ML103620076: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol)
3. Technical Activities 3-118

Scope. Generally, in a Level 3 analysis, a distribution of consequences is obtained by statistical sampling of the weather conditions at the site. Each set of consequences, however, is conditional on the characteristics of the release (or source term) which are evaluated in the Level 2 analysis.

An integrated risk assessment combines the results of the Levels 1, 2, and 3 analyses to compute the selected measures of risk in a self-consistent and statistically rigorous manner. The risk measures usually selected are: early fatalities, latent cancer fatalities, population dose, and quantitative health objectives (QHOs) of the U.S. Nuclear Regulatory Commission (NRC) Safety Goals (NRC, 1986). Again, the actual risk measures calculated will depend on the PRA Scope.

====3.4.5 References====

* Chanin, D. I., and M. L. Young, "Code Manual for MACCS2: Volume 1, User's Guide," SAND97-0594, Sandia National Laboratories, March 1997.
* Chanin, D. I., et al., "MACCS Version 1.5.11.1: A Maintenance Release of the Code," NUREG/CR-6059, Sandia National Laboratories, October 1993.
* Chanin, D. I., et al., "MELCOR Accident Consequence Code System (MACCS), Volume 1, User's Guide," NUREG/CR-4691, Sandia National Laboratories, February 1990.
* Harper, F. T., et al., "Probabilistic Accident Consequence Uncertainty Analysis, Dispersion, and Deposition Uncertainty Assessment," NUREG/CR-6244, Sandia National Laboratories, 1995.
* ICRP, "1990 Recommendations of the ICRP," Annals of the ICRP, Vol. 21, No. 1-3, ICRP Publication 60, International Commission on Radiological Protection, Pergamon Press, Oxford, England, 1991.
* Jones, J. A., et al., "Uncertainty Analysis on COSYMA," Proceedings of the Combined 3rd COSYMA Users Group and 2nd International MACCS Users Group Meeting, Portoroz, Slovenia, 41228-NUC 96-9238, KEMA, Arnhem, the Netherlands, September 16-19, 1996.
* Jow, H. N., et al., "MELCOR Accident Consequence Code System (MACCS), Volume II, Model Description," NUREG/CR-4691, Sandia National Laboratories, February 1990.
* KfK and NRPB, "COSYMA - A New Program Package for Accident Consequence Assessment," CEC Brussels, EUR 13028, Kernforschungszentrum (Karlsruhe) and National Radiological Protection Board, 1991.
* Mubayi, V., et al., "Cost-Benefit Considerations in Regulatory Analysis," NUREG/CR-6395, Brookhaven National Laboratory, 1995.
* National Research Council, "Health Effects of Exposure to Low Levels of Ionizing Radiation," BEIR V, Washington, DC, 1990.
* NRC, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, Vol. 1, Main Report, U.S. Nuclear Regulatory Commission, 1990.
* NRC, "Safety Goals for the Operation of Nuclear Power Plants," Policy Statement, Federal Register, Vol. 51, No. 149, U.S. Nuclear Regulatory Commission, August 4, 1986.
* NRC, "Onsite Meteorological Programs," Regulatory Guide 1.23, U.S. Nuclear Regulatory Commission, April 1986.
* NRC, "PRA Procedures Guide - A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," NUREG/CR-2300, Vol. 2, U.S. Nuclear Regulatory Commission, 1983.
* OECD, "Probabilistic Accident Consequence Assessment Codes, Second International Comparison," Organisation for Economic Cooperation and Development, Nuclear Energy Agency, Paris, France, 1994.
===3.5 Flood Analysis===

The analytical tasks associated with a Level 1 probabilistic risk assessment (PRA) for accidents initiated by events internal to the plant (such as transients and loss-of-coolant accidents) are described in previous chapters. Other events, both internal and external to the plant, can cause unique initiating events or influence the way in which a plant responds to an accident. Chapter 1 identifies three types of events (i.e., internal fires, internal floods, and seismic events) that require manipulation of the Level 1 internal event PRA in order to adequately model the plant response. In this section, the way in which a Level 1 PRA is modified in order to model accidents initiated by internal floods is described.
====3.5.1 Assumptions and Limitations====

When preparing this section, some assumptions and limitations were made as indicated below:

* It is assumed that flood and spray incidence data from VVERs are available. The flood and spray incidence data should be of sufficient resolution to allow characterization according to the source of the flood or spray (e.g., piping failure, tank failure, etc.) and any other characteristics of the postulated event (e.g., maintenance error, passive failure, dynamic failure, etc.).
* It is assumed that a reasonable and practical quantitative screening criterion for culling out risk-insignificant events can be developed that would facilitate the completion of this task.
* The guidelines presented closely parallel those given in the procedure guide for the task Fire Analysis because of the similarity in the basic activities involved. However, since different analysts typically undertake the consideration of fire and flood analyses, individual procedure guides have been developed for each activity. Also, detailed phenomenological analyses are typically of secondary importance in conducting investigations of the impact of internal hazards in support of a PRA. Such investigations have the characteristic approach that can be described as an "iterative conservative screening" of scenarios.
* Care should be taken to include in the analysis those scenarios initiated by a non-flood incident (such as a pipe break) that might involve the introduction of water or steam into areas that include equipment of interest in the PRA. This requires the analyst to work closely with those who are developing the event sequence models to assure that all such events are accounted for in the model. Normally, the impact of flood water, spray, or steam resulting directly from a pipe break is already considered in the event sequence model if the failure results in a reactor or turbine trip.
* Analyses for other internal hazards (other than fire or flood) identified in the task Spatial Interactions should be carried out as part of this task using the guidelines presented here. Such hazards could include the dropping of heavy objects or the spillage or leakage of caustic material.

====3.5.2 Products====

During the conduct of this task, the scenario tables initiated in the Spatial Interactions Task are expanded upon and refined (an example of such a table is provided in Appendix C). The completed and refined scenario tables make up a key product for this effort. A description of the methodology and the data analyses utilized to perform the flood analysis will be developed.

====3.5.3 Analytical Task====

While the internal flooding analysis of a PRA uses much the same processes and has the same attributes as a traditional full power internal events PRA, the internal flooding analysis requires a significant amount of work to define and screen the most important flood sources and possible scenarios for further evaluation. These differences are described below in general terms. More detailed guidance can be found in NRC (1997) and Bohn (1990).

The specific goals of this task include the development of a flood frequency database, the determination of the frequency of specific flood scenarios, the further development and refinement of flood scenarios, the determination of the flood damage to equipment and of the plant response, and the quantification of the flood-induced scenarios including the assignment to specific plant damage states.

The hazard occurrence frequency and a set of "worst-case" plant impacts are assessed for each scenario developed in the spatial interactions analysis. Each scenario is then screened quantitatively to determine its risk significance in relation to other initiating events. Scenarios that are quantitatively insignificant are documented and removed from further consideration. If a scenario remains quantitatively significant compared with the screening criteria, it is retained for further evaluation. Additional analyses are then performed to systematically refine the hazard initiating event frequency and its functional impacts and to develop a more realistic assessment of its risk significance. During this process, the original flood or spray scenario is often subdivided into more detailed scenarios to more specifically account for actual impacts that can occur within the hazard location.
The screening evaluation is documented, and the scenario is removed from further consideration in the PRA models.
* If the total core damage frequency from the fire-initiated scenario is higher than the screening criterion, the scenario is retained for further analysis in the PRA.
* If the potential plant damage state consequences from the fire-initiated scenario are unusual or severe, the scenario is retained for further analysis, even if its total core damage frequency is below the screening criterion.

Although the mechanics of this process are quite straightforward, several considerations must be noted to develop the proper perspective and context for this important activity in the overall analysis.

The methods used to assess the hazard initiating event frequency and the attendant impacts from the postulated scenario ensure that the evaluated core damage frequency is a conservative upper bound for the actual core damage frequency that may occur from any particular scenario in the location. The amount of conservatism depends on a variety of factors that cannot be estimated directly without considerable examination of the underlying models and analyses. However, the applied methods do provide assurances that no similar scenario can yield a core damage frequency higher than the one evaluated during the screening analysis.

The applied screening criterion is an absolute numerical value that defines what is considered to be an "insignificant" core damage frequency. This type of analysis is not unique to the evaluation of internal plant hazards. In fact, implicit and explicit screening criteria are applied at all levels of a practical risk assessment. However, it is worth noting that the screening criterion for this analysis effectively defines an absolute lower limit for the resolution of concerns about the risk significance from internal plant hazards. Scenarios that fall below the limit are, by definition, considered to be insignificant. The relative importance of each scenario that remains above the limit is consistently evaluated with all other events modeled in the PRA.

Selection of the screening criterion is not a simple task. There are no general guidelines or "accepted" numerical values that can be broadly applied for any particular analysis. The selected value, however, must satisfy the following criteria:

* The value must be low enough to ensure that the screened scenarios are truly insignificant to the total risk from the plant being evaluated.
* The value must be high enough to facilitate a practical analysis that limits unreasonable efforts to develop detailed models for unimportant events.
* The value chosen should be relatively insensitive to future refinements in the PRA event sequence models, systems analyses, and data.

In general, these criteria are best served by delaying the screening process until the results from the analyses of internal initiating events have reached a point of relative maturity and stability, i.e., a point at which the internal events results are not expected to change "significantly." Screening values are typically selected to ensure that the total core damage frequency from each screened scenario is less than approximately 0.05 percent to 0.1 percent (i.e., 1/20 to 1/10 of 1 percent) of the total core damage frequency from all other contributors. Thus, for example, if the screening criterion is numerically equal to 0.1 percent of the total core damage frequency from all other causes, an absolute minimum of 1,000 screened hazard scenarios would be required to double the total core damage frequency. If the screening analysis is performed at an early stage of the PRA modeling process, it is then generally recommended that the screening values be set equal to a smaller percentage of the preliminary core damage frequency results. This avoids the need for inefficient rescreening if, and when, PRA modeling refinements have reduced the contributions from all other accident initiators.

Thus, the final screening value cannot be determined at this time. For some perspective, however, the screening value used in one recent study was 1 x 10<sup>-9</sup> core damage event per year.
=====Task 4 - Refinement of Scenario Frequency and Impact Analysis=====

Each fire hazard scenario that yields a total core damage frequency exceeding the screening criterion is retained for further analysis in the PRA models. The level of effort and the focus of these analyses are determined by a balanced examination of all the contributors to plant risk. In many cases, the upper-bound core damage frequency may be higher than the value used for screening the hazard, but the scenario remains a very small contribution to overall plant risk. Extensive effort to further refine these scenarios is not justified by practical considerations. Their conservatively bounding frequencies and impacts are simply retained in the PRA results.

An iterative process is performed to refine the models, if further analysis is warranted. This process involves careful reexamination of all assumptions and successive application of the previous analysis activities to develop systematically more realistic models for the scenario definition, the hazard frequency, and the assigned impacts. One or more of the following refinements are typically made during this phase of the analysis:

* The scenario may be subdivided into a set of constituent scenarios that are based on physical characteristics of the location and the hazard sources. This process allows the assignment of more realistic equipment impacts from each of the specific hazard conditions.
* The hazard may be subdivided into various severity levels that are based on observed experience from the generic and plant-specific databases. Each hazard severity level is examined to define a more realistic set of impacts that could be caused by an event with that severity.
* The assumed impacts from hot shorts and control circuit malfunctions may be reexamined to determine whether the assumed failure modes can actually occur in combination.
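The screening rules, the 1,000-scenario doubling bound and the Task 4 severity-level refinement described above, carried through on constructed scenario data. This is an added Python example, not code from the procedures guide or from any real study; the room names, hazard frequencies, conditional core damage probabilities and CDF totals are all made up for illustration.

```python
"""Quantitative screening of internal-hazard (fire/flood) scenarios against a
core-damage-frequency (CDF) criterion, plus the Task 4 refinement step.
Added illustration, not code from the procedures guide; every scenario,
frequency and CCDP value below is constructed for the example."""
import math
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    location: str
    hazard_freq: float        # bounding hazard occurrence frequency (events/yr)
    ccdp: float               # conditional core damage probability, worst-case impacts
    severe_pds: bool = False  # unusual or severe plant damage state consequences?

    @property
    def cdf(self) -> float:
        """Conservative upper-bound CDF contribution of this scenario (/yr)."""
        return self.hazard_freq * self.ccdp


def screening_criterion(cdf_other_contributors: float, fraction: float) -> float:
    """Absolute screening value: a fixed fraction (0.001 = 0.1 percent) of the
    CDF from all other contributors."""
    return fraction * cdf_other_contributors


def min_scenarios_to_double(fraction: float) -> int:
    """Each screened scenario adds at most fraction * CDF, so at least
    1/fraction screened scenarios are needed to double the total CDF."""
    return math.ceil(round(1.0 / fraction, 9))


def screen(scenarios, criterion):
    """The two retention rules: keep a scenario if its bounding CDF exceeds the
    criterion, or if its consequences are unusual/severe even below it."""
    retained, screened_out = [], []
    for s in scenarios:
        (retained if s.cdf > criterion or s.severe_pds else screened_out).append(s)
    return retained, screened_out


def screened_cdf_bound(screened_out, criterion):
    """CDF removed by screening, and the bound len * criterion it must obey."""
    removed = sum(s.cdf for s in screened_out)
    return removed, len(screened_out) * criterion


def needs_rescreen(screened_out, new_criterion):
    """Scenarios screened out earlier that would now be retained because later
    refinements lowered the CDF of other initiators (and so the criterion)."""
    return [s for s in screened_out if s.cdf > new_criterion]


def refine_by_severity(scenario, severity_levels):
    """Task 4 refinement: split one bounding scenario into severity levels.
    severity_levels: list of (label, share_of_hazard_freq, ccdp_for_level).
    Shares must sum to 1 and no level may exceed the bounding CCDP, so the
    refined total CDF can only decrease relative to the bounding value."""
    if abs(sum(share for _, share, _ in severity_levels) - 1.0) > 1e-9:
        raise ValueError("severity shares must sum to 1")
    parts = []
    for label, share, ccdp in severity_levels:
        if ccdp > scenario.ccdp:
            raise ValueError(f"{label}: CCDP exceeds the bounding CCDP")
        parts.append(Scenario(f"{scenario.name} / {label}", scenario.location,
                              scenario.hazard_freq * share, ccdp, scenario.severe_pds))
    return parts


# Constructed sample data (not from any real plant or study).
CDF_INTERNAL_PRELIM = 5e-5   # preliminary CDF from all other contributors (/yr)
CDF_INTERNAL_FINAL = 2e-5    # after later PRA model refinements (/yr)
SCENARIOS = [
    Scenario("cable tray fire", "cable spreading room", 1e-3, 1e-3),
    Scenario("MCC fire", "switchgear room A", 1.5e-3, 1e-5),
    Scenario("logic cabinet fire", "control room", 1e-3, 4e-6, severe_pds=True),
    Scenario("pump fire", "turbine building", 5e-3, 5e-6),
]


def run_screening(fraction_early):
    """Screen against the preliminary CDF at the given fraction, then check
    whether the final CDF with the usual 0.1 percent criterion forces a rescreen."""
    early = screening_criterion(CDF_INTERNAL_PRELIM, fraction_early)
    retained, screened_out = screen(SCENARIOS, early)
    final = screening_criterion(CDF_INTERNAL_FINAL, 0.001)
    return retained, screened_out, needs_rescreen(screened_out, final)


if __name__ == "__main__":
    retained, out, redo = run_screening(0.001)
    print("retained:", [s.name for s in retained])
    print("screened out:", [s.name for s in out], "rescreen later:", [s.name for s in redo])
    print("rescreen with a 0.04 percent early criterion:",
          [s.name for s in run_screening(0.0004)[2]])
    refined = refine_by_severity(retained[0], [("self-extinguishing", 0.6, 1e-5),
                                               ("localized", 0.3, 2e-4),
                                               ("full tray involvement", 0.1, 1e-3)])
    print("refined CDF:", sum(p.cdf for p in refined), "bounding CDF:", retained[0].cdf)
```

Screening early at 0.1 percent of the preliminary CDF leaves the pump fire to be rescreened once the other contributors shrink; the smaller early fraction the guide recommends avoids that second pass.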
Fire frequencies are derived for a generic nuclear power plant based on fire sources. For example, a frequency is determined for "cable fires" at a nuclear power plant similar to the one under consideration using industry data. Although "generic" in nature, the data is specialized and screened to closely match the characteristics of the specific plant under consideration. The generic fire hazard frequencies should be updated with the actual experiences at Kalinin.

The location of the specific hazards has been determined in the task Spatial Interactions. Estimates are required in this task for the fractions of each hazard source (e.g., cables, motor control centers, and logic cabinets) found in each location. For a specific location, the frequency of occurrence of a fire of any size is determined by summing the fractional contribution of occurrence from each hazard found in that location.

A quantitative screening value is developed to identify those scenarios that will be carried forward in the analysis. In other words, only those scenarios that contribute appreciably to the frequency of core damage (or to specific undesirable plant damage states) are retained for further analysis.

Scenarios that survive the quantitative screening are refined, as appropriate. Refinement may involve such considerations as the extent of the damage initially postulated. The process proceeds iteratively until the scenarios that remain appropriately represent the risk associated with fires while containing acceptable conservatisms.

====3.6.4 Task Interfaces====

The current task utilizes the same overall analysis approach and procedures developed for the internal event PRA. In particular, this task builds on the information developed in the task Spatial Interactions. The conduct of this task will require input from the tasks dealing with Initiating Event Analysis, Frequency of Initiating Events, Event Sequence Modeling, and System Modeling. It is also likely that specific operator actions will be identified in the fire scenarios, thus prompting an interface with the task Human Reliability Analysis. Output from the Fire Analysis task provides information on accident sequence definition and on frequency of occurrence directly to the Level 2 task, which in turn provides source term information to the consequence and risk integration task. Whether or not Level 2/3 analyses are performed depends on the scope of the PRA.

====3.6.5 References====

* Bohn, M. P., and J. A. Lambright, "Procedures for the External Event Core Damage Frequency for NUREG-1150," NUREG/CR-4840, Sandia National Laboratories, November 1990.
* Ho, V. S., et al., "COMPBRN IIIE: An Interactive Computer Code for Fire Risk Analysis," UCLA-ENG-9016, EPRI-NP-7282, Electric Power Research Institute, May 1991.
* LaChance, J., et al., "Circuit Analysis - Failure Mode and Likelihood Analysis," NUREG/CR-6834, Sandia National Laboratories, September 2003.
* Nowlen, et al., "Risk Methods Insights Gained from Fire Incidents," NUREG/CR-6738, U.S. Nuclear Regulatory Commission, September 2001.
* NRC, "The Use of PRA in Risk-Informed Applications," NUREG-1602, Draft Report for Comment, June 1997.

===3.7 Seismic Analysis===

The analytical tasks associated with a Level 1 probabilistic risk assessment (PRA) for accidents initiated by events internal to the plant (such as transients and loss-of-coolant accidents [LOCAs])
are described in Section 3.2. Other events both internal and external to the plant can cause unique initiating events or influence the way in which a plant responds to an accident. In this section, theway in which a Level 1 PRA is modified in order to model accidents initiated by earthquakes occurring at or near the plant site is described. This means that the frequency and severity of the ground motion must be coupled to models that address the capacity of plant structures and components to survive each possible earthquake. The effects ofstructural failure must be assessed, and all the resulting information about the likelihood of equipment failure must be evaluated using the Level 1 internal event probabilistic lo gic model ofthe plant. This procedure guide is largely based onseveral earlier guides and studies (Bohn and Lambright, 1990; IAEA, 1995; and PG&E, 1988).Material from these sources is used here without specific citations. | are described in Section 3.2. Other events both internal and external to the plant can cause unique initiating events or influence the way in which a plant responds to an accident. In this section, theway in which a Level 1 PRA is modified in order to model accidents initiated by earthquakes occurring at or near the plant site is described. This means that the frequency and severity of the ground motion must be coupled to models that address the capacity of plant structures and components to survive each possible earthquake. The effects ofstructural failure must be assessed, and all the resulting information about the likelihood of equipment failure must be evaluated using the Level 1 internal event probabilistic lo gic model ofthe plant. This procedure guide is largely based onseveral earlier guides and studies (Bohn and Lambright, 1990; IAEA, 1995; and PG&E, 1988).Material from these sources is used here without specific citations. | ||
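The fire-frequency steps described in the fire analysis task above (generic hazard frequencies from industry data, a plant-specific update, hazard fractions per location from Spatial Interactions, summation per location, and the quantitative screening value) as one worked example. This Python code is added here for illustration; it is not from NUREG/CR-6572 or from the Kalinin PRA. The hazard frequencies, location fractions, scenarios and screening value are constructed numbers, and the gamma-Poisson Bayesian update is an assumed standard PRA data method that the guide asks for but does not itself prescribe.

```python
from dataclasses import dataclass

# Generic fire frequencies per hazard source, per reactor-year. Constructed
# illustrative values; the guide takes these from screened industry data.
GENERIC_FREQ = {
    "cables": 2.0e-2,
    "motor_control_centers": 1.0e-2,
    "logic_cabinets": 5.0e-3,
}

# Fraction of each hazard source located in each fire area, as produced by the
# Spatial Interactions task. Constructed values; a hazard's fractions summed
# over all areas must not exceed 1.0.
HAZARD_FRACTIONS = {
    "cable_spreading_room": {"cables": 0.40, "logic_cabinets": 0.10},
    "switchgear_room": {"cables": 0.15, "motor_control_centers": 0.60},
    "control_room": {"cables": 0.05, "logic_cabinets": 0.70},
}


@dataclass(frozen=True)
class FireScenario:
    name: str
    location: str
    p_damage_given_fire: float         # fire grows enough to damage the target set
    p_core_damage_given_damage: float  # conditional core damage probability from
                                       # the internal-event model with that damage


def update_generic_frequency(generic_freq, prior_shape, events, exposure_years):
    """Update a generic frequency with plant-specific experience.
    Assumption: a conjugate gamma-Poisson Bayesian update (the usual PRA data
    method; the guide requires the update but does not prescribe the method).
    The prior is a gamma with shape prior_shape and mean generic_freq."""
    prior_rate = prior_shape / generic_freq
    post_shape = prior_shape + events
    post_rate = prior_rate + exposure_years
    return post_shape / post_rate  # posterior mean, fires per reactor-year


def location_fire_frequency(location, freqs=GENERIC_FREQ, fractions=HAZARD_FRACTIONS):
    """Frequency of a fire of any size in a location: the sum over hazards found
    there of (generic hazard frequency) x (fraction of that hazard in the location)."""
    return sum(freqs[hazard] * frac for hazard, frac in fractions[location].items())


def screen_scenarios(scenarios, screening_value, freqs=GENERIC_FREQ, fractions=HAZARD_FRACTIONS):
    """Quantitative screening: keep only scenarios whose core-damage frequency
    contribution reaches the screening value, sorted largest first."""
    retained = []
    for s in scenarios:
        cdf = (location_fire_frequency(s.location, freqs, fractions)
               * s.p_damage_given_fire * s.p_core_damage_given_damage)
        if cdf >= screening_value:
            retained.append((s.name, cdf))
    return sorted(retained, key=lambda item: item[1], reverse=True)


# Constructed scenarios for the demonstration (not Kalinin data).
SAMPLE_SCENARIOS = [
    FireScenario("CSR-1", "cable_spreading_room", 0.20, 0.05),
    FireScenario("SWG-1", "switchgear_room", 0.10, 0.02),
    FireScenario("CR-1", "control_room", 0.30, 1.0e-3),
]
SCREENING_VALUE = 1.0e-5  # assumed per-scenario screening value, per reactor-year


if __name__ == "__main__":
    updated = update_generic_frequency(GENERIC_FREQ["cables"], 0.5, events=1, exposure_years=10)
    print(f"cable fire frequency after plant-specific update: {updated:.3e} /yr")
    for loc in HAZARD_FRACTIONS:
        print(f"{loc:22s} {location_fire_frequency(loc):.2e} /yr")
    for name, cdf in screen_scenarios(SAMPLE_SCENARIOS, SCREENING_VALUE):
        print(f"retained {name}: {cdf:.2e} /yr")
```

With these constructed inputs the control-room scenario falls below the assumed screening value and drops out, while the cable-spreading-room and switchgear-room scenarios are carried forward for refinement; lowering the screening value retains all three, which is the lever the iterative process in the text turns.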
====3.7.1 Assumptions and Limitations====
A seismic PRA assumes that a single parameter (effective ground acceleration) characterization of the earthquake, when combined with treatments of uncertainty and dependency, can provide an adequate representation of the effects of seismic events on plant operations. This approach acknowledges that different earthquakes (in terms of energy, frequency spectra, duration, and ground displacement) can have the same effective acceleration. Therefore, there is not only randomness in the frequency of earthquakes but also large uncertainty in the specific characteristics
of earthquakes of a given effective acceleration. These uncertainties have implications for modeling dependencies among failures of various equipment under excitation by earthquakes of a particular effective acceleration. Systems analysts and fragility experts must work closely together to determine how to model these dependencies.
A nuclear power plant is usually designed to ensure the survival of all buildings and emergency safety systems for a particular size earthquake, i.e., a design basis or a safe shutdown earthquake. The assumptions used in the design process are deterministic and are subject to considerable uncertainty. It is not possible, for example, to predict accurately the worst earthquake that will occur at a given site. Soil properties, mechanical
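Section 3.7 says the frequency and severity of ground motion must be coupled to models of the capacity of structures and components, and 3.7.1 stresses that dependency among equipment failures in the same earthquake has to be modeled jointly by systems analysts and fragility experts. The following Python example is added here as an illustration of that coupling and is not from NUREG/CR-6572 or the Kalinin PRA: it convolves a constructed site hazard curve with lognormal fragility curves (a common seismic-PRA representation that the guide itself does not specify) and brackets the dependency question for a redundant pair by computing both the independent and the perfectly correlated case. The hazard points, median capacities and beta values are all assumed illustrative numbers.

```python
import math

# Constructed seismic hazard curve: annual frequency of exceeding a peak ground
# acceleration (in g). Illustrative numbers only, not a real site hazard.
HAZARD_CURVE = [
    (0.05, 1.0e-2),
    (0.10, 3.0e-3),
    (0.20, 6.0e-4),
    (0.30, 2.0e-4),
    (0.50, 4.0e-5),
    (0.75, 8.0e-6),
    (1.00, 2.0e-6),
    (1.50, 3.0e-7),
]


def fragility(a, a_m, beta):
    """P(component fails | ground acceleration a), as a lognormal fragility with
    median capacity a_m (g) and composite logarithmic standard deviation beta.
    The lognormal form is an assumption of this example, not the guide's."""
    if a <= 0.0:
        return 0.0
    z = math.log(a / a_m) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def _convolve(prob_given_a, hazard):
    """Sum over acceleration bins of (annual frequency that the acceleration
    falls in the bin) x (failure probability at the bin's geometric midpoint).
    The exceedance frequency above the last tabulated point is lumped into a
    final bin evaluated at that point."""
    total = 0.0
    for (a_lo, h_lo), (a_hi, h_hi) in zip(hazard, hazard[1:]):
        bin_freq = h_lo - h_hi          # frequency of a in [a_lo, a_hi)
        a_mid = math.sqrt(a_lo * a_hi)  # geometric midpoint on the log scale
        total += bin_freq * prob_given_a(a_mid)
    a_last, h_last = hazard[-1]
    total += h_last * prob_given_a(a_last)
    return total


def failure_frequency(a_m, beta, hazard=HAZARD_CURVE):
    """Annual frequency of seismically induced failure of one component."""
    return _convolve(lambda a: fragility(a, a_m, beta), hazard)


def redundant_pair_failure_frequency(comp_a, comp_b, correlated, hazard=HAZARD_CURVE):
    """Annual frequency that BOTH of two redundant components fail in the same
    earthquake. comp_a and comp_b are (a_m, beta) pairs. With perfectly
    correlated capacities the weaker component's failure implies the other's,
    so the joint probability at each acceleration is min(p_a, p_b); with
    independent capacities it is p_a * p_b. The real dependency lies between
    these bounds and is the judgment Section 3.7.1 asks the analysts to make."""
    def both_fail(a):
        p_a = fragility(a, *comp_a)
        p_b = fragility(a, *comp_b)
        return min(p_a, p_b) if correlated else p_a * p_b
    return _convolve(both_fail, hazard)


if __name__ == "__main__":
    pump = (0.6, 0.4)  # constructed: median capacity 0.6 g, beta 0.4
    tank = (0.8, 0.4)  # constructed: median capacity 0.8 g, beta 0.4
    print(f"single pump   : {failure_frequency(*pump):.2e} /yr")
    print(f"pair, indep.  : {redundant_pair_failure_frequency(pump, tank, False):.2e} /yr")
    print(f"pair, correl. : {redundant_pair_failure_frequency(pump, tank, True):.2e} /yr")
```

The gap between the independent and correlated pair results is the point of the text's warning: treating two components that respond to the same ground motion as independent can understate the frequency of losing both by orders of magnitude.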
Revision as of 23:24, 13 October 2018
| ML103620076 | |
| Person / Time | |
|---|---|
| Site: | Davis Besse |
| Issue date: | 12/28/2010 |
| From: | Brookhaven National Lab (BNL), NRC/RES/DRA |
| To: | |
| SECY RAS | |
| Shared Package | |
| ML103620074 | List: |
| References | |
| License Renewal 2, RAS 19324, 50-346-LR, BNL-NUREG-52534-R1 NUREG/CR-6572, Rev 1 | |
| Download: ML103620076 (213) | |
Text
NUREG/CR-6572, Rev. 1
BNL-NUREG-52534-R1
Kalinin VVER-1000 Nuclear Power Station Unit 1 PRA: Procedure Guides for a Probabilistic Risk Assessment, English Version
Brookhaven National Laboratory
U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Washington, DC 20555-0001
Manuscript Completed: May 2005
Date Published: December 2005
Sponsored by the Joint Cooperative Program Between the Governments of the United States and Russia, The BETA Project
Brookhaven National Laboratory, Upton, NY 11973-5000
Prepared for Division of Risk Analysis and Applications, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001
NRC Job Code R2001

ABSTRACT
In order to facilitate the probabilistic risk assessment (PRA) of a VVER-1000 nuclear power plant, a set of procedure guides has been written. These procedure guides, along with training supplied by experts and supplementary material from the literature, were used to advance the PRA carried out for the Kalinin Nuclear Power Station in the Russian Federation. Although written for a specific project, these guides have general applicability. Guides are procedures for all the technical tasks of a Level 1 (determination of core damage frequency for different accident scenarios), Level 2 (probabilistic accident progression and source term analysis), and Level 3 (consequence analysis and integrated risk assessment) PRA. In addition, introductory material is provided to explain the rationale and approach for a PRA. Procedure guides are also provided on the documentation requirements.
FOREWORD
During the Lisbon Conference on Assistance to the Nuclear Safety Initiative, held in May 1992, participants agreed that efforts should be undertaken to improve the safety of nuclear power plants that were designed and built by the former Soviet Union. That agreement led to a collaborative probabilistic risk assessment (PRA) of the Kalinin Nuclear Power Station (KNPS), Unit 1, in the Russian Federation. The KNPS Unit 1 PRA was intended to demonstrate the benefits obtained from application of risk technology towards understanding and improving reactor safety and, thereby, helping to build a risk-informed framework to help address reactor safety issues in regulations.
The U.S. Department of State, together with the Agency for International Development (AID), requested that the U.S. Nuclear Regulatory Commission (NRC) and the Federal Nuclear and Radiation Safety Authority of the Russian Federation (Gosatomnadzor, or GAN) work together to begin applying PRA technology to Soviet-designed plants.[1] On the basis of that request, in 1995, the NRC and GAN agreed to work together to perform a PRA of a VVER-1000 PWR reactor. Under that agreement, the NRC provided financial support for the PRA with funds from AID and technical support primarily from Brookhaven National Laboratory and its subcontractors. KNPS Unit 1 was chosen for the PRA, and the effort was performed under the direction of GAN with the assistance of KNPS personnel and the following four other Russian organizations:
* Science and Engineering Centre for Nuclear and Radiation Safety (GAN's and now Rostechnadzor's technical support organization)
* Gidropress Experimental and Design Office (the VVER designer)
* Nizhny Novgorod Project Institute, Atomenergoprojekt (the architect-engineer)
* Rosenergoatom Consortium (the utility owner of KNPS)
[1] As a result of a governmental decree in May 2004, GAN was subsumed into a new organization, known as the Federal Environmental, Industrial and Nuclear Supervision Service of Russia (Rostechnadzor).
One of the overriding accomplishments of the project has been technology transfer. In NRC-sponsored workshops held in Washington, DC, and Moscow from October 1995 through November 2003, training was provided in all facets of PRA practice. In addition, the Russian participants developed expertise using current-generation NRC-developed computer codes, MELCOR, SAPHIRE and MACCS. Towards the completion of the PRA, senior members of the Kalinin project team began the development of risk-informed, Russian nuclear regulatory guidelines. These guidelines foster the application of risk assessment concepts to promote a better understanding of risk contributors. Efforts such as this have benefited from the expertise obtained, in part, from the training, experience, and insights gained from participation in the KNPS Unit 1 PRA project.
The documentation of the Kalinin PRA comprises two companion NUREG-series reports:
* NUREG/CR-6572, Revision 1, Kalinin VVER-1000 Nuclear Power Station Unit 1 PRA: Procedure Guides for a Probabilistic Risk Assessment, was prepared by Brookhaven National Laboratory and the NRC staff. It contains guidance for conducting the Level 1, 2, and 3 PRAs for KNPS with primary focus on internal events. It may also serve as a guide for future PRAs in support of other nuclear power plants.
* NUREG/IA-0212, Kalinin VVER-1000 Nuclear Power Station Unit 1 PRA: Volumes 1 and 2, was written by the Russian team and, by agreement, includes both a non-proprietary and a proprietary volume. The non-proprietary volume, Volume 1, Executive Summary Report, discusses the project objectives, summarizes how the project was carried out, and presents a general summary of the PRA results. The proprietary volume, Volume 2, contains three parts. Part 1, Main Report: Level 1 PRA, Internal Initiators, discusses the Level 1 portion of the PRA; Part 2, Main Report: Level 2 PRA, Internal Initiators, discusses the Level 2 portion; and Part 3, Main Report: Other Events Analysis, discusses preliminary analyses of fire, internal flooding, and seismic events, which may form the basis for additional risk assessment work at some future time.
Carl J. Paperiello, Director
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission

TABLE OF CONTENTS
Abstract .... iii
Foreword .... v
List of Figures .... x
List of Tables .... xi
Acknowledgments .... xii
Acronyms .... xiii
1. INTRODUCTION .... 1-1
1.1 Background .... 1-1
1.2 Objectives .... 1-1
1.3 Scope .... 1-1
1.4 Limitations and General Comments .... 1-3
1.5 References .... 1-3
2. APPROACH .... 2-1
2.1 Scope of a PRA .... 2-1
2.2 Scope of the Guides .... 2-2
2.2.1 Technical Guidance .... 2-2
2.2.2 Guidance for Peer Review Process .... 2-8
2.3 References .... 2-9
3. TECHNICAL ACTIVITIES .... 3-1
3.1 Plant Familiarization .... 3-1
3.1.1 Assumption and Limitations .... 3-1
3.1.2 Products .... 3-2
3.1.3 Task Activities .... 3-2
3.1.4 Task Interfaces .... 3-11
3.2 Level 1 Analysis .... 3-11
3.2.1 Initiating Event Analysis .... 3-11
3.2.1.1 Assumptions and Limitations .... 3-11
3.2.1.2 Products .... 3-12
3.2.1.3 Analytical Tasks .... 3-12
3.2.1.4 Task Interfaces .... 3-19
3.2.1.5 References .... 3-19
3.2.2 Accident Sequence Development .... 3-20
3.2.2.1 Assumptions and Limitations .... 3-20
3.2.2.2 Products .... 3-20
3.2.2.3 Task Activities .... 3-21
3.2.2.4 Task Interfaces .... 3-32
3.2.2.5 References .... 3-33
3.2.3 Systems Analysis .... 3-34
3.2.3.1 Assumptions and Limitations .... 3-34
3.2.3.2 Products .... 3-34
3.2.3.3 Analytical Tasks .... 3-35
3.2.3.4 Task Interfaces .... 3-54
3.2.3.5 References .... 3-54
3.2.4 Data Analysis .... 3-55
3.2.4.1 Assumptions and Limitations .... 3-55
3.2.4.2 Products .... 3-55
3.2.4.3 Task Activities .... 3-56
3.2.4.4 Task Interfaces .... 3-68
3.2.4.5 References .... 3-69
3.2.5 Human Reliability Analysis .... 3-70
3.2.5.1 Assumptions and Limitations .... 3-70
3.2.5.2 Products .... 3-72
3.2.5.3 Task Activities .... 3-72
3.2.5.4 Task Interfaces .... 3-74
3.2.5.5 References .... 3-75
3.2.6 Quantification and Results .... 3-79
3.2.6.1 Assumption and Limitations .... 3-79
3.2.6.2 Products .... 3-80
3.2.6.3 Task Activities .... 3-80
3.2.6.4 Task Interfaces .... 3-87
3.2.6.5 References .... 3-88
3.3 Level 2 Analysis (Probabilistic Accident Progression and Source Term Analysis) .... 3-89
3.3.1 Plant Damage State Determination .... 3-92
3.3.1.1 Assumptions and Limitations .... 3-92
3.3.1.2 Products .... 3-92
3.3.1.3 Analytical Tasks .... 3-92
3.3.1.4 Task Interfaces .... 3-95
3.3.1.5 References .... 3-95
3.3.2 Assessing Containment Challenges .... 3-95
3.3.2.1 Assumptions and Limitations .... 3-95
3.3.2.2 Products .... 3-96
3.3.2.3 Analytical Tasks .... 3-97
3.3.2.4 Task Interfaces .... 3-100
3.3.2.5 References .... 3-100
3.3.3 Containment Performance Characterization .... 3-101
3.3.3.1 Assumptions and Limitations .... 3-101
3.3.3.2 Products .... 3-101
3.3.3.3 Analytical Tasks .... 3-102
3.3.3.4 Task Interfaces .... 3-103
3.3.3.5 References .... 3-103
3.3.4 Containment Probabilistic Characterization .... 3-104
3.3.4.1 Assumptions and Limitations .... 3-104
3.3.4.2 Products .... 3-104
3.3.4.3 Analytical Tasks .... 3-104
3.3.4.4 Task Interfaces .... 3-107
3.3.4.5 References .... 3-107
3.3.5 Radionuclide Release Characterization .... 3-107
3.3.5.1 Assumptions and Limitations .... 3-107
3.3.5.2 Products .... 3-108
3.3.5.3 Analytical Tasks .... 3-108
3.3.5.4 Task Interfaces .... 3-113
3.3.5.5 References .... 3-114
3.4 Level 3 Analysis (Consequence Analysis and Integrated Risk Assessment) .... 3-114
3.4.1 Assumption and Limitations .... 3-114
3.4.2 Products .... 3-114
3.4.3 Analytical Tasks .... 3-115
3.4.4 Task Interfaces .... 3-117
3.4.5 References .... 3-118
3.5 Flood Analysis .... 3-119
3.5.1 Assumption and Limitations .... 3-119
3.5.2 Products .... 3-119
3.5.3 Analytical Tasks .... 3-119
3.5.4 Task Interfaces .... 3-125
3.5.5 References .... 3-125
3.6 Fire Analysis .... 3-125
3.6.1 Assumption and Limitations .... 3-126
3.6.2 Products .... 3-126
3.6.3 Analytical Tasks .... 3-126
3.6.4 Task Interfaces .... 3-134
3.6.5 References .... 3-134
3.7 Seismic Analysis .... 3-134
3.7.1 Assumption and Limitations .... 3-134
3.7.2 Products .... 3-135
3.7.3 Analytical Tasks .... 3-135
3.7.4 Task Interfaces .... 3-139
3.7.5 References .... 3-139
4. DOCUMENTATION .... 4-1
4.1 Documentation in Support of Reporting/Communication .... 4-1
4.2 Documentation in Support of Traceability .... 4-2
APPENDIX A Recommended Supplemental CCF Generic Estimates for Kalinin PRA Based on Experience in the U.S. .... A-1
APPENDIX B Simplified Level 2 Analysis .... B-1
APPENDIX C Example Consideration of a Flood Scenario in a PRA .... C-1
APPENDIX D Example Consideration of a Fire Scenario in a PRA .... D-1

LIST OF FIGURES
1.1 The six components comprising a PRA .... 1-2
3.1 Master logic diagram .... 3-17
3.2 Example of dependency matrix .... 3-36
3.3 Example of fault tree for backup cooling system .... 3-38
3.4 Example fault tree for inside spray recirculation .... 3-39
3.5 Simple example for CCF analysis .... 3-66
3.6 Example of a decision tree for performance shaping factors .... 3-78
3.7 Relationship among the major parts of a Level 2 PRA .... 3-89
3.8 Conditional probability of containment failure .... 3-91
3.9 Probability density functions for containment peak pressure (Pc) and failure pressure (Pf) .... 3-107
3.10 Example of simplified radionuclide release rates .... 3-111

LIST OF TABLES
2-1 Technical elements of a PRA .... 2-3
2-2 Summary of technical characteristics and attributes of a PRA .... 2-9
3-1 Technical elements of a PRA .... 3-1
3-2 Plant information needed to perform a Level 1 internal event PRA .... 3-4
3-3 Generic information from plants of same/similar design .... 3-5
3-4 Cross reference of PRA tasks and plant information needed .... 3-6
3-5 Information needed for internal fire analysis .... 3-7
3-6 Information needed for internal flood analysis .... 3-7
3-7 Information needed for seismic analysis .... 3-8
3-8 Format for failure modes and effects analysis of key support systems .... 3-14
3-9 Format for abnormal operating instruction review summary .... 3-14
3-10 Generic list of initiating events for VVER-1000 reactors .... 3-15
3-11 Safety functions identified in a recent PWR PRA .... 3-25
3-12 Equipment hazard susceptibility .... 3-47
3-13 Hazards associated with equipment .... 3-48
3-14 Illustration of a typical scenario table .... 3-51
3-15 Typical hazard mitigation types .... 3-53
3-16 The reliability formulation for the various contributors to the unavailability of a standby component .... 3-61
3-17 Example of performance shaping factors .... 3-76
3-18 Example attributes for grouping accident sequence cutsets .... 3-93
3-19 Severe accident phenomena .... 3-99
3-20 Example plant design/operational parameters to be compared to demonstrate similarity for use as surrogate analysis .... 3-100
3-21 Radionuclide grouping scheme used in a Level 2 PRA .... 3-110
3-22 Areas of key radionuclide source term uncertainties .... 3-113
4-1 Documentation for the Kalinin PRA project .... 4-1

ACKNOWLEDGMENTS
The following organizations and individuals collaborated in performing the PRA for the Kalinin NPS, Unit 1:
U.S. Nuclear Regulatory Commission (NRC): Charles Ader, Mark Cunningham, Mary Drouin, Thomas King, John Lane, Scott Newberry, Themis Speis, Andrew Szukiewicz
NRC Contractors: Mohammed Ali Azarm, Brookhaven National Laboratory (BNL); Dennis Bley, Buttonwood Consulting Inc.; Tsong-Lun Chu, BNL; David Diamond, BNL; Ted Ginsberg, BNL; David Johnson, PLG Inc.; John Lehner, BNL; Mark Leonard, Dycoda; Hossein Nourbakhsh, BNL; Robert Kennedy, RPK Structural Mechanics Consulting; Robert Campbell, EQE International Inc.; Yang Park, BNL; Trevor Pratt, BNL; Jimin Xu, BNL
Federal Nuclear and Radiation Safety Authority of the Russian Federation (GAN), now the Federal Environmental, Industrial and Nuclear Supervision Service of Russia (Rostechnadzor): Mikhail Mirochnitchenko, Alexandr Gutsalov, Alexandr Matveev
Science and Engineering Center for Nuclear and Radiation Safety: Irina Andreeva, Tatiana Berg, Valentina Bredova, Boris Gordon, Irina Ioudina, Artour Lioubarski, Dmitri Noskov, Gennadi Samokhin, Eugene Shubeiko, Vyacheslav Soldatov, Sergei Volkovitskiy, Elena Zhukova
Kalinin Nuclear Power Station: Grigori Aleshin, Oleg Bogatov, Eugene Mironenko, Maxim Robotaev
Experimental and Design Office Gidropress: Viatcheslav Kudriavtsev, Valeri Siriapin, Vladimir Shein
Nizhny Novgorod Project Institute Atomenergoprojekt: Ludmila Eltsova, Vladimir Kats, Svetlana Petrunina, Valeri Senoedov, Alexander Yashkin
Rosenergoatom Consortium: Vladimir Khlebtsevich

ACRONYMS
ACRS: Advisory Committee on Reactor Safeguards
ANS: American Nuclear Society
AOIs: Abnormal Operating Instructions
BE: Basic Event
BNL: Brookhaven National Laboratory
CAR: Corrective Action Reports
CCF: Common-Cause Failure
CCI: Core-Concrete Interaction
CDF: Core Damage Frequency
CET: Containment Event Tree
DCH: Direct Containment Heating
DOE: U.S. Department of Energy
DRR: Document Review Records
EFC: Error-Forcing Context
EPRI: Electric Power Research Institute
ESD: Event Sequence Diagram
ET: Event Tree
FT: Fault Tree
F-V: Fussell-Vesely
GAN: Federal Nuclear and Radiation Safety Authority of the Russian Federation
HFE: Human Failure Event
HPI: High-Pressure Injection
HRA: Human Reliability Analysis
IAEA: International Atomic Energy Agency
IE: Initiating Event
INELIdaho National Engineering LaboratoryIMTSInformation Management and Tracking System IRRASIntegrated Reliability and Risk Analysis SystemKNPSKalinin Nuclear Power Station LOCALoss-of-Coolant AccidentMOVMotor-Operated Valve NRCU.S. Nuclear Regulatory Commission xivACRONYMS (Continued)PCAProbabilistic Consequence AssessmentPDSPlant Damage State PQASCProject Quality Assurance Startup ChecklistsPRAProbabilistic Risk Assessment PSFPerformance Shaping Factor PWRPressurized Water ReactorQAQuality AssuranceQARQuality Assurance Audit Reports QHOQuantitative Health Objective R.F.Russian FederationRAWRisk Achievement Worth RCSReactor Coolant System RHRResidual Heat Removal RRWRisk Reduction WorthSGSteam Generator SGTRSteam Generator Tube RuptureSLIMSuccess Likelihood Index Method SSCSystems, Structures, and Components
SSMRPSeismic Safety Margins Research ProgramTRRTechnical Review Reports 1-11. INTRODUCTION1.1BackgroundAt the Lisbon Conference on Assistance to theNuclear Safety Initiative, held in May 1992, it wasagreed that special efforts should be undertaken to improve the safety of the nuclear power plantsdesigned and built by the former Soviet Union. Aspart of these efforts, the U.S. Department of State,together with the Agency for International Development (AID), requested that the U.S.Nuclear Regulatory Commission (NRC) and theFederal Nuclear and Radiation Safety Authority of the Russian Federation (GAN) work together tobegin the application of PRA technology to Soviet designed plants. As a result, the NRC and GANagreed to work together to carry out a probabilisticrisk assessment (PRA) of a VVER-1000 reactor in the Russian Federation (R.F.). Unit 1 at the Kalinin Nuclear Power Station (KNPS)was chosen for the PRA and the effort was carried out under the auspices of GAN with the assistance of several other Russian organizations.
The procedure guides in this document were written to advance the PRA, which is intended to serve as a demonstration of the PRA process and its utility in the regulatory process and in plant operations. Furthermore, it is expected that the overall project will also advance the use of PRA methods and results in the regulation of nuclear power plants of VVER design, not only in the R.F. but also in other countries with such reactors.

1.2 Objectives

In order to carry out the PRA for KNPS Unit 1, it was decided that the methodology for doing a PRA should be defined and explained in a set of guides.
The writing of the guides would help assure that the PRA would be done according to an internationally acceptable and consistent framework. After individual tasks were completed, the guides could then be used to help in the review of that work. The first draft of the guides was used for the Kalinin PRA, and now this final report should be useful to PRA practitioners in other countries, in particular those with VVER plants. For the Kalinin PRA these guides complemented other forms of technical assistance provided by the NRC, namely classroom training and workshops. Therefore, it must be recognized that the guides alone will not provide the assistance needed to successfully complete a PRA for an organization that is relying on outside assistance.

1.3 Scope

The scope of this guide is a full-scope PRA. There are a number of major components that comprise the scope of a PRA, as illustrated in Figure 1.1.

1. It is necessary to identify all potential risks and decide on how many of these will be included in the PRA.
2. It is also necessary to determine the extent of the population exposed to the risks (e.g., health effects to the plant personnel or the surrounding population) and the population to be considered in the PRA.
3. Accidents can occur while the plant is at full power, at low power, or during a shutdown condition. The plant operating states to be considered in the PRA should, therefore, be clearly identified.
4. The types of possible events that can initiate an accident also need to be defined. Initiating events internal to the plant usually include transients, loss-of-coolant accidents (LOCAs), fires, and floods. Events external to the plant include seismic events, high wind, and others. Evaluation of sabotage events is not currently included in a full-scope PRA.
5. A complete PRA involves three sequential analytical parts or levels of risk, as shown in Figure 1.1:
   * Level 1 - involves the identification and quantification of the sequences of events leading to core damage;
   * Level 2 - involves the evaluation and quantification of the mechanisms, amounts, and probabilities of subsequent radioactive material releases from the containment; and
   * Level 3 - involves the evaluation and quantification of the resulting consequences to both the public and the environment. Consequences to plant personnel are usually not included in a Level 3 PRA.

Figure 1.1 The six components comprising a PRA

[2] In addition to GAN, the following organizations were involved: GAN's Scientific and Engineering Center for Nuclear and Radiation Safety, Kalinin Nuclear Power Station, the Experimental and Design Office Gidropress, Nizhny Novgorod Project Institute Atomenergoproect, and Rosenergoatom Consortium.

The procedure guides contained in this report do not cover all of the items discussed above and shown in Figure 1.1. The guidance is limited to accidents that involve only the reactor core and that occur while the plant is operating at full power. Initiating events internal and external to the plant are considered and included in the scope of this report. Guidance is also provided for all three analytical levels. However, the Level 3 PRA guidance is limited to offsite consequences.

1.4 Limitations and General Comments

PRA - Guides

It was assumed that the team carrying out the PRA would be familiar with the guides developed by the International Atomic Energy Agency (IAEA, 1992 and IAEA, 1995) for carrying out Level 1 and Level 2 PRAs for internal events. The IAEA documents represent internationally acceptable approaches. The new guides were to improve on the existing guides by: (1) taking into account recent work in the field, (2) considering special problems that might be specifically present for the VVER experience, and (3) improving upon the guidance already provided. The idea was not to duplicate the existing guidance found in the IAEA documents or the material in other guides that have been produced by the NRC, e.g., NRC (1981), NRC (1996) and Drouin (1987).
For subjects not well documented in the open literature (e.g., the approach taken for human reliability analysis), detailed guidance would be given; for tasks where a firm understanding was already well established and documentation freely available (e.g., system modeling), minimal guidance and appropriate references would be provided.

PRA - Assumptions and Limitations

The following assumptions and limitations are generally found in a PRA, regardless of its scope or analytical approach:
* The plant is operating within its regulatory requirements.
* The design and construction of the plant are adequate and satisfy the established design criteria for the plant.
* Plant aging effects are not modeled; that is, constant equipment failure rates are assumed.
* The PRA is calculated for an "average" plant configuration. The plant can be in many different configurations (especially during shutdown) for short periods of time, and it is not practical to calculate the risk from all of the potential configurations. Instead, the average plant risk is calculated using test and maintenance outage events in the PRA models to represent average unavailabilities of systems (or portions of systems). The average system unavailabilities reflect the availability of the systems during all the different configurations actually experienced in the past operation of the plant. The actual test and maintenance unavailabilities for the plant systems thus must be calculated using plant-specific operational data.
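The last two assumptions above (constant failure rates, and average test and maintenance unavailabilities computed from plant-specific operational data) are also what the Parameter Estimation element in Section 2.2.1 asks for. The Python below is an added example, not part of this report or of the Kalinin PRA: it computes a train's average test-and-maintenance unavailability from a constructed outage log and combines a generic failure-rate estimate with constructed plant-specific failure data by the standard gamma-Poisson conjugate update. The outage records, the generic prior (mean and standard deviation both 1e-5 per hour), the 15600 hours of exposure with zero failures, the 720 hour test interval and the demand failure probability of 1e-3 are all assumed values chosen for the illustration.

```python
"""Plant-specific parameter estimation for a Level 1 model (added example).

Covers two points made in the report: test-and-maintenance unavailability is
an average over the configurations actually experienced, computed from
plant-specific outage records, and equipment failure rates are constant (no
ageing) and combine generic experience with plant-specific operating history.
The outage log, prior and plant data below are constructed and belong to no
real plant.
"""
from dataclasses import dataclass
from datetime import datetime
from math import exp, sqrt


@dataclass(frozen=True)
class Outage:
    train: str
    start: datetime
    end: datetime
    reason: str  # "test" or "maintenance"

    @property
    def hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600.0


# Constructed at-power outage records for two trains of a standby system.
OUTAGE_LOG = [
    Outage("A", datetime(2001, 1, 10, 8), datetime(2001, 1, 10, 20), "test"),
    Outage("A", datetime(2001, 3, 2, 0), datetime(2001, 3, 5, 0), "maintenance"),
    Outage("A", datetime(2001, 7, 15, 8), datetime(2001, 7, 15, 20), "test"),
    Outage("B", datetime(2001, 2, 14, 6), datetime(2001, 2, 14, 18), "test"),
    Outage("B", datetime(2001, 6, 1, 0), datetime(2001, 6, 11, 0), "maintenance"),
    Outage("B", datetime(2001, 8, 20, 6), datetime(2001, 8, 20, 18), "test"),
]
AT_POWER_HOURS = 7800.0  # constructed: hours the plant was at power in the window


def tm_unavailability(log, train, at_power_hours=AT_POWER_HOURS):
    """Average T&M unavailability of one train: hours out of service while the
    plant is at power divided by hours at power. Outages taken during shutdown
    are not in the log because the full-power model does not see them."""
    out = sum(o.hours for o in log if o.train == train)
    if out > at_power_hours:
        raise ValueError("outage hours exceed the at-power window")
    return out / at_power_hours


def standby_unavailability(lam_per_hour, test_interval_hours):
    """Time-averaged unavailability of a standby component with constant
    failure rate lam that is tested every T hours: 1 - (1 - e^(-lam*T))/(lam*T),
    which is lam*T/2 to first order. Constant lam is the no-ageing assumption."""
    x = lam_per_hour * test_interval_hours
    if x <= 0:
        raise ValueError("failure rate and test interval must be positive")
    return 1.0 - (1.0 - exp(-x)) / x


def train_unavailability(q_tm, q_standby, q_demand):
    """Union of the three independent ways to lose the train (exact rather than
    the rare-event sum, so the result is still a probability)."""
    return 1.0 - (1.0 - q_tm) * (1.0 - q_standby) * (1.0 - q_demand)


def gamma_from_mean_sd(mean, sd):
    """Shape and rate of a gamma prior with the given mean and standard
    deviation: how a generic failure-rate estimate and its spread become a prior."""
    alpha = (mean / sd) ** 2
    return alpha, alpha / mean


def gamma_poisson_update(alpha0, beta0, failures, exposure_hours):
    """Conjugate update of a failure rate (1/h). Prior Gamma(alpha0, beta0)
    combined with plant-specific Poisson data (failures in exposure_hours)
    gives posterior Gamma(alpha0 + failures, beta0 + exposure_hours); the
    posterior spread is the uncertainty the estimate has to carry."""
    if failures < 0 or exposure_hours < 0:
        raise ValueError("counts and exposure cannot be negative")
    alpha = alpha0 + failures
    beta = beta0 + exposure_hours
    return {"alpha": alpha, "beta": beta, "mean": alpha / beta, "sd": sqrt(alpha) / beta}


def estimate_train(train, failures, exposure_hours, test_interval_hours=720.0, q_demand=1e-3):
    """Assemble one train's unavailability from the plant data. The generic prior
    (mean and sd 1e-5/h), the monthly test interval and the demand failure
    probability are assumed values for this example."""
    alpha0, beta0 = gamma_from_mean_sd(1e-5, 1e-5)
    post = gamma_poisson_update(alpha0, beta0, failures, exposure_hours)
    q_tm = tm_unavailability(OUTAGE_LOG, train)
    q_sb = standby_unavailability(post["mean"], test_interval_hours)
    return {"q_tm": q_tm, "lambda": post["mean"], "q_standby": q_sb,
            "q_train": train_unavailability(q_tm, q_sb, q_demand)}


if __name__ == "__main__":
    for t in ("A", "B"):
        print(t, estimate_train(t, failures=0, exposure_hours=15600.0))
```

Train B carries a ten-day maintenance outage and ends up with roughly three times the T&M unavailability of train A, which is the kind of asymmetry a generic per-train number would hide; zero plant failures over the exposure period pull the posterior failure rate below the generic prior mean.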
1.5 References

Drouin, M. T., F. T. Harper, and A. L. Camp, Analysis of Core Damage Frequency from Internal Events: Methodology, Volume 1, NUREG/CR-4550/1, Sandia National Laboratories, September 1987.

IAEA, Procedures for Conducting Probabilistic Safety Assessments of Nuclear Power Plants (Level 2), Safety Series No. 50-P-8, International Atomic Energy Agency, 1995.

IAEA, Procedures for Conducting Probabilistic Safety Assessments of Nuclear Power Plants (Level 1), Safety Series No. 50-P-4, International Atomic Energy Agency, 1992.

NRC, Individual Plant Examination Program: Perspectives on Reactor Safety and Plant Performance, NUREG-1560, U.S. Nuclear Regulatory Commission, 1996.

NRC, PRA Procedures Guide - A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, NUREG/CR-2300, U.S. Nuclear Regulatory Commission, September 1981.
2. APPROACH

2.1 Scope of a PRA

The scope and quality of a PRA are key in determining the role PRA results can have in the decision-making regulatory activity. This section relies heavily on work reported in SECY 0162 (NRC, 2000). The scope of a PRA is defined by the following characteristics:

1. Degree of coverage of the potential hazards
2. Degree of coverage of the population exposed to the hazard
3. Degree of coverage of plant operating states (POSs) that define the plant's operating mode of concern: from full-power, to low-power, to shutdown modes of operation
4. Degree of coverage of initiating events, either internal or external to the plant boundary, that cause off-normal conditions
5. Level of characterization of risk:
   a. Level 1 PRA that estimates the CDF (given an event that challenges plant operation occurs)
   b. Level 2 PRA that estimates the containment failure and radionuclide release frequencies (given a core damage state occurs)
   c. Level 3 PRA that estimates the offsite consequences from a release, e.g., early and latent cancer fatalities (given a radionuclide release occurs)

NRC Regulatory Guide 1.200 (NRC, 2004) describes an approach for determining that the quality of a PRA is adequate and so provides confidence in its results. This guidance is consistent with existing NRC PRA policy, and it reflects on-going work by U.S. standard-setting and nuclear industry organizations.

Hazards cover a wide range of events that could potentially cause damage and health effects. For the purpose of performing a PRA of an NPP, the hazards considered are those materials located on the site that, if released, could potentially contaminate the environment and cause health effects to the on-site and off-site population.
Generally, hazards resulting from the release of radionuclides are considered. There are three possible sources of radionuclide release:
* Reactor core
* Spent fuel pool
* Fuel storage

The population that could be exposed to the hazard includes on-site workers and members of the population in the vicinity of the plant. The consequences of an accidental release of radioactive material from a nuclear power plant can be expressed in several forms, including impacts on human health, the environment, or economics.

Plant operating states (POSs) are used to subdivide the plant operating cycle into unique states such that the plant response can be assumed to be the same for all subsequent accident initiating events. Operational characteristics (such as reactor power level; in-vessel temperature, pressure, and coolant level; equipment operability; and changes in decay heat load or plant conditions that allow new success criteria) are examined to identify those important to defining plant operational states. The important characteristics are used to define the states, and the fraction of time spent in each state is estimated using plant-specific information. The risk perspective should be based on the total risk connected with the operation of the reactor, which includes not only full-power operation but also low-power and shutdown conditions. Therefore, to gain the maximum benefit from a PRA, the model should address all modes of operation.

Initiating events are events that have the ability to challenge the condition of the plant. These events include failure of equipment from either "internal plant causes" such as hardware faults, operator actions, floods or fires, or "external plant causes" such as seismic events or high winds. The risk perspective should be based on the total risk connected with the operation of the reactor, which includes events from both internal and external sources. Therefore, to gain the maximum benefit from a PRA, the model should address both internal and external initiating events.

The risk characterizations used in risk-informed applications are the core damage frequency (CDF) and health effects (to the surrounding population); therefore, to provide the risk perspective for use in decision-making, a Level 1, 2, and 3 PRA is required.

2.2 Scope of the Guides

An essential part of the PRA process is having confidence in the PRA results such that they can be used in decision making. An independent peer review of the PRA can provide confidence in the results.
Therefore, the scope of the PRA guides includes guidance for both performing the technical work and performing a peer review of the technical work.

2.2.1 Technical Guidance

As noted above, the scope of a PRA includes:
* the degree of coverage of
  - potential hazards
  - population impacted
  - plant operating states
  - initiating events
* the level of risk characterization.

The first major item above defines the scope of the PRA, while the second major item defines the analytical levels to be performed for the given scope. For this project, the PRA scope is limited to the following:
* hazards including accidents that involve the reactor core
* offsite population
* accidents occurring while the plant is operating at full power
* initiating events internal and external to the plant

The procedure guides contained in this report address this scope for all three analytical levels. The technical elements for each analytical level are listed in Table 2-1 and briefly described below. Plant Familiarization and Documentation are not separate elements in and of themselves but rather impact all of the technical elements, as noted in Table 2-1. As Plant Familiarization is required for all of the technical elements, it is discussed first. Documentation is discussed last because all of the technical elements provide input to this element. The guidelines for performing the technical elements for the above-defined scope are provided in Chapter 3.

Plant Familiarization

Before the technical analysis can begin, it is imperative that the analysis team becomes familiar with all aspects of the plant.
The quality of the information gathered in this task and the manner in which it is managed are critical to the success of the entire analysis effort. This information gathering process provides assurance that the possible core damage accident sequences are correctly defined and realistically describe the possible plant responses.

As this task provides the basic plant information needed to perform the analytical work, the accuracy of the information gathered is crucial. If inaccurate information is used (e.g., a plant drawing that is out of date because a pump has been removed from the system without the drawing being updated), the final results are likely to inaccurately reflect the operational risk of the plant. It is, therefore, important that all information be verified, and a method for verifying plant information should be developed early in the project.

The verification is aided by well organized and planned plant visits, which in part look at the actual plant components and layout and compare them with written descriptions and diagrams. The verification is also aided by the establishment of a plant information data management and retrieval system, which is described below.

The plant may not be a fixed entity. During (and after) the period of the PRA analysis, design and operational changes can occur at the plant. Many may not have a risk or safety impact. However, some of the changes could have the potential to significantly affect the final results of the analysis. At the start of the project a configuration freeze date, i.e., the date after which plant changes will not be included in the analysis, should be established.
Table 2-1 Technical elements of a PRA

Scope/Level of Analysis | Technical Elements (Note)

Risk Characterization (full power, internal events - transients and loss of coolant accidents)

Level 1
* Initiating Event Analysis
* Success Criteria Analysis
* Accident Sequence Analysis
* Systems Analysis
* Parameter Estimation Analysis
* Human Reliability Analysis
* Quantification Analysis
* Interpretation of Results

Level 2
* Plant Damage State Analysis
* Accident Progression Analysis
* Source Term Analysis
* Quantification
* Interpretation of Results

Level 3
* Data Collection
* Source Term Reduction
* Consequence Calculation
* Risk Integration

Initiating Events (Other Events)

Internal Flood
* Identification Analysis
* Evaluation Analysis
* Quantification Analysis

Internal Fire
* Screening Analysis
* Fire Initiation Analysis
* Fire Damage Analysis
* Plant Response Analysis

External Events
* Screening/Bounding Analysis
* Events Analysis
* Fragility Analysis
* Level 1 Model Modification

Risk Characterization

Level 1 PRA

The following provides a description of each of the Level 1 technical elements.

Initiating event analysis identifies and characterizes those random internal events that both challenge normal plant operation during power or shutdown conditions and require successful mitigation by plant equipment and personnel to prevent core damage from occurring. Events that have occurred at the plant and those that have a reasonable probability of occurring are identified and characterized. An understanding of the nature of the events is developed such that a grouping of the events into event classes, with the classes defined by similarity of system and plant responses (based on the success criteria), may be performed to manage the large number of potential events that can challenge the plant.

Success criteria analysis determines the minimum requirements for each function (and ultimately the systems used to perform the functions) needed to prevent core damage (or to mitigate a release) given an initiating event occurs. The requirements defining the success criteria are based on acceptable engineering analyses that represent the design and operation of the plant under consideration. The criteria needed for a function to be successful depend on the initiator and the conditions created by the initiator.
The code(s) used to perform the analyses for developing the success criteria are validated and verified for both technical integrity and suitability to assess plant conditions for the reactor pressure, temperature and flow range of interest, and to accurately analyze the phenomena of interest. Calculations are performed by personnel qualified to perform the types of analyses of interest and well trained in the use of the code(s).

Accident sequence analysis models, chronologically, the different possible progressions of events (i.e., accident sequences) that can occur from the start of the initiating event to either successful mitigation or core damage. The accident sequences account for those systems and operator actions that are used (and available) to mitigate the initiator based on the defined success criteria and plant operating procedures (e.g., plant emergency and abnormal operating procedures, and as practiced in simulator exercises). The availability of a system includes consideration of the functional, phenomenological and operational dependencies and interfaces between and among the different systems and operator actions during the course of the accident progression.

Systems analysis identifies the different combinations of failures that can preclude the ability of the system to perform its function as defined by the success criteria. The model representing the various failure combinations includes, from an as-built and as-operated perspective, the system hardware and instrumentation (and their associated failure modes) and the human failure events that would prevent the system from performing its defined function. The basic events representing equipment and human failures are developed in sufficient detail in the model to account for dependencies between and among the different systems, and to distinguish the specific equipment or human event (and its failure mechanism) that has a major impact on the system's ability to perform its function.

Parameter estimation analysis quantifies the frequencies of the identified initiators and quantifies the equipment failure probabilities and equipment unavailabilities of the modeled systems. The estimation process includes a mechanism for addressing uncertainties, has the ability to combine different sources of data in a coherent manner, and represents the actual operating history and experience of the plant together with applicable generic experience.

Human reliability analysis identifies and quantifies the human failure events that can negatively impact normal or emergency plant operations. The human failure events associated with normal plant operation include those events that leave the system (as defined by the success criteria) in an unrevealed, unavailable state. The human failure events associated with emergency plant operation include those events that, if not performed, do not allow the needed system to function. Quantification of the probabilities of these human failure events is based on plant- and accident-specific conditions, where applicable, including any dependencies among actions and conditions.

Quantification analysis provides an estimation of the CDF given the design, operation and maintenance of the plant. This CDF is based on the summation of the estimated CDF from each initiator class. If truncation of accident sequences and cutsets is applied, truncation limits are set so that the overall model results are not impacted significantly and important accident sequences are not eliminated. Therefore, the truncation limit can vary for each accident sequence. Consequently, the truncation value is selected so that the accident sequence CDF before and after truncation differs by less than one significant figure.

Interpretation of results entails examining and understanding the results of the PRA and identifying the important contributors sorted by initiating events, accident sequences, equipment failures and human errors. Methods such as importance measure calculations (e.g., Fussell-Vesely, risk achievement worth, risk reduction worth, and Birnbaum) are used to identify the contributions of various events to the model estimation of core damage frequency for both individual sequences and the model as a total. Sources of uncertainty are identified and their impact on the results analyzed. The sensitivity of the model results to model boundary conditions and other key assumptions is evaluated using sensitivity analyses to look at key assumptions both individually and in logical combinations. The combinations analyzed are chosen to fully account for interactions among the variables.

Level 2 PRA

The following provides a description of each of the Level 2 technical elements.

Plant damage state analysis groups similar core damage scenarios resulting from the full spectrum of core damage accidents identified in the Level 1 analysis to allow a practical assessment of the severe accident progression and containment response. The plant damage state analysis defines the attributes of the core damage scenarios that represent important boundary conditions to the assessment of severe accident progression and
containment response that ultimately affect the resulting source term. The attributes address the dependencies between the containment systems modeled in the Level 2 analysis and the core damage accident sequence models, to fully account for mutual dependencies. Core damage scenarios with similar attributes are grouped together to allow for efficient evaluation of the Level 2 response.

Severe accident progression analysis models the different series of events that challenge containment integrity for the core damage scenarios represented in the plant damage states.
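Before continuing with the Level 2 elements, the Level 1 Quantification and Interpretation of Results elements described above reduce to a few calculations over the minimal cutsets. The Python below is an added example, not part of this report or of any PRA code: it quantifies a constructed three-sequence model with the rare-event approximation, selects a truncation limit per sequence against the one-significant-figure criterion (read here, as an assumption, as a difference smaller than one unit in the leading digit of the untruncated sequence CDF), and computes the Fussell-Vesely, risk achievement worth, risk reduction worth and Birnbaum measures. Event names, probabilities and initiator-class frequencies are constructed and do not describe any plant.

```python
"""Level 1 quantification from minimal cutsets (added example).

The model is a dictionary of accident sequences, each with an initiator-class
frequency (per year) and its minimal cutsets (sets of basic events whose
probabilities are in PROBS). The functions do what the Quantification and
Interpretation of Results elements describe: rare-event CDF per sequence and
in total, a per-sequence truncation limit checked against the "less than one
significant figure" criterion, and Fussell-Vesely (FV), risk achievement worth
(RAW), risk reduction worth (RRW) and Birnbaum importances. All event names,
probabilities and frequencies are constructed, not a plant model.
"""
from math import floor, log10

PROBS = {
    "AFW": 1e-3,      # auxiliary feedwater fails
    "OP-FB": 5e-2,    # operator fails to start feed and bleed
    "HPI-A": 5e-3,    # high pressure injection train A fails
    "HPI-B": 5e-3,
    "HPI-CCF": 2e-4,  # common cause failure of both HPI trains
    "DG-A": 2e-2,     # diesel generator A fails
    "DG-B": 2e-2,
    "DG-CCF": 1e-3,
    "SW": 1e-4,       # service water lost: a single-event cutset in every sequence
}

# sequence name -> (initiator class frequency per year, minimal cutsets)
MODEL = {
    "T-LOFW": (0.5, [{"AFW", "OP-FB"}, {"AFW", "HPI-A", "HPI-B"},
                     {"AFW", "HPI-CCF"}, {"SW"}]),
    "LOOP": (0.05, [{"DG-A", "DG-B"}, {"DG-CCF"}, {"SW"}]),
    "SLOCA": (2e-3, [{"HPI-A", "HPI-B"}, {"HPI-CCF"}, {"SW"}]),
}


def cutset_prob(cutset, probs):
    p = 1.0
    for event in cutset:
        p *= probs[event]
    return p


def sequence_cdf(seq, probs, truncation=0.0):
    """Rare-event approximation: frequency times the sum of the cutset
    probabilities, dropping any cutset whose frequency contribution falls
    below the truncation limit."""
    freq, cutsets = seq
    return sum(c for c in (freq * cutset_prob(cs, probs) for cs in cutsets)
               if c >= truncation)


def total_cdf(model, probs, truncation=0.0):
    """CDF is the sum over initiator classes / sequences."""
    return sum(sequence_cdf(s, probs, truncation) for s in model.values())


def truncation_acceptable(untruncated, truncated):
    """Reading of the report's criterion (an assumption): the truncated
    sequence CDF may differ from the full value by less than one unit in the
    full value's leading significant figure, so 7.51e-5 vs 7.5e-5 passes and
    7.5e-5 vs 5e-5 fails."""
    if untruncated <= 0:
        return truncated == 0
    unit = 10.0 ** floor(log10(untruncated))
    return abs(untruncated - truncated) < unit


def select_truncation(seq, probs, candidates=(1e-4, 1e-5, 1e-6, 1e-7, 1e-8, 1e-9, 1e-10)):
    """Largest candidate limit that keeps the sequence within the criterion;
    as the report notes, it can differ from sequence to sequence."""
    full = sequence_cdf(seq, probs)
    for t in candidates:
        if truncation_acceptable(full, sequence_cdf(seq, probs, t)):
            return t
    return 0.0


def conditional_cdf(model, probs, failed=(), restored=()):
    """CDF with some basic events set to 1 (failed) or 0 (perfectly reliable).
    The same evaluation gives a conditional core damage probability when a
    whole set of equipment is assumed lost, as in fire-area screening."""
    p = dict(probs)
    p.update({e: 1.0 for e in failed})
    p.update({e: 0.0 for e in restored})
    return total_cdf(model, p)


def importance(model, probs, event):
    r = total_cdf(model, probs)
    r1 = conditional_cdf(model, probs, failed=[event])
    r0 = conditional_cdf(model, probs, restored=[event])
    return {"FV": (r - r0) / r, "RAW": r1 / r, "RRW": r / r0, "Birnbaum": r1 - r0}


def rank_events(model, probs, measure="FV"):
    """Basic events sorted by the chosen importance measure, highest first."""
    return sorted(((e, importance(model, probs, e)[measure]) for e in probs),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("CDF/yr:", total_cdf(MODEL, PROBS))
    for name, seq in MODEL.items():
        print(name, "truncation limit:", select_truncation(seq, PROBS))
    for event, fv in rank_events(MODEL, PROBS):
        print(f"{event:8s} FV={fv:.3f}")
```

The transient sequence tolerates a truncation limit of 1e-5 while the small LOCA sequence needs 1e-7, which is the per-sequence variation the text describes. The single-event cutset SW ranks first on Fussell-Vesely, and its Birnbaum importance equals the summed initiator frequency: with the rare-event approximation, an event that defeats every sequence by itself has Birnbaum importance equal to the total frequency of the initiators whose sequences contain it.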
The accident progressions account for interactions among severe accident phenomena and system and human responses to identify credible containment failure modes, including failure to isolate the containment. The timing of major accident events and the subsequent loadings produced on the containment are evaluated against the capacity of the containment to withstand the potential challenges. The containment performance during the severe accident is characterized by the timing (e.g., early versus late), size (e.g., catastrophic versus bypass), and location of any containment failures. The code(s) used to perform the analysis are validated and verified for both technical integrity and suitability. Calculations are performed by personnel qualified to perform the types of analyses of interest and well trained in the use of the code(s).

Source term analysis characterizes the radiological release to the environment resulting from each severe accident sequence leading to containment failure or bypass. The characterization includes the time, elevation, and energy of the release and the amount, form, and size of the radioactive material that is released to the environment.

Quantification integrates the accident progression models and source term evaluation to provide estimates of the frequency of radionuclide releases that could be expected following the identified core damage accidents. This quantitative evaluation reflects the different magnitudes and timing of radionuclide releases.

Interpretation of results entails examining results from importance measure calculations (e.g., Fussell-Vesely, risk achievement worth, risk reduction worth, and Birnbaum) to identify the contributions of various events to the model estimation of risk for both individual sequences and the model as a total. Sources of uncertainty are identified and their impact on the results analyzed. The sensitivity of the model results to model boundary conditions and other key assumptions is evaluated using sensitivity analyses to look at key assumptions both individually and in logical combinations. The combinations analyzed are chosen to fully account for interactions among the variables.

Level 3 PRA

The following provides a description of each of the Level 3 technical elements.

Data Collection is a compilation of the demographic and weather-related data needed to predict how the radionuclides will be dispersed to the environment.
Atmospheric dispersion models require the specification of local meteorology and terrain; deposition models require information regarding the frequency and intensity of precipitation; dose and health effects models require information regarding local demographics and land use (e.g., crops grown, dairy activity).

Source Term Reduction groups the severe accident progressions resulting from the full spectrum of severe accidents into a smaller number of representative release categories to allow a practical assessment of the offsite consequences. The reduction process identifies the attributes that represent important boundary conditions that ultimately affect the offsite consequences. Accident progressions with similar attributes are grouped together to allow for efficient evaluation in the Level 3 analysis.

Consequence Calculations provide a conditional estimation of the early and latent fatalities and the extent of land contamination that would be expected following severe accidents. This quantification does not reflect the actual risk associated with operating the plant (this is estimated in the risk integration task below), but deterministically calculates, for each of the representative release categories, the dispersal of the radioactive plume in the environment, the dose (and associated health effects) to the population, and the contamination of the surrounding land.

Risk Integration combines the results from all previous analyses (i.e., CDF, release frequency and conditional fatalities) to compute the selected measures of risk. For a given consequence measure, risk is obtained as the sum over all postulated accidents of the product of the frequency and consequence of the accident. The methods for computing integrated risk are based on combining the results of all constituent analyses of the PRA: from the initiating event and core damage frequencies calculated in the Level 1 analysis, through the set of plant damage states and containment event trees and associated source term frequencies estimated in the Level 2 analysis, to the conditional probabilities of the consequence measures evaluated in the Level 3 analysis.

Other Events

The following provides a description of each of the Other Events technical elements. Because of the nature and impact of internal flood, internal fire and external hazards, their attributes need to be discussed separately: flood, fire and external hazards can cause initiating events, but they can also impair the availability of mitigating systems. Therefore, in developing the PRA model, the impact of flood, fire and external hazards needs to be considered in each of the above technical elements. A summary of the desired attributes of acceptable internal flood, internal fire and external hazards analyses is provided below.

Internal Floods

Identification analysis identifies those plant areas where flooding could pose significant risk. Flooding areas are defined on the basis of physical barriers, mitigation features, and propagation pathways. For each flooding area, flood sources due to equipment (e.g., piping, valves, pumps), internal (e.g., tanks) and external (e.g., rivers) water sources are identified along with the affected SSCs. Flooding mechanisms are examined, which include failure modes of components, human-induced mechanisms, and other water-releasing events.
Flooding types (e.g., leak, rupture, spray) and flood sizes are determined. Plant walkdowns are performed to verify the accuracy of the information.

Evaluation analysis identifies the potential flooding scenarios for each flood source by identifying the propagation paths of water from the flood source to its accumulation point (e.g., pipe and cable penetrations, doors, stairwells, failure of doors or walls). Plant design features or operator actions that have the ability to terminate the flood are identified. Credit given for flood isolation is justified. The susceptibility of each SSC in a flood area to flood-induced mechanisms is examined (e.g., submergence, spray, pipe whip, and jet impingement). Flood scenarios are developed by examining the potential for propagation and giving credit for flood mitigation. Flood scenarios can be eliminated on the basis of screening criteria. The screening criteria used are well defined and justified.

Quantification analysis provides an estimation of the CDF of the plant due to internal floods. Flooding-induced initiating events that represent the design, operation and experience of the plant are identified and their frequencies quantified. The Level 1 models are modified and the internal flood accident sequences quantified: (1) modify accident sequence models to address flooding phenomena, (2) perform the necessary calculations to determine success criteria for flooding mitigation, (3) perform parameter estimation analysis to include flooding as a failure mode, (4) perform human reliability analysis to account for PSFs due to flooding, and (5) quantify the internal flood accident sequence CDF. Modification of the Level 1 models is performed consistent with the characteristics of the Level 1 elements for transients and LOCAs. In addition, sources of uncertainty are identified and their impact on the results analyzed. The sensitivity of the model results to model boundary conditions and other key assumptions is evaluated using sensitivity analyses to look at key assumptions both individually and in logical combinations. The combinations analyzed are chosen to fully account for interactions among the variables.

Internal Fires

Screening analysis identifies fire areas where fires could pose a significant risk. Fire areas which are not risk significant can be "screened out" from further consideration in the PRA analysis. Both qualitative and quantitative screening criteria can be used. The former address whether an unsuppressed fire in the area poses a nuclear safety challenge; the latter are compared against a bounding assessment of the fire-induced core damage frequency for the area. The potential for fires involving multiple areas should be addressed. Assumptions used in the screening analysis should be verified through appropriate plant walkdowns.
- 2. Approach 2-7Key screening analysis assumptions and results,e.g., the area-specific conditional core damage probabilities (assuming fire-induced loss of all equipment in the area), should be documented.Fire initiation analysis determines the frequencyand physical characteristics of the detailed (within-area) fire scenarios analyzed for the unscreened fire areas. The analysis needs toidentify a range of scenarios which will be used torepresent all possible scenarios in the area. Thepossibility of seismically-induced fires should beconsidered. The scenario frequencies should reflect plan t-specific experience, and should bequantified in a manner that is consistent with theiruse in the subsequent fire damage ana lysis(discussed below). The physical characterization ofeach scenario should also be in terms that will support the fire damage analysis (especially withrespect to fire modeling).Fire damage analysis determines the conditionalprobability that sets of potentially risk-significantcomponents (including cables) will be damaged ina particular mode, given a specified fire scenario.The analysis needs to address components whose failure will cause an initiating event, affect the plant's ability to mitigate an initiating event, or affectpotentially risk significant equipment (e.g., throughsuppression system actuation). Damage from heat,smoke, and exposure to suppressants should be considered. If fire models are used to predict fire-induced damage, compartment-specificfeatures (e.g., ventilation, geometry) andtarget-specific features (e.g., cable location relativeto the fire) should be addressed. The fire suppression analysis should account for the scenario-specific time required to detect, respondto, and extinguish the fire. 
The models and dataused to analyze fire growth, fire suppression, and fire-induced component damage should be consistent with experience from actual nuclear power plant fire experience as well as experiments.Plant response anal ysis involves the modificationof appropriate plant transient and LOCA PRAmodels to determine the conditional core damage probability, given damage to the set(s) ofcomponents defined in the fire damage analysis.All potentially significant fire-induced initiating events, including such "special" events as loss ofplant support systems, and interactions betweenmultiple nuclear units during a fire event, should beaddressed. The analysis should address theavailability of non-fire affected equipment (includingcontrol) and any required manual actions. For fire scenarios involving control room abandonment, theanalysis should address the circuit interactionsraised in NUREG/CR-5088, including the possibilityof fire-indu ced damage prior to transfer to thealternate shutdown panel(s). The human re liabilityanalysis of operator actions should address fireeffects on operators (e.g., heat, smoke, loss oflighting, effect on instrumentation) and fire-spec ificoperational issues (e.g., fire response operatingprocedures, training on these procedures, potentialcomplications in coordinating activities). In addition,sources of uncertainty are identified and theirimpact o the results analyzed. The sensitivity of the model results to model boundary conditions andother key assumptions is evaluated using sensitivity analyses to look at key assumptions bothindividually or in logical combinations. Thecombinations analyzed are chosen to fully accountfor interactions among the variables.External Events Screening and bounding analysis identifiesexternal events other t han earthquake that maychallenge plant operations and require successfulmitigation by plant equipment and personnel toprevent core damage from occurring. 
The term"screening out" is used here for the processwhereby an external event is excluded from further consideration in the PRA analysis. There are twofundamental screening criteria embedded in the requirements here, as follows: An event can bescreened out either (I) if it meets the certain designcriteria, or (ii) if it can be shown using an ana lysisthat the mean value of the design-basis hazardused in the plant design is less than 10-5/year, and that the conditional core-damage probability is lessthan 10-1, given the occurrence of the design-basis hazard. An external event that cannot be screened out using either of these criteria is subjected to the detailed-analysis.Event Analysis characterizes non-screenedexternal events and seismic events, generally, as frequencies of occurrence of different sizes of events (e.g., earthquakes with various peak groundaccelerations, hurricanes with various maximum wind speeds) at the site. The external events aresite specific and include both aleatory andepistemic uncertainties.
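The screening criterion (ii) above, and the assembly of hazard-curve, fragility and system results that the fragility analysis and Level 1 model modification elements below describe, can be worked through numerically. The following Python is an added example, not code from this guide or from any PRA tool. Everything in it is constructed for illustration: the site hazard curve (annual exceedance frequency versus peak ground acceleration), the single lognormal plant-level fragility (median capacity A_m, logarithmic standard deviation beta) that stands in for the system model, and the design-basis acceleration.

```python
"""External-event screening and hazard/fragility integration.

Added example, not code from the guide. The hazard curve, fragility
parameters and design-basis value below are constructed for illustration.
"""
import math

HAZARD_FREQ_LIMIT = 1e-5   # mean frequency of the design-basis hazard, per year
CCDP_LIMIT = 0.1           # conditional core damage probability given that hazard


def can_screen_out(meets_design_criteria, design_basis_freq, ccdp):
    """Criterion (i): the event meets the design criteria.
    Criterion (ii): design-basis hazard frequency below HAZARD_FREQ_LIMIT
    AND conditional core damage probability below CCDP_LIMIT.
    Both halves of (ii) are required; a low CCDP alone does not screen."""
    if meets_design_criteria:
        return True
    return design_basis_freq < HAZARD_FREQ_LIMIT and ccdp < CCDP_LIMIT


def lognormal_fragility(a, median_capacity, beta):
    """P_f(a) = Phi(ln(a / A_m) / beta): conditional failure probability at
    hazard intensity a (here peak ground acceleration in g)."""
    if a <= 0.0:
        return 0.0
    z = math.log(a / median_capacity) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def exceedance_at(intensities, exceed_freqs, a):
    """H(a): annual frequency with which intensity a is exceeded,
    interpolated log-log between the tabulated hazard-curve points."""
    if a <= intensities[0]:
        return exceed_freqs[0]
    if a >= intensities[-1]:
        return exceed_freqs[-1]
    for i in range(len(intensities) - 1):
        a0, a1 = intensities[i], intensities[i + 1]
        if a0 <= a < a1:
            h0, h1 = exceed_freqs[i], exceed_freqs[i + 1]
            t = (math.log(a) - math.log(a0)) / (math.log(a1) - math.log(a0))
            return math.exp(math.log(h0) + t * (math.log(h1) - math.log(h0)))
    raise ValueError("hazard curve must be sorted by intensity")


def integrate_cdf(intensities, exceed_freqs, median_capacity, beta):
    """Convolve the hazard curve with the fragility:
    CDF = sum_i [H(a_i) - H(a_{i+1})] * P_f(geometric midpoint of interval i).
    The open tail above the last point is bounded conservatively with P_f = 1.
    Returns (cdf, per-interval contributions)."""
    contributions = []
    n = len(intensities)
    for i in range(n):
        if i < n - 1:
            delta_h = exceed_freqs[i] - exceed_freqs[i + 1]
            a_mid = math.sqrt(intensities[i] * intensities[i + 1])
            pf = lognormal_fragility(a_mid, median_capacity, beta)
        else:
            delta_h = exceed_freqs[i]
            pf = 1.0
        contributions.append(delta_h * pf)
    return sum(contributions), contributions


# Constructed site hazard curve: PGA (g) and annual exceedance frequency.
PGA = [0.05, 0.1, 0.2, 0.4, 0.8]
H = [1e-3, 2e-4, 3e-5, 4e-6, 5e-7]
# Constructed plant-level fragility standing in for the system model.
A_M, BETA = 0.6, 0.4
DESIGN_BASIS_PGA = 0.1   # constructed design-basis acceleration


def screening_decision():
    """Apply criterion (ii) to the constructed site and design basis."""
    freq = exceedance_at(PGA, H, DESIGN_BASIS_PGA)
    ccdp = lognormal_fragility(DESIGN_BASIS_PGA, A_M, BETA)
    return freq, ccdp, can_screen_out(False, freq, ccdp)


if __name__ == "__main__":
    freq, ccdp, screened = screening_decision()
    print(f"H(design basis) = {freq:.2e}/yr, CCDP = {ccdp:.2e}, screened out: {screened}")
    cdf, parts = integrate_cdf(PGA, H, A_M, BETA)
    for a, c in zip(PGA, parts):
        print(f"  interval starting at {a:.2f} g contributes {c:.2e}/yr")
    print(f"CDF = {cdf:.2e}/yr")
```

For the constructed site, criterion (ii) fails even though the conditional core damage probability at the design-basis acceleration is tiny, because the design-basis hazard frequency is 2E-4 per year, above the 10^-5 limit. The per-interval contributions show where the risk comes from: the 0.4 to 0.8 g interval dominates, where the hazard is still frequent enough and the fragility already appreciable. Bounding the tail with P_f = 1 is conservative, and collapsing the system model to one lognormal fragility is a simplification of the coordinated fragility and system analysis the guide calls for.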
Fragility analysis characterizes the conditional probability of failure of important structures, systems, and components (SSCs) whose failure may lead to unacceptable damage to the plant (e.g., core damage), given the occurrence of an external event. For important SSCs, the fragility analysis is realistic and plant-specific, and is based on extensive plant walkdowns reflecting as-built, as-operated conditions.

Level 1 model modification assures that the system models include all important external-event-caused initiating events that can lead to core damage or large early release. The system model includes external-event-induced SSC failures, non-external-event-induced (random) failures, and human errors. The system analysis is well coordinated with the fragility analysis and is based on plant walkdowns. The results of the external event hazard analysis, the fragility analysis, and the system models are assembled to estimate the frequencies of core damage and large early release. Uncertainties in each step are propagated through the process and displayed in the final results. The quantification process is capable of conducting the necessary sensitivity analyses and of identifying dominant sequences and contributors.

Documentation

Traceability and defensibility provides the necessary information such that the results can easily be reproduced and justified. The sources of information used in the PRA are both referenced and retrievable. The methodology used to perform each aspect of the work is described, either by documenting the actual process or by reference to existing methodology documents. Assumptions(1) made in performing the analyses are identified and documented along with their justification, to the extent that the context of the assumption is understood. The results (e.g., products and outcomes) from the various analyses are documented.

2.2.2 Guidance for Peer Review Process

A peer review process can be used to identify weaknesses in the PRA and the importance of those weaknesses to the confidence in the PRA results.
An acceptable peer review needs to be performed by qualified personnel, needs to follow an established process that compares the PRA against the desired characteristics and attributes, and needs to document the results, including both strengths and weaknesses of the PRA.

The team qualifications determine the credibility and acceptability of the peer reviewers. The peer reviewers should not give any perception of a conflict of interest; therefore, they should be independent of the PRA and should not have performed any technical work on it. The members of the peer review team should have technical expertise in the PRA elements they review, including experience in the specific methods used to perform those elements. In addition, knowledge of the specific plant design and operation is essential. Finally, each member of the peer review team should be knowledgeable of the peer review process, including the desired characteristics and attributes used to assess the acceptability of the PRA.

The peer review process includes a documented procedure to direct the team in evaluating the acceptability of a PRA. The review process should compare the PRA against the desired PRA characteristics and attributes, which are listed in Table 2-2 below. In addition to reviewing the methods used in the PRA, the peer review also determines whether those methods were applied correctly. The PRA models should be compared against the plant design and procedures to validate that they reflect the as-built and as-operated plant. Key assumptions should be reviewed to determine whether they are appropriate and whether they have a significant impact on the PRA results. The PRA results should be checked for fidelity with the model structure and also for consistency with the results from PRAs for similar plants. Finally, the peer review process should examine the procedures or guidelines in place for updating the PRA to reflect changes in plant design, operation, or experience.

Documentation provides the necessary information such that the peer review process and the findings are both traceable and defensible. A description of the qualifications of the peer review team members and of the peer review process should be documented. The results of the peer review for each technical element and for the PRA update process should be described, including those areas where the PRA does not meet or exceed the desired characteristics and attributes used in the review process. This includes an assessment of the importance of any identified deficiencies on the PRA results and potential uses, and of how these deficiencies were addressed and resolved.
2.3 References

NRC, "Addressing PRA Quality in Risk-Informing Activities," SECY-00-0162, July 28, 2000.

NRC, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," Regulatory Guide 1.200, issued for trial use, February 2004.

Table 2-2 Summary of technical characteristics and attributes of a PRA

Plant Familiarization
* identification of plant information sources to provide sufficient plant knowledge such that the PRA model represents the as-built and as-operated plant and reflects the actual operating history
* design and operational understanding confirmed by actual plant walkdowns and interviews of operators

Level 1 PRA (internal events: transients and loss of coolant accidents (LOCAs))

Initiating Event Analysis
* sufficiently detailed identification and characterization of initiators
* grouping of individual events according to plant response and mitigating requirements
* proper screening of any individual or grouped initiating events

Success Criteria Analysis
* based on best-estimate engineering analyses applicable to the actual plant design and operation
* codes developed, validated, and verified in sufficient detail to:
  - analyze the phenomena of interest
  - be applicable in the pressure, temperature, and flow range of interest

Accident Sequence Development Analysis
* defined in terms of hardware, operator action, and timing requirements and desired end states (e.g., CD or PDSs)
* includes necessary and sufficient equipment (safety and non-safety) reasonably expected to be used to mitigate initiators
* includes functional, phenomenological, and operational dependencies and interfaces

Systems Analysis
models developed in sufficient detail to:
* reflect the as-built, as-operated plant, including how it has performed during the plant history
* reflect the required success criteria for the systems to mitigate each identified accident sequence
* capture the impact of dependencies, including support systems and harsh environmental impacts
* include both active and passive components and failure modes that impact the function of the system
* include common cause failures, human errors, unavailability due to test and maintenance, etc.

Parameter Estimation Analysis
* estimation of parameters associated with initiating event, basic event probability models, recovery actions, and unavailability events that account for plant-specific and generic data
* consistent with component boundaries
* estimation includes a characterization of the uncertainty

Human Reliability Analysis
* identification and definition of the human failure events that would result in initiating events, or pre- and post-accident human failure events that would impact the mitigation of initiating events
* quantification of the associated human error probabilities taking into account scenario (where applicable) and plant-specific factors and including appropriate dependencies both pre- and post-accident

Quantification
* estimation of the CDF for modeled sequences that are not screened due to truncation, given as a mean value
* estimation of the accident sequence CDFs for each initiating event group
* truncation values set relative to the total plant CDF such that the frequency is not significantly impacted

Interpretation of Results
* identification of the key contributors to CDF: initiating events, accident sequences, equipment failures and human errors
* identification of sources of uncertainty and their impact on the results
* understanding of the impact of the key assumptions* on the CDF and the identification of the accident sequences and their contributors

Level 2 PRA

Plant Damage State Analysis
* identification of the attributes of the core damage scenarios that influence severe accident progression, containment performance, and any subsequent radionuclide releases
* grouping of core damage scenarios with similar attributes into plant damage states
* carryover of relevant information from Level 1 to Level 2

Severe Accident Progression Analysis
* use of verified, validated codes by qualified, trained users with an understanding of the code limitations and the means for addressing the limitations
* assessment of the credible severe accident phenomena via a structured process
* assessment of containment system performance, including linkage with failure modes of non-containment systems
* establishment of the capacity of the containment to withstand severe accident environments
* assessment of accident progression timing, including timing of loss of containment integrity

Quantification
* estimation of the frequency of different containment failure modes and resulting radionuclide source terms

Source Term Analysis
* assessment of radionuclide releases, including appreciation of timing, location, amount and form of release
* grouping of radionuclide releases into a smaller subset of representative source terms, with emphasis on large early release (LER) and on large late release (LLR)

Interpretation of Results
* identification of the contributors to containment failure and resulting source terms
* identification of sources of uncertainty and their impact on the results
* understanding of the impact of the key assumptions* on Level 2 results

Level 3

Data Collection
* data regarding local meteorology and terrain, site demographics, and local land use represent current, plant-specific conditions

Source Term Reduction
* source terms used to calculate offsite consequences preserve the full range of early (mechanistic) and late (stochastic) health effects that would result from the actual Level 2 source terms

Consequence Calculation
* variability in weather addressed as a major uncertainty in consequences

Risk Integration
* integrates results of Levels 1, 2 and 3 to compute various measures of risk
* each of the three PRA Levels is linked together in a self-consistent and statistically rigorous manner

Internal Flood Analysis

Identification Analysis
* sufficiently detailed identification and characterization of:
  - flood areas and SSCs located within each area
  - flood sources and flood mechanisms
  - the type of water release and capacity
  - the structures functioning as drains and sumps
* verification of the information through plant walkdowns

Evaluation Analysis
* identification and evaluation of:
  - flood propagation paths
  - flood mitigating plant design features and operator actions
  - the susceptibility of SSCs in each flood area to the different types of floods
* elimination of flood scenarios uses well defined and justified screening criteria

Quantification
* identification of flooding-induced initiating events on the basis of a structured and systematic process
* estimation of flooding initiating event frequencies
* estimation of CDF for chosen flood sequences
* modification of the Level 1 models to account for flooding effects, including uncertainties

Internal Fire Analysis

Screening Analysis
* all potentially risk-significant fire areas are identified and addressed
* all required mitigating components and their cables in each fire area are identified
* screening criteria are defined and justified
* necessary walkdowns are performed to confirm the screening decisions
* screening process and results are documented
* unscreened areas are subjected to an appropriate level of evaluation (including detailed fire PRA evaluations as described below) as needed

Fire Initiation Analysis
* all potentially significant fire scenarios in each unscreened area are addressed
* fire scenario frequencies reflect plant-specific features
* fire scenario physical characteristics are defined
* bases are provided for screening fire initiators

Fire Damage Analysis
* damage to all potentially significant components is addressed; all potential component failure modes are considered
* all potentially significant damage mechanisms are identified and addressed; damage criteria are specified
* analysis addresses scenario-specific factors affecting fire growth, suppression, and component damage
* models and data are consistent with actual fire experience as well as with experiments
* includes evaluation of propagation of fire and fire effects (e.g., smoke) between fire compartments

Plant Response Analysis
* all potentially significant fire-induced initiating events are addressed so that their bases are included in the model
* includes fire scenario impacts on core damage mitigation and containment systems, including fire-induced failures
* analysis reflects the plant-specific safe shutdown strategy
* potential circuit interactions which can interfere with safe shutdown are addressed
* human reliability analysis addresses the effect of fire scenario-specific conditions on operator performance

Quantification
* estimation of fire CDF for chosen fire scenarios
* identification of sources of uncertainty and their impact on the results
* understanding of the impact of the key assumptions* on the CDF
* all fire risk-significant sequences are traceable and reproducible

External Events Analysis

Screening and Bounding Analysis
* credible external events (natural and man-made) that may affect the site are addressed
* screening and bounding criteria are defined and results are documented
* necessary walkdowns are performed
* non-screened events are subjected to an appropriate level of evaluation

Event Analysis
* the event analysis is site- and plant-specific
* the event analysis addresses uncertainties

Fragility Analysis
* fragility estimates are plant-specific for important SSCs
* walkdowns are conducted to identify plant-unique conditions, failure modes, and as-built conditions

Level 1 Model Modification
* important external-event-caused initiating events that can lead to core damage and large early release are included
* external-event-related unique failures and failure modes are incorporated
* equipment failures from other causes and human errors are included; when necessary, human error data are modified to reflect unique circumstances related to the external event under consideration
* unique aspects of common causes, correlations, and dependencies are included
* the systems model reflects as-built, as-operated plant conditions
* the integration/quantification accounts for the uncertainties in each of the inputs (i.e., hazard, fragility, system modeling) and in the final quantitative results such as CDF and LERF
* the integration/quantification accounts for all dependencies and correlations that affect the results

Documentation

Traceability and Defensibility
* the documentation is sufficient to facilitate independent peer reviews
* the documentation describes all of the important interim and final results, insights, and important sources of uncertainties
* walkdown process and results are fully described

* Assumptions include those decisions and judgments that were made in the course of the analysis.
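The Level 1 quantification and interpretation attributes in Table 2-2 (CDF from the cut sets that survive truncation, a truncation value justified against the total so that the frequency is not significantly affected, and identification of the key contributors) are illustrated by the following Python. It is an added example, not code from this guide or from any PRA software. The initiating event frequency, the basic-event probabilities and the minimal cut sets for a single station blackout sequence are constructed for illustration; the sequence structure (loss of offsite power, both diesels lost, operator fails to recover power) is only a plausible shape, not a model of any plant.

```python
"""Cut set quantification with truncation and importance ranking.

Added example, not code from the guide. Basic-event probabilities, the
initiating-event frequency and the cut sets are constructed for illustration.
"""

# Constructed basic-event probabilities (per demand or per mission).
BASIC_EVENTS = {
    "EDG_A_FTS": 0.01,   # diesel generator A fails to start
    "EDG_B_FTS": 0.01,   # diesel generator B fails to start
    "EDG_A_FTR": 0.02,   # diesel A fails to run for the mission time
    "EDG_B_FTR": 0.02,   # diesel B fails to run for the mission time
    "EDG_A_TM": 0.005,   # diesel A unavailable for test or maintenance
    "EDG_CCF": 5e-4,     # common cause failure of both diesels
    "OP_REC": 0.1,       # operator fails to recover AC power in time
}

# Constructed loss-of-offsite-power initiator frequency, per year.
IE_FREQ = 0.05

# Constructed minimal cut sets for one station blackout sequence.
CUT_SETS = [
    frozenset({"EDG_CCF", "OP_REC"}),
    frozenset({"EDG_A_FTS", "EDG_B_FTS", "OP_REC"}),
    frozenset({"EDG_A_FTS", "EDG_B_FTR", "OP_REC"}),
    frozenset({"EDG_A_FTR", "EDG_B_FTS", "OP_REC"}),
    frozenset({"EDG_A_FTR", "EDG_B_FTR", "OP_REC"}),
    frozenset({"EDG_A_TM", "EDG_B_FTS", "OP_REC"}),
    frozenset({"EDG_A_TM", "EDG_B_FTR", "OP_REC"}),
]


def cut_set_frequency(cut_set, ie_freq=IE_FREQ, probs=BASIC_EVENTS):
    """Frequency of one cut set: initiator frequency times the product
    of its basic-event probabilities (events assumed independent)."""
    f = ie_freq
    for ev in cut_set:
        f *= probs[ev]
    return f


def quantify(cut_sets, cutoff=0.0, ie_freq=IE_FREQ, probs=BASIC_EVENTS):
    """Rare-event approximation: sum of the frequencies of the cut sets at or
    above the truncation cutoff. Returns (frequency, kept (cut_set, f) pairs)."""
    kept = [(cs, cut_set_frequency(cs, ie_freq, probs)) for cs in cut_sets]
    kept = [(cs, f) for cs, f in kept if f >= cutoff]
    return sum(f for _, f in kept), kept


def mcub(cut_sets, ie_freq=IE_FREQ, probs=BASIC_EVENTS):
    """Minimal cut set upper bound, 1 - prod(1 - q_i), which removes the
    over-counting of the rare-event sum when cut sets overlap."""
    prod = 1.0
    for cs in cut_sets:
        q = 1.0
        for ev in cs:
            q *= probs[ev]
        prod *= (1.0 - q)
    return ie_freq * (1.0 - prod)


def choose_truncation(cut_sets, start_cutoff=1e-5, tol=0.05, max_decades=10):
    """Lower the cutoff one decade at a time and stop once a further decade
    changes the quantified frequency by less than tol (relative). This is
    how a truncation value is justified against the total rather than fixed
    in advance. Returns (cutoff, frequency at that cutoff)."""
    prev, cutoff = None, start_cutoff
    for _ in range(max_decades):
        freq, _ = quantify(cut_sets, cutoff)
        if prev is not None and prev > 0.0 and (freq - prev) / freq < tol:
            return cutoff, freq
        prev, cutoff = freq, cutoff / 10.0
    raise RuntimeError("truncation did not converge")


def fussell_vesely(cut_sets, total=None):
    """Fussell-Vesely importance per basic event: fraction of the total
    frequency carried by cut sets containing that event."""
    total = total if total is not None else quantify(cut_sets)[0]
    fv = {}
    for cs in cut_sets:
        f = cut_set_frequency(cs)
        for ev in cs:
            fv[ev] = fv.get(ev, 0.0) + f / total
    return fv


if __name__ == "__main__":
    total, _ = quantify(CUT_SETS)
    print(f"untruncated sequence frequency: {total:.3e}/yr (MCUB {mcub(CUT_SETS):.3e})")
    cutoff, freq = choose_truncation(CUT_SETS)
    print(f"converged truncation cutoff {cutoff:.1e}/yr, frequency {freq:.3e}/yr")
    for ev, imp in sorted(fussell_vesely(CUT_SETS).items(), key=lambda kv: -kv[1]):
        print(f"  {ev:10s} FV = {imp:.3f}")
```

A truncation cutoff of 1.5E-6 per year would keep only two of the seven cut sets and about 58 percent of the sequence frequency, which is the kind of loss the Table 2-2 attribute warns against; choose_truncation keeps lowering the cutoff until a further decade changes nothing. The rare-event sum and the minimal cut set upper bound agree to better than 0.1 percent here because the cut set probabilities are small. The importance ranking shows the operator recovery event in every cut set (importance 1.0) and common cause failure as the largest single hardware contributor, which is the information the interpretation-of-results element asks for.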
3. TECHNICAL ACTIVITIES

This chapter provides the guidance for the analytical tasks needed to perform the technical elements of the PRA for the scope defined in Chapter 2. This scope includes:
* hazards involving reactor core accidents
* offsite population
* accidents occurring while the plant is operating at full power
* initiating events internal and external to the plant

The guides contained in this chapter address this scope for all three analytical levels. The technical elements for each analytical level are listed in Table 3-1 and their associated guides are described below. Plant familiarization and documentation are not separate elements in themselves but rather impact all of the technical elements, as noted in Table 3-1. As plant familiarization is required for all of the technical elements, it is discussed first. Documentation is discussed in Chapter 4.

Table 3-1 Technical elements of a PRA

Risk Characterization (full power, internal events: transients and loss of coolant accidents)

Level 1
* Initiating Event Analysis
* Success Criteria Analysis
* Accident Sequence Analysis
* Systems Analysis
* Parameter Estimation Analysis
* Human Reliability Analysis
* Quantification Analysis
* Interpretation of Results

Level 2
* Plant Damage State Analysis
* Accident Progression Analysis
* Source Term Analysis
* Quantification
* Interpretation of Results

Level 3
* Data Collection
* Source Term Reduction
* Consequence Calculation
* Risk Integration

Initiating Events (Other Events)

Internal Flood
* Identification Analysis
* Evaluation Analysis
* Quantification Analysis

Internal Fire
* Screening Analysis
* Fire Initiation Analysis
* Fire Damage Analysis
* Plant Response Analysis

External Events
* Screening/Bounding Analysis
* Events Analysis
* Fragility Analysis
* Level 1 Model Modification

Note: plant familiarization and documentation are not listed as separate elements; they apply to every element above.

3.1 Plant Familiarization

This section describes the Plant Familiarization task. Before the technical analysis can begin, it is imperative that the analysis team become familiar with all aspects of the plant. The quality of the information gathered in this task, and the manner in which it is managed, are critical to the success of the entire analysis effort. This information gathering process provides assurance that the possible core damage accident sequences are correctly defined and realistically describe the possible plant responses.

3.1.1 Assumptions and Limitations

This task provides the basic plant information needed to perform the analytical work. Hence, the accuracy of the information gathered is crucial. If inaccurate information is used (e.g., a plant drawing that is out of date because a pump has been removed from the system without the drawing being updated), the final results are likely to misrepresent the operational risk of the plant. It is therefore important that all information be verified, and a method for verifying plant information should be developed early in the project. Verification is particularly important for VVER reactors because the information can come from several different sources. The team leader should establish an appropriate QA process so that the information provides an accurate representation of the as-built condition and current operation of the plant. Note that this verification is also part of the overall QA program for the project. Verification is aided by well organized and planned plant visits which, in part, look at the actual plant components and layout and compare them with written descriptions and diagrams. It is also aided by the establishment of a plant information data management and retrieval system, which is described below.

The plant may not be a fixed entity. During (and after) the period of the PRA analysis, design and operational changes can occur at the plant. Many may not have a risk or safety impact; however, some of the changes could have the potential to significantly affect the final results of the analysis. At the start of the project, the team leader should decide on a configuration freeze date, i.e., the date after which plant changes will not be included in the analysis. Close communication must therefore exist between the team leader and the plant staff member responsible for scheduling plant changes. This close coordination ensures that the analysts are not dealing with a moving target in terms of plant configuration, and the potential for the analysis to be outdated before completion is reduced.

Establishing an analysis freeze date is intended to facilitate completion of the models in a timely manner. Indeed, it is likely and desirable for plant changes (hardware or procedural) to be identified during the conduct of the PRA, possibly as a result of preliminary task-analysis findings. If a commitment is made to implement these changes in a timely manner, the PRA should then incorporate them into the plant model after concurrence between the team leader and the project sponsors. It should be noted, however, that in a typical plant changes ranging from small to major occur frequently. Consideration of all of them would be a major distraction for the project team and can impact project milestones.

3.1.2 Products

The current task provides significant information to all analytical tasks of the PRA. In addition, the task will provide basic information needed for the final documentation. Specifically, the products for this task are:
* A report documenting the outcome of the plant visit is sent to the various organizations. This allows the utility personnel who have been queried to clarify any misunderstandings, and provides traceability of the information received.
* After the additional information is obtained during the plant visit, the outputs of the preliminary plant analysis task should be finalized to the extent possible before being employed in subsequent tasks of the PRA.
* The plant information gathering effort continues throughout the PRA study so that a coherent PRA model is developed that reliably reflects the plant design and operation. Requests for additional information and additional plant visits focusing on specific subjects are expected.

3.1.3 Task Activities

In the plant familiarization process, an understanding of the plant is established, providing the foundation for all subsequent technical analyses and modeling activities. This process involves several activities, summarized below and subsequently discussed in more detail. The second task, Obtain Analysis Information, involves obtaining specific information. Although this guide concentrates on the type of information needed for performing an internal event analysis, preliminary information needed for conducting internal fire, internal flood, and seismic analyses is also listed. This information comes from several sources, including the plant.
The next task involves using the data to perform a preliminary plant analysis to initiate preparation of other tasks of the PRA, followed by a plant visit (Task 4). The plant visit is scheduled to resolve questions, confirm and corroborate information already received, and obtain additional information. The process is iterative and the plant visits selective, as discussed in Task 4. More visits may be necessary for obtaining additional information found lacking as a result of the ongoing analysis or as the program matures. For example, it would be manpower intensive and cost prohibitive to conduct, during the first visit, a spatial interaction assessment of likely fire scenarios before the dominant accident sequences for internal events have been appropriately quantified and evaluated.

Task 1 - Obtain Analysis Information

Plant-Specific Information

Table 3-2 lists plant documents that should contain the information needed for conducting a Level 1 PRA. A brief description of each document and the relevant PRA information it may contain is also given in the table. Much of this information can be obtained prior to any plant visit. However, before any specific documents are requested, the project team should be made aware of all the possible plant documents that may contain the information indicated, and then selectively request those deemed most appropriate for the project. In particular, a list of piping and instrumentation diagrams should be provided to the team, and copies made available of those diagrams considered most relevant by the team.

It is essential to have a senior member of the plant staff act as a contact point for obtaining plant information from each source. This person should: (1) be familiar with the process of acquiring the types of information listed in Table 3-2, (2) provide the indices for the documents and possibly give sample documents to the PRA team at the beginning of the information gathering task, (3) be able to understand why the information is needed, and (4) continue to serve as liaison throughout the project. It is likely that several different organizations, or groups within an organization, will be asked to provide information or other support for the PRA. The idea behind requesting a "senior member" as a permanent point of contact is to facilitate and expedite the requests for information made to these different groups.

It is important to ensure that the most up-to-date information is used in the study. Before a document is requested, it should be known how often it is updated and whether portions of the document are out of date. Close communication between the PRA team leader and the designated senior plant staff member at the information source is essential for assuring that the requested plant information is up to date.

Generic Information from Similar Plants

Analyses performed for similar plants can also be very useful. They can enhance the completeness of the PRA model by providing supplemental information on the reliability of similar plant components, potential accident initiators, potential accident scenarios, and common safety issues. Three types of generic information that can be considered useful for supplementing the PRA are listed in Table 3-3. Table 3-4 lists all the tasks required for conducting an internal event analysis and cross-references each task with the needed information listed in the previous two tables.

Information Needed for Internal Fires, Internal Floods, and Seismic Events

Table 3-5 lists the plant information needed for an internal fire analysis (see Note 1). Table 3-6 lists the information needed to perform an internal flood analysis. Basically, plant-specific flood incident

Note 1: In the U.S., information relevant to Table 3-5 comes from the plant's implementation of the regulatory requirements specified in Appendix R of 10 CFR 50. The Appendix R submittal contains: the definition of fire areas, including the fire protection equipment; a safe shutdown analysis that assures that a minimum set of plant systems and components is available to shut down the plant, given a postulated fire with a concurrent loss of offsite power; and a combustible loading analysis that identifies the sources of combustibles, including transients and cables. For a fire PRA, in addition to the Appendix R submittal, plant-specific and generic fire incident data and cable location and routing drawings are needed. Table 3-5 summarizes the information needed from those plants that do not have an Appendix R submittal or its equivalent.
Table 3-2 Plant information needed to perform a Level 1 internal event PRA

Plant document: information provided
1. Final Safety Analysis Reports: general description of the plant, systems, and design basis accidents submitted to the regulatory agency
2. System Descriptions, System Manuals, Equipment Manuals (manufacturers): detailed system descriptions (possibly used in operator training), operating envelope and success criteria
3. Piping and Instrumentation Diagrams, System Flow Diagrams: schematics of systems showing piping specifications, components, instrumentation sensors, and flow paths
4. Elementary Diagrams: control diagrams for components
5. Electrical One-line Diagrams: breakers and components that are connected to different electrical buses and motor control centers, control logic
6. Equipment Layout Drawings: location of major components in different plant areas, to determine accessibility to areas of recovery and potential common cause effects
7. Emergency Procedures and other procedures that help the operators during an accident: accident scenario development, human reliability analysis, accident mitigation strategies for event tree development
8. Operating Procedures: full power, low power and shutdown activities
9. Training Procedures for Mitigating Accidents: accident scenario development, human reliability analysis
10. Test and Maintenance Procedures for Major Equipment, Surveillance Procedures: low power and shutdown activities, system availability, corrective and preventive strategies
11. Maintenance Logs: maintenance unavailability data, mean time to repair, failure frequency
12. Licensee Event Reports: incident reports that are required to be submitted to the regulatory body, initiating event source book
13. Technical Specifications and Other Regulatory Requirements: system model development, limiting conditions of system operation, allowed down times
14. Plant Incidents and Analysis Reports, Scram Reports, Operator Logs: description and analysis of incidents at the plant that may or may not be reported to the regulatory body, recurring problems
15. Piping Location and Routing Drawings: routing of piping throughout the plant
16. Analyses and Experiments Pertinent to the Determination of Mission Success Criteria: documentation of experiments and thermal hydraulic analyses that were performed to address safety or operational issues, and plant behavior in specific conditions
17. Failure Mode and Effect Analysis: detailed documentation of potential failure modes of equipment and their effect on the rest of the plant
18. Control Room Instrumentation and Control Layout Drawings: layout of individual gauges, annunciators, and control switches in the control room
19. Descriptions of Known Safety or Regulatory Issues to Be Addressed: potential failure modes and accident scenarios, level of detail of PRA model needed
Table 3-3 Generic information from plants of same/similar design
A. PRAs - Novovoronezh PRA
B. Analysis of Experienced Events - IAEA-TECDOC-749 on Generic Initiating Events for PRA for VVER Reactors
C. Component Failure Data Analysis - IAEA-TECDOC-478 on Component Reliability Data Sources in PRA
Table 3-4 Cross reference of PRA tasks and plant information needed
PRA Task | Plant-Specific Information/Documentation Needed (Items from Table 3-1) | Generic Information for Plants of Similar Design (Items from Table 3-2)
Familiarization | All | All
Sources of Radioactive Releases | 1,2,6,19 | A,B,E,F
Select Plant Operating States | 1,2,8 | A
Definition of Core Damage | 16 | A,C
Selection of Initiating Events | 1,2,7,9,12,14,17,19 | A,B,E,F
Definition of Safety Function | 1,2,7,9,14,16,19 | A,B,C,E,F
Function/System Relationship | 1,2,7,14,16,19 | A,B,E
System Requirements | 1,2,3,4,5,6,7,13,14,16,17,19 | A,B,C,E,F
Grouping of Initiating Events | 1,2,3,4,5,6,7,13,14,16,17,19 | A,B,E
Event Sequence Modeling | 1,2,6,7,9,12,14,16,19 | A,B,C,E,F
System Modeling | 1,2,3,4,5,6,7,13,14,16,17,19 | A,B,D
Human Performance Analysis | 1,2,6,7,9,12,14,16,18 | A,B,E,F
Qualitative Dependence Analysis | 1,2,3,4,5,6,7,19 | A,B,E,F
Impact of Physical Process on Logic Model | 1,2,7,9,12,14,16,17,19 | A,B,C,E,F
Plant Damage State | Information needed for preceding tasks that provide input to the task | A,C
Analysis of Initiating Event Frequency | 1,2,7,9,12,17,19 | A,B,E,F
Component Reliability and Common Cause Failure | 10,11,12,19 | A,B,D,E,F
Assessment of Human Error Probabilities | 1,2,6,7,9,12,14,16,18,19 | A,B,E,F
Accident Sequence Boolean Equations | 1,2,3,4,5,6,7,13,16,17,19 | A,E
Initial Quantification of Accident Sequences | Information needed for preceding tasks that provide input to the task | A,D
Final Quantification of Accident Sequences | Information needed for preceding tasks that provide input to the task | A,D
Uncertainty Analysis | Information needed for preceding tasks that provide input to the task | A,D
Importance and Sensitivity Analyses | Information needed for preceding tasks that provide input to the task | A,E
Table 3-5 Information needed for internal fire analysis
Fire Area Definition - Areas separated by 3-hour rated barriers
Fire Barriers - Fire doors, fire walls, cable penetrations, cable tray insulations
Loading of Combustibles and Their Physical and Combustion Properties - Cables, lubricating oil, paper, etc.
Cable Location, Separation, and Routing Drawings - Power cables and control cables
Plant-Specific and Generic Fire Incidents Reports
Fire Detection Devices - Smoke detectors, heat sensors
Fire Suppression Devices - Sprinklers, CO2, halon system, fire hydrant, fire hose, fire extinguisher, deluge system
Fire Contingency Plans - Emergency procedures in case of a fire.
Safe Shutdown Analysis - Analysis demonstrating that a fire postulated at a given location can be mitigated with the plant brought to a safe shutdown condition.
Breaker Coordination Study - Studies indicating that the sequencing of the breaker opening and closing during a postulated fire will not adversely affect the plant's ability to mitigate the fire.

Table 3-6 Information needed for internal flood analysis
Potential Sources of Floods - Storage tanks, lakes, rivers, oceans, reservoirs, their location, elevation, and volume
General Arrangement Drawings - Showing the plant site topography information and the proximity of plant structures to nearby flood sources
Potential Pathways Between the Sources of Flood and Plant Buildings - Piping, pipe tunnels, floor drains, doors, dikes, cable tunnels
Interconnections between different floors and buildings - Doors, dikes, floor drains, pipe tunnels, cable tunnels
Plant Specific Flood Incident Descriptions and Analyses
Emergency Procedures for Floods (and procedures for responses to high sump levels)

data, potential sources of flood, and pathways from the flood sources to plant equipment are needed.

Table 3-7 lists the information needed to perform a seismic event analysis. The information is needed to determine the seismic hazards at the plant site and the component fragilities. A hazard analysis provides curves that present the frequency of occurrences of seismic events for a range of ground-motion intensities. A fragility analysis provides component and structure fragilities that are used to calculate the likelihood that the component or structure will fail, given a seismic event of a certain magnitude.
Table 3-7 Information needed for seismic analysis

(a) Information for Performing Hazard Analysis

Seismicity around the region:
- Documents on historic earthquakes in a wide area surrounding the site
- Documents on recent earthquake activities around the site
- Documents/references related to the siting of the plant
- References on the seismological studies for the region (e.g., magnitude, attenuation)
- Recorded ground motions (if not available, use U.S./European records for similar grounds)

Geological and ground survey (if the site is near the ocean, include seabed survey):
- Geological maps; wide area (1/100,000 to 1/200,000), vicinity (1/1,000 to 1/5,000), and vertical geological cross-section map
- Aerial photographs (if any)
- Topological surface survey (existence of lineaments/dislocations)
- References on the seismic geostructure around the region (seismotectonics)
- Survey on the active faults around the region (e.g., fault length, dislocation speed)

Local Soil Condition (the information is also used in fragility analysis):
- Boring/pit/trench survey results
- Soil column profile
- Survey on groundwater
- Shear wave velocity data (if any)
- Laboratory/In-situ test results on rocks and soil

(b) Information for Performing Fragility Analysis

Documents on Structural Design:
- Architectural/structural drawings for buildings and components
- Engineering specifications on material, fabrication and construction
- Design codes/standards used in the plant design
- Any material test results (e.g., concrete cylinder tests, foundation bearing tests).
- Records on the structural analyses including analysis models

Information on Component/Equipment:
- Design drawing of components (e.g., support/frame/panel, electric circuit diagrams)
- Any available vibration test results
- Details of anchorage and related design code/standard
- Generic information on the seismic fragility of component/equipment
- Records on failure/repair on equipment

Other Information:
- Any structural analysis performed for the plant (e.g., seismic analysis of reactor building, integrity analysis of vessels/piping).
- Past records on the structural integrity (e.g., cracks, rusting, settlement and past repair works)
- Availability of supply systems (offsite power, water)
Task 2 - Perform Preliminary Plant Analysis

Preliminary analysis of the information gathered will verify that the necessary information is available and will identify additional information needed. The analysis also allows the information to be organized as inputs to subsequent project tasks. The following descriptions specify the output of the preliminary information analysis. It is expected that the specified information may not be readily available and significant effort may be needed to obtain the information. It is up to the team to decide how complete the information has to be before proceeding to the subsequent tasks. The gathering of this information can be considered the initiation of the remaining PRA tasks. The task leader for each of the tasks will be responsible for the preliminary analysis.

Review of Information from Similar Plants

Any generic information listed in Table 3-3 that is collected should be reviewed for applicability to the current PRA tasks. A description of the potential use of each item should be given by the task team. The items in the table may provide insights into potential unique accident scenarios or failure mechanisms. For example, a review of the Novovoronezh PRA might find that failure of the reactor coolant pump seal leading to a LOCA is an important cause of core damage and may have to be considered in the present analysis. Analysis of the issue of the vulnerability of pump seals to LOCA conditions should then be performed, taking into account plant-specific design features, to determine applicability. Once an issue is identified as applicable, how it can be modeled in the PRA should be described.

Initiating Event Analysis

The plant incidents that are potential accident initiating events should be reviewed and tabulated. For each incident, the following should be noted: the date, time, and plant condition when it occurred, its impact on plant systems, causes, sequence of events leading to its termination, and changes in plant design and operations that resulted from it. Discussions of other possible causes of similar events would also be useful.

Data Analysis

Reported failures on plant components should be tabulated, including: the cause of failure, how the failure was detected, the plant's condition, the repair time, and the effects of the failure on the plant. To quantify the failure probability, the following information is also needed: the number of times the component is used or challenged, the number of similar components at the plant, the test and maintenance strategy, and the time period of the collected data.

Systems Analysis

A listing of frontline systems that can potentially be used to mitigate the progression of probable accidents started by an initiating event, and a listing of support systems including those that provide automatic actuation signals, should be prepared. The listing should include one-paragraph summaries describing the function of each system, the number of trains in each system, the function(s) each system performs, and the system's design capacity. A top-level matrix indicating the system and support system dependency should be prepared. Information on train-level and component-level dependencies and setpoints for automatic signals should be collected as well.

Success Criteria Determination

References to existing thermal-hydraulic analyses that determine the timing of potential accidents and success criteria of the systems employed in the analysis should be compiled. This compilation will help to determine if any additional supporting thermal-hydraulic analysis is needed at this stage of the study.

Event Tree/Accident Scenario Development

Event sequence diagrams based on the relevant emergency procedures for transients, loss-of-offsite power, and LOCAs should be developed. The mitigating functions and the systems associated with the functions should be tabulated.

Human Reliability Analysis

Relevant emergency procedures should be listed. Diagrams of the detailed layout of instrumentation and controls in the control room should be obtained/prepared and diagram identifiers tabulated. A review of the equipment layout drawing of various buildings should produce simplified system drawings indicating the physical location of key components that may be needed for manual, emergency operation.

Task 3 - Plant Visit

Usually, the initial plant visit should take between three to five days. Ideally, the entire PRA team should participate in the visit. This allows all team members to become familiar with the design and operation of the plant and become acquainted with key personnel. This first visit should occur after the team has had a chance to provide a preliminary analysis of the material requested. The plant visit then provides an opportunity to confirm what the information conveys, why it is needed to perform a PRA, and to clarify any outstanding questions.
Questions and the types of pertinent information needed for the plant visit should be sent to the plant ahead of time so that the visit becomes highly focused. It would be helpful to pre-arrange for communication devices that allow for easier communication during plant walkdowns in noisy areas. To optimize the available time at the plant, an agreed-upon agenda and schedule of areas to visit should be prepared and followed. The plant visit generally consists of the following activities:

1. Discussions (2) with plant engineering and operational staff concerning:
- normal and emergency configurations of the various systems of interest,
- normal and emergency operation of the various systems during various accidents as outlined by the analysts,
- system interdependencies,
- design changes implemented at the plant,
- automatic and manual actions taken in response to various emergency conditions,
- operational problem areas identified by plant personnel that might have a potential impact on the analysis,
- subtle interactions and failures identified by the analysts (or from past studies) that might be applicable to the present study, and
- detailed discussions regarding emergency procedures, including walk-throughs of various accident scenarios.
2. Discussions with plant engineering and maintenance staff concerning:
- data (maintenance logs, licensee event reports, etc.) on specific items provided by the team leader to the data analyst, and
- implementation of test/maintenance procedures.
3. Discussions with the plant staff concerning training practices for various emergency conditions.
4. A visit to the plant simulator (if possible) where the operators perform various accident scenarios, as outlined by the analysis team.
5. A tour of the plant focusing on the systems modeled, noting such things as:
- location of equipment (e.g., elevation),
- room accessibility (with or without doors),
- type of doors (e.g., flood, fire),
- room size,
- natural ventilation conditions, and
- travel time for operators.
6. A tour of the control room, noting such things as:
- relative location of panels,
- layout of instrumentation on the panels,
- type of instrumentation on the panels,
- relative location of emergency procedures in the control room,
- type of controls for system and component actuation on the panels (e.g., buttons, switches, key-locked switches, etc.),
- type of annunciators and location on panels, and
- annunciator indication.

After the additional information is obtained during the plant visit, the outputs of the preliminary plant analysis task (as described in Activity 3) should be finalized to the extent possible before being employed in subsequent tasks in the PRA. The plant information gathering effort continues throughout the PRA study so that a coherent PRA model is developed that reliably reflects the plant design and operation. Frequent communication between the PRA team and the point of contact at the plant is expected. Requests for additional information and additional plant visits focusing on specific subjects are expected.

Examples of possible subsequent visits are the following. One visit could be a walkdown of the plant from a spatial interactions/internal plant hazards perspective; a second (and possible additional) visit(s) could focus on interacting with plant operators to help develop or validate the plant response models. Interaction with the operators to facilitate the quantification of operator actions is desirable. It is conceivable that additional effort at the site will be necessary to collect the desired plant-specific data. Each visit will have a focused goal, and, therefore, the makeup of each plant visit team will be tailored for that objective.

In practice, it is likely that formal visits are supplemented by frequent informal communication between the PRA team and the plant. A person who is very familiar with the plant operation should be appointed as the point of contact on the plant side to coordinate information requests.

(2) Discussions are documented where required. It should be noted that not all analysts participate in every discussion nor visit every plant area, e.g., control room access is usually very restricted.

3.1.4 Task Interfaces

This current task provides significant information to all of the analytical tasks of the PRA. The task provides basic information needed for the final documentation.

3.2 Level 1 Analysis

This section provides guidance for each of the analytical tasks associated with a Level 1 PRA for accidents initiated by internal events. Section 3.2.1 provides guidance for identifying initiating events internal to the plant and is closely related to Section 3.2.2, which describes accident sequence development. Section 3.2.2 includes subsections that deal with the definition of core damage states, functional analysis and system success criteria, and event sequence modeling. The systems analysis is presented in Section 3.2.3. The systems analysis discussion includes guidance on system modeling, qualitative dependency analysis, and the assessment of spatial interactions. Section 3.2.4 describes the data analysis, which includes assessments of initiating event frequencies, component reliability, and common-cause failure probabilities. The human reliability analysis is described in Section 3.2.5. Quantification, which includes initial and final quantification of the accident sequences, and sensitivity and importance analyses, is discussed in Section 3.2.6.

3.2.1 Initiating Event Analysis

The objective of this activity is to develop a complete list of initiating events grouped into categories that would facilitate further analyses.
An initiating event is an event that creates a disturbance in the plant and has the potential to lead to core damage, depending on the operation of the various safety systems as well as the response of the plant operators. The initiating event analysis is the first activity of a Level 1 probabilistic risk assessment (PRA). The initiating event analysis consists of identification and selection of events and grouping of these events.

3.2.1.1 Assumptions and Limitations

The present task classifies initiators as either internal or external. Internal initiators are plant upsets that are associated with the malfunction of plant systems or electrical distribution systems, or are a result of operator errors. External initiators originate outside the plant. They are due to hazards such as external fires and floods, seismic activity, or other environmental stresses. Floods (refer to Section 3.5) and fires (refer to Section 3.6) that occur internal to the plant are conventionally treated in PRA studies as external events; however, they are included in the internal event category in this PRA.

The initiating events used in a PRA are by no means confined to those postulated for design and licensing purposes, nor are they associated with qualitative qualifiers such as "credible" or "anticipated." Identification of initiating events also requires a new way of thinking for design engineers, operators, and regulators, i.e., one focused on the propagation of plant failures. Review of previous analyses and operational events can help develop the desired viewpoint. Departures from design, through material substitution or field modifications during construction, must be considered in the identification of initiating events.

Once the set of initiators has been finalized, any other initiators that could have been included are either presumed to contribute little to the overall risk or are considered outside the present scope of the project. For the Kalinin PRA, the only external events that are considered in the present scope are: seismic, internal fires, and internal floods.

The disposition of low frequency initiating events should be documented. For example, in some PRAs, major structural failure of the pressure vessel is not explicitly represented since it is argued to be such a low frequency event that it does not contribute significantly to the risk. In other PRAs, this event has been quantitatively considered by designating it to a specific initiator category, "excessive LOCA," to describe loss-of-coolant accidents that are beyond the capability of core re-flooding and cooling capabilities.

In general, the impact of all possible plant operating states on the physics and operational considerations leading to specific initiating events should be considered. However, under the present scope of the Kalinin PRA, the only plant operating state to be considered is full power operation.

It should also be recognized that it is not possible to fully ascertain the completeness of any list of initiators. The initial list of initiators that pertains specifically to the plant being analyzed is presumed to be as complete as possible. The PRA analysis may subsequently reveal additional initiating events, particularly as subtle interactions involving support systems are more completely understood by the PRA analysts. Accordingly, the initial grouping of initiators from this task may require modification as the PRA proceeds.
3.2.1.2 Products

The products for the identification and selection of initiating events task are:
- a list or general description of the information sources that were used in the task.
- specific information/records of events (plant specific, industry experience, generic data) used to identify the applicable initiating events.
- the initiating events considered, including both the events retained for further examination and those that were eliminated, along with the supporting rationale.
- documentation of the failure modes and effects analysis performed to identify support system initiators and the expected effects on the plant (especially on mitigating systems).
- documentation of findings of failure modes and effects analysis (or equivalent) performed on systems, structures, and components within the scope of the change but not modeled in the PRA, to assess their impact on the scope and frequency of initiators.

The products for the grouping of events task are:
- specific records of the grouping process including the success criteria for the final accident initiator groups.
- any quantitative or qualitative evaluations or assumptions that were made in identifying, screening, or grouping of the initiating events, as well as the bases for any assumptions and their impact on the final results.

3.2.1.3 Analytical Tasks

The initiating event analysis consists of two task activities:
Task 1 - Identification and selection of events
Task 2 - Grouping of events.

These activities are described below in general terms. An early reference, in which detailed guidance for performing these activities can be found, is NRC (1983). A more recent discussion can also be found in NRC (1997). In addition, it is also useful to refer to lists of initiating events used in previous PRAs. Such references are provided in Section 3.2.1.5. Prior to describing the two activities, important assumptions and limitations are provided.

Task 1 - Identification and Selection of Events

There are several ways for identifying internal initiating events, each having its strengths and limitations. Since the aim is to produce an initiating event list that is as complete as possible, it is recommended that all approaches should be followed in parallel, although one approach may be
selected as the main approach. These approaches usually complement each other, especially if they are performed together. The following lists four ways that internal initiating events can be identified:
1. Engineering evaluation
2. Reference to previous initiating event lists
3. Deductive analysis
4. Operational experience.

As described below, these four approaches complement each other, providing reasonable assurance that the list of initiating events is as complete as possible.

Engineering Evaluation

In this approach, the plant systems (operational and safety) and major components are systematically reviewed to determine whether any of the failure modes (e.g., failure to operate, spurious operation, breach, disruption, collapse) could lead directly, or in combination with other failures, to core damage. Partial failures of systems should also be considered. These types of failures are generally less severe than a complete failure, but they may be of higher frequency and are often less readily detected. Special attention should be given to common-cause initiators, such as the failure of support systems (e.g., specific electric power buses, service water, instrument or control air, or room cooling features). Postulated failures are sought that result in (or require) the plant or turbine to trip (or runback) and can cause additional systems to fail. Reviews of plant and system operating instructions and abnormal operating instructions of Western plants have been found useful for identifying subtle interactions between systems. The experience acquired in these investigations should be utilized here as well. Tables 3-8 and 3-9 give examples of how failures of support systems and "abnormal operating instructions" (AOIs) could be scrutinized and evaluated as part of an effort to identify potential initiating events.

Reference to Previous Initiating Event Lists

It is useful to refer to lists of initiating events drawn up for previous PRAs on similar plants and from the safety analysis report. This may, in fact, be the starting point. IAEA (1993a) and INEL (1985), for example, provide lists of initiators used in selected light water reactor full power PRAs. Chu et al. (1994) and PLG (1985) provide examples for pressurized water reactor shutdown PRAs. IAEA (1994) is of particular interest since it deals directly with identifying and grouping PRA initiating events for VVER reactors at full power. Table 3-10, taken from IAEA (1994), provides a list of generic initiators for VVER-1000 plants. Note that Table 3-10 lists some external initiators as well as a reasonably comprehensive list of internal initiators. IAEA (1992) and IAEA (1993b) are additional useful sources of information for review.

Deductive Analysis

In this approach, core damage is usually the top event in a "master logic diagram." To provide order to the master logic diagram, a hierarchical structure is employed. Each level of the structure is a result of events that categorize the level immediately below. The top event is, therefore, successively broken down into all possible categories of events that could cause the event to occur. Successful operation of safety systems and other preventive actions are not included. The events at the most fundamental level are then candidates for inclusion in the list of initiating events for the plant. An example of such a diagram is given in Figure 3.1 from PLG (1983). Eight hierarchical levels are depicted in the figure, with core damage at Level III. The intended use of this figure had been a bit broader than the objectives of this task.

The master logic diagram is a logic tree that identifies necessary conditions for occurrence of the top event, i.e., the top event can occur only if the lower level events occur. It is used to search for initiating events. Generally, additional events defined by an event tree must also occur before core damage is certain. (Note that the fault trees used in systems analysis are different logic models. They identify both necessary and sufficient conditions for failure of the top event, i.e., the top event is guaranteed to occur if and only if the logic of the tree is actualized.)
Table 3-8 Format for failure modes and effects analysis of key support systems
System/Subsystem - All systems or subsystems under consideration are identified; for example, the standby diesel generator fuel oil supply
Failure Mode - The faults or failure modes identified as part of the failure modes and effects analysis are described; for example, a fault leading to inadequate fuel oil to standby diesels
Effect - The impact of the faults on the plant response is described; for example, loss of standby diesel generator power source
Initiating Event Category - The initiating event categories impacted by the failures are identified
Plant Model Designator - The plant models affected by the failures are identified
Comments - Any remarks that would clarify the failure modes and their impact on the plant models should be added

Table 3-9 Format for abnormal operating instruction review summary
AOI Reviewed - All operating instructions that are evaluated should be identified
Potential Initiating Event Category - The initiating event categories affected should be identified against the corresponding AOIs
Initiating Event Category - The initiating event categories impacted by the AOIs are identified
Plant Model Designator - The plant models affected by the AOIs are identified
Comments - Any remarks that would clarify the AOIs and their impact on the plant models should be added
Table 3-10 Generic list of initiating events for VVER-1000 reactors (IAEA, 1994)

General Plant Transients:
- Trip of one of two; two of three; or two of four main coolant pumps
- Main coolant pump seizure
- Total loss of primary coolant system flow/trip of all main coolant pumps
- Feedwater flow reduction due to control malfunctions or loss of flow path
- Excess feedwater
- Inadvertent closure of main steam isolation valve
- Inadvertent closure of turbine stop valve
- Turbine control valve malfunction
- Turbine trip
- Total loss of load (1)
- Generator fault (1)
- Loss of one 6 kV bus bar
- Loss of substation switchyard or unit transformer
- Loss of intermediate cooling to main coolant pumps
- Spurious reactor trip (2)
- Reactor scram due to small disturbance (2)
- Uncontrollable withdrawal of control rod
- Uncontrollable withdrawal of control rod group
- Inadvertent boron dilution
- Control rod ejection without reactor vessel damage

Administrative Shutdowns:
- Failure of pressurizer spray
- Failure of pressurizer heaters
- Loss of one feedwater pump
- Minor miscellaneous leakage in feedwater/condensate system
- Loss of a condensate pump
- Inadvertent bypass to condenser
- Administratively caused shutdown
- Control rod/control rod group drop
- Very small LOCA and leaks requiring orderly shutdown

Loss of Secondary Heat Removal:
- Loss of both feedwater pumps
- Feedwater collector rupture
- Feedwater line rupture that can be isolated by separation of one steam generator and compensated by reserve feedwater pump
- Feedwater line rupture that can be isolated by separation of one steam generator and cannot be compensated by reserve feedwater pump
- Rupture of feedwater pump suction line
- Loss of several condensate pumps
- Loss of condenser vacuum
- Loss of circulating water

Loss-of-Offsite Power:
- Loss of grid
- Loss of all 6 kV busbars
- Failure of unit auxiliary transformer

Non-Isolatable Steam/Feedwater Line Leaks Inside Containment:
- Rupture of feedwater pump discharge line inside containment
- Steam line rupture inside containment

Non-Isolatable Steam/Feedwater Line Leaks Outside Containment:
- Rupture of feedwater pump discharge line outside containment
- Inadvertent opening of steam generator safety valve
- Inadvertent opening of atmospheric steam dump valve
- Steam line rupture outside containment between steam generator and isolating valve

Isolatable Steam Leaks:
- Rupture of main steam collector

Loss-of-Coolant Accidents (LOCAs) Inside Containment:
- Reactor pressure vessel rupture
- Large LOCA
- Medium LOCA
- Small LOCA
- Small reactor coolant system leakage
- Main coolant pump seal leakage
- Control rod ejection and LOCA
- Pressurizer power-operated relief valve leakage

LOCA Outside Containment:
- Instrumentation/sample tube rupture
- Leakage from make-up/letdown system
- Leakage from residual heat removal system
- Leakage through intermediate cooling system of main coolant pumps

Special Initiators (These need to be considered on a plant-specific basis and may lead to events already considered or a very complicated event requiring a failure modes and effects analysis.):
- Loss of noninterruptible AC power busbar
- 380 V bus failure
- Failures in essential DC system
- Failures in essential AC power system
- Loss of power to protection/control system
- Loss of service water system
- Loss of intermediate cooling to main coolant pumps
- Loss of high pressure air
- Loss of room cooling in a vital instrumentation compartment
- Loss of room cooling in a normal control system compartment
- Spurious actuation of fire suppression systems (sprinkler + CO2 + other)
- Internal flooding (including spurious actuation of sprinkler system or fire extinguisher)
- Internal fires
- Flying objects including turbine
- Hydrogen explosions in generator and gas blowdown systems

(1) May lead to loss of secondary heat sink if loss of condenser vacuum occurs.
(2) Unavailability of reactor shutdown function is 0.0 (because reactor is tripped).

Figure 3.1 Master logic diagram
This example traces and documents the thought process that results from consideration of the question "How can a significant release of radioactive material to the environment around the site occur?" This question is represented by the box on Level I of Figure 3.1. Level II represents the argument that such a release must be from either a damaged core or from another source. (This argument was valid for the plant for which the example master logic diagram was developed.)

Level III represents the argument that a significant release of radioactive material is possible only if excessive core damage occurs and the material escapes to the environment. The remainder of the diagram emphasizes potential contributors to core damage. Plant sequences that ultimately result in extensive core damage involve either insufficient cooling of the core or other uncorrected mismatches between generated power and heat removal. This argument is represented by Level IV of the master logic diagram. Level V further delineates the logic for the case of "loss of core cooling" identified in Level IV: loss of core cooling occurs only if the reactor coolant boundary fails or if there is insufficient core heat removal. Level VI presents the logic that insufficient core heat removal is the result of either direct initiators or indirect initiators. Indirect initiators are those disturbances that require additional plant failures to result in the indicated impact. Initiating event categories are articulated in Level VII; specific initiators are then listed in tables that support Level VIII.

Operational Experience

In this approach, the operational history of the plant (and of similar plants elsewhere) is reviewed for any events that are not included in the list of initiating events. This approach is not expected to reveal low-frequency events but could identify common-cause initiating events. It should also verify that the observed events can be properly represented by the initiating event categories being developed through exercise of the previous approaches. The list of initiating events should be reviewed for any inadvertent omissions and, as a further check, to remove any repetitions or overlaps.

Task 2 - Grouping of Events

Once the task of assessing the requirements of the plant systems has been completed, the identified initiating events should be grouped (or binned) in a manner that simplifies the ensuing analysis.
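The binning step of Task 2, written out as an added example (illustrative code, not part of the procedures guide): each initiator carries the mitigating systems it requires, the number of trains of each that constitute success, the systems the event itself disables, and whether it is a containment-bypass breach. Events with identical requirements and impacts fall into the same bin; a bin's success criterion is the most stringent of its members; a bounding merge of bins whose train counts differ only slightly is allowed, with the conservatism it imposes reported so that it can be weighed against the saving in analysis; bypass breaches are never merged with non-bypass events. Event names are taken from Table 3-10, but the frequencies, required systems and train counts are constructed values, not plant data.

```python
"""Grouping (binning) of initiating events by mitigation requirements.

Added example, not from the procedures guide. Event names follow
Table 3-10; frequencies, required systems and train counts are constructed
for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Initiator:
    name: str
    freq: float                              # per reactor-year (constructed)
    criteria: Tuple[Tuple[str, int], ...]    # (mitigating system, trains needed)
    disabled: FrozenSet[str] = frozenset()   # systems the event itself takes out
    bypass: bool = False                     # primary breach that bypasses containment


@dataclass
class Group:
    members: List[Initiator]
    criteria: Dict[str, int]     # bin success criteria: most stringent of the members
    disabled: FrozenSet[str]
    bypass: bool

    @property
    def freq(self) -> float:
        return sum(m.freq for m in self.members)

    @property
    def name(self) -> str:
        # A bin is labelled by its most frequent member.
        return max(self.members, key=lambda m: m.freq).name

    def extra_trains(self) -> int:
        """Conservatism introduced by binning: trains each member must now
        deliver beyond what it needs on its own, summed over the members."""
        return sum(self.criteria[s] - dict(m.criteria)[s]
                   for m in self.members for s in self.criteria)


def _compatible(a: Group, b: Group, max_extra: int) -> bool:
    """A bounding merge is allowed only when impacts and bypass status match,
    the same systems are required, and no train count differs by more than
    max_extra ("slightly different" success criteria)."""
    if a.disabled != b.disabled or a.bypass != b.bypass:
        return False
    if set(a.criteria) != set(b.criteria):
        return False
    return all(abs(a.criteria[s] - b.criteria[s]) <= max_extra for s in a.criteria)


def bin_initiators(events: List[Initiator], max_extra: int = 0) -> List[Group]:
    # Pass 1: exact bins, i.e. identical success criteria and identical impacts.
    exact: Dict[tuple, Group] = {}
    for ev in events:
        key = (frozenset(ev.criteria), ev.disabled, ev.bypass)
        g = exact.setdefault(key, Group([], dict(ev.criteria), ev.disabled, ev.bypass))
        g.members.append(ev)
    # Pass 2: bounding merges. Bins are visited most frequent first, so a
    # low-frequency initiator is folded into a higher-frequency bin (and its
    # stricter criteria applied to the whole bin) rather than dropped.
    merged: List[Group] = []
    for g in sorted(exact.values(), key=lambda x: x.freq, reverse=True):
        for m in merged:
            if _compatible(m, g, max_extra):
                m.criteria = {s: max(m.criteria[s], g.criteria[s]) for s in m.criteria}
                m.members.extend(g.members)
                break
        else:
            merged.append(g)
    return merged


# Constructed sample: names from Table 3-10, numbers invented for illustration.
LOOP = frozenset({"MFW", "Condenser"})
SAMPLE = [
    Initiator("Turbine trip", 1.0, (("EFW", 1),)),
    Initiator("Spurious reactor trip", 0.8, (("EFW", 1),)),
    Initiator("Loss of grid", 5e-2, (("EFW", 1), ("EDG", 1)), LOOP),
    Initiator("Loss of all 6 kV busbars", 1e-2, (("EFW", 1), ("EDG", 1)), LOOP),
    Initiator("Failure of unit auxiliary transformer", 2e-2, (("EFW", 1), ("EDG", 1)), LOOP),
    Initiator("Loss of both feedwater pumps", 1e-1, (("EFW", 1),), frozenset({"MFW"})),
    Initiator("Feedwater collector rupture", 1e-3, (("EFW", 2),), frozenset({"MFW"})),
    Initiator("Medium LOCA", 1e-3, (("HPI", 1), ("LPI", 1))),
    Initiator("Small LOCA", 1e-2, (("HPI", 1), ("EFW", 1))),
    Initiator("Instrumentation/sample tube rupture", 1e-4, (("HPI", 1), ("EFW", 1)), bypass=True),
]

if __name__ == "__main__":
    for g in bin_initiators(SAMPLE, max_extra=1):
        print(f"{g.name:40s} f={g.freq:.3e}/yr  criteria={g.criteria}  "
              f"bypass={g.bypass}  extra trains={g.extra_trains()}  "
              f"members={[m.name for m in g.members]}")
```

With `max_extra=0` the sample falls into seven exact bins; with `max_extra=1` the feedwater collector rupture is folded into the loss-of-both-feedwater-pumps bin, which then carries the two-train criterion and reports one extra train of conservatism imposed on its 0.1/yr member. The instrumentation tube rupture keeps its own bin despite sharing criteria with the small LOCA, because it bypasses the containment.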
Each initiating event group should be composed of events that essentially impose the same success criteria on plant systems. Similarly, special conditions, such as, for example, similar challenges to the operator, similar automatic plant responses, and equipment functionality, should also be factored into this grouping process. In the process of grouping, it will become clear that some categories of initiating events will need to be subdivided further. Dividing LOCAs by break size (and perhaps location) is a well known example, but other cases should be expected. Some examples are: steam-line break by size, loss of flow by number of failed pumps, and spurious control rod withdrawal by number of rods or rate of reactivity addition. The subsequent analysis needed may be reduced by grouping together initiating events that evoke the same type of plant response but for which the front-line system success criteria are not identical. The success criteria applied to this group of events should then be the most restrictive for any member of the group. The saving in effort required for analysis must be weighed against the conservatism that this grouping introduces. The following criteria should be used when grouping initiating events:

- Initiating events resulting in the same accident progression (i.e., requiring the same systems and operating actions for mitigation) can be grouped together. The success criteria for each system required for mitigation (e.g., the required number of pump trains) are the same for all initiators grouped together. In addition, all grouped initiators should have the same impact on the operation and performance of each mitigating system and the operator. Consideration can also be given to those accident progression attributes that could influence the subsequent Level 2 analysis (Section 3.3).
- In conformance with the criteria above, LOCAs can be grouped according to the size and location of the primary system breach. However, primary breaches that bypass the containment should be treated separately.
- Initiating events can be grouped with other initiating events with slightly different accident progression and success criteria if it can be shown that such treatment bounds the real core damage frequency and consequences that would result from the initiator.

To avoid a distorted assessment of risk and to obtain valid insights, grouping of initiators with significantly different success criteria should be avoided. The grouping of initiators necessitates that the success criteria for the grouped initiators be the most stringent success criteria of all the individual events in the group. Note that in a sound baseline PRA, low-frequency initiators are grouped with other, relatively high-frequency initiators rather than excluded from further analysis.

3.2.1.4 Task Interfaces

This task has extensive interactions with the following other PRA tasks:

Plant Familiarization. In this task, plant systems and major components (including operating instructions) are reviewed to determine whether any of the failure modes could lead directly to core damage. Special attention is given to identifying common-cause initiators.

PRA Scope. Work beyond the full power operating state is not currently in the scope for the Kalinin PRA. For studies that consider additional states, new initiating events may need to be considered.

Accident Sequence Development. The accident initiators provide the starting point for the accident sequence development, and the dependencies between initiators and system response are crucial to sequence development and quantification.

Systems Analysis. In this task, support system failures which can cause initiating events are identified. The initiating events task also provides important information to the systems analysis task as to how system performance is impacted by a particular initiator.

Data Analysis. This task provides the information needed for the quantification of the initiating event frequencies.

Human Reliability Analysis (HRA). The HRA could influence or modify the identification and selection of initiating events. More importantly, the HRA will influence the grouping of initiating events.

Fire Analysis. Fires can induce multiple internal initiating events and affect multiple systems helpful for recovery; therefore, revisions to the event tree structures and definitions of top events may be required.

Flood Analysis. Floods can induce multiple internal initiating events and affect multiple systems helpful for recovery; therefore, revisions to the event tree structures and definitions of top events may be required.

Seismic Analysis. Earthquakes can cause simultaneous failures in structures and equipment needed to prevent core damage. These common-cause failures can require significant revisions or additions to internal event PRA models.

3.2.1.5 References

Chu, T.-L., et al., Evaluation of Potential Severe Accidents During Low Power and Shutdown at Surry, Unit 1, NUREG/CR-6144, Brookhaven National Laboratory, June 1994.
IAEA, Generic Initiating Events for PSA for VVER Reactors, IAEA-TECDOC-749, International Atomic Energy Agency, June 1994.
IAEA, Defining Initiating Events for Purpose of Probabilistic Safety Assessment, IAEA-TECDOC-719, International Atomic Energy Agency, September 1993a.
IAEA, Proceedings of the Workshop Organized by the IAEA and held in Moscow, 1-5 February 1993, Working Material, IAEA-RER/9/005-2/93, International Atomic Energy Agency, February 1993b.
IAEA, Report of a Workshop Organized by the IAEA and held in Řež, Czechoslovakia, 3-7 February 1992, Working Material, IAEA-J4-005/1, International Atomic Energy Agency, February 1992.
INEL, Development of Transient Initiating Event Frequencies for Use in Probabilistic Risk Assessments, NUREG/CR-3862, Idaho National Engineering Laboratory, May 1985.
NRC, The Use of PRA in Risk-Informed Applications, NUREG-1602, Draft for Comment, June 1997.
NRC, PRA Procedure Guides: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, NUREG/CR-2300, Volumes 1 and 2, 1983.
PLG, Zion Nuclear Plant Residual Heat Removal PRA, prepared for Nuclear Safety Analysis Center of the Electric Power Research Institute, NSAC-84, PLG, Inc., July 1985.
PLG, Diablo Canyon Probabilistic Risk Assessment, PLG-0637, prepared for Pacific Gas and Electric Company, PLG, Inc., January 1983.

3.2.2 Accident Sequence Development

Accident sequence development consists of three interrelated tasks, namely, core damage definition, functional analysis and system success criteria, and event sequence modeling. The first of these tasks defines the plant conditions that correspond to core damage in a manner that allows sequence and system success criteria to be unambiguously defined. The objective of the second task is to identify the success criteria for plant systems and components. The objective of the task on event sequence modeling is to determine the range of possible plant and operator responses to a wide variety of upset conditions and to develop event trees for all initiating event categories that are defined in the task Initiating Event Analysis.

3.2.2.1 Assumptions and Limitations

The delineation of the accident sequence ends with the determination of the status of the core as safe or damaged. The core is defined to be in a safe condition when the consequences of the radionuclide releases from the damaged fuel would be negligible. Realistically, core damage occurs when the allowable peak fuel cladding temperature is reached; however, using this definition involves detailed analyses beyond the scope of many studies, so a more conservative definition is often employed. For the Boiling Water Reactors (BWRs) in NUREG-1150, core damage is assumed to occur when the reactor water level is less than two feet above the bottom of the active fuel.
Because Pressurized Water Reactors (PWRs) are not designed to allow steam cooling, core damage is assumed to occur at the time at which the top of the active fuel is uncovered. As knowledge of accident progression in the core evolves, less conservative assumptions concerning core damage may be used.

Plant system components modeled in a PRA are assumed to be fully operational or non-operational. Differentiation is not made between full and partial operation of a component. Therefore, PRA methodology does not usually take into account degraded (e.g., valve partially open) or enhanced performance of a system component (e.g., pump operating near runout conditions), only operation at nominal performance or inoperable.

The front-line systems used as event tree headings include only those systems present in the plant emergency operating procedures for responding to the initiating events defined for the analysis.

The Anticipated Transient Without Scram (ATWS) accident sequences for the BWRs are not always fully delineated. ATWS sequences in which the functions reactor subcriticality, Reactor Coolant System (RCS) overpressure protection and inventory control, and core heat removal are successful are assumed to be mitigated. Even if failure of the containment overpressure protection function occurs in an ATWS sequence following success of the other functions, the sequence frequency is often below the risk-significant cut-off value, and thus the sequence would be screened from the analysis.

ATWS sequences for PWRs are treated similarly to those for BWRs. As with the BWRs, low sequence probabilities for ATWS scenarios prior to the need for containment overpressure protection would produce non-dominant sequences even if failure of containment overpressure protection was considered.

3.2.2.2 Products

The products for the core damage definition task are:
- a definition of the plant conditions that correspond to core damage, and
- a definition of those plant conditions that represent successful termination of the accident scenarios.

The products for the functional analysis and system success criteria task are:
- a definition of the safety functions to be modeled as top events in the event sequence analysis and the systems that provide those functions,
- a definition of the equipment for which success criteria will be required, existing analyses that could be used to set specific criteria, and new analyses that may be required,
- a definition of new supporting analyses for initial success criteria selection, and
- a definition of the success criteria resulting from the initial modeling effort.

The products of the event sequence modeling task are:
- a set of event sequence diagrams (ESDs) that document the range of possible plant and operator response to a range of upset conditions, and
- a complete set of event trees to quantify all initiating events. This product must include complete definitions of top events to support system analysis and HRA. Each event tree must be developed from the relevant ESD, showing which ESD elements are combined into single event tree top events and justifying the event tree model as an abstraction of the ESD based on characteristics of the initiating event and approximations well supported by probabilistic and engineering argument.

3.2.2.3 Task Activities

Accident sequence development consists of three interrelated tasks:
Task 1 - Core damage definition,
Task 2 - Functional analysis and system success criteria, and
Task 3 - Event sequence modeling.

The first of these tasks defines the plant conditions that correspond to core damage in a manner that allows sequence and system success criteria to be unambiguously defined. The objective of the second task is to identify the success criteria for plant systems and components.
The objective of the task on event sequence modeling is to determine the range of possible plant and operator responses to a wide variety of upset conditions and to develop event trees for all initiating event categories that are defined in the task Initiating Event Analysis.

Task 1 - Core Damage Definition

The objectives of this task are: (1) to define the plant conditions that correspond to core damage in a manner that allows sequence and system success criteria to be unambiguously defined and (2) to specify clearly the plant conditions that represent successful termination of postulated scenarios.

To meet the objectives of this task, it must be understood that the physical characteristic of the core that defines core damage has a strong influence on the magnitude of the core damage frequency determined by the risk model (refer to Task 2 - Functional Analysis and System Success Criteria). Excessively conservative definitions of core damage will yield higher assessed core damage frequencies and, more importantly, will likely distort the perception of the importance of the individual contributors to risk. Risk models that do not fully account for the robustness in the plant design also can contribute to higher damage frequencies.

A similar concern exists with specifying the conditions for successful termination of an accident scenario. Using overly conservative criteria (e.g., requiring all scenarios initiated at full power to proceed to cold shutdown for successful accident termination) could strongly influence the model structure and complicate the modeling requirements with little or no added understanding of the factors contributing to the risk.

Likely sources of conservatism are the analytical tools (available analyses and computer codes) used in the determination of the outcome of postulated accident scenarios. The definition of core damage must be consistent with the available analytical tools.

If conservatism built into the definition, criteria, plant models, and analyses is suspected to strongly influence the end result of an accident analysis calculation, then the result should be refined. This should be done selectively using more realistic models, but only after the relative importance of all the accident sequences has been initially assessed. It would then be possible to judge the importance of resolving whether a particular sequence of events could or could not lead to core damage, as initially predicted. This iterative nature of reevaluating the results brings with it a caution: sequence-specific refinement is not performed on sequences that are not important and, therefore, information from unimportant sequences must be used with caution. However, it does make use of time and resources more effectively by consistently focusing on the more important accident scenarios.

The safety philosophy embedded in the reactor design, particularly with respect to design basis accidents, must be reflected in the definitions of "core damage" as well as "success." Impacts of design basis accidents on the public near the site boundaries, and on the operators and engineers within the site boundaries, need to be considered if the successful termination of such accidents has the potential to impact the plant personnel.

A Level 1 PRA usually entails identifying scenarios that lead to severe core damage and determining the corresponding accident scenario frequencies. The most important definition that must be made in this task is that of core damage. There are several possible degrees of core damage, the severity depending on the extent of core damage and on the magnitude of the resulting releases of radioactive material from the core. One definition of core damage is uncovery and heatup of the reactor core to the point where prolonged clad oxidation and severe fuel damage are anticipated. Releases of radioactive material in scenarios that do not involve core damage could also be of concern if these releases are sufficient to trigger emergency responses offsite. Minor radioactive releases may be from in-core sources or from radionuclides resident in the primary coolant circuit. However, for the Kalinin PRA, core damage will define the scope of the study. The undesired end result of the Level 1 scenarios will then be referred to as core damage in the procedures that follow.

The specification of the conditions assumed to represent core damage must be consistent with the VVER design features as well as with the capabilities of the analysis tools. For the Kalinin PRA, definition of core damage based on a maximum allowable fuel temperature is recommended. Other conditions that have been used are based on phenomena such as UO2 temperature limits, the triple point of the coolant, and the Zr-water autocatalytic temperature. For light water reactors, core damage has been defined as occurring when any one of the following conditions is met:
- Core maximum fuel temperature approaching 2200°F (1204°C)
- Core exit thermocouple reading exceeding 1200°F (649°C)
- Core peak nodal temperature exceeding 1800°F (982°C)
- Liquid level below the top of the active fuel.
Describing the conditions that characterize the core damage sequences is also necessary for the PRA. Experience has proven that if a Level 2 analysis is being contemplated, then it would be prudent to consider the interface between the Level 1 and Level 2 analyses while the Level 1 models are being developed. Typically, this interface is expressed in terms of plant damage states. Even if a Level 2 analysis is not performed, characterization of the damage states will provide significant insights into the nature of the Level 1 scenarios (e.g., which ones will involve successful containment isolation with containment heat removal available).

Each end state of the plant model event trees defines an accident sequence that results from an initiating event followed by the success or failure of various plant systems and/or operators responding to the accident. Each accident sequence has a unique "signature" due to the particular combination of system/operator successes and failures. Each accident sequence that results in core damage should be evaluated explicitly in terms of accident progression and the release of radioactive materials. However, since there can be many such sequences, it may be impractical to evaluate each one, since this would entail performing thermal-hydraulic analyses and containment event tree split fraction quantification for each accident sequence. Therefore, for practical reasons, the Level 1 sequences are usually grouped into plant damage states or accident class bins. Each bin contains those sequences in which the following features are expected to be similar: the progression of core damage, the release of fission products from the fuel, the status of the containment and containment systems, and the potential for mitigating source terms. Plant damage state bins are used as the entry states (similar to initiating events for the plant model event trees) to the containment event trees, as described in Section 3.3.

Task 2 - Functional Analysis and System Success Criteria

Development of the success criteria involves investigations into the detailed timing of event sequences. These investigations utilize engineering analyses to calculate the time progression of plant parameters and human reliability analyses to help quantify operator response. Realistic engineering models can examine many possible scenarios of sequence starting conditions and equipment operability. As a result of developing such detailed information, it becomes possible to define more realistic equipment success criteria and to reduce the uncertainty in the time available to avoid damage.

The objectives of this task must be conditioned by the conflicting goals of realism and cost. Although the success criteria of systems/components should be as realistic as possible, the effort needed to develop these criteria should be consistent with the risk importance of the particular system function. A PRA is a large-scale scientific and engineering analysis performed for many purposes. The level of effort dedicated to any particular task must be balanced by its value. Perhaps no task in the PRA requires more balancing of costs and benefits than the skillful selection of realistic success criteria.
Success criteria should specify the minimum equipment needed for successfully mitigating the progression of a postulated accident. Success criteria also help to determine the effects of degraded system performance as well as to define the time available for recovery for each alternative success path potentially available to the operators.

Defining realistic success criteria requires supporting analyses. The cost of neutronic and thermal-hydraulic analyses to support maximum realism in a PRA can be prohibitive. The cost of bounding analyses for traditional design basis analysis is substantial as well. If all possible variations in conditions that are modeled in the PRA were calculated, not in a bounding way but realistically, an enormous number of calculations would be required.

One must, therefore, begin with a preliminary judgment of importance, then use as realistic as possible evaluations for the issues of high importance. For items of lesser importance, conservative success criteria must be selected for each possible modeled condition. Note that realistic means more than best estimate. Best-estimate calculations evaluate the most likely conditions. Realistic calculations must be a set of results for each set of conditions, weighted by the probability of that set representing the actual conditions. Frequently, the most risk-significant results are obtained from unlikely but troublesome conditions.

Defining the success criteria must be an iterative process, starting with best judgments based on experience, knowledge of existing plant calculations, and knowledge of the plant PRA model and its effects on calculational difficulties. It progresses stepwise as systems analyses are completed, event trees are constructed and evaluated, and preliminary results are developed. How this task has been performed is not well documented in existing literature, perhaps because judgment plays a central role.

Selection of the final success criteria, which progresses by trial and confirmatory analysis, must be driven by the goals of the PRA. The criteria should be set to ensure that (1) the likelihood that the risk is higher than calculated as a result of errors in the success criteria is relatively small and (2) the leading risk contributors have a high probability of reflecting the true contributors, rather than being artifacts of arbitrarily pessimistic success criteria. In that way, the goals of the PRA can be achieved. The PRA becomes the foundation for the construction of a coherent safety basis for the plant. Such a basis permits rational evaluation of a wide range of issues by both regulators and plant staff.

This task is broken down into three separate activities:
1. Determination of safety functions,
2. Assessment of function/system relationships, and
3. Assessment of success criteria.

The first two activities are straightforward, with clearly defined products (IAEA, 1992). The third involves substantial iterative work with other tasks to optimize the value of the PRA while controlling costs. Work in this activity is often defined by requests from other PRA tasks.
These activities are described below in general terms. More detailed guidance is provided in the references listed at the end of this chapter. [In particular, refer to Drouin (1987), NRC (1997), and NRC (1983).] Selection of success criteria is a continually evolving element in the PRA process (Bley, Buttemer, and Stetkar, 1988).

Activity 1 - Determination of Safety Functions

Safety functions are any physical functions that can influence the progression of a postulated accident sequence by preventing or mitigating core damage or the release of radionuclides following core damage. The Reactor Safety Study (Rasmussen et al., 1975) introduced high-level safety functions: reactor subcriticality, core heat removal, reactor coolant system integrity, containment cooling, and fission product removal. In order to model safety functions in the event tree/fault tree PRA model, it is necessary to relate them to plant systems. The appropriate plant systems become the top events in the event trees. Note that some systems can provide multiple safety functions and that some functions can be supplied by multiple systems.

An example from a recent pressurized water reactor (PWR) PRA in the U.S. will illustrate the process. In Table 3-11, the high-level safety functions of the Reactor Safety Study are related to more detailed functions and finally to specific plant systems. In addition to the frontline systems listed in the table, a variety of support systems are required. The link to these systems is provided by the support-to-frontline system dependency matrix. Finally, the specific plant systems modeled in the PRA will depend on the specific initiating event, the mode of operation prior to the initiating event, the time in that mode, and the reliability of each system to provide the function.

For each of the initiating events identified in the task Initiating Event Analysis (Section 3.2.1), the safety functions that will be challenged or can be used to mitigate the initiating event should be identified during this activity. These will be the safety functions that will be modeled in the event tree analysis. The applicable piping and instrumentation diagrams, system descriptions, procedures (i.e., emergency, abnormal, and operating procedures or instructions), and design analyses should be identified and reviewed to ensure that the safety functions are correctly identified. The list of specific operating modes of Kalinin Nuclear Power Station systems that can provide these safety functions will be the product of this task.

Activity 2 - Assessment of Function/System Relationship

The frontline systems provide the basis for this activity. All the support systems that are required for successful operation of each frontline system and its components are identified. A frontline system dependency matrix is prepared (as introduced in the task on Plant Familiarization, Section 3.1) which shows (train by train) the impact of support system failures on system operation. Next, a support system dependency matrix is prepared that shows (train by train) the impact of other support system failures on each support system train. Although this activity is performed during the plant visit described in Section 3.1, it is functionally part of this task. The detail and structure of the dependency matrices depend on the specific train-by-train design of the plant under investigation. The precise structure required for the Kalinin Nuclear Power Station will not be known until the detailed Plant Familiarization is carried out.

The dependency matrices form the underlying basis for the plant model. They describe the physical interrelationships among systems that are crucial to proper modeling and are often among the key factors in risk results. This is a relatively straightforward activity, and adequate guidance is provided in NRC (1997) and Drouin (1987). To an experienced analyst, the dependency matrices provide the first indication of the plant risk. Interpretation of these relationships is an important activity and provides the basis for many judgments that establish the success criteria.
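The two dependency matrices of Activity 2, as an added example that is not part of the procedures guide: a support-to-support matrix and a support-to-frontline matrix, train by train, with a fixed-point propagation that follows a set of support failures through both matrices and then tests each frontline system against its success criterion. The train names, dependencies and success criteria are constructed for a generic two-train plant with a turbine-driven emergency feedwater pump; they are not Kalinin data. The last function enumerates the minimal combinations of support-train failures that defeat a safety function, which is the "first indication of the plant risk" an analyst reads off the matrices, and it is the kind of check that catches a single shared support (here a constructed instrument-air header) behind two otherwise redundant trains.

```python
"""Train-by-train dependency matrices and support-failure propagation.

Added example, not from the procedures guide. System names, dependencies
and success criteria are constructed for a generic two-train plant; they are
not Kalinin data.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# A train's dependency is a list of requirements; each requirement is a set
# of alternatives, any one of which suffices (an AND of ORs).
Deps = Dict[str, List[FrozenSet[str]]]


def need(*alternatives: str) -> FrozenSet[str]:
    return frozenset(alternatives)


# Support-to-support dependency matrix (constructed).
SUPPORT_DEPS: Deps = {
    "DC-A": [], "DC-B": [],                          # batteries: no short-term dependency
    "AC-A": [need("DC-A")], "AC-B": [need("DC-B")],  # emergency buses need DC control power
    "SW-A": [need("AC-A")], "SW-B": [need("AC-B")],  # service water pumps
    "CCW-A": [need("AC-A"), need("SW-A")],           # intermediate cooling, train A
    "CCW-B": [need("AC-B"), need("SW-B")],
    "IA": [need("AC-A", "AC-B")],                    # one instrument-air header, fed from either bus
}

# Support-to-frontline dependency matrix (constructed).
FRONTLINE_DEPS: Deps = {
    "EFW-A": [need("AC-A"), need("DC-A")],
    "EFW-B": [need("AC-B"), need("DC-B")],
    "EFW-T": [need("DC-A", "DC-B")],                 # turbine-driven pump, controls from either DC bus
    "HPI-A": [need("AC-A"), need("DC-A"), need("CCW-A")],
    "HPI-B": [need("AC-B"), need("DC-B"), need("CCW-B")],
    "LPI-A": [need("AC-A"), need("CCW-A"), need("IA")],
    "LPI-B": [need("AC-B"), need("CCW-B"), need("IA")],
}

# Success criteria: trains of each frontline system needed (constructed).
SUCCESS = {"EFW": 1, "HPI": 1, "LPI": 1}


def system_of(train: str) -> str:
    return train.rsplit("-", 1)[0]


def propagate(initial: Iterable[str], deps: Deps) -> Set[str]:
    """Fixed-point propagation: a train fails once every alternative of any
    one of its requirements has failed. Iterating to a fixed point would also
    cope with loops in the matrices (e.g. DC chargers fed from AC)."""
    failed = set(initial)
    changed = True
    while changed:
        changed = False
        for train, reqs in deps.items():
            if train not in failed and any(alts <= failed for alts in reqs):
                failed.add(train)
                changed = True
    return failed


def evaluate(initial_failed: Iterable[str]) -> Dict[str, Tuple[int, int]]:
    """{frontline system: (trains available, trains needed)} after the given
    support failures have been propagated through both matrices."""
    failed = propagate(initial_failed, {**SUPPORT_DEPS, **FRONTLINE_DEPS})
    status = {}
    for system, needed in SUCCESS.items():
        trains = [t for t in FRONTLINE_DEPS if system_of(t) == system]
        status[system] = (sum(t not in failed for t in trains), needed)
    return status


def lost_functions(initial_failed: Iterable[str]) -> List[str]:
    return sorted(s for s, (avail, needed) in evaluate(initial_failed).items()
                  if avail < needed)


def minimal_defeating_sets(max_size: int) -> Dict[FrozenSet[str], List[str]]:
    """Minimal combinations of up to max_size support-train failures that
    defeat at least one safety function. Size-1 entries are the single-point
    dependencies an analyst looks for first in the matrices."""
    found: Dict[FrozenSet[str], List[str]] = {}
    for n in range(1, max_size + 1):
        for combo in combinations(sorted(SUPPORT_DEPS), n):
            cut = frozenset(combo)
            if any(prev <= cut for prev in found):   # superset of a smaller cut set
                continue
            lost = lost_functions(cut)
            if lost:
                found[cut] = lost
    return found


if __name__ == "__main__":
    print("DC-A alone:", evaluate(["DC-A"]))
    for cut, lost in sorted(minimal_defeating_sets(2).items(),
                            key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        print(sorted(cut), "->", lost)
```

In the constructed plant, losing one DC bus takes out one train of everything on that side but defeats no function; the single shared instrument-air header is the only single-point support, and every cross-train pair (any A-side support with any B-side support) defeats both injection systems because intermediate cooling on each side sits downstream of that side's power and service water. Only the loss of both DC buses also defeats emergency feedwater, since the turbine-driven pump survives with either bus.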
Table 3-11 Safety functions identified in a recent PWR PRA
(High-level safety function, lower-level safety function, and the plant systems providing it)

Reactor subcriticality
- Rod control system
- Passive: moderator density for large loss-of-coolant accidents (LOCAs)

Core heat removal
  Primary system flow and mixing
  - Reactor coolant pumps
  Primary system bleed and feed
  - Charging system
  - Pressure relief system
  Secondary heat removal
  - Main steam system (steam dumps, atmospheric steam dumps)
  - Auxiliary feed system
  - Main condensate system
  - Main feed system
  - Service water system
  Long-term shutdown cooling
  - Residual heat removal system
  - Main condensate
  - Main condenser

Reactor coolant system integrity
  Leak prevention/isolation
  - Reactor coolant loop
  - Pressure relief system, including block valves
  - Reactor coolant pump seals
  Primary system depressurization
  - Pressure relief system
  - Main steam system (steam dumps, atmospheric steam dumps)
  - Auxiliary feed system
  - Main condensate system
  - Main feed system
  - Service water system
  Primary system makeup
  - Charging system
  - High-pressure injection system
  - Low-pressure injection system

Containment cooling
- Containment spray
- Containment fan coolers
- Passive: containment heat sinks

Containment fission product removal
- Containment spray
- Passive: steam generators, if melt is due to steam generator tube rupture
Activity 3 - Assessment of Success Criteria

The success criteria are among the most important information needed in developing the scenarios in the event trees. The success criteria for the frontline systems and the timing of accident scenarios are determined in this activity. The success criteria specify the minimum equipment needed, determine the effects of degraded system performance, and define the time available for recovery for each alternative success path available to the operators.

In general, the success criterion for a system changes with the initiating events and the preceding events in the event trees. Therefore, this task must be done in parallel with the event tree development task, and a systematic assessment will ensure that the success criteria have adequate bases. The assessment should account for the definition of core damage, decay heat, and the mission time. If the plant systems can prevent core damage from occurring during the mission time, then the accident sequence is considered successfully terminated. In many cases, calculations required for this Activity 3 actually establish the mission time.

The determination of success criteria must be based on tests, thermal-hydraulic analyses, other mechanistic analyses, and documented expert knowledge (Bley, Kaplan, and Johnson, 1992). In the U.S., the design-basis accident analyses form a useful source of existing calculations. Credible accidents are defined as single events (e.g., double-ended pipe ruptures, pump trip, pump seizure, etc.) followed by the most severe single active failure. The most severe of these (i.e., the one with the minimum margin to core damage) is the design-basis accident. In these calculations, the most pessimistic assumptions on plant parameters are made to bound the consequences of these accidents. Other analyses of the same or similar plants identified and collected in the task Plant Familiarization are also considered. Emergency procedures and other relevant procedures also provide information relevant to the success criteria. Because of their ready availability, these calculations can be used as first approximations for establishing success criteria. At this stage, the criteria are generally conservative.

The preexisting information will not be adequate to determine the success criteria and timing of all possible scenarios. Under the more severe conditions that occur in some PRA sequences (e.g., those with multiple failures), care must be taken to ensure that success criteria are still conservative. Otherwise, additional engineering analyses may be required. The PRA team evaluates where such criteria may be so pessimistic that they will adversely affect the PRA results, and the team performs analysis to improve those success criteria. The team must also look for special conditions when the existing calculations are no longer conservative with respect to the considerations of the PRA model. In such cases, revised success criteria are mandatory.

The product of this task will include the success criteria for all frontline and support systems under all initiating event categories and the accident timing information that is an input to the human reliability analysis. This task also interfaces with the task Initiating Events. The backup documentation (see Chapter 4) should include the details of supporting thermal-hydraulic analysis done specifically for the PRA.

The first product of this task will be developed following the initial site visit and will be based upon the safety functions defined in Activity 1. Analysts will identify equipment for which success criteria will be required. They will identify existing analyses that could be used to set specific criteria and examine the potential problems in basing success criteria on these analyses. Bley, Buttemer, and Stetkar (1988) and Harrington and Ott (1983) provide a variety of examples to illustrate the kinds of analyses that are often performed to support PRAs. The examples suggest areas where new calculations could enhance the PRA. These results will form the basis for discussions during the second site visit, which will bring the full expertise of the PRA team to bear on success criteria decisions.

Examples of calculational issues in support of success criteria definitions that have proved important in earlier PWR PRAs are provided below:

1. Room heatup with no cooling;
2. Time until steam generator dryout following loss of feedwater;
3. Time until local accumulators would be exhausted following loss of instrument air for main steam isolation valves, steam generator relief valves, pressurizer power operated relief valves, etc.;
4. Capability of various pumps to survive functionally with no cooling water, e.g., would the lube oil temperature stabilize at a safe temperature, would directing portable air blowers on the lube oil cooler help, perhaps if covered with wet rags;
5. Possibility of pressurizer relief valves lifting following a variety of transients, accounting for realistic modeling of pressurizer steam space compression;
6. Time until the feedwater storage tank is empty following a reactor trip under a variety of specific conditions, e.g., feedwater fails immediately and condenser steam dumps fail closed followed by uncontrolled automatic auxiliary feedwater flow; a similar case but operators control auxiliary feedwater flow, maintaining hot standby conditions; a similar case but operators follow the normal cooldown rate to cold conditions (i.e., when do they reach the switchover temperature for residual heat removal cooling); etc.;
7. Bleed and feed behavior under a wide variety of equipment conditions and operator actions, focusing on minimum equipment required and cases in which bleed and feed cooling may not work if not initiated in time;
8. Minimum success criteria for injection pumps following a variety of LOCAs; and
9. Pressurized thermal shock calculations under a variety of conditions.

This list is only a sampling of analyses that have been performed to support PRAs. In the following section, examples of hand calculations, simple computer solutions, and the use of elaborate thermal-hydraulic codes are discussed. The required analyses vary on a plant-by-plant basis depending on the availability of existing calculations, specific vulnerabilities at each plant, the availability of alternative ways to satisfy safety functions, and the tolerable level of conservatism in the final results. The major responsibility of the analysts in this task is to respond to the requests for information generated in the other project tasks, subject to the concurrence of the project manager. The amount of supporting analysis is always a trade-off between technical rigor and the associated value to the users of the PRA.

Early work in PRAs, most notably the Reactor Safety Study (Rasmussen et al., 1975), focused on large issues: bringing the probabilistic viewpoint to the field of safety assessment, moving from worst-case bounding analyses toward realism, building the first large-scale models of integrated plant performance, developing the methods to structure such models (e.g., event trees and fault trees), and analyzing events well beyond the design basis of nuclear power plants (e.g., degraded core phenomena and the progression and impact of offsite effects of radionuclide releases). Later, as the field matured, areas of conservatism, subtle areas of optimism, and areas where more thorough analysis could enhance understanding have been revealed and studied.

In the development of PRA event sequence models, success criteria are established for systems and components and for specified operator actions (i.e., top events explicitly shown in the event trees) that can prevent core damage or containment failure. In their simplest and earliest form, success criteria tell us the minimum equipment configuration (e.g., n of m pumps must operate) required to ensure success of a given safety function for all credible conditions. However, the question remains whether failure to meet conservative success criteria ensures core melt or whether meeting those criteria ensures success for all possible conditions. Because PRA seeks to quantify risk (i.e., to quantify what credible means), more general success criteria are needed. These new success criteria must identify the length of time the plant can survive in various equipment configurations; that is, they must identify the time available for specific operator actions or equipment recovery. It is not possible to know the available time exactly because of variability in plant conditions and because the team's knowledge is imperfect. This uncertainty is properly expressed as a probability distribution.

To establish success criteria, analysts must have well-founded technical knowledge of how specific plant equipment and operators respond to a very broad range of operational and accident scenarios.
One can develop an understanding only through a combination of operational experience, tests, and analysis. Events that are expected to occur quite frequently would normally fall into the operational experience category. Events that are included in the traditional licensing design basis are often covered by testing (sometimes generic in nature) and conservative analyses. These analyses use methods that are approved by regulatory authorities and typically include mandated assumptions, e.g., the existence of a single active failure. In the development of PRA models, many scenarios lie outside the rather narrow traditional licensing basis of the plant. Therefore, they are not included in the accident analyses contained in the plant-specific safety analysis report. Such scenarios might involve the occurrence of multiple failures, the availability of both nonsafety- and safety-related equipment, and severe accident scenarios. These are accidents which extend well beyond the design basis and address the performance of equipment that can potentially mitigate the accident consequences following core damage.

Ideally, the results of a wide range of analyses (primarily thermal-hydraulic and structural, and occasionally electrical engineering) would be available that use best-estimate data and correlations and can cover the very large number of scenarios considered in a PRA. Unfortunately, this is seldom the case, and additional analyses are often needed to support the PRA model. The additional analyses can range from simplified mass and energy balances done by hand calculations or small microcomputer-based programs to very sophisticated computer-based models that may include momentum effects, complex control system interactions, and a considerable amount of empirical data.

In recent years, analysts in the nuclear industry have focused on elaborate computer codes that have permitted solution of many complex phenomena. Along the way, the value of more straightforward calculations has often been forgotten.
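An added Python example, not from the guide, of the straightforward calculation argued for here (item 2 in the list of calculational issues above: time until the steam generators boil dry with no feedwater). It assumes the Way-Wigner decay-heat approximation in place of the ANS-5.1 tables and a constructed plant (3000 MWt, 200 t of secondary inventory, saturated water at about 6 MPa); the sensitivity sweep shows how the single answer spreads when the inventory is uncertain.

```python
"""Time until the steam generators boil dry after loss of all feedwater.

Added illustration, not from the guide.  The decay-heat curve is the
Way-Wigner power-law approximation, used here as a stand-in for the
ANS-5.1 tables the guide recommends; all plant parameters are constructed
round numbers, not Kalinin data.
"""

SECONDS_PER_YEAR = 365 * 86400


def decay_heat_fraction(t_s, t_operating_s=SECONDS_PER_YEAR):
    """Fission-product decay power as a fraction of full power, t_s seconds
    after shutdown following t_operating_s seconds at power (Way-Wigner
    approximation, assumed here; a real PRA would use ANS-5.1)."""
    return 0.0622 * (t_s ** -0.2 - (t_s + t_operating_s) ** -0.2)


def time_to_dryout(full_power_w, inventory_kg, h_fg_j_per_kg,
                   stored_heat_j=0.0, dt_s=1.0, t_max_s=86400.0):
    """Seconds after trip until the secondary inventory has boiled off.

    Marches in time, charging the steam generators with decay heat plus any
    primary-side stored heat released early (stored_heat_j).  Returns None
    if the inventory lasts beyond t_max_s.  Heat losses, feedwater recovery
    and level shrink/swell are ignored: this is the conservative first
    approximation the guide describes."""
    energy_to_boil_off = inventory_kg * h_fg_j_per_kg - stored_heat_j
    if energy_to_boil_off <= 0.0:
        return 0.0
    absorbed, t = 0.0, 0.0
    while t < t_max_s:
        # evaluate at the midpoint of the step: avoids the t = 0 singularity
        power = full_power_w * decay_heat_fraction(t + dt_s / 2.0)
        absorbed += power * dt_s
        t += dt_s
        if absorbed >= energy_to_boil_off:
            return t
    return None


def inventory_sensitivity(full_power_w, nominal_kg, h_fg_j_per_kg,
                          fractions=(0.8, 0.9, 1.0, 1.1, 1.2)):
    """Dryout time over a range of initial inventories: the simplest way to
    turn one point estimate into the spread that the guide says should be
    carried as a distribution into the human reliability analysis."""
    return [(f * nominal_kg,
             time_to_dryout(full_power_w, f * nominal_kg, h_fg_j_per_kg))
            for f in fractions]


# Constructed plant: 3000 MWt core, 200 t of water across the steam
# generators, h_fg of saturated water at about 6 MPa (about 1.57 MJ/kg
# from the steam tables), one year at power before the trip.
FULL_POWER_W = 3.0e9
SG_INVENTORY_KG = 2.0e5
H_FG_J_PER_KG = 1.571e6

if __name__ == "__main__":
    t = time_to_dryout(FULL_POWER_W, SG_INVENTORY_KG, H_FG_J_PER_KG)
    print(f"decay heat alone: dryout after {t / 3600:.2f} h")
    t2 = time_to_dryout(FULL_POWER_W, SG_INVENTORY_KG, H_FG_J_PER_KG,
                        stored_heat_j=1.0e11)
    print(f"with 100 GJ of stored heat dumped first: {t2 / 3600:.2f} h")
    for kg, ts in inventory_sensitivity(FULL_POWER_W, SG_INVENTORY_KG,
                                        H_FG_J_PER_KG):
        print(f"inventory {kg / 1000:.0f} t -> {ts / 3600:.2f} h")
```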
Many questions concerning event sequence timing are simple thermal-hydraulic problems. All too often, PRA analysts have shied away from refining success criteria because of the cost of running sophisticated codes when low-cost, simple calculations would have adequately answered the question at hand. Typical examples are questions such as when the PWR steam generators will boil dry with no feedwater, how long it will take to refill the pressurizer following a severe overcooling event, how boiling water reactor containment pressure and temperature vary following vessel isolation, or how quickly rooms heat up with reduced cooling capability and when that causes equipment failures.

The basic data needed for many of these calculations include the American Society of Mechanical Engineers steam tables (Keenan and Keyes, 1950), the critical mass flux of saturated steam and water developed by F. J. Moody (1965), the decay heat rates outlined in the American Nuclear Society Guide 5.1 (ANS, 1994), and plant-specific data (power, volumes, pump curves, etc.). More complex computer calculations using state-of-the-art thermal-hydraulic and neutronic codes are also required at times, but the simpler analysis should be considered first.

The recommended approach to follow in selecting engineering analyses to support PRA recognizes real-world budget and schedule constraints, while maintaining adequate depth on the most significant scenarios. It proceeds as follows:

1. Use conservative safety analyses on most scenarios;
2. Apply simplified analyses to develop preliminary, less conservative success criteria for scenarios that appear particularly sensitive;
3. Document the analyses and assumptions;
4. Evaluate the point estimate frequencies of the entire PRA model;
5. Review results to identify the dominant risk contributors; and
6. Revise the analysis, as required, to obtain realistic and accurate results.

The preliminary risk results are reviewed to identify the dominant risk contributors. Areas where it is important and justifiable to evaluate uncertainties or to perform more sophisticated analyses to better define success criteria are then identified. The goal is to understand safety quantitatively, not just to bound the results. Although the engineering analyses are "best estimate" and deterministic in nature, there are physical and analytical
uncertainties no matter how sophisticated the analysis. Sensitivity studies permit evaluation of those uncertainties as well as the variability associated with plant operation.

Task 3 - Event Sequence Modeling

The objectives of this task are: (1) to determine the range of possible plant and operator responses to a wide variety of upset conditions and (2) to develop event trees for all initiating event categories that are defined in the task Initiating Event Analysis (Section 3.2.1). The event trees must track sufficient information to permit assignment of each event tree sequence to one of the defined plant damage states. These activities are described below in general terms. More detailed guidance is provided in the references listed at the end of this chapter.

The event sequence model is the heart of the PRA. It is the high-level model of how the plant works on a functional basis. It relates functions to plant systems and provides some information on the time sequence of functional interactions. At lower levels, these functions are related to specific plant components and the interrelationships among those components. While some PRAs develop event trees directly, this procedure guide requires the intermediate step of constructing event sequence diagrams (ESDs). These ESDs are more transparently linked to plant operations and responses described in the operating instructions (especially the emergency operating procedures). They are suitable for review by plant operators and engineers as well as PRA specialists. They provide documentation for the more abstract event tree models and provide a lasting record of the simplifications required to develop event trees suitable for quantification. Familiarity with the ESDs can ensure that individual systems, data, and human reliability analysts are aware of the role of their work within the overall structure of the PRA model.

The process of building the event sequence models is inexact and is not likely to be completely codified. The analyst must balance many competing factors: completeness, ease of modeling, efficiency of use for specific risk management applications, rigor, flexibility, etc. A little extra effort in the beginning to understand the range of possible applications, those anticipated as well as those that could eventually be needed, can save enormous effort and cost later.

The delineation of Level 1 accident sequences ends with the determination of the status of the core as safe or damaged as described for the task Core Damage Definition. For core damage cases, each sequence is further assigned to a plant damage state. These plant damage states are defined so that all sequences within a state are essentially identical with respect to the questions addressed in the Level 2 model. The assumption in the Level 2 analysis will be that these sequences are identical.

Plant components modeled in a PRA are generally assumed to be fully operational or nonoperational. Differentiation is not usually made between full and partial operation of a component. Therefore, PRA methodology does not usually take into account degraded (e.g., valve partially open) or enhanced performance of a system component (e.g., pump operating near runout conditions). Precise definition of component functional failure and the possibility of modeling degraded states require careful consideration of the potential impact of these degraded states.

The International Atomic Energy Agency (IAEA) PRA procedures guide (IAEA, 1992) provides a more prescriptive alternative to accident sequence event tree development. The more flexible ESD approach is recommended for the Kalinin PRA to account for any special design characteristics of the Kalinin VVER-1000 that might affect risk. Plant-specific consideration of success criteria may indicate the need to model degraded functionality. Additionally, the ESD approach has the potential to more thoroughly document the basis for the event sequence model than the functional event tree/systemic event tree approach recommended by the IAEA.

This task is broken down into three separate activities:

1. Develop fundamental ESDs,
2. Abstract selected PRA event trees from the fundamental ESDs,
3. Test remaining initiating events against fundamental ESDs and existing event trees.

These three activities are described in more detail below. They form a stepwise approach to developing the event trees with minimum duplication of effort. The approach is accessible for review by a wide range of experts. Moreover, it can clearly explain the simplifications necessary to develop practical, useful, quantifiable models. This event sequence modeling task forms the underpinning of the entire PRA model and is, therefore, closely linked with other tasks in the PRA.

Activity 1 - Develop Fundamental Event Sequence Diagrams

An event sequence model is used to identify the many possible plant response sequences to each initiating event. Depending on various combinations of plant equipment and operator response success or failure states, the event sequences will either be terminated with no core damage or will lead to core damage and various degrees of plant damage, defined as plant damage states. The ESDs are generally developed in cooperation with operators at the plant to ensure the model represents the plant as built and as operated.

The first step in plant modeling for a PRA is to develop a general transient ESD, i.e., a model for all events in which high pressure can be maintained in the primary system, active core cooling is required, and high pressure makeup may be needed. This is the most general PRA model, one that can be specialized to address most transients and accidents. This ESD should be directly applicable to many initiating events, e.g., small LOCA, loss-of-offsite power, reactor trip, and turbine trip.

The second fundamental ESD is that of a large LOCA. For most PWRs, the large LOCA is the most strikingly different ESD because low pressure injection is required, control rods are not required for nuclear shutdown, and only long-term cooling is required. Thus, at least this one new ESD will be required.

Activity 2 - Abstract Selected PRA Event Trees from the Fundamental ESDs

The general transient ESD should provide a complete model for a number of initiating event groups including reactor trip, loss of main feedwater, turbine trip, loss-of-offsite power, and loss of primary flow. The ESD displays the basic relationships between the systems and their impact on the overall plant status and relates those actions required to mitigate the effects of the plant disturbance caused by the initiating event to the steps in the plant emergency procedures. The event trees are developed from the ESDs.
The specific actions key in determining the accident progression are identified in the ESDs and grouped into top events in the corresponding event tree. This grouping of actions is displayed in the ESDs to document the event tree development. Since the ESD does not directly lend itself to accident sequence quantification, construction of the event trees is a necessary step. A description of the included actions and the success criteria for each top event must be developed in detail with the event tree structure. The success criteria identify the analysis boundary conditions required for the systems analysis tasks. Finally, each sequence in the event tree must be assigned to its plant damage state.

The frontline system response to several different initiating event categories may be similar. Therefore, the same event sequence models may be used to quantify the risks from more than one such initiating event category, although some differences in the fault trees and data may be required for proper quantification. These differences reflect the different conditions imposed by the specific initiating event category.

Activity 3 - Test Remaining Initiating Events Against Fundamental ESDs and Existing Event Trees

The PRA team working on ESD development will review each remaining initiating event against the general transient and large LOCA ESDs, identifying any structural changes that may be required and defining any special conditions that must be accounted for when the individual event trees are constructed. The exact number of ESDs and event trees required for the PRA will be determined at this time.

Development of the event sequence model is an exercise in addressing a wide variety of open-ended questions. An insightful and experienced analyst must lead the work, integrating knowledge of potential accidents, thermal-hydraulic and neutronic response, plant systems and operations, and systems analysis for PRA. Despite efforts to formalize the process, much will remain subjective due to the open-ended nature of the problems to be solved. Documentation of assumptions, simplifications, and approximations, and the reasons for them, is essential for the understanding and future use and modification of the study.

Models developed with an eye toward flexibility will serve their owners well in the long term. For example, if Level 1 models (NRC, 1983) anticipate Level 2 needs, the Level 2 PRA will require far fewer costly revisions to the Level 1 model and far less tortured arguments to tie the complete analysis together. System fault trees built originally for risk evaluation and identification of dominant contributors will need to be expanded, separating failure rate into demand- and time-based elements, if test schedule optimization is desired. Definitions of system boundaries and decisions concerning the extent of fault tree versus event tree models will affect the ease of testing the effects of design changes on risk. Generally, changes to the database are easier to implement than changes to the fault trees, and changes to a fault tree are easier than changes to an event tree.
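The event tree abstraction of Activities 1 and 2, as an added Python example that is not part of the guide: the top events and branching follow the general transient walk-through given later in this section (reactor trip, turbine trip, steam line isolation, auxiliary feedwater, main feedwater or condensate recovery, feed and bleed, long-term cooling), while the end-state names and all split fractions are constructed. It also quantifies the same tree for a second initiating event group with different data, as Activity 2 allows.

```python
"""General transient event tree abstracted from an ESD, with each sequence
assigned to a plant damage state and quantified with point estimates.

Added illustration, not from the guide.  Top events and branching follow
this section's transient walk-through; the end-state names and every split
fraction below are constructed.
"""
from dataclasses import dataclass

# RT reactor trip; TT turbine trip; SLI steam line isolation (asked only if
# the turbine fails to trip); AFW auxiliary/emergency feedwater; MFW operator
# restores main feedwater or condensate (asked only if AFW fails); FB feed
# and bleed (asked only if all steam generator feed has failed); LTC
# long-term cooling.
TOP_EVENTS = ("RT", "TT", "SLI", "AFW", "MFW", "FB", "LTC")


@dataclass(frozen=True)
class Sequence:
    path: tuple        # ((top event, succeeded?), ...) in the order asked
    end_state: str
    frequency: float   # per reactor-year


def next_step(path):
    """Given the branches taken so far, return the next top event to ask or
    the end state reached.  This is the ESD logic the event tree documents."""
    r = dict(path)
    if "RT" not in r:
        return "RT"
    if not r["RT"]:
        return "ATWS"          # transfer to the failure-to-scram model
    if "TT" not in r:
        return "TT"
    if not r["TT"]:
        if "SLI" not in r:
            return "SLI"
        if not r["SLI"]:
            return "OVERCOOL"  # rapid overcooling, ECCS actuation, PTS challenge
    if "AFW" not in r:
        return "AFW"
    fed = r["AFW"]
    if not fed:
        if "MFW" not in r:
            return "MFW"
        fed = r["MFW"]
    if not fed:
        if "FB" not in r:
            return "FB"
        fed = r["FB"]
    if not fed:
        return "CD-HP"         # high pressure core melt: all heat removal lost
    if "LTC" not in r:
        return "LTC"
    return "OK" if r["LTC"] else "CD-LTC"


def enumerate_sequences(ie_frequency, fail_prob):
    """Walk every branch of the tree; fail_prob maps each top event to its
    point-estimate failure probability for this initiating event group."""
    sequences = []

    def walk(path, freq):
        step = next_step(path)
        if step not in TOP_EVENTS:
            sequences.append(Sequence(path, step, freq))
            return
        p = fail_prob[step]
        walk(path + ((step, True),), freq * (1.0 - p))
        walk(path + ((step, False),), freq * p)

    walk((), ie_frequency)
    return sequences


def plant_damage_states(sequences):
    """Bin sequence frequencies by end state (the interface to Level 2)."""
    binned = {}
    for s in sequences:
        binned[s.end_state] = binned.get(s.end_state, 0.0) + s.frequency
    return binned


def core_damage_frequency(sequences):
    return sum(s.frequency for s in sequences if s.end_state.startswith("CD"))


# Constructed split fractions.  The same tree serves two initiating event
# groups; only the data differ, e.g. main feedwater cannot be recovered
# when its loss is the initiator.
REACTOR_TRIP = {"RT": 1e-5, "TT": 1e-2, "SLI": 1e-2, "AFW": 1e-3,
                "MFW": 0.5, "FB": 0.1, "LTC": 1e-4}
LOSS_OF_MFW = dict(REACTOR_TRIP, MFW=1.0)

if __name__ == "__main__":
    for name, ie_freq, data in (("reactor trip", 1.0, REACTOR_TRIP),
                                ("loss of main feedwater", 0.1, LOSS_OF_MFW)):
        seqs = enumerate_sequences(ie_freq, data)
        print(f"{name}: {len(seqs)} sequences, "
              f"CDF = {core_damage_frequency(seqs):.3e} per reactor-year")
        for state, f in sorted(plant_damage_states(seqs).items()):
            print(f"   {state:<9} {f:.3e}")
```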
Many such trade-off decisions must be made during the PRA development.

To get a better understanding of the thought process involved in the event sequence modeling task, consider a transient initiating event. The general transient ESD is used to model events that require a reactor trip, turbine trip, and decay heat removal for successful mitigation. The normal plant responses for these initiating events are:

1. Plant conditions result in a demand for a reactor trip, turbine trip, and generator trip. Sequences with a successful trip are modeled in the event sequence model. Unsuccessful reactor trip sequences are modeled in a separate transients-with-failure-to-scram model.
2. The exact sequencing of reactor, generator, and turbine trips is design specific and leads to different requirements for steam relief.
   a. If a turbine trip and reactor trip occur first and are nearly simultaneous, steam generator pressure rises due to the loss of load (turbine trip) and the addition of core decay heat as well as stored heat. Typically, condenser steam dump valves open automatically to control the primary system at the no-load Tavg temperature by passing steam to the plant condensers. If the condensers are not available, secondary steam relief is achieved with the steam generator atmospheric steam dumps.
   b. If a generator trip occurs first, the same sequence occurs.
   c. If a reactor trip occurs first and a turbine and generator trip are delayed, the turbine removes the initial decay heat, reducing the need for steam bypass.
3. Feedwater is added to the steam generators by the auxiliary or emergency feedwater pumps (main feedwater valves may isolate depending on plant-specific design features) to make up the steam generator inventory lost by dumping steam.
4. As reactor decay heat decreases and plant conditions return to normal, primary system temperature is maintained at the no-load Tavg value by the action of the condenser steam dump valves or the atmospheric steam dumps, or through system steam loads. The steam generator water level is maintained by the water level control system or by operator action, and recovery from the plant trip commences.

Failure of a turbine trip results in an excessive steam demand and could result in overcooling the primary system. Automatic steam line isolation should then occur because of protection system actuation. Failure of steam line isolation and turbine trip leads to a rapid overcooling of the primary, automatic initiation of the emergency core cooling system equipment due to the resulting decrease in primary system pressure, and a possible challenge to the reactor pressure vessel integrity because of pressurized thermal shock should the RCS be repressurized when the vessel wall is overcooled.

Failure of auxiliary feedwater requires operator action to restore main feedwater or establish low pressure condensate flow to the steam generators. Failure of the steam generator feed systems requires operator action to initiate the "feed and bleed" mode of cooling the primary and the reactor core. Failure of this mode of cooling results in a high pressure core melt because of loss of all heat removal options.

If cooling water systems fail, cooling is lost to key equipment and, in some cases, this can induce subsequent LOCAs through damage to primary system equipment.

Having reached this point successfully, long-term cooling needs must be addressed. Finally, core melt is assumed to occur for those event sequences in which all core cooling is lost or a LOCA occurs with no safety injection. The operation of the containment building cooling and fission product removal systems is analyzed in the core melt sequences since it is necessary to remove decay heat and to minimize the fission product release for these core melt sequences.

3.2.2.4 Task Interfaces

The core damage definition task (Task 1) has the following interfaces:

The functional analysis and system success criteria task (Task 2) has the following interfaces:

Plant Familiarization. Prior to the initial site visit, the plant safety functions should be defined. This information is essential background material for the site visit. During the site visit, a complete first draft of the dependency matrix must be
completed.

Core Damage Definition. If the risk results (see Section 3.2.6.1, Initial Quantification of Accident Sequences) are found to be heavily dependent upon the precise definition of the state of core damage, then additional calculations could help decide the optimal definition. This additional work may also suggest breaking that state into multiple states with varying impact. These calculations must take proper account of reactor decay heat to obtain valid results, especially with respect to timing. Such calculations are not in the current scope of the Kalinin PRA.

Initiating Event Analysis. Understanding of the Kalinin plant systems safety functions and interrelationships may suggest redefinition of the initiating event groups.

Event Sequence Modeling. Activity 1 (Task 2) defines the safety functions to be modeled in the event trees. Activity 2 (Task 2) helps to define the interrelationships among systems. Activity 3 (Task 2) is initially performed in concert with the preliminary development of the event sequence models. Judgments about the likely impact of Activity 3 (Task 2) assumptions on sequence-model structure and results guide the work. Later in the PRA, the task on Event Sequence Modeling will require additional Activity 3 (Task 2) work as needed to strengthen and simplify the models.

Systems Analysis. Activity 1 (Task 2) defines the systems to be analyzed. Activity 2 (Task 2) provides the interrelationships among systems that define the fault tree structure, while Activity 3 (Task 2) provides the success criteria for systems models.

Human Reliability Analysis. Human reliability analysis is heavily dependent on Activity 3 (Task 2), which defines the time available for various human actions and the extent of action required to cope with specific event sequences. Event Sequence Modeling, Human Reliability Analysis, and Activity 3 (Task 2) are deeply interrelated.

Initial Quantification of Accident Sequences. In this task, the results of all the modeling efforts, assumptions, and calculations are realized. Invariably, the results are considered as preliminary, requiring further analyses and refinements in the models/assumptions employed. Uncertainty analysis in the quantification task will require Activity 3 (Task 2) calculations to assess the range of possible results. After the results are available, the highest frequency scenarios are analyzed by experienced analysts who look for expected contributors that have not reached the final results. Problems in modeling and success criteria will be found along with errors in computer input, calculations, etc. Extensions to the success criteria calculations of Activity 3 (Task 2) will be required to correct these problems.

The event sequence modeling task (Task 3) has the following interfaces:

Plant Familiarization. During the initial familiarization task, the preliminary ESDs based on the relevant emergency procedures for transients, loss-of-offsite power, and LOCAs should be
- 3. Technical Activities 3-33 developed. The mitigating functions and thesystems associated with the functions should be tabulated.Initiating Event Analysis. Event trees must bedeveloped or applied to each initiating event group.Analysis of the impact of event tree questions oneach group may lead to a redefinition of thegroups, combining groups when plant response is sufficiently similar and breaking apart groups orreassigning specific initiating events as newinsights warrant them. Details of each specificinitiating event that can affect systems modeled in the event tree must be properly accounted for.Functional Analysis and Systems Success Criteria.This task and the current task are highly coupledand performed in an iterative fashion. In Task 2 (Functional Analysis and Systems Success Criteria), Activity 1, Determination of Safety Functions, defines the safety functi ons to bemodeled in the event trees. Task 2, Activity 2,Assessment of Function/System Relationships, provides the defining interrelationships among systems. Task 2, Activity 3, Assessment of Success Criteria, is initially performed in concertwith the preliminary development of the eventsequence models. Judgements about the likelyimpact of these assumptions on results and modelstructure guide by the early work. Later in theproject, Task 3 will prompt additional Activity 3work as needed to strength and simplify themodels. Systems Analysis. The event tree sets theboundary conditions for the system models. Aspart of this activity, a qualitative dependency analysis is performed which searches fordependencies to insure that all significant dependencies are reflected in the final models.
Model enhancements to more accurately reflect functional, spatial, and human-induced interactions may be required as a result.

Human Reliability Analysis. Human reliability analysis (HRA) is heavily dependent on event sequence modeling. Proper consideration of factors affecting the plant and human context for HRA, including dependencies among human actions, will affect the structure of the event trees.
Conservative, unrealistic systems models cannot be supported with meaningful HRA. Modeling human actions under situations that will not occur is an exercise in irrelevance.

Initial Quantification of Accident Sequences. In this task, the results of all the modeling efforts, assumptions, and calculations are realized, and invariably, the results at this point are not satisfactory. After the results are available, the highest frequency scenarios are analyzed, and experienced analysts look for expected contributors that have not reached the final results. Problems in modeling and defining success criteria will be found along with errors in computer input, calculations, etc. Revisions to the event tree structures and definitions of top events will almost certainly be required. Project management must anticipate substantial effort for review and revision.

Fire, Flood, and Seismic Analyses. Event trees from the internal events analysis will generally serve to model fire-, flood-, and seismic-induced sequences. Because these types of initiating events can induce multiple internal initiating events and affect multiple systems helpful for recovery, revisions to the event tree structures and definitions of top events may be required.

3.2.2.5 References

ANS, American National Standard for Decay Heat Power in Light Water Reactors, American Nuclear Society Standards Working Group, ANSI/ANS-5.1-1994, American Nuclear Society, 1994.

Bley, D. C., S. Kaplan, and D. H. Johnson, "The Strengths and Limitations of PSA: Where We Stand," Reliability Engineering and System Safety, 38, pp. 3-26, 1992.

Bley, D. C., D. R. Buttemer, and J. W. Stetkar, "Light Water Reactor Sequence Timing: Its Significance to Probabilistic Safety Assessment Modeling," Accident Sequence Modeling: Human Actions, System Response, Intelligent Decision Support, G. E. Apostolakis, P. Kafka, and G. Mancini, editors, Elsevier Applied Science, 1988.

Drouin, M., et al., Analysis of Core Damage Frequency from Internal Events: Methodology Guidelines, Volume 1, NUREG/CR-4550, September 1987.

Harrington, R. M., and L. J. Ott, The Effect of Small Capacity, High Pressure Injection Systems on TQUV Sequences at Browns Ferry Unit One, NUREG/CR-3179, Oak Ridge National Laboratory, September 1983.

IAEA, Procedures for Conducting Probabilistic Safety Assessments of Nuclear Power Plants (Level 1), Safety Series No. 50-P-4, International Atomic Energy Agency, 1992.

Keenan, J. H., and F. G. Keyes, Thermodynamic Properties of Steam, John Wiley, New York, November 1950.

Moody, F. J., Maximum Flow Rate of a Single Component, Two-Phase Mixture, American Society of Mechanical Engineers, New York, February 1965.

NRC, The Use of PRA in Risk-Informed Applications, NUREG-1602, Draft Report for Comment, June 1997.

NRC, PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, NUREG/CR-2300, U.S. Nuclear Regulatory Commission, January 1983.

Rasmussen, N. C., et al., Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400, NUREG-75/014, U.S. Nuclear Regulatory Commission, October 1975.

3.2.3 Systems Analysis

The systems analysis consists of three interrelated tasks, namely, system modeling, subtle interactions, and spatial interactions. The first of these tasks is the heart of the systems analysis.
The objective of the task on system modeling is to develop the system logic models (e.g., through the use of fault trees) that will be used to support the event sequence quantification. The objective of the task on subtle interactions is to identify and to explicitly model subtle interactions that could potentially cause single or multiple component failures, which are neither covered by a common-cause failure analysis nor addressed in the dependency matrix. The objective of the task on spatial interactions is to identify potential environmental hazard scenarios at the plant.

3.2.3.1 Assumptions and Limitations

The analysis boundaries are based on functionality. Therefore, it is important to clearly define the boundaries of the system, which will likely be different from the boundaries specified by the normal system descriptions. For example, if a portion of a service water line serves only the pumps of the residual heat removal (RHR) system (and failure of that line would only impact the RHR system), then the availability of that line would be analyzed as part of the RHR system. The boundaries of the RHR system for the purpose of this analysis would, therefore, include that specific service water line.

Not all systems are analyzed to the same level of detail. The appropriate level of analysis detail is governed by the importance of the system in relation to its role in preventing or delaying core damage and the complexity of the system. An important consideration is the depth at which the supporting data best provide a quantitative characterization of the unavailability of the system.

3.2.3.2 Products

The products of the system modeling task are:

* a portion of the "Systems Analysis" and the "Fault Tree" sections of the backup documentation.
* the system logic models in electronic form suitable for use in the sequence quantification activity.

The products of the subtle interactions task are:

* descriptions of the applicable subtle interactions that have been identified, the sources of information used, and the guidance as to how these interactions should be modeled within the Kalinin PRA logic models.

The products of the spatial interactions task are:

* a scheme for describing plant locations, a form specialized for the plant to assist in the documentation of the plant walkdown, a set of completed walkdown forms, and an information database that describes the location of hazards as well as plant equipment of interest.
* draft material for the final report. Specifically, a draft portion of the "Spatial Interactions" section of the main report will be developed that will include a description of the methodology used to identify and screen hazard scenarios and the information derived by the analysis. The information derived includes the identification and characterization of plant hazards, the location and relative apportionment of plant equipment according to location, and tables describing the potential hazard scenarios.

3.2.3.3 Analytical Tasks

Task 1 - System Modeling

The goal of this task is to develop the system logic models necessary to support the event model activities, including possibly the determination of the frequency of selected initiating events, along with the supporting documentation. This task consists of constructing models for those systems to be considered in the PRA. The most usual element of these models is the failure or success of a system. The details of the events can be analyzed through one of a number of system modeling techniques (i.e., fault trees, state space diagrams, reliability block diagrams, or GO charts). These techniques are described below in general terms. More detailed guidance is provided in the references listed at the end of this chapter. [In particular, refer to Drouin (1987) and NRC (1997).] In addition, an excellent reference to systems analysis can be found in Section 5 of Ericson et al. (1990).

Fault tree analysis is the method for developing system models in this study. Before any fault trees are developed, it is necessary to have a very good understanding of the system operation, the operation of the system components, and the effects of component failure on system success. Sources of information that the analyst can use to gain this understanding of the normal and emergency operation of the systems are: system training notebooks, system operating instructions, system surveillance instructions, and maintenance procedures. It is also important for the analyst to understand the system requirements within the context of the event tree model and the event tree headings. The analyst should examine all available information collected in Plant Familiarization in order to gain insights into the potential for independent or dependent failures in the systems and the potential for system interactions. The information contains descriptions of all types of failures that have occurred at the plant and possibly at similar plants.

The development of support system-to-support system and support system-to-frontline system dependency matrices, along with a comprehensive set of explanatory notes that clearly depict the functional relationship between systems and system trains, is needed early on in this analysis. These matrices may have been drafted as part of the task Plant Familiarization but should be updated and kept current as part of the present task. A simplified example of a dependency matrix is included as Figure 3.2.

A schematic for each system needs to be developed. However, the plant drawings are usually very detailed, containing considerably more information than is required in the systems analysis task. A simplified system schematic that defines the system to a level of detail commensurate with the needs of the system analyst is, therefore, necessary.

To facilitate the analysis task, a table is created by the analyst that depicts the status of the system components (i.e., pumps and valves) under at least two sets of conditions:

* when the plant is operating normally (i.e., the initial conditions for the analysis) and
* when the system responds to a plant initiating event.
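A dependency matrix of the kind described above is most useful when it is kept as a structure that can be queried, so that the system analyst can check which frontline systems are lost, through whatever chain of support systems, when a single support is unavailable. The block below is an added example and is not code from this guide or from the Kalinin PRA; Figure 3.2 is not reproduced on this page, so the support and frontline systems, their dependencies (including a deliberate AC/DC control-power cycle) and the function names are constructed for illustration.

```python
"""Dependency matrices as a queryable structure.

Added example: the systems and dependencies are constructed for
illustration and are not those of the Kalinin PRA or of Figure 3.2.
"""
from collections import deque

# Support-to-support matrix: each support system -> the supports it needs.
# AC_BUS_A and DC_BUS_A form a deliberate cycle (breaker control power
# from DC, battery charger fed from AC), which real matrices do contain.
SUPPORT_TO_SUPPORT = {
    "AC_BUS_A": {"DC_BUS_A"},
    "DC_BUS_A": {"AC_BUS_A"},
    "SW_A": {"AC_BUS_A"},            # service water pump motor
    "CCW_A": {"AC_BUS_A", "SW_A"},   # component cooling pump and its heat sink
}

# Support-to-frontline matrix: each frontline system -> the supports it needs.
SUPPORT_TO_FRONTLINE = {
    "HPI_A": {"AC_BUS_A", "CCW_A"},  # motor-driven pump with CCW-cooled bearings
    "RHR_A": {"AC_BUS_A", "SW_A"},   # RHR heat exchanger cooled by service water
    "AFW_TD": {"DC_BUS_A"},          # turbine-driven pump: DC for control only
}


def lost_supports(support):
    """All support systems unavailable, transitively, when `support` fails.

    Breadth-first search over the inverted support-to-support matrix; the
    `lost` set doubles as the visited set, so the AC/DC cycle terminates.
    """
    lost, queue = {support}, deque([support])
    while queue:
        failed = queue.popleft()
        for other, needs in SUPPORT_TO_SUPPORT.items():
            if failed in needs and other not in lost:
                lost.add(other)
                queue.append(other)
    return lost


def affected_frontline(support):
    """Frontline systems that lose at least one required support."""
    lost = lost_supports(support)
    return {fl for fl, needs in SUPPORT_TO_FRONTLINE.items() if needs & lost}


def support_columns():
    """Column order used when the matrix is tabulated."""
    return sorted(SUPPORT_TO_SUPPORT)


def matrix_rows():
    """The combined matrix as (system, marks) rows, one 'X' per dependency,
    in the column order returned by support_columns()."""
    cols = support_columns()
    entries = list(SUPPORT_TO_SUPPORT.items()) + list(SUPPORT_TO_FRONTLINE.items())
    return [(name, ["X" if s in needs else "-" for s in cols]) for name, needs in entries]


if __name__ == "__main__":
    print(f"{'':8s}", " ".join(f"{c:9s}" for c in support_columns()))
    for name, marks in matrix_rows():
        print(f"{name:8s}", " ".join(f"{m:9s}" for m in marks))
    for s in support_columns():
        print(f"loss of {s:9s} -> frontline lost: {sorted(affected_frontline(s))}")
```

The walk over the inverted support-to-support matrix is the qualitative dependency analysis the interface description asks for: a failure is propagated through every row that lists the failed system, and the visited set keeps the AC/DC loop from recursing. Running the query for every support column gives the analyst the list of frontline systems that share each support, which is what the fault tree boundaries in Task 1 must reflect.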
Figure 3.2 Example of dependency matrix
Note that multiple cases may be necessary in defining the desired component status for all of the plant events of interest.

The analyst should also determine the potential for each system to initiate an accident, should the system inadvertently (or prematurely) operate, malfunction, or fail. These will be compared with the identified initiators (see Section 3.2.1), and new plant initiators will be added, as appropriate. The possible identification of initiating events under this task is meant to complement the activity described in Section 3.2.1. In other PRA studies, the system analysts have often developed a level of understanding of the systems and have provided insights into the modes of system failure that make such a complementary activity beneficial.

Fault tree analysis is a common method used for representing the failure logic of plant systems. An undesired state of a system is specified, and the system is then analyzed in the context of its environment and operation to find all the credible ways in which the undesired state could occur. The fault tree is a graphic representation of the various combinations of events that would result in the occurrence of the predefined undesired event. The events are such things as component hardware failures, human errors, maintenance or test unavailabilities, or any other pertinent events that could lead to the undesired state. A fault tree thus depicts the logical interrelations of basic events that lead to the top event of the fault tree.
These interrelations usually can be depicted as combinations of events in parallel or series, developed to the point where the data are best defined. This may be at the component level, subassembly level, or even, in very specific cases, at the system or subsystem level. The system analysts must, therefore, work closely with the data analysts to determine the level at which the basic event data are best defined. For example, successful operation of a system may require the operation of a sensor and an associated signal processing unit that together constitute a complete logic channel. However, the data analysts may have developed the data only to the level of the logic channel, in which case only a single basic event (at the logic-channel level) is appropriate in the fault tree. Alternatively, the data may have been expressed in such a manner that makes more than one basic event appropriate. It has been shown that due to inherent conservatisms in most databases, developing data at too fine a level (e.g., resistors, capacitors, and other electronic components in an amplifier) may result in an inaccurate determination of the performance of the overall assemblage. For some systems (for example, balance of plant systems), the available data may be best defined at a rather high level, such as at the train or system level.

An example of a simple fault tree is included as Figure 3.3. The system represented in the fault tree is a backup cooling system represented by top event "BU" in an event tree. Both pumps in this simple example are initially in standby and each represents 100 percent capacity for delivering the required flow. Each train is tested periodically using a bypass line, which would render that train inoperable if left in the incorrect position following the test. The two trains share a common suction valve and a common discharge check valve. Motive power, control power, room cooling, actuation signals, and all other support are all assumed available. This assumption is made only to simplify the discussion; it would not be appropriate in the PRA system models.

Another example is taken from an actual PRA application (Chu et al., 1994) that utilized the Integrated Reliability and Risk Analysis System (IRRAS) computer code for fault tree quantification. This example (Figure 3.4) addresses a portion of the logic developed for a fluid system. This system, called the Inside Spray Recirculation System, requires both trains to be operable for the success of the particular top event considered.
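To make the Figure 3.3 discussion concrete, the block below represents the backup cooling system as a table of AND/OR gates, derives its minimal cut sets, quantifies top event BU with the rare-event approximation, and then conditions the result on another system's success by deleting cut sets (the approach item 13 in the list below refers to). It is an added example, not code from the guide, from Chu et al. (1994) or from IRRAS; because the figure is not reproduced on this page, the gate layout, basic event names, probabilities, and the second system MC that shares the suction valve are constructed assumptions.

```python
"""Minimal cut sets and rare-event quantification of a fault tree.

Added example.  The gate table is a constructed reading of the two-train
backup cooling system described for Figure 3.3; the figure is not
reproduced here, so event names, gate layout and probabilities are
assumptions and not values from the guide.
"""
import math
from itertools import product

# Gate table: gate name -> (type, children).  A name not in the table is a
# basic event.  Support systems are assumed available, as in the text.
BU_TREE = {
    "BU":           ("OR",  ["COMMON_PARTS", "BOTH_TRAINS"]),
    "COMMON_PARTS": ("OR",  ["SUCT_V_PLUGGED", "DISCH_CV_FAILS"]),
    "BOTH_TRAINS":  ("AND", ["TRAIN_A", "TRAIN_B"]),
    "TRAIN_A":      ("OR",  ["PUMP_A_FTS", "PUMP_A_FTR", "BYPASS_A_MISPOS"]),
    "TRAIN_B":      ("OR",  ["PUMP_B_FTS", "PUMP_B_FTR", "BYPASS_B_MISPOS"]),
}

# A second constructed system that shares the suction valve with BU; used
# only to show sequence conditioning.
MC_TREE = {"MC": ("OR", ["SUCT_V_PLUGGED", "MC_PUMP_FAILS"])}

# Constructed basic-event probabilities (per demand or per mission).
PROBS = {
    "SUCT_V_PLUGGED": 1e-4, "DISCH_CV_FAILS": 1e-4,
    "PUMP_A_FTS": 3e-3, "PUMP_A_FTR": 1e-3, "BYPASS_A_MISPOS": 1e-3,
    "PUMP_B_FTS": 3e-3, "PUMP_B_FTR": 1e-3, "BYPASS_B_MISPOS": 1e-3,
}


def minimize(cut_sets_):
    """Boolean absorption: drop any cut set that strictly contains another."""
    return {c for c in cut_sets_ if not any(o < c for o in cut_sets_)}


def cut_sets(node, tree):
    """Minimal cut sets of `node` as a set of frozensets of basic events."""
    if node not in tree:                      # basic event: itself
        return {frozenset([node])}
    kind, children = tree[node]
    child_sets = [cut_sets(c, tree) for c in children]
    if kind == "OR":                          # any child failing fails the gate
        combined = set().union(*child_sets)
    elif kind == "AND":                       # all children must fail: cross product
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    return minimize(combined)


def rare_event(cut_sets_, probs):
    """Sum of cut-set probabilities: the usual upper-bound approximation."""
    return sum(math.prod(probs[e] for e in c) for c in cut_sets_)


def delete_term(failed, succeeded):
    """Condition a failed system on another system's success in the same
    sequence: a cut set of the failed system that contains a cut set of the
    successful system would have failed that system too, so it is deleted
    (the cut-set deletion approach mentioned under item 13 below)."""
    return {c for c in failed if not any(s <= c for s in succeeded)}


def bu_unavailability():
    return rare_event(cut_sets("BU", BU_TREE), PROBS)


def bu_given_mc_success():
    """P(BU fails) in a sequence where MC succeeded: the shared suction
    valve can no longer be the cause."""
    conditioned = delete_term(cut_sets("BU", BU_TREE), cut_sets("MC", MC_TREE))
    return rare_event(conditioned, PROBS)


if __name__ == "__main__":
    cs = cut_sets("BU", BU_TREE)
    for c in sorted(cs, key=lambda c: (len(c), sorted(c))):
        print(" * ".join(sorted(c)))
    print(f"{len(cs)} minimal cut sets; P(BU) ~ {bu_unavailability():.3e}")
    print(f"P(BU | MC succeeded) ~ {bu_given_mc_success():.3e}")
```

With these constructed numbers the tree has two single-event cut sets (the shared suction valve and discharge check valve) and nine double-event cut sets (one train-A failure combined with one train-B failure). The two shared components contribute about 2.0e-4 of the roughly 2.25e-4 total, which is the point of modeling them as common parts rather than assuming full redundancy between the trains. Deleting the cut sets that contain the suction valve, once the sequence states that MC succeeded, removes the largest single contributor and is why item 13 below insists on making failures conditional on successes.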
Transfers to other fault trees that are used to develop the logic further (e.g., "failure of 120V DC bus 1A") are indicated by triangles.

The general techniques for constructing, manipulating, and quantifying fault trees are described in Haasl et al. (1981). However, the following issues merit special consideration in the development of fault trees:
Figure 3.3 Example of fault tree for backup cooling system

Figure 3.4 Example fault tree for inside spray recirculation
1. In order to facilitate consistency of the individual fault tree analyses, it is necessary that the definition of system boundaries and the conventions used to represent logic symbols, event coding, and representation of human errors and common cause failures be specified a priori for all the fault tree analysts. It is suggested that one system analysis be prepared before the fault trees for the other systems are started to serve as a guide.
Human actions that occur following the initiating event are properly treated at the event tree level. The only human actions that should be included as events in the fault trees are those actions that potentially follow test and maintenance.

2. All assumptions made while constructing a fault tree should be documented, together with the source (and revision number) of all design information used. In this way, consistency will be promoted throughout the analysis and traceability will be maintained.

3. When systems are not modeled in detail and reliability data at the system level are used, failure events that are common with other systems should be separated out and explicitly considered.

4. Computerized methods should be used for handling the solution and quantification of fault trees to ensure consistency, comprehensiveness, efficiency, and quality.

5. It is strongly recommended that clear and precise definitions of system boundaries be established before the analysis begins. Any modifications to these definitions should be made known to all the other system analysts during the course of the analysis. The analysis boundary definitions should be included in the final documentation covering the systems modeling. The interface points between frontline systems and various support systems could, for example, be located as follows:

* for electrical power supply, at the buses from which components considered within the system are fed;
* for actuation signals, at the appropriate output cabinets of the actuation system; and
* for support systems providing various media (water, oil, air), at the main header line of the support system.

In cases where equipment or piping is shared between several systems, guidance to the proper establishment of the system boundary is usually provided by the system descriptions and drawings. Such cases must be brought to the attention of the system analysis task leader in order to avoid possible omissions and/or double counting of shared components.

6. It is important that a standardized format be used for coding the basic events in the fault trees. The formatting scheme should be compatible with the IRRAS code for the systems analysis, and the scheme should also enable the basic events to be clearly related to the following:

* component failure mode,
* specific component identification and type,
* specific system in which the component is located, and
* plant codings for the components.

To prepare the system models for either the concurrent or subsequent evaluation of environmental hazards, the system models should contain additional information on the location of the component and on the susceptibility of the component to the environmental hazard of interest (e.g., earthquake, fire, or flood). It is suggested that information of this type be encoded within the component name or provided on separate tables correlating events with applicable information.

To assist the analysis of dependent failures (other than those caused by extreme environments), the coding scheme should include information on location, designation of generic type, and test and maintenance procedures.

7. Fault trees should represent all possible failure modes that may contribute to the system's unavailability. This should include contributions due to outages of a system (or a portion of a system) for testing and maintenance. Human errors associated with failure to restore equipment to its operable state following testing and maintenance and human errors associated with accident response should also be included where applicable. Considerations of potential operator recovery actions are often specific to accident sequences and are best treated in the quantification of accident sequences (see Sections 3.2.6.1 and 3.2.6.2).

8. The following aspects of dependent failures should be reflected in the fault trees:

* interrelations between initiating events and system response,
* common support system faults affecting more than one frontline system or component through functional dependencies,
* human errors associated with common test and maintenance activities, and
* components shared among frontline systems.

Dependent events should be modeled either explicitly or implicitly as noted in the following points:

- Multiple failure events for which a clear cause-effect relation can be identified should be explicitly modeled in the system model. The root cause of these events should be included in the system fault tree so that no further special dependent failure model is necessary. This applies to multiple failures either caused by an internal equipment failure (such as cascade failures and functional unavailability events caused by components) or resulting from a clearly identifiable human error (such as human error in the steps of a prescribed procedure).
- Multiple failure events that are susceptible to dependencies, and for which no clear root cause event can be identified, can be modeled using implicit methods, such as the parametric models (see Section 3.2.3).
- There can be instances when there is a set of multiple failure events for which explicit modeling of the cause is feasible (even in principle) but not performed because it would be too difficult. Encapsulating the events in a parametric model is the preferred approach. The decision is made by the analyst based on experience and judgment, taking into consideration the aim and scope of the analysis. In other cases, explicit modeling may be impracticable because the component failure data do not allow different failure causes to be distinguished. Explicit modeling should in principle go as far as reasonable, largely depending on the resources for the analysis and the level of detail required.
Otherwise, an upper bound should be assessed and parametric modeling used. The analyst should clearly document the parametric modeling approach, the input, and the events that have been modeled explicitly.

9. The operability of some systems in response to an initiating event can be directly affected by the initiating event. Loss-of-coolant accident and loss-of-offsite power are two initiating events that can directly affect the performance of the responding systems. For these cases, the impact of the initiating event on the operability of each system should be explicitly included in each system fault tree. This representation also permits the proper quantification of the accident sequences. In the small event tree/large fault tree approach, which has been adopted in this study, the impact of the initiating events can occur at the component level.

10. To simplify and reduce the size of the fault trees, certain events are often excluded owing to their low probability in comparison with other events. Examples of simplifying assumptions are illustrated below:

- Flow diversion paths for fluid systems should be considered only if they could seriously degrade or fail the system. A general rule is that the diversion path may be ignored for failure to start if the pipe diameter of the diversion path is less than one third of the primary flow path.
- Spurious control faults for components after initial operation should only be considered if the component is expected to receive an additional signal to readjust or change its operating state during the accident.
- Position faults prior to an accident are not included if the component receives an automatic signal to return to its operable state under accident conditions.

Assumptions of this type must, of course, be documented and justified in the PRA report.

11. The testing procedures used in the plant must be closely examined to see whether implementation of the procedures can introduce potential failure modes. All potential failure modes identified must be documented. An example would be if, during testing, the flow path through a valve is isolated, and at the end of the test, the flow path remains closed (possibly due to human error) with no indication that the flow path is still closed.

12. Tripping of pumps and other safeguards, intended to protect a component, must be carefully identified since they can be a source of common mode failure. For example, spurious trips of auxiliary feedwater pumps on low suction pressure can lead to system failure if recovery does not occur.

13. In a sequence in which some systems succeed while others fail, it is important to make the system failures correctly conditional on the other systems' successes. Success trees are one way of expressing this conditional correspondence. There are certain advantages offered by algorithms which operate on the top event by simply deleting cut sets that violate the system success specified in the sequence.

Fault trees are to be used in the present analysis. Other methods have been used in PRAs. Selected issues, such as the determination of the frequency of an event initiated by the failure of a normally operating multiple-train system, may be best addressed by a method other than fault trees. For information purposes, two other methods are highlighted below.

Task 2 - Subtle Interactions

The objectives of this task are to identify and to explicitly model subtle interactions that could potentially cause single or multiple component failures, which are neither covered by a common cause failure analysis nor addressed in the dependency matrix. Ideally, most interactions would be caught in the system analyses, dependency matrices, and event tree models. This task would allow the analyst to systematically look for additional interactions that could have been missed in the earlier analyses.

Subtle interactions are categorized as interactions between components and/or systems that can be caused by changes in the operating environment of the components, by conditions directly related to specific plant design and operational features, or from the progression of a given accident sequence.
These types of interactions mostly stem from mechanistic causes. If they could be identified a priori, then these interactions could be explicitly modeled in event trees or fault trees by using house events that would reflect the necessary causal relationships. Two examples that illustrate these types of interactions are provided below:

1. In a two-train, cross-tied system, failure of a discharge check valve (stuck open) could cause failure of the system. This can occur when one pump has been turned on while the pump in the other train has failed to start and run. In this case, the flow simply recirculates backward through the idle pump. This conditional interaction within a system would depend on a check valve failure in the cross-tie line and on the pump in the other train being idle. These types of mechanically determined interactions should be identified through detailed system evaluations and accounted for explicitly in system fault trees.

2. For certain types of motor-operated valve designs and for some systems where these motor-operated valve types are periodically tested using a low differential pressure (ΔP), there is little or no assurance that the valves would reliably operate when exposed to a high ΔP attributable to the progression of specific PRA scenarios. The unavailability of these motor-operated valves (both single and multiple) then would be dependent on the ΔP that is imposed by the accident sequence being analyzed. Appropriate house events should be used in the fault trees that explicitly consider the expected ΔP on valve operability for the scenarios being analyzed.

The above examples focused on hardware-oriented subtle interactions. There are also subtle human interactions that could cause multiple component failures. These types of human-caused subtle interactions are covered in the task Human Reliability Analysis (see Section 3.2.5).

The process by which these forms of subtle interactions are identified is not well structured. There are various information sources in the open literature that can be used for identifying these types of interactions. These sources include: past PRAs, historical events across the industry, and U.S. Nuclear Regulatory Commission (NRC) reports on industry-wide experiences. These documents are reviewed to see whether the interactions described are applicable for the specific PRA. Besides these sources of information for identifying potential plant-specific subtle interactions, the analysis should rely heavily on engineering judgment and in-depth system evaluations to assure that as many interactions as possible are identified and modeled. Notwithstanding, the guidance presented here and the state of the art in PRA methodology do not provide any assurances that the list of identified interactions is complete and comprehensive.
Furthermore, the lack of national and international databases documenting subtle interactions hinders future progress towards a comprehensive dependency analysis. Therefore, the extent to which these analyses are considered as complete would depend on the individual capabilities and combined experience of the PRA team. Assigning the occurrence probabilities to these subtle interactions would, however, be rather straightforward once the underlying mechanism for their occurrence is understood.

The following activities are normally performed as part of this task. However, it should be noted that U.S. practice in this area reflects embedded assumptions regarding U.S. plant design features and maintenance practices. Therefore, for the present application, the guidance provided for this task should be regarded only as a starting point. Development of a design-specific database on possible subtle interactions for different designs would be a positive step for future PRAs and augmentation of current PRAs.

Review of Literature

The appropriate literature is reviewed and the current understanding of any subtle interactions that are considered applicable to the Kalinin plant is documented. The focus of the literature review deals with information gleaned from past PRAs and reports documenting their insights, various safety studies, generic issues, etc. For example, NUREG/CR-4550 (Ericson, 1990) contains anecdotal information on some of the experiences with subtle interactions found in U.S. plants. There could be other, more relevant information sources. A starting point, for example, could be the insights found in current or recent PRA studies for other VVER plants, such as those found in the IAEA document WWER-SC-152 (IAEA, 1996).

Cataloging Subtle Interactions

The current understanding of the subtle interactions, based on major historical events and other formalized studies, is catalogued in a manner suitable for data analysis. Summaries of generic issues, issues identified in annual reports (such as NRC, 1996) published by the NRC Office of Analysis and Evaluation of Operational Data, annual reports (NRC, 1986) generated by the Accident Sequence Precursor Studies Program, and NRC notices are some of the documents typically reviewed. Interviews with plant staff could also be quite useful in this case.

Engineering Evaluations

Engineering evaluations are performed by selecting a group of components that have a common characteristic, for example, same location, same actuation logic, etc. The engineering evaluation could be a set of what-if questions that examine the conditions imposed by various scenarios on the system and the performance of components within the system. These engineering evaluations should be performed with the help of plant staff who may already suspect or be aware of these types of plant-specific interactions.
- 3. Technical Activities 3-44DocumentationAny subtle interactions considered relevant to thePRA are documented. One or more ways in whichthe plant logic models (fault trees and event trees) can be augmented are proposed that will appropriately account for the mechanisticprocesses involved with these interactions. Waysfor estimating the probabilities for suchoccurrences are also proposed and, wherever possible, estimates are provided. Thesedocuments should also be distributed to both thesystem and event tree analysts to assureconsistency in approach and completeness in meeting task objectives.Task 3 - Spatial InteractionsThe objective of this task is to identify potentialenvironmental hazard scenarios at the plant. Thisobjective is accomplished by systematicallyidentifying hazard sources and potent iallyvulnerable plant equipment. Hazard scenarios arepostulated from the hazard and plant equipment location information developed in this task. Thistask also includes a screening of the postulatedhazard scenarios. The scenarios that survive thescreening process constitute one of the key inputsto the subsequent detailed flood analysis (see Section 3.5) and fire analysis (see Section 3.6).The equipment location information is also used to support the assessment of seismic events (see Section 3.7).The external events of interest in a PRA can begenerally grouped into two categories: events that are truly external to the plant (e.g., seismic events or severe meteorological phenomena) and events that involve internal hazards (e.g., fires and floods) that can simultaneously affect nominally separatedcomponents. The term "environmental hazards" is used to describe the latter. The primary thrust of the spatial interactions analysis is to provide a firstiteration of the identification and quantification of potential environmental hazard scenarios.
However, the information developed in the spatial interactions task also supports the analysis of external events, such as seismic events, through the identification of the spatial relationships of plant components.

It should be recognized that much of this task involves the use of expert knowledge, engineering judgment, and knowledge of the internal events PRA. During the conduct of this task, it is assumed that the internal events plant model is sufficiently mature so that conservative but defensible screening of scenarios can be accomplished. It is unlikely that a "final" plant model will be available when this task is being performed. Therefore, any plant model changes made after the scenario screening process has been performed should be reviewed to determine if the results of the screening process are affected.

The analytical approach outlined in this procedure guide is the result of an evolving process. One early attempt to formally address the hazards associated with the spatial relationships of equipment in a plant was performed as part of the Seabrook Probabilistic Safety Assessment (PLG, 1983). The approach has been utilized in many subsequent PRAs, such as the assessment of environmental hazards at Brookhaven National Laboratory's High Flux Beam Reactor (Ho and Johnson, 1994) and in the Gösgen Probabilistic Safety Assessment (PLG, 1994). The methodology outlined here begins by first identifying the sources of hazards and constructing scenarios arising from those hazards. An alternative methodology can be constructed that is "target" based rather than "source" based. The two approaches are conceptually similar. Both involve a systematic scrutiny of the plant to identify hazards and the development of scenarios. The target-oriented approach was chosen for the NUREG-1150 analyses (Bohn and Lambright, 1990). An example of the application of this approach can be found in Bohn et al. (1990).

This task is accomplished by completing five activities:

1. Collection of plant information and performance of a plant walkdown,
2. Development of a spatial interaction database,
3. Identification of potential hazard scenarios,
4. Performance of a preliminary screening of the identified scenarios, and
5. Development of scenario tables.

Each of these activities is discussed below.
Collection of Plant Information and Performance of a Plant Walkdown

The spatial interactions analysis starts by collecting and organizing all of the relevant plant information. This includes a review of the plant general arrangement and technical drawings to collect information about the plant layout, equipment locations, functions of the equipment, and potential hazard sources. The PRA dependency matrices, system analyses, and event models are also desirable sources of information to help the spatial interactions analysts become knowledgeable about the plant systems, intersystem dependencies, the initiating events, and the plant response to the initiating events.

A plant walkdown checklist is developed to help the spatial interactions analysts systematically itemize the information collected during the plant walkdown and to document questions that must be resolved. A typical checklist for one zone of the plant would contain the zone ID and name, the building name, the PRA and non-PRA systems and/or trains, and any large heat, smoke, or water sources as well as other sources and their locations. For the PRA and non-PRA equipment, the vulnerabilities and hazard sources would be listed. Component separation would be indicated, and photographs or sketches attached. For each hazard source, information regarding location, detection, suppression, access, occupancy, and traffic in the area would be provided.

Specific hazards and hazard sources are listed in the discussion of Activity 2. It should be noted that these checklists serve primarily as "notebooks" for the analysts, whereas formal documentation of the information is made through the databases and scenario tables discussed below. In most cases, it is not necessary to complete the entire checklist for a specific location, and a single checklist may be used to document several similar locations.

To prepare for the plant walkdown, a systematic scheme to identify locations within the plant is required. As indicated below (in the discussion of Activity 4), it is desirable that, at least initially, broad physical boundaries be used to define plant locations.
These locations may be based on physical considerations, such as walls and doors, or on physical separation distances. In general, it is desirable to define larger zones in buildings such as the turbine or off-gas buildings, and smaller zones in buildings such as the auxiliary building, the control building, or within containment. Existing information, such as the definition of fire areas or flood zones, may be a useful starting point. The areas or zones defined at this point will be refined and revised as the analysis continues (i.e., in the fire and flood analyses). Many areas will likely be shown to be risk insignificant in the subsequent screening process. Other areas will be of interest only if the hazard propagates to adjoining areas. Still other areas will require subdivision in order to appropriately describe the risk scenarios. The important point is that a systematic scheme is required at this time that will address all locations in the plant.

A plant walkdown is conducted to confirm and augment the information gathered from the documents, to inspect the amount and location of possible transient hazards, and to help visualize the spatial interactions of hazards with equipment.
Photographs, sketches, and notes are often made to document complex configurations. The plant walkdown team is responsible for identifying all potential hazard sources and the location of equipment of interest throughout the plant. The equipment of interest is equipment whose failure or degraded function would lead to a plant transient, reactor runback or trip, or turbine runback or trip. It also includes equipment that has a role in defining the progression of events following these types of upset conditions. For convenience, we refer to such equipment as PRA-related equipment, or more succinctly, "PRA equipment." The team also evaluates the routing of important electrical power, control and instrument cables, and system piping. It is important that every plant location be systematically examined to ensure completeness of the analysis.

Development of Spatial Interaction Database

The information and results from these walkdowns are sorted and catalogued to ensure consistency and traceability throughout the analysis. Databases are then developed to minimize the potential for errors and to enhance the flexibility for data retrieval and searches. It is anticipated that existing database software is adequate.
These databases contain the following information:

* Identification of locations within the facility
* Location of all PRA equipment and related cables and piping
* Susceptibility of equipment, cables, and piping to hazards
* Hazard mitigation features
* Hazards associated with equipment, cables, and piping
* Location of all hazards
* Potential hazard propagation pathways between locations
* PRA top events that include the affected equipment.

These databases are cross-linked so that one can identify, for example, the PRA equipment, the hazards, and the mitigating features for any given location.

The specific PRA-related equipment of interest are those components (and their cables) whose failure, or change of status, may cause an initiating event or may impair the availability of systems required for accident prevention and mitigation. These components are identified by a thorough review of the PRA event and system models. Passive components, such as check valves, are not normally susceptible to fire or other environmental hazards but are included in the list to support the seismic analysis. Other passive components, such as manual valves and hoses, are of particular interest if plant operators are required to manipulate this equipment as part of their emergency response actions. These actions by the operator may be hindered if a hazard (such as a fire) is present where this equipment is located.
The equipment database also includes power, control, and instrumentation cables that support normal and emergency operation of the PRA components.

The types of hazards considered in the spatial interactions analysis include:

* Fire and smoke
* Explosion
* Flood water
* Water spray
* Steam spray
* Missiles
* Falling objects
* Chemical hazards.

Equipment in a large complex facility is generally exposed to a variety of hazards. The components in different systems are susceptible to different specific hazards, based on the characteristics of the components, their location, and the types of protection features that are available. For example, electrical cables may be susceptible to damage by a fire, causing loss of power to equipment or generating spurious signals to instrumentation and control equipment. They are not generally susceptible to damage if they are submerged by a transient flood, unless electrical contacts are exposed. Table 3-12 lists general types of equipment that are susceptible to damage if a particular hazard occurs in their location. Table 3-13 lists typical hazards that may be created by a variety of components. The identification of specific hazards in each location will provide the basis for later quantification of the hazard scenarios.

Typically, the following categories of plant components are considered as possible ignition sources for nuclear power plant fires:

* Batteries
* Battery chargers
* Cabinets (including logic cabinets, relays, panels, fuses and switches)
* Cables (including control and power cables)
* Control room equipment
* Diesel generators
* Heating, ventilation, and air conditioning equipment
* Motor-operated valves
* Motor control centers
* Pumps and chiller units
* Air compressors
* Switchgear
* Turbines
* Large transformers
* Small transformers
* Transient material.

For internal floods, the following specific sources are sought and documented:

* Valves
* Piping
* Tanks
* Heat exchangers
* Drains
* Heating, ventilation, and air conditioning ductwork.

It is also desirable to know the nominal pressure of some components.

The next activity of the analysis uses the equipment/location databases to correlate the sources of specific hazards with the locations of PRA components that are susceptible to damage from those hazards.
Table 3-12 Equipment hazard susceptibility

| Hazard Type | Hazard Description | Equipment Susceptible to Damage in the Designated Area |
|---|---|---|
| CA | Chemical Hazards | All active components; electrical parts of equipment. |
| EX | Explosion | All equipment and components. |
| FO | Falling Objects | All equipment and components in the pathway. |
| FS | Fire and Smoke | All active components; electrical parts of equipment. |
| FW | Flood Water | All active components that are not waterproof and all electrical parts of equipment (not including cables) below water level. |
| MI | Missiles | All equipment. |
| SS | Steam Spray | All active components that are not waterproof and all electrical components except for cables. |
| SW | Water Spray | All active components that are not waterproof and all electrical components except for cables. |
Table 3-13 Hazards associated with equipment

| Description | Associated Hazards* |
|---|---|
| Air Compressor | MI, FS |
| Air Handling Unit | FS, FW, SW |
| Air-Operated Valve | |
| Battery | FS, EX |
| Battery Charger | FS |
| Caustic Piping | CA |
| Caustic Storage Tank | CA |
| Chiller | MI, SS, FW, SW |
| Concrete Coating | FS |
| Control Cable | FS |
| Crane | FO |
| Distribution Panel | FS |
| Electric Heater | FS |
| Electrical Cabinet | FS |
| Fan | FS, MI |
| Filter | FS |
| Fire Hoses | FS, SW |
| Flammable Gas | EX, FS |
| Heat Exchanger/Cooler | FW, SW |
| Heater; e.g., space | FS |
| Motor Control Center | FS |
| Motor-Driven Pump | FS, MI |
| Motor-Operated Valve | FS |
| Oil System; e.g., pump or lube | FS, EX |
| Pneumatic Valve | |
| Portable Extinguisher (CO2) | MI |
| Portable Extinguisher (Water) | MI, SW |
| Power Cable | FS |
| Pressurized Canisters | MI |
| Propane Generator | MI, EX, FS |
| Radiation Monitor | |
| Relay Cabinets | FS |
| Solenoid Valve | FS |
| Sprinklers, Dry Pipe | FW, SW |
| Steam Piping | SS |
| Switchgear | FS |
| Transformer | FS, EX |
| Transient Fuel | FS |
| Water Piping | FW, SW |
| Water Tank | FW, SW |

* Defined in Table 3-12.
Identification of Potential Hazard Scenarios

The spatial interactions databases are analyzed to sort and categorize types and sources of potential hazards in each plant location. Special attention is focused on all locations that contain PRA equipment. However, locations that do not contain PRA equipment are also examined if they contain hazards that may propagate to other locations containing PRA equipment, e.g., flood water that drains from upper floors to lower elevations in a building or causes barrier failure. This activity defines the scope of the hazard scenarios developed for each plant location.

Perform Preliminary Screening

It is often possible to eliminate a large number of locations and hazards from further analysis, based on a qualitative examination of the information from the preceding activities. This preliminary screening analysis considers the following possible impacts for each location from each potential hazard.

1. The hazard and the propagation of the hazard do not cause an initiating event (e.g., a reactor trip or a runback demand) and concurrently do not damage any PRA equipment.
2. The hazard may cause an initiating event, but it does not damage any PRA equipment.
3. The hazard may cause an initiating event, and it may damage equipment in one or more systems modeled in the PRA.
4. The hazard does not cause an initiating event, but it may damage equipment in one system modeled in the PRA.
5. The hazard does not cause an initiating event, but it may damage equipment in more than one system modeled in the PRA.

All locations and hazards that satisfy the first screening criterion (does not cause an initiating event and does not damage PRA equipment) are eliminated from further consideration in the analysis. Within the context defined by the PRA models, these hazards have no measurable impact on plant risk.

Locations and hazards that may cause an initiating event but do not damage PRA equipment (the second criterion) are examined more carefully to determine the type of initiating event that can occur. If the initiating event has been evaluated as part of the internal events analyses (e.g., reactor trip, loss of feedwater, etc.), no additional analysis is necessary to separately quantify the contribution to plant risk by the external event. The internal initiating event frequency data already account for the contributions from all observed causes, external and otherwise. However, if the hazard can cause an initiating event that has not yet been considered, the location is retained for more detailed analysis in this portion of the study.

A similar screening approach is used for hazards that satisfy the fourth criterion (does not cause an initiating event but may damage equipment in one PRA system). If the hazard can cause equipment failures that are already included in the system fault tree models and equipment reliability databases, no additional analysis is necessary to separately evaluate these causes for system unavailability. However, if the hazard can cause unique failure modes or introduce dependencies that are not otherwise evaluated in the system fault trees, the location is retained for more detailed analysis in this portion of the study.

All hazards that satisfy the third and fifth screening criteria (the hazard can either cause an initiating event and impart damage to at least one PRA system, or it may cause damage to multiple PRA systems, respectively) are retained for the final activity of the spatial interactions analysis.

At this point in the analysis, preliminary screening is based only on the qualitative criteria summarized above. No quantitative information or comparative numerical analyses are applied to eliminate locations or hazards from further consideration. If there is any question about the applicability of a particular screening criterion, the hazard or location in question is retained for more detailed analysis in the subsequent activities. Thus, these preliminary screening criteria may be applied consistently without the need to reexamine these hazards or locations, even if the numerical results from the risk models are later refined.

The locations that remain after this preliminary screening process are often called "critical locations" or "functional impact locations." These locations are defined by a combination of the type of hazard being examined, the physical plant layout, the types of equipment in each plant area, and the functional impacts that may occur in the PRA models if the affected equipment is damaged.
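The database of Activity 2 and the five screening criteria of Activity 4 can be made concrete in code. The following is an added example, not code from the procedures guide: a small Python model of the cross-linked equipment/location/hazard database, a walk along the recorded propagation pathways, and the preliminary screening rule applied to every (location, hazard) pair with the guide's conservative assumption that a hazard damages every susceptible item it reaches. All equipment identifiers, locations, pathways, the set of initiating events already quantified by the internal events analysis and the set of hazard failure modes already represented in a fault tree are constructed sample data; only the hazard codes come from Table 3-12.

```python
"""Spatial interaction database and preliminary qualitative screening.

Added example, not code from the procedures guide: the cross-linked
equipment/location/hazard database of Activity 2 and the five screening
criteria of Activity 4 applied to every (location, hazard) pair, following
recorded propagation pathways. All ids, locations and pathways are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Hazard codes follow Table 3-12 (CA, EX, FO, FS, FW, MI, SS, SW). ACTIVE is the
# susceptibility of a typical active, non-waterproof component from that table.
ACTIVE = frozenset({"CA", "EX", "FS", "FW", "MI", "SS", "SW"})


@dataclass(frozen=True)
class Equipment:
    """One equipment database record (a component or a cable run)."""
    eq_id: str
    location: str
    susceptible_to: FrozenSet[str]          # hazard codes that damage it (Table 3-12)
    creates: FrozenSet[str]                 # hazard codes it is a source of (Table 3-13)
    systems: FrozenSet[str] = frozenset()   # PRA systems it supports; empty = non-PRA
    initiator: Optional[str] = None         # initiating event caused if it is damaged


class SpatialDatabase:
    """Cross-linked locations, equipment, hazard sources and propagation pathways."""

    def __init__(self, equipment: List[Equipment], propagation: dict):
        self.equipment = equipment
        self.propagation = propagation      # (location, hazard) -> downstream locations

    def hazards_at(self, location: str) -> Set[str]:
        """Hazard types that have a source inside the location."""
        return set().union(*(e.creates for e in self.equipment if e.location == location))

    def reachable(self, location: str, hazard: str) -> Set[str]:
        """Locations a hazard starting in `location` can reach along the pathways."""
        seen, stack = set(), [location]
        while stack:
            loc = stack.pop()
            if loc not in seen:
                seen.add(loc)
                stack.extend(self.propagation.get((loc, hazard), []))
        return seen

    def damaged(self, location: str, hazard: str) -> List[Equipment]:
        """Conservative rule of the guide: the hazard damages every susceptible item it reaches."""
        locs = self.reachable(location, hazard)
        return [e for e in self.equipment if e.location in locs and hazard in e.susceptible_to]


def screen(db, location, hazard, internal_initiators, modeled_single_system):
    """Classify one (location, hazard) pair against the five preliminary criteria.

    Returns (criterion, retained for detailed analysis?, damaged equipment ids).
    internal_initiators: initiating events already quantified by the internal events analysis.
    modeled_single_system: (system, hazard) pairs already represented in that system's fault tree.
    """
    hit = db.damaged(location, hazard)
    ids = sorted(e.eq_id for e in hit)
    initiators = {e.initiator for e in hit if e.initiator}
    systems = set().union(*(e.systems for e in hit))
    if not initiators and not systems:
        return 1, False, ids                                  # nothing of PRA interest: eliminated
    if initiators and not systems:
        return 2, not initiators <= internal_initiators, ids  # keep only initiators not yet evaluated
    if initiators:
        return 3, True, ids                                   # initiator plus PRA system damage
    if len(systems) == 1:
        (system,) = systems
        return 4, (system, hazard) not in modeled_single_system, ids
    return 5, True, ids                                       # several PRA systems: a dependency


def screen_all(db, internal_initiators, modeled_single_system):
    """Screen every hazard that has a source in each location of the database."""
    return {(loc, hz): screen(db, loc, hz, internal_initiators, modeled_single_system)
            for loc in sorted({e.location for e in db.equipment})
            for hz in sorted(db.hazards_at(loc))}


# Constructed sample plant; Room E-0251 and top event EP are taken from the guide's Table 3-14.
SAMPLE_EQUIPMENT = [
    Equipment("BS1-SWGR", "E-0251", ACTIVE, frozenset({"FS"}), frozenset({"EP"})),
    Equipment("BS1-CABLE", "E-0251", frozenset({"EX", "FS", "MI"}), frozenset({"FS"}), frozenset({"EP"})),
    Equipment("MFW-PUMP", "T-0101", ACTIVE, frozenset({"FS", "MI"}), initiator="Loss of feedwater"),
    Equipment("CW-PIPING", "T-0101", frozenset(), frozenset({"FW", "SW"})),   # passive flood source
    Equipment("HPI-PUMP-A", "A-0310", ACTIVE, frozenset({"FS", "MI"}), frozenset({"HPI"})),
    Equipment("LPI-PUMP-A", "A-0310", ACTIVE, frozenset({"FS", "MI"}), frozenset({"LPI"})),
    Equipment("CCW-HX", "A-0310", frozenset(), frozenset({"FW", "SW"})),
    Equipment("IA-COMP", "A-0320", ACTIVE, frozenset({"FS", "MI"}), initiator="Loss of instrument air"),
    Equipment("LPI-PUMP-B", "A-0330", ACTIVE, frozenset({"FS", "MI"}), frozenset({"LPI"})),
    Equipment("RPS-CAB", "C-0201", frozenset({"CA", "EX", "FS", "MI"}), frozenset({"FS"}), frozenset({"RPS"}), "Reactor trip"),
    Equipment("CRANE", "Y-0001", frozenset(), frozenset({"FO"})),
    Equipment("STORAGE-RACK", "Y-0001", frozenset({"FO"}), frozenset()),
]
SAMPLE_PROPAGATION = {("T-0101", "FW"): ["E-0251"]}   # turbine floor drains into the switchgear room
INTERNAL_INITIATORS = {"Reactor trip", "Loss of feedwater"}
MODELED_SINGLE_SYSTEM = {("LPI", "MI")}              # missile damage to LPI pumps already in its fault tree


def sample_results():
    db = SpatialDatabase(SAMPLE_EQUIPMENT, SAMPLE_PROPAGATION)
    return screen_all(db, INTERNAL_INITIATORS, MODELED_SINGLE_SYSTEM)


if __name__ == "__main__":
    for (loc, hz), (crit, keep, ids) in sample_results().items():
        print(f"{loc} {hz}: criterion {crit}, {'retain' if keep else 'eliminate'}, damages {ids}")
```

Running the sample shows each criterion in action: the yard crane's falling-object hazard meets nothing of PRA interest (criterion 1, eliminated); a turbine building fire only trips the feedwater pump, an initiator the internal events analysis already covers (criterion 2, eliminated), whereas a fire at the instrument air compressor causes an initiator not yet considered (criterion 2, retained); the flood that drains from the turbine floor into the switchgear room damages equipment in both locations at once, so propagation turns it into a criterion 3 scenario; and the two pump rooms illustrate criterion 4 retained (switchgear fire) versus eliminated (missile damage already in the LPI fault tree).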
It is desirable to initially define rather broad physical boundaries for each location. This provides a manageable number of different locations that must be examined in the more detailed activities of the analysis. However, the locations must also be defined consistently with respect to the possible PRA impacts from each hazard scenario. Thus, a particular functional impact location may include a single room, part of a room, or a combination of plant areas, and more than one hazard scenario may be developed for each location. A unique designator is assigned to each functional impact location to facilitate its identification in later phases of the analysis.

Development of Scenario Tables

Hazard scenarios are developed for each hazard and each functional impact location that survives the preliminary screening process. Each hazard scenario is defined by an impact, or set of impacts, that may develop if a postulated hazard occurs within the location. In the full context of the PRA models, a complete scenario always represents a class of events that may occur in real plant experience. For example, a complete fire scenario includes an ignition phase, propagation, detection, suppression, damage to PRA equipment, and the subsequent sequence of equipment responses and operator actions that result in either safe plant shutdown or core damage. However, at this activity in the analysis process, each hazard scenario is limited to identification of the hazard source and documentation of the PRA equipment that may be affected directly by that hazard.

To ensure completeness in the more detailed analyses performed in later activities, the hazard scenarios are typically defined at a rather general level and are all-encompassing. For example, a fire scenario is defined as "localized" when any fire event that may occur within the functional impact location does not have any adverse impact on adjacent locations. This fire scenario actually represents a large class of possible fire events that range from very small fires that may damage only one component to a major fire that may damage all equipment in the location.

In the spatial interactions analysis, a scenario always assumes that the identified hazard damages all of the PRA equipment in the location, regardless of the size, severity, or duration of the hazard event. This is obviously a very conservative assumption for many actual hazards. For example, a small fire in a corner of a large room may not damage any equipment a few meters from the ignition point. However, the application of very conservative assumptions is acceptable and desirable in this phase of the analysis. This keeps the number of individual scenarios within a practically manageable limit, and it facilitates an efficient screening process to ensure that no potentially important scenarios are overlooked.

In practice, the first pass through a quantitative screening analysis (as described in Sections 3.6 and 3.7) typically demonstrates that a large number of these conservatively defined scenarios are clearly insignificant contributors to plant risk. These scenarios are documented and are removed from further detailed consideration. A relatively small number of scenarios may not be eliminated during the first application of quantitative screening. For these scenarios, this activity of the analysis process marks the point at which successive refinements are applied to redefine the scenario, to reexamine its impacts, and to develop more realistic models for its actual contribution to risk.

A unique designator is assigned to each hazard scenario. These designators are later used in the PRA event models to identify each internal hazard initiating event. The functional impact location designators are not used to identify the scenarios because more than one scenario may be developed for a particular location, e.g., a fire that causes open circuits, a fire that causes short circuits, a flood, etc. Each scenario is then documented in a scenario table. If propagation of the hazard scenario is possible between locations (e.g., flood water originates in location A and propagates to location B), then a separate unique scenario is defined and a separate scenario is constructed.

Table 3-14 illustrates a typical scenario table. In this illustration, each scenario table has a 5-item header followed by nine data entries. The header describes the location of the scenario. The location description includes the building, the physical areas included in the scenario, a short description of the location, and the unique designator for the functional impact location.

Table 3-14 Illustration of a typical scenario table

BUILDING: E
LOCATION: E-0251
LOCATION NAME: Division 1 Switchgear Room, Elevation 0.0 m
LOCATION DESIGNATOR: S1
SCENARIO DESIGNATOR: FIRES1

1. TYPE OF HAZARD SOURCE: Switchgear, Cables, Transients
2. SCENARIO INITIATION: Fire from any hazard source in Item 1
3. PATH OF PROPAGATION
   A. PATH TYPE: None (localized)
   B. PROPAGATE TO: None
4. SCENARIO DESCRIPTION: Fire damages Division 1 switchgear
5. HAZARD MITIGATION FEATURES: Detectors
6. SCENARIO FREQUENCY: 3.96 x 10^-3 per year
7. PRA-RELEVANT EQUIPMENT WITHIN THE AREA

| Equipment | Top Event | Equipment Impact |
|---|---|---|
| BS1-EP | EP | Note 1 |
| BS1-BA | BA | Note 1 |
| BS1-CA | BA | Note 1 |
| BS1-CJ | BA | Note 1 |
| BS1-BU | BU | Note 1 |
| BS1-EU | BU | Note 1 |
| BS1-FU | BU | Note 1 |

8. RETAINED AFTER SCREENING ANALYSIS: No
9. NOTES
   1. It is assumed that any fire in this area affects the power supplies for all equipment powered from 10 kV bus BA, 6 kV bus BU, and 380 V AC bus EP. The split fraction rules for Top Events BA, BU, and EP have been modified to fail power from these buses for all fires in this area.

In the example from Table 3-14, the functional impact location includes only Room E-0251. This room is the Division 1 switchgear room at Elevation 0.0 m of the electrical building. This location has been assigned the functional impact location designator S1. However, a single functional impact location may also include a large number of physical areas in the plant.

The last header item is the scenario designator. It is often helpful to assign designators that easily identify both the particular type of hazard being evaluated and the functional impact location. For example, designator FIRES1 applies to a fire event scenario in electrical building location S1. This is especially useful if more than one scenario is developed for a particular location.

The following nine data entries are included in each scenario table. Entries 1 through 5 and 7 (partial) are completed within this task's activities.
Entries 6, 7 (partial), 8, and 9 are completed during the detailed scenario analysis phase (i.e., the fire and flood analyses).

1. Type of Hazard Source. This entry documents the hazard sources identified during the initial review of plant information and the plant walkdown. The major fire hazard sources in the switchgear room, for example, should include the switchgear, electrical cables, and small quantities of transient combustibles that may be brought into the room during maintenance activities.

2. Scenario Initiation. This entry identifies the specific type of hazard. For scenario FIRES1, the hazard is a fire.

3. Path of Propagation. The path for possible propagation of the hazard to other locations is listed in this entry. A hazard is designated as localized if it does not propagate to other locations. As noted previously, most functional impact locations are defined very broadly to encompass all possible hazard scenarios within the location and to avoid a significant possibility of propagation between locations. Therefore, according to this practice, most hazards are designated as localized within the defined location. Scenario FIRES1 evaluates a fire confined within the switchgear room.

4. Scenario Description. This entry provides a brief description of the scenario.

5. Hazard Mitigation Features. This entry briefly summarizes the hazard mitigation features that are present in the location. Table 3-15 provides a list of typical mitigation features for different types of hazards. The scenario tables generally summarize only automatic detection, automatic suppression, and passive mitigation features. Possible manual mitigation features are not generally listed in these tables. Thus, Table 3-14 notes that the switchgear room contains fire detectors, but it does not identify the availability of manual fire suppression equipment. The effectiveness of these mitigation features is not evaluated quantitatively during the initial scenario screening process. More information may be provided about mitigation features for scenarios that require detailed quantitative analyses of hazard initiation, growth, propagation, detection, and mitigation.

6. Scenario Frequency. This entry lists the mean annual frequency at which the hazard is expected to occur. This frequency is equivalent to the initiating event frequency for the hazard scenario. It is the total frequency for any hazard type being evaluated, regardless of the hazard severity. Thus, Table 3-14 indicates that the mean frequency for switchgear room fires of any reportable size is approximately 3.96 x 10^-3 fires per room-year, i.e., one fire is expected to occur in Room E-0251 every 253 years. Although this factor is listed in Table 3-14, the hazard occurrence frequency is actually assessed during the second phase of the internal plant hazard analysis. The frequency assessment process is described in Sections 3.6 and 3.7.

7. PRA Equipment within the Area. This entry lists all PRA equipment in the location. This list is derived from the spatial interactions equipment location databases developed in Activity 2 of the analysis. This entry also identifies the PRA event tree top event for each component, and it briefly summarizes the functional impacts assumed to occur if the equipment is damaged by the hazard.

8. Retained after Screening Analysis. The quantitative screening process is described in later tasks (see Sections 3.6 and 3.7). This entry documents whether the potential risk significance of the scenario is small enough to justify its elimination from further detailed analysis.

9. Notes. This entry includes additional detailed notes that document specific information about the hazard frequency assessment and the functional impact analysis.

Table 3-15 Typical hazard mitigation types

| Mitigation Type | Hazard Types* |
|---|---|
| Curb | FW |
| Drain | FW |
| Drain Pump | FW |
| Fire Damper | FS |
| Fire Detector (Thermal) | FS |
| Fire Hoses | FS |
| Missile Shield | MI |
| Watertight Door (Blockage) | FW |
| Nonwatertight Door (Drainage) | FW |
| Pedestals | FW |
| Portable Extinguisher (CO2) | FS |
| Portable Extinguisher (Dry Chemical) | FS |
| Portable Extinguisher (Other) | FS |
| Radiant Energy Heat Shields | FS |
| Sprinklers (Preaction) | FS |
| Standpipe | FS |
| Sump | CA, FW |
| Sump Pump | CA, FW |
| Sump or Room Flood Alarm | FW |
| Walls (1-1/2-Hour Rated) | FS |
| Walls (Other) | FS |
| Yard Fire Hydrant | FS |

* As defined in Table 3-12.

A scenario table is developed for every hazard scenario that is retained from the preliminary qualitative screening process in Activity 4 of this task. Each table completely describes the defined scenario, the occurrence frequency of the scenario, and its specific impacts in the PRA models.

The risk analysis of environmental hazards is conducted in at least two stages. The first stage, scenario development, begins with the identification of potential environmental hazards at a broad level and ends with an extensive list of hazard scenarios at each location within the plant that could be potentially significant to risk. This first stage is referred to as a spatial interactions analysis and is the focus of this task. The second stage, the subject of the fire and flood analyses, performs detailed analyses to determine the plant impact frequency, evaluates plant recovery actions, and assesses the risk significance of the scenarios. Initially, for screening purposes, the scenario risk analysis applies conservative estimates for the occurrence frequency assessment and plant impact. Upon focusing on the important scenarios that are retained after screening, the analysis increases the level of detail considered, reducing the conservatism in the original treatment of those scenarios and requantifying the impact to risk.

The processes in the overall environmental hazards risk analysis are inherently counteractive and must be balanced in a meaningful practical risk analysis. Ideally, the spatial interactions analysis identifies all potential hazard scenarios, regardless of occurrence frequency or potential degree of impact on the plant, that can cause any conceivable amount of damage. This would ensure that all locations and all possible hazards will be fully examined. On the other hand, to use available resources most efficiently and to maintain a proper balance throughout the risk assessment process, the detailed scenario risk analysis demands that only relatively risk-significant scenarios be evaluated in detail. This "top-down" approach to risk assessment minimizes the effort in quantifying the risk associated with unimportant locations. Therefore, the scenarios identified during the spatial interactions analysis are to be as comprehensive as possible while maintaining a manageable number for the subsequent detailed fire and flood analyses. In practice, experience has shown that the two stages of the analysis of environmental hazards are somewhat iterative and must be closely coordinated.

3.2.3.4 Task Interfaces

Plant Familiarization. This task provides key source material for the system modeling, subtle and spatial interactions.

PRA Scope. The systems of concern are those needed to perform the functions modeled in the PRA.
For the Kalinin PRA, this means thesystems modeled for the full power operatingstate. Initiating Event Analysis. The systems ana lysiscan possibly identify additional initiating eventsrelated to a particular system.Accident Sequence Development. The sequencedevelopment task defines the boundary conditionsfor the system models. The minimum success criteria for systems to perform their function areestablished here. System dependencies must be included in the system models.Data Analysis. The component ava ilability used toquantify the system models comes from the dataanalysis. In some cases, the initiating event frequencies found in the data analysis can come from system models.Human Reliability Analysis. Human error eventsare taken into account in the system models, andthe models provide feedback to the HRA.Quantification and Results. The Systems Analysistask must be completed before the quantificationand results of the PRA are completed.Fire, Flood, and Seismic Analyses. The systemmodels developed for the internal events PRA willalso serve for the external event analysis, although additional models or considerations may beneeded. The effect of fire, flood, or seismic event scenarios on plant conditions and resulting subtleinteractions need to be considered when theseevents are including in a PRA. The completion of the Spatial Interaction task is essential before proceeding with the fire and flood analysis. Spatial relationships of plant equipment is also essential for the seismic analysis.3.2.3.5 ReferencesBohn, M. P., et al., "Analysis of Core DamageFrequency: Surry Power Station, Unit 1, Ext ernalEvents," NUREG/CR-4550, Vol. 3, Rev. 1, Part 3,Sandia National Laboratories, December 1990.Bohn, M. P., and J. A. 
3.2.4 Data Analysis

Data analysis consists of three interrelated tasks--namely, determining (1) the frequency of initiating events, (2) component reliability, and (3) common-cause failure (CCF) probabilities. The first of these tasks quantifies the frequency of each group of initiating events identified in the task Initiating Event Analysis (refer to Section 3.2.1). The second task is to obtain plant-specific estimates of the unavailability of specific equipment. The third task is to determine the final values to be used in the parametric models of common-cause failures.

3.2.4.1 Assumptions and Limitations

From the point of view of expressing the frequency of initiating events at a specific plant, the ideal situation would be if sufficient experience were available from that plant to fulfill all the data analysis needs. The nature of the events of interest, however, prevents this from being the case (and from the point of view of plant performance and safety, the occurrence of such events is undesirable). Many events of interest (e.g., large loss-of-coolant accidents [LOCAs]) are not expected to occur during the life of the plant. Therefore, additional sources (experience from identical or similar plants and expert knowledge) are needed for acquiring supplemental information. This additional information is merged in such a way that the combined distribution of plant-specific and generic event data becomes more strongly influenced by the plant-specific information as that evidence matures. Incorporation of evidence from additional sites also will allow for the variation of the frequency of events among similar plants (i.e., site-to-site variability). This variability may be the result of unique plant features or of differences in site characteristics, personnel, and training.

3.2.4.2 Products

The products of the task on determining the frequency of initiating events are:

* material for the final report.
* the frequency information in electronic form suitable for use in the sequence quantification activity.
The component reliability task has two products:

* a generic component database based on generic VVER data should be developed and supplied to the system analysis task in support of fault tree development. The generic data can also be used in the initial quantification of the event tree sequences. For final quantification of the accident sequences, a plant-specific database has to be used.
* documentation including descriptions of the sources of generic and plant-specific data, descriptions of the component failure models used, a summary of plant-specific failure events, a description of the statistical methods and software used in estimating failure parameters, and tables of both generic and plant-specific data that can be used to calculate the basic event probabilities used in the PRA. Any assumptions made in the analysis, e.g., in interpreting plant-specific data and their application to estimating failure parameters, should be clearly documented.

The task on estimating common-cause failure probabilities has the following products:

* a KNPS-specific document providing information on the scope of CCF to be modeled, including component types and grouping. It should also identify the CCF parametric models to be used, including the ways that they could be incorporated in system fault trees. The document should be distributed among all system and data analysts.
* KNPS-specific CCF rates, including a description of the approaches used in arriving at those estimates, should be documented. These estimates would be utilized in the first phase analysis.
* the risk-significant CCFs identified through initial quantifications and the results of sensitivity and importance evaluation should be documented and used for the refined CCF estimates for the second phase analysis and final quantification.
* the final set of CCF rates generated through the second phase analysis should be documented for use in the final quantification.

3.2.4.3 Task Activities

Data analysis consists of the following three interrelated tasks--namely, determining (1) the frequency of initiating events, (2) component reliability, and (3) common-cause failure probabilities. Atwood (2003) provides additional guidance on the sources of information and methods available for estimating the parameters used in (1) and (2) above, including quantification of the uncertainties.

Task 1 - Frequency of Initiating Events

The objective of this task is to quantify the current frequency of each group of initiating events identified in the task Initiating Event Analysis (Section 3.2.1). It is desired that the frequencies be expressed in the form of uncertainty distributions and that the determination of the frequencies take advantage of all relevant evidence.

The goal of this task is to develop a probabilistic description of the frequency of the initiating events of interest along with supporting documentation. The objective is to derive an estimate of the current frequency for each initiating event. As such, specific cases of data censoring may be both appropriate and desirable. Examples of appropriate data censoring are given below; in all cases, a justification for censoring is mandatory.

The original grouping process would have to be revised if the plant records provide different or additional information that indicates the original classification scheme is in error or requires improvement. For example, tripping the main feedwater pumps because of instrumentation indicating a high water level in any steam generator may be listed as a reactor trip due to a high steam generator level. However, these trips are considered more important for the subsequent quantification of a scenario initiated by a loss-of-feedwater transient than simply a reactor trip, since these trips result in such a condition. Therefore, a strong liaison with the analysts that developed the initiating event grouping is required during this task. Also, it is important to realize that accomplishing the objective of this task requires an engineering perspective that is supported, rather than led, by a statistician.
Many PRAs have assumed that the frequency of initiating events is constant with time. This means the events are statistically random occurrences and the distribution of times between occurrences is exponential. There can be situations when this assumption may not be valid. One such situation is when an implemented plant change (e.g., a modification to plant hardware or procedures) could prevent, or severely curtail, the recurrence of an initiator. Past evidence would then not be representative of the likelihood that this event may occur in the future. Therefore, it would be inappropriate to include this evidence in the plant-specific database. It would be inappropriate to include the time period prior to the modification in the database for this initiator as well.

The so-called "learning curve," typically associated with the operation of a new plant, can also influence the rate of occurrence of a particular initiating event. Changes to plant hardware and procedures early in plant life can impact the frequency of initiators. Typically, the first year of commercial operation is excluded from the data in an attempt to reduce the influence of a new plant's "learning curve" on the frequency estimations. Likewise, the analysts must detect any signs of increasing initiating event frequencies that could be due to the aging, or wear out, of plant hardware.

Plant trip data must be carefully reviewed to determine if there is evidence of time dependence for specific initiator types. Justification is required for any censoring of data. Censoring may be valid, for example, if, as indicated above, changes to plant hardware or procedures have significantly impacted, or even eliminated, the cause of specific initiators. Ascher and Feingold (1984) provide guidance for addressing time dependence in reliability analyses.

The term "frequency" is used to describe the measurable, or at least conceptually observable, outcome from experience. Since the outcomes are rarely certain, certainty must be expressed in terms of probability. Thus, the likelihood of a particular class of initiators is expressed in terms of a probabilistic frequency distribution. These distributions can be expressed in several different ways. Kaplan (1981) describes the use of discrete probability distributions. Combining discrete distributions is straightforward, although a scheme of "rebinning" the results is required for practical applications. It is also possible to utilize continuous distributions (e.g., Gamma distributions) to represent the probability of frequency data. The Gamma distribution is one option and is an attractive choice since the update of a Gamma distribution also results in a Gamma distribution. The choice of the distribution's form will be determined by the analyst's preference and the calculational tools available.

Generally, initiating events can be assigned to three distinct categories according to the methods applied to determine frequency of occurrence: general transients, transients induced by system failure, and LOCAs (piping failures).

General Transients

The general transient category includes reactivity transients and heat removal imbalance transients as well as small LOCAs and very small LOCAs (the latter would include, for example, primary pump seal failures).

The frequency of occurrence of initiators in this category is quantified in a two-step Bayesian process. The first step involves combining the generic evidence (events per year at similar or identical plants) to arrive at a generic initiating event frequency for each initiator group. In the second step, the plant-specific evidence is combined with the generic (population) evidence to arrive at the updated plant-specific initiating event frequency.

Regarding the utilization of generic evidence, much has been written and discussed concerning the differences between VVER-1000 plants and VVER-440 plants. There are many differences that can be of significance from a risk assessment point of view. Notwithstanding, it is recommended that the VVER-440 experience not be rejected a priori. It is possible, and indeed likely, that the experience from VVER-440 plants yields relevant data for selected transient initiator categories (such as loss of condenser vacuum and loss of offsite power). It is, therefore, recommended that early in the initiating event quantification task each initiator category be carefully reviewed in the context of the relevancy of specific VVER-440 experience.
Transients Induced by System Failures

The frequency of occurrence of transients that are the result of a system failure (such as the failure of a support system) is determined using fault trees with the initiating event as the top event (see Section 3.2.3).

Loss-of-Coolant Accidents

The approach taken to quantify LOCA frequencies depends on how LOCAs are classified. If the categories are broadly defined (e.g., large, medium, and small LOCAs), then it may be possible to apply, after careful review, distributions obtained from previous Western analyses. If, on the other hand, LOCAs are more definitively defined (e.g., "LOCA 1" is a failure of the 200-mm pipe between Valve 4-29 and 4-53), then an empirical approach can be adopted, such as the one formulated in Thomas (1981). The Thomas model has been used to express vessel and piping failure rates (for example, see Medhekar, Bley, and Gekler, 1993). It should be noted that the approach would still require data from VVERs or other applicable facilities.

Intersystem (or interfacing) LOCAs involve failure, or inadvertent breach, of a high-pressure/low-pressure boundary. The analysis begins with the systematic identification of all such boundary interfaces. Any available evidence concerning overpressurization (in excess of design values) of piping at VVER plants will be useful. Logic models must be developed for each LOCA identified, taking into account plant-specific features, such as pressure monitoring and test procedures. Experience in Western PRAs has shown that potential human errors, associated with the testing of valves that are part of the high-pressure/low-pressure boundary, are important in estimating occurrence frequency.

Task 2 - Component Reliability

The objective of this task is to obtain plant-specific estimates of the unavailability of specific equipment used for PRA quantification. The scope of this task is to develop the database needed for estimating the contributors to unavailability of the basic events modeled in system fault trees. The task also includes developing component failure models, collecting generic and plant-specific component data, and estimating the parameters of the component unavailability models. It is important that the component unavailabilities are expressed in the form of uncertainty distributions and that similar components be grouped in the same correlation class. Assigning a group of components to a correlation class implies that a fully dependent Monte Carlo sampling routine would be utilized for the uncertainty evaluation. Therefore, the uncertainty distributions for all components in a correlation class should be the same. The experience data for all similar components belonging to a correlation class could be used for the estimation of the uncertainty distribution. Typically, components of the same type exposed to approximately the same environment, and with similar normal operating conditions, are grouped in the same correlation class (e.g., all normally energized DC relays).

The unavailability of a component can be thought of as the fraction of time that a component could not meet its demand successfully, either because it is unavailable due to test or maintenance or because it resides in a failed state. Generally speaking, the unavailability is the probability that a component does not perform its intended function when required, and, therefore, it can also encompass the failure probability per demand. This procedure guide focuses on estimating the following parameters of equipment unavailabilities:

* Component failure rates expressed in terms of failure per unit time or failure on demand,
* Frequency and duration of corrective (unscheduled) maintenance,
* Frequency and duration of preventive (scheduled) maintenance, and
* Frequency and duration of testing.

The estimations of the above parameters are necessary to evaluate the direct contributors to unavailability from hardware failure, maintenance, and testing. Other contributors to unavailability resulting from inadvertently leaving a train in an unavailable state after a test or maintenance should be identified and evaluated jointly with the system fault tree (see Section 3.2.3) and human reliability analysis (see Section 3.2.5).
The general process for this task is:

1. Determine the most appropriate level, scope, hardware boundary, and specifications for data collection through coordination with the teams that performed system fault trees and event trees,
2. Establish the current knowledge on the parameters to be estimated by aggregating the various sources of generic data and the experience of similar plants,
3. Identify the sources of plant-specific data to be retrieved, reduced, reviewed, and interpreted for the parameters of interest and establish the plant-specific data summary, and
4. Combine plant-specific and generic data when appropriate to estimate the needed parameters and to reflect the associated uncertainties.

There are several assumptions and simplifications that are currently used in state-of-the-art PRAs. Awareness of these assumptions and their verification to the extent possible is an important task in performing PRAs.

* Component failure rates are assumed to be constant and time invariant. This is a limiting assumption that stems from the simplifications that are typically made in PRA quantification routines. This assumption does not allow the modeling of any aging or wear out mechanism, and, therefore, it does not allow proper modeling of the benefits of maintenance and in-service testing in terms of preventing the aging mechanisms.
* Interpretation of what constitutes a failure depends on the mission and function of the equipment. Engineering review of the failure events is necessary to decide whether a reported event is indicative of a component's failure occurrence with a predefined boundary.
* Operational testing of a component is typically treated as an ideal test capable of detecting every type of failure and failure mode. Since most of the tests performed on the components do not simulate actual demand conditions, the tests will not be able to detect all possible failures and failure modes. The PRA analyst should review the test procedure and decide whether a test should be credited for all possible failure modes. Motor-operated valve (MOV) testing practice in the U.S. is an example of an incomplete test. The MOVs are typically tested with a smaller pressure drop across them than is typically experienced in actual demands. The test, therefore, cannot verify if the MOVs will close against the full accident pressure differential. In this case, special testing for selected MOVs based on their risk significance is implemented to assure their proper operation. Other examples of incomplete testing are the tests that use the mini-flow path of a pump train. Here, the test only verifies the proper closure of the breaker's contacts and the operation of the valve stem for the pump discharge valve under a no-flow (static) condition.
* Test-caused failures and human errors resulting in a component or train being left in an unavailable state after the test are incorporated in the system fault tree model through coordination with the human reliability analysis. Sometimes the human error rates for such events can be estimated directly as part of a data analysis task and incorporated as part of component unavailability. Care should be taken to assure that such events are properly identified, the human reliability analyst is consulted, and the fault exposure time for such failure mechanisms is set to a full test interval (rather than one-half test interval).
* Uncertainty distributions of the expected unavailability of a component are typically assumed to be lognormally distributed. This assumption, though widely practiced, is not necessary. The uncertainty distribution for component unavailability largely stems from the uncertainties associated with the failure rate of the component. The uncertainties associated with the other parameters in the component reliability models, e.g., the average repair time, are sometimes not accounted for. This is because of difficulties generally encountered using current computer codes. For example, the Integrated Reliability and Risk Analysis System (IRRAS) code does not allow the analyst to define uncertainties for both the frequency and duration of unscheduled maintenance. To account for both types of uncertainties, the analyst should estimate the resulting unavailability contribution and the associated uncertainty outside the IRRAS code and then input the results to IRRAS.
* The failure rate of a component in the harsh environment of an accident is usually estimated based on the deterministic criteria derived from test results, engineering evaluation, and subjective judgments. Examples are equipment survivability in a boiling water reactor building after drywell failure, the equipment survivability in a steam-filled room, or failure of the electrical and electronic equipment in the switchgear room after loss of the heating, ventilation, and air conditioning system.
* The failure rate associated with rupture of the component boundary and pipe rupture is typically estimated based on generic data, performing simple fracture mechanics calculations, and using semi-empirical models or subjective judgment.

The above assumptions and limitations are inherent in the reliability assessment of components for PRA use. The uncertainties associated with the component reliability should reflect the analyst's current level of knowledge for the failure mode of concern. The analyst may initially perform the PRA calculations using crude conservative estimates, followed by more rigorous analyses commensurate with the risk importance of the components.

Assessment of the component reliability involves modeling and estimation of all the contributors to component unavailability. For this purpose, the components are typically categorized in two groups: standby and operating components. The unavailability models of interest for each group are described below, and the specific parameters to be estimated in the data analysis task are identified.
Standby Component

A standby component is a piece of hardware with a predefined boundary that is normally in a state different from the state of its safety function. As an example, a normally open valve (normal state) is expected to close (state of its safety function) in certain scenarios. This valve is considered a standby component since its normal and safety states are different. A standby component can have many failure modes, some of which can be detected when the component is in its normal state and others when the component is periodically tested for its safety function. In the earlier example, failure modes, such as the housing rupture or leakage, could be detected when the valve is in its normal state, whereas the valve actuator failure preventing the valve closure can only be detected during the periodic tests. The expected time to detection of a failure is referred to as fault exposure time. For those failure modes detectable by periodic testing, the fault exposure time is one-half the periodic test interval. If certain failure modes can be detected by other activities, such as a walk through or visual inspection, the fault exposure time would be one-half the inspection interval. Finally, some failure modes can be detected almost instantaneously--for example, by alarm or valve position indicator. In this case, the fault exposure time associated with the failure mode is zero, and the standby component for that failure mode is referred to as a monitored component.

Various contributors to standby component unavailability are:

* fault exposure time, i.e., failure during standby
* failure to start or failure on demand
* failure during mission time
* testing
* unscheduled corrective repair
* scheduled preventive repair.

Table 3-16 provides a summary of the formulas to be used to estimate each contributor and identifies the specific parameters to be estimated by reliability data analysis. The last column in the table shows the needed summary event data for the specific plant under study. Deterministic data from sources, such as plant technical specifications, are not listed in this column. The total component unavailability would be the sum of all its contributors.

Operating Component

An operating component is a piece of hardware with a predefined boundary that is normally in an operating state consistent with its safety function. Failure of an operating component could contribute to an initiator frequency (see Task 1, Frequency of Initiating Events). Failure of an operating component after the occurrence of the initiator is typically modeled within the system fault trees and is the focus of the discussion here. The two major contributors to the unavailability of an operating component are:

1. Unavailability due to repair: An operating component may be unavailable as a result of failure prior to an initiator and may remain
Table 3-16 The reliability formulation for the various contributors to the unavailability of a standby component

| Unavailability Contributor | Reliability Formula | Model Parameters | Summary Data Needed |
|---|---|---|---|
| Fault exposure time | $1 - (1 - e^{-\lambda T})/(\lambda T)$ or $(1/2)\lambda T$ | $\lambda$: Standby failure rate; $T$: Surveillance interval | Number of failures and the total observation period |
| Failure to start or failure on demand | $Q_d$ | $Q_d$: Failure to start per demand or failure on demand | Number of start or demand failures and the total number of demands |
| Failure to complete the mission | $\lambda_R \tau$ | $\lambda_R$: Running failure rate; $\tau$: Mission time | Number of failures and total operating time |
| Periodic testing | $(\tau_t/T_p) P_t$ | $\tau_t$: Expected test duration; $T_p$: Periodic test interval; $P_t$: Failure probability to override or recover from the test | Number of times the test override was needed and the number of times it failed |
| Unscheduled corrective repair | $(\lambda + \lambda_D) T_R$ | $\lambda_D$: The rate of degraded conditions that require corrective maintenance; $T_R$: Mean repair time | Number of degraded conditions and total observation time; duration of corrective maintenance |
| Scheduled preventive repair | $f_m T_m$ | $f_m$: Frequency of preventive maintenance; $T_m$: Expected duration of preventive maintenance | Duration of preventive maintenance averaged over all different types |

Notes:

* For monitored failure modes $T = 0$.
* For those failure modes detectable by other surveillance activities (e.g., visual inspection) in addition to periodic testing, $T$ can be estimated by the total time period divided by the number of surveillance activities (periodic or otherwise).
* For those failure modes not detectable by any surveillance activities, $T$ should be set equal to the remaining plant lifetime since the last time the component was verified operable (e.g., for a new plant with an expected service life of 40 years, $T$ = 40 years) and approximate formulae should not be used.
* For all other cases $T = T_p$.
* All failure rates should be expressed in terms of time-related failure rates to the extent possible to assure consistency. For some components, such as the emergency diesel generators, component failures are divided into standby failure, start failure, and run failure. For other components, such as failure of a motor-operated valve to open/close, the generic data is reported as failure probability on demand. Probability of demand failure could be translated into the equivalent time-related failure rate, if so desired, by dividing the demand failure probability by one-half of the expected time between the demands (typically the periodic test interval).
* For those human errors modeled in fault trees which indicate leaving a train in an inoperable state after test or maintenance, the fault exposure time to be used is the full surveillance interval. The unavailability contributions for such human errors should be kept separately, and a separate test-caused unavailability should be estimated.
* $\lambda_D$ is estimated similarly to the failure rate $\lambda$. $\lambda_D$ is the rate of unscheduled maintenance. It is estimated based on the number of times, within the data collection period, that a component underwent repair (corrective unscheduled maintenance) even though it was not yet failed.
* $(1 - P_t)$ is the probability of making a component or train available during a surveillance test if an actual demand occurs. In most practical cases, the value of $P_t$ is either zero or one, respectively, indicating that the unavailability due to a test is either easily recoverable or unrecoverable in time. In those special cases where the available recovery time and the time needed to recover from the test are comparable, the value $P_t$ should be determined with help from the human reliability analyst.
unavailable after the occurrence of the initiator. This unavailability could be simply estimated using the following equation:

$$Q_R = \frac{\lambda_R T_R}{1 + \lambda_R T_R}$$

where $\lambda_R$ and $T_R$ are defined in Table 3-16. Note that all causes for performing corrective and preventive maintenance are included in estimating the rate $\lambda_R$.

2. Unavailability due to failure during the mission time after the occurrence of the initiator. This unavailability could be simply estimated using the following equation:

$$Q_M = \lambda T_M$$

Here, $\lambda$ is the actual failure rate of the operating component and does not include any degraded conditions, and $T_M$ is the expected mission time associated with the component.

All contributors to component unavailability for both standby and operating components could be subjected to recovery action if sufficient time is available for returning the component to an operational state. As an example, there could be up to several hours available before a room containing safety equipment heats up to a critical temperature after loss of a cooling fan. The probability of successful recovery actions, either by repairing the affected components or by providing an alternate means for performing the needed function, should typically be modeled at an accident sequence or accident minimal cutset level after the event trees without recovery are quantified.

Plant-Specific Data Collection, Interpretation, and Evaluation

Past experience with PRA data collection activities has shown that no single data source in the plant is sufficient to provide all the needed information.
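As an added worked example, not part of this procedure guide, the Table 3-16 contributors for a standby component and the $Q_R$ and $Q_M$ equations for an operating component are evaluated in Python on a constructed parameter set for a hypothetical monthly-tested motor-operated valve; every number and name below is an assumption for illustration, not plant data.

```python
"""Table 3-16 unavailability contributors for a standby component and the
Q_R / Q_M equations for an operating component. Added example; all sample
parameter values below are constructed, not plant data."""
import math
from dataclasses import dataclass


def fault_exposure(lam: float, T: float, approximate: bool = False) -> float:
    """Average unavailability from failure during standby over the surveillance
    interval T (hours). T = 0 is a monitored failure mode (contribution 0).
    The (1/2)*lam*T approximation is acceptable only when lam*T is small; the
    table notes forbid it when T is the remaining plant life."""
    if T <= 0.0:
        return 0.0
    x = lam * T
    if approximate:
        return 0.5 * x
    return 1.0 - (1.0 - math.exp(-x)) / x


def mission_failure(lam_R: float, tau: float) -> float:
    """Failure to complete the mission: running failure rate times mission time."""
    return lam_R * tau


def periodic_testing(tau_t: float, T_p: float, P_t: float) -> float:
    """(tau_t / T_p) * P_t; P_t is the probability the test line-up cannot be
    overridden in time (0 or 1 in most practical cases)."""
    return (tau_t / T_p) * P_t


def corrective_repair(lam: float, lam_D: float, T_R: float) -> float:
    """(lam + lam_D) * T_R; lam_D is the rate of degraded conditions repaired
    before an actual failure."""
    return (lam + lam_D) * T_R


def preventive_repair(f_m: float, T_m: float) -> float:
    """Scheduled preventive maintenance: frequency times expected duration."""
    return f_m * T_m


def demand_to_rate(Q_d: float, T_p: float) -> float:
    """Table note: a demand failure probability becomes an equivalent
    time-related rate when divided by half the expected time between demands."""
    return Q_d / (0.5 * T_p)


@dataclass
class StandbyComponent:
    lam: float     # standby failure rate, per hour
    T: float       # surveillance interval, hours (0 = monitored)
    Q_d: float     # failure to start / failure on demand
    lam_R: float   # running failure rate, per hour
    tau: float     # mission time, hours
    tau_t: float   # expected test duration, hours
    T_p: float     # periodic test interval, hours
    P_t: float     # probability the test cannot be overridden in time
    lam_D: float   # rate of degraded conditions needing corrective repair
    T_R: float     # mean corrective repair time, hours
    f_m: float     # preventive maintenance frequency, per hour
    T_m: float     # expected preventive maintenance duration, hours

    def contributors(self) -> dict:
        return {
            "fault exposure time": fault_exposure(self.lam, self.T),
            "failure on demand": self.Q_d,
            "failure during mission": mission_failure(self.lam_R, self.tau),
            "periodic testing": periodic_testing(self.tau_t, self.T_p, self.P_t),
            "corrective repair": corrective_repair(self.lam, self.lam_D, self.T_R),
            "preventive repair": preventive_repair(self.f_m, self.T_m),
        }

    def total(self) -> float:
        """Total unavailability is the sum of all contributors (Table 3-16)."""
        return sum(self.contributors().values())


def operating_repair(lam_R: float, T_R: float) -> float:
    """Q_R = lam_R*T_R / (1 + lam_R*T_R): operating component under repair when
    the initiator occurs (lam_R here includes all corrective and preventive
    maintenance causes)."""
    x = lam_R * T_R
    return x / (1.0 + x)


def operating_mission(lam: float, T_M: float) -> float:
    """Q_M = lam * T_M: failure during the mission time after the initiator
    (lam excludes degraded conditions)."""
    return lam * T_M


# Constructed sample: a hypothetical standby MOV tested monthly (720 h).
SAMPLE_MOV = StandbyComponent(lam=1e-6, T=720.0, Q_d=1e-3, lam_R=1e-5, tau=24.0,
                              tau_t=2.0, T_p=720.0, P_t=1.0, lam_D=2e-6, T_R=12.0,
                              f_m=1.0 / 8760.0, T_m=8.0)

if __name__ == "__main__":
    for name, value in SAMPLE_MOV.contributors().items():
        print(f"{name:24s} {value:.3e}")
    print(f"total unavailability     {SAMPLE_MOV.total():.3e}")
    # Hypothetical operating pump: lam_R = 1e-4/h, T_R = 100 h; mission 24 h.
    print(f"Q_R {operating_repair(1e-4, 100.0):.3e}  Q_M {operating_mission(1e-5, 24.0):.3e}")
```

With these sample values the periodic test term dominates because $P_t = 1$ (test line-up not recoverable in time); setting $P_t = 0$ removes it, which is the point of the table's $(1 - P_t)$ note.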
PRA practitioners had to search through various sources of data to properly identify and interpret a single record. Plant design documentation, operator logs, maintenance records, plant technical specifications, and surveillance procedures constitute the minimum set of information typically examined for determining the data needs for use in a PRA.

Event data of interest for component reliability evaluation are (1) information relating to component performance in response to a test or an actual demand and (2) information relating to component down time during testing and maintenance. Information on component performance in response to a test or a demand should be interpreted or categorized as failure, degraded, or success. Failure encompasses all events that render the component either outside the acceptable envelope of the technical specifications or within the PRA definition of the failure and the failure modes of the component under study. Degradation encompasses those events that indicate that the component is not in a failed state; however, it could fail eventually if it is not repaired. Generally, all unscheduled repairs triggered by unsatisfactory performance of the component but not by its failure are categorized as degradations. Some PRA data evaluations have broken down the degradations into degraded and incipient conditions depending on the severity of the fault and the available time before the condition propagates to a failure.

Another area of data analysis that may require extensive interpretation deals with component recovery probability. A component may be made available during certain testing procedures if an actual demand occurs. A failed component could also be made available for certain failure modes. Such recovery actions typically require manual actions (e.g., realignment of a suction path or manual start of a pump). These probabilities for recovery actions should always be reviewed by human reliability analysts, even if in some cases the probabilities could be estimated based on the experience data.
Generally, interpretation of collected data is a multi-disciplinary task that requires close cooperation between PRA data analysts, PRA system analysts, PRA human factor specialists, and plant operation and maintenance staff.

3. Technical Activities 3-63

Methods for Estimation

Various parameters derived from the component reliability models are identified for both standby and operating components. Some of these parameters, such as the periodic test interval and the preventive maintenance frequency, could be obtained directly from plant-specific procedures and technical specifications. These types of parameters typically are not statistical in nature and are treated as deterministic information. The remainder of the parameters, such as the corrective maintenance rate, are statistical in nature and should be estimated based on plant-specific and generic data sources. Currently, Bayesian analysis is widely accepted as the estimation method. The single-stage Bayesian approach is commonly used for estimating the parameters for component reliability models when the generic reliability database provides the estimates of the parameters of the prior distribution. The two-stage Bayesian approach could be utilized when the generic database contains summary data for other plants (e.g., number of failures and the observation period). The theoretical basis for the Bayesian approach and formulation and some available software has been extensively discussed in the open literature, e.g., Apostolakis et al., 1980 and Apostolakis, 1982. The following provides a discussion on the single-stage Bayesian approach.
For the two-stage Bayesian routine, the task on initiating event frequency may be consulted.

Prior Distribution

The Bayesian approach requires the use of a prior distribution for the parameters to be estimated. Prior distributions are typically obtained from industry-wide data analyses. In some cases, a prior distribution is generated from the failure rate estimates reported in past PRAs. In this situation, the analyst should combine the data from several PRA sources to arrive at one single prior distribution representing plant-to-plant variability. Several different ways have been suggested in the past for combining multiple distributions to develop a generic prior distribution (Gentillon, 1987; Martz and Bryson, 1984; and Azarm and Chu, 1991). A method typically used to arrive at a generic prior distribution is to construct a mixture distribution from all sources. The weights associated with different sources are typically the same as long as all the sources are applicable to the type, boundary, and failure mode of the component under study. In some cases, different weights are assigned depending on the extent to which the generic sources represent the basic event under study. A different method, intended to assure that the resulting generic distribution has a wide enough uncertainty to reflect faithfully the differences among all the sources, is reported in Azarm and Chu (1991). The choice of method is up to the analyst; however, the analyst should examine the constructed generic distribution to see whether it covers all the means reported by the various sources within its 5th and 95th percentiles.

Likelihood

The Poisson and binomial likelihoods for the failure rate per hour and the failure probability per demand are discussed under the task Frequency of Initiating Events. However, these likelihood functions are not appropriate for Bayesian updating of the distribution for the repair duration. Here, the likelihood may simply be a non-reducible, joint probability distribution for the repair durations observed, sometimes referred to as a sampling likelihood. Since this likelihood is not incorporated in the widely used Bayesian codes, the analyst may decide not to use the Bayesian approach in determining the mean repair distribution, especially since the uncertainties associated with mean repair time are not commonly accounted for in the PRA.
In summary, the likelihood function should, to the extent possible, reflect the process through which the data was generated and collected.

Posterior Distribution

The commonly used Bayesian software automatically generates a posterior distribution and typically outputs the associated parameters of a fitted lognormal distribution. The analyst should examine the posterior distribution to assure its appropriateness. This is typically done in three steps.

In the first step, the posterior distribution is compared with the prior distribution. If the mean and variance of the prior are distinctly different from those of the posterior distribution (a factor of 2 or more), then the analyst should verify that the data shows strong evidence. For data to strongly affect both the mean and the uncertainty of the posterior distribution (i.e., to be considered strong evidence), the data should contain at least three independent observations.

In the second step, the analyst should check the evidence data to make sure that the data is not strongly affected by the failures of one component in the group. In some cases, a component failure may not have been diagnosed properly and the repair was incomplete, thereby making the same component fail several times within a short period of time. Such clustered data should be detected and resolved.

In the third step, the analyst should assure the adequacy of a lognormal fit to the posterior distribution. The reader should note that the use of a lognormal distribution is not essential when using the IRRAS code, even though it has been widely practiced in the past. Some posterior distributions may not resemble a lognormal distribution; therefore, the fitted lognormal distribution based on matching the first two moments may not be appropriate. In such cases, a more appropriate fit may be obtained by conserving the mean and the 95th percentile of the distribution rather than the mean and the variance.
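As an added illustration of the generic prior construction and the single-stage update with its posterior checks described in this section (example code written for this page, not software from the document or from the Bayesian codes it mentions), the following Python builds an equal-weight mixture prior from several generic lognormal sources, checks that the mixture's 5th to 95th percentile band covers every source mean, updates it with a Poisson likelihood on a numerical grid, applies the factor-of-2 / three-observation check together with the zero-failure rule of this section (observation period at least twice the generic mean time to failure), and fits a lognormal to the posterior both by moment matching and by conserving the mean and the 95th percentile. The three generic sources, the plant evidence (2 failures in 40,000 hours) and all function names are this example's own assumptions.

```python
import math

Z95 = 1.6449  # standard normal 95th percentile

def lognormal_params(median, ef):
    """(mu, sigma) of a lognormal with the given median and error factor EF = p95 / median."""
    return math.log(median), math.log(ef) / Z95

def lognormal_mean(mu, sigma):
    return math.exp(mu + sigma ** 2 / 2)

def lognormal_variance(mu, sigma):
    return lognormal_mean(mu, sigma) ** 2 * (math.exp(sigma ** 2) - 1)

def lognormal_p95(mu, sigma):
    return math.exp(mu + Z95 * sigma)

def lognormal_pdf(x, mu, sigma):
    z = (math.log(x) - mu) / sigma
    return math.exp(-0.5 * z * z) / (x * sigma * math.sqrt(2 * math.pi))

class GridDist:
    """A distribution for a failure rate, held as probability masses on a log-spaced grid."""
    def __init__(self, grid, masses):
        total = sum(masses)
        self.grid = grid
        self.mass = [m / total for m in masses]
    def mean(self):
        return sum(x * m for x, m in zip(self.grid, self.mass))
    def variance(self):
        mu = self.mean()
        return sum((x - mu) ** 2 * m for x, m in zip(self.grid, self.mass))
    def percentile(self, p):
        acc = 0.0
        for x, m in zip(self.grid, self.mass):
            acc += m
            if acc >= p:
                return x
        return self.grid[-1]

def log_grid(lo, hi, n=3000):
    step = math.log(hi / lo) / (n - 1)
    return [lo * math.exp(i * step) for i in range(n)]

def generic_prior(sources, grid, weights=None):
    """Mixture of lognormal sources, each given as (median, EF); equal weights unless supplied."""
    weights = weights or [1.0] * len(sources)
    params = [lognormal_params(med, ef) for med, ef in sources]
    # On a log-spaced grid the mass near x is proportional to pdf(x) * x.
    masses = [sum(w * lognormal_pdf(x, mu, s) for w, (mu, s) in zip(weights, params)) * x
              for x in grid]
    return GridDist(grid, masses)

def covers_source_means(prior, sources):
    """The generic prior's 5th to 95th percentile band should contain every source mean."""
    lo, hi = prior.percentile(0.05), prior.percentile(0.95)
    return all(lo <= lognormal_mean(*lognormal_params(med, ef)) <= hi for med, ef in sources)

def update_poisson(prior, failures, hours):
    """Single-stage Bayesian update: Poisson likelihood for `failures` in `hours` of exposure."""
    loglik = [failures * math.log(x) - x * hours for x in prior.grid]
    top = max(loglik)  # rescale before exponentiating so small likelihoods do not underflow
    return GridDist(prior.grid, [m * math.exp(l - top) for m, l in zip(prior.mass, loglik)])

def posterior_checks(prior, post, failures, hours):
    """The evidence checks of the text, returned as findings for the analyst to resolve."""
    findings = []
    mean_ratio = post.mean() / prior.mean()
    var_ratio = post.variance() / prior.variance()
    shift = max(mean_ratio, 1 / mean_ratio, var_ratio, 1 / var_ratio)
    if shift >= 2 and failures < 3:
        findings.append("prior moved by a factor of 2 or more on fewer than 3 observations: "
                        "verify that the data really is strong evidence")
    if failures == 0 and hours < 2.0 / prior.mean():
        findings.append("zero-failure update over less than twice the generic MTTF: not recommended")
    return findings

def fit_lognormal_moments(mean, variance):
    """Lognormal (mu, sigma) matching the first two moments."""
    s2 = math.log(1.0 + variance / mean ** 2)
    return math.log(mean) - s2 / 2, math.sqrt(s2)

def fit_lognormal_mean_p95(mean, p95):
    """Lognormal (mu, sigma) conserving the mean and the 95th percentile instead of the variance."""
    d = math.log(p95 / mean)            # Z95*sigma - sigma^2/2 = d
    disc = Z95 ** 2 - 2 * d
    if disc < 0:
        raise ValueError("no lognormal has this mean and 95th percentile")
    sigma = Z95 - math.sqrt(disc)       # the root with sigma < Z95
    return math.log(mean) - sigma ** 2 / 2, sigma

# Constructed inputs, not from the document: three generic sources as (median per hour, EF)
# and hypothetical plant-specific evidence of 2 failures in 40,000 component-hours.
SOURCES = [(1.0e-5, 3.0), (2.0e-5, 5.0), (5.0e-6, 3.0)]
GRID = log_grid(1e-8, 1e-2)

if __name__ == "__main__":
    prior = generic_prior(SOURCES, GRID)
    print("prior covers all source means:", covers_source_means(prior, SOURCES))
    post = update_poisson(prior, failures=2, hours=40_000)
    print(f"prior mean {prior.mean():.2e}  posterior mean {post.mean():.2e}")
    print("findings:", posterior_checks(prior, post, 2, 40_000))
    print("moment fit (mu, sigma):", fit_lognormal_moments(post.mean(), post.variance()))
    print("mean/p95 fit (mu, sigma):", fit_lognormal_mean_p95(post.mean(), post.percentile(0.95)))
    zero = update_poisson(prior, failures=0, hours=20_000)
    print("zero-failure findings:", posterior_checks(prior, zero, 0, 20_000))
```

The grid is used instead of a conjugate gamma prior because a mixture of lognormals is not conjugate to the Poisson likelihood; this is also why the checks are done on the tabulated posterior rather than on reported lognormal parameters.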
Also, special care should be given to those cases when trying to use the Bayesian approach with zero failures as the evidence. Updating of the generic failure rate with the evidence of zero failures is not typically recommended unless the observation period is at least twice the expected mean time to failure derived from the generic prior.

Task 3 - Common-Cause Failure Probabilities

The objective of this task is to determine the final values to be used in the parametric models of common-cause failures (CCFs). This would involve addressing a variety of issues, starting with defining what should be considered as CCFs, how they should be modeled in the context of system fault trees, and finally how they are to be estimated using generic and plant-specific (Kalinin-specific) data.

There are generally two major limitations associated with the modeling of CCFs in a PRA. One limitation deals with whether the identification of CCFs is adequate to assure that the modeled CCFs are comprehensive but not duplicative, and the other limitation deals with the applicability of the CCF generic data to the specific plant being studied.

The definition of CCFs is interrelated with the scope and the level of detail in the PRA. For example, in the early eighties, when PRAs were of limited scope, an event would have been categorized as a CCF if more than one failure due to any of the following causes was observed:

1. fire, flood, seismic, or any other external event,
2. high temperature, such as loss of the heating, ventilation, and air conditioning system,
3. pre- and post-initiator human errors disabling multiple components,
4. design and installation problems, e.g., wrong materials,
5. procedural problems,
6. aging and wear out,
7. temporary degradation of components due to such causes as improper maintenance and surveillance, and
8. sneak circuits and unexpected interdependencies.

However, as the scope, modeling complexities, and the level of detail in PRAs increased, characterization of CCF matured, allowing them to be modeled more explicitly. For example, the analysis performed to evaluate external event PRAs, the formal modeling used to directly address loss of the heating, ventilation, and air conditioning system (either as an initiator or as a part of a system fault tree), and the explicit modeling employed to quantify pre- and post-initiator human error rates eliminated the need to distinguish Categories 1, 2, and 3. Furthermore, the probability of CCF can be reduced significantly once certain CCF failure mechanisms are observed and subsequent corrective actions are taken, as, for example, in Categories 4 and 5. When design/installation problems and/or procedural deficiencies are detected, corrective actions are usually put in place to rectify the problems to the extent possible. Finally, some of the sneak circuits and unexpected interdependencies could be identified while in the process of conducting a relatively detailed PRA. Consequently, CCF estimates have changed over time as PRAs increased in scope and level of detail. Therefore, CCF estimates are only used to capture those events that are not explicitly modeled in PRAs. The greater the scope and level of detail in a PRA, the smaller the number of dependent events not explicitly accounted for in the PRA. Also, some have argued that the CCF estimates should also capture and compensate for the inadequacies inherent in simplified PRA quantification algorithms (see Azarm et al., 1993).

PRAs performed in the U.S. typically use generic data on CCFs, at least initially. However, even for this initial use, the generic data must be tailored for the specific plant.
This is typically done by mapping the industry-wide events (data) against the scope of the PRA, its level of detail, and the current plant practices in order to identify and use the subset of the events that are most applicable to the plant. A six-volume report recently published by the U.S. Nuclear Regulatory Commission on CCF (Stromberg, 1995) provides a computerized database of the latest U.S. study on generic CCF estimates.

It is recommended that CCF modeling be performed in two phases. For the first phase, CCF probabilities are to be estimated based on the applicable industry-wide CCF events. The plant models then should be quantified, and the major CCF contributors identified. For those CCF events which significantly contribute to plant risk, further analysis is needed to justify that the CCF estimates are appropriate. The results of these analyses should be explicitly discussed with plant staff and regulators for identification of potential corrective actions. This would constitute the second phase analysis. The final estimates, including the impact of any potential corrective actions on the CCF rates, should be used for final quantification.

Activity 1 - Generic Data

The sources of generic data are identified and the associated CCF events are reviewed to verify applicability to the specific plant, i.e., establishing generic data which is tailored for the Kalinin Nuclear Power Station (KNPS).

Activity 2 - CCF Rules

The CCF rules for component types and component grouping within and across systems are communicated to system modelers to assure consistency in modeling.

Activity 3 - Plant-Specific Data

Plant-specific data indicative of potential CCF occurrences are collected. A potential CCF involves the occurrence of multiple failures that are suspected to have been caused by CCF triggering mechanisms. The corrective actions which could possibly eliminate the triggering mechanisms are not given credit at this stage. A Bayesian routine is used for updating the CCF parameters.

Activity 4 - Initial Quantification

Initial quantification and the associated sensitivity and importance evaluations are performed to identify those CCF events that are risk significant.

Activity 5 - Final Quantification

Detailed analysis, either qualitative or quantitative, whichever is more appropriate, is conducted to adjust the baseline estimates of the risk significant
CCFs.

Guidance is provided below for the following specific areas:

* Sources of generic data,
* Component types for CCFs,
* Failure modes for CCFs,
* Cause considerations for CCFs,
* Component grouping rule for CCFs within a system,
* Component grouping rule for CCFs across systems,
* CCF considerations for plant-specific data collection, and
* Estimation of the CCF contributors.

Sources of Generic Data

The database for the CCF events developed in the U.S. (reported in Stromberg, 1995) should be used as one of the data sources. The event data should be reviewed, and those events that are either duplicative (due to scope and level of effort in the KNPS PRA) or not applicable (due to specific features of KNPS) should be discarded. New CCF rates should be estimated with the remainder of the CCF events. However, in some generic sources of data, the event description may not be available or summarized, so that its applicability to a specific plant may not be verifiable. In these cases, a certain degree of subjectivity or conservatism may be applied. Additional data for CCF not currently included in the Idaho National Engineering Laboratory report (Stromberg, 1995), e.g., data on instrumentation and control components, relays, and transducers, is provided in Appendix A.

Component Types for CCFs

Volume 6 of the Idaho National Engineering Laboratory report specifically identifies various components for which CCF estimates were determined. However, the component types are categorized based on systems in U.S. pressurized water reactors and boiling water reactors, e.g., pumps in the Service Water System. Generic component types, such as MOVs, without any further categorization based on systems or any other feature, could be sufficient for most CCF modeling applications. Further classifications of MOVs (for example, to differentiate low-pressure or high-pressure applications) should only be performed if supported by data. Appropriate data searches and CCF estimations should be performed using the database structure in the reference cited to assess whether the CCF estimates change significantly if MOVs are further categorized by low-pressure or high-pressure application. It is also recommended that the number of component types be kept as small as possible to make the estimates manageable. The breakdown of a component type based on environment, size, and stress (e.g., pressure) should not be done unless justified by the data. Several different CCF estimates could be obtained generically for a component type for different failure modes, initial conditions, and given service applications. These considerations are some of the bases for the CCF grouping that are discussed under Component Grouping Rule for CCFs Within a System and Component Grouping Rule for CCFs Across Systems.

Failure Modes for CCFs

Various component failure modes should be differentiated in CCF modeling when different failure modes result in different consequences. For example, two different failure modes, failure to open and failure to control (stuck in an intermediate position), may be considered for a standby control valve. If these two different failure modes result in different consequences (in terms of system or plant responses), the failures should be kept separate and the CCF data should be differentiated.

Cause Considerations for CCFs

To develop a complete understanding of the potential for multiple failures, it is necessary to identify the reasons why these types of failures occurred. Understanding the causes of the CCFs is important in evaluating both the event data and proposed plant defenses against CCF occurrences. Cause classifications proposed in Volume 2 of the Idaho National Engineering Laboratory report could generally be used. Furthermore, the examples provided in this volume are constructive in assuring consistent understanding of cause classification for CCFs.

Component Grouping Rule for CCFs Within a System

A set of components within a system that could be represented by a common-cause group is discussed using the following simple one-line diagram (Figure 3.5).

Figure 3.5 Simple example for CCF analysis

All six valves in suction and discharge may be considered as a CCF group. In this case, specific combinations of multiple (three or more) failures are considered to result in system failure. However, the discharge valves are located inside containment, and they are neither tested similarly to nor as frequently as the suction valves. Hence, the analyst should consider two CCF groups: one for valves V1A, V2A, and V3A and the other for valves V1B, V2B, and V3B. The contribution of the CCF, and consequently the system unavailability, would be different in these two cases. The latter would typically result in a lower system unavailability estimate for the same combinations of basic events. Therefore, rules should be provided to assure proper grouping of CCF components, thereby preventing potential underestimation of system unavailabilities. Since there are no step-by-step rules that can be written for prescribing how to group components for CCF, only general guidance can be provided to assist the analysts. A minimum set of considerations that could be used by the analysts for component grouping for CCFs are:

* types of components, with some regard to their application, size, function, etc.,
* the normal operational state and the failure mode of the component,
* the operational activities, such as tests and maintenance, and their associated frequencies, and
* similar location and exposure environment.

It is also recommended that like components produced by different manufacturers not be assumed to belong to separate CCF groups. Similar components from different manufacturers should be placed in separate CCF groups only if the following two conditions are met:

1. The components do not belong to a natural or to a logical redundancy, as do valves V1A, V2A, and V3A in the above example. There is no justification to have separate groupings for these valves if one of the valves was manufactured by Company XYZ, for example, and the other two were not. However, if the discharge valves V1B, V2B, and V3B are from Company XYZ and the suction valves are not, then there might be some justification for different groups, if the next condition is met.
2. The industry data should indicate that manufacturing and design specifications were the major contributors to the CCF estimates. In this case, separate grouping could be used if additional engineering justifications can be provided to show that the components from different manufacturers exhibit different CCF characteristics.

Dividing the CCF grouping based on the manufacturer should be a last resort and should be avoided to the extent possible.

Component Grouping Rule for CCFs Across Systems

Across-system CCFs are not typically modeled in U.S. PRAs. However, the analysts should be aware that although this type of CCF grouping is possible, it should not be formed by artificial logical boundaries made as a result of fault tree modeling. Rather, it is recommended that the final accident sequence minimal cutsets be reviewed, and, based on the criteria provided in Component Grouping Rule for CCFs Within a System, the analyst should identify those component groups across systems for which CCF modeling need be considered.
Since an across-system CCF group may involve a large number of components, the CCF parametric modeling can become unmanageable. The number of combinations to be used in CCF parametric modeling should be limited. For example, if the multiple Greek letter model is used, factors for five components will be applied to all components in the group (if five fail, all fail).

CCF Considerations for Plant-Specific Data Collection

The system analyst should provide to the data analyst the list of components in the CCF groups for data collection and interpretation. Whenever a component from a CCF group has failed, a data field in the data sheet (to be filled in by the data analyst) should indicate a request for information on simultaneous failures of similar components or recent failures that have occurred over a short period of time. The following definitions for simultaneous and recent failures are suggested:

1. For sequentially tested standby components, simultaneous failures are defined as failures that have occurred within a time period less than one test interval. For standby components that are tested in a staggered fashion, simultaneous failures are those that have occurred in less than one-half the test interval. For operating components, failures that have occurred within the PRA mission time are considered as simultaneous failures.
2. Recent failures are defined as failures that have occurred in a time period that is less than one failure time. To calculate the failure time, the generic mean time between failures of the component should be divided by the number of components in the group. As an example, if there are five components in the group and the generic failure rate for the component is 1.0 x 10^-4 per hour (or the mean time between failures is 1.0 x 10^4 hours), the recent period would be 2000 hours (approximately three months). If similar failures on this component group have occurred over a three-month time period or less, these failure histories should be queried for possible common-cause connotations.

The system analyst and the data analyst should work closely together to ensure that the data queries will capture the requisite information needed for parametric estimation of CCFs.

Estimation of the CCF Contributors

Currently, there are four types of methods that could be utilized for estimating the CCF rates. Two of these methods are typically used in the early stages of the analysis (Phase 1), whereas the other two methods are typically applied after initial quantification (Phase 2). In Phase 1, the actual CCF events from a generic database are reviewed and evaluated against the specific features of the plant design, the current plant practices, and the PRA. This allows the user to specialize events for application to a specific plant by assigning an applicability factor to each event. The applicability factor is a value between zero and one. The higher the applicability factor, the more relevant the event would be to the specific plant being studied. There is some degree of subjectivity involved in assigning an applicability factor. To use the estimation methodology of Stromberg (1995), an event-by-event assessment is required to determine the values for three classes of applicability factors. These are R1, Cause Applicability Factor; R2, Coupling Applicability Factor; and R3, Failure Model Applicability Factor. There is some discussion of the assignment of these applicability factors in Mosleh et al. (1989).

The second type of analysis that could be performed deals with the use of plant-specific CCF events. Updating of generic estimates with plant-specific CCF data would be performed for those cases where multiple simultaneous failures have occurred and are suspected to have been caused by CCF mechanisms. The Bayesian update of the CCF model parameters is generally not a straightforward procedure (except for some specific CCF models, such as the global beta factor model) and could involve extensive computations.
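The two definitions of "simultaneous" and "recent" failures given under CCF Considerations for Plant-Specific Data Collection above amount to a screening rule that the data analyst can run over a failure history. The following Python is an added example of that screen (written for this page, not taken from the document or from any plant data system): it computes both windows for a CCF group, then scans a constructed failure history for pairs of different components in the group that failed in the same mode inside either window. The group (five sequentially tested standby pumps with a 720-hour test interval and the text's generic rate of 1.0 x 10^-4 per hour), the failure records and the type names are this example's own assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class CcfGroup:
    name: str
    components: tuple                 # identifiers of the components in the group
    kind: str                         # "standby_sequential", "standby_staggered" or "operating"
    test_interval_h: float = 0.0
    mission_time_h: float = 0.0
    generic_rate_per_h: float = 0.0   # generic failure rate of one component, per hour

@dataclass(frozen=True)
class FailureRecord:
    component: str
    time_h: float                     # hours from the start of the data window
    mode: str                         # failure mode, e.g. "fail to start"

def simultaneous_window_h(group):
    """Definition 1 of the text: the window inside which two failures count as simultaneous."""
    if group.kind == "standby_sequential":
        return group.test_interval_h
    if group.kind == "standby_staggered":
        return group.test_interval_h / 2.0
    if group.kind == "operating":
        return group.mission_time_h
    raise ValueError(f"unknown group kind {group.kind!r}")

def recent_window_h(group):
    """Definition 2 of the text: generic mean time between failures divided by the group size."""
    return (1.0 / group.generic_rate_per_h) / len(group.components)

def flag_ccf_candidates(group, records):
    """Pairs of failures of different components in the group, same failure mode, close in time.

    Each hit is (earlier component, later component, gap in hours, 'simultaneous' or 'recent').
    Repeated failures of a single component are skipped: the text treats those as a repair-quality
    (clustered data) question for the component reliability update, not as a CCF candidate."""
    sim, recent = simultaneous_window_h(group), recent_window_h(group)
    members = set(group.components)
    in_group = sorted((r for r in records if r.component in members), key=lambda r: r.time_h)
    hits = []
    for a, b in combinations(in_group, 2):
        if a.component == b.component or a.mode != b.mode:
            continue
        gap = b.time_h - a.time_h
        if gap < sim:
            hits.append((a.component, b.component, gap, "simultaneous"))
        elif gap < recent:
            hits.append((a.component, b.component, gap, "recent"))
    return hits

# Constructed data, not from the document: five sequentially tested standby pumps with a
# 720 h test interval and a generic rate of 1.0e-4 per hour, plus a hypothetical failure history.
PUMPS = CcfGroup("standby pumps", ("P1", "P2", "P3", "P4", "P5"), "standby_sequential",
                 test_interval_h=720.0, generic_rate_per_h=1.0e-4)
HISTORY = [
    FailureRecord("P1", 1000.0, "fail to start"),
    FailureRecord("P2", 1500.0, "fail to start"),   # 500 h after P1: simultaneous
    FailureRecord("P3", 3000.0, "fail to start"),   # 1500 h after P2: recent; 2000 h after P1: not
    FailureRecord("P5", 3100.0, "fail to run"),     # different failure mode: not paired
    FailureRecord("P4", 9000.0, "fail to start"),   # nothing within 2000 h: not flagged
]

if __name__ == "__main__":
    print("simultaneous window:", simultaneous_window_h(PUMPS), "h;",
          "recent window:", recent_window_h(PUMPS), "h")
    for hit in flag_ccf_candidates(PUMPS, HISTORY):
        print(hit)
```

The windows use strict "less than" comparisons, as the definitions are worded; a pair exactly one test interval apart is therefore not flagged, and the analyst may wish to loosen that for records whose timestamps are only known to the day.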
There are two alternative approaches that could be pursued for plant-specific updating of generic data. One approach is to treat the plant-specific data as a part of the specialized generic data and to select the value of one for the applicability factor. The impact of the plant-specific data in this approach would depend on the size and quality of the generic data (e.g., number of CCFs and number of demands in the generic database). The higher the quality of the specialized generic data, the less would be the impact of the plant-specific data. The other alternative could be to estimate the CCF model parameters based on plant-specific data when possible and to use the weighted average of plant-specific and generic data. The weighting factor would be subjective, depending on the analyst's confidence in generic vs. plant-specific data. The final aggregate results for the CCF parameters should conserve the constraints imposed by the specific CCF model used.

In the Phase 2 evaluation, the CCF estimates could be adjusted based on qualitative reasoning on the current plant practices in the areas of defenses against CCFs, including the corrective actions proposed by the plant. Methods reported by Bourne et al. (1981) and by Humpherys (1987a, 1987b) are candidates for this type of analysis.
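The multiple Greek letter model named above, and the requirement that the final parameters conserve the constraints of the chosen CCF model, can be made concrete with an added example (written for this page; not code from the document or from NUREG/CR-4780, whose parametric form it follows). The Python below converts MGL factors (beta, gamma, delta, ...) and a total component failure probability q_t into the basic-event probabilities Q_k for a group of m components, verifies the model's constraint that the weighted sum of the Q_k reproduces q_t, and blends generic and plant-specific factors with an analyst-chosen weight in a way that keeps that constraint satisfied. The parameter values are constructed, and the treatment of a group larger than the available factors (missing factors set to 1, so that a failure of that multiplicity fails the whole group) is this example's reading of the text's "if five fail, all fail".

```python
from math import comb

def mgl_basic_event_probs(q_t, factors, m):
    """Q_k^(m), k = 1..m, for the multiple Greek letter (MGL) model of an m-component group.

    q_t     : total failure probability of one component (independent plus common cause)
    factors : [beta, gamma, delta, ...]; factors[j] is rho_{j+2}, the conditional probability
              that at least j+2 components fail given that j+1 have (NUREG/CR-4780 form)
    Assumption made for this example (reading the text's "if five fail, all fail"): when fewer
    factors are given than the group needs, the missing rho values are set to 1, so a failure
    of that multiplicity is carried to failure of the whole group.
    """
    rho = [0.0, 1.0] + list(factors[: m - 1])   # rho[1] = 1 by definition; rho[0] unused
    rho += [1.0] * (m + 1 - len(rho))            # pad up to rho[m] when factors stop short
    rho.append(0.0)                              # rho[m+1] = 0: nothing beyond "all m fail"
    probs, running = [], 1.0
    for k in range(1, m + 1):
        running *= rho[k]                        # product of rho_1 .. rho_k
        probs.append(running * (1.0 - rho[k + 1]) * q_t / comb(m - 1, k - 1))
    return probs

def total_per_component(probs, m):
    """sum_k C(m-1, k-1) Q_k: the MGL constraint, which must reproduce q_t."""
    return sum(comb(m - 1, k - 1) * q for k, q in enumerate(probs, start=1))

def blend_factors(generic, plant, w_plant):
    """Weighted average of generic and plant-specific MGL factors.

    The weight is the analyst's judgement. Averaging the factors and recomputing the Q_k from
    the model, rather than averaging Q_k values, keeps the model's constraint satisfied."""
    if not 0.0 <= w_plant <= 1.0:
        raise ValueError("w_plant must lie in [0, 1]")
    return [w_plant * p + (1.0 - w_plant) * g for g, p in zip(generic, plant)]

def relative_error(a, b):
    return abs(a - b) / abs(b)

# Constructed parameters, not from the document: q_t = 1e-3 per demand, beta = 0.1, gamma = 0.5,
# and for the six-component case delta = 0.4, epsilon = 0.3 with no further factors available.
if __name__ == "__main__":
    for m, factors in ((3, [0.1, 0.5]), (6, [0.1, 0.5, 0.4, 0.3])):
        q = mgl_basic_event_probs(1e-3, factors, m)
        print(f"group of {m}:", ["%.2e" % v for v in q], "total %.2e" % total_per_component(q, m))
    blended = blend_factors([0.1, 0.5], [0.2, 0.3], w_plant=0.25)
    print("blended factors:", blended,
          "total %.2e" % total_per_component(mgl_basic_event_probs(1e-3, blended, 3), 3))
```

For the three-valve groups of Figure 3.5 this is the table a system modeler would attach to each group; the six-component run shows how the same factors spread the common-cause mass across more multiplicities, which is the reason the text warns that grouping choices change the system unavailability estimate.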
Quantitative analyses could also be performed in the Phase 2 evaluation based on failure time statistics. In this regard, plant-specific data on times of component failures in the CCF group should be collected, including any simultaneous failures. Since it is not expected that much data on multiple simultaneous failures will be found for use in the Kalinin PRA, reliance on predicting CCF probabilities based on statistical correlation of failure times (clustering) would be the only option. A method for performing such analysis based on clustering of failure times is described in Azarm et al. (1993).

3.2.4.4 Task Interfaces

The task on determining the frequency of initiating events has the following interfaces:

* it requires input from the Initiating Event Analysis and provides output necessary for the Initial and Final Quantification of Accident Sequences.
* a more subtle interface is found with the task System Modeling. System logic models may be necessary to quantify specific initiators, such as loss of a support system.
* the grouping of the individual initiators based on the expected plant response is performed as part of the task Initiating Event Analysis. Each group includes a number of initiators that have similar responses for the plant systems and operators. It is important that the understanding of the rationale used in the grouping process be carried over to the present task.

The component reliability task has the following interfaces:

Plant Familiarization. The identification of plant-specific data sources for estimating component failure parameters is initiated as a part of this task. In the current task, the plant-specific data are collected and used in combination with generic data to estimate the component failure parameters.

System Modeling. The output of the current task provides input to the task System Modeling. During the preliminary development of system models, generic component data is usually adequate. The component failure parameters estimated using plant-specific data have to be provided before the system fault trees can be finalized. The level at which data analyses are to be performed (component, train, etc.) for various unavailability contributors, the boundary of the equipment, and the associated failure modes should be coordinated between these two tasks (System Modeling and Component Reliability).

Frequency of Initiating Events. Estimation techniques used for component failure unavailability contributors are similar to those for initiating event frequencies. Consistency in the methods and software used should be maintained. The impact of initiating events on the unavailability of some basic events may be determined using data analysis, for example, the probability of loss of offsite power after a generator trip.

Common-Cause Failure Probabilities. The method and software used in estimating initiating event frequency and estimating common-cause failure probabilities should be consistent. The plant-specific database developed in the current task could be used for the plant-specific common-cause failure probability estimation.

Initial Quantification of Accident Sequences. Component failure parameters, by providing input to system modeling, are indirect input needed for quantification of accident sequences.

The task related to determining common-cause failure (CCF) probabilities has the following interfaces:

* as discussed earlier, there is an explicit relationship between CCF modeling and the scope/level of detail in the PRA. There is also direct interaction between this task and the task System Modeling in the area of grouping and modeling of the CCF components.
* the analysis of plant-specific data as a potential source for obtaining estimates of CCF and the use of CCF generic data also establish a strong link between this task and the task Component Reliability.
* the estimated CCF parameters are then used in the initial and final quantifications and sensitivity evaluations. The types of interactions expected from this task to other interrelated tasks are not simply in the form of input/output; rather, they involve two-way interactions. As an example, the initial quantification task uses the generic CCF parameters as input; however, this task will identify important CCF groups for which more detailed CCF analysis and estimation would be needed. Similarly, this task would describe specific guidelines for component grouping for modeling of CCF events which will be used in the system fault trees and for which this task would estimate CCF parameters.

3.2.4.5 References

Apostolakis, G., "Data Analysis in Risk Assessments," Nuclear Engineering and Design, 71, pp. 375-381, 1982.

Apostolakis, G., et al., "Data Specialization for Plant-Specific Risk Studies," Nuclear Engineering and Design, 56, pp. 321-329, 1980.

Ascher, H., and H. Feingold, Repairable Systems Reliability, Marcel Dekker, Inc., New York, 1984.

Atwood, C., et al., Handbook of Parameter Estimation for Probabilistic Risk Assessment, NUREG/CR-6823, Sandia National Laboratories, September 2003.

Azarm, M. A., et al., Methods for Dependency Estimation and System Unavailability Evaluation Based on Failure Data Statistics, NUREG/CR-5993, Vols. 1 and 2, Brookhaven National Laboratory, July 1993.

Azarm, M. A., and T.-L. Chu, "On Combining the Generic Failure Data for Probabilistic Risk Assessment," Proceedings of the International Conference on Probabilistic Safety Assessment and Management (PSAM), February 4-7, 1991.

Bourne, A. J., et al., Defenses Against Common-Mode Failures in Redundancy Systems, SRD-R196, Safety Reliability Directorate, January 1981.
Gentillon, C. D., Aggregation Methods for Component Failure Data in the Nuclear Computerized Library for Assessing Reactor Reliability, EGG-REQ-7775, Idaho National Engineering Laboratory, 1987.

Humpherys, P., et al., "Design Defenses Against Multiple Related Failures," Advanced Seminar on Common-Cause Failure Analysis in Probabilistic Safety Assessment, Kluwer Academic Publication, edited by A. Amendola, pp. 47-57, ISPRA, Italy, November 16-19, 1987a.

Humpherys, P., et al., "Analysis Procedures for Identification of Multiple Related Failures," Advanced Seminar on Common Cause Failure Analysis in Probabilistic Safety Assessment, Kluwer Academic Publication, edited by A. Amendola, pp. 113-129, ISPRA, Italy, November 16-19, 1987b.

Kaplan, S., "On the Method of Discrete Probability Distributions in Risk and Reliability Calculations--Application to Seismic Risk Assessment," Risk Analysis, 1, pp. 189-196, 1981.

Martz, H. F., and M. C. Bryson, "A Statistical Model for Combining Biases in Expert Opinions," IEEE Transactions on Reliability, R-33, August 1984.

Medhekar, S. R., D. C. Bley, and W. C. Gekler, "Prediction of Vessel and Piping Failure Rates in Chemical Process Plants Using the Thomas Model," Process Safety Progress, Vol. 12, pp. 123-126, April 1993.

Mosleh, A., et al., Procedure for Treating Common-Cause Failure in Safety and Reliability Studies: Analytical Background and Techniques, NUREG/CR-4780, Vol. 2, U.S. Nuclear Regulatory Commission, January 1989.

Stromberg, H. M., et al., Common-Cause Failure Data Collection and Analysis System, Vols. 1 through 6, INEL-94/0064, Idaho National Engineering Laboratory, December 1995.

Thomas, H. M., "Pipe and Vessel Failure Probability," Reliability Engineering, 2, pp. 83-124, 1981.

3.2.5 Human Reliability Analysis

The objectives of the human reliability analysis (HRA) task are to identify, analyze, and quantify human failure events (HFEs), the PRA event tree/fault tree model basic events involving human actions.
These overall objectives can be clarified by considering two distinct cases:

1. Pre-Initiating Event HFEs. This task is to quantify pre-initiating event HFEs.
2. Post-Initiating Event HFEs. Many post-initiating event errors of omission will have been identified during the Event Sequence Modeling and Systems Analysis tasks. This task must extend that list and perform the following activities:
- Identify the specific unsafe acts (UAs) and context associated with each identified HFE,
- Quantify the chance of each HFE, i.e., the probability of the HFE given the defined context,
- Identify and quantify the probability of human recovery for significant sequences, mindful of the dependent effects of unexpected plant conditions and unfavorable human performance conditions, i.e., the context for the human action.

3.2.5.1 Assumptions and Limitations

The post-initiating event HFEs (i.e., those occurring while attempting to mitigate the progression of the accident sequence) pose a much more complicated and risk-significant problem than pre-initiating event HFEs. Because human operators can interact with the plant and its processes in many ways, it would be impossible to precisely model all these potential interactions.
Therefore, a structure is required to organize the analysis along the most fruitful and important lines. Traditional approaches to HRA, such as THERP (Swain and Guttmann, 1983) and SLIM (Embrey et al., 1984), focus on those actions required for successful completion of functions modeled in the event trees, i.e., those HFEs that have been known as errors of omission. However, reviews of operating events at nuclear power plants and other industrial facilities have shown that errors of commission are often involved in the more serious accidents (Barriere et al., 1994; Barriere et al., 1995; Cooper, Luckas, and Wreathall, 1995; and USNRC, NUREG-1624). Moreover, the most serious accidents occur when conditions conspire to make human error very likely, i.e., when both unusual plant conditions and unfavorable human conditions [performance shaping factors (PSFs)] combine to create an error-forcing context (EFC). For such cases, the HRA problem changes from an attempt to evaluate the likelihood of random human error under nominal conditions (i.e., expected accident conditions) to one of evaluating the likelihood of the occurrence of EFCs as addressed in the second-generation method, ATHEANA.

A limitation of all first-generation methods is that they are not structured to address the question of errors of commission or the search for challenging context. A second limitation is that the methods themselves do not provide guidance for the identification and prioritization of HFEs. Rather, HFEs drop out of the event tree analysis and quantification tasks, leading to a lack of consistency in the specific human actions addressed in similar PRAs.[3] Because of the importance of human UAs in real-world accidents, it is necessary to propose a modification of existing methods to address these issues. This procedure guide assumes that recently developed search techniques for UAs and EFCs in the ATHEANA methodology (USNRC, NUREG-1624) can be adapted to existing quantification approaches to enhance the value of the PRA.

ATHEANA was developed to increase the degree to which an HRA can realistically identify, represent, and quantify the kinds of human behaviors seen in accidents and near-miss events at nuclear power plants and at facilities in other industries that involve broadly similar kinds of human/system interactions. In particular, ATHEANA provides this improved capability by:
- more realistically searching for the kinds of human/system interactions that have played important roles in accident responses, including the identification and modeling of errors of commission (EOCs) and important dependencies, and by
- taking advantage of, and integrating, advances in psychology, engineering, plant operations, human factors, and probabilistic risk assessment (PRA) in its modeling and quantification.

As is common to all second-generation methods, ATHEANA focuses on the context in which the operators must perform their function. Included in their focus on context is a systematic approach to identify important sources of dependency among human actions and between human actions and systems failures in the plant. Such interactions can couple human response to an entire sequence of seemingly independent cues, greatly increasing the likelihood of an HFE. All accident sequences which contain multiple HFEs should be examined for possible dependencies. If practical, HFEs which are completely dependent should be re-defined and modeled as a single event.

Finally, it is important to recognize that aspects of the HRA process for U.S. reactors may not apply to Russian reactors. For example, the PSFs of training, staffing, responsibilities, cross training, and cultural impacts on thinking can be different. Therefore, the assumptions that are implicitly embedded in quantification for many existing methods, e.g., tables for quantification using the THERP methodology (Swain and Guttmann, 1983), will not apply to the HRA of Russian reactors. Therefore, while first-generation methods can be used to structure the problem of where human error can occur and be corrected, their quantification information is highly suspect. For the Russian PRA project, a structured judgment approach for quantification will be required. For the pre-initiating event HFEs, some modification to the quantification tables in the handbook (Swain and Guttmann, 1983) involving the judgment of Russian experts will be needed (Forester et al., 2002). For the post-initiating event HFEs, other alternatives should be considered. For example, SLIM (Embrey et al., 1984) provides a structured approach for applying expert judgment based on the evaluation of PSFs for each HFE. The SLIM quantification could be enhanced by the thinking process of ATHEANA. This process entails evaluating the most-likely-to-be-significant UA-EFC pairs, the likelihood of the occurrence of the EFC, and the likelihood of the HFE under the EFC. This judgment-based evaluation offers a better chance for reasonableness than a table based on inapplicable experience.

[3] The exception is SHARP1 (Wakefield et al., 1992), a process for performing HRA (rather than a method for quantification) that provides guidance for the identification and prioritization of HFEs. Unfortunately, too few HRA analyses integrated their selected methods with the systematic SHARP1 process.

The final methodology described below represents a compromise among competing factors including state-of-the-art methodologies, budget and schedule, practical limitations on the interaction between plant experts and analysts, and other practicalities of the project. Specific caveats are given for the approach used for quantification in Task 4. The basic steps of HRA performed in support of nuclear power plant PRA are similar for all approaches; in some methods they are explicitly included, others assume that the steps are performed as part of the PRA, before the HRA begins. In some methods they are rigorous, in others they are more intuitive. The guidance provided below for the KNPS HRA is consistent with the basic HRA process described in somewhat different terms in SHARP1, ATHEANA, and the IAEA HRA guidelines (IAEA Safety Series 50-P-10). Additional generic guidance on good practices to be employed in HRA is available (NRC, 2005) which promotes improved HRA quality.

3.2.5.2 Products

The results of each pre-initiating event HFE analysis will be documented in a report. This report will also detail the basis for quantification. If U.S. data, such as the tables for quantification in the Swain and Guttmann (1983) handbook, are used, it may be necessary to modify the probabilities to account for Russian and plant-specific characteristics.

A detailed list of HFEs will be documented in a letter report. The search process for HFEs will consider the event tree model and those top events where human errors of omission or commission can defeat the associated safety function and make core damage likely.

An HRA report will be produced documenting Activities 1-4, providing the list of HFEs, detailing the context and UAs for each HFE, and documenting the analysis process and quantification results. This product will become part of the Backup Documentation, Human Reliability Analysis.

A detailed list of normal context and significant EFCs associated with each HFE will be documented in a report. The search process for EFCs begins with the HFE, then identifies the most important EFCs in a stepwise process. This product will specify the UA-EFC pairs identified for quantification and document the search process and associated analyst decisions.
The analysis will document all PRA sequences for which recovery was considered, explaining the reasons why recovery was or was not analyzed, and, when analyzed, documenting the analysis, explicitly considering the effects of the context.

3.2.5.3 Task Activities

The primary discussion in this section deals with dynamic actions following the initiating event. A second class of actions, pre-accident errors that are generally associated with test and repair activities, can be important in two cases:

1. When post-maintenance testing is insufficient to ensure that tested or repaired equipment has been completely restored to service. In this context, insufficient testing means insufficient by lack of procedural quality, by lack of assurance that the test will be performed, or by lack of test procedures.
2. When pre-accident errors can cause or influence post-accident human response, i.e., through a dependency between the pre- and post-accident errors.

These types of errors can be modeled using the methods described in the Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications (Swain and Guttmann, 1983), although the recommended values for human error probabilities cited will need to be verified as described below.

This work is accomplished by completing the following five Tasks:

Task 1 Quantification of pre-initiating event HFEs,
Task 2 Development of a detailed list of post-initiating event HFEs,
Task 3 Development of a detailed list of significant context associated with each post-initiating event HFE,
Task 4 Quantification of post-initiating event HFEs,
Task 5 Recovery analysis.

Each of these tasks is discussed below. This approach represents an extension of the HRA methodology beyond that found in the IAEA procedure guides (IAEA, 1992). Activity 1 is a stand-alone task. The next three, Activities 2-4, are linked together as the step-by-step evaluation of the post-initiating event HFEs. These activities are closely related to other PRA tasks.
Pre-initiating event human errors are identified in the task System Modeling. Post-initiating event human errors modeled in the fault trees and event trees are identified in the tasks System Modeling and Event Sequence Modeling. Recovery actions will be identified after completion of the initial quantification (see Section 3.2.6.1) and quantified in the final quantification (see Section 3.2.6.2). The ways the actions are included in the event trees and fault trees will be determined in coordination with the activities in System Modeling and Event Sequence Modeling. The quantification of these actions will allow System Modeling and Initial Quantification of Accident Sequences to proceed.

Task 1 - Quantification of Pre-Initiating Event HFEs

Pre-initiating event errors may leave part (or all) of a system unavailable for emergency operation. These types of errors occur during routine plant operation, testing, and repair activities and may persist undetected before the occurrence of an initiating event. They are included only in the system fault trees for the following reasons:
- The error rates for these actions do not depend on the sequence of events after an initiating event occurs.
- There is generally no significant human dependence between these errors and subsequent operator actions after the initiating event occurs. (Note that the ATHEANA search for EFCs considers cases in which this assumption of independence may not be valid.)

These types of errors can contribute to system unavailability if all of the following conditions occur:
- A test, inspection, or repair activity is performed. During this activity, a component is placed in an alignment that makes it unavailable for emergency operation.
- Testing, repair, or operations personnel fail to restore the component to its required status.
- The faulty condition is not discovered and corrected before an initiating event occurs.

Swain (THERP) is the generally accepted method for determining pre-initiating event HFEs. The methods found in the handbook (Swain and Guttmann, 1983) shall therefore be followed.

Task 2 - Development of a Detailed List of Post-Initiating Event HFEs

The human actions that are directed by plant procedures form the traditional basis for defining errors of omission for each initiating event.
These HFEs are identified during the Accident Sequence Development task and verified with plant operators. The selection of HFEs must be based on plant-specific design, capabilities, and priorities.

Task 3 - Development of a Detailed List of Significant Context Associated with Each Post-Initiating Event HFE

A number of PSFs could influence operator reliability, for example:
- Time of accident (day or night)
- Human interactions among personnel
- Scenario effect (the level of severity and difficulty the operator associates with the accident situation)
- Time available to make a decision and perform an action
- Level of operator knowledge
- Existence of training on a given scenario
- Quality of training
- Quality and availability of procedures
- Cognitive complexity
- Level of stress
- Human-machine interface.

Expert opinion, from plant operators, operations supervisors, and HRA analysts, can be used to develop an initial list of PSFs and to reduce the number of PSFs to those of most importance. Note that some factors vary by accident scenario and others are global as they are influenced by plant condition. Both types of factors should be considered for each post-initiating event HFE and structured into decision tree logic structures, with the PSFs used as top events. The decision tree is used in quantification and is shown as part of Task 4 below. Table 3-17 provides examples of PSFs used in the analysis and their definitions.
Task 4 - Quantification of Post-Initiating Event HFEs

As mentioned in the assumptions and limitations of Section 3.2.5.1, the approach for quantification represents a compromise among theoretical preferences and budget/schedule requirements as well as practicalities of the project including available expertise and limitations on the interaction between plant experts and analysts. The final approach used is a variation on the decision tree method (Spurgin et al., 1980, and Bareith et al., 1997). The approach is vulnerable to well-known theoretical objections: the PSFs are not independent; their relationships to each other and to any probability anchors are dependent on plant conditions and specifics of each different scenario; there is a lack of strong controls for bias and reliability; and no formal treatment of uncertainty is provided.

Pre-quantification qualitative analysis attempted to examine some of the issues of context described in second-generation HRA methods, and adaptations to the decision tree process attempted to account for dependencies. The benefits of the approach are that the issues important to HRA are well-examined qualitatively and can be used as the basis for improvements in the future.

The approach uses the following basic scheme and is more fully described in the references. Specifics of the final adaptations will be described in the KNPS final PRA report. Using the list of PSFs developed in the previous task, plant operations experts assign a weighting factor (referred to as a K-factor) based on the perceived importance of each decision tree top event (selected PSF). A simplified example decision tree is given in Figure 3.6. Each branch under the top event is assigned a K-value between 1.0 (for the most beneficial branch) and that PSF's K-factor (for the most detrimental branch). Each path through the decision tree has an accumulated coefficient on an arbitrary scale, obtained by multiplying the applicable K-values of the branches along the path associated with that end-state. Note that the higher the coefficient, the more unlikely it is that the operators will successfully accomplish the required action.

The decision tree is used to evaluate a specific HFE by having plant operations experts examine the required action against the logic of the tree.
By answering the questions raised by the decision tree logic, such as "What is the effect of the scenario on the operator?", "How effective is the MMI in helping the operator?", and so on, a pathway for a particular HFE through the tree can be drawn, and a corresponding point on the decision tree scale (i.e., in the set of end-states) can be defined. Calibration of the K-values to the probability of each HFE is accomplished by separately evaluating selected HFEs by other means and scaling the remaining events by the relationship between K-values and probabilities for the anchor events. Some adaptation of the K-values is possible to account for dependencies among the PSFs.

Task 5 - Recovery Analysis

The same process is used for the analysis of recovery actions as for the other post-initiating event HFEs as described in Tasks 3-5 above.

3.2.5.4 Task Interfaces

This task has extensive interactions with the following other PRA tasks.

Plant Familiarization. The HRA relies on information from the Plant Familiarization task to provide a basic understanding of plant design, operations, procedures, and crew manning levels.

Initiating Event Analysis. Development of initiating events should take into account the HRA contributions.

Accident Sequence Development. The HRA relies on the Accident Sequence Development task to identify a number of post-initiating event HFEs, to describe how the plant can fail in an integrated sense, and to define the context under which the operators must act.

System Modeling. The HRA relies on the System Modeling task to identify pre-initiating event HFEs and a basic understanding of how systems are operated and are interrelated.

Quantification and Results. The Initial Quantification is used to identify specific cases (sequences and cutsets) where human recovery actions are likely to be carried out and impact the results. The HRA provides quantified HFEs to use in the quantification of specific cutsets in the Quantification tasks.

3.2.5.5 References

Barriere, M. T., et al., "Multidisciplinary Framework for Human Reliability Analysis with an Application to Errors of Commission and Dependencies," NUREG/CR-6265, Brookhaven National Laboratory, August 1995.

Bareith, A., et al., "Treatment of Human Factors for Improvements at the Paks Nuclear Power Plant," Proceedings of PSAM III, Crete, Greece, 1997.
Barriere, M., et al., "An Analysis of Operational Experience During Low Power and Shutdown and A Plan for Addressing Human Reliability Assessment Issues," NUREG/CR-6093, Brookhaven National Laboratory, June 1994.

Chien, S. H., et al., "Quantification of Human Error Rates Using a SLIM-Based Approach," Proceedings of the 1988 IEEE Fourth Conference on Human Factors and Power Plants, Monterey, California, June 1988.
Table 3-17 Example of performance shaping factors

(Columns of the original table: Performance Shaping Factor; Potential Branches; Branch Definition. Each factor below is followed by its branches and their definitions.)

Available time (time interval from the first moment that the initiating event could begin until the moment when it would be no longer possible, accounting for the time to complete the initiating event):
- Long: Time is sufficient to complete the action even if the decision on taking the action is not made when it first becomes possible to complete the initiating event.
- Middle: Time is more or less sufficient to complete the action even if the decision on taking the action is not made when it first becomes possible to complete the initiating event.
- Short: Time is insufficient or barely sufficient to complete the action if the decision on taking the action is not made quickly when it first becomes possible to complete the initiating event, or the time required to take action is comparable to the time available to complete the initiating event.

Scenario effect (influence of the emergency situation on the operator at the moment the initiating event is complete):
- Easy: When the initiating event is completed, the parameters are not changing quickly, the process is stable, the stress level is not high, and the operator understands the situation and does not expect severe consequences.
- Medium: When the initiating event is completed, the parameters are changing more or less quickly, the stress level is medium, the process is not stable, and the operator understands the situation in general and may expect severe consequences.
- Severe: When the initiating event is completed, the parameters are changing quickly, there are extensive alarm and light signals occurring, the stress level is high, the process is not stable, and the operator may not understand the situation and expects severe consequences.

Cognitive complexity for decision making (cognitive complexity for making the decision on the need to complete an action, taking into account the impact of operator training on the initiating event):
- Simple: The need to complete the action is obvious, and the operator has good training on the initiating event.
- Difficult: The need to complete the action is not clearly obvious, and the operator has some training on the initiating event.
- Very difficult: The need to complete the action is not obvious, and the operator has no training on the initiating event.

Human-machine interface (quality and fitness of the human-machine interface associated with taking action on an initiating event, taking into account the quality of the information required to decide on the need to complete the initiating event):
- Good: The human-machine interface for taking action in the face of the initiating event is well designed, the quality and fitness of the interface allows completion of the action without difficulties, one operator can complete the action, and the information required to make the decision to take the action is good.
- Adequate: The quality and fitness of the interface for taking action in the face of the initiating event is more or less adequate, and the information required to make the decision to take action is only adequate.
- Poor: The interface features are not well designed for taking action in the face of the initiating event, the operator expects considerable difficulties in taking action, more than one operator is needed to take action, and the information required to make the decision to take action is inadequate for understanding (or the information is absent entirely).

Quality of procedures (impact of the availability and quality of relevant procedures related to the initiating event):
- Good: The initiating event is well described in the procedure, and the procedure is well known to the operator.
- Poor: The initiating event is poorly described or not described in the procedure, and the procedure is not well known to the operator.
Figure 3.6 Example of a decision tree for performance shaping factors
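As an added worked example (not code from the procedure guide or the KNPS project), the following Python script carries the Task 4 scheme through the PSFs and branches of Table 3-17: an expert K-factor per PSF, branch K-values running from 1.0 to that K-factor, the accumulated path coefficient as their product, and calibration of coefficients to HFE probabilities through anchor HFEs evaluated by other means. The K-factor values, the geometric spacing of intermediate branches, the two anchor HFEs and their probabilities, and the log-linear form of the calibration are constructed assumptions; the guide fixes none of them.

```python
"""K-factor decision tree quantification of a post-initiating event HFE.

Added worked example; not code from the procedure guide or the KNPS PRA.
PSFs and branch names follow Table 3-17. The K-factors, the geometric spacing
of intermediate branches, the anchor HFEs and their probabilities, and the
log-linear calibration are all constructed assumptions.
"""
import math

# Decision tree top events (PSFs): the K-factor an expert panel assigned to the
# PSF, and its branches ordered from most beneficial to most detrimental.
PSFS = {
    "available_time": (3.0, ["Long", "Middle", "Short"]),
    "scenario_effect": (2.0, ["Easy", "Medium", "Severe"]),
    "cognitive_complexity": (4.0, ["Simple", "Difficult", "Very difficult"]),
    "human_machine_interface": (2.5, ["Good", "Adequate", "Poor"]),
    "quality_of_procedures": (1.5, ["Good", "Poor"]),
}


def branch_k_value(psf, branch):
    """K-value of one branch: 1.0 for the most beneficial branch and the PSF's
    K-factor for the most detrimental one. Intermediate branches are spaced
    geometrically between the two (an assumption; the guide leaves the spacing
    to the analysts)."""
    k_factor, branches = PSFS[psf]
    position = branches.index(branch) / (len(branches) - 1)
    return k_factor ** position


def path_coefficient(answers):
    """Accumulated coefficient of one path through the tree: the product of the
    K-values of the branch chosen under every top event. The scale is arbitrary;
    a higher coefficient means the action is less likely to be accomplished."""
    if set(answers) != set(PSFS):
        raise ValueError("every PSF must be answered exactly once")
    coefficient = 1.0
    for psf, branch in answers.items():
        coefficient *= branch_k_value(psf, branch)
    return coefficient


def calibrate(anchors):
    """Fit log(p) = a + b * log(coefficient) by least squares through anchor
    HFEs whose probabilities were obtained by other means. Two anchors with
    different coefficients are reproduced exactly; more anchors give a fit
    whose residuals show how far the anchors disagree with the tree."""
    if len(anchors) < 2:
        raise ValueError("at least two anchor HFEs are needed")
    xs = [math.log(path_coefficient(answers)) for answers, _ in anchors]
    ys = [math.log(p) for _, p in anchors]
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0.0:
        raise ValueError("anchors must not all share one coefficient")
    b = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / sxx
    a = mean_y - b * mean_x
    return a, b


def hfe_probability(answers, model):
    """Probability of the HFE whose path through the tree is `answers`, scaled
    from the anchors; capped at 1.0 because the fit can extrapolate above it."""
    a, b = model
    return min(1.0, math.exp(a + b * math.log(path_coefficient(answers))))


# Constructed anchor HFEs: the all-beneficial and all-detrimental paths, with
# probabilities assumed to have come from a separate evaluation.
BEST_CASE = {"available_time": "Long", "scenario_effect": "Easy",
             "cognitive_complexity": "Simple", "human_machine_interface": "Good",
             "quality_of_procedures": "Good"}
WORST_CASE = {"available_time": "Short", "scenario_effect": "Severe",
              "cognitive_complexity": "Very difficult",
              "human_machine_interface": "Poor", "quality_of_procedures": "Poor"}
ANCHORS = [(BEST_CASE, 1.0e-3), (WORST_CASE, 0.5)]
MODEL = calibrate(ANCHORS)

# Constructed example HFE: the experts' answers to the tree's questions.
EXAMPLE_HFE = {"available_time": "Middle", "scenario_effect": "Medium",
               "cognitive_complexity": "Simple",
               "human_machine_interface": "Adequate",
               "quality_of_procedures": "Poor"}

if __name__ == "__main__":
    print(f"coefficient = {path_coefficient(EXAMPLE_HFE):.3f}")
    print(f"probability = {hfe_probability(EXAMPLE_HFE, MODEL):.3e}")
```

Running the script prints the coefficient and calibrated probability of the constructed example HFE. The coefficient alone carries no meaning until anchors are supplied, which is the point the guide makes about calibration; the dependency adaptations of the K-values that the guide mentions are not modeled here.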
Chu, T.-L., et al., "Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations at Surry, Unit 1: Analysis of Core Damage Frequency from Internal Events During Mid-Loop Operations," Vol. 2, Part 1B, Chapter 8, NUREG/CR-6144, Brookhaven National Laboratory, June 1994.

Cooper, S. E., W. J. Luckas, and J. Wreathall, "Human-System Event Classification Scheme (HSECS) Database Description," Brookhaven National Laboratory Technical Report L-2415/95-1, December 21, 1995.

Embrey, D. E., et al., "SLIM-Maud: An Approach to Assessing Human Error Probabilities Using Structured Expert Judgment," NUREG/CR-3518, Vols. 1 and 2, Brookhaven National Laboratory, 1984.

Forester, J., D. Bley, S. Cooper, A. Kolazkowski, E. Lois, N. Siu, E. Thornsbury, and J. Wreathall, "Improved ATHEANA Quantification Process and Data Needs," to be published in proceedings of OECD/NEA Working Group WG-Risk Assessment: Building the New HRA: Strengthening the Link between Experience and HRA, Munich, Germany, January 2002.

IAEA, "Human Reliability Analysis in Probabilistic Safety Assessment for Nuclear Power Plants," Safety Series 50-P-10, International Atomic Energy Agency, 1995.

IAEA, "Procedures for Conducting Probabilistic Safety Assessments of Nuclear Power Plants (Level 1)," Safety Series No. 50-P-4, International Atomic Energy Agency, 1992.

Spurgin, A. J., et al., "Operator Reliability Experiments Using Power Plant Simulators," EPRI NP-6037, Electric Power Research Institute, Palo Alto, California, 1990.

Swain, A. D., and H. E. Guttmann, "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278, Sandia National Laboratories, 1983.

USNRC, "Technical Basis and Implementation Guidelines for A Technique for Human Event Analysis (ATHEANA)," NUREG-1624, Rev. 1, U.S. Nuclear Regulatory Commission, May 2000.

USNRC, "Good Practices for Implementing Human Reliability Analysis (HRA)," NUREG-1792, U.S. Nuclear Regulatory Commission, April 2005.

Wreathall, J., and A. Ramey-Smith, "ATHEANA: A Technique for Human Error Analysis--An Overview of Its Methodological Basis," OECD/NEA Specialists Meeting on Human Performance in Operational Events, Chattanooga, Tennessee, October 13-17, 1997.

Wakefield, D. J., G. W. Parry, A. J. Spurgin, and P. Moieni, "Systematic Human Action Reliability Procedure (SHARP) Enhancement Project, SHARP1 Methodology Report," EPRI TR-101711, Electric Power Research Institute, Palo Alto, CA, 1992.

3.2.6 Quantification and Results

The quantification and results component consists of three tasks: (1) initial quantification of accident sequences, (2) final quantification of accident sequences, and (3) sensitivity and importance analyses. The objective of the task on initial quantification is to perform an initial, preliminary quantification of the set of accident sequences, i.e., once the event tree-based, system-level expressions become available. Through this task, models that represent the response of plant systems and operator actions are linked to plant initiators to form, in terms of basic events, the logic expressions for accident sequences. The objective of the final quantification is to identify those accident sequences considered to be dominant after initial quantification and to determine where refinements to the risk profile may be warranted and then to carry out the new quantification. The objective of the sensitivity analysis is to investigate the implications of modeling choices other than the choices that were actually used.
The objective of the importance analysis is to assess the importance of model parameters, evaluated within the terms of the model itself.

3.2.6.1 Assumptions and Limitations

Compromises and assumptions that were made in previous tasks, such as the event sequence modeling task, the system modeling task, and the data analysis task, indirectly limit the output from this task. Further limits on the applicability of the outputs from this task come directly from the limits imposed by the level of truncation employed and the lack of recovery modeling employed in the model. Since the output from this task is based on preliminary data and partial modeling (recovery is addressed in a subsequent task), the information derived should only be applied to prioritize future work. The following activities are performed as part of this task.

3.2.6.2 Products

The products of the task on initial quantification of accident sequences are:

1. Based on unrefined data, screening human error probabilities, and taking no credit for recovery, this task produces reduced logic expressions and associated frequencies for each accident sequence and each plant damage state.
2. In addition, although this task does not produce final results, it must be documented to the degree necessary to support an audit of the subsequent modeling choices that were based on the results of this task. In particular, it should be documented sufficiently to support replication of the results. This documentation will take the form of an appendix, as described under the task Documentation. The types of PRA audits are discussed in the task Quality Assurance.

The products for the task on final quantification of accident sequences are the expressions, probability of frequency plots, and associated mean frequencies for: (a) each accident sequence, before and after recovery is credited, and (b) each plant damage state, before and after recovery is credited.

The products of the task on sensitivity and importance analyses are:
- Importance rankings for systems and components at the conclusion of the study,
- Quantification of model sensitivity to alternative choices in controversial modeling areas (e.g., core damage frequency calculated assuming changes in baseline assumptions),
- System-level and component-level importance measures based on the focused PRA model,
- Discussion of "PRA Insights" based on system and component importance measures.

3.2.6.3 Task Activities

The quantification and results component consists of three tasks: (1) initial quantification of accident sequences, (2) final quantification of accident sequences, and (3) sensitivity and importance analyses.

Task 1 - Initial Quantification of Accident Sequences

The objective of this task is to perform an initial, preliminary quantification of the set of accident sequences, i.e., once the event tree-based, system-level expressions become available.
Through this task, models that represent the response of plant systems and operator actions are linked to plant initiators to form, in terms of basic events, the logic expressions for accident sequences. Initial quantification is described below in general terms. More detailed guidance is provided in some of the references listed at the end of this chapter. In particular, reference should be made to Drouin (1987) and NRC (1997).

1. Boolean Expressions. Initiate an algorithm that transforms each system-level accident sequence representation derived from the task Event Sequence Modeling into a component-level Boolean expression containing the minimal cutsets.
2. System Success. Account for system success as necessary by using the approximation techniques mentioned below.
3. Truncation Levels. Re-run the calculation with different truncation levels until the calculation runs to completion with as little truncation as possible. Of course, the level of the truncation should be commensurate with the intended application of the PRA study and the level of available data. Identification of potential subtle interactions between systems and support systems requires, for example, retention of higher order cutsets.
4. Plant Damage States. Formulate and quantify a logic expression for each plant damage state (corresponding to the logical OR of sequences binned into that state).

Since the process described above is the integration of a large amount of information for the first time, a significant level of review, troubleshooting, and iteration with previous tasks is necessary. An accident sequence expression can be very complex, and subtle logic errors manifest themselves at this stage. Incorrect formulations, in the context of a system model, may lead to erroneous logic at the sequence level. Disallowed system configurations that have been eliminated from system models may emerge again at the sequence level, depending on how disallowed configurations have been dealt with.

Much of the point of the detailed model development is to properly reflect the conditional relationships between failures of different systems or between the initiating event and subsequent system failures. For example, if a support system failure affects more than one system in a sequence, this is likely to be important, and it is essential for this to be properly reflected in the accident sequence expression. Similarly, if a pipe break initiating event can adversely affect mitigating systems, this must be captured. In order for these properties to hold, the linkage must be modeled properly, and the sequence quantification task must be executed properly. Although the project controls in the system modeling task should have ensured that the separate system models are properly interfaced, review at this stage to see that it has been done properly is a good idea.

System success in a sequence may also be significant. The conjunction of system A succeeding and system B failing may be much less likely than the unconditional failure of system B viewed in isolation.
It has been found that neglect of this point can seriously distort accident sequence quantification. Therefore, it is customary to address this point, even though neglecting it may be "conservative" and addressing it is troublesome.

Formally, one should construct an expression which logically ANDs system A success with system B failure. The feasibility of this will depend on many things, including the software being used.

It has been customary to address this point by formulating a logic expression containing the conjunctions of failures that are considered inconsistent with the sequence logic (success of system A and failure of system B). This logic expression is then used as a template to systematically delete from the pure failure portion of the accident sequence expression those terms indicated by the template to imply the failure of the system that is supposed to succeed. At best, this is an approximation and, in applying it, one must take care not to eliminate "late" system failures that may be consistent with "early" system success. This point is further discussed below.

So-called "phased mission analysis" is very closely related to this point. A particular system may be challenged more than once during an accident sequence, perhaps with different mission success criteria. The system modeling must accommodate the necessary distinctions, but this point is not completely addressed until accident sequence quantification. Certain illogical outcomes must be avoided. A contribution that implies early failure and late success may be an error. Such a contribution is legitimate only if the failed equipment is restored (and the restoration is modeled) or if mission success is indeed compatible with both early failure and late success. The situation is more complex with respect to early success and late failure. There may be contributions to late failure from system failures occurring after the early success that are not necessarily incompatible. However, care must be taken.

Exhaustive treatment of these issues is not common in U.S. full power PRAs, partly because it is burdensome and not necessarily important (see, for example, Drouin, 1987). It appears in many full power PRAs that failures occurring during standby are much more important than failures occurring after an initiating event (because the exposure time is much longer). However, it is the analysts' burden to address these issues and decide whether it is necessary to allocate modeling resources to them. In general, a conservative approximation will present itself, and this can be adopted if it does not distort the risk profile in an unacceptably misleading way. A paper by Xue and Wang (1989) discusses the issues and presents algorithms to include during sequence quantification.

Obtaining explicit, reduced, complete, basic event level expressions for all accident sequences would be impracticable for most plant models developed in recent years. The Boolean expressions become too large to be manipulated efficiently. (The large event tree approach may offer certain advantages in this regard.) However, the top event frequency may be dominated probabilistically by a small fraction of the terms in the full expression. Many terms can then be neglected without significant change to the results or conclusions. The process of "truncating" these contributions makes accident sequence quantification feasible. Typically, this is implemented in a computer code by setting a truncation cutoff level and instructing the algorithm to dispose of cutsets whose probability is less than the cutoff. The effect of such an algorithm is not always easy to predict; for example, it can depend on the level of detail to which failure events have been modeled. If a failure event has been decomposed into a large number of individually unlikely basic events, then cutsets containing these unlikely events are more likely to be truncated than if a single lumped event is used to capture all of the contributions.

If truncation is done without an appreciation of how much top event probability is being sacrificed, then it is an uncontrolled approximation. This is an important point. It is customary to base many sensitivity studies and importance analyses on the Boolean expressions obtained through the truncation process. Clearly, the results of such sensitivity studies can be seriously distorted by truncation. Truncation is, therefore, to be carried out only to the degree necessary to allow the analysis to go forward in a practical way, and its effects on later uses of the results must be assessed. Evidently, if a sequence's probability (conditional on the initiating event) is assessed to be only a few orders of magnitude greater than the truncation level used to simplify processing, then the result is clearly suspect.
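The template deletion for system success and the truncation discussion above, as one added worked example (illustration code written for this page, not from the guide or from any PRA code; the cutsets, event names, and point estimates are constructed): system B's failure cutsets are pruned using system A's failure cutsets as the template; a bus loss occurring after A's mission is carried as a separately named basic event so the "late failure" caveat is respected; and the pruned expression is then truncated twice, once with lumped train events and once with each train decomposed into five sub-events of the same total probability, reporting the probability mass each truncation throws away.

```python
"""Success-term deletion and probability truncation on the cutsets of one
accident sequence. Added illustration for this page; event names and point
estimates are constructed, not taken from any study."""
from math import prod

# Constructed point estimates, conditional on the initiating event.
P = {
    "A_PUMP1": 1e-2, "A_PUMP2": 1e-2,     # frontline system A, two trains
    "B_VALVE1": 1e-2, "B_VALVE2": 1e-2,   # frontline system B, two trains
    "DC_BUS": 1e-3,                       # shared DC bus lost before A's mission
    "DC_BUS_LATE": 2e-4,                  # same bus lost after A completed its mission
    "DC_BAT_CCF": 5e-4,                   # common-cause failure of the bus batteries
}

# Minimal cutsets of "system X fails" (constructed, already reduced).
A_FAILS = {frozenset({"A_PUMP1", "A_PUMP2"}), frozenset({"DC_BUS"}),
           frozenset({"DC_BAT_CCF"})}
B_FAILS = {frozenset({"B_VALVE1", "B_VALVE2"}), frozenset({"DC_BUS"}),
           frozenset({"DC_BUS_LATE"}), frozenset({"DC_BAT_CCF"})}


def rare_event(cutsets, p):
    """Rare-event approximation: sum of the cutset probabilities."""
    return sum(prod(p[e] for e in cs) for cs in cutsets)


def delete_success_terms(failure_cutsets, success_template):
    """Approximate 'A succeeds AND B fails': drop every B cutset that contains
    a complete cutset of A, since such a term would have failed A as well."""
    return {cs for cs in failure_cutsets
            if not any(t <= cs for t in success_template)}


def truncate(cutsets, p, cutoff):
    """Keep cutsets with point probability >= cutoff, and also return the
    probability mass discarded so the approximation stays controlled."""
    kept, discarded = set(), 0.0
    for cs in cutsets:
        q = prod(p[e] for e in cs)
        if q >= cutoff:
            kept.add(cs)
        else:
            discarded += q
    return kept, discarded


def decompose(cutsets, p, event, n):
    """Split one lumped basic event into n equally likely sub-events (an OR
    decomposition preserving total probability); return new cutsets and table."""
    parts = [f"{event}_{i}" for i in range(n)]
    p2 = {k: v for k, v in p.items() if k != event}
    p2.update({q: p[event] / n for q in parts})
    out = set()
    for cs in cutsets:
        if event in cs:
            out |= {(cs - {event}) | {q} for q in parts}
        else:
            out.add(cs)
    return out, p2


def conditional_b_failure():
    """Unconditional P(B fails) versus P(B fails | A succeeds) by template deletion."""
    cond = delete_success_terms(B_FAILS, A_FAILS)
    return rare_event(B_FAILS, P), rare_event(cond, P), cond


def truncation_effect(cutoff=1e-5):
    """Truncate the same expression with lumped and with decomposed train events."""
    cond = delete_success_terms(B_FAILS, A_FAILS)
    kept_l, lost_l = truncate(cond, P, cutoff)
    dec, p2 = decompose(cond, P, "B_VALVE1", 5)
    dec, p2 = decompose(dec, p2, "B_VALVE2", 5)
    kept_d, lost_d = truncate(dec, p2, cutoff)
    return (rare_event(kept_l, P), lost_l), (rare_event(kept_d, p2), lost_d)


if __name__ == "__main__":
    unc, cond, _ = conditional_b_failure()
    print(f"P(B fails) = {unc:.2e}, P(B fails | A succeeds) ~ {cond:.2e}")
    (kept_l, lost_l), (kept_d, lost_d) = truncation_effect()
    print(f"lumped:     kept {kept_l:.2e}, discarded {lost_l:.2e}")
    print(f"decomposed: kept {kept_d:.2e}, discarded {lost_d:.2e}")
```

With these values the unconditional failure probability of B is 1.8e-3, but once the cutsets that would also have failed A are deleted it drops to 3e-4; the late bus loss survives the deletion only because it was modeled as a distinct event from the early one. Truncating at 1e-5 discards nothing when the train events are lumped, yet discards the entire 1e-4 two-train contribution once each train is split into five sub-events, leaving only the late bus loss: the same model, the same cutoff, and a third of the probability silently gone.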
Task 2 - Final Quantification of Accident Sequences

At this stage of the analysis, certain portions of the model may have been constructed in a simple way with a slightly conservative bias in order to obtain a quick look at the risk profile. The objective of this task is to identify those accident sequences considered to be dominant at this stage of the analysis and to determine where refinements to the risk profile may be warranted. Two such areas where refinements are necessary are human error modeling and parametric common-cause modeling. Other areas may have been treated similarly by the analysts. At this stage, sensitivity of results to each issue is assessed to determine whether more work is necessary to improve the model in this regard.

Until preliminary sequence models were available, recovery modeling was somewhat premature. At this point, leading contributors to sequence frequencies are further analyzed to see whether recovery modeling changes the results significantly. If so, the sequence expressions are augmented to more fully address operator/plant recovery actions.

"Quantification" implies treatment of uncertainty. For purposes of this task, uncertainty of each model parameter is developed as appropriate in the tasks on human reliability analysis, component reliability, or common-cause failure probabilities. The propagation of parameter distributions through the integrated model is accomplished by software whose detailed description is beyond the scope of this guide. Ericson et al. (1990) does provide some information regarding software used for uncertainty propagation.

Most of the parameters that appear explicitly in a PRA model are not objective physical parameters. Rather, they are frequencies or split fractions that depend on manufacturing processes, programmatic activities, management decisions, maintenance practices, operator training, and so on. When a PRA model has been refined to where the results are considered state of knowledge and when the PRA model provides a representative picture of the as-built, as-operated plant, then a key output of the overall project is the body of embedded assumptions upon which the model structure and model parameters rest. The technical adequacy of the PRA is closely aligned to how well these assumptions are fulfilled. This point is discussed further in the section on Sensitivity and Importance Analyses.

1. Sensitivity and Uncertainty
Sensitivity and uncertainty analyses are carried out to ascertain contributors that are dominant to the risk profile and contributors that are not dominant but to which results are sensitive. This activity should be done generically, either with emphasis on human errors or with emphasis on common-cause parameters and, also generally, with a view toward deciding which areas may need attention. The analysts should begin by simply looking at the minimal cutsets to see what is dominant. Computer-assisted analysis can help in this regard. Some items whose "point" likelihood seems small may actually dominate the results when uncertainty is properly reflected, and this is the kind of item that needs more attention.

2. Enhanced Modeling
Uncertain probabilities may have been conservatively quantified in the initial quantification in order to prevent possible loss of significant scenarios in a screening process. Therefore, at the present stage, items that appear insignificant are likely to be insignificant, unless there is significant uncertainty associated with them. Decisions are made at this stage as to whether sensitivity items have been modeled well enough and, if not, how the modeling should be enhanced.

3. Recovery Actions
Significant recovery actions are identified, and engineering descriptions of these actions are furnished to the analysts responsible for their quantification. These are actions for which credit can be justified and for which results are significantly altered. These actions may include those actions performed in direct response to an accident and/or actions performed in recovering a failed or unavailable system or component. Credit for both types of actions should not be taken unless procedural guidance and training in the required actions are part of the operations at the plant.

4. Requantification
The entire model is requantified using the best available models and data. Propagation of uncertainty through all models is included in this activity. Software for propagating uncertainty distributions is available and is mentioned in the Ericson et al. reference, for example.
Common-Cause Modeling
Based on the preliminary accident sequence quantification and on sensitivity and importance results, the common-cause quantification is reviewed (see Section 3.2.4), and the resulting parameterization is used in this task.

Recovery Modeling
In many plants, particularly older ones, it has been found that unacceptable results (unacceptably high accident frequencies) are obtained if it is assumed that no operator action is taken to initiate or reinitiate system operation in the event of problems, such as misaligned valves or breakers, spurious system trips, or even outright component failure. It is, therefore, necessary to model actions taken after the initiating event, not only the proceduralized actions represented at the event tree heading level but also actions that could potentially be taken to recover failed equipment. Correspondingly, appreciation of the role of these actions in the safety basis has been significantly enhanced, possibly through the development or revision of emergency operating procedures and other procedural guidance and operator training.

Such recovery actions must, in general, be modeled at or near the cutset level rather than at the system level. Recoverability of a system depends on which component has failed and on the environment near the failed component that could jeopardize recovery actions by operators. There are other factors as well. Is the component accessible? Is the environment too harsh, or even contaminated? How much time will be needed to effect any necessary repair? The answers to these questions depend, in general, on the details of each particular cutset. At the very least, recoverability depends on the basic event being analyzed. More generally, however, recoverability (even "diagnosability") of each event depends on the state of the rest of the system. As such, everything that is true for the accident sequence is true for every minimal cutset in the sequence. In addition, each minimal cutset has more specific characteristics that must be accounted for.

Modeling of any particular instance of "failure to recover from a basic event" is, of course, a particular application of human performance modeling. Techniques to accomplish this are discussed in the task Human Reliability Analysis. These techniques do not come into play until the scope and feasibility of each recovery action have been established from an engineering point of view.

Occurrence of a particular basic event may essentially place a system into an irreversible state from which recovery of the basic event does not recover the system, even though no minimal cutset is strictly true with the event recovered. A trivial example would be an event, such as loss of seal cooling, that leads to a transient-induced loss-of-coolant accident. Recovery of cooling will not necessarily reseal the loss-of-coolant accident. In addition to these types of cases in which one component suffers damage as a result of another's behavior, it is possible for other kinds of state changes to occur that are not necessarily unrecoverable but whose recovery must be analyzed in the context of the entire cutset.

Since each accident sequence may comprise thousands of minimal cutsets, it may be asked how feasible it is to approach recovery modeling with any rigor at the cutset level. Fortunately, some of the above considerations can be formulated logically within some software packages, permitting some automation of the process of recovery modeling. This kind of modeling has been very important in the analysis of older U.S. plants.

Guidelines for Prioritization
In order to produce the best possible final result, it is important to identify those areas of the model that need the most work. Some rules of thumb for evaluating individual systems or components are listed here. It is reemphasized that the analysts are responsible for formulating and applying their own reasoning processes.

Items (systems or basic events) that have a high Fussell-Vesely importance (or high Risk Reduction Worth) are candidates for reexamination because the overall results are clearly sensitive to these items. If they were improved (e.g., increase in system availability), the calculated risk would diminish. If the quantification upon reexamination is found to be reasonable, then cost-beneficial ways to reduce these contributions should be considered.

Items that have a high Birnbaum importance (or high Risk Achievement Worth) are also candidates for examination because they are frequently challenged. If they have a high Birnbaum importance and a low Fussell-Vesely importance, this is because they have been modeled as very reliable. The results of the model depend critically on the correctness of this modeling, and it is important to make sure that the items are truly reliable.

Items that have both high Fussell-Vesely and high Birnbaum importances should be examined very carefully. Such items are challenged frequently, but they are not considered reliable. These items are high priority items.

All of the above comments are affected by uncertainty. The single-event importance measures on which the above rules of thumb are based have very limited meaning. Events that are "important" can be considered to need examination, but generally, unless a model contains significant single-failure cutsets, combinations of events are more important than individual events, and the single-event importance measures are a poor way to analyze combinations. In a related vein, the effects of embedded assumptions are potentially very important. A marginal success path credited in the PRA can artificially and inappropriately reduce many single-event importances. These matters are discussed further under Sensitivity and Importance Analyses.

Task 3 - Sensitivity and Importance Analyses
There are two major objectives of this task.
One objective ("Sensitivity Analysis") is to investigate the implications of modeling choices other than the choices that were actually made in the formulation of the model. This is necessary in order to reinforce the credibility of the model and, by implication, the credibility of the safety basis. The other objective ("Importance Analysis") is to assess the importance of model parameters, evaluated within the terms of the model itself. This is done during modeling tasks in order to help focus resources on the most critical modeling areas and is done at the conclusion of the analysis in order to help in implementation of the safety basis (e.g., optimal allocation of testing and maintenance resources, based in part on measures of the importance of particular failure probabilities or particular maintenance unavailabilities).

Sensitivity Analysis
In developing a Level 1 PRA model, many issues may arise due to lack of knowledge about them. For example, the success criteria for systems in different boundary conditions may be unknown, and the level of detail of a system model may need to be determined. One way to resolve the issue on success criteria is to perform detailed deterministic analysis including testing and experiments. In this case, sensitivity calculations can possibly determine the most important cases that should be deterministically evaluated. In the case of system modeling, sensitivity calculations based on a simplified logic model can potentially determine that a more detailed model is not necessary. PRA areas that are prime candidates for sensitivity analysis include: failure data, human reliability analysis, common-cause failure analysis, success criteria, and pump seal models.

Likely examples of highly significant issues are the feasibility of a particular recovery action taking place during an accident or a question of event tree structure (whether a given core damage sequence can be transformed into a successful outcome by operation of a particular system) or perhaps a question of binning (whether the phenomenology of a particular sequence warrants placing it into one bin or another). If the sensitivity issue is such that extensive modeling would have to be undertaken in order to treat each possible outcome thoroughly and if such treatment is infeasible within the scope of the project, then it may be necessary to live with significant uncertainty in the results. Such an outcome is a rational input to consideration of follow-on work.

Particularly important instances of sensitivity calculations are those that establish the robustness of the mission success criteria assumed in the system models. These success criteria can significantly affect the logic structure of the model. Similarly, assumptions might have been made regarding whether certain transients cause safety relief valves to lift, and this can affect event tree structure. It must be the responsibility of the analysts to identify priorities in these areas.

After the base case PRA model is finalized, the PRA can be used in different applications. Sensitivity calculations are often performed to evaluate the changes in plant risk as a result of changes in plant design, operation, and operator training. The changes at the plant may be to correct the vulnerabilities identified in the PRA study or to implement changes in regulatory requirements. For example, as part of the Individual Plant Examination program of U.S. plants, the utilities are required to perform sensitivity calculations to evaluate any plant improvements made as a result of the Individual Plant Examination. Other PRA applications include changes in allowed outage times in the Technical Specifications, increases in test or inspection intervals of the inservice testing program and inservice inspection program, and planning of online maintenance activities.

Importance Analysis
This section refers to importance analyses performed on sequence-level Boolean expressions. When the plant model has been brought to a stage at which accident sequences are expressed in terms of trains and components (with component failures in support systems explicitly factored in), then a great deal of information is present in these sequence-level expressions. Some conclusions may suggest themselves from inspection of the expressions, but generally, their complexity makes it impractical to try to derive insights in this way. At this stage, it is potentially useful to perform importance calculations which rank model parameters (such as basic event probabilities) according to how much the model parameter influences the results or how much change in the results would take place if the parameters were to change. These results are useful in deciding how much work to invest in carefully quantifying model parameters. In more advanced applications, one can assess the importance of conjunctions of events; the importance of a conjunction can help to decide whether to invest in searching for dependencies between the elements of the conjunction. When the PRA is substantially complete and the safety basis has been formulated, the importance analysis can help to establish how to allocate performance over the elements of the safety basis and, in particular, how to allocate testing and maintenance effort over the elements of the safety basis. Finally, once the model has been brought into essentially final form, the importance analysis is the primary tool for deriving "insights" from the PRA.

Importance information transcends the complexity of a plant logic model to provide a kind of sensitivity-type information that is understandable and can be very valuable. For example, in many previous studies, the top event frequency has been found to be dominated by a few contributors. That is, it has been found that scenarios that have in common relatively few "important" events sum to a large fraction of calculated top event frequency. A finding of this kind is important to discuss in the conclusions of the PRA. The reasons for such a circumstance should be identified and discussed.

At various stages of model development (cf. "relationship to other tasks" above), it is useful to develop importance ranking tables as part of a model review and debugging effort. It is first important to review the leading terms in the logic expressions for the various accident sequences in order to ensure that they make sense, but, in general, these expressions are too large to be reviewed entirely by inspection. Importance rankings by their nature provide information about the entire expression (information that must be interpreted with great care). Events at the top of the lists should be questioned: why are these events ranked highly? If the answer is not obvious, then the modeling should be checked, both in the logic aspects and in the quantification aspects. An analogous question should be asked about events at the bottom of the lists: why are these events ranked low? Again, if the answer is not obvious, then the model should be checked. Generally, surprises on the importance lists are either indications of modeling error or signal the emergence of a modeling insight. Events at the top of one or more importance lists need to be quantified with great care. Events appearing at the top of lists based on different measures should be examined with great care; such a case may correspond to a critical function being unreliably performed. This would clearly warrant attention, both in modeling and perhaps in plant operation.

There are some applications for which importance measures are not suited. Generally, if conventional importance analysis suggests that a particular system, structure, or component (SSC) is important, then it probably is; if conventional importance analysis suggests that a particular SSC is not important, this conclusion cannot be accepted without careful exploration of the reason for that result. Conclusions from importance tables are, therefore, to be drawn very carefully. During model development, however, importance analysis is a very useful way to develop understanding of the model.

The activities to be done for the importance analysis are:
1. In support of the Human Reliability Analysis (see Section 3.2.5), generate importance rankings for human errors (Fussell-Vesely and Birnbaum and/or Risk Reduction and Risk Achievement Worths).
2. In support of the parametric common-cause analysis (see Section 3.2.4), generate importance rankings for common-cause events (Fussell-Vesely and Birnbaum and/or Risk Reduction and Risk Achievement Worths).
3. Generate Fussell-Vesely importances for frontline systems.
4. When modeling is complete, generate final versions of the above to support the discussions of the PRA insights in the final report.

An Alternative Model to Sensitivity Analysis
Two approaches to resolving a modeling issue without performing extensive deterministic evaluation can be identified:
1. Based on the best judgment of the analyst, one modeling assumption is adopted as a base case, and other assumptions are evaluated in a sensitivity study.
2. Probabilistic weights, representing degree of belief in each assumption, are assigned to all possible assumptions and used with the logic models based on the assumptions. In a Bayesian approach, such weights can be updated using any additional information that becomes available in the future.
Approach 1 represents the practice of a typical PRA. Approach 2 represents an improved approach which specifically addresses the sensitivity of the issue to alternative assumptions but requires more extensive effort. It has been successfully applied in the NUREG-1150 study (NRC, 1990) to some of the issues in severe accident modeling where extensive expert opinion elicitation was performed. Its NUREG-1150 application to Level 1 PRA issues is more limited in scope.

Limitations of Importance Measures
Single-event importance measures are sometimes presented as if they were capable of ranking model parameters in an objective way. However, no single model parameter can be ranked in isolation; the significance of each parameter depends in general on the model structure and on the values of all the other parameters. There are, of course, many other parameters, and it is correspondingly infeasible to analyze sensitivity to all combinations of variations of all parameters. All "sensitivity" results (chiefly importance measures of one kind or another) must be interpreted in light of this fundamental limitation. Particular instances of these limitations are:
* Failure modes that are not modeled cannot emerge as "significant" from conventional importance analysis.
* For any given model parameter, the associated importance measures are calculated conditional on all other model parameters behaving essentially nominally.
* Within the linked fault tree approach, the importance measures are calculated from a truncated model (truncated collection of minimal cutsets) and are correspondingly limited.

These points show that conclusions based on importance measures must be weighed in light of how the importance measures were calculated. A given item may show up as "unimportant" because it is logically in parallel with several other items (which can, therefore, compensate for its failure). Unfortunately, these other items are likely to show up as unimportant for the same reason, meaning that none of the SSCs in parallel is "important." It is possible for none of the SSCs in a critical function to show up as "important" in tables calculated in the usual way.

The users of these importance measures have to understand their definitions and limitations. Some of the shortcomings can be addressed with additional sensitivity calculations. For example, a lower truncation limit can be used to determine the sensitivity of the importance measures. The joint importance of groups of components can also be calculated. Relaxing requirements for those components that are individually ranked low should be further justified by demonstrating that the combined risk impact would also be low.

3.2.6.4 Tasks Interfaces
The task related to initial quantification has the following interfaces:

All Internal Event Analytical Tasks. This task is the first attempt to integrate all previous work, especially all of the individual system models, into one consistent model whose framework was developed in the event sequence modeling. As a practical matter, this task also requires at least preliminary data, which emerge from assessment of human reliability and component reliability.
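The single-event measures used in the prioritization rules of thumb (Fussell-Vesely, Birnbaum, Risk Achievement Worth, Risk Reduction Worth) and the parallel-redundancy and truncation limitations listed under Limitations of Importance Measures above, as one added worked example (illustration code written for this page, not from the guide or from any PRA code; the cutsets and probabilities are constructed, and the min-cut upper bound is the assumed quantification rule): the measures are computed for every basic event, a critical function made of three parallel trains is shown to rank low under each measure individually, and the combined check the text asks for is carried out by relaxing all three trains together.

```python
"""Single-event importance measures and the combined-impact check for items
that are individually ranked low. Added illustration for this page; cutsets
and probabilities are constructed, not taken from any study."""
from math import prod

# Constructed cutsets of one top event, conditional on the initiating event:
# a critical function with three parallel trains T1..T3, plus two
# single-event cutsets (an operator error and loss of a support system).
CUTSETS = {
    frozenset({"T1", "T2", "T3"}),
    frozenset({"OP_ERR"}),
    frozenset({"SUP"}),
}
P = {"T1": 0.02, "T2": 0.02, "T3": 0.02, "OP_ERR": 1e-3, "SUP": 1e-4}


def mcub(cutsets, p):
    """Min-cut upper bound, 1 - prod(1 - P(cutset)). Unlike the rare-event
    sum it stays a probability when an event is set to 1 for RAW/Birnbaum."""
    return 1.0 - prod(1.0 - prod(p[e] for e in cs) for cs in cutsets)


def importances(cutsets, p):
    """Classical single-event measures for every basic event in p."""
    base = mcub(cutsets, p)
    out = {}
    for e in p:
        f1 = mcub(cutsets, {**p, e: 1.0})   # event certain to occur
        f0 = mcub(cutsets, {**p, e: 0.0})   # event perfectly reliable
        out[e] = {
            "FV": (base - f0) / base,        # fraction of risk involving e
            "Birnbaum": f1 - f0,             # sensitivity of risk to p_e
            "RAW": f1 / base,                # risk achievement worth
            "RRW": base / f0 if f0 > 0 else float("inf"),
        }
    return out


def rank(imp, measure):
    """Basic events ordered from most to least important under one measure."""
    return sorted(imp, key=lambda e: imp[e][measure], reverse=True)


def scaled_risk_ratio(cutsets, p, events, factor):
    """Risk with the probabilities of `events` all multiplied by `factor`,
    relative to the base case: the combined impact to demonstrate before
    relaxing requirements on individually low-ranked items."""
    p2 = {e: (v * factor if e in events else v) for e, v in p.items()}
    return mcub(cutsets, p2) / mcub(cutsets, p)


def truncated(cutsets, p, cutoff):
    """Cutsets surviving a probability cutoff; importance measures are
    usually computed from such a truncated collection."""
    return {cs for cs in cutsets if prod(p[e] for e in cs) >= cutoff}


if __name__ == "__main__":
    imp = importances(CUTSETS, P)
    for e in rank(imp, "FV"):
        m = imp[e]
        print(f"{e:7s} FV={m['FV']:.3f} Birnbaum={m['Birnbaum']:.2e} "
              f"RAW={m['RAW']:.2f} RRW={m['RRW']:.2f}")
    print("x5 on T1 alone:", round(scaled_risk_ratio(CUTSETS, P, {"T1"}, 5), 3))
    print("x5 on T1,T2,T3:", round(scaled_risk_ratio(CUTSETS, P, {"T1", "T2", "T3"}, 5), 3))
    print("FV of T1 from cutsets truncated at 1e-5:",
          importances(truncated(CUTSETS, P, 1e-5), P)["T1"]["FV"])
```

With these values the operator error tops the Fussell-Vesely list with FV above 0.9, while each of the three parallel trains has FV below 0.01 and a modest RAW near 1.35, so none of them would be flagged by the rules of thumb. Relaxing any one train fivefold raises risk by under 3 percent, but relaxing all three fivefold nearly doubles it; that is the combined risk impact the text requires before requirements on individually low-ranked components are relaxed. Truncating at 1e-5 removes the three-train cutset entirely, so importances computed from the truncated collection give the trains exactly zero, which is why the text recommends repeating the calculation with a lower truncation limit.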
Although described here as a single task, Initial Quantification of Accident Sequences is part of an iterative process involving all previous tasks. Incarrying out this task, it is generally necessary toapproximate ("truncate") the sequenceexpressions, and this approximation is generallycontrolled through the quantification process. Theproper modeling of each system conditional on the states of other systems is revisited as the preliminary sequence results become available.Iterating between the sequence models and the system-level models takes place during this task toassure proper conditionality between systems andto search for logic errors in sequence cutsets.Based on this preliminary quantification, priorities are to be reviewed, and additional modeling or datarefinement needs are assessed. In a subsequent task, leading contributors to sequence frequencies are analyzed further to see whether recovery modeling changes the results significantly. If so,the sequence expressions are augmented to reflectrecovery.The task related to final quantification has the
3. Technical Activities 3-88

following interfaces:

All Internal Events Analytical Tasks. This task integrates the results of all previous analysis tasks after they have been refined during the Initial Quantification of Accident Sequences. It is assumed that debugging has been done as part of the initial accident sequence quantification task.

Level 2/3 Analyses. Output from the Final Quantification task provides information on accident sequence definition and on frequency of occurrence directly to the Level 2 task (refer to Section 3.3), which in turn provides source term information to the consequence and risk integration task (refer to Section 3.4). Whether or not Level 2/3 analyses are performed depends on the scope of the PRA (refer to Chapter 2).

The task related to sensitivity and importance analyses has the following interfaces:

During model development, all of the major task activities are performed iteratively; sensitivity and importance analyses are performed using the model available at the time in order to prioritize resources. After completion of model development, sensitivity and importance analyses are performed to evaluate the impacts on plant risk of alternative assumptions and of changes in plant design and operations.

The following discussion reflects the logical hierarchy rather than the time ordering of the tasks. Sensitivity analysis is discussed first because its outcome has the potential to change the way in which the modeling is conducted. Importance analysis is discussed second.

Tasks whose outputs are candidates for sensitivity studies include the following:
* Initiating Event Analysis (the formulation of the model can be sensitive to this),
* Functional Analysis and Systems Success Criteria (changing success assumptions can have major impacts), and
* System Modeling.

Tasks during which importance analysis is especially beneficial include the following:
* Common-Cause Failure Probabilities (the effort allocated to quantifying common-cause model parameters should be a function of how important these parameters are, in the sense discussed below),
* Initial Quantification of Accident Sequences, and
* Final Quantification of Accident Sequences.

When all of the quantification tasks are substantially complete, importance results should be generated comprehensively and systematically in order to support the discussion of insights in the final documentation. In addition, sensitivity calculations can be performed to evaluate the risk impact of design improvements and alternative modeling assumptions. In some simple cases, sensitivity calculations can be performed using the importance results.

3.2.6.5 References

Drouin, M., et al., "Analysis of Core Damage Frequency from Internal Events: Methodology Guidelines," NUREG/CR-4550, Volume 1, September 1987.

Ericson, D., et al., "Analysis of Core Damage Frequency: Internal Events Methodology," NUREG/CR-4550, Vol. 1, Rev. 1, Sandia National Laboratories, 1990.

NRC, "The Use of PRA in Risk-Informed Applications," NUREG-1602, Draft Report for Comment, June 1997.

NRC, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, U.S. Nuclear Regulatory Commission, December 1990.

NRC, "PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," NUREG/CR-2300, U.S. Nuclear Regulatory Commission, January 1983.

Xue, D., and X. Wang, "A Practical Approach for Phased Mission Analysis," Reliability Engineering and System Safety, 25, 333, 1989.
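The importance ranking and the "sensitivity from importance results" shortcut described above, as an added worked example that is not part of the procedures guide: a small cut-set model of core damage frequency is evaluated with the rare-event approximation, and the Fussell-Vesely (FV) and risk achievement worth (RAW) importance measures are computed for every basic event. The cut sets, event names and numerical values are constructed for this illustration, and the two importance measures are standard PRA definitions that the text above uses without defining. Because the rare-event CDF is linear in each single basic-event value, a one-parameter sensitivity (here, a revised common-cause failure probability for the diesels) can be recovered exactly from the base CDF and the two importance results; that is the "simple case" the text refers to, and it would only be approximate under the min-cut upper bound or when two events change at once.

```python
import math

# Constructed Level 1 model: initiating event frequencies (per reactor-year) and
# basic event probabilities. All names and values are assumed for this example.
VALUES = {
    "IE_LOOP": 0.05,    # loss of offsite power initiator
    "DG_A": 0.02,       # diesel generator A fails
    "DG_B": 0.02,       # diesel generator B fails
    "CCF_DG": 0.002,    # common-cause failure of both diesels
    "IE_SLOCA": 0.01,   # small LOCA initiator
    "HPI_A": 0.01,      # high-pressure injection train A fails
    "HPI_B": 0.01,      # high-pressure injection train B fails
    "CCF_HPI": 0.001,   # common-cause failure of both HPI trains
}

# Minimal cut sets leading to core damage (each is an initiator plus failures).
CUT_SETS = [
    {"IE_LOOP", "DG_A", "DG_B"},
    {"IE_LOOP", "CCF_DG"},
    {"IE_SLOCA", "HPI_A", "HPI_B"},
    {"IE_SLOCA", "CCF_HPI"},
]


def cdf(values, cut_sets=CUT_SETS):
    """Core damage frequency under the rare-event approximation (sum of cut set products)."""
    return sum(math.prod(values[e] for e in cs) for cs in cut_sets)


def importance(event, values=VALUES, cut_sets=CUT_SETS):
    """Fussell-Vesely (fraction of CDF involving the event) and risk achievement worth
    (CDF with the event certain, relative to base CDF) for one basic event."""
    base = cdf(values, cut_sets)
    cdf_event_absent = cdf({**values, event: 0.0}, cut_sets)
    cdf_event_certain = cdf({**values, event: 1.0}, cut_sets)
    fv = (base - cdf_event_absent) / base
    raw = cdf_event_certain / base
    return fv, raw


def rank_by_importance(values=VALUES, cut_sets=CUT_SETS):
    """Basic events ordered by decreasing Fussell-Vesely importance."""
    rows = [(e, *importance(e, values, cut_sets)) for e in values]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def sensitivity_from_importance(base_cdf, fv, raw, new_value):
    """CDF after changing one basic event to new_value, using only the importance results.
    Valid because the rare-event CDF is linear in each event: CDF(p) = a + b*p with
    a = CDF*(1 - FV) (event absent) and a + b = CDF*RAW (event certain)."""
    a = base_cdf * (1.0 - fv)
    b = base_cdf * raw - a
    return a + b * new_value


if __name__ == "__main__":
    base = cdf(VALUES)
    print(f"base CDF = {base:.3e} /yr")
    for event, fv, raw in rank_by_importance():
        print(f"{event:9s} FV = {fv:.3f}  RAW = {raw:8.1f}")
    fv, raw = importance("CCF_DG")
    revised = sensitivity_from_importance(base, fv, raw, 0.004)
    direct = cdf({**VALUES, "CCF_DG": 0.004})
    print(f"CCF_DG doubled: from importance {revised:.3e}, direct recomputation {direct:.3e}")
```

In this constructed model the diesel common-cause event carries a far larger FV than either independent diesel failure, which is the sense in which the text says quantification effort for common-cause parameters should follow their importance.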
Figure 3.7 Relationship among the major parts of a Level 2 PRA

3.3 Level 2 Analysis (Probabilistic Accident Progression and Source Term Analysis)

The primary objective of the Level 2 portion of a PRA is to characterize the potential for, and magnitude of, a release of radioactive material from the reactor fuel to the environment given the occurrence of an accident that damages the reactor core. To satisfy this objective, a Level 2 PRA couples two major elements of analysis to a completed Level 1 PRA:

1. A structured and comprehensive evaluation of containment performance in response to the accident sequences identified in the Level 1 analysis.
2. A quantitative characterization of the radiological release to the environment that would result from accident sequences that involve leakage from the containment pressure boundary.

Figure 3.7 illustrates each of these elements and indicates how they relate to each other conceptually.

In an earlier version of this procedures guide (NUREG/CR-6572, Vol. 3, Part 1), the attributes of a simplified approach to conducting the analyses associated with each of these technical elements were presented. This simplified approach is reproduced in Appendix B. In the current version of the procedures guide, the attributes of a comprehensive Level 2 PRA are presented. A detailed description of the attributes of conducting the technical analyses associated with a comprehensive Level 2 PRA is provided below.

One type of containment performance assessment in response to such accidents would be to perform a deterministic calculation with a validated, first-principles model of accident progression. Such a calculation would generate a time-history of the loads imposed on the containment pressure boundary. These loads would then be compared against the structural performance limits of the containment. If the loads exceed the performance limits, the containment would be expected to fail; conversely, if the performance limits exceed the calculated loads, the containment would be expected to survive. In such an assessment, the overall
frequency of accidents resulting in a release to the environment would simply be the frequency of accident sequences in which the calculated containment loads exceed the performance limits.

Unfortunately, neither the current knowledge regarding many aspects of severe accident progression nor (albeit to a lesser extent) the knowledge regarding containment performance limits is sufficiently precise to conduct such an analysis. Rather, in a PRA, an assessment of containment performance is performed in a manner that explicitly considers the imprecise knowledge of severe accident behavior, of the resulting challenges to containment integrity, and of the capacity of the containment to withstand various challenges. Therefore, the potential for a release to the environment is typically expressed in terms of the conditional probability of containment failure (or bypass) for the spectrum of accident sequences (determined from the Level 1 PRA analysis) that proceed to core damage.

Figure 3.8 indicates how the conditional probability of containment failure is calculated. For each Level 1 core damage accident sequence i (with frequency F_i), the probabilities of the various containment failure modes are calculated: for example, the probability of early containment failure (ef_i), containment bypass (bp_i), late containment failure (lf_i), and no containment failure (nf_i). Because these modes are mutually exclusive and exhaustive, the four probabilities for any one sequence sum to one. For the example shown in Figure 3.8, Accident Sequence 1 completely bypasses the containment, and thus the conditional probability of bypass given the occurrence of this accident is unity. These characteristics could result from an accident such as an interfacing system LOCA. Alternatively, Accident Sequence 2 could result in several different containment failure modes or in no containment failure. For this accident, the probability of early failure (0.5) could be caused by several mechanisms such as overpressure, shell melt-through, and others. Containment bypass (0.1) could be the result of an induced steam generator tube rupture (for PWRs only). Whether the containment fails late (0.2) or not at all (0.2) depends on several factors, including the operability of containment heat removal systems.

Once the probabilities of these containment failure modes have been determined for each accident sequence, the probabilities conditional on total core damage are calculated. The probability of early containment failure conditional on core damage (CCFP_ef) is determined by summing, over all accident sequences i = 1 to n, the early failure probabilities weighted by their respective frequencies (F_i), and dividing the sum by the total core damage frequency (CDF):

CCFP_ef = [Σ_{i=1..n} ef_i × F_i] / CDF, where CDF = Σ_{i=1..n} F_i.

A similar approach is used to determine the conditional probabilities of bypass accidents, late containment failure, and no containment failure.

In addition to estimating the probability of a radiological release to the environment, the Level 2 portion of a PRA of a nuclear reactor characterizes the resulting release in terms of magnitude, timing, and other attributes important to an assessment of off-site accident consequences. This information has two purposes. First, it provides a quantitative scale for ranking the relative severity of various accident sequences; second, it represents the "source term" for a quantitative evaluation of off-site consequences (i.e., health effects, property damage, etc.), which are estimated in the Level 3 portion of a PRA (refer to Section 3.4).
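The CCFP calculation described above, as an added worked example that is not part of the procedures guide. Sequences 1 and 2 use the mode probabilities quoted from the Figure 3.8 discussion (complete bypass; 0.5/0.1/0.2/0.2); the third sequence and all sequence frequencies F_i are constructed, since the page gives none. The consistency check enforces what the figure takes for granted: the four mode probabilities of each sequence must sum to one, otherwise the CCFPs do not sum to one and the release frequency is miscounted.

```python
# Constructed Level 2 input: per-sequence frequency (per reactor-year) and conditional
# containment failure mode probabilities. Mode labels follow the text (ef, bp, lf, nf).
MODES = ("ef", "bp", "lf", "nf")   # early failure, bypass, late failure, no failure

SEQUENCES = {
    "seq1_ISLOCA": (1.0e-6, {"ef": 0.0, "bp": 1.0, "lf": 0.0, "nf": 0.0}),  # complete bypass
    "seq2":        (2.0e-5, {"ef": 0.5, "bp": 0.1, "lf": 0.2, "nf": 0.2}),
    "seq3":        (5.0e-6, {"ef": 0.1, "bp": 0.0, "lf": 0.6, "nf": 0.3}),  # constructed
}


def modes_consistent(sequences, tol=1e-9):
    """Every sequence must have a non-negative frequency and mode probabilities that are
    each in [0, 1] and sum to one (the modes are mutually exclusive and exhaustive)."""
    for freq, modes in sequences.values():
        if freq < 0 or set(modes) != set(MODES):
            return False
        if any(p < 0 or p > 1 for p in modes.values()):
            return False
        if abs(sum(modes.values()) - 1.0) > tol:
            return False
    return True


def core_damage_frequency(sequences):
    """CDF = sum of F_i over all core damage sequences."""
    return sum(freq for freq, _ in sequences.values())


def conditional_failure_probabilities(sequences):
    """CCFP for each mode: frequency-weighted mode probabilities divided by total CDF."""
    if not modes_consistent(sequences):
        raise ValueError("inconsistent sequence data: mode probabilities must sum to one")
    total = core_damage_frequency(sequences)
    return {m: sum(freq * modes[m] for freq, modes in sequences.values()) / total
            for m in MODES}


def release_frequency(sequences):
    """Frequency of core damage accidents with containment failure or bypass
    (every mode except 'nf')."""
    ccfp = conditional_failure_probabilities(sequences)
    return core_damage_frequency(sequences) * (1.0 - ccfp["nf"])


if __name__ == "__main__":
    print(f"CDF = {core_damage_frequency(SEQUENCES):.3e} /yr")
    for mode, p in conditional_failure_probabilities(SEQUENCES).items():
        print(f"CCFP_{mode} = {p:.3f}")
    print(f"release frequency = {release_frequency(SEQUENCES):.3e} /yr")
```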
Figure 3.8 Conditional probability of containment failure
This section describes the attributes of a Level 2 PRA analysis, emphasizing the scope and level of detail associated with the major elements of a Level 2 analysis rather than the specific methods used to assemble a probabilistic model. This approach is used deliberately because several different methods have been used to generate and display the probabilistic aspects of severe accident behavior and containment performance. By far the most common methods are those that use standard event and/or fault tree logic structures; however, some practitioners use other techniques. Further, the specific way in which ostensibly similar logic structures are organized and solved (numerically) can differ substantially from one study to another, primarily as a result of differences in the quantification techniques and associated computer software offered by vendors of PRA services. In principle, any of these methods can be used to produce a Level 2 PRA, provided that they encompass the scope and level of detail described below.

As indicated above, the two major technical activities of a Level 2 PRA are (1) determination of the conditional probability of containment failure or bypass for accident sequences that proceed to core damage and (2) characterization of the radiological source term to the environment for each sequence resulting in containment failure or bypass. These major technical activities are, however, composed of several component parts:
* Plant Damage State Determination
* Assessing Containment Challenges
* Containment Performance Characterization
* Containment Probabilistic Characterization
* Radionuclide Release Characterization
* Quantification of Results

Each of these technical activities is discussed in the following sections.

3.3.1 Plant Damage State Determination

The primary objective of this task of a Level 2 PRA is to characterize the type and severity of the challenges to containment integrity that may arise during postulated severe accidents. An analysis to determine these characteristics acknowledges the dependence of containment response on the details of the accident sequence. Therefore, a critical first step is developing a structured process for defining the specific accident conditions to be examined.
The attributes used to reduce the large number of accident sequences developed in the Level 1 PRA to a practical number for detailed Level 2 analysis have to be determined.

3.3.1.1 Assumptions and Limitations

Because of the diversity and redundancy of the safety systems designed to prevent and/or mitigate potential accident conditions in a nuclear plant, multiple failures must occur for an accident to proceed far enough to damage the reactor fuel. The primary purpose of a Level 1 PRA is to identify the specific combinations of system or component failures (i.e., accident sequence cut sets) that would allow core damage to occur. Unfortunately, the number of cut sets generated by a Level 1 analysis is very large (typically greater than 10,000). It is impractical to evaluate severe accident progression and the resulting containment loads for each of these cut sets. As a result, the common practice is to group the Level 1 cut sets into a sufficiently small number of "plant damage states" to allow a practical assessment of the challenges to containment integrity resulting from the full spectrum of accident sequences.

3.3.1.2 Products

In general, sufficient information should be provided to allow an independent analyst to reproduce the results. At a minimum, the following products are expected:
* a thorough description of the procedure used to group (bin) individual accident sequence cut sets into plant damage states, or another reduced set of accident scenarios, for detailed Level 2 analysis
* a listing of the specific attributes or rules used to group cut sets
* a listing and/or computerized data base providing a cross reference from all cut sets to plant damage states and vice versa

3.3.1.3 Analytical Tasks

This technical activity involves two tasks:
1. Defining PDS Characteristics
2. PDS Binning

Each of these tasks is described in detail in the following sections.

Task 1 - Defining PDS Characteristics

The number of plant damage states produced by this grouping (or "binning") process cannot be established a priori. Rather, a Level 2 PRA first defines the attributes of an accident sequence that represent important initial or boundary conditions for the assessment of severe accident progression or containment response, or characteristics of system operation that can have an important effect on the resulting environmental source term. Example attributes are shown in Table 3-18.

Table 3-18 Example attributes for grouping accident sequence cut sets

Attribute: Possible states
* Accident Initiator: Large, Intermediate, or Small LOCA; Transient; LOCA outside the containment pressure boundary; Steam Generator Tube Rupture
* Reactor Coolant System (RCS) Pressure at the Onset of Core Damage: High; Low
* Status of Emergency Coolant Injection Systems: Operate in injection mode, but fail upon switchover to recirculation cooling; Fail to operate in injection mode
* Status of Steam Generators (PWRs): Auxiliary feedwater operates/fails; Secondary isolated/depressurized
* Status of Residual Heat Removal Systems: Operate; Failed
* Status of Containment at Onset of Core Damage: Isolated; Not isolated
* Status of Containment Safeguard Systems: Sprays always operate/fail or are available if demanded; Sprays operate in injection mode, but fail upon switchover to recirculation cooling; Fan coolers always operate/fail or are available if demanded; Containment venting system(s) operate/fail; Hydrogen control system(s) operate/fail
The functional effects of the specific failures represented by the terms in each accident sequence cut set are then mapped into possible plant damage states according to the binning attributes. There is no "unique" list of attributes against which this exercise should be conducted for a Level 2 analysis; Table 3-18 simply provides examples, not an exhaustive list. Comprehensive lists of attributes for representative PWR and BWR Level 2 analyses can be found in NUREG/CR-4551, Volume 3 (Breeding, 1990) and Volume 4 (Payne, 1990), respectively. Although many of these attributes can be applied generically across many different reactor/containment designs, special attributes are often necessary to address plant-specific design features (e.g., isolation condenser operation in certain BWRs). In a Level 2 PRA, any characteristic of the plant response to a given initiating event that would influence either the subsequent containment response or the resulting radionuclide source term to the environment is represented as an attribute in the plant damage state binning scheme. These characteristics include the following:

* The status of systems that have the capacity to inject water into either the reactor vessel or the containment cavity. Defining system status simply as failed or operating is not sufficient in a Level 2 analysis. Low-pressure injection systems may be available but not operating at the onset of core damage because they are "dead-headed" (i.e., the reactor vessel pressure is above their shutoff head). Such states are distinguished from "failed" low-pressure injection to account for the capability of dead-headed systems to discharge after reactor vessel failure (i.e., providing a mechanism for flooding the reactor cavity).
* The status of systems that provide heat removal from the reactor vessel or containment. Careful attention is paid to the interactions between such systems and the coolant injection systems. For example, the status properly accounts for limitations in the capability of dual-function systems such as the RHR system in most BWRs (which provides pumping capacity for LPCI and heat removal for suppression pool cooling).
* Recoverability of "failed" systems after the onset of core damage. Typical recovery actions include restoration of AC power to active components and alignment of nonsafety-grade systems to provide (low-pressure) coolant injection to the reactor vessel or to operate containment sprays. Constraints on recoverability (such as no credit for repair of failed hardware) are defined in a manner that is consistent with the recovery analysis in the Level 1 PRA.
* The interdependence of various systems for successful operation. For example, if successful operation of a low-pressure coolant injection system is necessary to provide adequate suction pressure for successful operation of a high-pressure coolant injection system, failure of the low-pressure system (by any mechanism) automatically renders the high-pressure system unavailable. This information may be only indirectly available in the results of the Level 1 analysis, but it is explicitly represented in the plant damage state attributes if recovery of the low-pressure system (after the onset of core damage) is modeled.

Task 2 - PDS Binning

Several subtle aspects of the mapping of accident sequence cut sets from the Level 1 analysis to the plant damage states used as input to a Level 2 analysis are worth noting at this point:

* The entire core damage frequency generated by the Level 1 accident sequence analysis is carried forward into the Level 2 analysis. The reason for conserving the CDF is to allow capture of the risk contribution from low-frequency, high-consequence accident sequences.
* The mapping is performed at the cut set level, not the accident sequence level.
There are several reasons for this level of detail:
- Depending on the level of detail represented in the Level 1 accident sequence event trees, it may be impossible to properly capture the effects of support system failures and other dependencies among the various binning attributes without reviewing the basic events that caused a system failure.
- Recovery of failed systems after the onset of core damage is considered in the containment performance assessment of a Level 2 PRA. For this activity to be modeled correctly, system failures that are "recoverable" are distinguished from failures that are "not recoverable." This information typically lies only within the sequence cut sets. Note that the definition of recoverable is consistent with the recovery analysis performed in the Level 1 PRA.
- To appropriately model human reliability related to operator actions that occur after the onset of core damage, information regarding prior operator performance (i.e., prior to the onset of core damage) is carried forward from the Level 1 analysis. Again, this information typically lies only within the sequence cut sets.
* For some accident sequences, the status of all systems may not be determined from the sequence cut sets. For example, if the success criteria for a large break LOCA in a PWR require successful accumulator operation, the large LOCA sequence cut sets involving failure of all accumulators will contain no information about the status of other coolant injection systems. However, realistic resolution of the status of such systems often provides a mechanism for representing accident sequences that are arrested before substantial core damage and radionuclide release occur. In a Level 2 analysis, these systems are not simply assumed to operate as designed. Rather, their failure frequencies are estimated in a manner that preserves the relevant support system dependencies. These are then numerically combined with the sequence cut set frequency from the Level 1 analysis.

3.3.1.4 Task Interfaces

This task is the critical interface between the Level 1 and Level 2 portions of the PRA.
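The cut-set-level binning of Section 3.3.1.3, as an added worked example that is not part of the procedures guide. The basic-event names, the binning rules and the Level 1 cut sets are all constructed for this illustration; a real Level 2 analysis would use the plant's own attribute list in the spirit of Table 3-18. The example makes three of the points above concrete: two cut sets of the same Level 1 sequence land in different plant damage states once the basic events are inspected (HPI lost through pump failures versus HPI lost through AC power, the latter recoverable); low-pressure injection is classified as failed, recoverable or dead-headed rather than just operating/failed; and the total CDF is checked to be conserved across the bins. It also produces the cut set to PDS cross reference that Section 3.3.1.2 lists as a required product.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CutSet:
    sequence: str        # Level 1 accident sequence identifier
    frequency: float     # per reactor-year
    events: frozenset    # basic events making up the cut set


# Hypothetical basic-event vocabulary; all names are constructed for this example.
INITIATORS = {"IE_TRANS": "Transient", "IE_SLOCA": "Small LOCA",
              "IE_LLOCA": "Large LOCA", "IE_SGTR": "SGTR"}
AC_POWER_FAILURES = {"DG_A", "DG_B", "CCF_DG"}      # recoverable by AC restoration (Level 1 recovery rules)
LPI_HARDWARE_FAILURES = {"LPI_PUMP_A", "LPI_PUMP_B", "CCF_LPI"}  # no credit for repair of failed hardware
OP_FAILS_TO_DEPRESSURIZE = "OP_DEPRESS"
CONTAINMENT_NOT_ISOLATED = "CI_FAIL"


def pds_attributes(cs):
    """Map one cut set to its plant damage state key (constructed binning rules)."""
    initiator = next((INITIATORS[e] for e in cs.events if e in INITIATORS), None)
    if initiator is None:
        raise ValueError(f"cut set without initiator in sequence {cs.sequence}")
    # RCS pressure at the onset of core damage
    if initiator == "Large LOCA":
        rcs_pressure = "Low"
    elif OP_FAILS_TO_DEPRESSURIZE in cs.events:
        rcs_pressure = "High"
    else:
        rcs_pressure = "Low"
    # Low-pressure injection: failed, recoverable and dead-headed are distinct states in Level 2
    if cs.events & LPI_HARDWARE_FAILURES:
        lpi = "Failed"
    elif cs.events & AC_POWER_FAILURES:
        lpi = "Unavailable, recoverable (AC)"
    elif rcs_pressure == "High":
        lpi = "Dead-headed"       # available; can discharge once the vessel depressurizes or fails
    else:
        lpi = "Available (resolve in Level 2)"
    containment = "Not isolated" if CONTAINMENT_NOT_ISOLATED in cs.events else "Isolated"
    return (initiator, rcs_pressure, lpi, containment)


def bin_cut_sets(cut_sets):
    """Aggregate cut set frequencies by PDS and keep the cut set <-> PDS cross reference."""
    bins = defaultdict(float)
    cross_ref = []
    for cs in cut_sets:
        key = pds_attributes(cs)
        bins[key] += cs.frequency
        cross_ref.append((cs.sequence, tuple(sorted(cs.events)), key))
    return dict(bins), cross_ref


def pds_for_sequence(cross_ref, sequence):
    """All plant damage states fed by cut sets of one Level 1 sequence."""
    return {key for seq, _, key in cross_ref if seq == sequence}


def frequency_conserved(cut_sets, bins, tol=1e-15):
    """The entire Level 1 CDF must be carried forward into the PDS frequencies."""
    return abs(sum(bins.values()) - sum(cs.frequency for cs in cut_sets)) < tol


# Constructed Level 1 cut sets; sequence 'T-HPI' has cut sets that bin to different PDS.
CUT_SETS = [
    CutSet("T-HPI", 3.0e-6, frozenset({"IE_TRANS", "HPI_PUMP_A", "HPI_PUMP_B", "OP_DEPRESS"})),
    CutSet("T-HPI", 2.0e-6, frozenset({"IE_TRANS", "CCF_HPI", "OP_DEPRESS"})),
    CutSet("T-HPI", 1.0e-6, frozenset({"IE_TRANS", "CCF_DG", "OP_DEPRESS"})),   # HPI lost through AC power
    CutSet("S-HPI-LPI", 5.0e-7, frozenset({"IE_SLOCA", "CCF_HPI", "CCF_LPI"})),
    CutSet("S-HPI-LPI", 2.0e-7, frozenset({"IE_SLOCA", "CCF_HPI", "LPI_PUMP_A", "LPI_PUMP_B", "CI_FAIL"})),
    CutSet("A-LPI", 1.0e-7, frozenset({"IE_LLOCA", "CCF_LPI"})),
    CutSet("G-HPI", 2.0e-7, frozenset({"IE_SGTR", "CCF_HPI", "OP_DEPRESS"})),
]

if __name__ == "__main__":
    bins, xref = bin_cut_sets(CUT_SETS)
    for key, freq in sorted(bins.items(), key=lambda kv: -kv[1]):
        print(f"{freq:.2e}  {key}")
    print("T-HPI feeds", len(pds_for_sequence(xref, "T-HPI")), "plant damage states")
    print("CDF conserved:", frequency_conserved(CUT_SETS, bins))
```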
The entire core damage frequency generated by the Level 1 PRA is carried forward into the Level 2 analysis. The various core damage accident sequences are grouped into a smaller number of plant damage states for processing through the Level 2 analysis. These plant damage states are defined so that all of the accident sequences grouped into a particular plant damage state can be treated the same in terms of accident progression analysis. The output of this task is a set of plant damage states with their corresponding frequencies.

3.3.1.5 References

Breeding, R. J., et al., "Evaluation of Severe Accident Risks: Surry Unit 1," NUREG/CR-4551, Volume 3, SAND86-1309, Sandia National Laboratories, October 1990.

Payne, A. C., et al., "Evaluation of Severe Accident Risks: Peach Bottom Unit 2," NUREG/CR-4551, Volume 4, SAND86-1309, Sandia National Laboratories, December 1990.

3.3.2 Assessing Containment Challenges

This Level 2 PRA task has two objectives:
1. Assess the reliability of containment systems during severe accidents, and
2. Characterize severe accident progression and the attendant challenges to containment integrity.

3.3.2.1 Assumptions and Limitations

The reliability of systems whose primary function is to maintain containment integrity during accident conditions is incorporated into the accident sequence analysis performed during a Level 1 PRA. Such systems may include containment isolation, fan coolers, distributed sprays, and hydrogen igniters. An assessment of the reliability of these systems is incorporated into a Level 2 analysis to ascertain whether they would operate as designed to mitigate the containment response during core damage accidents. The methods, scope, and technical rigor used to evaluate the reliability of these systems are comparable to those used in the Level 1 analysis of other "front-line" systems (refer to Section 3.2.3).

The element of a Level 2 PRA that often receives the most attention is the evaluation of severe accident progression and the attendant challenges to containment integrity. This is because considerable time and effort can be spent performing computer code calculations of dominant accident sequences. Further, exercising broad-scope accident analysis codes [such as the Modular Accident Analysis Program (MAAP) (EPRI, 1994) or MELCOR (Summers, 1994)] provides the only framework within which the important interactions among severe accident phenomena can be accounted for in an integrated fashion. Consequently, the results of these calculations typically form the principal basis for estimating the timing of major accident events and for characterizing the range of potential containment loads.

Although code calculations are an essential part of an evaluation of severe accident progression, their results do not form the sole basis for characterizing challenges to containment integrity in a Level 2 PRA. There are several reasons for this:

1. Many of the models embodied in severe accident analysis codes address highly uncertain phenomena. In each case, certain assumptions are made (either by the model developers or by the code user) regarding the controlling physical processes and the appropriate formulation of the models that represent them. In some instances, the importance of these assumptions can be tested via parametric analysis. However, the extent to which the results of any code calculation can be demonstrated to be robust in light of the numerous uncertainties involved is severely limited by practical constraints of time and resources. Therefore, the assumptions inherent in many code models remain untested.
2. None of the integral severe accident codes contains models to represent all accident phenomena of interest. For example, models for certain hydrodynamic phenomena, such as buoyant plumes, intra-volume natural circulation, and gas-phase stratification, are not represented in most integral computer codes. Similarly, certain severe accident phenomena, such as dynamic fuel-coolant interactions (i.e., steam explosions) and hydrogen detonations, are not represented.
3. It is simply impractical to perform an integral calculation for all severe accident sequences of interest.

As a result, the process of evaluating severe accident progression involves a strategic blend of plant-specific code calculations, application of analyses performed in prior PRAs or severe accident studies, focused engineering analyses of particular issues, and experimental data. The manner in which each of these sources of information is used in a Level 2 PRA is described below.

3.3.2.2 Products

In general, sufficient information is provided in the documentation of the assessment of containment system challenges to allow an independent analyst to reproduce the results. At a minimum, the following information is documented:

For the activities related to assessing the reliability of containment systems:
* a description of the information used to develop the containment systems' analysis models and to link them with other system reliability models (this documentation is prepared in the same manner as that generated in the Level 1 analysis of other systems, as discussed in Section 3.2.3)

For the activities related to characterizing severe accident progression:
* a description of the plant-specific accident simulation models (e.g., for MAAP [EPRI, 1994] or MELCOR [Summers, 1994]), including extensive references to the source documentation for input data
* a listing of all computer code calculations performed and used as a basis for quantifying any event in the containment probabilistic logic model, including a unique calculation identifier or name, a description of the key modeling assumptions or input data used, and a reference to the documentation of the calculated results (if input and/or output data are archived for quality assurance records or other purposes, an appropriate reference to the calculation archive records is also provided)
* a description of the key modeling assumptions selected as the basis for performing "base case" or "best-estimate" calculations of plant response, and a description of the technical bases for these assumptions
* a description of the plant-specific calculations performed to examine the effects of alternate modeling approaches or assumptions
* if analyses of a surrogate (i.e., "similar") plant are used as a basis for characterizing any aspect of severe accident progression in the plant being analyzed, references to, or copies of, the documentation of the original analysis, and a description of the technical basis for assuming the applicability of the results
* for all other original engineering calculations, a sufficiently complete description of the analysis method, assumptions, and calculated results to accommodate an independent (peer) review

3.3.2.3 Analytical Tasks

This technical activity involves two tasks:
1. Containment System Analysis
2. Evaluation of Severe Accident Progression

Each of these tasks is described in detail in the following sections.

Task 1 - Containment System Analysis

Fault tree models (or other techniques) for estimating failure probabilities are developed and linked directly to the accident sequence models from the Level 1 PRA. This linkage is necessary to properly capture the important influence of mutual dependencies between the failure mechanisms of containment systems and those of other systems. Obvious examples include support system dependencies, such as electrical power, component cooling water, and instrument/control air. Other dependencies that need to be represented in a manner consistent with the Level 1 system models are more subtle, however, as illustrated by the following examples:

* Indirect failure of containment systems caused by harsh environmental conditions (resulting from failure of a support system) is represented in the assessment of containment system reliability. An example is failure of reactor or auxiliary building room cooling causing the failure of containment systems because of high ambient temperatures.
* The influence of containment system operation prior to the onset of core damage is accounted for in the evaluation of system operability after the onset of core damage. For example, consider an accident sequence in which containment sprays successfully initiate on an automatic signal early in the sequence. If later in the sequence (but prior to the onset of core damage) the emergency operating procedures direct the reactor operators to terminate containment spray operation to allow realignment of the emergency coolant injection systems, the configuration of the containment spray system (and thus its reliability) differs from that in a sequence in which containment sprays would not have been demanded prior to the onset of core damage.
* The human reliability analysis associated with manual actuation of containment systems (e.g., hydrogen igniters) accounts for operator performance during earlier stages of the accident sequence. This analysis follows the same practices used in the Level 1 analysis, as described in Section 3.2.5.
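Why the containment system fault tree must be linked to the Level 1 sequence rather than solved on its own, as an added worked example that is not part of the procedures guide. The fault tree, basic events and probabilities are constructed: a two-train containment spray system whose trains fail on their own pump failure or on loss of their AC bus, where each bus is lost when offsite power is lost and the train's diesel fails. The spray failure probability is evaluated exactly by enumerating the independent basic events, once unconditionally (an "unlinked" containment system model) and once conditional on a Level 1 cut set having occurred, which is what the linkage achieves: the support-system failures already in the cut set are true when sprays are demanded. For a station blackout cut set the linked answer is 1.0 against an unconditional estimate of a few times 10^-5, so an unlinked model would credit sprays in exactly the sequences that removed their power.

```python
import itertools

# Constructed basic events and probabilities (all names and values assumed for this example).
BASIC_EVENTS = {
    "LOOP": 0.05,          # loss of offsite power
    "DG_A": 0.02,          # emergency diesel A fails
    "DG_B": 0.02,          # emergency diesel B fails
    "SPRAY_PUMP_A": 0.005, # containment spray pump A fails (hardware)
    "SPRAY_PUMP_B": 0.005, # containment spray pump B fails (hardware)
    "HPI_FAILS": 0.01,     # high-pressure injection fails (only used to form a Level 1 cut set)
}


def bus_a_unpowered(s):
    return s["LOOP"] and s["DG_A"]


def bus_b_unpowered(s):
    return s["LOOP"] and s["DG_B"]


def spray_fails(s):
    """Top event of the containment spray fault tree: both trains fail. Each train fails on
    its own pump failure or on loss of its AC bus, so the trains share LOOP and the diesels
    with the Level 1 accident sequence model."""
    train_a = s["SPRAY_PUMP_A"] or bus_a_unpowered(s)
    train_b = s["SPRAY_PUMP_B"] or bus_b_unpowered(s)
    return train_a and train_b


def probability(top, fixed=None):
    """Exact P(top) by enumerating every state of the free basic events (assumed independent);
    events named in `fixed` are held at the given truth value."""
    fixed = dict(fixed or {})
    free = [e for e in BASIC_EVENTS if e not in fixed]
    total = 0.0
    for bits in itertools.product((False, True), repeat=len(free)):
        state = dict(fixed)
        weight = 1.0
        for name, val in zip(free, bits):
            state[name] = val
            p = BASIC_EVENTS[name]
            weight *= p if val else 1.0 - p
        if top(state):
            total += weight
    return total


def unlinked_estimate():
    """Spray failure probability evaluated on its own, ignoring the Level 1 sequence."""
    return probability(spray_fails)


def linked_estimate(level1_cut_set):
    """Spray failure probability conditional on the Level 1 cut set having occurred:
    every basic event in the cut set is TRUE when the containment system is demanded."""
    return probability(spray_fails, fixed={e: True for e in level1_cut_set})


if __name__ == "__main__":
    print(f"unlinked P(spray fails)      = {unlinked_estimate():.3e}")
    print(f"given LOOP+DG_A+DG_B (SBO)   = {linked_estimate(['LOOP', 'DG_A', 'DG_B']):.3e}")
    print(f"given LOOP+DG_A+HPI_FAILS    = {linked_estimate(['LOOP', 'DG_A', 'HPI_FAILS']):.3e}")
```

The same conditioning mechanism covers the subtler cases listed above: an environmental failure (room cooling lost because of a support system failure) or a procedure-driven realignment before core damage is just another basic event whose truth value is fixed by the Level 1 cut set before the containment system top event is evaluated.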
The long-term performance of containment systems is also evaluated, although the issues to be considered may differ substantially from those listed above. This evaluation accounts for the degradation of the environment within which systems are required to operate as an accident sequence proceeds in time. Examples of factors that may arise after the onset of core damage include:
* loss of net positive suction head (NPSH) for coolant pumps due to suppression pool heat-up in BWRs
* plugging of fan cooler inlet plena as a result of the accumulation of aerosols (generated perhaps as a consequence of core-concrete interactions) in PWRs
* failure of systems with components internal to the containment pressure boundary as a result of the high temperatures or pressures associated with hydrogen combustion

In all cases, the assessment of failure probability for containment systems is based on realistic equipment performance limits rather than on bounding (design-basis or equipment qualification) criteria.

Task 2 - Evaluation of Severe Accident Progression

The following considerations are used to determine the number of plant-specific calculations to be performed with an integral code to support a Level 2 PRA:
* At least one integral calculation (addressing the complete time domain of severe accident progression) is performed for each plant damage state. However, this may not be practical, depending on the number of plant damage states developed according to the above discussion. At a minimum, calculations are performed to address the dominant accident sequences (i.e., those with the highest contribution to the total core damage frequency). Calculations are also performed to address sequences that are anticipated to result in relatively high radiological releases (e.g., containment bypass scenarios).
* In addition to the calculations of a spectrum of accident sequences described above, several sensitivity calculations are performed to examine the effects of major uncertainties on the calculated accident behavior. For example, multiple calculations of a single sequence are performed in which code input parameters are changed to investigate the effects of alternative assumptions regarding the timing of stochastic events (such as operator actions to restore water injection) or the models used to represent uncertain phenomena (such as the size of the opening in the containment following over-pressure failure). These calculations provide information that is essential to the quantitative characterization of uncertainty in the Level 2 probabilistic logic models (refer to the discussion of logic model development and assignment of probabilities below).

Table 3-19 lists phenomena that can occur during a core meltdown accident and that involve considerable uncertainty. This list was based on information in NUREG-1265 (NRC, 1991), NUREG/CR-4551 (Gorham-Bergeron, 1993), and other studies. It is recognized that considerable disagreement persists within the technical community regarding the magnitude (and in some cases the specific source) of uncertainty in several of the phenomena listed in Table 3-19. A major objective of the expert panels assembled as part of the research program that culminated in NUREG-1150 (NRC, 1990) was to translate the range of technical opinions within the severe accident research community into a quantitative measure of uncertainty in specific technical issues. In a Level 2 PRA, the results of this effort are used as guidance for defining the range of values of uncertain modeling parameters to be used in the sensitivity calculations described above.
Table 3-19 Severe accident phenomena

Phenomenon: Characteristics of accident phenomena
* Hydrogen generation and combustion: Enhanced steam generation from melt/debris relocation; Steam starvation caused by degraded fuel assembly flow blockage; Clad ballooning; Recovery of coolant injection systems; Steam/hydrogen distribution within containment; De-inerting due to steam condensation or spray operation
* Induced failure of the reactor coolant system pressure boundary: Natural circulation flow patterns within the reactor vessel upper plenum, hot legs, and steam generators; Creep rupture of hot leg nozzles, pressurizer surge line, and steam generator U-tubes
* Debris bed coolability and core-concrete interactions: Debris spreading/depth on the containment floor; Crust formation at the debris bed surface and its effects on heat transfer; Debris fragmentation and cooling upon contact with water pools; Steam generation and debris oxidation
* Fuel-coolant interactions: Potential for dynamic loads on bounding structures; Hydrogen generation during melt-coolant interaction
* Melt/debris ejection following reactor vessel failure: Melt/debris state and composition in the lower head; Mode of lower head failure; Debris dispersal and heat transfer following high-pressure melt ejection

A fundamental design objective of the integral severe accident analysis codes used to support Level 2 PRA (e.g., MAAP, MELCOR) is that they be fast running. Efficient code operation is necessary to allow sensitivity calculations to be performed within a reasonably short time and with minimal resources. One consequence of this objective, however, is that many complex phenomena are modeled in a relatively simple manner or, in some cases, are not represented at all. Therefore, a state-of-the-art Level 2 PRA addresses the inherent limitations of integral code calculations in two respects. First, the importance of phenomena not represented by the integral codes is evaluated by some other means (i.e., either application of specialized computational models or experimental investigation). Second, the effects of modeling simplifications are examined by comparison with mechanistic code calculations.

There are obvious practical benefits to applying or adapting the results of completed studies of severe accident progression in other plants to the PRA of interest. If the applicability of such studies can be demonstrated, substantial savings can be achieved by eliminating unnecessary (repetitive) analysis. Application of analyses from studies of similar plants is common in Level 2 PRAs. However, such analyses cannot completely supplant the plant-specific evaluations described above.

The prerequisite for applying the results of studies for another plant is a demonstration of similarity in plant design and operational characteristics such that the same results would be generated if plant-specific analyses were performed. Demonstration of similarity involves a direct comparison of key plant design features and, if necessary, scaling analysis. Examples of features to be included in such a comparison are listed in Table 3-20. The effects of differences in these design features are examined, and techniques for adapting or scaling the results of the surrogate analyses are developed.

Table 3-20 Example plant design/operational parameters to be compared to demonstrate similarity for use as surrogate analysis

Component: Design characteristics of component
* Reactor Core: Nominal Power; Number of Fuel Assemblies; Number of Fuel Rods per Assembly; Core Mass (UO2, Cladding, Misc. support structures)
* Reactor Vessel: Inside Diameter; Height; Nominal Operating Pressure; Number of Safety/Pressure Relief Valves; Safety/Relief Valve design flow rate; Reactor Coolant System Liquid Volume
* Containment: Total Free Volume; Design Pressure; Nominal Internal Operating Pressure; Atmosphere composition; Reactor Cavity Floor Area; Penetration arrangement and construction; Water Capacity before Spill-over into Reactor Cavity; Concrete (floor) composition

In summary, evaluating severe accident progression involves a complex process of plant-specific sensitivity studies using integral codes, mechanistic code calculations, use of prior calculations, experimental data, and expert judgement. Examples of this process are given in Appendix B for each of the phenomena listed in Table 3-19 above.

3.3.2.4 Task Interfaces

Task 1 assesses the reliability of containment systems for those severe accidents identified in the Level 1 PRA. Fault tree models (or other techniques) for estimating failure probabilities are developed and linked directly to the accident sequence models from the Level 1 PRA.

Task 2 has a critical interface with the plant damage state determination (refer to Section 3.3.1). For each of the plant damage states defined in Section 3.3.1, an evaluation of the severe accident progression is performed in Task 2.

The output of these tasks is used together with the analyses performed in Section 3.3.3 to develop a range of potential containment failure modes and their corresponding frequencies.

3.3.2.5 References

EPRI, MAAP4 - Modular Accident Analysis Program for LWR Power Plants, RP3131-02,
- 3. Technical Activities 3-101Volumes 1-4, Electric Power Research Institute, 1994.Summers, R. M., et al., MELCOR Computer CodeManuals - Version 1.8.3, NUREG/CR-6119, SAND93-2185, Volumes 1-2, Sandia NationalLaboratories, 1994.NRC, Uncertainty Papers on Severe AccidentSource Terms, NUREG-1265, U.S. Nuclear Regulatory Commission, 1991.Gorham-Gergeron, E. D., et al., Evaluation ofSevere Accident Risks: Methodology for the Accident Progression, Source Term,Consequence, Risk Integration, and UncertaintyAnalyses, NUREG/CR-4551, SAND86-1309,Sandia National Laboratories, December 1993.NRC, Severe Accident Risks: An Assessment forFive U.S. Nuclear Power Plants, NUREG-1150,Volume 1, Main Report, U.S. Nuclear Regulation Commission, 1990.3.3.3Containment PerformanceCharacteristicsThe objective of this element of a Level 2 PRA is todetermine the limits (or capacity) that thecontainment can withstand given the range andmagnitude of the potential challenges. Thesechallenges take many forms, including internal pressure rises (that occur over a sufficiently longtime frame that they can be considered "static" in terms of the structural response of thecontainment), high temperatures, thermo-mechanical erosion of concrete structures, and under some circumstances, localized dynamic loads such as shock waves and internally generated missiles. Realistic estimates for thecapacity of the containment structure to wit hstandthese challenges are generated to provide a metric against which the likelihood of containment failurecan be estimated.3.3.3.1Assumptions and LimitationsA thorough assessment of containmentperformance generally begins with a structuredprocess of identifying potential containment failuremodes (i.e., mechanisms by which integrity might be violated). This assessment commonly beginsby reviewing a list of failure modes identified inPRAs for other plants to determine theirapplicability to the current design. 
Such a list was incorporated into NUREG-1335 (NRC, 1989), the NRC's guidance for performing an IPE. This review is then supplemented by a systematic examination of plant-specific design features and emergency operating procedures to ascertain whether additional, unique failure modes are conceivable. For each plausible failure mode, containment performance analyses are performed using validated structural response models, as well as plant-specific data for structural materials and their properties.

Unfortunately, current models for the response of complex structures to even "simple" loads (such as internal pressure) are not sufficiently robust to allow simultaneous prediction of a failure threshold and resulting failure size. This is particularly true for structures composed of non-homogeneous materials with highly non-linear mechanical properties such as reinforced concrete. As a result, calculations to establish performance limits are supplemented with information from experimental observations of containment failure characteristics and expert judgment. Examples of this process can be found in Task 2 below.

3.3.3.2 Products

In general, sufficient information is provided in the documentation of analyses performed to establish quantitative containment performance limits to allow an independent analyst to reproduce the results. At a minimum, the following information is documented for a PRA:
- a general description of the containment structure including illustrative figures to indicate the general configuration, penetration types and location, and major construction materials
- a description of the modeling approach used to calculate or otherwise define containment failure criteria
- if computer models are used (e.g., finite element analysis to establish over-pressure failure criteria), a description of the way in which the containment structure is nodalized including a specific discussion of how local discontinuities, such as penetrations, are addressed
- if experimentally-determined failure data are used, a sufficiently detailed description of the experimental conditions to demonstrate applicability of results to plant-specific containment structures

3.3.3.3 Analytical Tasks

This technical activity involves two tasks:
1. Containment Structural Analysis
2. Containment Failure Mode Analysis
Each of these tasks is described in detail in the following sections.

Task 1 - Containment Structural Analysis

In a Level 2 PRA, the attributes of the analyses necessary to characterize containment performance limits are consistent with those of the containment load analyses against which they will be compared:
- They focus on plant-specific containment performance (i.e., application of reference plant analyses is generally inadequate).
- They consider design details of the containment structure such as:
  - containment type (free-standing steel shell; concrete-backed steel shell; pre-stressed, post-tensioned, or reinforced concrete)
  - the full range of penetration sizes, types, and their distribution (equipment and personnel hatches, piping penetrations, electrical penetration assemblies, ventilation penetrations)
  - penetration seal configuration and materials
  - discontinuities in the containment structure (shape transitions, wall anchorage to floors, changes in steel shell or concrete reinforcement)
- They consider interactions between the containment structure and neighboring structures (the reactor vessel and pedestal, auxiliary building(s), and internal walls).

For many containment designs, over-pressure has been found to be a dominant failure mechanism. In a state-of-the-art Level 2 PRA, the evaluation of ultimate pressure capacity is performed using a plant-specific, finite-element model of the containment pressure boundary including sufficient detail to represent major discontinuities such as those listed above. The influence of time-varying containment atmosphere temperatures is taken into account by performing the calculation for a reasonable range of internal temperatures. To the extent that internal temperatures are anticipated to be elevated for long periods of time (e.g., during the period of aggressive core-concrete interactions), thermal growth and creep rupture of steel containment structures are taken into account.

Task 2 - Containment Failure Mode Analysis

The characterization of containment performance limits is not simply a matter of defining a threshold load at which the structure "fails." A Level 2 PRA attempts to distinguish between structural damage that results in "catastrophic failure" of the containment and damage that results in significant leakage (see footnote 4) to the environment. Leakage is often characterized by a smaller opening (i.e., one that may not preclude subsequent increases in containment pressure). Failure to isolate the containment is also considered. It is very important to assess both the location and size of the containment failure because of the implications for the source term calculation; e.g., given the same in-vessel and ex-vessel releases inside containment, a rupture in the drywell of a Mark II containment would typically result in higher releases to the environment than a leak in the wetwell.

Footnote 4: Significant leakage is defined relative to the design basis leakage for the plant. Leakage rates greater than 100 times the design basis have been found risk significant in past studies.

The NUREG-1150 Expert Panel for Structural Response Issues assessed the containment overpressure failure issue for the Peach Bottom (Payne, 1990), Sequoyah (Gregory, 1990), Surry (Breeding, 1990) and Zion plants (Park, 1993). The assessments of the expert panel are documented in NUREG/CR-4551, Volume 2, Part 3 (Breeding, 1990). Two of these plants have free-standing steel containments and two have reinforced concrete containments. In addition to the distributions the expert panel provided for overpressure failure loads for these containment structures, the panel also provided conditional probabilities for failure location and failure mode (leak, rupture or catastrophic rupture). Both containment types were considered to be vulnerable to the propagation of cracks into ruptures. For a single containment, the panel assessed the conditional probability of multiple failure locations and sizes. For example, six different location/size failures (failure modes) were obtained for overpressure failure for the Peach Bottom containment:
(1) wetwell leak,
(2) rupture, no suppression pool bypass (discontinuity strains at T-stiffeners),
(3) wetwell rupture, suppression pool bypass (membrane failure),
(4) drywell leak (bending strain at the downcomers),
(5) drywell head leak (gasket failure), and
(6) drywell rupture (in main body near penetration due to loss of concrete wall back support).

Failure location and size by dynamic pressure loads and internally generated missiles are also probabilistically examined. The structural response expert panel for NUREG-1150 assessed the size and location of the containment breach by dynamic pressure loads for Grand Gulf (Brown, 1990) (reinforced concrete) and Sequoyah (free-standing steel). Both leaks and ruptures were predicted to occur in the containment response to detonations at Grand Gulf, and ruptures were predicted to occur at Sequoyah. Alpha mode failure (for all NUREG-1150 plants) and steel shell melt-through of a containment wall by direct contact of core debris (for Peach Bottom and Sequoyah) were treated as rupture failures of containment in NUREG-1150. Basemat melt-through is generally treated as a leak in most Level 2 PRAs because of the protracted times involved as well as the predicted radionuclide retention in the soil. If a bypass of containment, such as an interfacing systems LOCA, is predicted to occur, then its effective size and location (e.g., probability that the break is submerged in water) are also estimated in order to perform the source term calculations.

3.3.3.4 Task Interfaces

These tasks have a critical interface with assessing containment challenges (refer to Section 3.3.2). For each of the plant damage states defined in Section 3.3.1, an evaluation of the severe accident progression would be performed in Task 2 of Section 3.3.2. This information is needed to characterize containment performance. The output of these tasks is used together with the analyses performed in Section 3.3.2 to develop a range of potential containment failure modes and their corresponding frequencies.

3.3.3.5 References

NRC, Individual Plant Examination: Submittal Guidance, NUREG-1335, U.S. Nuclear Regulatory Commission, August 1989.
NRC, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, U.S. Nuclear Regulatory Commission, December 1990.
Breeding, R. J., et al., Evaluation of Severe Accident Risks: Quantification of Major Input Parameters, Experts: Determination of Structural Response Issues, NUREG/CR-4551, Volume 2, Part 3, Sandia National Laboratories, October 1990.
Brown, T. D., et al., Evaluation of Severe Accident Risks: Grand Gulf Unit 1, NUREG/CR-4551, Volume 6, SAND86-1309, Sandia National Laboratories, December 1990.
Payne, A. C., Evaluation of Severe Accident Risks: Peach Bottom Unit 2, NUREG/CR-4551, Volume 4, SAND86-1309, Sandia National Laboratories, December 1990.
Gregory, J. J., et al., Evaluation of Severe Accident Risks: Sequoyah Unit 1, NUREG/CR-4551, Volume 5, SAND86-1309, Sandia National Laboratories, December 1990.
Park, C. K., Evaluation of Severe Accident Risks: Zion Unit 1, NUREG/CR-4551, Volume 7, BNL-NUREG-52029, Brookhaven National Laboratory, March 1993.
3.3.4 Containment Probabilistic Characterization

3.3.4.1 Assumptions and Limitations

One feature that distinguishes a state-of-the-art Level 2 PRA from other, less comprehensive assessments is the way in which uncertainties are represented in the characterization of containment performance (see footnote 5). In particular, explicit and quantitative recognition is given to uncertainties in the individual processes and parameters that influence severe accident behavior and attendant containment performance. These uncertainties are then quantitatively integrated by means of a probabilistic logic structure that allows the conditional probability of containment failure to be quantitatively estimated, as well as the uncertainty in the containment failure probability.

Footnote 5: Uncertainties in the estimation of fission product source terms are also represented in a full-scope Level 2 PRA; however, this topic is discussed in Section 3.3.5.

Two elements of such an assessment are described below. First, the characteristics of the logic structure (i.e., containment event tree) used to organize the various contributors to uncertainty are described. However, the major distinguishing element of a full-scope approach to characterizing containment performance is the manner in which the CET is quantified, that is, whether or not uncertainty distributions for major events are assigned and propagated through the logic model. The key phrase here is uncertainty distributions (i.e., point estimates of probability are not universally applied to the logic model). Characteristics of these distributions and the manner in which they are used in a typical logic model are described later in this section.

3.3.4.2 Products

The following documentation is generated to describe the process by which the conditional probability of containment failure is calculated:
- a listing and description of the structure of the overall logic model used to assemble the probabilistic representation of containment performance (Graphical displays of event trees, fault trees or other logic formats are provided to illustrate the logic hierarchy and event dependencies.)
- a description of the technical basis (with complete references to documentation of original engineering analyses) for the assignment of all probabilities or probability distributions within the logic structure
- a description of the rationale used to assign probability values to phenomena or events involving subjective, expert judgment
- a description of the computer program used to exercise the logic model and calculate final results

3.3.4.3 Analytical Tasks

This technical activity involves two tasks:
1. Containment Event Tree Construction
2. Containment Event Tree Quantification
Each of these tasks is described in detail in the following sections.

Task 1 - Containment Event Tree Construction

The primary function of a "containment event tree," or any other probabilistic model evaluating containment performance, is to provide a structured framework for organizing and ranking the alternative accident progressions that may evolve from a given core damage sequence. In developing this framework, whether it be in the form of an event tree, fault tree or other logic structure, several elements are necessary to allow a rigorous assessment of containment performance:

- Explicit recognition of the important time phases of severe accident progression. Different phenomena may control the nature and intensity of challenges to containment integrity and the release and transport of radionuclides as an accident proceeds in time. The following time frames are of particular interest to a Level 2 analysis:
  - After the initiating event, but before the onset of core damage. This time period establishes important initial conditions for containment response after core damage begins.
  - After the core damage begins, but prior to failure of the reactor vessel lower head. This period is characterized by core damage and radionuclide release (from fuel) while core material is confined within the reactor vessel.
  - Immediately following reactor vessel failure. Prior analyses of containment performance suggest that many of the important challenges to containment integrity occur immediately following reactor vessel failure. These challenges may be short-lived, but often occur only as a direct consequence of the release of molten core materials from the reactor vessel immediately following lower head failure.
  - Long-term accident behavior. Some accident sequences evolve rather slowly and generate relatively benign loads to containment structures early in the accident progression. However, in the absence of some mechanism by which energy generated within the containment can be safely rejected to the environment, these loads may steadily increase to the point of failure in the long term.
  When linked end-to-end, these time frames constitute the outline for most probabilistic containment performance models. Within each time frame, uncertainties in the occurrence or intensity of governing phenomena are systematically evaluated.

- Consistency in the treatment of severe accident events from one time frame to another. Many phenomena may occur during several different time frames of a severe accident. However, certain limitations apply to the composite (integral) contribution of some phenomena over the entire accident sequence, and these are represented in the formulation of a probabilistic model. A good example is hydrogen combustion in a PWR containment. Hydrogen generated during core degradation can be released to the containment over several time periods. However, an important contribution to the uncertainty in containment loads generated by a combustion event is the total mass of hydrogen involved in a particular combustion event. One possibility is that hydrogen released to the containment over the entire in-vessel core damage period is allowed to accumulate without being burned, perhaps as a result of the absence of a sufficiently strong ignition source. Molten core debris released to the reactor cavity at vessel breach could represent a strong ignition source, which would initiate a large burn (assuming the cavity atmosphere is not steam inert). Because of the mass of hydrogen involved, this combustion event might challenge containment integrity. Another possibility is that while the same total amount of hydrogen is being released to the containment during in-vessel core degradation, a sufficiently strong ignition source exists to cause several small burns to occur prior to vessel breach. In this case, the mass of hydrogen remaining in the containment atmosphere at vessel breach would be very small in comparison to the first case, and the likelihood of a significant challenge to containment integrity at that time should be correspondingly lower. Therefore, the logic for evaluating the probability of containment failure associated with a large combustion event occurring at the time of vessel breach is able to distinguish these two cases and preclude the possibility of a large combustion event if hydrogen was consumed during an earlier time frame.
- Recognition of the interdependencies of phenomena. Most severe accident phenomena and associated events require certain initial or boundary conditions to be relevant. For example, a steam explosion can only occur if molten core debris comes in contact with a pool of water. Therefore, it may not be meaningful to consider ex-vessel steam explosions during accident scenarios in which the drywell floor (BWR) or reactor cavity (PWR) is dry at the time of vessel breach. Logic models for evaluating containment performance capture these and many other such interdependencies among severe accident events and phenomena. Explicit representation of these interdependencies provides the mechanism for allowing complete traceability between a particular accident sequence (or plant damage state) and a specific containment failure mode.

Task 2 - Containment Event Tree Quantification

There are many approaches to transforming the technical information concerning containment loads and performance limits to an estimate of failure probability, but three approaches appear to dominate the literature. In the first (least rigorous) approach, qualitative terms expressing various degrees of uncertainty are translated into quantitative (point estimate) probabilities. For example, terms such as "likely" or "unlikely" are assigned numerical values (such as 0.9 and 0.1). Superlatives, such as "very" likely or "highly" unlikely, are then used to suggest degrees of confidence that a particular event outcome is appropriate. The subjectivity associated with this method is controlled to some extent by developing rigorous guidelines for the amount and quality of information necessary to justify progressively higher confidence levels (i.e., probabilities approaching 1.0 or 0.0). Nonetheless, this method is not considered an appropriate technique for assigning probabilities to represent the state-of-knowledge uncertainties in a PRA (such uncertainties tend to dominate a Level 2 PRA, rather than uncertainty associated with random behavior). Among its weaknesses, this approach simply produces a point estimate of probability and is not a rigorous technique for developing probability distributions.

The second technique involves a convolution of paired probability density functions. In this technique, probability density functions are developed to represent the distribution of credible values for a parameter of interest (e.g., containment pressure load) and for its corresponding failure criterion (e.g., ultimate pressure capacity). This method is more rigorous than the one described above in the sense that it explicitly represents the uncertainty in each quantity in the probabilistic model. The basis for developing these distributions is the collective set of information generated from plant-specific integral code calculations, corresponding sensitivity calculations, other relevant mechanistic calculations, experimental observations, and expert judgment. The conditional probability of containment failure (for a given accident sequence) is then calculated as the intersection of the two density functions (see Figure 3.9). While this technique provides an explicit treatment of uncertainty at intermediate stages of the analysis, it still ultimately generates a point estimate for the probability of containment failure caused by a particular mechanism. The contributions to (and magnitude of) uncertainty in the final (total) containment failure probability are discarded in the process.

The third technique involves adding an additional feature to the technique described above. That is, the probability density functions representing uncertainty in each term of the containment performance logic model are propagated throughout the entire model to allow calculation of statistical quantities such as importance measures. One means for accomplishing this objective is the application of Monte Carlo sampling techniques (such as Latin Hypercube). The application of this technique to Level 2 PRA logic models, pioneered in NUREG-1150 (NRC, 1990), accommodates a large number of uncertain variables.
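The following is an added example, not part of the report, showing the second and third quantification techniques on one small logic model together with the hydrogen-consumption consistency rule from Task 1 above. A two-branch containment event tree (early burns consume the hydrogen, or the accumulated hydrogen burns at vessel breach) is quantified first by the load/capacity convolution, which for independent lognormal densities of the peak pressure Pc and failure pressure Pf has the closed form P(Pc > Pf) = Phi((mu_c - mu_f) / sqrt(sigma_c^2 + sigma_f^2)), and then by Latin hypercube propagation of every uncertain input through the whole tree. The distributions (load median 110 psig with error factor 1.5, capacity median 135 psig with error factor 1.3, early-burn probability uniform between 0.3 and 0.9) are constructed assumptions, not plant values, and the code uses only the Python standard library.

```python
"""Added example (not from the report): quantifying a small containment event
tree (CET) with the load/capacity convolution of technique 2 and the Latin
hypercube propagation of technique 3.  All numbers are constructed for
illustration; they are not plant data."""
import math
import random
from statistics import NormalDist, mean

_ND = NormalDist()


def lognormal_from_median_ef(median, error_factor):
    """(mu, sigma) of ln X from the median and the 95th/50th percentile ratio
    (the 'error factor' often used to state PRA uncertainty distributions)."""
    return math.log(median), math.log(error_factor) / 1.645


def point_estimate_failure_probability(load, capacity):
    """Technique 2: the 'intersection' of the load density f(Pc) and the
    capacity density f(Pf), i.e. P(Pc > Pf).  For independent lognormals
    ln(Pc) - ln(Pf) is normal, so the integral has a closed form."""
    mu_c, s_c = load
    mu_f, s_f = capacity
    return _ND.cdf((mu_c - mu_f) / math.hypot(s_c, s_f))


def latin_hypercube(n, dims, rng=None):
    """n rows of dims stratified uniforms: every column places exactly one
    sample in each of the n equal-probability strata (Latin hypercube)."""
    if rng is None:
        rng = random.Random(0)
    columns = []
    for _ in range(dims):
        strata = list(range(n))
        rng.shuffle(strata)
        columns.append([(s + rng.random()) / n for s in strata])
    return [list(row) for row in zip(*columns)]


def quantify_cet(n_samples=1000, seed=1):
    """Technique 3: sample every uncertain input once per LHS row and evaluate
    the whole logic model for each row, so the result is a distribution of the
    conditional containment failure probability rather than one number.

    Toy CET after in-vessel core damage (constructed):
      - early burns occur (probability p_early_burn): hydrogen is consumed
        before vessel breach, so the logic precludes a large burn at vessel
        breach and this branch does not fail containment in this model;
      - no early burns: the accumulated hydrogen burns at vessel breach and
        containment fails when the peak pressure Pc exceeds the capacity Pf."""
    rng = random.Random(seed)
    load = lognormal_from_median_ef(110.0, 1.5)      # Pc, psig (constructed)
    capacity = lognormal_from_median_ef(135.0, 1.3)  # Pf, psig (constructed)
    rows = []
    for u_ign, u_c, u_f in latin_hypercube(n_samples, 3, rng):
        p_early_burn = 0.3 + 0.6 * u_ign  # uniform(0.3, 0.9), constructed
        pc = math.exp(load[0] + load[1] * _ND.inv_cdf(u_c))
        pf = math.exp(capacity[0] + capacity[1] * _ND.inv_cdf(u_f))
        large_burn_fails = 1.0 if pc > pf else 0.0
        p_fail = (1.0 - p_early_burn) * large_burn_fails
        rows.append({"p_early_burn": p_early_burn, "pc": pc, "pf": pf,
                     "p_fail": p_fail})
    return rows


def _pearson(xs, ys):
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def _percentile(values, q):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(rows):
    """Mean and 5th/95th percentiles of the failure probability across the
    LHS rows, plus a simple importance measure: the correlation of each
    sampled input with the failure probability."""
    p_fail = [r["p_fail"] for r in rows]
    exceed = [1.0 if r["pc"] > r["pf"] else 0.0 for r in rows]
    return {
        "mean": mean(p_fail),
        "p05": _percentile(p_fail, 0.05),
        "p95": _percentile(p_fail, 0.95),
        "fraction_load_exceeds_capacity": mean(exceed),
        "importance": {k: _pearson([r[k] for r in rows], p_fail)
                       for k in ("p_early_burn", "pc", "pf")},
    }


if __name__ == "__main__":
    rows = quantify_cet()
    print("technique 2 point estimate P(Pc > Pf):",
          round(point_estimate_failure_probability(
              lognormal_from_median_ef(110.0, 1.5),
              lognormal_from_median_ef(135.0, 1.3)), 3))
    print("technique 3 summary:", summarize(rows))
```

Run as a script to print both results. The convolution's point estimate agrees with the fraction of propagated samples in which the load exceeds the capacity, but only the propagated result shows the spread of the conditional failure probability across the state-of-knowledge samples and the sign of each input's influence, which is the information the convolution alone discards.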
Figure 3.9 Probability density functions for containment peak pressure (Pc) and failure pressure (Pf) (figure not reproduced; vertical axis: Probability)

Other techniques have been developed for specialized applications, such as the direct propagation of uncertainty technique developed to assess the probability of containment failure as a result of direct containment heating in a large dry PWR. However, these other techniques are constrained to a small number of variables and are not currently capable of applications involving the potentially large number of uncertain variables addressed in a Level 2 PRA.

3.3.4.4 Task Interfaces

These tasks have a critical interface with the evaluation of the severe accident progression (refer to Task 2 of Section 3.3.2). The output of these tasks is a range of potential containment failure modes and their corresponding frequencies which provide input to radionuclide release characterization (Section 3.3.5).

3.3.4.5 References

NRC, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, U.S. Nuclear Regulatory Commission, December 1990.

3.3.5 Radionuclide Release Characterization

The second, albeit equally important, product of a Level 2 PRA is a quantitative characterization of radiological release to the environment resulting from each accident sequence that contributes to the total core damage frequency. The specific manner in which radionuclide source terms are characterized in a Level 2 analysis is described first. Attributes of coupling the evaluation of radionuclide release to analyses of severe accident progression for particular sequences are also described. Finally, attributes of addressing uncertainties in radionuclide source terms are described.

3.3.5.1 Assumptions and Limitations

In many Level 2 analyses, the characterization of radiological release is used solely as a semi-quantitative scale to rank the relative severity of accident sequences. In such circumstances, a rigorous quantitative evaluation of radionuclide release, transport, and deposition may not be necessary. Rather, order-of-magnitude estimates of the size of release for a few representative radionuclide species provide a satisfactory scale for ranking accident severity. In a state-of-the-art Level 2 PRA, however, the characterization of radionuclide release to the environment provides sufficient information to completely define the "source term" for calculating off-site health and economic consequences for use in a Level 3 PRA. Further, the rigor required of the evaluation of radionuclide release, transport, and deposition directly parallels that used to evaluate containment performance:
- Source term analyses (deterministic computer code calculations) reflect plant-specific features of system design and operation. In particular, the models used to calculate radionuclide source terms faithfully represent plant-specific characteristics such as fuel, control material, and in-core support structure composition and spatial distribution; configuration and deposition areas of primary coolant system and containment structures; reactor cavity (or drywell floor) configuration and concrete composition; and topology of transport pathways from the fuel and/or core debris to the environment.
- Calculations of radionuclide release, transport, and deposition represent sequence-specific variations in primary coolant system and containment characteristics. For example, reactor vessel pressure during in-vessel core melt progression and operation (or failure) of containment safeguard systems such as distributed sprays are represented in a manner that directly accounts for their effects on radionuclide release and/or transport. The procedure for organizing the numerous accident sequences generated in a Level 1 PRA into a reasonably small number of groups that exhibit similar radionuclide release characteristics is described below.
- Uncertainties in the processes governing radionuclide release, transport, and deposition are quantified. Uncertainties related to radionuclide behavior under severe accident conditions are quantified to characterize uncertainties in the radionuclide source term associated with individual accident sequences. This is achieved in the same way uncertainties for the phenomena governing severe accident progression are used to characterize uncertainty in the probability of containment failure (described below).

3.3.5.2 Products

In general, sufficient information is provided in the documentation of analyses performed to characterize radiological source terms to allow an independent analyst to reproduce the results. At a minimum, the following information is documented for a PRA:
- a summary of all computer code calculations used as the basis for estimating plant-specific source terms for selected accident sequences
- a description of modeling methods used to perform plant-specific source term calculations including a description of the method by which source terms are assigned to accident sequences for which computer code (i.e., MAAP [EPRI, 1994] or MELCOR [Summers, 1994]) calculations were not performed
- if analyses of a surrogate (i.e., "similar") plant are used as a basis for characterizing any aspect of radionuclide release, transport, or deposition in the plant being analyzed, references to, or copies of, documentation of the original analysis, and a description of the technical basis for assuming applicability of results
- a description of the method by which uncertainties in source terms are addressed
- for all other original engineering calculations, a sufficiently complete description of the analysis method, assumptions and calculated results is prepared to accommodate an independent (peer) review

3.3.5.3 Analytical Tasks

This technical activity involves three tasks:
1. Definition of Radionuclide Source Terms
2. Coupling Source Term and Severe Accident Progression Analyses
3. Treatment of Source Term Uncertainties
Each of these tasks is described in detail in the following sections.

Task 1 - Definition of Radionuclide Source Terms

The analysis of health and economic consequences resulting from an accidental release of radionuclides from a nuclear plant (in a Level 3 PRA) requires specification of several parameters (from a Level 2 PRA) that define the environmental source term. Ideally, the following information is developed:
- the time at which a release begins
- the time history of the release of all radioisotopes that contribute to early (deterministic) and late (stochastic) health consequences
- the elevation (above local ground level) at which the release occurs
- the energy with which the release is discharged to the environment
- the size distribution of radioactive material released in the form of an aerosol (i.e., particulate)

As in many other aspects of a comprehensive PRA, it is impractical to generate this information for the full spectrum of accident conditions produced by Level 1 and 2 analyses. To address this constraint, several simplifications are made in a Level 2 analysis. In particular, the following assumptions are typically made regarding the radioactive material of interest:
- All isotopes of a single chemical element are released from fuel at the same rate.
- Chemical elements exhibiting similar properties in terms of their measured rate of release from fuel, physical transport by means of fluid advection, and chemical behavior in terms of interactions with other elemental species and bounding structural surfaces can be effectively modeled as one composite radionuclide species. Typically, the specific properties of a single (mass dominant) element are used to represent the properties of all species within a group.

The combination of these two assumptions leads to a radionuclide grouping scheme that reduces the total number of modeled radionuclide species to nine groups, as shown in Table 3-21. Although the species listed above are released from fuel in their elemental form, it is firmly established that many species quickly combine with other elements to form compounds as they migrate away from the point of release. The formation of these compounds and the associated change in the physico-chemical properties of individual radionuclide groups are taken into account in the analysis of radionuclide transport and deposition. In particular, volatile radionuclide species, such as iodine and cesium, may be transported in more than one chemical form, each with different properties that affect their transport. Chemical forms of these radionuclide groups represented in the source term analysis of a full-scope PRA include:

Radionuclide Group: I
Chemical forms for transport: I2, CH3I, HI [vapor]; CsI [aerosol]

Radionuclide Group: Cs
Chemical forms for transport: CsOH, CsI [aerosol]

A second simplification in the characterization of radionuclide release involves the treatment of time-dependence. Temporal variations in radionuclide release are calculated as a natural product of deterministic source term calculations. However, in a Level 2 PRA these variations are reduced to a series of discrete periods of radiological release, each of which is described by a starting time, a duration, a (constant) release rate, and a release energy. For example, results of an integral severe accident/source term code calculation might suggest the radiological release rate shown as the solid line in Figure 3.10.
Thecontinuous release rate is simplified to represent major characteristics or the release history such as an early, short-lived, large release rate immediately following containment failure (sometimes referred to as the "puff release"),followed by two longer periods of a sustained release. The specific characteristics of t hesediscrete release periods may vary from oneaccident sequence (or plant damage state) to another, but the timing characteristics (i.e., start
- 3. Technical Activities 3-110Table 3-21 Radionuclide grouping scheme used in a Level 2 PRAGroupRep.elementElementsrepresented by the groupImportant isotopes within the group1XeXe, KrXe-133, Xe-135, Kr-85, Kr-85M, Kr-87, Kr-882II, BrI-131, I-132, I-133, I-134, I-135 3CsCs, RbCs-134, Cs-136, Cs-137, Rb-86 4TeTe, Sb, SeTe-127, Te-127M, Te-129, Te-129M, Te-131, Te-132, Sb-127, Sb-1295SrSrSr-89, Sr-90, Sr-91, Sr-92 6RuRu, Rh, Co, Mo, Tc, PdRu-103, Ru-105, Ru-106, Rh-105, Co-58, Co-60, Mo-99, Tc-99M7LaLa, Y, Zr*, Nb,Nd, Pr, Am, Mc, Sm La-140, La-141, La-142, Y-90, Y-91, Y-92, Y-93, Zr-95, Zr-97, Nb-95, Nd-147, Pr-143, Am-241, Cm-242, Cn-2448CeCe, Np, PuCe-141, Ce-143, Ce-144, Np-239, Pu-238, Pu-239, Pu-240, Pu-2419BaBaBa-139, Ba-140*Radionuclide Zirconium (not the structural metal)
- 3. Technical Activities 3-111Figure 3.10 Example of simplified radionuclide release ratestime and duration) are the same for eachradionuclide group (i.e., only the release rate variesfrom one group to another for a given release period). The total number of release periods istypically small (i.e., 3 or 4) and represents distinctperiods of severe accident progression. For example, the following time periods may berepresented:Very early[containment leakage prior tocontainment failure]Puff release[immediately following containmentfailure]Early[relatively large release rate periodaccompanying containmentdepressurization following breach of the containment pressure boundary]Late[long-term, low release rate aftercontainment depressurization]Note that the above time periods are for illustrativepurposes only; others are developed, as necessary, to suit the specific results of a plant-specific assessment.Task 2 - Coupling Source Term and SevereAccident Progression AnalysesThe number of unique severe accident sequencesrepresented in a Level 2 PRA can be exceedingly large. Comprehensive, probabilistic considerationof the numerous uncertainties in severe accident progression can easily expand a single accident sequence (or plant damage state) from the Level 1 systems analysis into a large number of alternativesevere accident progressions. A radionuclidesource term must be estimated for each of these accident progressions. Clearly, it is impractical toperform that many deterministic source term
- 3. Technical Activities 3-112calculations.A common practice in many Level 2 PRAs(although insufficient for a state-of-the-art PRA) isto reduce the analysis burden by grouping the alternative severe accident progressions into "source term bins" or "release categories." Thisgrouping process is analogous to the one used at the interface between the Level 1 and Level 2analyses to group accident sequence cut sets intoplant damage states. The principal objective of the source term grouping (or binning) exercise is toreduce the number of specific severe accident scenarios for which deterministic source termcalculations must be performed to a practical value. A structured process similar to the one described in Section 3.3.1 (related to the assessment of accident sequences addressed in a Level 2 PRA) is typically followed to accomplish thegrouping. Characteristics of severe accidentbehavior and containment performance that havea controlling influence on the magnitude and timing of radionuclide release to the environment are used to group (or bin) the alternative accidentprogressions into appropriate release categories.
A deterministic source term calculation is then performed for a single accident progression withineach release category (typically the highestfrequency) to represent the entire group.As indicated above, this approach is inadequate fora state-of-the-art Level 2 analysis because the radionuclide source term for any given severeaccident progression cannot be calculated withcertainty. The influence of uncertainties related tothe myriad processes governing radionuclide release from fuel, transport through the primarycoolant system and containment, and deposition onintervening structures is significant and must bequantified with a similar level of rigor afforded tosevere accident progression uncertainties.Further, a state-of-the-art Level 2 PRA isperformed in a manner that allows the relativecontribution of individual parameter uncertainties to the overall uncertainty in risk to be calculated directly (i.e., via rank regression or some other statistically rigorous manner). This requires aprobabilistic modeling process that combines theuncertainty distributions associated with theevaluation of accident frequency, severe accident progression, containment performance, and radionuclide source terms in an integrated, consistent fashion.In performing this integrated uncertainty analysis,special care must be taken to ensure consistency between uncertain parameters associated withradionuclide release, transport, and deposition and other aspects of accident behavior. In particular, the analysis must account for importantcorrelations between the behavior of radionuclides and the other characteristics of severe accident progression. For example;The magnitude of radionuclide release fromfuel is known to be influenced by the magnitude of Zircaloy (clad) oxidation.
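The release-period simplification described under Task 1 (a continuous release-rate history collapsed into a few periods, each with a start time, duration, constant rate and energy, with timing shared by all radionuclide groups) as an added example that is not part of the guide. The release-rate histories, period boundaries and energies below are constructed for illustration, and the check that the discrete periods capture most of the total release is the editor's suggestion, not a step from the text.

```python
"""Discretization of a continuous radionuclide release-rate history into the
release periods used in a Level 2 PRA.  Added example, not from the guide; all
release-rate histories and period definitions below are constructed."""
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple

# A history is a list of (time_s, rate) samples.  Each rate (fraction of the
# core inventory released per second) holds until the next sample time; the
# last sample should carry rate 0.0 and marks the end of the calculation.
History = Sequence[Tuple[float, float]]


@dataclass(frozen=True)
class ReleasePeriod:
    """One discrete release period.  Timing is shared by all radionuclide
    groups; only the release rate differs from group to group."""
    name: str
    start_s: float      # seconds after accident initiation
    duration_s: float
    energy_w: float     # release energy (thermal power of the plume), W


def integrate_step(history: History, t0: float, t1: float) -> float:
    """Fraction released between t0 and t1 for a piecewise-constant history."""
    released = 0.0
    for i, (t_start, rate) in enumerate(history):
        t_end = history[i + 1][0] if i + 1 < len(history) else t_start
        lo, hi = max(t_start, t0), min(t_end, t1)
        if hi > lo:
            released += rate * (hi - lo)
    return released


def discretize(histories: Dict[str, History],
               periods: Sequence[ReleasePeriod]) -> Dict[str, Dict[str, float]]:
    """Constant release rate (fraction/s) per period and radionuclide group,
    chosen so that the fraction released within each period is preserved."""
    table: Dict[str, Dict[str, float]] = {}
    for p in periods:
        t0, t1 = p.start_s, p.start_s + p.duration_s
        table[p.name] = {group: integrate_step(h, t0, t1) / p.duration_s
                         for group, h in histories.items()}
    return table


def coverage(histories: Dict[str, History],
             periods: Sequence[ReleasePeriod]) -> Dict[str, Tuple[float, float]]:
    """Per group: (fraction captured by the discrete periods, fraction released
    over the whole history).  Release falling outside every period is dropped
    by the simplification, so the analyst checks that the gap is acceptable."""
    result: Dict[str, Tuple[float, float]] = {}
    for group, h in histories.items():
        captured = sum(integrate_step(h, p.start_s, p.start_s + p.duration_s)
                       for p in periods)
        total = integrate_step(h, h[0][0], h[-1][0])
        result[group] = (captured, total)
    return result


# Constructed histories for three groups of Table 3-21 (not plant data):
# slow pre-failure leakage, a 300 s puff at containment failure (7200 s),
# a sustained early release, then a long low-rate tail.
HISTORIES: Dict[str, History] = {
    "Xe": [(0.0, 0.0), (3600.0, 1e-6), (7200.0, 1.5e-3), (7500.0, 5e-5), (14400.0, 1e-6), (86400.0, 0.0)],
    "I":  [(0.0, 0.0), (3600.0, 2e-7), (7200.0, 3e-4), (7500.0, 1e-5), (14400.0, 2e-7), (86400.0, 0.0)],
    "Cs": [(0.0, 0.0), (3600.0, 1e-7), (7200.0, 2e-4), (7500.0, 5e-6), (14400.0, 1e-7), (86400.0, 0.0)],
}

# Constructed periods following the illustrative scheme in the text.  The late
# period deliberately stops at 50400 s so the tail after it is not captured.
PERIODS = (
    ReleasePeriod("Very early", 0.0, 7200.0, 0.0),
    ReleasePeriod("Puff release", 7200.0, 300.0, 5e6),
    ReleasePeriod("Early", 7500.0, 6900.0, 1e6),
    ReleasePeriod("Late", 14400.0, 36000.0, 0.0),
)

if __name__ == "__main__":
    for name, rates in discretize(HISTORIES, PERIODS).items():
        print(name, {g: f"{r:.2e}" for g, r in rates.items()})
    for g, (captured, total) in coverage(HISTORIES, PERIODS).items():
        print(f"{g}: captured {captured:.4f} of {total:.4f} released")
```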
Therefore, the distributions of plausible values for the release fraction of various radionuclides are correlated to the distribution of values for the fraction of clad oxidized in-vessel.
* In the NUREG-1150 (NRC, 1990) assessments, uncertainty in the retention efficiency of aerosols transported through the primary coolant system was found to depend strongly on primary coolant system pressure during in-vessel melt progression. Higher retention efficiencies were attributed to sequences involving low coolant system pressure than to those involving high pressure.

These and other similar relationships are described in the experts' determination of source term issues in NUREG/CR-4551, Volume 2 (Harper, 1990).

Task 3 - Treatment of Source Term Uncertainties

Results of the Level 2 PRAs described in NUREG-1150 indicate that uncertainties associated with the processes governing radionuclide release from fuel; transport through the primary coolant system, secondary coolant system (if applicable), and containment; and deposition on bounding structures can be a major contributor to the uncertainty in some measures of risk. For example, uncertainties in the magnitude of radionuclide release from fuel during in-vessel melt progression, and uncertainties in the amount of retention on the shell (secondary) side of steam generators, were found to be among the largest contributors to the overall uncertainty in early fatality risk associated with steam generator tube rupture events (a significant contributor to the core damage frequency in some PWRs). Similarly, uncertainties in processes such as radionuclide release during core-concrete interactions and late release of iodine initially captured by pressure suppression pools were found to be important contributors to various risk measures in BWRs.

Uncertainties in the processes specifically related to radionuclide source term assessment are, therefore, represented in a state-of-the-art Level 2 PRA. When deterministic codes are used to estimate the source term, it is important to account for all of the relevant phenomena (even when the code does not explicitly include models for all of the phenomena). When a model is not available for certain important phenomena, it is not acceptable to simply ignore the phenomena. Instead, alternative methods are used, such as consulting different code calculations, using specialized codes, or assessing relevant experimental results.
A systematic process and calculation tools to accommodate source term uncertainties in the overall evaluation of severe accident risks were developed for the Level 2 PRAs described in NUREG-1150. A detailed description of this process and the associated tools is not provided here; the reader is referred to NUREG/CR-4551, Vol. 2, Part 4 (Harper, 1990), NUREG-1335 Appendix A (NRC, 1989), and NUREG/CR-5360 (Jow, 1993) for additional information on these topics. In addition, when estimating consequences in the PRA, it is also important to accurately represent the timing of the release. Past studies have shown that the number of early fatalities can be particularly sensitive to when the release occurs relative to when the general public is being evacuated. Hence, it is also important that the approach used to estimate the source term properly accounts for the timing characteristics of the release. Table 3-22 summarizes the areas in which key uncertainties are addressed in a Level 2 analysis.
These key uncertainties are derived, in part, from the results of the NUREG-1150 analyses, as well as from more recent statements of key source term uncertainties published by the NRC for light-water reactor licensing purposes.

3.3.5.4 Task Interfaces

These tasks have a critical interface with the containment probabilistic characterization (refer to Task 2 of Section 3.3.4). The output of these tasks is a range of potential containment failure modes, release fractions (or source terms), and their corresponding frequencies. The output of the Level 2 analysis provides input to the consequence analysis (Section 3.4).

Table 3-22 Areas of key radionuclide source term uncertainties

* Magnitude of radionuclide release from fuel during core damage and material relocation in-vessel (primarily for volatile and semi-volatile radionuclide species).
* Chemical form of iodine for transport and deposition.
* Retention efficiency during transport through the primary and secondary coolant systems (particularly for long release pathways).
* Magnitude of radionuclide release from fuel (primarily refractory metals) and non-radioactive aerosol generation during core-concrete interactions.
* Decontamination efficiency of radionuclide flow streams passing through pools of water (BWR suppression pools and PWR containment sumps).
* Late revaporization and release of iodine initially captured in water pools.
* Capture and retention efficiency of aerosols in containment and secondary enclosure buildings.
3.3.5.5 References

EPRI, MAAP4 - Modular Accident Analysis Program for LWR Power Plants, RP3131-02, Volumes 1-4, Electric Power Research Institute, 1994.

Summers, R. M., et al., "MELCOR Computer Code Manuals -- Version 1.8.3," NUREG/CR-6119, SAND93-2185, Volumes 1-2, Sandia National Laboratories, 1994.

NRC, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, U.S. Nuclear Regulatory Commission, December 1990.

Harper, F. T., et al., Evaluation of Severe Accident Risks: Quantification of Major Input Parameters, NUREG/CR-4551, Volume 2, SAND86-1309, Sandia National Laboratories, December 1990.

NRC, Individual Plant Examination: Submittal Guidance, NUREG-1335, U.S. Nuclear Regulatory Commission, August 1989.

Jow, H. J., et al., "XSOR Codes User Manual," NUREG/CR-5360, Sandia National Laboratories, 1993.

3.4 Level 3 Analysis (Consequence Analysis and Integrated Risk Assessment)

In this section, the analyses performed as part of the Level 3 portion of a probabilistic risk assessment (PRA) are described.

3.4.1 Assumptions and Limitations

In most Level 3 (i.e., consequence) codes, atmospheric transport of the released material is carried out assuming Gaussian plume dispersion.
This assumption is generally valid for flat terrain to a distance of a few kilometers from the point of release but is inaccurate both in the immediate vicinity of the reactor building and at farther distances. For most PRA applications, however, the inaccuracies introduced by the assumption of Gaussian plumes are much smaller than the uncertainties due to other factors, such as the source term. In specific cases of plant location, such as, for example, a mountainous area or a valley, more detailed dispersion models that incorporate terrain effects may have to be considered. There are other physical parameters that influence downwind concentrations. Dry deposition velocity can vary over a wide range depending on the particle size distribution of the released material, the surface roughness of the terrain, and other factors. An assessment of these uncertainties, focused on the factors which influence dispersion and deposition, has been carried out recently (Harper et al., 1995). Earlier assessments of the assumptions and uncertainties in consequence modeling were reported in other PRA procedures guides (NRC, 1983).

Besides atmospheric transport, dispersion, and deposition of released material, there are several other assumptions, limitations, and uncertainties embodied in the parameters that impact consequence estimation. These include: models of the weathering and resuspension of material deposited on the ground; modeling of the ingestion pathway, i.e., the food chains ground-crop-man and ground-crop-animal-dairy/meat-man; internal and external dosimetry; and the health effects model parameters. Other sources of uncertainty arise from the assumed values of parameters that determine the effectiveness of emergency response, such as the shielding provided by the building stock in the area where people are assumed to shelter, the speed of evacuation, etc.

Comparisons of the results of different consequence codes, which embody different approaches and values of these parameters, on a standard problem are contained in a study sponsored by the Organization for Economic Co-operation and Development (OECD, 1994). An uncertainty analysis of the COSYMA code results using the expert elicitation method is currently being carried out (Jones, 1996).

3.4.2 Products

Documentation of the analyses performed to estimate the consequences associated with the accidental release of radioactivity to the environment should contain sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented for the Level 3 analysis:
* identification of the consequence code and the version used to carry out the analysis,
* a description of the site-specific data and assumptions used in the input to the code,
* specifications of the source terms used to run the code,
* discussion and definition of the emergency response parameters,
* a description of the computational process used to integrate the entire PRA model (Level 1 - Level 3), and
* a summary of all calculated results, including frequency distributions for each risk measure.

3.4.3 Analytical Tasks

A Level 3 PRA consists of two major tasks:

1. Consequence analyses conditional on various release mechanisms (source terms), and
2. Computation of risk by integrating the results of the Level 1, 2, and 3 analyses.

Task 1 - Consequence Analysis

The consequences of an accidental release of radioactivity from a nuclear power plant to the surrounding environment can be expressed in several ways: impact on human health, impact on the environment, and impact on the economy. The consequence measures of most interest to a Level 3 PRA focus on the impact to human health. They should include:

* number of early fatalities,
* number of early injuries,
* number of latent cancer fatalities,
* population dose (person-rem or person-sievert) out to various distances from the plant,
* individual early fatality risk as defined in the early fatality QHO, i.e., the risk of early fatality for the average individual within 1 mile of the plant, and
* individual latent cancer fatality risk as defined in the latent cancer QHO, i.e., the risk of latent cancer fatality for the average individual within 10 miles of the plant.

The consequence measures that focus on impacts to the environment include:

* land contamination, and
* surface water body (e.g., lakes, rivers, etc.) contamination.

Groundwater contamination has yet to be included in a Level 3 analysis, although it may be important to consider it in certain specific cases.

The economic impacts are mainly estimated in terms of the costs of countermeasures taken to protect the population in the vicinity of the plant.
These costs can include:

* short-term costs incurred in the evacuation and relocation of people during the emergency phase following the accident and in the destruction of contaminated food, and
* long-term costs of interdicting contaminated farmland and residential/urban property which cannot be decontaminated in a cost-effective manner, i.e., where the cost of decontamination is greater than the value of the property.

The costs of medical treatment for potential accident victims are not generally estimated in a Level 3 analysis, although approaches do exist for incorporating these costs (Mubayi, 1995) if required by the application.

The results of the calculations for each consequence measure are usually reported as a complementary cumulative distribution function. They can also be reported in terms of a distribution, for example, one that shows the 5th percentile, the 95th percentile, the median, and the mean.

A probabilistic consequence assessment (PCA) code is needed to perform the Level 3 analysis.
Such codes normally take as input the characteristics of the release or source term provided by the Level 2 analysis. These characteristics typically include, for each specified source term: the release fractions of the core inventory of key radionuclides, the timing and duration of the release, the height of the release (i.e., whether the release is elevated or at ground level), and the energy of the release. PCA codes incorporate algorithms for performing weather sampling on the plume transport in order to obtain a distribution of the concentrations and dosimetry which reflects the uncertainty and/or variability due to weather. The codes also model various protective action countermeasures to permit a more realistic calculation of doses and health effects and to assess the efficacy of these different actions in reducing consequences.

Several PCA codes are currently in use for calculating the consequences of postulated radiological releases. The NRC supports the use of the MACCS (Jow, 1990 and Chanin, 1993) and MACCS2 (Chanin and Young, 1997) PCA codes for carrying out nuclear power plant Level 3 PRA analyses. A number of countries in Europe support the use of the COSYMA (KfK and NRPB, 1991 and Jones, 1996) PCA code for their Level 3 analyses.

PCA codes require a substantial amount of information on the local meteorology, demography, land use, crops grown in various seasons, foods consumed, and property values. For example, the input file for the MACCS code requires the following information:

* Meteorology - one year of hourly data on: wind speed and direction, atmospheric stability class, precipitation rate, probability of precipitation occurring at specified distances from the plant site, and height of the atmospheric inversion layer.
* Demography - population distribution around the plant on a polar grid defined by 16 angular sectors and user-specified annular radial sectors, usually a finer grid close to the plant and one that becomes progressively coarser at greater distances.
* Land Use - fraction which is land, land which is agricultural, major crops, and growing season.
* Economic Data - value of farmland, value of nonfarm property, and annual farm sales.

The MACCS User Manual (Chanin, 1990) and the MACCS2 User Guide (Chanin and Young, 1997) may be consulted for a complete description of the site input data necessary.

In addition to site data, a PCA code should have provisions to model countermeasures to protect the public and provide a more realistic estimate of the doses and health effects following an accidental release. The MACCS code requires that the analyst make assumptions on the values of parameters related to the implementation of protective actions following an accident. The types of parameters involved in evaluating these actions include the following:

* delay time between the declaration of a general emergency and the initiation of an emergency response action, such as evacuation or sheltering; this delay time may be site specific,
* fraction of the offsite population which participates in the emergency response action,
* effective evacuation speed,
* degree of radiation shielding provided by the building stock in the area,
* projected dose limits for long-term relocation of the population from contaminated land, and
* projected ingestion dose limits used to interdict contaminated farmland.

The values assumed for the above (or similar) parameters need to be justified and documented since they have a significant impact on the consequence calculations.

In summary, the PCA code selected for the calculation of consequences should have the following capabilities:

* incorporate the impact of weather variability on plume transport by performing stratified or Monte Carlo sampling on an annual set of relevant site meteorological data,
* allow for plume depletion due to dry and wet deposition mechanisms,
* allow for buoyancy rise of energetic releases,
* include all possible dose pathways, external and internal (such as cloudshine, groundshine, inhalation, resuspension inhalation, and ingestion), in the estimation of doses,
* employ validated health effects models based, for example, on ICRP (1991) or BEIR V (National Research Council, 1990) dose factors for converting radiation doses to early and latent health effects, and
* allow for the modeling of countermeasures to permit estimation of a more realistic impact of accidental releases.

The above-cited methods for estimating consequences are, in general, adequate for accidents caused by internal initiating events during both full power operation and shutdown conditions. However, for external initiating events, such as seismic events, certain changes may be needed.
For example, the early warning systems and the road network may be disrupted so that initiation and execution of emergency response actions may not be possible. Hence, in addition to changing the potential source terms, a seismic event could also influence the ability of the close-in population to carry out an early evacuation. A Level 3 seismic PRA should, therefore, include consideration of the impacts of different levels of earthquake severity on the consequence assessment.

To use a consequence code, the following data elements are generally required:

* reactor radionuclide inventory,
* accident source terms defined by the release fractions of important radionuclide groups, the timing and duration of the release, and the energy and height of the release,
* hourly meteorological data at the site as recommended, for example, in Regulatory Guide 1.23 (NRC, 1986), collected over one or, preferably, more years and processed into a form usable by the chosen code,
* site population data from census or other reliable sources, processed in conformity with the requirements of the code, i.e., to provide population information for each area element on the grid used in the code,
* site economic and land use data, specifying the important crops in the area and the value and extent of farm and nonfarm property, and
* definition of the emergency response countermeasures, including the possible time delay in initiating response after declaration of warning and the likely participation in the response by the offsite population.

Task 2 - Computation of Risk

The final step in a Level 3 PRA is the integration of results from all previous analyses to compute individual measures of risk. The severe accident progression and the radionuclide source term analyses conducted in the Level 2 portion of the PRA, as well as the consequence analysis conducted in the Level 3 portion of the PRA, are performed on a conditional basis. That is, the evaluations of alternative severe accident progressions, resulting source terms, and consequences are performed without regard to the absolute or relative frequency of the postulated accidents.
The final computation of risk is the process by which each of these portions of the accident analysis is linked to the others in a self-consistent and statistically rigorous manner. An important attribute by which the rigor of the process is likely to be judged is the ability to demonstrate traceability from a specific accident sequence through the relative likelihood of alternative severe accident progressions and measures of associated containment performance (i.e., early versus late failure) and ultimately to the distribution of fission product source terms and consequences. This traceability should be demonstrable in both directions, i.e., from the accident sequence to a distribution of consequences and from a specific level of accident consequences back to the fission product source terms, containment performance measures, or accident sequences that contribute to that consequence level.

3.4.4 Task Interfaces

The current task requires a set of release fractions (or source terms) from the Level 2 analysis (Section 3.3) as input to the consequence analysis. The consequences are calculated in terms of: (1) the acute and chronic radiation doses from all pathways to the affected population around the plant, (2) the consequent health effects (such as early fatalities, early injuries, and latent cancer fatalities), (3) the integrated population dose to some specified distance (such as 50 miles) from the point of release, and (4) the contamination of land from the deposited material. The consequence measures to be calculated depend on the application as defined in the PRA Scope. Generally, in a Level 3 analysis, a distribution of consequences is obtained by statistical sampling of the weather conditions at the site. Each set of consequences, however, is conditional on the characteristics of the release (or source term), which are evaluated in the Level 2 analysis.

An integrated risk assessment combines the results of the Level 1, 2, and 3 analyses to compute the selected measures of risk in a self-consistent and statistically rigorous manner. The risk measures usually selected are: early fatalities, latent cancer fatalities, population dose, and the quantitative health objectives (QHOs) of the U.S. Nuclear Regulatory Commission (NRC) Safety Goals (NRC, 1986). Again, the actual risk measures calculated will depend on the PRA Scope.

3.4.5 References

Chanin, D. I., and M. L. Young, "Code Manual for MACCS2: Volume 1, User's Guide," SAND97-0594, Sandia National Laboratories, March 1997.

Chanin, D. I., et al., "MACCS Version 1.5.11.1: A Maintenance Release of the Code," NUREG/CR-6059, Sandia National Laboratories, October 1993.

Chanin, D. I., et al., "MELCOR Accident Consequence Code System (MACCS), Volume 1, User's Guide," NUREG/CR-4691, Sandia National Laboratories, February 1990.

Harper, F. T., et al., "Probabilistic Accident Consequence Uncertainty Analysis, Dispersion, and Deposition Uncertainty Assessment," NUREG/CR-6244, Sandia National Laboratories, 1995.

ICRP, 1990 Recommendations of the ICRP, Annals of the ICRP, Vol. 21, No. 1-3, ICRP Publication 60, International Commission on Radiological Protection, Pergamon Press, Oxford, England, 1991.

Jones, J. A., et al., "Uncertainty Analysis on COSYMA," Proceedings of the Combined 3rd COSYMA Users Group and 2nd International MACCS Users Group Meeting, Portoroz, Slovenia, 41228-NUC 96-9238, KEMA, Arnhem, the Netherlands, September 16-19, 1996.

Jow, H. N., et al., "MELCOR Accident Consequence Code System (MACCS), Volume II, Model Description," NUREG/CR-4691, Sandia National Laboratories, February 1990.

KfK and NRPB, "COSYMA - A New Program Package for Accident Consequence Assessment," CEC Brussels, EUR 13028, Kernforschungszentrum (Karlsruhe) and National Radiological Protection Board, 1991.

Mubayi, V., et al., "Cost-Benefit Considerations in Regulatory Analysis," NUREG/CR-6395, Brookhaven National Laboratory, 1995.

National Research Council, "Health Effects of Exposure to Low Levels of Ionizing Radiation," BEIR V, Washington, DC, 1990.

NRC, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, Vol. 1, Main Report, U.S. Nuclear Regulatory Commission, 1990.

NRC, "Safety Goals for the Operation of Nuclear Power Plants," Policy Statement, Federal Register, Vol. 51, No. 149, U.S. Nuclear Regulatory Commission, August 4, 1986.

NRC, Onsite Meteorological Programs, Regulatory Guide 1.23, U.S. Nuclear Regulatory Commission, April 1986.

NRC, PRA Procedures Guide - A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, NUREG/CR-2300, Vol. 2, U.S. Nuclear Regulatory Commission, 1983.

OECD, "Probabilistic Accident Consequence Assessment Codes, Second International Comparison," Organisation for Economic Co-operation and Development, Nuclear Energy Agency, Paris, France, 1994.
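The risk integration of Task 2 (Section 3.4.3) and the two-way traceability it calls for, as an added example that is not part of the guide. The plant damage states, progression bins, release categories and weather-sampled consequences below are constructed, and the chain PDS -> progression bin -> release category -> weather trial is an assumed organization of the linked model, not the structure of any particular code.

```python
"""Integration of Level 1, 2 and 3 results into risk measures, with forward and
backward traceability.  Added example, not from the guide; all plant damage
states, progression bins and consequence samples below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class ProgressionBin:
    """One alternative severe accident progression (Level 2)."""
    name: str
    containment: str          # containment performance measure (early/late/none/bypass)
    release_category: str     # source term group fed to the Level 3 analysis
    cond_prob: float          # probability conditional on the plant damage state


@dataclass(frozen=True)
class PlantDamageState:
    name: str
    frequency: float          # per reactor-year, from the Level 1 analysis
    bins: Tuple[ProgressionBin, ...]


# Level 3 output per release category: weather-sampled consequences as
# (probability of the weather trial, early fatalities, latent cancer fatalities)
ConsequenceSample = Tuple[float, float, float]
MEASURE_INDEX = {"early_fatalities": 1, "latent_cancer_fatalities": 2}


@dataclass(frozen=True)
class Contribution:
    """One fully linked path: PDS -> progression bin -> source term -> weather trial."""
    pds: str
    bin: str
    containment: str
    release_category: str
    frequency: float          # per reactor-year, weather probability folded in
    consequence: float


def link(pds_list: Sequence[PlantDamageState],
         consequences: Dict[str, Sequence[ConsequenceSample]],
         measure: str) -> List[Contribution]:
    """Turn the conditional Level 2/3 results into absolute-frequency terms."""
    idx = MEASURE_INDEX[measure]
    out: List[Contribution] = []
    for pds in pds_list:
        for b in pds.bins:
            for sample in consequences[b.release_category]:
                out.append(Contribution(pds.name, b.name, b.containment, b.release_category,
                                        pds.frequency * b.cond_prob * sample[0], sample[idx]))
    return out


def release_category_frequency(pds_list: Sequence[PlantDamageState]) -> Dict[str, float]:
    """Frequency (per reactor-year) of each source term group, the Level 2 output."""
    freq: Dict[str, float] = defaultdict(float)
    for pds in pds_list:
        for b in pds.bins:
            freq[b.release_category] += pds.frequency * b.cond_prob
    return dict(freq)


def exceedance_frequency(contribs: Sequence[Contribution], level: float) -> float:
    """One point of the complementary cumulative distribution function."""
    return sum(c.frequency for c in contribs if c.consequence > level)


def mean_risk(contribs: Sequence[Contribution]) -> float:
    """Frequency-weighted mean consequence (e.g. early fatalities per reactor-year)."""
    return sum(c.frequency * c.consequence for c in contribs)


def trace_back(contribs: Sequence[Contribution], level: float, key: str) -> Dict[str, float]:
    """Backward traceability: share of the exceedance frequency at `level`
    attributable to each value of `key` (pds, bin, containment or release_category)."""
    total = exceedance_frequency(contribs, level)
    shares: Dict[str, float] = defaultdict(float)
    for c in contribs:
        if c.consequence > level:
            shares[getattr(c, key)] += c.frequency / total
    return dict(sorted(shares.items(), key=lambda kv: -kv[1]))


def trace_forward(contribs: Sequence[Contribution], pds_name: str) -> Dict[float, float]:
    """Forward traceability: conditional consequence distribution for one PDS."""
    weight: Dict[float, float] = defaultdict(float)
    for c in contribs:
        if c.pds == pds_name:
            weight[c.consequence] += c.frequency
    total = sum(weight.values())
    return {k: v / total for k, v in sorted(weight.items())}


# Constructed model: two plant damage states, three release categories.
PDS_LIST = (
    PlantDamageState("SBO-high-pressure", 2e-5, (
        ProgressionBin("early CF", "early failure", "RC1", 0.1),
        ProgressionBin("late CF", "late failure", "RC2", 0.6),
        ProgressionBin("intact", "no failure", "RC3", 0.3))),
    PlantDamageState("SGTR-bypass", 5e-6, (
        ProgressionBin("bypass", "bypass", "RC1", 1.0),)),
)
CONSEQUENCES: Dict[str, Sequence[ConsequenceSample]] = {
    "RC1": [(0.5, 5.0, 300.0), (0.5, 20.0, 900.0)],   # large early release
    "RC2": [(0.5, 0.0, 100.0), (0.5, 0.0, 250.0)],    # late release
    "RC3": [(1.0, 0.0, 2.0)],                          # design leakage only
}

if __name__ == "__main__":
    ef = link(PDS_LIST, CONSEQUENCES, "early_fatalities")
    for level in (0.0, 10.0):
        print(f"F(EF > {level:g}) = {exceedance_frequency(ef, level):.2e} /ry")
    print("contributors to EF > 10:", trace_back(ef, 10.0, "containment"))
```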
- 3. Technical Activities 3-1193.5Flood AnalysisThe analytical tasks associated with a Level 1probabilistic risk assessment (PRA) for accidentsinitiated by events internal to the plant (such as transients and loss-of-coolant accidents) aredescribed in previous chapters. Other events bothinternal and external to the plant can cause unique initiating events or influence the way in which aplant responds to an accident. Chapter 1 identifiesthree types of events (i.e., internal fires, internalfloods, and seismic events) that requiremanipulation of the Level 1 internal event PRA in order to adequately model the plant response.In this section, the way in which a Level 1 PRA ismodified in order to model accidents initiated byinternal floods is described.
3.5.1 Assumptions and Limitations

When preparing this section, some assumptions and limitations were made as indicated below:

* It is assumed that flood and spray incidence data from VVERs are available. The flood and spray incidence data should be of sufficient resolution to allow characterization according to the source of the flood or spray (e.g., piping failure, tank failure, etc.) and any other characteristics of the postulated event (e.g., maintenance error, passive failure, dynamic failure, etc.).
* It is assumed that a reasonable and practical quantitative screening criterion for culling out risk-insignificant events can be developed that would facilitate the completion of this task.
* The guidelines presented closely parallel those given in the procedure guide for the task Fire Analysis because of the similarity in the basic activities involved. However, since different analysts typically undertake the consideration of fire and flood analyses, individual procedure guides have been developed for each activity. Also, detailed phenomenological analyses are typically of secondary importance in conducting investigations of the impact of internal hazards in support of a PRA. Such investigations have the characteristic approach that can be described as an "iterative conservative screening" of scenarios.
* Care should be taken to include in the analysis those scenarios initiated by a non-flood incident (such as a pipe break) that might involve the introduction of water or steam into areas that include equipment of interest in the PRA. This requires the analyst to work closely with those who are developing the event sequence models to assure that all such events are accounted for in the model. Normally, the impact of flood water, spray, or steam resulting directly from a pipe break is already considered in the event sequence model if the failure results in a reactor or turbine trip.
* Analyses for other internal hazards (other than fire or flood) identified in the task Spatial Interactions should be carried out as part of this task using the guidelines presented here. Such hazards could include the dropping of heavy objects or the spillage or leakage of caustic material.

3.5.2 Products

During the conduct of this task, the scenario tables initiated in the Spatial Interactions Task are expanded upon and refined (an example of such a table is provided in Appendix C). The completed and refined scenario tables make up a key product for this effort.

A description of the methodology and the data analyses utilized to perform the flood analysis will be developed.

3.5.3 Analytical Task

While the internal flooding analysis of a PRA uses much the same processes and has the same attributes as a traditional full power internal events PRA, the internal flooding analysis requires a significant amount of work to define and screen the most important flood sources and possible scenarios for further evaluation. These differences are described below in general terms. More detailed guidance can be found in NRC (1997) and Bohn (1990).

The specific goals of this task include the development of a flood frequency database, the determination of the frequency of specific flood scenarios, the further development and refinement of flood scenarios, the determination of the flood damage to equipment and of the plant response, and the quantification of the flood-induced scenarios including the assignment to specific plant damage states.

The hazard occurrence frequency and a set of "worst-case" plant impacts are assessed for each scenario developed in the spatial interactions analysis. Each scenario is then screened quantitatively to determine its risk significance in relation to other initiating events. Scenarios that are quantitatively insignificant are documented and removed from further consideration. If a scenario remains quantitatively significant compared with the screening criteria, it is retained for further evaluation. Additional analyses are then performed to systematically refine the hazard initiating event frequency and its functional impacts and to develop a more realistic assessment of its risk significance. During this process, the original flood or spray scenario is often subdivided into more detailed scenarios to more specifically account for actual impacts that can occur within the hazard location.
Screening is, therefore, performed at various stages of the scenario-refinement process until final quantification of the PRA event sequence models. The goals are accomplished by the performance of five tasks:

1. Assessment of the Flood and Spray Occurrence Frequencies,
2. Assessment of Worst-case Plant Impact,
3. Performance of Quantitative Scenario Screening,
4. Refinement of Scenario Frequency and Impact Analysis,
5. Retention of Risk Significant Scenarios.

Each of these activities is discussed below, making use of the information found in Bohn (1990).

Task 1 - Assessment of Flood and Spray Occurrence Frequencies

The objective of the scenario frequency assessment is to consistently quantify a plant-specific hazard occurrence rate for each location identified in the task Spatial Interactions as being vulnerable to the impacts of internal floods or spray.

Since a quantitative screening process is to be performed during the detailed scenario analysis phase of the internal plant hazards analysis, it is very important that the hazard occurrence frequencies assessed during this activity of the process satisfy the following objectives:

* The hazard scenario frequency must consistently account for industry flood and spray data and any plant-specific experience that had occurred in the type of location being modeled.
* The hazard scenario frequency must provide a conservative upper bound in case more detailed event scenarios need to be developed for the location. In these cases, the total scenario frequency may be consistently subdivided to more realistically represent any specific event scenario in the location. Having a conservative upper-bound frequency for the gross scenario implies that the frequency of these more subtle, refined scenarios is captured, even after screening.

These objectives are somewhat counteractive. The first goal is to develop an event frequency that is as realistic as possible for a plant-specific risk assessment. The second goal is to develop an event frequency that is sufficiently conservative to ensure that the hazard scenario is not inappropriately screened from the PRA models. Thus, in effect, the analysis must develop an initial frequency estimate that is "reasonably conservative" for each defined scenario.

This first activity involves a thorough review of the industry experience data to develop a "specialized generic database." This database should account for design features of the plant, the scope of the PRA models, and the characteristics of the specific hazard. Each event in the industry-experience database should be reviewed to determine its applicability and to categorize the event with respect to the types of hazard scenarios defined. As for flood incidence data, if data from plants other than VVERs are used, care must be taken to interpret the data properly.

The resulting database should contain summaries of only those events that are relevant for the plant being modeled, for the specific operating conditions being evaluated, and for the specific scope of the functional impact locations and hazard scenarios defined in the analysis. This database should be documented and should provide the generic industry experience input to the hazard frequency analysis.
A two-stage Bayesian analysis combines the industry data with actual experience from the plant. The first stage of the Bayesian analysis develops a generic frequency distribution for each hazard that consistently accounts for the observed site-to-site variability in the industry experience data. The second stage updates this generic frequency to account specifically for the actual historical experience at Kalinin.

Estimates are made of the fraction of each hazard and hazard type for each location. These estimates are necessary in order to partition the hazard occurrence frequencies to specific locations. In most cases, it is necessary to combine data for various types of hazards to develop the best possible frequency estimate for a particular location.

This process is consistent with the evaluation of all other data in the PRA, including the frequencies for internal initiating events, component failure rates, component maintenance unavailabilities, and equipment common-cause failures.

Task 2 - Assessment of Worst-Case Plant Impact for Each Scenario

In the task Spatial Interactions, PRA-related equipment that may be damaged by each hazard in a particular functional impact location was identified. In this activity, analysts who are very familiar with the PRA event sequence models and system fault trees develop a conservatively bounding set of impacts for each hazard scenario. These impacts determine the specific equipment failure modes assigned when the hazard scenario is evaluated in the PRA risk models.

The initial assessment of these impacts is considered to be the worst-case combination of failures that could reasonably be caused by the hazard. It is important to ensure that the assigned impacts provide a conservative upper bound for all actual failures that may occur during any flood or spray scenario in the location. If it is determined that the scenario is quantitatively insignificant with these bounding impacts, then there is assurance that a more realistic evaluation would confirm that the attendant risk would also be much lower than the screening value.

At this point in the analysis, it is conservatively assumed that all equipment in the location is damaged by the hazard (either by submergence or spray), regardless of the size of the location, the number of affected components, and the observed distribution of hazard severities. The assumed failure mode for flood or spray events is usually loss of function of the susceptible equipment. For most locations, this assessment provides numerical risk contributions that may be several times higher than those that would be evaluated through a more detailed analysis. This is because the occurrence frequency for most hazards is dominated by relatively insignificant events, e.g., relatively small leakage events. However, the impacts are postulated to be the result of an extremely large flood or spray event, which is a highly unlikely, low frequency event. This approach ensures that a conservative upper bound is evaluated for the risk contribution from any hazard event that may damage multiple components within the location. That is, an event frequency of more frequent, insignificant events is linked to postulated impacts that may be attributable to a less frequent, more catastrophic scenario.

The impact assessments do not account for the relative timing of possible failures or for design features that may prevent certain combinations of failures. For example, the PRA success criteria may require that a pump must be tripped to avoid possible damage after loss of oil cooling. A possible flood scenario may affect a control panel for the cooling water supply pump. The worst-case impacts from this scenario are bounded by the following combination of conditions:

* It is assumed that the cooling water supply is disabled by the flood event. This condition requires that the pump must trip.
* It is assumed that the pump trip circuits are disabled by the flood or spray event if these circuits are located in the same susceptible cabinet.
* It is assumed that power remains available for the pump motor until the pump is damaged because of lack of cooling.

The impact assessments do not account for possible operator actions to override or bypass faulty control circuits or to operate equipment locally. No recovery actions are modeled for any damage caused directly by the hazard event. Other operator actions are modeled only within the context of the entire sequence of events initiated by the hazard scenario, consistently with dynamic actions evaluated for similar internal initiating events. Accordingly, the most conservative combination of impacts that could possibly occur, without regard to the relative timing of failures or the actual likelihood for any of the specific impacts, is used in this assessment.

As this activity proceeds, the affected PRA equipment and the functional impacts from each hazard scenario are listed in data entry 7 of each scenario table. In most cases, explanatory notes are also provided in data entry 9 to more completely document the bases for the assigned impacts.

If a particular hazard scenario requires more detailed analysis, this activity is the starting point since the refinement process may involve several iterations. Each iteration typically includes a critical reexamination of only the most important impacts to plant equipment for that scenario. Conservatively bounding assumptions are retained for impacts that have a relatively insignificant effect on overall risk. The goals of this process are to successively relax the most significant worst-case assumptions for each scenario, while retaining an overall conservative approach throughout the screening process.

Task 3 - Performance of Quantitative Scenario Screening

Each flood or spray scenario is characterized by a hazard occurrence frequency and a set of functional impacts that affect the availability of various PRA components and systems. In this activity of the analysis, each scenario is propagated through the PRA risk models to determine a quantitative upper bound for its total contribution to plant risk. In the Kalinin PRA, it may be appropriate to add house events to the system fault trees to represent the impact of specific environmental hazard-induced failures.
Note that since the same plant event sequence logic models are used to quantify the impact of the postulated environmental hazards as were used for the internal event initiators, the plant damage state assignments are consistent with those already developed for the internal events model.

In general, each scenario results in a large number of individual detailed event sequences determined by the combined effects from failures induced by the internal flood scenario, independent equipment successes and failures, and appropriate operator actions. All sequences that lead to core damage are recorded, and the total core damage frequency is compared with a numerical screening criterion to determine the relative risk significance of the scenario.

* If the total core damage frequency from all sequences initiated by the scenario falls below the screening criterion, it is concluded that the hazard produces an insignificant contribution to overall plant risk. The screening evaluation is documented, and the scenario is removed from further consideration in the PRA models.
* If the total core damage frequency from the scenario is higher than the screening criterion, the scenario is retained for further analysis in the PRA.
* If the potential plant damage state consequences from the scenario are unusual or severe, the scenario is retained for further analysis, even if its total core damage frequency is below the screening criterion.

Although the mechanics of this process are quite straightforward, several considerations must be noted to develop the proper perspective and context for this critical activity in the analysis.

The methods used to assess the hazard initiating event frequency and the scenario impacts ensure that the evaluated core damage frequency is a conservative upper bound for the actual core damage frequency that may occur from any particular scenario in the location. The amount of conservatism depends on a variety of factors, which cannot be estimated directly without considerable examination of the underlying models and analyses. However, the applied methods provide assurance that the conditional core damage resulting from this scenario will not occur at a higher frequency.

This screening approach is not unique to the evaluation of internal plant hazards. Implicit and explicit screening criteria are applied at all levels of a practical risk assessment. The issue of basic event truncation in previous tasks can be construed as some form of screening. It is worth noting that the screening criterion used in this task effectively defines an absolute lower limit for the resolution of concerns about the risk significance from internal plant hazards. Scenarios that fall below the limit are, by definition, considered to be insignificant, and the relative importance of each scenario that remains above the limit is evaluated consistently with all other events modeled in the PRA.

Selection of the numerical screening criterion is not a simple task. There are no general guidelines or "accepted" numerical values that can be broadly applied for any particular analysis. The selected value should be:

* low enough to ensure that the screened scenarios are truly insignificant to the total risk,
* high enough to facilitate a practical analysis and to limit efforts to develop detailed models for unimportant events, and
* relatively insensitive to any future refinements in the PRA event sequence models, system analyses, and data.

Based on the above, the screening process should begin when the results from the internal initiating events phase have reached a point of relative maturity and stability, i.e., a point at which the internal events results are not expected to change "significantly." Screening values are typically selected to ensure that the total core damage frequency from each screened scenario is less than approximately 0.05 percent to 0.1 percent (i.e., 1/20 to 1/10 of 1 percent) of the total core damage frequency from all other contributors.
Thus, for example, if the screening criterion is numerically equal to 0.1 percent of the total core damage frequency from all other causes, an absolute minimum of 1,000 screened hazard scenarios would be needed to double the total core damage frequency. If the screening analysis is performed at an earlier stage of the PRA modeling process, it is generally recommended that the screening values be set at an even smaller percentage of the preliminary core damage frequency. This avoids the need for inefficient rescreening of the internal hazard scenarios after modeling refinements reduce the contributions from all other initiators.

The final screening value thus cannot be determined at this time. For perspective, however, the screening value used in one recent study was 1 x 10^-9 core damage event per year.

Task 4 - Refinement of Scenario Frequency and Impact Analysis

Each hazard scenario having a total core damage frequency that exceeds the screening criterion is retained for further analysis in the PRA models. If further analysis is warranted, an iterative process is performed to refine the models. This process involves careful reexamination of all assumptions and successive application of the previous analysis activities to systematically develop more realistic models for the scenario definition, the hazard frequency, and the assigned impacts. One or more of the following refinements are typically made during this phase of the analysis:

* The scenario may be subdivided into a set of several constituent scenarios that are based on physical characteristics of the location and the hazard sources. This process allows the assignment of more realistic equipment impacts from each of the specific hazard conditions.
* The hazard may be subdivided into various severity levels that are based on observed experience from the generic and plant-specific databases. Each hazard severity level is examined to define a more realistic set of impacts that could be caused by an event with that severity.
* The assumed impacts from control circuit malfunctions may be reexamined to determine whether the assumed failure modes can actually occur in combination. Models may also be developed to probabilistically account for the relative timing of these failures.
* The event sequences that are initiated by the hazard may be refined to include possible operator recovery actions that may be put into place to mitigate the hazard or its impacts before specific event sequences progress to core damage.

The refinements applied for a particular scenario depend on specific characteristics of the hazard, the location, and the functional impacts from the original analysis. The results from the screening evaluations often provide valuable insights about the most important assumptions and conservatisms that must be reexamined. The refinement process for a particular scenario may involve several iterations. Each iteration typically includes a critical reexamination of only the most important impacts for that scenario. Conservatively bounding assumptions are retained for all impacts that remain relatively insignificant to overall risk. The goals of this process are to systematically relax the most significant worst-case assumptions for each scenario, while retaining an overall conservative approach throughout successive screening evaluations.

Whenever a hazard scenario is subdivided, a separate summary table is developed to document each refined scenario. These tables have the same format as the original scenario tables. They list the frequency for each refined hazard event and the specific impacts assigned to that event. The tables also document all deterministic and probabilistic analyses performed to develop the scenario frequency and its impacts. Each refined scenario is reevaluated in the PRA event trees and fault trees, and the results are reexamined in relation to the quantitative screening criteria.

Scenario refinement can continue further if warranted. Analyses that consider leakage rates, drainage rates, component vulnerabilities, and potential mitigative actions, for example, can be used to support the removal of conservatisms in selected scenarios. It is expected that such analyses will be required only for a limited number of flood or spray scenarios.

Task 5 - Retention of Risk-Significant Scenarios

A combination of technical and practical considerations determines the final set of scenarios retained for quantification in the PRA results. All scenarios that exceed the quantitative screening criteria are retained in the PRA models.
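The arithmetic that Tasks 1, 3 and 5 above rest on (partitioning plant-wide hazard rates to a location, updating a generic rate with the plant's own experience, deriving the screening criterion from the core damage frequency of other contributors, and applying the three retention rules) as an added Python example. This is illustrative code written for this page, not code from the procedure guide or from any PRA tool, and every rate, location fraction and conditional core damage probability in it is a constructed sample value, not Kalinin data. The first Bayesian stage is simplified here to a moment fit of a gamma distribution to the industry site-to-site rates; that simplification is an assumption of the example, and the guide's population-variability analysis is more involved.

```python
"""Flood-scenario frequency, screening and retention for a Level 1 PRA.

Added illustration of Tasks 1, 3 and 5 of the flood analysis; not code from
the procedure guide. All numbers below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


# ---- Task 1: hazard occurrence frequency ----------------------------------

def fit_generic_gamma(site_rates: List[float]) -> Tuple[float, float]:
    """Stage 1 (simplified): describe the site-to-site variability of a
    hazard rate by a gamma(shape, rate) distribution matched to the sample
    mean and variance of the industry rates. Assumption made for this
    example; the guide's population-variability analysis is more involved."""
    n = len(site_rates)
    mean = sum(site_rates) / n
    var = sum((r - mean) ** 2 for r in site_rates) / (n - 1)
    shape = mean ** 2 / var
    rate = mean / var                  # units: plant-years
    return shape, rate


def update_with_plant_experience(shape: float, rate: float,
                                 events: int, plant_years: float) -> float:
    """Stage 2: conjugate gamma-Poisson update with the plant's own record
    (events observed over plant_years). Returns the posterior mean rate."""
    return (shape + events) / (rate + plant_years)


def location_frequency(plant_rates: Dict[str, float],
                       fraction_in_location: Dict[str, float]) -> float:
    """Partition plant-wide hazard rates to one location: sum over sources
    of (plant-wide rate x fraction of that source found in the location)."""
    return sum(r * fraction_in_location.get(src, 0.0)
               for src, r in plant_rates.items())


# ---- Task 3 / Task 5: quantitative screening and retention ----------------

@dataclass
class Scenario:
    name: str
    frequency: float            # flood/spray occurrence rate per year (Task 1)
    ccdp: float                 # conditional core damage probability with the
                                # worst-case impacts of Task 2 propagated
                                # through the PRA models
    unusual_pds: bool = False   # unusual or severe plant damage state


def screening_criterion(cdf_other_contributors: float,
                        fraction: float = 0.001) -> float:
    """Criterion as a fraction (0.05 to 0.1 percent) of the core damage
    frequency from all other contributors."""
    return fraction * cdf_other_contributors


def scenarios_needed_to_double(fraction: float) -> int:
    """Minimum number of screened scenarios, each sitting exactly at the
    criterion, that would be needed to double the total core damage
    frequency."""
    return round(1.0 / fraction)


def screen(scenarios: List[Scenario], criterion: float):
    """Apply the three retention rules. Returns (retained, screened), each a
    list of (scenario, bounding core damage frequency) pairs."""
    retained, screened = [], []
    for s in scenarios:
        cdf = s.frequency * s.ccdp
        if cdf >= criterion or s.unusual_pds:
            retained.append((s, cdf))
        else:
            screened.append((s, cdf))
    return retained, screened


def screened_upper_bound(screened) -> float:
    """Composite conservative upper bound on the core damage frequency from
    the screened scenarios: the sum of their own bounding values."""
    return sum(cdf for _, cdf in screened)


def run_example():
    # Constructed industry piping-failure rates at six plants (per plant-year)
    industry_piping = [0.02, 0.05, 0.03, 0.08, 0.04, 0.06]
    shape, rate = fit_generic_gamma(industry_piping)
    piping = update_with_plant_experience(shape, rate, events=1, plant_years=20)
    plant_rates = {"piping failure": piping, "tank failure": 0.005}
    # Constructed fraction of each source located in the turbine hall
    turbine_hall = location_frequency(
        plant_rates, {"piping failure": 0.25, "tank failure": 0.5})
    criterion = screening_criterion(2.0e-5)  # constructed CDF of other initiators
    scenarios = [
        Scenario("TH-1 turbine hall piping break", turbine_hall, 1.0e-5),
        Scenario("AB-2 auxiliary building tank leak", 0.002, 5.0e-6),
        Scenario("AB-3 spray on control cabinet", 0.001, 1.0e-6, unusual_pds=True),
    ]
    retained, screened = screen(scenarios, criterion)
    return {
        "piping_rate": piping,
        "turbine_hall_frequency": turbine_hall,
        "criterion": criterion,
        "retained": [s.name for s, _ in retained],
        "screened": [s.name for s, _ in screened],
        "screened_bound": screened_upper_bound(screened),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

In the constructed data the turbine-hall scenario is retained on frequency alone, the auxiliary-building tank leak is screened out, and the control-cabinet spray is retained by the third rule despite a core damage frequency an order of magnitude below the criterion. The sum returned by `screened_upper_bound` is the composite screening value that Task 5 describes: a bound, not an estimate, of what the screened scenarios contribute.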
However, the degree of refinement may vary considerably among these scenarios:

* In some cases, the worst-case core damage frequency estimate for an initial hazard scenario may be numerically higher than the screening value, but the scenario remains a very small contribution to overall plant risk. Extensive effort to further refine these scenarios is not justified by practical considerations, and they are simply retained in the PRA results with their conservatively bounding frequencies and impacts.
* In other cases, a scenario may be retained only after considerable additional analyses have been performed to refine conservative assumptions about its frequency and impacts, either by refining the scenarios or by using phenomenological modeling.

Because of these differences, it is not possible to develop meaningful estimates for the amount of conservatism that may remain in any particular scenario. However, the scenarios that have been reanalyzed should contain less conservatism than scenarios retained from an earlier stage of the analysis.

It is not possible to develop any meaningful numerical estimates for the "actual" core damage frequency associated with the screened scenarios. The analysis process is structured to ensure that this frequency is very small compared with other contributors to plant risk, but the value is certainly not zero. In support of the analysis conclusions, it is only possible to examine a conservative upper-bound numerical value that may be derived from the successive screening evaluations. This value is certainly neither a best nor a realistic estimate of the core damage frequency from these scenarios. However, the "true" core damage frequency must be considerably lower than this composite screening value.

The approach outlined in this procedure guide is structured to produce a systematic, top-down, iterative estimate of the risk due to postulated internal flood or spray events. A parallel and very similar approach is adopted to determine the risk associated with fires. Both analyses rely on the results of a structured spatial interactions analysis.

Specific scenarios that involve flooding or spraying of hot water or steam can degrade the ambient environment. However, not much information is available concerning the operation of equipment in high temperature or humid environments. In that case, it is usually assumed that the equipment would fail (fail to continue to run or fail to start for motors; fail to transfer for valves) if the environmental qualification envelope for the particular piece of equipment is exceeded. Consideration of the environmental impact on control circuitry (especially solid-state equipment) is more complex. Control failures and/or spurious signals can be postulated. The analysis should clearly specify what failure modes are modeled and should outline the rationale for choosing these failure modes.

The development of flood scenarios should include the consideration of propagation of the flood via doorways, drains, and ventilation ductwork. These pathways should have been considered in the information developed as part of the task Spatial Interactions. In addition, if the failure of barriers or structures due to static loading is credible and could lead to a more severe flood impact, failure of such barriers should also be considered.

Typically, no credit is taken for drains as a means of mitigating a flood unless it is found in subsequent iterations that the drains may be an important factor in the definition of the scenario. In that case, their performance should be investigated, at least probabilistically. In some plants, the flow characteristic of individual drains has not been demonstrated since start-up, in which case assurances must be given that construction material or other debris has not significantly altered the capabilities of the specific drains under consideration.

Flood frequencies are derived for a generic nuclear power plant based on potential flood sources. For example, a flood frequency may be determined for "heat exchangers" (due, for example, to errors during maintenance events) at a nuclear power plant similar to the one under consideration using industry data. Although "generic" in nature, the data is specialized and screened to match closely the characteristics of the specific plant under consideration.
The generic flood hazard frequencies are to be updated with the actual experiences at Kalinin.

The location of the specific hazards has been determined in the task Spatial Interactions. Estimates are required in this task for the fractions of each flooding source (e.g., tanks or piping) found in each location.

For a specific location, the frequency of occurrence of a flood or spray of any size is determined by summing the fractional contribution of occurrence from each flood or spray hazard found in that location.

A quantitative screening value is developed to identify those scenarios that will be carried forward in the analysis. Only those scenarios that contribute appreciably to the frequency of core damage (or to specific undesirable plant damage states) are retained for further analysis and/or refinement.

Refinement may involve such considerations as the extent of the damage initially postulated. The process proceeds until the scenarios that remain appropriately represent the risk associated with internal floods while containing acceptable conservatisms.

3.5.4 Task Interfaces

The current task utilizes the same overall analysis approach and procedures developed for the internal event PRA. In particular, this task builds on the information developed in the task on Spatial Interactions. The conduct of this task will require input from the tasks on Initiating Event Analysis, Frequency of Initiating Events, Event Sequence Modeling, and System Modeling. As scenarios are being developed to address floods, it is likely that specific operator actions will be identified, thus requiring an interface with the task Human Reliability Analysis.

Output from the Flood Analysis task provides information on accident sequence definition and on frequency of occurrence directly to the Level 2 task, which in turn provides source term information to the consequence and risk integration task. Whether or not Level 2/3 analyses are performed depends on the scope of the PRA.

3.5.5 References

Bohn, M. P., and J. A. Lambright, "Procedures for the External Event Core Damage Frequency for NUREG-1150," NUREG/CR-4840, Sandia National Laboratories, November 1990.

NRC, The Use of PRA in Risk-Informed Applications, NUREG-1602, Draft Report for Comment, June 1997.

3.6 Fire Analysis

The analytical tasks associated with a Level 1 probabilistic risk assessment (PRA) for accidents initiated by events internal to the plant (such as transients and loss-of-coolant accidents) are described in previous sections. Other events both internal and external to the plant can cause unique initiating events or influence the way in which a plant responds to an accident. In this section, the way in which a Level 1 PRA is modified in order to model accidents initiated by internal fires is described.

3.6.1 Assumptions and Limitations

When preparing this section, some assumptions and limitations were made as indicated below:

1. It is assumed that fire incidence data from VVERs are available. The fire data should be of sufficient resolution to allow categorization according to fire source (e.g., cable, switchgear, logic cabinet, etc.). If data are not available, or are incomplete, expert knowledge can be utilized.
2. The approach outlined for treating the possibility of damage to electric cables due to fire assumes that cable function and routing information are known. If this is not the case, alternative approaches are available to address this type of damage. These alternative approaches will tend to be more conservative and overstate the contribution to core damage due to fire. One such alternative would be to assume that if a fire damages a cable of a given division, then all equipment in that division is assumed to be unavailable. Refinements to that alternative approach are, of course, possible if limited cable routing and function information are known.
3. A simple and straightforward treatment of "hot shorts" and open circuits in control circuits is outlined herein. This approach, which does not treat the time dependence of circuit damage modes in a sophisticated manner, is assumed to adequately and conservatively represent the functional impact from these damage phenomena. A more advanced approach to circuit analysis is provided in LaChance (2003).
4. This investigation has a characteristic approach that can be described as an iterative conservative screening of scenarios. The approach is to successively relax the most significant worst-case assumptions of each fire-initiated scenario and re-evaluate the impact of the fire on plant performance. Detailed phenomenological fire growth analyses found in such computer codes as COMPBRN (Ho et al., 1991) are typically of secondary importance for assessing the overall impact of fire hazards. Through conservative screening, there might be a few scenarios which may warrant the use of these types of detailed analyses in support of a typical fire PRA. It is assumed that a reasonable and practical quantitative screening criterion can be developed that would facilitate the completion of this task with minimal use of complex fire modeling codes.
5. It should also be noted that these guidelines closely parallel those needed to perform the task Flood Analysis. Although these guidelines might seem to duplicate those found in the task Flood Analysis, individual procedure guides have been developed since different analysts are presumed to perform these tasks separately.

3.6.2 Products

During the performance of this task, the scenario tables that were initiated in the Spatial Interactions Task are expanded upon and refined (an example of such a table is provided in Appendix D). The completed and refined scenario tables make up a key product for this effort.

A description of the methodology and the analyses utilized to perform the fire analysis will be developed.

3.6.3 Analytical Tasks

A full power internal fire PRA utilizes the same overall analysis approach and procedures used in performing a full power traditional internal events PRA. In fact, there are many points of commonality between the traditional internal events analysis and an internal fire risk analysis.
These include the use of the same fundamental plant systems models (event trees and fault trees), similar treatment for random failures and equipment unavailability factors, similar methods of overall risk and uncertainty quantification, and similar methods for the plant recovery and human factors analysis. Consistency of treatment of these commonalities is an important feature in a fire risk analysis. Although the overall evaluation process is the same, there are differences in the events postulated to occur in response to an internal fire event as compared to those from a traditional internal event. These differences are described below in general terms. More detailed guidance can be found in NRC (1997) and Bohn (1990).

The specific goals of this task include the development of a fire frequency database, the determination of the frequency of specific fire scenarios, the further development and refinement of fire scenarios (including the consideration of fire growth and suppression), the determination of the fire damage and plant response, and the quantification of the fire scenarios including the assignment to specific plant damage states.

The hazard occurrence frequency and a set of "worst-case" plant impacts are assessed for each scenario developed in the spatial interactions analysis. Each scenario is then screened quantitatively to determine its risk significance in relation to other initiating events. Scenarios that are found to be quantitatively insignificant are documented and removed from further consideration. For those scenarios that are retained, additional analysis is performed to systematically refine the initiating event frequency and functional impacts and to develop a more realistic assessment of the risk significance of each retained scenario. Section 4 of Bohn and Lambright (1990) provides a more detailed discussion of the analysis of fire-induced scenarios, once the fire scenarios have been identified.

The goals for this activity are accomplished by the performance of five tasks:
1. Assessment of the Fire Hazard Occurrence Frequencies
2. Assessment of Worst-case Plant Impact for Each Scenario
3. Performance of Quantitative Scenario Screening
4. Refinement of Scenario Frequency and Impact Analysis
5. Retention of Risk Significant Scenarios.
Each of these activities is discussed below.

Task 1 - Assessment of the Fire Hazard Occurrence Frequencies

Each fire scenario in the spatial interactions analysis is defined at the location level, i.e., a scenario describes a fire of any severity that can occur anywhere in a given location. The objective of the scenario frequency assessment is to quantify consistently a plant-specific fire hazard occurrence rate for each of these locations.

A quantitative screening process is performed during the detailed scenario analysis phase of the analysis. The screening process applies numerical criteria to determine the relative risk significance of each fire scenario. If it is determined that a scenario is insignificant compared with these numerical screening criteria, that scenario is removed from further consideration in the PRA models. Therefore, it is very important that the fire occurrence frequencies assessed during this activity of the process satisfy the following objectives:
* The frequency of the postulated scenario must consistently account for industry fire data and any plant-specific experience for the type of hazard being evaluated in the type of location being modeled.
* The frequency of the postulated scenario must provide a conservative upper bound for the actual frequency of more detailed event scenarios that may eventually be developed for the location. In other words, the total scenario frequency may be consistently subdivided to more realistically represent any specific event scenario in the location, if it is necessary to develop more detailed models for the location.
These two objectives are somewhat counteractive. The first objective is to develop an event frequency that is as realistic as possible, while the second objective is to develop an event frequency that is sufficiently conservative to ensure that the hazard scenario is not inappropriately screened from the PRA models. Thus, in effect, the analysis must develop an initial frequency estimate that is "reasonably conservative" for each defined scenario.

The first activity of the fire frequency assessment involves a thorough review of the industry experience data to develop a "specialized generic database."
This database should account for design features of the plant being evaluated and should be consistent with the scope of the PRA model and with the characteristics of the specific hazard scenarios defined for the analysis. If data from plants other than VVERs are used, care must be taken to properly interpret the data. Fire incidents that have occurred at a given location in a particular plant may be applicable for enhancing the fire-incident database for a different location in the Kalinin Nuclear Power Station. The experience data must also be screened to remove fire events that occurred during periods other than plant operation, such as during construction or refueling (since the Kalinin PRA only considers the risk of power operation). A tabulation of both U.S. and international fire incidents, including the KNPS Unit 1 fire of 1984, and insights from them are available from Nowlen (2001).

The product from this activity of the frequency assessment process is the specialized generic database. This database should contain only the hazard event summaries considered relevant for the plant being modeled, for the specific operating conditions being evaluated, and for the specific scope of the functional impact locations and scenarios defined in the analysis. This database should be documented and should provide the generic industry experience input to the environmental hazard frequency analysis.

The industry event data can be combined with actual plant-specific experience through a two-stage Bayesian analysis that forms the basis for the fire hazard frequency assessment. This process is consistent with the evaluation of all other data in the PRA, including the frequencies for internal initiating events, component failure rates, component maintenance unavailabilities, and equipment common-cause failures. Bayesian analysis allows the industry data to be combined with actual experience from the plant being studied. The first stage of this analysis develops a generic frequency distribution for each hazard that consistently accounts for the observed site-to-site variability in the industry experience data. The second stage updates this generic frequency to account specifically for the actual historical experience at Kalinin.

Estimates are made of the fraction of each hazard and hazard type for each location. For example, it would be noted that two of the six batteries at the plant are found in a specific location.
The determination of the fraction of cables found in a specific location would also be made by a structured estimation process. These estimates are necessary in order to partition the hazard occurrence frequencies to specific locations. In most cases, it is necessary to combine data for various types of hazards to develop the best possible frequency estimate for a particular location. This type of "composite" frequency analysis is best illustrated by an example. An air compressor may be located in an open corner of a large cable spreading room. The air compressor may not be important for the PRA models. However, the spatial interactions analysts defined the functional impact location to include the entire cable spreading room. The estimated frequency for fire events in this location must account for the composite nature of the fire hazards. It is unreasonable to develop a fire occurrence frequency based only on "cable spreading room" fire events, even though the PRA impacts are derived only from failures of the cables. Use of only cable spreading room fire data would underestimate the expected frequency of fires in this location. On the other hand, it is also unreasonable to develop a fire occurrence frequency that is based on data from plant locations that typically contain air compressors, e.g., open areas of a turbine building. Direct use of only these data could significantly overestimate the expected frequency of fires in the cable spreading room because of lower traffic densities, less transient combustibles, etc. in these rooms as compared to in the turbine building.

These situations are addressed by developing a composite hazard frequency that accounts for the types of equipment and the relative density of equipment in each location. Continuing with the above example, a composite fire frequency would be developed for the cable spreading room by adding a fraction of the "turbine building air compressor" fire event frequency data to the cable spreading room fire event frequency data. The fractions are generally based on the equipment location information documented in the spatial interactions analysis. They are also often based on general observations from the plant walkdown and the personal experience and judgment of the fire analysis experts. The fractions are not usually derived from detailed deterministic models or numerical analyses. The primary objective of this process is to develop a reasonable estimate for the hazard frequency that consistently accounts for the actual configuration of equipment in the location. Thus, for the cable spreading room example, it is not reasonable to assess a fire event frequency that is only based on either extreme of the available data. It seems reasonable to acknowledge that the air compressor may contribute to the frequency of fires in the room. The precise fraction used in the frequency calculation may be based only on the analyst's judgment. However, once the fraction is documented, it is possible to test whether the
results are sensitive to that judgment by simply varying the numerical value within reasonable bounds.

Task 2 - Assessment of Worst-Case Plant Impact for Each Scenario

The task Spatial Interactions identifies the PRA-related equipment that may be damaged by each hazard in a particular functional impact location. In this activity, analysts who are very familiar with the PRA event sequence models and system fault trees develop a conservatively bounding set of impacts for each hazard scenario. These impacts determine the specific equipment failure modes assigned when the hazard scenario is evaluated in the PRA risk models.

The initial impacts assigned during this phase of the analysis are considered to be the worst-case combination of failures that could conceivably be caused by the hazard. It is important to ensure that the assigned impacts provide a conservative upper bound for all actual failures that may occur during any fire scenario postulated to occur in the location. If it is determined that the scenario is quantitatively insignificant even within the context of these bounding impacts, then there is reasonable assurance that a more realistic appraisal of the potential impact would confirm the risk to be much lower than the screening value. The following examples illustrate the types of considerations used for assigning worst-case impacts.

At this point in the analysis, all equipment in the location is assumed damaged by the fire, regardless of the size of the location, the number of affected components, and the observed distribution of hazard severities. For most plant locations, the numerical risk contributions may be several times higher than from a more detailed hazards analysis, because the occurrence frequency is usually dominated by relatively insignificant events, e.g., small fires of short duration, and not by a fire that could presumably damage all equipment in a given location. This approach ensures that a conservative upper bound is generated for the risk contribution from any fire hazard event that may damage multiple components within the location. For example, it is not necessary to determine which specific cables may be damaged in a particular set of cable trays if the impact assessment assumes that any fire in the location damages all cables.

The assumed failure modes depend on the normal status of the equipment, the PRA model success criteria, characteristics of the location, and the type of vulnerability. For example, an electrical cable may not be vulnerable to a flooding event at a given location even if it were submerged by the flooding incident, but is susceptible to potential damage had a fire occurred in that location. All fires that affect electrical cables are assumed to eventually cause an open circuit in the cables. However, "hot shorts" may occur when insulation fails between adjacent conductors or between energized conductors and ground. These short circuits are only of concern in those portions of instrumentation and control circuits that produce signals to operate equipment. For example, a hot short in a power cable cannot start a motor. Therefore, hot shorts in power cables are modeled with the same impacts as open circuits; it is assumed that the affected motor will not operate. However, a hot short in a control circuit may cause a spurious signal to start the motor, if power is available to it. The impacts from possible hot shorts in control circuits are assessed by first assuming that power is available to operate the component when the short circuit occurs and then assuming that the power fails. For example, it is assumed that a hot short will cause a spurious signal to open a normally closed motor-operated valve. It is further assumed that power is available to the valve motor, that the valve opens successfully, and that power is then lost to the valve motor. Thus, the net effect from this assessment is to leave the valve failed in the open position. This assessment of hot shorts is applied only for equipment failure modes that have a negative impact on the availability of PRA equipment. The models do not include credit for possible hot shorts that may reposition components in their required configuration for accident mitigation.

The same types of assumptions are applied to solid-state electronic circuits. It is first assumed that spurious control signals will reposition equipment in a state that has the worst possible impact on PRA system availability. After the equipment has changed state, it is then assumed that subsequent open circuits will prevent automatic or manual signals from restoring the components to the desired state.

The impact assessments do not account for the relative timing of possible failures or for design features that may prevent certain combinations of failures. For example, the PRA success criteria may require that a pump must be tripped to avoid possible damage after loss of oil cooling. A possible fire scenario may affect control circuits that signal cooling water supply valves, electronic circuits that process the automatic signals to trip the pump, and circuit breaker controls for the electrical bus that supplies power to the pump motor. The worst-case impacts from this scenario are bounded by the following combination of conditions:
* It is assumed that the cooling water supply is disabled by hot shorts and/or open circuits that affect the valve controls. This condition requires that the pump must trip.
* It is assumed that the pump trip circuits are disabled by hot shorts or open circuits that affect the electronic circuits.
* It is assumed that power remains available for the pump motor until the pump is damaged. If the affected bus also supplies power to other PRA equipment that must operate to mitigate the event, it is assumed that power is not available for these components as well.
This assessment provides the most conservative combination of impacts that could possibly occur, without regard to the relative timing of failures or the actual likelihood for any of the specific impacts.

The impact assessments at this stage of the analysis do not account for possible operator actions to override or bypass faulty control circuits or to operate equipment locally. No recovery actions are modeled for any damage caused directly by the fire hazard event.
Other operator actions are modeled only within the context of the entire sequence of events initiated by the hazard scenario, consistently with dynamic actions evaluated for similar internal initiating events.

The affected PRA equipment and the functional impacts from each hazard scenario are listed in each scenario table as shown in Section 3.2.3 (refer to data entry 7 in Table 3-14 as an example). In most cases, explanatory notes are also provided in data entry 9 to document more completely the bases for the assigned impacts.

If a particular hazard scenario requires more detailed analysis after the initial screening, this activity is the starting point for refinement of the scenario and a more realistic assessment of its impacts. The refinement process may involve several iterations. Each iteration typically includes a critical reexamination of only the most important impacts for that scenario. Conservatively bounding assumptions are retained for impacts that have a relatively insignificant effect on overall risk. The goals of this process are to successively relax the most significant worst-case assumptions for each scenario, while retaining an overall conservative approach throughout the screening process.

Task 3 - Performance of Quantitative Scenario Screening

Each hazard scenario is characterized by a hazard occurrence frequency and a set of functional impacts that affect the availability of various PRA components and systems. In this activity of the analysis, each scenario is propagated through the PRA risk models to determine a quantitative upper bound for its total contribution to plant risk. Thus, for example, scenario FIRES1 from Table 3-15 is evaluated with an initiating event frequency of approximately 3.96 x 10^-3 fire per room-year. The general transient event trees in that study were quantified for this event, assuming that all equipment modeled by Top Events BA, BU, and EP is failed. All other PRA equipment not affected directly by this fire is allowed to function at performance levels consistent with the availabilities evaluated in the respective system analyses. In the Kalinin PRA, it may be more appropriate to add house events to the system fault trees to represent the impact of specific environmental hazard-induced failures.

The plant damage state assignments will be consistent with those already developed for the internal events model, since the same plant event sequence logic models are employed to quantify the impact of the postulated fire hazard as were used for the internal event initiators.

Each hazard scenario generally results in a large number of individual detailed event sequences determined by the combined effects from the hazard-induced failures, the independent equipment successes and failures, and appropriate operator actions. All sequences that lead to core damage are recorded, and the total core damage frequency is compared with a numerical screening criterion to determine the relative risk significance of the scenario.
* If the total core damage frequency from all sequences initiated by the fire-initiated scenario falls below the screening criterion, it is concluded that the hazard produces an insignificant contribution to overall plant risk. The screening evaluation is documented, and the scenario is removed from further consideration in the PRA models.
* If the total core damage frequency from the fire-initiated scenario is higher than the screening criterion, the scenario is retained for further analysis in the PRA.
* If the potential plant damage state consequences from the fire-initiated scenario are unusual or severe, the scenario is retained for further analysis, even if its total core damage frequency is below the screening criterion.

Although the mechanics of this process are quite straightforward, several considerations must be noted to develop the proper perspective and context for this important activity in the overall analysis.

The methods used to assess the hazard initiating event frequency and the attendant impacts from the postulated scenario ensure that the evaluated core damage frequency is a conservative upper bound for the actual core damage frequency that may occur from any particular scenario in the location. The amount of conservatism depends on a variety of factors that cannot be estimated directly without considerable examination of the underlying models and analyses. However, the applied methods do provide assurance that no similar scenario can yield a core damage frequency higher than the one evaluated during the screening analysis.

The applied screening criterion is an absolute numerical value that defines what is considered to be an "insignificant" core damage frequency. This type of analysis is not unique to the evaluation of internal plant hazards. In fact, implicit and explicit screening criteria are applied at all levels of a practical risk assessment. However, it is worth noting that the screening criterion for this analysis effectively defines an absolute lower limit for the resolution of concerns about the risk significance from internal plant hazards. Scenarios that fall below the limit are, by definition, considered to be insignificant.
The relative importance of each scenario that remains above the limit is consistently evaluated with all other events modeled in the PRA.

Selection of the screening criterion is not a simple task. There are no general guidelines or "accepted" numerical values that can be broadly applied for any particular analysis. The selected value, however, must satisfy the following criteria:
* The value must be low enough to ensure that the screened scenarios are truly insignificant to the total risk from the plant being evaluated.
* The value must be high enough to facilitate a practical analysis that limits unreasonable efforts to develop detailed models for unimportant events.
* The value chosen should be relatively insensitive to future refinements in the PRA event sequence models, systems analyses, and data.
In general, these criteria are best served by delaying the screening process until the results from the analyses of internal initiating events have reached a point of relative maturity and stability, i.e., a point at which the internal events results are not expected to change "significantly." Screening values are typically selected to ensure that the total core damage frequency from each screened scenario is less than approximately 0.05 percent to 0.1 percent (i.e., 1/20 to 1/10 of 1 percent) of the total core damage frequency from all other contributors. Thus, for example, if the screening criterion is numerically equal to 0.1 percent of the total core damage frequency from all other causes, an absolute minimum of 1,000 screened hazard scenarios would be required to double the total core damage frequency. If the screening analysis is performed at an early stage of the PRA modeling process, it is then generally recommended that the screening values be set equal to a smaller percentage of the preliminary core damage frequency results. This avoids the need for inefficient rescreening if, and when, PRA modeling refinements have reduced the contributions from all other accident initiators.

Thus, the final screening value cannot be determined at this time. For some perspective, however, the screening value used in one recent study was 1 x 10^-9 core damage event per year.
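As an added worked example (not part of the procedure guide or the Kalinin PRA), the composite cable spreading room frequency from Task 1, the three screening rules and the "0.1 percent of total CDF" criterion from Task 3, and the sensitivity check on the analyst's judgment fraction are carried through in one script. All generic frequencies, fractions and the conditional core damage probability are constructed for illustration.

```python
"""Composite location fire frequency, bounding core damage frequency and
quantitative screening.  Added example; every number below is constructed
and is not taken from the procedure guide or any plant database."""

from dataclasses import dataclass

# Generic fire frequencies per hazard source (fires per source-year), as they
# might come out of a "specialized generic database".  Constructed values.
GENERIC_HAZARD_FREQ = {
    "cable_spreading_room": 1.0e-3,         # "cable spreading room" events only
    "turbine_bldg_air_compressor": 5.0e-3,  # air compressor fires in open areas
}


def composite_location_frequency(hazard_freq, fractions):
    """Sum over hazards of (fraction of that hazard sitting in this location)
    x (generic frequency of that hazard).  A fraction of 1.0 attributes the
    whole generic frequency to this location; 0.25 attributes one quarter."""
    unknown = set(fractions) - set(hazard_freq)
    if unknown:
        raise KeyError(f"no generic frequency for hazard(s): {sorted(unknown)}")
    for hazard, frac in fractions.items():
        if not 0.0 <= frac <= 1.0:
            raise ValueError(f"fraction for {hazard} must lie in [0, 1], got {frac}")
    return sum(hazard_freq[h] * frac for h, frac in fractions.items())


@dataclass
class Scenario:
    name: str
    location_freq: float       # fires per room-year for the functional impact location
    ccdp: float                # conditional core damage probability given the
                               # worst-case impacts (constructed, from the PRA models)
    unusual_pds: bool = False  # unusual or severe plant damage state consequences

    def bounding_cdf(self):
        """Upper-bound core damage frequency: every fire in the location is
        assumed to fail all equipment listed as impacted."""
        return self.location_freq * self.ccdp


def screening_criterion(total_cdf_other, fraction=1.0e-3):
    """Screening value as a fraction (default 0.1 percent) of the total core
    damage frequency from all other contributors."""
    return fraction * total_cdf_other


def screen(scenario, criterion):
    """Apply the three screening rules of Task 3."""
    if scenario.unusual_pds:
        return "retained"          # kept regardless of its frequency
    if scenario.bounding_cdf() < criterion:
        return "screened"          # documented and removed from the PRA models
    return "retained"              # carried forward for refinement


def scenarios_needed_to_double_cdf(fraction):
    """Number of screened scenarios, each sitting exactly at the screening
    value, that would together double the total core damage frequency."""
    return round(1.0 / fraction)


def fraction_sensitivity(base_fractions, hazard, bounds, ccdp, criterion, steps=3):
    """Vary the judgment-based fraction for one hazard across [lo, hi] and
    report the screening decision at each step, so the analyst can see
    whether the conclusion depends on that judgment."""
    lo, hi = bounds
    results = []
    for i in range(steps):
        frac = lo + (hi - lo) * i / (steps - 1)
        fractions = dict(base_fractions, **{hazard: frac})
        freq = composite_location_frequency(GENERIC_HAZARD_FREQ, fractions)
        decision = screen(Scenario("sensitivity", freq, ccdp), criterion)
        results.append((frac, freq, decision))
    return results


if __name__ == "__main__":
    # Cable spreading room that also houses one quarter of the plant's
    # "turbine building" type air compressors (constructed fractions).
    fractions = {"cable_spreading_room": 1.0, "turbine_bldg_air_compressor": 0.25}
    crit = screening_criterion(total_cdf_other=1.0e-4)  # constructed internal events CDF
    for frac, f, decision in fraction_sensitivity(
            fractions, "turbine_bldg_air_compressor", (0.0, 0.5), ccdp=8.0e-5, criterion=crit):
        print(f"compressor fraction {frac:.2f}: {f:.2e} fires/room-yr -> {decision}")
    print("screened scenarios needed to double CDF at 0.1 percent:",
          scenarios_needed_to_double_cdf(1.0e-3))
```

With these constructed inputs the decision flips between the lower bound of the fraction and the analyst's base value, which is exactly the case where the judgment must be documented and the scenario retained rather than screened.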
Task 4 - Refinement of Scenario Frequency and Impact Analysis

Each fire hazard scenario that yields a total core damage frequency exceeding the screening criterion is retained for further analysis in the PRA models. The level of effort and the focus of these analyses are determined by a balanced examination of all the contributors to plant risk. In many cases, the upper-bound core damage frequency may be higher than the value used for screening the hazard, but the scenario remains a very small contribution to overall plant risk. Extensive effort to further refine these scenarios is not justified by practical considerations. Their conservatively bounding frequencies and impacts are simply retained in the PRA results.

An iterative process is performed to refine the models, if further analysis is warranted. This process involves careful reexamination of all assumptions and successive application of the previous analysis activities to develop systematically more realistic models for the scenario definition, the hazard frequency, and the assigned impacts. One or more of the following refinements are typically made during this phase of the analysis:
* The scenario may be subdivided into a set of constituent scenarios that are based on physical characteristics of the location and the hazard sources. This process allows the assignment of more realistic equipment impacts from each of the specific hazard conditions.
* The hazard may be subdivided into various severity levels that are based on observed experience from the generic and plant-specific databases. Each hazard severity level is examined to define a more realistic set of impacts that could be caused by an event with that severity.
* The assumed impacts from hot shorts and control circuit malfunctions may be reexamined to determine whether the assumed failure modes can actually occur in combination. Models may also be developed to probabilistically account for the relative timing of these failures.
* The event sequences initiated by the hazard may be refined to include possible operator recovery actions to mitigate the hazard or its impacts before specific event sequences progress to core damage.
* Models may be developed to more realistically account for phenomenological processes that occur during the stages of fire initiation, growth, detection, and mitigation.
The refinements that are applied for the reevaluation of a particular scenario depend on specific characteristics of the fire hazard, the location, and the functional impacts from the original analysis. The results from the screening evaluations often provide valuable insights into the sensitivities of the most important assumptions and conservatisms. The refinement process for a particular scenario may involve several iterations. Each iteration typically includes a critical reexamination of only the most important impacts for that scenario. Conservatively bounding assumptions are retained for all impacts that remain relatively insignificant to overall risk. The goals of this process are to systematically relax the most significant worst-case assumptions for each scenario, while retaining an overall conservative approach throughout successive screening evaluations.

Whenever a hazard scenario is subdivided, a separate summary table is developed to document each refined scenario. These tables have the same format as the original scenario tables. They list the frequency for each refined hazard event and the specific impacts assigned to that event. The tables also document all deterministic and probabilistic analyses performed to develop the scenario frequency and its impacts. Each refined scenario is reevaluated in the PRA event and fault trees, and the results are reexamined in relation to the quantitative screening criteria.

Scenario refinement can continue further. Analyses may be required to refine how such phenomena as fire growth, detection, and suppression are addressed in specific scenarios. If this is the case, codes such as COMPBRN IIIE (Ho, 1991) are available and have been used to support the probabilistic evaluation of specific fire scenarios. In practice, such codes are typically only used for a small number of scenarios. In fact, many PRAs do not carry the scenario refinement process to the point where such codes as COMPBRN are used.
Task 5 - Retention of Risk Significant Scenarios

A combination of technical and practical considerations determines the final set of plant internal fire scenarios retained for quantification in the PRA results. All scenarios that exceed the quantitative screening criteria are retained in the PRA models. However, among these scenarios, the degree of refinement may vary considerably.
* The worst-case core damage frequency estimate for an initial hazard scenario may in some cases be numerically higher than the screening value, but the scenario still yields a very small contribution to overall plant risk. Extensive effort to further refine these scenarios is not justified by practical considerations, and they are simply retained in the PRA results with their conservatively bounding frequencies and impacts.
* In other cases, a scenario may be retained only after considerable additional analyses have been performed to refine conservative assumptions about its frequency and impacts.
Because of these differences, it is not possible to develop meaningful numerical estimates for the amount of conservatism that may remain in any particular scenario. However, it is generally true that scenarios that have been subject to reexamination and refinement should include less inherent conservatism than scenarios retained from an early stage of their definition.

It is also obviously not possible to develop any meaningful numerical estimates for the "actual" core damage frequency associated with the screened scenarios. The analysis process is structured to ensure that this frequency is very small, compared with other contributors to plant risk, but the value is certainly not zero. In support of the analysis conclusions, it is only possible to examine a worst-case conservative upper-bound numerical value that may be derived from the successive screening evaluations. This value is certainly not a realistic estimate of the actual core damage frequency from these scenarios. However, it can be stated with assurance that the "true" core damage frequency must be considerably lower than this composite screening value.

The approach outlined in this procedure guide is structured to produce a systematic, top-down, iterative, quantitative estimate of the risk from fires in nuclear power plants. A parallel and very similar approach is adopted to determine the risk associated with internal flooding. Both analyses rely on the results of a structured spatial interactions analysis; however, each has its own nuances.

In fires, significant damage, especially to electronic equipment, may be caused by smoke. The construction of postulated scenarios should consider the impact of smoke as well as potential negative impacts of fire mitigation systems. Operation of mitigation systems could affect the performance of operating equipment and could hinder or delay operators from entering specific areas for conducting emergency procedures. The effectiveness of fire detection and mitigation equipment is an important factor when describing a fire scenario (starting with fire initiation and proceeding to growth, propagation, detection, and mitigation). Also, some fire-incident databases already have a measure of detection and mitigation included in them. Specifically, some databases would not include a fire that is immediately detected and extinguished. Only fires that are "significant" are in such databases (i.e., some measure of mitigation is implicitly included in the data). Therefore, it is important to understand the nature of the data used before credit for detection and mitigation is claimed in the refinement of scenarios. It may prove easier to refine the frequency or impact of a particular scenario, and thus allow screening of the scenario, than to explicitly claim credit for mitigation.
Fire frequencies are derived for a generic nuclear power plant based on fire sources. For example, a frequency is determined for "cable fires" at a nuclear power plant similar to the one under consideration using industry data. Although "generic" in nature, the data is specialized and screened to closely match the characteristics of the specific plant under consideration. The generic fire hazard frequencies should be updated with the actual experiences at Kalinin.

The location of the specific hazards has been determined in the task Spatial Interactions. Estimates are required in this task for the fractions of each hazard source (e.g., cables, motor control centers, and logic cabinets) found in each location. For a specific location, the frequency of occurrence of a fire of any size is determined by summing the fractional contribution of occurrence from each hazard found in that location.

A quantitative screening value is developed to identify those scenarios that will be carried forward in the analysis. In other words, only those scenarios that contribute appreciably to the frequency of core damage (or to specific undesirable plant damage states) are retained for further analysis.

Scenarios that survive the quantitative screening are refined, as appropriate. Refinement may involve such considerations as the extent of the damage initially postulated. The process proceeds iteratively until the scenarios that remain appropriately represent the risk associated with fires while containing acceptable conservatisms.

3.6.4 Task Interfaces

The current task utilizes the same overall analysis approach and procedures developed for the internal event PRA. In particular, this task builds on the information developed in the task Spatial Interactions. The conduct of this task will require input from the tasks dealing with Initiating Event Analysis, Frequency of Initiating Events, Event Sequence Modeling, and System Modeling. It is also likely that specific operator actions will be identified in the fire scenarios, thus prompting an interface with the task Human Reliability Analysis. Output from the Fire Analysis task provides information on accident sequence definition and on frequency of occurrence directly to the Level 2 task, which in turn provides source term information to the consequence and risk integration task. Whether or not Level 2/3 analyses are performed depends on the scope of the PRA.

3.6.5 References

Bohn, M. P., and J. A. Lambright, "Procedures for the External Event Core Damage Frequency for NUREG-1150," NUREG/CR-4840, Sandia National Laboratories, November 1990.

Ho, V. S., et al., "COMPBRN IIIE: An Interactive Computer Code for Fire Risk Analysis," UCLA-ENG-9016, EPRI-NP-7282, Electric Power Research Institute, May 1991.

LaChance, J., et al., "Circuit Analysis - Failure Mode and Likelihood Analysis," NUREG/CR-6834, Sandia National Laboratories, September 2003.

Nowlen, et al., "Risk Methods Insights Gained from Fire Incidents," NUREG/CR-6738, U.S. Nuclear Regulatory Commission, September 2001.

NRC, "The Use of PRA in Risk-Informed Applications," NUREG-1602, Draft Report for Comment, June 1997.

3.7 Seismic Analysis

The analytical tasks associated with a Level 1 probabilistic risk assessment (PRA) for accidents initiated by events internal to the plant (such as transients and loss-of-coolant accidents [LOCAs]) are described in Section 3.2. Other events both internal and external to the plant can cause unique initiating events or influence the way in which a plant responds to an accident. In this section, the way in which a Level 1 PRA is modified in order to model accidents initiated by earthquakes occurring at or near the plant site is described. This means that the frequency and severity of the ground motion must be coupled to models that address the capacity of plant structures and components to survive each possible earthquake. The effects of structural failure must be assessed, and all the resulting information about the likelihood of equipment failure must be evaluated using the Level 1 internal event probabilistic logic model of the plant. This procedure guide is largely based on several earlier guides and studies (Bohn and Lambright, 1990; IAEA, 1995; and PG&E, 1988). Material from these sources is used here without specific citations.
3.7.1 Assumptions and Limitations

A seismic PRA assumes that a single parameter (effective ground acceleration) characterization of the earthquake, when combined with treatments of uncertainty and dependency, can provide an adequate representation of the effects of seismic events on plant operations. This approach acknowledges that different earthquakes (in terms of energy, frequency spectra, duration, and ground displacement) can have the same effective acceleration. Therefore, there is not only randomness in the frequency of earthquakes but also large uncertainty in the specific characteristics of earthquakes of a given effective acceleration. These uncertainties have implications for modeling dependencies among failures of various equipment under excitation by earthquakes of a particular effective acceleration. Systems analysts and fragility experts must work closely together to determine how to model these dependencies.

A nuclear power plant is usually designed to ensure the survival of all buildings and emergency safety systems for a particular size earthquake, i.e., a design basis or a safe shutdown earthquake. The assumptions used in the design process are deterministic and are subject to considerable uncertainty. It is not possible, for example, to predict accurately the worst earthquake that will occur at a given site. Soil properties, mechanical properties of buildings, and damping in buildings and internal structures also vary significantly. To model and analyze the coupled phenomena that contribute to the frequency of radioactive release, it is, therefore, necessary to consider all significant sources of uncertainty as well as all significant interactions. Total risk is then obtained by considering the entire spectrum of possible earthquakes and integrating their calculated consequences. This point underscores an important requirement for a seismic PRA: the nuclear power plant must be examined in its entirety, as a system.

During an earthquake, all parts of the plant are excited simultaneously. There may be significant correlation between component failures, and, hence, the redundancy of safety systems could be compromised. For example, in order to force emergency core cooling water into the reactor core following a pipe leak or break, certain valves must open. To ensure reliability, two valves are located in parallel so that should one valve fail to open, the second valve would provide the necessary flow path. Since valve failure due to random causes (corrosion, electrical defect, etc.) is an unlikely event, the provision of two valves provides a high degree of reliability. However, during an earthquake, both valves would experience the same accelerating forces, and the likelihood is high that both valves would be damaged if one valve is damaged. Hence, the redundancy built into the design would be compromised. The potential impact from this "common-cause" failure possibility represents a potentially significant risk to safely shutting down nuclear power plants during an earthquake.

3.7.2 Products

The products of this task include, as a minimum, the development of a seismic hazard curve, a listing of seismically sensitive equipment and their fragility values, an identification of seismic-induced initiators and their frequencies, a listing of the seismic cutsets, and the quantification of the seismic-induced scenarios including the assignment of specific plant damage states. Specifically, this task will generate documentation on the following:

1. The seismic hazard curve and its basis.
2. The original equipment and structures list for inclusion in the fragility analysis, and the results of the walkdown (composition of the walkdown team and their areas of expertise, revisions to the equipment and structures list, changes projected in analysis requirements as a result of on-site observations). The fragility curves for plant structures and probabilistic safety assessment-related equipment and the details of the fragility analysis.
3. The complete seismic PRA process, i.e., how the plant logic modeling team worked with the structural analysis team that produced the fragility analysis in defining equipment and structures to be analyzed, how the walkdown was conducted including how the structural analysts and systems analysts jointly screened equipment, how logic models were modified to incorporate structural failures and new equipment failure modes, summary presentations of the results of the seismic hazard and fragility analyses, and the results of quantification of the seismic PRA model.

3.7.3 Analytical Tasks

The scope of the seismic analysis should include:

Task 1 Seismic Hazard Analysis
Task 2 Structures and Component Fragility Analysis
Task 3 Plant Logic Analysis
Task 4 Quantification

Each of these tasks is discussed below. These tasks are linked in that the first two are used to formulate the required changes to the internal events plant model to support seismic PRA.
Although the first three tasks will be performed by different groups, these groups must work in concert to ensure proper and consistent modeling of seismic-induced events.

Seismically induced failures can cause one or more of the internal event initiators already described in Section 3.2 to occur. Although specific seismic accelerations are generally considered to yield specific initiating events, the results from such accelerations must interrupt full power operations in functional ways already described in previous tasks. The difference with seismic events, as compared to other upset conditions, is that multiple plant functional initiators may occur along with seismically induced failures of equipment needed for controlling the event sequence, as well as physically and psychologically impacting operator performance.

Task 1 - Seismic Hazard Analysis

For a given site, the hazard curve is derived from a combination of recorded earthquake data, estimated earthquake magnitudes of known events for which no data are available, review of local geological investigations, and use of expert judgment from seismologists and geologists familiar with the region. The region around the site (say within 100 km) is divided into zones, each zone having an (assumed) uniform mean rate of earthquake occurrence. This mean occurrence rate is determined from the historical record, as is the distribution of earthquake magnitudes. An attenuation law is determined that relates the ground acceleration at the site to the ground acceleration at the earthquake source, as a function of the earthquake magnitude. The uncertainty in the attenuation law is specified by the standard deviation of the data (from which the law was derived) about the mean attenuation curve. These four pieces of information (zonation, mean occurrence rate for each zone, magnitude distribution for each zone, and attenuation) are combined statistically to generate the hazard curve.

The low level of seismic activity and the lack of instrument recordings generally make it difficult to carry out a seismic hazard analysis using historic data alone. Current seismic risk methods use the judgment of experts who are familiar with the area under consideration to augment the database. Expert opinion is solicited on input parameters for both the earthquake occurrence model and the ground motion (attenuation) model. Questions directed to experts cover the following areas: (a) the configuration of seismic source zones, (b) the maximum magnitude or intensity earthquake expected in each zone, (c) the earthquake activity rate and occurrence statistics associated with each zone, (d) the methods for predicting ground motion attenuation in the zones from an earthquake of a given size at a given distance, and (e) the potential for soil liquefaction. Using the information provided by experts, seismic hazard evaluations for the site are performed. The hazard results thus obtained using each expert's input are combined into a single hazard estimate. Approaches used to generate the subjective input, to assure reliability by feedback loops and cross-checking, and to account for biases and modes of judgment are described in detail in Bernreuter (1981).

To perform the seismic PRA, a family of hazard curves and either ensembles of time histories or site ground motion spectra must be available. To obtain these for a site with no previous investigation usually involves 6 to 12 months of effort to develop and process a database on earthquake occurrences and attenuation relations as described above. For some locations (e.g., sites in the western United States, where the hazard curves are closely tied to local tectonic features that can be identified and for which a significant database of recorded earthquake time histories exists), it is usually necessary to go through this process for each individual plant site. Evaluation of the site-specific hazard curve is generally performed by geologists and ground motion specialists using the methods described in Bernreuter (1981), IAEA (1993), and PG&E (1988).

Task 2 - Structures and Component Fragility Analysis

Using the models developed for internal events PRA as a basis, a list of equipment and the buildings that house them must be provided to the fragility analysts. Necessarily, this list will combine similar equipment into convenient categories rather than identifying each of the possible risk-related components in the plant. Typically, equipment with median acceleration capacities of about 4g or higher will not be analyzed because the frequency of such events that can generate this acceleration on equipment is very low.
The fragility descriptions are based on a two-parameter lognormal distribution, where R is the logarithmic standard deviation due to randomness in the earthquake and U is the logarithmic standard deviation due to uncertainty or state of knowledge (Kennedy et al., 1980; Kaplan, Perla, and Bley, 1983). A simplified composite or mean fragility curve (Kaplan, Bier, and Bley, 1992) can be defined with a single composite logarithmic standard deviation, U. The tails of these distributions are considered to be conservative. Therefore, the following is the basis for truncation of the fragility curves in this project:

1. The uncertainty variability, U, should not be truncated.
2. The random variability, R, should be truncated at about 1 percent failure fraction for relatively ductile component failure modes, such as in piping systems and in civil structures. In addition to the civil structures and piping, components in the plant that are generally in this category are:
   - reactor internals
   - pressurizer
   - reactor coolant pumps
   - control rod drives
   - component cooling water surge tank
   - battery racks
   - impulse lines
   - cable trays and supports
   - heating, ventilation, and air conditioning ducting and supports.
3. For all other plant components, the truncation point should be at a significantly lower failure fraction, 0.1 percent.

Since the response spectra from a given earthquake are common to all of the plant components to some degree, we can expect some correlation of failure between components having similar vibrational frequencies. Studies to assess these correlations (Kennedy et al., 1988) concluded the following:

* Except at high frequencies (greater than about 18 Hz), responses of identical components with the same frequencies should be treated as totally dependent, even when mounted at different elevations in different structures located at the site.
* Responses of components with different vibrational frequencies are essentially uncorrelated even when mounted on the same floor.
* Fragilities of components with different vibrational frequencies and adjacently mounted should be treated as independent.
* The piping fragility should be treated such that each segment, between rigid supports or between equipment, is considered to be independent of the other segments.
* The fragility of conduits and cable trays is considered to represent all the conduits and cable trays, largely because of the natural flexibility existing in cables; that is, individual cable trays and conduits are not considered independently. By their very nature, large physical movements do not mean cable failure.
* The fragility of heating, ventilation, and air conditioning ducts is considered to represent that of all the ductwork supporting a single safety system.

Using these guidelines, the plant model assumes total dependency for identical equipment at the site (that is, if one fails, all of the same type fail). All other equipment situations follow the definitions above or otherwise are considered independent.

Task 3 - Plant Logic Analysis

Seismic event trees should be derived from those already developed from the internal events analysis. However, passive components, such as pipe segments, tanks, and structures which were not modeled because of their low probability of failure, must now be included in the event tree analyses. Seismic failure of passive components is possible and must be investigated in the fragility analysis (Task 2). Component failure due to seismic failure of structures housing (or supporting) the component must be considered as well. These new failure modes will entail revision of fault trees and event trees generated in the internal events analysis. One particular seismic-related failure mode is relay chatter (Bley et al., 1987; Budnitz, Lambert, and Hill, 1987; Lambert and Budnitz, 1989).
Relays may chatter momentarily (electrical contacts open and close), causing lockup of control circuits that can only be overridden by completely de-energizing the control circuits, which can be a difficult situation for operators to diagnose. A comparable issue is fire-induced spurious signals that have to be addressed in a fire risk analysis. Earthquakes can lead to seismically induced fires, which may be difficult to control due to the effect of the earthquake on plant accessibility and human performance. Similarly, seismically induced floods should be investigated. Just the impacts on accessibility and human performance can cause human failure events that would otherwise not occur under normal circumstances.

LOCAs (from vessel rupture, large, medium and small LOCAs) and transient events should be included in the seismic analysis. The two types of transients that should be considered are those in which the power conversion system is initially available and those in which the power conversion system is unavailable as a direct consequence of the initiating event.

The frequencies of vessel rupture (reactor pressure vessel) and large LOCA events can be determined from the probability of seismic failure of the major reactor coolant system component supports. The medium and small LOCA initiating event frequencies can be computed based on a statistical distribution of pipe failures computed as part of the Seismic Safety Margins Research Program (SSMRP).

The probability of transients with the power conversion system unavailable is based on the probability of loss-of-offsite power. This will always be the dominant cause of these transients (for the majority of plants for which loss-of-offsite power causes loss of main feedwater). The probability of the transients with the power conversion system available is computed from the condition that the sum of all the initiating event probabilities considered must be unity. The hypothesis is that given an earthquake of reasonable size, at least one of the initiating events will occur.

The fault trees developed for the internal events analysis are used in this analysis, although the fault trees will require modification to include basic events with seismic failure modes and resolving the trees for determining pertinent cutsets for seismic PRA calculations. A screening analysis is performed to identify the seismic cutsets. Conservative basic event probabilities, based on the seismic failure probabilities evaluated at a high earthquake peak ground acceleration level combined with the random failure probabilities, are used to probabilistically cull these trees in a way that assures that important correlated cutsets (those involving dependent seismic failure modes) are not lost.

Component seismic fragilities are obtained either from a generic fragility database or developed on a plant-specific basis for components not fitting the generic component descriptions. At least two sources of fragility data are available. The first is a database of generic fragility functions for seismically induced failures originally developed as part of the SSMRP (Smith et al., 1981). Fragility functions for the generic categories were developed based on a combination of experimental data, design analysis reports, and an extensive expert opinion survey. The experimental data utilized in developing fragility curves were obtained from the results of the manufacturers' qualification tests, independent testing lab failure data, and data obtained from an extensive U.S. Corps of Engineers testing program. These data were statistically combined with the expert opinion survey data to produce fragility curves for the generic component categories.

A second useful source of fragility information is a compilation of site-specific fragilities (Campbell et al., 1985) derived from past seismic PRAs prepared by Lawrence Livermore National Laboratory. By selecting a suite of site-specific fragilities for any particular component, one can obtain an estimate of a generic fragility for that component.

Following the probabilistic screening of the seismic accident sequences, plant-specific fragilities are developed for components not fitting in the generic database categories, as determined during the plant visit. These are developed either by analysis or by an extrapolation of the seismic equipment qualification tests.

Building and component seismic responses (floor slab spectral accelerations as a function of acceleration) are computed at several peak ground acceleration values on the hazard curve. Three basic aspects of seismic response (best estimates, variability, and correlation) must be estimated. For soil sites, SHAKE code calculations (Schnabel, Lysmer, and Seed, 1972) can be performed to assess the effect of the local soil column (if any) on the surface peak ground acceleration and to develop strain-dependent soil properties as a function of acceleration level. This permits an appropriate evaluation of the effects of nonhomogeneous underlying soil conditions that can strongly affect the building responses. Building loads, accelerations, and in-structure response spectra can be obtained from multiple time history analyses using the plant design, fixed-base beam element models for the structures combined with a best-estimate model of the soil column underlying the plant.

Task 4 - Quantification

Quantification proceeds through a process of convolution of the seismic hazard curves with the structures and component fragility curves to obtain the probability of each element's failure under each discrete earthquake acceleration, along with integrated plant response and proper treatment of coupling due to the earthquake. Then, for each acceleration range, the failure probabilities due to the earthquake are propagated through the event tree/fault tree model along with the probabilities of independent failures. Essentially, for each discrete earthquake acceleration level, the quantification process follows the activities for the internal events analysis. One of the fundamental distinctions is the integration of the exceedance frequency probability curve for seismic events into the overall results. The theory behind, and practice involved with, performing a seismic PRA are well documented in the open literature and will not be replicated here.
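The two-parameter lognormal fragility and its tail truncation (Task 2) and the hazard-fragility convolution (Task 4) carried through in working form, as an added Python example that is not code from this procedure guide or from the KNPS project. The hazard curve shape, the component names and their median capacities and R and U values are constructed for the illustration; the truncation is implemented as setting the curve to zero below the stated failure fraction, which is the simplified reading assumed here; the 4g screening threshold and the 1 percent / 0.1 percent fractions are the ones the text gives. The convolution is written for any tabulated hazard curve, so it generalizes beyond the single curve the text describes.

```python
import math

# Constructed hazard curve: annual frequency of exceeding peak ground acceleration a (g),
# tabulated at increasing, log-spaced accelerations.  The power-law shape is an
# assumption for this example, not a site result from the document.
HAZARD_CURVE = [(a, 1.0e-3 * (a / 0.1) ** -2.0)
                for a in (0.05 * 1.25 ** i for i in range(20))]

SCREENING_MEDIAN_G = 4.0  # Task 2: median capacities of about 4g or more are not analyzed


def normal_cdf(x):
    """Standard normal CDF through the error function; keeps the example dependency-free."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def composite_beta(beta_r, beta_u):
    """Single composite logarithmic standard deviation from the randomness (R) and
    uncertainty (U) terms of the two-parameter lognormal fragility."""
    return math.sqrt(beta_r ** 2 + beta_u ** 2)


def fragility(a, a_median, beta_c, truncate_at=0.0):
    """Conditional failure probability at acceleration a: Phi(ln(a / A_m) / beta_c).
    truncate_at applies the tail truncation as assumed here: below the stated failure
    fraction (0.01 for ductile modes, 0.001 for all other components) the curve is zero."""
    if a <= 0.0:
        return 0.0
    p = normal_cdf(math.log(a / a_median) / beta_c)
    return p if p >= truncate_at else 0.0


def screened_out(a_median):
    """Task 2 screening rule on median capacity."""
    return a_median >= SCREENING_MEDIAN_G


def failure_frequency(hazard, a_median, beta_c, truncate_at=0.0):
    """Task 4 convolution: sum over acceleration bins of the fragility at the bin
    midpoint times the hazard frequency falling in that bin, H(a_i) - H(a_i+1).
    The frequency above the last tabulated point is given the last fragility value."""
    total = 0.0
    for (a0, h0), (a1, h1) in zip(hazard, hazard[1:]):
        a_mid = math.sqrt(a0 * a1)  # geometric midpoint, since the bins are log-spaced
        total += fragility(a_mid, a_median, beta_c, truncate_at) * (h0 - h1)
    a_last, h_last = hazard[-1]
    total += fragility(a_last, a_median, beta_c, truncate_at) * h_last
    return total


# Constructed component parameters (not from the document): median capacity in g, the
# R and U logarithmic standard deviations, and the truncation fraction the text assigns
# to the component's category (battery racks are in the ductile list; relays are not).
COMPONENTS = {
    "battery rack (ductile category, 1% truncation)":
        dict(a_median=1.2, beta_r=0.25, beta_u=0.35, truncate_at=0.01),
    "relay (other, 0.1% truncation)":
        dict(a_median=0.6, beta_r=0.25, beta_u=0.35, truncate_at=0.001),
    "heavy structure (screened out)":
        dict(a_median=4.5, beta_r=0.25, beta_u=0.35, truncate_at=0.01),
}


def seismic_failure_frequencies(components=COMPONENTS, hazard=HAZARD_CURVE):
    """Annual seismic failure frequency per component, or None when screened out."""
    out = {}
    for name, c in components.items():
        if screened_out(c["a_median"]):
            out[name] = None
            continue
        beta_c = composite_beta(c["beta_r"], c["beta_u"])
        out[name] = failure_frequency(hazard, c["a_median"], beta_c, c["truncate_at"])
    return out


if __name__ == "__main__":
    for name, f in seismic_failure_frequencies().items():
        print(f"{name}: {'screened out' if f is None else f'{f:.2e} per year'}")
```

The convolution is the discrete form of integrating the fragility against the slope of the hazard curve; because the fragility at every bin is below one, the result is always below the exceedance frequency of the lowest tabulated acceleration, which is a quick sanity check on any real run. Truncation can only lower the result, and a lower median capacity or a less aggressive truncation fraction can only raise it, so the relay in the constructed set ends up with the higher annual failure frequency.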
Papers that describe the methodology for conducting a seismic PRA for nuclear power plants (in particular, Ang and Newmark, 1977; and Kennedy, 1980) begin conceptually and then move to fully plant-specific analysis techniques. The SSMRP generated significant information that underpins much of the later work in this area (Smith et al., 1981). With the publication of the Zion and Indian Point Probabilistic Safety Studies (ComEd, 1981; ConEd, 1983), the basic approach became well established. More recently, the Diablo Canyon Long-Term Seismic Program (PG&E, 1988), performed by a U.S. utility company with strong review and direction provided by the U.S. Nuclear Regulatory Commission, extended the thoroughness of seismic PRA by including extensive testing and analysis involving all disciplines related to seismic risk. This detailed work led to improvements in the seismic PRA models and generally supported the idea that the basic modeling structure could be used to predict seismic failure of structures and components. However, the usual practice in seismic PRA is still to employ outside experts to perform the seismic hazard and fragility analyses. These experts must work very closely with the PRA team to ensure that seismic failure modes of equipment imply functional failure as required for PRA models. Examples abound of PRA errors caused by the lack of communication between systems analysts and structural analysts.

3.7.4 Task Interfaces

The current task utilizes the same overall analysis approach and procedures developed for the internal event PRA. In particular, this task builds on the information developed in the task Spatial Interactions. The conduct of this task will require input from the tasks dealing with Initiating Event Analysis, Frequency of Initiating Events, Event Sequence Modeling, and System Modeling. It is also likely that specific operator actions will be identified in the seismic scenarios, thus prompting an interface with the task Human Reliability Analysis.

Output from the Seismic Analysis task provides information on accident sequence definition and on frequency of occurrence directly to the Level 2 task, which in turn provides source term information to the consequence and risk integration task.
Whether or not Level 2/3 analyses are performed depends on the scope of the PRA.

3.7.5 References

Ang, A. H.-S., and N. M. Newmark, A Probabilistic Seismic Assessment of the Diablo Canyon Nuclear Power Plant, Report to U.S. Nuclear Regulatory Commission, N. M. Newmark Consulting Engineering Services, Urbana, IL, November 1977.

Bernreuter, D. L., Seismic Hazard Analysis: Application of Methodology, Results and Sensitivity Studies, NUREG/CR-1582, Lawrence Livermore National Laboratory, October 1981.

Bley, D. C., et al., "The Impact of Seismically Induced Relay Chatter on Nuclear Plant Risk," Transactions of the Ninth International Conference on Structural Mechanics in Reactor Technology, Vol. M, "Structural Reliability Probabilistic Safety Assessment," pp. 23-28, August 17-21, 1987.

Bohn, M. P., and J. A. Lambright, Procedures for the External Events Core Damage Frequency Analysis for NUREG-1150, NUREG/CR-4840, Sandia National Laboratories, November 1990.

Budnitz, R. J., H. E. Lambert, and E. E. Hill, Relay Chatter and Operator Response after a Large Earthquake: An Improved PRA Methodology with Case Studies, NUREG/CR-4910, Future Resources Associates, Inc., August 1987.

Campbell, R. D., et al., "Seismic Risk Assessment of System Interactions," Transactions of the Eighth International Conference on Structural Mechanics in Reactor Technology, Brussels, Belgium, August 19-23, 1985.

ComEd, Zion Probabilistic Safety Study, Commonwealth Edison Co., 1981.

ConEd, Indian Point Probabilistic Safety Study, Consolidated Edison Co. and New York Power Authority, 1983.

IAEA, Treatment of External Hazards in Probabilistic Safety Assessment for Nuclear Power Plants: A Safety Practice, Safety Series No. 50-P-7, International Atomic Energy Agency, 1995.

IAEA, Probabilistic Safety Assessment for Seismic Events, IAEA-TECDOC-724, International Atomic Energy Agency, 1993.

Kaplan, S., V. M. Bier, and D. C. Bley, "A Note on Families of Fragility Curves: Is the Composite Curve Equivalent to the Mean Curve?" Nuclear Engineering and Design, 1992.

Kaplan, S., H. F. Perla, and D. C. Bley, "A Methodology for Seismic Risk Analysis of Nuclear Power Plants," Risk Analysis, Vol. 3, No. 3, September 1983.

Kennedy, R. P., et al., Studies in Support of Fragility Analysis for Diablo Canyon Long-Term Seismic Program, Structural Mechanics Associates, 1988.

Kennedy, R. P., et al., "Probabilistic Seismic Safety Study of an Existing Nuclear Power Plant," Nuclear Engineering and Design, 59, pp. 315-338, 1980.

Lambert, H. E., and R. J. Budnitz, "Relay Chatter and Its Effects on Nuclear Plant Safety," Transactions of the Tenth International Conference on Structural Mechanics in Reactor Technology, Los Angeles, California, August 1989.

PG&E, Diablo Canyon Long Term Seismic Program, Pacific Gas and Electric Company, 1988.

Schnabel, P. B., J. Lysmer, and H. B. Seed, SHAKE: A Computer Program for Earthquake Response Analysis of Horizontally Layered Sites, EERG-72-12, Earthquake Engineering Research Center, University of California at Berkeley, 1972.

Smith, P. D., et al., Seismic Safety Margins Research Program - Phase I Final Report, NUREG/CR-2015, Vols. 1-10, Lawrence Livermore National Laboratory, 1981.
4. DOCUMENTATION

This chapter establishes guidance for documenting a PRA. Documentation of the PRA has two major objectives:

* Present the results of the study (i.e., communicate information), and
* Provide traceability of the work.

Documentation begins with detailed information gathering, calculation sheets, model construction, and computer work. This material is formally documented in task reports that become appendices to the PRA Report. These details, in turn, are abstracted and reorganized into the Main Reports for each of the major technical activities of the PRA. All of this documentation is then used to recast the model and results into the Executive Summary. Finally, an Overall Project Summary is developed, which presents key results and insights from the work.

4.1 Documentation in Support of Reporting/Communication

Table 4-1 briefly summarizes the reports used to document the KNPS PRA. The distribution of these reports is also indicated in the table. Each report is discussed in more detail below.

Table 4-1 Documentation for the Kalinin PRA Project

Report                                                       Document                          Distribution
Executive Summary Report (1)                                 NUREG/IA-0212, Volume 1           Publicly Available
  - Level 1, Internal Events
  - Level 2, Internal Events
  - Other Events
Main Report - Level 1 PRA, Internal Initiators               NUREG/IA-0212, Volume 2, Part 1   Proprietary/Restricted Distribution
Main Report - Level 2 PRA, Internal Initiators               NUREG/IA-0212, Volume 2, Part 2   Proprietary/Restricted Distribution
Main Report - Other Events Analysis (Fire, Flood, Seismic)   NUREG/IA-0212, Volume 2, Part 3   Proprietary/Restricted Distribution
Procedure Guides for a Probabilistic Risk Assessment         NUREG/CR-6572, Revision 1         Publicly Available

(1) Does not include quantitative results for core damage frequency and radionuclide release frequency.

The Procedure Guides for a Probabilistic Risk Assessment report documents the technical approach used for the PRA. It was written by the U.S. team and was made available at an early stage of the project in order to guide the work being done in the R.F. The guides helped to assure that the PRA would be done according to an internationally acceptable and consistent framework.

The Project/Executive Summary report contains the objectives of the project, a summary of how the project was carried out, and a general summary of the results of the PRA. The PRA considered only the reactor core as a potential source and only full power operation. A Level 1 PRA (assessment of core damage frequency) and a Level 2 PRA (containment performance) were carried out in detail. A Level 3 PRA was not performed, but guidance on performing such a PRA was provided.

The Main Report documents the Level 1 PRA performed for accidents initiated by internal events at the KNPS. The report was written by the Russians and contains an explanation of the methods used and the results of the overall analysis as well as the analysis done for the technical activities within the Level 1 PRA.

The Main Report also documents the Level 2 Internal Events PRA. This was also written by the Russians and contains an explanation of the methods used and the results of the overall analysis as well as the analysis done for the technical activities within the Level 2 PRA.

The Main Report also includes a description of the analyses performed for Other Events. The section summarizes the analyses that were performed for accidents initiated by internal floods, fire and seismic events. It was written jointly by the Russian-American team.

The Appendices for the Level 1 and Level 2 Internal Events PRA were written by the Russians and complement the Main Report by providing more details on the Level 1 and Level 2 analyses.

4.2 Documentation in Support of Traceability

Documentation should be performed in a manner that facilitates applications, updating and peer review of the PRA. This section provides general guidance. Reference should be made to the technical activities described in Chapter 3 for guidance on specific products expected from individual technical activities.

Documentation supporting the PRA technical activities should be legible and retrievable (i.e., traceable). PRA documentation should clearly indicate the owner's approval authorization, as appropriate.

The methodology that was used in performing the technical activities in Chapter 3 should be identified either in owner-specific documents or through reference to existing methodology documents. In addition, any general assumptions, interfaces with other PRA elements, nomenclature, definition of terms, or other specific element items that need to be included should be documented.

Information sources, both plant-specific and generic, used in performing the technical activities should be documented, including those sources that are mandatory.

Assumptions and limitations made in performing the technical activities should be documented, including those decisions and judgments that were made in the course of the analysis. The justification should also be included; the justification should provide sufficient detail to allow a reviewer to understand the appropriateness of the assumption or the limitation. General or generic assumptions and limitations should be documented.

The products and outcomes from the technical activities should be documented. These products and outcomes should include those products or deliverables that are necessary to understand the process used to satisfy the technical activities.

The documentation of the technical activities should indicate the person(s) who developed or prepared the product or outcome and the person(s) who reviewed or otherwise verified the appropriateness of the product or outcome, with a printed name and associated signature. The person(s) reviewing, verifying, or otherwise checking products and outcomes should not have participated in the preparation of the product or outcome for which they were assigned.
APPENDICES A THROUGH D

Appendix A A-1

APPENDIX A
RECOMMENDED SUPPLEMENTAL CCF GENERIC ESTIMATES FOR KALININ PRA BASED ON EXPERIENCE IN THE U.S.

This appendix provides information on supplemental common-cause failure (CCF) estimates for some of the instrumentation and control components which are not currently contained in Stromberg et al. (1995). The specific components of concern are:
- Pressure sensors
- Sensors: flux monitors
- Sensors: temperature detectors
- Relays
- Analog channel
- Digital channel

There is not currently a specific reference addressing the CCF for all of the above components. Several different references were reviewed, and that portion of the data which was considered appropriate was used to arrive at the final recommended values. Some references were of a proprietary nature and, therefore, could neither be referenced nor quoted. Such references were used as a check on the final results to ensure that the recommended uncertainty ranges cover the CCF values reported in these proprietary references. The recommended values are provided in the form of the Beta factor for various group sizes. The references that were reviewed for this appendix (excluding the proprietary references) are given below.

A.1 Pressure Sensors

Pressure sensors include both mechanical (spring-assisted force balance) and electrical (balanced capacitor) transducers. They can be used for measurements of pressure and pressure differential (delta pressure). The measurements of delta pressure can be used indirectly for level and flow measurements. Different types of pressure sensors used for different applications can have significantly different failure rates.
However, the estimated generic CCF parameters do not differentiate between different types and applications. Such generic CCF estimates could be used for the initial phase of quantification. Limited failure data were analyzed in Atwood (1983) for pressure sensors; however, the pressure sensors, their logic channel, relays, and switches were all combined. Another study of pressure transmitters focusing on a specific manufacturer of the electrical type (Carbonado et al., 1991) focuses on specific failure mechanisms, i.e., loss of fill oil. Carbonado and Azarm (1993) use a beta factor of 0.21 for the conditional failure probability of at least two pressure transmitters out of a group of three. Other studies of pressure transmitters all indicate that these types of components are typically reliable, fully tested infrequently, and have a high potential for dependent failures. Based on the review of all the materials, Table A-1 provides reasonable generic data for use as the prior for pressure transmitters.

Table A-1 Generic CCF rates for pressure transmitters used as pressure, level, or flow monitors

Group Size | 2 or More Given 1 | 3 or More Given 1 | 4 or More Given 1 | Lognormal Error Factor
2          | 0.15              | NA                | NA                | 6
3          | 0.2               | 0.1               | NA                | 6
4          | 0.2               | 0.1               | 0.1               | 6

A.2 Sensors: Flux Monitors

This includes source range monitors (typically proportional counters), intermediate range monitors (typically compensated ionization chambers), and finally power range monitors (typically uncompensated ionization chambers). Atwood (1983) and Azarm et al. (1989) were reviewed and both indicated that CCF rates for such components are very low. Therefore, it is recommended that a global Beta factor of 0.01 with an error factor of 3 be used for these types of flux monitors.

A.3 Sensors: Temperature Detectors

Atwood (1983) provides the CCF rate for resistance temperature detectors. The majority of failure modes are due either to moisture leakage or to high resistance of the resistors. Some drift failures were also reported. The reasonable values provided in Table A-2 are primarily based on the actual event data reported in Atwood (1983), with the exception of the error factors, which are subjectively assigned.

A.4 Relays

A global Beta factor of 0.07 is reported for relays in Hassan and Vesely (1997). Similarly, Martinez-Garret and Azarm (1994) report a global Beta factor of 0.06 with an error factor of 2.2 for relays, based on actuarial data for the onsite electrical power systems of U.S. nuclear power plants. The use of a global error factor is justified since the level of redundancy in most cases was 2. Neither study differentiates between different types and applications of relays (e.g., master vs. slave) for CCF rates. Azarm et al. (1994) focuses on a specific relay manufacturer and indirectly provides a global Beta factor by determining the F factor. In Azarm et al. (1994), (1/F) is the ratio of the actual system unavailability, accounting for independent plus dependent contributions, to the independent portion. This study considers that CCFs of the relays are due mainly to slow-acting CCF mechanisms, such as insulation wear-out and varnish deposition on the relay contacts.
These global Beta factors, therefore, are sensitive to test intervals; a short test interval will detect individual failures before they become multiple failures. For a test interval of about one year, a global Beta factor of about 0.06 for a group size of 2, and a global Beta factor of 0.02 for group sizes of three or more, is estimated. It is important to note that increasing the test interval by a factor of 2 could double the estimated values of the Beta factors. Therefore, we recommend a Beta factor of 0.06 with an error factor of 2.2 for a group size of 2 and a Beta factor of 0.02 with an error factor of 3 for a group size of three or more, with a corresponding prior adjustment if the test interval exceeds one year.

Table A-2 Generic CCF rates for resistance temperature detectors, excluding the in-core thermocouples

Group Size | 2 or More Given 1 | 3 or More Given 1 | 4 or More Given 1 | Lognormal Error Factor
2          | 0.14              | NA                | NA                | 6
3          | 0.14              | 0.07              | NA                | 6
4          | 0.2               | 0.1               | 0.07              | 6

A.5 Analog Channel

An analog channel is typically responsible for signal conditioning by methods such as modulation, de-modulation, filtering, or amplifying. The last stage of an analog channel is either a driver amplifier to feed a device or a relay, or a comparator to provide input to a logic channel. Solid-state analog circuits have been in use for many years, and there is good understanding of their failure mechanisms. CCFs of analog circuits due to heat, humidity, electrical surges, lightning, smoke, and vibration have been observed in the past. The CCF rates for analog channels are application dependent; however, Hassan and Vesely (1997) and Azarm et al. (1989) provide some generic CCF rates for analog channels, i.e., 0.07 from Hassan and Vesely (1997) and 0.05 from Azarm et al. (1989). Primarily based on these references, a global Beta factor of 0.07 should be used for analog channels (regardless of group size). An error factor of 6 is recommended to indicate the variation of this global Beta factor with the specific application type.

A.6 Digital Channels

A digital channel could be a programmable logic module, a logic circuit, a processor unit with the associated memory and bus structure, etc. The components in a digital channel could be made using a variety of different semiconductor technologies. The CCFs associated with these components are mostly driven by external causes; therefore, they should operate in a controlled environment. A global Beta factor of 0.001 is reported for logic modules in Hassan and Vesely (1997). An error factor of 10 is recommended to indicate the significant variability and uncertainty in this CCF estimate.

A.7 References

Atwood, C. L., "Common-Cause Fault Rates for Instrumentation and Control Assemblies," NUREG/CR-2771, Idaho National Engineering Laboratory, February 1983.

Azarm, M. A., et al., "Dependent Failures and Two Case Studies," BNL Technical Report W6082, Brookhaven National Laboratory, August 1994.

Azarm, M. A., et al., "Level 1 Internal Event PRA for the High Flux Beam Reactor," BNL Technical Report, Brookhaven National Laboratory, August 1989.

Carbonado, J., and M. A. Azarm, "Evaluation of Surveillance and Technical Issues Regarding ATWS Mitigation Systems," BNL Technical Report L-1311, Brookhaven National Laboratory, June 18, 1993.

Carbonado, J., et al., "Evaluation of Surveillance and Technical Issues Regarding Rosemount Pressure Transmitter Loss of Fill-Oil Failures," BNL Technical Report L-1311, Brookhaven National Laboratory, December 1991.

Hassan, M., and W. E. Vesely, "Digital I&C Systems in Nuclear Power Plants: Risk Screening of Environmental Stressors and a Comparison of Hardware Unavailability with Existing Analog System," NUREG/CR-6579, November 1997.

Martinez-Garret, G., and M. A. Azarm, "Reliability Assessment of Electrical Power Supply to Onsite Class 1E Buses at Nuclear Power Plants," BNL Technical Report L-2505, Brookhaven National Laboratory, June 7, 1994.

Stromberg, H. M., et al., "Common-Cause Failure Data Collection and Analysis System," Vols. 1 through 6, INEL-94/0064, Idaho National Engineering Laboratory, December 1995.
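As an added worked example, written for this page and not part of the appendix or of the Kalinin PRA, the following Python shows how the Beta factors in Tables A-1 and A-2 and the relay estimates in Section A.4 are actually used in quantification: converting the cumulative "k or more given 1" columns into exact-k probabilities, turning a median and lognormal error factor into 5th/95th percentile bounds and a mean, and scaling the relay Beta factor with test interval. The table values are transcribed; the lognormal convention (error factor = 95th percentile divided by median, hence sigma = ln(EF)/1.645) and the linear test-interval scaling are assumptions stated in the code, and the single-component unavailability passed to the last function is a constructed input.

```python
"""Using beta-factor CCF estimates with lognormal uncertainty.

Added illustration (not the appendix's own tooling). Table values are
transcribed from Tables A-1 and A-2; the lognormal convention and the
test-interval scaling are assumptions noted in the comments.
"""
import math
from typing import Dict, Tuple

# Conditional probability that k or more components fail given one failed,
# keyed group_size -> {k: beta}.  "NA" cells are simply absent.
PRESSURE_TRANSMITTERS: Dict[int, Dict[int, float]] = {
    2: {2: 0.15},
    3: {2: 0.20, 3: 0.10},
    4: {2: 0.20, 3: 0.10, 4: 0.10},
}
RTD_SENSORS: Dict[int, Dict[int, float]] = {
    2: {2: 0.14},
    3: {2: 0.14, 3: 0.07},
    4: {2: 0.20, 3: 0.10, 4: 0.07},
}
ERROR_FACTOR = 6.0          # lognormal error factor given in both tables
Z95 = 1.6448536269514722    # standard normal 95th percentile


def lognormal_bounds(median: float, error_factor: float) -> Tuple[float, float, float]:
    """(5th percentile, median, 95th percentile), assuming EF = P95 / median."""
    if median <= 0.0 or error_factor < 1.0:
        raise ValueError("median must be positive and error factor >= 1")
    return median / error_factor, median, median * error_factor


def lognormal_mean(median: float, error_factor: float) -> float:
    """Mean of the same lognormal: sigma = ln(EF)/z95, mean = median * exp(sigma^2 / 2)."""
    sigma = math.log(error_factor) / Z95
    return median * math.exp(sigma * sigma / 2.0)


def exactly_k_given_one(table: Dict[int, Dict[int, float]], group_size: int) -> Dict[int, float]:
    """Turn the cumulative 'k or more given 1' columns into 'exactly k given 1' probabilities."""
    betas = table[group_size]
    out = {1: 1.0 - betas.get(2, 0.0)}          # only the one observed component fails
    for k in range(2, group_size + 1):
        out[k] = betas.get(k, 0.0) - betas.get(k + 1, 0.0)
    return out


def scale_for_test_interval(beta: float, interval_years: float, reference_years: float = 1.0) -> float:
    """Section A.4 notes that doubling the test interval could double the Beta factor;
    this applies that remark as a linear scaling (an assumption), capped at 1.0."""
    if interval_years <= 0.0 or reference_years <= 0.0:
        raise ValueError("intervals must be positive")
    return min(1.0, beta * interval_years / reference_years)


def group_ccf_unavailability(q_single: float, beta: float) -> float:
    """Beta-factor model: the CCF contribution to group unavailability is beta * Q_single."""
    return beta * q_single


if __name__ == "__main__":
    for size in (2, 3, 4):
        print(f"pressure transmitters, group of {size}: {exactly_k_given_one(PRESSURE_TRANSMITTERS, size)}")
    print("beta(2|1) for a pair, 5%/50%/95%:", lognormal_bounds(PRESSURE_TRANSMITTERS[2][2], ERROR_FACTOR))
    print("relay beta(2|1) at a 2-year test interval:", scale_for_test_interval(0.06, 2.0))
```

The exact-k conversion is what a fault-tree tool needs when CCF basic events are modelled per failure multiplicity. With the rounded values in Table A-1, the group-of-four pressure transmitters get zero probability of exactly three failing (0.1 minus 0.1), which is a property of the rounded table entries rather than of the components, and is one reason the error factor of 6 matters more than the point values.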
B-1

APPENDIX B
SIMPLIFIED LEVEL 2 ANALYSIS

B.1 Background

In this appendix, the analyses performed as part of the Level 2 portion of a probabilistic risk assessment (PRA) are described. The analyses described in this appendix were previously published in an earlier version of this procedure guide (NUREG/CR-6572, Vol. 3, Part 1, September 1999). The approach described is a simplified Level 2 PRA and is included here for completeness. The approach described in the main body of the revised procedure guide is a full-scope Level 2 PRA. A Level 2 PRA consists of five major parts:
1. Plant damage states,
2. Containment event tree analysis,
3. Release categorization,
4. Source term analysis,
5. Severe accident management strategies.

B.2 Task Activities

The purpose of this appendix is to provide a guide for assessment and management of severe accident risks in VVERs. Probabilistic accident progression and source term analyses (Level 2 PRAs) address the key phenomena and/or processes that can take place during the evolution of severe accidents, the response of containment to the expected loads, and the transport of fission products from the damaged core to the environment. Such analyses provide information about the probabilities of accidental radiological releases (source terms). The analyses also indicate the relative safety importance of events in terms of the possibility of offsite radiological releases, which provides a basis for development of plant-specific accident management strategies.

A concern associated with the results of Level 2 PRAs stems from their known susceptibility to phenomenological uncertainties. These uncertainties are often of such a magnitude that they make the decision-making process difficult. There is much to be gained, therefore, in the assessment of severe accident risks from reformulation of the Level 2 methodology into a simplified containment event tree (CET) and redefinition of the phenomenological portion in terms of a physically based probabilistic framework. Such an approach provides a streamlined procedure for assessment of severe accident risks that further allows for a direct evaluation of potential accident management strategies.

This appendix describes six major procedural activities for assessment and management of severe accident risks (see Figure B.1). Section B.2.1 provides guidance on development of plant damage states (PDSs) (Activity 1). Section B.2.2 discusses the development of a simplified CET (Activity 2). The determination of the likelihood of occurrence of severe accident phenomena leading to various containment failure modes is also discussed in this section (Activity 3). Guidance is provided for deterministic analyses, including consideration of uncertainties, for severe accident issues. Section B.2.3 discusses the accident progression grouping (source term categorization, Activity 4). Section B.2.4 provides guidance on an evaluation of release and transport of radionuclides leading to an estimation of environmental source terms for each accident progression grouping (Activity 5). Output from Activity 5 provides the information needed to perform an offsite consequence assessment (Level 3 PRA). Section B.2.5 discusses the development of potential plant-specific accident management strategies to reduce the frequency of accident progression groups with large-release concerns (Activity 6). Attachment 1 describes the key phenomena and/or processes that can take place during the evolution of a severe accident and that can have an important effect on the containment behavior.

B.2.1 Plant Damage States

The role of interfaces between the system analysis (Level 1 PRA) and the containment performance analysis is particularly important from two perspectives. First, the likelihood of core damage can be influenced by the status of particular containment systems. Second, containment performance can be influenced by the status of core cooling systems. Thus, because the influences can flow in both directions between the system analysis and the containment performance analysis, particular attention must be given to these interfaces.

Figure B.1 Major procedural activities for assessment and management of severe accident risks

The Level 1 PRA analysis identifies the specific combinations of system or component failures (i.e., accident sequence cutsets) which can lead to core damage. The number of cutsets generated by a Level 1 analysis is very large. It is neither practical nor necessary to assess the severe accident progression, containment response, and fission product release for each of these cutsets. As a result, the common practice is to group the Level 1 cutsets into a sufficiently small number of plant damage states to allow a practical assessment and management of severe accident risks.

A PDS should be defined in such a way that all accident sequences associated with it can be treated identically in the accident progression analysis. That is, the PDS definition must recognize all distinctions that matter in the accident progression analysis. It is clear that some PDSs will be more challenging to containment integrity than others. For example, some PDSs will completely bypass containment, such as accidents in which the isolation valves between the high-pressure reactor coolant system (RCS) and the low-pressure secondary systems fail, causing a loss-of-coolant accident (LOCA) outside containment. Other examples include failure of the steam generator (SG) tubes and loss of containment isolation. Early loss of containment integrity can be the result of internal initiating events and can also be caused by external initiators (such as seismic events). In past PRAs for some U.S. plants, seismic initiators have been important contributors to the frequency of loss of containment isolation.

For those situations where the containment is initially intact, some PDS groups will cause more severe containment loads (e.g., elevated pressures and temperatures) than others. For example, a transient event with loss of coolant injection and containment heat removal (e.g., failure of containment sprays) will result in a core meltdown with the reactor coolant system at high pressure. A high-pressure core meltdown has the potential to cause more severe containment loads than, say, a LOCA with the containment heat removal systems operating. Accidents initiated by seismic events also tend to be important contributors to the frequency of the severe PDS groups. This is because seismic events have the potential to cause multiple equipment failures and hence result in more severe PDS groups.

Before PDSs are defined, the analyst must identify plant conditions, systems, and features that can have a significant impact on the subsequent course of an accident. All potential combinations of the PDS characteristics that are physically possible are tabulated and assigned an identifier. The PDS matrix is usually developed by a Level 2 analyst and then reviewed by a Level 1 analyst for compatibility with the plant model and completeness in the appropriate dependencies. The matrix is revised, as necessary, until all requirements specified by the Level 1 and Level 2 analysts are deemed satisfactory. For example, the PDS should be defined such that it yields a unique set of conditions for entering the containment event tree. A Level 2 analyst may find it necessary or convenient to distinguish among groups of scenarios that have been assigned to a common PDS. This might be the case if distinct scenario types have been assigned to a particular PDS but subsequently prove to have different Level 2 signatures. The past experience of the Level 2 analyst helps to reconcile these issues.

All of the plant model information on the operability status of active systems that are important to the timing and magnitude of the release of radioactive materials must be passed into the CET via the definition of the PDS. Therefore, the plant model event trees must also address those active systems and functions that are important to containment isolation, containment heat removal, and the removal of radioactive material from the containment atmosphere. A containment spray system is a good example of such a system.

A relatively simple set of PDS attributes is, therefore, proposed in Table B-1 that will identify those accidents that are more challenging to containment integrity than others. The attributes given in Table B-1 allow the accident sequences generated in the Level 1 analysis for both internal and external events to be processed through the simplified CET described in Section B.2.2. The VVER analysts should verify that the attributes given in Table B-1 are appropriate and ask themselves whether VVERs have some other features that also belong in this table. It should also be noted that the PDS groups in Table B-1 assume that seismic events will not cause any unique containment failure modes but simply influence the frequency of the more severe PDS groups. If unique failure modes are identified in the external event PRA, then Table B-1 should be expanded accordingly.

B.2.2 Containment Event Tree Analysis

The evaluation of accident progression and the attendant challenges to containment integrity is an essential element of a risk assessment. The key phenomena and/or processes that can take place during the evolution of a severe accident and that can have an important effect on containment behavior are described in Attachment 1. The discussion in Attachment 1 identifies those issues that need to be considered when attempting to characterize the progression of severe accidents and the potential for various containment failure modes or bypass mechanisms. Of particular importance is determining the effectiveness of those systems that are relied upon to mitigate the consequences of severe accidents. Attachment 1 lists some of the considerations that need to be addressed by the VVER analysts prior to taking credit for a system in the Level 2 PRA. In particular, it should be determined whether or not the equipment under consideration is qualified to operate successfully in the harsh environmental conditions (high temperature, pressure, humidity, radioactivity, aerosol concentration, etc.) associated with a core meltdown accident. The discussion in Attachment 1 can be summarized by using event sequence diagrams such as those shown in Figures B.2 and B.3.
Table B-1 Plant damage state attributes

Initiator Type
- Large, intermediate, or small LOCAs
- Transients
- Bypass events
  - Interfacing systems LOCA
  - Steam generator tube rupture (SGTR)

Status of Containment at Onset of Core Damage
- Isolated
- Not isolated

Status of Containment Systems
- Sprays (if any) always operate/fail or are available if demanded
- Sprays operate in injection mode, but fail upon switchover to recirculation cooling

Electric Power Status
- Available
- Not available

Status of Reactor Core Cooling System
- Fails in injection mode
- Fails in recirculation mode

Heat Removal from the Steam Generators
- Always operate/fail or are available if demanded
- Not operating and not recoverable

Figure B.2 Event sequence diagram for accidents in which the containment is bypassed or not isolated

Figure B.3 Event sequence diagram for accidents in which the containment is initially intact

First, it is most important to determine the status of containment prior to core damage. Thus, the first event (in both diagrams) after accident initiation is to determine containment status. If the containment is bypassed or not isolated (Figure B.2), then it is inevitable that radionuclides will be released to the environment after core damage. Therefore, the diagram focuses on those events that will influence the magnitude and timing of the release. Radionuclides released while the core is in the reactor vessel are termed in-vessel release. accidents (such as interfacing systems LOCA). It is possible that the break location outside of containment is under water. If the radionuclides pass through such a pool of water, then significant scrubbing or retention of the aerosols can occur, which reduces the source term to the environment. Similarly, for an accident in which the containment is not isolated, containment sprays can significantly lower the airborne concentration of radionuclides, with a corresponding reduction in the environmental source term.
It is important to determine if coolant injection can be restored and core melt arrested in the reactor vessel (as happened in the Three Mile Island Unit 2 accident) prior to vessel meltthrough. If core damage is not terminated in-vessel, it is important to know if the region under the vessel is flooded. A flooded cavity could cool the core debris, prevent core-concrete interactions (CCIs) (coolable debris bed), and eliminate radionuclide release from this mechanism (i.e., no ex-vessel release). However, if the cavity is dry, extensive CCIs can occur, resulting in significant radionuclide release (i.e., ex-vessel release occurs) and the possibility of basemat meltthrough. It is also necessary to determine whether or not the flow path from the damaged core to the environment is flooded or affected by spray operation.

Alternatively, if the containment is isolated and not initially bypassed, the event sequence diagram (Figure B.3) focuses on identifying when the containment might fail or be bypassed during the course of a severe accident. For clarity, only three potential release mechanisms are included in the diagram. An early release is defined as a release that occurs prior to or shortly after the core debris melts through the reactor vessel. An early release can be caused by several different failure mechanisms, which are discussed in and will be explained in more detail later in this procedure guide. However, for the purposes of developing a simple event sequence diagram, it is known that these failure mechanisms are strongly influenced by the pressure in the reactor coolant system and whether or not core damage can be terminated by restoring coolant injection prior to vessel meltthrough. It is also possible that the damaged core can be retained in the reactor vessel by external cooling if the cavity is flooded. If the core debris cannot be cooled and retained in the reactor vessel, the potential exists for containment failure at the time of reactor vessel meltthrough. If the containment does not fail early, then the potential exists for late containment failure. In this context, late is defined as several hours to days after the core melts through the vessel. Late failure can occur as a result of high pressures or temperatures if active containment heat removal systems are not available. These types of failures are usually structural failures and can occur above ground. If the cavity is dry or the core is not coolable, late containment failure can occur as a result of the core debris melting through the concrete basemat. Under these circumstances, the release would be below ground. Of course, if the containment is not bypassed and does not fail (early or late), then the release to the environment will be via containment leakage. The VVER analysts should construct event sequence diagrams of the type shown in Figures B.2 and B.3 that reflect plant-specific features that have the potential to influence severe accident progression.

The next step in the process is to determine the probabilities of potential containment failure modes and bypass mechanisms conditional on the occurrence of each plant damage state identified in Section B.2.1. This step is normally achieved by using event trees that incorporate events such as those shown in Figures B.2 and B.3 and address the issues discussed in Attachment 1. A CET is a structured framework for organizing the different accident progressions that may evolve from the various core damage accident sequences. The top events in a CET are developed so that the likelihood of whether the containment is isolated, bypassed, failed, or remains intact can be determined. CETs can vary from relatively small trees with a few top events developed for each plant damage state group to very large and complex trees that are able to accommodate all plant damage states. An example of a simplified CET is provided in Table B-2. This CET is based on the event sequence diagrams in Figures B.2 and B.3 and also incorporates the issues discussed in Attachment 1.
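To make the PDS-to-CET interface of Sections B.2.1 and B.2.2 concrete, here is an added Python example, written for this page rather than taken from the procedure guide or the Kalinin PRA. It bins constructed Level 1 sequences into plant damage states using a subset of the Table B-1 attributes, walks a seven-question subset of the Table B-2 CET (the Table B-2 question numbers are kept, the prior dependences are simplified), and groups each path into a release category. Every sequence frequency and branch probability is invented for the illustration; quantifying the real questions is what the rest of this section is about.

```python
"""Binning Level 1 sequences into plant damage states and walking a simplified CET.
Added illustration, not the procedure guide's own tooling.  PDS attributes are a
subset of Table B-1; top events keep their Table B-2 numbers.  All frequencies and
branch probabilities are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class PDS:
    initiator: str   # "LOCA", "transient" or "bypass" (Table B-1 initiator type, simplified)
    isolated: bool   # containment isolated at onset of core damage
    sprays: bool     # sprays available if demanded
    power: bool      # electric power available

Sequence = Tuple[str, float, PDS]   # (Level 1 sequence name, frequency per reactor-year, PDS)

def bin_sequences(sequences: List[Sequence]) -> Dict[PDS, float]:
    """Group Level 1 sequences that share PDS attributes and sum their frequencies."""
    bins: Dict[PDS, float] = defaultdict(float)
    for _, freq, pds in sequences:
        bins[pds] += freq
    return dict(bins)

# Branch functions give P(yes) from the PDS and earlier answers `a` (Table B-2 "prior
# dependence"), or None when the question is not asked on this path.  Values are constructed.
def q1(pds, a):   # based on PDS
    return 1.0 if pds.isolated and pds.initiator != "bypass" else 0.0
def q3(pds, a):   # based on PDS
    return 1.0 if pds.power else 0.0
def q4(pds, a):   # prior dependence: 3
    return 0.9 if pds.sprays and a[3] else 0.0
def q6(pds, a):   # initiator type (via PDS) and power
    return 1.0 if pds.initiator == "LOCA" else (0.5 if a[3] else 0.1)
def q9(pds, a):   # prior dependence: 1, 4, 6 (phenomena: hydrogen burn before vessel breach)
    if not a[1]:
        return None                    # containment already open: question is moot
    base = 0.01 if a[6] else 0.05      # high RCS pressure gives the larger early load
    return base / 2.0 if a[4] else base
def q13(pds, a):  # prior dependence: 6, 9
    if not a[1] or a[9]:
        return None
    return 0.02 if a[6] else 0.2
def q16(pds, a):  # prior dependence: 9, 13 and spray status
    if not a[1] or a[9] or a[13]:
        return None
    return 0.05 if a[4] else 0.3

CET = [  # (Table B-2 question number, text, branch function)
    (1, "Is the containment isolated or not bypassed?", q1),
    (3, "Is power available?", q3),
    (4, "Are the sprays actuated prior to reactor vessel meltthrough?", q4),
    (6, "Does the reactor coolant system depressurize?", q6),
    (9, "Does the containment fail prior to reactor vessel meltthrough?", q9),
    (13, "Does containment fail at vessel breach?", q13),
    (16, "Does containment fail late?", q16),
]

def release_category(a: Dict[int, bool]) -> str:
    """Accident progression grouping of one CET path (Activity 4)."""
    if not a[1]:
        return "bypass or not isolated"
    if a[9] or a[13]:
        return "early containment failure"
    return "late containment failure" if a[16] else "intact (leakage only)"

def walk_cet(pds: PDS) -> Dict[str, float]:
    """Enumerate every CET path for one PDS; conditional probability per release category."""
    result: Dict[str, float] = defaultdict(float)

    def recurse(i: int, a: Dict[int, bool], prob: float) -> None:
        if i == len(CET):
            result[release_category(a)] += prob
            return
        num, _, fn = CET[i]
        p_yes: Optional[float] = fn(pds, a)
        if p_yes is None:                       # not applicable: record "no" and move on
            recurse(i + 1, {**a, num: False}, prob)
            return
        for answer, p in ((True, p_yes), (False, 1.0 - p_yes)):
            if p > 0.0:                         # drop impossible branches
                recurse(i + 1, {**a, num: answer}, prob * p)

    recurse(0, {}, 1.0)
    return dict(result)

def release_frequencies(sequences: List[Sequence]) -> Dict[str, float]:
    """Frequency per release category: PDS frequency times CET conditional probability."""
    totals: Dict[str, float] = defaultdict(float)
    for pds, freq in bin_sequences(sequences).items():
        for cat, p in walk_cet(pds).items():
            totals[cat] += freq * p
    return dict(totals)

# Constructed Level 1 output: two transients share one PDS, plus a large LOCA and a bypass event.
SEQUENCES: List[Sequence] = [
    ("T-loss-of-feedwater", 2.0e-6, PDS("transient", True, True, True)),
    ("T-loss-of-offsite-power", 5.0e-7, PDS("transient", True, True, True)),
    ("A-large-LOCA", 3.0e-7, PDS("LOCA", True, True, True)),
    ("V-interfacing-systems-LOCA", 1.0e-7, PDS("bypass", False, False, True)),
]
```

Calling release_frequencies(SEQUENCES) gives the frequency of each release category per reactor-year. Requantifying the CET with an accident management credit, as the text describes, is a matter of changing one branch function (for example the spray probability in q4) and running release_frequencies again; because bypass sequences never reach the phenomenological questions, their frequency passes straight through to the bypass category, which is why the text treats them separately in Question 1.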
The top events in the CET are the key attributes for a typical U.S. pressurized water reactor with a large-dry containment. The VVER analysts should verify the completeness of Table D-2 and determine if VVER plants have some other features that should be incorporated into the CET. Some of the CET questions correspond to the availability of various systems, whereas other questions are related to the likelihood of physical phenomena leading to containment failure. For example, it is initially important to determine if the containment is isolated or bypassed (Question 1). This question can be answered based on information contained in the PDSs. However, the likelihood of containment failure (Question 13) depends on quantifying uncertain phenomena which are, in turn, strongly influenced by the pressure (Question 6) in the reactor coolant system during core meltdown and vessel failure (refer to the discussion in Attachment 1). In a similar manner, the issue of debris bed coolability (Question 15) is another important phenomenological issue that strongly influences the potential for containment failure (Question 16) in the late time frame.

Table B-2 identifies those questions that can be quantified from system (and human) reliability analyses, including consideration of potential severe accident management strategies (Questions 1, 2, 3, 4, 5, 6, 7, 10, 11, and 14), and those that require phenomenological analyses (Questions 8, 9, 12, 13, 15, and 16). An approach for dealing with each question in the CET is presented below. Quantification of those questions in the CET that deal with system (and human) reliability analyses is in part based on information contained in the PDS groups. However, the PDS groups only provide information on which systems are potentially available for particular accident sequences. Whether or not the systems successfully operate during a severe accident has to be evaluated (refer to Attachment 1) as part of the Level 2 PRA. In addition, any operator actions that are in the formal operating procedures for the plant should be included in the PRA. However, after core damage, there are a number of actions that an operator could take that could terminate and significantly mitigate the consequences of a core meltdown accident but which are not part of the operating procedures. Operator actions of this nature should be included in severe accident management strategies and should complement the normal plant operating procedures. The discussion below indicates where opportunities (in Questions 4, 6, 7, 10, 11, and 14) exist for implementing accident management strategies.

The analyst should first quantify the CET without the benefit of these accident management strategies. The CET can then be readily requantified to assess the impact of any strategy on the likelihood of containment failure or bypass. Decisions related to implementing accident management strategies should be based on the integrated risk results.
Section B.2.5 describes some of the considerations that must be taken into account when developing these strategies.

The CET also includes several highly complex phenomenological issues associated with the progression of a core meltdown accident. A two-step approach is provided to assess the likelihood of various containment failure modes induced by these highly complex severe accident phenomena. As a first step, a relatively simple scoping analysis should be performed. If, however, the scoping analysis is inconclusive, then a more detailed second step would be needed. This second step is described below for some of the phenomenological questions in the CET.

Table B-2 Nodal questions for a simplified CET

Top Event Question | Prior Dependence | Question Type
1. Is the containment isolated or not bypassed? | None | Based on PDS
2. What is the status of the reactor core cooling system? | None | Based on PDS
3. Is power available? | None | Based on PDS
4. Are the sprays actuated prior to reactor vessel meltthrough? | 3 | Based on PDS and accident management
5. Is heat removal from the steam generators possible? | None | Based on PDS
6. Does the reactor coolant system depressurize? | 2, 3, 5 | Based on PDS, design and accident management
7. Is in-vessel coolant injection restored? | 2, 3 | Based on PDS and accident management
8. Does thermally induced steam generator tube rupture occur? | 6 | Phenomena
9. Does the containment fail prior to reactor vessel meltthrough? | 1, 4, 6 | Phenomena
10. Is the break location under water for bypass accidents? | 1, 2, 7 | Based on PDS, design and accident management
11. Is the region under the reactor vessel flooded or dry? | 2, 4 | Based on PDS, design and accident management
12. Is reactor vessel breach prevented? | 6, 7, 11 | Phenomena and design
13. Does containment fail at vessel breach? | 6, 8, 9 | Phenomena
14. Do the sprays actuate or continue to operate after vessel breach? | 3, 4 | Based on PDS and accident management
15. Is the core debris in a coolable configuration? | 4, 11 | Phenomena
16. Does containment fail late? | 9, 11, 13, 14, 15 | Phenomena

Question 1 - Is the containment isolated or not bypassed?

This question can be answered based on information in the PDS. A negative response to this question includes accidents in which the containment fails to isolate as well as accidents that bypass containment (such as interfacing systems LOCA and SGTR). This question applies only to accidents in which the containment fails to isolate or is bypassed at or before accident initiation. Accident sequences that result in the containment becoming bypassed (such as induced SGTR) after core damage do not apply to this question. These accidents are included under the response to Question 8 below.

Question 2 - What is the status of the reactor core cooling system?

This question can also be answered based on information in the PDS. If the coolant injection pump fails in the injection mode, then the contents of the water storage tanks will not be injected into containment (unless the containment spray operates). For some containment designs, the reactor cavity can only be flooded if the contents of the water storage tanks are injected into containment. The VVER analysts should ascertain whether or not this is also true for the VVER containment design under consideration. The response to this question influences the response to Question 11 below.

Question 3 - Is power available?

This question is answered from information in the PDS.
The status of power availability is importantfor determining whether or not certain actions can be undertaken during the course of the accident.For example, spray system operation requires power (unless a dedicated power sup ply isprovided) so that the response to this question directly influences the response to Questions 4 and
- 14. Power is also needed to depressurize the RCS (Question 6) and restore in-vessel coolant injection (Question 7).

Question 4 - Are the sprays actuated prior to reactor vessel meltthrough?

This question can be answered in part based on information in the PDS but can also be influenced by potential accident management strategies.

Containment sprays can be automatically actuated based on a high containment pressure signal. Under these circumstances and if power is available, the spray system would be actuated early in the accident. However, it has been suggested that delaying spray operation to later times may be more beneficial from an accident management perspective. Other potential strategies involve the use of alternate water supply systems. Section B.2.5.1 describes some of the considerations that need to be taken into account when developing accident management strategies related to containment spray operation. In addition, Attachment 1 stresses that it is also necessary to carefully assess whether or not a system will be able to perform the intended function under the harsh environmental conditions of a severe accident.

Question 5 - Is heat removal from the steam generators possible?

Information contained in the PDS can be used to determine if heat removal from the steam generators is possible for each of the accident sequences under consideration. Heat removal from the steam generators is one possible way of depressurizing the RCS. Thus, the success of some accident management strategies designed to depressurize the RCS (refer to Question 6 and Section B.2.5.2 below) is contingent on a positive response to this question.

Question 6 - Does the reactor coolant system depressurize?

For accidents initiated by transients and small break LOCA, the RCS will remain at high pressure unless the operators depressurize the RCS or induced failure of the RCS pressure boundary occurs (thermally induced SGTR is addressed under Question 8 below). For accidents initiated by intermediate and large break LOCA, the RCS will depressurize and be at low pressure prior to core damage. Thus, information in the PDS related to the initiator type (i.e., a transient event or a small break LOCA versus a large or an intermediate LOCA) can be used to answer this question.

However, it is generally recognized that if the RCS remains at high pressure (i.e., transients and small break LOCAs) during a core meltdown accident, the challenges to containment integrity will be more severe than for low-pressure sequences. Consequently, various accident management strategies have been proposed to depressurize the RCS for those accidents that would otherwise be characterized as high RCS pressure sequences. Depressurization can potentially be achieved by heat removal through the steam generators (positive response to Question 5) or by direct pressure relief of the RCS. Again, the ability of these systems to adequately depressurize the RCS during severe accident conditions needs to be carefully evaluated. However, prior to implementing RCS depressurization strategies, a number of adverse effects need to be considered as indicated in Section B.2.5.2.

Question 7 - Is in-vessel coolant injection restored?

This question can be answered based on information in the PDS. At a minimum, power and water must be available in order to restore injection. In addition, for some accidents, the RCS must be depressurized (if only low head injection pumps are available) in order to restore coolant injection. Injecting water into a damaged reactor core is done to terminate core meltdown and establish a coolable geometry. Several accident management strategies have been proposed for injecting water into the RCS (refer to Section B.2.5.3).

Question 8 - Does thermally induced steam generator tube rupture occur?

The likelihood of a temperature-induced creep rupture of the SG tubes depends on several factors including the thermal-hydraulic conditions at various locations in the primary and secondary systems, which determine the temperatures and the pressures to which the SG tubes are subjected as the accident progresses.
Other relevant factors include the effective temperature required for creep rupture failure of the SG tubes and the presence of defects in the SG tubes which increase the likelihood of rupture.

Thermally induced SGTRs can occur after the SGs have dried out and very hot gas is circulating. The horizontal SG design in VVERs most likely precludes counter-current natural circulation flow in the hot leg. However, the possibility of water seal clearing at the bottom of the downcomer and at the cold leg loop seals is a potentially important issue for thermally induced failure of the SGs and should be studied for VVERs.

Question 9 - Does the containment fail prior to reactor vessel meltthrough?

This question deals with the likelihood of a hydrogen combustion event failing the containment prior to vessel failure. In order to determine the likelihood of failure, the magnitude of the pressure rise caused by a hydrogen combustion event has to be compared against the ultimate capacity of the containment. The ultimate capacity of the containment is usually a factor of 2.5 to 3 times the design pressure. In a separate project, the NRC is sponsoring research at the Russian Academy of Sciences in which a finite element model of the Kalinin containment is being developed. This model will be used to predict the response of the containment structure to pressure loads in order to determine the ultimate pressure capacity. The results of this activity can be used to help quantify the CET for the Kalinin plant. It should be noted that in order to quantify the CET, a fragility curve (i.e., a probability of failure versus pressure curve) is needed. Developing these fragility curves requires engineering judgment and information obtained from the finite element analysis and other sources. Examples of how fragility curves can be developed are given in Breeding et al. (1990), which describes how an expert panel addressed structural response issues.

The magnitude of the pressure loads caused by combustion events can be determined by a number of approaches. As a first step, the amount of hydrogen generated during in-vessel core meltdown can be estimated. The pressure rise from the combustion of this hydrogen can then be calculated by assuming adiabatic energy transfer to the containment atmosphere. If the containment can withstand this bounding adiabatic pressure load, then no further analysis for this potential failure mode is needed and the conditional probability of containment failure via this mechanism prior to reactor vessel meltthrough is zero. However, if the adiabatic load is close to or exceeds the containment capacity, then a more detailed analysis of this failure mechanism is needed.

The extent of containment loading due to hydrogen combustion is largely a function of the rate and magnitude of hydrogen production and the nature of the combustion of this hydrogen. Uncertainties associated with hydrogen loading arise from an incomplete state of understanding of various phenomena associated with hydrogen generation and combustion. These phenomena include in-vessel hydrogen generation, hydrogen transport and mixing, hydrogen deflagration, hydrogen detonation, and diffusion flames.

The issue regarding in-vessel hydrogen generation centers on the rate and quantity of hydrogen production and the associated hydrogen-steam mass and energy release rates from the RCS.
These parameters strongly influence the flammability of the break flow, the containment atmosphere, and the magnitude, timing, and location of potential hydrogen combustion.

The degree of mixing and rate of transport of hydrogen in the containment building is an important factor in determining the mode of combustion. Hydrogen gas released during an accident can stratify, particularly in the absence of forced circulation and if there are significant temperature gradients in the containment. Hydrogen released with steam can also form locally high concentrations in the presence of condensing surfaces. Should the hydrogen accumulate in a locally high concentration, then flame acceleration and detonation could occur. Hydrogen mixing and distribution in a containment is sensitive to the hydrogen injection rate and the availability of forced circulation or induced turbulence in the containment. The results of large-scale hydrogen combustion tests performed at the Nevada Test Site appear to qualitatively support the notion that operating the spray system will result in a well-mixed atmosphere (Thomson, 1988).

Hydrogen deflagrations involve the fast reaction of hydrogen through the propagation of a burning zone or combustion wave after ignition. The combustion wave travels subsonically and the pressure loads developed are, for practical purposes, static loads. Deflagrations are the most likely mode of combustion during degraded core accidents. In fact, the deflagration of a premixed atmosphere of hydrogen-air-steam occurred during the Three Mile Island Unit 2 accident. The likelihood and nature of deflagration in containments is strongly influenced by several parameters--namely, composition requirement for ignition, availability of ignition sources, completeness of burn, flame speed, and propagation between compartments. In addition, combustion behavior is influenced by the effects of operating sprays.

Experimental studies of hydrogen combustion have been performed to understand the combustion behavior under expected plant conditions, and there is a reasonably complete database at several scales for ignition limits, combustion completeness, flame speed, and burn pressure for a hydrogen-steam-air mixture. Improved correlations for flame speed and combustion completeness have been derived by Wong (1987). These correlations were derived based on the combustion data from the Variable Geometry Experimental System (Benedick, Cummings, and Prassinos, 1982 and 1984); Fully Instrumental Test Series (Marshall, 1986); Nevada Test Site (Thomson, 1988); Acurex (Torok et al., 1983); and Whiteshell (Kumar, Tamm, and Harrison et al., 1984) experiments.

A physically based probabilistic framework like ROAAM (Theofanous, 1994) can be used to determine the uncertainty distribution for the peak pressure in the containment due to hydrogen combustion. The quasi-static loads from hydrogen combustion can be obtained by an adiabatic isochoric complete combustion model and then be corrected to account for burn completeness and expansion into nonparticipating compartments. The uncertainty distribution for hydrogen concentration and ignition frequencies should be used in the quantification of the pressure distribution for comparison with the ultimate pressure capability of the containment.

Question 10 - Is the break location under water for bypass accidents?

Core damage accident sequences that bypass containment (such as interfacing systems LOCA) usually result in significant fission product release to the environment. The relatively high environmental release for these accidents occurs because the release path bypasses attenuation mechanisms (such as sprays or water pools) that would otherwise be available to reduce the source term. A possible accident management strategy for containment bypass accidents is to flood the break location outside of containment (refer to Section B.2.5.4) for those cases that would otherwise not be flooded.
Question 11 - Is the region under the reactor vessel flooded or dry?

This question can be answered by reference to the PDS. For example, in some containment designs if the water in the water storage tanks is injected into containment, then the reactor cavity will be flooded (i.e., a failure in the recirculation mode in Question 2). However, in other containment designs, accident management strategies are needed to ensure that sufficient water is injected into containment in order to flood the reactor cavity.

Flooding the reactor cavity can be beneficial during a core meltdown accident in two respects. First, a flooded cavity would externally cool the reactor vessel and (for some reactor designs) could prevent the core debris from melting through the bottom vessel head. This would prevent ex-vessel core debris interactions, and the environmental consequences of the accident would be significantly reduced. Second, even if the core debris does melt through the vessel head, it could be cooled by the water in the cavity and, if a coolable debris bed is formed, the potential for core-concrete interactions would be eliminated. Although a flooded cavity has obvious advantages, some of the potential adverse effects discussed in Section B.2.5.1 need to be considered before implementing containment flooding strategies.

Question 12 - Is reactor vessel breach prevented?

This question deals with the likelihood of preventing vessel breach by retaining the core debris in the reactor vessel. This could be achieved in two ways--namely, by restoration of in-vessel coolant injection (positive response to Question 7) or by externally cooling the lower head of the vessel (positive response to Question 11).

Accidents in which in-vessel coolant is restored within a certain time frame after the start of core damage can arrest the accident progression without vessel breach. For these accidents, subsequent questions related to containment failure at vessel breach are not pertinent. For a typical U.S. pressurized water reactor design, credit for in-vessel arresting of the accidents has been given for cases where water flow is restored within 30 minutes of the onset of the core damage. If cooling is restored within 30 minutes, the probability of successful arrest was assumed to be 1.0. A similar time frame appropriate for VVERs, based on core heatup characteristics and the potential for core coolability, should be developed.

The likelihood of preventing vessel breach by cavity flooding depends on several factors, such as the pressure in the primary system, the configuration of the cavity, the extent of submergence of the reactor vessel, and easy access of water to the bottom of the reactor vessel. Under high RCS pressure circumstances, due to pressure and thermal loading, it is likely that vessel breach cannot be prevented by cavity flooding.

Under low RCS pressure circumstances, the likelihood of preventing vessel breach by external flooding can be evaluated by determining the thermal load distribution on the inside boundary of the lower head, the critical heat flux limitation on the outside boundary of the lower head (which is affected by the insulation), and the structural integrity of the lower head when subjected to static and dynamic loads (i.e., fuel-coolant interactions). Detailed discussions and application of ROAAM to this issue for the Loviisa Nuclear Plant (VVER-440) in Finland and an advanced U.S. light water reactor (AP600) design can be found elsewhere (Tuomisto and Theofanous, 1994; and Theofanous et al., 1995). Some ideas to enhance the assessment basis as well as performance in this respect for application to larger and/or higher power density reactors are also provided by Theofanous et al. (1995).

Question 13 - Does containment fail at vessel breach?

The likelihood of containment failure at vessel breach depends on several factors, such as the pressure in the primary system, the amount and temperature of the core debris exiting the vessel, the size of the hole in the vessel, the amount of water in the cavity, the configuration of the cavity, and the structural capability of the containment building. Attachment 1 identifies the pressure in the RCS as the most important consideration for assessing the likelihood of containment failure at vessel breach. Therefore, this question depends heavily on the response to Question 6.

Low-Pressure Sequences

Under low RCS pressure circumstances, various mechanisms could challenge containment integrity. These include rapid steam generation caused by core debris contacting water in the cavity and hydrogen combustion. Again, scoping calculations can be performed to calculate bounding estimates of the pressure loads under these circumstances. These bounding pressure loads can be compared to the capacity of the containment building to determine the likelihood of failure. However, it is unlikely that these bounding pressure loads will exceed the ultimate capacity of the Kalinin containment. The probability of containment failure conditional on a low-pressure accident sequence is, therefore, expected to be relatively low (approximately 0.01) and driven by remote events, such as energetic fuel-coolant interactions of sufficient magnitude to project missiles through the containment structure. A recent report (Basu and Ginsberg, 1996) of a steam explosion review group presents an updated assessment of the likelihood of an in-vessel steam explosion causing containment failure. This report can be used as a basis for quantifying the CET.

High-Pressure Sequences

The most important failure mechanisms for high-pressure core meltdown sequences are associated with high-pressure melt ejection.
Ejection of the core debris at high pressure can cause the core debris to form fine particles that can directly heat the containment atmosphere (i.e., direct containment heating [DCH]) and cause rapid pressure spikes. During high-pressure melt ejection, the hot particles could also ignite any combustible gases in containment, thereby adding to the pressure pulse. The potential for DCH to cause containment failure depends on several factors, such as the primary system pressure, the size of the opening in the vessel, the temperature and composition of the core debris exiting the vessel, the amount of water in the cavity, and the dispersive characteristics of the reactor cavity.

Simple bounding calculations for high-pressure sequences are unlikely to be conclusive (i.e., they will almost certainly exceed the ultimate capability of the containment). Therefore, a more detailed analysis of this failure mechanism is needed. Discussions on application of ROAAM to this issue are reported in The Probability of Containment Failure by Direct Containment Heating in Zion, and its supplement (Pilch, Yan, and Theofanous, 1994). The basic understanding upon which the approach to quantification of DCH loads is based is that intermediate compartments trap most of the debris dispersed from the reactor cavity and that the thermal-chemical interactions during this dispersal process are limited by the incoherence in the steam blowdown and melt entrainment processes. With this understanding, it is possible to reduce most of the complexity of the DCH phenomena to a single parameter: the ratio of the melt entrainment time constant to the system blowdown time constant, which is referred to as the coherence ratio.

DCH loads also depend on parameters that characterize the system initial conditions: primary system pressure, temperature and composition (i.e., hydrogen mole fraction), melt quantity and composition (i.e., zirconium and stainless steel mass fraction), and initial containment pressure and composition. The key component of the framework, therefore, is the causal relations between these parameters and the resulting containment pressure (and temperature). Of these parameters, some are fixed, some vary over a narrow range, and some are so uncertain that they can be approached only in a very bounding sense.

Plant-specific analyses should be performed to quantify the probability density functions for the initial melt parameters. However, sequence uncertainties can be enveloped by a small number of splinter scenarios without assignment of probability. These distribution functions, combined with a two-cell equilibrium model for containment, can be used to obtain a probability density function for the peak containment pressure. The resulting distribution for peak containment pressure is then combined with fragility curves (probabilistically distributed themselves) for the containment structure to obtain a probability distribution of the failure frequency (Pilch et al., 1996). NUREG/CR-6338 (Pilch et al., 1996) provides further discussion on how the methodology and scenarios described in (Pilch, Yan, and Theofanous, 1994) were used to address the DCH issue for 34 Westinghouse plants with large volume containments. This report could be helpful for extrapolating the approach to a VVER containment.
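The two steps the appendix describes for a pressure-driven failure mode, the bounding load-versus-capacity screen of Question 9 and the combination of a peak-pressure distribution with a fragility curve (Questions 9 and 13), can be written out as a short calculation. The script below is an added example written for this page; it is not code from the appendix, from NUREG/CR-6338, or from the ROAAM framework. The only figure taken from the text is the rule of thumb that ultimate capacity is 2.5 to 3 times design pressure; the lognormal shape of both curves, the design pressure of 0.4 (MPa, for illustration), the uncertainty parameter beta, the sampled load distribution standing in for a ROAAM-style peak-pressure result, and the 0.9 screening margin are all constructed assumptions.

```python
import math
import random

# Added example, not from the appendix. Pressures are in MPa (absolute) purely
# for illustration; every numeric value below is constructed.


def lognormal_cdf(x, median, beta):
    """CDF of a lognormal variable with the given median and logarithmic
    standard deviation beta."""
    if x <= 0.0:
        return 0.0
    return 0.5 * (1.0 + math.erf(math.log(x / median) / (beta * math.sqrt(2.0))))


def fragility(pressure, design_pressure, capacity_factor=2.75, beta=0.2):
    """Fragility curve: probability that the containment has failed at or below
    `pressure`. The median ultimate capacity is taken as capacity_factor times
    the design pressure (the appendix quotes 2.5 to 3 times); beta expresses
    the uncertainty in that capacity and is an assumed value."""
    return lognormal_cdf(pressure, capacity_factor * design_pressure, beta)


def needs_detailed_analysis(bounding_load, design_pressure, capacity_factor=2.5, margin=0.9):
    """Question 9 screening step: compare a bounding (adiabatic) load against the
    ultimate capacity. Returns False when the load is comfortably below capacity
    (conditional failure probability via this mechanism taken as zero) and True
    when it is close to or above it. The 0.9 margin is an assumption."""
    return bounding_load >= margin * capacity_factor * design_pressure


def sample_peak_pressure(n, median, beta, seed=1):
    """Constructed stand-in for the peak-pressure distribution that a ROAAM-style
    analysis would produce: lognormal samples around `median`."""
    rng = random.Random(seed)
    return [median * math.exp(beta * rng.gauss(0.0, 1.0)) for _ in range(n)]


def conditional_failure_probability(load_samples, design_pressure, **fragility_kw):
    """Combine the load distribution with the fragility curve:
    P(fail) = E_load[ fragility(load) ], i.e. the integral of the load density
    times the fragility curve, estimated by averaging over the samples."""
    total = sum(fragility(p, design_pressure, **fragility_kw) for p in load_samples)
    return total / len(load_samples)


def failure_probability_spread(load_samples, design_pressure,
                               capacity_factors=(2.5, 2.75, 3.0), betas=(0.1, 0.2, 0.3)):
    """The fragility curve is itself uncertain; evaluating a family of curves gives
    a spread of conditional failure probabilities rather than one number."""
    return [conditional_failure_probability(load_samples, design_pressure,
                                            capacity_factor=c, beta=b)
            for c in capacity_factors for b in betas]


if __name__ == "__main__":
    design_p = 0.4                      # constructed design pressure, MPa
    loads = sample_peak_pressure(20000, median=0.8, beta=0.25)
    print("bounding load needs detailed analysis:", needs_detailed_analysis(max(loads), design_p))
    print("conditional failure probability:", round(conditional_failure_probability(loads, design_p), 4))
    spread = failure_probability_spread(loads, design_p)
    print("spread over fragility family:", round(min(spread), 4), "to", round(max(spread), 4))
```

The screen uses the lower end of the quoted capacity range so that a load is only dismissed when it is below even a conservative capacity estimate; the probabilistic step then reports a band of failure probabilities across the family of fragility curves, which is the form in which the appendix says the fragility uncertainty should enter the CET quantification.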
Question 14 - Do the sprays actuate or continue to operate after vessel breach?

This question depends in part on the information in the PDS but is also influenced by accident management considerations. For some accident sequences, power is available and the sprays will continue to operate during recirculation. In other accident sequences, power will be restored and accident management strategies are needed to ensure the spray operation is restored in an appropriate manner. Section B.2.5.1 provides guidance on developing accident management strategies for spray operation.

Question 15 - Is the core debris in a coolable configuration?

This question addresses the likelihood of coolability of the core debris released into the reactor cavity. Coolability of the core debris requires that the cavity region under the vessel be flooded (response to Question 11) and that the molten core materials are fragmented into particles of sufficient size to form a coolable configuration. Debris bed coolability is an important issue because if the debris forms a coolable geometry, the only source for containment pressurization will be the generation of steam from boiloff of the overlying water. Under these circumstances, if containment heat removal systems are available, then late containment failure would be prevented. Even in the absence of containment heat removal, pressurization from water boiloff is a relatively slow process and would result in very late containment failure, allowing time for remedial actions. Furthermore, a coolable debris geometry would limit penetration of the core debris into the basemat and thus prevent this potential failure mode. This, in turn, limits CCIs and prevents radionuclide releases from the core debris (i.e., no ex-vessel fission product release).

There is, however, a significant likelihood that, even if a water supply is available, the core debris will not be coolable and, therefore, will attack the concrete basemat. Under these circumstances, noncondensible gases would be released in addition to steam and add to containment pressurization. Also, if significant CCI occurs, the core debris could penetrate the basemat (depending on the thickness of the concrete) and ex-vessel radionuclide release will occur.

Formation of a coolable debris bed depends on several factors, such as the mode of contact between the core debris and water, the size distribution of the core debris particles, the depth of the debris bed, and the water pool. As a general rule, unless the debris bed is calculated to be thin, both a coolable and noncoolable configuration should be considered for the purposes of CET quantification.

Question 16 - Does containment fail late?

This question deals with the likelihood of containment failure long after vessel breach. The likelihood and timing of the late containment failure depends on the presence of water in the cavity (response to Question 11), core debris coolability (response to Question 15), and the availability of containment heat removal systems (response to Question 14). Each possible combination of responses is discussed below.

Dry Cavity

If the cavity is dry, the core debris will in general not be coolable and Question 15 is irrelevant. Extensive CCI will occur and noncondensible gases, steam and radionuclides will be released to containment. Containment pressurization rates can be obtained by simplified energy balance calculations assuming bounding values. In addition, combustible gases (H2 and CO) will also be released during CCI and could result in combustion events. The impact of combustion can be evaluated in a manner similar to the approach discussed in Question 9. Furthermore, the likelihood of basemat penetration resulting from CCI should also be evaluated for the dry cavity case. The projected consequences of basemat meltthrough are, however, relatively minor compared with an above-ground failure of the containment that might be caused earlier by a combustion event or high-pressure loads.

Flooded Cavity

If the cavity is flooded, then the response to Question 15 (core debris coolability) is very important to CET quantification. Each possibility is discussed below.

Core debris coolable. If the core debris is coolable, CCI does not occur and all of the decay heat goes into boiling water. If the containment heat removal systems are operating, then late containment failure by overpressurization will be prevented. Also, penetration of the basemat by the core debris will be prevented. If the containment heat removal systems are not operating, then containment failure will eventually occur unless remedial actions are taken.

Core debris uncoolable. If the core debris is not coolable, CCI will occur and the impact of noncondensible and combustion gases will have to be taken into account for CET quantification. In addition, the potential for basemat meltthrough will also have to be assessed.
B.2.3 Release Categorization

The CET analysis generates conditional probabilities for a large number of end states (i.e., potential ways in which radioactivity could be released to the environment). Some of these end states are either identical or similar, in terms of key radionuclide release characteristics. These end states are, therefore, grouped to a smaller number of release categories.

These release categories, which are often referred to as release bins or source term bins, should be defined on the basis of appropriate attributes that affect radiological releases and potential offsite consequences. These attributes are plant specific but should include:

* timing and size of containment failure or bypass
* operation of sprays (if operating, what is the spray duration time)
* whether or not the core debris is flooded (if flooded, is a coolable debris bed formed)
* whether or not the RCS is depressurized prior to vessel breach
* whether or not vessel breach is prevented (if vessel breach is prevented, ex-vessel release is also prevented)
* whether or not the break location is above or below ground level
* whether or not the break location is under water for bypass events.

B.2.4 Source Term Analysis

The magnitude and composition of radioactive materials released to the environment and the associated energy content, time, release elevation, and duration of release are collectively termed the source term. The source term analysis tracks the release and transport of the radioactive materials from the core, through the RCS, then to the containment and other buildings, and finally into the environment. The removal and retention of radioactive materials by natural processes, such as deposition on surfaces, and by engineered safety systems, such as sprays, are accounted for in each location.
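The grouping of CET end states into release bins (Section B.2.3) and the stage-by-stage source term (Section B.2.4, where the text recommends a parametric product of release fractions and transmission factors after NUREG/CR-5747) can be shown together on a toy event tree. The script below is an added example written for this page, not code from the appendix or from NUREG/CR-5747. The six questions are a hypothetical subset of the Table B-2 questions, and every branch probability, release fraction and transmission factor is a constructed number chosen only so that the structure is visible: a question that is not a bin attribute (steam generator heat removal, Question 5) doubles the end-state count without changing the bin count, and the bin attributes then select the transmission factors of the source term.

```python
# Added example (not from the appendix or from NUREG/CR-5747): a toy containment
# event tree whose end states are grouped into release bins by the attributes
# listed in Section B.2.3, plus a parametric source term for each bin built as
# a product of release fractions and transmission factors. Every number here is
# constructed for illustration only.

# CET questions in tree order (hypothetical subset of the Table B-2 questions).
QUESTIONS = ("sg_heat_removal", "sprays_early", "rcs_depressurized",
             "vessel_breach_prevented", "containment_fails_early",
             "containment_fails_late")


def branch_probability(question, answers):
    """Constructed conditional 'yes' probability for each question, given the
    answers to the questions above it in the tree."""
    if question == "sg_heat_removal":
        return 0.6
    if question == "sprays_early":
        return 0.7
    if question == "rcs_depressurized":
        # depressurization is more likely when SG heat removal is available (Q5 -> Q6)
        return 0.8 if answers["sg_heat_removal"] else 0.3
    if question == "vessel_breach_prevented":
        # external cooling or injection is only credited at low RCS pressure
        return 0.3 if answers["rcs_depressurized"] else 0.0
    if question == "containment_fails_early":
        if answers["vessel_breach_prevented"]:
            return 0.0
        return 0.01 if answers["rcs_depressurized"] else 0.2  # DCH dominates at high pressure
    if question == "containment_fails_late":
        if answers["vessel_breach_prevented"] or answers["containment_fails_early"]:
            return 0.0
        return 0.05 if answers["sprays_early"] else 0.5
    raise ValueError(question)


def enumerate_end_states(prob=1.0, answers=None, depth=0):
    """Walk the tree and return every end state with its conditional probability;
    zero-probability branches are pruned."""
    answers = {} if answers is None else answers
    if depth == len(QUESTIONS):
        return [{"answers": dict(answers), "probability": prob}]
    q = QUESTIONS[depth]
    p_yes = branch_probability(q, answers)
    out = []
    for answer, p in ((True, p_yes), (False, 1.0 - p_yes)):
        if p > 0.0:
            answers[q] = answer
            out.extend(enumerate_end_states(prob * p, answers, depth + 1))
            del answers[q]
    return out


def release_bin_key(answers):
    """Release-bin attributes (Section B.2.3) derived from the end-state answers:
    failure timing, spray operation, RCS depressurization, vessel breach prevented."""
    if answers["containment_fails_early"]:
        timing = "early"
    elif answers["containment_fails_late"]:
        timing = "late"
    else:
        timing = "none"
    return (timing, answers["sprays_early"], answers["rcs_depressurized"],
            answers["vessel_breach_prevented"])


def group_into_release_bins(end_states):
    """Sum the conditional probabilities of end states sharing the same attributes."""
    bins = {}
    for es in end_states:
        key = release_bin_key(es["answers"])
        bins[key] = bins.get(key, 0.0) + es["probability"]
    return bins


def environmental_release_fraction(release_from_fuel, transmission_factors):
    """Parametric source term for one radionuclide group: release fraction from
    the fuel times the transmission factor of each successive stage
    (RCS, containment, other buildings)."""
    fraction = release_from_fuel
    for t in transmission_factors:
        fraction *= t
    return fraction


def source_term_for_bin(key, release_from_fuel=0.8):
    """Constructed transmission factors for a volatile group, selected by the
    bin attributes (sprays and a retained vessel reduce what reaches the environment)."""
    timing, sprays, _, vessel_breach_prevented = key
    rcs_factor = 0.5
    if timing == "none":
        containment_factor = 0.001          # design leakage only
    elif timing == "late":
        containment_factor = 0.05 if sprays else 0.2
    else:
        containment_factor = 0.3 if sprays else 0.6
    if vessel_breach_prevented:
        containment_factor *= 0.5           # no ex-vessel contribution (constructed)
    return environmental_release_fraction(release_from_fuel, [rcs_factor, containment_factor])


if __name__ == "__main__":
    states = enumerate_end_states()
    bins = group_into_release_bins(states)
    print(len(states), "end states ->", len(bins), "release bins")
    for key, p in sorted(bins.items(), key=lambda kv: -kv[1]):
        print(key, round(p, 4), "release fraction", source_term_for_bin(key))
```

Because each bin carries both a conditional probability and a source term, the output is the pair the appendix says the integrated results should provide: accident progression groups with their frequency share and their release characteristics, which is the starting point for deciding which groups a management strategy should target.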
For the analysis of source terms, a simple parametric approach is recommended similar to that used in NUREG/CR-5747 (Nourbakhsh, 1993). This method describes source terms as the product of release fractions and transmission factors at successive stages in the accident progression. The parameters entering this source term formulation can be derived from existing databases supplemented by a few plant-specific code calculations (e.g., using the MELCOR code). Using the resulting simplified formulation, a set of source terms that will have a one-to-one correspondence with each of the source term categories (see Section B.2.3) can be obtained.

B.2.5 Development of Severe Accident Management Strategies

Severe accident management strategies consist of those actions that are taken during the course of an accident to prevent core damage, terminate core damage progression (and retain the core within the vessel), maintain containment integrity, and minimize offsite releases. Severe accident management strategies also involve preplanning and preparatory measures for severe accident management guidance and procedures, equipment and design modifications, and severe accident management training.

The assessment methodology discussed in Sections B.2.1 through B.2.5 provides a basis for the development and evaluation of potential plant-specific accident management strategies. The integrated results of procedural activities 1 to 5 (Figure B.2) will be a set of accident progression groups (release categories) with corresponding frequency and radionuclide release characteristics (source term). Potential accident management strategies can then be developed to reduce the frequency of (or eliminate) accident progression groups with large release concerns.

All accident recovery/management actions should remain consistent between the Level 1 PRA and the CET analyses. The recovery actions prior to initiation of core damage (prevention strategies) should be credited in the Level 1 PRA, while any actions beyond the initiation of core damage (post-core damage accident mitigation) should be evaluated as a part of the Level 2 PRA assessment.

The simplified containment event tree discussed in Section B.2.2 (refer to Table B-2) identified a number of opportunities for implementing accident management strategies. The severe accident management strategies identified are:

* spray or injection of water into containment (Questions 4, 11, and 14)
* RCS depressurization (Question 6)
* in-vessel water addition to a degraded core (Question 7)
* flooding the break location for bypass events (Question 10).

Careful evaluation of the feasibility and the relative advantages and disadvantages of each of these accident management strategies is needed prior to their implementation at any specific plant. Plant layout and geometry, the capacity and redundancy of emergency plant systems, as well as specific balance of plant features, can determine whether a particular strategy is feasible or makes sense under a certain accident scenario at a particular plant. For instance, containment pressure capability, areas for debris spreading, size of sumps, elevation of the reactor vessel, reactor cavity geometry and elevation, water storage tank capacities, flow rates of safety and nonsafety injection systems, and number of equipment trains are only a few of the items which will influence the decisions to be made at a specific site with regard to severe accident management. For further discussions on the results of severe accident management research and implementation, refer to the Organization for Economic Co-operation and Development report entitled Implementing Severe Accident Management in Nuclear Power Plants (OECD, 1996).

B.2.5.1 Spray or Injection of Water into Containment

The use of the spray system or other means to inject water into containment is a potential severe accident management strategy (Questions 4, 11, and 14) for all three time frames considered in the CET in Section B.2.2. Containment sprays can have a number of beneficial effects on severe accident progression. There are, however, a number of potentially adverse effects, which should be considered before implementing a containment spray strategy at a particular plant. The pros and cons associated with spray operation during a severe accident are described below for each potential strategy.
Controlling Containment AtmosphereContainment sprays can be used to cool anddepressurize the containment atmosphere andthus prevent overpressure failure of thecontainment. Sprays can also remove fission products from the containment atmosphere so thatif containment integrity is lost, the environ mentalsource term will be lower than it would otherwisehave been without the effect of sprays. A potential adverse effect of restoring containmentspray operation during the later stages of an accident is the deinerting of a previously steam-inerted atmosphere. This could produce conditions that would allow combustion of a large quantity ofhydrogen. Consequently, any strategy to restorecontainment spray operation late in an accident sequence should consider the impact of hydrogen
combustion.External Cooling of the Reactor VesselIn some containments, external flooding of thereactor vessel is feasible if sufficient water isinjected into containment. This would provide anexternal heat sink for the reactor vessel and could reduce the boiloff of the in-vessel coolant. In manydesigns, the vessel lower head could be protected via external flooding, and this external cooling could prevent or delay vessel failure. Bypreventing the core debris from melting through the Appendix B B-17vessel lower head, this accident managementstrategy would eliminate ex-vessel interactions between the core and water and/or concrete.A potential adverse effect associated with thisstrategy is that if vessel failure does occur, then accumulated water could interact with the moltencore debris. These fuel-coolant inter actions arelikely to be accompanied by rapid steam generationand additional hydrogen production. While theseinteractions could be energetic, they are unlikely tothreaten containment integrity. Nevertheless, the impact of fuel-coolant interactions should be considered prior to implementing a containment flooding strategy.Flooding Ex-Vessel Core DebrisIn some designs, adding or redistributing w ater tothe containment prior to vessel failure could protectagainst containment failure by such mechanisms as direct attack of the containment boundary or containment penetrations. If water is added after vessel failure and debris ejection, it can, dependingon the design, provide a heat sink for the debris and a water pool to scrub fission products.A potential adverse effect of this strategy is thesteam production resulting from the interaction ofsprayed or injected water with core debris. 
This interaction can be substantial depending on the water flow rate and the relative timing of water addition and debris arrival in the containment. The amount of steam generated by molten core debris entering a water pool depends on pool depth and on whether or not the debris is quenched. The threat posed by steam production to containment integrity depends strongly on the pre-existing containment pressure and on the status of containment heat removal mechanisms. In addition, if external water sources are sprayed or injected into the containment, water could accumulate and lead to flooding of vital containment areas, reducing or eliminating containment heat removal or, in some containments, the pressure suppression function.

B.2.5.2 Reactor Coolant System Depressurization

RCS depressurization (Question 6 in the CET) can be accomplished via relief valves or via heat removal through the SGs. Regardless of the method used, RCS depressurization provides many positive responses to severe accidents but may also involve some undesirable effects.

RCS depressurization increases the opportunity for injecting water into the RCS from a number of low-pressure sources. These include the designed low-pressure safety injection systems, accumulator tanks, and other, unconventional sources such as fire water systems. Besides providing the opportunity for additional injection sources, RCS depressurization reduces the stress on the entire RCS and thus reduces the likelihood of unintentional failure of this fission product barrier, including containment bypass via SGTR. Depressurization will also reduce the natural circulation flows in the reactor pressure vessel and steam generator tubes, thereby reducing thermal loads in both components. Depressurization also decreases the driving potential for high-pressure melt ejection if the core debris eventually melts through the vessel head.

On the negative side, depressurization through the relief valves will increase the rate at which hydrogen is discharged into the containment and could, depending on the depressurization rate, increase core oxidation and degradation. Also, if the RCS pressure is reduced, the potential for triggering energetic in-vessel fuel-coolant interactions is increased, but it is considered unlikely that such energetic interactions would fail the reactor pressure vessel. Depressurization via the relief valves would increase the flow of fission products into the containment and reduce the time available for deposition of fission products in the RCS. For a containment with an isolation failure, depressurization of the RCS would increase containment pressure and lead to larger flows through the isolation breach. For a bypassed containment, RCS depressurization would decrease the flow through the bypass failure.

If RCS depressurization is accomplished via steam generator heat removal, then special consideration must be given to protecting steam generator tube integrity. Depressurizing the secondary side will tend to increase the pressure difference across the steam generator tubes and therefore could lead to a tube failure or enlarge an already existing leak. This is especially true after core melt has occurred and the SG tubes are at high temperature. Also, since SG depressurization will increase the heat transfer in the tubes, hydrogen may concentrate there, impairing the heat transfer process and limiting the amount of RCS depressurization achievable. Injection of water into the secondary side of the steam generators would be expected to occur as they depressurize. This would further increase the heat transfer from the primary to the secondary side and enhance RCS depressurization. However, injection of cold water on the secondary side would increase the thermal stresses on the SG tubes and could lead to rupture and containment bypass. This possibility decreases at higher water temperatures and lower flow rates. In addition, the presence of water on the secondary side would scrub fission products that have leaked from the primary to the secondary side.

B.2.5.3 In-Vessel Water Addition to a Degraded Core

Water addition to a degraded core may cool the core debris and lead to a safe, stable state. The consensus of the reactor safety community is that even if there are indications of a damaged reactor core, water should be injected when it becomes available. However, there may be a number of undesirable effects accompanying this action that plant personnel should be aware of and prepared for beforehand. These effects include the generation of steam and hydrogen, plus the possibility of the core materials returning to a critical state. The successful termination of the accident, as well as the extent and relative importance of the related phenomena, depend on the timing and rate of the water addition and on whether the water source is borated or unborated. During the early stages of core damage, large amounts of water would rapidly quench the overheated core. Some steam would be produced but would be unlikely to substantially pressurize the RCS or produce large amounts of hydrogen.
Smaller rates of water addition would lead to slower quenching; additional hydrogen would be generated, and embrittled fuel and cladding could be shattered. At very small rates of water addition, quenching may not be achieved, substantial hydrogen could be generated, and accident progression could be accelerated. For a badly damaged core that is still within the RCS, considerations similar to those above would also apply. However, whether even large water flow rates can quench the core debris will depend on the specific geometry of the reconfigured debris. Furthermore, if there is a compact debris bed, its porosity, and therefore its coolability, may be reduced by the eventual distillation of the boron or other materials in the water.

After the core debris has melted through the reactor vessel, water injected in-vessel would help to minimize fission product revaporization and cool debris remaining in the vessel. In addition, water flowing out of the break in the lower vessel head would help to cool debris in the reactor cavity and perhaps reduce containment gas temperatures. In the long term, this water could quench the debris and arrest CCI. Again, whether the ex-vessel debris would be quenched depends on the flow rate of the water and the configuration of the debris. Water would also help to scrub volatile and nonvolatile fission products released from the fuel.

Water addition to the ex-vessel core debris also has implications for containment integrity. Depending on the water flow rate, significant steam generation and consequent containment pressurization can result. Additional hydrogen generation within containment can take place. Continued injection into the containment from outside (i.e., not from normal emergency cooling system sources) may lead to flooding of containment areas where critical equipment resides. The fact that different water flow rates can lead to a decrease (because of quenching and termination of steam generation) or an increase (because of steam and hydrogen production and gas space compression) in containment pressure has particular significance for an unisolated or bypassed containment.

B.2.5.4 Flooding the Break Location for Bypass Events

This severe accident management action is aimed at providing fission product scrubbing. A water source, such as service water, could be used if the break location can be identified and a connection to the water system is available. An adverse effect of this strategy is that flooding could impact the operation of equipment located near the site of the break.

B.3 Products

In general, sufficient information should be provided in the documentation to allow an independent analyst to reproduce the results. At a minimum, the following should be provided:

* a thorough description of the procedure used to group (bin) individual accident cutsets into PDSs, or another reduced set of accident scenarios for detailed Level 2 analysis,
* a listing of the specific attributes or rules used to group cutsets, and
* a listing and/or computerized database providing a cross reference from cutsets to PDSs and vice versa.
Documentation of containment system performance assessments should include a description of the information used to develop containment systems analysis models and link them with other system reliability models. This documentation should be prepared in the same manner as that generated in the Level 1 analysis of other systems.

Documentation of analyses of severe accident progression should include the following:

* a description of plant-specific accident simulation models, including extensive references to source documentation for input data,
* a listing of all computer code calculations performed and used as a basis for quantifying any event in the containment probabilistic logic model, including a unique calculation identifier or name, a description of key modeling assumptions or input data used, and a reference to documentation of calculated results (if input and/or output data are archived for quality assurance records or other purposes, an appropriate reference to calculation archive records is also provided),
* a description of key modeling assumptions selected as the basis for performing base case or best estimate calculations of plant response and a description of the technical bases for these assumptions,
* a description of plant-specific calculations performed to examine the effects of alternate modeling approaches or assumptions,
* if analyses of a surrogate (i.e., similar) plant are used as a basis for characterizing any aspect of severe accident progression in the plant being analyzed, references to, or copies of, documentation of the original analysis, and a description of the technical basis for assuring the applicability of the results, and
* for all other original engineering calculations, a sufficiently complete description of the analysis method, assumptions, and calculated results to accommodate an independent (peer) review.

In general, sufficient information is provided in the documentation of analyses performed to establish quantitative containment performance limits to allow an independent analyst to reproduce the results. At a minimum, the following information is documented for a PRA:

* a general description of the containment structure, including illustrative figures to indicate the general configuration, penetration types and locations, and major construction materials,
* a description of the modeling approach used to calculate or otherwise define containment failure criteria,
* if computer models are used (e.g., finite element analysis to establish overpressure failure criteria), a description of the way in which the containment structure is nodalized, including a specific discussion of how local discontinuities, such as penetrations, are addressed, and
* if experimentally determined failure data are used, a sufficiently detailed description of the experimental conditions to demonstrate applicability of the results to plant-specific containment structures.

The following documentation is generated to provide the results and describe the process by which the conditional probability of containment failure is calculated:

* tabulated conditional probabilities of the various containment failure modes, with specific characterization of the time phases of severe accident progression (e.g., early vs. late containment failure),
* a listing and description of the structure of the overall logic model used to assemble the probabilistic representation of containment performance (graphical displays of event trees, fault trees, or other logic formats are provided to illustrate the logic hierarchy and event dependencies),
* a description of the technical basis (with complete references to documentation of original engineering analyses) for the assignment of all probabilities or probability distributions within the logic structure,
* a description of the rationale used to assign probability values to phenomena or events involving subjective expert judgment, and
* a description of the computer program used to exercise the logic model and calculate final results.

Documentation of analyses performed to characterize radiological source terms should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented in a PRA:

* the radionuclide grouping scheme used and the assumptions made to obtain it, clearly described,
* the time periods considered for the release and the rationale for the choices made,
* a summary of all computer code calculations used as the basis for estimating plant-specific source terms for selected accident sequences, specifically identifying those with potential for large releases,
* a description of the modeling methods used to perform plant-specific source term calculations, including a description of the method by which source terms are assigned to accident sequences for which computer code calculations were not performed, and
* if analyses of a surrogate (i.e., similar) plant are used as a basis for characterizing any aspect of radionuclide release, transport, or deposition in the plant being analyzed, references to, or copies of, documentation of the original analysis, and a description of the technical basis for assuming applicability of the results.
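The cutset-to-PDS binning and two-way cross reference called for at the start of B.3, and the tabulated conditional containment failure probabilities by time phase (early vs. late) described above, can be made concrete in a few dozen lines. The following is an added example (Python), not code from this document or from any plant PRA: the cutset attributes, the binning rule (the PDS is the tuple of attributes that drive the CET), and the CET branch probabilities are all assumed for illustration.

```python
"""Toy Level 2 bookkeeping: bin Level 1 cutsets into plant damage states
(PDSs), keep a two-way cutset<->PDS cross reference, and push each PDS
through a small containment event tree (CET) to get conditional
probabilities of early, late, bypass and no containment failure.

All attribute names, binning rules and branch probabilities below are
assumptions for illustration, not values from any plant PRA."""
from collections import defaultdict

# Constructed Level 1 output: (cutset id, frequency per year, attributes).
CUTSETS = [
    ("SBO-1",   2.0e-6, {"rcs_pressure": "high", "isolation": "ok",     "chr": "failed"}),
    ("SBO-2",   1.0e-6, {"rcs_pressure": "high", "isolation": "ok",     "chr": "failed"}),
    ("LLOCA-1", 5.0e-7, {"rcs_pressure": "low",  "isolation": "ok",     "chr": "ok"}),
    ("SLOCA-1", 3.0e-7, {"rcs_pressure": "low",  "isolation": "failed", "chr": "ok"}),
    ("SGTR-1",  1.0e-7, {"rcs_pressure": "high", "isolation": "bypass", "chr": "ok"}),
]

# Binning rule (assumed): the PDS is the tuple of the attributes the CET questions use.
PDS_ATTRIBUTES = ("rcs_pressure", "isolation", "chr")


def bin_cutsets(cutsets):
    """Return (forward, reverse, pds_freq):
    cutset id -> PDS, PDS -> [cutset ids], PDS -> summed frequency."""
    forward, reverse, freq = {}, defaultdict(list), defaultdict(float)
    for cid, f, attrs in cutsets:
        missing = [a for a in PDS_ATTRIBUTES if a not in attrs]
        if missing:  # an unbinnable cutset is a documentation gap, not something to default silently
            raise ValueError(f"{cid}: missing binning attributes {missing}")
        pds = tuple(attrs[a] for a in PDS_ATTRIBUTES)
        forward[cid] = pds
        reverse[pds].append(cid)
        freq[pds] += f
    return forward, dict(reverse), dict(freq)


# Assumed CET branch probabilities (Question 6 style: is the RCS depressurized before vessel failure?).
P_DEPRESSURIZE = 0.5   # high-pressure RCS is depressurized (relief valves / SG heat removal) in time
P_VESSEL_FAIL  = 0.9   # in-vessel recovery fails and the lower head is breached
P_EARLY_HP     = 0.1   # early failure (e.g. DCH loads) given vessel failure at high pressure
P_EARLY_LP     = 0.01  # early failure given vessel failure at low pressure
P_LATE_NO_CHR  = 0.8   # late overpressure failure given no containment heat removal


def quantify_cet(pds):
    """Conditional probabilities {bypass, early, late, none} of containment end states for one PDS."""
    rcs, isolation, chr_ = pds
    if isolation == "bypass":      # containment bypassed from the start (e.g. SGTR)
        return {"bypass": 1.0, "early": 0.0, "late": 0.0, "none": 0.0}
    if isolation == "failed":      # containment already open: counted as an early release
        return {"bypass": 0.0, "early": 1.0, "late": 0.0, "none": 0.0}
    p_high_at_vf = (1.0 - P_DEPRESSURIZE) if rcs == "high" else 0.0
    p_early = P_VESSEL_FAIL * (p_high_at_vf * P_EARLY_HP + (1.0 - p_high_at_vf) * P_EARLY_LP)
    p_late = (1.0 - p_early) * (P_LATE_NO_CHR if chr_ == "failed" else 0.0)
    return {"bypass": 0.0, "early": p_early, "late": p_late, "none": 1.0 - p_early - p_late}


def release_frequencies(cutsets):
    """Frequency-weighted end states across all PDSs (the numbers a Level 2 summary table reports)."""
    _, _, freq = bin_cutsets(cutsets)
    totals = defaultdict(float)
    for pds, f in freq.items():
        for end_state, p in quantify_cet(pds).items():
            totals[end_state] += f * p
    return dict(totals)


if __name__ == "__main__":
    forward, reverse, freq = bin_cutsets(CUTSETS)
    for pds in freq:
        print(pds, "<-", reverse[pds], freq[pds], quantify_cet(pds))
    print(release_frequencies(CUTSETS))
```

The reverse map is what an independent analyst needs to trace a PDS back to the cutsets that feed it, and raising on a cutset that lacks a binning attribute turns a documentation gap into a visible error rather than a silent default bin.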
In addition, a description of the method by which uncertainties in source terms are addressed should be documented for a quality PRA.

B.4 References

Basu, S., and T. Ginsberg, A Reassessment of the Potential for an Alpha-Mode Containment Failure and a Review of the Current Understanding of Broader Fuel-Coolant Interaction Issues, NUREG-1524, U.S. Nuclear Regulatory Commission, August 1996.

Benedick, W. B., J. C. Cummings, and P. G. Prassinos, Combustion of Hydrogen:Air Mixtures in the VGES Cylindrical Tank, NUREG/CR-3273, Sandia National Laboratories, 1984.

Benedick, W. B., J. C. Cummings, and P. G. Prassinos, Experimental Results from Combustion of Hydrogen:Air Mixtures in an Intermediate-Scale Tank, Proceedings of the Second International Conference on the Impact of Hydrogen on Water Reactor Safety, NUREG/CP-0038, Sandia National Laboratories, 1982.

Breeding, R. J., et al., Evaluation of Severe Accident Risks: Quantification of Major Input Parameters, Experts' Determination of Structural Response Issues, NUREG/CR-4551, Volume 2, Part 3, Sandia National Laboratories, October 1990.

Kumar, R. K., H. Tamm, and W. C. Harrison, Intermediate-Scale Combustion Studies of Hydrogen-Air-Steam Mixtures, EPRI NP-2955, Electric Power Research Institute, 1984.

Marshall, B. W., Hydrogen:Air:Steam Flammability Limits and Combustion Characteristics in the FITS Vessel, NUREG/CR-3468, Sandia National Laboratories, 1986.

Nourbakhsh, H. P., Estimate of Radionuclide Release Characteristics into Containment Under Severe Accident Conditions, NUREG/CR-5747, Brookhaven National Laboratory, November 1993.

OECD, Implementing Severe Accident Management in Nuclear Power Plants, Organisation for Economic Co-operation and Development, Nuclear Energy Agency, 1996.

Pilch, M. M., et al., Resolution of the Direct Containment Heating Issue for All Westinghouse Plants with Large Dry Containment or Subatmospheric Containment, NUREG/CR-6338, Sandia National Laboratories, February 1996.

Pilch, M. M., H. Yan, and T. G. Theofanous, The Probability of Containment Failure by Direct Containment Heating in Zion, NUREG/CR-6075, Sandia National Laboratories, 1994.

Theofanous, T. G., et al., In-Vessel Coolability and Retention of Core Melt, DOE/ID-10460, July 1995.

Theofanous, T. G., Dealing with Phenomenological Uncertainty in Risk Analysis, Workshop I in Advanced Topics in Reliability and Risk Analysis, Annapolis, MD, October 20-22, 1993, NUREG/CP-0138, October 1994.

Thomson, R. T., Large-Scale Hydrogen Combustion Experiments, Volume 1: Methodology and Results, EPRI NP-3878, Electric Power Research Institute, October 1988.

Torok, R., et al., Hydrogen Combustion and Control Studies in Intermediate Scale, EPRI NP-2953, Electric Power Research Institute, 1983.

Tuomisto, H., and T. G. Theofanous, A Consistent Approach to Severe Accident Management, Nuclear Engineering and Design, 148, 171-183, 1994.

Wong, C. C., HECTR Analysis of Nevada Test Site (NTS) Premixed Combustion Experiments, SAND87-0956, Sandia National Laboratories, 1987.
ATTACHMENT 1
GUIDANCE ON THE EXAMINATION OF CONTAINMENT SYSTEM PERFORMANCE

INTRODUCTION

This appendix discusses the key phenomena and/or processes that can take place during the evolution of a severe accident and that can have an important effect on containment behavior. In addition, general guidance on the evaluation of containment system performance, given the present state of the art of analysis of these phenomena, is provided. The evaluation should be a pragmatic exploitation of the present containment capability. It should give an understanding and appreciation of severe accident behavior, should recognize the role of mitigating systems, and should ultimately result in the development of accident management procedures that could both prevent and ameliorate the consequences of some of the more probable severe accident sequences involved. The information provided here summarizes some more recent developments in core melt phenomenology relevant to containment performance, identifies areas of uncertainty, suggests ways of proceeding with the evaluation of containment performance despite uncertainties, and suggests potential ways of improving containment performance for severe accident challenges.

The systems analysis portion of the probabilistic risk assessment (PRA) identifies accident sequences that occur as a result of an initiating event followed by failure of various systems or failure of plant personnel to respond correctly to the accident. Although the number of possible core melt accident sequences is very large, the number of containment system performance analyses does not have to be as large. The number of sequences can be reduced by grouping those accident sequences that have a similar effect on the plant features that determine the release and transport of fission products.

STATUS OF CONTAINMENT SYSTEMS PRIOR TO VESSEL FAILURE

In order to examine containment performance, the status of the containment systems and related equipment prior to core melt should be determined. This requires analyses of (1) the pathways that could significantly contribute to containment isolation failure, (2) the signals required to automatically isolate each penetration, (3) the potential for generating those signals for all initiating events, (4) the testing and maintenance procedures, and (5) the quantification of each containment isolation failure mode (including common mode failures).

In the early phase of an accident, steam and combustible gases are the main contributors to containment pressurization. The objective of the containment decay heat removal systems, such as sprays, fan coolers, and the suppression systems, is to control the evolution of accidents that would otherwise lead to containment failure and the release of fission products to the environs. The effectiveness of the several containment decay heat removal systems in accomplishing the intended mitigating function should be examined to determine the probability of successful performance under accident conditions. This includes potential intersystem dependencies as well as the identification of all the specific functions being performed and the determination of the mission time, considering potential failure due to inventory depletion (coolant, control air, and control power) or environmental conditions. If, as a result of the accident sequence, the frontline containment decay heat removal systems fail to function, if their effectiveness is degraded, or if the operator fails to respond in a timely manner to the accident symptoms, the containment pressure would continue to increase. In this case, some systems that were not intended to perform a safety function might be called upon to perform that role during an accident. If the use of such systems is considered during the examination, their effectiveness and probability of success in fulfilling the needed safety function should also be examined. Part of the examination should be to determine if adequate procedures exist to ensure the effective implementation of the appropriate operator actions.

PHENOMENA AFTER VESSEL FAILURE

If adequate heat removal capability does not exist in a particular accident sequence, the core will degrade and the containment could potentially overpressurize and eventually fail. Efforts to stabilize the core before reactor vessel failure or to extend the time available for vessel reflood should be investigated. For certain accident groups that proceed past vessel failure, the containment pressurization rate could exceed the capability of the mitigating systems to reject the energy associated with the severe accident phenomena encountered at vessel failure. In each such accident sequence, the molten core debris will relocate, melting through and mixing with materials in its path. Depending on the particular containment geometry and the accident sequence group, a variety of important phenomena influence the challenges to containment integrity.

The guidance provided below deals with this subject at three levels. The first provides some rather general considerations regarding the nature of these phenomena as they impact containment. The second level considers the manifestation of these phenomena in more detail within the generic high- and low-pressure scenarios. Finally, the third level provides some specific guidance, particularly regarding the treatment of certain important areas of uncertainty.
General Description of the Phenomena Associated with Severe Accident Considerations

The contact of molten corium with water, referred to as fuel-coolant interaction, can occur both in-vessel and ex-vessel. If the interaction is energetic inside the reactor vessel, it may generate missiles and a rapid pressurization (steam explosion) of the primary system. Early containment failure associated with in-vessel steam explosions (alpha-mode failure) is generally considered to be of low enough likelihood not to warrant additional consideration (Basu and Ginsberg, 1996). However, smaller, less energetic in-vessel steam explosions are not unlikely, and their influence on fission product release and hydrogen generation is still under investigation. If the fuel-coolant interaction occurs ex-vessel, as might happen if molten fuel fell into a water-filled cavity upon vessel meltthrough, it may disperse the corium and lead to rapid pressurization (steam spike) of the containment. In any case, at one extreme, the abundant presence of water would favor quenching of the corium mass, and the continued dissipation of the decay heat by steaming would lead to containment pressurization. Clearly, in the absence of external cooling, the containment will eventually overpressurize and fail, although the presence of extensive passive heat sinks (structures) within the containment volume would delay the occurrence of such an event. Fuel-coolant interactions can also yield a chemical reaction between steam and the metallic component of the melt, producing hydrogen and the consequent potential for burns and/or explosions.

At the other extreme, when water is not available, the principal interaction of the molten corium is with the concrete floor of the containment. This interaction produces three challenges to containment integrity. First, the concrete decomposition gives off noncondensible gases (CO2, CO) that contribute to pressurizing the containment atmosphere. Second, concrete of certain compositions decomposes and releases CO2 and steam, which can interact with the metallic components in the melt to yield highly flammable CO and H2, with potential consequences ranging from benign burns at relatively low hydrogen concentrations to rapid deflagrations at high hydrogen concentrations. Third, continued penetration of the floor can directly breach the containment boundary. Also, thermal attack by the molten corium on retaining sidewalls could produce structural failure within the containment, causing damage to vital systems and perhaps failure of the containment boundary.

Another type of fuel interaction is with the containment atmosphere. Scenarios can be postulated (e.g., station blackout) in which the reactor vessel and primary system remain at high pressure as the core is melting and relocating to the bottom of the vessel. Continued attack of the molten corium on the vessel lower head could eventually cause the lower head to fail. Because of a potentially high driving pressure, the molten corium could be energetically ejected from the vessel. Uncertainties remain related to the effect of the following on direct containment heating: (1) vessel failure area, (2) the amount of molten corium in the lower head at the time of failure, (3) the degree to which it fragments upon ejection, (4) the degree and extent to which a path from the lower cavity to the upper containment atmosphere is obstructed, (5) the fragmented molten corium that could enter and interact with the upper containment atmosphere, and (6) cavity gas temperature. Since the containment atmosphere has a small heat capacity, the energy in the fragmented corium could rapidly transfer to the containment atmosphere, causing a rapid pressurization. The severity of such an event could be further exacerbated by any hydrogen that may be simultaneously dispersed and by direct (exothermic) oxidation of any metallic components. Depending upon this and the other factors previously mentioned, this pressurization could challenge containment integrity early in the event.

Even with the above limited perspective, it should be clear that, given a core melt accident, a great deal of the phenomenological progression hinges upon water availability and the outcome of the fuel-coolant interactions, specifically whether a full quench has been achieved and whether the resulting particulates will remain coolable. In general, the presence of fine particulates to any significant degree would imply the occurrence of energetic steam explosions and hence the presence of significant forces that would be expected to disperse the particulates to coolable configurations outside the reactor cavity. Otherwise, the coolability of deep corium beds of coarse particulates is the major concern. A summary of how these mechanisms interface and interact as they integrate into an accident sequence is given below.

Accident Sequences: High-Pressure Scenario

The core melt sequence at high primary system pressure is often due to a station blackout sequence. The high-pressure scenario also represents one of the most significant contributors to risk. The initial stages of core degradation involve coolant boiloff and core heatup in a steam environment. At such high pressures, the volumetric heat capacity of steam is a significant fraction of that of water (about one third), and one should expect significant core (decay) energy redistribution due to natural circulation loops set up between the core and the remaining cooler components of the primary system. As a result of this energy redistribution, the primary system pressure boundary could fail prior to the occurrence of large-scale core melt. The location and the size of the failure, however, remain uncertain.
For example, concerns have been raised about the possibility of steam generator tube failures and associated containment bypass. If the vessel lower head fails, violent melt ejection could produce large-scale dispersal and the direct containment heating phenomenon mentioned previously. Concerns may also be raised about the potentially energetic role of hydrogen within the blowdown process. The presence of hydrogen arises from two complementary mechanisms: (1) the metal-water reaction occurring at an accelerated pace throughout the in-vessel core heatup/meltdown/slump portion of the transient and (2) the reaction between any remaining metallic components in the melt and the high-speed steam flow that partly overlaps and follows the melt ejection from the reactor vessel. The combined result is the release of rather large quantities of hydrogen into the containment volume within a short time period (a few tens of seconds). The implication is that the consideration of containment atmosphere compositions and the associated burning, explosion, or detonation potential becomes complicated by a whole range of highly transient regimes and large spatial gradients.

The NUREG-1150 severe accident risk study (NRC, 1990) was the first systematic attempt to treat direct containment heating (DCH) from a PRA perspective by integrating sequence probabilities with uncertainties associated with initial/boundary conditions and phenomenological uncertainties associated with predicting containment loads. Since the completion of the NUREG-1150 study, advances have been made in the ability to predict the probability of containment failure by DCH in pressurized water reactors. The U.S. Nuclear Regulatory Commission has identified DCH as a major issue for resolution in the Revised Severe Accident Research Plan and has sponsored analytical and experimental programs for understanding the key physical processes in DCH. An extensive database resulted from scaled counterpart experiments conducted by Sandia National Laboratories and Argonne National Laboratory. This database has allowed the development and validation of simple analytical models for predicting the containment loads. In particular, a two-cell equilibrium model was developed based on insight from the experimental program and has been used in the DCH issue resolution process. The two-cell equilibrium model takes into account the coherence between the entrained debris and the reactor coolant system blowdown steam.

The results of a probability assessment of DCH-induced containment failure for the Zion Nuclear Power Plant were published in NUREG/CR-6075 and its supplement (Pilch, Yan, and Theofanous, 1994). NUREG/CR-6338 (Pilch et al., 1996) used the methodology and scenarios described in NUREG/CR-6075 to address the DCH issue for all Westinghouse plants with large-volume containments, including 34 plants with large dry containments and 7 plants with subatmospheric containments. DCH loads-versus-strength evaluations were performed in a consistent manner for all plants. The phenomenological modeling was closely tied to the experimental database. Plant-specific analyses were performed, but sequence uncertainties were enveloped by a small number of splinter scenarios without assignment of probabilities. The results of the screening calculations reported in NUREG/CR-6338 indicate that only one plant showed a containment conditional failure probability, based on the mean fragility curves, greater than 0.001. The containment conditional failure probability for this one plant was found to be less than 0.01.

Accident Sequences: Low-Pressure Scenario

At low system pressure, decay heat redistribution due to natural circulation flow (in steam) is negligible and core degradation occurs at nearly adiabatic conditions.
Steam boiloff, together withany hydrogen generation, is continuously released to the containment atmosphere, where mixing isdriven by natural convection currents coupled with condensation processes. The upper internals of the reactor vessel remain relatively cold, offering the possibility of trapping fission product vapor andaerosols before they are released to thecontainment atmosphere. Throughout this coreheatup and meltdown process, the potential to significantly load the containment is small. The first possibility for significant energetic loads on thecontainment occurs when the molten core debrispenetrates the lower core support structure and slumps into the lower plenum. The outcome of thisinteraction cannot be predicted precisely. Thus, awhole range of behavior must be considered in order to cover subsequent events. At the oneextreme, the interaction is benign, yielding no morethan some steam (and hydrogen) production whilethe melt quickly reagglomerates on the lower reactor vessel head. At the other extreme, anenergetic steam explosion occurs. It may be possible to distinguish intermediate outcomes bythe degree to which the vessel integrity is degraded. In analyzing this phase of the accidentscenario, the important tasks are to determine thelikelihood of containment failure and to define an envelope of corium relocation paths into thecontainment. The latter is needed to ensure theassessment of the potential for s uch aphenomenon as liner meltthrough.Consideration should also be given to ex-vesselcoolability as the corium can potentially interactwith the concrete. The non-energetic release(vessel lower head meltthrough) and spreading upon the accessible portions of the containment floor below the vessel needs to be examined.
There is a great deal of variability in accessible floor area among the various pressurized water reactor cavity designs. The area over which the core debris could spread is rather small given whole-core melts and the resultant pool being in excess of 50 cm deep. In the absence of water, all these configurations would yield concrete attack and decomposition of variable intensity. In the presence of water (i.e., containment sprays), even deep pools may be considered quenchable and coolable. However, the possibility exists for insulating crusts or vapor barriers at the corium-water interface. Both of these two extremes should be considered. The task is to estimate the range of containment internal pressures, temperatures, and gas compositions as well as the extent of concrete floor penetration and structural attack until the situation has been stabilized. In general, pressurization from continuing core-concrete interactions (dry case) would be considerably slower than from coolable debris configurations (wet case) because of the absence of steam pressurization.

Appendix B B-27

As a final and crucial part of this scenario, one must address the combustible gas effect. This must include evaluation of the quantities and composition of combustible gases released to the containment, local inerting and deinerting by steam and CO2, as well as hydrogen mixing and transport. Also included should be consideration of gaseous pathways between the cavity and upper containment volume to confirm the adequacy of communication to support natural circulation and recombination of combustible gases in the reactor cavity.

GENERAL GUIDANCE ON CONTAINMENT PERFORMANCE

In the approach outlined in this appendix, emphasis is placed on those areas that would ensure that the PRA process considers the full range of severe accidents. The PRA process should be directed toward developing a plant-specific accident management scheme to deal with the probable causes of poor containment performance. To achieve these goals, it is of vital importance to understand how reliable each of the containment event tree estimates is, and what the driving factors are. Decisions on potential improvements should be made only after appropriately considering the sources of uncertainties. Of course, preventing failure altogether is predicated upon recovering some containment heat removal capability.
Given that in either case pressurization develops on the time scale of many hours, feasible recovery actions could be planned as part of accident management.

The bulk of phenomenological uncertainties affecting containment response is associated with the high-pressure scenarios. Unless it can be demonstrated that the primary system can be reliably depressurized, a low probability of early containment failure should not be automatically assumed.

Low-pressure sequences, by comparison, present few remaining areas of controversy. These areas include the coolability behavior of deep molten corium pools and the behavior of hydrogen (and other combustibles) in the containment atmosphere. The views and guidance concerning each one of these areas are briefly summarized below.

The concerns about deep corium pools arose from experiments with top-flooded melts that exhibited crust formation and long-term isolation of the melt from the water coolant. Such noncoolable configurations would yield continuing concrete attack and a containment loading behavior significantly different from coolable ones. On the other hand, it has been pointed out that small-scale experiments would unrealistically not favor coolability. This is an area of uncertainty, and it is recommended that assessments be based on available cavity (spread) area and an assumed maximum coolable depth of 25 cm. For depths in excess of 25 cm, both the coolable and noncoolable outcomes should be considered. Along these lines, the PRA should document the geometric details of cavity configuration and flow paths out of the cavity, including any water drain areas into it as appropriate.

With respect to hydrogen, the concerns are related to completeness of the current understanding of hydrogen mixing and transport. In general, combustibles accumulate very slowly and only if continuing concrete attack is postulated. For the larger dry containments, because of the large containment volume and slow release rates, compositions in the detonable range may not develop unless significant spatial concentrations exist or significant steam condensation occurs. In general, the containment atmosphere under such conditions would exhibit strong natural circulation currents that would tend to counteract any tendency to stratify. However, condensation-driven circulation patterns and other potential stratification mechanisms could limit the extent of the containment volume participating in the mixing process. For those plants with igniters, the buildup of combustibles from continuing corium-concrete interactions could be limited by local ignition and burning. However, oxygen availability as determined from natural circulation flows could limit the effectiveness of this mechanism. It is recommended that, as part of the PRA, all geometric details impacting the above phenomena (i.e., heat sink distribution, circulation paths, ignition sources, water availability, and gravity drain paths) be documented in a readily comprehensible form, together with representative combustible source transients.
Finally, uncertainties arise for all plants because of lack of knowledge on how the corium will spread following discharge from the reactor vessel. The reactor cavity configuration will influence the potential for direct attack of the liner by dispersed debris, as well as the potential for basemat failure or structural failure due to thermal attack. The staff recommends that the PRA document describe the detailed geometry (including curbs and standoffs) of the drywell floor.
APPENDIX C

EXAMPLE CONSIDERATION OF A FLOOD SCENARIO IN A PRA

An example of the analysis of a typical flood scenario is given for further guidance. This example gives some indication of the process required to construct detailed flood scenarios for initial refinement.

In one recent probabilistic risk assessment (PRA), an internal flooding scenario, designated FLOODB, was defined to bound the frequency and impacts from potential flooding events in the annulus. This flooding scenario was retained after the original screening evaluations.

The annulus contains relatively large, open, interconnected floor areas at the lowest level, Elevation -6.0 m. All elevations in the annulus are also interconnected through open stairwells and floor grating. Therefore, it was concluded that only one water source presents a significant hazard for submerging PRA equipment that is located at Elevation -6.0 m. Scenario FLOODB accounts for floods that originate from the nuclear service water (VE) connections to the nuclear component cooling water (TF) heat exchangers. It was conservatively assumed for the screening analysis that a flood from any one of the three heat exchangers would be of sufficient size and would continue long enough to submerge all equipment at Elevation -6.0 m.

Each TF heat exchanger is enclosed in a watertight vault sealed by a normally closed door.
Therefore, in addition to evaluating the frequency of events that could cause significant flooding from the VE system, the analysis for scenario FLOODB also accounts for coincident failure of these barriers.

Examination of the event summaries in the flood database reveals that a number of flooding events in the generic database have involved personnel errors during testing and maintenance activities. Therefore, the analysis for scenario FLOODB evaluated two major contributions to the flooding event frequency:

$F = F_M + F_O$

where

$F$ = total frequency of flooding events for scenario FLOODB

$F_M$ = frequency of flooding events that may occur during maintenance activities

$F_O$ = frequency of flooding events that may occur at other times.

C.1 Maintenance Events

The frequency of maintenance-related flooding events was evaluated by the following expression:

$F_M = 3 \left[ m f_d (T/2)(SW/3) + m (8{,}760) f_f f_c + m d_m (SW/3) f_c \right]$

where

$m$ = frequency of TF heat exchanger maintenance (maintenance events per hour)

$f_d$ = likelihood that personnel fail to restore the heat exchanger vault to normal conditions after maintenance has been completed, e.g., failure to reclose the door (errors per maintenance event)

$T$ = time interval between routine annulus inspections (hours)

$SW$ = frequency of Other Service Water System-Related Flooding Events (flooding events per plant year)

$f_f$ = fraction of maintenance events that lead directly to inadvertent loss of system integrity (flooding events per maintenance event)

$f_c$ = likelihood that personnel fail to stop the flood before equipment is damaged, e.g., failure to turn off the VE pumps or close the vault door (errors per flooding event)

$d_m$ = mean duration of TF heat exchanger maintenance (hours per maintenance event).
The expression contains an overall multiplication factor of 3 because the terms inside the brackets evaluate the total maintenance-related flooding frequency for only one heat exchanger vault.

The first term in the expression accounts for a condition in which maintenance has been performed in one of the heat exchanger vaults ($m$). However, personnel may fail to secure the watertight door properly after the maintenance work has been completed ($f_d$). A flood will occur if the VE connection fails ($SW/3$) before the operators discover the open door during their routine inspections ($T/2$). The fraction ($T/2$) in this term accounts for the fact that the average exposure period for this condition is one-half the annulus routine inspection interval. The fraction ($SW/3$) accounts for the fact that approximately one-third of the total frequency for Other Service Water System-Related Flooding Events from the database is allocated to each of the three TF heat exchanger vaults.

The second term in the expression accounts for a condition in which maintenance is performed in one of the heat exchanger vaults ($m$). However, personnel errors during the maintenance work cause a flood from the VE system ($f_f$). Maintenance and operations personnel fail to stop the flood before the PRA equipment is submerged ($f_c$). The multiplication factor of 8,760 in this term converts the hourly frequency of TF heat exchanger maintenance into an equivalent annual frequency.

The third term in the expression accounts for a condition in which maintenance is performed in one of the heat exchanger vaults ($m$). A flood will occur if the VE connection fails ($SW/3$) during the maintenance interval while the watertight door is open ($d_m$). Maintenance and operations personnel fail to stop the flood before the PRA equipment is submerged ($f_c$). The fraction ($SW/3$) in this term accounts for the fact that approximately one-third of the total frequency for Other Service Water System-Related Flooding Events in the flood database is allocated to each of the three TF heat exchanger vaults.

The following numerical values were used in this analysis:

* Frequency of TF Heat Exchanger Maintenance ($m$). The mean frequency of TF heat exchanger maintenance from the plant-specific PRA database is $3.91 \times 10^{-5}$ maintenance event per heat exchanger hour.

* Failure to Reclose Watertight Door ($f_d$). A nominal value of $5 \times 10^{-3}$ error per maintenance event is used for this error rate. This value is based on generic human error rates that are typically applied for failures to restore equipment to the proper configuration after testing or maintenance activities.

* Annulus Inspection Interval ($T$). It is assumed for this analysis that a routine inspection of the annulus is performed at least once each shift and that the open door would be discovered during this inspection. Therefore, the average time interval between inspections is eight hours.

* Frequency of Service Water Flooding Events ($SW$). The database shows that the mean frequency of Other Service Water System-Related Events is $3.81 \times 10^{-3}$ flooding event per plant year. The data analysis portion of the PRA documents that all of this frequency was conservatively allocated to the TF heat exchanger vaults in the annulus.

* Fraction of Maintenance Events that Involve Floods ($f_f$). The flooding events database used contains one event related directly to errors during heat exchanger maintenance. The database includes experience from a total of 740 plant years of operation through July 1987. The generic mean frequency of heat exchanger maintenance from Module VI is approximately $4.15 \times 10^{-5}$ maintenance event per heat exchanger hour. It is conservatively assumed that each plant in the flooding events database contains only two heat exchangers. Therefore, the total number of heat exchanger maintenance events in 740 plant years is approximately:

  $2 \times (4.15 \times 10^{-5}) \times (8{,}760) \times (740) = 538$ maintenance events

  Thus, an approximate estimate for variable $f_f$ is 1/538 floods per heat exchanger maintenance event. However, there is substantial uncertainty about this estimate. Therefore, a lognormal probability distribution was created to represent this conditional frequency, using a median value of $2 \times 10^{-3}$ and a range factor of 10. The resulting mean value for $f_f$ is $5.33 \times 10^{-3}$ flood per heat exchanger maintenance event.

* Failure to Stop the Flood before Damage Occurs ($f_c$). If a flood begins while personnel are in the heat exchanger vault, there are several opportunities to stop the flow before the annulus is flooded to a depth that will submerge the PRA equipment. For example, local personnel may call the control room and request that the appropriate VE pumps be stopped. Local personnel may also try to close the watertight doors to contain the flood water inside the vault. It is very unlikely that no attempts would be made to alert the control room or to stop the flood locally if personnel were in the area and were physically able to respond. A lognormal probability distribution was created to account for a variety of possible conditions that could delay response until the PRA equipment is submerged. This distribution accounts generally for such factors as extremely severe floods that incapacitate all personnel in the vault, unexpected communication delays, failure of independent indications in the control room, etc. A median value of $1 \times 10^{-3}$ and a range factor of 10 were assigned to account subjectively for these possible conditions. In other words, it was assumed that approximately one flood in one thousand events would be severe enough to disable the local personnel and would continue long enough to submerge the PRA equipment before it is discovered and controlled. The mean value for $f_c$ from this distribution is $2.66 \times 10^{-3}$ failures per flooding event.

* Mean Duration of TF Heat Exchanger Maintenance ($d_m$). The mean duration of TF heat exchanger maintenance from the plant-specific PRA database is 108 hours per maintenance event.

These values were used to estimate the following contributions from each of the three maintenance conditions:

$m f_d (T/2)(SW/3) = 9.93 \times 10^{-10}$ flood per year

$m (8{,}760) f_f f_c = 4.86 \times 10^{-6}$ flood per year

$m d_m (SW/3) f_c = 1.43 \times 10^{-8}$ flood per year

The total frequency of heat exchanger maintenance-related flooding events is three times the sum of these contributions for each heat exchanger:

$F_M = 1.46 \times 10^{-5}$ flood per year

C.2 Events Not Related to Maintenance

The frequency of flooding events that are not related to heat exchanger maintenance activities was evaluated by the following expression:

$F_O = SW f_v + v (T/2) SW$

where

$SW$ = frequency of Other Service Water System-Related Flooding Events (flooding events per plant year)

$f_v$ = likelihood that a closed vault door fails when a flood occurs inside the vault (failures per flooding event)

$v$ = frequency that a heat exchanger vault door is opened and left open during normal plant operation (errors per hour)

$T$ = time interval between routine annulus inspections (hours).

The first term in the expression accounts for a condition in which the VE connection fails in one of the three heat exchanger vaults ($SW$). The heat exchanger vault door is closed when the flood occurs, but it fails ($f_v$).

The second term in the expression accounts for a condition in which personnel have opened one of the heat exchanger vault doors and have inadvertently left it open ($v$). A flood will occur if the VE connection fails ($SW$) before the operators discover the open door during their routine inspections ($T/2$). The fraction ($T/2$) in this term accounts for the fact that the average exposure period for this condition is one-half the annulus routine inspection interval.

The following numerical values were used in this analysis:

* Frequency of Service Water Flooding Events ($SW$). The plant-specific database shows that the mean frequency of Other Service Water System-Related Events is $3.81 \times 10^{-3}$ flooding event per plant year. The database documentation also indicates that all of this frequency was conservatively allocated to the TF heat exchanger vaults in the annulus.

* Failure of Closed Watertight Door ($f_v$). The heat exchanger vault doors are designed specifically to contain a flood from the VE system. No detailed structural analyses were performed to evaluate the capacity of these doors under realistic loading conditions. However, structural evaluations of other equipment at the plant and analyses at other plants have typically concluded that the likelihood for failure is extremely small under realistic loading conditions, i.e., the structural design safety margin is typically quite large. A nominal value of $1 \times 10^{-6}$ failure per flooding event was used for $f_v$.

* Frequency that a Vault Door is Left Open ($v$). The TF heat exchanger vault doors are normally closed at all times unless work is being performed in a vault. The frequency of maintenance-related flooding events accounts for the fraction of time that a door may be open for maintenance work. Variable $v$ accounts for the combined frequency of other activities that open a door and the likelihood that it might be left open, e.g., special inspections, maintenance or modification planning, etc. There is no evidence from plant records or from discussions with plant operations personnel that any of the TF heat exchanger vault doors has ever been found open during the 12-year period examined for this analysis. However, a conservative upper bound for $v$ was estimated by assuming that any one of the three vault doors may be left open inadvertently approximately once in five years during plant power operation. Therefore:

  $v_{high} = 1 / (3 \times 5 \times 0.88 \times 8{,}760) = 8.65 \times 10^{-6}$ error per hour.

  In this calculation, the factor of 3 accounts for the three heat exchanger vault doors; the factor of 5 accounts for the assumed frequency of one error in five years; the factor of 0.88 is the average availability factor for the plant; and the factor of 8,760 converts the annual frequency into an equivalent hourly frequency.

* Annulus Inspection Interval ($T$). It is assumed for this analysis that a routine inspection of the annulus is performed at least once each shift and that the open door would be discovered during this inspection. Therefore, the average time interval between inspections is eight hours.

These values were used to estimate the following contributions from each condition:

$SW f_v = 3.81 \times 10^{-9}$ flood per year

$v (T/2) SW = 1.32 \times 10^{-7}$ flood per year

The total frequency of flooding events that are not related to maintenance activities is the sum of these contributions:

$F_O = 1.36 \times 10^{-7}$ flood per year.

C.3 Frequency of FLOODB

The total initiating event frequency for internal flooding scenario FLOODB is the sum of the two major contributions:

$F = F_M + F_O = 1.46 \times 10^{-5} + 1.36 \times 10^{-7} = 1.47 \times 10^{-5}$ flood per year.
The plant model was quantified with the above initiating event frequency and with changes made to the affected event tree top event and system models to reflect the impact of the flood. Specifically, all equipment at the lowest level of the annulus was assumed to be unavailable following the flood.
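The FLOODB quantification of sections C.1 through C.3, carried through in code as an added example (not part of the original document or of the PRA it describes). It uses the values listed above; the conversion of a lognormal median and range factor to a mean, with the range factor taken as the 95th-to-50th percentile ratio, is an assumption about how the $f_f$ and $f_c$ means were obtained, and it reproduces them.

```python
"""FLOODB initiating-event frequency from Appendix C, reworked in code.

Added example, not from the original document. Inputs are the values listed in
C.1 and C.2. The lognormal median/range-factor-to-mean conversion (range factor
= 95th/50th percentile ratio) is an assumption about how the document obtained
its f_f and f_c means; it reproduces them.
"""
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 8_760
N_VAULTS = 3   # three TF heat exchanger vaults share the SW frequency
Z95 = 1.645    # standard normal 95th-percentile quantile


def lognormal_mean(median, range_factor):
    """Mean of a lognormal given its median and range factor (p95/p50)."""
    sigma = math.log(range_factor) / Z95
    return median * math.exp(sigma ** 2 / 2)


def generic_maintenance_events(m_generic=4.15e-5, hx_per_plant=2, plant_years=740):
    """Denominator behind the 1/538 point estimate for f_f."""
    return hx_per_plant * m_generic * HOURS_PER_YEAR * plant_years


def v_upper_bound(n_doors=3, years_per_error=5, availability=0.88):
    """Conservative door-left-open frequency: one error per five years at power."""
    return 1.0 / (n_doors * years_per_error * availability * HOURS_PER_YEAR)


@dataclass(frozen=True)
class FloodbInputs:
    m: float    # TF HX maintenance frequency (events per HX-hour)
    f_d: float  # door not reclosed after maintenance (errors per maint. event)
    T: float    # annulus inspection interval (hours)
    SW: float   # other service-water flooding events (per plant year)
    f_f: float  # maintenance error causes a flood (floods per maint. event)
    f_c: float  # flood not stopped before damage (failures per flood)
    d_m: float  # mean maintenance duration (hours)
    f_v: float  # closed door fails under flood load (failures per flood)
    v: float    # door left open during normal operation (errors per hour)


def maintenance_terms(p):
    """Per-vault terms of F_M; T/2 is the mean exposure until the next inspection."""
    return {
        "door_left_open_after_maint": p.m * p.f_d * (p.T / 2) * (p.SW / N_VAULTS),
        "maint_error_causes_flood": p.m * HOURS_PER_YEAR * p.f_f * p.f_c,
        "sw_fails_during_maint": p.m * p.d_m * (p.SW / N_VAULTS) * p.f_c,
    }


def f_maintenance(p):
    return N_VAULTS * sum(maintenance_terms(p).values())


def other_terms(p):
    return {"closed_door_fails": p.SW * p.f_v,
            "door_left_open_at_power": p.v * (p.T / 2) * p.SW}


def f_other(p):
    return sum(other_terms(p).values())


def floodb_frequency(p):
    return f_maintenance(p) + f_other(p)


def dominant_term(p):
    """Largest single contributor to F, with per-vault terms scaled by N_VAULTS."""
    scaled = {k: N_VAULTS * t for k, t in maintenance_terms(p).items()}
    scaled.update(other_terms(p))
    return max(scaled, key=scaled.get)


# Values from sections C.1 and C.2
APPENDIX_C = FloodbInputs(m=3.91e-5, f_d=5e-3, T=8.0, SW=3.81e-3,
                          f_f=lognormal_mean(2e-3, 10), f_c=lognormal_mean(1e-3, 10),
                          d_m=108.0, f_v=1e-6, v=v_upper_bound())

if __name__ == "__main__":
    print(f"F = {floodb_frequency(APPENDIX_C):.2e} flood per year, "
          f"dominated by {dominant_term(APPENDIX_C)}")
```

Running it shows that the second maintenance term (a maintenance error that starts the flood, combined with failure to stop it) carries essentially the whole FLOODB frequency, which is where any refinement of the scenario would pay off.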
APPENDIX D

EXAMPLE CONSIDERATION OF A FIRE SCENARIO IN A PRA

An example of a portion of a fire analysis in a recent PRA is summarized in Table D-1. In the scenario summarized in Table D-1, a fire is postulated to occur in the Division 2 Electronics Room affecting all equipment in that room. The frequency of all fires in that location, based on the number of electronic cabinets, amount of cable, and the likelihood of transient fire sources, had been assessed to have a mean value of $2.11 \times 10^{-5}$ fire per year. The fire was retained after the screening process that considered only the occurrence frequency. The impacts on the systems considered in the PRA were determined next. These are summarized in the "notes" section of the table in the form of the specific impacts on event tree top events (or split fractions) or system fault trees. The event model is requantified using the fire frequency determined for this scenario along with the system and event level impacts, resulting in a determination of the plant response to fires in this area. The results, in this case, showed that the scenario could be screened from further consideration after this first round of refinement. If that had not been the case, the scenario would have received further attention and refinement. In such a case, the scenario would have been divided into two scenarios: one scenario of relatively low frequency that impacted all the cabinets in the room and a second scenario of relatively high frequency that impacted only the cabinet with the most severe effect on the plant.
Table D-1 Example fire scenario table

BUILDING: E
LOCATIONS: E0456, E0457, E0459
LOCATION NAME: Division 2 Electronics Cabinets Room, Elevation 7.6 meters
LOCATION DESIGNATOR: L2
SCENARIO DESIGNATOR: FIREL2

1. TYPE OF HAZARD SOURCE:
2. SCENARIO INITIATION:
3. PATH OF PROPAGATION
   A. PATH TYPE: None (localized)
   B. PROPAGATE TO: N/A
4. SCENARIO DESCRIPTION: Fire affects all Division 2 electronics cabinets, including reactor protection.
5. HAZARD MITIGATION FEATURES: Detectors, Halon
6. SCENARIO FREQUENCY: 2.11E-05 per year
7. PRA EQUIPMENT WITHIN THE AREA:
   Equipment: Division 2 electronics cabinets; Top Event: Note 1; Equipment Impact: Note 1
8. RETAINED AFTER SCREENING ANALYSIS: YES
9. NOTES: This fire scenario affects all cabinets in this room.

1. The impacts from these fires are bounded by disabling all equipment control and actuation signals from Division 2. The following split fraction rules are used to account for the possible impacts from open circuits that may prevent equipment from operating and short circuits that may cause spurious actuation signals.

* Top Event BB (10 kV nonessential power) is failed.
* Top Event BY (6 kV essential power) is failed.
* Top Event S1G2 (Division 2 actuation signal relays) is failed.
* Top Event REC1 (recovery of offsite power to the 6 kV essential buses) is failed.
* The split fraction rules for Top Events PZRL (pressurizer low level), RCSP (reactor coolant system low pressure), CNTP (containment high pressure), SG1L (steam generator 1 low level), SG2L (steam generator 2 low level), and SG3L (steam generator 3 low level) are modified to account for loss of the Division 2 signals for these fractions.
* The split fraction rules for Top Event TFIS are modified to account for possible loss of the isolation signal for valve TF8OSSOI.
* The split fraction rules for Top Events TFRB and TFSB are modified to account for possible spurious isolation signals for valves TFlOSOS2, TF6OSOOl, and TF605030. Top Events TFRB and TFSB are failed for these fires.
* The split fraction rules for Top Event SUFW are modified to account for possible spurious main feedwater isolation signals for steam generator 2.
* The split fraction rules for Top Event CHF are modified to account for possible spurious isolation signals for valve TA305003. Top Event CHF is failed for these fires.
* The split fraction rules for Top Event RCPS are modified to account for loss of the Division 2 automatic reactor coolant pump trip signals. Top Event RCPS is failed if reactor coolant pump YD2O is running and nuclear component cooling water flow is lost to the bearing oil coolers.
* The split fraction rules for Top Events LDI, LDO, and CIB are modified to account for loss of the Division 2 isolation signals for the letdown line valves.
* The split fraction rules for Top Event LPC are modified to account for Division 2 isolation signals that prevent RHR cooling from Train TH2O.