ML20137A629
ML20137A629 | |
Person / Time | |
---|---|
Site: | Millstone |
Issue date: | 12/31/1985 |
From: | Amico P, Atefi B, Gallagher D APPLIED RISK TECHNOLOGY CORP., SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY |
To: | NRC |
Shared Package | |
ML20137A620 | List: |
References | |
CON-NRC-03-82-096, CON-NRC-3-82-96 NUDOCS 8601140430 | |
Download: ML20137A629 (180) | |
Text
_ - _ _ --
~ ~ ~
e.,... s ... s a wn."RM ~ ~ - .
gg . w, w e - 4,
, c .y, s
. 3, y - .: - ,- .
e +
r REVIEW OF RISK BASED EVALUATION OF INTEGRATED SAFETY ASSESSME$T PROGRAM (ISAP) ISSUES FOR MILLSTONE UNIT 1 FINAL REPORT k
Bahman Atefi Daniel W. Gallagher Phuoc T. Le David C. Aldrich Robert T. Liner, Jr.
and Paul J. Amico*
December 31, 1985 Prepared for U.S. Nuclear Regulatory Comission Washington, D.C. 20555 l
Contract No. NRC-03-82-096 l
- Applied Risk Technology Corporation I 1
1 enlEgggumE=e l
-- = .. :
_w--- '
JME%~
Science Apolications InternationalCorporation Post Office Sox 1303,1710 Goodridge Drive, McLean, Virginia 22102, (703) 821 4300 ,
l 8601140430 860103 l PDR ADOCK 05000245 l P PDR )
TABLE OF CONTENTS Section fage List of Figures .....................
Li st o f Tabl es . . . . . . . . . . . . . . . . . . . . . .
1.0 Introduction . . . . . . . . . . . . . . . . . . . . . . . 1-1 2.0 BRIEF REVIEW OF THE MILLSTONE UNIT I PROBABILISTIC 3AFETY STUDY (PSS) . . . . . . . . . . . . . . . . . . . . 2-1 2.1 Initiating Events . . . . . . . . . . . . . . . . . . 2-1 2.1.1 LOCA Initiators ............... 2-1 2.1.2 Consideration of Interfacing System LOCA's . . 2-5 2.1.3 Transient Initiators . . . . . . . . . . . . . 2-7 2.1.4 Support System Transient . . . . . . . . . . . 2-13 2.2 Event Tree Analysis . . . . . . . . . . . . . . . . . 2-13 0
, 2.2.1 Reactor Transients Event Tree ........ 2-16 2.2.1.1 Loss of Feedwater Event Tree .... 2-17 2.2.1.2 Loss of Normal Power (LNP)
Event Tree ............ 2-17 2.2.1.3 Station Blackout .......... 2-18 2.2.2 Support System Initiator Event Tree ..... 2-18 2.2.3 Loss of Coolant Accident (LOCA) Event Trees ................... 2-19 1
2.2.3.1 Small-Small Break Event Tree .... 2-19 2.2.3.2 Small and Large Break Event Trees . . 2-20 l
TABLE OF CONTENTS (Continued)
Section Eagg 2.2.4 ATWS Event Tree ............... 2-21 2.2.5 Inclusion of Support Systems in Event Tree Quantifications .............. 2-23 2.3 Component and Systems Reliability Analysis ..... 2-24 2.3.1 Component Failure Data . . . . . . . . . . . . 2-24 2.3.2 Plant Systems Reliability Analysis . . . . . . 2-29 2.4 Human Reliability Analysis (HRA) .......... 2-32 2.4.1 Cognitive Error Modeling . . . . . . . . .. 2-33 2.4.1.1 Time-Reliability Correlation (TRC) Model . . . . . . . . . . . . 2-34 2.4.1.2 Systematic Human Action Reliability Procedure (SHARP) . . . 2-38 2.4.2 Procedural Error Modeling . . . . . . . . . . . 2-46 3.0 RESULTS AND INSIGHTS INTO MAJOR CONTRIBUTORS TO THE CORE MELT FREQUENCY ................... 3-1
. 3.1 Comparison Between ISAP and IREP Dominant Accident i
Sequences . . . . . . . . . . . . . . . . . . . . . 3-1 3.2 Insight into Major Contributors to the Core Melt Frequency . . . . . . . . . . . . . . . . . . . . . 3-15 3.3 Discussion of Several Areas of Plant Vulnerability . 3-21 4.0 REVIEW 0F THE MILLSTONE UNIT I ISAP TOPICS . . . . . . . . 4-1 4.1 Comments on the Utility's Method of Public Risk Quantification. .................. :-2
f TABLE OF CONTENTS (Continued)
Section , EASA 4.2 Review of Different Methods for Ranking the Importance of ISAP Topics . . . . . . . . . . . . . . . . . . . . 4-3
, 4.2.1 Change in Core-Melt Frequency. . . . . . . . . 4-4 1
4.2.2 Change in Risk as Measured by the Total Population Exposure (Man-Rem). . . . . . . . . 4-5 4.2.3 Combination of Core-Melt Frequency, Change in Total Population Exposure and Backfit Costs. . 4-7 4.2.4 Consideration of all the Financial Consequences of a Hypothetical Accident . . . . . . . . . . 4-9 4.2.5 Proposed Method for Ranking of the ISAP Topics 4-10 4.3 Topic 1.01: " Gas Turbine Generator Start Logic Modifications" Topic 1.24: " Emergency Power" . . . . . . . . . . . 4-14 4.3.1 Background . . . . . . . . . . . . . . . . . . 4-14 '
4.3.2 Utility Evaluation . . . . . . . . . . . . . . 4-14 4.3.3 Review of the Utility Analysis . . . . . . . . 4-15 4.3.4 Conclusions. . . . . . . . . . . . . . . . . . 4-16 4.4 Topic 1.02: " Tornado Missile Protection". . . . . . . 4-17 i 4.4.1 Background . . . . . . . . . . . . . . . . . . 4-17 4.4.2 Utility Evaluation . . . . . . . . . . . . . . 4-17 4.4.3 Review of the Utility Analysis . . . . . . . . 4-19 4.4.4 Conclusions ................. 4-20
)
TABLE OF CONTENTS (Continued)
Section Elag 4.5 Topic 1.04: "RWCU System Pressure Interlock" .... 4-20 4.5.1 Background . . . . . . . . . . . . . . . . . . 4-20 4.5.2 Utility Evaluation . . . . . . . . . . . . . . 4-21 4.5.3 Review of the Utility Analysis . . . . . . . . 4-22 4.5.4 Concl u s i on s . . . . . . . . . . . . . . . . . . 4-25 4.6 Topic 1.05: " Ventilation System Modification" . . . . 4-25 4.6.1 Background . . . . . . . . . . . . . . . . . . 4-25 4.6.2 Utility Evaluation . . . . . . . . . . . . . . 4-26 4.6.3 Review of the Utility Analysis . . . . . . . . 4-27 4.6.4 Conclusions. . . . . . . . . . . . . . . . . . 4-28 4.7 Topic 1.06: " Seismic Qualification of Safety-Related Piping". . . . . . . . . . . . . . . . . 4-28 i.
4.7.1 Background . . . . . . . . . . . . . . . . . . 4-28 4.7.2 Utility Evaluation . . . . . . . . . . . . . . 4-28 4.7.3 Review of the Utility Analysis . . . . . . . . 4-29 4.7.4 Conclusions. . . . . . . . . . . . . . . . . . 4-30 4.8 Topic 1.12: " Control Room Habitability" . . . . . . . 4-31 4.8.1 Background. . . . . . . . . . . . . . . . . . 4-31 4.8.2 Utility Evaluation. . . . . . . . . . . . . . 4-31 4.8.3 Review of the Utility Analysis . . . . . . . 4-33 4.8.4 Concl usions . . . . . . . . . . . . . . . . . 4-34 l
l l
i
1 TABLE OF CONTENTS (Continued)
Section EA21 l
4.9 Topic 1.13: "BWR Vessel Water Level Instrumentation . 4-35 4.9.1 Background . . . . . . . . . . . . . . . . . . 4-35 4.9.2 Utility Evaluation . . . . . . . . . . . . . . 4-35 4.9.3 Review of the Utility Analysis . . . . . . . . 4-36 4.9.4 Conclusions. . . . . . . . . . . . . . . . . . 4-36 4.10 Topic 1.16.1: " Millstone Unit 1/ Millstone Unit 2 Backfeed" . . . . . . . . . . . . . . . 4-36 4.10.1 Background . . . . . . . . . . . . . . . . . . 4-36 4.10.2 Utility Evaluation . . . . . . . . . . . . . . 4-37 4.10.3 Review of the Utility Analysis . . . . . . . . 4-38 4.10.4 Conclusions ................. 4-39 4.11 Topic 1.17: " Replacement of Motor Operated Valves". . 4-39 4.11.1 Background ................. 4-39 4.11.2 Utility Evaluation . . . . . . . . . . . . . . 4-40 4.11.3 Review of the Utility Analysis . . . . . . . . 4-45 4.11.4 Conclusions. . . . . . . . . . . . . . . . . . 4-47 4.12 Topic 1.189: "ATWS: Upgrading of the Standby Liquid Control System" . . . . . . . . . 4-49 4.12.1 Background . . . . . . . . . . . . . . . . . . 4-49 4.12.2 Utility Evaluation . . . . . . . . . . . . . . 4-49 4.12.3 Review of the Utility Analysis . . . . . . . . 4-50 4.12.4 Conclusions ................. 4-58 l
l i
i
TABLE OF CONTENTS (Continued)
Section Eagg 4.13 Topic 1.21: "Faul t Transfers" . . . . . . . . . . . . 4-59 4.13.1 Background . . . . . . . . . . . . . . . . . . 4-59 4.13.2 Utility Evaluation . . . . . . . . . . . . . . 4-59 4.13.3 Review of the Utility Analysis . . . . . . . . 4-60 4.13.4 Conclusions. . . . . . . . . . . . . . . . . . 4-61 4.14 Topic 2.01: "LPCI Remotely Operated Valves 1-LP-50A and B" . . . . . . . . . . . . . . . . . . 4-62 4.14.1 Background . . . . . . . .......... 4-62 4.14.2 Utility Evaluation . . . . . . . . . . . . . . 4-62 4.14.3 Review of the Utility Analysis . . . . . . . . 4-63 4.14.4 Conclusions. . . . . . . . . . . . . . . . . . 4-63 4.15 Topic 2.04: "High Steam Flow Setpoint I.icrease" . . . 4-64 4.15.1 Background . . . . . . . . . . . . . . . . . . 4-6/
4.15.2 Utility Evaluation . . . . . . . . . . . . . . 4-64 4.15.3 Review of the Utility Analysis . . . . . . . . 4-65 4.15.4 Conclusions ................. 4-66 4.16 Topic 2.06: " Main Condenser Retube". ........ 4-67 4.16.1 Background . . . . . . . . . . . . . . . . . . 4-67 4.16.2 Utility Evaluation . . . . . . . . . . . . . . 4-67 4.16.3 Review of the Utility Analysis . . . . . . . . 4-68 4.16.4 Conclusions ................. 4-70
TABLE OF CON 1ENTS (Continued)
Section Eggg 4.17 Topic 2.07: " Sodium Hypochlorite System". . . . . . . 4-70 4.17.1 Background . . . . . . . . . . . . . . . . . . 4-70 4.17.2 Utility Evaluation . . . . . . . . . . . . . . 4-70 4.17.3 Review of the Utility Analysis . . . . . . . . 4-72 4.17.4 Conclusions ................. 4-74 4.18 Topic 2.08: " Extraction Steam Piping Replacement" . . 4-74 4.18.1 Background . . . . . . . . . . . . . . . . . . 4-74 4.18.2 Utility Evaluation . . . . . . . . . . . . . . 4-75 4.18.3 Review of the Utility Analysis . . . . . . . . 4-77 4.18.4 Conclusions ................. 4-77 4.19 Topic 2.30: "MSIV Clo:ure Test Frequency". ..... 4-78 4.19.1 Background . . . . . . . . . . . . . . . . . . 4-78 4.19.2 Utility Evaluation . . . . . . . . . . . . . . 4-78 4.19.0 Review of the Utility Analysis . . . . . . . . 4-79 4.19.4 Conclusions ................. 4-80 4.20 Topic 2.31: "LPCI Tube Oil Cooler Test Frequency" . . 4-80 4.20.1 Background . . . . . . . . . . . . . . . . . . 4-80 4.20.2 Utility Evaluation . . . . . . . . . . . . . . 4-82 4.20.3 Review of the Utility Analysis . . . . . . . . 4-83 4.20.4 Conclusions. . . . . . . . . . . . . . . . . . 4-83
5.0 REFERENCES
. . . . . . . . . . . . . . . . . . . . . . . . . 5-1
i LIST OF FIGURES
-s Fiaure Eagg 2.1 Logic Tree to Aid in Selection of Expected Behavior Type . 2-40 3.1 Comparison Between Dominant ISAP and IREP Contributors <
to the Core Melt Frequency . . . . . . . . . . . . . . . . 3-15 3.2 Simplified Fault Tree for the Failure of the Alternate ,
SDC System . . . . . . . . . . . . . . . . . . . . . . . . 3-23 3.3 ATWS Event Tree with Main Condenser Available ...... 3-28 ,'
3.4a ATWS Event Tree with Main Condenser Unavailable ..... 3-29 3.4b ATWS Event Tree with Main Condenser Unavailable (Loss of Feedwater) ................... 3-30
~
3.4c ATWS Event Tree with Main Condenser Unavailable
, (Loss of Normal Power) . . . . . . . . . . . . . . . . . . 3-31 4.1 Ranking Scheme Proposed in NUREG-0993. . . . . . . . . . . 4-8 4.2 Simplified Diagram of the RWCU Isolation System. . . . . . 4-23 4.3 Simplified Fault Tree for Failure of RWCA Isolation System 4-24
. 4.4 ATWS Event Tree with Main Condenser Unavailable (Loss of PCS - 86 gpm SLCS) ............... 4-53 4.5 ATWS Event Tree with Main Condenser Unavailable (Loss of Feedwater - 86 gpm SLCS) ............ 4-54 4.6 ATWS Event Tree with Main Condenser Unavailable (Loss of Normal Power Support State 1 - 86 gpm SLCS) . . . 4-55
)
l LIST OF TABLES IAhlt EA9ft 2.1 IREP LOCA Initiators . . . . . . . . . . . . . . . . . . . 2-2 2.2 ISAP LOCA Initiators . . . . . . . . . . . . . . . . . . . 2-4 2.3 ISAP Interfacing System LOCA Event Frequency . . . . . . . 2-6 2.4 Comparison Between ISAP and IREP Initiator Frequencies Included in the " Reactor Transients with Power Conversion System Available" - Category 1 ..... 2-8 2.5 Comparison Between ISAP and IREP Initiator Frequencies l
Included in the " Reactor Trip Events" - Category 3 . . . . 2-9 2.6 Comparison Between ISAP and IREP Initiator Frequencies Included in the " Reactor Transients with Power Conversion System Unavailable" - Category 2 ....... 2-11 2.7 Comparison Between ISAP and IREP Initiator Frequencies Include in the " Loss of Feedwater Transients" - Category 4 . . . . . . . . . . . . . . . . . 2-12 2.8 Comparison Between ISAP and IREP Initiator Frequencies Included in the " Loss of Normal AC Power Transient" -
Category 5 . . . . . . . . . . . . . . . . . . . . . . . . 2-12 2.9 Comparison Between ISAP and IREP Support System Initiator Frequencies .................. 2-14 2.10 Comparison of IREP and ISAP Component Failure Data . . . . 2-26 2.11 Human Errors Evaluated Using the Time Reliability Correlation ....................... 2-35
LIST OF TABLES (Continued) e Iahlt Eage 2.12 Human Errors Evaluated Using the Systematic Human Action Reliability Procedure .................. 2-42 3.1 Comparison Between ISAP and IREP Dominant Accident Sequences ........................ 3-3 3.2 Unavailability of the Alternate Shutdown Cooling System as a Function of Different System Configurations . . . . . 3-24 3.3 Requantification of Millstone Unit 1 ATWS Event Trees .. 3-34 4.1 Proposed Ranking Scheme Based on Change in Core-Melt Frequency ........................ 4-12 4.2 Proposed Supplemental Ranking Scheme Based on Change in Total Population Exposure. . . . . . . . . . . . . . . . . 4-12 4.3 Importance of the Environmental Qualification of Several MOVs Based on Our Proposed Ranking Scheme. . . . . . . . . 4-48 4.4 Requantified ATWS Contribution to Core Melt ....... 4-56 4.5 Change in Public Dose from Installation of 86 gpm SLCS . . 4-57 4.6 Main Condenser Retube Impact Assessment ......... 4-69 4.7 Impact of Not Replacing the Extraction Steam Piping at Millstone Unit 1 . . . . . . . . . . . . . . . . . . . . . 4-76 4.8 Change in Core-Melt Frequency from the Elimination of Monthly MSIV Testing . . . . . . . . . . . . . . . . . . . 4-81 4.9 Change in Core-Mlet Frequency as a Result of Increase in Lube Oil Test Frequenc. ................ 4-84
F .
1.0 INTRODUCTION
The Integrated Safety Assessment Program (ISAP) was developed by NRC to examine the outstanding issues from several NRC programs that are pertinent to each power plant and assess the importance of each issue with respect to its impact on the risk associated with the operation of the plant. The issues that will be considered for each plant in this program include those identified in Phase II of the Systematic Evaluation Program (SEP), pending licensing requirements for the particular facility including TMI Action Plan items, pending Unresolved and Generic Safety Issues, significant events that have occurred during the operation of the plant, and dominant contributors to plant risk based on a plant-specific Probabilistic Safety Analysis (PSA).
An initial screening cf the issues required by the programs mentioned above is performed to arrive at a set of ISAP topics that are appropriate for the specific plant under study. A detailed evaluation of these topics is then performed by the licensee and submitted to the NRC for review. The NRC's analysis of each topic consists of a review of the licensee's submittal, comparison of the plant design and procedures with current licensing criteria, and assessment of the risk significance of each topic for the i
plant under study.
, The first plant being evaluated under this program is Northeast Utilities' Millstone Unit 1, a 660 MWe boiling water reictor. For this plant, a level 1 Probabilistic Risk Assessment (PRA) had previously been performed as a part of the Interim Reliability Evaluation Program (IREP)(1).
This PRA has recently been revised by Northeast Utilities by including design and procedural changes that have taken place since the original IREP study and by updating the appropriate initiating events, component failure rates, test and maintenance frequencies and recovery action probabili-ties (2). In addition, the licensee has evaluated some of the ISAP topics using PRA techniques.
The objective of the present study is to identify and resolve signifi-cant differences between the IREP and ISAP probabilistic risk assessments (referred to in this report as the IREP study and the ISAP study), identify the areas of plant vulnerability, review those topics which were analyzed by the licensee using PRA techniques, and rank the topics with respect to their impact on the safety of the plant.
4 1-1 1
1 It is important to note that due to limitations in time and level of effort, the review of the ISAP study is not performed in the traditional sense of a PRA review. Rather, it is done by comparing the results of each major section of this study with the results of the IREP study. Using this comparison, significant differences between the two studies are identified, and the effect of these differences on the dominant accident sequences and overall core melt frequency are analyzed.
In the next section, a comparison between the ISAP and IREP probabilis-tic risk assessments will be presented. This will consist of comparing the initiating events, event tree analyses, component and system reliability analyses and the human reliability analyses. The comparison between the results of the two studies, insights into major contributors to the core melt frequency, and areas of plant vulnerability is presented in Section 3.0. Section 4.0 contains a review of alternative methods for ranking the importance of a safety-related issue and proposes a ranking scheme that would be best suited for prioritization of the importance of the ISAP topics. This section also includes the results of the review of those ISAP topics that were analyzed by the licensee using PRA techniques. The review of ISAP topics includes comments on the validity of the utility's analysis and ranking of each topic based on our proposed ranking scheme. Finally, all the references cited in this report are listed in Section 5.0.
l I-2 1 1
2.0 BRIEF REVIEW OF THE MILLSTONE UNIT 1 PROBABILISTIC SAFETY STUDY (PSS) e In this section a brief review of the Millstone Unit 1 PSS performed by the licensee as a part of the ISAP study will be presented. As was dis-cussed earlier, due to limitations in time and level of effort this review is not performed in the same manner as a traditional detailed PRA review.
Rather, it is done by examining the major segments of the PSS for its accuracy in procedures, assumptions, modeling, use of data, and by comparing the results of each of these major segments with the results found in the earlier IREP study.
The major segments of the PSA reviewed and presented in this section include the initiating events, event tree analysis, component and system reliability analysis and human reliability analysis. A review of the results and insights into major contributors to the core melt frequency is presented in Section 3.0.
2.1 Initiatina Events The initiating events in both the ISAP and IREP studies were grouped in
, two broad categories of LOCAs (including interfacing system LOCAs) and transients due to anticipated initiators and support system initiators. '
Each of these broad groups was further divided into subgroups based on the systems required for mitigation of the initiators A comparison between the initiator categories and frequencies used in the two studies follows.
2.1.1 LOCA Initiators In the IREP study the LOCA initiators were grouped into two classes, steam line breaks and liquid line breaks. Each of these classes was further categorized by three break sizes. Table 2.1 shows the LOCA classes, approximate break diameters, systems required for mitigation of these initiators, and frequencies assigned to each initiator. As seen in this tabl e, the major reason for differentiating between the steam line and liquid line breaks is the difference in the systems required for mitigation of the same break sizes. For the small break LOCA, the mitigating systems are the same for the two classes. For the intermediate steam line break, the break would occur above the care level. This will .esuic in an increase 2-1
Table 2.1 IREP LOCA Initiators Approximate Break Diameter Systems Required Frequency LOCA Class (inches) for Mitigation (Events Per Yr)
, 2. Intermediate 5.411D55.90 Feedwater 10-4 Steam Break (ISB) OR LPCI OR ADS & Core Spray
- 3. Large Steam 5.905D120.08 Feedwater 10-4 Break (LSB) OR LPCI OR Core Spray
- ADS & LPCI OR Core Spray
- 6. Large Liquid 6.0510132.60 LPCI 10-4 Break (LLB) OR Core Spray
, 2-2
i . .
in the upward flow cf steam, inhibiting the core spray system from providing sufficient downward coolant ficw to cover the core. Thus, the reactor coolant system (RCS) must be depressurized before the core spray system is effective. This is not true for the Low Pressure Coolant Injection (LPCI) system which injects 1.nto the core from a low vessel level. Thus, the LPCI systera can, without depressurization, cover the core. The situation is reversed in the case of an intermediate liquid break. In this case, because the break area is below the core level, the flow out of the core is downward and the core spray function is not inhibited. However, the LPCI system ,
cannot provide the required mitigation function due to slower vessel pres-1 sure reduction and flow diversion from the liquid break area unless the )
l RCS is depressurized. !
i In the case of large LOCA, for the large liquid break, there is too I
much diversion of the flow out of the break area to make the feedwater system an effective mitigating system, whereas in the case of a large steam break, the feedwater system is an effective mitigating system. l In the ISAP study, the steam and liquid line breaks are not separated.
