NRC Generic Letter 88-20, Individual Plant Examination for Severe Accident Vulnerabilities
Individual Plant Examination for Severe Accident Vulnerabilities
https://www.nrc.gov/reading-rm/doc-collections/gen-comm/gen-letters/1988/gl88020.html
S5 09/08/1995 -- S4 06/28/1991 -- S3 07/06/1990 -- S2 04/04/1990 -- S1 08/29/1989 -- -- 11/23/1988
text[edit | edit source]
{{#Wiki_filter: UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555
November 23, 1988
To All Licensees Holding Operating Licenses and Construction Permits for Nuclear Power Reactor Facilities
SUBJECT: INDIVIDUAL PLANT EXAMINATION FOR SEVERE ACCIDENT
VULNERABILITIES - 10 CFR 50.54(f)
(Generic Letter No. 88-20)
1. SUMMARY
In the Commission policy statement on severe accidents in nuclear power plants issued on August 8, 1985 (50 FR 32138), the Commission concluded, based on available information, that existing plants pose no undue risk to the public health and safety and that there is no present basis for immediate action on generic rulemaking or other regulatory requirements for these plants. However, the Commission recognizes, based on NRC and industry experience with plant-specific probabilistic risk assessments (PRAs), that systematic examinations are beneficial in identifying plant-specific vulnerabilities to severe accidents that could be fixed with low cost improvements. Therefore, each existing plant should perform a systematic examination to identify any plant-Specific vulnerabilities to severe accidents and report the results to the Commission.
The general purpose of this examination, defined as an Individual Plant Examination (IPE), is for each utility (1) to develop an appreciation of severe accident behavior, (2) to understand the most likely severe accident sequences that could occur at its plant, (3) to gain a more quantitative understanding of the overall probabilities of core damage and fission product releases, and (4) if necessary, to reduce the overall probabilities of core damage and fission product releases by modifying, where appropriate, hardware and procedures that would help prevent or mitigate severe accidents. It is expected that the achievement of these goals will help verify that at U.S. nuclear power plants severe core damage and large radioactive release probabilities are consistent with the Commission's Safety Goal Policy Statement. Besides the Individual Plant Examinations, closure of severe accident concerns will involve future NRC and industry efforts in the areas of accident management and generic containment performance improvements. Additional discussion is provided in SECY-88-147 on the interrelationships among these three areas and the role they play in closure of severe accident issues for operating plants. The portion of that document relevant to closure is provided as Attachment 1. Attachment 2 contains a list of references of the IDCOR program technical reports and also some related NRC and NRC contractor reports.
Therefore, consistent with the stated position of the Commission and pursuant to 10 CFR 50.54(f), you are requested to perform an Individual Plant Examination of your plant(s) for severe accident vulnerabilities and submit the results to the NRC.
2 November 23, 1988
2. Examination Process
The quality and comprehensiveness of the results derived from an IPE will depend on the vigor with which the utility applies the method of examination and on the utility's commitment to the intent of the IPE. Furthermore, the maximum benefit from the IPE would be realized if the licensee's staff were involved in all aspects of the examination to the degree that the knowledge gained from the examination becomes an integral part of plant procedures and training programs. Therefore, we request each licensee to use its staff to the maximum extent possible in conducting the IPE by:
1. Having utility engineers, who are familiar with the details of
the design, controls, procedures, and system configurations,
involved in the analysis as well as in the technical review, and
2. Formally including an independent in-house review to ensure the
accuracy of the documentation packages and to validate both the
IPE process and its results.
The NRC expects the utility's staff participating in the IPE to:
(1) Examine and understand the plant emergency procedures, design,
operations, maintenance, and surveillance to identify potential severe
accident sequences for the plant; (2) understand the quantification of
the expected sequence frequencies; (3) determine the leading
contributors to core damage and unusually poor containment
performance, and determine and develop an understanding for their
underlying causes; (4) identify any proposed plant improvements for
the prevention and mitigation of severe accidents; (5) examine each of
the proposed improvements, including design changes as well as changes
in maintenance, operating and emergency procedures, surveillance,
staffing, and training programs; and (6) identify which proposed
improvements will be implemented and their schedule.
3. External Events (Treated Separately)
Licensees are requested to proceed with the examinations only for internally initiated events (including internal flooding) at the present time. Examination of externally initiated events (i. e., internal fires, high winds/tornadoes, transportation accidents, external floods, and earthquakes) will proceed separately and on a later schedule from that of internal events (1) to permit the identification of which external hazards need a systematic examination, (2) to permit development of simplified examination procedures, and (3) to integrate other ongoing Commission programs that deal with various aspects of external event evaluations, such as the Seismic Design Margins Program (SDMP), with the IPE(s) to ensure that there is no duplication of industry efforts. Utilities would be expected to examine and identify any plant-specific vulnerabilities to severe accidents due to externally initiated events. Therefore, while performing your IPE for internally initiated events, you should document and retain plant-specific data relevant to external events (e.g., data from plant walkdowns) such that they can be readily retrieved in a convenient form when needed for later external event analyses that may be required. If a licensee chooses to submit an external event examination at this time, the staff would review it on a case-by-case basis. .
3 November 23, 1988
While current staff efforts are focused on identifying acceptable methods for examining external events, the staff encourages the industry to propose a methodology for examining external events that meets the intent of the severe accident policy; namely, that it is capable of identifying vulnerabilities to external hazards. We will work with NUMARC in developing acceptable methodologies for external hazard examinations.
4. Methods of Examination
The NRC has identified three approaches that satisfy the examination requested by this letter. The methods are:
1. A PRA, provided it is at least a Level I* and uses current methods and
information, plus a containment performance analysis that follows the
general guidance given in Appendix 1 to the is generic letter. The
staff will consider those PRA s that follow the PRA procedures
described in NUREG/CR-2300, NUREG/CR-2815, or NUREG/CR-4550 to be
adequate for performing the IPE, provided the assessment considers the
most current severe accident phenomenological issues (as discussed in
Appendix 1) and the licensee certifies that the PRA is based on the
most current design.
2. The IDCOR system analysis method (front-end only), provided the
enhancements identified in the NRC staff evaluation of the IDCOR
method (to be issued shortly) are applied. Guidance for the back-end
analysis is provided in Appendix 1 and additional guidance will be
issued as described in Section 11 of this generic letter.
3. Other systematic examination methods, provided the method is described
in the licensee response and is accepted by the NRC staff. For those
methods with which the staff is not familiar, a staff review might be
necessary to ensure that the methods are generally acceptable.
For the phase of the evaluation associated with core melting, release of molten core to the containment, and containment performance, the staff recognizes that for a few of the phenomena, notably associated with areas that affect containment performance, there is a wide range of views about their relative probability as well as their consequences. For these issues, additional research and evaluation will be needed to help reduce the wide range of uncertainties. Because of the concern over the ability of containments to perform well during some severe accidents, the staff is conducting a Containment Performance Improvements Program. This program complements the IPE program and is intended to focus on resolving generic containment challenges. License are expected to correct vulnerabilities that may be identified by their IPE results but, because of the generic Containment Performance Improvements Program that complements the IPE, the
____________________ *The PRA levels are defined as follows: Level I - determination of core-damage frequencies based on system and human-factor evaluations; Level II -determination of the physical and chemical phenomena that affect the performance of the containment and other mitigating features and the behavior and release of the fission products to the environment; and Level III - determination of the offsite transport, deposition, and health effects of fission product releases. .
4 November 23, 1988
staff does not require industry to make any major modifications to their containments or other systems that can affect containment performance until the information associated with the containment performance generic issues has been developed by the staff. Hence, industry will not be placed in a position of having to implement improvements before all containment performance decisions have been made.
Appendix 1 provides the utility with guidance to proceed with the evaluation of containment performance to identify plant-specific factors important to containment performance. Following the Appendix 1 guidance will also enable utilities to understand and develop strategies to minimize the challenges and the consequences such severe accident phenomena may pose to the containment integrity and to recognize the role of mitigation systems while awaiting their generic resolution.
5. Resolution of Unresolved Safely/Generic Safety Issues (Relationship to
USI A-45)
Because the resolution of several USI(s) and GSI(s) may require an examination of the individual plant, it is reasonable to use the current IPE process for that examination. For example, Unresolved Safety Issue (USI) A-45 entitled "Shutdown Decay Heat Removal Requirements" had as its objective the determination of whether the decay heat removal function at operating plants is adequate and if cost-beneficial improvements could be identified. We concluded that a generic resolution to the issue (e.g., a dedicated decay heat removal system for all plants) is not cost effective and that resolution could only be achieved on a plant-specific basis. To implement a plant-specific resolution would require each plant to do an examination of its decay heat removal system to identify vulnerabilities. In the IPE, each plant will do an examination of both its decay heat removal system and those systems used for the other safety functions for the purpose of identifying severe accident vulnerabilities. Therefore, we have concluded that the most efficient way to resolve A-45 is to subsume it in the IPE.
