ML20155J900
| ML20155J900 | |
| Person / Time | |
|---|---|
| Site: | Three Mile Island  |
| Issue date: | 11/30/1987 |
| From: | Garrick B, Hubbard F, Iden D PLG, INC. (FORMERLY PICKARD, LOWE & GARRICK, INC.) |
| To: | |
| Shared Package | |
| ML20155J777 | List: |
| References | |
| PLG-0525, PLG-0525-V01, PLG-525, PLG-525-V1, NUDOCS 8806210067 | |
| Download: ML20155J900 (42) | |
Text
. _ _ _ _ _ _ . _ _
D-Copy Copyright c 1987, by PLG-0525 GPU Nuclear Corporation Volume 1 Three Mile Island Unit 1
. Probabilistic Risk Assessment
. EXECUTIVE
SUMMARY
REPORT Project Director B. John Garrick Project Manager Douglas C. Iden O Principal Investigator Frank R. Hubbard Task Leaders Mardyros Kazarians O Ali Mosleh Harold F. Perla Martin B. Sattison Donald J. Wakefield O
Prepared for GPU NUCLEAR CORPORATION Parsippany, New Jersey 0 November 1987 o
Pickarc.,LOwe anc Garrick,Inc.
Engineers e Applied Scientists e Management Consultants O Newport Beach, CA Washington, DC kbbkDOC $!o$o$e9 L
P DCD
a
(
(
l NOTICE This is a report of work conducted by individual (s) and contractors for use by GPU Nuclear Corporation. Neither GPU Nuclear Corporation nor the authors of g the report warrant that the report is complete or accurate. Nothing contained in the report establishes company policy or constitutes a commitment by GPU Nuclear Corporation.
G G
8 9
e
h'
SUMMARY
OF CONTENTS I
)
l EXECUTIVE
SUMMARY
REPORT Acknowledgment Volume 1 l Foreword TECHNICAL
SUMMARY
REPORT Volume 2 l
) PLANT MODEL REPORT Volume 3 SYSTEMS ANALYSIS REPORT Volume 4 j DATA ANALYSIS REPORT Volume 5 l
p HUMAN ACTIONS ANALYSIS REPORT Volume 6 ENVIRONMENTAL AND EXTERNAL HAZARDS REPORT Volume 7
)
\
J l
D D
D D
0540G123186
,- =
1 i
, ACKNOWLEDGMENT l
I
] In an undertaking of this size, there are many more people who contribute to the end product along the way than are identified in the title page.
j' Key members .of the TMI-1 PRA study team who participated in every major area of this assessment throughout the life of the project are members of the GPUN Risk Analysis Section. They-are as follows: Ken Goddard, Section Manager, Chuck Adams, Hassan Elrada, Ed Rodrick and (in the 3 early stages of the project) R. Locke. Under-Ken Goddard's guidance-and continuous efforts, the personnel in this section contributed greatly to-the ultimate content of this study. In addition'to their efforts, other members of the GPU organi_zation who made special technical contributions include: Chuck Husted, Brent Mays, Lou Lanese, and Howard Crawford.
) An essential part of this analysis has been technical review. Members of the technical review board who provided expert advice and direction were as follows:
o C. D. Adams, GPU Nuclear Corporation, Safety Review Staff
)
e P. P. Bientarz, Risk Management Associates e R. W. Griebe, Aisling, Inc.
e J. M. Hudson, ACTA, Inc.
Q e J. E. Lynch, Babcock & Wilcox Company e W. R. Sugnet, Electric Power Research Institute / Nuclear Safety Analysis Center e N. G. Trikouros, GPU Nuclear Corporation, Manager of Safety Analysis O and Plant Control l
e G. B. Yarnado, International Energy Associates, Ltd.
e J. P. Gaertner, Electric Power Research Institute Q e R. W. Whitesel, GPU Nuclear Corporation, Nuclear Safety Analysis Department, Director Special acknowledgment is made to the principal investigator, Frank i Hubbard, for his untiring effort in both the technical and editorial l i
aspects in bringing this project to a timely completion. :
D ,
Other PLG staff members bo h in Washington, D.C., and in the Newport {
Beach, California, offices aho participated in this project are also i appreciated. Others at PLG 'ot included on the cover page who made notable contributions are Kat.Nieen Ramp ana Tom Mikschl. l l I
- O l
,O iii 0593G111187ESR
1 FOREWORD This Executive Summary Report provides a concise discussion of the major l- results, conclusions, and recommendations of the Three Mile Island, Unit 1 (TMI-1) probabilistic risk assessment (PRA) performed by Pickard, Lowe and Garrick, Inc. (PLG), and GPU Nuclear Corporation (GPUN). It also presents an overview of the historical perspective of PRA methodology and a comparison of the results with those of some other PRAs.
} In addition to this Executive Summary, this PRA is documented in a set of reports that discuss each part of the analysis as shown in Figure 1.
Each report in the set is described briefly:
e Technical Summary Report. The purpose of this report _is to provide an overview of the TMI-1 PRA methodology and results in more detail than
) is done in the Executive Summary. This report contains material necessary for understanding the following reports and should be read first.
e Plant Model Report. The Plant Model-Report contains a description of all of the event sequence diagrams and event trees defining the '
3 scenarios that make up the plant model for TMI-1. It describes the initiating events, the interactions between support systems and frontline systems, the plant damage states, the quantification of the plant model, and the detailed results.
! e Systems Analysis Report. The Systems Analysis Report presents all of D the system performance models used to calculate the numbers used for evaluating the event trees, thereby producing scenario frequencies.
J
! e Data Analysis Report. This report presents the basic component data base (e.g., equipment failure rate and length of time to repair) developed for use in the TMI-1 PRA systems and initiating event ;
D frequency analysis. A discussion of some of the techniques used and steps taken in developing the data base is also presented. )
e Human Actions Analysis Report. The Human Actions Analysis Report !
proviacs the plant event sequence models with frequencies for both favorable and unfavorable operator actions. This report quantifies
] the frequency of failure of the identified human actions. These frequencies are included in the plant model to delineate the human !
[ contribution to the core damage frequency. I i
l e Environmentai and External Hazards Report. The Environmental and j i
External Hazaras Report (EEHR) cnaracterizes the impact of )
O environmental and external hazards on TMI-1. Environmental hazards !
cause equipment failure from sources within the plant boundaries; j e.g. , fire, internal flood, steam, etc. Such environmental hazards l may simultaneously affect several plant components. External hazards, i on the other hand, are causes of equipment failure that originate ;
outside the plant boundaries; e.g., earthquakes, external floods, O aircraft crashes, etc. The EEHR sorts through all such hazards to 1
l determine which ones contribute significantly to core damage frequency, i O iv
., u O O O O U U U U P ENVIRONMENTAL m AND EXTERNAL HAZARDS REPORT 1r r T,r DATA ANALYSIS SYSTEMS PLANT MODEL TECHNICAL EXECUTIVE REPORT + ANALYSIS 4 REPORT +
SUMMARY
+
SUMMARY
REPORT REPORT REPORT 26 JL HUMAN ACTIONS ANALYSIS REPORT FIGURE 1. IliTERACTION BETWEEN REPORTS IN THE TMI-I PRA
- CONTENTS l
j Section Pace
!IET Or TABLES AND FIGURES viii 1 INTRODUCTION 1-1 1.1 Background 1-1 1.2 Objectives 1-1 1.3 Scope of the PHA 1-2 l 1.4 Historical Perspective 1-3 2 RESULTS 2-1 2.1 Core Damage Frequency 2-1 3 2.2 Dominant Contributors to Core Damage Frequency 2-2 l 2.3 Results in Context 2-3 2.4 Impact of Recent Information 2-6 2.4.1 Loss of Control Building Ventilation 2-7 2.4.2 Fire Hazard Scenarios 2-7 2.4.3 Reactor Coolant Pump Seals 2-7 .
3 INSIGHTS AND RECOMMENDATIONS 3-1 3.1 Operational Changes Resulting from and Incorporated into the PRA 3-1 3.2 Technical Insights 3-2 3.3 Recommendations 3-3 4 REFERENCES 4-1 1
l l
O 4 P
a a
3 vi 0593G111197ESR
).
LIST OF TABLES AND FIGURES Table Page
)
2-1 Scenarios Contributing Significantly to Core Damage Frequency 2-9 2-2 Initiating Event Categories Contributing Significantly to Core Damage Frequency 2-11 2-3 Systems Contributing Significantly to the
)
Frequency of Core Damage from Internal Events 2-12 2-4 Core Melt Frequency Comparison 2-13 3-1 Operator Action Failures Contributing Significantly to the Frequency of Core Darage 3-9 Figure
)
2-1 TMI-1 PRA Probability of Core Damage Frequency Distributions (Probability Density Format) 2-15 2-2 TMI-1 PRA Probability of Core Damage Frequency Distributions (Cumulative Probability Format) 2-16 -
)
i 1
5 1
I l
)
)
l 3
t l
vii 0593G111197ESR
.. .. - ~ . . . . __= . . - . _. .. - -
k' l 1. INTRODUCTION
1.1 BACKGROUND
j
?
The TMI-1 PRA was initiated by GPUN in the fall of 1983. The consulting firm of PLG was retained as the primary contractor for the conduct of the study.- It is a Level 1 PRA, as defined by the PRA Procedures Guide (Reference 1), including a treatment of external events. . GPUN . undertook such a study to develop a management decision-making tool that would help h address various important issues, including safety, plant availability, and economic costs and benefits.
i i
1.2 OBJECTIVES
! The overall objectives of the TMI-1 PRA were to:
) e Perform an independent and plant-specific assessment of the level of '
safety of the operation of TMI-1 to ensure that GPUN is carrying out its corporate responsibility to generato electricity in a manner that afforcs adequate protection for the health and safety of the public and its employees.