The various break sizes in this study are categorized into four classes of LOCAs as shown in Table 2.2. The most noticeable difference between the two studies is inclusion in ISAP of a small-small break LOCA with equivalent diameter of greater than 2.5 gallons per minute (gpm) leak (Technical Speci-fication shutdown limit) up to 1.35 inches in diameter. The initiating frequency of this class of LOCA is estimated to be an order of magnitude larger than the small break LOCA. In the lower range of this new small-small' break category, manual shutdown would be necessary whereas automatic trip will occur at the higher range. In addition, at the lower range of this break, automatic depressurization by the Automatic Depressurization System (ADS) might not occur due to lack of high pressure in the drywell necessary for the initiation of ADS. Thus, manual depressurization (MD)
I would be necessary in these situations.
Another difference between the two studies is that the inadvertent opening of safety / relief valves is' classified in the ISAP as a LOCA initia-i tor whereas this event was classified as a transient initiator in the IREP.
This classification should not have any effect on the actual sequence of s
events that are delineated for this initiator.
1 2-3
Table 2.2 ISAP LOCA Initiators Approximate Break Diameter Systems Required LOCA Class (inches) for Mitigation Frequency
.1. Small-Small 2.5gpmsD11.35 Main Feedwater (No Trip) 10-2 OR Feedwater (Trip)
, ADS /MD & Core Spray
OR ADS & Core Spray
- 3. Inadvertent 1.351016.05 Main Feedwater 2.02 x 10-2 Operation of Safety / Relief Valve
- 4. Large LOCA 6.051D LPCI & 10-4 Core Spray 2-4
l l
l Overall, the most important difference between the two studies in the classification of LOCAs, is the creation of a small-small break LOCA in the ISAP study. This class of LOCA with a relatively large initiation frequency and some unique mitigation requirements, has a significant contribution to the ISAP core melt frequency. This will be discussed in Section 3.0 on the '
, overall results. In the case of intermediate and large LOCA's, the major difference between the two studies is the differentiation of liquid and steam break lines. Without this differentiation, the assumptions for sys-tems required for mitigation of a break size might be somewhat more con-servative. Finally, in the case of inadvertent opening of safety / relief valves, the difference between the two studies is the initiator frequency used for this event which is an order of magnitude smaller in the ISAP study due to replacement of the safety / relief valves with a new set of more reliable valves.
2.1.2 Consideration of Interfacina System LOCAs 4
In the IREP study, the interfacing system LOCAs were not considered explicitly. The justification for not considering these events was that in
- the WASH-1400 study (3), the interfacing system LOCAs were not found to be important to risk for BWRs. The Millstone Unit 1 interfacing systems were compared with the Peach Bottom plant analyzed in WASH-1400, and since the systems were similar, no further analysis of these initiators was conducted.
In the ISAP study, five systems interfacing with the primary system were considered in detail for the possibility of initiation of LOCAs. These are the Isolation Condenser, the Shutdown Cooling System, the Reactor Water Cleanup System, the Low Pressure Coolant _ Injection System, and the Core Spray System. Of these systems, the Shutdown Cooling System was eliminated
, from further consideration because only multiple catastrophic failures could create an interfacing LOCA. For the other systems, simple fault trees were used to estimate the frequency of occurrence of unmitigated LOCAs due to interfacing system failure that would lead to a core meltdown. Table 2.3 shows the unmitigated interfacing system LOCAs, their frequencies, and their contribution to the total core melt frequency. As can be seen from these results, the contribution of interfacing system LOCAs to the overall core melt frequency is negligible.
2-5
Table 2.3 ISAP Interfacing System LOCA Event Frequencies Percentage of Frequency Total Core Melt l Event (peryear) Frequency '
1
- 1. Unmitigated Isolation Condenser 1.5E-7 0.02 Tube Rupture
- 2. Unisolated LOCA in the Core 1.1E-7 0.014 Spray System
2-6
- ._ ~ -__ _ _ - . _ . . - _ _ _ _ - - _
l 2.1.3 Transient Initiators
, Two m.jor classes of transients were considered in the ISAP study.
These are the anticipated transients and special initiators that result from l support system failures. The anticipated transients in this study are ;
grouped into the following five categories:
l
- 1. Reactor Transients with Power Conversion System Available l
- 2. Reactor Transients with Power Conversion System Unavailable l 4
- 3. Reactor Trip Events !
- 4. Loss of Feedwater Events !
- 5. Loss of Normal Power Events. l l
The first category of transients in the ISAP study is similar to Category TI, "Most Transients", in the IREP study. Table 2.4 shows the list and l
frequency of transient initiators in this category used in these studies.
The initiator frequencies in the ISAP study were calculated by performing Bayesian updating of the plant-specific data. For the prior distributions, the results of industry experience compiled in the EPRI report EPRI-NP-2230(4) were used. In developing the prior distributions from this source, 4 the data on the first two years of each plant's operation were discarded so o 'that the trips during the startup period would not be included. The data were then fit into a Gamma distribution. Having these prior distributions, the posterior distributions for each initiator were developed by updating the plant-specific initiators.
Looking at Table 2.4, it can be seen that 16 out of 18 top initiators are the same in both categories. Initiators 3 and 11 included in this ISAP category were included in the " transient with power conversion system unavailable" category in the IREP study. Also, initiators 24 to 27 in the ISAP study were included in a new category of " reactor trip events." The mitigating systems required for this category are exactly the same as Cate-4 gory 1. The frequency of these initiators in the ISAP study is shown in Table 2.5.
- To get an idea of the effect of the Bayesan updating on the initiator frequencies, wt can compare the total frequency of the 19 common initiators Insert Table 2.4 2-7
Tablo 2.4 Comparis:n Betwe:n ISAP and IREP Ir.itiatsr Fr:qu:ncies Iccluded in tha "Reacter Transients With Power Conversion System Available"- .'
Category 1 Frequencies (per year)
Initiator ISAP IREP (Plant Specific) (NP-80ll
- 1. Electrical Load Rejection 0.386 1.04
- 2. Turbine Trip 0.742 1.41 '
- 3. Pressure Regulator Falls Open 0.165 Included in Category 2; see Table 2.6
- 4. Pressure Regulator Fails Closed 0.009 0.14
- 5. Turbine Bypass Valve Falls Open 0.089 0.04
- 6. Recirculation Flow Control Fails (Increasing) 0.-011 0.24
- 7. Recirculation Flow Control Fails (Decreasing) 0.006 0.06
- 8. Trip on One Recirculation Pump 0.345 0.02
- 9. Trip of All Recirculation Pumps 0.093 0.06
- 10. Recirculation'Fuicp Seizure 0.000 e
- 11. Feedwater Flow Control Failure (Increasing) 0.444 Included in Category n, 2; see Table 2.6 f3 12. Feedwater Flow Control Failure (Decreasing) 0.630 . 0.43
- 13. Loss of a Feedwater Heater 0.004
- 14. Loss of All Feedwater Heaters 0.096 0.02
- 15. Trip of One Feedwater/ Condensate Pump 0.176 0.2
- 16. Inadvertent Control Rod Withdrawal 0.003 c
- 17. Inadvertent Control Rod Insertion 0.008 0.1
- 18. Partial MSIV Closure Included in Category 2; see Table 2.6 0.04
- 19. Control Valves Fall Closed 0.023 0.51
- 20. Abnormal Startup of Idle Recirc Pump c c
- 21. Low Feedwater During Startup or Shutdown 0.35
- 22. High Feedwater During Startup or Shutdown 0.10
- 23. High Flux Due to Rod Withdrawal at Startup 0.04
- 24. Scram Due to Plant Occurrences Included in Category 3; see Table 2.5 0.35
- 25. Spurious Trip Via Instrumentation, RPS Included in Category Fault 3; see Table 2.5 1.16
- 26. Manual Scram is Out of Tolerance Included in Category Condition 3; see Table 2.5 0.27
- 27. Detected Faults in RPS Included in Category 3; see Table 2.5 0.02
- 28. Cause Unknown ----
0.02
Table 2.5 Comparison Between ISAP and IREP Initiator Frequencies Included in the " Reactor Trip Events" -
Category 3 Frequencies (Per year)
ISAP IREP Initiator (Plant-Soecific) (NP-801) 0.005 Included in T ;
l Instrument Detected Fault in RPS i see Table 2.4 I
0.536 Included in T ;
Scram Due to Plant Occurrences 1 see Table 2.4 1.298 Included in T ;
Spurious Trip Due to RPS Instrumen- 1 tation see Table 2.4 0.119 Included in T ;
Manual Scram (No Out-of-Tolerance see Table 2.4 1
N.S.S.S. Condition)
Total I.958 l
2-9
in Categories 1 and 3. The total frequency of these initiators is 4.46 in the ISAP study and 5.56 in the IREP study. Thus, the ISAP initiators frequency for these categories is about 20 percent lower than the IREP frequency in these categories. The total frequency of initiators in this category considered in the IREP study and not considered by the ISAP in any category is 1.00 which is another 20 percent of the total ISAP frequency.
Overall, the total frequency of the Categories 1 and 3 which have common mitigating systems requirements is 4.58 in the ISAP study and 6.6 in the IREP study. Thus, the total ISAP initiators frequency for these categories is about 30 percent lower than the IREP initiators frequency.
The ISAP Category 2 transients are reactor transients with the p'ower conversion system unavailable. The frequencies of these intitiators are shown in Table 2.6. In this category, the IREP study included two initia-tors caused by support system failures. These initiators were treated separately by the ISAP study and are discussed in Section 2.4. Excluding these events, the total frequency for this category is 0.435 for the ISAP study and 2.02 for the IREP study. Thus, the ISAP initiators frequency is about 80 percent lower in this case.
, The ISAP Category 4 transients are the " loss of feedwater transients" which in the IREP study include two support system initiators and are shown in Table 2.7. Excluding these two events, the loss of feedwater system initiator in the ISAP study is about 60 percent higher than the value in the IREP study.
The fifth ISAP transient category is the " loss of normal power transient" shown in Table 2.8. In this category, the ISAP frequency is about 40 percent lower than the IREP frequency.
Finally, as was mentioned earlier, the inadvertent opening of safety /
relief valves was treated in the ISAP study as an LOCA initiator. This event was considered as a transient initiator in the IREP study. The fre-quency of this event is 2.02 x 10-2 in the ISAP study and 0.2 in the IREP study. The primary reason for this difference is replacement of the old safety / relief valves with a newer, more reliable set of valves.
2-10
- o. .
Table 2.6 Comparison Between ISAP and IREP Initiator Frequencies Included in the " Reactor Transient With Power Conversion System Unavailable" -
Category 2 Frequencies (Per year)
ISAP 1 REP Initiator (Plant-Soecific) (NP-801)
Load Rejection with Turbine Bypass Failure 0.002 Turbine Trip with Turbine Bypass Failure 0.002
- Total Closure of One or More MSIVs 0.405 0.75 Loss of Normal Condenser Vacuum 0.026 0.67 Feedwater Increasing Flow Included in Category 0.31 1; see Table 2.4 Pressure Regulator Fails Open Included in Category 0.29 1; see Table 2.4 !
Loss of Circulating Water System
- 0.06**
Loss of Plant Air Compressors
- 0.06**
~
- Initiators based on support system failure
- Plant-specific data O
d i
1 2-11
I Table 2.7 Comparison Between ISAP and IREP Initiator l Frequencies Included in the " Loss of Feedwater l Transients" - Category 4 Frequencies (Per year)
ISAP IREP Initiator (Plant-Soecific) (NP-801)
Loss of Feedwater 0.096 0.06 Loss of Turbine Building Closed Cooling Water System
- 0.06 Loss of Service Water System
- 0.06 Total 0.096 0.18
- Initiators based on support system failure Table 2.8 Comparison Between ISAP and IREP Initiator Frequencies Included in the " Loss of Normal AC Power Transient" - Category 5 Frequencies (Per year)
ISAP IREP Initiator (Plant-Soecific) (NP-801)
Loss of Offs,ite Power 0.124 0.16 Loss of Auxiliary Power 0.04 Total 0.124 0.2 2-12
= . . - . _ ~ _ , _ _ . . - . . - . . . . . . ~ . - - . -.-- ~ ~ .-. .. ._
i 2.1.4 Suonort System Transients To identify the plant-specific transient initiators due to support l system failures, the ISAP study performed system level failure mode and effect analyses on the following classes of systems:
- 1. Cooling Water Systems
- 2. Electrical Systems
- 3. Power Conversion Systems
- 4. Auxiliary Systems.
As a result of'these analyses, four plant-specific initiators were identi-7 fled. The frequencies of initiation of these events were calculated by a l
dct:ll:J aa:lysi: of tb tupport system responsible for their initiation.
These frequencies and the corresponding values used in the IREP study are shown in Table 2.9. The IREP initiator frequencies shown in this table are calculated using a zero failure approximation, i.e., the values shown are conservative bounding estimates. Overall, for the support system initiators l analyzed in both studies, the ISAP frequencies are from one to two orders of I magnitude smaller than the IREP frequencies based on a more detailed support system analysis. The only exception is the service water system where change in its success criteria in the ISAP study has resulted in an increase in the short-term loss of service water system initiating frequency.
In the next section, a discussion on the event-tree analysis used in the ISAP and IREP studies will be presented. !
2.2 Event Tree Analysis s The event tree analysis performed in the ISAP study has a number of differences from that performed in the IREP study. Some of the differences are conceptual and apply in general to all of 'the event trees, while others 1
2-13 L
l l
Table 2.9 Comparison Between ISAP and IREP Support System Initiator Frequencies Frequency (Per year)
- Initiator ISAP IREP Comments Total Loss of Service 7.83E-3 6.0E-4* Included in T2 in Water (With Recovery) IREP, see Table 2.7 Loss of T.B.S.C.C.W. 8.05E-4 0.06 Included in T3 in IREP, see TabTe 2.7 Loss of R.B.C.C.W. 4.73E-4 -
Loss of 120 V Vital 1.65E-2 -
AC Power loss of Circulating - 0.06 Considered part of Water System transients with loss of PCS in ISAP Loss of Plant Air -
0.06 Considered bounded Compressors by other transients in ISAP
- This number consi recovery factor of 1.0 x 10'gts of an initiating frequency of 0.06 and a
)
l l
2-14
are more specific to a particular tree. The conceptual differences will be discussed here, and the specific differences will be discussed in subsequent sections.
The first difference is that the ISAP study included cognitive operator errors directly on the event trees. These are errors in the decision-making process during an accident. The IREP study did not individually assess these cognitive errors, but rather included them in the assessment of procedural errors. From the standpoint of event tree analysis, this differ-ence in methodology does not significantly affect the final results. When properly evaluated, it makes no difference whether these errors are incleded independently on the tree or are incorporated at the system level. Houver, the method of analysis utilized for the human reliability analysis in the ISAP study is significantly different from that used in the IREP study in that cognitive errors were not included in the IREP study. This is not an issue of event tree modeling, but rather that ofhuman reliability and is discussed in more detail in Section 5.0 on human reliability analysis.
The ISAP study also included recovery actions (such as restoration of offsite power) as events on the event trees. In the IREP study, these actions were evaluated separa.tely and incorporated into the analysis at the sequenco cut set level. This difference does not significantly affect the results of the analysis, since (as above) either method adequately incor-porates the actions evalua,ted.
The ISAP study did not make a distinction between short-term core melts with and without contaiament cooling. That is, no credit was given for the operation of the containment cooling system to delay containment failure given that a core melt was occurring in the early or intermediate time frames. This distinction was made in the IREP study. This does not affect the results of the ISAP study in terms of the core melt frequency and timing, since the containment cooling system cannot prevent a core melt in these scenarios. The only possible effect i; in the area of plant damage states and consequences. This is an insignificant difference between the two studies because the IREP study determined that all of these sequences would have the same consequences whether or not containment cooling was successful (i.e., the release category split fractions were the same in both cases).
2-15
1 l
l l
i The following sections discuss specific differences in the event trees in the ISAP study and those representing the equivalent initiators in the IREP study. However, before beginning those discussions, it is useful to make a general observation regarding the ISAP study event trees versus the IREP study event trees.' Despite the differences in appearance between the two sets of trees, the phenomenologies represented are essentially identical. That is, the functional and systemic failures leading to core melt are nearly the same in both studies. This becomes obvious when one attempts to identify equivalent sequences from both studies. It is generally possible to select any sequence from the ISAP study and identify an equivalent sequence (or sequences) which were analyzed in the IREP study, although the details of the quantification may be different. This exercise is performad in Section 3.0 for the dominant ISAP sequences and is discussed in some detail in that section. The one major exception to this is the Anticipated Transients Without SCRAM (ATWS), which are quantified signifi-cantly differently in the two studies. This is discussed in detail in Section 2.2.4.
2.2.1 Reactor Transients Event Tree The ISAP study event tree includes a cognitive error of the operator failing to decide to restore RPV level when the feedwater system fails to continue to operate after the trip. This error encompasses the entire decision process of attempting to restore feedwater, initiating the isola-tion condenser, or depressurizing the RCS and using low pressure safety pumps, thus creating a linkage between the actions. The IREP study evalu-ated each of these alternatives to provide cooling; however, they were considered separate actions. This is a significant difference between the two studies which can result in substantial differences in human error and recovery actions, as will be discussed in Section 2.4. This difference in methodology is due in part to Mi11 stone's change to symptom-oriented pro-cedures and in part to advances in the methods available to analyze cogni-tive errors which have been developed since the IREP study. This is discussed in more detail in Section 2.4.
The ISAP study eM '.ree also includes an event for restoration of AC power. This is ir i 9 a for the purpose of evaluating support states involving a con::equu.cial loss of power following a non-LNP event. As 2-16
discussed in Section 2.2.4, this was not analyzed in the IREP and has a measurable effect on the results.
2.2.1.1 Loss of Feedwater Event Tree The comments on the reactor transient event tree apply to this event tree as well. The cognitive error modeled in the los of feedwater event tree applies only to those sequences where either the isolation condenser fails or a safety / relief valve sticks open, thus requiring the operator to decide to restore the RPV level.
2.2.1.2 Loss of Normal Power (LNP) Event Tree The ISAP study event tree considers a cognitive error of failing to decide to restore reactor pressure vessel level, which is similar to the failure to manually depressurize the reactor coolant system (RCS) evaluated in the IREP study. The difference is that in the ISAP study, this error is considered to occur prior to reaching automatic safety actuation conditions, and it includes the decisions to manually start the isolation condenser and to attempt to restore offsite power, even though the Isolation Condenser (IC) will eventually start automatically and the operator has additional
, time to actually recover offsite power. This particular handling of this cognitive error, while different from the IREP, yields a logically identical ,
model and thus does not affect the results.
l 4
The ISAP event tree includes an event for cross-connecting the 4.16kv safety busses so that one of the emergency power supplies can pick up some loads from the opposite train. This action only affects the availability of i
shutdown cooling, and only in a minor way. It does not have any significant
- effect on the results.
The ISAP study event tree also includes an event for the recovery of offsite power, which was adequately considered in the IREP study at the sequence cut set level. However, a notable difference is that the IREP study assumed that recovery of offsite power terminated the sequence successfully. The ISAP study, however, models the other actions necessary to initiate the systems required to actually terminate the sequence following the recovery of offsite power. This is a more detailed and l
2-17
accurate method than the IREP assumption, which was based on the belief that these scenarios were unlikely once power was restored. This difference does have an effect on the results.
The ISAP study event tree has an event which represents the actuation signal required for the plant to automatically respond to the loss of normal power event. This was handled in the fault tree models in the IREP study, rather than at the event tree level. Both methods are adequate if properly applied, which is the case.
2.2.1.3 Station Blackout This tree is just a specific version of the LNP tree to cover the case where all AC power is unavailable. Thus, the comments discussed above for the LNP apply similarly to this tree, with two minor modifications.
First, the cognitive decision process includes the additional decision to conserve DC battery power by stripping nonessential DC loads. This was not considered in the IREP study, but did not effect the results.
Second, the tree considers sequences where..the core is damaged but does
, not mel t. This occurs in time frames where the power is not restored in time to prevent the core from briefly becoming uncovered but power is restored prior to significant uncovery. The IREP study did not make this distinction, but it is not important unless one is interested in the possi-bility of minor core damage. The time frames used for preventing core melt are similar to those used in the IREP study, whereas the time frames used for preventing damage are somewhat shorter. Thus, there is nc effect on the core melt sequences.
2.2.2 Sucoort System Initiator Event Trees These ISAP event trees are subsets of the transient and loss of feed-water event trees. They are designed specifically to take into account the changes in system capabilities due to these initiators. The differences discussed for the transient and LOF event trees therefore generally apply to these trees. Otherwise, there is nothing notable about these trees ind, in 2-18 l l
l
~
fact, it would have been equally reasonable to utilize the t.ransient and LOF trees to evaluate these initiators.
' 2.2.3 Loss of Coolant Accident (LOCA) Event Trees The LOCA event trees in the ISAP and IREP studies are fairly similar except for the new ISAP event tree for the small-small break LOCA which is discussed in the next section.
2.2.3.1 Small-Small Break Event Trees This ISAP event tree, which is used for the lower end of the IREP small break size, has a number of differences from the IREP small break event tree. The first difference is that automatic pressure relief does not appear on the tree. In the ISAP study it was concluded that these breaks are too small to result in high drywell pressure; therefore operator action to manually depressurize the reactor is required. This seems to be a reasonable conclusion missed in the IREP study because the IREP study only considered break size ranges analyzed in the FSAR, which did not sepa-rately consider the small-small break size. Intuitively, however, it seems reasonable that there should exist breaks which are small enough that high drywell pressure would not occur. This difference had an effect on the results of the analysis.