You should ensure that your IPE particularly identifies decay heat removal vulnerabilities. To achieve this assurance we have extracted insights gained from the six case studies performed for the USI A-45 program. These insights are discussed in Appendix 5 to this letter and should be considered as you con-duct your IPE. In addition, if a utility (1) discovers a notable vulnerability during its IPE that is topically associated with any other USI or GSI and proposes measures to dispose of the specific safety issue or (2) concludes that no vulnerability exists at its plant that is topically associated with any USI or GSI, the staff will consider the USI or GSI resolved for a plant upon review and acceptance of the results of the IPE. Your IPE submittal should specifically identify which USIs or GSIs it is resolving.
6. PRA Benefits
The NRC recognizes that many licensees now possess plant-specific PRAs or similar analyses. Use of existing PRA analyses is encouraged in achieving the objectives of the IPE. In some cases, the licensee may have to confirm that the existing PRA analyses reflect the current state of the art regarding severe accidents. .
5 November 23, 1988
In addition to being an acceptable method for conducting an IPE, there are a number of potential benefits in performing PRAs on those plants without one. Some examples of potential additional benefits are as follows:
Support for Licensing Actions - PRAs have been used to support
arguments to justify technical specification changes, both routine and
emergency. PRAs would also be useful in supporting other regulatory
actions (e.g., design modifications).
License Renewals - PRAs could be a basis for utilities to establish a
program to ensure that risk-significant components and systems are
identified and maintained at an acceptable level of reliability during
the license renewal period.
Risk Management - A PRA could be used to develop a risk management
program that systematically uses the available information about risk
at a nuclear power plant and identifies alternative combinations of
design and operational modifications, ranks these alternatives
according to the relative benefits of each, and selects an optimum
from the alternatives.
Integrated Safety Assessment - The staff believes that by performing a
PRA a licensee would have the benefit of having developed the
technical basis for an integrated assessment. An integrated safety
assessment would (1) provide integrated schedules for licensing,
regulatory, and safety issues on a predictable basis, (2) evaluate
licensing and generic issues on a plant-specific basis such that they
are weighted against all other pending actions, (3) provide a licensee
with the opportunity to demonstrate with its PRA that various issues
that might be applied to other plants are not justified at that
facility, (4) help improve outage planning, and (5) rank issue
importance such that the most important are dealt with first. This
prioritization of actions benefits the licensees and the NRC by
providing a rational schedule for implementation of actions and
provides a basis for the possible elimination of actions determined to
have low safety significance for the individual plant.
7. Severe Accident Sequence Selection
In performing an IPE, it is necessary to screen the severe accident sequences for the potentially important ones and for reporting to the NRC. The screening criteria to determine the potentially important functional sequences* that lead to core damage or unusually poor containment performance and should be reported to the NRC with your IPE results are listed in Appendix 2. Appendix 4 describes
____________________
- "Sequence" is used here to mean a set of faults, usually chronological,
that result in the plant consequence of interest, i.e., either a damaged core or unusually poor containment performance. A functional sequence is a set of faulted functions that summarizes by function a set of systems faults which would result in the consequence of interest. Functional sequences are to be contrasted with systemic sequences. A systemic sequence is a set of faulted systems that summarizes by systems a set of component failures resulting in a damaged core or unusually poor containment performance. .
6 November 23, 1988
the documentation needed for the accident sequence selection and the intended disposition of these sequences.
It is expected that during the course of the examination, the utility would carefully examine the results to determine if there are worthwhile prevention or mitigation measures that could be taken to reduce the core damage frequency or poor containment performance with the attendant radioactive release. The determination of potential benefits is plant specific and will depend on the frequency and consequence of the accident sequence leading to core damage and containment failure.
8. Use of IPE Results
a. Licensee
After each licensee conducts a systematic search for severe accident vulnerabilities in its plant(s) and determines whether potential improvements, both design and procedural, warrant implementation, it is expected that the licensee will move expeditiously to correct any identified vulnerabilities that it determines warrant correction. Information on changes initiated by the licensee should be provided consistent with the requirements of 10 CFR 50.59 and10 CFR 50.90. Changes should also be reported in your IPE submittal (by reference to previous submittals under 10 CFR 50.59 or 10 CFR 50.90) that responds to this letter (see Appendix 4).
b. NRC
The NRC will evaluate licensee IPE submittals to obtain reasonable assurance that the licensee has adequately analyzed the plant design and operations to discover instances of particular vulnerability to core melt or unusually poor containment performance given a core melt accident. Further, the NRC will assess whether the conclusions the licensee draws from the IPE regarding changes to the plant systems, components, or accident management procedures are adequate. The consideration will include both quantitative measures and nonquantitative judgment. The NRC consideration may lead to one of the following assessments:
1. If NRC consideration of all pertinent and relevant factors indicates
that the plant design or operation must be changed to meet NRC
regulations, then appropriate functional enhancements will be required
and expected to be implemented without regard to cost except as
appropriate to select among alternatives.
2. If NRC consideration indicates that plant design or operation could be
enhanced by substantial additional protection beyond NRC regulations,
then appropriate functional enhancements will be recommended and
supported with analysis demonstrating that the benefit of such
enhancement is substantial and worth the cost to implement and
maintain that enhancement, in accordance with 10 CFR 50.109.
3. If NRC consideration indicates that the plant design and operation
meet NRC regulations, and that further safety improvements are not
substantial or not cost effective, enhancements would not be suggested
unless significant new safety information becomes available.
.
7 November 23, 1988
9. Accident Management
An important aspect of severe accident prevention and mitigation is the total organizational involvement. Operations personnel have key roles in the early recognition of conditions or events that might lead to core damage. The availability of procedures specifying corrective actions and the training of operators and emergency teams can have a major influence on the course of events in case of a severe accident.
Because the conclusions you will draw from the IPE for severe accident vulnerabilities (1) depend on the credit taken for survivability of equipment in a severe accident environment, and (2) will either depend on operators taking beneficial actions during or prior to the onset of severe core damage or depend on the operators not taking specific actions that would have adverse effects, the results of your IPE will be an essential ingredient in developing a severe accident management program for your plant.
At this time you are not required to develop an accident management plan as an integrated part of your IPE. We are currently developing more specific guidance on this matter and are working closely with NUMARC to (1) define the scope and content of acceptable accident management programs, and (2) identify a plan of action that will ultimately result in incorporating any plant-specific actions deemed necessary, as a result of your IPE, into an overall severe accident management program. Nevertheless, in the course of conducting your IPE you may identify operator or other plant personnel actions that can substantially reduce the risk from severe accidents at your plant and that you believe should be immediately implemented in the form of emergency operating procedures or similar formal guidance. We encourage each licensee to not defer implementing such actions until a more structured and comprehensive accident management program is developed on a longer schedule, but rather to implement such actions immediately within the constraints of 10 CFR 50.59.
10. Documentation of Examination Results
The IPE should be documented in a traceable manner to provide the basis for the findings. This can be dealt with most efficiently by a two-tier approach. The first tier consists of the results of the examination, which will be reported to the NRC for review. The second tier is the documentation of the examination itself, which should be retained by the licensee for the duration of the license unless superseded. Appendix 4 contains the minimum information necessary for reporting and documentation.
11. Licensee Response
A document that provides additional licensee guidance for the performance of the IPE (both core damage and containment system performance) and describes the review and evaluation process that the NRC staff will use for assessing the submittals will be issued in draft form within the next few months.
.
8 November 23, 1988
Following the issuance of the draft document, workshops with utility representatives will be scheduled to discuss the IPE objectives and to answer questions that utilities might have on both the IPE generic letter and the guidance document.
Following the completion of the workshops, the NRC, as appropriate, will revise its guidance contained in the guidance documents to take into consideration comments received and will reissue them. Within 60 days of receipt of the final guidance documents, licensees are requested to submit their proposed programs for completing the IPEs. The proposal should:
1. Identify the method and approach selected for performing the IPE,
2. Describe the method to be used, if it has not been previously
submitted for staff review (the description may be by reference), and
3. Identify the milestones and schedules for performing the IPE and
submitting the results to the NRC.
Meetings at NRC Headquarters during the examinations will be scheduled as needed to discuss subjects raised by licensees and to provide necessary clarifications.
Licensees are expected to submit the IPE results within 3 years. The Commission encourages those plants that have not yet undergone any systematic examination for severe accidents to promptly initiate the examination.
