ML20209D518
| ML20209D518 | |
| Person / Time | |
|---|---|
| Issue date: | 08/26/1986 |
| From: | Stolz J Office of Nuclear Reactor Regulation |
| To: | Tucker H BABCOCK & WILCOX OPERATING PLANTS OWNERS GROUP, DUKE POWER CO. |
| References | |
| RTR-NUREG-CR-4405 NUDOCS 8609090340 | |
| Download: ML20209D518 (1) | |
Text
yyn 6.~ ol L '
~
. August 26, 1986 Mr. Hal B. Tucker, Chairman lISTRIBUTION Babcock & Wilcox Owners Group (Tocket File) ACRS-10 Duke Power Company NRC PDR EJordan P. O. Box 33189 L PDR JPartlow 422 South Church Street PBDf6 Rdg RIngram Charlotte, North Carolina 28242 R41raglia NThompson 0GC CMcCracken
Dear Mr. Tucker:
Gray File BGrimes
SUBJECT:
REPORTS ON PRA INSIGHTS Enclosed are two draft reports concerning technical insights gained from Probabilistic Risk Assessments (PRAs). These reports are the outcome of an ongoing effort to make available and utilize in numerous technical and managerial activities the information in probabilistic risk assessments regarding the factors which dominate the risk associated with nuclear power plants. This effort includes identification of the features of design or operational.
practices which have been found to be important to safety in the types of plants which have been subjected to risk assessments. In addition, the section on insights into PRA methodologies focuses on areas which are sensitive to the results and the overall perception of plant weaknesses and vulnerabilities.
In particular, these reports contain discussions of: general insights on plant strengths and weaknesses gained from PPAs; the contribution to core melt frequency from classes of sequences induced by various initiating events; a modifications, both hardware and procedural, which have been implemented to -
address problems identified in the conduct or as a result of PPAs; insights into PRA methodologies; and the contribution to measures of risk (core melt frequency and consequences of radioactive releases) from systems, components and events.
These reports will be published in their final forms.in approximately two months. These reports are being provided to the B&W Owners Group, as well as all B&W nuclear power plant licensees, in adunce of formal publication for your information. If, after reviewing these reports, the B&W Owners Group wishes to provide comments to the staff, please provide them by October 1,'1986.
Sincerely, "wrotux. staw at JouW J. stuu.*
John F. Stolz, Director PWR Project Directorate #6 Division of PWR Licensing-B
Enclosures:
As Stated cc w/ enclosures:
See n t page WPaulson;cf
[Pk
'tfssing PBD-6[
CMcCric en Ph JStf y /g /86 f/F/86 g/g/86 {/g/6(6 l
8609090340 860826 PDR TOPRP ENVDW C pop
I k }l NUREG/CR-4405 BNL/NUREG-51931 PROBABILISTIC RISK ASSESSMENT (PRA) INSIGHTS R. FITZPATRICK, L. ARRIETA, T. TEICHMANN, P. DAVIS -
igM fY iy -
QUl (lk .
DATE PUBLISHED - DECEMBER 1985 l
DEPARTMENT OF NUCLEAR ENERGY l BROOKHAVEN NATIONAL LABORATORY UPTON, NEW YORK 11973 I
PREPARED FOR U.S. NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555
.BNL-NUREG-51931 PROBABILISTIC RISK ASSESSMENT (PRA) INSIGHTS R. FITZPATRICK, L. ARRIETA, T. TEICHMANN, P. DAVIS
- MANUSCRIPT COMPLETED - NOVEMBER 1985 DATE PUBLISHED - DECEMBER 1985 DEPARTMENT OF NUCLEAR ENERGY BROOKHAVEN NATIONAL LABORATORY -
UPTON, NEW YORK 11973
'INTERMOUNTAIN TECHNOLOGIES, INC.
! PREPARED FOR U.S. NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555
- CONTRACT NO. DE-AC02-76CH00016 FIN A-3796 i
L
1 ABSTRACT -
l Four different probabilistic risk assessments (PRAs) have been briefly ;
reviewed with the broad objective of ascertainin insights might be '
gained (beyond those alreacty documented in the PRAs)g .by an what independent evalua-tion. This effort was not intended to verify the specific details and results of each PRA but rather, having accepted the results, to see what they might mean on a plant-specific and/or generic level. The four PRAs evaluated were those for Millstone 3, Seabrook, Shoreham, and Oconee 3. Full detailed re-views of each of these four PRAs have been commissioned by the NRC, but only two have been completed and available as further input to this study: the re-view of Millstone 3 by LLNL and the review of Shoreham by BNL.
The review reported here focused on identifying the dominant (leading) initiators, failure modes, plant systems, and specific components that affect the overall core melt probability and/or risk to the public. In addition, the various elements of the methodologies enployed by the four PRAs are discussed and ranked (per NUREG/CR-3852). PRA-specific insights are presented within
- the report section addressing that PRA, and overall insights are presented in the Summary.
?
1
]
4 e ..
4 t
l l
111
- . -~
1 TABLE OF CONTENTS -
Page A85 TRACT............................................................
LIST OF FIGURES.....................................................
iii vii LIST OF TABLES.................................................
AC KNOWLE D GME NTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
EX EC UTI VE S UMMAR Y . . . . . . . . . . . . . . . . . . . . . .. .. . .. xi. .i i. . . . . . . . . .
. INTR 00VCTION....................................................... 1
- 1. INSIGHTS FROM THE MILLSTONE 3 PROBABILISTIC SAFETY STUDY........... 1-1 1.1 In t r odu ct i on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 - 1 1.2 Internal Events............................................... 1-1 1.2.1 Overall Results........................................ 1-1 1.2.2 Dominant Sequences..................................... 1-5
- 1.2.3 Initiating Events...................................... 1-5 1.2.4 System and Component Failures and Failure Modes........ 1-5 1.3 External Events.................................... 1-22 References......................................................... ........... 1-27
- 2. INSIGHTS FROM THE SEABROOK STATION PROBABILISTIC SAFETY ASSESSMENT. 2-1 2.1 I n t r o du ct i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 - 1 2.2 In t e r n a l E ve nt s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 2.2.1 Overall Results........................................ 2-1 2.2.2 Domi na nt Sequ en ce s . . . . . . . . . . . . . . . . . . . .~. . . . . . . . . . . . . . . . . 2- 1 2.2.3 Initiating Events...................................... 2-6 2.2.4 System and Component Failures and Failure Modes........ 2-6 2.3. External Events...................................... ........ 2-21 References................................................ ........ 2-24 i
- 3. INSIGHTS FROM THE SHOREHAM PROBABILISTIC RISK ASSESSMENT........... 3-1 3.1 I n t r o du c t i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 1 j 3.2 Internal Events............................................... 3-1 j 3.2.1 Ove ra l l Re su l t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 i
3.2.2 Dominant Sequences..................................... 3-5 3.2.3 Initiating Events...................................... 3-5 3.2.4 System and Com 3-5 3.3 R1sk.................ponent Failures and Failure Modes........
................................. ....... 3-22 References................................................. ....... 3-22
- 4. INSIGHTS FROM THE OCONEE 3 PROBABILISTIC RISK ASSESSMENT........... 4-1 l 4.1 Introduction..........................................mm... .. . 4-1
' ' 4.2 In t ern a l Event s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 4.2.1 Overall Results........................................ 4-1 4.2.2 Domi n a n t Sequ en ce s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 4.2.3 Initiating Events...................................... 4-4 4.2.4 System and Component Failures and Failure Modes........ 4-4 y
I. ._ _ _ __. - - - - - - - - - - - - - - ---
Page 4.3 Ext er n a l E ve nt s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12 4.4 Risk............................. ............................ 4-20 References............................ ............................ 4-20 l 5.
DISCUSSION AND RANKING OF THE VARIOUS ELEMENTS OF THE METHODOLOGIES. 5-1 i
5.1 I n t r o du ct i on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5- 1 5.2 Discussion of the Elements of the Methodologies............... 5-1 5.2.1 Identi fi cation of Ini tiating Events. . . . . . . . . . . . . . . . . . . . 5-1
! 5.2.2 Estimation of Frequency of Initiating Events........... 5-2 5.2.3 Event Tree Modeling Technique.......................... 5-2 5.2.4 Aggregation of Initiating Events....................... 5-3 5.2.5 Hardwired System Dependency Analysis................... 5-3 5.2.6 Sys t em Interacti on Analysi s . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 i 5.2.7 Treatment of the Post-Accident Heat Removal Phase...... 5-5 i
5.2.8 Evaluation of Human Errors During Normal Operation..... 5-6
' 5.2.9 Evaluation of Human Errors Durin -
5.2.10 Common Mode Analysi s . . . . . . . ...................... . . . . .g an Acci dent. . . . .5-7 . . . . . 5-6
- 5. 2.11 Treatment o f Recovery . . . .~. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 5.2.12 Modeling of AC Power Systems........................... 5-8 5.2.13 Modeling of Logic (Actuation S i 5.2.14 Common Cau s e . . . . . . . . . . . .........................
. . . . ) . .yst ems . . . . . . .5-10 . . . . . . . . . . . 5-9 5.2.15 Component Reli abil i ty Data Base. . . . . . . . . . . . . . . . . . . . . . . . 5-10
' 5.2.16 Use of* Demand Failure Probabilities.................... 5-11 5.2.17 Use of Means Versu s Use of Medians . . . . . . . . . . . . . . . . . . . . . 5-12 l 5. 2.18 System Su cces s Criteri a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12 l 5.2.19 Treatment of Test and Maintenance Outages.............. 5-13
! 5.2.20 En vi ronmental Qu al i fi cati on. . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
) -
5.2.21 External Event Methodol ogy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14 i
- 5. 2. 22 S ou r ce Ter ms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5- 17 i 5.3 Comparison and Ranking of PRA Methodologies for the Four j
- l P1 ants........................................................ 5-18
{ 6.
SUMMARY
..............................................'.............. 6-1 i
Appendix A: DETERMINATION OF LATENT FATALITY RISK (AT >1000 i
FATALITIES) CONTRIBUTION FOR SEA 8R00K...................... A-1 -
1 s
O i
1 f
4 vi i
i i
I
l I
l LIST OF FIGURES -
Figure Page 1.1 Comparison of Millstone 3 early fatality risks, external vs internal events................................................ 1-3 1.2 Comparison of Millstone 3 latent fatality risks, external vs i n t e r n al e ve n t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 2.1 SSPSA ri s k of early fata11 ti es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 2.2 Risk of latent cancer fatalities (other than. fatal thyroid cancers)....................................................... 2-3 4.1 Oconee Unit 3 risk curves for all internal initiating events:
(a) latent-cancar fatlaities and (b) early fatalities.......... 4-21 4.2 Oconee Unit 3 risk curves for external initiating events (modified plant): (a) latent-cancer fatalities and~(b) earl fatalities..................................................y . ... 4-23 "- ? :
f i
4 l
0 vii -
-- - - - . = - . - - ~. . -
LIST OF TABLES -
Table Page
- 1.1 Mi ll stone 3 Transi ent Ini ti ator Li st. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 1.2 Millstone 3 Dominant Accident Sequences Contributing to Core Melt, Early Fatalities, and Latent Fatalities for Internal Events...... 1-6 1.3 Initiating Event Categories - Contribution to Core Melt Probabi li ty (Internal Events 0nly ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8 1.4 System and Component Failure Contributions to Millstone 3
' Sequences Dominating Core Melt Probability (Internal Events 0nly)............................................................1-9 1.5 System and Component Failure Contributions to Millstone 3 Sequences Dominating Latent Fatality Risk (Internal Events Only). 1-14 1.6 System and Component Failure and Failure Mode Contributions to Core Melt Probability (Internal Events 0nly)...... ... . . . .. . .. ... . 1-15 1.7 System and Component Failure Contributions to Latent Fatalit Ri sk ( Interna l Event s 0n ly ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .y..... 1-18 i
1.8 Summary of System and Component Failures and Failure Mode
- Contri butions to CMP (Internal Event 0nly) . . . . . . . . . . . . . . . . . . . . . . . 1-20 1.9 Summary of System and Cogonent Failures and Failure Mode
- Contributions to Latent Fatlaity Risk (Internal Events Only)..... 1-23 1.10 External Event Initiators Considered in the PSS.................. 1-24 1.11 Summary of External Event Risks from Seismic Events for Millstone 3...................................................... 1-24 1.12 Summary of External Event Ri sks from Fires . . . . . . . . . . . . . . . . . . . . . . . 1-26
) 2.1 Sea brook Trans ient Ini ti ator Li st. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 1 2.2 Seabrook Dominant Accident Sequences Contributing to Core Melt, j Early Fatalities, and Latent Fatalities for Internal Events...... 2-4
- 2.3 Dominant Accident Sequences Grouped by Initiating Event
! ( Int ernal E vent s 0n ly ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7 i 2.4 System and Component Failure Contributions to Seabrook Sequences i
Dominating Core Melt Probability (Internal Events Only).......... 2-8 l 2.5 System and Compo'nent Failure Contributions to Seabrook Sequences
' Dominating Latent Fatality Risk (Internal Events Only)........... 2-13 2.6 System and Component Failure and Failure Mode Contributions to Core Melt Probability for Seabrook (Internal Events Only)........ 2-14
! 2.7 System and Cogonent Failure Contributions to Latent Risk for
.Seabrook (Internal Events 0nly).................................. 2-17
! 2.8 Summary of System and Cogonent Failures and Failure Mode
! Contributions to CMP for Seabrook (Internal Events Only)......... 2-18
! 2.9 Summary of System and Cogonent Failures and Failure Mode
! Contributions to Latent Fatality Risk for Seabrook (Internal l
E ve n t s 0n ly ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 - 2 0 2.10 External Event Initiators Considered in the SSPSA for Seabrook... 2-22 2.11 Summary of External Event Risks from Seismic Event for i
Seabrook..........................................s............... 2-23 2.12 Summary of External Event Risks from Fires for Seabrook.......... 2 23 3.1 Summary of the Categories of BWR Transients Used in SNPS-PRA..... 3-2 3.2 Other Postul ated Low Frequency Transients . . . . . . . . . . . . . . . . . . . . . . . . 3-4 3.3 Leading Sequences for Contribution to CMP from Shoreham PRA and i
B NL Revi ew ( Internal Event s ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 3.4 Accident Sequences for Shoreham Grouped by Initiating Event &
l Ti mi n g ( Int e rn a l 0n ly ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
' viti ,
i
Table Page 3.5 Initiating Event Categories Contribution to Core Melt (Internal). 3-13 3.6 System and Congonent Failure Contributions to Shoreham Leadin Seq u e n c e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . 3-14
........gCM 3.7 Total System and Component Failure Contributions from Leadin Cu t Se t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .....
..g 3-19 3.8 Failure Mode Contribution to CMP from Leading Cut Sets........... 3-21 3.9 System Contribution to CMP from Leading Cut Sets................. 3-21 3.10 Component Contribution to CMP from Leading Cut Sets.............. 3-21 3.11 Summary of Release Parameters for Ex-Plant Consequences.......... 3-23 3.12 Summary of Shoreham Release Categories with Potentially Severe Radi ol ogi ca l Ig a ct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24 3.13 Description of the Severe Release Cate Shoreham PRA. . . . . . . . . . . . . . . . . . . . ............................
. . . . .gori es Identi fi ed by the3-25 4.1 Internal Initiating Events for the Oconee PRA.................... 4-2 4.2 Leading Sequences for Contribution to CMP - Oconee 3 (Internal 4.3 Events).......................................................... 4-5 Mean Annual Core Melt Frequencies for Internal Initiating Events. 4-7 4.4 Internal Initiating Event Categories--Contribution to Core Melt Probability............... ...................................... 4-7 4.5 System and Component Failure Contributions to Oconee 3 Sequences Dominating Core Melt Probability (Internal Eventt)............... 4-8 4.6 Total System and Cogonent Failure Contribution to CMP from Le a d i n g Sequ e n ce s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4- 11 4.7 Failure Mode Contribution to CMP from Leading Sequence / Cut Sets -
. (0conee)...;..................................................... 4-13 4.8 System Contribution to CMP from Leading Sequence / Cut Sets 4.9 (0conee)......................................................... 4-13
! Cog onent Failure Contribution to CMP from Leading Sequence / Cut i
Sets............................................................. 4-13 l 4.10 Mean Annual Core Melt Frequencies for External Initiating Events. 4-14 4.11 Ext er n a l Event s - 0conee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15 l 4.12 Summa ry of Oconee Rel ease Categori es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23 4.13 Summary of Consequence Ranges for Which Release Cate Af fect Ri sk Cu rves . . . . . . . . . . . . . . . . . . . . . . . . . . .............. . . . . . . . gori es4-24 i 5.1 Comparison and Ranking of PAA Methodologies for Four Plants...... 5-19 j A.1 Contribution of Release Categories to Risk of Latent Cancer
- Fatalities for Seabrook........................................... A-3 i A.2 Contribution of Release Categories to Plant Damage States......... A-3 A.3 Contribution of External Events to Seabrook Plant Damage States... A-4 l
3 C
l ix 3
~_
ACKNOWLEDGMENTS This work was performed for the Reliability a,d Risk Assessment Branch (RRAB) of the U.S. Nuclear Regulatory Connission. Ms. Sarah Davis of RRAB was the technical monitor of the Project. The authors would like to acknowledge the guidance and constructive connentary provided by Ms. Davis throughout this effort. The authors would also like to express their appreciation to Cheryl Conrad, Nancy Nelson, and Sheree Flippen for their untiring efforts in coordi-nating and typing this document.
I e
9 O
ge e e
i 9
e xi
, . . s. .
~
, : . ...,,. 2 EXECUTIVE
SUMMARY
This review of four probabilistic risk assessments (PRAs) with the goal of gaining insights into nuclear plant safety, nuclear plant vulnerabilities, and PRA methodologies was conducted by Brookhaven National Laboratory (BNL) under the sponsorship of the U.S.. Nuclear Regulatory Commission. The four PRAs under investigation are those for Millstone 3, Seabrook, Shoreham, and Oconee 3. This effort was not intended as a vehicle for verifying the specif-ic details and results of these PRAs, but rather -- having accepted the re-sults of the. PRAs -- for ascertaining what the results might mean on a plant-specific and/or generic basis. For two of the four PRAs, those for Millstone '
3 and Shoreham, NRC-sponsored reviews had been cogleted and documented, and i these were utilized in the effort; for the other two, the reviews had not been cogleted.
This review focused on identifying the dominant (leading) initiators, failure modes, plant systems, and specific cogonents that affect the overall core melt probability and/or risk to the public. Each PRA was analyzed with respect to these items, and plant-specific insights were drawn from the re-suits. In addition, the various elements of the methodologies egloyed by the four PRAs were discussed and ranked (per NUREG/CR-3852, " Insights into PRA Methodologies").
l Perhaps the most igortant insight with respect to nuclear safety was the i following, derived from the Oconee PRA:
4
, s
. The core melt probability and public risk associated with the inter-i .
facing systems LOCA (event V), as demonstrated in the Oconee PRA, can be substantially reduced by appropriate selection of operating config-uration and testing procedures and prohibition of testing of the in-terfacing valves with the reactor at power / pressure.
The following are other overall insights gained from this study.
(Plant-specific insights are discussed in connection with each PRA).
All four PRAs were carried out with numerous refinements over the WASH-1400 effort and have yielded more realistic results.
. The core melt error bounds) for probability three ofdue thetoplants internal events and is identical relatively (within close for the I
fourth (Seabrook).
l With the possible exception of the low pressure service water system initiator at Oconee, none of the PRAs shows any internal events to be
" outliers."
The dominant risk sequences represent only a > mal.1_fcact.f on-(typically less than 1%) of the total contribution to core melt probability (CMP) and are characterized by loss of the containment function due to di-rect bypass or overpressurization.
( .
In the two PRAs (Millstone and Seabrook) which specifically documented risk contribution by sequence; interfacing systems LOCA represents Xiii
l , .. . .
l l
l '
fer 98% of the total contribution to early fatalitfes. Although not specifically quantified, the Shoreham PRA appears to identify large LOCA with early suppression pool failure as its leading contributor to eary fatalities.
The leading contributors to latent fatalities would appear to be in-terfacing systems LOCA, large LOCA with early containment failure, station blackout greater than six hours and RCP seal LOCA.
The Shoreham PRA insights listed in Section 3 are driven to a large extent by, one major assugtion within the PRA. The PRA has adopted a generic failure to scram probability from NUREG-0460 and assumes the common mode failure of the control rods to insert to be the only con-tributor. The PRA states that a Shoreham-specific analysis was done and that the results were on the order of 25% lower than the NUREG but l were not user' in .the study. Had these results been used, the CMP as l well as the dominant sequences, failure modes, system failures, and
} conponent failures would all be affected.
l l .
The various plant PRAs show wide variance as to what internal accident i initiators dominated the CMP. For Shoreham boiling water reactor i (BWR), anticipated transient without scram (ATWS) dominated and loss
, of coolant accidents (LOCAs) were insignificant. For Oconee, LOCAs l contributed approximately 30% of the CMP and a large LOCA contributed )
1.5 times as such as a small LOCA. Even the two Westinghouse plants 1 (Seabrook and Millstone) were considerably different from one anoth-er. The Seabrook and the Millstone PRAs both found the CMP contribu-tion of a small LOCA greater than large LOCA,,but a small LOCA contri-i buted 11% in Seabrook and 24% in Millstone.
. The CMP and the percentage contribution from internal and external initiators are shown below for the four PRAs analyzed.
l Total Core Melt Contribution from Contribution from l Probability Internal Initiators External Initiators l Plant (CMP) (%) (%)
i Millstone 5.89E-05 76.4 23.6 l
l Seabrook 2.30E-04 80.0 20.0 l Oconee 2.54E-04 21.3 78.7 Shoreham 5.50E-05 100.0 *
- The study did not consider external events. '
The main insight drawn from these results is that the usual percentage breakdown of the contribution of internal versus external initiators of about 80/20 was fully. reversed in the 0:onee study. The Oconee results are for the modified plant; the external initiator dominance (mainly internal floods) was even more dominant in the original plant.
xiv
INTRODUCTION This report summarizes the findings of an. investigation of four probabil-istic risk assessments (PRAs), those for Millstone 3, Seabrook, Shoreham, and Oconee 3, performed by Brookhaven National Laboratory (BNL) for the Reliabili-ty and Risk Assessment Branch of the U.S. Nuclear Regulatory Commission. The objectives of this work were 1) to identify and rank initiators, systems, com-ponents, and failure modes from dominant accident sequences according to their contribution to core melt probability and public risk; 2) to break down the various elements of the methodologies employed and evaluate and rank them in accordance with the guidelines of NUREG/CR-3852, " Insights into PRA Methodol-ogies"; and 3) to derive from this process plant-specific, methodological, and generic insights. This effort was not intended to verify the specific details and resul;s of each PRA but rather -- having accepted the results -- to see what they might mean on a plant-specific and/or generic basis. The NRC has sponsored full detailed reviews of each of these PRAs, but only two, those for Millstone 3 and Shoreham, were cogleted and fully documented in time to allow their incorporation into this effort.
t Millstone 3 was in its latter phases of construction when the PRA was conpleted. It is a Westinghouse pressurized water reactor (PWR) and shares a coastal Connecticut site .with two other operating nuclear power plants, Mill-stone 1, a General Electric boiling water reactor (BWR), and Millstone 2, a Combustion Engineering PWR. Section 1 of this report presents an analysis of the dominant accident sequences with respect to core melt probability (CMP) and public risk, provides a breakdown of initiators, failure modes, systems, and conponents related to the dominant sequences, and lists the insights de-rived from this effort. ,
Seabrook was also in a construction phase when its PRA was completed.
It is a Westinghouse PWR, located on a coastal New Hampshire site. Section 2 provides a review analogous to that for Millstone but with the major differ-ence that, since internal and external initiating events were not separated in the Seabrook PRA, they were however separated in this report to be consistent with the other report sections. Because of the format of the results in this PRA, the contribution to latent fatalities from external events could not be ascertained in a straightforward way; the nethod used to determine it is de-scribed in Appendix A.
Shoreham also was in a construction phase when the PRA was completed.
It is a General Electric BWR, located on Long Island, New York, on the coast of Long Island Sound. Section 3 provides a review analogous to that for Mill-stone with the following differences: 1) the Shoreham PRA considered only one external initiating event, flooding at level 8 in the reactor building, and combined this with the internal events, and 2) it stopped short of a public risk assessment by providing only the expected radiological releases by re-lease category.
Oconee 3, a Babcock & Wilcox PWR/ is the only fully operational plant of the four in this study. It shares an inland site in South Carolina with two other nuclear power plants, Oconee 1 and Oconee 2, that are essentially iden-tical to it. Unique features here include a dam and reservoir at the site and an earthen dam upstream of the site. Since the lower levels of the turbine building are below the level of the reservoir, turbine building flooding is 1 .
the dominant core melt initiator for this plant. Section 4 provides a review of the Oconee 3 PRA analogous to the others.
In Sections 1 through 4 of this report, insights have been derived on a plant by plant (PRA by PRA) basis. Insights derived by any of the PRAs or their reviews (where available) were, to the extent practicable, not repeated here.
In Section 5 the four PRAs are compared in terms of the various method-ologies applied by each to accomplish the same goals. Table 5.1 explicitly ranks each PRA per NUREG/CR-3852, " Insights into PRA Methodologies," and iri-cludes some additional categories. The latter were added in the evaluation of the methodologies by the project team to provide greater breadth to the com-parison and include some aspects of external events, a subject not addressed in the NUREG report.
Section 6 provides a brief summary of the effort and lists the insights derived from the four PRAs taken as a whole, and those from the individual PRAs that were thought to be worth highlighting. -
O s e O
2
.. ~..
- 1. INSIGHTS FROM THE MILLSTONE 3 PROBABILISTIC SAFETY STUDY
' 1.1 Introduction This section presents an overview of the results from the Millstone 3 Probabilistic Safety Study (PSS)1 and selected insights derived from these re-sults. It also includes comparative results and insights from a review of the PSS performed by Lawrence Livermore National Laboratory (LLNL) for the NRC.2 It is not the purpose of this effort to review the PSS or to judge the validi-ty of the LLNL review. Rather, the results from both the PSS and the LLNL re-view are used as is, and the insights are based entirely on these results.
Following a brief overview o'f the PSS and LLNL results, the leading acci-dent sequences contributing to both core melt probability and risk (of early and late fatalities) are examined in detail to obtain the following insights:
Relative significance of initiating events.
System and component failure contributions to leading accident sequen-
- ces.
Failure mode (i.e., human error, random, dependent, etc.) contribu-tions to leading accident sequences.
' In conjunction with these insights, additional perspective is provided, as appropriate, regarding the relative significance of leading sequences and the different characteristics of the accident sequence " mix" for core melt probability and risk., . ,
~
The results for internal and external accident initiating events are con-sidered separately. This is in accordance with discussions in the PRA refer-ence document 3 and is also consistent wil;h a similar separation in the PSS l itself.
1.2 Internal Events This section presents results and insights from internal initiating events. Internal initiators are defined in the PSS as loss-of-coolant acci-dents and transients, where transients are confined to those disruptions list-ed in Table 1.1 (reproduced from Table 11-2 of the PSS).
1.2.1 Overall Results According to Volume 1,Section V, of the PSS, the total core melt proba-l bility from internally initiated accidents is 4.5E-5/ reactor-year. The PSS l does not provide a value for the individual risk of early and latent fatali-i i
ties, but Volume 1 includes curves of exceedence frequency vs number of fatal-ities (both early and latent) which are compared with WASH-1400 results. The PSS results for both are significantly less (by more than a factor of 10) than -
those in WASH-1400. Figure 1.1 shows a comparison of early fatality risk, '
with the 50% and 90% confidence levels. Figure 1.2 is a similar plot for la-tent fatality risk.
1-1
O Table 1.1 Millstone 3 Transient Initiator List l 1. Control Rod Drive Hochanisa Break or Failure 28. Reduction in Feedwater Temperature
! 2. Control Rod Ejection 29. Total Loss or Feedwater
- 3. Control Pod Withdrawal 30. Increase in Feedwater Flow in One or More Loope
- 4. Control Rod Drop
- 31. Full or Partial closure of One or More HFWIY
- 5. Control Rod trive Hochanism Halrunction 32. Closure or all HFWIva
- 6. Reactor Coolant Pump Trip 33. Feedwater Flow Instability - Operator Error
- 7. Reactor Conlant Pump Locked Rotor 34. Feedwater Flow Instability - Hiscellaneous
! 8. Multiple Reactor Coolant Pump Trips Hechanical Causes l 9. Reactor Coolant Pump Shart Failure 35. Miscellaneous Leakage in Secondary System
- 10. Startup or Inactive Coolant Pump 36. Condenser Leakage
- 12. Inadvertent Sarety Injection Signal i 38. Feedwater Line Break Upstream of HFVIV
- 13. High or Low Pressuriser Pressure 39. Steam Line Break Downstream of MSIVs
- 14. High or Low Pressurizer' Level 40. Steam Line Break Upstream or H3IVs
- 15. Reactor Trip - Spurious Trip, Unknown Cause 41. Full or Partial Closure or One or More H5IY
, 16. Reactor Trip - Manual Trip, Operator Error 42. Closure or all MSIVs k 17. Reactor Trip - Pressure, Temperature or Power 43. One or More Steam Generator Reller Yalves Fails Open Imbalance
- 44. One or Hore Steam Generator Sarety Valves fails Open
- 18. Reactor Trip - Auto Trip, Hardware Error 45. One or More Steam Dump Valves Fails Open
- 19. Loss or Component Coolant 46. Automatic Turbine Trips
- 20. Loss of Instrument Air 47. Throttle valve Closure - EHC Control Problems
- 21. Loss or Service Water 48. Generator Trip or Generator Caused Faults
- 22. Loss or Circulating Water 49. Throttle Valve Opening - EHC Control Problems
- 23. Loss er Condenser Vacuum 50. Reduction or External Load
- 24. Loss or Ofraite Power .
- 51. Loss or External Load
- 25. Loss or Essential Servios Buses 52. Turbine Generator overleed
- 26. Loss or One or More Condensate Pumps 53. Full or Partial Control Bus Failure
- 27. Reduction in Feedwater Flow 4
o e
. o , .. .
1.0-4 ' ' ' ' '
...s.. .
- - - - - - INTERNAL EVENTS !!
EXTERNAL EVENTS ..
1 0-5 .
.. 'i .
.. s ..
l e ..
< NAs,g ..
w --
m g,s N ...
C
- 1.0-6 ..
\ \
o ..
5 ...
w :: .
m
\ ..
g \ ..
w .. g ,.
A ..
.. \ \
w ..
o \
$ 1.0-7 .
\
\
o ::.
w ,
\-
\
g o --
\
x -.
I w ..
\ .. !
u l o ..
\ ..
\ '
I o 1.0-8 \ -
z ..
w :: g g o
w
\ ..
g I ..
- u. ..
g g ..
y ..
1.0-9 l ..
l ..
l ..
1.0-10 .
, , . .. .... - l'.
i i
- o o o e o
- o o o o
. - o o o o o LATENT FATALITIES ~
Figure 1.1 Comparison of Millstone 3 early fatality risks,
- external vs internal events.
1-1
1.0-7 ..
. INTERNAL EVENTS ::
EXTERNAL EVENTS ll 1.0-8 %s%
.. \, s .9
..- s,s m ..
e .. i ..
o 1 e.-
o .. \ ..
< 5 w .
\
a 1.0-9 ..
.. \ ..
.x .. ..
a- :: I -
w .,
I ..
u .. ..
=
\' 9 ..
o %
w w .. .
g ..
u M \
W l.0-10 N N
w .. ..
.. l ..
g ,
o ..
g ..
1 ..
3 .. ..
o .\
w e ..
i* ..
ta.
1.0-11 ..
I ::
- L~~~
~ I s .5-
, .. s ..
s I s ..
. N s -l .. .
I 1 0-12 -
- o o o o
- o o o
- o o o
~
EARLY FATALITIES Figure 1.2 Comparison of Millstone 3 latent fatality risks, external vs internal events 1-4
1.2.2 Dominant Sequences '
Table 1.2, reproduced from Table V-1 of the PSS, lists accident sequences that are leading contributors to core melt probability, early fatalities
(>100), and latent fatalities (>1000). It provides some interesting insights relative to the significance of individual accident sequences and the mix of sequences contributing to core melt probability vs risk:
. No single sequence makes a very large contribution to core melt proba-bility. The leading sequence contributes only 8.5% to the total, and the ten leading sequences together contribute less than 50% (43.1%).
. One single sequence (interfacing systems LOCA) overwhelms all others with regard to early fatalities, contributing 99.8% to the total.
. Two sequences (ranked five and six in the first column) dominate the contribution to latent fatalities (46.3%), and six others are signifi-cant contributors (greater than 2%). ,
The top six leading contributors to core melt probability include sig-nificant contributors also to early fatalities (99.8% contribution from Sequence 5) and latent fatalities (46.3% contribution from Sa-quences 5 and 6).
i 1.2.3 Initiating Events Table 1.3, constructed from information in the LLNL review,2 provides a breakdown of core melt contributors in which accident sequences have been
" binned" on the basis of common accident initiating events. It gives the '
aggregate probability of all sequences in each category as estimated by the PSS and by the LLNL review. The last two columns show that the categories 4
used contribute 96% to the total core melt probability in the PSS and 89% in l the LLNL review.
Transients and small LOCAs dominate core melt probability. In the PSS, transients contributed more than half of the total CMP, and small LOCAs about a quarter. In the LLNL review, transients and small LOCAs I were also found to be dominant, but the small LOCA initiators were l more significant.
For early fatalities, the total probability comes almost entirely
. (99.8%) from the contribution of a single sequence which is initiated by an interfacing systems LOCA.
1.2.4 System and Component Failures and Failure Modes The contribution to core melt probability amLtisk_from.. individual system and conponent failures, as well as failure modes (human error, dependencies, etc.), were examined.
Table 1.4 lists the contribution from system and component failures to each of the ten core melt probability sequences (1 through 10 of Table 1.1).
1-5
l Table 1.2 Millstone 3 D0minant Accident Sequences Contributing to Core Melt. Early Fatalities, and 1.atent Fatalities for Internal Events Percer4 Percent
. Contribution Contribution Percent to Early to Latent -
( rentribution Rank with Fatalities Fatalities
- Respe t, to to (at >100 (at.>1000 Mean Annual Core Holt Fatalities Fatalities Core Helt Sequence Description hequency frequency level) level) l
- l l 1 Ndium LOCA: Failwe of High-Pressure Recirculation . 3 87Fr6 8.5 (0.1
<0.1 l 2 Imse of.Yital DC Bus 1 or 2: Failure or Auxiliary 2.20E-6 4.9 (0.1 (0.1 Feedwater, Failwe of Bleed and Feed Cooling
{ 3 taas or vital AC Bus 1 or 2: Failure or Auxiliary j 1 98F 6 4.4 <0.1 <0.1 Feedwater, Failure of High-Pressure Recirculation 4 Imes of Vital AC Bus 3 or 4: Failure or Auxiliary 1 98F-6 4.4 <0.1 <0.1 l Feedwater, Fa11 r e of High-Pressure Recirculation l 5 Interracing Systems LOCA: Failure of NIR Inlet Valves 1 90Fr6 4.2 98.4 27 9 7
on 6 Imes or Orrsite Ptneers Failure of Both Diesel 1.65Fr6 3.6 (0.1 t.
Generators, Failwe to Recover Ptneer in six hows, 18.4 l Fallwe or Quench Spray Recovery i 7 taas or Orfaite Pouer Fail w e of One ESF Bus, l 1.63Fr6 3.6 <0.1 <0.1 Steam Line Break Inside Containment Failwe of I
Auxiliary Feedwater, Failure of Primary Bleed Thrtmgh FORVs 8
Steam Line Break Outside Containment: Fatire to 1.55F-6 3.4 <0.1 Isolate hin Steam Line, Fallwe of Primary Bleed (0.1 1hrtmsh 10RVs 9 amall LOCA: Fa11re to control Primary Degresswization, Fallwe of High-Presswe Recirculation 1 398-6 31 <0.1 <0.1 -
10 Imrge LOCA: Fallee or im-Pressee Recirculation? 1 37Fr6 3.0 <0.1 (0.1 19 Imss or vital AC Bus 1 or 2: Failure of Opposite 7.23Fr7 1.6 <0.1 Train E3F Cabinet, Failure or Auxiliary Feedwater, 8.0 Fa11re of Bleed and Feed Cooling, Failure of Quench Spray ,
~
W e
9
1 4 .'