) !
e Improve GPU "iclear's functional capabilities to use PRA as a tool for decision making and resource allocation for possible
- modifications of the plant configuration, operation, maintenance, and l emergency planning.
) e Provide a quantitative assessment of the range of the frequency of core damage, independent of regulatory criteria, with the documentation of results and methods in a form suitable for detailed technical review and public presentation.
To meet these objectives, specific goals in the course of the PRA have
)
been to:
j I
e Develop a quantitative assessment of the range of the risk from operating TNI-1 in terms of the likelihood of core damage and its associated uncertainty.
3 o Icentif.y the significant contributors to risk, considering accident j initiators, both internal and external to the plant, o Rank piant systems and components quantitatively in terms of their contribution to the frequency of core damage. .!
p e Develop a plant risk model and the tools for its use by GPUN in j future TMI-1 risk management applications, )
i l
l e :
Develop ana organize a data base with provisions for periodic !
updating consistent with the requirements of the plant risk model and its tools.
D 1
1-1 0558G111197ESR
l ,
h.
l 1.3 SCOPE OF THE PRA The THI-I probabilistic risk assessment is a plant-specific assessment of '
core damage frequency, including such accident initiators as pipe breaks
)
l and the effect of floods, earthquakes, fires, and other more complex events. It includes consideration of all alleviating systems
- and all j systems whose failure to perform might increase the consequences produced l
by an initiating event. Both safety and nonsafety systems were considered for any favorable or unfavorable contribution that they might make to influence the frequency of core damage scenarios. Containment D safety features were included for possible use at some later date for extending the analysis to incorporate containment response and offsite consequences.
In a truly plant-specific risk-assessment like this, each plant seems to reveal its own set of dominant risk contributors. To allow early use of 3 the PRA as a risk management tool, a "first pass," Phase I model was i developed in the first 8 months of the project. Phase I was an l abbreviated though a comprehensive scoping analysis intended to facilitate a more detailed and lengthy second phase. Phase I produced an approximate or focusing PRA to identify early those systems and assumptions that require more int rmation or a more detailed analysis 3 prior to their incorporation in the final risk model. In TMI's case, for instance, the control building ventilation system was found to be one whose faihre could lead to core damage, but little was known about the course of events following its failure, including such facts as: given system failure, how long it would take to heat up the rooms, at what temperature components in these rooms would begin to fail, etc. The D results of Phase I precipitated a study that lasted more than a year before finalization of the control building ventilation ' system failure model and its incorporation into the. detailed Phase II PRA model.
)
In Phase II, key systems and scenarios for plant safety were analyzed l very closely, with the objective of identifying potential changes in
? design and operation. The Phase 11 risk model evolved over 2 years and incluced four major revisions to reflect the expected TMI plant performance accurately. Each major revision was followed by further
! analysis to refine assumptions about plant systems and operator performance. An important result of this refinement was the treatment of I human actions. These actions, while not unique to the TMI-1 PRA, were O used much more extensively than in previous PRAs. They include such l actions as possible miscalibration of sensors, manual actuation of systems whose automatic actuation had failed, and operator recovery of
! systems postulated to fail. j 1
O
- The term "alleviating" is used throughout the THI-1 PRA reports in the sense of Webster's New Collegiate Dictionary sense of "b. to partially remove or correct." Other synonymous terms, such as "mitigate," are reserved for other special applications, such as "to mitigate the O corsequences of core damage."
i l
1-2 p 0558G111197ESR I --. - _
I
).
In addition to producing the risk ~model, the scope of the PRA involved
. the transfer of.PRA technology to GPUN staff and computer facilities.
The codes involved were developed specifically to simplify the quantification of the THI PRA model, including special input preparation
) codes to streamline processing.
The most important result of the TMI-1 PRA has been to identify -
l cpportunities to reduce the core damage frequency. To facilitate the cor tinued quantitative management of the TMI-l risk, the following adoitional products have been developed: I
- 1. A final report, including this summary report and a technical summary report.
- 2. The PRA model, consisting of system and scenario models and data-bases.
1.4 HISTORICAL PERSPECTIVE Nuclear safety has been a visible and fundamental concern in the development and commercialization of nuclear power. From the beginning of the nuclear industry, safety design philosophy has centered around '
) "defense in-depth," characterized by the multiple fission product barrier i
i concept supported by upper bound, deterministic calculations. This
- approach has served the cause of nuclear safety well. Carried to an j extreme, however, it can lead to the wasteful use of resources and the unnecessary introduction of equipment complexity that can actually reduce safety. With the growth of experience with operating nuclear power
) plants, the upper bound calculations have been replaced with an analytical approach that assesses nuclear power plant safety more realistically by putting such upper bound results into context. !
Probabilistic risk assessment is the approach. PRA.is both a systematic identification of the levels of damage that could result from nuclear plant operation ano a rigorous assessment of the likelihood of such
) occurrences.
The upper bound deterministic approach for assessing nuclear power plant l safety is specified in the Code of Federal Regulations. The Code i
requires the analysis of a fixed set of predefined accidents for the reactor plant. Originally, the most severe of those accidents, the
) maximum hypothetical accidents, were selected to establish required distance factors from the plant (Reference 2). The somewhat arbitrary nature of these distance factors began to stir in:erest. In the early 1960s, F. R. Farmer, of the United Kingdom, propo:;ed a new approach to power plant safety based on the reliability of co1 sequence-limiting equipment (Reference 3) . At the time, the United Kingdom, facing a need 3
to bring nuclear power plants closer to large populations, began to abandon the scmewhat arbitrary notions of plant stfety and espoused a more realistic and quantitative definition of rist to public health. l Meanwhile, in the United States, a series of studies sponsored by the i U.S. Atomic Energy Commission were undertaken in the early and mid-1960s
)
l
) 0558 Gill 197ESR 1-3
1 to probe the merits of using reliability techniques in the safety
, analysis c' American nuclear power plants. These studies (Reference 4) identified the need for special data and analytical tools, such as fault tree analysis, to perform meaningful quantitative risk analysis. '
)
Interest in probabilistic risk assessment continued to grow during the 1960s. Analysis techniques were borrowed from statisticians and reliability engineers (References 4, 5, and 6) and developed into-tools suitable for preaicting failure frequencies for large, complex nuclear power plant systems. The benefits in terms of safety control and
) understanding were documented in Reference 4 (This reference developed a methodology for attacking the problem of probabilistic risk assessment of complex plants.) With the evolution c-f reliability techniques, people began to believe that it was possible to estimate the likelihood of low frequeacy, high consequence accidents at nuclear plants. In 1972, the U.S. Atomic Energy Commission undertook the Reactor Safety Study (RSS)
) under the direction of Professor N. C. Rasmussen of MIT (Reference 7).
It was the most thorough investigation of reactor safety of its time, and, as such, it set the stage for the understanding of safety for years to come, it calculated the risk from the operation of 100 U.S. light water reactors of then current design operated at base power. The report showed the way to derive and present risk results meaningfully to
) technical specialists and policymakers alike. The finished document formed a basis for thorough discussion of risk methodology, thereby focusing criticism, review, and improvement. Three important findings of :
thJ study were that: (1) the risk associated with the operation of i selected nuclear power plants was indeed small, (2) the dominant contributor to risk was not the large loss of coolant accident, as
)
~ previously emphasized in the Code of Federal Regulations, but (3) it was the more probable transients and the small loss of coolant accidents (LOCA) that of ten make up most of the contribution to risk.
The accident that occurred at TMI-2 in March 1979 (Reference 8) had a i
profound impact on the nuclear industry and on the concept of risk D a s se s smer.t. Portions of the TMI-2 sequence of events were not included in detail in the RSS analysis, causing many to question the validity of the analyses.
l In truth, the transient at TMl did fit the RSS sequences, albeit not exactly. The transient fit in the sense that a small LOCA with a failure of high pressure injection was included as one of the Reactor Safety Study (RSS) sequences. However, it did not fit exactly because the numerical probaDilities that the RSS placed on this scenario represented an accident progression going all the way to core melt. What the RSS did not model was the likelihood that operater interruption would be the cause of the failure of high pressure injection ficw. It also did not D model the operator's subsequent action to restart high pressure injection (HPI) flow which prevented loss of reactor vessel integrity.
The initial reaction to the TMI accident was negative with respect to the value and role of probabilistic risk assessment; on reflection, the attitude changed. Two important post-TMI independent studies reccmmended h greater use of probabilistic analysis techniques in assessing nuclear l
l I
l-4 3 0558G111197ESR
i i
plant .r isks and in making decisions aoout nuclear safety. They were the
. _ report of the President's Commission on the Three Mile Island accident (Reference 9) and the so-called Rogovin Report (Reference 10). Following the lead of these commissions' reports, several post-TMI NRC reports also 3 noted the value of quantitative risk analysis (References 11 through 14).