Those utilities that choose to use an existing PRA or similar analysis on their plant should (1) certify that the PRA meets the intent of the generic letter, in particular with respect to utility staff involvement, (2) certify that it reflects the current plant design and operation, and (3) submit the results as soon as the analysis is completed but on a shorter schedule than 3 years. Utilities with plants that used the initial IDCOR system analysis in the IDCOR test applications are encouraged to submit their results on a shorter schedule than 3 years. This will ensure review and resolution of any items while the utility's examination team is easily accessible. In this regard, the staff also encourages licensees whose plants have been extensively analyzed under the NUREG-1150 program to submit their IPEs on an expedited basis. This will enable the staff to exercise its review and decision process for determining acceptability of the IPE, the adequacy of the licensee identification of plant-specific vulnerabilities, and the associated modifications using insights and experience from NUREG-1150. Finally, those licensees planning to perform a new Level II or Level III PRA may need more time. The NRC staff will consider requests for additional time for such an examination.
12. Regulatory Basis
This letter is issued pursuant to 10 CFR 50.54(f), a copy of the 10 CFR 50.54(f) evaluation which justifies issuance of this letter is in the Public Document Room. Accordingly, all responses should be under oath or affirmation. This request for information is covered by the Office of Management and Budget under
.
9 November 23, 1988
Clearance No. 3150-0011, which expires December 31, 1989. The estimated average burden hours is 8100 person-hours per licensee response, over a 3-year period including assessment of the new requirements, searching data sources, gathering and analyzing the data, and preparing the required reports. Comments on burden and duplication may be directed to the Office of Management and Budget, Reports Management, Room 3208, New Executive Office Building, Washington, DC 20503.
Sincerely,
Dennis Crutchfield, Acting Associate
Director for Projects
Office of Nuclear Reactor Regulation
Enclosures:
Appendices 1 through 5
w/ attachments 1 and 2
.
APPENDIX 1
GUIDANCE ON THE EXAMINATION OF CONTAINMENT SYSTEM PERFORMANCE
(BACK-END ANALYSIS)
1. Background
The role of the containment as a vital barrier to the release of fission products to the environment has been widely recognized. The public safe%y record of nuclear power plants has been fostered by applying the "defense-in-depth" principle, which relies on a set of independent barriers to fission product release. The containment and its supporting systems are one of these barriers. Containment design criteria are based on a set of deterministically derived challenges. Pressure and temperature challenges are usually based on the design basis loss-of-coolant accident; radionuclide challenges are based on the source term of 10 CFR Part 100. Also, criteria based on external events such as earthquakes, floods, and tornadoes are considered. The margins of safety provided by such practices have been the subject of considerable research and evaluation, and these studies have shown the ability of many containment systems to survive pressure challenges of two to three times design levels. Because of these margins, the various containment types presently used in the United States have the capability to withstand, to varying degrees, many of the challenges presented by severe accidents. For each type of containment, however, there remain failure mechanisms that could lead to either early or late containment failure, depending on both the accident scenarios involved and the containment types.
This appendix discusses the key phenomena and/or processes that can take place during the evolution of a severe accident and that can have an important effect on the containment behavior. In addition, general guidance on the evaluation of containment system performance given the present state of the art of analysis of these phenomena is provided. The evaluation should be a pragmatic exploitation of the present containment capability. It should give an understanding and appreciation of severe accident behavior, should recognize the role of mitigating systems, and should ultimately result in the development of accident management procedures that could both prevent and ameliorate the consequences of some of the more probable severe accident sequences involved. The users of this appendix are referred to Chapter 7 of Volume 1 of NUREG/CR-2300, "PRA Procedures Guide," for a more detailed description of procedures and guidance on containment performance analysis. The additional information provided here summarizes some more recent developments in core melt phenomenology relevant to containment performance, identifies areas of uncertainty, and suggests ways of proceeding with the evaluation of containment performance despite uncertainties,and potential ways of improving containment performance for severe accident challenges. In this reloads, the Severe Accident Prevention and Mitigation Features report (NUREG/CR-4920) summarizes insights gained from industry sponsored PRAs, NUREG-1150, and IDCOR reference plant analyses. The report identifies plant features and operator actions that have been found to be important to either the prevention or the mitigation of severe accidents for a specific plant containment type. The report indicates what may be important to risk and suggests potential improvements in various areas of plant design and operation. These insights and suggestions may be helpful when conducting the IPE and when making decisions on plant improvements.
1-1
.
The systems analysis portion of the IPE identifies accident sequences that occur as a result of an initiating event followed by failure of various systems or failure of plant personnel to respond correctly to the accident. Although the number of possible core melt accident sequences is very large, the number of containment system performance analyses does not have to be as large. The number of sequences can be reduced by grouping those accident sequences that have a similar effect on the plant features that determine the release and transport of fission products.
A containment event tree (CET) could provide a structured way for the systematic analysis of containment phenomena provided:
1. The CET is quantified, i.e., branch point split fractions are
propagated for each sequence based on the most recent data base
regarding important severe accident phenomena including considerations
of uncertainties (e.g., letters from T. Speis, NRC, to A. Buhl, ITC,
"Position Papers for the NRC/IDCOR Technical Issues," dated September
22, 1986; November 26, 1986; and March 11, 1987).
2. The system analysis is integrated with the containment analysis so
that initiating events and system failures (resulting in core damage)
that also impair containment systems are not overlooked.
3. The duration and sequencing of the interacting events are specified,
e.g., the times at which core damage and containment failure occur,
the time of inventory depletion (in particular, as related to recovery
from an accident), the success or failure of equipment or operator
responses, and the failure or degradation of support systems that were
originally available at the onset of the accident.
2. Status of Containment Systems Prior to Vessel Failure
The role of interfaces between the system analysis (front-end) and the containment performance analysis (back-end) is particularly important from two perspectives. First, the likelihood of core damage can be Influenced by the status of particular containment systems. Second, containment performance can be influenced by the status of core cooling systems. Thus, because the influences can flow, in both directions between the system analysis (front-end) and the containment performance analysis (back-end), particular attention must be given to these interfaces.
To ensure consistency within entire sequences, the analysis should include a cross-checking sheet of the following by sequence: (1) the sequence frequency, (2) whether the containment is bypassed, (3) whether the containment is isolated, (4) the containment system and reactor system availability, and (5) the approximate source term. This cross-checking sheet would be reviewed by both the systems analyst and the source term analyst to provide added assurance that the status of key systems is treated consistently in the front-end and back-end analyses. Other options to ensure adequate interfaces can be used instead of the cross-checking list identified above.
In order to examine the containment performance, the status of the containment systems and related equipment prior to core melt should be determined. The first CET nodal decision point is to determine the likelihood of whether the
1-2
.
containment is isolated, bypassed, intact, or failed (i.e., a branch point split fraction). This requires analyses of (1) the pathways that could significantly contribute to containment-isolation failure, (2) the signals required to automatically isolate the penetration, (3) the potential for generating the signals for all initiating events, (4) the examination of the testing and maintenance procedures, and (5) the quantification of each containment-isolation failure mode (including common mode failures).
In the early phase of an accident, steam and combustible gases are the main contributors to containment pressurization. The objective of the containment decay heat removal systems such as sprays, fan coolers, and the suppression systems is to control the evolution of accidents that would otherwise lead to containment failure and the release of fission products to the environs. The effectiveness of the several containment decay heat removal systems for accomplishing the intended mitigating function should be examined to determine the probability of successful performance under accident conditions. This includes potential intersystem dependencies as well as the identification of all the specific functions being performed and the determination of the mission time considering potential failure due to inventory depletion (coolant, control air, and control power) or environmental conditions. If, as a result of the accident sequence, the front-line containment decay heat removal systems fail to function, if their effectiveness is degraded, or if the operator fails to respond in a timely manner to the accident symptoms, the containment pressure would continue to increase. In this case, some systems that were not intended to perform a safety function might be called upon to perform that role during an accident, If the use of such systems is considered during the examination, their effectiveness and probability of success for fulfilling the needed safety function should also be examined. Part of the examination should be to determine if adequate procedures exist to ensure the effective implementation of the appropriate operator actions.
3. Phenomena After Vessel Failure
If adequate heat removal capability does not exist in a particular accident sequence, the core will degrade and the containment could potentially over- pressurize and eventually fail. Efforts to stabilize the core before reactor vessel failure or to extend the time available for vessel reflood should be investigated. For certain accident groups that proceed past vessel failure, the containment pressurization rate could exceed the capability of the mitigating systems to reject the energy associated with the severe accident phenomena encountered with vessel failure. For each such accident sequence, the molten core debris will relocate, melting through and mixing with materials in its path. Depending on the particular containment geometry and the accident sequence groups, a variety of important phenomena influence the challenges to containment integrity.
The guidance provided below deals with this subject at three levels. The first provides some rather general considerations regarding the nature of these phenomena as they impact containment (Section 3.1). The second level considers the manifestation of these phenomena in more detail within the generic high and low pressure scenarios (Sections 3.1.1 and 3.1.2). Finally, the third level provides some specific guidance particularly regarding the treatment of certain important areas of uncertainty (Section 4).
1-3
.