I 1
i Table 1.2 Continued Percent Percent Contribution Contribution Percent to Early to Latent t
Rank tsith l . Contribution Fatalities Fatalities Respect to to (at >100 (at >1000 han Annual Core Melt Fatalities Fatalities Core N1t Sequence Description k equency Ptequency l level) level) l 20 Pt Jeary to Secondary Pouer Mismatch: Failwe of 6.15E-7 1.4 (0.1 6.9 a
Both ESF Cabinets, Failure or Auxiliary Feedwater, i Fa11 w e er Bleed and Feed Cooling, Failure of Quench Spray l 25 Reactor 111p: Failwe of Both ESF Cabinets, Failure 4.87E-7 1.1 (0.1 5.4
! of Auxiliary Feeduater, Failure of Bleed and Feed l ' Cooling, Failure of Quench Spray 31 1brbine Trips Failwe of Both ESF Cabinets, Failwe 3.74E-T 0.8 <0.1 4.1 1
or Auxiliary Feedwater, Fallwe of Bleed and Feed Cooling Failure of Quench Spray 40 Primary to Secondary Pouer Miamatch: Colacident 2.435-7 0.5 <0.1 27 Station Blackout, Small LOCA, Failure of High-L
,i Pressure Injection, Failure of Secondary j Depresswization and Low-Presswe Injection, Failee of Quench Spray Recovery 46 Reactor Trip: Coincident Station Blackout, Small
- a
' 1 92b7 0.4 <0.1 2.1 LOCA, Failure of High-Fressure Injection, Failure i or Secondary Depressurization and Lou-Pressure j Injection, Philure or Quench Spray secovery 54 1brbine 7t1p: Coincident Station Blackout, ana11 14CA, Failure of High-Pressure Injection, Failure 1.427 03 <0.1 07
, or Secondary Depresswization and Low-Pressure l Injection, Failure of Quends Spray Recovery 4
70 less of Vital AC Bus 1 or 2 Failure of Auxiliary 9.36E8 0.2 <0.1 1.2
{ Feedwater, Failure of High-Pressure Recirculation, 1 Fallwe or contalrunent Reciraalation Spray I .
l l .
i I
a i
i 1 ,
Table 1.3 Initiating Event Categories - Contribution to Core Melt Probability (Internal Events Only)
Probability 5 Contribution to CMP Initiator PSS LLNL Rev.' PSS LLNL Review Transients 2 3E-5 3 2E-5 51 32 g Small LOCA 1.1E-5 5.1E-5 24 51 Large LOCA 7.8E-6 4.8E-6 17 5 Interfacing LOCA 1.9E-6 8E-7 4 1 Total 4.'5E-5 1E-4 9b 89 e
9 O
l l
l O
1-8 l
. t Table 1.4 System and Component Failure Contributions to Millstone 3 Sequences Dominating Core Melt Probability (Internal Events Only) .
nadere
$ C.M. %ste Philtre Hxte Omsonert Sequenta Qxtrihtim Philtris ketattlity Qstritutione $ of 1btal hiltres 5 er 1btal lheurie 1
- 1 8.5 IEdb.nieure 5.58-3 Haan enr 15 - -
Reatrudation Omson (hime 26 MNa 12 n-r= cause failurge are Rage 2.5 in the contairmest apw recirmhtica gate I
2 49 hat Feed 5 54 Ihn&m omsonert 53 le and writne 3r Rags te Rap httet. ten 16
, and nrtine Rap
, y Ome m Chuse 10 (Unegocified) 10 1hst,Plue Rente 5 nrtine Rap and 5 test. & le pap I
Phed and Bleed 1.0 Depen &wt 100 10RV 100 hilwe d one a= two (Imo & do pcuer 10RVs ==== art to fail feed he fails 10st) and tieed 1 .
3 4.4 k m Phed 5. 5 4 ihn&m Quponert 53 le and artdre 3r
. Rape le Rap httation 16 and nrtine Rap Qumm (huse to (Unspeatfied) 10 9
e s
O Table 1.,4 Continued
] RWmm i $ C.M. . System Pailwe Ibde Quponert
- Saqiance Qwtritution Phtimus R=e= Witty Qntrituucre $ & M al Pautres 5 & Mal Remarie I
i 3(Cord) 4.4 hat Feed (Qwt) 5.grA Raia pite 5 mrtdre Rap ard 5 test. Tet &lC hap Riab-nemmins 5.ms-2 Ruda 51 Valves (rail 32 Recimdat.ica to marce state)
{
, Valves (ping 19 cr rati to e 1
j ranin cren) i l 4 4.4 k m Feed 5.954 Rmin % 53 le and n rtdre 3r hara l }D hap Acttauen '6 I e and nrtine hap ,
E .
% (htas 10 (Unspecirled) 10 amin Flia Ted 5 Mettre Rap ard 5
- test. # to plup High-heeses 5.952 Rudu 51 Valves (rail 32 . i Recimdatica to darse state) -'
t Valves (pits 19 or rati to
- runnin open) .
5 4.2 Nut 1.gr4 Rusta 100 Valves 100 % stas railtes is also (cntastregido accident irttista-intermi leak) 9
O Table 1.4 Continued Irmirait 5 c.M. systen Pa11tre tide sepean Lxtritutim Quporert Pailwes aptettlity artrituuons y e 1dtal Pailtats 5 & Tbtal asemia 4 3.6 hersmar 4.565-4 theson m use 53 mesals EIwr 53 .
QtendtSgray 8.156-3 Dependert 88 Raps 88 Deperubruy is on l
torrecomy & E 1hann Bvtr in six hours 12 - -
T 36 ESF has 1.45-2 haube 99 Diesel Den.
Fa11tew 8T ISF Otdret 7 ICLS andret 6
~
l hat Feed 4.535 4 Rumba 90 steam artine 90 t
- RmP
! Test & Phirt 5 trldra Rap 5 Feed & Bleed 1.0 Degendert 100 PORY
- 100 Both 10RVs ===mset to be twydred 1
8 3.4 ItL Isotatim J 1.553 rwnn one. 91 valves 91 Feed & Bleed 2.7652 lbrube 6% 10RV 40 Block Valve 24 namn asxr 36 - -
l o
i 1
j -
I s
i Table 1.4 Continued ,
Dmdnert
$ C.H. %sta Pailt a Mxle Chuponert j sentenas contritution Philins hv*=M11ty cortrihtforn , 5of1btal Pa11tns 5of1btal heerle i
1 9 31 P5 Degnesie- 1H Inman Em- 100 - -
inauen itish-lhesin 1.5!B 2 % case 26 valves 12 liecitadat. ten j
. Raps 2.5 i .
InmanIhtr 15 - -
l 10 3.0 Im-messin 4.0 5 3 innen a m - 25 - -
liscimdeuen y .
n -rm those 13.4 _ Valves 9.8 Raps 3.6 Itudu 4.5 Valves 4.5 Pliquirs i
e 9
e e
r ..
7 The information was obtained from various sections of the PSS and from addi-tional analyses needed to extract individual contributions. It should be em- '
phasized that the breakdown of each system within this table was not derived directly from sequence cut sets. Rather, the breakdown came from the analysis of each individual system. This was necessitated because sequence cut sets were not provided. The reader is therefore cautioned that any sequence-dependent failures listed in the table are based upon this review and due to the limited scope of this review the listings may not be exhaustive.
The first column of Table 1.4 identifies the sequence by number corre-sponding to thr. Table 1.1 sequences. The second column provides the core melt probability contribution (in percent) from the individual sequences. The third column lists all of the system failures associated with each sequence, and the fourth column gives the probability of each system failure. It is im-portant to note that these probabilities, as provided in the PSS, are condi-tional that is, dependent upon the initiating event and any preceding system, failures. The fifth column provides the failure mode contributions to each of the system failures.
Five such modes were id.entified in the PSS: common cause, dependent, random, human error, and test. As used herein, dependent ,
failures refer exclusively to failures related to the initiating event and preceding system failures.
The sixth column identifies the fractional contribution of each failure mode to the total system failure probability. For example, in Sequence 1, 15%
of the failure probability of the high-pressure recirculation system is from human error and 26% from comon cause failures. Note that in many cases (including this example) the column six failure mode contributions do not total t'o 100%. This is because only those modes identified in the PSS as dom-inant contributors are considered. Resources did not permit detailed exami-nation of individual cut sets and fault trees to extract further detail on failure modes for lesser contributors. In nearly all cases, however, the failure modes identified in the sixth column account for over half of the total system failure probability, and for many (about lpIdof the systems the identified failure modes contribute over 90% of the total.
The seventh column identifies the components associated with the relevant failure modes. For the dependent and human error modes, no components are identified since for these modes individual component failures are not asso-ciated with the system failure. The eighth column provides the individual component contribution to system failure for each failure mode. For example, for Sequence 1,12% of the system failure probability is che to common mode failures of motor operated valves. The last column provides some clarifying information pertinent to the appropriate system.
Table 1.5 gives information similar to that in Table 1.4, for latent fatality risks. As discussed previously, six leading sequences contribute to latent fatality risks.
Two of these (Numbers 5 and 6) are also contributors l to the core melt probability and therefore_the information-about them, identi-cal to that in Table 1.4, is not repeated. In Table 1.5, the " test" mode of failure has no associated component since the entire system is assumed to be in the test mode and therefore unavailable.
l From information provided in Table 1.4, Table 1.6 was constructed in order to consolidate the contributions to CMP and risk from systems, failure 1-13 l
O Table 1.5 System and Component Failure Contributions to Millstone 3 Sequences Dominating Latent Fatality Risk (Internal Events Only) l Ibmirert I contributtes % stas Pa11tre Ibde (baponert soquence Latent Fatalttles Palltats Ittialdlity (brtritutions $of1btal Palltrts % of 1btal Regerics 5 27 9 See h hle 5 l
6 18.4 see n hie 5
- 19 8.0 Ac Bus 6.15s.2 urrgecirlas - - -
obtaired rtue initiatirs evert dita taas ESF Qbiret 1.1EE-5 Ted 29 - -
Ibrain 58 treio carxis 41 out g aclay 17 Aux Feed 1.0 Degerrbrt 100 - -
g Feed & Bleed 1.0 Degnbrt 100 -- -
4 Oerrh Srrg 1.0 Deperrbrt 100 - -
20 6.9 ESF Catdrets 1.61S-7 lbs 29 - -
Ihrrku 58 testa carxis 41 h t M aelay 17 Aux Feed 1.0 Deperrbrt 100 - -
Feed & Bleed 1.0 Delerxbrt 100 - -
O errh strar 1.0 .Degerriert ,' 100 - - .
25 5.4
- asse as seqtenas 20 stme 31 4.1 Sune as sequence 20 atme
~
l l
l '
l ,
l Table 1.6 System and Component Failure and Failure Mode Contribution To Core Melt Probability (Internal Events Only) hystem Pa11ure Mode Contribution, 5 (Contribution to CMP, 5) i Human Systes Seq. No. $ CMP Common Cause Randon Dependent Error Test Unspecified ,
High-Pressure 1 8.5 12 (1.02)-MOV - -
15 (.47) -
59 (5.0)
Recirculation
- 2.5 ( .21)-P .- -
, 11.5 ( .98)-U - -
l 3 4.4 -
51 (2.2)-P - - - 49 (2.2)
. 4 4.4 -
51 (2.2)-P - - -
49 (2.2)
! 9 31 12 ( .37)-MDT - -
15 (.47) -
59 (1.8) 2.5 ( .08)-P 11.5 ( .36)-U i
l Totals 20.4 3 02 . 4.4 - 1 77 - 11.2
-l i
- 7 Auxiliary 2 4.9 10 ( .4 9)-U 53 (2.6)-P - -
5 (.25) 32 (1.6)
- Feedwater 3 4.4 10 ( .44 )-u 53 (2.3)-P - -
5 (.22) 32 (1.4) 4 4.4 10 (.44)-U 53 (2 3)-P -- -
5 (.22) 32 (1.4) 7 3.6 -
90 (3.2)-P - -
5 (.18) 5 ( .18)
Totals 17.3 1.37 In.4 - -
.87 4.58 Peed & Bleed 2 4.9 - -
100 (4.9) - - -
7 3.6 - -
100 (3.6) - - -
8 3.4 ; -
40 (1.4) PORT --
36 (1.2) - -
24 (.82)BV Totals 11.9 - '
2.2 8.5 1.2 - --
I 4
a O
i . .
.. t i
Table 1.6 Continued System Failure Mode Centribution, $ (Contribution to QtF, $)
l Human j System Seq. No. $ CMP Common Cause Random Dependent Error Test Unspecified
, Residual Heat 5 4.2 - -
100 (4.2) - - -
Removal l
I Totala 4.2 - - 4.2 - - -
Beergency 6 36 53 (1.9)-DO - - - -
47 (1 7) l Electrio !
! Power Totain "A.6 1.0 - -- - - 1.7 ESFBus 7 3.6 -
Sr (3 1)DO -
7 ( .27)ESF
- 6 ( .21)EOLS Totala 1.6 1.6 -
s-a
,8 , M5L Isolation 8 3.4 91 (3.1)-MOV - - - -
9 ( .31) m Totals 1.4 1.1 .31 Primary 9 3.1 - - -
100 (3 1) - -
Depressurization Totala 1.1 - - - 1.1 - -
4 Low-Pressure 10 3.0 25 ( .75) 75 (2.25)
Reoirculation i Totala 1.0 .75 2.25 Lesond HOT = Motor Operated Yalve ESF = Neergency Safeguard Features Actuation System i
P = Pump EGLS = Beersency Generator Load Sequences System t
U = Unspecirled BT = Block Talves DO = Die.sel Generator i
i l .
4 l
modes, and components. In Table 1.6, each system is considered separately, as i indicated in the first column. The second column lists each sequence (identi- l fled in Table 1.1) in which the system appears as a contributor to the se- '
quence probability, and the third column gives the percentage contribution to CMP from each sequence.
The remaining six columns give the failure mode contributions, including an " unspecified" column which p'rovides a quantification of the residual fail-ure mode contribution not specified in the PSS. For the " common cause" and
" random" columns, the component failure contributions to the respective fail-i ure modes are identified. The numerical entries (first number) for these col-umns were obtained from Table 1.5. The number in parentheses is the product of the cogonent failure contribution and the percent contribution of the re-spective sequence (third column) to the CMP. This value is an absolute mea-sure of the significance of each failure mode and component failure to the CMP.
An example will aid in interpreting Table 1.6. The high-pressure recir-culation system (HPRS) appears as a system failure element in four of the CMP '
leading sequences (1, 3, 4, and 9). The total contribution of these four se-quences to the CMP is 20.4% (shown under totals in the "% CMP" column). In
, other words, if the HPRS failure probability could be reduced to 0 under the
- conditions of the four accident sequences, the total CMP calculated by the PSS for internal events would be reduced by 20.4%. For Sequence 1, 26% of the HPRS failure probability derives from comon cause failures, of which 12% are common cause M0V failures, 2.5% pumps, and 11.5% unspecified.
By nultiplying these fractions by the core melt contribution (8.5%), the individual cogonent common cause contribution to core melt" probability for Sequence 1 is obtained (these are the values in parentheses: 1.02, 0.21, and
- 0.98). These contributions are summed as shown in the " totals" row, thus the l
"% CMP" for the four sequences involving the HPRS (20.4) is made up of a 3.02%
contributor from all common cause failures, of which 1.39% is from motor oper-ated valves, 0.29% from pumps, and 1.34% from cogonents not specified in the PSS. Similarly, 4.4% of the 20.4% is from random failures of which the entire contribution is from pug failures. Human error contributes 1.77%, and a con- -
t tribution of 11.2% is from unspecified failure modes of the HPRS. Thus, if it were possible to eliminate common cause failures in the HPRS, the CMP would be i
reduced by 3.02%, or if common cause MOV failures in the HPRS could be elimi-nated, a 1.39% reduction in CMP would occur.
Table 1.7 is similar to Table 1.6 and gives the results for latent fatal-
! ity risks.
{ Table 1.8 consolidates and summarizes the results of Table 1.6 for system i
failure, cogonent failure, and failure mode contributions. Table 1.8 lists i
all systems which appear in the ten leading CMP sequences and the contribution each system imposes on the total CMP for internal event initiated sequences.
Reducing the failure probability to O for each system would produce the corre-sponding reduction in CMP. It should be noted that igroving the reliability of combinations of systems would not necessarily produce a benefit equivalent to the summation of the corresponding CMP contributions because more than one system appears in some sequences. For example, reducing the failure probabil-ity of HPRS and auxiliary feedwater to near 0 would not reduce the CMP by 1-17 i
+
]
j
\
1 Table 1.7 System and Component Failure Contributions to Latent Fatality Risk (Internal Events Only) i
$ Latent Common Human System Seq. # Fatality cause Dependent Randon Error Unspecified Test Quench 6 18.4 -
88 (16.2) -
12 (2.2) - -
Spray 19 8.0 -
100 (8.0) - - - -
20 6.9 -
100 (6.9) - - - -
25 5.4 - 100 (5.4) - - - -
31 4.1 - 100 (4.1) - - - -
Totals 42.0 -
40.6 2.2 - -
Residual 5 27 9 -
100 (27 9) - - - -
Heat Removal Totals 27 9 -
27 9 - - - -
e-.
' 0
- ESFCabinet 8.0
- 19 - -
41 (3.3)-LC -
13 (1.0) 29 (2.3) 17 (1.4)-OR 20 6.9 - -
41 (2.8)-LL -
13 ( .9) 29 (2.0) l 17 (1.2)-OR l 25 5.4 - -
41 (2.2)-LL -
13 ( .7) 29 (1.6) l 31 4.1 - -
41 (1.7)-LL -
13 ( .5) 29 (1.2) 17 ( .7)-OR I *
, Totals 24.4 - - 10-LC -
3.1 71
- 4.2-0R
. Auxiliary 19 8.0 -
100 ( 8.0) - - - - ,
Feedwater 20 6.9 -
100 (6.9) - - - -
25 5.4 -
100 (5.4) - - - -
,j 30 4.1 -
100 (4.1) - - - -
Totals 24.4 24.4 e
Table 1.7 Continued
$ Latent Common Human
- Systen Seq. # Fatality Cause Dependent Randon Error Unspoolfied Test i
1
'l
' Feed & Bleed 19 8.0 -
100 (8.0) - - - -
20 6.9 -
100 (6.9) - - - -
25 5.4 -
100 (5.4) - - - -
31 4.1 -
100 (4.1) - - - -
Totals 24.4 -
24.4 - - - -
i j Emergency 6 18.4 53 (9.8)-D0 -
Electric 47 (8.6) -
i Power
- Totals 18.4 9.8-DG -- - -
8.6 -
AC BUS 19 8.0 - .-
sa 8
100 (8.0) -
i g Totals 8.0 8.0
! LHIEND:
i MOV = Motor Operated Valves j DG = Diesel Generatora i LC = Logio Cards l OR = Output Relay
_. .m * ' ' ' " ~
i i
l t
1 l
e i .
i Table 1.8 Summary of System and Component Failures and Failure Mode Contributions to ' CMP (Internal Event Only)
Failure Mode Contribution (5)
Componnat Failure Common Human Contribution .
Systee $ Contribution Cause Randou Dependent Error Test Unspecified (5)
High-Pressure 20.1 3.0 4.4 - 1.8 - 11.2 4.7-P Recirculation 1.4-HDV-Auxiliary . 17.3 1.4 10.4 - -
.9 4.6 10.4-P Feedwater .
Feed & Bleed 11.9 - 2.2 8.5 1.2 - - 1.4-PORY
.82-BV Residual 4.2 - - 4.2 - - - -
i Heat Removal Y
m hersency 3.6 1.9 - - - -
1.7 1 9-Do Electrio ,
Power ESF Bus 3.6 -
3.6 - - - -
3.1-Do
.27-E5FC
.21-ED LSC MSL 3.4 . 3.1 - - - -' .3 3 1-MDV Isolation .
W e
i .
I.
- Table 1.,8 Continued l
l Failure Mode Cor.tribution ($) 1 i
Component Common Failure Systee Human
$ Contributica Cause Randon Depender.t Error Test Contribution Unspooified ($)
i l Primary 31 - -
- Depressur-31 - -
ination Low-Presstre 30 -- -
Roolroulation '
30 - - -
LEGEND:
P = Pump
- HOV = Ho Lor Operated Yalve PORY = her Operated Relief Yalve BV = Block Valve 7 DG = Di6sel Generator y ESFC = Emirgency safeguard Features Cabinet EGLSC = Emergency Generator Load sequencer Cabinet
- M i
t
' 37.7% (20.4 plus 17.3) because these two _ systems appear together in some of the same sequences (Sequences 3 and 4). The net, effect of reliability im-provements for combinations of systems would have to be determined from Table 1.6.
Table 1.8 also provides the failure mode contributions to CMP for compo-nent contributions (last column).
Table 1.9 is similar to Table 1.8 and gives information for the latent fatality risk.
From the data in Tables 1.8 and 1.9 the following insights are evident:
The high-pressure recirculation, auxiliary feedwater, and feed and bleed system failures dominate the core melt probability from leading core melt sequences in descending order of significance. However, none of these systems is a particularly significant contributor.
Random and dependent failure modes appear to dominate failures of the systems important to CMP, with pumps being the major (but not overly significant) component contributing to failure.
i .
Quench spray system failure is the most significant system failure l contributing to latent fatality risks. This system contributes over 40% to the latent fatalities for the leading sequences.
Dependent failure is the most 1'nportant mode contributing to latent fatality risks. .
Early fatality risks result essentially entirely from the contribution of a dependent failure of the residual heat removal system.
1.3 External Events This section presents a summary of the results of the external events risk analysis from the Millstone 3 PSS. The LLNL review of these results is also considered.
The PSS considered a total of eight external event initiators. These are listed in Table 1.10, with indications of which events were found to be sig-nificant contributors to risk and core melt probability. Only two, earth-quakes and fires (within the plant), were found to be significant, and only these are considered further in this review (except for the LLNL results).
According to the PSS, the total core melt probability [considering re-sults from Amendment 3]" from external events is 1.39E-5/yr, 'of which 9.1E-6 (65%) is from seismic events and the remainder from fires. Thus, external events contribute about 20% to the total CMP. The significance of external events to early and a late fatality risks is shown in Figures 1.1 and 1.2.
External events dominate the early fatality risks and have about the same con-tribution as internal events to latent fatality risks.
Table 1.11 shows the seismic initiated events that dominated core melt probability and latent fatality risks in the PSS assessment. The second 1-22
i Table 1.9 Summary of System and Cqmponent Failures and Failure Mode Contributions to
.i Latent Fatality Risk (Internal Events Only)
Failure Mode Contribution (5)
Component Failure j Common Human Contribution l System 5 Contribution Cause Randon Dependent Error Test Unspecified (5)
I i Quench 42.8 - -- 40.6 2.2 - - -
i Spray
- Residual 27 9 - -
27 9 - - - -
Heat ,
Removal l ESF Cabinet 24.4 - 14.2 - -
71 31 10-LC 4.2-OR i Auxiliary 24.4 - - 24.4 - - - -
7 Feedwater U
Feed & Bleed 24.4 - - 24.4 - - - -
i .
j Beersency 18.4 9.8 - - - - 8.6 9.8-DG Electria -
i Power i
l AC Bus 8.0 - - - - - 8.0 -
i LEOEND: -
1 *
} LC = Logic Card OR = Output Relay DO - Diesel Generation i
i i
Table 1.10 External Event Initiators Considered in the PSS Event Significant i .
Earthquakes Yes Fires (inside plant) Yes External Flood No Internal Flood {
No Extreme Wind No ,
- Aircraft No Hazardr,us Materials (1) No Turbine Missiles No l
(1) Includes storage of on-site materials and transportation of l
. materials near the site.
i Table 1.11 Summary of External Event Risks from Seismic Events for Millstone 3 i
Omtribution to total frun aQ eventa Latent Initiating Contairment M equency i Early htality t Event Response h r Year Core Melt Fatality (>1000)
Loos of Off-Site Power Cooling Failure 5 756 9.5 -
52 ,
small LOCA Cooling Failure 1 956 3.2 -
17 Large LOCA Cooling Failure 6.557 1.1 -
7 LOCA Isolation Failtre 1.0Fe7 .2 - -
, Yotals 91EWi 14 0 76 1-24
. e I
'umn, " Containment Response," indicates the containment function (isolation or cooling) which was lost as part of the sequences associated with the initiating event. The last three columns indicate the percentage that each initiating event and containment response combination contributed to CMP and to early and late fatality risks from seismic events.
The latent fatality column results could not be directly obtained from the Millstone 3 PSS. To derive these values, first the relative significance of external events was determined from Fi At 1000 fatalities, the contribution (at the 0.5 confidence level)gure from1.2.
external events is about 92%
of the total, and at 2000 fatalities, about 94%. Thus, a weighting factor of 0.93 was applied to the external event risks. Of this, about 12%, according to the PSS, is from fire initiated sequences (see Table 1.10). Thus, the con-tribution from seismic events is about 81%. This factor was multiplied by the product of the latent fatality risk release category contribution and the plant damage state contribution from seismic events given in Table 7.5.1-5 of
, the PSS. For exagle, according to Table 7.5.1-5, the M7 release category
! provides 90% of the seismic risk of latent fatalities. The M7 category is made up of four seismic plant damage states, of which the loss of off-site '
power with containment cooling failure contributes 71%. Thus, the seismic contribution to latent fatality risk due to this plant damage state is (0.90)(0.71)(0.81) = 0.52, which is the value in Table 1.11, 4
As Table 1.12 indicates, loss of off-site power with subsequent loss of containment cooling is the dominant contributor to both CMP and late fatality risks. The LOCA event followed by failure of containment isolation dominates the early fatality risks. . .
Table 1.12 provides a summary of the PSS results for fire initiated acci-l dents. The total CMP from fires represents about 8.4% of the overall CMP as i estimated in the PSS from all accidents. Fires in the charging and component cooling pug area and in the cable spreading room are ' dominant CMP contribu-tors, while latent fatality risks, according to the PSS, are dominated by fire in the control room and instrument rack rooms. The latent fatality risk from fires, according to the PSS, represents about 12% of the total from all causes. Fire initiated accidents represent a negligible contribution to early i fatalities.
, The LLNL review 2 of the PSS external . event risk assessment resulted in j the following major conclusions:
- 1. The core melt probability from seismic events for Millstone 3 could be as high as 1E-3 based on a re-analysis of the seismic contribu-i tion.
1
- 2. A revision of the PSS assessment of the contribution to CMP from fires led to an increase in the contribution from 4.8E-6 to 2.8E-5
- ~ (an increase by a factor of about 5.8). The contribution to latent j fatalities, although not explicitly quantified, was judged to be even greater.
- 3. The PSS does not provide an adequate assessment to support the con-clusion that floods are not significant core melt contributors.
! 1-25
_g-------.,---e--,.,.g. y ----w .. ,,,gg ,,, - - . - . - ,,,g- gmy-
.--+------.---w- ~ , , . , . - , - - - , , - - - - - . - ,,-..-..,-w-.---w--,,_m.,,,
Table 1.12 Summary of External Event Risks from Fires Fira Location Frequency 5 Contribution (CMP)- ,
Charging and. 1.1E-6 19 ;
Component Cooling Pump Area
~
Cable Spreading 9 9E-7 17 Room
~
Switchgear Rooms 8.0E-7 1.4
- Control Room 7 3E-7 1.2 Electrical Tunnels 6.9E-7 , 1.2 eInstrument Rack Room 2.4 E-7 .4 Diesel Generator 1.45E-7 -
.2 Enclosures l
~ '
Totals 4 7E-6 j 6.1,
- These sequences c'ominate the latent fatality risks from fires and contribute about 12% to the total PSS latent fatality risk.
I 4
l s
i e
S l
l 1-26
- 4. It is unlikely that winds could be a significant contributor to the CMP.
- 5. The PSS conclusion that aircraft accidents are not significant con-tributors to CMP is reasonable.
- 6. It was not possible to determine whether the screening criteria used to dismiss hazardous material contributors were applied appropriately or consistently.
- 7. The PSS conclusion that turbine missiles are not significant contrib-utors to plant risk is reasonable.
Based on the preceding discussion of " external events, the following in-sights were derived:
The PSS determined that of eight different external events considered, only those accidents initiated by internal fires and earthquakes were of significance to CMP or risk. '
External events are a modest contributor to CMP (20%) with seismic events being the major contributor (65% of total).
Seismic events are : significant contributor to latent fatalities.
Fires do not contribute to early fatalities, and only about 12% to the total latent fatality risk, The leading seismic initiated accidents contributing to CMP and la-tent fatalities are thot;e resulting in loss of off-site power ~with loss of containment cooling.
The leading fire initiated sequences contributing to CMP are fires in the charging and component cooling pump area and cable spreading room. The leading sequences contributing to latent fatality risk are from fires initiating in the control and instrument rack rooms.
Major problems found in the LLNL review of the PSS assessment of ex-ternal events were 1) the CMP from seismic events could be as high as 1E-3/yr, 2) the CMP from fires is underestimated by a factor of almost six (late fatality risks are also underestimated), and (3) it was not possible to validate the screening criteria used by the PSS for haz-ardous material risks.
I REFERENCES
- 1. " Millstone Unit 3 Probabilistic Safety Study ," Northeast Utilities, l, August 1983,
- 2. "A Review of the Millstone 3 Probabilistic Safety Study," NUREG/CR-4142, I
Lawrence Livermore National Laboratory, May 1984
- 3. Probabilistic Risk Assessment (PRA): Status Report & Guidance for Regula-tion Application, NUREG-1050, USNRC, February 1984.
1-27
- 4. " Millstone Unit 3 Probabilistic Safety Study," Amendment 3, November 28, 1984.
9 9
o l
i k
1-28 l
[ . -__ _ _ _ _ _ _
- 2. INSIGHTS FROM THE SEABROOK STATION PROBABILISTIC SAFETY ASSESSMENT 2.1 Introduction This section presents an overview of the results from the Seabrook Sta-tion Probabilistic Safety Assessment (SSPSA)1 and selected insights derived from these results. It is not the purpose of this effort to review the SSPSA. Rather, the results are used as is, and the insights are based entire-ly on these results.
Following a brief overview of the SSPSA results, the leading accident se-quences contributing to both core melt probability and risk (of early and late fatalities) are examined in detail to 'obtain the following insights:
Relative significance of initiating events.
System and conponent failure contributions to leading accident se-quences.
Failure mode (i.e., human error, random, dependent, etc.) contribu-tions to leading accident sequences.
In conjunction with these insights, additional perspective is provided, as appropriate, regarding the relative significance of leading sequences and the different characteristics of the accident sequence * " mix" contributing to core melt probability and risk.
The results for internal and ' external accident initiating events are con-
. sidered separately.
2.2 Internal Events This section presents results and insights from internal initiating events. Internal initiators are defined in the SSPSA as loss-of-coolant acci-dents and transients, where transients are confined to those disruptions list-ed in Table 2.1.
2.2.1 Overall Results According to the Summary Report of the SSPSA, the total best-estimate core melt probability is 1.9E-4/ reactor year. Based on results given in this Summary Report, the individual risk of early fatalities is about 2E-7/ reactor year and for late fatalities (cancer) about 1E-8/ reactor year. Figure 2.1, from the SSPSA, shows a distribution of early fatality risks with confidence i
levels indicated. Figure 2.2 is a similar plot for late fatality risks. Un-like the Millstone 3 PSS, the Seabrook study did not consider internal and ex-ternal initiating events separately.
f 2.2.2 Dominant Sequences j
' Table 2.2 lists accident sequences that are leading contributors to core melt probability, early fatalities (>100), and late fatalities (>1000). It provides some interesting insights relative to the significance of individual 2-1 i
Table 2.1 Seabrook Transient Initiator List
- 1. Reactor Trip
- 2. Turbine Trip
- 3. Total Main Feedwater Loss 1
- 4. Partial Main Feedwater Loss .
t
- 5. Excessive Feedwater Flow
- 7. Closure of One Main steam
- 8. Isolation Valve (MSIV) i
- 9. Closure of all MsIVs
- 10. Core Power Excursion *
- 11. Loss of Primary Flow l 12. Steam Line Break Inside Containment 13 Steam Line Break Outside Containment
- 14. Main Steam Relier Valve Opening
, 15. Inadvertent Safety Injection
- 16. Loss of Off-site Power (1) *
- 17. Loss of One DC Bus (1)
- 18. Total Loss of Service Water (1)
! 19 Total Loss of Component Cooling Water (1)
(1) Classified in the SSPSA as " Common Cause Initiating Events" (Table 5.2-1) l y w*
l
}
l a
2-2 .
i a i i io.s _ - '
a 3
. N 3 to.s _
o ,3 .-
i -.*
i o so B,>=g yg to-,
o.7o g3 - _
- =
W*
w 6 0.50 B0 w !!!
to-* -
0.3o 8
0.1o
'"'g l M 1 I l ll
- io n io t to 2 to 3 so* to s EARLY FATALITIES Figure 2.1 SSPSA risk of early fatalities.
I i i i I 0.95 f
0.90 0.70 0.50 10*I -
gf 0.05 EE
! $uj iG-8 - -
5 i
Oy I
E i
g t!! 10*I - "
5 -
I 10*I -
10 ' ' '
30 0 , 30' ie r io s
ia s 3,5 LATENT CANCER FATAUTIES ,
Figure 2.2 Risk of latent cancer fatalities (other than fatal thyroid cancers).
2-3 .
~
e ---------nr-enr-, -.q- s--- ,- .rn,---
,n, ------------,w- ,,v--- - - ~ ~ - - - - -- - - - - , - , - - - - - - - , - - - - - - - , , -
l .
o i 7 l
1 Table 2.2 Seabrook Dominant Accident Sequences Contributing to Core Melt. Early Fatalities, and Latent Fatalities for Internal Events l
i Percent Percent j Contribution Contritention
Percent to Early to Latent rentribution Fatalities Fatalities .
Rank with to (at >100 (at >1000 Respect to . Mean Annual Core Melt Fatalities Fatalities Core Melt Sequenos Description Frequency Frequency level) level) 1 taas of Orr-atte Power: Lees of On-site AC Power, no 3.3E-5 14.0 * -
5 Recovery before Core h e l 2 taas or Orr-atte Powers Failure of Service Water, 9.25-6 4.0 e 3,3 no Recovery of Orr-site Power 3 sen11 IACA: Failure of Residual Heat Removal .
8.96-6 39 e , a 4 Imos of Hein Feedwaters Failie e of Solid State or 8.3 M 35
- 1.2 Protection System 5 Steen Line Break Inside contairement: Failure of 5.65-6 2.4 *
- co Operator to Establish Long-Terie Heat Removal E 6 Reactor wip: Loes or Primary Component Coo 11as 4.6 M 2.0
- 3.4 7 toss of Orr-site Powers Failure or Wain-A 4.45-6 19 e 0.6 On site, Wain B Service Water, no recovery of Orr-aite Power before Core h r .
8 Imes or err-atte Power Failure or Wain B On-site 4.4 M 19 e 0.6 Power, Wain A Service Water, no Recovery er AC Power bercre. Core Duness 9 Partial taen of Main Foodwaters Failure er Primary 3.8 M 17 *
- Component Coolig
- t 10 taas of One DC Bust Failure or Beersency Feedwater, 32M 1.4 e e no Recovery of Bmergency er Startup Feedwater 11 Beactor Wip Operator Philure to Establish Lons- 3 0Fr6 13 *
- Tern Heat Renoval
?
i
\
9
)
Table 2.2 Continued Percent Percent
' Contribution Contribution Percent to Early to Latent Rank with Contributica Fatalities Fatalities Respect to to (at >100 (at >1000 Core Melt Sequence Description Hean Annual Core Melt Fatalities Fatalities h equency hequency level) level) 12 Turbine Wipt Failure of Primary Component 2.85-6 1.2 e' s Cooling
- 13 1mes of Servlee 11 ster 2.3Fr6 1 e a 14 Partial Loss of Feedeater: Operater Philure to 2 3Fr6 1 e e Establish Long-Term Hoot Demoval 15 small LOCA: Train B 3afety Features Actuation, 2-2Fr6 1 e e Train A Res1& sal Heat Removal 16 Small IDCA: Train A safety Features Actuation ,, _ 2-2Fr6 -
- 1" e
e Train B Besidual Heat Removal 17 1 Whine Wip: Failure of Beactor Wip, Failwe '1.9E-6 .8 e e 7
to Manually Scram and to Effect Energency Beration 18 -
Interfacing systems LOCA
- 1.8Fr6 .8 98 17 5 Totals 1.0FA 44.8 98 29.6 e
.. , . _ _ _ _ _ . ~ . .- _
. .e '. , ,
1 l
accident sequences and the mix of sequences contributing to core , melt proba-bility vs risk:
No single sequence makes a very large contribution to core melt prob-ability. The leading sequence contributes only 14% to the total, and i the ten leading sequences contribute less than 40% (36.7%).
4 j . A single sequence (interfacing systems LOCA) overwhelms all others
! with regard to early fatalities, contributing 98% to the total.
. The interfacing systems LOCA sequence also dominates the contribution to late fatalities (17.5%) from internal events. Only two others are
! significant contributors (greater than 2%).
t
) .
The top ten leading contributors to core melt probability contribute only about 12% to late fatalities and a negligible amount to early fatalities.
2.2.3 Initiating Events 3
Table 2.3, constructed from information in Section 13 of the SSPSA, pro-
- vides a breakdown of internal event core melt contributors in which accident i sequences have been " binned" on the basis of common accident initiating events. It gives the aggregate probability of all sequences in each cate-j gory. As indicated in the last columns, the categories used contribute essen-tially 100% to the total SSPSA core melt probability from internal initiating i events.
i Based on ,the results in Table 2.3, in conjunctton with information in Table 2.2 on early and late risk contributors, the following insights are pro-
- vided
- .
. Transients and small LOCAs dominate core melt probability, with tran-l 'sients contributing almost 85% to the total CMP.
1 For early fatalities, thhe total probability comes almost entirely (98%) from the contribution of a single sequence which is initiated by j; an interfacing systems LOCA. For late fatalities, this same sequence l
- dominates, but is less significant than external events (considered later).
4
! 2.2.4 System and Component Failures and Failure Modes i
i The contribution to core melt probability and risk from individual system and cogonent failures, as well as failure modes (human error, dependencies, etc.), were examined.
Table 2.4 lists the contribution from syst_ ems _and_ component-fai4ttres to each of the 12 core melt probability sequences (1 through 12 of Table 2.2).
The information was obtained from various sections of the SSPSA and from additional analyses needed to extract individual contributions. It should be eghasized that the breakdown of each system within this table was not derived directly from sequence cut sets. Rather, the breakdown came from the analysis of each individual system. This was necessitated because sequence cut sets 2-6
. o, .,
Table 2.3 Dominant Accident Sequences Grouped by Initiating Event (Internal Events Only) ,
Accident Sequence
. Initiating Event Probability 5 of Total Internal Event CMP i
's Transients: 1 Loss of Off-site Power 6.88E-5 37.6 ATWS 1.20E-5 6.5 All Others 7 32E-5 40.0 Small LOCA 1 99E-5 10.8 ;
i Large LOCA ,
e e Interfacing Systems LOCA 1.84E-6 1.0 ,.
Steam Line Break I 7 29E-6 4.0 .