A draf t report of the "0PSA, Oyster Creek Probabilistic Safety Analysis,"
l was completed in 1979 (Reference IS). It was begun before the TMI-2 event, but coincidently already included many of the features suggested by the TMI-2 post-mortem. The Zion (Reference 16) and Indian Point PRAs 3 (Reference 17) and others performed by PLG for various utilities built on the Oyster Creek PRA methods and also added important improvements including: expanded common cause failure analysis, uncert:inty
, quantification methods, methods for assembling and dissect 3ng the L results, analysis of dependent failures and human interactions, containment and core response analysis, modeling of external events
] (!arthquakes, fires, floods, etc.), and incorporation of the
! site-specific topography, emergency preparedness plans, and changing weather patterns in the consequence model. One impact of the above l advances has been a more accurate specification of the contributors to
, risk. The methodology now alicws identification of the contributors to risk and the ability to observe, in increasing detail, what is driving D the risk. This is vital for making decisions on design modifications, ;
procedural options, or any other risk management action on the part of l the utility. Knowledge of the contributors to risk enables effective risk management.
In addition to the advances made by these recent PRAs, a very significant i O sign of the ceveloping maturity of risk assessment was the publication of a PRA procedures guide (Reference 1). Developed by experienced practitioners in private industry, in the NRC, and in national laboratories, this guide defines what is meant by a PRA and describes some of the alternative methods available for performing each of its aspects.
The important risk scenarios from other PRAs cannot be directly applied to TMI-1. Recent experience indicates that the scenarios important to risk are even more plant specific than realized after the early PRAs. A striking example is the difference in dominant risk contributors between the Irdian Point Units 2 and 3, which are similar units located on the O same site (Reference 17) .
The ultimate reason for doing a risk assessment is to assist utility management in making safety-related decisions. The risk assessment provices vital input to the decision-making process. A PRA can assist in making decisions about whether to modify a plant or its procedures for O operation and maintenance by comparing the calculated risk to the risk at other plants and to the Nuclear Regulatory Commission's (NRC) proposed safety goals. After the final results have been assembled, the methodology permits a clear examination of risk contributors from several different perspectives and at successive levels of detail. Risk quantified before and after any propcsed change allows prediction of the O ef fectiveness of the change. witn this detail, options can be identified that can be the most ef fective in reducing risk.
1-5 0 0558G111197ESR
b.
Reduction in the frequency of core damage may result from changes in
, specific plant components, personnel training, or procedures. The plant-specific risk model develop 2d in this project is designed to assist in this level of decision making.
It is also important to note that as a "mocel" the PRA provides an estimate of the actual but not exactly known core damage frequency.
Changes to this estimate can also result from incorporation of new information, changes in study assumptions and/or better analysis methods, which do not affect the actual core damage.
I
)
l D
l l
D D
D D
l
\
! 1-6 0 0558G111197ESR
- 2. RESULTS
) This section summarizes the results of the PRA. The quantification of L the frequer cy of core damage is presented in Section 2.1. The frequency !
- of core damage is dalculated from the sum of the frequencies of a l multitude of postulated accident sequences. Each such accident sequence, '
or scenario, consists of an initiating event and the failure of one or more systems designed to alleviate the consequences of the initiating
)' event. These results are presented in Section 2.2. Section 2.3 puts- l these results into perspective relative to regulatory guidelines and to other PRAs. Finally, Section 2.4 identifies new information that will, when incorporated into the PRA, reduce the total frequency of core damage. All of the results presented here are discussed in somewhat greater detail in the Technical Summary Report and in great detail in
) Section 6 of the Plant Mudel Report.
2.1 CORE DAMAGE FREQUENCY The curves in Figures 2-1 ana 2-2 are key results of the PRA. Both figures are presented because two formats have become widely used in PRAs *
) to present core damage frequency and its associated uncertainty.
Figure 2-1 is a probability density curve,* and Figure 2-2 is a cumulative probability curve. These curves represent our complete state of knowledge about the TMI-1 core damage frequency, including uncertainty.
l Uncertainity about the frequency of core damage stems from many factors,
) including variation in data, modeling approximations, and incomplete information. Such uncertainty has been accounted for, to the extent possible, in all elements of the study. As shown, Figure 2-2 indicates a mean frequency of 5.5 x 10-4 per year and a median (our "best estimate") 'f 1.5 x 10-4 It also communicates that the TMI-1 PRA t is 90%9.4 and conix. .10 gnt that the core damage frequency is.between 2.6 x 10
} per year.
The frequency of core damage is calculated f rom the sum of the f frequencies of accident sequences. It is important to note that although the risk of operating TMI-1 is characteri:ed, in part, by the core damage frequency, the actual health risk to the public can only be measured by
) performing containment and offsite consequence analyses. Such analyses i
4 take into account the effectiveness of containment safety systems in containing radiation leakage and the effect on public exposure of weather population distribution and evacuation during any leakage.
l
)
- The area under the probability density curve between any two frequency values gives the probability that the core damage frequency will be greater than or equal to the lower frequency and less than or eaual to the upper frequency. The total area under the curve is equal to 1 and
) represents our certainty that the core damage frequency must be bounded j I
by the frequencies under the curve. Any point on the cumulative I distribution curve indicates the probability (y-axis) that core damage frequency will be less than or equal to its x-axis value.
l 2-1 i
0559G111187ESR l
- i
_ . _ _ _ _ , , _ - . - , , , . , - . _ , _ - J
).
2.2 DOMINANT CONTRIBUTORS TO CORE DAMAGE FREOUENCY The accident sequences that contribute the most to the frequency of core
) damage are ranked in Table 2-1. It is interesting to note that 33% of the core damage frequency is attributable to one scenario: the loss of control building ventilation and the su'o sequent failure tu recover it prior to core damage. (Other scenarios initiated by a loss of CBV contribute an additional 3%.) The control building ventilation (CBV) system is designed to maintain the control building rooms at normal
) conditions; that is, within desired limits of terperature and humidity.
Failure of the ventilation system causes the internal room temperatures to increase and, within a period of hours, to exceed the design temperatures of the electronic and electrical equipment in the rooms. At some elevated temperature (which is not well known), equipment will fail, and the plant will automatically trip or be tripped by the operator.
) This calls on the systems to remove decay heat to operate, but, in this dominant accident sequence, these systems also eventually fail due to loss of motive and/or control power, as more electrical equipment in the control buildino fails. (Refer to Section 2.4 for recent inforration that impacts these results; also refer to Section 3.2 Technical
) Insights, for further discussion of loss of the control building '
ventilation (CBV). Core damage will result from the failure to rerove decay heat. This scenario also includes the l'ke-ihood of the operator trying, but f ailing, to recover cantrol buildin ventilation and trying, but f ailing, to provide alternative ventilation.
The next three highest frequency scenarios at 6%, 4%, and 4%, respec-
) tively, are fires in three dif ferent areas of the plant. The first is in the notor control center area of the auxiliary building, and the other two are in the IS switchgear room and.the engineered safeguards analysis system (ESAS) cabinet areas of the control building. These fires are assered to interrupt either power or control to both trains of the systems required to maintain reactor coolant prott a
'RCP) seal 2 integrity cnd provide injection flow to the reactor : ,,. ant systen (RCS) following RCP seal failure. (Refer to Section 2.4 for recent information that impacts the results; also see Section 3.2, Technical Insights, for a discussion of the limitations and uncertainty in the fire analysis.)
The fifth highest frequency scenario is characterized by the occurrence
) of a medium LOCA and the failure to manually initiate recirculation from the reactor building surp. More specifically, this sequence recuires a manual switchover of the low pressure injection purp suction from the empty borated water storage tank to the reactor building surp. Failure of the ranual switchover may occur for several reasons, including f ailure on the part of the operator to recognize the event, failure of the low
) level alarm of the borated water storage tank to notify the operator of a near-empty condition, or equiprent f ailure in the lines that take suction frcm the surp. This scenario contributes about 3% to the overall core damage frequency. Similar scenarios initiated by large and very small LOCAs together contribute an additional 2%.
) The sixth most significant accident sequence involves three independent failures: an excessive arount of rain feedwater being fed to the steam generators initiates the event, failure to provide high-pressure injection pump ninirun-flow recirculation fails the reactor coolant pump 3 2-2 0559G111187ESR
O.
, seal injection, and reactor coolant pump seal cooline also fails. In this scenario, the excessive main feedwater causes the reactor coolant system to cool down and depressurize enough to generate a 1,600-psi O engineered safeguards actuation signal. This signal starts high pressure injection and closes the HPI minimum-flow recirculation line to the makeup tank among other actions. The operator then fails to reopen this recirculation line when he throttles HPI flow, causing the HPI purps to fail. (Continued seal injection flow of 32 gpm is inadequate for minimum flow requirements of three high pressure injection pumps.) This disables
.O both reactor coolant makeup and seal injection. The reactor coolant pump seal cooling (from ICCW) has failed due to independent causes. The pump seals, deprived of both injection and cooling, degrade and leak, causing a loss of RCS inventory. Since makeup is not available due to the failed makeup pumps, core uncovery and damage eventually occur. The scenario is commonly referred to as an "RCP seal LOCA." Refer to Section 4 for a O discussion of recent information that may impact thase results.
As a further means of identifying the major risk contributors in the plant, we can focus on the events that initiate scenarios. The locs of control building ventilation initiates the nost important scenario of Table 2-1. The importance of events that initiate many scenarios of O small individual contributions to core damage frequency is not so obvious. Their importance then can only be known by tallying their total contribution to core damage frequency, as shown in Table 2-2.