Another difference is that in the ISAP study it was concluded that feedwater system. could not continue to run indefinitely without some opera-tor intervention. The operator is required to start a high-capacity conifen-sate transfer pump to replenish the hotwell to provide sufficient suction water for the feedwater system. This is required to replace water lost through the break. In the IREP study it was assumed that sufficient water would be supplied automatically by the condensate transfer system (CTS);
however, only a small capacity CTS pump will start automatically to replenish the hotwell. Thus, an additional branch appears on the tree for the required action of marually starting a higher capacity pump. This difference had an effect on the results. ,
1 A third difference is the consideration of a cognitive error by the I operator of failing to realize the need to recover RPV level when the 2-19
l l
l l feedwater system has failed. This includes the same actions as the one ;
discussed for the transient trees, and links together all possible actions to recover level. As mentioned before, this has a significant effect on the results. !
The ISAP study also considered a cognitive error of commission, that of the operator misdiagnosing plant conditions and prematurely terminating ECCS flow. This type of error was not considered in the IREP study, and it has an effect on the results. It is discussed in greater detail in Section 2.4 on human reliability analysis.
Finally, the ISAP study event tree has branches for successful long-term cooling using the main condenser or shutdown cooling (SDC) systems. In
(
the IREP study no credit for these cooling methods was allowed because they !
! normally require that the vessel be isolated so that no coolant is lost.
However, it is conceivable that these methods may work for the very nall breaks which comprise this break range. This is especially true when using
' (
the SDC system, where the SDC system can cool water taken from the vessel and return it to the vessel while the vessel level is being maintained by
! circulating torus water tigrough the core spray or LPCI systems to make up i
or continued coolant loss through the break. All that would be required is that adequate mixing take place in the vessel, which is a reasonable assump-l tion. The use of the main condenser is based on the fact that the condenser I 's i under vacuum conditions, while the torus is at about atmospheric pressure. Hence, it is logical to assume that after a period of time all steam would be dumped to the condenser since this should be the path of least resistance. Further, slight coolant losses can be replaced by the
- normal condensate transfer system. Thus, both of these cooling modes appear l
to be reasonable.
2.2.3.2 Small and Larae Break Event Tree There are two major differences between the ISAP study event trees for these initiators and the analogous IREP study event trees. First, both ISAP study event trees contain the cognitive error of commission (premature ,
termination of ECCS flow) mentioned in the previous section. For these initiators this difference does not have any significant effect on the result:. i 2-20
The second difference is that the feedwater system is not considered to be a sufficient mitigating system in the ISAP study for these breaks. This 1s based on the inability, even with manual action, of the condensate l
transfer system (CTS) to provide sufficient makeup flow to the condenser hotwell for breaks of these sizes. Thus, feedwater is assumed to be lost in l
a relatively short time. The IREP study assumed that CTS flow was suffi-cient, except for large liquid breaks, based on the Millstone FSAR. Regard-l 1ess, this difference did not have a significant effect on the results, and further investigation is therefore not warranted.
2.2.4 ATWS Event Tree There are significant differences in the way each of the two studies evaluates ATWS events. The IREP study assumed that an ATWS always resulted in a core melt, except for transients where the power conversion system (PCS) was available and continued to operate. Much study has been done on ATWS since that time, by both the NRC and the nuclear industry, and a much greater unoerstanding of ATWS events has been attained. This understanding has allowed for the modification of plant design and development of new procedures to mitigate ATWS events. The present NRC position on ATWS is contained in therecentlydevelopedATWSrule(10CFR50.62). It is more fruitful to compare the ISAP study evaluation with the analysis in the rule as opposed to that from the IREP study, since the former represents more advanced thinking on ATWS.
l The ISAP study considers two general cases of ATWS: Power Conversion l
l System (PCS) available and PCS unavailable. This is consistent with the ATWS rule. Each case will be considered separately.
For the PCS available case, the I F 4tudy deviates from the rule in i
that it assumes that operator actions are not as complex or imperative as ,
the rule states. It takes substantial credit for the ability of the PCS to l automatically maintain adequate heat removal for an extended period once the
! recirculation pumps are tripped. This is reasonable for the Millstone 1 l
l plant. The need for complex operator actions in a short time frame in the
! ATWS rule is based on certain assumptions in the rule, as follows:
2-21 c . _ _ . - _ _ _ - _ _ _ __ -
"It has been estimated that power will equilibriate at around 20 to 40 percent of full power.... A BWR is typically designed to bypass up to 25 percent of steam flow to the condenser. Thus, if the ATWS trcnsient has not involved MSIV isolation or loss of condenser, a maximum of 15 percent of steam flow will be directed to the suppression pool."
It is this loss of steam to the suppression pool which is the limiting condition for the operator actions in the ATWS rule. However, Millstone 1 is not a typical BWR. Its bypass capability is 1007. of steam flow; thus, there would be no loss of steam to the suppression pool. For this reason, we conclude that the ISAP event tree for an ATWS with PCS available is acceptable despite its deviation from the ATWS rule.
The only other comment we have on this case is that for the sequences where core melt does not occur, core damage is assumed. For this type of sequence, where the condenser is available at least until the reactor is i shut down using the SLCS, no undue stress on the core would be expected.
The shutdown process would appear to be normal, and no core damage resulting in cladding failures and radioactive releases would occur. Thus the end state for these sequences should be success, not damage.
, For the PCS unavailable case, the ISAP study and the ATWS rule are in general agreement on the basis behind the mitigation of an ATWS. That is, they both consider the limiting conditions for success to be injecting boron to shut down the reaction and maintaining sufficient heat capacity in the torus (not exceeding the torus heat capacity temperature limit for the prevailing RCS pressure). Also, the operator actions ir, the ISAP study are the same as those described in the rule. They deviate in the capability of the standby liquid control tystem (SLCS) to mitigate the ATWS and in the absolute limit of 2000 torus temperature. Specifically, the ATWS rule states the following:
"For these cases where all of the reactor power is dissipated in the suppression pool, the suppression pool temperature would exceed 200 0 F slightly even if the operator immediately followed the procedures and actuated the (43 gpm) SLCS. If SLCS capability is increased to 86 gpm, the operator must act within two minutes after the transient begins in order not to exceed the 2000 F suppression pool limit. Therefore, i '.
2-22
- was conservatively assumed that all isolation transients will exceed l the 2000 F containment suppression pool limit with the current SLCS capacity of 43 gpm."
l Thus, an event tree for Millstone I based on the ATWS rule would not l have a success branch for SLCS because it is assumed to have insufficient l capacity. However, it is important to note two things. First, the rule used the word " conservatively" to describe its assumption. Further, the analysis is apparently based on a " typical BWR." Once again, Millstone 1 is l not typical. Its suppression pool is the same size as typical BWR-4s, but its core power is only about 60% of a typical BWR-4. Thus, Millstone 1 has l a greater heat rejection capability (in terms of eg' ivalent full power seconds before exceeding 2000 F). Further, the heat capacity temperature j
limit curve for Millstone does allow the torus temperature to exceed 2000 F l
if the RCS pressure is sufficiently low, although we cannot verify the l acceptability of this curve. Therefore, it may be possible that a 43 gpm l SLCS is sufficient for Millstone 1. For the present, however, we must reserve judgment until we can review thermal / hydraulic calculations of this
! sequence to determine if this is so and how long the operator has to initiate SLCS. If a 43 gpm SLCS is not sufficient, ATWS will become a more
! significant contribution to core melt, assuming all other conditions remain the same (whichtheydonot; see RPS analysis comments in Section 2.3.2, l* operator response comments in Section 2.4.2, and ATWS summary in Section l 3.3). A detailed reanalysis of ATWS, which evaluates the significance of these differences, is given in Section 3.3.
2.2.5 Inclusion of Suncort Systems in Event Tree Ouantifications The ISAP study used an entirely different method from the IREP study to
. consider the effect of support systems on the sequences. In the IREP study the support system fault trees were merged with the front line system fault l trees to create complete fault trees for the front line systems which include all potential support system faults. In the ISAP study, the support l
l systems were evaluated separately and a support system event tree was used l to define support states. These support states define the possible combinations of support system success and failures which can exist following an initiating event. Thus, each event tree is actually evaluated l l
2-23 l
l l
l a number of times (once for each support state), and the system failure l probabilities used are conditional on the support state being evaluated.
I The review of the ISAP support states and the front line systems showed that the system interfaces modeled in the IREP study, as modified by actual plant changes, are adequately represented in the ISAP analysis.
The significant difference between the two support system interface models is that the !$AP study considered the subsequent loss of AC power after a non-LNP initiating event. The IREP study did not consider this possibility. The support states that result from this subsequent loss of power on either emergency bus do contribute to three of the ISAP study dominant accident sequences, all reactor transient initiated sequences. Two of these sequences would not have been dominant sequences if the subsequent l
loss of power support states had not been considered. The total contribution of these two sequences is approximately 57. of the total core melt frequency calculated in the ISAP study.
2.3 Comnonent and Plant Systems Reliability Analysis This section provides a brief review of both the component failure data used and the system reliability analysis performed in the Millstone 1 ISAP study. The review of the component unavailability data consists of a comparison of the data used in the ISAP study with that used in the IREP study. No other attempt has been made to verify the accuracy of the plant specific data used in the ISAP study. The review of the system relia-bility analysis was also primarily a comparison of the ISAP study system models to those used in the IREP study. This comparison was limited to a comparison of the success criteria, support system interfaces, and system descriptions in the two studies. A detailed review of the system fault l
trees used in the !$AP study was not performed. However, the system unavailabilities used in the ISAP study were assessed for their reasonable-ness based on information that could be extracted from the IREP study.
2.3.1 Comoonent Failure Qala The ISAP study applies Bayes Theorem to a combination of generic data '
and plant specific data to develop the failure rate data used in the study.
2-24
O 4 l
l l
WASH-1400 was selected as the generic data source. The demand failure data in WASH-1400 were assigned a Beta distribution to generate prior means and
, variances; a Gamma distribution was assigned to the hourly failure data.
l The means and variances were then modified using the plant-specific data by applying Bayes Theorem.
The IREP study used WASH-1400 data almost exclusively. The only failure data not taken from WASH-1400 were for components not specifically identified in WASH-1400 or components where plant data justified using a plant-specific failure probability instead of the generic data. (All of the components found to be significant contributors to the IREP study dominant l , accident sequences were modeled using generic WASH-1400 data.)
l l Table 2.10 lists the failure data used in the two studies for signifi-cant components, i.e. those components whose failures are important contributors to the core melt sequences, j For most components, the differences between the data used in the two l studies are not significant. There are only three component failures where the differences in the data significantly impacted the quantification of the l , dominant accident sequences. The failure probability used for AC breakers is significantly lower in the ISAP study than in the IREP study, particularly for 4160V breakers. The ISAP study also used a significantly
- smaller failure probability for the diesel generator failure (both failure l to start and failure to run) and for the gas turbine generator failure to
! run once started. All of these reduced failure probabilities would reduce the impact of loss of normal power (LNP) accident sequences. These failuro l probability reductions are a significant reason that the LNP sequences are not as dominant in the ISAP study as they are in the IREP study.
The differences in the remaining component failure probabilities are either insignificant or affect components that do contribute significantly to dominate accident sequences.
l l
l l 2-25
. 4 Table 2.10 COMPARISON OF IREP AND ISAP COMPONENT FAILURE DATA !
1 COMPONENT FAILURE ON DEMAND +
(MEAN)
ISAP IREP*
MOV (Outside Drywell)
I' ail to open 4.45E-3 1E-3 Fail to close 3.00E-3 l 1E-3 MOV (Inside Drywell)
Fail to open 3.79E-3 1E-3 Fail to close 4.90E-3 1E-3 i ECCS check valves Fail to open 1.15E-4 1E-4**
Fail to close 6.60E-4 --
Feedpump check valves Fail to close 2.29E-3 --
i All electric motor-driven pumps
, Fails to start -
1E-3 Fails to run -
9E-5/hr ECCS Pumps Fail to start 7.48E-4 Fail to run 7.99E-5/hr Service Water Pumps l Fail to start 7.89E-4 l Fail to run 3.81E-5/hr Emergency Service Water Pumps .
Fati to start 6.41E-3 l Fail to run 7.99E-5/hr Ref. "IREP-Analysis of the Millstone Point Unit 1. NPP" Vol.1; Table 7.1 a ,b. Data given were based on monthly testing, except where noted IREP used median values, data has been converted to mean values.
- Not modeled in the IREP Study.
+ For components tested only during refueling outages, both studies modified component failure data (for valves and breakers) to account for the impact of the extended ts:t i ryc'.
2-26
. e Table 2.10 COMPARISON OF IREP AND ISAP COMPONENT FAILURE DATA (Continued) f I
COMPONENT FAILURE ON DEMAND '
(MEAN)
ISAP IREP*
1 l R.B.C.C.W. Pumps Fail to start 9.24E-4 Fail to run 9.71E-6/hr Shutdown Cooling Pumps Fail to start 2.84E-3 Fail to run 9.59E-6/hr T.B.S.C.C.W. Pumps l
Fail to start 9.67E-4 Fail to run 1.02E-5/hr Feedwater Pumps Fail to start 9.48E-4 Fail to run 1.46E-6/hr
. Condensate Booster Pumps Fail to start 1.66E-3 Fail to run 5.05E-5/hr Condensate Pumps Fail to start 1.07E-3 Fall to run 8.60E-7/hr Emergency Condensate Tranfer Pumps Fail to start 1.12E-3 Fall to run 7.99E-5/hr C.R.D. Pumps Fail to start 1.57E-3 Fall to run 1.58F-6/hr
~
Ref. "IREP - Analysis of the Millstone Point Unit 1, NPP" Vol.1; Table 7.1 a ,b. Data given were based on monthly testing, except where noted IREP used median values, data has been converted to mean values.
2-27
0 0 Table 2.10 COMPARISON OF IREP AND ISAP COMPONENT FAILURE PS'J5 (continued)
COMPONENT FAILURE ON DEMAND (MEAN)
ISAP IREP, Diesel-Driven Fire Pumps Fall to start 4.77E-2 Fail to run 7.97E-4/hr Motor-Driven Fire Pumps Fail to start 1.13E-3 Fail to run 7.99E-5/hr 4.16KV Breakers Fail to operate 1.34E-4 1E-3 480V Breakers Fail to operate 6.14E-4 1E-3 Diesel Generator Fail to start 6.71E-3 3E-2 Fail to run 1.12E-3/hr 9E-3 Gas Turbine Generator Fail to start 4.80E-2 3E-2***
Fail to run 1.97E-3/hr 9E-3 Battery Charger Fails to operate 1.02E-5 --
- Gas Turbine Generator failure probability was found to be similar to that of Diesel Generator - (Ref. "IREP - Millstone Peint Unit 1"; Vol.
1, pg. 7-2.
i I
l 2-28
2.3.2 Plant Systems Reliability Analysis The review of the plant systems reliability analysis performed in the ISAP study was limited to a review of major differences found between that study and the IREP study. The system descriptions in the two studies were compared with particular emphasis on system success criteria and the systems
, dependencies, i.e. support system interfaces.
A detailed analysis of the fault trees was not possible during the time cvailable for ~the review. However, in some cases changes in the plant design which impacted this part of the analysis were identified.
Differences in the identification of systems used in each study are also noted but not necessarily discussed in detail here.
There are two systems where differences in the success criteria used in the ISAP and IREP studies have resulted in significant changes to the calculated system reliabilities. The most important difference is in the success criteria for the Alternate Shutdown Cooling (SDC) System which is the Containment Cooling (CC) mode of operation of the Low Pressure Coolant Injection (LPCI) system (referred to as LPCI/CC in the Millstone 1 IREP l study). This system is one of the long-term cooling systems and uses the
. Emergency Service Water (ESW) system to remove decay heat. The LPCI system l 1s a two-train system with each train consisting of two pumps and a single heat exchanger (used only in the containment cooling mode). The ESW system consists of two trains with each train consisting of two pumps. Each ESW l system train supports only one LPCI train, i.e., two ESW pumps provide flow to one LPCI system heat exchanger; the other two provide flow to the second heat exchanger. The success criteria used in the IREP study for these systems were one LPCI pump operating with the corresponding heat exchanger and one of two corresponding ESW pumps operating. The ISAP study success criteria for these two systems are much more stringent. The ISAP study assumes that one LPCI pump in each train is required and both heat exchangers are needed. To remove the decay heat, the ISAP study uses a success criterion that requires all four ESW pumps to operate. This change in the success criterion results in a much higher, by nearly two orders of 4
magnitude, alternate SDC system failure probability in the ISAP study than
- in the IREP study. It should be noted that no system failure probabilities were provided in the IREP study. The change in system failure probshilities 2-29 4
e ..w..s. -..--e-,--r- , - , ,. - - , - . _ _ , , , - , - -
,e . . -, . . . , , -,-- --+ .,,. - ,_ -- , - , , - . -----m- - - - -
l l
is based on estimated values for the systems in the IREP study. These estimates are derived from the IREP study sequence quantification. The differences in the system success criterio, account for nearly all of the two orders of magnitude difference in syster failure probability. .
The second system for which different success criteria were used in the two studies is the Service Water System (SWS). In the IREP system relia-bility analysis, the success criteria for the SWS, under all conditions, require one of the four SWS pumps to be operable. In the ISAP study, the SWS' success criteria are sequence dependent. For most seauences, two of
- sequences the SWS success criteria used were either two pumps operable or one pump operable and valve SW-9 must close. (The closure of this valve isolates nonessential cooling loads from the SWS.) This change in system success criteria does not appear to have made a significant difference in the results of these two studies except for the frequency of initiation of a loss of service water transient. The impact on the initiator frequency is
! discussed in Section 2.1.4.
Some minor differences in the support system interfaces used in the two studies were also found. None of these differences would appear to make a significant difference in the results of the studies.
In the Shutdown Cooling (SDC) system, the ISAP study shows a support system interface where the loss of either DC bus (101A or 101B) would result in the loss of the SDC system. The IREP study model of the system indicated that failure of either DC bus would disable only half of the SDC system.
Since the support states where one DC power train is lost do not contribute significantly to the ISAP study results, this difference in support system l requirements does not appear to be significant.
The second difference in support system requirements affects the SWS.
In the ISAP study, the valve that is required to close on an LNP, SW-9, is modeled as being powered from one of the two main AC power trains. In the IREP study, this valve is modeled as being powered from a bus that could be energized by either of the two AC power trains (a normal supply with an automatic transfer to a backup supply). This difference does not appear to significantly affect the results of either study.
2-30
. _ _ - . . . , ,,_.,v,-,, . - - , , ,.,m.,. . - , _ _ , , _ , , ,_ -.__ ,_ , m,. -
Other than these two differences, the modeling of the support system interactions in the two studies are in agreement with each other. The differences in methodologies, support states versus merged fault trees, has
'not resulted in differences in the results of the studies. But the dif-ferent methodologies did result in differences in the way some support systems were modeled. In the IRE? study, there was only one AC power fault tree that included vital and instrument AC, and the actuation logic for the ECCS was included in each system fault tree. In the ISAP study, separate support system fault trees were produced for vital AC, instrument AC, and the actuation logic. These differences did not impact the study results.
At least two equipment changes have been made at Millstone I since the IREP study that were incorporated into the ISAP study. A change in the LNP reset logic was incorporated that would reduce significantly the impact of logic failures. These logic failures were a significant contributor to the ;
IREP study dominant accident sequences. This modification reduces the importance of LNP initiated sequences in the ISAP study. The second modification was to the makeup valve (ICM-10) to the isolation condenser.
The power supply to this valve was changed from AC power to DC power, greatly increasing the reliability of the isolation condenser makeup system, especially during an LNP event. This modification would also reduce the importance of several IREP study LNP sequences.
Finally, the reactor protection system (RPS) was modeled differently in the two studies. The ISAP study used a demand failure probability of approximately SE-5 based on a Bayesian analysis using historical data as of 1979. This is an old analysis and is probably quite conservative. The IREP study used a value of approximately IE-5 based on a detailed fault tree analysis of the system. Common cause mechanical failure was dominant, and there was no contribution from electrical failures. The NRC's ATWS rule (10 l CFR 50.62) agrees with the IREP study in that a IE-5 RPS failure probability I l is a reasonable estimate for the mechanical failure contribution. (This excludes an additional 2E-5 contribution for electrical failure of the RPS for the RPS design existing at the time of the IREP study. If a plant has alternate rod insertion (ARI), the rules state that these electrical contri-butions are eliminated. Millstone Unit I now has ARI.) It would appear that the ISAP study used a conservative estimate for its RPS failure l 1
2-31
probability. The impact of this and other competing factors on the ATWS frequency is discussed further in Section 3.3.
2.4 Human Reliability Analysis (HRA)
There are significant differences between the HRAs performed in the l IREP study and the ISAP study. In particular, two areas are most signifi-4 cant. First, the ISAP study separately considered cognitive errors, which are errors in diagnosing and interpreting plant conditions and deciding (in a conceptual sense) what actions are appropriate. In the IREP study, these types of errors were not explicitly analyzed. At the time of the IREP study, the only useful tool for quantifying human error was the Technique for Human Error Rate Prediction (THERP) (5), a technique which allowed for
- detailed modeling of procedural-type errors on a step-by-step basis. It considered the concept of decision making errors only as it applied to certain steps within a procedure. Since that time, new understanding of the cognitive errors has been gained, allowing for the quantification of the i
decision making process from an overall diagnosis of plant conditions out-side of the step-by-step procedures. The consideration of cognitive errors in this manner is a major advance in HRA, and is generally recognized by experts as being a vast improvement over THERP. It should be noted that
. THERP is still recognized as the state of the art for evaluating strictly procedural errors. .Two useful tools have been developed for the quantifica-tion of cognitive errers: the Time-Reliability Correlation (TRC) model (6),
and the Systematic Human Action Reliability Procedure (SHARP) model (7).
The ISAP study makes use of both of these modeling techniques. The use of cognitive modeling in this study has a significant effect on the results when compared with the IREP study. We believe the ISAP methodology is more reasonable.
The second ,significant difference between the two studies is also related to a change which has taken place since the IREP study. Millstone
, Unit I has converted its procedures to the new " symptom oriented proce-dures." These procedures are more concise, more understandable, and easier to follow than the procedures which existed at the time of the IREP study.