(Inside Containment)
- Negligible 1
e e
e J* e O
2-7
It o
a ..
b Table 2.4 System and Component Failure Contributions to Seabrook Sequences Dominating Core Melt Probability (Internal Events Only) lI
- n irarc j* $ C.M. %eten hiltre 2de Quponert . 9 j; sequence Qwaribution h11wes hve= Witty astritations 5 er 1btal milists 5or1btal muerts
)'
i 1 14 Qe-mite ac 7.45-3 ann &u 57 Diesel oe w ate s .56.2 Om hois is easised l name- n-r. thuey M Diesel Galeratas W available te amouvery j, M & missaremos 15 - -
1 I w- 1 Dependert 100 - -
[
Omtat. '
R ap Sent Out. Ekt. 1 Dependet 100 - - 1ho trains Sgrgs
.: 2 4 Sevice 1.154 n-na Quee 68 Ross 44.8 R is asmand 9
! ro lister Rin&m 22 (1) (1) fra are avatiaMe te j != mo y on.c as r.nw.
n=r*= 0xdat 1 Dependet 100 h15es 23.2 "
- Rap Sant C
Qwt. Ekt. 1 Dependet 100 - -
Slrge
~~
! 3 3.9 andent Ihat 5.55-4 cm Omme 50 Rap 50 i ihmanal nin&m 39 (1) (1) 1 hirtananos 11 - -
em ,e .e me e m*
e +
l
. - . _ . - - - -- - .- - .-. - -. . ~ . -- - . .
. i
-Table 2.4 Continued i
. ,. -]
5 c.M. 4stan hilire mde Quyosure Sequence Costrituuan hiltres h d ebility Outriintiene y er 1btal hilures $ er Mal m
- 4 3.5 Salad state '2.954 namn afw 71 - -
hetection Ibsuka -
29 (1) i
%8 tan (1) ,
i Amente tip 1.0 Dependast 100 - -
BuurgencF Feechster 1.0 W . 100 - -
h 1.0 ' Dependast 100 - -
Cort. Elsk. 1.0 Dependast 100 - --
3rsts
-ro e
e 5 -
2.4 Dneur Hunt. 1.354 namn hvw 100 - -
kmasat .
(Im s 3ern) 6 2.0 Prhary Qup. 1.554 lbsuku 5 Valm CooH85 95 Ramete Giotast 1.0 Berendast 100 - -
i h ap Seal e
e W
i s ,
j- . .
4 5
e 4
I
j .
W SN l l 5 SN I l R I a .
1 I I l l
- 1 -
3 i g R R R R R R R R
- R 8
~
5 1ll 1111 i111 ii
! !!,, !!,, i ,
g,i i 11 a 1 11 a i,l i
, a i I ..il . i i I 1 1 gl , ,
i - . .
2-10
l
! l .
1 ;
di a
l !.
s i i l>
1 2 .
I 1 5 8 i j i lj-i jg i
i is !
s a = e at a
. s a
l .
- ))'3 I 1 flI -
- 9.1 s 1 1 1 ii t
b ,b ct l
$3 5 2 's 1i
]w -
-] ~
s 4
l1 33 2-11
o .
were not provided. The reader is therefore cautioned that any sequence-depen-dent failures listed in the table are based upon this review and due to the limited scope of this review the listings may not be exhuastive.
The first column of Table 2.4 identifies the sequence by number corre-sponding to the Table 2.2 sequences. The second column provides the core melt probability contribution (in percent) from the individual sequences. The third column lists all of the system failures associated with each sequence, and the fourth column gives the probability of each system failure. It is im-portant to note that these probabilities, as provided in the SSPSA, are condi-tional, that is, dependent >pon the initjating event and any preceding system failures. The fifth column provides the failure mode contributions to each of the system failures. Five such modes were identified in.the SSPSA: comon cause, dependent, random (also called " hardware"), human error, and test and maintenance. As used herein, dependent failures refer exclusively to failures related to the initiating event and preceding system failures.
The sixth column identifies the fractional contribution of each failure mode to the total system failure probability. For exagle, in Sequence 1, 57%
- of the failure probability of the on-site ac power system is from random fail-ures and 26% from comon cause failures. Note that in many cases (including this example) the column six failure mode contributions do not total to 100%.
This is because only those modes found in the SSPSA as dominant contributors are considered. Resources did not permit detailed examination of individual cut sets and fault trees to extract further detail on failure modes for lessor contributors. In nearly all cases, however, the failure modes identified in the sixth column account for over half of the total system failure probabili-ty, and for many of the systems the identified failure modes contribute over 90% of the total. -
The seventh column identifies the cogonents associated with the relevant failure modes. For the dependent, test and maintenance, and human error modes, no cogonents are identi'ied since for these modes individual component failures are not associated with the system failure. The eighth column pro-vides the individual component contribution to system failure for each failure mode. For example, for Sequence 1, 56.2% cf the system failure probability is due to random failures of diesel generators. The last column provides some clarifying information pertinent to the appropriate system.
! Table 2.5 gives information similar to thati in Table 2.4 for latent fa-tality risks. As discussed previously, five leading sequences contribute to l latent fatality risks. Four of these are also contributors to the core melt probability and therefore the information about them, identical to that in Table 2.4, is not repeated.
From information provided in Table 2.4, Table 2.6 was constructed in order to consolidate the contributions to CMP and risk from systems, failure modes, and components. In Table 2.6, each system is considered separately, as indicated in the first column. Tae second column lists each sequence (identi-fled in Table 2.2) in which the system appears as a contributor to the se-quence probability, and the third column gives the percentage contribution to CMP from each sequence.
2-12 i
e
O 1
Table 2.5 System and Component Failure Contributions to Seabrook Sequences Dominating Latent Fatality Risk (Internal Events Only) i m j % == I* % dan hilwe 2de Quponut - '
- W Whtice htimes Wutr overitut. tens 5 s 1btat huwes 5 e w at amme.te l
} 1 5 i
2 ta l
- l 4 1.2 (See1hble2.4) l 6 3.4 m
18 U.S anstM M saa M was 100 4 stas thutes is also 7 . ,
sooidmet irttiate e-Q
~~ -- - - . _ _ . _ . . . . . _ _ . . - - . - - - -
4 I
l l
I I
i a
l i
i J
~
l
Table 2.6 System and Component Failure and Failure Mode Contributions to Core Melt Probability .
for Seabrook (Internal Events Only)
System railure Mode Contributions, 5 (Contribution to Otr. 5)
Undetermined i set- s.m_ 1r ce r- = cou m-Ruman Test and or -
non. 21 r. ru- m i -+ -- ma. n==sried C:ssite AC 1 14 16 (2.2)-DO 56 (7.8)-D0 Power 15 (2.1) 13 (1.8) 1 service water 2 4 45 (1.8)-P ,32 (1 3)-(1) - - -
23 ( .9)-Y .
Residual Heat 3 3.9 50 (2.0)-P 39 (1.5)-(1)
Removal 11 (.4) -
Solid State 4 3.5 -
29 (1)-(1) -
71 (2.5) - -
Protection Decay Heat 5.11 3.7 -
Removal 100 (3.7) - -
m
- 4. (Long Term) a Primary 6,9,12 4.9 -
90 (4.4)-Y component to (.5) cooling onsite Ac 7,8 3.8 -
82 (3 1)-D0 Power-Train 18 (.7) s A or B Servlee 7,8 38 -
60 (2 3)-Y water-Train 18 (.7)
A or B 22 ( .8)-P
..,.e .,
l .
s e
' 0
1 11 s '
- 3g E C. .a .
g i I I
.I .l I -
'l*s i
- l I i I A"j >
5 a\
8 ;ll! I I I I
- r. e 3
I 1
8 2 2
& il , 5 66
. 11 g .
v . A - S8 8 i c 2 8 t w 1 I I I I 3
- ei -
- l*
f.'
- 3
. I e- o I !
t i I I l
.1 e .
N N a i A A o e'
i J 44 1 , 2 J. , , ,
b ,.
A
- E 6 $~ a A 8 i
l E3 h4 h k.*
i a
8 jm j .sj j
- t. 2 a$2 1
i 2-15
- c. .
I
(
i The remaining six columns give the failure mode contributions, including an " unspecified" column which provides a quantification of the residual fail-ure mode contribution not readily identified in the SSPSA. For the " common l cause" and " random" columns, the cogonent failure contributions to the re-
- spective failure modes are identified.
The numerical entries (first number) j for these columns were obtained from Table 2.4. The number in parentheses is
! the product of the cogonent failure contribution and the percent contribution j of the respective sequence (third column) to the CMP. This value is an abso-i lute measure of the significance of each failure mode and cogonent failure to I
the CMP.
An example will aid in interpreting Table 2.6. The on-site ac power sys-
' tem appears as a system failure element in one of the CMP leading sequences (No. 1). The total contribution of this sequence to the CMP is 14% (shown under totals in the "% CMP" column). In other words, if the on-site ac power system failure probability could be reduced to 0 under the conditions of the accident sequence, the total CMP calculated by the SSPSA for internal events
, would be reduced by 14%. For Sequence 1,16% of the on-site ac power system I failure probability derives from common cause diesel generator failures, 56% -
i from random diesel generator failures, etc.
By multiplying these fractionr. by the core melt contribution (14%), the individual cogonent common cause contribution to core melt probability for Sequence 1 is obtained (these are the values in parentheses: 2.2, 7.8, 2.1, i
and 1.8). Thus, the "% CMP" for the sequence involving on-site AC power (14%)
is made up of a 2.2% contributor from common cause diesel generator failures, 7.8% from random diesel generator failures, 2.1% from test and maintenance, ,
! and 1.8% from undetermined or unspecified in the SSPSA. Thus, if it were pos-sible to eliminate connon cause failures in the,on-site ac power system, the CMP would be reduced by 2.2%, or if random failures in the diesel generators '
could be eliminated, a 7.8% reduction in the CMP would occur.
l Table 2.7 is similar to Table 2.6 and gives the results for latent fatal-ity risks.
]
Table 2.8 consolidates and summarizes the results of Table 2.6 for systen.
failure, component failure, and failure mode contributions. Table 2.8 lists all systems which appear in the twelve leading CMP sequences and the contribu-i tion each system imposes on the total CMP for internal event initiated se-
- quences. Reducing the failure probability to 0 for each system would produce
! the corresponding reduction in CMP. It shoeld be noted that ig roving the re-liability of combinations of systems would not necessarily produce a benefit equivalent to the summation of the corresponding CMP contributions because more than one of the systems may appear in some sequences.
Table 2.8 also provides the failure mode contributions to CMP for each cogonent contribution (last column).
Table 2.9 is similar to Table 2.8 and gives information for the late fa-tality risk.
From the data in Tables 2.8 and 2.9, the following insights are evident:
2-16 .
O
' l Table 2.7 System and Component Failure Contributions to Latent Risk for Seabrook (Internal EYents Only) i l
System Failure Mode Contributions, 5 (Contribution to OtP, $)
t
- 8. Undetermined j System Seq. No. Himan Test and or contrmtion Common Cause Random Dependent Error Maintenance Unspoeified I
l
- Residual Heat 18 17 5 -
100 (17.5)-Y - - - -
, Removal onsite AC 1 5 16 (.8)-Do
- 56 (2.8)-D0 15 (7.5)
Power -
13 (.65)
Primary 6 3.4 -
90 (3 1)-Y - '
Component 10 (.34)
Cooling i
service water 2 13 45 (.6)-P 32 ( .4)-(1) - - - -
, 23 (.3)-Y
- y Solid State 4 1.2 -
29 ( .3)-(1) -
71 (.9) - -
1 Protection 3
i-Reactor Coolant 1,2,6 9.7 - -
100 (9.7) - - -
l Pump Seal
- Cont. b1dg. 1,2,4 7.5 - -
100 (7 5) - - -
Sprays -
f.
Emergency 4 1.2
! Feedwater 100 (1.2) - - -
i High-Pressure 4 1.2 Makeup 100 (1.2) - - -
)
l l
l i
f f
l
i *
\
Table 2.8 Summary of System and Component Failures and Failure Mode Contributions to CMP for Seabrook (Internal Events Only) .
j
, Failure Mode Contribution (5)
Component Failure cameon . Hausen Test and Contribution 3y =6 - t e-* =t henti on huma en ' - - Dan d at F;a DImintena - 3--- nified (f) i I Besetor Coolant 26.9 - -
26.9 - - - -
! Pump Seal
! onsite 14 2.2 7.8 - - 2.1 1.8 10-DG AC Power
] -
Primary 4.9 - 4.4 '- - - .5 4.4-V i Component j Cooling j F.eersoney 4.9 - -
4.9 -
Feedwater 3'
- 7 Service 4 2.7 1.3 - - - - 1.8-P
$ Water .9-Y 1
! Roaldual 3.9 2.0 1.5 - - .4 - 2.0-P l Rat i
i Removal 1
) onsite AC 3.8 -
31 - - -
.7 3.1-D0 L 1 Power-Train l l AwB j '
Service Water 3.8 -
31 - - -- .6 2 3-V Trmin A or B .8-P l - ~ - - . . . . . . . . . .
4 J
l i l
j .
I i
j ..
4 Tabl e' 2.8 Continued
, . Failure Mode Contribution (5) 1 . Component i Failure .
- em Human Test and
- Contribution l Systee 5 Contribution Cause Random Dependent Error Maintenance Usapecified ($)
Decay Nest 3.7 - - -
37 -
] Removal
- j (Long Term) l Solid State 3.5 - 1 - 2.5 .
j Protection j Remotor Trip 3.5 - -
35 - - - -
i i High-Freasure 3.5 - -
3.5 - - - -
1 Makeup
- -N" " * * * * ~ ~ -. . , , , , _
3 -
W l
l i
1 1
I 1
l t
+
l 1
i I
i l
l i
i
- i 1
i =
l 3
1 '
a
i Table 2.9 Sunnary of System and Component Failures and Failure Mode Contributions to Latent Fatality Risk for Seabrook (Internal Events Only)
Mn 7bde contribution (5)
~,--
3 Fates Whaber Human Test and hilm
\
i Castribution Onnen aandon W Irror Maintenance Unspoeffied Contribution (5)
- nesidual 18 17.5 Heat memoval 17 5 - - - -
17.5-7
- neecter (beleet 1.2.6 97 hap Seal ~
97 - - - -
Coet. sids. 1.2.4 7.5 -
Sprays 7.5 - - - -
i onette aC huer 3
.8 2.8 -
.75 .65 3.6-00 a
- y Fesmery 6
, e _ 3.4 -
3.1 - - -
.34 3 1-Y NW o
f-l Service 2 1.3 Water .9 .4 - - - -
.6-P
.3-Y Solid State 4 1.2 -
protection 3 -
.3 - - -
": _ T. 4 1.2
- 1.2 Feedwater - - - -
}
} ate rr.eme. 4 i.2 - -
1 N i. - - - -
= = ,
96@ g
' e I
l .
l
6 -
s, The reactor coolant pump seal, on-site ac power, primary component cooling, and emergency feedwater system failures are major contribu-tors to the core melt probability from leading core melt sequences in descending order of significance. However, none of these systems is a particularly significant contributor. It should be noted that, in some cases, dependent failures are dominant contributors.
Random and dependent failure modes appear to dominate failures of the systems ig ortant to CMP, with diesel generators being the leading (but not overly significant) component contributing to failure.
Residual heat removal system failure is the most significant system 4
failure contributing to late fatality risks.
Random and dependent failures are the most important mode contributing to late fatality risks.
Early fatality risks (as discussed previously) result essentially en-i tirely from the contribution of a dependent failure of the residual '
heat removal system.
2.3 External Events This section presents a summary of the results of the external events risk analysis from the SSPSI..
The SSPSA considered a total of eight external event initiators. These are listed in Table 2.10, with indications of which events were found to be significant contributors to risk and core melt probability. Only two, earth-quakes and fires (within the plant), were found to be significant.
According to the SSPSA (Table 13.2-11), the total core melt probability from external events accounts for 20% of the total CMP, of which about 11% is from fires and the remainder (9%) from seismic events.
Table 2.11 shows the seismic initiated events that dominated core melt probability and late fatality risks in the SSPSA assessment. This information was not directly obtainable from the SSPSA results, but was derived by the procedure described in Appendix A. Because of assumptions and methods of es-timation, the results are approximate only. The second column of Table 2.11
" Containment Ressonse " indicates the containment function (isolation or cool-ing) which was Lost as part of the ' sequences associated with the initiating event. The last three columns indicate the approximate percentage that each initiating event and containment response combination contributed to CMP and to early and late fatality risks from seismic events.
As Table 2.11 indicates, loss of off-site power with subsequent failure of containment isolation (<3" openings) is the dominant contributor both to CMP and to early and late fatality risks.
Table 2.12 provides a summary of the SSPSA results for fire initiated accidents. Fires in the control room are dominant CMP and late fatality risk contributors. Fire initiated accidents represent a negligible contribution to
, early fatalities.
2-21
Table 2.10 External Event Initiators Considered in the SSPSA for Seabrook Event Signiticant Seismio Yes Fires (Internal) Yes Wind No Tornado Missiles No Aircraft . No Hazardous Charicals No Floods No Fires (External) No 6
e e
9 p.,
- h o
9 2-22
.o, ,
Table 2.11 Summary of External Event Risks from Seismic Events for Seatrook 5 Contribution Contai ment hequency Core Early late Initiating Event Responas Par Year hit htality htality Loss of Offsite Power Small Isolation 1 75-5 7.4 ~.5 42 9 Failure (<3")
l Laras Isolation 2 38-7 e e 2.6 ,
Failes (>3")
Failure of Solid State Laras Isolation 1.6E-7 8
- 1.8 -
Protection System hilwe (>3") t Totals 1 75-5 74 ~.5 47 3 ,
- Negligible Table 2.12 Sunmary of External Event Risks from Fires for Seabrook
$ Contribution Fire Location Frequency CMP Early Fatalities Late Fatalities
~
Control Roos 8 7E-6 38 e 2.0
- Frimary Component 4.1E-6 1.8 e 9
Cooling Area Cable Spreading 3 5E-6 1.5 e .8 Room Turbine Building 2 3E-6 1.0 e
- l Totals 1. 86 E-5 8.1 8 37
- Negligibl e 4
2-23
Based on the preceding discussion of external events, the following in-sights were derived:
The SSPSA determined that, of eight different external events con-sidered, only those accidents initiated by internal fires and earth-quakes were of significance to CMP or risk.
External events are a modest contributor to CMP (20%), with seismic events cont 'ibuting about 9% and internal fires about 11%.
Seismic events are a significant contributor to late fatalities *
(about 47%). Fires do not contribute to early fatalities, and only about 4% to the total late fatality risk.
The leading seismic initiated accidents contributing to CMP and late fatalities are those resulting in loss of off-site power with loss of containment isolation.
The leading fire initiated sequences contributing to CMP and late '
fatalities are fires in the control room. Fires did not contribute to early fatalities.
REFERENCES
- 1. "Seabrook Station Probabilistic Safety Assessment," Pickard, Lowe and Garrick, Inc., December 1983.
O
+
e 2-24 .
i
- 3. INSIGHTS FROM THE SHOREHAM PROBABILISTIC RISK ASSESSMENT 3.1 Introduction This section presents an o
~
abilistic Risk Assessment (PRA)yerview of the results and selected from insights the Shoreham derived from these Prob-re- '
a sults. It also includes cog arative results and insights from a review of the PRA performed by Brookhaven National Laboratory for the NRC.2 It is not the t
purpose of this effort to review the PRA or to judge the validity of the BNL review. Rather, the result s from both the PRA and the BNL review are used as is, and the insights are provided based entirely on these results.
4 Following a brief overview of the PRA and BNL results, the leading acci-dent sequences contributing to core melt probability are examined in detail to obtain the following insights:
Relative significance of initiating events.
System and cogonent failure contributions to leading accident sequen- '
ces.
i .
Failure mode (i.e., human error, random, dependent, etc.) contribu-i tions to leading accident sequences.
In conjunction with these insights, additional perspective is provided as i l
appropriate, regarding the relative significance of leading sequences and the different characteristics of the accident sequence " mix" for core melt proba-
! bility.
The scope of the Shoreham PRA did not include external events 'except for
- flooding at elevation 8 of the reactor building. Therefore, the results for 1
internal and external accident initiating events are considered together both
) here and in the PRA itself. Section 3.3 addresses risk; however, this subject t was not fully developed in.the PRA.
I j 3.2 Internal ' vents E
i events.
This section presents results and insights from internal initiating I Internal initiators are defined in the PRA as loss-of-coolant acci-dents, transients and manual shutdowns, initiators coupled with failure to i
scram, and other low frequency transient events. Transients are confined to those disruptions listed in Table 3.1 and have been grouped into six major categories. Table 3.2 lists the plant-specific low frequency transients.
3.2.1 Overall Results i
According to the PRA, the total core melt probability from internally J
initiated accidents is 5.SE-5/ reactor-year. The PRA does not address the in-dividual risk of early and latent fatalities. The BNL review requantified the
, PRA CMP and arrived at a value of 1.42E-4/ reactor-year.
i
'l 3-1 i
Table 3.1 Summary of the Categories of BWR Transients Used in SNPS-PRA
.; Transient Initiator Groua
- 1. Electric Load Rejection ,
Ty
- 2. Electric Load Rejection with Turbine Bypass Valve Failure , TC r
, 3. Turbine Trip TT
- 4. Turbine Trip with Turbine Bypass Valve Failure TC
- 5. Main Steam Isolation Yalve closure .
Tg j i
- 6. Inadvertent Closure of One MSIV (Rest lOpen) TT l
- 7. Partial MSIV Closure TT
- 8. Loss of normal Condenser Vacuum TC
- 9. Pressure Regulator Fails Open Ty
- 10. Pressure Regulator Fails Closed TT
- 11. Inadvertent Opening of a Safety / Relief Valve (Stuck) TI ..
- 12. Turbine Bypass Fails'0 pen TT .!
l' .
- 13. Turbine Bypass or Control Valves Cause Increased Pressure Ty
- (.Cl os ed)
,1
- 14. Recirculation Control Failure -- Increasing Flow TT
- 15. Recirculation'dontrol Failure -- Decreasing Flow - Ty
- 16. Trip of One Recirculation Pump .
TT ,
- 17. 2 Trip of All Recirculation Pumps TT
- 18. Abnormal Startup of Idle Recirculation Pump Ty
- 19. Recirculation Pump Seizure Ty
- 20. Feedwater -- Increasing Flow at Power , TT
- 21. Loss of Feedwater Heater IT 3-2 m . _ _ . ... .. . .. ... .. . . . ,. _ . ,, , , , , ,.
Table 3.1 Continued .
Transient Initiator Grouc
- 22. Loss of All Feedwater Flow Tp
- 23. Trip of One Feedwater Pump (or Condensate Pump) Ti
- 24. Feedwater -- Low Flow TT i
- 25. Low Feedwater Flow During Startup or Shutdown TT
- 26. High Feedwater Flow During Startup or Shutdown TT f
- 27. Rod Withdrawal at Power TT
- 28. High Flux Due to Rod Withdrawal at Startup TT .i
- 29. Inadvertent Insertion of Rod or Rods '
TT
- 30. Detected Fault in Reactor Protection System TT
- 31. Loss of Offsite Power TE
- 32. Loss of Auxiliary Power (Loss of Auxiliary Transformer) TT
- 33. Inadvertent Startup of HPCI/HPCS TT 34 Scram due to Plant Occurrences T' T.
- 35. Spurious Trip via Instrumentation, RPS Fault 'TT
- 36. Manual Scram -- No Out-of-Tolerance Condition TT
- 37. Cause Unknown TT i
' ~!
I NOTE:
TT - Turbine Trip TM - MSIV Closure TC - Loss of Condenser TI - Inadvertent Open Relief Valve TE - Loss of Offsite Power TF - Loss of Feedwater Flow I
3-3
o .
Table 3.2 Other Postulated Low Frequency Transients Transient Initiator
- 1. Excessive Release of Water into Elevation 8 of the Reactor Building (Sum Over Maintenance Component Failure Initiators).
- 2. Loss of DC Power Bus. ,
- 3. Reactor Water Level Measurement System - Reference :
Line Leak. I 4 Drywell Cooler Failure.
- 5. Loss ~of Service Water. , ,
- 6. Loss of AC Power Bus.
4 6.
O 4 $8 e
l l
I 3-4
. ., t ..
. i 3.2.2 Dominant Sequences-1 Table 3.3, reproduced from Table 5-14 of the BNL Review, lists accident sequences that are leading contributors to core melt probability, based upon the PRA and the BNL review. It provides some interesting insights relative to the significance of individual accident sequences and the mix of sequences contributing to core melt probability:
In the PRA, no single sequence makes a very large contribution to core
- melt probability. The leading sequence contributes only 12% to the total, and the 15 leading sequences contribute 55%.
The BNL results are similar in that the leading sequence contributes only 7% to the total, and the 15 leading sequences contribute 60%.
P It should be noted that the BNL results for percent contribution are calculated on a total CMP different from that in the PRA, and that the top five BNL sequences have a higher frequency than the leading PRA sequence. ,
- 3.2.3 Initiating Events Table 3.4, constructed from information in the BNL review 2 provides a
' breakdown of core melt contributors in which accident sequences have been
" binned" on the, basis of common accident initiating events and early vs late core melt. It gives the aggregate p'robability of all sequences in each cate-gory as estimated by the PRA and by the BNL review, as well as from the fif-teen leading sequences of each review fou'nd in Table 3.3. As indicated in the
- fourth and sixth columns, the cate gories used c~ontribute 99.8% to thi total PRA core melt probability and 99.3% to the BNL estimate.
t .
The information in Table 3.4 from the total CMP listings was used to es-tablish the relative contribution from important initiating event classes.
Table 3.5 gives the data for five initiating event categories. Based on the results in Table 3,5, the following insights are provided:
Transients overwhelmingly dominate core melt probability with a great-er than 95% contribution in both the PRA and BNL review.
The PRA and BNL reviews were very consistent in this area. The major difference was in "the LOCA contribution, for. which BNL estimated a lower percentage, but the actual frequencies were close.
3.2.4 System and Component Failures and Failure Modes The contribution to core melt probability from individual system and com-ponent failures, as well as failure modes (human error, dependencies, etc.)
were examined. This analysis does not include the BNL review results. Table 3.6 gives the contribution from system and component failures to each of the 15 PRA core melt probability sequences (1 through 15 of Table 3.3). The in-formation was obtained from various sections of the PRA and from additional analyses needed to extract individual contributions. It should be emphasized that the breakdown of each system within this table was not derived directly from sequence cut sets. Rather, the breakdown came from the analysis of each 3-5
s 4
Table 3.3 Leading Sequer!ces for Contribution to CMP from Shoreham PRA and BNL Review (Internal Events)
Leading Shoreham PRA Class / '-
Sequences Cumulative Sequence Description Subclass Probability % CMP % CMP ,
- 1. T(M2)C(M)C(2) MSIV closure transient with failure to IV 6.4E-6 12 12 l scram and failure of one of the standby liquid control system loops. .
- 2. T(C)UX Loss of condenser transient with failure IA 2.1E-6 5 17 of all high pressure injection systems and failure to depressurize.
- 3. T(T)QUX Turbine trip with failure of feedwater, IA 2.4E-6 5 22 all high pressure injection systens, and depressurization.
?> 4. T(D)D(IgQ Loss of a dc bus with failure of the IA 2.2E-6 os 4 26 diesel generators for at least two hours and recovery of the offsite power system after 30 minutes as well as a loss of feedwater.
S. T(E) IV DUX Loss of offsite power with recovery in IB 2.2E-6 4 30 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, loss of the diesel generators for at least 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, failure of all high pressure injection systems, and failure to depressurize.
- 6. FS(0)00X Reactor building flood with failure of ID 1.7E-6 3 33 feedwater, all high pressure injection j systens and depressurization.
l 4
Table 3.3 Continued '
Leading Shoreham PRA Class /
Sequences Cumulative Sequence Description Subclass Probability % CMP % CMP
! 7. T(E)III(C)DV Less of offsite power with recovery in IB 1.5E-6 3 36 four hours, failure to scram, failure to ,
recover the diesel generators ip two hours, and failure of the low pressure injection function.
i 8. T(F)C(M)U Loss of f.eedwater with mechanical IC 1.5E-6 3 39
. failure to scram and failure of the
, high pressure injection function.
l 9. T(E)C(M)UD Loss of offsite power with mechanical IV 1.5E-6 3 42 i failure to scram, failure of the high I pressure injection function and failure i y> to recover the diesel generator within N
two hours.
l 10. T(C)W'W" Loss of condenser transient followed by II 1.5E-6 3 45 loss of containment cooling (late melt).
- 11. M(S)QUX Manual shutdown with failure of feedwater, IA 1.3E-6 2 47 the high pressure injection function, and depressurization.
l 12. T(E)III(A)DUV Loss of offsite power for four hours with IB 1.2E-6 2 49 1 a large LOCA, diesel generator failure with no recovery in two hours, failure of the high pressure injection function and failure to depressurize.
e 0
e.
Table 3.3 Continued Leading Shoreham PRA Class /
Sequences
, Cumulative Sequence Description ' Subclass Probability % CMP % CMP
- 13. T(E)W(D) . Loss of offsite power with failure of II 1.1E-6 2 51
, containment cooling and failure to restore the diesel genertor within two hours.
14 T(R)RQUX Loss of level measurement transient with IA 1.1E-6 2 53 loss of the redundant reactivity control system, loss of feedwater, loss of the
- HPI function, and failure to depressurize. '
- 15. T(F)C(M)C(2) Loss of feedwater transient with mechani- IV 1.0E-6 2 55 cal failure to scram and failure of one of the standby liquid control, system loops.
ca 03 l
6 e
e 9
e
- t Table A3 Cbntinued l Leading BNL Review Class /
Sequences Cumulative Sequence Description Subclass Probability % CMP % CMP
, 1. T(T)C(M)K(Q) Turbine trip with mechanical failure IV 1.0E-5 7 7 to scram, failure of alternate rod insertion, and failure of feedwater.
4
- 2. T(E)lDGL Loss of offsite power. recovered in 30 IB 1.0E-6 7 14 minutes with failure of the dieshl generators, drywell heat removal, and level control.
I 3. FS(0)QUX Reactor building flood with failure of IA ~
1.0E-5 7 21 feedwater HPI functions, and depres-
, surization.
4 T(M)C(M)KU(H) MSIV closure transient with mechanical IV 8.3E-6 6 jy failure to scram, failure of alternate 27 e
rod insertion, failure of HPI function, and operator fails to initiate RHR within, two hours.
5 T(T)C(M)KUH Turbine trip with mechanical failure to IV 6.7E-6 5 32 scram and failure of alternate rod insertion. HPI function, and operator initiation of RHR in two hours.
- 6. T(E)IV D ' Loss of offsite power with recovery in 10 IB 6.7E-6 5 37 hours4.282407e-4 days <br />0.0103 hours <br />6.117725e-5 weeks <br />1.40785e-5 months <br />, and failure of the diesel genera-tors to be recovered within two hours.
.- m I . __ ____ _ _ _ _
~
l M '
Table 3.3 Continued Leading BNL Reviem Class / Cumulative Sequences Sequence Description Subclass Probability % CMP % CMP
- 7. T(T)QUX Turbine trip with failure of feedwater, IA 5.5E-6 4 41 -
HPI function, and depressurization. -
- 8. T(T)C(M)C(2) Turbine trip with mechanical failure to IV 4.2E-6 3 44 scram and failure of one standby liquid control system loop.
- 9. T(C)UX Loss of condenser with failure of HPI IA 4.2E-6 3 47 function and failure to depressurize. i
- 10. T(T)C(M)U(H) Turbine trip with mechanical failure to IV 3.9E-6 3 50 scram and failure of HPI function and failure of operator to initiate RHR within j two hours.
i* 11. T(E)IIIDUX Loss of offsite power with recovery in IB 3.3E-6 2 52 Es four hours and failure to recover diesel generators within two hours, failure of HPI function, and failure to depressurize.
- 12. T(SW)TSUV Loss of service water with failure to ID 2.6E-6 2 54 crosstie turbine building service water and the unavailability of the power con-version system (for both injection and heat sink functions), the failure of HPI function and failure of LPI functions.
i
- 13. T(SW)TSUX Same as above except'that instead of failure IA 2.6E-6 2 56 of the LPI function there is failure to depressurize. .
O e e G
I e
.o*
Table 3.3 Continued Leading BNL Review Sequences Class / Cumulative Sequence Description Subclass Probability % CMP % CMP
- 14. T(M)QUX MSIV closure transient with failure of IA 2.5E-6 2 58 feedwater, HPI functions, and depressuri-zation.
- 15. T(C)W Loss of condenser with failure of contain- II 2.5E-6 2 60 ment heat removal functions.
I.
t e
C i
6 1
\
J .
l a _
t 3 6 8 6 3 o 0 0 0 0 T 4 9 1 3 9 .
) 1 1 2 5 1
y l
n O
s 5 5 l 9e 5 - 6 - 5 a nc - E - E -
n r
Lin Nde 0 E
4 7 -
E 5 - 3 1
E 3
$au e eq L e 2 2 2 3 8 t S I
n
(
l .
g a 8 7 2 7 0 4 n t o 8 2 1 0
4 0
6 0
3 i T 2 1 5 i
m 1 T
d n 9e s
6 6 5
a nc - - E 6
6 5
Sin E E 8 - E - E - E t Pde 9 5 1 6 9 9 6 n Nau Seq 4 1 1 2 -
8 2 e Le D v S E e g
n l a
i 7 1 0 8 t t 4 0 3 8 9 7 1 2 -
o 0 a T 0 7 8 1 9 i 2 3 3 9 t 1 i
I n
5 5 y l 5
- E
- 7
- E
- 6 5
7 4
b La E 6 E 5 E E E E Nt 9 - 2 3 2 3 5 0 4 d So T 2 5 5 e
p 1 1 4 2 1 u
o r 9 G l a 7 m t 8 9 8 6 6 a o 1 5 8 4 8 1 0 8 T 7 h 1 7 2 1 3 1 5 9 e 1 3 1 2 9 r
o h 5 6 S 6 6 - 6 - 6 5 8 5 l - - E s E - - - -
r Sa Pt E
9 E
0 1
8 E
0 0
5 E
0 E E E o No
$T 9 4 7 6 f 4 1 1 7 1 1 3 5 -
s -
e c
n e T u s N 0 E -
q s 1 A I a -
e l 8 C 8 C
O S
N I
I V
I V -
S S C 1 I L A I -
A I R t D I I T C I n I e
d i -
c s -
t c n A s t t s
i e e r k n
e n e s
n u
l 4 e i i a i l p s s r a l y n n T F e 3 T a a w r r I t y -
e c e T T e n r ~
s t e D S l n ) ) s a m L b e n n a L n e A a q u e v
ev l i d T T C e . a i O e i i r r t t t s T S D a n n t D
(
D C L e o u
( t C O r , s /
p S e A n A S A o U h C a C W C o T t O r O T O L A O L T L A L YM i! ' ;
1, 4,
Table 3.5 Initiating Event Categories Contribution to Core Melt (Internal)
Initiator % Contribution to CMP Shoreham BNL LOCA 3.6 1.28 LOCA Outside Drywell 0.067 0.1 ATWS 32.35 31.7 LOOP 17.8 20.4 Other Transients 45.98 45.8 Total s 99.8 99.28 O
- m e
b 3-13 .
s b O
, 1 Table 3.6 System and Component Failure Contributions To Shoreham Leading CM Sequences -
t 1 &M System Dontnant Component Sequence Contribution Failures Probability Failure Contributton 1 of Total Failures s of Total
- l. T(M2)C(M)C(2) 11.5 SCRAM IE 5 Common Cause 100 Control Rods 100
, SLC 1.05E-1 Human 95.2 - -
2 T(C)UI 5.6 RCIC 6.873E-2 Test and P.afntenance 16 - -
Random . ,64 Pressure Sensors 8. 7 Temperature Eles. 37.8 MOV's 17.5 HPCI 9.63E-2 Test and Maintenance 10.4 - -
i
' Human 13.5 - -
Random 45.5 Pump and Turbine 15.5 M0V's 30 ADS 8.56E-4 Cannon Cau'se 47 Solenoid Valves 35 Contam. Air Supply 12 Human 33 Y
N
- 3. T(T) QUI 4.3 Feedwater 5.46E-2 Common Cause 11 ,
- Human 58.6 -
Random 4.4 Pressure Sensors 4.4 RCIC*
HPCl*
- ADS *
- 4. T(D)D(I)Q 4.1 Diesels 3.8 10-3 Common Cause 90 Randan 10
' Feedwater*
4
- Analyzed Above
- '" ** e seg e-e, _ _ _ _ _
M i
Tv l
J Table 3.6 Continued 1 CM System Dominant Component Sequence Contributton Failures Probability Failure Contribution 1 of Total Failures 1 of Total 5 T(E)IVDUI 4.1 LPCS 3.62E-3 Human 58 - -
Common Cause' 13.5 Pumps (Motor-driven) 100 Dependent . , 7.1 Test and Maintenance 3.9 - -
LPCI 2.68E.3 Human 82 - -
Dependent - 9.7 Test and Maintenance 5.2 Diesels
- HPCI*
RCIC*
ADS *
- 6. FS(0)QUE 3. 0 Feedwater*
HPCl*
RCIC*
g ADS *
. e Q 7. T(E)IIICDV 2.7 SCRAM
- Diesels
- LPCS*
LPCl*
- 8. T(F)C(M)U 2. 7 SCRAM
- HPCI*
RCIC*
' Analyzed Above e
d
~
Table 3.6 Continsed 1 CM System Dominant Component Sequence Contrioution Failures Probability Failure Contributton 1 of Total Failures 1 of Total 4
9 T(E)C(M)UD 2.7 SCRAM
- HPCl*
4 RCIC*
Diesels
- i 10 T(C)W'W" 2.7 RCICSC 1.4E-1 Human 37 - -
Randas 7. 5 MOVs 5.7 i Pressure Sensors 1.8 RHR 4.83E-4 Dependent 54 Test and Maintenance 29 - -
Common cause 7. 3 Pumps 100 -
Condensate 1.23E-1 Human 20 - -
Dependent 1
- 11. M(S) QUI 2.3 Feedwater*
IPCI*
RCIC*
- i y, 12. T(E)tII(A)0UV 2.2 Olesels' w HPCl*
RCIC*
' LPCI* .
LPCS* ,
' Analyzed Above 4
r .