3.1 General Description of the Phenomena Associated with Severe Accident
Considerations
The contact of molten corium with water, referred to as fuel-coolant interaction, can occur both in-vessel and ex-vessel. If the interaction is energetic inside the reactor vessel, it may generate missiles and a rapid pressurization (steam explosion) of the primary system. Early containment failure associated with in-vessel steam explosions is generally considered to be of low enough likelihood to not warrant additional consideration (NUREG-1116). However, smaller, less energetic in-vessel steam explosions are not unlikely and their influence on fission product release and hydrogen generation are still under investigation. If the fuel-coolant interaction occurs ex-vessel, as might happen if molten fuel fell into a water-filled cavity upon vessel meltthrough, it may disperse the corium and lead to rapid pressurization (steam spike) of the containment. In any case, at one extreme, abundant presence of water would favor quenching of the corium mass and the continued dissipation of the decay heat by steaming would lead to containment pressurization. Clearly in the absence of external cooling, the containment will eventually overpressurize and fail, although the presence of extensive, passive heat sinks (structures) within the containment volume would delay the occurrence of such an event. Fuel-coolant interactions can also yield a chemical reaction between steam and the metallic component of the melt, producing hydrogen and the consequent potential for burns and/or explosions.
At the other extreme, when water is not available, the principal interaction of the molten corium is with the concrete floor of the containment. This interaction produces three challenge to containment integrity. First, the concrete decomposition gives off noncondensible gases (CO2, CO) (of certain composition) that contribute to pressurizing the containment atmosphere. Second, concrete of certain compositions decomposes and releases CO2 and steam, which can interact with the metallic components in the melt to yield highly flammable CO and H2, with potential consequences ranging from benign burns at relatively low hydrogen concentrations to rapid deflagrations at high hydrogen concentrations. Third, continued penetration of the floor can directly breach the containment boundary. Also, thermal attack by the molten corium of retaining sidewalls could produce structural failure within the containment causing damage to vital systems and perhaps to failure of containment boundary.
Another type of fuel interaction is with the containment atmosphere. Scenarios can be postulated (e.g., station blackout) in which the reactor vessel and primary system remain at high pressure as the core is melting and relocating to the bottom of the vessel. Continued attack of the molten corium on the vessel lower head could eventually cause the lower head to fail. Because of a potentially high (approximately 2500 psi) driving pressure, the molten corium could be energetically ejected from the vessel. Uncertainties remain related to the effect of the following on direct containment heating: (1) vessel failure area, (2) the amount of molten corium in the lower head at the time of failure, (3) the degree to which it fragments upon ejection, (4) the degree and extent to which a path from the lower cavity to the upper containment atmosphere is obstructed, (5) the fragmented molten corium that could enter and interact with the upper containment atmosphere, and (6) cavity gas temperature. Since the containment atmosphere has small heat capacity, the energy in the fragmented corium could rapidly transfer to the containment atmosphere, causing a
1-4
.
rapid pressurization. The severity of such an event could be further exacerbated by any hydrogen that may be simultaneously dispersed and direct oxidation (exothermic) of any metallic components. Depending upon this and the other factors previously mentioned, this pressurization could challenge containment integrity early in the event.
The BWR Mark I and Mark II containments are normally inerted. Therefore, non-condensible gases such as hydrogen and oxygen released following a severe accident would pressurize the containment, but would not burn or rapidly deflagrate. If the containment is deinerted, additional pressurization events or dynamic loads obtained from global hydrogen burn or detonations must be considered. Local burns are also potentially important as they may degrade the seals around the various penetrations or produce a thermal environment that challenges the operability of important equipment.
Even with the above limited perspective, it should be clear that given a core melt accident, a great deal of the phenomenological progression hinges upon water availability and the outcome of the fuel-coolant interactions; specifically whether a full quench has been achieved and whether the resulting particulates will remain coolable. In general, the presence of fine particulates to any significant degree would imply the occurrence of energetic steam explosions and hence the presence of significant forces that would be expected to disperse the particulates to coolable configurations outside the reactor cavity. Otherwise, the coolability of deep corium beds of coarse particulates is the major concern. A summary of how these mechanisms interface and interact as they integrate into an accident sequence is given below.
3.1.1 Accident Sequences - High-Pressure Scenario
The core melt sequence at high primary system pressure is often due to a station blackout sequence. The high-pressure scenario also represents one of the most significant contributors to risk. The initial stages of core degradation involve coolant boiloff and core heatup in a steam environment. At such high pressures, the volumetric heat capacity of steam is a significant fraction of that of water (about one-third), and one should expect significant core (decay) energy redistribution due to natural circulation loops set up between the core and the remaining cooler components of the primary system. Consensus appears to be developing that as a result of this energy redistribution, the primary system pressure boundary could fail prior to the occurrence of large-scale core melt. The location and the size of failure, however, remain uncertain. For example, concerns have been raised about the possibility of steam generator tube failures and associated containment bypass. If the vessel lower head fails, violent melt ejection could produce large-scale dispersal and the direct containment heating phenomenon mentioned previously. A significant amount of research in the past has not, yet produced definitive results on this issue.
Concerns may also be raised about the potentially energetic role of hydrogen within the blowdown process. The presence of hydrogen arises from two complementary mechanisms: (1) the metal-water reaction occurring at an accelerated pace throughout the in-vessel core heatup/meltdown/slump portion of the transient, and (2) the reaction between any remaining metallic components in the melt and the high-speed steam flow that partly overlaps and follows the melt ejection from the reactor vessel. The combined result is the release of rather large quantities of hydrogen into the containment volume within a short time
1-5
.
period (a few tens of seconds). The implication is that the consideration of containment atmosphere compositions and associated burning, explosion, or detonation potential becomes complicated by a whole range of highly transient regimes and large spatial gradients.
A recent independent review of uncertainties in estimates of source terms from severe accidents by an NRC-sponsored panel of experts (NUREG/CR-4883) provided an additional perspective on these issues and made recommendations for their resolution. In particular, "if direct containment heating or containment bypass through steam generator tube failure contribute importantly to risk, this may indicate a need for a hardware modification or a procedural measure to ensure depressurization before primary system failure. An early study of relative merits of the possibilities available would be valuable." The staff is in favor of adopting the panel recommendation and has initiated a research program to study the effect of depressurization on the core melt progression and the potential benefit in preventing direct containment heating.
3.1.2 Accident Sequence - Low-Pressure Scenario
At low system pressure, decay heat redistribution due to natural circulation flow (in steam) is negligible and core degradation occurs at nearly adiabatic conditions. Steam boiloff, together with any hydrogen generation, is continuously released to the containment atmosphere, where mixing is driven by natural convection currents coupled with condensation processes. The upper internals of the reactor vessel remain relatively cold, offering the possibility of trapping fission product vapor and aerosols before they are released to the containment atmosphere. Throughout this core heatup and meltdown process, the potential to significantly load the containment is small. The first possibility for significant energetic loads on the containment occurs when the molten core debris penetrates the lower core support structure and slumps into the lower plenum. The outcome of this interaction cannot be predicted precisely. Thus, a whole range of behavior must be considered in order to cover subsequent events. At the one extreme the interaction is benign, yielding no more than some steam (and hydrogen) production while the melt quickly reagglomerates on the lower reactor vessel head. At the other extreme an energetic steam explosion occurs. It may be possible to distinguish intermediate outcomes by the degree to which the vessel integrity is degraded. In analyzing this phase of the accident scenario, the important tasks are to determine the likelihood of containment failure and to define an envelope of corium relocation paths into the containment. The latter is needed to ensure the assessment of the potential for such a phenomenon as liner meltthrough.
Consideration should also be given to ex-vessel coolability as the corium can potentially interact with the concrete. The non-energetic release (vessel lower head meltthrough) and spreading upon the accessible portions of the containment floor below the vessel needs to be examined. There is a great deal of variability in accessible floor area among the various designs for some PWR cavity designs. The area over which the core debris could spread is rather small given whole-core melts and the resultant pool being in excess of 50 cm deep. In the absence of water, all these configurations would yield concrete attack and decomposition of variable intensity. In the presence of water (i.e., containment sprays), even deep pools may be considered quenchable and coolable. However, the possibility exists for insulating crusts or vapor barriers at the corium-water interface.
1-6
.
Both of these two extremes should be considered. The task is to estimate the range of containment internal pressures, temperatures, and gas compositions as well as the extent of concrete floor penetration and structural attack until the situation has been stabilized. In general, pressurization from continuing core-concrete interactions (dry case) would be considerably slower than from coolable debris configurations (wet case) because of the absence of steam pressurization. As a final and crucial part of this scenario, one must address the combustible gas effect. This must include evaluation of the quantities and composition of combustible gases released to the containment, local inerting and deinerting by steam and CO2, as well as hydrogen mixing and transport. Also included should be consideration of gaseous pathways between the cavity and upper containment volume to confirm the adequacy of communication to support natural circulation, and recombination of combustible gases in the reactor cavity.