Thus, procedural errors are less likely to occur during certain key operator actions. This has a significant effect on the ISAP results. In most cases, in the ISAP study procedural errors were also considered in addition to 4
l 2-32 1
-e ,- , - --e--- - - - ,
cognitive errors. That is, the probability of failing to properly perform the manipulations required (procedural error) was evaluated given that the operator has properly diagnosed the situation (cognitive success).
Generally, these errors are incorporated directly into the system failure rate determinations. A significant exception to this, which is discussed in more detail later, is in the ATWS analysis. For some reason, procedural error was not fully considered despite 1.he rapid and complex nature of the actions required.
. Even with these differences, the HRA in the ISAP study is quite unsophisticated and for the most part " screening values" are used. The analysis performed was very simplified, and the analysts did not take full l advantage of the available modeling tools. Further, there was virtually no ;
detailed documentation of the errors analyzed, either in the summary report l
or in the QA calculation files at the utility's headquarters. This made the review of the HRA extremely difficult and, even after discussions with the analysts, several areas were left where the details of the analysis could not be verified. To a large extent it was only possible to review the '
results of the HRA by comparing them to alternative screening techniques.
2.4.1 Coanitive Error Modelina The ISAP study explicitly models cognitive errors of decision-making.
This was not done in the IREP study. These errors represent incorrect decisions by the operator based on his misunderstanding plant conditions.
This results in the operator failing to enter the appropriate emergency operating procedure (EOP). In the IREP study, the only operator errors leading to a misunderstanding consisted of whether the operator correctly read the instrumentation. That is, if he correctly read the meter /annuncia-tors, it was assumed that he entered the correct procedure. Cognitive error modeling accounts for the addition of the possible error that the operator could fail to correctly interpret the instrumentation even if read correctly. Additionally, the cognitive error concept tends to link together actions which were formerly thought to be relatively independent; i.e., the concept considers that if the operator fails to understand the plant condi-tions he may take no actions whatever. In the case of the ISAP study, this l is particularly important because of the format of the new Millstone 1 l procedures. The procedures in force at the time of the IREP study could be 2-33 l
l 1
- - _ _ - _ - - . - , . . _ _ - _ . 1
very complex and confusing; however, they had a certain amount of independ-ence in that the operator might take an action to restore a sy:: tem, even if he thought he didn't need to, just because it was unavailable. The new, symptom oriented procedures are much easier to comprehend and follow, but they are very restrictive about what the operator should do for a particular plant symptomatic condition. Thus, if the operator fails to correctly interpret the plant condition, he would undertake a series of tasks or a course of nonaction which would fail to aid his situation. In all, the addition of explicit cognitive error modeling and the switch to symptom oriented procedures is a significant reason for differences between the IREP and ISAP PRA results.
, As mentioned previously, the ISAP study utilized two cognitive modeling techniques for quantifying human reliability: SHARP (7) and TRC (6). The next two sections discuss these techniques and the cognitive errors modeled by each.
2.4.1.1 Time-Reliability Correlation (TRC) Model A TRC model is used to determine the probability of the operator fail-ing to make a correct decision based on the amount of time the operator has available. The basic premise of the model is that the driving factor in the decision process is how long the operator has to think about it. Further, this factor is generally independent of other factors and constitutes a reasonable basis for selecting a screening human error probability (HEP).
In order for an analyst to determine the HEP for a particular decision, he need only determine how long the operator has to take action and select the corresponding probability from a time vs. HEP curve. Such curves have been developed by human reliability experts and are published in a number of reports. The ISAP study used a curve from NUREG/CR-3010 (6, Figure 5-2) for quantification.
l The ISAP study used the TRC for evaluating cognitive errors where the j amount of time for making the decision exceeded about ten minutes. Five j errors were evaluated in this way. These errors are shown in Table 2.11.
l For those actions which were related to scenarios considered in the IREP study, the times used in the two studies are in general agreement. For the actions of initiattn; :r.. , c., .,ndensate transfer and conserving batteries 2-34
1 Table 2.11 Human Errors Evaluated Using the Time. Reliability Correlation NUREG/CR-2815 Error Descriotion Time Avail ISAP HEP HEP Operator fails to decide 50 min. 4.5E-4 2E-3 to restore IC makeup (IC operating)
Operator fails to recognize 40 min. 7.0E-4 3E-3 the need to initiate emergency condensate transfer during small-small LOCA w/FW available Operator fails to recognize 10 min. 1.5E-2 0.5 the need to manually ' (FW operating) depressurize during a small LOCA (manual backup to auto actuation)
Operator fails to recognize 50 min. 4.5E-4 2E-3 the need to conserve DC _.
batteries by shedding non-
, essential loads during blackout Operator fails to recognize 20 min. 3.5E-3 0.1 the need to restore RPV level during stuck-open S/RV event ,
l l
2-35 l l
(not considered in the IREP study) the basis for the time frames appear reasonable. It is worth noting, hoaever, that the HEP values used, although taken from an NRC report, do not correspond with the preferred screening values from NUREG/CR-2815, the PSA Procedures Guide (8). The right hand column of Table 2.11 gives the values which would be obtained if the TRC curve from that report is used. These values are significantly higher and could affect the results of the analysis.
After careful consideration, we have determined that the NUREG/CR-3010 curve used in ISAP is inappropriate for the type of analysis performed. The screening curve from NUREG/CR-2815 should have been used. There are two major reasons for this.
First, the NUREG/CR-3010 curve was developed by a single team of analysts from one organization. Although it is singled out in the report and used in the examples, it is actually only one of several curves discussed in the report. The NUREG/CR-2815 curve, on the other hand, is a consensus curve based on multiple information sources and represents the consensus of a multi-organizational group of experts.
i Second, it is apparent from the discussion in NUREG/CR-3010 that the
, curve selected for use in the ISAP study is not intended for use in a screening analysis. Rather, the use of this curve assumes a detailed human reliability analysis, specifically, the development of an operator action tree (OAT) to represent overall operator response. Additionally, when using this curve it is necessary to specifically evaluate the " thinking time" interval based on the following equation:
tT=t0 - tg - ta where 1 .
tT = Thinking time t 0= Overall time from the initiation of an accident sequence to the point by which actions must be completed.
ty = The time after initiation at which appropriate indications or other clues are given.
ta - The time it takes to implement the actions decided upon.
i 2-36
This must be done because this curve represents the HEP as a fJnction of thinking time alone. A further consideration when using this curve is the inclusion of modifications to the HEP due to other effects, such as reluc-
'tance factors. Additionally, this curve only represents a part of a more detailed HRA of any given human action. It can be used ta quantify !
cognitive decision points on an OAT, but should not be assumed to. represent the entire action. The ISAP study did not perform these detailed analyses, which should accompany the use of this curve.
On the other hand, the NUREG/CR-2815 curve was specifically intended as
- a screening curve. Thus, none of the above considerations are necessary when values are used from this curve. This curve takes into account, as much as possible, all t'.e facets of a human action in the determinations of a reliability number. This is obviously not as accurate as a detailed model. For example, for all actions required within a given time t o it implies (by its very structure) that the times t , i t a, and tT are identical for all such actions, as are any procedural error rates associated with them. However, in the absence of a detailed HRA, which is the only way these values can be determined, this curve is expected to give a more reasonable estimate of the HEP for a particular action than the other curve (which applies only to tT). Therefore, this curve is much more appropriate for the simplified analysis performed in the ISAP ' study. It should . be
~
noted, however, that the state-of-the-art in TRC has progressed past the use of a single curve. Different curves for various behavioral types and action conditions should be used. But this would require a more detailed HRA than was performed by the ISAP study analysts.
l As mentioned above and shown in Table 2.11, the values obtained using NUREG/CR-2815 are significantly higher than those used in the ISAP study.
The use of these higher values would affect the ISAP results in two cases.
These cases are the second and last human errors shown on Table 2.11. The use of an HEP of 3E-3 for the second error (instead of 7E-4) would result in i a new dominant sequence, described as follows:
o small-small LOCA l o Feedwater continues operating post-trip o Operator fails to initiate emergency condensate transfer o Feedwater trips on low hotwell level l
2-37 i
The frequency of this sequence would be 3E-5 and it would fall into plant damage state SEl.. This would increase the frequency of this plant damage state by a factor of 2 to 3 and would increase the frequency of
] small-small break core melt by up to a factor of 2. Overall, the total plant core melt frequency would increase by less than 5%.
i i The use of an HEP of 0.1 for the last error (instead of 3.5E-3) would also create a new dominant sequence, described as follows:
o Inadvertent opening of an S/RV o FW fails post trip o Operator fails to recognize the need to restore RPV level The frequency of this sequence would be 2E-5 and it would fall into plant damage state TEl. This would increase the frequency of this plant damage state by less than 10% and would increase the frequency of core melt due to inadvertent opening of an S/RV by a factor of less than 2. Overall, the total core melt frequency would increase by less than 5%.
2.4.1.2 Systematic Human Action Reliability Procedure (SHARP)
The SHARP method of cognitive error quantification differs from the TRC method in the selection of the driving factor behind human performance.
Whereas the TRC method considers the time available as the driving factor, the SHARP method considers the type of action and the expected behavior.
The screening process used in ISAP calls for generating human error proba-bilities based on the type of action and the expected behavior. ,
I In this model, three human behavior categories are defined. These are:
skill-based, rule-based and knowledge-based behavior. The classification of each human action in the ISAP study into one of these categories is based on the following definitions:
o The behavior can be classed as skill-based if the operator is well trained, is motivated to perform th'e task, and has experience in performing the task.
t 2-38
o The behavior can be classed as rule-based if the operator has a su clearly understood set of rules to follow in responding to a well- iY understood transient or situation. -"-
mra' o The behavior can be classed as knowledge-based if the above do not apply or the operator must understand the condition of the plant, interpret some of the instrument readings, or make a difficult DI diagnosis.
Figure 2.1 is a reproduction of Figure 4.2-3 of the ISAP PSS. This figure shows the logic that was used by each analyst in the classification of different human actions into one of the above categories. This guideline t e RPV was used so that the classification done by different analysts would be performed in a consistent manner. It should be noted, however, that a'I f" certain amount of " analyst creativity" is required in using this logic tree. '
i For example, a nonroutine operation which is covered by a well written, ' C understandable procedure might still be classified as knowledge-based if the 3 -
amount of time available is short. In this case, the operator may not have time to access the procedure, which would make the operation equivalent to one which lacked a procedure. dN
. Following the classification of each human action, tM human error Y' probabilities were found using the values reported in Appendix A of the '
- SHARP report (7). To obtain a screening value for a behavior type from the * "
range of values given in Reference 7, a log-normal distribution was assumed ' P for each range of values. The mean and variance for the human error proba- #
bilities in each of these categories used in the ISAP study are shown be1# D "V I Behavior Tvoe Mean Variance ' df fi c
Skill-based 1.3E-3 1.08E-5 3C Rule-based 1.3E-2 1.08E-3 Knowledge-based 1.3E-1 1.08E-1 te It should be noted that the ISAP study application of SHARP was very I simplified. SHARP is intended to be a tool for developing a detailed model l of human response, which could include such things as operator action event trees (OAET), THERP trees, and time reliability correlations (TRC).
2-39
e e r s e . e o o . o r r . r t
s, t
s .e w,uae not n
L L
I K
e t
o n
o.
n o
,s n , a u S n n . ,
E _
R _ - _ _
U _
OO _ _ _ _
E E _ - _
l C Co _ _ _
e t
i e _ - _
n _ _ _
= AC P _ - _
0 PR F _
s n O _ -
-I
- -T e L E _ _
P L S - _
t 9 U _ _ _ _ .
e p
I I
I _ _ - _
y
_ _ - _ T 7 _
r 9
_ _ _ _ o w0 u
L i
e 00 E _ v e
e e f N _ _ _ _ a c S o c A S h
a t a _ _ _ e e 0 t _ _ B N P _ _ _ _
U _
_ d
_ _ _ _ e
_ t
_ _ _ c w N
_ _ _ _ e p
u _
o r L fe L _ _ _ _ x C E f _ E o W iA _ _
n _ . f e w _
_ _ o
_ _ _ n
. _ o
= _ _ .
. . i u S O R E _ _ - _ t e E S - c C V A _
_ e o O C _
l a C P
_ _ e
_ S
_ i n
t O a t _ _
u 0 T e d r O u t
- _ _ i e A a N 0 _ _
n a = o i
_ _ t t
s s e
c O
f e i A _ e f
e R r n TL tc 4 T e S O p
O 0 _ c 0 f i n 0 0 _ g o 0 0 4 o
7 9s 0 _ L
= t a
0 c
i e
s f
S _
S U a _
= E 1 n 0 a e s _ .
T U 2 e
r u
g i
. F s o e
Y n
u.A f
, j! ,1
1 Specifically, the values from Appendix A of the SHARP document used in the ISAP study are screening values which can be used for screening within the SHARP process. However, once that screening is done and the errors with potential safety significance have been identified, it .is absolutely necessary to continue the process and perform a detailed HRA, following the SHARP process to completion, for those errors. It is not acceptable to use the Appendix A screening values as if they w4re final values and to thus base risk decisions on the results using these values. A careful reading of the SHARP document makes it amply clear that the Appendix A material is not a substitute for the entire SHARP process, but is rather one way to perform Step 2 Screening. Thus, the HRA analysts did not fully utilize the SHARP methodology, and it is questionable whether the simplified analysis was reasonable as a screening analysis. However, as discussed further in this sectir,n, the results obtained are generally comparable to those expected from other screening techniques and expert judgment.
The human errors evaluated using the SHARP methodology are shown on Table 2.12. Each of these errors was evaluated ~using SHARP because the 1 operator decision time was assessed to be less than about ten minutes. The most important of these errors is the first one shown on the table. This is the error of the operator failing to recognize that the RPV level is decreasing and that he must respond to it. This error is important for two reasons. First, it appears on virtually all of the event trees because i
- level is the key indicator that there is a problem at the plant (this is true of all BWR's). Second, because of the concept of cognitive errors and the new Millstone Unit I procedures, if the operator fails to recognize the !
need to respond and thus does not enter the level control procedure, it is assumed that he will not take any actions to actuate or recover any systems-which could be used to prevent core melt. The ISAP study assumed that this
, decision had to be made within ten minutes (or in some cases even less) because part of the response includes manually initiating the isolation condenser. If the operator does not do this within ten minutes, it will actuate automatically. We believe that it would have been more reasonable i to use time frames which reflect the actual times available. By way of I
comparison with this alternative approach, Table 2.12 shows estimated actual time frames available to the operator for the three sequence scenarios (Cases A-C) in which this error appears. The time frames shown are the times available for action to prevent core uncovery and core melt. They are 2-41 l
i .*
Table 2.12 (con't.) -
I NUREC/CR-2815 ISAP Est. Actual NEP HEP Time Avail.
Basis Error Gescription N/A Knowledge 1.3E-1 3 min '
( A1WS Ihste = 0.5)
Operator falls to rec,ognf re the need to reduce core power before torus heats up to !!O' F i
( ATUS w/PCS failed) 2E-1 1.3E-1 15 min j Knowledge Operator falls to recognize the need to keep RPV pressure below heat capacity temperature l
limit of the torus ( ATWS w/PCS failed) i 9
1 Y
0 i
i i
l, e
l l
1
taken directly from the ISAP study, where they were used in the station blackout analysis to evaluate offsite pcwer recovery. The core melt time frames are in general agreement with the time frames used for the same 3 scenarios in the IREP study. Using the TRC curve from NUREG/CR-2815, we get HEPs for the three cases for preventing core melt of 0.03, 0.003, and 0.0009. The HEP used for all cases in the ISAP study is the rule-based value of 0.013. While the ISAP value is clearly closer to the TRC values for Cases A and 8 than for Case C, there is virtually no effect on the final (dominant sequence) results. This is because ISAP grouped these three sequence scenarios together wherever they appeared and called it a siingle sequence (see, for example, sequence 2 on Table 3.1). The contribution from each of the three cases to these combined sequences is approximately equal in the ISAP study, (i.e., the three ways of reaching the point where this decision is required; failure of S/RVs to reseat, failure of IC, and failure of IC makeup; each contributes approximately one-third of the sequence probability up to that point). Thus, the average of the three HEP values mentioned above (which is equal to 0.011) is a reasonable approximation of the composite HEP. Clearly, then, using another approach yields the same final result, and we can conclude from this that the value used for this extremely important cognitive error is reasonable. Our only restriction would be that we would consider Case A to be more important, based on the TRC values, than the other cases, whereas the ISAP study would consider them equal. This would be significant if changes were being considered to reduce the frequency of these sequences which did not affect all three cases equally.
The next error shown in Table 2.12 is significant in that it considers co'gnitive operator error of commission. That is, the operator takes an action which is detrimental to the mitigation of an accident due to his misinterpretation of plant conditions. This type of error is seldom con-sidered in a risk assessment, although it has the potential to be signifi-cant. The values used in the ISAP study are reasonable for screening purposes given that we expect that the operator will have approximately 30 minutes to recover from the erroneous action. From the NUREG/CR-2815 TRC curve, 30 minutes corresponds to an HEP of 0.01. This must be combined with the HEP for initially making the error. Even if this were as high as 0.1, ,
which is doubtful, the total expected HEP would be 0.001. Thus, we expect I that the values used in the ISAP study are probably conservative and yet 2-44
l they do not have a significant effect on the results.
Therefore, further detailed analysis is not warranted.
I
! The next two cognitive errors involve response to ATWS w'ith PCS availa-j ble. The first action is somewhat complex in total, i.e., many actions are required, but the only task which is essential in the immediate term is to trip the recirculation pumps. If the operator succeeds in doing that, the PCS will automatically maintain adequately safe conditions until the other actions are completed. No HEP is available from NUREG/CR-2815 for a time I
frame this short however, it would seem that the HEP used in the ISAP study J
is a reasonable screening number. This is because the action is an auto-matic response to observing that rod bottom lights for the control rods are not present. It is an intuitive rather than diagnostic / interpretative action, and an HEP of about 1 in 100 trials seems reasonable. For the second error, the result appears conservative since the operator would have
^
a long time to provide for decay heat removal. However, this error does not ;
contribute to core melt, and so it is sufficient to note that we do not feel l that it is too low.
The final two errors in Table 2.12 pertain to operator diagnosis of the '
need to take certain actions during an ATWS with the PCS unavailable.
,, While the actions are in some ways related, they are considered separately because the symptoms which direct the operator to enter each procedure are
. independent. That is, the procedure the operator enters to reduce core power does not specifically direct the operator to the containment tempera-ture control procedure. The need to perform those actions must be realized separately. Again, for the actions required within three minutes, which are very complex and cannot be delayed as in the ATWS with PCS available case, no NUREG/CR-2815 values can be obtained. However, on an intuitive basis the !
- value used is not unreasonable. We would expect that the operator would '
recognize the ATWS very quickly and have some time to decide on a proper course of action. Thus, the ISAP study number is generally reasonable. For
- the other operator decision required (torus heat capacity), the ISAP study i value used is in general agreement with the value obtained from the i
NUREG/CR-2815 TRC curve. We do note that the ATWS rule uses a value of 0.5 as the HEP for the operator failing to initiate the procedures in time.
- This value includes both of the cognitive errors discussed above. The total
! ISAP study HEP for both errors is .26, only a factor of two smaller than the
~l 2-45 1
i i
ATWS . rule number. This also supports the ISAP study values, since the generic value in the rule is generally recognized as being somewhat con-servative.
2.4.2 Procedural Error Modelino 4
In addition to cognitive errors, the ISAP study also considered proce-
, dural errors. These are the errors which take place after the operator has
, diagnosed the situation, has selected the proper procedure, and is actually trying to perform the required actions. These errors were evaluated at the systems level (i.e. essentially considered in the system fault trees) as was done in the IREP study.
As far as we can ascertain from the limited information available, the ISAP study used two HEP values for procedural errors. A HEP of 0.0013 was used for control room actions involving simple manipulations or systems with which the operators are very familiar. An HEP of 0.013 was used for actions outside the control room or for control room actions which were complex or unfamiliar. These values are essentially identical to the suggested screen-ing values for procedural error given in NUREG/CR-2815 (0.001 for procedural error with recovery potential, common for control room actions, and 0.01 for procedural error without recovery potential, common for actions outside the control room). Thus, these values appear reasonable, and our review indi-cates that these errors have very little effect on the results.
The one notable exception to this general conclusion is for ATWS with PCS unavailable. ,As noted in the previous section, the cognitive' error modeling 'forthisshenarioisreasonable. However, despite the fact that the required actions to reduce water level are complex, no consideration was given to procedural error. The only procedural error considered was failure to properly initiate SLCS (0.013) which is the simple part of the procedure, i The ATWS rule gives a HEP value of 0.1 in this situation for failing to reduce power properly while maintaining RPV water level above the top of active fuel.
Thus, we believe that this procedural error could be a measurable contributor to ATWS core melt, and its exclusion in the ATWS
- analysis is unacceptable. In the absence of a detailed analysis, it is our opinion that a screening value of 0,13 should have been used for this error.
The significance of this conclusion is discussed in Section 3.3. .pa 2-46
l . .
3.0 RESULTS AND INSIGHTS INTO MAJOR CONTRIBUTORS TO THE CORE MELT FREQUENCY 6 In this section, a comparison between the results of the ISAP and IREP studies will be presented. This is done by performing a detailed comparison between the ISAP and IREP dominant accident sequences to find out the major differences between similar sequences and the significance of these differ-
..ences with respect to the overall core melt frequency associated with the operation of the plant. This comparison is presented in Section 3.1. The results of this analysis are used in Section 3.2 to provide overall insights into the major contributors to the ISAP core melt frequency. Section 3.3 e focuses on a few areas where changes to the current system configurations or procedures could conceivably result in major impacts on the plant's dominant accident sequences and overall core melt frequency.