- "-*~*--.- . . _ . _ _
~
- I
C Table 3.6 Continued 1 Of System Dominant Comoonent Sequence Contribution Failures Probability Failure Contribution 1 of Total Failures 5 of Total
- 13. T(E)W(D) 2 RHR
- Condensate
- Diesels *
.o 14 T(R)RQUX 2 Feedwater*
HPCl*
RCIC*
I ADS
- 15 T(F)C(M)C(2) 1.8 SCRAM *
- SLCS*
1 o
e
- Analyzed Above
~ - - * '
t; l
l t
t .
=
i i
individual system. This was necessitated because sequence cut sets were not provided. The reader is therefore cautioned that any sequence-dependent. fail-ures listed in the table are based upon this review and due to the limited scope of this review the listings may not be exhaustive.
The first column of Table 3.6 identifies the sequence by number and des-ignation corresponding to the Table 3.3 sequences. The second column provides
- the core melt probability contribution (in percent) from the individual se-quences. The third column lists all of the system failures associated with each sequence, and the fourth column gives the probability of each system failure. It is igortar.t to note that these probabilities, as provided in the PRA, are conditional, that is, dependent upon the initiating event and any preceding system failures. The fifth column provides the failure mode contri-butions to each of the system failures. Five such modes were identified in the PRA
- coninon cause, dependent, random, human error, and test. As used herein, dependent failures refer exclusively to failures related to the initi-ating event and preceding system failures.
~
The sixth column identifies the fractional contribution of each failure mode to the total system failure probability. For example, in Sequence 1, 95.2% of the failure probability of the standby liquid control system is from human error and the remainder is not specified. Note that in many cases (in-cluding this example) the column six failure mode contributions do not total to 100%. This is because only those modes identified in the PRA as dominant contributors are considered. Resources did not permit detailed examination of i individual cut sets and fault trees to extra ^ct further detail on failure modes l for lesser contributors. In nearly all cases, however, the failure modes i identified in the sixth column account for over half of the total system fail-ure probability, and for many of the systems the identified failure modes con-tribute over 90% of th*e total.
The seventh column identifies the components associated with the relevant failure modes. For the dependent and human error modes, no components are identified since for these modes individual cogonent failures are not as sociated with the system failure. The eighth column provides the individual component contribution to system failure for each failure mode. For example, for Sequence 1, essentially 100% of the scram system failure probability is
- due to common mode failure of the control rods to insert.
From information provided in Table 3.6, Table 3.7 was constructed in order to consolidate the contributions to CMP from systems, failure modes, and i components. In Table 3.7, each system is considered separately, as indicated in the first column. The second column lists the number of sequences (identi-fied in Table 3.3) in 'which the system appears as a contributor to the se-quence probability, and the third column gives the aggregate percentage con-tribution to CMP from these sequences. '.
The remaining six major columns give the failure mode contributions, in-cluding an " unspecified" column which provides a quantification of the resid-ual failure mode contribution not specified in the PRA. For the " common cause" and " random" columns, the cogonent failure contributions to the re-l spective failure modes are identified. The numerical entries for these col-umns were obtained by taking the product of the component failure or failure mode contribution from Table 3.6 and the percent contribution of the i
, 3-18
_ - . . _ . _ . - _ . _ _ _ _ _ _.- ~_
Table 3.7 Total System and Component Failure Contributions from Leading Cut Sets e Or ,
RAN00N MMAN TEST &
5f51EM SE0s. 1 CMP COMMON CAUSE
. ERAGR5 MAIN 7 INf5PEC. SEPENDENT Overall Control Solenold Contas. Ibterfred Overall Pressure Temp. Turtine 1 aods valves Air Supply Pumps Unspec. 1 Sensors Eles. MOV's & Pump SCRAM 5 21.4 21.4 21.4 12.66 0.64 SLC 2 13.3 20.22 2.75 11.85 5.53 5.06 6.32 acIC 10 31.5 13.15 8.67 4.48 3.9 3.0 8.04 HPCI 9 28.9 7.45 2.56 7.03 4.26 A05
- 6 21.3 10.0 l
1.73 0.69 0.69 9.2 4.08 FEEDWATER 5 15.7 1.73 e 16.02
- 1.78 OIESEL5 6 17.8 16.02 ,
1.22 5.22 0.35 I.58 0.64
- LPC5 3 9.0 1.22 7.30 0.47 0.28 0.87
- LPCt 3 9.0 0.20 0.05 0.15 1.0 1.5 ACIC5C 1 2.7 .
to 't.36 0.46 2.54 4.7 0.34 0.34 L Rm 2 0.H 3.71 0.05 CONDENSAIE 2 4.7 34.26 47.33 10.24 32.87 4.1 TOTAL 5 50.71 21.4 7.45 2.56 8.56 17.75 3.49 18.85 14.35 4.48 .
w
- em e.eer
"** +em ees= = , in-ea
.m' l
l i
i
- I
respective sequence (third column of Table 3.7) to the CMP. This value is an absolute measure of the significance of each failure mode and component fail-ure to the CMP.
An example will aid in interpreting Table 3.7. Tne reactor core isola-tion cooling system (RCIC) appears as a system failure element in ten of the CMP leading sequences. The total contribution of these ten sequences to the CMP is 31.6% (shown under the "% CMP" column). In other words, if the RCIC failure probability could be reduced to 0 under the conditions of the ten accident sequences, the total CMP calculated by the PRA would be reduced by 31.6%. For the ADS, 47% of its failure probability derives from common cause failures, of which 35% are common cause SOV failures and 12% arise from con-taminated air supplies (Table 3.6). By multiplying these fractions by the core melt contribution (Column 3), the individual cogonent coJnmon cause con-tribution to core melt probability is obtained.
Tables 3.8, 3.9, and 3.10 consolidate and summarize the results of Table 3.7 for failure mode, system failure, and component failure contributions to ,
CMP, respectively. Table 3.9 lists all systems which appear in the 15 leading CMP sequences and the contribution each system imposes on the total CMP for internal event initiated sequences. Reducing the failure probability to 0 for each system would produce the corresponding reduction in CMP. It should be noted that improving the reliability of combinations of systems would not necessarily produce a benefit equivalent to the summation of the corresponding CMP contributions because more than one system appears in some sequences. The net effect of reliability improvements for combinations of systems would have to be determined from Table 3.6. ,
From the data in Tables 3.8, 3.9, and 3.10, the following insights are evident:' -
. The reactor core isolation cooling and high pressure coolant injection system failures dominate the core melt probability from leading core melt sequences in that order. However, neither of these systems is a particularly significant contributor.
. Common cause failure appears to dominate failures of the systems igortant to CMP, however, this is driven by the major role of ATWS in the leading CMP sequences.
Human error contributes almost 50% (47.33%) of the overall CMP.
. With respect to failure to scram, it is clear that the assugtions made about scram failure probability and the total dominance by CMF of the control rods drive the conclusions derived from Tables 3.5, 3.7, 3.8, 3.9, and 3.10. The PRA states that these assugtfons were taken directly from NUREG-0460 and that their own evaluation of the specific Shoreham design (not used in the PRA) would reduce the scram system contribution to CMP to around 10%. This could have a large impact on the insights derived from the above tables.
3-20
__ m __ .
s-- -- -
. _ _ - _ _ _ _ _ _ _ __ _ _ _ _ - ~
Table 3.8 Failure Mode Contribution to CMP from Leading Cut Sets FAILURE MODE % CONTRIBUTION COMMON CAUSE 50.71 HUMAN 47.33 ,
RAND 0M 34.26 UNSPECIFIED 32.87 TEST & MAINTENANCE 10.74 DEPENDENT 4.1 Table 3.9 System Contribution to CMP Table 3.10 Component Contribution to from Leading Cut Sets CMP from Leading Cut- Sets SYSTEM % CONTRIBUTION COMPONENT % CONTRIBUTION _
RCIC 31.6 CONTROL RODS 21.4
~
HPCI 28.9 MOVs 14.35 SCRAM 21.4 TEMP. ELEMENTS 11.85 :
ADS 21.3 SOLENOID VALVES 7.45 DIESELS 17.8 TURBINE & PUMP 4.48 i
FEEDWATER 15.7 PRESSURE SENSORS 3.49 SLC 13.3 MOTORIZED PUMPS 1.56 ,
LPCS 9. 0 "'
LPCI 9.0 .
RHR 4.7 i CONDENSATE 4.7
! RCICSC 2.7 3-21 j l
3.3 Risk .
Long Island Lighting Company divided the PRA effort into three phases:
- 1) the probabilistic evaluation of event sequences; 2) was an in-plant conse-quence evaluation, and 3) the ex-plant consequence evaluation. The results of Phase 1, i.e., the core melt probabilities, are addressed in Section 3.2, above. This section would normally address the results of Phase 3, but Phase 3 is not a part of the published PRA. Therefore, the results of Phase 2 are briefly results.addressed although this is not a satisfactory substitution fgr Phase 3 Phase 2 of the PRA was not included in the BNL PRA review.
The PRA allocated the core melt sequences into 16 re~ lease categories, the parameters of which are defined in Table 3.11 (Table 5.3.2 of the PRA).
The severe potential radiological impacts and frequencies are summarized in .
Table 3.12 (from Table 2 of the PRA), which shows that only three of the 16 release categories have been designated as severe (7,13, and 14). These are described in Table 3.13. The PRA defines its qualitative measures of radiolo-gical inpact as follows:
Severe -- the entire core inventory of the noble gases is released, and large fractions of the volatiles and particulates are released.
Moderate -- a large fraction of the noble gases and some fraction of the volatiles and particulates are released.
Minor -- primarily noble gases are released, and small fractions of the-volatiles and particulates are released; this implies that very long warning times are available to inplement protective actions to mitigate the effects of the release. .
4 Negligible -- a very small fraction of the fission products is released i
since core melt is arrested, ca the containment leakage is very slow; this also implies that protective actions may not be required.
The following insights are offered based on the foregoing:
The three " severe" release categories represent about 0.33% of the total core melt probability and expectedly have the shortest warning times.
These three release categories would be expected to dominate early ~
fatalities.
Interfacing systems LOCA is included in the severe category, but it does not appear to dominate as it does in some of the other studies.
REFERENCES
- 1. "Probabilistic Risk Assessment Shoreham Nuclear Power Station," Long Island Lighting Co./SAI, June 1983.
l
- 2. "A Review of the Shoreham Nuclear Power Station Probabilistic Risk Assessment," NUREG/CR-4050, Brookhaven National Laboratory, Junte 1985.
l 3-22 d
- - - - - . l - . - - _"* _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ , _ , _ _ _ _, _ _ _ _ _ _ _ , _ _ _ , _ _ , _ __ , ,__p_ __ _ _ _ , _ _ _ _ _ _ ,
s I
i l .
l
. .ee .
's,' *o - .
R S S
- R R S S. S .
=
-xgt .
==s ,
I.R ..
i 8 s.we w . . i e ;
e ;
i 5 .
c
.g=. . . . .
o o E.E u EN
>< 3 S S S S S S S S S S S S S S c ,w a dd-O. .
e .
X 48 w i WE4 c -g, -
o g-.
" 35 m .m . ~ ~ . . . .
~ ~ ~ ~ n n - ~ ~ ~ ~ ~ - . .
5-
= NEW w
+' l 4
o I .
.b. 8 "E a.
5 w. . . . . . .a . . o o o o o . .
'
- Eg 4 4 d 4 4 4 4 d d : : .: 4 4 1, m . 5a
- e *M G
E ,
i .
i
- E :
o w
- 5. c.' .
.. . o. a. ..
u gw
_g
. m m. e e n n n n n n - n n w w n - - m n
- e. e. .e. e. .e. a. m.
.- w l d
=
- E! .
m - .
>=
.o W o.~.o . . . ~.a . . .
. . ~. ~.o oe. e o oe. w.
=. m. .. . .
- .o o.
. o.
. - . - - o.
o o - - - - - .o o .o
. .E E W e e a w w a er a se a er er er er
- .-= P C.w a I
- o. o. n. o. e. e.s e. . ~. ~. e. e as m.
su
. n. e.
M .nd.e.x. E N N N .H g me W W n m W N a S em
- 5 m.
ae
'" " " * * * * * * - - - - -o ~=*~ m . w N .A
- 28. ;
a.#. 4>*
e 3-23
Table 3.12 Summary of Shoreham Release Categories with Potentially Severe Radiological Impact Accident Classes Potential Release Contributing to Radiological Frequency Category Release Category Impact of Release 7 III Severe 1.5x10-7 13 Y Severe 2.5x10-8 14 V Severe 1.1x10-8 O
e 0 0 e
e a
3-24 l
1
. - . . _ . = . - - - . - - - . . - --- - _ . . - _ . _ . . _ - _ . - - . . -- . _ _ - . . . _ _ - . . - - .. - -
k Table 3.13 Description of the Severe Release Categories Identified by the Shoreham PRA -
)l Dominant Accident
! Release Sequence Contribution Category General Description
- Basis For In-Plant Analysts j
, 7 1his release category is representative of a Class III accident Large LOCA, failure of vapor suppression, sequence in which the containment falls early in the accident early overpressure failure of containment.
I sequence due to inadequate pressure suppression capability. The fission products released from the core region are discharged .
, directly to the drywell atmosphere and are not significantly
! attenuated prior to leakage from the drywell. This category
[ includes large LOCA and RPV failure accident sequences, which
! challenge containment integrity early in the sequence.
l 13 This release category is representative of Class V accident Interfacing LOCA, the suppression pool is ,
sequences which involve core meltdown following a LOCA out- partially effective in mitigating releases.
i side containment. The SRVs are actuated in order to mitigate j the release of fission prodxts to the environment by providing an alternative path into the containment (i.e., suppression l pool) during the in-vessel release period.
~
k m
14 '
This release category is representative of Class V accident Interfacing LOCA, failure of SRVs.
j sequence which involve core meltdown following a LOCA out- -
) side containment. The SRVs are assumed not to be opened, i and the fission products released from the fuel totally j bypass the containment. I
! i i
l - . . . . - -- - -
l l
1 s
i 1
,i l
- g 4 4 8 9
9 O
6 e
4
-~___- M
1
- 4. INSIGHTS FROM THE OCONEE 3 PROBABILISTIC RISK ASSESSMENT 4.1 Introduction This section presents an overview of the results from the Oconee 3 Proba- !
bilistic Risk Assessment (PRAil and selected insights derived from these re-sults. The review of the PRA being done by Brookhaven National Laboratory for i the NRC was not conpleted at the time this study was undertaken. It is not the purpose of this effort to review the PRA or to judge its validity. ;
Rather, the results from the PRA are used as is, and the insights are based entirely on these results. -
Following a brief overview of the PRA, the leading accident sequences contributing to both core melt probability and risk (of early and late fatali-ties) are ex.amined in detail to obtain the following insights:
Relative significance of initiating events.
System and component failure contributions to leading accident se- '
quences.
Failure mode (i.e., human error, random, dependent, etc.) contribu-tions to leading accident sequences.
In conjunction with these insights, additional perspective is provided, as appropriate, regarding the relative significance of leading sequences and the different characteristics of the accident sequence " mix" for core melt probability and risk.
I The core melt proba'bility results for internal and external accident int-tiating events are considered separately, in Sections 4.2 and 4.3. This is in accordance with discussions in the PRA reference document 2 and is also consis-tent with a similar separation in the PRA itself. Both internal and external events were combined in the PRA in developing the public risk assessment, and they are combined also in Section 4.4.
The Oconee PRA identified turbine building flooding as the dominant ini-i tiator within the PRA study; as a result, the plant was modified and certain
- aspects of the PRA were requantified. It is inportant to keep in mind that the published PRA contains a mix of pre- and post-modification quantification and that in this study the post-modification information was used whenever available and, whereever a mix of data was used, the distinction was noted.
4.2 Internal Events This section presents results and insights from internal initiating events. Internal initiators are defined in the PRA as loss-of-coolant acci-
_ dents and transients. These initiating events are listed and defined in Table 4.,1 (reproduced from Table 3.5 of the PRA).
4.2.1 Overall Results l
The total core melt probability from internally initiated accidents is 5.4E-5/ reactor year. For Oconee, this represents only 21.3% of the total 4-1
Table 4.1 Internal Initiating Events for the Oconee PRA Event Description .
LOSS-OF-COOLANT ACCIDENTS S Small-break LOCA A break or leak 1/2 to 4 inches in effective diameter. These are spontaneous events:
induced LOCAs were treated directly.
As Large LOCA A break or rupture greater than 4 inches in ,
effective diameter except those noted be- '
low. l-Aeg Interfacing-system LOCA A large loss of coolant through the valves acting as a boundary between high and low RCS pressure.
~
RPV RUPTURE: Vessel rupture A loss of reactor-vessel integrity precluding the ability to maintain coolant inventory.
S3g: Steam-generator tube A rupture of a steam-generator tube resulting rupture in an RCS leak greater than 100 gpm. j TRANSIENT EVENTS Tti Reactor / turbine trip An event resulting in reactor trip but not significantly degrading the operability of equipment needed to respond to the event. .
k T2 Loss of main feedwater An interruption of main-feedwater flow from l
both trains of the system. Some events re-l sulting in a loss of main feedwater are treated separately as defined by other ,
l T3 Partial loss of main A degradation of the feedwater system suffi-feedwater cient to cause a trip but not precluding an immediate feedwater response after the trip. Failure of one main-feedwater pump is an example.
T:4 Loss of condenser A reduction of condenser vacuum to a level
,, vacuum resulting in a feedwater-pump trip. Recov-ery of this event considers the level of degradation caused by the potential initi-ating events.
T5subF Failure of offsite Substation fadit resulting in plant isolation power at the from the electrical grid.
subs ta tion 4-2
. . . -. r
Table 4.1 Continued Event Description TRANSIENT EVENTS (continued)
}
TSFEEDF Failure of elec- Failure of the local grid or feeders result-trical grid or ing in a loss of power to the plant. l main feeders -
1 T1 6 Loss of instrument A reduction in instrument-air pressure to a air level where valves and instruments cannot provide their intended function.
A 10-minute loss resulting in plant trip was assumed for the calculated T6 frequency. t T:7 Excessive feedwater Feedwater events leading to the overfilling i of a steam generator and hence an overcool-ing transient.
T:8 Spurious engineered-safeguards signal A spurious initiation of safeguards equip-ment. The effect specifically modeled is the initiation of HPI flow.
T:9 Steamline break A rupture of a large secondary steamline.
Effects of breaks inside and outside con-tainment were detailed. .
T 10: Feedline break Failure of a major feedwater line resulting in failure of main feedwater.
T ij: Lo'ss of ICS power bus KI Failure of power provided by bus KI to the t ICS.
T12: Loss of service Failure of the LPSW system resulting in water insufficient flow in the main headers or i
failure to vital equipme.nt.
T 12(108): Loss of service Failure of the LPSW system due, to the spe-water due to cific failure mode involving valve LPSW-transfer of
- 108. This is a subset of T12i treated dif-LPSW-108 ferently for recovery actions.
l Tj3: , Spurious low- Incorrect instrument measurement of pres-
! pressurizer-pressure l ' signal
.surizer pressure. Sensed signal is lower g.
than the true value.
T j4: Loss of power to bus 3TC Failure of bus or switchgear 3TC resulting in power loss to many plant loads. Plant and main-feedwater trip are the first effects.
. 4-3
. ._ . ~. . . . ..
t
. (internal + external) core melt probability. The significance of internally initiated events to early and late fatality risks is discussed in Section 4.4.
4.2.2 Dominant Sequences Table 4.2 -lists the accident sequences that are leading contributors to core melt probability. It provides the following insight relative to the sig-
- nificance of individual accident sequences
. .The top 12 sequences provide 82% of the contribution to core melt probability. The leading sequence contributes 24% to the total, and is three times as probable as any of the others.
4.2.3 Initiating Events
, Table 4.3 provides a breakdown of total core melt contributors on the basis of accident initiating events. This information was used to establish the relative contributton from important initiating event classes. The re-suits are given in Table 4.4, in which four initiating event categories are used. Based on these results, the following insights are provided:
Transients dominate core melt probability.
Loss of service water contributes nearly one quarter of the CMP.
. Large LOCA* contributes about 1.5 times as much as small LOCA.
4.2.4 System and Component Failures and Failure Modes The contribution' to core melt probability from individual system and com-
- ponent failures, as well as failure modes (human error, dependencies, etc.),
were examined. Table 4.5 shows the contribution from system and component failures to each of the listed core melt sequences. This information was ob-tained directly from the PRA by examining the leading cut sets of each se-quence. The Oconee PRA was unique in that this information was provided di-rectly by sequence aad thus a much more accurate extraction of the data for Table 4.5 was possible than for the other PRAs examined in this study. Note that the eleven sequence types in Table 4.5 do not correspond exactly to the top twelve sequences in Table 4.2. This is the result of a further binning process whereby similar sequences were combined into a single sequence type within a plant damage bin. For example, Sequence 1 in Table 4.2 represents j only LPSW as the initiating event whereas Sequence 1 in Table 4.5 also in-cludes some loss of ac power events that in turn fail LPSW. As this latter configuration of sequences .was presented in the PRA with accompanying leading cut sets, these sequences were the ones analyzed. As it. turns out, the bin-ning process yields eleven sequence types contributing 85% of the total core melt probability from internal events.
The first column of Table 4.5 identifies the sequence by number and des-Ignator. The second column provides the core melt probability contribution, in percent, from the individual sequence and in parenthesis the percent by weight of the cut sets examined. The third column Ifsts all of the system failures associated with each sequence. The fourth column gives the contribu-tion in percent to the total CMP, i.e., column 2 times the parenthetical 44 1 g as w
- ae** ++ 4ee e .-e een
- Table 4.2 Leading Sequences for Contribution to CMP - Oconee 3 (Internal Events) <
Leading .
Cumulative Sequences Sequence Descript, ion Probability % CMP % CMP
- 1. T12BU Failure of LPSW fails HPI pumps unless operator action 1.3x10-s 24 24 and failure to initiate SSF seal injection leads to RCS leak with no make-up
- 2. SY X SBLOCA with successful HPI. LOCA actuates RBSS and 5.0x 10-6 9 33 33 either operator fails to terminate of RBCS is unavailable '
and RBSS must be left on. HPR fails to be initiated successfully upon depletion of BWST.
- 3. TioBU Large feedwater line break causes loss of MFW and EFW. 4.8x10-6 9 42 Feedwater from other sources fails to be initiated and HPI cooling fails.
- 4. AX A Failure of LPR to initiate or run 'after large LOCA. 4.8x10-6 9 51
- 5. AX g Large LOCA with successful injection. High flow develops 3.3x10-6 6 57 in LPR leading to pump cavitation and '
failure if not remedied. - ~
! 6. TsBU Loss of instrument air resulting in loss of MFW. Failure 3.2x10-s 6 63 of EFW, failure to recover feedwater, and HPI cooling fails. .
j 1
- 7. TWS ATWS (turbine trip) MFW fails and either injection or 2.8x10-6 5 68
- long term cooling fails.
- 8. TSBU Loss of offsite power resulting in loss of instrument air 2.4x10-6 4 72 and MFW. Failure of EFW, failure to recover feedwater r and HPI cooling fails. !
- 9. TWS ATWS (turbine trip), moderator tenperature coefficient 1.7x10-6 3 75 j less than 95% yields large pressure transient with resulting LOCA. Injection systems fail to provide q makeup.
4
Table 4.2 Continued Leading Sequences Cumulative
, Sequence Description Probability % CMP % CMP
- 10. TWS ATWS (turbine trip), same as sequence 9 above except 1.5x10-6 3 78 that long term cooling fails following successful injection.
- 12. VR Reactor vessel rupture. 1.1x10-6 2 82 a
E I
e e
e a
Table 4.3 Mean Annual Core Melt Frequencies for Internal Initiating Eventsa
% CMP Loss of service water 1.3-5 24.06 Large-break LOCA 9.0-6 16.65 Small-break LOCA 6.1-6 11.29 Transient without scram 6.0-6 11.10 Feedwater-line break 4.8-6 8.88 Loss of instrument air 3.2-6 5.92 Steam-generator tube rupture 2.7-6 5.00 Loss of offsite power 2.4-6 4.44 Turbine / reactor trip 1.8-6 3.33 Loss of main feedwater 1.2-6 2.22 Other transients 2.6-6 4.81 Reactor-vessel rupture 1.1-6 2.04 Interfacing-system LOCA 1.4-7 0.26 ,
Total 5.4-5 100.00 abased on analysis of the unmodified plant.
Table 4.4 Internal Initiating Event Categories--
Contribution to Core Melt Probability
% Contribution l Initiator Probability to Internal. CMP l
Transients 3. 5E-5 64.77 LOCA 1.62E-5 29.98 St. Gen. Tube Rupt. 2. 7E-6 .
5.00 Interfacing LOCA 1.4E-7 0.26 Totals - 5.4E-5 ~ 100.00 4
4-7
i Table 4.5 System and Component Failure Contributions to Oconee 3 Sequences Dominating Core Melt Probability (Internal Events)
Seq. Related Sequence Leading Cut Set Dominant Related
% CM Cont. System Contr16utions Failure Mode Sequence % Component
(% Cut Sets Ex) Failures % Total CMP Contributors Total CMP Failures % Total CMP
- 1. T128U 28 (97.53) LPSW 27.31 (97.53) Dependent 1.12 (4.0) i Random 26.18 (.93.5) MOV HPI 27.31 (97.53) Dependent 16.35(58.4) 27.31 (97.53)
- 2. SY X 9 (99.3) HPR 33 8.937 (99.3) Human 8.26 (91.8)
Random 0.61 (7.5) ;
- 3. TioBU 9 (97.9)
MFW 8.81 (97.9) Dependent 8.81 (97.9)
EFW 8.81 (97.9) Dependent 8.81(97.9)
HPI 8.81 (97.9) Human 8.31(97.9)
- 4. AX 9 (98)
, A LPR 8.82 (98) Human 8.82 (98) b 5. TgBU 9 (98.6) HPI 8.87 (98.6) Human 8.87 (98.6)
MFW 8.87 (98.6) Dependent 8.87 (98.6)
EFW 8.87 (98.6) Dependent 6.25 (69.4)
Random 2.63 (29.2) UST 2.63 (29.2) 6 AX 6 (97.6)
A LPR 5.86 (97.6) Human 5.09 (84.8)
Dependent 0.7 (11.6)
Random 0.07 (1.2) MOV 0.07 (1.2)
MFW 4.47 (89.3) Unspec HPI 2.32 (46.4) Unspec LPR 2.15 (42.9) Unspec 9
e 8
}
L .
Table 4.5 Continued i
Seq. Related Sequence Leading Cut Set Dominant Related
% CM Cont. System Contributions Failure Mode % Component Sequence (% Cut Sets Ex) Failures % Total CMP Contributors Total CMP Failures % Total CMP
HPI 2.13 (71) Dependent 2.13 (71)
SRV 0.55 (18.2) Dependent 0.55 (18.2)
EFW 0.37 (12.4) Unspeci fied 0.37 (12.4)
MFW 0.12 (4) Unspecifled 0.13 (4)
LPR 2.36 (79.6) Dependent 2.36 (78.6)
EFW 0.68 (22.6) Unspeci fled 0.68 (22.6)
MFW 0.30 (10) Unspecified 0.30 (10)
SRV 0.56 (18.6) Unspecified 0.56 (18.6)
- 10. T 28U 2 (77.3) HPI 1.55 (77.3) Human 1.55 (77.3)
?
EFW 1.55 (77.3) Random 1.55 (77.3) UST 1.28 (64.2)
- TD Pump 0.15 (7.5)
.MOV 0.11 (5.4)
A0V/S0V 0.1 (5)
LPSW 0.062 (3.1) Human 0.038 (1.9)
Random 0.024 (1.2) Pumps 0.015 (0.73)
MOV 0.01 (0.52)
- 11. VR 2 (100) RPV 2 (100) Random 2 (100) Vessel 2 (100)
Note - Numbers in parentheses in column 2 represent the percent by weight of the total sequence cut sets examin-ed (i.e. the leading cut sets). Numbers in parentheses in columns 4, 6 and 8 represent the percent by weight of the total sequenc,e cut sets examined that involved the given item.
h e
e 0
I percent of the column 2 total CMP that was found by examination of the leading cut sets (28 x 07.53% = 27.31); it is important to note that the probabilities that these percentages represent are conditional, that is, dependent upon the initiating event and any preceding system failures (the numbers in parentheses i
are again percent of cut sets). The fifth column provides the failure mode contributions to each of the system failures. Four such modes were dominant in the PRA: common cause, dependent, random, and human error. As used here-in, dependent failures refer to failures related to the initiating event or in some instances to preceding system failures.
The sixth column gives the contribution in percent to the total CMP and in parenthesis the percent of the column 2 total CMP that was found by exami-nation of the cut sets. For example, in Sequence 1, 93.5% of the failure con .
tribution of the low-pressure service water system is from random failure and 4.1% from dependent failures. Note that in many cases (including this exam-ple) the column six failure mode contributions do not total to 100% of the column 4 numbers in parentheses. This is because only those modes identified as leading contributors were considered.
The seventh column identifies the components associated with the relevant f ailure modes. For the dependent and human error modes, no components are identified since for these modes individual component failures are not asso-ciated with the system failure. The eighth column provides the indiv1 dual component contribution to system failure for each failure mode. For example, in Sequence 1, 58.4% of the low pressure service water system contribution to the overall sequence CMP is due to failures of motor operated valves and this yields an overall 16.35 percent contribution to the CMP (28 x 58.4% = 16.35).
From information provided in Table 4.5, Table 4.6 was constructed in order to consolidate the contributi6ns to internal CMP from systems, failure modes, and components. In Table 4.6, each system is considered separately, as indicated in the first column. The second column lists the number of se-quences (identified in Table 4.5) in which the system appears as a contribu-tor, and the third column gives the summation of percent contribution to CMP for each system.
The remaining five major columns give the failure rcode contributions, including an " unspecified" column which provides quantification of the resid-ual failure mode contribution not easily determined in the cut sets. For the
" random" column, the component failure contributions to the respective failure modes are identified. The numerical entries for these columns were obtained directly from Table 4.5 and represent the direct percent of the internal CMP of each failure mode and component failure.
An example will aid in interpreting Table 4.6 The high-pressure injec-
,-tlon system (HPI) appears as a system failure element in six of the CMP lead-ing sequences. The total contribution of these six sequences to the CMP veri-fled by cut set examination, is 50.99%. In other words, if the HPI failure probability could be reduced to 0 under the conditions of the six accident se-quences, the total CMP calculated by the PRA for internal events would be re-duced by at least 50.99%. The HPI failure contribution to CMP consists of 19.23% human, 29.44% dependent, and 2.32% unspecified.
4-10
. y' Table 4.6 Total Systen and Component Failure Contrhtlons to DF from Leadin9 Sequences Randon 1 CW System { 5eq Contr N tion 1 CMP MOV Pump UST A0V/50V RK hssel mspec thauen Dependent Common Cause mspeciffed LP5W 2 27.37 26.194 15.36 3.13 . 6.7 0.038 1.12
?
HP1 6 50.99 19.23 29.44 2.32 55F 1 27.31
- 27.31 HPR 1 8.937 0.61 0.61 8.26 '
MFW 5 22.57 17.68 4.89 EFW 5 20.28 4.18 0.11 0.15 3.91 0.1 15.06 1.05 LPt 4 19.19 0.07 0.07 13.91 3.06 2.15 SCRAM 3 8.96 8.96 RPV 1 2 2 2 Totals 33.05 17.15 3.28 3.91 0.1 2 6.7 68.75 66.36 8.96 10.41 k
s l
- c. * . '
_.,,,_ _ . l i
Tables 4.7, 4.8, and 4.9 consolidate and summarize the results of Table 4.6 for failure mode, system failure, and component failure contributions to CW. Table 4.8 lists all systems which appear in the eleven leading CMP se-quences and the contribution each system imposes on the total CMP for internal event initiated sequences. Reducing the failure probability to O for each system would produce the corresponding reduction in CMP. It should ba noted
, that improving the reliability of combinations of systems would not necessar-11y produce a benefit equivalent to the stanmation of the corresponding CMP contributions because more than one system appears in all sequences. The net effect of reliability improvements for combinations of systems would have to j be ' determined by a close examination of Table 4.5. A similar statement can be made for combinations of components. '
From the data in Tables 4.7, 4.8, and 4.9 the following insights are evi-
- dent
l .
Human and dependent failure modes appear to dominate failures of the systems important to CMP.
. HPI appears in over half of the total CMP contribution. Its major contributing failure mode arises from its dependence on service water i for cooling and its second leading failure mode derives from human er-ror mostly associated with failure to initiate in time in scenarios such that auto initiation would not be counted upon.
Failure of the Safe Shutdown Facility (SSF) appears in over one quart-er of the total CMP and is totally associated with operator failure to initiate in time. ,
Random component failures do not play a significant role 'in the top 80% of the CMP. The failure of MOVs dominates this category and most of this comes from the failure of valve 108 in the service water sys-i tem, which initiatas a transient and terminates service water cooling.
1 4.3 External Events l This section presents a stanmary of the results of the external events analysis from the Oconee 3 PRA.
1 The PRA considered a total of five external event initiators. These are
! listed in Table 4.10, with indications of the percent contribution to external i CMP. Even after plant modifications, turbine building flooding is still the dominant initiator.
According to the PRA, the total core melt probability from external '
events is 2.0E-4/yr. Thus, external events contribute 78.7% to the total i CW. The significance of external events to early and late fatality risks is
! discussed in Section 4.4.
- The PRA explicitly provides the leading ' cut sets for the external events
- contribution to CMP. The cut sets are categorized by plant damage bin. Table i 4.11 is the cogilation from examining 86.1% (by weight) of the cut sets for external CMP. The first column lists the initiator category, and the second provides its overall numerical contributton to CMP, from Table 4.10. Column 4-12 l
.:.-_-__ _.__ - _ = __- ._ - =. _ :_ - =.-.:._--_.,.....--.,. , ,. - -
a., ,
Table 4.7 Failure Mode Contribution to CMP from Leading Sequence / Cut Sets (0conee)
Failure Mode % Contribution Random 33.05 Human 68.75 -
Dependent 66.36 Common Cause 8.96 i
Unspeci fied 29.29*
81.12% (by weight) of the cut sets for the total CMP were investigated leaving 18.88% not investigated and 10.41% from Table 4.6 Table 4.8 System Contribution to CMP from Leading Sequence / Cut -
- Sets (0conee)
System % CMP
MFW 22.57 EFW 20.28 LPR 19.19 SCRAM 8.96 HPR 8.94 RPV 2.0 Based upon investigation of 81.12%
(by weight) of total CMP cut sets.
Table 4.9 Component Failure Contribution to CMP from Leading Sequence /
Cut Sets Component % CMP
- M0V 17.15 UST 3.91 Pump 3.28 RPV 2.0 A0V/SOV 0.1 Based upon investigation of 81.12% (by weight) of total CMP cut sets.
4-13
4 0 '
. - o
. Table 4.10 Mean Annual Core Melt Frequencies for ,
External Initiating Eventsa
% CMP Turbine-building flooda 8.8-5 44.2 s
Ea rthquakeb 6.3-5 31.7 External floodb .. 2.5-5 12.6 Tornadob 1.3-5 6.5 Fi reb 1.0-5 5.0 Total 2.0-4 100.00
. abased on analysis of the modified plant, bBased on analysis of the unmodified plant.
9 0
~
e e
4-14
.y.
t
. e
. 9
~
Table 4.11 Enternal twents - Oconee
- ptANT IRillATOR 1 CATEGOAf EITEte4L tan 4GE ftT. SEO. EIT. T9ANSIENT CW 312 CW # CW BEP(IDENT I EI RESPONSE FAILURE RAISipt 1 (t CW NtNMI CW SEl5Mit 6.3E-5 1 1.It-5 1 8.4 (7E-7) Ass. bids. mesenary wells WW 5et FTC 0.4
' EFW MPI 2 8.g (l.OE 6) Condenser Notwell. NW CCW piping SRV FTC 3.g EfW ,
3 HPI 0.2 ( 41- 7) letdoise piping LPI A6 power HPl 4 0.2 (4(-7) Letdown plpjeg LPI Aus. b1dg. mesenary wells HPI 5 0.1 (Pf-7) Feedseter Heaters NW StV FTC
' St5per storage tank D.1 EFW AC power MPI s e.2 (x-7) AC peer wW 5ev FTC o.2 EFW TDP cooling ITW ll 2.6f-6 1 1.3(2.6f-6) Jocassee Den til 4.6E-5 15F 1 5.0 AC power 2 7.5(It-5)(I.St-5),Aus. bids. wells HPl HPI WW Af W 3 5.0(11-5) Condenser MFW Efu
$5F power /3 (1.675) 4 0.5(IE-6 F $$F/3 1.67 $$F/3 1.67
! UST eedwater Meater WW $5F/2 0.25
- b w
- - --~ ~ -
i
! +
.e
- 9
~
. w
-g ea u Og
.nu J
.E I E F
.b --
EE gIe - !
E. --
E* $$ g g s02 wk ezz k- .-
Ok
=. . =~z w AkAkkb .
]
- a 0 -
- 2 2 2
$ g E Es. g5 2 2 O
=
2 sa a
a- ~es si
~:
e a
a a m -m-a-a 2
w c a v g3 a
zg e3 n 3 . sna.ns:
a MMMA M4 w21 ERw21sik d54202 3
. *
- M
- i MMW
- bb d5 $ 5 $ 5 ddd
.. . , .f .
, ., , .e, .,~,.,
o e e e o e o n -
g- _ - - - _
O M W M , W W 4 : 4
- 4 a 8
3[-
e
]
e
=k A
- ol 8.
5
- .5 3
I 8
3" * .a 4-16
.,e *
- o Eg M - .W w mu a 4 4 4 a 0 0 i EI A
S m
S
.a eu .a Eg . . . . = = .
nu a a d .3 4 4 4 7
4 3 ..
