ML20137A806

Forwards Two Draft Repts Re Technical Insights Gained from PRAs. Repts Are Outcome of Effort to Make Available & Utilize Info Re Factors Which Dominate Risk Associated W/Nuclear Power Plants in Technical & Managerial Activities
ML20137A806
Person / Time
Site: Waterford
Issue date: 01/07/1986
From: Joshua Wilson
Office of Nuclear Reactor Regulation
To: Leddick R
LOUISIANA POWER & LIGHT CO.
Shared Package
ML20136F585 List:
References
NUDOCS 8601140549


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

JAN 7 1986

Docket No.: 50-382

Mr. R. S. Leddick
Louisiana Power and Light Company
317 Baronne Street, Mail Unit 17
New Orleans, Louisiana 70160

Dear Mr. Leddick:

Subject: Reports on PRA Insights

Enclosed are two draft reports concerning technical insights gained from Probabilistic Risk Assessments (PRAs). These reports are the outcome of an ongoing effort to make available and utilize in numerous technical and managerial activities the information in probabilistic risk assessments regarding the factors which dominate the risk associated with nuclear power plants. This effort includes identification of the features of design or operational practices which have been found to be important to safety in the types of plants which have been subjected to risk assessments. In addition, the section on insights into PRA method focuses on areas which are sensitive to the results and the overall perception of plant weaknesses and vulnerabilities.

In particular, these reports contain discussions of: general insights on plant strengths and weaknesses gained from PRAs; the contribution to core melt frequency from classes of sequences induced by various initiating events; modifications, both hardware and procedural, which have been implemented to address problems identified in the conduct or as a result of PRAs; insights into PRA methodologies; and the contribution to measures of risk (core melt frequency and consequences of radioactive releases) from systems, components and events.


These reports will be published in their final forms in approximately two months. These reports are being provided to you, as well as all other licensees, in advance of formal publication for your information. If, after reviewing these reports, you wish to provide comments to the staff, please provide them by February 10, 1986.

Sincerely,

Signed by
James H. Wilson, Project Manager
PWR Project Directorate No. 7
Division of PWR Licensing-B

Enclosures: As stated

cc: See next page

DISTRIBUTION: NRC PDR, L PDR, PBD7 Reading, FMiraglia, Attorney, OELD, EJordan, BGrimes, JPartlow, JWilson, JLee, ACRS(10)

PBD7 JWilson 1/7/8
DIR: BD7 GWKnighton 1/ /86

Mr. R. S. Leddick
Louisiana Power & Light Company
Waterford 3

cc:

W. Malcolm Stevenson, Esq.
Monroe & Leman
1432 Whitney Building
New Orleans, Louisiana 70103

Regional Administrator, Region IV
U.S. Nuclear Regulatory Commission
Office of Executive Director for Operations
611 Ryan Plaza Drive, Suite 1000
Arlington, Texas 76011

Mr. E. Blake
Shaw, Pittman, Potts and Trowbridge
1800 M Street, NW
Washington, D.C. 20036

Carole H. Burstein, Esq.
445 Walnut Street
New Orleans, Louisiana 70118

Mr. Gary L. Groesch
P. O. Box 791169
New Orleans, Louisiana 70179-1169

Mr. Charles B. Brinkman, Manager
Washington Nuclear Operations
Combustion Engineering, Inc.
7910 Woodmont Avenue, Suite 1310
Bethesda, Maryland 20814

Mr. F. J. Drummond
Project Manager - Nuclear
Louisiana Power and Light Company
142 Delaronde Street
New Orleans, Louisiana 70174

Mr. K. W. Cook
Nuclear Support and Licensing Manager
Louisiana Power and Light Company
142 Delaronde Street
New Orleans, Louisiana 70174

Resident Inspector/Waterford NPS
P. O. Box 822
Killona, Louisiana 70066

Mr. Jack Fager
Middle South Services, Inc.
P. O. Box 61000
New Orleans, Louisiana 70161

Chairman
Louisiana Public Service Commission
One American Place, Suite 1630
Baton Rouge, Louisiana 70804

INSIGHTS GAINED FROM PROBABILISTIC RISK ASSESSMENTS

Sarah M. Davis
Reliability and Risk Assessment Branch
Division of Safety Technology
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission

September 20, 1984

Table of Contents

1. Introduction
1.1 Purpose and Applications
1.2 Sources, References, and Additional Sources
1.3 Contents

2. Summary - Insights Gained From PRA Results
2.1 Human Error
2.2 Support Systems
2.3 Initiating Events
2.4 External Events

3. Insights into PRA Methodologies

4. Measures of Contribution
4.1 Cutset Evaluation
4.1 Importance Ranking

Appendix A - Plant Specific Importance Ranking Results

Appendix B - Discussions of Selected Topics - Insights Gained From PRA Results

1.0 Introduction

1.1 Purpose and Applications

The purpose of this report is to provide an update of the draft report "Insights Gained From Four Probabilistic Risk Assessments" issued in March 1983. The expansion of this report to include 15 PRAs is part of an ongoing effort in the Reliability and Risk Assessment Branch (RRAB), Division of Safety Technology, NRR, of making available and using the information in Probabilistic Risk Assessments (PRAs) to highlight factors which have been found to dominate the risk associated with operation of varying types of nuclear power plants. This effort will also identify design or operational practices which have been found to be important to safety in the types of plants which have been subjected to risk assessments. In addition, methodological differences will be noted.

The evaluation of the impact of different treatments of methodological topics on the perception of plant vulnerabilities was undertaken in a separate program in RRAB, Insights on PRA Methodology. Conclusions from this task comprise Section 3.0 of this report.

The focus of the report is on the PRAs themselves. The purpose of this task is not a critique of these studies. For the purpose of gleaning insights and calculating importance measures, the assumptions and conclusions of the studies were accepted as valid with the intent to learn from these conclusions and provide additional perspectives to the insights and inferences that can be drawn and their applicability to reactor safety and the use of PRA in general.

It is expected that this information will continue to aid in the assessment of safety issues in the absence of plant specific studies. This has already been done in many areas such as the Systematic Evaluation Program for operating reactors and Severe Accident considerations in Environmental Statements for plants in the licensing phase.

This compilation of risk assessment information and insights can potentially benefit both the industry and NRC staff. Insights drawn from PRAs done to date can be used by utilities to examine current plant design/operation in order to identify any weaknesses or vulnerabilities found in plants with similar characteristics. This information can also be used as a checklist for the conduct of future PRAs to increase awareness of problems that have already been identified and to systematically check the applicability to a specific plant.

The methodology assessment provides an awareness of the effects of the methodology on the PRA results when structuring future PRA studies. This assessment focuses on those aspects of the methodology to which the results appear to be sensitive.

These insights can enable those performing PRAs to be aware of those areas of analysis where it may be beneficial to expend resources and explore details of additional analyses. This can also aid in focusing the review on the more sensitive areas. Some of the areas found to have a significant impact are system dependency analyses, human error evaluations and electrical systems analyses.

Another facet of the purpose of this ongoing effort is to increase awareness and sensitivity of NRC staff to the importance of systems and components derived from PRA results. The availability of this collected information will hopefully serve to familiarize NRC staff reviewers as to overall PRA insights, both design and methodological in nature, and aid the staff in a number of specific areas. The insights gained from PRAs may be useful in numerous ongoing technical activities and can also provide information to cognizant branches for the identification of generic safety issues. The focus on importance which this effort provides can prove useful to plant project managers in the prioritization of plant specific work schedules for actions or modifications to operating reactors. In addition, these insights can be useful to resident inspectors for focusing activities on areas where potential problems or weaknesses have been identified in similar plants.

The insights gained from methodology assessment can provide valuable guidance to RRAB, enabling project managers for PRA reviews to focus the review on areas sensitive to methodological assumptions and aid in the interpretation and application of results. Cutsets derived or identified in calculations of the importance ranking of systems and components can be used in evaluating new safety issues or proposed modifications of plants through the processing and dissemination of information obtained from PRAs.

For those plants subjected to extensive review, the review process elucidated some significant differences in identification and/or quantification of dominant accident sequences. Critiques and revised estimates of significant sequences are provided in NUREG/CR-2934 (Indian Point Units 2 and 3), NUREG/CR-3300 (Zion), NUREG/CR-3028 and NUREG/ - (Limerick), and EGG-EA-5765 (Big Rock Point) for those PRAs which received extensive review by NRR staff.

Final results of the reviews were not available during the conduct of the importance calculations and thus are not reflected in the discussions of plant specific importance rankings. It should be emphasized that this report is not intended to be a representation of the current safety profile of the plants under consideration but rather a presentation of PRA results and insights derived from the conduct of such studies.

The inclusion of examples of modifications implemented by applicants/licensees and significant review findings is intended to illustrate the valuable information provided by PRAs and PRA reviews which lead to a much deeper understanding of plant safety and areas of vulnerability as well as strength. In many instances this provides a tool with which to more readily identify cost-effective means of improving plant safety. These examples are, however, by no means exhaustive and appropriate caution should be exercised in utilizing the information presented in this report.


1.2 Sources of Material

Along with the PRAs themselves, a major source of information used in this report is DRAFT NUREG/CR-3495, "Calculation of Failure Importance Measures For Basic Events and Plant Systems in Nuclear Power Plants", to be published later this year. The purpose of this project, done under contract to RRAB by Sandia National Laboratories, was to develop and utilize a methodology which extracts minimal cutsets from dominant accident sequences in order to examine and rank systems, components and failure modes as to their contribution to core melt frequency, release, and risk using various measures of importance and risk. (The definition and interpretation of these terms will be expanded more fully in later sections of this report.)

Other sources which contain cataloging of sequences, generic sequence development and insights are the Technical Reports from the Industry Degraded Core Rulemaking Program (IDCOR) sponsored by the Nuclear Industry, the Draft Report For Comment, NUREG-1050, "Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regulatory Application", published by Office of Nuclear Regulatory Research, EPRI NP-3265 Interim Report, "A Review of Some Early Large-Scale Probabilistic Risk Assessments", and reports from the Accident Sequence Evaluation Program, part of the Severe Accident Research Program. These and other documents and programs also provide perspectives on the use of PRA and various insights of a global and plant specific nature.

1.3 Contents of Report

Following this section are Tables 1.1-1.3. Listed in Table 1.1 are the plants and program sponsors, with overall core melt frequency as reported in the PRA and the date of publication. The PRAs are generally characterized by four categories:

WASH-1400 - The Reactor Safety Study (RSS), a pioneering program of a full-blown risk assessment using Surry 1 and Peach Bottom 2 as representative of PWRs and BWRs, respectively. A critique of this documentation was performed by the Risk Assessment Review Group (also known as the Lewis Committee Report) in NUREG/CR-0400.

Reactor Safety Study Methodology Applications Program (RSSMAP) - initiated after the RSS, these are truncated WASH-1400-type evaluations based on judgement and experience with analysis of accident sequences identified in WASH-1400.

Interim Reliability Evaluation Program (IREP) - the Crystal River-3 Safety Study was the pilot effort in this program initiated in the year following the Three Mile Island accident. These analyses were principally concerned with probability of core melt with no detailed review of containment failure or offsite consequences. (The Calvert Cliffs 1 IREP report was not available when the calculations of importance ranking were performed and thus was omitted from this analysis.)

Industry Sponsored PRAs - Those used in the importance ranking work are full scope risk assessments employing various methodologies depending on the authors and purpose of the study. Others have been received by NRC, with reviews ongoing or not yet initiated, which were not available for the task of importance calculations. They are Millstone 3, Shoreham, Midland, Seabrook, Yankee Rowe, and GESSAR (standardized BWR design).

Listed in Table 1.2 are the contributions to core melt frequency from sequence initiators for the 15 PRAs under consideration. This provides a general measure of the contributions made by classes of sequences to core melt frequency for various types and designs of plants.

Following in Table 1.3 are some of the modifications made to these plants which would be expected to impact the dominant sequences initiated by the events listed in Table 1.2. Section 2.0, Summary Insights Gained from PRA Results, contains summary tables gleaned from numerous PRAs in areas such as Human Error, Support System Importance, Initiating Events and External Event Analyses. Appendix B provides more detailed discussions of the background for selected items from Section 2.0.

Section 3.0 provides a summary of "Insights into PRA Methodologies."

Section 4.0, Measures of Contribution, contains a discussion of methods for obtaining a quantitative estimate of the importance of system and component failures to overall core melt frequency and risk, and specific results are discussed for each plant in Appendix A.

TABLE 1.1

PLANT NAME | TYPE | PRA SPONSOR AND DATE PUBLISHED | ESTIMATED CORE MELT FREQUENCY AS REPORTED IN PRA | SCOPE
SURRY | PWR | NRC-WASH-1400, 10/75 | 6 x 10 s/RY | INTERNAL EVENTS ONLY
PEACH BOTTOM 2 | BWR | NRC-WASH-1400, 10/75 | ~3 x 10.s/RY | INTERNAL EVENTS ONLY
SEQUOYAH 1 | PWR | NRC-RSSMAP, 2/81 | ~6 x 10-5/RY | INTERNAL EVENTS ONLY
OCONEE 3 | PWR | NRC-RSSMAP, 5/81 | 8 x 10.s/RY | INTERNAL EVENTS ONLY
GRAND GULF 1 | BWR | NRC-RSSMAP, 10/81 | ~4 x 10.s/RY | INTERNAL EVENTS ONLY
CALVERT CLIFFS 2 | PWR | NRC-RSSMAP, 5/82 | ~2 x 10.s/RY | INTERNAL EVENTS ONLY
CRYSTAL RIVER 3 | PWR | NRC-IREP, 12/81 | ~4 x 10-4/RY | INTERNAL EVENTS ONLY
ARKANSAS NUCLEAR ONE | PWR | NRC-IREP, 6/82 | 5 x 10-5/RY | INTERNAL EVENTS ONLY
BROWNS FERRY 1 | BWR | NRC-IREP, 7/82 | 2 x 10-4/RY | INTERNAL EVENTS ONLY
MILLSTONE 1 | BWR | NRC-IREP, 5/83 | 3 x 10-4/RY | INTERNAL EVENTS ONLY
BIG ROCK POINT | BWR | INDUSTRY, 3/81 | 1 x 10 8/RY | INTERNAL AND EXTERNAL EVENTS
ZION | PWR | INDUSTRY, 9/81 | ~6 x 10.s/RY | INTERNAL AND EXTERNAL EVENTS
INDIAN POINT 2 | PWR | INDUSTRY, 4/82 | ~5 x 10-4/RY | INTERNAL AND EXTERNAL EVENTS
INDIAN POINT 3 | PWR | INDUSTRY, 4/82 | ~2 x 10-4/RY | INTERNAL AND EXTERNAL EVENTS
LIMERICK 1 | BWR | INDUSTRY, 3/81; REVISED AND EXPANDED TO INCLUDE EXTERNAL EVENTS 4/83 | ~2 x 10 s/RY | INTERNAL AND EXTERNAL EVENTS

NOTE: This table shows the estimated core melt frequency as reported in each of the 15 Probabilistic Risk Assessments (PRAs). In many cases, the staff review resulted in revised estimates not reflected in the table. For other cases, reviews are ongoing. Caution should be exercised in viewing these results.

Many of the licensees/applicants made modifications to both hardware and procedural aspects of the design and operation of plants, which would be expected to impact the overall core melt frequency. There are large uncertainties associated with the values in this table and interplant comparisons cannot be appropriately made since the PRAs were performed under differing scopes, methodologies and assumptions and the results are presented by using varying measures (point estimates, medians, or means).

TABLE 1.2 SEQUENCE CONTRIBUTION TO CORE MELT FREQUENCY (GROUPED BY INITIATING EVENT * - ROUNDED TO NEAREST 5%)

Columns: PLANT NAME; LOCA; TRANSIENT; ATWS; FIRE; SEISMIC; WIND OR TORNADO

SURRY 1: 65, 25, 10
PEACH BOTTOM 2: 70, 30
SEQUOYAH 1: 95, 5
OCONEE 3: 70, 25, 5
GRAND GULF 1: 15, 70, 15
CALVERT CLIFFS 2: 95, 5
CRYSTAL RIVER 3: 75, 25
ARKANSAS NUCLEAR ONE 1: 25, 70, 5
BROWNS FERRY 1: 75, 25
MILLSTONE 1: 95, 5
BIG ROCK POINT: 55, 15, 5, 25
ZION (1 AND 2): 65, 20, 15
INDIAN POINT 2: 10, 10, 40, 30, 10
INDIAN POINT 3: 65, 35
LIMERICK 1: 100

TABLE 1.3

PLANT NAME: MODIFICATIONS ADDRESSING DOMINANT SEQUENCES

SURRY 1: The identification of the Interfacing LOCA (Event V) as a dominant contributor to risk led to the requirement of the capability for the strategic testing of the check valves in high/low pressure boundaries.

SEQUOYAH 1: Special administrative controls incorporated in new Technical Specifications addressed the identified problem peculiar to ice condenser containment designs. A more strategic testing procedure was instituted

OCONEE 3: The licensee took actions addressing Event V, eliminated the AC power dependency of the turbine driven train of the Emergency Feedwater System, instituted emergency procedures to prevent cavitation of ECCS pumps during certain postulated events, made modifications to the Instrumentation and Control System, and instituted preventive measures regarding the possibility of accident sequences induced by turbine building flooding.

CALVERT CLIFFS 2: The Auxiliary Feedwater system was modified to include automatic initiation logic and a third motor-driven EFW pump train was added (to both units) with the ability to valve in the motor-driven train from each unit into the motor-driven train of the other unit.

CRYSTAL RIVER 3: The licensee made improvements to operator training and procedures for switchover from ECCS injection to recirculation, removed the AC dependency of the turbine driven EFW pump and plans to institute procedures for local manual control of this pump, and instituted testing procedures addressing Event V.

ARKANSAS NUCLEAR ONE-1: Modifications made during the course of the study included revised battery testing procedures, testing of actuation circuitry of switchgear room coolers and corrections in ECCS pump testing procedures.

MILLSTONE 1: The licensee implemented changes addressing insights gained through the risk assessment process: corrected single failure vulnerability in the LNP (loss of normal power) logic; removed the AC power dependency of the isolation condenser; and instituted procedural and equipment provisions for manual control of the normally closed valve in the isolation condenser.

BIG ROCK POINT: Modifications made by the utility addressing the significant contributors to core melt based on their PRA included remotely operated make-up to the emergency condenser from the fire system; post-accident valve position (locks); early containment spray following a LOCA; additional isolation valves on the primary coolant system; and high pressure recycle.

ZION: During the staff review of the PRA the licensee agreed to take the following actions:

Institute refill procedure of the RWST to accommodate the containment spray system.

Open PORV block valves.

Improved Safety System Room Cooler surveillance.

In addition, the staff modified Technical Specifications decreasing the allowable outage time for two Auxiliary Feedwater pumps.

INDIAN POINT 2: The licensee proposed modifications to the control building roof and ceiling to accommodate high seismic accelerations. The staff established the meteorological bases for a technical specification requiring orderly anticipatory shutdown of Indian Point, Unit 2 when hurricanes are approaching the site.

INDIAN POINT 3: In accordance with existing regulations concerning fire protection (Appendix R), the staff imposed the implementation of five interim actions to reduce risk of core melt from fire pending the licensee's Appendix R submittal. The interim modifications involved the provision of an alternate power source to vulnerable shutdown related components.

LIMERICK: During the course of the Limerick PRA, the applicant took steps to implement the following: Alternate 3A ATWS Fixes (plus modifications beyond those designated in Alternate 3A); modifications to the ADS air supply; modifications to RHR System; separate ECCS nozzles; and procedural changes to achieve an alternate method of room cooling for the HPCI and RCIC pump rooms.

2.0 Summary - Insights Gained From PRA Results

The structure of a PRA systematically leads to a set of accident sequences comprising an initiating event, a combination of system failures with a calculated estimate of the probability of occurrence and the associated plant damage state. In full scale PRAs, these results are used to estimate the probability of containment failure, the mode of failure, and the magnitude of a release to the environment following a breach or bypass of containment.

The set of accident sequences considered "dominant" with respect to core melt are those sequences with probabilities of occurrence which constitute the major portion of the overall core melt probability, with the remaining portion being the cumulative probabilities of a large number of sequences with significantly lower probabilities of occurrence. Sequences considered "dominant" to risk take into account the probability of occurrence and the estimated magnitude of release represented by their placement into defined release categories.

In the context of an accident sequence, system failure is not quantitatively defined as an overall unavailability of the system per se, but rather as a combination of cutsets that lead to failure of the system function. A cutset (or failure path) is the minimal set of component failures which disable the system from performing the required function (function being defined by system success criteria for the sequence). Thus, the combination of cutsets is a prescribed set of failures and events which must occur for the accident sequence to take place.
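The cutset and "dominant" definitions above can be made concrete with a small calculation. The following is an added example, not part of the report: the fault tree, event names, probabilities and the 80% coverage threshold are all constructed assumptions, chosen to mirror the shared DC bus dependency listed in the Support Systems summary table.

```python
from itertools import product

# Constructed fault tree (assumption, not from the report): loss of emergency
# feedwater after loss of offsite power. Gates map to (kind, children);
# any name that is not a gate is a basic event.
TREE = {
    "EFW_FAILS": ("AND", ["TRAIN_A_FAILS", "TRAIN_B_FAILS"]),
    "TRAIN_A_FAILS": ("OR", ["TURBINE_PUMP_FAILS", "DC_BUS_FAILS"]),
    "TRAIN_B_FAILS": ("OR", ["MOTOR_PUMP_FAILS", "DIESEL_B_UNAVAILABLE"]),
    "DIESEL_B_UNAVAILABLE": ("OR", ["DIESEL_B_FAILS", "DC_BUS_FAILS"]),
}

# Constructed per-demand failure probabilities (illustrative values only).
PROB = {
    "TURBINE_PUMP_FAILS": 0.02,
    "MOTOR_PUMP_FAILS": 0.01,
    "DIESEL_B_FAILS": 0.03,
    "DC_BUS_FAILS": 0.001,
}


def cut_sets(node, tree):
    """Expand a gate top-down into cut sets (frozensets of basic events)."""
    if node not in tree:
        return {frozenset([node])}
    kind, children = tree[node]
    child_sets = [cut_sets(child, tree) for child in children]
    if kind == "OR":
        # Any one child failing is enough: collect every child's cut sets.
        return set().union(*child_sets)
    # AND: every child must fail, so merge one cut set from each child.
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal(sets):
    """Absorption: discard a cut set that strictly contains another one."""
    return {s for s in sets if not any(other < s for other in sets)}


def rank(tree, top, prob):
    """Return ([(events, probability, share)], total), largest share first.

    The total uses the rare-event approximation (sum of cutset
    probabilities), which is adequate when the probabilities are small.
    """
    scored = []
    for cs in minimal(cut_sets(top, tree)):
        p = 1.0
        for event in cs:
            p *= prob[event]
        scored.append((p, sorted(cs)))
    total = sum(p for p, _ in scored)
    scored.sort(key=lambda item: (-item[0], item[1]))
    return [(events, p, p / total) for p, events in scored], total


def dominant(rows, coverage=0.8):
    """Smallest leading group of cutsets whose shares reach `coverage`."""
    picked, running = [], 0.0
    for events, _, share in rows:
        if running >= coverage:
            break
        picked.append(events)
        running += share
    return picked


if __name__ == "__main__":
    rows, total = rank(TREE, "EFW_FAILS", PROB)
    for events, p, share in rows:
        print(f"{' & '.join(events):45s} {p:.1e}  {share:5.1%}")
    print(f"system failure probability ~ {total:.1e}")
    print("dominant cutsets:", dominant(rows))
```

The six cut sets produced by the expansion collapse to three minimal ones, and the shared DC bus appears as a single-event cutset that outweighs both two-event pump combinations even though its own failure probability is the smallest in the table.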

Examination of dominant accident sequences and their cutsets in a PRA provides plant specific insights into areas of vulnerability and weakness as well as strengths of design and operation for that plant. One method of obtaining insights in a quantitative manner is that of importance ranking. The insights into the relative importance of systems, components and basic events on a plant by plant basis are discussed in Appendix A. However, the greatest value of the conduct and results of a PRA are the qualitative insights into plant design and operation which are gained that significantly aid in our awareness and judgement regarding the factors vital to overall plant safety.

For this reason, some of the insights gained in the process of Probabilistic Risk Assessment have been compiled in this report and are presented in tabular form in this section. More detailed discussions of the background and effects of selected topics from this section are contained in Appendix B.

It has become apparent that as risk assessment techniques have evolved, areas of investigation have expanded and changed reflecting the attitude intrinsic to the methodology. That is, the emphasis given possible failure modes, either by general assumptions or by methods of collecting data and calculating probabilities, can greatly affect which factors of unavailability dominate the results. This is especially true in the area of quantifying the probability of human error, the importance of support system dependencies, the selection of initiating events, and the inclusion of external events analyses.

Some of the overall insights gained in these areas are presented in the following sections.

2.1 Human Error, Recovery Actions and Procedures, Test and Maintenance Summary Table

1. Potential causes of failure of manual switchover from ECCS injection to recirculation in PWRs (Generic Issue 24):

(a) Premature switchover causing pump cavitation

(b) Failure to reinitiate safety injection pumps when needed in conjunction with the high pressure pumps during recirculation

(c) Incorrect reconfiguration of valves for recirculation phase.

2. Potential causes of common cause failures due to human error:

(a) Redundant actuation circuitry fails due to miscalibration performed by the same individual on one shift

(b) Components left in the incorrect position following test or maintenance activities:

(1) redundant actuation fails due to control switch being incorrectly left in manual mode.

3. Failure to open drain valves between upper and lower containment areas in a plant with an ice condenser containment so that discharged water does not reach sump for recirculation phase, thus failing ECCS recirculation.

4. Event V - Periodic testing of the integrity of the double isolation valves on the suction side of the RHR system can reduce the likelihood of these valves rupturing sequentially over a period of time or operating cycles resulting in an interfacing system LOCA initiating event.

5. Valve position indication may be misleading to the operator if it is not directly off the stem, e.g., connected actuator subsequently becomes disengaged from the stem.

6. Staggered testing and calibration of redundant trains of equipment reduces the potential for common cause failures (2.(a)) by the operator of not only actuation circuitry but other vital safety functions (e.g., DC Batteries; see Support System summary).

7. Lack of surveillance (either direct or indirect) or extended surveillance periods for components, both active and passive, in vital safety systems may increase the unreliability of the safety function. The components most likely to elude surveillance are manual valves, as was mentioned, whose position or disc integrity may be important to a safety function.

8. Recovery Actions and Procedures:

(a) Reliance on the operator to establish high pressure cooling in the feed-and-bleed mode following failure of the Emergency Feedwater System could potentially be alleviated by improving the reliability of the EFS or automating the High Pressure Recirculation System for loss of feedwater scenarios. Improved operator training may aid in reducing the likelihood of operator error in this action.

(b) Procedures and training for depressurizing the steam generators and using the condensate booster pumps (pressure 400-500 psi) in the event of loss of feedwater (both main and emergency feedwater) greatly enhances the reliability of the decay heat removal function following a reactor trip.

2.2 Support Systems Summary Table

1. Cooling of both emergency feedwater pumps is supplied by an AC powered service water system, thus loss of all AC disables both trains of emergency feedwater. The pumps were modified to self-cooling designs.

2. DC bus supplies actuation power to the turbine driven emergency feedwater pump and a diesel generator (the breaker connecting the bus fails to close). A single DC bus failure disables two emergency feedwater pumps in the event of a loss of offsite power.

3. Stripping vital loads from the safety buses on a safety injection signal (even though offsite power has not been lost) and then reloading them sequentially on the bus reduces the reliability of the safety function.

4. DC bus faults can cause a reactor trip initiating event with concomitant failure of multiple core and containment cooling system trains.

5. Potential causes of DC battery failure or degradation:

(a) Common mode test or maintenance error (rectified by staggered testing)

(b) Maintenance personnel may leave battery charger disconnected from bus following maintenance activities. During this time, loads will be supplied by the battery itself causing degradation in battery capability.

(c) Loss of ventilation in battery rooms

(d) Excess voltage during equalizing charge

(e) Following test or maintenance, jumpers may not be removed from cells.

.i j 6. ..

Failure of battery fails the Isolation Condenser return valve and a diesel generator emergency power train.

1 7.

Ventilation required for equipment operability may fail in rooms with redundant equipment due to the thermostat never being checked or power to ventilation systest is not on an emergency power bus.

2 i

l l 8.

'i Diesel Generator may not operate following loss of offsite power due to j

loss of service water required to provide DG cooling from service water pumppoweredbyemergencybussupplied$yafaileddieselgenerator.

'. 9. .

l Sight glass in air lock may not sustain as high an overpressure as the ~

4 rest of the containment.  !

l 1 .

i 1 i i

[

l

[

22 -

10. Fan coolers provide a redundant containment cooling function in m plants. However, the fan coolers may fail in a post-core melt environment due to hydrogen burns failing electrical cabling or airborne particulates clogging fan filters.

11. Failures in the Component Cooling Water System (CCW) have been identified as extremely important support system failures which have the potential of being an initiating event along with disabling mitigative systems required for that sequence. These aspects are discussed together in the next section on Initiating Events.

2.3 Initiating Events Summary Table

1. A Component Cooling Water System (CCW) pipe break causes loss of cooling to the reactor coolant pump seals and to the charging pumps which provide seal injection flow. Loss of seal cooling and injection flow may result in seal failure (i.e., small LOCA). Core melt may ensue because the high head safety injection pumps (ECCS) also fail due to loss of CCW cooling. Thus, a single initiating event (loss of CCW) may directly result in core melt.

2. Loss of cooling to reactor pump seals for short periods of time (30 minutes to an hour) may result in seal failure even when the RCP pumps have been tripped.

3. Auxiliary component cooling water pumps driven by the ECCS pump motors may reduce dependence of ECCS on the main CCW system.

4. The ability to share CCW systems in multi-unit sites may increase the reliability of CCW flow to safety systems.

5. Small break LOCAs appear to be dominated by RCP seal failure and steam generator tube ruptures in PWRs.

6. Small break LOCAs appear to be dominated by stuck open safety/relief valves in BWRs.

7. Depending on the location of small break LOCAs (e.g., below reactor in pedestal cavity), the result may be to fail filling the sump prior to initiation of recirculation pumps due to flow path geometry inside containment, thus failing ECCS recirculation.

8. Interfacing Systems LOCA: The likelihood of this event can be substantially reduced through strategic testing of the valves at the high/low pressure boundary. For many plants, the valves of concern are the check valves in the RHR or Low Pressure Injection lines. However, from the Indian Point PRA, additional conditions have been recognized. The motor operated isolation valves in the RHR suction line may also be vulnerable to an Interfacing System LOCA event. On the other hand, since much of the piping and the RHR heat exchanger are within containment, failure of the heat exchanger or piping in this area is no longer a sequence which bypasses containment but rather a LOCA within containment that depends on the availability of emergency mitigative systems. This configuration is somewhat unusual, which underscores the importance of identifying plant-specific features which may render previously identified events less likely as well as verifying the existence of vulnerabilities found in other plants.
2.4 External Events Summary Table

1. During a severe seismic event, adjoining structures which are not adequately separated or joined together could respond out of phase so that one or both structures fail, losing vital safety functions or equipment in one or both buildings.

2. During a severe seismic event, panels in hung ceilings in the control room could fail, incapacitating the reactor operators and/or the control room itself.

3. The frequency of seismic events for many parts of the country is being reassessed and may be greater than previously thought.

4. The damage zone of a fire may be much larger than the immediate fire area because of the hot gas layer that forms at the top of the room. Equipment or cabling located along the ceiling could subsequently fail even though they are not in the direct fire path.

5. Hurricane and tornado winds have been identified as important contributors to loss of offsite power events with intensities that may also damage buildings and equipment.

6. A severe seismic event resulting in failure of the service water system disables the diesel generators thus resulting in loss of all emergency AC power.

III. Insights Into PRA Methodologies

About 20 probabilistic risk analyses of nuclear power plants have been performed in the United States. These analyses have been performed by different organizations using different degrees of sophistication or detail in the various methodological topic areas encompassed by a probabilistic study.

The staff has sponsored a survey of six PRA studies to evaluate the impact of the level of effort (detail) expended in each topic area on the perception of plant vulnerability and/or core melt likelihood. The results of this survey are presented in "Insights into PRA Methodologies", NU .

The various topics considered in the study and the suggested level of treatment for each of the topics are presented in Table 3.1. Half of the topics were considered to have a significant impact on the perception of plant vulnerabilities as noted by the asterisks (*) in Table 3.1.

Table 3.1 Suggested Levels of Effort Derived from Empirical Effort - Impact Analysis [table body illegible in the scanned source]

These topics should be given careful consideration when performin also when reviewing a study.

The suggested level of effort to realize an acceptable level of analysis is only significant for three topic areas, namely:

(a) System hardwired dependencies

(b) Modeling of ac power systems

(c) Human errors during an accident.

Analysis of system hardwired dependencies and modeling of ac power systems are related topics that deal with auxiliary systems that support vital safety functions. Of concern are the potential cross-connections in the auxiliary system that effectively defeat redundancy in the safety functions. The analysis requires detailed fault trees that include these potential interdependencies and a Boolean reduction code capable of processing the large matrices obtained. The task could be reduced somewhat if a determination is made at the outset about the realistic requirements with regard to auxiliary cooling either through direct coolers attached to a component or through room cooling.
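The Boolean reduction described above, as an added Python example that is not part of the original report: a two-train feedwater fault tree is reduced to minimal cut sets with and without the shared service water dependency. Gate names, event names and probabilities are constructed for illustration, and the top event probability uses the rare-event approximation.

```python
"""Boolean reduction of a small fault tree with a shared support system."""
from itertools import product
from math import prod

# Constructed fault tree (hypothetical names). A gate is (kind, children);
# any name that is not a key here is a basic event.
SHARED = {
    "EFW_FAILS": ("AND", ["TRAIN_A_FAILS", "TRAIN_B_FAILS"]),
    "TRAIN_A_FAILS": ("OR", ["PUMP_A", "SERVICE_WATER"]),
    "TRAIN_B_FAILS": ("OR", ["PUMP_B", "SERVICE_WATER"]),
    # Both pumps are cooled by one AC powered service water system.
    "SERVICE_WATER": ("OR", ["SW_PUMP", "AC_POWER"]),
}

# Same trains modelled as if each had its own independent cooling.
INDEPENDENT = {
    "EFW_FAILS": ("AND", ["TRAIN_A_FAILS", "TRAIN_B_FAILS"]),
    "TRAIN_A_FAILS": ("OR", ["PUMP_A", "COOLING_A"]),
    "TRAIN_B_FAILS": ("OR", ["PUMP_B", "COOLING_B"]),
}

# Constructed basic event probabilities.
P = {
    "PUMP_A": 1e-2, "PUMP_B": 1e-2,
    "SW_PUMP": 1e-3, "AC_POWER": 1e-4,
    "COOLING_A": 1.1e-3, "COOLING_B": 1.1e-3,
}


def expand(node, gates):
    """Top-down expansion of a gate into (not yet minimal) cut sets."""
    if node not in gates:
        return {frozenset([node])}
    kind, children = gates[node]
    parts = [expand(child, gates) for child in children]
    if kind == "OR":
        return set().union(*parts)
    # AND: one cut set from every child, merged. Merging frozensets applies
    # the idempotent law (X and X = X), which is where a shared event
    # collapses a two-train combination into a single failure.
    return {frozenset().union(*combo) for combo in product(*parts)}


def minimal_cut_sets(top, gates):
    """Apply absorption: drop any cut set that contains a smaller one."""
    sets = expand(top, gates)
    return {s for s in sets if not any(other < s for other in sets)}


def top_probability(cut_sets, p):
    """Rare-event approximation: sum of cut set probabilities."""
    return sum(prod(p[e] for e in s) for s in cut_sets)


if __name__ == "__main__":
    for name, tree in (("shared", SHARED), ("independent", INDEPENDENT)):
        mcs = minimal_cut_sets("EFW_FAILS", tree)
        print(name, sorted(sorted(s) for s in mcs), top_probability(mcs, P))
```

With the dependency modelled, the reduction surfaces two single-event cut sets that the independent-cooling model cannot produce, and the estimated failure probability of the redundant function rises by about an order of magnitude.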

Modeling of human errors during an accident is concerned with depicting realistic expectation of operator actions during an accident. These actions are those related to preexisting training and procedures and do not include random acts. Although the suggested level of effort for this topic includes detailed task analyses to portray the actions of interest, the results are still highly dependent on the analyst's bias in assessing the performance shaping factors that impact the quantification of human errors. This area deserves careful attention in the review process because of this sensitivity.

Actuation and control logic and recovery of failed components or actions also have significant impact on the perceived plant vulnerabilities, but the study indicated that less detailed effort was required for these topics to achieve reasonable results. These topics are related to modeling of ac power and human actions during an accident and therefore should probably be considered as a package when deciding what level of effort to devote to a PRA analysis.

A related topic, not directly addressed by the survey, is the treatment of component operability under conditions beyond their design point. For example, do pumps fail if they don't have lube oil cooling or will equipment inside containment operate in a post core melt environment. The sponsored reviews of PRA studies have shown that assumptions made in these studies regarding system/component success criteria have a significant impact on the PRA results. Many of these sensitive areas have been highlighted in the previous insights section. Because of this sensitivity to analyst's judgement on component operability, it is very important that these assumptions be explicitly identified in the PRA studies along with justification and/or sensitivity studies to display the impact of the assumption.

4.0 Measures of Contribution

4.1 Cut Set Evaluation

To gain insight into the relative importance of particular system failures it is possible to review all the minimal cutsets (which can number in the tens of thousands) via computerized search to determine which ones contain the system failures of interest. It is then possible to determine what percentage of the plant's core melt frequency is contributed by sequences containing these system failures in the cut sets.

As with "dominant" sequences, the dominant minimal cutsets, those which have probabilities dominating a large portion of the sequence frequency, are of primary importance. There may be system failures of interest in the remaining cut sets of a sequence, but they are of considerably lower probability and contribute significantly less to the sequence (customarily, below a prescribed low probability or small contribution cutoff).

In order to focus on the important contributors identified, we restrict our attention to the dominant minimal cutsets of an accident sequence. Since all elements in a sequence cutset contribute multiplicatively to the cut set, it is not possible to attribute the precise contribution of system failure elements to overall core melt frequency. However, the existence of a large contribution to core melt frequency of sequences containing particular system failures would indicate that examination of the elements of those sequences may identify areas where reductions in core melt frequency or risk are possible through various improvements.1

1 It is important to realize that "dominance" is arrived at quantitatively.

accurate are There largeand modelling uncertainties associated with sequences due to sta completeness issues.

probabilities for do Therefore the estimated higher of other sequences. minant sequences or events may 'supp,ress the significance of equally as thoselikely.

sequences as dominant but also the consideratio e

4.2 Importance Ranking

A further method which can be used to arrive at the relative importance of particular systems is the application of importance measures. An importance measure often used is the "Fussell-Vesely" measure of importance. The interpretation of the values given for each term (system/basic event) is the probability that the defined term contributed to total core melt frequency, given that a core melt has occurred. It is important to recall the definition of system in this context. It is not overall system unavailability but rather the probability that a combination of components in that system (defined by dominant cutsets) have failed given that a core melt has occurred. In this way, we can get some measure of the relative importance of a system or component but not the contribution to the core melt frequency, as presented in the cut set approach above.1 As was previously mentioned, even when the dominant cut sets are identified for each dominant sequence in a PRA, the most that can be said is that the component or system failure was contained in cut sets which contribute some percentage to overall core melt.

However, this does not tell you numerically how big a part was played by the failure of that component or system within the cut set. It is for this reason importance measures were developed, since an accident sequence does not comprise a series of overall system failures but rather a series of cut sets or failure paths of system components which lead to the plant damage state.
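The cut set search of Section 4.1 and the Fussell-Vesely ranking of Section 4.2, as an added Python example that is not part of the original report. The sequences, event names, frequencies and probabilities are constructed for illustration, and core melt frequency is taken as the sum of cut set frequencies (rare-event approximation), which is an assumption of this sketch.

```python
"""Cut set search and Fussell-Vesely ranking on a constructed model."""
from math import prod

# Constructed sample data (not from any PRA). For each accident sequence:
# a list of minimal cut sets, each given as
# (initiating event frequency per year, {basic event: probability}).
SEQUENCES = {
    "ATWS": [
        (10.0, {"RPS_MECH": 1e-5, "OP_NO_SCRAM": 0.1}),
    ],
    "SBO": [
        (0.1, {"DG_A": 3e-2, "DG_B": 3e-2, "NO_RECOVERY": 0.2}),
        (0.1, {"DC_BUS": 1e-4, "NO_RECOVERY": 0.2}),
    ],
    "SLOCA": [
        (1e-2, {"HPI_HW": 1e-3}),
        (1e-2, {"OP_RECIRC": 3e-3}),
        (1e-2, {"SW_PUMP_A": 1e-2, "SW_PUMP_B": 1e-2}),
    ],
}


def flatten(sequences):
    """Return [(sequence, frequency, frozenset(events))] for every cut set."""
    out = []
    for seq, cut_sets in sequences.items():
        for init_freq, events in cut_sets:
            # Elements of a cut set contribute multiplicatively.
            freq = init_freq * prod(events.values())
            out.append((seq, freq, frozenset(events)))
    return out


def dominant(cut_sets, cutoff=0.05):
    """Keep cut sets contributing at least `cutoff` of their own sequence."""
    seq_total = {}
    for seq, freq, _ in cut_sets:
        seq_total[seq] = seq_total.get(seq, 0.0) + freq
    return [c for c in cut_sets if c[1] / seq_total[c[0]] >= cutoff]


def total_frequency(cut_sets):
    """Core melt frequency estimate (rare-event approximation)."""
    return sum(freq for _, freq, _ in cut_sets)


def contribution(cut_sets, events_of_interest):
    """Fraction of core melt frequency carried by cut sets that contain
    at least one of the events of interest (the Section 4.1 search)."""
    wanted = frozenset(events_of_interest)
    hit = sum(freq for _, freq, events in cut_sets if events & wanted)
    return hit / total_frequency(cut_sets)


def fussell_vesely(cut_sets):
    """Fussell-Vesely importance of every basic event, highest first."""
    total = total_frequency(cut_sets)
    fv = {}
    for _, freq, events in cut_sets:
        for event in events:
            fv[event] = fv.get(event, 0.0) + freq / total
    return dict(sorted(fv.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    all_sets = flatten(SEQUENCES)
    print("emergency power share:",
          round(contribution(all_sets, {"DG_A", "DG_B", "DC_BUS"}), 3))
    for event, value in fussell_vesely(dominant(all_sets)).items():
        print(f"{event:12s} {value:.3f}")
```

In the constructed ATWS sequence the two events differ in probability by four orders of magnitude yet receive the same importance, because they appear together in the only cut set of that sequence.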

1 With both techniques, it is important to realize that the lack of appearance of particular systems or events may be due to deficient modelling and/or assumptions. As with other assessments, the issue of completeness contributes to uncertainty.

The analysis performed by Sandia National Laboratories under contract to RRAB examined 13 PRAs (15 plants) in order to rank basic events/component failures by their calculated measure of importance. Before discussing the results, a very important point concerning the use of importance measures is necessary. While a "system" may have the highest measure of importance and thus has the potential to yield the highest relative decrease in core melt frequency from an increase in availability, practically speaking, the achievability of that increase must be considered. A system with a high measure of importance may itself already have a high reliability. Further methods of increasing its reliability may introduce additional complexity and new failure modes (common cause failures for example) so that the modifications may not introduce the expected reduction in core melt frequency and may therefore not be the most efficient allocation of resources to increase safety.

Keeping this in mind, it is still useful to examine the results of importance ranking and failure modes of systems in the dominant sequences as presented in the PRAs subjected to this type of analysis. This information is provided for each plant in Appendix A.

APPENDIX A

Plant Specific Importance Ranking Results

Surry

Plant vendor: Westinghouse
Steam generator loops: 3
Containment: Dry, Subatmospheric
MWe rating: 775
PRA study: RSS (WASH-1400)

Since detailed information on the dominant sequence cutsets was not published in WASH-1400, the events that were ranked are general in nature, i.e., system level terms.

With respect to core melt frequency, the initiating events, small and medium LOCA and loss of offsite power transients, are dominant along with six basic events which contribute more than 10 percent to core melt frequency. Small LOCAs are ranked first followed by the High Pressure Injection System and Auxiliary Feedwater System. The HPIS failure is dominated by single and double hardware failures and AFWS failure is dominated by failures due to test and maintenance in the turbine driven train. Diesel failures (with non-recovery) are followed by human errors in aligning the Low and High Pressure Recirculation systems in importance.

Three sequences dominate risk (in this case defined by those sequences which result in releases in PWR categories 1, 2 and 3).

Event V, the interfacing systems LOCA, dominated by test and maintenance errors, is ranked first and is the most dominant basic event since it results in a release probability of 1 in category 2. Improved procedures and check valve testing capability have contributed to the reduction of the Event V sequence probability since the identification of this sequence. Event V is essentially a LOCA which bypasses containment, thus resulting in a release directly to the environment.

The second is Station Blackout (TMLB) which is dominated by the LOSP transient, failure of emergency AC power and non recovery of offsite AC power. The importances of AFWS, Recovery and AC power are equal because sequence TMLB has only one cutset. The severity of the release is due to the fact that there are no heat removal or containment cooling systems available.

The third sequence is a small LOCA with failure of the Containment Spray Injection System, dominated by human error faults during test and maintenance. Its importance measure is less than one half of Event V, but it results in a category 3 release. The failure of CSIS results in insufficient water in the sump at the time the CSRS is initiated, thus the spray pumps would fail. With the sprays not available to provide overpressure protection, the containment fails and, in the case of Surry, the ECCS pumps no longer have adequate net positive suction head to continue operating. This is a sequence that is dependent on the containment and NPSH requirements of the ECCS pumps specific to a plant.

Peach Bottom

Plant vendor: General Electric
Containment: Mark I
MWe rating: 1065
PRA study: RSS (WASH-1400)

As with Surry, detailed cutsets were not presented in the Peach Bottom analysis in WASH-1400. The events ranked are on the system level.

Two sequences dominate both measures of importance, core melt frequency and risk (core melt with release); the remaining dominant sequences are all at least two orders of magnitude less than the frequencies of TW, failure of decay heat removal given a transient, and TC, the ATWS.

Failure of decay heat removal is dominated by failure of the Low Pressure Injection System in the Residual Heat Removal mode induced by failure of the High Pressure Service Water System to provide cooling to the RHR heat exchangers. Though the initiating transients were combined in the modelling of transient sequences in the Peach Bottom analysis, by considering the fraction of transients with loss of offsite power assumed for this task, the transients without loss of offsite power were dominant with regard to core melt frequency (ranked higher than transients with LOSP).

TC, failure to achieve subcriticality following a transient event, is dominated by the human error of failure of the operator to scram manually upon failure of the Reactor Protection System and mechanical failure of RPS. Though the probability of the operator error is four orders of magnitude higher than failure of the RPS, they are ranked equally because both appear in only one cutset.

Sequoyah

Plant vendor: Westinghouse
Steam generator loops: 4
Containment: Ice Condenser
MWe rating: 1148
PRA study: RSSMAP

The Sequoyah study was first performed under RSSMAP and does not contain as much detail regarding cutsets as later RSSMAP studies.

The LOCAs (small and medium) are among the most important basic events since all but one dominant sequence, Event V, is initiated by a LOCA. Thus, every cutset includes a LOCA initiator.

With regard to core melt frequency, sequences initiated by LOCAs followed by failure of ECCS recirculation, ECCS injection, and a common mode failure of recirculation including containment sprays are ranked in importance first, second and third respectively. Event V is last, with regard to core melt frequency.

ECCS recirculation failure is dominated by two human errors: the operator fails to open valves in suction lines to Low Pressure Recirculation System pumps discharge (failure to realign correctly) and operator failure to realign LPRS and HPRS for hot leg injection after 24 hours. It is questionable whether the second operator error truly constitutes failure of recirculation. Hot leg injection is assumed to be needed within the first day following a cold leg break in order to flush the accumulation of boron residue and debris. Hot leg injection may not be needed for all small LOCA break sizes and there was no determination of the break size which would necessitate this action. The remaining failure of HPRS is insufficient ventilation air to the charging pumps during recirculation.

Failure of ECCS injection following a LOCA is dominated by combinations of hardware failures in the charging lines or pumps of HPIS and hardware failures in safety injection lines or pumps of the HPIS.

The human error associated with the common mode failure discussed in Section II is ranked equally with human errors on the basic event level. This common mode contributor to failure of ECCS recirculation and containment spray recirculation is caused by the failure to open the drains between the upper and lower containment compartments following maintenance and refueling operations. In this way, water collects in the upper compartment rather than flowing down to the containment sump thus failing to provide coolant for recirculation and damaging ECCS and CSRS pumps by cavitation.

With regard to risk, both the LOCA followed by common mode failure of recirculation (SHF) and Event V (interfacing systems LOCA) were assigned to release category 2 with a probability of 1. Ranked in terms of basic events, the small LOCA is ranked first, followed by human error associated with common mode failure of upper compartment drain, and Event V.

Special administrative controls have been incorporated in the Technical Specifications for Sequoyah addressing the identified drain blockage problem, unique to ice condenser plants. Capability and a more strategic testing procedure for check valves in the pressure boundary have been instituted to address the interfacing systems LOCA event.

Oconee 3

Plant vendor: Babcock and Wilcox
Steam generator loops: 2
Containment: Dry
MWe rating: 886
PRA study: RSSMAP

Eight sequences are dominant with respect to core melt frequency. Transient initiated sequences dominate with frequencies which differ by small factors (2 or less). Three sequences initiated by small and medium LOCAs are in the same range.

At the system level, operator errors are ranked first, with respect to core melt frequency. The four events are about equal in importance. These are:

(1) failure of Low Pressure Injection System due to test valves left incorrectly positioned,

(2) failure of operator to align HPRS to LPRS discharge for recirculation mode,

(3) failure of operator to open sump valves for recirculation mode, and

(4) failure of operator to initiate High Pressure Injection System following an ATWS event.

The human errors in aligning ECCS systems dominate because events in order of importance are transient initiators and event Q, Pressurizer Safety/Relief Valve (S/RV) fails to reclose. Thus the dominant sequences are transient induced LOCAs with event every cutset for these sequences. These events are followed by failure of the Low Pressure Service Water System (LPSW) due to hardwa pump in each of two trains. Along with small LOCA and transient initiators non recovery of the Power Conversion System and failure of the Reactor Protection System are followed with importance measures very close together.

Though the operator failing to initiate HPIS following mechanical failure of the RPS is ranked first with other human errors, the HPIS availability may be much lower following very high reactor coolant pressures during an ATWS sequence. Though the HEP assigned to this manual action is high (about .1) it is also questionable that successful action would be possible or that subcriticality would be achieved in time to prevent plant damage.

The remaining failures with lower importance ranking involve hardware failures in Low Pressure Injection System, Engineered Safeguards Actuation Devices System and ECCS and Containment Recirculation which include the same hardware faults as those during the injection phase plus failure of the sump valves to open for the recirculation phase.

Recall that human error failing ECCS injection and recirculation are ranked the highest of basic events. This means that these systems are important, but treating the human as a system or a subsystem results in this failure mode (human error) being ranked first, even though the remainder of the system failure contributions are ranked much lower (hardware failures).

With respect to risk, most of the eight sequences still dominate with the addition of Event V which becomes a dominant contributor to risk though it was not dominant to core melt. Also, the medium LOCA followed by failure of ECCS injection sequence is no longer dominant (with respect to risk).

Three additional points should be made.

(1) Reactor Coolant Pump seal failures were not included in this analysis. Were they to be considered, the frequency of small LOCAs could be greater than that assumed for this study. However, there could be additional recovery actions to be considered in a requantification of these small LOCA sequences.

(2) During the course of the study, the licensee modified the AFWS by removing the AC power dependency of the turbine driven pump. In addition, Oconee has a back-up system to the AFWS, the High Head Auxiliary Service Water System with a dedicated AC and DC power source independent of emergency AC power sources for other systems.

(3) For emergency AC power, Oconee can utilize either of two hydro generators. Oconee also has backup from one of two turbine generators which are available for long term operation. This contributes to the absence of a station blackout scenario as a dominant accident sequence in this analysis (i.e., the sequence contributed slightly less than M to overall core melt frequency). EFWS and HPI primarily fail due to hardware failures of the Low Pressure Service Water System, not loss of all AC power.

Grand Gulf

Containment: Mark III
MWe rating: 1250
PRA study: RSSMAP

Five sequences contribute 5% or more to overall core melt frequency: transient initiated sequences and one LOCA initiated sequence. With respect to core melt frequency and risk (rankings are essentially the same) the system level terms are dominated by failure of the Standby Service Water System (SSWS), recovery actions by plant personnel, transient initiators, nonrecovery of offsite power and mechanical failure of the RPS. The remaining system terms are dominated by hardware failures, such as those of the Residual Heat Removal System (RHRS).

The SSWS supplies cooling to the RHRS heat exchangers. Four of the dominant sequences involve failure of the RHRS to remove heat from the suppression pool or the containment. (Recovery terms are expressed in a general nature - failure to correct er maintenance faults or other corrective actions within 28 Inspection of the system level cutsets shows that SSWS failures are in of the cutsets of these sequences, with only a few cutsets containing R hardware failures. So the high importance of SSWS reflects the heavy dependence of RHRS success upon SSWS success. SSWS failure is dominated by valve and pump failures in both of the SSWS trains. Operator errors, test and maintenance faults, and hardware faults have been combined together in the definition of these events. Thus, the actual amount of importance due to human versus hardware faults cannot be determined by importance calculations.

For both events, failure of a safety/relief valve to reseat and mechanical failure of the RPS, failure probabilities were taken directly from WASH-1400. For RHRS and the Reactor Core Isolation Cooling System (RCICS), failures are defined by general terms as combinations of control circuit, hardware and maintenance faults leading to system unavailability.

Emergency AC Power is dominated by failures of both diesel generators. It should be noted that the diesel generators for Grand Gulf are the subject of a Task Force investigating the reliability of diesel generators made by Transamerica Delaval Inc. The conclusions of this Task Force could affect the assessment of emergency AC power availability for Grand Gulf. However, Grand Gulf has installed, in addition to the diesel generators, three gas turbines, where two of three provide adequate power for plant shutdown.

Calvert Cliffs 2

Steam generator vendor: Combustion Engineering
Loops: 2
Containment: Dry
MWe rating: 850
PRA study: RSSMAP

Three sequences dominate the core melt frequency. All three sequences are transient initiated (as were all sequences discussed as dominant sequences in the PRA). Those transient initiated sequences with failure of all secondary cooling contribute over 90% to overall core melt frequency. The system level importance ranking results, not surprisingly, show that only three system level components are significant: the Auxiliary Feedwater System (AFWS), operator errors and the Power Conversion System. All other systems have a very small contribution to core melt frequency.

In many of the subevents of AFWS failure, the operator errors and hardware faults are combined into one unavailability, so it is not readily apparent in the importance results what amount is due to operator error and what is due to hardware faults. However, the single most dominant subevent is operator failure to manually initiate AFWS. The remaining portion of the unavailability is due to failure of check valves, manual valves, control valves, motor-operated valves and the AFWS turbine pump. However, as noted, a term for human error has been lumped with these unavailabilities to yield a single value.

Following these terms and unavailability of the PCS, with much smaller measures of contribution, are transient initiators and failure of emergency AC power due to both diesel generators failing from maintenance and start failures and a failure of a control valve in the Salt Water System, which provides jacket cooling to the diesels. The only other human error identified in event ranking is that of the operator failing to restore AFWS by opening manual bypass valves in the steam admission line (given that other failures have not made this action impossible or ineffective).

The same three sequences dominate risk with the addition of one other sequence. Hardware and operator faults in the AFWS still dominate all other events, with significant contribution to plant risk by the PCS faults. The inclusion of the fourth sequence, that in which failure of PCS and AFWS is followed by failure of the containment fans and sprays, accounts for a small but significant importance of the DC Power System. This fault is a miscalibration of the battery charger charging rate, which allows the batteries to degrade and fail when demanded. This fault is actually a human error though it is modelled as a DC Power System fault. It is independent of all other system faults and operator actions.

This study was based on an AFWS which has since been upgraded. The original system was a manually operated two-train system. The upgraded system is an automatically initiated system with two steam driven pumps and one electric pump (there were only two steam driven pumps at the time of the study) with the option of valving in the motor-operated train of the AFWS of Unit 1 into the motor driven train of Unit 2 by operator action. It was estimated to reduce the overall core melt frequency by an order of magnitude. The Calvert Cliffs, Unit 1 IREP study is expected to provide a more detailed, up-to-date assessment of the Calvert Cliffs Units which are essentially identical.


Crystal River 3

Steam generator vendor: Babcock and Wilcox
Loops: 2
Containment: Dry
MWe rating: 906
PRA study: IREP

Of the set of sequences designated as dominant in the Crystal River-3 (CR-3) study, only three contribute 5% or more to core melt frequency. Two are initiated by small LOCAs, and one is initiated by a loss of offsite power transient.

The system level importance ranking results for both core melt and risk show that small LOCAs are the most important initiating events, with operator errors dominating system failures with an importance measure equal to that of the small LOCA (see Section II.A-Human Error). The DC and emergency AC power systems have significant contributions, with hardware failure of the Emergency Feedwater System ranked last with a small importance measure.

The three dominant operator errors involve improper operator actions during switchover from injection to recirculation mode of emergency core cooling during the recirculation phase. All actions which must take place before switchover to recirculation are manual actions, versus some plants where some valves receive automatic signals for change of state based on level indicators. A relatively high probability of error is attached to the performance of actions under accident conditions and in consideration of the quality and clarity of emergency procedures. Specifically, the operator is subject to any of several errors:

(1) premature switchover, where the operator reconfigures for recirculation too soon, causing pump cavitation due to insufficient net positive suction head,

(2) after terminating the low pressure injection pumps (which initiate upon the same actuation signal that starts the high pressure pumps), the operator fails to reinitiate the low pressure pumps for recirculation, during which time the high pressure pumps take suction from the low pressure pumps discharge, or

(3) the operator incorrectly reconfigures the systems for recirculation.

For emergency AC power, the individual diesel generator unavailabilities are the same. However, diesel generator B is dependent on the B battery in the DC system. The breaker connecting diesel train B to the bus would not close with failure of the DC train B. In addition, the turbine driven emergency feedwater pump, which has a DC powered control valve, would also be rendered inoperable by failure of battery B. Thus, with failure of battery B plus simultaneous failure of diesel generator A, emergency cooling is dependent on the availability of emergency AC power from Crystal River fossil units 1 and 2. The loss of offsite power initiated sequence frequency would be higher without the two fossil units available at the site.
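The battery B dependency described above can be worked through as a cut-set enumeration. The Python below is an added illustration, not part of the report or of the Crystal River PRA; the path and component names are labels chosen here, and it assumes that AC power from any one source, or the turbine-driven pump alone, keeps emergency cooling available after loss of offsite power.

```python
from itertools import combinations

# Success paths for emergency cooling after loss of offsite power, each mapped
# to the components it needs. Names are labels chosen for this example; the
# two dependencies on battery B are the ones stated in the text above.
# Assumption: any single surviving path is enough to maintain cooling.
SUCCESS_PATHS = {
    "diesel train A": {"DG_A"},
    # The breaker connecting diesel train B to its bus needs DC train B.
    "diesel train B": {"DG_B", "BATTERY_B"},
    # The turbine-driven pump has a DC-powered control valve fed by battery B.
    "turbine-driven EFW pump": {"TD_EFW_PUMP", "BATTERY_B"},
    "fossil units 1 and 2": {"FOSSIL_AC"},
}
COMPONENTS = sorted(set().union(*SUCCESS_PATHS.values()))


def surviving_paths(failed):
    """Return the success paths that contain no failed component."""
    failed = set(failed)
    return sorted(p for p, needs in SUCCESS_PATHS.items() if not needs & failed)


def cooling_lost(failed):
    """True when the given set of failed components defeats every path."""
    return not surviving_paths(failed)


def paths_disabled_by(component):
    """Return every success path that a single component failure removes."""
    return sorted(p for p, needs in SUCCESS_PATHS.items() if component in needs)


def minimal_cut_sets():
    """Enumerate the smallest failure combinations that defeat every path."""
    found = []
    for size in range(1, len(COMPONENTS) + 1):
        for combo in combinations(COMPONENTS, size):
            candidate = set(combo)
            if any(cut <= candidate for cut in found):
                continue  # a smaller cut set already covers this combination
            if cooling_lost(candidate):
                found.append(candidate)
    return [tuple(sorted(cut)) for cut in found]


if __name__ == "__main__":
    print("battery B removes:", paths_disabled_by("BATTERY_B"))
    print("left after battery B + DG A:", surviving_paths({"BATTERY_B", "DG_A"}))
    for cut in minimal_cut_sets():
        print("minimal cut set:", cut)
```

Because battery B sits in two paths at once, it appears in a three-event cut set, whereas reaching the same end state without it takes four independent failures.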

It should be noted that the frequency of small LOCAs did not include consideration of RCP seal failures, nor were they considered in the Station Blackout scenarios. These sequence frequencies could possibly be higher if RCP seal failure contribution were included as an initiator or subsequent failure to loss of all AC power. However, some changes have occurred since the study, such as post-TMI staffing requirements and improved emergency procedures, which would affect the calculated human error probabilities.


Arkansas Nuclear One 1

Steam generator vendor: Babcock and Wilcox
Loops: 2
Containment: Dry
MWe rating: 820
PRA study: IREP

Of the fourteen sequences designated as dominant in the ANO-1 study, nine sequences contributed 5% or more to overall core melt frequency. All of these ANO-1 sequences have frequencies fairly close in value to each other. Therefore, many system level terms have similar importance measures. DC power is ranked highest among system level terms with the highest importance measure. Seven other system terms have relatively significant contributions.

The DC power system is a two division system with two normal battery chargers (one standby) and no ability to cross-tie DC buses. Cross-tied DC buses allow the transfer of bus faults, a common mode failure discussed in NUREG-0666, "A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants." DC power system failure is dominated by the single most dominant basic event, a common mode failure caused by human error during test and maintenance. Previous to the ANO-1 study, testing procedures allowed both batteries to be tested on the same day by the same personnel. As a result of the ANO-1 study, quarterly tests of the two station batteries are now required to be performed on a staggered basis, one battery every six weeks.

In addition, the DC (and AC) switchgear room cooler actuation circuitry is now required to undergo a complete test. The previous test procedure omitted a portion of the circuitry. Another potential problem was identified concerning the actual energy capacity of the station batteries. The DC system is powered from the AC system through the battery chargers. Although the battery output voltage is monitored, it is not clear whether this reflects the discharge voltage of the battery itself or that which the charger is supplying. This monitoring may not adequately characterize battery status (see Section II, Summary Insights, (B) Support Systems).

Following a loss of offsite power transient in importance and equal to the basic event Q, failure of pressurizer relief valves to reseat, is the transient initiator of a loss of a DC bus (see Section II, (B) and (C)). Failure of this bus results in multiple failures of accident mitigating systems:

(1) fails 2 of 3 High Pressure Injection System pumps,

(2) fails 2 of 4 Reactor Building Cooling System fans,

(3) fails 1 of 2 Emergency Feedwater System Turbine Pump flow control valves, and

(4) fails EFS motor-driven pump.

The detailed modelling of the DC power system in the ANO-1 study resulted in the identification of the large importance of the DC power system as both an initiator and contributor to accident sequences with regard to core melt.

Following hardware failures in the EFS in importance are small LOCAs and operator errors. The reliability of the EFS affects the need for an operator action, failure of which is one of the dominant operator error terms. Because of the importance of the EFS in mitigating transients such as loss of all AC power and loss of AC or DC bus event, the licensee took actions to improve the EFS reliability by modifying the check valve configuration to the condensate storage tank and improved the starting procedure for the emergency diesel generator so that it can be manually started in the event of loss of DC power. These modifications were made for the interim period until the resolution of the generic program regarding modifications to upgrade Emergency Feedwater Systems. The improved reliability of the EFS would hopefully minimize the reliance on operator actions for certain sequences.

In this case, the operator error is failure to provide heat removal upon failure of the EFS by initiating the HPI pump in the feed-and-bleed mode. This operator error probability was considered optimistic in the ANO-1 study due to the assumption of a longer time frame for the operator to successfully establish feed-and-bleed. Both sequence and core melt frequency are sensitive to this error and thus could likely be higher than those calculated in the study. In addition to other modifications for the interim, the licensee has implemented ATOG (Abnormal Transient Operating Guidelines) and modified the operator training program, which could aid in minimizing this human error.

The only other dominant human error is failure of the operator to initiate HPI following failure of the Reactor Protection System. (See the discussion for Oconee 3 concerning the probability and effectiveness of this action.)

The small LOCA frequency is dominated by Reactor Coolant Pump Seal failures. However, there were six RCP seal failures at ANO-1 over a 3½ year period which were not included in the RCP seal failure frequency in the IREP study. Since sequences involving small LOCAs are important contributors to core melt, the overall core melt frequency could potentially be higher than that calculated in the study. To improve RCP seal performance, the licensee initiated a RCP seal upgrade program that includes modifying internal parts and controlled bleed off flow rate. This is also an interim measure pending the resolution and recommendations from Generic Issue 23, Reactor Coolant Pump Seal Failures. (See Section II, (C).)

The High Pressure Injection System and Reactor Building Spray Injection System follow in importance and share two basic events wherein pipe segment or valve faults result in failure of suction to HPIS pumps and 1 of 2 RBSI pumps.

With regard to risk, the same basic elements dominate with the replacement of the EFS as the highest ranking system. DC power no longer dominates due to the relatively low probability of severe release (Category 2) of the loss of offsite power initiated sequence with subsequent failure of DC power by the dominant common mode failure. This common mode failure term appears only in this sequence.


Browns Ferry 1

Steam generator vendor: General Electric
Containment: Mark I
MWe rating: 1098
PRA study: IREP

Due to the absence of sequence fault trees and cutsets in the Browns Ferry 1 (BF-1) study, meaningful importance ranking was difficult to perform. Minimal cutsets were derived from simplified sequence logic diagrams and system unavailability cutsets. The results of this importance ranking should be viewed with this severe limitation in mind. It is evident in that two of the three sequences which dominate core melt frequency (and risk) are transient initiated with failures of the Residual Heat Removal System (RHRS). These two sequences account for over 60 percent of core melt frequency, yet the importance calculations performed on the derived minimal cutsets result in a suspiciously small importance measure. The three sequences are transient initiated, two by loss of the Power Conversion System (PCS), one by loss of offsite power.

The system level results show only two systems, along with the transient initiators, with significant importance: the Reactor Protection System (RPS) and emergency AC power. Failure of RPS consists of only one event, the frequency of failure to scram taken from NUREG-0460, "Anticipated Transients Without Scram For Light Water Reactors," following a loss of offsite power.

The dominant fault of the emergency AC power system was taken from the discussion of the sequence initiated by loss of offsite power. This is a combination of three diesel generators failing; however, no description or quantification was given for this event.

Looking over the Boolean terms, it may be useful to note the failure modes of the RHRS. They are, in order of the attempted importance ranking:

Isolation Signal Faults - RHRS Control Circuit Faults no output RHRS

Reactor Core Isolation Cooling System Control Circuit faults

Failure of Inboard Torus Cooling Valves

Operator errors of failure to manually initiate Shutdown Cooling Mode of RHR

Residual Heat Removal Service Water System interface faults

Emergency Equipment Cooling Water System Motor Control Circuit faults

Millstone 1

Steam generator vendor: General Electric
Containment: Mark I
MWe rating: 652
PRA study: IREP

In the Millstone 1 study, loss of offsite power transient initiated sequences comprised 85% of overall core melt frequency, other transients 14% and LOCA initiated sequences comprised only 1%. Of the 11 sequences designated as dominant in the study, 8 contributed 5% or more to core melt frequency and an additional 3, just under the 5% cutoff, contributed to risk so that 10 sequences were analyzed in the importance calculations. Seven sequences dominated core melt frequency, with six of the seven initiated by loss of offsite power followed by failure to cool the core at high pressures. The other dominant sequence was initiated by loss of the Power Conversion System followed by a failure to scram.

The system level importance results are in agreement with the major engineering insights summarized in the PRA. The highest ranking event is obviously the loss of offsite power initiating event, followed by:

failure to recover offsite power within one-half hour

failure of emergency AC power systems

operator failure to manually depressurize the Reactor Coolant System

failure of a safety/relief valve to reclose

failure of the Isolation Condenser.

With progressively smaller importance measures are:

failure of Feedwater Coolant Injection System (FWCI)

Service Water System faults

failure of the Reactor Protection System.

Millstone's high pressure emergency cooling systems are highly dependent on the gas turbine emergency power source, which has a relatively low reliability. Since the Automatic Pressure Relief system is such that it is actuated during a LOCA, for transient initiated events the operator must manually depressurize the RCS upon failure of the high pressure cooling systems to allow the low pressure systems to operate. It is noted in the PRA that the emergency procedure is poorly written and confusing, thus a high failure probability was assumed for this task. This deficiency in the procedures was subsequently corrected.

Adding to the importance of emergency AC power is the dependency of the Low Pressure Coolant Injection System on both the diesel and gas turbine trains of emergency AC power. Also, the Isolation Condenser Make Up System is failed upon loss of the gas turbine generator, which in turn fails the Isolation Condenser.

At the basic event level, emergency AC power is dominated by failure of the diesel generator and by several circuit breaker failures which prevent the loading of emergency AC loads onto the gas turbine buses.

In addition to contributions from hardware failures, actuation circuitry failures and a small contribution from test and maintenance errors by which pressure sensors fail the FWCI, Service Water System faults fail cooling to the FWCI pumps. Also, failure of the SWS heat exchangers fails cooling to the Diesel Generator.

One of the contributors to the station blackout scenarios was a pair of single failures in the loss of normal power (LNP) logic which caused the LNP signal to fail to reset after tripping key breakers, preventing the emergency generators from picking up emergency equipment loads. Subsequently, the licensee redesigned part of LNP logic to eliminate the single failures. In addition, the AC dependency of the IC makeup valve was removed, thus removing this failure mode of the Isolation Condenser, and the licensee instituted procedural and equipment provisions for the operator to take manual control of the IC return valve to allow for recovery if its DC power source, Battery A, fails.

With regard to risk, the ATWS sequence has the highest importance and two of the six LOSP initiated sequences resulted in a core melt at high RCS pressure and are dominant to risk. The Millstone PRA assigns a much higher probability of containment failure due to in-vessel steam explosions at low pressures than at high pressures. Therefore, low pressure sequences tend to dominate risk (which implies that the operator successfully depressurized the RCS) and emergency AC power is important due to the dependency of the LPCI on the diesel and gas turbine trains. However, for low pressure sequences, recovery of offsite power must take place in a period of 20 hours rather than the short time frame for high pressure sequences (about 4 to 2 hours).


Big Rock Point

Steam generator vendor: General Electric
Containment: Pre-Mark
MWe rating: 75
PRA study: Independent, Consumers Power Company

Sequence fault trees and cutsets were not published in the Big Rock Point (BRP) PRA. Cutsets were developed for this analysis from descriptions of the dominant accident sequences and are of a very general nature. The cutsets are essentially at the event tree level (i.e., combinations of systems failures not refined further to the component level).

Five sequences dominate core melt frequency. These sequences are initiated by a steam line break, interfacing systems LOCA, fire, loss of offsite power and loss of instrument air.

The system level importance results are essentially the same as basic event importances. Only operator errors and fire events have more than one basic event. The most dominant basic event is failure of a safety/relief valve to reseat. This is followed by fire and operator error.

Fire in the Cable Penetration Area (inside containment) which affects all safety system cables is the initiating event, with the only subsequent failure of fire being suppressed manually.

The dominant operator error is the failure to send someone into the containment to open a valve which is part of the fire protection system but is being used to supply makeup water to the emergency condenser. If someone is sent in, there is still a probability of the valve not opening, reflected by the importance value of this valve, which enables successful operation of the emergency condenser. The other operator error is failure of the operator to switch the demineralized water pump over to emergency AC power after loss of offsite power or loss of instrument air.

The remaining events of significance are not discussed or quantified in the PRA; however, some are listed below:

Interfacing System LOCA due to failure of a single valve isolation line in recirculation and shutdown cooling system

Failure of operator to manually close main steam isolation valve

Loss of and failure to restore instrument air

Failure of Post Incident System in the event of an Interfacing Systems LOCA below the core due to valves being in the wrong position.

With regard to risk, most events are less important to risk than core melt due to the large fraction of release category probabilities in low risk release categories. Only the fire events have a high probability for release in category 3. (Release categories were redefined in the BRP study due to the uniqueness of the plant in consideration of its size and location.) There is essentially negligible risk associated with the BRP sequences.

As a result of the PRA, the licensee did, however, make modifications to reduce the probability of core melt and plant damage:

(1) Remotely operated fire water supply valve to the emergency condenser,

(2) Post-Incident System modifications such that the eight manual valves can only be locked in the correct position,

(3) Early Enclosure Spray elimination of a 15 minute delay so that enclosure spray can automatically actuate during a safety valve opening event or steam line break in containment to avoid degradation of essential equipment due to excessive temperature,

(4) Procedure changes to permit High Pressure Recycle using the main feedwater system which will lessen the dependence on the RDS, and

(5) Additional isolation valves on the Primary Coolant System.


Zion 1 and 2

Steam generator vendor: Westinghouse
Loops: 4
Containment: Dry
MWe rating: 1100
PRA study: Independent for Commonwealth Edison by Pickard Lowe & Garrick, Inc.

Sequence fault trees or cutsets were not published in the Zion PRA so that the information used for this importance ranking task was derived from sequence definitions and system descriptions. There were a large number of dominant sequences for Zion with frequencies very close together and, with the exception of one sequence *, these frequencies are all below 10 8. Since only 4 sequences contributed 5% or more to core melt, this cut-off probability excluded many sequences from the importance analysis, so the cumulative effect of many lower frequency sequences is not reflected in this analysis.

One other point of difference in this PRA is the study's contention that the containment will not fail following every core melt. Therefore, these four sequences dominate core melt frequency for this analysis but only 1 of the 4 dominates core melt with release or risk.

Three sequences are LOCA initiated (small, medium and large) followed by failure of recirculation cooling. The fourth is initiated by a seismic event which induces loss of all AC power. Only this sequence results in containment failure and a release.

With respect to core melt, system level results are dominated by operator error, the small LOCA initiator, Residual Heat Removal System and the seismic event. With progressively smaller importance measures are the medium and large LOCA initiators, combinations of hardware failures and trains or pumps out for maintenance for the Charging Pumps and Safety Injection Pumps, and Containment Sump blockage.

The two dominant human errors are failure of the operator to manually switch over to recirculation at the proper time or to stop the Refueling Water Storage Tank (RWST) Pump at Low-Low level given a medium or large LOCA. The short time frame for the medium and large LOCA creates a more stressful environment for the operator, thus having a higher failure probability. However, the frequencies of medium and large LOCAs are one and two orders of magnitude smaller, respectively, than that for small LOCAs.

The dominant failure modes of the RHRS are somewhat vaguely defined in the Zion study, but basically involve combinations of RHR Pump under maintenance with hardware failures of both trains of RHR so that pumps or motor-operated valves fail on demand.

The seismic event dominates core melt and risk and contains only two elements, the seismic event initiator and loss of all AC power. However, looking at the seismic core melt fault tree branch expansion, a Reactor Coolant Pump Seal failure will follow due to loss of service water components through failure of the pumps (directly or "indirectly" by collapse of Crib house pump enclosure roof or unavailability of the water supply from the seismic event). Similarly for diesel generator failure, the failures can be direct, loss of DC start power or "indirectly" by Auxiliary Building concrete Shear Wall failure. Direct failures and Auxiliary Building Shear Wall failures contribute to failure of onsite AC power cables. It should be noted that the single failure of the Auxiliary Building Concrete Shear Wall fails both onsite AC power cables and offsite AC power cables.

RCP seal failures were not included in the small LOCA data base though it was a contention of the study that the high frequency assumed for small LOCA initiators (3.5 x 10^-2/reactor year) implicitly accounted for this concern.

Event V, the interfacing systems LOCA, was recognized as a contributor to risk due to the potential of a large release outside of containment. The licensee did institute strategic check valve testing during the course of the study.

Indian Point 2

Steam generator vendor: Westinghouse
Loops: 4
Containment: Dry
MWe rating: 873
PRA study: Independent for Power Authority of New York and Consolidated Edison by PL&G, Inc.

Sequence fault trees and cutsets were not published in the Indian Point (IP2) PRA. Basic events were developed from sequence definitions and system descriptions.

Core Melt with Release is dominated by external events. The sequences are a seismic event resulting in loss of AC power, fire in the electrical tunnel or switchgear room, and loss of all AC power due to hurricane winds. The fire and seismic initiated events are of approximately equal importance. Since the values of basic events in these sequences were not included in the PRA, they were modelled as one event sequence for this analysis. However, some subsequent failures and failure modes were discussed.

The primary hazards in the seismic and hurricane events are loss of offsite power due to the intensity of the event and loss of control and/or auxiliary AC power. Loss of control power may occur due to the failure of panels in the ceiling of the control room during a seismic event which incapacitates the operators or the control room itself. Loss of onsite AC power can result from severe winds stripping away sheet metal building cover, thus exposing the diesel generators.

It was recognized that a fire in any of three locations (the Auxiliary Building end of the electrical tunnel, the Control Building end of the tunnel, or the switchgear room) not only fails control power, but could also fail power to the Charging Pumps, Containment Spray Pumps, Auxiliary Feedwater System, Safety Injection Pumps and Component Cooling Water pumps. It was recognized that a fire of this kind results in a small LOCA due to reactor coolant pump seal failures and subsequent core melt due to the loss of high pressure safety injection.

The same sequences along with another fire initiated sequence and loss of offsite power initiated sequence dominate core melt frequency:

Fire in the electrical tunnel right stack which would result in core melt due to RCP seal failure LOCA, determined in the study to result in no release to the environment due to the availability of containment cooling, and

Loss of offsite power and failure of emergency AC power. However, a gas turbine generator is available and can be started within hour thus providing power to containment cooling systems. The study concluded that core melt would occur but with no release to the environment.

Containment integrity was enhanced by features such as the large volume, high failure pressure, and the makeup of the containment material (basaltic concrete basemat which releases less gas upon contact with molten fuel than the more common limestone concrete and thus leads to lower post-melt-down containment pressure).


Indian Point 3

Steam generator vendor: Westinghouse
Loops: 4
Containment: Dry
MWe rating: 965
PRA study: Independent for Power Authority of New York and Consolidated Edison by PL&G, Inc.

Only one sequence was determined to be important to core melt with release. Similar to the fire sequence for Indian Point 2, this sequence is initiated by a fire in either the switchgear room or the cable spreading room. These initiators can result in a failure of power to the Charging Pumps, the Containment Spray Pumps, the Component Cooling Pumps and the Safety Injection Pumps. A small LOCA in the reactor coolant pump seals would result and the loss of the containment sprays and fans would result in containment failure. This sequence dominates risk with a probability of 1 in PWR release category 2.

Three additional sequences contributed over 5% to core melt frequency but were determined to result in no release to the environment. These sequences are initiated by LOCAs (small, medium and large) followed by failure of recirculation core cooling, either in the low pressure or high pressure mode. The Recirculation System is described as one system in the IP3 study, so no division of basic events in Low Pressure or High Pressure systems was made.

The small LOCA is ranked first of the basic events. The Recirculation System failure is dominated by a term defined as failure of all three Safety Injection pumps, followed by a term which was a factor calculated to account for undetermined unavailability of all SI pumps and motor-operated valves due to errors in design, installation, or manufacturing. These are followed by terms with much smaller importance measures, most involving hardware failure of recirculation pumps and operator error in switching or failure to switch to the Residual Heat Removal pumps.

Fire in the switchgear room or tunnel entrance of the cable room is followed by operator error. The operator error term is dominated by failure to initiate switchover to recirculation mode following a LOCA.

Interfacing Systems LOCA in the RHR suction line was identified as important to risk.


Limerick

Steam generator vendor: General Electric
Containment: Mark II
MWe rating: 1055
PRA study: Independent by GE and SAI, Inc. for Philadelphia Electric Company

This analysis was based on an early version of the Limerick PRA study. Limitations in the content and format of this study resulted in the derived cutsets and events being of a very general nature with a virtual one to one correlation between event tree terms, system terms and basic events. There was no sequence by sequence description and the quantification of the events on the event tree was not shown. In addition, the frequency of each accident sequence was divided among several containment failure modes specific to the Limerick study. There was an attempt, though, of correlating these categories to WASH-1400 BWR release categories.

Three sequences contributed 5% or more to overall core melt frequency. With respect to core melt and risk, they are ranked in the same order as are the system level terms. All three are transient initiated sequences.

The first is a loss of offsite power transient, the second a transient involving main steam isolation valve closure and the third is a turbine trip. Loss of offsite power is followed by failure of High and Low Pressure Injection Systems.

MSIV closure is followed by loss of the Feedwater System or the Condenser and failure of HPIS and the Automatic Depressurization System.

The turbine trip is followed by failure of the FWS, the HPIS and the ADS.

Failure of HPIS is ranked first, defined only by failure of the High Pressure Coolant Injection System or failure of the Reactor Core Isolation Cooling System.

These are followed by the loss of offsite power transient, Low Pressure Emergency Core Cooling System availability, Feedwater recovery, timely actuation of the ADS, MSIV closure and subsequent feedwater loss, and the turbine trip.

All of the systems (and basic events) identified have significant contributions to core melt. However, no further system or event importance insights could be derived and no quantification or description of system failures were given.

However, during the course of the Limerick PRA, a number of design and procedural weaknesses were identified and the applicant has taken steps to implement the following:

Alternate 3A ATWS Fixes (includes alternate rod insertion, recirculation pump trip, feedwater runback, scram volume instrumentation, MSIV isolation setpoint change and automatic Standby Liquid Control System along with the installation of a 3d SLC pump),

Modifications to the ADS air supply system (added redundant solenoids),

Modifications to RHR System (added crossover valves for the Service Water System), and

Procedural changes to achieve an alternate method of room cooling for the HPCI and RCIC pump rooms.


Appendix B

Discussions of Selected Topics - Insights Gained From PRA Results

B.1 Human Error

An area which is sensitive to the structure of the analysis, to both the assumptions of the study and the bias of the analyst, is human error. It has been playing an increasingly large role in risk assessment, especially in the years following the accident at Three Mile Island 2. It has been necessary at the same time to focus research on the techniques of quantification of human error probabilities. The work done for NRC by Sandia Laboratories (Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Applications, by A. D. Swain and H. E. Guttman (NUREG/CR-1278)) provides a much needed methodology for quantifying human error. However, there is still a great deal of subjectivity in the inclusion of the human in a system model and the calculated probability of error, and research is continuing with the purpose of improving the methodology of calculating human error contribution to accident sequences. For example, the treatment of human error in the Crystal River 3 Safety Study results in operator error being the dominant failure mode of the safety injection systems. A relatively high probability of error is attached to the performance of actions under accident conditions.

Specifically, the operator is subject to any of several errors in the manual switchover from the injection phase to the recirculation phase and during the phases themselves:

Premature Switchover - the operator reconfigures for recirculation too soon causing pump cavitation due to insufficient net positive suction head.

After terminating injection pumps, the operator fails to manually reinitiate injection when required.

The operator incorrectly reconfigures the system for recirculation. (See discussion of Crystal River-3 Importance Ranking)

Since these particular operator errors appear in many PRAs of plants with manual switchover, improved training and procedures, which were instituted for CR-3 operators, and automatic switchover from injection to recirculation are being considered in Generic Issue 24 - Automatic Emergency Core Cooling System Switch to Recirculation.

However, the rise to dominance of sequences involving the failure of emergency core cooling systems due to operator error is not the only impact of the estimated high probability of human error. As implied by their designation, "dominant" accident sequences are those with probabilities of occurrence which are above those of other sequences. Sometimes the difference is great and the cut-off probability value is clear. In other cases, the dominant sequences cumulatively dominate the total probability of core melt, but the difference between particular "dominant" sequences and other sequences can be small. In this case, the ECCS failure sequences are, for the most part, driven to dominance by the operator error contribution. It is therefore important to realize that the appearance of other sequences as dominant may be suppressed largely because of the assumption and calculation of the probability of human error. Investigation through sensitivity and uncertainty analyses may be particularly important in cases such as this.

For the reference PWR in WASH-1400, Surry, and a few others, the human error contributions were principally in the areas of test and maintenance activities and common cause failures. The test and maintenance contributions included actual downtime and components left in the incorrect position following test or maintenance. The common cause failures were often associated with incorrect calibrations performed on similar components. These contributions highlight the need for explicit procedures and independent checks. The common mode contribution from operator error in the control room was also included but with a lower estimated probability. There has since been work to support an increase in the probability of human error in the control room when taking into account the quality of emergency procedures and the stressful environment of accident conditions. Emergency Procedure Guidelines (EPGs) should be of substantial value in this area.

As a result of the Sequoyah risk assessment performed as part of RSSMAP, a vulnerability which can be induced by human error and particular to the design (ice condenser containment) was identified. It is a common mode failure which results in the failure of the Emergency Core Cooling Recirculation System (ECCS) and the Containment Spray Recirculation System (CSS). Between the upper and lower containment compartments are two drains which are closed during refueling. If these drains are inadvertently left closed or become clogged, water that has been sprayed into the upper compartment will be prevented from returning to the sump. Eventually all the water would be transferred to the upper compartment thus emptying the sump. In the recirculation phase both the ECCS and the CSS take suction from the sump and would, therefore, be failed when the switchover occurs. This failure mode results in dominant accident sequences accounting for 70% of the total probability of release in category 2 and 10% of the category 3 probability of release. These sequences point out the need for stringent checking procedures and fault detection capabilities.

The need for strategic testing procedures is indicated by the fact that the Interfacing Systems LOCA (check valve failures causing the high pressure primary coolant to fail the low pressure piping outside containment) remains an important sequence for Sequoyah as well as other plants. The emphasis given failure modes resulting from test and maintenance actions and procedures is evident in the number of sequences and release categories dominated by these failure modes.

The ability of the operator to recover and correct events leading to an accident sequence is another controversial and evolving part of the analysis of the role of the human in accident sequences. These activities range from the operator establishing the feed-and-bleed mode of high pressure injection to the operator manually opening valves or, upon observation of parameters displayed in the control room, manually actuating a system or component that was supposed to have received a signal for automatic actuation.

This is illustrated in the ANO-1 IREP study where the probability of the operator establishing feed-and-bleed within 20 minutes (for a Babcock and Wilcox plant) of the transient initiating event and failure of Emergency Feedwater System was optimistic in light of other human error probability (HEP) analyses for this action. The overall core melt probability was found to be sensitive to the values assumed for this and other HEPs, which implies the possibility of certain sequences and overall core melt frequency being greater due to the uncertainty in assessing operator error probabilities. Improving the reliability of the EFW system, automating the high pressure recirculation system, or improving operator training are potential ways of minimizing the HEPs in dominant accident sequences and thus reducing overall core melt frequency.

The treatment of human error was a point of discussion in the WASH-1400 and other PRA critiques and, as has been mentioned, techniques to quantify human error probability are still being refined. However, the assessments of human error contribution in these studies do point out the effect of assumptions and perceptions on the failure modes which dominate accident sequences.

B.2 Support Systems

An area that is investigated as part of determining failure modes for hardware components is that of dependency, especially undesirable dependency of redundant components on a common support system. A prime example is the dependency identified in the Crystal River 3 Safety Study of the AC power dependency of the two emergency feedwater pumps via their cooling medium, the Nuclear Services Closed Cycle Cooling System. Once recognized, Florida Power Corporation proposed self cooling designs for each pump to eliminate this dependency. This AC dependency through various support systems was found in other plants as well. The discovery of specific, not readily apparent hardware faults (system failures induced by support system faults, for example) through rigorous risk assessment techniques (fault trees, FMEAs, etc.) is one of the primary objectives of a risk assessment. Obviously, there is a trade off between resources and time and the rigor of the risk assessment methodology which must enter into the selection of the type of risk assessment to be performed, in general. This issue is addressed in Insights Into PRA Methodologies, Section III.

It has been found that another support electric power system, normal and emergency DC power, has the potential of significantly contributing to accident sequences leading to core melt.

In assessing the contribution of DC Power System failures to the core melt frequency or potential risk of nuclear power plants, several elements must be considered. Considering the DC power system alone, it is clear that the system function is of high importance. Since most plants rely heavily on DC power for plant instrumentation and control, during normal operation, a failure in the DC power system would create an unstable condition, thus potentially becoming an accident initiating event. In accident conditions initiated by another event, subsequent DC power failures can affect the progression, timing, and severity of an accident.

The treatment of DC power systems in PRAs has varied widely from very poor and cursory to much more detailed and thorough. Thus, the validity of conclusions drawn from the presentation of only numerical results would be highly questionable. Specific examples of DC power system treatment in some PRAs may provide a context for any numerical importance results and illustrate the effects that assumptions, methodology and review may have on the depiction of the DC power system importance.

For example, the original Zion Safety Study analyzed the DC power system which has two divisions per unit in addition to a fifth diesel generator, battery, and emergency DC bus which are shared by the two units. A loss of DC bus initiated sequence was modelled and quantified in the PRA. It was not found to be a significant contributor (thus the cutsets of this sequence would not be considered "dominant" cutsets). Upon review, a DC dependency of the PORVs was identified which would then constitute part of a sequence which contributed ~14% to the estimated overall core melt frequency. Upon further review and analysis, it was found that appropriate operator recovery actions could reduce this contribution to about 2%. It should be noted that the Zion Safety Study DC power system modelling did not contain consideration of failures due to common cause or human error. Therefore, while the examination of PRA results in this report does provide us with insights, it is possible that many PRAs have understated the relative importance of DC power.

Because of the intrinsic importance of electrical power to plant safety functions, these uncertainties should be considered in evaluating results.

Keeping this in mind, it may still prove helpful to examine the results of importance ranking and failure modes of the DC power system as presented in the PRAs analyzed. Of the 15 PRAs, only a few plants contained DC power in the importance rankings. At this point, it does not appear that the absence of DC power in the rankings indicates negligible importance of DC power systems but rather indicates that closer attention should be given to modelling of DC power and the effects of DC Power System faults.

The ANO-1 study, in our judgement, contains a more thorough and careful analysis of DC power than previous risk assessments. The system consists of two divisions with two normal battery chargers (one standby) and no ability to cross-tie DC buses.* For ANO-1, the rank of the importance measure of the DC power system reflects the high contribution of cutsets containing DC power failures. The DC failure elements of the dominant cutsets were combinations of local faults of DC buses and batteries, but were dominated by a common mode failure of both station batteries. However, in the ANO-1 report, failure of a single DC bus, treated as an accident initiator, was identified as important since this can cause a reactor trip initiating event with concomitant failure of several safety system trains.

Results in NUREG-0666, "A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants," indicated that one of the potential causes for failure of multiple station batteries was a common mode test and maintenance error. This possibility was found to exist at the ANO-1 plant and as a result of the ANO-1 IREP study, quarterly tests of the two station batteries are now required to be performed on a staggered basis, i.e., one battery every six weeks. (See ANO-1 Importance Ranking) Previously, the procedure allowed both batteries to be tested on the same day by the same personnel. In addition, AC and DC switchgear room cooler actuation circuitry are now required to undergo a complete test. The previous test procedure omitted a portion of the circuitry.

* Cross-tied DC buses which allow transferring of bus faults was a common mode failure discussed in NUREG-0666. The reduced ability to cross-tie buses is also true for Zion where interlocks minimize the likelihood of this occurrence.

Another potential problem was identified concerning the actual energy capacity of the station batteries. Normally, the DC system is powered from the AC system through the battery chargers. Unless the AC supply is interrupted, the capacity of the batteries is ambiguous. Although the battery output voltage is monitored, it is not clear whether this reflects the discharge voltage of the battery itself or that which the charger is supplying. This monitoring may not adequately characterize battery status.

The Crystal River-3 (CR-3) Safety Study analysis considered DC power only in the context of a failure event subsequent to loss of AC power (offsite). The DC power system is a two train system with two normal battery chargers (one standby). Though many areas of potential degradation or failure were noted, they were not modelled and quantified due to the assumption that an operating system is constantly monitored and failures would be detected quickly. Potential degradation or failure could occur in various ways:

Work on a charger requires that it be disconnected from the DC bus. Maintenance personnel may leave the switch, which disconnects charger from the bus, in the "off" position. However, when maintenance is being performed on a charger, the spare charger is switched on line. After work is completed, the original charger might not be placed back on line even though the spare charger has been disconnected. This condition can be discovered during daily check of charging voltage. During the time a battery is not on float charge, loads will be supplied by the battery itself causing degradation in battery capability.

Batteries are housed in rooms requiring ventilation. Loss of ventilation can cause batteries to fail or degrade and possibly a significant (explosive) mixture of hydrogen can develop if charging continues after loss of ventilation.

During equalizing charge, excess voltage may be applied and possibly severely damage the battery.

During tests for grounds, all or part of the battery may be taken off line (momentarily).

Cells may be jumpered for test or maintenance and jumpers may not be removed which could degrade battery capability.

These and any other common mode or human error failures were not explicitly modelled in the DC power system analysis nor was the ability to cross-tie buses addressed.

Realizing that the role of DC Power may have been understated in the modelling, the importance measure for DC power at CR-3 was ranked fifth of six events. This is due entirely to the identification of a DC power dependency involved in a dominant sequence which contributed ~15% to the estimated core melt frequency. The sequence is initiated by a loss of offsite power (with no recovery modelled). In the sequence cutset, the CR-3 DC power system is completely characterized by battery B. Failure of battery B fails both the B diesel generator (the breaker connecting the bus fails to close) and the turbine driven emergency feedwater pump. With simultaneous failure of diesel A, emergency cooling is dependent on the availability of emergency AC power from the Crystal River Fossil Units 1 and 2 at the site.

For this loss of offsite power case, the unavailability of the batteries dominates the unavailability of each DC train. Though discharge (by contact making ammeters) and charging current are checked each shift, voltage, specific gravity and electrolyte level of each battery cell are measured once each quarter. Pilot cells are checked weekly.

The Millstone 1 DC power system is composed of two systems, the 125 volt DC station battery system and the +24 volt DC system. The normal source of +24 volt DC power when AC is available is through the battery chargers, one of which is connected to each of four batteries. There are no ties or cross connections.

Considering the AC and DC power systems as being dependent on each other, the three battery chargers and their associated AC feeds were deliberately left out of the DC power fault tree. DC power was ranked last out of the 12 front line and support systems with regard to importance to core melt frequency. Though it was determined in the Millstone study that loss of a DC bus would not cause a reactor trip, and thus not contribute to accident initiation, an important DC dependency was identified. The dependency of the Isolation Condenser (IC) on a single DC power source contributed to certain station blackout scenarios. The reason for this is that the IC return valve gets its power from DC battery A, as do all the breakers on the diesel generator emergency power train. Thus, failure of battery A fails both the IC and the diesel train. This, combined with the gas turbine train failure, disables all AC power in the plant plus the DC powered IC. (This fault was rectified by the utility. See Millstone 1 Importance Ranking.)

In the case of the Limerick PRA, the DC power system was not identified as a significant contributor to core melt frequency nor did it show up in the importance measure ranking. In this case, the lack of dominant cutsets containing DC power failures may not be due to poor modelling but rather due to the design of the DC power system at Limerick. Limerick has a highly redundant system with four divisions, four diesels, and four batteries per plant. In addition, the probability of recovery of AC power at various times during the sequence was modelled.

In our judgement, the review of results of PRAs indicates the potential for DC power system failures having high importance and significantly contributing to accident scenarios leading to core melt on a plant specific basis. Much more attention should be given to the modelling of DC power systems in PRAs and the effects of the modelling should be carefully reviewed and analyzed. This is especially true in looking for DC power failures as initiating events, DC dependencies of front line mitigating systems or components, test and maintenance practices, human errors and common mode failures as well as design or hardware faults.

The focus on support system dependencies has widened greatly due to the increasing awareness of the importance and effects of support system faults and failures on normally operating and emergency systems. Additional areas are receiving a greater degree of investigation such as Heating and Ventilation Systems and Cooling/Service Water Systems. Heating and ventilation can be vital to sustain an environment in which components are operable, especially in consideration of the mission time for various accident scenarios.

Failure of Cooling Water and Service Water Systems can themselves be accident initiating events while simultaneously failing mitigative systems. For example, failure of Component Cooling Water not only contributes to failure modes of ECCS pumps but may also induce a Reactor Coolant Pump Seal LOCA (see section B.3, Initiating Events, for discussion regarding RCP seal failure LOCAs). This is in addition to the significant role cooling/service water systems play in accident scenarios resulting from other initiating events (transients and LOCAs). This is illustrated by the contribution to failure of decay heat removal from failures in the Residual Heat Removal Service Water System in the Browns Ferry results, as well as for other plants, and other events such as failure of diesel generator cooling, pump cooling, and room cooling. The importance of cooling water systems is discussed further in the following section, B.3, on initiating events.


B.3 Initiating Events

As mentioned in the previous section, there has been an increasing awareness of the failure of support systems having the potential to initiate an accident sequence. As seen in the results of the ANO-1 IREP analysis, four dominant sequences, with respect to both core melt and risk, are transients initiated by an Engineered Safeguards DC buses. This is an example of the initiating event of a sequence contributing to the failure of mitigating systems for that sequence. The list of mitigating events considered in PRA has expanded to those which, alone or in combination with other system failures, disable systems needed to mitigate the accident sequence events.

Another area which has come into recognition as an important contributor and initiator of accident sequences is that of Reactor Coolant Pump Seal failures. Seal failures can occur as a result of failures in support systems (i.e., Component Cooling, Seal Injection Pumps) and can also be the primary initiating event. Seal failure has resulted in a loss of primary coolant to the containment at flow rates greater than normal makeup capacity of the plant, thus constituting a small LOCA. With small LOCAs often being a major contributor to core melt frequency, the added consideration of seal failures may well add to sequence and overall core melt frequency. In the ANO-1 results, an RCP seal LOCA initiated sequence was ranked second with regard to core melt frequency. A point of discussion in the ANO-1 Insights review is the absence in the small LOCA data base of several seal failures experienced at ANO-1.

It follows that loss of component cooling, as mentioned in section B, Support Systems, can also be considered an initiating event. In the Zion and Indian Point PRAs and reviews, loss of CCWS causes small LOCA and disables injection. The information gleaned from these PRAs resulted in the identification of this issue as a Generic Issue 23 with a safety priority ranking of "high." RCP seal failures are also receiving more attention in Station Blackout (Loss of normal AC and emergency AC power) sequences since the loss of seal injection due to loss of component cooling could result in a small LOCA with no AC powered containment cooling systems available.

In some plants, such as Zion, loss of service water is also a focus of support system failure initiating event since service water provides cooling for both the component cooling water and the diesel generators. With concomitant loss of offsite power, it again becomes a case of a small LOCA (RCP seal failures) with no AC powered ECCS or containment cooling systems.

These are a few examples of increased awareness of potential accident initiators which may degrade mitigating systems gleaned from information derived from system analyses and fault trees performed during the course of PRAs.


B.4 External Events

One of the most obvious changes in PRAs is the increased and detailed attention given to accident sequences initiated by external events (earthquake, fire, flood (internal as well as external flooding are considered in external events), tornadoes, etc.). Many of the early PRA programs concentrated exclusively on internal initiators, primarily LOCAs and transients. The most recent industry sponsored PRAs have included external events analyses, though the greatest uncertainty is associated with these analyses. We are still on the learning curve of quantifying the frequency and consequences of these events, though some have been foci of much work to date, as in the case of fire for example. Fire was found to be a dominant contributor to core melt and risk in the Indian Point PRA, emphasizing the importance of fire protection and separation of redundant systems and components such as electrical cables.

Seismic initiated sequences are important in both Zion and Indian Point PRAs, inducing loss of AC power for Zion. The primary hazards identified in the seismic and hurricane events for Indian Point are loss of offsite power due to the intensity of the event and loss of control power or emergency AC power. Loss of control power may occur due to the failure of panels in the ceiling of the control room during a seismic event which incapacitates the operators or the control room itself. Loss of onsite AC power can result from severe winds stripping away sheet metal building cover thus exposing the diesel generators.

NUREG/CR-4405
BNL-NUREG-51931

PROBABILISTIC RISK ASSESSMENT (PRA) INSIGHTS

R. FITZPATRICK, L. ARRIETA, T. TEICHMANN, P. DAVIS

DATE PUBLISHED - DECEMBER 1985

DEPARTMENT OF NUCLEAR ENERGY
BROOKHAVEN NATIONAL LABORATORY
UPTON, NEW YORK 11973

PREPARED FOR U.S. NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

NUREG/CR-4405
BNL-NUREG-51931

PROBABILISTIC RISK ASSESSMENT (PRA) INSIGHTS

R. FITZPATRICK, L. ARRIETA, T. TEICHMANN, P. DAVIS

MANUSCRIPT COMPLETED - NOVEMBER 1985
DATE PUBLISHED - DECEMBER 1985

DEPARTMENT OF NUCLEAR ENERGY
BROOKHAVEN NATIONAL LABORATORY
UPTON, NEW YORK 11973

INTERMOUNTAIN TECHNOLOGIES, INC.

PREPARED FOR U.S. NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555
CONTRACT NO. DE-AC02-76CH00016
FIN A-3796

ABSTRACT

Four different probabilistic risk assessments (PRAs) have been briefly reviewed with the broad objective of ascertaining what insights might be gained (beyond those already documented in the PRAs) by an independent evaluation. This effort was not intended to verify the specific details and results of each PRA but rather, having accepted the results, to see what they might mean on a plant-specific and/or generic level. The four PRAs evaluated were those for Millstone 3, Seabrook, Shoreham, and Oconee 3. Full detailed reviews of each of these four PRAs have been commissioned by the NRC, but only two have been completed and available as further input to this study: the review of Millstone 3 by LLNL and the review of Shoreham by BNL.

The review reported here focused on identifying the dominant (leading) initiators, failure modes, plant systems, and specific components that affect the overall core melt probability and/or risk to the public. In addition, the various elements of the methodologies employed by the four PRAs are discussed and ranked (per NUREG/CR-3852). PRA-specific insights are presented within the report section addressing that PRA, and overall insights are presented in the Summary.

TABLE OF CONTENTS

ABSTRACT
LIST OF FIGURES
LIST OF TABLES
ACKNOWLEDGMENTS
EXECUTIVE SUMMARY
INTRODUCTION

1. INSIGHTS FROM THE MILLSTONE 3 PROBABILISTIC SAFETY STUDY
1.1 Introduction
1.2 Internal Events
1.2.1 Overall Results
1.2.2 Dominant Sequences
1.2.3 Initiating Events
1.2.4 System and Component Failures and Failure Modes
1.3 External Events
References

2. INSIGHTS FROM THE SEABROOK STATION PROBABILISTIC SAFETY ASSESSMENT
2.1 Introduction
2.2 Internal Events
2.2.1 Overall Results
2.2.2 Dominant Sequences
2.2.3 Initiating Events
2.2.4 System and Component Failures and Failure Modes
2.3 External Events
References

3. INSIGHTS FROM THE SHOREHAM PROBABILISTIC RISK ASSESSMENT
3.1 Introduction
3.2 Internal Events
3.2.1 Overall Results
3.2.2 Dominant Sequences
3.2.3 Initiating Events
3.2.4 System and Component Failures and Failure Modes
3.3 Risk
References

4. INSIGHTS FROM THE OCONEE 3 PROBABILISTIC RISK ASSESSMENT
4.1 Introduction
4.2 Internal Events
4.2.1 Overall Results
4.2.2 Dominant Sequences
4.2.3 Initiating Events
4.2.4 System and Component Failures and Failure Modes
4.3 External Events
4.4 Risk
References

5. DISCUSSION AND RANKING OF THE VARIOUS ELEMENTS OF THE M
5.1 Introduction
5.2 Discussion of the Elements of the Methodologies
5.2.1 Identification of Initiating Events
5.2.2 Estimation of Frequency of Initiating Events
5.2.3 Event Tree Modeling Technique
5.2.4 Aggregation of Initiating Events
5.2.5 Hardwired System Dependency Analysis
5.2.6 System Interaction Analysis
5.2.7 Treatment of the Post-Accident Heat Removal Phase
5.2.8 Evaluation of Human Errors During Normal Operation
5.2.9 Evaluation of Human Errors During an Accident
5.2.10 Common Mode Analysis
5.2.11 Treatment of Recovery
5.2.12 Modeling of AC Power Systems
5.2.13 Modeling of Logic (Actuation) Systems
5.2.14 Common Cause
5.2.15 Component Reliability Data Base
5.2.16 Use of Demand Failure Probabilities
5.2.17 Use of Means Versus Use of Medians
5.2.18 System Success Criteria
5.2.19 Treatment of Test and Maintenance Outages
5.2.20 Environmental Qualification
5.2.21 External Event Methodology
5.2.22 Source Terms
5.3 Comparison and Ranking of PRA Methodologies for the Four Plants

6. SUMMARY

Appendix A: DETERMINATION OF LATENT FATALITY RISK (AT >1000 FATALITIES) CONTRIBUTION FOR SEABROOK


LIST OF FIGURES

1.1 Comparison of Millstone 3 early fatality risks, external vs internal events
1.2 Comparison of Millstone 3 latent fatality risks, external vs internal events
2.1 SSPSA risk of early fatalities
2.2 Risk of latent cancer fatalities (other than fatal thyroid cancers)
4.1 Oconee Unit 3 risk curves for all internal initiating events: (a) latent-cancer fatalities and (b) early fatalities
4.2 Oconee Unit 3 risk curves for external initiating events (modified plant): (a) latent-cancer fatalities and (b) early fatalities


LIST OF TABLES

1.1 Millstone 3 Transient Initiator List
1.2 Millstone 3 Dominant Accident Sequences Contributing to Core Melt, Early Fatalities, and Latent Fatalities for Internal Events
1.3 Initiating Event Categories - Contribution to Core Melt Probability (Internal Events Only)
1.4 System and Component Failure Contributions to Millstone 3 Sequences Dominating Core Melt Probability (Internal Events Only)
1.5 System and Component Failure Contributions to Millstone 3 Sequences Dominating Latent Fatality Risk (Internal Events Only)
1.6 System and Component Failure and Failure Mode Contributions to Core Melt Probability (Internal Events Only)
1.7 System and Component Failure Contributions to Latent Fatality Risk (Internal Events Only)
1.8 Summary of System and Component Failures and Failure Mode Contributions to CMP (Internal Events Only)
1.9 Summary of System and Component Failures and Failure Mode Contributions to Latent Fatality Risk (Internal Events Only)
1.10 External Event Initiators Considered in the PSS
1.11 Summary of External Event Risks from Seismic Events for Millstone 3
1.12 Summary of External Event Risks from Fires
2.1 Seabrook Transient Initiator List
2.2 Seabrook Dominant Accident Sequences Contributing to Core Melt, Early Fatalities, and Latent Fatalities for Internal Events
2.3 Dominant Accident Sequences Grouped by Initiating Event (Internal Events Only)
2.4 System and Component Failure Contributions to Seabrook Sequences Dominating Core Melt Probability (Internal Events Only)
2.5 System and Component Failure Contributions to Seabrook Sequences Dominating Latent Fatality Risk (Internal Events Only)
2.6 System and Component Failure and Failure Mode Contributions to Core Melt Probability for Seabrook (Internal Events Only)
2.7 System and Component Failure Contributions to Latent Risk for Seabrook (Internal Events Only)
2.8 Summary of System and Component Failures and Failure Mode Contributions to CMP for Seabrook (Internal Events Only)
2.9 Summary of System and Component Failures and Failure Mode Contributions to Latent Fatality Risk for Seabrook (Internal Events Only)
2.10 External Event Initiators Considered in the SSPSA for Seabrook
2.11 Summary of External Event Risks from Seismic Events for Seabrook
2.12 Summary of External Event Risks from Fires for Seabrook
3.1 Summary of the Categories of BWR Transients Used in SNPS-PRA
3.2 Other Postulated Low Frequency Transients
3.3 Leading Sequences for Contribution to CMP from Shoreham PRA Review (Internal Events)
3.4 Accident Sequences for Shoreham Grouped by Initiating Event Timing (Internal Only)
3.5 Initiating Event Categories Contribution to Core Melt (Internal)
3.6 System and Component Failure Contributions to Shoreham Leading CM Sequences
3.7 Total System and Component Failure Contributions from Leading Cut Sets
3.8 Failure Mode Contribution to CMP from Leading Cut Sets
3.9 System Contribution to CMP from Leading Cut Sets
3.10 Component Contribution to CMP from Leading Cut Sets
3.11 Summary of Release Parameters for Ex-Plant Consequences
3.12 Summary of Shoreham Release Categories with Potentially Severe Radiological Impact
3.13 Description of the Severe Release Categories Identified by the Shoreham PRA
4.1 Internal Initiating Events for the Oconee PRA
4.2 Leading Sequences for Contribution to CMP - Oconee 3 (Internal Events)
4.3 Mean Annual Core Melt Frequencies for Internal Initiating Events
4.4 Internal Initiating Event Categories--Contribution to Core Melt Probability
4.5 System and Component Failure Contributions to Oconee 3 Sequences Dominating Core Melt Probability (Internal Events)
4.6 Total System and Component Failure Contribution to CMP from Leading Sequences
4.7 Failure Mode Contribution to CMP from Leading Sequence/Cut Sets (Oconee)
4.8 System Contribution to CMP from Leading Sequence/Cut Sets (Oconee)
4.9 Component Failure Contribution to CMP from Leading Sequence/Cut Sets
4.10 Mean Annual Core Melt Frequencies for External Initiating Events
4.11 External Events - Oconee
4.12 Summary of Oconee Release Categories
4.13 Summary of Consequence Ranges for Which Release Categories Affect Risk Curves
5.1 Comparison and Ranking of PRA Methodologies for Four Plants
A.1 Contribution of Release Categories to Risk of Latent Cancer Fatalities for Seabrook
A.2 Contribution of Release Categories to Plant Damage States
A.3 Contribution of External Events to Seabrook Plant Damage States

l i .

_ - - = -

l j  !

! lx

ACKNOWLEDGMENTS This work was performed for the Reliability and Risk Assessment Branch (RRAB) of the U.S. Nuclear Regulatory Commission. Ms. Sarah Davis of RRAB was the technical monitor of the Project. The authors would like to acknowledge the guidance and constructive commentary provided by Ms. Davis throughout this effort. The authors would also like to express their appreciation to Cheryl Conrad, Nancy Nelson, and Sheree Flippen for their untiring efforts in coordinating and typing this document.


EXECUTIVE SUMMARY

This review of four probabilistic risk assessments (PRAs) with the goal of gaining insights into nuclear plant safety, nuclear plant vulnerabilities, and PRA methodologies was conducted by Brookhaven National Laboratory (BNL) under the sponsorship of the U.S. Nuclear Regulatory Commission. The four PRAs under investigation are those for Millstone 3, Seabrook, Shoreham, and Oconee 3. This effort was not intended as a vehicle for verifying the specific details and results of these PRAs, but rather -- having accepted the results of the PRAs -- for ascertaining what the results might mean on a plant-specific and/or generic basis. For two of the four PRAs, those for Millstone 3 and Shoreham, NRC-sponsored reviews had been completed and documented, and these were utilized in the effort; for the other two, the reviews had not been completed.

This review focused on identifying the dominant (leading) initiators, failure modes, plant systems, and specific components that affect the overall core melt probability and/or risk to the public. Each PRA was analyzed with respect to these items, and plant-specific insights were drawn from the results. In addition, the various elements of the methodologies employed by the four PRAs were discussed and ranked (per NUREG/CR-3852, "Insights into PRA Methodologies").

Perhaps the most important insight with respect to nuclear safety was the following, derived from the Oconee PRA:

The core melt probability and public risk associated with the interfacing systems LOCA (event V), as demonstrated in the Oconee PRA, can be substantially reduced by appropriate selection of operating configuration and testing procedures and prohibition of testing of the interfacing valves with the reactor at power/pressure.

The following are other overall insights gained from this study. (Plant-specific insights are discussed in connection with each PRA).

All four PRAs were carried out with numerous refinements over the WASH-1400 effort and have yielded more realistic results.

The core melt probability due to internal events is identical (within error bounds) for three of the plants and relatively close for the fourth (Seabrook).

With the possible exception of the low pressure service water system initiator at Oconee, none of the PRAs shows any internal events to be "outliers."

The dominant risk sequences represent only a small fraction (typically less than 15) of the total contribution to core melt probability (CMP) and are characterized by loss of the containment function due to direct bypass or overpressurization.

In the two PRAs (Millstone and Seabrook) which specifically documented risk contribution by sequence, interfacing systems LOCA accounts for 98% of the total contribution to early fatalities. Although not specifically quantified, the Shoreham PRA appears to identify large LOCA with early suppression pool failure as its leading contributor to early fatalities.

The leading contributors to latent fatalities would appear to be interfacing systems LOCA, large LOCA with early containment failure, station blackout greater than six hours and RCP seal LOCA.

The Shoreham PRA insights listed in Section 3 are driven to a large extent by one major assumption within the PRA. The PRA has adopted a generic failure to scram probability from NUREG-0460 and assumes the common mode failure of the control rods to insert to be the only contributor. The PRA states that a Shoreham-specific analysis was done and that the results were on the order of 25% lower than the NUREG but were not used in the study. Had these results been used, the CMP as well as the dominant sequences, failure modes, system failures, and component failures would all be affected.

The various plant PRAs show wide variance as to what internal accident initiators dominated the CMP. For the Shoreham boiling water reactor (BWR), anticipated transient without scram (ATWS) dominated and loss of coolant accidents (LOCAs) were insignificant. For Oconee, LOCAs contributed approximately 30% of the CMP and a large LOCA contributed 1.5 times as much as a small LOCA. Even the two Westinghouse plants (Seabrook and Millstone) were considerably different from one another. The Seabrook and the Millstone PRAs both found the CMP contribution of a small LOCA greater than that of a large LOCA, but a small LOCA contributed 11% in Seabrook and 24% in Millstone.

The CMP and the percentage contribution from internal and external initiators are shown below for the four PRAs analyzed.

| Plant | Total Core Melt Probability (CMP) | Contribution from Internal Initiators (%) | Contribution from External Initiators (%) |
|---|---|---|---|
| Millstone | 5.89E-05 | 76.4 | 23.6 |
| Seabrook | 2.30E-04 | 80.0 | 20.0 |
| Oconee | 2.54E-04 | 21.3 | 78.7 |
| Shoreham | 5.50E-05 | 100.0 | * |

* The study did not consider external events.

The main insight drawn from these results is that the usual percentage breakdown of the contribution of internal versus external initiators of about 80/20 was fully reversed in the Oconee study. The Oconee results are for the modified plant; the external initiator dominance (mainly internal floods) was even more dominant in the original plant.

INTRODUCTION This report summarizes the findings of an investigation of four probabilistic risk assessments (PRAs), those for Millstone 3, Seabrook, Shoreham, and Oconee 3, performed by Brookhaven National Laboratory (BNL) for the Reliability and Risk Assessment Branch of the U.S. Nuclear Regulatory Commission. The objectives of this work were 1) to identify and rank initiators, systems, components, and failure modes from dominant accident sequences according to their contribution to core melt probability and public risk; 2) to break down the various elements of the methodologies employed and evaluate and rank them in accordance with the guidelines of NUREG/CR-3852, "Insights into PRA Methodologies"; and 3) to derive from this process plant-specific, methodological, and generic insights. This effort was not intended to verify the specific details and results of each PRA but rather -- having accepted the results -- to see what they might mean on a plant-specific and/or generic basis. The NRC has sponsored full detailed reviews of each of these PRAs, but only two, those for Millstone 3 and Shoreham, were completed and fully documented in time to allow their incorporation into this effort.

Millstone 3 was in its latter phases of construction when the PRA was completed. It is a Westinghouse pressurized water reactor (PWR) and shares a coastal Connecticut site with two other operating nuclear power plants, Millstone 1, a General Electric boiling water reactor (BWR), and Millstone 2, a Combustion Engineering PWR. Section 1 of this report presents an analysis of the dominant accident sequences with respect to core melt probability (CMP) and public risk, provides a breakdown of initiators, failure modes, systems, and components related to the dominant sequences, and lists the insights derived from this effort.

Seabrook was also in a construction phase when its PRA was completed. It is a Westinghouse PWR, located on a coastal New Hampshire site. Section 2 provides a review analogous to that for Millstone, with the major difference that internal and external initiating events, which were not separated in the Seabrook PRA, were separated in this report to be consistent with the other report sections. Because of the format of the results in this PRA, the contribution to latent fatalities from external events could not be ascertained in a straightforward way; the method used to determine it is described in Appendix A.

Shoreham also was in a construction phase when the PRA was completed. It is a General Electric BWR, located on Long Island, New York, on the coast of Long Island Sound. Section 3 provides a review analogous to that for Millstone with the following differences: 1) the Shoreham PRA considered only one external initiating event, flooding at level 8 in the reactor building, and combined this with the internal events, and 2) it stopped short of a public risk assessment by providing only the expected radiological releases by release category.

Oconee 3, a Babcock & Wilcox PWR, is the only fully operational plant of the four in this study. It shares an inland site in South Carolina with two other nuclear power plants, Oconee 1 and Oconee 2, that are essentially identical to it. Unique features here include a dam and reservoir at the site and an earthen dam upstream of the site. Since the lower levels of the turbine building are below the level of the reservoir, turbine building flooding is the dominant core melt initiator for this plant. Section 4 provides a review of the Oconee 3 PRA analogous to the others.

In Sections 1 through 4 of this report, insights have been derived on a plant by plant (PRA by PRA) basis. Insights derived by any of the PRAs or their reviews (where available) were, to the extent practicable, not repeated here.

In Section 5 the four PRAs are compared in terms of the various methodologies applied by each to accomplish the same goals. Table 5.1 explicitly ranks each PRA per NUREG/CR-3852, "Insights into PRA Methodologies," and includes some additional categories. The latter were added in the evaluation of the methodologies by the project team to provide greater breadth to the comparison and include some aspects of external events, a subject not addressed in the NUREG report.

Section 6 provides a brief summary of the effort and lists the insights derived from the four PRAs taken as a whole, and those from the individual PRAs that were thought to be worth highlighting.

1. INSIGHTS FROM THE MILLSTONE 3 PROBABILISTIC SAFETY STUDY

1.1 Introduction

This section presents an overview of the results from the Millstone 3 Probabilistic Safety Study (PSS)1 and selected insights derived from these results. It also includes comparative results and insights from a review of the PSS performed by Lawrence Livermore National Laboratory (LLNL) for the NRC.2 It is not the purpose of this effort to review the PSS or to judge the validity of the LLNL review. Rather, the results from both the PSS and the LLNL review are used as is, and the insights are based entirely on these results.

Following a brief overview of the PSS and LLNL results, the leading accident sequences contributing to both core melt probability and risk (of early and late fatalities) are examined in detail to obtain the following insights:

  • Relative significance of initiating events.

  • System and component failure contributions to leading accident sequences.

  • Failure mode (i.e., human error, random, dependent, etc.) contributions to leading accident sequences.

In conjunction with these insights, additional perspective is provided, as appropriate, regarding the relative significance of leading sequences and the different characteristics of the accident sequence "mix" for core melt probability and risk. The results for internal and external accident initiating events are considered separately. This is in accordance with discussions in the PRA reference document and is also consistent with a similar separation in the PSS itself.

1.2 Internal Events

This section presents results and insights from internal initiating events. Internal initiators are defined in the PSS as loss-of-coolant accidents and transients, where transients are confined to those disruptions listed in Table 1.1 (reproduced from Table 11-2 of the PSS).

1.2.1 Overall Results

According to Volume 1, Section V, of the PSS, the total core melt probability from internally initiated accidents is 4.5E-5/reactor-year. The PSS does not provide a value for the individual risk of early and latent fatalities, but Volume 1 includes curves of exceedance frequency vs number of fatalities (both early and latent) which are compared with WASH-1400 results. The PSS results for both are significantly less (by more than a factor of 10) than those in WASH-1400. Figure 1.1 shows a comparison of early fatality risk, with the 50% and 90% confidence levels. Figure 1.2 is a similar plot for latent fatality risk.

Table 1.1 Millstone 3 Transient Initiator List

1. Control Rod Drive Mechanism Break or Failure
2. Control Rod Ejection
3. Control Rod Withdrawal
4. Control Rod Drop
5. Control Rod Drive Mechanism Malfunction
6. Reactor Coolant Pump Trip
7. Reactor Coolant Pump Locked Rotor
8. Multiple Reactor Coolant Pump Trips
9. Reactor Coolant Pump Shaft Failure
10. Startup of Inactive Coolant Pump
11. CVCS Malfunction - Boron Dilution
12. Inadvertent Safety Injection Signal
13. High or Low Pressurizer Pressure
14. High or Low Pressurizer Level
15. Reactor Trip - Spurious Trip, Unknown Cause
16. Reactor Trip - Manual Trip, Operator Error
17. Reactor Trip - Pressure, Temperature or Power Imbalance
18. Reactor Trip - Auto Trip Hardware Error
19. Loss of Component Coolant
20. Loss of Instrument Air
21. Loss of Service Water
22. Loss of Circulating Water
23. Loss of Condenser Vacuum
24. Loss of Offsite Power
25. Loss of Essential Service Buses
26. Loss of One or More Condensate Pumps
27. Reduction in Feedwater Flow
28. Reduction in Feedwater Temperature
29. Total Loss of Feedwater
30. Increase in Feedwater Flow in One or More Loops
31. Full or Partial Closure of One or More MFWIV
32. Closure of All MFWIVs
33. Feedwater Flow Instability - Operator Error
34. Feedwater Flow Instability - Miscellaneous Mechanical Causes
35. Miscellaneous Leakage in Secondary System
36. Condenser Leakage
37. Feedwater Line Break Downstream of MFWIV
38. Feedwater Line Break Upstream of MFWIV
39. Steam Line Break Downstream of MSIVs
40. Steam Line Break Upstream of MSIVs
41. Full or Partial Closure of One or More MSIV
42. Closure of All MSIVs
43. One or More Steam Generator Relief Valves Fails Open
44. One or More Steam Generator Safety Valves Fails Open
45. One or More Steam Dump Valves Fails Open
46. Automatic Turbine Trips
47. Throttle Valve Closure - EHC Control Problems
48. Generator Trip or Generator Caused Faults
49. Throttle Valve Opening - EHC Control Problems
50. Reduction of External Load
51. Loss of External Load
52. Turbine Generator Overload
53. Full or Partial Control Bus Failure

Figure 1.1 Comparison of Millstone 3 early fatality risks, external vs internal events. (Plot not reproduced; curves shown for internal events and external events.)

Figure 1.2 Comparison of Millstone 3 latent fatality risks, external vs internal events. (Plot not reproduced; curves shown for internal events and external events.)

1.2.2 Dominant Sequences

Table 1.2, reproduced from Table V-1 of the PSS, lists accident sequences that are leading contributors to core melt probability, early fatalities (>100), and latent fatalities (>1000). It provides some interesting insights relative to the significance of individual accident sequences and the mix of sequences contributing to core melt probability vs risk:

  • No single sequence makes a very large contribution to core melt probability. The leading sequence contributes only 8.5% to the total, and the ten leading sequences together contribute less than 50% (43.1%).

  • One single sequence (interfacing systems LOCA) overwhelms all others with regard to early fatalities, contributing 99.8% to the total.

  • Two sequences (ranked five and six in the first column) dominate the contribution to latent fatalities (46.3%), and six others are significant contributors (greater than 2%).

  • The top six leading contributors to core melt probability include significant contributors also to early fatalities (99.8% contribution from Sequence 5) and latent fatalities (46.3% contribution from Sequences 5 and 6).

1.2.3 Initiating Events

Table 1.3, constructed from information in the LLNL review,2 provides a breakdown of core melt contributors in which accident sequences have been "binned" on the basis of common accident initiating events. It gives the aggregate probability of all sequences in each category as estimated by the PSS and by the LLNL review. The last two columns show that the categories used contribute 96% to the total core melt probability in the PSS and 89% in the LLNL review.

  • Transients and small LOCAs dominate core melt probability. In the PSS, transients contributed more than half of the total CMP, and small LOCAs about a quarter. In the LLNL review, transients and small LOCAs were also found to be dominant, but the small LOCA initiators were more significant.

  • For early fatalities, the total probability comes almost entirely (99.8%) from the contribution of a single sequence which is initiated by an interfacing systems LOCA.

1.2.4 System and Component Failures and Failure Modes The contribution to core melt probability and_ cisk h %dividual system and component etc.), were examined. failures, as weH as failure modes (human error, dependencies, Table 1.4 lists the contribution from system and component failures to each of the ten core melt probability sequences (1 through 10 of Table 1.1).


Table 1.2 Millstone 3 Dominant Accident Sequences Contributing to Core Melt, Early Fatalities, and Latent Fatalities for Internal Events

Rank with Respect to Core Melt Frequency | Sequence Description | Mean Annual Frequency | Percent Contribution to Core Melt Frequency | Percent Contribution to Early Fatalities (at >100 Fatalities level) | Percent Contribution to Latent Fatalities (at >1000 Fatalities level)
1 | Medium LOCA: Failure of High-Pressure Recirculation | 3.87E-6 | 8.5 | <0.1 | <0.1
2 | Loss of Vital DC Bus 1 or 2: Failure of Auxiliary Feedwater, Failure of Bleed and Feed Cooling | 2.20E-6 | 4.9 | <0.1 | <0.1
3 | Loss of Vital AC Bus 1 or 2: Failure of Auxiliary Feedwater, Failure of High-Pressure Recirculation | 1.98E-6 | 4.4 | <0.1 | <0.1
4 | Loss of Vital AC Bus 3 or 4: Failure of Auxiliary Feedwater, Failure of High-Pressure Recirculation | 1.98E-6 | 4.4 | <0.1 | <0.1
5 | Interfacing Systems LOCA: Failure of RHR Inlet Valves | 1.90E-6 | 4.2 | 98.4 | 27.9
6 | Loss of Offsite Power: Failure of Both Diesel Generators, Failure to Recover Power in Six Hours, Failure of Quench Spray Recovery | 1.65E-6 | 3.6 | <0.1 | 18.4
7 | Loss of Offsite Power: Failure of One ESF Bus, Steam Line Break Inside Containment, Failure of Auxiliary Feedwater, Failure of Primary Bleed Through PORVs | 1.63E-6 | 3.6 | <0.1 | <0.1
8 | Steam Line Break Outside Containment: Failure to Isolate Main Steam Line, Failure of Primary Bleed Through PORVs | 1.55E-6 | 3.4 | <0.1 | <0.1
9 | Small LOCA: Failure to Control Primary Depressurization, Failure of High-Pressure Recirculation | 1.39E-6 | 3.1 | <0.1 | <0.1
10 | Large LOCA: Failure of Low-Pressure Recirculation | 1.37E-6 | 3.0 | <0.1 | <0.1
19 | Loss of Vital AC Bus 1 or 2: Failure of Opposite Train ESF Cabinet, Failure of Auxiliary Feedwater, Failure of Bleed and Feed Cooling, Failure of Quench Spray | 7.23E-7 | 1.6 | <0.1 | 8.0
20 | Primary to Secondary Power Mismatch: Failure of Both ESF Cabinets, Failure of Auxiliary Feedwater, Failure of Bleed and Feed Cooling, Failure of Quench Spray | 6.15E-7 | 1.4 | <0.1 | 6.9
25 | Reactor Trip: Failure of Both ESF Cabinets, Failure of Auxiliary Feedwater, Failure of Bleed and Feed Cooling, Failure of Quench Spray | 4.87E-7 | 1.1 | <0.1 | 5.4
31 | Turbine Trip: Failure of Both ESF Cabinets, Failure of Auxiliary Feedwater, Failure of Bleed and Feed Cooling, Failure of Quench Spray | 3.74E-7 | 0.8 | <0.1 | 4.1
40 | Primary to Secondary Power Mismatch Coincident Station Blackout, Small LOCA, Failure of High-Pressure Injection, Failure of Secondary Depressurization and Low-Pressure Injection, Failure of Quench Spray Recovery | 2.43E-7 | 0.5 | <0.1 | 2.7
46 | Reactor Trip Coincident Station Blackout, Small LOCA, Failure of High-Pressure Injection, Failure of Secondary Depressurization and Low-Pressure Injection, Failure of Quench Spray Recovery | 1.92E-7 | 0.4 | <0.1 | 2.1
54 | Turbine Trip Coincident Station Blackout, Small LOCA, Failure of High-Pressure Injection, Failure of Secondary Depressurization and Low-Pressure Injection, Failure of Quench Spray Recovery | 1.42E-7 | 0.3 | <0.1 | 0.7
70 | Loss of Vital AC Bus 1 or 2: Failure of Auxiliary Feedwater, Failure of High-Pressure Recirculation, Failure of Containment Recirculation Spray | 9.36E-8 | 0.2 | <0.1 | 1.2


Table 1.3 Initiating Events (Internal Event Categories Only) - Contribution to Core Melt Probability

Initiator | Probability (PSS) | Probability (LLNL Rev.) | % Contribution to CMP (PSS) | % Contribution to CMP (LLNL Review)
Transients | 2.3E-5 | 3.2E-5 | 51 | 32
Small LOCA | 1.1E-5 | 5.1E-5 | 24 | 51
Large LOCA | 7.8E-6 | 4.8E-6 | 17 | 5
Interfacing LOCA | 1.9E-6 | 8E-7 | 4 | 1
Total | 4.5E-5 | 1E-4 | 96 | 89


Table 1.4 Probability (Internal Events Only)-System and Component Failure Contributions to M l .

i Ikutsunst. *

$ C.it %aten Ih11we itzin e=sr- Quiritatlan Ibilisis ItwenM11ty Osdributicas $ er titel Quponert Ih11 wee $ & Mital Remim

!- 1 8.5 Rieltwasise 5.85-3 namn a ns- 15 - -

I . n,,n,.. w -

Queen thume 26 ters 12 Om esuse fallisis are Raps 2.5 in the cordaineert, agrar r ctrmutton systen 2 4.9 k m Emed 5.91NI Ruuka a=r===* 53 le and as4 dan 3r haps le hap asistien 16 ans netsse hap y

Quman thuse 19 (thopecirjad)

E 10 Sid flim Ilmata 5 3rtins Rap and 5 tat d le pimp pied and Bleed 1.0 Dependet 100 NW 100 realisw e ene a two (Imas & do power tuo falla REF) IUlva asaamed to fail feed and tiend 3 4.4 A m Pued 5.M Rin&m Quponset 53 le and trtdre 3r haps le Rap letatien 16 ant nrttna Rap Qumonthune- 10 (m=r=nstiad) to "9%eim=

~

~

Table 1.4 Continued knirmet .

$C.It  % stas Philure Ibde Quponut -

h anum P Gardritutien Philtswa hv*= Witty (bedritaAlone 5 & 1btal Philtres $er1btal Remarka 3(Cort) 4.4 hat Feed (Qxt) 5.9s-4 ihrem plus 5 mrtdra Rap and 5 test, Test & ID Rap Itish-lhestaw 5.ms.2 studu 51 Valves (rail 32

, ancistmalatJon to dares state)

Valves (ping 19 e ran to .

riunin ogen) 4 4.4 hat Feed 5 98-4 shnia Quponert 53 .le and n rtdre 3T hange i

, g ID Rap Actiation 16 e

and nrtune Rap o .

Ozuman Qiume 10 (Unspecirled) 10 lbrda Flue Test 5 Mrtino Rap and 5 test, & ID ptmp litab-lhasse 5.RS 2 Rude 51 Valves (rail 32 ancirtmalatica to diarse state)

Valves (pits 19 ce ran to e

sumala open) 5 4.2 2 51 1.964 Ruda 100 valves 100  % stas faittes is also (antastratido acc1&rt irdLiate Arterral Imk) 1

Table 1.4 Continued .

. 5 C.it. Ikminut

%stan hilias hde sequence amerituuas h12ms omgannt Rutendisty astratut. sone 5 e ibtal huwee $ e 1btal neerle 6 3.6 ihrsmuy 4.5654 n=== aune AC Rmer 53 Idesels 53 Quand Sp sy ' 8.195-3 Dependet 88 Raps M 1%penderry is on

' nortwoovery & AC Ihmen Rwr 12 -

la six hairs 7 3.6 Esr has 1.4 H lhnka 99 Diesel can.

hilias 8f

, ESF Cettnet.

7

  • 1D13 (hhinet. 6 AnatFeed 4.535,2 Awebe 90 steen 1trtene Y .

~

N 93 t:. Test. A m int;

! 5 Inrtine Rap 5 Feed & Bleed 1.0 Dependast 100 IUlf 100 Ibth IUlfs a==w to be r==d*wd 8 3.4 HL Isolataan 1.55-3  % thues 91 Valses 91 Feed & Bleed 2 76M lbstka 64 IUlf 40 Blode Valve 24 thamn Enr 36 -

S l

I

I f

j  !

Table 1.4 Continued ,

n= tant '

$ c.n .v a. ano n*

sequence outributico M1 wee IMeldlity Ostratuucas y er 1btal M lisis i er 1btal - limurts 9 31 75 honema - 15 4 - namn anc 100 - -

1:auen .

Ittah-thesws 1.5954 Ozmon (huse M Valves Recimalauen 12

}

Raps 2.5 aman nur is - -

10 30 telhames 4.025-3 Eman nur 25 - -

Iboimalauen y .

% (hume 13.4 Val m 9.8 U

hass 3.6 Ihndma 4.5 Valves 4.5 Pitaniss .


The information was obtained from various sections of the PSS and from additional analyses needed to extract individual contributions. It should be emphasized that the breakdown of each system within this table was not derived directly from individual sequence cut sets. Rather, the breakdown came from the analysis of each system. This was necessitated because sequence cut sets were not provided. The reader is therefore cautioned that any sequence-dependent failures listed in the table are based upon this review and, due to the limited scope of this review, the listings may not be exhaustive.

The first column of Table 1.4 identifies the sequence by number corresponding to the Table 1.1 sequences. The second column provides the core melt probability contribution (in percent) from the individual sequences. The third column lists all of the system failures associated with each sequence, and the fourth column gives the probability of each system failure. It is important to note that these probabilities, as provided in the PSS, are conditional, that is, dependent upon the initiating event and any preceding system failures.

The fifth column provides the failure mode contributions to each of the system failures. Five such modes were identified in the PSS: common cause, dependent, random, human error, and test. As used herein, dependent failures refer exclusively to failures related to the initiating event and preceding system failures.

The sixth column identifies the fractional contribution of each failure mode to the total system failure probability. For example, in Sequence 1, 15% of the failure probability of the high-pressure recirculation system is from human error and 26% from common cause failures. Note that in many cases (including this example) the column six failure mode contributions do not total to 100%. This is because only those modes identified in the PSS as dominant contributors are considered. Resources did not permit detailed examination of individual cut sets and fault trees to extract further detail on failure modes for lesser contributors. In nearly all cases, however, the failure modes identified in the sixth column account for over half of the total system failure probability, and for many (about [illegible]) of the systems the identified failure modes contribute over 90% of the total.

The seventh column identifies the components associated with the relevant failure modes. For the dependent and human error modes, no components are identified since for these modes individual component failures are not associated with the system failure. The eighth column provides the individual component contribution to system failure for each failure mode. For example, for Sequence 1, 12% of the system failure probability is due to common mode failures of motor operated valves. The last column provides some clarifying information pertinent to the appropriate system.

Table 1.5 gives information similar to that in Table 1.4 for latent fatality risks. As discussed previously, six leading sequences contribute to latent fatality risks. Two of these (Numbers 5 and 6) are also contributors to the core melt probability and therefore the information about them, identical to that in Table 1.4, is not repeated. In Table 1.5, the "test" mode of failure has no associated component since the entire system is assumed to be in the test mode and therefore unavailable.

From information provided in Table 1.4, Table 1.6 was constructed in order to consolidate the contributions to CMP and risk from systems, failure

Table 1.5 System and Component Failure Contributions to Millstone 3 Sequences Dominating Latent Fatality Risk (Internal Events Only)

Ibettert 5 Centributtee  % stem Philure Itale Quporert

. hy- Latent Fatalltles Falksts IbemM18tr Qsdrilatices yof htal Philurte y of Rdal e

Reerlas 5 27 9 ,

ase h hte 5 6 18.4 See hble 5 19 8.0 Ac mm 6.1552 linspectried - -

(ttained true inittet.iss w thtenet 1.1 5 5 hat evert data tame 29 - -

Rudu 58 tgio (hres 41 Aur Flead MP

  • llelay 17 1.0 Deperdut 103 - -

g Feed & Bleed 1.0 Dependert 100 - -

4 Omndaagrar 1.0 Ihperdert 100 - -

i 20 6.9 Inr (htdseta 1.657 hat 29 - -

Ruda 58 taloCards 41 AstFeed 1.0 Dependert Otet linlar 17 100 - -

reed & aleed 1.0 Depernut too - -

Gensiss rar 1.0 Deparent '

100 - -

~

1 1

25 5.4 '

asse se sequerum 20 stm.

31 4.1 Sese as hu mos 20 atmo

~

~

1 9

I

i i

I -

Table 1.6 System and Component Failure and Failure Mode Contribution to Core Melt Probability (Internal Events Only)

System Failure Mode Contribution, % (Contribution to CMP, %)

System   Seq. No.   % CMP   Common Cause   Random   Dependent   Human Error   Test   Unspecified

Nigh-Pressure 8.5 12 1 (1.02)-HDF - -

15 (.47) -

59 (5.0)

Boeirculation

' 2.5 ( .21)-F -

11.5 ( .98)-5 - -

3 4.4 -

51 ft.2)-F -

4 4.4 49 (2.2) 51 P 2)-P - - -

49 (2.2) 9 31 12 ( .37)-HDV - -

15 (.47) -

59 (1.8) 2.5 ( .08)-r 11.5 ( .36)-s Tetale 20.4 3.02 4.4 -

1.77 -

11.2 7 Auxiliary 2 4.9 10 (.49)-U 53 (2.5)-F - -

5 (.25) 32 (1.6) g Feeduster 3 4.4 10 (.44)-5 53 (2 3)-P - -

5 (.22) 32 (1.4) 4 4.4 10 (.44)-U 53 (2.3)-P 5 (.22) 7 3.6 32 (1.4) 90 (3.2)-r - -

5 (.18) 5 ( .18)

Totals 17 3 1 3T In.4 - -

.87 4.58 Feed & Bleed 2 4.9 - -

100 (4.9) - - -

7 3.6 '

100 (3 6) - - -

8 3.4 - 40 (1.4)roBy 36 (1.2) - -

24 (.82)37 Totale 11.9 -

2.2 8.5 1.2 - -


modes, and components.

In Table 1.6, each system is considered separately, as indicated in the first column. The second column lists each sequence (identified in Table 1.1) in which the system appears as a contributor to the sequence probability, and the third column gives the percentage contribution to CMP from each sequence.

The remaining six columns give the failure mode contributions, including an "unspecified" column which provides a quantification of the residual failure mode contribution not specified in the PSS. For the "common cause" and "random" columns, the component failure contributions to the respective failure modes are identified. The numerical entries (first number) for these columns were obtained from Table 1.5. The number in parentheses is the product of the component failure contribution and the percent contribution of the respective sequence (third column) to the CMP. This value is an absolute measure of the significance of each failure mode and component failure to the CMP.

An example will aid in interpreting Table 1.6. The high-pressure recirculation system (HPRS) appears as a system failure element in four of the CMP leading sequences (1, 3, 4 and 9). The total contribution of these four sequences to the CMP is 20.4% (shown under totals in the "% CMP" column). In other words, if the HPRS failure probability could be reduced to 0 under the conditions of the four accident sequences, the total CMP calculated by the PSS for internal events would be reduced by 20.4%. For Sequence 1, 26% of the HPRS failure probability derives from common cause failures, of which 12% are common cause MOV failures, 2.5% pumps, and 11.5% unspecified.

By multiplying these fractions by the core melt contribution (8.5%), the individual component common cause contribution to core melt probability for Sequence 1 is obtained (these are the values in parentheses: 1.02, 0.21, and 0.98). These contributions are summed as shown in the "totals" row; thus the "% CMP" for the four sequences involving the HPRS (20.4) is made up of a 3.02% contributor from all common cause failures, of which 1.39% is from motor operated valves, 0.29% from pumps, and 1.34% from components not specified in the PSS.

Similarly, 4.4% of the 20.4% is from random failures, of which the entire contribution is from pump failures. Human error contributes 1.77%, and a contribution of 11.2% is from unspecified failure modes of the HPRS. Thus, if it were possible to eliminate common cause failures in the HPRS the CMP would be reduced by 3.02%, or if common cause MOV failures in the HPRS could be eliminated, a 1.39% reduction in CMP would occur.

Table 1.7 is similar to Table 1.6 and gives the results for latent fatality risks.

Table 1.8 consolidates and summarizes the results of Table 1.6 for system failure, component failure, and failure mode contributions. Table 1.8 lists all systems which appear in the ten leading CMP sequences and the contribution each system imposes on the total CMP for internal event initiated sequences. Reducing the failure probability to 0 for each system would produce the corresponding reduction in CMP. It sh[...] of combinations of systems would not necessarily produce a benefit equivalent to the summation of the corresponding CMP contributions because more than one system appears in some sequences. For example, reducing the failure probability of HPRS and auxiliary feedwater to near 0 would not reduce the CMP by

Table 1.7 System and Component Failure Contributions to Latent Fatality Risk (Internal Events Only)

System   Seq. #   % Latent Fatality   Common Cause   Dependent   Random   Human Error   Unspecified   Test

Quench Spray 6 18.4 88 (16.2) --

12 (2.2) -

19 8.0 -

100 (8.0) - - -

20 6.9 -

100 (6.9) - - - -

i 25 5.4 -

100 (5.4) - - - -

31 4.1 -

100 (4.1) - - -

t Totals 42.8 -

40.6 2.2 - -

l l

i mesidual 5 27.9 Heat 100 (27 9) - - - -

Removal I

Totale 27 9 -

27 9 - - - -

Y j g ESFCabinet 19 8.0 - -

41 (3 3)-LC -

13 (1.0) 29 (2.3)

! 20 17 (1.4)-on 6.9 - -

41 (2.8)-LL l

13 ( .9) 29 (2.0)

! 25

.17 (1.2)-on 5.4 - -

41 (2.2)-LL

+

31 4.1 -

13 ( .7) 29 (1.6) j 41 (1.7)-LL -

13 ( .5) 29 (1.2) 17 ( .7)-OR a

Totals 24.4 - -

10-LC

, a 3.1 7.1 4.2-08

Auxiliary 19 .0 i  ! Feedwater 20 100 (8.0) - - -

6.9 -

100 (6.9) - - -

l a

25 5.4 -

100 (5.4) - - - -

30 4.1 -

100 (4.1) - - - --

, Totala 24.4 24.4 i

~

t s

l Table 1.7 Continued

$ Latent Common SFotem Seq. # Fatality cause -

Dependent Human .

Random Error Unopeettled Test Feed & Bleed 19 8.0 20 100 (8.0) - - -

1 6.9 -

100 (6.9) - - -

25 5.4 -

100 (5.4) - - -

1 31 4.1 -

100 (4.1) - -

Totala 24.4 -

24.4 -- - - -

I BeersemeF 6 18.4 53 (9.8)-D0 - -

1 Electrie -

47 (8.6) -

i Fouer

  • Totala 18.4 9.8-DG - - -

8.6 -

AC Bus 19 8.0 - -

e 100 (8.0) -

Totals 8.0 8.0

LEGEND:

MOV = Motor Operated Valves
DG = Diesel Generators
LC = Logic Cards
OR = Output Relay

Table 1.8 Summary of System and Component Failures and Failure Mode Contributions to CMP (Internal Event Only)

Failure Mode Contribution (%)

System   % Contribution   Common Cause   Random   Dependent   Human Error   Test   Unspecified   Component Failure Contribution (%)

Nigh-Pressure 20.4 3.0 4.4 -

1.8 11.2 Recirculation -

4.7-P 1.4-lOV-Auxiliary 17 3 1.4 10.4 - -

.9 4.6 Feedvater 10.4-P Feed & Bleed 11 9 - 2.2 8.5 1.2 - - 1,4-pony

.82-BV

, Roaldual 4.2 Heat 4.2 - - - --

Removal Y '

g hersenor 3.6 1.9 - - -

Electrie -

1.7 1.9-Do Pouer '

ESF Bus 36 -

3.6 - - - -

3.1-D0

.27-ESFC

.21-EDLSC MSL 3.4 . 3.1 - -

Isolation 7 -

3 3.1-HOV I

Table 1.8 Continued

Failure Mode Contribution (%)

System   % Contribution   Common Cause   Random   Dependent   Human Error   Test   Unspecified   Component Failure Contribution (%)

Primary 3.1 -

Depressur- - -

3.1 - - -

isation Laer-Preastre 3.0 - -

Roolroulatios -

3.0 - - -

LEGEND:

P = Pump
MOV = Motor Operated Valve
PORV = Power Operated Relief Valve
BV = Block Valve
DG = Diesel Generator
ESFC = Emergency Safeguard Features Cabinet
EGLSC = Emergency Generator Load Sequencer Cabinet

37.7% (20.4 plus 17.3) because these two systems appear together in some of the same sequences (Sequences 3 and 4). The net effect of reliability improvements for combinations of systems would have to be determined from Table 1.6.

Table 1.8 also provides the failure mode contributions to CMP for component contributions (last column).

Table 1.9 is similar to Table 1.8 and gives information for the latent fatality risk.
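The bookkeeping behind Tables 1.6 and 1.8 can be reproduced from the percentages printed in this section. The following is an added example, not part of the report: the function and variable names are assumptions, and the combined-system figure is computed here from the report's own sequence data using its stated logic that zeroing a system's failure probability removes every sequence in which that system appears.

```python
# Added example: all percentages are those printed in Tables 1.2 and 1.6.
# Names are illustrative assumptions, not identifiers from the PSS or the report.

# Percent contribution of each leading sequence to internal-event CMP.
SEQ_CMP_PCT = {1: 8.5, 2: 4.9, 3: 4.4, 4: 4.4, 7: 3.6, 8: 3.4, 9: 3.1}

# Leading sequences in which each system appears as a failure element (Table 1.6).
SYSTEM_SEQUENCES = {
    "HPRS": {1, 3, 4, 9},
    "AFW": {2, 3, 4, 7},
    "Feed & Bleed": {2, 7, 8},
}

# HPRS common cause failures by component, in percent of the HPRS failure
# probability, for the two sequences where Table 1.6 lists a common cause split.
HPRS_COMMON_CAUSE_PCT = {
    1: {"MOV": 12.0, "pump": 2.5, "unspecified": 11.5},
    9: {"MOV": 12.0, "pump": 2.5, "unspecified": 11.5},
}


def system_contribution(system):
    """'% CMP' total for one system: sum over the sequences it appears in."""
    return sum(SEQ_CMP_PCT[s] for s in SYSTEM_SEQUENCES[system])


def naive_sum(systems):
    """Simple addition of per-system totals (double-counts shared sequences)."""
    return sum(system_contribution(s) for s in systems)


def shared_sequences(a, b):
    """Sequences in which both systems appear."""
    return SYSTEM_SEQUENCES[a] & SYSTEM_SEQUENCES[b]


def combined_reduction(systems):
    """CMP reduction if every listed system never failed: each affected
    sequence is counted once, however many of the systems appear in it."""
    affected = set().union(*(SYSTEM_SEQUENCES[s] for s in systems))
    return sum(SEQ_CMP_PCT[s] for s in affected)


def common_cause_to_cmp(seq):
    """Parenthesized Table 1.6 values: component share times sequence % CMP."""
    share = HPRS_COMMON_CAUSE_PCT[seq]
    return {comp: pct / 100.0 * SEQ_CMP_PCT[seq] for comp, pct in share.items()}


def hprs_common_cause_totals():
    """'Totals' row for the HPRS common cause column, by component."""
    totals = {}
    for seq in HPRS_COMMON_CAUSE_PCT:
        for comp, value in common_cause_to_cmp(seq).items():
            totals[comp] = totals.get(comp, 0.0) + value
    return totals


if __name__ == "__main__":
    pair = ["HPRS", "AFW"]
    print("HPRS % CMP:", round(system_contribution("HPRS"), 1))
    print("AFW % CMP:", round(system_contribution("AFW"), 1))
    print("naive sum:", round(naive_sum(pair), 1))
    print("shared sequences:", sorted(shared_sequences("HPRS", "AFW")))
    print("combined reduction:", round(combined_reduction(pair), 1))
    print("Sequence 1 common cause:", common_cause_to_cmp(1))
    print("HPRS common cause totals:", hprs_common_cause_totals())
```

The component totals differ from the report's 1.34% for unspecified components only in the second decimal place, because the report sums values that were already rounded.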

From the data in Tables 1.8 and 1.9 the following insights are evident:

The high-pressure recirculation, auxiliary feedwater, and feed and bleed system failures dominate the core melt probability from leading core melt sequences in descending order of significance. However, none of these systems is a particularly significant contributor.

Random and dependent failure modes appear to dominate failures of the systems important to CMP, with pumps being the major (but not overly significant) component contributing to failure.

Quench spray system failure is the most significant system failure contributing to latent fatality risks. This system contributes over 40% to the latent fatalities for the leading sequences.

Dependent failure is the most important mode contributing to latent fatality risks.

Early fatality risks result essentially entirely from the contribution of a dependent failure of the residual heat removal system.

1.3 External Events

This section presents a summary of the results of the external events risk analysis from the Millstone 3 PSS. The LLNL review of these results is also considered.

The PSS considered a total of eight external event initiators. These are listed in Table 1.10, with indications of which events were found to be significant contributors to risk and core melt probability. Only two, earthquakes and fires (within the plant), were found to be significant, and only these are considered further in this review (except for the LLNL results).

According to the PSS, the total core melt probability (considering results from Amendment 3, Reference 4) from external events is 1.39E-5/yr, of which 9.1E-6 (65%) is from seismic events and the remainder from fires. Thus, external events contribute about 20% to the total CMP. The significance of external events to early and late fatality risks is shown in Figures 1.1 and 1.2. External events dominate the early fatality risks and have about the same contribution as internal events to latent fatality risks.

Table 1.11 shows the seismic-initiated events that dominated core melt probability and latent fatality risks in the PSS assessment. The second

Table 1.9 Summary of System and Component Failures and Failure Mode Contributions to Latent Fatality Risk (Internal Events Only)

Failure Mode Contribution (%)

System   % Contribution   Common Cause   Random   Dependent   Human Error   Test   Unspecified   Component Failure Contribution (%)

Quench Spray 42.8 40.6 2.2 - - -

.i mesidual 27 9 i Heat 27 9 - - - -

l E***'*1 ISF Cabinet 24.4 -- 14.2 71 31 10-LC l 4.2-0R

) Auxiliary 24.4 - -

24.4 '

i 7 Feeduater - -

= - .

.l,

Feed & Bleed 24.4 - -

24.4 - -- -

l ,

.i Ehergency 18.4 9.8 -

Electrio

- - - 8.6 9.8-D0 a

' Pouer i

1

- i t

AC Bus 8.0 - - - - - 8.0 - i I

1 -

1 .

LEGEND:

LC = Logic Card
OR = Output Relay
DG = Diesel Generator

Table 1.10 External Event Initiators Considered in the PSS

Event | Significant
Earthquakes | Yes
Fires (inside plant) | Yes
External Flood | No
Internal Flood | No
Extreme Wind | No
Aircraft | No
Hazardous Materials (1) | No
Turbine Missiles | No

(1) Includes storage of on-site materials and transportation of materials near the site.

Table 1.11 Summary of External Event Risks from Seismic Events for Millstone 3

Initiating Event   Containment Response   Frequency Per Year   % Contribution to total from all events: Core Melt   Early Fatality   Latent Fatality (>1000)

IAss of Off-Site Feuer N14T Failure 5 7FA 9.5 -

52 Small IACA h " T Failure 1 9F4 32 -

Large LOCA- , 17

%um Failtre 6.55-7 1.1 -

10C4 7

, Zoolation Failure 1.05-7 .2 - -

i .

. Totals 9.1 H 14 0 76 e

column, "Containment Response," indicates the containment function (isolation or cooling) which was lost as part of the sequences associated with the initiating event. The last three columns indicate the percentage that each initiating event and containment response combination contributed to CMP and to early and late fatality risks from seismic events.

The latent fatality column results could not be directly obtained from the Millstone 3 PSS. To derive these values, first the relative contribution of external events was determined from Figure 1.2. At 1000 fatalities, the contribution (at the 0.5 confidence level) from external events is about 92% of the total, and at 2000 fatalities, about 94%. Thus, a weighting factor of 0.93 was applied to the external event risks. Of this, about 12%, according to the PSS, is from fire initiated sequences (see Table 1.10). Thus, the contribution from seismic events is about 81%. This factor was multiplied by the product of the latent fatality risk release category contribution and the plant damage state contribution from seismic events given in Table 7.5.1-5 of the PSS.

For example, according to Table 7.5.1-5, the M7 release category provides 90% of the seismic risk of latent fatalities. The M7 category is made up of four seismic plant damage states, of which the loss of off-site power with containment cooling failure contributes 71%. Thus, the seismic contribution to latent fatality risk due to this plant damage state is (0.90)(0.71)(0.81) = 0.52, which is the value in Table 1.11.

As Table 1.12 indicates, loss of off-site power with subsequent loss of containment cooling is the dominant contributor to both CMP and late fatality risks. The LOCA event followed by failure of containment isolation dominates the early fatality risks.

Table 1.12 provides a summary of the PSS results for fire initiated accidents. The total CMP from fires represents about 8.4% of the overall CMP as estimated in the PSS from all accidents. Fires in the charging and component cooling pump area and in the cable spreading room are dominant CMP contributors, while latent fatality risks, according to the PSS, are dominated by fire in the control room and instrument rack rooms. The latent fatality risk from fires, according to the PSS, represents about 12% of the total from all causes. Fire initiated accidents represent a negligible contribution to early fatalities.

The LLNL review (Reference 2) of the PSS external event risk assessment resulted in the following major conclusions:

1. The core melt probability from seismic events for Millstone 3 could be as high as 1E-3 based on a re-analysis of the seismic contribution.

2. A revision of the PSS assessment of the contribution to CMP from fires led to an increase in the contribution from 4.8E-6 to 2.8E-5 (an increase by a factor of about 5.8). The contribution to latent fatalities, although not explicitly quantified, was judged to be even greater.

3. The PSS does not provide an adequate assessment to support the conclusion that floods are not significant core melt contributors.

Table 1.12 Summary of External Event Risks from Fires

Fire Location | Frequency | % Contribution (CMP)
Charging and Component Cooling Pump Area | 1.1E-6 | 1.9
Cable Spreading Room | 9.9E-7 | 1.7
Switchgear Rooms | 8.0E-7 | 1.4
Control Room* | 7.3E-7 | 1.2
Electrical Tunnels | 6.9E-7 | 1.2
Instrument Rack Room* | 2.4E-7 | .4
Diesel Generator Enclosures | 1.45E-7 | .2
Totals | 4.7E-6 | 6.1

* These sequences dominate the latent fatality risks from fires and contribute about 12% to the total PSS latent fatality risk.

4. It is unlikely that winds could be a significant contributor to the CMP.

5. The PSS conclusion that aircraft accidents are not significant contributors to CMP is reasonable.

6. It was not possible to determine whether the screening criteria used to dismiss hazardous material contributors were applied appropriately or consistently.

7. The PSS conclusion that turbine missiles are not significant contributors to plant risk is reasonable.

Based on the preceding discussion of external events, the following insights were derived:

The PSS determined that of eight different external events considered, only those accidents initiated by internal fires and earthquakes were of significance to CMP or risk.

External events are a modest contributor to CMP (20%) with seismic events being the major contributor (65% of total).

Seismic events are a significant contributor to latent fatalities.

Fires do not contribute to early fatalities, and only about 12% to the total latent fatality risk.

The leading seismic initiated accidents contributing to CMP and latent fatalities are those resulting in loss of off-site power with loss of containment cooling.

The leading fire initiated sequences contributing to CMP are fires in the charging and component cooling pump area and cable spreading room.

The leading sequences contributing to latent fatality risk are from fires initiating in the control and instrument rack rooms.

Major problems found in the LLNL review of the PSS assessment of external events were 1) the CMP from seismic events could be as high as 1E-3/yr, 2) the CMP from fires is underestimated by a factor of almost six (late fatality risks are also underestimated), and 3) it was not possible to validate the screening criteria used by the PSS for hazardous material risks.

REFERENCES

1. "Millstone Unit 3 Probabilistic Safety Study," Northeast Utilities, August 1983.

2. "A Review of the Millstone 3 Probabilistic Safety Study," NUREG/CR-4142, Lawrence Livermore National Laboratory, May 1984.

3. Probabilistic Risk Assessment (PRA): Status Report & Guidance for Regulation Application, NUREG-1050, USNRC, February 1984.

4. "Millstone Unit 3 Probabilistic Safety Study," Amendment 3, November 28, 1984.

2. INSIGHTS FROM THE SEABROOK STATION PROBABILISTIC SAFETY ASSESSMENT

2.1 Introduction

This section presents an overview of the results from the Seabrook Station Probabilistic Safety Assessment (SSPSA; Reference 1) and selected insights derived from these results. It is not the purpose of this effort to review the SSPSA. Rather, the results are used as is, and the insights are based entirely on these results.

Following a brief overview of the SSPSA results, the leading accident sequences contributing to both core melt probability and risk (of early and late fatalities) are examined in detail to obtain the following insights:

Relative significance of initiating events.

System and component failure contributions to leading accident sequences.

Failure mode (i.e., human error, random, dependent, etc.) contributions to leading accident sequences.

In conjunction with these insights, additional perspective is provided, as appropriate, regarding the relative significance of leading sequences and the different characteristics of the accident sequence "mix" contributing to core melt probability and risk. The results for internal and external accident initiating events are considered separately.

2.2 Internal Events

This section presents results and insights from internal initiating events. Internal initiators are defined in the SSPSA as loss-of-coolant accidents and transients, where transients are confined to those disruptions listed in Table 2.1.

2.2.1 Overall Results

According to the Summary Report of the SSPSA, the total best-estimate core melt probability is 1.9E-4/reactor year. Based on results given in this Summary Report, the individual risk of early fatalities is about 2E-7/reactor year and for late fatalities (cancer) about 1E-8/reactor year. Figure 2.1, from the SSPSA, shows a distribution of early fatality risks with confidence levels indicated. Figure 2.2 is a similar plot for late fatality risks. Unlike the Millstone 3 PSS, the Seabrook study did not consider internal and external initiating events separately.

2.2.2 Dominant Sequences

Table 2.2 lists accident sequences that are leading contributors to core melt probability, early fatalities (>100), and late fatalities (>1000). It provides some interesting insights relative to the significance of individual

Table 2.1 Seabrook Transient Initiator List

1. Reactor Trip
2. Turbine Trip
3. Total Main Feedwater Loss
4. Partial Main Feedwater Loss
5. Excessive Feedwater Flow
6. Loss of Condenser Vacuum
7. Closure of One Main Steam Isolation Valve (MSIV)
8. Closure of All MSIVs
9. Core Power Excursion
10. Loss of Primary Flow
11. Steam Line Break Inside Containment
12. Steam Line Break Outside Containment
13. Main Steam Relief Valve Opening
14. Inadvertent Safety Injection
15. Loss of Off-site Power (1)
16. Loss of One DC Bus (1)
17. Total Loss of Service Water (1)
18. Total Loss of Component Cooling Water (1)

(1) Classified in the SSPSA as "Common Cause Initiating Events" (Table 5.2-1)

Figure 2.1 SSPSA risk of early fatalities. (Horizontal axis: early fatalities.)

Figure 2.2 Risk of latent cancer fatalities (other than fatal thyroid cancers). (Horizontal axis: latent cancer fatalities.)

Table 2.2 Seabrook Dominant Accident Sequences Contributing to Core Melt, Early Fatalities, and Latent Fatalities for Internal Events

| Rank with Respect to Core Melt Frequency | Sequence Description | Mean Annual Frequency | Percent Contribution to Core Melt Frequency | Percent Contribution to Early Fatalities (at >100 Fatalities level) | Percent Contribution to Latent Fatalities (at >1000 Fatalities level) |
|---|---|---|---|---|---|
| 1 | Loss of Off-site Power: Loss of On-site AC Power, no Recovery before Core Damage | 3.3E-5 | 14.0 | ε | 5 |
| 2 | Loss of Off-site Power: Failure of Service Water, no Recovery of Off-site Power | 9.2E-6 | 4.0 | ε | 1.3 |
| 3 | Small LOCA: Failure of Residual Heat Removal | 8.9E-6 | 3.9 | ε | ε |
| 4 | Loss of Main Feedwater: Failure of Solid State Protection System | 8.3E-6 | 3.5 | ε | 1.2 |
| 5 | Steam Line Break Inside Containment: Failure of Operator to Establish Long-Term Heat Removal | 5.6E-6 | 2.4 | ε | ε |
| 6 | Reactor Trip: Loss of Primary Component Cooling | 4.6E-6 | 2.0 | ε | 3.4 |
| 7 | Loss of Off-site Power: Failure of Train A On-site Power, Train B Service Water, no Recovery of Off-site Power before Core Damage | 4.4E-6 | 1.9 | ε | 0.6 |
| 8 | Loss of Off-site Power: Failure of Train B On-site Power, Train A Service Water, no Recovery of AC Power before Core Damage | 4.4E-6 | 1.9 | ε | 0.6 |
| 9 | Partial Loss of Main Feedwater: Failure of Primary Component Cooling | 3.8E-6 | 1.7 | ε | ε |
| 10 | Loss of One DC Bus: Failure of Emergency Feedwater, no Recovery of Emergency or Startup Feedwater | 3.2E-6 | 1.4 | ε | ε |
| 11 | Reactor Trip: Operator Failure to Establish Long-Term Heat Removal | 3.0E-6 | 1.3 | ε | ε |
| 12 | Turbine Trip: Failure of Primary Component Cooling | 2.8E-6 | 1.2 | ε | ε |
| 13 | Loss of Service Water | 2.3E-6 | 1 | ε | ε |
| 14 | Partial Loss of Feedwater: Operator Failure to Establish Long-Term Heat Removal | 2.3E-6 | 1 | ε | ε |
| 15 | Small LOCA: Train B Safety Features Actuation, Train A Residual Heat Removal | 2.2E-6 | 1 | ε | ε |
| 16 | Small LOCA: Train A Safety Features Actuation, Train B Residual Heat Removal | 2.2E-6 | 1 | ε | ε |
| 17 | Turbine Trip: Failure of Reactor Trip, Failure to Manually Scram and to Effect Emergency Boration | 1.9E-6 | .8 | ε | ε |
| 18 | Interfacing Systems LOCA | 1.8E-6 | .8 | 98 | 17.5 |
| | Totals | 1.0E-4 | 44.8 | 98 | 29.6 |

accident sequences and the mix of sequences contributing to core melt probability vs risk:

No single sequence makes a very large contribution to core melt probability. The leading sequence contributes only 14% to the total, and the ten leading sequences contribute less than 40% (36.7%).

A single sequence (interfacing systems LOCA) overwhelms all others with regard to early fatalities, contributing 98% to the total.

The interfacing systems LOCA sequence also dominates the contribution to late fatalities (17.5%) from internal events. Only two others are significant contributors (greater than 2%).

The top ten leading contributors to core melt probability contribute only about 12% to late fatalities and a negligible amount to early fatalities.

2.2.3 Initiating Events

Table 2.3, constructed from information in Section 13 of the SSPSA, provides a breakdown of internal event core melt contributors in which accident sequences have been "binned" on the basis of common accident initiating events. It gives the aggregate probability of all sequences in each category. As indicated in the last column, the categories used contribute essentially 100% to the total SSPSA core melt probability from internal initiating events.

Based on the results in Table 2.3, in conjunction with information in Table 2.2 on early and late risk contributors, the following insights are provided:

Transients and small LOCAs dominate core melt probability, with transients contributing almost 85% to the total CMP.

For early fatalities, the total probability comes almost entirely (98%) from the contribution of a single sequence which is initiated by an interfacing systems LOCA.

For late fatalities, this same sequence dominates, but is less significant than external events (considered later).

2.2.4 System and Component Failures and Failure Modes

The contribution to core melt probability and risk from individual system and component failures, as well as failure modes (human error, dependencies, etc.), were examined. Table 2.4 lists the contribution from system and component failures to each of the 12 core melt probability sequences (1 through 12 of Table 2.2). The information was obtained from various sections of the SSPSA and from additional analyses needed to extract individual contributions. It should be emphasized that the breakdown of each system within this table was not derived directly from sequence cut sets. Rather, the breakdown came from the analysis of each individual system. This was necessitated because sequence cut sets

Table 2.3 Dominant Accident Sequences Grouped by Initiating Event (Internal Events Only)

| Accident Sequence Initiating Event | Probability | % of Total Internal Event CMP |
|---|---|---|
| Transients: Loss of Off-site Power | 6.88E-5 | 37.6 |
| Transients: ATWS | 1.20E-5 | 6.5 |
| Transients: All Others | 7.32E-5 | 40.0 |
| Small LOCA | 1.99E-5 | 10.8 |
| Large LOCA | ε | ε |
| Interfacing Systems LOCA | 1.84E-6 | 1.0 |
| Steam Line Break (Inside Containment) | 7.29E-6 | 4.0 |

ε Negligible

Table 2.4 System and Component Failure Contributions to Seabrook Sequences Dominating Core Melt Probability (Internal Events Only)

[Table body illegible in the scanned source.]

were not provided. The reader is therefore cautioned that any sequence-dependent failures listed in the table are based upon this review and, due to the limited scope of this review, the listings may not be exhaustive.

The first column of Table 2.4 identifies the sequence by number corresponding to the Table 2.2 sequences. The second column provides the core melt probability contribution (in percent) from the individual sequences. The third column lists all of the system failures associated with each sequence, and the fourth column gives the probability of each system failure. It is important to note that these probabilities, as provided in the SSPSA, are conditional, that is, dependent upon the initiating event and any preceding system failures.

The fifth column provides the failure mode contributions to each of the system failures. Five such modes were identified in the SSPSA: common cause, dependent, random (also called "hardware"), human error, and test and maintenance. As used herein, dependent failures refer exclusively to failures related to the initiating event and preceding system failures.

The sixth column identifies the fractional contribution of each failure mode to the total system failure probability. For example, in Sequence 1, 57% of the failure probability of the on-site ac power system is from random failures and 26% from common cause failures. Note that in many cases (including this example) the column six failure mode contributions do not total to 100%. This is because only those modes found in the SSPSA as dominant contributors are considered. Resources did not permit detailed examination of individual cut sets and fault trees to extract further detail on failure modes for lesser contributors. In nearly all cases, however, the failure modes identified in the sixth column account for over half of the total system failure probability, and for many of the systems the identified failure modes contribute over 90% of the total.

The seventh column identifies the components associated with the relevant failure modes. For the dependent, test and maintenance, and human error modes, no components are identified since for these modes individual component failures are not associated with the system failure. The eighth column provides the individual component contribution to system failure for each failure mode. For example, for Sequence 1, 56.2% of the system failure probability is due to random failures of diesel generators. The last column provides some clarifying information pertinent to the appropriate system.

Table 2.5 gives information similar to that in Table 2.4 for latent fatality risks. As discussed previously, five leading sequences contribute to latent fatality risks. Four of these are also contributors to the core melt probability and therefore the information about them, identical to that in Table 2.4, is not repeated.

From information provided in Table 2.4, Table 2.6 was constructed in order to consolidate the contributions to CMP and risk from systems, failure modes, and components. In Table 2.6 each system is considered separately, as indicated in the first column. The second column lists each sequence (identified in Table 2.2) in which the system appears as a contributor to the sequence probability, and the third column gives the percentage contribution to CMP from each sequence.

Table 2.5 System and Component Failure Contributions to Seabrook Sequences Dominating Latent Fatality Risk (Internal Events Only)

[Table body illegible in the scanned source.]

Table 2.6 System and Component Failure and Failure Mode Contributions to Core Melt Probability for Seabrook (Internal Events Only)

System Failure Mode Contributions, % (Contribution to CMP, %)

| System | Seq. No. | % CMP Contribution | Common Cause | Random | Dependent | Human Error | Test and Maintenance | Undetermined or Unspecified |
|---|---|---|---|---|---|---|---|---|
| Onsite AC Power | 1 | 14 | 16 (2.2)-DG | 56 (7.8)-DG | - | - | 15 (2.1) | 13 (1.8) |
| Service Water | 2 | 4 | 45 (1.8)-P, 23 (.9)-V | 32 (1.3)-(1) | - | - | - | - |
| Residual Heat Removal | 3 | 3.9 | 50 (2.0)-P | 39 (1.5)-(1) | - | - | 11 (.4) | - |
| Solid State Protection | 4 | 3.5 | - | 29 (1)-(1) | - | 71 (2.5) | - | - |
| Decay Heat Removal (Long Term) | 5, 11 | 3.7 | - | - | - | 100 (3.7) | - | - |
| Primary Component Cooling | 6, 9, 12 | 4.9 | - | 90 (4.4)-V | - | - | - | 10 (.5) |
| Onsite AC Power-Train A or B | 7, 8 | 3.8 | - | 82 (3.1)-DG | - | - | - | 18 (.7) |
| Service Water-Train A or B | 7, 8 | 3.8 | - | 60 (2.3)-V, 22 (.8)-P | - | - | - | 18 (.7) |

[Remaining rows illegible in the scanned source.]

The remaining six columns give the failure mode contributions, including an "unspecified" column which provides a quantification of the residual failure mode contribution not readily identified in the SSPSA. For the "common cause" and "random" columns, the component failure contributions to the respective failure modes are identified. The numerical entries for these columns were obtained from Table 2.4. The number in parentheses is the product of the component failure contribution and the percent contribution of the respective sequence (third column) to the CMP. This value is an absolute measure of the significance of each failure mode and component failure to the CMP.

An example will aid in interpreting Table 2.6. The on-site ac power system appears as a system failure element in one of the CMP leading sequences (No. 1). The total contribution of this sequence to the CMP is 14% (under totals in the "% CMP" column). In other words, if the on-site ac power system failure probability could be reduced to 0 under the conditions of the accident sequence, the total CMP calculated by the SSPSA for internal events would be reduced by 14%. For Sequence 1, 16% of the on-site ac power system failure probability derives from common cause diesel generator failures, 56% from random diesel generator failures, etc. By multiplying these fractions by the core melt contribution (14%), the individual component common cause contribution to core melt probability for Sequence 1 is obtained (these are the values in parentheses: 2.2, 7.8, 2.1, and 1.8). Thus, the "% CMP" for the sequence involving on-site AC power (14%) is made up of a 2.2% contributor from common cause diesel generator failures, 7.8% from random diesel generator failures, 2.1% from test and maintenance, and 1.8% from undetermined or unspecified in the SSPSA. If it were possible to eliminate common cause failures in the on-site ac power system, the CMP would be reduced by 2.2%, or if random failures in the diesel generators could be eliminated, a 7.8% reduction in the CMP would occur.

Table 2.7 is similar to Table 2.6 and gives the results for latent fatality risks.

Table 2.8 consolidates and summarizes the results of Table 2.6 for system failure, component failure, and failure mode contributions. Table 2.8 lists all systems which appear in the twelve leading CMP sequences and the contribution each system imposes on the total CMP for internal event initiated sequences. Reducing the failure probability to 0 for each system would produce the corresponding reduction in CMP. Improving the reliability of combinations of systems would not necessarily produce a benefit equivalent to the summation of the corresponding CMP contributions because more than one of the systems may appear in some sequences. Table 2.8 also provides the failure mode contributions to CMP for each system and the component contribution (last column).
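The interpretation rules above, as an added example that is not part of the original report: the first function reproduces the parenthesized Table 2.6 entries for Sequence 1, and the second shows why the benefits for systems that share sequences do not add. The percentages are those listed in Tables 2.2 and 2.6; the dictionary keys and function names are labels chosen for this illustration, and only the systems on the legible rows of Table 2.6 are included.

```python
# Percent contribution to internal-event CMP of leading sequences 1-12 (Table 2.2).
SEQUENCE_PCT_CMP = {
    1: 14.0, 2: 4.0, 3: 3.9, 4: 3.5, 5: 2.4, 6: 2.0,
    7: 1.9, 8: 1.9, 9: 1.7, 10: 1.4, 11: 1.3, 12: 1.2,
}

# Sequences in which each system appears as a failure element (Table 2.6).
# Keys are illustrative labels, not names used by the SSPSA.
SYSTEM_SEQUENCES = {
    "onsite_ac": {1},
    "service_water": {2},
    "residual_heat_removal": {3},
    "solid_state_protection": {4},
    "decay_heat_removal_long_term": {5, 11},
    "primary_component_cooling": {6, 9, 12},
    "onsite_ac_train": {7, 8},
    "service_water_train": {7, 8},
}

# Failure mode fractions (%) of on-site ac power system failure in Sequence 1.
ONSITE_AC_MODES = {
    "common_cause_dg": 16,
    "random_dg": 56,
    "test_and_maintenance": 15,
    "unspecified": 13,
}


def absolute_contributions(sequence_pct_cmp, mode_fractions_pct):
    """Fraction of system failure times the sequence's % CMP, per failure mode.

    These are the values shown in parentheses in Table 2.6.
    """
    return {
        mode: round(fraction * sequence_pct_cmp / 100, 1)
        for mode, fraction in mode_fractions_pct.items()
    }


def cmp_reduction(systems):
    """% CMP removed if the failure probability of every listed system were 0.

    Assumption of this sketch: a sequence drops out entirely when any one of
    its system failure elements is eliminated, so each affected sequence is
    counted once no matter how many of the chosen systems appear in it.
    """
    affected = set().union(*(SYSTEM_SEQUENCES[s] for s in systems))
    return round(sum(SEQUENCE_PCT_CMP[q] for q in affected), 1)


def summed_individual_reductions(systems):
    """Naive sum of the single-system reductions, for comparison."""
    return round(sum(cmp_reduction([s]) for s in systems), 1)


if __name__ == "__main__":
    print(absolute_contributions(SEQUENCE_PCT_CMP[1], ONSITE_AC_MODES))
    pair = ["onsite_ac_train", "service_water_train"]
    print("combined:", cmp_reduction(pair))
    print("naive sum:", summed_individual_reductions(pair))
```

Both train-level systems appear only in Sequences 7 and 8, so eliminating both removes the same 3.8% that eliminating either one does, while the naive sum would claim 7.6%.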

Table 2.9 is similar to Table 2.8 and gives information for the late fatality risk.

From the data in Tables 2.8 and 2.9, the following insights are evident:

Table 2.7 System and Component Failure Contributions to Latent Risk for Seabrook (Internal Events Only)

System Failure Mode Contributions, % (Contribution to CMP, %)

| System | Seq. No. | % Contribution | Common Cause | Random | Dependent | Human Error | Test and Maintenance | Undetermined or Unspecified |
|---|---|---|---|---|---|---|---|---|
| Residual Heat Removal | 18 | 17.5 | - | 100 (17.5)-V | - | - | - | - |
| Onsite AC Power | 1 | 5 | 16 (.8)-DG | 56 (2.8)-DG | - | - | 15 (.75) | 13 (.65) |
| Primary Component Cooling | 6 | 3.4 | - | 90 (3.1)-V | - | - | - | 10 (.34) |
| Service Water | 2 | 1.3 | 45 (.6)-P, 23 (.3)-V | 32 (.4)-(1) | - | - | - | - |
| Solid State Protection | 4 | 1.2 | - | 29 (.3)-(1) | - | 71 (.9) | - | - |
| Reactor Coolant Pump Seal | 1, 2, 6 | 9.7 | - | - | 100 (9.7) | - | - | - |
| Cont. Bldg. Sprays | 1, 2, 4 | 7.5 | - | - | 100 (7.5) | - | - | - |
| Emergency Feedwater | 4 | 1.2 | - | - | 100 (1.2) | - | - | - |
| High-Pressure Makeup | 4 | 1.2 | - | - | 100 (1.2) | - | - | - |

Table 2.8 Summary of System and Component Failures and Failure Mode Contributions to CMP for Seabrook (Internal Events Only)

Failure Mode Contribution (%)

| System | % Contribution | Common Cause | Random | Dependent | Human Error | Test and Maintenance | Unspecified | Component Failure Contribution (%) |
|---|---|---|---|---|---|---|---|---|
| Reactor Coolant Pump Seal | 26.9 | - | - | 26.9 | - | - | - | - |
| Onsite AC Power | 14 | 2.2 | 7.8 | - | - | 2.1 | 1.8 | 10-DG |
| Primary Component Cooling | 4.9 | - | 4.4 | - | - | - | .5 | 4.4-V |
| Emergency Feedwater | 4.9 | - | - | 4.9 | - | - | - | - |
| Service Water | 4 | 2.7 | 1.3 | - | - | - | - | 1.8-P, .9-V |
| Residual Heat Removal | 3.9 | 2.0 | 1.5 | - | - | .4 | - | 2.0-P |
| Onsite AC Power-Train A or B | 3.8 | - | 3.1 | - | - | - | .7 | 3.1-DG |
| Service Water-Train A or B | 3.8 | - | 3.1 | - | - | - | .6 | 2.3-V, .8-P |
| Decay Heat Removal (Long Term) | 3.7 | - | - | - | 3.7 | - | - | - |
| Solid State Protection | 3.5 | - | 1 | - | 2.5 | - | - | - |
| Reactor Trip | 3.5 | - | - | 3.5 | - | - | - | - |
| High-Pressure Makeup | 3.5 | - | - | 3.5 | - | - | - | - |

Table 2.9 Summary of System and Component Failures and Failure Mode Contributions to Latent Fatality Risk for Seabrook (Internal Events Only)

Failure Mode Contribution (%)

| System | Sequence Number | % Contribution | Common Cause | Random | Dependent | Human Error | Test and Maintenance | Unspecified | Component Failure Contribution (%) |
|---|---|---|---|---|---|---|---|---|---|
| Residual Heat Removal | 18 | 17.5 | - | 17.5 | - | - | - | - | 17.5-V |
| Reactor Coolant Pump Seal | 1, 2, 6 | 9.7 | - | - | 9.7 | - | - | - | - |
| Cont. Bldg. Sprays | 1, 2, 4 | 7.5 | - | - | 7.5 | - | - | - | - |
| Onsite AC Power | 1 | 5 | .8 | 2.8 | - | - | .75 | .65 | 3.6-DG |
| Primary Component Cooling | 6 | 3.4 | - | 3.1 | - | - | - | .34 | 3.1-V |
| Service Water | 2 | 1.3 | .9 | .4 | - | - | - | - | .6-P, .3-V |
| Solid State Protection | 4 | 1.2 | - | .3 | - | .9 | - | - | - |
| Emergency Feedwater | 4 | 1.2 | - | - | 1.2 | - | - | - | - |
| High-Pressure Makeup | 4 | 1.2 | - | - | 1.2 | - | - | - | - |

The reactor coolant pump seal, on-site ac power, primary component cooling, and emergency feedwater system failures are major contributors to the core melt probability from leading core melt sequences, in descending order of significance. However, none of these systems is a particularly significant contributor. It should be noted that, in some cases, dependent failures are dominant contributors.

Random and dependent failure modes appear to dominate failures of the systems contributing to CMP, w[…] important (but not overly significant) component contributing to failure.

Residual heat removal system failure is the most significant system failure contributing to late fatality risks.

Random and dependent failures are the most important mode contributing to late fatality risks.

Early fatality risks (as discussed previously) result essentially entirely from the contribution of a dependent failure of the residual heat removal system.

2.3 External Events

This section presents a summary of the results of the external events risk analysis from the SSPSA.

The SSPSA considered a total of eight external event initiators. These are listed in Table 2.10, with indications of which events were found to be significant contributors to risk and core melt probability. Only two, earthquakes and fires (within the plant), were found to be significant. The CMP from external events accounts for 20% of the total CMP, with 11% from fires and the remainder (9%) from seismic events.

Table 2.11 shows the seismic initiated events that dominated core melt probability and late fatality risks in the SSPSA assessment. This information was not directly obtainable from the SSPSA results, but was derived by the procedure described in Appendix A. Because of assumptions and methods of estimation, the results are approximate only. The second column of Table 2.11, "Containment Response," indicates the containment function (isolation or cooling) which was lost as part of the sequences associated with the initiating event. The last three columns indicate the approximate percentage that each initiating event and containment response combination contributed to CMP and to early and late fatality risks from seismic events.

As Table 2.11 indicates, loss of off-site power with subsequent failure of containment isolation (<3" openings) is the dominant contributor both to CMP and to early and late fatality risks.

Table 2.12 provides a summary of the SSPSA results for fire initiated accidents. Fires in the control room are dominant CMP and late fatality risk contributors. Fire initiated accidents represent a negligible contribution to early fatalities.

Table 2.10 External Event Initiators Considered in the SSPSA for Seabrook

| Event | Significant |
|---|---|
| Seismic | Yes |
| Fires (Internal) | Yes |
| Wind | No |
| Tornado Missiles | No |
| Aircraft | No |
| Hazardous Chemicals | No |
| Floods | No |
| Fires (External) | No |

Table 2.11 Summary of External Event Risks from Seismic Events for Seabrook

| Initiating Event | Containment Response | Frequency per Year | % Contribution to Core Melt | % Contribution to Early Fatality | % Contribution to Late Fatality |
|---|---|---|---|---|---|
| Loss of Off-site Power | Small Isolation Failure (<3") | 1.7E-5 | 7.4 | .5 | 42.9 |
| | Large Isolation Failure (>3") | 2.3E-7 | ε | ε | 2.6 |
| Failure of Solid State Protection System | Large Isolation Failure (>3") | 1.6E-7 | ε | ε | 1.3 |
| Totals | | 1.7E-5 | 7.4 | ~.5 | 47.3 |

ε Negligible

Table 2.12 Summary of External Event Risks from Fires for Seabrook

| Fire Location | Frequency | % Contribution to CMP | % Contribution to Early Fatalities | % Contribution to Late Fatalities |
|---|---|---|---|---|
| Control Room | 8.7E-6 | 3.8 | ε | 2.0 |
| Primary Component Cooling Area | 4.1E-6 | 1.8 | ε | .9 |
| Cable Spreading Room | 3.5E-6 | 1.5 | ε | .8 |
| Turbine Building | 2.3E-6 | 1.0 | ε | ε |
| Totals | 1.86E-5 | 8.1 | ε | 3.7 |

ε Negligible

Based on the preceding discussion of external events, the following insights were derived:

The SSPSA determined that, of eight different external events considered, only those accidents initiated by internal fires and earthquakes were of significance to CMP or risk.

External events are a modest contributor to CMP (20%), with seismic events contributing about 9% and internal fires about 11%.

Seismic events are a significant contributor to late fatalities (about 47%). Fires do not contribute to early fatalities, and only about 4% to the total late fatality risk.

The leading seismic initiated accidents contributing to CMP and late fatalities are those resulting in loss of off-site power with loss of containment isolation.

The leading fire initiated sequences contributing to CMP and late fatalities are fires in the control room. Fires did not contribute to early fatalities.

REFERENCES

1. "Seabrook Station Probabilistic Safety Assessment," Pickard, Lowe and Garrick, Inc., December 1983.

3. INSIGHTS FROM THE SHOREHAM PROBABILISTIC RISK ASSESSMENT

3.1 Introduction

This section presents an overview of the results from the Shoreham Probabilistic Risk Assessment (PRA) and selected insights derived from these results. It also includes comparative results and insights from a review of the PRA performed by Brookhaven National Laboratory for the NRC.2 It is not the purpose of this effort to review the PRA or to judge the validity of the BNL review. Rather, the results from both the PRA and the BNL review are used as is, and the insights are provided based entirely on these results.

Following a brief overview of the PRA and BNL results, the leading accident sequences contributing to core melt probability are examined in detail to obtain the following insights:

Relative significance of initiating events.

System and component failure contributions to leading accident sequences.

Failure mode (i.e., human error, random, dependent, etc.) contributions to leading accident sequences.

In conjunction with these insights, additional perspective is provided as appropriate, regarding the relative significance of leading sequences and the different characteristics of the accident sequence "mix" for core melt probability.

The scope of the Shoreham PRA did not include external events except for flooding at elevation 8 of the reactor building. Therefore, the results for internal and external accident initiating events are considered together both here and in the PRA itself. Section 3.3 addresses risk; however, this subject was not fully developed in the PRA.

3.2 Internal Events

This section presents results and insights from internal initiating events. Internal initiators are defined in the PRA as loss-of-coolant accidents, transients and manual shutdowns, initiators coupled with failure to scram, and other low frequency transient events. Transients are confined to those disruptions listed in Table 3.1 and have been grouped into six major categories. Table 3.2 lists the plant-specific low frequency transients.

3.2.1 Overall Results

According to the PRA, the total core melt probability from internally initiated accidents is 5.5E-5/reactor-year. The PRA does not address the individual risk of early and latent fatalities. The BNL review requantified the PRA CMP and arrived at a value of 1.42E-4/reactor-year.

Table 3.1 Summary of the Categories of BWR Transients Used in SNPS-PRA

| Transient Initiator | Group |
|---|---|
| 1. Electric Load Rejection | TT |
| 2. Electric Load Rejection with Turbine Bypass Valve Failure | TC |
| 3. Turbine Trip | TT |
| 4. Turbine Trip with Turbine Bypass Valve Failure | TC |
| 5. Main Steam Isolation Valve Closure | TM |
| 6. Inadvertent Closure of One MSIV (Rest Open) | TT |
| 7. Partial MSIV Closure | TT |
| 8. Loss of Normal Condenser Vacuum | TC |
| 9. Pressure Regulator Fails Open | TT |
| 10. Pressure Regulator Fails Closed | TT |
| 11. Inadvertent Opening of a Safety/Relief Valve (Stuck) | TI |
| 12. Turbine Bypass Fails Open | TT |
| 13. Turbine Bypass or Control Valves Cause Increased Pressure (Closed) | TT |
| 14. Recirculation Control Failure -- Increasing Flow | TT |
| 15. Recirculation Control Failure -- Decreasing Flow | TT |
| 16. Trip of One Recirculation Pump | TT |
| 17. Trip of All Recirculation Pumps | TT |
| 18. Abnormal Startup of Idle Recirculation Pump | TT |
| 19. Recirculation Pump Seizure | TT |
| 20. Feedwater -- Increasing Flow at Power | TT |
| 21. Loss of Feedwater Heater | TT |
| 22. Loss of All Feedwater Flow | TF |
| 23. Trip of One Feedwater Pump (or Condensate Pump) | TT |
| 24. Feedwater -- Low Flow | TT |
| 25. Low Feedwater Flow During Startup or Shutdown | TT |
| 26. High Feedwater Flow During Startup or Shutdown | TT |
| 27. Rod Withdrawal at Power | TT |
| 28. High Flux Due to Rod Withdrawal at Startup | TT |
| 29. Inadvertent Insertion of Rod or Rods | TT |
| 30. Detected Fault in Reactor Protection System | TT |
| 31. Loss of Offsite Power | TE |
| 32. Loss of Auxiliary Power (Loss of Auxiliary Transformer) | TT |
| 33. Inadvertent Startup of HPCI/HPCS | TT |
| 34. Scram due to Plant Occurrences | TT |
| 35. Spurious Trip via Instrumentation, RPS Fault | TT |
| 36. Manual Scram -- No Out-of-Tolerance Condition | TT |
| 37. Cause Unknown | TT |

NOTE:

TT - Turbine Trip
TM - MSIV Closure
TC - Loss of Condenser
TI - Inadvertent Open Relief Valve
TE - Loss of Offsite Power
TF - Loss of Feedwater Flow

Table 3.2 Other Postulated Low Frequency Transients

Transient Initiator

1. Excessive Release of Water into Elevation 8 of the Reactor Building (Sum Over Maintenance Component Failure Initiators).
2. Loss of DC Power Bus.
3. Reactor Water Level Measurement System - Reference Line Leak.
4. Drywell Cooler Failure.
5. Loss of Service Water.
6. Loss of AC Power Bus.

3.2.2 Dominant Sequences

Table 3.3, reproduced from Table 5-14 of the BNL Review, lists accident sequences that are leading contributors to core melt probability, based upon the PRA and the BNL review. It provides some interesting insights relative to the significance of individual accident sequences and the mix of sequences contributing to core melt probability:

In the PRA, no single sequence makes a very large contribution to core melt probability. The leading sequence contributes only 12% to the total, and the 15 leading sequences contribute 55%.

The BNL results are similar in that the leading sequence contributes only 7% to the total, and the 15 leading sequences contribute 60%.

It should be noted that the BNL results for percent contribution are calculated on a total CMP different from that in the PRA, and that the top five BNL sequences have a higher frequency than the leading PRA sequence.

3.2.3 Initiating Events

Table 3.4, constructed from information in the BNL review,2 provides a breakdown of core melt contributors in which accident sequences have been "binned" on the basis of common accident initiating events and early vs late core melt. It gives the aggregate probability of all sequences in each category as estimated by the PRA and by the BNL review, as well as from the fifteen leading sequences of each review found in Table 3.3. As indicated in the fourth and sixth columns, the categories used contribute 99.8% to the total PRA core melt probability and 99.3% to the BNL estimate.

The information in Table 3.4 from the total CMP listings was used to establish the relative contribution from important initiating event classes. Table 3.5 gives the data for five initiating event categories. Based on the results in Table 3.5, the following insights are provided:

Transients overwhelmingly dominate core melt probability with a greater than 95% contribution in both the PRA and BNL review.

The PRA and BNL reviews were very consistent in this area. The major difference was in the LOCA contribution, for which BNL estimated a lower percentage, but the actual frequencies were close.

3.2.4 System and Component Failures and Failure Modes

The contribution to core melt probability from individual system and component failures, as well as failure modes (human error, dependencies, etc.) were examined. This analysis does not include the BNL review results. Table 3.6 gives the contribution from system and component failures to each of the 15 PRA core melt probability sequences (1 through 15 of Table 3.3). The information was obtained from various sections of the PRA and from additional analyses needed to extract individual contributions. It should be emphasized that the breakdown of each system within this table was not derived directly from sequence cut sets. Rather, the breakdown came from the analysis of each

Table 3.3 Leading Sequences for Contribution to CMP from Shoreham PRA and BNL Review (Internal E

Leading Shoreham PRA Sequences

Sequence | Description | Class/Subclass | Probability | % CMP | Cumulative % CMP
1. T(M2)C(M)C(2) | MSIV closure transient with failure to scram and failure of one of the standby liquid control system loops. | IV | 6.4E-6 | 12 | 12
2. T(C)UX | Loss of condenser transient with failure of all high pressure injection systems and failure to depressurize. | IA | 2.1E-6 | 5 | 17
3. T(T)QUX | Turbine trip with failure of feedwater, all high pressure injection systems, and depressurization. | IA | 2.4E-6 | 5 | 22
4. T(D)D(I)Q | Loss of a dc bus with failure of the diesel generators for at least two hours and recovery of the offsite power system after 30 minutes as well as a loss of feedwater. | IA | 2.2E-6 | 4 | 26
5. T(E)IVDUX | Loss of offsite power with recovery in 10 hours, loss of the diesel generators for at least 2 hours, failure of all high pressure injection systems, and failure to depressurize. | IB | 2.2E-6 | 4 | 30
6. FS(0)QUX | Reactor building flood with failure of feedwater, all high pressure injection systems and depressurization. | ID | 1.7E-6 | 3 | 33
7. T(E)III(C)DV | Loss of offsite power with recovery in four hours, failure to scram, failure to recover the diesel generators in two hours, and failure of the low pressure injection function. | IB | 1.5E-6 | 3 | 36
8. T(F)C(M)U | Loss of feedwater with mechanical failure to scram and failure of the high pressure injection function. | IC | 1.5E-6 | 3 | 39
9. T(E)C(M)UD | Loss of offsite power with mechanical failure to scram, failure of the high pressure injection function and failure to recover the diesel generator within two hours. | IV | 1.5E-6 | 3 | 42
10. T(C)W'W" | Loss of condenser transient followed by loss of containment cooling (late melt). | II | 1.5E-6 | 3 | 45
11. M(S)QUX | Manual shutdown with failure of feedwater, the high pressure injection function, and depressurization. | IA | 1.3E-6 | 2 | 47
12. T(E)III(A)DUV | Loss of offsite power for four hours with a large LOCA, diesel generator failure with no recovery in two hours, failure of the high pressure injection function and failure to depressurize. | IB | 1.2E-6 | 2 | 49
13. T(E)W(D) | Loss of offsite power with failure of containment cooling and failure to restore the diesel generator within two hours. | II | 1.1E-6 | 2 | 51
14. T(R)RQUX | Loss of level measurement transient with loss of the redundant reactivity control system, loss of feedwater, loss of the HPI function, and failure to depressurize. | IA | 1.1E-6 | 2 | 53
15. T(F)C(M)C(2) | Loss of feedwater transient with mechanical failure to scram and failure of one of the standby liquid control system loops. | IV | 1.0E-6 | 2 | 55

Leading BNL Review Sequences

Sequence | Description | Class/Subclass | Probability | % CMP | Cumulative % CMP
1. T(T)C(M)K(0) | Turbine trip with mechanical failure to scram, failure of alternate rod insertion, and failure of feedwater. | IV | 1.0E-5 | 7 | 7
2. T(E)IDGL | Loss of offsite power recovered in 30 minutes with failure of the diesel generators, drywell heat removal, and level control. | IB | 1.0E-5 | 7 | 14
3. FS(0)QUX | Reactor building flood with failure of feedwater, HPI functions, and depressurization. | IA | ~1.0E-5 | 7 | 21
4. T(M)C(M)KU(H) | MSIV closure transient with mechanical failure to scram, failure of alternate rod insertion, failure of HPI function, and operator fails to initiate RHR within two hours. | IV | 8.3E-6 | 6 | 27
5. T(T)C(M)KUH | Turbine trip with mechanical failure to scram and failure of alternate rod insertion, HPI function, and operator initiation of RHR in two hours. | IV | 6.7E-6 | 5 | 32
6. T(E)IVD | Loss of offsite power with recovery in 10 hours, and failure of the diesel generators to be recovered within two hours. | IB | 6.7E-6 | 5 | 37
7. T(T)QUX | Turbine trip with failure of feedwater, HPI function, and depressurization. | IA | 5.5E-6 | 4 | 41
8. T(T)C(M)C(2) | Turbine trip with mechanical failure to scram and failure of one standby liquid control system loop. | IV | 4.2E-6 | 3 | 44
9. T(C)UX | Loss of condenser with failure of HPI function and failure to depressurize. | IA | 4.2E-6 | 3 | 47
10. T(T)C(M)U(H) | Turbine trip with mechanical failure to scram and failure of HPI function and failure of operator to initiate RHR within two hours. | IV | 3.9E-6 | 3 | 50
11. T(E)IIIDUX | Loss of offsite power with recovery in four hours and failure to recover diesel generators within two hours, failure of HPI function, and failure to depressurize. | IB | 3.3E-6 | 2 | 52
12. T(SW)TSUV | Loss of service water with failure to crosstie turbine building service water and the unavailability of the power conversion system (for both injection and heat sink functions), the failure of HPI function and failure of LPI functions. | 10 | 2.6E-6 | 2 | 54
13. T(SW)TSUX | Same as above except that instead of failure of the LPI function there is failure to depressurize. | IA | 2.6E-6 | 2 | 56
14. T(M)QUX | MSIV closure transient with failure of feedwater, HPI functions, and depressurization. | IA | 2.5E-6 | 2 | 58
15. T(C)W | Loss of condenser with failure of containment heat removal functions. | II | 2.5E-6 | 2 | 60

[Table 3.4: not legible in this scan.]

Table 3.5 Initiating Event Categories Contribution to Core Melt (Internal)

Initiator | % Contribution to CMP, Shoreham | % Contribution to CMP, BNL
LOCA | 3.6 | 1.28
LOCA Outside Drywell | 0.067 | 0.1
ATWS | 32.35 | 31.7
LOOP | 17.8 | 20.4
Other Transients | 45.98 | 45.8
Totals | 99.8 | 99.28

Table 3.6 System and Component Failure Contributions to Shoreham Leading CM Sequences

Sequence | % CMP | System Failures | Probability | Dominant Failure Contribution | % of Total | Component Failures | % of Total
1. T(M2)C(M)C(2) | 11.5 | SCRAM | 1E-5 | Common Cause | 100 | Control Rods | 100
 | | SLC | 1.05E-1 | Human | 95.2 | - | -
2. T(C)UX | 5.6 | RCIC | 5.873E-2 | Test and Maintenance | 16 | - | -
 | | | | Random | 64 | Pressure Sensors | 8.7
 | | | | | | Temperature Elem. | 37.8
 | | | | | | MOV's | 17.5
 | | HPCI | 9.63E-2 | Test and Maintenance | 10.4 | - | -
 | | | | Human | 13.5 | - | -
 | | | | Random | 45.5 | Pump and Turbine | 15.5
 | | | | | | MOV's | 30
 | | ADS | 8.56E-4 | Common Cause | 47 | Solenoid Valves | 35
 | | | | | | Contam. Air Supply | 12
 | | | | Human | 33 | - | -
3. T(T)QUX | 4.3 | Feedwater | 5.46E-2 | Common Cause | 11 | |
 | | | | Human | 58.6 | - | -
 | | | | Random | 4.4 | Pressure Sensors | 4.4
 | | RCIC*, HPCI* | | | | |
4. T(D)D(I)Q | 4.1 | Diesels | 3.8x10-3 | Common Cause | 90 | |
 | | Feedwater* | | | | |
5. T(E)IVDUX | 4.1 | LPCS | 3.62E-3 | Human | 58 | - | -
 | | | | Common Cause | 13.5 | Pumps (Motor-driven) | 100
 | | | | Dependent | 7.1 | - | -
 | | | | Test and Maintenance | 3.9 | - | -
 | | LPCI | 2.6E-3 | Human | 82 | - | -
 | | | | Dependent | 9.7 | - | -
 | | | | Test and Maintenance | 5.2 | - | -
 | | Diesels*, HPCI*, RCIC*, ADS* | | | | |
6. FS(0)QUX | 3.0 | Feedwater*, HPCI*, RCIC*, ADS* | | | | |
7. T(E)III(C)DV | 2.7 | SCRAM*, Diesels*, LPCS*, LPCI* | | | | |
8. T(F)C(M)U | 2.7 | SCRAM*, HPCI*, RCIC* | | | | |
9. T(E)C(M)UD | 2.7 | SCRAM*, HPCI*, RCIC*, Diesels* | | | | |
10. T(C)W'W" | 2.7 | RCICSC | 1.4E-1 | Human | 37 | - | -
 | | | | Random | 7.5 | MOVs | 5.7
 | | | | | | Pressure Sensors | 1.8
 | | RHR | 4.83E-4 | Dependent | 54 | - | -
 | | | | Test and Maintenance | 29 | - | -
 | | | | Common Cause | 7.3 | Pumps | 100
 | | Condensate | 1.2E-1 | Human | 20 | - | -
 | | | | Dependent | 1 | - | -
11. M(S)QUX | 2.3 | Feedwater*, HPCI*, RCIC*, ADS* | | | | |
12. T(E)III(A)DUV | 2.2 | Diesels*, HPCI*, RCIC*, LPCI*, LPCS* | | | | |
13. T(E)W(D) | 2 | RHR*, Condensate*, Diesels* | | | | |
14. T(R)RQUX | 2 | Feedwater*, HPCI*, RCIC* | | | | |
15. T(F)C(M)C(2) | 1.8 | SCRAM*, SLCS* | | | | |

* Analyzed above

individual system. This was necessitated because sequence cut sets were not provided. The reader is therefore cautioned that any sequence-dependent failures listed in the table are based upon this review and due to the limited scope of this review the listings may not be exhaustive.

The first column of Table 3.6 identifies the sequence by number and designation corresponding to the Table 3.3 sequences. The second column provides the core melt probability contribution (in percent) from the individual sequences.

The third column lists all of the system failures associated with each sequence, and the fourth column gives the probability of each system failure. It is important to note that these probabilities, as provided in the PRA, are conditional, that is, dependent upon the initiating event and any preceding system failures. The fifth column provides the failure mode contributions to each of the system failures. Five such modes were identified in the PRA: common cause, dependent, random, human error, and test. As used herein, dependent failures refer exclusively to failures related to the initiating event and preceding system failures.

The sixth column identifies the fractional contribution of each failure mode to the total system failure probability. For example, in Sequence 1, 95.2% of the failure probability of the standby liquid control system is from human error and the remainder is not specified. Note that in many cases (including this example) the column six failure mode contributions do not total to 100%. This is because only those modes identified in the PRA as dominant contributors are considered. Resources did not permit detailed examination of individual cut sets and fault trees to extract further detail on failure modes for lesser contributors. In nearly all cases, however, the failure modes identified in the sixth column account for over half of the total system failure probability, and for many of the systems the identified failure modes contribute over 90% of the total.

The seventh column identifies the components associated with the relevant failure modes. For the dependent and human error modes, no components are identified since for these modes individual component failures are not associated with the system failure. The eighth column provides the individual component contribution to system failure for each failure mode. For example, for Sequence 1, essentially 100% of the scram system failure probability is due to common mode failure of the control rods to insert.

From information provided in Table 3.6, Table 3.7 was constructed in order to consolidate the contributions to CMP from systems, failure modes, and components. In Table 3.7, each system is considered separately, as indicated in the first column. The second column lists the number of sequences (identified in Table 3.3) in which the system appears as a contributor to the sequence probability, and the third column gives the aggregate percentage contribution to CMP from these sequences.

The remaining six major columns give the failure mode contributions, including an "unspecified" column which provides a quantification of the residual failure mode contribution not specified in the PRA. For the "common cause" and "random" columns, the component failure contributions to the respective failure modes are identified. The numerical entries for these columns were obtained by taking the product of the component failure or failure mode contribution from Table 3.6 and the percent contribution of the respective sequence (third column of Table 3.7) to the CMP. This value is an absolute measure of the significance of each failure mode and component failure to the CMP.

Table 3.7 Total System and Component Failure Contributions from Leading Cut Sets

[Table body not legible in this scan.]

An example will aid in interpreting Table 3.7. The reactor core isolation cooling system (RCIC) appears as a system failure element in ten of the leading CMP sequences. The total contribution of these ten sequences to the CMP is 31.6% (shown under the "% CMP" column). In other words, if the RCIC failure probability could be reduced to 0 under the conditions of the ten accident sequences, the total CMP calculated by the PRA would be reduced by 31.6%. For the ADS, 47% of its failure probability derives from common cause failures, of which 35% are common cause SOV failures and 12% arise from contaminated air supplies (Table 3.6). By multiplying these fractions by the core melt contribution (Column 3), the individual component common cause contribution to core melt probability is obtained.

Tables 3.8, 3.9, and 3.10 consolidate and summarize the results of Table 3.7 for failure mode, system failure, and component failure contributions to CMP, respectively.

CMP sequences and the contribution each system imposes on the internal event initiated sequences. Reducing the failure probability to 0 for each system would produce the corresponding reduction in CMP.

It should be noted that improving the reliability of combinations of systems would not [...] CMP contributions because more than one system appears in [...]. The net effect of reliability improvements for combinations of systems would have to be determined from Table 3.6.
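The roll-up described above, as an added Python example that is not part of the NRC report: it sums the Table 3.6 sequence percentages per system to reproduce Table 3.9, multiplies by the Table 3.6 fractions to get failure mode and component shares, and works out the combined share of several systems from the sequences they appear in. The values are keyed in from the tables on this page; placing ADS in sequences 3 and 14 and RCIC in sequence 10 is an assumption chosen so the sums agree with Table 3.9.

```python
"""Roll up Table 3.6 sequence data into system and component shares of CMP.

Added illustration, not part of the NRC report. Values are keyed in from
Tables 3.6, 3.9 and 3.10 as they appear on this page.
"""

# Percent of total CMP carried by each leading PRA sequence (Table 3.6, col. 2).
SEQ_PCT = {1: 11.5, 2: 5.6, 3: 4.3, 4: 4.1, 5: 4.1, 6: 3.0, 7: 2.7, 8: 2.7,
           9: 2.7, 10: 2.7, 11: 2.3, 12: 2.2, 13: 2.0, 14: 2.0, 15: 1.8}

# Sequences in which each system is a failure element (Table 3.6, col. 3).
# Assumption: ADS in sequences 3 and 14 (designators end in X, failure to
# depressurize) and RCIC in sequence 10 (listed there as RCICSC) are inferred
# so that the sums agree with Table 3.9.
SYSTEM_SEQS = {
    "RCIC": {2, 3, 5, 6, 8, 9, 10, 11, 12, 14},
    "HPCI": {2, 3, 5, 6, 8, 9, 11, 12, 14},
    "SCRAM": {1, 7, 8, 9, 15},
    "ADS": {2, 3, 5, 6, 11, 14},
    "DIESELS": {4, 5, 7, 9, 12, 13},
    "FEEDWATER": {3, 4, 6, 11, 14},
    "SLC": {1, 15},
    "LPCS": {5, 7, 12},
    "LPCI": {5, 7, 12},
    "RHR": {10, 13},
    "CONDENSATE": {10, 13},
    "RCICSC": {10},
}

# System totals as printed in Table 3.9, used only as a cross-check.
TABLE_3_9 = {"RCIC": 31.6, "HPCI": 28.9, "SCRAM": 21.4, "ADS": 21.3,
             "DIESELS": 17.8, "FEEDWATER": 15.7, "SLC": 13.3, "LPCS": 9.0,
             "LPCI": 9.0, "RHR": 4.7, "CONDENSATE": 4.7, "RCICSC": 2.7}

# Fraction of a system's failure probability attributed to a failure mode or
# component (Table 3.6, cols. 6 and 8).
FRACTION = {
    ("SCRAM", "control rods"): 1.00,
    ("SLC", "human"): 0.952,
    ("ADS", "common cause"): 0.47,
    ("ADS", "solenoid valves"): 0.35,
    ("ADS", "contaminated air supply"): 0.12,
    ("RCIC", "random"): 0.64,
    ("HPCI", "random"): 0.455,
}


def system_share(system):
    """Percent of CMP in sequences where `system` is a failure element."""
    return round(sum(SEQ_PCT[n] for n in SYSTEM_SEQS[system]), 2)


def item_share(system, item):
    """Percent of CMP tied to one failure mode or component of a system."""
    return round(system_share(system) * FRACTION[(system, item)], 2)


def combined_share(systems):
    """Percent of CMP in sequences containing at least one of `systems`.

    A sequence that contains several of the systems is counted once, which is
    why the result is smaller than the sum of the individual shares.
    """
    seqs = set().union(*(SYSTEM_SEQS[s] for s in systems))
    return round(sum(SEQ_PCT[n] for n in seqs), 2)


def table_3_9_mismatches():
    """Systems whose computed share differs from the printed Table 3.9 value."""
    return {s: (system_share(s), printed)
            for s, printed in TABLE_3_9.items()
            if system_share(s) != printed}


if __name__ == "__main__":
    print("Mismatches against Table 3.9:", table_3_9_mismatches())
    for key in FRACTION:
        print(key, item_share(*key))
    pair = ["RCIC", "HPCI"]
    naive = round(sum(system_share(s) for s in pair), 2)
    print(pair, "sum of shares:", naive, "combined:", combined_share(pair))
```

Every HPCI sequence also contains RCIC, so the two systems together cover the same sequences as RCIC alone, while the sum of their individual Table 3.9 entries is nearly twice that.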

From the data in Tables 3.8, 3.9, and 3.10, the following insights are evident:

The reactor core isolation cooling and high pressure coolant injection system failures dominate the core melt probability from leading core melt sequences in that order. However, neither of these systems is a particularly significant contributor.

Common cause failure appears to dominate failures of the systems important to CMP; however, this is driven by the major role of ATWS in the leading CMP sequences.

Human error contributes almost 50% (47.33%) of the overall CMP.

With respect to failure to scram, it is clear that the assumptions made about scram failure probability and the total dominance by CMF of the control rods drive the conclusions derived from Tables 3.5, 3.7, 3.8, 3.9 and 3.10. The PRA states that these assumptions were taken directly from NUREG-0460 and that their own evaluation of the specific Shoreham design (not used in the PRA) would reduce the scram system contribution to CMP to around 10%. This could have a large impact on the insights derived from the above tables.

Table 3.8 Failure Mode Contribution to CMP from Leading Cut Sets

FAILURE MODE | % CONTRIBUTION
COMMON CAUSE | 50.71
HUMAN | 47.33
RANDOM | 34.26
UNSPECIFIED | 32.87
TEST & MAINTENANCE | 10.74
DEPENDENT | 4.1

Table 3.9 System Contribution to CMP from Leading Cut Sets

SYSTEM | % CONTRIBUTION
RCIC | 31.6
HPCI | 28.9
SCRAM | 21.4
ADS | 21.3
DIESELS | 17.8
FEEDWATER | 15.7
SLC | 13.3
LPCS | 9.0
LPCI | 9.0
RHR | 4.7
CONDENSATE | 4.7
RCICSC | 2.7

Table 3.10 Component Contribution to CMP from Leading Cut Sets

COMPONENT | % CONTRIBUTION
CONTROL RODS | 21.4
MOVs | 14.35
TEMP. ELEMENTS | 11.85
SOLENOID VALVES | 7.45
TURBINE & PUMP | 4.48
PRESSURE SENSORS | 3.49
MOTORIZED PUMPS | 1.56

3.3 Risk

Long Island Lighting Company divided the PRA effort into three phases: 1) the probabilistic evaluation of event sequences; 2) an in-plant consequence evaluation, and 3) the ex-plant consequence evaluation. The results of Phase 1, i.e., the core melt probabilities, are addressed in Section 3.2, above. This section would normally address the results of Phase 3, but Phase 3 is not a part of the published PRA. Therefore, the results of Phase 2 are briefly addressed although this is not a satisfactory substitution for Phase 3 results. Phase 2 of the PRA was not included in the BNL PRA review.

The PRA allocated the core melt sequences into 16 release categories, the parameters of which are defined in Table 3.11 (Table 5.3.2 of the PRA). The severe potential radiological impacts and frequencies are summarized in Table 3.12 (from Table 2 of the PRA), which shows that only three of the 16 release categories have been designated as severe (7, 13, and 14). These are described in Table 3.13. The PRA defines its qualitative measures of radiological impact as follows:

Severe -- the entire core inventory of the noble gases is released, and large fractions of the volatiles and particulates are released.

Moderate -- a large fraction of the noble gases and some fraction of the volatiles and particulates are released.

Minor -- primarily noble gases are released, and small fractions of the volatiles and particulates are released; this implies that very long warning times are available to implement protective actions to mitigate the effects of the release.

Negligible -- a very small fraction of the fission products is released since core melt is arrested, or the containment leakage is very slow; this also implies that protective actions may not be required.

The following insights are offered based on the foregoing:

The three "severe" release categories represent about 0.33% of the total core melt probability and expectedly have the shortest warning times.

These three release categories would be expected to dominate early fatalities.

Interfacing systems LOCA is included in the severe category, but it does not appear to dominate as it does in some of the other studies.

REFERENCES

1. "Probabilistic Risk Assessment, Shoreham Nuclear Power Station," Long Island Lighting Co./SAI, June 1983.

2. "A Review of the Shoreham Nuclear Power Station Probabilistic Risk Assessment," NUREG/CR-4050, Brookhaven National Laboratory, June 1985.

[Table 3.11: not legible in this scan.]

Table 3.12 Summary of Shoreham Release Categories with Potentially Severe Radiological Impact

Release Category | Accident Classes Contributing to Release Category | Potential Radiological Impact | Frequency of Release
7 | III | Severe | 1.5x10-7
13 | V | Severe | 2.5x10-8
14 | V | Severe | 1.1x10-8

Table 3.13 Description of the Severe Release Categories Identified by the Shoreham PRA

Release Category 7
General Description: This release category is representative of a Class III accident sequence in which the containment fails early in the accident sequence due to inadequate pressure suppression capability. The fission products released from the core region are discharged directly to the drywell atmosphere and are not significantly attenuated prior to leakage from the drywell. This category includes Large LOCA and RPV failure accident sequences, which challenge containment integrity early in the sequence.
Dominant Accident Sequence Contribution (Basis For In-Plant Analysis): Large LOCA, failure of vapor suppression, early overpressure failure of containment.

Release Category 13
General Description: This release category is representative of Class V accident sequences which involve core meltdown following a LOCA outside containment. The SRVs are actuated in order to mitigate the release of fission products to the environment by providing an alternative path into the containment (i.e., suppression pool) during the in-vessel release period.
Dominant Accident Sequence Contribution (Basis For In-Plant Analysis): Interfacing LOCA, the suppression pool is partially effective in mitigating releases.

Release Category 14
General Description: This release category is representative of Class V accident sequence which involve core meltdown following a LOCA outside containment. The SRVs are assumed not to be opened, and the fission products released from the fuel totally bypass the containment.
Dominant Accident Sequence Contribution (Basis For In-Plant Analysis): Interfacing LOCA, failure of SRVs.

4. INSIGHTS FROM THE OCONEE 3 PROBABILISTIC RISK ASSESSMENT

4.1 Introduction

This section presents an overview of the results from the Oconee 3 Probabilistic Risk Assessment (PRA)1 and selected insights derived from these results. The review of the PRA being done by Brookhaven National Laboratory for the NRC was not completed at the time this study was undertaken. It is not the purpose of this effort to review the PRA or to judge its validity. Rather, the results from the PRA are used as is, and the insights are based entirely on these results.

Following a brief overview of the PRA, the leading accident sequences contributing to both core melt probability and risk (of early and late fatalities) are examined in detail to obtain the following insights:

Relative significance of initiating events.

System and component failure contributions to leading accident sequences.

Failure mode (i.e., human error, random, dependent, etc.) contributions to leading accident sequences.

In conjunction with these insights, additional perspective is provided, as appropriate, regarding the relative significance of leading sequences and the different characteristics of the accident sequence "mix" for core melt probability and risk.

The core melt probability results for internal and external accident initiating events are considered separately, in Sections 4.2 and 4.3. This is in accordance with discussions in the PRA reference document and is also consistent with a similar separation in the PRA itself. Both internal and external events were combined in the PRA in [...]; they are combined also in Section 4.4.

The Oconee PRA identified turbine building flooding as the dominant initiator within the PRA study; as a result, the plant was modified and certain aspects of the PRA were requantified. It is important to keep in mind that the published PRA contains a mix of pre- and post-modification quantification and that in this study the post-modification information was used whenever available and, wherever a mix of data was used, the distinction was noted.

4.2 Internal Events

This section presents results and insights from internal initiating events. Internal initiators are defined in the PRA as loss-of-coolant accidents and transients. These initiating events are listed in Table 4.1 (reproduced from Table 3.5 of the PRA).

4.2.1 Overall Results

The total core melt probability from internally initiated accidents is 5.4E-5/reactor year. For Oconee, this represents only 21.3% of the total (internal + external) core melt probability. The significance of internally initiated events to early and late fatality risks is discussed in Section 4.4.

Table 4.1 Internal Initiating Events for the Oconee PRA

Event | Description

LOSS-OF-COOLANT ACCIDENTS
S: Small-break LOCA | A break or leak 1/2 to 4 inches in effective diameter. These are spontaneous events: induced LOCAs were treated directly.
A: Large LOCA | A break or rupture greater than 4 inches in effective diameter except those noted below.
[illegible]: Interfacing-system LOCA | A large loss of coolant through the valves acting as a boundary between high and low RCS pressure.
RPV RUPTURE: Vessel rupture | A loss of reactor-vessel integrity precluding the ability to maintain coolant inventory.
[illegible]: Steam-generator tube rupture | A rupture of a steam-generator tube resulting in an RCS leak greater than 100 gpm.

TRANSIENT EVENTS
T1: Reactor/turbine trip | An event resulting in reactor trip but not significantly degrading the operability of equipment needed to respond to the event.
T2: Loss of main feedwater | An interruption of main-feedwater flow from both trains of the system. Some events resulting in a loss of main feedwater are treated separately as defined by other transients.
T3: Partial loss of main feedwater | A degradation of the feedwater system sufficient to cause a trip but not precluding an immediate feedwater response after the trip. Failure of one main-feedwater pump is an example.
T4: Loss of condenser vacuum | A reduction of condenser vacuum to a level resulting in a feedwater-pump trip. Recovery of this event considers the level of degradation caused by the potential initiating events.
T5SUBF: Failure of offsite power at the substation | Substation fault resulting in plant isolation from the electrical grid.
T5FEEDF: Failure of [...] main feeders | Failure of the local grid or feeders resulting [...] power to the plant.
T6: Loss of instrument air | A reduction in instrument-air pressure to a level where valves and instruments cannot provide their intended function. A 10-minute loss resulting in plant trip was assumed for the calculated T6 frequency.
T7: Excessive feedwater | Feedwater events leading to the overfilling of a steam generator and hence an overcooling transient.
T8: Spurious engineered-safeguards signal | A spurious initiation of safeguards equipment. The effect specifically modeled is the initiation of HPI flow.
T9: Steamline break | A rupture of a large secondary steamline. Effects of breaks inside and outside containment were detailed.
T10: Feedline break | Failure of a major feedwater line resulting in failure of main feedwater.
T11: Loss of ICS power bus KI | Failure of power provided by bus KI to the ICS.
T12: Loss of service water | Failure of the LPSW system resulting in insufficient flow in the main headers or failure to vital equipment.
T12(108): Loss of service water due to transfer of LPSW-108 | Failure of the LPSW system due to the specific failure mode involving valve LPSW-108. This is a subset of T12, treated differently for recovery actions.
T13: Spurious low-pressurizer-pressure signal | Incorrect instrument measurement of pressurizer pressure. Sensed signal is lower than the true value.
T14: Loss of power to bus 3TC | Failure of bus or switchgear 3TC resulting in power loss to many plant loads. Plant and main-feedwater trip are the first effects.

4.2.2 Dominant Sequences Table 4.2 lists the accident sequences that are leaoing contributors to core melt probability. It provides the following insight relative to the sig-nificance of individual accident sequences:

.The top 12 sequences provide 82% of the contribution to core melt probability. The leading sequence contributes 24% to the total, and is three' times as probable as any of the others.

4.2.3 Initiating Events Table 4.3 provides a breakdown of total core melt contributors on the basis of accident initiating events. This information was used to establish the relative contribution from important initiating event classes. The re-suits are given in Table 4.4, in which four initiating event categories are used.

Based on these results, the following insights are provided:

Transients dominate core melt probability.

Loss of service water contributes nearly one quarter of the CMP.

Large LOCA contributes about 1.5 times as much as small LOCA.

4.2.4 System and Component Failures and Failure Modes

The contribution to core melt probability from individual system and component failures, as well as failure modes (human error, dependencies, etc.), were examined. Table 4.5 shows the contribution from system and component failures to each of the listed core melt sequences. This information was obtained directly from the PRA by examining the leading cut sets of each sequence.

The Oconee PRA was unique in that this information was provided directly by sequence and thus a much more accurate extraction of the data for Table 4.5 was possible than for the other PRAs examined in this study. Note that the eleven sequence types in Table 4.5 do not correspond exactly to the top twelve sequences in Table 4.2. This is the result of a further binning process whereby similar sequences were combined into a single sequence type within a plant damage bin. For example, Sequence 1 in Table 4.2 represents only LPSW as the initiating event whereas Sequence 1 in Table 4.5 also includes some loss of ac power events that in turn fail LPSW. As this latter configuration of sequences was presented in the PRA with accompanying leading cut sets, these sequences were the ones analyzed. As it turns out, the binning process yields eleven sequence types contributing 85% of the total core melt probability from internal events.

The first column of Table 4.5 identifies the sequence by number and designator. The second column provides the core melt probability contribution, in percent, from the individual sequence and in parenthesis the percent by weight of the cut sets examined. The third column lists all of the system failures associated with each sequence. The fourth column gives the contribution in percent to the total CMP, i.e., column 2 times the parenthetical

Table 4.2 Leading Sequences for Contribution to CMP - Oconee 3 (Internal Events)

Leading Sequences | Sequence Description | Probability | % CMP | Cumulative % CMP
1. T3 BU | Failure of LPSW fails HPI pumps unless operator action and failure to initiate SSF seal injection leads to RCS leak with no make-up | 1.3x10-5 | 24 | 24
2. SY X S3 | SBLOCA with successful HPI. LOCA actuates RBSS and either operator fails to terminate or RBCS is unavailable and RBSS must be left on. HPR fails to be initiated successfully upon depletion of BWST. | 5.0x10-6 | 9 | 33
3. Tg sBU | Large feedwater line break causes loss of MFW and EFW. Feedwater from other sources fails to be initiated and HPI cooling fails. | 4.8x10-6 | 9 | 42
4. AX l ui A | Failure of LPR to initiate or run after large LOCA. | 4.8x10-6 | 9 | 51
5. AX g | Large LOCA with successful injection. High flow develops in LPR leading to pump cavitation and failure if not remedied. | 3.3x10-6 | 6 | 57
6. TsBU | Loss of instrument air resulting in loss of MFW. Failure of EFW, failure to recover feedwater, and HPI cooling fails. | 3.2x10-6 | 6 | 63
7. TWS | ATWS (turbine trip) MFW fails and either injection or long term cooling fails. | 2.8x10-6 | 5 | 68
8. TsBU | Loss of offsite power resulting in loss of instrument air and MFW. Failure of EFW, failure to recover feedwater and HPI cooling fails. | 2.4x10-6 | 4 | 72
9. TWS | ATWS (turbine trip), moderator temperature coefficient less than 95% yields large pressure transient with resulting LOCA. Injection systems fail to provide makeup. | 1.7x10-6 | 3 | 75
10. TWS | ATWS (turbine trip), same as sequence 9 above except that long term cooling fails following successful injection. | 1.5x10-6 | 3 | 78
11. T2BU | Loss of MFW followed by failure of EFW and HPI cooling. | 1.2x10-6 | 2 | 80
12. VR | Reactor vessel rupture. | 1.1x10-6 | 2 | 82

Table 4.3 Mean Annual Core Melt Frequencies for Internal Initiating Events (a)

Initiating Event | Mean Annual Frequency | % CMP
Loss of service water | 1.3-5 | 24.06
Large-break LOCA | 9.0-6 | 16.65
Small-break LOCA | 6.1-6 | 11.29
Transient without scram | 6.0-6 | 11.10
Feedwater-line break | 4.8-6 | 8.88
Loss of instrument air | 3.2-6 | 5.92
Steam-generator tube rupture | 2.7-6 | 5.00
Loss of offsite power | 2.4-6 | 4.44
Turbine/reactor trip | 1.8-6 | 3.33
Loss of main feedwater | 1.2-6 | 2.22
Other transients | 2.6-6 | 4.81
Reactor-vessel rupture | 1.1-6 | 2.04
Interfacing-system LOCA | 1.4-7 | 0.26
Total | 5.4-5 | 100.00

(a) Based on analysis of the unmodified plant.

Table 4.4 Internal Initiating Event Categories - Contribution to Core Melt Probability

Initiator | Probability | % Contribution to Internal CMP
Transients | 3.5E-5 | 64.77
LOCA | 1.62E-5 | 29.98
St. Gen. Tube Rupt. | 2.7E-6 | 5.00
Interfacing LOCA | 1.4E-7 | 0.26
Totals | 5.4E-5 | 100.00

Table 4.5 System and Component Failure Contributions to Oconee 3 Sequences Dominating Core Melt Probability (Internal Events)

Seq. | % CMP Cont. (% Cut Sets Ex.) | System Failures | % Total CMP | Dominant Failure Mode Contributors | % Total CMP | Related Component Failures | % Total CMP
1. T12BU | 28 (97.53) | LPSW | 27.31 (97.53) | Dependent | 1.12 (4.0) | |
 | | | | Random | 26.18 (93.5) | MOV | 16.35 (58.4)
 | | HPI | 27.31 (97.53) | Dependent | 27.31 (97.53) | |
2. SY X | 9 (99.3) | HPR | 8.937 (99.3) | Human | 8.26 (91.8) | |
 | | | | Random | 0.61 (7.5) | |
3. T ieBU | 9 (97.9) | MFW | 8.81 (97.9) | Dependent | 8.81 (97.9) | |
 | | EFW | 8.81 (97.9) | Dependent | 8.81 (97.9) | |
 | | HPI | 8.81 (97.9) | Human | 8.81 (97.9) | |
4. AXg | 9 (98) | LPR | 8.82 (98) | Human | 8.82 (98) | |
5. TgBU | 9 (98.6) | HPI | 8.87 (98.6) | Human | 8.87 (98.6) | |
 | | MFW | 8.87 (98.6) | Dependent | 8.87 (98.6) | |
 | | EFW | 8.87 (98.6) | Dependent | 6.25 (69.4) | |
 | | | | Random | 2.63 (29.2) | UST | 2.63 (29.2)
6. AX g | 6 (97.6) | LPR | 5.86 (97.6) | Human | 5.09 (84.8) | |
 | | | | Dependent | 0.7 (11.6) | |
 | | | | Random | 0.07 (1.2) | MOV | 0.07 (1.2)
7. TWS | 5 (89.3) | SCRAM | 4.47 (89.3) | Common Cause | 4.47 (89.3) | |
 | | MFW | 4.47 (89.3) | Unspec | | |
 | | HPI | 2.32 (46.4) | Unspec | | |
 | | LPR | 2.15 (42.9) | Unspec | | |
8. TWS | 3 (71) | LPSW | 2.13 (71) | Common Cause | 2.13 (96) | |
 | | HPI | 2.13 (71) | Dependent | 2.13 (71) | |
 | | SRV | 0.55 (18.2) | Dependent | 0.55 (18.2) | |
 | | EFW | 0.37 (12.4) | Unspecified | 0.37 (12.4) | |
 | | MFW | 0.12 (4) | Unspecified | 0.13 (4) | |
9. TWS | 3 (78.6) | SCRAM | 2.36 (78.6) | Common Cause | 2.36 (78.6) | |
 | | LPR | 2.36 (78.6) | Dependent | 2.36 (78.6) | |
 | | EFW | 0.68 (22.6) | Unspecified | 0.68 (22.6) | |
 | | MFW | 0.30 (10) | Unspecified | 0.30 (10) | |
 | | SRV | 0.56 (18.6) | Unspecified | 0.56 (18.6) | |
10. TgBU | 2 (77.3) | HPI | 1.55 (77.3) | Human | 1.55 (77.3) | |
 | | EFW | 1.55 (77.3) | Random | 1.55 (17.3) | UST | 1.28 (64.2)
 | | | | | | TD Pump | 0.15 (7.5)
 | | | | | | MOV | 0.11 (5.4)
 | | LPSW | 0.062 (3.1) | Human | 0.038 (1.9) | |
 | | | | Random | 0.024 (1.2) | Pumps | 0.015 (0.73)
 | | | | | | MOV | 0.01 (0.52)
11. VR | 2 (100) | RPV | 2 (100) | Random | 2 (100) | Vessel | 2 (100)

Note - Numbers in parentheses in column 2 represent the percent by weight of the total sequence cut sets examined (i.e., the leading cut sets). Numbers in parentheses in the other columns represent the percent of the column 2 total CMP, by weight of the total sequence cut sets examined, that involved the given item.

percent of cut sets (28 x 97.53% = 27.31); it is important to note that the probabilities that these percentages represent are conditional on the initiating event and any preceding system failures (the numbers in parentheses are again percent of cut sets). The fifth column provides the failure mode contributions to each of the system failures. Four such modes were dominant in the PRA: common cause, dependent, random, and human error. As used herein, dependent failures refer to failures related to the initiating event or in some instances to preceding system failures.

The sixth column gives the contribution in percent to the total CMP and in parenthesis the percent of the column 2 total CMP that was found by examination of the cut sets. For example, in Sequence 1, 93.5% of the failure contribution of the low-pressure service water system is from random failure and 4.1% from dependent failures. Note that in many cases (including this example) the column six failure mode contributions do not total to 100% of the column 4 numbers in parentheses. This is because only those modes identified as leading contributors were considered. The seventh column identifies the components associated with the relevant failure modes. For the dependent and human error modes, no components are identified since for these modes individual component failures are not associated with the system failure. The eighth column provides the individual component contribution to system failure for each failure mode. For example, in Sequence 1, 58.4% of the low pressure service water system contribution to the overall sequence CMP is due to failures of motor operated valves and this yields an overall 16.35 percent contribution to the CMP (28 x 58.4% = 16.35).

From information provided in Table 4.5, Table 4.6 was constructed in order to consolidate the contributions to internal CMP from systems, failure modes, and components. In Table 4.6, each system is considered separately, as indicated in the first column. The second column lists the number of sequences (identified in Table 4.5) in which the system appears as a contributor, and the third column gives the summation of percent contribution to CMP for each system.

The remaining five major columns give the failure mode contributions, including an "unspecified" column which provides quantification of the residual failure mode contribution not easily determined in the cut sets. For the "random" column, the component failure contributions to the respective failure modes are identified. The numerical entries for these columns were obtained directly from Table 4.5 and represent the direct percent of the internal CMP of each failure mode and component failure.

An example will aid in interpreting Table 4.6. The high pressure injection system (HPI) appears as a system failure element in six of the CMP leading sequences. The total contribution of these six sequences, as identified by cut set examination, is 50.99%. In other words, if the HPI failure probability could be reduced to 0 under the conditions of the six accident sequences, the total CMP calculated by the PRA for internal events would be reduced by at least 50.99%. The HPI failure contribution is 19.23% human, 29.44% dependent, and 2.32% unspecified.

Table 4.6 Total System and Component Failure Contributions to Oconee Leading Sequences

System | # Seq | Contribution % CMP | Random (total) | MOV | Pump | UST | AOV/SOV | RPV Vessel | Unspec | Human | Dependent | Common Cause | Unspecified
LPSW | 2 | 27.37 | 26.194 | 16.36 | 3.13 | | | | 6.7 | 0.038 | 1.12 | |
HPI | 6 | 50.99 | | | | | | | | 19.23 | 29.44 | | 2.32
SSF | 1 | 27.31 | | | | | | | | 27.31 | | |
HPR | 1 | 8.937 | 0.61 | 0.61 | | | | | | 8.26 | | |
MFW | 5 | 22.57 | | | | | | | | | 17.68 | | 4.89
EFW | 5 | 20.28 | 4.18 | 0.11 | 0.15 | 3.91 | 0.1 | | | | 15.06 | | 1.05
LPR | 4 | 19.19 | 0.07 | 0.07 | | | | | | 13.91 | 3.06 | | 2.15
SCRAM | 3 | 8.96 | | | | | | | | | | 8.96 |
RPV | 1 | 2 | 2 | | | | | 2 | | | | |
Totals | | | 33.05 | 17.15 | 3.28 | 3.91 | 0.1 | 2 | 6.7 | 68.75 | 66.36 | 8.96 | 10.41

Tables 4.7, 4.8, and 4.9 consolidate and summarize the results of Table 4.6 for failure mode, system failure, and component failure contributions to CMP.

Table 4.8 lists all systems which appear in the eleven leading CMP sequences and the contribution each system imposes on the total CMP for internal event initiated sequences. Reducing the failure probability to 0 for each system would produce the corresponding reduction in CMP. It should be noted that improving the reliability of combinations of systems would not necessarily produce a benefit equivalent to the summation of the corresponding CMP contributions because more than one system appears in all sequences. The net effect of reliability improvements for combinations of systems would have to be determined by a close examination of Table 4.5. A similar statement can be made for combinations of components.

From the data in Tables 4.7, 4.8, and 4.9 the following insights are evident:

Human and dependent failure modes appear to dominate failures of the systems important to CMP.

HPI appears in over half of the total CMP contribution. Its major contributing failure mode arises from its dependence on service water for cooling and its second leading failure mode derives from human error mostly associated with failure to initiate in time in scenarios such that auto initiation would not be counted upon.

Failure of the Safe Shutdown Facility (SSF) appears in over one quarter of the total CMP and is totally associated with operator failure to initiate in time.

Random component failures do not play a significant role in the top 80% of the CMP. The failure of MOVs dominates this category and most of this comes from the failure of valve 108 in the service water system, which initiates a transient and terminates service water cooling.
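The following Python example is added here and is not part of the report or the PRA. It illustrates the two statements made above about Table 4.8: a system's contribution is the share of CMP carried by the cut sets in which it appears, and the contributions of several systems do not add when they share sequences. The cut sets, frequencies, total and function names are constructed for illustration.

```python
"""Added example: percent contribution of systems to core melt probability
(CMP) from leading cut sets, and why contributions of several systems do not
simply add. All data below are constructed for illustration."""

# Constructed cut-set groups (NOT the Oconee PRA values). Frequencies are in
# units of 1e-7 per reactor-year so the arithmetic stays exact.
CUT_SETS = [
    (120, {"LPSW", "HPI", "SSF"}),  # service-water loss that also fails HPI
    (50, {"HPR"}),
    (45, {"MFW", "EFW", "HPI"}),
    (40, {"LPR"}),
    (25, {"SCRAM", "MFW", "HPI"}),
]
TOTAL_CMP = 400  # constructed total, including cut sets that were not examined


def percent_examined(cut_sets=CUT_SETS, total=TOTAL_CMP):
    """Percent (by weight) of the total CMP covered by the examined cut sets."""
    return 100 * sum(freq for freq, _ in cut_sets) / total


def contribution(systems, cut_sets=CUT_SETS, total=TOTAL_CMP):
    """Percent of total CMP carried by cut sets that involve ANY given system.

    This is the reduction in CMP obtained if the failure probability of every
    listed system were driven to 0 under the conditions of those sequences.
    Each cut set is counted once, however many listed systems appear in it.
    """
    wanted = set(systems)
    hit = sum(freq for freq, members in cut_sets if members & wanted)
    return 100 * hit / total


def additive_estimate(systems, cut_sets=CUT_SETS, total=TOTAL_CMP):
    """Naive sum of the single-system contributions (double-counts overlaps)."""
    return sum(contribution({s}, cut_sets, total) for s in set(systems))


def ranking(cut_sets=CUT_SETS, total=TOTAL_CMP):
    """Systems ordered by single-system contribution, largest first."""
    names = set().union(*(members for _, members in cut_sets))
    scored = [(contribution({n}, cut_sets, total), n) for n in names]
    return [(n, pct) for pct, n in sorted(scored, key=lambda t: (-t[0], t[1]))]


if __name__ == "__main__":
    print(f"examined: {percent_examined():.1f}% of total CMP")
    for name, pct in ranking():
        print(f"{name:6s} {pct:5.1f}")
    for combo in ({"HPI", "LPSW"}, {"LPSW", "MFW"}):
        print(sorted(combo), "joint:", contribution(combo),
              "sum of singles:", additive_estimate(combo))
```

In the constructed data HPI and LPSW share a cut set, so improving both yields the 47.5% of HPI alone rather than the 77.5% sum, while LPSW and MFW share none and their contributions do add.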

4.3 External Events

This section presents a summary of the results of the external events analysis from the Oconee 3 PRA.

The PRA considered a total of five external event initiators. These are listed in Table 4.10, with indications of the percent contribution to external CMP. Even after plant modifications, turbine building flooding is still the dominant initiator.

According to the PRA, the total core melt probability from external events is 2.0E-4/yr. Thus, external events contribute 78.7% to the total CMP. The significance of external events to early and late fatality risks is discussed in Section 4.4.

The PRA explicitly provides the leading cut sets for the external events contribution to CMP. The cut sets are categorized by plant damage bin. Table 4.11 is the compilation from examining 86.1% (by weight) of the cut sets for external CMP. The first column lists the initiator category, and the second provides its overall numerical contribution to CMP, from Table 4.10. Column

Table 4.7 Failure Mode Contribution to CMP from Leading Sequence/Cut Sets (Oconee)

Failure Mode | % Contribution
Random | 33.05
Human | 68.75
Dependent | 66.36
Common Cause | 8.96
Unspecified | 29.29*

*81.12% (by weight) of the cut sets for the total CMP were investigated leaving 18.88% not investigated and 10.41% from Table 4.6

Table 4.8 System Contribution to CMP from Leading Sequence/Cut Sets (Oconee)

System | % CMP
HPI | 50.99
LPSW | 27.37
SSF | 27.31
MFW | 22.57
EFW | 20.28
LPR | 19.19
SCRAM | 8.96
HPR | 8.94
RPV | 2.0

Based upon investigation of 81.12% (by weight) of total CMP cut sets.

Table 4.9 Component Failure Contribution to CMP from Leading Sequence/Cut Sets

Component | % CMP
MOV | 17.15
UST | 3.91
Pump | 3.28
RPV | 2.0
AOV/SOV | 0.1

Based upon investigation of 81.12% (by weight) of total CMP cut sets.

Table 4.10 Mean Annual Core Melt Frequencies for External Initiating Events

Initiating Event | Mean Annual Frequency | % CMP
Turbine-building flood (a) | 8.8-5 | 44.2
Earthquake (b) | 6.3-5 | 31.7
External flood (b) | 2.5-5 | 12.6
Tornado (b) | 1.3-5 | 6.5
Fire | 1.0-5 | 5.0
Total | 2.0-4 | 100.00

(a) Based on analysis of the modified plant.
(b) Based on analysis of the unmodified plant.

[Table 4.11 External Events - Oconee: table body not recoverable from the scan]

three lists the plant damage bin, and column four provides that bin's numerical contribution to CMP. Columns five and six singly order the sequences within each bin and provide the percent and (numerical) contribution to CMP of each sequence. The seventh column provides the initial transient response of the plant (i.e., what broke). The eighth column lists all the dependent system failures based upon the initiating event and plant response, and the final four columns track those additional random or human errors that also occurred. Because each sequence entry has multiple cut sets provided for review, some table entries have fractions next to them denoting in what fraction of the total sequence they played a part. All percentages represent % of total external CMP.

Review of Table 4.11 provided the following insights with respect to external events:

External events comprise 78.7% of the total CMP.

Major dependent system failures were found in all 86.1% of the cut sets examined, and 100% of the external CMP cut sets are expected to display this phenomenon.

The external events of the study were severe enough that in well over 50% of the sequences additional failures were not needed for core melt.

Random failures were included in 34.32% of the cut sets. This category was dominated by failures in the SSF (23%) and primary system SRVs failing to close following actuation (10.4%).

Human error accounted for only 11.22% of the external CMP, but this category was totally dominated by human errors associated with the SSF (10.52%).

In the seismic sequences, the auxiliary building masonry walls are capable of failing MFW, EFW, and HPI if they crumble.

All of the tornado sequences were similar in that they all started with LOOP, RX trip, and trip of MFW.

Only one fire area was analyzed in the PRA. This was the cable shaft area, in which a fire can result in failure of any or all of the following:

a. main feedwater controls,
b. emergency feedwater controls,
c. HPI controls,
d. LPI controls,
e. fan cooler power and controls,
f. RB spray controls,
g. PORV and block valve controls.

Cut sets were not provided for the external flood initiator which was taken to be failure of the Jocassee Dam. Dam failure is capable of flooding the turbine and SSF buildings, thus failing MFW, EFW, HPI, LPI, and SSF functions.

In spite of the modifications to the turbine building to improve the plant response to turbine building flooding, this initiator is still the overall largest contributor to CMP.

4.4 Risk

The PRA presents curves of exceedance frequency vs number of fatalities for both early and latent cancer fatalities. Figure 4.1 shows the latent and early fatality curves for internal initiating events, and Figure 4.2 shows similar curves for external initiating events. The PRA did not explicitly define leading cut sets for the risk aspects of the study as it did for CMP.

Six major release categories were defined for Oconee, with the general characteristics given in Table 4.12. The consequence ranges for these six categories are summarized in Table 4.13. Categories 3 and 5 were found to have no meaningful contribution to health effects. The mean frequency per year and its relation to the overall CMP are also given, as are the split between internal and external events for each release category. The following insights on risk are derived from the foregoing:

35.25% of the CMP does not enter into any risk category.

An additional 63% of the CMP represents low to intermediate consequence portions of the CCDFs.

The highest risk category represents 0.01% of the total CMP.

The overall split in CMP between internal and external events is approximately 20% to 80%. In all but one release category, external events exhibit a larger than 80% contribution. The PRA notes that the Reactor Building Sprays are relatively more likely to fail under external events than internal. The discrepancy in release category 2 (i.e., internal >30%) is based on the inclusion of the sequences that include steam generator tube rupture with a stuck open SRV on the same generator, which yields a direct path to the environs.

REFERENCES

1. NSAC 60, "A Probabilistic Risk Assessment of Oconee Unit 3," June 1984.

2. Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regulation Application, NUREG-1050. USNRC, February 1984.

Figure 4.1 Oconee Unit 3 risk curves for all internal initiating events: (a) latent-cancer fatalities and (b) early fatalities. Release categories as defined in Table 4.12. (Horizontal axes: number of latent cancer fatalities, with increase in rate of fatalities (%); number of early fatalities.)

Figure 4.2 Oconee Unit 3 risk curves for external initiating events (modified plant): (a) latent-cancer fatalities and (b) early fatalities. Release categories as defined in Table 4.12. (Horizontal axes: number of latent cancer fatalities, with increase in rate of fatalities (%); number of early fatalities.)

Table 4.12 Summary of Oconee Release Categories

Release Category | Time of Release (Hr) | Duration of Release (Hr) | Warning Time for Evac. (Hr) | Elevation of Release (Meters) | Containment Energy Release (10^6 Btu/Hr)
1A Puff 1 | 2.5 | 0.5 | 1.5 | 21.5 | 289.0
1A Puff 2 | 3.0 | 2.5 | 2.0 | 21.5 | 77.0
1B | 24.0 | 0.5 | 20.0 | 21.5 | 289.0
2 | 1.5 | 3.5 | 0.5 | 0 | 33.0
3 | 1.5 | 1.5 | 0.5 | 0 | 33.0
4 | 62.0 | 0.5 | 60.0 | 21.5 | 289.0
5 | 1.5 | 3.0 | 0.5 | 0 | 0.08

Table 4.13 Summary of Consequence Ranges for Which Release Categories Affect Risk Curves

Release Category | Latent Cancer Fatalities | Early Fatalities | Mean Frequency (yr-1) | Overall % Contribution to Total CMP | % Contribution External Events | % Contribution Internal Events | Comments
1A | 6000-11000 | 1000-7000 | 2.9E-8 | .01 | 85.55 | 14.45 | RC1A ranges represent the highest-consequence portions of the CCDFs.
1B | 100-1000 | No effect | 2.2E-6 | .87 | 93.47 | 6.53 | RC1B ranges represent a narrow segment of the intermediate-consequence portions of the CCDFs.
2 | 100-6000 | 1-2000 | 2.2E-6 | .87 | 68.32 | 31.68 | RC2 ranges represent intermediate- to high-consequence portions of all CCDFs and low- to high-consequence portions for early fatalities.
3 | No effect | No effect | - | - | - | - |
4 | 1-100 | No effect | 1.6E-4 | 63 | 92.49 | 7.51 | RC4 ranges represent the low- to intermediate-consequence portions of the CCDFs.
5 | No effect | No effect | - | - | - | - |

5. DISCUSSION AND RANKING OF THE VARIOUS ELEMENTS OF THE METHODO

5.1 Introduction

The four subject PRAs have been analyzed in accordance with the guidelines of NUREG/CR-3852, "Insights into PRA Methodologies." Section 5.2 provides a brief description of how each of the PRAs handled the various aspects involved in performing a PRA as outlined in the NUREG report. Section 5.3 includes a table in which the areas discussed above are ranked against one another (PRA to PRA) by using the levels of effort developed in the NUREG report, which are defined in Section 5.2 for each area. Note that the ranking process prescribed in the NUREG report did not in all cases result in a ranking category that truly matched what was actually done in the PRA effort. Therefore, the ranking required a certain amount of judgment, which introduced some uncertainty into the results.

5.2 Discussion of the Elements of the Methodologies

The following items correspond to the 20 categories listed in NUREG/CR-3852, with some rearrangement in the order of presentation, as well as some additional items added for the current evaluation because the NUREG report did not address external events.

5.2.1 Identification of Initiating Events

Description: Identify transients and LOCA initiating events

Levels of Effort:
A. Use WASH-1400 (16)
B. WASH-1400 plus EPRI NP-801
C. Generic events plus plant specific (17)

a. Millstone

Extensive review of plant operating data plus plant specific assessment. Used three LOCAs plus special LOCAs (interfacing system and R.V.), SGTR, SL break inside and out of containment and 14 transients.

b. Seabrook

Used Master Logic Diagram (similar to fault tree with top event being release of radioactive materials) which branches downward into initiating events. Also used Plant Heat (energy) Balance Fault Tree to provide more detail, then used historical initiating events, other PRAs, feedback from risk model, FMEA.

c. Shoreham

The PRA utilized WASH-1400, other PRAs, LERs, and plant specific items to generate the set of initiating events.

d. Oconee

The PRA used available sources as well as plant specific analyses for determining the initiating events.

5.2.2 Estimation of Frequency of Initiating Events

Description: Work performed to estimate the frequencies of initiating events

Levels of Effort:
A. Generic data
B. Generic data and plant specific
C. Two-stage Bayesian

a. Millstone

Based on domestic PWR experience plus site specific LOOP estimate. For relatively frequent events, classical statistical methods used; for rare events, Bayesian approach.

b. Seabrook

Used data from other power plant experience for events applicable to Seabrook. For plant specific initiators (interfacing systems LOCA, loss of S.W.S., and CCW loss) did a plant specific analysis. Used EPRI-2230 as primary source for events which have already occurred. Data were modified, other sources used, and frequency computation performed (proprietary). For LOCA and steam breaks, used Nuclear Power Experience and other data. Frequency determination for these events also proprietary.

c. Shoreham

The PRA used the following sources in the order of their priority for quantifying the frequencies of initiating events: a) plant specific, b) NRC data, c) General Electric Co., d) WASH-1400, and e) IEEE 500.

d. Oconee

The PRA used generic data and used a one-stage Bayesian update of the generic data for plant specific data, where available.

5.2.3 Event Tree Modeling Technique

Description: Options for accident sequence modeling using event trees

Levels of Effort:
A. Small systemic event trees for each initiating event class
B. Large event trees for each plant state

a. Millstone

Approach is consistent with PRA Procedures Guide (NUREG-2300). Used plant functional event tree model. Used support state concept to account for support system failures. Functional event trees used, and six top events defined with a total of 44 systems used (some duplications) for the top events. Very comprehensive event trees. For example, 55 different sequences are defined for the loss of off-site power initiators for a particular support state.

b. Seabrook

Used event sequence diagrams which are used to construct event trees. Twelve event sequence models used to cover all initiating events. Very comprehensive event trees. For example, the generalized transient event tree has 159 possible sequences.

c. Shoreham

The PRA developed and quantified separate event trees for those initiating events which may have a strong effect on the system available for accident mitigation and plant cooldown.

d. Oconee

The PRA employed the systemic event tree approach.

5.2.4 Aggregation of Initiating Events

Description: The extent to which initiating events are combined as entry points for event trees

Levels of Effort:
A. Complete aggregation; one initiating event category for all accidents
C. Aggregation based on function or phenomena
E. Little or no aggregation

a. Millstone

Very little aggregation employed. Used 17 event trees to represent all 21 internal event initiating events considered.

b. Seabrook

Some aggregation done for similar initiating events. A total of 58 initiating events (24 internal, 34 external) were grouped into 12 event trees.

c. Shoreham

The PRA did do some aggregation based upon function or phenomena.

d. Oconee

Some aggregation was performed.

5.2.5 Hardwired System Dependency Analysis

Description: Identification and quantification of impact of hardwired system dependencies

Levels of Effort:
A. Engineering judgment based on prior knowledge and insights
C. Systematic hand analysis based on system diagrams
E. Large-scale Boolean reduction code

a. Millstone

Used support state method in which each support system interaction with front-line systems was defined and analyzed deterministically. Five support systems were identified, and eight support states were used with different combinations of support system availabilities. These eight support states were obtained by combining the initial 72 support states into groups with similar plant states. A computerized support state model was employed to analyze the support state dependencies.

b. Seabrook

Two support system matrices were developed to relate support system interdependencies, as well as support system dependencies, with front-line system dependencies. A total of 10 support systems were defined, and their dependency with 11 front-line systems/functions was assessed. Boundary conditions were defined which corresponded to various combinations of support system failures. System unavailabilities were then quantified for appropriate boundary conditions.

c. Shoreham

Ac power, dc power, and service water were explicitly modeled in the event trees. The remaining support systems were modeled in the fault trees. For the three above, an event tree was used to screen the quantitative contribution of these dependences out of the systemic event trees. Once calculated, these contributions were then transferred to the applicable initiator for special processing through an event tree logic diagram suited to represent the predetermined conditions of the support system.

d. Oconee

The major support systems were developed in fault trees and combined with the appropriate frontline systems using SETS to solve the sequences.

5.2.6 System Interaction Analysis

Description: System interactions other than hardwired

Levels of Effort:
A. No analysis to identify interactions
C. Engineering insights
D. Plant walk-through
E. Plant walk-through coupled with detailed analysis of failure modes and effects

a. Millstone

In general, intersystem physical interactions modeled only for external common cause initiators. For internal events, physical interaction dependencies are embodied in success criteria and damage limits for components. Some were modeled in conjunction with intersystem functional dependencies. Intersystem physical interactions were modeled on an event and sequence specific basis.

b. Seabrook

Spatial interactions were considered for external initiating events. Drawings and other plant studies were used, as well as plant walk-throughs, to establish spatial interactions which could be important. The SETS computer code is used to quantify and identify the important spatial interactions.

c. Shoreham

Engineering insights and plant walkdowns were used as inputs to the plant modeling. In one specific case, a common cause analysis was also performed and related to flooding at elevation 8 of the reactor building.

d. Oconee

The PRA includes the results of plant walkdowns and detailed analyses of potential threats and attendant vulnerabilities.

5.2.7 Treatment of the Post-Accident Heat Removal Phase

Description: Consideration of accident duration and equipment recoverability assumptions

Levels of Effort:
A. 24-hr duration with no recovery of mechanical failures
B. Realistic accident durations without recovery of mechanical failures
C. Realistic accident durations with recovery of mechanical failures

a. Millstone For purposes of system unavailability analysis, a 24-hour mission time was generally assumed. However, for accident recovery analyses, realistic accident times were estimated, and recovery of systems with assumed mechanical failures was considered.

b. Seabrook For purposes of system unavailability analysis, a 24-hour mission time was generally assumed with plant conditions stable and expectation of continued cooling. The possibility of manual recovery of mechanical failures was assumed in selected cases including the turbine driven auxiliary feedwater, the service water system, and the electric power system. In these cases, realistic estimates of accident times were made.

c. Shoreham Operator actions which are required by procedures or which are possible to remedy a failed system are depicted and evaluated. Realistic accident time intervals were used for the mission times.

d. Oconee Realistic accident time intervals were used, and the leading cut sets were examined individually to determine what recovery measures could be taken.

5.2.8 Evaluation of Human Errors During Normal Operation

Description: Quantification of the effect of human errors during plant operation (miscalculation, unsafe valve alignment, etc.)

Levels of Effort:
A. Conservative scoping human error values
C. Human error estimates (i.e., NUREG-1278) with a non-detailed analysis
E. Human error estimates using detailed methodology (i.e., THERP tree analysis)

a. Millstone Conservative screening values were used throughout the study based on data from NUREG-1278. Since operating procedures were not developed for Millstone 3 at the time of the PRA, procedures from Units 1 and 2 were used. The THERP analysis was used to determine human error contribution to component unavailability.
b. Seabrook Human errors are accounted for in assessing system reliability. Contributions from outage due to maintenance (planned and unplanned) or tests as well as human errors in testing and maintenance are considered. The principal source of human error rate used was NUREG-1278.
c. Shoreham The PRA used NUREG/CR-1278 as the source for maintenance and operations errors and further includes items such as stress and response times.
d. Oconee The PRA evaluates the human errors by a detailed analysis which accounts for ambiguity, stress, time available, etc.

5.2.9 Evaluation of Human Errors During an Accident

Description: Quantification of human errors which could occur during an accident sequence

Levels of Effort:
A. Conservative scoping human error values
C. Human error estimates (i.e., NUREG-1278) with a non-detailed analysis
E. Human error estimates using detailed methodology (i.e., THERP tree analysis)

a. Millstone Both cognitive (decision making) and procedural errors are considered. The time available for action is evaluated, in addition to the diagnostic information available to the operator based on the accident scenario. The complexity of the required action is also taken into account. Recovery of failed systems was considered in selected cases. The methodology employed was generally the cognitive error model in the NREP Procedures Guide. Human error rates from NUREG-1278 were generally used. The THERP analysis was used to determine human error contribution to component unavailability via restoration errors.

b. Seabrook Operator action trees were employed in evaluating human error contributions during accidents. The plant simulator was used to assist in defining potential operator errors by inputting accident scenarios and evaluating operator plant status perception matrix. Error rates were established by the PRA study team.
c. Shoreham The PRA does not consider errors of commission by the operator. The error model in the NREP Procedures Guide was used with data from NUREG/CR-1278.
d. Oconee The PRA utilizes the same very detailed methodology as discussed for normal operation above in evaluating postaccident human errors.

5.2.10 Common Mode Analysis

Description: Level of effort applied to common mode human error analysis

Levels of Effort:
A. No common mode human error analysis
B. Selective analysis of common mode human error
D. More potential common mode failures and more consistent evaluation than B

a. Millstone Multiple common cause human errors of design, test/maintenance, and incorrect calibration and operation were considered. The binomial failure rate model was employed, based on actual operating plant statistics corrected as necessary to reflect specific features of Millstone 3.

b. Seabrook Common cause human errors were considered and quantified by use of the beta-factor model, and also by the dependence model provided in NUREG-1278. Judgment was applied to determine the degree of dependence between human errors.

c. Shoreham The PRA utilized this methodology in evaluating the miscalibration of four level sensors. It also modeled coupling between operators.

d. Oconee The PRA included common cause human error analysis in a number of instances and included within this the coupling between operators when more than one would/could be involved in the particular scenario.

5.2.11 Treatment of Recovery

Description: Possible operator recovery actions

Levels of Effort:
A. No recovery
B. Recovery from human errors and automatic actuation systems failures
D. Recovery from human error, actuation system failure, and individual components

a. Millstone Analyses were performed to determine time intervals and flow rate requirements for recovery of risk dominant sequences. System recovery actions, use of alternative systems, and recovery of failed components were considered and quantified.

b. Seabrook Recovery was considered for risk significant accident sequences where operator action was considered to be feasible. Recovery of failed automatic systems (i.e., turbine driven auxiliary feedwater) was considered, as was recovery of failed support systems (i.e., service water, control room H&V, containment enclosure air cooling system). Extensive analysis of recovery from loss of AC power was performed, including recovery of failed diesel generators.

c. Shoreham Operator recovery actions were included for human errors, failure of automatic actuation systems, and selected components.

d. Oconee All leading cut sets were examined to determine what recovery actions were possible and what the appropriate probabilities should be.

5.2.12 Modeling of AC Power Systems

Description: Level of detail in modeling and quantifying AC power support system

Levels of Effort:
A. Past PRA models of AC power systems
C. Simple, non-detailed models
E. Detailed fault trees with support system interfaces

a. Millstone Plant AC power (main electrical system) modeling was detailed, extensive, and specific. Diesel generator failure rates were based on tests of Millstone 3 diesel generators and similar units. Support system interfaces and dependencies were assessed in detail.

b. Seabrook Plant AC power (electric power system) modeling was detailed, extensive, and specific. Support system interfaces and dependencies were assessed in detail.

c. Shoreham The power system was divided into three areas: offsite, onsite AC, and DC, and each was modeled in plant-specific detail.

d. Oconee The Oconee power system is quite unique and all aspects were modeled in specific detail.

5.2.13 Modeling of Logic (Actuation) Systems

Description: Level of detail in modeling and quantifying logic equation systems

Levels of Effort:
A. Using past PRA models of logic systems (unreliability of -10 g/train)
C. Simple models
E. Detailed fault tree models

a. Millstone The engineered safety features actuation system is the actuation system for the Millstone 3 plant. It was modeled with detailed fault trees based on plant specific design as well as test and maintenance procedures and schedules which are to be implemented at the plant.

b. Seabrook The actuation systems for Seabrook consist of the reactor trip, engineered safety features actuation, and solid state logic protection systems. These systems were analyzed together, utilizing detailed fault trees based on plant specific design and test and maintenance procedures and schedules planned for the plant.

c. Shoreham Logic systems were modeled in plant-specific detail.

d. Oconee Logic systems were modeled in plant-specific detail.

5.2.14 Common Cause

Description: Level of effort expended to perform hardware common cause analyses

Levels of Effort:
A. No common cause analysis
B. Analysis on a few components identified by engineering judgment
C. Consistent analysis using nuclear experience data

a. Millstone The common cause analysis consisted of a detailed assessment, consistently applied, using operating nuclear plant data. The binomial failure rate model was employed for common cause system and hardware analysis.

b. Seabrook Common cause failures were consistently treated either explicitly by identifying causes of common cause failure and incorporating them explicitly in the systems, or implicitly by using certain parameters to account for their contribution to system failure. The basic parametric model used for common cause failures was the beta factor method. Some beta factors were quantified with design specific nuclear plant data screened for applicability to Seabrook. Where data were sparse or nonexistent, a generic beta factor was used.

c. Shoreham Common cause analysis was included in the modeling of the reactor building flood at elevation 8.

d. Oconee Some common cause analysis was included in the PRA an ... engineering judgment.

5.2.15 Component Reliability Data Base

Description: Type of data base used in PRA

Levels of Effort:
A. Generic data only (e.g., WASH-1400 or IREP data base)
C. Generic data augmented by plant specific for a few important fault types
E. Generic and plant specific employing Bayesian treatment

a. Millstone The data were generated primarily from the Westinghouse Data Base, which is proprietary. These data are based extensively on Westinghouse nuclear plant operating experience, which covers a time span of 1972 through 1981 and contains over 200 reactor-years of plant operation. For cases with little or no nuclear data for the hardware, ten other data sources were used.

b. Seabrook Component failure rate distributions were developed based on information from a variety of generic data sources as well as detailed plant specific data collected in the process of performing PRAs on several other plants. Details regarding the generation of each specific failure rate are proprietary. A Bayesian updating procedure was used to integrate data from several sources into uncertainty distributions for failure rates. Operating experience data were used, and screening of LERs was performed for particularly risk sensitive components.

c. Shoreham The data base utilizes plant-specific data where possible; however, the plant had no operational data base.

d. Oconee The PRA used generic data as a prior and then performed a one-stage Bayesian update based on available plant-specific data.

5.2.16 Use of Demand Failure Probabilities

Description: Treatment of demand failure probabilities from a generic data base for components with very long test intervals

Levels of Effort:
A. Use of demand failure probability directly from generic data base
C. Use of generic demand failure probabilities combined with long test period

a. Millstone The probability of failure on demand was derived by obtaining the ratio of the total number of failures on demand (from various data sources) to the total number of challenges.

b. Seabrook The method used for derivation of demand failure probabilities could not be found in the PRA. Proprietary documents are referenced as sources of information used to develop demand failure distributions.

c. Shoreham Demand failure rates are converted to failure probabilities over the appropriate time interval.
d. Oconee The probability of failure on demand was derived where possible from plant-specific data by taking the ratio of number of failures (from various plant records) to number of challenges over the plant's life.

5.2.17 Use of Means Versus Use of Medians

Description: Use of means or medians of data for component fault quantification

Levels of Effort:
A. Use of either means or medians (No other levels considered)

a. Millstone Mean values were used for component failure rates.

b. Seabrook Mean values were used for component failure rates.

c. Shoreham Mean values were used for component failure rates.

d. Oconee Means were used as the point value estimates from the data distributions.

5.2.18 System Success Criteria

Description: Determination of system success criteria

Levels of Effort:
A. Use system criteria in the Final Analysis Report
C. Realistic, plant specific phenomenological analysis

a. Millstone A majority of the success criteria were based on best-estimate plant specific safety analysis. However, certain success criteria rely on the safety analysis from the Millstone 3 FSAR.

b. Seabrook No specific overall discussion of system success criteria was found in the PRA. However, the study generally used best estimate.

c. Shoreham The PRA success criteria represent realistic requirements and were determined in part from vendor deterministic analyses.

d. Oconee The PRA success criteria represent realistic requirements.

5.2.19 Treatment of Test and Maintenance Outages

Description: Modeling of test and maintenance outage contributions

Levels of Effort:
A. Generic data for maintenance frequencies and test and maintenance outage times
B. Generic data with repair times based on plant specific data
D. Plant specific data for all test and maintenance parameters

a. Millstone Test outages are based on test frequencies required in the Millstone Technical Specifications and the reported times to test. Operational data for Millstone Units 1 and 2 were used for the time to test pumps and valves, assuming that the test time is log normally distributed. Component unavailability due to maintenance outages was based on random failure rates and assumed repair times. The Millstone Unit 3 Technical Specification limit on downtime for any train was used as the upper bound repair time, and Millstone Units 1 and 2 experience was used to establish minimum repair time. Log normal distribution was assumed.

b. Seabrook Test outages are based on technical specifications for Seabrook. Four maintenance frequency distributions were developed for four general component categories based on component type, service duty, and technical specification inoperability limitations. Log normal distributions were assumed. The distributions for the duration of maintenance were developed for the four general maintenance categories. The distributions were based primarily on the applied inoperability time limitations for each component category. Details of the development of the distributions are proprietary.

c. Shoreham Plant specific data are not available for this plant, and essentially WASH-1400 input was used.

d. Oconee The PRA combined generic data with plant-specific data wherever available to develop the test and maintenance data base.

5.2.20 Environmental Qualification

Description: Modeling of environmental qualification of equipment

Levels of Effort:
A. Not considered
B. Engineering judgment
C. Calculation of environments, and failure assumed for severe environment exposure
E. Calculation of environments, and modification of failure probabilities

a. Millstone Environmental effects including grit, moisture/humidity, temperature, electromagnetic interference, radiation exposure, and vibration were analyzed on the basis of the binomial failure rate common cause model using data from operating reactors (corrected for application to Millstone 3). Further detail not provided.

b. Seabrook Environmental effects are mentioned as failure contributors, but the methodology and data used for evaluating such effects could not be found in the SSPSA except for external events that create environmental stress. In these cases, a spatial interaction analysis was used.

c. Shoreham Could not find subject addressed in the PRA.

d. Oconee Engineering judgment was used to augment the evaluation as to whether certain components needed for a successful sequence could function in the expected environment carried by the sequence.

5.2.21 External Event Methodology

Description: Scope and treatment of external events

Levels of Effort: Not applicable (not considered in NUREG/CR-3852)

a. Millstone Eight external events were considered: earthquakes, fires inside the plant, internal and external flooding, winds (and associated missiles), aircraft crashes, transportation and storage of hazardous materials, and turbine missiles. The events were initially screened for significance by examining their frequency and severity and the vulnerability of the plant to damage from them. The screening showed only earthquakes and fires to be significant contributors. Briefly, the methodology used for these two contributors was as follows:

i. Earthquakes - The probability of earthquakes near the site was estimated. Seismic fault trees for various core damage states were developed, and seismic fragility analyses for various plant systems were performed. Probability distributions for fragilities were developed assuming a Weibull distribution. The base events of the seismic core melt fault tree were quantified, yielding a seismic core melt frequency and uncertainty. Seismic related containment event trees were prepared and quantified for seismic related containment failure modes. The consequence analyses were modified to account for slower evacuation speeds and alternative routes.

ii. Fires - Fire probabilities in certain plant areas were assessed on the basis of utility experience. Mechanistic models of fire propagations and the effects of mitigation were evaluated. Fire related operator actions and human errors were quantified. Overall fire related core melt frequencies were computed, and consequence analysis was done in a manner similar to that used for internal events.

b. Seabrook Eight external events were considered: seismic, fires, aircraft accidents, wind, turbine missiles, internal floods, external floods, and hazardous chemicals. A limited bounding analysis was applied for some of the events to show, for the largest predicted sizes, that either no damage of concern would result or the frequency of damaging plant components which could lead to core melt would be negligible compared with that of other events. This bounding analysis eliminated from further consideration all external events except fires, seismic, and aircraft crashes. For these three, the following methodology was employed:

i. Seismic - The frequency of ground motion of various magnitudes was determined. The fragility of plant structures and components was determined by estimating the ground acceleration that would cause failure. A plant logic model was developed which related system failures (including nonseismic failures in conjunction with seismic failures) to core damage. These steps were combined to produce estimates of core melt frequency and related plant damage states. For the major seismic contributors, calculation of the probability distribution of plant damage state frequencies was completed.

ii. Aircraft crash - Aircraft activity near the Seabrook site was examined, and crash rates at the site were estimated based on this activity and U.S. aircraft accident rates for the past 10 years. Fragilities for structures identified as potential targets at the site were estimated, and plant damage states were identified for various crash scenarios. From these estimates, the probability of a severe accident and the consequences from aircraft crashes at the site were calculated. The contribution to core melt probability and risk was found to be negligible.

iii. Fires - The fire analysis is based on the location of important cables and equipment previously assessed for the plant by the utility. The frequencies of fires were derived from data collected from all U.S. nuclear power plants. The impact of fires on instrumentation was analyzed explicitly for the cable spreading room and control room. A list of 11 fire zones judged to have the largest potential of plant damage from fire was developed. The frequencies and consequences of fire suppression efforts were considered. From these results, the contribution from fires to core melt probability and risk was estimated.

c. Shoreham The only external event considered in the PRA was flooding of elevation 8 of the reactor building. This initiator was combined into the internal events category.

d. Oconee Six external events were considered: seismic, tornado, fires, external floods, flooding events from sources within the plant, and aircraft impact. All remaining events in the external events list were eliminated from consideration by determining their inapplicability to the Oconee site. The aircraft impact initiator was eliminated by screening calculations which verified that their frequency of occurrence was too low to present an important contribution to core melt frequency or risk. For the external flood initiator, a detailed bounding analysis showed that failure of the Jocassee Dam contributed about 10% of the total core melt frequency. For the remaining four external initiators the following methodology was employed:

i. Seismic - The frequency of occurrence of ground motions of various magnitudes was evaluated to obtain the seismicity hazard. The capacities of important plant structures and equipment to withstand earthquakes were evaluated to determine the conditional probability of failure as a function of ground acceleration. The internal initiator fault tree and event tree models were modified to reflect plant response to seismic events and then solved to obtain Boolean expressions for the seismic event sequences. The Boolean expressions were quantified by using the probabilistic site seismicity and the fragilities for plant structures and equipment.

ii. Tornado - The frequency of occurrence of tornadoes with wind speed above 150 mph was evaluated from historical data in the area. A tornado event tree was constructed and quantified by using judgmental data for the tornado effects on systems and equipment.

iii. Fires - The analysis was limited to areas where the most damage could be anticipated. The frequencies of fires were derived from the experience of all U.S. nuclear power plants. Simple models were used to assess the propagation of fires in cable trays and the temperature rise in compartments due to fires. The analysis of the fire-initiated sequences was not detailed. It did not include the timing of events, the possibility of restoring lost functions, and the possibility of errors of commission.

iv. Internal Floods - The initial analysis of internal flooding was done by using a survey and overview technique. Flood sources and critical locations were identified. The frequency of flood initiating events was estimated from U.S. nuclear power plant experience combined with Oconee plant experience. Core melt sequences were constructed based on information obtained from the above efforts plus the understanding obtained from the analysis of the internal initiator sequences. The results indicated that turbine building flooding dominated the core melt frequency. In view of that, a refined analysis was carried out including detailed fault tree models for all turbine-building floods in order to obtain a more plant specific quantification of their frequencies. Since the turbine-building flooding continued to dominate the results, it was decided to make some plant modifications. Further evaluation of these sequences, including the modifications, was then performed.

5.2.22 Source Terms

Description: Characteristics of radionuclide release from accident sequence

Levels of Effort: Not applicable (not considered in NUREG/CR-3853)

a. Millstone Fission product release to the containment was calculated by the MARCH/MODMESH/CORCON/COCO CLASS 9 code package. The CORRAL-2 code was used to compute fission product fractions available for release from the containment. Some 30 CORRAL runs were made corresponding to plant damage states. These results were grouped into 13 release categories depending on similarities of timing and release magnitude. To account for fission product attenuations in the primary system and in the containment from physical mechanisms not considered in CORRAL, a discrete probability distribution method was used. In this method, the point estimate release estimates from CORRAL were multiplied by discrete factors of one or less with corresponding probabilities assigned to each factor. These factors and probabilities were derived by expert judgment applied to the separate transport and deposition stages.

b. Seabrook Time-dependent releases calculated in the CORRAL-II code were used to define the point estimate release categories. Thirteen release categories were used based on containment failure mode, availability of sprays, and whether the reactor vessel cavity was assessed to be wet or dry. The MARCH, MODMESH, CORCON, and COCO CLASS 9 codes were used to define thermal-hydraulic conditions in the primary system and containment. The discrete probability distribution approach was used to estimate factors (all 1.0 or less), and their probability, which were applied to the CORRAL-II point estimate results. These parameters were established by expert judgment.

c. Shoreham The PRA employed the MARCH code to calculate system pressure, temperature, core-coolant interactions, and containment conditions for "binned" groups of accident sequences. WASH-1400 assumptions and recent studies of releases from fuel were used to establish the inventory available, and the CORRAL code was used to calculate the effects of the transport and removal mechanisms on fraction of available inventory in each control volume of the containment and the total release to the atmosphere, and its composition, as a function of time.

d. Oconee The CORRAL code (USNRC, 1975) was used to analyze the release and transport of radionuclides inside the containment. The radionuclide inventories and release mechanisms were taken from the RSS (WASH-1400) and altered as necessary to reflect new information concerning releases. Many sensitivity studies were performed to determine the effect of known uncertainties and varying assumptions. The entire spectrum of releases was then grouped into six release categories.
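
The discrete probability distribution method described above for Millstone and Seabrook can be worked through numerically. The following Python sketch is an added example, not part of the original report or of either PRA. The stage names, factors, probabilities and point estimate are constructed for illustration, and treating the stages as independent is an assumption.

```python
"""Discrete probability distribution (DPD) applied to a point-estimate release.

Every number below is constructed for illustration; none comes from the
Millstone or Seabrook PRAs. Fractions keep the arithmetic exact.
"""
from collections import defaultdict
from fractions import Fraction as F
from itertools import product

# Constructed expert-judgment DPDs: (reduction factor <= 1, probability).
PRIMARY_SYSTEM = [(F(1), F(1, 2)), (F(1, 2), F(3, 10)), (F(1, 10), F(1, 5))]
CONTAINMENT = [(F(1), F(2, 5)), (F(1, 2), F(2, 5)), (F(1, 5), F(1, 5))]
# Constructed point-estimate release fraction standing in for a CORRAL result.
CORRAL_POINT_ESTIMATE = F(2, 5)


def validate_stage(stage):
    """Reject a stage whose factors leave (0, 1] or whose probabilities do not sum to 1."""
    if not stage:
        raise ValueError("stage has no entries")
    for factor, prob in stage:
        if not 0 < factor <= 1:
            raise ValueError(f"reduction factor {factor} is outside (0, 1]")
        if not 0 < prob <= 1:
            raise ValueError(f"probability {prob} is outside (0, 1]")
    if sum(prob for _, prob in stage) != 1:
        raise ValueError("stage probabilities must sum to 1")


def combine_stages(stages):
    """Combine per-stage DPDs into one DPD of the overall reduction factor.

    Assumption (not stated in the report): stages are independent, so the
    joint probability of a combination is the product of its probabilities.
    """
    for stage in stages:
        validate_stage(stage)
    combined = defaultdict(F)
    for combo in product(*stages):
        factor, prob = F(1), F(1)
        for stage_factor, stage_prob in combo:
            factor *= stage_factor
            prob *= stage_prob
        combined[factor] += prob  # merge combinations with the same product
    return dict(sorted(combined.items(), reverse=True))


def apply_to_point_estimate(point_estimate, dpd):
    """Scale the point estimate by each factor, keeping the probabilities."""
    return {point_estimate * factor: prob for factor, prob in dpd.items()}


def mean(dpd):
    """Probability-weighted mean of a DPD."""
    return sum(value * prob for value, prob in dpd.items())


def exceedance(dpd, threshold):
    """Probability that the value is at least `threshold`."""
    return sum(prob for value, prob in dpd.items() if value >= threshold)


if __name__ == "__main__":
    overall = combine_stages([PRIMARY_SYSTEM, CONTAINMENT])
    release = apply_to_point_estimate(CORRAL_POINT_ESTIMATE, overall)
    for value, prob in release.items():
        print(f"release fraction {float(value):.4f}  probability {float(prob):.3f}")
    print("mean release fraction:", float(mean(release)))
    print("P(release >= 0.2):", float(exceedance(release, F(1, 5))))
```

With these constructed inputs the single point estimate becomes a seven-point distribution whose mean is well below the point estimate, which is the effect the attenuation factors are meant to capture.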

5.3 Comparison and Ranking of PRA Methodologies for the Four Plants

This section presents, in unified tabular form, the methodological characteristics of the four PRAs examined (Millstone 3, Seabrook, Shoreham, and Oconee), in the light of criteria defined in NUREG/CR-3852 (Table 5.1).

Several introductory remarks are in order, particularly in the light of the uncertainties and in some cases the lack of complete definition remarked on in the introduction above.

i. The treatment of certain topics was not uniform, one aspect being treated in one way (e.g., generically) while another was treated differently (e.g., plant specifically). In those cases the "level of effort" was described by a mixed notation, e.g., B/C or D/A.

ii. Only one of the plants under consideration (Oconee) is actually operational. In the other cases, the terminology "plant-specific" as applied to experiential data is moot. However, in many of these cases generic data have been combined with particularly relevant data from analogous plants and equipment. When this was done, the characterization of the treatment (level of effort) was "starred" (e.g., A*).

iii. No external event data were available for Shoreham.

iv. Related investigations regarding containment are, however, available for Shoreham, and for completeness they are stated here:

The containment response was obtained by detailed specific analyses and numerical calculations.

No special assumptions (such as steam explosions, etc.) were included.

The ultimate external consequence analysis for Shoreham is not available at present.

Table 5.1
Comparison and Ranking of PRA Methodologies for Four Plants

Topic Designator Topic Description Levels of Effort Millstone Seabrook Shoreham Oconee

1 IIE Identification of initiating events A WASH-1400 initiators used C S WASH-1400 plus EPRI NP-801 used C C C (generic data) C Generic data plus plant specific data

2 FIE Frequency of initiating events A Generic (for example EPRI NP-801) C S B/C* Generic plus classical use of plant specified data A* C C Two stage Bayesian

3 ET Event tree modeling characteristics A Small systemic event trees 8 8 1 B Large event trees including global human actions A A

4 AIE Aggregation of initiating events A Complete aggregation C E Functional (phenomenological) aggregation C C C E No or little aggregation

5 504 System hardwired dependency analysis A Use of engineering judgment 1 4 C Systematized hand analysis 1 C E E Boolean reduction code used

6 SIA System interaction analysis A No analysis performed C Engineering insight C 2 C/D E D Plant walkthrough E FMEA plus plant walkthrough

7 PAHR Treatment of the postaccident heat removal phase A Standard (WASH-1400) accident length used D (24 hours) D D D 8 Realistic accident length based on sequence requirements D Realistic accident length and component recovery considered

8 HN Human errors during normal operation A Scoping human error analysis C E E Non-detailed human error analysis C E E Detailed human error analysis

i Table 5.1 Continued i! '

4 Topic

, Designator Topfc Desciption Levels of Effort M111 stone Seabrook It

  • g Shoreham Oconee 4

9 HA Human errors during accident progression A Scoping human error analysis E E E C Non-detailed human error analysis E

E Detailed human error analysis

10 CM Common mode human error analysis A No analysis performed D D 8' D B Analysis performed on an inconsistent basis

D Detailed consistent analysis performed

11 R Treatment of recovery A No recovery actions considered D D D D 1' C Recovery of human errors and actuation faults considered D Recovery of human errors, actuation faults and individual component faults considered

12 AC Modeling of ac power systems A Previous study results used 1 E E E E C Simple non-detailed models used E Detailed system models used

13 L Modeling of logic systems A Previous study results used E E E E C Simple non-detailed models used E Detailed system models used

14 CC Common cause analysis A No analysis performed C C B B 1, 8 Analysis performed on components determined by engineering judgment 1

C Detailed comprehensive analysis performed

15 DB Data base used A Generic

A 1 A* E

C Generic plus classical plant specific E Plant specific, Bayesian

16 DFP Use of demand failure probabilities for long test periods A Use of generic demand failure probabilities A 2 A C C Use of failure rates developed from DFP for long test periods

17 MVM Use of mean vs use of medians

A Use of mean failure rates A A A A A Use of median failure rates

Table 5.1 Continued

Topic Designator Topic Description Levels of Effort Millstone Seabrook Shoreham Oconee

18 SSC Determination of system success criteria A FSAR data used C C 2

Plant specific (realistic) analysis performed C C

19 TM Modeling of test maintenance outages A Generic data used R B B Generic data plus plant specific repair A B times used D Plant specific data used

20 EQ Modeling equipment environmental qualification A Do not consider B Use engineering judgment 8 2 A C

C Estimate environmental conditions at time of accident and use manufacturers' specifications for equipment

21A EIE External initiating events A Not included D D 5 Generic events used D C Some plant specific events used D Comprehensive data used

21B FEE Frequency of external initiators A Generic data used C B Regional data used C C C Plant specific (local) data used

21C MEE Methodology of external event treatment A Engineering judgment 1, S Screening only C C B/D C Screening plus detailed evaluation 0 Quantitative formalism

22 ST Source term A WASH-1400 5 ANS C C C C C WASH-1400 plus refinements D Specific calculations

1 - None of defined levels of effort define methodology.

2 - Could not be determined. See Section 5.2 for details.

6. SUMMARY

This section is intended to highlight the insights derived from the study. The PRA-specific insights with respect to initiators, failure modes, system failures and component failures are included in Sections 1 through 4 and, with few exceptions, will not be repeated here. The "generic" insights derived from the study are presented with the note that it was difficult to glean numerous "generic" insights from only four PRAs, representing three different reactor types, although this in itself may be an insight.

The following are the insights bounded by the above discussion:

All four PRAs were conducted with numerous refinements over the WASH-1400 effort and have yielded more realistic results.

The core melt probabilities due to internal events are identical (within error bounds) for three of the plants, and that for the fourth (Seabrook) is relatively close.

With the possible exception of the low pressure service water system initiator at Oconee, none of the PRAs shows any internal events to be "outliers."

The dominant risk sequences represent only a small fraction (typically less than 1%) of the total contribution to CMP and are characterized by loss of the containment function due to direct bypass or overpressurization.

In the two PRAs (Millstone and Seabrook) which specifically documented risk contribution by sequence, interfacing systems LOCA represents over 98% of the total contribution to early fatalities. Although not specifically quantified, the Shoreham PRA appears to identify large LOCA with early suppression pool failure as its leading contributor to early fatalities.

The CMP and risk associated with the interfacing systems LOCA (event V), as demonstrated by the Oconee PRA, can be substantially reduced by appropriate selection of operating configuration, testing procedures,

The leading contributors to latent fatalities would appear to be interfacing systems LOCA, large LOCA with early containment failure, station blackout greater than six hours and RCP seal LOCA.

The Shoreham PRA insights listed in Section 3 are driven to a large extent by one major assumption within the PRA. The PRA has adopted a generic failure to scram probability from NUREG-0460 and assumes the common mode failure of the control rods to insert as the only contributor. The PRA states that a Shoreham-specific analysis was done and that the results were on the order of 25% lower than the NUREG, but were not used in the study. Had these results been used, the CMP as well as the dominant sequences, failure modes, system failures, and component failures as presented in this report would all be changed.

The different plant PRAs showed wide variance as to what internal accident initiators dominated the CMP. For Shoreham (BWR), ATWS dominated and LOCAs were insignificant. For Oconee, LOCAs contributed approximately 30% of the CMP and large LOCA contribution was 1.5 times that of small LOCA. Even the results for the two Westinghouse plants (Seabrook and Millstone) were considerably different from one another. Seabrook and Millstone both found small LOCA greater than large LOCA in terms of contribution to CMP, but small LOCA contribution was 11% in Seabrook and 24% in Millstone.

The core melt probability (CMP) and the percentage contribution from internal and external initiators are shown below for the four PRAs analyzed.

             Total Core Melt      Contribution from      Contribution from
Plant        Probability (CMP)    Internal Initiators    External Initiators
                                  (%)                    (%)

Millstone    5.89E-05             76.4                   23.6
Seabrook     2.30E-04             80.0                   20.0
Oconee       2.54E-04             21.3                   78.7
Shoreham     5.50E-05             100.0                  *

* The study did not consider external events.

The main insight drawn from these results is that the usual breakdown of percentage contribution by internal versus external initiators of about 80/20 was fully reversed in the Oconee study. The Oconee results are for the modified plant; the external initiator dominance (mainly internal floods) was even more dominant in the original plant.

Appendix A

DETERMINATION OF LATENT FATALITY RISK (AT >1000 FATALITIES) CONTRIBUTION FOR SEABROOK

This appendix describes the procedure used in deriving accident sequence contributions to latent fatalities from external events, based on the Seabrook SSPSA results. The SSPSA does not provide information from which these contributions can be directly obtained, but the results provided are detailed enough to allow estimation of the contributions by combining appropriate factors.

The SSPSA latent fatalities are computed from source terms associated with release categories defining the necessary radionuclide release parameters. Each release category is made up of plant damage states having similar characteristics relative to the disposition of radionuclides. Each plant damage state consists of accident sequences grouped into the damage states on the basis of similar outcomes regarding the end state of the plant following the assumed sequence. The SSPSA provides the relative contributions of leading accident sequences to plant damage states, the relative contribution of plant damage states to release categories, and the relative release category contribution to latent fatality risks. By extraction of appropriate contributions from each of these steps, the relative significance of individual accident sequences (or groups of sequences) to latent fatality risk can be estimated.

The first step in the procedure was to determine the relative contribution of the various release categories to latent fatality risk. This information is given in Table A.1 (extracted from Table 13.2-7b of the SSPSA). The last column shows the contribution from the release categories averaged over the 1,000 and 10,000 fatality levels. To be consistent with other estimates in this report, the level above 1,000 fatalities was chosen as the risk parameter. The 100,000 level was neglected because of its extremely low probability. This averaging is a crude estimate, but is considered valid because the release category contributions for 1,000 and 10,000 are similar, as shown in Table A.1; within 5% of the average in all cases but one (S6V), for which the average is 13% from the two contributions.

After establishing the contribution from each release category to the latent fatality risk, the next step was to determine the plant damage state contribution to each release category. This information (from Table 13.2-8 of the SSPSA) is given in Table A.2 for the four release categories of interest. The plant damage states (7FP, etc.) identify certain plant accident conditions which result in particular release categories.

The next step in the procedure was to examine the accident sequences which are the leading contributors to each plant damage state to determine common features, including which sequences are initiated by external events and their relative significance. This information is found in SSPSA Tables 13.2-13c through 13.2-131. By examining these sequences, and grouping them appropriately, Table A.3 was formulated. It includes only those plant damage states which had significant contributors (more than a few percent) from accident sequences initiated by external events.

From the information in Tables A-1, A-2, and A-3, the contribution to latent fatalities from accident sequences initiated by external events can be readily obtained. For example, for seismic events causing loss of off-site power and containment isolation failure (<3"), the product of the contribution of these accidents to plant damage state 7FP (90%) and the contribution of 7FP to release category S2V (60.6%), and the contribution of S2V to the latent fatality risk (48%) are computed. Similarly, all accident groupings in Table A-3 are computed. The result is given in Table 2.11 of the main report.

Table A.1 Contribution of Release Categories to Risk of Latent Cancer Fatalities for Seabrook

                     % Contribution
Release Category     1000 Fatalities    10000 Fatalities    Average

S2V                  51.2               44.8                48
S6V                  11.9               35.5                23.7
S3                   15.9               9.55                12.7
S3V                  17.1               7.65                12.4
Totals               96.1               97.5                96.8

Table A.2 Contribution of Release Categories to Plant Damage States

% Contribution to Damage States

Release Category 7FP 3FP 1FP 8D 40 1F 3F 7F 70 30

S2V 60.6 34.6 4.75
S6V 77.6 20.5 1.46
S3 94.4 4.8
S3V 78.3 21.4

Table A.3 Contribution of External Events to Seabrook Plant Damage States

Seisof c. Solid State - .

Plant Damage Seismic. LSOP Containment Protection Failure.

State Fire. Loss of Containment Isolation Isolation Failure (<3") Containment Cooling Seismic. LOSP Containment Failure (>3") Isolation Failure (>3")

7FP 90 3FP 85 30 3F 32 46 -


BIBLIOGRAPHIC DATA SHEET

NUREG/CR-4405
BNL-NUREG-51931

Probabilistic Risk Assessment (PRA) Insights

November 1985

R. Fitzpatrick, L. Arrieta, T. Teichmann, P. Davis

Brookhaven National Laboratory
Upton, New York 11973

FIN A-3796

Division of Safety Technology
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555

with the broad objective of ascertaining what insights mi already documented in the PRAs) by an independent evaluation.

This effort was not

.level.

accepted the results, to see what they might mean on .

The four PRAs evaluated were those for Millstone 3, Seabrook, Shoreham, and Oconee 3.

the NRC, but only two have been completed and available the review of Millstone 3 by LLNL and the review of Shoreham by BNL.

- failure modes, plant systems, and specific components th probability and/or risk to the public.

In addition, the various elements of the methodologies employed by the four PRAs are discussed and ranked (per N;l PRA-specific insights are presented within the report section addressing that overall insights are presented in the Summary.

Probabilistic risk assessment, Insights, Seabrook, Shoreham, Millstone, Oconee

Unlimited

Unclassified