3.1 Comparison Between ISAP and IREP Dominant Accident Secuences To better understand the major contributors to the core melt frequency at the system level, a detailed analysis of the most dominant ISAP core melt sequences was performed. This was done examining the ISAP study dominant core melt sequences and comparing them with the corresponding IREP study dominant core melt sequences. The analysis was performed by comparing the
. sequence of events, the effect of methodologies on identifying the sequence of events, and the core melt frequency. With respect to core melt fre-quency, the ISAP study calculations used mean component failure data whereas the IREP study calculations used median values. To compare the sequence frequencies in the two studies, a simple conversion factor was used to convert the IREP study results to mean values based on the following argu-ment. Most of the generic component failure probabilities have been
- developed by assuming that the components have a log-normal failure rate distribution. These data in most cases have an error factor of either 3 or
- 10. For components with an error factor of 3, the mean value is 1.25 times the median value. For components with an error factor of 10, the mean value is 2.66 times the median value. Since the components centributing to failure of different systems are a combination of those with an error factor 3 and 10, a multiplier of 2 was used to convert the median IREP study core melt frequencies to maan values. Note that the objective of comparing similar ISAP study and IREP study core melt frequencies is to identify those sequences that have large (order of magnitude) differences and focus on the 3-1
~ . _ - . - . . , , - , , _ _ . , - . - - - - , . _ . - - - ,- , . - . _ , . , , , _ , , - , , , . - . . - _ , - , . - . . .,
l
\
basic reasons for these kinds of difference. With the level of uncertainty associated with most component failure data,. much finer comparison does not l provide any meaningful insights. With this fact in mind, Table 3.I presents l the dominant accident sequences found in the ISAP study along with the corresponding IREP study dominant accident sequences. The sequences are grouped by their common initiator where the ISAP study sequence numbers in
.the first column correspond to the sequence numbers identified in Table 5.3-5 of the Millstone Unit 1 Probabilistic Safety Study (2). A brief analysis of each sequence follows. j i
For sequence number 2, the ISAP and IREP sequences are fairly similar.
The frequency of the ISAP sequences is lower than IREP sequences principally i due to reductions in the failure probabilities of several components, namely, the diesel generator, gas turbine, and AC breakers previously shown in Table 2.I0. In addition, modification to LNP logic circuits to eliminate ,
single relay failures, and to IC makeup to remove AC dependency from the makeup admission / control valve, also helped to reduce the sequence fre-quency.
The same comments are applicable to sequence number 3 except that the LNP logic modifications have no effect here. Also, changes in the emergency
, operating procedures have reduced the chance of operator error in failing to depressurize the Reactor Pressure Vessel (RPV) and use the available low pressure pumps.
In sequence number 8, the contribution to core melt frequency is simi-lar in both the ISAP and IREP studies. Competing differences have opposite effects. Reduction in failure rates of the gas turbine and switchgear breakers and a modification to the IC makeup admission valve power supply tend to reduce the frequency of the ISAP sequences. However, a change in the alternate Shutdown Cooling (SDC) system success criterion, which requires both trains of the Low Pressure Coolant Injection (LPCI) system and all four Emergency Service Water (ESW) pumps, increases the frequency of the ISAP sequence. The change in the success criterion of the alternate SDC system has substantially (by about two orders of magnitude) increased the probability of failure of this system and its contribution to the total core melt frequency. This is one of the areas that will be discussed in more detail in Section 3.3. l 3-2
o Table 3.1 Comparison Between ISAP and IREP Dominant Accident Setrsences ,
ISAP 5equences IREP 5equences Frequency Failure of Frequency Sequence * - Median Seq. # Initiator Support Systems Sequence Description (Mean) (Mean) 2 LNP Station AC Blackout o Correct cognitive decision (7.0E-5) T4LCEFG(9) R.0E-5 (9nly DC buses are to initiate IC and restore T4KCEFG(3) (1.6E-4) energized) normal power. f 4JCEFG(2) o S/R valves reclose. IC is initiated, IC makeup falls and AC power not restored before CM Initiates (i.e.,
within 90 minutes).
OR S/R valves reclose, IC Initiation and restoration fall , and AC power not re- .
Stored hefore CM Inittaes (i.e., within 45 minutes).
OR S/R valve sticlis open and AC power not restored before w CM Initiates (i.e., within 4 25 minutes). .
3 LMP None o Cognitive error in decision (3.7E-5) T4KCD(4) 1.3E-4 OR not to restore RPV level. T4LCn(5) (2 p.-4)
AC Bus 14E o S/R valves reclose and auto T4JCD(1)
IC Initiation or IC makeup failed.
OR S/R valve sticiis open, o Auto FWCI initiation failed.
Random failure for SSil.
Failure given (Q = 1) for SSf3. (No other auto system is available.)
8 LMP AC Bus 14E o Correct cognitive decision to (6.5E-5) T4KCMG(12) 2.9E-5 restore RPV level. T4tCMG(10) (5.8E-5) o S/R valves reclose and T4CMG(8) initiation and restoration of IC or IC makeup falls.
OR S/R valve stids open, o FW falls (given).
o Manual depressurization is successful.
O Table 3.1 Comparison Between ISAP and IREP Oominant' Accident Sequences (continued) 15AP 5equences INEP 5equences Frequency Fallure of Frequency Sequence
- Median l Seq. # Initiator Support Systems Sequence Description (Vean) (Mean)
S (cont'd) o Low pressure pumps inject.
o Of f-site AC power recovery falls.
- o 14E bus energlied by cross-connection to diesel-generator, o SDC falls. (Isote
- rW and circulating water pumps cannot be loaded on the diesel generator. Therefore, the main condenser is not credited.
-l Also, both trains of the alter- -
nate SDC cannot be powered by I
the diesel.)
15 LNP AC Bus 14E o Correct cognitive decision to (8.6E-6) TKCMG{l2) 4 2.9E-5 restore RPV level. T4LCMGt10) (5.RE-5) w o S/R valves reclose. T4JCMG(8) 8 Initiation and restoration of IC or IC makeup falls.
1 DR 5/R valve sticEs OPen.
o FW failed given (Q = 1.0) for
$583 o Manual depressurization is successful.
o Low pressure pumps talect, o Off-site AC recover) e.ils.
o Energizing AC bus 14E oy cross-connection falls. ,
o SDC falls. (Isote: The main condenser cannot be used un-less IW is operating. Also, both trains of the alternate SDC canact be powered by the i diesel generator.)
i ,
I T
E
_ y , ._.- - - r- -_
- }
i e
Table 3.1 Comparison Between ISAP and IREP Doninant Accident Sequences (continued)
- ISAP 5equences IREP 5equences frequency Failure of Frequency Sequence Median Seq. # Initiator Support Systems Sequence Description (Mean) 'Mean) 9 LMP AC Bus 14E Same as in sequence f8. except: (4.0E-5) None o Off. site AC power recovery succeeds, o Restoration of main condenser and IC makeup falls. (The latter is credited only in sequences where the S/R valves have reciosed.)
LNP Total (2.20E-4) 2.39E-4 (4.78E.4) 7 Small Break leone o Blowdown steam condensers (1.6E.4) LILR)CC < E.6 w LOCA in torus as vacuum breakers [ISB)CEG e
m remain closed, o fu continues to run and
, maintains RPV level for short time until it trips on low hotwell level, o Correct cognitive decision to switch to low pressure pumps, o Core spray pumps inject and operator correctly maintains i RPV level, o Containment cooling (i.e..
torus cooling) falls. (No other system is adequate to provide long-term decay heat removal following a small break.)
1 Loss of Mone o S/R valves reclose and au'o (7.6E.5) T3KD < E.6 feedwater IC initiation falls. T3JD OR S/R valve sticfs open.
o Cognitive error in decision not to restore RPV level.
(No other auto system is available.)
1 O
s Table 3.1 Comparison Between ISAP and IREP Dominant Accident Sequences (continued) ,
15AP 5equences IREP 5equences Frequency Failure of frequency Sequence Median Seq. f Initiator Support Systems Sequence Description (Mean) (Mean) 12 Loss of
~
makeup falls. T3JMG DR 5/R valve sti ds open.
' o Correct cognitive decision to restore RPV level.
o Restoration of IC or IC sukeup falls (credited only in sequences where S/R valves reclose).
o Restoration of FW falls, o Manual depressurization is successful.
o Low pressure pumps inject, o SDC ar.d alternate SDC fall.
(a loss of e Feedwater Total (9.7E.5) cE.6 C4 ,
4 Reactor None o FW falls to run post scram. 3.5E.5 Tg pKCD <E.6 Transients OR Random failure for 55fl. Tl2LCD
~
AC~Eus 14E Failure given (q = 1) for TI ,2JCD SSf3 o Cognitive error in decision not to restore RPV level.
o S/R valves reclose and auto IC inittacion or IC makeup falls.
OR S/R valve sti d s open.
11 Reactor None o FW falls to run post scram. (3.2F-5) Tt ,prtMG (<E.6)
Transients OR Random failure for SSfl. TI 2LCMG
~
AC Nus 14E failure given (Q = 1) for TI,2JCPG 55f3 o Correct cognitive dectston to.
recover RPV level.
o FW restoration falls.
. I 1
Table 3.1 Comparison Between ISAP and IREP Dominant Accident Sequences (continued) - .
ISAP Sequences IREP 5equences Frequency Frequency Sequence Median Fallure of Support Systems Sequence Description (Mean) (Mean)
Seq. f Initiator fil (cont'd) Random failure for SSfl.
Failure given (q = 1) for SSf3.
o S/R valves reclose.
Initiation and restoration of IC and IC makeup falls.
OR S/R valve stliYs open.
o Manual depressurization is
.Jceessful, o tow pressure pumps inject, o AC Los 14E energlied by cross-connection (credited only for SSf 3 case).
o FV continues to operate post (4.5E-5) T2MMG 2.0E-6 16 Reactor None (4.0E-6)
Transients scram. T2HLMG(21) o The main condenser is isolated T2JMG as a heat sink due to MSIV
'e* closure post scras.
'4 o S/R valves reclose, initiatlun and restoration of IC or IC makeup falls.
OR S/R valve stl Es open, o Restoration of the main condenser falls, o SDC and alternate SDC fall.
o FW falls (given). 1.4E-5 < E-6 5 Reactor AC Bus 14E and TI.2KCEFG _
Transients 14F. Both fall to o Correct cognitive decision TI,2LCEFG fast transfer post to restore and stabilize RPV. TI,2JCEFG scras, i.e., station level.
AC blackout - only o S/R valves reclose and DC buses (both) initiation and restoration energized. of IC or it makeup falls.
OR S/R valve sticis open. (No other system is available.)
Reactor 2.0E-6 Transients Total 1.26E-4 (4.0E-6)
.t
o ct Table 3.1 Comparison Between ISAP and IR[p Dominant Accident Sequences (continued) ,
15AP 5equences sutr sequences Frequency Fallure of Frequency Sequence Median Support Systems Sequence Description Seq. f Initiator (Nean) (Nean)-
?
'- 6 Small-Saall Mone o Blowdown steam condenses 6.9E-6 (58)CD ~<F-6 Break LOCA in torus as vacuum breakers remain closed.
o FW continues to run post scram.
O Cognitive error in decision not to start condensate transfer pump (to replenish the hotwell) or use low pressure pumps, o FW eventually trips on low hotwell level (given).
- 14 Small-Small Mone o Blowdown steam condenses in 1.35E-S (58)CD <~ E-6 Break LOCA torus as vacuum breakers remain closed.
O FW continues to run post scram.
o Correct cognitive decision Y to start emergency condensate 03 pump.
o Emergency condensate pump starts and transfers inventory from the CST to the hotwell, o Operator falls to disregard the indicated level when the drywell temperature reaches the RPV saturation temperature and ther-lore prematurely terminates or throttles '
injection.
18 Small-Saall None o Blowdown steam condenses in 8.3E-6 (58)NG <E6 Break LOCA torus as vacuum breakers remain closed.
o TV continues to operate post scram, o Correct cognitive decision to start emergency condensate transfer pump.
o Emergency condensate transfer pump starts and transfers inventory from the CST to the hotwell.
4-Table 3.1 Comparison Between ISAP and IREP Dominant Accident Sequences (continued) ,
15AP Sequences IREP Sequences Frequency Failure of Frequency Sequence Median Seq. I initiator Support Systems 3equence Description (Mean) (Mean) 18 (cont'd) o Correct cognitive decision to disregard the indicated RPV level when the drywell heats up to RPV saturation temperature.
o Restoration of the main con.
denser falls, o SDC and alternate SDC fall.
Small.Small
( Break LOCA Total 2.87E.5 < E.6 10 Loss of Ser. None o Correct cognitive decision to 3.4E-S T3KMG <~ E-6 vice Water except restore RPV level. T3LMG System the 5WS o S/R valves reclose, initta- T3MG I#
up tion and restoration of IC or ,
IC makeup falls.
QR S/R valve sticks open.
o Manual depressurization is successful, o Low pressure pumps inject.
o Alternate SDC falls. (Note:
both fW ar.d SDC are unavail.
able due to loss of SW.)
17 Inadvertent None o FW continues to operate post 1.9E-5 TSHMG <~ E.6 Opening of a scram. TS"G Safety / Relief o MSIVs close post scrae due to Valve low pressure, isolating the main condenser as a heat sink, o Restoration of the main condenser falls, o Soc and alternate SDC fall.
1
i Table 3.1 Couparison Between ISAP and IREP Dominant Accident Sequences (continued) ;
13nr Sequences IREP 5equences frequency Fallure of Frequency Sequence 'kdlan Seq. # Initiator Support Systems Sequence Description (Mean) (Mean) 13 Large Break None o Blowdown steam condenses 1.6E-5 < E-6 (LLS)G LOCA ~
in torus as vacuum breakers remain closed, o ECCS signal is generated, o Core spray pumps start and inject automatically.
o Correct operator decision to disregard indicated high level when the drywell heats
.up to RPV Saturation condition, o Containment cooling (i.e..
torus cooling) fa115. (No other system is adequate to provide long-term decay heat removal following a large lereak.)
Y o o *Mumbers in parentheses indicate IREP sequence core melt ranking from IREP study.
i l
l ... . -
Sequence number 15 is very similar to sequence number 8, so the same comments apply.
For ISAP sequence number 9, there is no equivalent IREP sequence. This is due to the fact that the IREP study did not treat situations where an LNP followed by recovery of offsite power could result in core melt. The
. assumption was made in the IREP study that recovery of the offsite power would successfully terminate the sequence. Consideration of this scenario in conjunction with the increased failure rate of the alternate SDC system in the ISAP study have made this sequence dominant.
A Overall, the LNP sequences in the ISAP and IREP studies are fairly similar. When there are differences in the frequency of similar core melt sequences, they are principally due to either the luer plant-specific component failure probabilities for the diesel gewr-dor, gas turbine, and AC circuit breakers or higher unavailability for the alternate SDC system due to the revised success criterion for this system.
The next sequence in Table 3-1 is the Small Break LOCA, sequence number
- 7. This ISAP break size combines the IREP intermediate breaks with the upper end of the IREP small breaks. The contribution from this sequence is i ,
dominant in the ISAP study because of the change in the success criterion for containment cooling (alternate SDC system) which was mentioned previously.
The next two sequences are initiated by loss of the feedwater system.
In sequence number I, the IREP study treated recovery of feedwater and the use of manual depressurization with low pressure pumps as two distinct 1 operator actions. The ISAP study considered the cognitive-based error of l the operator failing to make the correct diagnosis of the need to restore RPV level. This linked the two actions to a single root cause, which 2 resulted in a higher combined failure probability in the ISAP study. This was somewhat counteracted by a decrease in initiating event frequency, but the combined effect was to make this sequence dominant.
It is important to note that inclusion of cognitive human error on the
, event trees is one of the major differences between the ISAP and IREP accident sequence development methodology. As mentioned above, this change 3-11
, _ .~ . - _ . ._ ___ ..___ _ _ _ __ _ __
has resulted in a larger combined human error probability with a significant effect on the dominant accident sequences ano everall core melt frequency.
Another important point about this sequence is the need for manual depres-surization of the RPV before any low pressure pumps can be used. The automatic depressurization at Millstone Unit I requires coincident indica-tion of low-low RPV level, high drywell pressure, and a two minute persist-
'ance of the low-low water level. In addition, there must be an indication of at least one low pressure ECCS pump running. Thus, in all the non '0CA sequences where there would be no high drywell pressure, the automatic depressurization will not be initiated. This implies that if there is an operator cognitive error in restoring the RPV level, the whole low pressure injection system consisting of the LPCI and core spray pumps would be defeated. This brings up the possibility of addition of an automatic depressurization capability for non-LOCA sequences, which is another area discussed in more detail in Section 3.3.
The progression of events in sequence number 12, which is the second loss of feedwater sequence, is very similar in the ISAP and IREP studies.
The main difference in the sequence frequencies is due to the higher failure probability of the alternate SDC system, discussed earlier.
The next four sequences are reactor transient sequences. In sequence number 4, the progression of events in the ISAP and IREP sequences is similar. The major reason that the ISAP sequence is more dominant is the cognitive human error in failing to restore the RPV level which combines several human error failures that are considered separately in the IREP sequences. This was discussed previously for sequence number 1. The higher probability of failure assigned to this cognitive error is the prime contri-butor to its higher frequency in the ISAP study.
In sequence number 11, the ISAP and IREP accident sequences are similar. The main reason for higher core melt frequency in the ISAP study is the higher unavailability associated with the alternate SDC system discussed before.
Sequence number I6 is affected by a number of competing differences.
First, the initiating event frequency of the transient is lower in the ISAP study. Also, the IREP study did not give credit for recovering the main 3-12
condenser due to limitations in the MSIV equalizing lines which prevented e equalizing differential pressure on the valve disks within a reasonable time. A modification to enlarge those lines has been accomplished, allowing
~ the ISAP study to take this credit. These differences tend to reduce the contribution of these sequences. However, this is more than counteracted by
.the increase in alternate SDC system failure rate due to the change in the success criterion, which increases the overall contribution of the sequence.
The last transient sequence is sequence number 5. The main difference between the two studies is that the IREP study did not treat the possibility of station blackout for sequences not initiated by loss of normal power, assuming instead that the contribution was not significant. Consideration of this possibility in the ISAP study caused this sequence to become dominant.
The next three sequences are small-small break LOCAs. This initiator in the ISAP study represents an approximate break size resulting in at least 2.5 gpm leakage up to an approximate break diameter of 1.35 inches. This break size represents the lower end of the IREP small break, which includes break diameters of up to approximately 5.24 inches. The frequency of occur-rence of the small-small break LOCA in the ISAP study is an order of magni-tude larger than the small break frequency in the IREP study. Breaks in the lower end of this range require manual initiation of depressurization because high drywell pressure does not occur. In addition, the IREP study assumption that the condensate transfer pumps (CTP) would start automati-cally is not entirely correct. The high flow emergency CTP is required for these breaks, and must be started manually. In sequence number 6, both of these actions are coupled by a cognitive-based error (similar to sequence number 1). The high initiation frequency for this sequence along with the need for manual depressurization and start of condensate transfer pumps,
! which are coupled in one cognitive human error, have resulted in a high sequence frequency compared to that found in the IREP study.
i In sequence number 14, operator error of commission in misdiagnosing the plant conditions and taking an action to terminate a safety system prematurely was considered in the ISAP study. The IREP study did not ade-quately treat this type of error. Consideration of this type of human error 3-13
- .---- . . - . _ - . - - . - - - - - - _ _ . - - _ _ - _ . - - -. - - -- - l
4 along with a much higher initiator frequency resulted in a more dominant sequence compared to the IREP study sequences.
In sequence number 18, the ISAP study includes a failure to restore the
- main condenser. As previously mentioned, the IREP study concluded that restoration of the main condenser after isolation was not practical but
. credit was given for this action in the ISAP study due to a plant modifica-tion. This credit is compensated for by a higher initiating frequency and higher failure probability for the alternate SDC system, making this
- sequence more dominant than the IREP study sequence.
Overall, the higher initiating frequency, the combined cognitive error in performing depressurization and startup of condensate transfer pumps, the consideration of operator error of commission in misdiagnosing the plant condition, and the higher alternate SDC system failure probability result in ,
higher frequency small-small break LOCAs in the ISAP study compared with the IREP small break LOCA sequences.
3 In sequence number 10 the ISAP study gave credit for recovery of the
! Service Water System (SWS) only in the short term, including it in the ;
initiator frequency. This results in the complete unavailability of the SDC system for all LOSW sequences, and greatly increases this sequence's contribution compared to the IREP study. The IREP study gave substantial credit for long-term SWS recovery, allowing for the SDC system to be used.
Additionally, the ISAP success criteria for SWS following a trip are more restrictive than that used in the IREP study, resulting in an overall increase in the frequency of the loss of service water in the short term. I
- Combining this with an increased alternate SDC failure rate due to a change )
in its success criteria made this sequence dominant. I In sequence number 17, several competing effects result in the ISAP sequence being more dominant. The initiating event frequency in the ISAP study is significantly lower than the IREP study due to a plant modification and installation of more reliable safety / relief valves. This reduction in
- initiator frequency is opposed by two factors. First, in the ISAP study, it was assumed that the main condenser would be initially lost, whereas in the
- IREP study it was assumed it could continue to run post-scram. Second, there is a higher failure probability of alternate SDC system in the ISAP 3-14 l
i study. The combined effect of these factors is to make the ISAP sequence more dominant than the IREP sequence.
The last dominant accident sequence in Table 3.1 is sequence riumber 13, initiated by at large break LOCA. The sequence of events in the ISAP and i IREP studies is very similar in this case. The primary reason for a more Jominant ISAP sequence is the higher failure probability of the containment
- cooling (alternate SDC system).
In the next section a summary of the major contributors to the ISAP
- core melt frequency will be presented.
3.2 Insiahts into Ma.ior Contributors to the Core Melt Frecuency.
)
In tha last section, a detailed comparison between the ISAP and IREP studies dominant accident sequences was presented. This comparison provided some insights into changes, both systemic and procedural, that have taken place at Millstone Unit I since the original IREP study was performed, and the significance of these changes with respect to dominant accident sequences and the overall core melt frequency. Figure 3.1 shows the contri-bution of major classes of initiators to the total core melt frequency in
, both studies. The principal reasons for changes in the dominant contribu-tors were explained in the last section during the discussion of individual dominant sequences. To put the results in better perspective, a summary of I
these differences by the major classes of initiators identified in Figure 3.1 is presented here. More detail on these differences can be found in the appropriate sections in this report.
- 1. Loss of Normal Power (LNP); Overall decrease in the ISAP study vs 4 the IREP study core melt contribution.
Reasons for this decrease:
- a. Reductions in failure rate data of the diesel generator, gas j turbine generator, and switchgear breakers.
, b. Modification to LNP logic to eliminate single relay failures.
, 3-15 l
-. - - _ - - -. . - - _ - _ _ - - -l
9 4
100 i oo.. Milistono 1 PSS Millstone 1 IREP y BC--
i j 70--
i -e
=s y eO--
O
! 3 M C SD--
k l
'N i fg 40--
O se 30--
l 20--
i 10--
M I
O LNP THANS LOPCS LOF h'
LOSW SB h
SSB N.
