ML25175A068
| Person / Time | |
|---|---|
| Issue date: | 02/20/1980 |
| From: | Plesset M Advisory Committee on Reactor Safeguards |
| To: | Udall M US HR, Comm on Interior & Insular Affairs |
UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, D. C. 20555

February 20, 1980

The Honorable Morris K. Udall, Chairman
Committee on Interior and Insular Affairs
House of Representatives
Washington, D. C. 20515
Dear Congressman Udall:
In a letter dated July 27, 1979, you expressed the hope that the study of Licensee Event Reports by the Advisory Committee on Reactor Safeguards would address the consistency of actual component failure experience (e.g. valve failure rates) with that projected in WASH-1400.
You also asked the ACRS to determine the probabilities of occurrence that, prior to the events, would have been predicted for the sequences of events that occurred at Davis-Besse on September 24, 1977 and at Rancho Seco on March 20, 1978 on the basis of WASH-1400 failure rates and methodology.
In a letter dated August 15, 1979, the ACRS advised you that it would undertake to provide a detailed response to your requests and that it hoped to be able to complete this effort in approximately six months.
Of course, the calculation of the probability of an event sequence, in retrospect, is ill-defined, since it depends entirely upon the ensemble of event sequences in which the one under discussion is embedded. This letter includes what are thought to be reasonable judgments on this point, and the results depend upon these judgments.
With the aid of the NRC Staff, the ACRS invited a large number of institutions in the U.S. and abroad, including the Electric Power Research Institute and the U.S. reactor vendors, to provide data and analyses responsive to your request.
Several groups, including the NRC Staff itself, have submitted component failure rate data developed since the compilation was made for the Reactor Safety Study, WASH-1400.
The NRC Staff have summarized the new data in Table 1, which also provides the failure rates used in WASH-1400 for the same components and systems.
Some of the information in Table 1 is plotted in Figure 1 and illustrates graphically the considerable spread in data obtained and the relative position of WASH-1400.
Also of some interest is the considerable variation observed from plant to plant which is illustrated in Figure 2. Only plants which reported any failures are shown in Figure 2; hence, some plants had much higher failure rates than WASH-1400 on certain components while other plants had no failures during the reporting period studied.
Although to some degree the observed variation may reflect actual differences from plant to plant, a certain portion of the variation may be due to differences in the reporting requirements specified in the individual plant Technical Specifications and to differences in the responses of reporting personnel.
Turbine-driven pumps generally exhibit a higher failure rate (a factor of 10 to 100) than used in WASH-1400.
The NRC Staff is now giving extra attention to this specific item. Furthermore, a large variation in diesel reliability was observed among the various plants.
The NRC Staff believe that the uncertainties in failure rate data are larger than were projected in WASH-1400, and that the general trend is toward somewhat higher failure rates.
Their preliminary assessment is that this might produce an increase in their best estimate of core melt probability by about a factor of three.
None of the groups who were invited have provided probabilistic analyses, using WASH-1400 failure rates and methodology, of the Rancho Seco and Davis-Besse transients of March 20, 1978 and September 24, 1977 respectively.
The ACRS, therefore, asked three ACRS Fellows to devote effort commensurate with the time available to provide such analyses; the results of their study are included as Attachment A to this letter.
The ACRS believes that the results they obtained are reasonable.
It is clear that the manner of treatment of human error can have a very large effect on the results obtained.
Also, for the Rancho Seco transient, the numerical results are very sensitive to the context in which failure of control system power is calculated.
The ACRS Fellows also estimated a probability per reactor year of occurrence of the major sequences which were present in the Three Mile Island 2 accident of March 28, 1979. Of some interest in this regard is an observation by representatives of Electricite de France that by applying WASH-1400 methodology they would calculate an overall probability of the order of $3 \times 10^{-7}$ for TMI-2, but when the events were connected by strategic operator errors, they found a probability as high as $6 \times 10^{-3}$.
The ACRS anticipates that, had several institutions provided independent estimates of the probability of the two transients, a considerable variation in their answers would have been likely.
Although the NRC Staff did not analyze the probability of the Rancho Seco transient using WASH-1400 failure rate data and methodology, they did provide the ACRS with two related memoranda, which are enclosed as Attachments B and C for your possible interest.
The ACRS trusts that this letter is responsive to your request.
Sincerely,
Milton S. Plesset
Chairman

Attachments:
A. ACRS Fellows Report, *Analysis of Feedwater Transient Sequences in B&W Nuclear Steam Supply Systems,* February 7, 1980
B. Nuclear Regulatory Commission Staff Report, *Evaluation of Davis-Besse and Rancho Seco Feedwater Transients on 9/24/77 and 3/20/78 Using WASH-1400 Data*
C. Memorandum from F. Rowsome to R. Fraley, *ACRS Query on Material Relevant to Udall Letter: Davis-Besse and Rancho Seco Transients,* February 12, 1980
TABLE 1
SUMMARY OF CURRENT FAILURE RATE DATA SURVEY

Columns: (1) LER EVALUATION, (2) BIBLIS, (3) GENERAL ATOMIC PROGRAM, (4) NCSR, (5) NPRDS, (6) WASH-1400

COMPONENT: FAIL MODE
AUX FEED PUMPS: FAIL TO START; FAIL TO RUN
ECCS PUMPS: FAIL TO START; FAIL TO RUN; FAIL TO START & RUN
MANUAL VALVES: FAIL TO OPERATE; FAIL TO REMAIN OPEN (PLUG)
MOVs: FAIL TO OPEN; FAIL TO CLOSE; SPURIOUS OPERATION; ALL MODES
SOLENOID VALVES: FAIL TO OPEN; FAIL TO CLOSE; SPURIOUS OPERATION; FAIL TO OPERATE
AIR-FLUID VALVES: FAIL TO OPEN; FAIL TO CLOSE; SPURIOUS OPERATION; ALL MODES
VACUUM VALVES: FAIL TO OPEN
RELIEF VALVES: FAIL TO OPEN; FAIL TO CLOSE (a) LIGHT, (b) HEAVY; PREMATURE OPERATION
PILOT RELIEF VLVS: FAIL TO OPERATE; FAIL TO RESEAT
BELLOWS REL VLV: FAIL TO OPERATE
SAFETY VALVE: FAIL TO OPEN; FAIL TO CLOSE; SPURIOUS OPERATION
CHECK VALVES: REVERSE LEAKAGE; FAIL TO OPEN; FAIL TO CLOSE; SPURIOUS OPERATION; FAIL TO OPERATE
PIPES >3": RUPTURE; ALL MODES
PIPES <3": RUPTURE; ALL MODES
SCRAM RODS: FAIL TO SCRAM
ELECT. CLUTCH: FAIL TO OPERATE; PREMATURE DISENGAGEMENT
MECH. CLUTCH: FAIL TO OPERATE; PREMATURE DISENGAGEMENT
GASKETS: LEAKAGE
CONTROL ROD DRIVE: FUNCTION

IE-213)
IE-4(3/101 8, IE-3 IE-313/101 2,7£-3 2E-S 3,9E-5 IE-313)
C2,3-l2)E-i 3,SE-4 3E-:SC10)
IE-313) 6,3E-6 IE-4CJ) fIE-3131) 2E-3 IE-4 4,!IE-5 lE-3131 l+SE-4 SE-4 9E-6 IE-3131 ti, :sE-3 l,3E-2 2[-513) 3E-4C3) 2,2£-6 3E-5C3~
IE-4CIOIH C4-71E-3 l,4E-6 IE-513)
4,:SE-6 7E-6 2,IE-7 3E-6(3/IOI
3,2E-*5 I
1,6£-10/&
lE-lOU00/30)/S f 2,4E-9/&
l,SE-5 IE-10130>1!
I 1,6E-IO/S 3E-l0C 100/3C,~/-S _I 2,4£-9/&
7,7E-6 IE-9130)/8 1,9E-7 IE-413>
1,8E**5 3E-4C3)
IE-6110) 6£-6 3[-413) 4,2E**6 J,8E-6
Columns (7) (8) (9) (10): PICKARD, LOWE AND GARRICK; WESTINGHOUSE; VOLTA; BECHTEL
2.,0E-5 1,7E-5 1,2E-S IE-3 IE-313)
C6-200)E-6 3E-5C 10>
l,SE-511 IE-413)
{2,5E-6ft )
CI-SOIE-4 IE-3131 Cl-!l)E-3 1E-JCJ>
Cl-lOOIE-7 3,SE-6110>
SE-6 tlE-3131 IE-313>
3,SE-613) 3,SE-7 (2-6>E-6 ltC2-SOO>E-5 1,2E-5C2>
itC2-!IO>E-S 1,2E-5C2) 5,SE-612>
it7E-3 3£-5(3)
SE-6 SE-4 l,3E-3UO> 1,4£-6 l,OE-:ZCIO>
l,!IE-613) tl[-2 IE-513>
IE-413) 3,!IE-613>
2,9E-6Cl,2>
SE-3 IE-413) 61-7 11:-6 IE-5 IH,2£-5 IE-lOCJ0>/1 IE-10 lE-9130) 8E-7 IE-9 Cl-251E-6 IE-413>
Sheet 1 of 2
Columns: (1) LER EVALUATION, (2) BIBLIS, (3) GENERAL ATOMIC PROGRAM, (4) NCSR, (5) NPRDS, (6) WASH-1400, (7) (8) (9) (10) PICKARD, LOWE AND GARRICK; WESTINGHOUSE; VOLTA; BECHTEL
COMPONENT FAIL MODE
BATTERY ALL MODES 7E-6 3,5E-7 1,6E-6C9,8l NO OUTPUT 1,6E-BC9,8>
MTTERY IYSTEM FAILURE ON DEMMID 2E-6 FI\ILURE JE-6C:SI M.L MODEi 6E-6CJ/Jl/f 7E-6 I
I MTTERY CHNIOUI ALL IIODEI 2,2E-6 l,5E-:~~29,9~
DIESEL GENERATOR FIIIL TO ITMT 4,2E-J JE-2<21101 l+2,2E-2 JE-2 JE-2<Jl 3£-5
+c5-50>E-3 JE-2C3>
9,2E-3l*
FAIL TO RUN JE-4(31 JE-3( 101 J,JE-4 7E-4 lE-lClO>
1_,lE-5D OVERl'ILL FIIILURE 1,lE-J CIRCUIT IREAkERS fl\lL TO OPEN 5,BE-7 Cl-lOO>E-4 +2,JE-4<8,91 FIIIL TO CLOSE t.2E-6 5E-6 1,0E-6C 10>
SPURIOUS OPERATION lE-613>
1,2E-7 1E**6<ll 5E-6 4,lE-SClO>
FI\IL TO OPERl'ITE IE-JCJ>
2,lE-6 7,5E-7 lE-lCJ>
lE-6 4E-4C8,9l RELAY&
FIIIL TO OPERATE 9, lE-7 J,JE-7 2,7E-6
<2-5>E-6 3,5E-6C4)
FAIL TO ENERGIZE l,4E-7 IE-4Cl>
SPURIOUS OPERATION' CJ-IO>E-7 5,7E-8Cl5)
MAN, SWITCHEI FIIIL TO OPEN lIE-5(3) l 1,5E-8C71,1 Fl'IIL TO CLOS£ 5,0E-9167,1 SPURIOUS OPERI\TION 6,6E-8Cl,4>
FI\IL TO OPERI\Tt::
lE-7 TORQUE SWITCHES Fl'IIL TO OPERIITE IE-413>
PRESSURE SWITCH FAIL TO OPERIITE J,5E-5 IE-4131 2E-713,3>
PREMATURE OPERATION 9,4E-8C36,5 --
LIN IT SWITCHES FAIL TO OPEN 12,tE-611,9)
FI\IL TO CLOSE 6,2E-7Cl,9l SPURIOUS OPERI\TION 4,2E-6C 1,9)
FAILURE TO OPERI\TE 2,SE-6 JE-4(3) lt2£-5 LIQ, LEV, SENSOR FAIL TO OPERIITE 3,5E-5
<4E-6 C5-IO)E-6 4,4E-6C2, 7t PREMI\TURE OPERATION PRESS, SENIOR FAIL TO OPERATE 3,4E-5
<6E-7 C5-28>E-6 t,7E-7<5,7l OUT OF LIMITS IE-:S<IO>
TEMP, SENSOR f l'IILURE 7,5E-5
<5-IO>E-6 l,5E-6C5,ll OUT Of LIMITS 3E-5C3>
NOTES:
1. LETTER SUFFIXES ON FAILURE RATES DENOTE THE FOLLOWING:
   A - UPPER 95% CONFIDENCE BOUND
   B - RATE FOR STATIC BATTERY CHARGER
   P - PER PLANT HOUR
   S - PER SECTION OF PIPE
   D - FOR SIZE CLASS 1750-2000 kW DIESEL-GENERATORS
   H - FAILURE DATA FOR HELIUM
2. THE NUMBER OR NUMBERS IN PARENTHESES FOLLOWING FAILURE RATES DENOTE THE RANGE FACTORS. FOR EXAMPLE (XX/YY) MEANS ONE SHOULD MULTIPLY THE MEDIAN VALUE BY XX TO OBTAIN THE UPPER 95% CONFIDENCE BOUND AND DIVIDE THE MEDIAN BY YY TO OBTAIN THE LOWER 5% CONFIDENCE BOUND. A SINGLE NUMBER IN PARENTHESES INDICATES THE RANGE FACTOR IS FOR BOTH THE UPPER AND LOWER BOUND.
3. A "+" preceding a failure rate denotes failure-per-demand. All other failure rates are failure-per-hour.
Sheet 2 of 2
DEFINITION OF TERMS
Biblis - Biblis Nuclear Plant in Federal Republic of Germany
NCSR - Provided by the National Center of Systems Reliability - United Kingdom
Volta - Provided by Dr. Guiseppe Volta - Ispra
LER - Provided by Licensee Event Report Data Evaluation
GA - Provided by General Atomic Company
Pickard - Provided by Pickard, Lowe, and Garrick
MOVs - Motor Operated Valves
RVs - Relief Valves
DGs - Diesel Generators
CBs - Circuit Breakers

Figure 1. Data Point Estimate Extremes
Panels: Pumps Fail to Start; MOVs Fail to Open; RVs Fail to Open; DGs Fail to Start; CBs Fail to Close; Scram Rods Fail to Insert. Legend: WASH-1400.
Figure 2. Plant to Plant Variation
DEFINITION OF TERMS
MOVs - Motor Operated Valves
M. Pumps - Motor Driven Pumps
T. Pumps - Turbine Driven Pumps
DGs - Diesel Generators
Panels: MOVs Fail to Open; M. Pumps Fail to Start; T. Pumps Fail to Start; DGs Fail to Start; DGs Fail to Run. Legend: LER Range; WASH-1400 Range.
Attachment A
ACRS Fellows Report, "Analysis of Feedwater Transient Sequences in B&W Nuclear Steam Supply Systems," February 7, 1980
UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, D. C. 20555

February 7, 1980

David Okrent, Chairman, Subcommittee on Reliability and Probabilistic Assessment

ANALYSIS OF FEEDWATER TRANSIENT SEQUENCES IN B&W NUCLEAR STEAM SUPPLY SYSTEMS

To aid in the Subcommittee's work in formulating a response to Congressman Udall's letter of July 29, 1979, please find attached a draft of our analysis of the Three Mile Island, Rancho Seco, and Davis Besse events. Using the WASH-1400 event trees and data directly gives meaningless results because several important features of the sequences are omitted. Using an event tree which we constructed for B&W feedwater transients, and using WASH-1400 methodology and data, we obtain the following:

Rancho Seco: $1.2 \times 10^{-4}$/B&W reactor year
Davis Besse: $1.2 \times 10^{-3}$/B&W reactor year
Three Mile Island: $1.5 \times 10^{-4}$/B&W reactor year

A major uncertainty is the characterization of operator behavior. It appears that with appropriate use of WASH-1400 methodology and data, events of this type would be anticipated.
The study will be distributed to all Subcommittee Members and appropriate consultants.
If you have any questions, please do not hesitate to call us.

Edward Abbott, ACRS Senior Fellow
John Bickel, ACRS Fellow
ANALYSIS OF FEEDWATER TRANSIENT SEQUENCES IN B&W NUCLEAR STEAM SUPPLY SYSTEMS
E. Abbott, J. Bickel & W. E. Kastenberg
ACRS Fellows

I. INTRODUCTION

This study uses event tree analysis, and existing WASH-1400 methodology and data to determine various sequence probabilities for three different events which have occurred in plants with a B&W Nuclear Steam Supply System. The events evaluated are the March 29, 1979 Accident at Three Mile Island (TMI), the March 30, 1978 Loss of Instrument Power Transient at Rancho Seco (RS) and the September 24, 1977 Depressurization Transient at Davis Besse (DB).
The sequence of events at RS and DB are given in Appendix A.
The events are generically classified as loss of main feedwater.
The TMI and DB events are similar in that the sequence of events (i.e., the separate plant and operator actions) are comparable up to the point of the operator manually blocking the power operated relief valve (PORV).
The RS event is similar only in that the initiating event resulted in a loss of main feedwater.
The plant and operator actions, however, are different from TMI and DB.
In the first part of this memo, a heuristic analysis of feedwater transients in B&W plants prior to TMI is given. This is followed by an analysis using the data, event trees and sequences contained in WASH-1400 for the S2 small break LOCA (break diameter ~2") and for the T-transient.* It must be recognized, however, that WASH-1400 utilizes event sequences characteristic of the Westinghouse Nuclear Steam Supply System and its associated protective and engineered safeguard systems. In the last part of the study, we develop a feedwater transient event tree sequence unique to B&W plants valid prior to April 1979.
This tree is applicable to B&W plants where the PORV is designed to lift prior to RPS trip during a feedwater transient.

* A glossary of abbreviations is given in Table I (page 3).
TABLE I
GLOSSARY OF TERMS

AFWS - Auxiliary Feedwater System
CHRS - Containment Heat Removal System
CSIS - Containment Spray Injection System
CSRS - Containment Spray Recirculation System
CVCS - Chemical Volume Control System
ECI - Emergency Coolant Injection
ECR - Emergency Coolant Recirculation
EP - Electric Power
DB - Davis Besse
ICS - Integrated Control System
HPIS - High Pressure Injection System
LOCA - Loss of Coolant Accident
NNI-Y - non-nuclear instrumentation power bus Y. (power supply for instruments not associated with the determining of the fission rate in the core)
PCS - Power Conversion System
PORV - Power (or pilot) operated relief valve
Psi - Pounds per square inch
$P_X$ - probability of failure for system X. (e.g., $P_K$ = probability the RPS system fails to insert the reactor's control rods)
PWR - Pressurized Water Reactors
RCS - Reactor Coolant System
RHRS - Residual Heat Removal System
RPS - Reactor Protective System
RS - Rancho Seco
S2 - small break LOCA event tree of WASH-1400 for a PWR
SFRCS - Steam Feedwater Rupture Control System
SHA - Sodium Hydroxide Addition
SR - Safety Relief
SSR - Secondary Steam Relief
T - Transient Event Tree of WASH-1400 for a PWR
TMI - Three Mile Island
VO - Valve Opens
VR - Valve Recloses
WASH-1400 - The Reactor Safety Study NUREG-75/014.
II. HEURISTIC ANALYSIS OF B&W FEEDWATER TRANSIENTS

As stated above, the sequence of events at Davis Besse (DB) and Rancho Seco (RS) are given in Appendix A.
The Three Mile Island (TMI) accident is similar to the DB transient up to the last event where the stuck open PORV is isolated at DB but not at TMI.
As discussed later in this development, the time frames are, however, somewhat different.
Examination of the sequences given in Appendix A yields the following heuristic analysis:

1. The events for TMI and DB are determined by: a) the frequency of feedwater transients in PWRs - 3 per reactor year, b) the fact that in B&W plants prior to April 1979, a feedwater transient causes the PORV to open independent of AFWS operation, and c) failure of the PORV to close ($3 \times 10^{-2}$ per demand). Hence this family of transients would be initiated on the order of $9 \times 10^{-2}$ per reactor year.

2. The eventual outcome of this sequence depends upon a) whether or not the PORV is gagged at the time of transient initiation (50% of the time it is), b) operator action in not interrupting the HPIS, and c) isolating the PORV if it fails to close.

3. For DB the PORV was not gagged, the operator interrupted the HPIS and did isolate the PORV.
In order to estimate the frequency of the outcome, the probability of these three events must be obtained. A telephone survey of B&W plants by the authors revealed that the PORV is gagged 50% of the time. The operator action is more difficult to obtain. WASH-1400 (Appendix III) states that the probability of operator failure under stress is:

0.9 - 5 minutes after a large LOCA
0.1 - 30 minutes after a large LOCA
0.01 - several hours later

The average error rate in a high stress situation is given as 0.2 to 0.3.
In addition, if $P$ is the probability of operator error, and the number of people present is $n$, then $P^n$ is given as the probability of a collective error.
In practice, the final decision rests with the shift supervisor so that $n$ can vary between 1 and 3 depending on his influence. (See Appendix B)
One problem (among others) in using this data is that it is not clear that the operator made an error in defeating the HPIS.
That is, the procedure followed called for interruption of HPIS with high level indicated in the pressurizer.
In that case, it may have been the procedure that was in error, and the operators failed to recognize it.
Using a probability of 0.5 for the chance of a gagged PORV, $(0.3)^3 = 0.027$ for defeating the HPIS after several minutes, and using $1-(0.1)^3 = 0.999$ for successfully blocking the PORV at 20 minutes yields a frequency for DB

$\mathrm{DB} = (9 \times 10^{-2})(0.5)(0.027)(0.999) = 1.2 \times 10^{-3}$
4. At TMI, the PORV was not gagged, the operator interrupted the HPIS and the PORV was not isolated. Since the decay heat load was greater at TMI than DB, the failure to block the PORV occurred sooner. The operator should have recognized that the PORV had stuck open by the time the quench tank rupture disk blew (about 15 minutes into the transient). This yields an estimate of the error probability of $(0.5)^3$.
Hence at TMI

$\mathrm{TMI} = (9 \times 10^{-2})(0.5)(0.027)(0.125) = 1.5 \times 10^{-4}$

5. For Rancho Seco (RS), the initiating event (loss of non-nuclear instrumentation) was estimated to be $8.6 \times 10^{-3}$ per reactor year.*
Since this loss initiated the feedwater transient, this value is used, rather than the 3 per reactor year used for DB and TMI.
Since the PORV was gagged (0.5), the operators throttled the HPIS (0.027) and the code safety valves opened and closed as required (1.0), the frequency of this event is estimated as

$\mathrm{RS} = (8.6 \times 10^{-3})(0.5)(0.027) = 1.2 \times 10^{-4}$

In the next section, an attempt is made to map these events on the WASH-1400 event trees.

* Because of the difficulty in estimating the specific failure of the non-nuclear instrumentation (NNI-Y) power supply in the absence of a detailed fault tree analysis, the failure rate for low power, solid state devices was used. It should be noted that the final result is very sensitive to this failure rate and should be viewed as representing the family of NNI failures.
III. WASH-1400 EVENT TREES

In this section, we have attempted to trace the Davis-Besse (DB), Rancho-Seco (RS) and Three Mile Island (TMI) events on the WASH-1400 Transient (T) and Small Break LOCA (S2) event trees shown in Figures 1 and 2.
Mapping the sequences occurring at DB and RS on the WASH-1400 T tree without any modification yields sequence TM, which does not result in core melt, and was subsequently omitted from the dominant risk sequences in WASH-1400.
Mapping TMI on the T tree yields: (a) sequence TMLQU if no credit is given for the return of the Auxiliary Feedwater System (AFWS) or TMU if credit is given for AFWS.
Both paths do not give credit for actuation of the High Pressure Injection System (HPIS). With HPIS actuation, the corresponding paths are TM and TMLQ (See Figure 1). Several problems arise when trying to evaluate these events in terms of this event tree. For the DB and RS events, sequence TM does not differentiate between the failure of the PORV to close at DB and the initially gagged PORV at RS.
Second, the sequence is for all transient initiated events and hence does not identify the initial loss of non-nuclear instrumentation (power bus NNI-Y) induced by human action which resulted in the feedwater transient and in the loss of indicators during the transient at RS.
Lastly, for DB and TMI, the tree fails to include the fact that the PORV will lift regardless of the availability of the auxiliary feedwater supply in B&W plants, and, therefore, neglects the possibility that the PORV fails to close.
For the DB and RS events, the frequency of sequence TM for all feedwater transients would be given by:

$P_{TM} = P_T (1-P_K) P_M (1-P_Q)(1-P_U)(1-P_W)$.

Based on WASH 1400 data, $P_T$ = 3 feedwater transients per reactor year, $P_M$ = 1 (failure to recover the main feedwater system within minutes) and assuming $(1-P_i) = 1$ we obtain

$P_{TM} = 3$ per reactor year.

For TMI, the appropriate sequence (taking into account the return of the AFWS) is TMU with

Hence $P_{TMU} = 3 \times P_U$ per reactor year where $P_U$ is the unavailability of the HPIS.
Since HPIS was available, but the operators interrupted its operation, $P_U$ is chosen as $(0.3)^3$ which is in the range of WASH-1400 numbers for operator error. Hence for this sequence

$P_{TMU} = 8.1 \times 10^{-2}$ per reactor year.

Again, this tree neglects failure of the PORV to close.
In WASH-1400, it is suggested that transients, for which the PORV fails to close, should be treated as a small break LOCA, and the event tree S2 be used (Figure 2). Since the LOCA is terminated at both DB and RS, (the PORV is finally blocked at DB and the code safety valve reseats at RS), these events become sequence S2 with a frequency of 3 per year.
Mapping the TMI event on the small break LOCA tree yields sequence S2D.
The initiating frequency S2 is given by

S2 = 3 feedwater transients/year x $10^{-2}$ failure to close/demand* = $3 \times 10^{-2}$ S2 events/yr.

Using a HPIS unavailability of $(0.3)^3$ due to operator error, TMI becomes

$P_{TMI} = 8.1 \times 10^{-4}$/year

Failure to block the PORV is not included in the tree and the PORV failure to close on demand number comes from Appendix V, page V-38 of WASH-1400.

* WASH-1400 states this number has an error factor of 10.

For the particular feedwater transient at Rancho Seco, the probability of loss of non-nuclear instrumentation (which led to loss of feedwater) and the probability that the loss was attributable to human error should be obtained.
Data from WASH-1400 on loss of non-nuclear instrumentation is about $8.6 \times 10^{-3}$/reactor year. Hence the Rancho Seco initiating event may be on the order of $8.6 \times 10^{-3}$/reactor year.
IV. APPLICATION OF A B&W EVENT TREE TO TMI, DB AND RS

A unique event tree was developed for feedwater transients in B&W plants which is different from those used in WASH-1400.
The differences between the WASH-1400 PWR and the B&W PWR were described in Section III.
The sequence of events at TMI is well known and not presented here. The events follow along sequence 15 on the attached event tree and are self-explanatory (Figure 3). The sequence of events for Davis Besse follows sequence 16 on the event tree. The sequence of events for Rancho Seco follows sequence 14 on the event tree.
The probabilities and failure rate data shown below were obtained from WASH-1400 except for those marked with * and **. The uncertainty in $P_{Q'}$ and $P_Q$ were also obtained from B&W data.
The uncertainty in the other probabilities are difficult to obtain because they depend on human errors, operating procedures, etc., and have not been ascertained. Hence, the final results could have large error bounds.
The probabilities for the significant events in the event tree are:

$P_T$ = 3 per reactor year (WASH-1400, Appendix V, pg. V-34)
$P_P = 0.5$ *
$P_{Q'} = 3 \times 10^{-2}\ (\pm 1 \times 10^{-2})$ **
$P_Q = 3 \times 10^{-2}\ (\pm 1 \times 10^{-2})$
$P_{U'} = (0.3)^3$ (WASH-1400, Appendix III, page III-60)
$P_{Q''} = (0.5)^3$ (for TMI)
$P_{Q''} = (0.1)^3$ (for DB)

For TMI the probability is as follows:

$P_{TMI} = P_T \times P_P \times (P_Q) \times (P_{U'}) \times (P_{Q''})$
$= 3 \times 0.5 \times 3 \times 10^{-2} \times (0.3)^3 \times (0.5)^3$
$= 1.5 \times 10^{-4}$/year

For DB the probability is as follows:

$P_{DB} = P_T \times P_P \times P_Q \times (P_{U'}) \times (1-P_{Q''})$
$= 3 \times 0.5 \times (3 \times 10^{-2}) \times (0.3)^3 \times (1-(0.1)^3)$
$= 1.2 \times 10^{-3}$/year

For the Rancho Seco event, the probability of the loss of an instrument bus leading to a feedwater transient must be used for $P_T$.
Using WASH-1400 data, the failure rate of low power solid state devices is: $1 \times 10^{-6}$/hr or $8.6 \times 10^{-3}$ per year.

* The $P_P$ value was obtained from a telephone survey of B&W plants and their estimate of the frequency of defeating the PORV by blocking or gagging.
** Obtained from B&W

The probability of the RS family of events is then estimated as

$P_{RS} = P_{NNI} \times P_P \times P_{U'}$
$= 8.6 \times 10^{-3} \times 0.5 \times (0.3)^3$
$= 1.2 \times 10^{-4}$ per reactor year.
These results are summarized as follows:

WASH-1400 T / WASH-1400 S2 / B&W Feedwater Transient
$8.1 \times 10^{-2}$   $8.1 \times 10^{-4}$   $1.5 \times 10^{-4}$   3
$1.2 \times 10^{-3}$   $8.6 \times 10^{-3}$   $1.2 \times 10^{-4}$

* Does not apply.

It is important to recognize that the largest uncertainty is in characterization of operator action. WASH-1400 states that if $P$ is the probability of operator error, then $P^n$ is the probability of error if the number of personnel in the control room is $n$.
Because of the supervisory nature of the shift supervisor, the probability may be between $P$ and $P^n$.
This report uses 0.3 for HPIS unavailability as an average for the initial one-half hour for all three sequences.
Failure to block the PORV is given a probability at 0.5 at fifteen minutes and 0.1 at thirty minutes. This report does not evaluate in detail the resultant error in the calculations because of a lack of data on operator action.
The values chosen are considered to be within the ranges of WASH-1400, and consistent with the methodology.
V. CONCLUSIONS

After mapping the TMI, DB and RS events on the WASH-1400 Transient and Small Break LOCA trees, constructing an event tree for B&W Feedwater Transients, and employing the WASH-1400 data, the following is concluded:

1. As shown in Table II, the values obtained from a B&W transient tree differ from those obtained from the T and S2 event trees in WASH-1400 because the latter trees do not include the necessary features as discussed above.
As noted in Section II, the WASH-1400 event trees cannot be used since the PORV lifts during a feedwater transient. This clearly shows that the strict use of these event trees to other PWRs yield erroneous results. This should be obvious because the trees in WASH-1400 are unique to the Surry Plant which is a Westinghouse PWR.
The values obtained above could have been obtained prior to the event sequences discussed because the data, knowledge of the transients and methodology were known.
The only requirement to complete a similar study would have been development of a unique event tree for B&W plants.

2. The consequences of these sequences of events depend upon the exposure history of the core. At DB, the plant was operating at low power with fresh fuel.
At TMI, the plant was operating at full power well into the fuel cycle.
The time allowed to block the PORV and for re-initiating HPSI before the core is uncovered was different in each case. These time differences are reflected in the characterization of operator action.

3. The NRC will construct event and fault trees for individual plants under the Integrated Reliability Evaluation Program (IREP).
The individual licensees, however, could easily perform similar studies using available failure rate data and developing a unique event tree for their respective plants. This would immediately focus upon needed areas of improvement in operations and provide an independent check to IREP.
APPENDIX A
Sequence of Events

The sequence of events for Davis Besse is:

T - A spurious initiation of Steam Feedwater Rupture Control System (SFRCS) isolates the steam generators and starts the auxiliary feedwater pumps.
P - The pressure rise in the primary system causes the Power Operated Relief Valve (PORV) to open.
K - The control room operator manually trips the reactor because the pressurizer level is outside (high) of the operating range.
L - Both auxiliary feedwater pumps start but only one feeds a generator due to binding in the throttle linkage in the other pump's turbine control system.
P;Q - Code safety valves do not lift as the PORV is relieving reactor coolant pressure.
Q - The PORV "simmers" due to a missing relay in the closing circuit and after nine cycles it sticks open.
U - Safety Features Actuation System (SFAS) initiation on low RCS pressure starts the HPI pumps.
U' - The operator cycles the HPI pumps to maintain pressurizer level.
Q" - The operators recognize that the PORV is stuck open and shut the block valve.

The sequence of events for Rancho Seco is:

T - The loss of one of the two non-nuclear instrumentation fuses (NNI-Y) causes the Integrated Control System (ICS) to sense a loss of BTU output and isolates the feedwater system.
P - The primary system pressure rise would have caused the PORV to open but it was gagged shut.
K - The reactor trips on high RCS pressure.
L - The operator manually initiates main feedwater after realizing the NNI-Y failure has blocked the initiation of the auxiliary feedwater system (the auxiliary feedwater pumps initiate automatically on SFAS actuation later on in the transient.)
P - The increased RCS pressure causes one of the two code safety valves to open at a pressure less than maximum setpoint of 2500 psi. The subsequent decrease in RCS pressure causes a SFAS initiation (HPI and AFWS start).
Q' - The power safety valves reseat.
U' - NNI-Y is restored. The operators recognize an excessive cooldown (> 100° F/hr) has resulted. They throttle HPI and auxiliary feed flow to reduce rate of cooldown.
FIGURE 1. PWR Transient Event Tree (from WASH-1400), with the sequences for DB & RS and for TMI-2 marked.
FIGURE 2. PWR Small LOCA (S2, 1/2-2 inch diameter) in RCS event tree (WASH-1400 FIGURE I 4-4), with the TMI-2 sequence marked.
APPENDIX B
OPERATOR ERROR

The rationale for characterization of operator error in WASH-1400 can be demonstrated as follows.
Let $p_f$ be the probability of operator failure and let $p_s$ be the probability of operator success.
Then

$$p_s + p_f = 1 \qquad (1)$$

as it should.
Suppose there are n operators in the control room.
Let $P_f$ be the probability the n operators make a "collective" error.
In WASH-1400, $P_f$ is given by

$$P_f = (p_f)^n \qquad (2)$$

Since probability must be conserved, the probability that the n operators make a "collective" success, denoted $P_s$, is

$$P_s = 1 - (p_f)^n \qquad (3)$$

To understand the implications of such an approach consider the following:
let $p_f = 0.1$ (individual failure), n = 3.
It follows that:

$p_s = 1 - 0.1 = 0.900$ (individual success)
$P_f = (0.1)^3 = 0.001$ (collective failure)
$P_s = 1 - (0.1)^3 = 0.999$ (collective success)

The possible operator actions are:

$p_f \, p_f \, p_f = (0.1)^3 = .001$
$p_f \, p_f \, p_s = (0.1)^2 (0.9) = .009$
$p_f \, p_s \, p_f = (0.1)(0.9)(0.1) = .009$
$p_f \, p_s \, p_s = (0.1)(0.9)^2 = .081$
$p_s \, p_f \, p_f = (0.9)(0.1)^2 = .009$
$p_s \, p_s \, p_f = (0.9)^2 (0.1) = .081$
$p_s \, p_f \, p_s = (0.9)(0.1)(0.9) = .081$
$p_s \, p_s \, p_s = (0.9)^3 = .729$
Total = 1.000

Hence, WASH-1400 can be interpreted as follows:
a) For a "collective" failure, all n operators must be in error.
b) For a "collective" success, at least one operator must take correct action.
With this interpretation, $P_s \neq (p_s)^n$, i.e., all operators are correct.
As stated in the report, the shift supervisor should have the final word; however, to be consistent, the WASH-1400 approach is used, with the interpretation given above.
Nuclear Regulatory Commission Staff Report, "Evaluation of Davis-Besse and Rancho Seco Feedwater Transients on 9/24/77 and 3/20/78 Using WASH-1400 Data"
Attachment B

A. INTRODUCTION

In this report we have evaluated the Loss of Main Feedwater transients which occurred at Davis-Besse-1 on 9/24/77 and at Rancho Seco on 3/20/78 and compared them with the accident at Three Mile Island-2 on 3/29/79. A summary is provided of the Davis-Besse and Rancho Seco events. The behavior of important safety systems is compared.
An event tree for Loss of Main Feedwater transients is provided, and each transient sequence is identified in the context of the event tree, WASH-1400 data.
Certain caveats should be made.
First, WASH-1400 was performed for the Westinghouse-designed Surry plant, not a B&W reactor.
We have not done the kind of major in-depth analysis here that was done for WASH-1400.
Such an analysis would require considerable effort and funds.
Second, it should be recognized that there are significant uncertainties in the WASH-1400 data.
Third, the evaluation refers to pre-TMI system behavior and transients.
B. DISCUSSION OF DAVIS-BESSE TRANSIENT

1. Event Summary - Davis-Besse

On September 24, 1977 a series of events occurred at the Davis-Besse Unit 1 which resulted in depressurization of the primary system from a normal operating pressure of 2150 psi to 900 psi in approximately eight minutes, and the release of approximately 11,000 gallons of water in the form of steam within the containment through the pressurizer quench tank rupture disc.
On the afternoon of Saturday, September 24, 1977 the main turbine was shut down to repair a leak in a pressure sensing connection on a steam line from the turbine governing valves to the turbine inlet. The reactor was being held critical at approximately 9% thermal power.
At 2134 hours, a spurious half trip occurred in the Steam Feedwater Rupture Control System (SFRCS).
This caused the startup feedwater valve on the No. 2 steam generator (which is the normal feed path at this power level) to close. Closure of this valve resulted in a low No. 2 steam generator level, which then resulted in a normal full trip of the SFRCS for this condition and initiation of the SFRCS.
SFRCS initiation closes both main steam isolation valves and initiates feedwater flow to both steam generators from their individual steam-driven auxiliary feedpumps.
The half trip and resulting full trip of the SFRCS caused a reduction in heat removal from the primary system and a corresponding temperature/pressure rise in the primary system.
The pressure rise in the primary system caused the pressurizer power relief valve to lift. This valve then rapidly oscillated closed-to-open approximately nine times and remained in the full open position.
The chattering of the relief valve was caused by the physical absence of a relay in the valve control logic circuitry. The relay normally provides for a deadband between "open" and "close" setpoints.
An empty relay socket was found in the logic cabinet after the event.
The temperature rise in the primary system caused an increase in the pressurizer level, and the operator manually tripped the reactor on high pressurizer level approximately two minutes after the half trip on the SFRCS occurred.
The pressurizer power relief valve, in the full open position, rapidly reduced the primary system pressure, and a Safety Features Actuation System (SFAS) trip occurred at the 1600 psi setpoint of the primary system. The power relief valve discharge goes to the pressurizer quench tank, which became overloaded and overpressurized, and approximately 4 1/2 minutes after reactor trip the rupture disc in this tank relieved due to overpressure, venting the steam into the containment. Approximately 20 minutes after reactor trip, the operators diagnosed the reason for the primary system depressurization as being the power relief valve, and from the control room closed the motorized block valve ahead of the power relief valve, terminating the loss of primary coolant into the containment.
Subsequent operator action using makeup pumps and high pressure injection pumps stabilized the primary system pressure and pressurizer level and a controlled shutdown to cold shutdown conditions followed.
The major physical damage from the incident was to the reflective metal insulation on the lower part of the No. 2 steam generator, which received the jet of steam coming from the pressurizer quench tank. A ventilating duct in the area of the quench tank was dimpled and required straightening.
Twenty-three panels of reflective metal insulation required replacement.
Entry into the containment was made at 0550 Sunday, September 25, 1977 for cleanup operations.
Another event occurred in the course of this incident that did not contribute materially to the above events, but did result in the No. 2 steam generator going dry. This was the failure of the No. 2 auxiliary feedpump to come up to full speed (3600 rpm) following the SFRCS trip. This feedpump came up to approximately 2600 rpm and stayed at this level with no flow to the steam generator until approximately 12 minutes after reactor trip, when the operators placed its control in manual and brought it up to full speed (commencing feedwater flow to the steam generator).

2. Key Systems Behavior - Davis-Besse

An important fact to bear in mind while discussing the Davis-Besse transient of 9/24/77 is that only one full-power day of operation had been accumulated at the time of the event (see Table 1). This means that considerably less decay heat was being generated in the core than was the case at TMI-2.
In addition, the Davis-Besse reactor was only at 9% power when the main feedwater was lost. A high pressure reactor trip did not occur (it did at TMI in 9 seconds), confirming the slower, milder nature of the Davis-Besse transient.
Operator reaction to the transient was effective. Although the pressurizer level increased off-scale in the first ten minutes, the operators apparently realized the pressurizer level increase was misleading and caused by steam formation in the primary system.
However, the operators did turn off the HPI pumps (just as at TMI) after only three minutes of operation.
The pressurizer relief valve stuck open early in the transient. The operators diagnosed this problem and closed the block valve after 21 minutes into the transient. At TMI a similar problem took 138 minutes to diagnose.
The ability to diagnose and take remedial action in 21 minutes helped to terminate the Davis-Besse transient with a minimum of damage.

3. Event Tree Evaluation - Davis-Besse

The events at Davis-Besse on 9/24/77 can be depicted in an event tree (Figure 1). The Davis-Besse transient is #2 on the event tree. This may be compared with sequence #3 which is the TMI-2 sequence. The event tree is for a category of transients which begin with a loss of all main feedwater (TM).
In the case of Davis-Besse, this was apparently initiated by a faulty input buffer in the logic control of the Steam Feedwater Rupture Control System.
WASH-1400 estimated three of these feedwater transients to occur per year at each reactor.
In the 12 months prior to the TMI-2 accident, the average number of feedwater transients at B&W reactors was three per year (see Table 2), confirming the WASH-1400 value. It should be noted that a larger number of feedwater transients occur in the first few years of operation, and a smaller number after that. Perhaps 2 to 3 times this number might be appropriate for early operation. Plants which have operated longer than a few years may average 1 to 2 feedwater transients per year.
Within about ten seconds after the main feedwater system had tripped, increasing reactor pressure caused the pressurizer relief valve to open.
This valve then failed to close, causing a small LOCA.
The WASH-1400 failure rate estimated for this failure mode was 1x10^-2 per demand with a factor 10 uncertainty up and down.
More recent data in light of the TMI-2 accident indicate three relief valve failures in this mode in about 150 demands, or a failure rate (to reclose) of ~2x10^-2 per demand, again confirming the WASH-1400 failure rate.
At the same time that the relief valve was opening in the primary system, the auxiliary feedwater system was being aligned to the steam generators and auxiliary feedwater flow had commenced successfully shortly thereafter.
About 30 seconds later, the operator tripped the reactor manually because of rising pressurizer level.
Reactor pressure did not reach the setpoint of the pressurizer safety valves and they were not called on to open.
The ECCS system automatically actuated on low pressure (1600 psi) in the High Pressure Injection (HPI) mode about 1 1/2 minutes after the pressurizer relief valve stuck open.
After the HPI system operated successfully for about three minutes, the operator manually terminated HPI.
Because of the nature of the transient, this was regarded as successful operation of ECCS.
The probability of this category of transient occurring in a B&W reactor, as predicted using WASH-1400 failure data, is estimated as follows:

3 Loss of Main Feedwater/yr. x Relief Valve Fails to Close = 3x10^-2 per reactor year

C. DISCUSSION OF RANCHO SECO TRANSIENT

1. Event Summary - Rancho Seco

On March 20, 1978 an excessive cooldown transient was experienced while operating at 70% power (IE Report 50-132).
Non-nuclear instruments were lost including steam generator and pressurizer levels and all RCS temperatures. Loss of RCS hot leg temperature input to the ICS caused termination of feedwater flow.
Reduced heat removal in the steam generators caused RCS temperature and pressure to increase. The reactor tripped on high RCS pressure followed by a turbine trip. The secondary sides of both steam generators emptied due to operation of condenser bypass valves, atmospheric dump valves and auxiliary steam loads. Although normal control room indications were lost, the computer typewriter will print alarms when setpoints are reached.
In addition, selected plant parameters can be monitored on the ICS computer printout. With the aid of computer indication, pressurizer level was maintained by manual operation of a high-pressure injection pump.
"A" steam generator level control initiated emergency feedwater injection (level control was actually lost at time zero, but the channel drifted slowly downward while "B" channel drifted slowly upward).
The turbine-driven auxiliary feedwater pump had started on loss of feedwater flow.
RCS cooldown started as a result of emergency feedwater flow to "A" steam generator and possibly main feedwater pump flow (manually operated).
Decreasing RCS pressure (1600 psig) actuated HPI pumps and the motor-driven auxiliary feedwater pump.
Full auxiliary feedwater was initiated to both steam generators.
The RCS reached a minimum of 1475 psig and was then increased and maintained at 2000 psig by manual control of an HPI pump.
Restoration of the non-nuclear instrumentation restored all lost indications and controls. Operating personnel secured the auxiliary feedwater pumps and started RCS pressure reduction using the pressurizer spray.
2. Key Systems Behavior - Rancho Seco

The incident at Rancho Seco on March 20, 1978 involved a loss of main feedwater due to operator-induced failure in the ICS non-nuclear instrumentation. The incident was aggravated by the fact that (1) the plant ICS reacted to erroneous instrument readings causing delays in initiating AFW injection and subsequently allowing excessive AFW injection, and (2) the operators had a very limited number of instrument readings which they could trust to manually bring the plant to an orderly shutdown.
Since the reactor was at 70% power and had logged considerable operating time (3 1/2 years of commercial operation), the decay heat to be removed was significant, similar to TMI-2.
Auxiliary feedwater was not available for seven minutes after MFW trip.
However, this delay was not as serious as at TMI-2 because there was no small LOCA in progress; i.e., a pressurizer safety valve had opened and closed properly.
The transient was eventually brought under control by the operators' diagnosis of which electrical circuit breakers had opened, and then closing them.

3. Event Tree Evaluation - Rancho Seco

The Reactor Safety Study (RSS) stated that on the average a plant can expect about three main feedwater losses of a few minutes duration per year. This value was obtained from the operating experience available at the time the RSS was in progress.
The nature of the three main feedwater losses per year was not discussed in great detail. Therefore, the breakdown of the various causes of feedwater transients (such as the Rancho Seco incident) in quantitative terms is not provided in the RSS.
The NRC has investigated feedwater transients at B&W plants and has reported this information in NUREG-0560.
At least five of the main feedwater losses attributable to ICS-related failures or malfunctions were identified in that document.
Among these is the Rancho Seco incident. There were many other main feedwater losses which licensees felt were not significant enough to be reportable. It is not known how many of these were ICS or non-nuclear instrumentation failure related. The average failure rate of main feedwater for B&W plants subsequent to RSS was reconfirmed at three per year.
The RSS identified several potential transient-initiating events which are associated with the loss of feedwater.
Among those identified were the loss of main feedwater pumps and malfunction of control, loss of condensate pumps, loss of A.C. power to the feedwater system, and others.
The probability of occurrence of any one specific initiating event may be small.
However, when assembled into appropriate categories, the net probability of a given type of transient may be considerable.
In this regard, the probability of the event at Rancho Seco is a small part of the larger probability that the main feedwater system will be lost.
This transient may be classified as belonging to sequence #1 on the event tree shown in Figure 1. However, this ICS/NNI initiated transient could have been more severe than it was. That is, the loss of NNI which resulted in erroneous instrument readings delayed the automatic injection of AFW; perhaps even more significant, operator information on the status of the plant was severely limited throughout the transient. The erroneous instrument readings eventually "drifted" to the point of AFW injection some seven minutes into the transient even though the steam generator was apparently dried out by the end of the first minute. It appears that the capability existed at all times for manual action to initiate AFW injection.
If erroneous instrument readings or manual actions had never initiated AFW injection, this event would have followed the path of sequence 10 in Figure 1.
Another sequence of significance for this initiating event is sequence #3.
If a pressurizer relief valve had become stuck open, this event could have been worse than the TMI-2 sequence, depending on operator actions, because of the additional problem of a lack of instrument readings.
However, the specific initiating event, ICS/NNI failure or malfunction, may be somewhat less likely than main feedwater losses due to other causes.
Using WASH-1400 data, the overall sequence #1 would have a probability of occurrence of three times per year per plant; the specific (and potentially more severe) case where the loss of NNI is the cause is expected to be a much smaller subset of this category.
TABLE 1
COMPARISON OF THREE B&W REACTOR INCIDENT EVENT SEQUENCES

| | TMI-2 (3/29/79) | DAVIS BESSE (9/24/77) | RANCHO SECO (3/20/78) |
|---|---|---|---|
| REACTOR POWER | 97% | 9% | 70% |
| REACTOR HISTORY (A) | IN COMMERCIAL OPERATION THREE MONTHS. | ~1 FULL POWER DAY OF OPERATION. | IN COMMERCIAL OPERATION 3 1/2 YEARS. |
| TURBINE | TRIPPED IMMEDIATELY. | DOWN ALREADY. | TRIPPED AFTER 5". |
| REACTOR TRIP | AUTOMATIC AFTER 8" ON HI REACTOR PRESSURE (2355 PSI). | MANUAL (1 MIN. 47") BECAUSE OF RISING PRESSURIZER LEVEL. | AUTOMATIC AFTER 5" ON HI REACTOR PRESSURE. |
| MFW | BOTH PUMPS TRIP IMMEDIATELY. | 1 PUMP TRIP IMMEDIATELY, 1 PUMP TRIP 58" LATER. | REDUCED TO ZERO FLOW BY FAULTY ICS SIGNAL (SOME MFW INITIATION BY OPERATOR PROBABLE AFTER 7 MIN.). |
| AFW | NO AFW FOR 8 MIN. | 1 PUMP/SG WORKING WITHIN 46", 1 PUMP "UNAVAILABLE" (TURBINE DEGRADED). AVAILABLE MANUALLY AFTER 12 MIN. | NO AFW FOR 7 MIN. |
| PRESSURIZER RELIEF VALVE | OPENED AFTER 3" AND STUCK OPEN. BLOCK VALVE CLOSED AFTER 138 MIN. | OPENED AFTER 1 MIN. 6", CYCLED RAPIDLY 9 TIMES IN 23" AND STUCK OPEN (STEM GALLING). BLOCK VALVE CLOSED IN 20 MIN. | GAGGED CLOSED. SRV OPENED AND CLOSED PROPERLY. |
| PRESSURIZER LEVEL | SEVERELY MISLEADING LEVEL INDICATION. | LEVEL INCREASED OFF SCALE. | NO LEVEL PROBLEM. |
| INSTRUMENTS | MOST O.K. | O.K. | ONLY PRESSURIZER LEVEL AND RCS PRESSURE TRUSTED BY OPERATORS DURING FIRST 75 MIN. |

One further row of TABLE 1 (CONT.) is not recoverable cell by cell; its legible fragments are: OTHER; 3 MIN. 5"; MANUAL; AUTOSTART (1600 PSI); PUMP THROTTLED TO; SHUTDOWN BECAUSE; MINIMUM FLOW; PRESSURIZER LEVEL; NORMAL.
TABLE 2
WASH-1400 FAILURE RATES

| | | FAILURE RATE |
|---|---|---|
| 1. | MAIN FEEDWATER (TM) | 3/YR |
| 2. | REACTOR TRIP (K) | 3.6x10^-5/D* |
| 3. | AUXILIARY FEEDWATER (L) | 3.7x10^-5/D* |
| 4. | PRESSURIZER RELIEF VALVE OPENS (P1) | 1x10^-2/D |
| 5. | SAFETY VALVES OPEN (P2) | 3x10^-5/D |
| 6. | PRESSURIZER RELIEF VALVE CLOSES (Q1) | 1x10^-2/D |
| 7. | SAFETY VALVES CLOSE (Q2) | 1x10^-2/D |
| 8. | ECCS - HI PRESSURE INJECTION (C) | 3.7x10^-3* |
| 9. | ECCS DEGRADED OPERATION (C1) | > 3.7x10^-3 |

* ANALYSIS UNIQUE TO SURRY
Memorandum From F. Rowsome to R. Fraley, "ACRS Query on Material Relevant to Udall Letter: Davis-Besse and Rancho Seco Transients," February 12, 1980
Attachment C

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

February 12, 1980

MEMORANDUM FOR: Raymond F. Fraley, Executive Director, Advisory Committee on Reactor Safeguards
FROM: Frank H. Rowsome, Deputy Director, Probabilistic Analysis Staff, Office of Nuclear Regulatory Research
SUBJECT: ACRS QUERY ON MATERIAL RELEVANT TO UDALL LETTER: DAVIS BESSE AND RANCHO SECO INCIDENTS

The following question was posed by Congressman Udall's letter of July 27, 1979:

"Please determine the probabilities of occurrence that, prior to the events, would have been predicted on the basis of WASH-1400 failure rates and methodology as to the probabilities of the sequences of events that occurred at Davis Besse on September 24, 1977 and at Rancho Seco on March 20, 1978."

Needless to say, the predictive probability for a particular historical event can have any value between one and zero depending upon the breadth of the class of events that is taken to represent it. In most cases, a few classifications appear to be "natural" in the sense that "vertebrates" are a natural and distinct grouping of animals. However, there are commonly several levels of event resolution at which one might consider the problem, analogous to the hierarchy of biological classifications: kingdom, phylum, ..., species.
I shall attempt to address Congressman Udall's question using the level of event sequence resolution most natural to WASH-1400, while attempting to sketch answers to several more useful questions, such as:
Did WASH-1400 consider or predict accidents of this type?
Could WASH-1400 methods have alerted analysts to the possibility of such accidents if the methods had been applied to the affected plants?
What improvements in WASH-1400 methods or data are needed to properly consider such sequences in risk assessment?
Can WASH-1400 methods serve a useful function in analyzing actual experiences?
The Davis-Besse incident, the Rancho Seco incident, and the accident at TMI all entailed feedwater transients, i.e., cessation in the normal delivery of feedwater to the steam generators. The Reactor Safety Study estimated that feedwater transients can be expected to occur between once a year and ten times a year at each nuclear plant. The best estimate in WASH-1400 is three feedwater transients per reactor year. There were roughly 30 reactor years of experience accumulated at B&W reactor plants as of March 28, 1979, the date of the accident at Three Mile Island. WASH-1400 would have led us to expect between 30 and 300 feedwater transients, most likely about 100 feedwater transients at B&W plants up to that time.
In fact, there were about 150 feedwater transients at B&W plants, in good agreement with WASH-1400 failure rate data.
In two of the incidents, the September 24, 1977 incident at Davis Besse and the accident at Three Mile Island, the pressurizer relief valve opened and failed to close, giving rise to a small loss-of-coolant accident (LOCA).
WASH-1400 identified this possibility and estimated that the probability that a pressurizer relief valve, having once opened, would fail to close at somewhere between .001 and .10, with .01 (a one percent chance) as the most likely value.
On the other hand, the pressurizer relief valve opens only very rarely during feedwater transients at Westinghouse plants, the kind studied in WASH-1400.
Therefore, the Reactor Safety Study did not predict a high expected frequency for failed-open pressurizer relief valves initiated by feedwater transients.
Had a WASH-1400 type analysis been performed for a B&W plant and had the authors recognized that almost all feedwater transients cause the opening of this valve in B&W plants (before the TMI-inspired changes), then the analysis would have predicted between zero and five (most likely one) occurrences of a stuck open pressurizer relief valve following a feedwater transient in the 30 B&W reactor years. In fact, there were two:
Davis Besse on September 24, 1977 and Three Mile Island on March 28, 1979.
The Reactor Safety Study (RSS) did not attempt to distinguish by probability the many types of faults that can give rise to feedwater transients. These were lumped together in one broad category. However, the RSS did acknowledge that some of the failure mechanisms that can trigger a feedwater transient might also compromise the reliability of the systems called upon to respond to the feedwater transient.
One example of such common-cause failures was found to be important to the risk in WASH-1400; it is the loss of all AC power at the station. The failure mechanism responsible for the March 20, 1978 incident at Rancho Seco was a failure of the "Non-Nuclear Instrumentation" DC power supplies.
It is also a common-cause failure that both triggered the feedwater transient and also compromised the reliability of the backup auxiliary feedwater system.
Although this class of common mode failures was described and one example was found to be important in WASH-1400, nothing quite like this scenario was found for Surry in WASH-1400.
The Surry plant does not depend upon non-safety grade equipment for the autostart of its auxiliary feedwater system. Therefore, Surry is immune to the class of accidents in which non-safety grade instrument power supply failure trips main feedwater and defeats the normal autostart of emergency feedwater.
At Rancho Seco the failure of the autostart of auxiliary feedwater (AFW) was not regarded as a principal cause for concern emerging from the incident, although the risk assessment perspective suggests that it should have been high among the warning flags raised by the event.
It should be noted that the auxiliary feedwater pumps were started at the outset and that their discharge control valves did receive two "open" commands.
The first of these occurred when one of the faulted steam generator level signals happened to drift into the range triggering AFW delivery. The second occurred after the overcooling commenced in response to the ECCS actuation signal. Thus, neither of these signals could be counted upon to mitigate the initiating event.
In the event that WASH-1400 methods had been applied to Rancho Seco, it is unlikely that the specifics of the short circuit and fuse failure would have been considered that led to the NNI-Y power supply failure.
However, it is reasonable to expect that such a study would have identified the dependency of the auxiliary feedwater autostart system upon the Integrated Control System, and the dependence of both the ICS and the instruments upon the NNI buses.
In summary, the RSS did identify events of the broad class represented by the DB and TMI incidents: feedwater transients with stuck open pressurizer relief valves. The RSS did identify the class and some examples of common mode failures that cause a feedwater trip and degrade the reliability of the auxiliary feedwater system, as at Rancho Seco, but it did not and could not have been expected to predict the right frequency of occurrence for these classes of accidents at B&W plants. A risk assessment of B&W plants might reasonably have been expected to have identified the high susceptibility to transient-induced LOCA intrinsic in the B&W design - the frequent challenge of the pressurizer relief valve that led to the Davis Besse and TMI accidents.
Had the risk assessment been coupled with a careful review and adequacy assessment for operator emergency procedures, the susceptibility of plants to accidents such as TMI or the Rancho Seco incident could have been foretold.
Risk assessment methods also provide a useful framework for organizing the "what if" questions surrounding an actual, historical incident. Application of these techniques can be used to help identify the safety significance of operating occurrences.
Frank H. Rowsome, Deputy Director
Probabilistic Analysis Staff
Office of Nuclear Regulatory Research
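The comparison that the staff report and the memorandum make between WASH-1400 rates and B&W operating experience can be worked through numerically. The following is an added example, not part of the original letter or its attachments; the Poisson model and the treatment of each feedwater transient as exactly one relief valve demand are assumptions of the example.

```python
"""Added example: WASH-1400-style sequence frequency checked against experience.

All figures are the ones quoted in the staff report and memorandum above.
Assumptions added here (not stated on the page): stuck-open events are modelled
as a Poisson count, and each feedwater transient at a B&W plant is treated as
exactly one demand on the pressurizer relief valve.
"""
import math

FEEDWATER_TRANSIENTS_PER_YEAR = 3.0      # WASH-1400 best estimate
VALVE_FAILS_TO_CLOSE = 0.01              # per demand, WASH-1400 best estimate
VALVE_RANGE = (0.001, 0.10)              # WASH-1400 low and high values
BW_REACTOR_YEARS = 30.0                  # B&W experience up to the TMI-2 accident
OBSERVED_TRANSIENTS = 150                # feedwater transients actually counted
OBSERVED_STUCK_OPEN = 2                  # Davis-Besse and TMI-2
STAFF_FAILURES, STAFF_DEMANDS = 3, 150   # "three failures in about 150 demands"


def sequence_frequency(initiator_per_year, branch_probabilities):
    """Event-tree sequence frequency: initiator rate times each failed branch."""
    freq = float(initiator_per_year)
    for p in branch_probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"branch probability out of range: {p}")
        freq *= p
    return freq


def poisson_tail(k, mean):
    """P(N >= k) for a Poisson-distributed count with the given mean."""
    if k < 0 or mean < 0:
        raise ValueError("k and mean must be non-negative")
    below = sum(math.exp(-mean) * mean ** i / math.factorial(i) for i in range(k))
    return 1.0 - below


def compare_with_experience():
    """Quantify the stuck-open relief valve sequence and test it against the record."""
    per_year = sequence_frequency(FEEDWATER_TRANSIENTS_PER_YEAR,
                                  [VALVE_FAILS_TO_CLOSE])
    # Expected count if transients arrive at the predicted 3 per reactor year.
    expected_predicted = per_year * BW_REACTOR_YEARS
    # Expected count if the 150 transients actually seen are used as demands.
    expected_observed = OBSERVED_TRANSIENTS * VALVE_FAILS_TO_CLOSE
    # Staff point estimate of the failure-to-reclose rate from later data.
    point_estimate = STAFF_FAILURES / STAFF_DEMANDS
    low, high = VALVE_RANGE
    return {
        "sequence_per_reactor_year": per_year,
        "expected_from_predicted_rate": expected_predicted,
        "expected_from_observed_demands": expected_observed,
        "p_at_least_observed_predicted": poisson_tail(OBSERVED_STUCK_OPEN,
                                                      expected_predicted),
        "p_at_least_observed_demands": poisson_tail(OBSERVED_STUCK_OPEN,
                                                    expected_observed),
        "staff_point_estimate": point_estimate,
        "staff_estimate_within_wash1400_range": low <= point_estimate <= high,
    }


if __name__ == "__main__":
    for name, value in compare_with_experience().items():
        print(f"{name}: {value}")
```

Under these assumptions two stuck-open events in 30 reactor years is an unremarkable outcome for a per-demand failure probability of .01, which is the sense in which the page calls the data consistent with WASH-1400.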