ML20155A606

Evaluation of Station Blackout Accidents at Nuclear Power Plants.Technical Findings Related to Unresolved Safety Issue A-44.Final Report
Person / Time
Issue date: 06/30/1988
From: Baranowsky P
Office of Nuclear Reactor Regulation, NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To:
References
REF-GTECI-A-44, REF-GTECI-EL, TASK-A-44, TASK-OR NUREG-1032, NUDOCS 8806100152

NUREG-1032 Evaluation of Station Blackout Accidents at Nuclear Power Plants Technical Findings Related to Unresolved Safety Issue A-44 Final Report

U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Office of Nuclear Reactor Regulation P. W. Baranowsky

NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Information Support Services, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

NUREG-1032 Evaluation of Station Blackout Accidents at Nuclear Power Plants Technical Findings Related to Unresolved Safety Issue A-44 Final Report

Manuscript Completed: May 1988
Date Published: June 1988

P. W. Baranowsky

Office of Nuclear Regulatory Research Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555

ABSTRACT

"Station Blackout," which is the complete loss of alternating current (AC) electrical power in a nuclear power plant, has been designated as Unresolved Safety Issue A-44. Because many safety systems required for reactor core decay heat removal and containment heat removal depend on AC power, the consequences of a station blackout could be severe. This report documents the findings of technical studies performed as part of the program to resolve this issue. The important factors analyzed include: the frequency of loss of offsite power; the probability that emergency or onsite AC power supplies would be unavailable; the capability and reliability of decay heat removal systems independent of AC power; and the likelihood that offsite power would be restored before systems that cannot operate for extended periods without AC power fail, thus resulting in core damage. This report also addresses effects of different designs, locations, and operational features on the estimated frequency of core damage resulting from station blackout events.

TABLE OF CONTENTS

ABSTRACT
LIST OF FIGURES
LIST OF TABLES
PREFACE
ACKNOWLEDGMENTS
1 EXECUTIVE SUMMARY
2 INTRODUCTION AND TECHNICAL APPROACH
3 LOSS OF OFFSITE POWER FREQUENCY AND DURATION
4 RELIABILITY OF EMERGENCY AC POWER SUPPLIES
5 STATION BLACKOUT FREQUENCY AND DURATION
6 ABILITY TO COPE WITH A STATION BLACKOUT
7 ACCIDENT SEQUENCE ANALYSES
8 EVALUATION OF DOMINANT STATION BLACKOUT ACCIDENT CHARACTERISTICS
9 RELATIONSHIP OF OTHER SAFETY ISSUES TO STATION BLACKOUT
10 REFERENCES
APPENDIX A DEVELOPMENT OF LOSS-OF-OFFSITE-POWER FREQUENCY AND DURATION RELATIONSHIPS
APPENDIX B EMERGENCY AC POWER RELIABILITY AND STATION BLACKOUT FREQUENCY MODELING AND ANALYSIS RESULTS
APPENDIX C STATION BLACKOUT CORE DAMAGE LIKELIHOOD AND RISK

LIST OF FIGURES

3.1 Diagram of offsite power system used in nuclear power plants
3.2 Frequency of loss-of-offsite power events exceeding specified durations
3.3 Estimated frequency of loss-of-offsite power events exceeding specified durations for representative clusters
4.1 Simplified 1-of-2 onsite AC power distribution system
4.2 Onsite power system functional block diagram
4.3a Histograms showing emergency diesel generator failure on demand for 1976 through 1982
4.3b Histograms showing emergency diesel generator failure on demand for 1983 through 1985
4.4 Failure contribution by diesel generator subsystem
4.5 Onsite AC system unavailability for 18 plants studied in NUREG/CR-2989
4.6 Percentage of emergency diesel generator failures repaired vs. time since failure
4.7 Generic emergency AC power unavailability as a function of emergency diesel generator (EDG) reliability
4.8 Generic emergency AC power unavailability as a function of individual diesel generator running reliability
5.1 Estimated frequency of station blackout exceeding specified durations for several representative offsite power clusters
5.2 Estimated frequency of station blackout exceeding specified durations for several EDG reliability levels
5.3 Estimated frequency of station blackout exceeding specified durations for several emergency AC power configurations
7.1 Generic PWR event tree for station blackout
7.2 Generic BWR event tree for station blackout (BWR-2 or 3)
7.3 Generic BWR event tree for station blackout (BWR-4, 5, or 6)
7.4 Time to core uncovery as a function of time at which turbine-driven auxiliary feedwater train fails
7.5 PWR station blackout accident sequence
7.6 BWR station blackout accident sequence
8.1 Sensitivity of estimated station blackout--core damage frequency to offsite power cluster, AC-independent decay heat removal reliability, and station blackout coping capability
8.2 Sensitivity of estimated station blackout--core damage frequency to emergency diesel generator reliability, AC-independent decay heat removal reliability, and station blackout coping capability
8.3 Sensitivity of estimated station blackout--core damage frequency to emergency AC power configurations, AC-independent decay heat removal reliability, and station blackout coping capability
8.4 Sensitivity of estimated station blackout--core damage frequency to reducing the common cause failure susceptibility of emergency diesel generators, their reliability, and station blackout coping capability
8.5 Estimated core damage frequency showing uncertainty range for four reference plants

LIST OF TABLES

1.1 Summary of station blackout program technical results
3.1 Total losses of offsite power at U.S. nuclear power plant sites, 1968 through 1985
3.2 Characteristics of some loss-of-offsite power-event clusters that affect longer duration outages
4.1a Diesel generator start attempts and failures for tests and actual demands from NUREG/CR-2989
4.1b Diesel generator start attempts and failures for tests and actual demands from EPRI study
4.2 Results of onsite power system reliability analysis reported in NUREG/CR-2989
6.1 Effects of station blackout on plant decay heat removal functions
6.2 Possible factors limiting the ability to cope with a station blackout event
7.1 Estimated time to uncover core for station blackout sequences with initial failure of AC-independent decay heat removal systems and/or reactor coolant leaks
7.2 Summary of potentially dominant core damage accident sequences
7.3 Containment performance and consequence results for station blackout sequences
8.1 Sensitivity of estimated core damage frequency reduction for station blackout accidents with reactor coolant pump seal failure delay from 2 to 4 hours and 4 to 8 hours
9.1 Coupling between external (and internal) events and potential plant failures

PREFACE

This report represents the culmination of several technical studies undertaken by Nuclear Regulatory Commission (NRC) staff and contractors to place a reliability and risk perspective on Unresolved Safety Issue A-44, "Station Blackout." The technical findings published in this report are intended to document the basis for future NRC regulatory activities that will be the resolution of this safety issue.

The analyses, evaluations, and results presented are meant to provide a "best estimate" assessment of the major contributors to the frequency of station blackout and the probability of subsequent core damage. Most results are presented as point estimates and are intended for use in the quantitative regulatory analyses that will be used to support a proposed resolution of this issue. The uncertainties in the quantitative analyses are large enough that rigorous application of these results should be made with caution. However, the staff believes that the qualitative insights and conclusions are correct and useful as guidance in determining what constitutes resolution of this issue.

P.W. Baranowsky

ACKNOWLEDGMENTS

The preparation of this report involved the technical contribution, review, and comment of several individuals in addition to the principal author. The contributions of the following NRC staff members are hereby acknowledged and appreciation given:

S. A. Bernstein
J. H. Flack
J. W. Johnson
L. E. Lancaster
E. Lois
D. M. Rasmuson
A. M. Rubin


1 EXECUTIVE SUMMARY

Station blackout is the complete loss of alternating current (AC) electrical power to the essential and nonessential switchgear buses in a nuclear power plant. Because many safety systems required for reactor core cooling and containment heat removal depend on AC power, the consequences of a station blackout could be severe. Existing regulations do not require explicitly that nuclear power plants be capable of withstanding a station blackout.

In 1975, the "Reactor Safety Study" (NUREG-75/014) showed that station blackout could be an important contributor to the total risk from nuclear power plant accidents. In addition, as operating experience accumulated, the concern arose that the reliability of both the onsite and offsite emergency AC power systems might be less than originally anticipated. Thus, in 1979 the Nuclear Regulatory Commission (NRC) designated station blackout as an unresolved safety issue (USI); a task action plan for its resolution (TAP A-44) was issued in July 1980, and work was begun to determine whether additional safety requirements were needed.

Technical studies performed to resolve this safety issue have identified the dominant factors affecting the likelihood of station blackout accidents at nuclear power plants. A summary of the principal probabilistic results is in Table 1.1. These results are based on operating experience; the results of several plant-specific probabilistic safety studies; and reliability, accident sequence, and consequence analyses performed as part of TAP A-44.

The results show the following important characteristics of station blackout accidents:

(1) The variability of estimated station blackout likelihood is potentially large, ranging from approximately 10^-5 to 10^-3 per reactor year. A "typical" estimated frequency is on the order of 10^-4 per reactor year.

(2) The capability to restore offsite power in a timely manner (less than 8 hours) can have a significant effect on accident consequences.

(3) The redundancy of onsite AC power systems and the reliability of individual power supplies have a large influence on the likelihood of station blackout events.

(4) The capability of the decay heat removal system to cope with long duration blackouts (greater than 2 hours) can be a dominant factor influencing the likelihood of core damage or core melt for the accident sequence.

(5) The estimated frequency of station blackout events that result in core damage or core melt can range from approximately 10^-6 to greater than 10^-4 per reactor year. A "typical" core damage frequency estimate is on the order of 10^-5 per reactor year.

Table 1.1 Summary of station blackout program technical results

Parameter                                                   Value

Operational Experience
  Loss of offsite power (occurrence per year)
    Average                                                 0.1
    Range                                                   0 to 0.4
  Time to restore offsite power (hours)
    Median                                                  0.6
    90% restored                                            3.0
  Emergency diesel generator reliability (per demand)
    Average                                                 0.98
    Range                                                   0.9 to 1.0
  Median emergency diesel generator repair time (hours)     8

Analytical Results
  Estimated range of unavailability of emergency
    AC power systems (per demand)                           10^-4 to 10^-2
  Estimated range of frequency of station blackout
    (per year)                                              10^-5 to 10^-3
  Estimated range of frequency of core damage as a
    result of station blackout (per year)                   10^-6 to 10^-4

(6) Information currently available indicates that containment failure as a result of overpressure may follow a station-blackout-induced core melt. Smaller, low-design pressure containments are most susceptible to early failure (possibly in less than 8 hours). Some large, high-design pressure containments may not fail as a result of overpressure, or if they do fail, the failure time could be on the order of a day or more.

The losses of offsite power can be categorized as those resulting from (1) plant-centered faults, (2) utility grid blackouts, and (3) failures of offsite power sources induced by severe weather. The industry average frequency of total losses of offsite power was determined to be about 0.1 per site-year, and the median restoration time was about one-half hour. The factors identified as affecting the frequency and duration of offsite power losses are

(1) the design of preferred power distribution system, particularly the number and independence of offsite power circuits from the point where they enter the site up to the safety buses

(2) operations that can compromise redundancy or independence of multiple offsite power sources, including human error

(3) the reliability and security of the power grid, and the ability to restore power to a nuclear plant site with a grid blackout

(4) the hazard from, and susceptibility to, severe weather conditions that can cause loss of offsite power for extended periods

A review of the design and operating experience, combined with a reliability analysis of the onsite emergency AC power system, has shown that there are a variety of potentially important causes of failure. The typical unavailability of a two-division emergency AC power system is about 10^-3 per demand, and the typical failure rate of individual emergency diesel generators is about 2 x 10^-2 per demand.

The factors identified as affecting emergency AC power system reliability during a loss of offsite power are

(1) power supply configuration redundancy

(2) reliability of each power supply

(3) dependence of the emergency AC power system on support or auxiliary cooling systems and control systems, and the reliability of those support systems

(4) vulnerability to common cause failures associated with design, operational, and environmental factors

The likelihood that a station blackout will progress to core damage or core melt is dependent on the reliability and capability of decay heat removal systems that are not dependent on AC power. If the capability is sufficient, additional time will be available to restore AC power to the many systems normally used to cool the core and remove decay heat. The most important factors relating to decay heat removal during a station blackout are

(1) the starting reliability of systems required to remove decay heat and maintain reactor coolant inventory

(2) the capacity and ability to function of decay heat removal systems and auxiliary or support systems that must remain functional during a station blackout (e.g., direct current (DC) electrical power, condensate storage), including effects of inoperable heating, ventilation, and air conditioning (HVAC) systems

(3) for pressurized water reactors (PWRs) and for boiling water reactors (BWRs) without reactor coolant makeup capability during a station blackout, the magnitude of reactor coolant pump seal leakage

(4) for BWRs that remove decay heat to the suppression pool, the ability to maintain suppression pool integrity and operate heat removal systems at high pool temperatures during recirculation

(5) recovery of AC power including availability of alternate AC power sources

On the basis of reviews of design, operation, and location factors, the staff determined that the expected core melt frequency from station blackout could be maintained around 10^-5 per reactor year or lower for all plants. To reach this level of core melt frequency, a plant would have to be able to cope with station blackouts on the order of 2 to 4 and perhaps 8 hours long and have emergency diesel-generator reliabilities of 0.95 per demand or better, with relatively low susceptibility to common cause failures.

2 INTRODUCTION AND TECHNICAL APPROACH

Station blackout refers to the complete loss of AC electrical power to the essential and nonessential switchgear buses in a nuclear power plant. Station blackout involves the loss of offsite power concurrent with the failure of the onsite emergency AC power system. It does not include the loss of available AC power to buses fed by station batteries through inverters. Because many safety systems required for reactor core cooling, decay heat removal, and containment heat removal depend on AC power, the consequences of station blackout could be severe.

The concern about station blackout is based on accumulated operating experience regarding the reliability of AC power supplies. A number of operating plants have experienced a total loss of offsite electrical power, and more such occurrences are expected. During these loss-of-offsite power events, onsite emergency AC power sources were available to supply the power needed by vital safety equipment. However, in some instances one of the redundant emergency power supplies was unavailable, and in a few cases there was a complete loss of AC power. (During these events AC power was restored in a short time without any serious consequences.) In addition, there have been numerous instances at operating plants in which emergency diesel generators failed to start and run during surveillance tests.

For one of two plants evaluated, the Reactor Safety Study (NUREG-75/014) showed that station blackout could be an important contributor to the total risk from nuclear power plant accidents.

Although this total risk was found to be small, the relative importance of the station blackout event was established.

This finding, with the accumulated data on diesel generator failures, increased the concern about station blackout.

An analysis of the risk from station blackout involves an assessment of (1) the likelihood and duration of the loss of offsite power, (2) the reliability of onsite AC power systems, and (3) the potential for severe accident sequences after a loss of all AC power.

These topics were investigated under USI TAP A-44.

This plan included the following major tasks:

(1) Estimating the frequency of station blackout at operating U.S. nuclear power plants. This analysis consisted of two parts

- estimating the frequency of loss of offsite power for various plant locations
- estimating the probability that the onsite AC power system will fail to supply AC power for core cooling

(2) Determining plant responses to station blackout and the risk associated with station-blackout-initiated accident sequences. The scope of this investigation included

- reviewing shutdown cooling systems design and assessing their capability and reliability during a prolonged station blackout
- reviewing containment designs and their ability to withstand temperature and pressure buildup during a prolonged loss of AC power
- estimating the probability of station blackout accident sequences for a spectrum of nuclear power plant designs

The principal focus of TAP A-44 was the reliability of emergency AC power supplies.

This approach was taken for several reasons.

First, station blackout was identified as a USI primarily on the basis of the questions raised about the reliability of onsite emergency power supplies. Second, if safety improvements are required, it is easier to analyze, identify, and implement them for the onsite AC power system than for the offsite AC power supplies or for the AC-independent decay heat removal system.

For example, offsite power reliability is dependent on a number of factors--such as regional electrical grid stability, weather phenomena, and repair and restoration capability--that are difficult to analyze and to control.

Also, the capability of a plant to withstand a station blackout depends on those decay heat removal systems, components, instruments, and controls that are independent of AC power.

These features vary from plant to plant; thus considerable effort is required to analyze all of them or to ensure that the plants indeed have that capability.

Third, significant progress has been made on improving operating PWRs by backfitting the auxiliary feedwater system to make it independent of AC power.

In addition, under the TAP for USI A-45, "Shutdown Decay Heat Removal Requirements," the adequacy of shutdown decay heat removal systems for nuclear power plants is being reviewed.

Thus, the reliability of emergency AC power supplies is of principal importance to USI A-44.

A preliminary screening analysis was done to identify plants most likely to suffer core damage as a result of a loss of all AC power.

The intent was to survey the frequency and implication of station blackout events in operating plants and identify any plants with especially high risk that might require further analysis or action on an urgent basis.

The initial results showed no such plants.

Following this initial analysis, station blackout events were evaluated in more detail.

Because the station blackout issue centers on concern about the reliability of AC power supplies, typical offsite and emergency AC power supplies were evaluated and operating (failure) experience reviewed. This effort was limited to power supply availability and did not include an evaluation of the adequacy of power distribution design or power capacity requirements.

Information on loss of offsite power was collected from licensee event reports (LERs), responses to an NRC questionnaire, and various reports prepared by industry sources. Most of the event descriptions in the LERs and in other documentation in the NRC files did not contain sufficient information to provide an accurate data base for estimating frequencies and durations of losses of offsite power. For example, in one case a licensee reported that offsite power was restored in 6 hours; in fact, one offsite power source was restored in 8 minutes and all offsite power was restored in 6 hours. Because restoration of one source of offsite power terminates a loss of offsite power, the licensee's description was not accurate enough. In some other cases, although offsite power was available to be reconnected, the plant operators did not reconnect it for some time after it was available because onsite power was available.

To obtain more accurate data, the NRC and Oak Ridge National Laboratory staff members worked closely with the Institute of Electrical and Electronics Engineers (IEEE) and the Electric Power Research Institute (EPRI). These groups contacted utility engineers to get better descriptions of the causes and sequences of events, and the times and methods of restoring offsite power (Wyckoff, May and September 1986).

To gain a perspective on consequences, station blackout event sequences and associated plant responses were analyzed.

The Interim Reliability Evaluation Program (IREP) was one source of information for developing the shutdown cooling reliability models and accident scenarios needed for this evaluation.

The Reactor Risk Reference Document (NUREG-1150) and supporting studies were a source of information for developing an updated perspective on containment failure and consequences associated with a station blackout accident.

The following sections of this report summarize the results of the technical evaluations discussed above.

Details of the technical assessments performed as part of USI TAP A-44 are reported in NUREG/CR-2989, -3226, and -3992.

Significant use was also made of NSAC/103 (Wyckoff, May 1986) and NSAC/108 (Wyckoff, September 1986) as well as other documents produced to assess various station blackout concerns which are appropriately referenced throughout this report.

Technical evaluations in this report were derived from these references to coalesce that material and extend the analysis to obtain the broader insights and bases necessary to resolve the station blackout issue in an integral manner, considering plant differences.

These supplemental analyses are described in Appendices A, B, and C of this report.

3 LOSS OF OFFSITE POWER FREQUENCY AND DURATION

The offsite or preferred power system at nuclear power plants consists of the following major components:

- two or more incoming power supplies from the grid
- one or more switchyards to allow routing and distribution of power within the plant
- one or more transformers to allow the reduction of voltage to levels needed for safety and non-safety systems within the plant
- distribution systems from the transformers to the switchgear buses

Figure 3.1 provides an example of an offsite power system design used for nuclear power plants.

During normal operation, AC power is typically provided to the safety and non-safety buses from the main generator through the auxiliary transformer; it may also be supplied directly through a startup transformer.

A minimum of two preferred power supply circuits must be provided.

Sources of offsite power other than the grid may also be provided as alternate or backup sources of power.

These may include nearby (or onsite) gas turbine generators, fossil power plants, and hydroelectric power facilities.

A loss of offsite power is said to occur when all sources of offsite power become un-available, causing safety buses to become deenergized and initiating an under-voltage signal.

Some loss-of-offsite power transients will be very short--just long enough to allow switching from one failed source to another available source.

Because of the short duration of this type of loss-of-offsite power transient, it is not of concern relative to station blackout.

This type of loss-of-offsite power transient is better described as an interruption.

How-ever, if switching errors or failures of alternate sources of power compound the situation and longer term repair, restoration, or actuation of alternate power sources is required, the loss-of-offsite power transient can be signifi-cant.

This type of loss-of-offsite power event is referred to as a total loss of offsite power.

Although total loss of offsite power is relatively infrequent at nuclear power plants, it has happened a number of times and a data base of information has been compiled (Wyckoff, May 1986; NUREG/CR-3992).

Historically, a loss of off-site power occurs about once per 10 site years.

The typical duration of these events is on the order of one-half hour.

However, at some power plants the frequency of cffsite power loss has been substantially greater than the average, and at other plants the duration of offsite power outages has greatly exceeded the norm.

Table 3.1 provides a summary of the data on total-loss-of-offsite-power events through 1985.

Because design characteristics, operational features, and the location of nuclear power plants within different grids and meteorological areas can have a significant effect on the likelihood and duration of loss-of-offsite power events, it was necessary to analyze the generic data in more detail.

Figure 3.1 Diagram of offsite power system used in nuclear power plants

Table 3.1 Total losses of offsite power at U.S. nuclear power plant sites, 1968 through 1985

Type of event     Number   Frequency of occurrence (yr^-1)*   Median duration (hours)
Plant-centered    46       0.087                              0.3
Grid              12       0.018                              0.6
Weather           6        0.009                              3.5**
Total             64       0.114                              0.6

* Through December 1985, 664 site years were used to compute the frequency of grid and weather events. Reactor critical site-years totaling 527 for the same period were used to compute the frequency of plant-centered events due to data screening. (See Appendix A.)

** The median value of 3.5 hours was obtained from a two-parameter Weibull curve fit of the data. The actual median is 4.5 hours.

The data have been categorized into plant-centered events and area- or weather-related events.

Plant-centered events are those in which the design and operational characteristics of the plant itself play a role in the likelihood of the loss of offsite power.

Area- or weather-related events include those on which the reliability of the grid or external influences on the grid have an effect on the likelihood and duration of the loss of offsite power.

The data show that plant-centered events account for the majority of the loss-of-offsite power events.

The area or weather related events, although of lesser frequency, typically account for the longer duration outages with storms being the major factor.

Figure 3.2 provides a plot of the frequency and duration of loss-of-offsite power events resulting from plant-centered faults, grid blackout, and severe weather based on past experience at nuclear plant sites.

Appendix A to this report provides a more thorough discussion of the technical bases for the loss-of-offsite power frequency and duration characteristics discussed in the remainder of this section.

Plant-centered failures typically involve hardware failures, design deficiencies, human errors (maintenance and switching), and localized weather-induced faults (lightning and ice), or combinations of these types of failure.

No strong correlation was found between the frequency of plant-centered loss-of-offsite power events and any particular design factor.

However, a modest correlation was observed between the duration of plant-centered loss-of-offsite-power events and the independence and redundancy of offsite power circuits at a site.

Figure 3.2 Frequency of loss-of-offsite power events exceeding specified durations (data series: Total, Plant Centered, Grid, Severe Weather; horizontal axis: DURATION (Hours), 0.1 to 10)

In this regard, it has been observed that a site with several immediate and delayed access circuits will generally recover offsite power more promptly than a site with only the minimum requirements.

However, recovery from the relatively high frequency plant-centered faults can be accomplished within a few hours.

Plant location plays an important role in loss-of-offsite power events.

Factors shown to be significant were (1) the reliability of the grid from which the nuclear power plant draws its preferred power supply and (2) the likelihood of severe weather that can cause damage to the grid distribution system and hence a loss of power to the plant.

Traditionally, analyses have focused on grid reliability as a dominant factor in estimating loss of offsite power at a plant site.

However, a review of the historical data shows that approximately 19% of all loss-of-offsite power events have been caused by grid problems; in fact, a large percentage of grid-related loss-of-offsite power events can be traced to one utility's system.

The grid reliability of that system dominates the data, distorting the perspective on the contribution of grid failure to loss-of-offsite power frequency.

This finding of overall grid reliability should not be unexpected when one recognizes that current distribution and dispatch systems are well coordinated.

Utilities shed loads when possible and generally protect their grid from overloads and faults that could cause grid loss in the various day-to-day operations.

Moreover, when there is a loss of power on the grid, the first activity that is usually undertaken is the restoration of power to the electric generation plants so that the grid may be restored to customers with appropriate power supplies.

In fact, during the Northeast blackout of 1965, power was restored to a nuclear power plant in New England within about one-half an hour of the grid collapse, while power was not restored to the entire grid for 24 hours or more.

With the exception of a few utility systems, large grid disturbances are relatively infrequent, and, again with few exceptions, the duration of power outages at power plants as a result of grid disturbances is relatively short.

An identified weakness in a system is usually corrected as soon as practical; it is the unidentified weaknesses that result in grid failures.

In the absence of a historical trend, operating experience related to grid reliability is not necessarily an indication of future problems unless a known weakness has not been corrected.

Because grids in the United States are generally very stable and system planning is directed at maintaining and improving that stability, grid reliability is usually not the principal indicator of the likelihood of loss of offsite power.

Severe weather, such as local or area-wide storms, can disrupt incoming power supplies to the plant.

In fact, a number of loss-of-offsite power events at nuclear power plants were weather related.

These can be divided into two failure groups:

(1) those in which the weather caused the event but did not affect the time to restore power

(2) those in which the weather initiated the event and caused adverse conditions over a sufficiently broad area such that power was not or could not be restored for a long time

The first group includes lightning and most other weather events that are not too severe.

They can cause a loss of offsite power, but their severity generally does not contribute in any significant way to long-duration losses of offsite power.

These types of weather-related losses of offsite power have been treated as either plant-centered or grid-related losses of offsite power.

The second group includes losses of offsite power as a result of severe weather such as hurricanes, high winds, snow and ice storms, and tornadoes.

The expected loss-of-offsite power frequency of this group is relatively small. On the other hand, the likelihood of restoring offsite power quickly for this group is also relatively small.

Although it is expected that the actions of dispatch and plant personnel can influence substantially the duration of area-wide grid disturbances that cause a loss of offsite power, severe weather conditions--and the expected duration of the resulting loss-of-offsite power events--cannot be influenced in the same way.

Therefore, one would expect severe weather to dominate the restoration characteristics for long-duration outages.

The redundancy, separation, and independence of the offsite power system may affect the likelihood of some weather related losses such as those induced by tornado strikes.

The depth of this study has not been sufficient to show the effectiveness of these design considerations on reducing the likelihood of other types of weather-related outages.

There is a potentially large variation in the annual expected frequency of loss-of-offsite power events at different nuclear power plants, depending on their design and location.

A large variation also has been observed in the duration of loss-of-offsite power events at different nuclear power plants.

The expectation of long-duration outages is dominated by the likelihood of severe storms and, to a lesser extent, by the likelihood of grid blackout and the ability to restore power to the site during grid loss.

Grid-related losses are important only when the frequency of occurrence greatly exceeds the national average.

Appendix A describes the modeling and analyses performed by NRC staff to determine the relationship between design and location and the frequency of and duration of loss-of-offsite power events representative of most U.S. nuclear power plant sites.

Figure 3.3 provides a plot of the expected frequency and duration for loss of offsite power for site, design, grid, and weather characteristics that have been found to "cluster" reasonably well.

The factor that most predominantly affects the characteristic groupings is severe weather.

Table 3.2 provides a definition of the site characteristics that make up the loss-of-offsite-power clusters shown.

Appendix A includes additional discussion of the characteristics of these clusters.

Figure 3.3 Estimated frequency of loss-of-offsite power events exceeding specified durations for representative clusters (curves for offsite power clusters 1 through 5; horizontal axis: DURATION (Hours), 0 to 16)

Table 3.2 Characteristics of some loss-of-offsite power-event clusters that affect longer duration outages

Cluster   Characteristics

1         Sites with demonstrated high grid reliability and multiple sources of offsite power available through independent switchyard circuits and low severe-weather hazards or design features to limit loss of offsite power or hasten recovery from severe-weather events.

2         Sites with demonstrated high grid reliability and low severe-weather hazards or moderate severe-weather hazards with design features to limit loss of offsite power or hasten recovery from severe-weather events.

3         Sites located in moderate to high severe-weather hazard areas and with limited design features to preclude loss of offsite power or hasten recovery from severe-weather events.

4         Sites with known grid reliability problems and low to moderate severe-weather hazards or design features to limit loss of offsite power or hasten recovery from severe-weather events.

5         Sites located in a high severe-weather hazard area and without design features to preclude loss of offsite power or hasten recovery from severe-weather events.

4 RELIABILITY OF EMERGENCY AC POWER SUPPLIES

The emergency AC power system provides an alternate or backup power supply to the offsite power sources.

Figure 4.1 is a simplified one-line diagram of a typical emergency AC power system.

If the offsite power system is lost, an undervoltage condition will exist on the safety buses, causing actuation of the emergency AC power system.

The emergency AC power system provides sufficient functional capability and redundancy of the power requirements for the systems needed to mitigate the consequences of a design-basis accident.

This typically includes a requirement to actuate emergency AC power supplies and make them available for loading within about 10 seconds after receiving an actuation signal.

The emergency AC power system also meets the single-failure criterion when applied to design-basis accidents.

Emergency AC power is generally provided by diesel generator systems, although other sources such as gas turbine generators or hydroelectric power are used at some plants.

Because of the preponderance of diesel generator usage, that power supply type will be the principal focus of emergency AC power system discussions in this report.

Figure 4.2 identifies the typical subsystems and support systems that are needed for successful operation of the emergency diesel generator.

Emergency AC power systems typically consist of two diesel generators, either one of which is sufficient to meet AC power load requirements for a design-basis accident.

This configuration has been designated by its success criterion: one out of two, or more simply, 1/2.

In some cases, three or four or more diesel generators are used at single-unit sites, and in others, diesel generators are shared at multi-unit sites.

These systems also can be described by their success criteria, or number of diesel generators required per number provided.

However, for evaluating the station blackout issue, the success criterion will be defined as the number of diesel generators required to maintain a stable core cooling and decay heat removal condition with all offsite power sources unavailable.

The emergency AC power configurations that exist in the United States have been identified as follows:

(1) Emergency AC power supplies dedicated to one unit: 1/2, 1/3, 1/4, 2/4

(2) Emergency AC power supplies shared between two units: 1/2, 2/3, 2/4, 2/5, 3/5

(3) Emergency AC power supplies shared between three units: 3/8 [1/4 at one unit and 2/4 at 2 units with cross ties between 1 and 2 unit systems]

Figure 4.1 Simplified 1-of-2 onsite AC power distribution system

Figure 4.2 Onsite power system functional block diagram (ESFAS = engineered safety feature actuation system)

Although a closer review of emergency AC power supply requirements may produce some variations on these configurations, they represent a wide variety in system success criteria for reliability evaluations.

The design variability of emergency AC power systems is further complicated by dependencies on certain support systems that, by themselves, have a multitude of designs.

These support systems include cooling systems (air or water), DC power, and heating, ventilation, and air conditioning (HVAC) systems.

Moreover, maintenance and testing activities vary considerably, which can affect the reliability of the emergency AC power system.

Emergency AC power systems can be considered in two separate parts: power supplies and the power distribution system.

In general it has been found that the individual components of the emergency AC power distribution system from the safety (switchgear) buses to the safety components are not significant contributors to the unavailability of AC power in regard to the station blackout issue.

This statement is true because many independent, separate, and diverse distribution system components must fail to cause loss of all AC power to the safety systems.

Although fires and earthquakes have the potential to cause such distribution system failures, these hazards have been studied as separate safety issues, and were not systematically assessed as part of the station blackout issue.

Substantial operating experience data were investigated to identify and estimate important reliability characteristics of emergency diesel generators.

Initially, diesel generator reliability performance information was collected from 45 nuclear power plants with 86 diesel generators (NUREG/CR-2989).

A summary of the emergency diesel generator statistical data collected is provided in Table 4.1a.

In addition, information regarding diesel generator outages and downtime was obtained from responses to TMI Action Plan (NUREG-0737) items from licensees of plants with 58 diesel generators, and more than 1500 licensee event reports (LERs) covering 5 years from 1976 through 1980 were reviewed for failure information.

Analysis of this operating experience showed that, on the average, diesel generators failed to start, load, or continue running approximately 2 times out of every 100 demands.

It was also observed that, during the actual loss-of-offsite power events through 1983, there were 19 instances in which one or more diesel generators failed, operated in a degraded condition, or were otherwise unavailable.

During most of these events, the degraded diesel generators were able to meet minimum performance requirements and failed units were promptly restored to an operable condition.

This information was supplemented with data collected from licensee responses to Generic Letter 84-15 (NUREG/CR-4347) for the years 1981 and 1982.

A more recent EPRI study (Wyckoff, September 1986) has provided emergency diesel generator failure-rate data for the years 1983 through 1985.

Emergency diesel generator failure statistics derived from the EPRI data are shown in Table 4.1b.

Table 4.1a Diesel generator start attempts and failures for tests and actual demands* from NUREG/CR-2989

Start attempt category     No. of demands   No. of failures   Failures per demand   No. of auto-start failures   Auto-start failures per demand   No. unavailable   Unavailability
Test                       13,665           253               0.019                 55                           0.004                                              0.006
Loss of offsite power**    100              5                 0.05                  3                            0.03                             3                 0.03
All emergency demands      539              14                0.026                 5                            0.009                            3                 0.006

Failure to run: 2.4 x 10^-3/hr***

* Summarizing the responses to diesel generator reliability questionnaires based on 45 nuclear power plants, with 86 diesel generators, for operating years 1976 through 1980.

*** Based on 314 attempts at scheduled run time of 6 hours or more with 9 failures to run during these attempts.

Table 4.1b Diesel generator start attempts and failures for tests and actual demands from EPRI study (Wyckoff, Sept. 1986)

Start attempt category   No. of demands   No. of failures   Failure per demand   Unavailable
All                      22,180           260*              0.012
Emergency                424              3                 0.0071
Loss of offsite power    41               1                 0.024                1

Failure to run: 3.2 x 10^-3

* Includes 39 failures identified from LERs and/or categorized as non-failures in EPRI study (Wyckoff, Sept. 1986).

Figures 4.3a and 4.3b provide histograms of emergency diesel generator failures on demand for 1976 through 1982 and 1983 through 1985, respectively.

Although the average failure on demand observed is about 2 x 10^-2, there is a significant spread from the highest to the lowest demand failure rate.

The average failure rate and range have not changed substantially during this period.

However, EPRI data show an average failure rate of 1.2 x 10^-2 per demand.

A review of the data has not identified any particular type of failure as the most dominant.

At least in part, the reasons for this are (1) that there are several different types of diesel generators with different support and auxiliary system designs operating at nuclear power plants, and (2) that maintenance and test activities are not standardized within the nuclear industry.

Figure 4.4 shows the percentage contribution of failure by subsystem.

In general, sufficient information was not available to add high confidence to the correlation of root failure causes with specific design and operational factors.

The data indicate that approximately 80% of the failures are the result of hardware-related problems and 20% are the result of human error.

These statements are not meant to imply that any one particular diesel generator is susceptible to all possible failure modes with equal importance.

It is more likely that a few specific defects may exist, and if these are not discovered and corrected, failures may occur.

The failures observed can be classified into three general types:

(1) design and hardware failures related to mechanical integrity or various failure modes in the diesel generator subsystems, such as fuel, cooling, starting, and actuation

(2) operation and maintenance errors related to the correctness and adequacy of procedures or training, and human factors including the potential for errors of commission and omission

(3) failures that occur in support systems, or at interfaces with support systems and other systems, that can involve DC control power, service (or raw) water cooling, environmental control (air temperature and quality), and interface with the normal AC power system (undervoltage relays)

From 1976 through 1985 there were 145 instances in which multiple diesel generators were simultaneously failed, unavailable, or showed some degradation.

There were 22 instances classified as common cause failures of two or more diesel generators (see Appendix B).

Multiple diesel generator failures can occur when a fault or degradation exists involving a common factor or dependency for two or more diesel generators.

Multiple failures may also occur as a result of design and operating deficiencies similar to those previously mentioned; but in this case degradation or failure occurs concurrently in multiple diesel units.

For instance, a defective crankshaft design may be such that mechanical failure is highly likely to occur after a certain amount of usage.

If two or more diesel generators reach that usage level at nearly the same time, concurrent failures may result.

As another example, defective maintenance procedures and training could result in human errors causing failure or simultaneous outages of two or more diesel units.

Figure 4.3a Histograms showing emergency diesel generator failure on demand for 1976 through 1982 (one panel per year; horizontal axis: PROBABILITY OF FAILURE)

Figure 4.3b Histograms showing emergency diesel generator failure on demand for 1983 through 1985 (one panel per year; horizontal axis: PROBABILITY OF FAILURE, .01 to >.10)

Figure 4.4 Failure contribution by diesel generator subsystem (horizontal axis: SUBSYSTEM)

Another type of common cause failure is related to the existence of single point vulnerabilities.

Examples include a check valve in a header of a cooling water supply, the unrecognized dependence on an obscure single control circuit or element, and the use of common fuel supplies and containers.

Finally, common cause failures can be related to commonality of location with regard to environmental conditions for which adequate protection is not provided.

These conditions can include fire, flood, dust, corrosive elements in the air, or temperature and humidity extremes.

In assessing the reliability of emergency AC power systems, consideration was given to the failure modes, causes, and failure rates derived from the operational data.

Reliability analyses performed by Oak Ridge National Laboratory (ORNL) (NUREG/CR-2989) for 18 nuclear power plant AC power configurations and the plant-specific failure data were applied to derive typical system unavailability estimates.

Figure 4.5 shows a histogram of the onsite AC power results for the 18 plants studied. The results of this work, summarized in Table 4.2, show the diesel generator configuration studied, the calculated range of unavailability on demand, and the dominant failure causes for each group analyzed.

Not surprisingly, for the least redundant system configuration, the independent diesel generator failure likelihood is the most dominant failure factor.

As system redundancy is increased, common cause failures become more important.

Common cause failures involving hardware failure, human error, and dependent system failures were found to be important.

Although, for the most part, power supply outages resulting from testing and maintenance were not found to be large contributors to system unavailability, a few cases were identified in which extensive maintenance outages could cause significant system unavailability.

The quality of test and maintenance procedures, however, can be an important factor affecting system reliability.

Lower than average human-error-related diesel generator failures were observed when procedures were clearly written and had a sufficient level of detail, including complete check lists so operations personnel could verify that normal values were properly indicated after maintenance.

The impact of dependent systems (such as service water cooling and DC power) on the reliability of the emergency AC power system varies from plant to plant.

The ORNL analyses did not go into detail on the reliability of those support systems.

However, failures of dependent systems that affect the emergency AC power system seem to be dominated by single point passive failures or human error.

An unreliable support system can cause an unreliable AC power system.

Because these support and auxiliary systems also tend to be important for the operation of decay heat removal systems--and to some extent for the supply of normal AC power from the offsite power sources--single point vulnerabilities and human error failures in these systems have added importance.

Another potentially important reliability parameter involves the likelihood of a failed power supply (diesel) being restored to an operable state during a loss-of-AC power transient.

A histogram based on emergency diesel generator repair times following a failure is provided in Figure 4.6.

The median repair time is approximately 8 hours.

These data represent an aggregate for all types of failure modes, and, for the most part, they represent repair times during non-emergencies.

Primarily these failures occurred during plant operation, but some occurred during plant shutdown.

They do not include autostart failures.

Figure 4.5 Onsite AC system unavailability for 18 plants studied in NUREG/CR-2989 (histogram; horizontal axis: UNAVAILABILITY)

Table 4.2 Results of onsite power system reliability analysis reported in NUREG/CR-2989

Diesel generator configuration   Range of system unavailability per demand   Dominant failure causes
2 of 3                           4.2 x 10^-3 to 4.8 x 10^-2                  Independent diesel failure; human error CCF*.
1 of 2                           1.1 x 10^-3 to 6.8 x 10^-3                  Independent diesel failure; human error CCF; T&M** outages.
2 of 4                           3.7 x 10^-4 to 1.7 x 10^-3                  Human error and hardware CCF.
1 of 3                           1.8 x 10^-4 to 7.2 x 10^-4                  Human error, hardware, and service water CCF, independent diesel failure; DC power CCF.
2 of 5                           1.4 x 10^-4 to 2.5 x 10^-3                  Human error, hardware, service water, and DC power CCF.

* CCF = common cause failures

** T&M = test and maintenance

Figure 4.6 Percentage of emergency diesel generator failures repaired vs. time since failure (horizontal axis: time since diesel generator failure, hours). Source: NUREG/CR-2989

It is difficult to determine whether these data overestimate or underestimate the diesel generator repair time anticipated during an emergency.

There are reasons to believe that these data overestimate the time required to repair a failed diesel generator during a station blackout.

Because the typical limiting condition for operation (LCO) for a single diesel generator out of service is 72 hours or more, there is no urgency to restore a failed diesel generator as quickly as would be the case during a loss of all AC power.

In addition, the LCO may not have been in force if the plant were shut down when a test failure occurred, which also would have lessened the urgency for repair.

Moreover, if a failure did occur when alternate AC power sources were available, it might be seen as an opportune time to perform other routine maintenance on the failed diesel generator.

Conversely, the repair time could be underestimated by virtue of the confusion that could occur during a station blackout event.

Under stressful conditions, human error is usually higher than it is under normal conditions.

The diesel failure problem would have to be diagnosed, needed equipment would have to be obtained, and correct repair procedures would have to be followed; all this would have to be done under time constraints and pressure, without AC power available.

Also, maintenance and operations personnel resources would be divided between activities for restoring both offsite and emergency power supplies.

In addition to conducting the plant-specific analyses, ORNL constructed generic models for different emergency AC power configurations.

These generic models were used to estimate system reliability as a function of the important characteristics identified in the plant-specific analyses.

Typical system dependencies and nominal values for common cause failures and procedural errors were assumed in the models, and sensitivity analyses were performed to determine the importance of all the factors considered.

Overall, the most important factors tended to be system redundancy and the reliability of emergency diesel generators on demand.

Not surprisingly, it was found that common cause failure is most important in highly redundant system configurations with highly reliable (for independent failure causes) diesel generators.

Based on these considerations, the NRC staff performed additional analyses of emergency AC power system reliability to extend the quantitative results and further explore the sensitivities.

Figure 4.7 shows the effect of varying emergency diesel generator reliability on emergency AC power system reliability for several configurations, both with and without common cause failure.

The sensitivities of system reliability estimates on variations in diesel generator running reliability are shown in Figure 4.8.

Additional results, parametric analyses, and details of the analytical model are provided in Appendix B.
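The comparison described above (unavailability versus diesel generator reliability for several success criteria, with and without common cause failure) can be reproduced in outline with the following added example, which is not part of NUREG-1032 and is not the Appendix B model. It assumes a textbook beta-factor split of each unit's failure probability, and the value beta = 0.05 is constructed for illustration.

```python
"""k-of-n emergency AC unavailability, with and without common cause failure.

Added illustration. The beta-factor model and ASSUMED_BETA are assumptions,
not values or methods taken from the report.
"""
from math import comb

# Success criteria named in the text: (units required, units provided)
CONFIGS = [(2, 3), (1, 2), (2, 4), (1, 3)]
ASSUMED_BETA = 0.05  # constructed value, for illustration only


def independent_unavailability(required, provided, q):
    """P(fewer than `required` of `provided` units work), failures independent.

    q is the per-demand failure probability of one diesel generator.
    """
    if not 0 < required <= provided:
        raise ValueError("need 0 < required <= provided")
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a probability")
    min_failed = provided - required + 1  # this many failures defeat the system
    return sum(
        comb(provided, j) * q**j * (1.0 - q) ** (provided - j)
        for j in range(min_failed, provided + 1)
    )


def system_unavailability(required, provided, q, beta=0.0):
    """Beta-factor model (assumed): a fraction `beta` of each unit's failure
    probability is a common cause event that fails every unit at once."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    q_ccf = beta * q          # all units lost together
    q_ind = (1.0 - beta) * q  # remaining independent failures
    return q_ccf + (1.0 - q_ccf) * independent_unavailability(
        required, provided, q_ind
    )


def ccf_share(required, provided, q, beta):
    """Fraction of system unavailability contributed by the common cause term."""
    total = system_unavailability(required, provided, q, beta)
    return (beta * q) / total if total else 0.0


def sweep(reliabilities, beta=ASSUMED_BETA):
    """Rows of (configuration, EDG reliability, without CCF, with CCF)."""
    rows = []
    for required, provided in CONFIGS:
        for r in reliabilities:
            q = 1.0 - r
            rows.append((
                f"{required} of {provided}",
                r,
                independent_unavailability(required, provided, q),
                system_unavailability(required, provided, q, beta),
            ))
    return rows


if __name__ == "__main__":
    print(f"{'config':8} {'EDG rel.':>8} {'no CCF':>10} {'with CCF':>10} {'CCF share':>10}")
    for name, r, no_ccf, with_ccf in sweep([0.90, 0.94, 0.98, 0.99]):
        k, n = (int(x) for x in name.split(" of "))
        share = ccf_share(k, n, 1.0 - r, ASSUMED_BETA)
        print(f"{name:8} {r:8.2f} {no_ccf:10.2e} {with_ccf:10.2e} {share:10.0%}")
```

With independent failures only, going from 1 of 2 to 1 of 3 at 0.98 reliability lowers unavailability by a factor of 50; with the assumed common cause term the gain shrinks to well under a factor of 2, because the common cause contribution sets a floor that redundancy does not remove.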

Thus, on the basis of a review of operating experience and reliability analyses, the following factors have been identified as being the largest contributors to AC power system unavailability:

(1) the configuration of the diesel generators in terms of the number available and the number required for shutdown cooling

(2) the reliability of diesel generators or other power sources used in the emergency AC power system

Figure 4.7 Generic emergency AC power unavailability as a function of emergency diesel generator (EDG) reliability (curves for emergency AC configurations 2 of 3, 1 of 2, 2 of 4, and 1 of 3, each with and without EDG common cause failure; horizontal axis: EDG reliability, 0.90 to 1.00)

Figure 4.8 Generic emergency AC power unavailability as a function of individual diesel generator running reliability (curves for configurations 2 of 3, 1 of 2, 2 of 4, and 1 of 3, with the base case common cause failure-to-run rate and with a common cause failure-to-run rate of 0; horizontal axis: EDG running reliability, 0.980 to 1.000)

(3) the dependence of the AC power system on support or auxiliary systems used for actuation, control, or cooling

(4) the vulnerability of the AC power system to common cause failure as a result of various design, human error, and internal or external environmental hazards

In general, it has been observed that problems with onsite emergency AC power systems are very plant-specific, and improvement in system reliability would have to be developed on a plant-by-plant basis.


5 STATION BLACKOUT FREQUENCY AND DURATION

There have been several incidents at nuclear power plants that could be classified as precursors to station blackout.

In fact, there have been a few cases in which loss of offsite and emergency AC power supplies occurred simultaneously.

However, none of these events progressed to be a significant safety concern.

Many of these incidents occurred when plants were shut down or during refueling, when station blackout concerns are much reduced and the LCO--in terms of numbers of offsite and emergency AC power supplies available--are reduced.

The lack of a significant number of station blackout events is not surprising when one considers past frequency of loss-of-offsite-power events and the reliability record of emergency AC power systems.

As a result, it has been necessary to estimate station blackout frequency by combining loss-of-offsite-power-event frequency and duration correlations with the emergency AC power reliability models.

(Appendix B describes the methods used to derive station blackout frequency and duration estimates.)

Figures 5.1 through 5.3 give the results of sensitivity analyses performed to determine the effect of design, location, and the reliability of emergency AC power supplies.

Specifically, Figure 5.1 shows the effect of site location and offsite power system design as represented by offsite power clusters 1, 2, 3, and 4. (These clusters are defined in Section 3 and Appendix A.) These clusters were combined with a typical, two-diesel-generator, emergency AC power system with a diesel generator reliability of 0.975.

Cluster 2 is a close representation of the average of nuclear operating experience with regard to the frequency and duration of loss-of-offsite-power events.

Cluster 4 represents sites with relatively high severe-weather hazards and susceptibility to failure from those hazards. Cluster 3 has slightly lower severe-weather hazards than cluster 4.

Cluster 1 represents the combination of the more reliable offsite power design features and sites with low severe-weather hazards or low susceptibility to severe-weather hazards.

The estimated frequency of longer duration station blackouts is dependent on the likelihood of the more damaging and extensive losses of offsite power for which severe-weather hazards have been identified as a principal contributor.

(Note: Seismically induced loss of offsite power has not been included, but could be accounted for through a hazard evaluation and fragility analysis; this consideration is discussed in Section 9.)

Figure 5.2 shows the effect of variations in emergency diesel generator reliability for the typical offsite system (cluster 2) and emergency AC power system (1/2 configuration).

The largest change in frequency per percentile change in diesel generator reliability is obtained when reliability levels are lowest (0.9).

This is somewhat of an artifact of the model in which common cause failure rates are kept constant.

If there were no common cause failure contributions or if common cause failure were correlated with the independent failure rate of diesel generators (and it may be), the frequency reduction could be proportional to the square of the percentile change in diesel reliability for the configuration analyzed.

Figure 5.1 Estimated frequency of station blackout exceeding specified durations for several representative offsite power clusters (1/2 EDG configuration, 0.975 EDG reliability; one curve per offsite power cluster; horizontal axis: blackout duration, 0 to 16 hours)

Figure 5.2 Estimated frequency of station blackout exceeding specified durations for several EDG reliability levels (offsite power cluster 2, 1/2 EDG configuration; curves for EDG reliability 0.9, 0.95, 0.975, and 0.99; horizontal axis: blackout duration, 0 to 16 hours)

Figure 5.3 Estimated frequency of station blackout exceeding specified durations for several emergency AC power configurations (offsite power cluster 2, 0.975 EDG reliability; curves for AC power configurations 2/3, 1/2, 2/4, and 1/3; horizontal axis: blackout duration, 0 to 16 hours)

Figure 5.3 shows the effect of emergency AC power configuration and success criteria on station blackout frequency, using a diesel generator reliability of 0.975 and a generic common cause failure rate.

Again the effect of common cause failures on system reliability is to reduce the difference between the four configurations that would be expected from simple redundancy considerations.

The results of the station blackout sensitivity analyses show that there is a potential for wide variation in frequency and duration, depending on location, design, and reliability.

(Additional results are in Appendix B.)
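The sensitivities described for Figures 4.7, 5.2, and 5.3 (constant common cause failure flattening the benefit of redundancy and of better diesel reliability) can be reproduced with a small k-of-n calculation. The Python below is an added example, not the Appendix B model or any code from the report; it assumes identical EDGs, demand failures only, and a single common cause event that disables all units with constant probability `Q_CC` (a constructed value), and its function names are hypothetical.

```python
from math import comb

# Constructed probability that one common cause event disables every EDG on
# a demand. Illustrative only; this number is not taken from NUREG-1032.
Q_CC = 1e-4

# (EDGs required, EDGs installed) for the four configurations in the figures.
CONFIGS = {"2 of 3": (2, 3), "1 of 2": (1, 2), "2 of 4": (2, 4), "1 of 3": (1, 3)}


def independent_unavailability(k, n, reliability):
    """P(fewer than k of n identical EDGs respond), independent failures only."""
    q = 1.0 - reliability
    # The system fails when more than n - k units fail.
    return sum(comb(n, f) * q**f * (1.0 - q) ** (n - f)
               for f in range(n - k + 1, n + 1))


def system_unavailability(k, n, reliability, q_cc=Q_CC):
    """Independent failures plus an all-units common cause event.

    q_cc is held constant while EDG reliability varies, which is the
    modelling choice the text calls "somewhat of an artifact".
    """
    return q_cc + (1.0 - q_cc) * independent_unavailability(k, n, reliability)


def common_cause_share(k, n, reliability, q_cc=Q_CC):
    """Fraction of system unavailability contributed by the common cause term."""
    return q_cc / system_unavailability(k, n, reliability, q_cc)


def improvement_factor(k, n, r_old, r_new, q_cc=Q_CC):
    """Factor by which unavailability drops when EDG reliability improves."""
    return (system_unavailability(k, n, r_old, q_cc)
            / system_unavailability(k, n, r_new, q_cc))


def spread(reliability, q_cc=Q_CC):
    """Ratio of worst to best configuration at one EDG reliability."""
    values = [system_unavailability(k, n, reliability, q_cc)
              for k, n in CONFIGS.values()]
    return max(values) / min(values)


def unavailability_table(reliabilities=(0.90, 0.95, 0.975, 0.99)):
    """Rows of (config, reliability, without CCF, with CCF, CCF share)."""
    rows = []
    for name, (k, n) in CONFIGS.items():
        for r in reliabilities:
            rows.append((name, r,
                         system_unavailability(k, n, r, q_cc=0.0),
                         system_unavailability(k, n, r),
                         common_cause_share(k, n, r)))
    return rows


if __name__ == "__main__":
    print(f"{'config':8}{'EDG rel.':>9}{'no CCF':>12}{'with CCF':>12}{'CCF share':>11}")
    for name, r, no_ccf, with_ccf, share in unavailability_table():
        print(f"{name:8}{r:>9.3f}{no_ccf:>12.2e}{with_ccf:>12.2e}{share:>11.1%}")
    # Halving the 1/2 failure probability (0.90 -> 0.95 reliability):
    print("1 of 2 gain, no CCF  :", round(improvement_factor(1, 2, 0.90, 0.95, 0.0), 2))
    print("1 of 2 gain, with CCF:", round(improvement_factor(1, 2, 0.90, 0.95), 2))
    print("config spread at 0.975, no CCF / with CCF:",
          round(spread(0.975, 0.0), 1), "/", round(spread(0.975), 1))
```
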


6 ABILITY TO COPE WITH A STATION BLACKOUT

Station blackout is a serious concern because it has a large effect on the availability of systems for removing decay heat.

In both PWRs and BWRs, a substantial number of systems normally used to cool the reactor are lost when AC power is not available.

A loss of offsite power will usually result in the unavailability of the power conversion system and, in particular, an inability to operate the main feedwater system.

Power to reactor coolant system recirculation pumps will also be lost, requiring that natural circulation be used for cooling to shutdown conditions.

When the loss of offsite power is compounded by a loss of the emergency AC power supplies, reactor core cooling and decay heat removal must be accomplished by a limited set of systems that are steam driven, passive, or have other dedicated (or alternate) sources of power.

Unless special provisions are made, the plant will have to be maintained in a "hot" mode (hot shutdown or possibly hot standby) until AC power is restored.

Table 6.1 lists which functions and systems for PWRs and BWRs would be lost and which would remain available during a station blackout event.

Decay heat can be removed successfully, using the AC-independent systems identified, for a limited time, depending on functional capabilities, capacities, and procedural adequacy.

For PWRs, decay heat can be removed by use of a steam-driven or dedicated diesel-driven train of the auxiliary feedwater system (AFWS).

Decay heat would be rejected to the environment by the atmospheric dump valves (ADVs) or, if necessary, by the steam generator relief valves.

Because residual heat removal systems, reactor coolant makeup systems, and systems to control reactivity through boration would be inoperable, the plant must be maintained in a hot condition.

The plant's operating state (primary coolant pressure and temperature) would be maintained by manual operation of the AFWS and atmospheric steam dump valves.

With primary coolant pumps unavailable, reactor core cooling would be achieved through natural circulation.

If the AFWS can remain operable, and if primary coolant inventory can be maintained at a level adequate to maintain the core cooling/heat transport loop to the steam generators, a PWR should be able to stay in this mode of decay heat removal for a substantial period of time.

The amount of time that decay heat removal can be maintained in a PWR is generally limited by primary pressure boundary leakage and the capacity of certain support or auxiliary systems.

The sources of potential leakage include reactor coolant pump seals, unisolated letdown lines, and a stuck-open pilot-operated relief valve (PORV).

With provisions for manual isolation of letdown lines and reduced frequency of PORV demands, the reactor coolant pump seal leakage rate is considered to be a potentially limiting factor for some designs.

If the leakage rate is low (on the order of several gallons per minute) this concern is negligible.

However, if seal leakage is on the order of 100 gpm or more, reactor coolant system inventory depletion will be a factor limiting decay heat removal for an extended period of time.

Table 6.1 Effects of station blackout on plant decay heat removal functions

| Plant type | Functions (systems) remaining | Functions (systems) lost |
|---|---|---|
| PWR | Shutdown heat removal [steam-driven auxiliary feedwater system (AFWS), atmospheric dump valves] | Shutdown heat removal (motor-driven AFWS) |
| | | Long-term heat removal [residual heat removal (RHR)] |
| | Instrumentation and control (DC power/converted AC power, compressed air reservoir) | Reactivity control (chemical volume and control system) |
| | | Reactor coolant system (RCS) makeup [high pressure injection system] |
| | | Pressure and temperature control (pressurizer heaters/spray and pilot-operated relief valves) |
| | | Support systems [service/component cooling water systems; heating, ventilation, and air conditioning (HVAC); station air compressors] |
| BWR 2/3 | Shutdown heat removal (isolation condenser, fire water system) | Long-term heat removal (RHR) |
| | | RCS makeup (low pressure core spray system, feedwater coolant injection system) |
| | Instrumentation and control (DC power/converted AC power, compressed air reservoirs) | Support systems (service/component cooling water systems, HVAC, station air compressors) |
| BWR 4-6 | Shutdown heat removal and RCS makeup (high pressure coolant injection or high pressure core spray/reactor core isolation cooling systems) | Long-term heat removal (shutdown cooling system, low pressure coolant recirculation system, suppression pool cooling system) |
| | Instrumentation and control (DC power/converted AC power, compressed air reservoirs) | Support systems (service/component cooling water systems, HVAC, station air compressors) |


Natural circulation cooldown in PWRs has been successfully demonstrated by actual operating experience.

The process becomes more difficult with AC power unavailable because reactor coolant makeup systems, to accommodate system shrinkage, and pressurizer heaters or sprays, to help control primary system coolant conditions, are inoperable.

Nevertheless, analytical evaluations (Fletcher, 1981) and experimental observations (Adams et al., 1983) show that decay heat removal can be achieved with the operational limitations associated with a station blackout.

In fact, core cooling is expected to preclude core melting even with significant voiding in the primary coolant system if the steam generator is maintained as a heat sink.

To assess station blackout, BWRs have been divided into two functionally different classes: (1) those that use an isolation condenser cooling system for decay heat removal and do not have a makeup capability independent of AC power (BWR-2 and -3 designs), and (2) those with a reactor core isolation cooling (RCIC) system and either a steam-turbine-driven high pressure coolant injection (HPCI) system or high pressure core spray (HPCS) system with a dedicated diesel, any of which is adequate to remove decay heat from the core and control water inventory conditions in the reactor vessel (BWR-4, -5, and -6 designs).

Because BWRs are designed as natural circulation reactors, at least at reduced power levels, the loss of reactor coolant recirculation poses no special consideration.

Moreover, reactivity control during cooldown is adequately maintained by control rod insertion, an action that would occur automatically on loss of all AC power.

The isolation condenser BWR has functional characteristics somewhat like that of a PWR during a station blackout in that normal makeup to the reactor coolant system is lost along with the residual heat removal (RHR) system.

The isolation condenser is essentially a passive system that is actuated by opening a condensate return valve; it transfers decay heat by natural circulation.

The shell side of the condenser is supplied with water from a diesel-driven pump.

However, replenishment of the existing reservoir of water in the isolation condenser is not required until 1 or 2 hours after actuation.

It may also be possible to remove decay heat from this class of BWRs by depressurizing the primary system and using a special connection for a fire water pump to provide reactor coolant makeup.

This alternative would require much greater operator involvement.

Some BWR-3 designs have added an RCIC system, giving makeup capability to the AC power-independent decay heat removal capability of the isolation condenser cooling system.

A large source of uncontrolled primary coolant leakage will limit the time the isolation condenser cooling system can be effective.

If no source of makeup is provided, eventually enough inventory will be lost to uncover the core.

A stuck-open relief valve or the reactor coolant recirculation pump seal are potential sources of such leakage.

When isolation condenser cooling has been established, the need to maintain the operability of such auxiliary and support systems as DC power and compressed air is less for this type of BWR than it is for the PWR.

However, these systems would eventually be needed to recover from the transient.

BWRs with RCIC and HPCI or HPCS can establish decay heat removal by discharging steam to the suppression pool through relief valves and by making up lost coolant to the reactor vessel.

In these BWR designs, decay heat is not removed to the environment, but is stored in the suppression pool.

For this type of BWR design, long-term heat removal in the form of suppression pool cooling or residual heat removal, using low pressure coolant injection and recirculation heat transport loops, is lost during a station blackout.

The time that the plant can be maintained in a safe condition without AC power recovery is determined, in part, by the maximum suppression pool temperature for which successful operation of decay heat removal systems can be ensured both during a station blackout event and when AC power is recovered.

At high suppression pool temperatures (around 200°F), unstable condensation loads may cause loss of containment suppression pool integrity.

Another suppression pool temperature limitation to be considered is the qualification temperature on the RCIC or HPCI pumps to be used during recirculation.

Suppression pool temperatures may also be limited by net positive suction head (NPSH) requirements for pumps in systems required to effect recovery once AC power is restored.

In general, all light-water reactor (LWR) designs include the ability to remove decay heat for some period of time.

The time depends on the capabilities and capacities of support systems, such as the quantity and availability of water required for decay heat rejection, the capacity of DC power supplies and compressed air reservoirs, and the potential degradation of components as a result of environmental conditions that arise when heating, ventilation, and air conditioning (HVAC) systems are not operating.

System capabilities and capacities are normally set so the system can provide its safety function during the spectrum of design-basis accidents and anticipated operational transients, which does not include station blackout.

Perhaps the most important support system for both PWRs and BWRs is the DC power supply.

During a station blackout, unless special emergency systems are provided, battery charging capability is lost.

Therefore, the capability of the DC system to provide power needed for instrumentation and control can be a significant time constraint on the ability of a plant to cope with a station blackout.

DC power systems are generally designed for a certain capacity in the event of a design-basis accident with battery charging unavailable.

However, the system loads required for decay heat removal during a total loss of AC power are somewhat less than the expected design-basis accident loads on the DC power system.

Therefore, most DC power systems in operation today have the capacity to last longer during a station blackout than they would be expected to last during a design-basis accident.

Another important factor in regard to decay heat removal during station blackout is the capacity of the condensate storage tank.

Normally, this tank contains a sufficient amount of water to cool the reactor until the RHR system can be placed in operation.

Because the RHR system is not available when all AC power is lost, the ability to cope with station blackout is a function of the condensate storage tank capacity.

The ability to provide makeup to the condensate storage tank with systems and/or components that are independent of station AC power would extend this potentially limiting factor.

Also, during a station blackout, there may be need to operate some pneumatic valves, such as a steam dump valve.

Because AC power is not available, the station air compressors will be lost.

For this reason, local air reservoirs are normally provided to permit the valves to be operated for a limited number of cycles.

After the air supply is exhausted, these valves may have to be operated manually by the operations staff, or additional portable air tanks would have to be connected.


During a station blackout, normal plant HVAC would be unavailable.

The equipment needed to operate during a station blackout and that required for recovery from a station blackout would have to operate in environmental conditions (e.g., temperature, pressure, humidity) that could occur as a result of the blackout.

Otherwise, failures of necessary equipment could lead to loss of core cooling and decay heat removal during the blackout or failure to recover from the event when AC power is restored.

The instrumentation and control elements of components required during station blackout are the most likely to be impacted by adverse environments.

However, only limited equipment in the control room would have to be operable, thus limiting equipment-generated heat loads in that location. The same would be true for equipment in auxiliary buildings and inside containment, although sensible heat from pre-existing sources could be considerable.

For control rooms and auxiliary buildings, opening doors should allow enough heat to escape to maintain equipment in an acceptable operating environment.

Temperature-sensitive equipment located in normally enclosed cabinets that rely on HVAC systems to remove heat generated during normal operation could be subject to failure or degradation unless ventilation is provided.

Most equipment in containment is designed to function in the more limiting environment associated with a design-basis loss-of-coolant accident, and therefore, could be expected to function during a station blackout.

Table 6.2 summarizes the design-related factors that have been identified as potentially limiting the capability of LWRs to cope with a station blackout.

Actions necessary to operate systems that are needed to establish and maintain decay heat removal and fully recover from a station blackout would not be routine.

The operator would have somewhat less information and operational flexibility than is normally available during most other transients requiring reactor cooldown.

On the other hand, the loss of all AC power is an easily diagnosed occurrence, although it is not always easily corrected.

Operational staff activities would have to be directed at both reactor decay heat removal requirements and the restoration of AC power.

These activities would include manual operations within the control room to control the rate of core decay heat removal and special operations outside the control room.

The latter would include repairing failed components, isolating sources of reactor coolant leakage, conserving DC power through load stripping, making available alternate makeup water supplies, hooking up compressed air bottles, and possibly starting local manual operation of some components.

The success of these activities would require preplanning, training, and procedures.

In addition, adequate lighting and communication would be required.

Where local access is necessary, security and working environment (pressure, temperature, humidity, and radiation) could be limiting factors.

In PWRs, operators must control the rate at which the AFWS removes heat from the steam generators to maintain the proper pressure and temperature balance within the primary coolant system.

This balance then allows adequate natural circulation and the maintenance of adequate water level in the pressurizer. Although analytical and experimental evidence suggests that natural circulation and adequate decay heat removal can be maintained when pressurizer level is lost (and, in fact, when a two-phase flow mixture exists in the reactor coolant system up to the point the reactor core is uncovered), these conditions would complicate the recovery process and add to the difficulty of operator recovery actions.


Table 6.2 Possible factors limiting the ability to cope with a station blackout event

| Limiting factor | PWR | BWR 2/3 | BWR 4/5/6 |
|---|---|---|---|
| RCS¹ pump seal leakage | X | X | |
| RCS letdown/makeup and water chemistry control lines | X | X | |
| Stuck-open relief valve | X | X | |
| DC battery capacity (instrumentation and control) | X | X | X |
| Compressed air (valve control) | X | X | X |
| Decay heat removal water supply (condensate, firewater) | X | X | X |
| Operating environment (temperature): | | | |
| Control room (instrumentation and control) | X | X | X |
| Containment (suppression pool, wetwell, drywell) | | | X |
| Auxiliary building | X (AFWS² room) | | X (HPCI³/RCIC⁴ room) |

¹RCS = reactor coolant system.

²AFWS = auxiliary feedwater system.

³HPCI = high pressure coolant injection.

⁴RCIC = reactor core isolation cooling.


In BWRs, the isolation condenser appears to need less operator attention. However, operators would have to ensure that automatic depressurization does not occur and that the makeup system to the isolation condenser is operating properly within approximately 2 hours of the loss of AC power. In BWRs with HPCI or HPCS and RCIC, the operator must control pressure and the level of reactor coolant in the vessel.

This requires actuation of makeup and relief systems.

In all LWRs, operators would have to be prepared to deal with the effects of the loss and restoration of AC power on plant control and safety system set points to limit additional transient complications and ensure operability of AC powered cooling systems.


7 ACCIDENT SEQUENCE ANALYSES

Accident sequence analyses have been performed to determine the accident progression characteristics (Fletcher, 1981; NUREG/CR-1988; Schultz and Wagoner, 1982; and NUREG/CR-2182) and likelihood (NUREG/CR-3226) of a station blackout.

Using fault trees and event trees, these analyses have identified functional and system failure characteristics of accident sequences.

Reactor coolant system transient response analyses were used (1) to determine the capability of a plant to cope with station blackout and (2) for potentially important functional failures during a station blackout, to estimate how much time would be available for AC power recovery before core damage and core melt.

Considering the decay-heat removal system capability requirements and the associated systems' reliability, failure modes, and failure causes, three phases of a station blackout transient were identified.

The first phase includes the need for promptly actuating decay heat removal systems and the potential for a station-blackout-induced loss-of-coolant accident (LOCA), either of which can result in a loss of core cooling within Ils to 2 hours.

The second phase lasts up to approximately 8 to 12 hours and includes operational limitations in the capability of continued decay heat removal considering limited capacities (such as DC power, condensate storage tank) or interactive failure [for example, high temperature effects due to loss of heating, ventilation, and air conditioning (HVAC)], and the potential for reactor coolant loss (such as through pump seal leakage).

During this period, the running reliability of the system is less important than the successful initial actuation of the AC-independent decay heat removal systems.

The third phase involves the need to eventually recover AC power and establish a stable, controllable mode of decay heat removal.

As discussed above, considering the systems and functions available for the different PWR and BWR designs resulted in the development of three event trees for the identification of station blackout accident sequences.

Figure 7.1 shows the event tree for PWRs; Figure 7.2 shows it for BWRs that use an isolation condenser; and Figure 7.3 for BWRs that have AC-independent makeup systems [reactor core isolation cooling (RCIC), high pressure core spray (HPCS), and high-pressure coolant injection (HPCI)].

The event trees are characterized not only by the systemic and functional considerations important to station blackout accident sequences, but also by the phases of the transient that would affect the plant response and system operability for station blackouts of various durations.

The event trees show the loss of all AC power as the initiating event and proceed through decay heat removal, reactor coolant inventory (integrity), and restoration of AC power to enable operation of the normal decay heat removal and makeup systems.

The accident sequence logic is similar for PWRs and those isolation-condenser BWRs that do not have the capability to make up lost reactor coolant during a station blackout.

These plants are susceptible to degraded core cooling as a result of relatively small losses of reactor coolant. The accident sequence logic is somewhat different for BWRs with reactor coolant makeup available during a station blackout.

Figure 7.1 Generic PWR event tree for station blackout (sequence outcomes OK or CD, with small-LOCA branches). Source: NUREG/CR-3226

Figure 7.2 [event tree for BWRs that use an isolation condenser; figure and caption illegible]

Figure 7.3 Generic BWR event tree for station blackout (BWR-4, 5, or 6) (sequence outcomes OK or CD, with small-LOCA branches). Source: NUREG/CR-3226

Most losses of reactor coolant caused by station blackout can be accommodated by the available reactor coolant injection systems.

Reactor coolant loss equivalent to that lost because of a stuck-open relief valve can be accommodated by the RCIC systems.

The HPCI or HPCS system can provide adequate makeup to cope with larger leaks.

All of the LWRs encompassed by the accident logic models are subject to the operational limitations for the longer duration blackouts as described previously in Section 6.

The event trees end with a sequence outcome state designated as "OK," meaning that stable, long-term core cooling is achieved or achievable, or "CD," meaning that an inadequate core cooling state is reached and some reactor core damage can be expected.

For the latter case, core damage can be expected to proceed to core melt if effective and timely measures to restore AC power and core cooling are not taken or available.

The potential difference between an accident sequence that ends in core damage and one that leads to core melt is determined by evaluating the likelihood of restoring core cooling and the cooling effectiveness from the onset of core damage to the time when irrevocable core melting has begun.

This latter time in the accident sequence progression is not well known because there are significant uncertainties in the modeling of core melt phenomena.

It has been estimated that the time between the onset of core damage and time that a core melt would penetrate the reactor vessel is on the order of 1 to 3 hours (NUREG/CR-1988, -2128).

Considering the low probability that AC power would be restored during this time period and the uncertainty in modeling this accident process, including the ability to terminate a core melt in progress, it has been assumed that core melt would be the likely final outcome in accident sequences that progress to core damage.

Detailed plant transient response analyses were performed to cover the spectrum of sequences identified in the event trees (NUREG/CR-2181).

The purposes of this work were (1) to better understand accident progression characteristics re-lated to the timing of events and physical parameter values during the transient, and (2) to determine success states for systems, trains, components, and opera-tor actions during station blackout sequences.

The sequences were divided into three groups:

(1) failure of AC-independent decay heat removal with reactor coolant leakage less than Technical Specification upper limits (2) failure of reactor coolant system integrity (liquid or steam leaks) with AC-independent decay heat removal systems operable (3) failure of AC-independent decay heat removal systems with loss of reactor coolant system integrity Variations in system failure and actuation a me, reactor coolant leak rate, and operator actions were analyzed to determine both the potential for sequence outcomes with adequate (or inadequate) core cooling and the time in which AC power must be recovered to avoid core damage.

Table 7.1 shows the estimated time of core uncovery for station blackout se-quences with AC-independent decay heat removal systems not available.

Plants with Babcuck and Wilcox (B&W)-type nuclear steam supply systems (NSSS), which have a small steam generator secondary water inventory and, thas, the smallest heat capacity, would require the most prompt recovery to avoid core damage for this particular sequence.

For these plants, core uncovery was estimated to occur within 1 hour.

Table 7.1 Estimated time to uncover core for station blackout sequences with initial failure of AC-independent decay heat removal systems and/or reactor coolant leaks

Sequence Core uncovery time (seconds)

PWRs B&W CE W

AFW failure 2715 6200 5800 5040 Stuck-open PORV 3190 1

27950 100 gpm total leak 21070 rate from reactor l

coolant pump seals 4800 AFW failure and 2480 stuck-open PORV

BWRs GE

HPCI/RCIC failure 2300

HPCI/RCIC failure and stuck-open SRV 1680

Source: Fletcher, 1981

For plants with Westinghouse or Combustion-Engineering NSSS designs, core uncovery would take about.' hours, as it would for a BWR-4 plant.

Figure 7.4 shows how the core uncovery time is extended for sequences in which decay heat removal is initially successful but fails later during the accident.

Estimates of the time core uncovery would take with a stuck-open relief valve and other types of reactor coolant leakage are also provided in Table 7.1.

For BWRs with RCIC available (or HPCI or HPCS), adequate reactor coolant makeup is provided to maintain core cooling even with a stuck-open relief valve.

The core uncovery time for PWRs would not be significantly shortened if a relief valve sticks open coincident with the loss of the steam turbine-driven train of the auxiliary feedwater system (AFWS).

This is because loss of the AFWS for decay heat removal usually results in primary system pressure relief, which removes decay heat almost equivalent to the energy loss of a stuck-open relief valve with AC-independent decay heat removal available.

If a relief valve sticks open in a BWR without RCIC or in cases when the AC-independent decay heat removal systems are unavailable, the core uncovery time would be somewhat shortened.

Figure 7.4 Time to core uncovery as a function of time at which turbine-driven auxiliary feedwater train fails. Curves shown for Westinghouse and B&W plants, plotted against time of failure of turbine-driven AFW (hours), assuming loss of offsite power, failure of all diesel generators, technical specification leakage, and turbine-driven auxiliary feedwater (AFW) that initially operates then fails at a later time.

Source: Fletcher, 1981.

Complete accident progression analyses have been performed for several key station blackout sequences starting with the loss of offsite power through to core melt and containment failure.

A time line presentation of a PWR sequence in which AFWS operation is initially successful but fails several hours into the transient is provided in Figure 7.5.

Station blackout occurs at zero hours (t0).

After the initial fluctuations in reactor coolant system pressure, core outlet temperature, pressurizer level, core flow, and steam generator level, a relatively stable period of decay heat removal with primary coolant natural circulation follows.

When AFW makeup to the steam generator becomes unavailable in about 6 hours (t1), the steam generator level begins to drop, causing decreased heat transport from the primary coolant system.

As the steam generator dries out and heat transfer to the secondary system ceases, reactor coolant pressure and core outlet temperature rise.

The reactor coolant temperature increase combined with some voiding causes the pressurizer level to rise, and there is relief to the containment.

Continued voiding in the primary system affects natural circulation flow, but core cooling is adequate to prevent melting until the core is uncovered (t2) at about 9 hours.

At this point, the pressurizer level has dropped because most of the primary system is voided.

Within about 2 more hours (t3) the core has melted and penetrated the reactor vessel, causing a containment pressure and temperature spike because of the rapid influx of steam and noncondensable gases from the melt.

If containment survives that spike, the continued release of decay heat and the generation of combustible and non-combustible gas will continue to load the containment.

Containment failure by overpressure in this sequence occurs about 19 hours into the accident (t4).

Figure 7.6 shows a BWR station blackout accident sequence progression.

In this scenario for a BWR with Mark I containment, station blackout occurs at time zero (t0).

The reactor coolant system pressure and level are maintained within limits by RCIC and/or HPCI and relief valve actuations, which also transfers decay heat to the suppression pool.

Both the suppression pool and drywell temperature begin to rise slowly; the latter is more affected by natural convection heat transport from the hot metal (vessel and piping) of the primary system.

After 1 hour, when AC power restoration is not expected, the operator begins a controlled depressurization of the primary system to about 100 psi.

This also causes a reduction in reactor coolant temperature from about 550°F to 350°F, which will reduce the heat load to the drywell as primary system metal components are also cooled.

The suppression pool temperature increase is only slightly faster than it would have been without depressurization.

Drywell pressure is also slowly increasing.

At about 6 hours (t1), DC power supplies are depleted, and HPCI and RCIC are no longer operable.

Primary coolant heatup follows, with increases in pressure and level until the safety-relief valve set point is reached.

Continued core heatup causes continued release of steam; this eventually depletes the primary coolant inventory to the point that the level falls and the core is uncovered, about 2 hours after loss of makeup (t2).

Core temperature then begins to rise rapidly, resulting in core melt and vessel penetration within another 2 or 3 hours (t3).

During the core melt phase, containment pressure and temperature rise considerably so that--nearly coincident with vessel penetration--containment failure occurs, either by loss of electrical penetration integrity (shown at t4) or by containment overpressure shortly thereafter, around 11 hours into the accident.

Figure 7.5 PWR station blackout accident sequence (delayed failure of AFWS or DC power depletion). Traces plotted against time (hrs): reactor coolant system pressure, pressurizer level, core flow, core outlet temperature, steam generator level, containment pressure, containment temperature.

Time Sequence event

t0 Loss of all AC power

t1 AFWS fails (or DC power depleted)

t2 Core uncovery begins

t3 Reactor vessel penetration

t4 Containment failure

Figure 7.6 BWR station blackout accident sequence (RCIC/HPCI available, controlled depressurization). Traces plotted against time (hrs): reactor vessel pressure, reactor vessel level, core temperature, suppression pool temperature, drywell temperature, drywell pressure.

Time Sequence event

t0 Loss of all AC power

t1 DC power (batteries) depleted

t2 Core uncovery begins

t3 Reactor vessel penetration

t4 Containment failure

Estimates of the likelihood of these accident sequences were made to identify the potentially dominant contributors to the station blackout accident sequences (NUREG/CR-3226).

Table 7.2 summarizes the results for the typical PWR and BWR.

These results have been modified to account for better estimates of loss of offsite power frequency and duration derived since NUREG/CR-3226 was completed (see Appendix A).

In addition to identifying the dominant accident sequences and their likelihoods, the table also shows the major factors affecting the accident sequence frequency.

For PWRs, an important contributor to the estimate of the likelihood of core damage is the ability to restore AC power before the DC power needed to run the auxiliary feedwater system is lost or the condensate storage tank supplies are depleted.

Another important contributor is the integrity of the reactor coolant system considering potential leaks from the reactor coolant pump seals following a station blackout.

If reactor coolant pump seals leak and there is no way to supply makeup water to the reactor coolant system, the core will be uncovered.

If reactor coolant pump seal leakage is large (more than 100 gpm per pump), the core could be uncovered within a few hours.

Smaller leak rates (a few gpm per pump) are not a limiting factor.

Adequate coolant inventory would be available to allow continued core cooling for a day or more without the need for makeup if other limitations (e.g., DC power) did not exist.

The analyses performed for this program (NUREG/CR-3226) showed the reactor core was uncovered in approximately 8 hours, using the reactor coolant seal leakage information currently available (a leak rate of about 10 to 20 gpm per pump).

For BWRs with isolation condensers, a similar dominant failure mode exists. The failure of the DC power system is less important because the isolation condenser system operates passively once it is activated; little operator action is necessary thereafter.

However, reactor coolant pump seal failure could cause depletion of reactor coolant inventory and, because the isolation condenser BWR typically does not have an AC power-independent makeup system, the reactor core could be uncovered.

This sequence was estimated to result in core damage in about 8 to 12 hours.

BWRs with HPCI and RCIC are capable of coping with reactor coolant system leaks equivalent to that resulting from a stuck-open relief valve.

However, they are subject to the effects of DC power depletion and other interactive failures associated with the lack of the ventilation system to maintain HPCI and RCIC room temperature, and suppression pool heatup phenomena that can result in a loss of core cooling in about 8 to 12 hours.

For this type of plant, unattenuated suppression pool temperature increases during a station blackout transient can be a problem because of the potential for unstable condensation phenomena.

These phenomena could cause containment structural failure, with the potential for subsequent loss of reactor coolant from the suppression pool resulting in loss of recirculation capability.

However, recent test data provided by General Electric in support of the BWR Owners Group suggest there is no unstable condensation regime (General Electric Topical Report NEDO-30832).

Perhaps more important is the effect that high suppression pool temperature would have on HPCI pumps during recirculation.

These pumps are not usually qualified for operation with fluid temperatures in excess of 160°F.

In addition, NPSH requirements may not be satisfied if suppression pool temperatures exceed 200°F.

Table 7.2 Summary of potentially dominant core damage accident sequences

Generic plant | Sequence | DHR system/component contributors | Time in which AC power must be recovered to avoid core damage, hr | Typical core damage frequency

PWR (all) | TML1B1 | Steam driven AFWS unavailable | |

PWR (all) | TML2B2 | DC power or condensate exhausted | 4 to 16 | 1 x 10^-5

PWR (all) | TMQ2B2 | Reactor coolant pump seal leak | 4 to 16 | 1 x 10^-5

BWR w/isolation condenser | TMU1B3 | Isolation condenser unavailable | 1 to 2 | 2 x 10^-6

BWR w/isolation condenser | TMQ1B1 | Stuck-open relief valve | 1 to 2 | 3 x 10^-6

BWR w/isolation condenser | TMQ2B2 | Reactor coolant pump seal leak | 4 to 16 | 2 x 10^-5

BWR w/HPCI-RCIC | TMU1B1 | HPCI/RCIC unavailable | 1 to 2 | 2 x 10^-6

BWR w/HPCI-RCIC | TMU2B2 | DC power or condensate exhausted, component operability limits exceeded (HPCI/RCIC) | 4 to 16 | 2 x 10^-5

BWR w/HPCS-RCIC | TMU1B3 | HPCS/RCIC unavailable | 1 to 2 | 5 x 10^-7

BWR w/HPCS-RCIC | TMU3B1 | HPCS unavailable, DC power or condensate exhausted, component operability limits exceeded (RCIC) | |

For BWRs with HPCS, which has its own AC and DC power systems, both the effects of depletion of the DC supply and reactor coolant leakage are minimal contributors to sequence core melt probability.

However, suppression pool temperature limitations may cause some equipment operability problems during longer duration station blackouts.

In all of the accident sequences evaluated for this program, the early failure of decay heat removal because of the initial unreliability of these systems was a relatively small, but not insignificant, contributor to core melt frequency.

This is not surprising, because, since the accident of Three Mile Island Unit 2 (TMI-2), most nuclear power plants have been required to have at least one AC-power-independent decay heat removal train available.

However, very little has been done at nuclear power plants to determine the capability and reliability of systems during a sustained loss of AC power.

Thus, it is not inconsistent that most of the dominant failure modes that have been identified are associated with the inability to operate decay heat removal systems because of support system failures or capacity limits on support and auxiliary systems needed to maintain decay heat removal during station blackout.

With the consideration of containment failure, station blackout events can represent an important contributor to reactor risk.

In general, active containment systems are unavailable during a station blackout event.

These systems are usually required for pressure suppression through steam condensation to maintain the containment pressure below the appropriate limits and for the removal of radioactivity from the containment atmosphere following an accident. The time to containment failure after the onset of core damage and the containment failure mode is an important factor in determining fission product release and ultimately public risk.

Table 7.3 summarizes containment failure insights derived from the analyses performed for the severe accident research program at the NRC (NUREG-1150).

It shows the different types of containment, the estimated time of containment failure following the onset of core damage, and the consequences of containment failure resulting from a station blackout accident.

For the large, dry PWR containment, long-term failure (by overpressure or basemat meltthrough) or no failure is more likely than early failure.

The potential for early failure is principally associated with uncertainties in the phenomena related to "direct containment heating," as discussed in draft NUREG-1150.

Because of its smaller volume and pressure capacity, the PWR ice condenser containment is less capable in handling steam or hydrogen combustion loads during station blackout accidents.

In NUREG/CR-3226, it was estimated that the containment would fail in about 1 or 2 hours for several possible reasons including hydrogen burn, steam pressure spike, or containment overpressure as a result of noncondensables and noncondensed steam.

The recent analyses show a lesser likelihood of containment failure.

Analyses performed as part of the Industry Degraded Core Rulemaking Program (IDCOR, 1984) show containment failure times of more than 1 day and significant reductions in perceived consequences.

The BWR Mark I and II containments offer some pressure suppression capability during a station blackout accident, but after a core melt, they may fail by one of several modes.

Because of the small size of these containments, direct contact of molten core material with the containment wall has been identified as a potential failure mode.

In addition, temperature-induced failure of penetrations or the steel containment structure has been identified as a potential threat.

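Table 7.3 Containment performance and consequence results for station blackout accident sequences

Plant | Sequence | Failure mode | Probability, mean | Probability, range | Timing (hr) | Population dose, mean | Population dose, range

Surry | Station blackout w/ seal LOCA (SNNN) | Early | 0.3 | 0-1 | 3 | 1E+07 | 4E6-2E7
Surry | Station blackout w/ seal LOCA (SNNN) | Late | <0.01 | | | |
Surry | Station blackout w/ seal LOCA (SNNN) | Basemat melt-through | 0.3 | 0-0.4 | >24 | 2E+04 |
Surry | Station blackout w/ seal LOCA (SNNN) | None | 0.37 | 0.01-0.6 | N/A | 2E+04 |
Surry | Station blackout no seal LOCA (THNN) | Early | 0.3 | 0-0.9 | 3 | 1E+07 | 4E6-2E7
Surry | Station blackout no seal LOCA (THNN) | Late | <0.01 | | | |
Surry | Station blackout no seal LOCA (THNN) | Basemat melt-through | 0.2 | 0-0.5 | >24 | 2E+04 |
Surry | Station blackout no seal LOCA (THNN) | None | 0.4 | 0-0.9 | N/A | 2E+04 |
Zion | Station blackout w/ seal LOCA (SE) | Early | 0.3 | | 2 | 3E+07 |
Zion | Station blackout w/ seal LOCA (SE) | Late | 0.5 | | 15 | 1E+07 |
Zion | Station blackout w/ seal LOCA (SE) | Basemat melt-through | 0.16 | | >24 | 3E+04 |
Zion | Station blackout w/ seal LOCA (SE) | None | <0.01 | | N/A | |
Zion | Station blackout no seal LOCA (TEC) | Early | 0.2 | | 3 | 3E+07 |
Zion | Station blackout no seal LOCA (TEC) | Late | <0.01 | | | |
Zion | Station blackout no seal LOCA (TEC) | Basemat melt-through | <0.01 | | | |
Zion | Station blackout no seal LOCA (TEC) | None | 0.7 | | N/A | 3E+04 |
Sequoyah | Station blackout w/ seal LOCA (S2NNNN) | Early | 0.56 | | 2 | 5E+06 |
Sequoyah | Station blackout w/ seal LOCA (S2NNNN) | Late | 0.4 | | | 2E+06 |
Sequoyah | Station blackout w/ seal LOCA (S2NNNN) | None | 0.03 | | N/A | 1E+04 |
Sequoyah | Station blackout no seal LOCA (TNNNN) | Early | 0.56 | | 3 | 5E+06 |
Sequoyah | Station blackout no seal LOCA (TNNNN) | Late | 0.4 | | | 2E+06 |
Sequoyah | Station blackout no seal LOCA (TNNNN) | None | 0.01 | | N/A | 1E+04 |
Peach Bottom | Station blackout--slow (6-hr battery depletion) (TB) | Early | 0.6 | 0.01-0.8 | 12 | 2E+07 | 3E6-4E7
Peach Bottom | Station blackout--slow (6-hr battery depletion) (TB) | Late | 0.3 | 0.1-0.6 | 15 | 7E+06 | 2E6-1E7
Peach Bottom | Station blackout--slow (6-hr battery depletion) (TB) | None | 0.1 | 0.05-0.2 | N/A | 1E+04 |
Peach Bottom | Station blackout--fast (TBU/TBUX) | Early | 0.6 | 0.01-0.8 | 3 | 2E+07 | 3E6-4E7
Peach Bottom | Station blackout--fast (TBU/TBUX) | Late | 0.3 | 0.1-0.6 | 6 | 7E+06 | 2E6-1E7
Peach Bottom | Station blackout--fast (TBU/TBUX) | None | 0.1 | 0.05-0.2 | N/A | 1E+04 |
Grand Gulf | Station blackout--slow (6-hr battery depletion) (TB) | Early | 0.3 | 0.25-0.4 | 12 | 9E+05 | 1E5-8E6
Grand Gulf | Station blackout--slow (6-hr battery depletion) (TB) | Late | 0.6 | 0.5-0.7 | | 6E+05 | 1E5-2E6
Grand Gulf | Station blackout--slow (6-hr battery depletion) (TB) | None | 0.1 | 0.05-0.15 | N/A | 3E+05 |
Grand Gulf | Station blackout--fast (TBU/TBUX) | Early | 0.3 | 0.25-0.4 | 3 | 7E+05 | 1E5-8E6
Grand Gulf | Station blackout--fast (TBU/TBUX) | Late | 0.6 | 0.5-0.7 | | 5E+05 | 1E5-2E6
Grand Gulf | Station blackout--fast (TBU/TBUX) | None | 0.1 | 0.05-0.15 | N/A | 3E+05 |

* Dependent on timing of power restoration, spray operation, and hydrogen burning.

NOTE: N/A = not applicable.

Absent effective containment venting strategies during station blackout, overpressure of the containment has also been predicted within 5 to 15 hours.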

(IDCOR estimates a Mark I containment will fail in about 18 hours as a result of temperature loadings.) Because these containments are generally inerted, hydrogen burn is not considered a likely failure mode.

For Mark III containments, which are low pressure, large volume containments, failure in about 20 hours has been estimated in NUREG-1150 analyses for late overpressure scenarios not involving hydrogen combustion.

The IDCOR estimate is 47 hours for this type of containment failure.

One item of interest should be noted for both the ice condenser containment and the Mark III containment, where hydrogen ignitors must be installed to meet hydrogen rule requirements and the post-Construction Permit Manufacturing Licensee (CPML) rule.

For these containments, there is the potential that an inactive ignitor could be turned on following the restoration of AC power at a time when the hydrogen concentration is essentially at an explosive level.

This consideration has been accounted for in the probability and consequence estimates shown in Table 7.3.

However, this potential problem can be addressed and somewhat suppressed through proper procedures and by instructing the operators on how to control the hydrogen burning with ignitor systems following the restoration of AC power.

Substantial uncertainties exist regarding containment performance during a core melt accident.

Based on the best information available at this time, it can be seen that station blackout accidents can potentially result in substantial consequences.

However, the reader is cautioned that there are some technical disagreements between NRC and IDCOR and that ongoing research could cause revision of these recent findings.


8 EVALUATION OF DOMINANT STATION BLACKOUT ACCIDENT CHARACTERISTICS

The important factors that affect the probability of station blackout accidents have been identified on the basis of the previous work presented on dominant station blackout accident sequences.

The principal parts of the station blackout sequence include:

the likelihood or frequency of loss of offsite power; the probability that the emergency or onsite AC power supplies will be unavailable; the capability and reliability of decay heat removal systems that must function during a loss of AC power; and the likelihood that a source of offsite power will be restored before the core is damaged as a result of the loss of core cooling and the failure of systems that cannot operate without AC power.

Reactor type, by itself, has not been found to be a dominant factor in determining likelihood of core damage as a result of station blackout because the capabilities of auxiliary and support systems needed for decay heat removal during station blackout can vary considerably (and still meet current safety requirements).

The important factors in determining the likelihood of core damage as a result of station blackout are reliability of the AC power system (offsite and onsite) and the performance of these auxiliary systems (DC power, compressed air), as well as such plant characteristics as pump seal design, natural circulation capability, and suppression pool temperature effects.

Because of these differences, core damage frequency estimates for station blackout accident sequences could vary considerably.

Therefore, the NRC staff analyzed the sensitivity of core damage frequency estimates to design variations different from the reference plant analyses performed by Sandia National Laboratories (NUREG/CR-3226).

The models used were based on insights obtained from previous studies; they are described in Appendix C.

Station blackout sequences were divided into two groups.

The first included sequences involving the failure of AC-independent decay heat removal and, for plants without AC-independent makeup, loss of reactor coolant integrity at the onset of or soon after a station blackout.

For these early core cooling failure sequences, AC power must be restored in 1 or 2 hours to avoid core damage and ultimately core melt.

The second group of sequences identified included failures during an extended station blackout of 4 to 8 hours or more. These failures include a smaller rate of reactor coolant loss, support system capacity limitations (e.g., batteries, makeup water inventory, compressed air), and other station blackout capability limitations in decay heat removal systems (e.g., natural circulation and suppression pool temperature limitations).

Several sensitivity analyses have been performed by NRC staff to evaluate variations in LWR plant designs for both decay heat removal capability and system reliability, including offsite power.

Because the ability to cope with a station blackout may vary considerably, results are provided to show the effect of limitations in maintaining decay heat removal during station blackouts of 2 to 16 hours.

First, Figure 8.1 shows the sensitivity to offsite power system design and location as represented by different offsite power groups (clusters).

The importance of higher frequency and long-duration losses of offsite power can be seen.

It is also worthwhile to note that the highly reliable (redundant) AC-independent decay heat removal systems provide added value when ability to cope for long durations exists and very low core melt frequencies are estimated.

Figure 8.1 Sensitivity of estimated station blackout--core damage frequency to offsite power cluster, AC-independent decay heat removal reliability, and station blackout coping capability. Plot conditions: 1/2 AC configuration, 0.975 EDG reliability; curves by offsite power cluster for 1-train and 2-train AC-independent DHR systems; horizontal axis: station blackout capability (hours).

Figure 8.2 shows the relationship between various emergency diesel generator reliability levels and estimated core damage frequency.

A combination of reasonably good diesel generator reliability and the ability to cope with a station blackout lasting several hours results in estimated core damage frequencies on the order of 10^-5 per year or less.

The effect of a plant's emergency AC power configuration is shown in Figure 8.3.

A substantial difference in core damage frequency may exist between plants with three emergency diesel generators, depending on the minimum number (1 or 2) needed to maintain core cooling and decay heat removal during a loss of offsite power.

Again, frequencies drop rapidly as station blackout coping capabilities extend to cover longer AC power outages.

Figure 8.4 shows the variations in emergency diesel generator failure rate from both independent and common causes.

In this figure, common cause failures in support systems (e.g., service water, DC power) are estimated on the basis of the industry experience (see Appendix B).

These results show that estimated core damage frequency can be kept low by maintaining highly reliable emergency AC power systems.

Estimated core damage frequencies as low as 10^-6 per year may be possible if the emergency AC power system is maintained in a high state of operational reliability and there is some capability of coping with an unlikely station blackout.

The results described above and additional sensitivity analyses can be used to assess the effectiveness of certain strategies in dealing with station blackout concerns.

For instance, if PWR reactor coolant pump seals were known to fail early during station blackout and the reactor coolant system leakage were the factor limiting the ability to cope with station blackout, core damage could occur 1 or 2 hours after the loss of AC power, even if the AC-independent decay heat removal system (the AFWS) were operating properly.

Table 8.1 has been developed from the sensitivity analyses to show the effect of providing a "fix" to maintain reactor coolant pump seal integrity to allow successful core cooling for station blackouts from 2 to 4 and 4 to 8 hours.

The results provided up to this time represent point estimates of probability or, more properly, frequency.

NUREG/CR-3226 shows the effect of using log-normal distributions to represent basic event probabilities on mean probability estimates, calculated medians, and uncertainty ranges.

When that work was completed, the magnitude of the uncertainty in the loss of offsite power frequency and duration estimates was not known.

Because the uncertainty bounds are now perceived to exceed those used in NUREG/CR-3226, the accident sequence uncertainty ranges derived using the most recent uncertainty estimates for loss of offsite power frequency may be larger than previously estimated.

The loss of offsite power frequency and duration estimates are most uncertain for the very low frequency, long duration losses of offsite power.

The uncertainty on the probability of accident sequences which result from the shorter duration losses of offsite power should not be significantly different from the previous estimates.

Some typical station blackout core damage probabilities and uncertainty ranges representing a 90% confidence interval have been provided in Figure 8.5 for reference.

The sequence mean is typically 3 to 8 times larger than the point estimate and the upper and lower bounds are typically within a factor of 5 to 20 of the median estimate.

The large difference in point estimate and mean can be attributed to the use of a log-normal distribution.

When sequences are combined into a single core damage probability, the proportional distance between mean and point estimate tends to decrease somewhat.
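The relationship between point estimate, mean, and 90% bounds described above can be worked through numerically. The following is an added example, not code or data from NUREG-1032 or NUREG/CR-3226. It assumes independent log-normal basic events, a point estimate equal to the product of the basic-event medians, and an error factor defined as the 95th percentile divided by the median; the medians and error factors are constructed for illustration.

```python
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution


def sigma_from_error_factor(ef):
    """Log-space sigma of a log-normal whose 95th percentile is ef times its median."""
    return math.log(ef) / Z95


def sequence_stats(events):
    """Analytic statistics for a product of independent log-normal basic events.

    events is a list of (median, error_factor) pairs. A product of independent
    log-normals is itself log-normal, so the result is exact.
    """
    mu = sum(math.log(median) for median, _ in events)
    var = sum(sigma_from_error_factor(ef) ** 2 for _, ef in events)
    sd = math.sqrt(var)
    return {
        "point": math.exp(mu),           # assumption: point estimate = product of medians
        "median": math.exp(mu),
        "mean": math.exp(mu + var / 2),  # the long upper tail pulls the mean above the median
        "p05": math.exp(mu - Z95 * sd),  # lower bound of the 90% interval
        "p95": math.exp(mu + Z95 * sd),  # upper bound of the 90% interval
        "error_factor": math.exp(Z95 * sd),
    }


def monte_carlo(events, n=200_000, seed=1):
    """Sampling cross-check of sequence_stats (fixed seed, so the run is repeatable)."""
    rng = random.Random(seed)
    params = [(math.log(m), sigma_from_error_factor(ef)) for m, ef in events]
    samples = []
    for _ in range(n):
        value = 1.0
        for mu, sigma in params:
            value *= rng.lognormvariate(mu, sigma)
        samples.append(value)
    samples.sort()
    return {
        "mean": sum(samples) / n,
        "median": samples[n // 2],
        "p05": samples[int(0.05 * n)],
        "p95": samples[int(0.95 * n)],
    }


def combined_mean_to_point(sequences):
    """Mean-to-point ratio after sequences are summed into one frequency.

    The mean of a sum is the sum of the means even when sequences share basic
    events, so the combined ratio is a point-estimate-weighted average of the
    individual ratios and cannot exceed the largest of them.
    """
    stats = [sequence_stats(seq) for seq in sequences]
    return sum(s["mean"] for s in stats) / sum(s["point"] for s in stats)


# Constructed inputs (not values from the report): (median, error factor).
SEQ_A = [
    (0.1, 3),    # loss of offsite power, per year
    (2e-3, 10),  # emergency AC power unavailable
    (0.05, 3),   # AC power not recovered within the coping time
]
SEQ_B = [
    (0.1, 3),    # loss of offsite power, per year
    (2e-3, 10),  # emergency AC power unavailable
    (0.04, 4),   # AC-independent decay heat removal fails early
]

if __name__ == "__main__":
    for name, seq in (("A", SEQ_A), ("B", SEQ_B)):
        s = sequence_stats(seq)
        print(f"sequence {name}: point={s['point']:.2e} mean={s['mean']:.2e} "
              f"mean/point={s['mean'] / s['point']:.2f} "
              f"90% interval=({s['p05']:.2e}, {s['p95']:.2e}) "
              f"error factor={s['error_factor']:.1f}")
    print(f"combined mean/point = {combined_mean_to_point([SEQ_A, SEQ_B]):.2f}")
    print("Monte Carlo check, sequence A:", monte_carlo(SEQ_A))
```

With these constructed inputs both sequences fall inside the ranges quoted in the text, and the combined ratio lies between the two individual ratios.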

Figure 8.2 Sensitivity of estimated station blackout--core damage frequency to emergency diesel generator reliability, AC-independent decay heat removal reliability, and station blackout coping capability. Plot conditions: offsite cluster 2, 1/2 AC configuration; curves for EDG reliability of 0.9, 0.95, 0.975, and 0.99 with 1-train and 2-train AC-independent DHR systems; horizontal axis: station blackout capability (hours).

Figure 8.3 Sensitivity of estimated station blackout--core damage frequency to emergency AC power configurations, AC-independent decay heat removal reliability, and station blackout coping capability. Plot conditions: offsite power cluster 2, 0.975 EDG reliability; curves for AC power configurations 2/3, 1/2, 2/4, and 1/3; horizontal axis: station blackout duration (hours).

Figure 8.4 Sensitivity of estimated station blackout--core damage frequency to reducing the common cause failure susceptibility of emergency diesel generators, their reliability, and station blackout coping capability (offsite power cluster 2, 1/2 AC configuration; curves for AC-independent DHR systems with 1 train and 2 trains; curve labels include 0.975, 0.990, and Nominal; horizontal axis: station blackout duration, 0 to 16 hours)

Table 8.1 Sensitivity of estimated core damage frequency reduction for station blackout accidents with reactor coolant pump seal failure delay from 2 to 4 hours and 4 to 8 hours

Estimated core damage frequency (per reactor year)

Configuration      EDGR* = 0.025                 EDGR = 0.05
and cluster        2 to 4 hr     4 to 8 hr       2 to 4 hr     4 to 8 hr

1/2 configuration:
  1                6.8 x 10^-6   3.5 x 10^-6     1.2 x 10^-5   5.9 x 10^-6
  2                2.1 x 10^-5   1.2 x 10^-5     4.0 x 10^-5   1.9 x 10^-5
  3                4.7 x 10^-5   2.6 x 10^-5     8.8 x 10^-5   4.5 x 10^-5
  4                8.1 x 10^-5   5.1 x 10^-5     1.2 x 10^-4   8.5 x 10^-5

1/3 configuration:
  1                2.4 x 10^-6   9.9 x 10^-7
  2                7.7 x 10^-6   3.2 x 10^-6
  3                1.8 x 10^-5   7.3 x 10^-6
  4                2.7 x 10^-5   1.4 x 10^-5

The measure of risk associated with a station blackout accident can be obtained by multiplying the estimated core damage likelihood by the estimated dose that would result from containment failure during the accident.

The recovery of AC power during the accident would provide the potential for terminating core damage before core melt and the potential for reducing fission product releases by delaying containment failure or by actuating containment sprays before containment failure.

Figure 8.5 Estimated core damage frequency showing uncertainty range for four reference plants (panels: PWR with 1 steam-driven AFW train, BWR with isolation condenser, BWR with HPCI/RCIC, BWR with HPCS/RCIC; markers: upper 95% confidence limit, mean, median, point value, lower 5% confidence limit; horizontal axis: accident sequences)

Source: NUREG/CR-3226

9 RELATIONSHIP OF OTHER SAFETY ISSUES TO STATION BLACKOUT

The implications of station blackout on several other safety issues were reviewed for significance.

These include: loss-of-coolant-accident initiators; anticipated transients without scram; external hazards, such as seismic events and severe weather; and internal hazards associated with fire or extreme environments, such as flooding or high steam temperature resulting from pipe breaks within the plant.

In general, it was concluded that, if the likelihood of station blackout were independent of any of these other safety considerations, the potential risk of a station blackout concurrent with one of these other safety concerns is very small.

However, if as a result of common cause failure or interactive failure, the initiation of an accident by one of those other mechanisms described causes a station blackout, then the safety implications of those safety issues on station blackout are fairly large.

Each of these safety issues is discussed below.

9.1 Loss-of-Coolant Accidents

Loss-of-coolant accidents (LOCAs) induced by a station blackout transient have already been included in the accident sequence analyses described in Section 7; these will not be discussed further here.

LOCAs concurrent with a loss of offsite power are usually included in the design basis of nuclear power plants in accordance with the general design criteria of Appendix A to 10 CFR 50.

The likelihood of a LOCA followed by and concurrent with a station blackout has been considered and is discussed below.

Although no strong coupling could be found between the initiation of a LOCA and a subsequent failure of the offsite or onsite AC power system, one potential mechanism has been identified.

If a LOCA were to occur at a nuclear power plant, the reactor would trip; subsequently the turbine generator would be tripped and a grid instability could follow, or the site could be isolated by switching activities in the switchyard to provide onsite safety-related or alternative sources of preferred power to the emergency power safety buses.

Historical experience collected about loss-of-offsite power events at nuclear power plants suggests that given a transient or an accident situation that would cause a trip of the turbine generator, the likelihood of a failure of the offsite power supply is on the order of 10^-4 to 10^-2, depending on the strength of the grid and the offsite power design at the site.

Estimated LOCA frequencies range from 10^-2 per reactor year for small loss-of-coolant accidents down to less than 10^-4 per reactor year for large diameter pipe breaks.

The frequency of small LOCAs is dominated by pump seal LOCAs on pressurized-water reactors and stuck open safety relief valves on boiling-water reactors.

These situations do not require rapid actuation of AC-powered emergency safety feature equipment and have been addressed previously.

The most likely small LOCA that has not been incorporated in the station blackout accident analyses is a small pipe break (less than 2 inches in diameter) with a frequency of about 10^-3 per reactor year.

The low LOCA frequency combined with the likelihood of losing offsite power on turbine generator trip results in an estimated frequency of occurrence ranging from 10- per reactor year to 10^-7 per reactor year.

When this frequency is combined with a conservative estimate of emergency AC power system unreliability of 10^-2 per demand, it is easily shown that accident sequences of this type represent a small element of reactor risk (less than 10^-7 per reactor year).

The variability of the frequency of station blackout caused by a LOCA could be as much as two orders of magnitude higher and still represent one of the smaller station blackout accident threats, although, at this higher level, these accidents could represent a noticeable fraction of reactor risk.

Large pipe break LOCAs with initiating frequencies on the order of 10^-4 per reactor year combined with the probability of subsequent failure of all AC power do not appear to represent an appreciable fraction of accident likelihood or public risk, at least in comparison to other station blackout sequences.

9.2 Anticipated Transients Without Scram

Another safety consideration that was investigated is anticipated transients without scram.

In this case, the anticipated transient is a loss of offsite power.

If the probability of a loss of offsite power is taken as the generic average, 0.1 per year, and the probability of reactor scram failure is taken as the historical average, about 10^-4 per demand, then the probability of a loss of offsite power followed by a failure to scram is about 10^-5.

This is a level of accident sequence likelihood that might be considered important.

However, in order for a station blackout to occur, the onsite emergency AC power system also must fail.

In the worst case, one might find an unreliability of the emergency AC power system of about 10^-2 per demand.

Thus, the frequency of an anticipated transient without scram involving loss of offsite power and a failure of the onsite emergency AC power system is on the order of 10^-7 per reactor year or less.

Even if the level of uncertainty were an order of magnitude higher, this accident sequence would not be of concern in comparison to the dominant station blackout accident sequences that have been identified.

9.3 Extreme Internal Environment

A safety area in which there does appear to be a potential for station-blackout-type accident sequences being induced by other causes involves fire and other extreme environments internal to a nuclear power plant.

The concern associated with internal environmental hazards is that their occurrence can represent a common cause accident initiator that also affects the ability to cope with the incident.

Specifically of concern is the likelihood of a fire, flood, or other extreme environmental condition generated by internal events that would cause a loss of all AC power.

In general, for this to occur, portions of AC power systems must be in a common location where these hazards are present, or protection barriers and AC power system design requirements must be insufficient to control the spread or failure resulting from these hazards.

Therefore, the likelihood of internal hazards causing a station-blackout-type accident is heavily dependent on the plant's design and, in particular, on the location of equipment.

If separation and internal environmental protection barriers are maintained, or adequate AC system design is provided, the likelihood of these internal environmental hazards causing a station-blackout-type accident would be very small, probably less than 10 per reactor year.

On the other hand, if commonality of location or a lack of protection exists at a plant, then the safety significance of these internal hazards would have to be evaluated for plant damage susceptibility and likelihood of occurrence.

The frequency of occurrence of these hazards can be as high as once per 100 to once per 1,000 reactor years.

Therefore, the vulnerability to station-blackout-type accidents resulting from these hazards can be of concern.

However, the requirements of Appendix R to 10 CFR 50 provide substantial protection against the initiation and spread of fires, and the implementation of these requirements should limit the potential risks from fires in nuclear power plants.

9.4 External Hazards

Another potentially significant safety consideration that could be related to station blackout involves external hazards to the plant, particularly those resulting from seismic- and weather-induced failures.

To date, a seismically induced loss of offsite power has not been observed at a nuclear power plant.

Failure of offsite power because of severe weather has been observed at nuclear power plants; in fact, severe weather was included as a major factor in determining the likely duration of an extended offsite power outage at nuclear power plants, as described in Section 3.

The greatest potential for safety significance exists where there is a direct coupling or common cause failure associated between a transient-initiating external hazard causing loss of offsite power and the reliability of the onsite and offsite power systems.

It can be expected that significant seismic and severe-weather events will cause a loss of the offsite power system.

On the other hand, the plant, and in particular the emergency AC power system, is typically designed to withstand, or is protected from the effects of, these severe phenomena.

Therefore, for severe external hazards that are within the design basis of the plant, the failure of the emergency AC power system can be considered as an independent failure event.

For example, if the likelihood of a safe shutdown earthquake that could cause a loss of offsite power were approximately 10^-2 per year or less, and one assumes that it would take approximately 8 to 24 hours to restore offsite power from such an incident, then a typical estimate of core damage or core melt frequency as a result of a safe shutdown earthquake and a station blackout would be about 10^-6 per reactor year or less.

For severe weather, the likelihood of the weather-induced failure of the offsite power system could be as high as 10^-2 per year, and the outage could be expected to be on the order of several hours.

Again, if the severe-weather event is within the design basis of the plant, the likelihood of a weather-induced station blackout accident causing core damage or core melt would be on the order of 10^-5 per reactor year.

Table 9.1 provides a summary of the typical internal and external accident hazards of a nuclear power plant and identifies some potential points of failure that could result in a coupling between these accident initiators and a station blackout.

If such interactions or points of commonality do not exist, then it is concluded that the contribution of these accident initiators to station blackout accident sequences results in core melt frequencies that are no larger, and probably much less, than those previously considered.

Table 9.1 Coupling between external (and internal) events and potential plant failures

Event             Potential plant "weakness"

Seismic           Switchyard, control, non-seismically designed equipment
Fire, flood       Areas with multiple divisions, inadequate protection barriers
Severe weather    Transmission lines and towers, switchyard, non-safety structures

10 REFERENCES

Adams, J. P., et al., "Natural Circulation Cooling Characteristics During PWR Accident Simulations," Second National Topical Meeting on Nuclear Reactor Thermal Hydraulics, January 11 to 14, 1983.

Fletcher, C. D., "A Revised Summary of PWR Loss of Offsite Power Calculations," EGG-CAAD-5553, EG&G Idaho, Inc., September 1981.

General Electric Topical Report HE00-30832, "Elimination of Limits on BWR Suppression Pool Temperatures for SRV Discharge with Quenchers," December 1984.

Industry Degraded Core Rulemaking Program (IDCOR), IDCOR Technical Summary Report, "Nuclear Power Plant Response to Severe Accidents," published by Technology for Energy Corp., Knoxville, Tennessee, November 1984.

Schultz, R. R., and S. R. Wagoner, "The Station Blackout Transient at the Browns Ferry Unit One Plant A Severe Accident Sequence Analysis," EGG-NTAP-6002, EG&G Inc., September 1982.

U. S. Nuclear Regulatory Commission, NUREG-75/140 "Reactor Safety Study," October 1975 (formerly WASH-1400).

--, NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980.

--, NUREG-1150, "Reactor Risk Reference Document," Draft for Comment, February 1987.

--, NUREG/CR-1988, F. E. Haskin, W. B. Murfin, J. B. Rivard, and J. L. Darby, "Analysis of a Hypothetical Core Meltdown Accident Initiated by Loss of Offsite Power for the Zion 1 Pressurized Water Reactor," December 1981.

--, NUREG/CR-2182, D. H. Cook, S. R. Greene, R. M. Herrington, S. A. Hodge, and O. D. Yue, "Station Blackout at Browns Ferry Unit One - Accident Sequence Analysis," November 1981.

--, NUREG/CR-2989, R. E. Battle and D. J. Campbell, "Reliability of Emergency AC Power Systems at Nuclear Power Plants," July 1983.

--, NUREG/CR-3226, A. M. Kolaczkowski and A. C. Payne, Jr., "Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44)," May 1983.

--, NUREG/CR-3992, R. E. Battle, "Collection and Evaluation of Complete and Partial Losses of Offsite Power at Nuclear Power Plants," February 1985.

--, NUREG/CR-4347, R. E. Battle, "Emergency Diesel Generator Operating Experience, 1981-1983," December 1985.

Wyckoff, H., "Losses of Offsite Power at U. S. Nuclear Power Plants--All Years Through 1985," NSAC/103, Electric Power Research Institute, May 1986.

Wyckoff, H., "Reliability of Emergency Diesel Generators at U.S. Nuclear Power Plants," NSAC/108, Electric Power Research Institute, September 1986.

APPENDIX A

DEVELOPMENT OF LOSS-OF-OFFSITE-POWER FREQUENCY AND DURATION RELATIONSHIPS

TABLE OF CONTENTS

INTRODUCTION
LOSS OF OFFSITE POWER FROM PLANT-CENTERED CAUSES
GRID-RELATED LOSS OF OFFSITE POWER
LOSS OF OFFSITE POWER AS A RESULT OF SEVERE WEATHER
GENERIC LOSS-OF-OFFSITE-POWER CORRELATIONS
REFERENCES

LIST OF FIGURES

A.1 Frequency of loss-of-offsite-power events exceeding specified durations
A.2 Annual frequency of loss of offsite power
A.3 Estimated frequency of occurrence of plant-centered losses of offsite power exceeding specified durations
A.4 90% confidence limits for two categories of plant-centered losses of offsite power
A.5 Restoration probability for grid-related losses of offsite power
A.6 Estimated frequency of occurrence of grid-related losses of offsite power exceeding specified durations
A.7 Weather hazard expectation histograms
A.8 Restoration probability for severe-weather-induced losses of offsite power
A.9 Estimated frequency of occurrence of severe-storm-induced losses of offsite power exceeding specified durations
A.10 Estimated frequency of losses of offsite power exceeding specified durations for Indian Point
A.11 Estimated frequency of losses of offsite power exceeding specified durations for Zion
A.12 Estimated frequency of losses of offsite power exceeding specified durations for Shoreham
A.13 Estimated frequency of losses of offsite power exceeding specified durations for Millstone 3
A.14 Estimated frequency of losses of offsite power exceeding specified durations for Limerick
A.15 Estimated frequency of occurrence of losses of offsite power exceeding specified durations for nine offsite power clusters

LIST OF TABLES

A.1 Summary of loss-of-offsite power experience
A.2 Definitions of offsite power system design factors
A.3 Mean time to restore offsite power
A.4 Data used for plant-centered loss-of-offsite power-duration curve fits
A.5 Grid-related loss-of-offsite power frequency versus duration, through December 1983
A.6 Grid reliability/recovery
A.7 Severe-weather-induced losses of offsite power used in the analysis
A.8 Severe-weather-induced loss-of-offsite power frequency/recovery
A.9 Extremely severe-weather-induced loss-of-offsite power frequency
A.10 Identification of grid, offsite power system design, severe weather, and extremely severe weather factors included in cluster groups
A.11 Loss-of-offsite power frequency distribution per cluster group

INTRODUCTION

This appendix provides the details and results of analyses performed by NRC staff to develop the cause, frequency, and duration relationships for loss of offsite power at nuclear power plants.

The purpose of this work was to develop generic loss of offsite power relationships that would allow differentiation of plant design, operational, and location factors that can significantly affect the expected frequency and duration of loss of offsite power events.

Within this study, the loss of offsite power has been defined as the interruption of the preferred power supply to the essential and nonessential switchgear buses necessitating or resulting in the use of emergency AC power supplies.

A total loss of offsite power is said to have occurred when non-emergency AC power sources become unavailable requiring some diagnosis or special recovery actions, including correcting switching errors, fixing or bypassing faulted equipment, or otherwise making available an alternate standby source of non-emergency AC power.

Although total loss of offsite power is a relatively infrequent occurrence at nuclear power plants, it has happened a number of times, and a data base of information has been compiled (Wyckoff, 1986; NUREG/CR-3992).

From these data and a review of relevant design and operational characteristics, the frequency and duration relationships for loss-of-offsite power events at nuclear power plants have been developed.

Historically, a loss of offsite power has occurred with a frequency of about once per 10 site years.

The typical duration of these events has been on the order of one-half hour.

However, at some power plants the frequency of loss of offsite power has been substantially higher than the average, and in other instances the duration of offsite power outages has been much longer than the norm.

In some cases, licensees have taken and are taking corrective action to limit the recurrence of these longer and more frequent losses of offsite power.

A summary of the data on the total loss-of-offsite power events is provided in Table A.1.

Because design characteristics, operational features, and the location of nuclear power plants within different grids and meteorological areas can have a significant effect on the likelihood and duration of loss-of-offsite-power events, it was necessary to analyze the nuclear industry experience in more detail.

The data have been categorized into plant-centered events and area or weather-related events.

Plant-centered events are those in which the design and operational characteristics of the plant itself play a role in the likelihood or duration of the loss-of-offsite power event.

Area or weather effects include the reliability of the grid and external influences on the grid or at the site (such as severe weather) that have an effect on the likelihood and duration of the loss of offsite power.

The data show that plant-centered events account for the majority of the loss-of-offsite power events.

Although the area-blackout- and weather-related events are less frequent, they typically account for the longer duration outages, with storms the major contributor to long outages.

Table A.1 Summary of loss-of-offsite power experience

Category          No. of events    Frequency (yr^-1)
                  (1 4 hr)         (2 4 hr)

Plant centered    46 (15)          0.087 (0.028)
Grid              12 (7)           0.018 (0.011)
Weather           6 (6)            0.009 (0.009)
Total             64 (28)          0.114 (0.048)

Note: The number of reactor-critical site years through December 1985 is 527, and the number of site years is 664.

Because plant-centered events that occurred when reactors were shut down were screened from the event count, reactor-critical site years were used to derive plant-centered event frequencies.

Reactor-critical site years are the number of years that reactors were at power conditions at the site.

Figure A.1 provides a plot of the frequency and duration of loss-of-offsite-power events resulting from plant-centered faults, grid blackout, and severe weather, based on past experience at nuclear plant sites.

The curves were developed by fitting data to a two parameter Weibull function of the following form:

A (t) _ ALOP '

LOP j

where λ_LOPi(t) is the frequency of losses of offsite power of type "i," which are equal to or greater than duration "t."

That is, the recovery time equals or exceeds "t" hours. The term λ_LOPi is the frequency of occurrence of losses of offsite power of type "i," which have greater than zero duration.

Parameters α_i and are curve-shaping constants that vary according to the data being curve fitted.
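
The curve fit described above, as an added example that is not code or data from NUREG-1032: it assumes the exceedance form freq(t) = freq0 * exp(-alpha * t**beta) for the two-parameter Weibull function and fits alpha and beta by least squares on the linearized curve. The event count and site years come from Table A.1; the sample restoration times, function names, and plotting-position choice are assumptions of this example.

```python
"""Fit a two-parameter Weibull exceedance curve to outage durations.

Assumed form (an assumption of this example, not quoted from the report):
    freq(t) = freq0 * exp(-alpha * t**beta)
freq0 is the frequency of all losses; alpha and beta shape the curve.
"""
import math

# From Table A.1 on this page: 46 plant-centered events in 527
# reactor-critical site years.
FREQ0_PER_YEAR = 46 / 527

# Constructed restoration times in hours. These are NOT the report's data.
SAMPLE_HOURS = [0.03, 0.05, 0.1, 0.15, 0.2, 0.25, 0.4, 0.5, 0.75,
                1.0, 1.5, 2.0, 3.5, 5.0, 9.0]


def hazen_survival(n):
    """Plotting positions: estimated fraction of n events lasting at least
    as long as the k-th shortest one. Never exactly 0 or 1, so the double
    logarithm used in the fit is always defined."""
    return [(n - k - 0.5) / n for k in range(n)]


def fit_weibull_exceedance(durations_hr):
    """Return (alpha, beta) by least squares on the linearized curve
    ln(-ln S) = ln(alpha) + beta * ln(t)."""
    ts = sorted(durations_hr)
    n = len(ts)
    if n < 2:
        raise ValueError("need at least two events")
    if ts[0] <= 0:
        raise ValueError("durations must be greater than zero")
    xs = [math.log(t) for t in ts]
    ys = [math.log(-math.log(s)) for s in hazen_survival(n)]
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("all durations identical; shape undetermined")
    beta = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    alpha = math.exp(my - beta * mx)
    return alpha, beta


def exceedance_frequency(t_hr, freq0, alpha, beta):
    """Frequency per year of losses whose recovery time is at least t_hr."""
    if t_hr <= 0:
        return freq0
    return freq0 * math.exp(-alpha * t_hr ** beta)


def points_on_curve(alpha, beta, n):
    """Durations lying exactly on a known curve at the Hazen positions,
    used to check that the fit recovers alpha and beta."""
    return [(-math.log(s) / alpha) ** (1.0 / beta) for s in hazen_survival(n)]


if __name__ == "__main__":
    alpha, beta = fit_weibull_exceedance(SAMPLE_HOURS)
    print(f"alpha = {alpha:.3f}, beta = {beta:.3f}")
    for t in (0.5, 2.0, 8.0):
        f = exceedance_frequency(t, FREQ0_PER_YEAR, alpha, beta)
        print(f"losses lasting >= {t:4.1f} h: {f:.4f} per year")
```

A beta below 1 gives the long tail that makes rare, long outages matter: the curve drops quickly at short durations and then flattens.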

Analyses were also performed to determine the trends in the frequency of loss of offsite power.

Figure A.2 shows a plot of the rolling average loss of offsite power for nuclear plants included in Table A.1 and Figure A.1.

Figure A.1 Frequency of loss-of-offsite power events exceeding specified durations (data and fitted curves for total, plant-centered, grid, and severe weather losses; horizontal axis: duration, 0.1 to 10 hours)

Figure A.2 Annual frequency of loss of offsite power (1-year average and traveling 3-year average; horizontal axis: year, 1966 to 1985)

These results show that over a period of 20 years, from 1966 through 1985, the general trend has been toward a reduction in loss-of-offsite power frequency.

However, that reduction in frequency has been modest.

The results also show that fluctuations occur so that trends and averages indicated in any given interval of 2 or 3 years can be considerably different than the cumulative results.

As of the end of 1985, the cumulative average frequency of loss of offsite power was about 0.1 while the trends from Figure A.2 indicate an industry-wide frequency variation ranging between 0.25 and 0.05 over the period.

LOSS OF OFFSITE POWER FROM PLANT-CENTERED CAUSES

Plant-centered failures typically involve hardware failures, design deficiencies, human errors (in maintenance and switching), localized weather-induced faults (lightning), or combinations of these failure types.

Plant-centered failures can be recovered by switching or repairing faulted equipment at the site.

An effort was made to screen out events that occurred when plants were shut down and offsite power configurations are not required to meet requirements for availability of immediate and delayed access circuits.

For the plant-centered losses, an attempt was made to determine any correlation between offsite power design characteristics and frequency and duration of losses of offsite power.

Two offsite power design features were identified as potentially significant with regard to frequency and duration of loss of offsite power: (1) the independence of incoming offsite power sources and (2) the number of immediate and delayed access circuits and their transfer schemes to the Class 1E buses.

Table A.2 defines the design differences associated with these features.

The designs of offsite power sources were further subdivided into groups, and the number of shutdown sources were subdivided into different possible design combinations (NUREG/CR-3992).

The relationship between the listed design features and the frequency of loss of offsite power was analyzed using the Failure Rate Analysis Code (FRAC) (NUREG/CR-2434) to correlate loss-of-offsite power frequency with various design features.

These analyses showed no statistically significant correlations between frequency of plant-centered losses of offsite power and the design features analyzed.

An analysis was also performed to determine if any relationship exists between offsite power design characteristics and the duration of losses of offsite power.

Analyses were performed using the generalized linear model (GLM) procedure of the Statistical Analysis System (SAS) (SAS Institute, 1979).

The data for all of the different design factors were analyzed to check for any statistical interactions using analysis of variance.

One data point--a 5.83-hour restoration time for an event at the Calvert Cliffs plant on April 13, 1978--was found to cause a strong interaction.

Without that event, there was no significant interaction.

The Calvert Cliffs event involved a latent design flaw that has since been corrected; it is not expected to typify future occurrences with regard to design feature, type of failure, or duration.

With the data "corrected," the independence of offsite power sources was found to be an important determinant of the restoration time associated with plant-centered losses of offsite power.

The number and type of transfer schemes were found to be less significant.

It was concluded that various combinations of these design features could be used to define a set of design characteristics with different recovery times for plant-centered losses of offsite power.

On the basis of this analysis and a NUREG-1032 A-5

4 Table A.2 Definitions of offsite power system design factors Major design factor Design features A.

Independence of 1.

All offsite power sources are connected to the offsite power plant through one switchyard, sources to the nuclear plant 2.

All offsite power sources are connected to the plant through two or more switchyards, and the switchyards are electrically connected.

3.

All offsite power sources are connected to the plant through two or more switchyards or separate incoming transmission lines, but at least one of the AC sources is electrically independent of the others.

8.

Automatic and 1.

If the normal source of AC power fails, there manual transfer are no automatic transfers and there is one or schemes for the more manual transfers to preferred or alternate Class 1E buses offsite power sources, when the normal source of AC 2.

If the normal source of AC power fails, there is power fails and one automatic transfer but no manual transfers when the backuo to preferred or alternate offsite power sources.

sources of offsite power fail a.

All of the Class 1E buses in a unit are connected to the same preferred power source after the automatic transfer of power sources.

b.

The Class 1E buses in a unit are connected to separate offsite power sources after the automatic transfer of power sources.

3.

Af ter loss of the normal AC power source, there is one automatic transfer.

If this source fails, there may be one or more manual transfers of power sources to preferred or alternate offsite power

sources, a.

All of the Class 1E buses in a unit are con-nected to one preferred power source after the first automatic transfer, b.

The Class 1E buses in a unit are connected to separate offsite power sources after the first automatic transfer.

NUREG-1032 A-6

, pp

+

+

<-f Table A'2 (continued)

Major.designfactor-Design features 4.

If the normal source of AC-power fails, there is Ti an automatic transfer to a preferred source of power.

If this preferred source of power fails, there is an automatic transfer to another source

-of offsite power, a.

All of the Class 1E buses in a unit are connected to the same preferred power source after the first automatic transfer.

b.

The Class 1E buses in a unit are connected to separate offsite power sour:.es after the first automatic transfer of power sources.

review of the design features, the staff concluded (1) that plants with switchyard designs that are normally operated as an interconnected system could be separated, as a group, from those with designs offering electrical independence, and (2) that sites with two or more alternate offsite power circuits (immediate or delayed access) in addition to the normally energized power circuit to the Class 1E buses (offsite or unit generator source) could be grouped. Table A.3 shows design combinations obtained with the mean-time-to-repair (MTTR) values for each group. Other groupings can be derived that have at least some statistical significance and are physically valid. However, data limitations and small differences in MTTR that occur for more detailed breakdowns suggest that the design groups obtained represent a reasonable and valid compromise between completely generic and more design-specific breakdowns.

Table A.3 Mean time to restore offsite power

Group designation | Design factor* | Mean time to restore
I1 | A1, A2, or A3 and B4 | 0.20
I2 | A1 or A2 and B2b or B3 | 0.39
I3 | A1 or A2 and B1 or B2a | 0.78

* See Table A.2 for design features.

A plant-centered loss-of-offsite power-frequency-vs.-duration curve was developed for each of the three design groups by fitting the corresponding data to a two-parameter Weibull distribution. A list of the data used for each curve fit is given in Table A.4. The actual curves generated by this analysis are in Figure A.3. The curves show the probability and frequency of events that exceed a specified duration. Figure A.4 shows the 90% confidence limits for two of the correlations (I1 and I3) derived using the extreme value theory.
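The curve fit described above can be illustrated with the Group I1 durations from Table A.4. This is an added example, not code from NUREG-1032: the report does not state its fitting procedure, so median-rank regression with Bernard's approximation is assumed, the function names are hypothetical, and the annual loss frequency passed to `frequency_exceeding` is a value the caller must supply.

```python
import math

# Group I1 plant-centered outage durations (hours), transcribed from Table A.4.
I1_DURATIONS_HR = [0.002, 0.003, 0.013, 0.017, 0.080, 0.150, 0.167,
                   0.183, 0.250, 0.270, 0.330, 0.430, 0.480, 0.500]


def fit_weibull_median_rank(durations):
    """Return (beta, eta): Weibull shape and scale (hours).

    Assumed method, not taken from the report. The Weibull CDF
    F(t) = 1 - exp(-(t/eta)**beta) is linearized as
    ln(-ln(1 - F)) = beta*ln(t) - beta*ln(eta), and a least-squares
    line is fitted through the ordered sample.
    """
    data = sorted(durations)
    n = len(data)
    if n < 2 or data[0] <= 0:
        raise ValueError("need at least two strictly positive durations")
    xs, ys = [], []
    for rank, t in enumerate(data, start=1):
        f = (rank - 0.3) / (n + 0.4)  # Bernard's median-rank approximation
        xs.append(math.log(t))
        ys.append(math.log(-math.log(1.0 - f)))
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("all durations are identical; shape is undefined")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    beta = sxy / sxx
    # Intercept = mean_y - beta*mean_x = -beta*ln(eta)
    eta = math.exp(mean_x - mean_y / beta)
    return beta, eta


def prob_exceeds(t_hours, beta, eta):
    """Probability that a loss of offsite power lasts longer than t_hours."""
    if t_hours <= 0:
        return 1.0
    return math.exp(-((t_hours / eta) ** beta))


def frequency_exceeding(t_hours, annual_loss_frequency, beta, eta):
    """Frequency (per site year) of losses lasting longer than t_hours.

    annual_loss_frequency is the group's loss-of-offsite-power frequency;
    it is an input here, not a value taken from the report.
    """
    return annual_loss_frequency * prob_exceeds(t_hours, beta, eta)


def exceedance_table(durations, points=(0.01, 0.1, 0.5, 1.0, 2.0)):
    """Fit the sample and tabulate (duration, exceedance probability)."""
    beta, eta = fit_weibull_median_rank(durations)
    return [(t, prob_exceeds(t, beta, eta)) for t in points]


if __name__ == "__main__":
    shape, scale = fit_weibull_median_rank(I1_DURATIONS_HR)
    print(f"shape beta = {shape:.3f}, scale eta = {scale:.3f} h")
    for t, p in exceedance_table(I1_DURATIONS_HR):
        print(f"P(duration > {t:>4} h) = {p:.3f}")
```

A shape parameter below 1 means most outages in the sample are short while a few last much longer than the scale value.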

GRID-RELATED LOSS OF OFFSITE POWER

Grid reliability has traditionally been the most prominent factor associated with a loss of offsite power at nuclear power plants. Yet, the historical data show that losses of offsite power as a result of grid-related problems account for no more than 19% of all losses of offsite power. Attempts to find characteristics to classify site, design, and location features that affect the expected frequency of grid loss have not been successful. An investigation into the various utility transmission and distribution system reliability characteristics was beyond the scope of this study. Such a study is likely to involve an extensive state-of-the-art analysis of grid stability, the results of which would be of questionable validity considering limitations on current methodology. In its place a more pragmatic and experience-based approach to estimating nuclear plant site susceptibility to grid loss was taken. Both frequency of grid loss and time to restore power were considered.

It was recognized that the Florida Power and Light (FPL) grid has represented the upper end of utility grid failure frequency during the past 10 to 15 years, although some recent improvements seem to have been effective. Very few other nuclear plant sites have experienced even one or two loss-of-offsite power events as a result of grid blackout. The great majority of nuclear power plants have not experienced grid failure. A systemic weakness identified after a grid failure is usually corrected as soon as possible. Thus, it is usually a new and previously unidentified systemic weakness that results in future failures. Therefore, in the absence of known and uncorrected systemic weaknesses, the occasional, non-recurring type of grid failure may not be a good indicator of future trends within a utility system. With this in mind, the FPL experience was separated from the balance of the U.S. nuclear utility experience to estimate grid-failure frequency.

Because a set of design or location factors could not be identified that could effectively differentiate the expected reliability of the various utility grids, grid reliability was categorized by failure frequency ranges characteristic of past experience. The FPL experience suggests an upper end to the grid-failure frequency of once per 2 to 5 site years, although there have been recent improvements. In a few utility systems, the occasional grid failures have occurred at a frequency of about once per 10 to once per 20 site years. The national average is about once per 100 site years, excluding FPL experience.

Table A.5 lists grid-related losses of offsite power and site-specific frequencies calculated from the data. Two grid undervoltage events are discussed in a footnote to the table. Although these events were not counted as grid failures, offsite power sources were momentarily unavailable during these events.

Two factors that have been identified as significant in determining the duration of grid-related losses of offsite power at nuclear power plant sites are: (1) the availability of adequate restoration procedures and (2) the availability of "black start" power sources that are able to supply power to a nuclear

Table A.4 Data used for plant-centered loss-of-offsite power-duration curve fits*

Group** | Plant | Date | Duration (hr)
I1 | Davis-Besse | 11/29/77 | 0.002
I1 | Nine Mile Point | 11/17/73 | 0.003
I1 | Oconee | 01/04/74 | 0.013
I1 | Haddam Neck | 07/19/72 | 0.017
I1 | Millstone | 07/21/76 | 0.080
I1 | Haddam Neck | 07/15/69 | 0.150
I1 | Haddam Neck | 08/01/84 | 0.167
I1 | Susquehanna | 07/26/84 | 0.183
I1 | Monticello | 04/27/81 | 0.250
I1 | Haddam Neck | 06/26/76 | 0.270
I1 | Haddam Neck | 01/19/74 | 0.330
I1 | Davis-Besse | 10/15/79 | 0.430
I1 | Haddam Neck | 04/27/68 | 0.480
I1 | Indian Point 2,3 | 06/03/80 | 0.500***
I2 | Oyster Creek | 09/08/73 | 0.003
I2 | Point Beach | 04/27/74 | 0.023
I2 | Brunswick | 03/26/75 | 0.070
I2 | Dresden | 08/16/85 | 0.083
I2 | Point Beach | 02/05/71 | 0.130
I2 | Turkey Point | 02/12/84 | 0.250
I2 | Turkey Point | 02/16/84 | 0.250
I2 | Beaver Valley | 07/28/78 | 0.280
I2 | McGuire | 08/21/84 | 0.334
I2 | Ginna | 03/04/71 | 0.500
I2 | Ginna | 10/21/73 | 0.670
I2 | Prairie Island | 07/15/80 | 1.030
I2 | Arkansas Nuclear One | 09/16/78 | 1.480
I3 | San Onofre | 11/22/80 | 0.004
I3 | Fort Calhoun | 08/22/77 | 0.315
I3 | San Onofre | 11/21/85 | 0.067
I3 | Palo Verde | 10/07/85 | 0.200
I3 | Palo Verde | 10/03.o3 | 0.400
I3 | Palisades | 09/24/77 | 0.500
I3 | Quad Cities | 06/22/82 | 0.570
I3 | Farley | 09/16/77 | 0.900
I3 | Fort Calhoun | 02/21/76 | 0.900
I3 | Palisades | 09/02/71 | 0.930
I3 | Quad Cities | 11/06/77 | 1.150
I3 | Indian Point | 06/03/80 | 1.750***
I3 | Farley | 10/08/83 | 2.750

Table A.4 - Footnotes

* Not included in the duration analysis were the Palisades events of 11/25/77 and 12/11/77 (recurring failures), the Calvert Cliffs event of 04/13/78 (outlier), the Big Rock Point event of 11/25/72 (insufficient plant design information), and the Crystal River event of 06/16/81, the Vermont Yankee event of 12/17/72, and the Turkey Point event of 04/04/79 (incomplete reporting of duration).

** Group designations are explained in Table A.3.

*** The Indian Point event of 06/30/80 lasting 1.75 hours, included in Group I3, is also included as a 0.50-hour event in Group I1 on the basis that had the available gas turbine been employed, offsite power would most likely have been recovered in approximately 30 minutes.

[Figure: horizontal axis, duration (hours)]

Figure A.3 Estimated frequency of occurrence of plant-centered losses of offsite power exceeding specified durations (for offsite power groups as shown in Table A.3)

[Figure: curve fits for Category I1 and Category I3, each with 90% confidence limits; horizontal axis, duration (hours)]

Figure A.4 90% confidence limits for two categories of plant-centered losses of offsite power

Table A.5 Grid-related loss-of-offsite power frequency versus duration, through December 1983

Site | Date of occurrence | Duration (hours) | Site frequency (per year)
Turkey Point | 06/28/74 | 0.180 | 0.444 (6 events in 13.5 site years)
Turkey Point | 04/04/73 | 0.250 |
Turkey Point | 04/03/73 | 0.300 |
Turkey Point | 04/25/74 | 0.330 |
Turkey Point | 05/16/77* | 1.030 |
Turkey Point | 05/16/77* | 2.000 |
Turkey Point | 05/17/85 | 2.083 |
Indian Point | 07/20/72 | 0.920 | 0.126 (3 events in 23.8 site years)
Indian Point | 07/13/77 | 6.470 |
Indian Point | 11/09/65 | |
St. Lucie | 05/14/78 | 0.130 | 0.20 (2 events in 9.8 site years)
St. Lucie | 03/16/77* | 0.330 |
St. Lucie | 05/16/77* | 1.500 |
Yankee Rowe | 11/09/65 | 0.550* | 0.039 (1 event in 25.5 site years)
60 sites | none*** | | (no events in 0.3 to 26.3 site years)
Total for 64 sites | | | 0.018 (12 events in 664.4 site years)
Total excluding FPL | | | 0.006 (4 events in 664.4 site years)

* The Turkey Point and St. Lucie events of 05/16/77 were counted as one event for each plant for frequency calculations.

** Actual duration not reported.

*** The undervoltage event at Millstone on 07/21/76 was treated as a plant-centered design problem; the undervoltage event at Quad Cities on 02/13/78 was treated as a degradation with a usable offsite power source available throughout the incident.

power plant in isolation of a grid disturbance. Both of these factors can contribute to a significant reduction in the e... losses of offsite power, as reported in the Indian Point Safety Study (Power Authority of the State of New York, 1982). In 1981 the NRC sent Generic Letter 81-04 to all nuclear power plant licensees requesting them to develop and implement procedures to enhance restoration of offsite power. Responses to that generic letter have indicated that power could be preferentially restored to many nuclear power plant sites within 1 or 2 hours, even if the grid remained in a blackout condition.

The time to restore offsite power following a grid failure can be estimated by past experience. However, if an appropriate set of procedures is provided and power sources are available and capable of supplying power during grid blackout, a more prompt recovery may be possible. Human reliability and the availability of alternate power sources may limit the recovery potential to as low as 60% recovery in about an hour. If multiple reliable sources of power that can be isolated from a blacked-out grid are available, the potential may be as high as 95% recovery in less than one-half hour. For this study, an offsite power-restoration likelihood of 80% within one-half hour of a grid failure was assumed for the analysis of plant sites with enhanced recovery capabilities (e.g., procedures and at least one power source available for prompt recovery). The recovery probabilities for grid-related losses of offsite power were developed by fitting past operating data to a two-parameter Weibull distribution. The data used in the curve fit are provided in Table A.5. Figure A.5 provides a curve showing the probability of not restoring offsite power versus the duration of losses of offsite power as a result of grid blackouts. It also shows the potential for improvement with enhanced recovery capability over past operating experience.

The correlations for grid reliability and offsite power restoration were developed by combining the occurrence frequencies representative of operating experience and the calculated recovery probabilities. Table A.6 provides the grid failure frequency and duration groups obtained. Figure A.6 shows the discrete loss-of-offsite-power groups identified in Table A.6.

LOSS OF OFFSITE POWER AS A RESULT OF SEVERE WEATHER

Severe weather conditions, such as local or area-wide storms, have caused losses of offsite power at nuclear power plants. Weather-related causes of offsite power failure have been divided into two groups:

(1) those for which the weather caused the event but did not affect the time to restore power

(2) those for which the weather initiated the event and created conditions so that power was not or could not have been restored for a long time

Group (1) includes lightning and most other weather events that do not cause severe or extensive physical damage at or near the site. They can cause a loss of offsite power, but their severity does not contribute in any significant way to long-duration losses of offsite power. These types of weather-related offsite power outages are usually considered in the plant-centered or, possibly, the grid category. Group (2) includes losses of offsite power that result from

[Figure: curves for data, normal recovery, 90% confidence limits for normal recovery, and enhanced recovery; horizontal axis, duration (hours)]

Figure A.5 Restoration probability for grid-related losses of offsite power

Table A.6 Grid reliability/recovery

Group | Grid loss frequency, reliability recovery

Grid reliability group (G) | Frequency of grid loss
G1 | Less than 1 per 60 site years (0.01/site year)
G2 | > 1 per 60 site years and < 1 per 20 site years (0.03/site year)
G3 | > 1 per 20 site years and < 1 per 6 site years (0.1/site year)
G4 | Greater than or equal to 1 per 6 site years (0.3/site year)

Recovery from grid blackout group (R) | Recovery capability
R1 | Plant has capability and procedures to recover offsite (nonemergency) AC power to the site within 1/2 hour following a grid blackout.
R2 | All other plants not in R1.

Grid reliability/recovery group (GR) | Grid reliability group (G) | Recovery from grid blackout group (R)
GR1 | G1 | R1
GR2 | G2 | R1
GR3 | G3 | R1
GR4 | G4 | R1
GR5 | G1 | R2
GR6 | G2 | R2
GR7 | G3 | R2

[Figure: curves for groups GR1 through GR7; horizontal axis, duration (hours). Note: Grid reliability/recovery groups GR1 - GR7 are defined in Table A.6.]

Figure A.6 Estimated frequency of occurrence of grid-related losses of offsite power exceeding specified durations

major storms, hurricanes, high winds, accumulations of snow and ice, and tornadoes. The expected frequency of loss of offsite power of this group is relatively small; on the other hand, for this group the likelihood of restoring offsite power in a short time is also relatively small.

To estimate the likelihood and duration of loss of offsite power as a result of severe weather, it is necessary to (1) identify the set of weather hazards to be considered, (2) determine the likelihood of failure for a given hazard intensity, and (3) determine the repair or restoration time for the various failure modes associated with severe weather-related power losses. Although utilities and regional power pools normally keep extensive data on transmission line, terminal, and customer outages from all causes, including weather, little information has been obtainable that can be used to derive the likelihood of loss of all offsite power at nuclear plants or for similarly designed incoming transmission lines and switchyards at non-nuclear plants. In light of this limitation, the objective of this study was to derive some general frequency and duration characteristics that could be applied to the design and location of nuclear power plant offsite power systems generically or on a case-by-case basis, considering specific susceptibility to the various weather hazards.

The approach taken was to develop a range of loss-of-offsite power frequency and duration relationships based on weather hazard rate and past operating experience. First, data for all loss-of-offsite power events involving both partial or total failures were reviewed. Weather-related total loss-of-offsite-power events and significant partial loss-of-offsite power events, such as those causing the complete loss of power to or from a switchyard, were included. These data are provided in Table A.7. Here again, as with grid reliability experience, this data base is too small to be used to derive plant location and design-dependent conclusions regarding the expected frequency of loss of offsite power as a result of severe weather. Normally, regression analyses would be used to correlate failure rate, design factors, and weather hazards. However, the losses of offsite power are so rare that the available data are too limited to take such an approach.

The method used to correlate loss-of-offsite power frequency to weather hazards is based on the assumption that the frequency of loss of offsite power as a result of severe-weather events is proportional to the weather hazard rates at a site. The weather hazard rate is a measure of the frequency of conditions that have the potential to cause loss of offsite power. The following weather hazard rate indicators were selected:

snow/ice: inches of snowfall per year

tornado: frequency of tornadoes per year

hurricane and wind: frequency of storms per year with wind speeds of tropical storm strength or greater

These factors are called indicators because no mechanistic cause and effect analysis has been performed to associate their occurrence with a loss of offsite power. Rather, it has been observed that losses of offsite power have occurred when these types of weather conditions were present. For instance, winter and spring snowstorms, which can be measured according to inches of snowfall, also bring conditions involving ice accumulations on lines and terminals. Windy conditions may also accompany these storms. Thus, a hazard indicator of inches of snowfall is merely a factor used to correlate loss-of-offsite power occurrences with locations most susceptible to winter and spring storms involving snow and ice accumulations and associated windy conditions.

Table A.7 Severe-weather-induced losses of offsite power used in the analysis

Type loss/site | Date | Duration (hours) | Weather type

Total losses of offsite power:
Fort St. Vrain | 05/17/83 | 1.75 | Snow/Ice
Pilgrim | 05/10/77 | 2.67 | Snow/Ice
Dresden | 11/12/65 | 4.00 | Tornado
Millstone | 08/10/76 | 5.00 | Salt Spray
Millstone | 09/27/85 | 5.50 | Salt Spray
Pilgrim | 02/06/78 | 8.90 | Snow/Ice

Major partial losses of offsite power:
Browns Ferry | 03/01/80 | | Snow/Ice
D. C. Cook | 02/04/78 | | Snow/Ice
Pilgrim | 10/12/82 | | Salt Spray
San Onofre | 02/24/69 | | High Wind
Brunswick | 09/13/84 | | Hurricane/Wind
Arkansas Nuclear One | 02/22/75 | | Tornado
Arkansas Nuclear One | 04/07/80 | | Tornado
Browns Ferry | 04/03/74 | | Tornado

A similar situation exists with regard to tornado hazards. The expected frequency of tornadoes in the vicinity of the plant was used as a factor to correlate actual losses of offsite power resulting from tornado strikes.

Hurricane and high wind conditions can cause losses of offsite power by blowing debris, falling trees, and other possible modes of falling lines and shorting terminals. Storms are classified as hurricanes when wind speeds sustain 75 mph. The frequency of this wind speed was used as a correlation point to determine the variability of hurricanes and high wind hazards at various locations (sites).

A special subgroup was identified for hurricane and wind losses at plants adjacent to the seacoast or large bodies of salt water. This subgroup was formed in response to experience at the Millstone and Pilgrim sites where high winds associated with storms and hurricanes caused salt buildup on switchyard insulators, which then resulted in arcing and faulting of the switchyard.

By dividing the number of losses of offsite power that have occurred by the cumulative historical weather hazards for each weather type at nuclear power plant sites, an offsite power failure proportionality factor for each weather type was derived. This process can be represented as follows:

$$P_i = \frac{N_i}{\sum_j H_{ij}}$$

where

$P_i$ = the proportionality factor for weather type "i"

$N_i$ = the observed number of offsite power losses as a result of weather type "i"

$H_{ij}$ = the cumulative weather hazard factor for weather type "i" at site "j"

$$H_{ij} = h_{ij}\,\Delta t_j$$

where

$h_{ij}$ = the weather hazard rate for type "i" weather at site "j"

$\Delta t_j$ = the cumulative site years since commercial operation began at site "j"

The expectation frequency of loss of offsite power can then be computed by

$$S_{ij} = P_i\,h_{ij}$$

where $S_{ij}$ is the estimated frequency of loss of offsite power at site "j" for weather type "i", and $P_i$ and $h_{ij}$ are defined as before.

g jg Weather-induced failure proportionality factors were derived using the data from Table A.7 and cumulative weather hazards data for U.S. nuclear power plant sites through 1985.

The weather hazard factors for each site were derived from l

National Weather Service data where available (Batts et al.,1980; National Oceanic and Atmospheric Administration, 1980; Neumann et al., 1985; Shaefer et al., 1985; Simiu et al., 1979) and from site-specific probability calculations performed by the National Severe Storms Forecast Center.

The proportionality i

factors from hurricane /high wind and tornadoes were derived for several sub-groups to account for plant design or location features which may result in variations in the probability of offsite power losses resulting from these weather conditions.

As discussed previously, hurricane and high wind conditions which can induce salt spray to unprotected switchyard components near bodies of salt water were separated from other potential causes of hurricane /high wind induced losses of offsite power (e.g., falling trees and blowing debris).

Since no total losses of offsite power were reported for the latter type of hurricane /high wind condi-tions, the median value of the chi-square for zero failures and two degrees of freedom was used as a bound.

NUREG-1032 A-20

. A tornado hazards loss-of-offsite power proportionality factor was derived for plants with single or closely spaced rights-of-way emanating from the plant and for plants with multiple, divergent rights-of-way.

The data in Table A.7 in-volve lost.es of lines on single rights-of-way or multiple line losses on some but not all rights-of-way.

Therefore, these data were used-to derive the pro-portionality factor for sights with single or closely grouped rights-of-way.

Since no occurrences of tornadoes causing total loss of offsite power at sites with multiple, divergent rights-of-way have been reported, the median value of the zero failure chi-square statistic was used to approximate this proportion-ality factor.
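The proportionality-factor method and the zero-failure bound described above can be worked through as follows. This is an added example, not code from NUREG-1032: the site hazard rates and operating years are constructed sample values, the function names are hypothetical, and the zero-failure case assumes the standard chi-square form in which the observed count is replaced by half the median of a chi-square variable with two degrees of freedom (that is, ln 2).

```python
import math

# A chi-square variable with 2 degrees of freedom is exponential with mean 2,
# so its median is 2*ln(2). Half of it stands in for N_i when N_i = 0.
CHI2_MEDIAN_2DOF = 2.0 * math.log(2.0)

# Constructed sample data (not from the report):
# site -> (hazard rate h_ij in inches of snowfall per year,
#          cumulative site years dt_j since commercial operation)
SNOW_SITES = {
    "Site A": (40.0, 10.0),
    "Site B": (60.0, 20.0),
    "Site C": (20.0, 20.0),
}


def cumulative_hazard(sites):
    """Sum of H_ij = h_ij * dt_j over all sites j for one weather type i."""
    total = 0.0
    for name, (rate, years) in sites.items():
        if rate < 0 or years < 0:
            raise ValueError(f"negative hazard rate or site years for {name}")
        total += rate * years
    return total


def proportionality_factor(n_losses, sites):
    """P_i = N_i / sum_j H_ij, with the zero-failure median bound.

    When no losses have been observed, N_i is replaced by
    chi2_median(2 dof) / 2 = ln(2), giving a median estimate of P_i
    instead of zero (assumed standard form of the bound).
    """
    if n_losses < 0:
        raise ValueError("number of observed losses cannot be negative")
    total_h = cumulative_hazard(sites)
    if total_h <= 0:
        raise ValueError("cumulative weather hazard must be positive")
    effective_n = n_losses if n_losses > 0 else CHI2_MEDIAN_2DOF / 2.0
    return effective_n / total_h


def site_frequencies(n_losses, sites):
    """S_ij = P_i * h_ij: estimated losses per site year at each site."""
    p_i = proportionality_factor(n_losses, sites)
    return {name: p_i * rate for name, (rate, _years) in sites.items()}


def expected_losses(n_losses, sites):
    """Sum of S_ij * dt_j; by construction this reproduces N_i (or ln 2)."""
    freqs = site_frequencies(n_losses, sites)
    return sum(freqs[name] * years for name, (_rate, years) in sites.items())


if __name__ == "__main__":
    for observed in (4, 0):
        p = proportionality_factor(observed, SNOW_SITES)
        print(f"observed losses = {observed}: P = {p:.3e} per inch of snowfall")
        for site, freq in site_frequencies(observed, SNOW_SITES).items():
            print(f"  {site}: {freq:.4f} losses per site year")
```

Summing the site frequencies over the operating years returns the observed count, which is a quick consistency check on any set of hazard data fed into the method.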

On the basis of the analyses described above, the following weather-induced failure proportionality factors were derived:

$P_{S/I} = 1.3 \times 10^{-4}$ for inches of snowfall

$P_{H/W} = 1.2 \times 10^{-2}$ for windspeeds > 75 mph

$P_{SS} = 0.783$ for windspeeds > 50 mph

$P_{T1} = 72.3$ for single rights-of-way or equivalent

$P_{T2} = 12.5$ for multiple divergent rights-of-way

where subscripts S/I = snow/ice, H/W = hurricane/high wind, SS = salt spray, and T1 and T2 refer to tornadoes.

Normally this type of correlation would be supported by a statistical validity test. As pointed out previously, because there have only been a few weather-related losses of offsite power at nuclear plants, the statistical validity could not be ascertained. However, as a test of the reasonableness of this formulation, a plot of cumulative weather hazard factor for each site ($H_i$) versus total cumulative weather hazard factor tabulated for all applicable nuclear plant sites ($\sum H_i$) was made, and the severe weather-related operating experience for both total and major partial loss-of-offsite power events was identified. A comparison was also made of the number of sites falling within subdivisions of the range of cumulative weather hazard factors. This information is provided in Figure A.7, where the number of losses of offsite power followed by a "T" represent total losses of offsite power and those followed by a "P" represent major partial losses of offsite power. Because frequency of loss of offsite power as a result of weather has been assumed to be proportional to the magnitude of weather hazards, the occurrence of weather-related losses of offsite power should favor the sites with the highest cumulative weather hazard. In general it does.

The events identified in Table A.7 are typified by durations of several hours. The failures are somewhat localized, able to be isolated, or repairable with modest effort. Design factors such as transmission line right-of-way separation, structural strength of transmission and switchyard components, insulation from effects of adverse environments, and operational factors related to repair capability or use of alternate, available power sources will impact the likelihood and duration of loss-of-offsite power events of this type. Events of this type will be referred to as severe-weather events throughout this appendix.

[Figure: three histogram panels titled SNOW/ICE, HURRICANE/WIND/SALT SPRAY, and TORNADOES; horizontal axes, cumulative weather hazard factor]

Figure A.7 Weather hazard expectation histograms

None of the events identified in Table A.7 involved tornado or hurricane/high wind conditions that severely damaged structural elements of all transmission and/or switchyard components of sources of offsite power to the plant. Although such an occurrence is rarely expected, many hours or days could be required to repair and restore offsite power.

The frequency of these more extreme weather-related power losses can be estimated by determining the frequency of weather conditions that are severe enough to damage all offsite power sources. The same design factors noted above for the more repairable loss-of-offsite power events will determine the susceptibility, and thus frequency, or hazard rate, of weather conditions that could result in area-wide transmission and/or switchyard failures. Based on the National Electric Safety Code, power plant transmission systems should be designed for wind speeds on the order of 125 mph. High wind speeds could cause extensive power transmission losses, although this will vary, depending on the specific design. Another potential hazard, tornado(es), must strike all rights-of-way or switchyards with sufficient intensity to damage the minimum number of components required to supply offsite power in order to cause a long-duration loss of offsite power. The probability of equipment failure given the occurrence of these extreme weather conditions is assumed to be unity, or nearly so; thus the likelihood of loss of offsite power can be approximated by the frequency of occurrence of the extreme weather condition.

The frequencies of the extreme hurricanes (known as great hurricanes) and high winds are available from National Weather Service data. To estimate the frequency of single or multiple tornado strikes damaging all transmission lines or switchyard components requires modeling of the offsite power transmission line geometry (Anders et al., 1984; Teles et al., 1980) and using site/area data for tornado frequency, intensity, and direction. This type of mechanistic, probabilistic analysis was not performed as part of this work. A simpler approach was used. The frequency of tornadoes of intensity F2 or greater (> 113 mph wind speeds) striking at any point within the site was obtained. Since this frequency for tornado strikes can be considered to occur anywhere at the site, it has been used as the frequency of tornado strikes at the switchyard or transformers. This represents the frequency of losses of offsite power as a result of tornado strikes that require significant repair effort and time. Since tornado strikes crossing all rights-of-way are not included in this simplified approach, the frequencies estimated will under-predict the actual frequency of long-repair-time losses of offsite power as a result of tornado strikes. However, the repairable losses of offsite power resulting from tornado strikes have been included in the overall model previously discussed, using the hazard and proportionality factor approach. And the median repair time of about 4 hours should adequately account for repairable tornado-associated losses in light of the overall uncertainty of the simplified modeling and analyses used.

Events of the types discussed in the preceding two paragraphs are referred to as extreme weather events throughout this appendix. Although the frequency of these extremely severe-weather events could be as high as 0.01 per site year, it will more typically be less than 0.001 per site year.

The time necessary to restore a source of offsite power for weather-related failures will depend on the severity of damage caused by the event. Major structural damage can typically require 8 to 24 hours or longer for repair. Data obtained from the Mid-America Interpool Network (MAIN) and the Mid-Continental Area Power Pool (MAPP) (MAIN, 1983; MAPP, 1983) indicate that it takes on the order of 8 to 12 hours to restore transmission or terminal point outages that resulted from severe weather. For this study, nuclear power plant outage time data for losses of offsite power that resulted from severe weather were used to estimate restoration likelihood for the less-than-catastrophically-damaging weather events. Data for total loss-of-offsite power events were fitted to a two-parameter Weibull distribution and used to generate the restoration likelihood curve shown in Figure A.8. Also shown in Figure A.8 is an example of an "enhanced" recovery curve that can be used to differentiate plants with practicable power restoration procedures for these weather types. The applicability of enhanced recovery shown depends on the capability and procedures to restore power within about 2 hours for a given weather hazard.

An estimate of the total severe-weather-related frequency of loss of offsite power was derived by summing the values for each weather hazard type at all nuclear plant sites. Plant-specific design or procedural details can affect the estimated frequency of weather-related losses of offsite power. Therefore, an attempt was made to derive the range of possibilities rather than to provide site-specific estimates. It should be noted, however, that, because of a lack of data, not all weather hazards could be accounted for at every site. Moreover, some weather data extrapolations were necessary when data from weather stations near a site were not available. The frequency range derived was large, and determining where a particular site/design combination would fall in that range requires evaluation of the site-specific details identified previously. For the purpose of this work, the range was subdivided into groups with approximately a factor of 3 difference in median frequency. The subranges so derived are provided in Table A.8. This partitioning allowed generic evaluation of the effects of severe weather hazard on loss-of-offsite power frequency while at the same time providing a perspective on the potential for plant-specific differences. Figure A.9 shows the severe weather frequency and duration combinations corresponding to the groups defined in Table A.8.

For losses of offsite power caused by extremely severe weather--such as great hurricanes, very high winds (greater than 125 mph), and major damage from tornado strikes to a switchyard--restoration of offsite power was not assumed to occur before 24 hours after the start of the outage. The frequency breakdowns, derived in a manner similar to that for severe weather, are provided in Table A.9. Again it must be noted that a site-specific assessment of the susceptibility to these weather hazards must be performed to determine the site-specific expectation frequency.

GENERIC LOSS-OF-OFFSITE-POWER CORRELATIONS

Combinations of design, grid, and weather factors derived in the previous sections provide a wide spectrum of possibilities for loss-of-offsite power frequency and duration.

Each of these factors was subdivided to account for known or hypothetical but reasonable differences in frequency and duration; typically, a factor of 2 to 5 difference was maintained for these subdivisions.

The intent was to develop a discrete set of frequency and duration groups that would account for actual and potential differences in both design and location (grid and weather) for the spectrum of nuclear power plant sites.

[Figure: restoration probability versus duration (hours, 0.1 to 100), showing the data, the normal recovery curve with its 90% confidence limits, and the enhanced recovery curve.]

Figure A.8 Restoration probability for severe-weather-induced losses of offsite power

Table A.8 Severe-weather-induced loss-of-offsite power frequency/recovery group-duration combination

Frequency of severe-weather-induced loss of offsite power group (S):

Group   Frequency
S1      Less than 1 per 333 site years (0.002)
S2      1/333 to 1/100 site years (0.005)
S3      1/100 to 1/33 site years (0.02)
S4      1/33 to 1/10 site years (0.05)
S5      1/10 to 1/3 site years (0.2)

Recovery from severe-weather-induced loss-of-offsite power group (R):

Group   Recovery capability
R1      Plant has capability and procedures to recover offsite (nonemergency) AC power to the site within 2 hours following a severe-weather-induced loss of offsite power.
R2      All other plants not in R1.

Severe-weather-induced loss-of-offsite power frequency/recovery group (SR):

Group   Frequency group (S)   Recovery group (R)
SR1     S1                    R1
SR2     S2                    R1
SR3     S3                    R1
SR4     S4                    R1
SR5     S5                    R1
SR6     S1                    R2
SR7     S2                    R2
SR8     S3                    R2
SR9     S4                    R2
SR10    S5                    R2

[Figure: frequency versus duration (hours, 0.1 to 10), with curves labeled by SR group. Note: See Table A.8 for definitions of SR1 - SR10.]

Figure A.9 Estimated frequency of occurrence of severe-storm-induced losses of offsite power exceeding specified durations

Table A.9 Extremely severe-weather-induced loss-of-offsite power frequency

Extremely severe-weather-induced loss-of-offsite power frequency group (SS):

Group   Frequency
SS1     Less than 1 per 3333 site years (0.0002/site year)
SS2     ≥ 1 per 3333 site years and < 1 per 1200 site years (0.0005/site year)
SS3     ≥ 1 per 1000 site years and < 1 per 333 site years (0.002/site year)
SS4     ≥ 1 per 333 site years and < 1 per 100 site years (0.005/site year)
SS5     Greater than or equal to 1 per 100 site years (0.02/site year)

The frequency of losses of offsite power lasting duration "t" or longer can be estimated by an appropriate combination of the correlations that were developed in this appendix and can be represented by the following equation:

$$\mathrm{LOP}(t) = I_i(t) + GR_j(t) + SR_k(t) + SS_l$$

where

I_i(t) = the plant-centered loss-of-offsite power frequency correlation, defined in Table A.3 and Figure A.3

GR_j(t) = the grid-related loss-of-offsite power frequency correlation defined in Table A.6 and Figure A.6

SR_k(t) = the severe-weather-related loss-of-offsite power frequency correlation defined in Table A.8 and Figure A.9

SS_l = the extremely severe-weather-related loss-of-offsite power frequency defined in Table A.9

The identification of the I_i factor is the most straightforward because it is based on configuration.

As a first cut, the appropriate GR_j factor can be identified by dividing nuclear sites in the United States into two categories: (1) FPL sites, approximated by GR3, GR4, or GR7, and (2) all other sites representing average frequency expectation of grid failure, approximated by GR1 or GR4.

The SR_k and SS_l factors are not so easily identified because both design specifics and hazard rate must be determined.

It is possible, however, to bracket these factors with a range that can be used to judge importance of station blackout considerations using hazard rates and proportionality factors for severe weather and using the upper range of the estimated failure rate for extreme weather hazards.

A test of the loss-of-offsite power correlations that were developed was made by comparison with plant-specific results from published probabilistic risk assessments (PRAs).

Figures A.10 through A.14 provide these comparisons.

The degree of conformity between the results from the published PRAs and results based on the models developed in this appendix varies.

Reasonable agreement was achieved for Indian Point (with credit for nearby gas turbine generators), Shoreham, and Limerick.

The difference between the Indian Point PRA with credit for nearby gas turbine generators and this model is primarily due to the reliability associated with those power sources.

In the Indian Point PRA, the combined reliability of the two gas turbine generators was on the order of 99%.

In the model developed for this study, a fixed value for alternate offsite power sources of 80% was used.

With regard to the Millstone PRA, the differences are primarily due to the use of data from other sites that do not appear to have the susceptibility to salt spray that the Millstone site has.

In the model developed in this study the operating experience at sites other than Millstone, and to some extent Pilgrim, was not considered to be relevant and thus the two long losses of offsite power at the Millstone site contribute significantly to the estimated occurrence frequency of long-duration outages.

The differences with the Zion PRA results could stem from one of several possibilities: design and procedural factors are more reliable than assumed in the comparison; the Zion PRA results are optimistic; or the models and correlations derived for generic analyses have limitations when applied to some plant-specific cases.

Because of these considerations, a generic analysis must be used with caution in plant-specific applications.

However, the generic models can usually provide good "ball park" results for generic applications and perspectives.

Clearly, the more details available and included in the models regarding design, procedures, alternate power sources, and protection provided from severe weather conditions, the more likely that the generic results will closely equate to plant-specific results.

The development of a more limited number of generic loss-of-offsite power frequency and duration relationships that could be used for regulatory analysis involved the clustering of the site/design factors to determine if combinations of these factors could be grouped into a more limited, but still representative, set.

A set of five cluster groups was derived from the set of site/design possibilities using the Fastclus procedure of the SAS package (SAS Institute, 1979).

To limit the number of cluster groups, the clustering had to be based on loss of offsite power durations of 2 to 8 hours.

Figure A.15 provides a plot of the cluster groups derived from this analysis, and Table A.10 identifies combinations of each of the four factors (GR, I, SR, and SS) included in the nine cluster groups.

For example, a plant with GR1, I1, SR1, and SS2 would be in cluster group 1.

Grid reliability groups were limited to GR1, GR3, GR5, and GR7 to generate the clusters.

Table A.11 provides a tabulation of cluster mean, median, and range values.

[Figure: frequency versus duration (hours, 1.0 to 16.0), comparing the model with the Indian Point PRA (mean and medians), with and without use of nearby gas turbine generators.]

Figure A.10 Estimated frequency of losses of offsite power exceeding specified durations for Indian Point

[Figure: frequency versus duration (hours, 0.5 to 16.0), comparing the model with the Zion PRA (means and medians).]

Figure A.11 Estimated frequency of losses of offsite power exceeding specified durations for Zion

[Figure: frequency versus duration (hours, 1.0 to 16.0), comparing the model with the Shoreham PRA.]

Figure A.12 Estimated frequency of losses of offsite power exceeding specified durations for Shoreham

[Figure: frequency versus duration (hours, 1.0 to 16.0), comparing the model with the Millstone 3 PRA.]

Figure A.13 Estimated frequency of losses of offsite power exceeding specified durations for Millstone 3

[Figure: frequency versus duration (hours, 1.0 to 16.0), comparing the model with the Limerick PRA.]

Figure A.14 Estimated frequency of losses of offsite power exceeding specified durations for Limerick

[Figure: frequency (logarithmic scale, 0.0001 to 1.0) versus duration (hours, 0 to 16), with curves labeled by offsite power cluster.]

Figure A.15 Estimated frequency of occurrence of losses of offsite power exceeding specified durations for nine offsite power clusters

Table A.10 Identification of grid (GR), offsite power system design (I), severe weather (SR), and extremely severe weather (SS) factors included in five cluster groups

Cluster group   I                         GR        SR                        SS
1               1,2                       1,3,5     1,2,6,7                   1,2
                1,2                       1,3,5     1,6                       3
                1,2                       1,3,5     3                         1,2
2               1,2                       1,3,5     8                         1,2,3
                1,2                       1,3,5     4                         1-4
                1,2                       1,3,5     2,3,7                     3,4
                1,2                       1,3,5     1,6                       4
                3                         1,3,5     1,2,6,7                   1-4
                3                         1,3,5     3,8                       1,2
                3                         1,3,5     3                         3,4
                3                         1,3,5     4                         1-4
3               Same as cluster 2 and 1   7         Same as cluster 2 and 1   Same as cluster 2 and 1
4               1,2,3                     1,3,5,7   1-9                       5
                1,2,3                     1,3,5,7   5,9                       1-4
                1,2                       1,3,5,7   8                         4
                3                         1,3,5,7   8                         3,4
5               1,2,3                     1,3,5,7   10                        1-5

Table A.11 Loss-of-offsite power frequency distribution per cluster group

                        Duration (hrs)
Cluster group/value     0        2        4        8        16
Cluster 1:
  Upper Bound           0.1895   0.0102   0.0050   0.0031   0.0022
  Mean                  0.1157   0.0057   0.0027   0.0014   0.0007
  Median                0.0845   0.0052   0.0025   0.0012   0.0005
  Lower Bound           0.0812   0.0013   0.0005   0.0003   0.0002
Cluster 2:
  Upper Bound           0.2240   0.0271   0.0142   0.0077   0.0058
  Mean                  0.1297   0.0144   0.0075   0.0044   0.0027
  Median                0.1040   0.0141   0.0070   0.0043   0.0022
  Lower Bound           0.0812   0.0037   0.0026   0.0007   0.0002
Cluster 3:
  Upper Bound           0.2277   0.0447   0.0232   0.0104   0.0060
  Mean                  0.1892   0.0307   0.0159   0.0063   0.0024
  Median                0.1798   0.0303   0.0153   0.0057   0.0017
  Lower Bound           0.1749   0.0?l8   0.0113   0.0037   0.0006
Cluster 4:
  Upper Bound           0.3927   0.0909   0.0563   0.0340   0.0230
  Mean                  0.2113   0.0447   0.0273   0.0175   0.0126
  Median                0.1978   0.0043   0.0253   0.0186   0.0080
  Lower Bound           0.1010   0.0191   0.0140   0.0065   0.0023
Cluster 5:
  Upper Bound           0.3927   0.1838   0.1242   0.0647   0.0287
  Mean                  0.3306   0.1504   0.1006   0.0477   0.0140
  Median                0.3343   0.1466   0.0970   0.0449   0.0123
  Lower Bound           0.2792   0.1354   0.0909   0.0412   0.0086

Because design, grid, and weather all play a role in the frequency and duration relationship for each cluster, it is difficult to generalize about the dominant factors affecting loss of offsite power.

It is possible to say that the higher frequency at longer duration groups (clusters) are most heavily influenced by weather hazard susceptibility.

The highest frequency and duration correlation developed in this study (cluster 5) is driven by the high occurrence frequency (location) and susceptibility (design) to salt spray at coastal sites.

REFERENCES

Anders, G. J., P. L. Dandeno, and E. E. Neudorf, "Computation of Frequency of Right-of-Way Losses Due to Tornadoes," Paper 84WM0402, IEEE Winter Power Meeting, Dallas, Texas, January 1984.

Batts, M. E., M. R. Cordes, L. R. Russell, J. R. Shaver, and E. Simiu, "Hurricane Wind Speeds in the United States," National Bureau of Standards, BSS 124, May 1980.

Mid-America Interpool Network (MAIN) Transmission Outage Task Force, "Summary of MAIN Transmission Line Performance for the Year 1982, 345 KV and 765 KV," September 1983.

Mid-Continental Area Power Pool (MAPP) Transmission Reliability Task Force, "Mid-Continent Area Power Pool Bulk Transmission System Outage Report (January 1977 - December 1982)," July 1983.

National Oceanic and Atmospheric Administration, Comparative Climatic Data for the United States through 1980, 1980.

Neumann, C. J. N., G. W. Cry, E. L. Caso, and B. R. Jarvinen, "Tropical Cyclone of the North Atlantic Ocean, 1871-1980," National Oceanic and Atmospheric Administration, July 1985.

Power Authority of the State of New York and Consolidated Edison Company of New York (PASNY), "Indian Point Probabilistic Safety Study," 1982.

Shaefer, J. T., D. L. Kelley, and R. F. Abbey, "A Minimum Assumption Tornado Hazard Probability Model," National Oceanic and Atmospheric Administration, Technical Memorandum NWS NSSFC-8, May 1985.

Simiu, E., J. Changery, J. J. Filliben, "Extreme Wind Speeds at 129 Stations in the Contiguous United States," National Bureau of Standards BSS 118, March 1979.

SAS (Statistical Analysis System) Institute, Inc., "SAS Users Guide 1979 Edition," 1979.

Teles, J. E., S. W. Anderson, and G. L. Landgren, "Tornadoes and Transmission Reliability Planning," in Proc. American Power Conference, Vol. 42, 1980.

U.S. Nuclear Regulatory Commission Generic Letter 81-04, "Emergency Procedures and Training for Station Blackout Events," February 25, 1981.

--, NUREG/CR-2434, H. F. Monty, R. J. Beckman, C. R. McIntear, "FRAC (Failure Rate Analysis Code): A Computer Program for Analysis of Variance of Failure Rates," March 1982.

--, NUREG/CR-3992, R. E. Battle, "Collection and Evaluation of Complete and Partial Losses of Offsite Power at Nuclear Power Plants," February 1985.

Wyckoff, H., "Losses of Offsite Power at U.S. Nuclear Power Plants All Years Through 1985," NSAC/103, Electric Power Research Institute, May 1986.

APPENDIX B

EMERGENCY AC POWER RELIABILITY AND STATION BLACKOUT FREQUENCY: MODELING AND ANALYSIS RESULTS

TABLE OF CONTENTS

ELEMENTS OF EMERGENCY AC POWER RELIABILITY MODEL
COMMON CAUSE FAILURE OF THE EMERGENCY AC POWER SYSTEM
EMERGENCY AC POWER RELIABILITY EVALUATION
STATION BLACKOUT FREQUENCY
REFERENCES

LIST OF FIGURES

B.1 Emergency AC Power Unavailability as a Function of Individual EDG Reliability and Common Cause Failure To Start for Three Emergency AC Configurations
B.2 Emergency AC Power Unavailability as a Function of Out-of-Service Unavailability for Three EDG Unreliabilities
B.3 Emergency AC Power Unavailability as a Function of Repair Time for Both Independent EDG Faults and Common Cause Failure To Start
B.4 Estimated Range of Emergency AC Power System Reliability for Different Diesel Generator Configurations
B.5 Sensitivity of Station Blackout Results to Potential Variation in Plant-Centered Loss-of-Offsite-Power Frequency
B.6 Sensitivity of Station Blackout Results to Potential Variation in Grid-Related Loss-of-Offsite-Power Frequency

LIST OF TABLES

B.1 Areas of Potential Common Cause Failure
B.2 Emergency Diesel Generator (EDG) Common Cause Failures
B.3 Common Cause Failure Rate Parameter Estimates

This appendix provides the details and results of emergency AC power system reliability analyses and station blackout frequency/duration estimates.

The models and analysis results were developed to confirm and extend the findings of a previous study (NUREG/CR-2989) and to be used in regulatory analyses.

Modeling has been done at a generic level, but it could be made plant-specific by adjusting failure rate parameters to reflect site location, system design, and operational factors.

The term generic, as used here, is meant to imply that the insights derived are generally applicable to a large number of plants.

Modeling and component failure rate variations are used to account for plant differences in design and operational features that are most important to system reliability.

Sensitivity analyses were used to explore the effect of design and operational differences on system reliability for a realistic spectrum of differences.

ELEMENTS OF EMERGENCY AC POWER RELIABILITY MODEL

The diesel generators--including all the subsystems and the auxiliary systems required to start, load, and run the diesels--are the components that have the highest impact on system reliability.

Specifically the following have been identified as the largest contributors to AC power system availability:

(1) diesel generator configuration
(2) reliability of each diesel generator
(3) vulnerability to common cause failure
(4) support/auxiliary system dependence

In general, the details of the emergency AC power distribution system design from the Class 1E engineered safety feature buses to the safety system components using emergency AC power have not been found to be important contributors to system unreliability.

With this in mind, emergency diesel generators (EDGs), DC power supplies, and service water cooling systems were the principal system elements included in the emergency AC power reliability models.

A relatively high level (super component) modeling approach was used that could account for major differences in equipment configuration and support system dependencies while using support system reliability estimates developed in other studies.

Four generic emergency AC power system designs were selected as roughly representing the spectrum of operating nuclear plant systems.

These systems are described by the number of diesel generators in the system and the number required to maintain core cooling during a loss of offsite power.

These generic systems have been designated 2/3, 1/2, 2/4, and 1/3, indicating the number of diesel generators required per number available.

Some other configurations do exist, but emergency AC power system reliability is generally encompassed and well characterized by the four systems modeled, especially if the variability of failure rates of the major components and auxiliary systems is accounted for.

Configurations with a higher degree of redundancy and/or diversity are the exception, not the rule, in current U.S. designs.

The simplified reliability logic models for the generic configurations were developed from fault trees and insights on what factors are important contributors to AC system reliability.

The simplified logic models are provided below:

$$R_{EAC1/2} = 1 - P_{EAC2/2} = 1 - \left[(P_{EDG})^2 + P_{CCF2/2}\right]$$

$$R_{EAC1/3} = 1 - P_{EAC3/3} = 1 - \left[(P_{EDG})^3 + 3P_{EDG}\,P_{CCF2/3} + P_{CCF3/3}\right]$$

$$R_{EAC2/3} = 1 - P_{EAC2/3} \approx 1 - \left[3(P_{EDG})^2 + 3P_{CCF2/3} + P_{CCF3/3}\right]$$

$$R_{EAC2/4} = 1 - P_{EAC3/4} \approx 1 - \left[4(P_{EDG})^3 + 12P_{EDG}\,P_{CCF2/4} + 6(P_{CCF2/4})^2 + 4P_{CCF3/4} + P_{CCF4/4}\right]$$

Where R_EACi/j is the AC power reliability of an "i" out of "j" diesel generator system, and P_EACi/j is the probability that "i" out of "j" diesels will fail or be unavailable when required, P_EDG is the probability that a single diesel generator will fail or be unavailable when required, and P_CCFi/j is the probability that "i" out of "j" diesel generators will fail and be unavailable as a result of common causes when required.

A more complete logic model can be developed using Markov modeling techniques (Husseing, 1982) when failure and repair rates are exponentially distributed in time.

However, the simplifications inherent to the models used are in keeping with the approach of accounting for dominant factors affecting system reliability.

Both random independent component failures and common cause or dependent failures are included in the model.

Failure mode considerations included hardware faults and human errors for start and run failures, component repair, and component out-of-service time for maintenance. The least detailed level of modeling was at the support systems, which vary considerably in design.

These systems have been modeled in detail in several probabilistic risk assessments (PRAs).

The reliabilities of the support systems were treated as a super component or undeveloped event in the logic models with a failure rate indicative of results from other studies (NUREG/CR-3226).

Failure to run was treated as a constant failure rate process, and emergency diesel generator repair was treated as a constant repair rate process.

With these approximations, the probability that a diesel generator will be unavailable for T_SB hours during a loss of offsite power lasting T_LOP is given by

$$P_{EDG} = P_{FTS}\, e^{-T_{SB}/T_R} + \int_0^{T_{LOP}-T_{SB}} \lambda_{FTR}\, e^{-\lambda_{FTR} t}\, e^{-T_{SB}/T_R}\, dt$$

where T_R is the mean repair time and λ_FTR is the failure-to-run rate.

The failure-to-start probability, P_FTS, includes the standby demand failure likelihood of the emergency diesel generator to start and load, plus the unavailability because of scheduled and unscheduled maintenance, and the probability that auxiliary systems will fail or be unavailable (out of service) at the time of the demand.

Although the second term of the equation can be integrated easily, the integral is maintained for applications relating to estimating station blackout frequency and duration to follow.

The probability of failure to start, load, and run for a time, T_SB, because of common cause failures is developed similarly to that for independent failures.

It is given by:

$$P_{EDGCCF} = P_{CCFTS}\, e^{-T_{SB}/T_{CCFR}} + \int_0^{T_{LOP}-T_{SB}} \lambda_{CCFTR}\, e^{-\lambda_{CCFTR} t}\, e^{-T_{SB}/T_{CCFR}}\, dt$$

Here, P_CCFTS represents the common cause failure-to-start probability, λ_CCFTR represents the common cause failure-to-run rate, and T_CCFR is the associated repair time constant.

For simplicity, the repair rate for auxiliary systems that are required for successful diesel operation has been assumed to be approximately equal to that of the emergency diesel generator.

Double component out-of-service conditions limited by technical specification were eliminated from the final expression through inspection.

However, the possibility of such outages occurring as a result of human errors or simultaneous failures was treated as a common cause unavailability contributor.

Recall that the unreliability of a two diesel generator system was given by

$$P_{EAC2/2} = (P_{EDG})^2 + P_{CCF2/2}$$

where

$$(P_{EDG})^2 = F_1 + F_2 + F_3$$

and where

/I SB R F1 = (PFTS)

I

'A t -(t+TSB)!IR

!In F LOP'ISB FTR

-I SB A

e e

dt F2 = 2PFTS

.o

-t )/T

'A SB R F LOP SB LOP SB FTR 2 -(t +I t

'I

!I I

I

'I

-I

'A t

2 SB i

R FTR 1 F3 - 2e (AFTR)2e e

dt2e dt 1 l

'o t i with "I

!I SB CCFR PCCF2/2 - PCCFTS2/2 *

-I "A

t

-t

!I

[ILOP SB CCFTR2/2 SB R A

e e

dt

+J CCFTR2/2 g

and

$$P_{FTS} = Q_{EDG1} + U_{EDG1} + P_{DC1} + P_{SW1}$$

$$P_{CCFTS} = Q_{CCF2/2} + U_{CCF2/2} + P_{DCCCF} + P_{SWCCF}$$

where Q_EDG1 is the probability of a diesel generator failing on demand, U_EDG1 is the maintenance unavailability of the diesel generator, P_DC1 is the probability of DC power supply failure causing a diesel to fail on demand, and P_SW1 is the probability of a service water system failure causing a diesel generator failure on demand.

Terms with subscript CCF represent common cause failure contributions.

The term (U_EDG1)^2 is not allowed.

It is accounted for in the term U_CCF2/2.

In a similar manner, the correlations for three or four diesel generator systems requiring one or two diesels for success can be derived.

COMMON CAUSE FAILURE OF THE EMERGENCY AC POWER SYSTEM

There has been a concern for years that the reliability of redundant systems may be limited by single point and common causes of failure resulting in simultaneous unavailability of two or more trains.

Several techniques for modeling and quantifying the major contributors and their likelihood have been, and continue to be, developed.

Some of these techniques are aimed at a qualitative evaluation of common cause failure potential (Rasmuson, 1982), while others are primarily used to estimate common cause failure likelihood (Fleming and Raabe, 1978).

Existing techniques have been used in this study to model and quantify common cause failures on a generic level, with sensitivity analyses used to evaluate realistic variations in common cause failure likelihood and the effect on emergency AC power reliability.

Emergency diesel generator operating experience for the years 1976 through 1980 was reviewed and documented in NUREG/CR-2989.

Other reviews [Electric Power Research Institute (EPRI), 1982; NUREG/CR-2099] also show relevant operating experience and analysis of common cause failures of emergency diesel generators.

Based on information from these sources and limited review through 1985 of licensee event reports (LERs) dealing with common cause failures, an updated list and classification of multiple emergency diesel generator failures and outages has been prepared.

When enough information exists, the common cause failures can usually be identified as falling into one of four groups: (1) design/hardware, (2) operations/maintenance, (3) support systems/dependence, and (4) external environment.

A further breakdown of this classification scheme is provided in Table B.1.

The list of common cause failures taken from LERs is in Table B.2.

In NUREG/CR-2989 these were classified somewhat more generally in two broad categories of hardware and human error related failures.

These two categories were then classified more specifically into generic and plant-specific design groups and into generic human error or plant procedure-specific human error.

Table B.1 Areas of potential common cause failure

Common cause failure group     Types of potential failures
Design/hardware                Mechanical/structural design inadequacy
                               Subsystems (fuel, cooling, start, actuation)
                               Environment (normal)
Operations/maintenance         Inadequate procedures
                               Errors of omission/commission
                               Wrong procedure
Support/dependence systems     DC control power
                               Service water cooling
                               EDG room heating, ventilation, and air conditioning
                               Electrical interface
External                       Fire
                               Flood
                               Severe weather
                               Seismic
                               Other internal environmental extremes

Table B.2 Emergency diesel generator (EDG) common cause failures

Plant               Date of event         LER number        Description of event
ANO                 08/27/73, 09/11/79    79-016, 79-017    Water in lube oil caused failure of two EDGs 2 weeks apart.
Arnold              05/10/77, 05/12/77    77-037, 77-043    Maintenance caused control system failures on both EDGs within 2 days.
Browns Ferry 1, 2   05/06/81, 05/06/81    81-019, 81-020    Left bank air start motors failed to start three EDGs.
Browns Ferry 3      01/03/84              84-001            Clam shell movement on overchlorination failed emergency service water (ESW) coolers and three of four EDGs.
Brunswick 1, 2      01/04/77              77-001            Low lube oil pressure tripped two of four EDGs after starting.
Crystal River 3     01/04/79                                Low ambient room temperature (28 F) failed both EDGs.
Dresden 3           10/23/81              81-033            ESW check valve failures caused two of the three EDGs to trip on high temperature.
Farley 1            09/13/77, 09/16/77    77-026, 77-027    Dirty air start circuit failed two EDGs within 3 days.
Farley 1, 2         09/18/81, 09/27/81    81-043, 81-067    Scored cylinder linings failed two EDGs 9 days apart.
FitzPatrick         02/07/85              85-003            ESW pump trip failed two EDGs.
Millstone 2         05/15/77              77-020            Both EDG fuel supply valves found closed.
North Anna 2        02/18/81              81-020            Batteries failed surveillance test, caused both EDGs to be inoperable.
North Anna 2        12/09/84              84-013            Damaged cylinders and high crankcase pressure failed both EDGs, caused unit shutdown.
Peach Bottom        06/13/77              77-026            Air-start compressor trip caused two EDGs to fail while another was unavailable.
Quad Cities         05/01/77                                Improper ESW valve lineup degraded three EDGs.
Salem 1             07/30/77              77-059            Fuel rack lubrication leak and subsequent linkage binding caused failure of two EDGs.
Salem 1             10/08/80              80-060            All three EDGs failed to start because of a misaligned service water valve. Operator disabled service water from train 2 while train 1 was down for maintenance.
Sequoyah 1, 2       08/09/80              80-140            Operator error caused relay coils to fail on all EDGs.
Susquehanna         01/21/85              85-002            Low ambient room temperature failed two EDGs.
Vermont Yankee      10/22/84              84-022            Failed Zener diodes caused all EDGs to lock out.
WNP-2               07/09/84              84-008            Slip ring and bearing design weakness caused failure of two EDGs.
Yankee Rowe         08/02/77              77-042            Sludge plugged cooling water radiator tubes caused failure of two EDGs.

* Reported in PLG-400, Pickard, Lowe and Garrick Inc.

Common cause failure rates were estimated in NUREG/CR-2989 using the binomial failure rate (BFR) computer code (NUREG/CR-2729).

The estimated common cause failure rates varied by about an order of magnitude depending on plant design and procedural dependencies.

If individual emergency diesel generator reliability is maintained at or above industry average levels, common cause failure contributed on the order of one-half the system unavailability for the less redundant configurations and most of the unavailability for the more redundant designs, especially when demand failure rates are low (<0.03).

At lower reliability levels, independent diesel generator failures are the major contributor to the unavailability of the onsite AC power system.

A technique that has been used to estimate the likelihood of emergency diesel generator common cause failure is the beta factor method (Fleming, 1975) and its extension known as the multiple Greek letter (MGL) method (Fleming and Kalinowski, 1983).

This method was used to estimate common cause failure rates from the updated LER review.

Table B.3 provides the MGL parameter estimates and common cause failure rate estimates that were derived by the MGL method.

It also compares these estimates with "generic" rates derived in NUREG/CR-2989 using the BFR method.

Differences result more from data classification than from analytical method.

NUREG-1032 B-7

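Table B.3 Common cause failure rate parameter estimates

| Configuration and quantity | Results of MGL method* | BFR method |
|---|---|---|
| 2 EDG configuration: $\beta = 0.035$ | | |
| $P_{CCFTS}(2/2)$ | $5.7 \times 10^{-4}$ | $7.1 \times 10^{-4}$ |
| $P_{CCFTR}(2/2)$ | $1.0 \times 10^{-4}$/hr | |
| 3 EDG configuration: $\beta = 0.087$, $\gamma = 0.351$ | | |
| $P_{CCFTS}(2/3)$ | $4.62 \times 10^{-4}$ | $5.6 \times 10^{-4}$ |
| $P_{CCFTS}(3/3)$ | $5.00 \times 10^{-4}$ | $1.8 \times 10^{-4}$ |
| $P_{CCFTR}(2/3)$ | $8.19 \times 10^{-5}$/hr | |
| $P_{CCFTR}(3/3)$ | $8.85 \times 10^{-5}$/hr | |
| 4 EDG configuration: $\beta = 0.147$, $\gamma = 0.528$, $\delta = 0.505$ | | |
| $P_{CCFTS}(2/4)$ | $3.79 \times 10^{-4}$ | |
| $P_{CCFTS}(3/4)$ | $2.10 \times 10^{-4}$ | |
| $P_{CCFTS}(4/4)$ | $6.43 \times 10^{-4}$ | |
| $P_{CCFTR}(2/4)$ | $6.71 \times 10^{-5}$ | |
| $P_{CCFTR}(3/4)$ | $3.71 \times 10^{-5}$ | |
| $P_{CCFTR}(4/4)$ | $1.14 \times 10^{-4}$ | |

*The following equations were used to perform the above calculations:

$$P_{CCF}(2/2) = \beta Q$$

$$P_{CCF}(2/3) = \frac{(1-\gamma)\,\beta Q}{2} \qquad P_{CCF}(3/3) = \gamma \beta Q$$

$$P_{CCF}(2/4) = \frac{(1-\gamma)\,\beta Q}{3} \qquad P_{CCF}(3/4) = \frac{(1-\delta)\,\gamma \beta Q}{3} \qquad P_{CCF}(4/4) = \delta \gamma \beta Q$$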
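Added example, not part of NUREG-1032: the six MGL equations under Table B.3 written as a function and checked against the table's own entries. The per-diesel total failure probability or rate Q is not printed with the table, so the code back-solves it from each all-fail entry (an assumption of this example); the 1-of-2 share uses the simplification that system failure to start is Q^2 plus P_CCFTS(2/2), ignoring failure to run and maintenance outage.

```python
"""MGL common cause split checked against Table B.3 (added example)."""

# Table B.3 values as printed: MGL parameters (beta, gamma, delta) and the
# common cause failure probabilities (fts, per demand) and rates (ftr, per
# hour) for k of n emergency diesel generators (EDGs).
TABLE_B3 = {
    2: {"mgl": (0.035,),
        "fts": {2: 5.7e-4},
        "ftr": {2: 1.0e-4}},
    3: {"mgl": (0.087, 0.351),
        "fts": {2: 4.62e-4, 3: 5.00e-4},
        "ftr": {2: 8.19e-5, 3: 8.85e-5}},
    4: {"mgl": (0.147, 0.528, 0.505),
        "fts": {2: 3.79e-4, 3: 2.10e-4, 4: 6.43e-4},
        "ftr": {2: 6.71e-5, 3: 3.71e-5, 4: 1.14e-4}},
}


def mgl_ccf(n_edg, q, params):
    """Return {k: P_CCF(k/n)} using the equations listed under Table B.3.

    q      -- per-diesel total failure probability (or rate per hour)
    params -- (beta,), (beta, gamma) or (beta, gamma, delta) for n = 2, 3, 4
    """
    if n_edg not in (2, 3, 4) or len(params) != n_edg - 1:
        raise ValueError("need n-1 MGL parameters for n = 2, 3 or 4 EDGs")
    if q < 0 or not all(0.0 <= p <= 1.0 for p in params):
        raise ValueError("q must be >= 0 and MGL parameters within [0, 1]")
    beta = params[0]
    if n_edg == 2:
        return {2: beta * q}
    gamma = params[1]
    if n_edg == 3:
        return {2: (1 - gamma) * beta * q / 2,
                3: gamma * beta * q}
    delta = params[2]
    return {2: (1 - gamma) * beta * q / 3,
            3: (1 - delta) * gamma * beta * q / 3,
            4: delta * gamma * beta * q}


def implied_q(n_edg, mode):
    """Back-solve Q from the all-fail entry: Q = P(n/n) / (beta*gamma*delta).

    This is an assumption of the example; the table does not print Q.
    """
    product = 1.0
    for p in TABLE_B3[n_edg]["mgl"]:
        product *= p
    return TABLE_B3[n_edg][mode][n_edg] / product


def table_residuals():
    """Relative error of each printed entry versus the MGL prediction."""
    out = {}
    for n_edg, row in TABLE_B3.items():
        for mode in ("fts", "ftr"):
            predicted = mgl_ccf(n_edg, implied_q(n_edg, mode), row["mgl"])
            for k, printed in row[mode].items():
                out[(n_edg, mode, k)] = abs(predicted[k] - printed) / printed
    return out


def ccf_share_one_of_two(q_fts):
    """Common cause share of failure to start for a 1-of-2 system.

    Simplified model (assumption): both diesels fail independently (q^2)
    or together from a common cause (printed 2/2 value, held constant).
    """
    ccf = TABLE_B3[2]["fts"][2]
    return ccf / (q_fts ** 2 + ccf)


if __name__ == "__main__":
    for n in (2, 3, 4):
        print(n, "EDG: implied Q (start) = %.4f, implied rate (run) = %.5f/hr"
              % (implied_q(n, "fts"), implied_q(n, "ftr")))
    print("largest table residual: %.2f%%"
          % (100 * max(table_residuals().values())))
    for q in (0.005, 0.02, 0.08):  # low, average, high values from the text
        print("Q = %.3f -> common cause share %.0f%%"
              % (q, 100 * ccf_share_one_of_two(q)))
```

Every partial-failure entry in the table is reproduced to within rounding from the all-fail entry of the same configuration, which supports reading the garbled symbols as beta, gamma and delta.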


EMERGENCY AC POWER RELIABILITY EVALUATION

The reliability estimates for the generic emergency AC power systems were derived for instantaneous availability on demand and mission reliability.

(The latter is the likelihood that emergency AC power will be available for a specified mission length, such as the duration of a loss-of-offsite power event or for the duration of a test.) System reliability analysis parameters were selected to represent the average of the operating reactor population as well as the variations within that population.

The population average and ranges for the system reliability analysis parameters are described below.

(1) Emergency Diesel Generator Failure To Start

Based on data reported in NUREG/CR-2989 and NSAC/108 (Wyckoff, 1986), the failure rate can vary considerably from plant to plant.

The following probability of failure/demand rates have been identified:

Average 0.02
High 0.08
Low 0.005

(2) Emergency Diesel Generator Failure To Run

A constant failure rate of 0.0024 per hour was estimated in NUREG/CR-2989, while more recent data obtained from NSAC/108 and a review of LERs from 1983 through 1985 resulted in a revised estimate of 0.0032 per hour.

For the period 1976 through 1985 the average was 0.0028 per hour.

A range of 0.001 to 0.01 is reasonably representative of other published estimates (EPRI, 1982).

(3) Emergency Diesel Generator Repair Time

Approximately 50% of all diesel generator failures reported in NUREG/CR-2989 were repaired within 8 hours.

If two diesel generators failed as a result of independent causes and operators could diagnose the problems to select the quickest possible repair, in 50% of these cases, one of two diesel generators would be repaired in approximately 4 hours.

These two cases have been used as representative of the repair rate.

(4) Common Cause Failure

Common cause failure rates were obtained from NUREG/CR-2989 for diesel generator hardware and human-error-related causes; however, only failure-to-start estimates were made in that study.

Subsequently, the MGL method has been used to estimate generic common cause failure rates for both failure to start and failure to run.

Human errors causing a simultaneous out-of-service state for two or more diesel generators were included in estimates of failure to start. The MGL estimates are consistent with the generic estimates made in NUREG/CR-2989.

The common cause failure rates for support systems, such as DC power, service water, and component cooling water, were obtained from NUREG/CR-3226.

(5) Common Cause Failure Repair Rates for Components and Subsystems

When the inadvertent removal from service of more than two diesel generators is excluded, the failure mode and repair rates appear similar to those for independent failure causes.

In this case, however, the same repair time could be expected for both units.

For inadvertent removal from service, repair (or restoration) can be accomplished usually in less than 1 hour and many times even more promptly (within minutes).

Repair rates for hardware failure and maintenance outages have been based on median repair times of 2 to 8 hours.

The effect of system reliability parameter variations covering the realistic range was analyzed to determine the sensitivity within the generic models and the variability that is possible in plant-specific cases.

The first sensitivity analysis shown in Figure B.1 includes the effect of a mission time of 8 hours for various emergency diesel generator starting reliability values and for variations in common cause failure rates by a factor of 3.

These results show that starting reliability of individual emergency diesel generators is most important when lower-than-average diesel generator performance exists or when system configurations represent nominal redundancy (e.g., 2/3 and 1/2).

Common cause failures dominate system failure probability when individual diesel generator reliability levels are above average or when a higher level of redundancy (2/4 and 1/3) is introduced.

Figure B.2 shows the sensitivity of emergency AC power system unavailability as a function of individual diesel unavailability.

This unavailability is due to out-of-service time for normal maintenance and for repairs necessary to fix incipient, degraded, or catastrophic failures of diesel generators which are detected by surveillance or other activities during normal plant operations.

Only when the diesel generator out-of-service unavailability approaches or exceeds the starting failure rate does a significant effect on system unavailability become apparent.

Figure B.3 shows the AC power system unavailability variation as a function of diesel generator repair time for a mission time of 8 hours.

This repair time represents the time it would take to repair 50% of all diesel generator failures during an actual demand situation assuming an exponential rate of repair.

Also it has been assumed that sufficient resources and expertise are available to ensure selection of the diesel generator which can be repaired most quickly.

The most significant effect on system unavailability is due to variations in common cause failure repair times, especially where common cause failures are the dominant contributor to system unavailability (e.g., 1/3 system configuration).

The last sensitivity analysis performed is shown in Figure B.4.

In this case the potential range of unavailability for emergency AC power systems was estimated by using combinations of above and below average reliability performance parameters discussed previously in this appendix.

Not surprisingly, the range is large, especially for the more redundant configurations.

[Plot. X-axis: EDG reliability. Curves: common cause failure to start at 3x base value, base value, and 1/3x base value, by EDG configuration.]

Figure B.1 Emergency AC power unavailability as a function of individual EDG reliability and common cause failure to start for three emergency AC configurations

[Plot. X-axis: out-of-service unavailability. Curves: EDG unreliabilities of 0.05, 0.025, and 0.01, for the 1/2 and 1/3 configurations.]

Figure B.2 Emergency AC power unavailability as a function of out-of-service unavailability for three EDG unreliabilities

[Plot. X-axis: repair time for independent EDG faults (hours). Curves labeled 2 hrs, 4 hrs, and 8 hrs, by configuration. Plot notes: duration of loss of offsite power is 8 hours; duration of station blackout is 4 hours.]

Figure B.3 Emergency AC power unavailability as a function of repair time for both independent EDG faults and common cause failure to start

[Plot. X-axis: diesel generator configuration, (2 of 3), (1 of 2), (2 of 4), (1 of 3). Ranges shown for high, base, and low values of the diesel generator reliability parameters.]

Figure B.4 Estimated range of emergency AC power system reliability for different diesel generator configurations

STATION BLACKOUT FREQUENCY

Station blackout has been defined as the loss of all AC power supplies from both offsite and safety-related sources.

Also, a station blackout must exist for sufficient time to incur core damage and result in containment failure if the sequence is to be of risk significance.

Therefore, station blackout models incorporate duration as a parameter in frequency estimates.

Although in some instances it is possible to have a station blackout initiated by failure of, or operational efforts associated with, DC control power, this type of event is more rare than the station blackout sequence beginning with loss of offsite power and followed by failure of the safety-related AC power supplies.

DC power reliability is the subject of another generic safety issue, designated A-30, "Adequacy of Safety-Related DC Power Supplies."

Station blackout frequency estimates can be made by combining the loss-of-offsite power models developed in Appendix A with the emergency AC power reliability models of this appendix.

The loss-of-offsite power frequency and duration correlations were derived in Appendix A.

In the derivations that follow, let $\lambda_{LOP}(t)$ represent a loss-of-offsite power frequency correlation.

The frequency of a station blackout is derived by combining the loss-of-offsite power duration (repair) frequency with the rate of emergency AC power system failures of duration $\tau_{SB}$ over the time period of interest for which a loss of offsite and emergency AC power can occur.

This is the same general approach that has been taken in other studies [Evans and Parry, 1983; Power Authority of the State of New York (PASNY), 1982] to estimate the frequency of total losses of offsite and emergency AC power for risk analysis.

For the 1/2 emergency diesel generator configuration, the equation for the frequency of a station blackout lasting $\tau_{SB}$ or longer can be written as

^SB1/2(ISB)

  • ALOP(ISB)(PFTS) 1

+ALOP(tSB) PCCFTS2/2 *

!I t

I t %

SB R

SB R f LOP SB TR ALOP(t+tSB) AFTRe e

dt

+ 2P e

FTS Jo

-t )/T

-t

!I 3 LOP'ISB ? LOP-I

'A SB R SB FTR 2 -(t +T t

2 SB i

R

+ 2e A

e e

dt2 FTR

'o t 1 A

t FTR 1 ALOP(t ) AFTR

  • i

'A t

t I

[ILOP'ISb CCFTR2/2 SB CCFR e

e dt

+

ALOP(t*ISB) ACCFTR2/2

In a similar manner, the station blackout frequency equations for three and four diesel generator systems requiring one or two diesels for success can be derived.

Analyses have been performed to estimate the sensitivity of station blackout frequencies and durations to various site characteristics.

The loss-of-offsite-power cluster correlations developed in Appendix A were combined with the emergency AC power system reliability models using nominal values for emergency diesel generator failure to start and run, repair, and common cause failure rates.

Results are in the main report in Figures 5.1, 5.2, and 5.3.

Additional analyses were performed to determine the sensitivity of station blackout results to potential variations in plant-centered loss-of-offsite-power frequency.

Cluster correlations 2 and 4 (see Appendix A of this report) were selected.

The plant-centered loss-of-offsite power frequency was varied from a high value of 0.15 to a low value of 0.04.

This represents a reasonable variation in the plant-centered frequency based on actual operating experience.

Figure B.5 provides the results of these analyses.

This figure shows that modest variations (factor of 2) in the plant-centered loss-of-offsite power frequency will have essentially no noticeable effect on results at sites dominated by weather-induced losses of offsite power (cluster 4).

Only a small effect would be noticeable at sites which have a more typical blend of failure causes (cluster 2), and that effect is only noticeable for short duration blackouts.

Thus potential variations in plant-centered loss-of-offsite power frequency will generally result in small changes in station blackout results when typical or more substantial contributions from grid and particularly weather exist.

Another sensitivity analysis was performed to estimate the impact of variations in grid reliability and restoration capability.

For cluster 4, grid loss frequencies of 0.01 and 0.1 per year were analyzed with enhanced recovery (see Appendix A).

For cluster 2, the same frequencies were analyzed but this time with normal recovery.

The results are shown in Figure B.6.

Potential variations in grid-related loss-of-offsite power frequency have a small effect on the station blackout frequency and duration in most cases where typical or more substantial contributions from plant-centered and particularly weather exist.

[Plot. X-axis: station blackout duration (hours), 0 to 16. Curves by plant-centered LOP frequency (events/year) and offsite power cluster.]

Figure B.5 Sensitivity of station blackout results to potential variation in plant-centered loss-of-offsite power frequency

[Plot. X-axis: duration (hours), 0 to 16. Curves by grid reliability group, G3 (0.1 events/site-yr) and G1 (0.01 events/site-yr), and offsite power cluster.]

Figure B.6 Sensitivity of station blackout results to potential variation in grid-related loss-of-offsite power frequency

REFERENCES

Electric Power Research Institute (EPRI), "Diesel Generator Reliability at Nuclear Power Plants: Data and Preliminary Analysis," EPRI NP-2433, June 1982.

Evans, M. G. K., and G. W. Parry, "Quantification of the Contribution to Light Water Reactor Core Melt Frequency of Loss of Offsite Power," in Reliability Engineering, 6:43-45, 1983.

Fleming, K. N., "A Reliability Model for Redundant Safety Systems," in Proceedings on the Sixth Annual Pittsburgh Conference on Modeling and Simulation, April 24, 1975.

Fleming, K. N., and A. M. Kalinowski, "An Extension of the Beta Factor Method to Systems with High Levels of Redundancy," Pickard, Lowe and Garrick, Inc., PLG-0289, June 1983.

Fleming, K. N., and P. H. Raabe, "A Comparison of Three Methods for Quantitative Analysis of Common Cause Failures," U.S. Department of Energy Report GA-A-14568, General Atomic Company, National Technical Information Service, May 1978.

Husseing, A. A., et al., "Unavailability of Redundant Diesel Generators in Nuclear Power Plants," in Reliability Engineering, 3:109-169, 1982.

Pickard, Lowe and Garrick, Inc., PLG-400, "Classification and Analysis of Reactor Operating Experience Involving Dependent Event," prepared for Electric Power Research Institute, Palo Alto, California, February 1985.

Power Authority of the State of New York (PASNY) and Consolidated Edison Company of New York, "Indian Point Probabilistic Safety Study," 1982.

Rasmuson, D. M., et al., "Use of COMCAN III in System Design and Reliability Analysis," EG&G Idaho, Inc., EGG-2187, October 1982.

U.S. Nuclear Regulatory Commission, NUREG/CR-2099, J. A. Steverson and C. L. Atwood, "Common Cause Failure Rate Estimates for Diesel Generators in Nuclear Power Plants," June 1982.

--, NUREG/CR-2729, C. L. Atwood and W. J. Suitt, "User's Guide to BFR, a Computer Code Based on the Binomial Failure Rate Common-Cause Model," February 1983.

--, NUREG/CR-2989, R. E. Battle and D. J. Campbell, "Reliability of Emergency AC Power Systems at Nuclear Power Plants," July 1983.

--, NUREG/CR-3226, A. M. Kolaczkowski and A. C. Payne, Jr., "Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44)," May 1983.

Wyckoff, H., "The Reliability of Emergency Diesel Generators at U.S. Nuclear Power Plants," NSAC/108, Electric Power Research Institute, September 1986.

APPENDIX C

STATION BLACKOUT CORE DAMAGE LIKELIHOOD AND RISK

TABLE OF CONTENTS

STATION BLACKOUT CORE DAMAGE LIKELIHOOD
STATION BLACKOUT RISK
REFERENCES

LIST OF TABLES

C.1 Summary of potentially dominant core damage accident sequences
C.2 Decay heat removal failure probability for loss of core cooling early during station blackout
C.3 Estimated frequency of early core cooling failure during station blackout, per reactor year
C.4 Tabulated estimated values of total core damage frequency for station blackout accidents as a function of emergency diesel generator configuration, EDG unreliability, offsite power cluster, and ability to cope with station blackout
C.5 Comparison of results with NUREG/CR-3226

APPENDIX C

STATION BLACKOUT CORE DAMAGE LIKELIHOOD AND RISK

This appendix provides a description of the simplified method used to estimate station blackout core damage likelihood, and risks from station blackout transients.

The models and results are generic in nature and intended for use in regulatory analyses.

The station blackout frequency estimation models described in Appendix B of this report were integrated into sequences involving failure of decay heat removal systems with AC power unavailable, thus allowing the estimation of the frequency of core damage as a result of station blackout events.

When core damage proceeds to core melt and containment failure, fission products may be released to the environs, causing risk to public health and safety.

The likelihood of station blackout transients involving core damage and the dominant accident sequences have been identified by Kolaczkowski and Payne in NUREG/CR-3226, using event tree and fault tree analyses of several typical plant designs.

However, the variability of station blackout frequency and duration was not evaluated systematically as part of that work.

In this appendix, the station blackout models have been combined with the decay heat removal and core cooling failure sequences to obtain a more complete evaluation of the sensitivity of station blackout core damage likelihood and risk estimates to variations in plant design.

STATION BLACKOUT CORE DAMAGE LIKELIHOOD

The dominant station blackout sequences are provided in Table C.1.

Both pressurized water reactors (PWRs) and boiling water reactors (BWRs) have sequences that involve early core cooling failure (essentially on demand) and time-dependent failures related to capacity, capability, and transient phenomenological conditions associated with a loss of all AC power.

For the dominant accident sequences, the core damage times have been characterized as falling into two groups: (1) a core damage time of 1 to 2 hours for the early core cooling failure types of sequences or (2) core damage in the 2-to-16-hour range for the sequences involving capability and capacity limitations causing loss of core cooling during extended blackouts.

Sequences involving longer duration blackouts than these have not been found to be nearly as important.

Thermal hydraulic analyses have been performed to determine event timing for both types of sequences (Fletcher, 1981; Schultz and Wagoner, 1982).

In general, it has been estimated that it will take between 1 and 2 hours to uncover the reactor core following a station blackout and loss of all core cooling, and perhaps another 1 to 2 hours for the reactor core to melt and penetrate the reactor vessel after the core is uncovered.

If decay heat removal is initially successful during station blackout and then is lost several hours into the transient because of design limitations, the time to core uncovery and melt will be somewhat extended as a result of lower primary coolant temperatures and reduced decay heat levels.

Table C.1 Summary of potentially dominant core damage accident sequences

| Generic plant type | Sequence | DHR system/component contributors | AC recovery time to avoid core damage (hr) |
|---|---|---|---|
| PWR (all) | $TML_1B_1$ | Steam-driven AFWS unavailable | 1 to 2 |
| | $TML_2B_2$ | DC power or condensate exhausted | 4 to 16 |
| | $TMQ_2B_2$ | RCS pump seal leak | 4 to 16 |
| BWR w/isolation condenser | $TMU_1B_1$ | Isolation condenser unavailable | 1 to 2 |
| | $TMQ_1B_1$ | Stuck open relief valve | 1 to 2 |
| | $TMQ_2B_2$ | RCS pump seal leak | 4 to 16 |
| BWR w/HPCI-RCIC | $TMU_1B_1$ | HPCI/RCIC unavailable | 1 to 2 |
| | $TMU_2B_2$ | DC power or condensate exhausted, component operability limits exceeded (HPCI/RCIC) | 4 to 16 |
| BWR w/HPCS-RCIC | $TMU_1B_1$ | HPCS/RCIC unavailable | 1 to 2 |
| | $TMU_2B_2$ | HPCS unavailable, DC power or condensate exhausted, component operability limits exceeded (RCIC) | 4 to 16 |

Notes:

DHR = decay heat removal
AFWS = auxiliary feedwater system
RCS = reactor coolant system
HPCS = high pressure core spray
RCIC = reactor core isolation cooling
HPCI = high pressure coolant injection

The dominant accident sequences were modeled as either an early core cooling failure or as a subsequent loss of core cooling.

In the former case, the likelihood of the accident sequence is given by the probability of a station blackout combined with the probability of failure to maintain adequate core cooling and decay heat removal by AC-independent means long enough to cause core damage.

For PWRs and BWR-2 and -3 plants that do not have a makeup capability independent of AC power, there are two paths to inadequate core cooling early during the station blackout.

The first involves failure of the turbine-driven train of the auxiliary feedwater system (AFWS) in PWRs or failure of the isolation condenser in BWR-2 and -3 plants.

Because neither of these reactor types has a makeup capability independent of AC power, the core will be uncovered early by a major loss of reactor coolant system (RCS) integrity such as a stuck open relief valve or gross failure of reactor coolant pump seals, either of which could result in leak rates upwards of several hundred gpm.

BWRs with reactor core isolation cooling (RCIC) systems, steam turbine-driven high pressure coolant injection (HPCI) systems, or high pressure core spray (HPCS) systems with a dedicated diesel generator can cool the reactor core and have the potential to make up losses of coolant equal to or greater than those identified above.

The latter type of sequence was modeled as the likelihood of a station blackout of a duration sufficient to exceed core cooling systems capabilities and allow core damage to occur.

If decay heat removal is initially successful, if reactor coolant leakage rates do not exceed makeup capability, and if primary coolant inventory requirements are met, operators should be able to establish a relatively stable decay heat removal mode.

However, decay heat removal capability during longer blackouts may be limited by the capacity of support systems such as DC power or compressed air, by reactor coolant leakage when makeup is unavailable or insufficient, or by thermal limitations on component operability as a result of the loss of heating, ventilation, and air conditioning systems.

In light of the above discussion, the general form of the core damage accident likelihood equation considering both early phase and longer term decay heat removal failure is as follows:

$$P_{SBCD} = P_{SB}(t_1)\,(P_{DHR/SB} + P_{LOCA/SB}) + P_{SB}(t_2) \qquad (1)$$

where $P_{SBCD}$ is the probability of core damage due to station blackout, $P_{SB}(t_1)$ is the probability of a station blackout of duration $t_1$, and $t_1$ is a time sufficient for core damage to occur if all decay heat removal capability is lost at the onset of a station blackout.

$P_{DHR/SB}$ is the probability of decay heat removal failure on demand given station blackout.

$P_{LOCA/SB}$ is the probability of a station-blackout-induced loss of reactor coolant integrity that would cause an early core cooling loss.

$P_{SB}(t_2)$ is the probability of a station blackout of duration $t_2$, where $t_2$ is a time sufficient for core damage to occur because decay heat removal capability limits are exceeded during an extended duration station blackout.

In terms of the notation used to describe the dominant accident sequences for the various types of light water reactors (LWRs) identified in Table C.1, the equation can be written as follows:

for PWRs:

$$P_{SBCD} = TMB_1\,(L_1 + Q_1) + TMB_2 \qquad (2)$$

for BWR 2/3s:

$$P_{SBCD} = TMB_1\,(U_1 + Q_1) + TMB_2 \qquad (3)$$

for BWR 4/5/6s:

$$P_{SBCD} = TMB_1\,U_1 + TMB_2 \qquad (4)$$

The probabilities for $(L_2 + Q_2)$, $(U_2 + Q_2)$, and $U_2$ have been set equal to 1.0, because the time of $B_2$ was selected to represent loss of decay heat removal capability as a result of design limitations.

The probability contribution to $Q_1$ from reactor coolant pump seals degradation during station blackout is not well known.

Based on material reviewed in NUREG/CR-3226, the impact of reactor coolant pump seal leakage was assumed to represent a potential limit on the $TMB_2$ type of sequences.

The $TMB_1$ portion of equations 2, 3 and 4 above can be estimated from the first term failure-to-start portion of the station blackout equations in Appendix B of this report. The $TMB_2$ term of these equations can be estimated from the complete station blackout equations in Appendix B.

Probability estimates for $L_1$, $U_1$ and $Q_1$ were derived from NUREG/CR-3226 and are summarized in Table C.2.

Table C.2 Decay heat removal failure probability for loss of core cooling early during station blackout

| System/train/component | Probability of failure |
|---|---|
| Auxiliary feedwater systems: 1 steam turbine-driven train | 0.04 |
| Auxiliary feedwater systems: 2 steam turbine-driven trains | 0.002 |
| Isolation condenser | 0.01 |
| Stuck-open safety relief valve (BWR) | 0.025 |
| HPCI/RCIC | 0.005 |
| HPCS/RCIC | 0.001 |

Estimated values of the early loss of core cooling term of equations 2, 3, and 4 are provided in Table C.3.

This table shows the sensitivity of the estimated frequency of early core cooling failure during station blackout on loss-of-offsite power characteristics (clusters 1 through 5), emergency AC power unreliability (EDGR, i.e., failures per demand) and decay heat removal unreliability (DHR).

The second term estimates of equations 2, 3, and 4 are the same as the station blackout frequency and duration assessments provided previously, given that $t_2$ is defined.

Because the capability limitations vary from plant to plant, so will $t_2$.

Some example estimates for the total core damage frequencies given capability limitations which equate to station blackout durations of 2, 4, 8, and 16 hours are provided in Table C.4.

These estimates include the early core cooling failure frequencies from Table C.3.

The results in Tables C.3 and C.4 show that the frequency and duration probabilities of offsite power failures, emergency AC power configuration, and reliability of the diesels are the most important factors in limiting the likelihood of core damage.

These results also show that the likelihood of significant core damage may exist at some plants if the capability to cope with station blackout of modest durations (2 to 8 hours) does not exist.

Moreover, the results show that the demand reliability of AC-independent decay heat removal systems is important, but it is not the most dominant factor in limiting the likelihood of core damage for station blackout.

Table C.3 Estimated frequency of early core cooling failure during station blackout, per reactor year

Columns 1 through 5 are offsite power clusters.

1/2 EDG configuration

| DHR | EDGR | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| 0.05 | 0.1 | 2.5E-6 | 8.0E-6 | 1.9E-5 | 3.0E-5 | 9.0E-5 |
| | 0.05 | 1.0E-6 | 3.4E-6 | 7.5E-6 | 1.3E-5 | 3.8E-5 |
| | 0.025 | 5.5E-7 | 1.9E-6 | 4.1E-6 | 7.5E-6 | 2.2E-5 |
| | 0.01 | 4.0E-7 | 1.4E-6 | 2.8E-6 | 5.5E-6 | 1.5E-5 |
| 0.01 | 0.1 | 5.0E-7 | 1.6E-6 | 3.7E-6 | 5.9E-6 | 1.8E-5 |
| | 0.05 | 2.0E-7 | 6.7E-7 | 1.5E-6 | 2.5E-6 | 7.5E-6 |
| | 0.025 | 1.1E-7 | 3.8E-7 | 8.2E-7 | 1.5E-6 | 4.3E-6 |
| | 0.01 | 8.0E-8 | 2.7E-7 | 5.6E-7 | 1.1E-6 | 3.0E-6 |
| 0.005 | 0.1 | 2.5E-7 | 8.0E-7 | 1.9E-6 | 3.0E-6 | 9.0E-6 |
| | 0.05 | 1.0E-7 | 3.4E-7 | 7.5E-7 | 1.3E-6 | 3.8E-6 |
| | 0.025 | 5.5E-8 | 1.9E-7 | 4.1E-7 | 7.5E-7 | 2.2E-6 |
| | 0.01 | 4.0E-8 | 1.4E-7 | 2.8E-7 | 5.5E-7 | 1.5E-6 |

2/3 EDG configuration

| DHR | EDGR | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| 0.05 | 0.1 | 7.0E-6 | 2.3E-5 | 5.0E-5 | 8.0E-5 | 2.5E-4 |
| | 0.05 | 2.6E-6 | 8.5E-6 | 1.9E-5 | 3.1E-5 | 9.5E-5 |
| | 0.025 | 1.3E-6 | 4.3E-6 | 9.5E-6 | 1.7E-5 | 4.9E-5 |
| | 0.01 | 8.5E-7 | 2.8E-6 | 6.0E-6 | 1.1E-5 | 3.2E-5 |
| 0.01 | 0.1 | 1.4E-6 | 4.5E-6 | 1.0E-5 | 1.6E-5 | 4.9E-5 |
| | 0.05 | 5.2E-7 | 1.7E-6 | 3.8E-6 | 6.2E-6 | 1.9E-5 |
| | 0.025 | 2.6E-7 | 8.6E-7 | 1.9E-6 | 3.3E-6 | 9.7E-6 |
| | 0.01 | 1.7E-7 | 5.5E-7 | 1.2E-6 | 2.1E-6 | 6.2E-6 |
| 0.005 | 0.1 | 7.0E-7 | 2.3E-6 | 5.0E-6 | 6.0E-6 | 2.5E-5 |
| | 0.05 | 2.6E-7 | 8.5E-7 | 1.9E-6 | 3.1E-6 | 9.5E-6 |
| | 0.025 | 1.3E-7 | 4.3E-7 | 9.5E-7 | 1.7E-6 | 4.9E-6 |
| | 0.01 | 8.5E-3 | 2.8E-7 | 6.0E-7 | 1.1E-6 | 3.2E-6 |

1/3 EDG configuration

| DHR | EDGR | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| 0.05 | 0.1 | 3.6E-7 | 1.2E-6 | 2.6E-6 | 9.3E-6 | 1.3E-5 |
| | 0.05 | 1.8E-7 | 6.0E-7 | 1.3E-6 | 2.3E-6 | 6.5E-6 |
| | 0.025 | 1.5E-7 | 4.9E-7 | 1.1E-6 | 1.?E-6 | 5.5E-6 |
| | 0.01 | 1.4E-7 | 4.6E-7 | 1.0E-6 | 1.8E-6 | 5.0E-6 |
| 0.01 | 0.1 | 7.1E-8 | 2.3E-7 | 5.2E-7 | 8.6E-7 | 2.6E-6 |
| | 0.05 | 3.6E-8 | 1.2E-7 | 2.6E-7 | 4.5E-7 | 1.3E-6 |
| | 0.025 | 2.9E-8 | 9.7E-8 | 2.1E-7 | 3.7E-7 | 1.1E-6 |
| | 0.01 | 2.7E-8 | 9.1E-8 | 2.0E-7 | 3.5E-7 | 1.0E-6 |

Table C.3 (continued)

Columns 1 through 5 are offsite power clusters.

2/4 EDG configuration

| DHR | EDGR | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| 0.01 | 0.1 | 2.3E-7 | 7.5E-7 | 1.7E-6 | 2.7E-6 | 8.3E-6 |
| | 0.05 | 8.6E-8 | 2.8E-7 | 6.2E-7 | 1.1E-6 | 3.2E-6 |
| | 0.025 | 5.7E-8 | 1.9E-7 | 4.1E-7 | 7.2E-7 | 1.8E-6 |
| | 0.01 | 4.8E-8 | 1.6E-7 | 3.4E-7 | 6.1E-7 | 1.1E-6 |
| 0.005 | 0.1 | 1.2E-7 | 3.8E-7 | 8.5E-7 | 1.4E-6 | 4.2E-5 |
| | 0.05 | 4.3E-8 | 1.4E-7 | 3.1E-7 | 5.5E-7 | 1.6E-5 |
| | 0.025 | 2.9E-8 | 9.5E-7 | 2.1E-7 | 3.6E-7 | 9.0E-7 |
| | 0.01 | 2.4E-8 | 8.0E-7 | 1.7E-7 | 3.1E-7 | 5.5E-7 |

Table C.4 Tabulated estimated values of total core damage frequency for station blackout accidents as a function of emergency diesel generator configuration, EDG unreliability, offsite power cluster, and ability to cope with station blackout

Columns 1 through 5 are offsite power clusters.

1/2 AC configuration

| EDGR | t (hr) | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| 0.1 | 2 | 5.1E-5 | 1.7E-4 | 3.8E-4 | 6.1E-4 | 1.9E-3 |
| | 4 | 2.0E-5 | 6.8E-5 | 1.5E-4 | 2.9E-4 | 9.0E-4 |
| | 8 | 6.3E-6 | 2.2E-5 | 4.0E-5 | 1.0E-4 | 2.5E-4 |
| | 16 | 5.0E-7 to 2.4E-6 | 2.0E-6 to 8.2E-6 | 2.4E-6 to 1.6E-5 | 9.6E-6 to 3.2E-5 | 1.2E-5 to 8.4E-5 |
| 0.05 | 2 | 2.1E-5 | 6.9E-5 | 1.5E-4 | 2.5E-4 | 7.7E-4 |
| | 4 | 8.7E-6 | 2.9E-5 | 6.2E-5 | 1.3E-4 | 3.8E-4 |
| | 8 | 2.8E-6 | 1.0E-5 | 1.7E-5 | 4.5E-5 | 1.1E-4 |
| | 16 | ?.2E-7 to 1.0E-6 | 9.1E-7 to 3.5E-6 | 1.1E-6 to 6.7E-6 | 4.4E-6 to 1.4E-5 | 6.8E-6 to 3.5E-5 |
| 0.025 | 2 | 1.2E-5 | 3.9E-5 | 8.3E-5 | 1.6E-4 | 4.4E-4 |
| | 4 | 5.2E-5 | 1.?E-5 | 3.6E-5 | 7.9E-5 | 2.2E-4 |
| | 8 | 1.7E-6 | 6.1E-6 | 1.0E-5 | 2.8E-5 | 6.2E-5 |
| | 16 | 1.4E-7 to 5.8E-7 | 5.8E-7 to 2.0E-6 | 6.3E-7 to 3.7E-6 | 2.8E-6 to 8.6E-6 | 4.2E-6 to 2.0E-5 |

Table C.4 (continued)

Columns 1 through 5 are offsite power clusters.

1/2 AC configuration

| EDGR | t (hr) | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| 0.01 | 2 | 8.3E-6 | 2.8E-5 | 5.7E-5 | 1.1E-4 | 3.1E-4 |
| | 4 | 3.8E-6 | 1.3E-5 | 2.6E-5 | 5.9E-5 | 1.6E-4 |
| | 8 | 1.3E-6 | 4.5E-6 | 7.1E-6 | 2.1E-5 | 4.6E-5 |
| | 16 | 1.1E-7 to 4.1E-7 | 4.5E-7 to 1.5E-6 | 4.7E-7 to 2.6E-6 | 2.2E-6 to 6.4E-6 | 3.2E-6 to 1.5E-5 |

1/3 AC configuration

| EDGR | t (hr) | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| 0.1 | 2 | 7.3E-6 | 2.4E-5 | 5.3E-5 | 8.8E-5 | 2.7E-4 |
| | 4 | 2.5E-6 | 8.1E-6 | 1.8E-5 | 3.5E-5 | 1.1E-4 |
| | 8 | 5.5E-7 | 2.1E-6 | 3.8E-6 | 9.2E-6 | 2.3E-5 |
| | 16 | 3.?E-8 to 3.0E-7 | 1.1E-7 to 9.9E-7 | 1.7E-7 to 2.2E-6 | 5.0E-7 to 3.8E-6 | 9.8E-7 to 1.1E-5 |
| 0.05 | 2 | 3.7E-6 | 1.2E-5 | 2.7E-5 | 4.6E-5 | 1.4E-4 |
| | 4 | 1.3E-6 | 4.2E-6 | 9.2E-6 | 1.9E-5 | 5.6E-5 |
| | 8 | 3.1E-7 | 1.1E-6 | 1.9E-6 | 4.8E-6 | 1.2E-5 |
| | 16 | 1.5E-8 to 1.5E-7 | 5.7E-8 to 5.1E-7 | 8.6E-8 to 1.1E-6 | 2.6E-7 to 2.0E-6 | 5.0E-7 to 5.6E-6 |
| 0.025 | 2 | 3.0E-6 | 9.9E-6 | 2.2E-5 | 3.8E-5 | 1.1E-4 |
| | 4 | 1.1E-6 | 3.6E-6 | 7.5E-6 | 1.6E-5 | 4.6E-5 |
| | 8 | 2.6E-7 | 9.0E-7 | 1.5E-6 | 4.0E-6 | 9.7E-6 |
| | 16 | 1.2E-8 to 1.2E-7 | 4.8E-8 to 4.2E-7 | 6.8E-8 to 8.7E-7 | 2.1E-7 to 1.6E-6 | 4.1E-7 to 4.5E-6 |
| 0.01 | 2 | 2.8E-6 | 9.3E-6 | 2.0E-5 | 3.6E-5 | 1.1E-4 |
| | 4 | 9.7E-7 | 3.3E-6 | 6.9E-6 | 1.5E-5 | 4.3E-5 |
| | 8 | 2.4E-7 | 8.3E-7 | 1.5E-6 | 3.7E-6 | 8.9E-6 |
| | 16 | 1.1E-8 to 1.3E-7 | 4.3E-8 to 3.9E-7 | 6.4E-8 to 8.1E-7 | 2.0E-7 to 1.5E-6 | 3.8E-7 to 4.2E-6 |

Table C.4 (continued)

                  Offsite power cluster
EDGR and t (hr)   1                   2                   3                   4                   5

2/3 AC configuration

EDGR = 0.1
  2               1.4E-4              4.6E-3              1.1E-3              1.7E-3              5.0E-3
  4               5.4E-5              1.8E-4              4.1E-4              7.6E-4              2.4E-3
  8               1.7E-5              5.8E-5              1.1E-4              2.6E-4              6.6E-4
  16              1.3E-6 to 6.5E-6    5.1E-6 to 2.2E-5    6.4E-6 to 4.5E-5    2.4E-5 to 8.5E-5    4.0E-5 to 2.3E-4

EDGR = 0.05
  2               5.3E-5              1.8E-4              3.9E-4              6.4E-4              2.0E-3
  4               2.1E-5              6.9E-5              1.6E-4              3.0E-4              9.4E-4
  8               6.5E-6              2.3E-5              4.1E-5              1.0E-4              2.6E-4
  16              4.9E-7 to 2.5E-6    2.0E-6 to 8.4E-6    2.4E-6 to 1.7E-5    9.4E-6 to 3.3E-5    1.5E-5 to 8.7E-5

EDGR = 0.025
  2               2.7E-5              8.9E-5              2.0E-4              3.4E-4              1.0E-3
  4               1.2E-5              3.7E-5              8.0E-5              2.7E-4              4.9E-4
  8               3.4E-6              1.2E-5              2.1E-5              5.5E-5              1.3E-4
  16              2.5E-7 to 1.3E-6    1.0E-6 to 4.3E-6    1.2E-6 to 8.5E-6    4.9E-6 to 1.7E-5    7.8E-6 to 4.5E-5

EDGR = 0.01
  2               1.7E-5              5.1E-5              1.3E-4              2.2E-4              6.4E-4
  4               7.3E-6              2.4E-5              5.1E-5              1.1E-4              3.1E-4
  8               2.2E-6              7.7E-6              1.3E-5              3.6E-5              8.4E-5
  16              1.6E-7 to 8.0E-7    6.5E-7 to 2.8E-6    7.6E-7 to 5.3E-6    3.1E-6 to 1.1E-5    4.9E-6 to 2.9E-5

2/4 AC configuration

EDGR = 0.1
  2               2.4E-5              7.7E-5              3.5E-5              2.8E-4              8.5E-4
  4               7.2E-6              2.5E-5              1.1E-5              1.1E-4              3.5E-4
  8               1.8E-6              6.2E-6              2.1E-6              2.7E-5              7.0E-5
  16              9.6E-7 to 9.8E-8    3.4E-7 to 3.2E-6    9.3E-8 to 1.4E-6    1.5E-6 to 1.2E-5    3.1E-6 to 3.5E-5

Table C.4 (continued)

                  Offsite power cluster
EDGR and t (hr)   1                   2                   3                   4                   5

2/4 AC configuration

EDGR = 0.05
  2               8.8E-6              2.9E-5              6.3E-5              1.1E-4              3.3E-4
  4               2.0E-6              1.0E-6              2.1E-5              4.2E-5              1.3E-4
  8               6.5E-7              2.3E-6              4.1E-6              1.0E-5              2.5E-5
  16              3.2E-8 to 3.6E-7    1.2E-7 to 1.2E-6    1.9E-7 to 2.6E-6    5.2E-7 to 4.6E-6    1.1E-6 to 1.3E-5

EDGR = 0.025
  2               5.8E-6              2.0E-5              4.2E-5              7.3E-5              2.2E-4
  4               1.9E-6              6.4E-6              1.4E-5              2.9E-5              8.2E-5
  8               4.2E-7              1.5E-6              2.6E-6              6.5E-6              1.6E-5
  16              2.0E-8 to 2.4E-7    7.3E-8 to 7.9E-7    1.2E-7 to 1.7E-6    3.2E-7 to 3.1E-6    6.6E-7 to 8.7E-6

EDGR = 0.01
  2               4.8E-6              1.6E-5              3.6E-5              6.2E-5              1.8E-4
  4               1.5E-6              5.3E-6              1.1E-5              1.4E-5              6.8E-5
  8               2.5E-7              1.2E-6              2.1E-6              5.4E-6              1.3E-5
  16              6.1E-9 to 1.6E-8    5.8E-8 to 6.6E-7    9.3E-8 to 1.4E-6    2.5E-7 to 2.6E-6    5.3E-7 to 7.2E-6

The point estimates obtained from NUREG/CR-3226 and a comparable plant design analyzed in this study are shown in Table C.5.

The differences in results primarily result from lower loss-of-offsite-power frequencies supported by most recent evaluations of the data (see Appendix A).

The results provided up to this time represent point estimates of probability per year or, more properly, frequency.

The effect on the mean probability estimates of using log-normal distributions to represent basic event probabilities, calculated medians, and uncertainty ranges was shown in NUREG/CR-3226.

The sequence mean estimates derived in that document were typically 3 to 8 times larger than the point estimates, and the upper and lower bounds were typically within a factor of 5 to 20 of the median estimates.

The large difference between point estimates and means can be attributed to the use of a log-normal distribution.
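The following worked example is added here and is not taken from NUREG-1032 or NUREG/CR-3226; it shows why a sequence mean exceeds its point estimate when basic events are log-normal. It assumes the point estimate is the product of the basic-event medians, that an error factor is the 95th percentile divided by the median, and that the events are independent; the medians and error factors are constructed values.

```python
import math

Z95 = 1.6449  # standard normal quantile at the 95th percentile


def sigma_from_error_factor(ef):
    """Log-space standard deviation, assuming EF = 95th percentile / median."""
    return math.log(ef) / Z95


def propagate(events):
    """Combine independent log-normal basic events multiplied in one sequence.

    events: list of (median, error_factor) pairs.
    The product of independent log-normals is log-normal: its median is the
    product of the medians and its log-space variance is the sum of the
    individual log-space variances.
    """
    point = math.prod(median for median, _ in events)
    variance = sum(sigma_from_error_factor(ef) ** 2 for _, ef in events)
    mean = point * math.exp(variance / 2.0)   # log-normal mean
    seq_ef = math.exp(Z95 * math.sqrt(variance))
    return {
        "point": point,
        "mean": mean,
        "mean_over_point": mean / point,
        "error_factor": seq_ef,
        "p05": point / seq_ef,
        "p95": point * seq_ef,
    }


# Constructed sequence: initiating-event frequency and two conditional
# failure probabilities, each given as (median, error factor).
SEQUENCE = [(0.1, 3.0), (0.05, 10.0), (0.02, 3.0)]
RESULT = propagate(SEQUENCE)

# One event alone, for comparison with the three-event sequence.
SINGLE = propagate([(1.0, 10.0)])

if __name__ == "__main__":
    for key, value in RESULT.items():
        print(f"{key:16s} {value:.3g}")
    print(f"single-event mean/point {SINGLE['mean_over_point']:.3g}")
```

With these constructed inputs a single event with an error factor of 10 has a mean about 2.7 times its median, while the three-event product has a mean about 4.2 times the point estimate and bounds within a factor of about 16 of the median.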

The potential effect of operator error causing loss of decay heat removal has not been found to be a large contributor, if adequate training and procedures exist.

Another consideration that has not been found to be a significant factor is the difference in time to core uncovery for the various LWR designs on loss of all decay heat removal.


Table C.5 Comparison of results with NUREG/CR-3226

                                        Core damage frequency (per reactor year)
Plant type and sequence                 NUREG/CR-3226       NUREG-1032

PWR with one steam-driven AFW train TML B 5 x 10 8 1.5 x 10 8 1 t TMB (L2 + Q2) 2 x 10 5 9.2 x.10 e 2

BWR with isolation cooling 5 x 10 8 1.3 x 10 8 TM(Vi + Qt)Bt TMQ2 2 2 x 10 5 9.2 x 10 6 B

BWR with HPCI/RCIC

-TMU 8 2 x 10 8 1.9 x 10 7 3 2 2 x 10 5 9.2 x 10 8 TMU B22 BWR with HPCS/RCIC TMU B 5 x 10 7 3.8 x 10 7 t 1 1 x 10 8 5.2 x 10 8 THU B22 Note:

All B2 sequences except the BWR with HPCS/RCIC are assumed to result in loss of core cooling and decay-heat removal in 6 hours from the start of station blackout for the NUREG-1032 results.

Core damage frequencies in this table (NUREG-1032 column) are based on offsite power cluster 2, 1/2 diesel generator configuration and 0.975 diesel generator reliability.

STATION BLACKOUT RISK

The potential risk associated with station blackout accidents can be estimated by extending the core damage probabilistic results through to accident consequence estimates.

The potential for terminating core damage before core melt and coping with core melt before containment failure is currently a matter of extensive research and evaluation.

In most probabilistic risk assessments (PRAs), the probability of core damage has been equated with core melt.

Acknowledging that this is a possible conservative assumption, to estimate risk in these PRAs, containment failure modes and probabilities are applied as if the core has melted.


REFERENCES

Fletcher, C. D., "A Revised Summary of PWR Loss-of-Offsite-Power Calculations," EG&G Idaho, Inc., EGG-CAA0-5553, September 1981.

Schultz, R. R. and S. R. Wagoner, "The Station Blackout Transient at Browns Ferry Unit One plant, A Severe Accident Sequence Analysis," EG&G Idaho, Inc., EGG-NTAP-6002, September 1982.

U.S. Nuclear Regulatory Commission, NUREG/CR-3226, A. M. Kolaczkowski and A. C. Payne, Jr., "Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44)," May 1983.


BIBLIOGRAPHIC DATA SHEET

NUREG-1032

Evaluation of Station Blackout Accidents at Nuclear Power Plants
Technical Findings Related to Unresolved Safety Issue A-44

Final Report

P. W. Baranowsky

June 1988

USI A-44

Office of Nuclear Regulatory Research
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555

Technical Report

"Station Blackout," which is the complete loss of alternating current (AC) electrical power in a nuclear power plant, has been designated as Unresolved Safety Issue A-44. Because many safety systems required for reactor core decay heat removal and containment heat removal depend on AC power, the consequences of a station blackout could be severe.

This report documents the findings of technical studies performed as part of the program to resolve this issue.

The important factors analyzed include: the frequency of loss of offsite power; the probability that emergency or onsite AC power supplies would be unavailable; the capability and reliability of decay heat removal systems independent of AC power; and the likelihood that offsite power would be restored before systems that cannot operate for extended periods without AC power fail, thus resulting in core damage.

This report also addresses effects of different designs, locations, and operational features on the estimated frequency of core damage resulting from station blackout events.


Key words: Unresolved Safety Issue A-44, Station Blackout, Loss of Offsite Power, Emergency AC Power Reliability

Availability: Unlimited

Security classification: Unclassified

.v..cs. a,

  • U.S. CQWC# AMnf 94!4f lu Crr J t(itggs.732.p g i n;p

U"'

,im cass uut POlihG1 b $115 PA>D NUCLEAR EGu ATORY COMMISSION US%RC WASHINGTON, D.C. 20555 et av" "' * *'

orscAL suSWESS PENnTY FOR PRtVATE USE. 4300 120555078877 US OIV 0FNRC -Ot4 R M. A n gIANIAlll3 I

PUB svcr

..kfhY PUH MGT HR.png WASHIycygg NUDEG CC 2 0 5 c; c

_