4. General Guidance on Containment Performance
In the approach outlined in this appendix, emphasis is placed on those areas that would ensure that the IPE process considers the full range of severe accidents. The IPE process should be directed toward developing a plant-specific accident management scheme to deal with the probable causes of poor containment performance at each plant. To achieve these goals, it is of vital importance to understand how reliable each of the CET estimates are, and what the driving factors are. Decisions on potential improvements should be made only after, appropriately considering the sources of uncertainties. Of course, preventing failure altogether is predicated upon recovering some containment heat removal capability. Given that in either case pressurization develops on the time scale of many hours, feasible recovery actions could be planned as part of accident management.
It is the staff's view that the bulk of phenomenological uncertainties affecting containment response is associated with the high-pressure scenarios. Unless the licensee can demonstrate that the primary system can be reliably depressurized, a low probability of early containment failure should not be automatically assumed. Similarly, for BWRs it should not be assumed that the availability of the automatic depressurization system (ADS) in an event will ensure that reactor vessel failure will always occur at low pressure, since the operability of the ADS, in some plants, depends on maintaining a requisite differential pressure between containment and the reactor coolant systems.
Low-pressure sequences, by comparison, present few remaining areas of controversy. For BWRs, phenomenological uncertainties are associated with the behavior of combustibles and the spreading of the corium on the drywell floor. For PWRs, these areas include the coolability behavior of deep molten corium pools and the behavior of hydrogen (and other combustibles) in the containment atmosphere. The staff's views and guidance concerning each one of these areas is briefly summarized below.
The concerns about deep corium pools arose from experiments with top-flooded melts that exhibited crust formation and long-term isolation of the melt from the water coolant. Such noncoolable configurations would yield continuing concrete attack and a containment loading behavior significantly different from coolable ones. On the other hand, it has been pointed out that small-scale
1-7
.
experiments would unrealistically not favor coolability. The staff views this as an area of uncertainty and recommends that assessments be based on available cavity (spread) area and an assumed maximum coolable depth of 25 cm. For depths in excess of 25 cm, both the coolable and noncoolable outcomes should be considered. Along these lines the IPE should document the geometric details of cavity configuration and flow paths out of the cavity, including any water drain areas into it as appropriate.
With respect to hydrogen, the staff concerns are related to completeness of the current understanding of hydrogen mixing and transport. In general, combustibles accumulate very slowly and only if continuing concrete attack is postulated. For the larger dry containments, because of the large containment volume and slow release rates, compositions in the detonable range may not develop unless significant spatial concentrations exist or significant steam condensation occurs. In general, the containment atmosphere under such conditions would exhibit strong natural circulation currents that would tend to counteract any tendency to stratify. However, condensation-driven circulation patterns and other potential stratification mechanisms could limit the extent of the containment volume participating in the mixing process. For those plants with igniters (ice-condenser and Mark III plants), the buildup of combustibles from continuing corium-concrete interactions could be limited by local ignition and burning. However, oxygen availability as determined from natural circulation flows could limit the effectiveness of this mechanism. Finally, in all cases inerting/deinerting thresholds and ignition aspects need additional attention. The staff recommends that, as part of the IPE, all geometric details impacting the above phenomena (i.e., heat sink distribution, circulation paths, ignition sources, water availability, and gravity drain paths) should be documented in a readily comprehensible form, together with representative combustible source transients.
For normally inerted BWRs, the concerns with combustibles relate to potential burns and/or explosion events in deinerted Mark I or Mark II containments or in the secondary containment building following containment failure. The staff recommends that, unless deinerting can be satisfactorily ruled out by probability, its occurrence and consequences should be included in the event trees. Regarding the secondary containment, the staff believes that consideration of combustibles in it is essential with respect to the reactor building effectiveness in limiting the source term.
Finally, uncertainties arise for all plants because of lack of knowledge on how the corium will spread following discharge from the reactor vessel. For Mark I containments, such uncertainties impact the configuration of the corium-concrete interaction process and also the potential for drywell liner meltthrough. It is recommended that an assessment of the debris coolability, based on available water sources, should be performed to determine the possibility for liner meltthrough. For Mark II containments, uncertainties are associated with the retention of corium on the drywell floor (and associated corium-concrete interactions) and the extent of fuel-coolant interactions in the suppression pool. For PWR containments, the reactor cavity configuration will influence the potential for direct attack of the liner by dispersed debris, as well as the potential for basemat failure or structural failure due to thermal attack. The staff recommends that the IPE document describe the detailed geometry (including curbs, standoffs) of the drywell floor.
1-8
.
As discussed earlier, a CET provides a,structured way for a systematic analysis of containment phenomena. Separate CETs representing the high-pressure and low-pressure sequences deal with uncertainties discussed earlier.
In general terms, and consistent with the overall IPE objectives, the staff guidance on the approach to the back-end analysis can be summarized as follows:
1. The approach should focus on containment failure mechanisms and
timing. Releases should be based on corresponding release categories
and associated detailed quantifications from reference plant analyses
and applied to the plant being examined.
2. All severe accident sequences that meet the criteria of Appendix 2
should be considered and reported.
3. System/human response should be realistically integrated with
phenomenological aspects into simplified, but realistic, containment
event trees for the plant being examined. Allowance should be made
for the probability of recovery or other accident management
procedures (particularly for long-term responses).
4. The quantification of the containment event trees should both (a)
clearly take into account the expected progression of the accident and
(b) aim to envelop phenomenological behavior (i.e., account for
uncertainties). This implies:
a. Identification of the most probable list of potential containment
failure mechanisms applicable to the plant under consideration
(e.g., see Table 7-1, NUREG/CR-2300).
b. Use of existing structural analyses to determine the ultimate
pressure capability of the containment, i.e., the quasi-static
internal pressure resulting in containment failure. These should
be modified as necessary to take into account any unique aspects
that could substantially modify the range of possible failure
pressures.
c. Use of available separate-effects analyses for the other
potential containment failure mechanisms to determine other
failure modes to which the plant might be vulnerable. As stated
earlier, there are some severe accident phenomenological issues
(e.g., direct containment heating and containment shell
meltthrough) where research has not produced conclusive results
on the challenges that these phenomena could pose to containment
integrity. Consideration must be given to strategies to deal
with those severe accident issues. For example, although there
appears to be no consensus on whether water availability will
fully quench the debris and keep it coolable and hence prevent
Mark I containment shell meltthrough, there is a broad agreement
that the presence of water will scrub the fission products and
could substantially reduce the radionuclide released even if
containment shell meltthrough were to occur. Utilities should be
aware of these insights and experience when conducting the IPE
and should develop appropriate strategies to deal with those
phenomenological issues while awaiting their generic resolution
as discussed in Section 4 of the IPE generic letter.
1-9
.
d. Development of a plant-specific probability distribution function
of failure likelihood for the range of failure pressures.
e. Any claim of decontamination factors for the secondary
containment in the analyses should consider the possibility of no
natural circulation, resulting in less time for aerosol
deposition, as well as localized hydrogen burns causing reactor
building failure and forcing the reactor building atmosphere out
into the environment.
5. Documentation should be presented concerning how any calculation was
performed, what assumptions have been made, and how these phenomena
couple to other aspects of the analysis. Any use of codes within the
IPE to calculate accident progression up to and including the source
term calculation should be described along with the circumstances
under which the code was used, the version of the code used, any code
revisions used, the key modeling and input assumptions, and the
calculated results.
6. The insights gained from the containment performance analysis should
be factored into the utility's accident management program.
1-10
.
APPENDIX 2
CRITERIA FOR SELECTING IMPORTANT SEVERE ACCIDENT SEQUENCES
Sequence Selection Criteria
The following screening criteria should be used to determine which potentially important functional sequences* and functional failures (based on the procedure established in NUREG/CR-2300) that might lead to core damage or unusually poor containment performance should be reported to the NRC in the IPE submittal. They do not represent a threshold for vulnerability. All numerical values given in this appendix are "expected"** values.
1. Any functional sequence that contributes 1E-6*** or more per reactor
year to core damage,
2. Any functional sequence that contributes 5% or more to the total core
damage frequency,
3. Any functional sequence that has a core damage frequency greater than
or equal to 1E-6 per reactor year and that leads to containment
failure which can result in a radioactive release magnitude greater
than or equal to the BWR-3 or PWR-4 release categories of WASH-1400,
4. Functional sequences that contribute to a containment bypass frequency
in excess of 1E-7 per reactor year, or
5. Any functional sequences that the utility determines from previous
applicable PRAs or by utility engineering judgment to be important
contributors to core damage frequency or poor containment performance.
____________________
- " Sequence" is used here to mean a set of faults, usually chronological,
that result in the plant consequence of interest, i.e., either a damaged core or unusually poor containment performance. A systemic sequence is a set of faulted systems that summarizes by systems a set of component failures resulting in a damaged core or unusually poor containment performance. A functional sequence is a set of faulted functions that summarizes by function a set of systems faults which would result in the consequence of interest.