Y YR u y R R 2 I w 2 $2 2 k l l I B R R BR R R t
z -
I.I EE m
t e " M' "k*f3 E* kg-~h m
- " **" *f h t . t = k 1 : 1 1" 2 . " t"h e" "t**t a . k "k k "=1 '
.i I
1 1
" = l 1
- t 3 =lm 1 t
2 t
2 1
d I I J 4
nj
- c. 5.y, e 2
2 e, 2 t 3 .
$ 3 3 3 3 y
W W C. G. C. 3
~
. W W W W W W *
~E5 s si i i i i i d
n
~
~ ~
n ~ - n
~ w . d d e o.
g ~ = n e . . % -
i T
EI 9 n
W i d .
1
,I.
3 e
e b
T Y *
- I
$ N W i D d 4 i
i e
l_d es i
E
i
,h f"n
=
as m:
4-17
1
.. .. l
=I
. dda d 4 ,
= == l.
= == 1 I a.m.E. EE ,
i
= ...
Ja a d 4 a da aa ,
I ff
=
a w= =
f= =
1 I I G.m E
- 5.E E. m. 9a. f..a i
R i Ig gs- ==== .. ==..ggf=..g..g.,E
=.. = mm.m
=.
s '
{
n .
- r
.I E
= .
~
G G B
= -
=
2 d . , e. e E e. e E. ;
3 5 %
. 3
- e. e. e. e. e. e. e. e.
. x == = =x = w !. -
E! d. dd d dd d i a:
. .~ . .
.I 4 a d a a 4 a a a -
r - 3 0* 2 3
g I g. =a . . .~ = .
{ % g I .4.;J l
- 12 %# ti ~
x a
c3: 53
. ~13 E*.2j $$;
?
l
-12" 4cs:-
i I e t-I a g}.1:t
- Ss_-.}$
t I.;.4
, I g23'I8 1 2 . -- .
(g
- "I_'Isi 83 E :ssal.i_1 c
.r--* * ::-si ~'e ,
I tees 4
=. s. T:4 .
- h k kb s.
- n * * ::. .r.r.h
. as
! 25 i i
e 4-18 .
-:: -..__- .- . - ~ _ _ , . _ . . - _ . , . - - . . -____
l **,
- i i three lists the plant damage bin, and column four provides that bin's numeri-a cal contribution to CMP. Columns five and six simply order the sequences within each bin and provide the percent and (numerical) contribution to CMP of each sequence. The seventh column provides the initial transient response of the plant (i.e., what broke). The eighth column lists all the dependent sys-tem failures based upon the initiating event and plant response, and the final four columns track those additional' random or human errors that also occur-red. Because each sequence entry has multiple cut sets provided for review, i some table entries have fractions next to them denoting in what fraction of the total sequence they played a part. - All percentages represent % of total external CMP.
j Review of Table 4.11 provided the following insights with respect to ex-4 ternal events: .
9 . External events comprise 78.7% of the total CMP.
Major dependent system failures were found in all 86.1% of the cut ,
sets examined, and 100% of the external CMP cut sets are expected to 1
display this phenomenon.
The external events of the study were severe enough that in well over 50% of the sequences additional failures were not needed for core j melt. -
Random failures were included in 34.32% of the cut sets. This cate-gory was dominated by failures in the SSF (23%) and primary system SRVs.failing to close following actuation (10.4%).
! ,. Humarf error acccunted for only 11.22% of the external CMP, but this category was totally dominated by human errors associated with the SSF l (10.52%).
l .
In the seismic sequences, the auxiliary building masonary walls are capable of failing MFW, EFW, and HPI if they crumble.
All of the tornado sequences were similar in that they all started i with LOOP, RX trip, and trip of MFW.
i l
Only one fire area was analyzed in the PRA. This was the cable shaft area, in which a fire can result in failure of any or all of the fol-l lowing:
- d. LPI controls,
- e. fan cooler power and controls,
- f. RB spray centrols,
- g. PORY and block valve controls.
Cut sets were not provided for the external flood initiator which was <
taken to be failure of the Jocassee Dam. Dam failure is capable of
. 4-19 e a a- . am m m
flooding the turbine and SSF buildings, thus failing MFW, EFW, HPI, LPI, and SSF functions.
In spite of the modifications to the turbine building to improve the plant response to turbine building flooding, this initiator is still the overall largest contributor to CMP.
4.4 ' Risk I
. The PRA presents curves of exceedance frequency vs number of fatalities for both early and latent cancer fatalities. Figure 4.1 shows the latent and early fatality curves for internal initiating events, and Figure 4.2 shows i
j similar curves for external initiating events. The PRA did not explicitly de- !
fine leading cut sets for the risk aspects of the study as it did for CMP.
Six major release categories were defined for Oconee, with the general characteristics given in Table 4.12. The consequence ranges for these six categories are summarized in Table 4.13. Categories 3 and 5 were found to have no neaningful contribution to health effects. The mean frequency per year and its relation to the overall CMP are also given, as are the split be-tween internal and external events for each release category. The following insights on risk are derived from the foregoing:
35.25% of the CMP does not enter into any risk category.
An additional 63% of the CMP represents low to intermediate conse-quence portions of the CCDFs.
. The highest risk category represents 0.01% of the total CMP.
. The overall split in CMP between internal and external events is approximately 20% to 80%. In all but one release category, external events exhibit a larger than 80% contribution. . The PRA notes that the Reactor Building Sprays are relatively more likely to fail under ex-ternal events than internal. The discrepancy in release category 2 (i.e., internal >30%) is based on the inclusion of the sequences that include steam generator tube rupture with a stuck open SRV on the same generator, which yields a direct path to the environs.
REFERENCES
- 1. NSAC 60, "A Probabilistic Risk Assessment of Oconee Unit 3." June 1984,
- 2. Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regu-lation Application NUREG-1050, USNRC, February 1984.
4-?0
=*e a
1 1
- . . . . .; . . . . .; ......g ......g ...
4,_
10-5 ,-
i (a) e . Total !
]
o [2*
. g 1
' 3*
~~ ~
o 10-7 r x
o
- 1B" 7:
a r a i1A* ,
o :
g10-9 r--
< i -
i
.. . . .I
. .I ..I 100
..I ...I .-
101 102 103 104 Number of latent-cancer fatalities t1 i I I I i 10-3 10 -2 10 -1 1 10 increase in rdte of fatalities (%)
......g .
....j .
- 2*
8
~
G . Total (b) -
o 10-s __
s : _
o i 5
D . 5 g .
o .
f 10-8 3. At -
g : :
c -
c 1 0 -
,1 ,l ,, ,i --
100 101 102 103 Number of early fatalities Figure 4.1 Oconee Unit 3 risk curves for all 'nternal initiating events: (a) latent-cancer fatalities and fatalities.
- Release categories as defined (b) Tab.y ear in e 4.12.
4-21
g . , . ., .......; . .g
......g .
10 -4 4* .
- e o
r
- (a) -]
8 :
- Total Ix r:1B* ~
/ '
,
- 10 -s r- t ,
o E 2 5
- 3* '
+ -
-- 10 -s r - x g i i c -
a r i7 i 1 0 '
! . .I . . . .I .....! . ....I . . .....! d -
100 101 102 103 104 Number of latent cancer fatalities ll l l l l l 10 -3 10 -2 30-1 1 10 increase in rate of fatalities (%)
e 10-7 3 2* -
o -
(b) _. -
1 Total g .
y -
o 10-e __
e : 1 A*-
e . .
o .
E -
E10-8 c
c
.I .. .I ...I ..!
100 101 102 1os Number of early fatalities Figure 4.2 Oconee Unit 3 risk curves for external initiating events (modified plant): (a) latent-cancer fatalities and (b) early fatalities.
- Release categories as defined in Table 4.12.
4-22 -
i Table 4.12 Summary of Oconee Release Categories Warning Time Duration Time Elevation Containment of of for of Energy Release Release Release Evac. Release Release Category (Hr) (Hr) (Hr) 6 (Meters) (10 Btu /Hr) 1A Puff 1 2.5 0.5 1. 5 21.5 289.0 Puff 2 3.0 . . . , , 2,. 5 2.0 21.5 77.0 18 24.0 0.5 20.0 21.5 289.0 2 1.5 3.5 0.5 0 33.0 3 1.5 1.5 0.5 0 33.0 4 62,0 0.5 60.0' 21.5 289.0 5 1.5 3.0 0.5 0 0.08 O
4-23
t Table 4.13 Sa'ummary of Consequence Ranges for Which Release Categories Af fect Risk Curves Latent han 1 Overall 1 Contributton 1 Contribution Release Cancer Early Frequency Total External Internal Category Fatalltfes Fatalttles (Yr-8) CPF Events Events Comuments IA 6000-11000 1000-7000 2.9E-8 .01 85.55 14.45 RCIA ranges represent the highest-consequence
, portions of the CCOFs.
18 100-1000 No effect 2.2E-6 .87 93.41 6.59 RCIO ranges represent a narrow segment of the intermediate-consequence of the CCDFs 2 100-6000 1-2000 2.2E-6 .87 68.32 31.68 RC2 ranges represent intermediate- to high-consequence portions of all CCDFs and low- to high-consequence portions for,early fatalities 3
No effect its effect - - - -
. 4 1-100 No effect 1.6E-4 63 92.49 7.51 RC4 ranges represent the e
low- to intermediate-
% consequence portions of the CCDFs 5 lb effect its effect - - - -
^
l 1
i .
l
. e e
~ - -.- - _ _ . _ - _ - - - - . - _ - - -. .- . _ . -- .-
i
, 5. DISCUSSION AND RANKING OF THE VARIOUS ELEMENTS OF THE METHODOLOGIES j 5.1 Introduction
' The four subject PRAs have been analyzed in accordance with the guide-lines of NUREG/CR-3852, " Insights into PRA Methodologies." Section 5.2 pro-j' vides a brief description of how each of the PRAs handled the various aspects involved in performing a PRA as outlined in the NUREG report. Section 5.3 in- !
cludes a table in which the areas discussed above are ranked against one
- another (PRA to PRA) by using the levels of effort developed in the NUREG re-j port, which are defined in Section 5.2 for each area. Note that the ranking process prescribed in the NUREG report did not in all cases result in a rank-
) ing category that truly matched what was actually done in the PRA effort.
l Therefore, the ranking required a certain amount of judgment, which introduced
- some uncertainty into the results.
t
- 5.2 Discussion of the Elements of the Methodologies The following items correspond to the 20 categories listed in NUREG/CR-l 1 3852, with some rearrangement in the order of presentation, as well as some j' additional items added for the current evaluation because the NUREG report did not address external events.
5.2.1 Identification of Initiating Events
(
Description Levels of Effort i Identify transients and A. Use WASH-1400 (16)
LOCA initiating events , B. WASH-1400 plus EPRI NP-801 .
{ C. Generic events plus plant specific (17) j a. Millstone i Extensive review of plant operating data plus plant specific assessment.
, Used three LOCAs plus special LOCAs (interfacing system and R.V.), SGTR, SL I'
break inside and out of containment and 14 transients.
- b. Seabrook Used Master Logic Diagram (similar to fault tree with top event being re-lease of radioactive materials) which branches downward into initiating events.' Also used Plant Heat (energy) Balance Fault Tree to provide more de- l t
tail, then used historical initiating events, other PRAs, feedback from risk
', model, FMEA. '
- c. Shoreham i
The PRA utilized WASH-1400, other PRAs, LERs, and plant specific items to generate the set of initiating events.
(.
- d. Oconee The PRA used available sources as well as plant specific analyses for de- '
i termining the initiating events.
i l' 5-1
.o ,*
5.2.2 Estimation of Frequency of Initiating Events Description Levels of Effort Work performed to estimate A. Generic data the frequencies of initiating 8. Generic data and plant specific events C. Two-stage Bayesian
- a. Millstone Based on domestic PWR experience plus site specific LOOP estimate. For relatively frequent events, classical statistical methods used, for rare events, Bayesian approach. .
- b. Seabrook l Used data from other power plant experience for events applicable to Sea-i brook. For plant specific initiators. (interfacing systems LOCA, loss of ,
- S.W.S., and CCW loss) did a plant specific analysis. Used EPRI-2230 as pri-
- mary source for events which have already occurred. Data were modified, other
- sources used, and frequency computation performed (proprietary). For LOCA and steam breaks, used Nuclear Power Experience and other data. Frequency deter-l mination for these events also proprietary.
j c. Shoreham .
The PRA used the following sources in the order of their priority for j quantifying the frequencies of initiating events: a) plant specific, b) NRC i
data, c) General Electric Co., d) WASH-1400, and e) IEEE 500. .
- d. Oconee The PRA used generic data and used a one-stage Bayesian update of the
, generic date for plant specific data, where available.
5.2.3 Event Tree Modeling Technique i Description Levels of' Effort i Options for accident sequence A. Small systemic event trees for
! modeling using event trees each initiating event class -
i 8. Large event trees for each plant l state i
Millstone a.
Approach is consistent with PRA Procedures Guide (NUREG-2300). Used plant functional event tree model. Used support state concept to account for support system failures. Functional event trees used, and six top events de-fined with a total of 44 systems used (some duplications) for the top events.
Very comprehensive event trees. For example, 55 different sequences are de-fined for the loss of off-site power initiators for a particular support state.
5-2
- b. Seabrook Used event sequence diagrams which are used to construct event trees.
Twelve event sequence models used to cover all initiating events. Very com-prehensive event trees. For example, the generalized transient event tree has 159 possible sequences.
- c. Shoreham The PRA developed and quantified separate event trees for those initiat-ing events which may have a strong effect on the system available for accident mitigation and plant cooldown.
- d. Oconee The PRA employed the systemic event tree approach.
5.2.4 Aggregation of Initiating Events ,
Description Levels of Effort The extent to which initiating A. Complete aggregation; one initiating events are combined as entry event category for all accidents points for event trees C. Aggregation based on function or phenomena E. Little or no aggregation
- a. Millstone Very little aggregation employed. Used 17 event ' trees to represent all 21 internal event initiating events considered,
- b. Seabrook Some aggregation done for similar initiating events. A total of 58 ini-t1ating events (24 internal, 34 external) were grouped into 12 event trees.
- c. Shoreham The PRA did do some aggregation based upon function or phenomena.
- d. Oconee Some aggregation was performed.
5.2.5 Hardwired System Dependency Analysis Description Levels of Effort i
l Identification and quanti. A. Engineering judgment based on prior i
fication of ig act of hardwired knowledge and insights system dependencies C. Systematic hand analysis based on system diagrams E. Large-scale Boolean reduction code 5-3
- a. Millstone Used support state method in which each support system interaction with front-line systems was defined and analyzed deterministically. Five support systems were identified, and eight support states were used with different combinations of support system ava11 abilities. These eight support states were obtained by combining the initial 72 support states into groups with similar plant states. A craputerized support state model was employed to analyze the support state dependencies.
- b. Seabrook Two support sytem matrices were developed to relate support system inter-dependencies, as well as support system dependencies, with front-line system dependencies. A total of 10 support systems were defined, and their depen-dency with 11 front-line systa.ms/ functions was assessed. Boundary conditions were defined which corresponded to various combinations of support system failures. System unavailabilities were then quantified for appropriate .
boundary conditions.
- c. Shoreham Ac power, de power, and service water were explicitly modeled in the event trees. The remaining support systems were modeled in the fault trees.
For the three above, an event tree was used to screen the quantitative contri-bution of these dependences out of the systemic event trees. Once calculated,
, these contributions were then transferred to the applicable initiator for spe-cial processing through an event tree logic diagram suitad to represent the predetermined conditions gf the support system. .
- d. Oconee The major support systems were developed in fault trees and combined with the appropriate frontline systems using SETS to solve the sequences.
5.2.6 System Interaction Analysis Description f.evels of Effort System interactions other A. No analysis to identify interactions than hardwired C. Engineering insights D. Plant walk-through
, E. Plant walk-through coupled with detailed analysis of failure modes and effects
- a. Millstone In general, intersystem physical interactions modeled only for external common cause initiators. For internal events, physical interaction dependen-cies are embodied in success criteria and damage limits for components. Some were modeled in conjunction with intersystem functional dependencies. Inter-system physical interactions were modeled on an event and sequence specific basis.
5-4
- b. Seabrook Spatial interactions were considered for external initiating events.
Drawings and other plant studies were used, as well as plant walk-throughs, to establish spatial interactions which could be important. The SETS computer code is used to quantify and identify the important spatial interactions.
- c. Shoreham Engineering insights and plant walkdowns were used as inputs to the plant modeling. In one specific case, a common cause analysis was also performed and related to flooding at elevation 8 of the reactor building.
- d. Oconee The PRA includes the results of plant walkdowns and detailed analyses of potential threats and attendant vulnerabilities.
5.2.7 Treatment of the Post-Accident Heat Removal Phase Description Levels of Effort Consideration of accident A. 24-hr duration with no recovery duration and equipment of mechanical failures recoverability assumptions .B. Realistic accident durations without recovery of mechanical failures C. Realistic accident durations with recovery of mechanical failures
- a. M111sto5e For purposes of system unavailability analysis, a 24-hour mission time was generally assumed. However, for accident recovery analyses, realistic accident times were estimated, and recovery of systems with assumed mechanical failures was considered.
- b. Seabrook .
For purposes of system unavailability analysis, a 24-hour mission time was generally assumed with plant conditions stable and expectation of con-tinued cooling. The possibility of manual recovery of mechanical failures was assumed in selected cases including the turbine driven auxiliary feedwater, the service water system, and the electric power system. In these cases, realistic. estimates of accident times were made.
- c. Shoreham -
Operator actions which are required by procedures or which are possible to remedy a failed system are depicted and evaluated. Realistic accident time intervals were used for the mission times.
- d. 0,conee Realistic accident time intervals were used, and the leading cut sets were examined individually to determine what recovery measures could be taken.
54
.. ) . - , 3 5.2.8 Evaluation of Human Errors During Normal Operation Description Levels of Effort Quantification of the effect of A. Conservative scoping human error 1, human errors during plant values operation (miscalculation, C. Human error estimates (i.e., NUREG-unsafe valve alignment, etc.) 1278) with a non-detailed analysis E. Human error estimates using detailed methodology (i.e., THERP tree "analy-
. sis)
- a. F.111 stone Conservative screening values were used throughout the study based on data from NUREG-1278. Since operating procedures were not developed for Mill-stone .3 at the time of the PRA, procedures from Units 1 and 2 were used. ,The THERP analysis was used to determine human error contribution to conponent unavailability. -
- b. Seabrook Human errors are accounted for in assessing system reliability. Contri-butions from outage due to maintenance (planned and unplanned) or tests as well as human errors in testing and maintenance are considered. The principal source of human error rate used was NUREG-1Zl8.
- c. Shoreham- <
The PRA'used NUREG/CR-1278 as the ' source for maintenance and operations errors and further includes items such as stress and response times.
- d. Oconee The PRA evaluates the human errors by a detailed analysis which accounts for ambiguity, stress, time available, etc.
5.2.9 Evaluation of Human Errors During an Accident Description Levels of Effort Quantification of human errors A. Conservative scoping human error which could occur during an values accident sequence C. Human error estimates (i.e., NUREG-1278) with a non-detailed analysis E. Human error estimates using detailed methodology (i.e., THERP tree analy-sis)
- a. Millstone Both cognitive (decision making) and procedural errors are considered.
The time available for action is evaluated, in addition to the diagnostic information available to the operator based on the accident scenario. The complexity of the required action is also taken into account. Recovery of 5-6
failed systems was considered in selected cases. The methodology employed was generally the cognitive error model in the NREP Procedures Guide. Human error rates from NUREG-1278 were generally used. The THERP analysis was used to de-
> s termine human error contributiort to component unavailability via restoration errors.
- b. Seabrook ,
Operator action trees were employed in evaluating human error contribu-e tions during accidents. The plant simulator was used to assist in defining potential operator errors by inputting accident scenarios and evaluating oper-
' ator plant status perception matrix. Error rates were established by the PRA study team.
- c. Shoreham The PRA does not consider errors of comission by the operator. The error model in the NREP Procedures Guide was used with data from NUREG/CR- ,
1278.
i',
- d. Oconee The PRA utilizes the same very detailed methodology as discussed for normal operation above in evaluating postaccident human errors.
5.2.10 Common Mode Analysis Description Levels of Effort ,.
Level of effort applied to A. No comon made human error analysis common rpode human error B. Selective analysis of common mode analysis '
human error analysis D. More potential. common mode failures and more consistent evaluation than B
- a. Millstone Multiple comon cause human errors of design, test / maintenance, and in-correct calibration and operation were considered. The binomial failure rate model was employed, based on actual operating plant statistics corrected as necessary to reflect specific features of Millstone 3.
- b. Seabrook
' Common cause human errors were considered and quantified by use of the beta-factor model, and also by the dependence model provided in NUREG-1278.
Judgment was applied to determine the degree of dependence between human errors.
- c. Shoreham The PRA utilized this methodology in evaluating the miscalibration of four level sensors. It also modeled coupling between operators.
, 5-7
p i. '.
J
- d. Oconee -
The PRA included connon cause human error analysis in a number of in-i stances and included within this the coupling between operators when more than
.'one would/could be involved in the particular scenario.
i 5.2.11 Treatment of Recovery i
_ Description Levels of Effort Possible operator recovery A. No recovery
, actions B. Recovery from human errors and auto-l matic actuation systems failures D. Recovery from human error, actuation system failure, and individual conponents
- a. Millstone .
D Analyses were performed to determine time intervals and flow rate re-i quirements for recovery of risk dominant sequences. System recovery actions.
l use of _ alternative systems, and recovery of failed cogonents were considered 4
and quantifled.
- b. Seabrook j , Recovery was considered for risk significant accident sequences where operator action was considered to be feasible. Recovery of L failed automatic
. systems (i.e., turbine driven auxiliary feedwater) was considered, as was re- '
covery of failed support systems (i.e., service water, control room H&V, con-tainment enclosure air cooling system). Extensive analysis of recovery from loss of AC power was performed, including recovery of failed diesel gener-
, ators. .
- c. Shoreham Operator recovery actions were included for human errors, failure of automatic actuation systems, and selected conponents,
- d. _0conee l All leading cut sets were examined to determine what recovery actions were possible and what the appropriate probabilities should be.
5.2.12 Modeling of AC Power Systems Description Levels of Effort Level af detail in modeling and A. Past PRA models of AC power systems quantifying AC power support C. Simple, non-detailed models system E. Detailed fault trees with support system interfaces 5-8
i
- s. Millstone AC power (main electrical system) modeling was detailed, extensive, and plant specific. Diesel generator failure rates were based on tests of Millstone 3 diesel generators and similar units. Support system interfaces and dependencies were assessed in detail.
- b. Seabrook AC power (electric power system) modeling was detailed, extensive, and plant specific. Support system interfaces and dependencies were assessed 'in detail,
- c. Shoreham The power syisem was divided into three areas: offsite, onsite AC, and DC, and each was modeled in plant-specific detail.
d.
Oconee The Oconee power system is quite unique and all aspects were modeled in I specific detail.
5.2.13 Modeling of Logic (Actuation) Systems Description Levels' of Effort Level of detail in modeling and A. Using past PRA models of lo ic sys-quantifying logic equation sys- tems (unreliability of -10 /
tems train)
C. Simple models E. Detailed fault tree models
- a. Millstone The engineered safety features actuation system is the actuation system for the Millstone 3 plant. It was modeled with detailed fault trees based on i plant specific design as well as test and maintenance procedures and schedules which are to be implemented at the plant.
- b. Seabrook The actuation systens for Seabrook consist of the reactor trip, engineer-ed safety features actuation, and solid state logic protection systens. These systems were analyzed together, utilizing detailed fault trees based on plant specific design and test and neintenance procedures and schedules planned for the plant.
- c. Shoreham Logic systens were modeled in plant-specific detail.
5-9 1 .
D. Oconee Logic systems were modeled in plant-specific detail.
5.2.14 Common Cause Description Levels of Effort Level of effort expended to A. No common cause analysis perform hardware common cause B. Analysis on a few components analyses identified by engineering judgment C. Consistent analysis using nuclear experience data
- a. Millstone The common cause analysis consisted of a detailed assessment, consistent-ly applied, using operating nuclear plant data. The binomial failure rate ,
model was employed for common cause system and hardware analysis.
- b. Seabrook Common cause failures were consistently treated either explicitly by identifying causes of common cause failure and incorporating them explicitly in the systens, or implicitly by using certain parameters to account for their contribution to system failure. The basic parametric model used to quantify common cause failures was the beta factor nethod. Some beta factors were quantified with design specifi,c muclear plant data screened for applicab,ility to Seabrook. Where data were sparse or nonexistent, a generic beta factor was ,
used.
- c. Shoreham Common causa analysis was included in the modeling of the reactor build-ing flood at elevation 8.
j d. Oconee l
Some common cause analysis was included in the PRA and was directed by engineering judgment.
5.2.15 Component Reliability Data Base Description Levels of Effort Type of data base used in PRA A. Generic data only (e.g., WASH-1400 or IREP data base)
C. Generic data augmented by plant specific for a few inportant fault types E. Generic and plant specific enploying Bayesian treatment 5-10
- a. Millstone The data were generated primarily from the Westinghouse Data Base, which is proprietary. These data are based extensively on Westinghous nuclear plant operating experience, which covers a time span of 1972 through 1981 and con-tains over 200 reactor-years of plant operation. For cases with little or no nuclear data for the hardware, ten other data sources were used.
- b. Seabrook Component failure rate distributions were developed based on information from a variety of generic data sources as well as detailed plant specific data collected in the process of performing PRAs on several other plants. Details regarding the generation of each specific failure rate are proprietary. A Bayesian updating procedure was used to integrate data from several sources into uncertainty distributions for failure rates. Operating experience data were used, and screening of LERs was performed for particularly risk sensitive components. ,
~
- c. Shoreham .
The data base utilized plant-specific data vhere possible; however, the plant had no operacional data base.
- d. Oconee The PRA used generic data as a prior and then performed a one-stage Bay-esian update based on available plant-specific data.
5.2.16 Use of Demand Failure Probabilities Description Levels of Effort
~
Treatment of demand failure A. Use of demand failure probability probabilities from a generic directly from generic data base data base for components with C. Use of generic demand failure very long test intervals probabilities combined with long test period
- a. Millstone .
The probability of failure on demand was derived by obtaining the ratio of the total number of failures on demand (from various data sources) to the total number of challenges.
- b. Seabrook The method used for derivation of demand failure probabilities could not be found in the PRA. Proprietary documents are referenced as sources of in-formation used to develop demand failure distributions.
5-11
- c. Shoreham Demand failure rates are converted to failure probabilities over the appropriate time interval.
- d. Oconee The probability of failure on demand was derived where possible from plant-specific data by taking the ratio of number of failures (from various plant records) to number of challenges over the plant's life.
5.2.17 Use of Means Versus Use of Medians Description Levels of Effort Use of means or medians of data A. Use of either means or medians for conponent fault quantifi- (No other levels considered) cation ,
- a. Millstone Mean values were used for component failure rates.
- b. Seabrook Mean values were used for component failure rates.
- c. Shoreham Mean values were used for component failure rates.
- d. Oconee Means were used as the point value estimates from the data distributions.
5.2.18 System Success Criteria Description Levels of Effort Determination of system success A. Use system criteria in the Final criteria Analysis Report C. Realistic, plant specific phenomeno-logical analysis
- a. Millstone A majority of the success criteria were based on best-estimate plant spe-cific safety analysis. However, certain success critarb rely.-on-the-safety- - ~
analysis from the Millstone 3 FSAR.
- b. Seabrook No specific overall discussion of system success criteria was found in the PRA. However, the study generally used best estimate.
5-12
- c. Shoreham The PRA success criteria represent realistic requirements and were deter-mined in part from vendor deterministic analyses.
- d. Oconee The PRA success criteria represent realistic requirements.
5.2.19 Treatment of Test and Maintenance Outages Description Levels of Effort Modeling of test and maintenance A. Generic data for maintenance fre-outage contributions quencies and test and maintenance outage times B. Generic data with repair times based on plant specific data ,
D. Plant specific data for all test and maintenance parameters
- a. Millstone Test outages are based on test frequencies required in the Millstone 4
Technical Specifications and the reported times to test. Operational data for Millstone Units 1 and 2 were used for the time to test pugs and valves, assuming that the test time is log normally distributed. Cogonent unavaila-bility due to maintenance outages was based on random failure rates and assumed repair times. The Millstone Unit 3 Technical Specification limit on downtime for any train was used as the upper bound repair time, and Millstone Units 1 and 2 experience was used to establish minimum repair time. Log nor-mal distribution was assumed.
- b. Seabrook Test outages are based on technical specifications for Seabrook. Four maintenance frequency distributions were developed for four general component categories based on component type, service duty, and technical specification inoperability limitations. Log normal distributions were assumed. The dis-tributions for the duration of maintenance were developed for the four general maintenance categories. The distributions were based primarily on the applied inoperability time limitations for.each component category. Details of the development of the distributions are proprietary.
- c. Shoreham Plant specific data are not avai.lable for this plant, and essentially WASH-1400 input was used.
- d. Oconee The PRA combined generic data with plant-specific data wherever available to develop the test and maintenance data base.
1 5-13
__ _________ __ _. . _ _ _ . - ~ - - . _ _ _ _ _ _ _ . _ _ _ . _ _ . _ _ _ _ _ _ _ _ , __
,. s a 5.2.20 Environmental Qualification Description Levels of Effort Modeling of environmental A. Not considered qualification of equipment B. Engineering judgment C. Calculation of environments, and failure assumed for severe environ-ment exposure E. Calculation of environments, and l modification of failure probabili- '
ties l l
- a. Millstone I Environmental effects including grit, moisture / humidity, tegerature, electromagnetic interference, radiation exposure, and vibration were analyzed on the basis of the binomial failure rate common cause model using data from operating reactors (corrected for application to Millstone 3). Further detail '
not provided.
- b. Seabrook i I
Environmental effects are mentioned as failure contributors, but the methodology and data used for evaluating such effects could not be ,found in l the SSPSA except for external events that create environmental stress. In i these cases, a spatial interaction analysis was used.
. c. Shoreham i Could not find subject addressed in the PRA. !
- d. Oconee Engineering judgment was used to augment the evaluation as to whether l certain components needed for a successful sequence could function in the ex-pected environment carried by the sequence.
l 5.2.21 External Event Methodoloqy Description Levels of Effort Scope and treatment of ex- Not applicable (not considered in ,
ternal events NUREG/CR-3852) l
- a. Millstone
- -Ei ght external events were considered: earthquakes, fires inside the plant, internal and external flooding, winds (and associated missiles), air- ,
craft crashes, transportation and storage of hazardous materials, and turbine !
mi ssiles. The events were initially screened for significance by examining j
their frequency and severity and the vulnerability of the plant to damage from them. The screening showed only earthquakes and fires to be significant 5-14 !
= __ _ _
i ..; , , .,
l contributors. Briefly, the methodology used for these two contributors was as
. follows:
- 1. Earthquakes - The probability of earthquakes near the site was esti-mated. Seismic fault trees for various core damage states were de-veloped, and seismic fragility analyses for various plant systems were perfomed. Probability distributions for fragilities were devel-oped assuming a Weibull distribution. The base events of the seismic core melt fault tree were quantified, yielding a seismic core melt frequency and uncertainty. Seismic related containment event trees were prepared and quantified for seismic related containment failure modes. The consequence analyses were modified to account for slower evacuation speeds and alternative routes.
- 11. Fires - Fire probabilities in certain plant areas were assessed on the basis of utility e;tperience. Mechanistic models of fire propaga-tions and the effects of mitigation were evaluated. Fire related operator actions and human errors were quantified. Overall fire re- ,
lated core melt frequencies were computed, and consequence analysis was done in a manner similar to that used for internal events.
~
- b. Seabrook Eight external events were considered: seismic, fires, aircraft acci-dents, wind, turbine missiles, internal floods, external floods, and hazardous chemicals. A limited bounding analysis was applied for some of the events to show, for the largest predicted sizes, that either no damage of concern would result or the frequency of damaging plant components which could lead to core melt would be negligible compared with that of other events. This bounding analysis eliminated from further consideration all external events except seismic, fires, and aircraft crashes. For these three, the following method-ology was employed:
- 1. Seismic - The frequency of ground motion of various magnitudes was
, determined. The fragility of plant structures and conponents was de-l termined by estimating the ground acceleration that would cause fail-ure. A plant logic model was develcped which related system failures (including nonseismic failures in conjunction with seismic failures) to core damage. These steps were combined to produce estimates of core melt frequency and related plant damage states. For the major seismic contributors, calculation of the probability distribution of plant damage state frequencies was completed.
- 11. Aircraft Crash - Aircraft activity near the Seabrook site was examin-ed, and crash rates at_the site were estimated based on this activity
and U.S. aircraft accident rates for the past 10 years. Fragilities for structures identified as potential targets at the site were esti-mated, and plant damage states were identified for various crash sce-narios. From these estimates, the probability of a severe accident and the consequences from aircraft crashes at the site were calcu-lated. The contribution to core melt probability and risk'was found to be negligible.
5-15
iii. Fires - The fire analysis is based on the location of important cables and equipment previously assessed for the plant by the util-ity. The frequencies of fires were derived from data collected from all U.S. nuclear power plants. The igact of fires on instrumenta-tion was analyzed explicitly for the cable spreading room and control room. A list of 11 fire zones judged to have the largest potential of plant damage from fire was developed. The frequencies and conse--
quences of fire suppression efforts was considered. From these re-sults, the contribution from fires to core melt probability and risk was estimated.
- c. Shoreham "The only external event considered in the PRA was flooding of elevation 8
- of the reactor building. This initiator was combined into the internal events category.
- d. Oconee Six external events were considered: seismic, tornado, fires, external .
floods, flooding events from sources within the plant, and aircraft impact.
All remaining events in the external events list were eliminated from consid-eration by determining their inapplicability to the Oconee site. The aircraft igact initiator 'was eliminated by screening calculations which verified that their frequency of occurrence was too low to present an important contribution to core melt frequency or risk. For the external flood initiator, a detailed bounding analysis showed that failure of the Jocassee Dam contributed about 10% of the total core melt frequency. For the remaining four external initia-tors the following methodology was egloyed: * *
- 1. Seismic - The frequency of occurrence of ground motions of various magnitudes was evaluated to obtain the seismicity hazard. The capa-cities of igortant plant structures and equipment to withstand 4
earthquakes were evaluated to determine the conditional probability of failure as a function of ground acceleration. The internal initi-ator fault tree and event tree models were modified to reflect plant response to seismic events and then solved to obtain Boolean expres-sions for the seismic event sequences. The Boolean expressions were quantified by using the probabilistic site seismicity and the fragil-ities for plant structures and equipment.
- 11. Tornado - The frequency of occurrence of tornadoes with wind speed above 150 gh was evaluated from historical data in the area. A tor-nado event tree was constructed and quantified by using judgmental data for the tornado effects on systems and equipment.
iii. Fires - The analysis was limited to areas where the most damage could be anticipated. The frequencies of fires were derived from the ex-perience of all U.S. nuclear power plants. Simple models were used to assess the propagation of fires in cable trays and the temperature rise in compartments due to fires. The analysis of the fire-initiated sequences was not detailed. It did not include the timing of events, the possibility of restoring lost functions, and the pos-sibility of errors of commission.
l -
5-16
"n 1 j . _.. _
iv. Internal Floods - The initial analysis of internal flooding was done by using a survey and overview technique. Flood sources and critical locations were identified. The frequency of flood initiating events was estimated from U.S. nuclear power plant experience combined with ,
, Oconee plant experience. Core melt sequences were constructed based on information obtained from the above efforts plus the understanding obtained from the analysis of the internal initiator sequences. The results indicated that turbine building flooding dominated the core
- melt frequency. In view of that, a refined analysis was carried out including detailed fault tree models for all turbine-building floods in order to obtain a more plant specific quantification of their fre-quencies. Since the turbine-building flooding continued to dominate the results, it was decided to make some plant modifications. Fur-ther evaluation of these sequences, including the modifications, were then performed.
5.2.22 Source Terms
- Description Levels of Effort Characteristics of radionuclide Not applicable (not considered in release from accident sequence NUREG/CR-3853)
- a. Millstone Fission product release to the containment was calculated by the MARCH /
M00 MESH /CORCON/C0C0 CLASS 9 code package. The CORR $L-2 code was used to compute fission product fractions available for release from the containment. Some 30 CORRAL runs were made corresponding to plant damage states. These results
- were grouped 'into 13 release categories depending on similarities of timing and release magnitude. To account for fission product attentuations in the primary system and in the containment from physical mechanisms not considered in CORRAL, a discrete probability distribution method was used. In this meth-od, the point estimate release estimates from CORRAL were multiplied by dis-crete factors of one or less with corresponding probabilities assigned to each factor. These factors and probabilities were derived by expert judgment ap-plied to the separate transport and deposition stages.
- b. Seabrook Time-dependent releases calculated in the CORRAL-II code were used to de-l fine the point estimate release categories. Thirteen release categories were used based on containment failure mode, availability of sprays, and whether the reactor vessel cavity was assessed to be wet or dry. The MARCH, MODMESH, ;
CORCON, and C0C0 CLASS 9 codes were used to define thermal-hydraulic conditions '
in the primary system and containment. The discrete probability distribution ,
approach was used to estimate factors (all 1.0 or less), and their probabil- l ity, which were applied to the CORRAL-II point estimate results< These-param i 1
eters were established by expert judgment. I
- c. Shoreham The PRA employed the MARCH code to calculate system pressure, tenpera-ture, core-coolant interactions, and containment conditions for " binned" 5-17
- r. .
i groups of accident sequences. WASH-1400 assu g tions and recent studies of re-leases from fuel were used to establish the inventory available, and the CORRAL code was used to calculate the effects of the transport and removal mechanisms on fraction of available inventory in each control volume of the containment and the total release to the atmosphere, and its composition, as a function of time.
D. Oconee The CORRAL code (USNRC,1975) was used to analyze the release and trans-port of radionuclides inside the containment. The radionuclide inventories
- and release mechanisms were taken from the RSS (WASH-1400) and altered as nec-essary to reflect new information concerning releases. Many sensitivity studies were performed to determine the effect of known uncertainties and varying assumtions. The entire spectrum of releases was then grouped into six release categories.