PORV LOOHR SKOUT V'.
- Core Melt Contributor 1
Figure 3.1 Comparison Between Dominant ISAP and IREP Contributors to the Core Melt Frequency.
- d. Change to symptom-oriented procedures eliminated confusing procedure for initiating manual depressurization when required, reducing human error probability.
The only mitigative factor that limited the amount of decrease in the ISAP study core melt contribution was an increase in the failure proba-bility of the alternate SDC system due to changes in its success criterion.
- 2. Transients (TRANS); Overall increase in the ISAP study vs the IREP study core melt contribution.
Reasons for this increase:
- a. Cognitive error modeling and symptom-oriented procedures linked failure to restore FW and failure to depressurize to a single decision process, increasing overall probability of human error and recovery failure.
- b. Consideration of the possibility of loss of normal power following a non-LNP initiating event.
- c. Increase in failure rate of alternate SDC system due to change in success criteria.
Mitigative factors which limited amount of increase:
- a. Decrease in initiating event frequency,
- b. Modification to MSIV equalization lines allowing for recovery of main condenser for cooling.
3-17 l
l
. e i
- 3. Loss of Power Conversion System (LOPCS); Overall decrease in the ISAP study vs the IREP study core melt contribution.
Reasons for this decrease:
.. a. Reduction of initiating event frequency.
- b. Modification to MSIV equalization lines allows for recovery of main condenser for cooling.
The only mitigating factor that limited the amount of decrease in the ISAP study core melt contribution was the increase in the failure probability of the alternate SDC system due to changes in its success criteria,
- 4. Loss of Feedwater (LOF); Overall increase in the ISAP study vs the IREP study core melt contribution.
Reasons for this increase:
, a. Cognitive error linkage between recovery of FW and failure to depressurize.
- b. Increase in alternate SDC failure rate.
The only mitigative factor that limited the increase in the ISAP core melt contribution was the reduction in the initiator frequency.
- 5. Loss of Service Water System (LOSW); Overall increase in the ISAP study vs the IREP study core melt contribution.
Reasons for this increase:
- a. No long term recovery credit for service water system.
- b. Increase in alternate SDC system failure rate.
3-18
1
- c. Increase in frequency of short-term LOSW due to change in
< success criteria.
- 6. Small Break LOCA (SB); Overall increase in the ISAP study vs the IREP study core melt contribution.
The principal reason for the increase in the ISAP core melt contribution is the increase in failure probability of the alter-nate'SDC system.
- 7. Small-Small Break LOCA (SSB); Overall increase in the ISAP study vs the IREP study core melt contribution.
Reasons for this increase:
- a. Special consideration of breaks which do not actuate Automatic Pressure Relief (APR) because no high drywell pressure would be present, requiring operator action to ,
depressurize.
. b. Need for operator action to start hi5h-capacity emergency condensate transfer pumps to supply sufficient flow to the hotwell.
- c. Cognitive error modeling and symptom-oriented procedures link the above two actions to a single decision process.
- d. Consideration of cognitive error of commission in prematurely terminating injection due to misinterpretation of instrumentation.
l
- e. Increase in initiating event frequency.
The only mitigative factor that limits the amount of increase in the i
ISAP core melt contribution is the credit allowed for providing long-term cooling with the condenser or SDC system due to low break flow rate.
3-19 e . _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ - _ _ _ _ _ - - _ _
l
- 8. Inadvertent Opening of Power Operated Relief Valve (PORV); No major change between the two studies core melt contribution due to j several compensating effects.
Factors resulting in an increase in the ISAP study the core melt contribution: l
- a. Increase in alternate SDC system failure rate.
- b. Automatic loss of condenser due to low pressure (pressure cannot be kept up after trip). -
Factors resulting in a decrease in the ISAP study core melt con-tribution:
- a. Credit allowed for recovery of condenser due to equalization )
line modification.
l l l b. Initiating event frequency reduced due to modification to install more reliable valves.
In addition to the above classes of initiators, three groups of events are also compared in Figure 3.1. The first one is the group of events
, leading to core melt that include Loss of Decay Heat Removal (LODHR) func-tion. In this case, the ISAP dominant sequence frequencies have increased l substantially due to the increased failure probability of the alternate SDC system as a result of the change in its success criteria.
I The second group is the Station Blackout (BKOUT) sequences. In this case the ISAP dominant sequence frequency has decreased due to:
- 1. Reductions in failure rate data of diesel and gas turbine genera-tors and switchgear breakers.
- 2. Modifications to LNP logic to eliminate single relay failures.
3-20
The last group of events shown in Figure 3.1 is the Anticipated Tran-sients Without Scram (ATWS) sequences. The overall ISAP core melt contribu-tion in this case has decreased due to credit allowed for operator action to initiate the standby liquid control system (43 gpm) and to take other actions to mitigate the event. This decrease was limited by a significant
. increase in the RPS failure probability, based on a simple statistical analysis. This event was assumed to lead to core melt in the IREP study.
This assumption is one of the topics that will be discussed in more detail in the next section.
3.3 Discussion of Several Areas of Plant Vulnerabil'ity In this section, three areas with significant contributions to the core melt frequency are discussed in detail. These areas were chosen for more detailed discussion because they are areas where changes in the system configuration or procedures can result in substantial reductions in their contribution to the core melt frequency.
The first area is the reliability of the alternate SDC system. Refer-ring to Figure 3.1, it can be seen that sequences involving loss of the l, decay heat removal system contribute to about 65% of the ISAP study total core melt frequency. This contribution is substantially higher in the ISAP study than in the IREP study. As mentioned previously, this increase is primarily due to the higher failure probability associated with the alter-nate SDC system. The increase in the failure probability of the alternate SDC system is due to the change in its success criteria. .
In the IREP study, the success criterion for this system consists of successful operation of one LPCI pump and the associated containment cooling heat exchanger with one Emergency Service Water (ESW) pump removing heat from the heat exchanger. Based on thermal hydraulic calculations performed by the licensee for the PSS, the success criteria for the systems were changed in the ISAP study by requiring two LPCI containment cooling heat exchangers with one LPCI pump per heat exchanger and all four emergency service water pumps to remove the heat from the containment cooling heat exchangers. This change has dramatically increased the failure probability of this system.
3-21 l
To assess some alternatives in reducing the failure probability of this system, the detailed fault tree for this system, shown in Figure 3.2.24-2 of the Millstone Unit 1 PSS, was simplified and is shown in Figure 3.2. Based on the current configuration, the failure probability of this system with no support system failure is 0.148. Three scenarios for improvement in the reliability of this system were examined. In the first case, it was assumed
.that the LPCI/ containment cooling loops are made redundant. In the second case, it was assumed that the emergency service water loops are made redun-dant. In the third case, it was assumed that both of the above improve-ments were incorporated. Table 3.2 shows the results of these evaluations.
Incorporation of redundancy in the LPCI system alone resulted in the reduc-tion of the failure probability of the alternate SDC by a factor of about 1.7. The effect of making the ESW loop redundant is a reduction in the failure probability of the alternate SDC system by a factor of about 2.2.
If both of these changes are incorporated, the failure probability of this system can be reduced by a factor of about 40. As was mentioned earlier, 65% of the ISAP core melt frequency was due to failure of long-term decay heat removal. Assuming that both the LPCI and ESW loops are made redundant results in a reduction in the ISAP study core melt frequency from 8.07x10-4 to 2.95x10-4, a reduction of about a factor of 3.
. Using NRC's $1000/ man-rem guidelines, the following relationship can be used to suggest an approximate level of expenditure that would be justified for any type of corrective action that could lead to a reduction in core melt frequency:
E- CM
- MRR * $1000 *Y (3.1) man-rem where E= The expenditure that is justified for the specific correction CM - Change in core melt frequency as a result of the correction MRR = Man-rem release that could occur as a result of a core melt accident and containment failure at the plant under consideration
$1000 = $I000 per man-rem NRC guideline man-rem Y= Number of years left in the life of the plant 3-22
o TAILURE OF THE ALi[RnATE 50C ST51[M l
,' I I
l FAILURE OF i FAILumE Or 4 E5W SYSTEM 5 i
I sm I
I I I I I Com0tl CAUSE Com0N CAUSE I
IAllDRE OF FAILURE OF TAILURE OF TAILURE OF E5W 8 FAILURE Of (SW A LPCI 1 RAINS LPCI PUMPS LPCI PUMP 5 PUMP OR ltX PupF OR HI O O {
. O 2.5]E-4 O
3.50E-4 4.6?E-2 3.69E-2 i .I I W FAILURE OF IUue00M FAILURE OF LPCI IRAIN VALVE LPCI TRAIN
] m A B FAILURES I W O O 3.17E-2 3.17E-2 7
, I I WALVE FAILURES VALVE FAILURES IN IN .
' IRAIN A TRAIN 8 O O 2.07E-2 2.07E-2 Figure 3.2 Simplified Fault Tree for the Failure of Alternate SDC System i
I
4 Table 3.2 UNAVAILABILITY OF THE ALTERNATE SHUDTOWN COOLING SYSTEM ~
AS A FUNCTION OF DIFFERENT SYSTEM CONFIGURATIONS System Alternate Shutdown Cooling Configuration System Unavailability i 1. Present 0.148
- 2. LPCI/ Containment 0.085 Cooling Loops Redundant
- 3. Emergency Service Water (ESW) 0.066 Loops Redundant
i e
e 3-24
6 For Millstone Unit 1, the utility has estimated a 3x10 man-rem release I in the event of a core melt and containment failure. Also, 25 years was
,used as the number of years left in the life of the plant. Based on these values and a core-melt reduction of 5.12x10-4 as a result of changes to the alternate SDC system discussed above, approximately 38 million dollars of expenditure would be justified for these corrective actions.
The second area analyzed in more detail is the area involving those core melt sequences which require manual depressurization of the RPV.
Depressurization is required in those events where the feedwater system is either unavailable or incapable of providing sufficient water to the core and therefore low pressure systems are needed to keep the core covered.
Millstone Unit I has an Automatic Depressurization System (ADS) which is initiated when there is a coincident indication of reactor water low-low level for two minutes, high drywell pressure and indication that at least one low pressure pump is running. Because of the requirement of high dry-well pressure, automatic depressurization occurs only when a LOCA has occurred. In other cases, such as loss of feedwater or other types of transients and the lower range of small-small break LOCAs, depressurization does not occur automatically. In these sequences, if there is a cognitive operator error in not restoring the RPV level, the low pressure systems such as LPCI and core spray systems will be automatically defeated since the reactor pressure has to be below about 350 PSI before the pumps in these systems can inject into the core.
The ISAP study dominant accident sequences that include this type of cognitive human error, i.e., failure to depressurize the reactor manually, contribute to about 21Y. of the total core melt sequences. The most dominant sequence among these is the loss of feedwater transient that contributes about 9.5Y. of the total core melt frequency. If in these sequences there is the possibility of an automatic depressurization despite the cognitive operator error, the frequency of these core melt sequences will be reduced by the failure probability of the ADS.
The results of the analysis of the ADS in Millstone Unit 1 is given in Table 3.2.18 1 of the PSS. Based on this table, the failure probability of ADS with both DC buses available is 0.13. Currently the relay contacts in 3-25
this system are never tested. If a more frequent (such as monthly) test of these relay contacts is performed, the failure probability of this system can be reduced by about two orders of magnitude.
Based on the present system configuration and procedures, inclusion of an automatic depressurization system in the ISAP study sequences which involve human error to depressurize the RPV will result in about an order of magnitude reduction in their contribution to the total core melt frequencv The net effect of this is a reduction of about 18% in the total ISAP study core melt frequency. Using equation 3.1, an approximate expenditure of 11 million dollars would be justified for this correction.
There could be several negative aspects associated with addition of an automatic depressurization option to these sequences. The first one is the possibility of early depressurization before all efforts in restoration of the feedwater system are exhausted. Another very important negative aspect could be the possibility of automatic depressurization after isolation condenser 'has been initiated and is successfully removing heat from the core. Thus, it is crucial that these negative aspects of addition of an automatic depressurization system for non-LOCA sequences are considered very carefully before any decision on this issue is made.
The final subject considered is the Anticipated Transients Without
. Scram (ATWS). Other sections of this report noted various areas related to ATWS which were believed to be deficient or to contain erroneous assumptions or conclusions. These areas were numerous enough that it was not easy to determine what effect they would have on the overall quantification of ATWS 1 sequences. Therefore, it was necessary to requantify the ATWS event trees to get some idea as to what the core melt contribution from ATWS would be if these deficiencies were remedied.
One area could not be completely clarified. The ISAP study assumed that a 43 gpm SLCS was sufficient to mitigate an ATWS with condenser isola-tion (loss of PCS). While there is some reason to believe that this may be true, no plant-specific analysis was performed to verify this. The assump-tion was based on engineering judgment and extrapolation from analysis performed for other plants. The NRC's ATWS rule states that 43 gpm is not sufficient for this type of ATWS, based on a self-proclaimed conservative 1
3-26
analysis. How conservative the analysis is and how plant-specific features ,
at Millstone 1 might affect the analysis cannot be determined without a plant-specific analysis. Therefore, the ATWS trees have been requantified for two separate cases. Case 1 assumes that the 43 gpm SLCS is capable of mitigating an ATWS with condenser isolation, just as was done in the ISAP study. Case 2 assumes that the 43 gpm SLCS is not capable of mitigating an ATWS with condenser isolation, and thus all such ATWS events would lead directly to core melt. It should be noted that there is no question that the 43 gpm SLCS can mitigate an ATWS when the condenser is not isolated (PCS available) because of Millstone l's 100% bypass capability.
The requantification of ATds for Case 1 was performed with the following changes made from the ISAP study. These changes are discussed only briefly here, but generally reflect detailed comments made earlier in this report. The ATWS trees used for the requantification are shown on Figures 3.3 and 3.4.
The PSS failure probability for the RPS was judged to be too conservative for the design of the Millstone 1 RPS. The probability was changed from 5.4E-5 to IE-5, which was taken from the ATWS rule.
The procedural HEP for initiating SLCS and lowering power by controlling RPV level was raised from 0.013 to 0.13. This increased the failure probability of event Y1 from 0.031 to 0.16.
Even though it is assumed in this case that the 43 gpm SLCS is ,
capable of mitigating an ATWS with the main condenser isolated, it is apparent that it is probably not capable of keeping the torus temperature below 176 degrees. This is the point at which the low pressure safety injection pumps lose sufficient NPSH. Thus, no credit should be allowed for these pumps and the failure proba-bility of event E should be 1.0.
The PSS assumed that both the SDC system and torus cooling were required to prevent core molt. Torus cooling is not actually required for an extremely long time since initiation of SDC stops torus heatup. Therefore, the assumption that both are required is 3-27
l 1
i ATVS TBV's Op action Feedsater SLCS Op action Main Shutdoen Sequence Sequence j sith main maintain trips Rx maintain functions initiates condenser cooling Class Prob.
wJ a pressure and recirc level (emual) long-ters (manuoD i
available (auto) pusps (auto) cooling ATVS HI 070 Cl YI 071 H3 M1 I
j OK 4.5900E-5 4
s en-2 OK 1.6655E-6 i W t. M-t A
R2 2.2711E-7
'* *-2 R2 6.2949E-7
-f.m TE2 8.6750E-7 TE2- i5.1297E-7
- E"
T-2 6.5596E-7 I LM-3 i T-2 2.4133E-7 i
! Figure 3.3 ATWS Event Tree With Main Condenser AvailaF'.
i
)
i 1
I 1
1 m -. -, _
ATVS Rectre Feedeoter Op action SLCS (mon) Op action 2 SRVs Feedeoter LPCI or CS Shutdown Sequence Sequence withu.: pumps restor- baroninj. and op torus open restored injection cooling Class Prob.
main trip otton and level controls temp. (manual) (monuol) (! pump, conde.aer (cuto) control level control acmuel)
AT S V C5 072 Y1 073 1 C3 E M2 1.9661E-6 DMC
. TL2 1.1931E-6 DMG 0. 0 Y .
As5E-2 E TEI 0. 0 TEl 2.1793E-7 2
M -8 TE2 6.5675E-9 1*
TE2 4.9067E-7 AelE-1 TE2 7.1893E-7
- f. u -1 TE2 6.7142E-7 125E-8 LIDE-2 TE2 5.3751E-9 a_.ImE-3 TE2 3.1500E-8 Fiqure 3.4a ATWS Event Tree With Main Condenser Unavailable
O f W l
ATVf Recirc Op oction Feedeoter SLCS (man) Op actiom 2 SRVs Feedeoter LPCI or CS Shutdown Sequence Sequence l sithout pumps restore FV restor- and op torus open restored injection cooling Close Prob.
j main trip inJ. baron ation controls temp. (manual) (manuol) (1 pump, wd,. ser (auto) ctrl level level control scmuol) i ATVS V 072 C5 Y1 073 I C3 E N2 l
i DMG 2.9998E-7
- "~'
TL2 1.9178E-7 DMG 0. 0
- "~'
)
5 o
- AE-2 TE1 0. 0 1.s TE1 3.5031E-9
- ~'
TE2 1.0557E-9 1"-' TE2 7.8871E-9
" ~' '
TE2 1.15'ME-7 1*' TE2 1.0792E-7 l
Au-7 Au-t TE2 1.2405E-7
""~'
- TE2 5.7600E-9
- u
)
Ficure 3.4b ATWS Event Tree With Main Condenser Unavailable (Loss of Feedwater)
)
l ATVS Rectre Feedeoter op action SLCS (mm) Op actiam 2 SRVs Feedeoter t.PCI or CS Shutdown Sequence Sequence without pumps baroninj. and op torus open restored injection cooling Class Prob.
soin trip m d level controls temp. (manual) (manual) (1 pump, wa,s- (auto) control level control manual)
.TVS V C5 072 Y1 073 I C3 E N2 DMG 3.0881E-7 TL2 1.9615E-7 DNG 0. 0
$ . e.eg-2 N -'
TE! 0. 0 TE1 3.5830E-8 TE2 1.0797E-9
- 2' TE2 8.0670E-8
- ~'
TE2 1.1820E-7
- # ~'
TE2 1.1039E-7
.a - : t.ex-1 TE2 1.6476E-7 TE2 6.120E-9 Figure 3.4c ATWS Event Tree With Main Condenser Unavailable (Loss of Normal Power)
overly conserv'tive. Event M2 success has been redefined as requiring only SDC, which reduces the failure probability from 0.49 to 0.39. It is worth noting that this change does not mean that torus cooling can be used in the Alternate SDC mode as a backup to SDC. The use of Alternate SDC (or any other torus recirculation system) is precluded during ATWS events because they would dilute the boron concentration and return the reactor to criticality.
For 'the loss of feedwater (LOF) ATWS, recovery was improperly applied directly to the initiator frequency. It should have been applied after the cognitive decision of the operator to respond to the ATWS event. The ATWS tree has been modified specifically for this case so that the cognitive decision (072) appears before the feedwater system event (CS). Event C5 has been redefined for this case as feedwater restoration. Credit for restoration of feed-water is applied only when the cognitive decision is successful.
The failure probabilities for these events are taken directly from the PSS.
The ATWS requantification is shown on Figures 3.3 and 3.4, with the
. values for each event and sequence presented on the trees. Figure 3.3 is for non-iso?atic, (PCS available) transients. Figure 3.4 is for condenser
.isolaiion (W3 of PCS) transients (3.4a is loss of PCS alone, 3.4b is for loss of feedwater including a calculation for loss of service water and loss of TBSCCW, and 3.4c is for loss of normal pcwer).
The requantification of ATWS case 2 assumed that the 43 gpm SLCS could not mitigate an ATWS isolation transient. This calculation is very straightforward, since the assumption means that all ATWS with the main condenser isolation transients lead directly to core melt. Thus, the major contribution to core melt frequency is equal to the total frequency of all transients where the main condenser is unavailable times the RPS failure probability. This includes isolation transients in which the main condenser is initially available but subsequently is isolated (sequences 7 and 8 on Figure 3.3). The core-melt frequencies shown on the non-isolation tree (Figure 3.3) obviously remain unchanged.
3-32
r-The overall results of the requantification of ATWS for both cases are shown in Table 3.3. The results are presented in terms of the plant damage state. For both cases, the requantified values for total ATWS core melt are smaller than the ISAP study values by a factor of about 2 to 3. This is I l
because the overly conservative ISAP RPS failure probability more than compensates for the other areas which are generally non-conservative. An interesting result is that the two cases presented are only about 15% apart in total ATWS related core melt frequency. That is, taking credit for the
! 43 gom SLCS only reduces ATWS related core melt frequency by 15%. The only significant effect is at the plant damage state level, where the "no credit" case results in a much higher percentage of ATWS related early mel ts. The difference in the frequency total core melt (ATWS and non-ATWS) between l these two cases is negligible.
I:
l 1
l l
I I
l 3-33 L _ _ _ _ _ _ --_-_- - - _ _ _--_ ___ _ - - - - - - - - - _ - - - -
. . , l l
Table 3.3 REQJANTIFICATION OF MILLSTONE 1 ATWS EVENT TREES Plant Damage Frequency Per Year State Case 1 - Credit for Case 2 - No Credit 43 com SLCS for 43 com SLCS TE2 4.lE-6 8.4E-6 TEl 2.9E-7 ---
TL2 2.6E-6 9.0E-7 TOTAL 7.0E-6 9.3E-6 (Note: No credit for 43 gpm SLCS is for isolation transients only.
Credit is always allowed for non-isolation transients.)
l l
3-34 I
4.0 REVIEW OF THE MILLSTONE UNIT 1 ISAP TOPICS In this section the ISAP topics analyzed by the licensee using FRA techniques will be reviewed., As was mentioned previously, only a portion of all the ISAP topics for the Millstone Unit I are analyzed by the licensee using PRA techniques. This report is only concerned with the review of this portion of the topics.
The licensee used three methods for evaluating the impact of resolution of each topic on public risk. In Method A, the change in core-melt frequency and public risk (measured inman-rem) as a result of the resolution of a topic was evaluated. For those topics where direct quantification of change in core-melt frequercy or man-rem exposure was not possible. engineering judgment was used for ranking of the topic. This method is referred to as Method B. Finally, for those topics where the impact on public risk is non-radiological, Method C, consisting of calculation of public risk in terms of early and latent fatalities and conversion of these numbers to equivalent total person-rem exposure was used.