- For those cases where only point estimates are generated, the licensee
shall propose a suitable factor that adjusts the overall value to the "expected" level.
- lE-6 denotes abbreviated scientific notation for I x 10-6.
2-1
.
APPENDIX 3
ACCIDENT MANAGEMENT
There already is an international consensus that the cause and consequences of a severe core damage accident can be greatly influenced by the operator's actions. In addition, the ability of essential equipment to survive the environment resulting from severe accidents is an important consideration in mitigating a severe core damage accident and managing its progression. The failure of essential equipment can (1) incapacitate or remove systems needed to respond to severe accidents or (2) misinform the operator.
The NRC has initiated a research program to examine the efficacy of generic accident management strategies. We intend to periodically meet with industry (NUMARC) to compare the results of our respective programs. However, the staff has done some preliminary work in defining the key elements of a severe accident management program.
Since your IPE results will ultimately play a significant role in the development of such a program for your plant, we are providing you with the results of our work at this time. The main elements of an accident management program should address: (1) the organizational responsibilities and structure needed to direct the responses to a severe accident, (2) the instrumentation, procedures, and alarms needed to diagnose severe accidents, and the procedures and equipment needed to accomplish the functions necessary to prevent and to mitigate leading accidents, and (3) the procedures and training needed for operators to be skilled in possible remedial actions.
Suggested Elements of an Accident Management Program
1. Organization
The first element of any severe accident management program is to assign responsibilities for dealing with these accidents and to identify the necessary organizational structure.
The utility should decide which operators are to be trained to manage severe accidents or if a separate evaluation team is to be established to direct the operators. Clear lines of decision making authority should be established. For example, if containment venting is an option that could conceivably be considered during the course of an accident to prevent overpressure failure, then the person responsible for making that decision should be clearly identified to all involved personnel. Analyses of ultimate containment strength, the venting pressure, and the advantages, disadvantages, and potential consequences should also have been evaluated beforehand, and the decision makers should be properly trained from the evaluation results to make an informed decision.
2. Instrumentation and Equipment
Practically every aspect of plant operation is likely to be involved in accident management. Coordination among the various organizational units is vital for communicating the status and the control of needed equipment. It should be clear (1) what information is needed to make decisions, (2) who is responsible
3-1
.
for obtaining the information, (3) what instruments plant personnel can rely on to determine the status of the plant, and (4) what essential equipment is needed to mitigate severe accidents and the time interval for which it is needed. Survivability of specific equipment needs to be evaluated by establishing whether the qualification of equipment for design basis events is sufficient to support the assumed performance of this equipment during severe accidents.
For sequences with a significant potential to progress beyond core melt, means of maintaining containment integrity is the main goal. Heat removal from the containment and retention of fission products are the most important functions. Equipment needed to accomplish these functions should have been identified and appropriate preparations made. All reasonable preparations to enable operators to recognize approaching containment failure, to assess possible remedial actions, and to accomplish the necessary functions should be provided. Potentially adverse action should be identified and evaluated. For example, recovery and initiation of containment sprays after the containment has a substantial quantity of steam and hydrogen can condense the steam and may leave a detonable mixture of hydrogen. Similarly, spraying into a containment that has been vented could result in a vacuum and possible implosion.
If special equipment might be needed to both prevent and mitigate severe accidents, provisions might be made to ensure its timely availability. The responsibility to take such action should be assigned, and the individuals responsible should know where to procure the needed equipment.
3. Procedures and Training
The accident management plan should be developed to accomplish these functions for each set of the leading accident sequences despite the degraded state of the plant. There should be consistency and smooth transition between the emergency operating procedures and the accident management plan. The plan should be checked against the existing organizational structure to ensure that responsibilities for managing each accident are clearly defined and the responsible personnel are adequately trained.
3-2
.
APPENDIX 4
DOCUMENTATION
At a minimum, the following information on the IPE should be documented and submitted to the NRC:
1. Certification that an IPE has been completed and documented as
requested by the provisions contained in this generic letter. The
certification should also identify the measures taken to ensure the
technical adequacy of the IPE and the validation of the results,
including any uncertainty, sensitivity, and importance analysis.
2. A list of all initiating events, the containment phenomena, and the
damage states examined.
3. All function event trees and containment event trees (including
quantification) as well as all data (including origin and method of
analysis). The fault trees (or equivalent system failure models) for
the systems identified, using the criteria of Appendix 2, as main
contributors to core damage or unusually poor containment performance
should also be provided.
4. The support state models for the IDCOR IPEMs, including descriptions
of all applicable findings from the visual inspections.
5. A description of each functional sequence selected by the criteria of
Appendix 2, including discussion of accident sequence progression,
specific assumptions, and human recovery action.
6. The estimated core damage frequency and the likelihood or conditional
probability of a large release. The timing of significant large
releases for each of the leading functional sequences. A list of
analysis assumptions with their basis should be provided along with
the source of uncertainties.
7. Identification of the USI(s) and GSI(s), if applicable, that have been
assessed to estimate their contribution to the core damage frequency
or to unusually poor containment performance.
8. A description of the technical basis for resolving any USI or GSI when
applicable.
9. A list of the potential improvements, if any (including equipment
changes as well as changes in maintenance, operating and emergency
procedures, surveillance, staffing, and training programs) that have
been selected for implementation and a schedule for their
implementation or that are already implemented. Include a discussion
of the anticipated benefit as well as any drawbacks.
10. A description of the review performed by a utility party not directly
involved in producing the IPE to evaluate or oversee the IPE review.
11. Documentation on the level of licensee staff involvement in the IPE.
4-1
.
Retained Information
The documentation pertaining to the examination that must be retained by the utility for the duration of the license or until superseded includes applicable event trees and fault trees, current versions of the system notebooks if applicable, walk-through reports, and the results of the examination. In general, all documents essential to an audit of the examination should be retained. In addition, the manner in which the validity of these documents has been ensured must be documented. For any actions taken by the operators for which credit is allowed in the IPE, the licensee should establish a plant procedure, to be used by those plant staff responsible for managing a severe accident should one occur, that provides assurance that the operators can and will take the required action. Plant owner groups are encouraged to develop generic guidelines from which utilities can develop plant-specific accident management programs and/or procedures.
4-2
.
APPENDIX 5
DECAY HEAT REMOVAL VULNERABILITY INSIGHTS
As part of the Unresolved Safety Issue (USI) program, six limited scope PRAs were performed under the USI A-45 project, "Shutdown Decay Heat Removal Requirements," to assess the decay heat removal (DHR) function in existing plants.* The results showed that DHR-related core damage risk is in a range, on some plants, where attention may be warranted regarding whether or not such risks can be lowered in a cost-effective manner. The results also showed that the sources of DHR-related core damage risk are highly plant specific.
The following insights have been gained as a result of those six PRAs. The insights are summarized here in order to assist licensees in the conduct of their IPEs as they relate to their search for potential core damage risk associated with DHR-related severe accident sequences. Although licensees are requested in the generic letter to proceed with the examination only for internally initiated events at the present time, insights from both internal and external events are provided in this appendix to indicate what may be important to decay heat removal function vulnerabilities when performing the IPE for externally initiated events.
Areas where such cost-effective improvements might be possible were identified for severe accident sequences initiated by transients and small-break loss-of-coolant accidents and were frequently related to lack of redundancy, separation,and physical protection in safety trains for internal fires, floods, sabotage, and seismic events.
Such areas for possible improvement were particularly apparent in plant support systems. At the support system level, there is often less redundancy, less separation and independence between trains, poorer overall general arrangement of equipment from a safety viewpoint, and much more system sharing as compared to the higher level systems. These situations suggest the possible need to investigate corrective actions that could reduce the probability that single events such as a fire, flood, or insider sabotage could disable multiple trains (or single trains with a multiple purpose) thereby creating an inability to cool the plant.
_____________________ * See the following NUREG/CR reports:
4448, "Shutdown Decay Heat Removal Analysis of a General Electric BWR3/
Mark I," March 1987.
4458, "Shutdown Decay Heat Removal Analysis of a Westinghouse 2-Loop
Pressurized Water Reactor," March 1987.
4713, "Shutdown Decay Heat Removal Analysis of a Babcock and Wilcox
Pressurized Water Reactor," March 1987.
4762, "Shutdown Decay Heat Removal Analysis of a Westinghouse 3-Loop
Pressurized Water Reactor," March 1987.
4767, "Shutdown Decay Heat Removal Analysis of a General Electric
BWR4/Mark I," July 1987.
4710, "Shutdown Decay Heat Removal Analysis of a Combustion Engineering
Pressurized Water Reactor," July 1987.
5-1
.
