ML20206J276

Rev 2 to Spec 9763-006-248-55, Spec for Fiberglass Pipe & Fittings for Public Svc Co of New Hampshire Seabrook Station Units 1 & 2. Related Info Encl
Person / Time
Site: Seabrook
Issue date: 11/05/1976
From: Chapla W, Kelly C, Parisano J (United Engineers & Constructors, Inc.)
Shared Package: ML20205K769
References: FOIA-87-7, 9763-006-248-55, 9763-6-248-55, NUDOCS 8704160057


Text

{{#Wiki_filter:

UNITED ENGINEERS & CONSTRUCTORS INC.
30 SOUTH 17TH STREET
PHILADELPHIA, PENNSYLVANIA 19101

SPECIFICATION
FIBERGLASS PIPE AND FITTINGS

PUBLIC SERVICE COMPANY OF NEW HAMPSHIRE
SEABROOK STATION UNIT NOS. 1 & 2

Specification No. 9763-006-248-55
Date: November 5, 1976

CHANGES INCORPORATED

ECA/DCN NO.    DATE
19-0272-A      12/21/81

TABLE OF CONTENTS

GENERAL INFORMATION
1.0 GENERAL
1.1 Scope of Supply
1.2 Work Performed By Others
2.0 APPLICABLE DOCUMENTS
2.1 Standards
3.0 TECHNICAL REQUIREMENTS
3.1 Service Conditions
3.2 Material
3.3 Fabrication
3.4 Identification
3.5 Inspection
3.6 Cleaning
3.7 Packaging
4.0 SHIPMENT
5.0 QUALITY ASSURANCE

GENERAL INFORMATION

Owner
Public Service Company of New Hampshire
1000 Elm Street
Manchester, New Hampshire 03105

Engineering Supervisor
Yankee Atomic Electric Company
1671 Worcester Road
Framingham, Massachusetts 01701

Engineer-Constructor
United Engineers & Constructors Inc.
30 S. 17th St.
P.O. Box 8223
Philadelphia, Pennsylvania 19101

Construction Managers
United Engineers & Constructors
30 S. 17th St.
P.O. Box 8223
Philadelphia, Pennsylvania 19101

Site Location
Seabrook Station
Approximately 6000 feet east of Seabrook, N. H. at termination of Rocks Road

Description
The Seabrook Station is a two unit nuclear power plant. Each unit is rated at 1200 MWe and includes a four-loop PWR and a tandem compound, six-flow turbine generator. The pipe and fittings will be part of the continuous chlorination system with the major portion of pipe to be installed in the circulating water tunnel system. The pipe will transport a solution of sodium hypochlorite in sea water which is used for control of marine growth.

1.0 GENERAL

1.1 Scope of Work

This specification establishes the requirements for fiberglass reinforced thermosetting vinyl ester or bisphenol-A-fumarate polyester resin pipe and fittings.

1.1.1 The Seller shall furnish, fabricate, inspect, test, clean, prepare for shipment and deliver to the jobsite, all pipe and fittings as defined in the attached bills of material and all supplements thereto.

1.1.2 The Seller shall be responsible for complying with the requirements of the regulatory agencies and standards referred to herein.

1.1.3 The Seller shall be responsible for complying with all the requirements presented in subsequent sections of this specification. Nothing in this specification shall relieve the Seller of the responsibility from performing, in addition to the requirements of this specification, such analyses, tests, inspections and other functions which the Seller considers necessary to insure that the material and workmanship are suitable for the required service and as dictated by good engineering practice.

1.1.4 The Seller shall supply any special tools or adhesive materials required for joining the pipe and fittings.

1.1.5 The Seller shall furnish the services of a field engineer to instruct Contractor's personnel on Seller's recommended installation procedures.

1.2 Work Performed By Others

The Seller will not be responsible for the following:
a) Unloading, storage, and erection
b) In place testing (if feasible)

2.0 APPLICABLE DOCUMENTS

The latest issue of the documents contained below, including all supplements, revisions and addenda in effect on the date of purchase order award are applicable when supplying pipe and fittings to this specification, and are made part thereof. All equipment furnished in accordance with this specification shall be manufactured in accordance with the following standards upon award of purchase order. These standards form a part of this specification to the extent specified herein.

The scope of jurisdiction of the various standards shall be as required by the governing body at the site of the power plant and as defined by the purchasing documents. If any conflict should occur between the referenced standards, the bills of material and/or this specification, such conflict shall be brought to the attention of the Purchaser for final resolution.

2.1 Standards

American National Standards Institute (ANSI)
1430 Broadway
New York, New York 10018
B16.5 Steel Pipe Flanges and Flanged Fittings

American Society for Testing and Materials (ASTM)
1916 Race Street
Philadelphia, Penna. 19103
Materials Specifications

U.S. Dept. of Commerce
National Bureau of Standards
Springfield, Virginia 22151
Voluntary Product Standard PS 15-69

3.0 TECHNICAL REQUIREMENTS

3.1 Service Conditions

The pipe and fittings will be part of the chlorination system which injects a sodium hypochlorite solution (produced by on-site electrolysis of sea water) into the ocean intake tunnel for the purpose of controlling marine growth. The pipe and fittings shall be designed for a useful life of at least 40 years.

3.1.1 External Conditions

The piping will be encased in the concrete lining of the intake tunnel supplying seawater to the plant. The concrete lining shall not be considered when determining the ability of the pipe to withstand the pressure and temperature conditions as stated in Paragraph 3.1.2.

3.1.2 Internal Conditions

The piping will be subjected to the following conditions:
a) Fluid - Sea water and sodium hypochlorite (NaOCl)
b) Concentration - 2400 ppm NaOCl, 25-36 ppt TDS (Salinity)
c) Flow Rate - 750 to 1500 GPM
d) Pressure (max) - 300 psi - 3" and smaller; 350 psi - 4" and larger
e) Temperature (max) - 100°F

3.2 Material

3.2.1 All pipe and fittings shall be produced from a vinyl ester or bisphenol-A polyester resin and glass. The resin, reinforcement, colorants, fillers and other materials, when combined as a composite structure, shall produce pipe and fittings that meet or exceed the requirements in specifications ASTM D-2310-71, ASTM D-2996-71, ASTM D-2997-71 and/or Voluntary Product Standard PS 15-69.

3.2.2 All pipe and fittings shall contain a resin-rich liner, reinforced with a minimum C-Veil of 40 mils. The Seller shall indicate to the Purchaser the minimum wall thickness of the pipe and fittings required for the temperature and pressure conditions stated in Paragraph 3.1.2.

3.3 Fabrication

3.3.1 The fabrication of the pipe and fittings shall be as free as commercially practical from visual defects such as inclusions, dry spots, air bubbles, pin holes, blisters, cracks, crazing and delamination as indicated in ASTM 2563, "Recommended Practice for Classifying Visual Defects in Glass-Reinforced Laminates and Parts Made Therefrom." Evidence of poor workmanship shall be sufficient cause for rejection.

3.3.2 Flange dimensions (except thickness) and bolting shall correspond to ANSI B16.5 for class 150 lb. Flange faces shall be flat faced with a smooth surface.

3.3.3 The pipe and fittings supplied shall have a uniform total thickness of laminate and glass-to-resin ratio without excess resin or unsaturated glass.

3.3.4 No metal reinforcement within the laminate is allowed.

3.3.5 Thixotropic agents such as Cab-O-Sil are prohibited.

3.3.6 The exterior surface of the pipe and fittings shall have a relatively smooth, uniform met texture with no exposed unsaturated reinforcing fibers.

3.3.7 The joining system recommended by the Seller shall be capable of withstanding the compressive forces imposed by the concrete lining as well as providing a leaktight joint capable of supporting the entire axial load imposed by the internal pressure. If socket type fittings are recommended, they shall be designed to insure proper entry and alignment of the pipe and shall incorporate an integral pipe stop. Where adhesives are required to be used, the Seller shall notify the Purchaser of all precautionary steps necessary to insure proper curing for the following environmental conditions which will exist in the tunnel during construction.
a) Relative Humidity - 70 to 100%
b) Temperature - 20° to 100°

3.3.8 The Seller shall furnish instructions and all necessary materials for making the field joints.

3.4 IDENTIFICATION

All pipe and fittings shall be identified by the Seller in accordance with the ASTM standard to which it was fabricated. The unique identification shall consist of the applicable ASTM specification, type and grade of material and any additional marking which will aid in identifying the material.

3.5 INSPECTION

Prior to shipment, all pipe and fittings shall be inspected by the Purchaser unless specifically waived in writing. A 72 hour advance notice is required for inspection. Evidence of poor workmanship shall be cause for rejection.

3.6 CLEANING

The Seller shall submit a cleaning and cleanliness control program to the Purchaser for review. The program must specify methods used in maintaining cleanliness and cleaning procedures used during and after fabrication.

3.7 PACKAGING

3.7.1 All openings shall be capped or plugged to provide protection from physical damage. Handling equipment, blocking, strapping, or hold down devices shall be applied so as to prevent surfaces from being marred.

3.7.2 All loose fittings and other miscellaneous materials such as adhesives shall be bagged or boxed and properly identified. The Seller shall indicate the shelf life of all adhesives.

3.7.3 The preparation for shipment shall be such that, upon arrival at the jobsite, the pipe and fittings are essentially in the same condition as when they left the Seller's shop.

4.0 SHIPMENT

The pipe and fittings as shipped shall be clearly marked and include the following information:

Public Service Company of New Hampshire
Seabrook Station
Seabrook, New Hampshire
Purchase Order No. 9763-006-248-69

5.0 QUALITY ASSURANCE

Within thirty (30) days after award of contract, the Seller shall officially submit a Quality Assurance Program for the Purchaser's review. Subsequent changes to the Quality Assurance Program shall also be submitted for review prior to their implementation.

BROOKHAVEN NATIONAL LABORATORY
ASSOCIATED UNIVERSITIES, INC.
Upton, Long Island, New York 11973
(516) 282-3337
FTS 666
Office of the Director

September 26, 1984

Mr. David Schweller, Manager
Brookhaven Area Office
U. S. Department of Energy
Upton, New York 11973

Dear Mr. Schweller:

Enclosed is one copy of a proposal to the Nuclear Regulatory Commission entitled, "Review of the PRA for the Seabrook Nuclear Power Plant," FIN A-3778, being submitted for your review and approval. The proposal is being submitted in response to a request from NRC dated September 5, 1984. Two copies have been sent to Mr. R. W. Barber, Department of Energy, one copy has been sent to Mr. T. L. DiCaloma, Nuclear Regulatory Commission, and six copies have been sent to:

Mrs. Sybil Boyd, Program Assistant to the Director
Division of Systems Integration, MS P-1102
Office of Nuclear Reactor Regulation
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

The total cost of this program is $84,000. The funds obligated to date are $50,000.

This proposal has been prepared in accordance with the statement of work attached to the aforementioned letter. If there are any questions regarding the document, please call the principal investigator or Mr. A. J. Romano, FTS 666-LO24, Department Administrator for the Department of Nuclear Energy.

Sincerely yours,
H. C. Grahn
Assistant Director for Financial Planning

Enclosures
cc: R. W. Barber (2)
S. Boyd (6)
T. L. DiCaloma

A REVIEW OF THE SEABROOK STATION PROBABILISTIC SAFETY ASSESSMENT

Abel A. Garcia, Principal Investigator
December 12, 1984

Prepared by
T. J. Altenbach, P. G. Prassinos, A. A. Garcia, J. B. Savy (Lawrence Livermore National Laboratory)
P. J. Amico (Applied Risk Technology Corporation)
J. W. Reed, M. W. McCann Jr. (Jack R. Benjamin & Associates, Inc.)
P. R. Davis (Consultant)

Lawrence Livermore National Laboratory
7000 East Avenue
Livermore, CA 94550

Prepared for
Division of Safety Technology
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D. C. 20555


TABLE OF CONTENTS

1 EXECUTIVE SUMMARY
1.1 Internal Events
1.2 External Events
1.2.1 Earthquakes
1.2.2 Fires
1.2.3 Aircraft Crash
1.2.4 Internal Flooding
1.2.5 External Flood
1.2.6 Hazardous Chemicals and Transportation Events
1.2.7 Extreme Wind
1.2.8 Turbine Missiles
1.3 References for Chapter 1

2 INTRODUCTION
2.1 Background
2.2 Scope
2.3 Review Assumptions
2.4 Summary of Results Presented in the SSPSA
2.4.1 Questions Answered by the PRA SSPSA
2.4.2 What was Considered in the Analysis
2.4.3 Results
2.4.4 Key Findings and Insights
2.5 References for Chapter 2

3 INTERNAL EVENTS ANALYSIS
3.1 Initiating Events
3.1.1 Completeness of Initiating Events Considered
3.1.2 Initiating Event Frequencies
3.1.3 Issues Directly Included as Initiating Events
3.2 Event Trees
3.2.1 General Event Tree Findings
3.2.2 Specific Event Tree Findings
3.2.3 Issues of Importance to the NRC
3.3 Success Criteria
3.3.1 Emergency Core Cooling Early
3.3.2 Emergency Core Cooling Late
3.3.3 Containment Heat Removal
3.3.4 Revised Success Criteria
3.3.5 References for Section 3.3
3.4 Systems
3.4.1 Electric Power System
3.4.2 Service Water System
3.4.3 Primary Component Cooling Water System
3.4.4 Instrument Air System
3.4.5 Reactor Trip, Solid State Protection System, and Engineered Safety Features Actuation System
3.4.6 Containment Enclosure Air Handling System
3.4.7 Emergency Core Cooling System
3.4.8 Emergency Feedwater System
3.4.9 Reactor Coolant Pressure Relief System
3.4.10 Main Steam System
3.4.11 Containment Building Spray System
3.4.12 Containment Isolation System
3.4.13 Control Room Complex Heating Ventilation and Air Conditioning
3.5 Human Factors
3.5.1 General Comments on the Human Factors Analysis
3.5.2 Specific Comments
3.6 Failure Data
3.6.1 Random Component Failure Rates
3.6.2 System Failure Probabilities
3.6.3 Conclusions
3.7 Operating Experience Analysis
3.7.1 Initiating Events
3.7.2 Component Failures
3.7.3 Maintenance Data
3.7.4 Common Cause Failure Parameters (Beta Factors)
3.7.5 Human Errors
3.7.6 Concluding Remarks
3.8 Analysis Codes
3.8.1 Data Analysis
3.8.2 External Events Analysis
3.8.3 Plant Model Analysis
3.8.4 Accident Phenomena, Containment and Site Analysis
3.8.5 Concluding Remarks
3.9 Accident Sequences
3.9.1 Review of Appendix H, Section H.2.1
3.9.2 Review of Appendix Section H.22
3.9.3 Review of Section 11.1, Core and Containment Response Analysis Overview
3.9.4 Review of Section 11.5.3 Time Window Analysis
3.9.5 Review of Appendix B; Thermal-Hydraulic Analysis of Selected Accident Scenarios
3.9.6 References for Section 3.9
3.10 Dependencies
3.10.1 Review of Section 8, Dependent Failure Analysis
3.10.2 Review of Section 4.3.1.4 Common Cause Initiating Events
3.10.3 Review of Section 4.3.4.2 Common Cause Failure Rates
3.10.4 Review of Section 4.3.5 Plant Model Analysis of Dependent Failures
3.10.5 Review of Section 4.3.6 Spatial Interaction Analysis
3.10.6 Review of Section 6.3 Common Cause Failure Parameters (Beta-factors)
3.10.7 Review of Appendix E Support Materials for Spatial Interaction Study
3.10.8 Conclusions
3.10.9 References for Section 3.10

4 EXTERNAL EVENT ANALYSIS
4.1 Seismic Events
4.1.1 Seismic Hazard
4.1.2 Seismic Hazard/Fragility Interface
4.1.3 Seismic Fragility Assessment
4.1A Consulting Report
4.2 Fire Events
4.2.1 Fire-Hazard Analysis
4.2.2 Fire-Propagation Analysis
4.2.3 Plant and Systems Analysis
4.2.4 Concluding Remarks
4.2.5 References for Section 4.2
4.3 Aircraft Crash Analysis
4.4 Internal Floods
4.5 External Flooding
4.5.1 Background
4.5.2 Flood Initiators
4.5.3 Methodology
4.5.4 Conclusions
4.6 Hazardous Chemicals and Transportation Events
4.7 Wind Events
4.7.1 Tornado Wind Hazard and Frequency
4.7.2 Tornado Wind Fragility of Structures
4.7.3 Tornado Wind Initiated Scenarios
4.7.4 Tornado Missile Hazard and Frequency
4.7.5 Tornado Missile Fragility
4.7.6 Tornado Missile Initiated Scenarios
4.8 Turbine Missiles Hazard
4.8.2 Concluding Remarks

5 SUMMARY AND CONCLUSIONS
5.1 Problems and Omissions
5.2 Treatment of Uncertainty
5.3 Overall Evaluation of SSPSA

1.0 EXECUTIVE SUMMARY

Lawrence Livermore National Laboratory (LLNL) has conducted a review of the Seabrook Station Probabilistic Safety Assessment (SSPSA) [Ref. 1] for the Office of Nuclear Reactor Regulation (NRR) of the U.S. Nuclear Regulatory Commission (NRC). This probabilistic risk assessment (PRA) was performed by a contractor for Public Service of New Hampshire (PSNH) and Yankee Atomic Electric Company (YAEC). The SSPSA, completed in December 1983, was provided to the NRC "for its information" in January 1984. The review was performed by a project team composed of personnel from LLNL staff, subcontractors and consultants. The review began in June 1984 and was completed in December 1984.

The objective of the project was to perform an expeditious and cost effective review of those aspects of the SSPSA leading to estimates of the frequencies of each plant damage state and their associated uncertainties and to determine the accuracy of those estimates. The SSPSA results for core melt probabilities were 1.6E-4 per reactor year (RY) for internal events and 6.2E-5/RY for external events, for a total of 2.3E-4/RY. External events were dominated by contributions of 2.9E-5/RY from seismic events and 2.6E-5/RY for fires. The scope of the review did not include a review of containment response or offsite consequences nor extensive requantification.

The review process included one site visit, and one meeting with the plant owner (PSNH) held during the site visit. No meetings were held with contractors or consultants to PSNH, and the extent of formal and informal communications with PSNH was essentially nil. Although a set of detailed questions concerning material presented in the SSPSA was submitted to PSNH, no response was received. There is no doubt that the general lack of cooperation by PSNH with our review effort was largely due to the current nature of serious financial problems the utility was facing at the time and the relationship of these problems to the Seabrook Station. This lack of cooperation nevertheless significantly complicated and hindered the review process and made it impossible to reach meaningful conclusions in several areas of the review.

The review covered all major areas of the plant analysis and evaluation in the SSPSA. This included initiating events, event trees, success criteria (for functions and systems), fault trees, human factors, component and operating experience data and the treatment of uncertainty. The review of external events included earthquakes, fires, external and internal flooding, extreme winds, aircraft accidents, hazardous materials, and turbine missiles. The review effort expended in these areas varied significantly, both because of the extent and detail of the analyses presented in the SSPSA and because of the relative importances of specific areas. In general, more effort was expended on those areas that were or had the potential of being significant contributors to the frequency of core melt or to the various indices of public risk.

The scope of the review included an examination of several issues of particular concern to the NRC, including: (1) reactor coolant pump seal failure during station blackout, (2) depletion of station batteries during station blackout, (3) pressurized thermal shock, (4) steam generator tube rupture with stuck-open secondary steam relief valves, (5) anticipated transients without scram, and (6) stuck-open safety/relief valve.

No significant omissions were found in terms of an overall contribution to the frequency of core melt. Several modeling errors were found that indicate an incomplete or different understanding of interactions between plant systems or human beings (operators) and plant systems; these are described in the internal events section. Their significance could not be completely assessed.

The principal qualitative and quantitative conclusions of this review are briefly described below in general terms.

i 1 1.1 INTERNAL EVENTS ( The extent and type of internal event initiators and their treatment is generally reasonable and consistent with those considered in other PRAs. The event tree models in most cases correctly represented the accident sequence phenomenology assumed in the SSPSA; however, we have identified several areas of disagreement with the assumed phenomenology. We are also concerned that the requirement to have each event on an event tree independent of the others has resulted in large and very complex trees which are difficult , to follow and analyze, i.e., trees which are essentially inscrutable. In addition, the large number of sequences, on the order of 100 times as clany as in previous PRAs, effectively fragmented many accident scenarios which could (' be simply described as single sequences into a large number of sequences, so 1-3

that the usefulness of the event tree sequences as a means to obtain engineering insights was lost. Although many deficiencies in these trees are described in the text of this report, it was not possible to evaluate the effect of most, primarily because of the complexity of tre trees in the SSPSA and their use of proprietary codes to perform the quantitative evaluations. It is not clear whether the extensive detail in the event trees was appropriately used in assessing the risk consequences because we did not perfonn a review of the consequence analysis. The systems analysis is significantly different than any PRA which any of the reviewers had previously examined. The systems which were analysed were modeled with reliability block diagrams (RBDs) instead of the more traditional fault trees. The RBDs were constructed using a set of supercomponent blocks The RBDs were, in turn, used to develop logic expressions for system failure whir.h are dependent on specific initiators, boundary conditions and system function; and these expressions were used to quantify the system unavailabilities. Although the system models are reasonable in terms of representing the plant systems, the evaluation process in the SSPSA which uses the RBDs ultimately . h, provides significantly less information than is needed to perform a thorough l i review of the complete analysis. In particular, the RBDs were constructed as independent blocks which were quantified for various specific conditions, after which only the quantitative information was propagated in the analysis. Several important concerns are raised by the process: first, the analysis l' does not provide cut sets which represent sequences, so that important and l 1 1-4

useful qualitative information is not provided; second, the use of the support ! states appears to place undue emphasis on the ability of the analyst to recognize dependencies, while it simultaneously makes it virtually impossible for the reviewer to verify that inter-system dependencies received adequate treatment; third in spite of the fact that the systems models were found to contain many conservative assumptions, made principally to simplify the analysis, these conservative assumptions in combination with the support state evaluation process have the potential to mask important qualitative results. The functional success criteria used in the SSPSA were generally found to be reasonable, with some exceptions. These criteria, however not clearly stated in many cases, included both conservative and optimistic examples and in general were not justifled or adequately documented. The review of the failure rate data used in the SSPSA consisted of a comparison of the individual component failure rates with other sources and a review of system failure probabilities and unavailabilities. The SSPSA provided failure values for components, but it described as proprietary and did not provide information regarding the derivation of the values, the sources of data, or adjustments to the source data. The proprietary material was not reviewed for this report. The data values presented were found to be reasonably consistent with other data sources available to the review. A comparison of system failure probabilities with other sources of similar data revealed that these values were reasonably consistent with the other sources. 1-5

Several discrepancies were found and examined, but they did not change the overall results. The treatment of common cause data left us with some concern because of the exclusion of passive components and the use of very low beta factors for some components. Although no instance was identified that would significantly change the results, it was not possible to reach definitive conclusions in a few cases.

The reviews of the use of operational experience in the SSPSA found that the methodology used to develop a plant-specific data base was generally adequate and that it appears to have used a broad base of data sources. Although we have reservations about the proprietary nature of the actual data used in the analysis (which was not available to the review), the resultant data base appears to be generally acceptable. Two minor concerns are the use of nation-wide data to estimate the frequency of loss of offsite power and the use of only four categories to quantify the maintenance unavailabilities of all components at the plant.

The more than 20 computer codes used in the SSPSA generally appear to be adequate and appropriate for the analysis.

A review of severe accident progression methods and assumptions used in the SSPSA identified numerous minor discrepancies but none which appear to have the potential to significantly change the results.

Consideration and treatment of dependencies and common cause failures in the SSPSA were evaluated in the review in three categories: common cause initiating events, intersystem dependencies, and intercomponent
dependencies. The methodology used in the analysis appears reasonable and appropriate. No important omissions in the treatment of dependencies were identified by the review. Concerns regarding the treatment of common cause failures and the use of beta factors do not appear to have significant effects on the results.

The quantification process used in the SSPSA is the matrix formalism methodology developed by Pickard, Lowe and Garrick, Inc.

1.2 EXTERNAL EVENTS

The external event types considered in the SSPSA are earthquakes, fires, aircraft accidents, internal and external flooding, hazardous materials, extreme winds, and turbine missiles.

The methodologies used in the detailed assessments are generally reasonable and consistent with the state-of-the-art; however, there are notable disagreements in several areas. More detail is provided below for the various event types.

1.2.1 EARTHQUAKES

1.2.1.1 SEISMIC HAZARD

The methodology used in the evaluation of the frequency of the seismic hazard at Seabrook is consistent with the state-of-the-art of commercial PRAs. However, we disagree with numerous applications of the methodology in the SSPSA. In particular, the assessment of alternative model hypotheses and the assignment of subjective probability weights is not adequately supported. The ad hoc procedure used to perform the uncertainty analysis failed to document the choices made and the uncertainty assigned to key parameters in the analysis. A review of individual parameters in the analysis and a comparison with the interim Seismic Hazard Characterization Program lead us to qualitatively conclude that the hazard analysis results may be optimistic and the uncertainty underestimated. The absence of a more complete and well-documented uncertainty analysis leaves the seismic hazard results unsupported.

1.2.1.2 SEISMIC FRAGILITY

The methodology used in the SSPSA for determining the seismic fragilities is appropriate and adequate to obtain a rational measure of the strength of structures and equipment. The methodology obtained capacity values based on simple probabilistic models which used some data but currently rely heavily on engineering judgement. Based on a preliminary review of the results of the SSPSA, the mean frequency of core melt value of 2.89E-5 per year appears to be high relative to the hazard curves used in the analysis. A quick check suggests that the central capacity of the core melt fragility curve appears to be somewhere between 0.50g and 0.70g. It seems on the low side.

A spot check of the calculations indicates that the capacities of the key components at the SSE value are low. Using a ratio of the "95 - 5" value (i.e., the capacity corresponding to a 95% probability of less than a 5% frequency of failure) to the SSE value, ratios for key components at Seabrook are generally less than one while values for Limerick and Millstone are generally two or larger. Finally, comparing fragility parameter values of Seabrook and other PWRs (new and old), the capacity values of equipment considered also appeared to be low for Seabrook. Based on experience with past PRA reviews and the generally favorable impression of the plant we gained during the site inspection, we believe that the capacities of the dominant contributors should be reevaluated to determine whether the capacities are truly as low as indicated. We are optimistic that the capacities will be found to be larger.

1.2.2 FIRES

The fire analysis performed for the SSPSA appears accurate and valid. The frequencies of the fire induced initiating event which include system failure are reasonable. The contribution to core damage due to fires at the various locations analyzed falls within the range of those calculated from other fire assessments at nuclear power plants (1E-4 to 1E-7). About 11% of the core melt frequency is due to the eight fire induced accident sequences that appear in the top 43 contributors.

The methodology employed in the SSPSA for the evaluation of fires represents the state-of-the-art in fire risk analysis. We believe the screening process and the use of the 10CFR50 Appendix R fire evaluation identified all fire areas deserving detailed analysis. The fire frequency estimates for the various compartments were determined using acceptable methods and are reasonable.

The analysis of fire propagation for determining the loss of safety related functions is rigorous and explicit. The considerations of fire phenomena, material properties, fire detection and suppression, operator action, and modeling uncertainty at each fire location were reasonable. The conditional unavailability of systems due to fires appears to be accurate.

We have a concern, however, about the manner in which the fire induced initiating events are processed through the plant matrix. It appears that these initiating events, which already include component or system failures, are being incorrectly combined with auxiliary and front-line event trees that have not explicitly considered these same failures.

1.2.3 AIRCRAFT CRASH

Air traffic due to several airports and landing facilities near the Seabrook site is analyzed in the SSPSA. Using statistics for a 10-yr period, inflight crash rates per mile flown were calculated for commercial air carriers, general aviation aircraft, and military aircraft. Frequencies of aircraft crashes into the various structures of the plant were then calculated. Three scenarios were judged to be important enough for quantification in the plant model: (1) crash of a large aircraft into containment, with a frequency of 1.21E-8 per year; (2) crash into the control building, with a frequency of 1.39E-7 per year; and (3) crash into the primary auxiliary building, with a frequency of 2.00E-7 per year.

This analysis is judged to be reasonable and acceptable.

1.2.4 INTERNAL FLOODING

The SSPSA treats internal flooding primarily qualitatively, with a quantitative analysis performed for a turbine building and switchgear room flood. The qualitative analyses consider all internal flood sources for each defined location, including floods caused by fire protection equipment and sources from adjacent locations. In all these locations it was concluded that the risk due to flooding was insignificant.

A flood in the turbine building was quantified for three scenarios according to the postulated effects, as follows: (1) loss of offsite power, with a frequency of 3.2E-4 per year; (2) loss of offsite power and bus E5, with a frequency of 2.5E-6 per year; (3) loss of offsite power and busses E5 and E6, with a frequency of 8.5E-8 per year. These frequencies were then input to the full risk model quantification.

The quantification of the turbine building flood appears to be reasonable and adequate. The qualitative treatment of flooding in other locations is adequate.

1.2.5 EXTERNAL FLOOD

The assessment of external flooding consists of a qualitative screening of potential sources of flooding and a point estimate assessment of flood frequencies and core melt. A formal probabilistic analysis of external flood hazard or of plant systems response was not performed.

The SSPSA concluded from a qualitative screening of the Seabrook FSAR that a probable maximum hurricane combined with a standard project storm posed the greatest hazard to the plant. Based on subjectively estimated point estimates of flood frequencies, it was concluded that flooding at the elevation of plant structures, 21 feet MSL, has a median frequency of 1E-6 per year. The assumed uncertainty on the frequency of flooding led to the conclusion that the frequency of exceeding 21 feet MSL at the 95th percentile is 5E-6.

Although the frequency of flooding at the plant site due to hurricane precipitation is believed to be conservative, the absence of a probabilistic analysis that addresses all sources of flooding is considered to be a serious omission. The uncertainties in estimating the frequency of extreme flood events are believed to be much greater than that which was assumed.

Conservative assumptions for the frequency of flooding indicate that the contribution from this event is insignificant relative to other hazards. This conclusion, in the absence of a probabilistic analysis, is judged inadequately justified.

1.2.6 HAZARDOUS CHEMICALS AND TRANSPORTATION EVENTS

A qualitative and partially quantitative analysis was performed in the SSPSA to assess the potential for accident initiation due to industrial activities near the plant. Hazardous chemicals stored offsite or onsite were considered, as well as gas pipeline accidents (judged insignificant) and onsite truck crashes into the transmission lines.

The frequency of control room uninhabitability due to hazardous gas infiltration is estimated at 7E-7 per yr and is considered an insignificant contributor to risk. The frequency of a nonrecoverable loss of offsite power due to a truck crash into the transmission lines was calculated at 2.76E-4 per yr. This was considered significant enough to be included as an initiating event in the plant model quantification.

This analysis appears to be reasonable and acceptable.

1.2.7 EXTREME WIND

We conclude that the probability of damage to safety related equipment due to the effects of wind is on the order of 1E-7 per year or less. This agrees generally with the SSPSA, but our basis is different. Although the SSPSA addresses only tornado initiated scenarios, the safety-related structures were conservatively designed for a wind speed of 360 mph, so that the effects of hurricanes and other types of wind are implicitly included. We agree that wind hazard is not a significant external event.

1.2.8 TURBINE MISSILES

None of the six turbine missile initiating events identified in the SSPSA resulted in sequences that appear in the top 43 contributors to core melt or as a dominant contributor to any of the plant damage states.

The estimate for the probability of missile-generating turbine failures, 8.3E-5, is comparable to the recommended value, 1E-4, given in NRC Regulatory Guide 1.115. The mean values of the turbine missile initiating event frequencies range from 8.3E-5 to 1.27E-8 and account for main steam line breaks, control room failures, loss of condenser vacuum, large LOCA, loss of condensate storage tank and loss of primary component cooling.

Our qualitative review concludes that turbine missiles are not a dominant contributor to core melt or plant risk due to their low frequencies.

1.3 References for Chapter 1

1. SSPSA


2.0 INTRODUCTION

Lawrence Livermore National Laboratory (LLNL) has conducted a review of the Seabrook Station Probabilistic Safety Assessment (SSPSA) [Ref. 1] for the Office of Nuclear Reactor Regulation (NRR) of the Nuclear Regulatory Commission (NRC). This project is one of several in a larger NRR probabilistic risk assessment (PRA) review program in which a comprehensive review and evaluation is given to PRAs submitted to the NRC by license applicants and licensees.

2.1 Background

The roots of the PRA review program lie in the interest expressed in April 1980 by the Commissioners of the NRC in determining if there were any candidates for special risk studies at plant sites which may be risk outliers. The staff performed limited generic risk analyses for plant sites within the U.S. based on (1) weighted population density within a 30 mile boundary about the site, (2) plant power level, and (3) stage of construction. Three plant sites (Zion, Indian Point, and Limerick) were found to have a weighted density factor 10 to 15 times higher than the median (SECY-81-25) [Ref. 2]. The NRC required these plants to perform a PRA.

Seabrook is one of eight plant sites found to have a slightly lower weighted density factor (4 to 8 times the median). Although the NRC did not require that a PRA be performed for this plant, one was requested by the State of New Hampshire. It was performed by a contractor for Public Service of New Hampshire (PSNH), the plant operator, and Yankee Atomic Electric Company (YAEC), a part owner. The PRA was completed in December 1983 and provided to the NRC "for its information" in January 1984.

2.2 Scope

The objective of this project was to perform a review of those aspects of the SSPSA leading to the estimates of the frequencies of each plant damage state and the associated uncertainty spread to determine the accuracy of these estimates. The review covered methodology, assumptions, data, information sources, models, plant understanding, completeness of the analysis, and other areas where inconsistencies could affect the qualitative and quantitative results. The scope of the analysis did not include extensive reevaluation or requantification of plant damage state frequencies, nor a review of the containment response or consequence analysis included in the SSPSA.

2.3 Review Assumptions

The review philosophy on this subject was simple and straightforward, and applied throughout the review. Our approach was to examine the models and data in the SSPSA with respect to appropriate selection and application, and proper execution, and to determine whether or not any validation was required. We assumed that the use of standard computer codes, data sources, system modeling techniques, human factors information, etc., was acceptable and did not require validation except for the specific application(s) in the analysis. We similarly assumed that the execution of a particular application was acceptable if it generally conformed with previous work in the PRA arena that had received peer review. Conversely, if the choice of model(s) or data, or the application to a particular problem, or the manner of execution was new
and/or different than previously observed, and it was not obviously correct, we did not accept the new data or approach unless appropriate justification was provided or the justification was known to, and could be provided by us.

A specific area worthy of note is that we did not assume, a priori, that the application of a conservative, or very conservative approach necessarily provided an acceptable result. Although it is often assumed that this is not only a correct approach, but one where the analysis is consciously accepting a self-imposed penalty, we do not accept this argument. We would agree that in many, if not most, cases the conservative selection of general approach, model, or data leads to acceptably conservative results; however, the object of a PRA is to identify the dominant contributors to core melt, or to some other risk index, and the selection of excessively conservative models or data may produce results, especially qualitative results, that are essentially incorrect. This can occur because components, systems, or even accident sequences are effectively promoted in relative importance so that they may mask important results. If realistic models are used, the problem does not exist, and both the qualitative and quantitative results would be easier to evaluate in terms of NRC concerns with public safety and in terms of the utility's use of the results for both public safety and plant reliability considerations.

This is not to say that we take issue with the concept of screening evaluations, or the use of conservative models or data to simplify and make tractable what is already a very complex analysis. The point is that the choice of conservative assumptions in the analysis with respect to models and data in a PRA must be made with care, so that the results are not thereby distorted in such a manner that important insights are lost due to incorrect identification of dominant contributors.

2.4 Summary of Results Presented in the SSPSA

The content of this section is intended to provide a concise description of the results presented in the SSPSA, without comment or elaboration, i.e., from the perspective of PSNH. We intentionally drew heavily from the text of the SSPSA as a means of maintaining this perspective, and many brief quotes and near-quotes from the SSPSA are included in the material presented here, along with tables and figures from that report. As a consequence, this section may appear to lack development of important points or subjects. This section is organized with all of the text preceding the tables and figures.

The reader is cautioned to use the information in this section with care, and to refer to the SSPSA for additional detail, particularly to SSPSA Sections 2.3 and 2.4. We also note that this summary is provided here only as a convenience to the reader and that it is not intended to replace the summary information presented in the SSPSA.

2.4.1 Questions Answered by the PRA SSPSA

The three questions listed below provide a structure for the analytical work of the SSPSA and a framework for organizing the numerical results.

o What is the likelihood of core melt?
o What is the likelihood of release of radioactive materials as a function of release magnitude?
o What is the likelihood of damage to public health and property as a function of the level of damage?

The answers to these questions developed in the SSPSA are briefly described in Section 2.4.3 herein.

2.4.2 What was Considered in the Analysis

2.4.2.1 Initiating Events

The SPRA included consideration and quantification of the 58 initiating events listed in Table 2-1. The table includes the code designator used for each initiator in the study.

2.4.2.2 Plant Damage States

The SSPSA considered 39 plant damage states in the risk model. These PDSs are listed and defined in Table 2-2a. Their relationships to one another are illustrated in Table 2-2b.

2.4.2.3 Release Categories

The SSPSA used 13 release categories to represent the spectrum of release states. These 13 release categories can be further categorized into three groups: one group for categories in which the containment structure remains intact and isolated, a second for release categories that involve a gradual, long term degradation of containment integrity, and a third which involves early containment failure or bypass. Definitions of the release categories in each of these three groups are presented in Table 2-3. Each release category is represented by a three-part code. The code designator consists of an S, which denotes applicability to Seabrook Station, a number to indicate the absence of containment failure mode or state, a bar ( ) to indicate the absence of containment filtration by the containment building spray system, and a V to indicate the presence of an additional vaporization component of the source term for scenarios in which the molten core debris experiences sustained elevated temperatures. Certain symbol combinations corresponding to additional release categories which can be hypothesized are precluded by Seabrook Station design features. For example, there is no SS because the containment building sprays must function with adequate heat removal to keep the containment structure intact.

2.4.3 Results

2.4.3.1 Classes of Results Presented

The SSPSA presents results for the 7 classes of damage indices listed below, with consideration of uncertainty for each.

o Core melt frequency.
o Early fatalities; those occurring within a short time after exposure.
o Injuries (radiation illness not leading to fatality).
o Thyroid cancer cases (total occurring over a 30-year period); those resulting mainly from iodine ingestion and curable medically in about 90% of the cases.
o Latent cancer fatalities; those from cancers other than thyroid cancers, occurring over a 30-year period.
o Total population dose, or man-rem (whole body gamma dose).
o Total public property damage and evacuation costs in dollars.

The results are also presented in terms of single unit and station (2-unit) risk.

2.4.3.2 Numerical Results

The results of the SSPSA are presented in a probability of frequency format for each of the seven classes of damage indices.

2.4.3.2.1 Single Unit Risk

The probability of frequency of core damage (melt) is presented in Figure 2-1a (probability density) and Figure 2-1b (cumulative probability). The results for the remaining six damage indices are presented as risk curves including uncertainty in Figure 2-2a through 2-2f.

2.4.3.2.2 Two-Unit Station Risk

The evaluation of risk of the Seabrook Station with two operating reactors required that the following factors be taken into account.

o The increase in the likelihood of accidents because of the presence of two reactor units and the potential for interactions between the units.
o The possibility of simultaneous accidents in response to initiating events that affect both units.
o The possibility of common cause failures between units in response to an initiating event that affects both units.

The results for core melt frequency are presented in Figures 2-3a (probability density) and 2-3b (cumulative probability). The difference in the mean frequencies of single unit and station (2-unit) core melt events per year is less than a factor of two because of the elimination of double counting for those initiating events that cause a core melt in both units. In other words, Figures 2-3a and 2-3b illustrate the probability of frequency of one or more (two) core melts per station year. The contributions to the total event frequency from single and double unit events are illustrated below in terms of mean values.

Event                             Mean Frequency (Events Per Station Year)
Core Melt Involving One Unit      4.0 E-4  [(2.0 E-4) x 2]
Core Melt Involving Both Units    0.3 E-4
Total                             4.3 E-4

The effect of two-unit operation on the risk curves is illustrated in Figures 2-4a and 2-4b for early fatalities and latent cancer fatalities respectively. These figures contain plots of the mean value risk curves for two-unit (station) operations and the corresponding curves for single-unit operations. The two-unit station risk curves include contributions from single unit accidents as well as from double unit accidents. Figure 2-4a is indicative of the damage indices for early health effects, whereas Figure 2-4b is indicative of latent effects.

2.4.3.3 Principal Contributors to Core Melt and Risk

The matrix formation used in the SSPSA allows ready identification of major contributors to the numerical risk results by a process of decomposition of the risk matrices. The procedure for systematically determining the principal risk contributors begins with the risk curves and works progressively backward through the risk model to determine the most important paths insofar as numerical contributions are concerned.

2.4.3.3.1 Dominant Release Categories

The dominant contributions are identified by determining the relative importances of the release categories at various damage levels, in terms of the relative frequency of exceedance values.

Tables 2-4a and 2-4b present the relevant matrices for early fatalities and latent cancer fatalities, respectively, and Figures 2-5a and 2-5b are plots of the information in the matrices. Summary tabulations of the dominant release category contributions to risk for these risk indices are shown in Tables 2-5a and 2-5b, respectively.

The results of Figure 2-5a and Table 2-5a clearly show that release category S6V dominates the risk of early fatalities across the full range of damage level presented and S2V makes a small contribution. Release category S1 contributes to an extended tail of the risk curve at frequencies below 1E-9 as seen in Table 2-5a. None of the remaining 10 release categories were found to make a significant contribution to early fatality risk.

In Figure 2-5b and Table 2-5b, it seems that release categories S6V and S2V also contribute significantly to the risk of latent cancer fatality, especially in the low frequency range of the risk curve. In the low consequence relatively high frequency range of the risk curve, release categories S3V and S3 make significant contributions. Category S4V makes a small contribution across the full range of the latent cancer fatality risk curve, and category S5 has only a small contribution to the risk with no potential for large numbers of latent cancer fatalities.

The importance of a release category, as measured by its influence on the risk curves, depends not only on its frequency but on its potential for producing various levels of damage. The singular effect of each release category's potential for producing damage is measured by the elements of the S matrix whose results have been plotted in Figure 2-6a for early fatalities and Figure 2-6b for latent cancer fatalities. In Figure 2-6a, it is seen that over much
of the damage level range, category S1 has the highest potential to produce early health effects given its postulated occurrence, followed by categories S6V and S1 with category S2V having a much lower potential to produce damage. However, as shown in the previous section, categories S1 and S1 have an extremely low frequency of occurrence relative to categories S6V and S2V; thus, they make extremely small contributions to risk.

Hence, upon completing the first step of the risk unraveling process, it has been determined that of the 13 release categories utilized in the risk model to group the billions of accident sequences that were analyzed, only 4 release categories make significant contributions to risk. These are categories S6V, S2V, S3V, and S3. Of these, only categories S6V and S2V make significant contributions to the risk of early fatalities. The results of an uncertainty analysis performed in the evaluation show that it is necessary to add only two more categories to the above (namely, categories S5 and S4V) to obtain all categories making significant contributions to core melt frequency. Hence, 6 out of 13 release categories were found to be significant with respect to their contribution to risk or to frequency of occurrence according to the following key:

Significance Relative to:

Release     Risk:            Risk:             Occurrence
Category    Early Effects    Latent Effects    Frequency
S6V         Major            Major             Minor
S2V         Minor            Major             Major
S3V         None             Major             Major
S3          None             Major             Major
S4V         None             Minor             Major
S5          None             None              Major

2.4.3.3.2 Dominant Plant Damage States

Identification of the dominant plant damage states is accomplished by using the matrix tabulation of release category frequency of occurrence versus plant damage state. Table 2-7 shows this matrix. By examining the column of this matrix corresponding to the risk dominant release categories identified in Section 2.4.3.3.1 the dominant plant damage states are identified.

2.4.3.4 Comparative Results

The purpose of this section is to provide a perspective for viewing the absolute value of the risk levels calculated for Seabrook through the use of limited comparisons. Four types of comparisons are made, as follows:

o to risk levels calculated in PRAs of other nuclear power plants
o to risk from sources of energy other than nuclear power
o to sources of risk other than energy production
o to the provisional safety goals currently under evaluation by the NRC

Each of these comparisons is described in modest detail below.

2.4.3.4.1 Comparison to the Risk from Other Nuclear Plants

PRAs have been performed on about 20% of the nuclear power plants in operation
or under construction in the U.S. There are wide variations in the scope of these PRAs, which includes variations in the extent of the analysis, the type of plant, the site, as well as many other types of differences. It is nevertheless possible to divide these PRAs into two general classes: limited scope and full scope. Limited scope is defined as not including consideration of external events and limited to an evaluation of the core melt frequency. There are 13 of these. Full scope is defined as generally including consideration of external events and evaluating health risk. There are four of these.

The limited scope PRAs have mean values of core melt frequency ranging from 0.1 to about 3 core melt events per year, with an average of about 0.5 events per 1000 reactor years of operation. The Seabrook result is 0.23 events per 1000 years of reactor operations, near the lower end of the range.

The full scope PRAs have mean values of core melt frequency ranging from less than 0.1 to about 1.6 events per 1000 reactor years. The Seabrook result again compares favorably. An examination of the contributions to health risks and core melt frequency in the fuller scope PRAs reveals that there are general similarities in the results, such as the frequent appearance of fires and seismic events as risk contributors, and small LOCAs as important core melt contributors. In addition, two cases (including Seabrook) have the
interfacing systems LOCA as the dominant contributor to early fatality risk.

2.4.3.4.2 Comparison to the Risk from Other Sources of Energy

The description of comparative risks of alternative energy sources is based on the final report of the National Research Council Committee on Nuclear and
Alternative Energy Systems (CONAES) [Ref. 3]. In essence, the CONAES report states that for routine operation nuclear power poses smaller risks to the public than other alternative energy sources except for natural gas. For accidents, the large range of uncertainty that still attaches to nuclear risk calculations makes it difficult to provide a confident assessment of catastrophic reactor accidents, even though the projected mean number of fatalities is probably less than the risk from routine operation of the nuclear fuel cycle.

2.4.3.4.3 Comparison to Sources of Risk Other than Energy Production

This comparison, also based on the CONAES report, indicates that energy sources, in general, pose accidental death rates less than 1% of the rate due to all other causes of accidents such as automobile accidents, drownings, etc., and that this result is probably independent of the uncertainties in the calculation of nuclear accident risks.

2.4.3.4.4 Comparison to NRC's Provisional Safety Goals

A comparison to NRC's provisional safety goals is presented in Table 2-6. As can be seen in this table, the risk of early fatalities to the 4,435 individuals within 1 mile of the plant was found to be a factor of between 5 and 6 below the individual risk goal, and the 4.2 million people within 50 miles of the plant were found to have an individual risk of latent cancer fatality more than two orders of magnitude below the societal risk goal.

Note that the values calculated in Table 2-6 for Seabrook Station are mean values. The mean values are used to obtain the best match with the statement
of the risk goals in column 5. ' Unlike the median values, the mean values are significantly influenced (increased) by the uncertainties that were quantified. With regard to the core melt frequency design objective, the results of this the SSPSA of 1.9E-4 events per reactor year (median) are within a factor of two of the design objective. The use of median values for this core melt frequency comparison has been suggested by the NRC for the trial use of the safety goals. In view of the facts that the Seabrook results include contributions from a full spectrum of external events and that the NRC has indicated that care should be taken in the apportionment of external events to the design objective, the SSPSA results are viewed as comparing favorably with the design objective. If the contributions from seismic events, fires, and other external events were not included, the SSPSA results for the median core melt frequency would have been about 1.3E-4 events per reactor year. In light of the underlying uncertainties, there is not a significant difference between 1.3E-4 and 1.0E-4 events per reactor year. 2.4.4 Key Findings and Insights In general, insights from the PRA are presented in the SSPSA Sumary Report. l beginning on page 17. A listing of insights believed to be important is provided below, in the words of the reviewers. o Risks are low, but the core melt probability is higher than the proposed safety goal.

 ,/ o    A very large number of sequences contribute to the total core melt

! probability. The single most dominant sequence contributes less than 15% of the total, and the top 27 sequences contribute just over half to the 2-15

   . total.

( The V-sequence accident totally dominates the risk of early fatalities. o o External events are not important risk contributors (this result is not consistent with other recent PRA results: Zion, Indian Point, Oconee (NSAC/ utility assessment), Millstone Unit 3). o The most important initiating event in terms of core melt probability is loss of off-site power. . ( 4 i ( 2-16 i

2.5 References for Chapter 2

1. SSPSA
2. SECY-81-25
3. CONAES Report

TABLE 2-1. INITIATING EVENTS SELECTED FOR QUANTIFICATION OF THE SEABROOK STATION RISK MODEL

Group                     Initiating Event Categories Selected                    Code
                          for Separate Quantification                             Designator

o Loss of Coolant          1. Excessive LOCA                                      ELOCA
  Inventory                2. Large LOCA                                          LLOCA
                           3. Medium LOCA                                         MLOCA
                           4. Small LOCA                                          SLOCA
                           5. Interfacing Systems LOCA                            Y
                           6. Steam Generator Tube Rupture                        SGTR

o General                  7. Reactor Trip                                        RT
  Transients               8. Turbine Trip                                        TT
                           9. Total Main Feedwater Loss                           TLMFW
                          10. Partial Main Feedwater Loss                         PLMFW
                          11. Excessive Feedwater Flow                            EXFW
                          12. Loss of Condenser Vacuum                            LCV
                          13. Closure of One Main Steam Isolation Valve (MSIV)    IMSIV
                          14. Closure of All MSIVs                                AMSIV
                          15. Core Power Excursion                                CPEXC
                          16. Loss of Primary Flow                                LOPF
                          17. Steam Line Break Inside Containment                 SLBI
                          18. Steam Line Break Outside Containment                SLB0
                          19. Main Steam Relief Valve Opening                     MSRV
                          20. Inadvertent Safety Injection                        SI

o Common Cause
  Initiating Events

  - Support System        21. Loss of Offsite Power                               LOSP
    Faults                22. Loss of One DC Bus                                  L1DC
                          23. Total Loss of Service Water                         LOSW
                          24. Total Loss of Component Cooling Water               LPCC

  - Seismic Events        25. 0.7g Seismic LOCA                                   E.7L
                          26. 1.0g Seismic LOCA                                   E1.0L
                          27. 0.2g Seismic Loss of Offsite Power                  E.2T
                          28. 0.3g Seismic Loss of Offsite Power                  E.3T
                          29. 0.4 Seismic Loss of Offsite Power                   E.4T
                          30. 0.5 Seismic Loss of Offsite Power                   E.5T
                          31. 0.7 Seismic Loss of Offsite Power                   E.7T
                          32. 1.0g Seismic Loss of Offsite Power                  E1.0T

TABLE 2-1. (continued)

Group                     Initiating Event Categories Selected                    Code
                          for Separate Quantification                             Designator

  - Fires                 33. Cable Spreading Room - PCC Loss                     FSRCC
                          34. Cable Spreading Room - AC Power Loss                FSRAC
                          35. Control Room - PCC Loss                             FCRCC
                          36. Control Room - Service Water Loss                   FCRSW
                          37. Control Room - AC Power Loss                        FCRAC
                          38. Electrical Tunnel 1                                 FET1
                          39. Electrical Tunnel 3                                 FET2
                          40. PCC Area                                            FPCC
                          41. Turbine Building - Loss of Offsite Power            FTBLP

  - Turbine Missile       42. Steam Line Break                                    TMSLB
                          43. Large LOCA                                          TMLL
                          44. Loss of Condenser Vacuum                            TMLCV
                          45. Control Room Impact                                 TMCR
                          46. Condensate Storage Tank Impact                      TMCST
                          47. Loss of PCC                                         TMPCC

  - Tornado Missile       48. Loss of Offsite Power and One Diesel Generator      MELF
                          49. Loss of PCC                                         MPCC
                          50. Control Room Impact                                 MCR

  - Aircraft Crash        51. Containment Impact                                  APC
                          52. Control Room Impact                                 ACR
                          53. Primary Auxiliary Building Impact                   APA8

  - Flooding              54. Loss of Offsite Power                               FLLP
                          55. Loss of Offsite Power and One Switchgear Room       FL1SG
                          56. Loss of Offsite Power and Two Switchgear Rooms      FL2SG
                          57. Loss of Offsite Power and Service Water Pumps       FLSW

  - Others                58. Truck Crash into Transmission Lines                 TCTL

TABLE 2-2a. DEFINITION OF PLANT DAMAGE STATES USED IN SEABROOK STATION RISK MODEL

Plant     Conditions at Time of Reactor Vessel Melt-Through
Damage    --------------------------------------------------
State     Core Melt    Vessel Pressure    Cavity    Containment Condition

1D        Early        Low                Dry       Isolated, No Sprays, No Heat Removal
1F        Early        Low                Dry       Bypassed, Large Opening, No Filtration
1FP       Early        Low                Dry       Bypassed, Small Opening, No Filtration
1FA       Early        Low                Dry       Aircraft Crash, No Filtration
2A        Early        Low                Wet       Isolated, Sprays, Heat Removal
2C        Early        Low                Wet       Isolated, Sprays, No Heat Removal
2D        Early        Low                Wet       Isolated, No Sprays, No Heat Removal
2E        Early        Low                Wet       Bypassed, Large Opening, Filtration
2F        Early        Low                Wet       Bypassed, Large Opening, No Filtration
2FP       Early        Low                Wet       Bypassed, Small Opening, No Filtration
2FA       Early        Low                Wet       Aircraft Crash, No Filtration
3D        Early        High               Dry       Isolated, No Sprays, No Heat Removal
3F        Early        High               Dry       Bypassed, Large Opening, No Filtration
3FP       Early        High               Dry       Bypassed, Small Opening, No Filtration
4A        Early        High               Wet       Isolated, Sprays, Heat Removal
4C        Early        High               Wet       Isolated, Sprays, No Heat Removal
4D        Early        High               Wet       Isolated, No Sprays, No Heat Removal
4E        Early        High               Wet       Bypassed, Large Opening, Filtration
4F        Early        High               Wet       Bypassed, Large Opening, No Filtration
4FP       Early        High               Wet       Bypassed, Small Opening, No Filtration
6A        Late         Low                Wet       Isolated, Sprays, Heat Removal
6C        Late         Low                Wet       Isolated, Sprays, No Heat Removal
6D        Late         Low                Wet       Isolated, No Sprays, No Heat Removal
6E        Late         Low                Wet       Bypassed, Large Opening, Filtration
6F        Late         Low                Wet       Bypassed, Large Opening, No Filtration
6FP       Late         Low                Wet       Bypassed, Small Opening, No Filtration
6FA       Late         Low                Wet       Aircraft Crash, No Filtration
7D        Late         High               Dry       Isolated, No Sprays, No Heat Removal
7F        Late         High               Dry       Bypassed, Large Opening, No Filtration
7FP       Late         High               Dry       Bypassed, Small Opening, No Filtration
8A        Late         High               Wet       Isolated, Sprays, Heat Removal
8C        Late         High               Wet       Isolated, Sprays, No Heat Removal
8D        Late         High               Wet       Isolated, No Sprays, No Heat Removal
8E        Late         High               Wet       Bypassed, Large Opening, Filtration
8F        Late         High               Wet       Bypassed, Large Opening, No Filtration
8FP       Late         High               Wet       Bypassed, Small Opening, No Filtration
9A        Special States for Steam                  Bypassed, Sprays, Heat Removal
9C        Generator Tube Rupture                    Bypassed, Sprays, No Heat Removal
9D                                                  Bypassed, No Sprays, No Heat Removal


TABLE 2-3. RELEASE CATEGORIES EMPLOYED IN THE SEABROOK STATION RISK MODEL

Release Category      Release     Definition
Group                 Category

Containment           S5          Containment intact/isolated with enclosure air handling
Intact/Isolated                   filtration working.
                      A 55        Same as S5 but with enclosure air handling filtration
                                  not working.

Long Term             S2          Early containment leakage with late overpressurization
Containment                       failure and containment building sprays working.
Failure               U           Same as S2, but with containment building spray not
                                  working.
                      MV          Same as V, but with an additional vaporization component
                                  of the source term.
                      S3          Late overpressurization failure of the containment with
                                  no early leakage and containment building sprays working.
                      U           Same as S3, but with containment building sprays not
                                  working.
                      UV          Same as U, but with an additional vaporization component
                                  of the source term.
                      MV          Containment basemat melt-through with containment
                                  building sprays not working and additional vaporization
                                  component of the source term.

Early                 S6          Containment bypass or isolation failure with containment
Containment                       building sprays working.
Failure/Bypass        EV          Same as S6, but with containment building sprays not
                                  working and an additional vaporization component of the
                                  source term.
                      S1          Early containment failure due to steam explosion or
                                  hydrogen burn with containment building sprays working.
                      E           Same as S1, but with containment building sprays not
                                  working.


TABLE 2-5a. CONTRIBUTION OF RELEASE CATEGORIES TO RISK OF EARLY FATALITIES

Number of Early Fatalities
(percent contribution of release category)

1                10               100              1,000            10,000

W (98.981        55T (98.8)       557 (99.4)       W (99.4)         W (99.s)
W (0.92)         W (1.10)         W (0.52)         N (0.49)         51 (0.2s)
3T (0.24)
Others (< .1)    Others (< .2)    Others (< .1)    Others (< .1)    Others (0)

4.60-7           3.87-7           3.14-7           1.78-7           6.26-10

NOTE: Exponential notation is indicated in abbreviated form; i.e., 4.60-7 = 4.60 x 10^-7.

0921P110983

TABLE 2-5b. CONTRIBUTIONS OF RELEASE CATEGORIES TO RISK OF LATENT CANCER FATALITIES

Number of Latent Cancer Fatalities

1                  10                 100                1,000              10,000             100,000

5W (43.8)          3 W (41.9)         IN (31.7)          W (51.2)           3 N (44.8)         3 W (76.C)
37 (32.0)          3T (33.3)          W (30.3)           3 W (17.11         W (35.5)           W (22.4)
IN (12.3)          3 W (16.2)         3T (28.2)          IT (15.9)          IT (9.55)
5 W (5.51)         3W (5.73)          M (4.82)           M (11.9)           3 W (7.65)
55 (4.07)          I K (2.19)         W (4.11)
5W (1.67)
Others (< 1.0)     Others (< 1.0)     Others (< 1.0)     Others (< 4.0)     Others (< 3.0)     Others (< 2.0)

1.45-4             1.10-4             5.04-5             8.15-6             4.32-7             1.17-9

NOTE: Exponential notation is indicated in abbreviated form; i.e., 1.45-4 = 1.45 x 10^-4.
TABLE 2-6. COMPARISON OF INDIVIDUAL AND SOCIETAL RISKS CALCULATED FOR SEABROOK STATION AGAINST NRC INTERIM SAFETY GOALS

Risk Goal         Population        Population    Nonnuclear Risk     Calculated Risk     NRC Risk Goal Basis         Fatality Risk,
                  Segment                         (frequency of       (frequency of       (percent of nonnuclear      Percent of Component
                                                  fatality per        fatality per        risk)                       of Nonnuclear Risk
                                                  person per year)    person per year)

Early Fatality    1 mile radius     4,435         5.0 x 10^-4         8.6 x 10^-8         0.1% of Nonnuclear          0.0171
                                                                                          Accidental Fatality Risk

Latent Cancer     50 mile radius    4,200,000     2.0 x 10^-3         6.3 x 10^-9         0.1% of Nonnuclear          0.00035
Fatality                                                                                  Cancer Fatality Risk

* Based on mean values of uncertainty distributions.

TABLE 2-7. RESULTS OF MATRIX OPERATION gi C; FREQUENCY OF OCCURRENCE OF EACH RELEASE CATEGORY AS A RESULT OF EACH PLANT DAMAGE STATE

(Table: rows are Plant Damage States; columns are Release Categories.)
                                                                    .n ..
                                                              ..u                  ..

um ... . ...un ..u ... .....u.u.n .um...........= ... ..... . . ...... .....

  • Plant damage state and release categories are defined in Tables 13.1-2 and 13.1-3 respectively.

FIGURE 2-1a. UNCERTAINTY DISTRIBUTION FOR CORE MELT FREQUENCY EVALUATED FOR SEABROOK STATION - SINGLE UNIT OPERATION (PROBABILITY DENSITY)
[Plot not reproduced. Horizontal axis: event frequency (events per reactor year).]

FIGURE 2-1b. UNCERTAINTY DISTRIBUTION FOR CORE MELT FREQUENCY EVALUATED FOR SEABROOK STATION - SINGLE UNIT OPERATION (CUMULATIVE PROBABILITY)
[Plot not reproduced. Horizontal axis: frequency of single unit core melt (events per reactor year).]

FIGURE 2-2a. RISK OF EARLY FATALITIES
[Plot not reproduced. Horizontal axis: acute fatalities.]

FIGURE 2-2b. RISK OF INJURIES
[Plot not reproduced. Horizontal axis: early injuries.]

FIGURE 2-2c. RISK OF THYROID CANCER CASES
[Plot not reproduced. Horizontal axis: thyroid cancer cases.]

FIGURE 2-2d. RISK OF LATENT CANCER FATALITIES (OTHER THAN FATAL THYROID CANCERS)
[Plot not reproduced. Horizontal axes: latent cancer fatalities; percent increase in cancer fatalities within 50 miles.]

FIGURE 2-2e. RISK OF MAN-REM
[Plot not reproduced.]

FIGURE 2-2f. RISK OF PROPERTY DAMAGE AND EVACUATION COSTS
[Plot not reproduced.]


FIGURE 2-3b. UNCERTAINTY DISTRIBUTION OF CORE MELT FREQUENCY FOR TWO UNIT OPERATIONS (Cumulative Probability)
[Plot not reproduced. Horizontal axis: frequency of core melt (events per station year).]

FIGURE 2-4a. COMPARISON OF SINGLE AND DOUBLE UNIT RISK OF EARLY FATALITY (MEAN VALUES)
[Plot not reproduced. Horizontal axis: early fatalities. Curves: single unit, double unit.]

FIGURE 2-4b. COMPARISON OF SINGLE AND DOUBLE UNIT RISK OF LATENT CANCER FATALITY - MEAN VALUES
[Plot not reproduced. Horizontal axis: latent cancer fatalities. Curves: single unit, double unit.]

FIGURE 2-5a. CONTRIBUTION OF RELEASE CATEGORIES TO RISK OF EARLY FATALITIES (MEAN VALUES)
[Plot not reproduced. Horizontal axis: number of early fatalities. One curve is labelled "all release categories".]

FIGURE 2-5b. CONTRIBUTION OF RELEASE CATEGORIES TO RISK OF LATENT CANCER FATALITIES
[Plot not reproduced. Horizontal axis: number of latent cancer fatalities.]

FIGURE 2-6a. CONDITIONAL FREQUENCY OF EXCEEDANCE OF EARLY FATALITIES FOR RELEASE CATEGORIES S1,3T,32V, and T5V. S MATRIX (MEAN VALUES)
[Plot not reproduced. Horizontal axis: number of early fatalities.]

FIGURE 2-6b. CONDITIONAL FREQUENCY OF EXCEEDANCE OF LATENT CANCER FATALITIES FOR DIFFERENT RELEASE CATEGORIES (MEAN VALUES)
[Plot not reproduced. Horizontal axis: number of latent cancer fatalities.]

3.0 INTERNAL EVENTS ANALYSIS

The evaluation of internal events in the SSPSA uses support state methodology. In this approach, a number of support states are defined for various conditions of initiating event occurrence and system or train availability. The use of support state methodology in the SSPSA, in combination with very large and complex event trees, produced an analysis that is judged to be generally inscrutable and relatively useless to the reviewers for the determination of engineering insights. Although it was considered necessary to reconstruct the event trees to evaluate them, it was not possible to do this because of the limited time available to perform the review, the extreme complexity of the trees and the absence of critical pieces of information in the SSPSA. The details are provided in the sections of this chapter.

In very general terms, the internal event initiating event analysis is reasonable, comprehensive, and consistent with the state of the art. We concurred with the selection of initiating events except for the division of most of the general transients into several sub-classes, which we believe is unnecessary and inappropriate. In addition, three initiators did not receive adequate discussion in the SSPSA, and it appears that at least two of these should have been considered as separate initiating event classes. The initiating event frequency evaluation was also generally reasonable, and the event frequencies are generally consistent with other data sources; however, several minor deficiencies were identified in the review.

Our review of the entire internal event analysis in the SSPSA is described in the following sections of this chapter, which respectively address the topics listed below (in the noted sections): initiating events (3.1); event trees (3.2); success criteria (3.3); systems analysis (3.4); human factors (3.5); failure data (3.6); operating experience (3.7); analysis codes (3.8); severe accident sequence progression (3.9); dependencies (3.10); and the approach to quantification (3.11).

3.1 INITIATING EVENTS

The SSPSA evaluated more than one hundred individual internal initiating events in the process of defining a set of twenty-four internal initiator classes for the study. This section presents the results of our review of the completeness of the list of initiating events considered and of the frequency estimates assigned to each event.

3.1.1 Completeness of Initiating Events Considered

The SSPSA considered two general classes of initiating events, LOCAs and transients, in keeping with the traditional classifications established in previous PRAs. Three methods were used to identify the individual initiators which make up these classifications.

The first method is the Master Logic Diagram, which attempts to trace the thought process which follows from the question "How can a significant release to the environment occur?" This diagram traces down to the types of initiating events which can result in a failure to provide sufficient core cooling.

The second method is the Heat Balance Fault Tree, which has as its top event "initiating event occurs." The tree structure and analysis are based on the concept that an initiating event must involve an upset or imbalance in the thermal equilibrium of the plant. The tree attempts to logically model all the ways in which this can occur.

The third method is the Failure Modes and Effects Analysis. This is used specifically to look at support system initiators in greater detail than is possible with the other two methods. It is a "brute force" type of technique, where various support system failures are postulated and their effects tabulated to determine if they constitute unique plant conditions which do not fit into the initiator lists developed from the first two methods.

The final list of initiators is then compared to initiator lists from other documents, such as EPRI NP-2230 [Ref. 3.1-1], WASH-1400 [Ref. 3.1-2], and NUREG/CR-2300 [Ref. 3.1-3], as a further check for completeness.

In general, we found that the analysis performed as discussed above was comprehensive, and commendable in its attention to detail. The use of several methods provided assurance that all initiators were identified, since initiators missed by one method might be identified by another. Additionally, the fact that the different checks showed a substantial amount of overlap in the initiators identified gave us a good feeling that all the techniques were capable of identifying most of the initiators, at least at some level of detail. This means to us that they each have a high level of validity. On the other hand, we have nevertheless concluded that some initiators may not have been considered in sufficient detail, which will be discussed later. Overall, the process identified over 100 individual initiators.

Following the selection of the initiators, they were grouped into twenty-four initiating event classes. The purpose of this step is to reduce the number of initiating events which must be analyzed separately by combining into a single class all the initiating events which have nominally identical effects on the plant. That is, any group of initiators which require the same response from plant mitigating systems and which have the same effects on the ability of those mitigating systems to respond to the event should be placed in the same event class. The twenty-four plant classes used in the SSPSA are shown in Table 3.1-1.

In general, we concur with the selection of these plant classes, with one notable exception. The division of most of the general transients into classes 7 through 16 is not necessary, since they do not actually represent differences in plant response or effect on mitigating systems. While we would agree that they do represent differences in the initial phenomenology of transients, i.e., the root cause of the plant trip is different, they do not in general differ in any other way. Within the first few seconds following the plant trip, they are all nominally identical in plant response and the need for certain mitigating systems. Some of them do have a slightly different effect on the availability of a mitigating system which can supply secondary cooling. One way to provide secondary cooling is through the power conversion system (main steam, turbine bypass, condenser, condensate, and main feedwater (using startup feed pump) subsystems). Transients which result in main feedwater isolation or MSIV closure, or any condition which would lead to these events, render this path unusable. Thus, these ten initiating event classes need only be separated into two: loss of PCS (power conversion system) and non-loss of PCS.

Although the SSPSA separation of these transients into more classes than actually required is not incorrect in a strict sense, it does serve to dilute the results and mask insights. For example, a particular accident sequence common to a number of these classes could fail to appear in a list of dominant sequences because the classes are not individually significant. However, they may be significant when added together. The salient information required to make a reasonable judgement regarding the importance of that sequence is that it is initiated by a transient class of a given plant response, and it is not important specifically how the transient developed in its first few seconds. Our regrouping of these transients into the two required classes is shown in

TABLE 3.1-1
INITIATING EVENT CLASSES IN THE SSPSA

Initiator Category

1. Excessive LOCA
2. Large LOCA
3. Medium LOCA
4a. Small LOCA (nonisolable)
4b. Small LOCA (isolable)
5. Interfacing Systems LOCA
6. Steam Generator Tube Rupture
7. Reactor Trip
8. Turbine Trip
9. Total Loss of Main Feedwater
10. Partial Loss of Main Feedwater Flow
11. Excessive Feedwater Flow
12. Loss of Condenser Vacuum
13. Closure of One MSIV
14. Inadvertent Closure of All MSIVs
15. Core Power Excursion
16. Loss of Primary Flow
17. Steam Line Break Inside Containment
18. Steam Line Break Outside Containment
19. Inadvertent Opening of Main Steam Relief Valves
20. Inadvertent Safety Injection Signal
21. Loss of Offsite Power
22. Loss of an Essential DC Bus
23. Loss of Service Water
24. Loss of Primary Component Cooling

Tables 3.1-2a and 3.1-2b, using the PWR transient list from EPRI NP-2230 to illustrate how various transients would fall into the two event classes. It should be noted that some transients appear on both lists. These transients, while not automatically failing PCS, would result in significant asymmetric perturbations of plant systems which are more likely to result in failure of PCS than other transients. When determining the overall frequency of the event classes, we would assign 50% of the frequencies of these initiating events into each initiating event class.

The remainder of Section 3.1.1 discusses individual transient events which we consider not adequately discussed in the PSA.

3.1.1.1 Incore Instrument Tube Rupture

This event is representative of a class of LOCAs which discharge coolant into the reactor cavity rather than to the containment floor, thus resulting in initially no water buildup in the containment sump, which is required for recirculation. There was no indication in the SSPSA that this initiator was considered in detail during the initiating event analysis. This event was notable in the Millstone Unit 3 Probabilistic Safety Study [Ref. 3.1-4], but for one particular reason: at Millstone, recirculation is automatically actuated five minutes after containment spray actuation. This led to the problem that for this initiator, if the spray injection failed to function there would be no water in the sump when recirculation was actuated and the recirculation system would fail. The important point in this is that recirculation could be actuated at Millstone prior to full RWST injection,

TABLE 3.1-2a
PCS AVAILABLE TRANSIENTS FOR SEABROOK BASED ON EPRI NP-2230

EPRI NP-2230                                                          FREQUENCY
Event No.      TRANSIENT NAME                                         (PER YEAR)

 1.            Loss of RCS Flow                                          .39
 2.            Uncontrolled Rod Withdrawal                               .02
 3.            CRDM Problems and/or Rod Drop                             .65
 4.            Leakage From Control Rods                                 .02
 5.            Leakage in Primary System                                 .08
 6.            Low Pressurizer Pressure                                  .03
 7.            Pressurizer Leakage                                       .01
 8.            High Pressurizer Pressure                                 .03
11.            CVCS Malfunction - Boron Dilution                         .04
12.            Pressure/Temperature/Power Imbalance                      .16
13.            Startup of Inactive Coolant Pump                          .00
14.            Total Loss of RCS Flow                                    .03
15.            Loss or Reduction in Feedwater Flow (1 loop) (50%)        .94
17.            Full or Partial Closure of MSIV (1 loop) (50%)            .12
19.            Increase in Feedwater Flow (1 loop) (50%)                 .35
23.            Loss of Condensate Pump (1 loop) (50%)                    .04
26.            Steam Generator Leakage                                   .04
27.            Condenser Leakage                                         .05
28.            Miscellaneous Leakage in Secondary Systems                .08
33.            Turbine Trip, Throttle Valve Closure, EHC Problems       1.38
34.            Generator Trip or Generator Caused Faults                 .38
36.            Pressurizer Spray Failure                                 .04
37.            Loss of Power to Necessary Plant Systems (50%)            .05
38.            Spurious Trips - Cause Unknown                            .14
39.            Automatic Trip - No Transient Condition                  1.55
40.            Manual Trip - No Transient Condition                      .62

               Total - PCS Available Transients                         7.24

TABLE 3.1-2b
LOSS OF PCS TRANSIENTS FOR SEABROOK BASED ON EPRI NP-2230

EPRI NP-2230 Event No. / TRANSIENT NAME / FREQUENCY (PER YEAR)

10. Containment Pressure Problems .01
15. Loss or Reduction in Feedwater Flow (1 loop) (50%) .94
16. Total Loss of Feedwater Flow (all loops) .15
17. Full or Partial Closure of MSIV (1 loop) (50%) .12
18. Closure of all MSIV .03
19. Increase in Feedwater Flow (1 loop) (50%) .35
20. Increase in Feedwater Flow (all loops) .01
21. Feedwater Flow Instability - Operator Error .15
22. Feedwater Flow Instability - Misc. Mechanical Causes .21
23. Loss of Condensate Pump (1 loop) (50%) .04
24. Loss of Condensate Pumps (all loops) .00
25. Loss of Condenser Vacuum .20
30. Loss of Circulating Water .06
31. Loss of Component Cooling .00
37. Loss of Power to Necessary Plant Systems (50%) .05

Total - Loss of PCS Transients 2.32

since RWST level had nothing to do with recirculation actuation. At Seabrook, recirculation is actuated only when the RWST is virtually empty, so that the occurrence of this event is precluded. Even with the flow going to the reactor cavity instead of the containment floor, we believe the injection of the full RWST would cause the reactor cavity to overflow its curb, with the overflow going to the containment sump. Thus, there would be sufficient sump level to allow recirculation when required. The failure of the SSPSA to consider this initiator as a separate event class is, fortunately, not a deficiency since it is virtually identical to other small LOCA initiators for this plant. However, it should be noted that this result is apparently a matter of luck rather than an informed rejection of this initiator by analysis within the SSPSA.

3.1.1.2 Loss of a Vital 120V AC Bus

The SSPSA considered this initiator in the initiating event analysis, but later rejected it as being an initiator. The material presented in the SSPSA is contradictory and incomplete. It states, correctly, that loss of one of the four busses will not directly result in a plant trip from the solid state protection system (SSPS) because the loss will affect only one of the four sensor input channels. However, there appears to be no investigation into whether the loss of a bus will result in a plant trip due to the effect on other equipment tied to that bus. Further, no mention is made in the initiating event analysis of an additional effect on the mitigating systems if one of two particular vital AC busses fails. The 1 and 4 busses (apparently referring to busses A and D) supply power, respectively, to the train A and B engineered safeguard feature actuation system (ESFAS) output relays. Loss of power to these relays disables the associated train of emergency equipment due to the inability to provide actuation signals. This information is presented only in the ESFAS systems analysis appendix. If the loss of bus A or D results in a plant trip with loss of one train of ESFAS, which we believe to be the case based on previous plant analyses, this event should have been considered as a separate initiating event class.

3.1.1.3 Loss of a Single Service Water or Component Cooling Water Train

Although the SSPSA considers a total loss of each of these systems as an initiating event, it does not consider loss of a single train. The basis used in the SSPSA for this assumption is that if a single train is lost, the plant will not immediately trip. The conclusion is that the operator can proceed with an orderly shutdown, and thus it is not an initiating event. We disagree with this position. Although it may be possible, and even highly probable, that an orderly shutdown will take place, it is definitely a forced shutdown that must take place in the absence of one train of a support system. We believe that this is essentially equivalent to other support system transients and that two new initiator classes should be added to account for these single train failure events.

3.1.2 Initiating Event Frequencies

The SSPSA estimated initiating event frequencies by dividing the event classes into two general groups. The first consisted of those initiating events which were felt to be adequately represented by generic data, and constituted the vast majority of the event classes. The generic data utilized consisted

mostly of EPRI NP-2230 [Ref 3.1-1], augmented by a Pickard, Lowe, and Garrick proprietary data base. The second group consisted of three event classes (interfacing system LOCA, total loss of service water, and total loss of primary component cooling) for which unique systems designs required that a plant specific analysis be performed. The treatment of the initiating event classes in this manner is, in our judgement, reasonable. Table 3.1-3 presents a comparison of the SSPSA frequencies (means and medians) with data from other sources and studies. The table shows that the SSPSA data is in general agreement with these other sources. Our review judgement regarding the reasonableness of each frequency estimate is indicated in the last column of the table. Where the values used in the SSPSA did not differ significantly from the other sources, we have accepted the SSPSA value and this is indicated by an "OK". Where the values used in the PSA did differ significantly and we felt another value should have been used, the revised value is indicated. We have also indicated values for the three initiating event classes discussed in the previous section which we felt were omitted from the SSPSA. The remainder of this section discusses the basis for our revised and added values, as well as a discussion of our verification of the interfacing systems LOCA frequency.

3.1.2.1 Small LOCA

The SSPSA utilizes two values for small LOCA, representing breaks that can be isolated and those that cannot. It was not made clear in the SSPSA what breaks fell into these two categories. It is generally recognized that isolable breaks do not significantly contribute to overall small LOCA frequency due to the amount of time available for the operator to isolate them prior to the need for emergency core cooling. This was adequately

Table 3.1-3
INITIATING EVENTS DATA COMPARISON

Columns: Initiator Category / SSPSA Mean / SSPSA Median / WASH-1400 / EG&G (NREP) / MP-3 PSS (mean) / MP-3 Revised / ANO-1 IREP / Zion PSA / SSPSA Review Judgement

1. Excessive LOCA 2.66E-7 8.75E-5 1E-7 -- 3E-7 OK
2. Large LOCA 2.03E-4 8.11E-5 1E-4(6") 3.88E-4 1E-4 2.5E-4(4") OK
3. Medium LOCA 4.65E-4 2.00E-4 3E-4(2-6") 1E-3(2-6") 6.11E-4 3E-4 3.8E-4(1.7-4") OK
4a. Small LOCA (nonisolable) 5.83E-3 1.80E-3 1E-3(2") 1E-2(2") 9.07E-3 1E-3 2E-2(1.7") 2E-2
4b. Small LOCA (isolable) 2.30E-2 8.73E-3 2E-2
5. Interfacing Systems LOCA 1.84E-6 3.95E-8 4E-6(1) 1.9E-6(2) 8E-7(2) OK
6. Steam Generator Tube Rupture 1.38E-2 5.58E-3 3.9E-2 2E-2 OK(8)
7. Reactor Trip 2.29E+0 * 3.13E+0 3.03 7.24(6) 7.1(6) 7.24(6)
8. Turbine Trip 1.95E+0 1.60E+0 * 2.33 2.32(7) 1.0(7) 2.32(7)
9. Total Loss of Main Feedwater 3.31E-1 1.17E-1 1E-1 7.29E-1 * * *
10. Partial Loss of Main Feedwater Flow 2.53E+0 1.47E+0 1E-1 * * 7.29E-1 *
11. Excessive Feedwater Flow 1.38E+0 3.47E-1 * * * * *
12. Loss of Condenser Vacuum 4.18E-1 2.27E-1 2E-1 * * * *
13. Closure of One MSIV 3.54E-1 1.29E-1 3E-1 * * * *
14. Inadvertent Closure of All MSIVs 2.44E-3 8.78E-4 4E-2 * * * *
15. Core Power Excursion 2.73E-2 1.28E-2 * * * * *
16. Loss of Primary Flow 5.60E-1 2.73E-1 4E-1 4.91E-1 *
17. Steam Line Break Inside Containment 4.65E-4 2.00E-4 3.88E-4 4E-2(4)
18. Steam Line Break Outside Containment 6.04E-3 2.18E-3 3.78E-2(4) 1E-4
19. Inadvertent Opening of Main Steam Relief Valves 4.94E-2 1.79E-2 OK
20. Inadvertent Safety Injection Signal 6.40E-2 1.24E-2 6E-2 1.83E-2 6E-2 OK
21. Loss of Offsite Power 1.35E-1 7.43E-2 2E-1(3) 1.1E-1 1E-1 .32 - OK
22. Loss of Essential DC Bus 3.35E-2 1.63E-2 3.91E-3 3.6E-2 3.6E-2 OK
23. Loss of Service Water 2.52E-6 9.47E-7 7.44E-6(5) 2.6E-3 2.2E-8 OK
24. Loss of Primary Component Cooling 1.38E-6 4.29E-7
25. Loss of 120 VAC Bus A or D -- -- 6.15E-2 7E-2 7.0E-2 7E-2
26. Loss of a Single SW Train -- -- 1.27E-2 2E-2 PE-2
27. Loss of a Single PCC Train -- -- FE-2

(1) Includes injection side only
(2) Includes suction side only
(3) Northeast Power Coordination Council data
(4) Includes steam generator relief valve failures
(5) For 24-hour period
(6) Non-Loss of PCS
(7) Loss of PCS
(8) See Section 3.1.2.5
* The study included this initiator, however, its frequency is included in one of the other categories.

demonstrated in a review performed on the Millstone-3 PSS [Ref 3.1-4]. Thus, our principal concern is with the nonisolable break frequency. The comparison of values shown on the table indicates a large difference in this frequency between the various data sources. This is based on whether a reactor coolant pump seal LOCA is isolable or nonisolable at a given plant. The frequency of the random reactor coolant pump (RCP) LOCA is estimated at .02/year based on data from the ANO-1 IREP [Ref. 3.1-5]. The Seabrook plant does not have primary loop isolation valves, thus this break should be considered nonisolable. This value would therefore apply to Seabrook for nonisolable small LOCAs, and is a factor of four higher than the SSPSA value utilized. This is a significant difference, and we feel the higher value should have been used in the analysis.

3.1.2.2 General Transients

The revised values for the general transients (classes 7-16) result from the transient regrouping discussed in Section 3.1.1. The values shown in the last column are for non-loss of PCS and loss of PCS transients as defined in that section. The development of the values is shown in the frequency column of Tables 3.1-2a and 3.1-2b, and is based on EPRI NP-2230. Note that there is virtually no difference between the sum of these values and the sum of the SSPSA values for event classes 7-16, so that the effect is due to the regrouping only.

3.1.2.3 Loss of 120V Vital AC Bus A or D

The value used for this new initiator is taken from the ANO-1 IREP [Ref. 3.1-5] data base.

3.1.2.4 Loss of a Single Service Water or Primary Component Cooling Train

The values for these new initiators are taken from EPRI NP-2230 [Ref. 3.1-1]. In finding these values, the assumption was made that the event frequencies for these initiators could be reasonably expected to be equal.

3.1.2.5 Interfacing Systems LOCA (Event V)

In attempting to verify the plant specific value determined for this initiator, we determined that it was not possible for us to duplicate the answer shown in the SSPSA using the values and equations presented therein. We therefore performed a simplified but independent analysis to determine the frequency of this initiator. The arrangement of piping sensitive to event V is shown on Figures 3.1-1a and 3.1-1b. We based our analysis on the method used in the Crystal River-3 Safety Study [Ref. 3.1-6]. The failure rate for catastrophic internal leakage of a motor operated or check valve was taken to be 1E-7/hour from NUREG/CR-2815 [Ref. 3.1-7]. We assumed that for the cold leg injection lines, rupture of any two check valves in series would result in an event V which could be isolated by the operator by closing the appropriate motor operated valve within 20 minutes. A human error probability of 0.1 was assigned to this task based on the cognitive error screening model from NUREG/CR-2815 [Ref. 3.1-7]. We further assumed that the inboard valve in any path must fail first before the outboard valve is exposed to high pressure. The frequency of event V can thus be estimated as follows:

[FIGURE 3.1-1a. COLD LEG INJECTION ARRANGEMENT: piping diagram showing the high pressure / low pressure boundary, the LPI system Train A and Train B check valve and motor operated valve paths, and the inside-containment boundary.]

[FIGURE 3.1-1b. RHR SUCTION ARRANGEMENT: piping diagram showing the two hot leg to RHR pump suction valve paths.]

Injection Path:

Single Check Valve Path:

(1E-7/hr * 8760hr/yr) * (1/2yr * 1E-7/hr * 8760hr/yr) = 4E-7/yr

Adjusted for Two Paths per Train with Operator Recovery:

(2 * 4E-7/yr) * 0.1 = 8E-8/yr * 2 trains = 2E-7/yr

TOTAL EVENT V FREQUENCY (INJECTION) = 2E-7/yr

Suction Path:

Two Suction Valve Paths:

((1E-7/hr * 8760hr/yr) * (1/2yr * 1E-7/hr * 8760hr/yr)) * 2 = 8E-7/yr

TOTAL EVENT V FREQUENCY (SUCTION) = 8E-7/yr

Thus, our estimate of the frequency of event V from the above calculation is:

TOTAL EVENT V FREQUENCY = 1E-6/yr

This value is close enough to the SSPSA mean value to serve as an independent verification of the SSPSA calculations. Thus, we conclude that the event V frequency used in the SSPSA is reasonable.
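The Event V arithmetic above can be reproduced and checked as follows. This is an added example, not part of the original review: the function names are hypothetical, and the exact form assumes constant (exponential) valve failure rates, which is an assumption made here to show where the 1/2 factor for "inboard valve fails first" comes from.

```python
import math

# Values taken from the review's Event V estimate.
HOURS_PER_YEAR = 8760.0
VALVE_RUPTURE_RATE_PER_HR = 1e-7   # catastrophic internal leakage, check or motor operated valve
OPERATOR_FAILS_TO_ISOLATE = 0.1    # human error probability, closing the MOV within 20 minutes


def two_valve_path_approx(rate_per_hr=VALVE_RUPTURE_RATE_PER_HR, hours=HOURS_PER_YEAR):
    """The review's expression: (rate*T) * (1/2 * rate*T).

    The first factor is the chance the inboard valve fails during the year;
    the second is the chance the outboard valve then fails over the average
    remaining exposure time of T/2.
    """
    x = rate_per_hr * hours
    return x * (0.5 * x)


def two_valve_path_exact(rate_per_hr=VALVE_RUPTURE_RATE_PER_HR, hours=HOURS_PER_YEAR):
    """Ordered double failure with exponential failure times (assumption).

    Integral over t in [0, T] of rate*exp(-rate*t) * (1 - exp(-rate*(T - t)))
    evaluates to 1 - exp(-x) - x*exp(-x) with x = rate*T; its leading term
    is x**2 / 2, which is the expression used in the review.
    """
    x = rate_per_hr * hours
    return -math.expm1(-x) - x * math.exp(-x)


def event_v_frequency(path_freq, injection_paths_per_train=2, trains=2,
                      suction_paths=2, hep=OPERATOR_FAILS_TO_ISOLATE):
    """Combine per-path frequency the way the review does.

    Injection paths get credit for operator isolation (multiplied by the
    human error probability); suction paths get no recovery credit.
    """
    injection = injection_paths_per_train * path_freq * hep * trains
    suction = suction_paths * path_freq
    return {"injection": injection, "suction": suction, "total": injection + suction}


def one_sig_fig(value):
    """Round to one significant figure, as the review reports its results."""
    return float(f"{value:.0e}")


if __name__ == "__main__":
    approx = two_valve_path_approx()
    exact = two_valve_path_exact()
    print(f"single path: approx {approx:.4e}/yr, exact {exact:.4e}/yr")
    for name, value in event_v_frequency(approx).items():
        print(f"{name:9s}: {value:.3e}/yr (reported as {one_sig_fig(value):.0e})")
```

Carried without intermediate rounding, the total is about 9.2E-7/yr; the review rounds each step to one significant figure and reports 1E-6/yr.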

3.1.3 Issues of Importance to the NRC

In their instructions for this review, the NRC listed certain issues of concern to them. They wanted to know how these issues were treated in the SSPSA. Some of those issues were either treated or should have been treated in the initiating event analysis. This section discusses those issues.

3.1.3.1 Issues Directly Included as Initiating Events

A number of the issues of concern were directly included in the analysis within the more than 100 internal initiating events evaluated. Those issues/events are:

- Loss of DC Power
- Steam Generator Tube Rupture
- Loss of Service Water
- Turbine Trip
- Loss of Main Feedwater
- Loss of Component Cooling Water
- Reactor Coolant Pump Seal LOCA
- Boron Dilution
- Excess Feedwater Flow
- Loss of Instrument or Control Air

3.1.3.2 Issues Excluded as Initiating Events

Two issues of concern were not included as initiating events in the SSPSA, and we consider their exclusion to be justified. The first is multiple instrument tube LOCA below core level. This event is simply a larger version of the initiator discussed in Section 3.1.1.1, and is reasonably excluded based on the same arguments. The second is loss of ventilation in the auxiliary building. In general, previous PRAs have not considered these events as initiators. This approach is considered to be reasonable since ventilation losses to specific plant areas are not likely to result in both plant trip and degradation of mitigating systems in ways not foreseen by other initiators of greater frequency. It is our judgement that the omission of this event as an initiator does not affect the study results.

3.1.3.3 Issues Improperly Excluded as Initiating Events

Only one issue, loss of instrument and control power, was not properly considered in the PSA. This is discussed in Section 3.1.1.2.

References for Section 3.1

3.1-1 EPRI NP-2230, ATWS: A Reappraisal. Part 3: Frequency of Anticipated Transients, January 1982.
3.1-2 WASH-1400, Reactor Safety Study, October 1975.
3.1-3 NUREG/CR-2300, PRA Procedures Guide, January 1983.
3.1-4 Northeast Utilities, Millstone Unit 3 Probabilistic Safety Study, August 1983.
3.1-5 NUREG/CR-2787, Kolb, G.J., et al, Interim Reliability Evaluation Program: Analysis of the Arkansas Nuclear One - Unit 1 Nuclear Power Plant, June 1982.
3.1-6 NUREG/CR-2515, Garcia, A.A., et al, Crystal River - 3 Safety Study, December 1981.
3.1-7 NUREG/CR-2815, Papazoglou, I.A., et al, Probabilistic Safety Analysis Procedures Guide, January 1984.

3.2 EVENT TREES

The SSPSA constructed 10 event trees to represent plant response to the initiators discussed in Section 3.1. We have reviewed these trees to determine if they are a reasonable representation of that response. The assumptions used in the tree construction were compared to assumptions used in previously performed PRAs. Where there were notable differences, these differences were evaluated to determine if they were reasonable. The evaluations consisted of reviewing calculations provided in the SSPSA, reviewing applicable reference materials, and performing limited calculations. Each of these differences and our final conclusions regarding their validity are discussed in this section. In addition, a number of issues of specific interest to the NRC were also examined.

3.2.1 General Event Tree Findings

This section presents the results of our evaluation for items which pertain to a number of event trees.

We found that the event trees correctly represented the phenomenology of the sequences in most cases. That is, only a few errors were identified which resulted from the conversion of the description of the phenomenology to its representation in an event tree format. This does not mean that we consider the trees to be a correct representation of plant response: in fact we have serious concerns about some assumptions and conclusions used in describing the phenomenology of plant response. These are discussed in detail in the next section. We note, however, that we believe the event tree design concept contains deficiencies.

The trees are very detailed in certain areas, and not as detailed in others. This is due to a requirement, for quantification purposes, to have each event on the tree be independent of the others. There is also an effect from the utilization of long and short term trees and transfers from the latter to the former. The result is that in some cases it was necessary to put individual components on the trees, rather than in the systems, when that component was shared between two systems. Also, the need to transfer required that transfer states exist which considered the precise number of system trains operating, rather than just whether a system had met its required success criteria. Thus, individual trains were also represented as separate events on the trees.

This complexity rendered the trees extremely difficult to follow and analyze, i.e., they were quite inscrutable. The number of sequences on each tree was on the order of 100 times greater than those from previous SSPSAs. The proliferation of sequences made the trees significantly less useful as an engineering tool (simple insights were impossible). Furthermore, the large number of sequences, some representing failures of entire systems and others representing failures of individual components, created a situation where "sequences" in some cases were nothing more than the equivalent of a single cut set. In other cases, sequences represented system failures for which the analysis could not provide cut sets. The resulting mixture of contributions made it difficult to determine the dominant sequences (in the traditional sense) because they were so fragmented. Identical system failure combinations and event phenomenologies, which normally appear as a single sequence, were actually often represented by many individual SSPSA sequences. This resulted in further masking of engineering insights. Our conclusion is that the event tree models used in the SSPSA, while not being incorrect in the strict sense of the word, do not represent an advance in the state-of-the-art over event trees constructed in a more traditional manner, particularly in terms of their usefulness to the NRC in performing its review function. They are, because of their unnecessary complexity, virtually useless to the reviewers in the determination of insights concerning the effects of our conclusions regarding the differences in event phenomenology which are discussed below in Section 3.2.2. We consider it necessary to re-construct the trees in a more reasonable format, incorporating our specific findings, in order to evaluate them. It was not possible to do this because of the limited time available to perform the review, the extreme complexity of the trees, and the absence of critical pieces of information in the SSPSA.

3.2.2 Specific Event Tree Findings

This section presents review results applicable to specific event trees.

3.2.2.1 Generalized Transient Event Tree (Short Term)

A number of areas in the transient tree are unusual, and in some cases contradictory. First, the text of the tree description states that it is possible to avoid the need for recirculation in bleed-and-feed scenarios by initiating closed loop RHR cooling. It would appear the assumption is that it is possible to reduce the primary pressure below the RHR initiation setpoint by using high pressure injection alone, and that it is possible to do this prior to depleting the RWST. The text does not state what kind of operator actions, if any, would be required other than initiating bleed-and-feed and, later, RHR. No documentation is provided to support this contention. The

tree structure indicates that the tree itself contradicts the text in this area. The tree indicates that all bleed-and-feed scenarios transfer out of the tree to high pressure recirculation. We believe that the text is optimistic in this area, and that at the very least, substantial operator action would be required to implement this cooling mode prior to the need for recirculation. In the absence of proper documentation, we conclude that recirculation should always be required for bleed-and-feed scenarios. Since this is apparently the way it was modeled on the tree, the SSPSA analysis was quantified correctly.

The SSPSA combined normal turbine trip with MSIV closure into the single event TT on the event tree. This led to the combination of secondary cooling by startup feedwater and emergency feedwater into the single event EF. These events do not properly represent the plant response. The normal startup feedwater cooling path is through the main feedwater lines with steam cooling through the turbine bypass and the condenser, and pump suction from the condenser hotwell: in other words, the use of the normal power conversion system (PCS) for secondary cooling. However, this path is available only if the MSIVs are open (normal turbine trip functions successfully). Emergency feedwater can function with the PCS failed (MSIVs closed) since it takes suction from the condensate storage tank. Thus, the way in which TT succeeds has a direct bearing on the availability of secondary cooling systems. This also makes a difference for different transient types. Loss of PCS transients would imply that this startup feedwater cooling path was unavailable. The tree should have been structured with four events: turbine trip (TT), power conversion system operation (PCS), MSIV closure (MS), and emergency feedwater (EF). PCS would be considered only for non-loss of PCS transients where

turbine trip succeeded (precluding the need for MSIV closure). This would correct the present problem where the different ways of accomplishing TT and EF as presently defined are not phenomenologically equivalent.

The tree does not include an event for a transient-induced small LOCA, i.e., a stuck open PORV following a transient initiator. This event should be included. The probability of occurrence of the event would be the combined probabilities of (1) the valves being demanded given the initiator, (2) failure of one of the valves to reseat, and (3) failure of the operator to isolate the stuck valve by closing the appropriate block valve. A reasonable analysis of this was performed in the Millstone Unit 3 PSS (Ref. 3.2-1). Their analysis estimated the event probability to be:

P(S2) = 1E-2 * 5E-3 * .5 = 3E-5

which we consider reasonable and applicable to Seabrook, given the similarities between the plants. (Note: We would have used a higher value for a valve sticking open (4E-2 from NUREG/CR-2728 [Ref. 3.2-2]), but a lower value for the operator failing to isolate (1E-1 from NUREG/CR-2815 (Ref. 3.2-3)), which results in essentially the same answer.)

The tree considers two separate events for controlling pressurized thermal shock (PTS), event OM for control of feedwater and event OP for controlling HPI flow. Both of these events are part of the same action, and the key to this action is controlling HPI, since PTS will occur if HPI is not controlled whether or not FW is controlled, and PTS will be prevented if HPI is controlled whether or not FW is controlled. Separation of these events, while not incorrect in the strict logic model sense, results in the creation of additional sequences for no apparent reason and also leads to an improper representation of the operator action in the human reliability models. These events should be combined into a single event OP defined as the operator preventing PTS.

For sequences where emergency feedwater succeeds and there are no LOCAs, an event ON is considered which represents the need for the operator to perform a plant stabilization and cooldown function in order to prevent CST depletion and core melt prior to 24 hours. This is based on the 200,000 gallons of CST water "reserved" for the emergency feedwater system being used up before 24 hours unless the operator takes some action. We disagree with this assumption for two reasons. First, there appears to be 89 full power seconds of heat removal capability in the water originally contained in the steam generators at the beginning of the transient. This alone would extend the heat removal capability beyond 24 hours without operator action. In addition, the CST is a 400,000 gallon tank, with an alarm at the 90% (360,000 gallon) level. Plant procedures require that the tank be refilled if this alarm setpoint is reached. Thus, the probability that the tank would only contain 200,000 gallons at the time of the transient is negligible, and credit should be taken for at least 360,000 gallons. This amount would be fully available to the emergency feedwater system, since there would be no other use for it during the transient. Obviously, credit for all or only a fraction of this extra cooling capacity would mean that cooling would be available for over 24 hours without operator intervention. We therefore conclude that event ON is not required for this case. The deletion of this decision point from the tree eliminates a large number of extraneous sequences.

In the case of an RCP LOCA, the SSPSA defines event ON as the operator taking

action to depressurize the primary and reduce break flow, thus extending the time to core melt and resulting in a late rather than early core melt. No calculations are provided to justify this scenario. While it may appear on the surface that reducing pressure should reduce the coolant loss, this may not be the case. First, it is not possible to reduce flow by reducing pressure while critical flow conditions exist, and in the absence of an analysis it is not possible to determine at what pressure critical flow conditions will no longer exist. Furthermore, achieving subcooling may result in passing water only out the break rather than steam, so that there is a concern that mass flow may actually increase during the aggressive cooldown period. We also point out that the assumed flow rates for RCP LOCA used in the SSPSA appear to be arbitrarily selected and extremely optimistic (see Section 3.2.3.1). Thus, in the absence of further analysis, we must conclude that event ON as presently defined is not capable of delaying core melt in this case.

If ON were redefined to include the requirement for low pressure injection (RHR injection mode), we would agree that a late melt would result, since the capability to use secondary blowdown and LPI for small LOCAs in lieu of HPI has been adequately demonstrated in WCAP-9754 (Ref. 3.2-4).

The SSPSA assumes that failure of event TT and failure of the operator to control feedwater along with failure of HPI (either directly or by failure of the RWST) will result in core melt. This assumption is not realistic. The first two failures result in a severe overcooling transient which is the first step towards PTS. However, the HPI failure means that PTS cannot occur. Thus, we are left simply with the overcooling transient. While this is not the most desirable condition to be in, the nature of this scenario implies that sufficient cooling (indeed, more than sufficient cooling) is available to prevent core melt. Previous PRAs have not assumed that overcooling results in core melt, and we have seen no other analysis which leads us to a contrary conclusion. Thus, we conclude that this scenario should not lead to core melt and the tree is therefore incorrect.

3.2.2.2 Small LOCA (Short Term)

The major problem area in the small LOCA event tree involves the operator action event ON when both emergency feedwater and HPI are successful. For this scenario, event ON represents the operator taking the necessary actions to reduce the primary system temperature and pressure to establish RHR conditions. The problem with this action and its subsequent effects is twofold. First, the SSPSA assumes that a core melt will result if the operator fails to take this action. This is completely contrary to previous PRAs, NRC licensing requirements, and FSAR analysis. It is well known that the operator need take no action in this case other than switching to high pressure recirculation following the depletion of the RWST. His failure to meet RHR conditions does not preclude his ability to utilize high pressure recirculation, since HPR is capable of pumping water at much higher pressures than RHR.

The second problem relates to the assumed effect of the operator successfully performing action ON, that is, the assumption that this will preclude the need for any recirculation. This implies that it is possible for the operator to bring the RCS temperature below 212°F, thus terminating break flow, before the RWST is depleted. The temperature must be lowered this much in order to terminate break flow because the containment can be assumed to be at atmospheric pressure, and the RCS will seek to reach an equilibrium with it. Boil-off and coolant loss will continue until the RCS is subcooled at

    . atmospheric pressure, and makeup will have to be continued until this time.
It has not been demonstrated by detailed analysis that it is possible to accomplish this at Seabrook prior to RWST depletion, and thus the assumption that recirculation is not required may be optimistic. In the absence of justification to the contrary, we believe that recirculation should be required for all small LOCA events and that the only credit which should be allowed for the success of action ON is to reduce RCS pressure such that a failure of recirculation will lead to a low pressure melt instead of high pressure melt.

The SSPSA takes credit for an alternate cooling method when auxiliary feedwater is available but HPI fails. This involves the operator blowing down the secondary in order to reduce primary pressure and utilize low pressure injection (an operating mode of RHR) to provide makeup. This method has not been credited in most PRAs; however, it is included in some of the more recent ones. Analysis of this technique applicable to Westinghouse plants is contained in WCAP-9754 (Ref. 3.2-4), and we consider it sufficient to allow credit for this cooling method at Seabrook. The SSPSA is optimistic regarding this scenario in one area, however: it assumes that if the operator performs the depressurization but LPI is not available for some reason, a late melt will occur. There is no justification provided for this and we are doubtful of the validity of this assumption. This scenario is an injection phase failure, and injection phase failures are generally assumed, logically, to lead to an early melt. Thus, we conclude that this scenario should lead to an early core melt.

For this initiator, unlike transients, the combining of turbine trip and MSIV closure into a single event is acceptable since the occurrence of a safety injection signal will result in main feedwater isolation, causing loss of the PCS cooling mode discussed in the previous section. Thus, there is no need to make the distinction between TT and MS, since this has no effect on the remaining secondary cooling method utilizing emergency feedwater.

The SSPSA assumes that when TT fails (overcooling occurs) and the operator fails to control feedwater, feedwater will be lost. This leads to the assumption that if HPI is unavailable in this situation, a core melt will result. We consider this assumption conservative and do not agree that failing to control feedwater will result in its eventual loss. In these cases, credit should be given for feedwater continuing to function and the operator depressurizing to allow the LPI mode of RHR to provide the necessary makeup. Given this is the case, the events OM and OP should be combined into a single event for preventing PTS as discussed for the transient tree.

3.2.2.3 Medium LOCA (Short Term)

In general, the medium LOCA tree appears to be a good representation of plant response to this initiator. The only error is that the SSPSA assumes an early core melt results in cases where injection phase cooling succeeds and the RHR pumps fail. This is in contrast to the sequences where injection phase cooling succeeds and the RWST suction valves fail closed (which would also cause the RHR pumps to fail), where the SSPSA assumes that a late melt occurs. We see no reason for this contradiction, which is contrary to assumptions made in previous PRAs that successful injection always results in a late melt if recirculation is unavailable. We believe that the former scenario should lead to a late melt.

The other problem involves the consideration of functionally redundant or extraneous decision points when high pressure injection is available. If HPI is available, it is capable of supplying all the required cooling in the injection phase of the analysis. It is not necessary to consider other actions to provide injection phase cooling in these situations. However, the tree considers the availability of emergency feedwater and operator action to blow down the secondary and depressurize under these conditions. These events are not required and do nothing to enhance the sequence model. They serve only to create a greater number of sequences which are nominally identical and which thus further dilute the core melt contribution of any one sequence. These decision points should have been excluded in order to improve the insights gained from the analysis.

3.2.2.4 Long Term Plant Response (All Initiators Except Large LOCA)

The two long term trees constitute a reasonable representation of plant response in the recirculation phase. The only problem is that the relationship between air purge isolation and containment isolation and the effect of containment spray is not made clear. This issue concerns containment response and source term analysis, so that it is not within the scope of this part of the review. Thus, we do not believe the tree should be changed unless at some later time it is concluded that the way in which these events are handled fails to correctly model unique damage states.

3.2.2.5 Large LOCA (Short and Long Term)

There are a number of problems with the large LOCA analysis. One of these is that the SSPSA assumes that there is a need in the long term to switch from cold leg recirculation to hot leg recirculation. The basis for this is a perception that boron precipitation within the reactor vessel could lead to coolant blockage. This assumption has not been made in previous PRAs, although we are aware that it is addressed in licensing analyses. We believe this assumption is the result of depending on overly conservative analysis for judging the need for this action. This event should not have been included on the tree.

The SSPSA includes the containment enclosure building ventilation (EAH) system on the tree. We do not believe that this system is required to operate for the long term success of the RHR and CS pumps as stated in the SSPSA. This is discussed in greater detail in Section 3.10, which deals with support system dependencies. However, even if this system is required, we would not agree with the tree structure. First, the EAH system is considered in the support state analysis before the tree is entered, and that should be sufficient if handled properly. If that were not sufficient, then the EAH system should have appeared on all the long term trees, not just this one. The way this is handled is inconsistent and generates concern about the proper coordination of the various parts of the study. Furthermore, on the branch where EAH fails, there are decision points for both RHR trains leading to the same plant damage states. This creates unnecessary additional sequences which add nothing to the insights from the analysis. It would be more appropriate to use GF (guaranteed failure) at these decision points. This also raises a concern that this treatment occurred in the quantification of other trees for various support states, that is, that failure values of 1.0 were not properly applied so as to eliminate meaningless sequences from the analysis. This issue is discussed further in Section 3.11 of this review. Our conclusion, as stated at the beginning of the paragraph, is that system EAH should not be included on the tree because it is not required for the long term success of the RHR and CS systems.
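
The two structural points made above, that redundant decision points multiply nominally identical sequences (Section 3.2.2.3) and that a guaranteed failure (GF) branch removes meaningless ones (Section 3.2.2.5), can be illustrated by enumerating a small event tree both ways. The following Python code is an added example and is not taken from this review or from the SSPSA; the tree logic is a simplified assumption, and the initiator frequency and failure probabilities are constructed values.

```python
# Constructed values for illustration only (not SSPSA data).
INIT_FREQ = 1e-3                                   # initiator frequency per year
P_FAIL = {"HPI": 1e-2, "EFW": 2e-2, "OD": 1e-1, "REC": 5e-3}


def enumerate_sequences(init_freq, events, end_state):
    """Walk an event tree depth-first and return (path, frequency, end state).

    events: ordered list of (name, asked, p_fail)
        asked(path)  -> True if a decision point is developed on this path
        p_fail(path) -> failure probability on this path (1.0 means GF)
    path maps event name -> True (success) / False (failure); bypassed
    events do not appear in it.
    """
    sequences = []

    def walk(i, path, freq):
        if i == len(events):
            sequences.append((dict(path), freq, end_state(path)))
            return
        name, asked, p_fail = events[i]
        if not asked(path):
            walk(i + 1, path, freq)       # bypassed: no branch, no new sequence
            return
        p = p_fail(path)
        for success, prob in ((True, 1.0 - p), (False, p)):
            if prob == 0.0:
                continue                  # GF: the null branch is not developed
            path[name] = success
            walk(i + 1, path, freq * prob)
            del path[name]

    walk(0, {}, init_freq)
    return sequences


def injection_ok(path):
    # Assumed logic: HPI alone is sufficient; otherwise emergency feedwater
    # plus operator depressurization (OD) allows low pressure injection.
    return bool(path.get("HPI") or (path.get("EFW") and path.get("OD")))


def end_state(path):
    if not injection_ok(path):
        return "early melt"               # injection phase failure
    return "ok" if path["REC"] else "late melt"


def _always(path):
    return True


def _const(name):
    return lambda path: P_FAIL[name]


def build_full():
    """Every decision point developed on every path."""
    events = [("HPI", _always, _const("HPI")),
              ("EFW", _always, _const("EFW")),
              ("OD", _always, _const("OD")),
              ("REC", injection_ok, _const("REC"))]
    return enumerate_sequences(INIT_FREQ, events, end_state)


def build_pruned():
    """EFW and OD asked only when HPI failed; OD is GF when EFW failed."""
    hpi_failed = lambda path: path["HPI"] is False
    od_fail = lambda path: 1.0 if not path["EFW"] else P_FAIL["OD"]
    events = [("HPI", _always, _const("HPI")),
              ("EFW", hpi_failed, _const("EFW")),
              ("OD", hpi_failed, od_fail),
              ("REC", injection_ok, _const("REC"))]
    return enumerate_sequences(INIT_FREQ, events, end_state)


def totals(sequences):
    """Sum sequence frequencies by end state."""
    out = {}
    for _, freq, state in sequences:
        out[state] = out.get(state, 0.0) + freq
    return out


def top_share(sequences, state):
    """Fraction of an end state's frequency carried by its largest sequence."""
    freqs = [f for _, f, s in sequences if s == state]
    return max(freqs) / sum(freqs)


if __name__ == "__main__":
    for label, seqs in (("full", build_full()), ("pruned", build_pruned())):
        print(label, len(seqs), "sequences", totals(seqs),
              "top late-melt share %.3f" % top_share(seqs, "late melt"))
```

Both trees give the same frequency for every end state; the pruned tree simply reaches it with fewer sequences, so each remaining sequence carries a larger and more interpretable share.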

3.2.2.6 Steam Line Break (Short Term. Outside Containment)

This tree bears a significant resemblance to the general transient tree, which is reasonable since an isolated steam line break is very similar in its phenomenology to most other transients. The blowdown of the faulted steam generator (we note that the success state for main steam isolation allows for the failure of one isolation valve) results in a more rapid initial cooldown, which will cause a safety injection signal, but this is of little consequence. Thus, all of the comments which were made in Section 3.2.2.1 for the generalized transient tree are also applicable to this tree, except that it is not necessary to consider PCS and TT separately since they would not be available in this case.

The one major difference between this tree and the transient tree is that on this tree there is a decision point for HPI in cases where MSIV closure and AFWS succeed. The availability of HPI in this case does not affect the final plant condition in any way, since it performs a redundant cooling function not required for transients when secondary cooling is available. We agree that HPI will be commanded to start, but whether it does or not is of no concern. Including this decision point serves only to increase the number of sequences on the tree without increasing the understanding of the event in any meaningful way. Therefore, this decision point should not be included on the tree.

3.2.2.7 Steam Line Break (Short Term. Inside Containment)

In our review of this tree, we noted significant differences between it and the steam line break outside containment tree which we could not explain. There appears to be no real basis for expecting or modeling significant differences in plant response between these two events. We can see only two actual differences in the events which have even the potential to affect plant response. The first is that there will definitely be a blowdown of at least one steam generator, since the faulted steam generator cannot be isolated. The effect is minimal, and will result only in a more rapid initial cooldown which will cause a safety injection signal, but this is of little consequence since one is expected anyway. The second difference is that the blowdown will occur inside the containment, causing a pressure increase.

However, as stated in the SSPSA, even total blowdown of all the steam generators (total isolation failure) will not be as serious as the blowdown assumed for a large LOCA. Again, we may expect a containment spray actuation signal to occur, but do not see why it is either necessary or significant. In other words, it does not appear to supply a needed function for this event and will have no effect on the outcome of the event whether it works or not (unless a core melt occurs, which is another point entirely).

In this context, two major differences in the tree structure do not seem to make sense. The first is that boron injection is required when auxiliary feedwater works. There is no justification provided for this, and it is not supported by analysis, or by assumptions in any other PRA which we are familiar with. We have no reason to believe that a return to criticality is possible considering all the excess negative reactivity inserted following reactor trip. Further, a return to criticality is not in itself a concern in any case, since the plant could not achieve any significant power level. The other difference is that a need for recirculation is assumed. This cannot be correct since there is no LOCA taking place. A steam line break, whether inside or outside containment, does not result in the loss of primary coolant. Therefore, there is no need for primary makeup and hence no requirement for recirculation.

The only conclusion we can reach given the points in the foregoing discussion is that the differences between the steam line break inside and outside containment trees are not meaningful to this analysis. They do not affect the outcome of plant response scenarios, and are thus misleading. They appear to be artifacts of an overly detailed analysis. We consider all steam line breaks to be sufficiently similar to be represented on the same event tree.

Thus, the steam line break inside containment tree should be eliminated in favor of the more accurate steam line break outside containment tree.

3.2.2.8 Steam Generator Tube Rupture (Short Term)

We believe there are significant problems with this tree. The tree is poorly arranged and demonstrates a lack of understanding of a SGTR event. Major modifications must be made to the tree for it to accurately represent plant response to this initiator.

The first problem pertains to operator actions needed to reduce primary pressure under various scenarios. The SSPSA assumes in cases where HPI is available that it is not always necessary to control HPI flow in order to reduce pressure. Quite the contrary, allowing full HPI flow (uncontrolled) will always result in an inability to sufficiently reduce the pressure and terminate break flow because the small size of the break and the high HPI flow rate will result in RCS pressure being maintained at least at the level of the SI pump shutoff head. Thus, if no action is taken, all of the coolant in the RWST will be pumped into the secondary while the RCS is still at high pressure. Break flow would therefore continue after RWST depletion and a core melt will result. This need to terminate HPI should be included in event OR.

The SSPSA also assumes that failure of event OR does not necessarily lead to core melt. This assumption is optimistic since, as implied above, failure to reduce primary pressure prior to the depletion of the RWST means failure to terminate break flow, which obviously means eventual loss of all coolant to the secondary and eventual core melt. Thus, the tree should have been modeled such that failure of event OR always leads to core melt.

Event ON on this tree is said to represent a long term plant stabilization which is representative of the concept of "long term industry response" for sequences where HPI and emergency feedwater are available. This appears to be superfluous and without substance. The purpose of long term industry response with respect to the prevention of core melt is not made clear. This event provides an additional requirement to prevent core melt in already stable situations where the operator has successfully controlled RCS pressure and no steam leak is present (break flow stopped, auxiliary feedwater cooling) and no further action is required. This event is also apparently used, incorrectly, as a means of preventing core melt in situations where the operator fails to control pressure or a steam leak occurs. When the operator fails to control pressure prior to depletion of the RWST, a core melt will result regardless of any last minute industry action. There is sufficient time available for the operator to perform the pressure reduction such that the availability of other action will not affect the success rate. On the other hand, if the operator fails to reduce RCS pressure in time, he will be unable to do anything else in the short time remaining before core damage. In the case of a steam leak, the SSPSA provides insufficient justification to demonstrate that it is possible to terminate break flow prior to the need for recirculation, which would be unavailable in this case since the coolant loss is to the secondary. This is a classic case of an interfacing systems small LOCA, and RCS response would be identical to any other type of small LOCA, as discussed in Section 3.2.2.2.

The conclusion in that section is that recirculation is required for all small LOCAs. Since recirculation is unavailable for this initiator, a core melt is reasonably assumed to result, again regardless of "long term industry response". Thus, we conclude that event ON is extraneous in this context and that no decision points should appear for event ON for these scenarios.

Event ON is also used as the basis for changing an early melt to a late melt for the RCP LOCA case. As with the small LOCA tree, we conclude that this is mildly optimistic at best and that taking credit for any perceived change in plant damage state is unjustified without additional supporting analysis. Thus, event ON is not required for this case. Since the last two paragraphs discussed the only uses of event ON on this tree, and in both cases it was concluded that it was not needed, event ON can be completely removed from the tree. We would, however, agree that a late melt would result if operator action 00 (secondary depressurization in this case) were combined with success of RHR in the LPI mode, and the tree should have included this.

In a similar vein, credit is taken for being able to avoid core melt in situations where HPI has failed and a steam leak occurs. In this case, operator action 00 is used in conjunction with low pressure injection in order to depressurize the secondary, which depressurizes the primary, allowing LPI to replenish lost inventory until break flow can be stopped and the plant cooled down using RHR cooling. As before, the question in this case is whether the primary pressure can be reduced below atmospheric before the RWST is emptied, since the occurrence of a steam leak creates a classic case of an interfacing systems LOCA. Since the SSPSA does not provide sufficient justification to demonstrate that this is possible, we conclude that this scenario should lead to a late core melt due to RWST depletion and lack of recirculation capability.

Finally, the SSPSA assumes that failure of both auxiliary feedwater and bleed-and-feed will result in a late melt due to the effects of steam generator inventory. This is contradictory to the results of the identical sequences on the transient and small LOCA trees. On both of the other trees, failure of both of the cooling methods results in an early melt, which is in keeping with the logical, and generally universal, assumption in other PRAs that total loss of all short term cooling will result in an early core melt. It is possible to view the phenomenology of a SGTR event as "between" or "bounded" by the phenomenologies of the other two initiators for this sequence of events. That is, it is more severe than the transient since some coolant loss is involved but less severe than the small LOCA since the coolant loss is to a higher downstream pressure, so that the core melt timing would not be significantly different for the SGTR sequence. We therefore conclude that this sequence should result in an early core melt.

3.2.2.9 Anticipated Transients Without Scram

We have reviewed the SSPSA analysis of ATWS, giving special consideration to the recently released NRC ATWS rule [Ref. 3.2-5]. In performing this review, we were not constrained to accept the new rule in its entirety, but used it to provide guidance and information. Significant problems were identified in the ATWS tree. The tree is poorly done and considered unacceptable. The entire tree must be redone in order to get a reasonable assessment of the frequency of the various plant damage states due to ATWS. This section discusses the justification supporting the selection of particular viewpoints for particular ATWS issues.

The SSPSA gives credit to the possibility of operator action to effect manual reactor scram following automatic scram failure. This action, however, is not modeled explicitly on the tree: it is applied directly to the failure of RPS leading to ATWS. We believe it is valid to consider this type of recovery, but believe that an action of this import should have been included explicitly on the tree. It is also important to make clear that this recovery action can only be applied to electrical failures of the RPS, so that RPS failures should have been divided into electrical and mechanical failures as in the ATWS rule, with one difference: the rule defined electrical failures as including the breakers, and we would define it as failing to produce a trip signal at the breakers. This is based on a detailed analysis of a Westinghouse RPS as part of the Ringhals PRA [Refs. 3.2-6 and 3.2-7], which is the most detailed probabilistic/fault tree analysis of this system known to us. Other PRAs have generally performed very simple analyses or used generic RPS failure numbers. The ATWS Rule used a very simplistic screening analysis for its RPS failure probability estimate. The Ringhals analysis showed that the total RPS failure probability is about 3E-5 per demand and that about one third is due to potentially non-recoverable (in the short term) common mode breaker faults (mechanical) and the remainder consists of recoverable (by manual scram) electrical signal faults, often combined with test outages (also recoverable by manual scram). Common mode control rod and drive failures did not contribute. Since this analysis is much more detailed than the one in the ATWS Rule or the SSPSA, we feel its conclusions should be utilized and a manual recovery credit applied to electrical failures only.

The SSPSA next considers the initial power level, stating that power levels less than 80% will not cause high pressure spikes. This event is not required since we assume all our initiators occur from 100% power. The SSPSA fails to consider, however, that the moderator temperature coefficient (MTC) changes with time and that its effect on the pressure spike is dependent on turbine trip success or failure. The SSPSA performed its pressure spike analysis assuming a moderator temperature coefficient valid over 95% of core life. It should have, instead, considered the fraction of time during the cycle life that the MTC is "unfavorable", that is, when it results in an unacceptably high pressure spike. This was done in the ATWS Rule, and we consider it to be a more realistic approach. This fraction is dependent on the occurrence of turbine trip, so the turbine trip event must be considered first. The ATWS Rule also concluded that whenever extreme overpressure occurred, defined as exceeding Service Level C, core melt would result. While this is likely to be conservative, the uncertainty of RCS performance at these pressures leads us to conclude that this is the most reasonable assumption to make at this time, as opposed to the SSPSA assumption that severe overpressure results in a small LOCA. Thus, all sequences where MTC is unfavorable lead to core melt.

One additional point on the subject of turbine trip is that both the SSPSA and the ATWS rule assume that electrical failures of the RPS will result in failure of automatic turbine trip. This is not supported by the Ringhals analysis, which showed that the dominant electrical RPS failure modes did not directly cause turbine trip failure, and that at least one additional failure would be required. The SSPSA should also have assumed that Seabrook will have a diverse (independent of RPS) turbine trip, since the ATWS Rule will require it. Thus, a turbine trip failure probability should be applied for all initiators under all conditions.

The SSPSA assumes that it is necessary for the operator to shut down the reactor after the initial phase of the ATWS. This is reasonable and consistent with the ATWS Rule. However, the SSPSA assumes that this action must be taken within ten minutes, which is very conservative. Once the initial phase of the ATWS is over, the power equilibrates at the secondary heat demand and the plant will operate safely for extended periods of time. This is supported by many analyses and a simulator run performed for us on the Seabrook simulator during the plant visit of August 29-31, 1984. We believe that time frame is more on the order of 60 minutes or more, but 60 minutes is reasonable except when a primary safety valve sticks open or the ATWS tree is entered from a LOCA initiator. In this case, a 20 minute time frame is more appropriate.

Manual initiation is required for both cases, as shown on the SSPSA tree.

Additionally, the SSPSA represents this whole procedure on the tree with three events, OH (operator borates), HP (HPI functions), and ON (need for "long term stabilization"). We consider this table unduly confusing and better handled with the one event OH, which would include HPI. Once this is properly performed, the ATWS is over and the event is either success (non-LOCA case), or proceeds in the manner of a normal small LOCA. No additional "stabilization" event is required, as previously discussed for other trees.

The SSPSA also assumes that it is possible to mitigate an ATWS by using bleed-and-feed with HPI only if emergency feedwater fails. This would theoretically provide boration to shut down the reaction simultaneously with bleed-and-feed cooling. This method has not been considered in most other PRAs, and appears questionable since it is not clear how much coolant can be pumped in under the conditions which would be present and how long it would take to effect shutdown. This assumption takes an inordinately large amount of credit for the ability of HPI to provide flow at operating pressure. It would seem that at best only the charging pumps would be capable of injecting any coolant at all, as the pressure should be too high for the safety injection pumps. Also, there would be much greater amounts of heat to be removed through the PORVs with makeup flow than for a normal bleed-and-feed scenario. It is not clear how this heat can be removed and the reactor shut down under these conditions without help from the emergency feedwater system. We therefore conclude that all sequences with failure of emergency feedwater should all lead to core melt.

The remaining events on the tree are concerned with long term cooling and should be structured as for a normal event, since the ATWS condition has been terminated. Thus, the remainder of each sequence behaves like any other accident. This is treated properly in the SSPSA since the ATWS sequences transfer to the same long term trees as the other events.

3.2.3 Issues of Importance to the NRC

In their instructions for this review, the NRC listed certain issues which were of concern to them. They wanted to know how these issues were treated in the SSPSA. This section discusses the issues which affect the event tree analysis.

3.2.3.1 Recirculation Pump Seal Failure During Station Blackout

This event is explicitly considered on the generalized transient tree. The SSPSA assumes that a RCP seal LOCA will occur immediately upon loss of all AC power, and that the leak rate is 20 gpm per pump. We disagree with both assumptions. First, it is not reasonable to assume a leak will occur immediately. Both actual experience and NRC analysis show the seals able to remain intact for 30 minutes. Experience also shows that the seals may be able to survive up to one hour. A simple analysis was performed in the Millstone-3 PSS Review [Ref. 3.2-8], and we feel that the conclusions therein are the most realistic way to represent the RCP LOCA. They are as follows:

- no LOCA will occur if power is restored within 30 minutes,
- there is a probability of 0.4 that a LOCA will occur if power is restored in the 30-60 minute time frame, and
- a LOCA will certainly occur if power is not restored within 60 minutes.

Of course, this is not a perfect representation since a simple step function cannot possibly accurately represent what should be a continuous distribution. However, it is more realistic than the instantaneous step function utilized in the SSPSA.

The extremely low flow rate used in the SSPSA unrealistically extends the occurrence of core uncovery and damage for a long time. The SSPSA assumes a 20 gpm/pump flow rate when NRC (and other) analyses have cited flow rates for total seal failure as 300 gpm/pump. Even the SSPSA mentions this figure as the upper bound flow rate. We believe there are good reasons to assume that once the seals fail, they will rapidly accelerate to total failure since they are in a degraded condition under high mechanical and thermal stress. We also believe it is more realistic to assume the higher flow rate soon after the occurrence of the LOCA. Under this assumption, core damage is more realistically assumed to occur two hours after the station blackout, as assumed in most other PRAs and analyses. Thus, failure to restore power within two hours results in a core damage sequence in any station blackout scenario. These points are also discussed in Section 3.5.2.10, which is concerned with the human reliability analysis of AC power recovery.

3.2.3.2 Depletion of DC Batteries During Station Blackout

This issue is not considered in detail in the event trees; however, it is treated in the analysis of recovery of AC power. This is discussed in detail in Section 3.5.2.10.

3.2.3.3 Pressurized Thermal Shock

The SSPSA treatment of pressurized thermal shock (PTS) is the most comprehensive ever seen in a PRA. PTS is included directly on each tree for which it is applicable, and its treatment is reasonable except for the items discussed in Sections 3.2.2.1 and 3.2.2.2.

3.2.3.4 Steam Generator Tube Rupture (SGTR) with Stuck Open Secondary Steam Relief Valves (SRVs)

This event is modeled directly on the SGTR event tree as the steam leak event. It explicitly models instances where the occurrence of a steam leak alters the phenomenology of the scenario and complicates the event sequence, although, as discussed in Section 3.2.2.8, there were problems with the handling of the effects of a steam leak on the occurrence of core melt. The SSPSA also considered steam leak for its effect on plant damage states, and had specific plant damage states to account for this scenario.

3.2.3.5 Anticipated Transients Without Scram (ATWS)

The analysis of ATWS is handled explicitly on its own event tree as a consequential event following each of the initiator classes. Each of the event trees for the various initiators has an implied transfer to the ATWS tree for a failure to scram. Our review of this ATWS tree is described in Section 3.2.2.9.

3.2.3.6 Stuck Open Primary Safety/Relief Valve (S/RV)

This event is not properly treated on any of the non-LOCA trees except the ATWS tree. Our comments on this issue are contained in Section 3.2.2.1.

3.2.4 References for Section 3.2

3.2-1 Northeast Utilities, Millstone Unit 3 Probabilistic Safety Study, August 1983.

3.2-2 NUREG/CR-2728, Carlson, D.D., et al, Interim Reliability Evaluation Program Procedures Guide, January 1983.

3.2-3 NUREG/CR-2815, Papazoglou, I.A., et al, Probabilistic Safety Analysis Procedures Guide, January 1984.

3.2-4 WCAP-9754, Thompson, C.M., et al, Inadequate Core Cooling Studies of Scenarios with Feedwater Available, June 1980.

3.2-5 SECY-83-293, Felton, J.M. to S.J. Chilk, 10CFR50, Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light Water-Cooled Nuclear Power Plants, December 1983.

3.2-6 NUS Corporation, Ringhals Unit 2 Probabilistic Safety Study.

3.2-7 Amico, P.J., "Fault Tree Analysis of Westinghouse Solid State Protection System Scram Reliability," Proceedings of the International Meeting on Thermal Nuclear Reactor Safety, September 1984.

3.2-8 Garcia, A.A., et al, A Review of the Millstone-3 Probabilistic Safety Study, May 1984.

3.3 SUCCESS CRITERIA

The functional success criteria used in the SSPSA for the functions of Emergency Core Cooling Early, Emergency Core Cooling Late, and Containment Heat Removal are shown in Table 3.3-1. This table includes most of the success criteria used in the SSPSA and virtually all of the meaningful ones. It was relatively difficult to compile this table, since the SSPSA did not display the various success criteria in a concise manner. These criteria were spread throughout the event tree development part of the SSPSA, and in some cases in other areas of the report. The SSPSA included little, if any, discussion of success criteria in a functional sense, generally discussing them only at the systems level, so that it was necessary to deduce the functional success criteria from the event sequence diagrams and event tree models.

Review of the functional and systemic criteria determined that they are generally reasonable, with some exceptions. Where the criteria differed from criteria used in past PRAs on similar reactors, an examination of the bases of the criteria was undertaken to determine if they were valid. Some of these are discussed in the section on event trees (Section 3.2 herein) since they directly affected the event tree structure. Although the documentation in the SSPSA in many cases contained insufficient justification or references to support the criteria, the review team was able to verify the criteria in some cases based on experience and through the use of reference material known to us but not cited in the SSPSA. A summary of our findings for each function evaluated is discussed below.

3.3.1 Emergency Core Cooling Early

3.3.1.1 Power Conversion System During Transients

The SSPSA does not take proper credit for the use of the power conversion system to provide cooling during transients. This problem is discussed in Section 3.2.2.1. The PCS should be included as a valid success criterion in place of the startup feedwater (SFW) pump, which should be considered part of PCS.

3.3.1.2 Bleed and Feed Cooling

The SSPSA assumes that bleed and feed cooling can be used for transients, small LOCAs, steamline breaks inside and outside containment, and steam generator tube ruptures (success criteria (c), (b), (e), (c), and (b), respectively, in Table 3.1-1). These success criteria appear to be reasonable based on prior PRAs and generic Westinghouse analysis in WCAP-9744 [Ref. 3.3-1].

3.3.1.3 High Pressure Injection During Small LOCAs

The SSPSA assumes that any one-out-of-four HPSI pumps are capable of providing this function during small LOCA events. This is not consistent with standard FSAR success criteria, but is generally supported by analysis in more recent PRAs (e.g., Millstone 3 PSS [Ref. 3.3-2]). It also follows from the bleed and feed analysis discussed above; that is, if one pump is sufficient for feed and bleed it should also be sufficient for small LOCAs, at least from the standpoint of flow rate, since the equivalent break size is smaller. However, this break size advantage can also be a disadvantage in certain cases. Analysis in the Millstone 3 PSS indicated a potential problem with breaks at the small end of the size range which result in insufficient depressurization of the RCS, so that pressure remains above the shutoff head of the SI pumps. Thus, for some break sizes, if only SI pumps are available (i.e., charging pumps have failed), it may be necessary for the operator to open a PORV in order to lower the RCS pressure. In order to remove what may be an optimistic assumption, we believe the success criteria should require either one-out-of-two charging pumps or one-out-of-two safety injection pumps in combination with one-out-of-two PORVs. Ideally, this should apply only to a subset of small LOCAs at the small end of the scale. However, no analysis available to us defines the break size or flow rate where this begins to be a problem, so the revised criteria should be applied to the entire break size range.

3.3.1.4 Injection Cooling During Medium LOCAs

The SSPSA assumes that this function can be accomplished without the need for accumulator injection, contrary to the assumptions of previous PRAs which have assumed that accumulators are required for break sizes in this range. While it is obvious that this is probably true for breaks at the lower end of the range, which would be similar to small LOCA feed and bleed conditions, it is not clear that this would also be true for larger breaks. A plant specific calculation performed for the Millstone 3 PSS [Ref. 3.3-2] determined that only one HPI pump is required over this break range, in conjunction with three accumulators. Although this assessment may be conservative, it is the most recent detailed analysis of this break size for plants similar to Seabrook. For this reason, and the fact that no justification of the Seabrook success criteria is provided in the SSPSA, we believe it appropriate to apply the Millstone 3 success criteria to Seabrook, and therefore to require accumulators for medium LOCA injection cooling.

3.3.1.5 Injection Cooling During Steamline Breaks

The SSPSA uses entirely different success criteria for steamline breaks inside and outside containment. This appears to result from an erroneous analysis of the inside containment case, discussed in detail in Section 3.2.2.7 herein. We believe it appropriate to apply the functional requirements for the outside containment case to the inside containment case.

3.3.1.6 MSIV Closure for Steamline Break Inside Containment

The SSPSA states that in order to prevent multiple steam generator blowdown for this initiator, three-out-of-four MSIVs must close. This is incorrect. In this case, there is no way to prevent blowdown of the affected steam generator, and the only way to prevent multiple blowdown is to isolate the other three steam generators from the affected one. This means that the MSIV success criteria for this case should be closure of either one-out-of-one MSIVs on the affected steam generator or three-out-of-three MSIVs on the unaffected steam generators.

3.3.2 Emergency Core Cooling Late

3.3.2.1 Secondary Cooling for Transients and Steamline Breaks

The SSPSA assumes a need for operator action a long time into these events in order to maintain secondary cooling ability. This assumption is overly conservative, for reasons discussed primarily in Section 3.2.2.1. This requirement should be removed from the success criteria.

3.3.2.2 Residual Heat Removal For Small LOCAs

The SSPSA assumes that it is possible to avoid the need for recirculation for this initiator by providing cooling entirely through closed loop RHR cooling. This is an overly optimistic assumption, as discussed in detail in Section 3.2.2.2. No credit should be given for this cooling method.

3.3.2.3 Long Term Cooling During Steamline Breaks

The steamline break inside containment success criteria should be eliminated in favor of the outside containment case for the same reason discussed in Section 3.3.1.5 for the injection cooling success criteria.

3.3.2.4 Long Term Cooling During SGTR with Secondary Steam Leak

The SSPSA assumes that it is possible to provide this function under these conditions. This is an overly optimistic assumption, as discussed in detail in Section 3.2.2.8. The prevention of a late melt during SGTR should in all cases require that no secondary steam leak be present.

3.3.2.5 Operator Action During SGTR

The SSPSA assumes that operator actions to control various facets of the RCS and secondary pressures/flow rates are not always required. This is not correct for reasons discussed in Section 3.2.2.8. It is also important to note that the "Op. Act." required in the SSPSA is not necessarily appropriate in form, timing, or content. This is discussed in detail in Section 3.5.2.7.

3.3.3 Containment Heat Removal

The success criteria for this function are reasonable and consistent with the plant FSAR and previous PRAs.

3.3.4 Revised Success Criteria

A revised set of success criteria, based on the discussions above, is presented in Table 3.3-2.

3.3.5 References for Section 3.3

3.3-1 WCAP-9744, Tauche, W., Loss of Feedwater Induced Loss of Coolant Accident Analysis Report, May 1980.

3.3-2 Northeast Utilities, Millstone Unit 3 Probabilistic Safety Study, August 1983.

TABLE 3.3-1

Seabrook Station PSA Functional Success Criteria

Transient
  • Emergency Core Cooling Early: (a) 1/1 SFW or (b) 1/2 EFW or (c) 1/4 HPSI + 2/2 PORV
  • Emergency Core Cooling Late: (a) 1/1 SFW + Op. Act. or (b) 1/2 EFW + Op. Act. or (c) 1/2 HPSR
  • Containment Heat Removal: (a) 1/2 CSR (core melt sequences only)

Small LOCA
  • Emergency Core Cooling Early: (a) 1/2 EFW + 1/4 HPSI or (b) 1/4 HPSI + 2/2 PORV or (c) 1/2 EFW + SSR + 1/2 LPSI
  • Emergency Core Cooling Late: (a) 1/2 EFW + 1/4 HPSI + 1/2 RHR or (b) 1/2 HPSR or (c) 1/2 EFW + SSR + 1/2 LPSR
  • Containment Heat Removal: Same

Medium LOCA
  • Emergency Core Cooling Early: (a) 2/4 HPSI or (b) 1/2 EFW + SSR + 1/2 LPSI
  • Emergency Core Cooling Late: (a) 1/2 HPSR or (b) 1/2 EFW + SSR + 1/2 LPSR
  • Containment Heat Removal: Same

Large LOCA
  • Emergency Core Cooling Early: (a) 1/2 LPSI + 3/3 ACC
  • Emergency Core Cooling Late: (b) 1/2 LPSR
  • Containment Heat Removal: Same, but also allowable for non-core melt sequences (to prevent core melt)

Steamline Break (Outside)
  • Emergency Core Cooling Early: (a) 3/4 MSIV + 1/2 EFW or (b) 1/1 MDEFW or (c) 1/4 HPSI + 2/2 PORV
  • Emergency Core Cooling Late: (a) 1/2 EFW + Op. Act. or (b) 1/2 HPSR
  • Containment Heat Removal: Same

Steamline Break (Inside)
  • Emergency Core Cooling Early: (a) 3/4 MSIV + 1/2 EFW + 1/4 HPSI or (b) 1/1 MDEFW + 1/4 HPSI or (c) 3/4 MSIV + 1/2 EFW + SSR + 1/2 LPSI or (d) 1/1 MDEFW + SSR + 1/2 LPSI or (e) 1/4 HPSI + 2/2 PORV
  • Emergency Core Cooling Late: (a) 1/2 HPSR or (b) 1/2 EFW + SSR + 1/2 LPSR
  • Containment Heat Removal: Same

SGTR
  • Emergency Core Cooling Early: (a) 1/3 S/EFW + 1/4 HPSI or (b) 1/4 HPSI + 2/2 PORV or (c) 1/3 S/EFW + Op. Act.
  • Emergency Core Cooling Late: (a) 1/3 S/EFW + Op. Act. or (b) 1/2 RHR or (c) 1/2 HPSR
  • Containment Heat Removal: Same

TABLE 3.3.2

Revised Seabrook Station Functional Success Criteria

Transient
  • Emergency Core Cooling Early: (a) PCS or (b) 1/2 EFW or (c) 1/4 HPSI + 2/2 PORV
  • Emergency Core Cooling Late: (a) PCS or (b) 1/2 EFW or (c) 1/2 HPSR
  • Containment Heat Removal: (a) 1/2 CSR (core melt sequences only)

Small LOCA
  • Emergency Core Cooling Early: (a) 1/2 EFW + 1/2 CP or (b) 1/2 EFW + 1/2 SIP + 1/2 PORV or (c) 1/4 HPSI + 2/2 PORV or (d) 1/2 EFW + SSR + 1/2 LPSI
  • Emergency Core Cooling Late: (a) 1/2 HPSR or (b) 1/2 EFW + SSR + 1/2 LPSR
  • Containment Heat Removal: Same

Medium LOCA
  • Emergency Core Cooling Early: (a) 1/4 HPSI + 3/3 ACC or (b) 1/2 EFW + SSR + 1/2 LPSI + 3/3 ACC
  • Emergency Core Cooling Late: (a) 1/2 HPSR or (b) 1/2 EFW + SSR + 1/2 LPSR
  • Containment Heat Removal: Same

Large LOCA
  • Emergency Core Cooling Early: (a) 1/2 LPSI + 3/3 ACC
  • Emergency Core Cooling Late: (a) 1/2 LPSR
  • Containment Heat Removal: Same

Steamline Break
  • Emergency Core Cooling Early: (a) MSIV* + 1/2 EFW or (b) 1/1 MDEFW or (c) 1/4 HPSI + 2/2 PORV
  • Emergency Core Cooling Late: (a) MSIV* + 1/2 EFW or (b) 1/1 MDEFW or (c) 1/2 HPSR
  • Containment Heat Removal: Same

SGTR
  • Emergency Core Cooling Early: (a) 1/2 EFW + 1/4 HPSI or (b) 1/4 HPSI + 2/2 PORV or (c) 1/2 EFW + Op. Act.
  • Emergency Core Cooling Late: (a) 1/2 EFW + Op. Act. + No SL or (b) 1/2 HPSR + Op. Act. + No SL
  • Containment Heat Removal: Same

* See Section 3.3.1.6

3.4 SYSTEMS

This section presents the results of our review of the system descriptions and analysis performed for the SSPSA. The system descriptions were reviewed for adequacy in supplying the appropriate information to enable us to verify the systems success criteria, models and analysis. The system analysis was reviewed for model accuracy, validity and completeness for quantifying system response and accident sequences.

The system analysis for SSPSA was performed for "front-line" and "support" systems. Front-line systems are considered in the event tree top headings for the analysis of the various initiating events. They are designed and required for accident mitigation. Support systems are considered in the event tree developed for an auxiliary system. They are needed to provide power, cooling, actuation and support to the front-line systems. The system descriptions and analysis were provided in SSPSA Chapter 7 and Appendix D. The auxiliary and front-line systems analyzed for the SSPSA are listed below:

AUXILIARY SYSTEMS (SSPSA Section, Appendix: System)

  • 7.2, D.2: Electrical Power System (EPS)
  • 7.3, D.3: Service Water System (SWS)
  • 7.4, D.4: Primary Component Cooling System (PCCS)
  • 7.5, D.5: Instrument Air System (IA)
  • 7.6, D.6: Reactor Protection System (RPS), Solid State Protection System (SSPS), Emergency Safety Features Actuation System (ESFAS)
  • 7.7, D.7: Containment Enclosure Air Handling System (CEAHS)

FRONT-LINE SYSTEMS (SSPSA Section, Appendix: System)

  • 7.8, D.8: Emergency Core Cooling System (ECCS)
  • 7.9, D.9: Emergency Feedwater (EFW)
  • 7.10, D.10: Reactor Coolant Pressure Relief
  • 7.11, D.11: Main Steam (MS)
  • 7.12, D.12: Containment Building Spray (CBS)
  • 7.13, D.13: Containment Isolation System (CIS)
  • D.14: Control Room Heating, Ventilation, and Air Conditioning (CRHVAC)

Each system was modelled using a reliability block diagram (RBD) instead of the more traditional fault tree model. In the SSPSA, RBDs were constructed using a set of supercomponent blocks. Each supercomponent block is a collection of components in series. Typically the failure of any component within a supercomponent block will fail that block; however, in the SSPSA, some blocks represented combinations of component failures. The RBDs were then used to develop, by inspection, logical expressions for system failure dependent on the specific initiating event, boundary conditions and required system function. The logical expressions were used to quantify the system's failure response for each initiating event.

The supercomponent blocks were first quantified using the DPD2 and STADIC computer codes. Once the blocks were quantified, the logical expression for the system was then quantified using the same codes. The result of the system analysis for the SSPSA was a set of numbers that represented the system's failure response. The mean unavailabilities determined in the SSPSA for each system and initiating event are given in Table 1.

The beta factor method was used to analyze common cause failures in SSPSA. Beta factors were derived for specific common cause failure types where data was available. When beta factors could not be derived a "generic" beta factor of 0.125 was used. A further discussion on beta factors is given in the section on data review.

The review results for each system listed above are given in the following subsections, 3.4.1 - 3.4.13. Each subsection is divided into three parts. The first part contains a brief discussion of system configuration and response during accident situations based on the SSPSA system description and the Seabrook FSAR. The second part discusses the RBD system model with respect to its configuration and intended function. Our evaluation of each RBD model considered the consistency between the system model and its success criteria. The SSPSA treatment of test and maintenance, human errors and common cause failures was also evaluated. The last part of each subsection contains comments and conclusions reached during our evaluation of the systems analysis with respect to accuracy, validity and completeness.

In general, the system descriptions and models adequately represent the configurations and response of the systems analyzed. The RBD analysis technique, however, is less detailed than fault tree analysis. The use of RBDs to derive logical expressions is more of an inductive than a deductive process, so that it is more demanding on the analyst's knowledge and background. In addition, the process of quantifying at each step reduces the representation of the system failure to a single numerical quantity. There are no cut sets that represent system failure modes. While it is possible to determine which component less insight into the systems failure response and less information is passed onto the next level of analysis, the event trees.

The systems models were found to contain many conservative assumptions which were made mainly to simplify the analysis. In some cases, however, these simplifications eliminated components or subsystems that should have been considered in the analysis. In other cases, the simplifying assumptions attached undeserved significance to components that were included. Although the simplifications produced conservative results, in some cases these results are unrealistic and misleading. For example, conservative assumptions on the need for particular auxiliary components in a system may yield system unavailability results which show the importance of these auxiliary components to be dominant. Realistic assumptions can produce entirely different results, showing those same components to be insignificant, reducing the system unavailability by as much as an order of magnitude, and showing that other components dominate the system unavailability.

Although the SSPSA does not provide measures of component or supercomponent block importance, simplified calculations using SSPSA data and logic equations show how components important to system reliability when realistic assumptions are used can be masked into obscurity by conservative assumptions. One consequence of these conservative assumptions is an increase in the final risk estimates. The point is not that the results are too conservative, but that the use of conservative assumptions may mask important qualitative and/or quantitative information, and that this may subsequently result in incorrect decisions regarding the effects of potential system modifications or upgrades on the reliability of that system.

In our evaluation, we were unable to verify the accuracy of the numerical results in the SSPSA. There are two reasons for this. The data upon which they base their results is proprietary and was not given. The review of the data is given in section 3.6 herein. The use of DPD2 and STADIC computer codes in the SSPSA to quantify the logical failure expressions produced results that were not reproducible by a direct calculation using the component mean failure probabilities presented in the SSPSA. For most cases, the differences between the stated system mean failure probability and our direct calculation were small, however, during our 2 - 5. In addition, since we do not have the DPD2 and STADIC codes and access to their data, we cannot assess the impact that a correction to a model may have on the overall results. It was even difficult to compare the corrected model results with their stated values for individual systems since we could not verify their original numbers.

The text and tables presented in the systems analysis sections contained numerous errors. Most of these errors can be attributed to typing, document production, errors in addition, etc. Although we cannot determine whether these errors were propagated through the remainder of the analysis, the number of errors contained in these sections leaves serious doubts about the validity of the results.

3.4.1 ELECTRIC POWER SYSTEM

3.4.1.1 SYSTEM DESCRIPTION

The electric power system is designed to provide the AC motive power and DC control power necessary for normal operation as well as for the mitigation of abnormal events that could affect the reactor core, the reactor heat removal systems, or systems that affect the release of radioactivity to the environment. The electric power system also provides power for the instrumentation needed to monitor key plant parameters and to provide input to the safeguards actuation logic and reactor trip logic.

During startup the generator step-up transformer (GSU) supplies power from the grid to both unit auxiliary transformers (UATs). After generator synchronization, the generator breaker is closed and the flow of power reverses so that the GSU and UATs are then supplied from the generator. The UATs supply the 13.8 kV buses, the Class 1E 4.16 kV buses, and the non-Class 1E 4.16 kV buses.

The Class 1E system is divided into two redundant trains. Each train consists of a 4.16 kV bus, an emergency diesel generator, 480V load centers, instrument and control power supplies, and two 125V DC batteries. A reserve auxiliary transformer (RAT) in each train provides an alternate source of offsite power redundant to the UATs.

3.4.1.2 SYSTEM ANALYSIS

The following assumptions were made for the system analysis.

  • The 4.16 kV switchgear fails after 2 hr without cooling.
  • Ventilation is not required in the battery rooms.
  • All crossties are open.
  • AC power is modeled only down to the 4.16 kV buses. The 480V buses are combined at the 4.16 kV level in a bounding model because failure of the 480V buses is dominated by failure of the associated 4.16 kV bus.
  • Power is unavailable from the main generator, requiring the generator breaker to open to allow backfeeding of the UATs.
  • Failure of service water cooling to the diesel engine jacket water coolers or failure of the fuel oil transfer pump causes diesel generator failure.
  • Failure of the emergency power sequencer is equivalent to system failure at the 4.16 kV bus level.
  • Operator recovery actions are not included.
3.4.1.3 RESULTS

System mission time was defined as 24 hr following the initiating event with offsite power available, and 6 hr following a loss of offsite power.

Unavailabilities for the Class 1E electric power system were calculated for the following states, given the first condition listed.

State 1: Offsite Power Available / Buses E5 and E6 Unavailable
EP(1) = 2.55E-7
This is a hardware contribution only.

State 2: Loss of Offsite Power / Buses E5 and E6 Unavailable
EP(2) = 7.70E-3
Hardware is more important than maintenance and Common Cause.

State 3: Loss of One DC Bus / The Other AC Bus Unavailable
EP(3) = 5.84E-2
This is a hardware contribution only.

State 4: Buses E5 and E6 Available / Both DC Buses Unavailable
EP(4) = 2.84E-10
This is a hardware contribution only.

State 5: Buses E5 and E6 Unavailable / Both DC Buses Unavailable
EP(5) = 4.59E-7
This is a hardware contribution only.

3.4.1.4 COMMENTS

Equations for system unavailability for the five states were determined by inspection from the reliability block diagram (RBD) in SSPSA Figure D.2-11 on pages D.2-76 and -77. The RBD shows Bus E5 as being powered from offsite power through either UAT-A or RAT-A, or from diesel generator A. Similarly, Bus E6 is shown to be powered from offsite power through either UAT-B or RAT-B, or from diesel generator B. UAT-A is shown to be independent of UAT-B, and RAT-A is shown to be independent of RAT-B.

This representation of independence is not consistent with the description of the UATs given in SSPSA Section D.2.1.3.2.1.2 on page D.2-4 (item a below) nor is it consistent with the description of the RATs given in section D.2.1.3.2.1.3 on page D.2-5 (item b below):

a. "If actuated, the protection relays trip the unit and transfer the plant electrical loads to the RATs. Actuation of a relay for one UAT will isolate or trip both UATs."
b. "Actuation of a protective relay for one RAT will trip or isolate both RATs."

Through a check of the electrical drawings and conversations with the Seabrook technical staff, we conclude that the system does function as described in a and b above. Although it is possible for an operator to isolate one UAT and thereby operate the plant electrical system from the other UAT and the appropriate RAT, this is an unlikely situation. In almost all circumstances of a UAT (or RAT) failure, the twin UAT (or RAT) will also be tripped. Therefore, for the purposes of this analysis, the UATs are not independent of each other and the RATs are not independent of each other. The RBD as constructed includes redundancy (through the modeling of independence) which does not actually exist.

A revised RBD which correctly models the transformer dependencies is shown in Figure 3.4.1-1. Blocks UA and UB from SSPSA Figure D.2-11 have been combined into block UAT in Figure 3.4.1-1. Similarly, SSPSA blocks EE5 and EE6 are combined into EE; SSPSA blocks RA and RB are combined into RAT; and SSPSA blocks RBE5 and RBE6 are combined into RBE.


This correction to the RBD could potentially impact the results for State 1. However, when applying the results for the block hardware failure contributions listed in SSPSA Table D.2-10 on page D.2-60 to the complicated expression for State 1 given on page D.2-30, we find that the unavailability is completely dominated by a single term: the product BE5 * BE6, so that this correction to the RBD has no effect on the result.

The only common cause failure in the electric power system that was considered quantitatively is the failure of both diesel generators to start and run for 6 hr. This contribution was only calculated for State 2, even though State 1 also includes both diesel generators in its unavailability expression. Since the terms including the diesel generators in that expression are not significant contributors to the result, as discussed above, the omission of the common cause contribution is not significant. However it should have been calculated and reported in SSPSA Table 7.2-4 for completeness.

Another area of incompleteness concerns the Class 1E 120V AC Distribution System. This system includes 6 instrument buses each with its own inverter. The inverters are normally powered from the emergency buses through 480V motor control center circuits through 480/120V distribution transformers. Backup power is provided from the 125V battery buses. The instrument buses provide power to safeguards and protection instrumentation channels and to the balance of plant Class 1E instrumentation.

Despite the importance of this safety related electrical subsystem, no modeling or quantification was performed for it. Although it is claimed that the 480V buses are included in calculations for the 4160V buses, the 120V AC buses, transformers, and inverters are not included in any logic hardware blocks in the RBD. This system is not represented in any of the failure logic expressions, nor is its unavailability quantified. A curious inconsistency is the inclusion of the letter designator "J" representing inverter failure in the list in SSPSA Section D.2.3.1.1 on page D.2-32, and the inclusion of inverter failure datum in SSPSA Table D.2-8 on page D.2-58.

3.4.2 SERVICE WATER SYSTEM

SYSTEM DESCRIPTION

The service water system (SWS) provides cooling water to transfer the heat loads from various sources in the primary and secondary portions of the plant to the ultimate heat sink. The SWS consists of a seawater service water system and a cooling tower system and their associated ventilation systems. Cooling water is provided to the primary component cooling heat exchangers, the diesel jacket water coolers, and the secondary component cooling heat exchangers and condenser box priming pump heat exchangers.

The seawater service water system consists of two trains, each having one pump running and another as backup. As a redundant backup to the seawater system, the mechanical draft evaporative cooling tower uses the same outlet piping and contains one pump in each of two trains along with three fans, two of which are in common with Unit 1. The service water pumphouse and the cooling tower each has its own heating and ventilation system.

SYSTEM ANALYSIS RESULTS

A total of seven variations of three main cases is analyzed for SWS unavailability. Case 1 considers the seawater SWS unavailability with offsite power available, with two boundary conditions consisting of an "S" signal (safety injection actuation) present and an "S" signal absent. Case 2 considers the seawater SWS with offsite power unavailable, with two boundary conditions consisting of all support trains available and one support train unavailable. Case 3 considers the unavailability of the cooling tower system with three boundary conditions consisting of (1) all support systems available; (2) train A unavailable; and (3) train B unavailable. In this case, the unavailability of train A does not equal that for train B due to an additional fan placed in series in the reliability block diagram for the B train.

The mean system unavailability results as reported in SSPSA Appendix D pages D.3-28, D.3-31, D.3-51 to -53 are as follows.

Case 1 - Boundary Condition "S" Signal : 2.32E-4
Common cause dominates hardware and maintenance.

Case 1 - Boundary Condition No "S" Signal : 6.43E-6
Hardware dominates maintenance and common cause.

Case 2 - Boundary Condition 1 : 1.10E-3
Common cause and hardware both contribute significantly.

Case 2 - Boundary Condition 2 : 1.93E-2
Hardware contribution only.

Case 3 - Boundary Condition 1 : 2.46E-3
Hardware and common cause are more significant than maintenance.

Case 3 - B.C. 2 and 3 (no distinction made) : 4.83E-2
Hardware apparently dominates maintenance.

Another set of results is available in SSPSA Table 7.3-1 on page 7.3-4 in which all of the hardware unavailabilities are different from the Appendix D results, while maintenance and common cause numbers are the same. No calculations or explanations are provided to account for the differences. The new totals follow.

Case 1 - Boundary Condition 1 : 3.81E-4
The hardware contribution was increased by a factor of 4 so that hardware and common cause contribute equally.

Case 1 - Boundary Condition 2 : 1.65E-4
The hardware contribution was increased by a factor of 24 and continues to dominate. In defense of this version of the result, our point estimate calculation based on mean values gives a hardware unavailability of 1.56E-4, which compares favorably to the SSPSA Table 7.3-1 entry of 1.55E-4.

Case 2 - Boundary Condition 1 : 1.25E-3
The hardware contribution was increased by 42%.

Case 2 - Boundary Condition 2 : 1.93E-2
The hardware contribution was increased by 1%.

Case 3 - No results presented.

COMMENTS

These comments pertain to the analysis in SSPSA Appendix D.3. The following assumption from page D.3-14 states:

"The failure to close on demand of each SCC heat exchanger inlet isolation valve, (V4, V5) would degrade the cooling function of the affected SWS train during event response operation. Therefore, these two valves are included in the model."

This seems like a reasonable assumption until we examine its consequences. In Case 1, with all support systems available, offsite power available, and an S signal, the equation for service water system unavailability is EQN D.3.1 on page D.3-17,

SWAB = T + S1*S2 + P1A*P1B + (Y1 + A*C + E) * (Y2 + B*D + F) + Z + STR

The evaluation gives a mean of 5.04E-5 on page D.3-28. Evaluating the equation simply with mean values produces a point estimate of 2.66E-5. Of this result, 70% is attributed to the product E*F (1.85E-5); while 9% is attributed to the term Y1*F + Y2*E (2.32E-6); 8% (2.22E-6) is attributed to the term Z; 6% is attributed to the product P1A*P1B; 3% is attributed to the product S1*S2; and 1% is attributed to the term T (2.50E-7).

Let's examine what these terms represent. On page D.3-27 E = F, and the unavailability is dominated by failure of the motor operated SCC isolation valves V4 and V5 to close on the S signal. Again it's restated that failure to isolate by these valves is assumed to cause failure of the associated SWS train. From page D.3-22 Y1 = Y2, and is dominated by relief dampers DP-60A and DP-60B in the SW switchgear rooms. On page D.3-28, Z is the intake tunnel MOV-44. On page D.3-21, P1A = P1B, which includes fans and dampers in the pump area of the pumphouse. From pages D.3-25 and D.3-26, A = B, and is dominated by the normally operating service water pumps. Also C = D, which combines the backup service water pumps, check valves, and motor operated valves in the backup pump lines. Finally, T is the tornado check damper, and S1 and S2 are supply fans.

The variable STR represents strainer S-10 and S-11, which can fail by blockage. However, the explanation on page D.3-28 assumes that strainer failure probability is negligible. This is curious since in the PRA for Millstone-3, the most important contributor to service water system unavailability for cases with AC power available to both trains was strainer blockage.

We now see that approximately 82% of the system unavailability is attributed to failures of one or both SCC isolation valves, while another 10% is contributed by the pumphouse ventilation system. These unrealistic results are due to the conservative assumptions made for these components. It was assumed that failure of the SCC isolation valves would fail the entire system. However these valves only function to prevent service water flow to the SCC system after an S signal. Should the valves fail, a small fraction of the total service water flow normally available to the PCC heat exchangers and diesel jacket water coolers would be diverted to the SCC system. Since offsite power is available, there is no load on the diesels in this case, and the heat removal load from the idling diesels can be easily handled. The PCC heat exchangers would receive less than normal flow, and after the regulating valves open fully any continued flow deficit would reduce total heat removal from the heat exchangers and increase the outlet water temperatures. Then the components and heat exchangers cooled by the PCC would have small temperature rises in their cooling water. Because of the conservative designs of these components, it is considered very unlikely that any failures will occur as a result of slight temperature increases. Therefore a more realistic assumption for this analysis is that failure of the SCC isolation valves will not fail the service water system in this case. Then E and F are set to zero in the equation for system unavailability, and the result is a reduction by about a factor of 5 to 5.03E-6.

Similarly, we can improve on the assumptions made for ventilation requirements. On page D.3-14 it is stated that the ventilation fans are probably not required in winter. Yet the assumption made is that ventilation is always needed. Considering the climate of the New Hampshire coast, we feel an assumption that ventilation is only needed for half the year is still conservative, and a realistic assumption is that loss of ventilation will not cause loss of service water. Evaluating the equation for these two cases gives a system unavailability of 3.43E-6 for the 50% time ventilation needed, and 2.22E-6 for no ventilation needed. This represents reductions in the original unavailability calculation by factors of about 8 and 12 respectively.

We have shown how the use of overly conservative assumptions can significantly increase the estimate of SWS unavailability and attach dominant importance to components such as SCC isolation valves and pumphouse ventilation fans. Such results could result in incorrect or inappropriate decisions on potential system modifications or upgrades. This case is just one example of how the conservative philosophy used throughout the SSPSA systems analyses makes the quantitative results less meaningful and makes it more difficult to gain useful insights into system reliability.

3.4.3 PRIMARY COMPONENT COOLING WATER SYSTEM

3.4.3.1 SYSTEM DESCRIPTION

The primary component cooling water system (PCC) supplies cooling water to prevent overheating of components which are needed for plant operation or to satisfy one or more basic safety functions. These components include: containment building spray pumps and heat exchangers, residual heat removal (RHR) pumps and heat exchangers, safety injection pumps, centrifugal charging pumps, containment enclosure coolers, and reactor coolant pump (RCP) thermal barrier cooling heat exchangers. The PCC water system is divided into three subsystems for this analysis: a PCC system, the RCP thermal barrier cooling system, and the primary auxiliary building air handling (PAH) system.

The PCC system consists of two redundant cooling loops which remove heat from various primary components during power, shutdown, and accident conditions. Each loop contains two centrifugal pumps, one heat exchanger, and one head tank. One pump in each loop normally operates while the other acts as a backup. Flow to nonessential services inside containment is automatically isolated on a P signal by the containment isolation valves. Flow to nonessential services outside of containment is automatically isolated on a T signal by the waste processing building isolation valves.

The RCP thermal barrier cooling system includes two heat exchangers in series, two recirculation pumps in parallel, an expansion tank, and motor-operated valves.

The PAH ventilation system provides ventilation to the PCC area when normal PAH ventilation is unavailable. This is assumed to occur only during loss of offsite power conditions. This system includes two redundant trains of supply and exhaust dampers and fans.

3.4.3.2 SYSTEM ANALYSIS

The following assumptions were made in the SSPSA analysis.

  • Failure to close of the PCC isolation valves for the containment structure and the waste processing building results in failure of the associated PCC train.

  • No credit is taken for operator actions to recover failed equipment over the 24-hr mission time.
  • Ventilation is required for PCC pump operation. The normal PAH ventilation system is always available when offsite power is available. Therefore failure of the backup PAH ventilation system to operate for 24 hr causes failure of the PCC system for loss of offsite power cases only.

The PCC, RCP thermal barrier cooling system, and PAH system unavailabilities were quantified for six cases depending on the availability of service water and offsite power and the need for isolation of the PCC cooling loads inside containment.

  • Boundary Condition 1 - Case A: Offsite power available, service water available, no P signal required.

PCC = 1.54E-6. Hardware dominates maintenance and common cause.
RCP = 1.12E-4. Hardware contribution only.
PAH = 0. Assumption.

  • Boundary Condition 1 - Case B: Loss of offsite power, service water available, no P signal required.

PCC = 1.25E-5. Common cause dominates hardware and maintenance.
RCP = 2.33E-4. Hardware contributes 55%, common cause 45%.
PAH = 7.69E-6. Hardware contributes 71%, maintenance 29%.

  • Boundary Condition 1 - Case C: Offsite power available, service water available, P signal required.

PCC = 1.53E-6. Hardware dominates maintenance and common cause. Results are similar to condition 1 case A.
RCP and PAH results are not reported, but should be identical to condition 1 case A.

  • Boundary Condition 2 - Case A: Offsite power available, only one train of service water available, no P signal required.

PCC = 9.01E-4. Hardware contributes 66%, maintenance 34%.
RCP = 1.16E-4. Hardware contribution only.
PAH = 0. Assumption.

  • Boundary Condition 2 - Case B: Loss of offsite power, only one train of electric power available, one train of service water available, no P signal required.

PCC = 1.05E-3 (Table 7.4-1, page 7.4-3) or PCC = [illegible]E-4 (Table D.4-11, page D.4-46). Hardware contributes 58%, maintenance 32%, common cause 10%.
Apparently the second result referenced above is an error. The main difference between this case and case 2A is that the backup PAH ventilation system is required to function here.
RCP = 3.86E-3 (Table D.4-11) or RCP = 3.85E-3 (Table 7.4-1). This is a hardware contribution only.
PAH = 2.13E-3. Hardware contributes 57%, maintenance 43%.

  • Boundary Condition 2 - Case C: Offsite power available, only one train of service water available, P signal required.

PCC = 8.94E-4. Hardware contributes 66%, maintenance 34%.
RCP = 3.85E-3. This is identical to case 2B.
PAH = 0. Assumption.

3.4.3.3 COMMENTS

The logic equations for the PCC system without ventilation for the six cases are as follows.

  • PCC-1A = (AB + C)(AB + C)
  • PCC-1B = (BB + C')(BB + C')
  • PCC-1C = (AB + C')(AB + C')
  • PCC-2A = AB + C
  • PCC-2B = BB + C'
  • PCC-2C = AB + C'

Problems exist in the quantification of the blocks for C and C', which appear in every case. According to the system description on page D.4-6, the containment isolation valves (CC-V168, CC-V57, CC-V121, CC-V122, for loop A) close automatically on a P signal. Other valves are closed automatically on a T signal, but this situation is not included in the boundary conditions considered. Again in section D.4.2.1.1 on page D.4-10 it is stated: "The PCC isolation valves for the containment structure and the waste processing building are included in the analysis since the failure of these valves to close on demand given an initiating event will result in failure of the associated PCC train." The initiating event demanding closure of the waste processing building valves (T signal) is not included in the analysis. Finally, the discussion in section D.4.3.1.1.1 on page D.4-16 treats the waste processing isolation valves as if they are closed on a P signal (the same as the containment isolation valves).

Blocks C and C' include all of these valves as well as some others. Several errors are apparent in the quantification of these blocks. In block C, the containment isolation valves are to remain open (no P signal) and failure occurs if any of the four valves transfers closed during operation (4 * 6.41E-6 = 2.56E-5). The waste processing building isolation valves, the spent fuel pool supply valve (CC-V32), and the letdown heat exchanger return valve (CC-V341) are also open and failure occurs if any of them transfer closed during operation (4 * 6.41E-6). This is contrary to the failure mode listed in Table D.4-7 on pages D.4-35 to -40. Using these values, the mean value of block C is 1.09E-4.

In block C' a P signal is present, and containment isolation fails if 1 valve out of 2 in either of 2 sets fails to close. This is quantified correctly. However, the isolation valves for the nonessential services outside of containment are not affected, and their failure mode is the same as in block C. Therefore the mean quantification of block C' is 7.97E-5.

Requantifying the six cases using mean values gives the following point estimate results for hardware unavailability.

  • PCC-1A = 1.26E-8
  • PCC-1B = 4.06E-6
  • PCC-1C = 6.82E-9
  • PCC-2A = 1.12E-4
  • PCC-2B = 9.35E-5
  • PCC-2C = 8.26E-5

Due to the numerical treatment of probability distributions in the SSPSA, these results are directly comparable to values in SSPSA Table 7.4-1 only for cases 2A, 2B, and 2C. We note that the requantified results are lower by factors of about 5 and 7 for cases 2A and 2C respectively, and lower by 85% for case 2B. We expect significant changes in the other cases as well.

The assumption that ventilation (PAH) is required for PCC system success is overly conservative. Using Table 7.4-1 values, we note that the PAH hardware contributes 79% of the unavailability for the PCC hardware in case 1B, and PAH contributes 38% of total unavailability for PCC. In case 2B, the PAH contribution is 67% for hardware and 67% of the PCC total. Since the PCC unavailabilities without PAH are expected to decrease in light of the preceding discussion, the percentage contribution of PAH will be even larger. A thermal analysis is needed to determine the effects (if any) of loss of PAH on the PCC so that realistic assumptions can be used.

3.4.4 Instrument Air System

3.4.4.1 System Description

The instrument air system provides air for pneumatic instruments and controls. Three air compressors are piped in parallel, discharging to a common header that feeds two air receivers. The two air receivers are connected by a 1" line that contains instrumentation for compressor control and receiver depressurization isolation. Each receiver outlet branches into two discharge paths. One line is connected to a common header that supplies the service air system. The service air system does not perform any safety related functions and is not considered in the SSPSA analysis. The other discharge line from each receiver is connected to its own air drying system that supplies one of two redundant instrument air loops (headers). The piping from each dryer contains cross-over piping to the other loop so that each receiver can supply both air loops.

Two of the air compressors are connected to emergency buses. Cooling of the compressors is provided by the secondary component cooling (SCC) system, which is cooled by the service water system (SWS). The SCC becomes isolated from the SWS upon either loss of power or a safety injection signal. The SCC is not analyzed in the SSPSA.

3.4.4.2 System Model

The instrument air system is not a safety system and is not included as a top event in the event trees. Loss of instrument air will cause air operated valves to fail to a predetermined position. There are three sets of safety significant valves that fail in the closed position on loss of instrument air: main feedwater valves, steam atmospheric relief valves (ARV), and condenser steam dump valves (SDV).

The ARVs are not considered to require a continuous supply of air since they are equipped with air accumulators. The ARVs are discussed in the section on main steam (3.4.10).

Closure of the main feedwater valves will result in a turbine trip and will not allow the main feedwater system to supply coolant to the steam generators for decay heat removal. Loss of instrument air as a loss of feedwater initiator is considered to be included in the data for loss of feedwater transients. The main feedwater system is not considered for accidents involving a loss of power or a safety injection signal.

The instrument air system is included as part of the secondary cooling function in the main steam analysis through the dependence of the SDVs. A discussion of the SDVs is given in the section on main steam (3.4.10). The instrument air system is analyzed only under the specific boundary condition for situations where secondary cooling is needed.

The reliability block diagram of the instrument air system was used to determine its unavailability to supply air pressure to both redundant air loops. The model assumes one compressor is operating, one in standby, and one in maintenance. Failures in the service air system are assumed to not affect the instrument air system. Catastrophic failure of either air receiver is assumed to fail the system. Operator recovery actions and pipe breaks are not considered in the analysis. Unless the initiating event is failure of the service water system, the SCC system continues to provide cooling to the compressors.

The system unavailability was calculated to be 3.07E-4 for a mission time of 24 hours. Over 96% of this unavailability is contributed by common cause failure of the two available compressors. This failure mode is both compressors fail to run (the standby compressor fails to run after successfully starting). Hardware failures associated with the compressors contribute about 3.8% to the system unavailability.

The system is a normally running system; therefore, test and maintenance was not explicitly included in the analysis. One compressor, however, was considered unavailable due to maintenance. This assumption is conservative.

3.4.4.3 Comments

The analysis of the instrument air system is used as a contributor to the failure of the SDVs for secondary heat removal. The event SC (secondary cooling), which includes the SDVs, is used as part of the event tree top event EF, emergency feedwater and steam relief. The event EF is included in many of the sequences that are significant contributors to both core melt frequency and health risk. The degree to which event SC contributes to event EF is discussed in the section on emergency feedwater (3.4.8).

The analysis only considers failure of the air supply loops. There is no consideration for isolation valves and filters between the air supply and specific air-operated valve. For valves which are normally closed and fail closed, isolation valve failure, clogged filters and human error following test and maintenance should be considered.

The dependence of the instrument air system on the SCC system has not been adequately considered. The SCC system will become isolated from its cooling source given a safety injection signal and discontinue operation on loss of off-site power. These conditions would in turn cause the air compressors to stop due to high temperature. The SCC system is dependent on the service water system and the engineered safety features actuation system (ESFAS). These dependencies have an effect on the function of the secondary cooling system for sequences requiring decay heat removal for periods longer than 2 hours. This dependence is discussed in the section on event trees (3.2).

3.4.5 REACTOR TRIP, SOLID STATE PROTECTION SYSTEM, AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM

3.4.5.1 SYSTEM DESCRIPTION

The reactor trip system (RTS), solid state protection system (SSPS) and engineered safety features actuation system (ESFAS) provide for the detection of off-normal occurrences and the actuation of protective actions should an accident situation develop. The SSPS receives signals from various plant sensors and, dependent on those signals, responds by sending signals to the RTS and/or ESFAS. The RTS trips the reactor. The ESFAS multiplies the signals it receives to actuate the various systems designed and needed for accident mitigation.

The RTS consists of two trains of reactor trip breakers, a manual actuation circuit and 57 neutron absorbing control rod cluster assemblies. Each RTS train contains two breakers (primary and bypass) that connect power from M-G sets to the control rod drive mechanisms (CRDM) that hold the control assemblies in place. All four breakers are identical. Each breaker contains a DC undervoltage coil that overcomes spring pressure to keep the plunger from opening the breaker. A shunt trip coil is provided for manual actuation. The bypass breakers are provided to allow breaker testing with the reactor at power. Upon a SSPS or manual actuation signal the breakers trip and remove power from the CRDM coils, allowing the control rod cluster assemblies to fall into the core. The breakers will also trip on loss of electric power or loss of signal from the SSPS.

The SSPS consists of detectors, analog protection racks, logic protection racks and interconnecting cables. The detectors continuously monitor plant conditions and output to amplifiers in the analog protection racks. The amplifiers feed bistables that trip when a preset condition is exceeded. Each bistable actuates 2 relays. Each relay feeds an independent and redundant logic train, Train A or B, located in the logic protection racks. The logic trains contain solid state matrix elements that output to the RTS and/or ESFAS when a prescribed number of channels indicate an out of tolerance condition.

The input detectors, amplifiers and bistables are powered from uninterruptible power supplies (UPS) and fail safe on loss of power. The input relays are energized by the bistable and actuate on loss of power (except the containment spray actuation relays, which energize to actuate). The matrix elements are powered from two 15v DC power sources. The two power supplies are auctioneered so that the highest 15v supply actually supplies the load. The two DC power supplies are powered from instrument buses 1A and 1C for Train A, and 1B and 1D for Train B.

The SSPS receives signals from the following systems:

1) Nuclear Instrumentation
2) Primary Coolant
3) Pressurizer
4) Steam Generator
5) Containment
6) Main Steam.

The detectors, analog racks and logic rack have the capability of being tested during power operation.

The ESFAS contains master relays, slave relays and interconnecting cables. The master relays receive the signals from the SSPS logic trains and distribute them to the appropriate slave relays. The slave relays provide contact multiplication and supply the appropriate signals to proper components needed for transient response. The ESFAS actuates components in the following systems:

1) Safety Injection
2) Residual Heat Removal
3) Chemical and Volume Control
4) Emergency Feedwater
5) Containment Building Spray
6) Main Steam
7) Main Feedwater
8) Turbine Generator
9) Enclosure Air Handling
10) Service Water
11) Primary Component Cooling
12) Emergency Diesel Generators
13) Containment Ventilation
14) Containment Isolation
15) Control Ventilation

Two 48v DC power supplies in the logic racks provide the trip and actuation signals to each train of the ESFAS master relays. The slave relays route 120v instrument power to the ESF loads. The ESFAS Train A is powered from instrument bus 1A and Train B from bus 1B. The ESFAS relays will fail to transmit the actuation signal on loss of power. This system has the capability of being tested during power operation.

The SSPSA does not provide an adequate description of the SSPS and ESFAS systems. In particular, there is no detailed discussion of the power supplies to the various components. In addition, there are some errors in the descriptions given.

There is no discussion of the power supplies to the relays that provide the input signals to the matrix elements of the SSPS. A review of the system description (Reactor Protection System, H0-RPS, Rev. 0, 08/82) indicates that these relays are continuously powered with 120v AC from the bistables in the detection channels and de-energize to provide the trip signal to the matrix elements. An exception to this arrangement is the containment spray actuation input relays that energize to actuate. This arrangement is typical of other Westinghouse reactor protection system (RPS) detection channels.

Section D.6.1.3.2.2, Solid State Logic Protection System, of the SSPSA is somewhat ambiguous on the power supply arrangement of the SSPS. This section states that the output relays are disabled on loss of power. However, since the output relays from the matrix elements are the ESFAS master relays, this statement indicates that the "output" relays are from the detection channels. The relays in the detection channels provide a trip on loss of power.

The SSPSA does not provide an adequate description of the power supplies to the SSPS matrix elements. The RBD (Figures 7.6-3 and D.6-5) shows two DC power supplies, each being supplied from two vital instrument buses, Train A from PP-1A and PP-10, and Train B from PP-1D and PP-1A. A review of the data used to quantify this supercomponent block indicates that these power supplies are 24v DC. The system description, however, indicates that each train of the SSPS is supplied with power from two 15v DC and two 48v DC supplies. One 15v and 48v supply is powered from vital instrument bus PP-1A and the other from bus PP-1C for SSPS Train A, and for SSPS Train B the DC power is supplied from vital instrument buses PP-1B and PP-1D. The system description is not completely definitive on which pair of DC supplies actually powers the matrix elements other than stating "each produces 15 vdc for the system electronics and 48 vdc for the trip and actuation output signal". This statement implies that the matrix elements are powered from the 15 vdc supplies. Since power to each train's matrix elements is auctioneered from the two power supplies, a malfunction of a single 15/48 supply will not de-energize that logic train.

Also indicated on the SSPS RBD is that the 120v AC vital instrument panels are powered from a 120v AC and 120v DC power source. This arrangement is not accurate. The vital instrument buses are powered from uninterruptible power supplies that derive their power from a 480v AC motor control center (MCC) and a 120v DC bus. The battery chargers for the associated DC bus are also powered from the same 480v MCC.

The SSPSA discussion of the ESFAS power supplies is not adequate. From the discussion above, it would seem that the ESFAS master relays are powered from the 48v DC power supplies contained in the logic racks. This may be why the ESFAS RBD (Figure 7.6-4) indicates primary and backup power supplies for each train. The system description does not indicate whether the master relays are AC or DC. The slave relays in each train, however, are AC powered from a single instrument bus, Train A from bus PP-1A and Train B from bus PP-1B. Both the master and slave relays fail to transmit a signal on loss of power.

3.4.5.2 SYSTEM MODEL

The RTS, and each train of the SSPS and ESFAS, are considered as top events in the auxiliary system event tree. Three reliability block diagrams (RBDs) were used to model these systems. Two additional RBDs were used to model supercomponent blocks within the main RBDs. The main RBDs were used to derive several failure expressions dependent on the initiating event for which these systems were questioned.

The RTS is required to perform identically for all initiating events. Failure of the RTS is defined as failure of the reactor trip breakers to interrupt power to the CRDMs or failure of two or more control rod assemblies to fall into the core. Manual activation of a reactor trip was not considered in this portion of the analysis. The RTS was analyzed for the following boundary conditions:

1) RT(1) - Actuation signals from both SSPS trains are present.
2) RT(2) - An actuation signal from a single SSPS train is present.

3) RT(3) - No actuation signal is required (loss of offsite power).

The unavailability of the RTS due to testing was included in the analysis. This analysis considered a 30 minute test on one train being performed once a month. The unavailability of the RTS during maintenance or for human errors performed during testing and maintenance was not analyzed. Common cause failure of the reactor trip breakers was evaluated using a beta factor of 0.110.

The unavailabilities presented in the SSPSA for the RTS are presented here in Table 3.4.5-1. Also given in this table are the point estimates we calculated using their data (from SSPSA Table D.6-5) and failure expressions for comparison.

The requirements of the SSPS are dependent on the specific top event for which the system must respond. The main SSPS reliability block diagram was used to develop failure expressions for the various top events under the following boundary conditions:

SSPS(1). All support systems available (vital instrument power).
SSPS(2). Loss of a single support system train (AC power train).

Two failure expressions were developed for 5 sets of top events. The actions of the SSPS required for the top events along with the signals needed to generate a SSPS response are given below:

EVENT: Large/Medium LOCA/Steam Line Break Inside Containment
SIGNALS: 2/4 low pressurizer pressure; 2/3 Hi-1 containment pressure; 2/3 Hi-2 containment pressure; 2/4 Hi-3 containment pressure; 2/3 Hi-2 containment pressure; 2/3 high steam line pressure rate
REQUIREMENTS: Generate S and P signals. For steam line break, a steam line isolation signal.

EVENT: Small LOCA
SIGNALS: 2/4 low pressurizer pressure; 2/3 Hi-1 containment pressure
REQUIREMENTS: Generate an S signal.

EVENT: SGTR
SIGNALS: 2/4 low pressurizer pressure
REQUIREMENTS: Generate an S signal.

EVENT: Steam Line Break Outside Containment
SIGNALS: 2/3 low steam line pressure; 2/3 high steam line pressure rate; 2/4 low pressurizer pressure
REQUIREMENTS: Generate an S signal and a steam line isolation signal.

EVENT: Transient
SIGNALS: 2/4 low-low steam generator level
REQUIREMENTS: Generate an emergency feedwater actuation signal.

Failure of the SSPS is defined as failure to generate all of the required signals, as given above, for the specific initiating event.

The unavailability of the SSPS due to test and inspection, maintenance, and human errors during testing was included in the analysis. Detector channel testing was not considered to contribute to the system unavailability because the channels trip during testing. The analysis of the solid state matrix elements considered them being tested for an average of 27 minutes a month. The maintenance interval of a logic channel was stated to be 39 years and the mean duration of maintenance was 3.55 hours. Human errors performed during maintenance were not considered to contribute to the unavailability.

The common cause contribution to the SSPS logic channels unavailability was considered insignificant in comparison to the common cause instrument miscalibration unavailability determined during the testing analysis and therefore was not analyzed in the SSPSA.

The RBD model of the parameter channel (PC1a, etc.) supercomponent blocks (Figure D.6-7) does not accurately represent the system failure. This model, as configured, incorrectly indicates that each SSPS train receives signals from a redundant pair of relays that are tripped by a single detector channel. Each detector channel actually feeds both trains of the matrix elements through an associated input relay, not a pair of relays. Therefore, the quantification of the parameter channel RBD underestimates the contribution to system failure due to the relays. This RBD should only consider the sensor, amplifier and bistable associated with each detector channel. The relays should be considered separately, as indicated on the main SSPS RBD. In addition, the relationship of the inverter blocks to the detector channels shown on the RBD is incorrect. The detector channels will trip on loss of power. There should be 2 redundant inverter blocks that power each train of the SSPS logic channels.

During our review of the SSPS quantification of the parameter channel failure equations, we observed that data listed in the SSPSA Table D.6-5 for the signal modifier was used for the AMP component block. While there is no problem with the data used, there is no mention in the text that this substitution was made.

We have corrected the above mentioned discrepancies in the model and requantified the system hardware failures using point estimate values and hand calculations. This reanalysis includes the independence of the input relays and the redundancy of the logic channel DC power supplies, and their sources, the inverters. The revised system unavailabilities are presented in Table 3.4.5-1 along with the SSPSA reported values and point estimates calculated using their models and equations.

The analysis of the ESFAS system included consideration of failure of the 14 master relays and the 36 slave relays in each train. The failure criterion for this system is failure to process any input signal from the SSPS and actuate the required equipment for accident mitigation. The ESFAS was analyzed for two boundary conditions:

ESFAS(1). Actuation signals from both SSPS trains are present with all support systems available.
ESFAS(2). Loss of a single SSPS actuation signal.

The ESFAS analysis was performed for the 4 sets of top events given below along with their actuation functions:

EVENT: Large/Medium LOCA/Steam Line Break Inside Containment
FUNCTIONS: Main Feedwater Isolation (S signal); Emergency Feedwater (S signal); Safety Injection (S signal); Emergency Diesel Startup (S signal); Containment Ventilation Isolation (S signal); Containment Isolation Phase A (S signal); Containment Isolation Phase B (P signal); Containment Spray (P signal)

EVENT: Small LOCA/SGTR
FUNCTIONS (all S signals): Main Feedwater Isolation; Emergency Feedwater; Safety Injection; Emergency Diesel Startup; Containment Ventilation Isolation; Containment Isolation Phase A

EVENT: Steam Line Break Outside Containment
FUNCTIONS: Same as Small LOCA/SGTR with addition of Main Steam Line Isolation

EVENT: Transient
FUNCTIONS: Emergency Feedwater Actuation

The unavailability of the ESFAS due to testing, inspection and human errors performed during maintenance was not included in the SSPSA analysis. However, the unavailability of this system due to maintenance and common cause failure was analyzed. The mean duration of maintenance for an ESFAS channel was 14.5 hours and the maintenance interval was 5.44 years. The generic beta factor of 0.125 was used to quantify the unavailability due to common cause failures of the ESFAS relays.

During our review of the ESFAS failure equations derived for the various initiating events and boundary conditions we discovered that the power supplies to the slave relays were not properly included. The SSPSA indicates that these power supplies are accounted for in the SSPS analysis, but their accounting is not correct. The failure of a single power supply will not disable the matrix elements, but it could render the slave relays incapable of transmitting the ESF signals. For boundary condition ESFAS(1), the failure of both instrument buses (1A and 1B) will result in no signals to the ESF equipment. For boundary condition ESFAS(2), the failure of a single instrument bus will fail the system. The power supplies to the master relays are accounted for in the SSPS analysis since failure of the two instrument buses to each train will also fail the master relays, assuming they are DC powered.

We included the additional term in the ESFAS failure equations and requantified the system unavailabilities. The revised unavailabilities for the ESFAS are given in Table 3.4.5-1 along with the values reported in the SSPSA and the point estimates we calculated using their equations and data for comparison.

3.4.5.3 COMMENTS

The SSPSA analysis of the Reactor Trip System is valid, accurate and complete. The dominant contributor to the RTS system unavailability is the common cause failure of the trip breaker to open, resulting in the lead screw remaining engaged on the control rod cluster assemblies.

The analysis of the Solid State Protection System and the Engineered Safety Features Actuation System, however, contained many discrepancies concerned with the actual configuration and operation of these systems. The system descriptions given in the SSPSA did not indicate a good understanding of the workings of these systems. The system models did not accurately represent all of the possible system failures.

We reworked their models and derived revised point estimates of the hardware unavailabilities using hand calculations. The results of our analysis are given in Table 3.4.5-1 along with the results of hand calculations using their models and point estimate values. A comparison of the point estimates we derived from their models to the point estimates for the revised models given in this table indicates large differences in the SSPS analyses, and insignificant differences in the ESFAS analyses. The main contributor to the differences in the SSPS analyses is the fact that the matrix elements are powered from two redundant sources that receive power from two separate instrument buses. The contribution to the SSPS unavailability due to the independence of the input relays was insignificant due to the 2/4 and 3/4 logic trip requirements. Our revised point estimate of the SSPS has been combined with the other contributors (testing, maintenance, etc.) to system unavailability and presented in Table 3.4.5-2 along with an indication of the dominant contributor. Also given in this table are the combinations of the hand calculated point estimates using their models and the other contributors.

Inspection of Table 3.4.5-2 indicates that for the SLOCA, SLBI and SLBO initiating events with all support systems available, our revised point estimates of the SSPS system unavailability are an order of magnitude smaller than the point estimates calculated using their models. This difference is due to these cases being dominated by hardware failures. The differences in the other cases are small since they are dominated by either human errors performed during testing and maintenance or the system being unavailable due to testing.

The 43 top event sequences that contribute to core melt were reviewed to determine if this decrease in SSPS unavailability would affect the core melt frequency. There is only one non-seismic event sequence that involves the SSPS system in this list. This sequence is an ATWS initiated by a loss of main feedwater with failure of both trains of the SSPS. Since the differences in the SSPS unavailabilities for the transient initiating events are small, this cursory analysis indicates that the core melt frequency will not be affected by the errors contained in the SSPS analysis.

In addition, each plant damage state was reviewed for dominant non-seismic sequences containing SSPS failures. The only plant damage state that contains these failures is 3D (early high pressure core melt with no RWST injection and no containment heat or fission product removal). Three sequences were identified: RT (Reactor Trip), ATT (ATWS initiated by a Turbine Trip) and ALOMF (ATWS initiated by loss of main feedwater, identified above). Since all these sequences are transient initiated, discrepancies in the SSPS hardware unavailability should not have a significant effect. We, however, feel that a complete reanalysis using revised unavailabilities for the SSPS and ESFAS should be performed to ultimately determine the effect on core melt frequency and plant damage states.

TABLE 3.4.5-1

REACTOR PROTECTION SYSTEM MEAN UNAVAILABILITIES

RTS
         RT(1)     3.89-5   3.24-6   ----     ----     5.10-4   5.55-4   2.71-5   ----
         RT(2)     4.67-3   ----     ----     ----     ----     4.67-3   4.67-3   ----
         RT(3)     5.43-6   ----     ----     ----     ----     5.43-6   5.43-6   ----

SSPS
LLOCA    SSPS(1)   8.21-7   3.66-9   1.77-9   3.94-4   ----     3.95-4   1.78-7   7.29-9
MLOCA    SSPS(2)   4.24-4   6.25-4   1.04-5   3.94-4   ----     1.45-3   5.22-4   8.54-5
SLOCA    SSPS      8.50-7   3.66-9   1.77-9   6.61-12  ----     8.54-7   1.78-7   7.29-9
         SSPS      5.21-4   6.25-4   1.04-5   6.61-12  ----     1.16-3   5.22-4   8.54-5
SGTR     SSPS(1)   8.50-7   3.66-9   1.77-9   2.07-6   ----     2.92-6   1.78-7   7.29-9
         SSPS(2)   5.21-4   6.25-4   1.04-5   2.07-6   ----     1.16-3   5.22-4   8.54-5
SLBI     SSPS(1)   8.21-7   3.66-7   1.77-9   3.94-4   ----     3.95-4   1.78-7   3.24-8
         SSPS(2)   4.24-4   6.25-4   1.04-5   3.94-4   ----     1.45-3   5.22-4   8.56-5
SLBO     SSPS      8.50-7   3.66-9   1.77-9   6.61-12  ----     8.54-7   1.78-7   7.29-9
         SSPS      5.21-4   6.25-4   1.04-5   6.61-12  ----     1.16-3   5.22-4   8.54-5
TRANS    SSPS      8.50-7   3.66-9   1.77-9   2.07-6   ----     2.92-6   1.78-7   7.29-9
         SSPS      5.21-4   6.25-4   1.04-5   2.07-6   ----     1.16-3   5.22-4   8.54-5

ESFAS
LLOCA    ESFAS(1)  4.05-5   ----     6.91-6   ----     6.63-5   1.14-4   1.39-5   1.39-5
MLOCA    ESFAS(2)  1.13-2   ----     3.04-4   ----     ----     1.16-2   1.13-2   1.14-2
SLOCA    ESFAS(1)  3.43-5   ----     5.49-6   ----     6.78-5   1.07-4   1.11-5   1.11-5
         ESFAS(2)  8.92-3   ----     3.04-4   ----     ----     9.34-3   8.92-3   9.01-3
SGTR     ESFAS(1)  3.43-5   ----     5.49-6   ----     6.78-5   1.07-4   1.11-5   1.11-5
         ESFAS(2)  8.92-3   ----     3.04-4   ----     ----     9.34-3   8.92-3   9.01-3
SLBI     ESFAS(1)  4.20-5   ----     7.35-6   ----     6.51-5   1.14-4   1.46-5   1.46-5
         ESFAS(2)  1.21-2   ----     3.04-4   ----     ----     1.21-2   1.21-2   1.22-2
SLBO     ESFAS(1)  3.63-5   ----     5.94-6   ----     6.62-5   1.08-4   1.18-5   1.18-5
         ESFAS(2)  9.65-3   ----     3.04-4   ----     ----     9.95-3   9.64-3   9.73-3
TRANS    ESFAS     1.89-6   ----     3.29-7   ----     6.05-5   6.30-5   6.90-7   6.97-7
         ESFAS     9.65-4   ----     3.04-4   ----     ----     1.27-3   9.64-3   9.73-3

Table 3.4.5-2

SSPS TOTAL POINT ESTIMATE UNAVAILABILITIES

INITIATING   BOUNDARY     SSPSA POINT   REVISED POINT   DOMINANT
EVENT        CONDITION    ESTIMATES     ESTIMATES       CONTRIBUTOR

LLOCA        SSPS(1)      3.94-4        3.94-4          Human Error
MLOCA        SSPS(2)      1.55-3        1.11-3          Testing
SLOCA        SSPS(1)      1.83-7        1.27-8          Hardware
             SSPS(2)      1.16-3        7.21-4          Testing
SGTR         SSPS(1)      2.25-6        2.08-6          Human Error
             SSPS(2)      1.16-3        7.23-4          Testing
SLBI         SSPS(1)      3.95-4        3.94-4          Human Error
             SSPS(2)      1.55-3        1.12-3          Testing
SLBO         SSPS(1)      1.83-7        1.27-8          Hardware
             SSPS(2)      1.18-3        7.21-4          Testing
TRANS        SSPS(1)      2.25-6        2.08-6          Human Error
             SSPS(2)      1.16-3        7.23-4          Testing

3.4.6 CONTAINMENT ENCLOSURE AIR HANDLING SYSTEM

3.4.6.1 SYSTEM DESCRIPTION

For the purposes of this study, the containment enclosure air handling system (EAH) consists of the containment enclosure cooling system and the containment enclosure emergency air cleaning system (CEEACS).

The containment enclosure cooling system provides cooled recirculated air to maintain room air temperatures no greater than 148°F for continuous operation of equipment during accident conditions. The equipment areas cooled include charging pump areas, safety injection pump areas, residual heat removal and containment spray equipment vaults, and the containment structure annular enclosure area. The system consists of two redundant trains, each having supply and return fans, a return damper, inboard and outboard isolation dampers, and a cooler unit supplied by a train of primary component cooling water. One train of the containment enclosure cooling system operates continuously while the other train serves as a backup. The system is isolated from the primary auxiliary building on a T signal.

The CEEACS maintains a negative pressure within the containment enclosure during emergency conditions, removes and retains airborne particulates and radioactive iodine, and exhausts filtered air to the unit plant vent. It consists of two redundant trains, each having an exhaust fan and a filter unit. During normal operation the system is in standby. Both trains are automatically started on a T signal.

3.4.6.2 SYSTEM ANALYSIS

The fundamental assumption in this SSPSA analysis is the following.

       "Failure of the containment enclosure cooling system to operate for 24 hours is assumed to cause the long term failure of the components listed in Section D.7.1.1 of this analysis. The requirement for ventilation can be evaluated later if this requirement is a major contributor to system unavailability."

Six cases are evaluated for CECS unavailability, and two cases for CEEACS unavailability.

  • Boundary Condition 1A : All support systems available.

EAH-1A = 1.89E-5. Hardware (PAH to EAH isolation dampers) contributes 89%, maintenance 11%.

EAH-6 = 1.33E-5. Maintenance (one CEEACS filter unit) contributes 76%, hardware 24%.

  • Boundary Condition 1B : Loss of offsite power, all support systems available.

EAH-1B = 1.47E-4. Common cause (starting of fan units) contributes 77%, hardware 15%, and maintenance 8%.

  • Boundary Condition 2 : One ESF bus and one T signal available.

EAH-7 = 4.88E-3. Maintenance (one CEEACS filter unit) contributes 70%, hardware 30%.

  • Boundary Condition 2A : Loss of one T signal, offsite power available.

EAH-2A = 8.20E-4. Hardware (failure of a single PAH to EAH isolation damper) dominates maintenance.

  • Boundary Condition 2B : Loss of one PCC train, offsite power available.

EAH-2B = 7.58E-3. Maintenance (standby fan train) contributes 67%, hardware 33%.

  • Boundary Condition 2C : Loss of one PCC train and one T signal, offsite power available.

EAH-2C = 8.38E-3. Maintenance (standby fan train) contributes 61%, hardware 39%.

  • Boundary Condition 2D : Loss of offsite power and one PCC train, or loss of one ESF bus.

EAH-2D = 7.58E-3. Same result as case 2B.

3.4.6.3 COMMENTS

There are questions and inconsistencies in the quantification of blocks C and C' in the equations for EAH. From SSPSA Table D.7-5 on page D.7-28, block C consists of the 4 normally open PAH isolation dampers, 2 normally closed isolation dampers, and 12 normally open fire dampers. The isolation damper failure mode is failure to transfer to the failed position. Block C' consists of exactly the same components with the same failure modes and unavailabilities. However, the total unavailability for block C is 1.53E-5 while block C' is 1.34E-5. No explanation is provided for this apparent discrepancy.

In the equations for EAH unavailability, block C is used when offsite power is available, and block C' is used when offsite power is unavailable. However, the dampers function the same under either condition. All six isolation dampers change position on either a T signal (offsite power available) or on loss of instrument air caused by loss of offsite power.

This interpretation is drawn from the following statements. From page D.7-3: "The pneumatic dampers require compressed air for normal function. Each pneumatic damper moves (on loss of instrument air) to a position which does not interfere with the function of its system during emergency operations." From page D.7-7: "Failure to isolate the containment enclosure area cooling from the auxiliary building air handling system has been defined for this analysis as a failure of two isolation dampers (one supply and one exhaust damper) to shut following a T signal actuation or loss of the respective ESF bus."

Since blocks C and C' appear to be identical, there is no reason to distinguish between them in the unavailability logic equations. Since no explanation is given as to how these blocks were quantified, we cannot check their differing total unavailabilities. However, errors in block C or C' could affect the results for case 1A, where block C contributes 93% of hardware unavailability, and case 1B, where block C' contributes 62% of hardware unavailability. We can define block C failure as:

(PAH-DP-35A * PAH-DP-35B) + (PAH-DP-36A * PAH-DP-36B) + (EAH-DP-37A * EAH-DP-37B) + 12 * fire damper failure rate

that is, 2 of 2 supply dampers fail or 2 of 2 exhaust dampers fail or 2 of 2 charging pump exhaust dampers fail or 1 of 12 fire dampers fails. Using the mean unavailabilities as a point estimate we obtain the unavailability for block C as 1.23E-5. Requantifying cases 1A and 1B with this value for block C gives hardware unavailabilities of 1.35E-5 (reduced by 18%) and 1.84E-5 (reduced by 15%) respectively.

No further mention is made regarding the fundamental assumption about the need for ventilation. No explanations are given disputing the significance of ventilation as a contributor to the unavailabilities of other systems such as emergency core cooling. Therefore we believe an analysis is needed to establish the validity of the ventilation assumption.
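The block C failure expression from the comments above, evaluated as an added Python example (not part of the SSPSA or of this review): it lists the minimal cut sets, compares the rare-event sum with the exact union probability, and ranks the contributors. The component unavailabilities are constructed placeholders because the page does not list them, so the totals do not reproduce 1.23E-5; applying the 0.125 beta factor quoted for the ESFAS relays to the damper pairs is likewise an assumption made only to show the sensitivity.

```python
"""Block C unavailability from its minimal cut sets (added example)."""
from math import expm1, log1p

# Constructed point-estimate unavailabilities (assumptions, not SSPSA data).
ISOLATION_DAMPER_Q = 1.0e-3   # one isolation damper fails to transfer
FIRE_DAMPER_Q = 5.0e-7        # one fire damper fails
N_FIRE_DAMPERS = 12
FIRE_GROUP = "fire dampers (1 of 12)"


def pair_unavailability(q, beta=0.0):
    """Probability that both dampers of a redundant pair fail.

    beta = 0 gives the independent product q*q used in the block C
    expression. beta > 0 applies the beta-factor model: a fraction beta of
    each damper's unavailability is a shared cause that fails both at once.
    """
    independent = (1.0 - beta) * q
    return independent * independent + beta * q


def block_c_cut_sets(iso_q=ISOLATION_DAMPER_Q, fire_q=FIRE_DAMPER_Q, beta=0.0):
    """Return [(group, probability)] for every minimal cut set of block C."""
    pair = pair_unavailability(iso_q, beta)
    cut_sets = [
        ("PAH-DP-35A * PAH-DP-35B", pair),
        ("PAH-DP-36A * PAH-DP-36B", pair),
        ("EAH-DP-37A * EAH-DP-37B", pair),
    ]
    # Any single fire damper failing is a cut set on its own.
    cut_sets += [(FIRE_GROUP, fire_q)] * N_FIRE_DAMPERS
    return cut_sets


def rare_event_sum(cut_sets):
    """Sum of cut set probabilities: the form written in the text."""
    return sum(p for _, p in cut_sets)


def exact_union(cut_sets):
    """Exact probability that at least one cut set occurs.

    Valid here because no component appears in two cut sets, so the cut
    sets are independent. log1p/expm1 keep precision at these magnitudes.
    """
    return -expm1(sum(log1p(-p) for _, p in cut_sets))


def contributions(cut_sets):
    """Fraction of the rare-event total per group, largest first."""
    total = rare_event_sum(cut_sets)
    grouped = {}
    for group, p in cut_sets:
        grouped[group] = grouped.get(group, 0.0) + p
    return sorted(((g, p / total) for g, p in grouped.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for beta in (0.0, 0.125):
        sets = block_c_cut_sets(beta=beta)
        print(f"beta={beta}: sum={rare_event_sum(sets):.3e} "
              f"exact={exact_union(sets):.3e}")
        for group, share in contributions(sets):
            print(f"    {share:6.1%}  {group}")
```

With these placeholder values the twelve single fire dampers outweigh the three damper pairs when the pairs are treated as independent, and the ranking reverses once a common cause term is included.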

3.4.7 EMERGENCY CORE COOLING SYSTEM

3.4.7.1 SYSTEM DESCRIPTION

The emergency core cooling system (ECCS) is designed to remove stored and fission product decay heat from the reactor core during accidents and transients. The ECCS consists of the Safety Injection (SI) system, Accumulators, the Residual Heat Removal (RHR) system and a portion of the Chemical and Volume Control System (CVCS). Each of these systems has a particular operating pressure and flow rate characteristic that requires its use for specific accidents or accident phases.

The SI system consists of two independent trains that take suction from the refueling water storage tank (RWST) during injection and the containment recirculation sumps (CRS) during recirculation (in conjunction with an RHR pump). Each SI train consists of a centrifugal pump, valves and interconnecting piping. The discharge of both SI trains join a single valved header before connecting to the four RHR injection lines on the cold legs of the reactor leg injection, SI train A discharges to reactor coolant loops 1 and 4 and train B to loops 2 and 3.

Both SI pumps are motor-driven and each is powered from a separate 4160v emergency bus. The design pressure of each pump is 1750 psi with a shutoff discharge pressure of 1537 psi. The designed flow rate is 425 gpm at 1170 psi and the maximum flow rate is 650 gpm at 715 psi. Each pump discharge line is provided with a miniflow recirculation line that joins a common header leading to the RWST. Lube oil cooling for each pump is provided by the containment enclosure cooling system.

The SI system is normally aligned to take suction from the RWST and discharge to the RCS cold legs. For this alignment, all valves in each train are normally open while check valves prevent backflow from the RCS. When an accident condition is detected, the ESFAS provides signals to start the SI pumps and confirm the valve alignment for cold leg injection.

Each of the four accumulators contains 850 cubic feet of borated water at a pressure of 650 psi. During an accident, each accumulator injects into a separate RCS cold leg when the primary system pressure drops below the tank pressure. Each injection line is provided with a motor operated valve (MOV) to isolate the associated accumulator during normal plant cooldown.

The RHR system consists of two separate trains that have the same suction sources as the SI system during both injection and recirculation. The two RHR suction lines from the RWST also supply the containment building spray pumps. Each RHR train contains a centrifugal pump, a heat exchanger, valves and interconnecting piping. During normal plant operation, the RHR system is in standby and aligned to take suction from the RWST and inject into all four RCS cold legs. Flow through each RHR heat exchanger is controlled by a normally closed air operated valve located on the heat exchanger bypass line. On the outlet of each heat exchanger is a normally open air operated flow control valve. A miniflow bypass line for each train is provided to protect the pumps. Valves on these lines open when the flow on the main line is less than 500 gpm and close when the main line flow is above 1000 gpm. A cross-connection line allows flow transfer between the two trains through two normally open MOVs.

During the recirculation mode, the RHR pumps take suction from the CRSs through two normally closed MOVs. For cold leg recirculation, coolant is supplied to the RCS through the same piping configuration used for cold leg injection. For hot leg recirculation, coolant is supplied to the RCS hot legs 1 and 4. For high pressure recirculation, the RHR pumps are required to supply coolant to the intakes of the SI and Charging pumps. For normal plant cooldown, the RHR pumps can take suction from the two RCS hot legs and discharge through the heat exchangers back to the RCS cold legs. This normal RHR shutdown cooling mode is used to provide long term ECCS cooling.

Both RHR pumps are motor-driven and each is powered from a separate 4160v emergency bus. The design pressure of each pump is 600 psi with a shutoff discharge head of 195 psi. The design flow rate is 3000 gpm at 163 psi and the maximum flow rate is 4500 gpm at 141 psi. Each pump's mechanical seals and associated train heat exchanger are cooled by a separate PCCS train. The pump seals and the heat exchangers only need cooling during the recirculation mode of operation. During periods of miniflow recirculation, cooling to the heat exchanger must be provided.

When an accident situation is detected, the ESFAS provides signals to start the RHR pumps and align the system for cold leg injection. When a RWST low-low level signal occurs, the ESFAS provides the signals for switchover from the injection mode to the recirculation mode. Manual actions are required to align the RHR pumps' discharge to the SI and Charging pumps' intake for high pressure recirculation.

The portion of the CVCS that operates as part of the ECCS consists of two independent pump trains and a common boron injection tank (BIT). Each pump train takes suction from the RWST during injection and consists of a centrifugal pump, valves and interconnecting piping. The discharge of each train joins a common header that leads to the BIT and a valved bypass line. The BIT is provided with a recirculation system that consists of isolation valves, two recirculation pumps and a surge tank. The discharge of the BIT and the bypass line join a common header before branching to the four RCS cold legs. During high pressure recirculation, the centrifugal charging pumps take suction from the CRSs in conjunction with the RHR pumps.

Both centrifugal charging pumps are motor-driven and each is powered from a separate 4160v emergency bus. The design pressure for each centrifugal charging pump is 2800 psi with a shut-off pressure of 2684 psi. The design flow rate is 150 gpm at 2514 psi and the maximum flow rate is 550 gpm at 607 psi. A miniflow recirculation line is provided for each pump's protection; it diverts flow from the pump's discharge through the seal water heat exchanger and back to the pump's suction. Cooling for each pump's lube oil cooler is provided by a separate PCCS train. The seal water heat exchanger is cooled by train A of the PCCS. Each centrifugal pump room is cooled by the containment enclosure cooling system.

The BIT contains a usable solution volume of 900 gallons with a nominal boric acid concentration of 21,000 ppm. The BIT recirculation system in conjunction with 12 strip heaters prevents boric acid stratification and settling. The recirculation path is isolated on receipt of a safety injection signal.

During normal plant operation, the two centrifugal charging pumps are in standby and aligned to take suction from the volume control tank (VCT) and deliver flow to the normal charging path. A normally running positive displacement charging pump provides the normal charging flow and reactor coolant pump seal water injection. The standby charging pumps are automatically started and controlled by the pressurizer level control system if the positive displacement charging pump cannot maintain the proper level. The positive displacement charging pump is powered by a non-emergency electrical bus.

When an accident situation is detected, the ESFAS sends signals to start the centrifugal charging pumps, isolate the VCT and normal charging path, open the normally closed suction valves from the RWST and align the BIT for injection to the RCS cold legs. Reactor coolant pump seal water injection is maintained during this realignment and provided by the three charging pumps. When a low-low RWST level signal in conjunction with a safety injection signal is present, the BIT bypass line begins opening. When the bypass line is fully open the BIT is isolated. Switchover to containment sump recirculation requires manual alignment of the RHR pumps to the charging pumps' intake piping.

The RWST is the main source of injection and makeup water to the reactor core while the containment recirculation sumps provide a source for coolant recirculation. The RWST contains a minimum of 450,000 gallons of borated water. The two containment sumps receive their coolant from pipe breaks, sprays, etc. inside containment. Each sump has a normally closed "canned" outlet MOV located in the piping tunnel that is opened upon receipt of a low-low RWST level signal in conjunction with an SI signal.

3.4.7.2 SYSTEM MODEL

The ECCS appears as several top events in all of the initiating event trees. These event trees ask for the unavailability of the different functions the ECCS is designed to perform. Therefore, the ECCS is not analyzed as an integrated system but rather as different configurations performing required functions for a particular initiating event. The event tree top events for the ECCS are given below:

RW - Refueling Water Storage Tank
HP - High Pressure Injection (SI and CVCS)
RA - RWST Train A isolation valve
RB - RWST Train B isolation valve
L1 - RHR miniflow recirculation train A
L2 - RHR miniflow recirculation train B
LR - RHR Shutdown Cooling
LA - Low Pressure Injection Train A
LB - Low Pressure Injection Train B
CSA - Recirculation Sump and Switchover Train A
CSB - Recirculation Sump and Switchover Train B
PA - Low Pressure Recirculation Train A without RHR Heat Exchanger
PB - Low Pressure Recirculation Train B without RHR Heat Exchanger
HA - Low Pressure Recirculation Train A with RHR Heat Exchanger
HB - Low Pressure Recirculation Train B with RHR Heat Exchanger
RC - High Pressure Recirculation
HE - Low Pressure Recirculation to RCS Hot Legs with RHR Heat Exchanger
HS - Low Pressure Recirculation to RCS Hot Legs with CBS Heat Exchanger
L5 - RHR Train A Operation for High Pressure Recirculation
L6 - RHR Train B Operation for High Pressure Recirculation

Logic models of the ECCS were developed for the different subsystems (or parts thereof) and combined into overall failure models for the event tree top events dependent upon the required ECCS function, boundary conditions and the particular initiating event. The success criteria of the ECCS for each initiating event are given in Table 3.4.7-1.

Reliability block diagrams were developed for the injection and recirculation modes of the SI, RHR and CVCS systems along with an RBD for the Accumulators. Added to these are models of the RWST, containment recirculation sumps and the RHR heat exchangers. These RBDs were then used to derive failure expressions for the 4 boundary conditions listed below:

1) Support system available for both trains,
2) Electrical power or actuation signal available to only one train,
3) Primary component cooling water available to only one train,
4) Only one containment recirculation sump or one RHR pump is available.

TABLE 3.4.7-1

ECCS SUCCESS CRITERIA AND MISSION TIMES

INITIATING   FUNCTIONAL   SUCCESS                                    MISSION
EVENT        MODE         CRITERIA                                   TIME

LLOCA        HPI          NONE
             LPI          1/2 RHR Pump to 2 RCS Cold Legs            1 Hour
                          and 3/4 Accumulators                       1 Hour
             LPR          1/2 RHR Pump to 2 RCS Cold Legs            23 Hours
             HLR          1/2 RHR Pump to 1 RCS Hot Leg              4 Hours

MLOCA        HPI          2/4 SI and CVCS Pumps to                   2 Hours
                          2 RCS Cold Legs
             LPI          1/2 RHR Pump to 2 RCS Cold Legs            2 Hours
             LPR          1/2 RHR Pump to 2 RCS Cold Legs            22 Hours

SLOCA/       HPI          1/4 SI and CVCS Pumps to                   6 Hours
TRANSIENT                 2 RCS Cold Legs
             HPR          1/2 RHR and 1/4 SI and CVCS Pumps          18 Hours
                          to 2 RCS Cold Legs
             SHUTDOWN     1/2 RHR Pumps to 2 RCS Cold Legs           24 Hours
             COOLING

ATWS         HPI          1/2 CVCS Pumps to 2 RCS Cold Legs          2 Hours

note: HPI = high pressure injection
      HPR = high pressure recirculation
      LPI = low pressure injection
      LPR = low pressure recirculation
      HLR = hot leg recirculation

The failure expressions were then combined into overall failure equations for the event tree top events and quantified for unavailability due to hardware, test and maintenance, and common cause. The unavailability due to human errors performed during test and maintenance was considered for the HPI function since the SI pumps' manual discharge valves are closed during testing. The contribution to unavailability due to piping failures was analyzed using failure modes and effects analysis and was found to have a negligible effect.

The ECCS mean unavailabilities for the event tree top events are given in Table 3.4.7-2. Also given in this table are the dominant contributors to these unavailabilities. Inspection of this table indicates that hardware failures account for a large portion of the ECCS unavailability.

3.4.7.3 COMMENTS

The systems analysis performed for the various subsystems and functional combinations of the ECCS appears to be valid, accurate and complete. However, the many functional modes, boundary conditions and event tree top events, along with the lack of correspondence between numerical values presented in the systems analysis section and the event tree input coding tables, make the analysis difficult to follow.

We disagree with the high pressure injection success criteria used for the SLOCA/Transient initiating events. The criterion used in the SSPSA is 1 of the 4 SI and CVCS pumps delivering water to at least two cold legs for 6 hours. The SI pumps, however, will not be able to inject coolant into the RCS until the pressure drops below 1537 psi. For a SLOCA or Transient, it may take many hours for the RCS to reach this pressure without manual actions. Therefore, the high pressure injection criterion for this case should be 1 of 2 CVCS pumps delivering coolant to two RCS cold legs for 6 hours. Using this revised criterion and the SSPSA data produces point estimate hardware unavailabilities for the SLOCA/Transient HP top event as much as three orders of magnitude larger than the values reported in the SSPSA. A comparison of the point estimate unavailabilities for the SSPSA HP criterion and the revised criterion is given in Table 3.4.7-3.

Upon inspection of the top 43 sequences that contribute to the core melt frequency, the top event, HP, only appears with an unavailability of 1.0 (i.e., having failed due to a failure in a support system). Therefore, it does not appear that the discrepancy in the high pressure injection criteria for the SLOCA/Transient initiating event has any significant effect on the core melt frequency. An inspection of the top sequences for the release categories produced similar results.


Table 3.4.7-3

COMPARISON OF POINT ESTIMATE UNAVAILABILITIES FOR SLOCA/TRANSIENT HIGH PRESSURE INJECTION

BOUNDARY                  REVISED           SSPSA             SSPSA REPORTED
CONDITION                 POINT ESTIMATE    POINT ESTIMATE    MEAN UNAVAILABILITY

1           Hardware      7.15-4            4.58-7            4.88-7
            Total         7.16-4            1.00-6            1.03-6
2           Hardware      2.27-2            1.24-4            1.41-4
            Total         2.28-2            1.78-4            1.95-4
3           Hardware      4.78-3            2.87-5            4.56-5
            Total         4.80-3            4.72-5            6.41-5
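A check of the "three orders of magnitude" statement against Table 3.4.7-3, as an added Python example (not part of the SSPSA or of this review): it parses the tables' compact notation, in which 7.15-4 means 7.15E-4, rejects cells damaged in reproduction, and computes how many orders of magnitude each revised point estimate lies above the SSPSA point estimate. The cell values are copied from the table; the function names are this example's own.

```python
"""Parse the compact notation of Table 3.4.7-3 and compare the estimates."""
import math
import re

_VALUE = re.compile(r"^(\d+\.\d+)([+-])(\d{1,2})$")   # 7.15-4 means 7.15E-4
_PLACEHOLDER = re.compile(r"^-{2,}$")                  # ---- means no entry


def parse_cell(text):
    """Convert one table cell to a float.

    Returns None for a dash placeholder and raises ValueError for a cell
    that does not match the mantissa-sign-exponent form, so a damaged entry
    is never silently read as a number.
    """
    text = text.strip()
    if _PLACEHOLDER.match(text):
        return None
    match = _VALUE.match(text)
    if match is None:
        raise ValueError(f"unreadable table cell: {text!r}")
    mantissa, sign, exponent = match.groups()
    return float(f"{mantissa}e{sign}{exponent}")


def is_damaged(text):
    """True when a cell is neither a value nor a placeholder."""
    try:
        parse_cell(text)
    except ValueError:
        return True
    return False


# Rows of Table 3.4.7-3: (boundary condition, contributor, revised point
# estimate, SSPSA point estimate, SSPSA reported mean unavailability).
TABLE_3_4_7_3 = [
    (1, "Hardware", "7.15-4", "4.58-7", "4.88-7"),
    (1, "Total",    "7.16-4", "1.00-6", "1.03-6"),
    (2, "Hardware", "2.27-2", "1.24-4", "1.41-4"),
    (2, "Total",    "2.28-2", "1.78-4", "1.95-4"),
    (3, "Hardware", "4.78-3", "2.87-5", "4.56-5"),
    (3, "Total",    "4.80-3", "4.72-5", "6.41-5"),
]


def orders_of_magnitude(rows=TABLE_3_4_7_3):
    """Return {(bc, contributor): log10(revised / SSPSA point estimate)}."""
    result = {}
    for bc, contributor, revised, sspsa_point, _reported_mean in rows:
        ratio = parse_cell(revised) / parse_cell(sspsa_point)
        result[(bc, contributor)] = math.log10(ratio)
    return result


if __name__ == "__main__":
    for (bc, contributor), orders in orders_of_magnitude().items():
        print(f"BC {bc} {contributor:<8} revised is 10^{orders:.2f} "
              f"times the SSPSA point estimate")
```

Only the boundary condition 1 hardware estimate exceeds a factor of 1000; the other rows differ by a little over two orders of magnitude, consistent with the text's "as much as three".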


TABLE 3.4.7-2

ECCS MEAN UNAVAILABILITIES AND DOMINANT CONTRIBUTORS

TOP EVENT                            BC      LLOCA    DC     MLOCA    DC     SLOCA/     DC     ATWS     DC
                                                                             TRANSIENT

RW                                   1,2,3   2.66-8   HD     5.33-8   HD     1.60-7     HD     ---      --
HP                                   1       ---      --     2.43-5   HD     1.03-6     HD/CC  1.06-3   HD
                                     2       ---      --     3.21-2   HD     1.94-4     HD     2.52-3   HD
                                     3       ---      --     1.35-2   HD     6.41-5     HD     6.52-3   HD
RA,RB                                1,2,3   3.35-5   HD     3.36-5   HD     3.39-5     HD     ---      --
L1,L2                                1       ---      --     5.07-5   HD/CC  5.49-4     HD/CC  ---      --
                                     2,3     ---      --     1.49-2   HD     1.51-2     HD     ---      --
LR                                   1       ---      --     ---      --     6.21-4     CC     ---      --
                                     2       ---      --     ---      --     ---        --     ---      --
                                     3       ---      --     ---      --     1.12-2     HD     ---      --
LA,LB                                1,3     4.35-3   HD     ---      --     ---        --     ---      --
                                     E       1.23-2   HD     ---      --     ---        --     ---      --
LA,LB Single Train                   1,3     5.64-3   HD     ---      --     ---        --     ---      --
CSA,CSB                              1       2.25-4   CC     ---      --     2.19-4     CC     ---      --
                                     2,3     4.86-3   HD     ---      --     4.30-3     HD     ---      --
PA,PB                                1       2.21-4   CC     ---      --     1.71-4     CC     ---      --
                                     2,3     1.14-3   HD     ---      --     9.60-4     HD     ---      --
HA,HB                                1       2.19-4   CC     ---      --     ---        --     ---      --
                                     2,3     4.31-3   HD     ---      --     ---        --     ---      --
HE,HS                                1       7.51-7   HD     ---      --     ---        --     ---      --
                                     2,3     1.12-6   HD     ---      --     ---        --     ---      --
RC
  1 SI TRAIN                         1       ---      --     ---      --     2.54-8     CC     ---      --
  NO CVCS                            1       ---      --     ---      --     2.74-8     CC     ---      --
                                     2       ---      --     ---      --     1.18-6     HD     ---      --
                                     3       ---      --     ---      --     1.11-6     HD     ---      --
  TRAIN B CRS or RHR and SI TRAIN A  4       ---      --     ---      --     3.36-6     HD     ---      --
  SI TRAIN B                         4       ---      --     ---      --     2.86-8     CC     ---      --
  NO CVCS                            4       ---      --     ---      --     2.96-8     CC     ---      --
  TRAIN A CRS or RHR and 1 SI TRAIN  4       ---      --     ---      --     2.55-8     CC     ---      --
  NO CVCS                            4       ---      --     ---      --     2.44-8     CC     ---      --
L5,L6                                1       ---      --     ---      --     1.72-4     CC     ---      --
                                     2,3     ---      --     ---      --     1.07-3     HD     ---      --

note: BC = boundary condition
      DC = dominant contributor
      HD = hardware
      CC = common cause

3.4.8 EMERGENCY FEEDWATER SYSTEM

3.4.8.1 SYSTEM DESCRIPTION

The Emergency Feedwater (EFW) System provides for heat removal from the reactor coolant system (RCS) through the steam generators (SG) during emergency conditions when the main feedwater system is not available. The EFW system must be capable of reducing RCS pressure and temperature so that the RHR system can be used for decay heat removal and long term cooling.

The EFW system consists of two emergency feedwater pumps, the start-up feed pump (SFP) and associated valves and piping. One EFW pump is motor-driven and receives power from a 4160V emergency bus. The other EFW pump is turbine-driven with steam supplied from two of the four steam generators. The start-up feed pump is motor-driven with power from a non-emergency 4160V bus. All three pumps take suction from the condensate storage tank (CST). The capacity of the CST is 400,000 gallons, half of which is reserved for use by the EFW system.

Each EFW pump has sufficient capacity to supply 100% of the required flow for decay heat removal. Each pump is cooled by its discharge flow and contains a recirculation line to the opposite pump's suction to prevent pump runout. The start-up feed pump has twice the capacity of each EFW pump and its lube oil is cooled by the secondary component cooling (SCC) water system. The SFP has a recirculation path to the condensate storage tank.

During EFW system operation, both EFW pumps discharge into a common header which supplies four individual lines, one to each of the four steam generators. These lines join an associated main feedwater line downstream of the feedwater isolation valves. Each SG supply line is equipped with a stop-check valve, two normally open motor-operated valves in series, a manual, normally open isolation valve and flow limiting venturis. The SFP is normally aligned to the main feed lines upstream of the main feedwater heaters through a normally open, manual gear-operated valve. The SFP can be aligned to the EFW header through two normally closed, motor-operated valves.

The two EFW pumps will start automatically upon receipt of a loss of offsite power signal, a safety injection signal or a SG low-low level signal. The SFP will start automatically upon loss of both main feedwater pumps unless a safety injection, loss of offsite power, or high-high SG signal is present.

3.4.8.2 SYSTEM MODEL

The analysis of the emergency feedwater system is used for the event tree top event EF, emergency feedwater and steam relief. This top event appears in all the front-line system event trees except the Large LOCA tree. Two reliability block diagrams (RBDs) were used to model the failure of the EFW system. One RBD modeled the failure of the EFW pumps and their associated flow delivery system and the other RBD modeled the failure of the SFP and its associated system. The success criterion for the EFW system was defined as at least one pump delivering flow to at least two out of four steam generators for a period of 9 hours following accident initiation, except for some ATWS events. For these ATWS, it is necessary to achieve flow to all four steam generators. The mission time of 9 hours was used because, as stated in the SSPSA, this was sufficient time to cool down the RCS to allow RHR shutdown cooling.

The RBD for the EFW pumps was used to derive three unavailability expressions:

1) all support systems available, EFW (1),
2) the motor-driven pump is unavailable, EFW (2), and,
5) the turbine-driven pump is unavailable, EFW (5).

The RBD for the SFP was used to derive an unavailability equation for only item 1 above, SFP (1). For the ATWS event, the analysis considered failure of two additional flow paths from the EFW header to the SGs, EFW (6).

The system failure models, given above, were then combined with the failure of the condensate storage tank (CST) into EFW system failure models dependent on the initiation event and/or the auxiliary system state for which the event tree top event, EF, was questioned. The system configurations, accident situation, dominant contributor and unavailabilities presented in the SSPSA are given in Table 3.4.8-1 here.

The test and maintenance contribution to system unavailability was considered in the SSPSA. The analysis considered the EFW pumps being tested 14 times a year for a mean duration of 0.721 hours. No testing was considered for the SFP or the valves in the EFW system. Maintenance of the turbine-driven EFW pump was considered to be performed every 6 months and for the motor-driven pump every 16 months. The maintenance duration for both pumps was taken to be 20.9 hours. Maintenance on the SFP was considered to be every 16 months for a duration of 5 days.

Human errors due to test and maintenance were considered in the SSPSA. These errors were failure of the operators to return the EFW pumps or SFP to an operable state following test and/or maintenance. In addition, failure to discover the misalignment was also considered. Data from the Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Application (NUREG/CR-1278) was used in the quantification. In our review of this SSPSA section, the values given on page D.9-27 for the EFW pump unavailability due to test and human interaction were approximately two orders of magnitude lower than the values we calculated using their equations and mean probabilities. These unavailabilities, however, are not significant contributors to the overall system unavailability and, therefore, do not affect the results.

No human recovery actions for this system were considered in the SSPSA, although realignment of an EFW pump being tested was allowed when a start signal was received at the pump. The procedures explicitly account for this action. Not considering human recovery actions results in the following modeling assumptions:

1) if the CST is found to contain insufficient water inventory during an accident, makeup is not provided from the demineralized water storage tank or the water treatment water, and

2) upon a loss of offsite power or closure of the main feedwater isolation valves, the SFP is not manually aligned to the emergency feedwater lines and its power is not changed from a nonessential to an essential electrical bus.

Common cause failure of the two EFW pumps was included in the analysis. A beta factor was developed for the pumps failing to run and applied to pumps only, excluding their driver type (motor or turbine). The beta factor used was 0.119. No other common cause failures were included in the analysis.

Dependent failures between the two EFW pumps were considered. If the turbine-driven pump were to fail due to its steam line rupture, there is a possibility that the motor-driven pump's environmental qualifications could be exceeded. However, due to the limited amount of piping involved and the small probability of piping failure, this failure mode was not considered to be a significant contributor to the system unavailability. Turbine missiles from the turbine-driven pump could fail the motor-driven pump. This dependent failure was not considered to be significant because of the pump's physical arrangement (perpendicular) and the addition of a fire wall between the two pumps.

The failure of the EFW pumps and the SFP due to external events was analyzed. The analysis considered fire to be the only significant contributor to the unavailability of these pumps. Floods were not considered to have a significant impact.

3.4.8.3 COMMENTS

In general, the system models and analysis for the emergency feedwater system were valid, accurate and complete. However, we have comments on the way this analysis is applied to the event tree top event, EF, and its combination with the secondary cooling function of the main steam system.

The event tree top event, EF, appears in all front-line event trees except the Large LOCA tree. Upon inspection of the event trees input coding in SSPSA Tables 5.4-10 thru 25, many of the numerical entries do not match any of the values given in the EFW analysis section. The differences are due to combining the results of the EFW system unavailability expressions (EFW (1), EFW (2), EFW (5), EFW (6), SFP (1) and CST) and the secondary cooling analysis (SC (1) and SC (2)) into overall functional failure expressions that are tailored to the specific initiating event and a set of auxiliary system states (represented by the auxiliary tree impact vectors). The functional failure expressions and their results are given in the footnotes to the event tree input coding tables. While the functional success of the EF event is discussed in the event tree description section (5.4) and a discussion of the auxiliary state's impact on this event is given in tables in this section, we believe that a discussion of the derivation and analysis of all the functional failure expressions and their results should be explicitly included in the text, instead of a footnote. This would allow for a more comprehensive internal review and qualification.

We have reproduced the information given in the footnotes to the event tree input coding tables in Table 3.4.8-2 herein for all the front-line event trees except the large LOCA tree and the seismic initiators. Table 3.4.8-2 also includes the Auxiliary Tree Impact Vectors (from SSPSA Table 5.4-2), a brief description of the most limiting case of the auxiliary system state, the EFW configuration and failure expression used to determine the system unavailability with respect to the auxiliary system state and initiating event, the SSPSA mean unavailability derived from the failure expression and the event trees where the mean unavailability values are used.
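The functional failure expressions of Table 3.4.8-2 can be re-evaluated from the means printed in Table 3.4.8-1 and the SSPSA secondary cooling totals of Table 3.4.10-1. The following is an added example, not part of the SSPSA or of this review: it backs CST, SFP(1) and EFW(2) out of the printed combinations and lists the table entries that do not reproduce. It assumes "+" is an arithmetic sum (rare-event approximation) and allows 1% for three-significant-figure rounding; all function names are illustrative.

```python
"""Recompute Table 3.4.8-2 entries from the printed Table 3.4.8-1 and 3.4.10-1 means."""
import math

# SSPSA mean unavailabilities (per demand) as printed in Table 3.4.8-1.
CST_SFP1_EFW1 = 6.76e-6  # CST + SFP(1)*EFW(1)
CST_SFP1_EFW2 = 7.16e-4  # CST + SFP(1)*EFW(2)
CST_SFP1 = 1.50e-2       # CST + SFP(1)
CST_EFW1 = 4.34e-4       # CST + EFW(1)
CST_EFW5 = 5.87e-3       # CST + EFW(5)
EFW6 = 2.70e-3           # EFW(6)
# Secondary cooling totals, SSPSA column of Table 3.4.10-1.
SC1 = 5.65e-8            # offsite power available
SC2 = 1.82e-4            # loss of offsite power


def solve_components():
    """Back the individual terms out of the printed combinations.

    With c = CST, s = SFP(1), e1 = EFW(1):
        c + s*e1 = A,  c + s = B,  c + e1 = C
    which gives c^2 + (1 - B - C)*c + (B*C - A) = 0.
    """
    a, b, c1 = CST_SFP1_EFW1, CST_SFP1, CST_EFW1
    p = 1.0 - b - c1
    q = b * c1 - a
    # Positive root, written in the cancellation-free form.
    cst = -2.0 * q / (p + math.sqrt(p * p - 4.0 * q))
    sfp1 = b - cst
    efw1 = c1 - cst
    efw2 = (CST_SFP1_EFW2 - cst) / sfp1
    return {"CST": cst, "SFP1": sfp1, "EFW1": efw1, "EFW2": efw2}


def table_rows():
    """(expression, recomputed value, value printed in Table 3.4.8-2)."""
    k = solve_components()
    e1 = CST_EFW1                # CST + EFW(1)
    e2 = k["CST"] + k["EFW2"]    # CST + EFW(2)
    half = e1 / 2 + e2 / 2       # (CST + EFW(1))/2 + (CST + EFW(2))/2
    s = k["SFP1"]
    return [
        ("CST + EFW(1) + SC(1)", e1 + SC1, 4.34e-4),
        ("(CST + EFW(1)) * SFP(1) + SC(1)", e1 * s + SC1, 6.57e-6),
        ("CST + EFW(1) + SC(2)", e1 + SC2, 6.16e-4),
        # Printed as 3.32 - 4 in this copy of the table.
        ("CST + EFW(1) + EFW(6) + SC(2)", e1 + EFW6 + SC2, 3.32e-4),
        ("halves + SC(1)", half + SC1, 2.41e-2),
        ("halves + SC(2)", half + SC2, 2.43e-2),
        ("[halves] * SFP(1) + SC(1)", half * s + SC1, 3.61e-4),
        ("halves + EFW(6) + SC(2)", half + EFW6 + SC2, 2.69e-2),
        ("SFP(1) + SC(1)", s + SC1, 1.50e-2),
        ("(CST + EFW(5))/2 + 0.5 + SC(2)", CST_EFW5 / 2 + 0.5 + SC2, 5.03e-1),
        ("CST + EFW(2)", e2, 4.77e-2),
        ("CST + EFW(2) + EFW(6)", e2 + EFW6, 5.04e-2),
    ]


def audit(rel_tol=0.01):
    """Compare each recomputed entry with the printed one."""
    return [
        (expr, computed, printed, math.isclose(computed, printed, rel_tol=rel_tol))
        for expr, computed, printed in table_rows()
    ]


def mismatches(rel_tol=0.01):
    """Expressions whose printed value is not reproduced within rel_tol."""
    return [expr for expr, _, _, ok in audit(rel_tol) if not ok]


if __name__ == "__main__":
    for expr, computed, printed, ok in audit():
        flag = "ok" if ok else "MISMATCH"
        print(f"{expr:34s} recomputed {computed:9.3e}  printed {printed:9.3e}  {flag}")
```

Running it reproduces every listed entry except the ATWS LOMFW entry for impact vectors 0-4, where the recomputed sum is a factor of ten above the printed value.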

There were some discrepancies between the values given in the SSPSA ATWS LOSP input coding table (5.4-25b) and the footnotes given for those values. The values given in this SSPSA table for the 5, 7, 9, and 11 auxiliary impact vectors are 6.16E-4, while the footnote to these values indicates a value of 2.69E-2. In addition, the values given in this table for the 12, 14 and 16 auxiliary vectors are 6.16E-4, while the footnote indicates a value of 1.00. The correct values that should be used for these entries are dependent on the outcome of the previous event, turbine trip (OT).

Inspection of our Table 3.4.8-2 indicates that the SFP is considered available only for some loss of main feedwater transients. This is correct since any accident situation with a loss of offsite power, or that generates an SI signal, will render the SFP unavailable. However, upon further inspection, the SFP is considered available when there is a loss of all component cooling (PCC or SW) since it is being used for loss of main feedwater transients with auxiliary impact vectors 4, 11, and 16. A loss of all PCC or SW will render the SCC incapable of removing heat from the SFP oil cooler and eventually cause pump failure. By considering failure of the SFP with loss of all component cooling, the unavailabilities of the top event 2.4E-2, and 1.00 corresponding to the impact vectors 4, 11, and 16, respectively.

A similar situation exists with respect to the secondary cooling function, SC. The steam dump valves (SDVs) become unavailable upon loss of component cooling or when an SI signal is present because the air compressors are not cooled by the SCC (as previously discussed). The SDVs are also unavailable upon a loss of offsite power due to a loss of instrument air. In addition, during the above situations, the atmospheric relief valves (ARVs) only function for 2 hours due to the capacity of their air accumulators. Therefore, for accident situations where there is a LOSP, SI signal or a loss in component cooling, the secondary cooling function becomes unavailable within two hours.

These considerations would render emergency feedwater unavailable for a considerable number of accident situations if only the SDVs and ARVs were relied upon for secondary cooling as stated in the discussion of the event trees in SSPSA Section 3.3. Paraphrased from this discussion, 'failure of the secondary cooling function results in loss of secondary heat removal'. The SSPSA has not considered the main steam relief.

An inspection of the EFW pumps and the SFP characteristics indicates that they have sufficient capacity to lift all 5 safety valves on the main steam lines. Considering that all five valves must fail to open on at least two of four main steam lines results in a very low unavailability for the secondary cooling function, considerably lower than the values used for the unavailability of the SDVs or the ARVs. However, by not considering the safety valves in the analysis, several important accident scenarios are overlooked. The safety valves have a relatively large probability of failure to close once they have opened and when the SDVs and ARVs fail closed the safety valves would certainly open. Failure of the safety valves to close would necessitate a transfer to the steam line break outside containment event tree for further consideration. The SSPSA has not considered these possible accident scenarios in the analysis.

The additional requirement for flow to all four steam generators is only included in the loss of feedwater ATWS. This criterion is used for those situations in which the reactor power is greater than 80% of full power and the turbine fails to trip. Turbine trip failure will result in continued heat removal from the RCS following loss of feedwater which would limit the effects of the negative moderator temperature coefficient. This situation requires more RCS heat removal for accident mitigation due to the additional heat generated from more equivalent full power seconds of reactor operation.

Table 3.4.8-1
System Configuration and Unavailabilities for the Emergency Feedwater System

SYSTEM CONFIGURATION      ACCIDENT SITUATION                         UNAVAILABILITY         DOMINANT CONTRIBUTOR
                                                                     (means, per demand)

CST + SFP (1) *EFW (1)    all support systems available,             6.76 - 6               SFP - maintenance
                          no SIS signal, loss of MFW                                        EFW - hardware

CST + SFP (1) *EFW (2)    one SSPS or ESFAS channel unavailable,     7.16 - 4               SFP - maintenance
                          no motor-driven EFW pump                                          EFW - hardware

CST + SFP (1)             both SSPS or unavailable,                  1.50 - 2               SFP - maintenance
                          no EFW pumps

CST + EFW (1)             loss of offsite power, no MFW trip,        4.34 - 4               EFW - hardware
                          SIS available

CST + EFW (5)             SIS signal available,                      5.87 - 3               EFW - hardware
                          no turbine-driven EFW pump

EFW (6)                   ATWS                                       2.70 - 3               piping hardware

note: MFW = main feedwater system

Table 3.4.8-2
EMERGENCY FEEDWATER APPLICATION TO EVENT TREE TOP EVENT

Aux. Tree Impact Vector: 0-4
Aux. System State: loss of EAN; loss of all PCC; loss of all SW

EFW Configuration                                             Unavail. per demand (mean)   Event Tree
CST + EFW(1) + SC(1)                                          4.34 - 4                     MLOCA, SLOCA, SGTR, Rx Trip, Turbine Trip, ATWS TT, ATWS SLOCA
(CST + EFW(1)) * SFP(1) + SC(1)                               6.57 - 6                     Loss of MFW
CST + EFW(1) + SC(2)                                          6.16 - 4                     SLBI, SLBO, LOSP, ATWS LOSP
CST + EFW(1) + EFW(6) + SC(2)                                 3.32 - 4                     ATWS LOMFW

Aux. System State: loss of one SSPS/ESFAS channel; loss of all PCC; loss of SW/LOSP

EFW Configuration                                             Unavail. per demand (mean)   Event Tree
(CST + EFW(1))/2 + (CST + EFW(2))/2 + SC(1)                   2.41 - 2                     MLOCA, SLOCA, SGTR, Rx Trip, Turbine Trip, ATWS TT, ATWS SLOCA
(CST + EFW(1))/2 + (CST + EFW(2))/2 + SC(2)                   2.43 - 2                     SLBI, SLBO
[(CST + EFW(1))/2 + (CST + EFW(2))/2] * SFP(1) + SC(1)        3.61 - 4                     Loss of MFW
CST + EFW(1) + SC(1)                                          6.16 - 4                     LOSP, ATWS LOSP
(CST + EFW(1))/2 + (CST + EFW(2))/2 + EFW(6) + SC(2)          2.69 - 2                     ATWS LOMFW

Aux. Tree Impact Vector: 12-16
Aux. System State: loss of both SSPS/ESFAS; loss of all PCC; loss of SW/LOSP

EFW Configuration                                             Unavail. per demand (mean)   Event Tree
                                                              1.00                         MLOCA, SLOCA, SGTR, Rx Trip, Turbine Trip, SLBI, SLBO, ATWS LOMFW, ATWS SLOCA
SFP(1) + SC(1)                                                1.50 - 2                     Loss of MFW
CST + EFW(1) + SC(2)                                          6.16 - 4                     LOSP, ATWS LOSP

Aux. Tree Impact Vector: 17-28, 32-37
Aux. System State: LOSP; loss of one AC bus; loss of one PCC/SW train; loss of both SSPS/ESFAS channels; loss of one DC, PCC, SSPS/ESFAS

EFW Configuration                                             Unavail. per demand (mean)   Event Tree
(CST + EFW(1))/2 + (CST + EFW(2))/2 + SC(2)                   2.43 - 2                     MLOCA, SLOCA, SGTR, Rx Trip, Turbine Trip, Loss of MFW, SLBI, SLBO, ATWS TT, ATWS SLOCA, ATWS LOSP, LOSP
(CST + EFW(1))/2 + (CST + EFW(2))/2 + EFW(6) + SC(2)          2.69 - 2                     ATWS LOMFW

Aux. Tree Impact Vector: 26-28, 35-37
Aux. System State: same as above

EFW Configuration                                             Unavail. per demand (mean)   Event Tree
(CST + EFW(5))/2 + 0.5 + SC(2)                                5.03 - 1                     SLBO

Aux. Tree Impact Vector: 28-30
Aux. System State: station blackout; loss of one SSPS/ESFAS

EFW Configuration                                             Unavail. per demand (mean)   Event Tree
CST + EFW(2)                                                  4.77 - 2                     MLOCA, SLOCA, SGTR, Rx Trip, Turbine Trip, Loss of MFW, SLBI, SLBO, ATWS TT, ATWS SLOCA, ATWS LOSP, LOSP
CST + EFW(2) + EFW(6)                                         5.04 - 2                     ATWS LOMFW

Aux. Tree Impact Vector: 31
Aux. System State: same as above

EFW Configuration                                             Unavail. per demand (mean)   Event Tree
CST + EFW(2)                                                  4.77 - 2                     MLOCA, SLOCA, SGTR, Rx Trip, Turbine Trip, Loss of MFW, ATWS TT, ATWS SLOCA, ATWS LOSP, LOSP
CST + EFW(2) + EFW(6)                                         5.04 - 2                     ATWS LOMFW
                                                              1.00                         SLBI, SLBO

Aux. Tree Impact Vector: 38
Aux. System State: loss of one DC, AC bus, SSPS/ESFAS

EFW Configuration                                             Unavail. per demand (mean)   Event Tree
CST + EFW(2)                                                  4.77 - 2                     MLOCA, SLOCA, Rx Trip, Turbine Trip, Loss of MFW, SLBI, SLBO, ATWS SLOCA, ATWS TT, LOSP
CST + EFW(2) + EFW(6)                                         5.04 - 2                     ATWS LOMFW

Aux. Tree Impact Vector: 39-40
Aux. System State: loss of all DC

EFW Configuration                                             Unavail. per demand (mean)   Event Tree
(CST + EFW(2))/2 + (CST + EFW(3))/2 + SC(2)                   2.43 - 2                     MLOCA

Aux. Tree Impact Vector: 39-40
Aux. System State: loss of all DC

EFW Configuration                                             Unavail. per demand (mean)   Event Tree
CST + EFW(2)                                                  4.77 - 2                     MLOCA, SLOCA

3.4.9 REACTOR COOLANT PRESSURE RELIEF SYSTEM

3.4.9.1 SYSTEM DESCRIPTION

The reactor coolant pressure relief system is designed to provide primary pressure relief and cooling for the reactor coolant system (RCS) through the operation of power-operated relief valves (PORV) and safety valves. The system consists of 2 PORVs, each with an associated motor-operated block valve, and 3 spring-loaded safety valves. In the event of overpressure, the PORVs and safety valves provide steam discharge to the pressurizer relief tank where steam is condensed by mixing with water. The pressure setpoints for automatic PORV and safety valve actuation are 2385 psig and 2485 psig respectively. A normally open block valve is located upstream of each PORV and provides isolation for the PORV if excessive leakage develops.

3.4.9.2 SYSTEM ANALYSIS

Five cases are analyzed with mean unavailabilities as follows.

  • Bleed and Feed : Two of two PORVs need to open on demand. Q = 1.05E-2. This is a hardware contribution only.
  • Severe ATWS : One of two PORVs needs to open on demand, and three of three safety valves need to open on demand. Q = 1.56E-3. Hardware contributes 65%, common cause 35%.
  • Nominal ATWS : Three of three safety valves need to open on demand. Q = 9.85E-4. This is a hardware contribution only.
  • Reseating After ATWS : Three of three safety valves and two of two PORVs or block MOVs need to reseat on demand. Q = 5.86E-2. This is a hardware contribution only.
  • Chemical Shutdown in ATWS : One of two PORVs needs to open on demand. Q = 5.72E-4. Common cause contributes 93%, hardware 7%.

A sixth case is also listed in SSPSA Table D.10-3 on page D.10-9 for chemical shutdown in ATWS with a single PORV available. The mean unavailability is 4.27E-3. However, this case is not mentioned in the discussion of success criteria (Section D.10.1.2), nor is a failure logic expression given for it (Section D.10.2.3). Its quantification is not discussed, and it does not appear in the results in Table 7.10-1 on page 7.10-3.

Except for the inconsistency noted above, the analysis for the reactor coolant pressure relief system appears to be complete and accurate.

3.4.10 Main Steam System

3.4.10.1 System Description

The main steam system provides for heat removal from the primary coolant system. That portion of the main steam system analyzed in the SSPSA consists of the atmospheric relief valves (ARVs), condenser steam dump valves (SDVs), safety relief valves, main steam isolation valves (MSIVs), and the main turbine stop and control valves.

Each of the four air-operated ARVs, one on each main steam line, is automatically controlled to regulate its associated steam generator's outlet header pressure. The total capacity of all the ARVs at their setpoint pressure is 10% of the maximum steam flow. Each ARV is supplied air from the instrument air system and is also equipped with an air accumulator. The SSPSA failed to indicate that the accumulators contain enough air to allow for only 2 hours of operation. The ARVs will fail closed on loss of air pressure. The ARVs can be controlled manually either at the valve or by adjusting their pressure setpoint on the controller in the control room given a supply of air.

During normal operation, the 12 air-operated SDVs are controlled by the difference between primary T(ave) and a T(ref) signal (turbine first-stage pressure) to determine how many valves will open to dump steam to the condenser. For a large load reduction, either one-half or all the dump valves open and then are modulated closed as reactor power approaches turbine power. During primary plant cooldown, the steam dump system is operated in a steam generator pressure control mode. The SDVs will fail closed on loss of air pressure. The SDVs can be manually controlled.

The 20 spring-loaded safety relief valves, five on each main steam line, are self actuated and automatically open at pressures from 1,185 to 1,255 psig. The total capacity of the 20 valves exceeds 110% of the full load steam flow at a pressure not exceeding 110% of the steam generator shell side pressure.

The 4 MSIVs, one on each main steam line, are designed to close upon receipt of an ESFAS signal in the event of a main steam line break or turbine trip failure. These valves can be operated manually from the main control board and the remote shut down panel.

The electrohydraulic turbine control and stop valves control the steam flow to the turbine during normal operation. During a sudden loss of generator load, all stop and control valves close and all SDVs are opened.

3.4.10.2 SYSTEM MODEL

The various components of the main steam system discussed above are analyzed for the following functions listed below along with their failure criteria and boundary conditions:

1) Secondary Cooling: at least 3 of 4 ARVs fail to open on demand and at least 7 of 12 SDVs fail to open on demand; the secondary cooling function is analyzed for situations with offsite power available and for loss of offsite power.

2) Main Steam Line Isolation for Line Breaks and Turbine Trip Failure: failure of two or more MSIVs to close on demand.

3) Main Steam Line Isolation for an SGTR: the MSIV on the affected steam line fails to close on demand and one of the open SDVs or one of the remaining MSIVs fail to close on demand.

4) Main Steam Safety Valve Operation for SGTR: one safety valve fails to lift in response to steam generator conditions; or given lift, fails to reseat.

5) Main Steam Safety Valve Operation for an ATWS: at least 3 of 5 safety valves on one or more of the 4 main steam lines fail to open on demand.

6) Turbine Trip: one turbine stop valve and one turbine control valve fail to close on demand.

There are no reliability block diagrams given in the section on main steam analysis (D.11) except for the analysis of the SDV control system. The logical expressions are presumed to be developed directly from the above given boundary conditions and failure criteria. The unit was considered to be at normal power prior to an initiating event and the analysis assumed that the appropriate external actuation or control signals are present.

The logical expressions accurately reflect the system's configuration and operational mode based on the boundary conditions and assumptions used in the analysis. There were, however, discrepancies in their presentation of the analysis. These discrepancies are discussed below.

The unavailabilities calculated in the SSPSA are given in Table 3.4.10-1. Also given in this table are the unavailabilities calculated using the mean values of the data given in the SSPSA (Table D.11-3) and their logical expressions for comparison.

Table 3.4.10-1
Main Steam Unavailabilities (failure on demand)

                                                             UNAVAILABILITY
FUNCTION                               FAILURE CAUSE    SSPSA             USING MEAN FAILURE DATA
                                                        (TABLE D.11-4)    (TABLE D.11-3)

1) Secondary Cooling
   a. Offsite Power Available          Hardware         3.61-10           9.56-11
                                       Common Cause     5.63-8            5.53-8
                                       Total            5.65-8            5.53-8

   b. Loss of Offsite Power            Hardware         1.16-6            3.11-7
                                       Common Cause     1.81-4            1.81-4
                                       Total            1.82-4            1.81-4

2) MSIV Isolation for Steam Line       Hardware         2.54-5            1.39-5
   Break and Turbine Trip              Common Cause     6.44-5            6.43-5
                                       Total            8.98-5            7.82-5

3) Steam Generator Isolation           Hardware         8.16-6            8.14-6
   for SGTR (steam relief)             Common Cause     --                --
                                       Total            8.16-6            8.14-6

4) Safety Valve Action for SGTR        Hardware         9.28-3            9.27-3
   (steam relief)                      Common Cause     --                --
                                       Total            9.28-3            9.27-3

5) Safety Valve Action for SGTR        Hardware         2.01-1            2.91-1
   (water relief)                      Common Cause     --                --
                                       Total            2.01-1            2.91-1

6) Safety Valve Action for ATWS        Hardware         4.72-8            1.41-9
                                       Common Cause     --                --
                                       Total            4.72-8            1.41-9

7) Turbine Trip                        Hardware         4.49-6            4.35-6
                                       Common Cause     --                --
                                       Total            4.49-6            4.35-6

NOTE: Exponential notation is in abbreviated form.

Inspection of Table 3.4.10-1 indicates fairly good agreement between their DPD2 calculations and our hand calculation using mean values. However, their calculations for the Safety Valve Actuation for the ATWS event produced a value that is 30 times our value. This result would tend to indicate that the safety valve failure distribution they used was skewed to the higher failure probabilities or they made an error in recording their result.

The equations given on SSPSA Page D.11-16 in Section D.11.3.1.5, Total Secondary Cooling Function Failure, are incorrect. The consideration of the ARVs was previously accounted for in the expression given in Section D.11.3.1.1. These equations should be Qsc(1) = (Qarv-h + Qarv-cc)(Qsdv) and Qsc(2) = (Qarv-h + Qarv-cc). The unavailabilities for this event, however, are dominated by common cause and the use of these equations as given does not significantly affect the results.

The quantification of the Steam Generator Isolation for an SGTR event considers only 3 SDVs failing to close on demand along with the failure of the MSIVs. It is not clear why only 3 valves were assumed open. Upon a turbine trip or loss of load at full power, from 6 to 12 valves will open to dump steam to the condenser. For total steam line isolation all the open SDVs would have to close on demand. For the case with 6 valves open, the unavailability would be 9.36E-6; for 12 valves, 1.18E-5. These values should be compared to 8.14E-6 which was calculated from the mean unavailabilities given in the SSPSA.

For the Turbine Trip Event, the values given in SSPSA Section D.11.3.6.1 for Qtsv-h and Qtcv-h do not match Table D.11-3 entries. These values were derived from the equation given in Section D.11.2.6 and are equivalent to 16 cutsets of the form (TSVj)(TCVk)**0.5, where j,k = 1,2,3,4.

Common cause failures were considered only for the Secondary Cooling and MSIV Isolation for Steam Line Breaks and Turbine Trip events. The Secondary Cooling event considered the common cause failure of the ARVs to open on demand. For the MSIV Isolation event, common cause failure of the MSIVs to close was considered. For the remainder of the events, common cause failures were not considered to be a contributor to their unavailabilities.

Human actions were considered in the event tree top events associated with Secondary Cooling, Turbine Trip and SGTR Isolation. For the remaining events, human action was not considered to have a significant contribution to their unavailabilities.

Test, inspection and maintenance are not quantified for the main steam functions analyzed because the system is required to support ongoing plant operation.

Hardware failure during long term secondary cooling for plant stabilization or cooling could be overridden by operator action. Therefore, long term hardware failure of the secondary cooling function was not analyzed.

3.4.10.3 COMMENTS

In general, the logical expressions presented in the analysis of the main steam system are accurate, valid and complete. There were discrepancies as noted above.

There is one concern about the secondary cooling function. As indicated in the section on instrument air, a loss of offsite power or a safety injection signal will isolate the secondary cooling system from the service water system and result in loss of instrument air. With a loss of instrument air, the SDVs will fail closed and the ARVs will only operate for 2 hours. Therefore, the analysis given for the secondary cooling function, which includes only SDVs and ARVs, will only be valid for two hours. After this time, secondary cooling would have to rely on the opening of the safety valves for steam relief. No analysis was performed for utilizing the safety valves during secondary cooling.

The SSPSA indicated that failures in long term secondary cooling could be overridden by the operator and, therefore, were not considered. After two hours of ARV relief, the only way to restore secondary cooling would be to supply instrument air or manually operate the ARVs. Restarting the instrument air compressors was not considered in the analysis of the instrument air system.

The secondary cooling function is used in the event tree top event EF, emergency feedwater and steam relief. The effects of the above discussion on this event are discussed in the section on emergency feedwater.

3.4.11 CONTAINMENT BUILDING SPRAY SYSTEM

3.4.11.1 SYSTEM DESCRIPTION

The containment building spray system (CBS) is designed to maintain the containment building pressure and temperature within design limits in the event of a main steam line break or LOCA. The CBS system consists of two redundant trains, each having a centrifugal pump, a heat exchanger to the Primary component cooling system, and two spray headers. A spray additive tank (SAT) is shared by both trains.

The CBS system is normally in standby. During injection phase it is automatically actuated by a P signal, and the pumps take suction from the refueling water storage tank (RWST). Borated water from the RWST is mixed with sodium hydroxide solution from the SAT, and pumped through the containment spray heat exchangers to the spray nozzles discharging into the containment. The recirculation phase is automatically initiated when a low-low level in the RWST and an S signal are detected. The pumps then take suction from the recirculation sump.

3.4.11.2 SYSTEM ANALYSIS

The injection and recirculation modes are quantified separately for the three boundary conditions of: (1) all support systems available; (2) loss of one automatic start signal, or one electrical power bus, or one suction path; (3) loss of one PCC train. The mission time for success is 1 hour for the injection phase and 1 week for the recirculation phase. It is assumed that if the test lines were failed open, the loss of the driving head to the train would be sufficient to cause failure due to inadequate spray distribution at the nozzle spray ring headers. Another assumption is that failure of NaOH addition will not cause system failure. The SSPSA results follow.

  • Injection Cases

CBS-CA/CB(1) = 7.25E-4. Common cause contributes 82%, hardware 14%, and maintenance 4%.

CBS-CA/CB(2) = 1.02E-2. Hardware contributes 83%, maintenance 17%. Of the hardware contribution, 51% comes from a failure to open and remain open of the normally closed MOVs between the heat exchangers and the spray headers, and 39% comes from the failure to start and run of the CBS pumps.

CBS-CA/CB(3) = CBS-CA/CB(1) = 7.25E-4. This case is identical to case 1 because of the assumption that loss of PCC water flow to the CBS pump seal coolers or to the CBS heat exchangers causes pump failure or containment cooling failure, respectively, only during the recirculation phase.

  • Recirculation Cases

CBS-XA/XB(1) = 2.27E-4. Common cause contributes 56%, hardware 44%. This result is lower than the injection case by about a factor of 3 because various components have already changed state and only need to continue to function for the mission time.

CBS-XA/XB(2) = 6.39E-3. This is a hardware contribution only.

CBS-XA/XB(3) = 6.39E-3. This is identical to the previous case.

  • Additional Recirculation Cases

Four additional recirculation cases were quantified although no system failure equations are given for them in Section D.12.2.3. The first two, X3/X4, are quantified for boundary conditions 1 and 2/3. They require the operators to start the CBS system manually and operate it for 1 week. The results for these cases are similar to those for the injection cases, only slightly higher because the mission time is 1 week instead of 1 hour.

CBS-X3/X4(1) = 7.43E-4. Common cause contributes 73%, hardware 23%, and maintenance 4%.

CBS-X3/X4(2&3) = 1.15E-2. Hardware contributes 85%, maintenance 15%.

The next two cases, XC/XD, are again quantified for boundary conditions 1 and 2/3. These cases require that a CBS train and its associated heat exchanger train operate for 1 week in the recirculation mode. These cases appear to be the same as the first recirculation cases (XA/XB) with the addition of blocks VA and VB representing the heat exchanger trains.

CBS-XC/XD(1) = 4.98E-4
Common cause contributes 62%, hardware 38%.

CBS-XC/XD(2&3) = 1.08E-2
This is a hardware contribution only.

3.4.11.3 COMMENTS

We have several minor points concerning the CBS system analysis. In particular, system failure equations should have been given for the additional recirculation cases.

There is an apparent error in the quantification of check valve failure for blocks SA/SB and PA'/PB' (Section D.12.3.1.1 on pages D.12-10 and D.12-11). Using a failure rate of 5.36E-7 per hour from Table D.12-6 times the mission interval of 168 hours gives an unavailability of 9.00E-5, compared to the listed result of 1.76E-6 for block SA/SB. Again for block PA'/PB' the check valve unavailability should be given by failure to open on demand plus failure to remain open: 2.69E-4 + (5.36E-7 x 168) = 3.59E-4. All recirculation cases are affected; however, the effect is small (approximately a few percent).

Another apparent error was found in the evaluation of recirculation case X3/X4(2&3) (Section D.12.3.4 on page D.12-16). In the unavailability equation, the two terms representing the MOVs should contain a "+" operator rather than the "x" operator as shown. However, these terms do not significantly contribute to the total, so the effect of incorrect evaluation of the equation is minor.
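The two check valve corrections and the "+" versus "x" point above can be reproduced with a few lines of arithmetic. The following is an added example, not part of the original review or of the SSPSA; the function names and the MOV term values passed to operator_swap are constructed for illustration, and the exact (non-linear) forms go slightly beyond the linear arithmetic the review uses.

```python
import math

# Values quoted in Section 3.4.11.3 of this review.
CHECK_VALVE_RATE_PER_HR = 5.36e-7   # check valve fails to remain open (Table D.12-6)
CHECK_VALVE_DEMAND = 2.69e-4        # check valve fails to open on demand
MISSION_HOURS = 168                 # recirculation mission time, 1 week
LISTED_SA_SB = 1.76e-6              # result listed in the SSPSA for block SA/SB


def running_failure(rate_per_hr, hours, exact=False):
    """Probability that a component fails at some point during the mission.

    The review uses the linear form rate * time. The exact exponential form
    is included for comparison; the two differ only when rate * time is large.
    """
    if exact:
        return -math.expm1(-rate_per_hr * hours)
    return rate_per_hr * hours


def any_fails(*terms, exact=False):
    """OR of independent failure terms: the '+' operator in a failure equation."""
    if exact:
        survive = 1.0
        for q in terms:
            survive *= 1.0 - q
        return 1.0 - survive
    return sum(terms)  # rare-event approximation


def all_fail(*terms):
    """AND of independent failure terms: the 'x' operator in a failure equation."""
    return math.prod(terms)


def block_sa_sb():
    """Check valve in block SA/SB must remain open for the whole mission."""
    return running_failure(CHECK_VALVE_RATE_PER_HR, MISSION_HOURS)


def block_pa_pb():
    """Check valve in block PA'/PB' must open on demand and then remain open."""
    return any_fails(
        CHECK_VALVE_DEMAND,
        running_failure(CHECK_VALVE_RATE_PER_HR, MISSION_HOURS),
    )


def operator_swap(q_mov_a, q_mov_b):
    """Return (value with '+', value with 'x') for two MOV failure terms.

    When either MOV failing fails the function, the terms add. Multiplying
    them instead treats the MOVs as redundant and understates the result.
    """
    return any_fails(q_mov_a, q_mov_b), all_fail(q_mov_a, q_mov_b)


if __name__ == "__main__":
    sa_sb = block_sa_sb()
    print(f"SA/SB   recalculated {sa_sb:.2e}, listed {LISTED_SA_SB:.2e}, "
          f"ratio {sa_sb / LISTED_SA_SB:.0f}")
    print(f"PA'/PB' recalculated {block_pa_pb():.2e}")
    # Constructed MOV terms, not SSPSA data: 4.0E-3 per valve.
    plus, times = operator_swap(4.0e-3, 4.0e-3)
    print(f"MOV terms with '+': {plus:.2e}, with 'x': {times:.2e}")
```

With the quoted inputs the linear and exact forms agree to three significant figures, so the discrepancy with the listed SA/SB value cannot be attributed to the choice of approximation.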

On the CBS system simplified P&ID (Figure D.12-1 on page D.12-34 and Figure 7.12-1 on page 7.12-4) the spray additive tank is missing. Even though the SAT was excluded from the analysis, it is still part of the system and should appear on the drawing.

In conclusion, no serious problems were found in the CBS system analysis. Therefore, we believe the analysis to be complete, valid, and accurate.

3.4.12 CONTAINMENT ISOLATION SYSTEM

3.4.12.1 SYSTEM DESCRIPTION

The containment isolation system (CIS) is designed to prevent radioactive release to the atmosphere in the event of an accident. This system isolates all containment penetrations that are not required for operation of the emergency safeguard features (ESF) systems. The CIS provides double barrier protection for all lines that penetrate the containment. A barrier consists of a valve, a closed system or a diaphragm, depending on the location and application.

There are two types of containment penetrations. Type I penetrations are part of the reactor coolant pressure boundary or connect directly to the containment atmosphere and penetrate the containment. These penetrations are provided with two valves as isolation barriers, one located inside the containment and one located outside. Lines that penetrate the containment but are neither part of the reactor coolant pressure boundary nor connect to the containment atmosphere are Type II penetrations. These penetrations are provided with a single valve located outside containment as one of the two isolation barriers. The second isolation barrier is the boundary of these closed systems.

Most containment isolation valves are manual valves normally in a closed position. However, systems that provide needed functions during normal plant operation are provided with either automatic air-operated valves (AOV), solenoid-operated valves (SOV) or motor-operated valves (MOV) that respond to a containment isolation signal.

During accident situations, the automatic isolation valves close in response to one of two containment isolation signals. The first of these signals is the T signal, that occurs in conjunction with an SI signal or high containment pressure. The T signal trips a majority of the automatic isolation valves on nonessential process lines. This is defined as "Phase A" containment isolation. The second signal, "Phase B" isolation, is the P signal that occurs in response to high 3 containment pressure and/or containment spray system actuation. The P signal trips the remainder of the automatic isolation valves.

3.4.12.2 SYSTEM MODEL

The failure criterion used for the CIS model was failure to isolate any one of the containment penetrations considered in the analysis. Failure occurs when both of the isolation barriers do not function properly. The SSPSA reviewed the containment penetrations and eliminated many penetrations from consideration using the following criteria:

1) penetrations which are not used during normal operation and are isolated by normally closed or locked closed manual isolation valves and/or check valves; and
2) high pressure closed systems that will retain radioactivity.

As a result of their review, the following nine containment penetrations were considered in the CIS analysis:

1) Containment online purge system - valves COP-V1 and COP-V2,
2) Containment online purge system - valves COP-V3 and COP-V4,
3) Equipment ventilation system - valves VG-FV-1561 and VG-FV-1712,
4) Floor and equipment drain system - valves WLD-V41 and WLD-V42,
5) Floor and equipment drain system - valves WLD-V81, WLD-V82 and WLD-FV-1403,
6) Reactor make-up water system - valves RMW-V28, RMW-V29 and RMW-V30,
7) Nitrogen gas system - valves FV-4609 and FV-4610,
8) Steam generator blowdown system - one pair of the following valves: SB-1 and SB-9, SB-3 and SB-10, SB-5 and SB-11, SB-7 and SB-12,
9) Chemical and volume control system - valves CS-V167 and CS-V168.

Leakage through penetrations was not considered in the CIS analysis. The analysis also did not consider isolation valve failure due to containment environmental conditions existing during an accident and failures of the piping between isolation valves inside and outside of containment.

No credit is taken for operator recovery actions to manually close failed valves. Manual actions were considered on a case by case basis. Test, inspection and maintenance were not considered to have a significant impact on the system unavailability. Operator error was not quantified for this analysis.

Common cause failure was considered for the two motor operated valves on the reactor coolant pump seal return line, CS-V167 and CS-V168. A beta factor of 0.0423 was used to quantify their common cause failure to close in response to a containment isolation signal. No other common cause failures were considered in the analysis.

The analysis of the CIS was performed for the 6 conditions listed below:

1) Both Train A and Train B Containment Isolation Signals Present
2) Only Train A Containment Isolation Signal Available, No Loss of Offsite Power
3) Only Train B Containment Isolation Signal Available, No Loss of Offsite Power
4) Only Train A Containment Isolation Signal Available, Loss of Offsite Power
5) Only Train B Containment Isolation Signal Available, Loss of Offsite Power
6) No Containment Isolation Signal Available.

Condition 6 is also applicable to no AC power, no DC power or combinations of failures that result in failure to operate redundant MOVs or SOVs.

The results of the SSPSA analysis for the 6 conditions given above are shown in Table 3.4.12-1. In our review of their quantification, we recalculated the system unavailabilities using the mean data given in SSPSA Table D.13-5 and their failure expressions. Our calculated values are also given in Table 3.4.12-1.

3.4.12.3 COMMENTS

The analysis performed for the containment isolation system is valid, accurate and complete.

Table 3.4.12-1 Containment Isolation System Unavailabilities

                                                     UNAVAILABILITY (mean, per demand)
CONDITION                         FAILURE CAUSE      SSPSA VALUE      OUR ESTIMATE

1) All signals present            Hardware           1.17E-4          8.38E-5
                                  Common cause       1.82E-4          1.82E-4
                                  Total              2.99E-4          2.66E-4

2) Loss of Train B signal,        Hardware           1.08E-2          1.06E-2
   offsite power available        Total              1.08E-2

3) Loss of Train A signal,        Hardware           1.05E-2          1.05E-2
   offsite power available        Total              1.05E-2

4) Loss of Train B signal,        Hardware           9.16E-3          9.16E-3
   loss of offsite power          Total              9.16E-3

5) Loss of Train A signal,        Hardware           9.16E-3          9.16E-3
   loss of offsite power          Total              9.16E-3

6) No containment isolation       Hardware           1.00             ...
   signal                         Total              1.00             ...

3.4.13 CONTROL ROOM COMPLEX HEATING, VENTILATION, AND AIR CONDITIONING

3.4.13.1 SYSTEM DESCRIPTION

The function of the control room HVAC system is to maintain the control room temperature between 70 and 76 Deg.F. and to retain airborne particulates and radioactive iodine during accident conditions (S signal). The system consists of two redundant trains, each having a makeup air fan supplying the common emergency cleanup filter, an emergency cleanup fan, and an air conditioning unit with condenser fan, compressor, and evaporator fan. There is also an exhaust fan, two air intakes, and numerous dampers. The emergency cleanup fans discharge filtered air into the control building mechanical room with no S signal present, and supply the discharge of the evaporator fans on an S signal. The evaporator fans of the air conditioning units supply the control room. One train is normally operating while the other stands by.

3.4.13.2 SYSTEM ANALYSIS

Four boundary conditions are quantified. An important addition to the analysis is the modeling of operator action needed to restore cooling for loss of offsite power or instrument air cases. It is assumed that the operator can provide adequate alternate ventilation by opening cabinet doors and using portable fans if AC power is available. Then system unavailability is the sum of the unavailabilities due to hardware, maintenance, and common cause, times the probability of operator failure. The operator failure probability is quantified as 2.68E-6.

  • Boundary Condition 1A: No S signal is required, and offsite power is available.

CRV-1A = 1.20E-10
Of the automatic system failure, hardware contributes 87%, maintenance 13%, for a total of 4.47E-5.

  • Boundary Condition 1B: No S signal is required, loss of offsite power or loss of instrument air.

CRV-1B = 2.68E-6
Since operator action is required to open discharge dampers and this action is not quantified (unavailability of 1.0) the automatic hardware failure probability is 1.0. The total system unavailability then equals the probability of operator error in establishing alternate ventilation.

  • Boundary Condition 2A: An S signal is required.

CRV-2A = 1.48E-4
Common cause contributes 80%, hardware 18%, and maintenance 1%. Only the unavailability of the emergency cleanup function is quantified here.

  • Boundary Condition 2B: An S signal is required and loss of one electric power bus.

CRV-2B = 2.08E-3
Maintenance contributes 53%, hardware 47%. Again only the unavailability of the emergency cleanup function is quantified.

3.4.13.3 COMMENTS

Two types of operator actions are identified: (1) manually starting the standby ventilation train or opening discharge dampers; and (2) establishing alternate ventilation with portable fans when both trains are unavailable. Only the second operator action is quantified, while the failure probability of the first is arbitrarily set to zero for boundary conditions 1A, 2A, and 2B, and set to 1.0 for boundary condition 1B. This treatment is inconsistent. For example in case 1B, it is assumed the operator fails to restart normal ventilation after a loss of offsite power, but the failure probability of the operator providing alternate ventilation is quantified. In case 1A, the failure probability of the operator to start the backup train should the operating train fail is not quantified (effectively zero), while alternate ventilation failure is again included. Case 1A is inconsistent with Case 1B.

The other systems analyzed in the SSPSA did not quantify operator actions to recover failed equipment. However, these systems had automatic starting capability for their backup trains. Since the backup train in the control room HVAC system does not start automatically, no credit should be taken for it unless the needed operator actions are also quantified. Were this done, the unavailability for cases 1A, 2A, and 2B would increase, while the case 1B result would decrease.

This SSPSA analysis provided results sufficiently low so that the frequency of control room HVAC system failure was not considered to have a significant effect on plant or operator response. Therefore, this system does not appear in any further analysis. Correcting the treatment of operator failure quantification is not likely to change this conclusion.

4.3 AIRCRAFT CRASH ANALYSIS

Air traffic due to several airports and landing facilities near the Seabrook site is analyzed in the SSPSA. Included are the nearby Hampton Airport, the Wheelabrator-Frye corporate helipad, the Plum Island Airport, the Pleasant View Airport, and Pease Air Force Base, as well as two major airports within 50 miles of the site, Grenier Field (Manchester, NH) and Logan Airport (Boston). Also included are federal airways and direct aircraft routings near the site. These air traffic sources are analyzed to determine the annual number of operations of each type of aircraft to or from each airport or along each airway.

Using statistics for approximately a 10-yr period, inflight crash rates per aircraft mile flown were calculated for U.S. air carriers (1.51E-9 mean), and for U.S. general aviation aircraft (single engine mean 2.28E-7, multiple engine mean 7.23E-8). Crash rates per hour for the applicable military aircraft were calculated with means ranging from 2E-5 to 3E-6 for various types.

The frequencies of aircraft crashes into different structures of the plant are then calculated through the summation, over all types of aircraft and nearby flight paths, of the products of the number of operations of aircraft, the crash rates, the distances traveled by the aircraft while the plant site is within its potential impact area, and the probabilities of hitting a particular structure given that the aircraft accidents are near the site.

The targets considered for aircraft crash include the containment building, the primary auxiliary building, the control building, the diesel generator building, the tank farm, the service water pumphouse, and the fuel storage building. A structure fragility analysis concluded that the containment is vulnerable only to aircraft weighing more than the 81,800 pounds of the FB-111A military aircraft, and the other critical structures can withstand the impact of general aviation aircraft up to 12,500 pounds. Therefore general aviation aircraft can damage only unprotected safety related equipment which the RWST. It is concluded that any accident scenario resulting from the crash of a general aviation aircraft could not cause core melt.

A crash of a large aircraft on the containment is assumed to cause a large LOCA and is quantified in the plant model with a mean impact frequency of 1.21E-8 per year. A crash into the control building would cause core melt and is quantified with a mean impact frequency of 1.39E-7 per year. A crash into the primary auxiliary building causes core melt due to loss of primary component cooling, and is quantified with a mean impact frequency of 2.00E-7 per year. Loss of the service water system is not quantified because of the cooling tower backup. Loss of the diesel generators is not quantified because a loss of offsite power is also needed for core melt.

In summary, the SSPSA presents a complete and thorough analysis of potential aircraft crashes, and their conclusions appear to be reasonable.

3.5 HUMAN FACTORS

The SSPSA evaluated a number of operator actions required for plant safety under various conditions. The analysis technique used was operator action trees (OATs). This section presents the results of our review of this analysis from the standpoint of technique and application.

3.5.1 General Comments on the Human Factors Analysis

The OAT technique was used to represent the various human actions evaluated. Although we have a number of specific comments which are discussed in the following section, in general, the trees developed were reasonable representations of those actions. One important exception exists in the area of cognitive error analysis (the diagnostic/decision making phase of operator response, as opposed to the procedural/performance phase which was generally handled appropriately). The analysis did not properly account for operator confusion resulting in his taking totally inappropriate action. Although the study discusses this aspect of operator action, and provides an operator confusion matrix for the operator believing that the plant is experiencing a particular initiator when it is not, the analysis is not carried to its logical conclusion. In most cases, the SSPSA analysis treats the operator misdiagnosis only when he is required to take a specific action in a given situation and fails to recognize it. This is an "error of omission" by the operator; i.e., he fails to take an action when one is required. The SSPSA does not, however, treat the case of misdiagnosis causing the operator to take an action when none is called for; i.e., an "error of commission". For example, the SSPSA treats operator misdiagnosis during a transient where there is a potential for pressurized thermal shock (PTS). In this case, the operator misdiagnosis implies that he believes the transient to be progressing on a normal course, with proper turbine trip, and he fails to take action to prevent PTS. However, the SSPSA does not treat operator misdiagnosis during a small LOCA where the operator believes that it is only a transient caused by an inadvertent safety injection signal and he terminates high pressure injection when the correct action would have been to do nothing. This type of operator error should have been included in the analysis, and specific instances where it applies are discussed in the next section.

Another general problem appears in the area of the time available to take various actions. In many cases, the time frames utilized are not justified by either analysis or reference to other PRAs. While this does not have any effect on the structure of the OATs, it will affect their quantification since diagnosis is a function of time available to the operator. Specific problems in this area are discussed in the next section.

The final general problem pertains specifically to the quantification of the OATs. The SSPSA does not make clear how the trees were quantified, especially with respect to the values used for each branch on the trees. A data base is included by reference, but there is insufficient information to determine precisely what values were used in specific situations and how they may have been modified. Thus, the results of the OAT analysis are not easily reproducible, which leads to some doubt about the validity of the SSPSA results. The individual values used for each branch of the tree should have been provided, along with a justification for their use. Otherwise, verification of any of the final results requires a completely new requantification of each OAT based on a new assessment of applicable data for each action on the trees.

3.5.2 Specific Comments

This section presents our review results for the individual human actions analyzed or which should be added. It describes specific changes which we consider necessary to properly evaluate human factors contributions to plant damage state frequency. It is extremely important to note that the procedures which pertain to the operator actions reviewed were not provided to us, although we requested them from PSNH through the NRC. Our review is therefore necessarily constrained by the fact that we were unable to examine the source of the OAT analysis. In the absence of that information, we used our own experience with similar plants and the Seabrook systems analysis, along with information acquired during a plant tour and simulator session, to make judgements concerning the likely content of those procedures.

3.5.2.1 Operator Actions RT and OH

These actions pertain to operator response to ATWS events. Event RT represents the operator manually tripping the reactor from the control room and event OH represents the operator effecting shutdown over a longer time period when trip fails and the plant survives the initial pressure spike. These events are both modeled on one OAT.

The analysis assumes that the manual trip function must be performed within one minute, which we judge to be reasonable based on other PRAs and analyses of the time available to reduce the pressure spike. However, the analysis treats the manual trip action improperly. The tree shows the manual action following "operator checks indication" and "operator performs diagnosis", and further, failure of either of these steps fails the subsequent action OH in addition to RT. We disagree with two parts of this analysis. First, the manual trip action is a normal backup response for the operator. He does not evaluate the indications or make a diagnosis, but rather responds automatically to the obvious plant upset without evaluating the precise situation. Second, failure of a diagnosis early in the event should not preclude the eventual shutdown of the reactor by event OH at a later time; i.e., RT and OH should not be completely dependent events as shown on the tree. Thus, the "manual trip" step should appear first, prior to diagnosis. Given failure of this event, the question should then be asked about indications and diagnosis, followed by actions to shut down by event OH. The value selected for the quantification of manual trip should be based solely on instinctive response, as opposed to diagnostics, and thus should have a significantly lower failure probability than cognitive errors in the one minute time frame. It is also important to note, as discussed in Section 3.2.2.9, that this manual trip action applies only to RPS failures in the electrical part of the system. Mechanical failures cannot be recovered in the one minute time frame.

The SSPSA evaluated event OH based on a need to take action to shut down the reactor, essentially through emergency boration, within ten minutes. We discuss in Section 3.2.2.9 why this is overly conservative and explain our justification for assuming a time frame of at least 60 minutes. Thus, the OAT should be quantified based on a diagnosis time of 60 minutes, rather than the ten minutes used in the PSA. The only exception to this is the case where a small LOCA occurs along with the ATWS, in which event a 20 minute time frame should be used.

3.5.2.2 Operator Actions OD1 and OD2

The OAT used to represent these two actions, which represent operator depressurization for LOCAs when HPI fails in order to utilize LPI cooling, is a reasonable representation of the acts required. We disagree, however, with the allowable time frame for OD2, which applies to all cases except medium LOCA. The time frame of one hour used in this case is contradictory to assumptions used in most past PRAs which allow only 30 minutes for action. Since the SSPSA offers no justification or analysis for the longer time frame, it is our opinion that 30 minutes should be used for all cases. This means that there is no reason for event OD2, since the only difference between the two actions is the time frame.

3.5.2.3 Operator Actions OM and OP

The SSPSA treats the actions OM, operator controls feedwater flow following turbine trip failure (potential PTS event), and OP, operator stabilizes HPI given he has controlled feedwater, on two separate OATs. We believe, as discussed in Section 3.2.2.1, that this should be considered as a single action, that of the operator preventing PTS, and it should have been modeled on a single tree. Thus, our first comment is that the OP tree should be appended to the OM tree on each branch for which ultimate success, prevention of PTS, is possible. Prior to doing this, however, the diagnosis event on the OP tree should be removed since the contention that this is one action implies that only one diagnosis is required. This combined tree would still require changes due to problems with the individual trees as they now stand. The remainder of this section is concerned with these specific problems.

On the OM tree, complete termination of auxiliary feedwater flow by securing both pumps is considered acceptable except in one case where if the MSIVs are open, boil dry is assumed. However, on another part of the tree where there is a branch for pump termination, the MSIVs are not even considered and an acceptable state is assumed. This structure results in two parts of the tree which contradict each other. In any case, it is not apparent how the MSIV position would make any difference. There will always be a need for feedwater flow to prevent a boil dry, since the steam generator SSR valves will lift to release steam to the atmosphere. Complete termination of feedwater is the same as failure of all feedwater in the first place, so that these branches on the tree should always lead to boil dry. Further, since the position of the MSIVs has no effect on the outcome, that event should be removed from the tree.

Two unacceptable conditions are represented on the OM tree, overcooling and boil dry. However, these two conditions are both assigned to end state 2. This implies that these two results are considered equivalent in the SSPSA, which is incorrect. The occurrence of boil dry is the same as that which would occur during a total loss of feedwater sequence, and should be considered to result in a core melt. We would give no credit in this case for initiating bleed-and-feed cooling since it is unlikely that the operator would recover from his initial error by establishing this cooling mode.

Overcooling, on the other hand, does not lead to loss of feedwater and core melt but only to the potential for PTS to occur. This is obviously a much less severe condition. Therefore, boil dry and overcooling should have been treated as separate end states leading to different event sequences.

For the OP tree, as stated previously, the diagnosis phase is no longer required. Initial consideration of this event should be handled at the beginning of the combined tree, and failure would result in PTS if all hardware systems function. This also addresses another of our concerns, which is end state 4, ask bleed-and-feed. The SSPSA states indirectly that failure to control HPI results in a bleed-and-feed condition due to lifting of the PORVs due to charging pump flow. This is not a true bleed-and-feed situation, and has nothing to do with the outcome of the sequence. The sequence result depends only on the availability of feedwater and whether or not the PTS results in vessel rupture. If feedwater is available and vessel rupture does not occur, the plant will be sufficiently cooled whether or not HPI is on, off, or controlled.

The remainder of the tree appears to be relatively satisfactory with the goal apparently being to distinguish between proper flow reduction and too much flow reduction. Another choice, insufficient flow reduction which would result in PTS, should be added. This would represent the case where the operator correctly decides to take action but fails to prevent PTS anyway. We also question the need for the branches on the "SI not required" part of the tree which lead to hardware failure, since the failure of pumps that are not required has no effect on the final result of any accident sequences. Thus, these branches are redundant and should be removed.

The failure branches on the OP tree (end state 3) properly represent operator errors resulting from the operator confusion with regard to believing he should be stabilizing HPI when he should not. It is proper to consider these errors; however, the SSPSA analysis does not make it clear if this is properly handled in their final analysis. The discussion implies that this end state is added to system failure for certain initiating events based on potential operator confusion, but no explanation is provided to describe how this is done and precisely where it is applied and why. We doubt that this was done correctly, based on our review. An example of one place where we believe this concept should be applied is the case of a small LOCA with both EFW and HPI operating, so that the plant appears stable and the operator concludes that he has something like an inadvertent HPI or an overcooling transient. He therefore takes action to control or terminate HPI and does not realize his error until it is too late. This would result in a core melt sequence represented by the failure of HPI.

3.5.2.4 Operator Action ON

As discussed in Section 3.2.2, this action need not be considered for any case except for delaying core melt in conjunction with LPI for RCP LOCAs induced by loss of seal cooling. In this case the action required is essentially identical to action OD1, so that the analysis of a separate action ON is not required.

3.5.2.5 Operator Action OR

The OAT representing this action, the operator initiates bleed-and-feed cooling, is a reasonable representation of the acts required. Most previous PRAs have assumed that with loss of all feedwater, which is when bleed-and-feed would be required, core damage starts at 30 minutes if a LOCA exists and at one hour for transients. The SSPSA allows two hours to initiate bleed-and-feed cooling, apparently for all cases. Since the SSPSA does not provide any justification or analysis for its assumption, we believe that the above mentioned shorter time frames, based on event timings for similar plants, should apply.

3.5.2.6 Operator Actions for Recirculation (03, LR, HE, HS)

All of these actions, which represent some realignment of the ECCS systems during the long term of an event sequence, are modeled on a single OAT. The SSPSA made this choice because they made the judgement that, while the precise actions required and the time available were different, the actions were identical in a general sense. We agree with this point.

We do not agree, however, with the need for all of these actions. Action LR represents realigning RHR for long term cooling of the core in the RHR mode (suction from the RCS as opposed to the containment sump). As discussed in Sections 3.2.2.1, 3.2.2.2, and 3.2.2.8, the credit given to this mode of cooling to render recirculation unnecessary is not justified. Therefore, action LR is not required. Actions HE and HS represent realigning recirculation for hot leg injection about 20 hours into an event. The two actions represent different system availability conditions. As discussed in Section 3.2.2.5, we believe this action not to be required. This leaves only action 03, which represents realignment of the ECCS to provide high pressure recirculation.

The OAT constructed for this event is a reasonable representation of the actions required; however, it appears that it was not actually utilized in the quantification. The SSPSA assumed that this action is dominated by an error of omission in performing the procedure, so a simple calculation was performed for this type of error and the result was used to represent the entire action. This is one of only a few cases in the SSPSA where it is possible to reproduce precisely what went into the quantification of a human error probability, and it is the only case which utilized an OAT.

The position that this error of omission dominates is arguable, since there is also the possibility that the operator picks the wrong time to perform the action, or makes an error of commission in its performance. These errors should have been included in the quantification (they are accounted for on the OAT).

Furthermore, the quantification contains an error in it. The SSPSA used data directly from NUREG/CR-1278 [Ref. 3.5-1], from a table which pertains to errors of omission in the use of procedures. In the quantification of the action, the SSPSA assumes that a high level of dependency exists between the two operators in the control room. The table they cite, however, states that if the procedure is used correctly (one operator reading the procedure with another operator performing the checking), complete dependency should be used. Based on tapes of simulator exercises which we viewed during a plant visit to Seabrook, this is precisely how the procedures are carried out.

l Thus, complete dependency should have been used. Further, it appears that the , (: l actual reading is done by the shift supervisor while each operator performs actions on a different part of the control board. This means that the complete dependency should also be extended to include the shift supervisor. l The SSPSA assumes moderate dependency between the shift supervisor and the operators. The only person not directly involved may be the shift technical advisor, who is free to make independent checks during the performance of the procedure. He can probably be assigned a low, or possibly even zero, level of t dependency rather than the moderate which is used in the SSPSA. In any case, - since the shift supervisor is apparently directly involved in the performance of the procedure and the shift technical advisor is not, they should not have been assigned the same level of dependency. As stated previously, this action is the only operator action in the SSPSA modeled by an 0AT for which the quantification is presented in sufficient detail to reproduce the result. We can only postulate regarding the other actions, but have to assume that the other actions have similar errors in their quantification in the area of dependencies between members of the control room crew. 3.5.2.7 Operator Actions for SGTR (0E, AI, OP41, OP42, OPS 1, OPS 2, 0G) l The SSPSA does not provide OATS for these actions. The actions themselves are too broken up to be useful. OE represents diagnosis of the SGTR, AI , represents isolation of a stuck open secondary ARV, the OP actions represent operator depressurization of the primary under differenc system availability conditions, and OG represents isolation of the faulted steam generator. Tnese 3.5-11

actions should be combined onto a single 0AT which models operator response to SGTR. It would have various conditionals wnich would represent the system availability and indicate acceptable success paths for these conditions, along with various end states. We also disagree with the time frames allotted for the actions involved. The SSPSA uses very short time frames, on the order of 30 minutes. In fact, it is only necessary to reduce pressure and terminate break flow prior to depletion of the RWST, which we would expect to occur on the order of 6 hours after trip - if charging flow is not controlled, based on information provided in Appendix B of the SSPSA. This time frame could probably be extended to perhaps 18 hours if credit is taken for the use of recirculation to utilize water lost to the sump through the PORVs. The longer time f.*ame available should be accounted for. Tnere is also some confusion regarding the nomenclature for these actions. The SGTR event tree has two events, OR and OD, which represent operator actions to control break flow. The OR event has only a passing resemblance to the event OR discussed in Section 3.5.2.5; in this case it represents events OP41 and OP42. Similarly, event OD on the tree also has only a passing resemolance to the event OD discussed in Section 3.5.2.2; in this case it represents events OPSI and OPS 2. 3.5.2.8 Operator Action EFR This action represents recovery of the turbine driven emergency feedwater pump during station blackout conditions. An 0AT was not developed for this action, 3.5-12

and we agree that one is not needed. In essence, a detailed analysis of this recovery is not required for _a very simple reason: the failure to recover this pump will be dominated by failures that are not recoverable. The SSPSA analysis shows this with their value of about 1E-3 for the failure to recover. The use of a value of IE-2 or IE-4 would not change the result. Even a value of IE-1 would have only a very slight and statistically insignificant effect on the result. For this reason, we have not performed a critique of the SSPSA quantification of the operator error, and the failure rate can reasonably be approximated by simply subtracting the fraction of - failures which are recoverable from the total failure rate of the pump. On the other hand, the assumption of what percentage of the failures are recoverable has a greater effect on the result. The SSPSA assumes that one-half of the failures are recoverable. They state that this number is based on experience and plant data from similar units, but the data is not presented.

      -The worst case situation would be that no failures are recoverable and therefore the pump failure rate would be a factor of two greater than that
used in the SSPSA. Under station blackout conditions based on our revised
analysis of station blackout timing (see Sections 3.2.3.1 and 3.5.2.10), -

i recovery of EFW would only mean that the time for occurrence of core damage would be extended from one to two hours, giving an additional hour to recover electric power and avert core damage. - 3.5.2.9 Operator Actions SWR-1 and SWR-2 - l The SSPSA gives credit for recovery of service water cooling for two possible situations. SWR-1 represents recovering for the loss of main service water 3.5-13 i

flow by placing the backup service water cooling tower into operation. SWR-2 represents recovering from degraded cooling capability due to diversion of service water flow. In this case, failure to automatically isolate non-essential cooling loads is recovered by manually isolating these loads using a backup isolation valve. The SSPSA assumes that the time frames allotted for these recovery actions are based on the limits imposed by the SWR-1 condition, a total loss of cooling. This is somewhat conservative for the SWR-2 case but' not excessively so. The time frames utilized are 30 minutes for preventing failure of high pressure injection pumps and 4 hours for preventing core , damage. The 30 minute time frame seems reasonable but the four hours is suspect. Since loss of service water has a similar effect to loss of all AC power, at least from the standpoint of RCP LOCA and loss of high pressure injection, it should be treated similarly. Tnat is, failure to provide cooling to the core within two hours will result in core damage. The difference in this case is that cooling can be provided by secondary depressurization and low pressure injection. Thus, three time frames are appropriate. Recovery within 30 minutes prevents any failures. Recovery within two hours means high pressure injection failure and RCP LOCA requiring use of LPI cooling. Recovery in the long term (6-8 hours) means core damage can be avoided by recovering recirculation cooling. The SSPSA provides no analysis for this action. There is no 0AT and the final ! answer is giveen without any justification or explanation. This action is not like EFR in that the failures of service water including recovery may not be dominated by non-recoverable failures. A more detailed analysis of this action is warranted. j 3.5-14 ( , l

   -. .                                                           -      -                  _ =

3.5.2.10 Operator Action EPR

This action represents recovery of electric power following station blackout. The SSPSA provides an impressive detailed analysis that takes into account: (a) loss of offsite power at various times following the initiating event, (b) loss of onsite power at various times following loss of offsite power, and (c) recovery of both offsite and onsite power. The analysis demonstrated that station blackout is dominated by loss of offsite power at t=0, which did not come as a great surprise to us, since it has always been an assumption of previous PRAs. We did not perform a detailed review of the part of the methodology concerned with the subsequent consequential losses of offsite power because, in our judgement, they could not become important. This greatly simplified our review.

The major problem with the remainder of the analysis rests with the time frames utilized. As discussed in Section 3.2.3.1, much credit is given to the ability of the RCP seals to maintain a low leak rate for extended periods of time under blackout conditions, and we consider this credit to be unjustified. The SSPSA assumes that if auxiliary feedwater is operating, the time available for recovery of AC power is 13.5 hours, based on their analysis of core uncovery due to RCP LOCA. If auxiliary feedwater is failed, this time frame becomes either 2 hours (if the operator fails to shed battery load to extend battery life), or 4 hours (if battery life is conserved). The SSPSA also assumes that diesels can be recovered only while the batteries are still functioning and that offsite power can be recovered at any time. As we have stated earlier, core damage will begin at two hours if auxiliary feedwater is available (see Section 3.5.2.5) and at one hour if it is not (see Section 3.2.3.1). Thus, the time frame for preventing core damage is much shorter and battery lifetime in this case is not important. Recovery of electric power in the longer term may be important to containment failure mode, and in this case battery lifetime plays a more important role. However, we believe that no credit should be given for the recovery of offsite power after the batteries are depleted, since control power to breakers, switchgear and other instrumentation circuits will have been lost, and significant "heroic" action will be required to restore offsite power to the plant. Thus, the assumption should have been made that the failure to restore any AC power to the plant prior to battery depletion results in a "permanent" loss of all AC power.

Recovery of AC electrical power in the long term affects containment failure mode since the power recovery will allow recovery of containment cooling functions. In this case, battery depletion would play a key role in the ability to recover offsite power. The SSPSA considers three cases for battery depletion, at 2 hours, 5.5 hours, and 9.5 hours. The 2 hour time frame represents the licensing requirement for full load-carrying capability and assumes no action on the part of the operators to manually shed load to extend battery lifetime. The longer lifetimes are based on utility analysis of the effects of operator action to shed two levels of load based on proposed station blackout procedures. The 2 hour time frame is most likely conservative since the conservatisms built into licensing criteria to assure that the 2 hour capability is positively met also assure that the realistic capability is certainly longer. Similarly, these conservatisms most likely would also have an effect on the longer time frames, further lengthening them. Overall, however, the numbers are approximately what we would expect based on the detailed analysis performed for NUREG/CR-3226 [Refs. 3.5-2 and 3.5-3].

In the detailed analysis [3.5-3], surveys and interviews of a number of utilities were conducted, and reviews were performed of LERs, analyses of LERs, and other relevant documentation. Battery lifetimes for all plants included in this review ranged from 2-16 hours. A large majority were in the 4-6 hour range, and most of these were clustered around 5-6 hours. The long lifetimes (up to 16 hours) resulted from detailed analyses which used realistic loads and took credit for the operator following a procedure to accomplish load shedding. The very short (2 hour) lifetimes took no credit for load shedding and tended to occur in older plants with undersized batteries. This information provided the basis for selecting five hours as a reasonable estimate for battery life. It was supported by a sensitivity analysis that showed battery lifetimes as short as 2 hours, or as long as 12 hours, generally had very little effect on core melt frequency.

The SSPSA, as stated above, used three different battery lifetimes (2, 5.5, and 9.5 hours). They assigned split fractions of 0.05, 0.80, and 0.15 respectively, to these lifetimes. This assignment was arbitrary and not based on any analysis of the operator actions required, and no justification was provided for these values. We believe that an OAT should have been developed with three end states representative of the three potential lifetimes. We hasten to point out that the battery lifetime values used appear to be very conservative. For example, if we assume that the operator has about one hour to perform load shedding to extend battery lifetime to 5.5 hours (a reasonable assumption based on the depletion analysis), and apply a screening value based on the time dependent cognitive error model presented in NUREG/CR-2815 [Ref. 3.5-4], the result is a probability of the operator failing to shed load of 0.001. Thus, the split fraction for the two hour depletion time (no action) should be on this order, which is a factor of 500 lower than the value used. As stated previously, we believe an OAT should be constructed to represent the proper actions; however, the applicable procedures were not provided to us so that it was not possible for us to construct one.

In its analysis, the SSPSA included the possibility that the station blackout condition could occur at some time following the initial loss of offsite power due to failure of the diesels to continue running. In general, the analysis of this condition was well done, but the previously stated time frame problems have a profound effect on the results. However, we would not expect failures to run occurring past the two hour time frame to have much of an effect on the final results and thus the corrections needed to the model would be minimal.

We reviewed the recovery factors used in the SSPSA for recovery of offsite power and recovery of diesel generators and compared them to the data sources most often used in the analysis of recovery in previous PRAs. The offsite power recovery curve compared very favorably with the data for the Northeast Power Coordinating Council, the region where Seabrook is located, as presented in EPRI NP-2301 [Ref. 3.5-5]. The diesel generator recovery curves were quite optimistic when compared to information presented in NUREG/CR-3226 [Ref. 3.5-2], at least in the short term (the first four hours). The SSPSA values are claimed to be based on LER data and EPRI NP-2433 [Ref. 3.5-6], combined with consideration of auxiliary operator response time to reach the diesel room. In the absence of the information necessary to reconcile the differences in the data from these two sources, we would be inclined to use the more conservative data in the initial quantification and perform a sensitivity analysis to determine if the SSPSA values would have a significant effect on the overall AC power recovery curve.
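The dependency critique in Section 3.5.2.6 can be worked through with the dependence equations of NUREG/CR-1278, the handbook the SSPSA cites. The following is an added example, not part of the original review or of the SSPSA: the basic HEP of 3E-3 is a constructed value, and applying one basic HEP to every crew member is a simplifying assumption.

```python
# Added illustration (not from the review or the SSPSA): the five dependence
# levels of NUREG/CR-1278 applied to the control room crew roles discussed in
# Section 3.5.2.6. All numeric inputs are constructed for the example.

# Conditional HEP of a crew member given that the preceding crew member has
# already failed; n is that member's basic (independent) HEP.
DEPENDENCE = {
    "zero": lambda n: n,
    "low": lambda n: (1 + 19 * n) / 20,
    "moderate": lambda n: (1 + 6 * n) / 7,
    "high": lambda n: (1 + n) / 2,
    "complete": lambda n: 1.0,
}

BASIC_HEP = 3e-3  # constructed value for omitting a procedure step

# Dependence assignments as described in Section 3.5.2.6.
SSPSA = {
    "second operator": "high",
    "shift supervisor": "moderate",
    "shift technical advisor": "moderate",
}
REVIEW_STA_LOW = {
    "second operator": "complete",
    "shift supervisor": "complete",
    "shift technical advisor": "low",
}
REVIEW_STA_ZERO = dict(REVIEW_STA_LOW, **{"shift technical advisor": "zero"})


def conditional_hep(basic_hep, level):
    """Conditional HEP for one crew member at the given dependence level."""
    if not 0.0 <= basic_hep <= 1.0:
        raise ValueError("HEP must be a probability")
    if level not in DEPENDENCE:
        raise ValueError(f"unknown dependence level: {level!r}")
    return DEPENDENCE[level](basic_hep)


def crew_omission_probability(basic_hep, dependence_by_role):
    """Probability that the first operator omits the step and that no other
    crew member recovers it, given each role's dependence level."""
    p = basic_hep
    for level in dependence_by_role.values():
        p *= conditional_hep(basic_hep, level)
    return p


def compare(basic_hep=BASIC_HEP):
    """Crew-level omission probability under each set of assignments."""
    return {
        "SSPSA": crew_omission_probability(basic_hep, SSPSA),
        "review, STA low": crew_omission_probability(basic_hep, REVIEW_STA_LOW),
        "review, STA zero": crew_omission_probability(basic_hep, REVIEW_STA_ZERO),
    }


if __name__ == "__main__":
    for name, p in compare().items():
        print(f"{name:18s} {p:.3e}")
```

With these constructed inputs the result is sensitive mainly to the credit given to the shift technical advisor: complete dependency for the operators and shift supervisor raises the crew-level value when the advisor is assigned low dependency, and lowers it when the advisor is assigned zero dependency.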

References for Section 3.5

3.5-1 NUREG/CR-1278, Swain, A.D., et al, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, September 1980.

3.5-2 NUREG/CR-3226, Kolaczkowski, A.M., et al, Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44), May 1983.

3.5-3 Personal Telephone Communication, A.M. Kolaczkowski to P.J. Amico, October 1984.

3.5-4 NUREG/CR-2815, Papazoglou, I.A., et al, Probabilistic Safety Analysis Procedures Guide, January 1984.

3.5-5 EPRI NP-2301, Loss of Offsite Power at Nuclear Power Plants: Data and Analysis, March 1982.

3.5-6 EPRI NP-2433, Diesel Generator Reliability at Nuclear Power Plants: Data and Preliminary Analysis, June 1982.

3.6 FAILURE DATA

This section presents the results of a review of the failure (and unavailability) rates used in the SSPSA. The review consisted of: (1) comparison of the individual random component failure rates with similar rates from other sources, and (2) review of system failure probabilities and unavailabilities. The subjects are considered in separate subsections, following.

3.6.1 RANDOM COMPONENT FAILURE RATES

The SSPSA provides a discussion of random component failure rates in Section 6 (Data Analysis). This section provides a good discussion regarding the use of data and the derivation of failure rates. The actual failure values for some 60 components are provided in SSPSA Table 6.2-1.

The derivation of the SSPSA Table 6.2-1 values is said to be based on applicable data sources, adjusted for application to the Seabrook plant. However, the actual derivation of the values and data sources, and adjustments employed, are not given. Instead, for these details, reference is made to two reports (6.1-1 and 6.2-14), both of which are indicated as PLG proprietary, and no report titles or dates are provided. These reports were not made available for this review.

In order to arrive at a judgment regarding the validity of the SSPSA random component failure rates, the 60 entries in SSPSA Table 6.2-1 were compared with 12 other data sources. These sources consist primarily of failure rates generated by the NRC and its contractors. However, for added perspective, data from two industry-sponsored PRAs were also added. These two PRAs, for the Zion and Millstone Unit 3 plants, were selected because both are for Westinghouse PWRs (similar to Seabrook). Further, in one case (Zion) the PRA was produced by the same organization (PLG) which performed the SSPSA. The Millstone Unit 3 PRA, on the other hand, was performed by Westinghouse, and the data sources and derivations are also claimed to be proprietary.

This comparison does not imply that any of the data used for comparison is considered more valid or robust than the SSPSA data. Rather, the comparison is used for screening purposes to identify any SSPSA rates which appear to be inconsistent with other sources. If such inconsistencies are found, an attempt is made to determine the reason for the inconsistency, and at the same time an assessment is made to determine if the inconsistency is likely to have a significant impact on the overall SSPSA risk results. The impact of component failure rates on system unavailabilities is evaluated in Section 3.6.2 following.

Table 3.6-1 provides the comparison between the SSPSA values and other data sources. The first column describes each of the 60 components considered in the SSPSA. The second column provides the failure mode, and the third column is the mean value used in the SSPSA. Mean values were generally used in the SSPSA as described on Page 6.2-21. (All values in Table 3.6-1 are mean values except WASH-1400 which are median). These first 3 columns are identical to those in SSPSA Table 6.2-1. The fourth column provides the ratio of the mean to median SSPSA values, both of which are provided in SSPSA Table 6.2-1. This column is included here to provide an indication of the skewness of the

Table 3.6-1 COMPARISON OF COMPONENT FAILURE RATES

Component Description / Failure Mode  SEABROOK Mean*  Mean/Median  NREP/IREP [1,2]  WASH-1400 (Median) [3]  LER Derived  EG&G [6]  Zion PSS [7]  Millstone 3 PSS [8]  Other

1. Normally Operating Motor-Driven Pump
   Fail to Start on Demand  2.35E-3/d  1.6  4E-3(1,2)  1E-3(2)  2E-3 [4]  1E-3  7.21E-4(2)  1.34E-3  5.JL J[1) [29]
   Fail During Operation  3.36E-5/h  2.1  1E-5(2)  3E-5(2)  3E-5 [4]  1E-5  1.32E-6  2.47E-5(5)  2.7E-5( 7)  (2,3)  [29]

2. Standby Motor-Driven Pump
   Fail to Start on Demand  3.29E-3/d  2.0  4E-3(1,2)  1E-3(2)  4E-3 [4]  7.21E-4(2)  1.34 to 5E-3(4)  5.7E-3 [29]
   Fail During Operation  3.42E-5/h  1.9  1E-5(2)  3E-5(2)  1E-5 [4]  0.25 to 1.55E-5(4)  1.69 to 6.9E-5(4)

3. Turbine-Driven Pump
   Fail to Start on Demand  3.3t E-2/d  1.3  4E-2(1,2)  1E-2 [4]  1E-2  2.29E-2  2.58E-2  1.1E-2 [29]
   Fail During Operation  1.03E-3/h  2.4  2E-5(2)  5E-5 [4]  1E-5  7.63E-6  6.15E-4  1E-4 [29]

4. Ventilation Fan
   Fail to Start on Demand  4.84E-4/d  1.6
   Fail During Operation  8.89E-6/h  1.3

5. Cooling Tower Fan
   Fail to Start on Demand  2.93E-3/d  1.8
   Fail During Operation  7.89E-6/h  1.3

6. Control Room Ventilation Chiller
   Fail to Start on Demand  8.07E-3/d  1.6
   Fail During Operation  9.44E-5/h  1.3

7. Air Compressor
   Fail to Start on Demand  3.29E-3/d  2.0
   Fail During Operation  9.81E-5/h  2.6

8. Motor-Operated Valves
   Fail to Operate on Demand  4.30E-3/d  1.5  4E-3  4E-3 [5]  1E-3  1.55E-3  0.95 to 2.6E-3(6)
   Transfer Open/Closed  9.27E-8/h  1.8  1E-7(open), 2E-7(closed)  1E-7(open)  3.14E-8  0.46 to 1.6E-5(open), 2.15E-6(closed)
   Fail to Close on Demand  1.07E-4/d  1.4

Notes:
* Rates are designated /d (per demand) or /h (per hr)
Exponential notation; 2.5E-3 = 2.5 x 10^-3
[ ] Designates reference
( ) Designates footnote
(1) Demand rates derived from operational rates assuming monthly testing
(2) Rates not segregated for normally operating or standby pumps
(3) Rate used for service water pumps
(4) Range of rates for various standby pumps (RHR, AFWS, St., CS)
(5) For service water pumps
(6) Range of values depending on system (CS, CVCS, ESF)
(1) For "alternating" pumps

Table 3.6-1 (Cont.) COMPARISON OF COMPONENT FAILURE RATES

Component Description / Failure Mode  SEABROOK Mean*  Mean/Median  NREP/IREP [1,2]  WASH-1400 (Median) [3]  LER Derived  EG&G [6]  Zion PSS [7]  Millstone 3 PSS [8]  Other

9. Solenoid Valve (direct acting)
   Fail to Operate on Demand  z.gJt-J/a  z.o
   Transfer Open/Closed During Operation  1.27E-6/h  1.6

10. Air-Operated Valve
   Fail to Operate on Demand  1.52E-3/d  1.4  4E-3(1)  3E-t  9E-4 [5]  1E-3  1.44E-3  4.6X-3  2E-3 [5](5)
   Fail to Transfer to Failed Position  2.66E-4/d  2.7
   Transfer Open/Closed During Operation  2.67E-7/h  2.4  1E-7(open), 2E-7(closed)  1.12E-7  4.3E-6(open), 1.37E-6(closed)

11. Electrohydraulic Valves (except TSV and TCV)
   Fail to Operate on Demand  1.52E-3/d  1.4
   Transfer Open/Closed During Operation  2.67E-4/d  2.4

12. Butterfly Temperature Control Valve
   Fail to Operate on Demand  1.52E-3/d  1.4  4E-3  2.64E-3
   Fail to Transfer to Failed Position  2.66E-4/d  2.7
   Transfer Open/Closed During Operation  4.20E-8/h  3.2  1E-7(open), 2E-7(closed)  1.5N-5(open), 2.15E-6(closed)

13. Check Valve (stop)
   Fail to Operate on Demand  9.13E-4/d  2.2  7E-5(1,3)  1E-4(4,3)  6E-5  1E-4(4,3)  4.2X-5  3.N-4(3)  1E-5(6,3)  (3,4)[5]  1E-5(6,3)  (3)
   Reverse Leakage (gross) During Operation  5.36E-7/h  1.7  1E-7(3)  3E-7(3)  5E-7 (3)[5]  1E-8(3)  8.38E-7 (2,3)  1.56E-5(2,3)
   Transfer Closed, Plug  1.04E-8/h  1.3

14. Check Valve (other than stop)
   Fail to Operate on Demand  2.69E-4/d  1.9  7E-5(1,3)  1E-4(4,3)  6E-5  4.3  4.23E-5  3.N-4(3)  (3,4)[5]  1E-4(6,3)  1E-3( )  (3)
   Reverse Leakage (gross) During Operation  5.36E-7/h  1.7  N-6(2,3)  3E-7(3)  5E-7(3)  1E-8(3)  8.38E-7  1.56E-5(2,3)  (3)[5]  (2,3)
   Transfer Closed, Plug  1.04E-8/h  1.3

Notes:
* Rates are designated /d (per demand) or /h (per hr)
Exponential notation; 2.5E-3 = 2.5 x 10^-3
[ ] Designates reference
( ) Designates footnote
(1) Demand rates derived from operational rates assuming monthly testing
(2) Failure to seat, excessive leakage
(3) Rates for check valves in general (not segregated between "stop" and "other than stop")
(4) Fail to open
(5) Includes command faults
(6) Fail to close

Table 3.6-1 (Cont.) COMPARISON OF COMPONENT FAILURE RATES

Component Description / Failure Mode  SEABROOK Mean*  Mean/Median  NREP/IREP [1,2]  WASH-1400 (Median) [3]  LER Derived  EG&G [6]  Zion PSS [7]  Millstone 3 PSS [8]  Other

15. Manual Valve
   Transfer Open/Closed Operation  4.20E-8/h  3.2  2E-7(closed), 1E-7(open)  5.28E-8(closed)  2.15E-6(closed), 4.9E-7(open)

16. Relief Valve (other than PORV or safety)
   Fail to Open on Demand  2.42E-5/d  2.6
   Premature Open  6.06E-6/h  1.5

17. Primary Safety
   Fail to Open on Demand  3.20E-4/d  2.8  1E-5  4E-3 [5]  1E-5
   Fail to Reseat After Steam Relief  2.81E-3/d  1.3  1E-2(1)  2.98E-3(1)
   Fail to Reseat After Water Relief  1.00E-1/d  1.2  1E-2(1)

18. PORV
   Fail to Open on Demand  4.27E-3/d  1.3
   Failure to Reseat on Demand  2.50E-2/d  1.3

19. Turbine Stop/Turbine Control Valve
   Fail to Operate on Demand  1.25E-4/d  1.3
   Transfer Closed During Operation  2.88E-5/h  2.7
   Transfer Open During Operation  1.24E-5/h  2.7

20. Pneumatic Damper
   Fail to Operate on Demand  1.52E-3/d  1.4
   Transfer Open/Closed During Operation  2.67E-7/h  2.4
   Fail to Transfer to Failed Position  2.66E-4/d  2.7

21. Fire Damper
   Inadvertent Actuation  4.20E-8/h  3.2

Notes:
* Rates are designated /d (per demand) or /h (per hr)
Exponential notation; 2.5E-3 = 2.5 x 10^-3
[ ] Designates reference
( ) Designates footnote
(1) For "failure to close, given open" (water or steam flow not considered)

Table 3.6-1 (Cont.) COMPARISON OF COMPONENT FAILURE RATES

Component Description / Failure Mode  SEABROOK Mean*  Mean/Median  NREP/IREP [1,2]  WASH-1400 (Median) [3]  LER Derived  EG&G [6]  Zion PSS [7]  Millstone 3 PSS [8]  Other

22. Back Draft Damper
   Fail to Open on Demand  2.69E-4/d  1.9
   Transfer Closed  1.04E-8/h  1.3

23. Heat Exchanger
   Rupture/Excessive Leakage During Operation  1.95E-6/h  1.5  3E-6  1E-9  1E-6  1E-6(tube)  (shell)  7.13E-7

24. Storage Tank
   Rupture During Operation  2.66E-8/h  2.7  4E-10  8E-10

25. Containment Building Spray Nozzle
   Plug During Operation  7.06E-8/h  2.4

26. Service Water Strainer
   Fail During Operation  6.22E-6/h  1.6  3E-5(1)  1E-5(1)  1E-5(1)

27. Ventilation Filter
   Plug  1.07E-6/h  2.7

28. Ventilation Louver
   Plug  1.07E-7/h  2.7

29. Pipe 3-inch Diameter
   Rupture (per section)  8.60E-9/h  9. 4E-9(2)  1E-9  4.56E-9  8.6E-9(2)  8.5E-9(2)  ( 2")

30. Pipe 3-inch Diameter
   Rupture (per section)  8.60E-10/h  9. 4E-10(2)  1E-10  4.56E-10  8.6E-10(2)  8.5E-10(2)  (2-6")  4.56E-11  ( 6")

31. Valve (motor-operated or check)
   Disc Rupture  1.5 bE-8/h  5.4

Notes:
* Rates are designated /d (per demand) or /h (per hr)
Exponential notation; 2.5E-3 = 2.5 x 10^-3
[ ] Designates reference
( ) Designates footnote
(1) For all strainers
(2) Includes plugging

Table 3.6-1 (Cont.) COMPARISON OF COMPONENT FAILURE RATES

Component Description / Failure Mode  SEABROOK Mean*  Mean/Median  NREP/IREP [1,2]  WASH-1400 (Median) [3]  LER Derived  EG&G [6]  Zion PSS [7]  Millstone 3 PSS [8]  Other

32. Diesel Generator
   Fail to Start on Demand  2.14E-2/d  1.6  2E-2  X-2  1E-2(1)[9]  3E-2  1.82E-2  2.3X-3  2.5E-2 [10]  4E-2(2)[9]
   Fail During the First Hour of Operation  1.70E-2/h  2.1
   Fail After the First Hour of Operation  2.50E-3/h  1.7  X-3(3)  X-3(3)  K-3(1,3)  1E-3  5.97E-3  2.X-3 [10]  [9]  X-2(2,3)  [9]

33. Transformer (GST, UAT, RAT)
   Fail During Operation  1.5K-6/h  1.5  6E-7(4)  1.7X-6(4)  2.K-6(4)

34. Transformer (Station Service 4.16kV to 480V)
   Fail During Operation  6.87E-7/h  1.54  6E-7(5)  2E-6(6)  1E-6(6)  1.7X-6(5)  2.8E-6(5)

35. Transformer (instrument, 480V to 120V)
   Fail During Operation  1.55E-6/h  2.21

36. Circuit Breaker (AC - 480V and above)
   Fail to Open on Demand  6.49E-4/d  1.8  1E-3(7,8)  1E-3(7,8)
   Fail to Close on Demand  1.61E-3/d  1.5  1E-3(7,8)  1E-3(7,8)
   Transfer Open During Operation  8.2K-7/h  2.2  1E-6(8)  1E-5(8)

37. Circuit Breaker (AC or DC - less than 480V)
   Fail to Open on Demand  8.3K-4/d  2.7  1E-3(7,8)  1E-3(7,8)
   Fail to Close on Demand  2.27E-4/d  2.7  1E-3(7,8)  1E-3(1,8)
   Transfer Open During Operation  2.6K-7/h  2.1  1E-6(8)  1E-5(8)

38. Bistable
   Fail to Operate on Demand  3.89E-7/d  1.4  3.88E-7
   Spurious Operation  2.21E-6/h  13.2

Notes:
* Rates are designated /d (per demand) or /h (per hr)
Exponential notation; 2.5E-3 = 2.5 x 10^-3
[ ] Designates reference
( ) Designates footnote
(1) neenry resung
(2) Monthly testing
(3) Rates not segregated between first hour and after first hour of operation
(4) Rates for main and auxiliary transformers
(5) Rates for ESF auxiliary power transformer
(6) For all transformers
(7) Fails to operate
(8) Voltage not specified

Table 3.6-1 (Cont.) COMPARISON OF COMPONENT FAILURE RATES

Component Description / Failure Mode  SEABROOK Mean*  Mean/Median  NREP/IREP [1,2]  WASH-1400 (Median) [3]  LER Derived  EG&G [6]  Zion PSS [7]  Millstone 3 PSS [8]  Other

39. Bus
   Fail During Operation  4.98E-7/h  1.5  X-5(1)  1E-8  2.3*i-7(1)  1.52E-6

40. Battery (125V DC)
   Failure of Output During Operation  7.5X-7/h  2.0  2E-6(2)  3E-6(2)  1E-6(2)  7.61E-8(2)  1E-6(2)
   Failure of Output on Demand  4.84E-4/d  1.5

41. Battery Chargers
   Fail During Operation  1.86E-5/h  2.3  6E-7  1E-6  5.5E-7  3.16E-5

42. Motor Generator
   Fail During Operation  3.59E-5/h  3.3  1E-5(3)  1E-6

43. Power Supply
   Fail During Operation  1.71E-5/h  2.3

44. Fuse
   Fail Open During Operation  9.20E-7/h  3.2  3E-6  1E-6  1E-6  8.32E-7  4.37E-7

45. Relay
   Fail to Operate on Demand  2.41E-4/d  2.2  1E-3  1E-4  1E-4  6.28E-6  4E-6 to 1E-4(4)
   Fail During Operation  4.20E-7/h  2.1  1.2E-7  4.1E-7  1E-6(6)  2.43E-7(5)  1.47E-7

46. Inverter
   Fail During Operation  1.83E-5/h  1.6  1E-4  1.09E-5  2.39E-5

47. Emergency Power Sequencer
   Fail to Operate on Demand  2.40E-6/d  2.7

48. Signal Modifier
   Fail During Operation  2.94E-6/h  1.6

49. Circuit Amplifier
   Fail During Operation  6.25E-6/h  1.4

50. Flow Transmitter
   Fail During Operation  6.25E-6/h  1.4  6E-5  X-5(7,8)  1E-6(7)  3.86E-5

51. Level Transmitter
   Fail During Operation  1.57E-5/h  1.3  6E-5  3E-5(7,8)  1E-6(7)  1.66E-6  4.29E-5

Notes:
* Rates are designated /d (per demand) or /h (per hr)
Exponential notation; 2.5E-3 = 2.5 x 10^-3
[ ] Designates reference
( ) Designates footnote
(1) Rates are for "transfers open"
(2) Voltage not specified
(3) Rate is for electric motors
(4) Range for seven different types of relays
(5) Contacts transfer open
(6) Coil failure
(7) For general instrumentation
(8) Includes shift calibration errors

Table 3.6-1 (Cont.) COMPARISON OF COMPONENT FAILURE RATES

Component Description / Failure Mode  SEABROOK Mean*  Mean/Median  NREP/IREP [1,2]  WASH-1400 (Median) [3]  LER Derived  EG&G [6]  Zion PSS [7]  Millstone 3 PSS [8]  Other

52. Pressure Transmitter
   Fail During Operation  7.60E-6/h  1.6  6E-5  6.52E-5

53. Pressure Switch
   Fail to Operate on Demand  2.69E-4/d  2.5  1E-4  1E-5

54. Control Cable
   Open or Shorted During  4.63E-6/h  1.3  1E-5  3.3E-6  1E-6(1)  1E-5(2)  4.5E-6

55. Trip Logic Module
   Failure During Operation  2.93E-6/h  2.7
   Failure to Trip on Demand  8.52E-5/d  2.7

56. Power Supply +5VDC, +24VDC (ESFAS)
   Failure During Operation  5.33E-5/h  2.7  6E-7(3)  'E-6(3)  1E-6(3,4)  2.97E-6(3)  2.2HF-H(3)  [11]

57. Power Supply +120V DC (ESFAS)
   Failure During Operation  1.33E-4/h  2.7  6E-7(3)  3E-6(3)  1E-6(3,4)  2.97E-6(3)  2.28E-8(3)  [11]

58. Reactor Trip Breaker
   Fail to Operate on Demand  4.66E-3/d  1.3  4E-3  9.79E-3  3.38E-4

59. Single Control Rod
   Fail to Insert on Demand  3.26E-5/d  5.5  1E-4  4.6E-5(5)

60. (6)

Notes:
* Rates are designated /d (per demand) or /h (per hr)
Exponential notation; 2.5E-3 = 2.5 x 10^-3
[ ] Designates reference
( ) Designates footnote
(1) For wires, per circuit
(2) Shorts only
(3) Voltage not specified
(4) Rate for "battery powered system (wet cell)"
(5) Failure to insert fully during scram, Westinghouse plants
(6) SSPSA Table 6.2-1 was missing entry #59

distribution assumed for the comp nsnt failure rates in the SSPSA. (SSPSA Table 6.2-1 also provides the 95th and 5th percentile values. These values have been omitted from Table 3.6-1 in order to minimize the number of ( columns . ) All columns after the fourth provide comparable data from the sources identified in the heading. In several cases, the data source considered only a few specific components, while others considered a large number of different components. In a few cases, to be considered l'ater, no data source was found for the SSPSA component. In examining the Table 3.6-1 comparisons, tne following general observations appear valid:

1. Pumps (Components 1, 2 & 3) - SSPSA failures rates for pumps are consistent, and somewhat conservative (somewhat higher rates), with respect to the other data.

2. Fans, etc. (Components 4 through 7) - No comparable data were found for comparison with these components. However, these components are typically driven by electric motors, and the rates are comparable with other electric motor-driven components (c.f. motor-driven pump) as well as the WASH-1400 rates for electric motors (3E-4/d for start failures and 1E-4/hr for run failures).
3. Valves (Components 8 through 19, 31) - For those valves and failure modes with comparable data, the SSPSA rates are generally consistent and, in most cases, somewhat conservative. The only exception is the rate for butterfly temperature control valve (#13) transfer open/closed during operation where the SSPSA rate is considerably lower than the Millstone 3 PSS and somewhat lower than NREP/IREP. However, this component failure mode has not been found to be risk significant in PRA studies.

In two cases, solenoid valve (#9) and electrohydraulic valve (#11), comparable data could not be found. In these instances, the rates are generally comparable to other active valves and thus appear reasonable.

The rate for disc rupture (#31) could not be verified against alternate data sources. This particular valve failure mode is the subject of an assessment as part of the V-sequence analysis (see Section 3.1).

Two additional failure modes could not be verified: #8 (fail to close on demand while indicating closed) and #10 and #12 (fail to transfer to failed position). However, these failure modes have not been observed as significant contributors to important accident sequences in PRAs.

4. Dampers (Components 20 through 22) - No data comparisons were found for these components. For the pneumatic damper, the rates are essentially the same as for air-operated valves, which is reasonable. For the fire damper (#21), only an inadvertent actuation failure rate is provided. Neither the validity of the rate nor the significance of the event could be ascertained. The back draft damper rates are identical to check valve (other than stop) #14, and thus appear reasonable.

5. Miscellaneous Passive Components (Components 23 through 28) - This group includes six components, with data comparisons available for three. Of these three (#'s 23, 24 and 26), the SSPSA rates appear consistent except for #24 (storage tank rupture). In this case, the SSPSA rate is considerably higher than the two other rates found. However, storage tank rupture does not appear in any dominant sequences (see SSPSA Section 2) found for Seabrook. Thus, adjusting the SSPSA rate downward to be consistent with other rates would not influence the risk results.

Data comparisons could not be found for three components (#'s 25, 27 and 28). However, none of these appear to be significant in terms of risk contribution. The containment spray nozzle plugging rate (during operation) would have to be more than two orders of magnitude higher in order to contribute to the spray system failure rate of 7.25E-4 (see SSPSA Section 7) for a 24-hour mission time. Similarly, the probability of plugging of ventilation filters and louvers for the 24-hour mission time assumed for safety injection systems which may have pumps enclosed in rooms requiring ventilation is insignificant even if the SSPSA failure rates were substantially increased.

6. Pipe Rupture (Components 29 and 30) - Pipe failure rates used in the SSPSA are at the high end of, but consistent with, the range of rates from other sources.

7. Diesel Generator (Component 32) - The SSPSA diesel generator failure rate is quite consistent with other data sources (the Millstone 3 rate is clearly outside the range of the other six data sources). The diesel generator component has consistently been found to be a risk significant element in PRA studies, and the SSPSA is no exception (see SSPSA Section 2). While the SSPSA random diesel generator failure rate is consistent with other data sources, the common cause failure contribution assessed in the SSPSA for the two unit system was found to be significantly lower than other sources. This apparent deficiency is explored in some detail in the subsequent subsection (3.10.6) on common cause failures.

8. Miscellaneous Electrical Components (Components 33 through 58) - This group consists of a variety of 25 electrical components. Of the 25, comparative failure rates for 20 were found, although in one case, a particular failure mode was unique to the SSPSA data base. For transformers (Components 33, 34, and 35) the SSPSA rates appear reasonable. Although no comparative data could be found for instrument transformers (Component #35), the rate is comparable with the other transformers and thus appears reasonable.

For circuit breakers (Components 36 and 37), the rates compare favorably except for the "transfer open during operation" failure mode for less than 480V breakers. In this case, the SSPSA rate appears significantly lower than the others. However, this failure mode has not been found risk significant in other PRAs, and the difference appears to be of no significant consequence.

The bistable rate is consistent for failure to operate on demand. No comparison was found for "spurious operation", but this bistable failure mode has not been found significant in other PRAs, and the failure rate does not seem unreasonable.

The next four components (39 through 42) appear to have failure rates consistent with alternate data sources. Component #43 (Power Supply) has no comparative rate but is comparable to the rate for motor generator (#42), which is also a power supply. The rate appears reasonable. Components 44, 45 and 46 appear consistent with alternate data.

The emergency power sequencer (#47) has no data for comparison. This component sequences electrical loads onto the emergency ac power buses fed by the diesel generators. The dominant failure mode for the emergency power system has been found consistently to be failure of the diesel generators (see following subsection), with rates typically around 2E-3/d. Thus, the emergency power sequencer failure rate is insignificant compared to diesel failures by some three orders of magnitude.

The next two components (#'s 48 and 49) have no data comparisons. However, the rates are equivalent to similar types of electrical components (transformers, transmitters) and thus appear reasonable.

Components 50 through 54 all have data comparisons and appear reasonable except #52 (pressure transmitter). In this case, the SSPSA rate seems low compared to the other values. However, this failure (during operation) should be detectable, and no instance is known where the failure is risk significant. This instrument does appear, however, as a contributor to failure for several systems as indicated in Section 3.6.2 following. Its significance is evaluated in that section.

Component #55 (trip logic module) has no data for comparison. However, the rates are comparable to other electrical components. Further, failure to trip is probably only important with respect to reactor scram. For this event, the reactor trip breaker (#58) has a much higher failure probability (by a factor of 50). The trip logic module failure rate is thus considered acceptable in the context of influencing the overall risk result.

The dc power supply components (#'s 56 & 57) have significantly higher failure rates in the SSPSA than comparable data from other sources. However, these failures do not appear in any dominant accident sequences (see SSPSA Section 2). Thus, a reduction in these rates would not influence the study results.

The final two components (#'s 58 and 60)(1) have failure rates consistent with other data.

The fourth column of Table 3.6-1 provides a ratio of the Mean and Median values used in the SSPSA. As indicated previously, this ratio provides a measure of the skewness of the distribution assumed for each component. Generally, a higher ratio implies a larger uncertainty (broader uncertainty bands) in the presumed distribution. In most cases the mean/median ratio ranges from 1.2 to 3.2. However, in five cases the ratio is significantly larger, ranging from 5.4 (disc rupture of a motor-operated or check valve, #31) up to 13.2 (spurious operation of bistable, #38). The basis for these larger values (as well as all other values) could not be determined since their derivation is not provided in the SSPSA and is apparently based on proprietary data. Further, in the case of two components, valve disc rupture (#31) and spurious bistable operation (#38), no alternate data sources were found. For the remaining three (pipe ruptures and single control rod failures, #'s 29, 30 and 60), the comparative data do not support the large mean to median ratios. This is illustrated in Table 3.6-2 which lists the three components from the SSPSA with high mean to median ratios for which other comparative data exist. The table also lists two additional components from Table 3.6-1 which have low SSPSA mean to median ratios, but very wide ranges from comparative data sources. Table 3.6-2 lists the SSPSA mean to median ratios (second column) and the high and low values from other data sources (third and fourth columns). The fifth column lists the number of comparative data sources from which the range was obtained. (These sources are listed in Table 3.6-1). The final column provides a range factor which is simply the ratio of the extremes shown in the third and fourth columns.

(1) SSPSA Table 6.2-1 had #59 missing.

Table 3.6-2
COMPARISON OF SSPSA MEAN TO MEDIAN RATIO WITH OTHER DATA

                        SSPSA          Range from other data           Range
Component               Mean/Median    Low         High       Number   Factor
Single Control Rod      5.5            1E-4        4.6E-5     2        2.2
Pipe Rupture, ≤ 3"      9.             1E-9        8.6E-9     5        8.6
Pipe Rupture, > 3"      9.             4.56E-11    8.5E-10    5        20.
Bus Failure             1.5            1E-8        3E-5       4        3000.
Relay Failure           2.2            4E-6        1E-3       5        250.

Table 3.6-2 illustrates that the SSPSA mean to median ratios are not consistent with the ranges (uncertainties) from other data sources. For example, the range from comparative data for one of the highest SSPSA mean to median ratios (9 for pipe rupture ≤ 3") is a very modest 8.6, while one of the lowest SSPSA mean to median ratios (1.5) is for bus failure which has an extremely large range factor (3000). Similarly, the low mean to median ratio for relay failures is not supported by the high range factor (250) from comparative data. Further, the same mean/median ratio for both sizes of pipe rupture is inconsistent with the different range factors for these ruptures.
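The comparison drawn from Table 3.6-2, worked through as an added example that is not part of the reviewed report. It assumes each SSPSA failure rate is lognormally distributed (an assumption of this example; the text above does not name the distribution family), so that the mean/median ratio fixes the width of the distribution, and it places the implied 95th/5th percentile spread beside the table's range factor. Function names are illustrative.

```python
"""Added example: uncertainty spread implied by a mean/median ratio under a
lognormal assumption, set beside the range factors printed in Table 3.6-2."""

import math
from statistics import NormalDist

# 95th percentile of the standard normal distribution (about 1.645).
Z95 = NormalDist().inv_cdf(0.95)

# Rows of Table 3.6-2 as printed: (component, SSPSA mean/median, range factor).
TABLE_3_6_2 = [
    ("Single Control Rod", 5.5, 2.2),
    ('Pipe Rupture, <= 3"', 9.0, 8.6),
    ('Pipe Rupture, > 3"', 9.0, 20.0),
    ("Bus Failure", 1.5, 3000.0),
    ("Relay Failure", 2.2, 250.0),
]


def lognormal_sigma(mean_over_median):
    """Log-space standard deviation: mean/median = exp(sigma**2 / 2)."""
    if mean_over_median < 1.0:
        raise ValueError("a lognormal mean is never below its median")
    return math.sqrt(2.0 * math.log(mean_over_median))


def error_factor(mean_over_median):
    """Error factor, i.e. 95th percentile divided by the median."""
    return math.exp(Z95 * lognormal_sigma(mean_over_median))


def implied_spread(mean_over_median):
    """Ratio of the 95th to the 5th percentile (error factor squared)."""
    return error_factor(mean_over_median) ** 2


def compare(rows=TABLE_3_6_2):
    """Attach the implied spread to every table row."""
    results = []
    for component, ratio, range_factor in rows:
        spread = implied_spread(ratio)
        results.append({
            "component": component,
            "mean_over_median": ratio,
            "error_factor": error_factor(ratio),
            "implied_spread": spread,
            "range_factor": range_factor,
            # > 1: assumed distribution is wider than the scatter of sources
            # < 1: the sources disagree by more than the distribution allows
            "spread_over_range": spread / range_factor,
        })
    return results


if __name__ == "__main__":
    header = f"{'component':22s} {'mean/med':>8s} {'EF':>7s} {'95/5':>8s} {'range':>8s}"
    print(header)
    for r in compare():
        print(f"{r['component']:22s} {r['mean_over_median']:8.1f} "
              f"{r['error_factor']:7.1f} {r['implied_spread']:8.0f} "
              f"{r['range_factor']:8.1f}")
```

Under this assumption the ordering inverts: the widest assumed distributions belong to the components whose comparative data agree most closely, and the narrowest to the bus failure whose sources differ by a factor of 3000.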

It is difficult to draw any conclusions from this overview of the SSPSA mean to median ratios. The distributions associated with these ratios can be important in estimating risk uncertainties (see Section 5.2). It can be concluded that the SSPSA mean to median ratios do not seem consistent with the ranges from other data sources and that it is not obvious why the ratios are significantly larger for the identified five components. However, the validity of the SSPSA mean to median ratios cannot be established without reviewing the basis for their derivation (not included in the SSPSA documentation).

3.6.2 SYSTEM FAILURE PROBABILITIES

This subsection presents the results of a review of the "frontline" and "auxiliary" systems failure probabilities as assessed in the SSPSA. These probability assessments are summarized in SSPSA Section 7 (Systems Analysis), and details are provided in SSPSA Appendix D. A total of 6 frontline systems and 6 auxiliary systems were considered in the SSPSA. However, in two cases several subsystems of a main system were considered separately, bringing the total number of individual systems quantified to 17. Two of the systems, containment spray and containment isolation, were not considered because containment behavior during the severe accidents analyzed in the SSPSA was excluded from the scope of this review.

The scope of the review was limited to comparing the system failure and unavailability probabilities to other assessments for similar systems, attempting to assess the reasons for and significance of differences found, and review of system unavailability quantification as assessed in Appendix D of the SSPSA. Resources were not available for examining the large number of fault trees utilized in the SSPSA for quantification of system failure, nor was it possible to systematically evaluate plant drawings to assure that the fault tree logic accurately represents the plant configuration. However, the SSPSA systems analyses have been evaluated separately as part of the review, and the results are given in Section 3.4 of this report.

To accomplish the comparison of system failure probabilities, several independent sources were selected. These included WASH-1400(3), the Sequoyah RSSMAP study(17), the Zion PRA(7), and the Millstone Unit 3 PRA(8). All of these sources represent risk assessment studies for plants in which the nuclear steam supply system was supplied by Westinghouse. They represent a rather broad spectrum of combinations of sponsoring and performing organizations. The first two were sponsored by the NRC and performed by government contractors. The WASH-1400 study represents the earliest PRA evaluation, and Sequoyah one of the more recent. The last two are PRAs sponsored by utilities and performed by private contractors. The Zion PRA was performed by Pickard, Lowe, and Garrick, the same firm which performed the SSPSA. The MP-3 PRA was performed by Westinghouse. In addition to the four PRAs utilized in the comparison, several additional sources were utilized in which failure probabilities for the individual systems were evaluated.

It was recognized that differences exist among the four plants and their individual system designs for which PRAs were used in the comparisons. For example, the Sequoyah plant employs an ice condenser containment while the other three PRA plants have large dry containments. Also, the Surry plant used in the WASH-1400 evaluation has three primary coolant loops while the others employ four loops. An attempt was made to account for the effect of these and other differences in performing the comparisons.

The procedure used in the comparative evaluation was as follows:

1. System failure data were compiled from the various sources and segregated to be compatible with the systems breakdown employed in the SSPSA.
2. The failure rates were compared, and those SSPSA rates which seemed to be significantly outside the range (either higher or lower) were identified.
3. For those systems identified in Step 2 preceding, a check was made using the dominant accident sequences identified in the SSPSA to determine if changing the SSPSA system failure probability to be consistent with other data would influence (either increase or decrease) the core melt probability or early fatality risk.
4. For those system failure probability changes identified in Step 3 which influenced the SSPSA results, an evaluation was undertaken to determine if the reasons for and validity of the SSPSA rate could be established. If errors were found, or if the SSPSA rate could not be verified, a requantification of the SSPSA dominant accident sequences was undertaken employing a system failure rate judged to be more appropriate based on rates from alternate data sources.

5. A review of system unavailabilities as presented in Appendix D of the SSPSA was performed for selected systems.

It should be emphasized that none of the alternate data sources are considered, a priori, to be more valid for any particular system than the SSPSA results. The purpose of the comparison was to identify apparent "outliers" in the SSPSA system failure quantification for further evaluation.

Table 3.6-3 provides the results of the system failure probability comparisons for the support systems as identified in the SSPSA. It was found that an inconsistent and imprecise definition of failure existed in the data sources (including the SSPSA). Frequently, the mission time for the system was not specified, in which case the failure was assumed to be per demand. In other cases, the mission times are not consistent among the studies. However, for short mission times, the demand rate is generally equivalent to the mission rate. Further, for systems which must start from a non-operating condition, the failure rate is usually dominated by start failure of active components. Thus, for these cases, the mission time is usually not important. These considerations are evaluated further in specific cases.

Each of the eight systems listed in the first column of Table 3.6-3 will be considered separately, as follows:

3.6.2.1 ELECTRIC POWER

The ac and dc power systems were considered separately in the SSPSA, and separate entries are provided in Table 3.6-3. The ac power system consists of the emergency diesel generators and associated hardware necessary for providing ac power to the emergency buses. The dc system consists of station batteries and associated hardware. The two systems will be considered separately.

3.6.2.1.1 AC POWER

The emergency ac power system has consistently been found in PRA studies to be one of the most risk significant systems at nuclear power plants. Accordingly, a rather extensive survey of various sources of system failure rates was undertaken, resulting in the seven data comparisons shown in Table 3.6-3. The SSPSA rate (for 24 hours) is at the high end of the failure probability range. Only the WASH-1400 rate (per demand) is higher. However, the WASH-1400 rate is based on the assumption that no load sequencer exists at the Surry plant. It was, therefore, assumed that both diesels would fail from the same cause (failure to assume full load). The Seabrook plant has a load sequencer. Thus, the WASH-1400 rate is not directly applicable for Seabrook. Comparing the remaining rates, the SSPSA value is within a factor of 5 of all rates in the "other" column (except for the low end of the range from Ref. 13). Furthermore, all rates for ac power in Table 3.6-3 are for

"demand" or for times less than the 24-hour mission time assumed in the SSPSA. The failure to run contribution from the SSPSA (Section 7.2) for the 24-hour interval was found to be a significant failure contributor. Thus, the SSPSA rate for emergency ac power failure is considered valid except for the common cause contribution.

In assessing the common cause contribution to diesel failures, the SSPSA used beta factors of 0.0133 for failure to start and 0.0325 for failure to run. As discussed in Section 3.10.6, these factors are quite low compared to alternate data sources and the generic beta factor. To assess the significance of this difference, the diesel generator failure probability was requantified using the SSPSA generic beta factor of 0.125. This resulted in a slight increase (less than a factor of 2) in the failure probability of emergency AC power which would not have a significant effect on the SSPSA results.

Table 3.6-3
COMPARISON OF SUPPORT SYSTEM FAILURE RATES
( ) designates footnote

System    SSPSA    WASH-1400[3]    Sequoyah[17]    Zion[7]    MP-3[8]    Other

1. Electric Power
   AC(1)    7.7E-3/24 hr    1E-2/d    1E-3/d    5.3E-4(8)/6 hr    4.56E-4/d    1.5E-3(9)[10] , 6 1.IE-3[ 1.8E-3 3/d8E-3EI33/d
   DC(1)    4.59E-7/24 hr    1E-6(7)/2 hr(11)    6.1E-5(10)[11]
2. Service Water    2.32E-4(12)/24 hr    6.43E-6(13)/24 hr    2.2E-8/24 hr    7.44E-6/24 hr    2.7E-5/yr[14]
3. Primary Component Cooling Water    1.54E-6/24 hr    2.7E-8/24 hr
4. Instrument Air    3.07E-4/24 hr
5. Reactor Trip    5.5'*-4/d    3.6E-5/d    2.98E-5(4)/d    1.8E-4/d    3.0E-5/d
6. Solid State Protection    2.92E-6(2)/d
7. Engineered Safety    6.X.'(2)/d    2.7E-6(5)/d    1.6E-5 I 1.6E-4 gI/d
8. Containment Enclosures Air Handling:
   Cooling    1.89E-5/24 hr
   Air Cleaning    3.19E-6/24 hr    8E-4(3)/4 mo.

(1) Conditional probabilities given loss of offsite power
(2) For transient initiating events
(3) Emergency gas treatment air cleanup system
(4) Includes only rod drop failure and test and maintenance contributions
(5) Safety injection
(6) Containment spray
(7) No ac available
(8) System has 2 diesel generators plus swing unit
(9) One of two diesel generators failure to start, air-cooled
(10) For a system which meets minimum NRC requirements
(11) Actual mission time not specified - 2 hours is assumed based on discussion in Reference 17
(12) With safety injection (S) signal
(13) Without safety injection (S) signal

3.6.2.1.2 DC POWER

The SSPSA assessment of dc power failure is significantly below the other data sources. In examining the derivation of the result as presented in SSPSA Section 7.2 and Appendix D (Section D.2), no apparent reason could be found for the low failure rate. However, the information presented is not comprehensive enough to trace the origin of the failure contributions and evaluate their validity. It appears that the failure probability is dominated by independent hardware failures (as indicated by SSPSA Table 7.2-1). The most likely hardware failure is expected to be failure of the battery itself, which is assigned a value of 4.84E-4/d and 7.53E-7/h in the SSPSA as indicated in Table 3.6-1. For a 24-hour period, the two train dc power system failure probability would be, assuming independent failures of batteries only:

    (4.84E-4) (4.84E-4)              = 2.34E-7
    (24) (7.53E-7) (24) (7.53E-7)    = 3.24E-10
    Total                              2.34E-7

This result is quite close to the Table 3.6-3 SSPSA result. However, this simple assessment ignores common cause contributions, which were apparently also not considered in the SSPSA since SSPSA Table 7.2-1 does not have an entry for the common cause column, and SSPSA Appendix D (Section D.2) does not consider a common cause contribution. There is no known reason why battery failures should be exempt from common cause failures. Reference 11, for example, concludes that common cause failures dominate system unreliability.

The SSPSA uses the β-factor approach to assess common cause contributions for other systems (see Section 3.10 following) and provides a table of β-factors (SSPSA Table 6.3-2) for various components. No factor is provided for batteries, but a "generic component" factor of 0.125 is provided, and arguments are given in SSPSA Section 6.3 to support this value. It is also consistent with the WASH-1400 estimate of 0.1 as a β-factor for generic application. Employing a β-factor of 0.125 for common cause battery failures yields a failure rate of (0.125) (4.84E-4) = 6.1E-5 for a two-train system. (The failure to operate contribution for the 24-hour period would be negligible if the same approach is used.) This failure rate is consistent with the value in the "Other" column of Table 3.6-3 from Reference 11.

However, according to the Reference 11 assessment, the 6.1E-5/d value is for a system which meets minimum NRC requirements. It is estimated in Reference 11 that improved surveillance, maintenance, and testing could improve the reliability of the dc power system by as much as a factor of 20, bringing the failure rate down to 3E-6. It is not known to what extent these improvements might be employed at the Seabrook station. It is expected that some of them would likely be implemented due to the recent emphasis which has been placed on dc reliability. On balance, it seems reasonable to conclude that the SSPSA dc power system failure rate is probably in the range of 1E-5.

An attempt was made to quantify the influence of this revised dc power failure rate on the SSPSA core melt probability. The rate is only applicable (conditional) following loss of offsite power, assessed at 0.135/yr per SSPSA Table 6.6-2. If no credit is given for recovery of offsite power during the 1- to 2-hour time period in which an irreversible core melt is expected to ensue, and further assuming emergency feedwater cannot operate without dc power, the core melt probability for the sequence loss of offsite power followed by loss of dc is: (0.135)(1E-5) = 1.35E-6/yr. This conservative result is more than two orders of magnitude lower than the total SSPSA core melt probability of 2.3E-4/yr (SSPSA Section 2.1). Thus, the proposed revision to the dc power loss probability would not impact the total CMP for the Seabrook plant.
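The dc power screening above, carried through as an added example that is not part of the reviewed report or the SSPSA. It applies the standard beta-factor split to a two-train system using only the values quoted in this subsection; the function and class names are illustrative, and the cross term (one train failing on demand, the other during operation) is omitted as in the hand calculation above.

```python
"""Added example: beta-factor screening of a two-train dc power system using
the battery data and frequencies quoted in Section 3.6.2.1.2."""

from dataclasses import dataclass

BATTERY_Q_DEMAND = 4.84e-4     # battery failure probability per demand
BATTERY_RATE_PER_HR = 7.53e-7  # battery failure rate per hour of operation
MISSION_HR = 24.0              # mission time assumed in the SSPSA
GENERIC_BETA = 0.125           # SSPSA "generic component" beta factor
LOOP_PER_YR = 0.135            # loss of offsite power frequency
REVISED_DC_FAILURE = 1e-5      # dc failure probability judged by the review
TOTAL_CMP_PER_YR = 2.3e-4      # total SSPSA core melt probability


@dataclass(frozen=True)
class TwoTrainResult:
    independent_demand: float   # both trains fail on demand, independently
    independent_run: float      # both trains fail during the mission
    common_cause_demand: float  # one shared cause fails both on demand
    common_cause_run: float     # one shared cause fails both while running

    @property
    def total(self):
        return (self.independent_demand + self.independent_run
                + self.common_cause_demand + self.common_cause_run)

    @property
    def common_cause_fraction(self):
        cc = self.common_cause_demand + self.common_cause_run
        return cc / self.total if self.total else 0.0


def two_train_failure(q_demand, rate_per_hr, mission_hr,
                      beta_demand=0.0, beta_run=0.0):
    """Failure probability of a two-train system under the beta-factor model.

    A fraction beta of each train's failures is shared by both trains; the
    remaining (1 - beta) is independent and must occur in both trains.
    """
    for beta in (beta_demand, beta_run):
        if not 0.0 <= beta <= 1.0:
            raise ValueError("beta must lie in [0, 1]")
    q_run = rate_per_hr * mission_hr  # rare-event approximation
    if not 0.0 <= q_demand <= 1.0 or not 0.0 <= q_run <= 0.1:
        raise ValueError("inputs outside the rare-event range")
    return TwoTrainResult(
        independent_demand=((1.0 - beta_demand) * q_demand) ** 2,
        independent_run=((1.0 - beta_run) * q_run) ** 2,
        common_cause_demand=beta_demand * q_demand,
        common_cause_run=beta_run * q_run,
    )


def sequence_frequency(initiator_per_yr, conditional_failure):
    """Frequency of an initiating event followed by a conditional failure."""
    return initiator_per_yr * conditional_failure


def dc_power_screening():
    """Reproduce the three steps of the review's argument."""
    independent = two_train_failure(BATTERY_Q_DEMAND, BATTERY_RATE_PER_HR,
                                    MISSION_HR)
    with_ccf = two_train_failure(BATTERY_Q_DEMAND, BATTERY_RATE_PER_HR,
                                 MISSION_HR, GENERIC_BETA, GENERIC_BETA)
    seq = sequence_frequency(LOOP_PER_YR, REVISED_DC_FAILURE)
    return {
        "independent_only": independent.total,
        "with_common_cause": with_ccf.total,
        "increase_factor": with_ccf.total / independent.total,
        "common_cause_fraction": with_ccf.common_cause_fraction,
        "loop_then_dc_loss_per_yr": seq,
        "share_of_total_cmp": seq / TOTAL_CMP_PER_YR,
    }


if __name__ == "__main__":
    for name, value in dc_power_screening().items():
        print(f"{name:28s} {value:.3g}")
```

The independent-only result reproduces the 2.34E-7 figure, while adding the generic beta factor raises the estimate by more than two orders of magnitude and makes the common cause term almost the whole result.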


3.6.2.2 SERVICE WATER

The SSPSA failure rate for the service water system following an accident initiating event assuming a 24-hour mission time is provided in Table 3.6-3. Two values are shown, 2.32E-4 for the case when an S signal (safety injection signal following a LOCA) is present, and 6.43E-6(1) when the S signal is not present (non-LOCA initiating event). The rate of 6.43E-6 is reasonably consistent with other rates in the table although somewhat higher than most (the Oconee rate would be equivalent to 7E-8/24hr). The rate with a safety injection signal present, on the other hand, is clearly much larger than any other value in the table. In view of these differences, a detailed review of the SWS failure assessment as provided in SSPSA Appendix D (Section D.3) was undertaken.

In reviewing the Appendix D SWS failure assessment, it was found that the reason for the much higher SWS failure probability for the case of an S signal present was due to the assumption that failure of two valve closures which isolate the SWS from secondary component cooling (SCC) would fail the SWS function. This failure mode dominates the SWS failure. These valves are automatically closed upon generation of an S signal to maximize SWS flow to components critical to successful recovery from a LOCA. Given this assumption, the SSPSA quantification of SWS failure for an S signal present appears valid based on valve failure rates and common cause contributions (β-factors) used in the SSPSA.

(1) This value is from SSPSA Table 1.3-10 and is not consistent with the incorrect rate shown in SSPSA Table 7.3-1.

For the case of no S signal present (i.e., initiating events other than LOCAs), several apparent deficiencies were found in the SSPSA analysis, and requantification was undertaken. The major deficiencies were:

1. It was assumed in the SSPSA that fans and dampers in the pumphouse switchgear and pumphouse buildings would be in a non-operating status at the onset of the initiating event. Actually, these systems would be normally operating to supply necessary cooling and ventilation for the SWS components. In fact, according to SSPSA pages D.3-13 and 14, a pre-operational status is assumed.

2. It was assumed that common cause failures affecting ventilating fans and dampers would be negligible. The basis for this assumption does not appear valid. Part of the basis is apparently derived from the SSPSA ground rule (Pg. D.3-37) that passive devices are assumed to have negligible common cause failure potential. This assumption is questionable for some cases as discussed in Section 3.10.

3. The failure rate contribution for the pumphouse ventilation failure appears improperly quantified when using the SSPSA failure rates for back draft dampers (SSPSA Table 6.2-1). The revised failure contribution is about 6 times greater.

The SWS failure probability was requantified using revisions which eliminated the three apparently deficient assumptions. Only failure to continue operating contributions were considered for the SWS pumphouse fans and dampers, common cause contributions were considered for fans and dampers using a β-factor of 0.1, and the errors in the pumphouse ventilation failure probability were corrected. The requantification produced an SWS failure probability of 6E-5/24 hrs compared with the SSPSA result of 6.43E-6/24 hrs.

However, the Seabrook plant design includes a cooling tower system (CTS) which automatically is actuated upon low discharge from the main SWS. The CTS provides the cooling function normally supplied by the SWS. The SSPSA failure rate for the CTS is 2.46E-3/24 hr (SSPSA Table D.3-10). This quantification was reviewed, and it appears reasonable. Thus, the probability of loss of service water function, as requantified herein, would be (6E-5) (2.46E-3) = 1.5E-7. This rate is not a significant contributor to core melt probability when coupled with initiating event (non-LOCA) frequencies. However, it would raise the SWS failure as an initiating event by about a factor of 10 over the SSPSA rate to 5.4E-5/yr. However, this rate would not be expected to make a significant contribution to the overall SSPSA core melt probability, especially if the CTS backup is considered.

A special case of SWS failure does appear as a dominant sequence in the SSPSA. This sequence is loss of offsite power followed by SWS failure. The SWS failure probability for this case was reviewed (as provided in SSPSA Section D.3) and found to be reasonable.

It is of interest to note that Section D.3.2.4 of the SSPSA discusses historical nuclear power experience and concludes that a review of the publication Nuclear Power Experience indicates no instances of systems design failure experienced. It is further concluded that instances of actual common cause failure of service water systems in the publication. Section D.3.5.5 also concludes that no "true" common cause failures have been reported. However, according to Reference 13, a service water system failure did occur at the Brunswick plant, and eight additional instances were found where common cause failures could have occurred, including two cases of strainer plugging and six cases involving buildup of oyster shells, barnacles, and Asian clams.

3.6.2.3 PRIMARY COMPONENT COOLING WATER

As shown in Table 3.6-3, only one alternate failure rate for PCC could be found (Zion), and this value is significantly less than the SSPSA. Because of this disagreement and also because PCC failure is an important element in several dominant accident sequences following initiating events (per SSPSA Table 2.3-5), an in-depth review was undertaken of the SSPSA PCC failure probability as presented in SSPSA Section D.4. In reviewing the PCC failure quantification, numerous apparent discrepancies were found, as follows:

1. Numerical errors - The overall results presented in SSPSA Tables D.4-10 and D.4-11 cannot be obtained by using the total values for the blocks in Table D.4-7 in conjunction with the equations on pages D.4-13 and 14 as well as D.4-17. In reviewing this discrepancy, it was found that the totals for the blocks in Table D.4-7 were incorrectly summed based on the values given for the individual component failure rates. By correcting the sums, the results become reasonably consistent.

2. Valve failure mode - It is not apparent why the failure mode "Fail to transfer to the failed (closed) position" (2.66E-4/d) was used in SSPSA Table D.4-7 for the valves which isolate nonessential cooling loads inside and outside containment for those cases in which offsite power is retained. For LOOP cases, the secondary component cooling (SCC) system which cools the instrument air system will fail because it is isolated from the SWS (see Pg. D.5-4). Thus, air compressors would not be expected to operate for cases involving LOOP. Failure of the isolation valves dominates PCC failure for the cases 1A, 1C, 2A, 2B, 2C. (The Table 3.6-3 rate is for Case 1A, all support systems available.) These valves apparently transfer to a bypass configuration upon a T or P signal (depending on the type of initiating event), and it is not clear why a failure to operate on demand rate (which is about a factor of 6 higher) was not used for the cases (including 1A) in which loss of offsite power does not occur. However, the correct failure mode could not be established with available information. Details on valve actuation logic, type of valve, etc. are required to further evaluate this issue.

3. Common cause PAH ventilation fans - For the cases of loss of offsite power, the normal primary auxiliary building air handling (PAH) system trips, and PCC system cooling is provided by a subsystem of the PAH which is powered from onsite emergency power and must start from a standby condition. The SSPSA assumed that failure of this system would fail the PCC. In quantifying the failure probability of the PAH subsystem, the SSPSA assumed that common cause failures of ventilation fans to start or run (1 out of 2 required) would be negligible. The assumption was based on arguments that (1) assuming failure of PAH (as well as no credit for repair) leads directly to PCC failure is already conservative, (2) certain common cause events such as fires, turbine missiles, etc. "are explicitly recorded as initiating events", (3) use of "what is believed to be a conservatively high failure rate for ventilation fans" (4.84E-4/d, 7.89E-6/h), (4) examination of a "large fraction of the reported failures in U.S. nuclear experience (revealed that) no common cause failures involving HVAC fans other than fires have been identified".

In examining this issue, it was concluded that Argument 1 preceding is probably valid although no information was found in the SSPSA or elsewhere which established the extent of this conservatism (time available, recovery options, etc.). Argument 2 is not directly applicable to the situation being considered. The common cause failures of interest here are not external "shocks" which are considered for initiating events, but rather internal, component related failures which can occur when the system is commanded to start. Argument 3 does not seem to be supported by failure data in SSPSA Table 6.2-1 (see Table 3.6-1 of this report). The ventilation fan failure to start rate is one of the lowest of all active components, lower than pumps, all active valves, the cooling tower fans, etc. The failure to run rate is also one of the lowest. The last argument was not verified since readily available pertinent information could not be found.

On balance, it does not appear valid to ignore common cause ventilation fan failures. In order to determine the influence of considering such failures, a requantification of the PCC failure rate was undertaken assuming a common cause failure rate for ventilation fans. A β-factor of 0.1 was assumed (see Section 3.10 for a discussion of this factor) and was applied to both start and run failures (the run failure is the dominant contributor for a 24 hr mission time). Requantifying the results produced the following change:

SSPSA Revised
Case 1B (loss of offsite power, all support systems available) F 8.73E-5

This change was found to have an insignificant influence on core melt probability since the PCC failure mode 1B does not appear in any dominant sequences, and the revised increase would not produce a dominant sequence even assuming the Case 1B element occurs in a sequence with a probability equal to the lowest of the dominant sequences.

4. Common cause pump failures - In quantifying common cause pump failures in the PCC system, the SSPSA assumed a β-factor of 0.0365 for failure to start, and 0.0232 for failure to run. As discussed in Section 3.10, these values are low compared to other pumps, alternate data, and the "generic" rate (0.125). The basis for these PCC pump β-factors is apparently proprietary. However, the values are considered questionable based on Section 3.10 arguments, and a requantification was undertaken using a value of 0.1. This raised the common cause contribution as computed in the SSPSA (by use of the equation at the bottom of D.4-23) from 9.93E-9 to 2.2E-8. This increase does not change the overall PCC unavailability which is almost two orders of magnitude higher from other causes.

5. Common cause valve failures - On SSPSA page D.4-24, it is stated that "Possible common cause failures of these components (motor and air operated valves) have a negligible contribution because, even after postulating a generic beta factor, the failure rates are so low as to be negligible." This statement is incorrect in that valve failures (particularly air operated valves) dominate the failure probability of each PCC train.

This can be readily seen by examining the values which go into the failure logic equations on SSPSA page D.4-13. For example, the failure logic equation for boundary condition 1A is:

PCC-1A = (AB+C)(AB+C)

where (from Table D.4-7):

A = 8.21E-4
B = 3.74E-3
C = 1.14E-3 (corrected sum, see item 1 preceding).

It is readily apparent that element C dominates the product since AB = 3.1E-6. Element C, which includes all failure possibilities external to the two parallel pump paths for each PCC train, is dominated by MOV and AOV failures, with AOV failures making up over 90% of the 1.14E-3 rate for C.

If a generic β-factor of 0.1 is assigned to air operated valves (1), this is equivalent to the following failure statement: given an air-operated valve in train A fails, there is a 10% chance that the same valve in train B will fail from the same cause. Requantifying under this assumption would produce a PCC failure probability for case 1A of 1.06E-4, some 70 times higher than the total from all causes in SSPSA Table D.4-11. Cases 1B and 1C would also have much higher failure probabilities under this assumption.

The large increase in PCC failure probability suggested by this requantification presents a dilemma. It is not recommended that these requantified failure rates be adopted for recalculating the SSPSA core melt probability because several important factors which could influence the validity of such requantification remain unknown. These factors are: (1) Does failure of any single one of the air-operated valves in question actually fail the PCC train? These valves merely isolate nonessential heat loads from the PCC train and do not directly interrupt PCC operation. It seems unlikely that failure to isolate one of the nonessential loads would prevent the PCC train from providing adequate cooling to essential loads. However, insufficient information was found in the SSPSA to establish these failure criteria. (2) What is a realistic β-factor for the air-operated valve failure mode assumed in the SSPSA (failure to transfer to the failed position - see item 2 preceding)? (3) Is it likely that manual correction of failed AOVs could be accomplished since it appears that even if eventual PCC train failure would result from an AOV failure, substantial time would likely be available before it occurred? The issue of PCC failure from AOV common cause is considered to remain an open item.

(1) Reference 18 estimates a β-factor of 0.2 for the air operated valve failure mode "failure to open, close, or operate".
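The requantification in item 5 can be reproduced with the standard β-factor split applied to the AOV portion of element C in the (AB+C)(AB+C) logic. This Python sketch is an added example, not part of the original review or the SSPSA; the 0.90 AOV share of C is an assumption (the review says only "over 90%"), so the result lands near, not exactly at, the review's 1.06E-4, and all function names are illustrative.

```python
"""Beta-factor sensitivity of the two-train PCC logic (AB + C)(AB + C)."""

# Values quoted in the review for boundary condition 1A (Table D.4-7).
A = 8.21e-4   # first element of the parallel pump paths
B = 3.74e-3   # second element of the parallel pump paths
C = 1.14e-3   # failures external to the pump paths (corrected sum)

# ASSUMPTION: the review states AOVs are "over 90%" of C; 0.90 is a lower bound.
AOV_SHARE_OF_C = 0.90


def train_unavailability(a, b, c):
    """One train fails if both pump paths fail (A and B) or element C fails.
    Rare-event approximation: probabilities are summed, not unioned."""
    return a * b + c


def common_cause_term(c, ccf_share, beta):
    """Probability that the CCF-susceptible part of C fails in BOTH trains at once."""
    return beta * ccf_share * c


def system_unavailability(a, b, c, ccf_share=0.0, beta=0.0):
    """Two redundant trains with a beta-factor applied to a share of C.

    The susceptible failure rate q = ccf_share * c is split into an
    independent part (1 - beta) * q, which stays inside each train, and a
    common part beta * q, which fails both trains together.
    """
    common = common_cause_term(c, ccf_share, beta)
    independent_train = train_unavailability(a, b, c - common)
    return independent_train ** 2 + common


def ccf_fraction_of_total(a, b, c, ccf_share, beta):
    """Share of system unavailability that comes from the common cause term."""
    total = system_unavailability(a, b, c, ccf_share, beta)
    return common_cause_term(c, ccf_share, beta) / total


def crossover_beta(a, b, c, ccf_share, iterations=80):
    """Smallest beta at which the common cause term equals the independent
    two-train product, found by bisection on [0, 1]."""
    def gap(beta):
        common = common_cause_term(c, ccf_share, beta)
        return common - train_unavailability(a, b, c - common) ** 2

    low, high = 0.0, 1.0
    for _ in range(iterations):
        mid = (low + high) / 2.0
        if gap(mid) < 0.0:
            low = mid
        else:
            high = mid
    return (low + high) / 2.0


def sweep(betas, a=A, b=B, c=C, ccf_share=AOV_SHARE_OF_C):
    """Return (beta, system unavailability, CCF fraction) for each beta."""
    return [
        (beta,
         system_unavailability(a, b, c, ccf_share, beta),
         ccf_fraction_of_total(a, b, c, ccf_share, beta))
        for beta in betas
    ]


if __name__ == "__main__":
    baseline = system_unavailability(A, B, C)
    print(f"AB                      = {A * B:.2e}")
    print(f"independent (AB+C)^2    = {baseline:.2e}")
    for beta, q_sys, frac in sweep([0.0, 0.01, 0.0365, 0.1, 0.125, 0.2]):
        print(f"beta={beta:<6} Q_sys={q_sys:.2e}  "
              f"x{q_sys / baseline:5.1f}  CCF share={frac:5.1%}")
    print(f"crossover beta          = "
          f"{crossover_beta(A, B, C, AOV_SHARE_OF_C):.2e}")
```

The ratio printed here is against the independent (AB+C)(AB+C) product, not against the SSPSA Table D.4-11 total that the review compares with.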

3.6.2.4 Instrument Air System

This system, as described in SSPSA Section D.5, supplies compressed air for pneumatic instruments and controls. The IAS is not a safety system in that its availability is not required to prevent core damage for any initiating event. Furthermore, failure of the system leads only to a loss of feedwater and closure of steam dump (to condenser) valves. Other valves supplied by the system transfer to the "safe" condition upon loss of air pressure. The feedwater loss frequency caused by loss of IAS is assumed to be included, according to SSPSA Section D.5, in the overall feedwater loss frequency. This appears to be a valid assumption. As shown in Table 3.6-3, no IAS failure data were found to compare with the SSPSA result. Thus, a review of the SSPSA quantification was undertaken.

The only apparent reason for considering the IAS is for those particular accident sequences wherein core cooling might be restored by operation of the secondary cooling system (i.e., restoration of feedwater and steam dump to the condenser). In order to effect such restoration, the IAS must be operating in order to manipulate the appropriate valves. In examining the dominant accident sequences in SSPSA Table 2.3-5, failure of the IAS does not appear in any sequence. For most important sequences (i.e., loss of offsite power, LOCAs), the IAS is not even considered because it is assumed to fail as a consequence of the initiating event (loss of offsite power) or will not influence accident recovery (LOCAs). Thus except for the possibility that the IAS failure probability could be significantly increased, the system will have no influence on the SSPSA results. As a result of this evaluation, review of the IAS was limited to a brief review of the Section D.5 quantification. No apparent deficiencies were found in the SSPSA assessment.

3.6.2.5 Reactor Trip

The reactor trip system (RTS) failure probability is considered in SSPSA Section D.5, which also includes the engineered safety features actuation system and the solid state logic protection systems. Each of the three systems is considered separately in Section D.5, and they will be considered in separate subsections of this review (see 3.6.2.6 and 3.6.2.7 following).

As indicated in Table 3.6-3, the RTS failure probability was assessed in the SSPSA at 5.55E-4/demand. This value is higher than any of the other four results shown in the table, although it is only a factor of 3 higher than the Zion assessment. However, as pointed out previously, the RTS failure appears in only one dominant sequence according to SSPSA Table 2.3-5. This sequence has a probability of 1.9E-6/yr, which is less than 1% of the total CMP. (The sequence is also listed as having a negligible contribution to risk.) Thus, reducing the RTS probability to be consistent with other values, if such a reduction was found to be appropriate, would not have any significant influence on either core melt probability or risk. Conversely, an increase in the RTS failure probability, considered unlikely in view of the relatively high failure probability used in the SSPSA, would not appear to change the CMP results unless the increase was significant (greater than a factor of 10). This conclusion is based on the fact that, according to SSPSA Table 13.2-12, reactor trip occurs in only 2 sequences of the top 40 contributing to core melt. The total contribution from these two sequences is only 1.3% of the total CMP.

As a result of this insensitivity of the CMP and risk results to RTS failure probability, a detailed review of the RTS failure probability as provided in SSPSA Section D.6 was not performed. Rather, a more general examination was undertaken to identify any gross errors, unjustified assumptions, or invalid analysis. This review did not result in finding any major problems, and the SSPSA result is considered acceptable within the context of the preceding discussion.

The review did result in the identification of several apparently minor discrepancies, as follows:

1. Reactor trip system success is defined on SSPSA pg. D.6-2 and again on pg. D.6-23 as no more than one control rod failing to insert into the core upon demand. This criterion appears exceedingly conservative and is not consistent with the subsequent analysis. For example, on Pg. D.6-22, under "assumptions", it is stated that "the top event of interest for the RTS is failure of two or more control rods to insert ...", and on Pg. D.6-35, the failure of all possible combinations of two or more control rod assemblies is quantified. (The SSPSA apparently means control rod assembly when using only the term control rod.) No basis is provided to justify the failure assumption of either one, or two or more control rod assemblies failing to insert.

2. On SSPSA pg. D.6-22, the failure of rods to insert is assumed to be due to either failures of drive mechanisms to release rods or failure of trip breakers to open. It appears that an additional important failure mechanism is failure to fully insert under gravitational influence given that the assemblies are released. This failure mode appears significant based on available data (12). However, the SSPSA control rod failure rate (3.26E-5/d) based on proprietary data is equivalent to the LER (12) rate (4.6E-5/d, see Table 3.6-1). It thus appears that the SSPSA rate includes this mode of failure.

3. On SSPSA pg. D.6-23, it is stated that the relationship between RTS, ESFAS, and SSPS is shown in Figure D.6-1. However, no explanation is provided to aid in understanding the figure, and its interpretation is difficult.

4. The result of this quantification of "all possible combinations of two or more rods failing to insert upon demand" is provided on SSPSA pg. D.6-35. However, no details of the quantification are provided, and it does not appear possible to verify the result from the information given.

5. The basis or justification for several RTS assumptions is not provided, including 30-minute testing interval for each RTS train (SSPSA pg. D.6-4), maintenance duration of 15 minutes (D.6-47) and infrequent trip breaker maintenance (D.6-47).

6. In quantifying common cause failure contributions for the RTS (SSPSA pg. D.6-52), no consideration is provided for either failure of drive mechanisms to release, or failure of rod assemblies to insert, given release.

3.6.2.6 Solid State Logic Protection System (SSPS)

No alternate failure rate could be found for the SSPS rate as indicated in Table 3.6-3. Failure of the SSPS does appear in one of the dominant accident sequences as indicated in SSPSA Table 2.3-5. This sequence is identified as loss of main feedwater followed by SSPS failure and is assigned a core melt probability of 8.3E-6, which is about 3.6% of the total CMP. Since the SSPS does appear in a dominant sequence and since no alternate source was found for failure rate comparison, a review of the SSPS quantification for this system was undertaken. The failure quantification is provided in SSPSA Section D.6.

The SSPS monitors various plant parameters and provides actuation signals to the reactor trip system and the engineered safety features actuation system when these parameters exceed certain limits, indicating the onset of accident conditions. The failure probability of the SSPS was evaluated in the SSPSA for six classes of accident initiating events including large/medium LOCA, steam line break inside containment, small LOCA, steam generator tube rupture, steam line break outside containment, and transient. For all of these events, the failure probability of the SSPS was estimated to be between 8.54E-7/d and 3.95E-4/d. When this rate is combined with the initiating event frequencies used in the SSPSA (see SSPSA Table 6.6-2), the resulting accident sequence probabilities are exceedingly low except for the transient initiated events. Except for the transient initiated sequences, the sequence probabilities would have to be increased some three orders of magnitude to begin to contribute to core melt. As a result of this determination, the SSPS failure probability assessment was given only a quick overview (except for the case of transient initiators) to determine if any discrepancies were obvious which could cause the very large increase in SSPS failure probability required to produce significant sequence probabilities. None were found.

For the case of SSPS failure in conjunction with transient initiated accidents, the review was more detailed due to the increased potential for contribution to the core melt probability. The "unavailability expression" due to independent hardware contributions for the SSPS for the transient initiated case is given on SSPSA pg. D.6-38 as:

4(PC)^3 + INV^2 + PS^2 + LC^2 + 2(LC)(PS)

where

PC = Failure to generate a signal which triggers the SSPS. In this case the signal is low steam generator level (2 of 4 low low level signals).
INV = Inverter train failure, which consists of power supply, instrument bus, and circuit breakers.
PS = Power supply failure
LC = Logic channel failure

This unavailability expression appears valid.

Using the above expression and values derived for each of the elements, the SSPSA computes an unavailability of 8.5E-7/demand for the SSPS. In reviewing the component failure rates used to compute the failure probability, the only rate which appeared to be outside the range of alternate data sources was the power supply. In this case, the SSPSA used 5.33E-5/hr (see SSPSA Table D.6-5 and Pg. D.6-36), while alternate data sources suggest a value of about 3E-6/hr (see Table 3.6-1). Using this latter value would produce a significant reduction in the SSPS unavailability due to independent hardware contributions as quantified by using the unavailability equation. However, as illustrated by SSPSA Table D.6-6, the major contribution to SSPS failure is human error (miscalibration), estimated at 2.07E-6 as quantified in SSPSA Section D.6.3.2.2.2. This result contributes over 70% to the total SSPS unavailability. Thus, reducing the independent hardware contribution as a result of a reduction in the power supply failure probability would not have a significant impact on the total SSPS unavailability estimate.

The human error contribution to SSPS unavailability for transient initiated sequences was reviewed. As indicated previously, this contribution dominates the SSPS unavailability. The estimate of the human error contribution, as provided in SSPSA Section D.6.3.2.2, was found to be reasonable, although large uncertainties are obviously associated with the estimate (see also Section 3.5 of this report for a general assessment of human error considerations in the SSPSA).

Two additional contributors, maintenance and common cause, were also considered in the SSPSA. The maintenance contribution was estimated to have a very small contribution (1.77E-9 per SSPSA Section D.6.3.3.1.2), and this result appears reasonable. However, the common cause contribution appears invalid and incomplete.

The SSPS common cause contribution is considered in SSPSA Section D.6.3.4. Other than external events, which are dismissed, only one paragraph is devoted to the SSPS common cause contribution (Pg. D.6-52). In this paragraph, only the logic channels are considered, and it is stated that "...the failure rate for a logic channel is so small that the common cause unavailability contribution is insignificant in comparison to the common cause instrument miscalibration contribution." This conclusion is not quantified and does not appear valid. The failure rate for logic channels is, according to Page D.6-36, 8.52E-5 per demand. Using the "generic" beta factor (0.125 per SSPSA Table 6.3.2) since no value is given specifically for logic channels, produces a contribution of 1.1E-5 for failure of both logic channels. This failure element appears in the "unavailability expression" considered earlier. Obviously, this result is not "insignificant" and would, in fact, dominate the SSPS unavailability, being almost four times larger than the current SSPS result. Furthermore, a similar common cause treatment for power supplies and inverters which are not considered in the SSPSA would increase the SSPS unavailability further.

In summary, it is concluded that the SSPSA assessment of SSPS unavailability for transient initiators is deficient in that common cause failures are not adequately treated. The deficiency could have an influence on the core melt probability. Requantification of the unavailability would require deriving appropriate β-factors or validating the use of the "generic" values for redundant SSPS components required for transient events. Such a derivation is beyond the scope of the review.

In reviewing the SSPS unavailability estimate as provided in the SSPSA, several problems in addition to the common cause deficiency were found. All of these were assessed to not have a significant influence on the important results. They are as follows:

1. For some initiators (e.g., large break LOCAs), the SSPS actuation relies on pressure sensors in the pressurizer. It was determined previously in Section 3.6 that the SSPSA pressure sensor failure rate was optimistic compared to alternate data sources. However, raising the SSPSA pressure sensor failure rate (7.6E-6) by a factor of 10 to be consistent with other rates did not increase the probability of any accident sequences to a significant level.

2. On SSPSA pg. D.6-48, the maintenance frequency is 2.93E-6/hr and is said to be based on the logic channel failure probability. However, this probability is 2.7E-6/hr according to SSPSA pg. D.6-36.

3. The basis for the probability distribution used to describe various testing time intervals (equation on middle of SSPSA pg. D.6-41) is not provided.

3.6.2.7 Engineered Safety Features Actuation System

The ESFAS unavailability quantification is presented in SSPSA Section D.6. The function of the ESFAS is to relay actuation signals to various engineered safety systems to mitigate the effects of accident conditions. The ESFAS receives an input signal from the SSPS (see Section 3.6.2.6 preceding) which causes the generation of the actuation signals.

The unavailability estimate in the SSPSA for the ESFAS is 6.3E-5/d. As shown in Table 3.6-3, this estimate is generally consistent with similar unavailabilities from alternate sources. Total ESFAS failure does not appear in any of the SSPSA dominant accident sequences, although failure of one (of two) train in conjunction with additional unrelated failures does appear in two sequences; the core melt probability contribution from each of these sequences is less than 1% of the total. Thus, a reduction in ESFAS unavailability would not influence the SSPSA results, and any increase in unavailability would have to be quite large (> a factor of 10) to have an influence on the total core melt probability. As a result of this insensitivity of the core melt probability to the ESFAS unavailability, the ESFAS review was not comprehensive. Rather, a screening was performed to determine if any discrepancies existed with the potential for a large increase in unavailability. No such discrepancies were found from the review, and the ESFAS unavailability quantification appears reasonable. During the review, several minor discrepancies were found, as follows:

1. The ESFAS success criteria as described on SSPSA pg. D.6-4 appear quite conservative. Some of the actuation functions would not have any influence on the core melt probability, such as containment sprays, containment isolation, and main steam isolation.

2. The quantification of the unavailability expression for transient initiators (SSPSA Section D.6.3.1.3.6) on Pg. D.6-40 includes an intermediate step in which numerical quantities are substituted for the alpha identifiers in the equation for ESFAS (T1). This step (which is not supplied for any of the other quantifications) is incorrect in that only the first two terms of the equation (which includes 5 terms) are listed. The result (1.89E-6), however, appears to be reasonable (use of mean values for all quantities yields 5E-7).

3. On SSPSA pg. D.6-54 it is stated that "For the ESFAS, no single cause of failure dominates, with common cause failures and random failures contributing about equally." For transient initiated accidents, the statement is incorrect. As can be seen from SSPSA Table D.6-6, hardware failures contribute only 3% to the total unavailability, while common cause failures contribute essentially all of the remainder.

3.6.2.8 Containment Enclosure Air Handling System

The containment enclosure air handling system is described, and its unavailability quantified, in SSPSA Section D.7. The system consists of two generally independent subsystems which are considered separately, the containment enclosure cooling system (CECS), and the containment enclosure emergency air cleaning system (CEEACS). The CECS provides pump room cooling for some important support systems, including charging, safety injection, residual heat removal, and containment spray. Thus, the system can be an important support system for some accident sequences in which sustained operation of these safety system pumps is required to prevent core damage. The CEEACS, on the other hand, performs no function related to the prevention of core damage accidents but rather acts to limit the release of radioactivity during accident conditions. This review, therefore, concentrated on the CECS unavailability quantification.

As indicated in Table 3.6-3, very little data on CECS or CEEACS unavailability could be found from alternate sources. The only other datum found was a failure rate for the Sequoyah air cleaning system. This rate is quite comparable to the Seabrook rate. (The Sequoyah rate is equivalent to 6.7E-6/24 hr vs the Seabrook rate of 3.19E-6/24 hr.)

The loss of CECS does not appear in any of the 43 most dominant core melt sequences as listed in SSPSA Table 13.2-12, nor does it appear in any of the 14 leading sequences contributing to latent fatality risk in SSPSA Table 2.3-5. Thus, a reduction in CECS unavailability would have no effect on core melt probability or latent risk, and any increase would have to be significant (> a factor of 10) to impact the results. Thus, only discrepancies with the potential for resulting in a large increase in CECS unavailability would have any impact on the SSPSA results. Accordingly, the CECS unavailability review was limited to a screening effort to find only these large potential problems.

The review did not disclose any discrepancies in either the CECS or CEEACS unavailability quantification as described in SSPSA Section D.7 with the potential for a large increase. During the course of the review, however, several minor problems were encountered, as follows:

1. The success criteria on SSPSA pg. D.7-1 include the provision that at least one train of the CECS must operate for 24 hours. This provision seems inconsistent with assumptions made regarding the requirements for ECCS pump room cooling supplied by CECS. For example, Section D.7 states that the charging pumps, safety injection pumps, and RHR pumps will not fail for at least six hours after loss of room cooling (see also expanded discussion of this assumption in Section D.7 following), and mission times of from 1 to 24 hours (depending on the assumed accident and ECC system) are required.

2. It is stated on SSPSA pg. D.7-10 that "No credit is taken for operator action to recover failed equipment over the period of this analysis." However, on Pg. D.7-18, credit is given for operators to diagnose a failed train and take action to actuate the standby train. Furthermore, it appears that no human error contribution is considered for this action. Two hours is said to be available for standby train startup. However, Section D.8 states ECCS pumps will operate for longer than six hours with no room ventilation.

3. On SSPSA pg. D.7-18, boundary conditions 2B, 2C and 2D are identified as those states wherein one emergency bus and the other PCC train is disabled. These appear to be incorrect based on the Table on Pg. D.7-9 in conjunction with the discussion on Page D.7-10.

4. The operability states listed on SSPSA pg. D.7-9 include T signal failures for trains A or B with opposite train failure from PCC trains (states G and H). However, these are not considered failed states from the assessment on Page D.7-10.

5. The common cause contribution from failure of the operating train and failure of the standby train to operate (given successful start) is not considered, and no discussion is provided for this possibility.

However, assuming a generic B-factor of 0.125 for this case would increase the failure probability by only about a factor of 2.

3.6.2.9 Emergency Core Cooling Systems

The Emergency Core Cooling System reliabilities are considered in SSPSA Section D.8. The systems considered include the chemical volume control system (CVCS), safety injection system (SIS), accumulators, and residual heat removal system (RHR). These systems, in various combinations, are used to provide core cooling for various accident conditions, including loss-of-coolant accidents, steam generator tube ruptures, and various transient events. The emergency core cooling function can be conveniently divided into two operating modes. These modes are (1) injection, wherein coolant is injected by the ECCS into the reactor coolant system from an external water supply, and (2) recirculation, in which coolant is supplied to the RCS from the containment sump. For each accident class considered, the SSPSA examines the injection and recirculation modes separately although there is obvious dependence between the two since much of the same system hardware is needed for both modes.

The SSPSA considers four accident classes: large LOCA, medium LOCA, small LOCA and transients, and ATWS. In each case except ATWS, the injection and recirculation ECCS failure probabilities are quantified separately. For ATWS, the recirculation mode of ECCS is not required.

The SSPSA assessment of ECCS unavailability as provided in SSPSA Section D.8 is a lengthy, comprehensive and complex assessment which was found to be confusing and difficult to review in detail. In order to concentrate the review in those areas which appeared to have the greatest potential for changing the SSPSA results, an examination was undertaken of: (1) the significance of the ECCS systems in terms of CMP and risk contribution, and (2) the unavailability results for the systems as compared to similar quantifications from alternate sources. From this examination, those ECC systems which have both a significant effect on risk and unavailabilities which are not consistent with alternate evaluations are candidates for in-depth review.

According to SSPSA Table 13.2-11, only small LOCAs (of the three LOCA categories) and transients are significant risk contributors. Neither ATWS nor large and medium LOCAs appear in the table which includes initiating events which contribute more than 0.8% to the total core melt probability. Thus, core melt accident sequences involving large and medium LOCAs or ATWS followed by ECC failure are not contributors to the core melt probability, and the failure probability of ECC systems involved in these sequences would have to be raised by more than a factor of 10 before such sequences would begin to contribute to CMP. Further, according to Table 2.3-5 of the SSPSA, no LOCA sequences are contributors to early or late fatality risks.

SSPSA Table 2.3-5 indicates that the three small break LOCA sequences which contribute to core melt involve failure of the RHR system. In one case, failure of the total RHR system is included, and in the other two cases, one RHR train coupled with failure of the actuation system to start the alternate train is the failure mode.

Examination of Table 3.6-4 of this report reveals that the ECC system failure rates as quantified in the SSPSA for the seven combinations of accident initiators are generally consistent with the results of alternate evaluations except for large LOCA recirculation and small LOCA injection. For ATWS no comparison could be found, and for medium break LOCAs, no quantification appears to exist in the SSPSA. In the two cases which appear inconsistent, the SSPSA rate seems lower than others, although considerable variation exists in all of the comparisons.

As a result of the foregoing evaluation, a more thorough review was given to the quantification of ECCS injection for the small break LOCA than for other ECCS modes. However, no problems were identified in SSPSA Section D.8 of the SSPSA which had the potential for large changes in any of the ECCS failure


Table 3.6-3
( ) designates footnote
COMPARISON OF SUPPORT SYSTEM FAILURE RATES
System    SSPSA    WASH-1400[3.3]    Sequoyah[3.17]    Zion[3.7]    MP-3[3.8]    Other

1. Emergency Core Cooling:

Large LOCA Injection 4.35E 3/hr 5.6E-3/d 1.9E-3/d 4.7E-4/20 min (li) 7.4E 4(I3) Recirculation 6.65E-4III 1.X-2/24 hr. 4.6E-3(I3) 3.7X -3/24 hr. X-3 Medium LOCA w Injection 5.6E-4(2)/2 hr. II) 9.5E-3/d 3.5E-3II3) 7.4E-9II3) 5.67E-5II3) f us Recirculation 1.06E-3I3)/2 hr.1.X-2/24 hr. 8E-3II3*I4) 3.7X-3/24 hr. 5.85E-3/24 hr. W ATWS Small LOCA/Transfent Injection 9.43E-5(4)/6 hr. 8.6E-3/d 3.5E-3II3) 7.4E-9II3) 5.67E-5(I3) 1.X-3(15] Recirculation 3.9E-4(5) 9E-3/24 hr(II) E-3(13.I4) 3. K -4/24 hr. 5.85E-3/24 hr

2. Emergency Feedwater 6.76E-6/9 hr. 3.5E-5/8 hr. IE-5(I3) 4.2E-6(13) 6.8E-5(I3) gg(dh5) .
3. RCS Pressure Rollef:

Feed a 81eed 1.05E-2/d Severe ATWS l.56E-3/d 3E-5(8)/d . ATWS 9.85E-4/d Restating after ATWS 5.86E-2/d IE-2/d Chemical Shutdown 5. 74E-4/d 8.6E-3(9)/1 hr. fn ATWS 4 Main Steam System: Secondary cooling 1.82E-4(6)/d MSIV isolation 8.98E-5/d 1.5E 4/d(16)l.2E-3/d(15) 5.G. Isolation for 8.16E-6/d SGTR Safety valve action 9.28E-3/d for SGTR (steam) ' Safety valve action 2.01E-l/d for SGTR (water)


Table 3.6-4 (Cont.)
( ) designates footnote
[ ] designates reference documentation.
COMPARISON OF SUPPORT SYSTEM FAILURE RATES
System    SSPSA    WASH-1400[3.3]    Sequoyah[3.17]    Zion[3.7]    MP-3[3.8]    Other

4. Main Steam System (Continued)

Safety valve action 4.72E-8/d for ATWS Turbine trip 4.49E-6/d

5. Contafnment Building Spray injection 7.25E-4/1 hr. 2.4E-3/0.5 hr. 1.7E-3(13) 5.5E-5(l'3) 3.2E-4(13) w cn Recirculation 2.27E-4/168 hr. 1.0E-4/24 hr. 3.3E-3(13,15) 1.6E-3il3) 2E-3/24 hr.
 $  6. Containment isolation 2.99E-4/d         2.4E-4/d(12)

(1) Includes containment sump availability, cold leg recirculation tsu} for time periods equal to or greater than Ju min. (18 hrs.), and RHR cooling for 23 hrs.
(2) Includes high pressure injection systems, RWST availability,
(3) Includes CVCS for 2 hrs.
(4) Includes high pressure injection (6 hrs.), RHR miniflow recirculation (16 hrs) and RWST available (6 hrs.)
(5) Includes high pressure recirculation systems (8 hrs.), containment sump (18 hrs.), RHR pumps (18 hrs), RHR cooling pumps (24 hrs)
(6) Following loss of offsite power
(7) Could not be found
(8) Rate for failure of safety and relief valves to open
(9) CVCS operates
(11) Includes switch to hot leg recirculation
(12) Failure to reduce leakage below 4" diameter hole equivalent
(13) Time interval not specified
(14) Includes failure to realign to hot leg recirculation after 24 hrs.
(15) Dominated by design features unique to ice condenser containment
(16) Steam line break outside containment
(17) Does not include accumulators at a rate of 9.5E-4/d
(18) Includes a diesel-driven train in addition to two MD trains

modes, including injection for the small break LOCA. One reason for the somewhat lower SSPSA ECCS failure rate for small breaks is the capability of the plant to use either the CVCS or the SI system (one of two trains in either system) for recovery from small break LOCAs. During the course of the review, several apparent deficiencies were found, none with an obvious potential for significant changes in ECCS failure rates. These are as follows:

1. The basis for many assumptions and conditions is not provided. These include:

   Failure of PCC cooling fails SI pump in 5 minutes (Pg. D.8-5).

   SI pumps assumed to fail "at some time longer than 6 hrs" if containment enclosure cooling system fails (Pg. D.8-5).

   Failure of PCC during RHR miniflow "is assumed to fail RHR pumps within 1 hour." (Pg. D.8-8).

   CVCS pumps will fail during recirculation "at some time longer than 6 hrs" if containment enclosure cooling fails (Pg. D.8-10).

   Automatic valves (MOVs) failing by transferring open is not considered as a failure mode (Pg. D.8-20). (A check of the failure rate for the mode as given in Table 3.6-1 herein indicates that this failure mode should not be a significant contributor.)

2. It does not appear that the ECCS failure mode for medium LOCA recirculation has been quantified. No failure expressions for this mode are provided in SSPSA Subsection D.8.2.3.2 and do not appear to be provided elsewhere. However, the unavailability for this mode should be similar to that for the large LOCA case and would thus not be a contributor.

3. It was determined during the review of common cause contributions (SSPSA Section D.8.3.4) that B-factors used for two ECCS components appeared to be inconsistent with alternate sources and also with the "generic" B-factor (0.125) used in the SSPSA. These two components were (1) the high pressure injection pumps where a B-factor of 0.0588 was used for fail to start and 0.0640 for fail during operation, and (2) the RHR pumps, where a B-factor of 0.0667 was used for fail to start. A description of the derivation of B-factors and values from alternate sources is given in Section 3.10 of this report, along with an evaluation of the B-factors used in the SSPSA.

To determine if B-factors more consistent with alternate data for the high pressure and RHR pumps would have a significant effect on system failure probabilities, the common cause failure contributions as presented in Section D.8.3.4 were requantified using B-factors of 0.125 for both components. This requantification produced no significant (less than a factor of 2 in all cases) change in the ECCS failure probabilities for those systems and modes which employ the high pressure or RHR pumps.
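The sensitivity of a redundant pump group to the choice of B-factor can be illustrated with the standard beta-factor common cause model. The Python sketch below is an added example, not the SSPSA's or the reviewers' calculation (the SSPSA failure expressions are not reproduced in this report); the B-factors are the ones quoted above, while the per-train failure probability `q`, the two-train arrangement and the `q_other` contribution are constructed assumptions.

```python
"""Beta-factor sensitivity check (added illustration; inputs marked constructed)."""

GENERIC_BETA = 0.125  # generic B-factor quoted in the text

# B-factors quoted in the text for the ECCS pumps.
SSPSA_BETAS = {
    "hpi_fail_to_start": 0.0588,
    "hpi_fail_during_operation": 0.0640,
    "rhr_fail_to_start": 0.0667,
}


def redundant_failure(q, beta, n=2):
    """Probability that all n identical trains fail (beta-factor model).

    q    -- total failure probability of one train
    beta -- fraction of q attributed to common cause
    The independent part of each train is (1 - beta) * q; the common
    cause part, beta * q, fails every train at once.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a probability")
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    if n < 2:
        raise ValueError("redundancy needs at least two trains")
    independent = ((1.0 - beta) * q) ** n
    common_cause = beta * q
    return independent + common_cause


def system_failure(q, beta, n=2, q_other=0.0):
    """Rare-event sum of the redundant group and any other contributors.

    q_other stands for failure paths that do not depend on beta
    (for example a shared suction valve); it is a constructed input.
    """
    return redundant_failure(q, beta, n) + q_other


def requantification_factor(q, beta_old, beta_new=GENERIC_BETA, n=2, q_other=0.0):
    """Ratio of the requantified system failure probability to the original."""
    old = system_failure(q, beta_old, n, q_other)
    new = system_failure(q, beta_new, n, q_other)
    return new / old


def eccs_pump_factors(q=1.0e-3, q_other=0.0):
    """Requantification factor for each quoted B-factor.

    q = 1.0E-3 per train is a constructed value, not an SSPSA number.
    """
    return {
        name: requantification_factor(q, beta, q_other=q_other)
        for name, beta in SSPSA_BETAS.items()
    }


if __name__ == "__main__":
    for q_other in (0.0, 5.0e-5):
        print(f"q_other = {q_other:.1e}")
        for name, factor in eccs_pump_factors(q_other=q_other).items():
            bound = GENERIC_BETA / SSPSA_BETAS[name]
            print(f"  {name:28s} factor {factor:5.3f} (upper bound {bound:5.3f})")
    # A group quantified with no common cause term at all (beta = 0)
    # changes by orders of magnitude once one is introduced.
    print("beta 0 -> 0.125:", round(requantification_factor(1.0e-3, 0.0), 2))
```

In this model the factor can never exceed the ratio of the new B-factor to the old one, and any contributor that does not depend on the B-factor pulls it lower; a group that was quantified with no common cause term behaves very differently, because the independent product is so small.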

3.6.2.10 Emergency Feedwater System

The assessment of emergency feedwater unavailability is contained in SSPSA Section D.9. As shown in Table 3.6.1 of this report, the assessed unavailability is 6.76E-6 for the case of no loss of offsite power and 4.34E-4 for loss of offsite power. Each result is for an assumed mission time of 9 hours. These results compare favorably with the other values listed from alternate evaluations in Table 3.6-1. The other values, except as noted, are for loss of offsite power (LOOP) conditions, although for the alternate assessments dependency of offsite power is generally minimal. The Seabrook design is somewhat unique in this aspect of offsite power dependency. The reason for the dependency is that the startup feed system (which utilizes on motor-driven pumps) is unavailable as an element in the emergency feedwater system under LOOP conditions since, according to the SSPSA, lube oil cooling would be lost.

An examination of SSPSA Table 13.2-12 reveals that emergency feedwater failure appears in four sequences which contribute about 2.4% to the total core melt probability (CMP). None of these sequences, according to SSPSA Table 2.3-5, are dominant contributors to early or late fatality risks. Thus, emergency feedwater failure is a small contributor to CMP and not a dominant contributor to risk of fatalities. This result is not consistent with some other PRA results wherein emergency (auxiliary) feedwater system failure was found to be a leading contributor to CMP in sequences involving loss of all ac power. The major reason for this difference appears to be the assumption in the SSPSA that pump seal failures will always occur at Seabrook upon loss of all ac power which lead directly to core melt (if ac power is not recovered) regardless of the status of the emergency feedwater system.

In reviewing the SSPSA quantification of emergency feedwater failure as provided in Section D.1, no problems were found with the apparent potential to change the failure quantification to the extent required to influence the overall SSPSA results. However, several errors and other discrepancies were found, as follows:

1. The discussion on SSPSA pg. D.9-2 regarding the prevention and detection of condensate storage tank freezing is vague and sketchy. The "methods" and "systems" available for detection and prevention are not defined, and failures are expected to be "probably" remedied. No discussion is provided of procedures and tech spec requirements, if any.

2. SSPSA pg. D.9-3 discusses the automatic isolation feature of the emergency feedwater (EF) supply if flow exceeds 450 gpm. The possibility of this feature failing and putting the EF in an isolation condition does not appear to be considered in the subsequent system failure assessment.
3. The penultimate paragraph on SSPSA pg. D.9-4 indicates that both trains of the solid state protection system (SSPS) are required to actuate both emergency feedwater trains. Further, train B is required to actuate either EF train. This appears to disagree with the SSPS assessment wherein system success is defined as a signal from at least one SSPS train (Page D.6-2).


4. SSPSA pg. D.9-15 (1st Paragraph) states that operation of the turbine-driven EF pump is not dependent on a source of power. However, dc power is usually required for monitoring and control. The potential dc power dependence is not considered in the SSPSA.

5. The unavailability quantification on SSPSA pg. D.9-16 includes a statement that failures of the startup prelube oil pump required for the startup feed pump are included "as failures of the startup feed pump". However, the startup feed pump failure rate used is the general rate for motor driven pumps, most of which would not be expected to have a dependency on prelube oil pumps (although the SSPSA data base is proprietary and this cannot be confirmed). However, including a factor for prelube oil pump failure would not appear to have any significance on the failure of emergency feedwater.

6. In assessing the common cause failure contributions, it is stated on SSPSA pg. D.1-32 that a "fire wall partition" separates the two emergency feedwater pumps. In inspecting this area during the Seabrook plant tour on August 29, 1984, no such wall was found to exist. Further, plant personnel indicated that no plans exist to construct such a wall. If this remains the case, fires, missiles, or flooding caused by one pump failure could readily fail the second pump since they are very close together (a few feet). In attempting to assess the potential significance of such failures, it was determined, based on current SSPSA results in Section D.9, that given a failure of the first pump, the failure mode would have to disable the second pump about 10% of the time to produce an emergency feedwater system failure probability approximately equal to the current SSPSA value (4.34E-4). This 10% contribution would appear to be quite high for such failures.

3.6.2.11 Reactor Coolant Pressure Relief

The reactor coolant pressure relief system failure probability is considered in SSPSA Section D.10. Three pressure relief scenarios are considered: (1) feed and bleed cooling, (2) ATWS (including severe ATWS), and (3) recovery from ATWS (including reseating of valves and opening of PORVs to allow CVCS operation).

According to Table 3.6-4 of this report, the only comparable evaluation of pressure relief unavailability which could be found is from WASH-1400. This comparison indicates the SSPSA probabilities may be too high.

An examination of SSPSA Tables 13.2-12 and 2.3-5 reveals that the reactor coolant system pressure relief function does not appear in any of the dominant sequences for either core melt probability or fatalities. Thus, any reduction in pressure relief unavailability would have no effect on SSPSA results, and any increase would have to be significant in order to influence the results.

The pressure relief unavailability assessment in the SSPSA is almost exclusively dominated by valve failure probabilities, either failure to open, failure to close, or transferring closed. The valves of interest in this regard are the two PORVs, the two block valves in series with the PORVs (both MOVs), and the three safety relief valves. As indicated in Table 3.6-1, the SSPSA failure rates for these valves appear reasonable based on comparisons with alternate data sources although large variations exist in some cases.

A review of the reactor coolant pressure relief unavailability as presented in the SSPSA disclosed no significant discrepancies. However, some minor problems were found, as follows:

1. The feed and bleed success criteria (SSPSA pg. D.10-1) assume only that the two PORVs need to open. However, for some feed and bleed scenarios, cycling of these valves may be required.

2. No basis is provided for the fraction of the time (0.1) a block valve is assumed to be closed due to PORV leakage (designated "f" on SSPSA pg. D.10-5). To determine the influence of this assumption, a sensitivity study was performed. It was found that the results are not sensitive to the assumed value for "f". For example, it could be raised to a value of 0.5 and would only increase the pressure relief unavailability a maximum of 25% considering all cases.

3. No consideration was given in the SSPSA assessment for the case where both block valves might be closed due to PORV leakage. (According to Pg. D.10-3, technical specifications would allow continued operation under such conditions). To determine if such a condition might contribute to the pressure relief unavailability, an analysis was performed assuming: (1) both block valves would be closed 10% of the time, and (2) a B-factor of 0.125 for the common cause contribution of both block valves failing to open. All other valves were identical to those in the SSPSA. This analysis revealed that only a 10% increase in pressure relief unavailability would result for the case most sensitive to this condition.

4. According to SSPSA pg. D.10-3, power must be removed from the block valves if they are closed following detection of PORV leakage. This power removal is, presumably, to prevent inadvertent reopening of the valves. However, depending on system logic and operator actions required, it may be difficult to open the valves, resulting in an increase in the probability of the valves failing to open. Such a consideration is not included in the SSPSA quantification for the case where block valves are closed (Pg. D.10-5).

3.6.2.12 Main Steam System

Failure probabilities for various modes of operation of the main steam system are quantified in SSPSA Section D.11-1. The main steam system, according to the SSPSA, functions to provide adequate and prevent excessive heat removal from the primary system.

To determine the risk significance of the steam system failure, SSPSA Tables 2.3-5 and 13.2-12 were examined. Four sequences were found in which a main steam system function appeared to be an element in the accident sequence. In all of these cases, however, the function was secondary pressure relief in conjunction with emergency feedwater operation. Further, in all cases, the emergency feedwater failure probability dominated over secondary pressure relief. The emergency feedwater failure probability was assessed at from 1.0 (as a consequence of preceding SSPS failure) to 4.3E-4 for two of the sequences. This compares with a secondary pressure relief failure probability of 4.72E-8 for the ATWS case (a more severe condition than the four accident sequences being considered). The secondary pressure relief failure was not explicitly quantified in SSPSA Section D.5 for accidents represented by the four sequences. Therefore, the various functions of the main steam system do not appear to be significant in terms of core melt accident probability determinations.

As shown in Table 3.6-4 of this report, very few independent assessments of main steam system failure probabilities could be found. For the only two cases where a comparison was found, the alternate value for MSIV isolation is very similar to the SSPS. For the other case, steam generator isolation, the alternate assessment is significantly higher than the SSPSA result, but the accident condition is different (steam generator tube rupture vs main steam line break).

The review of the main steam system failure quantification in SSPSA Section D.11 did not disclose any discrepancy with the apparent potential for changing the overall SSPSA results. However, several less significant apparent discrepancies were found, as follows:

1. The relatively extensive treatment of main steam system functions in the SSPSA is unique compared to most other PRAs and may well be an advancement in PRA completeness. However, the SSPSA does not provide an adequate explanation in Section D.11 of the relationship between failure of the main steam system functions and the progression of severe accidents. In particular, the SSPSA definition of system success criteria (Pg. D.11-1) does not indicate the consequences of failure or what measure of success was actually used. It appears in this regard that failure to meet at least some of the success criteria does not lead to severe core damage accidents.
2. In assessing the common cause contribution for atmospheric relief valves (ARVs), the SSPSA assumes (Pg. D.11-15) that a B-factor of 4.23E-2 is appropriate because "...of the similar complexity of the control circuits of the ARVs and a typical MOV." While this assumption may be valid, it appears questionable and not substantiated by data. The B-factor for MOVs is quite low, almost a factor of 3 less than the generic B-factor (0.125) which is used in the SSPSA for other components which were not explicitly quantified with a proprietary data base. In view of this difference, it was considered appropriate to re-examine those steam relief system functions in which multiple ARV actuations were assumed to be required. Of the six main steam system functions quantified, multiple ARV actuation appears only in the secondary cooling function. Requantifying the secondary cooling function failure probability using a B-factor of 0.125 raises the probability for the offsite power available case to 1.66E-7, a factor of about 2 above the SSPSA result (see SSPSA Table D.11-4) and increases the loss of offsite power case by a factor of about 3 (to 5.35E-4).

3. In assessing the common cause contribution from multiple MSIV failures, the SSPSA assumes again a B-factor of 0.0423 based on "...similar complexity of the control circuits of the MSIV and a typical MOV." As discussed in item 2 preceding, this assumption is questionable and not fully justified. To determine the influence of assuming that the generic B-factor (0.125) applies, the main steam system isolation failure probability for main steam line breaks or turbine trips was requantified (SSPSA Section D.11.3.2, the only instance where multiple MSIV closures appear). This requantification results in an increase of about a factor of 2.4 in the failure probability, to a value of 2.15E-4.

4. The SSPSA argues (section D.11.3.4.?.) that no common cause contribution is expected from multiple failures of main steam system safety valves. The argument is based on the premise that missetting of pressure setpoints would not have any effect because "the magnitude of a missetting error is limited by the spring selection on the safety valves. Also, an error as much as 100 pounds over design pressure does not affect system response in this event." The argument does not, however, indicate what the maximum missetting error actually is and whether this error is within the 100 pound margin. Furthermore, no mechanical common cause contribution (such as multiple corrosion seizing of the valves) is considered. In view of these shortcomings, requantification was undertaken of those main steam system functions involving multiple lifting of safety valves using a B-factor of 0.125. The only instance where such a consideration appears to be of significance is for the case of safety valve action for ATWS. In this case, a requantification using a common cause B-factor of 0.125 for the safety valves produced a result of 4.1E-5 compared to 4.72E-8 as quantified in SSPSA Section D.11.3.5. While this difference is quite significant, the probability of ATWS (on the order of 1E-4) makes the combined probability of ATWS and steam system safety valve failure so low that it would not be a risk contributor even if core melt were assumed to occur.

3.6.2.13 Control Room Complex Heating, Ventilation, and Air Conditioning (HVAC)

The assessment of control room HVAC failures is provided in SSPSA Section D.14. Control room HVAC failures are treated as a failure following the initiation of an accident sequence from other causes. A mission time of 24 hours is assumed for all cases.

Control room HVAC failures do not contribute to any of the dominant sequences for core melt probability or fatality risk as indicated in SSPSA Tables 13.2.12 and 2.3-5. Thus, these HVAC failures were found to be an insignificant contributor to the SSPSA results.

As shown in Table 3.6-1 of this report, no alternate evaluations of control room HVAC failure were found. The SSPSA appears to be one of the few PRAs (perhaps the only one) which provides an assessment of this consideration.

SSPSA Section D.14 concludes that, based on the SSPSA assessment, failures of the control room HVAC "do not significantly affect plant response or operator response to the initiating events of interest". Based on a review of Section D.14, no discrepancies were found which appear to have the potential of invalidating this conclusion. However, several discrepancies, which appear to be minor relative to the overall results and conclusions, were found, as follows:

1. The control room HVAC description provided in SSPSA Section D.14 is inadequate for an understanding of the system operation.
2. It is not clear, as indicated on SSPSA pg. D.14-3, why opening of DP-53A or DP-53B dampers is necessary to restore control room air conditioning on loss of offsite power. These dampers do not appear (SSPSA Fig. D.14-1) to be associated with the air conditioning system.
3. There appears to be little or no basis for some assumptions given on SSPSA pg. D.14-5. These include:

a. failure of vital instrument and control systems is assumed to occur 2 hours after control room high temperature alarms have initiated.

b. during station blackout, vital instrumentation is assumed to last at least 8 hours without operator action. (A personal letter is referenced but not provided to support this assumption.)
4. The quantification of system unavailability from hardware failures (SSPSA Section D.14.3.1) does not provide enough detail. A general formula to cover any number of components is provided, but the specific components considered, and their assumed failure rates are not provided. (This lack of detail is inconsistent with the other system quantifications in SSPSA Appendix D.)

5. The frequency of occurrence for maintenance for the emergency cleanup fans (approximately every four years) seems excessively infrequent. The basis is stated to be in SSPSA Table 6.4-1 (type 4). However, these components are not listed in the table.

6. In assessing the common cause contribution to control room HVAC failures, it is assumed (SSPSA pg. D.14-10) that there is no common cause link between failure of an operating air conditioning train and failure of an identical train (in standby) to start and operate. No basis is provided for this assumption other than the trains "are in different operating modes". Assuming no link between the operating modes of identical trains even if one is initially in standby appears questionable. To determine if consideration of such a common cause contribution could be important, an assessment was done assuming that the second train could fail in the operating mode from the same cause as the operating train. A generic B-factor of 0.125 was assumed. The only case where this consideration applies is no S signal required with offsite power available (Condition 1A as defined on SSPSA pg. D.14-4). The reassessment resulted in a factor of 8 increase in the failure probability of the air conditioning function. However, the SSPSA failure probability for this case (1.2E-10) is so low that the increase would have no effect on the overall significance of HVAC failure.

3.6.3 Conclusions

Based on the review of component failure rates and system failure probabilities as presented in the SSPSA, the following conclusions have been derived. Details pertaining to these conclusions may be found in Sections 3.6.2 and 3.6.3 preceding.

1. The SSPSA component failure probabilities appear, in general, reasonable. While some differences were found in comparison with alternate sources, wide variations were also found among these sources in many instances. The SSPSA component failure rates do not appear, on balance, biased in either the conservative or optimistic direction with respect to alternate data sources. No instance was found in which changing an SSPSA component failure rate to be consistent with alternate sources would make a significant change in the SSPSA results for risk or core melt probability. It should be noted that the data base used, and adjustments made to it for application to Seabrook, is apparently proprietary and not made available for this review. In several cases, no comparative data were found. This is due, in part, to the rather comprehensive treatment of component failure rates in the SSPSA compared to other PRAs and data sources.

2. The mean to median relationship in the SSPSA appeared, for the most part, reasonable. However, in a few cases, this relationship was found to be questionable and not consistent with alternate data. The significance of these differences was not evaluated in this review, but they would not be expected to have any significant impact on results.
3. The system failure rates generally appeared to be reasonable. The SSPS system failure rates did not agree in some cases with alternate sources, and no comparison could be found in others. Further, a persistent concern was found in the treatment of common cause failures. These concerns included: (1) exclusion of passive and other components from common cause failures, (2) use of very low beta factors for some components, (3) no common cause link between different operating modes. In spite of these problems, no instance was found where requantifying the system failure probability resulted in a significant change in the SSPSA results. In a few cases, however, it was not possible to draw definitive conclusions about the influence of these concerns. In numerous instances, as noted in preceding subsections, the SSPSA does not provide the basis for assumptions made in quantifying system unavailabilities.

3.6.3 References for Section 3.6

3.1 National Reliability Evaluation Program (NREP) Procedures Guides, NUREG/CR-2815, Final Draft, September 9, 1982.
3.2 Probabilistic Safety Analysis Procedures Guide, NUREG/CR-2815, Brookhaven National Lab., January 1984.
3.3 Reactor Safety Study, WASH-1400, USNRC, October 1975.
3.4 Data Summaries of Licensee Event Reports of Pumps at U.S. Commercial Nuclear Power Plants, NUREG/CR-1205, January 1980.
3.5 Data Summaries of Licensee Event Reports of Valves at U.S. Commercial Nuclear Power Plants, NUREG/CR-1363, June 1980.
3.6 Generic Data Base for Data and Models Chapter of the National Reliability Evaluation Program (NREP), EG&G-EA-5887, June 1982.
3.7 Zion Probabilistic Safety Study, Commonwealth Edison Co., Copyright 1981.
3.8 Millstone Nuclear Power Station Unit 3 Probabilistic Safety Study, Northeast Utilities, 1983.
3.9 Data Summaries of Licensee Event Reports of Diesel Generators at U.S. Commercial Nuclear Power Plants, NUREG/CR-1362, March 1980.
3.10 Reliability of Emergency AC Power System at Nuclear Power Plants, NUREG/CR-2989, July 1983.
3.11 A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants, NUREG-0666, April 1981.
3.12 Data Summaries of Licensee Event Reports of Control Rods and Drive Mechanisms at U.S. Commercial Nuclear Power Plants from January 1, 1972 to April 30, 1978, NUREG/CR-1331, February 1980.
3.13 "Reliability of the Emergency AC Power System at Nuclear Power Plants", R.E. Battle, et al., presented at International Meeting on Thermal Nuclear Reactor Safety, August 29-September 2, 1982, Chicago, NUREG/CR-0027.
3.14 Reactor Safety Study Methodology Applications Program: Oconee #3 PWR Power Plant, NUREG/CR-1659, G.J. Kolb, et al., Sandia Laboratories, May 1981.
3.15 "Auxiliary Feedwater Systems Reliability", Ebasco Services, presented at International Meeting on Thermal Nuclear Reactor Safety, August 29-September 2, 1982, Chicago, NUREG/CR-0027.
3.17 Reactor Safety Study Methodology Applications Program: Sequoyah #1 PWR Power Plant, NUREG/CR-1659, February 1981.
3.18 Common Cause Fault Rates for Valves, NUREG/CR-2770, EG&G Idaho, Inc., February 1983.

                                                                              ~

3.7 OPERATING EXPERIENCE ANALYSIS

The quantification of system unavailability, event sequence occurrence and public risk provides important results from any PRA. The validity of these results depends on the use of operating experience to derive appropriate failure data. In the SSPSA, operating experience is used as an important input for determining the frequency of initiating events, random failure rates, maintenance unavailabilities, common cause beta factors and human errors. This section provides a review of the use of operating experience in the SSPSA for each of these areas.

A Bayesian method is used to develop the SSPSA data base. For this method, a prior body of knowledge is updated with new evidence to derive a present state of knowledge about a parameter. In this case the parameter is a probability distribution for the frequency of an elemental event, for example, a component failure rate or an initiating event frequency. If the new evidence used to update prior information is plant specific, then the resulting parameter will also be plant specific.

Generally, there are three types of data available for use in a PRA: general engineering knowledge, historical information and plant specific experience. The SSPSA uses industry-wide sources (historical information) as the prior state of knowledge and updates these sources using engineering knowledge of the Seabrook plant, engineering judgement as to the applicability of these data, plant specific information from other PWRs similar to Seabrook, data from other PRAs, and proprietary information. Since Seabrook is currently under construction, no plant specific operating experience is available.

The general sources upon which the SSPSA bases its data are given in the references. The specific data sources, information used and the details of the development of each specific data rate, maintenance frequency, etc. have been retained as proprietary information and are not available for review. The SSPSA data base is reviewed in Section 3.6, Failure Data.

3.7.1 INITIATING EVENTS

Operating experience was used to determine the frequency of the initiating events identified for the SSPSA analysis. There are twenty-four initiating events other than external "events" analyzed. Since Seabrook is not an operating plant, no plant specific operating experience is available. Therefore, estimates of the frequency distributions were largely based on generic industry experience from other operating plants. The primary sources used in this analysis include an EPRI compilation of transient data (Ref. 3.7-8) and Nuclear Power Experience (Ref. 3.7-6).

The initiating events are divided into two general groups. The first group is composed of those events for which the available data from other nuclear power plants were judged to be relevant. The second group consists of those events for which the industry-wide data does not apply. For this group, the frequency of the initiating event was determined from an analysis of the specific Seabrook systems involved, using generic industry data. The two groups of initiating events are listed below.

Group 1 - Initiating Events Quantified Using Data From Operating Nuclear Power Experience

Excessive LOCA
Large LOCA
Medium LOCA
Small LOCA, Nonisolable
Small LOCA, Isolable
Steam Generator Tube Rupture
Reactor Trip
Turbine Trip
Total Loss of Main Feedwater
Partial Loss of Main Feedwater
Excessive Feedwater Flow
Loss of Condenser Vacuum
Closure of One MSIV
Closure of All MSIVs
Core Power Excursion
Loss of Primary Flow
Steam Line Break Inside Containment
Steam Line Break Outside Containment
Main Steam Relief Valve Opening
Inadvertent Safety Injection
Loss of Offsite Power
Loss of One DC Bus

Group 2 - Initiating Events Quantified By Performing Seabrook Specific Systems Analysis

Interfacing Systems LOCA
Total Loss of Service Water
Total Loss of Primary Component Cooling Water

For the Group 1 initiating events, the EPRI study was the principal source of data. The data in this study were reviewed and edited for use in the SSPSA. The editing resulted in the removal of incidents not deemed applicable to Seabrook and the addition of other incidents from other sources. The final result was a list of the number of events and total operating times for each of the 36 PWR plants included in the data base.

The EPRI study, however, was performed for ATWS initiators and does not provide data on LOCA initiators. Therefore, several sources of nuclear industry data including Nuclear Power Experience (NPE) were reviewed to obtain plant population data for these initiators. This data includes several events judged applicable to the SSPSA study that occurred during nonpower operation of nuclear plants.

The loss of offsite power initiating event data were based on review of those incidents at all nuclear power plant sites in the United States. Similarly, the data for loss of one DC bus and steam generator rupture initiating events were obtained from a review of NPE.

The data collected for use in quantifying the Group 1 events were the basic input to the Bayesian data analysis process for the generation of a frequency distribution of each of the initiating event groups. The list of specific incidents and the details of how the frequencies were quantified have been retained as proprietary information and were not available for our review.

The quantification of the Group 2 initiating events was obtained by a Seabrook system specific analysis. This analysis determined the probability of failure of the specific systems involved in the initiating event based on the system components and configuration. The component failure data was taken from industry-wide sources.

Within the framework of the limited information available to us, our review of the use of operating experience in determining the frequency of initiating events at Seabrook identified no major concerns. The methodology employed and the discussion given in the SSPSA are appropriate for the analysis. However, without reviewing the actual data and quantification, a complete assessment of the accuracy, validity and completeness of the analysis could not be made.

The use of nation-wide data for the quantification of the Loss of Offsite Power initiator causes us a minor concern. In the context of the Bayesian procedure, the nation-wide data should be used as the prior distribution and region specific information should be used as the update. This procedure would account for the plants on the Northeast Inter-tie which experience a higher incidence of hurricanes and other severe weather. In light of this discussion, the frequency of the Loss of Offsite Power initiating event could be optimistic.

3.7.2 COMPONENT FAILURES

The SSPSA component failure data was developed for macroscopic component failure modes. Based on the level of detail employed in the system models, macroscopic component failure modes were defined and component failure rates developed that incorporated the various failure modes of each component. For example, the SSPSA MOV failure data incorporates valve mechanical failures, MCC contactor failures, local control circuitry failures, valve motor failures and failures of any other auxiliaries directly associated with the valve or its prime mover.

The data development effort used a Bayesian procedure. A subjective "weighting factor" was assigned to each piece of data, based upon the perceived compatibility of the source with the desired failure rate information. The weights are assigned by assessing either a range factor or sigma parameter for the likelihood function of each source.

The SSPSA indicates that specific failure rate data from nuclear power plants examined in previous and ongoing studies was used along with various industry-wide data compendia. The IEEE STD-500 (Ref. 3.7-2) was mentioned. However, the list of generic data sources specifically used for the development of component failure rates and unavailabilities was retained as proprietary information. A review of the component failure data is given in Section 3.6, Failure Data.

3.7.3 MAINTENANCE DATA

The maintenance data used in the SSPSA was generally based on accumulated experience from other nuclear power plants. Since the Seabrook plant has no operating experience, generic test and maintenance intervals and repair times from a broad base of industry experience were used. These data were then updated using Bayes theorem to account for the Seabrook plant specific system configuration, general test and maintenance procedures, technical specification and administrative restrictions.

The data analysis considered only non-cold shutdown operating conditions. The activities are not delineated; they include repairs experienced during operation, repairs during testing, removal from service for special testing or inspection, minor adjustments, hardware modification, etc.

The SSPSA determines the state of knowledge distributions for the unavailability of components due to maintenance by multiplying the frequency and mean duration of maintenance distributions together using discrete probability distribution (DPD) arithmetic. The frequency and duration of maintenance distributions and the resultant unavailability distributions are developed for the four general component categories listed below.

Type 1 - Standby Pumps, Tested Monthly
Type 2 - Normally Operating Components, Low Failure Rate
Type 3 - Component Requiring Relatively Frequent Maintenance
Type 4 - Component Requiring Relatively Infrequent Maintenance

Within the context of the limited information available to us, our review of the development of maintenance unavailabilities using operating experience found no major concerns. The actual data and analysis has been retained as proprietary information. The methodology employed is valid and the discussion of the analytical considerations indicates completeness.

However, we are concerned with the application of only four maintenance unavailabilities to the many and various components throughout the plant. Our specific concern is the application of a general maintenance unavailability to an important component that has been found from operating experience to be less reliable and require extensive repair. Therefore, important components identified in the systems analysis that have been found to be particularly unreliable and/or that have long repair times should be considered on a case-by-case basis.

3.7.4 COMMON CAUSE FAILURE PARAMETERS (BETA FACTORS)

Dependent failures, such as certain common cause failures, are implicitly treated in the SSPSA by using beta factors to account for their contribution to systems' unavailability. Examples of these common cause failures are design errors, construction errors, procedural deficiencies and unforeseen environmental conditions.

The development of beta factors is based on historical evidence and limited to several key components identified through a review of the systems analysis and their impact on system unavailability.

The main source of data was Nuclear Power Experience (Ref. 3.7-6). Other sources are said to have been consulted, especially in the case of diesel generators, but they are not identified in the SSPSA.

For each key component, the data sources were reviewed to identify actual or potential common cause failures. Appropriate weights were assigned to these failures and posterior distributions of the beta factors were calculated using Bayes' Theorem. The prior distributions used in the calculations were mostly uniform. However, for components with little data, nonuniform "generic" distributions were used. These "generic" distributions are based on the variability of beta factors for several other components judged representative of typical components and failure modes.

The details of the collected data and classification of events as well as the development of the beta factor distribution for each component have been retained as proprietary information, and not provided for the review.

Our review of the use of operating experience for the development of beta factors found no area of concern. For the beta factor treatment of dependent failures, the methodology and discussions in the SSPSA, to the extent given, are valid and complete. However, a thorough assessment of the data and development of the beta factors could not be performed due to the fact that this information is proprietary and it was not made available for review.

3.7.5 HUMAN ERRORS

Operating experience provides an important input to the quantification of human errors in nuclear power plants. The principal source of information used in the SSPSA is the Nuclear Regulatory Commission human reliability handbook (Ref. 3.7-7). This work provides qualitative and quantitative information for assessing human performance in numerous situations.

In the SSPSA, lognormal distributions of human error rates are developed. These distributions use the best estimate human error probabilities given in the handbook as median values and the upper bound estimates as the 90th percentile. This procedure accounts for a greater uncertainty about the error rates than the generic source. The best estimate and upper bound values are chosen for the particular human action that is analyzed. The SSPSA analysis also considers the dependence between human errors when two or more tasks are performed.

The human error rate distributions presented in the SSPSA apply to normal tasks. High stress situations, such as large LOCAs, are analyzed where they arise. A complete discussion of human error failure data and its use in the SSPSA is provided in Section 3.5, Human Factors.

3.7.6 CONCLUDING REMARKS

In general, the methodology and discussion given in the SSPSA indicates an adequate treatment of the many considerations necessary to develop a plant specific failure data base from current operating experience in the nuclear industry. The sources of data reported in the SSPSA comprise a broad base of industry-wide experience and information. Based on the above discussion, the operating experience analysis provides a generally acceptable data base for estimating system unavailability, accident sequence occurrence and public risk at Seabrook.

We do, however, have reservations about the proprietary nature of the actual data used and analysis performed for determining the data base. Without reviewing the actual analyses, we cannot make a complete assessment of its accuracy, validity and completeness.

We have two minor concerns with the operating experience analysis presented in the SSPSA. The first is that the use of nation-wide data to estimate the frequency of the loss-of-power initiating event without consideration of northeastern regional data may yield an optimistic value for the frequency of this event. The second is the use of only four categories for quantifying the maintenance unavailability of all components at the Seabrook plant. The maintenance unavailability of safety significant components that have been found to be unreliable and/or require extensive repair times should be treated on a case-by-case basis.

REFERENCES for SECTION 3.7

3.7-1 U.S. Nuclear Regulatory Commission, "Reactor Safety Study: An Assessment of Accident Risk in U.S. Commercial Nuclear Power Plants," Appendix III, "Failure Data," WASH-1400 (NUREG/75-014), October 1975.
3.7-2 Nuclear Power Engineering Committee of the IEEE Power Engineering Society, "IEEE Guide to the Collection and Presentation of Electrical, Electronic and Sensing Component Reliability Data for Nuclear Power Generation Stations," IEEE STD-500, June 1977.
3.7-3 Hubble, W. H., and Miller, C. F., "Data Summaries of Licensee Event Reports of Valves at U.S. Commercial Nuclear Power Plants," NUREG/CR-1363, EGG-EA-5125, June 1980.
3.7-4 "Zion Probabilistic Safety Study", Commonwealth Edison Company, September 1981.
3.7-5 Hannaman, G. W., GCR Reliability Data Bank Status Report, General Atomic Co., GA-A14839 UC-77, July 1978.
3.7-6 Nuclear Power Experience, Petroleum Information Corporation, August 1981.
3.7-7 Swain, A. D., and Guttmann, H. E., "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," Draft Report, NUREG/CR-1278, October 1980.
3.7-8 Electric Power Research Institute, "ATWS: A Reappraisal, Part III, Frequency of Anticipated Transients," EPRI NP-2230, 1981.
3.7-9 Seabrook FSAR, RAI 440.133.

3.8 ANALYSIS CODES

The overall methodology used in the SSPSA requires the use of many computer codes to generate the results. Computer codes were used for data preparation and analysis, dependent failure analysis, the development of internal and external initiating event frequencies, construction and analysis of the plant model, analysis of accident phenomenology and containment response, development of the site model, analysis of accident consequences, and the quantification of core melt frequency and risk curves. The more than 20 computer codes used for these analyses are listed in Table 3.8-1. This section presents a brief discussion of these computer codes and their uses in the SSPSA. Complete code descriptions can be found in the references.

3.8.1 DATA ANALYSIS

The accuracy and validity of the plant and site analysis depends on the use of appropriate data. Several computer codes were used to aggregate the various data sources for use in the matrix formalism. The Bayesian update codes, ELNOR2 and BEST, were used to develop plant and component specific failure frequency distributions using generic industry-wide data, engineering knowledge and expert opinion for the quantification of initiating events and system unavailability. The BETINV code was used to estimate percentiles of the beta probability density function for the analysis of common cause dependencies among components. The RTIME code was used to calculate the probability distributions of mean repair time using a set of actual repair times. These repair time distributions were used in the analysis of system maintenance unavailability.

3.8.2 EXTERNAL EVENTS ANALYSIS

The values used for the frequency of occurrence of external events are determined from existing data and expert opinion, aided by various computer codes. Data for two external events, fires and earthquakes, was developed using computer calculations.

The analysis of fires was performed using the COMPB and THEAT computer codes. These computer codes deterministically model the behavior of fires in compartments and against heat barriers, particularly during the early periods of fire growth. The output from these codes includes heat release rates, gas temperatures, fuel burning rates and thermal heat flux at user-specified locations. These codes are used to estimate the extent and type of fire damage that may occur and the frequency of occurrence.

Because fires and other external events are major sources of common cause failures in systems, the SETS code is used to determine minimum cutsets and frequencies for spatially interacting scenarios.

The assessment of seismic failures in the SSPSA was performed using the SEIS4 code. This code combines the individual fragilities of equipment, components and structures into aggregate distributions based upon the event tree results for each seismic accident sequence scenario. A Boolean expression linking the top event to the response of the components is developed. The aggregate fragility distributions are then assembled with the seismicity distributions for the site. The results of this process are the frequency of occurrence of the plant damage states for each particular seismic scenario.

3.8.3 PLANT MODEL ANALYSIS

The matrix methodology employed in the SSPSA for developing and analyzing the plant model requires the use of several computer codes. The individual matrices for early and late response of the auxiliary and frontline systems are assembled into the plant matrix using the MAXIMA code. This code also provides information needed to determine dominant paths through the plant model. The CROSS code, used for matrix manipulation, performs standard matrix addition and multiplication, diagonalizes a row matrix and triagonalizes a general matrix. Once the plant matrix is developed and analyzed, it is decomposed to find dominant sequence and paths through each of the individual matrices. This unraveling process is performed using the RAVEL code.

The individual matrices are analyzed using the COSET and ETC6 codes. The COSET code combines small event trees into complete event trees for input to ETC6. The ETC6 code calculates the conditional frequencies of the entries in each of the individual matrices. This code also processes, draws and quantifies general and release category event trees.

The plant model quantification is performed by the DPD2 and STADIC codes. The DPD2 code performs various algebraic operations on independent discrete probability distributions. When the probability distributions have unlike or arbitrary shapes and various levels of dependencies, the STADIC code is used. This code combines distributions using a Monte Carlo simulation technique and provides mean, standard deviations and confidence limits. The RAS system of codes is used to quantify fault trees developed in the frontline systems models.

The DPD2 and STADIC codes are also used to estimate joint probabilities for failure frequencies of multicomponent systems. These codes were used to calculate core melt frequency. The uncertainty associated with the risk estimates is calculated using the MXDPD code. This code performs algebraic manipulations on ordinary and discrete probability distribution matrices.

3.8.4 ACCIDENT PHENOMENA, CONTAINMENT AND SITE ANALYSIS

Accident phenomena, containment response and accident consequences in the SSPSA were calculated using the MARCH, COCOCLASS9, CORRAL and CRACIT codes. These codes mathematically model the physical systems and surrounding environs of the plant to deterministically calculate the behavior of postulated accident sequences. The CRACIT code contains some statistical models used to assess risk.

The MARCH code calculates the thermal hydraulic behavior of the primary coolant system, nuclear core and containment system during accidents. The input to this code is the state of the safety and auxiliary systems determined by the event sequence analysis. Depending on the accident sequences, MARCH calculates the phenomena and timing of the core meltdown and containment failure. The MARCH code contains models for primary system blowdown, primary system temperature and pressure, reactor vessel coolant inventory, core heat generation and transport, core melting and slumping, metal-water reactions, fission product release and transport, reactor vessel melt-through, molten core coolant interactions, core concrete interactions, hydrogen combustion and containment temperature and pressure response. For the SSPSA, the output from the MARCH calculations is used as input to the CORRAL and COCOCLASS9 codes.

The COCOCLASS9 code is used primarily as a replacement for the containment analysis subroutines in the MARCH code. This code calculates the containment behavior, including integrity, for a broad range of pressure transients including LOCAs and main steam line breaks.

The CORRAL code uses the reactor coolant system, core and containment response as input and calculates the release and transport of radionuclides within containment. The release mechanisms include cladding rupture, fuel melting, vaporization and steam explosions. For each release mechanism, the fractions of the noble gases, elemental iodine, organic iodine, and particulates released from the core to the containment and from the containment to the environment are calculated. The output information from the CORRAL code is used as input to the CRACIT code.

The CRACIT code contains mathematical and statistical models to calculate the atmospheric fission product transport and its effects on the surrounding environment. This code accounts for meteorological, population and evacuation data along with the inventory and timing of radionuclide release. The output of this code provides information on the population health risk and offsite financial damage.

3.8.5 CONCLUDING REMARKS

The more than 20 computer codes used in the SSPSA appear to be adequate for the analysis. Many of these, particularly the accident phenomena codes, are widely used for PRA studies. A detailed assessment of each of these codes is beyond the scope of our review. However, we do have some comments.

The MARCH code was developed from the analysis performed in the Reactor Safety Study (WASH-1400) and contains limited detail and depth about the various phenomena analyzed. Care must be taken in specifying the input to this code, and the calculational results generally have large uncertainties.

The DPD arithmetic employed in the SSPSA provides an adequate method for combining probability distributions. The random variable space, however, must be appropriately discretized in order to give sufficient representation to the tails of the resultant distribution. If this is not done, discrepancies can result.
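The DPD arithmetic described in Section 3.7.3 (maintenance unavailability as the product of a frequency distribution and a mean-duration distribution) and the tail-discretization caution in Section 3.8.5 can be reproduced in a short script. The Python below is an added illustration, not the DPD2 code or anything taken from the SSPSA; the lognormal shapes, the range-factor convention (95th percentile over median), the equal-probability midpoint discretization, the aggregation rule and every numerical input are assumptions constructed for the example.

```python
"""DPD arithmetic sketch: unavailability = maintenance frequency x mean duration.
Added example with constructed inputs; not the DPD2 code."""
import math
from statistics import NormalDist

Z95 = NormalDist().inv_cdf(0.95)

# Constructed inputs (assumptions, not SSPSA data): (median, range factor)
FREQ = (1.0e-4, 3.0)   # maintenance events per hour
DUR = (20.0, 3.0)      # mean hours out of service per event


def discretize_lognormal(median, range_factor, n):
    """n-point DPD [(value, prob), ...] for a lognormal distribution.

    Assumed convention: range_factor = 95th percentile / median. Each of the
    n equal-probability bins is represented by the quantile at its midpoint.
    """
    sigma = math.log(range_factor) / Z95
    nd = NormalDist()
    return [(median * math.exp(sigma * nd.inv_cdf((i + 0.5) / n)), 1.0 / n)
            for i in range(n)]


def dpd_multiply(a, b):
    """Product of two independent DPDs: all value pairs with joint probability."""
    return [(xa * xb, pa * pb) for xa, pa in a for xb, pb in b]


def condense(dpd, n):
    """Aggregate a DPD into n points (assumed rule: equal-count groups of sorted
    points, each replaced by its probability mass and conditional mean).
    The overall mean is preserved; the extreme values are pulled inward."""
    pts = sorted(dpd)
    size = math.ceil(len(pts) / n)
    out = []
    for i in range(0, len(pts), size):
        grp = pts[i:i + size]
        mass = sum(p for _, p in grp)
        out.append((sum(x * p for x, p in grp) / mass, mass))
    return out


def mean(dpd):
    return sum(x * p for x, p in dpd)


def percentile(dpd, q):
    """Smallest support value whose cumulative probability reaches q."""
    cum = 0.0
    for x, p in sorted(dpd):
        cum += p
        if cum >= q - 1e-12:
            return x
    return max(x for x, _ in dpd)


def analytic_p95(m1, rf1, m2, rf2):
    """Exact 95th percentile of the product of two independent lognormals."""
    return m1 * m2 * math.exp(math.hypot(math.log(rf1), math.log(rf2)))


def unavailability_dpd(n):
    """Unavailability DPD from n-point frequency and duration DPDs."""
    return dpd_multiply(discretize_lognormal(*FREQ, n),
                        discretize_lognormal(*DUR, n))


def compare(grid_sizes=(3, 10, 50)):
    """Return the exact 95th percentile and (n, mean, p95, p95/exact) per grid."""
    exact = analytic_p95(FREQ[0], FREQ[1], DUR[0], DUR[1])
    rows = []
    for n in grid_sizes:
        u = unavailability_dpd(n)
        p95 = percentile(u, 0.95)
        rows.append((n, mean(u), p95, p95 / exact))
    return exact, rows


if __name__ == "__main__":
    exact, rows = compare()
    print(f"analytic 95th percentile: {exact:.3e}")
    for n, m, p95, ratio in rows:
        print(f"n={n:3d}  mean={m:.3e}  p95={p95:.3e}  p95/exact={ratio:.2f}")
```

With three points per input the upper tail of the product is visibly under-represented, while the mean is reproduced exactly by the multiplication at every grid size; that combination is why a coarse DPD can look correct on point estimates yet understate the high percentiles.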


Table 3.8-1 COMPUTER CODES USED IN THE SEABROOK STATION PROBABILISTIC SAFETY STUDY

COMPUTER CODE   REFERENCE   FUNCTION
BEST            3.8-1       Two-stage Bayesian Update
BETINV          3.8-2       Beta Factor Development
COCOCLASS9      3.8-3       Containment Analysis
COMPB           3.8-4       Fire Analysis
CORRAL          3.8-5       Fission Product Release and Transport Within Containment
COSET           3.8-6       Small Event Tree Combination
CRACIT          ---         Site and Risk Analysis
CROSS           3.8-7       Matrix Manipulation
DPD2            3.8-9       Discrete Probability Distribution Arithmetic
ELNOR2          3.8-8       Two-stage Bayesian Update
ETC6            3.8-10      Event Tree Processor
MAXIMA          ---         Matrix Manipulation
MARCH           3.8-11      Accident Phenomenology Analysis
MXDPD           3.8-12      Matrix Algebra and Uncertainty Analysis
RAS             3.8-13      Reliability Analysis System consisting of PREP, MOCUS, FATRAM, KITT-1, POCUS, SRTPRN and COMCAN
RAVEL           ---         Matrix Manipulation
RTIME           3.8-14      Repair Time Estimation
SEIS4           3.8-15      Seismic Risk Assessment
SETS            3.8-16      Fault Tree and Boolean Equation Manipulation
STADIC          3.8-16      Monte Carlo Simulation

REFERENCES for SECTION 3.8

3.8-1. Mosleh, A. and Rao, D., "BEST Computer Code," to be published.
3.8-2. Rao, D., "BETINV Computer Code," to be published.
3.8-3. Bordelon, F. M., and Murphy, E. T., "WCAP-8327 Containment Pressure Analysis Code (COCO)," July 1974.
3.8-4. Siu, N. O., "COMPB Computer Code," to be published.
3.8-5. Burian, R. J., and Cybulskis, Q., "CORRAL II Users Manual," Battelle Columbus Laboratories, January 1977.
3.8-6. Wheeler, D. M., "COSET Computer Code," PLG-0269, April 1983.
3.8-7. Wheeler, D. M. and Bley, D. C., "CROSS Computer Code," PLG-0219, February 1982.
3.8-8. Kaplan, S., et al, "Two-Stage Bayesian Update Computer Code (ELNOR2)," PLG-0283, May 1983.
3.8-9. Kaplan, S., et al, "Discrete Probability Distribution (DPD2) Computer Code," to be published.
3.8-10. Wheeler, D. M., "Event Tree Code 6 (ETC6)," PLG-0270b, May 1983.
3.8-11. Wooten, R. O., and Avci, H. I., "MARCH (Meltdown Accident Response Characteristics) Description and User's Manual," NUREG/CR-1711, BMI-2064, Battelle Columbus Laboratories, October 1980.
3.8-12. Lin, J. C., Kaplan, S., and Riechers, L. H., "MXDPD Computer Code," PLG-0224, March 1982.
3.8-13. Rasmuson, D. M., Marshall, N. H., and Burdick, G. R., "User's Guide for the Reliability Analysis System (RAS)," TREE-1168, E.G.& G. Idaho, Inc., September 1977.
3.8-14. Kaplan, S. et al, "Repair Time Computer Code (RTIME)," PLG-P142, September 1981.
3.8-15. Lin, J. C., and Kaplan, S., "SEIS4: A Computer Program for Seismic Risk Assessment," PLG-0222, March 1982.
3.8-16. Worrell, R. B., and Stack, D. W., "A SETS User's Manual for the Fault Tree Analyst," NUREG/CR-0465, SAND 77-2051, November 1978.
3.8-17. Rao, D., "COMPBRN - A Computer Code for Modeling Compartment Fires," NUREG/CR-3239, UCLA-ENG-8257, University of California, Los Angeles, May 1983.

3.9 Accident Sequences f I This section presents a review of the SSPSA assessment of the progression of accident sequences. The scope of the review is limited to the progression of accidents up to and including the breaching of the reactor vessel. It does , not ir.clude any review of ex-vessel phenomena or containment response as assessed in the SSPSA. Further, the review is limited to a qualitative evaluation of the validity of methods and assumptions employed in the SSPSA and excludes independent analysis of the accident progression. The SSPSA description of accident progression analysis is scattered throughout several sections in the report. However, the most detailed analysis, which , appears to fonn the basis for related assumptions and analysis, is embodied in Appendix H, subsections H.2.1 (Assessment of Physical Processes) and H.2.2 Core and Containment Transient Analyses). In addition, an overview of the core and containment response analysis is provided in Section 11.1, and two additional areas of specific accident sequence analysis were found (Appendix B. Vol. 4; Thermal Hydraulic Analysis of Selected Accident Scenarios, and Section 11.5.3, Time Window Analysis). All of these parts of the SSPSA were reviewed for validity and consistency. Each will be considered separately in the following subsections. 3.9.1 Review of Appendix H, Section H.2.1 This section of the SSPSA provides a general description of accident phenomena expected to occur during severe core damage accidents at Seabrook. The discussion does not consider accident specific variations, but is limited to 3.9-1

overall considerations. (Specific accident scenarios are considered separately in Appendix B which is considered later in this section.) According to Section H.2.1, the Seabrook accident progression assessment relies heavily on similar assessments provided for the Zion [3.91) and Indian Point [3.9-2] risk assessment studies and refers to these studies for further detail. These studies have been the subject of intensive NRC review, and discrepancies found in such reviews may also apply to the SSPSA analysis. The Seabrook assessment of severe accident physical processes up to the point of reactor vessel failure as described in Section H.2.1 of the SSPSA appears to be reasonable and represent generally state-of-the-art knowledge (as of late 1983). No discrepancies were found which appeared to have the potential for justifying significant changes in the assumed accident progression. However, a few apparently minor discrepancies were noted, as follows:

1. Section 2.1.2 (In-vessel Phenomena) - This section indicates that the potential for in-vessel core cooling with reduced flow rates was considered in the analysis. However, it is not clear how such analyses were included in the various scenarios or how such cooling was accounted for in the core melt probability determinations (see also item 2 following).
2. Section 2.1.2 (In-vessel Phenomena) - It is stated here that 150 gpm could maintain the core water level at 1% decay heat levels. This value appears to be optimistic. A simple heat balance indicates that about 210 gpm are required to remove 1% of the core decay heat. The influence of these potential differences appears minimal, but is not clear since it is not indicated (as stated in 1 above) to what extent these minimum cooling scenarios were used in the SSPSA.

3. General - Recent detailed analyses indicate that some severe accident phenomena could occur which might alter the SSPSA conclusions. For example, in a recent assessment [3.9-3], a high potential was found for establishing a recirculation path in the upper plenum during core heatup. One of the consequences of this phenomenon is expected to be more extensive metal-water reaction (due to recirculation of steam to hotter core regions). The Section H.2.1.2 assessment in the SSPSA (Pg. H.2.1-4) estimated only a 30% reaction (although, according to Section 2.1.2.1, "considerably" more hydrogen is employed in the containment assessment). Further, it has been suggested [3.9-3] that primary system temperatures may become elevated to the extent that gross failure may occur for high pressure accident scenarios.

3.9.2 Review of Appendix H, Section H.2.2 - This section, entitled Core and Containment Transient Analysis, provided a description of analytical tools and models used for the Seabrook severe accident progression analysis and also provides detailed accident progression assessments for specific sequences. Many of the computer codes used for the analysis were described as proprietary and are, therefore, (presumably) not available for review. As a result, and also due to limited resources, the review consisted principally of examining the assumptions and results to check for reasonableness and consistency with similar assessments from other sources (for example, Ref. 3.9-4).

As a result of the review, it was concluded that no major discrepancies appeared to exist which had the potential for producing major changes in the overall results of the accident progression analysis. However, several problems were found which are described in the remainder of this section. The most significant of these is probably the analysis of the V-sequence accident progression (see No. 1 following). In this case, it was determined that the SSPSA assessment represents one of numerous possible scenarios which encompass a broad range of consequences. The SSPSA case appears to be at the extreme conservative end of the spectrum and probably does not represent the most likely scenario, as discussed in the following:

1. V-Sequence Progression Assessment - The SSPSA analysis of the V-sequence progression is provided on pages H.2.2-34 and H.2.2-44. The description provided is quite sketchy and many details are not given. Further, the assessment ignores the many possible alternative scenarios which may be more probable and produce smaller consequences. (According to SSPSA Section 1.3, the V-sequence is by far the most significant contributor to early fatalities and also is a major contributor to latent fatalities, particularly for the larger number of calculated fatalities.) Several other discrepancies were also found. All are considered separately, as follows:
a. According to page H.2.2-34, the "best estimate" V-sequence accident is expected to be a rupture of the two MOVs on the RHR suction side. However, according to SSPSA Section 6.6 the injection side RHR rupture (from check valve failure) has a higher probability. The difference is 1.03E-6/yr for injection side failures and 8.12E-7/yr for suction side. However, the progression of the accident does not appear to be particularly sensitive to the location (injection vs suction) of the RHR rupture unless the possibility of a submerged rupture location is considered (which can substantially reduce radionuclide release). Such a consideration does not appear to be evaluated in the SSPSA.


b. On page H.2.2-34 it is stated that "...the primary system transient is similar to that in the AL sequence. However, the containment pressure is expected to be lower...". The containment pressure is irrelevant for the V-sequence since the containment is bypassed.

c. According to page H.2.2-44, core cooling is assumed to be lost in 29.3 minutes. The basis for this time estimate is not given, and it appears to be excessively short for most possible V-sequence scenarios. The loss of core cooling for the V-sequence is dependent on the depletion time for the RWST. This depletion time, in turn, depends on assumptions made regarding the actuation, operability, and manual termination of pumps which use the RWST for a water source. According to SSPSA Appendix B, the minimum available RWST inventory is 350,000 gallons. Further, there exist eight pumps which could potentially draw water from the RWST during the V-sequence; two each for the safety injection, charging, RHR, and containment building spray systems. The containment building sprays will not be automatically actuated (since there is no increase in containment pressure), and, according to page H.2.2-34, the operator is assumed not to manually actuate the sprays (this appears to be a reasonable assumption). Assuming all remaining pumps operate and using information contained in Appendix B, the minimum RWST depletion time would appear to be 37 min., about 8 min. longer than assumed on page H.2.2-44.

While this difference does not appear to be significant, additional considerations argue for a more significant extension of RWST depletion time. For example, it seems highly likely that the RHR pump associated with the ruptured train will be inoperable due to the abrupt high energy steam and water release associated with rupture of the 8 inch line in the vicinity of the pump. If this pump is assumed to be disabled and RWST draining to the rupture is considered negligible compared with the operating pump flow, the RWST depletion time is extended to just over 60 minutes.

A possibly more likely scenario would be for the operator to recognize the onset of a V-sequence accident and take action to conserve RWST inventory. This could be done by closing valves CBS-V2 and V-5 (see SSPSA Fig. D.8-5). Under these conditions, the loss of core cooling (assuming no other actions) would not occur until over three hours. If the operator were to further secure all but one safety injection pump (the 450 gpm capacity of one pump is more than enough to remove decay heat), the inventory would be maintained for about 13 hours. The probability of appropriate operator action under V-sequence accident circumstances is unknown and not considered in the SSPSA. However, during the plant visit, Seabrook operating personnel assured us that procedures exist for dealing with the V-sequence. These procedures were requested but have not yet been received.

2. Page H.2.2-21 - The only basis given for the pump seal leakage rate is an internal Westinghouse memo. The rates quoted (20 gpm for 10 hours and 300 gpm thereafter) are not consistent with assumptions made for other PRAs (e.g., Zion and Millstone Unit 3). This assumption could have a significant effect on the accident sequence progression, and its basis should, therefore, be provided in the SSPSA.
3. Figures 2.2.4-1N and 2.2.4-10 showing hydrogen accumulation for the TE-sequence do not appear consistent with other figures describing the accident or the description of the TE sequence on page H.2.2-35. For example, these curves show no hydrogen release until after about 350 minutes, but page H.2.2-35 indicates core starts to melt at 283 minutes. Vessel melt through is indicated on SSPSA Figures 2.2.4-1A at about 300 minutes. Significant hydrogen production would precede both of these events.

4. Section 2.2.8 (Pg. H.2.2-69) provides an analysis of core recovery times and flow requirements. It is stated to be for "the more dominant scenarios". However, the analysis does not include the V-sequence which is the most dominant sequence for early fatalities and among the dominant contributions to latent fatalities.
5. It is not clear whether or how the results of SSPSA Section 2.2.8 (Core Recovery Time Window and Flow Requirements) were used in the SSPSA. No indication could be found of such use or the significance of the considerations.
6. The results presented for the TE-sequence (loss of all ac power) on Page H.2.2-35 are not consistent with a recent similar, independent analysis for the Seabrook plant (Ref. 23). For example, the SSPSA shows steam generator boil dry in 8220 seconds while the Reference 3.9-4 result is 4903 seconds (loss of effective heat sink). Fuel melting is predicted by the SSPSA in 16980 seconds, while Reference 3.9-4 results show 13860 (probably not a significant difference). The Reference 3.9-4 calculation did not assume a pump seal LOCA, while the SSPSA assumed 20 gpm per pump for the first 10 hours. However, this difference does not appear significant in terms of secondary boil-off time or time to core melt.


3.9.3 Review of Section 11.1, Core and Containment Response Analysis Overview - This section presents only a very general overview, and no discrepancies were found.

3.9.4 Review of Section 11.5.3; Time Window Analysis - This section reiterates and expands the Section H.2.2 analyses for two cases of station blackout. The results appear consistent with the Section H.2.2 results, and no discrepancies beyond those noted in Section 3.9.2 preceding were found. The Section 11.5.3 analyses are stated (pg. 11.5-12) to be used for estimating the time available for corrective actions. However, how the results were used and what corrective actions are assumed are not stated or referenced to other sections in the SSPSA.

3.9.5 Review of Appendix B; Thermal-Hydraulic Analysis of Selected Accident Scenarios - This short section provides several simplified thermal-hydraulic analyses. The purpose and the use of the analyses are stated. Only one discrepancy was found during the review of Appendix B. The analysis of steam generator dryout following scram with no feedwater indicated that dryout would occur in about 1.5 hours. While this result is reasonably consistent with an independent analysis (Ref. 3.9-4, 4903 sec), it is not consistent with other parts of the SSPSA. For example, both Section H.2.2 and 11.5.3 show dryout times of 2.98 hours for the TE accident sequence which appears to be the same case considered in Appendix B (simultaneous loss of ac power and auxiliary feedwater).

3.9.6 References for Section 3.9

3.9-1 Zion Probabilistic Safety Study, Commonwealth Edison Co., 1982.
3.9-2 Indian Point Probabilistic Safety Study, Power Authority of the State of New York and Consolidated Edison Co. of New York, 1982.
3.9-3 "PWR Primary System Temperature During Postulated Severe Accidents", V. Denny and B. R. Seghal, presented at the ANS Winter Meeting, November 11-16, 1984.
3.9-4 Analysis of a Station Blackout Transient at the Seabrook Nuclear Power Plant, EGG-NTP-6700, P. D. Baylerss and R. Chambers, EG&G Idaho, September 1984.
3.9-5 "On the Analysis of Dependent Failures in Risk Assessment and Reliability Evaluation", K. N. Fleming, et al., Nuclear Safety, September-October 1983 (Vol. 24-5), Pg. 637.

3.10 Dependencies - This section presents the results of a review of the SSPSA treatment and analysis of dependencies. In the context of this review, dependencies are defined as initiating events or system and component failures which have a potentially detrimental influence on the probability of successive failure. Failures involving dependencies have been found to be very important to nuclear reactor risk, both in PRA studies such as the SSPSA as well as actual accidents (e.g., the fire at Browns Ferry).

Dependent failures fall into three distinct types, as proposed by Reference 3.9-5. These types, with a definition of each, are:

1. Common Cause Initiating Event - In this case, an initiating event occurs which simultaneously causes multiple system failures and/or degrades systems, increasing their unavailability. The most dramatic examples of this type of dependency are external events, such as earthquakes, which can cause multiple system degradations. However, some internal initiating events, such as loss of offsite power, also represent important internal initiating events with dependencies.

2. Intersystem Dependency - In this case, a system failure occurs which causes the simultaneous degradation (either failure or an increase in unavailability) of other systems. An example of such a failure would be the service water system (see Section 3.6 herein) which causes the eventual loss of numerous components which depend on SWS for cooling.

3. Intercomponent Dependency (Common Cause Failure) - This dependency involves the simultaneous (or near simultaneous) failure of components from the same cause. This type of dependency is often referred to as common cause failure, a term which will be used in the remainder of this section. An example of common cause failure would be the simultaneous failure to start of pumps in a multi-train system due to seized pump shafts caused by excessive corrosion.

The SSPSA considers all three types of dependencies. In SSPSA Section 8 a general discussion is provided of the treatment of dependencies. The assessment of dependencies in specific applications is considered and described throughout the SSPSA. All of these assessments were included in our review of SSPSA dependencies and include the sections listed in Table 3.10-1.

Table 3.10-1 SSPSA SECTIONS WHICH CONSIDER DEPENDENT FAILURES

SECTION | VOLUME | TITLE
4.3.1.4 | 1 | Common Cause Initiating Events
4.3.4.2 | 1 | Common Cause Failure Rates
4.3.5 | 1 | Plant Model Analysis of Dependent Failures
4.3.6 | 1 | Spatial Interaction Analysis
6.3 | 2 | Common Cause Failure Parameters (β-factors)
8. | 2 | Dependent Failure Analysis
Appendix E | 5 | Support Materials for Spatial Interaction Study

In addition to these sections, the SSPSA quantifies the influence of dependent failures in several additional sections which are not considered in the review here but are addressed in separate sections of this report. For example, SSPSA Appendix D (Detailed Systems Analysis) considers common cause contributions to system failures. These contributions are reviewed separately in Section 3.6.2 of this report. Similarly, SSPSA Section 5 considers the influence of initiating event dependencies. The review of this part of the SSPSA is covered in Section 3.1 of this report.

The review of the sections listed in Table 3.10-1 resulted in the following determinations, with each section considered separately:

3.10.1 Review of Section 8, Dependent Failure Analysis - This section provides a brief overview of the significance of dependencies and of methods employed in the SSPSA to account for them. The section appears to provide an appropriate recognition of the significant importance of dependencies. It also provides (Section 8.2) an analysis of "spatial interaction" which is stated to be (pg. 8-1) an added consideration of dependencies not found in other PRAs. The meaning of "spatial interactions" in the context of dependent failures is not explicitly defined in Section 8, but is considered in detail in Section 4.3.6 and Appendix E (see following appropriate sections of this report for review). In reviewing Section 8, no major problems were encountered; however, the following deficiencies and inconsistencies were found:

1. Page 8.1 - The last paragraph on this page discussed common cause failures and concludes that explicitly modeled common failures did not, in most cases, produce a significant contribution in the SSPSA. It is further stated that an exception to this conclusion was the service water system "in which plugged strainers was an important explicitly modeled common cause failure". This statement is incorrect in that the SSPSA analysis of service water system failure (Section D.3, Vol. 4) concludes that strainer plugging "is considered negligible in comparison with that of other hardware failure..." (pg. D.3-28) and "... loss of service water via this (strainer plugging) mechanism was found to be insignificant...".

2. Page 8.1 - This page discussed the derivation and use of beta factors in quantifying common cause failures. The discussion indicates that for some components, actual data were used to derive beta factors, while in other cases where no event data were available, a "generic" beta factor distribution was used. It is further stated that "...use of this generic distribution is supported by the observation that beta factors tend to be relatively independent of component type." This contention appears to be unsupported and inconsistent with beta factors used in the SSPSA in that of the only nine components for which specific beta factors were derived (see SSPSA Table 8.1-5 or 6.3-2), the mean values of the factors differed by a factor of 20. Furthermore, the beta factors for the six electric motor-driven pumps (fail during operation) vary by a factor of more than 12. These are similar components, and large beta factor variations would not be expected. (A further discussion of these variations and their significance is provided in Section 3.10.6 following.)

3. Section 8.2, General - This section is somewhat confusing and difficult to understand. The actual use and significance of the spatial interaction analyses is not clear. Furthermore, numerous assumptions and judgements were made (pg. 8.2-7, 11, and 13) which increase the uncertainty of the analysis. The spatial interaction analysis was apparently employed (1st paragraph, Pg. 8.2-1) only for evaluation of external events. A review of the SSPSA treatment of external events is contained in Section 4.0 of this report.

3.10.2 Review of Section 4.3.1.4, Common Cause Initiating Events - This section presents a very short (less than one page) overview of common cause initiating events and the SSPSA method for considering them. No problems were found in the review of this section.

3.10.3 Review of Section 4.3.4.2, Common Cause Failure Rates - This very brief section explains the use and derivation of beta factors applied to common cause failures. No problems were found in this section. However, it should be noted that the actual data used and specific criterion and judgement applied to derive beta factors are not disclosed in this section or elsewhere in the SSPSA. It appears that both the data used and evaluations of them for beta factor determinations are proprietary. A much more extensive discussion of beta factors and common cause failures is provided in Section 6.3 of the SSPSA which is reviewed in Section 3.10.5 following.

3.10.4 Review of Section 4.3.5, Plant Model Analysis of Dependent Failures - This section of the SSPSA presents an overview of how each type of dependent failure is identified, modeled, and quantified. This section generally provides a good description and appropriately describes the significance of dependent failures. During the review of this section, several discrepancies, inconsistencies, and questionable assumptions were found, as follows:

1. Page 4.3 - It is stated here (last paragraph) that "Any missing dependent failures (i.e., those not adequately addressed in the SSPSA) would be those that make negligible contribution to risk." This appears to be an over-statement which cannot be substantiated. While the SSPSA appears to have made a concerted and reasonably rigorous effort to identify and quantify important dependent failures, there is no way to prove that all such failures have been discovered.

2. Page 4.3 - In discussing the beta factor model (Section 4.3.5.5.3), the following equation is derived:

$$V_s = (1-\beta_d)^2 \lambda_d^2 + \beta_d \lambda_d$$

where:
V_s = system probability of failure on demand for a one-of-two system
λ_d = failure-on-demand probability
β_d = fraction of demand failures due to common causes.

It is further stated that, "For β_d and λ_d on the order of 0.1 or less, the first term can generally be neglected". This statement is incorrect. In the first place, if β_d and λ_d are 0.1, the first term contributes almost 50% to the total. Second, it is readily apparent that the first term becomes more significant as β_d becomes less than 0.1. It is true, however, that for virtually all cases encountered in nuclear plant system reliability (with λ_d = 0.01 or less, and β_d approximately equal to 0.1), the first term can be neglected as it contributes less than 10%.

3. Page 4.3 - The last paragraph indicated that "...it is reasonable to assume that common cause failures would impact the two standby pumps in the run mode, but not standby/operating combinations." This conclusion appears somewhat questionable. Typically, the operating/standby pump combination for a train is in close proximity (share the same local environment) and share support systems (e.g., lube oil, lube oil cooling). This suggests the possibility of common cause failures even if the pumps are initially in different operating modes. While the extent of such common cause coupling is unknown, the possibility cannot be arbitrarily dismissed. However, in reviewing the Section D assessment of system failure probabilities, common cause failures for different operating modes were considered and in no case could a significant impact on the SSPSA results be found (see Section 3.6 herein for details).

4. Page 4.3 - The top of the page discussed the derivation of beta factors for selected components, and a comparison of these factors with an alternate source is presented in Table 4.3-15 (Pg. 4.3-86). However, the comparison shows that the Seabrook beta factors are consistently lower (non-conservative) than the other values by a factor ranging from 2.3 to over 12 (for diesel generators). No specific explanation is provided for these differences. (See also Section 3.10.6 following wherein an evaluation of the SSPSA beta factor values is presented.)

5. Page 4.3 - Section 4.3.5.5.5 indicates that passive components were assumed to be excluded from common cause failures. No justification is provided for the assumption. While it may be true for some passive components (e.g., pipes) wherein very low frequencies of common cause failures would be expected, it is not at all clear that the same conclusion exists for others which were apparently assumed to be passive (e.g., batteries, dampers, check valves). In fact, one of the highest beta factors found in the literature (Ref. 3.10-1) is for strainers which would normally be considered passive components. The influence of this assumption is considered in specific cases of SSPSA system failure probability determinations in Section 3.6.2 of this report.

3.10.5 Review of Section 4.3.6, Spatial Interaction Analysis - This brief section describes the SSPSA implementation of spatial interaction analysis which is applied to external initiating events. No problems were found in the review of this section. (See Section 4.0 of this report where the SSPSA assessment of external events is reviewed.)

3.10.6 Review of Section 6.3, Common Cause Failure Parameters (Beta-factors) - Section 6.3 of the SSPSA discusses the derivation of beta factors and provides a table (Table 6.3-2, Pg. 6.3-9) of numerical values used for beta factors. In reviewing this section, the following discrepancies were found:

1. Page 6.3 - It is stated that "For β_d and λ_d on the order of 0.1 or less, the first term (of Equation 6.3.3) can generally be neglected." This statement is incorrect in that the first term is significant if β_d and λ_d are 0.1 and becomes more significant as β_d becomes smaller. (See Item 2 under preceding Section 3.10.4 of this report.)

2. Page 6.3-5, Section 6.3.3 - This section describes in general and qualitative terms how the numerical values for the beta factors were derived. The section indicates that "appropriate weights" and other judgmental factors were considered and applied to the data base; however, the actual data used, and the specific process of categorizing the data, and the actual values used for the various factors, and their basis, are not provided. This detail is stated to be provided (Page 6.3-6) in Reference 6.3-5, but this is listed vaguely as "Pickard, Lowe and Garrick, Inc., Proprietary Data". Some of the beta factors so derived are inconsistent with alternate data sources and appear questionable on other grounds as described in the following item.

3. Table 6.3-2 (Pg. 6.3-9), Beta Factor Distributions - This table presents the values used for beta factors in the SSPSA. Since details of the numerical derivation of these values are not provided in the report and are apparently proprietary (see previous item), a comparison was undertaken to determine if the SSPSA beta factors are consistent with alternate data sources. Table 3.10-2 illustrates this comparison.

In reviewing the SSPSA beta factors shown in Table 3.10-2 and comparing them with alternate data sources, the following discrepancies were found.

Table 3.10-2 COMPARISON OF BETA FACTORS

Columns, left to right: Component Description; Failure Mode; SSPSA (mean); WASH-1400 [3.10-4]; Reference [3.10-2]; NUREG/CR-1205 [3.10-3]; NUREG/CR-1363 [3.10-5]; NUREG/CR-2770 [3.10-6]; NUREG/CR-2099 [3.10-7]; NUREG/CR-1362 [3.10-8]; NUREG/CR-2989 [3.10-9]; NUREG/CR-2989 [3.10-9]

High Pressure Injection Pump (SI and CC) | Fail to Start | 0.05P8 -- 0.14 0.307 -- -- -- -- -- 0.24 (1)
High Pressure Injection Pump (SI and CC) | Fail During Operation | 0.0640 -- 0.06 0.349 -- -- -- -- -- --
Containment Spray Pump | Fail to Start | 0.125 -- -- 0.307 -- -- -- -- -- 0.24 (1)
Containment Spray Pump | Fail During Operation | 0.0223 -- -- 0.349 -- -- -- -- -- --
Service Water Pump | Fail to Start | 0.111 -- -- 0.307 -- -- -- -- -- 0.24 (1)
Service Water Pump | Fail During Operation | 0.0762 -- -- 0.349 -- -- -- -- -- --
Component Cooling Pump | Fail to Start | 0.0365 -- -- 0.307 -- -- -- -- -- 0.24 (1)
Component Cooling Pump | Fail During Operation | 0.0232 -- -- 0.349 -- -- --
RHR Pump | Fail to Start | 0.0667 0.307 0.24 (1)
RHR Pump | Fail During Operation | 0.0276 -- -- 0.349 -- -- -- -- -- --
Emergency Feedwater Pump (turbine-driven and motor-driven) | Fail During Operation | 0.118 -- -- -- -- -- -- -- -- --
Motor-Operated Valve | Fail to Open/Close on Demand | 0.0423 -- 0.23 0.05 0.03 -- -- -- --
Diesel Generator | Fail to Start | 0.0146 -- 0.13 -- --
Diesel Generator | Fail to Run | 0.0325 0.077 0.16 0.076 -- 0.14 -- -- -- -- -- -- --
Reactor Trip Breaker | Fail to Operate on Demand | 0.111 -- -- -- --
Generic Component | -- | 0.125 0.10 -- -- -- -- -- -- -- --

(1) Identified as fraction of failures which were common cause "candidates".

a. The rather wide variation in beta factors between the components listed and the "generic component" (used for all components not listed) seems unusual and is not consistent with arguments elsewhere in the SSPSA to the effect that components tend to have similar beta factors (see Item 2 in Section 3.10.1 preceding for a further discussion of this issue). The beta factors for the nine components listed vary from 0.12 (diesel generator, fail to start) to 2.24 (RHR pump, fail during operation) times the generic beta factor. Furthermore, the beta factors indicate an optimistic bias with respect to the generic value in that for 13 of 15 cases the values are less than the generic number.

b. The large beta factor variation among pumps is difficult to resolve, and no explanation is provided. It would be expected that pumps would have similar beta factors, but there is a factor of more than 10 between the highest and lowest values. Furthermore, there is a wide variation between beta factors for start and run (during operation) failures for the same pumps. For example, in the case of high pressure injection pumps, the beta factors for these two modes are essentially identical, while for the containment spray and RHR pumps, the difference is a factor of 6 and 4, respectively.

c. As illustrated in Table 3.10-2, the SSPSA beta factors (third column) are frequently not consistent with values from other sources (fourth through twelfth columns). The SSPSA generic beta factor (0.125) is comparable to the WASH-1400 value (0.1), but there is a significant difference for other SSPSA components and values from References 3.10-2 and 3.10-3 (fifth and sixth columns). In all but one case, the SSPSA values are significantly lower. The SSPSA value for motor-operated valves is consistent with two NUREG sources (seventh and eighth columns) but the diesel generator failure to start beta factor is significantly lower than other sources (although there is a wide variation). However, it has been determined (see Section 3.6.2.1 herein) that use of a beta factor of 0.125 for diesels would not have an overly significant effect.

It is not necessarily contended here that the SSPSA values are flawed because they are not consistent with other values. The derivation of beta factors takes a considerable amount of judgment and interpretation of data. None of the beta factor determinations in Table 3.10-2 were reviewed as part of this effort, and no known verification of any of them exists. However, it is of concern that the SSPSA values are consistently lower (optimistic) with respect to other sources (which produces lower system failure rates) and that inconsistencies appear to exist among the SSPSA rates.

Since the SSPSA basis for the Table 3.10-2 beta factors is proprietary and was not made available for review, qualitative sensitivity studies were undertaken to determine the influence on core melt probability and risk of changes in the SSPSA beta factors. The results of these studies are given in Section 3.6 of this report wherein changes in system failure probabilities as a result of using a generic beta factor of 0.125 for the Table 3.10-2 components were evaluated.
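The following is an added worked example, not part of the original report, of the one-of-two beta factor equation criticized in Sections 3.10.4 and 3.10.6 and of the generic-versus-specific beta factor sensitivity described above. The beta factors 0.0146 (diesel generator, fail to start) and 0.125 (generic) are taken from Table 3.10-2; the demand failure probability of 0.01 used in the sensitivity case is an assumed value, and all function names are illustrative.

```python
"""Beta factor model for a one-of-two system on demand:

    V_s = ((1 - beta) * lam)**2 + beta * lam

First term: both trains fail independently.
Second term: one common cause fails both trains.
"""


def _check(beta, lam):
    # beta is a fraction of failures, lam a per-demand probability.
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    if not 0.0 < lam <= 1.0:
        raise ValueError("lam must lie in (0, 1]")


def failure_terms(beta, lam):
    """Return (independent term, common cause term) of V_s."""
    _check(beta, lam)
    independent = ((1.0 - beta) * lam) ** 2
    common_cause = beta * lam
    return independent, common_cause


def system_failure(beta, lam):
    """System failure-on-demand probability V_s."""
    return sum(failure_terms(beta, lam))


def first_term_fraction(beta, lam):
    """Share of V_s contributed by the independent (first) term."""
    independent, common_cause = failure_terms(beta, lam)
    return independent / (independent + common_cause)


def max_lambda_for_negligible_first_term(beta, threshold=0.10):
    """Largest lam for which the first term stays at or below `threshold`
    of V_s. Solving first_term_fraction == threshold for lam gives
    lam = threshold * beta / ((1 - threshold) * (1 - beta)**2).
    """
    if not 0.0 < beta < 1.0 or not 0.0 < threshold < 1.0:
        raise ValueError("beta and threshold must lie in (0, 1)")
    return threshold * beta / ((1.0 - threshold) * (1.0 - beta) ** 2)


def generic_to_specific_ratio(beta_specific, lam, beta_generic=0.125):
    """Factor by which V_s rises when a component-specific beta factor
    is replaced by the generic one (the Section 3.6 sensitivity case)."""
    return system_failure(beta_generic, lam) / system_failure(beta_specific, lam)


if __name__ == "__main__":
    print("beta    lam     V_s        first-term share")
    for beta, lam in [(0.1, 0.1), (0.01, 0.1), (0.1, 0.01), (0.0146, 0.01)]:
        print(f"{beta:<7} {lam:<7} {system_failure(beta, lam):.3e}  "
              f"{first_term_fraction(beta, lam):6.1%}")

    limit = max_lambda_for_negligible_first_term(0.1)
    print(f"\nWith beta = 0.1 the first term is below 10% only for "
          f"lam <= {limit:.4f}")

    # Assumed lam = 0.01; beta values from Table 3.10-2.
    ratio = generic_to_specific_ratio(0.0146, 0.01)
    print(f"Generic beta (0.125) vs diesel start beta (0.0146): "
          f"V_s higher by a factor of {ratio:.2f}")
```

With both parameters at 0.1 the independent term is about 45% of the total, which is the "almost 50%" cited in Section 3.10.4, and it falls below 10% only once the demand failure probability drops to roughly 0.014 or less.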

3.10.7 - Review of Appendix E, Support Materials for Spatial Interaction Study l ( This Appendix, except for short introductory paragraphs on Pages E.1-1, E.2-1, and E.3-1, consists entirely of tables and computer output files related to  ; I the assessment of dependencies for accidents initiated by in-plant fires. The information was not reviewed in any detail, but appears to be comprehensive, j See Section 4.2 of this report for a review of fire-induced accident sequences as evaluated in the SSPSA using data from Appendix E. 3.10.8 - Conclusions - Based on a review of the SSPSA treatment of . dependencies, the following conclusions appear valid:

1. The SSPSA appears to recognize the significant influence that dependencies can have on accident sequence probabilities.


2. The SSPSA methodology for identifying and accounting for dependencies appears reasonable and valid. While no important omissions were found in the treatment of dependencies, it cannot be concluded that none exist based on this limited review.

3. Several concerns were found in the SSPSA treatment of common cause failures and the derivation and use of beta-factors. However, in no case were any of the concerns found to have a potentially important influence on the results.

In addition to the review of SSPSA dependencies as presented in this section, a further consideration of them may be found in Section 4.0 (External Events), 3.2 (Event Trees), and 3.1 (Initiating Events).

3.10.9 References for Section 3.10

3.10-1 PRA Procedure Guide, NUREG/CR-2300, January 1983.

3.10-2 "A Comparison of Three Methods for the Quantitative Analysis of Common Cause Failures", K. N. Fleming and P. H. Raabe, ANS Conference on Probabilistic Analysis of Nuclear Reactor Safety, Los Angeles, May 1978.

3.10-3 Data Summaries of Licensee Event Reports of Pumps at U.S. Commercial Nuclear Power Plants, NUREG/CR-1205, January 1980.

3.10-4 Reactor Safety Study, WASH-1400, USNRC, October 1975.

3.10-5 Data Summaries of Licensee Event Reports of Valves at U.S. Commercial Nuclear Power Plants, NUREG/CR-1363, June 1980.

3.10-6 Common Cause Fault Rates for Valves, NUREG/CR-2770, EG&G Idaho, Inc., February 1983.

3.10-7 Common Cause Fault Rates for Diesel Generators: Estimates Based on Licensee Event Reports at U.S. Commercial Nuclear Power Plants, 1976-1978, NUREG/CR-2099, C. L. Atwood and J. A. Stevenson, EG&G Idaho, Inc., June 1982.

3.10-8 Data Summaries of Licensee Event Reports of Diesel Generators of U.S. Commercial Nuclear Power Plants from January 1, 1976 to December 31, 1978, NUREG/CR-1362, EG&G Idaho, March 1980.

3.10-9 Reliability of Emergency AC Power Systems at Nuclear Power Plants, NUREG/CR-2989, July 1983.

4.0 EXTERNAL EVENT ANALYSIS

The approach to the evaluation of external events taken in the SSPSA included qualitative assessments to identify events for further (quantitative) analysis. The external event types considered in the SSPSA are earthquakes, fires, aircraft accidents, internal and external flooding, hazardous materials, extreme wind, and turbine missiles. Our review covers each of these subjects in the sections which follow.

In general, the range of external event types considered in the SSPSA is reasonable and consistent with the external events assessed in other PRAs as well as those suggested by the PRA Procedures Guide.

The methodologies used in the detailed assessments are generally reasonable and consistent with the state-of-the-art; however, there are notable disagreements in several areas. One of the most important disagreements concerns seismic hazard, in which the SSPSA hazard assessment results are believed to be optimistic and the uncertainty underestimated.

Two of the external event initiators had core melt probabilities large enough to make a contribution to the total core melt probability from all causes. The most dominant is seismic events with a contribution of 2.89E-5 per year, followed by fire with a contribution of 2.61E-5 per year.

4.1 Seismic Events

4.1.1 Seismic Hazard

4.1.1.1 Review Approach

A critical review was conducted of Appendix F.1 of the SSPSA which describes the methodology and analysis of the seismic ground motion hazard at the Seabrook site. Section 9.2 of the SSPSA summarizes the seismic risk methodology and the results of the probabilistic seismic hazard analysis which is provided in Appendix F.1. To assist in the review, the services of a consultant, Professor Alan L. Kafka, were retained by JBA to review Appendix F.1 from the seismologist's viewpoint. Professor Kafka's report is provided in Appendix A to this review, while important points are incorporated in the body of this report.

As part of the review, the interim results of USNRC research performed by Lawrence Livermore National Laboratory, the Seismic Hazard Characterization Program (SHCP) (1), are used. Although specific probabilistic estimates for the Seabrook site are not available, seismic source zone characterizations and seismicity parameter estimates provided by the experts who participated in the SHCP are used as a basis for comparison with the Seabrook seismic hazard analysis. As a result of earlier work conducted at LLNL for the Systematic Evaluation Program (SEP), specific probabilistic hazard estimates were made for the Seabrook site (2). Although not current, a qualitative comparison of these results with the SSPSA hazard analysis is made.

The review of the seismic hazard analysis in the SSPSA concentrated on a number of issues. To begin, the adequacy and appropriateness of the analysis approach to estimate the probability distribution on the frequency of ground motion is considered in Section 4.1.1.2. Individual elements of the seismic hazard analysis (seismogenic zones, seismicity parameters, and the ground motion characterization) are reviewed in Sections 4.1.1.3-5, respectively. In Section 4.1.1.6 a brief comparison between the SSPSA hazard analysis results and those of other studies is made. In Section 4.1.1.7 conclusions and recommendations are given.

4.1.1.2 Seismic Hazard Methodology

The seismic hazard analysis methodology used in the SSPSA follows well-established procedures for evaluating the frequency of exceedance of ground shaking (3,4). The basic steps in the analysis are:

• Collect historical seismicity data, geophysical, geologic, and tectonic information.

• Establish seismic source zones based on available data and expert input regarding the causative mechanism of earthquakes.

• Develop seismicity parameters that describe the spatial and temporal frequency of earthquake occurrences (i.e., maximum magnitude, b-values, activity rates).

• Select a method of characterizing ground shaking and corresponding ground motion attenuation models.

• For each of the above steps, solicit expert opinion regarding alternative approaches to model the occurrence of seismic events and the intensity of ground motion.

• For each hypothesis solicit expert probability assignments that characterize the degree-of-belief in each alternative.

• For the family of seismic hazard modeling alternatives, calculate the frequency of exceedance of ground motion per year.

• Aggregate the results to establish the probability distribution on the frequency of exceedance.

The use of this procedure in the SSPSA to evaluate the ground shaking hazard at the plant site is considered appropriate and adequate.

In actual applications, the analyst has considerable latitude to define the level of detail in the analysis. For example, the analyst controls the selection of experts, the method of soliciting expert opinion, and the degree of documentation in reporting the study results. Overall, the seismic hazard analysis used in the SSPSA is the same methodology utilized in previous PRA's submitted to the USNRC (5-8). In some respects, the SSPSA study constitutes an improvement over previous studies, in that a greater level of detail was used in sampling alternative model hypotheses. In all, 144 hazard curves were generated in the SSPSA, which is generally more than in previous PRA's (e.g., Zion - 27, Indian Point - 15, Limerick - 6, and Millstone - 184). The adequacy of individual aspects of the analysis is discussed in subsequent sections.

4.1.1.2.1 Soliciting Expert Opinion

To a large extent, seismic PRA's and seismic hazard analyses in particular rely heavily on expert judgement to estimate the value of key parameters and the uncertainty in such estimates. Thus, an integral part of the analysis is associated with soliciting expert input. For the most part, an ad hoc approach has been taken in past seismic PRA's in soliciting expert input and in establishing subjective probability weights. There are generally recognized inadequacies associated with this type of approach. Among these are: arbitrary assignment of subjective probability weights, failure to identify the sample space of a random variable (i.e., range of possible values), bias, miscalibration, lack of coherence in expert statements, and failure to adequately assess the uncertainty in expert judgments, among other potential problems. We suspect that the SSPSA suffers from a number of these problems, although it is difficult to establish this quantitatively. In comparison, however, the approach used in the SSPSA is similar to that in previous studies.

In this review, three aspects of the process of soliciting expert judgments and subjective probabilities are considered. These consist of:

• Methodology - approach used to solicit and combine multiple expert input,

• Application - how the methodology was applied, how many experts were used, and

• Documentation - completeness in reporting the results of the study.

Within the context of these broad categories, comments on the approach used in the SSPSA seismic hazard analysis are given.

4.1.1.2.2 Analysis Approach

The SSPSA does not provide a specific discussion on the method used to quantify the uncertainty in key aspects of the hazard analysis. The report states that more conservative and less conservative alternatives with respect to a best estimate hypothesis are examined. However, there is no definitive discussion of the approach taken to identify alternative hypotheses, solicit individual expert judgments, and combine the input from a group of experts.

From previous experience in reviewing seismic PRA's and in our reading of the SSPSA, we conclude that an ad hoc approach was used. At a minimum, an ad hoc process of evaluating the uncertainty in seismic hazard estimates suffers from a lack of a systematic, coherent approach for quantifying expert judgments. At worst, subjective probability assignments estimated in this way could be an inappropriate characterization of the professional uncertainty in the seismic hazard. It is true that the state-of-the-art in this area is advancing rapidly. Nonetheless, a clear presentation of the approach used in the SSPSA should be provided.

In the seismic hazard analysis report, limited documentation is provided regarding the assessment of subjective probabilities assigned to alternative model hypotheses. Specifically, limited information is available on the following:

• experts who provided alternative model assumptions and subjective weights for seismic source zones, seismicity parameters, and attenuation models,

• methodology used to solicit expert input and the procedure to combine input from a group of experts,

• supporting scientific basis for individual model hypotheses.

As a result of the limitations in these areas, there is inadequate documentation to support the probability distribution on the frequency of exceedance per year of ground shaking. In effect, the reader is expected to accept the modeling uncertainties which have been expressed on faith.

In past seismic hazard studies conducted for PRA's (5-8), a limited number of experts (possibly only one) were consulted to evaluate the modeling uncertainty in various phases of the analysis. As a result, the process of identifying credible parameter values or model hypotheses may be self-limiting in the sense that the one or two experts participating in the analysis represent a restricted sample of the range of possible expert opinions. This observation is supported by the fact that a comparison between seismic hazard studies utilizing many experts and those using only one or two, show greater variability in the probability distribution on frequency. In Figure 4.1.1-1, an example is shown of the logarithmic standard deviation of the frequency of exceedance at different peak ground acceleration levels as estimated in various site-specific seismic hazard studies, and in the LLNL Seismic Hazard Characterization Project (1). Other, more direct comparisons that support this conclusion are included in this review. In our review of the LGS-SARA (9), a similar concern was expressed that the uncertainty in key parameters in the hazard analysis was not adequately represented, which ultimately limits the assessment of the probability distribution on the frequency of ground motion.

A second issue that is strongly influenced by the number of experts involved in the analysis is the central tendency of the hazard curves, when compared to the results of a multi-expert analysis. For example, it might be anticipated that the results of a hazard analysis that utilizes a limited number of experts (i.e., one or two), could diverge from those of a study using many experts. That is, any one expert in a small group can differ from the group and affect the results significantly.

In summary, an ad hoc approach was used in the SSPSA seismic hazard analysis to identify alternative modeling assumptions and to quantify subjective probability weights denoting degree-of-belief. In general, the SSPSA seismic hazard analysis is consistent with other PRA's that have included external events. At the same time, the study fails to thoroughly document essential aspects of the analysis, and thus results of the uncertainty analysis are at least partly unsupported.

4.1.1.3 Seismogenic Zones

In Section 3.0 of Appendix F.1 of the SSPSA, the seismogenic zone hypotheses included in the seismic hazard analysis are reported. In sum, six alternative hypotheses and zonations were identified. Each zone is considered as an alternative configuration, wherein "earthquakes are considered to be of similar tectonic origin so that future seismic events can be modeled by a single function describing earthquake occurrences in time, space, and size" (SSPSA, F.1-6, Appendix F.1). For each zone that was included in the analysis, a brief summary was reported.

The delineation of seismic zones is a difficult task since it requires an evaluation of the mechanism of earthquake occurrences in the region surrounding a site. Since the origin of earthquakes in the Eastern U.S. is presently unknown, the seismic hazard analyst, in consultation with physical scientists, must conduct an analysis that quantitatively documents the state-of-information with respect to the causative mechanism of earthquake occurrences. Available information exists partially in the form of physical data (i.e., observed geologic, geophysical properties), observation (i.e., historic seismicity), and scientific hypotheses that attempt to provide a coherent explanation of earthquake occurrences. Due to the limited physical data base and observational record, there is considerable scientific speculation regarding the cause of earthquakes in the East. As a result, the analyst must rely more on the opinions and speculation of experts, rather than physical data in order to establish source zones.

The delineation of seismogenic zones becomes a matter of practical importance in the seismic hazard analysis since it establishes the geometric pattern of earthquake occurrences relative to a site. In addition, it also defines the subset of historic earthquakes that serve as the principal basis to estimate seismicity parameters for each seismogenic zone.

In Appendix F.1 of the SSPSA, a limited discussion is provided to support the choice of each of the six seismogenic zones used in the analysis. Given the overall importance of the definition of source zones and the highly subjective nature by which they are generated, the supporting basis provided for each hypothesis in the report is considered to be inadequate (a total of 2 pages). In our view, a complete, comprehensive discussion should be given to support a hypothesis and the degree of credibility assigned to it (i.e., the subjective probability weight). The discussion should focus on a number of issues which include (but may not be limited to):

• regional geologic and tectonic structure

• assessments of crustal stress patterns

• geophysical data

• correlation of historic seismicity patterns with known (or hypothesized) geologic and tectonic structures

• summary of the hypothesized earthquake-generation process based on the above points.

Clearly, Appendix F.1 of the SSPSA does not adequately discuss these issues for each hypothesis.

In the SSPSA six seismogenic zone hypotheses were considered. They are:

• FSAR zones

• FSAR-Combined zones

• Northern Appalachian zone

• Ossipee-Cape Ann zones

• White Mountain zone

• Boston-Ottawa zone

As discussed in Professor Kafka's review, provided in Appendix A, these or any other set of source zone descriptions that attempt to explain the cause of earthquakes in the Eastern U.S. are highly speculative. The review of the seismogenic zones defined in the SSPSA is based principally on the input provided by Professor Kafka and a qualitative comparison with the interim results of the SHCP. On a quantitative basis, the adequacy of the seismogenic zones is measured in terms of the seismicity parameters estimated for each zone. This is addressed in the next section.

As a general observation, the family of seismogenic zone hypotheses defined in the SSPSA appear to speculate that a considerable degree of detail is known as regards the mechanism of earthquake occurrences in the vicinity of the Seabrook station. In our opinion, the definition of source zones near the site, specifically the FSAR, FSAR-Combined, and the Ossipee-Cape Ann zones, express greater detail than the state-of-knowledge warrants. This observation appears to be generally supported by the expert base maps reported in Reference 1. It could be argued that a site-specific hazard analysis warrants a greater level of detail in defining seismogenic zones. We would agree; however, no basis in scientific fact or logic is offered in the SSPSA to support this. Thus, the degree of credibility assigned to these hypotheses should, in our opinion, be low. The assignment of subjective probability weights is discussed later in this section.

In addition to the seismogenic zones defined in the seismic hazard report, Appendix B to the SSPSA hazard study provides calculations for two additional seismogenic zones, Charleston Zone 1 and Charleston Zone 2. These zones were not incorporated in the final seismic hazard calculations.

In Appendix A to this report, Professor Kafka suggests that the pattern of seismicity and the state-of-knowledge with respect to earthquake occurrences does not rule out the possibility that the entire Eastern U.S. and Southeastern Canada is a seismogenic zone. Although speculative, as are other hypotheses, this zone would allow "New Madrid-type" events to occur at the site. The basis for this hypothesis lies in part with the observed alignment of principal stresses and geologic features that exhibit a southwest/northeast trend from approximately the New Madrid area to Southeastern Canada. It also represents the hypothesis that the occurrence of large earthquakes (M > 7) cannot be ruled out in the Eastern U.S.

Based on a comparison with the base maps of the experts who participated in the SHCP, we have concluded that the seismogenic zones in SSPSA-Appendix F.1, including those in Appendix B, generally account for the principal attributes of the range of zones in the SHCP. From a qualitative perspective, this is to say that the SSPSA is generally consistent with the zonations in the SHCP. At the same time it is felt that the SSPSA probably has not characterized the uncertainty in zone descriptions as discussed below.

For each of the seismogenic zone hypotheses defined in the SSPSA, probability weights were subjectively assigned to reflect the degree-of-belief that it is the correct one. As has been the case in past seismic PRAs submitted to the USNRC, an ad hoc approach was used in the SSPSA to assign probability weights to each seismogenic zone hypothesis. Based on the discussion in Appendix F.1 it is not apparent to what degree the subjective probability assignments were based on the credibility of the scientific attributes of each hypothesis. In part, it appears that indifference is shown towards three general zonation hypotheses, and a fourth is given considerably less credibility.

We have a number of specific concerns regarding the assignment of subjective probability weights to each seismogenic zonation. First, it is not stated in the report which expert(s) actually assigned the probability weights. Was more than one expert involved in the solicitation process; if so, how were the probability assignments of the experts combined? In view of the fact that expert opinion (as opposed to statistical analysis) is the sole basis for these probabilities, each expert who provided input should be identified. Secondly, a clear discussion of the logical basis for each probability assignment should be provided. At this time it is not apparent what or how scientific evidence supports the probability values used in the analysis.

As discussed in Section 4.1.1.2, there is concern that seismic hazard assessments adequately represent the probability distribution on variables that must be subjectively assessed. It is not clear from the SSPSA-Appendix F.1 that a complete sample of expert opinions regarding seismic source zones was conducted. If experience from previous seismic hazard analyses applies here as well, then in fact only one or two experts participated in the process, thus limiting the range of viewpoints considered. In this context, the discussion earlier in this section highlighted the views of Professor Kafka, who has a differing opinion regarding the definition of seismogenic zones. These differences are evident in the probability assignments he would assign to the hypotheses defined in the SSPSA. Professor Kafka's probability assignments are given in Table 4.1.1-1 with the values from the SSPSA.

We hasten to point out that the probability weights reported in Table 4.1.1-1 are not proposed here as the correct values. They are, however, an opposing assessment not incorporated (even implicitly) by the SSPSA. This information is provided in support of our view that only a limited sample of reasonable seismogenic zone hypotheses were incorporated in the study. Although we generally agree with the statement in the SSPSA-Appendix F.1 that the results of the analysis are not heavily dependent on the subjective weights, this is only true given the sample space of hypotheses has been adequately defined. If it has been, then reasonable variations of probability weights generally do not drastically affect the results.

4.1.1.4 Seismicity Parameters

The adequacy of the assessment of seismogenic zones is realized in the quantification of seismicity parameters and ultimately in the predicted spatial distribution of earthquake occurrences near a site. The latter is difficult to assess without the detailed results of a seismic hazard analysis program and thus, is not addressed here. In this section, a review is conducted of the seismicity parameters defined for each seismogenic zone. We again utilize the results of SHCP to make quantitative comparisons with the SSPSA results.

To assess the level and rate of seismicity in the vicinity of the Seabrook station, the following sources of information were used:

• description of seismogenic zones

• the Chiburis catalog (10) of historical earthquakes

• a magnitude-intensity relation developed by Weston Geophysical (11)

• expert input.

With this information, the following seismicity parameters were estimated:

• seismic activity rates

• Richter b-values

• maximum magnitudes.

In determining the seismicity parameters for each seismogenic zone, a number of initial assumptions were made. First, a lower bound on earthquake magnitude of 4.5 was assumed. This value was selected on the basis that earthquakes of magnitude less than 4.5 are not capable of causing damage to safety-related equipment and structures at the Seabrook station. We are in general agreement with this assumption. We believe this is reasonable since accelerations produced by events less than magnitude 4.5 are incapable of sustained ground motion intensities necessary to produce structural damage. In our opinion, including events of magnitude less than 4.5 can result in hazard curves that have a disproportionately high contribution to the frequency of accelerations near the SSE level and higher from small magnitude earthquakes (12).

It was also assumed in the SSPSA that the distribution of earthquake magnitudes could be described by a log-linear relation. Although the adequacy of this model is often questioned, it is an appropriate assumption. In the remainder of this section, each of the sources of input and the seismicity parameter estimates are reviewed.

Seismogenic Zones

The adequacy of the seismogenic zones defined in the SSPSA was reviewed in the previous section. Their role in the estimation of seismicity parameters is to establish the subset of earthquakes in the historic catalog that is used.

Earthquake Catalog

In the SSPSA seismic hazard analysis, the Chiburis catalog (10) was used. It is generally recognized that problems of accuracy and completeness exist in most earthquake catalogues. Potential problems are not restricted to historic earthquakes, where they are naturally expected. Recent studies have pointed to inconsistencies in magnitude estimates of smaller events as well ($m_b < 5.0$). This could have a strong influence on activity rate estimates, due to the relatively high rate of occurrence of small magnitude earthquakes.

The problem of record completeness was addressed in the SSPSA by identifying periods of completeness for various intensities. No basis is given to support these estimates.

In view of the fact that the earthquake catalog is the only source of information used to establish seismic activity rates and Richter b-values, it is appropriate to cross-check with at least one other earthquake catalog. For example, was the earthquake catalog reported in the Seabrook FSAR consulted?

Magnitude-Intensity Relationship

In order to establish a frequency distribution for the occurrence of earthquake magnitudes, a relationship is required to convert historic earthquakes, defined in terms of Modified Mercalli Intensity ($I_e$), to earthquake magnitude. To do this, the following relation was used (11),

$$m_b = 0.44 + 0.67\,I_e \qquad (1)$$

Two concerns are raised with respect to the conversion of $I_e$ values to earthquake magnitude; first, the $m_b$ data exhibit considerable scatter about a derived $m_b$ - $I_e$ relation. For example, scatter of ±0.5-1.0 magnitude units about a least squares fit to the data is typical. The second concern deals with the adequacy of considering only one magnitude-intensity relation.

Since $I_e$ values are subject to the large variation in local ground shaking, they likewise exhibit considerable scatter when related to earthquake magnitude. In our opinion, this source of random variability should be taken into account in converting $I_e$ values to magnitude.

Of greater concern is the best estimate relationship that defines $m_b$ in terms of $I_e$. Experience from previous seismic hazard studies (6, 8) indicates that the choice of a magnitude-intensity relation can increase the frequency of exceedance by a factor of 1.5 to 2 or more. In our opinion, the sole use of Equation 1 to convert intensity values to earthquake magnitude is inappropriate and may be unconservative. Other reasonable relations (i.e., Nuttli-Herrmann, Street and Lacroix) are available and should be included in the study.

Expert Input

In order to assess the uncertainty in the frequency distribution of earthquake occurrences, subjective input was used to define alternative model hypotheses. Expert input played a role in estimating each of the seismicity parameters. As in the case of establishing seismogenic zones, an ad hoc procedure was used to identify alternative model hypotheses and to assign subjective probability weights. Specific concerns related to each parameter are discussed later. In the SSPSA the experts who participated in the assessment of seismicity parameters were not identified. In our opinion, the process of utilizing and soliciting expert input to evaluate seismicity parameters was not well documented in the seismic hazard report.

Seismic Activity Rates

To evaluate the rate of earthquake occurrences in a seismogenic zone, the number of events per year is estimated. In the SSPSA, two estimates of the seismic activity rate were obtained, based on the procedures used to determine the Richter b-value (discussed in the next section). The report states that no uncertainty in activity rates was considered in the assessment. Based on comments given under the discussion of Richter b-values, low credibility should be given to the seismic activity rates evaluated on the basis of an assumed b-value of 0.90. As discussed in the next section, this alternative modeling approach is not appropriate, and should be given low credibility.

In order to assess the SSPSA hazard analysis in light of the interim results of the SHCP, an approach was taken to make a general comparison between the activity rate estimates of the two studies. The procedure used was as follows. For each zone that encompasses the Seabrook site, the seismic activity rate was defined as the number of events per year per square kilometer. In this way the effect of zone size does not influence this initial comparison between seismogenic zones and between the two hazard analyses. This approach assumes that the zone which encompasses the Seabrook site has the greatest contribution to the hazard.

In the case of the SHCP, the best estimate activity rate for each zone was used, and corrected to give the activity for events mb > 4.5. For simplicity, only the expert base maps were used. Also, the uncertainty in activity rates defined by the SHCP was not considered in the analysis. We expect the effect of this simplification is to underestimate the uncertainty in the activity rate.

The activity rates for each seismogenic zone were then assigned a probability weight to form a probability distribution. In the SSPSA, individual weights were taken as the product of the probability of the zone hypothesis and the probability assigned to each method used to calculate activity rates. In the SHCP, probability weights were defined according to the weights assigned to each expert based on their self weighting. Recall, only the expert base maps were used.

Figure 4.1.1-2 shows the cumulative probability distribution on seismic activity rates for each study. Based on this data, the mean activity rates (shown on the figure) are remarkably similar. If the complete uncertainty in activity rates was included for the SHCP results, we would expect a wider distribution and higher mean value. Overall the two distributions are similar in range and distribution shape. This comparison tends to support the idea that the SSPSA zones generally account for the variations in seismogenic zones in the SHCP, in a best-estimate sense in terms of normalized seismic activity rates.

Richter b-values

The Richter b-value defines the relative distribution of large earthquakes to smaller events that occur in each seismogenic zone. In the SSPSA two approaches were used to estimate b-values. In the first approach, a b-value was estimated from a least squares fit of the number of events as a function of earthquake magnitude. A second estimate of b-values was obtained by assuming an alternate value of 0.90 for each seismogenic zone. The estimates of b-values using these approaches were given equal weight. In addition to uncertainty in the best estimate, statistical uncertainty about the mean was also taken into account. One standard deviation was taken to be 20 percent of the estimated mean.

The uncertainty in estimating b-values is attributed in part to the scarcity of earthquake occurrence data in the Eastern U.S. The occurrence or non-occurrence of one moderate-size earthquake can drastically alter b-value estimates. It is stated in the SSPSA that the two methods of estimating b-values represent two possible extreme approaches. The case of the Thrust Complex zone in the FSAR zones is offered in support of this. However, the SSPSA does not mention the comparison for the Eastern New England zone of the FSAR-Combined hypothesis, where the b-values are 0.93 and 0.90. The assumed value of 0.90 does not represent an extreme estimate in this case. The fact that the calculated value is close to the assumed value does not erase the initial concerns regarding lack of data to estimate b-values.

The basis given in support of the assumed b-value of 0.90 is the first expert opinion survey conducted by LLNL(13). We note, however, that in the SHCP the experts (many of whom participated in the first study) did not indicate a preference for a "generic" definition of b-values, and instead used calculated values for each of their zones.

To compare the SSPSA estimate of b-values to those obtained in the SHCP, an approach similar to that used to compare the seismic activity rates of the two studies was used. In this case the distribution of b-values is again based on the probability weights assigned to the best estimate values for the expert base map zones. For simplicity, the range of values for a given zone in the SHCP and the statistical uncertainty used in the SSPSA were not considered. Figure 4.1.1-3 shows the comparison of the two studies. From this, we observe that the SSPSA tends toward less steep b-values than do the experts in the SHCP. The effect of this, everything else being equal, would be to assign higher relative likelihood to large magnitude earthquakes. The SHCP distribution on the other hand allows for steeper b-values, resulting in greater relative likelihood of smaller events. The SHCP results may be a product in part of the lower-bound magnitude of 3.75.
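The sensitivity discussed above, worked through as an added example that is not part of the reviewed report or the SSPSA. It assumes the standard Gutenberg-Richter form log10 N(>=M) = a - b*M with b written as a positive number; the catalog, the magnitude thresholds and the 4.5 and 6.0 comparison magnitudes are constructed for illustration.

```python
import math

# Constructed (illustrative) catalog of magnitudes for one hypothetical
# seismogenic zone. These are not values from the SSPSA or the SHCP.
CATALOG = [4.1] * 20 + [4.6] * 6 + [5.1] * 2
THRESHOLDS = [4.0, 4.5, 5.0, 5.5]   # assumed magnitude bins for the fit
ASSUMED_B = 0.90                    # "generic" b-value discussed in the text


def cumulative_counts(mags, thresholds):
    """Number of events with magnitude >= each threshold."""
    return [(m, sum(1 for x in mags if x >= m)) for m in thresholds]


def fit_b_value(mags, thresholds):
    """Least-squares fit of log10 N(>=M) = a - b*M. Returns (a, b).

    Thresholds with zero events are dropped because log10(0) is undefined,
    which is itself one reason sparse catalogs give unstable fits.
    """
    pts = [(m, math.log10(n))
           for m, n in cumulative_counts(mags, thresholds) if n > 0]
    if len(pts) < 2:
        raise ValueError("need at least two non-empty magnitude bins")
    mean_m = sum(m for m, _ in pts) / len(pts)
    mean_y = sum(y for _, y in pts) / len(pts)
    sxx = sum((m - mean_m) ** 2 for m, _ in pts)
    sxy = sum((m - mean_m) * (y - mean_y) for m, y in pts)
    slope = sxy / sxx
    return mean_y - slope * mean_m, -slope


def ratio_large_to_small(b, m_small=4.5, m_large=6.0):
    """Relative frequency N(>=m_large) / N(>=m_small) implied by b."""
    return 10 ** (-b * (m_large - m_small))


def weighted_ratio(estimates):
    """Probability-weighted ratio over a list of (b, weight) pairs."""
    total = sum(w for _, w in estimates)
    if abs(total - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(w * ratio_large_to_small(b) for b, w in estimates)


def demo():
    # Fit on the sparse catalog, then again after one moderate-size event.
    _, b_sparse = fit_b_value(CATALOG, THRESHOLDS)
    _, b_plus_one = fit_b_value(CATALOG + [5.8], THRESHOLDS)
    # Equal (0.50 / 0.50) weight on the fitted and the assumed b-value.
    mixed = weighted_ratio([(b_sparse, 0.5), (ASSUMED_B, 0.5)])
    return {
        "b_sparse": b_sparse,
        "b_plus_one": b_plus_one,
        "ratio_fitted_only": ratio_large_to_small(b_sparse),
        "ratio_equal_weight": mixed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

In this constructed case a single added event flattens the fitted slope, and giving half the weight to 0.90 raises the implied share of large events relative to the fitted value alone.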

It should be pointed out that this comparison, by itself, provides only a limited basis to speculate on the impact these differences have on the hazard analysis calculations. Since the b-values are correlated with estimated activity rates, they must be considered jointly in order to determine their influence on the frequency of earthquake occurrences. It is difficult therefore to subjectively assess the overall interaction effect of activity rates and b-values.

From the comparison of the two studies we conclude that the SSPSA assigns greater weight to b-values less steep than the experts in the SHCP. This result is dominated to a large degree by the 0.50 weight assigned to the assumed b-value of 0.90. This result, by itself, tends towards greater relative likelihood of large magnitude earthquakes. The approach used in the SSPSA of assigning 0.50 to an assumed b-value, in our opinion, is not appropriate. The credibility that should be assigned to this approach in general, and the 0.90 value in particular, is low, relative to a direct calculation of b-values and to other procedures that could have been used to estimate the uncertainty in the mean b-value estimate.

Maximum Magnitudes

The estimate of the maximum earthquake size for each seismogenic zone is an important step in the hazard analysis. In the SSPSA, a best estimate of the maximum magnitude was obtained by adding 0.50 magnitude units to the maximum historical event that occurred in the zone. A three-point distribution on maximum magnitude was then established by taking ±0.30 magnitude units about the best estimate value. Each value in the distribution was equally weighted. This approach is often used to obtain a distribution on maximum magnitude estimates. It has the advantage that it is systematic and easy to follow, and is based on the maximum historical earthquake observed in a seismogenic zone. On the other hand, it suffers from the fact that the range about the best estimate value is arbitrary. It also relies heavily on the magnitude estimates of historic earthquakes for which magnitudes were not originally assigned.

In regard to this last point, Professor Kafka points out that there is also the possibility that considerable uncertainty exists in the estimate of epicentral intensities for events that occurred offshore. Based on estimates provided in References 11 and 14, Professor Kafka concludes that it would not be unreasonable to state that the Northern Appalachian zone has experienced an intensity IX or magnitude 6.5 event. In this case, the best estimate for maximum magnitude is Ie = X or mb ≈ 7.1. Although this hypothesis does not constitute the "correct" value for the best estimate of the maximum magnitude, it does underline the uncertainties in the approach and the reliance on the earthquake catalog.

The results of the SSPSA for maximum magnitude are compared to the SHCP results in a manner similar to that used to compare activity rates and b-values. In this case the complete distribution assigned by the experts in the SHCP was used. The comparison is shown in Figure 4.1.1-4. The mean estimates of the maximum magnitudes are quite similar, 6.34 and 6.45 for the SSPSA and the SHCP, respectively. The SHCP results indicate greater variability in the opinions of the experts. This is not unexpected, since the SSPSA undoubtedly did not utilize the same number of experts as did the SHCP (although we don't know how many experts were used in the SSPSA). From a central tendency perspective, the results of the two studies are in agreement.

In the SSPSA the range about a best estimate of the maximum magnitude was taken as ±0.30 magnitude units. In comparison to the range defined by the experts in the SHCP for seismogenic zones that encompass the Seabrook station, the upper- and lower-bound values generally have a range of ±0.30 to ±0.50 magnitude units about the best estimate value. We conclude that the 0.30 value used in the SSPSA is reasonable.
4.1.1.5 Ground Motion Attenuation

4.1.1.5.1 Introduction

To describe the variation of earthquake intensity as a function of magnitude and distance, four attenuation models were used. In Section 4.1.1.5.2 these relationships are reviewed. In Section 4.1.1.5.3 the use of an upper-bound on ground acceleration to truncate the seismic hazard curves is discussed.

4.1.1.5.2 Ground Motion Models

A preliminary assessment of the four ground motion models used in the seismic hazard analysis has been made. We have utilized the compilation of Eastern U.S. attenuation relationships provided in Reference 1. The four attenuation models used in the SSPSA are:

• Nuttli and Herrmann(15)
• Campbell(16)
• An acceleration/intensity (AI) model
• An acceleration/intensity/distance model (AID)

Based on an initial comparison of these models, the range of estimates is divided into two distinct groups, the first two models listed, and the last two. Sensitivity calculations on the seismic hazard reported in Appendix F.1 verify this observation.

In comparing the four attenuation models used in the SSPSA to those reported in the SHCP, a major part of the variability in the complete family of attenuation relations is accounted for by the SSPSA. However, as in previous comparisons with the SHCP results, the complete range of variability is not considered. Further comparison to the SHCP best estimate attenuation relations indicates that the four SSPSA attenuation models generally make lower predictions of acceleration at distances between 10 and 100 km. From our experience it is believed that the major contribution to the hazard comes from this distance range.

The use of intensity-based attenuation relationships raises a number of concerns. In this case, the process of developing acceleration attenuation relations is a two-step process in that once site intensities have been determined, a conversion to peak ground acceleration must be made. The range of alternative models to make this transformation is wide. However, the relationship actually used in the SSPSA is at the higher end of the range. Due to the two-step transformation required to predict peak ground accelerations, greater variability is incorporated in the prediction model. This added source of variability is ignored in the SSPSA.

A second concern centers on the basic use of intensity as a means to predict ground motion. Since intensity is, by definition, a subjective measure of the severity of building response, it is limited in its ability to resolve the issue of ground-shaking intensity. As a result, there is an inherent bias in intensity relationships designed to predict peak ground acceleration. This bias is related to the fact that the process of damaging structures has filtered the input ground motion to produce a particular observed outcome (i.e., structural damage).

In the SSPSA it is not reported which, if any, experts were consulted to select the attenuation models or to assign probability weights to them. The discussion expresses indifference toward the four models used in the study, and assigns equal weight to them. We question, for example, whether a comparison was made to the strong motion data available for the Eastern U.S. in order to establish the probability weights.

To account for the randomness of ground motions about a median ground motion prediction, a lognormal distribution was used with a logarithmic standard deviation of 0.60. In our opinion, this value is appropriate for use with magnitude/distance attenuation models. However, in the case of the acceleration/intensity models, a larger estimate of the randomness is warranted due to the two-step transformation required to predict ground accelerations.

From the review of the ground-motion models, we conclude that the credibility assigned to the AI and AID models may be high. Based on a simple comparison to the best estimate SHCP attenuation models, the four SSPSA attenuation relationships tend to predict lower accelerations in the distance range of principal interest to the calculations of seismic hazard at Seabrook.

4.1.1.5.3 Upper-Bound Accelerations

In the SSPSA an approach is used to truncate the seismic hazard curves to reflect the belief that upper bounds on ground accelerations exist. The argument used is the same as that in other seismic PRAs(5-8). The explanation for limiting accelerations consists of two steps. The first step is the assumption that there is a maximum intensity associated with each seismogenic zone corresponding to the maximum magnitude for that zone. This is assumed to be true by seismologists. The second step relates the predicted accelerations for masonry structures with the qualitative descriptions of the Modified Mercalli Intensity (MMI) scale. These bounds are then used to truncate the seismic hazard curves generated for each zone.

The basis for the argument leading to maximum acceleration values in the second step is as follows. Masonry structures are selected since they are the only engineered components for which damage is systematically described in the MMI scale. If the accelerations are higher than predicted, then a higher MMI value (corresponding to more damage) would occur. However, since the maximum MMI values are limited by the seismologist, a higher acceleration is not possible. It follows directly that if upper bounds on intensity exist then upper bounds on damage exist since intensity is a scale which measures damage.

Although it is believed by the reviewers that it is more appropriate not to truncate the hazard curves but to reflect a limit on damageability in the fragility curves, the effect of modifying the hazard curves produces the same result. Thus, if upper bounds exist for lower intensity values, similar limits should apply for higher intensity values for engineered concrete structures. However, it is difficult to quantify this belief at this time.

The effect of truncating hazard curves is generally considered to have a minor effect on risk calculations. If accelerations in the range of 0.40g to 0.70g dominate the SSPSA frequency of core-melt estimate, we believe this conclusion holds here as well.

4.1.1.6 Comparison with Results of Other Studies

In this section a qualitative comparison is presented between the results of the SSPSA seismic hazard analysis and other studies available for the site. These studies include the results of USGS hazard assessments conducted for the contiguous U.S.(17) and calculations made by LLNL for the Seabrook site using the Systematic Evaluation Program (SEP) data as input.(2) Site-specific results from the SHCP are not available for Seabrook. However, results computed in the SHCP and the SEP are in general agreement in a median sense.(1) A comparison with the SEP results should provide some insights into possible differences between the results that would be given by the SHCP and the SSPSA.

In Figure 4.1.1-5, reproduced from Appendix F.1 of the SSPSA, a comparison is shown between the USGS results for the Seabrook site and the SSPSA study results. As indicated in the figure, the USGS results lie at about the 84th percentile level. However, the USGS study does not account for the randomness in ground motion. If they had, the results would be even higher. In a median sense the results differ by a factor of 2-4 for accelerations beyond 0.10g. Without the benefit of a detailed review of the USGS study, it is difficult to know the precise reason for these differences. However, we are in general agreement with the basic conclusions reached in Appendix B to SSPSA-Appendix F.1 regarding the USGS results. That is, the USGS study does not significantly conflict with the SSPSA hazard analysis. We conclude this in light of our review of the SSPSA. Also, as indicated in Appendix B, the maximum magnitude estimate of mb = 6.4 is quite similar to the average value of 6.3 assumed in the SSPSA.

In the same figure, the SEP synthesis results are shown for the Gupta-Nuttli attenuation relation.
If we assume this result would be consistent in a median sense with SHCP results for Seabrook, a factor of about ten difference exists between the two studies (i.e., SHCP and SSPSA). This poses a situation similar to those encountered at Millstone and Limerick where an equally large disparity between the applicant's estimates and those of the SHCP was observed. The reasons for these potential differences at Seabrook are varied and cannot be quantified at this time since the SHCP results are not available. However, based on the comparisons made in this review to the SHCP and previous experience, the following comments can be made:

• We suspect only minor differences in seismic hazard estimates exist due to variations in seismogenic zones, activity rates, b-values and maximum magnitude estimates.

• The choice of a lower bound magnitude of 3.75 may result in an increased frequency of occurrence at a given acceleration due to the significantly higher rate of occurrence of events less than mb = 4.5.

• The ground-motion attenuation models used in the SHCP predict higher accelerations than those in the SSPSA. This could lead to significant differences in the hazard predictions.

• The use of the Weston Geophysical mb-Ie relationship has probably biased the SSPSA hazard results low.

On a site-specific basis, it is difficult to predict the precise influence certain factors will have on the seismic hazard results. However, we suspect that in the list of factors cited above, a number of them may have a factor of 2 to 3 effect on the hazard calculations. In our opinion, the most appropriate characterization of seismic hazard at Seabrook is probably between the results presented by these studies, since there are aspects of each with which we do not agree.

4.1.1.7 Conclusions and Recommendations

Based on the results of this preliminary review of the seismic hazard aspects of the SSPSA, a number of initial insights have been obtained. Within the scope of the review conducted to date, it is difficult to quantitatively estimate the impact these insights may have on the hazard assessment. In addition to these insights, recommendations are given to the NRC to further review the SSPSA analysis and to the applicant.

In order to more fully substantiate the insights documented here, we recommend that the review be continued to include an assessment of the historical seismicity in the region near the Seabrook site. In addition, we feel further in-depth comparisons between the SSPSA and SHCP can be made in order to better quantify similarities and differences that may exist. Our analysis to date has provided the following insights to the SSPSA:

General Comments:

• The methodology to evaluate the frequency of exceedance is adequate and appropriate to characterize the seismic hazard at the Seabrook site.

• Throughout the seismic hazard analysis, an ad hoc approach was used to solicit expert opinions and to document the basis on which subjective probability assessments were made. Appendix F.1 is not, in our opinion, a tractable presentation of the information used in the analysis or of the process by which the model uncertainty is quantified.

Seismogenic Zones:

• Based on a qualitative comparison between the SSPSA seismogenic zones and those in the SHCP interim report, it appears that the essential features of the variation between the SHCP experts have been captured by the six seismogenic zones used in the SSPSA.

• The level of detail used to define seismogenic zones in the vicinity of the Seabrook site, in our opinion, implies a greater level of knowledge about the cause of earthquakes than is generally believed to exist. Information put forth in the SSPSA does not discount this conclusion.

Seismicity Parameters:

• The estimate of seismic activity rates has been made using only one earthquake catalog. Given the concern for errors and catalog completeness, a cross-check or independent estimate using another catalog is appropriate. This conclusion holds as well for other seismicity parameters.

• To convert intensity values of historic earthquakes to magnitude, a single relationship, developed by Weston Geophysical, was used. This was considered inappropriate given the large scatter in Ie-mb data, and the significant effect this part of the analysis can have on the estimate of seismicity parameters and seismic hazard curves.

• A comparison of activity rates in the SHCP and SSPSA was made for the zones that encompassed the Seabrook site. By normalizing the activity rates by the area of each zone, a direct comparison was made. The means of the two studies were remarkably similar; however, the SSPSA fails to fully capture the uncertainty expressed by the group of experts in the SHCP.

• In estimating Richter b-values, it was assumed with 0.50 probability that b = 0.90 in all seismogenic zones. In our opinion, assuming a "generic" value for b is inappropriate. This assumption does not, as stated in the SSPSA, represent an extreme estimate of b-values.

• A comparison of the SHCP and SSPSA probability distribution on b-values indicates the SSPSA assigns higher probability weight to slopes that are less steep, and thus, by themselves, allow greater relative likelihood to large magnitude events. The SSPSA does not, however, incorporate as much uncertainty in b-values as does the SHCP.

• The approach used to establish a distribution on maximum magnitude is considered reasonable and within general practice.

• A comparison of the SHCP and SSPSA probability distributions on maximum magnitude indicates general agreement between the two studies. Again the SSPSA agrees in a mean sense with the SHCP, but does not fully characterize the uncertainty in maximum magnitude estimates.

Ground Motion Attenuation

• The ground motion attenuation models used in the SSPSA are reasonable and embody the major part of the uncertainty in the suite of relationships documented in the SHCP interim report. In general, we feel the four attenuation models used in the SSPSA predict lower accelerations than the suite of models used in the SHCP.

• The probability weights assigned to the AI and AID models (0.25 each), in our opinion, are high.

Recommendations to the Applicant

Based on the insights summarized above, the following recommendations are made:

• Identify the experts used in each phase of the study.

• Incorporate a Charleston-type seismogenic zone in the analysis.

• Assign lower weight to the FSAR, FSAR-combined and Ossipee-Cape Ann zones.

• Document the supporting basis for each seismogenic zone.

• Revise the estimate of seismicity parameters incorporating the following:

        -   at least one additional earthquake catalog
        -   alternative mb-Ie relationships
        -   model uncertainty in Richter b-values that is zone specific

• Document the basis for the completeness factors used in the analysis.

• Assign lower weight to the AI and AID attenuation models.

• Include greater randomness about the AI and AID median attenuation functions.

• Remove the acceleration truncation of the seismic hazard curves.

REFERENCES

1. Bernreuter, D. L., J. B. Savy, R. W. Mensing, and D. H. Chung, "Seismic Hazard Characterization of the Eastern United States: Methodology and Interim Results for Ten Sites," Lawrence Livermore National Laboratory, Prepared for U.S. Nuclear Regulatory Commission, NUREG/CR-3756, UCRL-53527, 1984.

2. Bernreuter, D. L., "Seismic Hazard Analysis of the Seabrook Site," Lawrence Livermore National Laboratory, Prepared for U.S. Nuclear Regulatory Commission, not dated.

3. American Nuclear Society and the Institute of Electrical and Electronics Engineers, "PRA Procedures Guide," Vol. 1 and 2, U.S. Nuclear Regulatory Commission, NUREG/CR-2300, 1983.

4. Cornell, C. A., "Probabilistic Seismic Hazard Analysis: A 1980 Assessment," Proceedings of the Joint U.S.-Yugoslavia Conference on Earthquake Engineering, Skopje, Yugoslavia, 1980.

5. Pickard, Lowe, and Garrick, "Zion Probabilistic Safety Study," Prepared for Consolidated Edison, Co., not dated.

6. Pickard, Lowe, and Garrick, "Indian Point Probabilistic Safety Study," Prepared for Consolidated Edison Company of New York, Inc., and Power Authority of the State of New York, Copyright 1982.

7. NUS Corporation, "Limerick Generating Station - Severe Accident Risk Assessment," Prepared for Philadelphia Electric Company, 1983.

8. Northeast Utilities Service Company, "Millstone Unit 3 Probabilistic Safety Study," August, 1983.

9. Azarm, M. Z., et al., "A Review of the Limerick Generating Station Severe Accident Risk Assessment; Review of Core-Melt Frequency," Engineering and Risk Assessment Division, Department of Nuclear Energy, Brookhaven National Laboratory, U.S. Nuclear Regulatory Commission, NUREG/CR-3493, BNL-NUREG-51711, 1984.

10. Chiburis, E., "Seismicity, Recurrence Rates and Regionalization of the Northeastern United States and Adjacent Southeastern Canada," U.S. Nuclear Regulatory Commission, NUREG/CR-2309, 1981.

11. Weston Geophysical Corp., "Estimation of Seismicity Parameters for New England," Report prepared for Yankee Atomic Electric Co., 1982.

12. Dames and Moore, "Sensitivity of Seismic Hazard Results at Millstone to LLNL Study Assumptions on Attenuation and Seismicity," Final Report to Northeast Utilities, 1984.

13. Bernreuter, D. L., "Seismic Hazard Analysis: Application of Methodology, Results and Sensitivity Studies," Lawrence Livermore National Laboratory, prepared for U.S. Nuclear Regulatory Commission, Vol. 4, NUREG/CR-1582, 1981.

14. Smith, W. E. T., "Earthquakes of Eastern Canada and Adjacent Areas, 1534-1927," Pub. Dom. Obs., 26, 271-301, 1962.

15. Nuttli, O. W., and R. B. Herrmann, "Consequences of Earthquakes in the Mississippi Valley," Preprint 81-519, American Society of Civil Engineers Annual Meeting, St. Louis, October 1981.

16. Campbell, K. W., "A Ground Motion Model for the Central United States Based on Near-Source Acceleration Data," Proceedings, Earthquakes and Earthquake Engineering: the Eastern U.S., Knoxville, Tenn., 1981.

17. Algermissen, S. T., D. M. Perkins, P. C. Thenhaus, S. L. Hanson, and B. L. Bender, "Probabilistic Estimates of Maximum Acceleration and Velocity in Rock in the Contiguous United States," U.S. Geological Survey, Open File Report 82-1033.

Table 4.1.1-1 Summary of Subjective Probability Weights on Seismogenic Zones

                                          Probability Weights
Seismogenic Zone                          SSPSA     This Review
FSAR Zones                                0.20      0.00*
FSAR - Combined Zones                     0.10      0.00*
Northern Appalachian Zone                 0.30      0.50
Ossipee and Cape Ann Pluton Zones         0.15      0.00*
White Mountain Zone                       0.15      0.00*
Boston-Ottawa Zone                        0.10      0.00
Charleston Zone 1                         0.00      0.20
Charleston Zone 2                         0.00      0.20
EUS-SEC**                                 0.00      0.10

*    At most the sum total weight given to these zones would be 0.20, with the remaining weights varying accordingly.

**   Professor Kafka's seismogenic zone that considers the Eastern U.S. and Southeastern Canada as one zone.

Figure 4.1.1-1 Comparison of the Logarithmic Standard Deviation on the Frequency of Exceedance as a Function of Peak Acceleration. [Plot not reproduced. Horizontal axis: PGA (g). Legend entries as printed: Limerick-SARA, Zion SSMRP, Zion-0&M (no truncation), Indian Point-0&M (no truncation), Indian Point-WCC, Limerick-LLNL, Millstone PSS, Seabrook-0&M, La Crosse-LLNL, Watts Bar-LLNL.]

Figure 4.1.1-2 Comparison of the SSPSA and SHCP Normalized (by Zone Area) Seismic Activity Rates. [Plot not reproduced. Horizontal axis: Normalized Activity Rate (M > 4.5), in events/yr/km² x 10^-6; vertical axis: cumulative probability from 0 to 1.00. Curve label as printed: SSPSA v = 1.45.]

Figure 4.1.1-3 Comparison of the SSPSA and SHCP Probability Distribution on the Best Estimate b-Values. [Plot not reproduced. Horizontal axis: Richter b-Values; vertical axis: cumulative probability from 0 to 1.00. The SSPSA curve carries a label ending in -0.83.]

Figure 4.1.1-4 Comparison of the SSPSA and SHCP Probability Distributions on Maximum Magnitude. [Plot not reproduced. Horizontal axis: Maximum Magnitude, 5.5 to 7.5; vertical axis: cumulative probability from 0 to 1.0. Curve labels: SSPSA, mean = 6.34; SHCP, mean = 6.45.]


4.1.2 Seismic Hazard / Fragility Interface

4.1.2.1 Introduction

In this section, the approach used in the SSPSA to characterize the interface between the seismic hazard and fragility parts of the seismic risk analysis is reviewed. The initial step in the hazard/fragility interface consists of a characterization of ground motion that represents the potential of ground shaking to damage safety-related structures and equipment. The second aspect deals with the selection of an appropriate site-response spectrum. These two steps are coupled since the selection of an effective method of characterizing ground motion depends in part on the response spectrum used. In the following sections, each of these aspects of the SSPSA seismic analysis is discussed.

4.1.2.2 Earthquake Ground Motion Characterization

In characterizing the potential of earthquake ground motion to damage safety-related structures and equipment at the Seabrook station, ground motion intensity is expressed in terms of peak ground acceleration (PGA), a site-specific response spectrum, and an earthquake duration factor which is incorporated in the fragility analysis.

The subject of characterizing the damage potential of earthquake shaking is a topic of on-going development and at times a troublesome and difficult issue to understand. The SSPSA seismic PRA is yet another study that has attempted to deal with this problem. As background, a brief review is given of previous attempts to develop a damage effective ground motion parameter.

Background

The Zion (ZPSS) and Indian Point (IPPSS) PRAs (1, 2) were the first attempt to define a damage effective ground acceleration which was applied in a seismic risk analysis of nuclear power plants. In developing a damage effective acceleration, two steps were taken. First, an effective peak acceleration (EPA) was defined which was an acceleration value that could be used to scale a broad-band response spectrum (e.g., WASH 1255 spectrum) such that the predicted spectral accelerations in the frequency range of 2 to 10 Hz are consistent, in a median sense, with spectral levels of real earthquakes in the earthquake magnitude range of interest. As indicated in References 1 and 2, the EPA value is dependent on earthquake size. For small magnitude events, the EPA is significantly less than the instrumentally recorded peak acceleration (IPA). This is due partially to the fact that smaller magnitude earthquakes have narrow, peaked response spectra and short durations. For large magnitude events, which have a broader response spectrum shape, the effective peak acceleration would equal the IPA.

The consequence of anchoring a broad-band response spectrum shape to an EPA is an elastic-response spectrum that is median centered in the 2 to 10 Hz frequency range. To determine a median-centered, broad-band spectrum, Structural Mechanics Associates, Inc. (SMA), authors of the seismic analyses in the ZPSS and IPPSS and of the SSPSA seismic fragility studies, recommended that the EPA be set to

$$\mathrm{EPA} = 1.25\,A_{3F} \tag{1}$$

where $A_{3F}$ is the third-highest peak acceleration or sustained acceleration in a low-pass filtered acceleration record. Frequencies beyond 9 Hz were eliminated. Implied in Equation 1 is the assumption that earthquakes that contribute to failure are small to moderate size events (i.e., 5.3 < M < 6.3).

In the next step, the elastic-response spectrum is modified to reflect its potential to damage structures or equipment with natural frequencies in the 2 to 10 Hz range. The basis for this second step is the fact that in order for damage to occur, a structure or equipment item must experience multiple cycles of response. Consequently, for small magnitude earthquakes that have relatively short durations, the amount of damage expected is small, and thus the damage effective response would be significantly below the elastic response level. For large magnitude events, which last longer, little or no modification is required, according to the Zion method.

In order to estimate the damage potential of earthquake ground motion, a damage effective acceleration was defined as

$$A_D = \frac{\mathrm{EPA}}{F} = \frac{1.25}{F}\,A_{3F} \tag{2}$$

where the factor F is a function of earthquake magnitude and duration, and the level or type of damage. The intent of the F factor is to account for the less damaging effects of small earthquakes by effectively reducing the intensity of ground motion that is input to a structure. At the time the Zion and Indian Point studies were done, only limited information on the possible values of F was available. It was felt that F would likely be in the range of 1 to 3. Thus, a single value of 1.25, reported to be conservative, was used. This resulted in $A_D = A_{3F}$, and the need to shift the seismic hazard curves, originally defined in terms of peak ground acceleration, by a factor of 1/1.23 to damage effective acceleration values. (The factor used to scale peak ground acceleration to $A_{3F}$ is 1/1.23, not 1/1.25, which is noted for the careful reader who studies References 1 and 2.)

With respect to the approach used in the ZPSS and IPPSS, a number of comments are given. First, the definition of effective peak acceleration is based on the use of a broad-band response spectral shape, which when anchored to the EPA gives the median spectral acceleration in the 2 to 10 Hz frequency range. For Zion and Indian Point, the median spectral shape in Reference 3 was used. As a result, the definition of EPA is strongly dependent on these factors, and would presumably change if a different broad-band spectrum was used, or a different frequency range were considered. Estimates of EPA are therefore relative to these factors. If a magnitude-dependent spectral shape was used, the estimate of an EPA would be different. This is discussed later in this section.

In support of Equation 2, SMA reported the results of a study where the response spectra for twelve earthquakes were compared to WASH 1255 broad-band response spectra anchored to an EPA (as defined in Equation 1). Although the visual comparisons in Reference 4 appear convincing, statistical analyses were not conducted to empirically define an appropriate EPA relationship. There is an implied modeling uncertainty in this approach, since a more realistic approach could have been used to determine a quantitative definition of effective peak acceleration. In comparing actual earthquake response spectra to broad-band spectra scaled by an EPA, the mean plus one standard deviation WASH 1255 amplification spectrum was used in Reference 4. It would have been more appropriate, in our opinion, to have used the median-centered amplification spectrum. As a result, there is some doubt in our minds as to the appropriateness of Equation 1 to estimate an EPA, and thus there may be a bias in the 1.25 factor. The arguments given are less convincing without the benefit of a statistical analysis to support their conclusions.

From Reference 4 we note that the estimate of effective peak acceleration is explicitly defined for frequencies less than 8 Hz, while the Zion and Indian Point studies assume an applicable range of 2 to 10 Hz. This appears to be inconsistent.

Following the Zion and Indian Point studies, the Limerick Severe Accident Risk Assessment (Limerick SARA) was published (5). In this study, the results of recent research work were used to revise the seismic risk model. Ground motion intensity was expressed in terms of effective peak acceleration and a broad-band response spectrum. However, in performing the seismic risk calculations, the seismic hazard curves were shifted to convert from peak ground acceleration to $A_D = A_{3F}$. Thus, an adjustment identical to that in the ZPSS and IPPSS was made, suggesting the F factor in Equation 2 was again taken as 1.25. However, in the Limerick SARA an earthquake duration factor of 1.4 was incorporated in the fragility analysis to account for the less damaging effects of small magnitude earthquakes.
The earthquake duration factor has the effect of increasing structure capacities when the size of the expected earthquakes is small, as opposed to decreasing the hazard by the 1/F factor given in Equation 2. It was concluded in our review, with concurrence by SMA, that the F factor in Equation 2 and the earthquake duration factor included in the fragility analysis accounted for the same phenomena, and therefore only one factor should be used. On this basis we concluded that for the methodology used in the Limerick SARA, the earthquake ground motion hazard is more appropriately characterized by the EPA as defined by Equation 1, keeping in mind that the factor on $A_{3F}$ is still a function of earthquake magnitude.

In summary, the F factor previously used to shift the accelerations in the seismic hazard analysis was incorporated in the seismic fragility analysis for Limerick as an earthquake duration factor. When the earthquakes that contribute to risk are small, the duration factor serves to increase the capacity of structures, because of the less damaging effects of smaller, shorter duration earthquakes. The median value of this factor as used by SMA was 1.40, based on work reported in Reference 6. This represented an increase from the previous value of 1.25 used in ZPSS and IPPSS. In our review of the Limerick study we generally agreed with this approach, but felt the factor of 1.40 may be too high. Overall, the Limerick SARA study represented an improvement in the seismic risk analysis. Detailed comments on this method are provided in Reference 7.

The next effort to establish a realistic ground motion characterization and seismic fragility model was performed for the Millstone 3 PSS. This approach is summarized below. Based on the work reported in Reference 6, a procedure somewhat different from that used in previous PRAs was developed. In terms of the seismic hazard, peak ground acceleration was used to characterize the intensity of ground motion. In addition, a magnitude-dependent response spectrum shape, developed by Lawrence Livermore National Laboratory (LLNL), was used, rather than the WASH 1255 broad-band spectrum.
A response spectrum shape corresponding to earthquakes with magnitudes 5.3 to 6.3 was selected, which according to the Millstone 3 PSS seismic hazard analysis was the range of earthquake magnitudes that contributed to accelerations around 0.17g, the SSE level.

As discussed above in regards to the ZPSS and IPPSS, the characterization of effective peak ground acceleration was defined relative to the frequency range of interest, a WASH 1255 broad-band spectrum, and earthquake magnitude. In the case of Millstone 3, rather than using a broad-band spectrum, a magnitude-dependent spectrum was selected. As a result, the definition of effective peak acceleration used in ZPSS and IPPSS no longer applies. Instead, the effective peak acceleration for a median-centered, magnitude-dependent response spectrum is the instrumental peak acceleration. To understand this, recall that in the case where a broad-band spectrum is used, if large earthquakes are dominant contributors to risk, then the EPA used to scale the spectrum shape is equivalent to the IPA. This will be the case since the response spectra of large magnitude events are also broad-banded. The same analogy can be made when a magnitude-dependent spectrum is used. In this case then, peak ground acceleration was the appropriate parameter to characterize strong ground motion for the Millstone 3 seismic analysis.

In previous PRAs the effect on seismic capacity of earthquake magnitude and duration was accounted for by shifting the seismic hazard curve (e.g., ZPSS and IPPSS) or increasing the seismic capacity relative to an EPA value (e.g., Limerick SARA). Based on recent research, larger magnitude earthquakes that have longer durations and thus produce many cycles of structure response, will exhibit less ductility at failure than smaller events with short durations, and lower levels of ground shaking intensity. In Reference 6, the available or effective ductility in single-degree-of-freedom (SDOF) systems subjected to earthquake ground shaking was calculated. Comments concerning using SDOF models to predict the nonlinear response of multi-degree-of-freedom (MDOF) structures are given in Section 4.1.3.5. The results of Reference 6 provided the basis to estimate an Inelastic Energy Absorption factor of safety, based on an effective ductility and the Riddell-Newmark formula.
The effective ductility, $\mu^*$, is estimated to account for the influence of earthquake magnitude and duration. In this approach, the following formulation was used,

$$\mu^* = 1.0 + C_D(\mu - 1.0) \tag{3}$$

where the factor $C_D$ is a function of earthquake magnitude and $\mu$ is the structure ductility ratio. For earthquakes in the magnitude range 4.5 to 6.0, $C_D$ was given as 1.4, suggesting the effective ductility is higher for small magnitude events. For large earthquakes, $C_D$ was given as 0.70, which produces lower effective ductility. Since the magnitude range 5.3 to 6.3 was assumed to make the greatest contribution to risk at the Millstone 3 site, a $C_D$ value of 1.3 was assumed. This value was subjectively selected to reflect the slightly higher magnitudes that are expected.

Overall, the approach used in the Millstone 3 PSS represented an improvement over past PRAs. However, a major concern raised in the review of the Millstone 3 PSS (9) was the observation that, depending on the natural frequency of a structure, $C_D$ will vary at low frequencies, from a value greater than 1.0, implying greater effective ductility, to less than 1, or less effective ductility, for higher frequency structures. This observation was independent of both magnitude and ductility ratio. Intuitively, this appears reasonable since we expect a structural system to respond in an oscillatory manner, consistent with its natural frequency, in an earthquake. With some stiffness degradation there may be a shift in the natural frequency of a structure. Nonetheless, it is reasonable to expect that high frequency structures and components will experience many more cycles of response than structures with lower natural frequencies for the same amplitude and duration of ground motion input. Consequently, lower effective ductilities for higher frequency structures are anticipated. This can have a significant impact on the estimate of the effective ductility. It should be noted that the total impact of this observation is dependent on earthquake magnitude and the ductility ratio.
To illustrate this relationship, it was estimated that for structures with natural frequencies of 2.14 Hz and ductilities of 1.85 and 4.27, $C_D$ should be greater than 1.0 for large magnitude earthquakes, as opposed to 0.70 as suggested by SMA.

As a general concern, only 10 earthquake records were used to estimate the $C_D$ values in Reference 6. This is a relatively small sample set to effectively estimate the magnitude/duration and frequency dependence of $C_D$.

In our review of Millstone 3 PSS (9), it was concluded that anchoring a magnitude-specific response spectrum to the IPA is appropriate. In addition, the use of an effective ductility was also considered an appropriate concept; however, in addition to depending on magnitude it is also frequency dependent.

Seabrook Station Probabilistic Safety Assessment

In characterizing the potential for earthquake ground shaking expected at the Seabrook site to damage safety-related structures and components, an approach similar to that used in the Limerick SARA was followed in the SSPSA. The intensity of ground shaking was expressed in terms of peak ground acceleration and a site-specific response spectrum was used. To account for the potential of earthquakes of the size expected to occur at Seabrook, an earthquake duration factor was incorporated in the fragility analysis (SSPSA, Appendix F.2, p. F.2-27) to increase the capacity of ductile structures. We utilize the similarity of this approach to the one used in the LGS-SARA in order to summarize our comments.

In our review of the LGS-SARA (7), two major criticisms of the ground motion characterization model were expressed. The first dealt with the belief, and eventual concurrence by SMA, that there was a double counting of the influence of the size of earthquakes expected to dominate the hazard at a site. This error involved a shift of the hazard curves from peak ground acceleration to an effective peak acceleration and the incorporation of an earthquake duration factor in the fragility analysis. In the SSPSA, the hazard curves are defined in terms of peak ground acceleration, which in our opinion is appropriate.

The second concern raised in the LGS-SARA and other reviews deals with the estimate of the earthquake duration factor itself. These concerns also apply directly to the SSPSA. As a point of reference, it is our understanding the SSPSA was completed prior to the Millstone 3 PSS.
This bears some relevance to this review in that the Millstone 3 study utilized a slightly different approach to the problem of hazard/fragility interface, and probably more closely represents the current thinking of SMA, the authors of both studies. Nonetheless, the basic objective in the SSPSA was the same, as was the data used to estimate the relevant factors in each study.

An important initial assumption made in the analysis is that earthquakes in the magnitude range from 5.3 to 6.3 dominate the frequency of occurrence of ground accelerations experienced at the site. Based on the preliminary review in Section 4.1.3, it is estimated that accelerations in the range 0.40g to 0.70g dominate the mean frequency of core-melt calculation. If this is in fact the case, it is our judgment that the assumption that events in the range 5.3 < M ≤ 6.3 are the dominant contributors to the hazard is appropriate. If the range of significant accelerations should change, this assumption should be re-examined.

Based on our review of the SSPSA and previous PRAs, we summarize below our findings with respect to the hazard/fragility interface. The supporting basis for these conclusions is based on the background provided previously in this section and in the complete reviews of the seismic PRAs cited.

  • In the context of the SSPSA hazard/fragility interface approach, it is appropriate to use PGA as a ground motion parameter to scale a site-specific response spectrum.

  • Based on our review of the LGS-SARA (9), we feel the parameters of the duration factor require revision. We concluded in Reference 9 that the median duration factor may be over-estimated and the uncertainty under-estimated.

  • Of greater concern is the dependence of the duration factor on the response frequency of ductile, safety-related structures. Our analysis of the data in Reference 6 indicates a strong dependence of the median duration factor on structure frequency.

  • The data used to evaluate the duration factor is quite limited in view of the complexity of the problem and the variability in the results. This fact alone makes it difficult to assign low modeling uncertainty to this factor.

In our opinion, the methodology used in the SSPSA to describe the hazard/fragility interface does not capture the damageability aspect of ground motion input to structures. In principle, the Millstone PSS is a more realistic approach, although it suffers from the same limitations cited here for the SSPSA. Rather than use a generic (in a frequency sense) duration factor, it is more appropriate to determine a frequency specific value, either by use of the data reported directly in Reference 6, or by interpolation. Additional comments concerning the duration factor and its use for MDOF structures and equipment are given in Section 4.1.3.

4.1.2.3 Response Spectrum Shape

In the SSPSA a magnitude-dependent response spectrum shape was used to characterize the intensity of ground motion. This is a change from other PRAs where a broad-band spectral shape has been used. When using a magnitude-dependent response spectrum the definition of effective peak acceleration changes as a more realistic shape is considered.

Based on the assumption that the earthquakes in the magnitude range M5.3 to M6.3 are the dominant contributors to seismic hazard at the Seabrook site, a magnitude-dependent response spectrum shape was used in the SSPSA. We agree with the assumption that events of this size (5.3 < M ≤ 6.3) are the dominant contributors to the site hazard. This is conditional, however, on the conclusion reached in Section 4.1.3 that peak ground accelerations in the range 0.40g to 0.70g are the dominant contributors to risk. If this acceleration range were to change (i.e., if higher accelerations were found to dominate risk), then assumptions on the size of earthquakes that dominate the hazard should be re-examined.

The site-specific response spectrum shape used in the SSPSA was developed by LLNL and reported in Reference 10. The spectrum shape was developed for rock sites, based on an analysis of recorded strong motion records. In general, we agree with the approach of using a site-specific spectrum based on local soil characteristics and the magnitude of earthquakes that are expected to occur.

In addition to the spectrum shape used in the SSPSA, LLNL conducted a seismic hazard analysis for the Seabrook site (11). In their study, LLNL made estimates of site response spectra using two methods. In the first approach, the results of the Systematic Evaluation Program (SEP) were used to predict probabilistic response spectra with 1000- and 4000-year return periods. In the second analysis, recorded response spectra from past earthquakes were compiled and a distribution on actual spectral ordinates (as opposed to normalized) was developed. Figure 4.1.2-1 presents a comparison of these results.

Based on the comparison in Figure 4.1.2-1, we observe that the SSPSA spectrum, scaled to 0.25g, is in general agreement with the SEP 1000-year spectrum at frequencies higher than about 4-5 Hz. The largest variation appears to be about 20 percent, with the SSPSA predicting lower spectral accelerations. It is interesting to note that the median spectrum derived from real earthquake records is considerably below the SSPSA spectrum anchored to 0.25g. In general, the shape of the "real" spectrum is consistent with that of the SSPSA spectrum.

An additional comparison between the SSPSA spectrum shape and the SEP results can be made by scaling the SSPSA spectrum shape to the acceleration that has a median frequency of occurrence of $10^{-3}$ (or 1000-year return period). This acceleration is approximately 0.095g, or a factor of 2.6 below the SEP acceleration at the same return period. This margin between the two studies is considered of greater significance than the small differences in response spectra shown in Figure 4.1.2-1. The differences between the SSPSA and SEP study were discussed in Section 4.1.1.

In conclusion, we agree with the site-specific spectrum used in the SSPSA. The assumption that magnitude 5.3-6.3 events dominate the frequency of ground motion is consistent with our understanding of the range of accelerations that contribute to risk. If this range should change (i.e., 0.40g to 0.70g), then the assumption on magnitude should be re-examined. Additional comments concerning the uncertainty in the response spectrum factor used in the fragility analysis are given in Section 4.1.3.2.

REFERENCES

1. Pickard, Lowe, and Garrick, "Zion Probabilistic Safety Study," Prepared for Consolidated Edison, Co., not dated.

2. Pickard, Lowe, and Garrick, "Indian Point Probabilistic Safety Study," Prepared for Consolidated Edison Company of New York, Inc., and Power Authority of the State of New York, Copyright 1982.

3. Newmark, N. M., "A Study of Vertical and Horizontal Earthquake Spectra," WASH 1255, Nathan M. Newmark Consulting Engineering Services, Prepared for U.S. Atomic Energy Commission, April 1973.

4. Kennedy, R. P., W. P. Tong, S. A. Short, "Earthquake Design Ground Acceleration Versus Instrumental Peak Ground Acceleration," Prepared for Nathan M. Newmark Consulting Engineering Services, Structural Mechanics Associates Report No. SMA 12501.01R, December 1980.

5. NUS Corporation, "Limerick Generating Station - Severe Accident Risk Assessment," Prepared for Philadelphia Electric Company, 1983.

6. Kennedy, R. P., et al., "Engineering Characterization of Ground Motion Effects of Characteristics of Free-Field Motion on Structural Response," SMA 12702.01, Prepared for Woodward-Clyde Consultants, 1983.

7. Azarm, M. Z., et al., "A Review of the Limerick Generating Station Severe Accident Risk Assessment; Review of Core-Melt Frequency," Engineering and Risk Assessment Division, Department of Nuclear Energy, Brookhaven National Laboratory, Prepared for U.S. Nuclear Regulatory Commission, NUREG/CR-3493, BNL-NUREG-51711, 1984.

8. Northeast Utilities Service Company, "Millstone Unit 3 Probabilistic Safety Study," August 1983.

9. Reed, J. W. and M. W. McCann, Jr., "Review of the Revised Millstone Unit 3 Probabilistic Safety Study Seismic Fragility," JBA Report 105-045, Jack R. Benjamin and Associates, Inc., May 1984.

10. Bernreuter, D. L., "Seismic Hazard Analysis, Application of Methodology, Results, and Sensitivity Studies," Vol. 4, Lawrence Livermore National Laboratory, Prepared for the U.S. Nuclear Regulatory Commission, NUREG/CR-1582, October 1981.

11. Bernreuter, D. L., "Seismic Hazard Analysis of the Seabrook Site," prepared for the U.S. Nuclear Regulatory Commission, not dated.

[Figure: response spectra plot; curves labelled "SEP, 4000 yr", "SEP, 1000 yr", "SSPSA" and "LLNL, Real Spectra"]
                                                                                                                                                 . , ,a . .-
                                                                                                                                                                  ., . .s.             . . . 3 , . ._ . . _g. <_. .,

u.

                                                                                           +i                         .
                                                                                                                                                                                            - s                    /, , . . .,           .
        =            .
                                  . :.:. \., ? .i _* . _-{g ._... . , /                                                                             _         a <.3.....              ..        .          .n ._ : . . _.
o. .
                                                  ./. :. '<-
                                                              . ..\-
                                                                                  ,>4
                                                                                                                         . /:,. .
                                                                                                                                                                                                      ./- N.                                   .

a o' s j.. t p: i

a. -._s._s__................w..
..r_. . . . m

_....._ .... ,._/..~... . .. _ .

                                                                                                                                                                                                                              ..:...g
                                                                                                                                                                                                                                     .x .
                                                                                                                                                                                                                                                       .p s*
                          ._.m..                                     m..m.                               . _ _                         i..                 ..: . h.
                                                                                                                                                         .m....._.A_...u...,,.

y; m-  ; ;;r.'

                                                                        ., ,.. . . Q. . .                                                                                         - -N . . . . _ . . y. ..:.

q e.:i.. . _. , .T. . .%._ . . . . . ,. . ., _7

                          .' 6.- ... _ _
                    . s. c. , ,,.N.
                                                                   ,/..
                                                                                                        . .,. s.. . _A                              .. . s. . . . . . ..
                                                                                                                                                                 ,, i
                                                                                                                                                                                                                       /. ,:. , .              .
                            .s        .
                                                           ..        .           4 . .,
                                                                                                           ... ...N., /.. .4.,.... . .. , ... .. . .,/. . . s.. . .
                               ~ .                                                .

A . . . . .. . . . .

                                                                    .                       s,
                                                                                                                                       ,4 , .
                                                                                                                                                         .         ..i s y^, . >. . . . -                                                                     _ .                     ...
                                                                                                                 ~j                       .

t . .

                                                                                                                                                                                                                            .\

0 01 o ei ei ie io. PEnlOD=SEC Figure 4.1.2-1 Comparison of the SSPSA Response Spectrum Shape Anchored to 0.25g, to the SEP 1000 and 4000 Year Return Period Spectra, and the Median of the Real Earthquake Spectra ( Reported in Reference 11. 4.1-50

4.1.3 Seismic Fragility Assessment

4.1.3.1 Introduction

A preliminary review of the seismic fragility data for structures and equipment used in the SSPSA was conducted. Appendix F.2 of the SSPSA presents the report prepared by the structural consultant, which documents the fragility analysis (1). Section 9.2 in the main part of the SSPSA discusses the seismic hazard, fragility, and systems analysis. Table 9.2-3 in that section lists the key equipment with median acceleration capacities less than 2.0g. This table is repeated as Table 4.1.3-1 in this report for reference.

Calculations which support the fragility values given in Reference 1 were obtained from the applicant. However, because of limited time to perform the review, a detailed check of the calculations for key contributors was not performed. This review task has been performed in past seismic PRA reviews and is helpful in evaluating the engineering bases for the fragility values used in the PRA.

In addition, this is the first seismic PRA that has been reviewed in which fault trees and/or Boolean equations for system failures have not been available. Except by reconstructing the event and fault trees from scratch, it is virtually impossible to determine which components are the dominant contributors to core melt and risk; and further, it is also impossible to determine the relative contributions of the key contributors. Thus, we had no basis for focusing the review other than the list of key components given in Table 4.1.3-1. For the purposes of the preliminary review, we have concentrated our effort toward evaluating the capacities of the lower strength components in this table. Based on experience in past seismic PRA reviews, it is unlikely that the capacities of structures and components outside this list would, on close scrutiny, have revised values as low as the lowest capacity equipment listed in Table 4.1.3-1.
It is somewhat surprising that the mean frequency of core melt reported in the SSPSA (i.e., 2.89-5 per year) is so high. Seabrook is a newer plant which has been designed using the current USNRC licensing requirements. This concern was on our minds throughout the review. The reasons for the high mean core melt frequency are discussed in this report.

One perspective which justifies our concern can be appreciated using Table 4.1.3-2, where the mean seismic hazard data from the SSPSA are given. It can be shown, assuming the seismic failures of the structures and components are independent, that the mean frequency of core melt can be directly found by integrating the mean hazard curve with the mean systems fragility curve. By examining the mean hazard data (i.e., Table 4.1.3-2) and knowing the mean frequency of core melt (i.e., 2.89-5 per year), the core melt peak ground acceleration capacity value (i.e., a central value such as the median of the mean core-melt fragility curve) can be directly inferred. Note that the mean core-melt fragility curve is produced by a probabilistic combination of the individual component fragility curves through the logic of the event and fault trees which lead to core melt.

The value of 2.89-5 per year (which is the core-melt mean frequency value) corresponds to a peak ground acceleration value between 0.50g and 0.60g, as seen in Table 4.1.3-2. Hence, it is likely that the core melt central capacity value lies between 0.50g and 0.70g. Because of variability in the fragility curve, the acceleration range of 0.40g to 0.70g is where the major contribution to core melt is likely to occur. The central capacity range is on the low side compared to other PRAs. For example, the Indian Point Unit 3 PRA had a mean frequency of core melt equal to 3.1-6 per year with a central capacity value of 0.8g (2).

Because the system fault trees or Boolean equations are not available, sensitivity analyses, where different fragility values are investigated, could not be performed. Hence the review focused primarily on the key components listed in Table 4.1.3-1, and it was assumed that this table contains the dominant contributors.
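The inference described above can be carried through numerically. The following is an added worked example, not part of the reviewed report or the SSPSA: it integrates the Table 4.1.3-2 hazard data against a single lognormal fragility curve and solves for the median capacity that reproduces 2.89-5 per year (read as 2.89e-5). The lognormal curve shape, the composite logarithmic standard deviation of 0.40, the log-log interpolation of the table, and treating failure as certain above 1.0g are assumptions of the example.

```python
import math
from statistics import NormalDist

STD = NormalDist()

# Mean seismic hazard data from Table 4.1.3-2: (peak ground acceleration in g,
# frequency of exceedance per year). "1.3-3" in the table is read as 1.3e-3.
HAZARD = [(0.10, 1.3e-3), (0.20, 3.1e-4), (0.30, 1.3e-4), (0.40, 6.1e-5),
          (0.50, 3.2e-5), (0.60, 1.7e-5), (0.70, 1.0e-5), (0.80, 6.0e-6),
          (0.90, 3.5e-6), (1.00, 2.3e-6)]
A_MIN, A_MAX = HAZARD[0][0], HAZARD[-1][0]


def exceedance(a):
    """Annual frequency of exceeding acceleration a (g).

    Assumption: log-log interpolation between the tabulated points.
    """
    if a < A_MIN - 1e-9 or a > A_MAX + 1e-9:
        raise ValueError("acceleration outside the tabulated hazard range")
    a = min(max(a, A_MIN), A_MAX)  # absorb floating-point overshoot only
    for (a0, h0), (a1, h1) in zip(HAZARD, HAZARD[1:]):
        if a <= a1:
            t = math.log(a / a0) / math.log(a1 / a0)
            return math.exp(math.log(h0) + t * (math.log(h1) - math.log(h0)))
    return HAZARD[-1][1]


def bisect_decreasing(func, target, lo, hi, iters=50):
    """Solve func(x) == target for a function that decreases on [lo, hi]."""
    if not func(hi) <= target <= func(lo):
        raise ValueError("target is not bracketed by the search interval")
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if func(mid) > target:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def pga_at_frequency(target):
    """Acceleration whose exceedance frequency equals target (no variability)."""
    return bisect_decreasing(exceedance, target, A_MIN, A_MAX)


def fragility(a, median, beta):
    """Lognormal conditional failure fraction at acceleration a (assumed shape)."""
    return STD.cdf(math.log(a / median) / beta)


def failure_frequency(median, beta, steps=2000):
    """Integrate fragility against the hazard curve over the tabulated range.

    Assumptions: contributions below 0.10g are neglected, and every event
    above 1.00g is counted as a failure.
    """
    da = (A_MAX - A_MIN) / steps
    total = 0.0
    h_left = exceedance(A_MIN)
    for i in range(steps):
        a_right = A_MIN + (i + 1) * da
        h_right = exceedance(a_right)
        # frequency of events in this acceleration bin times failure fraction
        total += fragility(a_right - 0.5 * da, median, beta) * (h_left - h_right)
        h_left = h_right
    return total + exceedance(A_MAX)


def median_for_frequency(target, beta):
    """Median capacity that yields the target annual failure frequency."""
    return bisect_decreasing(lambda m: failure_frequency(m, beta),
                             target, A_MIN, A_MAX)


if __name__ == "__main__":
    target = 2.89e-5  # mean core melt frequency quoted from the SSPSA
    print("pga with exceedance 2.89e-5: %.3f g" % pga_at_frequency(target))
    print("median capacity, beta 0.40:  %.3f g" % median_for_frequency(target, 0.40))
```

With no variability the capacity is simply the acceleration whose exceedance frequency equals the target; adding variability pushes the inferred median upward because the hazard curve falls steeply with acceleration.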
The following tasks were performed in the review:

- Review of fragility report (1)
- Inspection of Seabrook plant
- Comparison to other PRA results
- Review of selected fragility calculations.

The first two tasks were more global in content compared to the last two tasks. The fragility report describes the general methodology and assumptions used in the analysis and gives example calculations. During the plant inspection, as much of the plant as possible was walked down. In both these tasks, all safety-related structures and components were considered, not just those listed in Table 4.1.3-1.

In the third task, where the results of the SSPSA were compared to other PRAs, the emphasis was placed on the key components. The purpose of this task was to provide another perspective which shows that the calculated capacities of the equipment at Seabrook are relatively low compared to other plants.

Finally, in the last task we looked at the fragility calculations to provide an explanation why the capacities of the key components are so low. Because of limited time available to perform this task, only a quick review of the calculations could be performed.

The following subsections correspond to the four tasks listed above. The last subsection provides conclusions and recommendations based on the review of the SSPSA and experience gained from reviews of other seismic PRA fragility analyses.

Table 4.1.3-1
Seabrook Key Equipment For Seismic Analysis
(Same as SSPSA Table 9.2-3)

Symbol  Structure/Equipment                        Median Acceleration Capacity
  1     Reserve Auxiliary Transformers             0.30         0.25    0.62
  2     Unit Auxiliary Transformers                0.30         0.25    0.62
  3     Switchyard                                 0.40         0.25    0.54
  4     Switchgear                                 0.41/1.52*   0.32    0.31/0.48
  5     Motor-Driven Emergency Feed Pumps          0.66         0.40    0.56
  6     Steam-Driven Emergency Feed Pump           0.66         0.40    0.56
  7     Spray Additive Tank                        0.75         0.40    0.32
  8     120V AC Instrument Buses                   0.75         0.42    0.36
  9     480V Motor Control Centers                 0.78/>2*     0.36    0.61
 10     480V Transformers, Buses                   0.79/>2*     0.37    0.72
 11     RWST                                       0.86         0.40    0.33
 12     PCC Heat Exchangers                        0.99         0.37    0.49
 13     Diesel Fuel Oil Day Tanks                  1.03         0.39    0.48
 14     RHR Pumps                                  1.07         0.34    0.65
 15     Safety Injection Pumps                     1.07         0.34    0.65
 16     Charging Pumps                             1.07         0.34    0.65
 17     Control Room Evaporator Units
        (diesel generator building)                1.18         0.16    0.50
 18     Reactor Internals                          1.50         0.38    0.44
 19     Diesel Generators                          1.51         0.36    0.35
 20     Steam Generators                           1.71         0.36    0.39
 21     Service Water Cooling Tower Fans           1.71         0.41    0.39
 22     Reactor Coolant Pumps                      1.74         0.35    0.32
 23     Reactor Building Crane                     1.75         0.25    0.55
 24     MSIVs                                      1.86         0.41    0.41

* Fragility shown is for recoverable chatter and trip, respectively. Structural failure is significantly greater.

Table 4.1.3-2
Mean Seismic Hazard Data

Peak Ground Acceleration (g)    Frequency of Exceedance (per year)
          0.10                            1.3-3
          0.20                            3.1-4
          0.30                            1.3-4
          0.40                            6.1-5
          0.50                            3.2-5
          0.60                            1.7-5
          0.70                            1.0-5
          0.80                            6.0-6
          0.90                            3.5-6
          1.00                            2.3-6

4.1.3.2 Characteristics of the Fragility Analysis for Seabrook

The Seabrook facility is a modern nuclear power plant which has been designed for the current USNRC licensing requirements. The structural design was conducted based on post 1973-era seismic requirements which reflect the current criteria for resisting earthquakes (e.g., USNRC Regulatory Guide 1.60 and 1.61, SRSS combinations of three earthquake components, floor spectra broadening, modal combinations including consideration of closely-spaced modes, etc.). The plant was designed for a 0.25g SSE peak ground acceleration value. The equipment also was designed for a simultaneous occurrence of a loss of coolant accident and the SSE. It is unlikely (i.e., very small probability) that these two events will occur at the same time; hence there is extra capacity to resist seismic loads.

The structures at Seabrook are founded on rock or at some locations on fill concrete. All safety-related equipment is contained within seismic Category I structures. The containment, which has 3.5 to 4.5 foot thick walls, is surrounded by an enclosure structure which is 15 inches thick at the thinnest point. There is approximately a 5-foot gap between the containment and the enclosure. No block walls are located in any Category I structure.

The fragility analysis for Seabrook is similar to other seismic PRAs conducted for Zion, Indian Point, Millstone 3, and Limerick. The methodology used in the SSPSA for seismic effects is appropriate and adequate to obtain a rational measure of the probability distribution of the frequency of core melt. The procedures used to quantify seismic risk are based on simple probabilistic models which use some data, but currently rely heavily on engineering judgment.

The documentation of the basis for the fragility values does not carefully distinguish between the categories of information which were used. The use of subjective or data-based information (either analysis or testing) should be specifically noted to inform the reader. In addition, sensitivity analyses should be performed to indicate the robustness of the assumptions. As discussed in this report, we are concerned that the capacities of the key equipment are on the conservative side.

Structural fragility data in the SSPSA are presented in the form of fragility curves which plot the fraction of failures versus effective peak ground acceleration. In the SSPSA, Seismic Category I structures are considered to fail functionally when inelastic deformations of the structures under seismic load are sufficient to potentially interfere with the operability of safety-related equipment attached to the structures. Thus, the conditional probabilities of failure for a given free field ground acceleration for structures correspond to operability limits and do not represent a structural collapse. In contrast, equipment can fail either due to a structural failure or an operational failure.

The approach used to develop fragility curves (failure fraction as a function of peak ground acceleration) for structures was to first determine the median factor of safety against failure and its statistical variability for the safe shutdown earthquake (SSE). Then the median ground acceleration causing failure was obtained by multiplying the SSE acceleration level by this factor.

The overall safety factor was determined by evaluating the safety factors for a number of parameters, which fell into two categories: structural capacity and structural response. Parameters influencing the factor of safety on structural capacity include the strength of the structure compared to the design stress level and the inelastic energy absorption capacity (ductility) of a structure to resist load beyond yield. In the SSPSA, an additional parameter, earthquake duration factor, is also included in computing the median factor of safety on structural capacity.

Structural response for a given ground acceleration is made up of many factors.
The most significant of these include: (1) ground motion and the associated ground response spectra for a given free field peak ground acceleration, (2) energy dissipation (damping), (3) structural modeling (which includes frequency and mode shape), (4) method of analysis, (5) combination of dynamic response modes, and (6) combination of earthquake components. The derivation of each factor of safety considered variability (i.e., randomness and uncertainty). In each case, a median safety factor was assigned along with two variability parameters. When combining the median safety factors of contributing parameters, their variabilities were also combined to define the fragility curve. From the overall median safety factor, the median peak ground acceleration associated with failure is determined as discussed above.
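The factor-of-safety procedure described above can be sketched as follows. This is an added example, not code or data from the SSPSA or the fragility report: the three factor values are constructed, and the example assumes the usual lognormal model in which median factors multiply, the randomness and uncertainty logarithmic standard deviations (called beta_r and beta_u here) each combine by square root of the sum of squares, and uncertainty shifts the curve's median at a chosen confidence level. Only the 0.25g SSE value comes from the page.

```python
import math
from statistics import NormalDist

STD = NormalDist()
SSE_PGA = 0.25  # g, SSE peak ground acceleration stated for Seabrook

# Constructed factors of safety: name -> (median, beta_r, beta_u).
FACTORS = {
    "strength": (2.0, 0.10, 0.12),
    "inelastic energy absorption": (1.5, 0.20, 0.16),
    "structural response": (1.2, 0.20, 0.15),
}


def fragility_parameters(factors, sse=SSE_PGA):
    """Median ground acceleration capacity and combined beta_r, beta_u.

    Assumes the factors are independent lognormal variables, so medians
    multiply and logarithmic standard deviations add in quadrature.
    """
    overall = math.prod(m for m, _, _ in factors.values())
    beta_r = math.sqrt(sum(r * r for _, r, _ in factors.values()))
    beta_u = math.sqrt(sum(u * u for _, _, u in factors.values()))
    return sse * overall, beta_r, beta_u


def failure_fraction(a, median, beta_r, beta_u, confidence):
    """Failure fraction at acceleration a on the curve that is not exceeded
    with the given confidence (0.5 gives the median curve)."""
    shift = beta_u * STD.inv_cdf(confidence)
    return STD.cdf((math.log(a / median) + shift) / beta_r)


def mean_failure_fraction(a, median, beta_r, beta_u):
    """Mean fragility curve: randomness and uncertainty merged into one
    composite logarithmic standard deviation."""
    return STD.cdf(math.log(a / median) / math.hypot(beta_r, beta_u))


def capacity(p, median, beta_r, beta_u, confidence):
    """Acceleration at which the curve for `confidence` reaches fraction p."""
    return median * math.exp(beta_r * STD.inv_cdf(p)
                             - beta_u * STD.inv_cdf(confidence))


if __name__ == "__main__":
    am, br, bu = fragility_parameters(FACTORS)
    print("median capacity %.2f g, beta_r %.2f, beta_u %.2f" % (am, br, bu))
    for q in (0.05, 0.50, 0.95):
        print("confidence %.2f: 50%% failure at %.3f g"
              % (q, capacity(0.5, am, br, bu, q)))
```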


The entire fragility curve for any structure can be expressed in terms of a best estimate of the median ground acceleration capacity and two random variables, one representing the inherent randomness of the event (β_R) and the other corresponding to uncertainty associated with predicting response to an event (β_U). β_R by definition is irreducible. For example, it is not possible, at least in the foreseeable future, to predict the exact time-history of an earthquake event at a given site, assuming that the occurrence of the event can be predicted. β_U, in a sense, represents a measure of our lack of knowledge to mathematically model a structure for predicting responses to a seismic event. As our knowledge advances, this uncertainty can hopefully be reduced.

The procedures for determining the fragility parameters for equipment are similar. In addition to the capacity and response parameters developed for the equipment, the structure response parameters (i.e., soil-structure interaction, response spectra, modeling, and damping) for the supporting building must also be included.

In the fragility analysis the primary sources of information include:

- Final Safety Analysis Report (FSAR)
- Plant-specific design reports
- Plant-specific test reports
- Generic fragility test data
- Seismic analysis requirements
- Stress acceptance (i.e., Code) requirements

The level of effort expended for the seismic fragility analysis is estimated to be approximately one to two man years. The PRA analysis is generally based on the original calculations performed for the plant design. The conservatisms in the seismic design were systematically factored out, which increases the SSE capacity to a median failure capacity level. It is stated in the fragility report (1) that the original calculations were not checked for accuracy or consistency. Also, the original analyses, which were based on elastic analysis, were extrapolated to the failure condition. No nonlinear dynamic analyses were performed for any of the equipment or structures.

The analysis approach relies heavily on the experience of the seismic PRA engineer and demands a great deal of judgment. As a minimum, the consistency of the original calculations which are used in the seismic PRA should be verified (e.g., do the floor response spectra reflect the most current, but more importantly, the most realistic plant conditions?). In addition, calculations for dominant contributions, which are used in the fragility analyses, should be checked carefully, particularly for cases where field inspection cannot be used to verify the adequacy of the controlling failure mode.

It is implied in Reference 1 (see bottom of page F.2-117) that the analysis process was iterative, in that components which contribute significantly to the final results were reevaluated in more detail to reduce uncertainty. Other than this one statement, no indication was found in the fragility report or supporting calculations to suggest that this was actually done. We consider the iterative process to be extremely important.

A procedure for establishing a lower bound cutoff on the structure and equipment fragility curves is given in the fragility report.
Although we agree that such a bound exists for most components, there is nothing suggested as a quantitative basis for establishing a cutoff. The procedure given in Reference 1 places the lower-bound cutoff approximately two to three standard deviations below the median. It is not clear from other parts of the SSPSA that the cutoffs defined in Reference 1 were actually used when the fragility curves were integrated with the hazard curves. As discussed in Section 4.1.3.1, the acceleration range which contributes to the mean frequency of core melt is well contained within the body of the hazard curves. For this reason it is unlikely that the lower-bound cutoffs, if actually used, significantly affected the results.

Note that the lower-bound cutoffs can affect the results when the family of system core melt fragility curves occurs at high acceleration values relative to the hazard curves. For cases where several components in series dominate the frequency of failure, the sum of the lower density function tails is important for relatively strong components which dominate. Here the presence or absence (i.e., truncation) of tails will significantly affect the results. However, for the Seabrook SSPSA, it appears that truncation is not important.

Design and construction errors are not generally considered in the seismic SSPSA. However, it is stated (see SSPSA, page F.2-23) that a possibility exists that unidentified errors may exist which can affect the seismic capacity. Potential errors could occur anywhere. For example, errors may be present in the original design calculations or in the construction of the plant (i.e., the plant was not built according to the intent of the designer). In addition, errors may exist in the fragility calculations themselves in the form of misinterpretation of the assumptions concerning what was actually done (note that the original design calculations which form the basis of the fragility analyses were not checked).
For newer plants like Seabrook, it is our intuitive belief that the "true" seismic risk is not controlled by the failure modes we identify and evaluate, but by the frequency of failure conditions due to undiscovered errors. However, our guess is that the frequency of significant errors is very small. If errors could be found then they would be evaluated and the results folded into the analysis. If the risk is found to be unacceptable, then the error would be fixed. For example, the potential problem of impact between the Unit 1 and Unit 2 control room roofs discovered in the Indian Point PRA was subsequently fixed since its frequency of core melt (i.e., 1.4-4 per year) is obviously too high. From one viewpoint, this situation represents a form of "error" which was uncovered many years after the plant was completed, during the PRA analysis.

We believe that until design and construction errors are systematically addressed in the seismic PRA analysis, we must view the numerical results cautiously. At best they should be considered in a relative rather than an absolute sense.

Fragility values are given in Reference 1 for relay chatter. A median value of 0.41g is given for the relay chatter capacity of the switchgear. This is the lowest relay chatter capacity that has been reported to date in any PRA submitted to the USNRC for review. From the calculation file it was learned that the switchgear median capacity estimate is based on fragility test data for Seabrook. Evidently an entire switchgear cabinet was tested and unacceptable chatter occurred. Subsequently, each component was individually qualified. The median capacity value of 0.41g is based on this test data.

The relay chatter capacities were not used in the systems analysis since it was assumed that relay chatter, subsequent breaker trip, or other change of electrical state is 100 percent recoverable. Based on results of sensitivity analysis conducted during the review of the GESSAR II seismic PRA (to be published), if relay chatter is assumed to be unrecoverable the frequency of core melt increases by a factor of 5 to 10. Similar results would be expected for the SSPSA if relay chatter is not recoverable.
This is the first seismic PRA where a duration factor, to reflect the diminished damage characteristics of low magnitude earthquakes, was used in the equipment analysis (note it was used first for structures in the Limerick PRA). We concur that the concept of a duration factor is as appropriate for equipment as for structures; however, our comments given in Section 4.1.2 also apply to equipment.

It is stated in Reference 1 that it is assumed in the fragility analysis that the earthquakes which contribute to the frequency of core melt are between M5.3 and M6.3. This assumption primarily affects the value of the duration factor. As discussed in Section 4.1.1 and elsewhere, this appears to be a reasonable assumption.

We noted that damping values in the structures corresponding to failure of the equipment were consistently evaluated. Because the structures have high capacities, the failure of the equipment will correspond to acceleration levels at which the structures are essentially elastic and not above the yield level. Thus, the median damping values in the structures should correspond to generally uncracked response. The difference in the median capacities for equipment at Seabrook for the case of low and high damping values is a factor of approximately 1.2, which is moderately significant. Concern about this issue has been expressed in previous PRA reviews, and we believe it is realistic to include this refinement in the fragility analysis (2, 3, 4).

One area in which we disagree concerns the assumption of a generic logarithmic standard deviation for the modelling factor for equipment. The following values were assumed in the fragility analysis:

                                      β_U
Simple single-frequency systems      0.10
Medium complex systems               0.15
Complex systems                      0.20

This uncertainty reflects the change in response caused by the variability of the natural frequencies (primarily the fundamental frequency) due to assumptions concerning the complexity of the mathematical model, boundary conditions, and material properties. The logarithmic standard deviation for uncertainty is for response due to the uncertainty in the frequency and is very much dependent on the change in the floor response spectral ordinates (at the median damping value) due to changes in equipment frequency. The generic values used in the fragility analysis may not be appropriate for cases where the equipment fundamental frequency is near a steep resonant peak. For this situation, a slight shift in frequency can cause a drastic change in the elastic response. This description is somewhat overly simplified since at failure the shift in the frequency due to nonlinear behavior of the equipment will complicate the shift in response. We believe that in the fragility analysis for each component, the logarithmic standard deviation should be calculated explicitly.

No indication was found that failure of connecting pipes between buildings due to sliding of the buildings was considered. This failure mode was investigated in the Millstone 3 PRA where median capacities between 1.29 and 1.6g were calculated (9). Millstone 3, like Seabrook, is also located on a rock site. The cooling tower at Seabrook has backfill on the west side. It is possible that this structure could slide in that direction. In addition, the foundation of the tank farm, which houses the RWST and spray additive tank, also could slide. The other structures appear to be securely restrained by rock, although this conclusion was not systematically confirmed for all buildings. If sliding is considered, it is likely that some building median capacities will be less than the current lowest capacity of 2.1g; however, it is doubtful that the median capacities based on a sliding failure mode would be less than 1.0g. Hence it is unlikely that this failure mode, if evaluated, would significantly affect the results of the SSPSA.

We noted in the summary table of equipment fragility values given in Reference 1 (i.e., Table 5-12) that the fragility values for piping are for individual sections of piping between anchor points.
Also, the fragility values for cable trays and ductings are for sections of these systems within a particular room. Implied in the notes given at the bottom of this table is the suggestion that a system may be composed of several sections which are independent. We find nowhere in other parts of the SSPSA report any indication that this issue was considered further.

If it can be shown that a system (i.e., piping, cables, or ducting) is composed of n independent sections, then the frequency of failure for that system will increase by a factor of approximately n. It should be verified that this issue is not a significant problem. This concern has also been addressed in past PRA reviews (2, 3, 4).

We noted in the SSPSA that an uncertainty logarithmic standard deviation value is given for the spectral shape factor. In past PRAs this parameter has been assumed to be zero. It is assumed in the SSPSA that $\beta_u$ is equal to one-third $\beta_r$; however, no basis for this relationship is given. Based on site-specific spectra and generic spectral shapes, this relationship appears to be on the low side.

Finally, median fragility capacity values for equipment are reported only where the capacities are equal to or less than 2.0g pga. Where calculated values exceed 2.0g pga the median capacity is reported as greater than 2.0g. We agree that this is a reasonable practice since any capacity greater than 2.0g is somewhat speculative since no direct experience for earthquakes in this range exists.

4.1.3.3 Plant Inspection

An inspection of the Seabrook Station was conducted on August 29 and 30, 1984. The purpose of the visit to the site was to become familiar with the plant structures and equipment, to perform a walkdown of the plant, and to gain understanding of the plant operations which could affect the structural fragility analysis. Both Drs. Reed and McCann of JBA participated in the inspection related to the review of the fragility analysis. Mr. Robert Tucker of Yankee Atomic was the principal representative of the plant who led the tour and answered structural and equipment-related questions. Each of the structures and components listed in Table 4.1.3-1 was inspected. In addition, other potentially critical components, based on experience in past PRAs and plant walkdowns, were also looked at. The following observations are made based on the plant inspection.

The cooling tower was constructed to provide an alternate source of service water in the event of an earthquake which fails the intake tunnel to the service water pump house. It was learned during the plant tour that only five percent of the cross-sectional area of the tunnel is needed for safety-related functions. Based on past earthquake experience of tunnels in rock, it is unlikely that 100 percent of the cross-sectional area would be lost in the event of an earthquake with a 2.0g peak ground acceleration (pga) or less. Hence, from a probabilistic viewpoint, the cooling tower and service water intake tunnel represent parallel sources of service water.

The controlling capacity of the cooling tower given in Reference 1 is the cooling tower fan blades (median capacity equal to 1.71g). The cooling tower structure itself has a capacity greater than 2.0g. The brick fill in the tower was inspected during the walkdown. It is similar to hollow reinforcing block in shape and probably does not have a high seismic capacity. It is particularly vulnerable to high level earthquakes of long duration. Although the capacity likely exceeds the SSE level, the brick fill is a brittle system which will degrade, crush, and subsequently restrict the spaces through which the cooling water passes. It is doubtful that the capacity of the brick fill is equal to the minimum cooling tower capacity of 1.71g. No analysis of this element was found in the structural calculation or in Reference 1. However, it is unlikely that a low capacity for the brick fill will significantly affect the frequency of core melt since there are two sources of service water.

The refueling water storage tank and the spray additive tank are contained in the tank farm, which is a box-like structure which encloses the tanks. Based on information obtained during the plant tour, the roof is apparently constructed of concrete plank on structural steel. No capacity analysis of this structure is discussed in Reference 1; however, structure response factors used in the equipment analysis are provided. This structure should be analyzed since its capacity may be less than the capacities of the RWST and the spray additive tank.

It is stated in Reference 1 that no non-Category I structures could fail and affect Category I structures or equipment. Based on the tour of the plant, it is clear that the Turbine Building, if it collapsed, could fall and impact the control building, the emergency feedwater pump building, or the condensate storage tank (CST). The wall and roof slabs of the two buildings are at least two feet thick. The top of the CST is not protected. However, similar to the situation for tornado missiles, failure of the CST roof is not a critical event. The side of the CST is protected by a two-foot thick concrete wall. The worst situation would occur if the turbine building crane is parked at the east wall of the building. If it failed with the turbine building it possibly could cause significant damage to one or more of the three structures mentioned above. Either the operating procedures should require that the crane be parked away from the east end or an analysis should be conducted to verify that failure of the crane and turbine building will not cause significant damage to the three safety-related structures.

The ceiling above the control room was inspected. It consists of typical fiberboard panels found in other plants. Evidently these panels are going to be replaced with even lighter Owens-Corning Textured Insulation panels. If either type of panel fell during an earthquake, it is unlikely that it would cause damage or injure an operator. However, it might be psychologically distracting. The control room ceilings at Indian Point were problems discovered during the review of the PRA performed for Units 2 and 3 (2). The heavy asbestos panels above the ceilings in the Indian Point control rooms are not present at Seabrook. It is concluded that the control room ceiling at Seabrook is not a seismic problem.

Anchorage of electrical equipment has been a problem in the past. Switchgear, motor control centers, and other electrical cabinets were inspected. The cabinets which were observed were securely welded to channels embedded in the floor slabs. The connections all looked adequate. The battery racks were also inspected. They look extremely rugged and were securely bolted to the structure.

The service water pump shaft at the Zion plant was the weakest component in the seismic PRA (3). The pump shafts, both in the service water pump house and in the cooling tower at Seabrook, are laterally supported at several points along the suction shafts and at their ends.

No block walls were found in any Category I structures which were toured. All added fire walls are constructed of metal studs with sheetrock surfaces. This lightweight construction does not pose any seismic hazard.

The diesel oil tank, which is located in the lower level of the diesel building, was inspected. It is a rugged tank that is well anchored. No mention of this tank was found in the fragility report (1) or in the supporting calculations. The fragility of this component does not appear to be important, although for completeness, fragility parameter values should be developed.

The general impression of the plant was that it was well constructed. Except for the items discussed above, the safety-related structures all appeared to have high seismic capacity. Relative to other plants, the equipment and piping appear to be well supported.

4.1.3.4 Fragility Comparison With Other PRAs

As discussed in the introduction (Section 4.1.3.1), it is somewhat surprising that the mean frequency of core melt (i.e., 2.89-5 per year) is so high considering that Seabrook is a new plant designed based on current USNRC licensing requirements. The basis for this comment can be seen from two comparisons with fragility values from other PRAs.

In the first comparison, dominant contributors from the Limerick and Millstone 3 PRAs are compared with the list of key components listed in SSPSA Table 9.2-3, which is repeated in this report in Table 4.1.3-1. The capacities of the first 14 key Seabrook equipment are given in Table 4.1.3-3. In addition to median, $\beta_r$, $\beta_u$ and $\beta_c$ values, two additional columns of information are provided. The column labeled "95-5" gives the 95 percent probability of not exceeding a 5 percent frequency of failure. This value is obtained from the following equation.

$$\text{"95-5"} = A\,e^{-1.65(\beta_r + \beta_u)} \qquad (1)$$

The calculation is similar to the standard classical statistical measure of a "95 percent confidence of not exceeding a 5 percent probability of occurrence." This measure is arbitrary (i.e., a "99-1" or "90-10" could have been used). However, it is a standard measure which has an intuitive feel of being safe. This measure has been quoted for other PRA analyses (5) and thus provides a consistent basis for making a quick comparison.

The last column in Table 4.1.3-3 is the ratio of the "95-5" values to the SSE value (i.e., 0.25g). Note that except for two values, all other ratios are 1.0 or less.

Tables 4.1.3-4 and 4.1.3-5 give similar sets of values for the dominant contributors from the Millstone 3 and Limerick PRA fragility data (5). Also given are the ratios of the "95-5" values to the SSE (i.e., 0.17g for Millstone 3 and 0.15g for Limerick). Both these plants are new and were also designed using current USNRC licensing requirements. Note that in both tables all ratios of the "95-5" to SSE value equal or exceed 1.7 and most ratios exceed a value of 2.0. Note also that on the average the combined logarithmic standard deviation values for Seabrook are 30 to 40 percent larger than similar values for Millstone and Limerick.

By comparing the results from Seabrook with the corresponding results from Millstone 3 and Limerick, it is clear that if the Seabrook fragility values are to be believed, the Seabrook plant is relatively weaker (i.e., compared to the SSE design value). This is also consistent with the high mean frequency of core melt calculated in the SSPSA (i.e., 2.89-5 per year). In addition, if the fragility values for Seabrook are believed, the relatively low ratios of "95-5" to SSE in the range of 0.5 to 1.0 do not provide absolute comfort that the plant will resist an earthquake with a peak ground acceleration of 0.25g (i.e., the SSE value).
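The "95-5" measure of Equation 1 and the ratio comparison above can be reproduced from the tabulated medians and logarithmic standard deviations. The following Python sketch is an added example, not part of the SSPSA or of this review: it takes A in Equation 1 to be the median capacity, assumes the usual double-lognormal fragility model (which goes beyond Equation 1 itself) to cross-check the result, and uses rows copied from Tables 4.1.3-3 to 4.1.3-5; all function names are illustrative.

```python
import math
from statistics import NormalDist

STD_NORMAL = NormalDist()
K_95 = 1.65  # rounded 95th-percentile standard normal variate, as used in Equation 1

# (plant, item, median g, beta_r, beta_u, tabulated beta_c, tabulated "95-5" g)
# Rows copied from Tables 4.1.3-3, 4.1.3-4 and 4.1.3-5 of this review.
ROWS = [
    ("Seabrook", "Switchgear (chatter)", 0.41, 0.32, 0.31, 0.45, 0.14),
    ("Seabrook", "Emergency feed pumps", 0.66, 0.40, 0.56, 0.69, 0.14),
    ("Seabrook", "RHR pumps", 1.07, 0.34, 0.65, 0.73, 0.21),
    ("Seabrook", "Control room evaporator units", 1.18, 0.16, 0.50, 0.52, 0.40),
    ("Millstone 3", "Refueling water storage tank", 0.88, 0.30, 0.36, 0.47, 0.30),
    ("Millstone 3", "Control building diaphragm", 1.00, 0.24, 0.33, 0.41, 0.39),
    ("Limerick", "Reactor internals", 0.67, 0.28, 0.32, 0.43, 0.25),
    ("Limerick", "Standby liquid control tank", 1.33, 0.27, 0.19, 0.33, 0.62),
]
SSE_G = {"Seabrook": 0.25, "Millstone 3": 0.17, "Limerick": 0.15}


def combined_beta(beta_r, beta_u):
    """Composite logarithmic standard deviation (third beta column of the tables)."""
    return math.hypot(beta_r, beta_u)


def ninety_five_five(median, beta_r, beta_u, k=K_95):
    """Equation 1: pga with 95 percent probability of not exceeding 5 percent failure frequency."""
    return median * math.exp(-k * (beta_r + beta_u))


def failure_frequency(pga, median, beta_r, beta_u, confidence):
    """Failure frequency at `pga` on the fragility curve not exceeded with
    probability `confidence` (assumed double-lognormal model)."""
    shift = beta_u * STD_NORMAL.inv_cdf(confidence)
    return STD_NORMAL.cdf((math.log(pga / median) + shift) / beta_r)


def mean_failure_frequency(pga, median, beta_r, beta_u):
    """Failure frequency at `pga` on the composite (mean) fragility curve."""
    return STD_NORMAL.cdf(math.log(pga / median) / combined_beta(beta_r, beta_u))


def review(rows=ROWS):
    """Recompute beta_c, "95-5" and 95-5/SSE per row and report gaps to the tabulated values."""
    results = []
    for plant, item, median, b_r, b_u, b_c_tab, cap_tab in rows:
        cap = ninety_five_five(median, b_r, b_u)
        b_c = combined_beta(b_r, b_u)
        results.append({
            "plant": plant,
            "item": item,
            "beta_c": b_c,
            "cap": cap,
            "ratio": cap / SSE_G[plant],
            "beta_c_gap": abs(b_c - b_c_tab),
            "cap_gap": abs(cap - cap_tab),
            # Should be close to 0.05 if Equation 1 matches the assumed model.
            "freq_on_95_curve": failure_frequency(cap, median, b_r, b_u, 0.95),
            "mean_freq_at_sse": mean_failure_frequency(SSE_G[plant], median, b_r, b_u),
        })
    return results


if __name__ == "__main__":
    for r in review():
        print(f'{r["plant"]:<12} {r["item"]:<32} 95-5={r["cap"]:.2f}g '
              f'ratio={r["ratio"]:.1f} mean P(fail|SSE)={r["mean_freq_at_sse"]:.4f}')
```

The `ratio` field is computed from the unrounded "95-5" value, so it can differ in the last digit from a tabulated ratio that was formed from the rounded value.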

A second comparison is given in Table 4.1.3-6 where fragility parameter values for four key equipment items from the SSPSA are compared with corresponding values from four other pressurized water reactors (PWRs). The four components were selected from the upper part of Table 4.1.3-3 (i.e., lower capacity values). They were also selected in order to have reasonable confidence that the corresponding components from the other PRAs are the same. Hopefully, these components are significant contributors to the frequency of core melt. However, because we do not have Boolean equations for the seismic sequences, we are only speculating.

As seen in Table 4.1.3-6, the median capacities for Seabrook equipment are generally significantly less than the corresponding values from the other plants which are listed. In addition, except for the $\beta_u$ value for the instrument buses, the logarithmic standard deviation values for Seabrook are all larger than values from the other plants. From Equation 1, it is clear why lower median capacities, coupled with larger logarithmic standard deviations, lead to small "95-5" values compared to other plants, including older facilities (i.e., Zion and Indian Point).

The capacities of the key components in the seismic SSPSA appear to be generally relatively low. We disagree with the impression given by the following statement made in the Seabrook fragility report (Ref. 1, p. F.2-159):

"The majority of the equipment within the Seabrook plant which are seismically qualified have relatively high ground acceleration capacities."

Although we did not systematically look at all the equipment for which fragility values were developed, the lower capacity key equipment do not have relatively high ground acceleration capacities. It is likely that these components are the ones that dominate the results.

4.1.3.5 Fragility Calculations

The median capacities of structures at Seabrook are all greater than 2.0g; thus, no structures were included in the list of key components (see Table 4.3.1-1). In development of the structural capacities, a ductility factor of 2.21 and a duration factor of 1.4 were assumed except for the service water pump house and condensate storage tank. For the pump house, a lower ductility factor was used (i.e., $F_\mu$ = 1.62) because the first natural frequency is high (i.e., f = 17.5 Hz). In the case of the tank, which is required to remain leak tight, ductility and duration factors of 1.0 were used to reflect an assumed elastic functional capacity.

Note that the ductility factor of 2.21 is used in most of the structure's capacity analyses based on the single-degree-of-freedom (SDOF) Riddell/Newmark model (6) with an assumed story drift ductility value of 3.5 and 10 percent critical damping. The duration factor of 1.4 is discussed in Section 4.1.2.

Since the structures at Seabrook are generally multi-degree-of-freedom (MDOF) structures, the ductility factor is not the same as given by a SDOF model. This concern has been raised several times in past PRA reviews (2, 3, 4). A recent study has been conducted to investigate the nonlinear response characteristics of MDOF structures subjected to real and artificial earthquake time histories (7). Both small magnitude (i.e., Parkfield and Melendy Ranch) and larger magnitude (i.e., El Centro 1979 and artificial) events were used in the analysis. It is stated in this study that if the ductility demand is nearly constant up the height of the structure, then the use of SDOF models to predict the ductility factor for MDOF structures is appropriate. On the other hand, if the demand is highly nonuniform (i.e., it is concentrated essentially at one level, while the rest of the structure remains elastic), then a SDOF model may unconservatively predict the ductility factor.

For the case of a MDOF structure supported by a rock foundation, if the nonlinear response is concentrated, then a ductility factor of 1.6 corresponding to a maximum story drift ductility of 3.5 is appropriate. Even if a story-drift ductility of 5 is allowed, the ductility factor is only 1.8. This is in contrast to the ductility factor of 2.21 which is used for most of the structures.

We also are concerned about the use of the duration factor of 1.4. As discussed in Section 4.1.2, this factor is a function of both earthquake magnitude and structure frequency. In addition, it is a function of the relationship of the fundamental frequency to the frequency of the peak of the ground response spectrum. In Reference 7, it can be seen that for the Melendy Ranch record, the frequency of the structure investigated is below the frequency of the spectral peak; hence as the structure softened, the input decreased. In contrast, the frequency of the structure investigated is above the frequency of the Parkfield record spectral peak; hence as the structure softened, the frequency fell into the peak of the response spectrum and the input increased. In conclusion, the combined ductility/duration factor for the Melendy Ranch record is much higher than the factor for the Parkfield record corresponding to a given allowable story-drift ductility value.

Table 4.1.3-7 summarizes the fragility information for the Seabrook structures. A quick review of calculations suggests that the nonlinear response is generally concentrated rather than distributed. No evidence is found to indicate that the ductility demand was calculated throughout the height of the structure. Instead, the analysis focused on the areas where the failure was most likely to occur. At most, the combined ductility/duration factor of 3.1 (i.e., 2.21 times 1.4) would be reduced to 1.6 to 1.8. For the case of the auxiliary building and service water cooling tower, the median capacities could reduce to 1.3g and 1.1g, respectively.
Both these reduced capacities are relatively high (i.e., compared to key equipment - see Table 4.1.3-1), thus it is unlikely that this change, if found to be appropriate, would significantly affect the frequency of core melt calculated and reported in the SSPSA.

As discussed in Section 4.1.3.4, the capacities of the key Seabrook components appear to be low relative to components from other modern plants and also appear to be on the low side for PWR plants in general. The motor-driven and turbine-driven emergency feed pumps median capacities of 0.66g appear to be particularly low. In reviewing the supporting calculations, an error of 10 percent was apparently found during the analysis and corrected, but was not changed in the fragility report. Based on the corrected calculations, the median capacity should be 0.73g, not 0.66g.

The strength factor of 1.86 used for these pumps was based on a total shaft deflection of 0.0042 inches due to the SSE with an allowable value of 0.005 inches. Two assumptions were made in the fragility calculations. It was assumed that one-half of the stresses are due to seismic and the other half are due to normal loads (i.e., impeller thrust, dead weight, and driver torque). Also, it was assumed that failure of the shaft will occur at a deflection 20 percent larger than the allowable design value of 0.005 inches. No basis for either of these assumptions is given. Based on the various values and assumptions, the strength factor, $F_s$, was obtained as follows:

$$F_s = \frac{1.2\,(0.005) - 0.5\,(0.0042)}{0.5\,(0.0042)} = 1.86$$

As an example, if failure occurs instead at a displacement 40 percent larger than the allowable value and if only 40 percent of the stresses are seismic, then the strength factor would be 2.67, which would increase the median capacity to 1.05g (a 43 percent increase). It appears that the strength factor calculation is sensitive to the assumptions. In addition, the earthquake forces oscillate back and forth, which means that the stresses on the shaft seal are intermittent and less likely to fail the seal as compared to the case where the displacement is applied statically. These thoughts are somewhat speculative and slanted to the optimistic side.

However, compared to past PRAs (see Table 4.1.3-6) and to generic capacities for horizontal pumps from the Seismic Margins Research Program (SSMRP) which give median spectral capacities of 2g to 3g (8), it is somewhat surprising that the Seabrook emergency feed pump capacities are so low. Note that the emergency feed pumps are rigid and are located essentially at ground level; hence, there should not be much dynamic amplification. If the Seabrook emergency feed pump capacity turns out to be realistic then there may be problems with the capacities for the same pumps at other plants. Note that for the Zion and Indian Point PRAs a generic capacity was used, while for the Millstone 3 PRA the capacity was based on an impeller impact capacity from plant specific analysis data (see Table 4.1.3-6 for capacities from these PRAs).

The calculations for the RHR pumps at Seabrook were also quickly reviewed. The capacity factor corresponding to an anchor bolt failure mode was based on the assumption that the reported stresses correspond to 70 percent of the SSE allowable. No benefit was taken for the fact that a portion of the stresses may be due to normal SSE operating loads. Also, it is likely that the actual bolt stress due to the SSE is much less than 70 percent of the allowable design values. The SSMRP generic median capacity value for this class of pump is 2g to 3g (8). The RHR pump at Seabrook is a rigid component and is located in the equipment vault 40 feet below the ground level; hence very little dynamic amplification will occur. The median peak ground capacity of 1.07g for this pump should be closer to the generic capacity. Note that the capacity for the RHR pump in the Zion and Indian Point PRAs is based on an impeller deflection failure mode while in the Millstone 3 PRA nozzle flange stresses controlled the capacity (see Table 4.1.3-6 for RHR capacities from these PRAs).

The calculations for the component cooling water heat exchanger also did not consider the effect of normal operating loads, which may increase the capacity. There also is an indication that in reality A325 bolts may have been used instead of A307 bolts as assumed in the fragility analysis. If this were true, the capacity factor would approximately double. Note that for the Zion PRA, support stresses controlled the capacity, while in the Indian Point PRA a shell buckling failure mode dominated.
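The sensitivity of the emergency feed pump strength factor to its two unsupported assumptions, discussed above, can be tabulated directly. The following Python sketch is an added example, not a calculation from the SSPSA or from this review: it generalizes the strength factor expression to an arbitrary failure-deflection multiplier and seismic stress fraction, and assumes that the median capacity scales linearly with the strength factor from the corrected 0.73g value while the logarithmic standard deviations of Table 4.1.3-3 stay unchanged; all function names are illustrative.

```python
import math

ALLOWABLE_IN = 0.005        # allowable design shaft deflection, inches (from the text)
SSE_TOTAL_IN = 0.0042       # total shaft deflection under the SSE, inches (from the text)
CORRECTED_MEDIAN_G = 0.73   # median capacity after the 10 percent correction
BETA_R, BETA_U = 0.40, 0.56  # emergency feed pump values in Table 4.1.3-3
SSE_G = 0.25
K_95 = 1.65                 # constant of Equation 1


def strength_factor(failure_multiplier, seismic_fraction,
                    allowable=ALLOWABLE_IN, sse_total=SSE_TOTAL_IN):
    """Ratio of the deflection margin left for the earthquake to the SSE seismic deflection.

    failure_multiplier: failure deflection divided by the allowable deflection.
    seismic_fraction:   share of the SSE-case deflection that is seismic; the rest is
                        attributed to normal loads.
    """
    if not 0.0 < seismic_fraction <= 1.0:
        raise ValueError("seismic_fraction must be in (0, 1]")
    if failure_multiplier <= 0.0:
        raise ValueError("failure_multiplier must be positive")
    normal = (1.0 - seismic_fraction) * sse_total
    seismic = seismic_fraction * sse_total
    margin = failure_multiplier * allowable - normal
    if margin <= 0.0:
        raise ValueError("normal-load deflection alone reaches the failure deflection")
    return margin / seismic


BASE_FS = strength_factor(1.2, 0.5)  # the report's assumptions, about 1.86


def median_capacity(fs, base_fs=BASE_FS, base_median=CORRECTED_MEDIAN_G):
    """Median capacity for strength factor `fs` (assumption: all other factors unchanged)."""
    return base_median * fs / base_fs


def ninety_five_five(median, beta_r=BETA_R, beta_u=BETA_U):
    """Equation 1 applied to the emergency feed pumps."""
    return median * math.exp(-K_95 * (beta_r + beta_u))


def required_strength_factor(target_ratio=1.0):
    """Strength factor at which 95-5/SSE reaches `target_ratio`."""
    needed_median = target_ratio * SSE_G / math.exp(-K_95 * (BETA_R + BETA_U))
    return BASE_FS * needed_median / CORRECTED_MEDIAN_G


def sensitivity(multipliers=(1.0, 1.2, 1.4, 1.6), fractions=(0.3, 0.4, 0.5, 0.6, 0.7)):
    """Map (multiplier, seismic fraction) -> (F_s, median g, 95-5 g, 95-5/SSE)."""
    grid = {}
    for m in multipliers:
        for s in fractions:
            fs = strength_factor(m, s)
            median = median_capacity(fs)
            cap = ninety_five_five(median)
            grid[(m, s)] = (fs, median, cap, cap / SSE_G)
    return grid


if __name__ == "__main__":
    for (m, s), (fs, median, cap, ratio) in sorted(sensitivity().items()):
        print(f"failure at {m:.1f} x allowable, {s:.0%} seismic: "
              f"Fs={fs:.2f} median={median:.2f}g 95-5={cap:.2f}g ratio={ratio:.2f}")
    print(f"Fs needed for 95-5 = SSE: {required_strength_factor():.2f}")
```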

We noted for the switchyard capacity that a median value of 0.40g is used. According to the calculations, this value was assumed based on engineering judgment. For the reserve and unit auxiliary transformers, the median capacity of 0.30g is based on a sliding analysis failure mode using a coefficient of friction equal to 0.4. In past PRAs the capacity of outside electrical components were based on failure of ceramic insulators at a median capacity of 0.20g. This value is based on experience from past earthquakes where failure of ceramic insulators occurred for one-half the plants for accelerations greater than 0.20g. Although it is not likely that increasing the switchyard median capacity from 0.2g to 0.3g will significantly affect the frequency of core melt, we are curious whether new information is available to increase the switchyard and outside transformer capacities.

4.1.3.6 Conclusions and Recommendations

Based on a preliminary review of the results from the SSPSA, the mean frequency of core melt value of 2.89-5 per year appears to be high relative to the hazard curves used in the analysis (i.e., this impression is conditional on the hazard curves being correct. See Section 4.1.1 for comments on the hazard curves). Seabrook is a newer plant which has been designed to the current USNRC licensing requirements. A quick check suggests that the central capacity of the core melt fragility curve appears to be somewhere between 0.50g and 0.70g which seems on the low side.

When the capacities of the key components at Seabrook are compared to the dominant contributors to core melt from the Millstone 3 and Limerick PRAs, the Seabrook capacities again look low. The measure that is used is the ratio of the "95-5" value (i.e., the capacity corresponding to a 95 percent probability of less than a 5 percent frequency of failure) to the SSE value. Values for key equipment at Seabrook are generally less than 1 while values for Limerick and Millstone 3 are generally 2 or larger. Finally, comparing fragility parameter values between Seabrook and other PWRs (new and old), the capacity values of the equipment considered also look small for Seabrook.

In looking quickly at the calculations, there appear to be conservatisms in the median capacities for the key components which were reviewed. In addition, the logarithmic standard deviations are on the average 30 to 40 percent larger than similar values used in the Limerick and Millstone 3 PRAs. In past PRA reviews, we have commented on the fragility calculations concerning the median values and variabilities (2, 3, 4). In general, we believe that both the median values and the logarithmic standard deviations have been on the low side (note that these two effects tend to cancel each other out). What appears to have happened at Seabrook is that the logarithmic standard deviations have increased, which we feel is reasonable; however, the median values have decreased further, which does not appear to be reasonable.

In past PRA reviews, we have also encouraged plant-specific analyses for dominant contributors as opposed to capacities being based on generic data (2, 3, 4). Seabrook capacities generally are based on plant-specific data--much more so than for past seismic PRAs. However, in developing plant-specific capacities, conservative assumptions have been made which have produced conservative median values.

Our comments are somewhat speculative since the entire set of calculations has not been looked at and evaluated in detail. In addition, no alternate analyses have been performed to test the effect of different assumptions on the frequency of core melt. Finally, we are unable to perform sensitivity analyses since neither fault trees nor Boolean equations are available. We recommend that a more complete review of the fragility calculations be conducted to complete the review. In addition, Boolean equations for the plant sequences should be obtained and sensitivity analyses conducted to determine the impact of different fragility values.

Based on our preliminary review we believe that the capacities of the dominant contributors to core melt and risk (see Table 4.3.1-1) should be re-evaluated to determine whether the capacities are truly as low as indicated. We are optimistic that the capacities are larger. However, if the capacities are in reality as low as reported, then the capacities of identical components in other plants for which seismic PRAs have been performed should be reviewed to justify why their capacities should be larger.

As a matter of completeness, the tank farm building, diesel generators, and the cooling tower brick fill should be analyzed and fragility parameters developed for these components. In addition, it should be confirmed that the turbine building and traveling crane capacity is sufficiently high, or that failure of the turbine building and crane will not affect the CST, control building, or the emergency feedwater building.

The potential for secondary components failing, falling, and impacting primary safety-related components has not been systematically addressed since the plant is still under construction. At the completion of construction, secondary components should be reviewed and their capacities incorporated into the SSPSA if they are weaker than the primary components already considered.

Finally, the issue of the independence of failure of piping, cable, or ducting sections within a system should be considered by the applicant. There is information in the fragility report (1) which suggests that the failure of piping segments, ducting, or cable trays between rooms may be independent.

Table 4.1.3-3

Capacities of Seabrook PRA Key Equipment

| Structure / Equipment | Median | $\beta_r$ | $\beta_u$ | $\beta_c$ | 95-5 (note 1) | Ratio 95-5/SSE (note 2) |
|---|---|---|---|---|---|---|
| Switchgear: Chatter | 0.41g | 0.32 | 0.31 | 0.45 | 0.14g | 0.6 |
| Switchgear: Trip | 1.52g | 0.32 | 0.48 | 0.58 | 0.41g | 1.6 |
| Motor Driven Emergency Feed Pumps | 0.66g | 0.40 | 0.56 | 0.69 | 0.14g | 0.6 |
| Steam Driven Emergency Feed Pump | 0.66g | 0.40 | 0.56 | 0.69 | 0.14g | 0.6 |
| Spray Additive Tank | 0.75g | 0.40 | 0.32 | 0.51 | 0.23g | 0.9 |
| 120V AC Instrument Buses | 0.75g | 0.42 | 0.36 | 0.55 | 0.21g | 0.8 |
| 480V Motor Control Centers (Chatter) | 0.78g | 0.36 | 0.61 | 0.71 | 0.16g | 0.6 |
| 480V Transformers, Buses (Chatter) | 0.79g | 0.37 | 0.72 | 0.81 | 0.13g | 0.5 |
| Refueling Water Storage Tank | 0.86g | 0.40 | 0.33 | 0.52 | 0.26g | 1.0 |
| PCC Heat Exchanger | 0.99g | 0.37 | 0.49 | 0.61 | 0.24g | 1.0 |
| Diesel Fuel Oil Day Tank | 1.03g | 0.39 | 0.48 | 0.62 | 0.25g | 1.0 |
| RHR Pumps | 1.07g | 0.34 | 0.65 | 0.73 | 0.21g | 0.8 |
| Safety Injection Pumps | 1.07g | 0.34 | 0.65 | 0.73 | 0.21g | 0.8 |
| Changing Pumps | 1.07g | 0.34 | 0.65 | 0.73 | 0.21g | 0.8 |
| Control Room Evaporator Units | 1.18g | 0.16 | 0.50 | 0.52 | 0.40g | 1.6 |

1. 95 percent probability of not exceeding a 5 percent frequency of failure.
2. SSE is 0.25g.

Table 4.1.3-4

Capacities of Millstone 3 PRA Dominant Risk Contributors (5)

| Structure / Equipment | Median | $\beta_r$ | $\beta_u$ | $\beta_c$ | 95-5 (note 1) | Ratio 95-5/SSE (note 2) |
|---|---|---|---|---|---|---|
| Emergency Generator Enclosure Building Wall Footing | 0.88g | 0.20 | 0.46 | 0.50 | 0.30g | 1.8 |
| Refueling Water Storage Tank | 0.88g | 0.30 | 0.36 | 0.47 | 0.30g | 1.8 |
| Diesel Generator Oil Cooler | 0.91g | 0.24 | 0.43 | 0.49 | 0.30g | 1.8 |
| Reactor Vessel Core Geometry | 0.99g | 0.31 | 0.33 | 0.45 | 0.34g | 2.0 |
| Control Building Diaphragm | 1.00g | 0.24 | 0.33 | 0.41 | 0.39g | 2.3 |
| Control Rod Drive System | 1.00g | 0.30 | 0.38 | 0.48 | 0.33g | 1.9 |
| Service Water Pump House Sliding | 1.30g | 0.24 | 0.49 | 0.55 | 0.39g | 2.3 |
| Engineering Safeguard Features Building Shear Wall | 1.70g | 0.23 | 0.43 | 0.49 | 0.57g | 3.4 |
| Containment Crane Wall | 2.20g | 0.39 | 0.38 | 0.54 | 0.62g | 3.6 |

1. 95 percent probability of not exceeding a 5 percent frequency of failure.
2. SSE is 0.17g.

Table 4.1.3-5

Capacities of Limerick PRA Dominant Risk Contributors (5)

| Structure / Equipment | Median | $\beta_r$ | $\beta_u$ | $\beta_c$ | 95-5 (note 1) | Ratio 95-5/SSE (note 2) |
|---|---|---|---|---|---|---|
| Reactor Internals | 0.67g | 0.28 | 0.32 | 0.43 | 0.25 | 1.7 |
| Reactor Enclosure and Control Structure Shear Wall | 1.05g | 0.31 | 0.25 | 0.40 | 0.42g | 2.8 |
| Reactor Pressure Vessel | 1.25g | 0.28 | 0.22 | 0.36 | 0.55g | 3.7 |
| Standby Liquid Control Tank | 1.33g | 0.27 | 0.19 | 0.33 | 0.62g | 4.1 |
| Diesel Generator Heat and Vent | 1.55g | 0.28 | 0.43 | 0.49 | 0.48g | 3.2 |
| 4160 to 480V Transformer | 1.66g | 0.26 | 0.49 | 0.55 | 0.48g | 3.2 |

1. 95 percent probability of not exceeding a 5 percent frequency of failure.
2. SSE is 0.15g.

Table 4.1.3-6

Comparison of Equipment Fragility Parameters

| Equipment | Parameter | Seabrook | Zion | Indian Point 2 | Indian Point 3 | Millstone 3 |
|---|---|---|---|---|---|---|
| Emergency Feed Pumps (Steam and Motor Driven) | Median | 0.66g | 6.85g | 15.00g | 15.00g | 3.30g |
| | $\beta_r$ | 0.40 | 0.33 | 0.20 | 0.20 | 0.19 |
| | $\beta_u$ | 0.56 | 0.45 | 0.51 | 0.51 | 0.41 |
| 120V to 125V AC Instrument Buses | Median | 0.75g | 0.60g | >1.65g | >1.19g | >1.50g |
| | $\beta_r$ | 0.42 | 0.37 | 0.41 | 0.28 | - |
| | $\beta_u$ | 0.36 | 0.50 | 0.53 | 0.48 | - |
| RHR Pumps | Median | 1.07g | 4.22g | 1.70g | 1.70g | >2.50g |
| | $\beta_r$ | 0.34 | 0.21 | 0.15 | 0.15 | - |
| | $\beta_u$ | 0.65 | 0.30 | 0.34 | 0.34 | - |
| Component Cooling Water Heat Exchanger | Median | 0.99g | 8.32g | 5.43g | 6.13g | >1.50g |
| | $\beta_r$ | 0.37 | 0.22 | 0.19 | 0.20 | - |
| | $\beta_u$ | 0.49 | 0.38 | 0.29 | 0.30 | - |

Table 4.1.3-7

Summary of Structure Fragility Analysis

| Structure | Failure Mode | Ductility Factor | Median Capacity | Location of Failure |
|---|---|---|---|---|
| Reactor Containment | Wall Shear | 2.21* | 8.8g | -9.0 ft. (near base) |
| | Flexure | 2.21* | 7.6g | -9.0 ft. (near base) |
| Enclosure Building | Wall Shear | 2.21* | 8.2g | at base at openings |
| | Flexure | 2.21* | 10.4g | at base at openings |
| Primary Auxiliary Building | Wall Shear | 2.21* | 4.0 | South wall |
| | Flexure | 2.21* | 2.6g | North wall common with RHR Vault |
| Service Water Pump House | Wall Shear | 1.62** | 2.1g | North-South motion |
| Service Water Cooling Tower | Flexure | 2.21* | 2.4 | North and South walls out-of-plane |
| Control / Diesel Generator Building | Wall Shear | 2.21* | 5.2g | East wall |
| | Flexure | 2.21* | 3.0 | West wall |

* A duration factor of 1.4 is also assumed.
** No duration factor and a lower ductility value is assumed because the failure mode is defined as leakage.

REFERENCES

1. Wesley, D. A., et al., "Seismic Fragilities of Structures and Components at the Seabrook Generating Station, Units 1 and 2," Prepared for Pickard, Lowe, and Garrick, Inc., SMA 12911.01, September 1983.
2. Kolb, G. J., et al., "Review and Evaluation of the Indian Point Probabilistic Safety Study," Prepared for U.S. Nuclear Regulatory Commission, NUREG/CR-2934, December 1982.
3. Berry, D. L., et al., "Review and Evaluation of the Zion Probabilistic Safety Study," Prepared for U.S. Nuclear Regulatory Commission, NUREG/CR-3300, May 1984.
4. Azarm, M. Z., et al., "A Review of the Limerick Generating Station Severe Accident Risk Assessment; Review of Core-Melt Frequency," Engineering and Risk Assessment Division, Department of Nuclear Energy, Brookhaven National Laboratory, Prepared for U.S. Nuclear Regulatory Commission, NUREG/CR-3493, July 1984.
5. Kennedy, R. P., M. K. Ravindra, and R. H. Sues, "Dominant Contributors to Seismic Risk--an Appraisal," Presented at the EPRI/NRC Workshop on Nuclear Power Plant Re-evaluation for Earthquakes Larger than SSE, San Francisco, California, October 15-17, 1984.
6. Riddell, R., and N. M. Newmark, "Statistical Analysis of the Response of Nonlinear Systems Subjected to Earthquakes," Department of Civil Engineering, Report UILU 79-2016, Urbana, Illinois, August 1979.
7. Kennedy, R. P., R. H. Kincaid, and S. A. Short, "Engineering Characterization of Ground Motion - Task II - Effects of Ground Motion Characteristics on Structural Response Considering a Typical PWR Reactor Building with Localized Nonlinearities and Soil-Structure Interaction Effects," prepared for Woodward-Clyde Consultants, draft, June 1984.
8. Cover, L. E., et al., "Handbook of Nuclear Power Plant Seismic Fragilities - Seismic Safety Margins Research Program," Prepared for U.S. Nuclear Regulatory Commission, NUREG/CR-3558, draft, December 1983.
9. Wesley, D. A., et al., "Seismic Fragilities of Structures and Components at the Millstone 3 Nuclear Power Station," prepared for Northeast Utilities, SMA 20601.01-R1-0, March 1984.

Appendix A

Consulting Report of Professor Alan Kafka

Review of the SSPSA Seismic Hazard Analysis

A Review of "Appendix F: Seismic Hazard at Seabrook Nuclear Station" by Dames and Moore, Inc.

DRAFT

October 9, 1984

Alan L. Kafka
Weston Observatory
Department of Geology and Geophysics
Boston College
Chestnut Hill, MA 02167

TABLE OF CONTENTS

1. Introduction
2. Evaluation of Overall Methodology
3. Seismogenic Zones
4. Maximum Magnitude
5. Rate of Seismic Activity
   5.1 Completeness and Accuracy of Historical Catalogue
   5.2 Long-term Rate of Seismic Activity
6. Richter b-Value
7. Conclusions

1. INTRODUCTION

Appendix F of the Seabrook Station Probabilistic Safety Assessment Report evaluates the seismic risk at Seabrook Nuclear Station. Although the study described in Appendix F uses a probabilistic approach, many of the assumptions and hypotheses used in the hazard analysis depend on deterministic models of the cause of earthquakes in the eastern United States. For example, the configuration of seismogenic zones in the northeastern United States depends on deterministic models of earthquake processes in the interior of the North American plate. Also, the assumption that the rate of seismicity does not change depends on the deterministic assumption that earthquake processes occur in this region in such a manner that no change in the character of tectonic strain accumulation or release is expected. The maximum magnitude earthquake assumed for a given seismogenic zone is also dependent on aspects of deterministic models of earthquake processes in this region.

The purpose of this report is to review the methods and conclusions found in Appendix F with particular emphasis on the deterministic assumptions that are used in the study. The overall methodology described in Appendix F is evaluated, and specific comments are included on seismogenic zonation, maximum magnitudes, seismicity rates, and b-values.

2. EVALUATION OF OVERALL METHODOLOGY USED

The difficulty in assessing earthquake hazards at sites in the EUS results from the need to address two key issues:

(1) A realistic assessment must emphasize that there is no deterministic model that describes the cause of earthquakes in the EUS in general, or (certainly in most cases) at the site in particular.

(2) It is nevertheless incumbent upon seismologists and engineers to provide a practical guide for siting critical facilities that incorporates the present state of knowledge in the field.

How does the study described in Appendix F deal with these two issues? The probabilistic approach used in Appendix F provides practical results that elucidate the sensitivity of hazards assessments at the site to variations in seismogenic zonation and seismicity parameters. The study is lacking, however, in that it fails to emphasize that no theory has yet been developed that explains the cause of earthquakes in the EUS. For example, the report states that "the first step is to delineate zones of potential future earthquake occurrences, using seismicity, geology, and tectonic evidence." For most (if not all) parts of the EUS, however, studies of seismicity, geology, and "tectonic evidence" have failed to produce a model that describes the cause of earthquakes in this region. This is particularly true for the northeast United States where the site is located.

The results of the study are practical, only to the extent that they cover the entire range of possible scenarios for zonation and seismicity parameters. While it is impossible, at the present time, to decide whether a source zone is properly characterized in terms of the cause of earthquakes, it is important to ask if the source zones and seismicity parameters used cover the full range of possibilities.

The addition of Appendix B (Comparison of Seismic Hazard Results with Other Tectonic Models) to the main body of the report provides, at least indirectly, a more realistic picture of the present state of knowledge of earthquake processes in the EUS. As stated in Appendix B, the concern that large earthquakes may be possible along the entire eastern seaboard derives more from an understanding that such events cannot be ruled out at any location, than from a widely-accepted theory about their causative mechanism. The discussion in Appendix B of theories that allow large earthquakes (at least the size of the 1886 Charleston, SC event) to occur in the vicinity of Seabrook, NH is essential, but such possibilities could have been discussed more directly.

3. SEISMOGENIC ZONES

Section 3.0 of Appendix F describes the seismogenic zones used in the hazard analysis. In this section, a seismogenic zone is defined as "[a zone] within which earthquakes are considered to be of similar tectonic origin so that future seismic events can be modelled by a single function describing earthquake occurrences in time, space, and size." It is important to note that since the tectonic origin of all earthquakes along the entire eastern seaboard is at present unknown, all of the hypothesized seismogenic zones discussed in Appendix F are highly speculative. The authors of Appendix F do not mention this.

The recent study by Bernreuter et al. (1984) of Lawrence Livermore National Laboratories (LLNL) indicates that there are significant differences of opinion about what is an appropriate model for seismogenic zonation of the EUS. The zonation models given in Appendix F cover the essential features of the range of models given by experts polled for the LLNL study. With the addition of the models given in Appendix B, the models used represent almost any scenario that could be proposed for examining the effects of large earthquakes at the Seabrook site.

There are, however, two aspects of the zonation models given in Appendix F that I find problematic. First, the FSAR zones, the FSAR combined zones, and the Ossippee - Cape Ann zones include greater detail than the current state of knowledge warrants. Second, I would include a zone consisting of the entire EUS and southeastern Canada east of the Rocky Mountains.

The association of seismicity with such specific structures as mafic plutons or even the entire White Mountain zone, while interesting speculation, is speculation nonetheless. The total of the subjective weights that have been assigned to zonation models with this level of detail is 0.6 (i.e. FSAR - 0.20; combined FSAR - 0.10; Ossippee and Cape Ann plutons - 0.15; and White Mountain - 0.15). Given the highly speculative nature of such hypotheses, I would not include them as seismogenic zones. If they are to be included, then an upper limit of at most 0.2 for the sum of subjective weights is probably more appropriate. The most detailed seismogenic zone that I would include is the Northern Appalachian zone which, as stated in Appendix F, "represents the hypothesis that specific seismic structures in New England cannot be identified."

The zonation models and subjective weights that I would assign for the Seabrook site are as follows:

Northern Appalachian Zone    0.50
Charleston Zone 1            0.20
Charleston Zone 2            0.20
EUS-SEC                      0.10

EUS-SEC represents the entire EUS and southeastern Canada east of the Rocky Mountain front.

The EUS-SEC zone is included as a possibility because earthquakes generating intensities as great as III are known to have occurred in the eastern United States (New Madrid, MO 1811 and 1812). While "New Madrid type" earthquakes are not known to occur near Seabrook, NH, I am not yet convinced that such an event can be ruled out at the site. To quantify this uncertainty, I assign a probability of 0.10 to the credibility of the hypothesis that the entire EUS-SEC is one seismogenic zone.

There is one specific question that I have regarding the seismogenic zones given in Appendix F. What is the largest earthquake contained in the Boston-Ottawa seismogenic zone shown in Figure 8? The 1935 Timiskaming, Quebec earthquake, although reported as a rather low intensity (MM intensity VII), has been assigned an mb of 6.2 in the Chiburis (1981) catalogue. It is not clear from Figure 8 whether this event is included in the Boston - Ottawa seismic zone. I agree, however, with the conclusion in Appendix F that the existence of a Boston - Ottawa seismogenic zone is not a very credible hypothesis.

4. MAXIMUM MAGNITUDE

The results discussed in Appendix F are obviously dependent on an accurate estimate of the maximum magnitude earthquake that could occur in the vicinity of the site. Since the cause of earthquakes in the eastern United States is unknown, it is difficult to decide what known events in this region are part of the same seismogenic zone as the site. If, for example, all earthquakes along the eastern seaboard are generated by the same mechanism, then the 1886 earthquake in Charleston, SC (MM intensity of X) should be considered in the same seismogenic province as Seabrook, NH. The study described in Appendix B shows that the possibility of a "Charleston type" earthquake at the site, in itself, does not imply larger hazard than has been calculated in the main body of the report. This is a significant result, and I think this additional information provided in Appendix B is essential. As discussed above in Section 3.0, however, the possibility of earthquakes at the site even larger than the Charleston, SC event cannot be absolutely ruled out.

The 1755 earthquake that occurred off the coast of Cape Ann, MA is probably the most important historical event considered in the assessment of the earthquake hazard at the Seabrook site. While Smith (1962) assigned a maximum MM intensity of II for this event, Weston Geophysical (1982) reevaluated the intensities reported for this event. They concluded that the highest intensities onshore near Cape Ann were MM intensity of VII, but they located the event offshore where ground shaking may have been higher. There are large uncertainties associated with intensities reported in the historical catalogue of earthquakes in general, as well as particular problems inherent in assigning epicentral intensity values to an event that was located offshore. I do not think that it is overly conservative to consider the Northern Appalachian zone as having experienced an historical event of intensity IX. I consider a maximum credible magnitude for this zone to be an mb of at least 7.1 (I, of -X).

5. RATE OF SEISMIC ACTIVITY

I do not agree with the assumption that historical rates of seismic activity are relatively well-determined, even in the eastern United States. There are two questions that must be addressed here. First, is the catalogue of earthquakes for the eastern United States completely and accurately recorded? Second, even assuming that this catalogue is complete and accurate for the period of time covered, does it accurately represent the long-term rate of seismic activity in this region?

5.1 Completeness and Accuracy of Historical Catalogue

There are obvious problems with the completeness and accuracy of the Chiburis (1981) catalogue. The authors of Appendix F should have mentioned that there is undoubtedly some bias in the distribution of seismicity shown in Figure 1 due to incomplete reporting and/or recording of events. While the lower bound of mb=4.5 is probably appropriate in terms of structural damage, it is not clear to what extent the incompleteness of the catalogue for events that small could affect other parts of the study. Incompleteness of the catalogue could, for example, have an effect on the various studies of determination of seismogenic zones. The report states that, consistent with the level of effort available for this study, it relies heavily on the work of others. This approach is justified, and a serious evaluation of the completeness of the catalogue used is justifiably beyond the scope of the study. Nonetheless, the report could have included more discussion of the completeness of the catalogue and the possible effects of incompleteness on the various aspects of the study. For example, in section 4.0 the authors give a table of periods of historical completeness for various intensities, but fail to discuss how the values in the table were determined.

There have been a number of recent studies that indicate a lack of systematic methods for calculating magnitudes of EUS earthquakes smaller than mb of about 5.0 (Ebel, 1982; Kafka et al., 1980; Herrmann and Kijko, 1983). Many of the smaller and more recent events in the Chiburis (1981) catalogue are affected by this problem. The choice of a lower bound magnitude of mb=4.5 should help to minimize these errors to some extent, since many events above this threshold are recorded by a number of regional and teleseismic stations. Nonetheless, this problem with magnitudes should be noted.

More serious errors undoubtedly result from the conversion of I, in the historical catalogue to mb. It is well-known that the relationship between I e and mb for historical events exhibits a great deal of scatter, and the authors could have mentioned this problem.

5.2 Long-term Rate of Seismic Activity

It is not clear that we are seeing the long-term seismic processes revealed by the 200-300 years of history analyzed in Appendix F. The occurrence of just one "Charleston type" or "New Madrid type" earthquake in New England would change our entire concept of the rate of activity and the maximum magnitude in this region. Yet, such events cannot be completely ruled out.

The authors of Appendix F overstate the conclusions found in McGuire (1977). This is an example of how the report implies (at least in style, if not in fact) that more is known about eastern earthquakes than really is known. As stated in their report, their methodology is dependent on the assumption that "no change in the character of tectonic strain accumulation or release is expected." Do we really have any idea of what the process of strain accumulation is in the vicinity of Seabrook, NH? If we do not know what makes strain accumulate, then how do we know that the "character of tectonic strain accumulation" won't change?

6. RICHTER b-VALUE

Richter b-value is one of the most difficult seismicity parameters to estimate for earthquakes in the EUS. Across the globe b-values range from about 0.5 to 1.5. Ebel (1984) determined a b-value of 0.84 for earthquakes recorded by local seismic networks in New England. Aggarwal and Sykes (1978) determined a b-value of 0.73 for earthquakes recorded in New York State. Both of these studies were limited by the lack of an appropriate magnitude scale that is calibrated with a global or regional scale such as mb or mbLg. Chinnery and Rogers (1973) determined a b-value of 0.95 for earthquakes in southern New England, but their value was based on a relationship between I, and "local magnitude" with no description of how magnitudes were determined. In a recent study of earthquakes in southeastern New York and northern New Jersey (Kafka et al., 1984), we have estimated mbLg for earthquakes recorded by local seismic networks during the past decade, and we obtained a b-value of 1.16 for these events.

The abovementioned studies suggest that b-values used for hazard assessments in the northeast United States should cover a range of at least 0.7 to 1.2. Given the sparse and inaccurate magnitude data available, however, it is probably better to use a b-value of 1.0±0.5 for this region.

7. CONCLUSIONS

Appendix F of the Seabrook Station Probabilistic Safety Assessment Report provides results that elucidate the sensitivity of hazards assessments at the site to variations in seismogenic zonation and seismicity parameters. These results are of obvious practical value. Nonetheless, the general writing style of Appendix F gives an unrealistic impression that more is known about earthquakes in the EUS than really is known. For example, the study relies heavily on the concept of seismogenic zones "within which earthquakes are considered to be of similar tectonic origin" but fails to state explicitly that the tectonic origin of all earthquakes along the entire eastern seaboard remains a mystery. Also, the following technical problems have been found with Appendix F.

(1) A seismogenic zone consisting of the entire EUS and southeastern Canada should be included with some small subjective weight. I have chosen a subjective weight of 0.1 for such an hypothesis.

(2) The association of seismicity with specific structures such as mafic plutons or even the entire White Mountain zone, while interesting speculation, represents greater detail than the current state of knowledge warrants. The most detailed seismogenic zone that I would include is the Northern Appalachian zone.

(3) I do not think that it is overly conservative to consider the Northern Appalachian zone as having experienced an historical earthquake of epicentral intensity IX. I consider a maximum credible magnitude for this zone to be an mb of at least 7.1 (I, of -X).

REFERENCES

Aggarwal, Y.P., and L.R. Sykes, Earthquakes, faults and nuclear power plants in southeastern New York and northern New Jersey, Science, 200, 425-429, 1978.

Bernreuter, D.L., J.B. Savy, R.W. Mensing, and D.H. Chung, Seismic hazard characterization of the eastern United States: Methodology and interim results for ten sites, U.S. Nuclear Regulatory Commission, NUREG/CR-3756, 1984.

Chiburis, E., Seismicity, recurrence rates, and regionalization of the northeastern United States and adjacent southeastern Canada, U.S. Nuclear Regulatory Agency, NUREG/CR-2309, 1981.

Chinnery, M.A., and D.A. Rogers, Earthquake statistic in southern New England, Earthquake Notes, 44(3), 89-103, 1973.

Ebel, J.E., M measurements for northeastern United States earthquakes, Bull. Seis. Soc. Am. 72, 1367-1378, 1982.

Herrmann, R.B., and A. Kijko, Short-period Lg magnitudes: instrument, attenuation, and source affects, Bull. Seis. Soc. Am. 73(6), 1835-1850, 1983.

Kafka, A.L., E.A. Schlesinger-Miller, N.L. Barstow, and L.R. Sykes, Earthquake activity in the greater New York City area: Magnitudes, seismicity, and geologic structures, (preprint) submitted to Bull. Seis. Soc. Am., 1984.

McGuire, R.K., Effects of uncertainty in seismicity on estimates of seismic hazard for the east coast of the United States, Bull. Seis. Soc. Am. 87(3), 827-848, 1977.

Smith, W.E.T., Earthquakes of eastern Canada and adjacent areas, 1534-1927, Pub. Dom. Obs. 26, 271-301, 1962.

Weston Geophysical Corp., Estimation of seismicity parameters for New England, Report prepared for Yankee Atomic Electric Co., 1982.

4.2 FIRE EVENTS

This section presents the results of our review of the fire analysis performed for the SSPSA. This review is limited to an evaluation of the methodology and results used to assess the risk from fires at the Seabrook Station, Unit 1. A review of the event tree analysis for the plant response is given in Chapter 3.

The methodology used in the SSPSA for the evaluation of risk from fires is adapted from Reference 4.2-1. We have reviewed the fire analysis for the three major areas given below:

1. Fire-Hazard Analysis - The identification and screening of critical areas within the plant in which a fire can cause an initiating event and also affect the performance of safety systems. The development of the frequency of fires in each of these areas.

2. Fire-Propagation Analysis - The analysis of the size, growth, detection and suppression of fires at each critical location. This analysis includes an assessment of the impact of the fire on the plant systems.

3. Plant and Systems Analysis - The development and analysis of accident sequences caused by fires that lead to core damage states. The development of the frequency of each core damage state due to fires.

A fourth major area in the analysis of fires at nuclear power plants is the Release-Frequency Analysis. For this analysis, the contribution to the frequency of each release category due to fires is assessed. In the SSPSA, this release frequency analysis is performed in the overall matrix methodology. The fire induced accident sequences that result in core damage are identified and quantified. Each of these accident sequences is then cast as an initiating event for the corresponding front line event tree (corresponding to the fire induced initiating event) and processed through the plant matrix. The fire induced sequences are then combined with the other accident sequences into plant damage states. The containment behavior is then analyzed for each plant damage state and the release categories developed.

4.2.1 FIRE-HAZARD ANALYSIS

The spatial interaction analysis, SSPSA Section 8.2, was used as the initial screening for the analysis of risks due to fires. In this section, fire scenarios were considered and importance ranked based on conservative bounding estimates of accident frequency. The most important scenarios were analyzed further in the section on fire analysis, SSPSA Section 9.4.

Based on the spatial interaction analysis, the SSPSA assessed the possible initiating events that may be caused by fires. Several initiating events were postulated and further analyzed. From this analysis, a set of initiating events for the fire risk analysis was identified.

The SSPSA reviewed the plant fire analyses for compliance with Appendix R of 10CFR50. Their review verified the location of components required for safe shutdown and identified locations where the distance between redundant components of two trains of systems necessary to prevent core damage is less than 20 feet of free space. The result of this review was a limited list of locations with potential for core damage.

With this limited list of locations and the set of initiating events identified, a shorter list of areas judged to have the highest potential for core damage from a fire was selected for rigorous analysis. The initiating events and the specific areas analyzed in the SSPSA are given below.

LOCATION                           EQUIPMENT                                    INITIATING EVENT
RHR Equipment Vault                Control and Instrumentation Cables           none
                                   for one SI, RHR, and CBS pump
Cable Spreading Room               Control and Instrumentation Cables           Loss of Electric Power
                                                                                PORV Stuck Open
                                                                                Loss of PCC
Control Room                       Control and Instrumentation Cables           Loss of Electric Power
                                                                                Loss of SW and Cooling Tower
                                                                                Loss of PCC
Electrical Tunnel 1                Power, Control and Instrumentation Cables    Reactor Trip
Electrical Tunnel 3                Power, Control and Instrumentation Cables    Reactor Trip
Primary Auxiliary Building (PAB)   Power and Control Cables                     Loss of SW Air Handling
                                   Electrical Cabinets                          Loss of PCC
Turbine Building                   Offsite Power Cables                         LOSP
Service Water Building             Electrical Cabinets                          Loss of SW Air Handling

Data for determining the frequency of fires at the various locations chosen in the SSPSA analysis was obtained from Nuclear Power Experience (Ref. 4.2-2). Little data is available for fires that affect nuclear power plant safety. However, the data that is available has been categorized by plant compartment. A Bayesian method is employed in the SSPSA for determining the frequency of fires at specific locations. A prior fire frequency distribution is updated with appropriate data from each plant for each compartment under consideration. The data used for the update is thoroughly reviewed for applicability to the Seabrook Station. The result is a family of curves that are used to determine an expected (average) curve. This distribution represents the plant-to-plant variability of the fire rate within each compartment.

The compartment fire rate is then multiplied by an area geometry factor to account for the specific location within a compartment where a fire would affect the safety related equipment. This geometry factor is the ratio of the area within which a fire will affect the equipment to the total area of the compartment. When no data is available for a specific compartment under consideration in the SSPSA, the fire frequency for a similar compartment, adjusted for location difference, is used.

4.2.2 FIRE-PROPAGATION ANALYSIS

The fire propagation analysis performed in the SSPSA results in the conditional unavailability of the specific equipment at the location under consideration, given a fire occurs. The analysis considers fire growth, propagation, size, severity, detection and suppression. These parameters are considered explicitly for each specific location and the type and arrangement of equipment therein.

The analysis of fire growth and damage is performed by a simple heat transfer model called the deterministic reference model (DRM). This model is contained in the COMPBRN computer code (Ref. 4.2-3) and is used to calculate the time to involve all the equipment (mostly cables) under consideration. Damage occurs when the equipment reaches a specified temperature.

Three sizes of initial fires were considered in the SSPSA analysis: small, medium and large. The small fire roughly corresponds to burning cable insulation in a cable tray (400 Btu). The medium and large fires are considered to be burning on the floor in the vicinity of the equipment and roughly correspond to a 1 and 2 foot diameter oil fire (4,000 and 40,000 Btu), respectively. Fires from other combustible materials were also considered. It was judged that all three fire sizes were almost equally likely to occur.

The fire sizes and the range of the physical characteristics of the equipment under consideration were used in the computer code to calculate a distribution of the propagation time for each fire. Each distribution was then adjusted by a multiplicative parameter to account for the large state-of-knowledge uncertainty in modeling fire behavior. The overall fire propagation or growth time was then determined by combining the distribution for the three fire sizes, accounting for the severity of each. The fire severity is a conditional frequency of the fire size causing failure, given a fire at that location and near the specific equipment.

Fire detection and suppression accounts for the possibility of extinguishment prior to equipment failure. This possibility is represented by a conditional frequency that the fire is not extinguished by time t, the time equipment failure occurs. The distribution for this frequency considers the specific location of the fire, the number of personnel who pass within the location, the type of detection equipment present, and the type and location of fire suppression equipment available to extinguish the fire.

The combination of the fire occurrence frequency distribution and the equipment conditional unavailability distribution results in an unconditional frequency distribution for the failure of specific equipment due to a fire. The specific equipment is usually power, control and/or instrumentation cables that will cause an initiating event and render both trains of safety related systems unavailable for mitigation. The unavailability of a single train of the safety related equipment was considered for one location in the SSPSA analysis.

4.2.3 PLANT AND SYSTEMS ANALYSIS

Failure of specific equipment due to fire is considered in the plant and systems analysis. The fire induced initiating events and component failures are logically combined with operator actions into sequences of events that will cause core damage for each location.

In the SSPSA, most locations considered for the fire analysis were chosen because they lead directly to core damage by fire induced initiating events and component failures with no operator actions. However, for the cable spreading room fire, an event sequence diagram was used to account for the possible fire locations, initiating events, additional equipment failures and operator actions. This analysis resulted in sequences of events that lead to core damage and provided a framework for their quantification.

Operator actions are analyzed for each specific fire location under consideration, and many different operator related scenarios can be envisioned. In general, the operator must diagnose the equipment failures and the location of fire, and take actions to mitigate its effect. These actions must be done before core damage. For locations where the local power and/or control cables are affected, the operators can take local control of the equipment. For locations where power to specific equipment or the site in general are affected, the operator can use alternative power sources. For the control room and cable spreading room fires, the operator can take control of the plant at the remote shutdown system panel. The analysis of these and other operator actions in the SSPSA considers the level of stress, the availability of, and the operator's familiarity with procedures to handle specific occurrences, diagnosis error due to erroneous information, and the level of confusion that may exist.

The operator action analysis is then combined with the fire failure analysis to determine the frequency distribution for the contribution to core damage due to fires. In the SSPSA, these frequency distributions are then cast as initiating events and processed through the plant model. The SSPSA results for the fire analysis are given in Table 4.2-1.

4.2.4 CONCLUDING REMARKS

The fire analysis performed for the SSPSA appears accurate and valid. The methodology employed represents the state-of-the-art in fire risk analysis at nuclear power plants. The SSPSA mean values for core damage due to fire at the various locations analyzed are reasonable and fall within the range of those calculated from other fire risk analyses at nuclear power plants (1E-4 to 1E-7). About 11 percent of the core melt frequency is due to the eight fire induced accident sequences that appear in the 43 top contributors.

We have not rigorously verified the contents of the various compartments and fire areas analyzed, nor have we extensively reviewed the plant for additional areas where fire induced initiating events and component failure could lead to core damage. However, we believe the analysis identified all significant locations through their initial screening process and the use of the 10CFR50 Appendix R fire assessment.

We are, however, concerned about the manner in which the fire induced initiating events are processed through the plant matrix. It appears that they are used in the initiating event vector for the associated combination of auxiliary and front-line event trees. Care must be taken that components or systems that are failed in the fire event are not also considered in the event tree analysis. For example, a fire event that includes failure of the PCC must have an associated auxiliary and front-line event tree in which the PCC event is either not considered or is represented by a value of 1.0. Although it is not absolutely clear, it appears that the SSPSA may not have considered the need to avoid multiplying the unavailability of an event that is failed by the external initiator (the fire) by the unavailability of the same event due to failure from internal initiators. If this did occur, the probabilities of the sequences involved would have been incorrectly evaluated and optimistic.
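The double-counting concern above can be made concrete with a small event-tree quantification. This is an added example, not part of the review or the SSPSA; the initiating-event frequency, the three top events with their unavailabilities, and the core-damage logic are constructed values chosen only for illustration.

```python
from itertools import product
import math

# Constructed inputs for illustration only; none of these values come from the SSPSA.
FIRE_FREQ = 1.0e-5            # fire initiating event frequency (per reactor-year)
INTERNAL_UNAVAIL = {          # unavailability of each top event from internal causes alone
    "PCC": 1.0e-3,            # primary component cooling
    "EFW": 1.0e-2,            # emergency feedwater
    "FB": 1.0e-1,             # feed-and-bleed (hypothetical top event)
}
FAILED_BY_FIRE = {"PCC"}      # top events the fire itself is assumed to fail


def core_damage(failed):
    """Hypothetical success criteria: damage if EFW fails and either PCC or FB fails."""
    return "EFW" in failed and ("PCC" in failed or "FB" in failed)


def split_fractions(internal_unavail, failed_by_initiator, condition_on_initiator):
    """Return the failure probability to use for each top event in the tree.

    With conditioning, every event already failed by the initiator is set to 1.0,
    as the review requires. Without it, the internal unavailability is reused,
    which multiplies the fire frequency by a failure that has already happened.
    """
    q = dict(internal_unavail)
    if condition_on_initiator:
        for event in failed_by_initiator:
            if event not in q:
                raise KeyError(f"initiator fails unknown top event: {event}")
            q[event] = 1.0
    return q


def quantify(initiator_freq, q, damage_fn):
    """Enumerate every success/failure path and sum the core-damage sequences."""
    events = sorted(q)
    total = 0.0
    damage_sequences = []
    for outcome in product((False, True), repeat=len(events)):
        failed = frozenset(e for e, is_failed in zip(events, outcome) if is_failed)
        prob = math.prod(q[e] if e in failed else 1.0 - q[e] for e in events)
        if prob > 0.0 and damage_fn(failed):
            freq = initiator_freq * prob
            total += freq
            damage_sequences.append((sorted(failed), freq))
    return total, damage_sequences


def compare():
    """Core damage frequency without and with conditioning on the fire damage."""
    optimistic, _ = quantify(
        FIRE_FREQ, split_fractions(INTERNAL_UNAVAIL, FAILED_BY_FIRE, False), core_damage)
    conditioned, _ = quantify(
        FIRE_FREQ, split_fractions(INTERNAL_UNAVAIL, FAILED_BY_FIRE, True), core_damage)
    return optimistic, conditioned


if __name__ == "__main__":
    optimistic, conditioned = compare()
    print(f"PCC left at internal unavailability: {optimistic:.3e} per reactor-year")
    print(f"PCC set to 1.0 for the fire event:   {conditioned:.3e} per reactor-year")
    print(f"underestimate factor: {conditioned / optimistic:.1f}")
```

With these constructed inputs the unconditioned tree understates the fire-induced core damage frequency by roughly a factor of ten, which is the optimistic bias the review describes.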

4.2.5 REFERENCES FOR SECTION 4.2

4.2-1. Apostolakis, G., Kazarians, M., and Bley, D. C., "A Methodology for Assessing the Risk from Cable Fires," Nuclear Safety, Vol. 23, No. 4, pp. 391-407, July-August 1982.

4.2-2. Nuclear Power Experience, a Division of Petroleum Information Corporation, Nuclear Power Experience, December 1981.

4.2-3. Siu, N. O., "COMPBRN - Computer Code for Modeling Compartment Fires," NUREG/CR-3239, UCLA-ENG-8257, University of California, Los Angeles, May 1983.

TABLE 4.2-1 FIRE ANALYSIS RESULTS

LOCATION                                  INITIATING EVENT                                                    FREQUENCY (ry^-1)
Cable Spreading Room                      FSRCC                                                               3.6E-6
Cable Spreading Room                      Factored into Initiating Event FSRAC                                5.2E-7
Control Room                              FCRCC                                                               9.0E-6
Control Room                              FCRSW                                                               2.1E-6
Control Room                              FCRAC                                                               2.1E-6
Electrical Tunnel 1                       FET1                                                                3.4E-4
Electrical Tunnel 3                       FET3                                                                1.7E-4
Primary Auxiliary Building (4 locations)  Factored into Loss of Service Water Initiating Event                7.0E-5, 3.8E-4, 7.0E-5, 6.8E-5
Primary Auxiliary Building                Factored into Loss of Primary Component Cooling Initiating Event    4.2E-6
Turbine Building                          FTBLP                                                               6.0E-4
Service Water Building                    Factored into Loss of Service Water Initiating Event                2.5E-4


4.3 AIRCRAFT CRASH ANALYSIS

Air traffic due to several airports and landing facilities near the Seabrook site is analyzed in the SSPSA. Included are the nearby Hampton Airport, the Wheelabrator-Frye corporate helipad, the Plum Island Airport, the Pleasant View Airport, and Pease Air Force Base, as well as two major airports within 50 miles of the site, Grenier Field (Manchester NH) and Logan Airport (Boston). Also included are federal airways and direct aircraft routings near the site. These air traffic sources are analyzed to determine the annual number of operations of each type of aircraft to or from each airport or along each airway.

Using statistics for approximately a 10-yr period, inflight crash rates per aircraft mile flown were calculated for U.S. air carriers (1.51E-9 mean), and for U.S. general aviation aircraft (single engine mean 2.28E-7, multiple engine mean 7.23E-8). Crash rates per hour for the applicable military aircraft were calculated with means ranging from 2E-5 to 3E-6 for various types. The frequencies of aircraft crashes into different structures of the plant are then calculated through the summation, over all types of aircraft and nearby flight paths, of the products of the number of operations of aircraft, the crash rates, the distances traveled by the aircraft while the plant site is within its potential impact area, and the probabilities of hitting a particular structure given that the aircraft accidents are near the site.

The targets considered for aircraft crash include the containment building, the primary auxiliary building, the control building, the diesel generator building, the tank farm, the service water pumphouse, and the fuel storage building. A structure fragility analysis concluded that the containment is vulnerable only to aircraft weighing more than the 81,800 pounds of the FB-111A military aircraft, and the other critical structures can withstand the impact of general aviation aircraft up to 12,500 pounds. Therefore general aviation aircraft can damage only unprotected safety related equipment which the RWST. It is concluded that any accident scenario resulting from the crash of a general aviation aircraft could not cause core melt.

A crash of a large aircraft on the containment is assumed to cause a large LOCA and is quantified in the plant model with a mean impact frequency of 1.21E-E per year. A crash into the control building would cause core melt and is quantified with a mean impact frequency of 1.39E-7 per year. A crash into the primary auxiliary building causes core melt due to loss of primary component cooling, and is quantified with a mean impact frequency of 2.00E-7 per year. Loss of the service water system is not quantified because of the cooling tower backup. Loss of the diesel generators is not quantified because a loss of offsite power is also needed for core melt.

In summary, the SSPSA presents a complete and thorough analysis of potential aircraft crashes, and their conclusions appear to be reasonable.

4.4 INTERNAL FLOODS

The SSPSA treatment of internal flooding consists primarily of a qualitative evaluation on the basis of location. A quantitative analysis was performed only on the turbine hall. The method used for quantitative analysis includes identification of the locations where a single flood can cause an initiating event and simultaneously fail needed safety systems, calculation of the frequency of these floods, calculation of flood severity, consideration of mitigation, identification of flood accident sequences and calculation of their frequencies. The stated purpose was to find those scenarios which might dominate a plant damage state.

The initiating events the SSPSA considered important are a small LOCA and the loss of offsite power. A small LOCA can occur if the PORVs and block valves are inadvertently opened, and a flood in the control room causes a hot short in the control circuitry preventing their reclosure. Offsite power may be lost due to a flood in the turbine building which damages relay cabinets located there.

Many locations were considered for flooding and the qualitative analysis performed for most of them concluded that flooding was not important. A brief summary of these locations follows.

Containment Building - Since no safe shutdown equipment is located here and floods within containment are easily isolated, plant safety is not jeopardized.

Emergency Feedwater Pumphouse - Flooding within the EFW pumphouse is included in the system unavailability analysis. Potential floods from the pumphouse to electrical tunnels and penetrations located beneath the pumphouse were considered unimportant because stairwell doors or the pumphouse floor plug must fail in order to propagate the flood.

Main Steam and Feedwater Enclosures - Flooding of one of the two separate enclosures could lead to a partial failure of the main steam lines, main feedwater, and one train of service water. However sufficient equipment survives to assure a safe plant shutdown.

RHR Spray Equipment Vault - An unrestricted flood from the RWST can fail all six pumps of the RHR, SI, and CSS systems. However, no initiating event is caused by this flood, and the estimated system unavailability due to flooding is much smaller than from other causes. A flood from the PCC system can fail three pumps (one train from each safety system), and is dismissed. Similarly, possible flooding from the fire protection hose station is dismissed.

Control Building - The first floor contains two switchgear rooms and four battery rooms, and has no sources of internal flooding. One outside flood source of the fire protection hose station is not considered important. The outside source from a turbine hall flood is analyzed separately. The second floor contains the cable spreading room, which has no outside flood sources and is not significantly affected by internal floods. The third floor contains the control room, which could be flooded by either potable water piping or fire protection hose stations. However, these floods are discarded from further consideration because it is unlikely that a sufficient water depth could be reached to jeopardize plant operations.

Electrical Tunnels - These could be flooded externally from a flood in the EFW system or internally by the fire protection system. However, the cables are designed to remain functional when submerged, so these locations are dismissed from further analysis.

Diesel Generator Building - This building has a separate section for each diesel generator. Although several flood sources are available, it is postulated that most single floods can only fail one of the two generators. Considering the importance of diesel generators for safe plant shutdown for many accident sequences, a more extensive analysis of diesel flooding would be desirable.

Primary Auxiliary Building - Many flood sources are present here. A flood from a limited water source (<500,000 gal.) could fail all three charging pumps, but this would not hinder safe shutdown. A very large flood from the service water system could jeopardize the four PCC pumps. However the plant operators would have at least one hour to mitigate the spill, so the PCC pumps are considered impregnable to floods.

Mechanical Penetration Area - The piping of several vital systems as well as isolation valves are located here. Floods are possible, but this equipment is considered impregnable.

Other Areas of the Plant - Potential flooding is not considered important in the following areas: waste processing building, fuel storage building, service water pumphouse, containment enclosure ventilation area, fire pumphouse, and the nonessential switchgear area. Cooling tower floods are not considered because the tower is a standby system. However, a large volume of water is present there, and the effects of possible tower floods on nearby buildings should be considered.

The only quantitative evaluation done was for a flood in the turbine building and switchgear room. The sources of a "large" or "very large" flood in the turbine building include the circulating water piping and equipment, feedwater and condensate systems, service water system, and fire protection sprinkler system. A flood depth of one foot is assumed sufficient to fail relay cabinets located in the turbine building, which causes a loss of offsite power. A few inches of leakage through a door into switchgear room A would fail emergency bus E5. From there leakage through another door into switchgear room B would fail emergency bus E6.

The event tree for turbine building flood sequences is quantified using flood frequencies for the two severities which were developed using Bayesian techniques on available flooding incident data. Probability distributions were assigned for the operators mitigating a large flood, and for leakage into the switchgear rooms. Resulting probability distributions for the three sequences of interest were calculated with the DPP computer program.

The mean frequencies per reactor year are:

Loss of offsite power                        3.2E-4
Loss of offsite power and Bus E5             2.5E-6
Loss of offsite power and Buses E5 and E6    8.5E-8

The quantification of turbine building floods appears to be adequate, while the qualitative treatment of flooding in other locations consisted of a screening evaluation.

4.5 External Flooding

4.5.1 Background

The Seabrook plant site is situated along the western shore of Hampton Harbor. The plant structures are located on an area called "The Rocks," which is surrounded on three sides by low-lying marshes. The plant is approximately 2 miles from the Atlantic Ocean.

As part of the external event analysis of the SSPSA, the possibility of severe accident scenarios initiated by external flood events was addressed. As a new plant, Seabrook has been designed according to current NRC standards (Regulatory Guide 1.59, Revision 2). As such, the design basis is generally conservative, and thus we would expect that external flood events do not pose a significant hazard to the plant. Based on a preliminary review of the SSPSA sections related to external flooding, comments are provided in the following sections.

4.5.2 Flood Initiators

The principal source of information used in the SSPSA to assess the hazards due to external flood events was the Seabrook FSAR. The possible flood events considered in the FSAR were:

- stream flooding from Probable Maximum Precipitation (PMP)
- open coast surge flooding
- wave height
- combination of surge and stream flooding
- tsunami induced flooding
- seiche flooding
- flooding caused by dam failure

Also considered was the possibility of:

- ice flooding
- local intense precipitation.

Although many of these events could occur at or near the plant site, their magnitude precluded most of them from consideration as significant hazards. Based on a review of the Seabrook FSAR, the authors of the SSPSA conclude that the sources of flooding which could pose a significant hazard to safety-related structures and equipment are the Probable Maximum Hurricane (PMH) combined with a standard project storm (SPS). The occurrence of floods generated by all other events was considered not possible or too remote to consider. The basis for this conclusion is founded principally on deterministic calculations that do not account for the inherent randomness of flood events or the uncertainty in estimating their magnitude. The estimates of extreme floods are typically based on compounded conservatisms. Thus, the conclusion is that most, if not all, of the flood events considered are extremely remote events.

Based on our preliminary review of the Seabrook FSAR and a draft report of the recently completed flood insurance study for Seabrook,(1) we agree that storm surge due to hurricanes and storm precipitation represent the greatest possible hazard to the plant site. This conclusion is based in part on a belief that the calculations and results documented in the FSAR are correct.

4.5.3 Methodology

To evaluate the frequency of flooding on the plant site (above elevation 20 feet MSL), a point estimate procedure was used. The analysis consisted of assuming point estimate values for the frequency of flooding. Also, the uncertainty about this frequency was assumed. The results of this analysis to estimate the frequency of the joint occurrence of the PMH and SPS are summarized below:

Event                         Elevation (ft. MSL)    Frequency
PMH                           -                      10^-4
SPS given the PMH occurs      -                      0.10
Combined Frequency            14.6                   10^-5

The basis for these estimates is not provided in the SSPSA.

The above frequency estimates were then extended to evaluate the frequency of flooding at elevations that would impact plant structures. It is stated in the SSPSA that flood levels must reach at least 21' MSL in order to present a hazard. The frequency of this event was estimated to be 10^-6. It was also assumed that the uncertainty in the frequency of occurrence could be described by a lognormal distribution. At the 95th percentile, it was assumed that the frequency of flooding 21' MSL would be less than 5 x 10^-6 per year.

The frequency estimates reported above are not supported by either a statistical or probabilistic analysis. Equally unsubstantiated is the estimate of the uncertainty in the frequency of occurrence and assumption that this uncertainty is lognormally distributed. In general, our experience would suggest that the frequency in extreme flooding events is considerably greater than that assumed, and that the probability distribution on the frequency of extreme events is not well represented by a lognormal distribution.

The meteorologic and hydrologic processes that may lead to possible flooding at the Seabrook site are a far more complicated random process than implied by the SSPSA or the deterministic FSAR calculations. For example, it is not apparent from our preliminary review that the joint occurrence of the PMH and SPS is the most critical and most likely to occur. Clearly, perturbations of the parameters of either event could result in more or less severe flooding. The point is, that due to the randomness of hurricane and storm occurrences, whether they are independent or correlated random events, an entire suite of possible flood events are possible.

We have examined the SSPSA flood hazard estimates in light of the flood insurance study calculations made for Seabrook. The direct applicability of these results is limited since the lowest frequency event predicted by these studies is 2 x 10^-3 per year. To obtain a first order assessment of the frequency of flooding at plant elevations, we attempted a number of extrapolations of this information. Although direct extrapolation is arbitrary and potentially misleading, by considering a number of alternative approaches, we should be able to envelop the range of possible frequency estimates. We conclude from this exercise that the frequency of flooding at the 21' MSL elevation is an extremely remote event whose frequency is less than 10^-5. The estimate of 10^-6 in the SSPSA is, in our opinion, conservative.

4.5.4 Conclusions

Relative to the risk posed by other external events, past experience suggests that the contribution of external flooding is small. Based on a preliminary review of the SSPSA external flooding analysis, we would agree that this is the case at Seabrook. This conclusion is due in part to the risk estimates for other external events. For example, seismic events have a mean core-melt frequency of 2.89-5 per year. If this estimate should change (to a smaller value), the relative contribution of external flood events would be higher.

In the SSPSA, as in past PRA's that have considered external flooding, an ad hoc, point-estimate procedure was used to calculate the frequency of occurrence of extreme floods. In general, this approach is inappropriate for use in PRAs. If the relative contribution to plant risk of external flood events should be higher, a formal, more comprehensive flood hazard assessment should be conducted.

REFERENCES

1. Stone and Webster Engineering Corporation, "Flood Insurance Study, Town of Seabrook, Rockingham County, New Hampshire," Prepared for Federal Insurance Administration, Federal Emergency Management Agency, December, 1983.

4.6 HAZARDOUS CHEMICALS AND TRANSPORTATION EVENTS

This section considers the potential for accident initiation due to industrial activities near the plant. The events considered important enough for analysis include the hazardous concentration of toxic or flammable gases inside the control room, and the unrecoverable loss of offsite power due to a truck crash into the transmission lines.

Hazardous chemicals are located both near and on the Seabrook site. The USM-Bailey Division plant 1 mile from the Seabrook plant contains two 30,000-gallon tanks of liquefied petroleum gas. At the Seabrook site, there is onsite storage of hydrazine, ammonia, morpholine, sulphuric acid, sodium hydroxide, sodium hypochlorite, and fuel oil. The risks from onsite storage of hazardous chemicals are assumed to be small and are not analyzed further.

Four scenarios involving a release of LPG and various points of ignition and cloud movement are analyzed. Of these, two have serious consequences. In scenario #2, an LPG explosion disables power lines coming into the plant, causing an unrecoverable loss of offsite power. The calculated point estimate frequency for this event is 1.1E-6 per year. In scenario #3, the hazardous gas mixture causes control room inhabitability, with a calculated point estimate frequency of 4.4E-7 per year.

Hazardous chlorine gas can also enter the control room as the result of a nearby tanker truck accident. This scenario is estimated to occur with a frequency of 2.6E-7 per year. Adding this to the previous result, the frequency of control room inhabitability is estimated at 7E-7 per year, and it is not considered a significant contributor to risk. Gas pipeline accidents were also briefly considered and dismissed as unimportant.

The possibility of an onsite truck accident damaging the offsite power transmission lines was analyzed. A section of the plant access road runs very close to the transmission lines. Although guardrails will prevent passenger cars from impacting the transmission lines, it is possible for a truck to crash the guardrail and damage all three lines, causing an unrecoverable loss of offsite power. A detailed analysis of crash statistics and kinetic energy calculations was done to arrive at a mean frequency of nonrecoverable loss of offsite power due to a truck accident of 2.76E-4 per year. This was considered significant enough to include as an initiating event in the plant model quantification. This analysis appears to be complete and valid.

4.7 Wind Events

Section 9.8 of the SSPSA addresses wind and tornado initiated scenarios. The section deals entirely with tornado-related effects. However, since safety-related structures are conservatively designed for a wind speed of 360 mph, the effects of hurricanes and other types of winds are implicitly included. Our conclusion is that the probability of damage to safety-related equipment due to wind effects is conservatively on the order of 1.0-7 per year. The format of our comments given below on the wind analysis in the SSPSA parallels the subsections in SSPSA Section 9.8.

4.7.1 Tornado Wind Hazard and Frequency

It is argued in Section 9.8.2 of the SSPSA that the effects of tornado windspeed are not significant. We agree with this conclusion, although our basis is different. All safety-related equipment necessary for the safe-shutdown in the event of a tornado strike are contained within concrete structures at least 2 feet thick which have been designed for a windspeed of 360 mph. This speed corresponds to a Fujita scale F6 tornado (windspeed from 319 to 380 mph). However, this size of tornado has never been observed anywhere.

A printout of the tornado data base for the years 1950 through 1983 was obtained from the National Severe Storm Forecast Center (NSSFC) in Kansas City, MO. Within a 125 nautical mile (nmi) radius of Seabrook (approximately 144 statute miles) 253 tornado events have been reported in this time period with an average tornado damage area of 0.353 mi^2. This area is approximately three times the average damage area value of 0.124 mi^2 based on tornados within a 50 mi radius of the site reported in SSPSA Section 9.8.2. However, the NSSFC also gives an average tornado damage area of 0.238 mi^2 for tornados within a 2 degree square centered on the site. Since the area of the 2 degree square is less than the area enclosed by the 125 nmi radius but larger than an area enclosed by a 50 mi radius it appears that tornados closer to the site are generally smaller.

A review of the tornados in the NSSFC data base and a history of Fujita scale F4 and F5 tornados (i.e. wind speeds from 207 to 318 mph) in the U.S. from 1880 to 1982 (Ref. 1) indicate that three F4 tornados (windspeed from 207 to 260 mph) have occurred since 1880 within 125 nmi of the Seabrook site. No F5 tornados have been reported in this region. One of the F4 tornados occurred approximately 50 miles away in Massachusetts in 1953. This tornado killed 50 people, injured 1288, and did approximately 50 million dollars damage. The destruction was enormous, but there was no evidence of F5 damage; hence, the tornado was rated as a F4 intensity.

Although it is argued in Section 9.8.2 of the SSPSA that frequency of tornados with windspeeds greater than 360 mph is less than 1.0-7 per year, this estimate is based on a fraction of F6 tornados equal to 0.0005. Since an F6 tornado has never been observed and the largest tornado in the Seabrook area is only an F4, it is somewhat speculative to assign any non-zero probability value for tornados greater than 360 mph at the Seabrook site. In addition, the strength of the structures likely exceeds a capacity of 360 mph due to conservatisms inherent in the design process. We conclude that the frequency of failure of safety-related structures at Seabrook due to tornado windspeed is conservatively less than 1.0-7 per year.

4.7.2 Tornado Wind Fragility of Structures

It is stated in Section 9.8.3 of the SSPSA that the refueling water storage tank (RWST) and condensate storage tank (CST) may be subject to failure from negative or positive pressures generated by tornado winds. Since the CST is surrounded by a 2-foot thick concrete wall this is not likely. The roof may fail, but the concrete walls will protect the water from leaking out. The RWST is contained in an enclosure which is not tornado proof; thus, the failure of this structure may impact the RWST. However, as discussed below the RWST is not needed in the event of a tornado strike.

4.7.3 Tornado Wind Initiated Scenarios

We agree with the conclusion given in SSPSA Section 9.8.4 that wind speed-initiated scenarios are not significant.

4.7.4 Tornado Missile Hazard and Frequency

The approach used in SSPSA Section 9.8.5 to determine the frequency of tornado missile impact on the plant structures was based on extrapolation of a tornado missile analysis performed in an EPRI study (Ref. 2). A missile impact density (actually scabbing damage rather than impact was calculated) was defined to be the ratio of annual frequency of scabbing of any plant safety-related structure divided by the total surface area of all safety-related structures (stated to be 500,000 ft^2). Two values were obtained from the EPRI study: one for the case of one unit operating while the other unit was being built and the other for the case of both units operating. These values were adjusted for the difference in the tornado strike frequencies between the EPRI study and the Seabrook site. The adjusted tornado missile impact densities were then multiplied by areas of the different Seabrook structures and the two cases were combined for each structure in proportion to the expected time duration (i.e. 3/40 for case 1 and 37/40 for case 2) to obtain an average lifetime (i.e. 40 years) value.

There are several problems with the approach used. First, it is implied that the structure walls are the critical elements. In fact all walls of the category I structures (except the tank farm and cooling tower) are constructed of 2-foot thick concrete. It is improbable that any tornado generated missile could spall a 2-foot thick concrete barrier. This conclusion is supported by tests performed by Sandia Laboratories, where a 12-inch diameter 743 pound pipe at 202 fps impact did not cause any backface scabbing of a 24-inch concrete panel (Ref. 3). This velocity is greater than the Region I design velocity of 154 fps for this class of missile (Ref. 4).

A more important concern are openings in the walls such as door-I ways, vents, louvres, and exhaust and HVAC openings. A recent tornado missile analysis for Seabrook published in September 1983, addresses this more important problem (Ref. 5). The mean annual frequency of a tornado hitting the Seabrook site (i.e. 7.77-5 per year) was used as a measure of the site tornado hazard in SSPSA Section 9.8.5. This value is a point strike value which does not include consideration of the size of the plant facilities. This value was cogared to the tornado strike frequency of 2.3-3 given in the EPRI report (Ref. 2) and a scaling factor of .034 (i.e. 2.3-3/7.77-5) was calculated and used to adjust the EPRI results. We believe that this is incorrect since the tornado strike frequency of 2.3-3 is an area strike value, which assimes a hit occurs if any part of the tornado touches the site. This value is considerably larger than the corresponding point strike value. The analysis in Reference 2 was performed using USNRC Region I tornado hazard characteristics. The corresponding point site frequency I value is 5.9-4 per year (a factor of almost 4 smaller than 2.3-3) which can be obtained from Reference 6. Based on this discrepancy the fre-quency values given in SSPSA Table 9.8-2 are low by a factor of approxi-mately 4. A second problem with the SSPSA tornado missile hazard analysis concerns the population of potential missile implied in the calcula-tions. The number of missiles assumed in the EPRI stu@ is equal to 5000 missiles during the construction phase and a 1000 missiles during the operations phase. In cogarison, the analysis reported in Reference 5 included a total of 66,796 potential missiles at Seabrook which were estimated based on a plant site survey. Thus the number of missiles assumed in the EPRI study are low by a factor of 10 as compared to the missile population at the Seabrook site. 
The analysis presented in Reference 5 is believed to be more repre-sentative of the risk imposed by tornado missiles at the Seabrook site. Since it was published in September 1983, and the SSPSA was i 4.7-4

( published in December 1983, it is not clear why the results of Reference 5 were not incorporated in the probabilistic safety analysis. The analyses in Reference 5 used the TORMIS methodology developed for EPRI (Ref. 2). A survey of tornado missiles was conducted and structures at the plant, including vulnerable openings, were modeled. Simulation runs were made using a total of 34,000 missile histories. A site-specific tornado hazard study was not performed. The tornado occurrence rate was adjusted based on the point strike probability at the site (i.e. 7.77-5 per year) and the value estimated for Region C which is a finer subdivision of the USNRC Region I (Refs. 6 and 7). , i Note that the value of 7.77-5 per year assumed for the Seabrook site is consistent with the value obtained using the NSSFC data base based on 125 nmi radius area as well as the 2 degrees square area. However, the frequency value assumed for Region C in Reference 5 is 1.2-4 per year, which appears to be low. Based on Reference 7 and an approximate check using other sources, a value of 5.7-4 is more realistic. Thus the results reported in Reference 5 may be high (i.e. conservative) by a I factor of 4 to 5. The authors of Reference 5 imply that a detailed site-specific tornado analysis would also decrease the risk. The probability of penetrating any one of the 30 targets (i.e. doorways, vents, louvres, and exhaust and HVAC openings) associated with safety related structures was calculated to be 1.2-6 per year. This value is conservative considering that penetration of an opening does not imply failure of the components contained in the building. Damage is probably at least another order of magnitude smaller. In addition, this value was obtained by simply adding the probability of impact values from the individual targets. These probabilities are not I mutually exclusive and a more realistic approach (and less conservative) would be to substract the joint probabilities, if they were known. 
In conclusion, we believe that failure of a safety-related component due to tornado missile impact is conservatively on the order of 1.0-7 per year.

4.7.5 Tornado Missile Fragility

In regard to SSPSA Section 9.8.6, the results presented in Table 9.8-2 are not appropriate as discussed above. However, for all safety-related components, except for the cooling tower and the RWST which is located in the tank farm, the frequency of tornado missile damage is small (i.e. less than 1.0-7 per year). The cooling tower is not needed during a tornado event, since the normal service water system will function. The RWST also is not needed during a tornado as discussed in Section 6.2.2.3 of the FSAR. It is stated in this section that neither the RWST nor the spray additive tank is protected against tornado missiles since a tornado and simultaneous accident are not considered. If a tornado damages a tank, the plant will be shut down.

4.7.6 Tornado Missile Initiated Scenarios

In regard to SSPSA Section 9.8.7, it is unlikely that a tornado missile will penetrate any openings into the diesel generator building (i.e. less than 1.0-6 per year). It is even more unlikely that the missile would damage the diesel generator or related components. The probability that both diesel generators are rendered inoperable is insignificant. It is implied in this section that the RWST is required in the event that a tornado occurs and offsite power is lost (which will occur with a conditional probability close to 1.0). As discussed above, the RWST tank is not needed in the event that a tornado occurs; hence, its probability of failure (which may be relatively high) is not important.

REFERENCES

1. Grazulis, T.P., "Violent Tornado Climatography 1880-1982," Prepared for U.S. Nuclear Regulatory Commission, NUREG/CR-3670, May 1984.
2. Twisdale, L.A., Dunn, W.L., and Chu, J., "Tornado Missile Risk Analysis," Prepared for Electric Power Research Institute, EPRI NP-768, May 1978.
3. Sandia Laboratories, "Full-Scale Tornado-Missile Impact Tests," Prepared for Electric Power Research Institute, EPRI NP-440, 1977.
4. U.S. Nuclear Regulatory Commission, Standard Review Plan Section 3.5.1.4, "Missiles Generated by Natural Phenomena," Rev. 2, Washington, D.C., July 1981.
5. Applied Research Associates, Inc., "Seabrook Nuclear Power Plant Tornado Missile Analysis," Prepared for United Engineers and Constructors, Inc., Final Report C569, September 1983.
6. Reinhold, T.A. and Ellingwood, B., "Tornado Damage Risk Assessment," Prepared for U.S. Nuclear Regulatory Commission, NUREG/CR-2944, September 1982.
7. Twisdale, L.A. and Dunn, W.L., "Probabilistic Analysis of Tornado Wind Risks," Journal of Structural Engineering, Vol. 109, No. 2, February 1983.


4.8 TURBINE MISSILES HAZARD

Missiles generated from main turbine failures can potentially cause failures in safety related systems. These safety related failures in combination with the main turbine failure could possibly lead to undesirable consequences. The SSPSA estimates the annual frequency of failure for several specific systems due to turbine missiles. These failures along with the main turbine failure are then used as initiating events and processed through the plant model.

The turbine missile hazard analysis accounts for the frequency of missile generation due to turbine failure, the conditional probability of a missile striking vital equipment or systems given a missile has been generated, and the conditional probability that failure of the impacted equipment or system will result given missile impact. The combination of these three probabilities results in the annual frequency of the initiating event caused by the specific system failure.

The Seabrook Station uses General Electric (GE) turbine-generators. Two turbine failure modes for release of external missiles were considered: failures at normal operating speeds and overspeed failures. The data used to quantify the frequency of turbine missile generation was obtained from two sources (Ref. 4.8-1 and 4.8-2) judged applicable to the Seabrook plant. The SSPSA used the highest reported values from the two sources as the upper bound (95th percentile) and the lowest values as the lower bound (5th percentile) to construct a lognormal distribution for the frequency of turbine missile generation for each turbine failure mode.

To estimate the conditional probability of missile impact and the conditional probability of resultant equipment or system failure requires an analysis of missile size, energy and possible trajectories as well as the location of the important targets. This analysis was performed for both Seabrook units and given in the FSAR (Ref. 4.8-3). The analysis considered low and high trajectory missiles for both turbine failure modes. The values used in the SSPSA were taken from the FSAR analysis and considered possible equipment and system failures at unit 1 from the unit 2 turbine failure.

The results of the turbine missile hazard analysis are given in Table 4.8-1. Six initiating events were identified. Five of these events resulted from direct impact of the missile, while one event, described as the "impact induced large LOCA (TMLL)", resulted from missile impact on the containment building. This event would also cause failure of containment isolation and loss of the containment spray system. The quantification of two initiating events, TMSLB and TMLCV, assumed a one-to-one correspondence between missile generation and system failure, since the values used for the initiating event frequency are equivalent to the missile generation frequency.

4.8.2 CONCLUDING REMARKS

The turbine missile hazard analysis performed in the SSPSA appears reasonable and acceptable. It also appears reasonable that no turbine missile initiated event sequence occurs in the top 43 contributors to core melt or as a dominant contributor to any of the plant damage states.

TABLE 4.8-1

RESULTS OF THE TURBINE MISSILE HAZARD ANALYSIS

Initiating Event   System                               Frequency (mean, ry-1)
TMSLB              Main Steam Line Break                8.30E-5
TMCR               Control Room                         3.98E-7
TMLCV              Loss of Condenser Vacuum             8.30E-5
TMLL               Large LOCA, Containment Building,    7.44E-8
                   Containment Spray System
TMCST              Condensate Storage Tank              6.09E-8
TMPCC              Primary Component Cooling            1.27E-8

4.8.3 REFERENCES FOR SECTION 4.8

4.8-1. Bush, S., and Heasler, P., "Probability of Turbine Missile Generation," paper presented at the EPRI Steam Turbine Missile Disc Integrity Seminar, New Orleans, April 6-8, 1981.
4.8-2. "Hypothetical Turbine Missiles - Probability of Occurrence," General Electric Memo Report, March 1973.
4.8-3. "Seabrook Final Safety Analysis Report," Public Service Company of New Hampshire, Section 3.5, Amendment 45.

5.0 SUMMARY AND CONCLUSIONS

This chapter provides a summary of the results of the review and a description of the conclusions. It is important to note that the entire review effort, and thus also these conclusions, are necessarily subject to a number of significant limitations, the principal one being that the review is based almost entirely on the documentation contained in the SSPSA and the FSAR. These were the only documents relevant to Seabrook that were available early enough in the project to be thoroughly reviewed. Other documents considered essential to perform a comprehensive review, such as written procedures delineating operator actions in various accident scenarios, and details of system design and operation not included in the SSPSA and FSAR, were not available during the course of the review. Although this material had been requested from PSNH early in the review, there was no response until near the completion of this draft report. The limited information contained in that response could not be considered in the review effort or incorporated herein, except for a tornado missile analysis and some of the seismic fragility calculations. In addition, no response was received to a set of questions submitted to PSNH covering numerous subject areas important, or potentially important, to the results, so that our conclusions were necessarily made without that information. A single plant visit in late August 1984 was useful and provided valuable information to the reviewers, but it could not substitute for missing documents and answers to detailed technical questions.

The lack of cooperation by PSNH with the review effort significantly complicated and hindered the review process and made it impossible to reach meaningful conclusions in several areas of the review.

5.1 PROBLEMS AND OMISSIONS

The review identified numerous problems and omissions in the SSPSA, none of which were found to make significant contributions to the frequency of core melt, but some of which we believe to be important and noteworthy. The single most important problem may be described as the general inscrutability of the overall analysis to the review process. We have listed below, as examples, a few of the items from the internal events analysis that we consider important: some of these are essentially descriptions of the causes of the inscrutability we perceive in the SSPSA; others address specific problems in the analysis. We must also note, however, that it is possible some of these might have been resolved in meetings and/or discussions with PSNH, or in documentation that could have been provided by them. Additional discussion of these items is included in the appropriate sections of this report.

1. Two support system initiators were insufficiently evaluated:

   Loss of a single Vital 120 VAC bus (instrument AC)
   Loss of a single service water or component cooling train

2. Too many classes of general transient initiators diluted the sequence contributions and masked insights.

3. Too much credit was taken in the SSPSA for isolable small LOCAs which resulted in a too small isolable small LOCA frequency.

4. The documentation of the bases for many of the assumptions used in the event tree/success criteria analysis was inadequate.

5. The event tree models utilized too many top events, and those selected were not at the same level of detail. The result was too many sequences, and trees which were useless for engineering insights. Dominant contributors were seriously diluted, resulting in the absence of clear indications of dominance.

6. Event trees were often complicated by the inclusion of extraneous decision points which did not significantly affect the final outcome of a sequence (in a phenomenological sense).

7. Too much credit was taken for operator actions which avoided the need for recirculation during SLOCA (or similar) events, and for other operator actions which were used to delay core melt.

8. There appeared to be a lack of understanding of the important phenomenological aspects of Steam Line Break (SLB) inside containment, SGTR, and ATWS, which resulted in seriously flawed models.

9. Too much credit was given to the ability of the RCP seals to remain virtually intact in the absence of cooling. This greatly extended the time available to respond to station blackout, greatly reducing the contribution of this event.
10. The human factors analysis is not well documented, so that the results are not verifiable/reproducible.
11. Errors of commission due to operator misdiagnosis of plant conditions were not adequately treated.
12. The SSPSA results are subject to the limitation that the support state methodology used is highly dependent on the ability of the analysts to recognize any subtle interfaces or interactions within or between the systems, without the help of an integrated fault tree/event tree model. We find that it is extremely difficult, if not impossible, to verify that all of these subtleties have been properly treated.

5.2 TREATMENT OF UNCERTAINTY

The SSPSA treats uncertainty in a distributed fashion in numerous sections of the report. The different parts of the model for which uncertainty is considered include: the radionuclide release analysis, the consequence calculations (part of site model analytical procedure), matrix operations, beta factors (for common cause failure), failure pressure of gross containment failure modes, release categories, containment failure, risk significant containment sequences (part of containment event tree quantification), site matrix uncertainty, and quantification (part of risk assembly and decomposition). The SSPSA also describes methods for discussing uncertainty, and provides the mathematical background for the propagation of uncertainties. Since our review does not include the containment and site model portions of the SSPSA, we have excluded these portions of the uncertainty treatment from our review.

SSPSA Appendix Sections A.1.5 and A.3 present a fundamental mathematical introduction to the concepts of the probability of frequency and the propagation of uncertainty. An example of a risk curve in probability of frequency format is explained. Combining probability distributions is accomplished through any of three methods. These methods include Monte Carlo, moments, and discrete probability distributions (DPD). The DPD method is the most frequently used method in the SSPSA. The DPD method defines a set of doublets which represent a discrete approximation to a continuous probability density function. The DPD is chosen to represent the state of knowledge with respect to a particular variable, and is suited for easy use in numerical procedures. However, when the operations are performed on wide distributions, the Monte Carlo method becomes more practical.

SSPSA Sections 4.6.4 and 13.1.2 describe the propagation of uncertainties through the various Seabrook models within the context of the matrix manipulations used to obtain point estimates. These point estimates are the sole quantification of the many billions of event sequences considered. The quantification of the uncertainty in the risk curves is accomplished by separately modeling the propagation of uncertainties in the core melt frequency, the frequency of each plant damage state, and the frequency of each release category. Only dominant contributors are considered in the uncertainty calculations. These contributors are found with the MAXIMA computer program, which performs a search and prioritization of accident scenarios through the plant model using information generated in the quantification of the event trees. Probability distributions that describe the uncertainty in the frequency of each element of an accident sequence are derived using the DPD method. These results are input to the STADIC computer program which uses a Monte Carlo error propagation procedure to calculate the probability distribution of the core melt frequency. The uncertainty propagation for the release category frequencies is also modeled using a Monte Carlo procedure. Finally, the quantification of uncertainty in the risk curves is accomplished by combining uncertainty distributions in the release category frequencies with those in the site matrices using the DPD method embodied in the MXDPD computer program.

SSPSA Section 6.3.2.2 discusses the treatment of uncertainty in choosing a beta factor for common cause failure analysis. The two causes of uncertainty identified are: (1) uncertainty arising from the limited size of the data sample upon which the beta factor is based; and (2) ambiguity in the failure data description which hinders classification as independent or dependent failure. Both of these uncertainty sources are adequately handled using a Bayesian approach.
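The two techniques described in Sections 4.8 and 5.2 (a lognormal distribution built from 5th and 95th percentile bounds, and discrete probability distributions combined as a product of three factors) are sketched below. This is an added illustration, not code from the SSPSA or from this review; every numerical input and every function name is a constructed assumption.

```python
import math
from statistics import NormalDist

STD = NormalDist()                 # standard normal
Z95 = STD.inv_cdf(0.95)            # about 1.645

def lognormal_from_bounds(p05, p95):
    """(mu, sigma) of ln X for a lognormal with the given 5th/95th percentiles."""
    mu = 0.5 * (math.log(p05) + math.log(p95))
    sigma = (math.log(p95) - math.log(p05)) / (2.0 * Z95)
    return mu, sigma

def lognormal_dpd(mu, sigma, n=20):
    """Discretize into n equal-probability doublets (value, probability).
    Each value is the conditional mean of its bin, so the mean of the DPD
    equals the exact lognormal mean exp(mu + sigma^2 / 2)."""
    mean = math.exp(mu + 0.5 * sigma ** 2)
    edges = [-math.inf] + [STD.inv_cdf(i / n) for i in range(1, n)] + [math.inf]
    dpd = []
    for za, zb in zip(edges, edges[1:]):
        p = STD.cdf(zb) - STD.cdf(za)
        x = mean * (STD.cdf(zb - sigma) - STD.cdf(za - sigma)) / p
        dpd.append((x, p))
    return dpd

def condense(pairs, max_points):
    """Merge sorted doublets into roughly max_points bins of similar
    probability; each bin keeps its probability-weighted mean value."""
    if len(pairs) <= max_points:
        return pairs
    target = sum(p for _, p in pairs) / max_points
    out, acc_p, acc_xp = [], 0.0, 0.0
    for x, p in pairs:
        acc_p += p
        acc_xp += x * p
        if acc_p >= target:
            out.append((acc_xp / acc_p, acc_p))
            acc_p = acc_xp = 0.0
    if acc_p > 0.0:
        out.append((acc_xp / acc_p, acc_p))
    return out

def dpd_multiply(a, b, max_points=50):
    """Product of two independent DPDs: all pairwise products, then condensed."""
    pairs = sorted((x * y, p * q) for x, p in a for y, q in b)
    return condense(pairs, max_points)

def dpd_mean(d):
    return sum(x * p for x, p in d)

def dpd_percentile(d, q):
    """Smallest value whose cumulative probability reaches q."""
    acc = 0.0
    for x, p in sorted(d):
        acc += p
        if acc >= q:
            return x
    return max(x for x, _ in d)

def initiating_event_frequency():
    """Generation frequency x P(strike | missile) x P(failure | strike).
    All inputs below are constructed for illustration only."""
    mu, sigma = lognormal_from_bounds(1.0e-6, 1.0e-4)    # bounds, per year
    generation = lognormal_dpd(mu, sigma, n=20)
    strike = [(1.0e-3, 0.3), (1.0e-2, 0.5), (5.0e-2, 0.2)]
    failure = [(0.1, 0.5), (0.5, 0.5)]
    return dpd_multiply(dpd_multiply(generation, strike), failure)
```

With bounds two decades apart the mean of the result sits well above its median, which is why a point estimate taken at the median understates a widely uncertain frequency.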

The PRA Procedures Guide (NUREG/CR-2300) lists three sources of uncertainty which arise in system and plant models. These are labeled data uncertainty, model uncertainty, and completeness uncertainty.

Data uncertainty includes uncertainty in the failure rate of components, the probability of failure on demand, and the unavailability due to test or maintenance. The SSPSA adequately handled data uncertainty by defining discrete probability distributions and propagating them through the system models using the DPD method.

Model uncertainty includes uncertainty in the choice of the particular mathematical model used to represent a system and in the parameters used in that model. Uncertainties in the model are not considered important and were not treated in the SSPSA. Model parameter uncertainties are treated along with data uncertainties.

Completeness uncertainty arises from the incomplete treatment of various plant considerations such as the list of initiating events, the contributors to system failure, the identification of accident sequences, the definition of plant damage states, and the proper accounting of systems interactions and human errors. This is very difficult to quantify; however, sensitivity analyses can be performed on the important assumptions for each of the above categories to help achieve a qualitative perspective on the uncertainty. Some brief sensitivity studies are occasionally alluded to in the SSPSA systems analyses, but they are not presented. Much more could have been done in this area.

5.3 OVERALL EVALUATION OF SSPSA

The overall results presented in the SSPSA are briefly outlined below.

  • The risks described in the SSPSA are low, but the core melt probability is larger than the NRC's proposed safety goal.
  • A large number of accident sequences contribute to the total core melt probability. The single most dominant sequence contributes less than 15% of the total, and the top 27 contribute just more than 50% of the total.
  • The V-sequence accident totally dominates the risk of early fatalities.
  • External events are not important risk contributors, in contrast to other recent PRA results (e.g., Zion, Indian Point, Oconee (NSAC/utility analysis), Millstone-3).
  • The most important initiating event in terms of core melt probability is loss of offsite power.

An examination and review of the dominant sequences identified in the SSPSA was performed in light of the various concerns that have been identified in Chapters 3 and 4 herein for internal and external events. This examination was necessarily limited by our inability to reconstruct and reevaluate the event trees with consideration of these concerns, and to then compare the new results to the SSPSA results. It was not possible to perform this evaluation and comparison because of the lack of cooperation by PSNH, and the absence of important and necessary information (including answers to technical questions).

We have nevertheless made the judgement that the dominant sequences presented in the SSPSA generally appear to be reasonable (although conservative) in a quantitative sense. That is to say that we would expect to find that the quantitative results of a new evaluation would not find the probability of core melt to be significantly larger than described in the SSPSA, because of the generally conservative quantitative approaches and assumptions incorporated in many places in the SSPSA.

We are unable to make a similar statement about the qualitative results for the many reasons described elsewhere in this report. Significant differences in the operator actions/errors involved in the event trees, differences in success criteria that we have suggested, and the use of less complex event trees are believed likely to provide different qualitative results, and therefore different insights.

These judgments, of course, cannot be substantiated without the performance of a new qualitative and quantitative (simplified) evaluation which incorporates the differences we have identified. These judgements are provided here to convey the best overall sense of the observations we have made in the course of the review.

DISCLAIMER

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California and shall not be used for advertising or product endorsement purposes.

Work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract W-7405-Eng-48.}}