5.3 Comparison and Ranking of PRA Methodologies for the Four Plants ,
This section presents, in unified tabular form, the methodological char-acteristics of the four PRAs examined (Millstone 3, Seabrook, Shoreham, and Oconee), in the light of criteria defined in NUREG/CR-3852 (Table 5.1).
Several introductory remarks are in order, particularly in the light of.
the uncertainties and in some cases the lack of coglete definition remarked on in the introduction above.
- 1. The treatment of certain topics was not uniform, one aspect being treated in one,way (e.g., generically) while another was treated dif-ferently (e.g., plant specifically). In those cases the " level of effort" was described by a mixed notation, e.g., B/C or D/A.
! 11. . Only one of the plants under consideration (0conee) is actually oper-ational. In the other cases, the terminology " plant-specific" as ap-plied to experiential data is moot. However, in many of these cases generic data have been combined with particularly relevant data from analogous plants and equipment. When this was done, the characteri-zation of the treatment (level of effort) was " starred" (e.g., A*).
iii. No external event data were available for Shoreham.
iv. Related investigations regarding containment are, however, available for Shoreham, and for cogleteness they are stated here:
The containment response was obtained by detailed specific analy-
, ses and numerical calculations.
l .
No special assumptions (such as steam explosions, etc.) were t
included.
The ultimate external consequence analysis for Shoreham is not available at present.
l l
5-18
9 1 i
'l e'
Table 5.1 Comparison and* Ranking of PRA Methodologfes for Four Plants Topic Designator Topic Description Levels of Effort PH11 stone Seabrook Shoreham Oconee 1 IIE Identification of inttfating A WASH-1400 initiators used events C C C C B WASH-1400 plus EPRI NP-801 used (generic data)
C Generic data plus plant specific data 2 FIE . Frequency of initiating A Generic (for example from NP-801) C B/C* A*
events 8 Generic plus classical use of plant C specified data C Two stage Bayestari 3 ET Evant tree modeling A Small systemic event trees characteristics 8 Large event trees including global B B A A human actions 4 AIE Aggregation of initiating A Complete aggregation events E C C C C Functional (phenomenological) aggregation E No or little aggregation 5 SDA System hardwired dependency A Use of engineering judgment on analysts C Systematized hand analysts 1 1 C E y, E Boolean reduction code used 6 SIA System interaction analysis A No analysis performed C 2 C Engjneering insight C/D E D Plant walkthrough E FMEA plus plant walkthrough
- 7 PAHR Treatment of the postaccident A Standard (WASNh1400) accident length used i
heat removal phase D D D D (24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />)
- B Realistic accident length based on sequence requirements D Realistic accident length and component recovery considered 8 HN Human errors during normal A Scoping human error analysis E operation C Non-detailed human error analysis E C E E Detailed human error analysis s -
r 4
Table 5.1 Continued Topic ,
Designator Topic Description Levels of Effort Millstone Seabrook Shoreham Oconee 9 HA Human errors during A Scoping hisman error analysis E E \E E
{ accident progression C Non-detailed human error analysis .
E Detailed hissan error analysis 10 CM Common mode hisman error A Mo analysis performed D D 8 D analysis B Analysis performed on an inconsistent basis D Detailed consistent analysis performed 11 R Treatment of recovery A No recovery actions considered D D D D C Recovery of human errors and actuation
- faults considered D Recovery of human errors, actuatf on faults and individual component faults considered 12 AC Modeling of ac power systems A Previous study results used E E E E C Simple non-detailed models used E Detailed system models used Y' 13 L Modeling of logic systems A Previous study results used E E E E N
- C Simple non-detailed models used E Detailed system models used 14 CC Common cause analysis A No analysis performed C C 8 8 8 Analysis performed on components determined by engineering judgment C Detailed comprehensive analysis performed 15 DB Data base used A Generic A 1 A* E C Generic plus classical plant specific E Plant specific, Bayesian 16 DFP Use of demand failure A Use of generic demand failure probabilities A 2 A C -
probabilities for long test periods C Use of failure rates developed from DEP for long test periods 17 MVM Use of mean vs use of medians A Use of mean failure rates A A A A A Use of median failure rates b
4
. (
U
.4 i
e Table 5.1 Continued Topic Designator Topfc Description Levels of Effort Millstone Seabrook Shoreham Oconee 18 SSC Determination of system A FSAR data used C 2 1,
success criteria C Plant specific (realistic) analysis performed C C 19 TM Modeling of test A Generic data used maintenance outages 8 8 A 8 R Generic data plus plant spectfic repair times used D Plant specific data used 20 EQ Modeling equipment A Do not consider 8 environmental qualification
' 8 Use engineering judgment 2 A C C Estimate environmental conditions at time of accident and use manufncturers' specifica-tions for equipment 21A EXE External initiating events A Not included D D 8 Ceneric events used D i
C Some plant specific events used us D Comprehensive data used -
r'o 218 FEE Frequency of external
- -* A Generic data used initiators B Regional data used C C C C Plant specific (local) data used 21C MEE Methodology of external A Engineering judgment C i
event treatment 8 Screening only C B/D C Screning plus detailed evaluation D Quentitative formalism 22 ST Source tern A WASH-1400 C B ANS C C C J C WASH-1400 plus refinements D Specific calculations 1 - None of defined levels of effort define methodology. See Section 5.2 for details.
2 - Could not be determined.
d e
9 e
9
- 6.
SUMMARY
This section is intended to highlight the insights derived from the study. The PRA-specific insights with respect to initiators, failure modes, system failures and component failures are included in Sections 1 through 4 and, with few exceptions, will not be repeated here. The " generic" insights derived from the study are presented with the note that it was difficult to glean numerous " generic". insights from only four PRAs, representing three dif-ferent reactor types, although this in itself may be an insight.
l The following are the insights bounded by the above discussion:
All four PRAs were conducted with numerous refinements over the WASH-1400 effort and have yielded more realistic results.
The core melt probabilities due to internal events are identical (within error bounds) for three of the plants, and that for the fourth (Seabrook) is relatively close. .
With the possible exception of the low pressure service water system i
' initiator at Oconee, none of the PRAs shows any internal events to be
" outliers."
The dominant risk sequences represent only a small fraction (typically
- less than 1%) of the total contribution to CMP and are characterized by loss of the containment function due to direct bypass or overpres-surization.
In the two PRAs (Millstone and Seabrook) which specifically documented risk contribution by sequence; interfacing systens LOCA represent over 98% of the total contribution to early fatalities. Although not spe-cifically quantified, the Shoreham PRA appears to identify large LOCA with early suppression pool failure as its leading contributor to l early fatalities.
1 The CMP and risk associated with the interfacing systems LOCA (event .
V), as demonstrated by the Oconee PRA, can be substantially reduced by appropriate selection of operating configuration.. testing procedures, The leading contributors to latent fatalities would appear to be in-terfacing systems LOCA, large LOCA with early containment failure, station blackout greater than six hours and RCP seal LOCA.
The Shoreham PRA insights listed in Section 3 are driven to a large 1 extent by one major assumption within the PRA. The PRA has adopted a generic failure to scram probability from NUREG-0460 and assumes the i
common mode failure of the control rods to insert as the only contrib- '
utor. The PRA states that a Shoreham-specific analysis was done and that the results were on the order of 25% lower than the NUREG, but were not used in the study. Had these results been used, the CMP as well as the dominant sequences, failure modes, system failures, and component failures as presented in this report would all be changed.
T k
6-1 1
. ,- -- - . . . , _ . - . . - _ , . _ , , _ _ - ,,---,._--e . - - - - . , - . . . . , , _ - - _
The different plant PRAs showed wide variance as to what internal accident initiators dominated the CMP. For Shoreham (BWR), ATWS domi-nated and LOCAs were insignificant. For Oconee, LOCAs contributed approximately 30% of the CMP and large LOCA contribution was 1.5 times that of small LOCA. Even the results for the two Westinghouse plants (Seabrook and Millstone) were considerably different from one anoth-er. Seabrook and Millstone both found small, LOCA greater than large LOCA in tern:s of contribution to CMP, but small LOCA contribution was 11% in Seabrook and 24% in Millstone.
The core melt probability (CMP) and the percentage contribution from internal and external initiators are shown below for the four PRAs analyzed.
Total Core Melt Contribution from Contribution from Probability Internal Initiators External Initiators Plant (CMP) (%) (%) .
Millstone 5.89E-05 -
76.4 23.6 .
Seabrook 2.30E-04 80.0 20.0 Oconee 2.54E-04 21.3 -
78.7 Shoreham 5.50E-05 100.0 *
, *The study did not consider external events. -
The main insight drawn from these result's is that the usual breakdown of percentage contribution by internal versus external initiators of about 80/20 was fully 1eversed in the Oconee study. The Oconee results are for the modi-fled plant; the external initiator dominance (mainly internal floods) was even more dominant in the original plant.
6-2
qs- % _. __
4 i Appendix A DETERMINATION OF LATENT FATALITY RISK (AT >1000 FATALITIES)
CONTRIBUTION FOR SEABROOK i l
i This appendix describes the procedure used in deriving accident sequence contributions to latent fatalities from external events, based on the Seabrook SSPSA results. The SSPSA does not provide information from which these con-tributions can be directly obtained, but the results provided are detailed enough to allow estimation of the contributions by combining appropriate fac-tors.
The SSPSA latent fatalities are computed from source terms associated l with release categories defining the necessary radforuclide release parame- !
ters. Each release category is made up of plant damage states having similar )
i characteristics relative to the disposition of radionuclides. Each plant dam- t i age state consists of accident sequences grouped into the damage states on the ,
basis of similar outcomes regarding the end state of the plant following the assumed sequence. The SSPSA provides the relative contributions of leading accident sequences to plant damage states, the relative contribution of plant damage states to release categories, and the relative release category contri-bution to latentfatality risks. By extraction of appropriate contributions from each of these steps, the relative significance of individual accident se-quences (or groups of sequences) to latent fatality risk can be estimated.
The first step in the procedure was to determine the relative contribu-tion of the various release categories to latent fatality risk. This informa-tion is given in Table A.1 (extracted from Table 13.2-7b of the SSPSA). The last column show's the contribution from the release categories averaged over the 1,000 and 10,000 fatality levels. To be consistent with othe estimates in this report, the level above 1,000 fatalities was chosen as the risk parame-ter. The 100,000 level was neglected because of its extremely low probabili-ty. This averaging is a crude estimate, but is considered valid because the release category contributions for 1,000 and 10,000 are similar, as shown in Table A.1; within 5% of the average in all cases but one (S6V), for which the
- average is 13% from the two contributions.
After establishing the contribution from each release category to the la-tent fatality risk, the next step was to determine the plant damage state con-
- tribution to each release category. This information (from Table 13.2-8 of the SSPSA) is given in Table A.2 for the four release categories of interest.
' The plant damage states (7FP, etc.) identify certain plant accident conditions which result in particular release categories. t The next step in the procedure was to examine the accident sequences 1 which are the leading contributors to each plant damage state to determine connon features, including which sequences are initiated _by-external-events -
{
l and their relative significance. This information is found in SSPSA Tables 13.2-13c through 13.2-131. By examining these sequences, and grouping them appropriately, Table A.3 was formulated. It includes only those plant damage i states which had significant contributors (more than a few percent) from acci- 1 dent sequences initiated by external events.
l A-1 1
r , ,
From the information in Tables A-1, A-2, and A-3, the contribution to latent . fatalities from accident sequences initiated by external events can be readily obtained. For example, for seismic events causing loss of off-site power and containment isolation failure (<3"), the product of the contribution of these accidents to plant damage state 7FP (90%) and the contribution of 7FP to release category S2V (60.6%), and the contribution of S2V to the latent fatality risk (48%) are computed. Similarly, all accident groupings in Table A-3 are computed. The result is given in Table 2.11 of the main report.
Table A.1 Contribution of Release Categories to Risk of Latent Cancer Fatalities for Seabrook
% Contribution 1000 10000 Release Category Fatalities Fatalities Average ,
S2V 51.2 44.8 48 S6V 11.9 35.5 23.7 S3 15.9 9.55 12.7 S3V 17.1 7.65 12.4
~
Totals 96.1 97.5 96.8 W
Table A.2 Contribution of Release Categories to Plant Damage States
% Contribution to Damage States Release 1
Category 7FP 3FP 1FP 80 4D 1F 3F 7F 7D 3D S2V 60.6 34.6 4.75 l S6V 77.6 20.5 1.46
\
S3 94.4 4.8 )
S3V 78.3 21.4 i
A-?
l
7 6-
.- G s
v Table A.3 Contribution of External Events to Seabrook Plant Damage States Seismic, Solid State .
Protection Failure, Plant Damage Seismic, LSOP Containment Fire, Loss of State Containment Isolation Seismic, LOSP Containment Isolation Failure (<3") Containment Cooling Failure (>3") Isolation Failure (>3")
7FP 90 3FP 85 80 30 .
3F 32 46 -
w I
e 4
l I
e I
.., g , ,;
WAC POS48 335 U S. .UCLE AR Rt1WLA704, Comussstops I atPon? .wweta ede,aes e, reaC.eer war d.e. 8 8ays h'E BIBUOGRAPHIC DATA SHEET NUREG/CR-4405 BNL-NUREG-51931 See sessTmWCTsCas4 Oas fut nEvemSE
- 2. TefLE Amo Suetsf LS 3 Lt.vt OLA s Probabilistic F.isk Assessment (PRA) Insights e D.YE miromi Com*LETED
,,,,,,,,,,, Novem"b'eY l 1985'
R. Fitzpatrick, L. Arrieta, T. Teichmann, P. Davis
,,, ' '" ""I" ' ' " " ' , . . ,
/
I F. ,tmpomusseG onGa.i2.TBOss .Aut aseo MAsuNG AOomg5S edassw er to Camp 3. PROJGCTsTASE/,voma u.e t .uusta Brookhaven National Laboratory "'a oa an. 1.o.u.
Upton, New York 11973 FIN A-3796 -
.. o o.. o.... 4. r.o= =... ..o -..u.a .oo. u ,,-- ,, Cee., ,I.r,..o. .,nar
- Division of Safety Technology Office of Nuclear Reactor Regulation , ,...oo Cov .. .. ,,_ e. s 1
U.S. Nuclear Regulatory Commission Washington, DC 20555 1
J
.3. A457mACT ,JO,eseres er.'euss Four different probabilistic risk assessments (PRAs) have been briefly reviewed -I with the broad objective of . ascertaining what insights might be gained (beyond those i already documented in the PRAs) by an independent evaluation. This effort was not intended to verify the specific details and results of eech PRA but rather, having .
accepted the results, to see what they might mean on a plant-specific and/or generic i
level. The four PRAs evaluated were those for Millstone 3 Seabrook, Shoreham, and Oconee 3. Full detailed reviews of each of these four PRAs have been commissioned by I
the NRC, but only two have been completed and available as further input to this study:
- the review of Millstone 3 by LLNL and the review of Shoreham by BNL. ,
The review reported here focused on identifying the dominant (leading) initiators, failure modes, plant systems, and specific components that affect the overall core melt probability and/or risk to the public. In addition, the various elements of the ;
methodologies employed by the four PRAs are discussed and ranked (per NUREG/CR-3852). !
l PRA-specific insights are presented within the report section addressing that PRA, and :
I overall insights are presented in the Summary.
l l
.. C .r..as......... ,.uc. ,ro..
- i. g..31, ,
l Probabilistic risk assessment Seabrook Unlimited i Insights Shoreham Millstone Oconee ,,,,co,,,,,,,,,,,,,,,,,
a r.. n l
. io. .r.. . . .w. . . . . , . .
Unelassified
, r.. -
Unclassified i , . . . o. ..c u l is emica i l
- - . , - - . - - . ~ . - - , . , . , . . - - . . - . . ,
.. s .,4 Q .
INSIGHTS GAINED FROM PROBABILISTIC RISK ASSESSMENTS Sarah M. Davis Reliability and Risk Assessment Branch Division of Safety Technology Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission September 20, 1984 O
e e
e *
- WWi1'
Table of Contents
- 1. Introduction 1.1 Purpose and Applications
- 1. 2 Sources, References, and Additional Sources .
4 1.3 Contents
- 2. Summary - Insights Gained From PRA Results 2.1 Human Error 2.2 Support Systems 2.3 Initiating Events 2.4 External Events
- 3. Insights into PRA Methodologies -
- 4. Measures of Contribution 4.1 Cutset Evaluation 4.1 Importance Ranking Appendix A - Plant Specific Importance Ranking Res'ults Appendix B - Discussions of Selected Topics - Insights Gained From PRA Results l
l l
l l
l l
l l . .
o . ., o 4
- 1. 0 Introduction 1.1 Purpose and Applications The purpose of this report is to provide an update of the draft report
" Insights Gained From Four Probabilistic Risk Assessments" issued in' March '
1983.
The expansion of this report to include 15 PRAs is part of an ongoing effort in the Reliability and Risk Assessment Branch (RRAB), Division of Safety Technology, NRR, of making available and using the information in Probabilistic Risk Assessments (PRAs) to highlight factors which have been found to dominate the risk assoc'iated with operation of varying types of nuclear power plants. This effort will also identify design or operational
- practices which have been found to be important to safety in the types of plants which have been subjected to risk assessments. In addition,
, methodological differences will be noted. The evaluation of the impact of different treatments of methodological topics on the perception of plant vulnerabilities was undertaken in a separate program in RRAB, Insights on PRA Methodology. Conclusions from this task comprise Section 3.0 of this report.
l The focus of the report is on the PRAs themselves. The purpose of this task is. not a critique of these studies. For the purpose of gleaning insights and l
calculating impbrtance measures, the assumptions and conclusions of the studies were accepted as valid with the intent to learn from these conclusions and O e
previda additional perspectives to the insights and inferences that can be drawn and their applicability to reactor safety and the use of PRA in general.
It is expected that this information will continue to aid in the assessment of safety issues in the absence of plant specific studies. This has already been done in many areas such as the Systematic Evaluation Program involving operating reactors and Severe Accident considerations in Environmental Statements for plants in the licensing phase.
This compilation of risk assessment information and insights can potentially ,
benefit both the industry and NRC staff. Insights drawn from PRAs done to 1
date can be used by utilities to examine current plant design / operation in '
order to identify any weaknesses or vulnerabilities found in plants with similar char'acteristics.
This information can also be used as a checklist for the conduct of future PRAs to increase awareness of problems that have already been identified and to systematically check the applicability to a specific plant.
The methodology assessment provides an awareness of the effects of the methodology on the PRA results when structuring future PRA studies. This ,
assessment focuses on those aspects of the methodology to which the results -
appear to be sensitive.
These insights can enable those performing PRAs to S
-,~--o--- - , .--,,,. . .-- , , .,,_,_,,, ._,,,n , , _ _ , , , . _ _ _ , _ _ _ , , _ _ _ _ _ _ _ , , , , , , , , , _ , _ -_ __ _ _ , . _ _ _ _ _ . , _,,,-_,,--.-_._,,p-_.__, ,,.,,-,.,,,,, ,
be aware of those areas of analysis where it may be beneficial to expend resources and explore details of additional analyses. This can also aid in focusing the review on the more sensitive areas. Some of the areas found to .
have a significant impact are system dependency analyses, human error .
evaluations and electrical systems analyses.
Another facet of the purpose of this ongoing effort is to increase awareness and sensitivity of NRC staff to the importance of systems and components derived from PRA results. The availability of this collected information ,
will hopefully serve to familiarize NRC staff reviews as to overall PRA insights, both design and methodological nature, and aid the staff in a number of specific areas. The insights gained from PRAs may be useful in numerous ongoing technical activities and can also provide information to cognizant branches for the identification of generic safety issues. The focus on importance which this effort provides can prove useful to plant project managers in the prioritization of plant specific work schedules for actions or modifications to operating reactors. In addition, these insights can be useful to resident inspectors for focusing activities on areas where potential problems or weaknesses have been identified in similar plants. .
The insights gained from methodology assessment can provide valuable guidance to RRA8 enabling project managers for PRA reviews to focus the l
review on areas sensitive to methodological assumptions and aid in the interpretation and application of results. Cutsets derived or identified k
r.. --
l in calculations of the importance ranking of systems and components can be l
used in evaluating new safety issues or proposed modifications of plants l
through the processing and dissemination of information obtained from PRAs, l
For those plants subjected to extensive review,.the review process !
olucidated some significant differences in identification and/or quantification of dominant accident sequences. Critiques and revised estimates of significant sequences are provided in NUREG/CR-2934 (Indian l Point Units 2 and 3), NUREG/CR-3300 (Zion), NUREG/CR-3028 and NUREG/CR-3493 (Limerick), and EGG-EA-5765 (Big Rock . Point) for those PRAs which received extensive review by NRR staff.
' Final results of the reviews were not available during the conduct of the importance calculations and thus are not l
reflected in the discussions of plant specific importance rankings. It l t
should be emphasized that this report is not intended to be a representation of the current safety profile of the plants under consideration but rather a presentation of PRA results and insights derived from the conduct of such l
studies. l The inclusion of examples of modifications implemented by applicants / licensees and significant review findings is intended to illustrate the valuab.le information provided by PRAs and PRA reviews which lead to a much deeper understanding of plant safety and areas of -
vulnerability as well as strength. In many instances this provides a tool with which to more readily identify cost effective means of improving plant safety. i These examples are, however, by no means exhaustive and appropriate caution should be exercised in utilizing the information presented in this
! report.
! I Wk
5-
- 1. 2 Sources of Material
'Klong with the "PRAs themselves, a major source of information used in this report is DRAFT NUREG/CR-3495, " Calculation of Failure Importance Measures For Basic Events and Plant, Systems in Nuclear Power Plants", to be published later this year.' The ' purpose of this project, done under contract to RRAB by Sandia National Laboratories, was to develop and utilize a methodology which extracts minimal cutsets from dominant accident sequences in order to examine and rank systems, components and failure modes as to their contribution to core melt frequency, release, and risk using various measures of importance and risk. (The definition and interpretation of these terms will be expanded more fully in later sections of this report.)
Other sources which contain cataloging of sequences, generic sequence development and insights are the Technical Reports from the Industry Degraced Core Rulemaking Program (IDCOR) sponsored by the Nuclear Industry, the Draft Report For Comment, NUREG-1050, "Probabilistic Risk Assessment (PRA): Status Report and Guidance for Regulatory Application", published by
-* Office of Nuclear Regulatory Research, EPRI NP-3265 Interim Report, "A Review of Some Early Large-Scale Probabilistic Risk Assessments", and "
reports from the Accident Sequence Evaluation Program, part of the Severe Accident Research Program. These and other documents and programs also provide perspectives on the use of PRA and various insights of a global and plant specific nature.
w m u-_-----_
. .) , .
- 1. 3 Contents of Report "Following this"section are Tables 1 1-1 3 . ..
Listed in Table 1.1 are the plants and program sponsors, with overall core melt frequency.as reported in the PRA and the date of publication. The PRAs are generally characterized by four categories:
WASH-1400 - The Reactor Safety Study (RSS), a pioneering program of a full-blown risk assessment using Surry 1 and Peach Bottom 2 as representative -
of PWRs and BWRs, respectively. A critique of this documentation was performed by the Risk Assessment Review Group (also known as the Lewis Committee Report) in NUREG/CR-0400. '
1 Reactor Safety Study Methodology Applications Program RSSMAP) -
initiated after the RSS, these are truncated ~ WASH-1400-type evaluations __
based on judgement and experience with analysis of accident sequences identified in WASH-1400.
Interim Reliability Evaluation Program (IREP) - the Crystal River-3 Safety Study was the pilot effort in this program initiated in the year following the Three Mile Island accident. These analyses were principally concerned with probability of core melt with no detailed review of containment failure or o'ffsite consequences. (The Calvert Cliffs 1 IREP report was not available when the calculations of importance ranking were performed and thus, was omitted from this analysis). '
. 9 Industry Sponsored PRAs - Those used in the importance ranking work are full scope risk assessment employing various methodologies depending on the authors and purpose of the study.
Others have been received by NRC with reviews ongoing or not yet initiated which were not available for the task of importance calculations. They are Millstone 3, Shoreham, Midland, Seabrook, Yankee Rowe, and GESSAR (standardized BWR design).
Listed in Table 1.2 are the contributions to core melt frequency from sequence initiators for the 15 PRAs under consideration. This provides a general measure of the contributions made by classes of sequences to core melt frequency 'for various types and designs of plants. Following in Table 1.3 are some of the modifications made to these plants which would be expected to impact the dominant sequences initiated by the events listed in Table 1.2. Section 2.0, Summary Insights Gained from PRA Results, contains summary tables of insights gleaned from numerous PRAs in areas such as Human Error, Support System Importance, Initiating Events and External Event Analyses. Appendix B provides more detailed discussions of the background for selected items from Section 2.0. Section 3.0 provides t 9 naary of " Insights into PRA P
Methodologies." Section 4.0, ris ,p;r* of Contribution, contains a discussion of methods for obtaining a quantitative estimate of the importance of system and component failures to overall core melt frequency and risk, and specific results are discussed for each plant in Appendix A.
TABLE 1.1 -
PLANT TYPE PRA ESTIMATED CORE SCOPE NAME SPONSOR MELT FREQUENCY AND DATE PUBLISHED
, AS REPORTED IN PRA SURRY PWR NRC- 6 x 10 5/RY INTERNAL EVENTS ONLY WASH-1400 10/75 PEACH BOTTOM BWR NRC- ~3 x 10 5/RY 2 INTERNAL EVENTS ONLY WASH-1400 10/75 SEQUOYAH 1 PWR NRC- ~6 x 10 5/RY INTERNAL EVENTS ONLY RSSMAP 2/81 OCONEE 3 PWR NRC- 8 x 10.s/RY INTERNAL EVENTS ONLY RSSMAP 5/81 GRAND GULF 1 BWR NRC- ~4 x 10 s/RY INTERNAL EVENTS ONLY RSSMAP 10/81 l CALVERT CLIFFS PWR NRC- ~2 x 10 3/RY INTERNAL EVENTS ONLY l 2 RSSMAP
, 5/82
! CRYSTAL RIVER PWR NRC- ~4 x 10 4/RY INTERNAL EVENTS ONLY 3 IREP 12/81 ARKANSAS PWR NRC- 5 x 10 5/RY INTERNAL EVENTS ONLY NUCLEAR ONE IREP
- 6/82 BROWNS FERRY BWR iNRC- 2 x 10 4/RY 1
INTERNAL EVENTS ONLY IREP 7/82 MILLSTONE 1 BWR NRC- 3 x 10 4/RY INTERNAL EVENTS ONLY IREP 5/83 i BIG ROCK BWR INDUSTRY 1 x 10 3/RY INTERNAL AND EXTERNAL -
! POINT I EVENTS 3/81 ZION PWR INDUSTRY ~6 x 10 5/RY INTERNAL AND EXTERNAL EVENTS i
l 9/81 l INDIAN POINT PWR INDUSTRY ~5 x 10 */RY
- INTERNAL AND EXTERNAL.
2
- EVENTS 4/82 l
1
.. , j l
TABLE 1.1 (CON'T.)
PLANT TYPE PRA ESTIMATED CORE SCOPE NAME SPONSOR MELT FREQUENCY AND DATE PUBLISHED AS REPORTED IN PRA -
INDIAN POINT PWR INDUSTRY ~2 x 10 4/RY 3 INTERNAL AND EXTERNAL EVENTS 4/82 LIMERICK 1 BWR INDUSTRY ~2 x 10 s/RY INTERNAL AND EXTERNAL EVENTS 3/81 REVISED AND EXPANDED TO INCLUDE EXTERNAL EVENTS 4/83 NOTE:
This table shows the estimated core melt frequency as reported in each of the ~15 Probabilistic Risk Assessments (PRAs). In many cases, staff review resulted in revised estimates not reflected in this table. For other cases, reviews are ongoing.
be exercised in viewing these results. Caution should Many of the licensees / applicants made modifications to both hardware and procedural aspects of the design and operation of plants, which would be expected to impact the overall core melt frequency. There are large uncertainties associated with the values in this table and interplant comparisons cannot be appropriately made since the PRAs were performed under differing scopes, l methodologies, and assumptions and the results are presented by using varying measures (point estimates, medians, or means).
1
- ~
, . 10 TABLE 1.2 SEQUENCE CONTRIBUTION TO CORE MELT FREQUENCY (GROUPED BY INITIATING EVENT * -
ROUNDED T0 NEAREST 5%)
PLANT NAME WIND OR LOCA TRANSIENT ATWS FIRE SEISMIC TORNADO SURRY 1 65 25 10 PEACH BOTTOM 2 70 30 SEQUOYAH 1 95 5 -
5- .. 0CONEE 3 70 25 5 i GRAND GULF 1 ,, 15 70 15 CALVERT CLIFFS 2 95 -
5 CRYSTAL RIVER 3 75 25 ARKANSAS NUCLEAR 25 70 5 ONE 1 BROWNS FERRY 1 75 25 MILLSTONE 1 95 5 BIG ROCK POINT 55 15 5 25 ZION (1 AND 2) 65 20 15 INDIAN POINT 2 10 10 40 30 i
10 ,
l INDIAN POINT 3 65 35 i
LIMERICK 1 100 l
3
- e. .se e e me
. . .. . l
- 11 TABLE 1.3 PLANT NAME i MODIFICATIONS ADDRESSING DOMINANT SEQUENCES I SURRY 1 4
The identification of the Interfacing LOCA (Event V) as a dominant contributor to risk led to the requirement of the capability for the strategic :
testing of the check valves in high/ low pressure boundaries.
SEQUOYAH 1 Special administrative controls incorporated in new Technical Specifications addressed the identified problem peculiar to ice condenser containment designs.
A more strategic testing procedure was instituted for the check valves of concern in the interfacing systems LOCA event.
OCONEE 3 The licensee took actions addressing Event V, eliminated the AC power dependency of the turbine driven train of the Emergency Feedwater System, instituted emergency procedures to prevent cavitation of ECCS pumps during certain postulated events, made modifications to the Instrumentation and Control System, and instituted preventive measures regarding the possibility of accident sequences induced by turbine building flooding.
CALVERT CLIFFS 2 The Auxiliary Feedwater system was modified to include automatic initiation logic and a third i motor-driven EFW pump train was added (to both units) with the ability to valve in the motor-driven train from each unit into the motor-driven train of the other unit.
CRYSTAL RIVER 3 The licensee made improvements to operater training ,
and procedures for switchover from ECCS injection to recirculation, removed the AC dependency of the turbine driven EFW pump and plans to institute -
procedures for local manual control of this pump and instituted testing procedures addressing Event V.
ARKANSAS NUCLEAR ONE-1 Modifications made during the course of the study included revised battery testing procedures, testing of actuation circuitry of switchgear room coolers and corrections in ECCS pump testing procedures.
_ . $-'s -
TABLE 1.3, (CON'T.)
PLANT NAME MODIFICATIONS ADDRESSING DOMINANT SEQUENCES MILLSTONE 1 The licensee implemented changes addressi,ng insights gained through the risk assessmint process:
Corrected single failure vulnerability in the LNP (loss of normal power) logic; removed the AC power dependency of the isolation condenser; and instituted procedural and equipment provisions for manual control of the normally closed valve in the isolation condenser.
BIG ROCK POINT Modifications made by the utility addressing the significant contributors to core melt based on their PRA included remotaly operated make-up to the emergency condenser from the fire system; post-accident valve position (locks); early containment spray following a LOCA; additional isolation valves on the primary coolant system; and high pressure recycle.
ZION During the staff review of the PRA the licensee agreed to take the following actions:
Institute refill procedure of the RWST tc accommodate the containment spray system.
Open PORV block valves.
Improved Safety System Room Cooler surveillance.
In addition, the staff modified Technical Specifications decreasing the allowable outage time for two Auxiliary Feedwater pumps.
INDIAN POINT 2 The licensee proposed modifications to the control
- building roof and ceiling to accommodate high seismic accelerations. The staff established the -
meteorological bases for a technical specification requiring orderly anticipatory shutdown of Indian Point, Unit 2 when hurricanes are approaching the site.
INDIAN POINT 3 In accordance with existing regulations concerning fire protection (Appendix R), the staff imposed the implementation of five interim actions to reduce risk of core melt from fire pending the licensee's Appendix R submittal. The interim modifications involved the provision of an alternate power source ;
to vulnerable shutdown related components.
6 __-_____.__ _.____._ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ -
, l 13 -
TABLE 1.3, (CON'T..)
1 1
PLANT NAME MODIFICATIONS ADDRESSING DOMINANT SEQUENCES LIMERICK During the course of the Limerick PRA, the applicant took steps to implement the following:
Alternate 3A ATWS Fixes (plus modifications beyond ,
those designated in Alternate 3A); modifications to l the ADS air supply; modifications to RHR System;-
separate ECCS nozzles; and procedural changes to achieve an alternate method of room cooling for the HPCI and RCIC pump rooms.
~
i d
l
+--p- - - - - , - ,,,.-w,, , --,-,---w..p. - ,-y -
..,.-m-9,% _w--,-,e
- m.-.,,, -.w--nw- - -,r-_m y - --- w--. ---
14 - .
2.0 Summary-Insichts Gained From PRA Results The structure of a PRA systematically leads to a set of accident sequences comprising an initiating event, a combination of system failures with a calculated estimate of the probability of occurrence and the associated plant damage state. In full scale PRAs, these results are used to estimate the probability of containment failure, the mode of failure, and the magnitude of a release to the environment following a breach or bypass of containment. The set of accident sequences considered " dominant" with respect to core melt are those sequences with probabilities of occurrence which constitute the major portion of the overall core melt probability with the' remaining portion being the cumulative probabilities of a large number of sequences with significantly lower probabilities of occurrence. Sequences considered " dominant" to risk take into account the probability of occurrence and the estimated magnitude of release represented by their placement into defined release categories.
In the context of an accident sequence, system failure is not quantitatively defined as an overall unavailability of the system per se, but rather as a -
combination of cut sets that lead to failure of the system function. A cutset (or failure path) is the minimal set of component failures which disable the system from performing the required function (function being defined by system success criteria for the sequence). Thus, the combination e
of cut sets are a prescribed set of failures and events which must occur for the accident sequence to take place.
Examination of dominant accident sequences and their cutsets in a PRA .
provide plant specific insights into areas of vulnerability and weakness as well as strengths of design and operation for that plant. One method of obtaining insights in a quantitative manner is that of importance ranking.
The insights into the relative importance of systems, components and basic events on a plant by plant basis are discussed in Appendix A. However, the greatest value of the conduct and results of a PRA are the qualitative insights into plant design and cperation which are gained that significantly aid in our awareness and judgement regarding the factors vital to overall plant safety. For this reason, some of the insights gained in the process of Probabilistic Risk Assessment have been compiled in this report and are presented in tabular form in this section. More detailed discussions of the background and effects of selected topics from this section are contained in Appendix B.
It has become apparent that as risk assessment techniques have evolved, areas of investigation have expanded and changed reflecting the attitude intrinsic l to the methodology. That is, the emphasis given possible failure modes, either by general assumptions or by methods of collecting data and calculating probabilities, can greatly affect which factors of unavailability dominate l
the results. This is especially true in the area of quantifying the
. o .
16 -
probability of human error, the importance of support system dependencies, the selection of initiating events, and the inclusion of external events analyses.
Some of the overall insights gained in these areas are presented in the following sections.
o 4
9
.,n . . - -
.---..---g.-- -. - -- - ----
9 2.1 Human Error, Recovery Actions and Procedures, Test and Maintenance Summary Table 1.
Potential causes of failure of manual switchover from ECCS injection, to recirculation in PWRs (Generic Issue 24):
(a) Premature switchover causing pump cavitation (b) Failure to reinitiate safety injection pumps when needed in conjunction with the high pressure pumps during recirculation (c) Incorrect reconfiguration of valves for recirculation phase.
I 2.
Potential causes of common cause failures due to human error:
(a) Redundant actuation circuitry fails due to miscalibration performed by the same individual on one shift (b) Components left in the incorrect position following test or maintenance activities:
(i) redundant actuation fails due to control switch being incorrectly left in manual mode.
~
i
- 3. Failure to open drain valves between upper and lower containment areas in plant with an ice condenser containment so that discharged water does not reach sump for recirculation phase, thus failing ECCS .
recirculation.
G
4.
Event V - Periodic t.esting of the integrity of the double isolation valves on the suction side of the RHR system can' reduce the likelihood of these valves rupturing sequentially over a period of time or operating cycles resulting in an interfacing system LOCA initiating event.
5.
Valve position indication may be misleading to the operator if it is not directly off the stem, e.g., connected actuator subsequently becomes disengaged from the stem.
6.
Staggered testing and calibration of redundant trains of equipment reduces the potential for common cause failures (2.(a)) by the operator of not only actuation circuitry but other vital safety functions (e.g., DC Batteries see Support System summary).
7.
Lack of surveillance (either direct or indirect) or extended surveillance periods for components, both active and passive, in vital safety systems may increase the unreliability of the safety function.
The components most likely to elude surveillance are manual valves, as was mentioned, whose position or disc integrity may be important to a
-safety function. .
- 8. Recovery Actions and Procedures: ,.
(a) Reliance on the operator to establish high pressure cooling in the feed and-bleed mode following failure of the Emergency e
4 Feedwater System could potentially be alleviated by improving the reliability of the EFS or automating the High Pressure Recirculation System for loss of feedwater scenarios. Improved operator training may aid in reducing the likelihood of operator error in this action.
(b) Procedures and training for depressurizing the steam generators and using the condensate booster pumps (pressure 400-500 psi) in the event of loss of feedwater (both main and emergency feedwater) greatly enhances the reliability of the decay heat removal , ,
function following a reactor trip.
4 e
T _ - - - - - - - - ---
2.2 Support Systems Summary Table 1.
Cooling of both emergency feedwater pumps is supplied by an AC powered service water system, thus loss of al.1 AC disables both trains of emergency feedwater. The pumps were modified to self-cooling designs.
2.
DC bus supplies actuation power to the turbine driven emergency feedwater pump and a diesel generator (the breaker connecting the bus fails to close). A single DC bus. failure disables two emergency feedwater pumps in the event of a loss of offsite power.