Human errors were found to be of special significance. The six studies modeled errors of omission (e.g., delays or failures in performing specified actions), and it was found that in many cases the resulting risk was very sensitive to the assumptions made and to the way such errors were modeled.
Consequently, great care is warranted in the development of human error models. In addition, it is likely that errors of commission are also important (i.e., where the operator misdiagnoses a situation and takes an improper action that is not be related to the actual, current plant situation). Although such "cognitive" errors are much more difficult to model, efforts to take them into account will result in a more complete picture of DHR-related risk.
Of equal importance to human errors is the credit that is allowed for recovery actions, which can have a very significant effect upon the resulting risk. Some of the more important recovery actions are recovering offsite power, fixing local faults of batteries or diesel generators, actuating safety systems manually, realigning auxiliary feedwater steam and feedwater flowpaths, and manually opening locally failed motor-operated valves. Considering the importance of such human recovery actions, considerable effort is justified in the development of the methods and assumptions used in these areas.
Transient events that are initiated or influenced by a loss of offsite power were found to contribute significantly to risk. A new rule, 10 CFR 50.63, has been issued June 21, 1988 (53 FR 23203) as a resolution to USI A-44, "Station Blackout." Implementation of this rule will reduce the risk from such events.
For PWRs, the ability to cool the plant through "feed and bleed" operations could have a significant effect upon the DHR-related core damage risk. However, care must be taken that feed and bleed operations would actually be undertaken in a real emergency situation in sufficient time to prevent core uncovery and subsequent damage. In view of the potential benefits, significant effort might be justifiable in ensuring that procedures and training are actually in place sufficient to warrant credit for feed and bleed cooling.
Just as the origins of DHR-related risk are plant specific, the effects of corrective actions are also quite plant specific and must be evaluated on a plant-by-plant basis. In choosing which potential corrective actions to investigate in more detail, a general principle is that the modifications having the highest potential for reducing the risk, for the lowest cost, will be those that increase the redundancy or availability of systems shared between units.
In summary, both the DHR-related risk and the effects of various corrective actions are highly plant specific. The dominant risks are divided between internal and external causes, and the areas of support systems and human response are of particular significance. Studies show that various cost- effective corrective actions may be possible to reduce DHR-related core damage risk after its source has been identified.
5-2
.
ATTACHMENT-1
CLOSURE OF SEVERE ACCIDENT ISSUES FOR OPERATING REACTORS
(Excerpted from SECY 88-147)
The Commission has ongoing a number of programs related to severe accident behavior in operating light water reactors. Each program addresses a specific aspect of severe accident behavior and may in fact result in a proposed specific action on the part of the staff or Commission towards the regulated industry. However, neither the staff nor Commission has yet defined for the industry which programs are critical to resolving the severe accident issues for their plants and what specific steps must be taken by each licensee to achieve this resolution.
Completion of this resolution process is termed "closure" of severe accident issues. Actions resulting from two tracks; namely, generic issues and plant-specific issues, must be taken for severe accident closure. Closure for generic severe accident issues will be obtained when the Commission takes action in the form of rulemaking, or states whatever its required approach is. Closure for plant-specific severe accident issues will be obtained when each licensee has completed certain evaluations and implemented certain programs such that events which comprise the dominant contributions to risk for each plant are identified and that practical enhancements to the design, procedures, and operation are made such that further improvements can no longer be justified by backfit analysis pursuant to 10 CFR 50.109. However, specific plant and operational improvements may be identified which do not meet the backfit rule, but if implemented, would significantly alter the risk profile of the plant, improve the balance of reliance on both prevention and mitigation, or substantively reduce uncertainties in our understanding. Any such improvements identified will be brought forward to the Commission with recommended action on a case-by-case basis. Closure of a single issue or combination of issues is achieved when the above is satisfied for that issue or those issues addressed.
It should be noted that "closure" does not imply that all severe accident activities will cease. Certain activities, such as research in the areas of severe accident phenomena and human performance will continue beyond "closure." These activities are designed to provide confirmation of previous judgments. It is expected that as a result of continuing research, experience, and other activities, additional issues or questions regarding judgments related to severe accidents may arise. These will be considered and disposed of on a case-by-case basis, and are not expected to bring into question the previous conclusions regarding closure.
The following sections describe in detail the steps that each licensee is expected to complete in order to achieve severe accident closure for each of its operating reactors.
A1-1
.
1. Completing Individual Plant Examinations (IPEs)
The IPE program is intended to be "an integrated systematic approach to an examination of each nuclear power plant now operating or under construction for possible significant risk contributors (sometimes called "outliers") that might be plant specific and might be missed absent a systematic search."
Each licensee is expected to perform an IPE using a method acceptable to the staff. As will be described in the staff generic letter implementing the IPE, the staff expects that in many cases utilities, in the performance of their IPEs, may find and will voluntarily remedy uncovered vulnerabilities by making the necessary safety improvements (conforming to the requirements of 10 CFR 50.59). However, through the review of IPE submittals, the staff may find it necessary to employ established plant-specific backfit criteria to assure that justifiable corrections are made.
For the phase of the evaluation associated with identification of dominant core melt sequences (commonly referred to as the "front end" analysis of a PRA), there is little controversy regarding methods, and we expect the industry decision process with respect to potential modifications to be straightforward. For the phase of the evaluation associated with core melting, release of molten core to the containment, and containment performance, the staff recognizes that for a few of the phenomena, notably in areas which affect containment performance, there is a wide range of views about their relative probability as well as their consequences. For these issues additional research and evaluations will be needed to help reduce the wide range of uncertainties. Because of concern over the ability of containments to perform well during some severe accidents, the staff is conducting a Containment Performance Improvements Program (for more details see Item 3 below). This program complements the IPE program and is intended to focus on resolving generic containment challenges, including issues associated with the phenomena mentioned above.
The NRC and industry currently have ongoing research programs to address these few issues. However, until a sufficient understanding of these phenomena is developed, each licensee will be faced with the need to be able to understand the potential range of probabilities and consequences associated with these issues.
Accordingly, we would expect each licensee to implement a Severe Accident Management Program which provides training and guidance to their operational and technical staff on understanding and recognizing the potential consequences of these phenomena.
We do not plan to require a licensee to consider external events in its IPE at this time. The staff is currently studying methods it would find acceptable for examining plants for severe accident vulnerabilities from external events, and will be meeting with NUMARC regarding these methods as well as the scope of an external event examination. We expect completion of the methods development within 12 to 18 months. Closure with respect to external events will be achieved upon completion of an examination of each plant, as needed, for external event vulnerabilities consistent with the conclusions of the staff studies described above.
A1-2
.
2. Accident Management.
The staff has concluded that significant risk reductions can be achieved through effective severe accident management. We also believe that the IPE conclusions reached by licensees for their plants will explicitly rely on certain operator actions, or on operators not taking actions which could adversely affect both the probability and consequences of a severe accident.
Hence, a key element to severe accident closure for each plant will be the implementation of a Severe Accident Management Program. Since information on severe accident phenomena and effective accident management strategies will continue to be developed by both NRC and industry over the next several,years, closure is not predicated on having a "complete" accident management program in place. Rather, closure is based on each licensee having an Accident Management Program framework in place, that can be expanded, modified, etc. to accommodate new information as it is developed.
3. Containment Performance Improvements
As a result of concerns related to the ability of containments to withstand some generic challenges associated with severe accidents, the staff has undertaken a program to determine what, if any, actions should be taken to reduce the vulnerability of containments to severe accident challenges, and to reduce the magnitude of releases that might result from such challenges.
Staff efforts have first focused on the BWR MARK I containment. The staff studies are primarily focused on the potential generic vulnerabilities of these containments, and not plant unique vulnerabilities, which is the primary focus of the IPEs. The staff schedule calls for an interim report on BWR MARK Is to be submitted to the Commission in June of this year, with final recommendations due in the fall of this year. The other types of containments are to be assessed by the fall of 1989.
The IPE generic letter is now expected to be issued by July of this year, and licensees will have approximately four months to respond identifying their plan for conducting the IPEs. Following the four-month period, it is expected they will commence with their IPEs. It is further expected that any modifications to Mark I containments that the staff may recommend will be available to the industry before they start their IPEs. For the other containment types, the fact that any staff recommendations will not be available until after they have commenced with their IPEs is a concern. However, the IPE generic letter will state that the staff does not expect the industry to make any major modifications to their containments until the information associated with the generic issues which affect containment performance has been developed by the staff. Hence, the industry will not be placed in a position of having to implement improvements before all containment performance decisions have been made.
4. Use of Safety Goal in the Closure Process
The staff expects to use safety goal policy and objectives, including the 10(-6)/reactor-year "large release" guideline, to assist in the resolution and 10 closure of severe accident issues. Resolution and closure of issues are expected to be of two different types, either plant unique or generic. Safety
A1-3
.
goals and objectives are to be used only for the resolution of generic issues, i.e., severe accident issues common to a defined generic class of plants. Resolution of plant unique issues is to be accomplished on a case by case basis,using the information developed by Individual Plant Examinations (IPE) as is described in Section 1.