Following the calculation of the change in public risk (measured in man-rem) as a result of modification due to each topic, the importance of each topic was scored by the utility on a scale of -10 to +10. The scale used is linear with each unit corresponding to an expected exposure of 400 inan-rem. A zero score implies no change in public risk. A negative score implies an increase in public risk and a positive score implies a decrease in public risk. Thus, a decrease in public risk of 4000 man-rem or more as a result of a modification due to an ISAP topic is given the maximum scale of +10. Alternatively, an increase in public risk of 4000 man-rem or more that might occur as a result of a change due to an ISAP topic is given the maximum negative scale of -10.
In evaluating the public risk impacts of those ISAP topics which were analyzed using Method A, the licensee used a man-rem exposure relationship based on the Millstone Unit 1 PSS results. Since this relationship is important in prioritization of the topics, some comments on the validity of the assumptions used in this relationship will be provided in Section 4.1.
41
e In order to rank the importance of the topics reviewed in this report, a review of the different methods that are appropriate for this purpose was performed. The results of this review, along with a recommended scheme for ranking the importance of ISAP topics, are presented in Section 4.2. This is followed by the results of the review of individual topics.
4.1 Comments on the Utility's Method of Public Risk Ouantification Public safety impacts of individual ISAP topics were evaluated using either direct quantification based on the Millstone Unit 1 PSS results, engineering judgment, or quantification of equivalent radiological impacts.
Direct quantification of public risk impacts was performed using the following equation:
A R = TK APjxMj where AR = total change in public risk, man-rem T = remaining plant life (25 years)
K = 3x106 man-rem / core-mel t APj = change in frequency of plant damage state i Mj = a multiplier that depends on the performance of the contain-ment and consequence mitigating systems The constant K coupled with the multiplier Mj is a measure of the accident radiological release and public health impact. Mi values of either 0.5,1.0 or 1.5 were assumed depending principally on containment failure mode and timing.
The K value of 3x106 man-rem / core-meltwasbasedonconsideration and adjustment of information in the Sandia Siting Study (9) and the Millstone ;
Unit 3 PSS (10). However, the actual population exposure that would result from a core-melt at Millstone Unit 1 is highly uncertain and would depend j strongly on containment failure mode and timing. For example, man-rem values calculated in the Sandia Siting Study and reported in NUREG/CR-2723 (11) for hypothetical core-melt releases at Millstone 1 vary broadly as indicated below.
l 4-2 l l
l
Release Fractions Accident for I, Cs, Te Man-rem
- SST1 0.5 - 0.6 3x107 SST2 3x10 3x10-2 2x106 SST3 10 2x10-4 7x103 The release fractions assumed for SST1, 2 and 3 were based on WASH-1400 vintage source term methodology and therefore are likely to be somewhat conservative.
The limited containment analysis performed for Millstone Unit I as part of the IREP study concluded that the most likely core-melt releases corre-sponded to release categories BWR3 and BWR4 from WASH-1400. These categories had release fractions for I, Cs and Te of 0.1-0.3 for BWR3 and 8x10'4 - 5x10-3 for BWR4. Again, these are likely to be somewhat I conservative.
Based on the information above, and our awareness of the large '
uncertainties involved, we feel that a " representative" estimate of 3x106 l, man-rem / core melt is reasonable. However, given the extreme variability (orders of magnitude) due to aspects of containment performance, the assump- i tion of only a limited range of Mg values (all close to 1) seems unjustified. Either a broader and more representative range should be used, ,
or the factor should be dropped altogether. Developing a more l representative range would require that at least a limited containment analysis be performed. However, having that analysis would allow increased confidence in translating core-melt frequency changes into changes in public health risk.
4.2 REVIEW OF DIFFERENT METHODS FOR RANKING THE IMPORTANCE OF ISAP TOPICS One of the most attractive features of using Probabilistic Risk Assessment (PRA) techniques for the analysis of an issue is that this
- Total man-rem over all distances (not limited to 50 miles).
4-3
technique allows the analysts to generate numerical values for the importance of the issue. This numerical value could, for example, be the effect of resolution of the is' sue on the core-melt frequency or total population exposure or the overall risk (public health and economic) asso-ciated with the operation of the plant. This is an important advantage for using the PRA techniques despite the commonly known uncertainties associated with the numerical results. Currently there are a number of different j importance measures that are used in PRA analyses. The objective of this l
section is to present an overview of the major methods currently used for (
l ranking the importance of an issue and discuss the advantages and disadvan-tages of each method. This is followed by a recommended method that would be best suited for ranking of the ISAP topics.
4.2.1 Chance in Core Melt Frecuency I
A simple and relatively straightforward method for assessing the importance of an issue is to evaluate the effect of resolution of the issue on the core-melt frequency of the plant. The issues could be ranked in terms of either a numerical scale or any other scheme such as high, medium and low.
The change in core-melt frequency along with a high, medium or low ranking was used in the assessment of the importance of the issues that were analyzed as a part of the Systematic Evaluation Program (SEP). The follow-ing approximate guidelines were used for ranking of each individual issue.
If the change in core-melt frequency as a result of resolution of an issue was above approximately 10% of the plant's total core-melt frequency, the issue was ranked as high. If the change in core-melt frequency was between 1% and 10% of the plant's total core-melt frequency, the issue was ranked as medium. Those issues that their resolution resulted in less than 1% of the plant's total core-melt frequency were ranked as low in importance.
These guidelines on ranking of the issues were further supplemented by suggestion on how to treat issues falling into each category with respect to implementation of the recommended modifications.
The major advantages of using the change in core-melt frequency as a measure of importance of an issue include:
4-4 l
_ - - - - I
. 1. Calculation of change in core-melt frequency as a result of the resolution of an issue is relatively straightforward.
- 2. The level of uncertainty associated with core-melt frequency estimates is lower than those associated with more sophisticated measures of importance, such as public risk, that require esti-mates of accident source term and containment failure probability.
- 3. There is an inherent measure of economic protection (ple.nt invest-ment) along with public health and safety protection built into this measure. This point will be discussed in more detail in later sections.
The major disadvantage of this measure is that core-melt frequency does not necessarily correlate with public health risk. This is due to the fact that effects of containment as a fission product retention mechanism and consequence factors such as site population, meteorology or evacuation are not included in this measure. Lack of consideration of containment perform-ance would be very important in the case of nuclear power plants with substantial capability for scrubbing and retention. of fission products following a large scale core-melt accident. Also, characteristics of the specific site could have a large influence on the overall risk associated with a large scale core-melt accident.
4.2.2 Chance in Risk as Measured by the Total Population Exoosure (Man-Rem) i The second method for assessment of the importance of an issue is to I evaluate the effect of resolution of the issue on public risk, as measured for example by total population exposure (man-rem). To calculate the total l exposure received by the general population surrounding a nuclear power I plant as a result of a core-melt accident, a containment failure analysis, source term analysis, and site consequence analysis must be performed for the plant under consideration.
The obvious advantage of this method is that it includes the plant's containment and site characteristics. Thus, it represents a better measure of public risk. The disadvantage of this method is that additional effort in plant-specific containment and site consequence analysis is required 4-5 i
be fore the effect of resolution of each issue on the total population exposure can be calculated, s
One way to reduce this level of effort is to perform a simple containment and site consequence analysis using other studies on similar plants. For example, if there are existing containment failure analyses on similar plants with fairly similar containment designs, this information could be used to develop representative containment failure mode probabili-ties and source terms for the plant under study. This could be done by taking the release categories developed for the reference plant, adjusting these release categories based on any differences between the reference plant and the plant under study, and subjectively assigning each of the dominant accident sequences developed for the plant under study to the appropriate release categories. In this way a surrogate set of release category source terms and probabilities could be developed.
For the site consequence analysis, the results of Sandia National Laboratories Siting Study (9) or other similar studies, could be used. In Sandia's Siting Study, consequences associated with several hypothetical core-melt accidents at each nuclear power plant in the United States were evaluated. The source terms used for this study were based on a generic set I o
developed by the NRC and referred to as the Siting Source Terms (SSTs) (12).
For the consequence analyses, meteorological records from 29 National l Weather Service stations were used to represent site, meteorology for plants around the country. This was supplemented by the use of actual site wind rose data. Site-specific population data and a generic evaluation model were used in this study. The end result of the study was a substantial amount of information such as total population exposure (man-rem), early and latent fatalities and early and latent injuries for each SST and each plant site in the United States.
l Once surrogate release category source terms for the plant under study I are developed using detailed studies on similar plants, the results of the Siting Study could be used to crudely estimate the consequences of each core-melt sequence in terms of population exposure (man-rem) or early and latent injuries and fatalities.
l l
l l
4-6
- . _ _ . ~ . .-
As was mentioned earlier, the consequence analyses performed in the Siting Study were based on generic release categories SST 1 through 3.
Those results must be modified based on the surrogate source terms developed earlier. This could be done by first collapsing the surrogate release cate-gories so that they correspond at least roughly, to SST 1 through 3. Then scaling factors for each release category in relation to the SSTs could be found. Using these scaling factors, the results found by the Siting Study for the plant under consideration could be modified to estimate the conse-quences associated with each core-melt sequence.
It is important to note that although this method is very approximate, it could provide results that might not be substantially different than those found based on a more detailed plant-specific analysis. This is due to the large uncertainties associated with containment and consequence analyses.
4.2.3 Combination of Core Melt Freauency. Chance in Total Pooulation Exoosure and Backfit Costs So far we have discussed the advantages and disadvantages of using either change in core-melt frequency or public health risk (represented by
- the change in total population exposure) for resolving an outstanding issue.
In an attempt to combine the special features of change in core-melt fre-quency, change in total population exposure, and cost associated with any ,
proposed modifications, a ranking scheme has been proposed in NUREG-0993 which is reproduced as Figure 4.1 (13). The basic reasoning behind assign-ing a high, medium or low importance to an issue is as follows.
i The resolution of an issue is always ranked high 1.f one of the following exists:
l
- a. The expected benefit in terms of reduction in total population exposure over the life of the plant is 1000 man-rem or more. l l
- b. The change in core-melt frequency of the plant is 10-S/ reactor-year or more.
4-7 4
Legend:
D L M H H =HIGH priority H M = MEDIUM priority m L = LOW priority D = DROP -
i 3~,
3,000 _
- E P &
~
6 a
D L M M H 1 m .
- E i ha x
8 4
i,
?
- !mU
,m s.
100 E
j -
D L L M i
H 8
a E
W T 10 C
N E D D L M 8 H 8
2 W
10P 10' 10 10' Man-Rem / Reactor 5x10' 5x10' 5x10' 5x10' Man-Rom (Total, All Reactors) 1&* 10~7 10 4 10* Core-Melt /RY 5x10-7 5x10' 5x10 5 5x104 Core-Melt /Yr.
Change in Risk -
I l
- c. The benefit in terms of reduction in total population exposure j over the life of 111 affected reactors is greater than 50,000 man- i rem (this is based on 500 man-rem / reactor for 100 reactors). j
- d. The change in core-melt frequency of all affected plants is greater than 5x10-4 per year.
The resolution of an issue can be ranked as high even if c' ore-melt frequency and population exposure reductions are lower than the above thresholds if the cost associated with the modification is sufficiently low.
For example, as shown in Figure 4.1, if the cost of resolution of an issue is below 3000 man-rem /3106 (i.e., $333/ man-rem), then it would be ranked high if the change in core-melt frequency and population exposure were in the r.axt lower range.
The resolution of an issue is always ranked medium if it is 10 or more percent of the high criteria. The ranking would always be low if it is between one and 10 percent of the high criteria. Finally, an issue would be dropped if its resolution results in benefits that are less than .1% of the high criteria.
Obviously to use this ranking scheme or a similar ranking scheme, it is necessary to have core-melt, containment and consequence analysis results for the plant under study. In addition, an estimate of the cost of perform-ing the proposed modifications for resolution of each issue should be available.
4.2.4 Consideration of all of the Financial Consecuences of a Hvoothetical Accident In reviewing the different ranking schemes so far, the major benefits accounted for in resolving a safety issue have been the reduction in core-melt frequency or total population exposure.
In reality a large series of financial benefits are also associated with avoidance of an accident. Some of these fall into the categories of onsite and offsite costs. Offsite costs include costs associated with health effects (both in terms of lost life and injury), property damage, 4-9
interdiction of crops, decontamination costs, lost wages..and relocation expenses of evacuated population (11). Onsite costs consist of items such as capital costs due to loss of the plant, replacement power cost and plant cleanup costs. In general, onsite costs have been shown to dominate offsite costs for most core-melt accidents (11).
If these benefits are included in the cost-benefit analysis of an issue, then a much higher level of expenditure might be justified for reso-lution of an. issue compared to the situation where the criterion is only based on reduction of total man-rem exposure. This issue becomes much more important in those types of accidents such as Three Mile Island where the population exposure as a result of the accident is minimal but the onsite costs due to the total loss of the plant, lack of electrical generation income and cleanup costs are substantial. Thus, miner accidents with respect to public health and safety could have tremendous financial conse-quences, and therefore higher expenditures are warranted to avoid them than would be indicated by analyses simply addressing population exposure reduction.
In the next section a simple ranking scheme proposed for ranking of the ISAP topics will be discussed.
4.2.5 Procosed Method for Rankina of the ISAP Tooics The brief review of different ranking schemes has shown that each method has certain advantages and disadvantages. Thus, no single method would be completely satisfactory for all cases.
There are several considerations ~that must be kept in mind when choosing a method for ranking of the ISAP topics. The first is that the method should be simple, straightforward, and not require a substantial ,
amount of effort for ranking of each topic. The variables used for ranking of each topic should be a good measure of probability of occurrence of an accident and release of radioactive material outside the containment, i.e.,
a good measure of risk associated with the operation of the plant. Even though public health and safety are the primary objectives of the NRC regu-lations, the ranking method should in an indirect way sddress the substan-
' 4 M!t> and affsite financial costs associated with a major accident.
4-10
, -d With all these factors in mind, a two-step ranking scheme consisting of consideration of. change in core-melt frequency and total population exposure is proposed. The first step consists of evaluating the change in core-melt -
frequency as a result of the resolution of the topic. Change in core-melt frequency is proposed as the primary measure of importance of the issues for ;
several reasons. First, it provides a direct measure of the importance of any proposed hardware or procedural change as a result of resolution of an
, issue. The only exception would be a change that affects containment or accident mitigation performance. Also, change in core-melt frequency is i relatively straightforward and the level of confidence in the final numeri-cal results is higher than numerical results for risk measures that must include containment and consequence analyses. Finally, there is an inherent measure of financial risk associated with core-melt frequency. If the I
primary measure of importance were the population exposure, then in cases where there is core damage but minor or no relene of radioactivity, the importance of the issue would be unjustifiably ranked low.
Table 4.1 shows the proposed ranking based on change in core-melt frequency. As can be seen in this table, the numerical criteria used for ranking of the issues are fixed as opposed to criteria that are based on a percentage of core-melt frequency for the plant under study. This is more rational since it will not penalize those plants with low core-melt fre-quency and help those plants with high core-melt frequency.
The cutoff core-melt frequency of 5x10-5 per year for ranking an issue high was chosen based on consideration of the Commission's proposed safety '
goal core-melt frequency of 10-4 per year and our previous experience with the SEP Phase II which had shown that issues resulting in changes in core- I melt frequency of about 5x10-5 per year and higher are important contr!bu-E tors to the dominant core-melt sequences (14). The other cutoff points are l i
one and two orders of magnitude lower than the high cutoff rate.
1 The second step in this ranking process is to estimate the total popu-lation exposure as a result of resolution of the issue. The purpose of this second step is to upgrade the ranking that was done based on change in core-melt frequency so that low frequency events that could lead to large conse-quences are ranked higher than the ranking used based on the change in core-melt frequency alone. In addition, this second step allows ranking of 4-11 l
Table 4.1 Proposed Ranking Scheme Based on Change in Core-Melt Frequency i
Change in Core-Melt Frequency As a Result of the Resolution of An Issue (per year) Rank CM >5x10-5 High 5x10-6< CM <5x10-5 Medium 5x10-7< CM <5x10-6 Low .
CM <5x10-7 Drop Table 4.2 Proposed Supplemental Ranking Scheme Based on Change in Total Population Exposure Change in Total Population Exposure as a Result of the Resolution of an Issue (man-rem) Rank Total Exposure (E) > 5000 High 500 < E < 5000 Medium 50 < E < 500 Low E < 50 Drop 4-12 l 1
those issues that only affect containment performance and would not be ranked in step 1 above. Table 4.2 shows the proposed supplemental ranking scheme using change in total population exposure.
For example, based on the results of the Siti_ng Study, the total popu-lation exposure as a result of an SST2 release is in the order of 2x106man- '
rem (11). The SST2 corresponds to accidents involving loss of core cooling with containment emergency safety functions available. For this type of release category the 5,000 man-rem criteria approximately corresponds to the 5x10-5/ year core-melt frequency which is the lower end of high ranking based on change in core-melt frequency. The total population exposure for an SST1 release is on the order of 2x10 7man-rem (11). The SSTI corresponds to the most severe radioactive release following a core-melt accident. It involves failure of core cooling and containment emergency safety functions with severe breach of containment. For this type of release category the 5,000 man-rem criteria corresponds to the 5x10-6/ year which is the lower end of medium ranking based on change in core-melt frequency.
Thus, for' the case where the change in core-melt frequency is on the order of 5x10-6 and it involves a severe containment failure and radinactive release, the issue would be ranked medium using the change in cere-melt frequency criteria. But the total exposure criteria of Ta51e 4.2 will upgrade this ranking to high. This will ensure that low probability events with large consequences are ranked appropriately.
Finally, it should be emphasized that for most plants a simple containment and consequence analysis using existing information and surrogate source terms would be sufficient for developing the total population exposures for this ranking scheme. Thus, there should not be a need for a large effort in performing a sophisticated containment and consequence analysis.
4-13
4.3 Tooic 1.01: " Gas Turbine Generator Start Loaic Modifications" Tooic 1.24: "Emercency Power" 4.3.1 Backaround The NRC has a continuing concern over the reliability of emergency power sources. A number of internal studies as well as virtually all PRAs have indicated that loss of offsite power is a major contributor to core mel t. The Hillstone Unit 1 ISAP study found that 30% of the core melt frequency was due to this initiator, with over one third of that due to failure of the gas turbine generator. The purpose of this combined issue is to evaluate the possible improvement of gas turbine reliability by making modifications in two particular areas: by-passing nonessential protective trips during emergency operation and improving the gas turbine preventive maintenance program.
4.3.2 Utility Evaluation This issue was evaluated using Method A of the utility's prioritization procedure. For each of the areas mentioned above, a number of modifications
. were suggested. The effect of the modifications was evaluated by reviewing the operating history of the gas turbine, in particular the failures it has experienced, and determining if the implementation of the modifications would eliminate any future occurrences of previously observed failures. The failure probability of the gas turbine was then recalculated with the
" eliminated" failures removed from the data base. The new, lower gas tur-bine failure rate was then used to requantify the failure rate of the gas turbine AC power train. This resulted in lower split fractions for support states involving loss of this train. The event tree sequences were then requantified using the new split fractions.
The analysis was broken down into four parts, the implementation of which would have the following descriptions and effects. The first involved by-passing the only two nonessential start trips not already by-passed (gas <
turbine light-off speed and generator excitation speed). Two previous failures were attributed to these trips. The analysis stated that since the I trips would not be by-passed under normal conditions, they would not h totally eliminated. It was assumed that only one of the failures would be 4-14 J
eliminated by this modification. The second part involved by-passing the l only nonessential operating trip not already by-passed (high lube oil temperature). It l was subsequently determined that it was in actuality by- ;
passed, thus further analysis was not required.
The third part regarded ,
improvements in the preventive maintenance program not already in place. l Only improved governor maintenance was identified as having potential to '
eliminate failures, and three were identified. The fourth part proposes to by-pass five nonessential' generator trips (loss of excitation, opening of the exciter breaker, negative sequence, reverse power, and generator under-speed).
No failures due to these trips have occurred in the operating history of the unit, but for the purposes of the analysis it was assumed as a bounding value that one failure would be eliminated. Thus, the total number of trips eliminated was five.
This resulted in a reduction in core ,
melt frequency of about IE-5, essentially all of which was in plant damage states TE1 and TII. The sum total reduction in risk from all the suggested modifications was 375 man-rem over the life of the plant, or a prioritiza-tion score of I out of 10.
4.3.3 Review of the Utility Evaluation The analysis performed for this issue is straightforward and methodo-logically sound. That is, we concur with the elimination of past failures from the data base to account for a modification of the system / procedures and a recalculation of core melt frequencies based on the reduced number of failures. Thus, our review of this issue need only deal with two specific areas. First, are the suggested modifications reasonable and inclusive?
Second, was the determination of the number and t,ype of " eliminated" failures also reasonable? This was done by reviewing in detail the historical data on Millstone I gas turbine failures (15).
Treating the review by parts, as the analysis was performed, we have a few mostly minor comments. For the first part, there is no statistical basis for the argument which only eliminated one of the two failures. If the trips had been by-passed the failures would not have occurred during a real emergency demand, and thus both failures should have been eliminated.
We agree that there are no other failures which would be eliminated by by-passing these trips. The third part (the second part being moot) has properly identified three governor failures as being preventable with 4-15 t-
,_,_ _ ,___--------r
improved maintenance. Our review of the seven governor-related failures concurred with this finding. However, we identified two additional failure ~s
- which we feel could have been prevented by improved maintenance procedures.
These are (1) a failure due to oxidation on the wiper arm of a variable potentiometer, and (2) a failure caused by oil impregnating a speed signal cable which' resulted in a loss of speed signal. Better visual inspection and/or cleaning of these areas during maintenance could eliminate further occurrences of these failures. This increases the number of failures elimi-nated by this part of the issue to five. For the fourth part,- our review concurs with the analysis that no failures have occurred due to the trips to be by-passed. It is debatable whether the assumption of one additional failure eliminated is reasonable in light of the existence of actual fail-ures for the other parts of the analysis. The absence of failures due to these trips could be said to indicate that this part of the proposed modifi-cations has little benefit compared to the other parts. Thus, we lean towards n'ot crediting any further elimination of failures due to this part of the modifications. This leaves us with a total elimination of seven failures from modifications in the first and third parts of the analysis as opposed to the utility result of five failures from the first, third, and fourth parts. This would result in a total core melt reduction in plant damage states TEI and TIl of about 1.4E-5.