The scenarios can be examined at yet a greater level of detail; namely, at the systems level. That is, the large number of scenarios considered O in the TMI-1 PRA were further analyzed to find the system failures that dominate the frequency of severe core damage. These results are presented in Table 2-3. The importance of these systems was calculated by adding the frequency of all scenarios in which the failure of a particular system occurs. Therefore, the total percentage of all contributing systems may exceed 100% because more than one system failure O may occur in each core damage scenario.*
2.3 RESULTS IN CONTEXT The TMI-1 PRA represents an extensive application of state-of-the-art risk assessment methodology. This section briefly examines the O differences between the methods used and the results calculated for TMI-1 and those assessed in risk studies for other nuclear power plants, as
- The importance percentage calculated in this way usually indicates the O percentage reduction in core damage frecuency, which would result if the system were made perfect; i.0, unable to fail. For instance, if system A (which contributes to 10t of the core damage frequency) were made perfect, the total core damage frequency would be reduced by 107 One exception to this rule is for cases when a containment safety feature has failed but the system does not contribute to core damage. Fixing the O containment safety feature in this case will not reduce core damage frequency. Another exception is when there are two systems failed in the scenario, either one of which would, by itself, lead to corc damage.
Fixing one such system would not reduce the total core damage frecuency.
O 2-3 0559G111187ESR
i J k '
l l shown in Table 2-4 These comparisons consider differences in PRA i
, methodology, plant design, ano statistical representation of the results. The differences identified in the comparison illustrate the '
need for extreme caution in making such comparisons. Comparisons are meaningful only when there is commonality of such items as initiating events, basic event data, scope, and methods of calculating uccertainty.
As indicatea in Table 2-4, the TMI-l PRA core damage frequency is !
relatively high in comparison to the results from other PRAs. A major reason for this is the nature of the major contributors to core damage '
frequency and the assumptions used in the quantification of their ;
frequency. Two major contributors (responsible for approximately~ half of '
the TMI-l total) are loss of control building ventilation and fires in electrical equipment rooms. Section 2.4 describes the potential impact of new information on reducing the core damage frequency from these contributors, d
These scenarios were not treated in detail in most of the other studies referenced in Table 2-4. Other studies might also be at a more refined point in terms of incorporating modifications to reduce the frequency of
! such scenarios. In addition to these major items, the comparison to the l results of othr PRAs may be affected by dif ferences in PRA methodology '
D and assumptions. % .e examples of such differences are:
e Treatment of Potential Common Cause Failures. Potential common cause tailures et identical redundant equipment have not been treated the same in all PRAs. Later PRAs, especially PLG's, have used advanced methocology. For instance, in the case of the TMI-1 PRA, the ,
O analysis used generic and all available TMI-l specific data. These data were used consistently for analyzing the failure rate of 1
i identical components (e.g., valves and pumps) within and across '
redundant trains of all systems. The results of other PRAs, those using the Interim Reliability Evaluation Program (IREP) methodology, -
for example, do not include the impact of this state-of-the-art O treatment of common cause failures.
o Accountinc for the Impact of Potential Human Actions. Human actions were constaerea extensively in the TMI-1 PRA. Approximately one-half ;
of all the human actions analyzed were those taken to recover failed '
systems. A very consistent, uniform method was used to document the D basis for the human action numbers used in the TMI-1 PRA; therefore, the TMI-1 PRA team did not hesitate to incorporate such actions where ,
appropriate. The operator was never automatically assumed to be successful. On a case-by-case basis his actions were carefully characterized and the likelihood of success was quantified. Wherever such analysis was not performed the operator was assumed to have been ;
O unsuccessful, i
i Systems analysis in all the PRAs generally use the techniques developed for reliability analysis. System logic models are developed as a framework for analyzing accident sequences that may lead to core melt.
These models are used to analyze the top events (headings) of event trees O and the systems that support the top events. Generally, the systems analysis of the Limerick and Big Rock Point PRAs was similar to the Reactor Safety Study. The Reactor Safety Study methodology application 2-4 0 0559G111197ESR
e.
' (RSSMAP) of Oconee, Sequoyah, and Grand Gulf drew directly from RSS experience. Midland, Oconee, Susquehanna, Seabrook, Bellefonte, Browns Ferry, South Texas, Pilgrim, Salem, Hatch, Nine Mile Point, Indian Point g and Zion PRAs have taken advantage of more recent advances in systems analysis methods; e.g., the treatment of dependent failures. While the RSS employed conservative success criteria for system operability, later PRAs, including RSSMAP studies, used new information (for example from the Three Mile Island Unit 2 studies), resulting, in some cases, in less conservative (more realistic) criteria.
D More recent studies, including the TMI-PRA, are considering a more complete set of initiating events. For instance, steam generator tube ruptures and fires were measurable contributors in the TMI-PRA but were judged to be unirportant and therefore not studied explicitly in the Reactor Safety Study and other risk assessments.
9 For external events, such as fire, earthquake, tornado, hurricane, and flood, the RSS performed a scoping overview analysis and concluded that the risk due to these events is less than the risk resulting from other causes. External event analysis was not within the scope of the Lirerick and RSSMAP PRAs. Big Rock Point analyzed fires and earthquakes and found -
g fires, in particular, to be important to the overall risk. For Zion and Indian Point, earthquakes were found to be irportant, especially for latent health effects. This was because an earthquake could result in both core damage and containment failure. Otherwise, the joint f recuency of core damage from an internal initiating event and the independent, subsequent f ailure of Zion's very high capacity containrent is ruch lower, e
The TMI-PRA modeled more scenarios than generally considered in other PRAs.
This was done because the effects of interdependencies among systers were found to be very irportant at TMI-1. This includes support systems (e.g. electric power or cooling water), which have been found to g be as important as at most other plants examined to date. As a result, dependency between systems were necessarily treated in more detail in the TMI-PRA.
The RSS compiled component failure data from a varicty of sources, establishing a benchmark data base. Some updates based on recent g industry and plant-specific experience we, e made for the TMI-1, Midland, Oconee, Limerick, Big Rock Point, Zion, and Indian Point PRAs. TMI-1 adopted and, in sene cases, extended the data techniques used in previous PLG PRAs.
Human interaction and reliability analyses were perforred at the system and sequence level in the RSS analysis. These interactions were g quantified by new techniques that have subsequently been incorporated in to the Swain and Guttmann handbook (NUREG/CR-1278) (Reference 18).
Subseque..t PRAs have employed this hancbook extensively. The Zion and Indian Point studies first introduced sone specific operator actions into their event trees. The TMI-1 PRA considerably extends consideration of operator actions.
g Operator actions to recover f ailed systers were found to be irportant to reducing risk at "idland and even nore irportant at TMI-1.
] 2-5 0559G111187ESR
).
Common cause failure of identical components was included in the system models. Advances in the methodology of treatment of common cause failure since the Reactor Safety Study have resulted in the use of the beta
) f actor or rultiple Greek letter" method in the TMI-1 PRA. This method distinguishes between multiple failures of two or three components.
Details of this methodology can be found in Section 2.2, (Common Cause Failure Parameters) of the Data Analysis Report.
Uncertainty analysis and the inclusion of uncertainty in representing the
) results is an essential part of any PRA. Not all Interim Reliability Evaluation Program and RSSMAP PRAs represented their uncertainties quantitatively. The TMI-1 PRA made a special effort to cuantify the uncertainty in the results. The use of frequency distributions rather than point estimates for core damage frequency is seen as an important irprovement toward increasing the confidence, rigor, and credibility of
_) the risk assessments.
Some PRAs, such as Limerick's, refer to point estinates of risk without associating with these numbers any statistical parameter, such as mean, k median, or mode. The RSS "bcst estimate" values were represented as medians, and judgmental "uncertainty factors" were estinated for the 3 final frequency and consecuence values.
to be lognormally distributed. The RSS The risk estimates were assured median core relt frequency is 6 x 10-5 for pressurized water reactors (PWR), with an approximate uncertainty factor of 5. Based on the legnormal distribution, one obtains a mean value of 1.3 x 10-4 for the RSS.
3 Point estimates reported in all studies, except those for Oyster Creek.
Zion, Big Rock Point (BRP), and Indian Point, were redians; that is, "best estirates" or 50th percentile results. In this type of work, rean values wil1 almost always be higher than the redians; therefore, comparisons among results of various PRAs should be rade by using equivalent statistical parameters; i.e., reans should be corpared to J means and redians to medians, but not reans to redians. In addition, since the TMI-1 PRA includes the irpact of external events, its results should only be cocpared to those of other PRAs that also included external events.
2.4 IMPACT OF RECENT INFORMATION D
Any PRA is a model and a living docurent. As such, it provides an estimate of the actual but unknown core darage frequency and is subject to change as a result of new information and changes to study assurptions.
Since the results presented in this report were calculated, additional infornation has been received, which indicates that the J contribution from some events has been overestimated. This inforration Will reduce the uncertainty associated with and the rean frecuency of a number of rajor contributors to the core damage frequency. This will also decrease the mean f recuency of core damage. New inferration has been received about the effects of the loss of control building ventilation and the consecuences of fires in the control building. Also, D recent tests of the effect on reactor coolant pump seals of losing both cooling and injection indicate that rore tire ray be available before leakage becomes large. All of this information, if it eliminated the 3 2-6 0559G111187ESR
contributions of loss of CBY and of the most important fires, could
. reduce core damage frequency by up to approximately 50%.
