ML103620076

2005/12/31-NUREG/CR-6572, Rev. 1, BNL-NUREG-52534-R1, Kalinin VVER-1000 Nuclear Power Station Unit 1, PRA, Procedure Guides for a Probabilistic Risk Assessment
Person / Time
Site: Davis Besse
Issue date: 12/28/2010
From: Brookhaven National Lab (BNL), NRC/RES/DRA
To: SECY RAS
Shared Package: ML103620074
References: License Renewal 2, RAS 19324, 50-346-LR, BNL-NUREG-52534-R1, NUREG/CR-6572, Rev. 1


Text

NUREG/CR-6572, Rev. 1
BNL-NUREG-52534-R1
Kalinin VVER-1000 Nuclear Power Station Unit 1 PRA
Procedure Guides for a Probabilistic Risk Assessment
English Version
Manuscript Completed: May 2005
Date Published: December 2005
Sponsored by the Joint Cooperative Program Between the Governments of the United States and Russia, The BETA Project
Brookhaven National Laboratory, Upton, NY 11973-5000
Prepared for: Division of Risk Analysis and Applications, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001
NRC Job Code R2001

ABSTRACT

In order to facilitate the probabilistic risk assessment (PRA) of a VVER-1000 nuclear power plant, a set of procedure guides has been written. These procedure guides, along with training supplied by experts and supplementary material from the literature, were used to advance the PRA carried out for the Kalinin Nuclear Power Station in the Russian Federation. Although written for a specific project, these guides have general applicability. Guides are procedures for all the technical tasks of a Level 1 (determination of core damage frequency for different accident scenarios), Level 2 (probabilistic accident progression and source term analysis), and Level 3 (consequence analysis and integrated risk assessment) PRA. In addition, introductory material is provided to explain the rationale and approach for a PRA. Procedure guides are also provided on the documentation requirements.


FOREWORD

During the Lisbon Conference on Assistance to the Nuclear Safety Initiative, held in May 1992, participants agreed that efforts should be undertaken to improve the safety of nuclear power plants that were designed and built by the former Soviet Union. That agreement led to a collaborative probabilistic risk assessment (PRA) of the Kalinin Nuclear Power Station (KNPS), Unit 1, in the Russian Federation. The KNPS Unit 1 PRA was intended to demonstrate the benefits obtained from application of risk technology towards understanding and improving reactor safety and, thereby, helping to build a risk-informed framework to help address reactor safety issues in regulations.

The U.S. Department of State, together with the Agency for International Development (AID), requested that the U.S. Nuclear Regulatory Commission (NRC) and the Federal Nuclear and Radiation Safety Authority of the Russian Federation (Gosatomnadzor, or GAN) work together to begin applying PRA technology to Soviet-designed plants.[1] On the basis of that request, in 1995, the NRC and GAN agreed to work together to perform a PRA of a VVER-1000 PWR reactor. Under that agreement, the NRC provided financial support for the PRA with funds from AID and technical support primarily from Brookhaven National Laboratory and its subcontractors. KNPS Unit 1 was chosen for the PRA, and the effort was performed under the direction of GAN with the assistance of KNPS personnel and the following four other Russian organizations:

  • Science and Engineering Centre for Nuclear and Radiation Safety (GAN's, and now Rostechnadzor's, technical support organization)
  • Gidropress Experimental and Design Office (the VVER designer)
  • Nizhny Novgorod Project Institute, Atomenergoprojekt (the architect-engineer)
  • Rosenergoatom Consortium (the utility owner of KNPS)

One of the overriding accomplishments of the project has been technology transfer. In NRC-sponsored workshops held in Washington, DC, and Moscow from October 1995 through November 2003, training was provided in all facets of PRA practice. In addition, the Russian participants developed expertise using current-generation NRC-developed computer codes, MELCOR, SAPHIRE and MACCS. Towards the completion of the PRA, senior members of the Kalinin project team began the development of risk-informed, Russian nuclear regulatory guidelines. These guidelines foster the application of risk assessment concepts to promote a better understanding of risk contributors. Efforts such as this have benefited from the expertise obtained, in part, from the training, experience, and insights gained from participation in the KNPS Unit 1 PRA project.

The documentation of the Kalinin PRA comprises two companion NUREG-series reports:

  • NUREG/CR-6572, Revision 1, Kalinin VVER-1000 Nuclear Power Station Unit 1 PRA: Procedure Guides for a Probabilistic Risk Assessment, was prepared by Brookhaven National Laboratory and the NRC staff. It contains guidance for conducting the Level 1, 2, and 3 PRAs for KNPS with primary focus on internal events. It may also serve as a guide for future PRAs in support of other nuclear power plants.

[1] As a result of a governmental decree in May 2004, GAN was subsumed into a new organization, known as the Federal Environmental, Industrial and Nuclear Supervision Service of Russia (Rostechnadzor).


  • NUREG/IA-0212, Kalinin VVER-1000 Nuclear Power Station Unit 1 PRA: Volumes 1 and 2, was written by the Russian team and, by agreement, includes both a non-proprietary and proprietary volume. The non-proprietary volume, Volume 1, Executive Summary Report, discusses the project objectives, summarizes how the project was carried out, and presents a general summary of the PRA results. The proprietary volume, Volume 2, contains three parts. Part 1, Main Report: Level 1 PRA, Internal Initiators, discusses the Level 1 portion of the PRA; Part 2, Main Report: Level 2 PRA, Internal Initiators, discusses the Level 2 portion; and Part 3, Main Report: Other Events Analysis, discusses preliminary analyses of fire, internal flooding, and seismic events, which may form the basis for additional risk assessment work at some future time.

Carl J. Paperiello, Director, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission

TABLE OF CONTENTS

Abstract
Foreword
List of Figures
List of Tables
Acknowledgments
Acronyms

1. INTRODUCTION
  1.1 Background
  1.2 Objectives
  1.3 Scope
  1.4 Limitations and General Comments
  1.5 References

2. APPROACH
  2.1 Scope of a PRA
  2.2 Scope of the Guides
    2.2.1 Technical Guidance
    2.2.2 Guidance for Peer Review Process
  2.3 References

3. TECHNICAL ACTIVITIES
  3.1 Plant Familiarization
    3.1.1 Assumptions and Limitations
    3.1.2 Products
    3.1.3 Task Activities
    3.1.4 Task Interfaces
  3.2 Level 1 Analysis
    3.2.1 Initiating Event Analysis
      3.2.1.1 Assumptions and Limitations
      3.2.1.2 Products
      3.2.1.3 Analytical Tasks
      3.2.1.4 Task Interfaces
      3.2.1.5 References
    3.2.2 Accident Sequence Development
      3.2.2.1 Assumptions and Limitations
      3.2.2.2 Products
      3.2.2.3 Task Activities
      3.2.2.4 Task Interfaces
      3.2.2.5 References
    3.2.3 Systems Analysis
      3.2.3.1 Assumptions and Limitations
      3.2.3.2 Products
      3.2.3.3 Analytical Tasks
      3.2.3.4 Task Interfaces
      3.2.3.5 References
    3.2.4 Data Analysis
      3.2.4.1 Assumptions and Limitations
      3.2.4.2 Products
      3.2.4.3 Task Activities
      3.2.4.4 Task Interfaces
      3.2.4.5 References
    3.2.5 Human Reliability Analysis
      3.2.5.1 Assumptions and Limitations
      3.2.5.2 Products
      3.2.5.3 Task Activities
      3.2.5.4 Task Interfaces
      3.2.5.5 References
    3.2.6 Quantification and Results
      3.2.6.1 Assumptions and Limitations
      3.2.6.2 Products
      3.2.6.3 Task Activities
      3.2.6.4 Task Interfaces
      3.2.6.5 References
  3.3 Level 2 Analysis (Probabilistic Accident Progression and Source Term Analysis)
    3.3.1 Plant Damage State Determination
      3.3.1.1 Assumptions and Limitations
      3.3.1.2 Products
      3.3.1.3 Analytical Tasks
      3.3.1.4 Task Interfaces
      3.3.1.5 References
    3.3.2 Assessing Containment Challenges
      3.3.2.1 Assumptions and Limitations
      3.3.2.2 Products
      3.3.2.3 Analytical Tasks
      3.3.2.4 Task Interfaces
      3.3.2.5 References
    3.3.3 Containment Performance Characterization
      3.3.3.1 Assumptions and Limitations
      3.3.3.2 Products
      3.3.3.3 Analytical Tasks
      3.3.3.4 Task Interfaces
      3.3.3.5 References
    3.3.4 Containment Probabilistic Characterization
      3.3.4.1 Assumptions and Limitations
      3.3.4.2 Products
      3.3.4.3 Analytical Tasks
      3.3.4.4 Task Interfaces
      3.3.4.5 References
    3.3.5 Radionuclide Release Characterization
      3.3.5.1 Assumptions and Limitations
      3.3.5.2 Products
      3.3.5.3 Analytical Tasks
      3.3.5.4 Task Interfaces
      3.3.5.5 References
  3.4 Level 3 Analysis (Consequence Analysis and Integrated Risk Assessment)
    3.4.1 Assumptions and Limitations
    3.4.2 Products
    3.4.3 Analytical Tasks
    3.4.4 Task Interfaces
    3.4.5 References
  3.5 Flood Analysis
    3.5.1 Assumptions and Limitations
    3.5.2 Products
    3.5.3 Analytical Tasks
    3.5.4 Task Interfaces
    3.5.5 References
  3.6 Fire Analysis
    3.6.1 Assumptions and Limitations
    3.6.2 Products
    3.6.3 Analytical Tasks
    3.6.4 Task Interfaces
    3.6.5 References
  3.7 Seismic Analysis
    3.7.1 Assumptions and Limitations
    3.7.2 Products
    3.7.3 Analytical Tasks
    3.7.4 Task Interfaces
    3.7.5 References

4. DOCUMENTATION
  4.1 Documentation in Support of Reporting/Communication
  4.2 Documentation in Support of Traceability

APPENDIX A Recommended Supplemental CCF Generic Estimates for Kalinin PRA Based on Experience in the U.S.
APPENDIX B Simplified Level 2 Analysis
APPENDIX C Example Consideration of a Flood Scenario in a PRA
APPENDIX D Example Consideration of a Fire Scenario in a PRA

LIST OF FIGURES

Figure 1.1 The six components comprising a PRA
Figure 3.1 Master logic diagram
Figure 3.2 Example of dependency matrix
Figure 3.3 Example of fault tree for backup cooling system
Figure 3.4 Example fault tree for inside spray recirculation
Figure 3.5 Simple example for CCF analysis
Figure 3.6 Example of a decision tree for performance shaping factors
Figure 3.7 Relationship among the major parts of a Level 2 PRA
Figure 3.8 Conditional probability of containment failure
Figure 3.9 Probability density functions for containment peak pressure (Pc) and failure pressure (Pf)
Figure 3.10 Example of simplified radionuclide release rates

LIST OF TABLES

Table 2-1 Technical elements of a PRA
Table 2-2 Summary of technical characteristics and attributes of a PRA
Table 3-1 Technical elements of a PRA
Table 3-2 Plant information needed to perform a Level 1 internal event PRA
Table 3-3 Generic information from plants of same/similar design
Table 3-4 Cross reference of PRA tasks and plant information needed
Table 3-5 Information needed for internal fire analysis
Table 3-6 Information needed for internal flood analysis
Table 3-7 Information needed for seismic analysis
Table 3-8 Format for failure modes and effects analysis of key support systems
Table 3-9 Format for abnormal operating instruction review summary
Table 3-10 Generic list of initiating events for VVER-1000 reactors
Table 3-11 Safety functions identified in a recent PWR PRA
Table 3-12 Equipment hazard susceptibility
Table 3-13 Hazards associated with equipment
Table 3-14 Illustration of a typical scenario table
Table 3-15 Typical hazard mitigation types
Table 3-16 The reliability formulation for the various contributors to the unavailability of a standby component
Table 3-17 Example of performance shaping factors
Table 3-18 Example attributes for grouping accident sequence cutsets
Table 3-19 Severe accident phenomena
Table 3-20 Example plant design/operational parameters to be compared to demonstrate similarity for use as surrogate analysis
Table 3-21 Radionuclide grouping scheme used in a Level 2 PRA
Table 3-22 Areas of key radionuclide source term uncertainties
Table 4-1 Documentation for the Kalinin PRA project

ACKNOWLEDGMENTS

The following organizations and individuals collaborated in performing the PRA for the Kalinin NPS, Unit 1:

U.S. Nuclear Regulatory Commission (NRC)
Charles Ader, Mark Cunningham, Mary Drouin, Thomas King, John Lane, Scott Newberry, Themis Speis, Andrew Szukiewicz

NRC Contractors
Mohammed Ali Azarm, Brookhaven National Laboratory (BNL); Tsong-Lun Chu, BNL; David Diamond, BNL; Ted Ginsberg, BNL; John Lehner, BNL; Hossein Nourbakhsh, BNL; Yang Park, BNL; Trevor Pratt, BNL; Jimin Xu, BNL; Dennis Bley, Buttonwood Consulting Inc.; Robert Campbell, EQE International Inc.; David Johnson, PLG Inc.; Robert Kennedy, RPK Structural Mechanics Consulting; Mark Leonard, Dycoda

Federal Nuclear and Radiation Safety Authority of the Russian Federation (GAN), now the Federal Environmental, Industrial and Nuclear Supervision Service of Russia (Rostechnadzor)
Mikhail Mirochnitchenko, Alexandr Matveev, Alexandr Gutsalov

Science and Engineering Center for Nuclear and Radiation Safety
Irina Andreeva, Tatiana Berg, Valentina Bredova, Boris Gordon, Irina Ioudina, Artour Lioubarski, Dmitri Noskov, Gennadi Samokhin, Eugene Shubeiko, Vyacheslav Soldatov, Sergei Volkovitskiy, Elena Zhukova

Kalinin Nuclear Power Station
Grigori Aleshin, Oleg Bogatov, Eugene Mironenko, Maxim Robotaev

Experimental and Design Office Gidropress
Viatcheslav Kudriavtsev, Vladimir Shein, Valeri Siriapin

Nizhny Novgorod Project Institute Atomenergoprojekt
Ludmila Eltsova, Vladimir Kats, Svetlana Petrunina, Valeri Senoedov, Alexander Yashkin

Rosenergoatom Consortium
Vladimir Khlebtsevich

ACRONYMS

ACRS: Advisory Committee on Reactor Safeguards
ANS: American Nuclear Society
AOIs: Abnormal Operating Instructions
BE: Basic Event
BNL: Brookhaven National Laboratory
CAR: Corrective Action Reports
CCF: Common-Cause Failure
CCI: Core-Concrete Interaction
CDF: Core Damage Frequency
CET: Containment Event Tree
DCH: Direct Containment Heating
DOE: U.S. Department of Energy
DRR: Document Review Records
EFC: Error-Forcing Context
EPRI: Electric Power Research Institute
ESD: Event Sequence Diagram
ET: Event Tree
FT: Fault Tree
F-V: Fussell-Vesely
GAN: Federal Nuclear and Radiation Safety Authority of the Russian Federation
HFE: Human Failure Event
HPI: High-Pressure Injection
HRA: Human Reliability Analysis
IAEA: International Atomic Energy Agency
IE: Initiating Event
INEL: Idaho National Engineering Laboratory
IMTS: Information Management and Tracking System
IRRAS: Integrated Reliability and Risk Analysis System
KNPS: Kalinin Nuclear Power Station
LOCA: Loss-of-Coolant Accident
MOV: Motor-Operated Valve
NRC: U.S. Nuclear Regulatory Commission
PCA: Probabilistic Consequence Assessment
PDS: Plant Damage State
PQASC: Project Quality Assurance Startup Checklists
PRA: Probabilistic Risk Assessment
PSF: Performance Shaping Factor
PWR: Pressurized Water Reactor
QA: Quality Assurance
QAR: Quality Assurance Audit Reports
QHO: Quantitative Health Objective
R.F.: Russian Federation
RAW: Risk Achievement Worth
RCS: Reactor Coolant System
RHR: Residual Heat Removal
RRW: Risk Reduction Worth
SG: Steam Generator
SGTR: Steam Generator Tube Rupture
SLIM: Success Likelihood Index Method
SSC: Systems, Structures, and Components
SSMRP: Seismic Safety Margins Research Program
TRR: Technical Review Reports

1. INTRODUCTION

1.1 Background

At the Lisbon Conference on Assistance to the Nuclear Safety Initiative, held in May 1992, it was agreed that special efforts should be undertaken to improve the safety of the nuclear power plants designed and built by the former Soviet Union. As part of these efforts, the U.S. Department of State, together with the Agency for International Development (AID), requested that the U.S. Nuclear Regulatory Commission (NRC) and the Federal Nuclear and Radiation Safety Authority of the Russian Federation (GAN) work together to begin the application of PRA technology to Soviet-designed plants. As a result, the NRC and GAN agreed to work together to carry out a probabilistic risk assessment (PRA) of a VVER-1000 reactor in the Russian Federation (R.F.).

Unit 1 at the Kalinin Nuclear Power Station (KNPS) was chosen for the PRA and the effort was carried out under the auspices of GAN with the assistance of several other Russian organizations.[2] The procedure guides in this document were written to advance the PRA, which is intended to serve as a demonstration of the PRA process and its utility in the regulatory process and in plant operations. Furthermore, it is expected that the overall project will also advance the use of PRA methods and results in the regulation of nuclear power plants of VVER design not only in the R.F. but also in other countries with such reactors.

[2] In addition to GAN, the following organizations were involved: GAN's Scientific and Engineering Center for Nuclear and Radiation Safety, Kalinin Nuclear Power Station, the Experimental and Design Office Gidropress, Nizhny Novgorod Project Institute Atomenergoproect, and Rosenergoatom Consortium.

1.2 Objectives

In order to carry out the PRA for KNPS Unit 1, it was decided that the methodology for doing a PRA should be defined and explained in a set of guides. The writing of the guides would help assure that the PRA would be done according to an internationally acceptable and consistent framework. After individual tasks were completed, the guides could then be used to help in the review of that work.

The first draft of the guides was used for the Kalinin PRA, and now this final report should be useful to PRA practitioners in other countries, in particular those with VVER plants. For the Kalinin PRA these guides complemented other forms of technical assistance provided by the NRC, namely classroom training and workshops. Therefore, it must be recognized that the guides alone will not provide the assistance needed to successfully complete a PRA for an organization that is relying on outside assistance.

1.3 Scope

The scope of this guide is a full-scope PRA. There are a number of major components that comprise the scope of a PRA, as illustrated in Figure 1.1.

1. It is necessary to identify all potential risks and decide on how many of these will be included in the PRA.

2. It is also necessary to determine the extent of the population exposed to the risks (e.g., health effects to the plant personnel or the surrounding population) and the population to be considered in the PRA.

3. Accidents can occur while the plant is at full power, low power, or during a shutdown condition. The plant operating states to be considered in the PRA should, therefore, be clearly identified.

4. The type of possible events that can initiate an accident also needs to be defined. Initiating events internal to the plant usually include transients, loss-of-coolant accidents (LOCAs), fires, and floods. Events external to the plant include seismic events, high wind, and others. Evaluation of sabotage events is not currently included in a full-scope PRA.

5. A complete PRA involves three sequential analytical parts or levels of risk as shown in Figure 1.1:

Figure 1.1 The six components comprising a PRA
  • Level 1 - involves the identification and quantification of the sequences of events leading to core damage;

  • Level 2 - involves the evaluation and quantification of the mechanisms, amounts, and probabilities of subsequent radioactive material releases from the containment; and

  • Level 3 - involves the evaluation and quantification of the resulting consequences to both the public and the environment. Consequences to plant personnel are usually not included in a Level 3 PRA.

The procedure guides contained in this report do not cover all of the items discussed above and shown in Figure 1.1. The guidance is limited to accidents involving only the reactor core and that occur while the plant is operating at full power. Initiating events internal and external to the plant are considered and included in the scope of this report. Guidance is also provided for all three analytical levels. However, the Level 3 PRA guidance is limited to offsite consequences.

1.4 Limitations and General Comments

PRA - Guides

It was assumed that the team carrying out the PRA would be familiar with the guides developed by the International Atomic Energy Agency (IAEA, 1992 and IAEA, 1995) for carrying out Level 1 and Level 2 PRAs for internal events. The IAEA documents represent internationally acceptable approaches. The new guides were to improve on the existing guides by: (1) taking into account recent work in the field, (2) considering special problems that might be specifically present for the VVER experience, and (3) improving upon the guidance already provided. The idea was not to duplicate the existing guidance found in the IAEA documents or the material in other guides that have been produced by the NRC, e.g., NRC (1981), NRC (1996) and Drouin (1987). For subjects not well documented in the open literature (e.g., the approach taken for human reliability analysis), detailed guidance would be given; for tasks where a firm understanding was already well established and documentation freely available (e.g., system modeling), minimal guidance and appropriate references would be provided.

PRA - Assumptions and Limitations

The following assumptions and limitations are generally found in a PRA, regardless of its scope or analytical approach:

  • The plant is operating within its regulatory requirements.

  • The design and construction of the plant are adequate and satisfy the established design criteria for the plant.

  • Plant aging effects are not modeled; that is, constant equipment failure rates are assumed.

  • The PRA is calculated for an "average" plant configuration. The plant can be in many different configurations (especially during shutdown) for short periods of time, and it is not practical to calculate the risk from all of the potential configurations. Instead, the average plant risk is calculated using test and maintenance outage events in the PRA models to represent average unavailabilities of systems (or portions of systems). The average system unavailabilities reflect the availability of the systems during all the different configurations actually experienced in the past operation of the plant. The actual test and maintenance unavailabilities for the plant systems thus must be calculated using plant-specific operational data.

1.5 References

Drouin, M. T., F. T. Harper, and A. L. Camp, Analysis of Core Damage Frequency from Internal Events: Methodology, Volume 1, NUREG/CR-4550/1, Sandia National Laboratories, September 1987.

IAEA, Procedures for Conducting Probabilistic Safety Assessments of Nuclear Power Plants (Level 2), Safety Series No. 50-P-8, International Atomic Energy Agency, 1995.

IAEA, Procedures for Conducting Probabilistic Safety Assessments of Nuclear Power Plants (Level 1), Safety Series No. 50-P-4, International Atomic Energy Agency, 1992.

NRC, Individual Plant Examination Program: Perspectives on Reactor Safety and Plant Performance, NUREG-1560, U.S. Nuclear Regulatory Commission, 1996.

NRC, PRA Procedures Guide - A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, NUREG/CR-2300, U.S. Nuclear Regulatory Commission, September 1981.

2. APPROACH

2.1 Scope of a PRA

The scope and quality of a PRA are key in determining the role PRA results can have in the decision-making regulatory activity. This section relies heavily on work reported in SECY-00-0162 (NRC, 2000). The scope of a PRA is defined by the following characteristics:

1. Degree of coverage of the potential hazards

2. Degree of coverage of the population exposed to the hazard

3. Degree of coverage of plant operating states (POSs) that define the plant's operating mode of concern: from full-power, to low-power, to shutdown modes of operation.

4. Degree of coverage of initiating events, either internal or external to the plant boundary, that cause off-normal conditions.

5. Level of characterization of risk:

a. Level 1 PRA that estimates the CDF (given an event that challenges plant operation occurs).

b. Level 2 PRA that estimates the containment failure and radionuclide release frequencies (given a core damage state occurs).

c. Level 3 PRA that estimates the offsite consequences from a release, e.g., early and latent cancer fatalities (given a radionuclide release occurs).

NRC Regulatory Guide 1.200 (NRC, 2004) describes an approach for determining that the quality of a PRA is adequate and so provides confidence in its results. This guidance is consistent with existing NRC PRA policy, and it reflects on-going work by U.S. standard-setting and nuclear industry organizations.

Hazards cover a wide range of events that could potentially cause damage and health effects. For the purpose of performing a PRA of a NPP, the hazards considered are those materials located on the site that, if released, could potentially contaminate the environment and cause health effects to the on-site and off-site population. Generally, hazards resulting from the release of radionuclides are considered. There are three possible sources of radionuclide release:

  • Reactor Core
  • Spent Fuel Pool
  • Fuel Storage

The population that could be exposed to the hazard includes on-site workers and members of the population in the vicinity of the plant. The consequences of an accidental release of radioactive material from a nuclear power plant can be expressed in several forms, including impacts on human health, the environment, or economics.

Plant operating states (POSs) are used to subdivide the plant operating cycle into unique states such that the plant response can be assumed to be the same for all subsequent accident initiating events. Operational characteristics (such as reactor power level; in-vessel temperature, pressure, and coolant level; equipment operability; and changes in decay heat load or plant conditions that allow new success criteria) are examined to identify those important to defining plant operational states. The important characteristics are used to define the states, and the fraction of time spent in each state is estimated using plant-specific information. The risk perspective should be based on the total risk connected with the operation of the reactor, which includes not only full power operation but also low power and shutdown conditions. Therefore, to gain the maximum benefit from a PRA, the model should address all modes of operation.

Initiating events are events that have the ability to challenge the condition of the plant. These events include failure of equipment from either "internal plant causes" such as hardware faults, operator actions, floods or fires, or "external plant causes" such as seismic events or high winds. The risk perspective should be based on the total risk connected with the operation of the reactor, which includes events from both internal and external sources. Therefore, to gain the maximum benefit from a PRA, the model should address both internal and external initiating events.

The risk characterizations used in risk-informed applications are the core damage frequency (CDF) and health effects (to the surrounding population);

therefore, to provide the risk perspective for use in decision-making, a Level 1, 2, and 3 PRA is required.

2.2 Scope of the Guides

An essential part of the PRA process is having confidence in the PRA results such that they can be used in decision making. An independent peer review of the PRA can provide confidence in the results. Therefore, the scope of the PRA guides includes guidance for both performing the technical work and performing a peer review of the technical work.

2.2.1 Technical Guidance

As noted above, the scope of a PRA includes:

  • the degree of coverage of
    - potential hazards
    - population impacted
    - plant operating states
    - initiating events
  • level of risk characterization.

The first major item above defines the scope of the PRA, while the second major item defines the analytical levels to be performed for the given scope. For this project, the PRA scope is limited to the following:

  • hazards including accidents that involve the reactor core
  • offsite population
  • accidents occurring while the plant is operating at full power

The procedure guides contained in this report address this scope for all three analytical levels.

The technical elements for each analytical level are listed in Table 2-1 and briefly described below. Plant Familiarization and Documentation are not separate elements in and of themselves but rather impact all of the technical elements, as noted in Table 2-1. As Plant Familiarization is required for all of the technical elements, it is discussed first. Documentation is discussed last because all of the technical elements provide input to this element. The guidelines for performing the technical elements for the above defined scope are provided in Chapter 3.

Plant Familiarization

Before the technical analysis can begin, it is imperative that the analysis team becomes familiar with all aspects of the plant. The quality of information gathered in this task and the manner in which it is managed are critical to the success of the entire analysis effort. This information gathering process provides assurance that the possible core damage accident sequences are correctly defined and realistically describe the possible plant responses.

As this task provides the basic plant information needed to perform the analytical work, the accuracy of the information gathered is crucial. If inaccurate information is used (e.g., a plant drawing that is out of date because a pump has been removed from the system without the drawing being updated), the final results are likely to inaccurately reflect the operational risk of the plant. It is, therefore, important that all information be verified, and a method for verifying plant information should be developed early in the project.

The verification is aided by well organized and planned plant visits which in part look at the actual plant components and layout and compare them with written descriptions and diagrams. The verification is also aided by the establishment of a plant information data management and retrieval system.

The plant may not be a fixed entity. During (and after) the period of the PRA analysis, design and operational changes can occur at the plant. Many may not have a risk or safety impact. However, some of the changes could have the potential to significantly affect the final results of the analysis. At the start of the project a configuration freeze date, i.e., the date after which plant changes will not be included in the analysis, should be established.

Table 2-1 Technical elements of a PRA

Scope/Level of Analysis | Technical Elements (Note)

Risk Characterization (full power, internal events - transients and loss of coolant accidents)

Level 1:
  • Initiating Event Analysis
  • Success Criteria Analysis
  • Accident Sequence Analysis
  • Systems Analysis
  • Parameter Estimation Analysis
  • Human Reliability Analysis
  • Quantification Analysis
  • Interpretation of Results

Level 2:
  • Plant Damage State Analysis
  • Accident Progression Analysis
  • Source Term Analysis
  • Quantification
  • Interpretation of Results

Level 3:
  • Data Collection
  • Source Term Reduction
  • Consequence Calculation

Internal Flood:
  • Identification Analysis
  • Evaluation Analysis
  • Quantification Analysis

Internal Fire:
  • Screening Analysis
  • Fire Initiation Analysis
  • Fire Damage Analysis
  • Plant Response Analysis

External Events:
  • Screening/Bounding Analysis
  • Fragility Analysis
  • Events Analysis
  • Level 1 Model Modification

Risk Characterization

Level 1 PRA

The following provides a description of each of the Level 1 technical elements.

Initiating event analysis identifies and characterizes those random internal events that both challenge normal plant operation during power or shutdown conditions and require successful mitigation by plant equipment and personnel to prevent core damage from occurring. Events that have occurred at the plant and those that have a reasonable probability of occurring are identified and characterized. An understanding of the nature of the events is developed such that a grouping of the events into event classes, with the classes defined by similarity of system and plant responses (based on the success criteria), may be performed to manage the large number of potential events that can challenge the plant.

Success criteria analysis determines the minimum requirements for each function (and ultimately the systems used to perform the functions) needed to prevent core damage (or to mitigate a release) given an initiating event occurs. The requirements defining the success criteria are based on acceptable engineering analyses that represent the design and operation of the plant under consideration. The criteria needed for a function to be successful are dependent on the initiator and the conditions created by the initiator. The code(s) used to perform the analyses for developing the success criteria are validated and verified for both technical integrity and suitability to assess plant conditions for the reactor pressure, temperature and flow range of interest, and accurately analyze the phenomena of interest. Calculations are performed by personnel qualified to perform the types of analyses of interest and well trained in the use of the code(s).

Accident sequence analysis models, chronologically, the different possible progressions of events (i.e., accident sequences) that can occur

from the start of the initiating event to either successful mitigation or to core damage. The accident sequences account for those systems and operator actions that are used (and available) to mitigate the initiator based on the defined success criteria and plant operating procedures (e.g., plant emergency and abnormal operating procedures and as practiced in simulator exercises). The availability of a system includes consideration of the functional, phenomenological and operational dependencies and interfaces between and among the different systems and operator actions during the course of the accident progression.

Systems analysis identifies the different combinations of failures that can preclude the ability of the system to perform its function as defined by the success criteria. The model representing the various failure combinations includes, from an as-built and as-operated perspective, the system hardware and instrumentation (and their associated failure modes) and the human failure events that would prevent the system from performing its defined function. The basic events representing equipment and human failures are developed in sufficient detail in the model to account for dependencies between and among the different systems, and to distinguish the specific equipment or human event (and its failure mechanism) that has a major impact on the system's ability to perform its function.

Parameter estimation analysis quantifies the frequencies of the identified initiators and quantifies the equipment failure probabilities and equipment unavailabilities of the modeled systems. The estimation process includes a mechanism for addressing uncertainties, has the ability to combine different sources of data in a coherent manner, and represents the actual operating history and experience of the plant and applicable generic experience as applicable.

Human reliability analysis identifies and quantifies the human failure events that can negatively impact normal or emergency plant operations. The human failure events associated with normal plant operation include those events that leave the system (as defined by the success criteria) in an unrevealed, unavailable state. The human failure events associated with emergency plant operation include those events that, if not performed, do not allow the needed system to function. Quantification of the probabilities of these human failure events is based on plant and accident specific conditions, where applicable, including any dependencies among actions and conditions.

Quantification analysis provides an estimation of the CDF given the design, operation and maintenance of the plant. This CDF is based on the summation of the estimated CDF from each initiator class. If truncation of accident sequences and cutsets is applied, truncation limits are set so that the overall model results are not impacted significantly and that important accident sequences are not eliminated. Therefore, the truncation limit can vary for each accident sequence. Consequently, the truncation value is selected so that the accident sequence CDF before and after truncation differs by less than one significant figure.

Interpretation of results entails examining and understanding the results of the PRA and identifying the important contributors sorted by initiating events, accident sequences, equipment failures and human errors. Methods such as importance measure calculations (e.g., Fussell-Vesely, risk achievement, risk reduction, and Birnbaum) are used to identify the contributions of various events to the model estimation of core damage frequency for both individual sequences and the model as a total. Sources of uncertainty are identified and their impact on the results analyzed. The sensitivity of the model results to model boundary conditions and other key assumptions is evaluated using sensitivity analyses to look at key assumptions both individually and in logical combinations. The combinations analyzed are chosen to fully account for interactions among the variables.

Level 2 PRA

The following provides a description of each of the Level 2 technical elements.

Plant damage state analysis groups similar core damage scenarios resulting from the full spectrum of core damage accidents identified in the Level 1 analysis to allow a practical assessment of the severe accident progression and containment response. The plant damage state analysis defines the attributes of the core damage scenarios that represent important boundary conditions to the assessment of severe accident progression and

containment response that ultimately affect the resulting source term. The attributes address the dependencies between the containment systems modeled in the Level 2 analysis and the core damage accident sequence models to fully account for mutual dependencies. Core damage scenarios with similar attributes are grouped together to allow for efficient evaluation of the Level 2 response.

Severe accident progression analysis models the different series of events that challenge containment integrity for the core damage scenarios represented in the plant damage states. The accident progressions account for interactions among severe accident phenomena and system and human responses to identify credible containment failure modes, including failure to isolate the containment. The timing of major accident events and the subsequent loadings produced on the containment are evaluated against the capacity of the containment to withstand the potential challenges. The containment performance during the severe accident is characterized by the timing (e.g., early versus late), size (e.g., catastrophic versus bypass), and location of any containment failures. The code(s) used to perform the analysis are validated and verified for both technical integrity and suitability. Calculations are performed by personnel qualified to perform the types of analyses of interest and well trained in the use of the code(s).

Source term analysis characterizes the radiological release to the environment resulting from each severe accident sequence leading to containment failure or bypass. The characterization includes the time, elevation, and energy of the release and the amount, form, and size of the radioactive material that is released to the environment.

Quantification integrates the accident progression models and source term evaluation to provide estimates of the frequency of radionuclide releases that could be expected following the identified core damage accidents. This quantitative evaluation reflects the different magnitudes and timing of radionuclide releases.

Interpretation of results entails examining results from importance measure calculations (e.g., Fussell-Vesely, risk achievement, risk reduction, and Birnbaum) to identify the contributions of various events to the model estimation of risk for both individual sequences and the model as a total. Sources of uncertainty are identified and their impact on the results analyzed. The sensitivity of the model results to model boundary conditions and other key assumptions is evaluated using sensitivity analyses to look at key assumptions both individually and in logical combinations. The combinations analyzed are chosen to fully account for interactions among the variables.

Level 3 PRA

The following provides a description of each of the Level 3 technical elements.

Data Collection is a compilation of the demographic and weather-related data needed to predict how the radionuclides will be dispersed to the environment. Atmospheric dispersion models require the specification of local meteorology and terrain; deposition models require information regarding frequency and intensity of precipitation; dose and health effects models require information regarding local demographics and land use (i.e., crops grown, dairy activity).

Source Term Reduction groups severe accident progressions resulting from the full spectrum of severe accidents into a smaller number of representative release categories to allow a practical assessment of the offsite consequences. The reduction process identifies the attributes that represent important boundary conditions that ultimately affect the offsite consequences. Accident progressions with these similar attributes are grouped together to allow for efficient evaluation of the Level 3 analysis.

Consequence Calculations provide a conditional estimation of the early and latent fatalities and the extent of land contamination that would be expected following severe accidents. This quantification does not reflect the actual risk associated with operating the plant (this is estimated in the risk integration task below), but deterministically calculates, for each of the representative release categories, the dispersal of the radioactive plume in the environment, the dose (and associated health effects) to the population, and contamination of the surrounding land.

Risk Integration combines the results from all previous analyses (i.e., CDF, release frequency and conditional fatalities) to compute the selected

measures of risk. For a given consequence measure, risk is obtained as the sum over all postulated accidents of the product of the frequency and consequence of the accident. The methods for computing integrated risk are based on combining the results of all constituent analyses of the PRA, from initiating event and core damage frequencies calculated in the Level 1 analysis, through the set of plant damage states and containment event trees and associated source term frequencies estimated in the Level 2 analysis, to the conditional probabilities of the consequence measures evaluated in the Level 3 analysis.

Other Events

The following provides a description of each of the Other Events technical elements. In addressing the above elements, because of the nature and impact of internal flood and fire and external hazards, their attributes need to be discussed separately. This is because flood, fire and external hazards analyses have the ability to cause initiating events but also have the capability to impact the availability of mitigating systems. Therefore, in developing the PRA model, the impact of flood, fire and external hazards needs to be considered in each of the above technical elements. A summary of the desired attributes of acceptable internal flood and fire and external hazards analyses is provided below.

Internal Floods

Identification analysis identifies those plant areas where flooding could pose significant risk. Flooding areas are defined on the basis of physical barriers, mitigation features, and propagation pathways. For each flooding area, flood sources due to equipment (e.g., piping, valves, pumps), internal (e.g., tanks) and external (e.g., rivers) water sources are identified along with the affected SSCs. Flooding mechanisms are examined, which include failure modes of components, human induced mechanisms, and other water releasing events. Flooding types (e.g., leak, rupture, spray) and flood sizes are determined. Plant walkdowns are performed to verify the accuracy of the information.

Evaluation analysis identifies the potential flooding scenarios for each flood source by identifying flood propagation paths of water from the flood source to its accumulation point (e.g., pipe and cable penetrations, doors, stairwells, failure of doors or walls). Plant design features or operator actions that have the ability to terminate the flood are identified. Credit given for flood isolation is justified. The susceptibility of each SSC in a flood area to flood-induced mechanisms is examined (e.g., submerge, spray, pipe whip, and jet impingement). Flood scenarios are developed by examining the potential for propagation and giving credit for flood mitigation. Flood scenarios can be eliminated on the basis of screening criteria. The screening criteria used are well defined and justified.

Quantification analysis provides an estimation of the CDF of the plant due to internal floods. Flooding induced initiating events that represent the design, operation and experience of the plant are identified and their frequencies quantified. The Level 1 models are modified and the internal flood accident sequences quantified: (1) modify accident sequence models to address flooding phenomena, (2) perform necessary calculations to determine success criteria for flooding mitigation, (3) perform parameter estimation analysis to include flooding as a failure mode, (4) perform human reliability analysis to account for PSFs due to flooding, and (5) quantify internal flood accident sequence CDF. Modification of the Level 1 models is performed consistent with the characteristics for Level 1 elements for transients and LOCAs. In addition, sources of uncertainty are identified and their impact on the results analyzed. The sensitivity of the model results to model boundary conditions and other key assumptions is evaluated using sensitivity analyses to look at key assumptions both individually and in logical combinations. The combinations analyzed are chosen to fully account for interactions among the variables.

Internal Fires

Screening analysis identifies fire areas where fires could pose a significant risk. Fire areas which are not risk significant can be "screened out" from further consideration in the PRA analysis. Both qualitative and quantitative screening criteria can be used. The former address whether an unsuppressed fire in the area poses a nuclear safety challenge; the latter are compared against a bounding assessment of the fire-induced core damage frequency for the area. The potential for fires involving multiple areas should be addressed. Assumptions used in the screening analysis should be verified through appropriate plant walkdowns.

2. Approach

Key screening analysis assumptions and results, e.g., the area-specific conditional core damage probabilities (assuming fire-induced loss of all equipment in the area), should be documented.

Fire initiation analysis determines the frequency and physical characteristics of the detailed (within-area) fire scenarios analyzed for the unscreened fire areas. The analysis needs to identify a range of scenarios which will be used to represent all possible scenarios in the area. The possibility of seismically-induced fires should be considered. The scenario frequencies should reflect plant-specific experience, and should be quantified in a manner that is consistent with their use in the subsequent fire damage analysis model (discussed below). The physical characterization of each scenario should also be in terms that will support the fire damage analysis (especially with respect to fire modeling).

Fire damage analysis determines the conditional probability that sets of potentially risk-significant components (including cables) will be damaged in a particular mode, given a specified fire scenario. The analysis needs to address components whose failure will cause an initiating event, affect the plant's ability to mitigate an initiating event, or affect potentially risk significant equipment (e.g., through suppression system actuation). Damage from heat, smoke, and exposure to suppressants should be considered. If fire models are used to predict fire-induced damage, compartment-specific features (e.g., ventilation, geometry) and target-specific features (e.g., cable location relative to the fire) should be addressed. The fire suppression analysis should account for the scenario-specific time required to detect, respond to, and extinguish the fire. The models and data used to analyze fire growth, fire suppression, and fire-induced component damage should be consistent with experience from actual nuclear power plant fire experience as well as experiments.

Plant response analysis involves the modification of appropriate plant transient and LOCA PRA models to determine the conditional core damage probability, given damage to the set(s) of components defined in the fire damage analysis. All potentially significant fire-induced initiating events, including such "special" events as loss of plant support systems, and interactions between multiple nuclear units during a fire event, should be addressed. The analysis should address the availability of non-fire affected equipment (including control) and any required manual actions. For fire scenarios involving control room abandonment, the analysis should address the circuit interactions raised in NUREG/CR-5088, including the possibility of fire-induced damage prior to transfer to the alternate shutdown panel(s). The human reliability analysis of operator actions should address fire effects on operators (e.g., heat, smoke, loss of lighting, effect on instrumentation) and fire-specific operational issues (e.g., fire response operating procedures, training on these procedures, potential complications in coordinating activities). In addition, sources of uncertainty are identified and their impact on the results analyzed. The sensitivity of the results to model boundary conditions and other key assumptions is evaluated using sensitivity analyses to look at key assumptions both individually and in logical combinations. The combinations analyzed are chosen to fully account for interactions among the variables.

External Events

Screening and bounding analysis identifies external events other than earthquake that may challenge plant operations and require successful mitigation by plant equipment and personnel to prevent core damage from occurring. The term "screening out" is used here for the process whereby an external event is excluded from further consideration in the PRA analysis. There are two fundamental screening criteria embedded in the requirements here, as follows: An event can be screened out either (i) if it meets certain design criteria, or (ii) if it can be shown using an analysis that the mean value of the design-basis hazard used in the plant design is less than 10^-5/year, and that the conditional core-damage probability is less than 10^-1, given the occurrence of the design-basis hazard. An external event that cannot be screened out using either of these criteria is subjected to the detailed analysis.

Event Analysis characterizes non-screened external events and seismic events, generally, as frequencies of occurrence of different sizes of events (e.g., earthquakes with various peak ground accelerations, hurricanes with various maximum wind speeds) at the site. The external events are site specific and include both aleatory and epistemic uncertainties.

Fragility Analysis characterizes the conditional probability of failure of important structures, components, and systems whose failure may lead to unacceptable damage to the plant (e.g., core damage) given occurrence of an external event.

For important SSCs, the fragility analysis is realistic and plant-specific. The fragility analysis is based on extensive plant walkdowns reflecting as-built, as-operated conditions.

Level 1 Model Modification assures that the system models include all important external-event caused initiating events that can lead to core damage or large early release. The system model includes external-event induced SSC failures, non-external-event induced failures (random failures), and human errors. The system analysis is well coordinated with the fragility analysis and is based on plant walkdowns. The results of the external event hazard analysis, fragility analysis, and system models are assembled to estimate frequencies of core damage and large early release. Uncertainties in each step are propagated through the process and displayed in the final results. The quantification process is capable of conducting the necessary sensitivity analyses and of identifying dominant sequences and contributors.

Documentation

Traceability and defensibility provides the necessary information such that the results can easily be reproduced and justified. The sources of information used in the PRA are both referenced and retrievable. The methodology used to perform each aspect of the work is described either through documenting the actual process or through reference to existing methodology documents. Assumptions(1) made in performing the analyses are identified and documented along with their justification to the extent that the context of the assumption is understood. The results (e.g., products and outcomes) from the various analyses are documented.

2.2.2 Guidance for Peer Review Process

A peer review process can be used to identify weaknesses in the PRA and the importance of the weaknesses to the confidence in the PRA results.

An acceptable peer review needs to be performed by qualified personnel, needs to be performed according to an established process that compares the PRA against desired characteristics and attributes, and needs to document the results including both strengths and weaknesses of the PRA.

The team qualifications determine the credibility and acceptability of the peer reviewers. The peer reviewers should not give any perception of a conflict of interest; therefore, they should be independent of the PRA and not have performed any technical work on the PRA. The members of the peer review team should have technical expertise in the PRA elements they review, including experience in the specific methods that are utilized to perform the PRA elements. In addition, knowledge of the specific plant design and operation is essential. Finally, each member of the peer review team should be knowledgeable of the peer review process, including the desired characteristics and attributes used to assess the acceptability of the PRA.

The peer review process includes a documented procedure to direct the team in evaluating the acceptability of a PRA. The review process should compare the PRA against the desired PRA characteristics and attributes, which are listed in Table 2-2 below. In addition to reviewing the methods utilized in the PRA, the peer review also determines if the application of those methods was done correctly. The PRA models should be compared against the plant design and procedures to validate that they reflect the as-built and as-operated plant. Key assumptions should be reviewed to determine if they are appropriate and if they have a significant impact on the PRA results.

The PRA results should be checked for fidelity with the model structure and also for consistency with the results from PRAs for similar plants. Finally, the peer review process should examine the procedures or guidelines in place for updating the PRA to reflect changes in plant design, operation, or experience.

Documentation provides the necessary information such that the peer review process and the findings are both traceable and defensible. A description of the qualifications of the peer review team members and the peer review process should be documented. The results of the peer review for each technical element and the PRA update process should be described, including those areas where the PRA does not meet or exceed the desired characteristics and attributes used in the review

process. This includes an assessment of the importance of any identified deficiencies on the PRA results and potential uses and how these deficiencies were addressed and resolved.

Table 2-2 Summary of technical characteristics and attributes of a PRA

Element | Technical Characteristics and Attributes

Plant Familiarization

  • identification of plant information sources to provide sufficient plant knowledge such that the PRA model represents the as-built and as-operated plant and reflects the actual operating history
  • design and operational understanding confirmed by actual plant walkdowns and interviews of operators

Level 1 PRA (internal events -- transients and loss of coolant accidents (LOCAs))

Initiating Event Analysis
  • sufficiently detailed identification and characterization of initiators
  • grouping of individual events according to plant response and mitigating requirements

Success Criteria Analysis
  • based on best-estimate engineering analyses applicable to the actual plant design and operation
  • codes developed, validated, and verified in sufficient detail to:

- analyze the phenomena of interest

- be applicable in the pressure, temperature, and flow range of interest

Accident Sequence Development Analysis
  • defined in terms of hardware, operator action, and timing requirements and desired end states (e.g., CD or PDSs)
  • includes necessary and sufficient equipment (safety and non-safety) reasonably expected to be used to mitigate initiators
  • includes functional, phenomenological, and operational dependencies and interfaces

Systems Analysis
models developed in sufficient detail to:
  • reflect the as built, as operated plant including how it has performed during the plant history
  • reflect the required success criteria for the systems to mitigate each identified accident sequence
  • capture impact of dependencies, including support systems and harsh environmental impacts
  • include both active and passive components and failure modes that impact the function of the system
  • include common cause failures, human errors, unavailability due to test and maintenance, etc.

Parameter Estimation Analysis
  • estimation of parameters associated with initiating event, basic event probability models, recovery actions, and unavailability events that account for plant-specific and generic data
  • consistent with component boundaries
  • estimation includes a characterization of the uncertainty

Human Reliability Analysis
  • identification and definition of the human failure events that would result in initiating events or pre- and post-accident human failure events that would impact the mitigation of initiating events
  • quantification of the associated human error probabilities taking into account scenario (where applicable) and plant-specific factors and including appropriate dependencies both pre- and post-accident

Quantification
  • estimation of the CDF for modeled sequences that are not screened due to truncation, given as a mean value
  • estimation of the accident sequence CDFs for each initiating event group
  • truncation values set relative to the total plant CDF such that the frequency is not significantly impacted

Interpretation of Results
  • identification of the key contributors to CDF: initiating events, accident sequences, equipment failures and human errors
  • identification of sources of uncertainty and their impact on the results
  • understanding of the impact of the key assumptions* on the CDF and the identification of the accident sequences and their contributors

Level 2 PRA

Plant Damage State Analysis
  • identification of the attributes of the core damage scenarios that influence severe accident progression, containment performance, and any subsequent radionuclide releases
  • grouping of core damage scenarios with similar attributes into plant damage states
  • carryover of relevant information from Level 1 to Level 2

Severe Accident Progression Analysis
  • use of verified, validated codes by qualified trained users with an understanding of the code limitations and the means for addressing the limitations
  • assessment of the credible severe accident phenomena via a structured process
  • assessment of containment system performance including linkage with failure modes on non-containment systems
  • establishment of the capacity of the containment to withstand severe accident environments
  • assessment of accident progression timing, including timing of loss of containment integrity

Quantification
  • estimation of the frequency of different containment failure modes and resulting radionuclide source terms

Source Term Analysis
  • assessment of radionuclide releases including appreciation of timing, location, amount and form of release
  • grouping of radionuclide releases into a smaller subset of representative source terms with emphasis on large early release (LER) and on large late release (LLR)

Interpretation of Results
  • identification of the contributors to containment failure and resulting source terms
  • identification of sources of uncertainty and their impact on the results
  • understanding of the impact of the key assumptions* on Level 2 results

Level 3

Data Collection
  • data regarding local meteorology and terrain, site demographics, and local land use represent current, plant-specific conditions.

Source Term Reduction
  • source terms used to calculate offsite consequences preserve the full range of early (mechanistic) and late (stochastic) health effects that would result from actual Level 2 source terms.

Consequence Calculation
  • variability in weather addressed as major uncertainty in consequences

Risk Integration
  • integrates results of Level 1, 2 and 3 to compute various measures of risk.
  • each of the three PRA Levels are linked together in a self-consistent and statistically rigorous manner.

Internal Flood Analysis

Identification Analysis
  • sufficiently detailed identification and characterization of:

- flood areas and SSCs located within each area

- flood sources and flood mechanisms

- the type of water release and capacity

- the structures functioning as drains and sumps

  • verification of the information through plant walkdowns

Evaluation Analysis
  • identification and evaluation of

- flood propagation paths

- flood mitigating plant design features and operator actions

- the susceptibility of SSCs in each flood area to the different types of floods

  • elimination of flood scenarios uses well defined and justified screening criteria

Quantification
  • identification of flooding induced initiating events on the basis of a structured and systematic process
  • estimation of flooding initiating event frequencies
  • estimation of CDF for chosen flood sequences
  • modification of the Level 1 models to account for flooding effects including uncertainties

Internal Fire Analysis

Screening Analysis
  • all potentially risk-significant fire areas are identified and addressed
  • all required mitigating components and their cables in each fire area are identified
  • screening criteria are defined and justified
  • necessary walkdowns are performed to confirm the screening decisions
  • screening process and results are documented
  • unscreened areas are subjected to appropriate level of evaluations (including detailed fire PRA evaluations as described below) as needed

Fire Initiation Analysis
  • all potentially significant fire scenarios in each unscreened area are addressed
  • fire scenario frequencies reflect plant-specific features
  • fire scenario physical characteristics are defined
  • bases are provided for screening fire initiators

Fire Damage Analysis
  • damage to all potentially significant components is addressed; considers all potential component failure modes
  • all potentially significant damage mechanisms are identified and addressed; damage criteria are specified
  • analysis addresses scenario-specific factors affecting fire growth, suppression, and component damage
  • models and data are consistent with experience from actual fire experience as well as experiments
  • includes evaluation of propagation of fire and fire effects (e.g., smoke) between fire compartments

Plant Response Analysis
  • all potentially significant fire-induced initiating events are addressed so that their bases are included in the model
  • includes fire scenario impacts on core damage mitigation and containment systems including fire-induced failures
  • potential circuit interactions which can interfere with safe shutdown are addressed
  • human reliability analysis addresses effect of fire scenario-specific conditions on operator performance

Quantification
  • estimation of fire CDF for chosen fire scenarios
  • identification of sources of uncertainty and their impact on the results
  • understanding of the impact of the key assumptions* on the CDF
  • all fire risk-significant sequences are traceable and reproducible

External Events Analysis

Screening and Bounding Analysis
  • credible external events (natural and man-made) that may affect the site are addressed
  • screening and bounding criteria are defined and results are documented
  • necessary walkdowns are performed
  • non-screened events are subjected to appropriate level of evaluations

Event Analysis
  • the event analysis is site and plant-specific
  • the event analysis addresses uncertainties

Fragility Analysis
  • fragility estimates are plant-specific for important SSCs
  • walkdowns are conducted to identify plant-unique conditions, failure modes, and as-built conditions.

Level 1 Model Modification
  • important external event caused initiating events that can lead to core damage and large early release are included
  • external event related unique failures and failure modes are incorporated
  • equipment failures from other causes and human errors are included. When necessary, human error data is modified to reflect unique circumstances related to the external event under consideration
  • unique aspects of common causes, correlations, and dependencies are included
  • the systems model reflects as-built, as-operated plant conditions
  • the integration/quantification accounts for the uncertainties in each of the inputs (i.e., hazard, fragility, system modeling) and final quantitative results such as CDF and LERF
  • the integration/quantification accounts for all dependencies and correlations that affect the results

Documentation

Traceability and defensibility
  • The documentation is sufficient to facilitate independent peer reviews
  • The documentation describes all of the important interim and final results, insights, and important sources of uncertainties
  • Walkdown process and results are fully described
  • Assumptions include those decisions and judgments that were made in the course of the analysis.
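The external-events quantification described in Section 2.2 above (the 10^-5/year and 10^-1 screening criterion, the hazard curve from event analysis, the fragility analysis, and the Level 1 model modification that assembles them into a core damage frequency with propagated uncertainties) can be illustrated numerically. The Python below is an added example, not code from this report or from the Kalinin project. It assumes a lognormal fragility model (a form the report does not prescribe), and the hazard curve, median capacity and beta values are constructed for illustration.

```python
"""Added example (not from the report): external-event screening test and
assembly of hazard, fragility and uncertainty into a core damage frequency."""
import math
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # used by the lognormal fragility model (assumed form)

# Constructed site hazard curve, not data from any real site:
# (peak ground acceleration in g, mean annual frequency of exceeding it).
HAZARD_CURVE = [
    (0.05, 1.0e-2),
    (0.10, 2.0e-3),
    (0.20, 3.0e-4),
    (0.40, 3.0e-5),
    (0.80, 2.0e-6),
    (1.60, 1.0e-7),
]


def can_screen_out(mean_design_basis_freq, ccdp_given_design_basis):
    """Screening criterion (ii) from the report: the event is excluded from
    detailed analysis only if the mean frequency of the design-basis hazard is
    below 1E-5/year AND the conditional core damage probability given that
    hazard is below 1E-1. Criterion (i), meeting design criteria, is a
    qualitative judgement and is not modeled here."""
    return mean_design_basis_freq < 1.0e-5 and ccdp_given_design_basis < 1.0e-1


def exceedance_frequency(curve, a):
    """Mean annual frequency of exceeding level a, by log-log interpolation of
    the tabulated curve (flat below the first point, power-law extrapolation of
    the last segment above the last point)."""
    if a <= curve[0][0]:
        return curve[0][1]
    for (x0, y0), (x1, y1) in zip(curve, curve[1:]):
        if a <= x1:
            break
    slope = math.log(y1 / y0) / math.log(x1 / x0)
    return y0 * (a / x0) ** slope


def fragility(a, median_capacity, beta):
    """Lognormal fragility model (assumed): P(failure | hazard level a) with
    the given median capacity and logarithmic standard deviation beta."""
    if a <= 0.0:
        return 0.0
    return _STD_NORMAL.cdf(math.log(a / median_capacity) / beta)


def core_damage_frequency(curve, median_capacity, beta, steps=400):
    """Assemble hazard and fragility: CDF = integral of F(a) * |dH/da| da.
    Each bin of a log-spaced grid contributes the frequency of events falling
    in that bin times the fragility at the bin's geometric midpoint. Events
    beyond the top of the grid are counted as core damage (conservative)."""
    a_lo, a_hi = curve[0][0], curve[-1][0]
    grid = [a_lo * (a_hi / a_lo) ** (i / steps) for i in range(steps + 1)]
    cdf = 0.0
    for a0, a1 in zip(grid, grid[1:]):
        freq_in_bin = exceedance_frequency(curve, a0) - exceedance_frequency(curve, a1)
        cdf += freq_in_bin * fragility(math.sqrt(a0 * a1), median_capacity, beta)
    return cdf + exceedance_frequency(curve, a_hi)


def mean_cdf_over_epistemic(curve, median_capacity, beta_r, beta_u, samples=200):
    """Propagate epistemic uncertainty: the median capacity itself is uncertain
    (lognormal with logarithmic std beta_u) while beta_r is the aleatory
    randomness. Stratified sampling over the quantiles of the epistemic
    variable returns the mean CDF and the per-sample CDFs that would be
    displayed as the uncertainty in the final results."""
    cdfs = []
    for i in range(samples):
        eps = _STD_NORMAL.inv_cdf((i + 0.5) / samples)
        capacity = median_capacity * math.exp(beta_u * eps)
        cdfs.append(core_damage_frequency(curve, capacity, beta_r))
    return sum(cdfs) / samples, cdfs


def composite_beta(beta_r, beta_u):
    """The mean of a lognormal fragility with separate aleatory and epistemic
    betas is itself lognormal with this composite beta, so the mean CDF can be
    cross-checked with a single deterministic integration."""
    return math.sqrt(beta_r ** 2 + beta_u ** 2)


if __name__ == "__main__":
    am, beta_r, beta_u = 0.9, 0.25, 0.35  # constructed plant-level capacity (g)
    design_basis_pga = 0.2               # constructed design-basis level (g)
    beta_c = composite_beta(beta_r, beta_u)
    print("screened out:", can_screen_out(
        exceedance_frequency(HAZARD_CURVE, design_basis_pga),
        fragility(design_basis_pga, am, beta_c)))
    mean_cdf, cdfs = mean_cdf_over_epistemic(HAZARD_CURVE, am, beta_r, beta_u)
    print(f"mean CDF {mean_cdf:.2e}/yr, range {min(cdfs):.1e} to {max(cdfs):.1e}")
    print(f"composite-beta CDF {core_damage_frequency(HAZARD_CURVE, am, beta_c):.2e}/yr")
```

The stratified mean and the composite-beta integration should agree closely; a large gap between them would indicate an error in the uncertainty propagation rather than in the hazard or fragility inputs.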

3. TECHNICAL ACTIVITIES

This chapter provides the guidance for the analytical tasks needed to perform the technical elements of the PRA for the scope defined in Chapter 2. This scope includes:

  • hazards involving reactor core accidents
  • offsite population
  • accidents occurring while the plant is operating at full power
  • initiating events internal and external to the plant

The guides contained in this chapter address this scope for all three analytical levels.

The technical elements for each analytical level are listed in Table 3-1 and their associated guides described below.

Plant Familiarization and documentation are not separate elements in and of themselves but rather impact all of the technical elements as noted in Table 3-1. As plant familiarization is required for all of the technical elements it is discussed first. Documentation is discussed in Chapter 4.

Table 3-1 Technical elements of a PRA

Scope/Level of Analysis | Technical Elements (Note)

Risk Characterization (full power, internal events - transients and loss of coolant accidents)

Level 1
  • Initiating Event Analysis
  • Parameter Estimation Analysis
  • Success Criteria Analysis
  • Human Reliability Analysis
  • Accident Sequence Analysis
  • Quantification Analysis
  • Systems Analysis
  • Interpretation of Results

Level 2
  • Plant Damage State Analysis
  • Quantification
  • Accident Progression Analysis
  • Interpretation of Results
  • Source Term Analysis

Level 3
  • Data Collection
  • Consequence Calculation
  • Source Term Reduction

Internal Flood
  • Identification Analysis
  • Quantification Analysis
  • Evaluation Analysis

Internal Fire
  • Screening Analysis
  • Fire Damage Analysis
  • Fire Initiation Analysis
  • Plant Response Analysis

External Events
  • Screening/Bounding Analysis
  • Fragility Analysis
  • Events Analysis
  • Level 1 Model Modification

3.1 Plant Familiarization

This section describes the Plant Familiarization Analysis task. Before the technical analysis can begin, it is imperative that the analysis team becomes familiar with all aspects of the plant. The quality of information gathered in this task and the manner in which it is managed is critical to the success of the entire analysis effort. This information gathering process provides assurance that the possible core damage accident sequences are correctly defined and realistically describe the possible plant responses.

3.1.1 Assumptions and Limitations

This task provides the basic plant information needed to perform the analytical work. Hence, the

accuracy of the information gathered is crucial. If inaccurate information is used (e.g., a plant drawing that is out of date because a pump has been removed from the system without the drawing being updated), the final results are likely to inaccurately reflect the operational risk of the plant. It is, therefore, important that all information be verified, and a method for verifying plant information should be developed early in the project.

Verification is particularly important for VVER reactors because the information can come from several different sources. The team leader should establish an appropriate QA process so that the information does provide an accurate representation of the as-built condition and current operation of the plant. Note that this verification is also part of an overall QA program for the project.

The verification is aided by well organized and planned plant visits which in part look at the actual plant components and layout and compare them with written descriptions and diagrams. The verification is also aided by the establishment of a plant information data management and retrieval system which is described below.

The plant may not be a fixed entity. During (and after) the period of the PRA analysis, design and operational changes can occur at the plant. Many may not have a risk or safety impact. However, some of the changes could have the potential to significantly affect the final results of the analysis. At the start of the project, the team leader should decide on a configuration freeze date, i.e., the date after which plant changes will not be included in the analysis. Therefore, close communication must exist between the team leader and the plant staff member responsible for scheduling plant changes. This close coordination ensures that the analysts are not dealing with a moving target in terms of plant configuration. The potential for the analysis to be outdated before completion is reduced.

Establishing an analysis freeze date is intended to facilitate the completion of the models in a timely manner. Indeed, it is likely and desirable for plant changes (hardware or procedural) to be identified during the conduct of the PRA, possibly as a result of some preliminary task-analysis findings. If a commitment is made to implement these changes in a timely manner, the PRA should then incorporate them into the plant model after concurrence between the team leader and the project sponsors. It should be noted, however, that in a typical plant, changes ranging from small to major occur frequently. Consideration of all would be a major distraction of the project team and can impact project milestones.

3.1.2 Products

The current task provides significant information to all analytical tasks of the PRA. In addition, the task will provide basic information needed for the final documentation. Specifically, the products for this task are provided below:

  • A report documenting the outcome of the plant visit is sent to the various organizations. This allows the utility personnel who have been queried to clarify any misunderstandings and provide traceability of the information received.
  • After the additional information is obtained during the plant visit, the outputs of the preliminary plant analysis task should be finalized to the extent possible before being employed in subsequent tasks in the PRA.
  • The plant information gathering effort continues throughout the PRA study so that a coherent PRA model is developed that reliably reflects the plant design and operation. Requests for additional information and additional plant visits focusing on specific subjects are expected.

3.1.3 Task Activities

In the plant familiarization process, an understanding of the plant is established, providing the foundation for all subsequent technical analyses and modeling activities. This process involves several activities summarized below, and subsequently discussed in more detail.

The second task, Obtain Analysis Information, involves obtaining specific information. Although this guide concentrates on the type of information needed for performing an internal event analysis, preliminary information needed for conducting internal fire, internal flood, and seismic analyses is also listed. This information comes from several sources, including the plant.

The next task involves using the data to perform a preliminary plant analysis to initiate preparation of other tasks of the PRA, followed by a plant visit (Task 4). The plant visit is scheduled to resolve questions, confirm and corroborate information already received, and obtain additional information. The process is iterative and the plant visits selective as discussed in Task 4. More visits may be necessary for obtaining additional information found lacking as a result of the ongoing analysis or as the program matures. For example, it would be manpower intensive and cost prohibitive to conduct during the first visit a spatial interaction to assess likely fire scenarios before dominant accident sequences for internal events have been appropriately quantified and evaluated.

Task 1 - Obtain Analysis Information

Plant-Specific Information

Table 3-2 lists plant documents that should contain information needed for conducting a Level 1 PRA. A brief description about each document and the relevant PRA information each may contain is also given in the table. Much of this information can be obtained prior to any plant visit. However, before any specific documents are requested, the project team should be made aware of all the possible plant documents that may contain the information indicated and then selectively request those deemed most appropriate for the project. In particular, a list of piping and instrumentation diagrams should be provided to the team and copies be made available of those diagrams considered most relevant by the team.

It is essential to have a senior member of the plant staff act as a contact point for obtaining plant information from each source. This person should: (1) be familiar with the process of acquiring the types of information listed in Table 3-2, (2) provide the indices for the documents and possibly give sample documents to the PRA team at the beginning of the information gathering task, (3) be able to understand why the information is needed, and (4) continue to serve as liaison throughout the project. It is likely that several different sources of organizations or groups within an organization will be asked to provide information or other support for the PRA. The idea behind requesting a "senior member" as a permanent point of contact is to facilitate and expedite the requests for information made to these different groups.

It is important to ensure that the most up-to-date information is used in the study. Before a document is requested, it should be known how often it is updated and whether portions of the document are out of date. Close communication is essential between the PRA team leader and the designated senior plant staff member at the information source for assuring that the requested plant information is up to date.

Generic Information from Similar Plants

Analyses performed for similar plants can also be very useful. They can enhance the completeness of the PRA model by providing supplemental information on: the reliability of similar plant components, potential accident initiators, potential accident scenarios, and common safety issues. Three types of generic information that can be considered useful for supplementing the PRA are listed in Table 3-3.

Table 3-4 lists all the tasks required for conducting an internal event analysis and cross references each task with the needed information listed in the previous two tables.

Information Needed for Internal Fires, Internal Floods, and Seismic Events

Table 3-5 lists the plant information needed for an internal fire analysis.(1) Table 3-6 lists the information needed to perform an internal flood analysis. Basically, plant-specific flood incident

(1) Note that in the U.S., information relevant to this table comes from the plant's implementation of the regulatory requirements specified in Appendix R of 10CFR50. The Appendix R submittal contains: the definition of fire areas, including the fire protection equipment; safe shutdown analysis that assures that a minimum set of plant systems and components are available to shutdown the plant, given a postulated fire with a concurrent loss of offsite power; and combustible loading analysis that identifies the combustibles, including transients and cables. For a fire PRA, in addition to the Appendix R submittal, plant-specific and generic fire incident data and cable location and routing drawings are needed. The noted table summarizes the information needed from those plants that do not have an Appendix R submittal or its equivalent.

Table 3-2 Plant information needed to perform a Level 1 internal event PRA

Plant Document | Information Provided
1 Final Safety Analysis Reports submitted to the regulatory agency | General description of the plant, systems, and design basis accidents
2 System Descriptions, System Manuals, Equipment Manuals (manufacturers) | Detailed system descriptions (possibly used in operator training), operating envelope and success criteria
3 Piping and Instrumentation Diagrams, System Flow Diagrams | Schematics of systems showing piping specifications, components, instrumentation sensors, and flow paths
4 Elementary Diagrams | Control diagrams for components
5 Electrical One-line Diagrams | Showing breakers and components that are connected to different electrical buses and motor control centers, control logic
6 Equipment Layout Drawings | Showing location of major components in different plant areas, to determine accessibility to areas of recovery and potential common cause effects
7 Emergency Procedures and other procedures that help the operators during an accident | Accident scenario development, human reliability analysis, accident mitigation strategies for event tree development
8 Operating Procedures | Full, low power and shutdown activities
9 Training Procedures for Mitigating Accidents | Accident scenario development, human reliability analysis
10 Test and Maintenance Procedures for Major Equipment, Surveillance Procedures | Low power and shutdown activities, system availability, corrective and preventive strategies
11 Maintenance Logs | Maintenance unavailability data, mean-time-to-repair, failure frequency
12 Licensee Event Reports | Incident reports that are required to be submitted to the regulatory body, initiating event source book
13 Technical Specifications and Other Regulatory Requirements | System model development, limiting condition of system operation, allowed down times
14 Plant Incidents and Analysis Reports, Scram Reports, Operator Logs | Description and analysis of incidents at the plant that may or may not be reported to the regulatory body, recurring problems
15 Piping Location and Routing Drawings | Routing of piping throughout the plant
16 Analyses and Experiments Pertinent to the Determination of Mission Success Criteria | Documentation of experiments and thermal hydraulic analysis that were performed to address safety or operational issues, and plant behavior in specific conditions
17 Failure Mode and Effect Analysis | Detailed documentation of potential failure modes of equipment and their effect on the rest of the plant
18 Control Room Instrumentation and Control Layout Drawings | Layout of individual gauges, annunciators, and control switches in the control room
19 Descriptions of Known Safety or Regulatory Issues to Be Addressed | Potential failure modes and accident scenarios, level of detail of PRA model needed

Table 3-3 Generic information from plants of same/similar design

Generic Information from Plants of Same/Similar Design - Examples
A. PRAs - Novovoronezh PRA
B. Analysis of Experienced Events - IAEA-TECDOC-749 on Generic Initiating Events for PRA for VVER Reactors
C. Component Failure Data Analysis - IAEA-TECDOC-478 on Component Reliability Data Sources in PRA
Table 3-4 Cross reference of PRA tasks and plant information needed

PRA Tasks | Plant Specific Information/Documentation Needed (Items from Table 3-1) | Generic Information for Plants of Similar Design (Items from Table 3-2)
Familiarization | All | All
Sources of Radioactive Releases | 1,2,6,19 | A,B,E,F
Select Plant Operating States | 1,2,8 | A
Definition of Core Damage | 16 | A,C
Selection of Initiating Events | 1,2,7,9,12,14,17,19 | A,B,E,F
Definition of Safety Function | 1,2,7,9,14,16,19 | A,B,C,E,F
Function/System Relationship | 1,2,7,14,16,19 | A,B,E
System Requirements | 1,2,3,4,5,6,7,13,14,16,17,19 | A,B,C,E,F
Grouping of Initiating Events | 1,2,3,4,5,6,7,13,14,16,17,19 | A,B,E
Event Sequence Modeling | 1,2,6,7,9,12,14,16,19 | A,B,C,E,F
System Modeling | 1,2,3,4,5,6,7,13,14,16,17,19 | A,B,D
Human Performance Analysis | 1,2,6,7,9,12,14,16,18 | A,B,E,F
Qualitative Dependence Analysis | 1,2,3,4,5,6,7,19 | A,B,E,F
Impact of Physical Process on Logic Model | 1,2,7,9,12,14,16,17,19 | A,B,C,E,F
Plant Damage State | Information needed for preceding tasks that provide input to the task | A,C
Analysis of Initiating Event Frequency | 1,2,7,9,12,17,19 | A,B,E,F
Component Reliability and Common Cause Failure | 10,11,12,19 | A,B,D,E,F
Assessment of Human Error Probabilities | 1,2,6,7,9,12,14,16,18,19 | A,B,E,F
Accident Sequence Boolean Equations | 1,2,3,4,5,6,7,13,16,17,19 | A,E
Initial Quantification of Accident Sequences | Information needed for preceding tasks that provide input to the task | A,D
Final Quantification of Accident Sequences | Information needed for preceding tasks that provide input to the task | A,D
Uncertainty Analysis | Information needed for preceding tasks that provide input to the task | A,D
Importance and Sensitivity Analyses | Information needed for preceding tasks that provide input to the task | A,E

Table 3-5 Information needed for internal fire analysis

Fire Area Definition - Areas separated by 3-hour rated barriers
Fire Barriers - Fire doors, fire walls, cable penetrations, cable tray insulations
Loading of Combustibles and Their Physical and Combustion Properties - Cables, lubricating oil, paper, etc.
Cable Location, Separation, and Routing Drawings - Power cables and control cables
Plant-Specific and Generic Fire Incident Reports
Fire Detection Devices - Smoke detectors, heat sensors
Fire Suppression Devices - Sprinklers, CO2, halon system, fire hydrant, fire hose, fire extinguisher, deluge system
Fire Contingency Plans - Emergency procedures in case of a fire
Safe Shutdown Analysis - Analysis demonstrating that a fire postulated at a given location can be mitigated with the plant brought to a safe shutdown condition
Breaker Coordination Study - Studies indicating that the sequencing of the breaker opening and closing during a postulated fire will not adversely affect the plant's ability to mitigate the fire

Table 3-6 Information needed for internal flood analysis

Potential Sources of Floods - Storage tanks, lakes, rivers, oceans, reservoirs, their location, elevation, and volume
General Arrangement Drawings - Showing the plant site topography information and the proximity of plant structures to nearby flood sources
Potential Pathways Between the Sources of Flood and Plant Buildings - Piping, pipe tunnels, floor drains, doors, dikes, cable tunnels
Interconnections between different floors and buildings - Doors, dikes, floor drains, pipe tunnels, cable tunnels
Plant Specific Flood Incident Descriptions and Analyses
Emergency Procedures for Floods (and procedures for responses to high sump levels)

data, potential sources of flood, and pathways from the flood sources to plant equipment are needed.

Table 3-7 lists the information needed to perform a seismic event analysis. The information is needed to determine the seismic hazards at the plant site and the component fragilities. A hazard analysis provides curves that present the frequency of occurrences of seismic events for a range of ground-motion intensities. A fragility analysis provides component and structure fragilities that are used to calculate the likelihood that the component or structure will fail, given a seismic event of a certain magnitude.

Table 3-7 Information needed for seismic analysis

(a) Information for Performing Hazard Analysis

Type of Information - Desirable Information

Seismicity around the site region:
  • Documents on historic earthquakes in a wide area surrounding the site
  • Documents on recent earthquake activities around the site
  • Documents/references related to the siting of the plant
  • References on the seismological studies for the region (e.g., magnitude, attenuation)
  • Recorded ground motions (if not available, use U.S./European records for similar grounds)

Geological and ground survey (if the site is near the ocean, include seabed survey):
  • Geological maps; wide area (1/100,000 - 1/200,000), vicinity (1/1,000 - 1/5,000), and vertical geological cross-section map
  • Aerial photographs (if any)
  • Topological surface survey (existence of lineaments/dislocations)
  • References on the seismic geostructure around the region (seismotectonics)
  • Survey on the active faults around the region (e.g., fault length, dislocation speed)

Local Soil Condition (the information is also used in fragility analysis):
  • Boring/pit/trench survey results
  • Soil column profile
  • Survey on groundwater
  • Shear wave velocity data (if any)
  • Laboratory/In-situ test results on rocks and soil

(b) Information for Performing Fragility Analysis

Type of Information - Desirable Information

Documents on Structural Design:
  • Architectural/structural drawings for buildings and components
  • Engineering specifications on material, fabrication and construction
  • Design codes/standards used in the plant design
  • Any material test results (e.g., concrete cylinder tests, foundation bearing tests)
  • Records on the structural analyses including analysis models

Information on Component/Equipment:
  • Design drawing of components (e.g., support/frame/panel, electric circuit diagrams)
  • Any available vibration test results
  • Details of anchorage and related design code/standard
  • Generic information on the seismic fragility of component/equipment
  • Records on failure/repair on equipment

Other Information:
  • Any structural analysis performed for the plant (e.g., seismic analysis of reactor building, integrity analysis of vessels/piping)
  • Past records on the structural integrity (e.g., cracks, rusting, settlement and past repair works)
  • Availability of supply systems (offsite power, water)
Task 2 - Perform Preliminary Plant Analysis

Preliminary analysis of the information gathered will verify that the necessary information is available and will identify additional information needed. The analysis also allows the information to be organized as inputs to subsequent project tasks. The following descriptions specify the output of the preliminary information analysis. It is expected that the specified information may not be readily available and significant effort may be needed to obtain the information. It is up to the team to decide how complete the information has to be before proceeding to the subsequent tasks. The gathering of this information can be considered the initiation of the remaining PRA tasks. The task leader for each of the tasks will be responsible for the preliminary analysis.

Review of Information from Similar Plants

Any generic information listed in Table 3-3 that is collected should be reviewed for applicability to the current PRA tasks. A description of the potential use of each item should be given by the task team. The items in the table may provide insights into potential unique accident scenarios or failure mechanisms. For example, a review of the Novovoronezh PRA might find that failure of the reactor coolant pump seal leading to a LOCA is an important cause of core damage and may have to be considered in the present analysis. Analysis of the issue of the vulnerability of pump seals to LOCA conditions should then be performed, taking into account plant-specific design features, to determine applicability. Once an issue is identified as applicable, how it can be modeled in the PRA should be described.

Initiating Event Analysis

The plant incidents that are potential accident initiating events should be reviewed and tabulated. For each incident, the following should be noted: the date, time, and plant condition when it occurred, its impact on plant systems, causes, sequence of events leading to its termination, and changes in plant design and operations that resulted from it. Discussions of other possible causes of similar events would also be useful.

Data Analysis

Reported failures on plant components should be tabulated, including: the cause of failure, how the failure was detected, the plant's condition, the repair time, and the effects of the failure on the plant. To quantify the failure probability, the following information is also needed: the number of times the component is used or challenged, the number of similar components at the plant, the test and maintenance strategy, and the time period of the collected data.

Systems Analysis

A listing of frontline systems that can potentially be used to mitigate the progression of probable accidents started by an initiating event and a listing of support systems including those that provide automatic actuation signals should be prepared. The listing should include one paragraph summaries describing the function of each system, the number of trains in each system, the function(s) each system performs, and the system's design capacity. A top-level matrix indicating the system and support system dependency should be prepared. Information on train-level and component-level dependencies and setpoints for automatic signals should be collected as well.

Success Criteria Determination

References to existing thermal-hydraulic analyses that determine the timing of potential accidents and success criteria of the systems employed in the analysis should be compiled. This compilation will help to determine if any additional supporting thermal-hydraulic analysis is needed at this stage of the study.

Event Tree/Accident Scenario Development

Event sequence diagrams based on the relevant emergency procedures for transients, loss-of-offsite power, and LOCAs should be developed. The mitigating functions and the systems associated with the functions should be tabulated.

Human Reliability Analysis

Relevant emergency procedures should be listed. Diagrams of the detailed layout of instrumentation and controls in the control room should be obtained/prepared and diagram identifiers tabulated. A review of the equipment layout drawing of various buildings should produce simplified system drawings indicating the physical location of key components that may be needed for manual, emergency operation.

Task 3 - Plant Visit

Usually, the initial plant visit should take between three and five days. Ideally, the entire PRA team should participate in the visit. This allows all team members to become familiar with the design and operation of the plant and become acquainted with key personnel. This first visit should occur after the team has had a chance to provide a preliminary analysis of the material requested. The plant visit then provides an opportunity to confirm what the information conveys, why it is needed to perform a PRA, and to clarify any outstanding questions. Questions and the types of pertinent information needed for the plant visit should be sent to the plant ahead of time so that the visit becomes highly focused. It would be helpful to pre-arrange for communication devices that allow for easier communication during plant walkdowns in noisy areas. To optimize the available time at the plant, an agreed-upon agenda and schedule of areas to visit should be prepared and followed.

The plant visit generally consists of the following activities:

1. Discussions(2) with plant engineering and operational staff concerning:
  • normal and emergency configurations of the various systems of interest,
  • normal and emergency operation of the various systems during various accidents as outlined by the analysts,
  • system interdependencies,
  • design changes implemented at the plant,
  • automatic and manual actions taken in response to various emergency conditions,
  • operational problem areas identified by plant personnel that might have a potential impact on the analysis,
  • subtle interactions and failures identified by the analysts (or from past studies) that might be applicable to the present study, and
  • detailed discussions regarding emergency procedures, including walk-throughs of various accident scenarios.

2. Discussions with plant engineering and maintenance staff concerning:
  • data (maintenance logs, licensee event reports, etc.) on specific items provided by the team leader to the data analyst, and
  • implementation of test/maintenance procedures.

3. Discussions with the plant staff concerning training practices for various emergency conditions.

4. A visit to the plant simulator (if possible) where the operators perform various accident scenarios, as outlined by the analysis team.

5. A tour of the plant focusing on the systems modeled, noting such things as:
  • location of equipment (e.g., elevation),
  • room accessibility (with or without doors),
  • type of doors (e.g., flood, fire),
  • room size,
  • natural ventilation conditions, and
  • travel time for operators.

6. A tour of the control room, noting such things as:
  • relative location of panels,
  • layout of instrumentation on the panels,
  • type of instrumentation on the panels,
  • relative location of emergency procedures in the control room,
  • type of controls for system and component actuation on the panels (e.g., buttons, switches, key-locked switches, etc.).

(2) Discussions are documented where required. It should be noted that not all analysts participate in every discussion nor visit every plant area, e.g., control room access is usually very restricted.

After the additional information is obtained during the plant visit, the outputs of the preliminary plant analysis task (as described in Activity 3) should be finalized to the extent possible before being employed in subsequent tasks in the PRA. The plant information gathering effort continues throughout the PRA study so that a coherent PRA model is developed that reliably reflects the plant

design and operation. Frequent communications between the PRA team and the point of contact at the plant are expected. Requests for additional information and additional plant visits focusing on specific subjects are expected.

Examples of possible subsequent visits are the following. One visit could be a walkdown of the plant from a spatial interactions/internal plant hazards perspective; a second (and possible additional) visit(s) could focus on interacting with plant operators to help develop or validate the plant response models. Interaction with the operators to facilitate the quantification of operator actions is desirable. It is conceivable that additional effort at the site will be necessary to collect the desired plant-specific data. Each visit will have a focused goal, and, therefore, the makeup of each plant visit team will be tailored for that objective.

In practice, it is likely that formal visits are supplemented by frequent informal communication between the PRA team and the plant. A point of contact, who is very familiar with the plant operation, should be appointed on the plant side to coordinate information requests.

3.1.4 Task Interfaces

This current task provides significant information to all of the analytical tasks of the PRA. The task provides basic information needed for the final documentation.

3.2 Level 1 Analysis

This section provides guidance for each of the analytical tasks associated with a Level 1 PRA for accidents initiated by internal events. Section 3.2.1 provides guidance for identifying initiating events internal to the plant and is closely related to Section 3.2.2, which describes accident sequence development. Section 3.2.2 includes subsections that deal with the definition of core damage states, functional analysis and system success criteria, and event sequence modeling. The systems analysis is presented in Section 3.2.3. The systems analysis discussion includes guidance on system modeling, qualitative dependency analysis, and the assessment of spatial interactions.

Section 3.2.4 describes the data analysis, which includes assessments of initiating event frequencies, component reliability, and common-cause failure probabilities. The human reliability analysis is described in Section 3.2.5.

Quantification, which includes initial and final quantification of the accident sequences, and sensitivity and importance analyses, is discussed in Section 3.2.6.

3.2.1 Initiating Event Analysis

The objective of this activity is to develop a complete list of initiating events grouped into categories that would facilitate further analyses. An initiating event is an event that creates a disturbance in the plant and has the potential to lead to core damage, depending on the operation of the various safety systems as well as the response of the plant operators. The initiating event analysis is the first activity of a Level 1 probabilistic risk assessment (PRA). The initiating event analysis consists of identification and selection of events and grouping of these events.

3.2.1.1 Assumptions and Limitations

The present task classifies initiators as either internal or external. Internal initiators are plant upsets that are associated with the malfunction of plant systems, electrical distribution systems, or are a result of operator errors. External initiators originate outside the plant. They are due to hazards, such as external fires and floods, seismic activity, or other environmental stresses. Floods (refer to Section 3.5) and fires (refer to Section 3.6) that occur internal to the plant are conventionally treated in PRA studies as external events; however, they are included in the internal event category in this PRA.

The initiating events used in a PRA are by no means confined to those postulated for design and licensing purposes, nor are they associated with qualitative qualifiers, such as credible or anticipated. Identification of initiating events also requires a new way of thinking for design engineers, operators, and regulators, i.e., one focused on the propagation of plant failures. Review of previous analyses and operational events can help develop the desired viewpoint. Departures from design, through material substitution or field modifications during construction, must be considered in the identification of initiating events.

Once the set of initiators has been finalized, any

other initiators that could have been included are either presumed to contribute little to the overall risk or are considered outside the present scope of the project. For the Kalinin PRA, the only external events that are considered in the present scope are: seismic, internal fires, and internal floods.

The disposition of low frequency initiating events should be documented. For example, in some PRAs, major structural failure of the pressure vessel is not explicitly represented since it is argued to be such a low frequency event that it does not contribute significantly to the risk. In other PRAs, this event has been quantitatively considered by designating it to a specific initiator category, "excessive LOCA," to describe loss-of-coolant accidents that are beyond the core re-flooding and cooling capabilities.

In general, the impact of all possible plant operating states on the physics and operational considerations leading to specific initiating events should be considered. However, under the present scope of the Kalinin PRA, the only plant operating state to be considered is full power operation.

It should also be recognized that it is not possible to fully ascertain the completeness of any list of initiators. The initial list of initiators that pertains specifically to the plant being analyzed is presumed to be as complete as possible. The PRA analysis may subsequently reveal additional initiating events, particularly as subtle interactions involving support systems are more completely understood by the PRA analysts. Accordingly, the initial grouping of initiators from this task may require modification as the PRA proceeds.

3.2.1.2 Products

The products for the identification and selection of initiating events task are:

  • a list or general description of the information sources that were used in the task.
  • specific information/records of events (plant specific, industry experience, generic data) used to identify the applicable initiating events.
  • the initiating events considered, including both the events retained for further examination and those that were eliminated, along with the supporting rationale.
  • documentation of the failure modes and effects analysis performed to identify support system initiators and the expected effects on the plant (especially on mitigating systems).
  • documentation of findings of failure modes and effects analysis (or equivalent) performed on systems, structures, and components within the scope of the change but not modeled in the PRA, to assess their impact on the scope and frequency of initiators.

The products for the grouping of events task are:

  • specific records of the grouping process including the success criteria for the final accident initiator groups.
  • any quantitative or qualitative evaluations or assumptions that were made in identifying, screening, or grouping of the initiating events as well as the bases for any assumptions and their impact on the final results.

3.2.1.3 Analytical Tasks

The initiating event analysis consists of two task activities:

Task 1 - Identification and selection of events
Task 2 - Grouping of events.

These activities are described below in general terms. An early reference, in which detailed guidance for performing these activities can be found, is NRC (1983). A more recent discussion can also be found in NRC (1997). In addition, it is also useful to refer to lists of initiating events used in previous PRAs. Such references are provided in Section 3.2.1.5.

Prior to describing the two activities, important assumptions and limitations are provided.

Task 1 - Identification and Selection of Events

There are several ways for identifying internal initiating events, each having its strengths and limitations. Since the aim is to produce an initiating event list that is as complete as possible, it is recommended that all approaches should be followed in parallel, although one approach may be
selected as the main approach. These approaches usually complement each other, especially if they are performed together. The following lists four ways that internal initiating events can be identified:

1. Engineering evaluation
2. Reference to previous initiating event lists
3. Deductive analysis
4. Operational experience.

As described below, these four approaches complement each other, providing reasonable assurance that the list of initiating events is as complete as possible.

Engineering Evaluation

In this approach, the plant systems (operational and safety) and major components are systematically reviewed to determine whether any of the failure modes (e.g., failure to operate, spurious operation, breach, disruption, collapse) could lead directly, or in combination with other failures, to core damage. Partial failures of systems should also be considered. These types of failures are generally less severe than a complete failure, but they may be of higher frequency and are often less readily detected.

Special attention should be given to common-cause initiators, such as the failure of support systems (e.g., specific electric power buses, service water, instrument or control air, or room cooling features). Postulated failures are sought that result in (or require) the plant or turbine to trip (or runback) and can cause additional systems to fail. Reviews of plant and system operating instructions and abnormal operating instructions of Western plants have been found useful for identifying subtle interactions between systems. The experience acquired in these investigations should be utilized here as well.

Tables 3-8 and 3-9 give examples of how failures of support systems and "abnormal operating instructions" (AOIs) could be scrutinized and evaluated as part of an effort to identify potential initiating events.

Reference to Previous Initiating Event List

It is useful to refer to lists of initiating events drawn up for previous PRAs on similar plants and from the safety analysis report. This may, in fact, be the starting point. IAEA (1993a) and INEL (1985), for example, provide lists of initiators used in selected light water reactor full power PRAs. Chu et al. (1994) and PLG (1985) provide examples for pressurized water reactor shutdown PRAs. IAEA (1994) is of particular interest since it deals directly with identifying and grouping PRA initiating events for VVER reactors at full power PRAs. Table 3-9, taken from IAEA (1994), provides a list of generic initiators for VVER-1000 plants. Note that Table 3-10 lists some external initiators as well as a reasonably comprehensive list of internal initiators. IAEA (1992) and IAEA (1993b) are additional useful sources of information for review.

Deductive Analysis

In this approach, core damage is usually the top event in a "master logic diagram." To provide order to the master logic diagram, a hierarchical structure is employed. Each level of the structure is a result of events that categorize the level immediately below. The top event is, therefore, successively broken down into all possible categories of events that could cause the event to occur. Successful operation of safety systems and other preventive actions are not included. The events at the most fundamental level are then candidates for inclusion in the list of initiating events for the plant. An example of such a diagram is given in Figure 3.1 from PLG (1983). Eight hierarchical levels are depicted in the figure, with core damage at Level III. The intended use of this figure had been a bit broader than the objectives of this task.

The master logic diagram is a logic tree that identifies necessary conditions for occurrence of the top event, i.e., the top event can occur only if the lower level events occur. It is used to search for initiating events. Generally, additional events defined by an event tree must also occur before core damage is certain. (Note that the fault trees used in systems analysis are different logic models. They identify both necessary and sufficient conditions for failure of the top event, i.e., the top event is guaranteed to occur if and only if the logic of the tree is actualized.)
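The distinction drawn above between a master logic diagram (necessary conditions only) and a fault tree (necessary and sufficient conditions) is easy to state and easy to get wrong in practice, so the following Python illustration makes it executable. This is an added example, not code from the NUREG/CR-6572 guides or the Kalinin project: the MLD hierarchy, the systems, the basic-event names and the heat-sink sequence are constructed for the example (a few initiator names are borrowed from Table 3-10), and the cut-set expansion is the standard distribution of AND over OR rather than any particular PRA tool's algorithm.

```python
"""Master logic diagram (MLD) versus fault tree, as two logic models of core damage.
Added illustration; not code from the NUREG/CR-6572 guides. The hierarchy, the
systems and the basic-event names are constructed for this example."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Union

# Master logic diagram: each level categorizes the level immediately below it.
# Successful safety-system operation is deliberately absent: the tree asks only
# "what disturbance is needed?", not "what else must fail?".
MLD = {
    "core damage": {
        "insufficient core cooling": {
            "loss of primary coolant": [
                "large LOCA", "medium LOCA", "main coolant pump seal leakage"],
            "loss of secondary heat removal": [
                "loss of both feedwater pumps", "loss of condenser vacuum"],
        },
        "loss of reactivity control": {
            "reactivity insertion": [
                "inadvertent boron dilution", "control rod ejection"],
        },
        "loss of support systems": {
            "electrical": ["loss of grid", "loss of one 6 kV bus bar"],
        },
    }
}


def mld_leaves(node) -> List[str]:
    """Events at the most fundamental level of the MLD: the candidate initiators."""
    if isinstance(node, list):
        return list(node)
    leaves: List[str] = []
    for child in node.values():
        leaves.extend(mld_leaves(child))
    return leaves


# Fault tree: AND/OR gates over basic events. evaluate() is True exactly when the
# top event occurs, so the tree encodes necessary and sufficient conditions.
@dataclass
class Gate:
    kind: str                        # "AND" or "OR"
    inputs: List[Union["Gate", str]]


def evaluate(node: Union[Gate, str], true_events: Set[str]) -> bool:
    """Does the top event occur, given the set of basic events that happened?"""
    if isinstance(node, str):
        return node in true_events
    values = [evaluate(child, true_events) for child in node.inputs]
    return all(values) if node.kind == "AND" else any(values)


def cut_sets(node: Union[Gate, str]) -> List[FrozenSet[str]]:
    """Minimal cut sets: the sets of basic events that together are sufficient
    for the top event (distribute AND over OR, then drop non-minimal sets)."""
    if isinstance(node, str):
        return [frozenset([node])]
    groups = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = [cs for group in groups for cs in group]
    else:
        sets = [frozenset()]
        for group in groups:
            sets = [a | b for a in sets for b in group]
    unique = set(sets)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def is_necessary(candidates: Set[str], tree: Union[Gate, str]) -> bool:
    """True when every minimal cut set contains a candidate, i.e. the top event
    cannot occur unless one candidate occurs. This is what an MLD claims about
    its leaves; it says nothing about sufficiency."""
    return all(cs & candidates for cs in cut_sets(tree))


# Constructed sequence: loss of both feedwater pumps leads to core damage only if
# emergency feedwater (two trains, or a common-cause failure) AND the
# feed-and-bleed backup both fail.
EFW_FAILS = Gate("OR", [
    Gate("AND", ["EFW train A fails", "EFW train B fails"]),
    "EFW common-cause failure",
])
FEED_AND_BLEED_FAILS = Gate("OR", [
    "operator fails to initiate bleed",
    "pressurizer PORV fails to open",
    "HPI pump fails",
])
CORE_DAMAGE_LOSS_OF_HEAT_SINK = Gate("AND", [
    "loss of both feedwater pumps", EFW_FAILS, FEED_AND_BLEED_FAILS])


if __name__ == "__main__":
    print("MLD candidate initiators:", mld_leaves(MLD))
    print("initiator alone causes core damage?",
          evaluate(CORE_DAMAGE_LOSS_OF_HEAT_SINK, {"loss of both feedwater pumps"}))
    for cs in cut_sets(CORE_DAMAGE_LOSS_OF_HEAT_SINK):
        print("cut set:", sorted(cs))
    print("an MLD leaf appears in every cut set?",
          is_necessary(set(mld_leaves(MLD)), CORE_DAMAGE_LOSS_OF_HEAT_SINK))
```

Running the script shows the point of the paragraph: the initiator alone evaluates to False under the fault tree, every one of the six minimal cut sets nevertheless contains an MLD leaf, and a single mitigating-system failure such as "HPI pump fails" is not necessary at all, since other cut sets route around it. The MLD leaves are therefore a search list for initiators, and the fault tree (with the event tree) supplies the remaining failures that make a sequence sufficient for core damage.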

Table 3-8 Format for failure modes and effects analysis of key support systems

Column - Content
System/Subsystem - All systems or subsystems under consideration are identified; for example, the standby diesel generator fuel oil supply
Failure Mode - The faults or failure modes identified as part of the failure modes and effects analysis are described; for example, a fault leading to inadequate fuel oil to standby diesels
Effect - The impact of the faults on the plant response are described; for example, loss of standby diesel generator power source
Initiating Event Category - The initiating event categories impacted by the failures are identified
Plant Model Designator - The plant models affected by the failures are identified and their impact on the plant models should be added
Comments - Any remarks that would clarify the failure modes

Table 3-9 Format for abnormal operating instruction review summary

Column - Content
AOI Reviewed - All operating instructions that are evaluated should be identified
Potential Initiating Event Category - The initiating event categories affected should be identified against the corresponding AOIs
Initiating Event Category - The initiating event categories affected by the AOIs are identified
Plant Model Designator - The plant models impacted by the AOIs are identified and their impact on the plant models should be added
Comments - Any remarks that would clarify the AOIs
Table 3-10 Generic list of initiating events for VVER-1000 reactors (IAEA, 1994)

General Categories - Initiating Events

General Plant Transients:
  • Trip of one of two; two of three; or two of four main coolant pumps
  • Main coolant pump seizure
  • Total loss of primary coolant system flow/trip of all main coolant pumps
  • Feedwater flow reduction due to control malfunctions or loss of flow path
  • Inadvertent closure of turbine stop valve
  • Turbine control valve malfunction
  • Turbine trip
  • Total loss of load(1)
  • Generator fault(1)
  • Loss of one 6 kV bus bar
  • Loss of intermediate cooling to main coolant pumps
  • Spurious reactor trip(2)
  • Reactor scram due to small disturbance(2)
  • Inadvertent boron dilution
  • Control rod ejection without reactor vessel damage

Administrative Shutdowns:
  • Failure of pressurizer spray
  • Failure of pressurizer heaters
  • Minor miscellaneous leakage in feedwater/condensate system
  • Loss of a condensate pump
  • Inadvertent bypass to condenser
  • Administratively caused shutdown
  • Control rod/control rod group drop
  • Very small LOCA and leaks requiring orderly shutdown

Loss of Secondary Heat Removal:
  • Loss of both feedwater pumps
  • Feedwater collector rupture
  • Feedwater line rupture that can be isolated by separation of one steam generator and compensated by reserve feedwater pump
  • Feedwater line rupture that can be isolated by separation of one steam generator and cannot be compensated by reserve feedwater pump
  • Loss of several condensate pumps
  • Loss of condenser vacuum
  • Loss of circulating water

Loss-of-Offsite Power:
  • Loss of grid
  • Failure of unit auxiliary transformer

Non-Isolatable Steam/Feedwater Line Leaks Inside Containment:
  • Rupture of feedwater pump discharge line inside containment
  • Steam line rupture inside containment

(1) May lead to loss of secondary heat sink if loss of condenser vacuum occurs.
(2) Unavailability of reactor shutdown function is 0.0 (because reactor is tripped).

Table 3-10 Generic list of initiating events for VVER-1000 reactors (IAEA, 1994) (cont'd)

General Categories - Initiating Events

Non-Isolatable Steam/Feedwater Line Leaks Outside Containment:
  • Rupture of feedwater pump discharge line outside containment
  • Inadvertent opening of steam generator safety valve
  • Inadvertent opening of atmospheric steam dump valve
  • Steam line rupture outside containment between steam generator and isolating valve

Isolatable Steam Leaks:
  • Rupture of main steam collector

Loss-of-Coolant Accidents (LOCAs) Inside Containment:
  • Reactor pressure vessel rupture
  • Large LOCA
  • Medium LOCA
  • Main coolant pump seal leakage
  • Control rod ejection and LOCA
  • Pressurizer power-operated relief valve leakage

LOCA Outside Containment:
  • Instrumentation/sample tube rupture
  • Leakage from make-up/letdown system
  • Leakage through intermediate cooling system of main coolant pumps

Special Initiators (These need to be considered on a plant-specific basis and may lead to events already considered or a very complicated event requiring a failure modes and effects analysis.):
  • Loss of noninterruptible AC power busbar
  • 380 V bus failure
  • Failures in essential DC system
  • Failures in essential AC power system
  • Loss of power to protection/control system
  • Loss of service water system
  • Loss of intermediate cooling to main coolant pumps
  • Loss of high pressure air
  • Loss of room cooling in a vital instrumentation compartment
  • Loss of room cooling in a normal control system compartment
  • Spurious actuation of fire suppression systems (sprinkler + CO2 + other)
  • Internal flooding (including spurious actuation of sprinkler system or fire extinguisher)
  • Internal fires
  • Flying objects including turbine
  • Hydrogen explosions in generator and gas blowdown systems
Figure 3.1 Master logic diagram
This example traces and documents the thought process that results from consideration of the question "How can a significant release of radioactive material to the environment around the site occur?" This question is represented by the box on Level I of Figure 3.1. Level II represents the argument that such a release must be either from a damaged core or from another source. (This argument was valid for the plant for which the example master logic diagram was developed.) Level III represents the argument that a significant release of radioactive material is possible only if excessive core damage occurs and the material escapes to the environment. The remainder of the diagram emphasizes potential contributors to core damage. Plant sequences that ultimately result in extensive core damage involve either insufficient cooling of the core or other uncorrected mismatches between generated power and heat removal. This argument is represented by Level IV of the master logic diagram. Level V further delineates the logic for the case of "loss of core cooling" identified in Level IV: loss of core cooling occurs only if the reactor coolant boundary fails or if there is insufficient core heat removal. Level VI presents the logic that insufficient core heat removal is the result of either direct initiators or indirect initiators. Indirect initiators are those disturbances that require additional plant failures to result in the indicated impact. Initiating event categories are articulated in Level VII; specific initiators are then listed in tables that support Level VIII.

Operational Experience

In this approach, the operational history of the plant (and of similar plants elsewhere) is reviewed for any events that are not included in the list of initiating events. This approach is not expected to reveal low-frequency events but could identify common-cause initiating events. It should also verify that the observed events can be properly represented by the initiating event categories being developed through exercise of the previous approaches. The list of initiating events should be reviewed for any inadvertent omissions and, as a further check, to remove any repetitions or overlaps.

Task 2 - Grouping of Events

Once the task of assessing the requirements of the plant systems has been completed, the identified initiating events should be grouped (or binned) in a manner that simplifies the ensuing analysis. Each initiating event group should be composed of events that impose essentially the same success criteria on plant systems. Similarly, special conditions, such as similar challenges to the operator, similar automatic plant responses, and equipment functionality, should also be factored into this grouping process. In the process of grouping, it will become clear that some categories of initiating events need to be subdivided further. Dividing LOCAs by break size (and perhaps location) is a well-known example, but other cases should be expected. Some examples are: steam-line break by size, loss of flow by number of failed pumps, and spurious control rod withdrawal by number of rods or rate of reactivity addition. The subsequent analysis needed may be reduced by grouping together initiating events that evoke the same type of plant response but for which the front-line system success criteria are not identical. The success criteria applied to this group of events should then be the most restrictive for any member of the group. The saving in analysis effort must be weighed against the conservatism that this grouping introduces. The following criteria should be used when grouping initiating events:

  • Initiating events resulting in the same accident progression (i.e., requiring the same systems and operating actions for mitigation) can be grouped together. The success criterion for each system required for mitigation (e.g., the required number of pump trains) is the same for all initiators grouped together. In addition, all grouped initiators should have the same impact on the operation and performance of each mitigating system and the operator. Consideration can also be given to those accident progression attributes that could influence the subsequent Level 2 analysis (Section 3.3).

  • In conformance with the criteria above, LOCAs can be grouped according to the size and location of the primary system breach. However, primary breaches that bypass the containment should be treated separately.

  • Initiating events can be grouped with other initiating events with slightly different accident progression and success criteria if it can be shown that such treatment bounds the real core damage frequency and consequences that would result from the initiator.
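The three grouping criteria can be applied mechanically once each initiator is described by the mitigating systems, operator actions and train counts it requires. The following Python script is an added example and is not part of NUREG/CR-6572 or of the Kalinin PRA: the initiator names come from Table 3-10, but the frequencies, the system abbreviations (RT, AFW, HPI, LPI, SPRAY), the train counts and the 50 % "penalized fraction" threshold used to flag a bin for subdivision are all constructed assumptions, not values from the guide. It bins initiators with identical mitigation signatures (criterion 1), keeps containment-bypass breaches apart (criterion 2), derives the bounding (most restrictive) success criteria per bin (criterion 3), and measures how much of the bin frequency is carried by members that the bound penalizes, which is the conservatism the text says must be weighed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Initiator:
    name: str
    frequency: float            # events per reactor-year (constructed values)
    success_criteria: dict      # mitigating system -> minimum trains for success
    operator_actions: frozenset = frozenset()
    bypasses_containment: bool = False


def signature(ie):
    """Accident-progression signature: same mitigating systems and operator
    actions (criterion 1); breaches that bypass containment never merge with
    those that do not (criterion 2)."""
    return (frozenset(ie.success_criteria), ie.operator_actions, ie.bypasses_containment)


def group_initiators(initiators, max_penalized_fraction=0.5):
    """Bin initiators with identical signatures and derive each bin's bounding
    success criteria, i.e. the most restrictive train count of any member.

    Criterion 3 allows bounding, but its conservatism must be weighed: the
    share of the bin frequency carried by members whose own criteria are less
    demanding than the bound is reported, and the bin is flagged for
    subdivision when that share exceeds max_penalized_fraction (an assumed
    threshold, not a value from the guide)."""
    bins = defaultdict(list)
    for ie in initiators:
        bins[signature(ie)].append(ie)

    groups = []
    for members in bins.values():
        systems = sorted(members[0].success_criteria)   # identical within a bin
        bounding = {s: max(m.success_criteria[s] for m in members) for s in systems}
        total = sum(m.frequency for m in members)
        penalized = sum(m.frequency for m in members
                        if any(m.success_criteria[s] < bounding[s] for s in systems))
        groups.append({
            "members": sorted(m.name for m in members),
            "frequency": total,
            "success_criteria": bounding,
            "penalized_fraction": penalized / total,
            "subdivide": penalized / total > max_penalized_fraction,
        })
    return sorted(groups, key=lambda g: g["members"])


# Constructed initiator list; frequencies and criteria are illustrative only.
SAMPLE_INITIATORS = [
    Initiator("Turbine trip", 1.0, {"RT": 1, "AFW": 1}),
    Initiator("Total loss of load", 0.5, {"RT": 1, "AFW": 1}),
    Initiator("Spurious reactor trip", 0.8, {"RT": 1, "AFW": 1}),
    Initiator("Loss of both feedwater pumps", 0.2, {"RT": 1, "AFW": 2}),
    Initiator("Small LOCA", 1e-2, {"RT": 1, "HPI": 1, "LPI": 1, "SPRAY": 1}),
    Initiator("Medium LOCA", 1e-3, {"RT": 1, "HPI": 2, "LPI": 1, "SPRAY": 1}),
    Initiator("Large LOCA", 1e-4, {"LPI": 2, "SPRAY": 2}),
    Initiator("Interfacing-system LOCA", 1e-6,
              {"RT": 1, "HPI": 1, "LPI": 1, "SPRAY": 1}, bypasses_containment=True),
]

if __name__ == "__main__":
    for g in group_initiators(SAMPLE_INITIATORS):
        print(g["members"], g["success_criteria"], f"f={g['frequency']:.2e}",
              f"penalized={g['penalized_fraction']:.2f}",
              "SUBDIVIDE" if g["subdivide"] else "ok")
```

Run as written, the four transients fall into one bin whose bounding criterion becomes AFW = 2 trains because of the loss-of-feedwater member; the bin is flagged because that bound would be applied to initiators carrying 92 % of the bin frequency. The small and medium LOCAs are flagged for the same reason, which is the "divide LOCAs by break size" rule from the text, while the interfacing-system LOCA stays alone under criterion 2 even though its mitigating systems match the small LOCA.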
To avoid a distorted assessment of risk and to obtain valid insights, grouping of initiators with significantly different success criteria should be avoided. Grouping initiators requires that the success criteria for the grouped initiators be the most stringent success criteria of all the individual events in the group. Note that in a sound baseline PRA, low-frequency initiators are grouped with other, relatively high-frequency initiators rather than being excluded from further analysis.

3.2.1.4 Task Interfaces

This task has extensive interactions with the following other PRA tasks:

Plant Familiarization. In this task, plant systems and major components (including operating instructions) are reviewed to determine whether any of the failure modes could lead directly to core damage. Special attention is given to identifying common-cause initiators.

PRA Scope. Work beyond the full-power operating state is not currently in the scope of the Kalinin PRA. For studies that consider additional states, new initiating events may need to be considered.

Accident Sequence Development. The accident initiators provide the starting point for accident sequence development, and the dependencies between initiators and system response are crucial to sequence development and quantification.

Systems Analysis. In this task, support system failures that can cause initiating events are identified. The initiating events task also provides important information to the systems analysis task on how system performance is impacted by a particular initiator.

Data Analysis. This task provides the information needed for the quantification of the initiating event frequencies.

Human Reliability Analysis (HRA). The HRA could influence or modify the identification and selection of initiating events. More importantly, the HRA will influence the grouping of initiating events.

Fire Analysis. Fires can induce multiple internal initiating events and affect multiple systems helpful for recovery; therefore, revisions to the event tree structures and definitions of top events may be required.

Flood Analysis. Floods can induce multiple internal initiating events and affect multiple systems helpful for recovery; therefore, revisions to the event tree structures and definitions of top events may be required.

Seismic Analysis. Earthquakes can cause simultaneous failures in structures and equipment needed to prevent core damage. These common-cause failures can require significant revisions or additions to internal event PRA models.

3.2.1.5 References

Chu, T.-L., et al., Evaluation of Potential Severe Accidents During Low Power and Shutdown at Surry, Unit 1, NUREG/CR-6144, Brookhaven National Laboratory, June 1994.

IAEA, Generic Initiating Events for PSA for VVER Reactors, IAEA-TECDOC-749, International Atomic Energy Agency, June 1994.

IAEA, Defining Initiating Events for Purpose of Probabilistic Safety Assessment, IAEA-TECDOC-719, International Atomic Energy Agency, September 1993a.

IAEA, Proceedings of the Workshop Organized by the IAEA and held in Moscow, 1-5 February 1993, Working Material, IAEA-RER/9/005-2/93, International Atomic Energy Agency, February 1993b.

IAEA, Report of a Workshop Organized by the IAEA and held in Řež, Czechoslovakia, 3-7 February 1992, Working Material, IAEA-J4-005/1, International Atomic Energy Agency, February 1992.

INEL, Development of Transient Initiating Event Frequencies for Use in Probabilistic Risk Assessments, NUREG/CR-3862, Idaho National Engineering Laboratory, May 1985.

NRC, The Use of PRA in Risk-Informed Applications, NUREG-1602, Draft for Comment, June 1997.

NRC, PRA Procedure Guides: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, NUREG/CR-2300, Volumes 1 and 2, 1983.

PLG, Zion Nuclear Plant Residual Heat Removal PRA, prepared for Nuclear Safety Analysis Center of the Electric Power Research Institute, NSAC-84, PLG, Inc., July 1985.

PLG, Diablo Canyon Probabilistic Risk Assessment, PLG-0637, prepared for Pacific Gas and Electric Company, PLG, Inc., January 1983.

3.2.2 Accident Sequence Development

Accident sequence development consists of three interrelated tasks, namely core damage definition, functional analysis and system success criteria, and event sequence modeling. The first of these tasks defines the plant conditions that correspond to core damage in a manner that allows sequence and system success criteria to be unambiguously defined. The objective of the second task is to identify the success criteria for plant systems and components. The objective of the event sequence modeling task is to determine the range of possible plant and operator responses to a wide variety of upset conditions and to develop event trees for all initiating event categories that are defined in the task Initiating Event Analysis.

3.2.2.1 Assumptions and Limitations

The delineation of the accident sequence ends with the determination of the status of the core as safe or damaged. The core is defined to be in a safe condition when the consequences of the radionuclide releases from the damaged fuel would be negligible. Realistically, core damage occurs when the allowable peak fuel cladding temperature is reached; however, using this definition involves detailed analyses beyond the scope of many studies, so a more conservative definition is often employed. For the Boiling Water Reactors (BWRs) in NUREG-1150, core damage is assumed to occur when the reactor water level is less than two feet above the bottom of the active fuel. Because Pressurized Water Reactors (PWRs) are not designed to allow steam cooling, core damage is assumed to occur at the time at which the top of the active fuel is uncovered. As knowledge of accident progression in the core evolves, less conservative assumptions concerning core damage may be used.

Plant system components modeled in a PRA are assumed to be either fully operational or non-operational; no differentiation is made between full and partial operation of a component. Therefore, PRA methodology does not usually take into account degraded performance (e.g., a valve partially open) or enhanced performance (e.g., a pump operating near runout conditions) of a system component, only operation at nominal performance or inoperability.

The front-line systems used as event tree headings include only those systems present in the plant emergency operating procedures for responding to the initiating events defined for the analysis.

The Anticipated Transient Without Scram (ATWS) accident sequences for BWRs are not always fully delineated. ATWS sequences in which the functions of reactor subcriticality, Reactor Coolant System (RCS) overpressure protection and inventory control, and core cooling are successful are assumed to be mitigated. Even if failure of the containment overpressure protection function occurs in an ATWS sequence following success of the other functions, the sequence frequency is often below the risk-significant cut-off value, and thus the sequence would be screened from the analysis.

ATWS sequences for PWRs are treated similarly to those for BWRs. As with the BWRs, low sequence probabilities for ATWS scenarios prior to the need for containment overpressure protection would produce non-dominant sequences even if failure of containment overpressure protection were considered.

3.2.2.2 Products

The products of the core damage definition task are:

  • a definition of the plant conditions that correspond to core damage and
  • a definition of those plant conditions that represent successful termination of the accident scenarios.

The products of the functional analysis and system success criteria task are:

  • a definition of the safety functions to be modeled as top events in the event sequence analysis and the systems that provide those functions.
  • a definition of the equipment for which success criteria will be required, existing analyses that could be used to set specific criteria, and new analyses that may be required.
  • a definition of new supporting analyses for initial success criteria selection.
  • a definition of the success criteria resulting from the initial modeling effort.

The products of the event sequence modeling task are:

  • a set of event sequence diagrams (ESDs) that document the range of possible plant and operator responses to a range of upset conditions.
  • a complete set of event trees to quantify all initiating events. This product must include the complete definitions of top events to support systems analysis and HRA. Each event tree must be developed from the relevant ESD, showing which ESD elements are combined into single event tree top events and justifying the event tree model as an abstraction of the ESD based on characteristics of the initiating event and approximations well supported by probabilistic and engineering argument.

3.2.2.3 Task Activities

Accident sequence development consists of three interrelated tasks:

Task 1 - Core damage definition,
Task 2 - Functional analysis and system success criteria, and
Task 3 - Event sequence modeling.

The first of these tasks defines the plant conditions that correspond to core damage in a manner that allows sequence and system success criteria to be unambiguously defined. The objective of the second task is to identify the success criteria for plant systems and components. The objective of the event sequence modeling task is to determine the range of possible plant and operator responses to a wide variety of upset conditions and to develop event trees for all initiating event categories that are defined in the task Initiating Event Analysis.

Task 1 - Core Damage Definition

The objectives of this task are: (1) to define the plant conditions that correspond to core damage in a manner that allows sequence and system success criteria to be unambiguously defined and (2) to specify clearly the plant conditions that represent successful termination of postulated scenarios.

To meet the objectives of this task, it must be understood that the physical characteristic of the core that defines core damage has a strong influence on the magnitude of the core damage frequency determined by the risk model (refer to Task 2 - Functional Analysis and System Success Criteria). Excessively conservative definitions of core damage will yield higher assessed core damage frequencies and, more importantly, will distort the perception of the importance of individual contributors to risk. Risk models that do not fully account for the robustness of the plant design can also contribute to higher damage frequencies.

A similar concern exists with specifying the conditions for successful termination of an accident scenario. Using overly conservative criteria (e.g., requiring all scenarios initiated at full power to proceed to cold shutdown for successful accident termination) could strongly influence the model structure and complicate the modeling requirements with little or no added understanding of the factors contributing to the risk.

Likely sources of conservatism are the analytical tools (available analyses and computer codes) used in determining the outcome of postulated accident scenarios. The definition of core damage must be consistent with the available analytical tools.

If conservatism built into the definition, criteria, plant models, and analyses is suspected to strongly influence the end result of an accident analysis calculation, then the result should be refined. This should be done selectively using more realistic models, but only after the relative importance of all the accident sequences has been initially assessed. It would then be possible to judge the importance of resolving whether a

particular sequence of events could or could not lead to core damage, as initially predicted. This iterative nature of reevaluating the results brings with it a caution: sequence-specific refinement is not performed on sequences that are not important and, therefore, use of information from unimportant sequences must be made with caution. However, it does make use of time and resources more effectively by consistently focusing

The safety philosophy embedded in the reactor design, particularly with respect to design basis accidents, must be reflected in the definitions of "core damage" as well as "success." Impacts of design basis accidents on the public near the site boundaries, and on the operators and engineers within the site boundaries, need to be considered if the successful termination of such accidents has the potential to impact the plant personnel.

A Level 1 PRA usually entails identifying scenarios that lead to severe core damage and determining the corresponding accident scenario frequencies. The most important definition that must be made in this task is that of core damage. There are several possible degrees of core damage, the severity depending on the extent of core damage and on the magnitude of the resulting releases of radioactive material from the core. One definition of core damage is uncovery and heatup of the reactor core to the point where prolonged clad oxidation and severe fuel damage are anticipated. Releases of radioactive material in scenarios that do not involve core damage could also be of concern if these releases are sufficient to trigger emergency responses offsite. Minor radioactive releases may come from in-core sources or from radionuclides resident in the primary coolant circuit. However, for the Kalinin PRA, core damage will define the scope of the study. The undesired end result of the Level 1 scenarios will then be referred to as core damage in the procedures that follow.

The specification of the conditions assumed to represent core damage must be consistent with the VVER design features as well as with the capabilities of the analysis tools. For the Kalinin PRA, a definition of core damage based on a maximum allowable fuel temperature is recommended. Other conditions that have been used are based on phenomena such as UO2 temperature limits, the triple point of the coolant, and the Zr-water autocatalytic temperature. For light water reactors, core damage has been defined as occurring when any one of the following conditions is met:

  • Core maximum fuel temperature approaching 2200°F (1204°C)
  • Core peak nodal temperature exceeding 1800°F (982°C)
  • Liquid level below the top of the active fuel.

Describing the conditions that characterize the core damage sequences is also necessary for the PRA. Experience has shown that if a Level 2 analysis is being contemplated, it is prudent to consider the interface between the Level 1 and Level 2 analyses while the Level 1 models are being developed. Typically, this interface is expressed in terms of plant damage states. Even if a Level 2 analysis is not performed, characterization of the damage states will provide significant insights into the nature of the Level 1 scenarios (e.g., which ones will involve successful containment isolation with containment heat removal available).

Each end state of the plant model event trees defines an accident sequence that results from an initiating event followed by the success or failure of various plant systems and/or operators responding to the accident. Each accident sequence has a unique "signature" due to the particular combination of system/operator successes and failures. Each accident sequence that results in core damage should be evaluated explicitly in terms of accident progression and the release of radioactive materials. However, since there can be many such sequences, it may be impractical to evaluate each one, since this would entail performing thermal-hydraulic analyses and containment event tree split fraction quantification for each accident sequence. Therefore, for practical reasons, the Level 1 sequences are usually grouped into plant damage states or accident class bins. Each bin contains those sequences in which the following features are expected to be similar: the progression of core damage, the release of fission products from the fuel, the status of the containment and containment systems, and the potential for mitigating source terms. Plant damage state bins are used as the entry states (similar to initiating events for the plant model event trees) to the containment event trees, as described in Section 3.3.
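To show how event tree end states are assigned and then collapsed into plant damage state bins, the following Python script is an added example; it is not part of this guide or of the Kalinin models. It walks a constructed small-LOCA event tree with five top events (reactor trip RT, high-pressure injection HPI, auxiliary feedwater AFW, containment spray SPRAY, and low-pressure recirculation LPR), skips top events that earlier branch outcomes make irrelevant (ATWS sequences are not delineated further, matching Section 3.2.2.1), assigns each leaf either OK or a core damage state, screens sequences below an assumed 1E-8 per reactor-year cutoff, and bins the remainder by damage timing, RCS pressure and spray status. The end_state rules stand in for the thermal-hydraulic determination against the core damage definition and, like the split fractions and the initiator frequency, are constructed for illustration only.

```python
IE_FREQUENCY = 1.0e-2      # small LOCA, per reactor-year (constructed)
SCREENING_CUTOFF = 1.0e-8  # sequences below this frequency are screened (assumed value)

# Top events in the order they are questioned, with constructed failure
# probabilities (split fractions).
TOP_EVENTS = [("RT", 1e-5), ("HPI", 2e-3), ("AFW", 1e-3), ("SPRAY", 5e-3), ("LPR", 1e-2)]


def is_asked(event, outcome):
    """Branch-dependent applicability of a top event given earlier outcomes."""
    if event == "RT":
        return True
    if not outcome["RT"]:
        return False        # ATWS sequences are not delineated further
    if event == "LPR":      # recirculation matters only if injection and heat sink succeeded
        return outcome["HPI"] and outcome["AFW"]
    return True


def end_state(outcome):
    """Constructed stand-in for the thermal-hydraulic core damage determination.
    Returns ('OK',) or ('CD', timing, RCS pressure at the time of damage)."""
    if not outcome["RT"]:
        return ("CD", "early", "high")
    if not outcome["HPI"]:
        return ("CD", "early", "high")
    if not outcome["AFW"]:
        return ("CD", "late", "high")
    if not outcome["LPR"]:
        return ("CD", "late", "low")
    return ("OK",)


def enumerate_sequences():
    """Walk the event tree; each leaf is (outcome dict, sequence frequency)."""
    sequences = [({}, IE_FREQUENCY)]
    for event, p_fail in TOP_EVENTS:
        expanded = []
        for outcome, freq in sequences:
            if not is_asked(event, outcome):
                expanded.append((outcome, freq))
                continue
            expanded.append(({**outcome, event: True}, freq * (1.0 - p_fail)))
            expanded.append(({**outcome, event: False}, freq * p_fail))
        sequences = expanded
    return sequences


def bin_plant_damage_states(cutoff=SCREENING_CUTOFF):
    """Group core damage sequences into plant damage state bins keyed by
    (timing, RCS pressure, containment spray status). Returns the bins and
    the total frequency screened out below the cutoff."""
    spray_label = {True: "spray", False: "no-spray", None: "spray-not-asked"}
    bins, screened = {}, 0.0
    for outcome, freq in enumerate_sequences():
        state = end_state(outcome)
        if state == ("OK",):
            continue
        if freq < cutoff:
            screened += freq
            continue
        key = (state[1], state[2], spray_label[outcome.get("SPRAY")])
        bins[key] = bins.get(key, 0.0) + freq
    return bins, screened


if __name__ == "__main__":
    bins, screened = bin_plant_damage_states()
    for key, freq in sorted(bins.items(), key=lambda kv: -kv[1]):
        print(f"{key}: {freq:.3e} /yr")
    print(f"core damage frequency {sum(bins.values()):.3e} /yr, screened {screened:.1e} /yr")
```

The tree yields eleven sequences; seven plant damage state bins survive screening and the dominant one is late, low-pressure damage with spray available (HPI and AFW succeed, recirculation fails). The single ATWS sequence lands in a bin of its own with spray status "not asked", which is the kind of bin an analyst would merge or expand by hand when the Level 1/Level 2 interface is defined.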

Task 2 - Functional Analysis and System Success Criteria

Development of the success criteria involves investigations into the detailed timing of event sequences. These investigations utilize engineering analyses to calculate the time progression of plant parameters and human reliability analyses to help quantify operator response. Realistic engineering models can examine many possible scenarios of sequence starting conditions and equipment operability. As a result of developing such detailed information, it becomes possible to define more realistic equipment success criteria and to reduce the uncertainty in the time available to avoid damage.

The objectives of this task must be conditioned by the conflicting goals of realism and cost. Although the success criteria of systems/components should be as realistic as possible, the effort needed to develop these criteria should be consistent with the risk importance of the particular system function.

A PRA is a large-scale scientific and engineering analysis performed for many purposes. The level of effort dedicated to any particular task must be balanced by its value. Perhaps no task in the PRA requires more balancing of costs and benefits than the skillful selection of realistic success criteria. Success criteria should specify the minimum equipment needed for successfully mitigating the progression of a postulated accident. Success criteria also help to determine the effects of degraded system performance as well as to define the time available for recovery for each alternative success path potentially available to the operators.

Defining realistic success criteria requires supporting analyses. The cost of neutronic and thermal-hydraulic analyses to support maximum realism in a PRA can be prohibitive. The cost of bounding analyses for traditional design basis analysis is substantial as well. If all possible variations in conditions that are modeled in the PRA were calculated, not in a bounding way but realistically, an enormous number of calculations would be required.

One must, therefore, begin with a preliminary judgment of importance, then use evaluations that are as realistic as possible for the issues of high importance. For items of lesser importance, conservative success criteria must be selected for each possible modeled condition. Note that realistic means more than best estimate. Best-estimate calculations evaluate the most likely conditions. Realistic calculations must be a set of results for each set of conditions, weighted by the probability of that set representing the actual conditions. Frequently, the most risk-significant results are obtained from unlikely but troublesome conditions.

Defining the success criteria must be an iterative process, starting with best judgments based on experience, knowledge of existing plant calculations, and knowledge of the plant PRA model and its effects on calculational difficulties. It progresses stepwise as systems analyses are completed, event trees are constructed and evaluated, and preliminary results are developed.

How this task has been performed is not well documented in the existing literature, perhaps because judgment plays a central role.

Selection of the final success criteria, which progresses by trial and confirmatory analysis, must be driven by the goals of the PRA. The criteria should be set to ensure that (1) the likelihood that the risk is higher than calculated as a result of errors in the success criteria is relatively small and (2) the leading risk contributors have a high probability of reflecting the true contributors, rather than being artifacts of arbitrarily pessimistic success criteria. In that way, the goals of the PRA can be achieved. The PRA becomes the foundation for the construction of a coherent safety basis for the plant. Such a basis permits rational evaluation of a wide range of issues by both regulators and plant staff. This task is broken down into three separate activities:

1. Determination of safety functions,
2. Assessment of function/system relationships, and
3. Assessment of success criteria.

The first two activities are straightforward, with clearly defined products (IAEA, 1992). The third involves substantial iterative work with other tasks to optimize the value of the PRA while controlling costs. Work in this activity is often defined by requests from other PRA tasks.

These activities are described below in general terms. More detailed guidance is provided in the references listed at the end of this chapter. [In particular, refer to Drouin (1987), NRC (1997), and NRC (1983).] Selection of success criteria is a continually evolving element in the PRA process (Bley, Buttemer, and Stetkar, 1988).

Activity 1 - Determination of Safety Functions

Safety functions are any physical functions that can influence the progression of a postulated accident sequence by preventing or mitigating core damage or the release of radionuclides following core damage. The Reactor Safety Study (Rasmussen et al., 1975) introduced high-level safety functions: reactor subcriticality, core heat removal, reactor coolant system integrity, containment cooling, and fission product removal. In order to model safety functions in the event tree/fault tree PRA model, it is necessary to relate them to plant systems. The appropriate plant systems become the top events in the event trees. Note that some systems can provide multiple safety functions and that some functions can be supplied by multiple systems.

An example from a recent pressurized water reactor (PWR) PRA in the U.S. will illustrate the process. In Table 3-11, the high-level safety functions of the Reactor Safety Study are related to more detailed functions and finally to specific plant systems. In addition to the frontline systems listed in the table, a variety of support systems are required. The link to these systems is provided by the support-to-frontline system dependency matrix. Finally, the specific plant systems modeled in the PRA will depend on the specific initiating event, the mode of operation prior to the initiating event, the time in that mode, and the reliability of each system to provide the function.

For each of the initiating events identified in the task Initiating Event Analysis (Section 3.2.1), the safety functions that will be challenged or can be used to mitigate the initiating event should be identified during this activity. These will be the safety functions that are modeled in the event tree analysis. The applicable piping and instrumentation diagrams, system descriptions, procedures (i.e., emergency, abnormal, and operating procedures or instructions), and design analyses should be identified and reviewed to ensure that the safety functions are correctly identified. The list of specific operating modes of Kalinin Nuclear Power Station systems that can provide these safety functions will be the product of this task.

Activity 2 - Assessment of Function/System Relationship

The frontline systems provide the basis for this activity. All the support systems that are required for successful operation of each frontline system and its components are identified. A frontline system dependency matrix is prepared (as introduced in the task on Plant Familiarization, Section 3.1) which shows, train by train, the impact of support system failures on system operation. Next, a support system dependency matrix is prepared that shows, train by train, the impact of other support system failures on each support system train. Although this activity is performed during the plant visit described in Section 3.1, it is functionally part of this task. The detail and structure of the dependency matrices depend on the specific train-by-train design of the plant under investigation. The precise structure required for the Kalinin Nuclear Power Station will not be known until the detailed Plant Familiarization is carried out.

The dependency matrices form the underlying basis for the plant model. They describe the physical interrelationships among systems that are crucial to proper modeling and are often among the key factors in risk results. This is a relatively straightforward activity, and adequate guidance is provided in NRC (1997) and Drouin (1987). To an experienced analyst, the dependency matrices provide the first indication of the plant risk. Interpretation of these relationships is an important activity and provides the basis for many judgments that establish the success criteria.

3. Technical Activities

Table 3-11 Safety functions identified in a recent PWR PRA

| High-Level Safety Function | Lower-Level Safety Function | Plant Systems |
|---|---|---|
| Reactor subcriticality | | Rod control system; Passive-moderator density for large loss-of-coolant accidents (LOCAs) |
| Core heat removal | Primary system flow and mixing | Reactor coolant pumps |
| | Primary system bleed and feed | Charging system; Pressure relief system |
| | Secondary heat removal | Main steam system (steam dumps, atmospheric steam dumps); Auxiliary feed system; Main condensate system; Main feed system; Main condensate; Main condenser |
| Reactor coolant system | Leak prevention/isolation | Reactor coolant loop integrity; Pressure relief system, including block valves; Reactor coolant pump seals |
| | Primary system depressurization | Pressure relief system; Main steam system (steam dumps, atmospheric steam dumps); Auxiliary feed system; Main condensate system; Main feed system; Service water system |
| | Primary system makeup | Charging system; High-pressure injection system; Low-pressure injection system |
| Containment cooling | | Containment spray; Containment fan coolers; Passive--containment heat sinks |
| Containment fission product removal | | Containment spray; Passive--steam generators if melt due to steam generator tube rupture |
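The train-by-train dependency matrices described above (support-to-support and support-to-frontline), as an added example that is not part of the procedure guide and does not describe the Kalinin VVER-1000: every system, train, link and success criterion below is constructed for illustration. It closes a set of support failures over both matrices and reports which frontline trains and safety functions are lost, which is the reading of the matrices the text calls the first indication of plant risk.

```python
"""Train-level dependency matrices, as an added example.  This is not the
procedure guide's own material and not the Kalinin VVER-1000 design: every
system, train and link below is constructed for illustration."""
from typing import Dict, List, Set

# Support-to-support matrix.  train -> list of requirement groups; a train
# is lost when, for ANY group, ALL supports in that group are lost.  A
# one-element group is a hard dependency, a multi-element group means
# "needs at least one of these".
SUPPORT_MATRIX: Dict[str, List[Set[str]]] = {
    "OFFSITE": [],                    # offsite power (grid)
    "SW-A": [], "SW-B": [],           # service water trains
    "DG-A": [{"SW-A"}],               # diesel generators need SW cooling
    "DG-B": [{"SW-B"}],
    "BUS-A": [{"OFFSITE", "DG-A"}],   # emergency bus: grid or its diesel
    "BUS-B": [{"OFFSITE", "DG-B"}],
    "CCW-A": [{"BUS-A"}, {"SW-A"}],   # component cooling: power and SW
    "CCW-B": [{"BUS-B"}, {"SW-B"}],
    "IA": [{"BUS-A", "BUS-B"}],       # instrument air: compressors on either bus
}

# Support-to-frontline matrix, same convention (constructed).
FRONTLINE_MATRIX: Dict[str, List[Set[str]]] = {
    "AFW-A": [{"BUS-A"}],             # motor-driven auxiliary feedwater
    "AFW-B": [{"BUS-B"}],
    "AFW-T": [],                      # turbine-driven, steam only (assumed)
    "HPI-A": [{"BUS-A"}, {"CCW-A"}],  # high-pressure injection pumps
    "HPI-B": [{"BUS-B"}, {"CCW-B"}],
    "PORV": [{"IA"}],                 # pressurizer relief for bleed and feed
    "M FW".replace(" ", ""): [{"OFFSITE"}, {"IA"}],  # main feedwater (nonsafety)
}

# Success criteria per safety function: every group must keep at least one
# surviving train (e.g. bleed and feed needs the PORV AND one HPI pump).
SUCCESS_CRITERIA: Dict[str, List[Set[str]]] = {
    "secondary heat removal": [{"AFW-A", "AFW-B", "AFW-T", "MFW"}],
    "bleed and feed": [{"PORV"}, {"HPI-A", "HPI-B"}],
}


def propagate(failed: Set[str]) -> Set[str]:
    """Close the initial failures over both matrices (fixed-point iteration),
    returning every support and frontline train lost as a consequence."""
    matrix = {**SUPPORT_MATRIX, **FRONTLINE_MATRIX}
    lost = set(failed)
    changed = True
    while changed:
        changed = False
        for train, groups in matrix.items():
            if train not in lost and any(g <= lost for g in groups):
                lost.add(train)
                changed = True
    return lost


def frontline_lost(failed: Set[str]) -> List[str]:
    """Frontline trains unavailable after the given support failures."""
    return sorted(t for t in propagate(failed) if t in FRONTLINE_MATRIX)


def functions_available(failed: Set[str]) -> Dict[str, bool]:
    """Which safety functions still meet their success criteria."""
    lost = propagate(failed)
    return {fn: all(not g <= lost for g in groups)
            for fn, groups in SUCCESS_CRITERIA.items()}


def single_failure_table() -> Dict[str, List[str]]:
    """The support-to-frontline view: frontline trains lost when each support
    train fails alone.  Supports with the longest rows are where the plant
    risk is likely to concentrate."""
    return {s: frontline_lost({s}) for s in SUPPORT_MATRIX}


def rank_supports() -> List[str]:
    """Support trains ordered by how many frontline trains they take down."""
    table = single_failure_table()
    return sorted(table, key=lambda s: (-len(table[s]), s))


if __name__ == "__main__":
    for support, lost in single_failure_table().items():
        print(f"{support:8s} -> {', '.join(lost) or '(none)'}")
    # loss of offsite power together with both service water trains
    print(functions_available({"OFFSITE", "SW-A", "SW-B"}))
```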
Activity 3 - Assessment of Success Criteria

The success criteria are among the most important information needed in developing the scenarios in the event trees. The success criteria for the frontline systems and the timing of accident scenarios are determined in this activity. The success criteria specify the minimum equipment needed, determine the effects of degraded systems performance, and define the time available for recovery for each alternative success path available to the operators.

In general, the success criterion for a system changes with the initiating events and the preceding events in the event trees. Therefore, this task must be done in parallel with the event tree development task, and a systematic assessment will ensure that the success criteria have adequate bases. The assessment should account for the definition of core damage, decay heat, and the mission time. If the plant systems can prevent core damage from occurring during the mission time, then the accident sequence is considered successfully terminated. In many cases, calculations required for this Activity 3 actually establish the mission time.

The determination of success criteria must be based on tests, thermal-hydraulic analyses, other mechanistic analyses, and documented expert knowledge (Bley, Kaplan, and Johnson, 1992). In the U.S., the design-basis accident analyses form a useful source of existing calculations. Credible accidents are defined as single events (e.g., double-ended pipe ruptures, pump trip, pump seizure, etc.) followed by the most severe single active failure. The most severe of these (i.e., the one with the minimum margin to core damage) is the design-basis accident. In these calculations, the most pessimistic assumptions on plant parameters are made to bound the consequences of these accidents. Other analyses of the same or similar plants identified and collected in the task Plant Familiarization are also considered. Emergency procedures and other relevant procedures also provide information relevant to the success criteria. Because of their ready availability, these calculations can be used as first approximations for establishing success criteria. At this stage, the criteria are generally conservative. The preexisting information will not be adequate to determine the success criteria and timing of all possible scenarios. Under the more severe conditions that occur in some PRA sequences (e.g., those with multiple failures), care must be taken to ensure that success criteria are still conservative. Otherwise, additional engineering analyses may be required.

The PRA team evaluates where such criteria may be so pessimistic that they will adversely affect the PRA results, and the team performs analysis to improve those success criteria. The team must also look for special conditions when the existing calculations are no longer conservative with respect to the considerations of the PRA model. In such cases, revised success criteria are mandatory.

The product of this task will include the success criteria for all frontline and support systems under all initiating event categories and the accident timing information that is an input to the human reliability analysis. This task also interfaces with the task Initiating Events. The backup documentation (see Chapter 4) should include the details of supporting thermal-hydraulic analysis done specifically for the PRA.

The first product of this task will be developed following the initial site visit and will be based upon the safety functions defined in Activity 1. Analysts will identify equipment for which success criteria will be required. They will identify existing analyses that could be used to set specific criteria and examine the potential problems in basing success criteria on these analyses. Bley, Buttemer, and Stetkar (1988) and Harrington and Ott (1983) provide a variety of examples to illustrate the kinds of analyses that are often performed to support PRAs. The examples suggest areas where new calculations could enhance the PRA. These results will form the basis for discussions during the second site visit which will bring the full expertise of the PRA team to bear on success criteria decisions.

Examples of calculational issues in support of success criteria definitions that have proved important in earlier PWR PRAs are provided below:

1. Room heatup with no cooling;

2. Time until steam generator dryout following loss of feedwater;

3. Time until local accumulators would be

exhausted following loss of instrument air for main steam isolation valves, steam generator relief valves, pressurizer power operated relief valves, etc.;

4. Capability of various pumps to survive functionally with no cooling water, e.g., would the lube oil temperature stabilize at a safe temperature, would directing portable air blowers on the lube oil cooler help, perhaps if covered with wet rags;

5. Possibility of pressurizer relief valves lifting following a variety of transients, accounting for realistic modeling of pressurizer steam space compression;

6. Time until the feedwater storage tank is empty following a reactor trip under a variety of specific conditions, e.g., feedwater fails immediately and condenser steam dumps fail closed followed by uncontrolled automatic auxiliary feedwater flow; a similar case but operators control auxiliary feedwater flow, maintaining hot standby conditions; a similar case but operators follow the normal cooldown rate to cold conditions (i.e., when do they reach the switchover temperature for residual heat removal cooling); etc.;

7. Bleed and feed behavior under a wide variety of equipment conditions and operator actions, focusing on minimum equipment required and cases in which bleed and feed cooling may not work if not initiated in time;

8. Minimum success criteria for injection pumps following a variety of LOCAs; and

9. Pressurized thermal shock calculations under a variety of conditions.

This list is only a sampling of analyses that have been performed to support PRAs. In the following section, examples of hand calculations, simple computer solutions, and the use of elaborate thermal-hydraulic codes are discussed. The required analyses vary on a plant-by-plant basis depending on the availability of existing calculations, specific vulnerabilities at each plant, the availability of alternative ways to satisfy safety functions, and the tolerable level of conservatism in the final results. The major responsibility of the analysts in this task is to respond to the requests for information generated in the other project tasks, subject to the concurrence of the project manager.

The amount of supporting analysis is always a trade-off between technical rigor and the associated value to the users of the PRA.

Early work in PRAs, most notably the Reactor Safety Study (Rasmussen et al., 1975), focused on large issues--bringing the probabilistic viewpoint to the field of safety assessment, moving from worst-case bounding analyses toward realism, building the first large-scale models of integrated plant performance, developing the methods to structure such models (e.g., event trees and fault trees), and analyzing events well beyond the design basis of nuclear power plants (e.g., degraded core phenomena and the progression and impact of offsite effects of radionuclide releases). Later, as the field matured, areas of conservatism, subtle areas of optimism, and areas where more thorough analysis could enhance understanding have been revealed and studied.

In the development of PRA event sequence models, success criteria are established for systems and components and for specified operator actions (i.e., top events explicitly shown in the event trees) that can prevent core damage or containment failure. In their simplest and earliest form, success criteria tell us the minimum equipment configuration (e.g., n of m pumps must operate) required to ensure success of a given safety function for all credible conditions. However, the question remains whether failure to meet conservative success criteria ensures core melt or whether meeting those criteria ensures success for all possible conditions. Because PRA seeks to quantify risk (i.e., to quantify what credible means), more general success criteria are needed. These new success criteria must identify the length of time the plant can survive in various equipment configurations--that is, they must identify the time available for specific operator actions or equipment recovery. It is not possible to know the available time exactly because of variability in plant conditions and because the team's knowledge is imperfect. This uncertainty is properly expressed as a probability distribution.

To establish success criteria, analysts must have well-founded technical knowledge of how specific plant equipment and operators respond to a very broad range of operational and accident scenarios. One can develop an understanding only through a

combination of operational experience, tests, and analysis. Events that are expected to occur quite frequently would normally fall into the operational experience category. Events that are included in the traditional licensing design basis are often covered by testing (sometimes generic in nature) and conservative analyses. These analyses used methods that are approved by regulatory authorities and typically include mandated assumptions, e.g., the existence of a single active failure. In the development of PRA models, many scenarios lie outside the rather narrow traditional licensing basis of the plant. Therefore, they are not included in the accident analyses contained in the plant-specific safety analysis report. Such scenarios might involve the occurrence of multiple failures, the availability of both nonsafety- and safety-related equipment, and severe accident scenarios. These are accidents which extend well beyond the design basis and address the performance of equipment that can potentially mitigate the accident consequences following core damage.

Ideally, the results of a wide range of analyses (primarily thermal-hydraulic and structural and occasionally electrical engineering) would be available that use best-estimate data and correlations and can cover the very large number of scenarios considered in a PRA. Unfortunately, this is seldom the case, and additional analyses are often needed to support the PRA model. The additional analyses can range from simplified mass and energy balances done by hand calculations or small microcomputer-based programs to very sophisticated computer-based models that may include momentum effects, complex control system interactions, and a considerable amount of empirical data.

In recent years, analysts in the nuclear industry have focused on elaborate computer codes that have permitted solution of many complex phenomena. Along the way, the value of straightforward calculations has often been forgotten. Many questions concerning event sequence timing are simple thermal-hydraulic problems. All too often, PRA analysts have shied away from refining success criteria because of the cost of running sophisticated codes when low-cost, simple calculations would have adequately answered the question at hand. For example, questions relating to when the PWR steam generators will boil dry with no feedwater, how long will it take to refill the pressurizer following a severe overcooling event, how does boiling water reactor containment pressure and temperature vary following vessel isolation, or how quickly do rooms heat up with reduced cooling capability, and when does that cause equipment failures.

The basic data needed for many of these calculations include the American Society of Mechanical Engineers steam tables (Keenan and Keyes, 1950), the critical mass flux of saturated steam and water developed by F. J. Moody (1965), the decay heat rates outlined in the American Nuclear Society Guide 5.1 (ANS, 1994), and plant-specific data (power, volumes, pump curves, etc.). More complex computer calculations using state-of-the-art thermal-hydraulic and neutronic codes are also required at times, but the simpler analysis should be considered first.

The recommended approach to follow in selecting engineering analyses to support PRA recognizes real-world budget and schedule constraints, while maintaining adequate depth on the most significant scenarios. It proceeds as follows:

1. Use conservative safety analyses on most scenarios;

2. Apply simplified analyses to develop preliminary, less conservative success criteria for scenarios that appear particularly sensitive;

3. Document the analyses and assumptions;

4. Evaluate the point estimate frequencies of the entire PRA model;

5. Review results to identify the dominant risk contributors; and

6. Revise the analysis, as required, to obtain more realistic and accurate results.

The preliminary risk results are reviewed to identify the dominant risk contributors. Areas where it is important and justifiable to evaluate uncertainties or to perform more sophisticated analyses to better define success criteria are then identified. The goal is to understand safety quantitatively, not just to bound the results. Although the engineering analyses are "best estimate" and deterministic in nature, there are physical and analytical

uncertainties no matter how sophisticated the analysis. Sensitivity studies permit evaluation of those uncertainties as well as the variability associated with plant operation.

Task 3 - Event Sequence Modeling

The objectives of this task are: (1) to determine the range of possible plant and operator responses to a wide variety of upset conditions and (2) to develop event trees for all initiating event categories that are defined in the task Initiating Event Analysis (Section 3.2.1). The event trees must track sufficient information to permit assignment of each event tree sequence to one of the defined plant damage states. These activities are described below in general terms. More detailed guidance is provided in the references listed at the end of this chapter.

The event sequence model is the heart of the PRA. It is the high-level model of how the plant works on a functional basis. It relates functions to plant systems and provides some information on the time sequence of functional interactions. At lower levels, these functions are related to specific plant components and the interrelationships among those components. While some PRAs develop event trees directly, this procedure guide requires the intermediate step of constructing event sequence diagrams (ESDs). These ESDs are more transparently linked to plant operations and responses described in the operating instructions (especially the emergency operating procedures). They are suitable for review by plant operators and engineers as well as PRA specialists. They provide documentation for the more abstract event tree models and provide a lasting record of the simplifications required to develop event trees suitable for quantification. Familiarity with the ESDs can ensure that individual systems, data, and human reliability analysts are aware of the role of their work within the overall structure of the PRA model.

The process of building the event sequence models is inexact and is not likely to be completely codified. The analyst must balance many competing factors: completeness, ease of modeling, efficiency of use for specific risk management applications, rigor, flexibility, etc. A little extra effort in the beginning to understand the range of possible applications--those anticipated as well as those that could eventually be needed--can save enormous effort and cost later.

The delineation of Level 1 accident sequences ends with the determination of the status of the core as safe or damaged as described for the task Core Damage Definition. For core damage cases, each sequence is further assigned to a plant damage state. These plant damage states are defined so that all sequences within a state are essentially identical with respect to the questions addressed in the Level 2 model. The assumption in the Level 2 analysis will be that these sequences are identical.

Plant components modeled in a PRA are generally assumed to be fully operational or nonoperational. Differentiation is not usually made between full and partial operation of a component. Therefore, PRA methodology does not usually take into account degraded (e.g., valve partially open) or enhanced performance of a system component (e.g., pump operating near runout conditions). Precise definition of component functional failure and the possibility of modeling degraded states requires careful consideration of the potential impact of these degraded states.

The International Atomic Energy Agency (IAEA) PRA procedures guide (IAEA, 1992) provides a more prescriptive alternative to accident sequence event tree development. The more flexible ESD approach is recommended for the Kalinin PRA to account for any special design characteristics of the Kalinin VVER-1000 that might affect risk. Plant-specific consideration of success criteria may indicate the need to model degraded functionality. Additionally, the ESD approach has the potential to more thoroughly document the basis for the event sequence model than for the functional event tree/systemic event tree approach recommended by the IAEA.

This task is broken down into three separate activities:

1. Develop fundamental ESDs,

2. Abstract selected PRA event trees from the fundamental ESDs,

3. Test remaining initiating events against fundamental ESDs and existing event trees.

These three activities are described in more detail

below. They form a stepwise approach to developing the event trees with minimum duplication of effort. The approach is accessible for review by a wide range of experts. Moreover, it can clearly explain the simplifications necessary to develop practical, useful, quantifiable models. This event sequence modeling task forms the underpinning of the entire PRA model and is, therefore, closely linked with other tasks in the PRA.

Activity 1 - Develop Fundamental Event Sequence Diagrams

An event sequence model is used to identify the many possible plant response sequences to each initiating event. Depending on various combinations of plant equipment and operator response success or failure states, the event sequences will either be terminated with no core damage or will lead to core damage and various degrees of plant damage, defined as plant damage states. The ESDs are generally developed in cooperation with operators at the plant to ensure the model represents the plant as built and as operated.

The first step in plant modeling for a PRA is to develop a general transient ESD, i.e., a model for all events in which high pressure can be maintained in the primary system, active core cooling is required, and high pressure makeup may be needed. This is the most general PRA model, one that can be specialized to address most transients and accidents. This ESD should be directly applicable to many initiating events, e.g., small LOCA, loss-of-offsite power, reactor trip, and turbine trip.

The second fundamental ESD is that of a large LOCA. For most PWRs, the large LOCA is the most strikingly different ESD because low pressure injection is required, control rods are not required for nuclear shutdown, and only long-term cooling is required. Thus, at least this one new ESD will be required.

Activity 2 - Abstract Selected PRA Event Trees from the Fundamental ESDs

The general transient ESD should provide a complete model for a number of initiating event groups including reactor trip, loss of main feedwater, turbine trip, loss-of-offsite power, and loss of primary flow. The ESD displays the basic relationships between the systems and their impact on the overall plant status and relates those actions required to mitigate the effects of the plant disturbance caused by the initiating event to the steps in the plant emergency procedures. The event trees are developed from the ESDs. The specific actions key in determining the accident progression are identified in the ESDs and grouped into top events in the corresponding event tree. This grouping of actions is displayed in the ESDs to document the event tree development. Since the ESD does not directly lend itself to accident sequence quantification, construction of the event trees is a necessary step. A description of the included actions and the success criteria for each top event must be developed in detail with the event tree structure. The success criteria identify the analysis boundary conditions required for the systems analysis tasks. Finally, each sequence in the event tree must be assigned to its plant damage state.

The frontline system response to several different initiating event categories may be similar. Therefore, the same event sequence models may be used to quantify the risks from more than one such initiating event category, although some differences in the fault trees and data may be required for proper quantification. These differences reflect the different conditions imposed by the specific initiating event category.

Activity 3 - Test Remaining Initiating Events Against Fundamental ESDs and Existing Event Trees

The PRA team working on ESD development will review each remaining initiating event against the general transient and large LOCA ESDs, identifying any structural changes that may be required and defining any special conditions that must be accounted for when the individual event trees are constructed. The exact number of ESDs and event trees required for the PRA will be determined at this time.

Development of the event sequence model is an exercise in addressing a wide variety of open-ended questions. An insightful and experienced analyst must lead the work integrating knowledge of potential accidents, thermal-hydraulic and neutronic response, plant systems and operations, and systems analysis for PRA. Despite

efforts to formalize the process, much will remain subjective due to the open-ended nature of the problems to be solved. Documentation of assumptions, simplifications, and approximations, and the reasons for them is essential for the understanding and future use and modification of the study.

Models developed with an eye toward flexibility will serve their owners well in the long term. For example, if Level 1 models (NRC, 1983) anticipate Level 2 needs, the Level 2 PRA will require far fewer costly revisions to the Level 1 model and far less tortured arguments to tie the complete analysis together. System fault trees built originally for risk evaluation and identification of dominant contributors will need to be expanded, separating failure rate into demand- and time-based elements, if test schedule optimization is desired. Definitions of systems boundaries and decisions concerning the extent of fault tree versus event tree models will affect the ease of testing the effects of design changes on risk. Generally, changes to the database are easier to implement than changes to the fault trees, and changes to a fault tree are easier than changes to an event tree. Many such trade-off decisions must be made during the PRA development.

To get a better understanding for the thought process involved in the event sequence modeling task, consider a transient initiating event. The general transient ESD is used to model events that require a reactor trip, turbine trip, and decay heat removal for successful mitigation. The normal plant responses for these initiating events are:

1. Plant conditions result in a demand for a reactor trip, turbine trip, and generator trip. Sequences with a successful trip are modeled in the event sequence model. Unsuccessful reactor trip sequences are modeled in a separate transients-with-failure-to-scram model.

2. The exact sequencing of reactor, generator, and turbine trips is design specific and leads to different requirements for steam relief.

   a. If a turbine trip and reactor trip occur first and are nearly simultaneous, steam generator pressure rises due to the loss of load (turbine trip) and the addition of core decay heat as well as stored heat. Typically, condenser steam dump valves open automatically to control the primary system at the no-load Tavg temperature by passing steam to the plant condensers. If the condensers are not available, secondary steam relief is achieved with the steam generator atmospheric steam dumps.

   b. If a generator trip occurs first, the same sequence occurs.

   c. If a reactor trip occurs first and a turbine and generator trip are delayed, the turbine removes the initial decay heat, reducing the need for steam bypass.

3. Feedwater is added to the steam generators by the auxiliary or emergency feedwater pumps (main feedwater valves may isolate depending on plant-specific design features) to make up the steam generator inventory lost by dumping steam.

4. As reactor decay heat decreases and plant conditions return to normal, primary system temperature is maintained at the no-load Tavg value by the action of the condenser steam dump valves or the atmospheric steam dumps, or through system steam loads. The steam generator water level is maintained by the water level control system or by operator action, and recovery from the plant trip commences.

Failure of a turbine trip results in an excessive steam demand and could result in overcooling the primary system. Automatic steam line isolation should then occur because of protection system actuation. Failure of steam line isolation and turbine trip leads to a rapid overcooling of the primary, automatic initiation of the emergency core cooling system equipment due to the resulting decrease in primary system pressure, and a possible challenge to the reactor pressure vessel integrity because of pressurized thermal shock should the RCS be repressurized when the vessel wall is overcooled.

Failure of auxiliary feedwater requires operator action to restore main feedwater or establish low pressure condensate flow to the steam generators. Failure of the steam generator feed systems requires operator action to initiate the "feed and bleed" mode of cooling the primary and the reactor core. Failure of this mode of cooling results in a high pressure core melt because of loss of all heat

removal options.

If cooling water systems fail, cooling is lost to key equipment and, in some cases, this can induce subsequent LOCAs through damage to primary system equipment.

Having reached this point successfully, long-term cooling needs must be addressed. Finally, core melt is assumed to occur for those event sequences in which all core cooling is lost or a LOCA occurs with no safety injection. The operation of the containment building cooling and fission product removal systems is analyzed in the core melt sequences since it is necessary to remove decay heat and to minimize the fission product release for these core melt sequences.

3.2.2.4 Task Interfaces

The core damage definition task (Task 1) has the following interfaces:

The functional analysis and system success criteria task (Task 2) has the following interfaces:

Plant Familiarization. Prior to the initial site visit, the plant safety functions should be defined. This information is essential background material for the site visit. During the site visit, a complete first draft of the dependency matrix must be completed.

Core Damage Definition. If the risk results (see Section 3.2.6.1, Initial Quantification of Accident Sequences) are found to be heavily dependent upon the precise definition of the state of core damage, then additional calculations could help decide the optimal definition. This additional work may also suggest breaking that state into multiple states with varying impact. These calculations must take proper account of reactor decay heat to obtain valid results, especially with respect to timing. Such calculations are not in the current scope of the Kalinin PRA.

Initiating Event Analysis. Understanding of the Kalinin plant systems safety functions and interrelationships may suggest redefinition of the initiating event groups.

Event Sequence Modeling. Activity 1 (Task 2) defines the safety functions to be modeled in the event trees. Activity 2 (Task 2) helps to define the interrelationships among systems. Activity 3 (Task 2) is initially performed in concert with the preliminary development of the event sequence models. Judgments about the likely impact of Activity 3 (Task 2) assumptions on sequence-model structure and results guide the work. Later in the PRA, the task on Event Sequence Modeling will require additional Activity 3 (Task 2) work as needed to strengthen and simplify the models.

Systems Analysis. Activity 1 (Task 2) defines the systems to be analyzed. Activity 2 (Task 2) provides the interrelationships among systems that define the fault tree structure, while Activity 3 (Task 2) provides the success criteria for systems models.

Human Reliability Analysis. Human reliability analysis is heavily dependent on Activity 3 (Task 2), which defines the time available for various human actions and the extent of action required to cope with specific event sequences. Event Sequence Modeling, Human Reliability Analysis, and Activity 3 (Task 2) are deeply interrelated.

Initial Quantification of Accident Sequences. In this task, the results of all the modeling efforts, assumptions, and calculations are realized. Invariably, the results are considered as preliminary, requiring further analyses and refinements in the models/assumptions employed. Uncertainty analysis in the quantification task will require Activity 3 (Task 2) calculations to assess the range of possible results. After the results are available, the highest frequency scenarios are analyzed by experienced analysts who look for expected contributors that have not reached the final results. Problems in modeling and success criteria will be found along with errors in computer input, calculations, etc. Extensions to the success criteria calculations of Activity 3 (Task 2) will be required to correct these problems.

The event sequence modeling task (Task 3) has the following interfaces:

Plant Familiarization. During the initial familiarization task, the preliminary ESDs based on the relevant emergency procedures for transients, loss-of-offsite power, and LOCAs should be

3. Technical Activities developed. The m itigating functions and the Initial Quantification of Accident Sequences. In systems associated with the functions should be this task, the results of all the modeling efforts, tabulated. assumptions, and calculations are realized , and invariably, the results at this point are not Initiating Event Analysis. Event trees must be satisfactory. After the results are available, the developed or applied to each initiating event group. highest frequency sce narios are analyzed, and An alysis of the impac t of event tree questions on experienced anal ysts look for ex pec ted each group may lead to a redefinition of the contributors that have not reached the final results.

groups, combining groups when plant res ponse is Problems in modeling and defining success criteria suffic iently similar and breaking apart groups or will be found a long with errors in com pute r input, reassigning spe cific initiating events as new calculations, etc. Revisions to the event tree insigh ts warrant them . Deta ils of ea ch specific structures and definitions of top events will almost initiating event that can affect system s m odeled in certainly be required. Project managem ent must the event tree m ust be properly accoun ted for. anticipate sub stantial effort for review and revision.

Fu nctional Analysis and System s S uccess Criteria. Fire, Flood, and Seismic Analyses. Event trees This task and the current task are highly coupled from the internal events analysis will generally and performed in an iterative fashion. In Task 2 serve to model fire-, flood-, and seismic-induced (Functional Analysis and Systems Succ ess sequences. Because these types of initiating Criteria), Activity 1, D eterm ination of Safety events can induce m ultiple internal initiating e vents Functions, defines the safety functions to be and affect multiple systems helpful for recovery, modeled in the event trees. Task 2, Activity 2, revisions to the event tree structures and Assessm ent of Function/System R elationships, definitions of top events may be required.

provides the defining interrelationships among systems. Task 2, Activity 3, Assessme nt of 3.2.2.5 References Success Criteria, is initially perform ed in concert with the pre lim inary development of the event ANS, American National Standard for Decay Heat sequence models. Judgemen ts a bout th e lik ely Powe rs in Light W ater Reactors, American impact of these assumptions on resu lts and model Nuclear Soc iety Standards W orking Group, structure guide by the early work. Later in the ANSI/ANS-5.1-1994, American Nuclear Society, proje ct, Task 3 will pro m pt additional Activity 3 1994.

work as needed to strength and simplify the m ode ls. Ble y, D. C., S. Kaplan, and D. H. Johnson, "The Strengths and Lim itations of PSA: W here W e Systems Analysis. The event tree sets the Stand ," Reliability Engineering and Systems boundary conditions for the system models. As Safety, 38, pg. 3-26, 1992.

part of this activity, a qualitative dependency analysis is performed which searches for Ble y, D. C., D. R. Buttemer, and J. W . Stetkar, dependencies to insure that all significant "Light W ate r Reacto r Sequence T im ing: Its dependencies are reflected in the final models. Significance to Probabilistic Safety Assessme nt Model enhancem ents to m ore acc urate ly reflect Mo deling," Accident Sequence Modeling: Human function al, spa tial, and human-induced interactions Actions System Response, Intelligent Decision m ay be requ ired as a re sult. Suppo rt, G. E. Apostolakis, P. Kafka, and G. Mancini, editors, Elsevier Applied Science, Human Re liability A nalysis. Human reliability 1988.

analysis (HRA ) is heavily dependent on event sequence m odeling. Proper consideration of Drouin, M., et al., Ana lysis of Core Damage factors affecting the plant and human context for Frequency from Internal Eve nts: M ethodology HRA, including dependencies among hum an G uid elin es, V o lu m e 1 , N UREG/CR -4550, actions, will affect the structure of the event trees. September 1987.

Conservative, unrealistic systems m odels cannot be supported with meaningful HRA. Modeling Harrington, R. M ., and L. J. Ott, The Effect of human actions under situations that will not occur Sm all Capacity, High Pressure Injection Systems is an exercise in irrelevance. on TQU V Sequences at Browns Ferry Unit One ,

3-33

3. Technical Activities NURE G/CR-3179, Oak Ridge National Laboratory, 3.2.3.1 Assumptions and Limitations September 1983.

The analysis boundaries are based on IAEA, Procedures for Co nducting Probabilistic function ality. Th erefore, it is im portant to clearly Safety Ass ess m ents of N uclear Powe r Plan ts define the boundaries of the syste m , wh ich will (Level 1), Safety Series No. 50-P-4, International like ly be different than the boundaries specified by Atomic Energy Agency, 1992. the normal system desc ription s. F or exam ple, if a portion of a service water line serves only the Keenan, J. H., and F. G . Keyes, Th ermodynam ic pumps of the residual heat removal (RHR) system Properties of Steam , John W iley, New York, (and failure of that line would only impact the RHR November 1950. system ), then the availability of that line would be Moody, F. J., Ma xim um Flow Ra te of a S ingle analyzed as part of the RHR system. The Compon ent, Tw o-Phas e Mixture, Am erican boundaries of the RHR system for the purpose of Society of Mechanical Engineers, New York, this analysis would, th erefore, include that sp ecific February 1965. service water line.

NRC, The Use of PRA in Risk-Informed Not all systems are analyzed to the same level of Application s, NURE G-1602, Draft Report for detail. Th e appropriate level of an alysis deta il is Com ment, June 1997. governed by the importance of the system in relation to its role in preventing or delaying core NRC, PRA Procedures Guide: A Guide to the damag e and the complexity of the system. An Performance of Probabilistic Risk Assessments for important consideration is the depth at which the Nuclear Power Plants, NUREG/CR-2300, U.S. supporting data best provides a quan titative Nuclear Regulatory Com mission, January 1983. characterization of the una vailability of the system.

Rasm ussen, N. C., et a l., R eacto r Safety S tud y: 3.2.3.2 Produ cts An Assessment of Accident Risks in U.S.

Com mercial Nuclear Power Plants, W ASH-1400, The products of the system m odeling task are:

NURE G-75/014, U.S. Nuclear Regula tory Com mission, October 1975.

  • a portion of the "Systems Analysis" and the "F au lt Tree" sections of the backup 3.2.3 Systems Analysis doc um enta tion.

The system s an alysis co nsists of three interrelated

  • the system logic m od els in elec tronic form tas ks --n am ely , s y s te m m ode ling, su btle suitab le for use in the sequence quantification interactions, and spatial interactions. The first of activity.

these tasks is the heart of the systems analysis.

The objective of the task on system m odeling is to The product of the subtle interactions task are:

develop the system logic models (e.g., through the use of fault trees) that will be used to support the

  • descriptions of the applica ble subtle event sequence quantification. The objective of interactions that have been identified, the the task on subtle interac tions is to iden tify and to sources of information used, and the guidance explicitly model subtle interactions th at c ould as to how these interactions should be modeled pote ntia lly cause single or multiple compone nt within the Kalinin PRA logic models.

the U.S., the design-basis accident analyses form a useful source of existing calculations. Credible The product of the spatial interactions task are:

accidents are defined as single events (e.g.

double-ended pip e ruptures, pump trip, pump

  • a scheme for des cribing plant loc ations , a form failures, which are neither covered by a comm on- sp ec ialized for the plant to assist in the cause failure analysis nor addressed in the documentation of the plant walkdown, a set of dependency m atrix. The objective of the task on completed walkdow n form s, and an information spatial interactions is to identify potential database that describes the location of hazards environm enta l hazard sc enarios at the plant. as w ell as plant eq uipm ent of interest.

3-34

  • draft material for the final report. Specifically, a draft portion of the "Spatial Interactions" section of the main report will be developed that will include a description of the methodology used to identify and screen hazard scenarios and the information derived by the analysis. The information derived includes the identification and characterization of plant hazards, the location and relative apportionment of plant equipment according to location, and tables describing the potential hazard scenarios and the potential for system interactions.

3.2.3.3 Analytical Tasks

Task 1 - System Modeling

The goal of this task is to develop the system logic models necessary to support the event model activities, including possibly the determination of the frequency of selected initiating events, along with the supporting documentation.

This task consists of constructing models for those systems to be considered in the PRA. The most usual element of these models is the failure or success of a system. The details of the events can be analyzed through one of a number of system modeling techniques (i.e., fault trees, state space diagrams, reliability block diagrams, or go charts). These techniques are described below in general terms. More detailed guidance is provided in the references listed at the end of this chapter. [In particular, refer to Drouin (1987) and NRC (1997).] In addition, an excellent reference to systems analysis can be found in Section 5 of Ericson et al. (1990). Fault tree analysis is the method for developing system models in this study.

Before any fault trees are developed, it is necessary to have a very good understanding of the system operation, the operation of the system components, and the effects of component failure on system success. Sources of information that the analyst can use to gain this understanding of the normal and emergency operation of the systems are: system training notebooks, system operating instructions, system surveillance instructions, and maintenance procedures. It is also important for the analyst to understand the system requirements within the context of the event tree model and the event tree headings.

The analyst should examine all available information collected in Plant Familiarization in order to gain insights into the potential for independent or dependent failures in the systems. The information contains descriptions of all types of failures that have occurred at the plant and possibly at similar plants.

The development of support system-to-support system and support system-to-frontline system dependency matrices, along with a comprehensive set of explanatory notes that clearly depict the functional relationship between systems and system trains, is needed early on in this analysis. These matrices may have been drafted as part of the task Plant Familiarization but should be updated and kept current as part of the present task. A simplified example of a dependency matrix is included as Figure 3.2.

A schematic for each system needs to be developed. However, the plant drawings are usually very detailed, containing considerably more information than is required in the systems analysis task. A simplified system schematic that defines the system to a level of detail commensurate with the needs of the system analyst is, therefore, necessary.

To facilitate the analysis task, a table is created by the analyst that depicts the status of the system components (i.e., pumps and valves) under at least two sets of conditions:

  • when the plant is operating normally (i.e., the initial conditions for the analysis) and
  • when the system responds to a plant initiating event.

Figure 3.2 Example of dependency matrix
Note that multiple cases may be necessary in defining the desired component status for all of the plant events of interest.

The analyst should also determine the potential for each system to initiate an accident, should the system inadvertently (or prematurely) operate, malfunction, or fail. These will be compared with the identified initiators (see Section 3.2.1), and new plant initiators will be added, as appropriate. The possible identification of initiating events under this task is meant to complement the activity described in Section 3.2.1. In other PRA studies, the system analysts have often developed a level of understanding of the systems and have provided insights into the modes of system failure that make such a complementary activity beneficial.

Fault tree analysis is a common method used for representing the failure logic of plant systems. An undesired state of a system is specified, and the system is then analyzed in the context of its environment and operation to find all the credible ways in which the undesired state could occur.

The fault tree is a graphic representation of the various combinations of events that would result in the occurrence of the predefined undesired event. The events are such things as component hardware failures, human errors, maintenance or test unavailabilities, or any other pertinent events that could lead to the undesired state. A fault tree thus depicts the logical interrelations of basic events that lead to the top event of the fault tree. These interrelations usually can be depicted as combinations of events in parallel or series, developed to the point where the data are best defined. This may be at the component level, subassembly level, or even, in very specific cases, at the system or subsystem level. The system analysts must, therefore, work closely with the data analysts to determine the level at which the basic event data are best defined. For example, successful operation of a system may require the operation of a sensor and an associated signal processing unit that together constitute a complete logic channel. However, the data analysts may have developed the data only to the level of the logic channel, in which case only a single basic event (at the logic-channel level) is appropriate in the fault tree. Alternatively, the data may have been expressed in such a manner that makes more than one basic event appropriate. It has been shown that due to inherent conservatisms in most databases, developing data at too fine a level (e.g., resistors, capacitors, and other electronic components in an amplifier) may result in an inaccurate determination of the performance of the overall assemblage. For some systems (for example, balance of plant systems), the available data may be best defined at a rather high level, such as at the train or system level.

An example of a simple fault tree is included as Figure 3.3. The system represented in the fault tree is a backup cooling system represented by top event "BU" in an event tree. Both pumps in this simple example are initially in standby and each represents 100 percent capacity for delivering the required flow. Each train is tested periodically using a bypass line, which would render that train inoperable if left in the incorrect position following the test. The two trains share a common suction valve and a common discharge check valve. Motive power, control power, room cooling, actuation signals, and all other support are all assumed available. This assumption is made only to simplify the discussion; it would not be appropriate in the PRA system models.

Figure 3.3 Example of fault tree for backup cooling system

Another example is taken from an actual PRA application (Chu et al., 1994) that utilized the Integrated Reliability and Risk Analysis System (IRRAS) computer code for fault tree quantification. This example (Figure 3.4) addresses a portion of the logic developed for a fluid system. This system, called the Inside Spray Recirculation System, requires both trains to be operable for the success of the particular top event considered. Transfers to other fault trees that are used to develop the logic further (e.g., "failure of 120V DC bus 1A") are indicated by triangles.

Figure 3.4 Example fault tree for inside spray recirculation

The general techniques for constructing, manipulating, and quantifying fault trees are described in Haasl et al. (1981). However, the following issues merit special consideration in the development of fault trees:
1. In order to facilitate consistency of the individual fault tree analyses, it is necessary that the definition of system boundaries and the conventions used to represent logic symbols, event coding, and representation of human errors and common cause failures be a priori specified for all the fault tree analysts. It is suggested that one system analysis be prepared before the fault trees for the other systems are started to serve as a guide. Human actions that occur following the initiating event are properly treated at the event tree level. The only human actions that should be included as events in the fault trees are those actions that potentially follow test and maintenance.

2. All assumptions made while constructing a fault tree should be documented, together with the source (and revision number) of all design information used. In this way, consistency will be promoted throughout the analysis and traceability will be maintained.

3. When systems are not modeled in detail and reliability data at the system level are used, failure events that are common with other systems should be separated out and explicitly considered.

4. Computerized methods should be used for handling the solution and quantification of fault trees to ensure consistency, comprehensiveness, efficiency, and quality.

5. It is strongly recommended that clear and precise definitions of system boundaries be established before the analysis begins. Any modifications to these definitions should be made known to all the other system analysts during the course of the analysis. The analysis boundary definitions should be included in the final documentation covering the systems modeling. The interface points between frontline systems and various support systems could, for example, be located as follows:

  • for electrical power supply, at the buses from which components considered within the system are fed;
  • for actuation signals, at the appropriate output cabinets of the actuation system; and
  • for support systems providing various media (water, oil, air), at the main header line of the support system.

In cases where equipment or piping is shared between several systems, guidance to the proper establishment of the system boundary is usually provided by the system descriptions and drawings. Such cases must be brought to the attention of the system analysis task leader in order to avoid possible omissions and/or double counting of shared components.

6. It is important that a standardized format be used for coding the basic events in the fault trees. The formatting scheme should be compatible with the IRRAS code for the systems analysis, and the scheme should also enable the basic events to be clearly related to the following:

  • component failure mode,
  • specific component identification and type,
  • specific system in which the component is located, and
  • plant codings for the components.

To prepare the system models for either the concurrent or subsequent evaluation of environmental hazards, the system models should contain additional information on the location of the component and on the susceptibility of the component to the environmental hazard of interest (e.g., earthquake, fire, or flood). It is suggested that information of this type be encoded within the component name or provided on separate tables correlating events with applicable information.

To assist the analysis of dependent failures (other than those caused by extreme environments), the coding scheme should include information on location, designation of generic type, and test and maintenance procedures.

7. Fault trees should represent all possible failure modes that may contribute to the system's unavailability. This should include contributions due to outages of a system (or a portion of a system) for testing and maintenance. Human errors associated with failure to restore equipment to its operable state following testing and maintenance and human errors associated with accident response should also be included where applicable. Considerations of potential operator recovery actions are often specific to accident sequences and are best treated in the quantification of accident sequences (see Sections 3.2.6.1 and 3.2.6.2).

8. The following aspects of dependent failures should be reflected in the fault trees:

  • interrelations between initiating events and system response,
    - common support system faults affecting more than one front line system or component through functional dependencies,
    - human errors associated with common test and maintenance activities, and
  • components shared among frontline systems.

Dependent events should be modeled either explicitly or implicitly as noted in the following points:

  - Multiple failure events for which a clear cause-effect relation can be identified should be explicitly modeled in the system model. The root cause of these events should be included in the system fault tree so that no further special dependent failure model is necessary. This applies to multiple failures either caused by an internal equipment failure (such as cascade failures and functional unavailability events caused by components) or resulting from a clearly identifiable human error (such as human error in the steps of a prescribed procedure).

  - Multiple failure events that are susceptible to dependencies, and for which no clear root cause event can be identified, can be modeled using implicit methods, such as the parametric models (see Section 3.2.3).

  - There can be instances when there is a set of multiple failure events for which explicit modeling of the cause is feasible (even in principle) but not performed because it would be too difficult. Encapsulating the events in a parametric model is the preferred approach. The decision is made by the analyst based on experience and judgment, taking into consideration the aim and scope of the analysis. In other cases, explicit modeling may be impracticable because the component failure data do not allow different failure causes to be distinguished. Explicit modeling should in principle go as far as reasonable, largely depending on the resources for the analysis and the level of detail required. Otherwise, an upper bound should be assessed and parametric modeling used. The analyst should clearly document the parametric modeling approach, the input, and the events that have been modeled explicitly.

9. The operability of some systems in response to an initiating event can be directly affected by the initiating event. Loss-of-coolant accident and loss-of-offsite power are two initiating events that can directly affect the performance of the responding systems. For these cases, the impact of the initiating event on the operability of each system should be explicitly included in each system fault tree. This representation also permits the proper quantification of the accident sequences. In the small event tree/large fault tree approach, which has been adopted in this study, the impact of the initiating events can occur at the component level.

10. To simplify and reduce the size of the fault trees, certain events are often excluded owing to their low probability in comparison with other events. Examples of simplifying assumptions are illustrated below:

  - Flow diversion paths for fluid systems should be considered only if they could seriously degrade or fail the system. A general rule is that the diversion path may be ignored for failure to start if the pipe diameter of the diversion path is less than one third of the primary flow path.

  - Spurious control faults for components after initial operation should only be considered if the component is expected to receive an additional signal to readjust or change its operating state during the accident.

  - Position faults prior to an accident are not included if the component receives an automatic signal to return to its operable state under accident conditions.

Assumptions of this type must, of course, be documented and justified in the PRA report.

11. The testing procedures used in the plant must be closely examined to see whether implementation of the procedures can introduce potential failure modes. All potential failure modes identified must be documented. An example would be if, during testing, the flow path through a valve is isolated, and at the end of the test, the flow path remains closed (possibly due to human error) with no indication that the flow path is still closed.

12. Tripping of pumps and other safeguards, intended to protect a component, must be carefully identified since they can be a source of common mode failure. For example, spurious trips of auxiliary feedwater pumps on low suction pressure can lead to system failure if recovery does not occur.

13. In a sequence in which some systems succeed while others fail, it is important to make the system failures correctly conditional on the other systems' successes. Success trees are one way for expressing this conditional correspondence. There are certain advantages that are offered by algorithms which operate on the top event by simply deleting cutsets that violate the system success specified in the sequence.

Fault trees are to be used in the present analysis. Other methods have been used in PRAs. Selected issues, such as the determination of the frequency of an event initiated by the failure of a normally operating multiple train, may be best addressed by a method other than fault trees. For information purposes, two other methods are highlighted below.

Task 2 - Subtle Interactions

The objectives of this task are to identify and to explicitly model subtle interactions that could potentially cause single or multiple component failures, which are neither covered by a common cause failure analysis nor addressed in the dependency matrix. Ideally, most interactions would be caught in the system analyses, dependency matrices, and event tree models. This task would allow the analyst to systematically look for additional interactions that could have been missed in the earlier analyses.

Subtle interactions are categorized as interactions between components and/or systems that can be caused by changes in the operating environment of the components, by conditions directly related to specific plant design and operational features, or from the progression of a given accident sequence. These types of interactions mostly stem from mechanistic causes. If they could be identified a priori, then these interactions could be explicitly modeled in event trees or fault trees by using house events that would reflect the necessary causal relationships. Two examples that illustrate these types of interactions are provided below:

1. In a two-train, cross-tied system, failure of a discharge check valve (stuck open) could cause failure of the system. This can occur when one pump has been turned on while the pump in the other train has failed to start and run. In this case, the flow simply recirculates backward through the idle pump. This conditional interaction within a system would depend on a check valve failure in the cross-tie line and on the pump in the other train being idle. These types of mechanically determined interactions should be identified through detailed system evaluations and accounted for explicitly in system fault trees.

2. For certain types of motor-operated valve designs and for some systems where these motor-operated valve types are periodically tested using a low differential pressure (ΔP), there is little or no assurance that the valves would reliably operate when exposed to a high ΔP attributable to the progression of specific PRA scenarios. The unavailability of these motor-operated valves (both single and multiple) then would be dependent on the ΔP that is imposed by the accident sequence being analyzed. Appropriate house events should be used in the fault trees that explicitly consider the expected ΔP on valve operability for the scenarios being analyzed.

The above examples focused on hardware-oriented subtle interactions. There are also subtle human interactions that could cause multiple component failures. These types of human-caused subtle interactions are covered in the task Human Reliability Analysis (see Section 3.2.5).

The process by which these forms of subtle interactions are identified is not well structured. There are various information sources in the open literature that can be used for identifying these types of interactions. These sources include: past PRAs, historical events across the industry, and U.S. Nuclear Regulatory Commission (NRC) reports on industry-wide experiences. These documents are reviewed to see whether the interactions described are applicable for the specific PRA. Besides these sources of information for identifying potential plant-specific subtle interactions, the analysis should rely heavily on engineering judgment and in-depth system evaluations to assure that as many interactions as possible are identified and modeled. Notwithstanding, the guidance presented here and the state-of-the-art in PRA methodology do not provide any assurances that the list of identified interactions is complete and comprehensive. Furthermore, the lack of national and international databases documenting subtle interactions hinders future progress towards a comprehensive dependency analysis. Therefore, the extent to which these analyses are considered as complete would depend on the individual capabilities and combined experience of the PRA team. Assigning the occurrence probabilities to these subtle interactions would, however, be rather straightforward once the underlying mechanism for their occurrences is understood.

The following activities are normally performed as part of this task. However, it should be noted that U.S. practice in this area reflects embedded assumptions regarding U.S. plant design features and maintenance practices. Therefore, for the present application, the guidance provided for this task should be regarded only as a starting point.

Development of a design-specific database on possible subtle interactions for different designs would be a positive step for future PRAs and augmentation of current PRAs.

Review of Literature

The appropriate literature is reviewed and the current understanding of any subtle interactions that are considered applicable to the Kalinin plant is documented. The focus of the literature review deals with information gleaned from past PRAs and reports documenting their insights, various safety studies, generic issues, etc. For example, NUREG/CR-4550 (Ericson, 1990) contains anecdotal information on some of the experiences with subtle interactions found in U.S. plants. There could be other, more relevant information sources. A starting point, for example, could be the insights found in current or recent PRA studies for other VVER plants as those found in the IAEA document WWER-SC-152 (IAEA, 1996).

Cataloging Subtle Interactions

The current understanding of the subtle interactions, based on major historical events and other formalized studies, is catalogued in a manner suitable for data analysis. Summaries of generic issues, issues identified in annual reports (such as NRC, 1996) published by the NRC Office of Analysis and Evaluation of Operational Data, annual reports (NRC, 1986) generated by the Accident Sequence Precursor Studies Program, and NRC notices are some of the documents typically reviewed. Interviews with plant staff could also be quite useful in this case.

Engineering Evaluations

Engineering evaluations are performed by selecting a group of components that have a common characteristic--for example, same location, same actuation logic, etc. The engineering evaluation could be a set of what-if questions that examine the conditions imposed by various scenarios on the system and the performance of components within the system. These engineering evaluations should be performed with the help of plant staff who may already suspect or be aware of these types of plant-specific interactions.

3. Technical Activities

Documentation

Any subtle interactions considered relevant to the PRA are documented. One or more ways in which the plant logic models (fault trees and event trees) can be augmented are proposed that will appropriately account for the mechanistic processes involved with these interactions. Ways for estimating the probabilities for such occurrences are also proposed and, wherever possible, estimates are provided. These documents should also be distributed to both the system and event tree analysts to assure consistency in approach and completeness in meeting task objectives.

Task 3 - Spatial Interactions

The objective of this task is to identify potential environmental hazard scenarios at the plant. This objective is accomplished by systematically identifying hazard sources and potentially vulnerable plant equipment. Hazard scenarios are postulated from the hazard and plant equipment location information developed in this task. This task also includes a screening of the postulated hazard scenarios. The scenarios that survive the screening process constitute one of the key inputs to the subsequent detailed flood analysis (see Section 3.5) and fire analysis (see Section 3.6). The equipment location information is also used to support the assessment of seismic events (see Section 3.7).

The external events of interest in a PRA can be generally grouped into two categories: events that are truly external to the plant (e.g., seismic events or severe meteorological phenomena) and events that involve internal hazards (e.g., fires and floods) that can simultaneously affect nominally separated components. The term "environmental hazards" is used to describe the latter. The primary thrust of the spatial interactions analysis is to provide a first iteration of the identification and quantification of potential environmental hazard scenarios. However, the information developed in the spatial interactions task also supports the analysis of external events, such as seismic events, through the identification of the spatial relationships of plant components.

It should be recognized that much of this task involves the use of expert knowledge, engineering judgment, and knowledge of the internal events PRA. During the conduct of this task, it is assumed that the internal events plant model is sufficiently mature so that conservative but defensible screening of scenarios can be accomplished. It is unlikely that a "final" plant model will be available when this task is being performed. Therefore, any plant model changes made after the scenario screening process has been performed should be reviewed to determine if the results of the screening process are affected.

The analytical approach outlined in this procedure guide is the result of an evolving process. One early attempt to formally address the hazards associated with the spatial relationships of equipment in a plant was performed as part of the Seabrook Probabilistic Safety Assessment (PLG, 1983). The approach has been utilized in many subsequent PRAs, such as the assessment of environmental hazards at Brookhaven National Laboratory's High Flux Beam Reactor (Ho and Johnson, 1994) and in the Gösgen Probabilistic Safety Assessment (PLG, 1994). The methodology outlined here begins by first identifying the sources of hazards and constructing scenarios arising from those hazards. An alternative methodology can be constructed that is "target" based rather than "source" based. The two approaches are conceptually similar. Both involve a systematic scrutiny of the plant to identify hazards and the development of scenarios. The target-oriented approach was chosen for the NUREG-1150 analyses (Bohn and Lambright, 1990). An example of the application of this approach can be found in Bohn et al. (1990).

This task is accomplished by completing five activities:

1. Collection of plant information and performance of a plant walkdown,
2. Development of a spatial interaction database,
3. Identification of potential hazard scenarios,
4. Performance of a preliminary screening of the identified scenarios, and
5. Development of scenario tables.

Each of these activities is discussed below.

Collection of Plant Information and Performance of a Plant Walkdown

The spatial interactions analysis starts by collecting and organizing all of the relevant plant information.
This includes a review of the plant general arrangement and technical drawings to collect information about the plant layout, equipment locations, functions of the equipment, and potential hazard sources. The PRA dependency matrices, system analyses, and event models are also desirable sources of information to help the spatial interactions analysts become knowledgeable about the plant systems, intersystem dependencies, the initiating events, and the plant response to the initiating events.

A plant walkdown checklist is developed to help the spatial interactions analysts systematically itemize the information collected during the plant walkdown and for documenting questions that must be resolved. A typical checklist for one zone of the plant would contain the zone ID and name, the building name, the PRA and non-PRA systems and/or trains, any large heat, smoke, or water sources, as well as other sources and their locations. For the PRA and non-PRA equipment, the vulnerabilities and hazard sources would be listed. Component separation would be indicated, and photographs or sketches attached. For each hazard source, information regarding location, detection, suppression, access, occupancy, and traffic in the area would be provided.

Specific hazards and hazard sources are listed in the discussion of Activity 2. It should be noted that these checklists serve primarily as "notebooks" for the analysts, whereas formal documentation of the information is made through the databases and scenario tables discussed below. In most cases, it is not necessary to complete the entire checklist for a specific location, and a single checklist may be used to document several similar locations.

To prepare for the plant walkdown, a systematic scheme to identify locations within the plant is required. As indicated below (in the discussion of Activity 4), it is desirable that, at least initially, broad physical boundaries be used to define plant locations. These locations may be based on physical considerations, such as walls and doors, or on physical separation distances. In general, it is desirable to define larger zones in buildings such as the turbine or off-gas buildings, and smaller zones in buildings such as the auxiliary building, the control building, or within containment. Existing information, such as the definition of fire areas or flood zones, may be a useful starting point. The areas or zones defined at this point will be refined and revised as the analysis continues (i.e., in the fire and flood analyses). Many areas will likely be shown to be risk insignificant in the subsequent screening process. Other areas will be of interest only if the hazard propagates to adjoining areas. Still other areas will require subdivision in order to appropriately describe the risk scenarios. The important point is that a systematic scheme is required at this time that will address all locations in the plant.

A plant walkdown is conducted to confirm and augment the information gathered from the documents, to inspect the amount and location of possible transient hazards, and to help visualize the spatial interactions of hazards with equipment. Photographs, sketches, and notes are often made to document complex configurations. The plant walkdown team is responsible for identifying all potential hazard sources and the location of equipment of interest throughout the plant. The equipment of interest is equipment whose failure or degraded function would lead to a plant transient, reactor runback or trip, or turbine runback or trip. It also includes equipment that has a role in defining the progression of events following these types of upset conditions. For convenience, we refer to such equipment as PRA-related equipment, or more succinctly, "PRA equipment." The team also evaluates the routing of important electrical power, control and instrument cables, and system piping. It is important that every plant location be systematically examined to ensure completeness of the analysis.

Development of Spatial Interaction Database

The information and results from these walkdowns are sorted and catalogued to ensure consistency and traceability throughout the analysis. Databases are then developed to minimize the potential for errors and to enhance the flexibility for data retrieval and searches. It is anticipated that existing database software is adequate. These databases contain the following information:

  • Identification of locations within the facility
  • Location of all PRA equipment and related cables and piping
  • Susceptibility of equipment, cables, and piping to hazards
  • Hazard mitigation features
  • Hazards associated with equipment, cables, and piping
  • Location of all hazards
  • Potential hazard propagation pathways between locations
  • PRA top events that include the affected equipment.

These databases are cross linked so that one can identify, for example, the PRA equipment, the hazards, and the mitigating features for any given location.

The specific PRA-related equipment of interest are those components (and their cables) whose failure, or change of status, may cause an initiating event or may impair the availability of systems required for accident prevention and mitigation. These components are identified by a thorough review of the PRA event and system models. Passive components, such as check valves, are not normally susceptible to fire or other environmental hazards but are included in the list to support the seismic analysis. Other passive components, such as manual valves and hoses, are of particular interest if plant operators are required to manipulate this equipment as part of their emergency response actions. These actions by the operator may be hindered if a hazard (such as a fire) is present where this equipment is located. The equipment database also includes power, control, and instrumentation cables that support normal and emergency operation of the PRA components.

The types of hazards considered in the spatial interactions analysis include:

  • Fire and smoke
  • Explosion
  • Flood water
  • Water spray
  • Steam spray
  • Missiles
  • Falling objects
  • Chemical hazards.

Equipment in a large complex facility is generally exposed to a variety of hazards. The components in different systems are susceptible to different hazards, based on the characteristics of the components, their location, and the types of protection features that are available. For example, electrical cables may be susceptible to damage by a fire, causing loss of power to equipment or generating spurious signals to instrumentation and control equipment. They are not generally susceptible to damage if they are submerged by a transient flood, unless electrical contacts are exposed. Table 3-12 lists general types of equipment that are susceptible to damage if a particular hazard occurs in their location. Table 3-13 lists typical hazards that may be created by a variety of components. The identification of specific hazards in each location will provide the basis for later quantification of the hazard scenarios. Typically, the following categories of plant components are considered as possible ignition sources for nuclear power plant fires:

  • Batteries
  • Battery chargers
  • Cabinets (including logic cabinets, relays, panels, fuses and switches)
  • Cables (including control and power cables)
  • Control room equipment
  • Diesel generators
  • Heating, ventilation, and air conditioning equipment
  • Motor-operated valves
  • Motor control centers
  • Pumps and chiller units
  • Air compressors
  • Switchgear
  • Turbines
  • Large transformers
  • Small transformers

For internal floods, the following specific sources are sought and documented:

  • Valves
  • Piping
  • Tanks
  • Heat exchangers
  • Drains
  • Heating, ventilation, and air conditioning ductwork.

It is also desirable to know the nominal pressure of some components.

The next activity of the analysis uses the specific equipment/location databases to correlate the sources of specific hazards with the locations of PRA components that are susceptible to damage from those hazards.

Table 3-12 Equipment hazard susceptibility

Hazard Type  Hazard Description  Equipment Susceptible to Damage in the Designated Area
CA           Chemical Hazards    All active components; electrical parts of equipment.
EX           Explosion           All equipment and components.
FO           Falling Objects     All equipment and components in the pathway.
FS           Fire and Smoke      All active components; electrical parts of equipment.
FW           Flood Water         All active components that are not waterproof and all electrical parts of equipment (not including cables) below water level.
MI           Missiles            All equipment.
SS           Steam Spray         All active components that are not waterproof and all electrical components except for cables.
SW           Water Spray         All active components that are not waterproof and all electrical components except for cables.

Table 3-13 Hazards associated with equipment

Description                        Associated Hazards*
Air Compressor                     MI, FS
Air Handling Unit                  FS, FW, SW
Air-Operated Valve
Battery                            FS, EX
Battery Charger                    FS
Caustic Piping                     CA
Caustic Storage Tank               CA
Chiller                            MI, SS, FW, SW
Concrete Coating                   FS
Control Cable                      FS
Crane                              FO
Distribution Panel                 FS
Electric Heater                    FS
Electrical Cabinet                 FS
Fan                                FS, MI
Filter                             FS
Fire Hoses                         FS, SW
Flammable Gas                      EX, FS
Heat Exchanger/Cooler              FW, SW
Heater; e.g., space                FS
Motor Control Center               FS
Motor-Driven Pump                  FS, MI
Motor-Operated Valve               FS
Oil System; e.g., pump or lube     FS, EX
Pneumatic Valve
Portable Extinguisher (CO2)        MI
Portable Extinguisher (Water)      MI, SW
Power Cable                        FS
Pressurized Canisters              MI
Propane Generator                  MI, EX, FS
Radiation Monitor
Relay Cabinets                     FS
Solenoid Valve                     FS
Sprinklers, Dry Pipe               FW, SW
Steam Piping                       SS
Switchgear                         FS
Transformer                        FS, EX
Transient Fuel                     FS
Water Piping                       FW, SW
Water Tank                         FW, SW

* Defined in Table 3-12
Identification of Potential Hazard Scenarios

The spatial interactions databases are analyzed to sort and categorize types and sources of potential hazards in each plant location. Special attention is focused on all locations that contain PRA equipment. However, locations that do not contain PRA equipment are also examined if they contain hazards that may propagate to other locations containing PRA equipment, e.g., flood water that drains from upper floors to lower elevations in a building or causes barrier failure. This activity defines the scope of the hazard scenarios developed for each plant location.

Perform Preliminary Screening

It is often possible to eliminate a large number of locations and hazards from further analysis, based on a qualitative examination of the information from the preceding activities. This preliminary screening analysis considers the following possible impacts for each location from each potential hazard.

1. The hazard and the propagation of the hazard do not cause an initiating event (e.g., a reactor trip or a runback demand) and concurrently do not damage any PRA equipment.
2. The hazard may cause an initiating event, but it does not damage any PRA equipment.
3. The hazard may cause an initiating event, and it may damage equipment in one or more systems modeled in the PRA.
4. The hazard does not cause an initiating event, but it may damage equipment in one system modeled in the PRA.
5. The hazard does not cause an initiating event, but it may damage equipment in more than one system modeled in the PRA.

All locations and hazards that satisfy the first screening criterion (does not cause an initiating event and does not damage PRA equipment) are eliminated from further consideration in the risk analysis. Within the context defined by the PRA models, these hazards have no measurable impact on plant risk.

Locations and hazards that may cause an initiating event but do not damage PRA equipment (the second criterion) are examined more carefully to determine the type of initiating event that can occur. If the initiating event has been evaluated as part of the internal events analyses (e.g., reactor trip, loss of feedwater, etc.), no additional analysis is necessary to separately quantify the contribution to plant risk by the external event. The internal initiating event frequency data already account for the contributions from all observed causes, external and otherwise. However, if the hazard can cause an initiating event that has not yet been considered, the location is retained for more detailed analysis in this portion of the study.

A similar screening approach is used for hazards that satisfy the fourth criterion (does not cause an initiating event but may damage equipment in one PRA system). If the hazard can cause equipment failures that are already included in the system fault tree models and equipment reliability databases, no additional analysis is necessary to separately evaluate these causes for system unavailability. However, if the hazard can cause unique failure modes or introduce dependencies that are not otherwise evaluated in the system fault trees, the location is retained for more detailed analysis in this portion of the study.

All hazards that satisfy the third and fifth screening criteria (the hazard can either cause an initiating event and impart damage to at least one PRA system, or it may cause damage to multiple PRA systems, respectively) are retained for the final activity of the spatial interactions analysis.

At this point in the analysis, preliminary screening is based only on the qualitative criteria summarized above. No quantitative information or comparative numerical analyses are applied to eliminate locations or hazards from further consideration. If there is any question about the applicability of a particular screening criterion, the hazard or location in question is retained for more detailed analysis in the subsequent activities. Thus, these preliminary screening criteria may be applied consistently without the need to reexamine these hazards or locations, even if the numerical results from the risk models are later refined.

The locations that remain after this preliminary screening process are often called "critical locations" or "functional impact locations." These locations are defined by a combination of the type of hazard being examined, the physical plant layout, the types of equipment in each plant area, and the functional impacts that may occur in the PRA models if the affected equipment is damaged. It is desirable to initially define rather broad physical boundaries for each location. This provides a manageable number of different locations that must be examined in the more detailed activities of the analysis. However, the locations must also be defined consistently with respect to the possible PRA impacts from each hazard scenario. Thus, a particular functional impact location may include a single room, part of a room, or a combination of plant areas, and more than one hazard scenario may be developed for each location. A unique designator is assigned to each functional impact location to facilitate its identification in later phases of the analysis.

Development of Scenario Tables

Hazard scenarios are developed for each hazard and each functional impact location that survives the preliminary screening process. Each hazard scenario is defined by an impact, or set of impacts, that may develop if a postulated hazard occurs within the location. In the full context of the PRA models, a complete scenario always represents a class of events that may occur in real plant experience. For example, a complete fire scenario includes an ignition phase, propagation, detection, suppression, damage to PRA equipment, and the subsequent sequence of equipment responses and operator actions that result in either safe plant shutdown or core damage. However, at this activity in the analysis process, each hazard scenario is limited to identification of the hazard source and documentation of the PRA equipment that may be affected directly by that hazard.

To ensure completeness in the more detailed analyses performed in later activities, the hazard scenarios are typically defined at a rather general level and are all-encompassing. For example, a fire scenario is defined as "localized" when any fire event that may occur within the functional impact location does not have any adverse impact on adjacent locations. This fire scenario actually represents a large class of possible fire events that range from very small fires that may damage only one component to a major fire that may damage all equipment in the location.

In the spatial interactions analysis, a scenario always assumes that the identified hazard damages all of the PRA equipment in the location, regardless of the size, severity, or duration of the hazard event. This is obviously a very conservative assumption for many actual hazards. For example, a small fire in a corner of a large room may not damage any equipment a few meters from the ignition point. However, the application of very conservative assumptions is acceptable and desirable in this phase of the analysis. This keeps the number of individual scenarios within a practically manageable limit, and it facilitates an efficient screening process to ensure that no potentially important scenarios are overlooked.

In practice, the first pass through a quantitative screening analysis (as described in Sections 3.6 and 3.7) typically demonstrates that a large number of these conservatively defined scenarios are clearly insignificant contributors to plant risk. These scenarios are documented and are removed from further detailed consideration. A relatively small number of scenarios may not be eliminated during the first application of quantitative screening. For these scenarios, this activity of the analysis process marks the point at which successive refinements are applied to redefine the scenario, to reexamine its impacts, and to develop more realistic models for its actual contribution to risk.

A unique designator is assigned to each hazard scenario. These designators are later used in the PRA event models to identify each internal hazard initiating event. The functional impact location designators are not used to identify the scenarios because more than one scenario may be developed for a particular location, e.g., a fire that causes open circuits, a fire that causes short circuits, a flood, etc. Each scenario is then documented in a scenario table.

If propagation of the hazard scenario is possible between locations (e.g., flood water originates in location A and propagates to location B), then a separate unique scenario is defined and a separate scenario is constructed.

Table 3-14 illustrates a typical scenario table. In this illustration, each scenario table has a 5-item header followed by nine data entries. The header describes the location of the scenario. The location description includes the building, the physical areas included in the scenario, a short description of the location, and the unique designator for the functional impact location. In the example from Table 3-14, the functional impact location includes only Room E-0251. This room is the Division 1 switchgear room at Elevation 0.0 m of the electrical building. This location has been assigned the functional impact location designator S1. However, a single functional impact location may also include a large number of physical areas in the plant.

Table 3-14 Illustration of a typical scenario table

BUILDING: E
LOCATION: E-0251
LOCATION NAME: Division 1 Switchgear Room, Elevation 0.0 m
LOCATION DESIGNATOR: S1
SCENARIO DESIGNATOR: FIRES1

1. TYPE OF HAZARD SOURCE: Switchgear, Cables, Transients
2. SCENARIO INITIATION: Fire from any hazard source in Item 1
3. PATH OF PROPAGATION
   A. PATH TYPE: None (localized)
   B. PROPAGATE TO: None
4. SCENARIO DESCRIPTION: Fire damages Division 1 switchgear
5. HAZARD MITIGATION FEATURES: Detectors
6. SCENARIO FREQUENCY: 3.96 x 10^-3 per year
7. PRA-RELEVANT EQUIPMENT WITHIN THE AREA
   Equipment   Top Event   Equipment Impact
   BS1-EP      EP          Note 1
   BS1-BA      BA          Note 1
   BS1-CA      BA          Note 1
   BS1-CJ      BA          Note 1
   BS1-BU      BU          Note 1
   BS1-EU      BU          Note 1
   BS1-FU      BU          Note 1
8. RETAINED AFTER SCREENING ANALYSIS: No
9. NOTES
   1. It is assumed that any fire in this area affects the power supplies for all equipment powered from 10 kV bus BA, 6 kV bus BU, and 380 V AC bus EP. The split fraction rules for Top Events BA, BU, and EP have been modified to fail power from these buses for all fires in this area.

The last header item is the scenario designator. It is often helpful to assign designators that easily identify both the particular type of hazard being evaluated and the functional impact location. For example, designator FIRES1 applies to a fire event scenario in electrical building location S1. This is especially useful if more than one scenario is developed for a particular location.

The following nine data entries are included in each scenario table. Entries 1 through 5 and 7 (partial) are completed within this task's activities. Entries 6, 7 (partial), 8, and 9 are completed during the detailed scenario analysis phase (i.e., the fire and flood analyses).

1. Type of Hazard Source. This entry documents the hazard sources identified during the initial review of plant information and the plant walkdown. The major fire hazard sources in the switchgear room, for example, should include the switchgear, electrical cables, and small quantities of transient combustibles that may be brought into the room during maintenance activities.

2. Scenario Initiation. This entry identifies the specific type of hazard. For scenario FIRES1, the hazard is a fire.

3. Path of Propagation. The path for possible propagation of the hazard to other locations is listed in this entry. A hazard is designated as localized if it does not propagate to other locations. As noted previously, most functional impact locations are defined very broadly to encompass all possible hazard scenarios within the location and to avoid a significant possibility of propagation between locations. Therefore, according to this practice, most hazards are designated as localized within the defined location. Scenario FIRES1 evaluates a fire confined within the switchgear room.

4. Scenario Description. This entry provides a brief description of the scenario.

5. Hazard Mitigation Features. This entry briefly summarizes the hazard mitigation features that are present in the location. Table 3-15 provides a list of typical mitigation features for different types of hazards. The scenario tables generally summarize only automatic detection, automatic suppression, and passive mitigation features. Possible manual mitigation features are not generally listed in these tables. Thus, Table 3-14 notes that the switchgear room contains fire detectors, but it does not identify the availability of manual fire suppression equipment. The effectiveness of these mitigation features is not evaluated quantitatively during the initial scenario screening process. More information may be provided about mitigation features for scenarios that require detailed quantitative analyses of hazard initiation, growth, propagation, detection, and mitigation.

6. Scenario Frequency. This entry lists the mean annual frequency at which the hazard is expected to occur. This frequency is equivalent to the initiating event frequency for the hazard scenario. It is the total frequency for any hazard type being evaluated, regardless of the hazard severity. Thus, Table 3-14 indicates that the mean frequency for switchgear room fires of any reportable size is approximately 3.96 x 10^-3 fires per room-year, i.e., one fire is expected to occur in Room E-0251 every 253 years. Although this factor is listed in Table 3-14, the hazard occurrence frequency is actually assessed during the second phase of the internal plant hazard analysis. The frequency assessment process is described in Sections 3.6 and 3.7.

3. Technical Activities Table 3-15 Typical hazard mitigation types Mitigation Type Hazard Types*

Curb FW Drain FW Drain Pump FW Fire Dam per FS Fire D ete cto r (T herm al) FS Fire Hoses FS Missile Shield MI W atertight Door (Blockage) FW Nonwatertight Door (Drainage) FW Pe desta ls FW Portable Extinguisher (CO 2) FS Po rtable Ex ting uisher (D ry Chem ical) FS Portable Extinguisher (Othe r) FS Radiant Energy Heat Shields FS Sprinklers (Preaction) FS Standpipe FS S um p CA, FW S um p Pum p CA, FW Sum p or Roo m Flood Alarm FW W alls (11/2-Hour Rates) FS W alls (Other) FS Yard Fire Hydrant FS

  • As defined in Table 3-12.
7. PRA Equipment within the Area. This entry lists all PRA equipment in the location. This list is derived from the spatial interactions equipment location databases developed in Activity 2 of the analysis. This entry also identifies the PRA event tree top event for each component, and it briefly summarizes the functional impacts assumed to occur if the PRA equipment is damaged by the hazard.

8. Retained after Screening Analysis. The quantitative screening process is described in later tasks (see Sections 3.6 and 3.7). This entry documents whether the potential risk significance of the scenario is small enough to justify its elimination from further detailed analysis.

9. Notes. This entry includes additional detailed notes that document specific information about the hazard frequency assessment and the functional impact analysis.

A scenario table is developed for every hazard scenario that is retained from the preliminary qualitative screening process in Activity 4 of this task. Each table completely describes the defined scenario, the occurrence frequency of the scenario, and its specific impacts in the PRA models.

The risk analysis of environmental hazards is conducted in at least two stages. The first stage, scenario development, begins with the identification of potential environmental hazards at a broad level and ends with an extensive list of hazard scenarios at each location within the plant that could be potentially significant to risk. This first stage is referred to as a spatial interactions analysis and is the focus of this task. The second stage, the subject of the fire and flood analyses, performs detailed analyses to determine the plant impact frequency, evaluates plant recovery actions, and assesses the risk significance of the scenarios. Initially, for screening purposes, the scenario risk analysis applies conservative estimates for the occurrence frequency assessment and plant impact. Upon focusing on the important scenarios that are retained after screening, the analysis increases the level of detail used to consider reducing the conservatism in the original treatment of those scenarios and requantifying the impact to risk.

The processes in the overall environmental hazards risk analysis are inherently counteractive and must be balanced in a meaningful practical risk analysis. Ideally, the spatial interactions analysis identifies all potential hazard scenarios, regardless of occurrence frequency or potential degree of impact on the plant, that can cause any conceivable amount of damage. This would ensure that all locations and all possible hazards will be fully examined. On the other hand, to use available resources most efficiently and to maintain a proper balance throughout the risk assessment process, the detailed scenario risk analysis demands that only relatively risk-significant scenarios be evaluated in detail. This "top-down" approach to risk assessment minimizes the effort in quantifying the risk associated with unimportant locations. Therefore, the scenarios identified during the spatial interactions analysis are to be as comprehensive as possible while maintaining a manageable number for the subsequent detailed fire and flood analyses. In practice, experience has shown that the two stages of the analysis of environmental hazards are somewhat iterative and must be closely coordinated.

3.2.3.4 Task Interfaces

Plant Familiarization. This task provides key source material for the system modeling, subtle and spatial interactions.

PRA Scope. The systems of concern are those needed to perform the functions modeled in the PRA. For the Kalinin PRA, this means the systems modeled for the full power operating state.

Initiating Event Analysis. The systems analysis can possibly identify additional initiating events related to a particular system.

Accident Sequence Development. The sequence development task defines the boundary conditions for the system models. The minimum success criteria for systems to perform their function are established here. System dependencies must be included in the system models.

Data Analysis. The component availability used to quantify the system models comes from the data analysis. In some cases, the initiating event frequencies found in the data analysis can come from system models.

Human Reliability Analysis. Human error events are taken into account in the system models, and the models provide feedback to the HRA.

Quantification and Results. The Systems Analysis task must be completed before the quantification and results of the PRA are completed.

Fire, Flood, and Seismic Analyses. The system models developed for the internal events PRA will also serve for the external event analysis, although additional models or considerations may be needed. The effect of fire, flood, or seismic event scenarios on plant conditions and the resulting subtle interactions needs to be considered when these events are included in a PRA. The completion of the Spatial Interaction task is essential before proceeding with the fire and flood analysis. Spatial relationships of plant equipment are also essential for the seismic analysis.

3.2.3.5 References

Bohn, M. P., et al., "Analysis of Core Damage Frequency: Surry Power Station, Unit 1, External Events," NUREG/CR-4550, Vol. 3, Rev. 1, Part 3, Sandia National Laboratories, December 1990.

Bohn, M. P., and J. A. Lambright, "Procedures for the External Event Core Damage Frequency Analyses for NUREG-1150," NUREG/CR-4840, Sandia National Laboratories, November 1990.

Chu, T.-L., et al., Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations at Surry, Unit 1, Vol. 2, NUREG/CR-6144, Brookhaven National Laboratory, June 1994.

Drouin, M., et al., Analysis of Core Damage Frequency from Internal Events: Methodology Guidelines, NUREG/CR-4550, Vol. 1, September 1987.

Ericson, D. M., et al., Analysis of Core Damage Frequency: Internal Events Methodology, NUREG/CR-4550, Vol. 1, Rev. 1, Sandia National Laboratories, January 1990.

Haasl, D. F., et al., Fault Tree Handbook, NUREG-0492, U.S. Nuclear Regulatory Commission, January 1981.

Ho, V. S., and D. H. Johnson, "Probabilistic Risk Analysis of Environmental Hazards at the High Flux Beam Reactor," Final Report, PLG-0975, prepared for Brookhaven National Laboratory, PLG, Inc., April 1994.

IAEA, Insights from PSA Results on the Programmes for Safety Upgrading of WWER NPPs, WWER-SC-152, 1996-11-29, limited distribution, International Atomic Energy Agency, October 1996.

NRC, The Use of PRA in Risk-Informed Applications, NUREG-1602, Draft Report for Comment, June 1997.

NRC, Analysis and Evaluation of Operational Data - Annual Report, 1994-FY-95, NUREG-1272, Vol. 9, No. 1, U.S. Nuclear Regulatory Commission, July 1996.

NRC, Precursors to Potential Severe Core Damage Accidents: A Status Report, NUREG/CR-4674, U.S. Nuclear Regulatory Commission, issued periodically (annually) since 1986.

PLG, "Gösgen Probabilistic Safety Assessment," prepared for Kernkraftwerk Gösgen-Däniken AG, PLG-0870, PLG, Inc., February 1994.

PLG, "Seabrook Station Probabilistic Safety Assessment," PLG-300, prepared for Public Service Company of New Hampshire and Yankee Atomic Electric Company, PLG, Inc., December 1983.

3.2.4 Data Analysis

Data analysis consists of three interrelated tasks--namely, determining (1) the frequency of initiating events, (2) component reliability, and (3) common-cause failure (CCF) probabilities. The first of these tasks quantifies the frequency of each group of initiating events identified in the task Initiating Event Analysis (refer to Section 3.2.1). The second task is to obtain plant-specific estimates of the unavailability of specific equipment. The third task is to determine the final values to be used in the parametric models of common-cause failures.

3.2.4.1 Assumptions and Limitations

From the point of view of expressing the frequency of initiating events at a specific plant, the ideal situation would be if sufficient experience were available from that plant to fulfill all the data analysis needs. The nature of the events of interest, however, prevents this from being the case (and from the point of view of plant performance and safety, the occurrence of such events is undesirable). Many events of interest (e.g., large loss-of-coolant accidents [LOCAs]) are not expected to occur during the life of the plant. Therefore, additional sources (experience from identical or similar plants and expert knowledge) are needed for acquiring supplemental information. This additional information is merged in such a way that the combined distribution of plant-specific and generic event data becomes more strongly influenced by the plant-specific information as that evidence matures. Incorporation of evidence from additional sites also will allow for the variation of the frequency of events among similar plants (i.e., site-to-site variability). This variability may be the result of unique plant features or of differences in site characteristics, personnel, and training.

3.2.4.2 Products

The products of the task on determining the frequency of initiating events are:

  • material for the final report.

  • the frequency information in electronic form suitable for use in the sequence quantification activity.

The component reliability task has two products:

  • a generic component database based on generic VVER data should be developed and supplied to the system analysis task in support of fault tree development. The generic data can also be used in the initial quantification of the event tree sequences. For final quantification of the accident sequences, a plant-specific database has to be used.

  • documentation including descriptions of the sources of generic and plant-specific data, descriptions of the component failure models used, a summary of plant-specific failure events, a description of the statistical methods and software used in estimating failure parameters, and tables of both generic and plant-specific data that can be used to calculate the basic event probabilities used in the PRA. Any assumptions made in the analysis, e.g., in interpreting plant-specific data and their application to estimating failure parameters, should be clearly documented.

The task on estimating common-cause failure probabilities has the following products:

  • a KNPS-specific document providing information on the scope of CCF to be modeled, including component types and grouping. It should also identify the CCF parametric models to be used, including the ways that they could be incorporated in system fault trees. The document should be distributed among all system and data analysts.

  • KNPS-specific CCF rates, including a description of the approaches used in arriving at those estimates, should be documented. These estimates would be utilized in the first phase analysis.

  • the risk-significant CCFs identified through initial quantifications and the results of sensitivity and importance evaluation should be documented and used for the refined CCF estimates for the second phase analysis and final quantification.

  • the final set of CCF rates generated through the second phase analysis should be documented for use in the final quantification.

3.2.4.3 Task Activities

Data analysis consists of the following three interrelated tasks--namely, determining (1) the frequency of initiating events, (2) component reliability, and (3) common-cause failure probabilities. Atwood (2003) provides additional guidance on the sources of information and methods available for estimating the parameters used in (1) and (2) above, including quantification of the uncertainties.

Task 1 - Frequency of Initiating Events

The objective of this task is to quantify the current frequency of each group of initiating events identified in the task Initiating Event Analysis (Section 3.2.1). It is desired that the frequencies be expressed in the form of uncertainty distributions and that the determination of the frequencies take advantage of all relevant evidence.

The goal of this task is to develop a probabilistic description of the frequency of the initiating events of interest along with supporting documentation.

The objective is to derive an estimate of the current frequency for each initiating event. As such, specific cases of data censoring may be both appropriate and desirable. Examples of appropriate data censoring are given below; in all cases, a justification for censoring is mandatory.

The original grouping process would have to be revised if the plant records provide different or additional information that indicates the original classification scheme is in error or requires improvement. For example, tripping the main feedwater pumps because of instrumentation indicating a high water level in any steam generator may be listed as a reactor trip due to a high steam generator level. However, these trips are considered more important for the subsequent quantification of a scenario initiated by a loss of feedwater transient than simply a reactor trip, since these trips result in such a condition. Therefore, a strong liaison with the analysts that developed the initiating event grouping is required during this task. Also, it is important to realize that accomplishing the objective of this task requires an engineering perspective that is supported, rather than led, by a statistician.

Many PRAs have assumed that the frequency of initiating events is constant with time. This means the events are statistically random occurrences and the distribution of times between occurrences is exponential. There can be situations when this assumption may not be valid. One such situation is when an implemented plant change (e.g., a modification to plant hardware or procedures) could prevent, or severely curtail, the recurrence of an initiator. Past evidence would then not be representative of the likelihood that this event may occur in the future. Therefore, it would be inappropriate to include this evidence in the plant-specific database. It would be inappropriate to include the time period prior to the modification in the database for this initiator as well.

The so-called "learning curve," typically associated with the operation of a new plant, can also influence the rate of occurrence of a particular initiating event. Changes to plant hardware and procedures early in plant life can impact the frequency of initiators. Typically, the first year of commercial operation is excluded from the data in an attempt to reduce the influence of a new plant's "learning curve" on the frequency estimations. Likewise, the analysts must detect any signs of increasing initiating event frequencies that could be due to the aging, or wear out, of plant hardware.

Plant trip data must be carefully reviewed to determine if there is evidence of time dependence for specific initiator types. Justification is required for any censoring of data. Censoring may be valid, for example, if, as indicated above, changes to plant hardware or procedures have significantly impacted, or even eliminated, the cause of specific initiators.

Ascher and Feingold (1984) provide guidance for addressing time dependence in reliability analyses.

The term "frequency" is used to describe the measurable, or at least conceptually observable, outcome from experience. Since the outcomes are rarely certain, certainty must be expressed in terms of probability. Thus, the likelihood of a particular class of initiators is expressed in terms of a probabilistic frequency distribution. These distributions can be expressed in several different ways. Kaplan (1981) describes the use of discrete probability distributions. Combining discrete distributions is straightforward, although a scheme of "rebinning" the results is required for practical applications. It is also possible to utilize continuous distributions (e.g., Gamma distributions) to represent the probability of frequency data. The Gamma distribution is one option and is an attractive choice since, for Poisson-distributed event counts, the Bayesian update of a Gamma distribution also results in a Gamma distribution. The choice of the distribution's form will be determined by the analyst's preference and the calculational tools available.

Generally, initiating events can be assigned to three distinct categories according to the methods applied to determine frequency of occurrence: general transients, transients induced by system failure, and LOCAs (piping failures).

General Transients

The general transient category includes reactivity transients and heat removal imbalance transients as well as small LOCAs and very small LOCAs (the latter would include, for example, primary pump seal failures).

The frequency of occurrence of initiators in this category is quantified in a two-step Bayesian process. The first step involves combining the generic evidence (events per year at similar or identical plants) to arrive at a generic initiating event frequency for each initiator group. In the second step, the plant-specific evidence is combined with the generic (population) evidence to arrive at the updated plant-specific initiating event frequency.

Regarding the utilization of generic evidence, much has been written and discussed concerning the differences between VVER-1000 plants and VVER-440 plants. There are many differences that can be of significance from a risk assessment point of view. Notwithstanding, it is recommended that the VVER-440 experience not be rejected a priori. It is possible, and indeed likely, that the experience from VVER-440 plants yields relevant data for selected transient initiator categories (such as loss of condenser vacuum and loss of offsite power). It is, therefore, recommended that early in the initiating event quantification task each initiator category be carefully reviewed in the context of the relevancy of specific VVER-440 experience.
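The two-step Bayesian process just described, and the requirement in Section 3.2.4.1 that the combined distribution become increasingly governed by plant-specific evidence as it accumulates, can be carried through with a Gamma prior and a Poisson likelihood, the conjugate pair the text refers to. The Python below is an added worked example prepared for this edition; it is not code from the Kalinin PRA or from this guide. It assumes, as a flagged simplification, that the generic evidence from similar plants is pooled into a single Gamma prior starting from a Jeffreys prior, which does not represent site-to-site variability; the plant records are constructed numbers; and the Laplace trend statistic is a standard homogeneous-Poisson check that the guide itself does not prescribe (it cites Ascher and Feingold for time dependence). The censoring helper applies the two rules from the text: drop the first year of commercial operation, and drop everything before a modification that removed the initiator's cause, removing events and exposure time together.

```python
import math

# Gamma(shape a, rate b) helpers with the standard library only.

def regularized_lower_gamma(a, x):
    """P(a, x) = gamma(a, x) / Gamma(a) via the series
    x^a e^-x / Gamma(a) * sum_{n>=0} x^n / (a (a+1) ... (a+n)), valid for all x >= 0."""
    if x <= 0.0:
        return 0.0
    term = total = 1.0 / a
    n = 1
    while n < 100000:
        term *= x / (a + n)
        total += term
        if term < total * 1e-15:
            break
        n += 1
    return total * math.exp(a * math.log(x) - x - math.lgamma(a))


def gamma_quantile(p, shape, rate, tol=1e-10):
    """Inverse CDF by bisection on x: P(shape, rate * x) = p."""
    lo, hi = 0.0, (shape + 10.0 * math.sqrt(shape) + 20.0) / rate
    while hi - lo > tol * max(1.0, hi):
        mid = 0.5 * (lo + hi)
        if regularized_lower_gamma(shape, rate * mid) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def generic_prior(plant_records):
    """Step 1 (simplified): pool generic evidence, (events, plant-years) per similar
    plant, into one Gamma prior, starting from the Jeffreys prior Gamma(0.5, 0).
    ASSUMPTION: plants are treated as exchangeable, so site-to-site variability
    is not represented; a full two-stage Bayesian analysis would add that layer."""
    events = sum(e for e, _ in plant_records)
    years = sum(y for _, y in plant_records)
    return 0.5 + events, float(years)


def censor_plant_evidence(event_times, observation_years,
                          exclude_first_year=True, modification_time=None):
    """Apply the guide's two censoring rules to one plant's record.
    event_times: years after start of commercial operation at which the initiator
    occurred; observation_years: years of commercial operation in the record.
    Events and exposure are dropped together; dropping only the events would
    bias the rate low. Returns (events retained, exposure years retained)."""
    window_start = 1.0 if exclude_first_year else 0.0      # learning-curve year
    if modification_time is not None:                       # change removed the cause
        window_start = max(window_start, modification_time)
    if window_start >= observation_years:
        raise ValueError("censoring leaves no plant-specific exposure")
    n = sum(1 for t in event_times if window_start <= t <= observation_years)
    return n, observation_years - window_start


def bayesian_update(prior_shape, prior_rate, events, exposure_years):
    """Step 2: Poisson likelihood x Gamma prior -> Gamma(shape + n, rate + T).
    As T grows the posterior is dominated by the plant's own record."""
    return prior_shape + events, prior_rate + exposure_years


def laplace_trend_statistic(event_times, observation_years):
    """Trend check before assuming a constant frequency (ASSUMPTION: the guide does
    not prescribe this test; it is the standard Laplace test for a homogeneous
    Poisson process). Approximately N(0, 1) if the rate is constant; large
    positive values indicate an increasing rate (aging), negative a decreasing one."""
    n = len(event_times)
    if n == 0:
        return 0.0
    mean_time = sum(event_times) / n
    return (mean_time - observation_years / 2.0) / (observation_years * math.sqrt(1.0 / (12.0 * n)))


def summarize(shape, rate):
    """Mean and 5th/95th percentiles (per year) of the frequency distribution."""
    return {"mean": shape / rate,
            "p05": gamma_quantile(0.05, shape, rate),
            "p95": gamma_quantile(0.95, shape, rate)}


# Constructed example data (not plant records): three similar plants' generic
# experience, then one plant's own history over 6 years of commercial operation.
GENERIC_RECORDS = [(3, 12.0), (5, 20.0), (2, 8.0)]      # (events, plant-years)
PLANT_EVENT_TIMES = [0.4, 2.3, 3.1, 4.7]                # years after commercial start
PLANT_OBSERVATION_YEARS = 6.0


def worked_example(modification_time=None):
    a0, b0 = generic_prior(GENERIC_RECORDS)
    n, t = censor_plant_evidence(PLANT_EVENT_TIMES, PLANT_OBSERVATION_YEARS,
                                 modification_time=modification_time)
    a1, b1 = bayesian_update(a0, b0, n, t)
    return {"prior": (a0, b0), "evidence": (n, t), "posterior": (a1, b1),
            "trend_z": laplace_trend_statistic(PLANT_EVENT_TIMES, PLANT_OBSERVATION_YEARS),
            "summary": summarize(a1, b1)}


if __name__ == "__main__":
    for mod in (None, 3.0):      # second run: a change at year 3.0 removed the cause
        print("modification at", mod, "->", worked_example(mod))
```

With the constructed numbers the pooled prior is Gamma(10.5, 40 plant-years); after dropping the first-year event the plant contributes 3 events in 5 years and the posterior is Gamma(13.5, 45), mean 0.30 per year. Applying the modification rule as well leaves 2 events in 3 years, and the generic evidence then carries most of the weight, which is exactly the behaviour Section 3.2.4.1 asks for while plant-specific evidence is still thin.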

Transients Induced by System Failures

The frequency of occurrence of transients that are the result of a system failure (such as the failure of a support system) is determined using fault trees with the initiating event as the top event (see Section 3.2.3).

Loss-of-Coolant Accidents

The approach taken to quantify LOCA frequencies depends on how LOCAs are classified. If the categories are broadly defined (e.g., large, medium, and small LOCAs), then it may be possible to apply, after careful review, distributions obtained from previous Western analyses. If, on the other hand, LOCAs are more definitively defined (e.g., "LOCA 1" is a failure of the 200-mm pipe between Valves 4-29 and 4-53), then an empirical approach can be adopted, such as the one formulated in Thomas (1981). The Thomas model has been used to express vessel and piping failure rates (for example, see Medhekar, Bley, and Gekler, 1993). It should be noted that the approach would still require data from VVERs or other applicable facilities.

Intersystem (or interfacing) LOCAs involve failure, or inadvertent breach, of a high-pressure/low-pressure boundary. The analysis begins with the systematic identification of all such boundary interfaces. Any available evidence concerning overpressurization (in excess of design values) of piping at VVER plants will be useful.

Logic models must be developed for each LOCA identified, taking into account plant-specific features, such as pressure monitoring and test procedures. Experience in Western PRAs has shown that potential human errors, associated with the testing of valves that are part of the high-pressure/low-pressure boundary, are important in estimating occurrence frequency.

Task 2 - Component Reliability

The objective of this task is to obtain plant-specific estimates of the unavailability of specific equipment used for PRA quantification. The scope of this task is to develop the database needed for estimating the contributors to unavailability of the basic events modeled in system fault trees. The task also includes developing component failure models, collecting generic and plant-specific component data, and estimating the parameters of the component unavailability models. It is important that the component unavailabilities are expressed in the form of uncertainty distributions and that similar components be grouped in the same correlation class. Assigning a group of components to a correlation class implies that a fully dependent Monte Carlo sampling routine would be utilized for the uncertainty evaluation. Therefore, the uncertainty distributions for all components in a correlation class should be the same. The experience data for all similar components belonging to a correlation class could be used for the estimation of the uncertainty distribution. Typically, components of the same type exposed to approximately the same environment, and with similar normal operating conditions, are grouped in the same correlation class (e.g., all normally energized DC relays).

The unavailability of a component can be thought of as the fraction of time that a component could not meet its demand successfully, either because it is unavailable due to test or maintenance or because it resides in a failed state. Generally speaking, the unavailability is the probability that a component does not perform its intended function when required, and, therefore, it can also encompass the failure probability per demand. This procedure guide focuses on estimating the following parameters of equipment unavailabilities:

  • Component failure rates expressed in terms of failure per unit time or failure on demand,
  • Frequency and duration of corrective (unscheduled) maintenance,
  • Frequency and duration of preventive (scheduled) maintenance, and
  • Frequency and duration of testing.

The estimations of the above parameters are necessary to evaluate the direct contributors to unavailability from hardware failure, maintenance, and testing. Other contributors to unavailability resulting from inadvertently leaving a train in an unavailable state after a test or maintenance should be identified and evaluated jointly with the system fault tree (see Section 3.2.3) and human reliability analysis (see Section 3.2.5). The general process for this task is:

1. Determine the most appropriate level, scope, hardware boundary, and specifications for data collection through coordination with the teams that performed system fault trees and event trees,

2. Establish the current knowledge on the parameters to be estimated by aggregating various sources of generic data and the experience of similar plants,

3. Identify the sources of plant-specific data to be retrieved, reduced, reviewed, and interpreted for the parameters of interest and establish the plant-specific data summary, and

4. Combine plant-specific and generic data when appropriate to estimate the needed parameters and to reflect the associated uncertainties.

There are several assumptions and simplifications that are currently used in state-of-the-art PRAs. Awareness of these assumptions and their verification to the extent possible is an important task in performing PRAs.

  • Component failure rates are assumed to be constant and time invariant. This is a limiting assumption that stems from the simplifications that are typically made in PRA quantification routines. This assumption does not allow the modeling of any aging or wear out mechanism, and, therefore, it does not allow proper modeling of the benefits of maintenance and in-service testing in terms of preventing the aging mechanisms.

  • Interpretation of what constitutes a failure depends on the mission and function of the equipment. Engineering review of the failure events is necessary to decide whether a reported event is indicative of a component's failure occurrence within a predefined boundary.

  • Operational testing of a component is typically treated as an ideal test capable of detecting every type of failure and failure mode. Since most of the tests performed on the components do not simulate actual demand conditions, the tests will not be able to detect all possible failures and failure modes. The PRA analyst should review the test procedure and decide whether a test should be credited for all possible failure modes. Motor-operated valve (MOV) testing practice in the U.S. is an example of an incomplete test. The MOVs are typically tested with a smaller pressure drop across them than is typically experienced in actual demands. The test, therefore, cannot verify if the MOVs will close against the full accident pressure differential. In this case, special testing for selected MOVs based on their risk significance is implemented to assure their proper operation. Other examples of incomplete testing are the tests that use the mini-flow path of a pump train. Here, the test only verifies the proper closure of the breaker contacts and the operation of the valve stem for the pump discharge valve under a no-flow (static) condition.

  • Test-caused failures and human errors resulting in a component or train being left in an unavailable state after the test are incorporated in the system fault tree model through coordination with the human reliability analysis. Sometimes the human error rates for such events can be estimated directly as part of a data analysis task and incorporated as part of component unavailability. Care should be taken to assure that such events are properly identified, the human reliability analyst is consulted, and the fault exposure time for such failure mechanisms is set to a full test interval (rather than one-half test interval).

  • Uncertainty distributions of the expected unavailability of a component are typically assumed to be lognormal. This assumption, though widely practiced, is not necessary. The uncertainty distribution for component unavailability largely stems from the uncertainties associated with the failure rate of the component. The uncertainties associated with the other parameters in the component reliability models, e.g., the average repair time, are sometimes not accounted for. This is because of difficulties generally encountered using current computer codes. For example, the Integrated Reliability and Risk Analysis System (IRRAS) code does not allow the analyst to define uncertainties for both the frequency and duration of unscheduled maintenance. To account for both types of uncertainties, the analyst should estimate the resulting unavailability contribution and the associated uncertainty outside the IRRAS code and then input the results to IRRAS.

  • The failure rate of a component in the harsh environment of an accident is usually estimated based on deterministic criteria derived from test results, engineering evaluation, and subjective judgments. Examples are equipment survivability in a boiling water reactor building after drywell failure, the equipment survivability in a steam-filled room, or failure of the electrical and electronic equipment in the switchgear room after loss of the heating, ventilation, and air conditioning system.

  • The failure rate associated with rupture of the component boundary and pipe rupture is typically estimated based on generic data, performing simple fracture mechanics calculations, and using semi-empirical models or subjective judgment.

The above assumptions and limitations are inherent in the reliability assessment of components for PRA use. The uncertainties associated with the component reliability should reflect the analyst's current level of knowledge for the failure mode of concern. The analyst may initially perform the PRA calculations using crude conservative estimates, followed by more rigorous analyses commensurate with the risk importance of the components.

Assessment of the component reliability involves modeling and estimation of all the contributors to component unavailability. For this purpose, the components are typically categorized in two groups: standby and operating components. The unavailability models of interest for each group are described below, and the specific parameters to be estimated in the data analysis task are identified.

Standby Component

A standby component is a piece of hardware with a predefined boundary that is normally in a state different from the state of its safety function. As an example, a normally open valve (normal state) is expected to close (state of its safety function) in certain scenarios. This valve is considered a standby component since its normal and safety states are different. A standby component can have many failure modes, some of which can be detected when the component is in its normal state and others when the component is periodically tested for its safety function. In the earlier example, failure modes, such as the housing rupture or leakage, could be detected when the valve is in its normal state, whereas the valve actuator failure preventing the valve closure can only be detected during the periodic tests. The expected time to detection of a failure is referred to as fault exposure time. For those failure modes detectable by periodic testing, the fault exposure time is one-half the periodic test interval. If certain failure modes can be detected by other activities, such as a walk-through or visual inspection, the fault exposure time would be one-half the inspection interval. Finally, some failure modes can be detected almost instantaneously--for example, by alarm or valve position indicator. In this case, the fault exposure time associated with the failure mode is zero, and the standby component for that failure mode is referred to as a monitored component.

Various contributors to standby component unavailability are:

  • fault exposure time, i.e., failure during standby
  • failure to start or failure on demand
  • failure during mission time
  • testing
  • unscheduled corrective repair
  • scheduled preventive repair.

Table 3-16 provides a summary of the formulas to be used to estimate each contributor and identifies the specific parameters to be estimated by reliability data analysis. The last column in the table shows the needed summary event data for the specific plant under study. Deterministic data from sources such as plant technical specifications are not listed in this column. The total component unavailability would be the sum of all its contributors.

Operating Component

An operating component is a piece of hardware with a predefined boundary that is normally in an operating state consistent with its safety function. Failure of an operating component could contribute to an initiator frequency (see Task 1, Frequency of Initiating Events). Failure of an operating component after the occurrence of the initiator is typically modeled within the system fault trees and is the focus of the discussion here. The two major contributors to the unavailability of an operating component are:

1. Unavailability due to repair: An operating component may be unavailable as a result of failure prior to an initiator and may remain

3. Technical Activities

Table 3-16 The reliability formulation for the various contributors to the unavailability of a standby component

Unavailability contributor | Reliability model formula | Parameters | Summary data needed
Fault exposure | $1 - (1 - e^{-\lambda T})/(\lambda T)$, or approximately $(1/2)\lambda T$ | $\lambda$: standby failure rate; $T$: surveillance interval | Number of failures and the total observation period
Failure to start or failure on demand | $Q_d$ | $Q_d$: failure to start per demand or failure on demand | Number of start or demand failures and the total number of demands
Failure to complete the mission | $\lambda_R T_M$ | $\lambda_R$: running failure rate; $T_M$: mission time | Number of failures and total operating time
Periodic testing | $(\tau / T_p) P_r$ | $\tau$: expected test duration; $T_p$: periodic test interval; $P_r$: failure probability to override or recover from the test | Number of times the test override was needed and the number of times it failed
Unscheduled corrective repair | $(\lambda + \lambda_D) T_R$ | $\lambda_D$: the rate of degraded conditions that require corrective maintenance; $T_R$: mean repair time | Number of degraded conditions and total observation time; duration of corrective maintenance
Scheduled preventive repair | $f_m T_m$ | $f_m$: frequency of preventive maintenance averaged over all different types; $T_m$: expected duration of preventive maintenance | Duration of preventive maintenance

Notes:
  • For monitored failure modes $T = 0$.
  • For those failure modes detectable by other surveillance activities (e.g., visual inspection) in addition to periodic testing, $T$ can be estimated by the total time period divided by the number of surveillance activities (periodic or otherwise).
  • For those failure modes not detectable by any surveillance activities, $T$ should be set equal to the remaining plant lifetime since the last time the component was verified operable (e.g., for a new plant with an expected service life of 40 years, $T$ = 40 years), and the approximate formulae should not be used.
  • For all other cases $T = T_p$.
  • All failure rates should be expressed in terms of time-related failure rates to the extent possible to assure consistency. For some components, such as the emergency diesel generators, component failures are divided into standby failure, start failure, and run failure. For other components, such as failure of a motor operated valve to open/close, the generic data is reported as failure probability on demand. Probability of demand failure could be translated into the equivalent time-related failure rate, if so desired, by dividing the demand failure probability by one-half of the expected time between the demands (typically the periodic test interval).
  • For those human errors modeled in fault trees which indicate leaving a train in an inoperable state after test or maintenance, the fault exposure time to be used is the full surveillance interval. The unavailability contributions for such human errors should be kept separately, and a separate test-caused unavailability should be estimated.
  • $\lambda_D$ is estimated similarly to the failure rate $\lambda$. $\lambda_D$ is the rate of unscheduled maintenance. It is estimated based on the number of times, within the data collection period, that a component underwent repair (corrective unscheduled maintenance) even though it was not yet failed.
  * $(1 - P_t)$ is the probability of making a component or train available during a surveillance test if an actual demand occurs. In most practical cases, the value of $P_t$ is either zero or one, respectively, indicating that the unavailability due to a test is either easily recoverable or unrecoverable in time. In those special cases where the available recovery time and the time needed to recover from the test are comparable, the value of $P_t$ should be determined with help from the human reliability analyst.
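As an added worked example (not code from the guide), the contributors of Table 3-16, together with the repair term $Q_R = \lambda_R T_R/(1+\lambda_R T_R)$ and mission term $Q_M = \lambda T_M$ that this task gives for operating components, evaluated in Python for a constructed set of component parameters; it also carries out the demand-to-rate conversion from the notes and shows why the approximate fault-exposure formula is not used when $T$ is the 40-year plant life.

```python
"""Unavailability contributors for a standby component (Table 3-16) and the
repair/mission terms Q_R and Q_M used for an operating component.
Added example; all parameter values below are constructed, not plant data."""
import math

HOURS_PER_YEAR = 8760.0


def fault_exposure(lam, T, exact=True):
    """Fault-exposure unavailability for standby failure rate lam (per hour) and
    surveillance interval T (hours): 1 - (1 - e^(-lam*T)) / (lam*T), or the
    approximation lam*T/2.  Monitored failure modes have T = 0."""
    if T == 0:
        return 0.0
    if exact:
        return 1.0 - (1.0 - math.exp(-lam * T)) / (lam * T)
    return 0.5 * lam * T


def demand_to_rate(q_d, interval):
    """Table note: a demand failure probability becomes an equivalent
    time-related rate when divided by one-half the time between demands."""
    return q_d / (0.5 * interval)


def periodic_test(tau, T_p, P_r):
    """(tau / T_p) * P_r: test duration tau over test interval T_p, times the
    probability P_r of failing to override or recover from the test."""
    return (tau / T_p) * P_r


def corrective_repair(lam, lam_D, T_R):
    """(lam + lam_D) * T_R: failures plus degraded conditions, times mean repair time."""
    return (lam + lam_D) * T_R


def preventive_repair(f_m, T_m):
    """f_m * T_m: preventive-maintenance frequency times its expected duration."""
    return f_m * T_m


def mission_failure(lam_R, T_M):
    """lam_R * T_M: running failure rate over the mission time."""
    return lam_R * T_M


def repair_unavailability(lam_R, T_R):
    """Q_R = lam_R*T_R / (1 + lam_R*T_R) for an operating component failed before
    the initiator; here lam_R covers all corrective and preventive maintenance."""
    x = lam_R * T_R
    return x / (1.0 + x)


def standby_unavailability(lam, T, q_d, lam_R, T_M, tau, T_p, P_r, lam_D, T_R, f_m, T_m):
    """Per-contributor terms of Table 3-16 and their sum (rare-event approximation)
    for a standby component whose demand failure data is given per demand."""
    terms = {
        "fault_exposure": fault_exposure(lam, T),
        "failure_on_demand": q_d,
        "mission_failure": mission_failure(lam_R, T_M),
        "periodic_testing": periodic_test(tau, T_p, P_r),
        "corrective_repair": corrective_repair(lam, lam_D, T_R),
        "preventive_repair": preventive_repair(f_m, T_m),
    }
    terms["total"] = sum(terms.values())
    return terms


# Constructed example: a standby motor-operated valve tested monthly.
EXAMPLE = dict(
    lam=1.0e-6,      # standby failure rate, per hour
    T=720.0,         # surveillance (test) interval, hours
    q_d=1.0e-3,      # failure on demand, per demand
    lam_R=1.0e-5,    # running failure rate, per hour
    T_M=24.0,        # mission time, hours
    tau=2.0,         # expected test duration, hours
    T_p=720.0,       # periodic test interval, hours
    P_r=1.0,         # test-caused unavailability assumed unrecoverable in time
    lam_D=5.0e-6,    # rate of degraded conditions needing corrective maintenance
    T_R=24.0,        # mean repair time, hours
    f_m=1.0 / HOURS_PER_YEAR,  # one preventive maintenance per year
    T_m=8.0,         # expected preventive maintenance duration, hours
)

if __name__ == "__main__":
    for name, value in standby_unavailability(**EXAMPLE).items():
        print(f"{name:18s} {value:.3e}")
    print("demand rate equivalent:", demand_to_rate(EXAMPLE["q_d"], EXAMPLE["T_p"]))
    # Undetectable failure mode: T is the 40-year plant life, and the
    # (1/2)*lam*T approximation visibly overstates the exact formula.
    T40 = 40 * HOURS_PER_YEAR
    print("40-year exact vs approx:", fault_exposure(1e-6, T40), fault_exposure(1e-6, T40, exact=False))
```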

unavailable after the occurrence of the initiator. This unavailability could be simply estimated using the following equation:

$Q_R = \lambda_R T_R / (1 + \lambda_R T_R)$

where $\lambda_R$ and $T_R$ are defined in Table 3-16. Note that all causes for performing corrective and preventive maintenance are included in estimating the rate $\lambda_R$.

2. Unavailability due to failure during the mission time after the occurrence of the initiator. This unavailability could be simply estimated using the following equation:

$Q_M = \lambda T_M$

Here, $\lambda$ is the actual failure rate of the operating component and does not include any degraded conditions, and $T_M$ is the expected mission time associated with the component.

All contributors to component unavailability for both standby and operating components could be subjected to recovery action if sufficient time is available for returning the component to an operational state. As an example, there could be up to several hours available before a room containing safety equipment heats up to a critical temperature after loss of a cooling fan. The probability of successful recovery actions, either by repairing the affected components or by providing an alternate means for performing the needed function, should typically be modeled at an accident sequence or accident minimal cutset level after the event trees without recovery are quantified.

Plant-Specific Data Collection, Interpretation, and Evaluation

Past experience with PRA data collection activities has shown that no single data source in the plant is sufficient to provide all the needed information. PRA practitioners had to search through various sources of data to properly identify and interpret a single record. Plant design documentation, operator logs, maintenance records, plant technical specifications, and surveillance procedures constitute the minimum set of information typically examined for determining the data needs for use in a PRA. Event data of interest for component reliability evaluation are (1) information relating to component performance in response to a test or an actual demand and (2) information relating to component down time during testing and maintenance. Information on component performance in response to a test or a demand should be interpreted or categorized as failure, degraded, or success. Failure encompasses all events that render the component either outside the acceptable envelope of the technical specifications or within the PRA definition of the failure and the failure modes of the component under study. Degradation encompasses those events that indicate that the component is not in a failed state; however, it could fail eventually if it is not repaired. Generally, all unscheduled repairs triggered by unsatisfactory performance of the component but not by its failure are categorized as degradations. Some PRA data evaluations have broken down the degradations into degraded and incipient conditions depending on the severity of the fault and the available time before the condition propagates to a failure. Another area of data analysis that may require extensive interpretation deals with component recovery probability. A component may be made available during certain testing procedures if an actual demand occurs. A failed component could also be made available for certain failure modes. Such recovery actions typically require manual actions (e.g., realignment of a suction path or manual start of a pump). These probabilities for recovery actions should always be reviewed by human reliability analysts, even if in some cases the probabilities could be estimated based on the experience data.

Generally, interpretation of collected data is a multi-disciplinary task that requires close cooperation between PRA data analysts, PRA system analysts, PRA human factor specialists, and plant operation and maintenance staff.

Methods for Estimation

Various parameters derived from the component reliability models are identified for both standby and operating components. Some of these parameters, such as periodic test interval and the preventive maintenance frequency, could be obtained directly from plant-specific procedures and technical specifications. These types of parameters typically are not statistical in nature and are treated as deterministic information. The remainder of the parameters, such as corrective maintenance rate, are statistical in nature and should be estimated based on plant-specific and generic data sources. Currently, Bayesian analysis is widely accepted as the estimation method. The single-stage Bayesian approach is commonly used for estimating the parameters for component reliability models when the generic reliability database provides the estimates of the parameters of the prior distribution. The two-stage Bayesian approach could be utilized when the generic database contains summary data for other plants (e.g., number of failures and the observation period). The theoretical basis for the Bayesian approach and formulation and some available software have been extensively discussed in the open literature, e.g., Apostolakis et al., 1980 and Apostolakis, 1982. The following provides a discussion on the single-stage Bayesian approach. For the two-stage Bayesian routine, the task on initiating event frequency may be consulted.

Prior Distribution

The Bayesian approach requires the use of a prior distribution for the parameters to be estimated. Prior distributions are typically obtained from industry-wide data analyses. In some cases, a prior distribution is generated from the failure rate estimates reported in past PRAs. In this situation, the analyst should combine the data from several PRA sources to arrive at one single prior distribution representing plant-to-plant variability. There are several different ways suggested in the past for combining multiple distributions to develop a generic prior distribution (Gentillon, 1987; Martz and Bryson, 1984; and Azarm and Chu, 1991). A method typically used to arrive at a generic prior distribution is by constructing a mixture distribution from all sources. The weights associated with different sources are typically the same as long as all the sources are applicable to the type, boundary, and the failure mode of the component under study. In some cases, different weights are assigned depending on the extent to which the generic sources represent the basic event under study. A different method to assure that the resulting generic distribution has a wide enough uncertainty to reflect faithfully differences among all the sources is reported in Azarm and Chu (1991). The choice of method to use is up to the analyst; however, the analyst should examine the constructed generic distribution to see if it does cover all the means reported by various sources within its 5th and 95th percentiles.

Likelihood

The Poisson and Binomial likelihoods for failure rate per hour and failure rate per demand are discussed for the task Frequency of Initiating Events. However, these likelihood functions are not appropriate for Bayesian updating of the distribution for the repair duration. Here, the likelihood may simply be a non-reducible, joint-probability distribution for repair durations observed, sometimes referred to as sampling likelihood. Since this likelihood is not incorporated in the widely used Bayesian codes, the analyst may decide not to use the Bayesian approach in determining the mean repair distribution, especially since the uncertainties associated with mean repair time are not commonly accounted for in the PRA. In summary, the likelihood function should, to the extent possible, reflect the process through which the data was generated and collected.

Posterior Distribution

The commonly used Bayesian software automatically generates a posterior distribution and typically outputs the associated parameters of a fitted lognormal distribution. An examination of the posterior distribution by the analyst should be done to assure its appropriateness. This is typically done in three steps. In the first step, the posterior distribution is compared with the prior distribution. If the mean and variance of the prior are distinctly different from those of the posterior distribution (a factor of 2 or more), then the analyst should verify that the data shows strong evidence. For data to strongly affect both the mean and the uncertainty of the posterior distribution (i.e., considered to be strong evidence), the data should contain at least three independent observations. In the second step, the analyst should check the evidence data to make sure that the data is not strongly affected by the failures of one component in the group. In some cases, a component failure may not have been diagnosed properly and the repair was incomplete, thereby making the same component fail several times within a short period of time. Such clustered data should be detected and resolved. In the third step, the analyst should assure the adequacy of a lognormal fit to the posterior distribution. The reader should note that the use of a lognormal distribution is not essential when using the IRRAS code even though it has been widely practiced in the past. Some posterior distributions may not resemble a lognormal distribution; therefore, the fitted lognormal distribution based on matching the first two moments may not be appropriate. In such cases, a more appropriate fit may be obtained by conserving the mean and the 95th percentile of the distribution rather than the mean and variance.
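An added example (not the guide's or any Bayesian code's routine) of the single-stage update and the three posterior checks just described: a lognormal prior specified by mean and error factor, a Poisson likelihood, a grid-integrated posterior, the factor-of-2 comparison with the three-observation requirement, the check for evidence clustered on one component, and the two lognormal fits (moment matching versus conserving the mean and 95th percentile). The prior, the exposure time and the failure log are constructed values.

```python
"""Single-stage Bayesian update of a failure rate: lognormal prior, Poisson
likelihood, then the three posterior checks described in this task.  Added
example, not the guide's or any Bayesian code's routine; prior, evidence and
failure log are constructed.  The posterior is integrated on a grid because a
lognormal prior has no closed-form Poisson posterior."""
import math
from collections import Counter

Z95 = 1.645  # standard normal 95th percentile

def lognormal_from_mean_ef(mean, error_factor):
    """(mu, sigma) of the lognormal with this mean and error factor
    EF = 95th percentile / median = exp(Z95 * sigma)."""
    sigma = math.log(error_factor) / Z95
    return math.log(mean) - 0.5 * sigma ** 2, sigma

def lognormal_mean_p95(mu, sigma):
    """Mean and 95th percentile of lognormal(mu, sigma)."""
    return math.exp(mu + 0.5 * sigma ** 2), math.exp(mu + Z95 * sigma)

def lognormal_from_moments(mean, variance):
    """Fit by matching the first two moments."""
    sigma2 = math.log(1.0 + variance / mean ** 2)
    return math.log(mean) - 0.5 * sigma2, math.sqrt(sigma2)

def lognormal_from_mean_p95(mean, p95):
    """Fit conserving the mean and the 95th percentile instead of the variance:
    the smaller root of sigma^2/2 - Z95*sigma + ln(p95/mean) = 0."""
    disc = Z95 ** 2 - 2.0 * math.log(p95 / mean)
    if disc < 0:
        raise ValueError("no lognormal has this mean and 95th percentile")
    sigma = Z95 - math.sqrt(disc)
    return math.log(mean) - 0.5 * sigma ** 2, sigma

def posterior_summary(prior_mean, prior_ef, failures, exposure_hours, n=4001):
    """Posterior mean, variance and 5th/50th/95th percentiles of the rate.
    Works in y = ln(rate): the prior is N(mu, sigma^2) and the Poisson
    likelihood is exp(k*y - T*e^y); the grid spans mu +/- 8 sigma."""
    mu, sigma = lognormal_from_mean_ef(prior_mean, prior_ef)
    ys = [mu + sigma * (-8.0 + 16.0 * i / (n - 1)) for i in range(n)]
    logw = [failures * y - exposure_hours * math.exp(y)
            - 0.5 * ((y - mu) / sigma) ** 2 for y in ys]
    top = max(logw)
    w = [math.exp(v - top) for v in logw]  # rescaled to avoid underflow
    total = sum(w)
    rates = [math.exp(y) for y in ys]
    mean = sum(r * wi for r, wi in zip(rates, w)) / total
    var = sum((r - mean) ** 2 * wi for r, wi in zip(rates, w)) / total
    pct, cum = {}, 0.0
    for r, wi in zip(rates, w):
        cum += wi / total
        for p in (0.05, 0.50, 0.95):
            if p not in pct and cum >= p:
                pct[p] = r
    return {"mean": mean, "variance": var,
            "p05": pct[0.05], "p50": pct[0.50], "p95": pct[0.95]}

def check_prior_vs_posterior(prior_mean, prior_ef, post, failures):
    """Step 1: a factor-of-2 shift in mean or variance must be backed by strong
    evidence, i.e. at least three independent observations."""
    _mu, sigma = lognormal_from_mean_ef(prior_mean, prior_ef)
    prior_var = prior_mean ** 2 * (math.exp(sigma ** 2) - 1.0)
    ratio = max(post["mean"] / prior_mean, prior_mean / post["mean"],
                post["variance"] / prior_var, prior_var / post["variance"])
    differs = ratio >= 2.0
    return {"differs_by_factor_2": differs, "strong_evidence": failures >= 3,
            "acceptable": (not differs) or failures >= 3}

def dominated_by_one_component(failure_log):
    """Step 2: flag evidence in which one component supplies more than half the
    failures (a repeated, incompletely repaired fault rather than group data)."""
    if not failure_log:
        return False
    counts = Counter(component for component, _hours in failure_log)
    return max(counts.values()) > 0.5 * len(failure_log)

def fit_posterior(post):
    """Step 3: both lognormal fits, with their 95th percentiles for comparison
    against the posterior's own p95."""
    mm = lognormal_from_moments(post["mean"], post["variance"])
    m95 = lognormal_from_mean_p95(post["mean"], post["p95"])
    return {"moments": mm, "mean_p95": m95,
            "p95_moments": lognormal_mean_p95(*mm)[1],
            "p95_mean_p95": lognormal_mean_p95(*m95)[1]}

# Constructed evidence: 8 failures in 2.0e5 pump-hours, five on the same pump.
PRIOR_MEAN, PRIOR_EF = 1.0e-5, 10.0
EXPOSURE_HOURS = 2.0e5
FAILURE_LOG = [("P-1A", 800), ("P-1A", 1500), ("P-1B", 9000), ("P-1A", 21000),
               ("P-1C", 40000), ("P-1A", 52000), ("P-1A", 53000), ("P-1B", 150000)]

if __name__ == "__main__":
    post = posterior_summary(PRIOR_MEAN, PRIOR_EF, len(FAILURE_LOG), EXPOSURE_HOURS)
    print(post)
    print(check_prior_vs_posterior(PRIOR_MEAN, PRIOR_EF, post, len(FAILURE_LOG)))
    print("clustered on one component:", dominated_by_one_component(FAILURE_LOG))
    print(fit_posterior(post))
```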

Also, special care should be given to those cases when trying to use the Bayesian approach with zero failure as the evidence. Updating of the generic failure rate with the evidence of zero failure is not typically recommended unless the observation period is at least twice the expected mean time to failure derived from the generic prior.

Task 3 - Common-Cause Failure Probabilities

The objective of this task is to determine the final values to be used in the parametric models of common-cause failures (CCFs). This would involve addressing a variety of issues starting with defining what should be considered as CCFs, how they should be modeled in the context of system fault trees, and finally how they are to be estimated using generic and plant-specific (Kalinin-specific) data.

There are generally two major limitations associated with the modeling of CCFs in a PRA. One limitation deals with whether the identification of CCFs is adequate to assure that the modeled CCFs are comprehensive but not duplicative, and the other limitation deals with the applicability of the CCF generic data to the specific plant being studied.

The definition of CCFs is interrelated with the scope and the level of detail in the PRA. For example, in the early eighties when PRAs were of limited scope, an event would have been categorized as CCF if more than one failure due to any of the following causes was observed:

  • fire, flood, seismic, or any other external event,
  • high temperature, such as loss of heating, ventilation, and air conditioning system,
  • pre- and post-initiator human errors disabling multiple components,
  • design and installation problems, e.g., wrong materials,
  • procedural problems,
  • aging and wear out,
  • temporary degradation of components due to such causes as improper maintenance and surveillance, and
  • sneak circuits and unexpected interdependencies.

However, as the scope, modeling complexities, and the level of detail in PRAs increased, characterization of CCF matured, allowing them to be modeled more explicitly. For example, the analysis performed to evaluate external event PRAs, the formal modeling used to directly address loss of the heating, ventilation, and air conditioning system (either as an initiator or as a part of a system fault tree), and the explicit modeling employed to quantify pre- and post-initiator human error rates eliminated the need to distinguish Categories 1, 2, and 3. Furthermore, the probability of CCF can be reduced significantly once certain CCF failure mechanisms are observed and subsequent corrective actions are taken, as, for example, in Categories 4 and 5. When design/installation problems and/or procedural deficiencies are detected, corrective actions are usually put in place to rectify the problems to the extent possible. Finally, some of the sneak circuits and unexpected interdependencies could be identified while in the process of conducting a relatively detailed PRA. Consequently, CCF estimates have changed over time as PRAs increased in scope and level of detail. Therefore, CCF estimates are only used to capture those events that are not explicitly modeled in PRAs. The more the scope and level of detail in a PRA, the less would be the number of dependent events not explicitly accounted for in the PRA. Also, some have argued that the CCF estimates should also capture and compensate for the inadequacies inherent in simplified PRA quantification algorithms (see Azarm et al., 1993).

PRAs performed in the U.S. typically use generic data on CCFs, at least initially. However, even for this initial use, the generic data must be tailored for the specific plant. This is typically done by mapping the industry-wide events (data) against the scope of the PRA, its level of detail, and the current plant practices in order to identify and use the subset of the events that are most applicable to the plant. Recently, a published six-volume report by the U.S. Nuclear Regulatory Commission on CCF (Stromberg, 1995) provides a computerized database of the latest U.S. study on generic CCF estimates.

It is recommended that CCF modeling be performed in two phases. For the first phase, CCF probabilities are to be estimated based on the applicable industry-wide CCF events. The plant models then should be quantified, and the major CCF contributors identified. For those CCF events which significantly contribute to plant risk, further analysis is needed to justify that the CCF estimates are appropriate. The results of these analyses should be explicitly discussed with plant staff and regulators for identification of potential corrective
actions. This would constitute the second phase analysis. The final estimates, including the impact of any potential corrective actions on the CCF rates, should be used for final quantification.

Activity 1 - Generic Data

The sources of generic data are identified and the associated CCF events are reviewed to verify applicability to the specific plant, i.e., establishing generic data which is tailored for the Kalinin Nuclear Power Station (KNPS).

Activity 2 - CCF Rules

The CCF rules for component types and component grouping within and across systems are communicated to system modelers to assure consistency in modeling.

Activity 3 - Plant-Specific Data

Plant-specific data indicative of potential CCF occurrences are collected. A potential CCF involves occurrence of multiple failures that are suspected to have been caused by CCF triggering mechanisms. The corrective actions which could possibly eliminate the triggering mechanisms are not given credit at this stage. A Bayesian routine is used for updating the CCF parameters.

Activity 4 - Initial Quantification

Initial quantification and the associated sensitivity and importance evaluations are performed to identify those CCF events that are risk significant.

Activity 5 - Final Quantification

Detailed analysis, either qualitative or quantitative, whichever is more appropriate, is conducted to adjust the baseline estimates of the risk significant CCFs.

Guidance is provided below for the following specific areas:

  • Sources of generic data,
  • Component types for CCFs,
  • Failure modes for CCFs,
  • Cause considerations for CCFs,
  • Component grouping rule for CCFs within a system,
  • Component grouping rule for CCFs across systems,
  • CCF considerations for plant-specific data collection, and
  • Estimation of the CCF contributors.

Sources of Generic Data

The database for the CCF events developed in the U.S. (reported in Stromberg, 1995) should be used as one of the data sources. The event data should be reviewed, and those events that are either duplicative (due to scope and level of effort in the KNPS PRA) or are not applicable (due to specific features of KNPS) should be discarded. New CCF rates should be estimated with the remainder of the CCF events. However, in some generic sources of data, the event description may not be available or summarized so that its applicability to a specific plant may not be verifiable. In these cases, a certain degree of subjectivity or conservatism may be applied. Additional data for CCF not currently included in the Idaho National Engineering Laboratory report (Stromberg, 1995), e.g., data on instrumentation and control components, relays, and transducers, is provided in Appendix A.

Component Types for CCFs

Volume 6 of the Idaho National Engineering Laboratory report specifically identifies various components for which CCF estimates were determined. However, the component types are categorized based on systems in U.S. pressurized water reactors and boiling water reactors, e.g., pumps in the Service Water System. Generic component types, such as MOVs, without any further categorization based on systems or any other feature could be sufficient for most CCF modeling applications. Further classifications of MOVs (for example, to differentiate low-pressure or high-pressure applications) should only be performed if supported by data. Appropriate data searches and CCF estimations should be performed using the database structure in the reference cited to assess whether the CCF estimates significantly change if MOVs are further categorized by low-pressure or high-pressure application. It is also recommended that the number of component types should be kept as small as possible to make the estimates manageable. The breakdown of a component type based on environment, size, and stress (e.g., pressure) should not be done unless justified by the data. Several different CCF estimates could be obtained generically for a component type for different failure modes, initial conditions, and given
service applications. These considerations are some of the bases for the CCF grouping that are discussed under Component Grouping Rule for CCFs Within a System and Component Grouping Rule for CCFs Across Systems.

Failure Modes for CCFs

Various component failure modes should be differentiated in CCF modeling when different failure modes result in different consequences. For example, two different failure modes, failure to open and failure to control (stuck in an intermediate position), may be considered for a standby control valve. If these two different failure modes result in different consequences (in terms of system or plant responses), the failures should be kept separate and the CCF data should be differentiated.

Cause Considerations for CCFs

To develop a complete understanding of the potential for multiple failures, it is necessary to identify the reasons why these types of failures occurred. Understanding the causes of the CCFs is important in evaluating both the event data and proposed plant defenses against CCF occurrences. Cause classifications proposed in Volume 2 of the Idaho National Engineering Laboratory report could generally be used. Furthermore, the examples provided in this volume are constructive in assuring consistent understanding of cause classification for CCFs.

Component Grouping Rule for CCFs Within a System

A set of components within a system that could be represented by a common-cause group are discussed using the following simple one-line diagram (Figure 3.5).

[Figure 3.5 Simple example for CCF analysis]

All six valves in suction and discharge may be considered as a CCF group. In this case, specific combinations of multiple (three or more) failures are considered to result in system failure. However, the discharge valves are located inside containment, and they are neither tested similarly to nor as frequently as the suction valves. Hence, the analyst should consider two CCF groups: one for valves V1A, V2A, and V3A and the other for valves V1B, V2B, and V3B. The contribution of the CCF, and consequently the system unavailability, would be different in these two cases. The latter would typically result in a lower system unavailability estimate for the same combinations of basic events. Therefore, rules should be provided to assure proper grouping of CCF components, thereby preventing potential underestimation of system unavailabilities. Since there are no step-by-step rules that can be written for prescribing how to group components for CCF, only general guidance can be provided to assist the analysts. A minimum set of considerations that
could be used by the analysts for component grouping for CCFs are:

  • types of components with some regard as to their application, size, function, etc.,
  • the normal operational state and the failure mode of the component,
  • the operational activities, such as tests and maintenance, and their associated frequencies, and
  • similar location and exposure environment.

It is also recommended that like components produced by different manufacturers do not necessarily imply that the components belong to separate CCF groups. Similar components from CCF groups only if the following two conditions are met:

1. The components do not belong to a natural or to a logical redundancy, as do valves V1A, V2A, and V3A in the above example. There is no justification to have separate groupings for these valves if one of the valves was manufactured by Company XYZ, for example, and the other two were not. However, if the discharge valves V1B, V2B, and V3B are from Company XYZ and the suction valves are not, then there might be some justification for different groups, if the next condition is met.

2. The industry data should indicate that manufacturing and design specifications were the major contributors to the CCF estimates. In this case, separate grouping could be used if additional engineering justifications can be provided to show that the components from different manufacturers exhibit different CCF characteristics.

Dividing the CCF grouping based on the manufacturer should be a last resort and should be avoided to the extent possible.

Component Grouping Rule for CCFs Across Systems

Across-system CCFs are not typically modeled in U.S. PRAs. However, the analysts should be aware that although this type of CCF grouping is possible, it should not be formed by artificial logical boundaries made as a result of fault tree modeling. Rather, it is recommended that the final accident sequence minimal cutsets be reviewed and, based on the criteria provided in Component Grouping Rule for CCFs Within a System, the analyst should identify those component groups across systems for which CCF modeling need be considered. Since an across-system CCF group may involve a large number of components, the CCF parametric modeling can become unmanageable. The number of combinations to be used in CCF parametric modeling should be limited. For example, if the multiple Greek letter model is used, factors for five components will be applied to all components in the group (if five fail, all fail).

CCF Considerations for Plant-Specific Data Collection

The system analyst should provide to the data analyst the list of components in the CCF groups for data collection and interpretation. Whenever a component from a CCF group has failed, a data field in the data sheet (to be filled in by the data analyst) should indicate a request for information on simultaneous failures of similar components or recent failures that have occurred over a short period of time. The following definitions for simultaneous and recent failures are suggested:

1. For sequentially tested, standby components, simultaneous failures are defined as failures that have occurred within a time period less than one test interval. For standby components that are tested in a staggered fashion, simultaneous failures are those that have occurred in less than one-half the test interval. For operating components, failures that have occurred within the PRA mission time are considered as simultaneous failures.

2. Recent failures are defined as failures that have occurred in a time period that is less than one failure time. To calculate the failure time, the generic mean time between the failures of the component should be divided by the number of the components in the group. As an example, if there are five components in the group and the generic failure rate for the component is $1.0 \times 10^{-4}$ per hour (or the mean time between failures is $1.0 \times 10^4$ hours), the recent period would be 2000 hours (or approximately three months). If similar failures on this component group have occurred over a three-month time period or less, these failure histories should be queried for possible common-cause connotations.

The system analyst and the data analyst should
work closely together to ensure that the data queries will capture the requisite information needed for parametric estimation of CCFs.

Estimation of the CCF Contributors

Currently, there are four types of methods that could be utilized for estimating the CCF rates. Two of these methods are typically used in early stages of the analysis (Phase 1), whereas the other two methods are typically done after initial quantification (Phase 2). In Phase 1, the actual CCF events from a generic database are reviewed and evaluated against the specific features of the plant design, the current plant practices, and the PRA. This allows the user to specialize events for application to a specific plant by assigning an applicability factor to each event. The applicability factor is a value between zero and one. The higher the applicability factor, the more relevant the event would be to the specific plant being studied. There are some degrees of subjectivity involved in assigning an applicability factor. To use the estimation methodology of Stromberg (1995), an event-by-event assessment is required to determine the values for three classes of applicability factors. These are R1, Cause Applicability Factor; R2, Coupling Applicability Factor; and R3, Failure Model Applicability Factor. There are some discussions on the assignment of these applicability factors in Mosleh et al. (1989).

The second type of analysis that could be performed deals with the use of plant-specific CCF events. Updating of generic estimates with plant-specific CCF data would be performed for those cases where multiple simultaneous failures have occurred and are suspected to have been caused by CCF mechanisms. The Bayesian update of the CCF model parameters is generally not a straightforward procedure (except for some specific CCF models, such as the global Beta factor model) and could involve extensive computations. There are two alternative approaches that could be pursued for plant-specific updating of generic data. One approach is to treat plant-specific data as a part of specialized generic data and to select the value of one for the applicability factor. The impact of the plant-specific data in this approach would depend on the size and quality of generic data (e.g., number of CCFs and number of demands in the generic database). The higher the quality of the specialized generic data, the less would be the impact of plant-specific data. The other alternative could be to estimate the CCF model parameters based on plant-specific data when possible and to use the weighted average of plant-specific and generic data. The weighting factor would be subjective, depending on the analysts' confidence in generic vs. plant-specific data. The final aggregate results for the CCF parameters should conserve the constraints imposed by the specific CCF model used.

In the Phase 2 evaluation, the CCF estimates could be adjusted based on qualitative reasoning on the current plant practices in the areas of defenses against CCFs, including the corrective actions proposed by the plant. Methods reported by Bourne et al. (1981) and by Humpherys (1987a, 1987b) are candidates for this type of analysis.

Quantitative analyses could also be performed in the Phase 2 evaluation based on failure time statistics. In this regard, plant-specific data on times of component failures in the CCF group should be collected, including any simultaneous failures. Since it is not expected that much data on multiple simultaneous failures is to be found for use in the Kalinin PRA, reliance on predicting CCF probabilities based on statistical correlation of failure times (clustering) would be the only option. A method for performing such analysis based on clustering of failure times is described in Azarm et al. (1993).

3.2.4.4 Task Interfaces

The task on determining the frequency of initiating events has the following interfaces:

  • it requires input from the Initiating Event Analysis and provides output necessary for the Initial and Final Quantification of Accident Sequences.
  • a more subtle interface is found with the task System Modeling. System logic models may be necessary to quantify specific initiators, such as loss of a support system.
  • the grouping of the individual initiators based on the expected plant response is performed as part of the task Initiating Event Analysis. Each group includes a number of initiators that have similar responses for the plant systems and operators. It is important that the understanding of the rationale used in the grouping process be carried over to the present task.

The component reliability task has the following interfaces:

3. Technical Activities

Plant Familiarization. The identification of plant-specific data sources for estimating component failure parameters is initiated as a part of this task. In the current task, the plant-specific data are collected and used in combination with generic data to estimate the component failure parameters.

System Modeling. The output of the current task provides input to the task System Modeling. During the preliminary development of system models, generic component data is usually adequate. The component failure parameters estimated using plant-specific data have to be provided before the system fault trees can be finalized. The level at which data analyses are to be performed (component, train, etc.) for various unavailability contributors, the boundary of the equipment, and the associated failure modes should be coordinated between these two tasks (System Modeling and Component Reliability).

Frequency of Initiating Events. Estimation techniques used for component failure unavailability contributors are similar to those for initiating event frequencies. Consistency in the methods and software used should be maintained. The impact of initiating events on the unavailability of some basic events may be determined using data analysis--for example, the probability of loss-of-offsite power after a generator trip.

Common-Cause Failure Probabilities. The method and software used in estimating initiating event frequency and estimating common-cause failure probabilities should be consistent. The plant-specific database developed in the current task could be used for estimating the plant-specific common-cause failure probabilities.

Initial Quantification of Accident Sequences. Component failure parameters, by providing input to system modeling, are indirect input needed for quantification of accident sequences.

The task related to determining common-cause failure (CCF) probabilities has the following interfaces:

  • as discussed earlier, there is an explicit relationship between CCF modeling and the scope/level of detail in the PRA. There is also direct interaction between this task and the task System Modeling in the area of grouping and modeling of the CCF components.

  • the analysis of plant-specific data as a potential source for obtaining estimates of CCF and the use of CCF generic data also establish a strong link between this task and the task Component Reliability.

  • the estimated CCF parameters are then used in the initial and final quantifications and sensitivity evaluations. The types of interactions expected from this task to other interrelated tasks are not simply in the form of input/output; rather, they involve two-way interactions. As an example, the initial quantification task uses the generic CCF parameters as input; however, this task will identify important CCF groups for which more detailed CCF analysis and estimation would be needed. Similarly, this task would describe specific guidelines for component grouping for modeling of CCF events which will be used in the system fault trees and for which this task would estimate CCF parameters.

3.2.4.5 References

Apostolakis, G., "Data Analysis in Risk Assessments," Nuclear Engineering and Design, 71, pp. 375-381, 1982.

Apostolakis, G., et al., "Data Specialization for Plant-Specific Risk Studies," Nuclear Engineering and Design, 56, pp. 321-329, 1980.

Ascher, H., and H. Feingold, Repairable Systems Reliability, Marcel Dekker, Inc., New York, 1984.

Atwood, C., et al., Handbook of Parameter Estimation for Probabilistic Risk Assessment, NUREG/CR-6823, Sandia National Laboratories, September 2003.

Azarm, M. A., et al., Methods for Dependency Estimation and System Unavailability Evaluation Based on Failure Data Statistics, NUREG/CR-5993, Vols. 1 and 2, Brookhaven National Laboratory, July 1993.

Azarm, M. A., and T.-L. Chu, "On Combining the Generic Failure Data for Probabilistic Risk Assessment," Proceedings of the International Conference on Probabilistic Safety Assessment and Management (PSAM), February 4-7, 1991.

Bourne, A. J., et al., Defenses Against Common-Mode Failures in Redundancy Systems, SRD-R 196, Safety Reliability Directorate, January 1981.


Gentillon, C. D., Aggregation Methods for Component Failure Data in the Nuclear Computerized Library for Assessing Reactor Reliability, EGG-REQ-7775, Idaho National Engineering Laboratory, 1987.

Humpherys, P., et al., "Design Defenses Against Multiple Related Failures," Advanced Seminar on Common-Cause Failure Analysis in Probabilistic Safety Assessment, Kluwer Academic Publication, edited by A. Amendola, pp. 47-57, ISPRA, Italy, November 16-19, 1987a.

Humpherys, P., et al., "Analysis Procedures for Identification of Multiple Related Failures," Advanced Seminar on Common Cause Failure Analysis in Probabilistic Safety Assessment, Kluwer Academic Publication, edited by A. Amendola, pp. 113-129, ISPRA, Italy, November 16-19, 1987b.

Kaplan, S., "On the Method of Discrete Probability Distributions in Risk and Reliability Calculations--Application to Seismic Risk Assessment," Risk Analysis, 1, pp. 189-196, 1981.

Martz, H. F., and M. C. Bryson, "A Statistical Model for Combining Biases in Expert Opinions," IEEE Transactions on Reliability, R-33, August 1984.

Medhekar, S. R., D. C. Bley, and W. C. Gekler, "Prediction of Vessel and Piping Failure Rates in Chemical Process Plants Using the Thomas Model," Process Safety Progress, Vol. 12, pp. 123-126, April 1993.

Mosleh, A., et al., Procedure for Treating Common-Cause Failure in Safety and Reliability Studies: Analytical Background and Techniques, NUREG/CR-4780, Vol. 2, U.S. Nuclear Regulatory Commission, January 1989.

Stromberg, H. M., et al., Common-Cause Failure Data Collection and Analysis System, Vols. 1 through 6, INEL-94/0064, Idaho National Engineering Laboratory, December 1995.

Thomas, H. M., "Pipe and Vessel Failure Probability," Reliability Engineering, 2, pp. 83-124, 1981.

3.2.5 Human Reliability Analysis

The objectives of the human reliability analysis (HRA) task are to identify, analyze, and quantify human failure events (HFEs), the PRA event tree/fault tree model basic events involving human actions. These overall objectives can be clarified by considering two distinct cases:

1. Pre-Initiating Event HFEs. This task is to quantify pre-initiating event HFEs.

2. Post-Initiating Event HFEs. Many post-initiating event errors of omission will have been identified during the Event Sequence Modeling and Systems Analysis tasks. This task must extend that list and perform the following activities:

  • Identify the specific unsafe acts (UAs) and context associated with each identified HFE,
  • Quantify the chance of each HFE, i.e., the probability of the HFE given the defined context,
  • Identify and quantify the probability of human recovery for significant sequences, mindful of the dependent effects of unexpected plant conditions and unfavorable human performance conditions, i.e., the context for the human action.

3.2.5.1 Assumptions and Limitations

The post-initiating event HFEs (i.e., those occurring while attempting to mitigate the progression of the accident sequence) pose a much more complicated and risk-significant problem than pre-initiating event HFEs. Because human operators can interact with the plant and its processes in many ways, it would be impossible to precisely model all these potential interactions. Therefore, a structure is required to organize the analysis along the most fruitful and important lines.

Traditional approaches to HRA, such as THERP (Swain and Guttmann, 1983) and SLIM (Embrey et al., 1984), focus on those actions required for successful completion of functions modeled in the event trees, i.e., those HFEs that have been known as errors of omission. However, reviews of operating events at nuclear power plants and other industrial facilities have shown that errors of commission are often involved in the more serious accidents (Barriere et al., 1994; Barriere et al., 1995; Cooper, Luckas, and Wreathall, 1995; and USNRC, NUREG-1624). Moreover, the most serious accidents occur when conditions conspire to make human error very likely, i.e., when both unusual plant conditions and unfavorable human conditions [performance shaping factors (PSFs)] combine to create an error-forcing context (EFC).

For such cases, the HRA problem changes from an attempt to evaluate the likelihood of random human error under nominal conditions (i.e., expected accident conditions) to one of evaluating the likelihood of the occurrence of EFCs as addressed in the second-generation method, ATHEANA.

A limitation of all first-generation methods is that they are not structured to address the question of errors of commission or the search for challenging context. A second limitation is that the methods themselves do not provide guidance for the identification and prioritization of HFEs. Rather, HFEs drop out of the event tree analysis and quantification tasks, leading to a lack of consistency in the specific human actions addressed in similar PRAs.[3] Because of the importance of human UAs in real-world accidents, it is necessary to propose a modification of existing methods to address these issues. This procedure guide assumes that recently developed search techniques for UAs and EFCs in the ATHEANA methodology (USNRC, NUREG-1624) can be adapted to existing quantification approaches to enhance the value of the PRA.

ATHEANA was developed to increase the degree to which an HRA can realistically identify, represent, and quantify the kinds of human behaviors seen in accidents and near-miss events at nuclear power plants and at facilities in other industries that involve broadly similar kinds of human/system interactions. In particular, ATHEANA provides this improved capability by:

  • more realistically searching for the kinds of human/system interactions that have played important roles in accident responses, including the identification and modeling of errors of commission (EOCs) and important dependencies, and by

  • taking advantage of, and integrating, advances in psychology, engineering, plant operations, human factors, and probabilistic risk assessment (PRA) in its modeling and quantification.

As is common to all second generation methods, ATHEANA focuses on the context in which the operators must perform their function. Included in their focus on context is a systematic approach to identify important sources of dependency among human actions and between human actions and systems failures in the plant. Such interactions can couple human response to an entire sequence of seemingly independent cues, greatly increasing the likelihood of an HFE. All accident sequences which contain multiple HFEs should be examined for possible dependencies. If practical, HFEs which are completely dependent should be re-defined and modeled as a single event.

Finally, it is important to recognize that aspects of the HRA process for U.S. reactors may not apply to Russian reactors. For example, the PSFs of training, staffing, responsibilities, cross training, and cultural impacts on thinking can be different. Therefore, the assumptions that are implicitly embedded in quantification for many existing methods, e.g., tables for quantification using the THERP methodology (Swain and Guttmann, 1983), will not apply to the HRA of Russian reactors.

Therefore, while first-generation methods can be used to structure the problem of where human error can occur and be corrected, their quantification information is highly su spect. For the Russian PRA project, a structured judgment approach for quantification will be required. For the pre-initiating event HFEs, some modification to the quantification tables in the handbook (Swain and Guttmann, 1983) involving the judgment of Russian experts will be needed (Forester, et al., 2002). For the post-initiating event HFEs, other alternatives should be considered. For example, SLIM (Embrey et al., 1984) provides a structured approach for applying expert judgment based on the evaluation of PSFs for each HFE. The SLIM quantification could be enhanced by the thinking process of ATHEANA. This process entails evaluating the most-likely-to-be-significant UA-EFC pairs, the likelihood of the occurrence of the EFC, and the likelihood of the HFE under the EFC. This judgment-based evaluation offers a better chance for reasonableness than a table based on inapplicable experience.

[3] The exception is SHARP1 (Wakefield, et al., 1992), a process for performing HRA (rather than a method for quantification) that provides guidance for the identification and prioritization of HFEs. Unfortunately, too few HRA analyses integrated their selected methods with the systematic SHARP1 process.

The final methodology described below represents a compromise among competing factors including state-of-the-art methodologies, budget and schedule, practical limitations on the interaction between plant experts and analysts, and other practicalities of the project. Specific caveats are given for the approach used for quantification in Task 4. The basic steps of HRA performed in support of nuclear power plant PRA are similar for all approaches; in some methods they are explicitly included, others assume that the steps are performed as part of the PRA, before the HRA begins. In some methods they are rigorous, in others they are more intuitive. The guidance provided below for the KNPS HRA is consistent with the basic HRA process described in somewhat different terms in SHARP1, ATHEANA, and the IAEA HRA guidelines (IAEA Safety Series 50-P-10). Additional generic guidance on good practices to be employed in HRA is available (NRC, 2005) which promotes improved HRA quality.

3.2.5.2 Products

The results of each pre-initiating event HFE analysis will be documented in a report. This report will also detail the basis for quantification. If U.S. data, such as the tables for quantification in the Swain and Guttmann (1983) handbook, are used, it may be necessary to modify the probabilities to account for Russian and plant-specific characteristics.

A detailed list of HFEs will be documented in a letter report. The search process for HFEs will consider the event tree model and those top events where human errors of omission or commission can defeat the associated safety function and make core damage likely.

An HRA report will be produced documenting Activities 1-4, providing the list of HFEs, detailing the context and UAs for each HFE, and documenting the analysis process and quantification results. This product will become part of the Backup Documentation, Human Reliability Analysis.

A detailed list of normal context and significant EFCs associated with each HFE will be documented in a report. The search process for EFCs begins with the HFE, then identifies the most important EFCs in a stepwise process. This product will specify the UA-EFC pairs identified for quantification and document the search process and associated analyst decisions.

The analysis will document all PRA sequences for which recovery was considered, explaining the reasons why recovery was or was not analyzed, and, when analyzed, documenting the analysis, explicitly considering the effects of the context.

3.2.5.3 Task Activities

The primary discussion in this section deals with dynamic actions following the initiating event. A second class of actions, pre-accident errors that are generally associated with test and repair activities, can be important in two cases:

1. When post-maintenance testing is insufficient to ensure that tested or repaired equipment has been completely restored to service. In this context, insufficient testing means insufficient by lack of procedural quality, by lack of assurance that the test will be performed, or by lack of test procedures.

2. When pre-accident errors can cause or influence post-accident human response, i.e., through a dependency between the pre- and post-accident errors.

These types of errors can be modeled using the methods described in the Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications (Swain and Guttmann, 1983), although the recommended values for human error probabilities cited will need to be verified as described below.

This work is accomplished by completing the following five Tasks:

Task 1 Quantification of pre-initiating event HFEs,
Task 2 Development of a detailed list of post-initiating event HFEs,
Task 3 Development of a detailed list of significant context associated with each post-initiating event HFE,
Task 4 Quantification of post-initiating event HFEs,
Task 5 Recovery analysis.

Each of these tasks is discussed below. This approach represents an extension of the HRA methodology beyond that found in the IAEA procedure guides (IAEA, 1992). Activity 1 is a stand-alone task. The next three, Activities 2-4, are linked together as the step-by-step evaluation of the post-initiating event HFEs. These activities are closely related to other PRA tasks. Pre-initiating event human errors are identified in the task System Modeling. Post-initiating event human errors modeled in the fault trees and event trees are identified in the tasks System Modeling and Event Sequence Modeling. Recovery actions will be identified after completion of the initial quantification (see Section 3.2.6.1) and quantified in the final quantification (see Section 3.2.6.2). The ways the actions are included in the event trees and fault trees will be determined in coordination with the activities in System Modeling and Event Sequence Modeling. The quantification of these actions will allow System Modeling and Initial Quantification of Accident Sequences to proceed.

Task 1 - Quantification of Pre-Initiating Event HFEs

Pre-initiating event errors may leave part (or all) of a system unavailable for emergency operation. These types of errors occur during routine plant operation, testing, and repair activities and may persist undetected before the occurrence of an initiating event. They are included only in the system fault trees for the following reasons:

  • The error rates for these actions do not depend on the sequence of events after an initiating event occurs.

  • There is generally no significant human dependence between these errors and subsequent operator actions after the initiating event occurs. (Note that the ATHEANA search for EFCs considers cases in which this assumption of independence may not be valid.)

These types of errors can contribute to system unavailability if all of the following conditions occur:

  • A test, inspection, or repair activity is performed. During this activity, a component is placed in an alignment that makes it unavailable for emergency operation.

  • Testing, repair, or operations personnel fail to restore the component to its required status.

  • The faulty condition is not discovered and corrected before an initiating event occurs.

Swain (THERP) is the generally accepted method for determining pre-initiating event HFEs. The methods found in the handbook (Swain and Guttmann, 1983) shall therefore be followed.

Task 2 - Development of a Detailed List of Post-Initiating Event HFEs

The human actions that are directed by plant procedures form the traditional basis for defining errors of omission for each initiating event. These HFEs are identified during the Accident Sequence Development task and verified with plant operators. The selection of HFEs must be based on plant-specific design, capabilities, and priorities.

Task 3 - Development of a Detailed List of Significant Context Associated with Each Post-Initiating Event HFE

A number of PSFs could influence operator reliability, for example:

  • Time of accident (day or night)
  • Human interactions among personnel
  • Scenario effect (the level of severity and difficulty the operator associates with the accident situation)
  • Time available to make a decision and perform an action
  • Level of operator knowledge
  • Existence of training on a given scenario
  • Quality of training
  • Quality and availability of procedures
  • Cognitive complexity
  • Level of stress
  • Human-machine interface.

Expert opinion, from plant operators, operations supervisors, and HRA analysts, can be used to develop an initial list of PSFs and to reduce the number of PSFs to those of most importance. Note that some factors vary by accident scenario and others are global as they are influenced by plant condition. Both types of factors should be considered for each post-initiating event HFE and structured into decision tree logic structures, with the PSFs used as top events. The decision tree is used in quantification and is shown as part of Task 4 below. Table 3-17 provides examples of PSFs used in the analysis and their definitions.


Task 4 - Quantification of Post-Initiating Event HFEs

As mentioned in the assumptions and limitations of Section 3.2.5.1, the approach for quantification represents a compromise among theoretical preferences and budget/schedule requirements as well as practicalities of the project including available expertise and limitations on the interaction between plant experts and analysts. The final approach used is a variation on the decision tree method (Spurgin, et al., 1980, and Bareith, et al., 1997). The approach is vulnerable to well-known theoretical objections, such as: the PSFs are not independent; their relationships to each other and to any probability anchors are dependent on plant conditions and specifics of each different scenario; there is a lack of strong controls for bias and reliability; and no formal treatment of uncertainty is provided.

Pre-quantification qualitative analysis attempted to examine some of the issues of context described in second generation HRA methods, and adaptations to the decision tree process attempted to account for dependencies. The benefits of the approach are that the issues important to HRA are well-examined qualitatively and can be used as the basis for improvements in the future.

The approach uses the following basic scheme and is more fully described in the references. Specifics of the final adaptations will be described in the KNPS final PRA report. Using the list of PSFs developed in the previous task, plant operations experts assign a weighting factor (referred to as a K-factor) based on the perceived importance of each decision tree top event (selected PSF). A simplified example decision tree is given in Figure 3.6. Each branch under the top event is assigned a K-value between 1.0 (for the most beneficial branch) and that PSF's K-factor (for the most detrimental branch). Each path through the decision tree has an accumulated coefficient on an arbitrary scale, which is obtained by the multiplication of the applicable K-values for each branch path associated with that end-state. Note that the higher the coefficient, the more unlikely it is that the operators will successfully accomplish the required action.

The decision tree is used to evaluate a specific HFE by having plant operations experts examine the required action against the logic of the tree. By answering the questions raised by the decision tree logic, such as "what is the effect of the scenario on the operator?", "How effective is the MMI in helping the operator?", and so on, a pathway for a particular HFE through the tree can be drawn, and a corresponding point on the decision tree scale (i.e., in the set of end-states) can be defined.

Calibration of the K-values to the probability of each HFE is accomplished by separately evaluating selected HFEs by other means and scaling the remaining events by the relationship between K-values and probabilities for the anchor events. Some adaptation of the K-values is possible to account for dependencies among the PSFs.

Task 5 - Recovery Analysis

The same process is used for the analysis of recovery actions as for the other post-initiating event HFEs as described in Tasks 3-5 above.

3.2.5.4 Task Interfaces

This task has extensive interactions with the following other PRA tasks.

Plant Familiarization. The HRA relies on information from the Plant Familiarization task to provide a basic understanding of plant design, operations, procedures, and crew manning levels.

Initiating Event Analysis. Development of initiating events should take into account the HRA contributions.

Accident Sequence Development. The HRA relies on the Accident Sequence Development task to identify a number of post-initiating event HFEs, to describe how the plant can fail in an integrated sense, and to define the context under which the operators must act.

System Modeling. The HRA relies on the System Modeling task to identify pre-initiating event HFEs and a basic understanding of how systems are operated and are interrelated.

Quantification and Results. The Initial Quantification is used to identify specific cases (sequences and cutsets) where human recovery actions are likely to be carried out and impact the results. The HRA provides quantified HFEs to use in the quantification of specific cutsets in the Quantification tasks.

3.2.5.5 References

Barriere, M. T., et al., Multidisciplinary Framework for Human Reliability Analysis with an Application to Errors of Commission and Dependencies, NUREG/CR-6265, Brookhaven National Laboratory, August 1995.

Bareith, A., et al., "Treatment of Human Factors for Improvements at the Paks Nuclear Power Plant," Proceedings of PSAM III, Crete, Greece (1997).

Barriere, M., et al., "An Analysis of Operational Experience During Low Power and Shutdown and A Plan for Addressing Human Reliability Assessment Issues," NUREG/CR-6093, Brookhaven National Laboratory, June 1994.

Chien, S. H., et al., "Quantification of Human Error Rates Using a SLIM-Based Approach," Proceedings of the 1988 IEEE Fourth Conference on Human Factors and Power Plants, Monterey, California, June 1988.


Table 3-17 Example of performance shaping factors (columns: Performance Shaping Factor; Potential Branches; Branch Definition)

Available time (time interval from the first moment that the initiating event could begin until the moment when it would be no longer possible, accounting for the time to complete the initiating event)
  • Long: Time is sufficient to complete the action even if the decision on taking the action is not made when it first becomes possible to complete the initiating event.
  • Middle: Time is more or less sufficient to complete the action even if the decision on taking the action is not made when it first becomes possible to complete the initiating event.
  • Short: Time is insufficient or barely sufficient to complete the action if the decision on taking the action is not made quickly when it first becomes possible to complete the initiating event, or the time required to take action is comparable to the time available to complete the initiating event.

Scenario effect (influence of the emergency situation on the operator at the moment the initiating event is complete)
  • Easy: When the initiating event is completed, the parameters are not changing quickly, the process is stable, the stress level is not high, and the operator understands the situation and does not expect severe consequences.
  • Medium: When the initiating event is completed, the parameters are changing more or less quickly, the stress level is medium, the process is not stable, and the operator understands the situation in general and may expect severe consequences.
  • Severe: When the initiating event is completed, the parameters are changing quickly, there are extensive alarm and light signals occurring, the stress level is high, the process is not stable, and the operator may not understand the situation and expects severe consequences.

Cognitive complexity for decision making (cognitive complexity for making the decision on the need to complete an action, taking into account the impact of operator training on the initiating event)
  • Simple: The need to complete the action is obvious, and the operator has good training on the initiating event.
  • Difficult: The need to complete the action is not clearly obvious, and the operator has some training on the initiating event.
  • Very difficult: The need to complete the action is not obvious, and the operator has no training on the initiating event.

Human-machine interface (quality and fitness of the human-machine interface associated with taking action on an initiating event, taking into account the quality of the information required to decide on the need to complete the initiating event)
  • Good: The human-machine interface for taking action in the face of the initiating event is well designed, the quality and fitness of the interface allows completion of the action without difficulties, one operator can complete the action, and the information required to make the decision to take the action is good.
  • Adequate: The quality and fitness of the interface for taking action in the face of the initiating event is more or less adequate, and the information required to make the decision to take action is only adequate.
  • Poor: The interface features are not well designed for taking action in the face of the initiating event, the operator expects considerable difficulties in taking action, more than one operator is needed to take action, and the information required to make the decision to take action is inadequate for understanding (or the information is absent entirely).

Quality of procedures (impact of the availability and quality of relevant procedures related to the initiating event)
  • Good: The initiating event is well described in the procedure, and the procedure is well known to the operator.
  • Poor: The initiating event is poorly described or not described in the procedure, and the procedure is not well known to the operator.

Figure 3.6 Example of a decision tree for performance shaping factors
3.2.6 Quantification and Results

The quantification and results component consists of three tasks: (1) initial quantification of accident sequences, (2) final quantification of accident sequences, and (3) sensitivity and importance analyses. The objective of the task on initial quantification is to perform an initial, preliminary quantification of the set of accident sequences, i.e., once the event tree-based, system-level expressions become available. Through this task, models that represent the response of plant systems and operator actions are linked to plant initiators to form, in terms of basic events, the logic expressions for accident sequences. The objective of the final quantification is to identify those accident sequences considered to be dominant after initial quantification and to determine where refinements to the risk profile may be warranted, and then to carry out the new quantification. The objective of the sensitivity analysis is to investigate the implications of modeling choices other than the choices that were actually used. Importance analysis is to assess the importance of model parameters, evaluated within the terms of the model itself.

3.2.6.1 Assumption and Limitations

Compromises and assumptions that were made in previous tasks, such as the event sequence modeling task, the system modeling task, and the data analysis task, indirectly limit the output from this task. Further limits on the applicability of the outputs from this task come directly from the limits imposed by the level of truncation employed and the lack of recovery modeling employed in the

model. Since the output from this task is based on preliminary data and partial modeling (recovery is addressed in a subsequent task), the information derived should only be applied to prioritize future work. The following activities are performed as part of this task.

3.2.6.2 Products

The products of the task on initial quantification of accident sequences are:

1. Based on unrefined data, screening human error probabilities, and taking no credit for recovery, this task produces reduced logic expressions and associated frequencies for each accident sequence and each plant damage state.

2. In addition, although this task does not produce final results, it must be documented to the degree necessary to support an audit of the subsequent modeling choices that were based on the results of this task. In particular, it should be documented sufficiently to support replication of the results. This documentation will take the form of an appendix, as described under the task Documentation. The types of PRA audits are discussed in the task Quality Assurance.

The products for the task on final quantification of accident sequences are: the expressions, probability of frequency plots, and associated mean frequencies for (a) each accident sequence, before and after recovery is credited, and (b) each plant damage state, before and after recovery is credited.

The products of the task on sensitivity and importance analyses are:

  • Importance rankings for systems and components at the conclusion of the study,
  • Quantification of model sensitivity to alternative choices in controversial modeling areas (e.g., core damage frequency calculated assuming changes in baseline assumptions),
  • System-level and component-level importance measures based on focused PRA model,
  • Discussion of "PRA Insights" based on system and component importance measures.

3.2.6.3 Task Activities

The quantification and results component consists of three tasks: (1) initial quantification of accident sequences, (2) final quantification of accident sequences, and (3) sensitivity and importance analyses.

Task 1 - Initial Quantification of Accident Sequences

The objective of this task is to perform an initial, preliminary quantification of the set of accident sequences, i.e., once the event tree-based, system-level expressions become available. Through this task, models that represent the response of plant systems and operator actions are linked to plant initiators to form, in terms of basic events, the logic expressions for accident sequences. Initial quantification is described below in general terms. More detailed guidance is provided in some of the references listed at the end of this chapter. In particular, reference should be made to Drouin (1987) and NRC (1997).

1. Boolean Expressions

Initiate an algorithm that transforms each system-level accident sequence representation derived from the task Event Sequence Modeling into a component-level Boolean expression containing the minimal cutsets.

2. System Success

Account for system success as necessary by using the approximation techniques mentioned below.

3. Truncation Levels

Re-run the calculation with different truncation levels until the calculation runs to completion with as little truncation as possible. Of course, the level of the truncation should be commensurate with the intended application of the PRA study and the level of available data. Identification of potential subtle interactions between systems and support systems requires, for example, retention of higher order cutsets.

4. Plant Damage States

Formulate and quantify a logic expression for each plant damage state (corresponding to the logical OR of sequences binned into that state).

Since the process described above is the integration of a large amount of information for the first time, a significant level of review, troubleshooting, and iteration with previous tasks is necessary. An accident sequence expression can be very complex, and subtle logic errors manifest themselves at this stage. Incorrect formulations, in the context of a system model, may lead to erroneous logic at the sequence level. Disallowed system configurations that have been eliminated from system models may emerge again at the sequence level, depending on how disallowed configurations have been dealt with.

Much of the point of the detailed model development is to properly reflect the conditional relationships between failures of different systems or between the initiating event and subsequent system failures. For example, if a support system failure affects more than one system in a sequence, this is likely to be important, and it is essential for this to be properly reflected in the accident sequence expression. Similarly, if a pipe break initiating event can adversely affect mitigating systems, this must be captured. In order for these properties to hold, the linkage must be modeled properly, and the sequence quantification task must be executed properly. Although the project controls in the system modeling task should have ensured that the separate system models are properly interfaced, review at this stage to see that it has been done properly is a good idea.

System success in a sequence may also be significant. The conjunction of system A succeeding and system B failing may be much less likely than the unconditional failure of system B viewed in isolation. It has been found that neglect of this point can seriously distort accident sequence quantification. Therefore, it is customary to address this point, even though neglecting it may be "conservative" and addressing it is troublesome. Formally, one should construct an expression which logically ANDs system A success with system B failure. The feasibility of this will depend on many things, including the software being used. It has been customary to address this point by formulating a logic expression containing the conjunctions of failures that are considered inconsistent with the sequence logic (success of system A and failure of system B). This logic expression is then used as a template to systematically delete from the pure failure portion of the accident sequence expression those terms indicated by the template to imply the failure of the system that is supposed to succeed. At best, this is an approximation and, in applying it, one must take care not to eliminate "late" system failures that may be consistent with "early" system success. This point is further discussed below.

So-called "phased mission analysis" is very closely related to this point. A particular system may be challenged more than once during an accident sequence, perhaps with different mission success criteria. The system modeling must accommodate the necessary distinctions, but this point is not completely addressed until accident sequence quantification. Certain illogical outcomes must be avoided. A contribution that implies early failure and late success may be an error. Contributing factors are that the failed equipment is either restored (and the restoration is modeled) or that success is indeed compatible with both early failure and late success. The situation is more complex with respect to early success and late failure. There may be contributions to late failure from system failures occurring after the early success that are not necessarily incompatible. However, care must be taken. Exhaustive treatment of these issues is not common in U.S. full power PRAs, partly because it is burdensome and not necessarily important (see, for example, Drouin, 1987). It appears in many full power PRAs that failures occurring during standby are much more important than failures occurring after an initiating event (because the exposure time is much longer). However, it is the analyst's burden to address these issues and decide whether it is necessary to allocate modeling resources to them. In general, a conservative approximation will present itself, and this can be adopted if it does not distort the risk profile in an unacceptably misleading way. A paper by Xue and Wang (1989) discusses the issues and presents algorithms to include during sequence quantification.
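Steps 1 to 3 of Task 1 (Boolean expressions, system success, truncation) and the success-template discussion above, as an added example; this is not code from the guide or from any PRA tool. The fault trees, event names and probabilities are constructed. The template deletion is the approximation the text describes (a B cutset that contains a whole A cutset is dropped), and the truncation pass books the probability it discards so the approximation stays controlled. The same minimal-cutset machinery is used for attack-tree analysis in security threat modeling, where the logic errors the text warns about (a disallowed configuration reappearing at sequence level, a deleted term that was really a late failure) arise in the same way.

```python
"""Initial quantification on a toy model: minimal cutsets from the sequence's
fault trees, the 'system success' template, and a truncation pass that reports
the probability it discards. Added example; trees, names and numbers are
constructed and are not taken from the Kalinin PRA or any tool."""
from itertools import product

# Constructed fault trees as nested gates over basic-event names. Systems A and
# B share the power bus BUS; B's third cutset also shares pump PA1 with A.
TREES = {
    "A": ("OR", "BUS", ("AND", "PA1", "PA2")),
    "B": ("OR", "BUS", "PB1", ("AND", "PA1", "VB2")),
}
# Constructed basic-event probabilities per demand.
P = {"BUS": 1e-4, "PA1": 3e-3, "PA2": 3e-3, "PB1": 5e-3, "VB2": 1e-3}


def cutsets(tree):
    """Expand a gate into its minimal cutsets (frozensets of basic events)."""
    if isinstance(tree, str):
        return {frozenset([tree])}
    gate, *kids = tree
    kid_sets = [cutsets(k) for k in kids]
    if gate == "OR":
        raw = set().union(*kid_sets)
    elif gate == "AND":
        raw = {frozenset().union(*combo) for combo in product(*kid_sets)}
    else:
        raise ValueError(f"unknown gate {gate}")
    return minimize(raw)


def minimize(sets):
    """Absorption law: a cutset that contains another cutset is not minimal."""
    return {c for c in sets if not any(o < c for o in sets)}


def success_template(fail_b, fail_a):
    """Sequence logic 'A succeeds AND B fails'. Any B cutset that contains a
    whole A cutset would also fail A, so it is inconsistent with the sequence
    and is deleted. A B cutset that merely overlaps A's cutsets is kept. The
    caveat from the text applies: a deleted term might still be a real 'late'
    failure of A after its mission; deciding that needs timing information
    which this Boolean template does not carry."""
    return {c for c in fail_b if not any(a <= c for a in fail_a)}


def prob(cutset):
    p = 1.0
    for e in cutset:
        p *= P[e]
    return p


def rare_event(sets):
    """Rare-event approximation: sum of the cutset probabilities."""
    return sum(prob(c) for c in sets)


def truncate(sets, cutoff):
    """Keep cutsets at or above the cutoff and return the discarded probability
    mass, so the truncation stays a controlled approximation."""
    kept = {c for c in sets if prob(c) >= cutoff}
    return kept, rare_event(sets - kept)


def quantify_sequence(cutoff=1e-5):
    """Quantify 'initiator, A succeeds, B fails' and report each step."""
    fail_a = cutsets(TREES["A"])
    fail_b = cutsets(TREES["B"])
    consistent = success_template(fail_b, fail_a)
    kept, discarded = truncate(consistent, cutoff)
    return {
        "fail_b": fail_b,
        "consistent": consistent,
        "naive_p": rare_event(fail_b),        # B failure viewed in isolation
        "consistent_p": rare_event(consistent),
        "kept": kept,
        "discarded_p": discarded,
    }


if __name__ == "__main__":
    r = quantify_sequence()
    print("B failure cutsets     :", sorted(sorted(c) for c in r["fail_b"]))
    print("after success template:", sorted(sorted(c) for c in r["consistent"]))
    print("kept after truncation :", sorted(sorted(c) for c in r["kept"]))
    print(f"naive P={r['naive_p']:.3e}  consistent P={r['consistent_p']:.3e}  "
          f"discarded={r['discarded_p']:.1e}")
```

On this model the template removes the shared-bus term (it would fail A as well), the overlapping pump term survives, and a cutoff of 1e-5 throws away 3e-6 of probability, which the report makes visible rather than silently losing.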

Obtaining explicit, reduced, complete, basic event level expressions for all accident sequences would be impracticable for most plant models developed in recent years. The Boolean expressions become too large to be manipulated efficiently. (The large event tree approach may offer certain advantages in this regard.) However, the top event frequency may be dominated probabilistically by a small fraction of the terms in the full expression. Many terms can then be neglected without significant change to the results or conclusions. The process of "truncating" these contributions makes accident sequence quantification feasible. Typically, this is implemented in a computer code by setting a truncation cutoff level and instructing the algorithm to dispose of cutsets whose probability is less than the cutoff. The effect of such an algorithm is not always easy to predict; for example, it can depend on the level of detail to which failure events have been modeled. If a failure event has been decomposed into a large number of individually unlikely basic events, then cutsets containing these unlikely events are more likely to be truncated than if a single lumped event is used to capture all of the contributions.

If truncation is done without an appreciation of how much top event probability is being sacrificed, then it is an uncontrolled approximation. This is an important point. It is customary to base many sensitivity studies and importance analyses on the Boolean expressions obtained through the truncation process. Clearly, the results of such sensitivity studies can be seriously distorted by truncation. Truncation is, therefore, to be carried out only to the degree necessary to allow the analysis to go forward in a practical way, and its effects on later uses of the results must be assessed.

Evidently, if a sequence's probability (conditional on the initiating event) is assessed to be only a few orders of magnitude greater than the truncation level used to simplify processing, then the result is clearly suspect.

Task 2 - Final Quantification of Accident Sequences

At this stage of the analysis, certain portions of the model may have been constructed in a simple way with a slightly conservative bias in order to obtain a quick look at the risk profile. The objective of this task is to identify those accident sequences considered to be dominant at this stage of the analysis and to determine where refinements to the risk profile may be warranted. Two such areas where refinements are necessary are human error modeling and parametric common-cause modeling. Other areas may have been treated similarly by the analysts. At this stage, sensitivity of results to each issue is assessed to determine whether more work is necessary to improve the model in this regard.

Until preliminary sequence models were available, recovery modeling was somewhat premature. At this point, leading contributors to sequence frequencies are further analyzed to see whether recovery modeling changes the results significantly. If so, the sequence expressions are augmented to more fully address operator/plant recovery actions.

"Quantification" implies treatment of uncertainty. For purposes of this task, uncertainty of each model parameter is developed as appropriate in the tasks on human reliability analysis, component reliability, or common-cause failure probabilities. The propagation of parameter distributions through the integrated model is accomplished by software whose detailed description is beyond the scope of this guide. Ericson et al. (1990) does provide some information regarding software used for uncertainty propagation.

Most of the parameters that appear explicitly in a PRA model are not objective physical parameters. Rather, they are frequencies or split fractions that depend on manufacturing processes, programmatic activities, management decisions, maintenance practices, operator training, and so on. When a PRA model has been refined to where the results are considered state of knowledge and when the PRA model provides a representative picture of the as-built, as-operated plant, then a key output of the overall project is the body of embedded assumptions upon which the model structure and model parameters rest. The technical adequacy of the PRA is closely aligned to how well these assumptions are fulfilled. This point is discussed further in the section on Sensitivity and Importance Analyses.
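Task 2 leaves the propagation of parameter distributions to software. The following added example, which is not from the guide or from the Ericson et al. reference, shows the mechanics on constructed cutsets: each basic event is sampled from a lognormal given by a median and an error factor (EF, the ratio of the 95th percentile to the median; this parameterization is an assumed PRA data convention, not a value from the guide), the cutsets are re-evaluated for every sample, and the resulting means are compared with the point estimate built from the medians. The constructed numbers are chosen so that the common-cause term, which is smaller than the human error at the point estimate, dominates once its wider uncertainty is reflected.

```python
"""Uncertainty propagation through a sequence's cutsets by Monte Carlo sampling.
Added example with constructed cutsets and numbers; it stands in for the
propagation software the text leaves out of scope. The lognormal parameterized
by a median and an error factor (EF = 95th percentile / median) is an assumed
PRA data convention, not something taken from this guide."""
import math
import random

# Constructed minimal cutsets of one sequence.
CUTSETS = [frozenset({"HE1"}), frozenset({"CCF1"}), frozenset({"P1", "P2"})]
# Constructed distributions: event -> (median, error factor).
DIST = {
    "HE1": (2e-4, 3),     # human error, moderately well known
    "CCF1": (1e-4, 10),   # common-cause term: smaller median, much wider spread
    "P1": (3e-3, 3),
    "P2": (3e-3, 3),
}
Z95 = 1.6449  # standard normal 95th percentile


def sigma_from_ef(ef):
    """Lognormal sigma such that the 95th percentile is EF times the median."""
    return math.log(ef) / Z95


def lognormal_mean(median, ef):
    """Analytic mean of the lognormal: median * exp(sigma^2 / 2)."""
    return median * math.exp(sigma_from_ef(ef) ** 2 / 2)


def cutset_values(p):
    """Contribution of each cutset for one set of basic-event values."""
    return {c: math.prod(p[e] for e in c) for c in CUTSETS}


def point_estimate():
    """'Point' quantification from the medians: per-cutset and sequence total."""
    contrib = cutset_values({e: med for e, (med, _) in DIST.items()})
    return contrib, sum(contrib.values())


def propagate(n=50000, seed=1):
    """Sample every basic event from its lognormal, re-evaluate the cutsets and
    average. The sequence mean is the sum of the cutset means (expectation is
    linear), so contributions can be ranked by their means."""
    rng = random.Random(seed)
    mu = {e: math.log(med) for e, (med, _) in DIST.items()}
    sig = {e: sigma_from_ef(ef) for e, (_, ef) in DIST.items()}
    acc = {c: 0.0 for c in CUTSETS}
    for _ in range(n):
        sample = {e: rng.lognormvariate(mu[e], sig[e]) for e in DIST}
        for c, v in cutset_values(sample).items():
            acc[c] += v
    means = {c: s / n for c, s in acc.items()}
    return means, sum(means.values())


def dominant(contrib):
    """Cutset with the largest contribution."""
    return max(contrib, key=contrib.get)


if __name__ == "__main__":
    pt, pt_total = point_estimate()
    mc, mc_total = propagate()
    for c in CUTSETS:
        print(f"{'+'.join(sorted(c)):8s} point={pt[c]:.2e}  mean={mc[c]:.2e}")
    print(f"sequence: point={pt_total:.2e}  mean={mc_total:.2e}")
    print("dominant by point:", sorted(dominant(pt)), " by mean:", sorted(dominant(mc)))
```

The sampled means should land near the analytic lognormal means (about 2.5e-4 for HE1 and 2.66e-4 for CCF1), so the ranking of the two single-event cutsets flips between the point and the mean quantification; a real run would also report percentiles of the sequence total, which the same sample loop can collect.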

1. Sensitivity and Uncertainty

Sensitivity and uncertainty analyses are carried out to ascertain contributors that are dominant to the risk profile and contributors that are not dominant but to which results are sensitive. This activity should be done generically, either with emphasis on human errors or with emphasis on common-cause parameters and, also generally, with a view toward deciding which areas may need attention. The analysts should begin by simply looking at the minimal cutsets to see what is dominant. Computer-assisted analysis can help in this regard. Some items whose "point" likelihood seems small may actually dominate the results when uncertainty is properly reflected, and this is the kind of item that needs more attention.

2. Enhanced Modeling

Uncertain probabilities may have been conservatively quantified in the initial quantification in order to prevent possible loss of significant scenarios in a screening process. Therefore, at the present stage, items that appear insignificant are likely to be insignificant, unless there is significant uncertainty associated with them. Decisions are made at this stage as to whether sensitivity items have been modeled well enough and, if not, how the modeling should be enhanced.

3. Recovery Actions

Significant recovery actions are identified, and engineering descriptions of these actions are furnished to the analysts responsible for their quantification. These are actions for which credit can be justified and for which results are significantly altered. These actions may include those actions performed in direct response to an accident and/or actions performed in recovering a failed or unavailable system or component. Credit for both types of actions should not be taken unless procedural guidance and training in the required actions are part of the operations at the plant.

4. Requantification

The entire model is requantified using the best available models and data. Propagation of uncertainty through all models is included in this activity. Software for propagating uncertainty distributions is available and is mentioned in the Ericson et al. reference, for example.

Common-Cause Modeling

Based on the preliminary accident sequence quantification and on sensitivity and importance results, the common-cause quantification is reviewed (see Section 3.2.4), and the resulting parameterization is used in this task.

Recovery Modeling

In many plants, particularly older ones, it has been found that unacceptable results (unacceptably high accident frequencies) are obtained if it is assumed that no operator action is taken to initiate or reinitiate system operation in the event of problems, such as misaligned valves or breakers, spurious system trips, or even outright component failure. It is, therefore, necessary to model actions taken after the initiating event, not only the proceduralized actions represented at the event tree heading level but also actions that could potentially be taken to recover failed equipment. Correspondingly, appreciation of the role of these actions in the safety basis has been significantly enhanced, possibly through the development or revision of emergency operating procedures and other procedural guidance and operator training.

Such recovery actions must, in general, be modeled at or near the cutset level rather than at the system level. Recoverability of a system depends on which component has failed and on the environment near the failed component that could jeopardize recovery actions by operators. There are other factors as well. Is the component accessible? Is the environment too harsh, or even contaminated? How much time will be needed to effect any necessary repair? The answers to these questions depend, in general, on the details of each particular cutset. At the very least, recoverability depends on the basic event being analyzed. More generally, however, recoverability (even "diagnosability") of each event depends on the state of the rest of the system. As such, everything that is true for the accident sequence is true for every minimal cutset in the sequence. In addition, each minimal cutset has more specific characteristics that must be accounted for.

Modeling of any particular instance of "failure to recover from a basic event" is, of course, a particular application of human performance modeling. Techniques to accomplish this are discussed in the task Human Reliability Analysis.
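Cutset-level recovery modeling with the considerations listed above (which component failed, whether another event in the same cutset makes it inaccessible, and the irreversible-state case) written as rules, as an added example; the events, rules and numbers are constructed, and the code is not from the guide or from any PRA package. Crediting only the single most likely recovery for an AND cutset is a conservative simplification assumed here, not a rule the text states.

```python
"""Recovery modeling at the cutset level: every minimal cutset gets its own
non-recovery factor from rules about the events it contains. Added example;
the events, rules and numbers are constructed and are not from the guide."""

IE_FREQ = 1e-2  # constructed initiating-event frequency, per year

# Constructed minimal cutsets of one sequence with their conditional probabilities.
CUTSETS = {
    frozenset({"DG_A", "DG_B"}): 2e-3,         # both diesels fail to start
    frozenset({"BRK_1"}): 4e-3,                # breaker left misaligned
    frozenset({"SEALCOOL", "PMP_2"}): 1e-3,    # seal cooling lost, then pump 2 fails
    frozenset({"VLV_3", "ROOM_FLOOD"}): 1e-3,  # valve fails in a room that floods
}
# Probability that operators fail to recover the event in the time available,
# where recovery is possible at all (constructed; would come from the HRA task).
NONRECOVERY = {"DG_A": 0.3, "DG_B": 0.3, "BRK_1": 0.05, "PMP_2": 0.5, "VLV_3": 0.1}
# Events that leave the system in an irreversible state (the seal-cooling case
# in the text): recovering the event does not recover the system.
IRREVERSIBLE = {"SEALCOOL"}
# Events that make other components inaccessible for local recovery.
HARSH_ENV = {"ROOM_FLOOD": {"VLV_3"}}


def nonrecovery_factor(cutset):
    """Multiplier applied to the cutset probability once recovery is credited.

    Rules, evaluated on the whole cutset rather than on one event at a time:
      1. an irreversible event in the cutset: no credit (1.0);
      2. an event is unrecoverable if another event in the same cutset makes it
         inaccessible;
      3. recovering any one event defeats an AND cutset, but credit is taken for
         the single most likely recovery only (a conservative simplification);
      4. nothing recoverable: no credit (1.0)."""
    if cutset & IRREVERSIBLE:
        return 1.0
    blocked = set().union(*(HARSH_ENV.get(e, set()) for e in cutset))
    options = [NONRECOVERY[e] for e in cutset if e in NONRECOVERY and e not in blocked]
    return min(options) if options else 1.0


def apply_recovery():
    """Return per-cutset rows and the sequence frequency before/after recovery."""
    rows = {}
    for c, p in CUTSETS.items():
        f = nonrecovery_factor(c)
        rows[c] = {"before": p, "factor": f, "after": p * f}
    before = IE_FREQ * sum(r["before"] for r in rows.values())
    after = IE_FREQ * sum(r["after"] for r in rows.values())
    return rows, before, after


if __name__ == "__main__":
    rows, before, after = apply_recovery()
    for c, r in rows.items():
        name = "+".join(sorted(c))
        print(f"{name:20s} {r['before']:.1e} x {r['factor']:.2f} = {r['after']:.1e}")
    print(f"sequence frequency: {before:.2e}/yr before recovery, {after:.2e}/yr after")
```

The two cutsets that get no credit are the ones the text singles out: the irreversible seal-cooling case and the valve that cannot be reached because of another event in the same cutset; a system-level recovery factor would have credited both.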

These techniques do not come into play until the scope and feasibility of each recovery action have been established from an engineering point of view.

Occurrence of a particular basic event may essentially place a system into an irreversible state from which recovery of the basic event does not recover the system, even though no minimal cutset is strictly true with the event recovered. A trivial example would be an event, such as loss of seal cooling, that leads to a transient-induced loss-of-coolant accident. Recovery of cooling will not necessarily reseal the loss-of-coolant accident. In addition to these types of cases in which one component suffers damage as a result of another's behavior, it is possible for other kinds of state changes to occur that are not necessarily unrecoverable but whose recovery must be analyzed in the context of the entire cutset.

Since each accident sequence may comprise thousands of minimal cutsets, it may be asked how feasible it is to approach recovery modeling with any rigor at the cutset level. Fortunately, some of the above considerations can be formulated logically within some software packages, permitting some automation of the process of recovery modeling. This kind of modeling has been very important in the analysis of older U.S. plants.

Guidelines for Prioritization

In order to produce the best possible final result, it is important to identify those areas of the model that need the most work.

Some rules of thumb for evaluating individual systems or components are listed here. It is reemphasized that the analysts are responsible for formulating and applying their own reasoning processes.

Items (systems or basic events) that have a high Fussell-Vesely importance (or high Risk Reduction Worth) are candidates for reexamination because the overall results are clearly sensitive to these items. If they were improved (e.g., increase in system availability), the calculated risk would diminish. If the quantification upon reexamination is found to be reasonable, then cost-beneficial ways to reduce these contributions should be considered.

Items that have a high Birnbaum importance (or high Risk Achievement Worth) are also candidates for examination because they are frequently challenged. If they have a high Birnbaum importance and a low Fussell-Vesely importance, this is because they have been modeled as very reliable. The results of the model depend critically on the correctness of this modeling, and it is important to make sure that the items are truly reliable.

Items that have both high Fussell-Vesely and high Birnbaum importances should be examined very carefully. Such items are challenged frequently, but they are not considered reliable. These items are high priority items.

All of the above comments are affected by uncertainty.

The single-event importance measures on which the above rules of thumb are based have very limited meaning. Events that are "important" can be considered to need examination, but generally, unless a model contains significant single-failure cutsets, combinations of events are more important than individual events, and the single-event importance measures are a poor way to analyze combinations. In a related vein, the effects of embedded assumptions are potentially very important. A marginal success path credited in the PRA can artificially and inappropriately reduce many single-event importances. These matters are discussed further under Sensitivity and Importance Analyses.

Task 3 - Sensitivity and Importance Analyses

There are two major objectives of this task. One objective ("Sensitivity Analysis") is to investigate the implications of modeling choices other than the choices that were actually made in the formulation of the model. This is necessary in order to reinforce the credibility of the model and, by implication, the credibility of the safety basis. The other objective ("Importance Analysis") is to assess the importance of model parameters, evaluated within the terms of the model itself. This is done during modeling tasks in order to help focus resources on the most critical modeling areas and is done at the conclusion of the analysis in order to help in implementation of the safety basis (e.g., optimal allocation of testing and maintenance resources, based in part on measures of the importance of particular failure probabilities or particular maintenance unavailabilities).
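The rules of thumb under Guidelines for Prioritization above, applied to a constructed model, as an added example that is not from the guide. The four single-event measures are computed in the standard way from three evaluations of the model per event (nominal, event certain, event impossible); the event names and probabilities and the thresholds that make an importance "high" are assumptions for the example. Risk Achievement Worth is used as the "frequently challenged" indicator, which the text allows in place of Birnbaum. The last function gives the importance of a conjunction, which the text recommends for combinations that single-event measures handle poorly.

```python
"""Single-event importance measures from a cutset list and the rules of thumb for
prioritizing further work. Added example on a constructed toy model; the event
names, probabilities and the 'high' thresholds are assumptions for the example,
not values from this guide."""
import math

# Constructed basic-event probabilities and minimal cutsets of one sequence.
P = {"BUS": 1e-5, "HE_DIAG": 0.5, "VLV_X": 2e-3, "PMP1": 3e-3, "PMP2": 3e-3, "CCF_PMP": 2e-4}
CUTSETS = [frozenset({"BUS"}), frozenset({"HE_DIAG", "VLV_X"}),
           frozenset({"PMP1", "PMP2"}), frozenset({"CCF_PMP"})]

FV_HIGH = 0.05   # assumed threshold for a "high" Fussell-Vesely importance
RAW_HIGH = 2.0   # assumed threshold for a "high" Risk Achievement Worth


def top(p):
    """Rare-event approximation of the sequence probability for values p."""
    return sum(math.prod(p[e] for e in c) for c in CUTSETS)


def importance(event, p=P):
    """FV, Birnbaum, RAW and RRW of one event from three evaluations of the
    model: nominal, event certain (p=1) and event impossible (p=0)."""
    f, f1, f0 = top(p), top({**p, event: 1.0}), top({**p, event: 0.0})
    return {
        "FV": (f - f0) / f,                      # fraction of risk involving the event
        "Birnbaum": f1 - f0,                     # sensitivity of risk to the event
        "RAW": f1 / f,                           # risk increase if the event is certain
        "RRW": f / f0 if f0 > 0 else math.inf,   # risk decrease if it is impossible
    }


def classify(m):
    """The text's rules of thumb, with RAW as the 'frequently challenged' indicator."""
    high_fv, high_raw = m["FV"] >= FV_HIGH, m["RAW"] >= RAW_HIGH
    if high_fv and high_raw:
        return "high priority: challenged often and not reliable"
    if high_raw:
        return "modeled as very reliable: confirm that it really is"
    if high_fv:
        return "results sensitive: reexamine, then seek cost-beneficial reduction"
    return "low"


def joint_fv(events):
    """FV of a conjunction: share of risk from cutsets containing all the events.
    Single-event measures cannot show this; combinations usually matter more."""
    f = top(P)
    return sum(math.prod(P[e] for e in c) for c in CUTSETS if events <= c) / f


def ranking():
    """Measures and classification for every event, highest FV first."""
    rows = {}
    for e in P:
        m = importance(e)
        rows[e] = {**m, "class": classify(m)}
    return dict(sorted(rows.items(), key=lambda kv: kv[1]["FV"], reverse=True))


if __name__ == "__main__":
    for e, r in ranking().items():
        print(f"{e:8s} FV={r['FV']:.3f} B={r['Birnbaum']:.1e} RAW={r['RAW']:7.1f} "
              f"RRW={r['RRW']:.2f}  {r['class']}")
    print(f"joint FV(HE_DIAG, VLV_X) = {joint_fv({'HE_DIAG', 'VLV_X'}):.3f}")
```

In this model the bus and the pump trains come out as "modeled as very reliable" (high RAW, low FV), the diagnosis error as "results sensitive" (high FV, but a low RAW because it is already assumed likely), and the valve and the common-cause term as high priority on both counts, which is exactly the triage the rules of thumb describe.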

Sensitivity Analysis

In developing a Level 1 PRA model, many issues may arise due to lack of knowledge about them. For example, the success criteria for systems in different boundary conditions may be unknown, and the level of detail of a system model may need to be determined. One way to resolve the issue on success criteria is to perform detailed deterministic analysis including testing and experiments. In this case, sensitivity calculations can possibly determine the most important cases that should be deterministically evaluated. In the case of system modeling, sensitivity calculations based on a simplified logic model can potentially determine that a more detailed model is not necessary. PRA areas that are prime candidates for sensitivity analysis include: failure data, human reliability analysis, common-cause failure analysis, success criteria, and pump seal models.

Likely examples of highly significant issues are the feasibility of a particular recovery action taking place during an accident or a question of event tree structure (whether a given core damage sequence can be transformed into a successful outcome by operation of a particular system) or perhaps a question of binning (whether the phenomenology of a particular sequence warrants placing it into one bin or another).

If the sensitivity issue is such that extensive modeling would have to be undertaken in order to treat each possible outcome thoroughly and if such treatment is infeasible within the scope of the project, then it may be necessary to live with significant uncertainty in the results. Such an outcome is a rational input to consideration of follow-on work.

Particularly important instances of sensitivity calculations are those that establish the robustness of the mission success criteria assumed in the system models. These success criteria can significantly affect the logic structure of the model. Similarly, assumptions might have been made regarding whether certain transients cause safety relief valves to lift, and this can affect event tree structure. It must be the responsibility of the analysts to identify priorities in these areas.

After the base case PRA model is finalized, the PRA can be used in different applications. Sensitivity calculations are often performed to evaluate the changes in plant risk as a result of changes in plant design, operation, and operator training. The changes at the plant may be to correct the vulnerabilities identified in the PRA study or to implement changes in regulatory requirements. For example, as part of the Individual Plant Examination program of U.S. plants, the utilities are required to perform sensitivity calculations to evaluate any plant improvements made as a result of the Individual Plant Examination. Other PRA applications include changes in allowed outage times in the Technical Specifications, increases in test or inspection intervals of the inservice testing program and inservice inspection program, and planning of online maintenance activities.

Importance Analysis

This section refers to importance analyses performed on sequence-level Boolean expressions.

When the plant model has been brought to a stage at which accident sequences are expressed in terms of trains and components (with component failures in support systems explicitly factored in), then a great deal of information is present in these sequence-level expressions. Some conclusions may suggest themselves from inspection of the expressions, but generally, their complexity makes it impractical to try to derive insights in this way. At this stage, it is potentially useful to perform importance calculations which rank model parameters (such as basic event probabilities) according to how much the model parameter influences the results or how much change in the results would take place if the parameters were to change. These results are useful in deciding how much work to invest in carefully quantifying model parameters. In more advanced applications, one can assess the importance of conjunctions of events; the importance of a conjunction can help to decide whether to invest in searching for dependencies between the elements of the conjunction. When the PRA is substantially complete and the safety basis has been formulated, the importance analysis can help to establish how to allocate performance over the elements of the safety basis and, in particular, how to allocate testing and maintenance effort over the

3. Technical Activities

elements of the safety basis.

Finally, once the model has been brought into essentially final form, the importance analysis is the primary tool for deriving "insights" from the PRA. Importance information transcends the complexity of a plant logic model to provide a kind of sensitivity-type information that is understandable and can be very valuable. For example, in many previous studies, the top event frequency has been found to be dominated by a few contributors. That is, it has been found that scenarios that have in common relatively few "important" events sum to a large fraction of calculated top event frequency. A finding of this kind is important to discuss in the conclusions of the PRA. The reasons for such a circumstance should be identified and discussed.

At various stages of model development (cf. "relationship to other tasks" above), it is useful to develop importance ranking tables as part of a model review and debugging effort. It is first important to review the leading terms in the logic expressions for the various accident sequences in order to ensure that they make sense, but, in general, these expressions are too large to be reviewed entirely by inspection. Importance rankings by their nature provide information about the entire expression (information that must be interpreted with great care). Events at the top of the lists should be questioned: why are these events ranked highly? If the answer is not obvious, then the modeling should be checked, both in the logic aspects and in the quantification aspects. An analogous question should be asked about events at the bottom of the lists: why are these events ranked low? Again, if the answer is not obvious, then the model should be checked. Generally, surprises on the importance lists are either indications of modeling error or signal the emergence of a modeling insight. Events at the top of one or more importance lists need to be quantified with great care. Events appearing at the top of lists based on different measures should be examined with great care; such a case may correspond to a critical function being unreliably performed. This would clearly warrant attention, both in modeling and perhaps in plant operation.

There are some applications for which importance measures are not suited. Generally, if conventional importance analysis suggests that a particular system, structure, and component (SSC) is important, then it probably is; if conventional importance analysis suggests that a particular SSC is not important, this conclusion cannot be accepted without careful exploration of the reason for that result. Conclusions from importance tables are, therefore, to be drawn very carefully. During model development, however, importance analysis is a very useful way to develop understanding of the model.

The activities to be done for the importance analysis are:

1. In support of the Human Reliability Analysis (see Section 3.2.5), generate importance rankings for human errors (Fussell-Vesely and Birnbaum and/or Risk Reduction and Risk Achievement Worths).
2. In support of the parametric common-cause analysis (see Section 3.2.4), generate importance rankings for common-cause events (Fussell-Vesely and Birnbaum and/or Risk Reduction and Risk Achievement Worths).
3. Generate Fussell-Vesely importances for frontline systems.
4. When modeling is complete, generate final versions of the above to support the discussions of the PRA insights in the final report.

An Alternative Model to Sensitivity Analysis

Two approaches to resolving a modeling issue without performing extensive deterministic evaluation can be identified:

1. Based on the best judgment of the analyst, one modeling assumption is adopted as a base case, and other assumptions are evaluated in a sensitivity study.
2. Probabilistic weights, representing degree of belief in each assumption, are assigned to all possible assumptions and used with the logic models based on the assumptions.

In a Bayesian approach, such weights can be updated using any additional information that becomes available in the future.

3-86
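As an added worked example (not part of this procedure guide or of the Kalinin PRA), the following Python script evaluates the importance measures named in the activity list above, Fussell-Vesely, Birnbaum, risk achievement worth (RAW) and risk reduction worth (RRW), on a constructed four-event cutset model. The cutsets, the basic event probabilities and the truncation limit are assumptions chosen for illustration only. The script also computes the joint importance of a group of events and the measures after cutset truncation, so that the behaviour of redundant items in parallel and the effect of the truncation limit, both discussed in this subsection, can be seen numerically.

```python
from itertools import product
from typing import Dict, FrozenSet, Iterable, List, Union

# Constructed toy Level 1 model (assumption for illustration, not plant data).
# The top event (core damage) occurs when every basic event of at least one
# minimal cutset has failed.  "D" is a single-point item; "A", "B", "C" are
# three redundant trains of one critical function, so only their conjunction
# {A, B, C} is a cutset.
BASIC_EVENTS: Dict[str, float] = {"A": 0.1, "B": 0.1, "C": 0.1, "D": 0.005}
CUTSETS: List[FrozenSet[str]] = [frozenset({"D"}), frozenset({"A", "B", "C"})]


def cutset_probability(cutset: FrozenSet[str], probs: Dict[str, float]) -> float:
    """Nominal probability of a cutset, assuming independent basic events."""
    p = 1.0
    for event in cutset:
        p *= probs[event]
    return p


def truncate(cutsets: List[FrozenSet[str]], probs: Dict[str, float],
             limit: float) -> List[FrozenSet[str]]:
    """Keep only cutsets at or above the truncation limit, as a linked fault
    tree solver would; importance is then computed from this reduced set."""
    return [cs for cs in cutsets if cutset_probability(cs, probs) >= limit]


def top_probability(cutsets: List[FrozenSet[str]], probs: Dict[str, float],
                    fixed: Dict[str, int] = None) -> float:
    """Exact top-event probability by enumerating every state of the basic
    events.  `fixed` pins chosen events to 1 (failed) or 0 (working), which is
    how the conditional terms of the importance measures are obtained.  This
    brute-force evaluation is only practical for a handful of events."""
    fixed = fixed or {}
    free = [e for e in probs if e not in fixed]
    total = 0.0
    for bits in product((0, 1), repeat=len(free)):
        state = dict(fixed)
        state.update(zip(free, bits))
        weight = 1.0
        for e in free:
            weight *= probs[e] if state[e] else 1.0 - probs[e]
        if any(all(state[e] for e in cs) for cs in cutsets):
            total += weight
    return total


def importance(cutsets, probs, events: Union[str, Iterable[str]]) -> Dict[str, float]:
    """Fussell-Vesely, Birnbaum, RAW and RRW for one event, or the joint
    measures for a group of events that are all failed / all working together."""
    group = {events} if isinstance(events, str) else set(events)
    base = top_probability(cutsets, probs)
    p_failed = top_probability(cutsets, probs, {e: 1 for e in group})
    p_working = top_probability(cutsets, probs, {e: 0 for e in group})
    return {
        "FV": (base - p_working) / base,
        "Birnbaum": p_failed - p_working,
        "RAW": p_failed / base,
        "RRW": base / p_working if p_working > 0 else float("inf"),
    }


def ranking(cutsets, probs, measure: str = "FV") -> List[tuple]:
    """Importance ranking table (highest first) for every basic event."""
    rows = [(e, importance(cutsets, probs, e)[measure]) for e in probs]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    print("FV ranking, full model:", ranking(CUTSETS, BASIC_EVENTS))
    # Each redundant train looks unimportant on its own ...
    print("A alone:", importance(CUTSETS, BASIC_EVENTS, "A"))
    # ... but the joint RAW of the three trains is very large.
    print("A, B, C jointly:", importance(CUTSETS, BASIC_EVENTS, ["A", "B", "C"]))
    # With a coarse truncation limit the {A, B, C} cutset is dropped and the
    # trains vanish from the ranking altogether.
    coarse = truncate(CUTSETS, BASIC_EVENTS, 2e-3)
    print("A after truncation at 2e-3:", importance(coarse, BASIC_EVENTS, "A"))
```

Run as a script, the ranking places D at the top and gives the three trains A, B and C equal, low Fussell-Vesely values (about 0.17 each against 0.83 for D); yet the joint risk achievement worth of A, B and C taken together is about 167, against about 2.5 for any one of them, and truncating the cutset list at 2E-3 removes the trains from the ranking entirely. Both behaviours are the reason the guide asks that low individual rankings be justified by a combined risk impact and by a truncation sensitivity before requirements are relaxed.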

Approach 1 represents the practice of a typical PRA. Approach 2 represents an improved approach which specifically addresses the sensitivity of the issue to alternative assumptions but requires more extensive effort. It has been successfully applied in the NUREG-1150 study (NRC, 1990) to some of the issues in severe accident modeling where extensive expert opinion elicitation was performed. Its NUREG-1150 application to Level 1 PRA issues is more limited in scope.

Limitations of Importance Measures

Single-event importance measures are sometimes presented as if they were capable of ranking model parameters in an objective way. However, no single model parameter can be ranked in isolation; the significance of each parameter depends in general on the model structure and on the values of all the other parameters. There are, of course, many other parameters, and it is correspondingly infeasible to analyze sensitivity to all combinations of variations of all parameters. All "sensitivity" results (chiefly importance measures of one kind or another) must be interpreted in light of this fundamental limitation.

Particular instances of these limitations are:

  • Failure modes that are not modeled cannot emerge as "significant" from conventional importance analysis.
  • For any given model parameter, the associated importance measures are calculated conditional on all other model parameters behaving essentially nominally.
  • Within the linked fault tree approach, the importance measures are calculated from a truncated model (truncated collection of minimal cutsets) and are correspondingly limited.

These points show that conclusions based on importance measures must be weighed in light of how the importance measures were calculated. A given item may show up as "unimportant" because it is logically in parallel with several other items (which can, therefore, compensate for its failure). Unfortunately, these other items are likely to show up as unimportant for the same reason, meaning that none of the SSCs in parallel is "important." It is possible for none of the SSCs in a critical function to show up as "important" in tables calculated in the usual way.

The users of these importance measures have to understand their definitions and limitations. Some of the shortcomings can be addressed with additional sensitivity calculations. For example, a lower truncation limit can be used to determine the sensitivity of the importance measures. The joint importance of groups of components can also be calculated. Relaxing requirements for those components that are individually ranked low should be further justified by demonstrating that the combined risk impact would also be low.

3.2.6.4 Task Interfaces

The task related to initial quantification has the following interfaces:

All Internal Event Analytical Tasks. This task is the first attempt to integrate all previous work, especially all of the individual system models, into one consistent model whose framework was developed in the event sequence modeling. As a practical matter, this task also requires at least preliminary data, which emerge from assessment of human reliability and component reliability. Although described here as a single task, Initial Quantification of Accident Sequences is part of an iterative process involving all previous tasks. In carrying out this task, it is generally necessary to approximate ("truncate") the sequence expressions, and this approximation is generally controlled through the quantification process. The proper modeling of each system conditional on the states of other systems is revisited as the preliminary sequence results become available. Iterating between the sequence models and the system-level models takes place during this task to assure proper conditionality between systems and to search for logic errors in sequence cutsets. Based on this preliminary quantification, priorities are to be reviewed, and additional modeling or data refinement needs are assessed. In a subsequent task, leading contributors to sequence frequencies are analyzed further to see whether recovery modeling changes the results significantly. If so, the sequence expressions are augmented to reflect recovery.

The task related to final quantification has the

3-87

following interfaces:

All Internal Events Analytical Tasks. This task integrates the results of all previous analysis tasks after they have been refined during the Initial Quantification of Accident Sequences. It is assumed that debugging has been done as part of the initial accident sequence quantification task.

Level 2/3 Analyses. Output from the Final Quantification task provides information on accident sequence definition and on frequency of occurrence directly to the Level 2 task (refer to Section 3.3), which in turn provides source term information to the consequence and risk integration task (refer to Section 3.4). Whether or not Level 2/3 analyses are performed depends on the scope of the PRA (refer to Chapter 2).

The task related to sensitivity and importance analyses has the following interfaces:

During model development, all of the major task activities will be performed iteratively; sensitivity and importance analyses are performed using the model available at the time to prioritize the resources. After completion of the model development, sensitivity and importance analyses are performed to evaluate the impacts of alternative assumptions and changes in plant design and operations on plant risks.

The following discussion reflects the logical hierarchy rather than the time ordering of the tasks. Sensitivity analysis is discussed first because its outcome has the potential to change the way in which the modeling is conducted. Importance analysis is discussed second.

Tasks whose outputs are candidates for sensitivity studies include the following:

  • Initiating Event Analysis (formulation of the model can be sensitive to this),
  • Functional Analysis and Systems Success Criteria (changing success assumptions can have major impacts), and
  • System Modeling.

Tasks during which importance analysis is especially beneficial include the following:

  • Common-Cause Failure Probabilities (effort allocated to quantification of common-cause model parameters should be a function of how important these parameters are, in the sense discussed below),
  • Initial Quantification of Accident Sequences, and
  • Final Quantification of Accident Sequences.

When all of the quantification tasks are substantially complete, importance results should be generated comprehensively and systematically in order to support the discussion of insights generated for the final documentation. In addition, sensitivity calculations can be performed to evaluate the risk impact of design improvements and alternative modeling assumptions. In some simple cases, sensitivity calculations can be performed using the importance results.

3.2.6.5 References

Drouin, M., et al., "Analysis of Core Damage Frequency from Internal Events: Methodology Guidelines," NUREG/CR-4550, Volume 1, September 1987.

Ericson, D., et al., Analysis of Core Damage Frequency: Internal Events Methodology, NUREG/CR-4550, Vol. 1, Rev. 1, Sandia National Laboratories, 1990.

NRC, The Use of PRA in Risk-Informed Applications, NUREG-1602, Draft Report for Comment, June 1997.

NRC, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, U.S. Nuclear Regulatory Commission, December 1990.

NRC, PRA Procedure Guides: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, NUREG/CR-2300, U.S. Nuclear Regulatory Commission, January 1983.

Xue, D. and X. Wang, "A Practical Approach for Phased Mission Analysis," Reliability Engineering and System Safety, 25, 333, 1989.

3-88

3.3 Level 2 Analysis (Probabilistic Accident Progression and Source Term Analysis)

The primary objective of the Level 2 portion of a PRA is to characterize the potential for, and magnitude of, a release of radioactive material from the reactor fuel to the environment given the occurrence of an accident that damages the reactor core. To satisfy this objective, a Level 2 PRA couples two major elements of analysis to a completed Level 1 PRA:

1. A structured and comprehensive evaluation of containment performance in response to the accident sequences identified from the Level 1 analysis.
2. A quantitative characterization of radiological release to the environment that would result from accident sequences that involve leakage from the containment pressure boundary.

Figure 3.7 illustrates each of these elements and indicates how they relate to each other conceptually.

Figure 3.7 Relationship among the major parts of a Level 2 PRA

In an earlier version of this procedure guide (NUREG/CR-6572, Vol. 3 Part 1) the attributes of a simplified approach to conducting the analyses associated with each of the technical elements were presented. This simplified approach is reproduced in Appendix B.

In the current version of the procedure guide the attributes of a comprehensive Level 2 PRA are presented. A detailed description of the attributes of conducting the technical analyses associated with a comprehensive Level 2 PRA is provided below.

One type of containment performance assessment in response to such accidents would be to perform a deterministic calculation with a validated, first-principles model of accident progression. Such a calculation would generate a time-history of loads imposed on the containment pressure boundary. These loads would then be compared against the structural performance limits of the containment. If the loads exceed the performance limits, the containment would be expected to fail; conversely, if the performance limits surpass the calculated loads, the containment would be expected to survive. In such an assessment, the overall

3-89

frequency of accidents resulting in a release to the environment would simply be the frequency of accident sequences in which the calculated containment loads exceed the performance limits.

Unfortunately, neither the current knowledge regarding many aspects of severe accident progression nor (albeit to a lesser extent) the knowledge regarding containment performance limits is sufficiently precise to conduct such an analysis. Rather, in a PRA, an assessment of containment performance is performed in a manner that explicitly considers imprecise knowledge of severe accident behavior, the resulting challenges to containment integrity, and the capacity of the containment to withstand various challenges. Therefore, the potential for a release to the environment is typically expressed in terms of the conditional probability of containment failure (or bypass) for the spectrum of accident sequences (determined from the Level 1 PRA analysis) that proceed to core damage.

Figure 3.8 indicates how the conditional probability of containment failure is calculated. For each Level 1 core damage accident sequence (frequency, Fi), the probabilities of the various containment failure modes are calculated. For example, the probability of early containment failure (efi), containment bypass (bpi), late containment failure (lfi) and no containment failure (nfi) are determined. For the example shown in Figure 3.8, Accident Sequence 1 completely bypasses the containment and thus the conditional probability of bypass given the occurrence of this accident is unity. These characteristics could result from an accident such as an interfacing-system LOCA. Alternatively, Accident Sequence 2 could result in several different containment failure modes or no containment failure. For this accident, the probability of early failure (0.5) could be caused by several mechanisms such as overpressure, shell melt-through and others. Containment bypass (0.1) could be the result of induced steam generator tube rupture (for PWRs only). Whether the containment fails late (0.2) or not at all (0.2) depends on several factors including the operability of containment heat removal systems. Once the probabilities of these containment failure modes have been determined for each accident sequence, the probabilities conditional on total core damage are calculated.

The probability of early containment failure conditional on core damage (CCFPef) is determined by summing (i = 1 to n) the early failure probabilities for all accident sequences weighted by their respective frequencies (Fi). The summation is then divided by the total core damage frequency (CDF); that is, CCFPef = [Σ(i = 1 to n) Fi × efi] / CDF. A similar approach is used to determine the conditional probabilities of bypass accidents, late containment failure and no containment failure.

In addition to estimating the probability of a radiological release to the environment, the Level 2 portion of a PRA of a nuclear reactor characterizes the resulting release in terms of magnitude, timing, and other attributes important to an assessment of off-site accident consequences. This information has two purposes. First, it provides a quantitative scale for ranking the relative severity of various accident sequences; secondly, it represents the "source term" for a quantitative evaluation of off-site consequences (i.e., health effects, property damage, etc.), which are estimated in the Level 3 portion of a PRA (refer to Section 3.4).

3-90

Figure 3.8 Conditional probability of containment failure

3-91
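The calculation that Figure 3.8 and the preceding text describe, as an added Python example that is not part of the original guide: for each core damage sequence the conditional probabilities of the four containment end states (early failure, bypass, late failure, no failure) are weighted by the sequence frequency Fi, summed over all sequences and divided by the CDF. The two sequences carry the mode probabilities quoted in the text for Figure 3.8; their frequencies (1E-6 and 4E-6 per reactor-year) and the sequence labels are assumptions for illustration. The check that each sequence's mode probabilities sum to one is included because a row that does not sum to one silently corrupts every conditional probability derived from the table.

```python
from typing import Dict, List, NamedTuple

MODES = ("ef", "bp", "lf", "nf")  # early failure, bypass, late failure, no failure


class Sequence(NamedTuple):
    name: str
    frequency: float         # F_i, core damage frequency of the sequence (per reactor-year)
    modes: Dict[str, float]  # conditional probability of each containment mode for this sequence


# Constructed input: the two sequences of Figure 3.8 with the mode probabilities
# the text gives for them; the frequencies and labels are assumed for illustration.
SEQUENCES: List[Sequence] = [
    Sequence("Seq 1 (interfacing-system LOCA)", 1.0e-6,
             {"ef": 0.0, "bp": 1.0, "lf": 0.0, "nf": 0.0}),
    Sequence("Seq 2", 4.0e-6,
             {"ef": 0.5, "bp": 0.1, "lf": 0.2, "nf": 0.2}),
]


def validate(sequences: List[Sequence], tol: float = 1e-9) -> None:
    """Every sequence ends in exactly one mode, so its conditional probabilities
    must be complete and sum to 1; frequencies must be non-negative."""
    for seq in sequences:
        missing = [m for m in MODES if m not in seq.modes]
        if missing:
            raise ValueError(f"{seq.name}: missing modes {missing}")
        total = sum(seq.modes[m] for m in MODES)
        if abs(total - 1.0) > tol:
            raise ValueError(f"{seq.name}: mode probabilities sum to {total}, not 1")
        if seq.frequency < 0:
            raise ValueError(f"{seq.name}: negative frequency")


def conditional_containment_failure(sequences: List[Sequence]) -> Dict[str, float]:
    """CCFP_mode = sum_i F_i * p_mode,i / CDF, with CDF = sum_i F_i."""
    validate(sequences)
    cdf = sum(seq.frequency for seq in sequences)
    if cdf <= 0:
        raise ValueError("total core damage frequency must be positive")
    return {m: sum(seq.frequency * seq.modes[m] for seq in sequences) / cdf
            for m in MODES}


def release_frequencies(sequences: List[Sequence]) -> Dict[str, float]:
    """Absolute frequency of each containment end state (per reactor-year);
    the four values sum back to the CDF, so nothing is lost in the split."""
    validate(sequences)
    return {m: sum(seq.frequency * seq.modes[m] for seq in sequences) for m in MODES}


if __name__ == "__main__":
    ccfp = conditional_containment_failure(SEQUENCES)
    for mode in MODES:
        print(f"CCFP_{mode} = {ccfp[mode]:.3f}")
    print("sum of conditional probabilities:", round(sum(ccfp.values()), 12))
```

With the assumed frequencies the result is CCFPef = 0.40, CCFPbp = 0.28, CCFPlf = 0.16 and CCFPnf = 0.16; the four values sum to one because every sequence ends in exactly one end state, which is a useful closure check on any real table of this kind.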
This section describes the attributes of a Level 2 PRA analysis, emphasizing the scope and level of detail associated with major elements of a Level 2 analysis, rather than the specific methods used to assemble a probabilistic model. This approach is deliberately used because several different methods have been used to generate and display the probabilistic aspects of severe accident behavior and containment performance. By far, the most common methods are those that use standard event and/or fault tree logic structures; however, some practitioners use other techniques. Further, the specific way in which ostensibly similar logic structures are organized and solved (numerically) can differ substantially from one study to another, primarily as a result of differences in quantification techniques and associated computer software offered by vendors of PRA services. In principle, any of these methods can be used to produce a Level 2 PRA provided that they encompass the scope and level of detail described below.

As indicated above, the two major technical activities of a Level 2 PRA are (1) determination of the conditional probability of containment failure or bypass for accident sequences that proceed to core damage and (2) a characterization of the radiological source term to the environment for each sequence resulting in containment failure or bypass. These major technical activities are, however, composed of several component parts:

  • Plant Damage State Determination
  • Assessing Containment Challenges
  • Containment Performance Characterization
  • Containment Probabilistic Characterization
  • Radionuclide Release Characterization
  • Quantification of Results

Each of these technical activities is discussed in the following section.

3.3.1 Plant Damage State Determination

The primary objective of this task of a Level 2 PRA is to characterize the type and severity of challenges to containment integrity that may arise during postulated severe accidents. An analysis to determine these characteristics acknowledges the dependence of containment response on details of the accident sequence. Therefore, a critical first step is developing a structured process for defining the specific accident conditions to be examined. Attributes have to be determined for reducing the large number of accident sequences developed for the Level 1 PRA analysis to a practical number for detailed Level 2 analysis.

3.3.1.1 Assumptions and Limitations

Because of the diversity and redundancy of safety systems designed to prevent and/or mitigate potential accident conditions in a nuclear plant, multiple failures must occur for an accident to proceed far enough to damage the reactor fuel. The primary purpose of a Level 1 PRA analysis is to identify the specific combinations of system or component failures (i.e., accident sequence cut sets) that would allow core damage to occur. Unfortunately, the number of cut sets generated by a Level 1 analysis is very large (typically greater than 10,000). It is impractical to evaluate severe accident progression and resulting containment loads for each of these cut sets. As a result, the common practice is to group the Level 1 cut sets into a sufficiently small number of "plant damage states" to allow a practical assessment of the challenges to containment integrity resulting from the full spectrum of accident sequences.

3.3.1.2 Products

In general, sufficient information should be provided to allow an independent analyst to reproduce the results. At a minimum, the following products are expected:

  • a thorough description of the procedure used to group (bin) individual accident sequence cut sets into plant damage states, or other reduced set of accident scenarios for detailed Level 2 analysis
  • a listing of the specific attributes or rules used to group cut sets
  • a listing and/or computerized data base providing cross reference for all cut sets to plant damage states and vice versa

3.3.1.3 Analytical Tasks

This technical activity involves two tasks:

3-92

1. Defining PDS Characteristics
2. PDS Binning

Each of these tasks is described in detail in the following sections.

Task 1 - Defining PDS Characteristics

The number of plant damage states produced by this grouping (or "binning") process cannot be established a priori. Rather, a Level 2 PRA first defines the attributes of an accident sequence that represent important initial or boundary conditions to the assessment of severe accident progression or containment response, or characteristics of system operation that can have an important effect on the resulting environmental source term. Example attributes are shown in Table 3-18.

Table 3-18 Example attributes for grouping accident sequence cut sets

Attribute: Accident Initiator
Possible states:
  • Large, Intermediate, or Small LOCAs
  • Transients
  • LOCA outside the containment pressure boundary
  • Steam Generator Tube Rupture

Attribute: Reactor Coolant System (RCS) Pressure at the Onset of Core Damage
Possible states:
  • High
  • Low

Attribute: Status of Emergency Coolant Injection Systems
Possible states:
  • Operate in injection mode, but fail upon switchover to recirculation cooling
  • Fail to operate in injection mode

Attribute: Status of Steam Generators (PWRs)
Possible states:
  • Auxiliary feedwater operates/fails
  • Secondary isolated/depressurized

Attribute: Status of Residual Heat Removal Systems
Possible states:
  • Operate
  • Failed

Attribute: Status of Containment at Onset of Core Damage
Possible states:
  • Isolated
  • Not isolated

Attribute: Status of Containment Safeguard Systems
Possible states:
  • Sprays always operate/fail or are available if demanded
  • Sprays operate in injection mode, but fail upon switchover to recirculation cooling
  • Fan coolers always operate/fail or are available if demanded
  • Containment venting system(s) operate/fail
  • Hydrogen control system(s) operate/fail

3-93
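One way to implement the grouping process this task describes, as an added Python example that is not code from this guide or from the Kalinin project: a handful of constructed Level 1 cut sets are classified against a small attribute set patterned on Table 3-18 (initiator, RCS pressure at core damage, injection system status, AC power, containment isolation, and whether any failure in the cut set is creditable for recovery), grouped into plant damage states at the cut set level, and cross-referenced back to their cut sets, which is the listing the products in 3.3.1.2 require. The binning also carries a support-system dependence (injection is unavailable when AC power is lost, even though no injection event appears in the cut set) and confirms that the whole CDF is carried into the plant damage states. All basic event names, functional effects and frequencies are assumptions chosen for illustration.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class CutSet(NamedTuple):
    sequence: str            # Level 1 accident sequence the cut set belongs to
    initiator: str           # initiating event of that sequence
    frequency: float         # cut set frequency, per reactor-year (constructed value)
    events: Tuple[str, ...]  # basic events in the cut set


class PlantDamageState(NamedTuple):
    initiator: str
    rcs_pressure: str        # "high" / "low" at the onset of core damage
    eci_status: str          # emergency coolant injection
    ac_power: str
    containment: str         # "isolated" / "not-isolated"
    recoverable: bool        # some failure in the cut set may be recovered later


# Constructed Level 1 output (illustrative only, not the Kalinin model).
LEVEL1_CUTSETS: List[CutSet] = [
    CutSet("S1", "LARGE_LOCA", 2.0e-7, ("LPI-PUMP-A-FTS", "LPI-PUMP-B-FTS")),
    CutSet("S1", "LARGE_LOCA", 5.0e-8, ("LPI-PUMP-A-FTS", "LPI-MOV-B-FTO")),
    CutSet("S2", "TRANSIENT", 3.0e-7, ("LOOP-OFFSITE-POWER", "DG-A-FTS", "DG-B-FTS")),
    CutSet("S3", "SMALL_LOCA", 1.0e-7, ("HPI-SUMP-SWITCHOVER-HE", "CI-VALVE-FTC")),
    CutSet("S3", "SMALL_LOCA", 4.0e-8, ("HPI-SUMP-SWITCHOVER-HE",)),
]

# Binning rules: the functional effect of each basic event (assumed table).
# "recoverable" mirrors a Level 1 recovery analysis in which power restoration
# and operator actions may be recovered but failed hardware is not repaired.
EVENT_EFFECTS: Dict[str, Dict[str, object]] = {
    "LPI-PUMP-A-FTS": {"eci": "fail-injection", "recoverable": False},
    "LPI-PUMP-B-FTS": {"eci": "fail-injection", "recoverable": False},
    "LPI-MOV-B-FTO": {"eci": "fail-injection", "recoverable": False},
    "LOOP-OFFSITE-POWER": {"ac": "lost", "recoverable": True},
    "DG-A-FTS": {"ac": "lost", "recoverable": True},
    "DG-B-FTS": {"ac": "lost", "recoverable": True},
    "HPI-SUMP-SWITCHOVER-HE": {"eci": "fail-recirculation", "recoverable": True},
    "CI-VALVE-FTC": {"containment": "not-isolated", "recoverable": False},
}


def classify(cutset: CutSet, effects=EVENT_EFFECTS) -> PlantDamageState:
    """Derive the PDS attributes of one cut set from the effects of its basic events."""
    eci, ac, containment, recoverable = "available", "available", "isolated", False
    for event in cutset.events:
        if event not in effects:
            raise ValueError(f"no binning rule for basic event {event!r}")
        effect = effects[event]
        eci = effect.get("eci", eci)
        ac = effect.get("ac", ac)
        containment = effect.get("containment", containment)
        recoverable = recoverable or bool(effect["recoverable"])
    # Support-system dependence: without AC power the injection pumps cannot
    # run, even though no injection basic event appears in the cut set.
    if ac == "lost" and eci == "available":
        eci = "fail-support"
    # A large LOCA depressurizes the RCS; otherwise this toy model assumes the
    # RCS is still at high pressure at core damage (no depressurization credited).
    rcs = "low" if cutset.initiator == "LARGE_LOCA" else "high"
    return PlantDamageState(cutset.initiator, rcs, eci, ac, containment, recoverable)


def bin_cutsets(cutsets: List[CutSet]) -> Dict[PlantDamageState, Dict[str, object]]:
    """Group cut sets into plant damage states, summing their frequencies and
    keeping the cut set -> PDS cross reference."""
    bins = defaultdict(lambda: {"frequency": 0.0, "cutsets": []})
    for index, cutset in enumerate(cutsets):
        pds = classify(cutset)
        bins[pds]["frequency"] += cutset.frequency
        bins[pds]["cutsets"].append(index)
    return dict(bins)


def cdf_conserved(cutsets: List[CutSet], bins, tol: float = 1e-15) -> bool:
    """The entire Level 1 core damage frequency must be carried into Level 2."""
    cdf = sum(c.frequency for c in cutsets)
    return abs(sum(b["frequency"] for b in bins.values()) - cdf) <= tol


if __name__ == "__main__":
    bins = bin_cutsets(LEVEL1_CUTSETS)
    for pds, info in bins.items():
        print(f"{info['frequency']:.2e}  cut sets {info['cutsets']}  {pds}")
    print("CDF conserved:", cdf_conserved(LEVEL1_CUTSETS, bins))
```

The five cut sets fall into four plant damage states: the two large-LOCA cut sets share one state, the station-blackout cut set gets injection marked unavailable through the AC dependence, and the two small-LOCA cut sets of the same sequence land in different states because only one of them leaves the containment unisolated, which is the reason the guide maps at the cut set level rather than the sequence level. An unknown basic event raises an error rather than being silently binned, since a cut set with no rule would otherwise drop out of the CDF.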

The functional effects of the specific failures represented by the terms in each accident sequence cut set are then mapped into possible plant damage states according to the binning attributes. There is no "unique" list of attributes against which this exercise should be conducted for a Level 2 analysis; Table 3-18 simply provides examples, not an exhaustive list. A comprehensive list of attributes for representative PWR and BWR Level 2 analyses can be found in NUREG/CR-4551, Volume 3 (Breeding, 1990) and Volume 4 (Payne, 1990), respectively. Although many of these attributes can be applied generically across many different reactor/containment designs, special attributes are often necessary to address plant-specific design features (e.g., isolation condenser operation in certain BWRs). In a Level 2 PRA, any characteristic of the plant response to a given initiating event that would influence either subsequent containment response or the resulting radionuclide source term to the environment is represented as an attribute in the plant damage state binning scheme. These characteristics include the following:

  • The status of systems that have the capacity to inject water to either the reactor vessel or the containment cavity. Defining system status simply as failed or operating is not sufficient in a Level 2 analysis. Low-pressure injection systems may be available but not operating at the onset of core damage because they are "dead-headed" (i.e., reactor vessel pressure is above their shutoff head). Such states are distinguished from "failed" low-pressure injection to account for the capability of dead-headed systems to discharge after reactor vessel failure (i.e., providing a mechanism for flooding the reactor cavity).
  • The status of systems that provide heat removal from the reactor vessel or containment. Careful attention is paid to the interactions between such systems and the coolant injection systems. For example, the status properly accounts for limitations in the capability of dual-function systems such as the RHR system in most BWRs (which provides pumping capacity for LPCI and heat removal for suppression pool cooling).
  • Recoverability of "failed" systems after the onset of core damage. Typical recovery actions include restoration of AC power to active components and alignment of nonsafety-grade systems to provide (low-pressure) coolant injection to the reactor vessel or to operate containment sprays. Constraints on recoverability (such as no credit for repair of failed hardware) are defined in a manner that is consistent with recovery analysis in the Level 1 PRA.
  • The interdependence of various systems for successful operation. For example, if successful operation of a low-pressure coolant injection system is necessary to provide adequate suction pressure for successful operation of a high-pressure coolant injection system, failure of the low-pressure system (by any mechanism) automatically renders the high-pressure system unavailable. This information may only be indirectly available in the results of the Level 1 analysis, but is explicitly represented in the plant damage state attributes if recovery of the low-pressure system (after the onset of core damage) is modeled.

Task 2 - PDS Binning

Several subtle aspects of the mapping of accident sequence cut sets from the Level 1 analysis to plant damage states used as input to a Level 2 analysis are worth noting at this point:

  • The entire core damage frequency generated by the Level 1 accident sequence analysis is carried forward into the Level 2 analysis. The reason for conserving the CDF is to allow capture of the risk contribution from low-frequency, high-consequence accident sequences.
  • The mapping is performed at the cut set level, not the accident sequence level. There are several reasons for this level of detail:
    - Depending on the level of detail represented in the Level 1 accident sequence event trees, it may be impossible to properly

3-94

capture the effects of support system failures and other dependencies among the various binning attributes without reviewing the basic events that caused a system failure.
    - Recovery of failed systems after the onset of core damage is considered in the containment performance assessment of a Level 2 PRA. For this activity to be modeled correctly, system failures that are "recoverable" are distinguished from failures that are "not recoverable." This information typically lies only within the sequence cut sets. Note that the definition of recoverable is consistent with the recovery analysis performed in the Level 1 PRA.
    - To appropriately model human reliability related to operator actions that occur after the onset of core damage, information regarding prior operator performance (i.e., prior to the onset of core damage) is carried forward from the Level 1 analysis. Again, this information typically lies only within sequence cut sets.
  • For some accident sequences, the status of all systems may not be determined from the sequence cut sets. For example, if the success criteria for a large break LOCA in a PWR require successful accumulator operation, the large LOCA sequence cut sets involving failure of all accumulators will contain no information about the status of other coolant injection systems. However, realistic resolution of the status of such systems often provides a mechanism for representing accident sequences that are arrested before substantial core damage and radionuclide release occur. In a Level 2 analysis, these systems are not simply assumed to operate as designed. Rather, their failure frequencies are estimated in a manner that preserves relevant support system dependencies. These are then numerically combined with the sequence cut set frequency from the Level 1 analysis.

3.3.1.4 Task Interfaces

This task is the critical interface between the Level 1 and Level 2 portions of the PRA. The entire core damage frequency generated by the Level 1 PRA is carried forward into the Level 2 analysis. The various core damage accident sequences are grouped into a smaller number of plant damage states for processing through the Level 2 analysis. These plant damage states are defined so that all of the accident sequences grouped into a particular plant damage state can be treated the same in terms of accident progression analysis. The output of this task is a set of plant damage states with the corresponding frequencies.

3.3.1.5 References

Breeding, R. J., et al., Evaluation of Severe Accident Risks: Surry Unit 1, NUREG/CR-4551, Volume 3, SAND86-1309, Sandia National Laboratories, October 1990.

Payne, A. C., et al., Evaluation of Severe Accident Risks: Peach Bottom Unit 2, NUREG/CR-4551, Volume 4, SAND86-1309, Sandia National Laboratories, December 1990.

3.3.2 Assessing Containment Challenges

This Level 2 PRA task has two objectives:

1. Assess the reliability of containment systems during severe accidents, and
2. Characterize severe accident progression and the attendant challenges to containment integrity.

3.3.2.1 Assumptions and Limitations

The reliability of systems whose primary function is to maintain containment integrity during accident conditions is incorporated into the accident sequence analysis performed during a Level 1

3-95

PRA. Such systems may include containment isolation, fan coolers, distributed sprays, and hydrogen igniters. An assessment of the reliability of these systems is incorporated into a Level 2 analysis to ascertain whether they would operate as designed to mitigate containment response during core damage accidents. The methods, scope, and technical rigor used to evaluate the reliability of these systems are comparable to those used in the Level 1 analysis of other "front-line" systems (refer to Section 3.2.3).

The element of a Level 2 PRA that often receives the most attention is the evaluation of severe accident progression and the attendant challenges to containment integrity. This is because considerable time and effort can be spent performing computer code calculations of dominant accident sequences. Further, exercising broad-scope accident analysis codes [such as the Modular Accident Analysis Program (MAAP) (EPRI, 1994) or MELCOR (Summers, 1994)] provides the only framework within which the important interactions among severe accident phenomena can be accounted for in an integrated fashion. Consequently, the results of these calculations typically form the principal basis for estimating the timing of major accident events and for characterizing a range of potential containment loads.

Although code calculations are an essential part of an evaluation of severe accident progression, their results do not form the sole basis for characterizing challenges to containment integrity in a Level 2 PRA. There are several reasons for this:

1. Many of the models embodied in severe accident analysis codes address highly uncertain phenomena. In each case, certain assumptions are made (either by the model developers or the code user) regarding controlling physical processes and the appropriate formulation of models that represent them. In some instances, the importance of these assumptions can be tested via parametric analysis.

untested.

2. None of the integral severe accident codes contain models to represent all accident phenomena of interest. For example, models for certain hydrodynamic phenomena such as buoyant plumes, intra-volume natural circulation, and gas-phase stratification are not represented in most integral computer codes. Similarly, certain severe accident phenomena, such as dynamic fuel-coolant interactions (i.e., steam expl
osions) and hydrogen detonations, are not represented.

3. It is simply impractical to perform an integral calculation for all severe accident sequences of interest.

As a result, the process of evaluating severe accident progression involves a strategic blend of plant-specific code calculations, applications of analyses performed in other prior PRAs or severe accident studies, focused engineering analyses of particular issues, and experimental data. The manner in which each of these sources of information is used in a Level 2 PRA is described below.

3.3.2.2 Products

In general, sufficient information in the documentation of assessing containment system challenges is provided to allow an independent analyst to reproduce the results. At a minimum, the following information is documented:

For the activities related to assessing the reliability of containment systems:

  • a description of information used to develop containment systems' analysis models and link them with other system reliability models (This documentation is prepared in the same manner as that generated in the Level 1 analysis of other systems, as discussed in Section 3.2.3).

How ever, the extent to which the results of any code calculation can be demonstrated For the activities related to charac terizing severe to be ro bus t in light of the num erous accident progression:

uncertainties involved is severely limited by practical constraints of time and C a description of plant-specific accident resources. Therefore, the assumptions simulation models (e.g., for MAAP [EPRI, inherent in m any code m odels rem ain 1994] or MELCOR [Sum m ers, 1994])

3-96

3. Technical Activities including extens ive referen ces to Ta sk 1 - Con tainment Sys tem Analysis source documentation for input data Fa ult tree models (or other techniques) for estimating failure probabilities are developed and C a listing of all computer code calculations linked directly to the accident se quence m odels performed and used as a basis for from the Level 1 PR A. T his linkage is nec ess ary to quantifying any event in the containment properly capture the important influence of mutual probabilistic logic model including a unique dependencies between failure mechanisms for calculation identifier or name, a description containment systems and other systems. Obvious of key mode ling assum ptions or inpu t data examples include support system dependencies, used, and a reference to documentation of such as electrical power, com ponent coo ling water, calculated results (If input and/or output and instrum ent/contro l air. Other dependencies data are archived for quality assurance that need to be represented in a manner consistent records or other purposes, an appro priate with the Level 1 syste m m odels are more subtle, reference to calculation archive rec ords is however, as illustrated by the following examples:

also provided.)

C Indirect failure of containment systems C a description of key modeling assumptions caused by harsh environmental conditions selected as the basis for performing "base (resulting from failure of a support system) case" or "best-estimate" calculations of are represented in the assessment of plant response and a description of the containment system reliability. An technical bases for these assumptions exam ple is failure of reactor or auxiliary building room cooling causing the failure of C a description of plant-specific calculations containment system s because of high performed to examine the effects of ambient temperatures.

altern ate mo d e ling approaches or assumptions C The influence of containment system operation prior to the onset of core C if analyses of a surrogate (i.e., 'sim ilar') damage is acc ounte d fo r in the evaluation plant are used as a basis for of system operability after the onset of characterizing any aspect of severe core damage. For example, consider an accident progression in the plant being accident sequence in which containment analyzed, references to, or copies of sp rays succ es sfully in itiate on an documentation of the original analysis, and autom atic signal early in an accident a description of the technical basis for sequence. If later in the sequence (but ass um ing ap plicab ility of res ults prior to the onset of core damage) emergency operating procedures direct C for all other original engineering reactor operators to terminate containment calculations, a suffic ien tly co m ple te spray operation to allow realignment of desc ription of the analysis method, emergency coolant injection systems, the assumptions and calculated res ults is configuration of the containment spray prepared to accommodate an independent system (and thus its reliability) differ from (peer) review a sequence in which containm ent sp rays wo uld not have bee n de m and ed p rior to 3.3.2.3 Analytical Tasks the onset of core damage.

This technical activity involves two tasks: C The human reliability analysis associated with m anual actuation of containment

1. Contain m ent Sys tem Analysis systems (e.g., hydrogen igniters) acc oun ts
2. Evaluation of Severe Accident Progression for operator perform ance during earlier stages of an accident sequence. T his Each of these tasks are de sc ribed in detail in the analysis follo ws the sam e practic es used following sections. in the Level 1 analysis as described in Section 3.2.5.

3-97
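One way to implement the Task 1 linkage described above, as an added example that is not part of NUREG/CR-6572 or any PRA tool: a small fault-tree evaluator for a two-train containment spray system that shares support systems with the Level 1 front-line systems, with spray unavailability evaluated conditioned on the Level 1 cut set that led to core damage and on whether the sprays were secured by procedure before core damage. All basic-event names and probabilities are constructed for illustration.

```python
"""Containment system reliability linked to the Level 1 sequence model.

Added example, not code from NUREG/CR-6572 or any PRA tool. A two-train
containment spray system shares AC buses and component cooling water (CCW)
with the Level 1 front-line systems, so its unavailability after core
damage must be evaluated *given* the Level 1 cut set, not unconditionally.
If the sprays were secured per EOP before core damage, a re-start is also
demanded.  All basic-event probabilities are constructed values.
"""
from itertools import product

# Basic events with constructed unconditional failure probabilities.
BASIC_EVENTS = {
    "AC_BUS_A": 1e-3,        # loss of AC bus A (shared support system)
    "AC_BUS_B": 1e-3,        # loss of AC bus B (shared support system)
    "CCW": 2e-3,             # loss of component cooling water (shared)
    "SPRAY_PUMP_A": 5e-3,    # spray pump A fails to run
    "SPRAY_PUMP_B": 5e-3,    # spray pump B fails to run
    "OPER_RESTART": 5e-2,    # operators fail to re-start secured sprays
}


def spray_unavailable(events, restart_demanded):
    """Top event: no containment spray after the onset of core damage.

    Each train needs its AC bus, CCW for pump cooling and its own pump.
    If sprays were secured earlier in the sequence (per EOP, to realign
    injection), the operators must additionally re-start them.
    """
    train_a_fails = events["AC_BUS_A"] or events["CCW"] or events["SPRAY_PUMP_A"]
    train_b_fails = events["AC_BUS_B"] or events["CCW"] or events["SPRAY_PUMP_B"]
    restart_fails = restart_demanded and events["OPER_RESTART"]
    return (train_a_fails and train_b_fails) or restart_fails


def conditional_probability(top_event, cut_set, **top_kwargs):
    """P(top event | every basic event in cut_set has occurred).

    Events in the Level 1 cut set are fixed TRUE; the remaining basic events
    are enumerated exhaustively (adequate for a handful of events).
    """
    free = [name for name in BASIC_EVENTS if name not in cut_set]
    p_top = 0.0
    for states in product((False, True), repeat=len(free)):
        events = {name: True for name in cut_set}
        weight = 1.0
        for name, failed in zip(free, states):
            events[name] = failed
            p = BASIC_EVENTS[name]
            weight *= p if failed else 1.0 - p
        if top_event(events, **top_kwargs):
            p_top += weight
    return p_top


def spray_unavailability(cut_set=(), restart_demanded=False):
    """Spray unavailability given a Level 1 cut set (tuple of event names)."""
    return conditional_probability(spray_unavailable, frozenset(cut_set),
                                   restart_demanded=restart_demanded)


if __name__ == "__main__":
    cases = [
        ("unconditional, sprays never demanded before core damage", (), False),
        ("Level 1 cut set: loss of AC bus A", ("AC_BUS_A",), False),
        ("Level 1 cut set: loss of CCW (shared support)", ("CCW",), False),
        ("loss of AC bus A, sprays secured per EOP", ("AC_BUS_A",), True),
    ]
    for label, cut_set, restart in cases:
        p = spray_unavailability(cut_set, restart)
        print(f"{label:58s} P(no spray) = {p:.2e}")
```

The shared-CCW case shows why the linkage matters: the unconditional spray unavailability is about 2e-3, but given a Level 1 cut set containing loss of CCW it is 1.0.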

The long-term performance of containment systems is also evaluated, although the issues to be considered may differ substantially from those listed above. This evaluation accounts for degradation of the environment within which systems are required to operate as an accident sequence proceeds in time. Examples of factors that may arise after the onset of core damage include:

• loss of net positive suction head (NPSH) for coolant pumps due to suppression pool heat-up in BWRs

• plugging of fan cooler inlet plena as a result of the accumulation of aerosols (generated perhaps as a consequence of core-concrete interactions) in PWRs

• failure of systems with components internal to the containment pressure boundary as a result of high temperatures or pressure associated with hydrogen combustion

In all cases, the assessment of failure probability for containment systems is based on realistic equipment performance limits rather than bounding (design-basis or equipment qualification) criteria.

Task 2 - Evaluation of Severe Accident Progression

The following are used to determine the number of plant-specific calculations that would be performed using an integral code to support a Level 2 PRA:

• At least one integral calculation (addressing the complete time domain of severe accident progression) is performed for each plant damage state. However, this may not be practical depending on the number of plant damage states developed according to the above discussion. At a minimum, calculations are performed to address the dominant accident sequences (i.e., those with the highest contribution to the total core damage frequency). Calculations are also performed to address sequences that are anticipated to result in relatively high radiological releases (e.g., containment bypass scenarios).

• In addition to the calculations of a spectrum of accident sequences described above, several sensitivity calculations are performed to examine the effects of major uncertainties on calculated accident behavior. For example, multiple calculations of a single sequence are performed in which code input parameters are changed to investigate the effects of alternative assumptions regarding the timing of stochastic events (such as operator actions to restore water injection), or the models used to represent uncertain phenomena (such as the size of the opening in containment following over-pressure failure). These calculations provide information that is essential to the quantitative characterization of uncertainty in the Level 2 probabilistic logic models (refer to the discussion of logic model development and assignment of probabilities below).

Table 3-19 lists phenomena that can occur during a core meltdown accident and which involve considerable uncertainty. This list was based on information in NUREG-1265 (NRC, 1991), NUREG/CR-4551 (Gorham-Bergeron, 1993) and other studies. It is recognized that considerable disagreement persists within the technical community regarding the magnitude (and in some cases, the specific source) of uncertainty in several of the phenomena listed in Table 3-19. A major objective of the expert panels assembled as part of the research program that culminated in NUREG-1150 (NRC, 1990) was to translate the range of technical opinions within the severe accident research community into a quantitative measure of uncertainty in specific technical issues. In a Level 2 PRA, the results of this effort are used as guidance for defining the range of values of uncertain modeling parameters to be used in the sensitivity calculations described above.

Table 3-19 Severe accident phenomena (Phenomena / Characteristics of accident phenomena)

Hydrogen generation and combustion
  • Enhanced steam generation from melt/debris relocation
  • Steam starvation caused by degraded fuel assembly flow blockage
  • Clad ballooning
  • Recovery of coolant injection systems
  • Steam/hydrogen distribution within containment
  • De-inerting due to steam condensation or spray operation

Induced failure of the reactor coolant system pressure boundary
  • Natural circulation flow patterns within the reactor vessel upper plenum, hot legs, and steam generators
  • Creep rupture of hot leg nozzles, pressurizer surge line, and steam generator U-tubes

Debris bed coolability and core-concrete interactions
  • Debris spreading/depth on the containment floor
  • Crust formation at debris bed surface and effects on heat transfer
  • Debris fragmentation and cooling upon contact with water pools
  • Steam generation and debris oxidation

Fuel coolant interactions
  • Potential for dynamic loads to bounding structures
  • Hydrogen generation during melt-coolant interaction

Melt/debris ejection following reactor vessel failure
  • Melt/debris state and composition in the lower head
  • Mode of lower head failure
  • Debris dispersal and heat transfer following high-pressure melt ejection

A fundamental design objective of the integral severe accident analysis codes used to support Level 2 PRA (e.g., MAAP, MELCOR) is that they be fast running. Efficient code operation is necessary to allow sensitivity calculations to be performed within a reasonably short time and with minimal resources. One consequence of this objective, however, is that many complex phenomena are modeled in a relatively simple manner or, in some cases, are not represented at all. Therefore, a state-of-the-art Level 2 PRA addresses the inherent limitations of integral code calculations in two respects. First, the importance of phenomena not represented by the integral codes is evaluated by some other means (i.e., either application of specialized computational models or experimental investigation). Secondly, the effects of modeling simplification are examined by comparisons with mechanistic code calculations.

There are obvious practical benefits to applying or adapting results of completed studies of severe accident progression in other plants to the PRA of interest. If the applicability of such studies can be demonstrated, substantial savings can be achieved by eliminating unnecessary (repetitive) analysis. Application of analyses from studies of similar plants is common in Level 2 PRAs. However, such analyses cannot completely supplant the plant-specific evaluations described above.

The prerequisite for applying results of studies for another plant is a demonstration of similarity in plant design and operational characteristics such that the same results would be generated if plant-specific analyses were performed. Demonstration of similarity involves a direct comparison of key plant design features and, if necessary, scaling analysis. Examples of features to be included in such a comparison are listed in Table 3-20. The effects of differences in these design features are examined, and techniques for adapting or scaling the results of the surrogate analyses developed.

Table 3-20 Example plant design/operational parameters to be compared to demonstrate similarity for use as surrogate analysis (Component / Design characteristics of component)

Reactor Core
  • Nominal Power
  • Number of Fuel Assemblies
  • Number of Fuel Rods per Assembly
  • Core Mass (UO2, Cladding, Misc. support structures)

Reactor Vessel
  • Inside Diameter
  • Height
  • Nominal Operating Pressure
  • Number of Safety/Pressure Relief Valves
  • Safety/Relief Valve design flow rate
  • Reactor Coolant System Liquid Volume

Containment
  • Total Free Volume
  • Design Pressure
  • Nominal Internal Operating Pressure
  • Atmosphere composition
  • Reactor Cavity Floor Area
  • Penetration arrangement and construction
  • Water Capacity before Spill-over into Reactor Cavity
  • Concrete (floor) composition

In summary, evaluating severe accident progression involves a complex process of plant-specific sensitivity studies using integral codes, mechanistic code calculations, use of prior calculations, experimental data and expert judgement. Examples of this process are given in Appendix B for each of the phenomena listed in Table 3-19 above.

3.3.2.4 Task Interfaces

Task 1 assesses the reliability of containment systems for those severe accidents identified in the Level 1 PRA. Fault tree models (or other techniques) for estimating failure probabilities are developed and linked directly to the accident sequence models from the Level 1 PRA.

Task 2 has a critical interface with the plant damage state determination (refer to Section 3.3.1). For each of the plant damage states defined in Section 3.3.1, an evaluation of the severe accident progression would be performed in Task 2.

The output of these tasks is used together with the analyses performed in Section 3.3.3 to develop a range of potential containment failure modes and their corresponding frequencies.

3.3.2.5 References

EPRI, MAAP4 - Modular Accident Analysis Program for LWR Power Plants, RP3131-02, Volumes 1-4, Electric Power Research Institute, 1994.

Summers, R. M., et al., MELCOR Computer Code Manuals - Version 1.8.3, NUREG/CR-6119, SAND93-2185, Volumes 1-2, Sandia National Laboratories, 1994.

NRC, Uncertainty Papers on Severe Accident Source Terms, NUREG-1265, U.S. Nuclear Regulatory Commission, 1991.

Gorham-Bergeron, E. D., et al., Evaluation of Severe Accident Risks: Methodology for the Accident Progression, Source Term, Consequence, Risk Integration, and Uncertainty Analyses, NUREG/CR-4551, SAND86-1309, Sandia National Laboratories, December 1993.

NRC, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, Volume 1, Main Report, U.S. Nuclear Regulatory Commission, 1990.

3.3.3 Containment Performance Characteristics

The objective of this element of a Level 2 PRA is to determine the limits (or capacity) that the containment can withstand given the range and magnitude of the potential challenges. These challenges take many forms, including internal pressure rises (that occur over a sufficiently long time frame that they can be considered "static" in terms of the structural response of the containment), high temperatures, thermo-mechanical erosion of concrete structures, and under some circumstances, localized dynamic loads such as shock waves and internally generated missiles. Realistic estimates for the capacity of the containment structure to withstand these challenges are generated to provide a metric against which the likelihood of containment failure can be estimated.

3.3.3.1 Assumptions and Limitations

A thorough assessment of containment performance generally begins with a structured process of identifying potential containment failure modes (i.e., mechanisms by which integrity might be violated). This assessment commonly begins by reviewing a list of failure modes identified in PRAs for other plants to determine their applicability to the current design. Such a list was incorporated into NUREG-1335 (NRC, 1989), the NRC's guidance for performing an IPE. This review is then supplemented by a systematic examination of plant-specific design features and emergency operating procedures to ascertain whether additional, unique failure modes are conceivable. For each plausible failure mode, containment performance analyses are performed using validated structural response models, as well as plant-specific data for structural materials and their properties.

Unfortunately, current models for the response of complex structures to even "simple" loads (such as internal pressure) are not sufficiently robust to allow simultaneous prediction of a failure threshold and resulting failure size. This is particularly true for structures composed of non-homogeneous materials with highly non-linear mechanical properties such as reinforced concrete. As a result, calculations to establish performance limits are supplemented with information from experimental observations of containment failure characteristics and expert judgment. Examples of this process can be found in Task 2 below.

3.3.3.2 Products

In general, sufficient information in the documentation of analyses performed to establish quantitative containment performance limits is provided that allows an independent analyst to reproduce the results. At a minimum, the following information is documented for a PRA:

• a general description of the containment structure including illustrative figures to indicate the general configuration, penetration types and location, and major construction materials

• a description of the modeling approach used to calculate or otherwise define containment failure criteria

• if computer models are used (e.g., finite element analysis to establish over-pressure failure criteria), a description of the way in which the containment structure is nodalized, including a specific discussion of how local discontinuities, such as penetrations, are addressed

• if experimentally-determined failure data are used, a sufficiently detailed description of the experimental conditions to demonstrate applicability of results to plant-specific containment structures

3.3.3.3 Analytical Tasks

This technical activity involves two tasks:

1. Containment Structural Analysis
2. Containment Failure Mode Analysis

Each of these tasks is described in detail in the following sections.

Task 1 - Containment Structural Analysis

In a Level 2 PRA, the attributes of the analyses necessary to characterize containment performance limits are consistent with those of the containment load analyses against which they will be compared:

• They focus on plant-specific containment performance (i.e., application of reference plant analyses is generally inadequate).

• They consider design details of the containment structure such as:

  - containment type (free-standing steel shell; concrete-backed steel shell; pre-stressed, post-tensioned, or reinforced concrete)

  - the full range of penetration sizes, types, and their distribution (equipment and personnel hatches, piping penetrations, electrical penetration assemblies, ventilation penetrations)

  - penetration seal configuration and materials

  - discontinuities in the containment structure (shape transitions, wall anchorage to floors, changes in steel shell or concrete reinforcement)

• They consider interactions between the containment structure and neighboring structures (the reactor vessel and pedestal, auxiliary building(s), and internal walls).

For many containment designs, over-pressure has been found to be a dominant failure mechanism. In a state-of-the-art Level 2 PRA, the evaluation of ultimate pressure capacity is performed using a plant-specific, finite-element model of the containment pressure boundary including sufficient detail to represent major discontinuities such as those listed above. The influence of time-varying containment atmosphere temperatures is taken into account by performing the calculation for a reasonable range of internal temperatures. To the extent that internal temperatures are anticipated to be elevated for long periods of time (e.g., during the period of aggressive core-concrete interactions), thermal growth and creep rupture of steel containment structures are taken into account.

Task 2 - Containment Failure Mode Analysis

The characterization of containment performance limits is not simply a matter of defining a threshold load at which the structure "fails." A Level 2 PRA attempts to distinguish structural damage that results in "catastrophic failure" of the containment from damage that results in significant leakage⁴ to the environment. Leakage is often characterized by a smaller opening (i.e., one that may not preclude subsequent increases in containment pressure). Failure to isolate the containment is also considered. It is very important to assess both the location and size of the containment failure because of the implications for the source term calculation, e.g., given the same in-vessel and ex-vessel releases inside containment, a rupture in the drywell of a Mark II containment would typically result in higher releases to the environment than a leak in the wetwell.

⁴ Significant leakage is defined relative to the design basis leakage for the plant. Leakage rates greater than 100 times the design basis have been found risk significant in past studies.

The NUREG-1150 Expert Panel for Structural Response Issues assessed the containment overpressure failure issue for the Peach Bottom (Payne, 1990), Sequoyah (Gregory, 1990), Surry (Breeding, 1990) and Zion plants (Park, 1993). The assessments of the expert panel are documented in NUREG/CR-4551, Volume 2, Part 3 (Breeding, 1990). Two of these plants have free-standing steel containments and two have reinforced concrete containments. In addition to the distributions the expert panel provided for overpressure failure loads for these containment structures, the panel also provided conditional probabilities for failure location and failure mode (leak, rupture or catastrophic rupture). Both containment types were considered to be vulnerable to the propagation of cracks into ruptures. For a single containment, the panel assessed the conditional probability of multiple failure locations and sizes. For example, six different location/size failures (failure modes) were obtained for overpressure failure for the Peach Bottom containment: (1) wetwell leak, (2) rupture, no suppression pool bypass (discontinuity strains at T-stiffeners), (3) wetwell rupture, suppression pool bypass (membrane failure), (4) drywell leak (bending strain at the downcomers), (5) drywell head leak (gasket failure), and (6) drywell rupture (in main body near penetration due to loss of concrete wall back support).

Failure location and size by dynamic pressure loads and internally generated missiles are also probabilistically examined. The structural response expert panel for NUREG-1150 assessed the size and location of the containment breach by dynamic pressure loads for Grand Gulf (Brown, 1990) (reinforced concrete) and Sequoyah (free-standing steel). Both leaks and ruptures were predicted to occur in the containment response to detonations at Grand Gulf, and ruptures were predicted to occur at Sequoyah. Alpha mode failure (for all NUREG-1150 plants) and steel shell melt-through of a containment wall by direct contact of core debris (for Peach Bottom and Sequoyah) were treated as rupture failures of containment in NUREG-1150.

Basemat melt-through is generally treated as a leak in most Level 2 PRAs because of the protracted times involved as well as the predicted radionuclide retention in the soil. If a bypass of containment, such as an interfacing systems LOCA, is predicted to occur, then its effective size and location (e.g., probability that the break is submerged in water) are also estimated in order to perform the source term calculations.

3.3.3.4 Task Interfaces

These tasks have a critical interface with assessing containment challenges (refer to Section 3.3.2). For each of the plant damage states defined in Section 3.3.1, an evaluation of the severe accident progression would be performed in Task 2 of Section 3.3.2. This information is needed to characterize containment performance.

The output of these tasks is used together with the analyses performed in Section 3.3.2 to develop a range of potential containment failure modes and their corresponding frequencies.

3.3.3.5 References

NRC, Individual Plant Examination: Submittal Guidance, NUREG-1335, U.S. Nuclear Regulatory Commission, August 1989.

NRC, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, U.S. Nuclear Regulatory Commission, December 1990.

Breeding, R. J., et al., Evaluation of Severe Accident Risks: Quantification of Major Input Parameters, Experts: Determination of Structural Response Issues, NUREG/CR-4551, Volume 2, Part 3, Sandia National Laboratories, October 1990.

Brown, T. D., et al., Evaluation of Severe Accident Risks: Grand Gulf Unit 1, NUREG/CR-4551, Volume 6, SAND86-1309, Sandia National Laboratories, December 1990.

Payne, A. C., Evaluation of Severe Accident Risks: Peach Bottom Unit 2, NUREG/CR-4551, Volume 4, SAND86-1309, Sandia National Laboratories, December 1990.

Gregory, J. J., et al., Evaluation of Severe Accident Risks: Sequoyah Unit 1, NUREG/CR-4551, Volume 5, SAND86-1309, Sandia National Laboratories, December 1990.

Park, C. K., Evaluation of Severe Accident Risks: Zion Unit 1, NUREG/CR-4551, Volume 7, BNL-NUREG-52029, Brookhaven National Laboratory, March 1993.

3. Technical Activities 3.3.4 Containment Probabilistic other logic formats are provided to illustrate the logic hierarchy and event Characterization dep end enc ies.)

3.3.4.1 Assumptions and Limitations C a des cription of the technical basis (with complete references to documentation of One feature that distinguishes a state-of-the-art original engineering analyses) for the Level 2 PRA from other, less com prehens ive assignment of all probabilities or ass ess m ents is the way in which unc ertainties are prob ability distributio ns with the logic represented in the characterization of containment structure performance 5. In particular, explicit and quan titative recognition is given to uncertainties in the individual C a description of the ra tionale use d to processes and param eters that influence severe assign probability values to phenomena or accident behavior and attendant containment eve nts involving subjective, expert performanc e. These uncertainties are then judgment quantitatively integrated by mean s of a pro babilistic logic structure that allows the conditional probability C a description of the computer program of conta inm ent failure to be quantita tively used to exercise the logic model and estimated, as well as the uncertainty in the calculate final res ults conta inm ent failure pro bability.

3.3.4.3 Analytical Tasks Two eleme nts of such a n asses sm ent are described below. First, the characteristics of the This technical activity involves two tasks:

logic structure (i.e., containme nt event tree) used to organize the various contributors to uncertainty

1. Containment Event Tree Construction are described. However, the major distinguishing
2. Containment Event Tree Quantification element of a fu ll-scop e ap proa ch to characterizing containment performance is the manner in which Each of these tas ks is described in detail in the the CE T is qua ntified. T hat is wh ether or not following sections.

unc ertainty distributions for major events are assigned and propagated through the logic m odel.

Task 1 - Containment Event Tree Construction The key phrase here is uncertainty distributions (i.e., point estimates of probability are not The primary function of a "containm ent event tree,"

un ive rs ally applied to th e lo gic m od el) .

or any other probabilistic model evaluating Characteristics of these distributions and the containment performance, is to provide a manne r in which they are used in a typical logic structured framework for organizing and ranking model are described later in this section.

the alternative accident progressions that may evolve from a given core damage sequence . In 3.3.4.2 Produ cts developing this framework, whether it be in the form of a n event tree, fault tree or o the r log ic The following do cum enta tion is ge nera ted to structure, several elements are necessary to allow describe the process by which the conditional a ri g o ro u s a s s e s s m e n t o f c o n ta i n m e nt probability of containment failure is calculated:

performance:

C a listing and description of the structure of C Ex plicit rec ognition of the im portant tim e the overall logic model used to assem ble phases of severe accident progression.

the p ro b a b il is tic re p re s e ntation of Different phenomena m ay control the containment perform ance (G raphical nature and intens ity of challenges to displays of events trees, fault trees or containment integrity and the release and transport of radionuclides as an accident proceeds in time. The following tim e 5

Uncertainties in the estimation of fission product frames are of particular interest to a source terms are also represented in a full-scope Level 2 an alysis:

Level 2 PRA; however, this topic is discussed in Section 3.3.5.

3-104

3. Technical Activities

- After the initiating event, but before the onset of core damage. This time period establishes important initial conditions for containment response after core damage begins.

- After the core damage begins, but prior to failure of the reactor vessel lower head. This period is characterized by core damage and radionuclide release (from fuel) while core material is confined within the reactor vessel.

- Immediately following reactor vessel failure. Prior analyses of containment performance suggest that many of the important challenges to containment integrity occur immediately following reactor vessel failure. These challenges may be short-lived, but often occur only as a direct consequence of the release of molten core materials from the reactor vessel immediately following lower head failure.

- Long-term accident behavior. Some accident sequences evolve rather slowly and generate relatively benign loads to containment structures early in the accident progression. However, in the absence of some mechanism by which energy generated within the containment can be safely rejected to the environment, these loads may steadily increase to the point of failure in the long term.

When linked end-to-end, these time frames constitute the outline for most probabilistic containment performance models. Within each time frame, uncertainties in the occurrence or intensity of governing phenomena are systematically evaluated.

• Consistency in the treatment of severe accident events from one time frame to another. Many phenomena may occur during several different time frames of a severe accident. However, certain limitations apply to the composite (integral) contribution of some phenomena over the entire accident sequence, and these are represented in the formulation of a probabilistic model.

A good example is hydrogen combustion in a PWR containment. Hydrogen generated during core degradation can be released to the containment over several time periods. However, an important contribution to the uncertainty in containment loads generated by a combustion event is the total mass of hydrogen involved in a particular combustion event. One possibility is that hydrogen released to the containment over the entire in-vessel core damage period is allowed to accumulate without being burned (perhaps) as a result of the absence of a sufficiently strong ignition source. Molten core debris released to the reactor cavity at vessel breach could represent a strong ignition source, which would initiate a large burn (assuming the cavity atmosphere is not steam inert). Because of the mass of hydrogen involved, this combustion event might challenge containment integrity. Another possibility is that while the same total amount of hydrogen is being released to the containment during in-vessel core degradation, a sufficiently strong ignition source exists to cause several small burns to occur prior to vessel breach. In this case, the mass of hydrogen remaining in the containment atmosphere at vessel breach would be very small in comparison to the first case, and the likelihood of a significant challenge to containment integrity at that time should be correspondingly lower. Therefore, the logic for evaluating the probability of containment failure associated with a large combustion event occurring at the time of vessel breach is able to distinguish these two cases and preclude the possibility of a large combustion event if hydrogen was consumed during an earlier time frame.

3-105

• Recognition of the interdependencies of phenomena. Most severe accident phenomena and associated events require certain initial or boundary conditions to be relevant. For example, a steam explosion can only occur if molten core debris comes in contact with a pool of water. Therefore, it may not be meaningful to consider ex-vessel steam explosions during accident scenarios in which the drywell floor (BWR) or reactor cavity (PWR) is dry at the time of vessel breach. Logic models for evaluating containment performance capture these and many other such interdependencies among severe accident events and phenomena. Explicit representation of these interdependencies provides the mechanism for allowing complete traceability between a particular accident sequence (or plant damage state) and a specific containment failure mode.

Task 2 - Containment Event Tree Quantification

There are many approaches to transforming the technical information concerning containment loads and performance limits to an estimate of failure probability, but three approaches appear to dominate the literature. In the first (least rigorous) approach, qualitative terms expressing various degrees of uncertainty are translated into quantitative (point estimate) probabilities. For example, terms such as "likely" or "unlikely" are assigned numerical values (such as 0.9 and 0.1). Superlatives, such as "very" likely or "highly" unlikely, are then used to suggest degrees of confidence that a particular event outcome is appropriate. The subjectivity associated with this method is controlled to some extent by developing rigorous guidelines for the amount and quality of information necessary to justify progressively higher confidence levels (i.e., probabilities approaching 1.0 or 0.0). Nonetheless, this method is not considered an appropriate technique for assigning probabilities to represent state-of-knowledge uncertainties in a PRA (such uncertainties tend to dominate a Level 2 PRA, rather than uncertainty associated with random behavior). Among its weaknesses, this approach simply produces a point estimate of probability and is not a rigorous technique for developing probability distributions.

The second technique involves a convolution of paired probability density functions. In this technique, probability density functions are developed to represent the distribution of credible values for a parameter of interest (e.g., containment pressure load) and for its corresponding failure criterion (e.g., ultimate pressure capacity). This method is more rigorous than the one described above in the sense that it explicitly represents the uncertainty in each quantity in the probabilistic model. The basis for developing these distributions is the collective set of information generated from plant-specific integral code calculations, corresponding sensitivity calculations, other relevant mechanistic calculations, experimental observations, and expert judgment. The conditional probability of containment failure (for a given accident sequence) is then calculated as the intersection of the two density functions (see Figure 3.9).

While this technique provides an explicit treatment of uncertainty at intermediate stages of the analysis, it still ultimately generates a point estimate for the probability of containment failure caused by a particular mechanism. The contributions to (and magnitude of) uncertainty in the final (total) containment failure probability are discarded in the process.

The third technique involves adding an additional feature to the technique described above. That is, the probability density functions representing uncertainty in each term of the containment performance logic model are propagated throughout the entire model to allow calculation of statistical quantities such as importance measures. One means for accomplishing this objective is the application of Monte Carlo sampling techniques (such as Latin Hypercube). The application of this technique to Level 2 PRA logic models, pioneered in NUREG-1150 (NRC, 1990), accommodates a large number of uncertain variables.

3-106
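The second and third techniques can be made concrete with a short script. The following is an added example written for the reader of this guide; it is not code from the report or from NUREG-1150. The lognormal load and capacity distributions (pressures in MPa), the small logic model in which the combustion load at vessel breach scales with the fraction of hydrogen left unburned, and every parameter value are constructed assumptions chosen only to illustrate the mechanics.

```python
"""Conditional containment failure probability: convolution of load and
capacity density functions (second technique), then Latin Hypercube
propagation through a small logic model with a rank-correlation importance
measure (third technique).

Added example. The lognormal distributions, the hydrogen-scaling model and
every numeric value are constructed assumptions, not data from the report."""
import math
import random
from statistics import NormalDist


def lognormal(median, beta):
    """NormalDist of ln(X) for a lognormal X with the given median and
    logarithmic standard deviation beta (pressures in MPa, assumed)."""
    return NormalDist(math.log(median), beta)


def failure_prob_convolution(load, capacity, p_min=0.01, p_max=5.0, steps=20000):
    """Second technique: P(Pc > Pf) = integral of f_Pc(p) * F_Pf(p) dp over p,
    i.e. the overlap of the two density functions of Figure 3.9, evaluated
    with the trapezoidal rule. 'load' and 'capacity' describe ln(P)."""
    h = (p_max - p_min) / steps
    total = 0.0
    for i in range(steps + 1):
        p = p_min + i * h
        pdf_load = load.pdf(math.log(p)) / p     # lognormal density in pressure units
        cdf_cap = capacity.cdf(math.log(p))      # P(Pf <= p)
        weight = 0.5 if i in (0, steps) else 1.0
        total += weight * pdf_load * cdf_cap
    return total * h


def failure_prob_closed_form(load, capacity):
    """Check value: ln(Pc) - ln(Pf) is itself normal, so the failure
    probability is a single normal tail."""
    diff = NormalDist(load.mean - capacity.mean,
                      math.hypot(load.stdev, capacity.stdev))
    return 1.0 - diff.cdf(0.0)


def latin_hypercube(n, dims, rng):
    """n rows of dims uniforms: each dimension is cut into n equal strata,
    the strata are shuffled independently, and one point is drawn per stratum."""
    columns = []
    for _ in range(dims):
        order = list(range(n))
        rng.shuffle(order)
        columns.append([(k + max(rng.random(), 1e-12)) / n for k in order])
    return [tuple(col[i] for col in columns) for i in range(n)]


def rank_correlation(xs, ys):
    """Spearman correlation between a continuous input and a 0/1 outcome.
    Ranking xs (no ties) and using the indicator itself is exact, because the
    average ranks of a binary variable are an affine map of that variable."""
    n = len(xs)
    ranks = [0] * n
    for r, idx in enumerate(sorted(range(n), key=xs.__getitem__)):
        ranks[idx] = r
    mx, my = sum(ranks) / n, sum(ys) / n
    cov = sum((rx - mx) * (y - my) for rx, y in zip(ranks, ys))
    vx = sum((rx - mx) ** 2 for rx in ranks)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def propagate_lhs(base_load, capacity, h_scale=1.0, n=2000, seed=1):
    """Third technique: every uncertain term is sampled and pushed through the
    logic model, so importance measures fall out of the same run.
    Constructed model: the combustion load at vessel breach is
    base_load * (1 + h_scale * h_left), where h_left (uniform 0..1) is the
    fraction of hydrogen not burned in earlier time frames. h_scale=0 reduces
    the model to the plain load-versus-capacity comparison above."""
    rng = random.Random(seed)
    fails = []
    inputs = {"base_load": [], "h_left": [], "capacity": []}
    for u_load, u_h, u_cap in latin_hypercube(n, 3, rng):
        pc_base = math.exp(base_load.inv_cdf(u_load))
        pf = math.exp(capacity.inv_cdf(u_cap))
        pc = pc_base * (1.0 + h_scale * u_h)
        fails.append(1 if pc > pf else 0)
        inputs["base_load"].append(pc_base)
        inputs["h_left"].append(u_h)
        inputs["capacity"].append(pf)
    importance = {name: rank_correlation(vals, fails) for name, vals in inputs.items()}
    return sum(fails) / n, importance


if __name__ == "__main__":
    load, cap = lognormal(0.6, 0.3), lognormal(1.0, 0.15)
    print("convolution :", round(failure_prob_convolution(load, cap), 4))
    print("closed form :", round(failure_prob_closed_form(load, cap), 4))
    p_fail, imp = propagate_lhs(lognormal(0.4, 0.3), cap)
    print("LHS model   :", round(p_fail, 4), {k: round(v, 3) for k, v in imp.items()})
```

The convolution reproduces the closed-form tail probability, which is the point estimate the second technique stops at. The Latin Hypercube run returns the same probability when the hydrogen term is switched off, and with it on it also returns a sign and magnitude for each input's influence on the failure indicator, which is the kind of importance information the third technique preserves and the second discards.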

Figure 3.9 Probability density functions for containment peak pressure (Pc) and failure pressure (Pf)

Other techniques have been developed for specialized applications, such as the direct propagation of uncertainty technique developed to assess the probability of containment failure as a result of direct containment heating in a large dry PWR. However, these other techniques are constrained to a small number of variables and are not currently capable of applications involving the potentially large number of uncertain variables addressed in a Level 2 PRA.

3.3.4.4 Task Interfaces

These tasks have a critical interface with the evaluation of the severe accident progression (refer to Task 2 of Section 3.3.2).

The output of these tasks is a range of potential containment failure modes and their corresponding frequencies, which provide input to radionuclide release characterization (Section 3.3.5).

3.3.4.5 References

NRC, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, U.S. Nuclear Regulatory Commission, December 1990.

3.3.5 Radionuclide Release Characterization

The second, albeit equally important, product of a Level 2 PRA is a quantitative characterization of radiological release to the environment resulting from each accident sequence that contributes to the total core damage frequency.

The specific manner in which radionuclide source terms are characterized in a Level 2 analysis is described first. Attributes of coupling the evaluation of radionuclide release to analyses of severe accident progression for particular sequences are also described. Finally, attributes of addressing uncertainties in radionuclide source terms are described.

3.3.5.1 Assumptions and Limitations

In many Level 2 analyses, the characterization of radiological release is used solely as a semi-quantitative scale to rank the relative severity of accident sequences. In such circumstances, a rigorous quantitative evaluation of radionuclide release, transport, and deposition may not be necessary. Rather, order-of-magnitude estimates of the size of release for a few representative radionuclide species provide a satisfactory scale for ranking accident severity. In a state-of-the-art Level 2 PRA, however, the characterization of radionuclide release to the environment provides sufficient information to completely define the "source term" for calculating off-site health and economic consequences for use in a Level 3 PRA.

3-107

Further, the rigor required of the evaluation of radionuclide release, transport, and deposition directly parallels that used to evaluate containment performance:

• Source term analyses (deterministic computer code calculations) reflect plant-specific features of system design and operation. In particular, the models used to calculate radionuclide source terms faithfully represent plant-specific characteristics such as fuel, control material, and in-core support structure composition and spatial distribution; configuration and deposition areas of primary coolant system and containment structures; reactor cavity (or drywell floor) configuration and concrete composition; and topology of transport pathways from the fuel and/or core debris to the environment.

• Calculations of radionuclide release, transport, and deposition represent sequence-specific variations in primary coolant system and containment characteristics. For example, reactor vessel pressure during in-vessel core melt progression and operation (or failure) of containment safeguard systems such as distributed sprays are represented in a manner that directly accounts for their effects on radionuclide release and/or transport. The procedure for organizing the numerous accident sequences generated in a Level 1 PRA into a reasonably small number of groups that exhibit similar radionuclide release characteristics is described below.

• Uncertainties in the processes governing radionuclide release, transport, and deposition are quantified. Uncertainties related to radionuclide behavior under severe accident conditions are quantified to characterize uncertainties in the radionuclide source term associated with individual accident sequences. This is achieved in the same way uncertainties for the phenomena governing severe accident progression are used to characterize uncertainty in the probability of containment failure (described below).

3.3.5.2 Products

In general, sufficient information on the analyses performed to characterize radiological source terms is documented to allow an independent analyst to reproduce the results. At a minimum, the following information is documented for a PRA:

• a summary of all computer code calculations used as the basis for estimating plant-specific source terms for selected accident sequences

• a description of modeling methods used to perform plant-specific source term calculations, including a description of the method by which source terms are assigned to accident sequences for which computer code (i.e., MAAP [EPRI, 1994] or MELCOR [Summers, 1994]) calculations were not performed

• if analyses of a surrogate (i.e., "similar") plant are used as a basis for characterizing any aspect of radionuclide release, transport, or deposition in the plant being analyzed, references to, or copies of, documentation of the original analysis, and a description of the technical basis for assuming applicability of results

• a description of the method by which uncertainties in source terms are addressed

• for all other original engineering calculations, a sufficiently complete description of the analysis method, assumptions and calculated results is prepared to accommodate an independent (peer) review

3.3.5.3 Analytical Tasks

This technical activity involves three tasks:

1. Definition of Radionuclide Source Terms
2. Coupling Source Term and Severe Accident Progression Analyses
3. Treatment of Source Term Uncertainties

Each of these tasks is described in detail in the following sections.

3-108

Task 1 - Definition of Radionuclide Source Terms

The analysis of health and economic consequences resulting from an accidental release of radionuclides from a nuclear plant (in a Level 3 PRA) requires specification of several parameters (from a Level 2 PRA) that define the environmental source term. Ideally, the following information is developed:

• the time at which a release begins

• the time history of the release of all radioisotopes that contribute to early (deterministic) and late (stochastic) health consequences

• the elevation (above local ground level) at which the release occurs

• the energy with which the release is discharged to the environment

• the size distribution of radioactive material released in the form of an aerosol (i.e., particulate)

As in many other aspects of a comprehensive PRA, it is impractical to generate this information for the full spectrum of accident conditions produced by Level 1 and 2 analyses. To address this constraint, several simplifications are made in a Level 2 analysis. In particular, the following assumptions are typically made regarding the radioactive material of interest:

• All isotopes of a single chemical element are released from fuel at the same rate.

• Chemical elements exhibiting similar properties in terms of their measured rate of release from fuel, physical transport by means of fluid advection, and chemical behavior in terms of interactions with other elemental species and bounding structural surfaces can be effectively modeled as one composite radionuclide species. Typically, the specific properties of a single (mass dominant) element are used to represent the properties of all species within a group.

The combination of these two assumptions leads to a radionuclide grouping scheme that reduces the total number of modeled radionuclide species to nine groups, as shown in Table 3-21.

Although the species listed above are released from fuel in their elemental form, it is firmly established that many species quickly combine with other elements to form compounds as they migrate away from the point of release. The formation of these compounds and the associated change in the physico-chemical properties of individual radionuclide groups are taken into account in the analysis of radionuclide transport and deposition. In particular, volatile radionuclide species, such as iodine and cesium, may be transported in more than one chemical form, each with different properties that affect their transport. Chemical forms of these radionuclide groups represented in the source term analysis of a full-scope PRA include:

Radionuclide group | Chemical forms for transport
I | I2, CH3I, HI [vapor]; CsI [aerosol]
Cs | CsOH, CsI [aerosol]

A second simplification in the characterization of radionuclide release involves the treatment of time-dependence. Temporal variations in radionuclide release are calculated as a natural product of deterministic source term calculations. However, in a Level 2 PRA these variations are reduced to a series of discrete periods of radiological release, each of which is described by a starting time, a duration, a (constant) release rate, and a release energy. For example, results of an integral severe accident/source term code calculation might suggest the radiological release rate shown as the solid line in Figure 3.10. The continuous release rate is simplified to represent major characteristics of the release history, such as an early, short-lived, large release rate immediately following containment failure (sometimes referred to as the "puff release"), followed by two longer periods of a sustained release. The specific characteristics of these discrete release periods may vary from one accident sequence (or plant damage state) to another, but the timing characteristics (i.e., start

3-109

Table 3-21 Radionuclide grouping scheme used in a Level 2 PRA

Group | Representative element | Elements represented by the group | Important isotopes within the group
1 | Xe | Xe, Kr | Xe-133, Xe-135, Kr-85, Kr-85M, Kr-87, Kr-88
2 | I | I, Br | I-131, I-132, I-133, I-134, I-135
3 | Cs | Cs, Rb | Cs-134, Cs-136, Cs-137, Rb-86
4 | Te | Te, Sb, Se | Te-127, Te-127M, Te-129, Te-129M, Te-131, Te-132, Sb-127, Sb-129
5 | Sr | Sr | Sr-89, Sr-90, Sr-91, Sr-92
6 | Ru | Ru, Rh, Co, Mo, Tc, Pd | Ru-103, Ru-105, Ru-106, Rh-105, Co-58, Co-60, Mo-99, Tc-99M
7 | La | La, Y, Zr*, Nb, Nd, Pr, Am, Cm, Sm | La-140, La-141, La-142, Y-90, Y-91, Y-92, Y-93, Zr-95, Zr-97, Nb-95, Nd-147, Pr-143, Am-241, Cm-242, Cm-244
8 | Ce | Ce, Np, Pu | Ce-141, Ce-143, Ce-144, Np-239, Pu-238, Pu-239, Pu-240, Pu-241
9 | Ba | Ba | Ba-139, Ba-140

* Radionuclide zirconium (not the structural metal)

3-110
Figure 3.10 Example of simplified radionuclide release rates

time and duration) are the same for each radionuclide group (i.e., only the release rate varies from one group to another for a given release period). The total number of release periods is typically small (i.e., 3 or 4) and represents distinct periods of severe accident progression. For example, the following time periods may be represented:

Very early [containment leakage prior to containment failure]

Puff release [immediately following containment failure]

Early [relatively large release rate period accompanying containment depressurization following breach of the containment pressure boundary]

Late [long-term, low release rate after containment depressurization]

Note that the above time periods are for illustrative purposes only; others are developed, as necessary, to suit the specific results of a plant-specific assessment.

Task 2 - Coupling Source Term and Severe Accident Progression Analyses

The number of unique severe accident sequences represented in a Level 2 PRA can be exceedingly large. Comprehensive, probabilistic consideration of the numerous uncertainties in severe accident progression can easily expand a single accident sequence (or plant damage state) from the Level 1 systems analysis into a large number of alternative severe accident progressions. A radionuclide source term must be estimated for each of these accident progressions. Clearly, it is impractical to perform that many deterministic source term

3-111

calculations.

A common practice in many Level 2 PRAs (although insufficient for a state-of-the-art PRA) is to reduce the analysis burden by grouping the alternative severe accident progressions into "source term bins" or "release categories." This grouping process is analogous to the one used at the interface between the Level 1 and Level 2 analyses to group accident sequence cut sets into plant damage states. The principal objective of the source term grouping (or binning) exercise is to reduce the number of specific severe accident scenarios for which deterministic source term calculations must be performed to a practical value. A structured process similar to the one described in Section 3.3.1 (related to the assessment of accident sequences addressed in a Level 2 PRA) is typically followed to accomplish the grouping. Characteristics of severe accident behavior and containment performance that have a controlling influence on the magnitude and timing of radionuclide release to the environment are used to group (or bin) the alternative accident progressions into appropriate release categories. A deterministic source term calculation is then performed for a single accident progression within each release category (typically the highest frequency) to represent the entire group.

As indicated above, this approach is inadequate for a state-of-the-art Level 2 analysis because the radionuclide source term for any given severe accident progression cannot be calculated with certainty. The influence of uncertainties related to the myriad processes governing radionuclide release from fuel, transport through the primary coolant system and containment, and deposition on intervening structures is significant and must be quantified with a similar level of rigor afforded to severe accident progression uncertainties. Further, a state-of-the-art Level 2 PRA is performed in a manner that allows the relative contribution of individual parameter uncertainties to the overall uncertainty in risk to be calculated directly (i.e., via rank regression or some other statistically rigorous manner). This requires a probabilistic modeling process that combines the uncertainty distributions associated with the evaluation of accident frequency, severe accident progression, containment performance, and radionuclide source terms in an integrated, consistent fashion.

In performing this integrated uncertainty analysis, special care must be taken to ensure consistency between uncertain parameters associated with radionuclide release, transport, and deposition and other aspects of accident behavior. In particular, the analysis must account for important correlations between the behavior of radionuclides and the other characteristics of severe accident progression. For example:

• The magnitude of radionuclide release from fuel is known to be influenced by the magnitude of Zircaloy (clad) oxidation. Therefore, the distributions of plausible values for the release fraction of various radionuclides are correlated to the distribution of values for the fraction of clad oxidized in-vessel.

• In the NUREG-1150 (NRC, 1990) assessments, uncertainty in the retention efficiency of aerosols transported through the primary coolant system was found to depend strongly on primary coolant system pressure during in-vessel melt progression. Higher retention efficiencies were attributed to sequences involving low coolant system pressure than to those involving high pressure.

These and other similar relationships are described in the experts' determination of source term issues in NUREG/CR-4551, Volume 2 (Harper, 1990).

Task 3 - Treatment of Source Term Uncertainties

Results of the Level 2 PRAs described in NUREG-1150 indicate that uncertainties associated with processes governing radionuclide release from fuel; transport through the primary coolant system, secondary coolant system (if applicable), and containment; and deposition on bounding structures can be a major contributor to the uncertainty in some measures of risk. For example, uncertainties in the magnitude of radionuclide release from fuel during in-vessel melt progression, and uncertainties in the amount of retention on the shell (secondary) side of steam generators, were found to be among the largest contributors to the overall uncertainty in early fatality risk associated with steam generator tube rupture events (a significant contributor to the core damage frequency in some PWRs). Similarly, uncertainties in processes such as radionuclide release during core-concrete interactions and late

3-112

release of iodine initially captured by pressure suppression pools were found to be important contributors to various risk measures in BWRs.

Uncertainties in the processes specifically related to radionuclide source term assessment are, therefore, represented in a state-of-the-art Level 2 PRA. When deterministic codes are used to estimate the source term, it is important to account for all of the relevant phenomena (even when the code does not explicitly include models for all of the phenomena). When a model is not available for certain important phenomena, it is not acceptable to simply ignore the phenomena. Instead, alternative methods are used, such as consulting different code calculations, using specialized codes, or assessing relevant experimental results. A systematic process and calculation tools to accommodate source term uncertainties into the overall evaluation of severe accident risks were developed for the Level 2 PRAs described in NUREG-1150. A detailed description of this process and the associated tools is not provided here; the reader is referred to NUREG/CR-4551, Vol. 2, Part 4 (Harper, 1990), NUREG-1335 Appendix A (NRC, 1989), and NUREG/CR-5360 (Jow, 1993) for additional information on these topics. In addition, when estimating consequences in the PRA, it is also important to accurately represent the timing of the release. Past studies have shown that the number of early fatalities can be particularly sensitive to when the release occurs relative to when the general public is being evacuated. Hence, it is also important that the approach used to estimate the source term properly accounts for timing characteristics of the release.

Table 3-22 summarizes the areas in which key uncertainties are addressed in a Level 2 analysis. These key uncertainties are derived, in part, from the results of the NUREG-1150 analyses, as well as more recent statements of key source term uncertainties published by the NRC for light-water reactor licensing purposes.

3.3.5.4 Task Interfaces

These tasks have a critical interface with the containment probabilistic characterization (refer to Task 2 of Section 3.3.4).

The output of these tasks is a range of potential containment failure modes, release fractions (or source terms), and their corresponding frequencies. The output of the Level 2 analysis provides input to the consequence analysis (Section 3.4).

Table 3-22 Areas of key radionuclide source term uncertainties

Magnitude of radionuclide release from fuel during core damage and material relocation in-vessel (primarily for volatile and semi-volatile radionuclide species).

Chemical form of iodine for transport and deposition.

Retention efficiency during transport through the primary and secondary coolant systems (particularly for long release pathways).

Magnitude of radionuclide release from fuel (primarily refractory metals) and non-radioactive aerosol generation during core-concrete interactions.

Decontamination efficiency of radionuclide flow streams passing through pools of water (BWR suppression pools and PWR containment sumps).

Late revaporization and release of iodine initially captured in water pools.

Capture and retention efficiency of aerosols in containment and secondary enclosure buildings.

3-113
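The reduction of a continuous release history to a few discrete periods that share their timing across radionuclide groups (Task 1 above, Figure 3.10), together with the requirement under Task 3 that the timing of the release be preserved, can be shown with a small script. This is an added example written for the reader of this guide, not code from the report or from MAAP or MELCOR; the release-rate curves, the four period boundaries and the release energies are constructed assumptions, and the group scale factors are placeholders rather than measured release fractions.

```python
"""Reduce a continuous, group-specific release-rate history to a few discrete
release periods that share start time and duration across radionuclide groups
and differ only in the (constant) rate, preserving the integrated release.

Added example; the release histories, period boundaries and release energies
below are constructed assumptions, not results from the report."""
import bisect
import math

# Constructed period definitions: (name, start [h], end [h], release energy [MW]).
# Same timing for every group, as the text requires; energies are placeholders.
PERIODS = [
    ("very early", 0.0, 2.0, 0.5),
    ("puff", 2.0, 2.25, 20.0),
    ("early", 2.25, 4.0, 5.0),
    ("late", 4.0, 12.0, 1.0),
]

# Constructed group scale factors (rates below are fractions of inventory per
# hour): noble gases leave fully, iodine and cesium are partly retained.
GROUP_SCALE = {"Xe": 1.0, "I": 0.25, "Cs": 0.2}


def constructed_rate(t, scale):
    """Stand-in for the solid line of Figure 3.10: leakage before containment
    failure at t = 2 h, a short puff, a decaying early release, a slow tail."""
    if t < 2.0:
        return 0.002 * scale
    if t < 2.25:
        return 0.8 * scale
    if t < 4.0:
        return 0.1 * scale * math.exp(-(t - 2.25))
    return 0.01 * scale * math.exp(-0.2 * (t - 4.0))


def constructed_histories(dt=0.05, t_end=12.0):
    """Sampled release-rate curves for each group on a common time grid."""
    times = [round(i * dt, 6) for i in range(int(round(t_end / dt)) + 1)]
    rates = {g: [constructed_rate(t, s) for t in times] for g, s in GROUP_SCALE.items()}
    return times, rates


def integrate(times, rates, a, b):
    """Integral over [a, b] of the piecewise-linear interpolant through the samples."""
    def value_at(t):
        j = min(max(bisect.bisect_right(times, t) - 1, 0), len(times) - 2)
        t0, t1, r0, r1 = times[j], times[j + 1], rates[j], rates[j + 1]
        return r0 + (r1 - r0) * (t - t0) / (t1 - t0)
    pts = [a] + [t for t in times if a < t < b] + [b]
    return sum(0.5 * (value_at(p) + value_at(q)) * (q - p) for p, q in zip(pts, pts[1:]))


def discretize(times, rates_by_group, periods=PERIODS):
    """One record per period: the constant rate that releases, for each group,
    exactly what the continuous curve released during that period."""
    records = []
    for name, start, end, energy in periods:
        duration = end - start
        records.append({
            "name": name, "start": start, "duration": duration, "energy": energy,
            "rate": {g: integrate(times, r, start, end) / duration
                     for g, r in rates_by_group.items()},
        })
    return records


def released_fraction(records, group):
    """Cumulative release of a group over all periods (fraction of inventory)."""
    return sum(rec["rate"][group] * rec["duration"] for rec in records)


if __name__ == "__main__":
    times, rates = constructed_histories()
    for rec in discretize(times, rates):
        print(rec["name"], rec["start"], rec["duration"],
              {g: round(v, 4) for g, v in rec["rate"].items()})
```

Choosing the constant rate as the period-average of the continuous curve keeps the cumulative release of every group identical to the integral of the original history, so the simplification changes only the time profile inside a period, never the total. The period boundaries are the analyst's choice and are the place where the timing sensitivity of early fatalities enters: moving the start of the puff period relative to the evacuation time changes the Level 3 result even when every rate is unchanged.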

3.3.5.5 References

EPRI, MAAP4 - Modular Accident Analysis Program for LWR Power Plants, RP3131-02, Volumes 1-4, Electric Power Research Institute, 1994.

Summers, R. M., et al., "MELCOR Computer Code Manuals -- Version 1.8.3," NUREG/CR-6119, SAND93-2185, Volumes 1-2, Sandia National Laboratories, 1994.

NRC, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, U.S. Nuclear Regulatory Commission, December 1990.

Harper, F. T., et al., Evaluation of Severe Accident Risks: Quantification of Major Input Parameters, NUREG/CR-4551, Volume 2, SAND86-1309, Sandia National Laboratories, December 1990.

NRC, Individual Plant Examination: Submittal Guidance, NUREG-1335, U.S. Nuclear Regulatory Commission, August 1989.

Jow, H. J., et al., "XSOR Codes User Manual," NUREG/CR-5360, Sandia National Laboratories, 1993.

3.4 Level 3 Analysis (Consequence Analysis and Integrated Risk Assessment)

In this section, the analyses performed as part of the Level 3 portion of a probabilistic risk assessment (PRA) are described.

3.4.1 Assumptions and Limitations

In most Level 3 (i.e., consequence) codes, atmospheric transport of the released material is carried out assuming Gaussian plume dispersion. This assumption is generally valid for flat terrain to a distance of a few kilometers from the point of release but is inaccurate both in the immediate vicinity of the reactor building and at farther distances. For most PRA applications, however, the inaccuracies introduced by the assumption of Gaussian plumes are much smaller than the uncertainties due to other factors, such as the source term. In specific cases of plant location, such as, for example, a mountainous area or a valley, more detailed dispersion models that incorporate terrain effects may have to be considered. There are other physical parameters that influence downwind concentrations. Dry deposition velocity can vary over a wide range depending on the particle size distribution of the released material, the surface roughness of the terrain, and other factors. An assessment of these uncertainties focused on the factors which influence dispersion and deposition has been carried out recently (Harper et al., 1995). Earlier assessments of the assumptions and uncertainties in consequence modeling were reported in other PRA procedure guides (NRC, 1983).

Besides atmospheric transport, dispersion, and deposition of released material, there are several other assumptions, limitations, and uncertainties embodied in the parameters that impact consequence estimation. These include: models of the weathering and resuspension of material deposited on the ground, modeling of the ingestion pathway, i.e., the food chains, ground-crop-man and ground-crop-animal-dairy/meat-man, internal and external dosimetry, and the health effects model parameters. Other sources of uncertainty arise from the assumed values of parameters that determine the effectiveness of emergency response, such as the shielding provided by the building stock in the area where people are assumed to shelter, the speed of evacuation, etc. Comparison of the results of different consequence codes, which embody different approaches and values of these parameters, on a standard problem are contained in a study sponsored by the Organization for Economic Co-operation and Development (OECD, 1994). An uncertainty analysis of the COSYMA code results using the expert elicitation method is currently being carried out (Jones, 1996).

3.4.2 Products

Documentation of the analyses performed to estimate the consequences associated with the accidental release of radioactivity to the environment should contain sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented for the Level 3 analysis:

3-114

  • identification of the consequence code and the version used to carry out the analysis,
  • a description of the site-specific data and assumptions used in the input to the code,
  • specifications of the source terms used to run the code,
  • discussion and definition of the emergency response parameters,
  • a description of the computational process used to integrate the entire PRA model (Level 1 - Level 3), and
  • a summary of all calculated results including frequency distributions for each risk measure.

3.4.3 Analytical Tasks

A Level 3 PRA consists of two major tasks:

1. Consequence analyses conditional on various release mechanisms (source terms) and
2. Computation of risk by integrating the results of Levels 1, 2, and 3 analyses.

Task 1 - Consequence Analysis

The consequences of an accidental release of radioactivity from a nuclear power plant to the surrounding environment can be expressed in several ways: impact on human health, impact on the environment, and impact on the economy. The consequence measures of most interest to a Level 3 PRA focus on the impact to human health. They should include:

  • number of early fatalities,
  • number of early injuries,
  • number of latent cancer fatalities,
  • population dose (person-rem or person-sievert) out to various distances from the plant,
  • individual early fatality risk defined in the early fatality QHO, i.e., the risk of early fatality for the average individual within 1 mile from the plant, and
  • individual latent cancer fatality risk defined in the latent cancer QHO, i.e., the risk of latent cancer fatality for the average individual within 10 miles of the plant.

The consequence measures that focus on impacts to the environment include:

  • land contamination, and
  • surface water body (e.g., lakes, rivers, etc.) contamination.

Groundwater contamination has yet to be included in Level 3 analyses, although it may be important to consider it in certain specific cases.

The economic impacts are mainly estimated in terms of the costs of countermeasures taken to protect the population in the vicinity of the plant. These costs can include:

  • short-term costs incurred in the evacuation and relocation of people during the emergency phase following the accident and in the destruction of contaminated food, and
  • long-term costs of interdicting contaminated farmland and residential/urban property which cannot be decontaminated in a cost-effective manner, i.e., where the cost of decontamination is greater than the value of the property.

The costs of medical treatment to potential accident victims are not generally estimated in a Level 3 analysis, although approaches do exist for incorporating these costs (Mubayi, 1995) if required by the application.

The results of the calculations for each consequence measure are usually reported as a complementary cumulative distribution function. They can also be reported in terms of a distribution--for example, ones that show the 5th percentile, the 95th percentile, the median, and the mean.

A probabilistic consequence assessment (PCA) code is needed to perform the Level 3 analysis. Such codes normally take as input the characteristics of the release or source term provided by the Level 2 analysis. These characteristics typically include for each specified source term: the release fractions of the core inventory of key radionuclides, the timing and duration of the release, the height of the release (i.e., whether the release is elevated or ground level), and the energy of the release. PCA codes incorporate algorithms for performing weather sampling on the plume transport in order to obtain
a distribution of the concentrations and dosimetry which reflect the uncertainty and/or variability due to weather. The codes also model various protective action countermeasures to permit a more realistic calculation of doses and health effects and to assess the efficacy of these different actions in reducing consequences.

Several PCA codes are currently in use for calculating the consequences of postulated radiological releases. The NRC supports the use of the MACCS (Jow, 1990 and Chanin, 1993) and MACCS2 (Chanin and Young, 1997) PCA codes for carrying out nuclear power plant Level 3 PRA analyses. A number of countries in Europe support the use of the COSYMA (KfK and NRPB, 1991 and Jones, 1996) PCA code for their Level 3 analyses.

PCA codes require a substantial amount of information on the local meteorology, demography, land use, crops grown in various seasons, foods consumed, and property values. For example, the input file for the MACCS code requires the following information:

  • Meteorology - one year of hourly data on: windspeed and direction, atmospheric stability class, precipitation rate, probability of precipitation occurring at specified distances from the plant site, and height of the atmospheric inversion layer.
  • Demography - population distribution around the plant on a polar grid defined by 16 angular sectors and user-specified annular radial sectors, usually a finer grid close to the plant and one that becomes progressively coarser at greater distances.
  • Land Use - fraction which is land, land which is agricultural, major crops, and growing season.
  • Economic Data - value of farmland, value of nonfarm property, and annual farm sales.

The MACCS User Manual (Chanin, 1990) and the MACCS2 User Guide (Chanin and Young, 1997) may be consulted for a complete description of the site input data necessary.

In addition to site data, a PCA code should have provisions to model countermeasures to protect the public and provide a more realistic estimate of the doses and health effects following an accidental release. The MACCS code requires that the analyst make assumptions on the values of parameters related to the implementation of protective actions following an accident. The types of parameters involved in evaluating these actions include the following:

  • delay time between the declaration of a general emergency and the initiation of an emergency response action, such as evacuation or sheltering; this delay time may be site specific,
  • fraction of the offsite population which participates in the emergency response action,
  • effective evacuation speed,
  • degree of radiation shielding provided by the building stock in the area,
  • projected dose limits for long-term relocation of the population from contaminated land, and
  • projected ingestion dose limits used to interdict contaminated farmland.

The selected values assumed for the above (or similar) parameters need to be justified and documented since they have a significant impact on the consequence calculations.

In summary, the PCA code selected for the calculation of consequences should have the following capabilities:

  • incorporate the impact of weather variability on plume transport by performing stratified or Monte Carlo sampling on an annual set of relevant site meteorological data,
  • allow for plume depletion due to dry and wet deposition mechanisms,
  • allow for buoyancy rise of energetic releases,
  • include all possible dose pathways, external and internal (such as cloudshine, groundshine, inhalation, resuspension inhalation, and ingestion) in the estimation of doses,
  • employ validated health effects models based, for example, on ICRP (1991) or BEIR V (National Research Council, 1990) dose factors for converting radiation doses to early and latent health effects, and
  • allow for the modeling of countermeasures to permit estimation of a more realistic impact of accidental releases.

The above-cited methods for estimating consequences are, in general, adequate for accidents caused by internal initiating events during both full power operation and shutdown conditions. However, for external initiating events, such as seismic events, certain changes may be needed. For example, the early warning systems and the road network may be disrupted so that initiation and execution of emergency response actions may not be possible. Hence, in addition to changing the potential source terms, a seismic event could also influence the ability of the close-in population to carry out an early evacuation. A Level 3 seismic PRA should, therefore, include consideration of the impacts of different levels of earthquake severity on the consequence assessment.

To use a consequence code, generally the following data elements are required:

  • reactor radionuclide inventory,
  • accident source terms defined by the release fractions of important radionuclide groups, the timing and duration of the release, and the energy and height of the release,
  • hourly meteorological data at the site as recommended, for example, in Regulatory Guide 1.23 (NRC, 1986), collected over one or, preferably, more years and processed into a form usable by the chosen code,
  • site population data from census or other reliable sources and processed in conformity with the requirements of the code, i.e., to provide population information for each area element on the grid used in the code,
  • site economic and land use data, specifying the important crops in the area, value and extent of farm and nonfarm property, and
  • definition of the emergency response countermeasures, including the possible time delay in initiating response after declaration of warning and the likely participation in the response by the offsite population.

Task 2 - Computation of Risk

The final step in a Level 3 PRA is the integration of results from all previous analyses to compute measures of risk. The severe accident progression and the radionuclide source term analyses conducted in the Level 2 portion of the PRA, as well as the consequence analysis conducted in the Level 3 portion of the PRA, are performed on a conditional basis. That is, the evaluations of alternative severe accident progressions, resulting source terms, and consequences are performed without regard to the absolute or relative frequency of the postulated accidents. The final computation of risk is the process by which each of these portions of the accident analysis is linked together in a self-consistent and statistically rigorous manner.

An important attribute by which the rigor of the process is likely to be judged is the ability to demonstrate traceability from a specific accident sequence through the relative likelihood of alternative severe accident progressions and measures of associated containment performance (i.e., early versus late failure) and ultimately to the distribution of fission product source terms and consequences. This traceability should be demonstrable in both directions, i.e., from the accident sequence to a distribution of consequences and from a specific level of accident consequences back to the fission product source terms, containment performance measures, or accident sequences that contribute to that consequence level.

3.4.4 Task Interfaces

The current task requires a set of release fractions (or source terms) from the Level 2 analysis (Section 3.3) as input to the consequence analysis.

The consequences are calculated in terms of: (1) the acute and chronic radiation doses from all pathways to the affected population around the plant, (2) the consequent health effects (such as early fatalities, early injuries, and latent cancer fatalities), (3) the integrated population dose to some specified distance (such as 50 miles) from the point of release, and (4) the contamination of land from the deposited material.

The consequence measures to be calculated depend on the application as defined in PRA
Scope. Generally, in a Level 3 analysis, a distribution of consequences is obtained by statistical sampling of the weather conditions at the site. Each set of consequences, however, is conditional on the characteristics of the release (or the source term) which are evaluated in the Level 2 analysis.

An integrated risk assessment combines the results of the Levels 1, 2, and 3 analyses to compute the selected measures of risk in a self-consistent and statistically rigorous manner. The risk measures usually selected are: early fatalities, latent cancer fatalities, population dose, and quantitative health objectives (QHOs) of the U.S. Nuclear Regulatory Commission (NRC) Safety Goals (NRC, 1986). Again, the actual risk measures calculated will depend on the PRA Scope.

3.4.5 References

Chanin, D. I., and M. L. Young, "Code Manual for MACCS2: Volume 1, User's Guide," SAND97-0594, Sandia National Laboratories, March 1997.

Chanin, D. I., et al., "MACCS Version 1.5.11.1: A Maintenance Release of the Code," NUREG/CR-6059, Sandia National Laboratories, October 1993.

Chanin, D. I., et al., "MELCOR Accident Consequence Code System (MACCS), Volume 1, User's Guide," NUREG/CR-4691, Sandia National Laboratories, February 1990.

Harper, F. T., et al., "Probabilistic Accident Consequence Uncertainty Analysis, Dispersion, and Deposition Uncertainty Assessment," NUREG/CR-6244, Sandia National Laboratories, 1995.

ICRP, "1990 Recommendations of the ICRP," Annals of the ICRP, Vol. 21, No. 1-3, ICRP Publication 60, International Commission on Radiological Protection, Pergamon Press, Oxford, England, 1991.

Jones, J. A., et al., "Uncertainty Analysis on COSYMA," Proceedings of the Combined 3rd COSYMA Users Group and 2nd International MACCS Users Group Meeting, Portoroz, Slovenia, 41228-NUC 96-9238, KEMA, Arnhem, the Netherlands, September 16-19, 1996.

Jow, H. N., et al., "MELCOR Accident Consequence Code System (MACCS), Volume II, Model Description," NUREG/CR-4691, Sandia National Laboratories, February 1990.

KfK and NRPB, "COSYMA - A New Program Package for Accident Consequence Assessment," CEC Brussels, EUR 13028, Kernforschungszentrum (Karlsruhe) and National Radiological Protection Board, 1991.

Mubayi, V., et al., "Cost-Benefit Considerations in Regulatory Analysis," NUREG/CR-6395, Brookhaven National Laboratory, 1995.

National Research Council, "Health Effects of Exposure to Low Levels of Ionizing Radiation," BEIR V, Washington, DC, 1990.

NRC, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, Vol. 1, Main Report, U.S. Nuclear Regulatory Commission, 1990.

NRC, "Safety Goals for the Operation of Nuclear Power Plants," Policy Statement, Federal Register, Vol. 51, No. 149, U.S. Nuclear Regulatory Commission, August 4, 1986.

NRC, "Onsite Meteorological Programs," Regulatory Guide 1.23, U.S. Nuclear Regulatory Commission, April 1986.

NRC, "PRA Procedures Guide - A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," NUREG/CR-2300, Vol. 2, U.S. Nuclear Regulatory Commission, 1983.

OECD, "Probabilistic Accident Consequence Assessment Codes, Second International Comparison," Organisation for Economic Cooperation and Development, Nuclear Energy Agency, Paris, France, 1994.
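The integration described in Task 2 (Computation of Risk) and Section 3.4.4 above, worked through in code as an added example that is not part of the guide and not taken from any PCA code: constructed Level 1 sequence frequencies, Level 2 conditional source-term probabilities and Level 3 weather-sampled consequences (all hypothetical values) are multiplied along each sequence-to-source-term-to-weather path to give frequency/consequence pairs. From that one list the example derives the complementary cumulative distribution function, the frequency-weighted mean risk measure, the 5th/50th/95th percentile summary of a source term's conditional distribution, and the two-directional traceability the guide asks for (sequence to consequences, and consequence level back to contributing sequences and source terms). The data layout and the function names are the example's own assumptions.

```python
"""Level 1-2-3 integration and reporting: added example, constructed data.

Level 1 gives accident-sequence frequencies, Level 2 gives conditional
source-term probabilities for each sequence, and Level 3 gives a
weather-sampled consequence distribution for each source term.  Multiplying
along each path gives frequency/consequence pairs; everything reported is
derived from that list, so every result can be traced back to its sequence.
"""
import math

# Constructed, hypothetical inputs (not plant data).
LEVEL1_SEQ_FREQ = {"SEQ-A": 1.0e-5, "SEQ-B": 2.0e-6}  # core damage /yr
LEVEL2_ST_GIVEN_SEQ = {  # P(source term | sequence); each row sums to 1
    "SEQ-A": {"ST-BYPASS": 0.2, "ST-LATE": 0.8},
    "SEQ-B": {"ST-BYPASS": 0.5, "ST-LATE": 0.5},
}
LEVEL3_WEATHER_SAMPLES = {  # (weather-sample weight, early fatalities)
    "ST-BYPASS": [(0.5, 0.0), (0.3, 10.0), (0.2, 100.0)],
    "ST-LATE": [(0.7, 0.0), (0.3, 1.0)],
}


def approx(a, b, rel=1e-9):
    return math.isclose(a, b, rel_tol=rel)


def integrate(l1, l2, l3):
    """All (sequence, source_term, frequency, consequence) paths."""
    paths = []
    for seq, f_seq in l1.items():
        for st, p_st in l2[seq].items():
            for w, value in l3[st]:
                paths.append((seq, st, f_seq * p_st * w, value))
    return paths


def mean_risk(paths):
    """Frequency-weighted mean consequence per reactor-year."""
    return sum(f * c for _, _, f, c in paths)


def exceedance_frequency(paths, level):
    """CCDF ordinate: annual frequency of a consequence >= level."""
    return sum(f for _, _, f, c in paths if c >= level)


def ccdf(paths, levels):
    """CCDF as a list of (level, exceedance frequency) points."""
    return [(x, exceedance_frequency(paths, x)) for x in levels]


def contributors(paths, level, by="sequence"):
    """Backward traceability: share of the exceedance frequency at `level`
    attributable to each sequence or to each source term."""
    idx = 0 if by == "sequence" else 1
    total = exceedance_frequency(paths, level)
    shares = {}
    for p in paths:
        if p[3] >= level:
            shares[p[idx]] = shares.get(p[idx], 0.0) + p[2] / total
    return shares


def consequences_of(paths, seq):
    """Forward traceability: (frequency, consequence) pairs that stem from
    one accident sequence, largest consequence first."""
    return sorted(((f, c) for s, _, f, c in paths if s == seq),
                  key=lambda fc: -fc[1])


def conditional_summary(samples):
    """5th percentile, median, 95th percentile and mean of one source
    term's weather-sampled consequences (weights must sum to 1)."""
    ordered = sorted(samples, key=lambda s: s[1])

    def pct(q):
        cum = 0.0
        for w, v in ordered:
            cum += w
            if cum >= q - 1e-12:
                return v
        return ordered[-1][1]

    return {"p5": pct(0.05), "median": pct(0.5), "p95": pct(0.95),
            "mean": sum(w * v for w, v in ordered)}


if __name__ == "__main__":
    paths = integrate(LEVEL1_SEQ_FREQ, LEVEL2_ST_GIVEN_SEQ, LEVEL3_WEATHER_SAMPLES)
    print("mean early fatalities per year:", mean_risk(paths))
    for level, freq in ccdf(paths, [1.0, 10.0, 100.0]):
        print(f"F(>= {level:>5} early fatalities) = {freq:.2e} /yr")
    print("sequences behind >= 100 early fatalities:",
          contributors(paths, 100.0, by="sequence"))
    print("ST-BYPASS conditional summary:",
          conditional_summary(LEVEL3_WEATHER_SAMPLES["ST-BYPASS"]))
```

Keeping the per-path list rather than only the summed CCDF is what makes the traceability demanded in Task 2 cheap: `contributors` answers "which sequences and source terms produce consequences at or above this level", and `consequences_of` answers the reverse question, both from the same record.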


3.5 Flood Analysis

The analytical tasks associated with a Level 1 probabilistic risk assessment (PRA) for accidents initiated by events internal to the plant (such as transients and loss-of-coolant accidents) are described in previous chapters. Other events both internal and external to the plant can cause unique initiating events or influence the way in which a plant responds to an accident. Chapter 1 identifies three types of events (i.e., internal fires, internal floods, and seismic events) that require manipulation of the Level 1 internal event PRA in order to adequately model the plant response.

In this section, the way in which a Level 1 PRA is modified in order to model accidents initiated by internal floods is described.

3.5.1 Assumptions and Limitations

When preparing this section, some assumptions and limitations were made as indicated below:

  • It is assumed that flood and spray incidence data from VVERs are available. The flood and spray incidence data should be of sufficient resolution to allow characterization according to the source of the flood or spray (e.g., piping failure, tank failure, etc.) and any other characteristics of the postulated event (e.g., maintenance error, passive failure, dynamic failure, etc.).
  • It is assumed that a reasonable and practical quantitative screening criterion for culling out risk-insignificant events can be developed that would facilitate the completion of this task.
  • The guidelines presented closely parallel those given in the procedure guide for the task Fire Analysis because of the similarity in the basic activities involved. However, since different analysts typically undertake the consideration of fire and flood analyses, individual procedure guides have been developed for each activity. Also, detailed phenomenological analyses are typically of secondary importance in conducting investigations of the impact of internal hazards in support of a PRA. Such investigations have the characteristic approach that can be described as an "iterative conservative screening" of scenarios.
  • Care should be taken to include in the analysis those scenarios initiated by a non-flood incident (such as a pipe break) that might involve the introduction of water or steam into areas that include equipment of interest in the PRA. This requires the analyst to work closely with those who are developing the event sequence models to assure that all such events are accounted for in the model. Normally, the impact of flood water, spray, or steam resulting directly from a pipe break is already considered in the event sequence model if the failure results in a reactor or turbine trip.
  • Analyses for other internal hazards (other than fire or flood) identified in the task Spatial Interactions should be carried out as part of this task using the guidelines presented here. Such hazards could include the dropping of heavy objects or the spillage or leakage of caustic material.

3.5.2 Products

During the conduct of this task, the scenario tables initiated in the Spatial Interactions Task are expanded upon and refined (an example of such a table is provided in Appendix C). The completed and refined scenario tables make up a key product for this effort.

A description of the methodology and the data analyses utilized to perform the flood analysis will be developed.

3.5.3 Analytical Task

While the internal flooding analysis of a PRA uses much the same processes and has the same attributes of a traditional full power internal events PRA, the internal flooding analysis requires a significant amount of work to define and screen the most important flood sources and possible scenarios for further evaluation. These differences are described below in general terms. More detailed guidance can be found in NRC (1997) and Bohn (1990).

The specific goals of this task include the development of a flood frequency database, the determination of the frequency of specific flood scenarios, the further development and refinement of flood scenarios, the determination of the flood damage to equipment and of the plant response,
and the quantification of the flood-induced scenarios including the assignment to specific plant damage states. The hazard occurrence frequency and a set of "worst-case" plant impacts are assessed for each scenario developed in the spatial interactions analysis.

Each scenario is then screened quantitatively to determine its risk significance in relation to other initiating events. Scenarios that are quantitatively insignificant are documented and removed from further consideration. If a scenario remains quantitatively significant compared with the screening criteria, it is retained for further evaluation. Additional analyses are then performed to systematically refine the hazard initiating event frequency and its functional impacts and to develop a more realistic assessment of its risk significance. During this process, the original flood or spray scenario is often subdivided into more detailed scenarios to more specifically account for actual impacts that can occur within the hazard location. Screening is, therefore, performed at various stages of the scenario-refinement process until final quantification of the PRA event sequence models. The goals are accomplished by the performance of five tasks:

1. Assessment of the Flood and Spray Occurrence Frequencies,
2. Assessment of Worst-case Plant Impact,
3. Performance of Quantitative Scenario Screening,
4. Refinement of Scenario Frequency and Impact Analysis,
5. Retention of Risk Significant Scenarios.

Each of these activities, which make use of the information found in Bohn (1990), is discussed below.

Task 1 - Assessment of Flood and Spray Occurrence Frequencies

The objective of the scenario frequency assessment is to consistently quantify a plant-specific hazard occurrence rate for each location identified in the task Spatial Interactions as being vulnerable to the impacts of internal floods or spray.

Since a quantitative screening process is to be performed during the detailed scenario analysis phase of the internal plant hazards analysis, it is, therefore, very important that the hazard occurrence frequencies assessed during this activity of the process satisfy the following objectives:

  • The hazard scenario frequency must consistently account for industry flood and spray data and any plant-specific experience that has occurred in the type of location being modeled.
  • The hazard scenario frequency must provide a conservative upper bound in case more detailed event scenarios need to be developed for the location. In these cases, the total scenario frequency may be consistently subdivided to more realistically represent any specific event scenario in the location. Having a conservative upper-bound frequency for the gross scenario implies that the frequency of these more subtle, refined scenarios is captured, even after screening.

These objectives are somewhat counteractive. The first goal is to develop an event frequency that is as realistic as possible for a plant-specific risk assessment. The second goal is to develop an event frequency that is sufficiently conservative to ensure that the hazard scenario is not inappropriately screened from the PRA models. Thus, in effect, the analysis must develop an initial frequency estimate that is "reasonably conservative" for each defined scenario.

This first activity involves a thorough review of the industry experience data to develop a "specialized generic database." This database should account for design features of the plant, the scope of the PRA models, and the characteristics of the specific hazard. Each event in the industry-experience database should be reviewed to determine its applicability and to categorize the event with respect to the types of hazard scenarios defined. As for flood incidence data, if data from plants other than VVERs are used, care must be taken to interpret the data properly.

The resulting database should contain summaries of only those events that are relevant for the plant being modeled, for the specific operating conditions being evaluated, and for the specific scope of the functional impact locations and hazard scenarios defined in the analysis. This database should be documented and should provide the generic industry experience input to the hazard frequency analysis.

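One way to carry out the Task 1 frequency assessment described above, and the quantitative screening of the resulting location scenarios that the task overview calls for, in code, as an added example that is not from the guide and not from any plant study: a gamma-Poisson Bayesian update combines constructed industry event counts with constructed plant-specific experience (a simple single-stage update, assumed here purely for illustration), the hazard frequency is partitioned to locations by assumed fractions, and each location's core damage frequency with worst-case impacts is compared against a constructed numerical screening criterion. The 95th percentile of the posterior stands in for the "reasonably conservative" upper bound. All numbers, location names, hazard labels and function names are hypothetical.

```python
"""Flood hazard frequency (Task 1) and quantitative screening: added
example with constructed, hypothetical numbers.

A gamma-Poisson Bayesian update combines generic industry flood/spray
data with plant-specific experience (a simple single-stage update, assumed
here for illustration).  The resulting hazard frequencies are partitioned
to locations and each location scenario, with worst-case impacts, is
screened against a numerical core damage frequency criterion.
"""
import math

# Industry experience after the applicability review (constructed).
INDUSTRY_DATA = {
    "piping-failure-flood": {"events": 6, "reactor_years": 1500.0},
    "tank-failure-spray": {"events": 1, "reactor_years": 1500.0},
}
# Plant-specific experience (constructed): no events in 20 reactor-years.
PLANT_DATA = {"events": 0, "reactor_years": 20.0}
# Fraction of each hazard type attributed to each location (constructed).
LOCATION_FRACTIONS = {
    "piping-failure-flood": {"TB-01": 0.5, "TB-02": 0.3, "TB-03": 0.2},
    "tank-failure-spray": {"TB-02": 0.5, "TB-03": 0.5},
}
# Conditional core damage probability when all PRA equipment in the
# location is assumed lost (worst-case impact), taken from the event
# sequence models, plus a flag for unusual or severe plant damage states
# (all constructed).
LOCATION_IMPACT = {
    "TB-01": {"ccdp": 2.0e-3, "unusual_pds": False},
    "TB-02": {"ccdp": 1.0e-4, "unusual_pds": True},
    "TB-03": {"ccdp": 1.0e-4, "unusual_pds": False},
}
SCREENING_CRITERION = 1.0e-6  # core damage per reactor-year (constructed)


def approx(a, b, rel=1e-9):
    return math.isclose(a, b, rel_tol=rel)


def posterior_gamma(ind_events, ind_years, plant_events, plant_years):
    """Gamma(alpha, beta) posterior for a Poisson occurrence rate: a
    Jeffreys prior (alpha=0.5, beta=0) updated with industry data, then
    with plant data.  beta is in reactor-years."""
    return 0.5 + ind_events + plant_events, ind_years + plant_years


def gamma_mean(alpha, beta):
    return alpha / beta


def gamma_quantile_wh(alpha, beta, p=0.95):
    """Wilson-Hilferty approximation of the gamma quantile; the 95th
    percentile serves as the 'reasonably conservative' upper bound."""
    z = {0.50: 0.0, 0.90: 1.2816, 0.95: 1.6449}[p]
    c = 1.0 / (9.0 * alpha)
    return (alpha / beta) * (1.0 - c + z * math.sqrt(c)) ** 3


def hazard_frequency(hazard, conservative=True):
    """Posterior upper bound (or mean) occurrence rate of one hazard type."""
    d = INDUSTRY_DATA[hazard]
    a, b = posterior_gamma(d["events"], d["reactor_years"],
                           PLANT_DATA["events"], PLANT_DATA["reactor_years"])
    return gamma_quantile_wh(a, b) if conservative else gamma_mean(a, b)


def location_frequencies(conservative=True):
    """Per-location occurrence frequency: sum over hazard types of the
    hazard frequency times the fraction attributed to the location."""
    freqs = {}
    for hazard, fractions in LOCATION_FRACTIONS.items():
        f = hazard_frequency(hazard, conservative)
        for loc, frac in fractions.items():
            freqs[loc] = freqs.get(loc, 0.0) + f * frac
    return freqs


def screen(freqs, impacts=LOCATION_IMPACT, criterion=SCREENING_CRITERION):
    """Upper-bound core damage frequency of each location scenario and the
    screening decision.  Scenarios with unusual or severe plant damage
    states are retained even when below the criterion."""
    result = {}
    for loc, f in freqs.items():
        cdf = f * impacts[loc]["ccdp"]
        if cdf >= criterion:
            decision = "retain"
        elif impacts[loc]["unusual_pds"]:
            decision = "retain (unusual/severe PDS)"
        else:
            decision = "screen out (document)"
        result[loc] = (cdf, decision)
    return result


if __name__ == "__main__":
    for loc, (cdf, decision) in screen(location_frequencies()).items():
        print(f"{loc}: CDF = {cdf:.2e} /yr -> {decision}")
```

Running `screen` with `conservative=False` frequencies shows why the two objectives pull against each other: a location that sits near the criterion can move from "retain" to "screen out" depending on whether the mean or the upper-bound frequency is used, which is the situation the guide resolves by screening on the conservative value and refining later.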

A two-stage Bayesian analysis combines the industry data with actual experience from the plant. The first stage of the Bayesian analysis develops a generic frequency distribution for each hazard that consistently accounts for the observed site-to-site variability in the industry experience data. The second stage updates this generic frequency to account specifically for the actual historical experience at Kalinin.

Estimates are made of the fraction of each hazard and hazard type for each location. These estimates are necessary in order to partition the hazard occurrence frequencies to specific locations. In most cases, it is necessary to combine data for various types of hazards to develop the best possible frequency estimate for a particular location.

This process is consistent with the evaluation of all other data in the PRA, including the frequencies for internal initiating events, component failure rates, component maintenance unavailabilities, and equipment common-cause failures.

Task 2 - Assessment of Worst-Case Plant Impact for Each Scenario

In the task Spatial Interactions, PRA-related equipment that may be damaged by each hazard in a particular functional impact location was identified. In this activity, analysts who are very familiar with the PRA event sequence models and system fault trees develop a conservatively bounding set of impacts for each hazard scenario. These impacts determine the specific equipment failure modes assigned when the hazard scenario is evaluated in the PRA risk models.

The initial assessment of these impacts is considered to be the worst-case combination of failures that could reasonably be caused by the hazard. It is important to ensure that the assigned impacts provide a conservative upper bound for all actual failures that may occur during any flood or spray scenario in the location. If it is determined that the scenario is quantitatively insignificant with these bounding impacts, then there is assurance that a more realistic evaluation would confirm that the attendant risk would also be much lower than the screening value.

At this point in the analysis, it is conservatively assumed that all equipment in the location is damaged by the hazard (either by submergence or spray), regardless of the size of the location, the number of affected components, and the observed distribution of hazard severities. The assumed failure mode for flood or spray events is usually loss of function of the susceptible equipment. For most locations, this assessment provides numerical risk contributions that may be several times higher than those that would be evaluated through a more detailed analysis. This is because the occurrence frequency for most hazards is dominated by relatively insignificant events, e.g., relatively small leakage events. However, the impacts are postulated to be the result of an extremely large flood or spray event, which is a highly unlikely, low frequency event. This approach ensures that a conservative upper bound is evaluated for the risk contribution from any hazard event that may damage multiple components within the location. That is, an event frequency of more frequent, insignificant events is linked to postulated impacts that may be attributable to a less frequent, more catastrophic scenario.

The impact assessments do not account for the relative timing of possible failures or for design features that may prevent certain combinations of failures. For example, the PRA success criteria may require that a pump must be tripped to avoid possible damage after loss of oil cooling. A possible flood scenario may affect a control panel for the cooling water supply pump. The worst-case impacts from this scenario are bounded by the following combination of conditions:

  • It is assumed that the cooling water supply is disabled by the flood event. This condition requires that the pump must trip.
  • It is assumed that the pump trip circuits are disabled by the flood or spray event if these circuits are located in the same susceptible cabinet.
  • It is assumed that power remains available for the pump motor until the pump is damaged because of lack of cooling.

The impact assessments do not account for possible operator actions to override or bypass faulty control circuits or to operate equipment locally. No recovery actions are modeled for any damage caused directly by the hazard event. Other operator actions are modeled only within the context of the entire sequence of events initiated by the hazard scenario, consistently with dynamic
actions evaluated for similar internal initiating events.

Accordingly, the most conservative combination of impacts that could possibly occur, without regard to the relative timing of failures or the actual likelihood for any of the specific impacts, is used in this assessment.

As this activity proceeds, the affected PRA equipment and the functional impacts from each hazard scenario are listed in data entry 7 of each scenario table. In most cases, explanatory notes are also provided in data entry 9 to more completely document the bases for the assigned impacts.

If a particular hazard scenario requires more detailed analysis, this activity is the starting point since the refinement process may involve several iterations. Each iteration typically includes a critical reexamination of only the most important impacts to plant equipment for that scenario. Conservatively bounding assumptions are retained for impacts that have a relatively insignificant effect on overall risk. The goals of this process are to successively relax the most significant worst-case assumptions for each scenario, while retaining an overall conservative approach throughout the screening process.

Task 3 - Performance of Quantitative Scenario Screening

Each flood or spray scenario is characterized by a hazard occurrence frequency and a set of functional impacts that affect the availability of various PRA components and systems. In this activity of the analysis, each scenario is propagated through the PRA risk models to determine a quantitative upper bound for its total contribution to plant risk. In the Kalinin PRA, it may be appropriate to add house events to the system fault trees to represent the impact of specific environmental hazard-induced failures.

Note that since the same plant event sequence logic models are used to quantify the impact of the postulated environmental hazards as were used for the internal event initiators, the plant damage state assignments are consistent with those already developed for the internal events model.

In general, each scenario results in a large number of individual detailed event sequences determined by the combined effects from failures induced by the internal flood scenario, independent equipment successes and failures, and appropriate operator actions. All sequences that lead to core damage are recorded, and the total core damage frequency is compared with a numerical screening criterion to determine the relative risk significance of the scenario.

  • If the total core damage frequency from all sequences initiated by the scenario falls below the screening criterion, it is concluded that the hazard produces an insignificant contribution to overall plant risk. The screening evaluation is documented, and the scenario is removed from further consideration in the PRA models.
  • If the total core damage frequency from the scenario is higher than the screening criterion, the scenario is retained for further analysis in the PRA.
  • If the potential plant damage state consequences from the scenario are unusual or severe, the scenario is retained for further analysis, even if its total core damage frequency is below the screening criterion.

Although the mechanics of this process are quite straightforward, several considerations must be noted to develop the proper perspective and context for this critical activity in the analysis.

The methods used to assess the hazard initiating event frequency and the scenario impacts ensure that the evaluated core damage frequency is a conservative upper bound for the actual core damage frequency that may occur from any particular scenario in the location. The amount of conservatism depends on a variety of factors, which cannot be estimated directly without considerable examination of the underlying models and analyses. However, the applied methods provide assurance that the conditional core damage resulting from this scenario will not occur at a higher frequency.

This screening approach is not unique to the evaluation of internal plant hazards. Implicit and explicit screening criteria are applied at all levels of a practical risk assessment. The issue of basic event truncation in previous tasks can be construed as some form of screening. It is worth noting that the screening criterion used in this task effectively defines an absolute lower limit for the
3. Technical Activities
resolution of concerns about the risk significance from internal plant hazards. Scenarios that fall below the limit are, by definition, considered to be insignificant, and the relative importance of each scenario that remains above the limit is evaluated consistently with all other events modeled in the PRA.

Selection of the numerical screening criterion is not a simple task. There are no general guidelines or "accepted" numerical values that can be broadly applied for any particular analysis. The selected value should be:

  • low enough to ensure that the screened scenarios are truly insignificant to the total risk,
  • high enough to facilitate a practical analysis and to limit efforts to develop detailed models for unimportant events, and
  • relatively insensitive to any future refinements in the PRA event sequence models, system analyses, and data.

Based on the above, the screening process should begin when the results from the internal initiating events phase have reached a point of relative maturity and stability, i.e., a point at which the internal events results are not expected to change "significantly." Screening values are typically selected to ensure that the total core damage frequency from each screened scenario is less than approximately 0.05 percent to 0.1 percent (i.e., 1/20 to 1/10 of 1 percent) of the total core damage frequency from all other contributors. Thus, for example, if the screening criterion is numerically equal to 0.1 percent of the total core damage frequency from all other causes, an absolute minimum of 1,000 screened hazard scenarios would be needed to double the total core damage frequency. If the screening analysis is performed at an earlier stage of the PRA modeling process, it is generally recommended that the screening values be set at even a smaller percentage of the preliminary core damage frequency. This avoids the need for inefficient rescreening of the internal hazard scenarios after modeling refinements reduce the contributions from all other initiators.

The final screening value thus cannot be determined at this time. For perspective, however, the screening value used in one recent study was 1 x 10^-9 core damage event per year.

Task 4 - Refinement of Scenario Frequency and Impact Analysis

Each hazard scenario having a total core damage frequency that exceeds the screening criterion is retained for further analysis in the PRA models.

If further analysis is warranted, an iterative process is performed to refine the models. This process involves careful reexamination of all assumptions and successive application of the previous analysis activities to systematically develop more realistic models for the scenario definition, the hazard frequency, and the assigned impacts. One or more of the following refinements are typically made during this phase of the analysis:

  • The scenario may be subdivided into a set of several constituent scenarios that are based on physical characteristics of the location and the hazard sources. This process allows the assignment of more realistic equipment impacts from each of the specific hazard conditions.
  • The hazard may be subdivided into various severity levels that are based on observed experience from the generic and plant-specific databases. Each hazard severity level is examined to define a more realistic set of impacts that could be caused by an event with that severity.
  • The assumed impacts from control circuit malfunctions may be reexamined to determine whether the assumed failure modes can actually occur in combination. Models may also be developed to probabilistically account for the relative timing of these failures.
  • The event sequences that are initiated by the hazard may be refined to include possible operator recovery actions that may be put into place to mitigate the hazard or its impacts before specific event sequences progress to core damage.

The refinements applied for a particular scenario depend on specific characteristics of the hazard, the location, and the functional impacts from the original analysis. The results from the screening evaluations often provide valuable insights about the most important assumptions and conservatisms that must be reexamined. The
refinement process for a particular scenario may involve several iterations. Each iteration typically includes a critical reexamination of only the most important impacts for that scenario. Conservatively bounding assumptions are retained for all impacts that remain relatively insignificant to overall risk.

The goals of this process are to systematically relax the most significant worst-case assumptions for each scenario, while retaining an overall conservative approach throughout successive screening evaluations.

Whenever a hazard scenario is subdivided, a separate summary table is developed to document each refined scenario. These tables have the same format as the original scenario tables. They list the frequency for each refined hazard event and the specific impacts assigned to that event. The tables also document all deterministic and probabilistic analyses performed to develop the scenario frequency and its impacts. Each refined scenario is reevaluated in the PRA event trees and fault trees, and the results are reexamined in relation to the quantitative screening criteria.

Scenario refinement can continue further if warranted. Analyses that consider leakage rates, drainage rates, component vulnerabilities, and potential mitigative actions, for example, can be used to support the removal of conservatisms in selected scenarios. It is expected that such analyses will be required only for a limited number of flood or spray scenarios.

Task 5 - Retention of Risk-Significant Scenarios

A combination of technical and practical considerations determine the final set of scenarios retained for quantification in the PRA results. All scenarios that exceed the quantitative screening criteria are retained in the PRA models. However, the degree of refinement may vary considerably among these scenarios:

  • In some cases, the worst-case core damage frequency estimate for an initial hazard scenario may be numerically higher than the screening value, but the scenario remains a very small contribution to overall plant risk. Extensive effort to further refine these scenarios is not justified by practical considerations, and they are simply retained in the PRA results with their conservatively bounding frequencies and impacts.
  • In other cases, a scenario may be retained only after considerable additional analyses have been performed to refine conservative assumptions about its frequency and impacts, either by refining the scenarios or by using phenomenological modeling.

Because of these differences, it is not possible to develop meaningful estimates for the amount of conservatism that may remain in any particular scenario. However, the scenarios that have been reanalyzed should contain lesser conservatism than scenarios retained from an earlier stage of the analysis.

It is not possible to develop any meaningful numerical estimates for the "actual" core damage frequency associated with the screened scenarios. The analysis process is structured to ensure that this frequency is very small compared with other contributors to plant risk, but the value is certainly not zero. In support of the analysis conclusions, it is only possible to examine a conservative upper-bound numerical value that may be derived from the successive screening evaluations. This value is certainly neither a best nor realistic estimate of the core damage frequency from these scenarios. However, the "true" core damage frequency must be considerably lower than this composite screening value.

The approach outlined in this procedure guide is structured to produce a systematic, top-down, iterative estimate of the risk due to postulated internal flood or spray events. A parallel and very similar approach is adopted to determine the risk associated with fires. Both analyses rely on the results of a structured spatial interactions analysis.

Specific scenarios that involve flooding or spraying of hot water or steam can degrade the ambient environment. However, not much information is available concerning the operation of equipment in high temperature or humid environments. In that case, it is usually assumed that the equipment would fail (fail to continue to run or fail to start for motors; fail to transfer for valves) if the environmental qualification envelope for the particular piece of equipment is exceeded.

Consideration of the environmental impact on control circuitry (especially solid-state equipment) is more complex. Control failures and/or spurious signals can be postulated. The analysis should
clearly specify what failure modes are modeled and should outline the rationale for choosing these failure modes.

The development of flood scenarios should include the consideration of propagation of the flood via doorways, drains, and ventilation ductwork. These pathways should have been considered in the information developed as part of the task Spatial Interactions. In addition, if the failure of barriers or structures due to static loading is credible and could lead to a more severe flood impact, failure of such barriers should also be considered. Typically, no credit is taken for drains as a means of mitigating a flood unless it is found in subsequent iterations that the drains may be an important factor in the definition of the scenario. In that case, their performance should be investigated, at least probabilistically. In some plants, the flow characteristic of individual drains has not been demonstrated since start-up, in which case assurances must be given that construction material or other debris has not significantly altered the capabilities of the specific drains under consideration.

Flood frequencies are derived for a generic nuclear power plant based on potential flood sources. For example, a flood frequency may be determined for "heat exchangers" (due, for example, to errors during maintenance events) at a nuclear power plant similar to the one under consideration using industry data. Although "generic" in nature, the data is specialized and screened to match closely the characteristics of the specific plant under consideration. The generic flood hazard frequencies are to be updated with the actual experiences at Kalinin.

The location of the specific hazards has been determined in the task Spatial Interactions. Estimates are required in this task for the fractions of each flooding source (e.g., tanks or piping) found in each location.

For a specific location, the frequency of occurrence of a flood or spray of any size is determined by summing the fractional contribution of occurrence from each flood or spray hazard found in that location.

A quantitative screening value is developed to identify those scenarios that will be carried forward in the analysis. Only those scenarios that contribute appreciably to the frequency of core damage (or to specific undesirable plant damage states) are retained for further analysis and/or refinement.

Refinement may involve such considerations as the extent of the damage initially postulated. The process proceeds until the scenarios that remain appropriately represent the risk associated with internal floods while containing acceptable conservatisms.

3.5.4 Task Interfaces

The current task utilizes the same overall analysis approach and procedures developed for the internal event PRA. In particular, this task builds on the information developed in the task on Spatial Interactions. The conduct of this task will require input from the tasks on Initiating Event Analysis, Frequency of Initiating Events, Event Sequence Modeling, and System Modeling. As scenarios are being developed to address floods, it is likely that specific operator actions will be identified, thus requiring an interface with the task Human Reliability Analysis.

Output from the Flood Analysis task provides information on accident sequence definition and on frequency of occurrence directly to the Level 2 task, which in turn provides source term information to the consequence and risk integration task. Whether or not Level 2/3 analyses are performed depends on the scope of the PRA.

3.5.5 References

Bohn, M. P., and J. A. Lambright, "Procedures for the External Event Core Damage Frequency for NUREG-1150," NUREG/CR-4840, Sandia National Laboratories, November 1990.

NRC, "The Use of PRA in Risk-Informed Applications," NUREG-1602, Draft Report for Comment, June 1997.

3.6 Fire Analysis

The analytical tasks associated with a Level 1 probabilistic risk assessment (PRA) for accidents initiated by events internal to the plant (such as transients and loss-of-coolant accidents) are described in previous sections. Other events both internal and external to the plant can cause unique
initiating events or influence the way in which a plant responds to an accident. In this section, the way in which a Level 1 PRA is modified in order to model accidents initiated by internal fires is described.

3.6.1 Assumptions and Limitations

When preparing this section, some assumptions and limitations were made as indicated below:

1. It is assumed that fire incidence data from VVERs are available. The fire data should be of sufficient resolution to allow categorization according to fire source (e.g., cable, switchgear, logic cabinet, etc.). If data are not available, or are incomplete, expert knowledge can be utilized.

2. The approach outlined for treating the possibility of damage to electric cables due to fire assumes that cable function and routing information are known. If this is not the case, alternative approaches are available to address this type of damage. These alternative approaches will tend to be more conservative and overstate the contribution to core damage due to fire. One such alternative would be to assume that if a fire damages a cable of a given division, then all equipment in that division is assumed to be unavailable. Refinements to that alternative approach are, of course, possible if limited cable routing and function information are known.

3. A simple and straightforward treatment of "hot shorts" and open circuits in control circuits is outlined herein. This approach, which does not treat the time dependence of circuit damage modes in a sophisticated manner, is assumed to adequately and conservatively represent the functional impact from these damage phenomena. A more advanced approach to circuit analysis is provided in LaChance (2003).

4. This investigation has a characteristic overall approach that can be described as an iterative conservative screening of scenarios. The approach is to successively relax the most significant worst-case assumptions of each fire-initiated scenario and re-evaluate the impact of the fire on plant performance. Detailed phenomenological fire growth analyses found in such computer codes as COMPBRN (Ho et al., 1991) are typically of secondary importance for assessing the overall impact of fire hazards. Through conservative screening, there might be a few scenarios which may warrant the use of these types of detailed analyses in support of a typical fire PRA. It is assumed that a reasonable and practical quantitative screening criterion can be developed that would facilitate the completion of this task with minimal use of complex fire modeling codes.

5. It should also be noted that these guidelines closely parallel those needed to perform the task Flood Analysis. Although these guidelines might seem to duplicate those found in the task Flood Analysis, individual procedure guides have been developed since different analysts are presumed to perform these tasks separately.

3.6.2 Products

During the performance of this task, the scenario tables that were initiated in the Spatial Interactions Task are expanded upon and refined (an example of such a table is provided in Appendix D). The completed and refined scenario tables make up a key product for this effort.

A description of the methodology and the analyses utilized to perform the fire analysis will be developed.

3.6.3 Analytical Tasks

A full power internal fire PRA utilizes the same overall analysis approach and procedures used in performing a full power traditional internal events PRA. In fact, there are many points of commonality between the traditional internal events analysis and an internal fire risk analysis. These include the use of the same fundamental plant systems models (event trees and fault trees), similar treatment for random failures and equipment unavailability factors, similar methods of overall risk and uncertainty quantification, and similar methods for the plant recovery and human factors analysis. Consistency of treatment of these commonalities is an important feature in a fire risk analysis. Although the overall evaluation process is the same, there are differences in the events postulated to occur in response to an internal fire event as compared to those from a traditional internal event. These differences are described
below in general terms. More detailed guidance can be found in NRC (1997) and Bohn (1990).

The specific goals of this task include the development of a fire frequency database, the determination of the frequency of specific fire scenarios, the further development and refinement of fire scenarios (including the consideration of fire growth and suppression), the determination of the fire damage and plant response, and the quantification of the fire scenarios including the assignment to specific plant damage states. The hazard occurrence frequency and a set of "worst-case" plant impacts are assessed for each scenario developed in the spatial interactions analysis. Each scenario is then screened quantitatively to determine its risk significance in relation to other initiating events. Scenarios that are found to be quantitatively insignificant are documented and removed from further consideration. For those scenarios that are retained, additional analysis is performed to systematically refine the initiating event frequency and functional impacts and to develop a more realistic assessment of the risk significance of each retained scenario. Section 4 of Bohn and Lambright (1990) provides a more detailed discussion of the analysis of fire-induced scenarios, once the fire scenarios have been identified. The goals for this activity are accomplished by the performance of five tasks:

1. Assessment of the Fire Hazard Occurrence Frequencies
2. Assessment of Worst-case Plant Impact for Each Scenario
3. Performance of Quantitative Scenario Screening
4. Refinement of Scenario Frequency and Impact Analysis
5. Retention of Risk Significant Scenarios.

Each of these activities is discussed below.

Task 1 - Assessment of the Fire Hazard Occurrence Frequencies

Each fire scenario in the spatial interactions analysis is defined at the location level, i.e., a scenario describes a fire of any severity that can occur anywhere in a given location. The objective of the scenario frequency assessment is to quantify consistently a plant-specific fire hazard occurrence rate for each of these locations.

A quantitative screening process is performed during the detailed scenario analysis phase of the analysis. The screening process applies numerical criteria to determine the relative risk significance of each fire scenario. If it is determined that a scenario is insignificant compared with these numerical screening criteria, that scenario is removed from further consideration in the PRA models. Therefore, it is very important that the fire occurrence frequencies assessed during this activity of the process satisfy the following objectives:

  • The frequency of the postulated scenario must consistently account for industry fire data and any plant-specific experience for the type of hazard being evaluated in the type of location being modeled.
  • The frequency of the postulated scenario must provide a conservative upper bound for the actual frequency of more detailed event scenarios that may eventually be developed for the location. In other words, the total scenario frequency may be consistently subdivided to more realistically represent any specific event scenario in the location, if it is necessary to develop more detailed models for the location.

These two objectives are somewhat counteractive. The first objective is to develop an event frequency that is as realistic as possible while the second objective is to develop an event frequency that is sufficiently conservative to ensure that the hazard scenario is not inappropriately screened from the PRA models. Thus, in effect, the analysis must develop an initial frequency estimate that is "reasonably conservative" for each defined scenario.

The first activity of the fire frequency assessment involves a thorough review of the industry experience data to develop a "specialized generic database." This database should account for design features of the plant being evaluated and should be consistent with the scope of the PRA model and with the characteristics of the specific hazard scenarios defined for the analysis. If data from plants other than VVERs are used, care must be taken to properly interpret the data. Fire incidents that have occurred at a given location in a particular plant may be applicable for enhancing the fire-incident database for a different location in the Kalinin Nuclear Power Station. The experience data must also be screened to remove fire events
that occurred during periods other than plant operation, such as during construction or refueling (since the Kalinin PRA only considers the risk of power operation). A tabulation of both U.S. and international fire incidents, including the KNPS Unit 1 fire of 1984, and insights from them are available from Nowlen (2001).

The product from this activity of the frequency assessment process is the specialized generic database. This database should contain only the hazard event summaries considered relevant for the plant being modeled, for the specific operating conditions being evaluated, and for the specific scope of the functional impact locations and scenarios defined in the analysis. This database should be documented and should provide the generic industry experience input to the environmental hazard frequency analysis.

The industry event data can be combined with actual plant-specific experience through a two-stage Bayesian analysis that forms the basis for the fire hazard frequency assessment. This process is consistent with the evaluation of all other data in the PRA, including the frequencies for internal initiating events, component failure rates, component maintenance unavailabilities, and equipment common-cause failures.

Bayesian analysis allows the industry data to be combined with actual experience from the plant being studied. The first stage of this analysis develops a generic frequency distribution for each hazard that consistently accounts for the observed site-to-site variability in the industry experience data. The second stage updates this generic frequency to account specifically for the actual historical experience at Kalinin.

Estimates are made of the fraction of each hazard and hazard type for each location. For example, it would be noted that two of the six batteries at the plant are found in a specific location. The determination of the fraction of cables found in a specific location would also be made by a structured estimation process. These estimates are necessary in order to partition the hazard occurrence frequencies to specific locations.

In most cases, it is necessary to combine data for various types of hazards to develop the best possible frequency estimate for a particular location. This type of "composite" frequency analysis is best illustrated by an example. For example, an air compressor may be located in an open corner of a large cable spreading room. The air compressor may not be important for the PRA models. However, the spatial interactions analysts defined the functional impact location to include the entire cable spreading room. The estimated frequency for fire events in this location must account for the composite nature of the fire hazards. It is unreasonable to develop a fire occurrence frequency based only on "cable spreading room" fire events, even though the PRA impacts are derived only from failures of the cables. Use of only cable spreading room fire data would underestimate the expected frequency of fires in this location. On the other hand, it is also unreasonable to develop a fire occurrence frequency that is based on data from plant locations that typically contain air compressors, e.g., open areas of a turbine building. Direct use of only these data could significantly overestimate the expected frequency of fires in the cable spreading room because of lower traffic densities, less transient combustibles, etc. in these rooms as compared to in the turbine building.

These situations are addressed by developing a composite hazard frequency that accounts for the types of equipment and the relative density of equipment in each location. Continuing with the above example, a composite fire frequency would be developed for the cable spreading room by adding a fraction of the "turbine building air compressor" fire event frequency data to the cable spreading room fire event frequency data. The fractions are generally based on the equipment location information documented in the spatial interactions analysis. They are also often based on general observations from the plant walkdown and the personal experience and judgment of the fire analysis experts. The fractions are not usually derived from detailed deterministic models or numerical analyses. The primary objective of this process is to develop a reasonable estimate for the hazard frequency that consistently accounts for the actual configuration of equipment in the location.

Thus, for the cable spreading room example, it is not reasonable to assess a fire event frequency that is only based on either extreme of the available data. It seems reasonable to acknowledge that the air compressor may contribute to the frequency of fires in the room. The precise fraction used in the frequency calculation may be based only on the analyst's judgment. However, once the fraction is documented, it is possible to test whether the
results are sensitive to that judgment by simply varying the numerical value within reasonable bounds.

Task 2 - Assessment of Worst-Case Plant Impact for Each Scenario

The task Spatial Interactions identifies the PRA-related equipment that may be damaged by each hazard in a particular functional impact location. In this activity, analysts who are very familiar with the PRA event sequence models and system fault trees develop a conservatively bounding set of impacts for each hazard scenario. These impacts determine the specific equipment failure modes assigned when the hazard scenario is evaluated in the PRA risk models.

The initial impacts assigned during this phase of the analysis are considered to be the worst-case combination of failures that could conceivably be caused by the hazard. It is important to ensure that the assigned impacts provide a conservative upper bound for all actual failures that may occur during any fire scenario postulated to occur in the location. If it is determined that the scenario is quantitatively insignificant even within the context of these bounding impacts, then there is reasonable assurance that a more realistic appraisal of the potential impact would confirm the risk to be much lower than the screening value. The following examples illustrate the types of considerations used for assigning worst-case impacts.

At this point in the analysis, all equipment in the location is assumed damaged by the fire, regardless of the size of the location, the number of affected components, and the observed distribution of hazard severities. For most plant locations, the numerical risk contributions may be several times higher than from a more detailed hazards analysis because the occurrence frequency is usually dominated by relatively insignificant events, e.g., small fires of short duration and not by a fire that could presumably damage all equipment in a given location. This approach ensures that a conservative upper bound is generated for the risk contribution from any fire hazard event that may damage multiple components within the location. For example, it is not necessary to determine which specific cables may be damaged in a particular set of cable trays if the impact assessment assumes that any fire in the location damages all cables.

The assumed failure modes depend on the normal status of the equipment, the PRA model success criteria, characteristics of the location, and the type of vulnerability. For example, an electrical cable may not be vulnerable to a flooding event at a given location even if it were submerged by the flooding incident but is susceptible to potential damage had a fire occurred in that location.

All fires that affect electrical cables are assumed to eventually cause an open circuit in the cables. However, "hot shorts" may occur when insulation fails between adjacent conductors or between energized conductors and ground. These short circuits are only of concern in those portions of instrumentation and control circuits that produce signals to operate equipment. For example, a hot short in a power cable cannot start a motor. Therefore, hot shorts in power cables are modeled with the same impacts as open circuits; it is assumed that the affected motor will not operate. However, a hot short in a control circuit may cause a spurious signal to start the motor, if power is available to it. The impacts from possible hot shorts in control circuits are assessed by first assuming that power is available to operate the component when the short circuit occurs and then assuming that the power fails. For example, it is assumed that a hot short will cause a spurious signal to open a normally closed motor-operated valve. It is further assumed that power is available to the valve motor, that the valve opens successfully, and that power is then lost to the valve motor. Thus, the net effect from this assessment is to leave the valve failed in the open position. This assessment of hot shorts is applied only for equipment failure modes that have a negative impact on the availability of PRA equipment. The models do not include credit for possible hot shorts that may reposition components in their required configuration for accident mitigation.

The same types of assumptions are applied to solid-state electronic circuits. It is first assumed that spurious control signals will reposition equipment in a state that has the worst possible impact on PRA system availability. After the equipment has changed state, it is then assumed that subsequent open circuits will prevent automatic or manual signals from restoring the components to the desired state.

The impact assessments do not account for the relative timing of possible failures or for design
features that may prevent certain combinations of failures. For example, the PRA success criteria may require that a pump must be tripped to avoid possible damage after loss of oil cooling. A possible fire scenario may affect control circuits that signal cooling water supply valves, electronic circuits that process the automatic signals to trip the pump, and circuit breaker controls for the electrical bus that supplies power to the pump motor. The worst-case impacts from this scenario are bounded by the following combination of conditions:

• It is assumed that the cooling water supply is disabled by hot shorts and/or open circuits that affect the valve controls. This condition requires that the pump must trip.

• It is assumed that the pump trip circuits are disabled by hot shorts or open circuits that affect the electronic circuits.

• It is assumed that power remains available for the pump motor until the pump is damaged. If the affected bus also supplies power to other PRA equipment that must operate to mitigate the event, it is assumed that power is not available for these components as well.

This assessment provides the most conservative combination of impacts that could possibly occur, without regard to the relative timing of failures or the actual likelihood of any of the specific impacts.

The impact assessments at this stage of the analysis do not account for possible operator actions to override or bypass faulty control circuits or to operate equipment locally. No recovery actions are modeled for any damage caused directly by the fire hazard event. Other operator actions are modeled only within the context of the entire sequence of events initiated by the hazard event scenario, consistently with dynamic actions evaluated for similar internal initiating events.

The affected PRA equipment and the functional impacts from each hazard scenario are listed in each scenario table as shown in Section 3.2.3 (refer to data entry 7 in Table 3-14 as an example). In most cases, explanatory notes are also provided in data entry 9 to document more completely the bases for the assigned impacts.

If a particular hazard scenario requires more detailed analysis after the initial screening, this activity is the starting point for refinement of the scenario and a more realistic assessment of its impacts. The refinement process may involve several iterations. Each iteration typically includes a critical reexamination of only the most important impacts for that scenario. Conservatively bounding assumptions are retained for impacts that have a relatively insignificant effect on overall risk. The goals of this process are to successively relax the most significant worst-case assumptions for each scenario, while retaining an overall conservative approach throughout the screening process.

Task 3 - Performance of Quantitative Scenario Screening

Each hazard scenario is characterized by a hazard occurrence frequency and a set of functional impacts that affect the availability of various PRA components and systems. In this activity of the analysis, each scenario is propagated through the PRA risk models to determine a quantitative upper bound for its total contribution to plant risk. Thus, for example, scenario FIRES1 from Table 3-15 is evaluated with an initiating event frequency of approximately 3.96 x 10^-3 fires per room-year. The general transient event trees in that study were quantified for this event, assuming that all equipment modeled by Top Events BA, BU, and EP is failed. All other PRA equipment not affected directly by this fire is allowed to function at performance levels consistent with the availabilities evaluated in the respective system analyses. In the Kalinin PRA, it may be more appropriate to add house events to the system fault trees to represent the impact of specific environmental hazard-induced failures.

The plant damage state assignments will be consistent with those already developed for the internal events model, since the same plant sequence logic models are employed to quantify the impact of the postulated fire hazard as were used for the internal event initiators.

Each hazard scenario generally results in a large number of individual detailed event sequences determined by the combined effects of the hazard-induced failures, the independent equipment successes and failures, and appropriate operator actions. All sequences that lead to core damage are recorded, and the total core damage frequency is compared with a numerical screening criterion to determine the relative risk significance

of the scenario.

• If the total core damage frequency from all sequences initiated by the fire-initiated scenario falls below the screening criterion, it is concluded that the hazard produces an insignificant contribution to overall plant risk. The screening evaluation is documented, and the scenario is removed from further consideration in the PRA models.

• If the total core damage frequency from the fire-initiated scenario is higher than the screening criterion, the scenario is retained for further analysis in the PRA.

• If the potential plant damage state consequences from the fire-initiated scenario are unusual or severe, the scenario is retained for further analysis, even if its total core damage frequency is below the screening criterion.

Although the mechanics of this process are quite straightforward, several considerations must be noted to develop the proper perspective and context for this important activity in the overall analysis.

The methods used to assess the hazard initiating event frequency and the attendant impacts from the postulated scenario ensure that the evaluated core damage frequency is a conservative upper bound for the actual core damage frequency that may occur from any particular scenario in the location. The amount of conservatism depends on a variety of factors that cannot be estimated directly without considerable examination of the underlying models and analyses. However, the applied methods do provide assurance that no similar scenario can yield a core damage frequency higher than that evaluated during the screening analysis.

The applied screening criterion is an absolute numerical value that defines what is considered to be an "insignificant" core damage frequency. This type of analysis is not unique to the evaluation of internal plant hazards. In fact, implicit and explicit screening criteria are applied at all levels of a practical risk assessment. However, it is worth noting that the screening criterion for this analysis effectively defines an absolute lower limit for the resolution of concerns about the risk significance from internal plant hazards. Scenarios that fall below the limit are, by definition, considered to be insignificant. The relative importance of each scenario that remains above the limit is consistently evaluated with all other events modeled in the PRA.

Selection of the screening criterion is not a simple task. There are no general guidelines or "accepted" numerical values that can be broadly applied for any particular analysis. The selected value, however, must satisfy the following criteria:

• The value must be low enough to ensure that the screened scenarios are truly insignificant to the total risk from the plant being evaluated.

• The value must be high enough to facilitate a practical analysis that limits unreasonable efforts to develop detailed models for unimportant events.

• The value chosen should be relatively insensitive to future refinements in the PRA event sequence models, systems analyses, and data.

In general, these criteria are best served by delaying the screening process until the results from the analyses of internal initiating events have reached a point of relative maturity and stability, i.e., a point at which the internal events results are not expected to change "significantly." Screening values are typically selected to ensure that the total core damage frequency from each screened scenario is less than approximately 0.05 percent to 0.1 percent (i.e., 1/20 to 1/10 of 1 percent) of the total core damage frequency from all other contributors. Thus, for example, if the screening criterion is numerically equal to 0.1 percent of the total core damage frequency from all other causes, an absolute minimum of 1,000 screened hazard scenarios would be required to double the total core damage frequency. If the screening analysis is performed at an early stage of the PRA modeling process, it is then generally recommended that the screening values be set equal to a smaller percentage of the preliminary core damage frequency results. This avoids the need for inefficient rescreening if, and when, PRA modeling refinements have reduced the contributions from all other accident initiators.

Thus, the final screening value cannot be determined at this time. For some perspective, however, the screening value used in one recent study was 1 x 10^-9 core damage events per year.
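The Task 3 screening described above, carried through as an added worked example in Python (not the procedure guide's own code or the Kalinin PRA models): hazard-induced failures enter as house events that force the affected top events failed, the remaining top events are enumerated with their independent unavailabilities, and each scenario's core damage frequency is tested against the three retention rules. The top events, their unavailabilities, the core damage logic and all scenarios other than FIRES1's stated frequency and failed top events are constructed assumptions.

```python
"""Quantitative scenario screening (Task 3) for internal fire hazards.

Added worked example, not code from NUREG/CR-6572 or from the Kalinin PRA.  The
top events, their unavailabilities, the core damage logic and all scenarios
except FIRES1's stated frequency and failed top events are constructed for
illustration; the house-event treatment, the three retention rules and the
screening-value arithmetic follow the text.
"""
import itertools
import math
from dataclasses import dataclass

# Constructed unavailabilities of the top events for independent (non-fire) failures.
TOP_EVENTS = {"BA": 1.0e-3, "BU": 2.0e-3, "EP": 5.0e-4, "HP": 1.0e-2, "LP": 3.0e-3}


def core_damage(failed):
    """Constructed stand-in for the general transient event tree success criteria.
    `failed` maps each top event to True when that function is lost."""
    feed_lost = failed["BA"] and failed["BU"]
    power_lost = failed["EP"]
    injection_lost = failed["HP"] and failed["LP"]
    return (feed_lost or power_lost) and injection_lost


def conditional_core_damage_probability(house_events, top_events=TOP_EVENTS):
    """CCDP for a scenario whose bounding impacts are represented as house events.

    House events force the named top events to the failed state (the text's
    'house events in the system fault trees' for hazard-induced failures); the
    remaining top events are enumerated with their independent unavailabilities.
    """
    forced = set(house_events)
    unknown = forced - top_events.keys()
    if unknown:
        raise KeyError(f"unknown top event(s): {sorted(unknown)}")
    free = [te for te in top_events if te not in forced]
    ccdp = 0.0
    for outcome in itertools.product((False, True), repeat=len(free)):
        state = {te: True for te in forced}
        prob = 1.0
        for te, is_failed in zip(free, outcome):
            state[te] = is_failed
            prob *= top_events[te] if is_failed else 1.0 - top_events[te]
        if core_damage(state):
            ccdp += prob
    return ccdp


def screening_criterion(total_cdf_other, fraction=1.0e-3):
    """Screening value as a fraction of the total CDF from all other contributors
    (the text's 0.05 to 0.1 percent; 0.1 percent = 1.0e-3 by default)."""
    if not 0.0 < fraction <= 1.0e-3:
        raise ValueError("screening fraction should be positive and at most 0.1 percent")
    return fraction * total_cdf_other


def min_screened_scenarios_to_double(fraction):
    """Number of screened scenarios, each at the criterion, needed to double the
    total CDF (1,000 for a 0.1 percent criterion)."""
    return math.ceil(round(1.0 / fraction, 6))


@dataclass(frozen=True)
class FireScenario:
    name: str
    frequency: float           # hazard occurrence frequency (fires per room-year)
    house_events: tuple        # top events failed by the bounding impact assessment
    unusual_pds: bool = False  # potential plant damage states unusual or severe


def screen_scenarios(scenarios, criterion):
    """Apply the three retention rules.  Returns (retained, screened_out, bound):
    the lists hold (name, cdf) pairs and bound is the upper bound on the CDF removed
    by screening (each screened scenario lies below the criterion, so N x criterion)."""
    retained, screened_out = [], []
    for s in scenarios:
        cdf = s.frequency * conditional_core_damage_probability(s.house_events)
        if cdf < criterion and not s.unusual_pds:
            screened_out.append((s.name, cdf))
        else:
            retained.append((s.name, cdf))
    return retained, screened_out, len(screened_out) * criterion


# FIRES1's frequency and failed top events follow the text; the others are constructed.
SCENARIOS = (
    FireScenario("FIRES1", 3.96e-3, ("BA", "BU", "EP")),
    FireScenario("FIRES2", 2.0e-3, ("EP",)),
    FireScenario("FIRES3", 1.0e-3, ("HP",)),
    FireScenario("FIRES4", 5.0e-4, ("LP",), unusual_pds=True),
)
TOTAL_CDF_OTHER = 2.0e-5  # constructed CDF from all other (internal event) contributors

if __name__ == "__main__":
    crit = screening_criterion(TOTAL_CDF_OTHER)
    kept, dropped, bound = screen_scenarios(SCENARIOS, crit)
    print(f"criterion {crit:.2e}/yr; retained {kept}; screened {dropped}; bound {bound:.2e}/yr")
```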

Task 4 - Refinement of Scenario Frequency and Impact Analysis

Each fire hazard scenario that yields a total core damage frequency exceeding the screening criterion is retained for further analysis in the PRA models. The level of effort and the focus of these analyses are determined by a balanced examination of all the contributors to plant risk. In many cases, the upper-bound core damage frequency may be higher than the value used for screening the hazard, but the scenario remains a very small contribution to overall plant risk. Extensive effort to further refine these scenarios is not justified by practical considerations. Their conservatively bounding frequencies and impacts are simply retained in the PRA results.

An iterative process is performed to refine the models, if further analysis is warranted. This process involves careful reexamination of all assumptions and successive application of the previous analysis activities to develop systematically more realistic models for the scenario definition, the hazard frequency, and the assigned impacts. One or more of the following refinements are typically made during this phase of the analysis:

• The scenario may be subdivided into a set of constituent scenarios that are based on physical characteristics of the location and the hazard sources. This process allows the assignment of more realistic equipment impacts from each of the specific hazard conditions.

• The hazard may be subdivided into various severity levels that are based on observed experience from the generic and plant-specific databases. Each hazard severity level is examined to define a more realistic set of impacts that could be caused by an event with that severity.

• The assumed impacts from hot shorts and control circuit malfunctions may be reexamined to determine whether the assumed failure modes can actually occur in combination. Models may also be developed to probabilistically account for the relative timing of these failures.

• The event s­equences initiated by the hazard may be refined to include possible operator recovery actions to mitigate the hazard or its impacts before specific event sequences progress to core damage.

• Models may be developed to more realistically account for phenomenological processes that occur during the stages of fire initiation, growth, detection, and mitigation.

The refinements that are applied for the reevaluation of a particular scenario depend on specific characteristics of the fire hazard, the location, and the functional impacts from the original analysis. The results from the screening evaluations often provide valuable insights into the sensitivities of the most important assumptions and conservatisms. The refinement process for a particular scenario may involve several iterations. Each iteration typically includes a critical reexamination of only the most important impacts for that scenario. Conservatively bounding assumptions are retained for all impacts that remain relatively insignificant to overall risk. The goals of this process are to systematically relax the most significant worst-case assumptions for each scenario, while retaining an overall conservative approach throughout successive screening evaluations.

Whenever a hazard scenario is subdivided, a separate summary table is developed to document each refined scenario. These tables have the same format as the original scenario tables. They list the frequency for each refined hazard event and the specific impacts assigned to that event. The tables also document all deterministic and probabilistic analyses performed to develop the scenario frequency and its impacts. Each refined scenario is reevaluated in the PRA event and fault trees, and the results are reexamined in relation to the quantitative screening criteria.

Scenario refinement can continue further. Analyses may be required to refine how such phenomena as fire growth, detection, and suppression are addressed in specific scenarios. If this is the case, codes such as COMPBRN IIIE (Ho, 1991) are available and have been used to support the probabilistic evaluation of specific fire scenarios. In practice, such codes are typically used for only a small number of scenarios. In fact, many PRAs do not carry the scenario refinement process to the point where codes such as COMPBRN are used.

Task 5 - Retention of Risk Significant Scenarios

A combination of technical and practical considerations determines the final set of plant internal fire scenarios retained for quantification in the PRA results. All scenarios that exceed the quantitative screening criteria are retained in the PRA models. However, among these scenarios, the degree of refinement may vary considerably.

• The worst-case core damage frequency estimate for an initial hazard scenario may in some cases be numerically higher than the screening value, but the scenario still yields a very small contribution to overall plant risk. Extensive effort to further refine these scenarios is not justified by practical considerations, and they are simply retained in the PRA results with their conservatively bounding frequencies and impacts.

• In other cases, a scenario may be retained only after considerable additional analyses have been performed to refine conservative assumptions about its frequency and impacts.

Because of these differences, it is not possible to develop meaningful numerical estimates for the amount of conservatism that may remain in any particular scenario. However, it is generally true that scenarios that have been subject to reexamination and refinement should include less inherent conservatism than scenarios retained from an early stage of their definition.

It is also obviously not possible to develop any meaningful numerical estimates for the "actual" core damage frequency associated with the screened scenarios. The analysis process is structured to ensure that this frequency is very small, compared with other contributors to plant risk, but the value is certainly not zero. In support of the analysis conclusions, it is only possible to examine a worst-case conservative upper-bound numerical value that may be derived from the successive screening evaluations. This value is certainly not a realistic estimate of the actual core damage frequency from these scenarios. However, it can be stated with assurance that the "true" core damage frequency must be considerably lower than this composite screening value.

The approach outlined in this procedure guide is structured to produce a systematic, top-down, iterative, quantitative estimate of the risk from fires in nuclear power plants. A parallel and very similar approach is adopted to determine the risk associated with internal flooding. Both analyses rely on the results of a structured spatial interactions analysis; however, each has different nuances.

In fires, significant damage, especially to electronic equipment, may be caused by smoke. The construction of postulated scenarios should consider the impact of smoke as well as potential negative impacts of fire mitigation systems. Operation of mitigation systems could affect the performance of operating equipment and could hinder or delay operators from entering specific areas to conduct emergency procedures. The effectiveness of fire detection and mitigation equipment is an important factor when describing a fire scenario (starting with fire initiation and proceeding to growth, propagation, detection, and mitigation).

Also, some fire-incident databases already have a measure of detection and mitigation included in them. Specifically, some databases would not include a fire that is immediately detected and extinguished. Only fires that are "significant" are in such databases (i.e., some measure of mitigation is implicitly included in the data). Therefore, it is important to understand the nature of the data used before credit for detection and mitigation is claimed in the refinement of scenarios. It may prove easier to refine the frequency or impact of a particular scenario, and thus allow screening of the scenario, than to claim mitigation credit explicitly.

Fire frequencies are derived for a generic nuclear power plant based on fire sources. For example, a frequency is determined for "cable fires" at a nuclear power plant similar to the one under consideration using industry data. Although "generic" in nature, the data are specialized and screened to closely match the characteristics of the specific plant under consideration.

The generic fire hazard frequencies should be updated with the actual experience at Kalinin.

The location of the specific hazards has been determined in the task Spatial Interactions. Estimates are required in this task for the fractions of each hazard source (e.g., cables, motor control

centers, and logic cabinets) found in each location. For a specific location, the frequency of occurrence of a fire of any size is determined by summing the fractional contribution of occurrence from each hazard found in that location.

A quantitative screening value is developed to identify those scenarios that will be carried forward in the analysis. In other words, only those scenarios that contribute appreciably to the frequency of core damage (or to specific undesirable plant damage states) are retained for further analysis.

Scenarios that survive the quantitative screening are refined, as appropriate. Refinement may involve such considerations as the extent of the damage initially postulated. The process proceeds iteratively until the scenarios that remain appropriately represent the risk associated with fires while containing acceptable conservatisms.

3.6.4 Task Interfaces

The current task utilizes the same overall analysis approach and procedures developed for the internal event PRA. In particular, this task builds on the information developed in the task Spatial Interactions. The conduct of this task will require input from the tasks dealing with Initiating Event Analysis, Frequency of Initiating Events, Event Sequence Modeling, and System Modeling. It is also likely that specific operator actions will be identified in the fire scenarios, thus prompting an interface with the task Human Reliability Analysis.

Output from the Fire Analysis task provides information on accident sequence definition and on frequency of occurrence directly to the Level 2 task, which in turn provides source term information to the consequence and risk integration task. Whether or not Level 2/3 analyses are performed depends on the scope of the PRA.

3.6.5 References

Bohn, M. P., and J. A. Lambright, "Procedures for the External Event Core Damage Frequency for NUREG-1150," NUREG/CR-4840, Sandia National Laboratories, November 1990.

Ho, V. S., et al., "COMPBRN IIIE: An Interactive Computer Code for Fire Risk Analysis," UCLA-ENG-9016, EPRI-NP-7282, Electric Power Research Institute, May 1991.

LaChance, J., et al., "Circuit Analysis - Failure Mode and Likelihood Analysis," NUREG/CR-6834, Sandia National Laboratories, September 2003.

Nowlen, et al., "Risk Methods Insights Gained from Fire Incidents," NUREG/CR-6738, U.S. Nuclear Regulatory Commission, September 2001.

NRC, "The Use of PRA in Risk-Informed Applications," NUREG-1602, Draft Report for Comment, June 1997.

3.7 Seismic Analysis

The analytical tasks associated with a Level 1 probabilistic risk assessment (PRA) for accidents initiated by events internal to the plant (such as transients and loss-of-coolant accidents [LOCAs]) are described in Section 3.2. Other events both internal and external to the plant can cause unique initiating events or influence the way in which a plant responds to an accident. In this section, the way in which a Level 1 PRA is modified in order to model accidents initiated by earthquakes occurring at or near the plant site is described. This means that the frequency and severity of the ground motion must be coupled to models that address the capacity of plant structures and components to survive each possible earthquake. The effects of structural failure must be assessed, and all the resulting information about the likelihood of equipment failure must be evaluated using the Level 1 internal event probabilistic logic model of the plant. This procedure guide is largely based on several earlier guides and studies (Bohn and Lambright, 1990; IAEA, 1995; and PG&E, 1988). Material from these sources is used here without specific citations.

3.7.1 Assumptions and Limitations

A seismic PRA assumes that a single-parameter (effective ground acceleration) characterization of the earthquake, when combined with treatments of uncertainty and dependency, can provide an adequate representation of the effects of seismic events on plant operations. This approach acknowledges that different earthquakes (in terms of energy, frequency spectra, duration, and ground displacement) can have the same effective acceleration. Therefore, there is not only randomness in the frequency of earthquakes but also large uncertainty in the specific characteristics

of earthquakes of a given effective acceleration. These uncertainties have implications for modeling dependencies among failures of various equipment under excitation by earthquakes of a particular effective acceleration. Systems analysts and fragility experts must work closely together to determine how to model these dependencies.

A nuclear power plant is usually designed to ensure the survival of all buildings and emergency safety systems for a particular size of earthquake, i.e., a design basis or safe shutdown earthquake. The assumptions used in the design process are deterministic and are subject to considerable uncertainty. It is not possible, for example, to predict accurately the worst earthquake that will occur at a given site. Soil properties, mechanical properties of buildings, and damping in buildings and internal structures also vary significantly. To model and analyze the coupled phenomena that contribute to the frequency of radioactive release, it is, therefore, necessary to consider all significant sources of uncertainty as well as all significant interactions. Total risk is then obtained by considering the entire spectrum of possible earthquakes and integrating their calculated consequences. This point underscores an important requirement for a seismic PRA: that the nuclear power plant must be examined in its entirety, as a system.

During an earthquake, all parts of the plant are excited simultaneously. There may be significant correlation between component failures, and, hence, the redundancy of safety systems could be compromised. For example, in order to force emergency core cooling water into the reactor core following a pipe leak or break, certain valves must open. To ensure reliability, two valves are located in parallel so that should one valve fail to open, the second valve would provide the necessary flow path. Since valve failure due to random causes (corrosion, electrical defect, etc.) is an unlikely event, the provision of two valves provides a high degree of reliability. However, during an earthquake, both valves would experience the same accelerating forces, and the likelihood is high that both valves would be damaged if one valve is damaged. Hence, the redundancy built into the design would be compromised. The potential impact from this "common-cause" failure possibility represents a potentially significant risk to safely shutting down nuclear power plants during an earthquake.

3.7.2 Products

The products of this task include, as a minimum, the development of a seismic hazard curve, a listing of seismically sensitive equipment and their fragility values, an identification of seismic-induced initiators and their frequencies, a listing of the seismic cutsets, and the quantification of the seismic-induced scenarios including the assignment of specific plant damage states.

Specifically, this task will generate documentation on the following:

1. The seismic hazard curve and its basis.

2. The original equipment and structures list for inclusion in the fragility analysis, and the results of the walkdown (composition of the walkdown team and their areas of expertise, revisions to the equipment and structures list, changes projected in analysis requirements as a result of on-site observations). The fragility curves for plant structures and probabilistic safety assessment-related equipment and the details of the fragility analysis.

3. The complete seismic PRA process, i.e., how the plant logic modeling team worked with the structural analysis team that produced the fragility analysis in defining equipment and structures to be analyzed, how the walkdown was conducted including how the structural analysts and systems analysts jointly screened equipment, how logic models were modified to incorporate structural failures and new equipment failure modes, summary presentations of the results of the seismic hazard and fragility analyses, and the results of the quantification of the seismic PRA model.

3.7.3 Analytical Tasks

The scope of the seismic analysis should include:

Task 1 Seismic Hazard Analysis
Task 2 Structures and Component Fragility Analysis
Task 3 Plant Logic Analysis
Task 4 Quantification

Each of these tasks is discussed below. These tasks are linked in that the first two are used to formulate the required changes to the internal events plant model to support seismic PRA.

Although the first three tasks will be performed by different groups, these groups must work in concert to ensure proper and consistent modeling of seismic-induced events.

Seismically induced failures can cause one or more of the internal event initiators already described in Section 3.2 to occur. Although specific seismic accelerations are generally considered to yield specific initiating events, the results from such accelerations must interrupt full power operations in functional ways already described in previous tasks. The difference with seismic events, as compared to other upset conditions, is that multiple plant functional initiators may occur along with seismically induced failures of equipment needed for controlling the event sequence, as well as physical and psychological impacts on operator performance.

Task 1 - Seismic Hazard Analysis

For a given site, the hazard curve is derived from a combination of recorded earthquake data, estimated earthquake magnitudes of known events for which no data are available, review of local geological investigations, and use of expert judgment from seismologists and geologists familiar with the region. The region around the site (say within 100 km) is divided into zones, each zone having an (assumed) uniform mean rate of earthquake occurrence. This mean occurrence rate is determined from the historical record, as is the distribution of earthquake magnitudes. An attenuation law is determined that relates the ground acceleration at the site to the ground acceleration at the earthquake source, as a function of the earthquake magnitude. The uncertainty in the attenuation law is specified by the standard deviation of the data (from which the law was derived) about the mean attenuation curve.

These four pieces of information (zonation, mean occurrence rate for each zone, magnitude distribution for each zone, and attenuation) are combined statistically to generate the hazard curve.

The low level of seismic activity and the lack of instrument recordings generally make it difficult to carry out a seismic hazard analysis using historic data alone. Current seismic risk methods use the judgment of experts who are familiar with the area under consideration to augment the database.

Expert opinion is solicited on input parameters for both the earthquake occurrence model and the ground motion (attenuation) model. Questions directed to experts cover the following areas: (a) the configuration of seismic source zones, (b) the maximum magnitude or intensity earthquake expected in each zone, (c) the earthquake activity rate and occurrence statistics associated with each zone, (d) the methods for predicting ground motion attenuation in the zones from an earthquake of a given size at a given distance, and (e) the potential for soil liquefaction.

Using the information provided by experts, seismic hazard evaluations for the site are performed. The hazard results thus obtained using each expert's input are combined into a single hazard estimate. Approaches used to generate the subjective input, to assure reliability by feedback loops and cross-checking, and to account for biases and modes of judgment are described in detail in Bernreuter (1981).

To perform the seismic PRA, a family of hazard curves and either ensembles of time histories or site ground motion spectra must be available. Obtaining these for a site with no previous investigation usually involves 6 to 12 months of effort to develop and process a database on earthquake occurrences and attenuation relations as described above. For some locations (e.g., sites in the western United States, where the hazard curves are closely tied to local tectonic features that can be identified and for which a significant database of recorded earthquake time histories exists), it is usually necessary to go through this process for each individual plant site.

Evaluation of the site-specific hazard curve is generally performed by geologists and ground motion specialists using the methods described in Bernreuter (1981), IAEA (1993), and PG&E (1988).

Task 2 - Structures and Component Fragility Analysis

Using the models developed for the internal events PRA as a basis, a list of equipment and the buildings that house them must be provided to the fragility analysts. Necessarily, this list will combine similar equipment into convenient categories rather than identifying each of the possible risk-related components in the plant. Typically, equipment with median acceleration capacities of about 4g or higher will not be analyzed because the frequency of such events that can generate this acceleration on equipment is very low.

3. Technical Activities

The fragility descriptions are based on a two-parameter lognormal distribution where R is the logarithmic standard deviation due to randomness in the earthquake and U is the logarithmic standard deviation due to uncertainty or state of knowledge (Kennedy et al., 1980; Kaplan, Perla, and Bley, 1983). A simplified composite or mean fragility curve (Kaplan, Bier, and Bley, 1992) can be defined with a single composite logarithmic standard deviation, U. The tails of these distributions are considered to be conservative. Therefore, the following is the basis for truncation of the fragility curves in this project:

1. The uncertainty variability, U, should not be truncated.

2. The random variability, R, should be truncated at about 1 percent failure fraction for relatively ductile component failure modes, such as in piping systems and in civil structures. In addition to the civil structures and piping, components in the plant that are generally in this category are:

- reactor internals
- pressurizer
- reactor coolant pumps
- control rod drives
- component cooling water surge tank
- battery racks
- impulse lines
- cable trays and supports
- heating, ventilation, and air conditioning ducting and supports.

3. For all other plant components, the truncation point should be at a significantly lower failure fraction, 0.1 percent.

Since the response spectra from a given earthquake are common to all of the plant components to some degree, we can expect some correlation of failure between components having similar vibrational frequencies. Studies to assess these correlations (Kennedy et al., 1988) concluded the following:

  • Except at high frequencies (greater than about 18 Hz), responses of identical components with the same frequencies should be treated as totally dependent, even when mounted at different elevations in different structures located at the site.

  • Responses of components with different vibrational frequencies are essentially uncorrelated even when mounted on the same floor.

  • Fragilities of components with different vibrational frequencies and adjacently mounted should be treated as independent.

  • The piping fragility should be treated such that each segment, between rigid supports or between equipment, is considered to be independent of the other segments.

  • The fragility of conduits and cable trays is considered to represent all the conduits and cable trays largely because of the natural flexibility existing in cables; that is, individual cable trays and conduits are not considered independently. By their very nature, large physical movements do not mean cable failure.

  • The fragility of heating, ventilation, and air conditioning ducts is considered to represent that of all the ductwork supporting a single safety system.

Using these guidelines, the plant model assumes total dependency for identical equipment at the site (that is, if one fails, all of the same type fail). All other equipment situations follow the definitions above or otherwise are considered independent.

Task 3 - Plant Logic Analysis

Seismic event trees should be derived from those already developed from the internal events analysis. However, passive components, such as pipe segments, tanks, and structures which were not modeled because of their low probability of failure, must now be included in the event tree analyses. Seismic failure of passive components is possible and must be investigated in the fragility analysis of Activity 2. Component failure due to seismic failure of structures housing (or supporting) the component must be considered as well. These new failure modes will entail revision of fault trees and event trees generated in the internal events analysis. One particular seismic-related failure mode is relay chatter (Bley et al., 1987; Budnitz, Lambert, and Hill, 1987; Lambert and Budnitz, 1989). Relays may chatter momentarily (electrical contacts open and close) causing lockup of control circuits that can only be overridden by completely de-energizing the control circuits, which can be a
difficult situation for operators to diagnose. A comparable issue is fire-induced spurious signals that have to be addressed in a fire risk analysis.

Earthquakes can lead to seismically induced fires, which may be difficult to control due to the effect of the earthquake on plant accessibility and human performance. Similarly, seismically induced floods should be investigated. Just the impacts on accessibility and human performance can cause human failure events that would otherwise not occur under normal circumstances.

LOCAs (from vessel rupture, large, medium and small LOCAs) and transient events should be included in the seismic analysis. The two types of transients that should be considered are those in which the power conversion system is initially available and those in which the power conversion system is unavailable as a direct consequence of the initiating event.

The frequencies of vessel rupture (reactor pressure vessel) and large LOCA events can be determined from the probability of seismic failure of the major reactor coolant system component supports. The medium and small LOCA initiating event frequencies can be computed based on a statistical distribution of pipe failures computed as part of the Seismic Safety Margins Research Program (SSMRP).

The probability of transients with the power conversion system unavailable is based on the probability of loss-of-offsite power. This will always be the dominant cause of these transients (for the majority of plants for which loss-of-offsite power causes loss of main feedwater). The probability of the transients with the power conversion system available is computed from the condition that the sum of all the initiating event probabilities considered must be unity. The hypothesis is that given an earthquake of reasonable size, at least one of the initiating events will occur.

The fault trees developed for the internal events analysis are used in this analysis, although the fault trees will require modification to include basic events with seismic failure modes and resolving the trees for determining pertinent cutsets for seismic PRA calculations. A screening analysis is performed to identify the seismic cutsets. Conservative basic event probabilities, based on the seismic failure probabilities evaluated at a high earthquake peak ground acceleration level combined with the random failure probabilities, are used to probabilistically cull these trees in a way that assures that important correlated cutsets (involving dependent seismic failure modes) are not lost.

Component seismic fragilities are obtained either from a generic fragility database or developed on a plant-specific basis for components not fitting the generic component descriptions. At least two sources of fragility data are available. The first is a database of generic fragility functions for seismically induced failures originally developed as part of the SSMRP (Smith et al., 1981). Fragility functions for the generic categories were developed based on a combination of experimental data, design analysis reports, and an extensive expert opinion survey. The experimental data utilized in developing fragility curves were obtained from the results of the manufacturers' qualification tests, independent testing lab failure data, and data obtained from an extensive U.S. Corps of Engineers testing program. These data were statistically combined with the expert opinion survey data to produce fragility curves for the generic component categories.

A second useful source of fragility information is a compilation of site-specific fragilities (Campbell et al., 1985) derived from past seismic PRAs prepared by Lawrence Livermore National Laboratory. By selecting a suite of site-specific fragilities for any particular component, one can obtain an estimate of a generic fragility for that component.

Following the probabilistic screening of the seismic accident sequences, plant-specific fragilities are developed for components not fitting in the generic data base categories as determined during the plant visit. These are developed either by analysis or by an extrapolation of the seismic equipment qualification tests.

Building and component seismic responses (floor slab spectral accelerations as a function of acceleration) are computed at several peak ground acceleration values on the hazard curve. Three basic aspects of seismic response (best estimates, variability, and correlation) must be estimated.

For soil sites, SHAKE code calculations (Schnabel, Lysmer, and Seed, 1972) can be performed to assess the effect of the local soil column (if any) on the surface peak ground acceleration and to develop strain-dependent soil properties as a

function of acceleration level. This permits an appropriate evaluation of the effects of nonhomogeneous underlying soil conditions that can strongly affect the building responses.

Building loads, accelerations, and in-structure response spectra can be obtained from multiple time history analyses using the plant design, fixed-base beam element models for the structures combined with a best-estimate model of the soil column underlying the plant.

Task 4 - Quantification

Quantification proceeds through a process of convolution of the seismic hazard curves with the structures and component fragility curves to obtain the probability of each element's failure under each discrete earthquake acceleration, along with integrated plant response and proper treatment of coupling due to the earthquake. Then, for each acceleration range, the failure probabilities due to the earthquake are propagated through the event tree/fault tree model along with the probabilities of independent failures. Essentially, for each discrete earthquake acceleration level, the quantification process follows the activities for the internal events analysis. One of the fundamental distinctions is the integration of the exceedance frequency probability curve for seismic events into the overall results.

The theory behind, and practice involved with, performing a seismic PRA are well documented in the open literature and will not be replicated here. Papers that describe the methodology for conducting a seismic PRA for nuclear power plants (in particular, Ang and Newmark, 1977; and Kennedy, 1980) begin conceptually and then move to fully plant-specific analysis techniques. The SSMRP generated significant information that underpins much of the later work in this area (Smith et al., 1981). With the publication of the Zion and Indian Point Probabilistic Safety Studies (ComEd, 1981; ConEd, 1983), the basic approach became well established. More recently, the Diablo Canyon Long-Term Seismic Program (PG&E, 1988), performed by a U.S. utility company with strong review and direction provided by the U.S. Nuclear Regulatory Commission, extended the thoroughness of seismic PRA by including extensive testing and analysis involving all disciplines related to seismic risk. This detailed work led to improvements in the seismic PRA models and generally supported the idea that the basic modeling structure could be used to predict seismic failure of structures and components.

However, the usual practice in seismic PRA is still to employ outside experts to perform the seismic hazard and fragility analyses. These experts must work very closely with the PRA team to ensure that seismic failure modes of equipment imply functional failure as required for PRA models. Examples abound of PRA errors caused by the lack of communication between systems analysts and structural analysts.

3.7.4 Task Interfaces

The current task utilizes the same overall analysis approach and procedures developed for the internal event PRA. In particular, this task builds on the information developed in the task Spatial Interactions. The conduct of this task will require input from the tasks dealing with Initiating Event Analysis, Frequency of Initiating Events, Event Sequence Modeling, and System Modeling. It is also likely that specific operator actions will be identified in the seismic scenarios, thus prompting an interface with the task Human Reliability Analysis.

Output from the Seismic Analysis task provides information on accident sequence definition and on frequency of occurrence directly to the Level 2 task, which in turn provides source term information to the consequence and risk integration task. Whether or not Level 2/3 analyses are performed depends on the scope of the PRA.

3.7.5 References

Ang, A. H.-S. and N. M. Newmark, A Probabilistic Seismic Assessment of the Diablo Canyon Nuclear Power Plant, Report to U.S. Nuclear Regulatory Commission, N. M. Newmark Consulting Engineering Services, Urbana, IL, November 1977.

Bernreuter, D. L., Seismic Hazard Analysis: Application of Methodology, Results and Sensitivity Studies, NUREG/CR-1582, Lawrence Livermore National Laboratory, October 1981.

Bley, D. C., et al., "The Impact of Seismically Induced Relay Chatter on Nuclear Plant Risk," Transactions of the Ninth International Conference on Structural Mechanics in Reactor Technology, Vol. M, "Structural Reliability Probabilistic Safety Assessment," pp. 23-28, August 17-21, 1987.


Bohn, M. P., and J. A. Lambright, Procedures for the External Events Core Damage Frequency Analysis for NUREG-1150, NUREG/CR-4840, Sandia National Laboratories, November 1990.

Budnitz, R. J., H. E. Lambert, and E. E. Hill, Relay Chatter and Operator Response after a Large Earthquake: An Improved PRA Methodology with Case Studies, NUREG/CR-4910, Future Resources Associates, Inc., August 1987.

Campbell, R. D., et al., "Seismic Risk Assessment of System Interactions," Transactions of the Eighth International Conference on Structural Mechanics in Reactor Technology, Brussels, Belgium, August 19-23, 1985.

ComEd, Zion Probabilistic Safety Study, Commonwealth Edison Co., 1981.

ConEd, Indian Point Probabilistic Safety Study, Consolidated Edison Co. and New York Power Authority, 1983.

IAEA, Treatment of External Hazards in Probabilistic Safety Assessment for Nuclear Power Plants: A Safety Practice, Safety Series No. 50-P-7, International Atomic Energy Agency, 1995.

IAEA, Probabilistic Safety Assessment for Seismic Events, IAEA-TECDOC-724, International Atomic Energy Agency, 1993.

Kaplan, S., V. M. Bier, and D. C. Bley, A Note on Families of Fragility Curves: Is the Composite Curve Equivalent to the Mean Curve?, Nuclear Engineering and Design, 1992.

Kaplan, S., H. F. Perla, and D. C. Bley, "A Methodology for Seismic Risk Analysis of Nuclear Power Plants," Risk Analysis, Vol. 3, No. 3, September 1983.

Kennedy, R. P., et al., Studies in Support of Fragility Analysis for Diablo Canyon Long-Term Seismic Program, Structural Mechanics Associates, 1988.

Kennedy, R. P., et al., Probabilistic Seismic Safety Study of an Existing Nuclear Power Plant, Nuclear Engineering and Design, 59, pp. 315-338, 1980.

Lambert, H. E., and R. J. Budnitz, "Relay Chatter and Its Effects on Nuclear Plant Safety," Transactions of the Tenth International Conference on Structural Mechanics in Reactor Technology, Los Angeles, California, August 1989.

PG&E, Diablo Canyon Long Term Seismic Program, Pacific Gas and Electric Company, 1988.

Schnabel, P. B., J. Lysmer, and H. B. Seed, SHAKE: A Computer Program for Earthquake Response Analysis of Horizontally Layered Sites, EERG 12, Earthquake Engineering Research Center, University of California at Berkeley, 1972.

Smith, P. D., et al., Seismic Safety Margins Research Program - Phase I Final Report, NUREG/CR-2015, Vols. 1-10, Lawrence Livermore National Laboratory, 1981.
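The Task 2 truncation rules and the Task 4 convolution of the hazard curve with a fragility curve, carried through as an added example; this is not code from the procedure guide or from the KNPS PRA. The hazard curve points, the capacity parameters (median 1.2g, R = 0.25, U = 0.35) and the function names are constructed for illustration, and only Python's standard library is used.

```python
from math import exp, log, sqrt
from statistics import NormalDist

_STD = NormalDist()  # standard normal: cdf() and inv_cdf()

# Truncation rules from Task 2: the uncertainty variability (U) is never
# truncated; the random variability (R) is cut off at a 1 percent failure
# fraction for ductile failure modes and at 0.1 percent for all other components.
TRUNCATION = {"ductile": 0.01, "other": 0.001, "none": 0.0}


def random_fragility(a, capacity, beta_r, cutoff):
    """Failure probability at acceleration a (g) for one fixed median capacity.

    Lognormal in a with logarithmic standard deviation beta_r.  Below the
    truncation point the curve is set to zero: no credit for the lower tail,
    which the guide regards as conservative.
    """
    if a <= 0.0:
        return 0.0
    p = _STD.cdf(log(a / capacity) / beta_r)
    return p if p >= cutoff else 0.0


def mean_fragility(a, median, beta_r, beta_u, category="ductile", n_u=400):
    """Mean fragility: the random curve averaged over state-of-knowledge uncertainty.

    The uncertainty on the median capacity is lognormal with logarithmic standard
    deviation beta_u; it is represented by n_u equally probable quantiles, each of
    which shifts the median and is truncated separately (U itself is not truncated).
    With category="none" the average converges to the closed-form composite curve.
    """
    cutoff = TRUNCATION[category]
    total = 0.0
    for k in range(n_u):
        q = (k + 0.5) / n_u  # midpoint of the k-th quantile bin
        capacity = median * exp(beta_u * _STD.inv_cdf(q))
        total += random_fragility(a, capacity, beta_r, cutoff)
    return total / n_u


def composite_fragility(a, median, beta_r, beta_u):
    """Composite curve with a single logarithmic standard deviation beta_c."""
    if a <= 0.0:
        return 0.0
    beta_c = sqrt(beta_r ** 2 + beta_u ** 2)
    return _STD.cdf(log(a / median) / beta_c)


def failure_frequency(hazard, fragility):
    """Task 4 convolution of a hazard curve with a fragility curve.

    hazard: (peak ground acceleration in g, annual exceedance frequency) pairs in
    increasing acceleration.  Each interval between adjacent points is one discrete
    acceleration level: its occurrence frequency is the difference of the two
    exceedance frequencies, and the fragility is taken at the geometric midpoint.
    The frequency beyond the last point is assigned the fragility at that point.
    """
    freq = 0.0
    for (a0, h0), (a1, h1) in zip(hazard, hazard[1:]):
        if a1 <= a0 or h1 > h0:
            raise ValueError("hazard curve must be increasing in a and non-increasing in H")
        freq += (h0 - h1) * fragility(sqrt(a0 * a1))
    a_last, h_last = hazard[-1]
    return freq + h_last * fragility(a_last)


# Constructed hazard curve, not site data: (PGA in g, annual exceedance frequency)
HAZARD = [(0.05, 1.0e-2), (0.10, 3.0e-3), (0.20, 7.0e-4), (0.30, 2.5e-4),
          (0.50, 6.0e-5), (0.75, 1.5e-5), (1.00, 5.0e-6), (1.50, 1.0e-6)]

# Constructed capacity parameters for a piping segment (ductile category)
MEDIAN_G, BETA_R, BETA_U = 1.2, 0.25, 0.35


def compare_truncation(hazard=HAZARD, median=MEDIAN_G, beta_r=BETA_R, beta_u=BETA_U):
    """Annual failure frequency of one component under each truncation rule."""
    return {
        cat: failure_frequency(hazard, lambda a: mean_fragility(a, median, beta_r, beta_u, cat))
        for cat in ("none", "ductile", "other")
    }


if __name__ == "__main__":
    for cat, f in compare_truncation().items():
        print(f"{cat:8s}: failure frequency = {f:.3e} per year")
```

Because U is left untruncated, the mean curve for a ductile component is still nonzero at accelerations where the median-capacity random curve alone would be cut off; the truncation only removes the part of the lower tail the guide treats as conservative.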


4. DOCUMENTATION

This chapter establishes guidance for documenting a PRA. Documentation of the PRA has two major objectives:

  • Present the results of the study (i.e., communicate information), and
  • Provide traceability of the work.

Documentation begins with detailed information gathering, calculation sheets, model construction, and computer work. This material is formally documented in task reports that become appendices to the PRA Report. These details, in turn, are abstracted and reorganized into the Main Reports for each of the major technical activities of the PRA. All of this documentation is then used to recast the model and results into the Executive Summary. Finally, an Overall Project Summary is developed, which presents key results and insights from the work.

4.1 Documentation in Support of Reporting/Communication

Table 4-1 briefly summarizes the reports used to document the KNPS PRA. The distribution of these reports is also indicated in the table. Each report is discussed in more detail below.

Table 4-1 Documentation for the Kalinin PRA Project

Report                                                                              Distribution
Executive Summary Report, NUREG/IA-0212, Volume 1                                  Publicly Available (1)
  - Level 1, Internal Events
  - Level 2, Internal Events
  - Other Events
Main Report - Level 1 PRA, Internal Initiators, NUREG/IA-0212, Volume 2, Part 1     Proprietary/Restricted Distribution
Main Report - Level 2 PRA, Internal Initiators, NUREG/IA-0212, Volume 2, Part 2     Proprietary/Restricted Distribution
Main Report - Other Events Analysis (Fire, Flood, Seismic), NUREG/IA-0212,
  Volume 2, Part 3                                                                  Proprietary/Restricted Distribution
Procedure Guides for a Probabilistic Risk Assessment, NUREG/CR-6572, Revision 1     Publicly Available

(1) Does not include quantitative results for core damage frequency and radionuclide release frequency.

The Procedure Guides for a Probabilistic Risk Assessment report documents the technical approach used for the PRA. It was written by the U.S. team and was made available at an early stage of the project in order to guide the work being done in the R.F. The guides helped to assure that the PRA would be done according to an internationally acceptable and consistent framework.

The Project/Executive Summary report contains the objectives of the project, a summary of how the project was carried out, and a general summary of the results of the PRA. The PRA considered only the reactor core as a potential source and only full power operation. A Level 1 PRA (assessment of core damage frequency) and a Level 2 PRA (containment performance) were carried out in detail. A Level 3 PRA was not performed, but guidance on performing such a PRA was provided.

The Main Report documents the Level 1 PRA performed for accidents initiated by internal events at the KNPS. The report was written by the Russians and contains an explanation of the methods used and the results of the overall analysis as well as the analysis done for the technical activities within the Level 1 PRA.

The Main Report also documents the Level 2 Internal Events PRA. This was also written by the Russians and contains an explanation of the methods used and the results of the overall analysis as well as the analysis done for the technical activities within the Level 2 PRA.

The Main Report also includes a description of the analyses performed for Other Events. The section summarizes the analyses that were performed for accidents initiated by internal floods, fire and seismic events. It was written jointly by the Russian-American team.

The Appendices for the Level 1 and Level 2 Internal Events PRA were written by the Russians and complement the Main Report by providing more details on the Level 1 and Level 2 analyses.

4.2 Documentation in Support of Traceability

Documentation should be performed in such a manner that facilitates applications, updating and peer review of the PRA. This section provides general guidance. Reference should be made to the technical activities described in Chapter 3 for guidance on specific products expected from individual technical activities.

Documentation supporting the PRA technical activities should be legible and retrievable (i.e., traceable). PRA documentation should clearly indicate the owner's approval authorization, as appropriate.

The methodology that was used in performing the technical activities in Chapter 3 should be identified either in owner-specific documents or through reference to existing methodology documents. In addition, any general assumptions, interfaces with other PRA elements, nomenclature, definition of terms, or other specific element items that need to be included should be documented.

Information sources, both plant-specific and generic, used in performing the technical activities should be documented, including those sources that are mandatory.

Assumptions and limitations made in performing the technical activities should be documented, including those decisions and judgments that were made in the course of the analysis. The justification should also be included; the justification should provide sufficient detail to allow a reviewer to understand the appropriateness of the assumption or the limitation. General or generic assumptions and limitations should be documented.

The products and outcomes from the technical activities should be documented. These products and outcomes should include those products or deliverables that are necessary to understand the process used to satisfy the technical activities.

The documentation of the technical activities should indicate the person(s) who developed or prepared the product or outcome and the person(s) who reviewed or otherwise verified the appropriateness of the product or outcome, with a printed name and associated signature. The person(s) reviewing, verifying, or otherwise checking products and outcomes should not have participated in the preparation of the product or outcome for which they were assigned.

APPENDICES A THROUGH D

APPENDIX A RECOMMENDED SUPPLEMENTAL CCF GENERIC ESTIMATES FOR KALININ PRA BASED ON EXPERIENCE IN THE U.S.

This appendix provides information on supplemental common-cause failure (CCF) estimates for some of the instrumentation and control components which are not currently contained in Stromberg et al. (1995). The specific components of concern are:

  • Pressure sensors
  • Sensors: flux monitors
  • Sensors: temperature detectors
  • Relays
  • Analog channel
  • Digital channel.

There is not currently a specific reference addressing the CCF for all of the above components. Several different references were reviewed, and that portion of data which was considered appropriate was used to arrive at the final recommended values. Some references were of a proprietary nature and, therefore, could neither be referenced nor quoted. Such references were used as a check on the final results to ensure that the recommended uncertainty ranges cover the CCF values reported in these proprietary references. The recommended values are provided in the form of the Beta factor for various group sizes. The references that were reviewed for this appendix (excluding the proprietary references) are given below.

A.1 Pressure Sensors

Pressure sensors include both mechanical (spring assisted force balance) and electrical (balanced capacitors) transducers. They can be used for measurements of pressure and pressure differential (delta pressure). The measurements on delta pressure could be indirectly used for level and flow measurements. Different types of pressure sensors used for different applications can have significantly different failure rates. However, the estimated generic CCF parameters do not differentiate between different types and applications. Such generic CCF estimates could be used for the initial phase of quantification.

Limited failure data was analyzed in Atwood (1983) for pressure sensors; however, the pressure sensors, their logic channel, relays, and switches were all combined. Another study of pressure transmitters focusing on a specific manufacturer of the electrical type (Carbonado et al., 1991) focuses on specific types of failure mechanisms, i.e., loss of fill oil. Carbonado and Azarm (1993) uses a beta factor of 0.21 for conditional failure probability of at least two pressure transmitters out of a group of three. Other studies of pressure transmitters all indicate that these types of components are typically reliable, fully tested infrequently, and there is a high potential for dependent failures. Based on the review of all the materials, Table A-1 provides the reasonable generic data for use as the prior for pressure transmitters.

Table A-1 Generic CCF rates for pressure transmitters used as pressure, level, or flow monitors

Group Size   2 or More Given 1   3 or More Given 1   4 or More Given 1   Lognormal Error Factor
2            0.15                NA                  NA                  6
3            0.2                 0.1                 NA                  6
4            0.2                 0.1                 0.1                 6

A.2 Sensors: Flux Monitors

This includes source range monitors (typically proportional counters), intermediate range monitors (typically compensated ionization chambers), and finally, power range monitors (typically uncompensated ionization chambers). Atwood (1983) and Azarm et al. (1989) were reviewed and both indicated that CCF rates for such components are very low. Therefore, it is recommended that a global Beta factor of 0.01 with an error factor of 3 be used for these types of flux monitors.

A.3 Sensors: Temperature Detectors

Atwood (1983) provides the CCF rate for resistance temperature detectors. The majority of failure modes are due either to moisture leakage or high resistance of the resistors. Some drift failures were also reported. The reasonable values provided in Table A-2 are primarily based on the actual event data reported in Atwood (1983) with the exception of error factors, which are subjectively assigned.

Table A-2 Generic CCF rates for resistance temperature detectors excluding the in-core thermocouples

Group Size   2 or More Given 1   3 or More Given 1   4 or More Given 1   Lognormal Error Factor
2            0.14                NA                  NA                  6
3            0.14                0.07                NA                  6
4            0.2                 0.1                 0.07                6

A.4 Relays

A global Beta factor of 0.07 is reported for relays in Hassan and Vesely (1997). Similarly, Martinez-Garret and Azarm (1994) report a global Beta factor of 0.06 with an error factor of 2.2 for relays based on actuarial data of onsite electrical power systems in U.S. nuclear power plants. The use of a global error factor is justified since the level of redundancy in most cases was 2. Both studies do not differentiate between different types and applications of relays (e.g., master vs. slave) for CCF rates. Azarm et al. (1994) focuses on the specific relay manufacturer and indirectly provides a global Beta factor by determining the F factor. In Azarm et al. (1994), (1/F) is the ratio of the actual system unavailability accounting for independent plus dependent contributions divided by the independent portion. This study considers that CCFs of the relays are due mainly to slow acting CCF mechanisms, such as insulation wear-out and varnish deposition on the relay contacts. These global Beta factors, therefore, are sensitive to test intervals; a short test interval will detect individual failures before they become multiple failures. For a test interval of about one year, a global Beta factor of about 0.06 for a group size of 2, and a global Beta factor of 0.02 for group sizes of three or more is estimated. It is important to note that increasing the test interval by a factor of 2 could double the values of the beta factors estimated. Therefore, we recommend a Beta factor of 0.06 with an error factor of 2.2 for a group size of 2 and a Beta factor of 0.02 with an error factor of 3 for a group size of three or more, with earlier adjustment of a test interval if it exceeds one year.

A.5 Analog Channel

An analog channel is typically responsible for signal conditioning by methods such as modulation, de-modulation, filtering, or amplifying. The last stage of an analog channel is either a driver amplifier to feed a device or a relay, or a comparator to provide input to a logic channel.

Solid-state analog circuits have been in use for many years, and there is good understanding of their failure mechanisms. CCF of analog circuits due to heat, humidity, electrical surges, lightning,

smoke, and vibration have been observed in the past. The CCF rates for analog channels are application dependent; however, Hassan and Vesely (1997) and Azarm et al. (1989) provide some generic CCF rates for the analog channels, i.e., 0.07 from Hassan and Vesely (1997) and 0.05 from Azarm et al. (1989). Primarily based on these references, a global Beta factor of 0.07 should be used for analog channels (regardless of group size). An error factor of 6 is recommended to indicate the variation of this global beta factor with the specific application type.

A.6 Digital Channels

A digital channel could be a programmable logic module, a logic circuitry, a processor unit with the associated memory and bus structure, etc. The components in a digital channel could be made using a variety of different semiconductor technologies. The CCF associated with these components are mostly driven by external causes; therefore, they should operate in a controlled environment. A global Beta factor of 0.001 is reported for logic modules in Hassan and Vesely (1997). An error factor of 10 to indicate the significant variability and uncertainty in this CCF estimate is recommended.

A.7 References

Atwood, C. L., Common-Cause Fault Rates for Instrumentation and Control Assemblies, NUREG/CR-2771, Idaho National Engineering Laboratory, February 1983.

Azarm, M. A., et al., Dependent Failures and Two Case Studies, BNL Technical Report W6082, Brookhaven National Laboratory, August 1994.

Azarm, M. A., et al., Level 1 Internal Event PRA for the High Flux Beam Reactor, BNL Technical Report, Brookhaven National Laboratory, August 1989.

Carbonado, J., and M. A. Azarm, Evaluation of Surveillance and Technical Issues Regarding the ATWS Mitigation Systems, BNL Technical Report L-1311, Brookhaven National Laboratory, June 18, 1993.

Carbonado, J., et al., Evaluation of Surveillance and Technical Issues Regarding Rosemount Pressure Transmitter Loss of Fill-Oil Failures, BNL Technical Report L-1311, Brookhaven National Laboratory, December 1991.

Hassan, M., and W. E. Vesely, Digital I&C Systems in Nuclear Power Plants: Risk Screening of Environmental Stressors and a Comparison of Hardware Unavailability with Existing Analog System, NUREG/CR-6579, November 1997.

Martinez-Garret, G., and M. A. Azarm, Reliability Assessment of Electrical Power Supply to Onsite Class 1E Buses at Nuclear Power Plants, BNL Technical Report L-2505, Brookhaven National Laboratory, June 7, 1994.

Stromberg, H. M., et al., Common-Cause Failure Data Collection and Analysis System, Vols. 1 through 6, INEL-94/0064, Idaho National Engineering Laboratory, December 1995.

APPENDIX B SIMPLIFIED LEVEL 2 ANALYSIS

B.1 Background

In this appendix, the analyses performed as part of the Level 2 portion of a probabilistic risk assessment (PRA) are described. The analyses described in this appendix were previously published in an earlier version of these procedure guides (NUREG/CR-6572, Vol. 3, Part 1, September 1999). The approach described is a simplified Level 2 PRA and is included here for completeness. The approach described in the main body of the revised procedure guide is a full-scope Level 2 PRA.

A Level 2 PRA consists of five major parts:

1. Plant damage states,
2. Containment event tree analysis,
3. Release categorization,
4. Source term analysis,
5. Severe accident management strategies.

B.2 Task Activities

The purpose of this appendix is to provide a guide for assessment and management of severe accident risks in VVERs.

Probabilistic accident progression and source term analyses (Level 2 PRAs) address the key phenomena and/or processes that can take place during the evolution of severe accidents, the response of containment to the expected loads, and the transport of fission products from the damaged core to the environment. Such analyses provide information about the probabilities of accidental radiological releases (source terms). The analyses also indicate the relative safety importance of events in terms of the possibility of offsite radiological releases, which provides a basis for development of plant-specific accident management strategies.

A concern associated with the results of Level 2 PRAs stems from their known susceptibility to phenomenological uncertainties. These uncertainties are often of such a magnitude that they make the decision-making process difficult. There is much to be gained, therefore, from assessment of severe accident risks, by reformulation of the Level 2 methodology into a simplified containment event tree (CET) and redefinition of the phenomenological portion in terms of a physically based probabilistic framework. Such an approach provides a streamlined procedure for assessment of severe accident risks that further allows for a direct evaluation of potential accident management strategies.

This appendix describes six major procedural activities for assessment and management of severe accident risks (see Figure B.1). Section B.2.1 provides guidance on development of plant damage states (PDSs) (Activity 1). Section B.2.2 discusses the development of a simplified CET (Activity 2). The determination of the likelihood of occurrence of severe accident phenomena leading to various containment failure modes is also discussed in this section (Activity 3). Guidance is provided for deterministic analyses including consideration of uncertainties for severe accident issues. Section B.2.3 discusses the accident progression grouping (source term categorization, Activity 4). Section B.2.4 provides guidance on an evaluation of release and transport of radionuclides leading to an estimation of environmental source terms for each accident progression grouping (Activity 5). Output from Activity 5 provides the information needed to perform an offsite consequence assessment (Level 3 PRA). Section B.2.5 discusses the development of potential plant-specific accident management strategies to reduce the frequency of accident progression groups with large-release concerns (Activity 6). Attachment 1 describes the key phenomena and/or processes that can take place during the evolution of a severe accident and that can have an important effect on containment behavior.

B.2.1 Plant Damage States

The role of interfaces between the system analysis (Level 1 PRA) and the containment performance analysis is particularly important from two perspectives. First, the likelihood of core damage can be influenced by the status of particular containment systems. Second, containment performance can be influenced by the status of core cooling systems. Thus, because the

Figure B.1 Major procedural activities for assessment and management of severe accident risks

influences can flow in both directions between the system analysis and the containment performance analysis, particular attention must be given to these interfaces.

The Level 1 PRA analysis identifies the specific combination of system or component failures (i.e., accident sequence cutsets) which can lead to core damage. The number of cutsets generated by a Level 1 analysis is very large. It is neither practical nor necessary to assess the severe accident progression, containment response, and fission product release for each of these cutsets. As a result, the common practice is to group the Level 1 cutsets into a sufficiently small number of plant damage states to allow a practical assessment and management of severe accident risks.

A PDS should be defined in such a way that all accident sequences associated with it can be treated identically in the accident progression analysis. That is, the PDS definition must recognize all distinctions that matter in the accident progression analysis. It is clear that some PDSs will be more challenging to containment integrity than others. For example, some PDSs will completely bypass containment, such as accidents in which the isolation valves between the high-pressure reactor coolant system (RCS) and the low-pressure secondary systems fail, causing a loss-of-coolant accident (LOCA) outside containment. Other examples include failure of the steam generator (SG) tubes and loss of containment isolation. Early loss of containment integrity can be the result of internal initiating events and can also be caused by external initiators (such as seismic events). In past PRAs for some U.S. plants, seismic initiators have been important contributors to the frequency of loss of containment isolation.

For those situations where the containment is initially intact, some PDS groups will cause more severe containment loads (e.g., elevated pressures and temperatures) than others. For example, a transient event with loss of coolant injection and containment heat removal (e.g., failure of containment sprays) will result in a core meltdown with the reactor coolant system at high pressure. A high-pressure core meltdown has the potential to

cause more severe containment loads than, say, a LOCA with the containment heat removal systems operating. Accidents initiated by seismic events also tend to be important contributors to the frequency of the severe PDS groups. This is because seismic events have the potential to cause multiple equipment failures and hence result in more severe PDS groups.

Before PDSs are defined, the analyst must identify plant conditions, systems, and features that can have a significant impact on the subsequent course of an accident. All potential combinations of the PDS characteristics that are physically possible are tabulated and assigned an identifier. The PDS matrix is usually developed by a Level 2 analyst and then reviewed by a Level 1 analyst for compatibility with the plant model and completeness in the appropriate dependencies. The matrix is revised, as necessary, until all requirements specified by the Level 1 and Level 2 analysts are deemed satisfactory. For example, the PDS should be defined such that it yields a unique set of conditions for entering the containment event tree. A Level 2 analyst may find it necessary or convenient to distinguish among groups of scenarios that have been assigned to a common PDS. This might be the case if distinct scenario types have been assigned to a particular PDS but subsequently prove to have different Level 2 signatures. The past experience of the Level 2 analyst helps to reconcile these issues.

All of the plant model information on the operability status of active systems that are important to the timing and magnitude of the release of radioactive materials must be passed into the CET via the definition of the PDS. Therefore, the plant model event trees must also address those active systems and functions that are important to containment isolation, containment heat removal, and the removal of radioactive material from the containment atmosphere. A containment spray system is a good example of such a system.

A relatively simple set of PDS attributes is, therefore, proposed in Table B-1 that will identify those accidents that are more challenging to containment integrity than others. The attributes given in Table B-1 allow the accident sequences generated in the Level 1 analysis for both internal and external events to be processed through the simplified CET described in Section B.2.2. The VVER analysts should verify that the attributes given in Table B-1 are appropriate and ask themselves whether VVERs have some other features that also belong on this table. It should also be noted that the PDS groups in Table B-1 assume that seismic events will not cause any unique containment failure modes but simply influence the frequency of the more severe PDS groups. If unique failure modes are identified in the external event PRA, then Table B-1 should be expanded accordingly.

B.2.2 Containment Event Tree Analysis

The evaluation of accident progression and the attendant challenges to containment integrity is an essential element of a risk assessment. The key phenomena and/or processes that can take place during the evolution of a severe accident and that can have an important effect on containment behavior are described in Attachment 1. The discussion in Attachment 1 identifies those issues that need to be considered when attempting to characterize the progression of severe accidents and the potential for various containment failure modes or bypass mechanisms. Of particular importance is to determine the effectiveness of those systems that are relied upon to mitigate the consequences of severe accidents. Attachment 1 lists some of the considerations that need to be addressed by the VVER analysts prior to taking credit for a system in the Level 2 PRA. In particular, it should be determined whether or not the equipment under consideration is qualified to operate successfully in the harsh environmental conditions (high temperature, pressure, humidity, radioactivity, aerosol concentration, etc.) associated with a core meltdown accident. The discussion in Attachment 1 can be summarized by using event sequence diagrams such as those shown in Figures B.2 and B.3.

Table B-1 Plant damage state attributes

Initiator Type
  • Large, intermediate, or small LOCAs
  • Transients
  • Bypass events
    - Interfacing systems LOCA
    - Steam generator tube rupture (SGTR)

Status of Containment at Onset of Core Damage
  • Isolated
  • Not isolated

Status of Containment Systems
  • Sprays (if any) always operate/fail or are available if demanded
  • Sprays operate in injection mode, but fail upon switchover to recirculation cooling

Electric Power Status
  • Available
  • Not available

Status of Reactor Core Cooling System
  • Fails in injection mode
  • Fails in recirculation mode

Heat Removal from the Steam Generators
  • Always operate/fail or are available if demanded
  • Not operating and not recoverable

Figure B.2 Event sequence diagram for accidents in which the containment is bypassed or not isolated

Figure B.3 Event sequence diagram for accidents in which the containment is initially intact

First, it is most important to determine the status of containment prior to core damage. Thus, the first event (in both diagrams) after accident initiation is to determine containment status. If the containment is bypassed or not isolated (Figure B.2), then it is inevitable that radionuclides will be released to the environment after core damage. Therefore, the diagram focuses on those events that will influence the magnitude and timing of the release.

Radionuclides released while the core is in the reactor vessel are termed in-vessel release.

accidents (such as interfacing systems LOCA). It is possible that the break location outside of containment is under water. If the radionuclides pass through such a pool of water, then significant scrubbing or retention of the aerosols can occur, which reduces the source term to the environment. Similarly, for an accident in which the containment is not isolated, containment sprays can significantly lower the airborne concentration of radionuclides with a corresponding reduction in the environmental source term.

It is important to determine if coolant injection can be restored and core melt arrested in the reactor vessel (as happened in the Three Mile Island Unit 2 accident) prior to vessel meltthrough. If core damage is not terminated in-vessel, it is important to know if the region under the vessel is flooded. A flooded cavity could cool the core debris and prevent core-concrete interactions (CCIs) (coolable debris bed) and eliminate radionuclide release from this mechanism (i.e., no ex-vessel release). However, if the cavity is dry, extensive CCIs can occur resulting in significant radionuclide release (i.e., ex-vessel release occurs) and the possibility of basemat meltthrough. It is also necessary to determine whether or not the flow path from the damaged core to the environment is flooded or affected by spray operation.

Alternatively, if the containment is isolated and not initially bypassed, the event sequence diagram (Figure B.3) focuses on identifying when the containment might fail or be bypassed during the course of a severe accident. For clarity, only three potential release mechanisms are included in the diagram. An early release is defined as a release that occurs prior to or shortly after the core debris melts through the reactor vessel.

An early release can be caused by several different failure mechanisms, which are discussed in Attachment 1 and will be explained in more detail later in this procedure guide. However, for the purposes of developing a simple event sequence diagram, it is known that these failure mechanisms are strongly influenced by the pressure in the reactor coolant system and whether or not core damage can be terminated by restoring coolant injection prior to vessel meltthrough. It is also possible that the damaged core can be retained in the reactor vessel by external cooling if the cavity is flooded.

If the core debris cannot be cooled and retained in the reactor vessel, the potential exists for containment failure at the time of reactor vessel meltthrough. If the containment does not fail early, then the potential exists for late containment failure. In this context, late is defined as several hours to days after the core melts through the vessel. Late failure can occur as a result of high pressures or temperatures if active containment heat removal systems are not available. These types of failures are usually structural failures and can occur above ground. If the cavity is dry or the core is not coolable, late containment failure can occur as a result of the core debris melting through the concrete basemat. Under these circumstances, the release would be below ground. Of course, if the containment is not bypassed and does not fail (early or late), then the release to the environment will be via containment leakage. The VVER analysts should construct event sequence diagrams of the type shown in Figures B.2 and B.3 that reflect plant-specific features that have the potential to influence severe accident progression.

The next step in the process is to determine the probabilities of potential containment failure modes and bypass mechanisms conditional on the occurrence of each plant damage state identified in Section B.2.1. This step is normally achieved by using event trees that incorporate events such as those shown in Figures B.2 and B.3 and address the issues discussed in Attachment 1. A CET is a structured framework for organizing the different accident progressions that may evolve from the various core damage accident sequences. The top events in a CET are developed so that the likelihood of whether the containment is isolated, bypassed, failed, or remains intact can be

determined. CETs can vary from relatively small trees with a few top events developed for each plant damage state group to very large and complex trees that are able to accommodate all plant damage states. An example of a simplified CET is provided in Table B-2.

This CET is based on the event sequence diagrams in Figures B.2 and B.3 and also incorporates the issues discussed in Attachment 1. The top events in the CET are the key attributes for a typical U.S. pressurized water reactor with a large-dry containment. The VVER analysts should verify the completeness of Table B-2 and determine if VVER plants have some other features that should be incorporated into the CET.

Some of the CET questions correspond to the availability of various systems whereas other questions are related to the likelihood of physical phenomena leading to containment failure. For example, it is initially important to determine if the containment is isolated or bypassed (Question 1). This question can be answered based on information contained in the PDSs. However, the likelihood of containment failure (Question 13) depends on quantifying uncertain phenomena which are, in turn, strongly influenced by the pressure (Question 6) in the reactor coolant system during core meltdown and vessel failure (refer to the discussion in Attachment 1). In a similar manner, the issue of debris bed coolability (Question 15) is another important phenomenological issue that strongly influences the potential for containment failure (Question 16) in the late time frame.

Table B-2 identifies those questions that can be quantified from system (and human) reliability analyses including consideration of potential severe accident management strategies (Questions 1, 2, 3, 4, 5, 6, 7, 10, 11, and 14) and those that require phenomenological analyses (Questions 8, 9, 12, 13, 15, and 16). An approach for dealing with each question in the CET is presented below. Quantification of those questions in the CET that deal with system (and human) reliability analyses is in part based on information contained in the PDS groups.

However, the PDS groups only provide information on which systems are potentially available for particular accident sequences. Whether or not the systems successfully operate during a severe accident has to be evaluated (refer to Attachment 1) as part of the Level 2 PRA. In addition, any operator actions that are in the formal operating procedures for the plant should be included in the PRA. However, after core damage, there are a number of actions that an operator could take that could terminate and significantly mitigate the consequences of a core meltdown accident but which are not part of the operating procedures. Operator actions of this nature should be included in severe accident management strategies and should complement the normal plant operating procedures. The discussion below indicates where opportunities (in Questions 4, 6, 7, 10, 11, and 14) exist for implementing accident management strategies.

The analyst should first quantify the CET without the benefit of these accident management strategies. The CET can be readily requantified to assess the impact of any strategy on the likelihood of containment failure or bypass. Decisions related to implementing accident management strategies should be based on the integrated risk results. Section B.2.5 describes some of the considerations that must be taken into account when developing these strategies.

The CET also includes several highly complex phenomenological issues associated with the progression of a core meltdown accident. A two-step approach is provided to assess the likelihood of various containment failure modes induced by these highly complex severe accident phenomena. As a first step, a relatively simple scoping analysis should be performed. If, however, the scoping analysis is inconclusive, then a more detailed second step would be needed. This second step is described below for some of the phenomenological questions in the CET.

Question 1 - Is the containment isolated or not bypassed?

This question can be answered based on information in the PDS. A negative response to this question includes accidents in which the containment fails to isolate as well as accidents that bypass containment (such as interfacing systems LOCA and SGTR). This question applies

Table B-2 Nodal questions for a simplified CET

No.  Top Event Question                                                    Prior Dependence    Question Type
 1.  Is the containment isolated or not bypassed?                          None                Based on PDS
 2.  What is the status of reactor core cooling system?                    None                Based on PDS
 3.  Is power available?                                                   None                Based on PDS
 4.  Are the sprays actuated prior to reactor vessel meltthrough?          3                   Based on PDS and accident management
 5.  Is heat removal from the steam generators possible?                   None                Based on PDS
 6.  Does the reactor coolant system depressurize?                         2, 3, 5             Based on PDS, design and accident management
 7.  Is in-vessel coolant injection restored?                              2, 3                Based on PDS and accident management
 8.  Does thermally induced steam generator tube rupture occur?            6                   Phenomena
 9.  Does the containment fail prior to reactor vessel meltthrough?        1, 4, 6             Phenomena
10.  Is the break location under water for bypass accidents?               1, 2, 7             Based on PDS, design and accident management
11.  Is the region under the reactor vessel flooded or dry?                2, 4                Based on PDS, design and accident management
12.  Is reactor vessel breach prevented?                                   6, 7, 11            Phenomena and design
13.  Does containment fail at vessel breach?                               6, 8, 9             Phenomena
14.  Do the sprays actuate or continue to operate after vessel breach?     3, 4                Based on PDS and accident management
15.  Is the core debris in a coolable configuration?                       4, 11               Phenomena
16.  Does containment fail late?                                           9, 11, 13, 14, 15   Phenomena
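The following Python script is an added example, not part of this procedure guide or the Kalinin PRA. It encodes the questions and prior dependences of Table B-2, verifies that the tree can be quantified top-down, and enumerates every path for one constructed PDS both without and with an accident management strategy (spray operation after vessel breach, Question 14); every branch probability in it is a constructed illustrative value, not data from the guide.

```python
"""Quantification of the simplified containment event tree (CET) of Table B-2.

Added example; not part of NUREG/CR-6572 or the Kalinin PRA.  All branch
probabilities below are constructed illustrative values.
"""
from typing import Callable, Dict, Tuple

# Table B-2: question number -> (prior dependences, question type)
TABLE_B2: Dict[int, Tuple[Tuple[int, ...], str]] = {
    1: ((), "PDS"), 2: ((), "PDS"), 3: ((), "PDS"),
    4: ((3,), "PDS/AM"), 5: ((), "PDS"),
    6: ((2, 3, 5), "PDS/design/AM"), 7: ((2, 3), "PDS/AM"),
    8: ((6,), "phenomena"), 9: ((1, 4, 6), "phenomena"),
    10: ((1, 2, 7), "PDS/design/AM"), 11: ((2, 4), "PDS/design/AM"),
    12: ((6, 7, 11), "phenomena/design"), 13: ((6, 8, 9), "phenomena"),
    14: ((3, 4), "PDS/AM"), 15: ((4, 11), "phenomena"),
    16: ((9, 11, 13, 14, 15), "phenomena"),
}

Answers = Dict[int, bool]                              # question -> answered "yes"
BranchModel = Dict[int, Callable[[Answers], float]]   # P(yes | earlier answers)


def check_prior_dependence(table=TABLE_B2) -> bool:
    """Top-down evaluation requires every dependence to be an earlier question."""
    return all(d < q for q, (deps, _) in table.items() for d in deps)


def late_failure(a: Answers) -> float:
    """Question 16 branch: late overpressure or basemat attack, reduced by
    spray operation (14) and a coolable debris bed (15).  Constructed values."""
    if a[14] and a[15]:
        return 0.02
    return 0.2 if a[14] else (0.3 if a[15] else 0.7)


def constructed_model(spray_strategy: bool = False) -> BranchModel:
    """P(yes) per question, each using only its Table B-2 dependences, for one
    constructed PDS: transient initiator, containment isolated, power available,
    core cooling failed in injection mode, SG heat removal unavailable.
    spray_strategy=True models an accident management action that restores
    spray operation after vessel breach (Question 14)."""
    return {
        1: lambda a: 1.0,                                   # isolated (PDS)
        2: lambda a: 1.0,                                   # injection-mode failure (PDS)
        3: lambda a: 1.0,                                   # power available (PDS)
        4: lambda a: 0.9 if a[3] else 0.0,                  # auto-actuation needs power
        5: lambda a: 0.0,                                   # SG heat removal lost (PDS)
        6: lambda a: 0.95 if a[5] else (0.5 if a[3] else 0.05),
        7: lambda a: (0.1 if a[2] else 0.6) if a[3] else 0.0,
        8: lambda a: 0.0 if a[6] else 0.15,                 # creep rupture needs high pressure
        9: lambda a: (0.01 if a[4] else 0.03) if a[1] else 0.0,
        10: lambda a: 0.0 if a[1] else 0.5,                 # bypass accidents only
        11: lambda a: 0.8 if a[4] else (0.05 if a[2] else 0.3),
        12: lambda a: (0.8 if a[6] else 0.4) if a[7] else (0.2 if a[11] else 0.0),
        13: lambda a: 0.0 if (a[8] or a[9]) else (0.05 if a[6] else 0.3),
        14: lambda a: (0.9 if a[4] else (0.7 if spray_strategy else 0.1)) if a[3] else 0.0,
        15: lambda a: 0.8 if a[11] else (0.3 if a[4] else 0.05),
        16: lambda a: 0.0 if (a[9] or a[13]) else late_failure(a),
    }


def end_state(a: Answers) -> str:
    """Classify a complete path by how, if at all, the containment is lost."""
    if not a[1] or a[8]:
        return "bypassed or not isolated"
    if a[9]:
        return "early failure before vessel breach"
    if a[13]:
        return "failure at vessel breach"
    return "late failure" if a[16] else "intact"


def quantify(model: BranchModel) -> Dict[str, float]:
    """Enumerate every path through the 16 questions; sum probability by end state."""
    results: Dict[str, float] = {}

    def walk(q: int, answers: Answers, prob: float) -> None:
        if prob == 0.0:
            return                                   # prune impossible branches
        if q > 16:
            state = end_state(answers)
            results[state] = results.get(state, 0.0) + prob
            return
        if q in (13, 15) and answers[12]:
            # vessel breach prevented: failure at breach and ex-vessel debris
            # coolability are not asked on this path
            walk(q + 1, {**answers, q: False}, prob)
            return
        p_yes = model[q](answers)
        walk(q + 1, {**answers, q: True}, prob * p_yes)
        walk(q + 1, {**answers, q: False}, prob * (1.0 - p_yes))

    walk(1, {}, 1.0)
    return results


if __name__ == "__main__":
    for label, strategy in (("no strategy", False), ("spray after breach", True)):
        for state, p in sorted(quantify(constructed_model(strategy)).items()):
            print(f"{label:20s} {state:38s} {p:.4f}")
```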

only to accidents in which the containment fails to isolate or is bypassed at or before accident initiation. Accident sequences that result in the containment becoming bypassed (such as induced SGTR) after core damage do not apply to this question. These accidents are included under the response to Question 8 below.

Question 2 - What is the status of reactor core cooling system?

This question can also be answered based on information in the PDS. If the coolant injection pump fails in the injection mode, then the contents of the water storage tanks will not be injected into containment (unless the containment spray operates). For some containment designs, the reactor cavity can only be flooded if the contents of the water storage tanks are injected into containment. The VVER analysts should ascertain whether or not this is also true for the VVER containment design under consideration. The response to this question influences the response to Question 11 below.

Question 3 - Is power available?

This question is answered from information in the PDS. The status of power availability is important for determining whether or not certain actions can be undertaken during the course of the accident. For example, spray system operation requires power (unless a dedicated power supply is provided) so that the response to this question directly influences the response to Questions 4 and 14. Power is also needed to depressurize the RCS (Question 6) and restore in-vessel coolant injection (Question 7).

Question 4 - Are the sprays actuated prior to reactor vessel meltthrough?

This question can be answered in part based on information in the PDS but can also be influenced by potential accident management strategies. Containment sprays can be automatically actuated based on a high containment pressure signal. Under these circumstances and if power is available, the spray system would be actuated early in the accident. However, it has been suggested that delaying spray operation to later times may be more beneficial from an accident management perspective. Other potential strategies involve the use of alternate water supply systems. Section B.2.5.1 describes some of the considerations that need to be taken into account when developing accident management strategies related to containment spray operation. In addition, Attachment 1 stresses that it is also necessary to carefully assess whether or not a system will be able to perform the intended function under the harsh environmental conditions of a severe accident.

Question 5 - Is heat removal from the steam generators possible?

Information contained in the PDS can be used to determine if heat removal from the steam generators is possible for each of the accident sequences under consideration. Heat removal from the steam generators is one possible way of depressurizing the RCS. Thus, the success of some accident management strategies designed to depressurize the RCS (refer to Question 6 and Section B.2.5.2 below) is contingent on a positive response to this question.

Question 6 - Does the reactor coolant system depressurize?

For accidents initiated by transients and small break LOCA, the RCS will remain at high pressure unless the operators depressurize the RCS or induced failure of the RCS pressure boundary occurs (thermally induced SGTR is addressed under Question 8 below). For accidents initiated by intermediate and large break LOCA, the RCS will depressurize and be at low pressure prior to core damage. Thus, information in the PDS related to the initiator type (i.e., a transient event or a small break LOCA versus a large or an intermediate LOCA) can be used to answer this question.

However, it is generally recognized that if the RCS remains at high pressure (i.e., transients and small break LOCAs) during a core meltdown accident, the challenges to containment integrity will be more severe than for low-pressure sequences. Consequently, various accident management strategies have been proposed to depressurize the RCS for those accidents that would otherwise be characterized as high RCS pressure sequences. Depressurization can potentially be achieved by heat removal through the steam generators (positive response to Question 5) or by direct

pressure relief of the RCS. Again, the ability of these systems to adequately depressurize the RCS during severe accident conditions needs to be carefully evaluated. However, prior to implementing RCS depressurization strategies, a number of adverse effects need to be considered as indicated in Section B.2.5.2.

Question 7 - Is in-vessel coolant injection restored?

This question can be answered based on information in the PDS. At a minimum, power and water must be available in order to restore injection. In addition, for some accidents, the RCS must be depressurized (if only low head injection pumps are available) in order to restore coolant injection. Injecting water into a damaged reactor core is done to terminate core meltdown and establish a coolable geometry. Several accident management strategies have been proposed for injecting water into the RCS (refer to Section B.2.5.3).

Question 8 - Does thermally induced steam generator tube rupture occur?

The likelihood of a temperature-induced creep rupture of the SG tubes depends on several factors including the thermal-hydraulic conditions at various locations in the primary and secondary systems, which determine the temperatures and the pressures to which the SG tubes are subjected as the accident progresses. Other relevant factors include the effective temperature required for creep rupture failure of the SG tubes and the presence of defects in the SG tubes which increase the likelihood of rupture.

Thermally induced SGTRs can occur after the SGs have dried out and very hot gas is circulating. The horizontal SG design in VVERs most likely precludes counter-current natural circulation flow in the hot leg. However, the possibility of water seal clearing at the bottom of the downcomer and at the cold leg loop seals is a potentially important issue for thermally induced failure of the SGs and should be studied for VVERs.

Question 9 - Does the containment fail prior to reactor vessel meltthrough?

This question deals with the likelihood of a hydrogen combustion event failing the containment prior to vessel failure. In order to determine the likelihood of failure, the magnitude of the pressure rise caused by a hydrogen combustion event has to be compared against the ultimate capacity of the containment. The ultimate capacity of the containment is usually a factor of 2.5 to 3 times the design pressure. In a separate project, the NRC is sponsoring research at the Russian Academy of Sciences in which a finite element model of the Kalinin containment is being developed. This model will be used to predict the response of the containment structure to pressure loads in order to determine the ultimate pressure capacity. The results of this activity can be used to help quantify the CET for the Kalinin plant. It should be noted that in order to quantify the CET, a fragility curve (i.e., a probability of failure versus pressure curve) is needed. Developing these fragility curves requires engineering judgment and information obtained from the finite element analysis and other sources. Examples of how fragility curves can be developed are given in Breeding et al. (1990), which describes how an expert panel addressed structural response issues.

The magnitude of the pressure loads caused by combustion events can be determined by a number of approaches. As a first step, the amount of hydrogen generated during in-vessel core meltdown can be estimated. The pressure rise from the combustion of this hydrogen can then be calculated by assuming adiabatic energy transfer to the containment atmosphere. If the containment can withstand this bounding adiabatic pressure load, then no further analysis for this potential failure mode is needed and the conditional probability of containment failure via this mechanism prior to reactor vessel meltthrough is zero. However, if the adiabatic load is close to or exceeds the containment capacity, then a more detailed analysis of this failure mechanism is needed.

The extent of containment loading due to hydrogen combustion is largely a function of the rate and magnitude of hydrogen production and the nature of the combustion of this hydrogen. Uncertainties associated with hydrogen loading arise from an incomplete state of understanding of various phenomena associated with hydrogen generation and combustion. These phenomena include in-vessel hydrogen generation, hydrogen transport and mixing, hydrogen deflagration, hydrogen detonation, and diffusion flames.

The issue regarding in-vessel hydrogen generation centers on the rate and quantity of hydrogen production and the associated hydrogen-steam mass and energy release rates from the RCS. These parameters strongly influence the flammability of the break flow, the containment atmosphere, and the magnitude, timing, and location of potential hydrogen combustion.

The degree of mixing and rate of transport of hydrogen in the containment building is an important factor in determining the mode of combustion. Hydrogen gas released during an accident can stratify, particularly in the absence of forced circulation and if there are significant temperature gradients in the containment. Hydrogen released with steam can also form locally high concentrations in the presence of condensing surfaces. Should the hydrogen accumulate in a locally high concentration, then flame acceleration and detonation could occur. Hydrogen mixing and distribution in a containment is sensitive to the hydrogen injection rate and the availability of forced circulation or induced turbulence in the containment. The results of large-scale hydrogen combustion tests performed at the Nevada Test Site appear to qualitatively support the notion that operating the spray system will result in a well-mixed atmosphere (Thomson, 1988).

Hydrogen deflagrations involve the fast reaction of hydrogen through the propagation of a burning zone or combustion wave after ignition. The combustion wave travels subsonically and the pressure loads developed are, for practical purposes, static loads. Deflagrations are the most likely mode of combustion during degraded core accidents. In fact, the deflagration of a premixed atmosphere of hydrogen-air-steam occurred during the Three Mile Island Unit 2 accident. The likelihood and nature of deflagration in containments is strongly influenced by several parameters--namely, composition requirement for ignition, availability of ignition sources, completeness of burn, flame speed, and

Experimental studies of hydrogen combustion have been performed to understand the combustion behavior under expected plant conditions, and there is a reasonably complete database at several scales for ignition limits, combustion completeness, flame speed, and burn pressure for a hydrogen-steam-air mixture.

Improved correlations for flame speed and combustion completeness have been derived by Wong (1987). These correlations were derived based on the combustion data from the Variable Geometry Experimental System (Benedick, Cummings, and Prassinos, 1982 and 1984); Fully Instrumental Test Series (Marshall, 1986); Nevada Test Site (Thomson, 1988); Acurex (Torok et al., 1983); and Whiteshell (Kumar, Tamm, and Harrison et al., 1984) experiments.

A physically based probabilistic framework like ROAAM (Theofanous, 1994) can be used to determine the uncertainty distribution for the peak pressure in the containment due to hydrogen combustion. The quasi-static loads from hydrogen combustion can be obtained by an adiabatic isochoric complete combustion model and then be corrected to account for burn completeness and expansion into nonparticipating compartments. The uncertainty distribution for hydrogen concentration and ignition frequencies should be used in the quantification of the pressure distribution for comparison with the ultimate pressure capability of the containment.

Question 10 - Is the break location under water for bypass accidents?

Core damage accident sequences that bypass containment (such as interfacing systems LOCA) usually result in significant fission product release to the environment. The relatively high environmental release for these accidents occurs because the release path bypasses attenuation mechanisms (such as sprays or water pools) that would otherwise be available to reduce the source term. A possible accident management strategy for containment bypass accidents is to flood the break location outside of containment (refer to Section B.2.5.4) for those cases that would otherwise not be flooded.

propagation between compartments. In addition, combustion behavior is influenced by the effec ts of operating sprays.

B-11
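The bounding calculation outlined for Question 9 (hydrogen inventory from zirconium oxidation, adiabatic isochoric pressure rise, screen against the ultimate capacity) is written out below as an added worked example in Python. It is not code from this guide or from the Kalinin PRA. The plant parameters (free volume, initial atmosphere, zirconium inventory, ultimate capacity), the constant heat capacities, and the flammability rule of thumb are assumed values chosen for illustration; the burn-completeness factor is the correction the text describes, applied as a simple fraction of the hydrogen that burns.

```python
"""Bounding hydrogen-combustion screen for CET Question 9.

Added worked example, not code from NUREG/CR-6572 or the Kalinin PRA. Estimates
in-vessel hydrogen from zirconium oxidation, computes the adiabatic isochoric
complete combustion (AICC) pressure with a burn-completeness correction, and
screens the result against the ultimate pressure capability of the containment.
All numerical inputs are assumed values chosen for illustration.
"""

R = 8.314          # J/(mol K)
M_ZR = 0.09122     # kg/mol, zirconium
DH_H2 = 241.8e3    # J/mol, heat released per mole of H2 burned to steam (lower heating value)
# Constant-volume molar heat capacities at elevated temperature, J/(mol K).
# Assumed round values; a real analysis would use temperature-dependent properties.
CV = {"N2": 25.0, "O2": 26.0, "H2O": 35.0, "H2": 24.0}


def hydrogen_moles_from_zr(zr_mass_kg, oxidation_fraction):
    """Zr + 2 H2O -> ZrO2 + 2 H2: two moles of hydrogen per mole of zirconium oxidised."""
    return 2.0 * oxidation_fraction * zr_mass_kg / M_ZR


def initial_mixture(volume_m3, temp_k, p_pa, n_h2, steam_mole_frac):
    """Moles of each species: an air/steam atmosphere at (p_pa, temp_k) filling
    volume_m3, plus n_h2 moles of hydrogen released from the RCS."""
    n_atm = p_pa * volume_m3 / (R * temp_k)
    return {"H2O": steam_mole_frac * n_atm,
            "N2": 0.79 * (1.0 - steam_mole_frac) * n_atm,
            "O2": 0.21 * (1.0 - steam_mole_frac) * n_atm,
            "H2": n_h2}


def is_flammable(n):
    """Rule-of-thumb flammability limits for H2-air-steam (assumed): at least
    4 vol% hydrogen and no more than 55 vol% steam."""
    total = sum(n.values())
    return n["H2"] / total >= 0.04 and n["H2O"] / total <= 0.55


def aicc_pressure(n, volume_m3, temp_k, completeness=1.0):
    """Adiabatic isochoric combustion of the mixture n (moles per species).
    `completeness` is the fraction of the available hydrogen that burns; 1.0
    gives the bounding AICC load. No credit is taken for heat loss to structures
    or for expansion into nonparticipating compartments.
    Returns (pre-burn, post-burn) absolute pressure in Pa."""
    n = dict(n)                                            # do not mutate the caller's mixture
    p_pre = sum(n.values()) * R * temp_k / volume_m3
    burned = completeness * min(n["H2"], 2.0 * n["O2"])  # oxygen-limited for rich mixtures
    n["H2"] -= burned
    n["O2"] -= burned / 2.0
    n["H2O"] += burned
    heat_capacity = sum(n[s] * CV[s] for s in n)           # J/K of the post-burn gas
    t_post = temp_k + burned * DH_H2 / heat_capacity
    p_post = sum(n.values()) * R * t_post / volume_m3
    return p_pre, p_post


def screen_question_9(p_bounding_pa, p_ultimate_pa):
    """Question 9 screen: if the bounding AICC load is below the ultimate
    capacity, the conditional probability of containment failure by hydrogen
    combustion before vessel meltthrough is 0.0; otherwise a detailed analysis
    (e.g. the ROAAM-based distribution) is required, signalled here by None."""
    return 0.0 if p_bounding_pa < p_ultimate_pa else None


if __name__ == "__main__":
    # Assumed plant values (not Kalinin data): 60,000 m3 free volume, atmosphere
    # at 320 K and 1.2 bar with 30 % steam, 20,000 kg of core zirconium of which
    # 50 % oxidises in-vessel, ultimate containment capacity 5.0 bar absolute.
    n_h2 = hydrogen_moles_from_zr(20_000.0, 0.5)
    mix = initial_mixture(60_000.0, 320.0, 1.2e5, n_h2, steam_mole_frac=0.3)
    p_pre, p_aicc = aicc_pressure(mix, 60_000.0, 320.0)
    print(f"hydrogen: {n_h2 * 2.016e-3:.0f} kg, flammable: {is_flammable(mix)}")
    print(f"pre-burn {p_pre / 1e5:.2f} bar, AICC {p_aicc / 1e5:.2f} bar")
    print("Question 9 conditional failure probability:", screen_question_9(p_aicc, 5.0e5))
```

With the assumed inputs the AICC load comes out near 3.8 bar absolute against a 5 bar capacity, so the screen returns 0.0 and no further analysis of this mode is needed for that case; halving the completeness factor lowers the load but, as the text notes, a load close to the capacity is the trigger for the detailed analysis, not a pass of the bounding screen alone.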

Question 11 - Is the region under the reactor vessel flooded or dry?

This question can be answered by reference to the PDS. For example, in some containment designs, if the water in the water storage tanks is injected into containment, then the reactor cavity will be flooded (i.e., a failure in the recirculation mode in Question 2). However, in other containment designs, accident management strategies are needed to ensure that sufficient water is injected into containment in order to flood the reactor cavity.

Flooding the reactor cavity can be beneficial during a core meltdown accident in two respects. First, a flooded cavity would externally cool the reactor vessel and (for some reactor designs) could prevent the core debris from melting through the bottom vessel head. This would prevent ex-vessel core debris interactions, and the environmental consequences of the accident would be significantly reduced. Second, even if the core debris does melt through the vessel head, it could be cooled by the water in the cavity, and if a coolable debris bed is formed, the potential for core-concrete interactions would be eliminated.

Although a flooded cavity has obvious advantages, some of the potential adverse effects discussed in Section B.2.5.1 need to be considered before implementing containment flooding strategies.

Question 12 - Is reactor vessel breach prevented?

This question deals with the likelihood of preventing vessel breach by retaining the core debris in the reactor vessel. This could be achieved in two ways, namely, by restoration of in-vessel coolant injection (positive response to Question 7) or by externally cooling the lower head of the vessel (positive response to Question 11).

Accidents in which in-vessel coolant is restored within a certain time frame after the start of core damage can arrest the accident progression without vessel breach. For these accidents, subsequent questions related to containment failure at vessel breach are not pertinent. For a typical U.S. pressurized water reactor design, credit for in-vessel arrest of the accident has been given for cases where water flow is restored within 30 minutes of the onset of core damage. If cooling is restored within 30 minutes, the probability of successful arrest was assumed to be 1.0. A similar time frame appropriate for VVERs, based on core heatup characteristics and the potential for core coolability, should be developed.

The likelihood of preventing vessel breach by cavity flooding depends on several factors, such as the pressure in the primary system, the configuration of the cavity, the extent of submergence of the reactor vessel, and easy access of water to the bottom of the reactor vessel. Under high RCS pressure circumstances, due to pressure and thermal loading, it is likely that vessel breach cannot be prevented by cavity flooding.

Under low RCS pressure circumstances, the likelihood of preventing vessel breach by external flooding can be evaluated by determining the thermal load distribution on the inside boundary of the lower head, the critical heat flux limitation on the outside boundary of the lower head (which is affected by the insulation), and the structural integrity of the lower head when subjected to static and dynamic loads (i.e., fuel-coolant interactions).

Detailed discussions and application of ROAAM to this issue for the Loviisa Nuclear Plant (VVER-440) in Finland and an advanced U.S. light water reactor (AP600) design can be found elsewhere (Tuomisto and Theofanous, 1994; Theofanous et al., 1995). Some ideas to enhance the assessment basis, as well as performance in this respect, for application to larger and/or higher power density reactors are also provided by Theofanous et al. (1995).

Question 13 - Does containment fail at vessel breach?

The likelihood of containment failure at vessel breach depends on several factors, such as the pressure in the primary system, the amount and temperature of the core debris exiting the vessel, the size of the hole in the vessel, the amount of water in the cavity, the configuration of the cavity, and the structural capability of the containment building. Attachment 1 identifies the pressure in the RCS as the most important consideration for assessing the likelihood of containment failure at vessel breach. Therefore, this question depends heavily on the response to Question 6.

Low-Pressure Sequences

Under low RCS pressure circumstances, various mechanisms could challenge containment integrity. These include rapid steam generation caused by core debris contacting water in the cavity and hydrogen combustion. Again, scoping calculations can be performed to obtain bounding estimates of the pressure loads under these circumstances. These bounding pressure loads can be compared to the capacity of the containment building to determine the likelihood of failure. However, it is unlikely that these bounding pressure loads will exceed the ultimate capacity of the Kalinin containment. The probability of containment failure conditional on a low-pressure accident sequence is, therefore, expected to be relatively low (approximately 0.01) and driven by remote events, such as energetic fuel-coolant interactions of sufficient magnitude to project missiles through the containment structure. A recent report (Basu and Ginsberg, 1996) of a steam explosion review group presents an updated assessment of the likelihood of an in-vessel steam explosion causing containment failure. This report can be used as a basis for quantifying the CET.

High-Pressure Sequences

The most important failure mechanisms for high-pressure core meltdown sequences are associated with high-pressure melt ejection. Ejection of the core debris at high pressure can cause the core debris to form fine particles that can directly heat the containment atmosphere (i.e., direct containment heating [DCH]) and cause rapid pressure spikes. During high-pressure melt ejection, the hot particles could also ignite any combustible gases in containment, thereby adding to the pressure pulse. The potential for DCH to cause containment failure depends on several factors, such as the primary system pressure, the size of the opening in the vessel, the temperature and composition of the core debris exiting the vessel, the amount of water in the cavity, and the dispersive characteristics of the reactor cavity.

Simple bounding calculations for high-pressure sequences are unlikely to be conclusive (i.e., they will almost certainly exceed the ultimate capability of the containment). Therefore, a more detailed analysis of this failure mechanism is needed.

Discussions on the application of ROAAM to this issue are reported in The Probability of Containment Failure by Direct Containment Heating in Zion and its supplement (Pilch, Yan, and Theofanous, 1994). The basic understanding upon which the approach to quantification of DCH loads is based is that intermediate compartments trap most of the debris dispersed from the reactor cavity and that the thermal-chemical interactions during this dispersal process are limited by the incoherence in the steam blowdown and melt entrainment processes. With this understanding, it is possible to reduce most of the complexity of the DCH phenomena to a single parameter: the ratio of the melt entrainment time constant to the system blowdown time constant, which is referred to as the coherence ratio.

DCH loads also depend on parameters that characterize the system initial conditions: primary system pressure, temperature and composition (i.e., hydrogen mole fraction), melt quantity and composition (i.e., zirconium and stainless steel mass fraction), and initial containment pressure and composition. The key component of the framework, therefore, is the causal relations between these parameters and the resulting containment pressure (and temperature). Of these parameters, some are fixed, some vary over a narrow range, and some are so uncertain that they can be approached only in a very bounding sense.

Plant-specific analyses should be performed to quantify the probability density functions for the initial melt parameters. However, sequence uncertainties can be enveloped by a small number of splinter scenarios without assignment of probability. These distribution functions, combined with a two-cell equilibrium model for containment, can be used to obtain a probability density function for the peak containment pressure.

The resulting distribution for peak containment pressure is then combined with fragility curves (probabilistically distributed themselves) for the containment structure to obtain a probability distribution of the failure frequency (Pilch et al., 1996). NUREG/CR-6338 (Pilch et al., 1996) provides further discussion on how the methodology and scenarios described in Pilch, Yan, and Theofanous (1994) were used to address the DCH issue for 34 Westinghouse plants with large volume containments. This report could be helpful for extrapolating the approach to a VVER containment.
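The uncertainty-propagation step described for the high-pressure sequences of Question 13 (sample the uncertain initial melt parameters, compute a peak containment pressure, and combine the resulting distribution with a fragility curve that is itself distributed) is shown below as an added example in Python. It is not code from this guide and it is not the two-cell equilibrium model of Pilch et al.: the load model is a single-cell adiabatic estimate in which one efficiency parameter stands in for debris trapping in intermediate compartments and for blowdown/entrainment incoherence, and every parameter range, heat of reaction and fragility value is an assumption made here for illustration. The same two-loop structure applies to the hydrogen-burn load distribution discussed under Question 9.

```python
"""Propagation of uncertain initial conditions through a simple containment load
model and convolution with an uncertain fragility curve (CET Question 13).

Added worked example, not code from NUREG/CR-6572 and not the Pilch et al.
two-cell model. All numerical inputs are assumed values.
"""
import math
import random

GAMMA = 1.3                   # effective specific-heat ratio of the atmosphere (assumed)
E_ZR_OXIDATION = 6.45e6       # J per kg Zr, Zr + 2 H2O -> ZrO2 + 2 H2 (approximate)
E_H2_BURN_PER_KG_ZR = 5.3e6   # J per kg Zr: 2 mol H2 per mol Zr x 241.8 kJ/mol, if that H2 burns
CP_MELT = 500.0               # J/(kg K), corium specific heat (rough)


def normal_cdf(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def dch_pressure_rise(volume_m3, melt_mass_kg, zr_mass_frac, melt_temp_k, gas_temp_k, efficiency):
    """Single-cell adiabatic estimate of the DCH pressure rise: a fraction
    `efficiency` of the debris sensible heat plus the zirconium oxidation and
    hydrogen burn energy is deposited in the atmosphere at constant volume,
    dP = (gamma - 1) E / V. Efficiency 1.0 is the bounding (fully coherent, no
    trapping) case; smaller values stand in for a small coherence ratio and for
    debris trapped in intermediate compartments."""
    sensible = melt_mass_kg * CP_MELT * (melt_temp_k - gas_temp_k)
    chemical = melt_mass_kg * zr_mass_frac * (E_ZR_OXIDATION + E_H2_BURN_PER_KG_ZR)
    return (GAMMA - 1.0) * efficiency * (sensible + chemical) / volume_m3


def lognormal_fragility(p_pa, median_pa, beta):
    """Conditional failure probability at load p_pa for a lognormal fragility curve."""
    return normal_cdf(math.log(p_pa / median_pa) / beta)


def failure_probability_distribution(volume_m3, p_initial_pa, melt_mass_range, zr_frac_range,
                                     efficiency_range, fragility_median_pa, beta_r, beta_u,
                                     n_outer=200, n_inner=200, seed=7):
    """Two-loop sampling. Outer loop: sample the containment capacity (epistemic
    uncertainty beta_u, i.e. the fragility curve is itself distributed). Inner
    loop: sample the melt parameters, compute the peak pressure and evaluate the
    aleatory fragility (beta_r). Returns (mean, 5th percentile, 95th percentile)
    of the conditional containment failure probability at vessel breach."""
    rng = random.Random(seed)
    outcomes = []
    for _ in range(n_outer):
        median = fragility_median_pa * math.exp(beta_u * rng.gauss(0.0, 1.0))
        acc = 0.0
        for _ in range(n_inner):
            melt_mass = rng.uniform(*melt_mass_range)
            zr_frac = rng.uniform(*zr_frac_range)
            eff = rng.uniform(*efficiency_range)
            # assumed debris temperature 2500 K and atmosphere temperature 400 K
            p_peak = p_initial_pa + dch_pressure_rise(volume_m3, melt_mass, zr_frac, 2500.0, 400.0, eff)
            acc += lognormal_fragility(p_peak, median, beta_r)
        outcomes.append(acc / n_inner)
    outcomes.sort()
    k = len(outcomes)
    return sum(outcomes) / k, outcomes[int(0.05 * k)], outcomes[min(k - 1, int(0.95 * k))]


if __name__ == "__main__":
    # Assumed values: 60,000 m3 containment at 1.5 bar before vessel breach,
    # 30 to 60 t of melt with 10 to 30 % zirconium, 10 to 40 % of the energy
    # reaching the atmosphere, fragility median 10 bar with beta_r 0.15, beta_u 0.2.
    bounding = 1.5e5 + dch_pressure_rise(60_000.0, 60_000.0, 0.3, 2500.0, 400.0, 1.0)
    print(f"bounding single-cell peak pressure: {bounding / 1e5:.1f} bar")
    mean, p5, p95 = failure_probability_distribution(
        60_000.0, 1.5e5, (30_000.0, 60_000.0), (0.1, 0.3), (0.1, 0.4), 1.0e6, 0.15, 0.2)
    print(f"conditional failure probability: mean {mean:.4f}, 5th {p5:.4f}, 95th {p95:.4f}")
```

The bounding single-cell estimate (efficiency 1.0) lands well above the assumed capacity, which is the situation the text describes for simple bounding calculations of high-pressure sequences; the sampled result is what a CET would actually carry forward as the conditional probability for Question 13, with the 5th and 95th percentiles expressing the epistemic spread coming from the fragility curve itself.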

Question 14 - Do the sprays actuate or continue to operate after vessel breach?

This question depends in part on the information in the PDS but is also influenced by accident management considerations. For some accident sequences, power is available and the sprays will continue to operate during recirculation. In other accident sequences, power will be restored and accident management strategies are needed to ensure the spray operation is restored in an appropriate manner. Section B.2.5.1 provides guidance on developing accident management strategies for spray operation.

Question 15 - Is the core debris in a coolable configuration?

This question addresses the likelihood of coolability of the core debris released into the reactor cavity. Coolability of the core debris requires that the cavity region under the vessel be flooded (response to Question 11) and that the molten core materials are fragmented into particles of sufficient size to form a coolable configuration. Debris bed coolability is an important issue because if the debris forms a coolable geometry, the only source of containment pressurization will be the generation of steam from boiloff of the overlying water. Under these circumstances, if containment heat removal systems are available, then late containment failure would be prevented. Even in the absence of containment heat removal, pressurization from water boiloff is a relatively slow process and would result in very late containment failure, allowing time for remedial actions. Furthermore, a coolable debris geometry would limit penetration of the core debris into the basemat and thus prevent this potential failure mode. This, in turn, limits CCIs and prevents radionuclide releases from the core debris (i.e., no ex-vessel fission product release).

There is, however, a significant likelihood that, even if a water supply is available, the core debris will not be coolable and, therefore, will attack the concrete basemat. Under these circumstances, noncondensible gases would be released in addition to steam and add to containment pressurization. Also, if significant CCI occurs, the core debris could penetrate the basemat (depending on the thickness of the concrete) and ex-vessel radionuclide release will occur.

Formation of a coolable debris bed depends on several factors, such as the mode of contact between the core debris and water, the size distribution of the core debris particles, the depth of the debris bed, and the depth of the water pool. As a general rule, unless the debris bed is calculated to be thin, both a coolable and a noncoolable configuration should be considered for the purposes of CET quantification.

Question 16 - Does containment fail late?

This question deals with the likelihood of containment failure long after vessel breach. The likelihood and timing of late containment failure depend on the presence of water in the cavity (response to Question 11), core debris coolability (response to Question 15), and the availability of containment heat removal systems (response to Question 14). Each possible combination of responses is discussed below.

Dry Cavity

If the cavity is dry, the core debris will in general not be coolable and Question 15 is irrelevant. Extensive CCI will occur, and noncondensible gases, steam, and radionuclides will be released to containment. Containment pressurization rates can be obtained by simplified energy balance calculations assuming bounding values. In addition, combustible gases (H2 and CO) will also be released during CCI and could result in combustion events. The impact of combustion can be evaluated in a manner similar to the approach discussed in Question 9. Furthermore, the likelihood of basemat penetration resulting from CCI should also be evaluated for the dry cavity case. The projected consequences of basemat meltthrough are, however, relatively minor compared with an above-ground failure of the containment that might be caused earlier by a combustion event or high-pressure loads.

Flooded Cavity

If the cavity is flooded, then the response to Question 15 (core debris coolability) is very important to CET quantification. Each possibility is discussed below.

Core debris coolable. If the core debris is coolable, CCI does not occur and all of the decay heat goes

into boiling water. If the containment heat removal systems are operating, then late containment failure by overpressurization will be prevented. Also, penetration of the basemat by the core debris will be prevented. If the containment heat removal systems are not operating, then containment failure will eventually occur unless remedial actions are taken.

Core debris uncoolable. If the core debris is not coolable, CCI will occur and the impact of noncondensible and combustion gases will have to be taken into account for CET quantification. In addition, the potential for basemat meltthrough will also have to be assessed.

B.2.3 Release Categorization

The CET analysis generates conditional probabilities for a large number of end states (i.e., potential ways in which radioactivity could be released to the environment). Some of these end states are either identical or similar in terms of key radionuclide release characteristics. These end states are, therefore, grouped into a smaller number of release categories.

These release categories, which are often referred to as release bins or source term bins, should be defined on the basis of appropriate attributes that affect radiological releases and potential offsite consequences. These attributes are plant specific but should include:

  • timing and size of containment failure or bypass
  • operation of sprays (if operating, what is the spray duration time)
  • whether or not the core debris is flooded (if flooded, is a coolable debris bed formed)
  • whether or not the RCS is depressurized prior to vessel breach
  • whether or not vessel breach is prevented (if vessel breach is prevented, ex-vessel release is also prevented)
  • whether or not the break location is above or below ground level
  • whether or not the break location is under water for bypass events.

B.2.4 Source Term Analysis

The magnitude and composition of radioactive materials released to the environment and the associated energy content, time, release elevation, and duration of release are collectively termed the source term. The source term analysis tracks the release and transport of the radioactive materials from the core, through the RCS, then to the containment and other buildings, and finally into the environment. The removal and retention of radioactive materials by natural processes, such as deposition on surfaces, and by engineered safety systems, such as sprays, are accounted for in each location.

For the analysis of source terms, a simple parametric approach is recommended, similar to that used in NUREG/CR-5747 (Nourbakhsh, 1993). This method describes source terms as the product of release fractions and transmission factors at successive stages in the accident progression. The parameters entering this source term formulation can be derived from existing databases supplemented by a few plant-specific code calculations (e.g., using the MELCOR code). Using the resulting simplified formulation, a set of source terms that has a one-to-one correspondence with the source term categories (see Section B.2.3) can be obtained.

B.2.5 Development of Severe Accident Management Strategies

Severe accident management strategies consist of those actions that are taken during the course of an accident to prevent core damage, terminate core damage progression (and retain the core within the vessel), maintain containment integrity, and minimize offsite releases. Severe accident management strategies also involve preplanning and preparatory measures for severe accident management guidance and procedures, equipment and design modifications, and severe accident management training.

The assessment methodology discussed in Sections B.2.1 through B.2.5 provides a basis for the development and evaluation of potential plant-specific accident management strategies. The integrated results of procedural activities 1 to 5

(Figure B.2) will be a set of accident progression groups (release categories) with corresponding frequency and radionuclide release characteristics (source term). Potential accident management strategies can then be developed to reduce the frequency of (or eliminate) accident progression groups with large release concerns.

All accident recovery/management actions should remain consistent between the Level 1 PRA and the CET analyses. The recovery actions prior to initiation of core damage (prevention strategies) should be credited in the Level 1 PRA, while any actions beyond the initiation of core damage (post-core damage accident mitigation) should be evaluated as part of the Level 2 PRA assessment.

The simplified containment event tree discussed in Section B.2.2 (refer to Table B-2) identified a number of opportunities for implementing accident management strategies. The severe accident management strategies identified are:

  • spray or injection of water into containment (Questions 4, 11, and 14)
  • RCS depressurization (Question 6)
  • in-vessel water addition to a degraded core (Question 7)
  • flooding the break location for bypass events (Question 10).

Careful evaluation of the feasibility and the relative advantages and disadvantages of each of these accident management strategies is needed prior to their implementation at any specific plant. Plant layout and geometry, the capacity and redundancy of emergency plant systems, as well as specific balance of plant features, can determine whether a particular strategy is feasible or makes sense under a certain accident scenario at a particular plant. For instance, containment pressure capability, areas for debris spreading, size of sumps, elevation of the reactor vessel, reactor cavity geometry and elevation, water storage tank capacities, flow rates of safety and nonsafety injection systems, and number of equipment trains are only a few of the items which will influence the decisions to be made at a specific site with regard to severe accident management. For further discussion of the results of severe accident management research and implementation, refer to the Organization for Economic Co-operation and Development report entitled Implementing Severe Accident Management in Nuclear Power Plants (OECD, 1996).

B.2.5.1 Spray or Injection of Water into Containment

The use of the spray system or other means to inject water into containment is a potential severe accident management strategy (Questions 4, 11, and 14) for all three time frames considered in the CET in Section B.2.2. Containment sprays can have a number of beneficial effects on severe accident progression. There are, however, a number of potentially adverse effects, which should be considered before implementing a containment spray strategy at a particular plant. The pros and cons associated with spray operation during a severe accident are described below for each potential strategy.

Controlling Containment Atmosphere

Containment sprays can be used to cool and depressurize the containment atmosphere and thus prevent overpressure failure of the containment. Sprays can also remove fission products from the containment atmosphere so that, if containment integrity is lost, the environmental source term will be lower than it would otherwise have been without the effect of sprays.

A potential adverse effect of restoring containment spray operation during the later stages of an accident is the deinerting of a previously steam-inerted atmosphere. This could produce conditions that would allow combustion of a large quantity of hydrogen. Consequently, any strategy to restore containment spray operation late in an accident sequence should consider the impact of hydrogen combustion.

External Cooling of the Reactor Vessel

In some containments, external flooding of the reactor vessel is feasible if sufficient water is injected into containment. This would provide an external heat sink for the reactor vessel and could reduce the boiloff of the in-vessel coolant. In many designs, the vessel lower head could be protected via external flooding, and this external cooling could prevent or delay vessel failure. By preventing the core debris from melting through the

vessel lower head, this accident management strategy would eliminate ex-vessel interactions between the core and water and/or concrete.

A potential adverse effect associated with this strategy is that if vessel failure does occur, then the accumulated water could interact with the molten core debris. These fuel-coolant interactions are likely to be accompanied by rapid steam generation and additional hydrogen production. While these interactions could be energetic, they are unlikely to threaten containment integrity. Nevertheless, the impact of fuel-coolant interactions should be considered prior to implementing a containment flooding strategy.

Flooding Ex-Vessel Core Debris

In some designs, adding or redistributing water in the containment prior to vessel failure could protect against containment failure by such mechanisms as direct attack of the containment boundary or containment penetrations. If water is added after vessel failure and debris ejection, it can, depending on the design, provide a heat sink for the debris and a water pool to scrub fission products.

A potential adverse effect of this strategy is the steam production resulting from the interaction of sprayed or injected water with core debris. This interaction can be substantial depending on the water flow rate and the relative timing of water addition and debris addition into the containment. The amount of steam generated by molten core debris entering a water pool depends on pool depth and whether or not the debris is quenched. The threat posed by steam production to containment integrity will very much depend on the previously existing containment pressure and on the status of containment heat removal mechanisms. In addition, if external water sources are sprayed or injected into the containment, water could accumulate and may lead to flooding of vital containment areas, reducing or eliminating containment heat removal or the pressure suppression function in some containments.

B.2.5.2 Reactor Coolant System Depressurization

RCS depressurization (Question 6 in the CET) can be accomplished via relief valves or via heat removal through the SGs. Regardless of the method used, RCS depressurization provides many positive responses to severe accidents but may also involve some undesirable effects.

RCS depressurization increases the opportunity for injecting water into the RCS from a number of low pressure sources. These include the designed low-pressure safety injection systems, accumulator tanks, and other, unconventional sources, such as fire water systems. Besides providing opportunity for additional injection sources, RCS depressurization reduces the stress on the entire RCS and thus reduces the likelihood of unintentional failure of this fission product barrier, including containment bypass via SGTR. Depressurization will also reduce the natural circulation flows in the reactor pressure vessel and steam generator tubes, thereby reducing thermal loads in both components. Depressurization also decreases the driving potential for high-pressure melt ejection if the core debris eventually melts through the vessel head.

On the negative side, depressurization through the relief valves will increase the rate at which hydrogen is discharged into the containment and could, depending on the depressurization rate, increase core oxidation and degradation. Also, if the RCS pressure is reduced, the potential for triggering energetic in-vessel fuel-coolant interactions is increased, but it is considered unlikely that such energetic interactions would fail the reactor pressure vessel.

Depressurization via the relief valves would increase the flow of fission products into the containment and reduce the time available for deposition of fission products in the RCS. For a containment with an isolation failure, depressurization of the RCS would increase containment pressure and lead to larger flows through the isolation breach. For a bypassed containment, RCS depressurization would decrease the flow through the bypass failure.

If RCS depressurization is accomplished via steam generator heat removal, then special consideration

must be given to protecting steam generator tube integrity. Secondary-side (SG) depressurization will tend to increase the pressure difference across the steam generator tubes and, therefore, could lead to a tube failure or increase an already existing leak. This is especially true after core melt has occurred and the SG tubes are at high temperature. Also, since SG depressurization will increase the heat transfer in the tubes, hydrogen may concentrate there and impair the heat transfer process and limit the amount of RCS depressurization achievable.

Injection of water into the secondary side of the steam generators would be expected to occur as they depressurize. This would further increase the heat transfer from the primary to the secondary side and enhance RCS depressurization.

However, injection of cold water on the secondary side would increase the thermal stresses on the SG tubes and could lead to rupture and containment bypass. Obviously, this possibility decreases at higher water temperatures and lower flow rates. In addition, the presence of water on the secondary side would scrub fission products which have leaked from the primary to the secondary side.

B.2.5.3 In-Vessel Water Addition to a Degraded Core

Water addition to a degraded core may cool the core debris and lead to a safe, stable state. The consensus of the reactor safety community is that even if there are indications of a damaged reactor core, water should be injected when it becomes available. However, there may be a number of undesirable effects accompanying this action that plant personnel should be aware of and prepared for beforehand. These effects include the generation of steam as well as hydrogen, plus the possibility of the core materials returning to a critical state. The successful termination of the accident, as well as the extent and relative importance of the related phenomena, depend on the timing and rate of the water addition and on whether the water source is borated or unborated.

During the early stages of core damage, large amounts of water would rapidly quench the overheated core. Some steam would be produced but would be unlikely to substantially pressurize the RCS or produce large amounts of hydrogen. Smaller rates of water addition would lead to a slower quenching, additional hydrogen would be generated, and embrittled fuel and cladding could be shattered. At very small rates of water addition, quenching may not be achieved and substantial hydrogen could be generated, with accident progression being accelerated.

For a badly damaged core which is still within the RCS, similar considerations to those above would also apply. However, whether even large water flow rates can quench the core debris will depend on the specific geometry of the reconfigured debris. Furthermore, if there is a compact debris bed, its porosity and, therefore, its coolability may be reduced by the eventual precipitation of the boron or other materials dissolved in the water.

After the core debris has melted through the reactor vessel, water injected in-vessel would help to minimize fission product revaporization and cool debris remaining in the vessel. In addition, water flowing out of the break in the lower vessel head would help to cool debris in the reactor cavity and perhaps reduce containment gas temperatures. In the long term, this water could quench the debris and arrest CCI. Again, whether the ex-vessel debris would be quenched depends on the flow rate of the water and the configuration of the debris. Water would also help to scrub volatile and nonvolatile fission products released from the fuel.

Water addition to the ex-vessel core debris also has implications for containment integrity. Depending on the water flow rate, significant steam generation and consequent containment pressurization can result. Additional hydrogen generation within containment can take place. Continued injection into the containment from outside (i.e., not normal emergency cooling system sources) may lead to flooding of containment areas where critical equipment resides. The fact that different water flow rates can lead to a decrease (because of quenching and termination of steam generation) or increase (because of steam, hydrogen production, and gas space compression) in containment pressure has particular significance for an unisolated or bypassed containment.

B.2.5.4 Flooding the Break Location for Bypass Events

This severe accident management action is aimed at providing fission product scrubbing. A water source, such as service water, could be used if the break location can be identified and a connection to the water system is available. An adverse effect of this strategy is that flooding could impact the operation of equipment located near the site of the break.

B.3 Products

In general, sufficient information should be provided in the documentation to allow an independent analyst to reproduce the results. At a minimum, the following should be provided:

  • a thorough description of the procedure used to group (bin) individual accident cutsets into PDSs, or other reduced set of accident scenarios for detailed Level 2 analysis,
  • a listing of the specific attributes or rules used to group cutsets, and
  • a listing and/or computerized database providing cross reference for cutsets to PDSs and vice versa.

Documentation of containment system performance assessments should include a description of information used to develop containment systems analysis models and link them with other system reliability models. This documentation should be prepared in the same manner as that generated in the Level 1 analysis of other systems.

Documentation of analyses of severe accident progression should include the following:

  • a description of plant-specific accident simulation models including extensive references to source documentation for input data,
  • a listing of all computer code calculations performed and used as a basis for quantifying any event in the containment probabilistic logic model including a unique calculation identifier or name, a description of key modeling assumptions or input data used, and a reference to documentation of calculated results. (If input and/or output data are archived for quality assurance records or other purposes, an appropriate reference to calculation archive records is also provided.),
  • a description of key modeling assumptions selected as the basis for performing base case or best estimate calculations of plant response and a description of the technical bases for these assumptions,
  • a description of plant-specific calculations performed to examine the effects of alternate modeling approaches or assumptions,
  • if analyses of a surrogate (i.e., similar) plant are used as a basis for characterizing any aspect of severe accident progression in the plant being analyzed, references to, or copies of, documentation of the original analysis, and a description of the technical basis for assuring the applicability of results, and
  • for all other original engineering calculations, a sufficiently complete description of the analysis method,

assumptions, and calculated results is prepared to accommodate an independent (peer) review.

In general, sufficient information in the documentation of analyses performed to establish containment performance limits is provided that allows an independent analyst to reproduce the results. At a minimum, the following information is documented for a PRA:

  • a general description of the containment structure including illustrative figures to indicate the general configuration, penetration types and location, and major construction materials,
  • a description of the modeling approach used to calculate or otherwise define containment failure criteria,
  • if computer models are used (e.g., finite element analysis to establish overpressure failure criteria), a description of the way in which the containment structure is nodalized including a specific discussion of how local discontinuities, such as penetrations, are addressed, and
  • if experimentally determined failure data are used, a sufficiently detailed description of the experimental conditions to demonstrate applicability of results to plant-specific containment structures.

The following documentation is generated to provide the results and describe the process by which the conditional probability of containment failure is calculated:

  • tabulated conditional probabilities of various containment failure modes with specific characterizations of time phases of severe accident progressions (e.g., early vs. late containment failures),
  • a listing and description of the structure of the overall logic model used to assemble the probabilistic representation of containment performance (graphical displays of event trees, fault trees, or other logic formats are provided to illustrate the logic hierarchy and event dependencies),
  • a description of the technical basis (with complete references to documentation of original engineering analyses) for the assignment of all probabilities or quantitative probability distributions with the logic structure,
  • a description of the rationale used to assign probability values to phenomena or events involving subjective, expert judgment, and
  • a description of the computer program used to exercise the logic model and calculate final results.

Documentation of analyses performed to characterize radiological source terms should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented in a PRA:

  • the radionuclide grouping scheme used and the assumptions made to obtain it should be clearly described, and
  • the time periods considered for the release and the rationale for the choices made.

Documentation of analyses performed to characterize radiological source terms should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented in a PRA:

  • a summary of all computer code calculations used as the basis for estimating plant-specific source terms for selected accident sequences, specifically identifying those with potential for large releases,
  • a description of modeling methods used to perform plant-specific source term calculations; this includes a description of the method by which source terms are assigned to accident sequences for which

computer code calculations were not performed,
  • if analyses of a surrogate (i.e., similar) plant are used (as a basis for characterizing any aspect of radionuclide release): transport or deposition in the plant being analyzed, references to, or copies of documentation of the original analysis, and a description of the technical basis for assuming applicability of results.

Documentation of analyses performed to characterize radiological source terms should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, a description of the method by which uncertainties in source terms are addressed should be documented for a quality PRA.

B.4 References

Basu, S. and T. Ginsberg, A Reassessment of the Potential for an Alpha-Mode Containment Failure and a Review of the Current Understanding of Broader Fuel-Coolant Interaction Issues, NUREG-1524, U.S. Nuclear Regulatory Commission, August 1996.

Benedick, W. B., J. C. Cummings, and P. G. Prassinos, Combustion of Hydrogen:Air Mixtures in the VGES Cylindrical Tank, NUREG/CR-3273, Sandia National Laboratories, 1984.

Benedick, W. B., J. C. Cummings, and P. G. Prassinos, Experimental Results from Combustion of Hydrogen:Air Mixtures in an Intermediate-Scale Tank, Proceedings of the Second International Conference on the Impact of Hydrogen on Water Reactor Safety, NUREG/CP-0038, Sandia National Laboratories, 1982.

Breeding, R. J., et al., Evaluation of Severe Accident Risks: Quantification of Major Input Parameters, Experts: Determination of Structural Response Issues, NUREG/CR-4551, Volume 2, Part 3, Sandia National Laboratories, October 1990.

Kumar, R. K., H. Tamm, and W. C. Harrison, Intermediate-Scale Combustion Studies of Hydrogen-Air-Steam Mixtures, EPRI NP-2955, Electric Power Research Institute, 1984.

Marshall, B. W., Hydrogen:Air:Steam Flammability Limits and Combustion Characteristics in the FITS Vessel, NUREG/CR-3468, Sandia National Laboratories, 1986.

Nourbakhsh, H. P., Estimate of Radionuclide Release Characteristics into Containment Under Severe Accident Conditions, NUREG/CR-5747, Brookhaven National Laboratory, November 1993.

OECD, Implementing Severe Accident Management in Nuclear Power Plants, Organisation for Economic Co-operation and Development, Nuclear Energy Agency, 1996.

Pilch, M. M., et al., Resolution of the Direct Containment Heating Issue for all Westinghouse Plants with Large Dry Containment or Subatmospheric Containment, NUREG/CR-6338, Sandia National Laboratories, February 1996.

Pilch, M. M., H. Yan, and T. G. Theofanous, The Probability of Containment Failure by Direct Containment Heating in Zion, NUREG/CR-6075, Sandia National Laboratories, 1994.

Theofanous, T. G., et al., In-Vessel Coolability and Retention of Core Melt, DOE/ID-10460, July 1995.

Theofanous, T. G., Dealing with Phenomenological Uncertainty in Risk Analysis, Workshop I in Advanced Topics in Reliability and Risk Analysis, Annapolis, MD, October 20-22, 1993, NUREG/CP-0138, October 1994.

Thomson, R. T., Large-Scale Hydrogen Combustion Experiments, Volume 1: Methodology and Results, EPRI NP-3878, Electric Power Research Institute, October 1988.

Torok, R., et al., Hydrogen Combustion and Control Studies in Intermediate Scale, EPRI NP-2953, Electric Power Research Institute, 1983.

Tuomisto, H. and T. G. Theofanous, A Consistent Approach to Severe Accident Management, Nuclear Engineering and Design, 148, 171-183, 1994.

Wong, C. C., HECTR Analysis of Nevada Test Site (NTS) Premixed Combustion Experiments, SAND87-0956, Sandia National Laboratories, 1987.

ATTACHMENT 1

GUIDANCE ON THE EXAMINATION OF CONTAINMENT SYSTEM PERFORMANCE

INTRODUCTION

This appendix discusses the key phenomena and/or processes that can take place during the evolution of a severe accident and that can have an important effect on the containment behavior. In addition, general guidance on the evaluation of containment system performance given the present state of the art of analysis of these phenomena is provided. The evaluation should be a pragmatic exploitation of the present containment capability. It should give an understanding and appreciation of severe accident behavior, should recognize the role of mitigating systems, and should ultimately result in the development of accident management procedures that could both prevent and ameliorate the consequences of some of the more probable severe accident sequences involved. The information provided here summarizes some more recent developments in core melt phenomenology relevant to containment performance, identifies areas of uncertainty, and suggests ways of proceeding with the evaluation of containment performance despite uncertainties, and potential ways of improving containment performance for severe accident challenges.

The systems analysis portion of the probabilistic risk assessment (PRA) identifies accident sequences that occur as a result of an initiating event followed by failure of various systems or failure of plant personnel to respond correctly to the accident. Although the number of possible core melt accident sequences is very large, the number of containment system performance analyses does not have to be as large. The number of sequences can be reduced by grouping those accident sequences that have a similar effect on the plant features that determine the release and transport of fission products.

STATUS OF CONTAINMENT SYSTEMS PRIOR TO VESSEL FAILURE

In order to examine the containment performance, the status of the containment systems and related equipment prior to core melt should be determined. This requires analyses of (1) the pathways that could significantly contribute to containment-isolation failure, (2) the signals required to automatically isolate the penetration, (3) the potential for generating the signals for all initiating events, (4) the examination of the testing and maintenance procedures, and (5) the quantification of each containment-isolation failure mode (including common mode failures).

In the early phase of an accident, steam and combustible gases are the main contributors to containment pressurization. The objective of the containment decay heat removal systems, such as sprays, fan cooler, and the suppression systems, is to control the evolution of accidents that would otherwise lead to containment failure and the release of fission products to the environs. The effectiveness of the several containment decay heat removal systems for accomplishing the intended mitigating function should be examined to determine the probability of successful performance under accident conditions. This includes potential intersystem dependencies as well as the identification of all the specific functions being performed and the determination of the mission time considering potential failure due to inventory depletion (coolant, control air, and control power) or environmental conditions. If, as a result of the accident sequence, the frontline containment decay heat removal systems fail to function, if their effectiveness is degraded, or if the operator fails to respond in a timely manner to the accident symptoms, the containment pressure would continue to increase. In this case, some systems that were not intended to perform a safety function might be called upon to perform that role during an accident. If the use of such systems is considered during the examination, their effectiveness and probability of success for fulfilling the needed

safety function should also be examined. Part of the examination should be to determine if adequate procedures exist to ensure the effective implementation of the appropriate operator actions.

PHENOMENA AFTER VESSEL FAILURE

If adequate heat removal capability does not exist in a particular accident sequence, the core will degrade and the containment could potentially overpressurize and eventually fail. Efforts to stabilize the core before reactor vessel failure or to extend the time available for vessel reflood should be investigated. For certain accident groups that proceed past vessel failure, the containment pressurization rate could exceed the capability of the mitigating systems to reject the energy associated with the severe accident phenomena encountered with vessel failure. For each such accident sequence, the molten core debris will relocate, melting through and mixing with materials in its path. Depending on the particular containment geometry and the accident sequence groups, a variety of important phenomena influence the challenges to containment integrity.

The guidance provided below deals with this subject at three levels. The first provides some rather general considerations regarding the nature of these phenomena as they impact containment. The second level considers the manifestation of these phenomena in more detail within the generic high and low pressure scenarios. Finally, the third level provides some specific guidance particularly regarding the treatment of certain important areas of uncertainty.

General Description of the Phenomena Associated with Severe Accident Considerations

The contact of molten corium with water, referred to as fuel-coolant interaction, can occur both in-vessel and ex-vessel. If the interaction is energetic inside the reactor vessel, it may generate missiles and a rapid pressurization (steam explosion) of the primary system. Early containment failure associated with in-vessel steam explosions (alpha mode failure) is generally considered to be of low enough likelihood to not warrant additional consideration (Basu and Ginsberg, 1996). However, smaller, less energetic in-vessel steam explosions are not unlikely and their influence on fission product release and hydrogen generation are still under investigation. If the fuel-coolant interaction occurs ex-vessel, as might happen if molten fuel fell into a water-filled cavity upon vessel meltthrough, it may disperse the corium and lead to rapid pressurization (steam spike) of the containment. In any case, at one extreme, abundant presence of water would favor quenching of the corium mass and the continued dissipation of the decay heat by steaming would lead to containment pressurization. Clearly in the absence of external cooling, the containment will eventually overpressurize and fail, although the presence of extensive, passive heat sinks (structures) within the containment volume would delay the occurrence of such an event. Fuel-coolant interactions can also yield a chemical reaction between steam and the metallic component of the melt, producing hydrogen and the consequent potential for burns and/or explosions.

At the other extreme, when water is not available, the principal interaction of the molten corium is with the concrete floor of the containment. This interaction produces three challenges to containment integrity. First, the concrete decomposition gives off noncondensible gases (CO2, CO) that contribute to pressurizing the containment atmosphere. Second, concrete of certain compositions decomposes and releases CO2 and steam, which can interact with the metallic components in the melt to yield highly flammable CO and H2, with potential consequences ranging from benign burns at relatively low hydrogen concentrations to rapid deflagrations at high hydrogen concentrations. Third, continued penetration of the floor can directly breach the containment boundary. Also, thermal attack by the molten corium of retaining sidewalls could produce structural failure within the containment causing damage to vital systems and perhaps to failure of the containment boundary.

Another type of fuel interaction is with the containment atmosphere. Scenarios can be postulated (e.g., station blackout) in which the reactor vessel and primary system remain at high pressure as the core is melting and relocating to the bottom of the vessel. Continued attack of the molten corium on the vessel lower head could eventually cause the lower head to fail. Because of a potentially high driving pressure, the molten

corium could be energetically ejected from the vessel. Uncertainties remain related to the effect of the following on direct containment heating: (1) vessel failure area, (2) the amount of molten corium in the lower head at the time of failure, (3) the degree to which it fragments upon ejection, (4) the degree and extent to which a path from the cavity to the upper containment atmosphere is obstructed, (5) the fragmented molten corium that could enter and interact with the upper containment atmosphere, and (6) cavity gas temperature. Since the containment atmosphere has small heat capacity, the energy in the fragmented corium could rapidly transfer to the containment atmosphere, causing rapid heating and pressurization. The severity of such an event could be further exacerbated by any hydrogen that may be simultaneously dispersed and direct oxidation (exothermic) of any metallic components. Depending upon this and the other factors previously mentioned, this pressurization could challenge containment integrity early in the event.

Even with the above limited perspective, it should be clear that given a core melt accident, a great deal of the phenomenological progression hinges upon water availability and the outcome of the fuel-coolant interactions; specifically whether a full quench has been achieved and whether the resulting particulates will remain coolable. In general, the presence of fine particulates to any significant degree would imply the occurrence of energetic steam explosions and hence the presence of significant forces that would be expected to disperse the particulates to coolable configurations outside the reactor cavity. Otherwise, the coolability of deep corium beds of coarse particulates is the major concern. A summary of how these mechanisms interface and interact as they integrate into an accident sequence is given below.

Accident Sequences: High-Pressure Scenario

The core melt sequence at high primary system pressure is often due to a station blackout sequence. The high-pressure scenario also represents one of the most significant contributors to risk. The initial stages of core degradation involve coolant boiloff and core heatup in a steam environment. At such high pressures, the volumetric heat capacity of steam is a significant fraction of that of water (about one third), and one should expect significant core (decay) energy redistribution due to natural circulation loops set up between the core and the remaining cooler components of the primary system. As a result of this energy redistribution, the primary system pressure boundary could fail prior to the occurrence of large-scale core melt. The location and the size of failure, however, remain uncertain. For example, concerns have been raised about the possibility of steam generator tube failures and associated containment bypass. If the vessel lower head fails, violent melt ejection could produce large-scale dispersal and the direct containment heating phenomenon mentioned previously.

Concerns may also be raised about the potentially energetic role of hydrogen within the blowdown process. The presence of hydrogen arises from two complementary mechanisms: (1) the metal-water reaction occurring at an accelerated pace throughout the in-vessel core heatup/meltdown/slump portion of the transient and (2) the reaction between any remaining metallic components in the melt and the high-speed steam flow that partly overlaps and follows the melt ejection from the reactor vessel. The combined result is the release of rather large quantities of hydrogen into the containment volume within a short time period (a few tens of seconds). The implication is that the consideration of containment atmosphere compositions and associated burning, explosion, or detonation potential becomes complicated by a whole range of highly transient regimes and large spatial gradients.

The NUREG-1150 severe accident risk study (NRC, 1990) was the first systematic attempt to treat direct containment heating (DCH) from a PRA perspective by integrating sequence probabilities with uncertainties associated with initial/boundary conditions and phenomenological uncertainties associated with predicting containment loads. Since the completion of the NUREG-1150 study, advances have been made in the ability to predict the probability of containment failure by DCH in pressurized water reactors. The U.S. Nuclear Regulatory Commission has identified DCH as a major issue for resolution in the Revised Severe Accident Research plan and has sponsored analytical and experimental programs for understanding the key physical processes in DCH.
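The preceding discussion describes predicting the probability of containment failure by DCH as a comparison of uncertain containment loads against containment strength. The following is an added example, not code from NUREG/CR-6572 nor from the NUREG-1150 or NUREG/CR-6338 studies it cites: it carries the loads-versus-strength part of that comparison through in Python. The peak pressure load is given a lognormal distribution, the containment fragility (probability of failure at or below a given pressure) is taken as a lognormal CDF, and the conditional failure probability is the integral of load density times fragility. Every parameter (the 0.4 MPa and 1.0 MPa medians and the logarithmic standard deviations) is a constructed assumption, not plant data or any report's result. A two-lognormal closed form and a Monte Carlo run are included as cross-checks, and the result is placed relative to the 0.001 and 0.01 probability values quoted on the page.

```python
"""Loads-versus-strength estimate of conditional containment failure probability.

Added example, not from NUREG/CR-6572 or from the DCH studies it cites.
All distribution parameters are constructed for illustration only.
"""
import math
import random


def lognormal_cdf(x, median, beta):
    """CDF of a lognormal variable with the given median and log-std-dev beta.
    Used here as the fragility curve: F(p) = P(containment fails at pressure <= p)."""
    if x <= 0.0:
        return 0.0
    z = (math.log(x) - math.log(median)) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def lognormal_pdf(x, median, beta):
    """Density of the same lognormal family; used for the load distribution."""
    if x <= 0.0:
        return 0.0
    z = (math.log(x) - math.log(median)) / beta
    return math.exp(-0.5 * z * z) / (x * beta * math.sqrt(2.0 * math.pi))


def failure_probability(load_median, load_beta, strength_median, strength_beta, steps=20000):
    """P(load > strength) = integral over p of f_load(p) * F_strength(p) dp.

    Evaluated with the trapezoid rule in log-pressure (p = exp(u), dp = p du),
    which resolves both tails. The range spans +/- 6 beta around each median,
    beyond which the integrand is negligible.
    """
    lo = min(load_median * math.exp(-6.0 * load_beta),
             strength_median * math.exp(-6.0 * strength_beta))
    hi = max(load_median * math.exp(6.0 * load_beta),
             strength_median * math.exp(6.0 * strength_beta))
    u_lo, u_hi = math.log(lo), math.log(hi)
    h = (u_hi - u_lo) / steps
    total = 0.0
    for i in range(steps + 1):
        p = math.exp(u_lo + i * h)
        weight = 0.5 if i in (0, steps) else 1.0
        total += weight * (lognormal_pdf(p, load_median, load_beta)
                           * lognormal_cdf(p, strength_median, strength_beta) * p)
    return total * h


def failure_probability_closed_form(load_median, load_beta, strength_median, strength_beta):
    """Cross-check: for independent lognormal load and strength, ln(load/strength)
    is normal with mean ln(mL/mS) and variance betaL^2 + betaS^2."""
    beta = math.sqrt(load_beta ** 2 + strength_beta ** 2)
    z = (math.log(load_median) - math.log(strength_median)) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def failure_probability_monte_carlo(load_median, load_beta, strength_median, strength_beta,
                                    samples=200000, seed=1):
    """Sampling cross-check: draw a load and a strength, count how often load > strength."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(samples):
        load = rng.lognormvariate(math.log(load_median), load_beta)
        strength = rng.lognormvariate(math.log(strength_median), strength_beta)
        if load > strength:
            failures += 1
    return failures / samples


def compare_with_page_values(pf):
    """Place a result relative to the two probability values the text quotes
    (0.001 and 0.01) when reporting the NUREG/CR-6338 screening results."""
    if pf <= 0.001:
        return "at or below 0.001"
    if pf < 0.01:
        return "between 0.001 and 0.01"
    return "at or above 0.01"


if __name__ == "__main__":
    # Constructed illustration (assumed values): DCH peak-load median 0.4 MPa
    # (beta 0.3) against a containment failure-pressure median of 1.0 MPa (beta 0.2).
    pf = failure_probability(0.4, 0.3, 1.0, 0.2)
    print(f"numerical P(fail) = {pf:.5f} ({compare_with_page_values(pf)})")
    print(f"closed form       = {failure_probability_closed_form(0.4, 0.3, 1.0, 0.2):.5f}")
    print(f"Monte Carlo       = {failure_probability_monte_carlo(0.4, 0.3, 1.0, 0.2):.5f}")
```

The numerical integral is the general form: it accepts any load density and fragility curve, so a tabulated mean fragility curve or a non-lognormal load can be substituted for the two helper functions without changing the integration; the closed form only holds for the two-lognormal case and is there to confirm the quadrature.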

An extensive database resulted from scaled counterpart experiments conducted by Sandia National Laboratory and Argonne National Laboratory. This database has allowed the development and validation of simple analytical models for predicting the containment loads. In particular, a two-cell equilibrium model was developed based on insight from the experimental program and has been used in the DCH issue resolution process. The two-cell equilibrium model takes into account the coherence between the entrained debris and the reactor coolant system blowdown steam.

The results of a probability assessment of DCH-induced containment failure for the Zion Nuclear Power Plant were published in NUREG/CR-6075 and its supplement (Pilch, Yan, and Theofanous, 1994). NUREG/CR-6338 (Pilch et al., 1996) used the methodology and scenarios described in NUREG/CR-6075 to address the DCH issue for all Westinghouse plants with large volume containments, including 34 plants with large dry containments and 7 plants with subatmospheric containments. DCH loads versus strength evaluations were performed in a consistent manner for all plants. The phenomenological modeling was closely tied to the experimental database. Plant-specific analyses were performed, but sequence uncertainties were enveloped by a small number of splinter scenarios without assignment of probabilities. The results of screening calculations reported in NUREG/CR-6338 indicate that only one plant showed a containment conditional failure probability based on the mean fragility curves greater than 0.001. The containment conditional failure probability for this one plant was found to be less than 0.01.

Accident Sequences: Low-Pressure Scenario

At low system pressure, decay heat redistribution due to natural circulation flow (in steam) is negligible and core degradation occurs at nearly adiabatic conditions. Steam boiloff, together with any hydrogen generation, is continuously released to the containment atmosphere, where mixing is driven by natural convection currents coupled with condensation processes. The upper internals of the reactor vessel remain relatively cold, offering the possibility of trapping fission product vapor and aerosols before they are released to the containment atmosphere. Throughout this core heatup and meltdown process, the potential to significantly load the containment is small. The first possibility for significant energetic loads on the containment occurs when the molten core debris penetrates the lower core support structure and slumps into the lower plenum. The outcome of this interaction cannot be predicted precisely. Thus, a whole range of behavior must be considered in order to cover subsequent events. At the one extreme, the interaction is benign, yielding no more than some steam (and hydrogen) production while the melt quickly reagglomerates on the lower reactor vessel head. At the other extreme, an energetic steam explosion occurs. It may be possible to distinguish intermediate outcomes by the degree to which the vessel integrity is degraded. In analyzing this phase of the accident scenario, the important tasks are to determine the likelihood of containment failure and to define an envelope of corium relocation paths into the containment. The latter is needed to ensure the assessment of the potential for such a phenomenon as liner meltthrough.

Consideration should also be given to ex-vessel coolability as the corium can potentially interact with the concrete. The non-energetic release (vessel lower head meltthrough) and spreading upon the accessible portions of the containment floor below the vessel need to be examined. There is a great deal of variability in accessible floor area among the various designs for some pressurized water reactor cavity designs. The area over which the core debris could spread is rather small given whole-core melts and the resultant pool being in excess of 50 cm deep. In the absence of water, all these configurations would yield concrete attack and decomposition of variable intensity. In the presence of water (i.e., containment sprays), even deep pools may be considered quenchable and coolable. However, the possibility exists for insulating crusts or vapor barriers at the corium-water interface.

Both of these two extremes should be considered. The task is to estimate the range of containment internal pressures, temperatures, and gas compositions as well as the extent of concrete floor penetration and structural attack until the situation has been stabilized. In general, pressurization from continuing core-concrete interactions (dry case) would be considerably slower than from

coolable debris configurations (wet case) because of the absence of steam pressurization.

As a final and crucial part of this scenario, one must address the combustible gas effect. This must include evaluation of the quantities and composition of combustible gases released to the containment, local inerting and deinerting by steam and CO2, as well as hydrogen mixing and transport. Also included should be consideration of gaseous pathways between the cavity and upper containment volume to confirm the adequacy of communication to support natural circulation and recombination of combustible gases in the reactor cavity.

GENERAL GUIDANCE ON CONTAINMENT PERFORMANCE

In the approach outlined in this appendix, emphasis is placed on those areas that would ensure that the PRA process considers the full range of severe accidents. The PRA process should be directed toward developing a plant-specific accident management scheme to deal with the probable causes of poor containment performance. To achieve these goals, it is of vital importance to understand how reliable each of the containment event tree estimates is, and what the driving factors are. Decisions on potential improvements should be made only after appropriately considering the sources of uncertainties. Of course, preventing failure altogether is predicated upon recovering some containment heat removal capability. Given that in either case pressurization develops on the time scale of many hours, feasible recovery actions could be planned as part of accident management.

The bulk of phenomenological uncertainties affecting containment response is associated with the high-pressure scenarios. Unless it can be demonstrated that the primary system can be reliably depressurized, a low probability of early containment failure should not be automatically assumed.

Low-pressure sequences, by comparison, present few remaining areas of controversy. These areas include the coolability behavior of deep molten corium pools and the behavior of hydrogen (and other combustibles) in the containment atmosphere. The views and guidance concerning each one of these areas are briefly summarized below.

The concerns about deep corium pools arose from experiments with top-flooded melts that exhibited crust formation and long-term isolation of the melt from the water coolant. Such noncoolable configurations would yield continuing concrete attack and a containment loading behavior significantly different from coolable ones. On the other hand, it has been pointed out that small-scale experiments would unrealistically not favor coolability. This is an area of uncertainty, and it is recommended that assessments be based on available cavity (spread) area and an assumed maximum coolable depth of 25 cm. For depths in excess of 25 cm, both the coolable and noncoolable outcomes should be considered.

Along these lines, the PRA should document the geometric details of the cavity configuration and flow paths out of the cavity, including any water drain areas into it as appropriate.

With respect to hydrogen, the concerns are related to the completeness of the current understanding of hydrogen mixing and transport. In general, combustibles accumulate very slowly and only if continuing concrete attack is postulated. For the larger dry containments, because of the large containment volume and slow release rates, compositions in the detonable range may not develop unless significant spatial concentrations exist or significant steam condensation occurs. In general, the containment atmosphere under such conditions would exhibit strong natural circulation currents that would tend to counteract any tendency to stratify. However, condensation-driven circulation patterns and other potential stratification mechanisms could limit the extent of the containment volume participating in the mixing process. For plants with igniters, the buildup of combustibles from continuing corium-concrete interactions could be limited by local ignition and burning. However, oxygen availability as determined from natural circulation flows could limit the effectiveness of this mechanism. It is recommended that, as part of the PRA, all geometric details impacting the above phenomena (i.e., heat sink distribution, circulation paths, ignition sources, water availability, and gravity drain paths) be documented in a readily comprehensible form, together with representative combustible source transients.

Finally, uncertainties arise for all plants because of lack of knowledge on how the corium will spread following discharge from the reactor vessel. The reactor cavity configuration will influence the potential for direct attack of the liner by dispersed debris, as well as the potential for basemat failure or structural failure due to thermal attack. The staff recommends that the PRA document describe the detailed geometry (including curbs and standoffs) of the drywell floor.

REFERENCES

Basu, S., and T. Ginsberg, A Reassessment of the Potential for an Alpha-Mode Containment Failure and a Review of the Current Understanding of Broader Fuel-Coolant Interaction Issues, NUREG-1524, U.S. Nuclear Regulatory Commission, August 1996.

NRC, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, U.S. Nuclear Regulatory Commission, December 1990.

Pilch, M. M., et al., Resolution of the Direct Containment Heating Issue for all Westinghouse Plants with Large Dry Containment or Subatmospheric Containment, NUREG/CR-6338, Sandia National Laboratories, February 1996.

Pilch, M. M., H. Yan, and T. G. Theofanous, The Probability of Containment Failure by Direct Containment Heating in Zion, NUREG/CR-6075, Sandia National Laboratories, 1994.

APPENDIX C EXAMPLE CONSIDERATION OF A FLOOD SCENARIO IN A PRA

An example of the analysis of a typical flood scenario is given for further guidance. This example gives some indication of the process required to construct detailed flood scenarios for initial refinement.

In one recent probabilistic risk assessment (PRA), an internal flooding scenario, designated FLOODB, was defined to bound the frequency and impacts from potential flooding events in the annulus. This flooding scenario was retained after the original screening evaluations.

The annulus contains relatively large, open, interconnected floor areas at the lowest level, Elevation -6.0 m. All elevations in the annulus are also interconnected through open stairwells and floor grating. Therefore, it was concluded that only one water source presents a significant hazard for submerging PRA equipment that is located at Elevation -6.0 m. Scenario FLOODB accounts for floods that originate from the nuclear service water (VE) connections to the nuclear component cooling water (TF) heat exchangers. It was conservatively assumed for the screening analysis that a flood from any one of the three heat exchangers would be of sufficient size and would continue long enough to submerge all equipment at Elevation -6.0 m.

Each TF heat exchanger is enclosed in a watertight vault sealed by a normally closed door. Therefore, in addition to evaluating the frequency of events that could cause significant flooding from the VE system, the analysis for scenario FLOODB also accounts for coincident failure of these barriers.

Examination of the event summaries in the flood database reveals that a number of flooding events in the generic database have involved personnel errors during testing and maintenance activities. Therefore, the analysis for scenario FLOODB evaluated two major contributions to the flooding event frequency:

$$N_F = N_{F,M} + N_{F,O}$$

where

N_F = total frequency of flooding events for scenario FLOODB

N_F,M = frequency of flooding events that may occur during maintenance activities

N_F,O = frequency of flooding events that may occur at other times.

C.1 Maintenance Events

The frequency of maintenance-related flooding events was evaluated by the following expression:

$$N_{F,M} = 3\left[\lambda_m f_d \left(\frac{T}{2}\right)\left(\frac{N_{SW}}{3}\right) + 8{,}760\,\lambda_m f_f f_c + \lambda_m d_m \left(\frac{N_{SW}}{3}\right) f_c\right]$$

where

λ_m = frequency of TF heat exchanger maintenance (maintenance events per hour)

f_d = likelihood that personnel fail to restore the heat exchanger vault to normal conditions after maintenance has been completed, e.g., failure to reclose the door (error per maintenance event)

T = time interval between routine annulus inspections (hours)

N_SW = frequency of Other Service Water System-Related Flooding Events (flooding events per plant year)

f_f = fraction of maintenance events that lead directly to inadvertent loss of system integrity (flooding events per maintenance event)

f_c = likelihood that personnel fail to stop the flood before equipment is damaged, e.g., failure to turn off the VE pumps or close the vault door (error per flooding event)

d_m = mean duration of TF heat exchanger maintenance (hours per maintenance event).

The expression contains an overall multiplication factor of 3 because the terms inside the brackets evaluate the total maintenance-related flooding frequency for only one heat exchanger vault.

The first term in the expression accounts for a condition in which maintenance has been performed in one of the heat exchanger vaults (λ_m). However, personnel may fail to secure the watertight door properly after the maintenance work has been completed (f_d). A flood will occur if the VE connection fails (N_SW/3) before the operators discover the open door during their routine inspections (T/2). The fraction (T/2) in this term accounts for the fact that the average exposure period for this condition is one-half the annulus routine inspection interval. The fraction (N_SW/3) accounts for the fact that approximately one-third of the total frequency for Other Service Water System-Related Flooding Events from the database is allocated to each of the three TF heat exchanger vaults.

The second term in the expression accounts for a condition in which maintenance is performed in one of the heat exchanger vaults (λ_m). However, personnel errors during the maintenance work cause a flood from the VE system (f_f). Maintenance and operations personnel fail to stop the flood before the PRA equipment is submerged (f_c). The multiplication factor of 8,760 in this term converts the hourly frequency of TF heat exchanger maintenance into an equivalent annual frequency.

The third term in the expression accounts for a condition in which maintenance is performed in one of the heat exchanger vaults (λ_m). A flood will occur if the VE connection fails (N_SW/3) during the maintenance interval while the watertight door is open (d_m). Maintenance and operations personnel fail to stop the flood before the PRA equipment is submerged (f_c). The fraction (N_SW/3) in this term accounts for the fact that approximately one-third of the total frequency for Other Service Water System-Related Flooding Events in the flood database is allocated to each of the three TF heat exchanger vaults.

The following numerical values were used in this analysis:

  • Frequency of TF Heat Exchanger Maintenance (λ_m). The mean frequency of TF heat exchanger maintenance from the plant-specific PRA database is 3.91 x 10^-5 maintenance event per heat exchanger hour.

  • Failure to Reclose Watertight Door (f_d). A nominal value of 5 x 10^-3 error per maintenance event is used for this error rate. This value is based on generic human error rates that are typically applied for failures to restore equipment to the proper configuration after testing or maintenance activities.

  • Annulus Inspection Interval (T). It is assumed for this analysis that a routine inspection of the annulus is performed at least once each shift and that the open door would be discovered during this inspection. Therefore, the average time interval between inspections is eight hours.

  • Frequency of Service Water Flooding Events (N_SW). The database shows that the mean frequency of Other Service Water System-Related Events is 3.81 x 10^-3 flooding event per plant year. The data analysis portion of the PRA documents that all of this frequency was conservatively allocated to the TF heat exchanger vaults in the annulus.

  • Fraction of Maintenance Events that Involve Floods (f_f). The flooding events database used contains one event related directly to errors during heat exchanger maintenance. The database includes experience from a total of 740 plant years of operation through July 1987. The generic mean frequency of heat exchanger maintenance from Module VI is approximately 4.15 x 10^-5 maintenance event per heat exchanger hour. It is conservatively assumed that each plant in the flooding events database contains only two heat exchangers. Therefore, the total number of heat exchanger maintenance events in 740 plant years is approximately:

$$2 \times (4.15 \times 10^{-5}) \times 8{,}760 \times 740 = 538 \text{ maintenance events}$$

    Thus, an approximate estimate for variable f_f is 1/538 floods per heat exchanger maintenance event. However, there is substantial uncertainty about this estimate. Therefore, a lognormal probability distribution was created to represent this conditional frequency, using a median value of 2 x 10^-3 and a range factor of 10. The resulting mean value for f_f is 5.33 x 10^-3 flood per heat exchanger maintenance event.

  • Failure to Stop the Flood before Damage Occurs (f_c). If a flood begins while personnel are in the heat exchanger vault, there are several opportunities to stop the flow before the annulus is flooded to a depth that will submerge the PRA equipment. For example, local personnel may call the control room and request that the appropriate VE pumps be stopped. Local personnel may also try to close the watertight doors to contain the flood water inside the vault. It is very unlikely that no attempts would be made to alert the control room or to stop the flood locally if personnel were in the area and were physically able to respond. A lognormal probability distribution was created to account for a variety of possible conditions that could delay response until the PRA equipment is submerged. This distribution accounts generally for such factors as extremely severe floods that incapacitate all personnel in the vault, unexpected communication delays, failure of independent indications in the control room, etc. A median value of 1 x 10^-3 and a range factor of 10 were assigned to account subjectively for these possible conditions. In other words, it was assumed that approximately one flood in one thousand events would be severe enough to disable the local personnel and would continue long enough to submerge the PRA equipment before it is discovered and controlled. The mean value for f_c from this distribution is 2.66 x 10^-3 failures per flooding event.

  • Mean Duration of TF Heat Exchanger Maintenance (d_m). The mean duration of TF heat exchanger maintenance from the plant-specific PRA database is 108 hours per maintenance event.

These values were used to estimate the following contributions from each of the three maintenance conditions:

$$\lambda_m f_d (T/2)(N_{SW}/3) = 9.93 \times 10^{-10} \text{ flood per year}$$

$$8{,}760\,\lambda_m f_f f_c = 4.86 \times 10^{-6} \text{ flood per year}$$

$$\lambda_m d_m (N_{SW}/3) f_c = 1.43 \times 10^{-8} \text{ flood per year}$$

The total frequency of heat exchanger maintenance-related flooding events is three times the sum of these contributions for each heat exchanger:

$$N_{F,M} = 1.46 \times 10^{-5} \text{ flood per year}$$

C.2 Events Not Related to Maintenance

The frequency of flooding events that are not related to heat exchanger maintenance activities was evaluated by the following expression:

$$N_{F,O} = N_{SW} f_v + \lambda_v \left(\frac{T}{2}\right) N_{SW}$$

where

N_SW = frequency of Other Service Water System-Related Flooding Events (flooding events per plant year)

f_v = likelihood that a closed vault door fails when a flood occurs inside the vault (failures per flooding event)

λ_v = frequency that a heat exchanger vault door is opened and left open during normal plant operation (errors per hour)

T = time interval between routine annulus inspections (hours).

The first term in the expression accounts for a condition in which the VE connection fails in one of the three heat exchanger vaults (N_SW). The heat exchanger vault door is closed when the flood occurs, but it fails (f_v).

The second term in the expression accounts for a condition in which personnel have opened one of the heat exchanger vault doors and have inadvertently left it open (λ_v). A flood will occur if the VE connection fails (N_SW) before the operators discover the open door during their routine inspections (T/2). The fraction (T/2) in this term

accounts for the fact that the average exposure period for this condition is one-half the annulus routine inspection interval.

The following numerical values were used in this analysis:

  • Frequency of Service Water Flooding Events (N_SW). The plant-specific database shows that the mean frequency of Other Service Water System-Related Events is 3.81 x 10^-3 flooding event per plant year. The database documentation also indicates that all of this frequency was conservatively allocated to the TF heat exchanger vaults in the annulus.

  • Failure of Closed Watertight Door (f_v). The heat exchanger vault doors are designed specifically to contain a flood from the VE system. No detailed structural analyses were performed to evaluate the capacity of these doors under realistic loading conditions. However, structural evaluations of other equipment at the plant and analyses at other plants have typically concluded that the likelihood for failure is extremely small under realistic loading conditions, i.e., the structural design safety margin is typically quite large. A nominal value of 1 x 10^-6 failure per flooding event was used for f_v.

  • Frequency that a Vault Door is Left Open (λ_v). The TF heat exchanger vault doors are normally closed at all times unless work is being performed in a vault. The frequency of maintenance-related flooding events accounts for the fraction of time that a door may be open for maintenance work. Variable λ_v accounts for the combined frequency of other activities that open a door and the likelihood that it might be left open, e.g., special inspections, maintenance or modification planning, etc. There is no evidence from plant records or from discussions with plant operations personnel that any of the TF heat exchanger vault doors has ever been found open during the 12-year period examined for this analysis. However, a conservative upper bound for λ_v was estimated by assuming that any one of the three vault doors may be left open inadvertently approximately once in five years during plant power operation. Therefore:

$$\lambda_{v,\text{high}} = \frac{1}{3 \times 5 \times 0.88 \times 8{,}760} = 8.65 \times 10^{-6} \text{ error per hour}$$

    In this calculation, the factor of 3 accounts for the three heat exchanger vault doors; the factor of 5 accounts for the assumed frequency of one error in five years; the factor of 0.88 is the average availability factor for the plant; and the factor of 8,760 converts the annual frequency into an equivalent hourly frequency.

  • Annulus Inspection Interval (T). It is assumed for this analysis that a routine inspection of the annulus is performed at least once each shift and that the open door would be discovered during this inspection. Therefore, the average time interval between inspections is eight hours.

These values were used to estimate the following contributions from each condition:

$$N_{SW} f_v = 3.81 \times 10^{-9} \text{ flood per year}$$

$$\lambda_v (T/2) N_{SW} = 1.32 \times 10^{-7} \text{ flood per year}$$

The total frequency of flooding events that are not related to maintenance activities is the sum of these contributions:

$$N_{F,O} = 1.36 \times 10^{-7} \text{ flood per year}$$

C.3 Frequency of FLOODB

The total initiating event frequency for internal flooding scenario FLOODB is the sum of the two major contributions:

$$N_F = N_{F,M} + N_{F,O} = 1.46 \times 10^{-5} + 1.36 \times 10^{-7} = 1.47 \times 10^{-5} \text{ flood per year}$$
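The FLOODB arithmetic in sections C.1 through C.3 is small enough to reproduce end to end, which is also the easiest way to check the quoted intermediate results and to see which term actually drives the initiating event frequency. The Python below is an added worked example, not code from this report or from the PRA it describes; every parameter value is the one quoted in Appendix C. One convention is assumed rather than stated on the page: the report gives the lognormal medians, range factors, and resulting means for f_f and f_c but not the conversion between them, so lognormal_mean() uses the usual PRA definition of the range factor as the ratio of the 95th percentile to the median.

```python
"""FLOODB initiating-event frequency, reproduced from the Appendix C inputs.

Added worked example; not code from NUREG/CR-6572 or the PRA it describes.
Parameter values are those quoted in Appendix C. Assumption (mine, not the
report's): the lognormal mean is derived from median and range factor with
sigma = ln(RF)/1.645, i.e. RF = 95th percentile / median.
"""
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
Z_95 = 1.645  # standard-normal 95th-percentile quantile


def lognormal_mean(median: float, range_factor: float) -> float:
    """Mean of a lognormal distribution given its median and range factor."""
    sigma = math.log(range_factor) / Z_95
    return median * math.exp(sigma ** 2 / 2.0)


def door_left_open_rate(n_doors: int, years_per_error: float, availability: float) -> float:
    """Upper-bound lambda_v: one error per `years_per_error` spread over all doors,
    counting only hours at power (availability); result is errors per door-hour."""
    return 1.0 / (n_doors * years_per_error * availability * HOURS_PER_YEAR)


def f_f_point_estimate(events: int, hx_per_plant: int, generic_lambda_m: float,
                       plant_years: float) -> float:
    """Floods per maintenance event from generic experience (Appendix C: 1/538)."""
    maintenance_events = hx_per_plant * generic_lambda_m * HOURS_PER_YEAR * plant_years
    return events / maintenance_events


@dataclass(frozen=True)
class FloodBInputs:
    lambda_m: float   # TF heat exchanger maintenance frequency (events per HX-hour)
    f_d: float        # failure to reclose watertight door (per maintenance event)
    T: float          # routine annulus inspection interval (hours)
    N_sw: float       # other service water flooding events (per plant-year)
    f_f: float        # maintenance error causes a flood (per maintenance event)
    f_c: float        # failure to stop the flood before damage (per flooding event)
    d_m: float        # mean maintenance duration (hours per maintenance event)
    f_v: float        # closed vault door fails under flood load (per flooding event)
    lambda_v: float   # door opened and left open during normal operation (per hour)
    n_vaults: int = 3


def maintenance_terms(p: FloodBInputs) -> dict:
    """The three bracketed contributions for ONE vault (section C.1)."""
    share = p.N_sw / p.n_vaults   # flood frequency allocated to a single vault
    return {
        "door_left_open_after_maintenance": p.lambda_m * p.f_d * (p.T / 2.0) * share,
        "maintenance_error_causes_flood": p.lambda_m * HOURS_PER_YEAR * p.f_f * p.f_c,
        "flood_during_maintenance": p.lambda_m * p.d_m * share * p.f_c,
    }


def n_f_m(p: FloodBInputs) -> float:
    """Maintenance-related frequency: per-vault sum times the number of vaults."""
    return p.n_vaults * sum(maintenance_terms(p).values())


def n_f_o(p: FloodBInputs) -> float:
    """Non-maintenance frequency (section C.2): closed door fails, or door left open."""
    return p.N_sw * p.f_v + p.lambda_v * (p.T / 2.0) * p.N_sw


def floodb_frequency(p: FloodBInputs) -> float:
    """Total initiating event frequency (section C.3)."""
    return n_f_m(p) + n_f_o(p)


def dominant_term(p: FloodBInputs) -> str:
    """Per-vault contribution that drives the result; tells you where refinement
    of the human error data would actually change the answer."""
    terms = maintenance_terms(p)
    return max(terms, key=terms.get)


APPENDIX_C = FloodBInputs(
    lambda_m=3.91e-5,
    f_d=5e-3,
    T=8.0,
    N_sw=3.81e-3,
    f_f=lognormal_mean(median=2e-3, range_factor=10.0),   # report quotes 5.33e-3
    f_c=lognormal_mean(median=1e-3, range_factor=10.0),   # report quotes 2.66e-3
    d_m=108.0,
    f_v=1e-6,
    lambda_v=door_left_open_rate(n_doors=3, years_per_error=5.0, availability=0.88),
)

if __name__ == "__main__":
    for name, value in maintenance_terms(APPENDIX_C).items():
        print(f"{name:36s} {value:.3e} per vault-year")
    print(f"N_F,M = {n_f_m(APPENDIX_C):.3e}   N_F,O = {n_f_o(APPENDIX_C):.3e}")
    print(f"N_F   = {floodb_frequency(APPENDIX_C):.3e} flood per year")
    print(f"dominant per-vault term: {dominant_term(APPENDIX_C)}")
```

Run as a script, the values agree with the report's 9.93 x 10^-10, 4.86 x 10^-6, 1.43 x 10^-8, 1.46 x 10^-5, 1.36 x 10^-7 and 1.47 x 10^-5 to the precision quoted, and the dominant term is the second one (a maintenance error that itself causes the flood, unstopped), so N_F is set almost entirely by the product f_f f_c; the door and inspection-interval terms are three to four orders of magnitude smaller.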


The plant model was quantified with the above initiating event frequency and with changes made to the affected event tree top event and system models to reflect the impact of the flood. Specifically, all equipment at the lowest level of the annulus was assumed to be unavailable following the flood.


APPENDIX D EXAMPLE CONSIDERATION OF A FIRE SCENARIO IN A PRA

An example of a portion of a fire analysis in a recent PRA is summarized in Table D-1. In the scenario summarized in Table D-1, a fire is postulated to occur in the Division 2 Electronics Room affecting all equipment in that room. The frequency of all fires in that location, based on the number of electronic cabinets, amount of cable, and the likelihood of transient fire sources, had been assessed to have a mean value of 2.11 x 10^-5 fire per year. The fire was retained after the screening process that considered only the occurrence frequency. The impacts on the systems considered in the PRA were determined next. These are summarized in the "notes" section of the table in the form of the specific impacts on event tree top events (or split fractions) or system fault trees. The event model is requantified using the fire frequency determined for this scenario along with the system and event level impacts, resulting in a determination of the plant response to fires in this area. The results, in this case, showed that the scenario could be screened from further consideration after this first round of refinement. If that had not been the case, the scenario would have received further attention and refinement. In such a case, the scenario would have been divided into two scenarios: one scenario of relatively low frequency that impacted all the cabinets in the room, and a second scenario of relatively high frequency that impacted only the cabinet with the most severe effect on the plant.

Table D-1 Example fire scenario table

BUILDING: E
LOCATIONS: E0456, E0457, E0459
LOCATION NAME: Division 2 Electronics Cabinets Room, Elevation 7.6 meters
LOCATION DESIGNATOR: L2
SCENARIO DESIGNATOR: FIREL2

1. TYPE OF HAZARD SOURCE
2. SCENARIO INITIATION
3. PATH OF PROPAGATION
   A. PATH TYPE: None (localized)
   B. PROPAGATE TO: N/A
4. SCENARIO DESCRIPTION: Fire affects all Division 2 electronics cabinets, including reactor protection.
5. HAZARD MITIGATION FEATURES: Detectors, Halon
6. SCENARIO FREQUENCY: 2.11E-05 per year
7. PRA EQUIPMENT WITHIN THE AREA
   Equipment: Division 2 electronics cabinets; Top Event: Note 1; Equipment Impact: Note 1
8. RETAINED AFTER SCREENING ANALYSIS: YES
9. NOTES: This fire scenario affects all cabinets in this room.

Note 1. The impacts from these fires are bounded by disabling all equipment control and actuation signals from Division 2. The following split fraction rules are used to account for the possible impacts from open circuits that may prevent equipment from operating and short circuits that may cause spurious actuation signals.
  • Top Event BB (10 kV nonessential power) is failed.
  • Top Event BY (6 kV essential power) is failed.
  • Top Event S1G2 (Division 2 actuation signal relays) is failed.
  • Top Event REC1 (recovery of offsite power to the 6 kV essential buses) is failed.
  • The split fraction rules for Top Events PZRL (pressurizer low level), RCSP (reactor coolant system low pressure), CNTP (containment high pressure), SG1L (steam generator 1 low level), SG2L (steam generator 2 low level), and SG3L (steam generator 3 low level) are modified to account for loss of the Division 2 signals for these fractions.
  • The split fraction rules for Top Event TFIS are modified to account for possible loss of the isolation signal for valve TF8OSSOI.
  • The split fraction rules for Top Events TFRB and TFSB are modified to account for possible spurious isolation signals for valves TFlOSOS2, TF6OSOOl, and TF605030. Top Events TFRB and TFSB are failed for these fires.
  • The split fraction rules for Top Event SUFW are modified to account for possible spurious main feedwater isolation signals for steam generator 2.
  • The split fraction rules for Top Event CHF are modified to account for possible spurious isolation signals for valve TA305003. Top Event CHEF is failed for these fires.
  • The split fraction rules for Top Event RCPS are modified to account for loss of the Division 2 automatic reactor coolant pump trip signals. Top Event RCPS is failed if reactor coolant pump YD2O is running and nuclear component cooling water flow is lost to the bearing oil coolers.
  • The split fraction rules for Top Events LDI, LDO, and CIB are modified to account for loss of the Division 2 isolation signals for the letdown line valves.
  • The split fraction rules for Top Event LPC are modified to account for Division 2 isolation signals that prevent RHR cooling from Train TH2O.