The staff is preparing a Safety Goal Policy Implementation Plan (Revised) that incorporates the following, as directed by the Commission (Staff Requirements Memorandum dated November 6, 1987):
(1) Information on how the staff proposes to implement OGC guidance on the
use of averted on-site costs in backfit analyses.
(2) Whether averted off-site property damage costs should be included in a
more explicit manner in backfit analyses.
(3) Whether $1,000/person-rem remains an appropriate cost/benefit
criterion.
(4) A discussion of options for defining a "large release."
(5) A discussion of options for specifying appropriate plant performance
objectives.
(6) Responses to Commissioner Bernthal's questions regarding population
density considerations, and whether it would be acceptable for a plant
to have no containment if it met the large release criterion by
prevention of core melt (core damage) alone.
This plan will also reflect the consideration given by the staff to ACRS recommendations and the results of several meetings with the ACRS on this subject.
Resolution of severe accident generic issues using safety goal objectives is expected to proceed as follows. PRA information from a variety of sources, including both staff generated PRAs, (e.g., NUREG-1150) and utility generated PRAs (IPE) will be used to make comparisons with applicable safety goal objectives in accordance with the implementation plan. The staff will identify the reasons why particular plants appear to meet or not meet these objectives and assess these reasons in relation to current regulatory requirements. This assessment will constitute a testing of the effectiveness of these requirements or their implementation and is expected to result in the identification of potential changes to regulatory requirements that, for some plants, would be expected to result in safety enhancements. These, in turn, will be subject to appropriate regulatory analysis as provided in the Commission's backfit rule 10 CFR 50.109. Those that can be shown to provide substantial safety benefit and are cost-effective will be proposed to the Commission for backfit, possibly in the form of rulemaking. The staff expects that this process would have no impact on classes of plants for which there is reasonable assurance that safety goal objectives are met. This expectation is based upon the intent to identify those features of design and/or performance that are already in place at plants meeting safety goal objectives and to structure any new requirements such that they do not require changes or additions at these plants.
A1-4
.
The staff's revised Safety Goal Implementation Plan is scheduled to reach the Commission in August, 1988. The first application is expected to be reflected in the staff's recommendations to the Commission in the Fall of 1988 on potential improvements to BWR MARK I severe accident containment performance.
5. Summary of Closure Process
In summary, the steps which each licensee is expected to take to achieve closure on severe accidents for its plants are as follows:
o Complete the IPEs; identify potential improvements, evaluate and fix
as appropriate.
o Develop and implement a framework for an Accident Management Program
that can accommodate new information as it is developed.
o Implement any Commission-approved generic requirements resulting from
the staff Containment Performance Improvement Program; this should
constitute closure of containment performance generic issues.
While programs for improved plant operations and research in the area of severe accidents will continue, completion of the above by a licensee is considered to constitute "closure" of the severe accident issue for the plant in question. Specific issues that may arise in the future as a result of ongoing research will be treated on a case-by-case basis and will not affect the closure process.
A1-5
.
ATTACHMENT 2
LIST OF REFERENCES OF THE IDCOR PROGRAM REPORTS AND KEY NRC REPORTS
IDCOR Reports
Tech. Report No. Title
1.1 Safety Goal/Evaluation Implications for IDCOR 2.1 Ground Rules for Industry Degraded Rule Making Program 3.1 Define Initial Likely Sequences 3.2 Assess Dominant Sequences 3.3 Selection of Dominant Sequences 4.1 Containment Event Trees 5.1 Human Error Effects on Dominant Sequences 6.1 Risk Significant Profile for ESF and Other Equipment 7.1 Baseline Risk Profile for Current Generation Plants 9.1 Preventive Methods to Arrest Sequences of Events
Prior to Core Damage w/Revision 1
10.1 Containment Structural Capability of LWRs 11.1/11.5 Estimation of Fission Product and Core Material
Characteristics
11.2 Identifying Pathways of Fission Product Transport 11.3 Fission Product Transport in Degraded Core Accidents 11.6 Resuspension of Deposited Aerosols 11.7 FAI Aerosol Correlation 12.1 Hydrogen Generation During Severe Core Damage Sequences 12.2 Hydrogen Distribution in Reactor Containment Buildings 12.3 Hydrogen Combustion in Reactor Containment Buildings 13.2-3 Evaluation of Means to Prevent, Suppress or Control
Hydrogen Burning in Reactor Containments
14.1A Key Phenomenological Models for Assessing Explosive
Steam Generation Rates
14.1B Key Phenomenological Models for Assessing Non-Explosive
Steam Generation Rates
15.1 Analysis of In-Vessel Core Melt Progression 15.1A In-Vessel Core Melt Progression Phenomena 15.1B In Vessel Core Melt Progression Phenomena 15.2A Effect of Core Melt Accidents on PWRs with Top Entry
Instruments
15.2B Final Report on Debris Coolability, Vessel Penetration,
and Debris Dispersal
15.3 Core-Concrete Interactions 16.1 Assess Available Codes, Define Use and Follow and
Support Ongoing Activities
16.1A Review of MAAP PWR and BWR Codes 16.2-3 MAAP Modular Accident Analysis Program User's Manual,
Vols. I & II
16.4 Analysis to Support MAAP Phenomenological Models 17 Equipment Survivability
A2-1
.
ATTACHMENT 2 (Continued)
17.5 Draft Final Report: An Investigation of
High-Temperature Accident Conditions for Mark-1
Containment Vessels
18.1 Evaluation of Atmospheric and Liquid Pathway Dose 18.2 Completion of Conditional Complementary Cumulative
Distribution Functions
19.1 Alternate Containment Concepts 20.1 Core Retention Devices 21.1 Risk Reduction Potential 22.1 Safe Stable States 23.1 Uncertainty Studies for PB, GG, Zion, Sequoyah 23.1B Peach Bottom - Integrated Containment Analysis 23.1Z Zion - Integrated Containment Analysis 23.1S Sequoyah - Integrated Containment Analysis 23.1GG Grand Gulf - Integrated Containment Analysis 23.4 MAAP Uncertainty Analysis 23.5 Containment Bypass Analysis 24.4 Operator Response to Severe Accidents 85.1 IDCOR 85 Program Plan 85.2 Technical Support for Issue Resolution 85.3 IPEM A1 Thru B2
IPE Applications PB, Susquehanna, Zion, Oconee,
BWR User's Guide
85.4 Reassessment of Emergency Planning Requirements
With Present Source Terms
85.5A Revised Source Terms 85.5B Source Terms and Emergency Planning 86.20C Verification of IPE for Oconee 86.3A2 IPE Source Term Methodology for PWRs 86.3B2 IPE Source term Methodology for BWRs 86.20G Verification of IPE for Grand Gulf 86.25H Verification of IPE for Shoreham
A2-2
.
NRC and NRC Contractor Reports
Tech. Report No. Title
NUREG-0956 Reassessment of the Technical Bases for
Estimating Source Term
NUREG-1032 Evaluation of ion Blackout Accidents at
Nuclear Power Plants
NUREG-1037 Containment Performance Working Group Report NUREG-1079 Estimates of Early Containment Loads from Core
Melt Accidents
NUREG-1116 A Review of the Current Understanding of the
Potential for Containment Failure from
In-Vessel Steam Explosions
NUREG-1150 Volumes 1-3 Reactor Risk Reference Document NUREG-1265 Uncertainty Papers on Severe Accident Source
Terms
NUREG/CR-2300 PRA Proceed Guide NUREG/CR-2815 Probabilistic Safety Assessment Procedures
Guide
NUREG/CR-4177 Volumes 1-2 Management of Severe Accidents NUREG/CR-4458 Shutdown Decay Heat Removal Analysis of a
Westinghouse 2-Loop PWR
NUREG/CR-4550 Volumes 1-4 Analysis of Core Damage Frequency from
Internal Events
NUREG/CR-4551 Volumes 1-4 Evaluation of Severe Accident Risks and the
Potential for Risk Reduction
NUREG/CR-4696 Containment Venting Analysis for the Peach
Bottom Atomic Power Station
NUREG/CR-4700 Volumes 1-4 Containment Event Analysis for Postulated
Severe Accidents
NUREG/CR-4767 Shutdown Decay Heat Removal Analysis of a GE
BWR4/Mark I
NUREG/CR-4881 Fission Product Release Characteristics into
Containment Under Design Basis and Severe
Accident Conditions
NUREG/CR-4883 Review of Research on Uncertainties in
Estimates of Source Terms from Severe
Accidents in Nuclear Power Plants
NUREG/CR-4920 Volumes 1-5 Assessment of Severe Accident Prevention and
Mitigation Features
NUREG/CR-5132 Severe Accident Insights Report }}