2.4.1 LOSS OF CONTROL BUILDING VENTILATION
)
Included in the frequen:y of loss t :nzrol building ventilation scenarios that go to core damage is tne likelihood that the operator recovers cooling to the equipment in the control building before the room temperatures reach 104*F. At 104*F, equipment required to maintain reactor coolant pump seal injection or cooling and mitigate the failure
) of the seals is assumed to be lost. Tests in September of 1967 have indicated that more time is available for operator action prior to the hottest rocms reaching 104*F. It may, in fact, take as long as 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for these rooms to reach 104*F. This longer time is due to initial overestimations of the heat generation rates in these rocms. In addition, the outside air temperatures for which temporary ventilation
) would be ef fective can therefcre be higher. More time availabic for recovery will result in a higher likelihood that the operator will succeed in establishing alternative ventilation. This higher likelihood will reduce the frequency of loss of control building ventilation scenarios that go to core damage, thur reducing the total core damage frequency. If the heatup is slow enough so the operator has more than '
) enough time to perform the action successfully, then the frequency of the scenario will become insignificant. Because the total contribution of these scenarios is currently so great, any change in their contribution would significantly reduce the total core damage frequency. The results of these recent tests will be reviewed and their impact on the estimated core damage frequency will be inccrporated into the next revision of the
) PRA.
2.4.2 FIRE HAZARD SCENARIOS Two areas of recent changes relative to the PRA fire scenario frequencies are:
J
- 1. Additional Appendix R modifications made after ccmpletien of the PRA analysis. For instance, pcwer is now removed from some valves during normal operatior., which precludes their actuation by hot shorts during a fire that is currently considered in the PRA.
3 2. New procedures have been put into place to provide acre guidance on equipment operation and recovery for specific fires. Among the fires to which these procedures apply are those of the most importance in the PRA. These procedures provide guidance for the operator, from the control roca or frca the remote shutacwn panel, to operate
) equipment more ef fectively, which will prevent or mitigate RCP seal failures.
2.4.3 REACTOR COOLANT PUMP SEALS Tests perfcrmed by the Westingnouse Electric Company on RCP seals (Reference 19) under loss of all AC pcwer conditions have shcwn that 3 reactor coolant pump seals leaked no more than 16 gpm during the 20-hour 2-7 D 0559Glll197ESR
k l
)
test. It is believed that these tests may be represer.tative of the seals !
. for the reactor coolant pumps at TMI-1.
B Except for station blackout and loss of river water scenarios, no credit was taken in the PRA for recovery of seal cooling and/or seal injection in scenarios af ter both were lost. Seal LOCAs o: cur, as noted previously in the loss of control building ventilation scenarios, in all the fire scenarios that were explicitly modeled, and in other scenarios in which multiple independent failures occur.
D Incorporation of these actions and additional recovery time, which the Westinghouse tests indicate are available, will significantly increase the likelihood of successful accomplishment of these and such actions that already exist in the PRA. Increasing the application of recovery and the likelihood of successful recovery will reduce the frequency of D core damage scenarios that contain the failure of seal injection and cooling, thus reducing the total core damage frequency.
9 e
O D
D D
h 0559G111197ESR l
g g , ,._...._.____
TABLE 2-1. SCENARIOS CONTRIBUTIf;G SIGt;IFICAtTLY TO CORE DAMAGE FREQUEf;CY*
Sheet 1 of 2
" " U" RCP Mean Order Seal eme Frequency N u<We r Description r. ore Damage 7 g)_ per Reactor ure Frequency (percent) Year 1 Loss of control building ventilation and failure **
33.3 1.83 x 10-4 to establish alternate room cooling.
2 Fire in auxiliary building MCC area ( AB-FZ-6; t 5.5 3.00 x 10-5 hazard scenario 1).
3 Fire in control building switchgear room IS i 3.6 2.00 x 10-5 (CB-FA-2b; hazard scenario la).
7 4 Fire in control building ESAS cabinet area
- i 3.6 2.00 x 10-5 (CB-FA-3c; hazard scenario 1), and the operator fails to use the alternatise shutdown system correctly.
5 Nedium LOCA and f ailure to establish sump 2.4 1.30 x 10-5 recirculation.
O Excessive r:ain feedwater, leading to llPI actuation; i 1.9 1.02 x 10-5 tailure to provide liPI minimum-flow recirculation after HPI flow throttling, leading to HPI pump failure; and failure of RCP seal cooling Icading to seal LOCA with no liPI available.
7 Fire in control building IE switchgear room i 1.8 1.00 x 10-5 (Cb-FA-3b; hazard scenario 1).
l *1f all scenarios were listed, the total contribution to the core damage frequency would equal 1007..
l **Long-term decay heat removal is also unavailable.
t Scal cooling and injection are both f ailed.
0560G111187ESR:7
U U U U U U v v v v" y TABLE 2-1 (continued)
Sheet 2 of 2 RCP Contribution g ,9 Order Seal tJurte r Description Core Damage Frequency Fail- per Reactor ure requency
( percent) Year 8 Loss of air; failure of RCP seal injection and
- cooling.
1.1 6.26 x 10-6 9 Large LOCA and failure to establish sump 1.1 5.95 x 10-6 recirculation.
10 5teara generator tube rupture and failure of 1.1 5.88 x 10-6 one train of decay heat removal and the opposite n2 train of decay heat cooling water, Icading to
- 2. loss of long-term decay heat removal capability.
o 11 Very srall LOCA and failure of both trains of 1.1 5.78 x 10-6 decay heat cooling water, Icading to loss of long-term decay heat removal capability.
Subtotal 56.5 3.10 x 10-4 All Other Scenarios 43.5 2.4 x 10-4 Total 100 5.5 x 10-4
- 5ca) cooling and injection are both failed.
0560G111127ESR:8
O TABLE 2-2. INITIATING EVENT CATEGORIES CONTRIBUTING SIGNIFICANTLY TO CORE DAMAGE FREQUENCY
!O Percent Mean Description Contribution Freauency to Core Damage per Reactor Frequency Year
- O INTERNAL 80.6 4.43 x 10-4 Loss of Support Systems: 52.8 Loss of CBV 36.4 2.00 x 10-4 lO Others 8.? 4.53 x 10-5 l Loss of Offsite Power
- 5, 2.90 x 10-5 l Loss of River Water to Pumphouse 2, 1.58 x 10-5 All Other Transients 11.1 6.09 x 10-5 l -
'O Very Small LOCAs (includicg steam generator tube rupture) 10.1 5.58 x 10-5 All Larger LOCAs 6.5 3.58 x 10-5 LOCA outside Containment < 0.1 1.00 x 10-7 EXTE R'lAL 19.4 1.07 x 10-4 j Fires Explicitly Modeled** 15.7 8.64 x 10-5 l
All Other Fires and All
,O Internal Floods (2 < 1.00 x 10-5 Earthquakes 0.5 2.70 x 10-6 External Flood 1.4 7.5 x 10-6 lQ Tornado << 0.1 1.2 x 10-8
' l 1
Turbine Missile < 0.1 2.3 x 10-7 Aircraft Crash < 0.1 1.0 x 10-7 O Toxic Chemical < 0.1 2.6 x 10-7 1 I
- Loss of of f site power could also be included in the external category, I
- Fires, though internal to the plant, are usually categorized as l external events. '
O j i
l O 2-11 0560G110987ESR i I
' TABLE 2-3. SYSTEMS CONTRIBUTING SIGNIFICANTLY TO THE FREQUENCY OF CORE DAMAGE FROM INTERNAL EVENTS
.O System Total Contribution System to Core Demage Frequency From O Internal Events Control Building Ventilation 43%
0 High Pressure Injection 37%
Electric Power 24%
Main Steam and Feedwater 23%
0 RCS Pressure Control 22%
Decay Heat Cooling Water 21%
Intermeaf ate Closed Cooling Water 9%
.O Emergency Feedwater 6%
, Instrument Air 4%
Nuclear Services Cooling Water 4" O Engineered Safeguardi, Actuation 2%
Reactor Protection 1*
NOTE: A system's contribution is calculated by adding the frequency of all sequences in which the failure of the system occurs and core damage results. This sum is % hen divided by the total core damage frequency from internal events only to calculate the percentage contribution from each system. Since more than one system failure
'O may ccur in e ch c re damage sequence, the total percentage due to all system contributions exceeds 100%. These precentages are higher than would be obtained by basing them on the total core damage frequency.
O O 0560G111187ESR:9
~ '
, TABLE 2-4. CORE MELT FREQUENCY COMPARIS0N (Occurrences per Reactor Year)
- Sheet 1 of 2 PRA Study "
Median Mean Sponsor 04te Published Venoor Team S
TMI Internal 3.5 x 10-4 4.4 x 10-4 Level 1 Babcock & wticos PLG/GPUN General Pubite Utilities Internal and Esternal 4.5 m 10-4 5.5 x 10-4 01/87 Nuclear Midland Internal and 2.1 m 10-4 3.1 x 10-4 Level 2 Babcock & Wilcon PLG Consumers Power Company Enternal 05/84 Indf an Point 2 - Internal 5 5.0 7.9 a 10-5 .
Internal and Enternal 1.0 ma 10- 10 4 1.4 a 10-4 04/82 Westinghouse PLG Consolidated Edtson Company Indian Point 3 - Internal 3.0 i 10-5 y,3 ,30-4 . !