- 3. Strippin'g vital loads from the safety buses on a safety injection signal (even though offsite powr has not been lost) and then reloading them sequentially on the bus reduces the reliability of the safety function.
- 4. DC bus faults can cause a reactor trip initiating event with concomitant failure of multiple core and containment cooling system trains.
- 5. Potential causes of DC battery failure or degradation:
(a) Common mode test or maintenance error (rectified by staggered testing) 9
4 21 -
(b) Maintenance personnel may leave battery charger disconnected from bus following maintenance activities. During this time, loads will be supplied by the battery itself causing degradation in battery capability. -
(c) Loss of ventilation in battery rooms (d) Excess voltage during equalizing charge (e) Following test or maintenance, jumpers may not be removed from cells.
- 6. Failure of battery fails the Isolation Condenser return valve and a diesel generator emergency power train.
- 7. Ventilation required for equipment operability may fail in rooms with redundant equipment due to the thermostat never being checked or power to ventilation system is not on an emergency power bus.
- 8. Diesel Generator may not operate following loss of offsite power due to loss of service water required to provide DG cooling from service water pump powered by emergency bus supplied by a failed diesel generator.
- 9. Sight glass in air lock may not sustain as high an overpressure as the rest of the containment.
I i
. , - %--------- -= =v-t+- r-M-= -w ---- - ----w----$- -www-- ----- ---
e----v--qeuw e-et e- r --
-'-'-wwww-'w---C
. o . .
o 22 - -
10.
Fan coolers provide a redundant containment cooling function in many plants.
However, the fan coolers may fail in a post-core melt environment due to hydrogen burns failing electrical cabling or air borne particulates clogging fan filters.
11.
Failures in the Component Cooling Water System (CCW) have been identified as extremely important support system failures which have the potential of being an initiating event along with disabling mitigative systems required for that sequence. These aspects are '
discussed together in the next section on Initiating Events.
t l
l O
moosee*
- t=
+
2.3 Initiatina Events Summary Table 1.
A Component cooling Water System (CCW) pipe break causes loss of cooling to t,he reactor coolant pump seals and to the charging pumps whichp " rovide seal injection flow. Loss of seal cooling and injection flow may result in seal failure (i.e. , small LOCA).
Core melt may ensue because the high head safety injection pumps (ECCS) also fail due to loss of CCW cooling. Thus, a single .
initiating event (loss of CCW) may directly result in core melt.
2.
Loss of cooling to reactor pump seals for short periods of time (30 minutes to an hour) may result in' seal. failure even when the RCP pumps have been tripped.
3.
Auxiliary component cooling water pumps driven by the ECCS pump motors may reduce dependence of ECCS on the main CCW system.
i 4.
The ability to share CCW systems in multi-unit sites may increase the reliability of CCW flow to safety systems. .
5.
Small break LOCAs appear to be dominated by RCP seal failure and steam generator tube ruptures in PWRs.
I i
l l
l l
t 6.
J. Small break LOCAs appear to be dominated by stuck open safety / relief valves in BWR.
7.
Depending on the location of small break LOCAs (e.g., below reactor in pedestal cavity), the result may be to fail filling the sump prior to initiation of recirculation pumps due to flow path geometry inside containment, thus failing ECCS recirculation.
t
- 8. Interfacing Systems LOCA:
The likelihood of this event can be substantially reduced through strategic testing of the valves at the high/ low pressure boundary. For many plants, the valves of
. ~
t concern are the check valves in the RHR or Low Pressure Injection lines. However, from the Indian Point PRA, additional conditions have been recognized. The motor-operated isolation valves in the
On the other hand, since much of the piping and the
, RHR heat exchanger are within containment, failure of the heat exchanger or piping in this area is no longer a sequence which I bypasses containment but rather a LOCA within containment that depends on the availability of emergency mitigative systems. This
( conf,iguration is somewhat unusual which underscores the importance i .
of identifying plant-specific features which may render previously identified events less likely as well as verifying the existence
. of vulnerabilities found in othe plants.
i I
l
,, i .
2.4 External Events Summary Table
- 1. During a severe seismic event, adjoining structures which are not adequately separated or joined together could respond out of phase so that one or both structures fail, losing vital safety functions or equipment in one or both buildings.
- 2. During a severe seismic event, panels in hung ceilings in the .
control room could fail, incapacitating the reactor operators and/or the control room itself.
- 3. The frequency of seismic events for many parts of the country is being reassessed and may be greater than previously thought.
- 4. The damage zone of a fire may be much larger than the immediate fire area because of the hot gas layer that forms at the top of the room. Equipment or cabling located along the ceiling could subsequently fail even though they are not in the direct fire path.
- 5. Hurricane and tornado winds have been identified as .important contributors to loss of offsite power events with intensities that may also damage buildings and equipment.
S e ve e - w-he $
__a
. . 4 .
2 C.
A severe seismic event resulting in failure of the service water system disables the diesel generators thus resulting in loss of all emergency AC power, i
i .
i i
I i
f f
1 1
I h
a b
e
. o \.
4 ~
III. Insights Into PRA Methodolooies About 20 probabilistic risk analyses of nuclear power plants have been -
performed in the United States. These analyses have been performed by ~
different organizations using different degrees of sophistication or detail in the various methodological topic areas encompassed by a probabilistic study.
The staff has sponsored a survey of six PRA studies to evaluate the impact of the level of effort (detail) expended in each topic area on the perception of plant vulnerability and/or core melt likelihood. The results of this survey are presented in " Insights into PRA Methodologies", NUREG/CR-3852.
The various topics considered in the study and the suggested level of treatment for each of the topics is presented in Table 3.1. Half of the topics were considered to have a significant impact on the perception of plant vulnerabilities as noted by the asterisks (*) in Table 3.1.
l O
i l
.e . > -
[
Idble J.! hugge5LCelL.cVel5 of 1.llert Oerived From .
Empirical Ef fert - Impact Analysis .
ferie a,ea
}.3ses sed t e.ee of g f fe,I lepic 4,ea
. sgested te.el es (88eg esi .
Ident ef tsellea of leangleat and 1144
(. use generse saltseter dets plus aC - sandel sag of a( pe.ee (. use asa. detailed erste. a. dest.
plaat spettf6g da*a. g,gg,ag g, y , detailed ., ,e med,1, gie.
emessatest *
,
- note j),
' I Olt . Deterasmet ten of Se Une 1eae*It data augmented by 4 .
Medgling pf leglg tygteet (. use tingle mea.detalled taste
- fregeency of traagtemt glattltal est of plant.4 pet tfit modegg, and 10(4 taltesters data.
(C -
Coaasa toute smalstes II , Istat tree madellag' 8 telect tempeaeast for eastests O. Use leall nytttelt e.eml treet. er .ellag englaterlag jedjeecag t ec ha t e.e s -
- 8. Use esege e ent trees ea<l.dlag 5 gleses n==sa actieas. es . Selec tion of te*peaeat 4 Use generlt 88ta.
.ga . g,gtee hardeleed ofe . use of desame fallene (. (e=tider ef fect of leag sett E. Ule Seeless redwestem sede.
de,end,a. ,easi,... ,,ebsblI6tles laterealt sa tempement fa'l=**
.es . t, stem enterestesa pesa.ipiie..
4 De ael perfor= ma eaalyset toned .
saal,isi en eage=eering satigass. noe - wie of aesas es ele of 4
.edtens use .esa fall.ee reses. e.
as e .
wir median fall.ee esses.
.,esih,ni .I tae p..I a.. demi besi ,e.e.a. : .. vie ,esii i.. accidemi ieasini 9%ete
.. ,d .* iee., ace ,egeire-emii.
.,( -
.,,,f,s o.a .5 inii s ai en,
,,,at,
(. vie f a<iesasi as,<e,aise- e' i,an...at in. . ale,..
g
- sue .
si. mas errect earlag s C. Ute men. detailed hvaan error 11(. . seterstaatson of syste. C. use plaat specefit. realettes.
aermal operette= analysts. (etteria analyllt to deteratet appropeest gyggee se<cegg gelteria.
at .
s'.aan errets dealag (. One detailed human erre' aggldent pengeestlea analysis. In . Modelleg of lett sad 4 Une generlg was.allabillllet.
(
,m . (emaea mode human S. Use sa analyses based sa (q . (autreamental
(. (eattder emelrea* ental effects c er,.a ansig i. enginee eng 1.dse-eat. goggggggelgen gemeenent s, c attulait ea.8anaaeac n
. Breatment of rete ery coadio.a. en...atered.
C. (easeder t he r et e.e e y o f hwana a erreas and 4(teatlea faellt.
e
\
mete 1: (helte et detall can depend spea the level of ef fort espended la ether topic areas, part 8celarly 104 O f the suggested 104 level of e f fort (level () is used. the suggested level of e f fort for the topic ares &C8ee is level (. *-
h 4
9
These topics should be given careful .onsideration when performing a PRA and also when reviewing a study. The suggested level of effort to realize an acceptable level of analysis is only significant for three topic areas, namely:
4
~ .
(a) System hardwired dependencies (b) Modeling of ac power systems (c) Human errors during an accident.
Analysis of system hardwired depndencies and modeling of ac power systems are related topics that deal with auxiliary systems that support vital safety functions.
Of concern are the potential cross-connections in the auxiliary system that effectively defeat redundancy in the safety functions.
The analysis require detailed fault trees that include these potential interdependencies and a Boolean reduction code capable of processing the large matrices obtained.
The task could be reduced somewhat if a determination is made at the outset abut the realistic requirements with regard to auxiliary cooling either through direct coolers attached to a component or through room cooling.
l Modeling of human errors during an accident is concerned with depicting a realistic expectation of operator actions during an accident. These actions are those related to preexisting training and training and procedures and do not include random acts. Although the suggested level of effort for this topic includes detailed task analyses to portray the actions of interest, the results are still highly dependent on the analyst's bias in assessing 6
. - - . ,, ,,-_--.__-.---__,_.r , ,, . ,-- ,,-,,,-.____._c,,_,._.,,--._,r, --
--.m.,, ,#_ %., _y,- . - - - - . - . -_., __-. --,. - - -,m,---, , - , _ . . _
~
the performance shaping factors that impact the quantification of human errors. This area deserves careful attention in the review process because of this sensitivity.
Actuation and control logic and recovery of failed components or actions also have significant impact on the perceived plant vulnerabilities, but the study indicated that less detailed effort was required for these topics to achieve reasonable results. These topics are related to modeling of ac power and human actions during an accident and therefore should probably be ,
considered as a package when deciding what level of effort.to devote to a PRA analysis.
A related topic, not directly addressed by the survey, is the treatment of component operability under conditions beyond their design point. For example, do pumps fail if they don't have lube oil cooling ur will equipment inside containment operate in a post core-melt environment. The sponsored reviews of PRA studies have shown that assumptions made in these studies regarding system / component success criteria have a significant impact on the PRA results. Many of these sensitive areas have been highlighted in the previous insights section. Because of this sensitivity to analyst's -
judgement on component operability, it is very incortant that these assumptions be explicitly identified in the PRA 4tudies along with justification and/or sensitivity studies to display the impact of the assumption.
e en
V 4.0. Measures of Contribution
, 4.1 Cut Set Evaluation To gain insight into the relative importance of particular system failures, it is possible to review all the minimal cutsets (which can number in the tens of thousands) via computerized search to determine which ones contain the system failures of interest. It is then possib?e to determine what -
percentage of the plant's core melt frequency is contributed by sequences containing these system failures in the cut sets.
As with " dominant" sequences, the dominant minimal cutsets, those which have probabilities dominating a large portion of the sequence frequency, are of primary importance. There may be system failures of interest in the remaining cut sets of a sequence, but they are of considerably lower probability and contribute significantly less to the sequence (customarily, below a prescribed low probability or. small contribution cutoff).
In order to focus on the important contributors identified, we restrict our
- attention to the dominant minimal cutsets of an accident sequence. Since all elements in a sequence cutset contribute multiplicative1y to the cut sat, it is not possible to attribute the precise contribution of system failure elements to overall core melt frequency. However, the existence of a large
o .
contribution to core melt frequency of sequences containing particular system failures would indicate that examination of the elements of those sequences may identify areas where reductions in core melt frequency or risk are possible through various improvements.1 1
- f 1
l It is important to realize that " dominance" is arrived at quantitatively.
There are large uncertainties associated with sequences due to statistical, accurate modelling and completeness issues.
! Therefore, the estimated higher probabilities for of other sequences.dominant sequences or events may suppress the significance Uncertainties in sequences not only affect the interpretation of those as sequences equally likely. as dominant but also the consideration of other sequences
---w-,--- - - -- - -- -- --.. -- ---- --
4.2 Importance Ranking A further method which can be used to arrive at the relative importance of
, particular systems is the application of importance measures.
An importance measure often used is the "Fussel-Vesely" measure o,f importance. The interpretation of the values given for each term (system / basic event) is the probability that the defined term contributed to total core melt frequency, given that a core melt has occurred. It is important to recall the definition of system in this context. It is not '
overall system unavailability but rather the probability that a combination of components in that system (defined by dominant cutsats) have failed given that a core melt has occurred. In this way, we can get some measure of the relative importance of a system or component but not the contri,bution to the
~
core melt frequency, as presented in the cutset approach above.1 As was previously mentioned' even when the dominant cut sets are identified for each dominant sequence in a PRA, the most that can be said is that the component or system failure was contained in cut sets which contribute some percentage to j overall core melt. However, this does not tell you numerically how big a part was played by the failure of that component or system within the cut set. It i
is for this reason importance measures were developed, since an accident ,
l sequence does not comprise a series of overall system failures but rather a series of cut sets or failure paths of system components which lead to the plant damage state.
-~ -
5 Vith both techniques, it is important to realize that the lack of appearance of particular systems or events.may be due to deficient i modelling and/or assumptions. As with other assessments of results, the issue of completeness contributes to uncertainty.
l
- , ,, ---m-w-nm-
I 'I e ].
i The analysis performed by Sandia National Laboratories under contract to RRAB examined 13 PRAs (15 plants) in order to rank basic events / component failures by their calculated measure of importance. Before discussing the l
results, a very important point concerning the use of importance measures is l necessary. While a " system" may have the highest measure of importance and l
thus has the potential to yield the highest relative decrease in core melt frequency from an increase in availability, practically speaking, the achievability of that increase must be considered. A system with a high l
measure of importance may itself already have a high reliability. Further methods of increasing its reliability may introduce additional complexity 1
and new failure modes (common cause failures for example) so that the modifications may not introduce the expected reduction in core melt frequency and may therefore not be the most effecient allocation of t
resources to increase safety.
Ketping this in mind, it is still useful to examine the results of importance ranking and failure modes of systems in the dominant sequences as presented in the PRAs subjected to this type of analysis. This information j is provided for each plant in Appendix A.
$0 I
r I
35 -
, APPENDIX A Plant Specific Importance Rankina Results Surry STEAM ,
PLANT GCNERATOR .
MWe PRA VENDOR LOOPS CONTAINMENT J RATING STUDY Westinghouse 3 Dry, 775 RSS Subatmospheric (WASH-1400)
Since detailed information on the dominant sequence cutsets were not -
published in WASH-1400, the events that were ranked are general in nature, i.e. , system level terms.
With respect to core melt frequency, the initiating events, small and fJedium LOCA and loss of offsite power transients, are dominant along with six basic events which contribute adre than 10 percent to core melt frequency. Small LOCAs are ranked first followed by the High Pressure Injection System and Auxiliary Feedwater System. The HPIS failure is dominated by single and double hardware failures and AFWS failure is dominated by failures due to test and maintenan:e in the turbine driven train. Diesel failures (with non recovery) are followed by human errors in aligning the Low and High
- lc> Pressure Recirculation systems in importance.
Three sequences dominate risk (in this case defined by those sequences which result in releases in PWR categories 1, 2 and 3).
.-.,,.--,w - - - - - - , - - - ,--------g - -,,yc y y + w. -----we - - ,.-e-
.o ,
Event V, the interfacing systems LOCA, dominated by test and maintenance i
errors, is ranked first and is the most dominant basic event since it results in a release probability of 1 in category 2. Improved procedures and check valve testing capability have contributed to the reduction of the Event V sequence probability since the identification of this sequenc.e
! Event V is esentially a LOCA which bypasses containment, thus resulting in a release directly to the environment.
The second is Station Blackout (TMLB) which is dominated by the LOSP ,
transient, failure of emergency AC power and non recovery of offsite AC power.
The importances of AFWS, Recovery and AC power are equal because sequence TMLB has only one cutset. The severity bf the release is due to the fact that there are no heat removal or containment cooling systems available.
The third sequence is a small LOCA'with failure of the Containment Spray Injection System, dominated by human error faults during test and i maintenance. Its importance measure is less than one half of Event V, but it results in a category 3 re' lease. The failure of CSIS results in '
insufficent water in the sumo at i..a time the CSRS is initiated, thus the -
spray pumps would fail. With the sprays not available to provide overpressure protection, the containment fails and, in the case of Surry, the ECCS pumps no longer have adequate net positive suction head to continue operating.
This is a sequence that is dependent on the containment and NPSH requirements of the ECCS pumps specific to a plant.
Peach Bottom STEAM PLANT GENERATOR MWe PRA VENDOR LOOPS CONTAINMENT RATING STUDY General Mark I 1065 RSS Electric (WASH-1400)
As with Surry, detailed cutsets were not presented in the Peach Bottom analysis in WASH-1400. The events ranked are on the system level.
Two sequences dominate both measures of importance, core melt frequency and risk (core melt with release) the remaining dominant sequences are all at least two orders of magnitude less than the frequencies of TW, failure of decay heat removal given a transient and TC, the ATWS.
- Failure of decay heat removal is dominated by failure of the Low Pressure Injection System in the Residual Heat Removal mode induced by failure of the High Pressure Service Water System to provide cooling to the RHR heat exchangers.
Though the initiating transients were combined in the modelling of transient sequences in the Peach Bottom analysis, by considering the -
fraction of transients with loss of offsite power assumed for this task, the transients without loss of offsite power were dominant with regard to core melt frequency (ranked higher than transients with LOSP).
"~~
38 - '
TC, failure to achieve subcriticality following a transient event, is dominated by the human error of failure of the operator to manually scram upon failure of the Reactor Protection System and mechanical failure of RPS.
Thcugh the probability of the operator error is four orders of magnitude higher than failure of the RPS, they are ranked equally since they both appear in only one cutset. '
e O
e e
l l
l l
.~
39 - .
Sequoyah STEAM PLANT GENERATOR MWe PRA VENDOR LOOPS CONTAINMENT RATING STUDY ,
Westinghouse 4 Ice Condenser 1148 RSSMAP The Sequoyah study was first performed under RSSMAP and does not contain as much detail regarding cutsets as later RSSMAP studies.
The LOCA (small and medium) are among the most important basic events since all but one dominant sequence, Event V, is initiated by a LOCA. Thus, every cutset includes a LOCA initiator.
With regard to core melt frequency, sequences initiated by LOCAs followed by failure of ECCS recirculation, ECCS injection, and a common mode failure of l
recirculation including containment sprays are ranked in importance first, second and third respectively. Event V is last, with regard to core melt frequency.
ECCS recirculation failure is dominated by two human errors: the operator fails to open valves in suction lines to Low Pressure Recirculation System ~
pumps discharge (-failure to realign correctly) and operator failure to realign LPRS and HPRS for hot leg injection after 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. It is questionable whether the second operator error truly constitutes failure of recirculation. Hot leg injection is assumed to be needed within the first e, em.m *
---,,...----y_, , --. . - - - - - - -
-,-----..,,,my -
.y --
day following a cold leg break in order to flush the accumulation of boron, residue and debris. Hot leg injection may not be needed for all small LOCA break sizes and there was no determination of the break size which would necessitate this action. The remaining failure of HPRS is insufficient ventilation air to the charging pumps during recirculation.
Failure of ECCS injection following a LOCA is dominated by combinations of hardware failures in the charging lines or pumps of HPIS and hardware failures in safety injection lines or pumps of the HPIS.
1 The human error associated with the common mode failure of recirculation as discussed in Section II is ranked equally with human errors on the basic event level.
This common mode contributor to failure of ECCS recirculation and containment spray recirculation is caused by the failure to open the drains between the upper and lower containment compartments following maintenance and refueling operations. In this way, water collects in the upper compartment rather than flowing down to the containment sump thus failing to provide coolant for recirculation and damaging ECCS and CSRS pumps by cavitation.
With regard to risk, both the LOCA followed by common mode failure of recirculation (SHF) and Event V (interfacing systems LOCA) were assigned to release category 2 with a probability of 1. Ranked in terms of basic events, the small LOCA is ranked first, followed by human error associated with common mode failure of upper compartment drain, and Event V.
l l
Special administrative controls have been incorporated in the Technical Specifications for Sequoyah addressing the identified drain blockage problem, unique to ice condenser plants.
Capability and a more strategic testing procedure for check valves in the pressure boundry have~been instituted to address the interfacing systems LOCA event.
l l -
4
- * * * " . .s
. l Oconee 3 I
4
' STEAM PLANT GENERATOR ,
MWe PRA l VENDOR LOOPS CONTAINMENT RATING STUDY
! Babcock 2 Ory l and 886 RSSMAP l
i Wilcox l i
l Eight sequences are dominant with respect to core melt frequency. Transient -
initiated sequences dominate with frequencies which differ by small factors (2 or less). Three sequences initiated by small and medium LOCAs are in the same range.
i At the system level, operator errors are ranked first, with respect to core melt frequency. The four events are about equal in importance. These are:
(1) failure of Low Pressure Injection System due to test valves left incorrectly positioned, (2) failure of operator to align HPRS to LPRS discharge for recirculation mode, *
(3) failure of oper4 tor to open sump valves for recirculation mode, and l
(4) failure of operator to initiate High Pressure Injection System following an ATWS event.
1
The human errors in aligning ECCS systems dominate because the next two events in order of importance are transient initiators and event Q, Pressurizer Safety / Relief Valve (S/RV) fails to reclose.
Thus two of the dominant sequences are transient induced LOCAs with event Q appearing in every cutset for these sequences.
These events are followed by failure of the Low Pressure Service Water System (LPSW) due to hardware failures of the pump in each of two trains.
Along with small LOCA and transient initiators non-recovery of the Power Conversion System and failure of the Reactor Protection System are followed with importance measures very close -
together.
Though the operator failing to initiate HPIS following mechanical failure of the RPS is ranked first with other human errors, the HPIS availability may be much lower following very high reactor coolant system '
pressures during an ATWS sequence.
Though tha HEP assigned to this manual .
action is high (about .1) it is also questionable'that. successful actuation would be possible or that subcriticality would be achieved in time to prevent plant damage.
The remaining failures with lower importance ranking involve hardware failures in Low Pressure Injection System, Engineered Safeguards Actuation Devices System and ECCS and Containment Spray Recirculation which include the same hardware faults as those during the injection phase plus failure of the sump valves to open for the ~
recircuhtion phase.
Recall, that human error failing ECCS injection and tw.irculation are ranked the highest of basic events.
This means that these systems are important, but treating the human as a system or a subsystem results in this failure mode (human error) being ranked first, even though the remainder of the system failure contributions are ranked much lower (hardware failures).
_ . o -
1 4
With respect to risk, most of the eight sequences still dominate with the addition of Event V which becomes a dominant contributor to risk though it i was not dominant to core melt. Also, the medium LOCA followed by failure of ECCS injection sequence is no longer dominant (with respect to risk).
Three additional points should be made.
(1) Reactor Coolant Pump seal failures were not included in this analysis.
Were they to be considered, the frequency of small LOCAs could be greater than that assumed for this study. However, there could be additional recovery actions to be considered in a requantification of these small L CA sequences.
l (2) During the course of the study, the licensee modified the AFWS by removing the AC power dependency of the turbine driven pump. In -
addition, Oconee has a back-up system to the AFWS, the High Head j l
Auxiliary Service Water System with a dedicated AC and DC power source !
t independent of emergency AC power sources for other systems. i l
(3) for emergency AC power, Oconee can utilize either of two hydro generators. Oconee also has backup from one of two turbine generators which are available for loi.g term operation. This contributes to the absence of a station blackout scenario as a dominant accident sequence l
in this analysis (i.e., the sequence contributed slightly,less than 5%
to overall core melt frequency).
- - - - er-- y---y-- - ~4 _ _ , - - , 7-m- --w
_ 45 -
EFWS and HPI primarily fail due to hardware failures of the Low Pressure Service Water System, not loss of all AC power.
O g.
O
.. .o t i
Grand Gulf I
i i
STEAM PLANT GENERATOR VENDOR MWe PRA LOOPS CONTAINMENT RATING STUDY General Mark III Electric 1250 RSSMAP 1
Five sequences contribute 5% or more to overall core melt frequency, four transient initiated sequences and one LOCA initiated sequence. With respect to core melt frequency and risk (rankings are essentially the same) the system level terms are dominated by failure of the Standby Service Water System (SSWS), recovery actions by plant personnel, transient initiators and unrecovery of offsite power and mechanical failure of the RPS. The remaining system terms are dominated by hardware failures, such as the case of the Residual Heat Removal System (RHRS). The SSWS supplies cooling to the RHRS heat exchangers. Fourofthedominantsequencesinvoivefailureof the RHRS to remove heat from the suppression pool or the containment.
(Recovery terms are expressed in a general nature - failure to correct test or maintenance faults or other corrective actions within 28-30 hours.)
Inspection of the system level cutsets shows that SSWS failures are in most of the 'cutsets of these sequences, with only a few cutsets containing RHRS hardware fsilures. So the high importance of SSWS reflects the heavy dependence of RHRS success upon SSWS success. SSWS failure is dominated by valve and pump failures in both of the SSWS trains. Operator errors, test l
l
_ _ ~
---rw--
." . . e
,- f and maintenance faults, and hardware faults have been combined together in the definition of these events. Thus, the actual amount of importance due to human versus hardware faults cannot be determined by importance calculations.
J For both events, failure of a safety / relief valve to rescat and mechanical failure of the RPS, failure probabilities were taken direc.tly from WASH-1400.
For RHRS and the Reactor Core Isolation Cooling System (RCICS), failuras are defined by general terms as combinations of control circuit, hardware and maintenance faults leading to system unavailability.
Emergency AC Power is dominated by failures of both diesel generators. It
- should be noted that the diesel generators for Grand Gulf are the subject of a Task Force investigating the reliability of diesel genc?ators made by Transamerican DeLeval, Inc.
The conclusions of this Task Force could affect the assessment of emergency.AC pcwer availability for Grand Gulf. However, i
1 Grand Gulf has installed, in addition to the diesel generators, three gas turbines, where twa of three provide adequate power for plant shutdown.
G I
t
. o Calvert Cliffs 2 STEAM PLANT GENERATOR VENDOR MWe PRA LOOPS CONTAINMENT RATING STUDY Combustion 2 Dry Engineering 850 RSSMAP Three sequences dominate the core melt frequency. All three sequences are transient initiated (as were all sequences discussed as dominant sequences in the PRA). Those transient initiated sequences with failure of all secondary cooling contribute over 90% to overall cora melt frequency. The system level importance ranking results, not suprisingly, show that only three system level components are significant: the Auxiliary Feedwater System (AFWS), operator errors and the Power Conversion System. All other systems have a very small contribution to core melt frequency.
4 In many of the subevents of AFWS failure, the operator errors and hardware faults are combined into one unavailability, so it is not readily apparent in the importance results as to what amount is due to operator error and that which is due to hardwcre faults. How ver, the single most dominant subevent is operator failure to manually initiate AFWS. The remaining portion of the unavailability is due to failere check valves, manual valves, control valves, motor-operated valves and the AFWS turbine pump. However, as noted, a term for human error has been bumped with these unavailabilities to yield a single vclue.
d
,. Following these terms and unavailability of the PCS, with much smaller measures of contribution, are transient initiators and failure of emergency AC power due to both diesel generators failing from maintenance and start failures and a failure of a control valve in the Salt Water System, which provides jacket cooling to the diesels. The only other human error identified in event ranking is that of the operator failing to restore AFWS by opening manual bypass valves in steam admission line (given that other failures have not made this action impossible or ineffective).
The same three sequences dominate risk with the addition of one other sequence. Hardware and operator faults in the AFWS still dominate all other events with significant contribution to plant risk by the PCS faults. The inclusion of the fourth sequence, that in which failure of PCS and AFWS is followed by failure of the containment fans and sprays, accounts for a small but significant importance of the DC Power System. This fault is a miscalibration of the battery charger charging rate, which allows the batteries to degrade and fail when demanded. This fault is actually a human
(
error, though it is modelled as a DC Power System fault. It is independent of all other system faults and operator actions. .
This study was based on an AfWS which has since been upgraded. The original system was a manually operate 6 two-train system. The upgraded system is an automatically initiated system with two steam driven pumps and one electric pump (there were only two steam driven pumps at the time of the study) with the option of valving in the motor-operated train of the AFWS of Unit 1 into
e ,
the motor driven train of Unit 2 by operator action. It was estimated to reduce the overall core melt frequency by an order of magnitude. The Calvert Cliffs, Unit 1 IREP study is expected to provide a more detailed, up-to-date assessment of the Calvert Cliffs Units which are essentially identical.
l t
Crystal River 3 STEAM PLANT- GENERATOR ~
MWe PRA VENDOR LOOPS CONTAINMENT RATING STQDY Babcock 2 Dry 906 and IREP Wilcox Of the set of sequences designated as dominant in the Crystal River-3 (CR-3) study, only three contribute 5% or more to core melt frequency. Two are initiated by small LOCAs, and one is initiated by a loss of offsite power transient.
The system level importance ranking results for both core melt and risk show that small LOCAs are the most important initiating events with operator errors dominating system failures with an importance measure equal to that of the small LOCA (see Section II.A-Human Error). The DC and emergency AC power systems have significant contributions with hardware failure of the Emergency Feedwater System ranked last with a small importance measure.
The three dominant operator errors involve improper operator actions during switchover from injection to recirculation mode of emergency core coeling or during the recirculation phase. All actions which must take place to l
._,_._y - -
,.,-.....y__,, ,y,m,,, ,
.--,_,y9 ---- - - _ , _,, 3 m-- - . - ,
4 switchover to recirculation are manual actions versus some plants where some valves receive automatic signals for change of state based on level
, indicators.
A relatively high probability of error is attached to the performance of actions under accident conditions and in consideration of the quality and clarity of emergency procedures. Specifically, the operator is subject to any of several errors:
(1) premature switchover, where the operator.reconfigures for recirculation too soon causing pump cavitation due to insufficient net positive suction head, (2) after terminating the low pressure injection pumps (which initiate upon the same actuation signal that startes the high pressure pumps), the operator fails to reinitiate the low pressure pumps i
1 for recirculation during which time the high pressure pumps take suction from the low pressure pumps discharge, or i
-(3) the operator incorrectly reconfigures the systems for -
i recirculation.
I i
- For emergency AC power, the individual diesel generator unavailabilities are the same. However, diesel generator 8 is dependent on the B battery in the j OC system. The breaker connecting diesel train B to the bus would not close with failure of the DC train B. In addition, the turbine driven emergency i
c feedwater pump, which has a DC powered control valve would also be rendered inoperable by failure of battery B. Thus, with failure of battery B plus simultaneous failure of diesel generator A, emergency cooling is dependent on the availability of emergency AC power from Crystal River fossil units 1 and 2. The loss.of offsite power initiated sequence frequency would be higher without the two' fossil units available at the site.
It should be noted that the frequency of small LOCAs did not include consideration of RCP seal failures nor were they considered in the Station ,
Blackout scenarios. These sequence frequencies could possibly be higher if RCP seal failure contribution were included as an initiator or subsequent failure to loss of all AC power. Howevar, some changes have occurred since the study, such as post-TMI staffing requirements and improved emergency procedure which would affect the calculated human error probabilities.
O
Arkansas Nuclear One 1 STEAM -
PLANT GENERATOR VENDOR MWe PRA LOOPS CONTAINMENT RATING STUDY Babcock 2 Dry and 820 IREP Wilcox Of the fourteen sequences designated as dominant in the ANO-1 study, nine sequences contributed 5% or more to overall core melt frequency. .All of '
these ANO-1 sequences have frequencies fairly close in value to each other.
Therefore, many system level terms have similar importance measures.
DC power is ranked highest among system level terms with the highest importance measure.
Seven other system terms have relatively significant contributions.
The DC power system is a two division system with two normal battery .
chargers (one standby) and no ability to cross-tie DC buses. Cross-tied DC buses allows transferring a bus faults, a common mode failure discussed in '
NUREG-0666, "A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants." DC power system failure is dominated by the single most dominant basic event, a common mode failure caused by human error during test and maintenance. Previous to the ANO-1 study, testing 1 -
55 -
procedures allowed both batteries to be tested on the same day by the same personnel. As a result of the ANO-1 study, quarterly tests of the two station batteries are now required to be performed on a staggered basis, one battery every six weeks.
In addition, the DC (and AC) switchgear room cooler actuation circuitry is now required to undergo a complete test. The previous test procedure omitted a portion of the circuitry. Another potential problem was identified concerning the actual energy capacity of the station batteries. The DC system is powered from the AC system through the battery charges. Although the battery output voltage is monitored, it is not clear whether this reflects the discharge voltage of the battery itself or that which the charger is supplying. This monitoring may not adequately characterite battery status (see Section II, Summary Insights, (B) Support Systems).
t Following a loss of offsite power transient in importance and equal to the basic event Q, failure of pressurizer relief valves to reseat, is the transient initiator of a loss of a DC b'us (see Section II, (B) and (C)).
Failure of this bus results in multiple failures of accident mitigating systems:
(1) fails 2 of 3 High Pressere Infection System pumps, (2) fails 2 of 4 Reactor Building Cooling System fans,
.. . .- v o -
(3) fails 1 of 2 Emergency Feedwater System Turbine Pump flow control valves, and (4) fails EFS motor-driven pump.
The detailed modelling of the DC power system in the ANO-1 study resulted in the identification of the large importance of the DC power system as both an initiator and contributor to accident sequences with regard to core melt.
Following hardware failures in the EFS in importance are small LOCAs and operator errors.
The reliability of the EFS affects the need for an operator action, Yailu're of which is one of the dominant operator error terms.
Because of the importance of the EFS in mitigating transients such as loss-of all AC power and loss of AC or DC bus event, the licensee took actions to i
improve the EFS reliability by modifying the check valve configuration to the condensate storage tank and improved the starting procedure for the emergency diesel generator so that it can be manuclly started in the event '
of loss of DC power. These modifications were made for the interim period '
until the resolution of the generic progru regarding modifications to upgrade Emergency Feedwater Systems. The improved reliability of the EFS would hopefully minimize the reliance on operator actions for certain sequences.
In this case, the operator error is failure tp provide heat removal upon failure of the EFS by initiating the HPI pump in the feed-and-bleed mode. This operator error probability was considered optimistic
~~L - - . . . - . . . .
in the ANO-1 study due to the assumption of a longer time frame for the operator to successfully establish feed-and-bleed. Both sequence and core melt frequency are sensitive to this error and thus could likely be higher than those calculated in the study. In addition to other modifications for the interim, the licensee has implemented ATOG (Abnormal Transient Operating Guidelines) and modified the operator training program which could aid in minimizing this human error. The only other dominant human error is failure of the operator to initiate HPI following failure of the Reactor Protection System.
(See the discussion for Oconee 3 concerning the probability and 1 effectiveness of this action.)
The small LOCA frequency is dominated by Reactor Coolant Pump Seal failures. However, there were six RCP seal failures at ANO-1 over a 3 year period which were not included in the RCP seal failure frequency in the IREP study. Since sequences involving small LOCAs are important contributors to core melt, the overall core melt frequency could potentially be higher than that calculated in the study. To improve RCP seal performance, the licensee initiated a RCP seal upgrade program that includes modifying internal parts and controlled bleed-off flow rate. This is also an interim measure pending the resol.ution and recommendations from Generic Issue 23, Reactor Coolant Pump Seal .
Failures. (See Section II, (C).) '
The High Pressure Injection System and Reactor Building Spray Injection
. System-follow-in~importance and share two basic events wherein pipe segment or valve faults result in failure of suction to HPIS pumps and 1 of 2 RBSI l
pumps.
l l
With regard to risk, the same basic elements dominate with the replacement of the EFS as the highest ranking system. DC power no longer dominates due to the relatively low probability of severe release (Category 2) of the loss of offsite power initiated sequence with subsequent failure of DC power by the dominant common mode failure. This common mode failure term appears only in this sequence.
i l
l l
l h 1
I i
l
Browns Ferry 1 STEAM PLANT GENERATOR MWe PRA VENDOR LOOPS CONTAINMENT RATING STUDY General #
Mark I 1098 IREP Electric '
Due to the absence of sequence fault trees and cutsets in the Browns Ferry 1 (BF-1) study, meaningful importance ranking was difficult to perform. .
Minimal cutsets were derived from simplified sequence logic diagrams and system uravailability cutsets. The results of this importance ranking should be viewed with this severe limitation in mind. It is evident in that' two of the three sequences which dominate core melt frequency (and risk) are transient initiated with failures of the Residual Heat Removal System (RHRS). These two sequences account for over 60 percent of core melt frequency, yet the importance calculations performed on the derived minimal cutsets result in a suspiciously small importance measure.
The three sequences are transient initiated, two by loss of the Power Conversion System (FCS), one by loss of offsite power.
The system level results show only two systems, along with the transient initiators, with significant importance, the Reactor Protection System (RPS) e o
y-..-- .n, - - p - - , , - - - - - - - - -
~ ._ .
and emergency AC power. Failure of RPS consists of only one event, the frequency of failure to scram taken from NUREG-0460, " Anticipated Transients Without Scram For Light Water Reactors," following a loss of offsite power.
The dominant fault of the emergency AC power system was taken from the discussion of the sequence initiated by loss of offsite power. This is a combination of three diesel generators failing, however, no description or quantification was given for this event.
t Looking over the Boolean terms, it may be useful to note the failure modes of the RHRS.