4.3.4 Conclusions t
, Our estimate of reduction in core melt frequency from the resolution of this topic is 1.4E-5/ year, 40% higher than the utility estimate. Further, we disagree in how this reduction is obtained. The modification to by-pass two nonessential start trips should remain an integral part of the total modification package, as should improvements in preventive maintenance of the governor. However, additional improvements to the preventive mainte- -
nance program to better inspect and clean key electrical and mechanical l components to detect insipient failures due to fluid leakage and corrosion /
oxidation should be added. Further, we disagree as to the need to include l the by-pass of nonessential generator trips.in the modification package since there ...a .: illstone I h cie shown ti.at significant erosion degradation 4-74
- - =. _ -.
< :s exists in some of this piping. The purpose of this utility initiated issue is to evaluate the effectiveness of replacing this piping in the near term with new, more erosion resistant piping and associated hardware.
4.18.2 Utility Evaluation Failure of this piping has the potential to result in two different initiating events. The first is a~ steam break outside containment (a form of interfacing systems LOCA). In order for this to occur, both'the MSIVs and the turbine stop valves would have to fail to isolate following the extraction steam pipe break. The utility concluded that this is not very likely'to occur and that this would have a negligible effect on risk. The second initiator is a loss of PCS (MSIV closure), which is what would occur if the above mentioned valves successfully isolated the RPV following the pipe break. If the piping is not replaced, it was assumed that the poten-tial for a break would increase the overall frequency of this initiator, which presently has an estimated frequency of 0.435/yr.
In order to estimate the amount of the increase, the utility calculated the rate of erosion in the extraction piping. It was determined that if the piping was not replaced in the next refueling cycle, but rather field repairs were performed on piping where leaks are observed, wall thicknesses in most unrepaired welds would approach 0% by the end of the cycle. It was assumed that one pipe failure would occur in each 24-month refueling cycle until the piping was replaced (which would occur within 10 years in any case). This raised the loss of PCS frequency by 0.5/ year over that time frame, to a total of 0.935/ year. The change in risk was calculated over that 10-year period by using Method A of the utility's prioritization procedure. The plant damage state frequencies were recalculated by substi-tuting t'he higher loss of PCS frequency in the computer model and generating new numbers. The results by plant damage state are shown in Table 4.7. The total core-melt frequency reduction is 2.3E-5. This equates to a risk reduction of 709 man-rem. The issue was therefore given a score of 1.75 out of 10.
4-75
, . - ,-- - , _ , , - . - > , . - - - - - - - - . - - - - - - .n . . - . , -- -e-- - ~~
Table 4.7 Impact of Not Replacing the Extraction Steam Piping at Millstone Unit 1 Base Case Without Extraction Steam (As-Is) Piping Replacement M.S.I.V. Closure Frequency l 0.435/Yr 0.935/Yr Plant Damage State Frequencies TE1 2.57x10-4 2.62x10-4 TE2 1.41x10-5 1.53x10-5 TIl 2.26x10-4 2.30x10-4 TL2 8.25x10-5 9.49x10-5 1
i 4-76 i
l a <>
L 4.18.3 Review of the Utility Evaluation The evaluation of this issue appears reasonable. The conclusio.n that the likelihood of a failuie of both the MSIVs and the turbine stop valves is very small is supported by the Millstone 1 IREP study. That study came to a similar conclusion when considering the potential for unisolated steam breaks outside the containment. Thus, we agree that the total benefit of replacing the extraction steam piping is in preventing an increase in the frequency of loss of PCS transients.
The analysis performed is very straightforward once the frequency of extraction steain pipe break is determined. Thus, we feel that the only ques-tion at issue is the determination of that frequency. If indeed the welds are in as bad shape as is presented by the utility, and we have no reason to believe that they are not, then the astumption that a pipe break will
- occur during the next refueling cycle is clearly reasonable. It is even
! conceivable that a larger number of breaks may occur if none of them is 4 massive, that is, if they cause a trip but do not cause substantial damage which might force the utility into some immediate replacements. On the other hand, a massive break in the next cycle might result in action to immediately replace all the piping, thus reducing the 10-year (5-cycle) exposure time used in the calculation. All in all, we feel the number used by the utility is reasonable for a prioritization analysis. However, it is
! important to note that the results are directly proportionate to the exposure time and the number of breaks per cycle. For example, the benefit of replacing the piping now versus ten years from now might be about 700 man-rem, but the benefit of replacing them now versus waiting one extra refueling cycle (two years) is only one-fifth of that. Similarly, if it is likely that the degradation is so bad that field maintenance cannot prevent two breaks from occurring during each cycle, the benefit would be twice that value.
4 4.18.4 Conclusions l The reduction in large-scale core-mel't frequency as a result of resolution of this topic is about 2E-5/ year. According to the ranking j scheme used in this report, the priority of this issue is medium.
t 1
4-77
- .._ . .-_ -= _ -
, , [A 4.19 Tonic 2.30: "MSIV Closure Test Freauency" 4.19.1 Backaround Once per month, the utility is required to test the operation of MSIV limit switches by closing each of the MSIVs 10% and verifying that the limit switch contacts close. These limit switches are part of the reactor protec-tion system and provide an anticipatory trip of the reactor if the MSIVs close prior to the occurrence of conditions which will cause the trip on high flux or high pressure. The utility has become concerned that these tests might be increasing risk b) increasing the frequency of loss of PCS initiating events since on two occasions during this testing a valve has overtravelled, resulting in a steam line isolation signal and closure of all MSIVs. The purpose of this issue.is to determine if there is any benefit to reducing the test frequency to quarterly, and performing the test in conjunction with the 60% power full MSIV closure time test.
4 4.19.2 Utility Evaluation i The utility identified three potential effects of the reduced testing.
First, by not testing the limit switches as often, the failure probability of the switches could increase. This effect was rejected on the basis that the RPS had sufficient backup trip functions such that any increase i'n switch unreliability would have no significant effect on overall RPS relia-bility. Second, the failure probability of the MSIVs could increase. This was rejected on the basis that the 10% closure test did not utilize the same parts of the valve actuator that were used for MSIV fast closure (isolation) and that the valve was only partially closed, which'did not demonstrate its
. isolation function. Third, eliminating testing at 100% power would reduce
< the frequency of loss of PCS transients. The historical frequency of loss of PCS transients was recalculated excluding the two trips which occurred during testing, and it was determined that the reduced testing would yield a reduction in the loss of PCS transient frequency from 0.435/ year to 0.27/ year.
This issue was evaluated using Method A of the utility's prioritization i procedure. The analysis consisted of substituting the new frequency for the base case frequency and requantifying the models. This resulted in a 4-78
--,,-n - - - - - > - , - + - - -- -
, 3 reduction in total core-melt frequency of 8E-6/ year. About half of this was in plant damage states TEI and TIl while the other half of this was in damage state TL2. This corresponds to a risk reduction of 600 maa-rem over the life of the plant and a prioritization score of 1.5 out of 10.
4.19.3 Review of the Utility Evaluation Each of the three. potential effects of reduced testing and the utility resolution of them was considered in the review. That the reduced testing would not effect the reliability of the RPS was easily verified. First, the RPS unavailability at Millstone is completely dominated by mechanical failure, especially considering that the plant has an alternate rod insertion (ARI) system. Thus a slight change in the reliability of the electrical portion of the system would not be expected to affect the overall reliability. Further, a review of the detailed RPS analysis in the Millstone 1 IREP study (1) showed that, even without ARI, the total elimination of this trip function would not affect the reliability of the electrical portion of the RPS. Thus, the utility assumption that sufficient backup to this trip signal exists is borne out by the review.
The assumption that reduced testing of the valves will not reduce the reliability of the valves is somewhat more questionable. While we agree that many of the potential valve failure moles are not tested during the monthly test, it does demonstrate that the valve disk and stem are not binding. Thus, reduced testing could lead to increased occurrence of this failure mode. However, even if the overall failure rate of the valves was tripled (as the test interval would be) we doubt that there would be a significant increase in failures to isolate. This is because with two MSIVs
. in each line and the backup isolation provided by the turbine stop valves, the, isolation function is very reliable. Both the PSS and the Millstone 1 IREP study concluded that failure to isolate was a negligible contributor to risk, and it would take a vast increase in the failure probability to make it anything other than negligi* ale.
Finally, the recalculation of the loss of PCS frequency by eliminating the two events which occurred during the 10% closure testing is intuitively reasonable.
4-79
l We do, however, have a problem with the results. While we do not question the reduction noted in the plant damage states presented, we question the absence of plant damage state TE2, which results only from ATWS events. The reduction of loss of PCS frequency would be expected to reduce this damage state also, since these initiators are a significant contributor to risk from ATWS. In order to estimate this additional effect, the
. modified loss of PCS ATWS analysis presented in Section 3.3 was utilized. ;
i The loss of PCS ATWS tree was requantified by replacing the baseline initiating event frequency (0.435) with the new value (0.27). This resulted in a reduction in the frequency of damage state TE2 of 7E-7. The other damage states on this tree were not considered since they are dominated by non-ATWS events which are already included in the utility evaluation. i 1
4.19.4 Conclusion As can be seen from Table 4.7, the reduction in large-scale core-melt frequency as a result of resolution of this issue is about 9E-6/ year. Using the ranking scheme proposed, this topic would be ranked medium.
J 4.20 Tooic 2.31: "LPCI Lube Oil Cooler Test Freauency" 4.20.1 Backaround One of the major conclusions to be found in the Millstone Unit 1,PSS performed by Northeast Utilities is that failure of the long-term cooling function was the major contributor (contributing approximately 64%), to the core-melt frequency. One reason is the high unavailability calculated for the LPCI system in the alternate shutdown cooling (SDC) mode. This issue '
was initiated by the utility in an attempt to improve the reliability of the ,
i m
alternate SDC system.
i Each of the two trains of the LPCI system contains two LPCI pumps. I The lube oil for the two pumps' motor bearings is cooled by drawing water from the discharge line of the LPCI pumps. This cooling water passes through a single solenoid valve, 1-LP-52A for Train A and I-LP-52-8 for Train B, before the coolicq line caparates and connects to both pumps.
Until recently the operability of the solenoid valves was inferred only by 4-80 l
4
. Table 4.8
. Change in Core-Melt Frequency.from the Elimination of Monthly MSIV Testing Change in Core-Plant Damage Melt Frequency State (PerYear)
TE1 and TIl - 4 E-6 TL2 - 4 E-6 TE2
- 7 E-7 TOTAL - 8.7 E-6 f.
4 e
4-81 l l
. ~ . _ m a -
,u .ax .-,-a a..:- ,a .
, +
1 tests performed during each refueling outage. (This is the situation modeled in the PSS.) The high failure probability of these solenoid valves, tested during refueling outages only, was a significant contributor to the alternate SDC system unavailability.
The utility's proposed modification is to verify the operation of the solenoid valves during the monthly LPCI pump tests. The reduced test interval would shorten the failure' detection time and reduce the failure probability for the solenoid valves.
4.20.2 Utility Evaluation To evaluate this issue the utility first calculated the change in 1 the failure probability of the solenoid valves due to the increased, monthly, testing. The valve failure probability used in the PSS is 2.75E-2 per demand. This is based on WASH-1400 data and a 22-month test interval.
This failure probability was reduced to 1.25E-3 to take credit for the increased testing.
J Using this lower solenoid valve failure probability the utility recalculated the unavailability of the alternate SDC system. (The effect on l the LPCI system was not calculated, because the utility felt the effect would be small .) The reduction of the failure probability for these two
' solenoid valves reduces the system anavailability for support state 1, from 0.148 to 9.55E-2. The reduction in the system unavailability is this large because failure of either solenoid valve results in a system failure.
The reduced system unavailability was used in a recalculation of the core-melt frequency. The core melt frequency was reduced from
. 8.07-E4/yr to 6.86E-4/yr, a reduction of 1.21E-4/yr. Approximately 80% of this reduction occurs in plant damage states SIl and TIl (both intermediate core melts) and the remainder occurs in AL2, SL2, and TL2 (late core melts).
The calculated public risk benefit is 5500 man-rem.
4-82
h i
l l
4.20.3 Review of the Utility Evaluation l
A review of the dominant sequences in the Millstone 1 PSS indicates that there are nine dominant accident sequences whose frequency would be affected by th'e resolution of this issue. (The valve failure probability reduction and the reduction in the system unavailability are both appropriately modeled.) These nine sequences contribute 3.8E-4/yr to the Millstone 1 PSS core-melt frequency. If the alternate SDC system failure probability is reduced from .148 to .0955 in these sequences, the core-melt frequency is reduced by 1.2E-4/yr as shown in Table 4.9. This is in agreement with the utility results. However, the utility estimate of the reduction in public risk appears to be low. Using the utility's conse-quence model we have calculated a benefit of approximately 6500 man-rem from the core-melt frequene,y reduction of the dominant sequences. These results are also presented in Table 4.9.
4.20.4 Conclusions The utility assessment of the benefit, in terms of reduced core-melt frequency, that the increased test frequency of the LPCI lube oil cooler solenoid valves provides is reasonable. Howev'er, using the utility's consequence model SAIC has calculated a public risk benefit nearly 20%
greater than that calculated by the utility.
Despite the slight differences in the utility and SAIC evaluations of this issue, it is apparent that the increased testing of the LPCI lube oil cooler solenoid valves significantly reduces the core-melt frequency and public risk of Millstone Unit 1. Based on the proposed ranking scheme, this t
issue would be ranked as being of high safety significance.
It should be noted that this issue addresses only part of a much larger issue, the reliability of the Millstone 1 long-term cooling systems. The resolution of the lube oil cooler test frequency issue does impact the potential benefits that could result from the resolution of ISAP issue 2.28 "Long Term Cooling Study." However, this issue (Issue 2.31) does not address all of the problems that need to be addressed in the long term cooling study, since failure of the long-term cooling function is still a dominant contributor to the plant core-melt. frequency.
4-83
Table 4.9 Change in Core-Melt Frequency as a Result of Increase in Lube Oil Test Frequency PSS Plant PSS Modified ACore Melt Public APublic Sequence Damage Frequency Frequency Frequency Health Risk
- State (/yr) (/yr) (/yr) Multiplier person-rem 7 SIl 1.6E-4 1.0E-4 5.7E-5 .5 2100 9 TIl 4.0E-5 2.6E-5 1.4E-5 .5 520 10 TIl 3.4E-5 2.2E-5 1.2E-5 .5 450 11 TIl 3.2E-5(l) 3.0E-5 2E-6 .5 75 12 TIl 2.1E-5 1.4E-5 7.4E-6 .5 280 13 All 1.6E-5 1.0E-5 5.6E-6 .5 210 16 TL2 4.5E-5 2.9E-5 1.6E-5 1.5 1800 17 TL2 1.9E-5 1.2E-5 6.7E-6 1.5 750
, 18 SL2 8.3E-6 5.4E-6 2.9E-6 1.5 330 Total 3.8E-4 2.5E-4 1.2E-4 6500 (1)0nly 5E-6/yr of this number is affected by this issue. The remainder is the result of system failures in support state 3 where this modification yields no benefit for the alternate SDC system.
4-84
5.0 REFERENCES
- 1. Interim Reliability Evaluation Program: Analysis of the Millstone Unit 1 Nuclear Power Plant, NUREG/CR-3085, January 1983.
- 2. Millstone Unit 1 Probabilistic Safety Study, NUSCO 147, July 1985.
- 3. Reactor Safety Study "An Assessment of Accident Risks in U.S.
Commercial Nuclear Power Plants," WASH-1400 (NUREG-75/014), October 1975.
- 4. ATWS: A Reappraisal, Part 3: Frequency of Anticipated Trannsients, EPRI NP-2230, January 1982.
- 5. Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, October 1980.
- 6. Post Event Human Decision Errors: Operator Action Tree / Time Reli-ability Coorelation, NUREG/CR-3010, November 1982.
- 7. Systematic Human Action Reliability Procedure (SHARP), EPRI NP-3583, l . June 1984.
l
- 8. Probabilistic Safety Analysis Procedures Guide, NUREG/CR-2815, January 1984.
l
- 9. Aldrich, D.C. et al., " Technical Guidance for Siting Criteria Develop-ment",NUREG/CR-2239, SAND 81-1549,De6 ember 1982.
- 10. Millstone Unit 3 Probabilistic Safety Study, August 1983.
- 11. Strip, D.R., " Estimates of the Financial Consequences of Nuclear Power l
Reactor Accidents," NUREG/CR-2733, SAND 82-1110, September 1982.
12.* Blond, R . ,' et.al.,
"The.g.lopmentofSevereAccidentSourceTerms:
1957-1981," NUREG-6773, NoveNer 1982.-
5-1
3 .
/
r b.
P'
.,Y e
1 j r
M -
1
(
t _.
. ^ Km A
./
.s, W
Y,-
23
-7 q . pa-~ ,4 4 .
1, f
1 ' 4t
(
.h y-.
e , >
,a.
t 9
T.
P s.
=. e > . , y' 1
6
'i'
'3 s
m
,.- t i
}
4 n E
, _.'.; -' ,..1.. . , - p y xy
- 2 A- L .-p; ' '."t..+ L. ;,
,1 n%
. .4, ? ;.
. . _ . .. ?. ) ,. D-
, s. --.r .t . .y ,
7, s ..,g
.4 ,g,. :
- . - g.., .g.
. ,yf
$ - . 1 . Q,- ; y
., ,- 4.
- .. . ci, -
g .. ,, ,., ,< -e,c
< . .a. j; ..g,a', . W., j . ; , y ,
.a.
te y
, , V . ..m > a. s, .. ?, . ; . -
w >c + . . ,.
,,,.s.
,;- . L.. _. ,-
, i- . .. , - , -. , . - . .
... y . .,.s..,.,..
,..r. s
. s, . y. ,, ..- + . . . . , . . , - . .- ,, . .,..*
.' , , , ,'y .,.
a '..'
, . . ,4 ,,. . ., . '._.,3,
. , .4
-..r.) + ' + ' .
,4- 'C-' ,J .' i , , '#e 3 '-+ ' . *-- . ,' .. ', -
l-
,-,..~. ' - .- . . ' ,
er- p...vs. .. Q),, '. . -.I..- u J ' + n -
, *, p ' i.'+- .=.: x
(,
,ra , -_y ... 4 5
- - * *t'.+ , ,,b'4 ,,/,.; -g -
1, ,
$ ( ~; g.,i ' . , '
<r .,
,4 y. .a.y _, .;y -- 7 . y , .-;. . . , ,.;. ,4 ,,. g 7 ._ . , . .
- - - e . ,, , g- _ '
^
.._t_ .* ,.+ .-
,fh *', , g.3 , + *
.~ .. . .; -e t x .. . . * , y y7' . . .s.. 1 e] .
- . ..v.s- .u- :
-g..,...-. :. ,
-g* . / m ,4 f. . .
a . ,, . f .. .. , ., >, . , $.. .- ,
e .,j., '
.-.4 ..,? ,
,. , . ,3. t , .
-..-~.-..:. .y: .,,..en,.
,r , 2-
, t. ; , ., , .y . , s> - , , .4
.; . . ,, .. '1_f
... . ::h*e *:. . -;t -_ 3,, -%
.e a,$, -
": q _ n x; t
. sy ',. ,.s-' "
,3.._.. g. .a. ,
F* *
. . f. ?. .. k--
'- v f.- , ' _ ...,: . t.5'k ,s e
a
>i ,a. ,.
o ,- < .7..' -. 'g .
..g,,~. _ , -4. . ; < .
, 3. . . -
... , . g. ,
9, , 7 6p ,. 1 -*@., , .,
- y 7_ n..g
+.
_.,... pg y , , .. . ,y : 4,- .. *
.. w- .
t.. .
. l,, g .
- . L
- 13. Emrit, R. et al., "A Prioritization of Generic Safety Issues," NUREG-0933, December 1983.
- 14. " Safety Goals for Nuclear Power Plant Operation," NUREG-0880, May 1983.
- 15. Letter from W.G. Counsil to D.G. Eisenhut, "Haddam Neck Plant, Millstone Nuclear Power Station, Unit Nos. I and 2, Information Requested by Generic Letter 84-15," February 4, 1985.
- 16. Twisdale, L.A. and Dunn, W.L, "Probabilistic Analysis of Tornado Wind Risks," Journal of the Structural Division. ASCE, Vol. 109, No. 2, February 1983.
- 17. Letter from Harold Denton to Victor Stello, Jr., " Proposed Requirements Resulting from Resolution of USI A-46, Seismic Qualification of Equipnont' in Operating Plants," June 7,1985.
- 18. Letter from Dennis M. Crutchfield to W.G. Counsil, "SEP Safety Topics III-6, Seismic Design Considerations and III-11, Component Integrity -
Millstone Nuclear Power Station Unit 2," July 6, 1982.
. 19. Budnitz, R.J. et al., "An Approach to the Quantification of Seismic Margins," NUREG/CR-4334, August 1985.
- 20. " Severe Accident Sequences Analysis Program Anticipated Transients Without Scram Simulators for Browns Ferry Nuclear Plant Unit 1,"
NUREG/CR-4155, EGG-2379, February 1985.
5-2 .
- 13. Emrit, R. et al., "A Prioritization of Generic Safety Issues," NUREG-0933, December 1983.
- 14. " Safety Goals for Nuclear Power Plant Operation," NUREG-0880, May 1983.
- 15. Letter from W.G. Counsil to D.G. Eisenhut, "Haddam Neck Plant, Millstone Nuclear Power Station, Unit Nos. I and 2, Information Requested by Generic Letter 84-15," February 4, 1985.
- 16. Twisdale, L.A. and Dunn, W.L, "Probabilistic Analysis of Tornado Wind Risks," Journal of the Structural Division. ASCE, Vol. 109, No. 2, February 1983.
- 17. Letter from Harold Denton to Victor Stello, Jr., " Proposed Requirements Resulting from Resolution of USI A-46, Seismic Qualification of Equipment in Operating Plants," June 7, 1985.
b
- 18. Letter from Dennis M. Crutchfield to W.G. Counsil, "SEP Safety Topics III-6, Seismic Design Considerations and III-11, Component Integrity -
Millstone Nuclear Power Station Unit 2," July 6,1982.
. 19. Budnitz, R.J. et al., "An Approach to the Quantification of Seismic Margins," NUREG/CR-4334, August 1985.
- 20. " Severe Accident Sequences Analysis Program Anticipated Transients Without Scram Simulators for Browns Ferry Nuclear Plant Unit 1," ;
NUREG/CR-4155, EGG-2379, February 1985.
i
+
o 5-2