Internal and Enternal 5.0 x 10-5 y,4 ,30-4 04/82 Westinghouse PLG Consolidated Edison Company
, RSS-Surry-Internal 6.0 x 10-5 1.2 a 10-4
- tevel 3 Westinghouse WASN-1400 AEC NRC 10/75 2fon - Internal 5.0 x 10-5 5.7 x 10-5 Level 3 Westfnghouse PLG Commonwealth Edison i
Internal and External 5.2 a 10-5 6.7 a 10-5 09/81 T
ORS Internal 4.0 x 10-5 9.6 a 10-5 t,,,i 3 1
Oconee-Internal 2.0 x 10-4 4.0 x 10-4* tevel 2 Babcock & Wilcox RSSMAP NRC 05/81 Sequoyah 6.0 x 10-5 1.2 a 10-4* tevel 2 Westinghouse RSSMAP NRC 02/81 4 N
- e Arkansas Wl. clear One - 5 x 10-5 Level 2. Ba cock & Wilcom IREP NRC g c-* Internal 06/82 a GJ s Calvert C11f fs - 2 x 10'3 Level 2 Costiustion IREP NRC Internal 05/82 Engineering
, Crystal atver 4 x 10-4 Level 2 abcock & vficox SA! NRC/IREP i A 12/81 i
l 8ellefonte Unit 1 - 8etweenj0-4 Level 1 Sabcock & Wticon PLG Tennessee Valley Authority l Internal and External and 10- 10/85
! Seabroot - Internal and ' 1.9 x 10-4 2.3 a 10-4 tevel 3 Westinghouse PLG Pubile Service Company of
- External 12/83 New Hampsttre t'
Oconee Unit 3 - 1.8 m 10-4 2.5 x 10-4 Level 3' Babcock & W11com Duke Power Electric Power Research 4
Internal and Enternal 06/84 Company /NSAC Institute t i S 4
' Crand Gulf - Internal 3.0 a 10-5 6.0 x 10-5* tevel 2- General Electrec RSSMAP NRC 10/81 RSS-Pasch Bottom 3.0 a 10-5 6.0 x 10-5 level 3 General Electric WASH-1400 AEC/NRC '
l Internal 10/75 1
L feerf ck - Internal 1.5 a 10-5 2.8 x 10-5 Level 3 General Electric ' 5AI Phfladelphia Electric 09/82 Company j Browns Ferry unf* 1 - 2 x 10-4 tevel 2 General Electric IREP NRC Internal 07/82 f i
?
1
- Calculated from the medlar; assumes lognormal distribution; uncertainty factor of 5.
a '
0560Gi10987ESR
{ .
5 i
llll
,1 I
V 2
f o
2 y y n n t s a a e e p p e m m h
it o o i y C C F l n S ia n r tp o e U "0 P
Um o is w o
$ tC d P s E ae a ec n o hi ig t v t r rr s o oe o B ts G e
e s
U h u
o 9
n m i a t e s G G T e L l L P P t
c ic ic U irt t r
t r
) c c c r e e e d o d lE lE lE e n e
u W l
a la la n e r
e r r c
i n n n t e e e C C C n
o d c e U (
" fs h
2 1I 1I 2 e6 le8 les8 l
4 e6 h
u les8
- v/ va/ v a/
P e1 eh1 eh4 2 e L0 tP1 lP0 t
E a D
L B
A 5 3 T 0 0'
n 3 1 a
U e M
o, 0
m 9 1 5 4 n 4 0 0 ia 0 1 1 d 1 m m e
M m U 3 7 6
4 6
l a
n r
e la n
y t
n r
e la d I t n
u r t
l a Inl e a t U S A
R er ne ot n
n r
e I
n e
P t a imta -
lsE l9 tE h c
d lin fd n t
a Ma Pa M O
f g ~swb o
llll\ 1l!l i i1
i! l:l l 4.
U 2 0
1 S
O O N
I T
U B
I
" R T
S I
)
R D O A Y E C L Y N A R E
U T
O O Q T 3 T E l 0 C R 1 A F E >
R E O G)
R AT E MA P AM DR S O T EF N R E OY V CT I
E FS O E
(
ON E
G YD A T I Y M LT A I I L
D BL R
SN A
N E
R O
AI BB OA RB O E C PO T R N F AP I 4
- O R(
L 3 0 P 1 Y A C 1 T N -
O E I T U M T
Q O E R .
F 1 2
E R
U S G I
L F
E O
gee 9 ewe 9>-
e Uab:am O
- ll' lr !il!
O O O O G O O O O D O 1.0 TYPE 5% 5%
50 % 95% MEAN
^ TOTAL INT R AL 2.0x10-4 3.5x10-4 7.7x10-4 4.4x10-4 y O.8 - TOTAL A
> INTERNAL b
d TOTAL c) EXTERNAL 3.2x10-5 6.5x10-5 2.6x10-4 1.1x10-4 g 0.6 -
m N uJ MEDIAN h$$ TOTAL 2.6x10-4 4.5x10-4 9.4x10-4 5.5x10-4
$ 0.4 -
8
(
0.2 -
TOTAL EXTERNAL #
5%
0 i .
./ ,/ )
10-6 10-5 10-4 10-3 10-2 FREQUENCY OF COGE DAMAGE (EVENTS PER REACTOR YEAR)
FIGURE 2-2. TMI-1 PRA PROBABILITY OF CORE DAMAGE FREQUENCY DISTRIBUTIONS (CUMULATIVE PP.0BABILITY FORMAT) l
t E.
, 3. INSIGHTS AND RECOMMENDATIONS 9 The TMI-1 PRA has produced a number of operational modifications and several technical insights into the operation of the plant. Based on the results* of this PRA, it has been possible to identify the most meaningful actions to be taken to better understand the contributors to, and to reduce the frequency of, core +. mage. These are presented in Section 3.3.
D As a result of the TMI-1 PRA, a number of technical insights into the operation of the plant were gained. These insights and the resulting recommendations (some of which were incorporated early enough to be used within the analysis) are presented in Sections 3.1 and 3.2.
9 3.1 OPERATIONAL CHANGES RESULTING FROM AND INCORPORATED INTO THE PRA These changes were:
o The system analyses for the reactor building emergency cooling water 9 system identifed that it was possible for the system discharge valve to fail to open, when required, and possibly go undetected due to lack of definitive instrumentation and procedures. As a result, changes were made to the system surveillance procedures, alarm response procedures, and operator training material. These changes provided an ef fective increase in the opportunity for operator action, which was credited in the analysis.
O e
Early and current results of the TMI-1 PRA show failures in the control building ventilation system (CBVS) to be large contributors to core damage frequency. Recommendations were made that will result in changes to the CBYS emergency procedures. These changes 9 incorporate the use of emergency fans to cool the engineered safeguards electrical equipment if normal ventilation is lost.
Credit was taken for these changes in the analysis. (Note: All equipment necessary for operators to use these revised procedures has been procured; however, the connections required to attach them to existing plant duct work are not complete as of October,1987.)
3 e The makeup and purification system operating procedure and the engineered safeguard system status checklist were revised to ensure that when makeup pump B is selected for engineered safeguards actuation, its corresponding lube oil pumps are powered from the same electrical power train as the 3 makeup pump. This prevents a mismatch from taking place.
i 3 *Recent information based on tests of TMI control building ventilation system and a review of assumptions used in determining the effects of important fire scenarios are discussed in Section 2.4.
^
3-1 0561G111187ESR
D.
3.2 TECHNICAL INSIGHTS Foremost among the insights gained by the PRA is the recognition of D factors underlying the greatest portion of risk.at TMI-1. These factors and their relative contria' ution to risk are described below.
e Failures of Support Systems, Including Control Building Yentilation.
As shown in Table 2-3, tailures or support systems contribute to a major part of the calculated core damage frequency at TMT-1. The D predominant support system failure is that of the controt 'uilding ventilation system (43%), which, in turn, fails the safety-related AC and DC power to plant systems and leads to a failure to remove decay heat.
Other support system failures contributing significantly to core D damage frequency are electric power (24%), the decay heat river water and closed cooling water systems (21%), intermediate closed cooling water for reactor coolant pump seal cooling (9%), instrument air (4%), and nuclear services cooling water (4%),
e Reactor Coolant Pump Seals. Failure of RCP seal cooling and seal ,,
D injection is believed to lead to degradation, leakage, and eventual failure of the seals, even with the pumps not running, as long as the RCS is hot and pressurized. Such failures, called "seal LOCAs," that are accompanied by loss of HPI flow occur in scenarios that account for a majority of the core damage frequency in this study. Changing knowledge about seal LOCAs would not necessarily eliminate their D contributing the same portion of the calculated core damage frequency, however, since many of the seal LOCA scenarios (such as loss of CBVS described above) would eventually lead to core damage anyway because of the failure to remove decay heat. In many such scenarios, however, seal LOCAs will dictate the time available to recover systems and prevent core damage, e Operator Actions. Many operator actions are modeled in the PRA, and their inclusion is an important factor in preventing core damage in many sequences. (These actions and their importance are sumarized in Table 3-1.) Such sequences include many in which the operators successfully restore failed systems (control building ventilation, 3 decay heat closed cooling water or decay heat river water, and offsite or onsite power) or initiate a system when automatic initiation has failed (reactor protection; engineered safety features actuation). However, many core damage sequences include failures by the operators to take a procedural action; e.g., switchover from injection to recirculate following a LOCA, providing HPI pump minimum 3 flow recirculation when throttling HPI, and initiating HPI cooling, e Fires. This study included many of the fire protection modifications mace at TMI-1 to comply with 10CFR50 Appendix R.