They are in order of the attempted importance ranking:
Isolation Signal Faults - RHRS Control Circuit Faults no output RHRS Reactor Core Isolatica Cooling System Control Circuit faults Failure of Inboard Torus Cooling Valves Operator errors of failure to manually initiate Shutdown Ccoling Mode of RHR Residual Heat Removal Service Water System interface faults Emergency Equipment Cooling Water System Motor Control Circuit faults
61 -
l Millstone 1 STEAM PLANT GENERATOR MWe PRA VENDOR LOOPS CONTAINMENT RATING STUDY General Mark I 652 IREP Electric In the Millstone 1 study, loss of offsite power transient initiated sequences comprised 85% of overall core melt frequency, other transients 14% and LOCA initiated sequences comprised only 1%. Of the 11 sequences designated as dominant in the study, 8 contributed 5% or more to core melt frequency a~nd an addition 3, just under the 5% cutoff, contributed to risk so that 10 sequences were analyzed in the importance calculations.
Seven sequences dominated core melt frequency with six of the seven i
initiated by loss of offsite power followed by failure to cool the core at, high pressures. The other dominant sequence was initiated by loss of the Power Conversion System followed by a failure to scram.
The system level importance results. are in agreement with the major .
engineering insights summarized in the PRA. The highest ranking event is obviously the loss of offsite powir initiating event followed by:
---ww-wrw,-w--, , ------g----i---y ,y www- y-
- rw-------a w--N w--e -'=-----+----w--- -w--
62 -
- failure to recover offsite power with one-half hour failure of emergency AC power systems operator failure to manually depressurize the Reactor Coolant System failure of a safety / relief valve to reclose failure of the Isolation Condenser.
With progressively smaller importance measures are:
failure of Feedwater Coolant Injection System (FWCI)
Service Water System faults failure of the Reactor Protection System.
Mi11 stone's high pressure emergency cooling systems are highly dependent on the gas turbine emergency power source which has a relatively low reliability.
Since the Automatic Pressure Relief system is such that i;_t is actuated only 1
l during a LOCA, for transient initiated events, the operator must manually depressurize the RCS upon failure of the high pressure cooling systems to allow the low pressure systems to operate.
It is noted in the PRA that the emergency procedure is poorly written and confuJing, thus a high failure probibility was assumed for this task. This deficiency in the procedures was subsequently. corrected.
Adding to the importance of emergency AC power is the dependency of the Low Pressure Coolant Injection System on both the diesel and g&s turbine trains o.
-s- -- ,_ -
-n., ,---e, , . - - - , - --,-,--,,,..--, ,- , - . - - , - - - - - - - , - - - - - . ,
/
of emergency AC power. Also, the Isolation Condenser Make Up System is failed upon loss of the gas turbine generator, which in turn fails the Isolation Condenser. .
At the basic event level, er.ergency AC power is dominated by failure of the diesel generator and by several circuit breaker failures which prevent the loading of emergency AC loads onto the gas turbine buses.
In addition to contributions from hardware failures, actuation circuitry failures and a small contribution from test and maintenance errors by which pressure sensors fail the FWCI, Service Water System faults fail cooling to the FWCI pumps.
Also, failure of the SWS heat exchangers fail cooling to the Diesel Generator.
Or,e of the contributors to the station blackout scenarios was a pair of single failures in the_ loss of normal power (LNP) logic which caused the LNP signal to fail to reset after tripping key breakers, preventing the emergency generators from picking up emergency equipment loads.
Subsequently, the licensee redesigned part of LNP logic to el.iminate the single failures.
In addition, the AC dependency of the IC makeup valve'was removed, thus removing this failure mode of the Isolation Condenser and the licensee instituted procedural and equipment provisions for the operator to take
,, een -e- =
- manual control of the IC return valve to allow for recovery of its CC power source, Battery A, fails.
With regard to risk, the ATWS sequence has the highest importance and only two of the six LOSP initiated sequences resulted in a core melt at high RCS pressure and are dominant to risk.
The Millstone PRA assigns a much higher probability of containment failure due to in vessel steam explosions at low pressures than at high pressures. Therefore, low pressure sequences tend to
[
dominate risk (which 1mplies that the operator successfully depressurized the RCS) and emergency AC power is important due to the dependency of the LPCI on the diesel and gas turbine trains. However, for low pressure l
1 sequences, recovery of offsite power must take place in a period of 20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br /> j
l rather than the short time frame for high pressure sequences (about to 2 l
hours).
e e
.. .o Big Rock Point STEAM PLANT GENERATOR MWe PRA VENDOR LOOPS CONTAINMENT RATING STUDY General 4 Pre-Mark -
75 Electric ~ Independent Consumers Power Company Sequence fault trees and cutsets were not published in the Big Rock Point (BRP) PRA. Cutsets were developed for this analysis from descriptions ~
of the dominant accident sequences and are of a very general nature. The cutsets are essentially at the event tree level (i.e., combinations of systems failures not refined further to the component level).
Five sequences dominate core melt frequency. These sequences are initiated by a steam line break, interfacing systems LOCA, fire, loss of offsite power and loss of instrumer; air.
The system level importance results are essentially the same as basic event importances. Only operator errors and fire events have more than one basic event.
t The most dominant basic event is failure of a safety / relief valve to reseat. This is followed by fire and operator error.
g * --*---myq. ---c -r -
- - - - - . , + - - - - - - - - - - -- - ---+wwwe-m -p-w.
, -ymm---w-y-
i Fire in the Cable Penetration Area (inside containment) which affects all safety system cables is the initiating event with the only subsequent failure of fire being suppressed manually..
The dominant operator error is the failure to send someone into the containment to open a valve which is part of the fire protection system but
- is being used to supply makeup water to the emergency condenser. If someone is sent in, there is still a probability of the valve not opening, reflected by the importance value of this valve whica enables successful operation of the emergency condenser. The other operator error is failure of the operator to switch the demineralized water pump over to emergency AC power
- after loss of offsite power or loss of instrument air.
The remaining events of significance are not discussed or quantified in the i
PRA, however, some are listed below:
l Interfacing System LOCA due to failure of a single valve isolation line in recirculation and shutdown cooling system Failure of operator to manuall; close main steam isolation valve -
Loss of and failure to restore instrument air
, Failure of Post Incident System in the event of an Interfacing Systems LOCA below the core due to valves being in the wrong position.
l l
l
=w-ww-w- v w ,pw -
- ~
With regard to risk, most events are less important to risk than core melt due'to the large fraction of release category probabilities in low risk release categories. Only the fire events have a high probability for release' in category 3. (Release categories were redefined in the BRP study due to the uniqueness of the plant in consideration of its size and location.) There is essentially negligible risk associated with the BRP sequences.
As a result of the PRA, the licensee did, however, make modifications to reduce the probability of core melt and plant damage:
(1) Remotely operated fire water supply valve to the emergency condenser, (2) Post-Incident System modifications such that the eight manual valves-can only be locked in the correct position, (3) Early Enclosure Spray - elimination of a 15 minute delay so that enclosure spray can automatically actuate during a safety valve opening event or steam line break in containment to avoid degredation of essential equipment due to excessive temperature, (4) Procedure changes to permit High Pressure Recycle using the main feedwater system which will lessen the dependence on the ROS, and (5) Additional isolation valves on the Primary Coolant System.
m
--w e - __*----
Zion 1 and 2 STEAM PLANT GENERATOR MWe PRA VENDOR LOOPS CONTAINMENT RATING STUDY Westinghouse 4 Dry 1100 Independent for Commonwealth Edison by Pickard Lowe
& Garrick, Inc.
Sequence fault trees or cutsets were not published in the Zion PRA so that the information used for this importance ranking task was . derived from sequence definitions and system descriptions. There were a large number of
- dominant sequences for Zion with frequencies very close together and with
! the exception of one sequence', these frequencies are all below 10 5 Since only 4 sequences contributed 5% or more to core melt, this cut-off l
probability excluded many sequences from the importance analysis so the l cumulative effect of many lower frequency sequences is not reflected in this analysis. One other point of difference in this PRA is the study's contention that the containment will not fail following every core melt.
Therefore, these four sequences dominate. core melt frequency for this analysis, but only 1 of the 4 dominates core melt with ' release or risk.
Three sequences are LOCA initiated (small, medium and large) followed by failure of recirculation cooling. The fourth is initiated by a seismic
- event which indicues loss of all AC power. Only this sequence results in containment failure and a release. .
With respect to core melt, system level results are dominated by operator error, the small LOCA initiator, Residual Heat Removal System and the seismic event. With progressively smaller importance measures are the medium and large LOCA initiators, combinations of haroware failures and trains or. pumps out for maintenance for the Charging Pumps and Safety Injection Pumps and Containment Sump blockage.
i The two dominant human errors are failure of the operator to manually switch over to recirculation at the proper time or to stop the Refueling Water Storage Tank (RWST) Pump at' Low-Low level given a medium or large LOCA. The short time frame for the medium and large LOCA creates a more stressful environment for the operator, thus having a higher failure probability.
However, the frequencies of medium and large LOCAs are one and two orders of magnitude smaller, respectively, than that for small LOCAs.
The dominant failure modes of the RHRS are somewhat vaguely defined in the l
Zion study, but basically involve combinations of RHR Pump under maintenance with hardware failures of both trains of RHR so that pumps or motor-operated
, valves fail on demand.
l l
l l
i l
l - . .
e' The seismic event dominates core melt and risk and contains only two elements, the seismic event initiator and' loss of all AC power. However, looking at the seismic core melt fault tree branch expansion, a Reactor Coolant Pump Seal failure will follow due to loss of service water components through failure of the pumps (directly or " indirectly" by collapse,of Crib house pump enclosure roof or unavailability of the water supply from the seismic event). Similarly for diesel generator failure, the failures can be direct, loss of DC start power or " indirectly" by Auxiliary Building concrete Shear Wall failure. Direct failures and Auxiliary Building Shear Wall failures contribute to failure of onsite AC power cables.
It should be noted that the single failure of the Auxiliary Building Concrete Shear Wall fails both onsite AC power cables and offsite AC power cables.
RCP seal failures were not included in the small LOCA data base i
though it was a contention of the study that the high frequency assured for small LOCA initiators (3.5 x 10 2/ reactor year) implicitly accounted for this concern.
Event V, the 'nterfacing systems LOCA was recognized as a contributor to risk due to the potential of a large release outside of containment. The licensee did institute strategic check valve testing during the course of the study, i
M#
e, be c
71 -
Indian Point 2 i
STEAM PLANT GENERATOR MWe PRA VENDOR LOOPS CONTAINMENT RATING STUDY
+
Westinghouse 4 Dry 873 Independent for Power Authority of New York and Consolidated Edison by PL&G, Inc.
Sequence fault trees and cutsets were not published in the Indian Point (IP2) PRA. Basic events were developed from sequence definitions and system descriptions. .
Core Melt with Release is dominated by external events. The sequences are a seismic event resulting in loss of AC power, fire in the electrical tunnel or switchgear room, and loss of all AC power due to hurricane winds. The fire and seismic initiated events are of approximately equal importance.
l
-l Since the values of basic events in tnese sequences were not included in the PRA, they were modelled as one event sequence for this analysis. However, some' subsequent failures and failure modes were discussed. ~
b 9
,n.- -
, , , - - - - - - - - - -r,--w,,~~ , - - - -
-wmv--r---r-- v- wwew - - - - ~- - , - - - - - m- ~ - - - - - - ' ' ' - ~ - - - - ~ ^ - ' ' ' ' -
~
,, *[ .
The primary hazards in the seismic and hurricane events are loss of offsite power due to the intensity of the event and loss of control and/or auxiliary AC power. Loss of control power may occur due to the failure of panels in the ceiling of the control room during a seismic event which incapacitates the operators or the control room itself. Loss of onsite AC power can result from severe winds stripping away sheet metal building cover thus exposing the diesel generators.
It was recognized that a fire in any of three locations (the Auxiliary Building end of the electrical tunnel, the Control Building and of the tunnel, or the i
switchgear room) not only fails control power, but could also fail power to the Charging Pumps, Containment Spray Pumps, Auxiliary Feedwater System, Safety Injection Pumps and Component Cooling Water pumps. It was recognized that a fire of this kind results in a small LOCA due to reactor coolant pump seal failures and subsequent core melt due to the loss of high pressure safety injection.
The same sequences along with another fire initiated sequence and loss of
~
offsite power initiated sequence dominate core melt frequency:
Fire in the e'lectrical tunnel right stack which would result in core I
melt due to RCP seal failure LOCA, determined in the study to result in i
no release to the environment due to the availability of containment
, cooling, and l
l
--, --.~e e-- , - - - - . - - , . . . _ . - - . , . - - , . - - - - - - . - _ , . - - , , - , _ , , - , _ , . . , , - . . - - -
. u - - - - - . - - --- - -
/ .
P' i -
73 -
Loss of offsite power and failure of emergency AC power. However, a gas turbine generator is available and can be started within is hour thus providing power to containment coolin'g systems. The study concluded that core melt would occur but with no release to the environment.
Containment integrity was enhanced by features such as the large volume, high failure pressure, and the makeup of the containment material (basaltic concrete basemat which releases less gas upon contact with molten fuel than the more common limestone concrete and thus leads to lower post-melt-down containment pressure.)
l t
__ ,es M $
- , ---- - - - _ _ ----y, - . _ , , . , _ wm.---, , - -,. - - .
s . 7*
- Indian Point 3 STEAM '
PLANT GENERATOR MWe PRA VENDOR LOOPS CONTAINMENT RATING STUDY 3 Westinghouse 4 Dry 965 Independent for Power l
i Authority of New York and Consolidated Edison by PL&G, Inc.
Only one sequence was determined to be important to core melt with release.
i Similar to the fire sequence for Indian Point 2, this sequence is initiated by a fire in either the switchgear room or the cable spreading room. These initiators can result in a failure of power to the Charging Pumps, the Containment Spray Pumps, the Component Cooling Pumps and the Safety Injection Pumps. A small LOCA in the reactor coolant pump seals would result and t7e loss of the containment sprays and fanc would result in containment failure. This sequence dominates risk with a probability of 1 in PWR release category 2.
Three additional sequences contributed over 5% to core melt frequency but were detenined to result in no release to the environment. These sequences are initiated by LOCAs (small, medium and large) followed by failure of i
l 1
_ _ _ . . _ _ , ~ - _ , , _ _ . . . - . _ _ _ _ . _ -
recirculation core cooling, either in the low pressure or high pressure mode. The Recirculation System is described as one system in the IP3 study, so no division of basic events in Low Pressure or High Pressure systems was made. The small LOCA is ranked first of the basic events. The Recirculation System failure is dominated by a term defined as failure of all three Safety Injection pumps followed by a term which was a factor calculated to account for undetermined unavailability of all SI pumps and motor-operated valves due to errors in design, installation, or manufacturing. These are followed by terms with much smaller importance measures most involving hardware failure of recirculation pumps and operator error in switching or failure to switch to the Residual Heat Removal pumps.
Fire in the switchgear room or tunnel entrance of the cable room is followed by operator error. The operator error term is dominated by failure to initiate switchover to recirculation modo following a LOCA.
Interfacing Systems LOCA in the RHR suction line was identified as important to risk.
~
l f =. .
l
Limerick STEAM PLANT GENERATOR MWe PRA VENDOR LOOPS CONTAINMENT RATING STUDY General Mark II 1055 Independent by GE and SAI, Inc.
for Philadelphia Electric Company This analysis was based on an early version of the Limerick PRA study. "
Limitations in the content and format of this study resulted in the derived cutsets and events being of a very general nature with a virtual one to one i
correlation between event tree terms, system terms and basic events. There was no sequence by sequence description and the quantification of the events on the event tree was not shown. In addition, the frequency of each accident sequence was divided among several containment failure modes specific to the Limerick study. There was an attempt, though, of correlating these categories to WASH-1400 BWR release categories.
Three sequences contributed 5% or more to overall core melt frequency. With respect to core melt and risk, they are ranked in the same order as are the system level terms. All three are transient initiated sequences. The first is a loss of offsit< power transient, the second a transient involving main steam isolation valve closure and the third is a turbine trip. __ Loss of l
l
,, ,+-,.--_m, _,--_,m,-,,,,__,,,,____,y, ,,,.,_,.,m,- , _ _ ,4y_ _,,p , - ., _,,, . . , , . , - , _,,g__,,,,,,, , ,,,- .,-,,, _
offsite power is followed by failure of High and Low Pressure Injection Systems.
MSIV closure is followed by loss of the Feedwater System or the Condenser and failure of HPIS and the Automatic Depressurization System.
The turbine trip is followed by failure of the FWS, the HPIS and the ADS.
Failure of HPIS is ranked first, defined only by failure of the High Pressure Coolant Injection System or failure of the Reactor Core Isolation Cooling System.
These are followed by the loss of offsite power transient, Low Pressure Emergency Core Cooling System availability, Feedwater recovery, timely actuation of the ADS, MSIV closure and subsequent feedwater loss, and the turbine trip. All of the systems (and basic events) identified have significant contributions to core melt. However, no further system or event importance insights could be derived and no quantification or description of system failures were give1.
However, during the course of the Limerick PRA, a number of design and procedural weaknesses were identified and the applicant has taken steps to imple' ment the following:
Alternate 3A ATWS Fixes (includes alternate rod insertion, recirculation pump trip, feedwater runback, scram volume instrumentation, MSIV isolation setpoint change and automatic Standby Liquid Control System along with the installation of a 3d SLC pump),
m -
78 - -
Modifications to the ADS air supply system (added redundant solenoids),
Modifications to RHR System (added crossover valves for the Service Water System, and Procedural changes to achieve an alternate metnod of room cooling for the HPCI and RCIC pump rooms.
9 9
0 8
9
. *- uim +
- Appendix B Discussions of Selected Topics - Insights Gained From PRA Results B.1 Human Error .
An area which is sersitive to the structure of the analysis, to both the assumptions of the study and the bias of the analyst, is human error.
It has been playing an increasingly large role in risk assessment, -
especially in the years following the accident at Three Mile Island 2.
It has been necessary at the same time to focus research on the
, techniques of quantification of human error probabilities. The work done for NRC by Sandia Laboratories (Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Applications, by A. D. Swain and H. E. Guttman (NUREG/CR-1278) provides a much needed methodology for quantifying human error. However, there is still a great deal of subjectivity in the inclusion of the human in a system model and the calculated probability of error and research is continuing with the purpose of improving the methodology of calculating human error
- contribution to accident sequences. For example, the treatment of human -
error in the-Crystal River 3 Safety Study results in operator error being the dominant failure mode of the safety injection systems. A relatively high probability of error is attached to the performance of actions under
., r .
accident conditions. Specifically, the operator is subject to any of several errors in the manual switchover from the injection phase to the recirculation phase and during the phases themselves:
Premature Switchover - the operator reconfigures for recirculation too soon causing pump cavitation due to insufficient net positive suction head. -
After terminating injection pumps, the operator fails to manually -
reinitiate injection when required.
The operator incorrectly reconfigures the system for recirculation. (See discussion of Crystal River-3 Importance Ranking)
Since these particular operator errors appear in many PRAs of plants with manual switchover, improved training and procedures, which were l
instituted for CR-3 operators, and automatic switchover from injection to recirculation are being considered in Generic Issue 24 - Automatic Emergency Core Cooling System Switch to Recirculation.
However, the rise to dominance of sequences involving the failure of l emergency core cooling systems due to operator error is not the only i
, impact of the estimated high probability of human error. As implied by I
I L
.. 6 their designation, " dominant" accident sequences are those with probabilities of occurrence which are above those of other sequences.
i Sometimes the difference is great and the cut-off probability value is clear. In other cases, the dominant sequences cumulatively dominate the total probability of core melt, but the difference between particular " dominant" sequences and other sequences can be small. In this case, the ECCS failure sequences are, for the most part, driven to dominance by the operator error contribution. It is therefore important to realize that the appearance of other sequences as dominant '
may be suppressed largely because of the assumption and calculation of the probability of human error. Investigation through sensitivity and uncertainty analyses may be particularly important in cases such as this.
I i
For the reference PWR in WASH-1400, Surry, and a few others, the human ,
error contributions were principally in the areas of test and maintenance activities and common cause failures. The test and maintenance contributions included actual downtime and components left in the incorrect position following test or maintenance. The common cause failures were often associated with incorrect calibrations performed on'similar components. These contributions highlight
- the need for explicit procedures and independent checks. The common mode
__ contribution from operator error in the control room was also included tut with a lower estimated probability. There has since been work to I . .
. _ . _ _ _ . _ . . ~ . _ _ _ _ _ _ _ . _ _ . . , _ _ . _ _ _ . _ _ . _ _ , _ _ . ._ . . _ _ , _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - . . _ _ _ _ _ _ . . - - _ _ _ _ _ _ _ . _ . _ .
. o - -
.. j *
. support an increase in the probability of human error in the control room when taking into account the quality of emergency procedures and the stressful environment of accident conditions. Emergency Procedure Guidelines (EPGs) should be of substantial value in this area.
As a result of the Sequoyah risk assessment performed as part of RSSMAP, a vulnerability which can be induced by human error and particular to the design (ice condenser containment) was identified.
It is a common mode failure which results in the failure of the EmergencyCoreCoolingRecirculationSystem(ECCS)andtheCor.;ainment Spray Recirculation System (CSS). Between the upper and lower containment compartments are two drains which are closed during refueling.
If these drains are inadvertently left closed or become clogged, water that has been sprayed into the upper compartment will be prevented from returning to the sump. Eventually all the water would be transferred to the upper compartment thus emptying the sump. In the recirculation phase both the ECCS and the CSS take suction from the sump and would, therefore, be failed when the switchover occurs. This failure mode results in dominant accident sequences accounting for 70% of the total probability of release in category 2 and 10% of the category 3
- probability o.f release. These sequences point out the need for stringent checking procedures and fault detection capabilities. The need for strategic testing procedures is indicated by the fact that the Interfacing Systems LOCA (check valve failures causing the high
- - - - - - - - - - , , ,,__.3,..---__-.- ___ ..___,,_y. , , . , - _ - _ , - - , _ _ , _ , , _ _ _ _ ,_-.,, _ ,,-.-__-.--- ,_, .
.. y.
. o.
83 -
pressure primary coolant to fail the low pressure piping outside containment) remains an important sequence for Sequoyah as well as other plants. The emphasis given failure modes resulting from test and maintenance actions and procedures is evident in the number of sequencesandreipasacategoriesdominatedbythesefailuremodes.
The ability of the operator to recover and correct events leading to an accident sequence is another controversial and evolving part of the analysis of the role of the human in accident sequences. These activities range from the operator establishing the feed-and-bleed mode of high pressure injection to the operator manually opening valves or, upon observation of parameters displayed in the control room, manually actuating a system or component that was supposed to have received a signal for automatic actuation. This is illustrated in the ANO-1 IREP study where the probability of the operator establishing feed-and-bleed within 20 minutes (for a Babcock and Wilcox plant) of the transient initiating event and failure of Emergency Feedwater System was optimistic in light of other human error probability (HEP) analyses for this action. The overall core melt probability was found to be
~
sensitive to the values assumed for this and other HEPs and others which implies the possibility of certain sequences and overall core melt frequency being greater due to the uncertainty in assessing operator error probabilities.
Improving the reliability of the EFW system, automating the high pressure recirculation system, or improving operator i
,. e m +
- Fr T mz- -"'----- 24--"T* - - " -
wy6rwN' ' ' '*"*--"""'--' ' ' =se= em- '"-- - ' " *--- - ' ' ' ' ' --- Iwn wav-""'-*k ---'-'--"'-"'mv-*------' '"- " ' '- " - T"-----
p.
84 - -
training are potential ways of minimizing the HEPs in dominant accident sequences and thus reduce overall core melt frequency.
The treatment of human error was a point of discussion in the WASH-1400 and other.PRA critiques and, as has been mentioned, techniques to quantify human error probability are still being refined. However, the assessments of human error contribution in these studies do point out the effect of assumptions and perceptions on the failure modes which dominate accident sequences.
O .
I i
4 e
., p.
B.2 Support Systems An area that is investigated as part of determining failure modes for ,
hardware components is that of dependency, especially undesirable depen <ancy of redundant components on a common support system. A prime example is the dependency identified in the Crystal River 3 Safety Study of the AC power dependency of the two emergency feedwater pumps via their cooling medium, the Nuclear Services Closed Cycle Cooling System. Once recognized, Florida Power Corporation proposed self-cooling designs for ,
each pump to eliminate this dependency. This AC dependency through various support systems was found in other plants as well. The discovery of specific, not readily apparent hardware faults (system failures induced by support system faults, for example) through rigorous risk assessment techniques (fault trees, FMEAs, etc.) is one of the primary objectives of a risk assessment. Obviously, there is a trade-off between resources and time and the rigor of the risk assessment methodology which must enter into the selection of the type of risk assessment to be performed, in general. This issue is addressed in Insights Into PRA Methodologies,Section III.
j It has been found that another support electric power system, normal and emergency DC power, has the potential of significantly contributing to accident sequences leading to core melt.
- -- - - - , - ,,e ,----.--n-,. - - . . - - - - , - - - , , - - - - - - - , - - - ,w-- --- -,-----,n-,-- ,-,a e- e , --_- - , - - - - - - - - - - - - , - - - - -
.. 5 In assessing the contribution of DC Power System failures to the core melt frequency or potential risk of nuclear power plants, several elements must be considered. Considering the DC power system alone, it is clear that the system function is of high importance. Since most plants rely heavily on DC power for plant instrumentation and control, during normal operation, a failure in the DC power system would create an unstable condition, thus potentially becoming an accident initiating event. In accident conditions initiated by another event, subsequent DC power failures can affect the progression, timing, and severity of an accident.
The treatment of DC power systems in PRAs have varied widely from i
very poor and cursory to much more detailed and thorough. Thus, i
the validity of conclusions drawn from the presentation of only numerical results would be highly questionable. Specific examples of DC power system treatment in some PRAs may provide a context for any numerical importance results and to illustrate the effects that assumptions, methodology and review may have on the depiction of the DC power system importance.
"For example, the original Zion Safety Study analyzed the DC power system which has two divisions per unit in addition to a fifth diesel generator, battery, and emergency DC bus which are shared by the two units. A loss of DC bus initiated sequence was modelled and quantified in the PRA. It was not found to be a
)*
significant contributor (thus the cutsets of this sequence would not be considered " dominant" cutsets). Upon review, a DC dependency of the PORVs was identified which would then constitute part of sequence which contributed ~14% to the estimated overall core melt frequency.. Upon further review'and analysis, it was found that appropriate operator recovery actions could reduce this contribution to about 2%. It should be noted that the Zion Safety Study DC power system modelling did not contain consideration of failures due to common cause or human error. Therefore, while the examination of PRA results in this report does provide us with insights, it is possible that many PRAs have understated the relative importance of DC power. Because of the intrinsic importance of electrical power to plant safety functions, these uncertainties should be considered in evaluating results.
Keeping this in mind, it may still prove helpful to examine the results of importance ranking and failure modes of the DC power system as presented in the PRAs analyzed. Of the 15 PRAs, only a few plants contained DC power in the importance rankings. At this
' point, it does not appear that the absence of DC power in the rankings I
indicates negligible importance of DC power systems but rather indicates i
thatcloserattentionshouldbegiventomodellingofdCpowerandthe effects of DC Power System faults.
,i a
9 k
.--e- .
.. c.
The ANO-1 study, in our judgement, contains a more thorough and careful analysis of DC power than previous risk assessments. The system consists of two divisions with two normal battery chargers (one standby) and no ability to cross-tie DC buses.* For ANO-1, the rank of the importance measure of the DC power system reflects the high contribution of cutsets containing DC power failures. The DC failure elements of the dominant cutsets were combinations of local faults of DC buses and batteries, but were dominated by a common mode failure of both station batteries. However in the ANO-1 report, failure of a single DC bus treated as an accident initiator, was identified as important since this can cause a reactor trip initiating event with concomitant failure of several safety system trains.
Results in NUREG-0666, "A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants" indicated that one of the potential causes for failure of multiple station batteries was a common mode test and maintenance error. This possibility was found to exist at Cross-tied DC buses which allow transferring of bus faults was a common mode failure discussed in NUREG-0666. The reduced ability to cross-tie buses is also true for Zion where interlocks minimize the likelihood of this occurrence.
l l
l -
.e V*
., the ANO-1 plant and as a result of the ANO-1 IREP study, quarterly tests of the two station batteries are now required to be performed on a staggered basis, i.e., one battery every six weeks. (See ANO-1 Importance Ranking) Previously, the procedure allowed both batteries, tobetestedontgesamedaybythesamepersonnel.. In addition AC and DC switchgear room cooler actuation circuitry are new required to undergo a complete test. The previous test procedure omitted a portion of the circuitry. Another potential problem was identified concerning the actual energy capacity of the station batteries. Normally, the DC -
system is powered from the AC system through the battery chargers.
Unless the AC supply is interrupted, the capcity of the batteries is ambiguous. Although the battery output voltage is monitored,
'it is not clear whether this reflects the discharge voltage of the battery itsel or that which the charger is supplying. This monitoring may not adequately characterize battery status.
The Crystal River-3 (CR-3) Safety Study analysis considered DC power only in the context of a failure event subsequent to loss of AC power (offsite). The DC power system is a two train system with two normal battery chargers (one standby). Though many areas of potential degradation or failure were noted, they were not I
l modelled and quantified due to the assumption that an operating l system is constantly monitored and failures would be detected 1 .
. , _ . _ _ _ _ _ _ - _ , _ _ _ _ _ _ _ - _ . _ _ , . _ _. _ . . . . _ . _ - - _ _ _ _ _ . - - - - . _ _ . ~ , . _ .
.e O*
quickly. Potential degradation or failure could occur in various ways: .
Work on a charger requires that it be disconnected from the DC bus. Maintenance personnel may leave the switch, which disconnects charger from the bus, in the "off" position.
However, wh.en maintenance is being performed on a charger, the spare charger is switched on line. After work is completed, the original charger might not be placed back on line even though the spare charger has been disconnected.
This condition can be discovered during daily check of charging voltage. During the time a battery is not on float charge, loads will be supplied by the battery itself causing degradaticn in battery capability.
t Batteries are housed in rooms requiring ventilation. Loss of ventilation can cause batteries to fail or degrade and i
possibly a significant (explosive) mixture of hydrogen can i
develop if charging continues after loss of ventilation.
l t
During. equalizing charge, excess voltage may be applied and possibly severely damage the battery.
During tests for grounds, all or part of the battery may be taken off line (momentarily).
l l
l
.. p, ,
Cells may be jumpered for test or maintenance and jumpers may not be removed which could degrade battery capability.
These and.any other common mode or human error failures were not explicitly modelled in the DC power system analysis nor was the ability to cross-tie buses addressed.
Realizing that the role of DC Power may have been understated in the modelling, the importance measure for DC power at CR-3 was -
ranked fifth of six events. This is due entirely to the identification of a DC power dependency involved in a dominant sequence which contributed ~15% to the estimated core melt' frequency. The sequence is initiated by a loss of offsite power (with no recovery odelled). In the sequence cutset, the CR-3 l DC power system is completely characterized by battery B. Failure of battery B fails both the B diesel generator (the breaker 7 t
connecting the bus fails to close) and the turbinc driven emergency feedwater pump. With simultaneous failure of diesel A, emergency cooling is dependent on the availability of emergency AC power from the Crystal River Fossil Units 1 and 2 at the site. -
For this loss of offsite power case, the unavailability of the batteries dominates the unavailability of each DC-train. Though discharge (by contact making ammeters) and charging current are checked each shift, voltage, specific gravity and electrolyte level m - -
.. 6..
of each battery cell are measure once each quarter. Pilot cells are checked weekly.
The Millstone 1 DC power system is composed of two systems, the 125 volt DC station battery system and the 124 volt DC system.
The normal source of 124 volt DC power when AC is available is through the battery chargers, one of which is connected to each of four batteries. There are no ties or cross connections.
Considering the AC and DC power systems as being dependent on each -
other, the three battery chargers and their associated AC feeds were deliberately left out of the DC power fault tree. DC power was ranked last out of the 12 front line and support systems with regard to importance to core me,1t frequency. Though it was determined in the Millstone study that loss of a DC bus would not cause a reactor trip, thus not contribute to accident initiation, an important DC dependency was identified. The dependency of the Isolation Condenser (IC) on a single DC power source contributec to certain station blackout scenarios. The reason for this is that the IC return valve gets its power from DC battery A, as do
,all the breakers on the diesel generator emergency power train.
Thus, failure of battery A fails both the IC and the diesel train. This combined with the gas turbine train failure, disables all AC power in the plant plus the DC powered IC. (This fault was rectified by the utility, See Millstone 1 Importance Ranking).
i
, , . _ - - - -, - . - - - . ,-.m- - - - - . - . - - - . - , - , -
.. a. .
In the case of the Limerick PRA, the DC power system was not identified as a significant contributor to core melt frequency nor did it,show up in the importance measure ranking. In this case, the lack of dominant cutsets containing DC power failures may not '
be due to poor modelling but rather due to the design of the DC power system at Limerick. Limerick has a highly redundant system with four divisions, four diesels, and four batteries per plant.
In addition, the probability of recovery of AC power at various times during the sequence was modelled. .
In our judgement, the review of results of PRAs indicate the potential for DC power system failures having high importance and significantly contributing to accident scenarios ieading to core melt on a plant specific basis. Much more attention should be given to the modelling of DC power systems in PRAs and the effects of the modelling should be carefully reviewed and analyzed. This is especially true in looking for DC power failures as initiating events, DC dependencies of front line mitigating systems or components, test and maintenance practices, human errors and toanon mode failures as well as design or hardware faults. -
The focus on support system dependencies has widened greatly due to the increasing awareness of the importance and effects of support system faults and failures on normally operating and emergency systems.
.. o5 94 - -
Additional areas are receiving a greater degree of investigation such as Heating and Ventilation Systems and cooling / Service Water Systems.
l Heating and ventilation can be vital to sustain an environment in which l
1 components are operable, especially in consideration of the mission time for various accident scenarios. FailureofCoolingWatdrand l
l Service Water Systems can themselves be accident initiating events while simultaneously failing mitigative systems. For example, failure of component Cooling Water not only contributes to failure modes of ECCS pumps but may also induce a Reactor Coolant Pump Seal LOCA (see -
section B.3, Initiating Events, for discussion regarding RCP seal failure LOCAs). This is in addition to the significant role cooling'/
service water systems play in accident scenarios resulting from other initiating events (transients and LOCAs). This is illustrated by the contribution to failure of decay heat removal from failures in the Residual Heat Removal Service Water System in the Browns Ferry results, as well as for other plants, and other events such as failure of diesel generator cooling, pump cooling, and room cooling. The importance of cooling water systems is discussed further in the following section, B.3, on initiating events.
,,_,___-,----w
r . .
, , , P*
95 -
B.3 Initiating Events As mentioned in the previous section, there has been an increasing awareness of the failure of support systems having the potential to initiate an accident sequence.
As seen in the results of the ANO-1 IREP analysis, four dominant sequences, with respect to both core melt and risk, are transients initiated by an Engineered Safeguards DC buses. This is an example of the initiating event of a sequence contributing to the failure of mitigating systems for that sequence. The list of mitigating events -
considered in PRA has expanded to those which, alone or in combination with other system failures, disable systems needed to mitigate the accident sequence events.
Another area which has come into recognition as an important contributor and initiator of accident sequences is that of Reactor Coolant Pump Seal failures. Seal failures can occur as a result of failures in support systems (i.e., Component Cooling, Seal Injection Pumps) and can also be l the primary initiating event. Seal, failure has resulted in a loss of primary coolant to the containment at flow rates greater than normal
-sakeup capacity of the plant, thus, constituting a small LOCA. With small LOCAs often being a major contributor to core melt frequency, the added consideration of seal failures may well add to sequence and overall core melt frequency. In the ANO-1 results, an RCP seal LOCA initiated sequence was ranked second with regard to core melt
- , . ,--- , , - - -g
-. . v'o i O l c>
l . ,
frequency. A point of discussion in the ANO-1 Insights review is the absence in the small LOCA data base of several seal failures experienced at ANO-1. It follows that loss of component cooling, as me.ntion in section B, Support Systems, can also be considered an initiating event. In the Zion and Indian Point PRAs and reviews, loss of CCWS 'causes small LOCA and disables injection. The information gleaned from these PRAs resulted in the identification of this issue as a Generic Issue 23 with a safety priority ranking of "high." I RCP I
seal failures are also receiving more attention in Station Blackout '
(Loss of normal AC and emergency AC power) sequences since the loss of seal injection due to loss of component cooling could result in a !
small LOCA with no AC powered containment cooling systems available.
In some plants, such as Zion, loss of service water is also a focus of support system failure initiating event since service water provides cooling for both the component cooling water and the diesel generators.
With concomitant loss of offsite power, it again becomes a case of a small LOCA (RCP seal failures) with no AC powered ECCS or containment cooling systems.
i These are a few examples of increased awareness of potential
, ' accident initiators which may degrade mitigating systems gleaned l from information derived from system analyses and fault trees performed during tha course of PRAs.
- , is v
9 B.4 External Events
~
One of the most obvious changes in PRAs is the increased and detailed attention given to accident sequences intiated by external events (earthquake, fire, flood (internal as well as external I flooding are considered in external events), tornadoes, etc.).
Many of the early PRA programs concentrated exclusively on internal initiators, primarily LOCAs and transients. The most recent industry sponsored PRAs have included external events analyses,.though the greatest uncertainty is associated with these analyses. We are i
_ still on the learning curve of quantifying the frequency and I consequences of these events, though some have been foci of much
., work to date, as in the case of fire for example. Fire was found to be a dominant contributor to core melt and risk in the Indian Point PRA, emphasizing the importance of fire protection and separation of redundant systems and components such as electrical cables.
Seismic initiated sequences are important in both Zion and Indian Point FRAs, inducing loss of AC power for Zion. The primary hazards identified in the seisitic and hurricane events for Indian Point 2 loss of offsite power due to the intensity of the event and loss of control power or emergency AC power., Loss of control power may occur due to the failure of panels in the ceiling of the control room during
____a seismic event which incapacitates the operators or the control room itself.
Loss of onsite AC power can result from severe winds stripping away sheet metal building cover thus exposing the diesel generators. .
~
I i