NRC Generic Letter 88-20, Individual Plant Examination for Severe Accident Vulnerabilities
https://www.nrc.gov/reading-rm/doc-collections/gen-comm/gen-letters/1988/gl88020.html
S5 09/08/1995 -- S4 06/28/1991 -- S3 07/06/1990 -- S2 04/04/1990 -- S1 08/29/1989 -- -- 11/23/1988
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555
November 23, 1988
To All Licensees Holding Operating Licenses and Construction Permits for
Nuclear Power Reactor Facilities
SUBJECT: INDIVIDUAL PLANT EXAMINATION FOR SEVERE ACCIDENT
VULNERABILITIES - 10 CFR 50.54(f)
(Generic Letter No. 88-20)
1. SUMMARY
In the Commission policy statement on severe accidents in nuclear power
plants issued on August 8, 1985 (50 FR 32138), the Commission concluded,
based on available information, that existing plants pose no undue risk to
the public health and safety and that there is no present basis for
immediate action on generic rulemaking or other regulatory requirements for
these plants. However, the Commission recognizes, based on NRC and
industry experience with plant-specific probabilistic risk assessments
(PRAs), that systematic examinations are beneficial in identifying
plant-specific vulnerabilities to severe accidents that could be fixed with
low cost improvements. Therefore, each existing plant should perform a
systematic examination to identify any plant-specific vulnerabilities to
severe accidents and report the results to the Commission.
The general purpose of this examination, defined as an Individual Plant
Examination (IPE), is for each utility (1) to develop an appreciation of
severe accident behavior, (2) to understand the most likely severe accident
sequences that could occur at its plant, (3) to gain a more quantitative
understanding of the overall probabilities of core damage and fission
product releases, and (4) if necessary, to reduce the overall probabilities
of core damage and fission product releases by modifying, where
appropriate, hardware and procedures that would help prevent or mitigate
severe accidents. It is expected that the achievement of these goals will
help verify that at U.S. nuclear power plants severe core damage and large
radioactive release probabilities are consistent with the Commission's
Safety Goal Policy Statement. Besides the Individual Plant Examinations,
closure of severe accident concerns will involve future NRC and industry
efforts in the areas of accident management and generic containment
performance improvements. Additional discussion is provided in SECY-88-147
on the interrelationships among these three areas and the role they play in
closure of severe accident issues for operating plants. The portion of
that document relevant to closure is provided as Attachment 1. Attachment
2 contains a list of references of the IDCOR program technical reports and
also some related NRC and NRC contractor reports.
Therefore, consistent with the stated position of the Commission and
pursuant to 10 CFR 50.54(f), you are requested to perform an Individual
Plant Examination of your plant(s) for severe accident vulnerabilities and
submit the results to the NRC.
2. Examination Process
The quality and comprehensiveness of the results derived from an IPE will
depend on the vigor with which the utility applies the method of
examination and on the utility's commitment to the intent of the IPE.
Furthermore, the maximum benefit from the IPE would be realized if the
licensee's staff were involved in all aspects of the examination to the
degree that the knowledge gained from the examination becomes an integral
part of plant procedures and training programs. Therefore, we request each
licensee to use its staff to the maximum extent possible in conducting the
IPE by:
1. Having utility engineers, who are familiar with the details of
the design, controls, procedures, and system configurations,
involved in the analysis as well as in the technical review, and
2. Formally including an independent in-house review to ensure the
accuracy of the documentation packages and to validate both the
IPE process and its results.
The NRC expects the utility's staff participating in the IPE to:
(1) Examine and understand the plant emergency procedures, design,
operations, maintenance, and surveillance to identify potential severe
accident sequences for the plant; (2) understand the quantification of
the expected sequence frequencies; (3) determine the leading
contributors to core damage and unusually poor containment
performance, and determine and develop an understanding for their
underlying causes; (4) identify any proposed plant improvements for
the prevention and mitigation of severe accidents; (5) examine each of
the proposed improvements, including design changes as well as changes
in maintenance, operating and emergency procedures, surveillance,
staffing, and training programs; and (6) identify which proposed
improvements will be implemented and their schedule.
3. External Events (Treated Separately)
Licensees are requested to proceed with the examinations only for
internally initiated events (including internal flooding) at the present
time. Examination of externally initiated events (i.e., internal fires,
high winds/tornadoes, transportation accidents, external floods, and
earthquakes) will proceed separately and on a later schedule from that of
internal events (1) to permit the identification of which external hazards
need a systematic examination, (2) to permit development of simplified
examination procedures, and (3) to integrate other ongoing Commission
programs that deal with various aspects of external event evaluations, such
as the Seismic Design Margins Program (SDMP), with the IPE(s) to ensure
that there is no duplication of industry efforts. Utilities would be
expected to examine and identify any plant-specific vulnerabilities to
severe accidents due to externally initiated events. Therefore, while
performing your IPE for internally initiated events, you should document
and retain plant-specific data relevant to external events (e.g., data from
plant walkdowns) such that they can be readily retrieved in a convenient
form when needed for later external event analyses that may be required.
If a licensee chooses to submit an external event examination at this time,
the staff would review it on a case-by-case basis.
While current staff efforts are focused on identifying acceptable methods
for examining external events, the staff encourages the industry to propose
a methodology for examining external events that meets the intent of the
severe accident policy; namely, that it is capable of identifying
vulnerabilities to external hazards. We will work with NUMARC in
developing acceptable methodologies for external hazard examinations.
4. Methods of Examination
The NRC has identified three approaches that satisfy the examination
requested by this letter. The methods are:
1. A PRA, provided it is at least a Level I* and uses current methods and
information, plus a containment performance analysis that follows the
general guidance given in Appendix 1 to this generic letter. The
staff will consider those PRAs that follow the PRA procedures
described in NUREG/CR-2300, NUREG/CR-2815, or NUREG/CR-4550 to be
adequate for performing the IPE, provided the assessment considers the
most current severe accident phenomenological issues (as discussed in
Appendix 1) and the licensee certifies that the PRA is based on the
most current design.
2. The IDCOR system analysis method (front-end only), provided the
enhancements identified in the NRC staff evaluation of the IDCOR
method (to be issued shortly) are applied. Guidance for the back-end
analysis is provided in Appendix 1 and additional guidance will be
issued as described in Section 11 of this generic letter.
3. Other systematic examination methods, provided the method is described
in the licensee response and is accepted by the NRC staff. For those
methods with which the staff is not familiar, a staff review might be
necessary to ensure that the methods are generally acceptable.
For the phase of the evaluation associated with core melting, release of
molten core to the containment, and containment performance, the staff
recognizes that for a few of the phenomena, notably associated with areas
that affect containment performance, there is a wide range of views about
their relative probability as well as their consequences. For these
issues, additional research and evaluation will be needed to help reduce
the wide range of uncertainties. Because of the concern over the ability
of containments to perform well during some severe accidents, the staff is
conducting a Containment Performance Improvements Program. This program
complements the IPE program and is intended to focus on resolving generic
containment challenges. Licensees are expected to correct vulnerabilities
that may be identified by their IPE results but, because of the generic
Containment Performance Improvements Program that complements the IPE, the
staff does not require industry to make any major modifications to their
containments or other systems that can affect containment performance until
the information associated with the containment performance generic issues
has been developed by the staff. Hence, industry will not be placed in a
position of having to implement improvements before all containment
performance decisions have been made.
____________________
*The PRA levels are defined as follows: Level I -
determination of core-damage frequencies based on system and human-factor
evaluations; Level II - determination of the physical and chemical phenomena
that affect the performance of the containment and other mitigating
features and the behavior and release of the fission products to the
environment; and Level III - determination of the offsite transport,
deposition, and health effects of fission product releases.
Appendix 1 provides the utility with guidance to proceed with the
evaluation of containment performance to identify plant-specific factors
important to containment performance. Following the Appendix 1 guidance
will also enable utilities to understand and develop strategies to minimize
the challenges and the consequences such severe accident phenomena may pose
to the containment integrity and to recognize the role of mitigation
systems while awaiting their generic resolution.
5. Resolution of Unresolved Safety/Generic Safety Issues (Relationship to
USI A-45)
Because the resolution of several USI(s) and GSI(s) may require an
examination of the individual plant, it is reasonable to use the current
IPE process for that examination. For example, Unresolved Safety Issue
(USI) A-45 entitled "Shutdown Decay Heat Removal Requirements" had as its
objective the determination of whether the decay heat removal function at
operating plants is adequate and if cost-beneficial improvements could be
identified. We concluded that a generic resolution to the issue (e.g., a
dedicated decay heat removal system for all plants) is not cost effective
and that resolution could only be achieved on a plant-specific basis. To
implement a plant-specific resolution would require each plant to do an
examination of its decay heat removal system to identify vulnerabilities.
In the IPE, each plant will do an examination of both its decay heat
removal system and those systems used for the other safety functions for
the purpose of identifying severe accident vulnerabilities. Therefore, we
have concluded that the most efficient way to resolve A-45 is to subsume it
in the IPE.
You should ensure that your IPE particularly identifies decay heat removal
vulnerabilities. To achieve this assurance we have extracted insights
gained from the six case studies performed for the USI A-45 program. These
insights are discussed in Appendix 5 to this letter and should be
considered as you conduct your IPE. In addition, if a utility (1)
discovers a notable vulnerability during its IPE that is topically
associated with any other USI or GSI and proposes measures to dispose of
the specific safety issue or (2) concludes that no vulnerability exists at
its plant that is topically associated with any USI or GSI, the staff will
consider the USI or GSI resolved for a plant upon review and acceptance of
the results of the IPE. Your IPE submittal should specifically identify
which USIs or GSIs it is resolving.
6. PRA Benefits
The NRC recognizes that many licensees now possess plant-specific PRAs or
similar analyses. Use of existing PRA analyses is encouraged in achieving
the objectives of the IPE. In some cases, the licensee may have to confirm
that the existing PRA analyses reflect the current state of the art
regarding severe accidents.
In addition to being an acceptable method for conducting an IPE, there are
a number of potential benefits in performing PRAs on those plants without
one. Some examples of potential additional benefits are as follows:
Support for Licensing Actions - PRAs have been used to support
arguments to justify technical specification changes, both routine and
emergency. PRAs would also be useful in supporting other regulatory
actions (e.g., design modifications).
License Renewals - PRAs could be a basis for utilities to establish a
program to ensure that risk-significant components and systems are
identified and maintained at an acceptable level of reliability during
the license renewal period.
Risk Management - A PRA could be used to develop a risk management
program that systematically uses the available information about risk
at a nuclear power plant and identifies alternative combinations of
design and operational modifications, ranks these alternatives
according to the relative benefits of each, and selects an optimum
from the alternatives.
Integrated Safety Assessment - The staff believes that by performing a
PRA a licensee would have the benefit of having developed the
technical basis for an integrated assessment. An integrated safety
assessment would (1) provide integrated schedules for licensing,
regulatory, and safety issues on a predictable basis, (2) evaluate
licensing and generic issues on a plant-specific basis such that they
are weighted against all other pending actions, (3) provide a licensee
with the opportunity to demonstrate with its PRA that various issues
that might be applied to other plants are not justified at that
facility, (4) help improve outage planning, and (5) rank issue
importance such that the most important are dealt with first. This
prioritization of actions benefits the licensees and the NRC by
providing a rational schedule for implementation of actions and
provides a basis for the possible elimination of actions determined to
have low safety significance for the individual plant.
7. Severe Accident Sequence Selection
In performing an IPE, it is necessary to screen the severe accident
sequences for the potentially important ones and for reporting to the NRC.
The screening criteria to determine the potentially important functional
sequences* that lead to core damage or unusually poor containment
performance and should be reported to the NRC with your IPE results are
listed in Appendix 2. Appendix 4 describes
the documentation needed for the accident sequence selection and the
intended disposition of these sequences.
____________________
* "Sequence" is used here to mean a set of faults, usually chronological,
that result in the plant consequence of interest, i.e., either a damaged
core or unusually poor containment performance. A functional sequence is a
set of faulted functions that summarizes by function a set of systems
faults which would result in the consequence of interest. Functional
sequences are to be contrasted with systemic sequences. A systemic
sequence is a set of faulted systems that summarizes by systems a set of
component failures resulting in a damaged core or unusually poor
containment performance.
It is expected that during the course of the examination, the utility would
carefully examine the results to determine if there are worthwhile
prevention or mitigation measures that could be taken to reduce the core
damage frequency or poor containment performance with the attendant
radioactive release. The determination of potential benefits is plant
specific and will depend on the frequency and consequence of the accident
sequence leading to core damage and containment failure.
8. Use of IPE Results
a. Licensee
After each licensee conducts a systematic search for severe accident
vulnerabilities in its plant(s) and determines whether potential
improvements, both design and procedural, warrant implementation, it is
expected that the licensee will move expeditiously to correct any
identified vulnerabilities that it determines warrant correction.
Information on changes initiated by the licensee should be provided
consistent with the requirements of 10 CFR 50.59 and 10 CFR 50.90. Changes
should also be reported in your IPE submittal (by reference to previous
submittals under 10 CFR 50.59 or 10 CFR 50.90) that responds to this letter
(see Appendix 4).
b. NRC
The NRC will evaluate licensee IPE submittals to obtain reasonable
assurance that the licensee has adequately analyzed the plant design and
operations to discover instances of particular vulnerability to core melt
or unusually poor containment performance given a core melt accident.
Further, the NRC will assess whether the conclusions the licensee draws
from the IPE regarding changes to the plant systems, components, or
accident management procedures are adequate. The consideration will
include both quantitative measures and nonquantitative judgment. The NRC
consideration may lead to one of the following assessments:
1. If NRC consideration of all pertinent and relevant factors indicates
that the plant design or operation must be changed to meet NRC
regulations, then appropriate functional enhancements will be required
and expected to be implemented without regard to cost except as
appropriate to select among alternatives.
2. If NRC consideration indicates that plant design or operation could be
enhanced by substantial additional protection beyond NRC regulations,
then appropriate functional enhancements will be recommended and
supported with analysis demonstrating that the benefit of such
enhancement is substantial and worth the cost to implement and
maintain that enhancement, in accordance with 10 CFR 50.109.
3. If NRC consideration indicates that the plant design and operation
meet NRC regulations, and that further safety improvements are not
substantial or not cost effective, enhancements would not be suggested
unless significant new safety information becomes available.
9. Accident Management
An important aspect of severe accident prevention and mitigation is the
total organizational involvement. Operations personnel have key roles in
the early recognition of conditions or events that might lead to core
damage. The availability of procedures specifying corrective actions and
the training of operators and emergency teams can have a major influence on
the course of events in case of a severe accident.
Because the conclusions you will draw from the IPE for severe accident
vulnerabilities (1) depend on the credit taken for survivability of
equipment in a severe accident environment, and (2) will either depend on
operators taking beneficial actions during or prior to the onset of severe
core damage or depend on the operators not taking specific actions that
would have adverse effects, the results of your IPE will be an essential
ingredient in developing a severe accident management program for your
plant.
At this time you are not required to develop an accident management plan as
an integrated part of your IPE. We are currently developing more specific
guidance on this matter and are working closely with NUMARC to (1) define
the scope and content of acceptable accident management programs, and (2)
identify a plan of action that will ultimately result in incorporating any
plant-specific actions deemed necessary, as a result of your IPE, into an
overall severe accident management program. Nevertheless, in the course of
conducting your IPE you may identify operator or other plant personnel
actions that can substantially reduce the risk from severe accidents at
your plant and that you believe should be immediately implemented in the
form of emergency operating procedures or similar formal guidance. We
encourage each licensee to not defer implementing such actions until a more
structured and comprehensive accident management program is developed on a
longer schedule, but rather to implement such actions immediately within
the constraints of 10 CFR 50.59.
10. Documentation of Examination Results
The IPE should be documented in a traceable manner to provide the basis for
the findings. This can be dealt with most efficiently by a two-tier
approach. The first tier consists of the results of the examination, which
will be reported to the NRC for review. The second tier is the
documentation of the examination itself, which should be retained by the
licensee for the duration of the license unless superseded. Appendix 4
contains the minimum information necessary for reporting and documentation.
11. Licensee Response
A document that provides additional licensee guidance for the performance
of the IPE (both core damage and containment system performance) and
describes the review and evaluation process that the NRC staff will use for
assessing the submittals will be issued in draft form within the next few
months.
Following the issuance of the draft document, workshops with utility
representatives will be scheduled to discuss the IPE objectives and to
answer questions that utilities might have on both the IPE generic letter
and the guidance document.
Following the completion of the workshops, the NRC, as appropriate, will
revise its guidance contained in the guidance documents to take into
consideration comments received and will reissue them. Within 60 days of
receipt of the final guidance documents, licensees are requested to submit
their proposed programs for completing the IPEs. The proposal should:
1. Identify the method and approach selected for performing the IPE,
2. Describe the method to be used, if it has not been previously
submitted for staff review (the description may be by reference), and
3. Identify the milestones and schedules for performing the IPE and
submitting the results to the NRC.
Meetings at NRC Headquarters during the examinations will be scheduled as
needed to discuss subjects raised by licensees and to provide necessary
clarifications.
Licensees are expected to submit the IPE results within 3 years. The
Commission encourages those plants that have not yet undergone any
systematic examination for severe accidents to promptly initiate the
examination.
Those utilities that choose to use an existing PRA or similar analysis on
their plant should (1) certify that the PRA meets the intent of the generic
letter, in particular with respect to utility staff involvement, (2)
certify that it reflects the current plant design and operation, and (3)
submit the results as soon as the analysis is completed but on a shorter
schedule than 3 years. Utilities with plants that used the initial IDCOR
system analysis in the IDCOR test applications are encouraged to submit
their results on a shorter schedule than 3 years. This will ensure review
and resolution of any items while the utility's examination team is easily
accessible. In this regard, the staff also encourages licensees whose
plants have been extensively analyzed under the NUREG-1150 program to
submit their IPEs on an expedited basis. This will enable the staff to
exercise its review and decision process for determining acceptability of
the IPE, the adequacy of the licensee identification of plant-specific
vulnerabilities, and the associated modifications using insights and
experience from NUREG-1150. Finally, those licensees planning to perform a
new Level II or Level III PRA may need more time. The NRC staff will
consider requests for additional time for such an examination.
12. Regulatory Basis
This letter is issued pursuant to 10 CFR 50.54(f); a copy of the 10 CFR
50.54(f) evaluation which justifies issuance of this letter is in the
Public Document Room. Accordingly, all responses should be under oath or
affirmation. This request for information is covered by the Office of
Management and Budget under
Clearance No. 3150-0011, which expires December 31, 1989. The estimated
average burden hours is 8100 person-hours per licensee response, over a
3-year period including assessment of the new requirements, searching data
sources, gathering and analyzing the data, and preparing the required
reports. Comments on burden and duplication may be directed to the Office
of Management and Budget, Reports Management, Room 3208, New Executive
Office Building, Washington, DC 20503.
Sincerely,
Dennis Crutchfield, Acting Associate
Director for Projects
Office of Nuclear Reactor Regulation
Enclosures:
Appendices 1 through 5
w/ attachments 1 and 2
APPENDIX 1
GUIDANCE ON THE EXAMINATION OF CONTAINMENT SYSTEM PERFORMANCE
(BACK-END ANALYSIS)
1. Background
The role of the containment as a vital barrier to the release of fission
products to the environment has been widely recognized. The public safety
record of nuclear power plants has been fostered by applying the
"defense-in-depth" principle, which relies on a set of independent barriers
to fission product release. The containment and its supporting systems are
one of these barriers. Containment design criteria are based on a set of
deterministically derived challenges. Pressure and temperature challenges
are usually based on the design basis loss-of-coolant accident;
radionuclide challenges are based on the source term of 10 CFR Part 100.
Also, criteria based on external events such as earthquakes, floods, and
tornadoes are considered. The margins of safety provided by such practices
have been the subject of considerable research and evaluation, and these
studies have shown the ability of many containment systems to survive
pressure challenges of two to three times design levels. Because of these
margins, the various containment types presently used in the United States
have the capability to withstand, to varying degrees, many of the
challenges presented by severe accidents. For each type of containment,
however, there remain failure mechanisms that could lead to either early or
late containment failure, depending on both the accident scenarios involved
and the containment types.
This appendix discusses the key phenomena and/or processes that can take
place during the evolution of a severe accident and that can have an
important effect on the containment behavior. In addition, general
guidance on the evaluation of containment system performance given the
present state of the art of analysis of these phenomena is provided. The
evaluation should be a pragmatic exploitation of the present containment
capability. It should give an understanding and appreciation of severe
accident behavior, should recognize the role of mitigating systems, and
should ultimately result in the development of accident management
procedures that could both prevent and ameliorate the consequences of some
of the more probable severe accident sequences involved. The users of this
appendix are referred to Chapter 7 of Volume 1 of NUREG/CR-2300, "PRA
Procedures Guide," for a more detailed description of procedures and
guidance on containment performance analysis. The additional information
provided here summarizes some more recent developments in core melt
phenomenology relevant to containment performance, identifies areas of
uncertainty, and suggests ways of proceeding with the evaluation of
containment performance despite uncertainties, and potential ways of
improving containment performance for severe accident challenges. In this
regard, the Severe Accident Prevention and Mitigation Features report
(NUREG/CR-4920) summarizes insights gained from industry sponsored PRAs,
NUREG-1150, and IDCOR reference plant analyses. The report identifies
plant features and operator actions that have been found to be important to
either the prevention or the mitigation of severe accidents for a specific
plant containment type. The report indicates what may be important to risk
and suggests potential improvements in various areas of plant design and
operation. These insights and suggestions may be helpful when conducting
the IPE and when making decisions on plant improvements.
The systems analysis portion of the IPE identifies accident sequences that
occur as a result of an initiating event followed by failure of various
systems or failure of plant personnel to respond correctly to the accident.
Although the number of possible core melt accident sequences is very large,
the number of containment system performance analyses does not have to be
as large. The number of sequences can be reduced by grouping those
accident sequences that have a similar effect on the plant features that
determine the release and transport of fission products.
A containment event tree (CET) could provide a structured way for the
systematic analysis of containment phenomena provided:
1. The CET is quantified, i.e., branch point split fractions are
propagated for each sequence based on the most recent data base
regarding important severe accident phenomena including considerations
of uncertainties (e.g., letters from T. Speis, NRC, to A. Buhl, ITC,
"Position Papers for the NRC/IDCOR Technical Issues," dated September
22, 1986; November 26, 1986; and March 11, 1987).
2. The system analysis is integrated with the containment analysis so
that initiating events and system failures (resulting in core damage)
that also impair containment systems are not overlooked.
3. The duration and sequencing of the interacting events are specified,
e.g., the times at which core damage and containment failure occur,
the time of inventory depletion (in particular, as related to recovery
from an accident), the success or failure of equipment or operator
responses, and the failure or degradation of support systems that were
originally available at the onset of the accident.
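An added illustration of the quantification described in item 1 above and of the sequence grouping described in the preceding paragraph (this example is not part of the generic letter or of any NRC procedure): accident sequences are grouped into bins, and each bin's frequency is propagated through the CET branch-point split fractions to end-state frequencies. Every sequence name, bin, node, split fraction, frequency, and end-state label below is constructed for illustration.

```python
import math
from collections import defaultdict
from itertools import product

# Constructed front-end results: (sequence, frequency per reactor-year, bin).
# Sequences with a similar effect on containment are grouped into one bin.
SEQUENCES = [
    ("SEQ-A", 4.0e-6, "transient"),
    ("SEQ-B", 1.0e-6, "transient"),
    ("SEQ-C", 2.0e-6, "loca"),
    ("SEQ-D", 5.0e-7, "bypass"),
]

# Constructed CET: for each bin, an ordered list of nodes, each mapping
# branch outcome -> split fraction. The first node is containment status.
CET = {
    "transient": [
        ("containment_status", {"isolated": 0.99, "not_isolated": 0.01}),
        ("heat_removal", {"works": 0.90, "fails": 0.10}),
    ],
    "loca": [
        ("containment_status", {"isolated": 0.995, "not_isolated": 0.005}),
        ("heat_removal", {"works": 0.80, "fails": 0.20}),
    ],
    "bypass": [
        ("containment_status", {"bypassed": 1.0}),
    ],
}


def group_sequences(sequences):
    """Sum sequence frequencies per bin."""
    bins = defaultdict(float)
    for _name, freq, bin_name in sequences:
        bins[bin_name] += freq
    return dict(bins)


def validate_split_fractions(cet):
    """Every node's branches must be probabilities that sum to 1."""
    for bin_name, nodes in cet.items():
        for node, branches in nodes:
            if any(p < 0.0 or p > 1.0 for p in branches.values()):
                raise ValueError(f"{bin_name}/{node}: fraction outside [0, 1]")
            if not math.isclose(sum(branches.values()), 1.0, abs_tol=1e-9):
                raise ValueError(f"{bin_name}/{node}: fractions do not sum to 1")


def end_state(path):
    """Map one CET path to an end-state label (labels are hypothetical)."""
    status = path["containment_status"]
    if status == "bypassed":
        return "bypass"
    if status == "not_isolated":
        return "isolation_failure"
    return "intact" if path["heat_removal"] == "works" else "pressurization"


def quantify(sequences, cet):
    """Propagate bin frequencies through the CET; return end-state frequencies."""
    validate_split_fractions(cet)
    results = defaultdict(float)
    for bin_name, freq in group_sequences(sequences).items():
        if bin_name not in cet:
            raise ValueError(f"no CET defined for bin {bin_name!r}")
        nodes = cet[bin_name]
        names = [name for name, _ in nodes]
        # Enumerate every path: one branch chosen at each node.
        for combo in product(*(branches.items() for _, branches in nodes)):
            path = {n: outcome for n, (outcome, _) in zip(names, combo)}
            prob = math.prod(p for _, p in combo)
            results[end_state(path)] += freq * prob
    return dict(results)


if __name__ == "__main__":
    out = quantify(SEQUENCES, CET)
    for state, freq in sorted(out.items(), key=lambda kv: -kv[1]):
        print(f"{state:18s} {freq:.3e} per reactor-year")
    # Frequency is conserved: end states sum to the front-end total.
    print("total", f"{sum(out.values()):.3e}")
```

Because every node's split fractions sum to one, the end-state frequencies add up to the total front-end frequency, which gives a quick check that no sequence was dropped between the system analysis and the containment analysis.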
2. Status of Containment Systems Prior to Vessel Failure
The role of interfaces between the system analysis (front-end) and the
containment performance analysis (back-end) is particularly important from
two perspectives. First, the likelihood of core damage can be influenced
by the status of particular containment systems. Second, containment
performance can be influenced by the status of core cooling systems. Thus,
because the influences can flow in both directions between the system
analysis (front-end) and the containment performance analysis (back-end),
particular attention must be given to these interfaces.
To ensure consistency within entire sequences, the analysis should include
a cross-checking sheet of the following by sequence: (1) the sequence
frequency, (2) whether the containment is bypassed, (3) whether the
containment is isolated, (4) the containment system and reactor system
availability, and (5) the approximate source term. This cross-checking
sheet would be reviewed by both the systems analyst and the source term
analyst to provide added assurance that the status of key systems is
treated consistently in the front-end and back-end analyses. Other options
to ensure adequate interfaces can be used instead of the cross-checking
list identified above.
In order to examine the containment performance, the status of the
containment systems and related equipment prior to core melt should be
determined. The first CET nodal decision point is to determine the
likelihood of whether the
containment is isolated, bypassed, intact, or failed (i.e., a branch point
split fraction). This requires analyses of (1) the pathways that could
significantly contribute to containment-isolation failure, (2) the signals
required to automatically isolate the penetration, (3) the potential for
generating the signals for all initiating events, (4) the examination of
the testing and maintenance procedures, and (5) the quantification of each
containment-isolation failure mode (including common mode failures).
In the early phase of an accident, steam and combustible gases are the main
contributors to containment pressurization. The objective of the
containment decay heat removal systems such as sprays, fan coolers, and the
suppression systems is to control the evolution of accidents that would
otherwise lead to containment failure and the release of fission products
to the environs. The effectiveness of the several containment decay heat
removal systems for accomplishing the intended mitigating function should
be examined to determine the probability of successful performance under
accident conditions. This includes potential intersystem dependencies as
well as the identification of all the specific functions being performed
and the determination of the mission time considering potential failure due
to inventory depletion (coolant, control air, and control power) or
environmental conditions. If, as a result of the accident sequence, the
front-line containment decay heat removal systems fail to function, if
their effectiveness is degraded, or if the operator fails to respond in a
timely manner to the accident symptoms, the containment pressure would
continue to increase. In this case, some systems that were not intended to
perform a safety function might be called upon to perform that role during
an accident. If the use of such systems is considered during the
examination, their effectiveness and probability of success for fulfilling
the needed safety function should also be examined. Part of the
examination should be to determine if adequate procedures exist to ensure
the effective implementation of the appropriate operator actions.
3. Phenomena After Vessel Failure
If adequate heat removal capability does not exist in a particular accident
sequence, the core will degrade and the containment could potentially
overpressurize and eventually fail. Efforts to stabilize the core before
reactor vessel failure or to extend the time available for vessel reflood
should be investigated. For certain accident groups that proceed past
vessel failure, the containment pressurization rate could exceed the
capability of the mitigating systems to reject the energy associated with
the severe accident phenomena encountered with vessel failure. For each
such accident sequence, the molten core debris will relocate, melting
through and mixing with materials in its path. Depending on the particular
containment geometry and the accident sequence groups, a variety of
important phenomena influence the challenges to containment integrity.
The guidance provided below deals with this subject at three levels. The
first provides some rather general considerations regarding the nature of
these phenomena as they impact containment (Section 3.1). The second level
considers the manifestation of these phenomena in more detail within the
generic high and low pressure scenarios (Sections 3.1.1 and 3.1.2).
Finally, the third level provides some specific guidance particularly
regarding the treatment of certain important areas of uncertainty (Section
4).
3.1 General Description of the Phenomena Associated with Severe Accident
Considerations
The contact of molten corium with water, referred to as fuel-coolant
interaction, can occur both in-vessel and ex-vessel. If the interaction is
energetic inside the reactor vessel, it may generate missiles and a rapid
pressurization (steam explosion) of the primary system. Early containment
failure associated with in-vessel steam explosions is generally considered
to be of low enough likelihood to not warrant additional consideration
(NUREG-1116). However, smaller, less energetic in-vessel steam explosions
are not unlikely and their influence on fission product release and
hydrogen generation is still under investigation. If the fuel-coolant
interaction occurs ex-vessel, as might happen if molten fuel fell into a
water-filled cavity upon vessel meltthrough, it may disperse the corium and
lead to rapid pressurization (steam spike) of the containment. In any
case, at one extreme, abundant presence of water would favor quenching of
the corium mass and the continued dissipation of the decay heat by steaming
would lead to containment pressurization. Clearly in the absence of
external cooling, the containment will eventually overpressurize and fail,
although the presence of extensive, passive heat sinks (structures)
within the containment volume would delay the occurrence of such an event.
Fuel-coolant interactions can also yield a chemical reaction between steam
and the metallic component of the melt, producing hydrogen and the
consequent potential for burns and/or explosions.
At the other extreme, when water is not available, the principal
interaction of the molten corium is with the concrete floor of the
containment. This interaction produces three challenges to containment
integrity. First, the concrete decomposition gives off noncondensible
gases (CO2, CO) (of certain composition) that contribute to pressurizing
the containment atmosphere. Second, concrete of certain compositions
decomposes and releases CO2 and steam, which can interact with the metallic
components in the melt to yield highly flammable CO and H2, with potential
consequences ranging from benign burns at relatively low hydrogen
concentrations to rapid deflagrations at high hydrogen concentrations.
Third, continued penetration of the floor can directly breach the
containment boundary. Also, thermal attack by the molten corium of
retaining sidewalls could produce structural failure within the containment
causing damage to vital systems and perhaps to failure of containment
boundary.
Another type of fuel interaction is with the containment atmosphere.
Scenarios can be postulated (e.g., station blackout) in which the reactor
vessel and primary system remain at high pressure as the core is melting
and relocating to the bottom of the vessel. Continued attack of the molten
corium on the vessel lower head could eventually cause the lower head to
fail. Because of a potentially high (approximately 2500 psi) driving
pressure, the molten corium could be energetically ejected from the vessel.
Uncertainties remain related to the effect of the following on direct
containment heating: (1) vessel failure area, (2) the amount of molten
corium in the lower head at the time of failure, (3) the degree to which it
fragments upon ejection, (4) the degree and extent to which a path from the
lower cavity to the upper containment atmosphere is obstructed, (5) the
fragmented molten corium that could enter and interact with the upper
containment atmosphere, and (6) cavity gas temperature. Since the
containment atmosphere has small heat capacity, the energy in the
fragmented corium could rapidly transfer to the containment atmosphere,
causing a
rapid pressurization. The severity of such an event could be further
exacerbated by any hydrogen that may be simultaneously dispersed and direct
oxidation (exothermic) of any metallic components. Depending upon this and
the other factors previously mentioned, this pressurization could challenge
containment integrity early in the event.
The BWR Mark I and Mark II containments are normally inerted. Therefore,
non-condensible gases such as hydrogen and oxygen released following a
severe accident would pressurize the containment, but would not burn or
rapidly deflagrate. If the containment is deinerted, additional
pressurization events or dynamic loads obtained from global hydrogen burn
or detonations must be considered. Local burns are also potentially
important as they may degrade the seals around the various penetrations or
produce a thermal environment that challenges the operability of important
equipment.
Even with the above limited perspective, it should be clear that given a
core melt accident, a great deal of the phenomenological progression hinges
upon water availability and the outcome of the fuel-coolant interactions;
specifically whether a full quench has been achieved and whether the
resulting particulates will remain coolable. In general, the presence of
fine particulates to any significant degree would imply the occurrence of
energetic steam explosions and hence the presence of significant forces
that would be expected to disperse the particulates to coolable
configurations outside the reactor cavity. Otherwise, the coolability of
deep corium beds of coarse particulates is the major concern. A summary of
how these mechanisms interface and interact as they integrate into an
accident sequence is given below.
3.1.1 Accident Sequences - High-Pressure Scenario
The core melt sequence at high primary system pressure is often due to a
station blackout sequence. The high-pressure scenario also represents one
of the most significant contributors to risk. The initial stages of core
degradation involve coolant boiloff and core heatup in a steam environment.
At such high pressures, the volumetric heat capacity of steam is a
significant fraction of that of water (about one-third), and one should
expect significant core (decay) energy redistribution due to natural
circulation loops set up between the core and the remaining cooler
components of the primary system. Consensus appears to be developing that
as a result of this energy redistribution, the primary system pressure
boundary could fail prior to the occurrence of large-scale core melt. The
location and the size of failure, however, remain uncertain. For example,
concerns have been raised about the possibility of steam generator tube
failures and associated containment bypass. If the vessel lower head
fails, violent melt ejection could produce large-scale dispersal and the
direct containment heating phenomenon mentioned previously. A significant
amount of research in the past has not yet produced definitive results on
this issue.
Concerns may also be raised about the potentially energetic role of
hydrogen within the blowdown process. The presence of hydrogen arises from
two complementary mechanisms: (1) the metal-water reaction occurring at an
accelerated pace throughout the in-vessel core heatup/meltdown/slump
portion of the transient, and (2) the reaction between any remaining
metallic components in the melt and the high-speed steam flow that partly
overlaps and follows the melt ejection from the reactor vessel. The
combined result is the release of rather large quantities of hydrogen into
the containment volume within a short time
period (a few tens of seconds). The implication is that the consideration
of containment atmosphere compositions and associated burning, explosion,
or detonation potential becomes complicated by a whole range of highly
transient regimes and large spatial gradients.
A recent independent review of uncertainties in estimates of source terms
from severe accidents by an NRC-sponsored panel of experts (NUREG/CR-4883)
provided an additional perspective on these issues and made recommendations
for their resolution. In particular, "if direct containment heating or
containment bypass through steam generator tube failure contribute
importantly to risk, this may indicate a need for a hardware modification
or a procedural measure to ensure depressurization before primary system
failure. An early study of relative merits of the possibilities available
would be valuable." The staff is in favor of adopting the panel
recommendation and has initiated a research program to study the effect of
depressurization on the core melt progression and the potential benefit in
preventing direct containment heating.
3.1.2 Accident Sequence - Low-Pressure Scenario
At low system pressure, decay heat redistribution due to natural
circulation flow (in steam) is negligible and core degradation occurs at
nearly adiabatic conditions. Steam boiloff, together with any hydrogen
generation, is continuously released to the containment atmosphere, where
mixing is driven by natural convection currents coupled with condensation
processes. The upper internals of the reactor vessel remain relatively
cold, offering the possibility of trapping fission product vapor and
aerosols before they are released to the containment atmosphere.
Throughout this core heatup and meltdown process, the potential to
significantly load the containment is small. The first possibility for
significant energetic loads on the containment occurs when the molten core
debris penetrates the lower core support structure and slumps into the
lower plenum. The outcome of this interaction cannot be predicted
precisely. Thus, a whole range of behavior must be considered in order to
cover subsequent events. At the one extreme the interaction is benign,
yielding no more than some steam (and hydrogen) production while the melt
quickly reagglomerates on the lower reactor vessel head. At the other
extreme an energetic steam explosion occurs. It may be possible to
distinguish intermediate outcomes by the degree to which the vessel
integrity is degraded. In analyzing this phase of the accident scenario,
the important tasks are to determine the likelihood of containment failure
and to define an envelope of corium relocation paths into the containment.
The latter is needed to ensure the assessment of the potential for such a
phenomenon as liner meltthrough.
Consideration should also be given to ex-vessel coolability as the corium
can potentially interact with the concrete. The non-energetic release
(vessel lower head meltthrough) and spreading upon the accessible portions
of the containment floor below the vessel needs to be examined. There is a
great deal of variability in accessible floor area among the various
designs. For some PWR cavity designs, the area over which the core debris
could spread is rather small given whole-core melts and the resultant pool
being in excess of 50 cm deep. In the absence of water, all these
configurations would yield concrete attack and decomposition of variable
intensity. In the presence of water (i.e., containment sprays), even deep
pools may be considered quenchable and coolable. However, the possibility
exists for insulating crusts or vapor barriers at the corium-water
interface.
Both of these two extremes should be considered. The task is to estimate
the range of containment internal pressures, temperatures, and gas
compositions as well as the extent of concrete floor penetration and
structural attack until the situation has been stabilized. In general,
pressurization from continuing core-concrete interactions (dry case) would
be considerably slower than from coolable debris configurations (wet case)
because of the absence of steam pressurization. As a final and crucial part
of this scenario, one must address the combustible gas effect. This must
include evaluation of the quantities and composition of combustible gases
released to the containment, local inerting and deinerting by steam and
CO2, as well as hydrogen mixing and transport. Also included should be
consideration of gaseous pathways between the cavity and upper containment
volume to confirm the adequacy of communication to support natural
circulation, and recombination of combustible gases in the reactor cavity.
4. General Guidance on Containment Performance
In the approach outlined in this appendix, emphasis is placed on those
areas that would ensure that the IPE process considers the full range of
severe accidents. The IPE process should be directed toward developing a
plant-specific accident management scheme to deal with the probable causes
of poor containment performance at each plant. To achieve these goals, it
is of vital importance to understand how reliable each of the CET estimates
is, and what the driving factors are. Decisions on potential improvements
should be made only after appropriately considering the sources of
uncertainties. Of course, preventing failure altogether is predicated upon
recovering some containment heat removal capability. Given that in either
case pressurization develops on the time scale of many hours, feasible
recovery actions could be planned as part of accident management.
It is the staff's view that the bulk of phenomenological uncertainties
affecting containment response is associated with the high-pressure
scenarios. Unless the licensee can demonstrate that the primary system can
be reliably depressurized, a low probability of early containment failure
should not be automatically assumed. Similarly, for BWRs it should not be
assumed that the availability of the automatic depressurization system
(ADS) in an event will ensure that reactor vessel failure will always occur
at low pressure, since the operability of the ADS, in some plants, depends
on maintaining a requisite differential pressure between containment and
Low-pressure sequences, by comparison, present few remaining areas of
controversy. For BWRs, phenomenological uncertainties are associated with
the behavior of combustibles and the spreading of the corium on the drywell
floor. For PWRs, these areas include the coolability behavior of deep
molten corium pools and the behavior of hydrogen (and other combustibles)
in the containment atmosphere. The staff's views and guidance concerning
each one of these areas are briefly summarized below.
The concerns about deep corium pools arose from experiments with
top-flooded melts that exhibited crust formation and long-term isolation of
the melt from the water coolant. Such noncoolable configurations would
yield continuing concrete attack and a containment loading behavior
significantly different from coolable ones. On the other hand, it has been
pointed out that small-scale
experiments would unrealistically not favor coolability. The staff views
this as an area of uncertainty and recommends that assessments be based on
available cavity (spread) area and an assumed maximum coolable depth of 25
cm. For depths in excess of 25 cm, both the coolable and noncoolable
outcomes should be considered. Along these lines the IPE should document
the geometric details of cavity configuration and flow paths out of the
cavity, including any water drain areas into it as appropriate.
With respect to hydrogen, the staff concerns are related to completeness of
the current understanding of hydrogen mixing and transport. In general,
combustibles accumulate very slowly and only if continuing concrete attack
is postulated. For the larger dry containments, because of the large
containment volume and slow release rates, compositions in the detonable
range may not develop unless significant spatial concentrations exist or
significant steam condensation occurs. In general, the containment
atmosphere under such conditions would exhibit strong natural circulation
currents that would tend to counteract any tendency to stratify. However,
condensation-driven circulation patterns and other potential stratification
mechanisms could limit the extent of the containment volume participating
in the mixing process. For those plants with igniters (ice-condenser and
Mark III plants), the buildup of combustibles from continuing
corium-concrete interactions could be limited by local ignition and
burning. However, oxygen availability as determined from natural
circulation flows could limit the effectiveness of this mechanism.
Finally, in all cases inerting/deinerting thresholds and ignition aspects
need additional attention. The staff recommends that, as part of the IPE,
all geometric details impacting the above phenomena (i.e., heat sink
distribution, circulation paths, ignition sources, water availability, and
gravity drain paths) should be documented in a readily comprehensible form,
together with representative combustible source transients.
For normally inerted BWRs, the concerns with combustibles relate to
potential burns and/or explosion events in deinerted Mark I or Mark II
containments or in the secondary containment building following containment
failure. The staff recommends that, unless deinerting can be
satisfactorily ruled out by probability, its occurrence and consequences
should be included in the event trees. Regarding the secondary
containment, the staff believes that consideration of combustibles in it is
essential with respect to the reactor building effectiveness in limiting
the source term.
Finally, uncertainties arise for all plants because of lack of knowledge on
how the corium will spread following discharge from the reactor vessel.
For Mark I containments, such uncertainties impact the configuration of the
corium-concrete interaction process and also the potential for drywell
liner meltthrough. It is recommended that an assessment of the debris
coolability, based on available water sources, should be performed to
determine the possibility for liner meltthrough. For Mark II containments,
uncertainties are associated with the retention of corium on the drywell
floor (and associated corium-concrete interactions) and the extent of
fuel-coolant interactions in the suppression pool. For PWR containments,
the reactor cavity configuration will influence the potential for direct
attack of the liner by dispersed debris, as well as the potential for
basemat failure or structural failure due to thermal attack. The staff
recommends that the IPE document describe the detailed geometry (including
curbs, standoffs) of the drywell floor.
As discussed earlier, a CET provides a structured way for a systematic
analysis of containment phenomena. Separate CETs representing the
high-pressure and low-pressure sequences deal with uncertainties discussed
earlier.
In general terms, and consistent with the overall IPE objectives, the staff
guidance on the approach to the back-end analysis can be summarized as
follows:
1. The approach should focus on containment failure mechanisms and
timing. Releases should be based on corresponding release categories
and associated detailed quantifications from reference plant analyses
and applied to the plant being examined.
2. All severe accident sequences that meet the criteria of Appendix 2
should be considered and reported.
3. System/human response should be realistically integrated with
phenomenological aspects into simplified, but realistic, containment
event trees for the plant being examined. Allowance should be made
for the probability of recovery or other accident management
procedures (particularly for long-term responses).
4. The quantification of the containment event trees should both (a)
clearly take into account the expected progression of the accident and
(b) aim to envelop phenomenological behavior (i.e., account for
uncertainties). This implies:
a. Identification of the most probable list of potential containment
failure mechanisms applicable to the plant under consideration
(e.g., see Table 7-1, NUREG/CR-2300).
b. Use of existing structural analyses to determine the ultimate
pressure capability of the containment, i.e., the quasi-static
internal pressure resulting in containment failure. These should
be modified as necessary to take into account any unique aspects
that could substantially modify the range of possible failure
pressures.
c. Use of available separate-effects analyses for the other
potential containment failure mechanisms to determine other
failure modes to which the plant might be vulnerable. As stated
earlier, there are some severe accident phenomenological issues
(e.g., direct containment heating and containment shell
meltthrough) where research has not produced conclusive results
on the challenges that these phenomena could pose to containment
integrity. Consideration must be given to strategies to deal
with those severe accident issues. For example, although there
appears to be no consensus on whether water availability will
fully quench the debris and keep it coolable and hence prevent
Mark I containment shell meltthrough, there is a broad agreement
that the presence of water will scrub the fission products and
could substantially reduce the radionuclide released even if
containment shell meltthrough were to occur. Utilities should be
aware of these insights and experience when conducting the IPE
and should develop appropriate strategies to deal with those
phenomenological issues while awaiting their generic resolution
as discussed in Section 4 of the IPE generic letter.
d. Development of a plant-specific probability distribution function
of failure likelihood for the range of failure pressures.
e. Any claim of decontamination factors for the secondary
containment in the analyses should consider the possibility of no
natural circulation, resulting in less time for aerosol
deposition, as well as localized hydrogen burns causing reactor
building failure and forcing the reactor building atmosphere out
into the environment.
5. Documentation should be presented concerning how any calculation was
performed, what assumptions have been made, and how these phenomena
couple to other aspects of the analysis. Any use of codes within the
IPE to calculate accident progression up to and including the source
term calculation should be described along with the circumstances
under which the code was used, the version of the code used, any code
revisions used, the key modeling and input assumptions, and the
calculated results.
6. The insights gained from the containment performance analysis should
be factored into the utility's accident management program.
APPENDIX 2
CRITERIA FOR SELECTING IMPORTANT SEVERE ACCIDENT SEQUENCES
Sequence Selection Criteria
The following screening criteria should be used to determine which
potentially important functional sequences* and functional failures (based
on the procedure established in NUREG/CR-2300) that might lead to core
damage or unusually poor containment performance should be reported to the
NRC in the IPE submittal. They do not represent a threshold for
vulnerability. All numerical values given in this appendix are
"expected"** values.
1. Any functional sequence that contributes 1E-6*** or more per reactor
year to core damage,
2. Any functional sequence that contributes 5% or more to the total core
damage frequency,
3. Any functional sequence that has a core damage frequency greater than
or equal to 1E-6 per reactor year and that leads to containment
failure which can result in a radioactive release magnitude greater
than or equal to the BWR-3 or PWR-4 release categories of WASH-1400,
4. Functional sequences that contribute to a containment bypass frequency
in excess of 1E-7 per reactor year, or
5. Any functional sequences that the utility determines from previous
applicable PRAs or by utility engineering judgment to be important
contributors to core damage frequency or poor containment performance.
____________________
* "Sequence" is used here to mean a set of faults, usually chronological,
that result in the plant consequence of interest, i.e., either a damaged
core or unusually poor containment performance. A systemic sequence is a
set of faulted systems that summarizes by systems a set of component
failures resulting in a damaged core or unusually poor containment
performance. A functional sequence is a set of faulted functions that
summarizes by function a set of systems faults which would result in the
consequence of interest.
** For those cases where only point estimates are generated, the licensee
shall propose a suitable factor that adjusts the overall value to the
"expected" level.
*** 1E-6 denotes abbreviated scientific notation for 1 x 10^-6.
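The screening criteria above, applied to a constructed set of functional sequences, as an added example that is not part of the generic letter. The sequence names, frequencies and the `large_release` flag (the analyst's determination that containment fails with a release at or above BWR-3/PWR-4) are assumptions, and criterion 4 is read here as applying to an individual bypass sequence whose frequency exceeds 1E-7 per reactor year.

```python
from dataclasses import dataclass

# Thresholds quoted from the Appendix 2 screening criteria.
CDF_ABSOLUTE = 1e-6   # criteria 1 and 3, per reactor year
CDF_FRACTION = 0.05   # criterion 2, share of total core damage frequency
BYPASS_FREQ = 1e-7    # criterion 4, per reactor year


@dataclass(frozen=True)
class FunctionalSequence:
    name: str
    cdf: float                      # "expected" value per reactor year; point
                                    # estimates must be adjusted before use
    large_release: bool = False     # assumption: analyst judged the release to be
                                    # >= BWR-3 / PWR-4 with containment failure
    bypass: bool = False            # containment is bypassed in this sequence
    judged_important: bool = False  # criterion 5: prior PRA or engineering judgment


def screen(sequences):
    """Return (total_cdf, {name: [criteria met]}) for reportable sequences."""
    total = sum(s.cdf for s in sequences)
    reportable = {}
    for s in sequences:
        met = []
        if s.cdf >= CDF_ABSOLUTE:
            met.append(1)
        if total > 0 and s.cdf / total >= CDF_FRACTION:
            met.append(2)
        if s.cdf >= CDF_ABSOLUTE and s.large_release:
            met.append(3)
        # Assumed reading of criterion 4: strict "in excess of" on the
        # sequence's own frequency when it bypasses containment.
        if s.bypass and s.cdf > BYPASS_FREQ:
            met.append(4)
        if s.judged_important:
            met.append(5)
        if met:
            reportable[s.name] = met
    return total, reportable


# Constructed sample data, not taken from any plant analysis.
SAMPLE = [
    FunctionalSequence("SBO-1", 4.0e-6, large_release=True),
    FunctionalSequence("LOCA-S", 1.2e-6),
    FunctionalSequence("TRANS-X", 5.0e-7),
    FunctionalSequence("ISLOCA", 3.0e-7, bypass=True),
    FunctionalSequence("SGTR", 9.0e-8, bypass=True),
    FunctionalSequence("ATWS", 6.0e-8),
    FunctionalSequence("FLOOD", 2.0e-8, judged_important=True),
]

if __name__ == "__main__":
    total, reportable = screen(SAMPLE)
    print(f"total CDF = {total:.2e} per reactor year")
    for s in SAMPLE:
        share = s.cdf / total
        flags = reportable.get(s.name, "not reportable")
        print(f"{s.name:8s} {s.cdf:.1e}  {share:6.1%}  {flags}")
```

TRANS-X shows why criterion 2 matters: it is below 1E-6 per reactor year yet still reportable at about 8% of the total.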
APPENDIX 3
ACCIDENT MANAGEMENT
There already is an international consensus that the cause and consequences
of a severe core damage accident can be greatly influenced by the
operator's actions. In addition, the ability of essential equipment to
survive the environment resulting from severe accidents is an important
consideration in mitigating a severe core damage accident and managing its
progression. The failure of essential equipment can (1) incapacitate or
remove systems needed to respond to severe accidents or (2) misinform the
operator.
The NRC has initiated a research program to examine the efficacy of generic
accident management strategies. We intend to periodically meet with
industry (NUMARC) to compare the results of our respective programs.
However, the staff has done some preliminary work in defining the key
elements of a severe accident management program.
Since your IPE results will ultimately play a significant role in the
development of such a program for your plant, we are providing you with the
results of our work at this time. The main elements of an accident
management program should address: (1) the organizational responsibilities
and structure needed to direct the responses to a severe accident, (2) the
instrumentation, procedures, and alarms needed to diagnose severe
accidents, and the procedures and equipment needed to accomplish the
functions necessary to prevent and to mitigate leading accidents, and (3)
the procedures and training needed for operators to be skilled in possible
remedial actions.
Suggested Elements of an Accident Management Program
1. Organization
The first element of any severe accident management program is to assign
responsibilities for dealing with these accidents and to identify the
necessary organizational structure.
The utility should decide which operators are to be trained to manage
severe accidents or if a separate evaluation team is to be established to
direct the operators. Clear lines of decision making authority should be
established. For example, if containment venting is an option that could
conceivably be considered during the course of an accident to prevent
overpressure failure, then the person responsible for making that decision
should be clearly identified to all involved personnel. Analyses of
ultimate containment strength, the venting pressure, and the advantages,
disadvantages, and potential consequences should also have been evaluated
beforehand, and the decision makers should be properly trained from the
evaluation results to make an informed decision.
2. Instrumentation and Equipment
Practically every aspect of plant operation is likely to be involved in
accident management. Coordination among the various organizational units
is vital for communicating the status and the control of needed equipment.
It should be clear (1) what information is needed to make decisions, (2)
who is responsible
for obtaining the information, (3) what instruments plant personnel can
rely on to determine the status of the plant, and (4) what essential
equipment is needed to mitigate severe accidents and the time interval for
which it is needed. Survivability of specific equipment needs to be
evaluated by establishing whether the qualification of equipment for design
basis events is sufficient to support the assumed performance of this
equipment during severe accidents.
For sequences with a significant potential to progress beyond core melt,
means of maintaining containment integrity is the main goal. Heat removal
from the containment and retention of fission products are the most
important functions. Equipment needed to accomplish these functions should
have been identified and appropriate preparations made. All reasonable
preparations to enable operators to recognize approaching containment
failure, to assess possible remedial actions, and to accomplish the
necessary functions should be provided. Potentially adverse action should
be identified and evaluated. For example, recovery and initiation of
containment sprays after the containment has a substantial quantity of
steam and hydrogen can condense the steam and may leave a detonable mixture
of hydrogen. Similarly, spraying into a containment that has been vented
could result in a vacuum and possible implosion.
If special equipment might be needed to both prevent and mitigate severe
accidents, provisions might be made to ensure its timely availability. The
responsibility to take such action should be assigned, and the individuals
responsible should know where to procure the needed equipment.
3. Procedures and Training
The accident management plan should be developed to accomplish these
functions for each set of the leading accident sequences despite the
degraded state of the plant. There should be consistency and smooth
transition between the emergency operating procedures and the accident
management plan. The plan should be checked against the existing
organizational structure to ensure that responsibilities for managing each
accident are clearly defined and the responsible personnel are adequately
trained.
APPENDIX 4
DOCUMENTATION
At a minimum, the following information on the IPE should be documented and
submitted to the NRC:
1. Certification that an IPE has been completed and documented as
requested by the provisions contained in this generic letter. The
certification should also identify the measures taken to ensure the
technical adequacy of the IPE and the validation of the results,
including any uncertainty, sensitivity, and importance analysis.
2. A list of all initiating events, the containment phenomena, and the
damage states examined.
3. All function event trees and containment event trees (including
quantification) as well as all data (including origin and method of
analysis). The fault trees (or equivalent system failure models) for
the systems identified, using the criteria of Appendix 2, as main
contributors to core damage or unusually poor containment performance
should also be provided.
4. The support state models for the IDCOR IPEMs, including descriptions
of all applicable findings from the visual inspections.
5. A description of each functional sequence selected by the criteria of
Appendix 2, including discussion of accident sequence progression,
specific assumptions, and human recovery action.
6. The estimated core damage frequency and the likelihood or conditional
probability of a large release. The timing of significant large
releases for each of the leading functional sequences. A list of
analysis assumptions with their basis should be provided along with
the source of uncertainties.
7. Identification of the USI(s) and GSI(s), if applicable, that have been
assessed to estimate their contribution to the core damage frequency
or to unusually poor containment performance.
8. A description of the technical basis for resolving any USI or GSI when
applicable.
9. A list of the potential improvements, if any (including equipment
changes as well as changes in maintenance, operating and emergency
procedures, surveillance, staffing, and training programs) that have
been selected for implementation and a schedule for their
implementation or that are already implemented. Include a discussion
of the anticipated benefit as well as any drawbacks.
10. A description of the review performed by a utility party not directly
involved in producing the IPE to evaluate or oversee the IPE review.
11. Documentation on the level of licensee staff involvement in the IPE.
Retained Information
The documentation pertaining to the examination that must be retained by
the utility for the duration of the license or until superseded includes
applicable event trees and fault trees, current versions of the system
notebooks if applicable, walk-through reports, and the results of the
examination. In general, all documents essential to an audit of the
examination should be retained. In addition, the manner in which the
validity of these documents has been ensured must be documented. For any
actions taken by the operators for which credit is allowed in the IPE, the
licensee should establish a plant procedure, to be used by those plant
staff responsible for managing a severe accident should one occur, that
provides assurance that the operators can and will take the required
action. Plant owner groups are encouraged to develop generic guidelines
from which utilities can develop plant-specific accident management
programs and/or procedures.
APPENDIX 5
DECAY HEAT REMOVAL VULNERABILITY INSIGHTS
As part of the Unresolved Safety Issue (USI) program, six limited scope
PRAs were performed under the USI A-45 project, "Shutdown Decay Heat
Removal Requirements," to assess the decay heat removal (DHR) function in
existing plants.* The results showed that DHR-related core damage risk is
in a range, on some plants, where attention may be warranted regarding
whether or not such risks can be lowered in a cost-effective manner. The
results also showed that the sources of DHR-related core damage risk are
highly plant specific.
The following insights have been gained as a result of those six PRAs. The
insights are summarized here in order to assist licensees in the conduct of
their IPEs as they relate to their search for potential core damage risk
associated with DHR-related severe accident sequences. Although licensees
are requested in the generic letter to proceed with the examination only
for internally initiated events at the present time, insights from both
internal and external events are provided in this appendix to indicate what
may be important to decay heat removal function vulnerabilities when
performing the IPE for externally initiated events.
Areas where such cost-effective improvements might be possible were
identified for severe accident sequences initiated by transients and
small-break loss-of-coolant accidents and were frequently related to lack
of redundancy, separation, and physical protection in safety trains for
internal fires, floods, sabotage, and seismic events.
Such areas for possible improvement were particularly apparent in plant
support systems. At the support system level, there is often less
redundancy, less separation and independence between trains, poorer overall
general arrangement of equipment from a safety viewpoint, and much more
system sharing as compared to the higher level systems. These situations
suggest the possible need to investigate corrective actions that could
reduce the probability that single events such as a fire, flood, or insider
sabotage could disable multiple trains (or single trains with a multiple
purpose) thereby creating an inability to cool the plant.
_____________________
* See the following NUREG/CR reports:
4448, "Shutdown Decay Heat Removal Analysis of a General Electric BWR3/
Mark I," March 1987.
4458, "Shutdown Decay Heat Removal Analysis of a Westinghouse 2-Loop
Pressurized Water Reactor," March 1987.
4713, "Shutdown Decay Heat Removal Analysis of a Babcock and Wilcox
Pressurized Water Reactor," March 1987.
4762, "Shutdown Decay Heat Removal Analysis of a Westinghouse 3-Loop
Pressurized Water Reactor," March 1987.
4767, "Shutdown Decay Heat Removal Analysis of a General Electric
BWR4/Mark I," July 1987.
4710, "Shutdown Decay Heat Removal Analysis of a Combustion Engineering
Pressurized Water Reactor," July 1987.
Human errors were found to be of special significance. The six studies
modeled errors of omission (e.g., delays or failures in performing
specified actions), and it was found that in many cases the resulting risk
was very sensitive to the assumptions made and to the way such errors were
modeled.
Consequently, great care is warranted in the development of human error
models. In addition, it is likely that errors of commission are also
important (i.e., where the operator misdiagnoses a situation and takes an
improper action that is not related to the actual, current plant
situation). Although such "cognitive" errors are much more difficult to
model, efforts to take them into account will result in a more complete
picture of DHR-related risk.
Of equal importance to human errors is the credit that is allowed for
recovery actions, which can have a very significant effect upon the
resulting risk. Some of the more important recovery actions are recovering
offsite power, fixing local faults of batteries or diesel generators,
actuating safety systems manually, realigning auxiliary feedwater steam and
feedwater flowpaths, and manually opening locally failed motor-operated
valves. Considering the importance of such human recovery actions,
considerable effort is justified in the development of the methods and
assumptions used in these areas.
Transient events that are initiated or influenced by a loss of offsite
power were found to contribute significantly to risk. A new rule, 10 CFR
50.63, was issued on June 21, 1988 (53 FR 23203) as a resolution to USI
A-44, "Station Blackout." Implementation of this rule will reduce the risk
from such events.
For PWRs, the ability to cool the plant through "feed and bleed" operations
could have a significant effect upon the DHR-related core damage risk.
However, care must be taken that feed and bleed operations would actually
be undertaken in a real emergency situation in sufficient time to prevent
core uncovery and subsequent damage. In view of the potential benefits,
significant effort might be justifiable in ensuring that procedures and
training are actually in place sufficient to warrant credit for feed and
bleed cooling.
Just as the origins of DHR-related risk are plant specific, the effects of
corrective actions are also quite plant specific and must be evaluated on a
plant-by-plant basis. In choosing which potential corrective actions to
investigate in more detail, a general principle is that the modifications
having the highest potential for reducing the risk, for the lowest cost,
will be those that increase the redundancy or availability of systems
shared between units.
In summary, both the DHR-related risk and the effects of various corrective
actions are highly plant specific. The dominant risks are divided between
internal and external causes, and the areas of support systems and human
response are of particular significance. Studies show that various cost-
effective corrective actions may be possible to reduce DHR-related core
damage risk after its source has been identified.
ATTACHMENT-1
CLOSURE OF SEVERE ACCIDENT ISSUES FOR OPERATING REACTORS
(Excerpted from SECY 88-147)
The Commission has a number of ongoing programs related to severe accident
behavior in operating light water reactors. Each program addresses a
specific aspect of severe accident behavior and may in fact result in a
proposed specific action on the part of the staff or Commission towards the
regulated industry. However, neither the staff nor Commission has yet
defined for the industry which programs are critical to resolving the
severe accident issues for their plants and what specific steps must be
taken by each licensee to achieve this resolution.
Completion of this resolution process is termed "closure" of severe
accident issues. Actions resulting from two tracks, namely generic issues
and plant-specific issues, must be taken for severe accident closure.
Closure for generic severe accident issues will be obtained when the
Commission takes action in the form of rulemaking, or states whatever its
required approach is. Closure for plant-specific severe accident issues
will be obtained when each licensee has completed certain evaluations and
implemented certain programs such that events which comprise the dominant
contributions to risk for each plant are identified and that practical
enhancements to the design, procedures, and operation are made such that
further improvements can no longer be justified by backfit analysis
pursuant to 10 CFR 50.109. However, specific plant and operational
improvements may be identified which do not meet the backfit rule, but if
implemented, would significantly alter the risk profile of the plant,
improve the balance of reliance on both prevention and mitigation, or
substantively reduce uncertainties in our understanding. Any such
improvements identified will be brought forward to the Commission with
recommended action on a case-by-case basis. Closure of a single issue or
combination of issues is achieved when the above is satisfied for that
issue or those issues addressed.
It should be noted that "closure" does not imply that all severe accident
activities will cease. Certain activities, such as research in the areas
of severe accident phenomena and human performance will continue beyond
"closure." These activities are designed to provide confirmation of
previous judgments. It is expected that as a result of continuing
research, experience, and other activities, additional issues or questions
regarding judgments related to severe accidents may arise. These will be
considered and disposed of on a case-by-case basis, and are not expected to
bring into question the previous conclusions regarding closure.
The following sections describe in detail the steps that each licensee is
expected to complete in order to achieve severe accident closure for each
of its operating reactors.
1. Completing Individual Plant Examinations (IPEs)
The IPE program is intended to be "an integrated systematic approach to an
examination of each nuclear power plant now operating or under construction
for possible significant risk contributors (sometimes called "outliers")
that might be plant specific and might be missed absent a systematic
search."
Each licensee is expected to perform an IPE using a method acceptable to
the staff. As will be described in the staff generic letter implementing
the IPE, the staff expects that in many cases utilities, in the performance
of their IPEs, may find and will voluntarily remedy uncovered
vulnerabilities by making the necessary safety improvements (conforming to
the requirements of 10 CFR 50.59). However, through the review of IPE
submittals, the staff may find it necessary to employ established
plant-specific backfit criteria to assure that justifiable corrections are
made.
For the phase of the evaluation associated with identification of dominant
core melt sequences (commonly referred to as the "front end" analysis of a
PRA), there is little controversy regarding methods, and we expect the
industry decision process with respect to potential modifications to be
straightforward. For the phase of the evaluation associated with core
melting, release of molten core to the containment, and containment
performance, the staff recognizes that for a few of the phenomena, notably
in areas which affect containment performance, there is a wide range of
views about their relative probability as well as their consequences. For
these issues additional research and evaluations will be needed to help
reduce the wide range of uncertainties. Because of concern over the ability
of containments to perform well during some severe accidents, the staff is
conducting a Containment Performance Improvements Program (for more details
see Item 3 below). This program complements the IPE program and is
intended to focus on resolving generic containment challenges, including
issues associated with the phenomena mentioned above.
The NRC and industry currently have ongoing research programs to address
these few issues. However, until a sufficient understanding of these
phenomena is developed, each licensee will be faced with the need to be
able to understand the potential range of probabilities and consequences
associated with these issues.
Accordingly, we would expect each licensee to implement a Severe Accident
Management Program which provides training and guidance to their
operational and technical staff on understanding and recognizing the
potential consequences of these phenomena.
We do not plan to require a licensee to consider external events in its IPE
at this time. The staff is currently studying methods it would find
acceptable for examining plants for severe accident vulnerabilities from
external events, and will be meeting with NUMARC regarding these methods as
well as the scope of an external event examination. We expect completion
of the methods development within 12 to 18 months. Closure with respect to
external events will be achieved upon completion of an examination of each
plant, as needed, for external event vulnerabilities consistent with the
conclusions of the staff studies described above.
2. Accident Management.
The staff has concluded that significant risk reductions can be achieved
through effective severe accident management. We also believe that the IPE
conclusions reached by licensees for their plants will explicitly rely on
certain operator actions, or on operators not taking actions which could
adversely affect both the probability and consequences of a severe
accident.
Hence, a key element to severe accident closure for each plant will be the
implementation of a Severe Accident Management Program. Since information
on severe accident phenomena and effective accident management strategies
will continue to be developed by both NRC and industry over the next
several years, closure is not predicated on having a "complete" accident
management program in place. Rather, closure is based on each licensee
having an Accident Management Program framework in place, that can be
expanded, modified, etc. to accommodate new information as it is developed.
3. Containment Performance Improvements
As a result of concerns related to the ability of containments to withstand
some generic challenges associated with severe accidents, the staff has
undertaken a program to determine what, if any, actions should be taken to
reduce the vulnerability of containments to severe accident challenges, and
to reduce the magnitude of releases that might result from such challenges.
Staff efforts have first focused on the BWR MARK I containment. The staff
studies are primarily focused on the potential generic vulnerabilities of
these containments, and not plant unique vulnerabilities, which is the
primary focus of the IPEs. The staff schedule calls for an interim report
on BWR MARK Is to be submitted to the Commission in June of this year, with
final recommendations due in the fall of this year. The other types of
containments are to be assessed by the fall of 1989.
The IPE generic letter is now expected to be issued by July of this year,
and licensees will have approximately four months to respond identifying
their plan for conducting the IPEs. Following the four-month period, it is
expected they will commence with their IPEs. It is further expected that
any modifications to Mark I containments that the staff may recommend will
be available to the industry before they start their IPEs. For the other
containment types, the fact that any staff recommendations will not be
available until after they have commenced with their IPEs is a concern.
However, the IPE generic letter will state that the staff does not expect
the industry to make any major modifications to their containments until
the information associated with the generic issues which affect containment
performance has been developed by the staff. Hence, the industry will not
be placed in a position of having to implement improvements before all
containment performance decisions have been made.
4. Use of Safety Goal in the Closure Process
The staff expects to use safety goal policy and objectives, including the
10(-6)/reactor-year "large release" guideline, to assist in the resolution
and closure of severe accident issues. Resolution and closure of issues
are expected to be of two different types, either plant unique or generic.
Safety
goals and objectives are to be used only for the resolution of generic
issues, i.e., severe accident issues common to a defined generic class of
plants. Resolution of plant unique issues is to be accomplished on a case
by case basis, using the information developed by Individual Plant
Examinations (IPE) as is described in Section 1.
The staff is preparing a Safety Goal Policy Implementation Plan (Revised)
that incorporates the following, as directed by the Commission (Staff
Requirements Memorandum dated November 6, 1987):
(1) Information on how the staff proposes to implement OGC guidance on the
use of averted on-site costs in backfit analyses.
(2) Whether averted off-site property damage costs should be included in a
more explicit manner in backfit analyses.
(3) Whether $1,000/person-rem remains an appropriate cost/benefit
criterion.
(4) A discussion of options for defining a "large release."
(5) A discussion of options for specifying appropriate plant performance
objectives.
(6) Responses to Commissioner Bernthal's questions regarding population
density considerations, and whether it would be acceptable for a plant
to have no containment if it met the large release criterion by
prevention of core melt (core damage) alone.
This plan will also reflect the consideration given by the staff to ACRS
recommendations and the results of several meetings with the ACRS on this
subject.
Resolution of severe accident generic issues using safety goal objectives
is expected to proceed as follows. PRA information from a variety of
sources, including both staff generated PRAs (e.g., NUREG-1150) and
utility generated PRAs (IPE) will be used to make comparisons with
applicable safety goal objectives in accordance with the implementation
plan. The staff will identify the reasons why particular plants appear to
meet or not meet these objectives and assess these reasons in relation to
current regulatory requirements. This assessment will constitute a testing
of the effectiveness of these requirements or their implementation and is
expected to result in the identification of potential changes to regulatory
requirements that, for some plants, would be expected to result in safety
enhancements. These, in turn, will be subject to appropriate regulatory
analysis as provided in the Commission's backfit rule 10 CFR 50.109. Those
that can be shown to provide substantial safety benefit and are
cost-effective will be proposed to the Commission for backfit, possibly in
the form of rulemaking. The staff expects that this process would have no
impact on classes of plants for which there is reasonable assurance that
safety goal objectives are met. This expectation is based upon the intent
to identify those features of design and/or performance that are already in
place at plants meeting safety goal objectives and to structure any new
requirements such that they do not require changes or additions at these
plants.
The staff's revised Safety Goal Implementation Plan is scheduled to reach
the Commission in August, 1988. The first application is expected to be
reflected in the staff's recommendations to the Commission in the Fall of
1988 on potential improvements to BWR MARK I severe accident containment
performance.
5. Summary of Closure Process
In summary, the steps which each licensee is expected to take to achieve
closure on severe accidents for its plants are as follows:
o Complete the IPEs; identify potential improvements, evaluate and fix
as appropriate.
o Develop and implement a framework for an Accident Management Program
that can accommodate new information as it is developed.
o Implement any Commission-approved generic requirements resulting from
the staff Containment Performance Improvement Program; this should
constitute closure of containment performance generic issues.
While programs for improved plant operations and research in the area of
severe accidents will continue, completion of the above by a licensee is
considered to constitute "closure" of the severe accident issue for the
plant in question. Specific issues that may arise in the future as a result
of ongoing research will be treated on a case-by-case basis and will not
affect the closure process.
ATTACHMENT 2
LIST OF REFERENCES OF THE IDCOR PROGRAM REPORTS AND KEY NRC REPORTS
IDCOR Reports
Tech. Report No.  Title
1.1               Safety Goal/Evaluation Implications for IDCOR
2.1               Ground Rules for Industry Degraded Rule Making Program
3.1               Define Initial Likely Sequences
3.2               Assess Dominant Sequences
3.3               Selection of Dominant Sequences
4.1               Containment Event Trees
5.1               Human Error Effects on Dominant Sequences
6.1               Risk Significant Profile for ESF and Other Equipment
7.1               Baseline Risk Profile for Current Generation Plants
9.1               Preventive Methods to Arrest Sequences of Events
                  Prior to Core Damage w/Revision 1
10.1              Containment Structural Capability of LWRs
11.1/11.5         Estimation of Fission Product and Core Material
                  Characteristics
11.2              Identifying Pathways of Fission Product Transport
11.3              Fission Product Transport in Degraded Core Accidents
11.6              Resuspension of Deposited Aerosols
11.7              FAI Aerosol Correlation
12.1              Hydrogen Generation During Severe Core Damage Sequences
12.2              Hydrogen Distribution in Reactor Containment Buildings
12.3              Hydrogen Combustion in Reactor Containment Buildings
13.2-3            Evaluation of Means to Prevent, Suppress or Control
                  Hydrogen Burning in Reactor Containments
14.1A             Key Phenomenological Models for Assessing Explosive
                  Steam Generation Rates
14.1B             Key Phenomenological Models for Assessing Non-Explosive
                  Steam Generation Rates
15.1              Analysis of In-Vessel Core Melt Progression
15.1A             In-Vessel Core Melt Progression Phenomena
15.1B             In Vessel Core Melt Progression Phenomena
15.2A             Effect of Core Melt Accidents on PWRs with Top Entry
                  Instruments
15.2B             Final Report on Debris Coolability, Vessel Penetration,
                  and Debris Dispersal
15.3              Core-Concrete Interactions
16.1              Assess Available Codes, Define Use and Follow and
                  Support Ongoing Activities
16.1A             Review of MAAP PWR and BWR Codes
16.2-3            MAAP Modular Accident Analysis Program User's Manual,
                  Vols. I & II
16.4              Analysis to Support MAAP Phenomenological Models
17                Equipment Survivability
17.5              Draft Final Report: An Investigation of
                  High-Temperature Accident Conditions for Mark-1
                  Containment Vessels
18.1              Evaluation of Atmospheric and Liquid Pathway Dose
18.2              Completion of Conditional Complementary Cumulative
                  Distribution Functions
19.1              Alternate Containment Concepts
20.1              Core Retention Devices
21.1              Risk Reduction Potential
22.1              Safe Stable States
23.1              Uncertainty Studies for PB, GG, Zion, Sequoyah
23.1B             Peach Bottom - Integrated Containment Analysis
23.1Z             Zion - Integrated Containment Analysis
23.1S             Sequoyah - Integrated Containment Analysis
23.1GG            Grand Gulf - Integrated Containment Analysis
23.4              MAAP Uncertainty Analysis
23.5              Containment Bypass Analysis
24.4              Operator Response to Severe Accidents
85.1              IDCOR 85 Program Plan
85.2              Technical Support for Issue Resolution
85.3              IPEM A1 Thru B2
                  IPE Applications PB, Susquehanna, Zion, Oconee,
                  BWR User's Guide
85.4              Reassessment of Emergency Planning Requirements
                  With Present Source Terms
85.5A             Revised Source Terms
85.5B             Source Terms and Emergency Planning
86.20C            Verification of IPE for Oconee
86.3A2            IPE Source Term Methodology for PWRs
86.3B2            IPE Source Term Methodology for BWRs
86.20G            Verification of IPE for Grand Gulf
86.25H            Verification of IPE for Shoreham
NRC and NRC Contractor Reports
Tech. Report No.            Title
NUREG-0956                  Reassessment of the Technical Bases for
                            Estimating Source Term
NUREG-1032                  Evaluation of Station Blackout Accidents at
                            Nuclear Power Plants
NUREG-1037                  Containment Performance Working Group Report
NUREG-1079                  Estimates of Early Containment Loads from Core
                            Melt Accidents
NUREG-1116                  A Review of the Current Understanding of the
                            Potential for Containment Failure from
                            In-Vessel Steam Explosions
NUREG-1150 Volumes 1-3      Reactor Risk Reference Document
NUREG-1265                  Uncertainty Papers on Severe Accident Source
                            Terms
NUREG/CR-2300               PRA Procedures Guide
NUREG/CR-2815               Probabilistic Safety Assessment Procedures
                            Guide
NUREG/CR-4177 Volumes 1-2   Management of Severe Accidents
NUREG/CR-4458               Shutdown Decay Heat Removal Analysis of a
                            Westinghouse 2-Loop PWR
NUREG/CR-4550 Volumes 1-4   Analysis of Core Damage Frequency from
                            Internal Events
NUREG/CR-4551 Volumes 1-4   Evaluation of Severe Accident Risks and the
                            Potential for Risk Reduction
NUREG/CR-4696               Containment Venting Analysis for the Peach
                            Bottom Atomic Power Station
NUREG/CR-4700 Volumes 1-4   Containment Event Analysis for Postulated
                            Severe Accidents
NUREG/CR-4767               Shutdown Decay Heat Removal Analysis of a GE
                            BWR4/Mark I
NUREG/CR-4881               Fission Product Release Characteristics into
                            Containment Under Design Basis and Severe
                            Accident Conditions
NUREG/CR-4883               Review of Research on Uncertainties in
                            Estimates of Source Terms from Severe
                            Accidents in Nuclear Power Plants
NUREG/CR-4920 Volumes 1-5   Assessment of Severe Accident Prevention and
                            Mitigation Features
NUREG/CR-5132               Severe Accident Insights Report