However, the PRA fire analysis included the likelihood (albeit small) of fires more intense than those considered in Appendix R. These low frequency 3 fires would be intense enough to compromise the fire barriers provided in accordance with Appendix R to protect equipment in the area of the fire. The possibility of such fires is substantiated by l
0561G110987ESR
k the industry data (see Section 3 of the Environmental and External Hazards Report), . including the Licensee Event Reports that identify the occurrence of degradation of fire barriers and of failures of administrative controls. These low frequency fires contribute
).. approximately 15% to the frequency of core damage. All such scenarios involve seal LOCAs with failure of makeup to the RCS.
ihe models and data for fire frequency, severity, propagation, and-suppression are not as well refined as those used for other parts of the PRA. Therefore, the uncertainty associated with the results of
) the fire analysis is higher. Among the major assumptions made in performing the fire analysis that contributed to this increased uncertainty by requiring more analy,st judgment, were:
Probability and Location of Critical Fires Fire Growth and Propagation
) -
Fire Suppression Hot Shorts (See Section 3, Spatial Interactions of the Environmental and External Hazards Report for a detailed discussion of the assumptions
) involved in, and the limitations of, this analysis.) -
e Train Dependency in Decay Heat Removal. At TMI-1, the decay hea t river water, closea cooling water, and decay heat removal systems are composed of two separate trains without cross-connection capability from the control room. The decay heat removal (OHR) system is the
) only system with cross-connection valves between the trains and these are manual valves. As a result, a large number of combinations of unavailabilities or failures of two components, one in each train, can lead to failure of the DHR function. Also, failure of one DHR train with failure of the opposite train of AC or DC power is important. Although operator actions will mitigate many of these 3 occurrences, contribution, train dependency still leads to a high core damage o
Distribution of Core Damage Frequency. Although the major part of core damage frequency is attributable to sequences discussed above, a significant portion of the frequenc number of low frequency sequences.This y is accounted makes it difficult for by a large to 3 discuss these sequences or to develop meaningful insights from them except by looking at system actions that occur in many scenarios.
3.3 RECOMMENDATIONS
) The following recommendations were based on the insights described in Section 3.2 and on other findings during the PRA. These recommendations are the product of the thinking of many people at GPUN, PLG, and attendees of the Technical Review Board meetings. The recommendations ,
l have not been subject to "cost-bonefit" analysis, and before significant j expenditures are made, such analysis will be required. As a follow-on '
) activity to the PRA, the benefit in terms of core damage frequency reduction and the various costs associated with acting on each of these i recommendations should be quantified and compared to other options for controlling and reducing risk.
)
1 0561G111197ESR L. .. .
D.
e Control Building Ventilation System. Since failures of the control building ventilation system contribute to 43% of the total core damage frequency from internal events,.several actions are I recommended to better understand this problem, improve the reliability of the system, and improve the operator's ability to cope with system failures.
The temperatures at which equipment in the control building would fail is an important assumption in the analysis. More accurate D estimates of these temperatures should be pursued. If the failure temperatures are higher, more time will be available for system recovery, and some equipment may not fail at all.
A procedure to provide temporary emergency ventilation to critical areas of the control building by using portable fans D should be instituted. Development of this procedure started as a result of the PRA, and the PRA CBVS ar.alysis takes credit for the existence of this procedure. (Note: The viability of any such procedure is still limited by the outside air temperature.)
As an alternative or as a supplement to the above procedure, a
) procedure for reducing the loading on buses in the control building (and thus reducing the heat generation rates) could be instituted. If sufficient time is available, reducing loads is less desirable than using temporary emergency ventilation because reducing load minimizes the equipment available for use during the shutdown.
) -
Certain minor modifications to the CBVS could reduce or eliminate some system failure modes, e
Currently, all of the second-floor area isolation dampers are supplied from one power supply, and all of the third-floor 3 area isolation dampers are fed from another power supply. A rearrangement of these power supplies could reduce the vulnerability of room cooling to failure of a single DC power supply, e
Indication in the control room of the CBVS inlet, outlet, and J recirculation dampers does not show actual damper position.
Providing indication to the operators from limit switches would make timely response to a damper failure more likely.
e The CBYS control air supply is vulnerable to flooding or fires in the area of the compressors. A backup air supply from the plant instrument air system would reduce this vulne 'hility.
Investigt 'venents in maintenance, spare parts inventories, and job "
system to %at would reduce the time needed to restore the the unavai .on af ter a failure and therefore would rcduce 3 i ties of CBVS equipment.
3-4 0561G110987ESR
)
e Reactor Coolant Pump Seals. Because RCP seal leakage and failure tollowing loss or seal injection and seal cooling are important in many core damage scenarios, a better understanding of this issue is
) important and improvements to these important support systems should be sought.
GPUN should follow industry activities on the subject of RCP seal integrity and factor what is learned into design, maintenance, and operations, as well as into the PRA.
)
The intermediate closed cooling water pump discharge check valves have a history of failure that impacts the reliability of that system for providing RCP seal cooling. Improvements in design or maintenance should be investigated.
) -
Loss of instrument air causes loss of both seal cooling and seal injection. Improvements to air system reliability are thus valuable. The new air dryers should improve system reliability although the dryer transfer mechanism is still a vulnerability that requires prompt operator action in case of failure (to avert a plant trip and loss of RCP seal cooling).
)
Procedures and training should emphasize the importance of seal cooling, seal injection, and the actions necessary to prevent seal damage, e Fires. The fire hazard scenarios, which were signficant contributors
.) to the core damage frequency in the TMI-1 PRA, should be examined more carefully to confirm the validity of the assumptions about which cables and other ecuipment are damaged. All Appendix R nodifications that have been completed to date and recovery actions currently in procedures should be included in the PRA model. If they continue to
) be important scenarios, the values used for frequency of occurrence, severity and nonsuppression factors should be further analyzed to reduce the uncertainty associated with them.
e Onsite Electric Power. Failures in the onsite electric power system are significant contributors to core damage frequency. Several vulnerabilities and potential improvements have been identified.
TMI-1 diesel generators have starting failure rates comparable to the industry average, but higher than average maintenance unavailabilities primarily caused by preventfve maintenance.
Unavailability due to preventive maintenance stems from scheduling maintenance during periods of plant operation. The
) maintenance program and scheduling should be evaluated with the aim of achieving the lowest possible total unavailability for the diesel generators.
During automatic start attempts of the emergency diesel
) generators caused by an engineered safeguards actuation signal, the diesel shutdown relays are blocked, which allows starting air to continue flowing to the engines until the air supply is exhaus ted. For nonengineered safeguards starts if the engines are not running within 7 seconds (as evidenced by oil pressure 3-5 0561G111187ESR
D.
and RPM), the air supply valves close. Closing the valves conserves air and allows the operator to correct the cause of the start failure and make another start attempt without having to I recharge the air supply tanks. A modification to the starting circuit is recommended to allow multiple start attempts even during engineered safeguards automatic starts.
In scenarios in which AC power sources are lost, the time for which DC power will continue to be available for instrumentation I and control is an important factor. Battery capacity, loads, and procedures for conserving DC power should be reviewed with the aim of maximizing the time available before DC power would be lost, e Offsite Electric Power. The ability to restore offsite power af ter
, an extended loss could be jeopardized by the design of the switchyard in which power for air compressors and breaker heaters comes from the switchyard itself. In cold weather, a station blackout could result -
in the breakers becoming inoperable af ter some period of time, as the SF6 gas cools down. Two additional J00-kW diesel generators, separate from the plant emergency diesel generators, are presently D being procured to mitigate this situation, e
Decay Heat Removal, Closed Cooling Water, and River Water.
Combinations ot unavailability or ta11ure of components in these systams (or associated power supplies) contribute significantly to core damage frequency. This is due largely to the strict separation O of the trains, which produces many pairs of train A and 8 failures.
Two areas of improvement seem worthwhile. First, the unavailability of decay heat removal trains could be reduced. This requires an examination of maintenance policies and practices. Second, the ability to cross-connect trains mechanically and/or electrically should be examined. This will require some modifications. The 8 ability to back up decay heat river water with another river water source (as can be done with nuclear services and secondary services river water) should be considered, o High Pressure Injection. The HPI system and several operator actions ssociateo with it appear as important contributors to core damage
.requency.
3 Recommendations relating exclusively to operator actions are described later in this section. Certain aspects of the HPI system design should be considered for possible improvement.
Failure of the operator to open MU-V-36 and MU-V-37 to provide a recirculation flow path for the HPI pumps when throttling HPI or 3
~' makeup could be avoided by leaving those valves open at all times or by providing an automatic opening signal on low flow. The former is preferable for both reliability and simplicity and should be pursued.
D C 0561G110987ESR
).
- BUST suction valves (MU-V-14A and MU-V-148) failure leads to almost immediate HPI pump failure. Operating with the suction crossties open would provide increased reliability, but would
) introduce a possible single failure (pipe break) for the HPI system. This change is being investigated.
The "B" HPI pump oil pumps are powered from bus IC, which may be fed from a different AC power train than HPI pump B itself, although procedures have been modified to reduce the time in this
) configuration. The automatic transfer of bus IC is blocked by an engineered safeguards signal . ( A similar situation exists with nuclear services river water pump B and its discharge valve.)
Consideration should be given to removing the engineered safeguards block, or to some other method of eliminating this failure mode.
)
e LOCA Outside the Reactor Building (V-Sequence) . Although this sequence is not a major contributor to core damage frequency at TMI-1, it could be reduced even further. Current testing procedures incorporate precautions and make operators aware of V-sequence hazards. They reduce the estimated risk by allowing the operator to -
9 detect leakage prior to fully opening the valves. The frequency of testing the OH-V-4A and DH-V-4B valves during operation should be investigated to determine if a reduction in risk could be achieved by a change in test frequency. Operator training and procedures should be modified to specifically address breaks outside the reactor building.
)
e Preventive Maintenance. Preventive maintenance is important for ensuring the reliable performance of components and systems.
However, the time that a component or system is out of service for preventive maintenance is also one contributor to the unavailability of the sistem. In the case of some systems at TMI, this contribution
) is significant.
For example, desilting the intake screen and pump house cause: a large portion of the unavailability of the river water pumps, and the yearly overhaul of the emergency diesel generators signi ficantly ince Mes the time that the diesels are unavailable during TMI-1 operations. We recommend that the preventive maintenance program, policies, and practices be reviewed and revised, when necessary, to achieve the highest possible system availability (which means minimizing the sum of all of the contributors to unavailability).
e Operator Actions. Many operator actions are important in the TMI-1 PRA and contribute significantly to reducing the calculated core 3 damage frequency. However, the failure of the operators to successfully perform certain actions contributes to core damage in a portion of the scenarios. Some of these actions are discussed in other sections, with recommendations for improvement of the systems involved. Others included are:
J
) 3-7 0561G102287ESR
).
Failure to switch over fron injection to recirculation af ter a LOCA is the dominant source of recirculation failure. The major portion of this failure is due to human error. The assumptions
) used in the human error calculation leading to this conclusion should be reexamined, and, if validated, several corrective actions should be pursued. One option would be to automate the opening of the sump suction valves on low BWST level. (Note:
The reliability of this automatic action would also have to be calculated and factored into the calculation of core damage frequency.) Another option would be to improve training cnd
) procedures to allow the operators to perform this task with a higher reliability.
Failure to provide HPI pump minimum-flow recirculation was discussed elsewhere with potential system improvements. If these
) system improvements are not feasible, then improvements in training, and procedures are in order to improve the reliability of this human action.
Failure to initiate HPI cooling is the most significant cause of failure of the HPI core cooling mode. The human action analysis involved should be examined for any actions that increase the '
) reliability of HPI cooling initiation. If no means of automating the action is feasible (and none has Deen suggested), efforts will have to be directed to operator training and emergency procedures. i In many scenarios, recovery of failed or unavailable systems is
) important to preventing core damage. Some examples are recovery s of off site power or a diesel generator af ter a station blackout, recovery of river water systems af ter a loss of river water (intake screen clogging), recovery of control building ventilation, and recovery of decay heat removal systems. The
) ability to perform the: e actions could be improved by preplanning, stocking spare parts and emergency equipment, and training.
)
)
2 3-8 0561G102287ESR
l
,. l J* '
TABLE 3-1. OPERATOR ACTION FAILURES CONTRIBUTING SIGNIFICANTLY TO THE FREQUENCY OF CORE DAMAGE
- Sheet 1 of 2 O Operator Action Category ecWC Operator Action Category Contribution E (specific operator action) to Core Damage At Contribution 9"'"##
(percent)
(percent)
(/
Operator Restoration and Recovery 30 e soss of CBY initi. .ing event 17 (includes operator fails to estcblish alternate cooling).
O e At least one train of DliR starts 5 and runs and one train of onsite AC power is recovered in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
e Loss of river water initiating 3 event from operatu history data (includes operator fails to n
clear the screen before plant tri;). -
e Recover river water. 2 e Recover river water with steam- I driven EFW pump failed.
e Recover onsite or offsite power < .1 during a station blackout with Q steam-driven EF'4 pump failed, e Recover single train of onsite <.I power or offsite power.
e Provide alternate ventilation af ter < .1 control building ventilation failure, given failure of nuclear Q services water.
e Recover single train of onsite < .1 power or of f site po.ver with steam-driven EF'4 pump failed.
e Recover onsite or of fsite power <1 during a station blackout.
P#
Manual Actions To Actuate Systems 12 o Minimum-flew recirculation is 6 established af ter successfully tnrottling HPI.
e Recirculation available and 5 c)
' initiated within 1 minute of BWST Icw level alarm during a large or medium LOCA.
- Indicates failure of the action described.
NOTE: A system's contribution is calculated by adding the frequency of all g' sequences in which the failure of the system occurs and core iamage results. This sum is then divided by the total core damage frequency i
from internal events only to calculate the percentage contribution from each system. Since more than one system failure may occur in each core damage sequence. the total percentage due to all system contributions exceeos 100%. These precentages are higher than would be obtained by basing them on the total core damage frequency.
O 0560G111187ESR:10 3-9
1 TABLE 3-1 (continued)
Sheet 2 of 2 Operator Action 3
a ugory Operator Action Category Operator Contribution (specific operator action) Action to Core Damage equency Cet@tM (percent) ( ercent)
]
e Operator initiates HPI cooling. I e Throttle makeup flow using MU-V16s <1 before diesel gener tor train A fails, h e Operator identifies SGTR. <1 e Throttle makeup flow using MU-V16s. <1 e Cool the plant down to repair a < .1 small leak.
e Throttle makeup flow using MU-V217. < .1 l e Recirculation available and < .1
[ initiated within 10 minutes of BWST f
low level alarm during a small or
! very small LOCA.
i e Throttle makeup flow using < .1 O HU-V217, tven that offsite fas t af ter plant power is l- trip, l'
e Cool the plant down during < .1 an SGTR leak in RCS, Manual Backup to Automatic Actuations 8 3 e At least one pump started, given 2 no of fsite power, no instrument i
air, and only one train of j emergency AC power available.
l e Primary safety valves reclose 2 l af ter passing water, and operator throttles HPI flow.
h I
e At least one pump started, given 1 no offsite power and only one train of emergency AC y power available. !
'l e At least one pump started, given .I
% no offsite power and no J
instrument air.
e PORY recloses af ter passing water and operator throttles <l HPI flow. I 4
s e Given emergency AC train A < .I or B and of fsite power 3 available.
i Total Contribution to Core Damage Frequency of All Manual Actions 50 h 3-10 0560G110987ESR I
O,.
- 4. REFERENCES
- 1. American Nuclear Society and Institute of Electrical and Electronics O Engineers, "PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," U.S.
Nuclear Regulatory Commission,' NUREG/CR-2300, April '1983.
- 2. DiNunno, J., F. Anderson, R. Baker, and R. Waterfield, "Calculation O of Distance Factors for Power and Test Reactor Sites," TID-14844 March 1962.
- 3. Farmek'F. R., "The G'rowth of Reactor Safety Criteria in the United Kingdom," Anglo-Spanish Nuclear Power Symposium, Madrid, Spain, November 1964
<O 4. Garrick, B. J., and W. C. Gekler, "Reliability Analysis of Nuclear Power Plant Protective Systems," HN-190, U.S. Atomic Energy Commissinn, May 1967.
- 5. Garrick, B. J., "Principles of Unified Systems Safety Analysis,"
Nuclear Engineering and Design, Vcl. 13, No. 2, pp. 245-321, 1970. ~
- 6. "Canvey: An Investigation of Potential Hazards from Operations in the Canvey Island /Thurrock Area," U.K. Health and Safety Executive, May 1978.
- 7. U.S. fluclear Regulatory Commission, "Reactor Safety Study: An O
Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," WASH-1400, NUREG-75/014, October 1975.
- 8. Electric Power Research Institute, "Analysis of Three Mile Island-Unit 2 Accid:nt," Nuclear Safety Analysis Center, NSAC-1, July 1979. '
- 9. The President's Commission on the Three Mile Island Accident, "The Need for Change - The Legacy of TMI," October 1979.
- 10. Rogovin, M., and G. T. Frampton, "Three Mile Island, a Report to the O Commissioners and to the Public," Government Printing Office, January 1980.
- 11. U.S. Nuclear Regulatory Commission, "TMI-2 Lessons Learned Task Force Status Report and Short-Term Recommendations," NUREG-0578, July 1979.
O 12. U.S. Nuclear Regulatory Commission, "TMI-2 Lessons Learned Task Force Final Report," HUREG-0585, October 1979.
13.
U.S. Nuclear Regulatory Commission, "Action Plans for Implementing Recommendations of the President's Commission and Other Studies of g TMI-2 Accident," draf t report, NUREG-0660, December 1979.
O 0563G102287ESR
!Cl1
- 14. U.S. Nuclear Regulatory Commission, "Review of HRC Regulatory Processes and Functions," NUREG-0642, January 1980.
- C) 15. Pickard, Lowe and Garrick,:Inc., "0PSA,;0yster Creek Probabilistic Safety Analysis," prepared for Jersey Central Power and Light Company, draf t PLG-0100, August 1979.
- 16. ~ Pickard, Lowe and Garrick, Inc., Westinghouse Electric Corporation, and Fauske & Associates, Inc... "Zion Probabilistic Safety Study,"
. C) prepared for the Commonwealth Edison Company, September 1981,
- 17. Pickard, Lowe and Garrick, Inc., Westinghouse Electric Corporation, and Fauske & Associates, Inc., "Indian Point Probabilistic Safety .
Study," prepared for Consoll dated Edison Company of. New York, Inc.,
~
and the Power Authority of the State of New York, March 1982.
~ C)
- 18. Swain, A. D., and H. E. Guttmann, "Handbook of Human Reliability
~
Analysis with Emphasis on Nuclear Power Plant Applications,"'
NUREG/CR-1278, August 1983.
'19. ' Westinghouse Electric Corporation, "Westinghouse Owners Group- -
() Report, Reactor Coolant Pump Seal Performance Following the Loss of All AC Power," WCAP-10541, Rev. 2, November 1986. .
C) l C) !
l l
l n
O i
O l
O
() 4-2 l 0563G102287ESR !