ML20149A898

The Use of PRA in RISK-INFORMED Applications.Draft Rept for Comment
ML20149A898
Person / Time
Issue date: 06/30/1997
From:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To:
References
NUREG-1602, NUREG-1602-DRFT, NUREG-1602-DRFT-FC, NUDOCS 9707140029

NUREG-1602

The Use of PRA in Risk-Informed Applications

Draft Report for Comment

U.S. Nuclear Regulatory Commission
Office of Nuclear Regulatory Research

AVAILABILITY NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 2120 L Street, NW., Lower Level, Washington, DC 20555-0001

2. The Superintendent of Documents, U.S. Government Printing Office, P. O. Box 37082, Washington, DC 20402-9328

3. The National Technical Information Service, Springfield, VA 22161-0002

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC bulletins, circulars, information notices, inspection and investigation notices; licensee event reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the Government Printing Office: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, international agreement reports, grantee reports, and NRC booklets and brochures. Also available are regulatory guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG-series reports and technical reports prepared by other Federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal articles, and transactions. Federal Register notices, Federal and State legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of Administration, Distribution and Mail Services Section, U.S. Nuclear Regulatory Commission, Washington DC 20555-0001.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, Two White Flint North, 11545 Rockville Pike, Rockville, MD 20852-2738, for use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018-3308.

NUREG-1602

The Use of PRA in Risk-Informed Applications

Draft Report for Comment

Manuscript Completed: June 1997
Date Published: June 1997

Division of Systems Technology
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

COMMENTS ON DRAFT REPORT

Any interested party may submit comments on this report for consideration by the NRC staff. Please specify the report number, draft NUREG-1602, in your comments, and send them by the due date published in the Federal Register notice to:

Chief, Rules Review and Directives Branch
Office of Administration
Mail Stop T6-D59
Washington, DC 20555-0001

ABSTRACT

In August 1995, the Nuclear Regulatory Commission issued a policy statement proposing improved regulatory decisionmaking "by increasing the use of PRA [probabilistic risk assessment/analysis] in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data." To support the implementation of the Commission's policy, regulatory guidance documents have been developed by the staff (as drafts for public comment) describing how PRA can be used in specific regulatory activities, many of which relate to licensee-proposed changes to their current licensing basis (CLB). In addition, a more general regulatory guide has been developed which describes an overall approach to using PRA in risk-informed regulation. One key aspect of this general guidance is the attributes of an acceptable PRA for such regulatory activities. Detailed discussion is provided for a full-scope PRA (i.e., a PRA that considers both internal and external events for all modes of operation). In addition, discussions are provided for the use and limitations of importance measures and sensitivity studies. Finally, the subject of peer review of a PRA is also discussed.

Draft, NUREG-1602

CONTENTS

ABSTRACT ... iii
EXECUTIVE SUMMARY ... xi
FOREWORD ... xv
ABBREVIATIONS ... xvii

1. INTRODUCTION ... 1-1
1.1 Background ... 1-1
1.2 Objectives ... 1
1.3 Scope ... 1-2
1.4 Role in Risk-Informed Regulation ... 1-3
1.5 Report Organization ... 1-4

2. INTERNAL EVENT LEVEL 1 PRA FOR FULL POWER OPERATIONS ... 2-1
2.1 Internal Events Analysis ... 2-1
2.1.1 Accident Sequence Initiating Event Analysis ... 2-2
2.1.1.1 Considerations for the Baseline PRA ... 2-2
2.1.1.2 Application Impact Considerations ... 2-6
2.1.1.3 Interface with Other Tasks ... 2-7
2.1.1.4 Documentation ... 2-7
2.1.2 Accident Sequence Analysis ... 2-7
2.1.2.1 Considerations for the Baseline PRA ... 2-8
2.1.2.2 Application Impact Considerations ... 2-13
2.1.2.3 Interfaces with Other Tasks ... 2-13
2.1.2.4 Documentation ... 2-13
2.1.3 Systems Analysis ... 2-14
2.1.3.1 Considerations for the Baseline PRA ... 2-14
2.1.3.2 Application Impact Considerations ... 2-18
2.1.3.3 Interfaces with Other Tasks ... 2-18
2.1.3.4 Documentation ... 2-19
2.1.4 Data Analysis ... 2-20
2.1.4.1 Considerations for the Baseline PRA ... 2-20
2.1.4.2 Application Impact Considerations ... 2-22
2.1.4.3 Interfaces with Other Tasks ... 2-22
2.1.4.4 Documentation ... 2-22
2.1.5 Human Reliability Analysis (HRA) ... 2-23
2.1.5.1 Considerations for the Baseline HRA ... 2-23
2.1.5.2 Application Impact Considerations ... 2-28
2.1.5.3 Interfaces with Other Tasks ... 2-29
2.1.5.4 Documentation ... 2-29
2.1.6 Accident Sequence Quantification ... 2-29
2.1.6.1 Considerations for the Baseline PRA ... 2-30
2.1.6.2 Application Impact Considerations ... 2-32
2.1.6.3 Interfaces with Other Tasks ... 2-32
2.1.6.4 Documentation ... 2-33
2.2 Internal Flooding Analysis ... 2-33
2.2.1 Considerations for the Baseline PRA ... 2-34
2.2.1.1 Identification and Screening of Flood Sources, Propagation Pathways, and Flood Scenarios ... 2-34
2.2.1.2 Flooding Model Development and Quantification ... 2-35
2.2.2 Application Impact Considerations ... 2-36
2.2.3 Interface with Other Tasks ... 2-36
2.2.4 Documentation ... 2-36
2.3 Internal Fire Analysis ... 2-37
2.3.1 Considerations for the Baseline PRA ... 2-39
2.3.1.1 Defining Fire Areas or Fire Zones ... 2-39
2.3.1.2 Equipment Identification and Mapping ... 2-40
2.3.1.3 Fire Source Identification and Quantification ... 2-40
2.3.1.4 Fire Growth and Spread Quantification ... 2-40
2.3.1.5 Fire Damage Analysis ... 2-41
2.3.1.6 Fire Detection and Suppression ... 2-41
2.3.1.7 Human Intervention and Plant Recovery ... 2-41
2.3.1.8 Fire Model Development and Quantification ... 2-42
2.3.2 Application Impact Considerations ... 2-45
2.3.3 Interface with Other Tasks ... 2-45
2.3.4 Documentation ... 2-46

3. INTERNAL EVENT LEVEL 2 PRA FOR FULL POWER OPERATIONS ... 3-1
3.1 Evaluation of Containment Performance ... 3-2
3.1.1 Assessment of Challenges to Containment Integrity ... 3-2
3.1.1.1 Defining the Accident Sequences to be Assessed ... 3-3
3.1.1.2 Assessment of Containment System Performance ... 3-5
3.1.1.3 Evaluation of Severe Accident Progression ... 3-6
3.1.2 Establishing Containment Performance Limits ... 3-14
3.1.2.1 Considerations for the Baseline PRA ... 3-15
3.1.2.2 Application Impact Considerations ... 3-16
3.1.2.3 Interfaces with Other Tasks ... 3-16
3.1.2.4 Documentation ... 3-16
3.1.3 Probabilistic Modeling of Containment Performance ... 3-17
3.1.3.1 Considerations for the Baseline PRA ... 3-17
3.1.3.2 Application Impact Considerations ... 3-19
3.1.3.3 Interfaces with Other Tasks ... 3-20
3.1.3.4 Documentation ... 3-20
3.2 Radionuclide Release Characterization ... 3-20
3.2.1 Definition of Radionuclide Source Terms ... 3-21
3.2.1.1 Considerations for the Baseline PRA ... 3-21
3.2.1.2 Application Impact Considerations ... 3-22
3.2.1.3 Interfaces with Other Tasks ... 3-22
3.2.1.4 Documentation ... 3-23
3.2.2 Coupling Source Term and Severe Accident Progression Analyses ... 3-23
3.2.2.1 Considerations for the Baseline PRA ... 3-23
3.2.2.2 Application Impact Considerations ... 3-25
3.2.2.3 Interfaces with Other Tasks ... 3-25
3.2.2.4 Documentation ... 3-25
3.2.3 Treatment of Source Term Uncertainties ... 3-25
3.2.3.1 Considerations for the Baseline PRA ... 3-26
3.2.3.2 Application Impact Considerations ... 3-26
3.2.3.3 Interfaces with Other Tasks ... 3-26
3.2.3.4 Documentation ... 3-27

4. INTERNAL EVENT LEVEL 3 PRA FOR FULL POWER OPERATIONS ... 4-1
4.1 Accident Consequence Analysis ... 4-1
4.1.1 Considerations for the Baseline PRA ... 4-2
4.1.2 Application Impact Considerations ... 4-2
4.1.3 Interfaces with Other Tasks ... 4-3
4.1.4 Documentation ... 4-3
4.2 Computation of Risk ... 4-3
4.2.1 Considerations for the Baseline PRA ... 4-3
4.2.2 Application Impact Considerations ... 4-3
4.2.3 Interfaces with Other Tasks ... 4-3
4.2.4 Documentation ... 4-4

5. EXTERNAL EVENT PRA FOR FULL POWER OPERATION ... 5-1
5.1 Level 1 Analysis ... 5-1
5.1.1 Seismic Analysis ... 5-1
5.1.1.1 Considerations for the Baseline PRA ... 5-1
5.1.1.2 Application Impact Considerations ... 5-4
5.1.1.3 Interfaces with Other Tasks ... 5-5
5.1.1.4 Documentation ... 5-5
5.1.2 Analysis of "Other" External Events ... 5-7
5.1.2.1 Considerations for the Baseline PRA ... 5-7
5.1.2.2 Application Impact Considerations ... 5-8
5.1.2.3 Interfaces with Other Tasks ... 5-8
5.1.2.4 Documentation ... 5-8
5.2 Level 2 Analysis ... 5-8
5.2.1 Seismic Analysis ... 5-9
5.2.2 Analysis of "Other" External Events ... 5-9
5.3 Level 3 Analysis ... 5-9
5.3.1 Seismic Analysis ... 5-9
5.3.2 Analysis of "Other" External Events ... 5-10

6. INTERNAL AND EXTERNAL EVENT PRA FOR LOW POWER AND SHUTDOWN OPERATIONS ... 6-1
6.1 Internal Events Level 1 Analysis ... 6-2
6.1.1 Plant Operational States ... 6-2
6.1.1.1 Consideration for the Baseline PRA ... 6-2
6.1.1.2 Application Impact Considerations ... 6-3
6.1.1.3 Interfaces with Other Tasks ... 6-3
6.1.1.4 Documentation ... 6-4
6.1.2 Accident Sequence Initiating Event Analysis ... 6-4
6.1.3 Accident Sequence Analysis ... 6-5
6.1.4 Systems Analysis ... 6-6
6.1.5 Data Analysis ... 6-6
6.1.6 Human Reliability Analysis (HRA) ... 6-7
6.1.7 Accident Sequence Quantification ... 6-7
6.2 Internal Flood Level 1 Analysis ... 6-7
6.2.1 Definition and Characterization of Plant Operational States ... 6-7
6.2.2 Initiating Event Analysis ... 6-7
6.2.3 Flood Propagation ... 6-8
6.2.4 Flood Model Development and Quantification ... 6-8
6.3 Internal Fire Level 1 Analysis ... 6-8
6.3.1 Definition and Characterization of Plant Operational States ... 6-9
6.3.2 Initiating Event Analysis ... 6-9
6.3.3 Identification of Critical Fire Locations ... 6-9
6.3.4 Fire Propagation and Suppression ... 6-9
6.3.5 Fire Model Development and Quantification ... 6-9
6.4 Seismic Level 1 Analysis ... 6-10
6.4.1 Definition and Characterization of Plant Operational States ... 6-10
6.4.2 Initiating Event Analysis ... 6-10
6.4.3 Identification of Structures, Systems, and Components (SSCs) ... 6-10
6.4.4 Hazard Analysis ... 6-10
6.4.5 Fragility Analysis ... 6-10
6.4.6 Model Development and Quantification ... 6-11
6.5 Level 1 Analysis of "Other" External Events ... 6-11
6.6 Level 2 Analysis ... 6-11
6.6.1 Considerations for the Baseline PRA ... 6-12
6.6.2 Application Impact Considerations ... 6-12
6.6.3 Interfaces with Other Tasks ... 6-13
6.6.4 Documentation ... 6-13
6.7 Level 3 Analysis ... 6-13

APPENDIX A. PRIORITIZATION OF SSCS AND HUMAN ACTIONS ... A-1
A.1 Introduction and Objective ... A-1
A.2 PRA-Based Importance Assessment ... A-2
A.2.1 Quantitative Importance Measures ... A-2
A.2.1.1 Definitions of Importance Measures ... A-2
A.2.1.2 Considerations in Calculating Importance Measures ... A-5
A.2.2 Qualitative Importance Measures ... A-7
A.2.3 Considerations for Ranking Using Importance Measures ... A-8
A.3 Safety-Based Prioritization ... A-11
A.4 Integration ... A-14

APPENDIX B. PRA PEER REVIEW ... B-1
B.1 Objectives of the Review ... B-1
B.2 Review Team Composition and Qualifications ... B-1
B.3 Review Process and Considerations ... B-2
B.4 Documentation of Findings ... B-6

EXECUTIVE SUMMARY

Introduction

In August 1995, the Nuclear Regulatory Commission (NRC) issued a policy statement proposing improved regulatory decisionmaking "by increasing the use of PRA [probabilistic risk assessment/analysis] in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data." To support the implementation of the Commission's policy, regulatory guidance documents are being developed by the staff (currently as drafts for public comment) describing how PRA can be used in specific regulatory activities, many of which relate to licensee-proposed changes to their current licensing basis (CLB). One key aspect of using PRA for such regulatory activities is what are the appropriate scope and attributes of the PRA. The main purpose of this report is to address the scope and attributes of a PRA that adequately represents the plant design and operation. It is recognized that the scope and attributes of a PRA may be different depending upon its intended use or on the issue being evaluated. Accordingly, this report is intended for use as reference or supporting information which PRA analysts can use to help in making decisions regarding the scope and attributes of a PRA appropriate for their analysis. Thus, this report can be used to help:

- Define the main attributes of each task of a PRA that is intended to support risk-informed regulatory decisionmaking,

- Identify task-by-task issues that should be considered when using a PRA to assess the impact of proposed CLB changes,

- Provide supporting information for peer reviewers judging the adequacy of a PRA intended to support risk-informed decisionmaking, and

- Identify attributes and limitations of importance analyses and qualitative ranking methods that are most appropriate for use in screening analyses and in categorization of structures, systems, and components (SSCs) and human activities according to their contribution to risk and safety.

In addition, this report may be a valuable step in the development of standards for PRAs. As discussed in OMB Circular No. A-119 (FRN, Vol. 58, No. 205, October 26, 1993), federal agencies have been directed to make greater use of consensus standards in their activities. As such, the staff will be interacting with technical societies and others to develop such consensus standards in parallel with the finalization of this report.

Scope and Limitations

A PRA of a nuclear power plant is an analytical process that quantifies the potential risk associated with the design, operation and maintenance of the plant to the health and safety of the public. Traditionally, a full-scope PRA is used to quantify the risk from accidents initiated in the plant (from internal initiating events such as pipe breaks and external initiating events such as earthquakes) and during both full power and low power/shutdown conditions.

The risk evaluation involves three sequential parts or "levels": identification and quantification of the sequences of events leading to core damage (Level 1 analysis); evaluation and quantification of the mechanisms, amounts, and probabilities of subsequent radioactive material releases from the containment (Level 2 analysis); and the evaluation and quantification of the resulting consequences to both the public and the environment (Level 3 analysis). A full-scope PRA, as defined here, does not include evaluation of accidents initiated by sabotage events or that result in releases from other radioactive material sources such as the spent fuel pool, routine, small releases of radioactive material, and does not include the risk to plant personnel from any accident.

The elements of a full-scope PRA, and the attributes for the analysis of each element, presented in this report reflect the following general considerations:

The design, construction, and operational practices of the plant being analyzed are expected to be consistent with its CLB.

The PRA being performed is expected to realistically reflect the design, construction, and operational practices. The Commission's policy statement on the expanded use of PRA indicates that "PRA evaluations in support of regulatory decisions should be as realistic as practicable." Consequently, the PRA used to support risk-informed decisionmaking is expected to reflect the impact of previous changes made to the CLB. In this context, it is presumed that the particular application of PRA for which these attributes apply is quantitative in nature, and that the change under consideration can be modeled in the PRA (by manipulation of basic event information or the event tree/fault tree logic model).

The discussions presented in the report are in terms of functional requirements. In general, prescriptive guidance is not provided, nor are characterizations of specific methods. In some circumstances, however, where an issue is both important to risk results and poorly understood, prescriptive solutions are stated to reduce potential PRA-to-PRA variability.

The described PRA attributes are meant to cover a wide range of risk-informed regulatory applications. Additional attributes for specific applications are described in the application-specific regulatory guides.

PRA models have been developed and are being used for real-time monitoring of plant operations (and resulting monitoring of risks). The attributes for such models may be quite different from those for models associated with regulatory applications, and are, therefore, not addressed in this report.

Role in Risk-Informed Regulation

This document discusses PRA attributes that support Draft Regulatory Guide DG-1061, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to Current Licensing Basis," and the Draft Standard Review Plan (Chapter 19), "Use of Probabilistic Risk Assessment in Plant-Specific, Risk-Informed Decisionmaking: General Guidance." This report also is referenced by related risk-informed regulatory guides and their corresponding standard review plan chapters. These include DG-1062 on inservice testing, DG-1063 on inservice inspection of piping, DG-1064 on graded quality assurance, and DG-1065 on technical specifications.

As mentioned above, the content of this report is meant to support a wide variety of risk-informed applications that may exceed those covered in the staff's PRA implementation plan. Each risk-informed application imposes different requirements on the supporting PRA scope and level of detail. This document is intended to be flexible to accommodate and benefit these applications. Some applications are complex and may necessitate a higher standard and high accuracy from a supporting PRA. Since these applications are the most demanding, they dictate the level of technical detail in this document. However, less demanding applications, such as those that need information only about PRA insights, or those that rely on quantitative results only in selected areas of the PRA, may use, as appropriate, simpler models as compared to those described in this document. The process for using risk information in regulatory decisionmaking starts with definition of the scope of the particular application under consideration. This information should be used to identify areas (tasks) in the supporting PRA that are influenced by the application and the type of support information needed. This information, in turn, can be used to define applicable portions of this report. Application-specific regulatory guides include further guidance in this area.

FOREWORD

During the last several years, both the U.S. Nuclear Regulatory Commission (NRC) and the nuclear industry have recognized that probabilistic risk assessment (PRA) has evolved to the point where it can be used increasingly as a tool in regulatory decisionmaking. In August 1995, the NRC adopted the following policy statement regarding the expanded NRC use of PRA.

The use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.

PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and importance measures) should be used in regulatory matters, where practical within the bounds of the state-of-the-art, to reduce unnecessary conservatism associated with current regulatory requirements, regulatory guides, license commitments, and staff practices. Where appropriate, PRA should be used to support the proposal of additional regulatory requirements in accordance with 10 CFR 50.109. Appropriate procedures for including PRA in the process for changing regulatory requirements should be developed and followed. It is, of course, understood that the intent of this policy is that existing rules and regulations will be complied with unless these rules and regulations are revised.

PRA evaluations in support of regulatory decisions should be as realistic as practicable and appropriate supporting data should be publicly available for review.

The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgements on the need for proposing and backfitting new generic requirements on nuclear power plant licensees.

In its approval of the policy statement, the Commission articulated its expectation that implementation of the policy statement will improve the regulatory process in three areas: foremost, through safety decisionmaking enhanced by the use of PRA insights; through more efficient use of agency resources; and through a reduction in unnecessary burden on licensees. In parallel with the publication of the policy statement, the staff developed an implementation plan to define and organize the PRA-related activities being undertaken. These activities cover a wide range of PRA applications and involve the use of a variety of PRA methods (with variety including both types of models used and the detail of modeling needed). This report focuses on defining the attributes of a PRA that will enable it to support a variety of applications described in the staff PRA implementation plan. These applications vary in complexity and hence the demand on the quality of the supporting PRA will also vary. While reading and reviewing this draft report, the reader should keep in mind that the level of detail and model complexity are influenced by the issue being analyzed.

This report is issued as a draft for comment. Specifically, comments on the following questions are requested:

- Have the main attributes of each task of a PRA intended to support risk-informed regulatory decisionmaking been defined?

- Have task-by-task issues that should be considered when using a PRA to assess the impact of proposed current licensing basis changes been defined?

- Has sufficient supporting information for peer reviewers judging the adequacy of a PRA intended to support risk-informed decisionmaking been provided?

- Have the attributes and limitations of importance analyses and qualitative ranking methods that are most appropriate for use in screening analyses and in categorization of structures, systems, and components (SSCs) and human activities according to their contribution to risk and safety been adequately discussed?

- Is this report a useful step towards development of consensus standards for PRA methods? What steps should be next taken?

All comments should be addressed in writing within 90 days to:

Chief, Rules Review and Directives Branch
Office of Administration
Mail Stop T6-D59
Washington, DC 20555-0001

This report will be issued in final form after it is revised on the basis of comments received.

M. Wayne Hodges, Director
Division of Systems Technology
Office of Nuclear Regulatory Research

ABBREVIATIONS

AC  Alternating Current
ADS  Automatic Depressurization System
AEOD  Office of Analysis and Evaluation of Operational Data
ALARA  As Low as Reasonably Achievable
ASME  American Society of Mechanical Engineers
ATWS  Anticipated Transient Without Scram
BM  Birnbaum Measure
BWR  Boiling Water Reactor
CCF  Common Cause Failure
CCFP  Conditional Containment Failure Probability
CCI  Core-Concrete Interactions
CDF  Core Damage Frequency
CLB  Current Licensing Basis
CRAC  Calculations of Reactor Accident Consequences
CRD  Control Rod Drive
DC  Direct Current
DCH  Direct Containment Heating
DDT  Deflagration to Detonation Transition
DOE  Department of Energy
ECCS  Emergency Core Cooling System
EOPs  Emergency Operating Procedures
EPRI  Electric Power Research Institute
FCI  Fuel Coolant Interaction
FIVE  Fire Induced Vulnerability Evaluation
FMEA  Failure Modes and Effects Analysis
FSAR  Final Safety Analysis Report
FV  Fussell-Vesely
GL  Generic Letter
HCLPF  High-Confidence-and-Low-Probability
HEP  Human Error Probability
HPCI  High-Pressure Coolant Injection
HRA  Human Reliability Analysis
HSSCs/LSSCs  High and Low Safety Significant Components
HVAC  Heating, Ventilation, and Air Conditioning
IPE  Individual Plant Examination
IPEEE  Individual Plant Examination of External Events
ISI  In-service Inspection
ISLOCA  Interfacing System Loss-of-Coolant Accident
IST  In-service Testing
kV  Kilovolt
LER  Licensee Event Report
LERF  Large Early Release Frequency
LLNL  Lawrence Livermore National Laboratory
LOCA  Loss-of-Coolant Accident
LOOP  Loss of Offsite Power
LP&S  Low Power and Shutdown
LPCI  Low-Pressure Coolant Injection
MAAP  Modular Accident Analysis Program
MACCS  MELCOR Accident Consequence Code System
MCR  Minimal Cutset Ranking
MOV  Motor-Operated Valve
MPR  Minimal Pathset Ranking
MTC  Moderator Temperature Coefficient
NPSH  Net Positive Suction Head
NRC  Nuclear Regulatory Commission
NSSS  Nuclear Steam Supply System
PCA  Probabilistic Consequence Assessment
PCS  Power Conversion System
PDS  Plant Damage State
POS  Plant Operational State
PRA  Probabilistic Risk Assessment / Analysis
PSF  Performance Shaping Factor
PWR  Pressurized Water Reactor
QA  Quality Assurance
QRR  Qualitative Risk Ranking
RAW  Risk Achievement Worth
RCIC  Reactor Core Isolation Cooling
RCP  Reactor Coolant Pump
RCS  Reactor Coolant System
RHR  Residual Heat Removal
RIR  Risk-Informed Regulation
RPS  Reactor Protection System
RPT  Recirculation Pump Trip
RPV  Reactor Pressure Vessel
RRW  Risk Reduction Worth
RWST  Refueling Water Storage Tank
SAR  Safety Analysis Report
SBO  Station Blackout
SERG  Steam Explosion Review Group
SG  Steam Generator
SGTR  Steam Generator Tube Rupture
SLC  Standby Liquid Control
SRV  Safety Relief Valve
SSCs  Structures, Systems, and Components
THERP  Technique for Human Error Rate Prediction
TS  Technical Specifications
U.S.  United States

1. INTRODUCTION

1.1 Background

During the last several years, both the U.S. Nuclear Regulatory Commission (NRC) and the nuclear industry have recognized that probabilistic risk assessment (PRA) has evolved to the point where it can be used increasingly as a tool in regulatory decisionmaking. In August 1995, the NRC adopted the following policy statement regarding the expanded NRC use of PRA.

The use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.

PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and importance measures) should be used in regulatory matters, where practical within the bounds of the state-of-the-art, to reduce unnecessary conservatism associated with current regulatory requirements, regulatory guides, license commitments, and staff practices. Where appropriate, PRA should be used to support the proposal of additional regulatory requirements in accordance with 10 CFR 50.109 (Ref. 1.1). Appropriate procedures for including PRA in the process for changing regulatory requirements should be developed and followed. It is, of course, understood that the intent of this policy is that existing rules and regulations will be complied with unless these rules and regulations are revised.

PRA evaluations in support of regulatory decisions should be as realistic as practicable and appropriate supporting data should be publicly available for review.

The Commission's safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgments on the need for proposing and backfitting new generic requirements on nuclear power plant licensees.

In its approval of the policy statement, the Commission articulated its expectation that implementation of the policy statement will improve the regulatory process in three areas: foremost, through safety decisionmaking enhanced by the use of PRA insights; through more efficient use of agency resources; and through a reduction in unnecessary burdens on licensees. In parallel with the publication of the policy statement, the staff developed an implementation plan to define and organize the PRA-related activities being undertaken. These activities cover a wide range of PRA applications and involve the use of a variety of PRA methods (with variety including both the types of models used and the detail of modeling needed). For example, one application involves the use of PRA in the assessment of operational events in reactors. The characteristics of these assessments dictate that relatively simple PRA models be used. In contrast, other applications may necessitate the use of detailed models.

This report focuses on defining the attributes of a PRA that enable it to support a variety of applications described in the staff PRA implementation plan. These applications vary in complexity, and hence the demand on the quality of the supporting PRA will also vary. While reading and reviewing this report, the reader should keep in mind that the described level of detail and model complexity are focused on those risk-informed applications that are most demanding as far as PRA quality is concerned. Allowance for less demanding risk-informed applications is acceptable provided it is properly justified. In addition, discussion is also provided to direct the PRA user to those attributes in each PRA task that may be impacted by risk-informed applications.

As discussed in OMB Circular No. A-119 (FRN, Vol. 58, No. 205, October 26, 1993), federal agencies have been directed to make greater use of consensus standards in their activities. This report may be a first step in the development of standards for PRAs. As such, the staff will be interacting with technical societies and others to develop such consensus standards in parallel with the finalization of this report.

1.2 Objectives

This report can be used to help:

1. Define the main attributes of each task of a state-of-the-art PRA that is intended to support risk-informed regulatory decisionmaking.

2. Identify task-by-task issues that should be considered when using a PRA to assess the impact of proposed current licensing basis (CLB) changes.

3. Provide supporting information for peer reviewers judging the adequacy of a PRA intended to support risk-informed decisionmaking.

4. Discuss attributes and the limitations of importance analyses and qualitative ranking methods that are most appropriate for use in screening analyses and in categorization of structures, systems, and components (SSCs) and human activities according to their contribution to risk and safety.

In addition, the staff regards the content of this report as a first step towards the development of consensus standards for PRAs.

1.3 Scope

A PRA of a nuclear power plant is an analytical process that quantifies the potential risk to the health and safety of the public associated with the design, operation, and maintenance of the plant. Traditionally, a full-scope PRA is used to quantify the risk from accidents initiated in the plant (from internal initiating events such as pipe breaks and external initiating events such as earthquakes) and during both full power and low power/shutdown conditions. The risk evaluation involves three sequential parts or "levels": identification and quantification of the sequences of events leading to core damage (Level 1 analysis); evaluation and quantification of the mechanisms, amounts, and probabilities of subsequent radioactive material releases from the containment (Level 2 analysis); and evaluation and quantification of the resulting consequences to both the public and the environment (Level 3 analysis). A full-scope PRA, as defined here, does not include evaluation of accidents initiated by sabotage, releases from other radioactive material sources such as the spent fuel pool, or routine small releases of radioactive material, and does not include the risk to plant personnel from any accident.


The elements of a full-scope PRA, and the attributes for the analysis of each element, are presented in the following sections. While reading and reviewing this report, the reader should keep in mind the following general considerations:

- The design, construction, and operational practices of the plant being analyzed are expected to be consistent with its CLB.

- The PRA being performed is expected to realistically reflect the design, construction, and operational practices. The Commission's policy statement indicates that "PRA evaluations in support of regulatory decisions should be as realistic as practicable." Consequently, the PRA used to support risk-informed decisionmaking is expected to reflect the impact of previous changes made to the CLB. In this context, it is presumed that the particular application of PRA for which these attributes apply is quantitative in nature, and that the change under consideration can be modeled in the PRA (by manipulation of basic event information or the event tree/fault tree logic model).

- This document is not a procedures guide for performing a PRA. Such procedures are available in numerous documents including NUREG/CR-2300, NUREG/CR-2815, NUREG/CR-2728, NUREG/CR-4550, Volume 1, NUREG/CR-4840, and NUREG/CR-5259 (Ref. 1.2). This document provides attributes (for each PRA task) against which a PRA study and its supporting documentation can be compared, then modified and/or supplemented as needed.

- The discussions described below are provided in terms of functional requirements. In general, prescriptive guidance is not provided, nor are characterizations of specific methods. In some circumstances, however, where an issue is both important to risk results and poorly understood, prescriptive solutions are purposely provided to reduce PRA-to-PRA variability.

- The described PRA attributes are meant to cover the most demanding risk-informed regulatory applications, although the principal focus for this draft version of the document has been uses of PRA in CLB changes. Additional attributes for specific applications are described in the application-specific regulatory guides.

- PRA models have been developed and are being used for real-time monitoring of plant operations (and resulting monitoring of risks). The attributes for such models may be quite different from those for models associated with regulatory applications, and are not addressed here.

1.4 Role in Risk-Informed Regulation

This document discusses PRA attributes that support Draft Regulatory Guide DG-1061, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to Current Licensing Basis," and the Draft Standard Review Plan (Chapter 19), "Use of Probabilistic Risk Assessment in Plant-Specific, Risk-Informed Decisionmaking: General Guidance." This report also is referenced by related risk-informed regulatory guides and their corresponding standard review plan chapters. These include DG-1062 on inservice testing, DG-1063 on inservice inspection of piping, DG-1064 on graded quality assurance, and DG-1065 on technical specifications (Ref. 1.3).

As mentioned above, the content in this report is meant to support a wide variety of risk-informed applications that may exceed those covered in the staff's PRA implementation plan. Each risk-informed application imposes different requirements on the supporting PRA scope and level of detail. This document is intended to be flexible to accommodate and benefit these applications. Some applications are complex and may necessitate a higher standard and high accuracy from a supporting PRA. Since these applications are the most demanding, they dictate the level of technical detail in this document. However, less demanding applications, such as those that need information only about PRA insights, or those that rely on quantitative results only in selected areas of the PRA, may use, as appropriate, simpler models as compared to those described in this document. The process for using risk information in regulatory decisionmaking starts with definition of the scope of the particular application under consideration. This information should be used to identify areas (tasks) in the supporting PRA that are influenced by the application, and the type of support information needed. This information, in turn, can be used to define applicable portions of this report. Application-specific regulatory guides include further guidance in this area.

1.5 Report Organization

Most PRAs performed for U.S. nuclear power plants have focused on accidents initiated by internal events (including internal floods and fires) during full power operations. As such, the attributes for a PRA applicable to a power plant during full power operations are described in Chapters 2 through 4, and in significant detail.

Chapter 2 provides the attributes of a Level 1 PRA with emphasis on accidents initiated by internal events. Chapter 3 follows a similar format to Chapter 2 but for a Level 2 PRA. Attributes of a Level 3 PRA are presented in Chapter 4. Accidents initiated by external events during full power operation are addressed in Chapter 5, which considers all the levels of analysis. In Chapter 6, the attributes of a PRA for low power and shutdown operations are presented. Chapter 6 includes consideration of accidents initiated by internal and external events and for all three levels of analysis. Information on the use and limitations of importance measures is provided in Appendix A. Finally, Appendix B presents information for peer reviews of a PRA.

REFERENCES FOR CHAPTER 1

1.1. USNRC, "Backfitting," Code of Federal Regulations, Title 10, Section 50.109, amended April 18, 1989.

1.2. "PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," NUREG/CR-2300, Vols. 1 and 2, American Nuclear Society and Institute of Electrical and Electronics Engineers, January 1983.

R. A. Bari, et al., "Probabilistic Safety Analysis Procedures Guide," NUREG/CR-2815, BNL-NUREG-51559, Vols. 1 and 2, Rev. 1, Brookhaven National Laboratory, August 1985.

D. D. Carlson, "Interim Reliability Evaluation Program Procedures Guide," NUREG/CR-2728, SAND82-1104, Sandia National Laboratories, January 1983.

D. M. Ericson, Jr. (editor), et al., "Analysis of Core Damage Frequency: Internal Events Methodology," NUREG/CR-4550, SAND86-2084, Vol. 1, Rev. 1, Sandia National Laboratories, January 1990.

M. P. Bohn and J. A. Lambright, "Procedures for the External Event Core Damage Frequency Analysis for NUREG-1150," NUREG/CR-4840, Sandia National Laboratories, November 1990.

1.3. USNRC, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," Draft Regulatory Guide DG-1061, February 1997.

USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Testing," Draft Regulatory Guide DG-1062, February 1997.

USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Inspection," Draft Regulatory Guide DG-1063, February 1997.

USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Graded Quality Assurance," Draft Regulatory Guide DG-1064, February 1997.

USNRC, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications," Draft Regulatory Guide DG-1065, February 1997.

2. INTERNAL EVENT LEVEL 1 PRA FOR FULL POWER OPERATIONS

This chapter provides attributes for a Level 1 probabilistic risk assessment (PRA) of a power plant for accidents initiated during full power operations. Full power is defined to encompass the operations that occur while the plant is at greater than 15% of rated power. A Level 1 PRA identifies and quantifies those accident sequences that could lead to the onset of core damage. A summation of all such accidents leads to an estimate of the core damage frequency (CDF). Accidents initiated by internal events are discussed in the following section. Accidents initiated by various external events are addressed in Chapter 5.

2.1 Internal Events Analysis

This section provides the attributes for performing a Level 1 PRA for analysis of internal events at full power operation. The attributes are also generally applicable to the analysis of external events at full power and for the analysis of all events during low power and shutdown conditions. Additional attributes applicable only to the analysis of external events are provided in Chapter 5. Additional attributes unique to the analysis of the risk from low power and shutdown operations are presented in Chapter 6.

A Level 1 PRA comprises three major segments:

- The identification of those sequences of events that, if not prevented, could result in a core damage state and the potential release of radionuclides.

- The development of models of events that contribute to the core damage sequences.

- The quantification of the models in the estimation of the core damage frequency.

As noted, the first element of a Level 1 PRA identifies those sequences of events that, if not prevented, could result in a core damage state and the potential release of radionuclides. This process is typically divided into two tasks: identification of the initiating events and development of the potential core damage accident sequences associated with the initiating events.

The initiating event task involves identifying those events that challenge normal plant operation and that require successful mitigation in order to prevent core damage. There can be tens to hundreds of events that can challenge the plant. Individual events may, however, be grouped into initiating event classes, with classes defined by similarity of systems and overall plant response.

In the accident sequence development task, the different possible sequences of events that can evolve as a result of each initiator group are identified. The resulting sequences depict the different possible combinations of functional and/or system successes and failures and operator actions which lead to either successful mitigation of the initiating event or to the onset of core damage. Determination of what constitutes success (i.e., success criteria) to avert the onset of core damage is a crucial part of the accident sequence analysis task.

The second element of a Level 1 PRA involves the development of the models for the mitigating systems or actions in the core damage accident sequences. This task, referred to as systems analysis, involves modeling the failure modes of the plant systems which are necessary to prevent core damage as defined by the core damage accident sequences. This modeling process, which is usually done with fault trees, defines the combinations of equipment failures, equipment outages (such as for test or maintenance), and human errors that cause failure of the systems to perform the desired functions.

The third element of a Level 1 PRA involves estimating the plant's CDF and the associated uncertainty. This process is typically divided into three tasks: data analysis, human reliability analysis, and quantification and uncertainty analysis.

The data analysis task involves determining initiating event frequencies, equipment failure probabilities, and equipment maintenance unavailabilities. Plant maintenance and other operating records are evaluated to derive plant-specific equipment failure rates and the frequencies of the initiating events. Where insufficient plant experience exists, failure rates and initiating event frequencies based on industry-wide "generic" databases are used to complete the database used in the risk analysis.

The human reliability analysis task is a key task in a Level 1 PRA, involving modeling and evaluating the human actions important in the prevention of core damage. This evaluation both identifies the operator actions and quantifies the error probabilities of the identified actions. Human reliability analysis is a special area of analysis requiring unique skills to determine the types and likelihoods of human errors germane to the sequences of events that could result in core damage.

The quantification task integrates the initiating event frequencies, event probabilities, and human error probabilities to calculate the frequency of core damage and its associated uncertainty. As typically used in PRAs, the core damage frequency represents the average annual core damage frequency.
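The three inputs just described (initiating event frequencies, basic event and maintenance unavailabilities from the data task, and human error probabilities from the HRA task) combine into a core damage frequency through the cutsets of the system models. The following is an added example, not part of NUREG-1602 and not NRC or licensee code. It builds a constructed miniature Level 1 model with two hypothetical initiating event groups, a handful of hypothetical basic events (including a common cause failure, a maintenance unavailability and one human error probability), and the minimal cutsets of each core damage sequence. It shows the rare-event approximation beside the min-cut upper bound, the per-sequence breakdown of CDF, and a Fussell-Vesely importance (FV in the abbreviations) obtained by re-quantifying with one event's probability set to zero. Every name, frequency and probability is an assumption chosen for illustration.

```python
"""Level 1 quantification over minimal cutsets.

Added example, not part of NUREG-1602. The plant model is constructed for
illustration: every initiating event group, sequence, basic event and
number below is hypothetical. Frequencies are per reactor-year (/ry).
"""
from math import prod

# Constructed basic-event probabilities: hardware failures, a common cause
# failure, a maintenance unavailability and one human error probability.
BASIC_EVENTS = {
    "HPI-PUMP-A-FTS": 3.0e-3,  # high-pressure injection pump A fails to start
    "HPI-PUMP-B-FTS": 3.0e-3,
    "HPI-CCF":        1.5e-4,  # common cause failure of both HPI trains
    "HPI-A-MAINT":    1.0e-2,  # train A out for maintenance
    "AFW-TDP-FTR":    2.0e-2,  # turbine-driven auxiliary feedwater pump fails to run
    "AFW-MDP-FTS":    4.0e-3,  # motor-driven auxiliary feedwater pump fails to start
    "OP-FEED-BLEED":  5.0e-2,  # HEP: operators fail to establish feed and bleed
    "DG-A-FTS":       2.0e-2,  # emergency diesel generator A fails to start
    "DG-B-FTS":       2.0e-2,
}

# Initiating event groups: frequency (/ry) and the core damage sequences
# that follow each, with each sequence given as its minimal cutsets.
INITIATORS = {
    "SMALL-LOCA": {
        "freq": 5.0e-3,
        "sequences": {
            "S1-HPI-FAILS": [
                {"HPI-CCF"},
                {"HPI-PUMP-A-FTS", "HPI-PUMP-B-FTS"},
                {"HPI-A-MAINT", "HPI-PUMP-B-FTS"},
            ],
        },
    },
    "LOOP": {
        "freq": 4.0e-2,
        "sequences": {
            "T1-SBO": [{"DG-A-FTS", "DG-B-FTS"}],
            "T1-AFW-FB": [{"AFW-TDP-FTR", "AFW-MDP-FTS", "OP-FEED-BLEED"}],
        },
    },
}


def cutset_prob(cutset, probs):
    """Probability of one minimal cutset: product of its independent events."""
    return prod(probs[e] for e in cutset)


def sequence_freq(ie_freq, cutsets, probs, method="rare"):
    """Sequence frequency = initiating event frequency * P(mitigation fails).

    "rare": rare-event approximation, the sum of cutset probabilities.
    "mcub": min-cut upper bound, 1 - prod(1 - P(cutset)); it never exceeds
            the rare-event sum and is the tighter figure when cutsets are not rare.
    """
    p = [cutset_prob(cs, probs) for cs in cutsets]
    if method == "rare":
        failure = sum(p)
    elif method == "mcub":
        failure = 1.0 - prod(1.0 - x for x in p)
    else:
        raise ValueError(f"unknown method {method!r}")
    return ie_freq * failure


def quantify(probs=BASIC_EVENTS, initiators=INITIATORS, method="rare"):
    """Return (CDF, {sequence name: frequency}) summed over all initiators."""
    by_seq = {}
    for data in initiators.values():
        for name, cutsets in data["sequences"].items():
            by_seq[name] = sequence_freq(data["freq"], cutsets, probs, method)
    return sum(by_seq.values()), by_seq


def fussell_vesely(event, probs=BASIC_EVENTS, initiators=INITIATORS):
    """Fussell-Vesely importance: share of CDF carried by cutsets containing `event`.

    Computed as (CDF - CDF with the event probability set to zero) / CDF.
    """
    base, _ = quantify(probs, initiators)
    reduced, _ = quantify({**probs, event: 0.0}, initiators)
    return (base - reduced) / base


if __name__ == "__main__":
    cdf, by_seq = quantify()
    for name, f in sorted(by_seq.items(), key=lambda kv: -kv[1]):
        print(f"{name:13s} {f:9.2e} /ry  ({100 * f / cdf:5.1f}% of CDF)")
    print(f"CDF, rare-event approximation: {cdf:.2e} /ry")
    print(f"CDF, min-cut upper bound:      {quantify(method='mcub')[0]:.2e} /ry")
    for ev in ("DG-A-FTS", "OP-FEED-BLEED"):
        print(f"FV({ev}) = {fussell_vesely(ev):.3f}")
```

Because the common cause and maintenance terms are carried as explicit cutsets, the same model makes the CLB-change question of Section 2.1.1.2 mechanical: a change that alters a test interval or an allowed outage time is applied by editing the corresponding basic event probability and re-running quantify(), and the sequence breakdown shows where the delta lands.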

2.1.1 Accident Sequence Initiating Event Analysis

Initiating events are broadly categorized into two categories, internal initiating events and external initiating events. Internal initiating events are system and equipment malfunctions inside the plant. Analyzed along with internal initiating events is the loss of offsite electrical power. External initiating events include earthquakes, external flooding (i.e., from water sources outside the plant), transportation occurrences, and high winds. Note that many of these external events can cause a loss of offsite power in addition to other adverse impacts on the plant.

Although internal flooding and fire events are conventionally treated in PRA studies as external events, they are included in the internal event category in this document. This section only addresses conventional internal initiating events that occur during full power operation, including the loss of offsite electrical power. The special cases of internal flooding and fires are addressed in Sections 2.2 and 2.3, respectively. Initiators for external events are addressed in Chapter 5, and initiators during low power and shutdown operation in Chapter 6.

2.1.1.1 Considerations for the Baseline PRA

This section defines the scope of initiating events that should be initially considered in a state-of-the-art PRA, as well as criteria for screening out initiators and grouping of the remaining initiators.

Initial Scope of Examined Initiators

In a full power PRA, internal events that cause an upset of normal plant operation that requires a reactor trip or unplanned controlled shutdown with the need for core heat removal are considered as initiating events. These events fall into one of two categories as follows:

- Loss-of-coolant accidents (LOCAs) - All events that disrupt the plant by causing a breach in the primary coolant system with a resulting loss of core coolant inventory are modeled. These events include such occurrences as primary system pipe breaks, pressurized water reactor (PWR) steam generator tube ruptures (SGTRs), boiling water reactor (BWR) feedwater pipe breaks, interfacing system loss-of-coolant accidents (ISLOCAs), reactor pressure vessel (RPV) rupture, and BWR steam pipe breaks.

- Transients - All events that disrupt the plant but leave both the core coolant and other water systems' inventory intact are modeled. These occurrences include such items as automatic reactor shutdowns (scrams or trips), unplanned controlled reactor shutdowns (including those caused by degraded equipment configurations), manual reactor trips or scrams, manual operator actions taken in anticipation of degrading plant conditions, and transient-induced LOCAs. In identifying the transient events, frequently occurring events (such as turbine trips) and more rare events (such as loss of a support system) are considered.

When ensuring completeness in the initial list of initiating events (considered at the onset of the baseline PRA study), the analyst should have performed a comprehensive engineering evaluation that includes the following events:

- All general categories of events analyzed in Chapter 15 of the Final or Updated Safety Analysis Report (SAR) (e.g., increases or decreases in reactor coolant flow). The Chapter 15 analysis includes both transients and LOCAs.

- Events resulting in a loss of primary core coolant. This includes leaks and ruptures of various sizes and at different locations in the primary system (e.g., primary system pipe breaks, penetration failures, SGTRs, and vessel rupture). In addition, a systematic search of the reactor-coolant pressure boundary should be performed to identify any active component in systems interfacing with the primary system that could fail or be operated in such a manner as to result in an uncontrolled loss of primary coolant (commonly referred to as ISLOCAs).

- All actual initiating events which have occurred at the plant. Actual plant scrams and unplanned shutdowns as documented in Licensee Event Reports (LERs) and scram reports should be included. These initiators typically involve faults in the nuclear steam supply system (NSSS) and in the turbine-generator and related systems (referred to hereafter as the balance-of-plant). Plant modifications (not accounted for in the baseline PRA) influencing occurrence rates should be considered.

- All initiating events considered in published PRAs (and related studies) of similar plants. NUREG/CR-4550 (Ref. 2.1) contains a list of transient initiating events that have actually led to reactor trips and that should be considered.

- All initiating events that have occurred at conditions other than full power operation (i.e., during low power or shutdown conditions) are included unless it is determined that they are not applicable to full power operation.

- All systems supporting the operation of other plant systems are reviewed to determine if their loss results in automatic scram, manual scram, or a controlled shutdown. Failure Modes and Effects Analysis (FMEA) is generally used to determine if an initiating event results from complete or partial failure of the system to operate, or from inadvertent operation of a system. In this method, the analyst determines for each component in the system: (1) its function, (2) the possible failure modes, (3) the failure mechanisms, and (4) the effects of the failure on the system and the plant.

A system is evaluated if its loss would disrupt the normal operation of the plant. At a minimum, support systems that are examined include alternating current (AC) and direct current (DC) buses; cooling water or service water systems; instrument and service air; heating, ventilation, and air conditioning (HVAC) systems throughout the plant (including the control room); and instrumentation/control systems.

In determining whether the loss of a plant system or component should be treated as a support system initiating event, the expected level of degradation to other plant systems (specifically, accident mitigating systems) is also determined and evaluated. This may require calculations to determine the resulting environment to which the mitigating equipment is exposed and comparison to equipment qualification information.

Initiating events consisting of multiple equipment failures are included if the equipment failures result from a common cause. For example, the failure of two DC electrical buses is included as an initiating event if the failure is due to a common cause.

For multiple unit sites where systems are shared or can be cross-tied, initiating events that can impact both units should be identified in addition to those that will only impact a single unit.

An ISLOCA can be an important accident sequence because of its potentially significant contribution to the releases of radioactivity from the plant due to all possible accident scenarios. Therefore, the modeling of ISLOCAs, and particularly the credit given for isolation of the ISLOCA, the predicted size of the ISLOCA, and the effects of the ISLOCA on other equipment, can significantly affect the importance of this type of event.

NUREG/CR-5928 (Ref. 2.2) describes an acceptable approach to analyzing ISLOCAs at individual plants. In that report, a spectrum of topics is addressed, including the modeling of ISLOCA sequences; the systems and components and their failure modes that should be considered; rupture probabilities for different types of components, including different piping materials and designs; human reliability considerations for isolating or otherwise mitigating the LOCA; specific data suggestions for the analysis; and equipment effects considerations. Two additional specific considerations which may be in conflict with NUREG/CR-5928 for a specific plant, and hence should be considered when analyzing ISLOCAs, include the following:

(1) Credit for motor-operated valve (MOV) or check valve closure to isolate any resulting leak or rupture can only be taken in the PRA if supporting analysis/testing is available which demonstrates adequate capability of the valve for the expected conditions. This condition can be met by virtue of successfully addressing Generic Letter (GL) 89-10 for the valve(s) in question or by other supporting analyses or test results for valves (e.g., check valves) not covered by the licensee's GL 89-10 program (Ref. 2.3). With such supporting analyses, the nominal failure probability for valve closure can be used; otherwise, it should be assumed that the valve will not close to isolate the breach.

(2) Any resulting effects on equipment exposed to the breach should consider both the water and steam effects of the breach as well as propagation of that water/steam to other rooms or areas of the plant. Any credit taken for the continued operability of equipment in the expected environment should meet the attributes provided under the "equipment operability" issue discussed later. This includes consideration of whether the valve operators for MOVs will function to close the valve (even if the valve is determined capable of closing) given its exposure to the expected environment.

Screening Out Initiating Events

In a PRA, not every initiating event that causes a disruption of the plant has to be modeled. That is, accident sequences do not have to be developed for every initiating event. In some cases, it is allowable to exclude initiating events. Any of the following criteria can be used to exclude initiating events:

- The frequency of the initiating event is less than 1E-7 per reactor-year (/ry) when the initiator does not involve either an ISLOCA, containment bypass, or vessel rupture.

- The frequency of the initiating event is less than 1E-6/ry and core damage could not occur unless at least two active trains of diverse mitigating systems are independently failed.

- The resulting reactor trip is not an "immediate" occurrence. That is, the event does not require the plant to go to shutdown conditions until sufficient time has expired during which the initiating event conditions can, with a high degree of certainty (based on supporting calculations), be detected and corrected before normal plant operation would be curtailed (either administratively or automatically).

Consequences, not only the contribution to CDF, matter when applying these criteria. For example, a steam generator tube rupture event may have a relatively low contribution to the total core damage frequency but may constitute a significant fraction of total large early releases. Initiating events such as these should not be excluded. The need to understand the potential consequences of an initiating event in order to exclude it from detailed analysis makes the process of excluding initiating events necessarily iterative.

As another illustration, the loss of switchgear room HVAC may not require the operator to initiate a manual shutdown for eight hours, based on a room heatup calculation. During this time, the operator can almost certainly detect and recover the fault using portable cooling equipment (as directed by procedures) and prevent the need for a forced shutdown. In this case, loss of switchgear room cooling could justifiably be eliminated as an initiating event (based on procedural guidance and calculational support).

The basis for excluding initiating events from detailed evaluation should have been established and documented for a peer review and users of the baseline PRA. The fact that an event has never occurred, by itself, is not a sufficient basis for eliminating an initiating event from evaluation.

Grouping of Initiating Events

Numerous events and occurrences can disrupt a plant, and the response of the plant to many of these events can be virtually identical. In such cases, it is acceptable to group the initiating events using the following criteria:

- Initiating events resulting in the same accident progression (i.e., requiring the same systems and operator actions for mitigation) can be grouped together. The success criteria for each system required for mitigation (e.g., the required number of pump trains) are the same for all initiators grouped together. In addition, all grouped initiators should have the same impact on the operability and performance of each mitigating system and the operator. Consideration can also be given to those accident progression attributes that could influence the subsequent Level 2 analysis (refer to Chapter 3).

- In conformance with the criteria above, LOCAs can be grouped according to the size and location of the primary system breach. However, primary breaches that bypass the containment should be treated separately.

- Initiating events can be grouped with other initiating events with slightly different accident progression and success criteria if it can be shown that such treatment bounds the real core damage frequency and consequences that would result from the initiator. To avoid a distorted assessment of risk and to obtain valid insights, grouping of initiators with significantly different success criteria should be avoided. Grouping of initiators necessitates that the success criteria for the group be the most stringent success criteria of all the individual events in the group. Note that in a sound baseline PRA, low-frequency initiators are grouped with other, relatively high-frequency initiators rather than excluded from further analysis.

2.1.1.2 Application Impact Considerations

It is possible that a particular change to a plant's current licensing basis (CLB) may influence this task. The proposed change may result in:

- New accident initiators,
- Higher risk contribution of (initially) screened-out initiator(s), and
- Change in the frequency of modeled initiator(s).

For every risk-informed regulatory change, the potential for these three items should be examined. This examination should consider structures, systems, and components (SSCs) modeled in the PRA as well as those SSCs not modeled. SSCs not modeled in the PRA should be subject to a failure modes and effects analysis (FMEA) (or equivalent) to assess their impact on accident initiator scope and frequencies.

[1] The user (or reviewer) of this baseline PRA and its documentation needs to compare the above criteria with those used for grouping initiating events in the PRA. Deviations should be noted, especially when they have the potential for limiting the use of the baseline PRA.

Note that a proposed CLB change may necessitate reconsideration of the initiating event grouping scheme used in the baseline PRA to bring sharper focus on a subgroup of initiators that may be sensitive to the change.

2.1.1.3 Interface with Other Tasks

Results of reviews of this task should be considered before the onset of reviewing the data analysis (Section 2.1.4) and the accident sequence analysis (Section 2.1.2) tasks. Special emphasis should be given to limitations in the baseline PRA (or its documentation) related to scope, screening, and grouping of initiators, which can compromise the soundness of results of these two interfacing tasks, and consequently the adequacy of the baseline PRA to support the proposed risk-informed applications.

2.1.1.4 Documentation

The documentation of the initiating event task should be sufficient such that a peer reviewer can reproduce the results. At a minimum, the following information pertinent to initiating events should be documented:

- A list or general description of the information sources that were used in the task.
- Specific information/records of events (plant-specific, industry experience, "generic" data) used to identify the applicable initiating events.
- The initiating events considered, including both the events retained for further examination and those that were eliminated, along with the supporting rationale.
- Any quantitative or qualitative evaluations or assumptions that were made in identifying, screening, or grouping the initiating events, as well as the bases for any assumptions and their impact on the final results.
- Documentation of the FMEA performed to identify support system initiators and the expected effects on the plant (especially on mitigating systems).
- Specific records of the grouping process, including the success criteria for the final accident initiator groups.
- Documentation of findings of the FMEA (or equivalent) performed on SSCs within the scope of the change but not modeled in the PRA, to assess their impact on the scope and frequency of initiators.

2.1.2 Accident Sequence Analysis

The objective of the accident sequence analysis task is to determine the possible plant responses (sequences) that could occur as a result of initiating events. These plant responses are defined in terms of the different possible combinations of successful and unsuccessful functions or systems and operator responses required to mitigate an accident initiator. For the Level 1 portion of an analysis, the following discussion is provided for those plant responses or sequences that end either with the plant in a stable state or with the plant having entered a "severe accident" state in which the onset of core damage is imminent.

Accident sequences are determined by implementing a logical method for identifying the different possible plant responses to the initiating events. The plant safety functions and corresponding plant systems and operator responses that need to occur to mitigate each initiator are used to represent the different possible plant responses (or accident progression sequences).

Different models can be used to develop the accident sequences. Among these, the two principal methods used are event sequence diagrams and event trees. There are also different types of event trees (e.g., functional versus systemic) and different ways of documenting the response to each accident initiator (e.g., separate event trees for each initiating event group, or a general tree with the initiating event impacts included in system fault trees, or inclusion of support systems and shared equipment in the event tree rather than at the fault tree level). All of these different event tree approaches can be used. The following discussion presents the attributes of the event tree approach to accident sequence analysis since it is the most prevalent technique.

2.1.2.1 Considerations for the Baseline PRA

This section identifies several key factors to consider in evaluating the baseline PRA used in a risk-informed regulatory application.

Establishing Success Criteria

Accident sequence analysis establishes the success criteria which should be met to prevent core damage. The success criteria are thus dependent on the definition of core damage. Core damage has been defined in past PRAs in various ways, usually through peak cladding temperature limits or designated water levels in the vessel. The onset of core damage generally means that no imminent recovery of sufficient coolant injection is anticipated, and therefore a substantial amount (equivalent to or greater than the design basis) of the radioactive material contained in the gap between the cladding and the fuel is subsequently released. Comparable definitions that result in essentially the same phenomena can be used. Whatever the definition chosen for the onset of core damage, it should be supported by calculations. Note that considerable fuel melting may also be expected in most accident sequences with core damage outcomes.

The accident sequence model may include as the event tree headings the necessary safety functions, systems, and operator responses to prevent the onset of core damage. Accident sequence models can also delineate the functions required to protect the containment and influence the amount of radioactive material released.[2] The safety functions modeled in a Level 1 PRA include reactivity control, reactor coolant system (RCS) overpressure protection, reactor coolant inventory control and heat removal, and containment overpressure protection (both early and late). The containment overpressure protection functions are listed in the Level 1 considerations because the containment condition can adversely impact the core heat removal and inventory control functions.

[2] The attributes provided in this section do not address event trees where the end state goes past the onset of core damage. Functions required for establishing the containment performance and release of radioactive material are identified in the Level 2 discussion. Further event tree modeling to establish plant damage states is not addressed in this section.

The success criteria for each of these functions required to prevent core damage should be established (e.g., the RCS inventory control function can be expressed in terms of required flow rate). Once established, the system and operator responses modeled in a PRA include those frontline systems, support systems, and operator actions needed to successfully meet the modeled safety function success criteria. The minimum hardware for each identified system (e.g., the number of pump trains) and the operator responses required to meet the function success criteria determine the success criteria for responding to each initiating event group.

The use of realistic success criteria provides additional assurance that the relative importance of the quantified accident sequences is as accurate as possible. To further ensure a "realistic" analysis, the use of success criteria which are excessively limiting (such as the success criteria used in design basis assessments) is avoided. For example, the licensing basis may require two out of four emergency core cooling pumps when "best estimate" calculations show that only one out of four pumps will prevent the onset of core damage.

"Realistic" success criteria, rather than the licensing-basis criteria, can be used for both the safety functions and the individual systems that perform those functions. Therefore, the evaluation does not have to stop with safety-related systems when non-safety-related equipment may be available to perform the needed function, thereby preventing the onset of core damage.

For grouped initiators, the accident sequence modeling should reflect the most stringent initiator. For example, the coolant injection requirements for LOCA initiators (which usually involve a spectrum of break sizes) are based upon the upper end of the break spectrum. For other functions, the requirements may have to be based upon a different initiator included in the group.

The success criteria for preventing core damage can be dependent on the accident progression and timing. For example, for a BWR, the control rod drive (CRD) system may not provide sufficient flow for coolant injection at the beginning of a small LOCA; however, at four hours into the accident (given that coolant injection has been occurring), the coolant inventory requirements are reduced and CRD flow is adequate. In addition, the time required to align a system may influence the time frame in which it can be credited (e.g., firewater may not be credited early in an accident such as a LOCA since it could require connection of multiple fire hoses, insertion of spool pieces, or opening of remote valves).

In determining "realistic" success criteria, particularly when such criteria are considerably different from the SAR design basis or are not even addressed in the SAR, supporting analyses (e.g., thermal-hydraulic calculations) should be the basis for the success criteria that are credited in the PRA. Representative examples of criteria often used in PRAs that differ considerably from, or are not addressed by, the design basis criteria are (a) feed and bleed mode for PWR core cooling, (b) primary/secondary system depressurization and use of low pressure safety injection and/or condensate to the steam generators whenever high pressure safety injection and/or main and auxiliary feedwater are unavailable in PWRs, and (c) in the case of BWRs, use of alternate injection systems (such as control rod drive flow or firewater) under conditions when all other injection systems are unavailable. These represent conditions that go well beyond the single failure considerations applied in the design basis and hence did not have to be treated in the original licensing basis for the plant. While plant-specific calculations are preferred, non-plant-specific calculations (e.g., use of "similar" plant analyses, perhaps with modification) are acceptable provided appropriate justification is established. The computer codes used to calculate success criteria (either plant-specific or for a similar plant) should contain the modeling detail present in codes such as RELAP and TRAC (Ref. 2.4) and should be verified for the conditions that exist in the success criteria application.

For instance, anticipated transient without scram (ATWS) represents a complicated and "beyond design basis" set of scenarios requiring analysis and supporting calculations to properly characterize the success criteria. The estimated risk contribution of ATWS events is in part a function of the modeling approaches and associated assumptions used in interpreting the success criteria. For PWRs, what constitutes successful pressure control often sets the stage for the rest of the analysis. An acceptable basis for successful pressure control is the use of the stress Level C limits of the American Society of Mechanical Engineers (ASME) code as the assumed failure point for the vessel and primary piping from overpressurization. Supporting calculations (preferably plant-specific) are performed to address the critical moderator temperature coefficient (MTC) necessary to ensure the unacceptable stress limit is not reached (i.e., the portion of the fuel life when the MTC is sufficiently negative). Furthermore, plant-specific analyses are preferred to determine the pressure increases associated with failure to trip the turbine during an ATWS. For BWRs, a similar basis for success during an ATWS can be established, and then plant-specific considerations are used to interpret the need for:

- Recirculation pump trip (RPT), including whether all pumps should trip.
- Standby liquid control (SLC) system operation, particularly the time by which the system should be initiated for successful mitigation.
- Inhibiting emergency core cooling system (ECCS) injection inside the shroud and inhibiting automatic depressurization.
- Requirement for vessel level control during injection by both high and low pressure systems.
- Containment and suppression pool cooling to avoid adverse impacts on continued operability of core cooling.

One concern regarding accident sequence modeling is the loss of reactor coolant pump (RCP) seal cooling. Such a concern arises during consideration of loss of pump cooling events and loss of all AC events, both of which cause a loss of pump seal cooling and the potential for a primary system LOCA (through the pump seals) requiring reactor coolant makeup. Pump seal failures can also be initiating events for the PRA.

The proper model depends on the pump manufacturer (Westinghouse, Byron Jackson, Bingham) and the seal design. Another consideration which may make a difference is whether or not the pump has been tripped upon loss of seal cooling/injection. In addition, there is a range of opinion as to what would be the proper seal leakage model (meaning the probability of a certain flow rate vs. time) for a given pump. The chosen model can significantly affect the results by considerably altering both the ranking of dominant accident sequences and the overall core damage frequency. The treatment of RCP seal LOCAs is an example of an area where there is considerable variation and uncertainty in the accident sequence modeling.

Because of the less than definitive conclusions that have been reached as to the appropriate model to use for PRA purposes, this document provides suggested RCP seal LOCA models for incorporation into PRAs and PRA applications until (and if) more information becomes available. Alternate models may be used provided justification is provided for their use. The suggested model approaches provided below are based on the conclusions of the related elicitation issue in the NUREG-1150 study (Ref. 2.5), and consider the modeling approaches used by the licensees in their individual plant examinations (IPEs).

Case 1 - Pumps-tripped condition:

The RCP seal leakage model is based on the discussion in Section 5 of NUREG/CR-4550 (Ref. 2.6). A licensee may wish to group similar leak rates from the tables in Section 5, but needs to consider the full range of possible leak rates and probabilities provided in the referenced report. It is suggested that an acceptable approach for plants with the Westinghouse "old" o-ring design pumps is to use the "old" o-ring values (or a suitable equivalent, with justification provided). It is also suggested that an acceptable approach for plants with the newer, more temperature-tolerant Westinghouse design (and all other pump manufacturer designs) is to use the "new" o-ring design values (or a suitable equivalent, with justification provided).

Case 2 - Pumps-not-tripped condition:

The licensee determines the maximum possible flowrate for the applicable pump manufacturer assuming the seals (all stages) are destroyed and no longer provide a flow restriction within the labyrinth. The calculated flowrate is assumed to occur by 30 minutes following the initiating event.

The significance of the above models to the PRA results is still dependent on such factors as the number of pumps affected, the cooling system configuration (and hence the probability associated with a total loss of pump cooling), the ability to provide reactor coolant system injection during such conditions (for instance, BWRs, except for some of the older designs, are generally better able to cope with such a LOCA even under loss of all AC power because of their high-pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) systems), etc.

Modeling Accident Progressions

The modeling of the accident sequence progressions necessitates that the response of the plant systems and the operator accurately reflect the system capabilities and interactions, procedural guidance, and the timing of the accident sequences. Therefore, the development of the accident sequence models should correctly incorporate the planned response to an initiator that exists in the plant emergency and abnormal operating procedures and as practiced in simulator exercises. In fact, the procedural guidance along with timing information obtained through thermal-hydraulic calculations serves as the guide in the actual development of the accident sequence models.

Operator actions required to mitigate an accident sequence (e.g., manual initiation of systems or special actions such as controlling vessel level during an ATWS in a BWR) should be modeled (see Section 2.1.5). Therefore, event tree headings should be chronologically placed in the order that the system or operator action is expected to be challenged. Deviations from the chronological representation of the procedural guidance should be well documented.

In developing the accident sequences, the accident progression (as represented by the logic structure of the model) should also account for dependencies and interfaces between and among the plant safety functions, systems, and operator actions needed for accident mitigation. The dependencies and interfaces that should be considered include functional, phenomenological, and operational dependencies and interfaces.


Functional dependencies exist where the success of one function is dependent on or otherwise affected by the success or failure of another function. There are two dependencies that should be addressed: (1) interaction of the initiating group with mitigating systems and operator actions, and (2) interaction among the mitigating systems and operator actions.

The interactions of the initiating event group with available mitigating systems and actions are accounted for either in the accident sequence model or at the system model level. Both immediate effects (e.g., loss of systems such as the power conversion system (PCS) following loss of offsite power) and delayed effects (e.g., loss of a system due to a loss of HVAC) should be included. Delayed impacts can be subtle and require that both harsh environmental impacts (discussed in more detail below) and protective trip logic be considered. An example of a protective trip logic concern is the occurrence of a steam leak detection trip signal resulting from a high room temperature that could result from a loss of room cooling. The loss of room cooling may occur for various initiators, including loss of offsite power, loss of a cooling water system, or loss of the HVAC system itself.

The interactions among mitigating systems and operator actions are also accounted for either in the accident sequence model or at the system model level. One type of interaction is the successful operation of a system precluding the need for a redundant system performing the same function. The second type of interaction is the failure of one system precluding the operation of another system. An example of these types of functional dependencies in both a BWR and a PWR is the requirement for the success of primary system depressurization before low-pressure coolant injection can be utilized. Alternatively, vessel depressurization may cause loss of a system due to pump run-out inducing a subsequent pump trip. Another common example of a functional dependency is that battery depletion during a station blackout precludes continued operation of steam-driven systems.

Phenomenological dependencies manifest themselves where the environmental conditions generated during an accident sequence influence the operability of systems and equipment. Phenomenological impacts can include generation of harsh environments that result in protective trips of systems (e.g., due to high pressures or temperatures), loss of ECCS pump net positive suction head (NPSH) when containment heat removal is lost, clogging of pump strainers from debris generated during a LOCA, failure of components outside the containment following containment failure due to the resulting harsh environment, closure of safety relief valves (SRVs) in BWRs on high containment pressure, and coolant pipe breaks following containment failure.

Phenomenological impacts can also be indirect. For example, failure of containment heat removal in a BWR should cause the operator to depressurize the vessel per procedures to maintain suppression pool heat capacity limits. Such an action can result in loss of driving steam for systems such as HPCI and RCIC. Circumvention of some of these failure modes, such as bypassing protective trips, switching suction sources for pumps, and arranging alternate room cooling, can be credited either in the accident sequence modeling or in the system models if the action can be realistically accomplished considering available staffing, the available time to perform the action, and any harsh environment where the actions should be performed. Most of these phenomenological dependencies are identified on an individual system basis as part of the systems analysis (see Section 2.1.3).

Operational dependencies that are hardwired or are configuration dependent are present for some systems or components. An example of an operational dependency is that the suppression pool cooling mode of a loop of residual heat removal is not available when the system is in the low pressure coolant injection mode.


Consideration should also be given to sequences in which the nature of the accident changes. For example, an initial transient may become a LOCA event due to reactor coolant pump seal failure or a demanded and stuck-open primary relief valve. Proper modeling of this progression change accounts for any dependencies among events previously discussed. Transfers to other sequence models to reflect the change in the sequence should be made with due consideration given to any differences between the modeled initiators. Screening of such transfers can be performed but should follow the truncation considerations provided in Section 2.1.6 (sequence quantification) and should be reevaluated for each risk-informed regulatory application.
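The preceding discussion of chronological event tree headings, functional dependencies (loss of all AC removing feed and bleed, battery depletion removing the steam-driven train, loss of seal cooling turning a transient into a seal LOCA), transfers to another model, and truncation of low-frequency sequences can be made concrete with a small event tree evaluator. The Python below is an added example, not part of NUREG-1602 or any plant PRA: the headings (RT, EDG, AFW, SEAL, HPI, OSP), the loss-of-offsite-power frequency, and every branch probability are constructed values chosen only to make the dependencies visible. Each heading carries a "challenged" predicate, so headings that are not demanded in a branch are skipped, and a conditional failure probability that reads the state of earlier branches; the failure to trip is handed off to an ATWS model as a transfer rather than quantified here.

```python
"""Event tree enumeration with functional dependencies (added example;
headings, probabilities and the initiating frequency are constructed)."""
from typing import Callable, Dict, List, NamedTuple

State = Dict[str, bool]  # heading -> True (success) / False (failure); absent = not challenged


class Heading(NamedTuple):
    name: str
    challenged: Callable[[State], bool]  # is this heading demanded in the current branch?
    p_fail: Callable[[State], float]     # failure probability conditional on earlier branches


class Sequence(NamedTuple):
    failed: List[str]    # failed headings, in chronological order
    frequency: float     # /ry
    end_state: str


LOOP_FREQ = 5e-2  # loss-of-offsite-power frequency, /ry (constructed)


def ac_lost(s: State) -> bool:
    return s.get("EDG") is False


# Headings in the order they are challenged. Conditional probabilities encode the
# functional dependencies: with all AC lost only the turbine-driven AFW train is
# available, seal cooling is lost, feed-and-bleed (HPI) is not available, and
# AC must be recovered before battery depletion removes the steam-driven train.
HEADINGS = [
    Heading("RT",   lambda s: True,                                        lambda s: 1e-5),
    Heading("EDG",  lambda s: s["RT"],                                     lambda s: 5e-3),
    Heading("AFW",  lambda s: s["RT"],                                     lambda s: 5e-2 if ac_lost(s) else 1e-3),
    Heading("SEAL", lambda s: s["RT"] and ac_lost(s) and s["AFW"],         lambda s: 0.2),
    Heading("HPI",  lambda s: s["RT"] and not ac_lost(s) and not s["AFW"], lambda s: 1e-3),
    Heading("OSP",  lambda s: s["RT"] and ac_lost(s) and s["AFW"],         lambda s: 0.3 if s["SEAL"] is False else 0.1),
]


def end_state(s: State) -> str:
    if not s["RT"]:
        return "TRANSFER-ATWS"             # handled by the ATWS model, not this tree
    if ac_lost(s):
        if not s["AFW"]:
            return "CD"                    # no secondary heat removal and no AC for feed and bleed
        return "OK" if s["OSP"] else "CD"  # seal LOCA needs AC-powered makeup; batteries deplete
    if s["AFW"]:
        return "OK"
    return "OK" if s["HPI"] else "CD"      # feed and bleed as the realistic backup to AFW


def enumerate_sequences(headings=HEADINGS, init_freq=LOOP_FREQ) -> List[Sequence]:
    seqs: List[Sequence] = []

    def walk(i: int, state: State, prob: float, failed: List[str]) -> None:
        if i == len(headings):
            seqs.append(Sequence(failed, init_freq * prob, end_state(state)))
            return
        h = headings[i]
        if not h.challenged(state):
            walk(i + 1, state, prob, failed)
            return
        pf = h.p_fail(state)
        walk(i + 1, {**state, h.name: True}, prob * (1 - pf), failed)
        walk(i + 1, {**state, h.name: False}, prob * pf, failed + [h.name])

    walk(0, {}, 1.0, [])
    return seqs


def core_damage_frequency(seqs: List[Sequence], truncation: float = 0.0):
    """Sum CD sequences at or above the truncation frequency; also return the
    truncated mass so the cutoff can be re-examined for each application."""
    cd = [q for q in seqs if q.end_state == "CD"]
    kept = sum(q.frequency for q in cd if q.frequency >= truncation)
    dropped = sum(q.frequency for q in cd if q.frequency < truncation)
    return kept, dropped


if __name__ == "__main__":
    for q in sorted(enumerate_sequences(), key=lambda q: -q.frequency):
        print(f"{q.frequency:9.3e}/ry  {q.end_state:14s} failed={q.failed}")
    print("CDF (kept, truncated):", core_damage_frequency(enumerate_sequences(), truncation=1e-7))
```

With these constructed numbers the dominant core damage sequence is station blackout with the turbine-driven train running but offsite power not recovered before battery depletion, not the loss of both trains; that ranking is entirely a product of the conditional probabilities, which is why the text insists the dependencies be modeled rather than headings quantified independently. The truncated mass returned alongside the kept frequency is the quantity to re-check when an application changes any branch probability.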

2.1.2.2 Application Impact Considerations

It is possible that a particular change to a plant's current licensing basis (CLB) may affect the accident sequence analysis task. The proposed change may result in:

- New/fewer event trees being considered;
- Revised success criteria;
- New dependencies or interfaces;
- New/fewer and/or rearranged event tree headings due to changes in procedures, equipment, technical specifications, etc.;
- Revised sequence logic.

2.1.2.3 Interfaces with Other Tasks

Initiating event analysis and systems analysis will provide information on the impact of initiating events on mitigative functions. Systems analysis and human reliability analysis (HRA) will provide information on the interactions among mitigating systems/operator actions and on phenomenological interactions/operational dependencies. Systems analysis will provide information used to obtain success criteria and accident progression.

Thermal-hydraulic analysis is used in various aspects of this task, e.g., for success criteria, timing, environmental effects, etc. The output of the sequence analysis is used as an input to the HRA task and to generate cutsets used for the sequence quantification task. The sequence analysis will also guide the systems analysis as reference is made to certain systems or functions in the event trees and the success criteria.

2.1.2.4 Documentation

The following information concerning the accident sequence modeling should be reported:

- A list or general description of the information sources that were used in the task.
- The success criteria established for each initiating group, including the bases for the criteria (i.e., the system capacities required to mitigate the accident and the necessary components required to achieve these capacities).
- The event trees or other types of models used (including all sequences) for each initiating event group.
- A description of the accident progression for each sequence or group of similar sequences (i.e., descriptions of the sequence timing, applicable procedural guidance, expected environmental or phenomenological impacts, dependencies between systems, and other pertinent information required to fully establish the sequence of events).
- Any assumptions that were made in developing the accident sequences, as well as the bases for the assumptions and their impact on the final results.
- Existing analyses or plant-specific calculations performed to arrive at success criteria and expected sequence phenomena, including necessary timing considerations.
- Sufficient system operation information (refer to the following section) to support the modeled dependencies.
- Input, calculations, etc. (particularly to justify equipment operability beyond its "normal" design parameters and for which credit has been taken).
- How the application changes the baseline model in this task.

2.1.3 Systems Analysis

There are different analytical techniques that can be used to perform or support a systems analysis. Examples include FMEA, reliability block diagrams, and fault trees. Fault trees are the preferred method since they are deductive in nature and, if properly performed, can identify all potential failure modes of a system and thus can be used to calculate the unavailability of the system.

2.1.3.1 Considerations for the Baseline PRA

Detailed fault tree models are generally required in analyzing the system, although sometimes a simplified fault tree or the black box approach (treating the system as a basic event) is acceptable, as delineated below. The basic concepts for constructing fault trees are described in "The Fault Tree Handbook" (Ref. 2.7). Some considerations applicable to this method are discussed below.

A fault tree can be simplified to include only the dominant types of failures. A single data value, for systems where sufficient experience exists, can be used to represent the system's unavailability. In such cases, care should be taken to model those aspects of the system which form dependencies with other systems so that dependent or common cause events are properly handled.

An example of where a simplified fault tree could be utilized is the automatic depressurization system (ADS) in a BWR. Here, common cause valve failure and an operator error to manually initiate the system have been shown to be the dominant failure modes for the ADS. Since this system is dependent on several support systems (DC power and instrument air) used by other systems, these support system interfaces would have to be modeled. An example of where a data value is permissible is the reactor protection system (i.e., the failure to scram the reactor). In this case, the reactor protection system (RPS) failure modes are independent of other system failures.

Establishing System Analysis Boundaries

An accurate representation of the design, operation, and maintenance of each modeled system is essential. The design, operation, and maintenance requirements and practices are reviewed to ensure that the system model reflects the as-built and as-operated system. System walkdowns are performed to confirm the design of the system. Operator interviews, system procedure (abnormal operating, maintenance, and testing) reviews, and involvement of plant system engineers are also necessary.

The failure criteria defining the top event of the fault tree for each system should match the accident sequence success criteria. Note that in some cases, multiple models for the same system may be needed to address different sequences.

All equipment and components necessary for the system to perform its function (as defined by the accident sequence success criteria) during the postulated accident mission time are considered in the system model. The boundaries of these equipment and components should also be defined. These definitions should match a level of detail at which statistical data exist for determining their failure probabilities. In addition, the defined boundaries should be able to reflect the dependencies and interfaces between equipment and systems.

All relevant and possible failure modes for each component should be considered. These failure modes generally include the following:

- Hardware faults
- Failure to change state
- Failure to operate
- Out-of-service unavailability
- Common cause faults
- Operator faults
- Conditional operability faults, including equipment capability and phenomenological faults.

Hardware faults are those physical breakdowns of the equipment such that the system or component cannot function as designed (e.g., pump shaft breaks).

In modeling the out-of-service unavailability, both planned and unplanned test and maintenance contributions are considered. The type of testing and maintenance modeled should be consistent with the actual practices of the plant for removing equipment from service for maintenance. These considerations might include technical specification equipment configuration control violations as well as previously identified implementation and program deficiencies in the equipment configuration control process.

Common cause equipment failures are multiple failures that result from a single event or failure. The NRC's Office of Analysis and Evaluation of Operational Data (AEOD) report, "Common Cause Failure Data Collection and Analysis System" (Ref. 2.8), presented in six volumes, provides a suggested common cause failure modeling approach. Volumes 5 and 6 of that report are particularly useful, as they directly apply to the modeling (Volume 5) and the database (Volume 6) applicable to PRA. Given the current state of the art of common cause failure analysis and the data available, only intra-system common cause failures are generally modeled. Inter-system common cause failures should be considered when indicated, as is commonly done in the case of the BWR HPCI-RCIC systems cited in the AEOD report.

How common cause events are included in the model may vary (e.g., included in the system fault trees, or added after an initial cutset review of independent failure combinations), but the approach should demonstrate that quantitatively important common cause combinations are not missed. Truncation considerations should be consistent with the expectations provided in Section 2.1.6, accident sequence quantification (i.e., truncation of any common cause events would be based on low cutset frequency arguments). In addition, the truncation of any common cause events should be reevaluated for every risk-informed regulatory application of the PRA. For cases where the PRA involves the evaluation of common cause among a component type not covered by the AEOD report, the component type closest in design and similarity in the AEOD report can be used to perform the evaluation. In evaluating the human error probabilities, the analyst would also consider common causes and incorporate performance shaping factors (PSFs) to account for dependencies.
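The fault tree expansion, rare-event quantification and cutset truncation discussed above, as an added worked example that is not part of NUREG-1602: a two-train system with an explicit intra-system common cause event for the two pumps. The gate structure, event names and probabilities are constructed for illustration and do not come from any plant model or data source. Running it without truncation shows the common cause cutset carrying over 90% of the top event probability; running it with a truncation value of 1E-5 drops every independent double failure while the explicit common cause cutset survives, which is the check the text asks the analyst to make before relying on a truncation argument.

```python
"""Added example (not from NUREG-1602): top-down minimal cutset generation for a small
fault tree with an explicit common cause event, rare-event quantification, and the
effect of cutset truncation on common cause versus independent failure combinations."""
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple

Gate = Tuple[str, List[str]]   # ("AND" | "OR", [child names])
Cutset = FrozenSet[str]

# Constructed two-train system (illustrative, not a real plant model): the system fails
# only if both trains fail; a train fails if its pump fails to start, its discharge MOV
# fails to open, or the intra-system common cause event CCF_PUMPS (both pumps) occurs.
GATES: Dict[str, Gate] = {
    "SYS": ("AND", ["TRAIN_A", "TRAIN_B"]),
    "TRAIN_A": ("OR", ["PUMP_A_FS", "MOV_A_FO", "CCF_PUMPS"]),
    "TRAIN_B": ("OR", ["PUMP_B_FS", "MOV_B_FO", "CCF_PUMPS"]),
}
# Constructed basic event probabilities (per demand).
BASIC: Dict[str, float] = {
    "PUMP_A_FS": 3e-3, "PUMP_B_FS": 3e-3,
    "MOV_A_FO": 2e-3, "MOV_B_FO": 2e-3,
    "CCF_PUMPS": 3e-4,
}


def minimize(sets: Set[Cutset]) -> Set[Cutset]:
    """Keep only minimal cutsets: drop any set that strictly contains another."""
    return {s for s in sets if not any(o < s for o in sets)}


def minimal_cutsets(node: str, gates: Dict[str, Gate], basic: Dict[str, float]) -> Set[Cutset]:
    """Expand a gate top-down: OR = union of the children's cutsets, AND = union of one
    cutset from each child over all combinations; then minimize."""
    if node in basic:
        return {frozenset([node])}
    kind, children = gates[node]
    child_sets = [minimal_cutsets(c, gates, basic) for c in children]
    if kind == "OR":
        combined = set().union(*child_sets)
    elif kind == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {kind!r} at {node}")
    return minimize(combined)


def quantify(cutsets: Set[Cutset], basic: Dict[str, float],
             truncation: float = 0.0) -> Tuple[Dict[Cutset, float], float, float]:
    """Rare-event approximation: each cutset's probability is the product of its basic
    events and the top event probability is their sum. Cutsets below the truncation
    value are dropped, which is the low-cutset-frequency truncation the text refers to.
    Returns (kept cutsets with probabilities, top event probability, dropped probability)."""
    kept: Dict[Cutset, float] = {}
    dropped = 0.0
    for cs in cutsets:
        p = 1.0
        for event in cs:
            p *= basic[event]
        if p >= truncation:
            kept[cs] = p
        else:
            dropped += p
    return kept, sum(kept.values()), dropped


def ccf_share(kept: Dict[Cutset, float], ccf_prefix: str = "CCF_") -> float:
    """Fraction of the kept top event probability carried by cutsets containing a
    common cause event; a large value means the CCF treatment drives the result."""
    total = sum(kept.values())
    ccf = sum(p for cs, p in kept.items() if any(e.startswith(ccf_prefix) for e in cs))
    return ccf / total if total else 0.0


if __name__ == "__main__":
    cutsets = minimal_cutsets("SYS", GATES, BASIC)
    for trunc in (0.0, 1e-5):
        kept, top, dropped = quantify(cutsets, BASIC, trunc)
        print(f"truncation={trunc:g}: {len(kept)} of {len(cutsets)} cutsets kept, "
              f"P(SYS)={top:.3e}, dropped={dropped:.1e}, CCF share={ccf_share(kept):.1%}")
```

The same run with CCF_PUMPS removed from the OR gates is the "independent failures only" model: its top event probability is an order of magnitude lower, and at the 1E-5 truncation nothing survives at all, which is exactly the situation the text warns about when common cause combinations are left to be picked up after truncation.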

Certain types of human error events should also be considered in the systems analysis. These events include, at a minimum, those human actions that cause the system or component to be inoperable when demanded. These events (also referred to as pre-initiator human events) are analyzed as part of the human reliability analysis, discussed in Section 2.1.5. Other human events can be included in the systems analysis model. These events include those actions needed for the operation of the system or component. These events (also referred to as post-initiator human events) are also analyzed as part of the human reliability analysis, discussed in Section 2.1.5.

System models should also treat conditional faults. These failures are discussed below under system dependencies and interfaces.

Supercomponents or modules can be used. However, the modularization process should be performed in a manner that avoids grouping events (i.e., component failures, testing and maintenance unavailabilities, and human errors) with different recovery potential (e.g., hardware failures that cannot be recovered versus actuation signals which can), human error events, events which are mutually exclusive of other events not in the module, and events which occur in other fault trees (especially common cause events). Note that some risk-informed regulatory applications of PRA may necessitate that certain events be removed from modules.

Modeling System Dependencies and Interfaces

A PRA should model the dependencies and interfaces between and among the systems and components. At a minimum, the following dependencies and interfaces should be modeled:

• System Initiation, Actuation, and Operation - those systems that are required for initiation, actuation, and continued operation of the system (i.e., for both the frontline mitigating systems and support systems) are identified, e.g., AC and DC power and instrument air. In modeling the initiation and actuation of a system, the conditions needed for initiation and actuation (e.g., low RPV water level) should also be addressed. For example, a condition required to initiate a system automatically may not exist in some accident sequences. Thus, failure of that portion of the automatic actuation system has a probability of 1.0 for those accident sequences.

• System Isolation, Trip, or Failure - those conditions that can cause the system to isolate or trip and those conditions that, once exceeded, can cause the system to fail. At a minimum, the conditions considered include environmental conditions, the temperature and pressure of the fluid being processed, external water level status, water and air temperature, pressure, humidity, and radiation levels. These conditions may arise when other systems fail to function. Examples of required systems include HVAC, service/component cooling water, heat tracing on piping and tanks to prevent boron solution precipitation, instrumentation (pressure, temperature, level, etc.), and water transfer systems to maintain tank levels.

Examples of conditions that can isolate, trip or fail a system or component include:

  - For BWRs, high pressure in the RPV will prevent opening of the low pressure injection system isolation valves.
  - A diesel generator will trip when the high jacket water temperature setpoint is reached. This condition can occur when the supporting cooling water supply to the diesel generator is lost.
  - Inadequate pump NPSH due to low suction source level or high temperatures, clogging of strainers, steam binding of auxiliary feedwater pumps, and steam environment effects are a few examples of conditions that can fail pumps.

Because of the attempted realistic nature of PRAs, there are many examples where allowance is made for the operability of equipment beyond its design basis. This credit is allowed to account for the design margins built into most equipment used in a nuclear power plant and hence to recognize that equipment may function in conditions that are beyond those accounted for in the design basis. Examples include operability of pumps under saturated water suction conditions, steam relief valve operability even when the valve is operating under two-phase flow conditions, battery operability given that all charging to the batteries has been lost, human performance under undesirable environmental or radiation conditions, etc.

While crediting the potential for this operability supports the intent to provide a realistic analysis, such judgments of operability can often "drive" the results of the analysis and significantly impact the dominant sequences and the contributing equipment that most affect the core damage frequency estimated in the PRA; therefore, such judgments should be supported. Test data, actual plant experience, vendor information regarding experience of similar equipment in other applications, and technical analyses are examples of acceptable evidence. Otherwise, it should be assumed that once the expected conditions in the scenario exceed the design basis limits for the equipment, the equipment then fails with a probability of 1.0.

• System Capability - those conditions that can cause the system, though operable, to not meet the required function. Examples of this nature include flow diversion and insufficient inventories of air, water or power to support continued operation of the system for the assumed mission time. Such "failures" are explicitly treated in the modeling process using realistic operability considerations and should be supported with analysis; otherwise, it should be assumed that once these conditions exist the equipment/system fails with a probability of 1.0.

• Shared Equipment - those components and equipment that are shared among systems. Passive components not typically modeled are included when their failure impacts more than one system (e.g., a discharge pipe from a tank feeding two separate systems).

Screening and Excluding Components and Failure Modes

It is not always necessary to model every component or failure mode. However, certain risk-informed regulatory applications of the PRA may necessitate that components and/or failure modes not generally included be added to the system models.

In screening or excluding components or failure modes, the following criteria are suggested:

• Screen/Exclude Component - The total failure probability of the component (sum of all failure modes) is at least two orders of magnitude lower than the next highest failure probability of another component in the same system train, and the component (to be screened/excluded) does not have any dependencies or interfaces with other components or systems. In some cases, passive components are excluded based on the fact that failure rates for these components are substantially lower than those of active components.

• Screen/Exclude Failure Mode - The probability of the failure mode is at least two orders of magnitude lower than the next highest failure probability of another failure mode of that component (and there is no high potential for common cause failure). An example is the probability of spurious closure of an MOV compared to the probability of it failing to open.

2.1.3.2 Application Impact Considerations

It is possible that a particular change to a plant's CLB may affect the systems analysis task. The proposed change may result in:

• Additional/fewer systems being modeled,
• A change in the modeling of component/system unavailability,
• Additional/fewer components being modeled,
• A change in the types of component failure modes included in the model,
• A change in common cause modeling,
• A change in HRA modeling within the system's fault tree,
• A change in component/system operability limits, or
• Removal of events from the supercomponent modules, or addition of events to them.

2.1.3.3 Interfaces with Other Tasks

The sequence analysis task identifies the plant systems that need to be analyzed. The data analysis task interfaces with the systems analysis task to ensure that the same events are treated in both and that the component boundaries are the same in both. The systems analysis task may provide some initiating events and assesses the impact of initiating events on systems (used in sequence analysis). Systems analysis cutsets may be used to generate sequence cutsets. It also provides information on various types of dependencies for the sequence analysis. Information on success criteria and accident progression is also provided.

2.1.3.4 Documentation

The following system analysis information should be documented:

• A list or general description of the information that was used in the development of the system models, including a brief discussion of the following:
  - System function and operation under normal and emergency operations
  - Actual operational history indicating any past problems in the system operation
  - System success criteria and relationship to accident sequence models
  - Human actions necessary for operation of the system
  - List of all test and maintenance procedures
  - System schematic illustrating all equipment and components necessary for system operation
  - Records/notes of walkdowns and significant discussions with plant staff.
• System dependencies and shared component interfaces documented using a dependency matrix or dependency diagram indicating all dependencies for all components among all systems (frontline and support).
• Table listing the failure modes modeled for each component and the event quantification.
• General spatial information and layout drawings to support external event analyses.
• Assumptions or simplifications made in the development of specific system models.
• The nomenclature for the basic events modeled.
• The freeze date used to represent the design and operation of the plant.
• Any general assumptions that were made in the development of the systems models, as well as the bases for the assumptions and their impact on the final results.
• List of all components and failure modes included in the model, along with justification for any exclusion of components and failure modes.
• Information and calculations to support equipment operability considerations and assumptions.
• References to specific controlled input documents used for modeling (e.g., piping and instrumentation diagrams).
• Documentation of the modularization process (if used).
• Records of resolution of logic loops developed during fault tree linking (if used).
• How the application changes the baseline model.

2.1.4 Data Analysis

The input parameters for the Level 1 portion of the PRA include initiating event frequencies, equipment reliabilities, unavailabilities due to out-of-service time, and common cause failure probabilities, together with their associated uncertainty distributions. For each of these four types of parameters, the task activities include identifying the data sources, selecting and screening the raw data, and quantifying the data parameters.

2.1.4.1 Considerations for the Baseline PRA

The following points are typically considered in performing data analysis:

Initiating Event Frequencies

Selection and grouping of initiating events following the discussion in Section 2.1.1 would form the basis for reviewing and identifying the particular plant events or generic data that could be used for estimating the initiating event frequencies. For transient initiating event frequencies, the number and nature of plant scrams and unplanned shutdowns and the hours the generator is on line should be identified. For initiators where there are few or no plant-specific events, generic initiating event frequencies should be used to establish prior distributions for Bayesian updating with the available plant-specific data. NSAC-188 (Ref. 2.9) provides data on the frequency of loss-of-offsite-power (LOOP) events. NUREG/CR-5032 (Ref. 2.10) provides an acceptable method of Bayesian updating with plant-specific data. Expert judgment elicitation can be performed according to the method in NUREG/CR-4550 for estimating special parameters, such as constructing the site-specific seismicity curve for seismic analysis. Certain initiator frequencies (e.g., loss of support systems) may be estimated by constructing and quantifying plant-specific fault trees.

Equipment Reliability

The relevant parameters for equipment reliability are the demand failure probability (for standby equipment required to start or change state) and the operating failure rate (for equipment that should operate for some time after an accident or transient to mitigate its effect or impact). The preferred method for estimating equipment reliability parameters is Bayesian updating, in which generic data are used as a prior distribution and updated with plant-specific data. Generic data sources should be representative of the plant components, and the nature of the failures and demands in the pooled data set should be consistent with the plant-specific applications modeled in the PRA. Generic data used in the model should be pedigreed and justified for applicability to the specific plant under study. The component boundaries and failure modes defined in the model are to be consistent with those in the generic and plant-specific data. EPRI TR-100381 (Ref. 2.11) provides useful information on the process for data collection and reduction, along with examples of equipment boundaries. The raw data needed to estimate these parameters are the number of demands, the number of demand failures, the number of failures observed while running, and the running (operating) time.

In quantifying component reliability, actual demands and those that reasonably approximate the conditions of the required accident/transient response should be used. For those cases where demands are not normally tracked (e.g., using a safety pump to regularly fill a tank), demands can be estimated by establishing a representative history. Demands and their associated failures should be collected and tabulated by the nature of the demand (i.e., actual, spurious, type of test, etc.). Pooling demands and associated failures can be done when (1) the nature of the demands is similar, (2) the nature of the failures is similar, and (3) the failure probabilities from the pooled sources represent similar statistical populations.

Data used in the component failure probability estimations should be representative of the current component design and operation. Therefore, failure events may be examined in detail to show whether plant modifications have eliminated the types of failures previously identified and have not introduced other credible failure mechanisms not previously observed. Failures recovered promptly from the control room, such that the function of the component was not compromised, can be excluded as failures from the data set, provided that the model does not credit such recovery elsewhere. Repeated failures occurring within a small time interval should be counted as a single demand and a single failure if there is a single, repetitive problem that causes the failures. (For example, if a valve fails to open and subsequently receives multiple demands to open, only one failure and one demand should be counted.) For failures discovered by means other than a valid demand, the equipment unavailability resulting from such a failure should be counted against the accumulated equipment unavailability. (For example, an operator discovers while taking log readings that a pump has no oil in its lubrication reservoir, rendering it inoperable.)

The failure-to-run rate is used for operating equipment that should operate for an extended period following a demand. This would normally be the time after which the equipment has reached rated speed or voltage and run long enough to be judged a successful start (generally an equilibrium operating state). The data needed (for equipment normally in standby) are the cumulative hours of operation after a successful start and the number of failures observed during these hours of operation. For equipment normally operating, the data needed are the cumulative operating time and the number of failures observed during these hours of operation. For test surveillances or other demands for which the actual run times are distinctly less than the length of the mission time modeled in the PRA, it should be determined whether the failure rate derived from truncated tests or demands is applicable over the mission time.

The statistical estimation techniques would consider the types of parameters to be estimated and the availability of generic or plant-specific data in "raw" or "treated" forms. These considerations should also include the choice of prior distribution in case Bayesian techniques are implemented.
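The Bayesian updating and the demand-counting rules described above, as an added worked example that is not from NUREG-1602, NUREG/CR-5032 or EPRI TR-100381: the demand history, the generic priors and the plant run hours are all constructed. The priors are expressed as a mean plus an equivalent number of demands (Beta prior for the demand failure probability) or an equivalent exposure time (Gamma prior for the failure-to-run rate), which is one common way to parameterize conjugate priors but not the only one. The posterior means are then combined into a mission unavailability for an assumed 24-hour mission time.

```python
"""Added example (not from NUREG-1602): conjugate Bayesian updating of the demand
failure probability and the failure-to-run rate, after reducing a constructed
plant-specific demand history with the counting rules given in the text."""
from dataclasses import dataclass
from math import exp
from typing import Iterable, List, Tuple


@dataclass
class DemandRecord:
    """One plant-specific demand on a standby component (constructed input)."""
    kind: str                               # "actual", "surveillance", "spurious", ...
    failed: bool
    repeat_of_same_fault: bool = False      # later demand on an already-failed component
    recovered_from_control_room: bool = False


def count_demands(records: Iterable[DemandRecord], pooled_kinds: Iterable[str]) -> Tuple[int, int]:
    """Reduce raw records to (demands, failures): only demand kinds judged similar are
    pooled; repeat demands on a single repetitive fault add no demand and no failure;
    a failure promptly recovered from the control room is a demand but not a failure
    (valid only if the model credits no such recovery elsewhere)."""
    pooled = set(pooled_kinds)
    demands = failures = 0
    for r in records:
        if r.kind not in pooled or r.repeat_of_same_fault:
            continue
        demands += 1
        if r.failed and not r.recovered_from_control_room:
            failures += 1
    return demands, failures


def beta_posterior(prior_mean: float, prior_equiv_demands: float,
                   demands: int, failures: int) -> Tuple[float, float]:
    """Demand failure probability: Beta(a, b) prior from generic data, expressed as a
    mean and an equivalent number of demands, updated with binomial plant data."""
    a = prior_mean * prior_equiv_demands
    b = (1.0 - prior_mean) * prior_equiv_demands
    return a + failures, b + (demands - failures)


def gamma_posterior(prior_rate: float, prior_equiv_hours: float,
                    run_hours: float, run_failures: int) -> Tuple[float, float]:
    """Failure-to-run rate: Gamma(shape, rate) prior from generic data, expressed as a
    mean rate and an equivalent exposure time, updated with Poisson plant data."""
    shape = prior_rate * prior_equiv_hours
    return shape + run_failures, prior_equiv_hours + run_hours


def beta_mean(a: float, b: float) -> float:
    return a / (a + b)


def gamma_mean(shape: float, rate: float) -> float:
    return shape / rate


def mission_unavailability(q_start: float, lam_run: float, mission_hours: float) -> float:
    """Probability the component fails to start or fails to run through the mission time."""
    return 1.0 - (1.0 - q_start) * exp(-lam_run * mission_hours)


# Constructed demand history: one actual demand, 20 successful surveillance demands,
# one surveillance failure, one repeat demand on that same fault (not counted), one
# surveillance failure recovered from the control room (demand, not failure), and one
# spurious demand that is not pooled with the others. Net: 23 demands, 1 failure.
RECORDS: List[DemandRecord] = (
    [DemandRecord("actual", False)]
    + [DemandRecord("surveillance", False) for _ in range(20)]
    + [DemandRecord("surveillance", True),
       DemandRecord("surveillance", True, repeat_of_same_fault=True),
       DemandRecord("surveillance", True, recovered_from_control_room=True),
       DemandRecord("spurious", False)]
)
# Assumed generic priors and plant run data (illustrative, not from any data source).
GENERIC_Q_MEAN, GENERIC_Q_EQUIV_DEMANDS = 3.0e-3, 500.0
GENERIC_LAMBDA, GENERIC_LAMBDA_EQUIV_HOURS = 1.0e-4, 20000.0
PLANT_RUN_HOURS, PLANT_RUN_FAILURES = 1500.0, 0
MISSION_HOURS = 24.0


def worked_example() -> Tuple[float, float, float]:
    """Returns (posterior mean Q_fts, posterior mean lambda_ftr, mission unavailability)."""
    n, f = count_demands(RECORDS, {"actual", "surveillance"})
    a, b = beta_posterior(GENERIC_Q_MEAN, GENERIC_Q_EQUIV_DEMANDS, n, f)
    shape, rate = gamma_posterior(GENERIC_LAMBDA, GENERIC_LAMBDA_EQUIV_HOURS,
                                  PLANT_RUN_HOURS, PLANT_RUN_FAILURES)
    q, lam = beta_mean(a, b), gamma_mean(shape, rate)
    return q, lam, mission_unavailability(q, lam, MISSION_HOURS)


if __name__ == "__main__":
    q, lam, u = worked_example()
    print(f"Q_fts posterior mean = {q:.3e}, lambda_ftr = {lam:.3e}/h, "
          f"{MISSION_HOURS:.0f}-h mission unavailability = {u:.3e}")
```

The equivalent-demands figure is the lever that decides how much the plant data move the estimate: with 500 equivalent demands in the prior and 23 plant demands, the posterior stays close to the generic value; a weaker prior would let the single plant failure dominate, which is why the text asks for the prior choice to be documented and justified.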

Equipment Unavailabilities

Out-of-service unavailability data are needed for equipment removed from service for planned or unplanned repair or testing. The data required are the out-of-service time for each component and the total time the component is required to be operable. Coincident outage times for redundant equipment (both intra- and inter-system) should be examined and accounted for based on actual plant experience. Calculations of outage unavailabilities should reflect actual plant experience.

Common Cause Failures

Options for estimating common cause failure (CCF) parameters are: (1) the Alpha factor model, (2) the Beta factor model, (3) the Multiple Greek Letter model, and (4) the Binomial failure rate model. The data needed for estimating common cause failure probabilities are the number of independent failures and the number of multiple failures due to a common cause. Since there are generally insufficient data to derive plant-specific estimates of the common cause failure parameters, generic data should be used. However, the generic data should be evaluated to determine their applicability to a specific plant. In those cases where some plant-specific data are available, they can be used to update the generic data with Bayesian methods. The methods and database from the AEOD report (Ref. 2.8) could be used for deriving common cause failure probabilities.
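The Alpha factor and Beta factor models named above, as an added worked example that is not from NUREG-1602 or the AEOD report: alpha factors are estimated from constructed event counts for a three-pump common cause group, converted into the k-of-3 common cause basic event probabilities with the non-staggered-testing form of the alpha factor model (the staggered-testing form differs, so that choice is an assumption here), checked against the requirement that summing a component's share of every basic event recovers its total failure probability, and used to quantify the probability that all three pumps fail, both as the rare-event cutset sum and exactly.

```python
"""Added example (not from NUREG-1602 or the AEOD report): alpha factor and beta factor
common cause parameters from event counts, conversion to the k-of-m basic event
probabilities that enter a fault tree, and a check of the resulting system probability."""
from itertools import combinations, product
from math import comb
from typing import FrozenSet, List, Set


def alpha_factors(event_counts: List[int]) -> List[float]:
    """alpha_k = n_k / sum(n_j), where n_k is the number of events in which exactly k of
    the m components in the group failed (k = 1..m). List index 0 holds k = 1."""
    total = sum(event_counts)
    return [n / total for n in event_counts]


def alpha_factor_model(q_t: float, alphas: List[float]) -> List[float]:
    """Q_k = (k / C(m-1, k-1)) * (alpha_k / alpha_t) * Q_t with alpha_t = sum(k * alpha_k):
    the non-staggered-testing form of the alpha factor model (assumed here). Q_t is the
    total failure probability of one component; Q_k is the probability of the basic event
    'one specific set of k components fails from common cause'."""
    m = len(alphas)
    alpha_t = sum(k * a for k, a in enumerate(alphas, start=1))
    return [k / comb(m - 1, k - 1) * a / alpha_t * q_t for k, a in enumerate(alphas, start=1)]


def beta_factor_model(q_t: float, beta: float, m: int) -> List[float]:
    """Beta factor: a fraction beta of Q_t fails all m components together, the rest is
    independent; there are no partial (2..m-1 of m) common cause events in this model."""
    probs = [0.0] * m
    probs[0] = (1.0 - beta) * q_t
    probs[m - 1] += beta * q_t
    return probs


def component_total(probs: List[float]) -> float:
    """Total failure probability of one component = sum_k C(m-1, k-1) Q_k; must equal Q_t."""
    m = len(probs)
    return sum(comb(m - 1, k - 1) * q for k, q in enumerate(probs, start=1))


def ccf_basic_events(m: int) -> List[FrozenSet[int]]:
    """Every non-empty subset of the m components is a basic event (size 1 = independent)."""
    return [frozenset(s) for k in range(1, m + 1) for s in combinations(range(m), k)]


def all_fail_minimal_cutsets(m: int) -> Set[FrozenSet[FrozenSet[int]]]:
    """Minimal sets of basic events whose union covers all m components: the minimal
    cutsets of a system that fails only when every one of the m components fails."""
    events = ccf_basic_events(m)
    everything = frozenset(range(m))
    covers = {frozenset(c) for r in range(1, len(events) + 1)
              for c in combinations(events, r) if frozenset().union(*c) == everything}
    return {c for c in covers if not any(o < c for o in covers)}


def all_fail_rare_event(probs: List[float]) -> float:
    """Rare-event approximation: sum over minimal cutsets of the product of their events."""
    total = 0.0
    for cs in all_fail_minimal_cutsets(len(probs)):
        p = 1.0
        for ev in cs:
            p *= probs[len(ev) - 1]
        total += p
    return total


def all_fail_exact(probs: List[float]) -> float:
    """Exact probability by enumerating every outcome of the 2^m - 1 basic events
    (feasible for m <= 4); shows the rare-event sum is a tight upper bound."""
    events = ccf_basic_events(len(probs))
    total = 0.0
    for outcome in product((False, True), repeat=len(events)):
        p, failed = 1.0, set()
        for occurred, ev in zip(outcome, events):
            q = probs[len(ev) - 1]
            p *= q if occurred else 1.0 - q
            if occurred:
                failed |= ev
        if len(failed) == len(probs):
            total += p
    return total


# Constructed counts for a 3-pump group: 96 single failures, 3 double, 1 triple.
EVENT_COUNTS = [96, 3, 1]
Q_T = 3.0e-3   # assumed total failure probability of one pump

if __name__ == "__main__":
    q_alpha = alpha_factor_model(Q_T, alpha_factors(EVENT_COUNTS))
    q_beta = beta_factor_model(Q_T, beta=0.05, m=3)
    for name, q in (("alpha factor", q_alpha), ("beta factor", q_beta)):
        print(f"{name}: Q_k = {[f'{x:.2e}' for x in q]}, component total = "
              f"{component_total(q):.2e}, P(all 3 fail) rare-event = "
              f"{all_fail_rare_event(q):.3e}, exact = {all_fail_exact(q):.3e}")
```

The component-total check is the one to keep when converting between models or data sources: if the Q_k values produced for a group do not sum back to the component's Q_t, the generic parameters and the plant-specific total were not defined over the same component boundary, which is the consistency the text requires between the data analysis and systems analysis tasks.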

2.1.4.2 Application Impact Considerations

It is quite likely that proposed changes to the CLB impact the results of data analysis and the estimated parameters. The proposed changes may result in:

1. Changes in the frequency of modeled initiator(s),
2. Changes in the estimated component unavailability contribution due to out-of-service time,
3. Changes in the estimated component unavailability contribution due to changes in the component failure rates, and
4. Potential changes in CCF contributions and new CCF mechanisms.

For every risk-informed regulatory change, the potential for these four items should be examined. This examination should consider SSCs modeled in the PRA as well as SSCs not explicitly modeled (especially those capable of impacting the initiating event frequencies). Plant-specific experience data, industry-wide experience data, and the appropriate engineering and reliability models could be used for such examinations.

2.1.4.3 Interfaces with Other Tasks

Review findings and considerations for selecting, screening, and grouping initiating events (Section 2.1.1) would be used as needed in refining the initiating event frequencies. The mission times used for component reliability estimations are provided by the accident sequence analysis task. The component specification, failure mode identification, and initial operating conditions are determined from the systems analysis task. The systems analysis task also identifies the groups of components for CCF analysis and the potential CCF mechanisms. The results from data analysis are used in the accident sequence quantification task.

2.1.4.4 Documentation

The following information is normally in the baseline PRA documentation. This information would be revised or supplemented as needed following the completion of this task. This information includes:

• The initiating event frequencies.
• The distribution for demand failure probability, standby failure rate, failure-to-run failure rate, and equipment out-of-service unavailability (as applicable) for each event.
• System and component boundaries, mission times, and reliability models used.
• The sources of raw data, generic data, and other information used in estimating initiating event frequencies, equipment reliability, or CCF probabilities.
• The time period from which plant-specific data were gathered.
• Key assumptions made in the data analysis. (The bases for the assumptions and their impact on the results should be discussed in the sensitivity analyses.)
• Raw data records and related interpretations of those records used to derive the data values should be available for review, but need not be part of the PRA submittal.
• Rationale for, and distributions used as, priors for Bayesian updates.
• Changes resulting from the proposed CLB changes.

2.1.5 Human Reliability Analysis (HRA)

An HRA is essential in a PRA to identify and evaluate those human actions relevant to the accident sequences analyzed. Given the high degree of hardware reliability and redundancy, human interfaces can be important in causing, preventing and mitigating an accident. In fact, human errors have been shown to be important contributors to the frequency of core damage and the potential for a large early release. The treatment of such human actions in the baseline PRA and in specific risk-informed applications is thus critical.

2.1.5.1 Considerations for the Baseline HRA

Key factors to consider in reviewing (or supplementing or refining) portions of a baseline HRA are: selecting a human reliability analysis model, selecting human events to model, screening/excluding human events, evaluating and quantifying human events, and integrating the HRA into the sequence quantification work. Each of these areas is discussed below.

Selecting HRA Model/Method

Several HRA methods (including databases) are available to evaluate and estimate the probabilities of human events¹. The strengths and weaknesses of each method should be considered, and the model/method most appropriate to the human events and situations being analyzed should be selected. The method selected has certain inherent characteristics (as described below).

Identifying and Selecting Human Events

Generally, a baseline HRA identifies and quantifies relevant errors of omission (errors in failing to correctly initiate a specific action). Currently, methods to address errors of commission (errors involving unintended actions) have not sufficiently evolved to the point that they are typically included. The relevant errors of omission that are included in a baseline PRA are those human actions that can cause a system or component to be unavailable when demanded (referred to as pre-initiators), and those actions needed to prevent or mitigate core damage given that the initiator has occurred (referred to as post-initiators).

¹ J. Wreathall, "HRA Modeling in IPEs: An Evaluation of Methods and Their Application," NU..., Brookhaven National Laboratory, to be published.

A PRA considers pre-initiator human events that could result in an unrevealed unavailability of a system or component. At a minimum, these events include restoration errors in returning the system or component to its normal state after completion of testing and maintenance, and miscalibration errors (both independent errors and common-cause miscalibration where appropriate). Events should be included that represent:

• failure to restore equipment to the correct standby status as a result of carrying out tests in which equipment required to respond to an initiating event is realigned away from its required position, or in which the demand signal is bypassed or defeated (e.g., testing of the SLC system in BWRs);
• failure to realign those components (typically valves) which, for the execution of maintenance, are required to be realigned away from their normal positions, and are either manually operated, operated with power removed, or have automatic realignment disabled;
• sensors which, if miscalibrated, could cause failure of a required system to initiate or respond (e.g., steam generator level sensors).

A PRA should consider both response and recovery post-initiator human events. Response actions are those human actions performed in direct response to the accident (i.e., actions delineated in the procedures). Human response actions that are included in a PRA are those actions required to initiate, operate, control, or terminate those systems and components needed to prevent or mitigate core damage. The modeled response actions include those actions needed to ensure that the systems or components meet the requirements of the success criteria defined for those systems or components in the systems analysis. Recovery actions include those human actions performed in recovering a failed or unavailable system or component. Recovery actions may also include using systems in relatively unusual ways. However, credit for recovery actions may not be given unless at least some procedural guidance is provided or the operators receive frequent training that would lead them to perform the required actions. Recovery actions can also include restoration and repair of failed equipment (i.e., hardware failure). Generally, restoration following loss of offsite power, loss of PCS, loss of diesel generators, and loss of DC buses has been credited using actuarial data rather than by HRA methods. Table 8.2-10 of NUREG/CR-4550 provides acceptable values for these events. NSAC-188 (Ref. 2.9), or a later NSAC report, is an acceptable source of data for restoration of offsite power. Due to the general lack of acceptable data, restoration and repair of other equipment is generally not credited in a PRA.

The human events selected for evaluation in a PRA reflect the actual operating and maintenance practices of the plant. At a minimum, plant walk-throughs, interviews with plant personnel (e.g., training staff, shift supervisors, shift technical advisors), and procedure review are performed in identifying and selecting human events for a PRA. Observation of simulator exercises of the modeled accident sequences can provide additional information regarding control room operational practices and crew performance; observations of maintenance crew performance can also be made.

The HRA should address both the "diagnosis" and "execution" portion of each post-initiator human event. Diagnosis is usually assumed to include detecting and evaluating a changed or changing plant condition and deciding what response is required. Obviously, the complexity can vary, but a diagnosis may entail no more than detecting an indication in the control room and deciding to execute a prescribed response according to symptom-based emergency operating procedures (EOPs). Evaluation of the execution of a human action entails examining the activities to be conducted as indicated by the diagnosis.

In a PRA, post-initiatorhuman events are generally assumed to entail a diagnosis phase. Exceptions to evaluating a diagnosis phase include those instances when the diagnosis of a previously modeled human event can be shown to include that for a subsequent event.

Failure to explicitly model and evaluate the execution of a human action is appropriate when the HRA method being used stipulates that the likelihood of potential execution failures is included in the diagnosis value for certain kinds of events. However, relatively complex actions may not be contained within the diagnosis value (e.g., unusual actions performed outside the control room). The application of any HRA method requires the analyst to ensure that the assumptions and characteristics of the method are appropriate for the event being analyzed. Most existing methods provide alternatives for the treatment of different types of events.

Screening/Excluding Human Events

There are numerous human events that do not play a "critical" role in initiating, preventing, or mitigating core damage. A screening analysis can be performed to identify and exclude these events from detailed evaluation.

However, the screened human events should be reconsidered for every risk-informed regulatory application of the PRA to ensure that all of the risk-contributing actions are included in the application analysis.

Human events, such as all pre-initiators, generally cannot be excluded from consideration based on the argument that these events are included in the component hardware data. Many human events (such as miscalibration) occur rarely and are not necessarily reflected in the random failure data. Further, their effects can be subtle in that they impact multiple systems and thus can be a key factor contributing to core damage.

In screening human events, the following criteria can be used:

if the componentsthat are reconfiguredare misaligned but not disabled and would receive a realignment e

signal on system demand, events associated with realignment of the components can be screened out.

(This is already embedded in the selection criteria suggested above.)

if the activity is a maintenance activity and a full functional test is carried out on completion of maintenance, misalignment of components can be screened out.

if the status of reconfigured components is indicated in the control room, and the expected frequency of reconfigurationis low, compared to the frequency of status checking,the failure to restore can be screened out.

- Quantitative screening values for post-initiator human errors are typically used in the initial PRA quantification process when the human events are modeled in the event trees as top events or in the fault trees. The screening values assigned should be high enough to ensure that the impact of dependencies between events is not underestimated. If screening values are too low and potential dependencies are not considered, important sequences may be truncated. If screening values are assigned before the initial quantification without any examination of the events and potential dependencies, screening values not less than 0.5 (assuming that cutset truncation values around 1E-9/ry are used in the quantification process) are recommended for post-initiator human events.

2-25 Draft, NUREG-1602

2 Internal Event Level 1 PRA for Full Power Operations

In the final quantification step, if screening values remain for any of the human events, care should be taken so that this situation does not distort the results. Screening values, by definition, are relatively high probabilities, and when mixed with human events of more realistic values, could erroneously "drive" the results. That is, a sequence could become dominant because it included a human event with a screening value that did not properly represent the actual "reliability" of the operator. Following the initial quantification, all the human events not in the truncated sequences and cutsets should be quantified with a detailed HRA model in order to bring the true significance of human actions to the final results.

Evaluating and Quantifying Human Events

The actual performance of the operators is reflected in the estimated likelihood of an operator failing to diagnose, perform, or properly execute the needed action. Therefore, the quantification of the human events, in a PRA, incorporates plant-specific factors and practices. These factors include the following:

- Plant "conditions" affecting operator performance, including:

  - The quality (type and frequency of training) of the operator training, the written procedures, and the administrative controls.

  - The environment (e.g., lighting, heat, radiation) under which the operator is working.

  - The accessibility of the equipment requiring manipulation.

  - The necessity, adequacy, and availability of special tools, parts, clothing, etc.

  - The quality of the human-machine interface.

  - The availability of instrumentation needed to take corrective actions.

- The time available to the operator to determine and perform the desired action, compared with the time that is actually needed to determine and perform the action. The available time is accident sequence specific and is determined from engineering analyses which include actual time measurements derived from walk-throughs and simulator observation. The point at which the operators receive relevant indicators is also considered in determining available time. Thermal-hydraulic calculations can be used to help determine the time available for performing required actions.

- Task characteristics such as the number of subtasks and their complexity.

- The potential for additional checks (e.g., due to indication of changing plant parameters) on operator actions (immediate recoveries) and the expected arrival of additional support such as an emergency response team.

- Dependencies and interfaces between the human events and their relationship to the accident scenario, including the following:

  - For pre-initiators, the capability of the operator to impact more than one component, train, or system is considered. (For example, the likelihood of the operator miscalibrating all level and pressure instrumentation simultaneously should be considered.)

  - For post-initiators, the human event is evaluated relative to the specific context of the accident progression. Therefore, for different accident sequences, the human event is evaluated for each sequence. The influence of previous human actions and system performance is considered relative to its influence on the human event under consideration. Time dependency is also considered in the sense that the total available time should be considered across the entire sequence. For example, if most of the total time available is allocated to the first operator action in a sequence, then the potential success of remaining actions is impacted.

The following criteria can be used to help ensure that no dependencies exist between human events (i.e., the events are truly independent):

- No common "environmental" factors exist (lighting, temperature, etc.).

- No common human-related factors exist (e.g., same/similar procedure, common cues, same crew performing multiple calibrations on the same day, etc.).

- Different personnel are involved in diagnosing and executing the human action or series of human actions.

Errors made in performance by the original operator can be "recovered" by the same operator (e.g., new plant status information) and by other plant personnel (e.g., post maintenance verification by a separate operator, role of shift technical advisor, role of emergency response team). Total credit for all such "recoveries" should not exceed a factor of 10 (higher credits should be identified and justified). This suggested limit is based on the uncertainty associated with determining the actual independence of the plant personnel and the ability to precisely quantify human performance, particularly considering all the different uncertainties.

Operators can perform numerous activities during an accident to prevent core damage from occurring. However, the likelihood of these actions can become questionable if too many or unrealistic operator actions are modeled.

While all reasonable actions for which time is available can be modeled, it is recognized that an operator or control room failure in one instance (e.g., failure to follow procedure) has the potential to influence the likelihood of later operator success. Thus, potential dependencies should be considered, and it is recommended that for a given cutset, the total "crew" (both control room and ex-control room operators plus any and all other personnel such as the emergency response team) failure probability be bounded to reflect resource limitations and other uncertain factors.

The above factors are used in determining what data are selected from the various HRA methods in deriving the actual human error probabilities (HEPs). The quantified HEPs are characterized as dictated in the selected HRA method. For example, the Technique for Human Error Rate Prediction (THERP) characterizes data as median values with a lognormal distribution. However, the values input into the sequence quantification should be mean values; therefore, depending on the HRA method being used, conversion to a mean might be necessary.

Furthermore, the associated distribution can potentially result in a portion of it being greater than 1.0 (e.g., an HEP mean value of 0.8 with an error factor of 15 will result in the 95% confidence limit being greater than 1.0). In such cases, modification of the distribution is required. An acceptable approach is the use of the maximum entropy distribution, which sets both the upper and lower limits.

An essential aspect in the quantification of the human events is a "sanity" check of the HEPs. The analyst should review the final HEPs relative to each other to check their reasonableness given the plant history and operational practices and experience. For example, the human events with the relatively higher failure probabilities are generally events involving more complex, difficult activities that are performed under more burdensome, time constrained, and stressful circumstances. The human events with the relatively lower failure probabilities are generally events performed under more common, routine and straightforward circumstances.


Integrating HRA Into Sequence Quantification

The human events in a PRA are integrated into the overall model using several methods. Pre-initiator human events are included directly in the system fault trees, where the process of model quantification accounts for human error impact on the results. Post-initiator human errors, however, can be modeled as a top event in the accident sequence development (e.g., event trees), as a basic event in the fault trees, and/or incorporated directly into the cutsets. However post-initiator events are incorporated into the models, care should be taken so that the actual human error probability used in the quantification process addresses dependencies between operator actions, sequence timing, and the other factors influencing the HEP. The attributes for this incorporation are provided in Section 2.1.6.

2.1.5.2 Application Impact Considerations

It is possible that a particular change to a plant's CLB may influence the HRA models and results. Proper use of a PRA in a risk-informed regulatory application requires that the impacts of proposed plant or procedural changes be included in the PRA. The actual nature of the impact will be application specific. However, in general, the proposed change should be evaluated for the impact on the following HRA considerations:

- The appropriateness of the selected HRA methodology.

- Identify if any new human event may occur as a result of the CLB change. Alternatively, determine if an existing human action modeled in the baseline PRA is no longer of concern due to the CLB change.

- Review the human actions excluded in the baseline PRA to ensure the exclusion is still appropriate for the CLB change evaluation.

- Identify if the CLB change would impact any factor used in quantifying the baseline PRA human events, and modify the quantification as appropriate.

- Identify if the CLB change would impact human events included in the evaluation of the containment performance during a severe accident.


2.1.5.3 Interfaces with Other Tasks

The HRA portion of a PRA interfaces with several other PRA tasks. Beginning with the initiating event task, the HRA may be used to support the identification of human-related initiating events. The HRA task also identifies the human events to be included in the plant logic model (i.e., the human error events included in the event tree structure) and in the systems models (both pre-accident human errors and response actions). The quantification of post-accident human error probabilities is performed within the context of the accident sequence cutsets and thus can only be performed after a preliminary quantification of the PRA model provides the combination of events and their timing that result in core damage.

The HRA also provides support to the Level 2 portion of a PRA. Human actions required to mitigate a core damage accident and prevent a release can be evaluated using the same techniques used in the Level 1 analysis.

2.1.5.4 Documentation

The documentation of an HRA should be sufficient that a peer reviewer can reproduce the results. At a minimum, the following information pertinent to the baseline HRA should be documented. In addition, modifications to the baseline HRA should be documented for each CLB change application evaluation.

- A list or general description of the plant information that was used in the HRA.

- A list of all human actions evaluated (both pre- and post-initiator).

- A list of all HEPs for each human action.

- A list of factors used in the quantification of the human actions, how they were derived (their bases), and how they were incorporated into the quantification process:

  - time available versus time required
  - dependencies
  - plant-specific PSFs
  - diagnosis and execution.

- Source of data used to quantify human actions.

- Screening values and their bases.

- Any assumptions that were made in the human reliability analysis, as well as the bases for the assumptions and their impact on the final results.

2.1.6 Accident Sequence Quantification

The model results include point estimates, as well as results of uncertainty analyses and appropriate importance measures and sensitivity analyses, to the extent that these provide additional insights and confidence in the results.

Factors important to the accident sequence quantification task are discussed in this section.

2.1.6.1 Considerations for the Baseline PRA

Selecting the Quantification Model/Code

Several accepted computer codes are available to perform the quantification; however, the computer code actually used should be benchmarked. The computer codes can use the rare event approximation when event probabilities are below 0.1. However, use of the minimal cutset upper bound is always suggested as a minimum to avoid overly pessimistic results. The code should be capable of accounting for system successes in addition to system failures in the evaluation of accident sequence cutsets. This can be accomplished using either complementary logic or a delete term approximation used in many existing codes. In either case, success probabilities of equipment failures and human errors are used in the computation when the probability is not close to 1.0.
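The rare event approximation and the minimal cutset upper bound can be compared on a small cutset list. The following Python is an added example, not code from the document or from any PRA quantification code; the cutsets, the probabilities and the "~X" notation for a success (complemented) term are constructed for illustration. The third estimate, exact inclusion-exclusion, is included only as the reference the two approximations are measured against.

```python
from itertools import combinations


def literal_probability(name, probs):
    """Probability of one literal: 'X' is the failure of X, '~X' its success (1 - p)."""
    if name.startswith("~"):
        return 1.0 - probs[name[1:]]
    return probs[name]


def cutset_probability(cutset, probs):
    """Product over a cutset's literals (independent basic events).

    A set containing both X and ~X describes an impossible combination, so its
    probability is zero; this matters when cutsets are intersected below.
    """
    p = 1.0
    for name in cutset:
        if name.startswith("~") and name[1:] in cutset:
            return 0.0
        p *= literal_probability(name, probs)
    return p


def rare_event_approximation(cutsets, probs):
    """Sum of cutset probabilities; overstates the union when events are not rare."""
    return sum(cutset_probability(c, probs) for c in cutsets)


def min_cutset_upper_bound(cutsets, probs):
    """1 - prod(1 - P(cutset)): bounds the union from above and never exceeds 1."""
    q = 1.0
    for c in cutsets:
        q *= 1.0 - cutset_probability(c, probs)
    return 1.0 - q


def exact_union_probability(cutsets, probs):
    """Inclusion-exclusion over every combination of cutsets (exponential; small lists only)."""
    total = 0.0
    for k in range(1, len(cutsets) + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(cutsets, k):
            total += sign * cutset_probability(frozenset().union(*combo), probs)
    return total


def quantify(cutsets, probs):
    """All three estimates side by side; exact <= MCUB <= REA holds for coherent (no '~') models."""
    return {
        "rare_event": rare_event_approximation(cutsets, probs),
        "mcub": min_cutset_upper_bound(cutsets, probs),
        "exact": exact_union_probability(cutsets, probs),
    }


# Constructed sample: three two-event cutsets over events A, B, C (not a real plant model).
SAMPLE_CUTSETS = [frozenset({"A", "B"}), frozenset({"A", "C"}), frozenset({"B", "C"})]
HIGH_PROBS = {"A": 0.3, "B": 0.4, "C": 0.2}      # not rare: the estimates diverge
LOW_PROBS = {"A": 3e-3, "B": 4e-3, "C": 2e-3}    # rare: all three agree closely

# Success term: A fails while system B succeeds, credited as (1 - p_B) in the product.
SUCCESS_CUTSET = [frozenset({"A", "~B"})]

if __name__ == "__main__":
    print("events near 0.3:", quantify(SAMPLE_CUTSETS, HIGH_PROBS))
    print("events near 3e-3:", quantify(SAMPLE_CUTSETS, LOW_PROBS))
    print("A and not B:", cutset_probability(SUCCESS_CUTSET[0], HIGH_PROBS))
```

With the high probabilities the rare event sum is 0.26 against an exact 0.212, while the minimal cutset upper bound stays at 0.239; with the low probabilities the three agree to better than 1%, which is the regime in which the text allows the rare event approximation.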

Initial sequence quantification can be performed using point estimates. The values used for the point estimates are the mean values of the probability distributions for the basic event failure probabilities. As previously indicated in Section 2.1.5, when screening values are used for post-initiator human error probabilities during the initial quantification, they should be selected to ensure that no potentially important accident sequence cutsets are eliminated. Cutsets generated from the initial quantification should be reviewed to eliminate invalid cutsets. Final quantification should be performed to replace the post-initiator human screening values with appropriate human error values as discussed subsequently.

Selecting Truncation Values

Truncation is an iterative process of eliminating accident sequences and cutsets from further consideration, based on low frequency of occurrence. This truncation is done to simplify the quantification process and make it less time intensive. Truncation is generally performed at a cutset level during the evaluation of each accident sequence, where all cutsets of a frequency less than the selected truncation limit are eliminated. Cutset truncation based on the order of the cutset is not performed because cutset order is independent of the quantitative significance of the cutset.

Sequences with low frequencies can be truncated in either the initial or final quantification process, but the truncation should be performed to avoid missing any accident sequences that significantly contribute to the model estimation of total core damage frequency. At least 95% of the total core damage frequency and 95% of the early and late release frequencies should be expressed in the model results. Also, it should be verified that lowering the truncation limit does not significantly increase the model estimation of total core damage and release frequencies.

Truncation has to be considered both before and after operator recovery actions are applied to avoid discarding important sequences. The final truncation limits can be established by an iterative process of demonstrating that the overall model results are not significantly changed and that no important accident sequences are inadvertently eliminated. As a guide, a truncation value that is four orders of magnitude lower than the final CDF is usually sufficient. Note that the process of quantification including truncation should be performed for each risk-informed regulatory application of the PRA since the impact of the regulatory change can potentially impact which cutsets and sequences can and cannot be truncated.

Footnote: The use of importance measures is provided in Appendix A.
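The iterative selection of a truncation limit described above, as an added Python example (not from the document or from any quantification code). The cutset frequencies, the decade-by-decade search, the 1% stability tolerance and the multiplier that stands in for an application's effect on selected cutsets are constructed assumptions; the 95% retention target and the four-orders-of-magnitude guide are the document's.

```python
# Constructed cutset frequencies (per reactor-year) for one sequence; not real plant data.
# Values are kept off exact decade boundaries so that float comparisons with the limit are unambiguous.
CUTSET_FREQS = [2.0e-5, 1.0e-5, 5.0e-6, 3.0e-6, 1.2e-6, 8.0e-7, 5.0e-7, 3.0e-7,
                1.5e-7, 9.0e-8, 5.0e-8, 2.0e-8, 7.0e-9, 3.0e-9, 1.5e-9]


def retained_frequency(cutset_freqs, limit):
    """Rare-event sum of the cutsets at or above the truncation limit."""
    return sum(f for f in cutset_freqs if f >= limit)


def choose_truncation_limit(cutset_freqs, start=1e-5, target=0.95, tol=0.01):
    """Lower the limit by decades until the retained CDF covers at least `target` of the
    untruncated total and one more decade changes the retained CDF by less than `tol`.

    Returns (limit, retained_cdf, retained_fraction, decades_tried).  The loop always
    terminates: once the limit is below the smallest cutset, everything is retained.
    """
    full = sum(cutset_freqs)
    if full <= 0.0:
        raise ValueError("no non-zero cutsets to truncate")
    limit, tried = start, 0
    while True:
        tried += 1
        retained = retained_frequency(cutset_freqs, limit)
        one_lower = retained_frequency(cutset_freqs, limit / 10.0)
        covered = retained >= target * full
        stable = (one_lower - retained) <= tol * retained
        if covered and stable:
            return limit, retained, retained / full, tried
        limit /= 10.0


def guide_limit(final_cdf):
    """Truncation value four orders of magnitude below the final CDF, the document's rule of thumb."""
    return final_cdf * 1e-4


def newly_retained_after_change(cutset_freqs, multipliers, limit):
    """Indices of cutsets the baseline truncated that rise above the limit once an application
    multiplies selected cutset frequencies (constructed stand-in for a CLB change's effect).
    These cutsets must be brought back into the model before the application is evaluated."""
    changed = [f * multipliers.get(i, 1.0) for i, f in enumerate(cutset_freqs)]
    return [i for i, (old, new) in enumerate(zip(cutset_freqs, changed)) if old < limit <= new]


if __name__ == "__main__":
    limit, retained, fraction, tried = choose_truncation_limit(CUTSET_FREQS)
    print(f"limit {limit:.1e}/ry after {tried} decades: retained {retained:.3e}/ry ({fraction:.1%})")
    print(f"guide limit 1e-4 * CDF = {guide_limit(retained):.1e}/ry")
    print("cutsets to restore if cutset 12 grows 50x:", newly_retained_after_change(CUTSET_FREQS, {12: 50.0}, limit))
```

On the constructed list the search stops at 1E-7/ry with about 99.6% of the total retained; a change that raised one truncated cutset fifty-fold would push it above that limit, which is why the text asks for the truncation to be repeated for each application.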

Integrating HRA Into the Quantification Process

Besides the incorporation of human error events directly into the event or fault tree models, events depicting the non-recovery probability of proceduralized (or otherwise expected) human actions to mitigate an accident sequence should be added during the quantification phase of the analysis. The number of operator recovery actions added to an accident sequence should be limited to "reasonably expected" operator actions. Reasonably expected means that the operator actions are specified in procedures and do not consist of heroic type actions.

Also, as discussed in the previous section, the total credit of post-initiator human actions for a given sequence or cutset should be reasonably bounded (e.g., not less than 1E-6/ry).

Regardless of the type of human error, care should be taken to identify dependencies among multiple human error events which occur in individual cutsets so that the combined human error probability is not optimistically evaluated. This implies that cutset-specific timing and conditional information should be used in the calculation and application of post-initiator operator actions and other recovery actions. Application of such actions at a sequence level cannot generally be performed.

Estimating Uncertainties

The use of PRA in risk-informed regulation should take into account the potential uncertainties that exist so that an estimate can be made of the confidence level applied to the quantitative results obtained for a particular application. The mean values obtained from the PRA are used in the decisionmaking process. Use of the mean value in the decisionmaking process does not, however, resolve the need to quantify (to the extent reasonable) and understand those important uncertainties involved in the PRA and particularly in the risk-informed regulatory application of the PRA.

There are two general types of uncertainty. "Parameter uncertainty" results from the lack of knowledge about the correct failure rates used in the models. "Model uncertainty" occurs when alternate models can be constructed to represent the accident sequence behavior. (This includes concerns about the model completely representing all significant phenomena.)

Parameter uncertainty should be incorporated into the model. This involves propagation of the failure rate distributions calculated in the data analysis task through the PRA models. Events in the PRA representing the same component failure with the same failure rate are correlated in the uncertainty analysis (correlation can dramatically affect the resulting core damage frequency uncertainty distribution). To the extent practical, modeling uncertainty should also be incorporated into the PRA. This can involve applying weights to different models and propagating the impacts of these models through the entire PRA. An alternative is to perform sensitivity analyses to determine the impact of the different models.

Acceptable methods for performing uncertainty analysis include Monte Carlo simulation or the variation known as Latin Hypercube Sampling. Equivalent means of propagating uncertainties may also be used. The computer codes used for the uncertainty analysis should have been benchmarked to verify that the results provided are reasonable. An uncertainty analysis should be performed for each risk-informed regulatory application of the PRA using the retained accident sequences (i.e., the sequences reflecting 95% of the CDF and 95% of the early and late release frequencies). In addition, the uncertainty analysis should be performed using a large enough sample to demonstrate convergence of the results.
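An added Python example, not from the document or from any uncertainty code, that propagates parameter uncertainty through a constructed two-cutset equation by Monte Carlo and by Latin Hypercube Sampling. Events that share a failure-rate estimate (the two pumps) are either fully correlated, one draw per parameter group per trial, or treated independently, which is the correlation effect the paragraph above warns about. The model, its lognormal parameters and the error-factor convention EF = 95th percentile / median are assumptions of the example.

```python
import math
import random
from statistics import NormalDist

Z95 = 1.6448536269514722   # standard normal 95th percentile (EF convention assumed)


def lognormal_params(mean, error_factor):
    """(mu, sigma) in log space for a lognormal with the given mean and error factor."""
    sigma = math.log(error_factor) / Z95
    mu = math.log(mean) - 0.5 * sigma * sigma
    return mu, sigma


def lhs_lognormal(mu, sigma, n, rng):
    """Latin Hypercube sample: one draw from each of n equal-probability strata, shuffled."""
    strata = list(range(n))
    rng.shuffle(strata)
    inv = NormalDist().inv_cdf
    out = []
    for k in strata:
        u = min(max((k + rng.random()) / n, 1e-12), 1.0 - 1e-12)   # inv_cdf needs 0 < u < 1
        out.append(math.exp(mu + sigma * inv(u)))
    return out


def sample_columns(groups, params, n, correlated, method, rng):
    """One list of n samples per basic event.  Events in the same parameter group share a
    single column when `correlated` is True (state-of-knowledge correlation); otherwise each
    event is sampled on its own."""
    cols, by_group = {}, {}
    for event, group in groups.items():
        if correlated and group in by_group:
            cols[event] = by_group[group]
            continue
        mu, sigma = params[group]
        if method == "lhs":
            col = lhs_lognormal(mu, sigma, n, rng)
        else:
            col = [rng.lognormvariate(mu, sigma) for _ in range(n)]
        cols[event] = col
        by_group[group] = col
    return cols


def propagate(cutsets, groups, params, n=20000, correlated=True, method="mc", seed=11):
    """Propagate parameter uncertainty through the cutset equation; returns n CDF samples."""
    rng = random.Random(seed)
    cols = sample_columns(groups, params, n, correlated, method, rng)
    return [sum(math.prod(cols[e][i] for e in c) for c in cutsets) for i in range(n)]


def summarize(samples):
    s = sorted(samples)
    n = len(s)
    return {"mean": sum(s) / n, "median": s[n // 2], "p95": s[int(0.95 * n)]}


# Constructed model (not a real plant): CDF = IE*A*B + IE*C.  Pumps A and B are the same type
# and are quantified from one failure-rate estimate, so they form a single parameter group.
CUTSETS = [("IE", "A", "B"), ("IE", "C")]
GROUPS = {"IE": "loss_of_feedwater", "A": "pump_fail_to_start",
          "B": "pump_fail_to_start", "C": "support_system_failure"}
MEANS = {"IE": 0.1, "A": 1e-3, "B": 1e-3, "C": 1e-6}   # /ry for IE, per demand otherwise
PARAMS = {
    "loss_of_feedwater": lognormal_params(0.1, 3.0),
    "pump_fail_to_start": lognormal_params(1e-3, 3.0),
    "support_system_failure": lognormal_params(1e-6, 3.0),
}


def point_estimate():
    """Mean-value point estimate of the same equation, for comparison with the propagated mean."""
    return sum(math.prod(MEANS[e] for e in c) for c in CUTSETS)


def run_comparison(n=20000):
    """Correlated versus independent treatment, by plain Monte Carlo and by LHS."""
    out = {"point_estimate": point_estimate()}
    for method in ("mc", "lhs"):
        for corr in (True, False):
            key = f"{method}_{'correlated' if corr else 'independent'}"
            out[key] = summarize(propagate(CUTSETS, GROUPS, PARAMS, n, corr, method))
    return out


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(key, value)
```

The point estimate of the constructed equation is 2.0E-7/ry. Treating A and B independently reproduces that mean, whereas correlating them raises the mean of the A*B term by exp(sigma^2), about 1.56 here, so the propagated mean CDF comes out near 2.56E-7/ry with a visibly longer upper tail; LHS gives the same means with less scatter than plain Monte Carlo at equal sample size.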

Computing Importance Measures and Performing Sensitivities

The sensitivity of the model results to model boundary conditions and other key assumptions should be evaluated using sensitivity analyses that examine key assumptions or parameters both individually and in logical combinations. The combinations analyzed should be chosen such that interactions among the variables affected by the sensitivities are fully accounted for. Areas typically needing evaluation using a sensitivity analysis are modeling assumptions, human error probabilities, common cause failure probabilities, and safety function success criteria. The results of these sensitivity analyses are needed to provide some confidence in the PRA results, particularly as applied to risk-informed regulatory applications.

In performing sensitivity analyses, the analyses should not be performed by manipulating (requantifying) only the "retained" accident sequences and cutsets. The sequences and cutsets that were truncated could potentially be impacted and significantly influence the results (e.g., dominant accident sequences and contributors). Therefore, the sensitivity analyses should be performed by requantifying the entire PRA model unless it can be shown that only the retained accident sequences and cutsets are impacted.

Importance measure calculations should be performed to provide information regarding the contributions of various components and basic events to the model estimation of total core damage frequency. Typical importance measures are Fussell-Vesely, risk achievement, risk reduction, and Birnbaum. The definition and use of importance measures are discussed in Appendix A.
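The four importance measures named above, computed on a constructed cutset equation. This is an added Python example, not the document's or Appendix A's definitions; it uses the common rare-event-sum form of the measures (Fussell-Vesely as the fraction of the CDF in cutsets containing the event, risk achievement and risk reduction worth as the ratio of the CDF with the event set to 1 or to 0 against the base CDF, Birnbaum as the difference of those two CDFs). The model values are constructed.

```python
def cutset_frequency(cutset, values):
    """Product of the basic-event values in one cutset."""
    p = 1.0
    for e in cutset:
        p *= values[e]
    return p


def total_frequency(cutsets, values):
    """Rare-event sum over the cutsets (adequate for the small values typical of CDF cutsets)."""
    return sum(cutset_frequency(c, values) for c in cutsets)


def importance_measures(cutsets, values, event):
    """Fussell-Vesely, risk achievement worth, risk reduction worth and Birnbaum for one event.

    RAW and Birnbaum set the event to 1.0, so they are meaningful for probability-type
    events (component failures, operator actions), not for initiating-event frequencies.
    """
    base = total_frequency(cutsets, values)
    with_zero = total_frequency(cutsets, {**values, event: 0.0})
    with_one = total_frequency(cutsets, {**values, event: 1.0})
    return {
        "FV": (base - with_zero) / base,                              # share of CDF involving the event
        "RAW": with_one / base,                                       # CDF increase if the event is certain
        "RRW": base / with_zero if with_zero > 0 else float("inf"),  # CDF decrease if the event is perfect
        "Birnbaum": with_one - with_zero,                             # dCDF / dp for the event
    }


def rank_events(cutsets, values, events, key="FV"):
    """Events ordered from most to least important by the chosen measure."""
    measures = {e: importance_measures(cutsets, values, e) for e in events}
    return sorted(measures.items(), key=lambda kv: kv[1][key], reverse=True)


# Constructed model (not a real plant): T is an initiating-event frequency (/ry); A and B are
# redundant pump failures, C a valve failure and H an operator action (all per demand).
VALUES = {"T": 0.5, "A": 1e-3, "B": 1e-3, "C": 1e-2, "H": 1e-2}
CUTSETS = [frozenset({"T", "A", "B"}), frozenset({"T", "C", "H"}), frozenset({"T", "A", "H"})]
BASIC_EVENTS = ["A", "B", "C", "H"]

if __name__ == "__main__":
    print(f"CDF = {total_frequency(CUTSETS, VALUES):.3e}/ry")
    for event, m in rank_events(CUTSETS, VALUES, BASIC_EVENTS):
        print(event, {k: round(v, 4) for k, v in m.items()})
```

On this model the operator action H carries 99% of the Fussell-Vesely importance while pump A, with only 10%, has the largest risk achievement worth (100): the two measures answer different questions, which is why the text asks for several of them rather than one.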

2.1.6.2 Application Impact Considerations

It is quite likely that proposed changes to the CLB will impact the results of this task. The proposed changes should be reviewed to determine if they result in:

- Previously truncated cutsets becoming important,
- Reordering of sequences based on their importance,
- Changes in the uncertainty analysis,
- A need for additional sensitivity analyses to be performed,
- Changes in the results of importance analyses,
- Different operator recovery actions.

2.1.6.3 Interfaces with Other Tasks

The systems analysis task may provide information needed to debug the quantification task (e.g., explain why certain cutsets exist, or show where errors were made in modeling). The data analysis task will provide input data for the model to be quantified. The sequence analysis task provides the framework for the model which is quantified. The output of the quantification task (e.g., the cutsets) can be used to find any errors in the modeling of other tasks. It is also used to provide insights about the plant's risk profile.


2.1.6.4 Documentation

The following information regarding the PRA quantification should be documented:

- A general description of the quantification process including accounting for system successes, the truncation values used, how recovery and post-initiator human errors are applied, and a description of the computer codes used.

- The total plant CDF and contributions from the different initiating events and accident classes.

- A list of the dominant accident sequences and their contributing cutsets. (A dominant accident sequence, from a frequency perspective rather than a risk perspective, is defined here as one whose contribution to the total CDF is greater than 1%.)

- Equipment or human actions that are the key factors in causing the accidents to be non-dominant.

- The results of all sensitivity studies.

- The uncertainty distribution for the total CDF and for each dominant accident sequence.

- Importance measure results, including at least Fussell-Vesely, risk reduction, and risk achievement.

- A list of mutually exclusive events eliminated from the resulting cutsets and their bases for elimination.

- A list of all sequences retained after the final quantification, including a brief description of the sequence and its CDF.

- Records of the actual quantification process such as file manipulations, setting of flags to turn portions of logic either on or off, etc.

- Records of the process/results when adding non-recovery terms as part of the final quantification.

- Records of the cutset review process and any manipulations therein such as eliminating invalid cutsets, requantifying multiple but dependent human errors in the same cutset, etc.

2.2 Internal Flooding Analysis

While the internal flooding analysis of a PRA uses much the same processes and has the same attributes as a traditional full power internal events PRA (Section 2.1.1), the internal flooding analysis requires a significant amount of work to define and screen the most important flood sources and possible scenarios for further evaluation.

The major tasks associated with the Level 1 portion of an internal flooding analysis include:

- Flood source and propagation pathway identification and screening
- Flood scenario identification and screening
- Flooding model development and quantification.

The information developed during the flooding source and propagation pathway identification is used to identify and quantify the flood scenarios. Results from the identification and quantification of flooding scenarios are then used in the flooding model development and quantification task.

the initiating event identification and exclusion portions of the full power internal events PRA, the first require consideration of different plant characteristics with particular emphasis on the spatia design. Consideration of structures, barriers, drainage designs, and different failure modes (e.g., w of equipment, water spray on electrical equipment) are examples of aspects of the plant that should b in the internal flooding analysis that are not necessarily addressed in the traditional internal events the flooding scenarios have been screened for detailed quantification, the third task follow and quantification aspects already carried out in the internal events analysis with relatively minor mo Three scoping attributes should be met to better ensure completeness of the analysis. First, a PRA not only floods as initiating events, but also include the possibility of flooding occurring as a subseque some other initiator. Second, both water and steam source effects (i.e., jet impingement, splashing pipe whip, and condensation) should be considered. Finally, flooding induced by both equipment fa as human-induced events (such as failure to properly isolate a potential flood source before d should be examined. Attributes that are unique to the internal flooding analysis (compared to the inte analysis) are addressed below.

2.2.1 Considerations for the Baseline PRA

2.2.1.1 Identification and Screening of Flood Sources, Propagation Pathways, and Flood Scenarios

The first two tasks identified above are performed together in a somewhat iterative manner because numerous interactions between the tasks. The guidance provided in NUREG/CR-4832 (Ref. 2.13) can b for performing the specific steps necessary to identify and screen the flood scenarios. These s reproduced here; however, certain overriding attributes that should be met in performing a sound baselin flooding analysis are highlighted below.

All substantial water and steam sources should be carefully screened.

As a minimum, possible sources should include piping, valves, pumps, tanks, heat exchangers, room coolers, chillers, fire suppres both inadvertent actuation and piping failures), relief valves, potentially large bodies of water as the suppression pool in BWRs and the spent fuel pool), and nearby reservoirs, lakes, rivers, and connected to the plant through some plant systems or structures (such as the ultimate heat sink that is c to the plant through service water system). Any qualitative arguments used to screen or otherwise e sources (e.g., small size, location arguments, effects are similar and greater for another flood source, etc be well documented and based on sound engineering principles and judgment. While probab be used at this stage, they should meet the initiating event exclusion principles provided in Section leakage and rupture failure modes should be considered as well as the potential for human

Sources and locations of concern (particularly the identification of propagation pathways) should be supported by actual walkdowns of the plant. Flood zone definitions should consider the existence of barriers and drains that can confine the flood to an area. Propagation paths from one flood zone to another should consider stairways, doorways, hatches, floor and wall penetrations and cracks, drain lines, HVAC ducts, piping/conduits, etc., and should consider the potential failure of barriers to propagation (e.g., a normally closed door failing open once the flood water reaches a certain height behind the door). Any assumptions or other judgment used to define and screen out possible locations and pathways should be documented and based on analyses, calculations, or sound engineering judgment. Isolation arguments should consider methods of detection, access, and available means to isolate or otherwise mitigate the flood source, and the time to carry out appropriate actions. In addition, the availability of other flood mitigation systems or actions such as drain lines or sump purg need to consider sizing and the potential for plugging. With regard to determining possible flowrates, the analyst should consider whethe forced flow (such as from an active pump) or passive flowrates are expected.

The above information leads to the formulation of possible flood scenarios that should be considered. These scenarios are more completely defined by considering what (and how) equipment is affected in the context of the possible accident sequences that can lead to core damage (as indicated by the internal events analysis). It is, therefore, important that the possible flood-induced failure modes (i.e., susceptibility) of equipment be considered besides the random failures of equipment covered in the internal events analysis. Any guidance used in the flooding analysis with regard to the failure modes to be considered should be clearly defined and have a reasonable basis. For instance, electrical equipment (buses, motor control centers, batteries, inverters, motors for valves and pumps and fans, etc.), if submerged or exposed to a high steam environment, should be assumed to short out and, therefore, be unable to operate, at least during the screening steps conducted in the analysis. Mechanical equipment may be considered to fail under special circumstances such as when HVAC ducting is flooded and fails because of the water weight, and so on. Screening of potential accident sequences on the basis of what equipment is or is not affected, as well as consideration of the above failure modes, should be clearly identified and supported.

2.2.1.2 Flooding Model Development and Quantification

With some modifications, the modeling of the resulting unscreened scenarios uses many of the same sequence models (typically event trees) and system failure models (fault trees) used in the traditional internal events analysis. The mitigating system fault trees should be modified to account for possible combinations of flood-induced as well as random failures of equipment. The types of initiating events resulting from internal floods should include not only transients but also LOCAs induced through spurious valve operation. As stated earlier, consideration should be given to both floods as initiators as well as floods that occur during or as a result of some other transient. Also, the potential for multiple initiating events should be reviewed. The internal event trees can generally be used in a flood analysis but should also reflect additional mitigating systems and actions as appropriate.

The quantification portion of the analysis is essentially the same as described in Section 2.1.6 but should recognize the potential for new or more severe PSFs when considering human failure probabilities and possible recovery actions. However, an initial bounding quantification can be performed using pessimistic assumptions on flood propagation and equipment susceptibility. Flooding scenarios that survive such bounding assessments should be requantified using refined estimates of the flooding impacts (obtained through engineering analysis) to provide a realistic analysis.

2-35 Draft, NUREG-1602

2 Internal Event Level 1 PRA for Full Power Operations

2.2.2 Application Impact Considerations

In general, the application impact considerations that affect the internal event models identified in Section 2.1 are applicable here. In addition, application impacts on the flooding-specific portions of the analysis also need to be addressed. For example, if an application has the potential of increasing the failure probability associated with piping, then the screening performed as part of the original flooding analysis should be reexamined to determine what impact the new failure probability has on the screened scenarios. Areas that should be reviewed include:

• The potential for the introduction of a new flooding source or the removal of an existing flood source.
• The potential for changing the flood propagation potential for an existing or new flood source.
• The mitigation of a flood source (e.g., isolation) may possibly be affected and should be reviewed.
• The impact of a flooding event on accident mitigating equipment may be altered by a plant modification and should be reviewed.
• The potential for new or additional initiating events resulting from a plant modification, and the impacts on the models used in the accident sequence quantification (i.e., event trees, fault trees, and HRA), should also be reviewed.

2.2.3 Interface with Other Tasks

This task uses extensively the information gathered and models developed in the internal event analysis. In particular, the fault trees and event trees developed for internal events are modified and used for modeling floods.

2.2.4 Documentation

The process of identifying flood sources, flood pathways, flood scenarios, and their screening, and internal flood model development and quantification should be documented for both the baseline PRA and any modifications made in analyzing a modification to the plant CLB. In addition to the information normally documented in a traditional internal events analysis, at a minimum the following information should be documented for an internal flooding analysis:

• a definition of the flood zones used in the analysis and the reason for eliminating any of these areas from further analysis,
• a list of flood sources considered in the analysis and any rules used to eliminate these sources,
• a discussion of the propagation pathways between flood zones and any assumptions, calculations, or other bases for eliminating any of these propagation pathways,
• a listing of accident mitigating equipment located in each flood zone not screened from further analysis,
• a list of any assumptions concerning the impacts of submergence, spray, temperature, or other flood-induced effects on equipment operability,
• a discussion of how the internal event analysis models were modified for the internal flooding analysis,
• a list of the flood frequencies and component failure probabilities from flood effects and their bases, and
• a discussion of any calculations or other analyses used to refine the flooding evaluation.

2.3 Internal Fire Analysis

A full power internal fire PRA utilizes the same overall analysis approach and procedures used in performing a full power traditional internal events PRA (Section 2.1). In fact, there are many points of commonality between the traditional internal events analysis and an internal fire risk analysis. These include the use of the same fundamental plant systems models (event trees and fault trees), similar treatment for random failures and equipment unavailability factors, similar methods of overall risk and uncertainty quantification, and similar methods for the plant recovery and human factors analysis. Consistency of treatment of these commonalities is an important feature in a fire risk analysis. It is also important that the documentation of an internal fire risk analysis parallel that of a traditional internal events PRA, with supplemental documentation of the unique fire-related aspects of the analysis provided as necessary.

Although the overall evaluation process is the same, there are differences in the events postulated to occur in response to an internal fire event as compared to those from a traditional internal event. These unique features should be accounted for in a sound baseline fire risk analysis. The main differences between a traditional internal events analysis and an internal fire analysis are as follows:

• Physical Plant Partitioning - physical partitioning of the plant into fire analysis areas and zones
• Equipment Identification and Mapping - identification of plant components not typically considered in an internal events analysis, including in particular electrical power, instrumentation, and control cables, and the mapping of such equipment to specific locations
• Fire Source Identification and Quantification - identification of ignition sources and quantification of their frequency
• Fire Growth and Spread Quantification - determination of fire growth and spread
• Fire Damage Assessment - the assessment of fire-induced damage to plant equipment
• Fire Detection and Suppression - determination of the effectiveness of fire detection and suppression
• Human Intervention and Plant Recovery - identification of the impact of a fire event on the possibility and likelihood of post-fire human actions (including the impact of contradictory or failed indication).

The major analysis elements described in Section 2.1 for a traditional internal events analysis are also applicable to an internal fire analysis. Differences arise from the fact that the fire analysis has to account for the effects of the fire and should provide for the specific treatment of the actual fire phenomena associated with the postulated fire event, as presented above. A fire analysis generally consists of three phases:

• initial area screening,
• secondary area screening, and
• detailed analysis.

The initial area screening phase of the analysis identifies the limited subset of plant fire areas which should be considered for more detailed analysis. This initial screening is based on consideration of the nature of the components/systems located within a fire area, without specific consideration of the phenomena involved in the fire growth and damage processes. The components located within a given fire area are identified, and the impact of their failures on plant systems is assessed to determine the potential for a fire in the fire area to represent an initiating event.

The secondary area screening phase is then applied to further refine the areas requiring detailed quantification by including a rudimentary treatment of the fire phenomena. This secondary screening process may be performed at progressive levels of detail. Initially, the secondary screening analysis uses a high estimate of the total fire frequency from all fire sources in a particular area, with the further assumption that all fires would result in damage to all equipment in the affected area with a probability of 1.0. If the resulting fire risk estimate falls below the specified truncation value, then the area requires no further consideration. If an area cannot be truncated on this basis, then further screening can be applied in which low estimates of fire intervention factors are introduced.

However, as the analysis becomes more refined, the level of detail considered should also become more refined, resulting in the "blurring" of the "line" between a secondary screening analysis and a detailed area quantification (see next paragraph). For example, if some credit for successful fire suppression before critical fire damage is to be given, then the analysis should include consideration of physical factors which might make it unrealistic to assume that intervention would be successful. A typical example would be a case in which a critical cable is located directly above an energetic potential fire source, such as a switchgear cabinet, such that if a fire were ignited, damage would occur in a very short time.

For the subset of fire areas which survive the initial and secondary screening phases of the analysis, a detailed quantification of the fire risk for each fire source postulated to exist in that fire area is performed. Generally, at this point in the analysis, the fire areas defined in the screening analyses are further partitioned into fire zones for detailed quantification. This partitioning essentially results in the definition of what specific components are considered to be threatened by a fire event.
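The three screening phases just described, as an added worked example that is not part of NUREG-1602 and not any licensee's fire PRA. It runs initial screening (does the area hold risk-important equipment at all?), bounding secondary screening (total area fire frequency times damage probability 1.0 times conditional core damage probability, compared with the truncation value), and refined secondary screening (the same product with a low-credit intervention factor). The fire areas, ignition frequencies, the two-cut-set mitigation model, the random failure probabilities and the truncation value are all constructed for illustration; the rare-event sum over minimal cut sets is the author's choice of a simple CCDP model, and every fire in a retained area is assumed to produce the initiating event.

```python
"""
Fire area screening: constructed example of the initial / bounding secondary /
refined secondary screening passes. Not NUREG-1602 data; all values are illustrative.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass
class FireArea:
    name: str
    ignition_sources: Dict[str, float]   # source -> fire frequency (per reactor-year)
    components: Set[str]                 # risk-important components/cables mapped to the area


# Constructed toy mitigation model: after the initiating event, core damage occurs if
# every component in any minimal cut set is failed. Fire-damaged components fail with
# probability 1.0 (the screening assumption); the rest keep random failure probabilities.
RANDOM_FAILURE_PROB = {"BUS_A": 1e-4, "BUS_B": 1e-4, "PUMP_A": 1e-3, "PUMP_B": 1e-3}
MINIMAL_CUT_SETS: List[FrozenSet[str]] = [
    frozenset({"PUMP_A", "PUMP_B"}),   # loss of both cooling trains
    frozenset({"BUS_A", "BUS_B"}),     # loss of both safety buses
]
RISK_IMPORTANT: Set[str] = set().union(*MINIMAL_CUT_SETS)


def ccdp(fire_damaged: Set[str]) -> float:
    """Conditional core damage probability given the set of fire-damaged components.
    Rare-event approximation: sum of cut-set probabilities, capped at 1.0."""
    total = 0.0
    for cut_set in MINIMAL_CUT_SETS:
        p = 1.0
        for comp in cut_set:
            p *= 1.0 if comp in fire_damaged else RANDOM_FAILURE_PROB[comp]
        total += p
    return min(total, 1.0)


def screen_area(area: FireArea, truncation: float, nonsuppression: float = 1.0) -> Dict[str, object]:
    """Screen one fire area. `nonsuppression` is the low-credit probability that
    intervention fails before damage (1.0 = no credit, the bounding assumption)."""
    # Initial screening: no risk-important equipment means the fire cannot matter here.
    if not area.components & RISK_IMPORTANT:
        return {"stage": "screened: no risk-important equipment", "cdf": 0.0}
    # Bounding secondary screening: all sources, all equipment damaged with probability 1.0.
    total_freq = sum(area.ignition_sources.values())
    bounding_cdf = total_freq * 1.0 * ccdp(area.components)
    if bounding_cdf < truncation:
        return {"stage": "screened: bounding CDF below truncation", "cdf": bounding_cdf}
    # Refined secondary screening: introduce a low estimate of intervention credit.
    refined_cdf = bounding_cdf * nonsuppression
    if refined_cdf < truncation:
        return {"stage": "screened: refined CDF below truncation", "cdf": refined_cdf}
    return {"stage": "retained for detailed quantification", "cdf": refined_cdf}


def screen_plant(areas: List[FireArea], truncation: float, nonsuppression: float = 1.0) -> Dict[str, Dict[str, object]]:
    return {a.name: screen_area(a, truncation, nonsuppression) for a in areas}


# Constructed fire areas (names and frequencies are placeholders, not plant data).
PLANT_AREAS = [
    FireArea("Turbine building", {"lube oil pump": 1e-2, "transients": 5e-3}, set()),
    FireArea("Switchgear room A", {"4kV switchgear A": 3e-3, "transients": 1e-3}, {"BUS_A", "PUMP_A"}),
    FireArea("Cable spreading room", {"cable self-ignition": 1e-3, "transients": 2e-3},
             {"BUS_A", "BUS_B", "PUMP_A", "PUMP_B"}),
]

if __name__ == "__main__":
    for name, r in screen_plant(PLANT_AREAS, truncation=1e-6, nonsuppression=0.1).items():
        print(f"{name:22s} {r['stage']:42s} CDF={r['cdf']:.2e}")
```

With no intervention credit the switchgear room survives screening at 4.4E-6 per year; with a low-credit non-suppression factor of 0.1 it drops below the 1E-6 truncation value and is screened, while the cable spreading room (where the fire alone completes both cut sets) is retained regardless. That is the "blurring" the text warns about: once intervention credit enters, the screening result depends on fire phenomena that the detailed analysis is supposed to treat.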

As part of each phase in a fire PRA, the potential effects of a fire within a single fire area or zone and the effects of inter-area and inter-zonal considerations (i.e., the effects of multiple fire areas or fire zones in combination to represent significant contributors to fire risk) are determined. The assessment of the potential that a fire in one fire area or zone might impact equipment in an adjacent fire area or zone is particularly important for high hazard fire areas (in which a fire might threaten even a three-hour rated boundary), zones bounded by fire barriers of less than three-hour rating, and fire areas or zones separated by active fire barrier elements (such as normally open fire doors, water curtains, ventilation dampers, etc.). Consideration should be given to the likelihood that fire barrier penetration seals might fail under certain types of fire conditions (such as larger fires or fires immediately proximate to the seals).

Within each of the assessment phases, the fire-specific differences between a traditional internal events analysis and an internal fire analysis should be dealt with. The level of detail applied to the assessment of each of these specific differences depends largely on the phase of the fire analysis. That is, the screening phases may include only a rudimentary treatment of certain differences, whereas the detailed quantification phase will require a specific and comprehensive treatment of each difference. Attributes for each specific difference are presented in the following sections. In addition, fire-unique attributes for each of the PRA analytical tasks identified in Section 2.1 are provided.

2.3.1 Considerations for the Baseline PRA

This section provides the attributes of a detailed fire PRA that could be utilized as the base model in the evaluation of a CLB modification. The fire-specific aspects of the PRA are discussed as well as the interfaces with the internal event PRA models.

2.3.1.1 Defining Fire Areas or Fire Zones

Since the physical partitioning of the plant effectively defines which components and systems will be considered simultaneously vulnerable to a common fire event (with the exception of the final inter-area or inter-zonal fire analysis stage), the partitioning process significantly impacts the final analysis results.

The terms fire area and fire zone are widely used in fire risk assessment and are also recognized terms with specific definitions in the context of fire protection. A fire area is generally defined in the fire protection context as a physical region which is fully bounded by three-hour rated fire barrier systems (as certified by the ASTM E119 fire performance test). This traditional fire protection community definition of a fire area is consistently applied in fire risk analyses, but it should be recognized that the term fire zone can represent many different levels of physical separation. That is, the term fire zone has a more flexible and judgmental definition, and is generally associated with any physical region bounded by lesser fire barrier elements. In some cases, fire zones can be defined in risk assessments as regions with no specific physical boundary elements which are nonetheless considered to represent the physical limits of influence for any fire in that region. For example, a multi-level fire area separated by floors/ceilings with open equipment hatches might be defined for the purposes of analysis as several separate fire zones despite the presence of an open pathway between the zones. Similarly, a physical region of 20 feet of horizontal separation with no intervening combustibles (an Appendix R provision) can be cited as defining the limit of a fire zone despite the lack of any physical barrier between adjacent fire zones.

Since there is flexibility in the definition of a fire zone, a fire analysis should define each fire zone identified and used in the analysis.

With respect to the three analysis phases identified above, a fire PRA can use the following partitioning process:

• Initial area screening is based on the consideration of fire areas as traditionally defined in the fire protection context. Fire zones, as used in fire risk assessments, are not used.
• Secondary area screening is initially based on the use of fire areas. As the screening becomes progressively more detailed, the use of fire zones becomes acceptable as long as such use is supported by specific and detailed consideration of the fire phenomena involved. (NOTE: This is generally inconsistent with the intent of the screening process, but is acceptable if all relevant fire phenomena are considered.)
• Detailed area quantification is based on the use of fire areas or fire zones, whichever is appropriate.

2.3.1.2 Equipment Identification and Mapping

The critical plant systems and components of interest to the analysis should be identified. This is generally based on an examination of the risk-important systems considered in the traditional internal events analysis described in Section 2.1, supplemented by consideration of fire-related plant documentation such as the plant Appendix R submittal, and verified by plant walkdowns. Consideration of only the plant Appendix R systems is not an adequate basis for analysis in a fire PRA. Electrical cables (power, instrumentation, and control) for all systems and components should be included in this assessment. After identifying the equipment, each of the components identified should be traced to specific plant locations. This step can involve multiple levels of detail. For example, for the purposes of initial screening, mapping a piece of equipment to a specific area is sufficient. For secondary screening, mapping to fire areas or fire zones is warranted. In contrast, detailed quantification of area or zone fire risk requires that the equipment be mapped to very specific locations within the fire area or zone. This is because the area of influence of most fires will be limited to a subset of the fire area or zone, and because the proximity of the critical equipment to the fire source will directly and profoundly impact the timing of equipment damage.

2.3.1.3 Fire Source Identification and Quantification

The fire analysis should both identify possible fire sources in a given plant location and quantify the frequency with which each of those fire sources might initiate a fire event. This includes both fixed fire sources (pumps, motors, electrical panels, switchgear, transformers, fuel and oil storage media, hot pipes such as diesel generator exhaust pipes, electrical cables, etc.) and transient sources (trash, maintenance activities including equipment and supplies, sources of liquid or gaseous flammable material leaks, short-term storage items, long-term storage items, etc.). A fire events database is typically used to support this part of the analysis. In general, a fire analysis considers all possible fire sources. Consideration of only the single most significant or largest fire source in a given area is not generally considered an adequate basis for the analysis. This is because the fire threat is a combination of several factors, and the largest or most significant perceived fire threat may not, in fact, represent the bounding condition in the context of fire risk.

2.3.1.4 Fire Growth and Spread Quantification

The fire analysis should also quantify the potential for an initial fire source to grow within the limits of that initial fire source and for the fire to spread to other nearby flammable materials, by considering the maximum credible size (both the intensity and physical extent) associated with the initial source and the potential for that fire source to ignite other nearby materials. The analysis of fire growth within the initial fire source may be based on either a fire computer model or available test data, but the analysis of fire spread to other nearby materials requires the application of a proven fire growth computer model of some type.

2.3.1.5 Fire Damage Analysis

Based on the fire growth analysis, a prediction is made as to how the fire will impact the environment surrounding the critical components of interest and, in turn, how that environment will impact the operability of those components. In a fire PRA, the timing of equipment damage is one of the two most critical factors to be determined (the second is fire detection and suppression, discussed in the next section). In order to pass beyond the initial screening steps to final quantification, the analysis should consider not only whether damage will likely occur, but also the time interval between ignition of the fire and the onset of equipment damage. This process should include the identification of both the modes or mechanisms of fire damage (typically simple heating of the component, but also potentially including smoke deposition) and the threshold exposure associated with the onset of equipment damage (such as damage temperature).

2.3.1.6 Fire Detection and Suppression

In general, the quantification of fire risk involves an assessment of the competing processes of fire growth and damage behavior and of fire intervention through detection and suppression (unless it is judged that the time to damage is very short). The analysis of fire detection and suppression, including the timing of these intervention mechanisms, is the second of the two most critical factors associated with a fire risk analysis. This is a multi-path process which should include consideration of both fixed systems and manual intervention (both the detection and suppression events may involve actions by either fixed fire protection systems or plant personnel). The detection and suppression analyses should be linked (detection alone is largely worthless without suppression, but suppression should be predicated on fire detection unless fire self-extinguishment is postulated), and the fire damage and fire intervention analyses should be performed on a consistent basis, because comparison of fire damage times to fire intervention times is the ultimate driving force for the risk quantification. Hence, both parts of the analysis should be based on consistent treatment of the relevant fire phenomena.
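The competition between time to damage and time to intervention described in Sections 2.3.1.5 and 2.3.1.6, as an added example that is not part of NUREG-1602. It assumes the fire growth and damage analysis has already supplied a deterministic time to damage, that detection occurs after a fixed delay, that manual suppression time after detection is exponentially distributed (a common simplification, chosen here by the author), that an optional fixed system discharges at a fixed time but can fail on demand, and that the two intervention paths are independent. The brigade rate, detection delays, actuation times, failure probabilities and the "very short time to damage" cutoff are all constructed values.

```python
"""
Non-suppression probability: damage time versus detection-plus-suppression time.
Constructed example; parameter values are illustrative, not plant or generic data.
"""
import math
from dataclasses import dataclass
from typing import Optional

# Constructed brigade performance: median manual suppression time of 4 minutes
# after detection, i.e. exponential rate = ln(2) / 4 per minute.
BRIGADE_RATE_PER_MIN = math.log(2) / 4.0
# Below this time to damage no intervention credit is taken at all (the text's
# "time to damage is very short" case, e.g. a cable directly above switchgear).
SHORT_DAMAGE_CUTOFF_MIN = 1.0


@dataclass(frozen=True)
class AutoSuppression:
    actuation_time_min: float   # time after ignition at which the fixed system discharges
    fail_on_demand: float       # probability the system does not actuate or extinguish


def nonsuppression_probability(t_damage_min: float, t_detect_min: float,
                               manual_rate_per_min: float = BRIGADE_RATE_PER_MIN,
                               auto: Optional[AutoSuppression] = None) -> float:
    """Probability that the fire is NOT suppressed before critical damage occurs.

    - No credit if damage precedes detection (suppression is predicated on detection)
      or if the time to damage is judged very short.
    - Manual path fails with exp(-rate * (t_damage - t_detect)): the brigade has only
      the window between detection and damage.
    - Automatic path counts only if it would discharge before damage; then it fails
      with its on-demand probability. Paths are independent, so failures multiply.
    """
    if t_damage_min <= SHORT_DAMAGE_CUTOFF_MIN or t_damage_min <= t_detect_min:
        return 1.0
    p_manual_fail = math.exp(-manual_rate_per_min * (t_damage_min - t_detect_min))
    if auto is None:
        return p_manual_fail
    p_auto_fail = auto.fail_on_demand if auto.actuation_time_min < t_damage_min else 1.0
    return p_auto_fail * p_manual_fail


def scenario_cdf(ignition_frequency: float, p_nonsuppression: float, ccdp: float) -> float:
    """Fire scenario core damage frequency: ignition frequency (per reactor-year)
    x P(not suppressed before damage) x conditional core damage probability."""
    return ignition_frequency * p_nonsuppression * ccdp


if __name__ == "__main__":
    # Constructed scenarios: one switchgear fire, different target locations and systems.
    cases = {
        "cable directly above switchgear, damage at 0.5 min": (0.5, 2.0, None),
        "cable tray damaged at 10 min, detection at 2 min, manual only": (10.0, 2.0, None),
        "same, plus CO2 system discharging at 5 min, 5% failure": (10.0, 2.0, AutoSuppression(5.0, 0.05)),
        "same, but CO2 system would discharge only at 12 min": (10.0, 2.0, AutoSuppression(12.0, 0.05)),
    }
    for label, (t_dmg, t_det, auto) in cases.items():
        p_ns = nonsuppression_probability(t_dmg, t_det, auto=auto)
        print(f"{label:62s} P_ns={p_ns:.4f}  CDF={scenario_cdf(3e-3, p_ns, 0.1):.2e}")
```

The point the code makes explicit is the one the text insists on: the damage time and the intervention times must come from the same treatment of the fire, because the result is driven entirely by their difference. Shortening the time to damage from 10 minutes to below the detection delay removes all credit, and a fixed system that would discharge after the damage time contributes nothing, however reliable it is.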

In addition to the potential for the fire itself to damage the critical equipment of interest, a fire analysis should consider the possibility that application of fire suppressants (e.g., water, halon, or carbon dioxide) might also lead to supplemental equipment damage. This aspect of the analysis requires consideration of both the potential effects of the fixed fire suppression systems and the possible intervention by fire fighting personnel. The most difficult aspect of this analysis typically involves the manual intervention aspects. This is because the analysis should include consideration of fire fighting access routes, the potential for the build-up of a dense smoke layer (which would increase the likelihood of misdirected water sprays), and the level of training and pre-fire planning provided to the fire fighting personnel.

2.3.1.7 Human Intervention and Plant Recovery

The final step in quantification involves an assessment of human intervention and plant recovery following the fire event, using the same process as that used in the traditional internal events analysis. The impact of the fire on the level of operator stress, and hence the likelihood that operators might make mistakes in the recovery process, should be considered. Second, the presence of a fire in a given area is generally assumed to prevent plant personnel from taking recovery actions which require access to or through the affected fire area until well after the fire has been extinguished. If operator-initiated repair (recovery) of equipment damaged in a fire is considered, then justification should be provided that demonstrates the operators' ability to make the repairs. This analysis should also include a careful examination of the plant's alternate shutdown capability for certain plant fire scenarios (typically those involving the main control room or cable spreading rooms). This aspect of the analysis includes the consideration of potential fire-induced failures which might not be evident at the remote shutdown station(s), and the level of plant equipment and systems control which is available outside the main control room.

2.3.1.8 Fire Model Development and Quantification

The following paragraphs identify the unique fire analysis attributes associated with the modification and quantification of the internal events PRA models for use in the fire analysis.

Initiating Events

The same set of initiating events identified in the traditional internal events analysis is considered in the internal fire analysis. For example, if LOCAs are considered, then fire-induced LOCAs (i.e., spurious valve openings) should be considered. Initiating events that cannot be caused by a fire-induced equipment failure, or by potential operator responses to a fire event, can be eliminated. Note, for example, that even though fire-induced equipment damage in a given fire area or zone might not directly lead to an initiating event, the analysis should consider the potential that operators might take actions on a preventative basis to shut down the plant in the event of a significant fire, and that the postulated fire might render safe shutdown systems inoperable or unavailable. Fire-induced initiators that require fires in two noncontiguous fire areas can be eliminated from the analysis.

Accident Sequence Analysis

The analysis should include a specific treatment of each of the fire scenario differences which have been discussed in Sections 2.3.1.1 through 2.3.1.7. In addition, any fire-unique dependencies should be considered.

Systems Analysis

The fire PRA should include consideration of spatial dependencies for the following:

• cables (e.g., power, instrumentation, and control): the location of the cables both to and through the fire areas/zones,
• all other components vulnerable to fire-induced damage or failure (e.g., pumps, valve actuators, motors, switches, and electrical panels), and
• components not vulnerable to fire-induced damage or failure, which may be eliminated from the analysis (e.g., large piping is not typically included in fire risk analyses).

Fire-induced system dependencies should be considered in a fire PRA. In particular, the analysis should consider the potential for common cause failure of multiple components/systems due to the effects of a given fire. This potential differs from a traditional internal events analysis because the effects of a fire (e.g., heat and smoke) can travel quickly throughout a given fire area or zone, and can also extend beyond the limits of a single fire area or zone under certain circumstances. Effects which should be addressed include smoke [5], suppression agent effects, and temperature. If any of these can affect the performance of a component, then their impact should be considered. The fire PRA should also include consideration of direct thermal heating of components due to convective and radiative heating of targets by the fire.

For power and control cables, a fire PRA should include some consideration of the three recognized potential failure modes, namely: conductor-to-ground shorts (which might result in simple loss of function or power bus failure), conductor-to-conductor shorting within a multiconductor cable (which might simulate the effects of a switch closing or cause a shorting of a power supply bus), and conductor-to-conductor shorting between adjacent cables (which might cause spurious operation of plant equipment, or cause destructive voltages to be applied to a lower voltage system). Each mode should be considered, and screening of failure modes is based on physical proximity and systems impact considerations.

Fire Modeling

Lessons learned from previous fire PRA studies indicate that caution should be exercised in areas such as:

• selection of cable ignition and damage criteria,
• credit taken for in-cabinet smoke detection,
• performance shaping factors associated with emergency HEPs, especially in a degraded environment caused by fire,
• modeling of the initiation and effectiveness of automatic suppression, and
• when the fire-induced vulnerability evaluation (FIVE) methodology (Ref. 2.14) is used to address NRC-mandated enhancements, such as additional fire initiating events, proper consideration of certain passive components, thermal damage thresholds, self-ignited cable fires, earthquake-induced fires, and containment fires.

[5] A potentially important mode of fire damage not usually included in a typical fire PRA is smoke damage. As research in this area matures, failures associated with smoke should be included in the fire analysis.

Data Analysis

Current sources of fire data should be used to support the fire analysis. A baseline PRA should:

• consider industry-wide experience, with Bayesian updating based on plant-specific experience, when estimating fire frequency,
• use a current state-of-the-art fire growth code to determine the impact of fire propagation, and
• include a quantification of uncertainty associated with all critical input values.
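The first and third bullets above (industry-wide data updated with plant-specific experience, with uncertainty quantified), as an added example that is not from NUREG-1602 and not from any fire events database. It uses the gamma-Poisson conjugate pair, which is the author's choice here and is not prescribed by the text: a Gamma(alpha, beta) prior on the fire frequency lambda (fires per reactor-year), fitted to an industry mean and variance by the method of moments, updated with k plant fires observed over T reactor-years to Gamma(alpha + k, beta + T). The industry mean and variance, the plant experience, and the Monte Carlo sample size and seed are constructed.

```python
"""
Bayesian update of a generic fire frequency with plant-specific experience,
plus a Monte Carlo uncertainty summary. Constructed example; not NUREG-1602 data.
"""
import random
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class GammaDist:
    alpha: float   # shape
    beta: float    # rate, in reactor-years (so lambda = alpha / beta has units of 1/yr)

    @property
    def mean(self) -> float:
        return self.alpha / self.beta

    @property
    def variance(self) -> float:
        return self.alpha / self.beta ** 2


def gamma_from_moments(mean: float, variance: float) -> GammaDist:
    """Fit a gamma prior to an industry-wide mean and variance (method of moments):
    beta = mean / variance, alpha = mean * beta."""
    beta = mean / variance
    return GammaDist(alpha=mean * beta, beta=beta)


def bayesian_update(prior: GammaDist, fires_observed: int, reactor_years: float) -> GammaDist:
    """Conjugate update with a Poisson likelihood for k fires in T reactor-years:
    the prior's pseudo-count of fires grows by k and its exposure grows by T."""
    return GammaDist(prior.alpha + fires_observed, prior.beta + reactor_years)


def percentiles(dist: GammaDist, probs: Tuple[float, ...] = (0.05, 0.5, 0.95),
                samples: int = 20000, seed: int = 0) -> Dict[float, float]:
    """Monte Carlo percentiles of the frequency. random.gammavariate takes the
    shape and the SCALE (1/rate), so the rate must be inverted here."""
    rng = random.Random(seed)
    draws = sorted(rng.gammavariate(dist.alpha, 1.0 / dist.beta) for _ in range(samples))
    return {p: draws[min(int(p * samples), samples - 1)] for p in probs}


if __name__ == "__main__":
    # Constructed industry-wide estimate: mean 0.02 fires/yr, variance 2.0E-4.
    prior = gamma_from_moments(0.02, 0.0002)          # Gamma(2, 100)
    # Constructed plant-specific experience: 3 fires of this type in 20 reactor-years.
    posterior = bayesian_update(prior, 3, 20.0)       # Gamma(5, 120)
    for label, d in (("prior", prior), ("posterior", posterior)):
        pct = percentiles(d)
        print(f"{label:9s} mean={d.mean:.4f}/yr  5th={pct[0.05]:.4f}  "
              f"median={pct[0.5]:.4f}  95th={pct[0.95]:.4f}")
```

The plant's raw rate (3 fires in 20 years, 0.15 per year) pulls the posterior mean from 0.020 to 0.042 per year but does not replace the generic estimate, because the prior carries the weight of 100 reactor-years of exposure. The percentiles are what the third bullet asks for: a frequency reported only as a point value hides the fact that the 90 percent interval here spans roughly a factor of five.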

Human Reliability Analysis (HRA)

In a fire analysis, the impact of a fire on the operator's ability to perform actions should be included in the identification and selection of the human actions. In particular, the impact of a fire on human stress levels and human reliability should be included in the HRA. Further, the analysis should include consideration of how the fire event might produce faulty indications and affect operator actions which require access to or through the affected fire area (generally, credit should not be given to such actions until well after the fire is presumed to be fully suppressed, due to heat and smoke buildup and other related factors). The presumption that fire-damaged equipment can be repaired as a part of the short-term fire recovery should be specifically justified on the basis of available repair items and plant procedures. A fire PRA should consider manual fire detection and suppression as one possible path to fire intervention. The potential for manual fire detection and suppression should include consideration of the following issues:

Detection:

• the nature of the fire event (human caused or equipment failure related),
• for general plant areas, who is there, when are they there, and how frequently are they there (occupancy factors), and
• for the main control room, the configuration of the control room, its ventilation system, and in particular the configuration of the ventilation system's return air handling ducts (which might significantly impact the timing of manual detection).

Suppression:

• who is on the fire brigade (operators, security staff, health and safety staff, general maintenance staff, etc.), their training, their equipment, and their experience facing actual fire situations,
• the time required for manual suppression (including initial response time as a function of zone, time to assemble and equip an effective fire fighting team, time to assess the fire situation, and time to actually suppress the fire), and
• collateral damage caused by application of suppressant agents, even if direct fire-induced damage was successfully mitigated.

2.3.2 Application Impact Considerations

In general, all application impact considerations identified in Section 2.1 are applicable for the internal events model used in the fire analysis. In addition, a proposed CLB change can impact the fire-specific portions of the analysis. For example, if an application has the potential of increasing the failure probability associated with a motor-operated valve, then any screening performed as part of the baseline fire analysis should be reexamined to determine what impact the new failure probability has on the screened sequences.

Specific factors which should be reviewed for each application include:

• The appropriateness of the fire zone and area definitions used in the analysis and the corresponding equipment mapping.
• The potential for the introduction of a new fire source (or, conversely, the elimination of a fire source).
• The potential for a change in the fire growth and propagation potential.
• The potential for a change in the fire damage potential of equipment.
• Changes in the fire PRA model, including the potential for different initiating events, additional spatial failure modes required in the system fault trees, and modified human error probabilities.

2.3.3 Interface with Other Tasks

In general, the interfaces identified in Section 2.1 are also applicable here. Moreover, the applicable Level 1 internal events logic models should be identified and modified to account for fire-induced damage. Fire-induced accident scenarios are assigned to plant damage states similar to those used in the conventional internal event analysis. In addition, the following interfaces among fire-specific analysis tasks should be considered:

• the fire area and zone definitions will be used to identify the components that can be affected by a fire, and the affected components will impact the development of the system models,
• the fire source identification and quantification results will impact the initiating event identification and quantification task,
• results from the fire growth and spread task, the fire damage assessment task, and the fire detection and suppression task will impact the final sequence quantification, and
• information from the fire growth and spread task and the fire damage assessment task will influence the human reliability analysis task.

2.3.4 Documentation

In addition to the information normally documented in a traditional internal events analysis, the following information should be reported in a fire PRA:

• A discussion of how the subset of initiating events relevant to the fire analysis was developed, and in particular how the internal events set was screened for relevance to fire.
• A list or general description of the information used to develop the fire area/zone locations.
• A description of the process used to identify the fire areas/zones.
• A list and description of the identified fire areas/zones.
• A list of the cables and components considered in the analysis.
• A mapping of risk-important components and systems to fire areas or zones.
• Justification for any system or component/cable for which location information was not provided.
• A list of any databases, experimental results, plant procedures, plant experience, or analysis tools (such as fire computer models or correlations) used to support each step of the fire phenomena analysis.
• A list of (and justification for) the specific parameter values associated with the analysis of specific fire scenario factors.
• A list of the critical inputs and outputs associated with each scenario analyzed, in a format sufficient to allow independent verification of the analysis results and at a level of detail appropriate to the stage of the analysis under consideration (e.g., screening versus detailed quantification).
• A specific discussion of how the HRA operator recovery analysis was "customized" or "modified" to account for the unique conditions of a fire event, including how manual fire detection and suppression factors were incorporated into the quantification of the fire growth, damage, and intervention models.
• Results from the initial screening, secondary screening (if applied), and detailed quantification stages of the analysis.



3. INTERNAL EVENT LEVEL 2 PRA FOR FULL POWER OPERATIONS

This chapter provides attributes for performing a Level 2 probabilistic risk assessment (PRA) of a plant operating at full power. A Level 2 PRA evaluates containment response to severe accidents and determines the magnitude and timing of the radionuclide release from containment. Consequently, those PRA applications that deal with containment performance obviously need a Level 2 analysis as described in this chapter. A Level 2 analysis is also needed if the application requires that a numerical value for the frequency of a particular release be determined. Finally, if a particular PRA application requires estimates of offsite consequences and integrated risk, as, for example, in the calculation of the U.S. Nuclear Regulatory Commission (NRC) Safety Goal Quantitative Health Objectives (QHOs), then a Level 2 PRA coupled with a Level 3 PRA is needed. Accidents initiated by internal events including internal fires and floods are addressed in the following section. Accidents initiated by various external events are addressed in Chapter 5.

The primary objective of the Level 2 portion of a PRA is to characterize the potential for, and the magnitude and timing of, a release of radioactive material to the environment given the occurrence of an accident that results in sufficient damage to the core and causes the release of radioactive material from the fuel. To satisfy this objective, a quality Level 2 PRA is comprised of three major parts:

• A quality Level 1 PRA, which provides information regarding the accident sequences to be examined and their frequency. The attributes for performing the analyses associated with this aspect of a PRA are described in Chapter 2 and are not discussed further here.

• A structured and comprehensive evaluation of containment performance in response to the accident sequences identified from the Level 1 analysis.

• A quantitative characterization of radiological release to the environment that would result from accident sequences which breach the containment pressure boundary.

A detailed description of the attributes for conducting the technical analyses associated with each part is provided below.

The current state of knowledge regarding many aspects of severe accident progression and (albeit to a lesser extent) the state of knowledge regarding containment performance limits is imprecise. Therefore, an assessment of containment performance should be performed in a manner that explicitly considers uncertainties in the knowledge of severe accident behavior, the resulting challenges to containment integrity, and the capacity of the containment to withstand various challenges. The potential for a release to the environment is typically expressed in terms of the conditional probability of containment failure (or bypass) for the spectrum of accident sequences (determined from the Level 1 PRA analysis) that proceed to core damage.

In addition to estimating the probability of a release to the environment, the Level 2 portion of a PRA should characterize the resulting radiological release to the environment in terms of the magnitude of the core inventory that is released, the timing of the release, and other attributes important to an assessment of offsite accident consequences. This information provides (1) a quantitative scale with which the relative severity of various accident sequences can be ranked and (2) the "source term" for a quantitative evaluation of offsite consequences (i.e., health effects, property damage, etc.), which are estimated in the Level 3 portion of a PRA.


3 Internal Event Level 2 PRA for Full Power Operations

In the description of the Level 2 PRA below, emphasis is placed on the level of detail associated with the major elements of a Level 2 analysis, rather than the specific techniques used to conduct the analysis. This approach is emphasized because several different methods can be used to calculate the probabilistic aspects of severe accident behavior and containment performance. The most common methods are those that use event- and/or fault-tree logic structures; however, other techniques can also be used. Further, the specific methods of quantifying similar logic structures can differ from one study to another. In principle, any of these methods can be considered adequate provided it encompasses the level of detail described below.

As indicated above, the two major products of a Level 2 PRA are (1) the conditional probability of containment failure or bypass for accident sequences that proceed to core damage and (2) a characterization of the radiological source term to the environment for each sequence resulting in containment failure or bypass. Although the analyses conducted to generate these products are closely coupled, the characteristics of the analysis to generate them are best described separately. Hence, characteristics of a probabilistic evaluation of containment performance are described in Section 3.1; characteristics of the accompanying estimates of radionuclide release are described in Section 3.2.

3.1 Evaluation of Containment Performance

Although the specific analysis tasks within various Level 2 PRAs may be organized differently, the following three critical elements are included:

• An assessment of the range of challenges to containment integrity (i.e., determination of possible failure mechanisms and range of structural loads);

• Characterization of the capacity of the containment to withstand challenges (i.e., determination of performance limits); and

• A process of organizing and integrating the uncertainties associated with these two evaluations to generate an estimate of the conditional probability that containment would fail (or be bypassed) for a given accident sequence.

Attributes for developing each of these elements are described below.

3.1.1 Assessment of Challenges to Containment Integrity

The primary objective of this element of a Level 2 PRA is to characterize the type and severity of challenges to containment integrity that may arise during postulated severe accidents. An analysis to determine these characteristics acknowledges the dependence of containment response on details of the accident sequence. Therefore, a critical first step is developing a structured process for defining the specific accident conditions to be examined. Attributes for determining which of the many accident sequences generated by Level 1 PRA analysis should be further examined for impact on containment are defined in two parts:

1. Attributes for reducing the large number of accident sequences developed for Level 1 PRA analysis to a practical number for detailed Level 2 analysis, and

2. Attributes for performing and coupling the assessment of containment system performance (i.e., reliability analysis) with Level 1 accident sequence analyses.

3.1.1.1 Defining the Accident Sequences to be Assessed

The primary purpose of a Level 1 PRA analysis is to identify the specific combinations of system or component failures (i.e., accident sequence cutsets) that would allow core damage to occur. Unfortunately, the number of cutsets generated by a Level 1 analysis is very large (typically greater than 10,000). It is impractical to evaluate severe accident progression and resulting containment loads for each of these cutsets. As a result, the common practice is to group the Level 1 cutsets into a sufficiently small number of "Plant Damage States (PDSs)" to allow a practical assessment of the challenges to containment integrity resulting from the full spectrum of accident sequences.

Considerations for the Baseline PRA

Any characteristic of the plant response to a given initiating event that would influence either subsequent containment response or the resulting radionuclide source term to the environment would be represented as an attribute in the PDS binning scheme. These characteristics include:

• The status of systems that have the capacity to inject water to either the reactor vessel or the containment cavity (or drywell pedestal). Defining system status simply as "failed" or "operating" is not sufficient in a Level 2 analysis. Low-pressure injection systems may be available but not operating at the onset of core damage because they are "dead-headed" (i.e., reactor vessel pressure is above their shutoff head). Such states are distinguished from low-pressure injection "failed" to account for the capability of dead-headed systems to discharge after reactor vessel failure (i.e., providing a mechanism for flooding the reactor cavity).

• The status of systems that provide heat removal from the reactor vessel or containment. Careful attention should be paid to the interactions between such systems and coolant injection systems. For example, limitations in the capability of dual-function systems such as the Residual Heat Removal (RHR) system in most boiling water reactors (BWRs) (which provides pumping capacity for low-pressure coolant injection [LPCI] and heat removal for suppression pool cooling) should be properly accounted for.

• Recoverability of "failed" systems after the onset of core damage. Typical recovery actions include restoration of alternating current (AC) power to active components and alignment of non-safety-grade systems to provide (low-pressure) coolant injection to the reactor vessel or to operate containment sprays. Constraints on recoverability (such as no credit for repair of failed hardware) are defined in a manner that is consistent with recovery analysis in the Level 1 PRA.

• The interdependence of various systems for successful operation. For example, if successful operation of a LPCI system is necessary to provide adequate suction pressure for successful operation of a high-pressure coolant injection (HPCI) system, failure of the low-pressure system (by any mechanism) automatically renders the high-pressure system unavailable. This information may only be indirectly available in the results of the Level 1 analysis, but should be explicitly represented in the PDS attributes if recovery of the low-pressure system (after the onset of core damage) is modeled.


Several subtle aspects of the mapping of accident sequence cutsets from the Level 1 analysis to the PDSs used as input to a Level 2 analysis should be noted at this point.

• The entire core damage frequency (CDF) generated by the Level 1 analysis is carried forward into the definition of the PDSs which are the entry points to the Level 2 analysis. A minimum ("cut-off") frequency is not defined as a means of screening out "less-important" accident sequences. The objective is to allow the risk contribution from low-frequency/high-consequence accident sequences to be captured.

• The mapping from the Level 1 analysis to the PDSs is performed at the cutset level, not the accident sequence level.

• For some accident sequences, the status of all systems may not be determined from the sequence cutsets. For example, if the success criteria for a large break loss-of-coolant accident (LOCA) in a pressurized water reactor (PWR) require successful accumulator operation, the large LOCA sequence cutsets involving failure of all accumulators will contain no information about the status of other coolant injection systems. Realistic resolution of the status of such systems, however, often provides a mechanism for representing accident sequences that are arrested before substantial core damage and radionuclide release occurs. In a Level 2 analysis, these systems are not simply assumed to operate as designed. Their failure frequencies are estimated in a manner that preserves relevant support system dependencies. These are then numerically combined with the sequence cutset frequencies from the Level 1 analysis.
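The cutset-to-PDS mapping described in this section, as an added Python example that is not part of NUREG-1602: every cutset is carried forward with no cut-off frequency, the mapping is done per cutset rather than per sequence, a system whose status the cutset leaves undetermined is resolved by splitting the cutset frequency with an assumed failure probability (the constant LPI_UNRESOLVED_FAIL_PROB, where the text requires the estimate to preserve support-system dependencies), the dead-headed state is kept distinct from failed, an assumed LPI-to-HPI suction dependence is applied, and the cutset/PDS cross-reference that the documentation attributes call for is returned. The cutset identifiers, sequence names, attribute names, frequencies and binning rule are all constructed for illustration.

```python
"""Binning Level 1 cutsets into plant damage states (PDSs).

Added example (not from NUREG-1602).  Every cutset, frequency and binning
rule below is constructed sample data; the attribute names and the
resolution probability are assumptions chosen for illustration.
"""
import math
from collections import defaultdict
from dataclasses import dataclass, replace

# Assumed probability that an injection system whose status the Level 1
# cutset leaves undetermined is in fact failed.  The text requires this to be
# estimated with support-system dependencies preserved; here it is a constant.
LPI_UNRESOLVED_FAIL_PROB = 0.05


@dataclass(frozen=True)
class Cutset:
    cutset_id: str
    sequence: str          # Level 1 accident sequence the cutset belongs to
    frequency: float       # per reactor-year (constructed values)
    rcs_pressure: str      # "high" or "low" at the onset of core damage
    lpi: str               # low-pressure injection: operating/dead_headed/failed/undetermined
    hpi: str               # high-pressure injection: operating/failed
    ac_power: bool         # AC power available at the onset of core damage
    containment_bypass: bool


def resolve_undetermined(cs: Cutset) -> list:
    """Split a cutset whose LPI status is undetermined into two resolved
    cutsets whose frequencies sum to the original (no frequency is lost)."""
    if cs.lpi != "undetermined":
        return [cs]
    # An available low-pressure system is dead-headed while the vessel is at
    # high pressure; that state is kept distinct from "failed".
    available = "dead_headed" if cs.rcs_pressure == "high" else "operating"
    return [
        replace(cs, cutset_id=cs.cutset_id + "-A", lpi=available,
                frequency=cs.frequency * (1.0 - LPI_UNRESOLVED_FAIL_PROB)),
        replace(cs, cutset_id=cs.cutset_id + "-B", lpi="failed",
                frequency=cs.frequency * LPI_UNRESOLVED_FAIL_PROB),
    ]


def pds_key(cs: Cutset) -> str:
    """Constructed binning rule: the PDS is named from the attributes that
    drive containment response and source term."""
    # Interdependence (assumed for this plant): HPI takes suction from LPI,
    # so a failed LPI renders HPI unavailable whatever the cutset says.
    hpi = "failed" if cs.lpi == "failed" else cs.hpi
    return "|".join([
        "BYPASS" if cs.containment_bypass else "NOBYP",
        "RCS=" + cs.rcs_pressure,
        "LPI=" + cs.lpi,
        "HPI=" + hpi,
        "AC=" + ("on" if cs.ac_power else "off"),
    ])


def bin_cutsets(cutsets):
    """Map cutsets (not sequences) to PDSs with no cut-off frequency.

    Returns (pds_frequency, cutset_to_pds, pds_to_cutsets); the last two are
    the cross-reference the documentation attributes call for."""
    pds_frequency = defaultdict(float)
    cutset_to_pds = {}
    pds_to_cutsets = defaultdict(list)
    for raw in cutsets:
        for cs in resolve_undetermined(raw):
            key = pds_key(cs)
            pds_frequency[key] += cs.frequency
            cutset_to_pds[cs.cutset_id] = key
            pds_to_cutsets[key].append(cs.cutset_id)
    return dict(pds_frequency), cutset_to_pds, dict(pds_to_cutsets)


def total_cdf(cutsets) -> float:
    return sum(cs.frequency for cs in cutsets)


def cdf_conserved(cutsets) -> bool:
    """Check that the PDS frequencies sum to the Level 1 CDF."""
    pds_frequency, _, _ = bin_cutsets(cutsets)
    return math.isclose(sum(pds_frequency.values()), total_cdf(cutsets), rel_tol=1e-12)


# Constructed sample cutsets; sequence names and frequencies are illustrative.
SAMPLE_CUTSETS = [
    Cutset("C001", "SBO-1", 2.0e-6, "high", "failed", "failed", False, False),
    Cutset("C002", "SBO-1", 1.0e-7, "high", "failed", "failed", False, False),
    Cutset("C003", "LLOCA-3", 3.0e-7, "low", "undetermined", "failed", True, False),
    Cutset("C004", "TRANS-2", 5.0e-6, "high", "dead_headed", "failed", True, False),
    Cutset("C005", "TRANS-2", 4.0e-9, "high", "dead_headed", "failed", True, False),
    Cutset("C006", "ISLOCA-1", 1.0e-8, "low", "failed", "operating", True, True),
]

if __name__ == "__main__":
    freqs, to_pds, from_pds = bin_cutsets(SAMPLE_CUTSETS)
    for key, f in sorted(freqs.items(), key=lambda kv: -kv[1]):
        print(f"{f:.3e}  {key}  <- {from_pds[key]}")
    print("CDF conserved:", cdf_conserved(SAMPLE_CUTSETS))
```

The conservation check is the part worth keeping in a real binning tool: if the PDS frequencies do not sum to the Level 1 CDF, a cutset was dropped or double-counted, which is exactly the loss of low-frequency/high-consequence contributions the text warns against. The 4.0e-9 cutset is binned like every other one; no threshold removes it.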

Application Impact Considerations

It is possible that a particular change to a plant's current licensing basis (CLB) may affect the way in which accident sequences are binned into PDSs. For instance, if the proposed change involves the operability of a particular containment system, this could influence the manner in which the system is accounted for in the PDS attributes.

Interfaces with Other Tasks

This task provides the interface between the accident sequences identified by the CDF analysis and the subsequent accident progression analysis. The large number of cutsets generated by the Level 1 analysis is reduced to a practical number of PDSs which serve as the starting point for the Level 2 analysis. This task is a crucial step in assuring that the accident sequences are correctly characterized in terms of containment performance and radionuclide release.

Documentation

In general, sufficient information should be provided in the documentation to allow an independent analyst to reproduce the results. At a minimum, the following should be provided:

• a thorough description of the procedure used to group (bin) individual accident cutsets into PDSs, or other reduced set of accident scenarios for detailed Level 2 analysis,

• a listing of the specific attributes or rules used to group cutsets, and

• a listing and/or computerized database providing cross reference for cutsets to PDSs and vice versa.

3.1.1.2 Assessment of Containment System Performance

The reliability of systems whose primary function is to maintain containment integrity during accident conditions is not always completely incorporated in the accident sequence analysis performed by a Level 1 PRA. Such systems may include containment isolation, fan coolers, distributed containment sprays, and hydrogen igniters. Neglecting these systems (or a simplified representation of them) in Level 1 analyses is common practice because their operation may not play any role in preventing core damage following a postulated accident initiating event. An assessment of the reliability of these systems is, therefore, incorporated in a Level 2 analysis to ascertain whether they would operate as designed to provide containment response during core damage accidents.

Considerations for the Baseline PRA

The methods, scope, and technical rigor used to evaluate the reliability of the containment isolation/heat removal systems are comparable to those used in the Level 1 analysis of other "frontline" systems (refer to Chapter 2). Fault tree models (or other techniques) for estimating failure probabilities are developed and linked directly to the accident sequence models from the Level 1 PRA. This linkage is necessary to properly capture the important influence of mutual dependencies between failure mechanisms for containment systems and other systems. Obvious examples include support system dependencies, such as electrical power, component cooling water, and instrument/control air. Other dependencies that need to be represented in a manner consistent with the Level 1 system models, however, are more subtle. For example:

• Indirect failure of containment safety systems due to harsh environmental conditions (resulting from failure of a support system) should be represented in the assessment of containment system reliability. One important example is failure of reactor or auxiliary building room cooling causing the failure of containment systems due to high ambient temperatures.

• The impact of containment system operation prior to the onset of core damage should be accounted for in the evaluation of system operability after the onset of core damage.

• The human reliability analysis associated with manual actuation of containment systems (e.g., hydrogen igniters) should take into account operator performance during earlier stages of an accident sequence. This analysis should follow the same practices used in the Level 1 analysis as described in Chapter 2.

The long-term performance of containment systems should also be evaluated although the issues to be considered may differ substantially from those listed above. Degradation of the environment within which systems are required to operate as an accident sequence proceeds in time should be taken into account. In all cases, the assessment of failure probability for containment systems should be based on realistic performance limits rather than bounding (design basis or equipment qualification) criteria.


Application Impact Considerations

As noted in the introduction, the containment systems may be incorporated into the PRA model in a rather simplified fashion. It is possible that a particular change to a plant's CLB may affect the way a containment system performs or is operated. The modeling of this system should, therefore, be at a level of detail which can reflect this change in performance or operation.

Interfaces with Other Tasks

The results from this task provide some of the information necessary for the quantification of the containment event trees. This task also interfaces with the system performance evaluations performed for the Level 1 analysis.

Documentation

Documentation of containment system performance assessments should include a description of the information used to develop containment systems' analysis models and link them with other system reliability models. This documentation should be prepared in the same manner as that generated in the Level 1 analysis of other systems (previously discussed in Chapter 2).

3.1.1.3 Evaluation of Severe Accident Progression

Accident analysis codes [such as the Modular Accident Analysis Program (MAAP) (Ref. 3.1) or MELCOR (Ref. 3.2)] provide a framework within which the evolution of events in a severe accident can be accounted for in an integrated fashion. Consequently, the results of these calculations typically provide a basis for estimating the timing of major accident events and for characterizing a range of potential containment loads.

Although code calculations are a useful part of an evaluation of severe accident progression, their results do not form the sole basis for characterizing challenges to containment integrity in a quality Level 2 PRA. There are several reasons for this:

• Many of the models embodied in severe accident analysis codes address highly uncertain phenomena. In each case, certain assumptions are made (either by the model developers or the code user) regarding controlling physical processes and the appropriate formulation of models that represent them. In some instances, the importance of these assumptions can be tested via parametric analysis. However, the extent to which the results of any code calculation can be demonstrated to be robust in light of the numerous uncertainties involved is severely limited by practical constraints of time and resources. Therefore, the assumptions inherent in many code models remain untested.

• None of the integral severe accident codes contain models to represent all accident phenomena of interest. For example, models for certain hydrodynamic phenomena such as buoyant plumes, intra-volume natural circulation, and gas-phase stratification are not represented in most integral computer codes. Similarly, certain severe accident phenomena, such as dynamic fuel-coolant interactions (i.e., steam explosions) and hydrogen detonations, are not represented.

• It is simply impractical to perform an integral calculation for all severe accident sequences of interest.


As a result, the process of evaluating severe accident progression involves a strategic blend of plant-specific code calculations, applications of analyses performed in other prior PRAs or severe accident studies, focused engineering analyses of particular issues, and experimental data. The manner in which each of these sources of information is used in a Level 2 PRA is described below.

Considerations for the Baseline PRA

The following are used to determine the number of plant-specific calculations that would be performed using an integral code to support a Level 2 PRA:

• At least one integral calculation (addressing the complete time domain of severe accident progression) is performed for each plant damage state. However, this may not be practical depending on the number of plant damage states developed according to the above discussion. At a minimum, calculations are performed to address the dominant accident sequences (i.e., those with the highest contribution to the total core damage frequency). Calculations are also performed to address sequences that are anticipated to result in relatively high radiological releases (e.g., containment bypass scenarios).

• In addition to the calculations of a spectrum of accident sequences described above, several sensitivity calculations are performed to examine the effects of major uncertainties on calculated accident behavior. For example, multiple calculations of a single sequence are performed in which code input parameters are changed to investigate the effects of alternative assumptions regarding the timing of stochastic events (such as operator actions to restore water injection) or the models used to represent uncertain phenomena (such as the size of the opening in containment following overpressure failure). These calculations provide information that is essential to the quantitative characterization of uncertainty in the Level 2 probabilistic logic models (refer to the discussion of logic model development and assignment of probabilities below).

Table 3.1 lists phenomena that can occur during a core meltdown accident and involve considerable uncertainty.

Table 3.1 Severe accident phenomena

Phenomena: Characteristics of accident phenomena

Hydrogen generation and combustion:
• Enhanced steam generation from melt/debris relocation
• Steam starvation caused by degraded fuel assembly flow blockage
• Clad ballooning
• Recovery of coolant injection systems
• Steam/hydrogen distribution within containment
• De-inerting due to steam condensation or spray operation

Induced failure of the reactor coolant system pressure boundary:
• Natural circulation flow patterns within the reactor vessel upper plenum, hot legs, and steam generators
• Creep rupture of hot leg nozzles, pressurizer surge line, and steam generator U-tubes

Debris bed coolability and core-concrete interactions:
• Debris spreading/depth on the containment floor
• Crust formation at debris bed surface and effects on heat transfer
• Debris fragmentation and cooling upon contact with water pools
• Steam generation and debris oxidation

Fuel-coolant interactions:
• Potential for dynamic loads to bounding structures
• Hydrogen generation during melt-coolant interaction

Melt/debris ejection following reactor vessel failure:
• Melt/debris state and composition in the lower head
• Mode of lower head failure
• Debris dispersal and heat transfer following high-pressure melt ejection

Shell melt-through failure in Mark I containments:
• Melt spreading dynamics
• Effects of water
• Shell heat transfer and failure mechanism

This list in Table 3.1 was based on information in NUREG-1265 (Ref. 3.3), NUREG/CR-4551 (Ref. 3.4), and other studies. It is recognized that considerable disagreement persists within the technical community regarding the magnitude (and in some cases, the specific source) of uncertainty in several of the phenomena listed in Table 3.1. A major objective of the panels assembled as part of the research program that culminated in NUREG-1150 (Ref. 3.5) was to translate the range of technical opinions within the severe accident research community into a quantitative measure of uncertainty on specific technical issues. In a Level 2 PRA, the results of this effort are used as guidance for defining the range of values of uncertain modeling parameters to be used in the sensitivity calculations described above.

A fundamental design objective of the integral severe accident analysis codes used to support a Level 2 PRA (e.g., MAAP, MELCOR) is that they be fast running. Efficient code operation is necessary to allow sensitivity calculations to be performed within a reasonably short time and with minimal resources. One consequence of this objective, however, is that many complex phenomena are modeled in a relatively simple manner or, in some cases, are not represented at all. Therefore, a Level 2 PRA addresses the inherent limitations of integral code calculations in two respects. First, the importance of phenomena not represented by the integral codes is evaluated by some other means (i.e., either application of specialized computational models or by comparison with experimental investigations). Secondly, the effects of modeling simplifications are examined by comparisons with mechanistic code calculations.

In summary, evaluating severe accident progression involves a complex process of plant-specific sensitivity studies using integral codes, mechanistic code calculations, use of prior calculations, experimental data, and expert judgment. Examples of this process are given for each of the phenomena in Table 3.1 in the following sections.

Hydrogen Generation and Combustion

Hydrogen phenomena were identified in the NUREG-1150 study as an area where considerable uncertainty existed and, hence, issues associated with hydrogen phenomena were addressed by NUREG-1150 panels. These expert panels explicitly considered the uncertainties associated with key phenomena and accounted for uncertainties in the initial and boundary conditions. Distributions that characterized these uncertainties were developed by these panels and provide a convenient and important framework for assessing uncertainties for this application.

The uncertainty in the amount of hydrogen produced during the in-vessel phase of a severe core damage accident was addressed in the NUREG-1150 study by the In-Vessel Panel. Results from this panel are provided in NUREG/CR-4551, Vol. 2, Part 1, for both PWRs and BWRs. In this report, distributions are provided for the percentage of in-vessel zirconium that is oxidized.

Clearly, as evident by the NUREG-1150 distributions, there is considerable uncertainty in the amount of zirconium oxidized in vessel and the use of a single number (for example, from a MELCOR or MAAP code calculation) is not adequate. While these codes can all predict the amount of hydrogen produced during an accident, the amounts that they predict often vary since they model the phenomena differently. Similarly, a series of sensitivity evaluations with a single code is usually not sufficient to assess the uncertainties since typically a single code will not include all of the relevant phenomena. Instead, a PRA should include distributions such as those developed by the In-Vessel Panel to characterize the uncertainty in the amount of hydrogen generated during the in-vessel phase of the accident.

Uncertainties in the impact of hydrogen combustion phenomena on the containment were addressed in the NUREG-1150 study by the Containment Loads Expert Panel. For PWRs, hydrogen combustion is a more significant concern in the smaller volume ice condenser containments than it is in the large volume containments. For BWRs, hydrogen combustion¹ is typically only a concern for plants with Mark III containments since both the Mark I and Mark II containments are inerted during normal operation and past PRAs have considered this method reliable under most accident conditions. Hence, the Containment Loads Expert Panel assessed the combustion phenomena at the Grand Gulf plant (BWR, Mark III) and the Sequoyah plant (PWR, Ice Condenser). Information regarding the incorporation of this information into the NUREG-1150 PRAs is provided in NUREG/CR-4551, Vol. 5 (Ref. 3.6) for the Sequoyah plant analysis and in NUREG/CR-4551, Vol. 6 (Ref. 3.7) for the Grand Gulf plant analysis.

Since information relevant to hydrogen combustion tends to be specific to the plant and the accident sequences being analyzed, relevant deterministiccalculationsare used to provide guidance when determining the amount of steam in the containment atmosphere and for determining the distribution of gases in the various compartments.

Considering these characteristics, the concentrations of hydrogen, oxygen, and steam are determined for each containment volume where combustion is a concern. These concentrations are then used to determine whether a combustible mixture exists. Of particular concern are local areas where hydrogen can accumulate and thereby form a mixture that can potentially detonate. For compartmentalized containments, such as ice condenser containments, there can be considerable uncertainty in these concentrations for the various compartments, necessitating the development of uncertainty distributions. A discussion of these uncertainties for an ice condenser containment can be found in Section 5.2 of NUREG/CR-4551, Vol. 2, Part 2, Rev. 1. The calculation of the total concentration of hydrogen in containment takes into account both the hydrogen produced in-vessel and ex-vessel (through the core-concrete interaction) in cases where the containment does not fail at vessel breach.

[1] Here combustion refers to combustion in the containment. However, following failure of the containment, combustion of hydrogen in the reactor buildings surrounding Mark I and Mark II containments can also be a concern. Combustion in the reactor building surrounding a Mark I plant was addressed by the Containment Loads Expert Panel and is discussed in Section 5.3 of NUREG/CR-4551, Vol. 2, Rev. 1, Part 2.

3-9 Draft, NUREG-1602

3 Internal Event Level 2 PRA for Full Power Operations

Combustible mixtures that form in the containment can be ignited from a number of sources including igniters, AC powered equipment, and hot surfaces. For situations where there are no identifiable ignition sources, such as during a station blackout, it is still possible for a combustible mixture of hydrogen to ignite since ignition requires very little energy. The ignition of hydrogen under this last condition was addressed in NUREG-1150 by the Containment Loads Panel. Results from this panel are provided in Section 5.1 for the Grand Gulf plant (BWR, Mark III) and Section 5.2 for the Sequoyah plant (PWR, Ice Condenser) of NUREG/CR-4551, Vol. 2, Part 2. The panel provided distributions that characterized the uncertainty in the ignition frequency for situations where AC power is not available in the containment.

Quasi-static loads from hydrogen combustion events were assessed in the NUREG-1150 study by the Containment Loads Panel for both the Grand Gulf and the Sequoyah plants. Generally, the experts based the peak overpressures on the adiabatic isochoric complete combustion (AICC) model and then corrected the pressures to account for burn completeness, heat transfer, and expansion into non-participating compartments. For the PWR plant, the experts felt that the uncertainty in the peak overpressure was small compared to the uncertainties in the hydrogen concentration and ignition frequencies and, hence, a single estimate of the peak overpressure as a function of hydrogen concentration was provided instead of a probability distribution. These estimates are provided in Section 5.2 in NUREG/CR-4551, Vol. 2, Part 2, Rev. 1. For the BWR plant, the uncertainty in the peak overpressure was driven by the uncertainty in the burn completeness (although it was also acknowledged by these experts that the uncertainty in the ignition frequency is a key uncertainty associated with the hydrogen combustion phenomena) and, hence, probability distributions were developed. The distributions developed by this panel are provided in Section 5.1 of NUREG/CR-4551, Vol. 2, Part 2.
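As an added worked example (it is not part of NUREG-1602 and does not reproduce the NUREG-1150 panel's numbers), the following Python script carries out the two steps discussed above for a set of containment compartments: it determines the hydrogen, oxygen and steam fractions of each compartment and classifies the mixture as inert, flammable or detonable, then estimates the AICC peak pressure from a constant-volume energy balance and applies the burn-completeness and non-participating-volume corrections. The flammability and detonation limits, heat capacities, reaction energy and compartment inventories are assumed values chosen for illustration rather than plant data, and the expansion correction is a plain ideal-gas pressure equalisation with no further heat transfer.

```python
"""Compartment-by-compartment hydrogen combustion screening (added example).

Not part of NUREG-1602 or the NUREG-1150 Containment Loads Panel elicitation.
Flammability/detonation limits, heat capacities, the reaction energy and the
sample compartment inventories are assumptions for illustration only.
"""
from dataclasses import dataclass

R = 8.314                     # J/(mol K)
DU_H2 = 240_000.0             # J released per mol H2 burned at constant volume (assumed)
CV = {"H2": 22.0, "O2": 25.0, "N2": 23.5, "H2O": 30.0}  # J/(mol K), assumed hot-gas averages

# Assumed screening limits as volume fractions (roughly the Shapiro-diagram values)
LFL_H2 = 0.04                 # lower flammability limit of H2
STEAM_INERT = 0.55            # steam fraction above which the mixture is inert
O2_INERT = 0.05               # oxygen fraction below which the mixture is inert
DETONABLE_H2 = (0.18, 0.59)   # approximate direct detonation range in dry air


@dataclass
class Compartment:
    name: str
    volume_m3: float
    temp_k: float
    moles: dict            # species -> mol, e.g. {"H2": .., "O2": .., "N2": .., "H2O": ..}


def mole_fractions(c):
    total = sum(c.moles.values())
    return {k: v / total for k, v in c.moles.items()}


def classify(c):
    """'inert', 'flammable' or 'detonable' from the H2/O2/steam fractions."""
    x = mole_fractions(c)
    h2, o2, steam = x.get("H2", 0.0), x.get("O2", 0.0), x.get("H2O", 0.0)
    if steam >= STEAM_INERT or o2 < O2_INERT or h2 < LFL_H2:
        return "inert"
    if DETONABLE_H2[0] <= h2 <= DETONABLE_H2[1]:
        return "detonable"
    return "flammable"


def pressure_pa(c):
    """Initial (pre-burn) compartment pressure from the ideal gas law."""
    return sum(c.moles.values()) * R * c.temp_k / c.volume_m3


def aicc_pressure_pa(c, burn_fraction=1.0):
    """Peak pressure from a constant-volume energy balance (2 H2 + O2 -> 2 H2O).

    burn_fraction < 1 is the burn-completeness correction: only that share of
    the limiting reactant is consumed and the rest stays in the atmosphere.
    """
    n = {k: c.moles.get(k, 0.0) for k in CV}
    limiting = min(n["H2"], 2.0 * n["O2"])          # mol H2 that can burn
    burned = burn_fraction * limiting
    n["H2"] -= burned
    n["O2"] -= burned / 2.0
    n["H2O"] += burned
    cv_total = sum(n[k] * CV[k] for k in n)
    t_final = c.temp_k + burned * DU_H2 / cv_total  # heat release raises the product gas temperature
    return sum(n.values()) * R * t_final / c.volume_m3


def expanded_pressure_pa(c, p_burn_pa, other_volume_m3, other_pressure_pa):
    """Expansion into non-participating volume: pressure after the burned
    compartment equalises with an adjoining volume (assumed ideal gas,
    no further heat transfer)."""
    v_total = c.volume_m3 + other_volume_m3
    return (p_burn_pa * c.volume_m3 + other_pressure_pa * other_volume_m3) / v_total


def screen(compartments, burn_fraction=1.0):
    """Classification, initial pressure and AICC peak pressure (Pa) per compartment."""
    return {c.name: (classify(c), pressure_pa(c), aicc_pressure_pa(c, burn_fraction))
            for c in compartments}


# Constructed sample inventories (not plant data) for an ice-condenser-like layout
SAMPLE = [
    Compartment("upper", 20000.0, 350.0, {"H2": 60000.0, "O2": 138000.0, "N2": 520000.0, "H2O": 40000.0}),
    Compartment("lower", 8000.0, 390.0, {"H2": 8000.0, "O2": 40000.0, "N2": 150000.0, "H2O": 260000.0}),
    Compartment("dead-end", 500.0, 340.0, {"H2": 4500.0, "O2": 2900.0, "N2": 10900.0, "H2O": 1700.0}),
]

if __name__ == "__main__":
    for name, (kind, p0, p_aicc) in screen(SAMPLE, burn_fraction=0.8).items():
        print(f"{name:9s} {kind:10s} P0={p0/1e5:5.2f} bar  AICC(80% burn)={p_aicc/1e5:5.2f} bar")
```

The "dead-end" compartment is the case the text singles out: a small volume where hydrogen has accumulated into the detonable range even though the large upper compartment is merely flammable. In a PRA the limits and the burn fraction would themselves be drawn from uncertainty distributions rather than fixed as here.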

Since the publication of NUREG-1150, some additional research has been conducted on combustion of hydrogen-air-steam mixtures in condensing environments (Ref. 3.8). In these experiments, ignition was provided by thermal igniters. These experimental results provide relevant information that was not available during the NUREG-1150 study and may be referenced when assessing the peak pressure in a rapidly condensing environment with igniters available.

Hydrogen detonations in the Grand Gulf and Sequoyah containments were also addressed by the Containment Loads Expert Panel and are discussed in Sections 5.1 and 5.2 of NUREG/CR-4551, Vol. 2, Rev. 1, Part 2, respectively. The panel assessed the frequency of a deflagration to detonation transition (DDT). The DDT frequency was analyzed considering different locations within the containment and different concentrations of hydrogen within each location. The probability distributions that characterize the uncertainty in the DDT frequency are broad for both the BWR and the PWR plants. Given that a detonation occurs, the expert panel also assessed the resulting peak impulse. The geometry in the area where the ignition occurs is a key uncertainty that affects the likelihood that a DDT will occur. Similarly, the interaction between the detonation wave and structures is a key uncertainty that affects the peak impulse.

Induced Failure of the Reactor Coolant System (RCS) Pressure Boundary

The possibility of a temperature-induced rupture of the steam generator (SG) tubes is affected by several factors including the thermal hydraulic conditions at various locations in the primary system, which determine the temperatures (and the time at those temperatures) and the pressures to which the SG tubes are subjected as the accident progresses. Other relevant factors include the effective temperature required for creep rupture failure of the SG tube and the presence of pre-existing defects in the SG tubes which increase the likelihood of rupture.

In NUREG-1150, this issue was treated in the expert elicitation process. All experts agreed that hot leg failure, including failure of the surge line, was much more likely to occur before a rupture of a steam generator tube. Two experts felt that pre-existing defects in the SG tubes could lead to a higher probability of SG tube rupture (SGTR). The third expert felt that due to the long time lag between temperatures in the hot leg and the SG tubes, the frequency of temperature-induced SGTR was so small that it could be expressed as a (small) constant value regardless of pre-existing defects.

A conditional probability distribution of temperature-induced SGTR was developed in NUREG-1150 by aggregating the individual distributions provided by three experts. A discussion of the phenomenon and the assignment of the conditional probability distribution of temperature-induced SGTR is contained in NUREG/CR-4551, Vol. 2. This distribution was applied in the accident progression event trees developed for the Zion and for the Surry plants in NUREG-1150. The Zion and Surry reports [NUREG/CR-4551, Vol. 7 (Ref. 3.9) and NUREG/CR-4551, Vol. 3 (Ref. 3.10), respectively] can be consulted for information related to how the conditional probability distribution of temperature-induced SGTR should be applied to obtain the split fractions for the containment event tree for this issue.

Debris Bed Coolability and Core-Concrete Interaction (CCI)

Debris coolability is an important issue because if the debris is brought to a coolable geometry, the only source for containment pressurization will be the generation of steam from boiloff of the overlying water. This is a slow process and, in the absence of containment heat removal, would result in very late containment failure, allowing ample time for remedial actions. Furthermore, a coolable debris geometry would limit basemat penetration.

In addition, if a coolable debris bed is formed in the cavity or pedestal and makeup water is continuously supplied, then interactions between the core debris and concrete will be minimized and release of radioactive material from this source would be avoided.

If CCI does occur (i.e., the debris bed is not coolable), experimental results indicate that the presence or absence of an overlying water pool does not have much effect on the downward progression of the melt front.

The mechanisms that govern debris coolability are conduction heat transfer, shrinkage cracking, gas sparging and melt eruption, and crust failure under the weight of the water. Experimental research (Ref. 3.11) has been carried out to investigate this issue. These tests include the SWISS-1 and -2 (Ref. 3.12), FRAG-3 and -4 (Ref. 3.13), WETCOR-1 (Ref. 3.14), and MACE (Ref. 3.15) series of tests. This experimental information would be considered in a quality PRA when developing distributions for the likelihood of forming a coolable debris bed for a particular plant configuration. The expert panel convened for molten core-concrete interaction issues as part of the NUREG-1150 effort is an example of how major input parameters for this issue are quantified.

Fuel-Coolant Interactions

For an accident leading to a severely damaged core, the probability of an in-vessel steam explosion causing early containment failure was assumed in WASH-1400 to be between 0.1 and 0.01. In 1985, the first Steam Explosion Review Group (SERG-1) workshop was held to systematically evaluate the alpha-mode failure issue. The experts who participated in that workshop reviewed the then current understanding of the potential for containment failure from in-vessel steam explosion, and reached a nearly unanimous opinion that the probability of alpha-mode failure is less than that used in WASH-1400. NRC-sponsored research carried out since 1985 has played a major role in developing an understanding of the key physical processes involved in energetic fuel coolant interactions (FCIs).

In June 1995, the second SERG (SERG-2) workshop was held to revisit the alpha-mode failure issue and to evaluate the current understanding of other FCI issues that could potentially contribute to risk, such as shock loading of the lower head and ex-vessel support structures. The estimates of failure probability expressed by SERG-2 experts were generally an order of magnitude lower than the SERG-1 estimates.

Melt/Debris Ejection Following Reactor Vessel Failure

In certain severe accidents, the failure of the reactor pressure vessel (RPV) can occur while the RCS is at elevated pressure. In these accidents, the expulsion of the molten core debris and blowdown of the RCS could lead to a very rapid and efficient heat transfer to the containment atmosphere, possibly accompanied by oxidation reactions and hydrogen combustion that further enhance the energy transfer. These processes, which lead to containment pressurization, are collectively referred to as direct containment heating (DCH). Overpressurization resulting from DCH is a significant containment challenge that can lead to early containment failure.

The results of a probabilistic assessment of DCH-induced containment failure for the Zion Nuclear Power Plant were published in NUREG/CR-6075 (Ref. 3.16) and its supplement. NUREG/CR-6338 (Ref. 3.17) used the methodology and scenarios described in NUREG/CR-6075 to address the DCH issue for all Westinghouse plants with large volume containments, including 34 plants with large dry containments and seven plants with subatmospheric containments. DCH load versus strength evaluations were performed in a consistent manner for all plants. The phenomenological modeling was closely tied to the experimental database. Plant-specific analyses were performed, but sequence uncertainties were enveloped by a small number of splinter scenarios without assignment of probabilities. The results of screening calculations reported in NUREG/CR-6338 indicate that only one plant showed a conditional containment failure probability (CCFP) based on the mean fragility curves greater than 0.001. The CCFP for this one plant was found to be less than 0.01. These results can, therefore, be used for Level 2 PRAs for Westinghouse plants with large volume containments. For BWRs and other PWR plants, the methodology reported in NUREG/CR-6338 for performing load/strength evaluations using the plant-specific input to the two-cell equilibrium model or appropriate containment analysis codes can be used to provide a PRA-integrated perspective on this issue. For plants with ice condenser containments, it is believed that the ice chamber in the plant can, to a certain extent, trap dispersing core debris and provide cooling to moderate the effect of DCH.

Shell Melt-through Failure in Mark I Containments

To address the shell melt issue in NUREG-1150, a panel of experts was convened to provide input as to the probability of shell melt for five scenarios: (1) low and medium flow with water, (2) low and medium flow without water, (3) high flow with water, (4) high flow without water and two of three parameters (pressure, fraction of metal, and superheat) high, and (5) high flow without water and two of three parameters (pressure, fraction of metal, and superheat) low. The individual elicitations were then averaged and presented in Table 6-1 of NUREG/CR-4551, Vol. 2, Part 2.

In a more recent report, Theofanous et al. published a probabilistic methodology in NUREG/CR-6025 (Ref. 3.18) as an overall systematic approach for addressing the Mark I shell melt-through issue.

The above approaches are examples of generating probabilistic information on shell melt-through. A Level 2 PRA would investigate plant-specific design features including pedestal door arrangement (and relative alignment of downcomers), drywell floor area and sump volumes and, in particular, the amount of fuel in the reactor and the downcomer entrance height above the drywell floor. The downcomer entrance height affects not only the amount of water attainable on the floor but, more importantly, if the amount of fuel is sufficient that melt can run directly into the downcomer, liner failure is virtually assured. The probabilities of shell melt-through should apply to a steel lined reinforced concrete containment; however, if sufficient technical basis is provided, the effective failure size in the containment structure may be adjusted accordingly (though there should be no credit given for "self-healing" of the containment boundary).

Application Impact Considerations

A change in a plant's CLB can affect the way a plant system performs or operates. If the plant system(s) in question could have an influence on the accident progression, then the accident progression analysis should account for the change in the systems' performance or operation. For example, a degraded power supply to hydrogen igniters could influence the likelihood and severity of a hydrogen combustion event in the containment, or the removal of a backup water supply could reduce the chances for achieving debris bed coolability and increase the possibility of core-concrete interaction. An operational example would be a change in procedures related to the restart of the reactor coolant pumps under degraded core conditions which could influence the likelihood of an induced failure of the RCS pressure boundary.

Interfaces with Other Tasks

This task provides the bulk of the information for quantifying the containment event trees. The conditions produced by the various severe accident phenomena should also be considered for the assessment of the performance of containment systems.

Documentation

Documentation of analyses of severe accident progression should include the following:

• a description of plant-specific accident simulation models (e.g., MAAP or MELCOR) including extensive references to source documentation for input data,
• a listing of all computer code calculations performed and used as a basis for quantifying any event in the containment probabilistic logic model including a unique calculation identifier or name, a description of key modeling assumptions or input data used, and a reference to documentation of calculated results. (If input and/or output data are archived for quality assurance records or other purposes, an appropriate reference to calculation archive records is also provided.),
• a description of key modeling assumptions selected as the basis for performing "base case" or "best-estimate" calculations of plant response and a description of the technical bases for these assumptions,
• a description of plant-specific calculations performed to examine the effects of alternate modeling approaches or assumptions,
• if analyses of a surrogate (i.e., "similar") plant are used as a basis for characterizing any aspect of severe accident progression in the plant being analyzed, references to, or copies of, documentation of the original analysis, and a description of the technical basis for assuring the applicability of results, and
• for all other original engineering calculations, a sufficiently complete description of the analysis method, assumptions, and calculated results is prepared to accommodate an independent (peer) review.

3.1.2 Establishing Containment Performance Limits

The objective of this element of a Level 2 PRA is to determine the loading limits (or capacity) that the containment can withstand given the range and magnitude of the potential challenges. These challenges take many forms, including internal pressure rises (that occur over a sufficiently long time frame that they can be considered "static" in terms of the structural response of the containment), high temperatures, thermo-mechanical erosion of concrete structures, and under some circumstances, localized dynamic loads such as shock waves and internally generated missiles. Realistic estimates for the capacity of the containment structure to withstand these challenges are generated to provide a benchmark against which the likelihood of containment failure can be estimated.

In a Level 2 PRA, the attributes of the analyses necessary to characterize containment performance limits are consistent with those of the containment load analyses against which they will be compared:

• They focus on plant-specific containment performance (i.e., application of reference plant analyses is generally inadequate).
• They consider design details of the containment structure, such as:
  - containment type (free-standing steel shell; concrete-backed steel shell; pre-stressed, post-tensioned, or reinforced concrete)
  - the full range of penetration sizes, types, and their distribution (equipment and personnel hatches, piping penetrations, electrical penetration assemblies, ventilation penetrations)
  - penetration seal configuration and materials
  - discontinuities in the containment structure (shape transitions, wall anchorage to floors, changes in steel shell or concrete reinforcement).
• They consider interactions between the containment structure and neighboring structures (the reactor vessel and pedestal, auxiliary building(s), and internal walls).

3.1.2.1 Considerations for the Baseline PRA

A thorough assessment of containment performance generally begins with a structured process of identifying potential containment failure modes (i.e., mechanisms by which integrity might be violated). This assessment commonly begins by reviewing a list of failure modes identified in PRAs for other plants to determine their applicability to the current design. Such a list was incorporated in the NRC's guidance for performing an individual plant examination (IPE) (Ref. 3.19). This review is then supplemented by a systematic examination of plant-specific design features and emergency operating procedures to ascertain whether additional, unique failure modes are conceivable. For each plausible failure mode, containment performance analyses are performed using validated structural response models, as well as plant-specific data for structural materials and their properties.

For many containment designs, overpressure has been found to be a dominant failure mechanism. In a quality Level 2 PRA, the evaluation of ultimate pressure capacity is performed using a plant-specific, finite-element model of the containment pressure boundary including sufficient detail to represent major discontinuities such as those listed above. The influence of time-varying containment atmosphere temperatures is taken into account by performing the calculation for a reasonable range of internal temperatures. To the extent that internal temperatures are anticipated to be elevated for long periods of time (e.g., during the period of aggressive core-concrete interactions), thermal growth and creep rupture of steel containment structures are taken into account.

The characterization of containment performance limits is not simply a matter of defining a threshold load at which the structure "fails." A Level 2 PRA attempts to distinguish between structural damage that results in "catastrophic failure" of the containment from damage that results in significant leakage[2] to the environment. Leakage is often characterized by a smaller opening (i.e., one that may not preclude subsequent increases in containment pressure).

Failure to isolate the containment is also considered. It is very important to assess both the location and size of the containment failure because of the implications for the source term calculation; e.g., given the same in-vessel and ex-vessel releases inside containment, a rupture in the drywell of a Mark II containment will result in higher releases to the environment than a leak in the wetwell.

Current models for the response of complex structures to even "simple" loads (such as internal pressure) are not sufficiently robust to allow simultaneous prediction of a failure threshold and resulting failure size. This is particularly true for structures composed of non-homogeneous materials with highly non-linear mechanical properties such as reinforced concrete. As a result, calculations to establish performance limits are supplemented with information from experimental observations of containment failure characteristics and expert judgment. Examples of this process can be found in NUREG-1150.

Failure location and size by dynamic pressure loads and internally generated missiles should also be probabilistically examined. The structural response panel for NUREG-1150 assessed the size and location of the containment breach by dynamic pressure loads for Grand Gulf (reinforced concrete) and Sequoyah (free-standing steel). Both leaks and ruptures were predicted to occur in the containment response to detonations at Grand Gulf, and ruptures were predicted to occur at Sequoyah. Alpha mode failure (for all NUREG-1150 plants) and steel shell melt-through of a containment wall by direct contact of core debris (for Peach Bottom and Sequoyah) were treated as rupture failures of containment in NUREG-1150.

[2] Significant leakage is defined relative to the design basis leakage for the plant. Leakage rates greater than 100 times the design basis have been found risk significant in past studies.

Basemat melt-through is generally treated as a leak in most Level 2 PRAs because of the protracted times involved as well as the predicted radionuclide retention in the soil. If a bypass of containment, such as an interfacing systems LOCA, is predicted to occur, then its effective size and location (e.g., probability that the break is submerged in water) are also estimated in order to perform the source term calculations.

3.1.2.2 Application Impact Considerations

A change in the plant's CLB could impact the limits of containment performance. The containment structural capability or the reliability of containment isolation could be affected by changes in equipment or inspection levels, etc. If this is a consideration, the analysis of the containment performance limits should be detailed enough to account for such an impact. For instance, if a change in the CLB could affect the containment isolation system, this system should be modeled in sufficient detail to reflect this change.

3.1.2.3 Interfaces with Other Tasks

The containment performance limits established by this task form a crucial input to the probabilistic assessment of the containment performance and the ability of the containment to withstand the challenges from severe accidents.

3.1.2.4 Documentation

In general, sufficient information in the documentation of analyses performed to establish quantitative containment performance limits is provided that allows an independent analyst to reproduce the results. At a minimum, the following information is documented for a PRA:

• a general description of the containment structure including illustrative figures to indicate the general configuration, penetration types and location, and major construction materials,
• a description of the modeling approach used to calculate or otherwise define containment failure criteria,
• if computer models are used (e.g., finite element analysis to establish overpressure failure criteria), a description of the way in which the containment structure is nodalized including a specific discussion of how local discontinuities, such as penetrations, are addressed, and
• if experimentally determined failure data are used, a sufficiently detailed description of the experimental conditions to demonstrate applicability of results to plant-specific containment structures.

3.1.3 Probabilistic Modeling of Containment Performance

The way in which uncertainties are represented in the characterization of containment performance[3] is an important consideration in a Level 2 PRA. In particular, explicit and quantitative recognition should be given to uncertainties in the individual processes and parameters that influence severe accident behavior and attendant containment performance. These uncertainties are then quantitatively integrated by means of a probabilistic logic structure that allows the conditional probability of containment failure to be quantitatively estimated, as well as the uncertainty in the containment failure probability.

Two elements of such an assessment are described below. First, the characteristics of the logic structure used to organize the various contributors to uncertainty are described. However, the major distinguishing element of an approach to characterizing containment performance is the assignment and propagation of uncertainty distributions for major events in the logic model. The key phrase here is uncertainty distributions (i.e., point estimates of probability are not universally applied to the logic model). Characteristics of these distributions and the manner in which they are used in a typical logic model are described later in this section.

3.1.3.1 Considerations for the Baseline PRA

The primary function of a "containment event tree," or any other probabilistic model evaluating containment performance, is to provide a structured framework for organizing and ranking the alternative accident progressions that may evolve from a given core damage sequence or a plant damage state. In developing this framework, whether it be in the form of an event tree, fault tree or other logic structure, several elements are necessary to allow a comprehensive assessment of containment performance:

• Explicit recognition of the important time phases of severe accident progression. Different phenomena may control the nature and intensity of challenges to containment integrity and the release and transport of radionuclides as an accident proceeds in time. The following time frames are of particular interest to a Level 2 analysis:

  - After the initiating event, but before the onset of core damage. This time period establishes important initial conditions for containment response after core damage begins.
  - After the core damage begins, but prior to failure of the reactor vessel lower head. This period is characterized by core damage and radionuclide release (from fuel) while core material is confined within the reactor vessel.
  - Immediately following reactor vessel failure. Prior analysis of containment performance suggests that many of the important challenges to containment integrity occur immediately following reactor vessel failure. These challenges may be short-lived, but often occur only as a direct consequence of the release of molten core materials from the reactor vessel immediately following lower head failure.
  - Long-term accident behavior. Some accident sequences evolve rather slowly and generate relatively benign loads to containment structures early in the accident progression. However, in the absence of some mechanism by which energy generated within the containment can be safely rejected to the environment, these loads may steadily increase to the point of failure in the long term.

  When linked end-to-end, these time frames constitute the outline for most probabilistic containment performance models. Within each time frame, uncertainties in the occurrence or intensity of governing phenomena are systematically evaluated.

[3] Uncertainties in the estimation of radionuclide source terms are also represented in a Level 2 PRA; however, this topic is discussed in Section 3.2.

• Consistency in the treatment of severe accident events from one time frame to another. Many phenomena may occur during several different time frames of a severe accident. However, certain limitations apply to the composite (integral) contribution of some phenomena over the entire accident sequence and these are represented in the formulation of a probabilistic model.

  A good example is hydrogen combustion in a PWR containment. Hydrogen generated during core degradation can be released to the containment over several time periods. However, an important contribution to the uncertainty in containment loads generated by a combustion event is the total mass of hydrogen involved in a particular combustion event. One possibility is that hydrogen released to the containment over the entire in-vessel core damage period accumulates without being burned (perhaps) as a result of the absence of a sufficiently strong ignition source. Molten core debris released to the reactor cavity at vessel breach could represent a strong ignition source, which would initiate a large burn (assuming the cavity atmosphere is not steam inert). Because of the mass of hydrogen involved, this combustion event might challenge containment integrity. Another possibility is that while the same total amount of hydrogen is being released to the containment during in-vessel core degradation, a sufficiently strong ignition source exists to cause several small burns to occur prior to vessel breach. In this case, the mass of hydrogen remaining in the containment atmosphere at vessel breach would be very small in comparison to the first case, and the likelihood of a significant challenge to containment integrity at that time should be correspondingly lower. Therefore, the logic for evaluating the probability of containment failure associated with a large combustion event occurring at the time of vessel breach is able to distinguish these two cases and preclude the possibility of a large combustion event if hydrogen was consumed during an earlier time frame.

• Recognition of the interdependencies of phenomena. Most severe accident phenomena and associated events require certain initial or boundary conditions to be relevant. For example, a steam explosion can only occur if molten core debris comes in contact with a pool of water. Therefore, it may not be meaningful to consider ex-vessel steam explosions during accident scenarios in which the drywell floor (BWR) or reactor cavity (PWR) is dry at the time of vessel breach. Logic models for evaluating containment performance capture these and many other such interdependencies among severe accident events and phenomena. Explicit representation of these interdependencies provides the mechanism for allowing complete traceability between a particular accident sequence (or PDS) and a specific containment failure mode.
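The three elements above (time frames, consistency across time frames, and interdependencies) can be seen together in a small containment event tree. The Python fragment below is an added illustration written for this page; it is neither the NUREG-1150 accident progression event tree nor any plant's CET, and every split-fraction parameter, hydrogen mass and threshold in it is an assumption. It tracks the hydrogen inventory from the in-vessel time frame to vessel breach so that a large burn at vessel breach is not questioned once early burns have consumed the inventory, it only questions an ex-vessel steam explosion when the cavity is wet, and it carries each split fraction as a Beta distribution so that the conditional containment failure probability (CCFP) for a plant damage state comes out as a distribution rather than a single number.

```python
"""Containment event tree (CET) fragment with hydrogen bookkeeping (added example).

Not NUREG-1150's APET nor any plant's CET.  Demonstrates: hydrogen consumed
by early burns is not available for a large burn at vessel breach (VB); an
ex-vessel steam explosion is only questioned when the cavity is wet; split
fractions are carried as distributions so the conditional containment failure
probability (CCFP) is itself a distribution.  All parameters are assumed.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass
class PlantDamageState:
    name: str
    h2_in_vessel_kg: float   # hydrogen released to containment before VB
    ac_power: bool           # igniters / AC-powered ignition sources available
    cavity_wet: bool         # water in the reactor cavity at VB


@dataclass
class Branch:
    """Beta-distributed split fraction; mean = alpha / (alpha + beta)."""
    alpha: float
    beta: float

    def mean(self):
        return self.alpha / (self.alpha + self.beta)

    def sample(self, rng):
        return rng.betavariate(self.alpha, self.beta)


# Assumed CET questions, in time-frame order
EARLY_IGNITION_AC = Branch(8.0, 2.0)     # small burns before VB, AC power available
EARLY_IGNITION_SBO = Branch(1.0, 9.0)    # small burns before VB, station blackout
BURN_AT_VB_FAILS = Branch(3.0, 7.0)      # large burn at VB breaches containment
FCI_AT_VB_FAILS = Branch(1.0, 99.0)      # ex-vessel steam explosion breaches containment
RESIDUAL_AFTER_EARLY_BURNS = 0.10        # fraction of inventory left after early burns (assumed)
LARGE_BURN_THRESHOLD_KG = 300.0          # below this mass no "large" burn is questioned (assumed)


@dataclass
class Path:
    probability: float
    early_burn: bool
    h2_at_vb_kg: float
    end_state: str


def enumerate_paths(pds, p_early, p_burn_fail, p_fci_fail):
    """Expand the tree for one PDS given point values of the split fractions."""
    paths = []
    for early_burn, p_e in ((True, p_early), (False, 1.0 - p_early)):
        # bookkeeping across time frames: early burns consume most of the inventory
        h2_at_vb = pds.h2_in_vessel_kg * (RESIDUAL_AFTER_EARLY_BURNS if early_burn else 1.0)
        # consistency: a large burn at VB is only questioned if enough H2 remains
        burn_outcomes = ([(True, p_burn_fail), (False, 1.0 - p_burn_fail)]
                         if h2_at_vb >= LARGE_BURN_THRESHOLD_KG else [(False, 1.0)])
        # interdependency: a steam explosion needs water in the cavity
        fci_outcomes = ([(True, p_fci_fail), (False, 1.0 - p_fci_fail)]
                        if pds.cavity_wet else [(False, 1.0)])
        for burn_fail, p_b in burn_outcomes:
            for fci_fail, p_f in fci_outcomes:
                if burn_fail:
                    end = "early failure: H2 burn at VB"
                elif fci_fail:
                    end = "early failure: ex-vessel steam explosion"
                else:
                    end = "no early failure"
                paths.append(Path(p_e * p_b * p_f, early_burn, h2_at_vb, end))
    return paths


def ccfp_from_paths(paths):
    return sum(p.probability for p in paths if p.end_state.startswith("early failure"))


def early_ignition_branch(pds):
    return EARLY_IGNITION_AC if pds.ac_power else EARLY_IGNITION_SBO


def ccfp_point(pds):
    """Point estimate using the mean of every split fraction."""
    return ccfp_from_paths(enumerate_paths(
        pds, early_ignition_branch(pds).mean(), BURN_AT_VB_FAILS.mean(), FCI_AT_VB_FAILS.mean()))


def ccfp_distribution(pds, samples=4000, seed=1):
    """Propagate the split-fraction distributions: (mean, 5th, 50th, 95th percentile)."""
    rng = random.Random(seed)
    early = early_ignition_branch(pds)
    values = sorted(
        ccfp_from_paths(enumerate_paths(
            pds, early.sample(rng), BURN_AT_VB_FAILS.sample(rng), FCI_AT_VB_FAILS.sample(rng)))
        for _ in range(samples))
    pct = lambda q: values[min(len(values) - 1, int(q * len(values)))]
    return statistics.fmean(values), pct(0.05), pct(0.50), pct(0.95)


# Constructed plant damage states (not plant data)
SBO_DRY = PlantDamageState("SBO, dry cavity", 500.0, ac_power=False, cavity_wet=False)
AC_WET = PlantDamageState("AC available, wet cavity", 500.0, ac_power=True, cavity_wet=True)

if __name__ == "__main__":
    for pds in (SBO_DRY, AC_WET):
        mean, p5, p50, p95 = ccfp_distribution(pds)
        print(f"{pds.name}: CCFP point={ccfp_point(pds):.4f} "
              f"mean={mean:.4f} 5%={p5:.4f} 50%={p50:.4f} 95%={p95:.4f}")
        for path in enumerate_paths(pds, early_ignition_branch(pds).mean(),
                                    BURN_AT_VB_FAILS.mean(), FCI_AT_VB_FAILS.mean()):
            print(f"  p={path.probability:.4f} early_burn={path.early_burn!s:5} "
                  f"H2@VB={path.h2_at_vb_kg:5.0f} kg  {path.end_state}")
```

Each enumerated path records the hydrogen mass at vessel breach and the end state, which is the traceability from plant damage state to containment failure mode that the last element above asks for. The point-estimate CCFP for the station blackout case is the product of the two mean split fractions, while the sampled distribution shows how wide the band around that number is.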

There are many approaches to transforming the technical information concerning containment loads and performance limits to an estimate of failure probability, but three approaches appear to dominate the literature.

Draft, NUREG-1602 3-18

3 Internal Event Level 2 PRA for Full Power Operations

In the first (least rigorous) approach, qualitative terms expressing various degrees of uncertainty are translated into quantitative (point estimate) probabilities. For example, terms such as "likely" or "unlikely" are assigned numerical values (such as 0.9 and 0.1). Superlatives, such as "very" likely or "highly" unlikely, are then used to suggest degrees of confidence that a particular event outcome is appropriate. The subjectivity associated with this method is controlled to some extent by developing rigorous attributes for the amount and quality of information necessary to justify progressively higher confidence levels (i.e., probabilities approaching 1.0 or 0.0). Nonetheless, this method is not considered an appropriate technique for assigning probabilities to represent the state of knowledge uncertainties in a PRA. Among its weaknesses, this approach simply produces a point estimate of probability and is not a rigorous technique for developing probability distributions.

The second technique involves a convolution of paired probability density functions. In this technique, probability density functions are developed to represent the distribution of credible values for a parameter of interest (e.g., containment pressure load) and for its corresponding failure criterion (e.g., ultimate pressure capacity). This method is more rigorous than the one described above in the sense that it explicitly represents the uncertainty in each quantity in the probabilistic model. The basis for developing these distributions is the collective set of information generated from plant-specific integral code calculations, corresponding sensitivity calculations, other relevant mechanistic calculations, experimental observations, and expert judgment. The conditional probability of containment failure (for a given accident sequence) is then calculated as the convolution of the two density functions. While this technique provides an explicit treatment of uncertainty at intermediate stages of the analysis, it still ultimately generates a point estimate for the probability of containment failure caused by a particular mechanism. The contributions to (and magnitude of) uncertainty in the final (total) containment failure probability are discarded in the process.

The third technique involves adding an additional feature to the technique described above. That is, the probability density functions representing uncertainty in each term of the containment performance logic model are propagated throughout the entire model to allow calculation of statistical attributes such as importance measures. One means for accomplishing this objective is the application of Monte Carlo sampling techniques (such as Latin Hypercube sampling). The application of this technique to Level 2 PRA logic models, pioneered in NUREG-1150, accommodates a large number of uncertain variables. Other techniques have been developed for specialized applications, such as the direct propagation of uncertainty technique developed to assess the probability of containment failure as a result of direct containment heating in a large dry PWR (Ref. 3.16). However, these other techniques are constrained to a small number of variables and are not currently capable of applications involving the potentially large number of uncertain variables addressed in a quality Level 2 PRA.
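As an added illustration (not part of NUREG-1602 and not code from any PRA tool), the following Python script carries the second and third techniques through on constructed distributions: convolving a lognormal pressure load with a lognormal ultimate capacity gives the point estimate of the second technique, and Latin Hypercube propagation of assumed epistemic ranges on the two medians gives the distribution of failure probability and the rank-correlation importance measure of the third. All pressures, logarithmic spreads and ranges are constructed assumptions.

```python
"""Added example (not from NUREG-1602 or any PRA code): the second technique
(convolution of a load density with a capacity distribution, giving a point
estimate) and the third (Latin Hypercube propagation of the epistemic
uncertainty in the inputs, giving a distribution plus a rank-correlation
importance measure).  Every number is a constructed illustration value.
"""
import math
import random


def norm_pdf(z):
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)


def norm_cdf(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def failure_prob_convolution(load_median, load_beta, cap_median, cap_beta,
                             n_grid=2000):
    """Technique 2: P(load > capacity) = integral f_L(x) * F_C(x) dx.
    L and C are lognormal (median, logarithmic std dev beta).  In u = ln x
    the integrand is a normal pdf times a normal cdf; midpoint rule over
    +/- 8 load standard deviations."""
    mu_l, mu_c = math.log(load_median), math.log(cap_median)
    lo, hi = mu_l - 8.0 * load_beta, mu_l + 8.0 * load_beta
    du = (hi - lo) / n_grid
    total = 0.0
    for i in range(n_grid):
        u = lo + (i + 0.5) * du
        f_load = norm_pdf((u - mu_l) / load_beta) / load_beta
        p_cap_below = norm_cdf((u - mu_c) / cap_beta)  # P(C < e^u)
        total += f_load * p_cap_below * du
    return total


def failure_prob_closed_form(load_median, load_beta, cap_median, cap_beta):
    """Exact value for two lognormals; used only to check the quadrature."""
    diff = math.log(load_median) - math.log(cap_median)
    return norm_cdf(diff / math.hypot(load_beta, cap_beta))


def latin_hypercube(n, ranges, rng):
    """n stratified samples over uniform ranges: each variable takes exactly
    one value per stratum, with strata permuted independently per variable."""
    columns = []
    for lo, hi in ranges:
        strata = list(range(n))
        rng.shuffle(strata)
        columns.append([lo + (s + rng.random()) / n * (hi - lo) for s in strata])
    return [tuple(col[i] for col in columns) for i in range(n)]


def spearman(xs, ys):
    """Rank correlation between an input and the output: the kind of
    importance measure the text says technique 3 makes available."""
    def ranks(values):
        order = sorted(range(len(values)), key=values.__getitem__)
        r = [0] * len(values)
        for rank, idx in enumerate(order):
            r[idx] = rank
        return r
    rx, ry = ranks(xs), ranks(ys)
    mean = (len(xs) - 1) / 2.0
    cov = sum((a - mean) * (b - mean) for a, b in zip(rx, ry))
    var = sum((a - mean) ** 2 for a in rx)
    return cov / var


def propagate_lhs(n_samples=200, seed=1):
    """Technique 3 on constructed epistemic ranges: the median combustion
    load is judged to lie in 90-130 psig and the median ultimate capacity in
    130-170 psig (uniform over each range); the betas are held fixed.
    Returns the sorted failure probabilities and the importance of each input.
    """
    rng = random.Random(seed)
    samples = latin_hypercube(n_samples, [(90.0, 130.0), (130.0, 170.0)], rng)
    probs = [failure_prob_convolution(l_med, 0.30, c_med, 0.15, n_grid=400)
             for l_med, c_med in samples]
    imp_load = spearman([s[0] for s in samples], probs)
    imp_cap = spearman([s[1] for s in samples], probs)
    return sorted(probs), imp_load, imp_cap


def percentile(sorted_vals, q):
    return sorted_vals[min(len(sorted_vals) - 1, int(q * len(sorted_vals)))]


if __name__ == "__main__":
    point = failure_prob_convolution(110.0, 0.30, 150.0, 0.15)
    probs, imp_load, imp_cap = propagate_lhs()
    print(f"technique 2 point estimate: {point:.3f}")
    print(f"technique 3 5th/50th/95th: {percentile(probs, 0.05):.3f} "
          f"{percentile(probs, 0.50):.3f} {percentile(probs, 0.95):.3f}")
    print(f"importance (rank corr): load {imp_load:+.2f} cap {imp_cap:+.2f}")
```

The point estimate falls inside the propagated band, which is exactly the information the second technique throws away and the third keeps.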

3.1.3.2 Application Impact Considerations

A change in a plant's CLB could affect the likelihood with which certain containment failures occur and the uncertainties associated with these failures. If this is the case, the probabilistic containment model should be detailed enough to account for the effects of such changes.

Such uncertainties tend to dominate a Level 2 PRA, rather than uncertainty associated with random behavior.


3.1.3.3 Interfaces with Other Tasks

This task integrates many of the results produced from the other tasks discussed. For instance, the containment performance limits established under the previous task provide many of the anchor points for the probability distributions used in this task.

3.1.3.4 Documentation

The following documentation is generated to provide the results and describe the process by which the conditional probability of containment failure is calculated:

- tabulated conditional probabilities of various containment failure modes with specific characterizations of time phases of severe accident progressions (e.g., early vs. late containment failures),

- a listing and description of the structure of the overall logic model used to assemble the probabilistic representation of containment performance (graphical displays of event trees, fault trees or other logic formats are provided to illustrate the logic hierarchy and event dependencies),

- a description of the technical basis (with complete references to documentation of original engineering analyses) for the assignment of all probabilities or probability distributions within the logic structure,

- a description of the rationale used to assign probability values to phenomena or events involving subjective, expert judgment, and

- a description of the computer program used to exercise the logic model and calculate final results.

3.2 Radionuclide Release Characterization

The second, albeit equally important, product of a Level 2 PRA is a quantitative characterization of radiological release to the environment resulting from each accident sequence that contributes to the total CDF. In many Level 2 analyses, this information is used solely as a semi-quantitative scale to rank the relative severity of accident sequences. In such circumstances, a rigorous quantitative evaluation of radionuclide release, transport, and deposition may not be necessary. Rather, order-of-magnitude estimates of the release for a few important radionuclide species provide a satisfactory scale for ranking accident severity. In a Level 2 PRA, however, the characterization of radionuclide release to the environment provides sufficient information to completely define the "source term" for use in a Level 3 PRA to calculate offsite consequences. Further, the level of rigor required of the evaluation of radionuclide release, transport, and deposition directly parallels that used to evaluate containment performance. That is:

- Source term analyses (deterministic computer code calculations) reflect plant-specific features of system design and operation.

In particular, plant-specific characteristics, such as quantity of fuel, control rod material, and in-core support structure composition and spatial distribution; configuration and deposition areas of primary coolant system and containment structures; reactor cavity (or drywell floor) configuration and concrete composition; and the topology of transport pathways from the fuel and/or core debris to the environment are faithfully represented in the models used to calculate radionuclide source terms.

- Calculations of radionuclide release, transport, and deposition represent sequence-specific variations in primary coolant system and containment characteristics.

For example, reactor vessel pressure during in-vessel core melt progression and the operation (or failure) of containment mitigation systems such as distributed sprays are represented in a manner that allows for their effects on radionuclide release and/or transport to be directly accounted for. Radionuclide release calculations also need to take into account scrubbing of the release by passive systems, such as overlying pools of water in the reactor cavity or the suppression pool in BWRs.

- Uncertainties in the processes governing radionuclide release, transport, and deposition are quantified.

In the same way uncertainties in the phenomena governing severe accident progression are quantified to characterize uncertainty in the probability of containment failure (described above), uncertainties related to radionuclide behavior under severe accident conditions are quantified to characterize uncertainty in the radionuclide source term associated with individual accident sequences.

The specific manner in which radionuclide source terms are characterized in a Level 2 analysis is described first. Attributes for coupling the evaluation of radionuclide release to analyses of severe accident progression for particular sequences are also described. Finally, attributes for addressing uncertainties in radionuclide source terms are described.

3.2.1 Definition of Radionuclide Source Terms

3.2.1.1 Considerations for the Baseline PRA

The analysis of offsite consequences resulting from an accidental release of radionuclides performed in a Level 3 PRA requires specification of several parameters from a Level 2 PRA which define the environmental source term. Ideally, the following information is developed:

- the time at which a release begins,
- the time history of the release of all important radionuclides that contribute to health effects,
- the chemical form of the radionuclides,
- the elevation (above local ground level) at which the release occurs,
- the energy with which the release is discharged to the environment, and
- the size distribution of radioactive material released in the form of an aerosol (i.e., particulate).

As in many other aspects of a comprehensive PRA, it is impractical to generate this information for the full spectrum of accident conditions produced by Level 1 and 2 analyses. To address this constraint, several simplifications are made in a Level 2 analysis. The most significant of these are outlined below.

The following assumptions are typically made in a Level 2 analysis regarding the radioactive material of interest:

- All radionuclides of a single chemical element are released from the fuel at the same rate.

- Chemical elements exhibiting similar properties in terms of their measured rate of release from fuel, physical transport through the reactor coolant system and the containment, and chemical behavior in terms of interactions with other elemental species and structural surfaces can be effectively modeled as one composite radionuclide species. Typically, the specific properties of a single (mass dominant) element are used to represent the properties of all species within a group.

- Although the radionuclide species are released from fuel in their elemental form, many species quickly combine with other elements to form compounds as they migrate away from their point of release. The formation of these compounds and the associated change in the physico-chemical properties of individual radionuclide groups are taken into account in the analysis of radionuclide transport and deposition. In particular, volatile radionuclide species, such as iodine and cesium, may be transported in more than one chemical form, each with different properties that affect their transport.

Another simplification in the characterization of radionuclide release involves the treatment of the time-dependence of the release. In a Level 2 PRA, these variations are reduced to a series of discrete periods of radiological release, each of which is described by a starting time, a duration, and a (constant) release rate. The release rate may be simplified to represent major characteristics of the release history, such as an early, short-lived, large release immediately following containment failure followed by a longer period(s) of a sustained release. The specific characteristics of these discrete release periods may vary from one accident sequence (or plant damage state) to another, but the timing characteristics (i.e., start time and duration) should be the same for each radionuclide group (i.e., only the release rate varies from one group to another for a given release period). The total number of release periods is typically small (i.e., 3 or 4), and the periods represent distinct periods of severe accident progression. For example, the following time periods are representative of an accident leading to early structural failure of containment:

- Very early (containment leakage prior to containment failure),
- Puff release (immediately following containment failure),
- Early (relatively large release rate period during aggressive corium-concrete interactions), and
- Late (long-term, low release rate following CCI).

Note that the above time periods are for illustrative purposes only; others are developed, as necessary, to suit the specific results of a plant-specific assessment.

3.2.1.2 Application Impact Considerations

The impact of any suggested changes on availability of systems that mitigate radionuclide releases should be assessed.

3.2.1.3 Interfaces with Other Tasks

The radionuclide groupings and release periods chosen will provide the basis for the remaining radionuclide source term tasks.


3.2.1.4 Documentation

Documentation of analyses performed to characterize radiological source terms should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented in a PRA:

- The radionuclide grouping scheme used and the assumptions made to obtain it should be clearly described.

- The time periods considered for the release and the rationale for the choices made.

3.2.2 Coupling Source Term and Severe Accident Progression Analyses

The number of unique severe accident sequences represented in a Level 2 PRA can be exceedingly large. Comprehensive, probabilistic consideration of the numerous uncertainties in severe accident progression can easily propagate one accident sequence (or plant damage state) from the Level 1 systems analysis into 10^4 to 10^? alternative severe accident progressions. A radionuclide source term should be estimated for each of these accident progressions. Clearly, it is impractical to perform that many deterministic source term calculations.

3.2.2.1 Considerations for the Baseline PRA

A common practice in many Level 2 PRAs (although insufficient for a comprehensive assessment) is to reduce the analysis burden by grouping the alternative severe accident progressions into 'source term bins' or 'release categories.' This grouping process is analogous to the one used at the interface between the Level 1 and Level 2 analysis to group accident sequence cutsets into plant damage states. The principal objective of the source term grouping (or binning) exercise is to reduce the number of specific severe accident scenarios, for which deterministic source term calculations should be performed, to a practical value. A structured process similar to the one described in Chapter 2 (related to the assessment of accident sequences addressed in a quality Level 2 PRA) is typically followed to perform the grouping. Characteristics of severe accident behavior and containment performance that have a controlling influence on the magnitude and timing of radionuclide release to the environment are used to bin (or group) the alternative accident progressions into appropriate release categories. A deterministic source term calculation is then performed for a single (typically the highest frequency) accident progression within each release category to represent the entire group.

As indicated above, this approach is inadequate for a Level 2 analysis because the radionuclide source term for any given severe accident progression cannot be calculated with certainty. The influence of uncertainties related to the myriad processes governing radionuclide release from fuel, transport through the primary coolant system and containment, and deposition on intervening structures is significant and should be quantified with a similar level of rigor afforded to severe accident progression uncertainties. Examples of these uncertainties were given in Chapter 2. Further, a Level 2 PRA is performed in a manner that allows the relative contribution of individual parameter uncertainties to the overall uncertainty in risk to be calculated directly (i.e., via rank regression or some other statistically acceptable manner). This requires a probabilistic modeling process that combines the uncertainty distributions associated with the evaluation of accident frequency, severe accident progression, containment performance, and radionuclide source terms in an integrated, self-consistent fashion.

In performing this integrated uncertainty analysis, special care should be taken to ensure consistency between uncertain parameters associated with radionuclide release, transport and deposition, and other aspects of accident behavior. In particular, important correlations between the behavior of radionuclides and the other characteristics of severe accident progression should be accounted for. These correlations and other similar relationships are described in NUREG/CR-4551 (Ref. 3.20).


3.2.2.2 Application Impact Considerations

If the complete integrated uncertainty approach associated with a Level 2 analysis is performed, it is not likely that changes in a plant's CLB will impact the coupling of the source term and the accident progression analysis.

If a grouping or binning process is chosen and only deterministic source term calculations are performed for specific accident scenarios, then care should be taken that the chosen accident scenarios are capable of reflecting any impact a change in the plant's CLB may have on the source terms.

3.2.2.3 Interfaces with Other Tasks

As noted in the description above, this task requires the integration of the distributions obtained from the evaluation of accident frequency, accident progression, containment performance, and radionuclide source terms.

3.2.2.4 Documentation

Documentation of analyses performed to characterize radiological source terms should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented in a PRA:

- A summary of all computer code calculations used as the basis for estimating plant-specific source terms for selected accident sequences, specifically identifying those with potential for large releases.

- A description of modeling methods used to perform plant-specific source term calculations; this includes a description of the method by which source terms are assigned to accident sequences for which computer code (e.g., MAAP or MELCOR) calculations were not performed.

- If analyses of a surrogate (i.e., 'similar') plant are used as a basis for characterizing any aspect of radionuclide release, transport or deposition in the plant being analyzed, references to, or copies of, documentation of the original analysis, and a description of the technical basis for assuming applicability of results.

3.2.3 Treatment of Source Term Uncertainties

Results of the Level 2 PRAs described in NUREG-1150 indicate that uncertainties associated with processes governing radionuclide release from fuel, transport through the primary coolant system, secondary coolant system (if applicable), and containment, and deposition on bounding structures, can be a major contributor to the uncertainty in some measures of risk.

Uncertainties in the processes specifically related to radionuclide source term assessment should, therefore, be represented in a Level 2 PRA. A systematic process and calculation tools to accommodate source term uncertainties into the overall evaluation of severe accident risks were developed for the Level 2 PRAs described in NUREG-1150. A detailed description of this process and the associated tools is not provided here, and the reader is referred to NUREG/CR-4551, Vol. 2, Part 4 (Ref. 3.20), NUREG-1335, Appendix A (Ref. 3.19), NUREG/CR-5360 (Ref. 3.21), and NUREG/CR-5747 (Ref. 3.22) for additional information on these topics.


3.2.3.1 Considerations for the Baseline PRA

The areas in which key uncertainties are addressed in a Level 2 analysis are summarized below:

- Magnitude of radionuclide release from fuel during core damage and relocation of the released material in-vessel (primarily for volatile and semi-volatile radionuclide species),
- Chemical form of iodine for transport and deposition,
- Retention efficiency during transport through the primary and secondary coolant systems,
- Magnitude of radionuclide release from fuel (primarily refractory metals) and non-radioactive aerosol generation during corium-concrete interactions,
- Decontamination efficiency of radionuclide flow streams passing through pools of water (BWR suppression pools and PWR containment sumps),
- Late revaporization and release of iodine initially captured in water pools, and
- Capture and retention efficiency of aerosols in containment and secondary enclosure buildings.

When deterministic codes are being used to estimate the source term, it is important to account for all of the relevant phenomena even when the code does not explicitly include models for all of the phenomena. When a model is not available for certain important phenomena, it is not acceptable to simply ignore the phenomena. Instead, alternative methods, such as consulting different code calculations, using specialized codes, or assessing relevant experimental results, should be used.

When consequences are being estimated in the PRA, it is important to accurately represent the timing of the release. Past studies have shown that the number of early fatalities can be particularly sensitive to when the release occurs relative to when emergency response actions such as a general evacuation of the close-in population are initiated. Hence, it is also important that the approach used to estimate the source term properly accounts for timing characteristics of the release.

3.2.3.2 Application Impact Considerations

It is not likely that changes in a plant's CLB will impact the treatment of uncertainties in the radionuclide source term.

3.2.3.3 Interfaces with Other Tasks

The establishment of uncertainties in the radionuclide source term requires correct propagation of uncertainties through the accident progression.


3.2.3.4 Documentation

Documentation of analyses performed to characterize radiological source terms should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, a description of the method by which uncertainties in source terms are addressed should be documented for a quality PRA.


REFERENCES FOR CHAPTER 3

3.1 EPRI, "MAAP4 - Modular Accident Analysis Program for LWR Power Plants," RP3131-02, Vols. 1-4, Electric Power Research Institute, 1994.

3.2 R. M. Summers, et al., "MELCOR Computer Code Manuals - Version 1.8.3," NUREG/CR-6119, SAND93-2185, Vols. 1-2, Sandia National Laboratories, 1994.

3.3 USNRC, "Uncertainty Papers on Severe Accident Source Terms," NUREG-1265, 1991.

3.4 F. T. Harper, et al., "Evaluation of Severe Accident Risks: Quantification of Major Input Parameters, Expert Opinion Elicitation on In-Vessel Issues," NUREG/CR-4551, Vol. 2, Rev. 1, Part 1, Sandia National Laboratories, December 1990.

3.5 USNRC, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, December 1990.

3.6 J. J. Gregory, et al., "Evaluation of Severe Accident Risks: Sequoyah, Unit 1," NUREG/CR-4551, Vol. 5, Rev. 1, Parts 1 and 2, December 1990.

3.7 T. D. Brown, et al., "Evaluation of Severe Accident Risks: Grand Gulf, Unit 1," NUREG/CR-4551, Vol. 6, Rev. 1, Parts 1 and 2, December 1990.

3.8 T. Blanchat and D. Stamps, "Deliberate Ignition of Hydrogen-Air-Steam Mixtures Under Conditions of Rapidly Condensing Steam," SAND94-3101C, presented at the 22nd Water Reactor Safety Meeting (WRSM), Bethesda, MD, October 24-26, 1994.

3.9 C. K. Park, et al., "Evaluation of Severe Accident Risks: Zion Unit 1," NUREG/CR-4551, Vol. 7, Rev. 1, BNL-NUREG-52029, Brookhaven National Laboratory, March 1993.

3.10 R. J. Breeding, et al., "Evaluation of Severe Accident Risks: Surry Unit 1," NUREG/CR-4551, SAND86-1309, Vol. 3, Rev. 1, Part 1, Sandia National Laboratories, October 1990.

3.11 S. Basu, "An Overview of the Ex-Vessel Debris Coolability Issue," presented at the 21st Water Reactor Safety Meeting (WRSM), Bethesda, MD, October 26, 1993.

3.12 R. E. Blose, et al., "SWISS: Sustained Heated Metallic Melt/Concrete Interaction with Overlying Water Pools," NUREG/CR-4727, July 1987.

3.13 W. W. Tarbell, et al., "Sustained Concrete Attack by Low Temperature, Fragmented Core Debris," NUREG/CR-3024, July 1987.

3.14 R. E. Blose, et al., "Core-Concrete Interactions with Overlying Water Pools - The WETCOR-1 Test," NUREG/CR-5907, November 1993.

3.15 B. W. Spencer, et al., "Results of MACE Tests M0 and M1," Proceedings of the 2nd CSNI Specialists Meeting on Molten Core Debris Concrete Interactions, Karlsruhe, Germany, Report No. NEA/CSNI/R(92)10, April 1992.

3.16 M. M. Pilch, et al., "The Probability of Containment Failure by Direct Containment Heating in Zion," NUREG/CR-6075, Sandia National Laboratories, 1994.

3.17 M. M. Pilch, et al., "Resolution of the Direct Containment Heating Issue for all Westinghouse Plants with Large Dry Containment or Subatmospheric Containment," NUREG/CR-6338, SAND95-2381, February 1996.

3.18 T. G. Theofanous, et al., "The Probability of Mark-I Containment Failure by Melt-Attack of the Liner," NUREG/CR-6025, November 1993.

3.19 USNRC, "Individual Plant Examination: Submittal Guidance," NUREG-1335, August 1989.

3.20 F. T. Harper, et al., "Evaluation of Severe Accident Risks: Quantification of Major Input Parameters," NUREG/CR-4551, SAND86-1309, Vol. 2, Rev. 1, Part 4: Experts' Determination of Source Term Issues, Sandia National Laboratories, 1992.

3.21 H. J. Jow, et al., "XSOR Codes User Manual," NUREG/CR-5360, SAND89-0943, Sandia National Laboratories, 1993.

3.22 H. P. Nourbakhsh, "Estimate of Radionuclide Release Characteristics into Containment Under Severe Accident Conditions," NUREG/CR-5747, BNL-NUREG-52289, November 1993.

4. INTERNAL EVENT LEVEL 3 PRA FOR FULL POWER OPERATIONS

This chapter provides attributes for a Level 3 probabilistic risk assessment (PRA) for accidents initiated during full power operations of a nuclear power plant. A Level 3 PRA evaluates the consequences of an accidental release of radioactivity to the environment. Therefore, those PRA applications (e.g., averted dose, impact of evacuation strategies on early fatalities, etc.) that need information on offsite consequences should include a Level 3 PRA. A Level 3 PRA is also needed if the application necessitates that numerical values for risk be determined (e.g., for comparison with the U.S. Nuclear Regulatory Commission's [NRC's] quantitative health objectives [QHO]). Accidents initiated by internal events including internal fire and floods are addressed in the following section. Accidents initiated by external events are addressed in Chapter 5.

Analysis tasks performed as part of the Level 3 portion of a full-scope PRA consist of two major elements: accident consequence analysis, and computation of risk by integrating the results of Level 1, 2 and 3 analyses. Attributes for an analysis in each of these areas are described below.

4.1 Accident Consequence Analysis

The consequences of an accidental release of radioactive material from a nuclear power plant can be expressed in several forms; for example, impacts on human health, the environment, and economic impacts. The consequence measures of most interest to a Level 3 PRA focus on impacts on human health. Specific measures of accident consequences developed in a Level 3 PRA should include:

- Number of early fatalities
- Number of early injuries
- Number of latent cancer fatalities
- Population dose to various distances from the plant
- Individual early fatality risk defined in the early fatality QHO (i.e., risk to the average individual within 1 mile of the site boundary)
- Individual latent cancer risk defined in the latent cancer QHO (i.e., risk to the average individual within 10 miles of the plant)
- Land contamination.

4.1.1 Considerations for the Baseline PRA

Several probabilistic consequence assessment (PCA) codes are currently in use for estimating the consequences of postulated radiological releases. The MACCS computer code (Ref. 4.1) is supported by the NRC for use in nuclear power plant Level 3 PRAs. An earlier version of this code was used in the analyses reported in NUREG-1150 (Ref. 4.2).

The MACCS code necessitates a substantial amount of supporting information on local meteorology including wind speed, atmospheric stability, and precipitation; demography; land use; property values; etc. (Ref. 4.1 provides a complete description of the input data necessary.) In a full-scope evaluation of accident consequences, this information should represent current, site-specific conditions.

In addition, MACCS requires that the analyst make assumptions on the values of several parameters related to the implementation of protective actions following an accident, for example:

- The (site-specific) time needed to warn the public and initiate the emergency response action (e.g., evacuation or sheltering),
- The effective evacuation speed,
- The fraction of the offsite population which effectively participates in the emergency response action,
- The degree of radiation shielding afforded by the building stock in the area,
- The projected dose limits assumed to trigger normal and hot spot relocation during the early phase of the accident,
- The projected dose limits for long-term relocation from contaminated land, and
- The projected ingestion doses used to interdict contaminated farmland.

Since the values assumed for the above parameters have a significant impact on the consequence calculations, the selected values need to be justified and documented.

4.1.2 Application Impact Considerations

It is unlikely that a change in a plant's current licensing basis (CLB) would affect the accident consequence assessment. However, if the application necessitates knowledge of a particular risk measure (e.g., population dose for cost-benefit analysis or individual risk for comparison to the NRC's QHOs), then the consequence model used should be able to calculate these parameters.

4.1 D. I. Chanin, et al., "MELCOR Accident Consequence Code System (MACCS), User's Guide," NUREG/CR-4691, SAND86-1562, Sandia National Laboratories, 1990.

4.2 USNRC, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, December 1990.


4.1.3 Interfaces with Other Tasks

This task interfaces with the output of the Level 2 PRA and provides the magnitude of various risk measures conditional on a release occurring. The output of this task is used in the computation of risk (Section 4.2).

4.1.4 Documentation

Documentation of analyses performed to estimate consequences associated with the accidental release of radioactive material to the environment should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented for a PRA:

- A description of the site-specific data and assumptions used to perform the consequence calculations.

4.2 Computation of Risk

The final step in a Level 3 PRA is the integration of results from all previous analyses to compute the selected measures of risk. The severe accident progression and the fission product source term analyses conducted in the Level 2 portion of the PRA, as well as the consequence analysis conducted in the Level 3 part of the PRA, are performed on a conditional basis. That is, the evaluations of alternative severe accident progressions, resulting source terms, and consequences are performed without regard to the absolute or relative frequency of the postulated accidents. The final computation of risk is the process by which each of these portions of the accident analysis is linked together in a self-consistent and statistically rigorous manner.

4.2.1 Considerations for the Baseline PRA

The important attribute by which the rigor of the process is judged is the ability to demonstrate traceability from a specific accident sequence through the relative likelihood of alternative severe accident progressions and measures of attendant containment performance (i.e., early versus late failure) and ultimately to the distribution of fission product source terms and accident consequences. This traceability should be evident in both directions, i.e., from an accident sequence to a distribution of consequences and from a specific level of accident consequences back to the fission product source terms, containment performance measures, or accident sequences that contribute to that consequence level.
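As an added illustration (not part of NUREG-1602 or of any PRA code), the following constructed three-sequence model links the conditional Level 2 and Level 3 results to the Level 1 sequence frequencies and traces the result in both directions: sequence to consequence distribution, and consequence level back to the contributing sequences and containment failure modes. All frequencies, split fractions and person-rem values are invented.

```python
"""Level 1-3 risk integration with two-way traceability.

Added illustration, not from NUREG-1602. All frequencies, conditional
probabilities and consequence values below are constructed and carry no
plant-specific meaning.
"""
from collections import defaultdict

# Level 1: core damage frequency of each accident sequence (per reactor-year).
SEQUENCE_FREQ = {"SBO": 2.0e-5, "SLOCA": 8.0e-6, "TRANS": 1.5e-5}

# Level 2: conditional probability of each accident progression bin (APB),
# i.e. the containment performance measure, given the sequence.
APB_GIVEN_SEQ = {
    "SBO":   {"EARLY_FAIL": 0.10, "LATE_FAIL": 0.55, "NO_FAIL": 0.35},
    "SLOCA": {"EARLY_FAIL": 0.02, "LATE_FAIL": 0.30, "NO_FAIL": 0.68},
    "TRANS": {"EARLY_FAIL": 0.05, "LATE_FAIL": 0.40, "NO_FAIL": 0.55},
}

# Level 2: conditional probability of each source term group (STG) given the APB.
STG_GIVEN_APB = {
    "EARLY_FAIL": {"STG_HIGH": 0.6, "STG_MED": 0.4},
    "LATE_FAIL":  {"STG_MED": 0.3, "STG_LOW": 0.7},
    "NO_FAIL":    {"STG_LOW": 0.1, "STG_NONE": 0.9},
}

# Level 3: one consequence calculation per STG (here population dose, person-rem).
CONSEQUENCE = {"STG_HIGH": 2.0e6, "STG_MED": 3.0e5, "STG_LOW": 1.0e4, "STG_NONE": 0.0}


def check_consistency(tol=1e-9):
    """Every conditional split must sum to one; otherwise frequency is created
    or lost when the three levels are multiplied together."""
    for name, table in (("APB", APB_GIVEN_SEQ), ("STG", STG_GIVEN_APB)):
        for key, probs in table.items():
            total = sum(probs.values())
            if abs(total - 1.0) > tol:
                raise ValueError(f"{name} split for {key} sums to {total}")
    return True


def end_states():
    """Enumerate every (sequence, APB, STG) path with its annual frequency.
    Keeping the whole path is what makes the result traceable both ways."""
    for seq, f_seq in SEQUENCE_FREQ.items():
        for apb, p_apb in APB_GIVEN_SEQ[seq].items():
            for stg, p_stg in STG_GIVEN_APB[apb].items():
                yield seq, apb, stg, f_seq * p_apb * p_stg


def forward(seq):
    """Sequence -> frequency distribution over consequence levels."""
    dist = defaultdict(float)
    for s, _apb, stg, f in end_states():
        if s == seq:
            dist[CONSEQUENCE[stg]] += f
    return dict(dist)


def exceedance_frequency(level):
    """Annual frequency of a consequence at or above `level` (one CCDF point)."""
    return sum(f for _s, _a, stg, f in end_states() if CONSEQUENCE[stg] >= level)


def backward(level):
    """Consequence level -> ranked (frequency, sequence, APB, STG) contributors,
    i.e. which sequences and containment failure modes drive that level."""
    paths = [(f, seq, apb, stg) for seq, apb, stg, f in end_states()
             if CONSEQUENCE[stg] >= level]
    return sorted(paths, reverse=True)


def population_dose_risk():
    """Risk measure: frequency-weighted consequence (person-rem per year)."""
    return sum(f * CONSEQUENCE[stg] for _s, _a, stg, f in end_states())


if __name__ == "__main__":
    check_consistency()
    print("SBO consequence distribution:", forward("SBO"))
    print("F(>= 1e6 person-rem) =", exceedance_frequency(1.0e6))
    for f, seq, apb, stg in backward(1.0e6):
        print(f"  {f:.2e}/yr  {seq} -> {apb} -> {stg}")
    print("Population dose risk =", population_dose_risk(), "person-rem/yr")
```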

4.2.2 Application Impact Considerations

It is unlikely that a change in a plant's CLB would affect the method used to compute risk. However, if the application necessitates knowledge of a particular risk measure (e.g., population dose for cost-benefit analysis or individual risk for comparison to the NRC's QHOs), then the risk integration model used should be able to calculate these parameters.

4.2.3 Interfaces with Other Tasks

This task interfaces with the output of the Level 1 and 2 PRA tasks and calculates various risk measures.


4.2.4 Documentation

Documentation of analyses performed to estimate risk should provide sufficient information to allow an independent analyst to reproduce the results. At a minimum, the following information should be documented for a PRA:

- A description of modeling methods used to assign consequences to individual accident sequences represented in the probabilistic logic model; this includes a description of the method by which the full spectrum of severe accident source terms generated as part of the uncertainty analysis are linked to a limited number of actual consequence calculations.

- A description of the computational process used to integrate the entire PRA model (Level 1 through Level 3).

- A summary of all calculated results including frequency distributions for each risk measure.



5. EXTERNAL EVENT PRA FOR FULL POWER OPERATION

The analysis of external events in a probabilistic risk assessment (PRA) necessitates different considerations than those for an internal events analysis. This chapter discusses the attributes which should be considered in performing or reviewing a baseline external event PRA for full power operation. In addition, considerations for using the external event PRA models for evaluating the risk-significance of a proposed licensing modification are also presented.

5.1 Level 1 Analysis

This section presents the considerations for performing a Level 1 seismic PRA while at full power. In addition, considerations for performing a Level 1 PRA analysis of other external events which can be important at various plant sites (e.g., high winds, tornados, hurricanes, and nearby transportation accidents) are also presented. The evaluation of external events during low power and shutdown conditions is discussed in Chapter 6. Since the analysis of external events generally utilizes the models generated for the internal events analysis, the considerations discussed in Chapter 2 are also applicable for these events. The PRA considerations presented in this section thus focus on those Level 1 modeling aspects which are unique to the external events. However, the influence of the external events on the internal event Level 1 models (e.g., the impact of stress level, equipment accessibility, and lack of indications caused by an external event on the human reliability assessment) is also discussed.

5.1.1 Seismic Analysis

The objective of a seismic PRA is to analyze the risk due to core damage accidents initiated by earthquakes. This means that the frequency and severity of earthquakes should be coupled to models of the capacity of plant structures and components to survive each possible earthquake. The effects of structural failure should be assessed, and all the resulting information about the likelihood of equipment failure can be evaluated using the internal events PRA logic model of the plant modified as appropriate to include seismic-induced events.

The basic elements of a seismic PRA include (1) hazard analysis, (2) structure response analysis, (3) evaluation of component fragilities and failure modes, (4) plant system and sequence analysis, and (5) containment and containment system analysis.

This section highlights the major points to consider in the performance of a seismic PRA. Further details are contained in NUREG-1407 (Ref. 5.1), NUREG/CR-2300 (Ref. 5.2), and NUREG/CR-2815 (Ref. 5.3).

5.1.1.1 Considerations for the Baseline PRA

In a seismic PRA, seismic-induced failures in addition to random hardware failures are modeled. They can lead to accident initiating events as well as failures of components and systems that are needed to mitigate an accident.

In an internal events PRA, usually only active components are modeled. In a seismic PRA, passive components, such as pipe sections, tanks, and structures, have to be included. Unique failure modes of these components have to be identified and added to the logic model. In addition, relay chatter is a unique component failure mode during an earthquake that should be addressed.


One important aspect of a seismic event is that all parts of the plant are excited at the same time. This means that there may be significant correlation between component failures, and hence, the redundancy of safety systems could be compromised. The correlation could be introduced by common location, orientation, and/or vibration frequency. This type of "common cause" failure represents a unique risk to the plant that is reflected in a seismic PRA.

An additional consideration in the performance of a seismic PRA is the formation of both a well-organized walkdown team and a peer review team with combined experience in both system analysis and fragility evaluation. Ideally, the peer review should be conducted by individuals who are not associated with the initial evaluation to ensure both technical quality control and technical quality assurance of the PRA results and documentation.

Identification of Structures, Systems, and Components to be Included in the Seismic Analysis

The systems, structures and components (SSCs) modeled in the internal events PRA, internal fire PRA (Section 2.3), and internal flood PRA (Section 2.2) can be used in the identification of potential seismic-induced initiating events, component failure modes, and accident scenarios. They provide the starting point for the identification of SSCs to be included in the seismic analysis. In addition, a review of the fire and flood analyses can help identify the potential for seismic-induced fires and floods. For example, failure of a heat exchanger or tank could lead to a flood that impacts other components. Similarly, rupture of an oil storage tank can cause a fire.

During the plant familiarization in preparation for performing a seismic PRA, plant documentation regarding equipment layout, design, and construction of the SSCs identified in the internal events PRA is typically reviewed. During this process additional SSCs may be identified. During the plant walkdown, visual inspection of the equipment layout, component installation, and anchoring should identify SSCs whose failure could impact the risk of the plant. The plant walkdown is critical to identify as-designed, as-built, and as-operated seismic weak links in plants. Information is gathered to determine the significant failure modes of the SSCs and if the failure of an SSC would impact other equipment needed to mitigate the accident. For example, failure of a structure could cause failure of equipment nearby due to falling debris. More detailed attributes for a walkdown can be found in Sections 5 and 8 of the Electric Power Research Institute (EPRI) Seismic Margins Methodology (Ref. 5.4).

Initiating Events Analysis

Seismic-induced initiating events typically include transients, loss-of-offsite power (LOOP), and loss-of-coolant accidents (LOCAs). The postulated collapse of a major structure, such as the reactor building or turbine building, can be considered as an additional initiating event or as a basic cause for an initiating event that has been already identified in the internal events PRA. As mentioned previously, seismically induced fire and flood events can also be potentially identified. It is possible to have multiple initiating events for a given seismic event. This can be treated approximately by choosing the initiator with the worst impact from the standpoint of core damage probability and considering additional failures that are seismically induced. A systematic evaluation of the SSCs is performed to identify the causes of potential initiating events. In a manner similar to the way initiating events are grouped for an internal events PRA, the seismic failures can be grouped based on their impact on the plant. The results of the evaluation should produce a list of failures for each initiating event. The identified failures are then used to guide the quantification of the frequencies of the initiating events.

Hazard Analysis




In the 1980s, the methodologies for performing seismic hazard analysis were developed for the Eastern-U.S. sites by Lawrence Livermore National Laboratory (LLNL) (Ref. 5.5) and EPRI (Ref. 5.6). However, the seismic hazard curves produced by these two methodologies were significantly different for many of the eastern sites. As a result of the 1993 revision of the LLNL hazard curves (Ref. 5.7), either approach is currently considered to be acceptable. In 1993, an effort was also initiated to develop a method to produce more consistent seismic hazard curves (jointly supported by the NRC, EPRI, and the U.S. Department of Energy [DOE]). This recent development in seismic hazard analysis could also be used for future seismic PRAs. In the seismic hazard evaluation, site-specific soil conditions should be incorporated into the site-specific hazard curves to provide a true site-specific hazard evaluation. The potential for soil liquefaction should also be considered in a site-specific evaluation.

To quantify both the seismic hazard and component fragilities, a ground motion parameter needs to be selected. Traditionally, the peak ground acceleration or zero-period spectral acceleration has been used to represent the intensity of the earthquake hazard, which tends to introduce a significant uncertainty in the lower frequency range. To mitigate this problem, the average spectral acceleration is recommended for use since it expresses the ground motion intensity in terms of average response spectral values over the significant frequency range of interest for most structures and equipment (e.g., 5 Hz to 15 Hz). If an upper bound cutoff to ground motion at less than 1.5 g peak ground acceleration is assumed, sensitivity studies should be conducted to determine whether the use of this cutoff affects the delineation and ranking of seismic sequences.

Fragility Analysis

The fragility of a component or structure is defined as the conditional probability of failure given a value of the ground motion parameter. All the potential failure modes, both structural and functional, need to be examined to quantify the fragility value of a component. The sources of information that can be used in a fragility evaluation include the plant-specific design and test data, available experimental results, experience in past earthquakes (e.g., for offsite power loss), and generic fragility values from past studies.


Generic fragility parameters can be used in the initial screening of components and structures. However, the appropriateness of the generic fragility parameters has to be verified during the plant walkdown as well as by reviewing the documentation on component and structure fragilities. The high-confidence-and-low-probability (HCLPF) value can be used to screen components and structures without quantification of the seismic fault trees or event trees. Screening using a specified g-level for components and structures can be used to eliminate components with higher HCLPFs from further consideration in the PRA. However, if the core damage frequency (CDF) results indicate significant importance of components at the specified g-level, then components screened at this level should be added to the model and the results recalculated.


In the final PRA model, all components and structures that appear in the dominant accident cutsets should have site-specific fragility parameters that are derived based on plant-specific information, such as anchoring and installation of the component or structure. The methodologies for fragility analysis are discussed in a number of references, for example, NUREG/CR-2300 and EPRI NP-6041. It is desirable to incorporate the results of the latest available test data into the analysis and to also include aging effects in the component and structure fragility evaluation.

Seismic Model Development and Quantification

Seismic event trees can be developed by modifying the event trees developed for the internal events PRA, as appropriate. The event trees should consider events that can occur during an earthquake including a LOOP, station blackout (SBO), other transients, and LOCAs of different sizes as well as multiple initiators. The fault trees developed for internal events can also be modified to include failures induced by earthquakes, as well as the impact of failed instrumentation or contradicting indications. The random failure and human errors included in the fault trees for the internal events analysis should be retained for the seismic analysis. Relay chatter and recovery actions can be included in the analysis using the information given in Section 3.1.1.4 of NUREG-1407.

The logic models should demonstrate that simultaneous failures of multiple SSCs (including across a system boundary, if applicable) as a result of the earthquake are adequately modeled. Most of the seismic-induced failures can be adequately modeled by adding seismic-induced failure events in the fault trees for the affected systems.

In terms of initiating events, a combination of multiple initiating events has to be considered. For example, a LOCA with simultaneous LOOP or SBO should be considered in the risk assessment.

The fault trees and event trees should be quantified with a sufficient number of g-values to cover the range of possible earthquake levels. For each g-value, the event trees are quantified to determine the conditional core damage cutsets and conditional core damage probability. Integration/summation of the products of the conditional core damage probability and the hazard curve over all g-values provides the overall CDF due to seismic events.

Quantification can be done in two or more iterations. The initial screening quantification can be done by partially using generic component fragilities. The final quantification should use site-specific fragilities for those components that appear in the dominant cutsets. Care should be taken to treat system successes and high failure probabilities properly by the computer algorithm used. The uncertainties in the results should be fully quantified and displayed.
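As an added example (not from NUREG-1602, the EPRI methodology, or any plant study), the following code carries out the quantification just described on a constructed model: HCLPF-based screening, mean fragility curves built from median acceleration with randomness and uncertainty, a conditional core damage probability evaluated at each g-value with the two redundant EDGs treated as either fully correlated or independent, and the summation against a tabulated hazard curve. The hazard curve, fragility descriptors, random unavailabilities and the SBO-or-tank plant logic are all invented values.

```python
"""Seismic CDF by integrating conditional core damage probability over a
hazard curve, with HCLPF screening and correlated fragilities.

Added illustration, not from NUREG-1602 or any real plant: the hazard curve,
fragility descriptors, random unavailabilities and the tiny plant logic
below are all constructed.
"""
import math
from statistics import NormalDist

_N = NormalDist()

# Constructed mean hazard curve: annual frequency of exceeding a peak ground
# acceleration (PGA, g), tabulated at the g-values used for quantification.
HAZARD = [(0.10, 1.0e-3), (0.20, 3.0e-4), (0.30, 1.2e-4), (0.50, 4.0e-5),
          (0.75, 1.5e-5), (1.00, 6.0e-6), (1.50, 1.5e-6)]

# Constructed fragility descriptors: median capacity am (g), randomness
# beta_r, uncertainty beta_u, plus the random (non-seismic) unavailability
# carried over from the internal events model.
COMPONENTS = {
    "offsite_power": dict(am=0.30, beta_r=0.25, beta_u=0.30, q_random=0.0),
    "edg_a":         dict(am=1.20, beta_r=0.30, beta_u=0.35, q_random=0.05),
    "edg_b":         dict(am=1.20, beta_r=0.30, beta_u=0.35, q_random=0.05),
    "cst_tank":      dict(am=0.90, beta_r=0.25, beta_u=0.40, q_random=0.0),
}


def fragility(a, am, beta_r, beta_u, confidence=0.5):
    """P(failure | PGA = a) on the fragility curve at the given confidence
    level (0.5 is the median curve). Uncertainty beta_u shifts the median,
    randomness beta_r sets the slope."""
    if a <= 0.0:
        return 0.0
    shift = beta_u * _N.inv_cdf(confidence)
    return _N.cdf((math.log(a / am) + shift) / beta_r)


def mean_fragility(a, am, beta_r, beta_u):
    """Mean (composite-beta) fragility, the curve used for a point-estimate CDF."""
    if a <= 0.0:
        return 0.0
    return _N.cdf(math.log(a / am) / math.hypot(beta_r, beta_u))


def hclpf(am, beta_r, beta_u):
    """High-confidence (95%) of low-probability (5%) of failure capacity, in g."""
    return am * math.exp(-1.645 * (beta_r + beta_u))


def screen(components, g_level):
    """Names of components whose HCLPF is at or below the screening g-level;
    the rest are screened out of the seismic model (seismic failure dropped,
    random failures retained)."""
    return {name for name, c in components.items()
            if hclpf(c["am"], c["beta_r"], c["beta_u"]) <= g_level}


def conditional_cdp(a, components, retained, correlated):
    """P(core damage | PGA = a) for the constructed logic:
       (seismic LOOP and both EDGs fail) or the condensate storage tank fails.
    Seismic failures of the two EDGs (same building, same orientation) are
    treated as fully correlated or as independent; random failures are
    always independent."""
    def seismic_pf(name):
        if name not in retained:
            return 0.0
        c = components[name]
        return mean_fragility(a, c["am"], c["beta_r"], c["beta_u"])

    p_loop = seismic_pf("offsite_power")
    f_a, f_b = seismic_pf("edg_a"), seismic_pf("edg_b")
    q_a, q_b = components["edg_a"]["q_random"], components["edg_b"]["q_random"]
    if correlated:
        # One seismic failure event takes out both identical EDGs; only the
        # random failures can still act independently.
        p_edgs = f_a + (1.0 - f_a) * q_a * q_b
    else:
        p_edgs = (f_a * f_b + f_a * (1.0 - f_b) * q_b
                  + (1.0 - f_a) * f_b * q_a + (1.0 - f_a) * (1.0 - f_b) * q_a * q_b)
    p_sbo = p_loop * p_edgs
    p_tank = seismic_pf("cst_tank")
    return 1.0 - (1.0 - p_sbo) * (1.0 - p_tank)


def seismic_cdf(hazard, components, retained, correlated):
    """Sum over PGA intervals of P(CD | a_mid) * [H(a_i) - H(a_i+1)]: the
    conditional core damage probability weighted by the annual frequency of
    earthquakes in that interval. Frequency above the last tabulated g-value
    (the upper cutoff) is lumped at that g-value."""
    total = 0.0
    for i, (a_lo, h_lo) in enumerate(hazard):
        if i + 1 < len(hazard):
            a_hi, h_hi = hazard[i + 1]
            a_mid = 0.5 * (a_lo + a_hi)
        else:
            a_mid, h_hi = a_lo, 0.0
        total += conditional_cdp(a_mid, components, retained, correlated) * (h_lo - h_hi)
    return total


if __name__ == "__main__":
    everything = set(COMPONENTS)
    for name, c in COMPONENTS.items():
        print(f"{name:14s} HCLPF = {hclpf(c['am'], c['beta_r'], c['beta_u']):.3f} g")
    print("screened-in at 0.35 g:", sorted(screen(COMPONENTS, 0.35)))
    print("CDF, EDGs correlated  :", f"{seismic_cdf(HAZARD, COMPONENTS, everything, True):.2e}")
    print("CDF, EDGs independent :", f"{seismic_cdf(HAZARD, COMPONENTS, everything, False):.2e}")
```

Comparing the correlated and independent runs shows why the document asks for the correlation assumptions to be tabulated: the same fragilities give a materially different CDF depending on that one modeling choice.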

5.1.1.2 Application Impact Considerations

A particular change to a plant's current licensing basis (CLB) may influence the response of the plant to seismic events and thus influence the risk to the plant and public. The use of a seismic PRA in a risk-informed regulatory application necessitates that the impact of proposed plant or procedural changes be incorporated into the PRA evaluation. The actual nature of the impact will be application specific. However, in general, the proposed change should be evaluated for the impact on the following seismic PRA considerations:

- Identify if any additional SSCs should be included in the seismic model. Alternatively, the application may result in the removal of an SSC from consideration.

- Review the impact of the proposed change on the identified seismic-induced initiating events including their grouping.

- The fragility of a component or structure may potentially be affected by a proposed change in a plant's CLB. The appropriateness of generic and plant-specific fragilities should be reviewed in light of a proposed change.




- The structure and quantification of developed event trees and fault trees used in the seismic PRA should be modified as appropriate to reflect the proposed plant modification.

5.1.1.3 Interfaces with Other Tasks

A seismic PRA can utilize the PRA models used to evaluate internal events. In general, the models are modified to include seismic-induced failures in addition to the random failures modeled in an internal event PRA. Thus, the performance of a seismic PRA necessitates interfaces with several internal event PRA tasks, including initiating event identification, accident sequence analysis, systems analysis, data analysis, and human reliability analysis (HRA).

5.1.1.4 Documentation

The documentation of a seismic PRA should be sufficient to enable a peer reviewer to reproduce the results. The process of identifying SSCs to be included in the seismic analysis should be documented. The process should be demonstrated to be systematic and complete. An example of a set of screening criteria is the attributes in Section 2 of the EPRI Seismic Margins Methodology (Ref. 5.4). A list of any SSCs that were screened out should be provided with the screening criteria/assumptions. A list of SSCs that were included in the seismic analysis should be provided, along with the findings and procedures of the plant walkdown.

The following information should be documented for each SSC:

- The type of component and the plant-specific identification number,
- The location and orientation of the component in the plant,
- Support and anchorage details,
- Evaluation results of possible seismic interactions,
- Inspection results on the condition of components and anchorages,
- Photographs (if appropriate), and
- Results of screening.

The screening criteria for seismically induced initiating events should be documented. The criteria should be consistent with those used in the internal events analysis. The quantification of seismically induced initiating events is documented with enough detail so that a knowledgeable reader could reproduce the quantitative results.

The description of the seismic hazard method should be provided, together with the information used to characterize the seismicity near the site, the local soil conditions, and the potential for soil liquefaction.

The results of the seismic hazard analysis include the seismic hazard curves for different confidence levels (typically the 5, 10, 20, 30, 40, 50, 60, 70, 80, 90, and 95 percentiles), and the corresponding response spectra. The seismic hazard should be quantified for both horizontal and vertical components.

The following information for documenting the seismic hazard evaluation should be considered:


- Description of the seismic hazard analysis method, including the identification of computer codes used in the analysis.

- If a plant-specific hazard analysis method is used, all the assumptions/parameters regarding the seismic zoning, source parameters of each seismic zone (magnitude-frequency relationship), attenuation formula, and the local soil conditions.

- Hazard curves and the associated response spectra.

The methodologies used to quantify the fragility values of components, together with key assumptions, should be described sufficiently to allow for a peer review. A detailed list of the component fragility values should be provided that includes the method of seismic qualification, the dominant failure mode, source of information, and the location of the component. The fragility descriptors (median acceleration, uncertainty, and randomness) should be tabulated for all SSCs modeled, and the technical bases for the values used for each SSC should be provided.

Identification of the HCLPF values of all SSCs modeled is also recommended along with the basic fragility parameters. Both sequence-level and component-level HCLPF values should be provided to support decisions related to the identification and listing of seismic vulnerabilities.

The following information should be considered for documenting a fragility analysis:

- The description of the fragility analysis methodologies and key assumptions,
- Detailed fragility tables,
- Results of screening, and
- HCLPF values.

The following information on seismic model development and quantification should be documented:

- A description of the modeled initiating events including how SSC failures may cause the initiating events.

- A description of the seismic event trees with descriptions of the top events and seismic-induced failure events modeled. The modifications made to the event trees developed for the internal events PRA should be discussed in detail.

- The assumptions made related to correlated failures and how they were applied. For example, pumps from redundant trains of the same system are usually located in the same building and have the same orientation. Seismic-induced failures of pumps located in the same building are pessimistically assumed completely correlated unless more detailed analysis is performed to better quantify the correlation. A table containing all the correlated failures should be provided. The basis of the assumptions for correlations or lack thereof should be elaborated.

- The impact of structure failures. A table listing all the structures considered and the components or functions they affected should be provided.

- Failures of components can lead to fire and flood in addition to loss of their functions. Detailed documentation of the evaluation of seismically induced fires and floods should be provided.

- Description of quantification methodology.

- A discussion of the risk profiles and dominant scenarios for each earthquake magnitude.

- A discussion on considerations for uncertainties in seismic risk quantification. This should include the treatment of uncertainties for both hazard and fragility curves.

5.1.2 Analysis of "Other" External Events

Analysis of "other" external events for full power considerations should generally follow the processes already provided for full power analysis of internal event initiators. However, there are a few noteworthy differences that are discussed below.

5.1.2.1 Considerations for the Baseline PRA

The determination of what "other" external events need to be considered necessitates the review of many possible events that could occur. NUREG/CR-4839 (Ref. 5.8), for instance, provides a list of possible external events that should be considered for inclusion in this portion of the PRA.

This topic is further complicated by the fact that unlike the internal initiators, the "other" external events very often need to be described using a hazard curve rather than a single frequency estimate. This complicates the ability to screen out "other" external events on probabilistic grounds. Hence, screening of these events relies much more on sound deterministic arguments. The screening of any external events, therefore, necessitates adequate justification and documentation.

Modeling of accident sequences, equipment failures, and human errors generally follows the internal events, full power attributes, except that spatial and plant layout factors become relevant as is the case for internal fire and flood events. For instance, structural and barrier considerations need to be included; equipment, barrier, and structural failures need to be modeled using fragility curves; new relevant failure modes and equipment operability issues need to be included in the analysis based on the effects of the external event; and the models should allow for appropriate combinations of external event-induced failures with the random failures already included in the internal events analysis.

Correspondingly, the data values (or curves) used for the failure probability of equipment, structures, barriers, and for human error should consider the effects of the external event as the hazard severity changes. This could mean that greater failure probabilities are used than in the internal events analysis.

Finally, the quantification aspects of the analysis necessitate a much more sophisticated analysis technique (and hence computer code capabilities and validation) in order to properly determine the CDF resulting from these "other" external events. This technique should integrate the full spectrum of hazard potential (as delineated by the hazard curve) and the spectrum of failure probabilities in the model (defined by fragility curves and other means to describe how failure probabilities of plant equipment and human errors change as a function of the hazard severity).

5.1.2.2 Application Impact Considerations

As with the case of the analysis of internal events (including fires and floods) and seismic events, a proposed change in a plant's CLB can potentially impact the risk from other external events. The actual nature of a proposed plant modification or procedural change will determine how the PRA evaluation of these other external events is impacted. In general, the following factors should be considered in the risk evaluation of such a change:

- The screening of other external events should be reviewed for a proposed modification to a plant's CLB to determine if the other external events considered or not considered in the baseline analysis are still appropriate.

- Potential changes to SSC fragilities resulting from the CLB change for the modeled external events should be considered.

- The potential for additional spatial-related failure mechanisms should be reviewed.

- Changes to the existing baseline PRA models and data (including HRA values) necessary to account for the CLB modification should be identified.

5.1.2.3 Interfaces with Other Tasks

The evaluation of other external events can utilize the PRA models used to evaluate internal events. The internal event models are modified to include additional failure modes induced by the external events. Thus, the analysis of other external events necessitates interfaces with the internal event PRA tasks, including primarily initiating event identification, accident sequence analysis, systems analysis, data analysis, and HRA.

5.1.2.4 Documentation

The following information should be considered for documenting a PRA analysis of "other" external events:

- A discussion of the process and the results of the screening of "other" external events.

- Details regarding how the retained events are modeled, particularly how the internal event models are modified for the analyses to include spatial impacts.

- A discussion of the external event hazard curves and the fragility curves for components and structures.

- A discussion on how the human error rates are impacted by the external events.

- The results of the analyses.

5.2 Level 2 Analysis

This section addresses some factors to consider when performing a Level 2 seismic PRA while at full power. It also provides considerations for performing a Level 2 PRA analysis for other external events (e.g., high winds, tornados, hurricanes, and nearby transportation accidents). In general, the considerations for performing a Level 2 PRA for external events are the same as for an internal event Level 2 PRA. Thus, only those factors unique to external events are provided in the subsequent sections.

5.2.1 Seismic Analysis

As with the Level 1 portion of the seismic analysis, the Level 2 analysis should consider the impact of an earthquake on the core damage mitigating systems and the containment. The attributes for performing and documenting both the baseline and application-specific Level 2 portion of the seismic analysis include the same considerations as discussed for the internal events analysis. In addition, the potential for an earthquake resulting in the failure of containment isolation valves to close, failure of containment spray systems, or failure of standby gas treatment systems should all be evaluated. This can be accomplished as is done in the Level 1 analysis by including seismic-induced failures in the internal events Level 2 models.

5.2.2 Analysis of "Other" External Events

As with the Level 1 portion of the analysis of "other" external events, the baseline and application-specific Level 2 analysis should consider the impacts of the external events on the mitigation of core damage accidents. The impact of the identified external events on mitigating systems thus necessitates the same considerations as listed above for the other Level 1 analyses. In addition, any direct impacts on the containment from the external events should be evaluated and documented.

5.3 Level 3 Analysis

This section identifies some factors to consider when performing a Level 3 analysis of the consequences from external events that occur during full power operation. In general, the performance of the Level 3 analysis utilizes the same models used in evaluation of internal events. The major difference is in the consideration of the impact of external events on emergency response actions, such as evacuation of the close-in population. It is unlikely that a CLB change would impact the Level 3 modeling.

5.3.1 Seismic Analysis

The attributes in Chapter 4 are also, in general, applicable for a seismic analysis. However, under some circumstances, an earthquake can present conditions that would change the consequence assessment generated for the internal events analysis. In addition to changing the potential source terms, an earthquake can influence the ability of the population surrounding a plant to evacuate upon declaration of a general emergency. A Level 3 seismic PRA should, therefore, include consideration of the impacts of different levels of earthquakes on the consequence assessment (Ref. 5.9). A thorough discussion and documentation of the assumptions used in the consequence assessment should be provided.


5-9 Draft, NUREG-1602

5 External Event PRA for Full Power Operation


5.3.2 Analysis of "Other" External Events

The impact on the Level 3 analysis should be included in the evaluation of other external events. The primary concern is the impact of the external events on the potential for evacuation. The attributes provided in Chapter 4 also apply for the Level 3 analysis of "other" external events. However, any unique ways in which the external events might impact the Level 3 analysis should be evaluated and documented.


REFERENCES FOR CHAPTER 5

5.1 J. T. Chen, et al., "Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities," NUREG-1407, U.S. Nuclear Regulatory Commission, June 1991.

5.2 J. W. Hickman, "PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," NUREG/CR-2300, Vols. 1 and 2, American Nuclear Society and Institute of Electrical and Electronics Engineers, January 1983.

5.3 M. McCann, et al., "Probabilistic Safety Analysis Procedure Guide," NUREG/CR-2815, Vol. 2, Rev. 1, Brookhaven National Laboratory, August 1985.

5.4 "A Methodology for Assessment of Nuclear Power Plant Seismic Margin," EPRI Report NP-6041, 1988.

5.5 D. L. Bernreuter, J. B. Savy, R. W. Mensing, and J. C. Chen, "Seismic Hazard Characterization of 69 Nuclear Plant Sites East of the Rocky Mountains," NUREG/CR-5250, Lawrence Livermore National Laboratory, January 1989.

5.6 Electric Power Research Institute, "Probabilistic Seismic Hazard Evaluations at Nuclear Power Plant Sites in the Central and Eastern United States: Resolution of the Charleston Earthquake Issue," prepared by Risk Engineering Inc., Yankee Atomic Power Company and Woodward Clyde Consultants, EPRI Report NP-6395-D, April 1989.

5.7 USNRC, "Revised Livermore Seismic Hazard Estimates for 69 Nuclear Power Plant Sites East of the Rocky Mountains," NUREG-1488, October 1993.

5.8 M. K. Ravindra and H. Banon, "Methods for External Event Screening Quantification: Risk Methods Integration and Evaluation Program (RMIEP) Methods Development," NUREG/CR-4839, Sandia National Laboratories, July 1992.

5.9 R. J. Breeding, et al., "Evaluation of Severe Accident Risks, Surry Unit 1," NUREG/CR-4551, Sandia National Laboratories, October 1990.


6. INTERNAL AND EXTERNAL EVENT PRA FOR LOW POWER AND SHUTDOWN OPERATIONS

The purpose of this chapter is to specify the necessary attributes of a full-scope probabilistic risk assessment (PRA) of low power and shutdown (LP&S) operating conditions. The tasks discussed are basically the same as those described in Chapters 2 through 5. This chapter will focus on any differences and/or additional tasks imposed by the analysis of LP&S conditions. However, note that it is not the intent of this discussion to prescribe how to perform a PRA for LP&S conditions.

For those LP&S tasks that are significantly different from those of full power operation, the differences and additional considerations are discussed for the baseline PRA. In addition, the potential impacts of risk-informed applications, interfaces with other tasks, and required documentation are discussed in separate subsections. For those LP&S tasks that are very similar to the tasks of full power operation, this fact is stated and references to the full power sections are made without further elaboration.

The scope of the LP&S analysis includes all plant operating conditions except for full power, which is described in Chapters 2 through 5. Examples of states included in an LP&S analysis are low power (e.g., power < 15%), hot shutdown/standby, cold shutdown, and refueling.

The risk associated with the operation of a plant in a particular operational state is estimated based on the average risk per year. Thus, the fractions of time associated with the operation of the plant in the various states should sum to 1.0. This implies that if the full power risk has been calculated based on being in full power operation for an entire year, then the results of the full power analysis should be reduced by the fraction of time the plant is not at full power on a per year basis (e.g., if the plant is at full power 70% of the time on a per year basis, the full power risk on a per year basis would be 0.7 times the originally calculated full power risk value). Likewise, the risk associated with any individual operating state should include the fraction of time the plant is in that particular plant operational state (POS).

For LP&S conditions, the fuel is assumed to remain in the reactor vessel. Risk associated with spent fuel stored in the spent fuel pool, and cases where fuel is partially or totally off-loaded to the spent fuel pool during refueling, are considered out of the scope of this document.

Typically, the plant operating states of a refueling cycle can be grouped into four distinct categories:

- Power operation (i.e., full power operation),
- Controlled shutdown to below x% power (where x represents the transition point from low power to full power operations),
- Scram, and
- Refueling outage.

As stated previously, the analysis of full power operation is described in earlier Chapters 2 through 5. The analysis of "OK" sequences originating from a full power analysis is excluded from the LP&S analyses; thus, the fractions of time spent in operational states resulting from a plant scram are not included in the analysis of risk during LP&S. The basis for this is the assumption that the mission time used in the full power analysis is sufficient to adequately cover the operation of the plant during these states and that the data used to determine component unavailabilities for full power conditions already accounts for the known component unavailabilities during these states.

This leaves controlled shutdowns and refueling outages. In both cases, plant-specific historical data and current operating procedures are used to determine both the fraction of time spent in these states and the unavailability of equipment in each operating state.

6.1 Internal Events Level 1 Analysis

As stated in Chapter 2, a Level 1 PRA is comprised of three major elements. For LP&S conditions, an additional consideration should be added to the accident sequence delineation task of a PRA. The purpose of this addition is to subdivide the operating cycle of the plant into sufficient POSs to allow the analysts to adequately represent the plant as it transitions from one operating state to another. While the number of POSs may vary from plant to plant owing to the different operational characteristics of the plants, the important concept is the subdivision of the operation cycle into sufficient detail to allow the PRA analysts to accurately represent the status of the plant from both a systems availability and a decay heat viewpoint.

6.1.1 Plant Operational States

The objective of the POS identification and quantification task is to subdivide the plant operating cycle into sufficient detail such that the analysts can represent the plant operating within specific POSs, transitioning from one POS to another, and determining the fraction of time spent in each POS.

6.1.1.1 Considerations for the Baseline PRA

Identifying POSs

A POS is "a plant condition for which the status of plant systems (operating, standby, unavailable) can be specified with sufficient accuracy to model subsequent accident events" (Ref. 6.1). In addition to the status of plant systems, knowledge about the decay heat load, and thus changes in success criteria, is important when identifying the POSs. In an LP&S PRA, the plant's operating cycle is subdivided into different POSs. The characteristics important to the identification of the POSs are as follows:

- reactor power level,
- in-vessel temperature, pressure, and coolant level,
- equipment normally operating and required to maintain the current operating parameters, and
- changes in the decay heat load or plant conditions (e.g., raised water level with upper pools connected during refueling at a boiling water reactor [BWR]) that allow new success criteria.


Examples of POSs for pressurized water reactors (PWRs) and BWRs can be found in NUREG/CR-6144 (Ref. 6.2) and NUREG/CR-6143 (Ref. 6.1), respectively. It is possible that some special tests and operational activities, that are of relatively short duration, require that the plant be placed in a configuration that is very different from the normal configuration of a POS. Such a configuration may not need to be treated as a separate POS. However, such test configurations should be identified and their contribution to risk evaluated.

Determining POS Fractions

For each POS identified, detailed plant-specific information is collected such that the time spent in each POS can be determined. To determine the POS fractions for a refueling outage, plant-specific information on the previous four refueling outages is collected. If less than four outages are available, then information from all outages except the first is used. For controlled shutdown POSs, the fractions are determined by collecting plant-specific information from the previous five years of operation. If less than five years are available, the data from all years are used.
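The outage-selection rule just described, together with the per-year weighting from the chapter introduction (POS fractions summing to 1.0, each state's risk scaled by its fraction), as an added Python illustration that is not part of NUREG-1602. The cycle durations, the core damage frequency values, the POS names, and the attribution of scram time to the full power model are constructed assumptions, not values from the report.

```python
"""Added illustration, not part of NUREG-1602: plant operational state (POS)
time fractions and time-weighted annual risk.

Implements the data-selection rule in Section 6.1.1.1 (previous four refueling
outages, or all but the first if fewer than four are available) and the
per-year weighting from the chapter introduction (fractions of time in all
states sum to 1.0; each state's risk is scaled by its fraction).
All cycle durations and risk values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cycle:
    """One operating cycle, startup to next startup, with hours spent in each POS."""
    label: str
    pos_hours: Dict[str, float]


# Constructed history: five cycles, the first being an atypically long outage.
CYCLES: List[Cycle] = [
    Cycle("C1", {"full_power": 5000, "controlled_shutdown": 1500, "scram": 1000,
                 "refueling_cold_shutdown": 4000, "refueling_cavity_flooded": 2000}),
    Cycle("C2", {"full_power": 7200, "controlled_shutdown": 500, "scram": 300,
                 "refueling_cold_shutdown": 1200, "refueling_cavity_flooded": 800}),
    Cycle("C3", {"full_power": 6800, "controlled_shutdown": 700, "scram": 500,
                 "refueling_cold_shutdown": 1200, "refueling_cavity_flooded": 800}),
    Cycle("C4", {"full_power": 7000, "controlled_shutdown": 600, "scram": 400,
                 "refueling_cold_shutdown": 1300, "refueling_cavity_flooded": 700}),
    Cycle("C5", {"full_power": 7000, "controlled_shutdown": 600, "scram": 400,
                 "refueling_cold_shutdown": 1100, "refueling_cavity_flooded": 900}),
]

# Constructed core damage frequencies (per year) computed as if the plant spent
# the whole year in the given POS. Scram states have no LP&S model: the report
# excludes them because the full power mission time already covers them.
RISK_IF_ALWAYS_IN_POS: Dict[str, float] = {
    "full_power": 4.0e-5,
    "controlled_shutdown": 2.0e-5,
    "refueling_cold_shutdown": 5.0e-5,
    "refueling_cavity_flooded": 1.0e-6,
}


def select_cycles(cycles: List[Cycle]) -> List[Cycle]:
    """Section 6.1.1.1 rule: use the previous four refueling outages; if fewer
    than four are available, use all outages except the first."""
    if len(cycles) >= 4:
        return cycles[-4:]
    return cycles[1:]


def pos_fractions(cycles: List[Cycle]) -> Dict[str, float]:
    """Fraction of calendar time spent in each POS over the selected cycles."""
    hours: Dict[str, float] = {}
    for cycle in cycles:
        for pos, h in cycle.pos_hours.items():
            hours[pos] = hours.get(pos, 0.0) + h
    total = sum(hours.values())
    if total <= 0:
        raise ValueError("selected cycles contain no operating time")
    return {pos: h / total for pos, h in hours.items()}


def fractions_sum_to_one(fractions: Dict[str, float], tol: float = 1e-9) -> bool:
    """Consistency check from the chapter introduction: POS fractions sum to 1.0."""
    return abs(sum(fractions.values()) - 1.0) <= tol


def annual_risk(fractions: Dict[str, float], risk_if_always: Dict[str, float],
                scram_pos: str = "scram", full_power_pos: str = "full_power") -> Dict[str, float]:
    """Per-year risk of each modeled state, scaled by its time fraction.

    Assumption of this example (not the report's wording): time in scram states
    is attributed to the full power model, since the report excludes those
    states from the LP&S analysis on the basis that full power covers them.
    """
    weights = dict(fractions)
    weights[full_power_pos] = weights.get(full_power_pos, 0.0) + weights.pop(scram_pos, 0.0)
    missing = sorted(set(weights) - set(risk_if_always))
    if missing:
        raise KeyError(f"no risk model for POS(s): {missing}")
    return {pos: weight * risk_if_always[pos] for pos, weight in weights.items()}


def total_annual_risk(fractions: Dict[str, float], risk_if_always: Dict[str, float]) -> float:
    """Sum of the time-weighted per-year risks over all modeled states."""
    return sum(annual_risk(fractions, risk_if_always).values())


if __name__ == "__main__":
    selected = select_cycles(CYCLES)
    fractions = pos_fractions(selected)
    print("cycles used:", [c.label for c in selected])
    for pos, f in fractions.items():
        print(f"  {pos:26s} {f:6.3f}")
    print("fractions sum to 1.0:", fractions_sum_to_one(fractions))
    for pos, r in annual_risk(fractions, RISK_IF_ALWAYS_IN_POS).items():
        print(f"  {pos:26s} {r:.3e} /yr")
    print(f"total: {total_annual_risk(fractions, RISK_IF_ALWAYS_IN_POS):.3e} /yr")
```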

Screening of POSs

Screening of POSs should be performed by identifying available diverse and redundant means of removing decay heat and mitigating accidents. Supporting deterministic analyses and quantitative screening risk calculations are used to provide justification for screening out a POS. For example, during refueling operation with the refueling cavity filled, calculations should be performed to demonstrate that time to core damage is very long in different postulated accident scenarios.

6.1.1.2 Application Impact Considerations

A change in the current licensing basis can affect this task in the following ways:

- Changes in the frequency of outages,
- Changes in the number of POSs,
- Changes in the duration of the POSs, and
- Changes in the other parameters used in defining the POSs.

The potential for these changes has to be evaluated for each risk-informed change in the current licensing basis (CLB).

In evaluating the risk impacts of plant changes, the inclusion of contributions from LP&S provides a more complete risk assessment.

6.1.1.3 Interfaces with Other Tasks

This task defines the initial conditions of the plant to be analyzed in all the subsequent tasks. In this task, the key parameters are specified for each POS. In the subsequent tasks, further characterization of the POSs is needed to complete the assessment. A PRA model similar to that for full power operation is developed for each POS.


6.1.1.4 Documentation

The following information is documented for an LP&S PRA:

- A list or general description of the information sources used in the task.
- A discussion of the POSs identified during the task. The discussion should specifically define each POS and describe how each POS was determined.
- Assumptions that were made during the identification of the POSs. The bases for the assumptions and their impact on the final results are also discussed.
- A description of the configuration of the systems, including those that are needed for continuous operation in the POSs.
- The time history information used to determine the POS fractions, including the amount of time spent in each POS for each refueling and controlled shutdown outage.
- The fractions of time calculated for each POS for both refueling and controlled shutdown outages.
- A list of special tests and operational activities that significantly change the plant configuration of a POS.
- List of PRA changes from risk-informed applications.

6.1.2 Accident Sequence Initiating Event Analysis

The objective of the initiating events task is the same as that described in Section 2.1.1, with the exception that for those POSs where the reactor is already shut down, the requirement for a reactor trip is eliminated; however, the possibility of recriticality events is considered.

The LP&S-specific considerations are provided for identifying additional initiating events, excluding events from consideration, grouping the individual initiating events, and documenting the work only when they differ from or are in addition to those contained in Section 2.1.1.

In an LP&S PRA, all those internal events that cause an upset of normal plant operation (some of which require a reactor trip) with the subsequent need for core heat removal are identified as initiating events. These events fall into one of four categories as follows:

Loss-of-coolant accidents (LOCAs) - For LP&S conditions, those events that result in a diversion of water from the reactor vessel to some location where the water is recoverable, plus pipe rupture events in operating systems connected to the reactor vessel where the inventory loss may or may not be recoverable, are considered.

Transients - All full power events applicable to the LP&S conditions are considered.


Decay Heat Removal Challenges - All events that result in the isolation or loss of the normally operating decay heat removal system during shutdown conditions are considered.

Reactivity Excursions - All events that lead to inadvertent reactivity insertion or problems with flow instability where the core is operated with a local high power-to-mass-flow ratio are considered.

Special Issues or Scenarios - Scenarios and issues identified in existing studies should be included. For example, the reactivity accident scenario identified in the French study (EPS 900) (Ref. 6.3), low-temperature overpressurization, failure of the cavity seal, and failure of thimble tube seals should be addressed.

In ensuring "completeness" in identifying all potential initiating events for an LP&S PRA, the analyst should perform an engineering evaluation considering all events as described in Section 2.1.1, plus the analyst should evaluate those events that are unique to or have happened during shutdown operational states. Table 4.1.2 of NUREG/CR-6143, Vol. 2 (Ref. 6.1) and Table 4.1-3 of NUREG/CR-6144, Vol. 2 (Ref. 6.2) contain lists of events that have been considered during previous LP&S analyses.

The considerations associated with excluding and grouping initiating events are the same as those provided in Section 2.1.1. In addition, application impact considerations, interfaces with other tasks, and documentation guidelines are similar to those discussed in Section 2.1.1 for full power operation.

6.1.3 Accident Sequence Analysis

For this task, considerations are provided for selecting the accident sequence model, establishing the success criteria, modeling the accident dependencies, and documenting the work only when they differ from or are in addition to those presented in Section 2.1.2.

In addition to the considerations described in Section 2.1.2, top events representing the fractions of time spent in different system configurations (e.g., fraction of time the primary containment is open or the fraction of time a specific decay heat removal system is operating) are required if such information is needed to model accident progression to core damage.

As discussed in Section 2.1.2, inclusion of operator actions in the models is important. Due to the nature of shutdown conditions, more reliance may be placed on operator intervention. Thus, particular care should be given to the incorporation of human actions in the development of the event tree structure used to model the plant's response to any particular initiating event. Plant operating procedures should be examined carefully to determine how they will impact the operator's response during an accident.

Given the time dependency of the decay heat load, an LP&S PRA will examine the systems for unique configurations that may prove successful during shutdown conditions (e.g., gravity injection, reflux cooling, and alternate decay heat removal system). If these system configurations are deemed success criteria, then the LP&S PRA will make use of the systems by further subdividing a POS into different time windows. These time windows, which could be represented by sub-POSs, allow for more realistic assessments of the impact of the decay heat loads on accident scenarios. Regardless of whether these subdivisions are classified as time windows or sub-POSs, the accident sequence models contained in an LP&S PRA will properly account for the differences introduced into the accident sequence progression models.

The considerations associated with the modeling of accident dependencies and documentation are the same as those provided in Section 2.1.2. In addition, application impact considerations, interfaces with other tasks, and documentation are similar to those discussed in Section 2.1.2 for full power operation.

6.1.4 Systems Analysis

The LP&S considerations are the same as those described in Section 2.1.3. It should be noted that during shutdown conditions the alignment of systems may be significantly different as compared to that of full power operation, many instruments and indications may not be available, and consequently a higher likelihood of human-initiated accidents may occur.

6.1.5 Data Analysis

For this task, considerations are provided for identifying the data sources and models, selecting the data input needs, quantifying data parameters, and documenting the work only when they differ from or are in addition to those presented in Section 2.1.4.

For selecting data input, the only modifications to the considerations described in Section 2.1.4 are as follows:

In reviewing incidents for potential initiators, all incidents that meet the definition of an initiating event as given in Section 6.1.2 are considered in an LP&S PRA. However, the frequency of these events will be different from the frequency at full power operation. Plant-specific operating experience during LP&S should be used to estimate the frequency of these events in each plant operating state.

In reviewing the incidents on component performance, all incidents that could affect the performance of equipment during the POS are considered in an LP&S PRA. In quantifying equipment reliability parameters and common cause failure probabilities, data from all POSs should be used to quantify these parameters as described in Section 2.1.4. However, each event should be considered to determine if there are conditions such that the probability or rate of the failure event would be different depending on the POS.

In quantifying component unavailability from test and maintenance, only incidents occurring during the POS are included in an LP&S PRA. Only plant-specific operational experience during LP&S operations should be used in estimating equipment unavailability. In addition, concurrent unavailability and plant operational procedures during each POS, and outage times for redundant equipment (both intra- and inter-system), should be examined and accounted for based on actual plant experience.

It is very likely that in a selected POS the configuration of some systems and components changes. The fraction of time that a system or component spends in each possible configuration has to be estimated using plant-specific data supplemented with plant-specific operation procedures and outage schedules.

Application impact considerations and interfaces with other tasks are similar to those discussed in Section 2.1.4 for full power operation. For documentation, the only additional information to be reported is the fraction of time associated with being in a particular POS, the conditional probability associated with being in a specific system configuration, and the information used to generate these values.


6.1.6 Human Reliability Analysis (HRA)

Given the increased dependency on the human for performing actions during shutdown conditions, human interfaces become even more critical in causing, preventing, and mitigating an accident than is the case during full power conditions.

The LP&S considerations are the same as those described in Section 2.1.5. It should be noted that during shutdown conditions, many systems may be in a configuration very different from those during full power operation, much instrumentation may not be available, and a higher likelihood of human-initiated accidents can exist.

6.1.7 Accident Sequence Quantification

The LP&S considerations are the same as those described in Section 2.1.6.

6.2 Internal Flood Level 1 Analysis

The purpose of this section is to describe the attributes of a state-of-the-art internal flood PRA for a plant during LP&S operations. Only those attributes that are unique to floods during LP&S operations are discussed. The PRA tasks that are the same as those for a full power internal flood PRA and LP&S internal events PRA are discussed in Sections 2.2 and 6.1, respectively.

The approach used in performing a full power flood analysis PRA can be used for an LP&S PRA flood analysis. However, the differences between LP&S and full power operation have to be accounted for in its application. The main differences between LP&S and full power operation are the initial conditions of the plant, definition of initiating events, and systems/functions needed to mitigate an accident. These are the subjects that are discussed in this section in terms of the key tasks of an LP&S internal flood PRA.

The considerations associated with the potential impacts of the changes in CLB, interfaces with other tasks, and documentation of an LP&S internal flood analysis are the same as those discussed for a full power PRA.

6.2.1 Definition and Characterization of Plant Operational States

A main difference between an LP&S internal flood PRA and a full power internal flood PRA is the initial conditions of the plant. The initial conditions defined and characterized in the LP&S internal events PRA, i.e., outage types and POSs, should be used in an LP&S internal flood PRA.


6.2.2 Initiating Event Analysis

A flood initiating event during LP&S conditions can be defined as a flood that causes an initiating event as defined in the LP&S internal events PRA.

The causes of internal floods identified in the full power internal flood PRA should be evaluated, taking into consideration the unique plant configuration and operating conditions during LP&S operations, to determine their applicability to LP&S conditions. For example, a pipe section that is a source of flood for full power operation may be isolated during shutdown conditions. If a source of floods is found applicable to LP&S conditions, the method of quantifying its frequency used in the full power analysis should be reviewed for its applicability to LP&S conditions. For example, a pipe section that is a source of floods during full power operation may be subject to much lower pressure and temperature during shutdown. Therefore, the likelihood of its rupture may be significantly different from that of full power operation.

In addition to those flood sources identified in the full power internal flood PRA, a review of the shutdown configurations of plant systems and the operating procedures used during LP&S operations should be performed to identify unique sources of floods during LP&S conditions. A plant walkdown during shutdown should also be performed to identify such sources of floods.

6.2.3 Flood Propagation

The same approach as that used in a full power flood PRA can be used in an LP&S internal flood PRA. Flood propagation modeling includes estimating the quantity of water that may be involved, identifying the pathways and barriers for flood propagation, identifying the failure modes of the components that would be affected by the floods, and estimating the timing of the scenarios. The unique shutdown conditions of the plant have to be taken into consideration. For example, the refueling water storage tank (RWST) inventory during refueling operation may be significantly lower than that during full power operation, and flood barriers including dams, floor plugs, and anti-reverse flow devices in drain lines may be removed during shutdown conditions.

6.2.4 Flood Model Development and Quantification

LP&S internal flood event trees should be developed by modifying the event trees developed for the LP&S internal events PRA. The fault trees developed for the LP&S internal events PRA should be modified to account for the flood-induced failures.

6.3 Internal Fire Level 1 Analysis

The purpose of this section is to describe the attributes of an internal fire PRA for a plant during LP&S operations. Only those attributes that are unique to fires during LP&S operations are discussed. The PRA tasks that are the same as those for a full power internal fire PRA and LP&S internal events PRA are discussed in Sections 2.3 and 6.1, respectively.

The approach used in performing a full power internal fire PRA can be used for an LP&S internal fire PRA. However, the differences between LP&S and full power operation have to be accounted for in its application. The main differences between LP&S and full power operation are the initial conditions of the plant, definition of initiating events, and systems/functions needed to mitigate an accident. These are the subjects that are discussed in this section in terms of the key tasks of an LP&S internal fire PRA.

The considerations associated with the potential impacts of the changes in CLB, interfaces with other tasks, and documentation of an LP&S internal fire analysis are the same as those discussed for a full power PRA.

6.3.1 Definition and Characterization of Plant Operational States

A main difference between an LP&S internal fire PRA and a full power internal fire PRA is the initial conditions of the plant. The initial conditions defined and characterized in the LP&S internal events PRA, i.e., outage types and POSs, should be used in an LP&S internal fire PRA.

6.3.2 Initiating Event Analysis

A fire-induced initiating event during LP&S conditions can be defined as a fire that causes an initiating event as defined in the LP&S internal events PRA. For example, a fire that causes interruption of the residual heat removal (RHR) system is a fire-induced initiating event. The definition of a fire-induced initiating event should be used in the identification of critical fire locations of an LP&S PRA.

The fire frequency quantification should be performed in the same way it is done for full power operations. A fire incidence database including incidents during shutdown should be used. In reviewing the database, those events that are applicable to LP&S conditions should be identified.

6.3.3 Identification of Critical Fire Locations

A critical fire location for an LP&S condition is a location of a postulated fire that would lead to an initiating event and at the same time affect the systems and components needed to mitigate the accident. The approach developed in a full power fire PRA can be used in an LP&S fire PRA. The information collected during a full power fire PRA, including critical fire locations, provides useful background information for an LP&S PRA. However, in an LP&S PRA, a somewhat different set of systems and components needs to be taken into consideration, and the identification of critical locations has to be performed based on the definition of applicable initiating events. For example, loss of RHR can occur due to a fire that affects the RHR system or its support systems. Such a fire may not constitute an initiating event for full power operation. To identify possible fire locations, tracing of the cables for the components of these systems would be necessary. Similarly, the systems/functions needed to mitigate an accident during shutdown are not exactly the same as those needed for full power operation. Therefore, the critical fire locations of an LP&S PRA are not necessarily the same as those of a full power fire PRA.


6.3.4 Fire Propagation and Suppression

The same approach as that which was used in a full power fire PRA can be used in an LP&S internal fire PRA. However, the shutdown conditions of fire barriers and systems needed for detection and suppression of a fire should be taken into consideration. For example, a fire door being kept open during shutdown to facilitate movement of equipment will impact the propagation of a fire, and additional activities during shutdown may increase the likelihood of a fire being detected early.

6.3.5 Fire Model Development and Quantification

LP&S internal fire event trees should be developed by modifying the event trees developed for the LP&S internal events PRA. The fault trees developed for the LP&S internal events PRA should be modified to account for the fire-induced failures.


6.4 Seismic Level 1 Analysis

The purpose of this section is to describe the attributes of an LP&S seismic PRA. Only those attributes that are unique to an LP&S seismic PRA are discussed. The PRA tasks that are the same as those for a full power seismic PRA and LP&S internal events PRA are discussed in Sections 5.1.1 and 6.1, respectively.


The approach used in performing a full power PRA can be used for an LP&S PRA. However, the differences between LP&S and full power operation have to be accounted for in its application. The main differences between LP&S and full power operation are the initial conditions of the plant, definition of initiating events, and systems/functions needed to mitigate an accident. These are the subjects that are discussed in this section in terms of the key tasks of an LP&S seismic PRA.

The considerations associated with the potential impacts of the changes in CLB, interfaces with other tasks, and documentation of an LP&S seismic analysis are the same as those discussed for a full power PRA.

6.4.1 Definition and Characterization of Plant Operational States

A main difference between an LP&S seismic PRA and a full power seismic PRA is the initial conditions of the plant. The initial conditions defined and characterized in the LP&S internal events PRA, i.e., outage types and POSs, should be used in an LP&S seismic PRA.

6.4.2 Initiating Event Analysis

A seismically induced initiating event during LP&S conditions can be defined as an earthquake that causes an initiating event as defined in the LP&S internal events PRA. The seismic-induced initiating events should include loss of offsite power (LOOP), loss of RHR, and LOCAs. Seismically induced fire and flood events should also be identified.

6.4.3 Identification of Structures, Systems, and Components (SSCs)

The SSCs to be considered in an LP&S seismic PRA should not be limited to those considered in the full power seismic PRA. This is due to the fact that the SSCs that either can affect an initiating event or are needed to mitigate an accident during LP&S operations are not identical to those considered in a full power seismic PRA. However, the same approach as that used in a full power seismic PRA can be used.

6.4.4 Hazard Analysis

The hazard analysis performed for a full power seismic PRA can be used.


6.4.5 Fragility Analysis

The fragility analysis of an LP&S seismic PRA should account for the shutdown-specific configuration of systems and components. For example, the RWST may be only partially filled during refueling operation, and its fragility would be significantly different from the case when it is full; similarly, the steam generators may be maintained in "wet layup" (filled with water), and their fragility would be significantly different from that of full power operation.

6.4.6 Model Development and Quantification

Seismic event trees for LP&S operations should be developed by modifying the event trees developed for the LP&S internal events PRA. The fault trees developed for internal events should be modified to include failures induced by earthquakes.

6.5 Level 1 Analysis of "Other" External Events

Much of what should be considered for "other" (e.g., high winds, tornados, etc.) external events during LP&S operation has already been covered in Section 5.1.2 of this report. The following covers additional considerations beyond those already included in that section.

The inclusion or exclusion of "other" initiating events needs to be re-examined and may need to be altered because of expected plant configurations or activities during LP&S operation. For instance, expected reconfiguration of some barriers (opening of doors normally closed during full power operation), introduction of temporary equipment such as scaffolding, periods of an open containment, fuel potentially in more vulnerable configurations than at full power, and introduction of new external hazards by personnel (e.g., caustic cleaning solvents, more vehicles onsite, etc.) are examples of why previously eliminated "other" external events may need to be reconsidered for analysis.

Similarly, the expected changes in plant configurations and equipment operability periods should be considered when modeling the possible mitigation pathways and hence the success and failure scenarios should an external event occur.

Additionally, the hazard frequencies need to be re-examined and may need to be changed in cases where they may be affected by plant personnel, such as greater vehicle use affecting the frequency of transportation accidents.

And finally, the data values (or curves) for both plant equipment failure and human errors need to be re-examined to account for such things as temporary installations, possible temporary degradation of equipment, less operability status indication for the operators, and detrimental effects for some human performance shaping factors (more noise, crowded conditions, etc.).

The considerations associated with the potential impacts of the changes in CLB, interfaces with other tasks, and documentation of an LP&S "other" external event analysis are the same as those discussed for a full power PRA.

6.6 Level 2 Analysis

The object of the Level 2 analysis is to assess the potential for release of radionuclides due to accidents during LP&S conditions.


6.6.1 Considerations for the Baseline PRA

Generally, the considerations provided in Chapter 3 for full power operation are also applicable to LP&S conditions. However, it should be noted that, just as the equipment required to prevent core damage during the Level 1 analysis can be affected by LP&S operating conditions, so too can the equipment considered during a Level 2 analysis. If certain recovery actions, e.g., restoration of RHR pumps, need to be performed inside the containment after bulk boiling of the reactor vessel inventory has commenced, the impact of environmental conditions inside the containment on the chances of success of such actions needs to be assessed. In addition, the containment may be open during certain shutdown POSs. These factors should be accounted for in the Level 2 analysis. Furthermore, care should be exercised when accounting for the physical and phenomenological differences associated with the characterization of radionuclide release during shutdown states.

The following are Level 2 considerations that should be evaluated:

Level 2 Systems - Containment systems, such as sprays, may not be required in some of the shutdown POSs. As a result, they may be out of service for extended periods of time. The status of such systems should be identified.

Containment Status - In some shutdown POSs, containment closure is not required. As a result, personnel hatches, equipment hatches, and containment penetrations may be left in an open position. The probability of an initially open containment has to be taken into consideration in the Level 2 analysis. The possibility that the operator would re-establish containment integrity subsequent to an accident initiating event has to be evaluated. Consideration should be given to the status of electric power, equipment, and material needed to re-establish containment integrity.

Decay of Radioactive Isotopes - The impact of low decay heat levels on accident progression in LP&S POSs and the decay of short-lived radioactive isotopes which impact early health effects should be properly accounted for.

These key uncertainties are derived, in part, from the results of the LP&S PRAs (Refs. 6.1 and 6.2) as well as more recent statements of key source term uncertainties published by the NRC for light-water reactor licensing purposes (Ref. 6.4). Configurations where air can enter the reactor vessel, such as when the vessel head has been removed for refueling, have been postulated to cause an enhanced release of certain radionuclides. The effect that air ingression has on the source term in such configurations needs to be assessed and, if important, included in the Level 2 model.

6.6.2 Application Impact Considerations

The considerations in assessing the risk impact of a change in the CLB are the same as those discussed in Chapter 3 for full power operation. In addition, the impacts on the shutdown specific issues discussed in Section 5.3.1 should be evaluated.


6.6.3 Interfaces with Other Tasks

The interfaces between a Level 2 LP&S analysis and Levels 1 and 3 analyses are the same as those for full power operation.

6.6.4 Documentation

The documentation requirement of a Level 2 LP&S analysis is the same as that of a Level 2 analysis of full power operation.


6.7 Level 3 Analysis

The discussions provided in Chapter 4 for full power operation are also applicable to LP&S conditions.


REFERENCES FOR CHAPTER 6

6.1 D. Whitehead, et al., "Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations at Grand Gulf, Unit 1," NUREG/CR-6143, SAND93-2440, Sandia National Laboratories, 1994.
Vol. 1: Summary of Results
Vol. 2: Analysis of Core Damage Frequency from Internal Events for Operational State 5 During a Refueling Outage
Vol. 3: Analysis of Core Damage Frequency from Internal Fire Events for Plant Operational State 5 During a Refueling Outage
Vol. 4: Analysis of Core Damage Frequency from Internal Flooding Events for Plant Operational State 5 During a Refueling Outage
Vol. 5: Analysis of Core Damage Frequency from Seismic Events for Plant Operational State 5 During a Refueling Outage
Vol. 6: Evaluation of Severe Accident Risks for Plant Operational State 5 During a Refueling Outage

6.2 T-L. Chu, et al., "Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations at Surry Unit 1," NUREG/CR-6144, BNL-NUREG-52399, Brookhaven National Laboratory, 1994.
Vol. 1: Summary of Results
Vol. 2: Analysis of Core Damage Frequency from Internal Events during Mid-loop Operations
Vol. 3: Analysis of Core Damage Frequency from Internal Fires during Mid-loop Operations
Vol. 4: Analysis of Core Damage Frequency from Internal Floods during Mid-loop Operations
Vol. 5: Analysis of Core Damage Frequency from Seismic Events during Mid-loop Operations
Vol. 6: Evaluation of Severe Accident Risks during Mid-loop Operations

6.3 EPS 900, "A PSA for the Standard French 900 MWe PWR," Main Report, April 1990.

6.4 L. Soffer, et al., "Accident Source Terms for Light Water Nuclear Power Plants," Final Report, NUREG-1465, U.S. Nuclear Regulatory Commission, 1995.


APPENDIX A. PRIORITIZATION OF SSCS AND HUMAN ACTIONS

A.1 Introduction and Objective

The objectives of this appendix are twofold. The first objective is to discuss the role of importance measures within the risk-informed regulatory framework. This is necessary because the framework does not explicitly rely on risk-ranking methods for the acceptance of the proposed regulatory modifications. The second objective is to provide discussions on the following three areas:

• methods and limitations of quantitative prioritization,
• techniques for qualitative prioritization, and
• attributes of an integrated approach to prioritization in support of risk-informed applications.


Prioritization is typically performed both quantitatively and qualitatively. Quantitative prioritization is done based on probabilistic risk assessment (PRA) and by use of quantitative importance measures. Qualitative prioritization is done based on the defense-in-depth concept and by use of both PRA information and current deterministic safety considerations. Regardless of the specific regulatory application, prioritization can be conducted as an intermediate step to differentiate between the high safety significant(1) and low safety significant components (HSSCs/LSSCs). Relaxing requirements for LSSCs is expected to have less aggregate risk impact than if requirements are relaxed for HSSCs. This application of ranking (e.g., relaxing requirements for LSSCs) does not guarantee that the acceptance criteria are met. However, importance measures can be used as a part of a systematic process of adding and removing components from the LSSC list.

Risk ranking provides an information base that can be used for implementation and monitoring phases of risk-informed and performance-based regulatory alternatives as discussed in Section 2.5 of DG-1061(2). This is especially important in those applications where the risk impact of the proposed changes in requirements cannot be accurately estimated. Qualitative engineering and operational reasoning along with a database of the importance measures can be used to help justify proposed changes to the current licensing bases. If the importance analysis indicates that a particular SSC is an HSSC, then it probably is; on the other hand, if the importance analysis indicates that the SSC is not important, then this conclusion should not be accepted without careful investigation of the reasons.

The remainder of this appendix discusses the theoretical bases and physical interpretations for various importance measures. It also discusses the use of importance measures in risk prioritization and identifies their potential limitations. This general guidance is tailored to support specific applications, as appropriate, and may be further described in application-specific guides.


(1) Letter from A. Thadani (NRR Associate Director for Technical Review) to C. Pipton (Vice President, NEI), "Terminology for Categorizing Systems Components and Structures in Risk-Informed Regulatory Applications," dated May 8, 1996.

(2) USNRC, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decision on Plant-Specific Changes to the Current Licensing Basis," Draft Regulatory Guide DG-1061, February 1997.


Appendix A Prioritization of SSCs and Human Actions

A.2 PRA-Based Importance Assessment

Several different importance measures are typically calculated on the basis of PRAs(3,4). Some importance measures use the numerical risk information contained in PRAs; these are referred to as quantitative importance measures. Quantitative importance measures typically determine the change in risk measures associated with the failure or success of equipment or human actions. Here, risk measures refer to both core damage frequency (CDF) and large early release frequency (LERF). By contrast, PRA-based qualitative importance measures do not use the risk contribution information; rather they use the logic information contained in PRAs. Qualitative importance measures typically determine the reduction or increase in the number of layers of defense against an accident as a result of the failure or success of equipment or human actions.

Definitions of various importance measures, their formulation, physical interpretation, and limitations are discussed in this section. Various sensitivity analyses are suggested to account for the known limitations(5) in using the results of various importance measures. Some considerations for grouping of various equipment using the calculated importance measures are summarized.

A.2.1 Quantitative Importance Measures

A.2.1.1 Definitions of Importance Measures

Fussell-Vesely (FV) and Risk Reduction Worth (RRW) Importance Measures

An important element of the results of a PRA is the sorted list of the accident sequence minimal cutsets. For those applications where PRA assumptions and data are not challenged, the ranked list of minimal cutsets could provide a means for prioritization. In some applications where PRA assumptions, model, and data may be questioned (e.g., previously unrecognized motor-operated valve [MOV] failure modes in MOV testing applications), the PRAs may first have to be updated.

The ranked list of accident sequence minimal cutsets provides important insights concerning the combination of failure events that contribute to core damage and public risk. This information could be used to establish defenses against the major risk contributors. A ranking scheme using the minimal cutset contribution is the most straightforward. Since the minimal cutsets are sorted on the basis of their frequencies, one may decide to identify all components within the scope of the application that also show up in the dominant minimal cutsets. Depending on the application, the dominant minimal cutsets could be determined based on their total contribution to risk (e.g., account for 95% of the CDF for all initiators from internal and external events including shutdown PRA). Ranking based on minimal cutset contributions is typically performed in order to focus resources and refine the requirements to gain a significant safety benefit.

(3) W. E. Vesely and T. C. Davis, "Evaluation and Utilization of Risk Importances," NUREG/CR-4377, August 1985.

(4) W. E. Vesely, M. Belhadj, and J. T. Rezos, "PRA Importance Measures for Maintenance Prioritization Applications," Journal of Reliability Engineering and System Safety, Vol. 43, pp. 307-318, 1994.

(5) W. E. Vesely, "The Use of Risk Importances for Risk-Based Applications and Risk-Based Regulations," Proceedings of the PSA '96, Park City, Utah, September 29-October 3, 1996.


The major deficiency with this ranking scheme is its poor discrimination capability. For example, a component that belongs to a cutset contributing 5% to the CDF will be ranked higher than a component that may belong to several minimal cutsets each contributing 1% or less to core damage, even though the net contribution of all of these cutsets could be more than 5%. To overcome this deficiency, specific importance measures known as the FV measure and RRW have been developed.

The FV measure is defined by the sum of the probabilities of the cutsets containing an event divided by the sum of all cutsets. Mathematically, the FV measure is calculated as the risk when the component is unoperational minus the risk when the component is operational, divided by the baseline risk and multiplied by the component unavailability. That is,

$$FV = \frac{P(x)\,[E(R \mid x=1) - E(R \mid x=0)]}{E(R)}$$

where P(x) is the unavailability of component "x," E(R) is the baseline expected risk, and E(R|x=1) and E(R|x=0) are the conditional expected risks when the component x is unoperational and operational, respectively. The conditional and the unconditional expected risk are related based on the following probabilistic equation:

$$E(R) = P(x)\,E(R \mid x=1) + (1 - P(x))\,E(R \mid x=0)$$

Substituting the auxiliary probabilistic equation into the FV equation yields the following result:

$$FV = 1 - \frac{E(R \mid x=0)}{E(R)} = 1 - \frac{1}{RRW}$$

where RRW in the second term on the right-hand side of the equation is known as the RRW importance measure. Therefore, the FV and RRW measures are closely related.

Either FV or RRW performs the same function as ranking based on minimal cutset contributions, but does so in a more refined manner. The primary objective of these importance measures is to identify components within the scope of the application that can result in the greatest risk benefit if more resources are allocated to improve their reliability. An example to illustrate the use of FV and RRW measures for relaxing requirements is discussed below.


The FV and RRW importance measures can be used to justify relaxation of requirements when the effect of relaxing requirements can be estimated in terms of component reliabilities. However, in this case, the analyst should first assume that the requirements are relaxed for all components within the scope of the regulatory requirement. The impact of such relaxation on component reliabilities should then be estimated, and the PRA input data should be updated. The use of the FV measure with the new baseline PRA can also identify components for which the requirements should not be relaxed. Relaxation of the requirements for the remaining components could then be justified. In the latter approach, the impact of the requirements is integrated into the ranking analyses.

Birnbaum Measure (BM) and Risk Achievement Worth (RAW)

The BM is simply the contribution of all cutsets involving an event x divided by the nominal unavailability of that event. Mathematically, a single component BM is defined by:

$$BM(x) = E(R \mid P_x = 1) - E(R \mid P_x = 0)$$

where E(R|P_x=0) and E(R|P_x=1) are the expected risk when the unavailability of component x is set to zero and one, respectively. The BM and RAW measures are closely related. By dividing the above equation by the nominal expected risk, the following relationship is obtained:

$$\frac{BM(x)}{E(R)} = RAW(x) - \frac{1}{RRW(x)}$$

where RAW(x) is the RAW for x, and it is defined by the expected risk when the unavailability of component x is set to one divided by the expected nominal risk value. Since RAW is usually much greater than one and RRW is usually very close to one (but always greater than one), an approximate relationship for BM would be as follows:

$$BM(x) \approx E(R)\,[RAW(x) - 1]$$

This equation shows the close relationship between RAW and BM. However, it should be noted that the BM is an absolute measure and it is not normalized with the expected risk (E(R)). This is in contrast with all other importance measures discussed so far (FV, RRW, and RAW), which are normalized by the expected risk. Use of absolute measures would facilitate the comparison of importance results for different sensitivity runs within a plant.

A fundamental probability relationship between the BM measure and the change in the expected risk as a result of a change in component unavailability can be established using the following relationship:

$$\Delta E(R) = BM(x)\,\Delta Q(x)$$

where ΔE(R) and ΔQ(x) are the changes in the expected risk and the unavailability of the component x.
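The FV/RRW definitions and the BM/RAW definitions above, worked on one small cutset model so that the identities FV = 1 - 1/RRW and BM/E(R) = RAW - 1/RRW can be checked numerically. This is an added example, not code from NUREG-1602 or from any PRA code; the cutsets, the component names X1 to X5 and their unavailabilities are constructed for illustration, and the rare-event approximation (risk as the sum of cutset products) is assumed.

```python
"""FV, RRW, RAW and BM computed from a small constructed cutset model.

Added worked example, not code from NUREG-1602. The cutsets and basic-event
values below are made up for illustration; the rare-event approximation
(risk = sum of cutset products) is assumed, as in many PRA codes.
"""

# Constructed minimal cutsets of a toy core damage model. "IE" stands for the
# initiating event (frequency per year); X1..X5 are mitigating components.
CUTSETS = [
    frozenset({"IE", "X3"}),         # X3 alone defeats mitigation
    frozenset({"IE", "X1", "X2"}),   # redundant pair
    frozenset({"IE", "X4", "X5"}),   # redundant pair
    frozenset({"IE", "X1", "X5"}),   # cross-train combination
]

# Constructed values: IE is a frequency (/yr), the rest are unavailabilities.
Q = {"IE": 1.0, "X1": 0.01, "X2": 0.01, "X3": 1.0e-4, "X4": 0.02, "X5": 0.02}
COMPONENTS = [x for x in Q if x != "IE"]


def risk(q):
    """E(R) under the rare-event approximation: sum over cutsets of the product of their events."""
    total = 0.0
    for cutset in CUTSETS:
        term = 1.0
        for event in cutset:
            term *= q[event]
        total += term
    return total


def conditional_risk(x, value):
    """E(R | x = value): the same model with event x fixed at 1 (unoperational) or 0 (operational)."""
    q = dict(Q)
    q[x] = float(value)
    return risk(q)


def importance(x):
    """The four measures for component x, using the definitions in the text."""
    er, er1, er0 = risk(Q), conditional_risk(x, 1), conditional_risk(x, 0)
    return {
        "E(R)": er,
        "FV": Q[x] * (er1 - er0) / er,   # FV = P(x)[E(R|x=1) - E(R|x=0)] / E(R)
        "RRW": er / er0,                # risk reduction worth
        "RAW": er1 / er,                # risk achievement worth
        "BM": er1 - er0,                # Birnbaum, absolute (not normalized by E(R))
    }


def check_identities(x, tol=1e-9):
    """FV = 1 - 1/RRW and BM/E(R) = RAW - 1/RRW, as derived in the text."""
    m = importance(x)
    return (abs(m["FV"] - (1.0 - 1.0 / m["RRW"])) < tol
            and abs(m["BM"] / m["E(R)"] - (m["RAW"] - 1.0 / m["RRW"])) < tol)


def rank_by(measure):
    """Components ordered from most to least important on the chosen measure."""
    return sorted(COMPONENTS, key=lambda x: importance(x)[measure], reverse=True)


def risk_change(x, new_unavailability):
    """(predicted, actual) change in E(R) when Q(x) moves; predicted uses dE(R) = BM(x) dQ(x)."""
    predicted = importance(x)["BM"] * (new_unavailability - Q[x])
    q = dict(Q)
    q[x] = new_unavailability
    actual = risk(q) - risk(Q)
    return predicted, actual


if __name__ == "__main__":
    for x in COMPONENTS:
        print(x, {k: round(v, 6) for k, v in importance(x).items()})
    print("FV ranking :", rank_by("FV"))
    print("RAW ranking:", rank_by("RAW"))
```

On this constructed model X3 ties for the lowest FV but has by far the highest RAW and BM, which is the situation the appendix warns about: a component that looks unimportant on one measure should not be binned low without looking at the others.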


A.2.1.2 Considerations in Calculating Importance Measures

The theoretical bases of various importance measures and their physical interpretations were discussed earlier. The basis of the importance measures was discussed independent of the application. This section discusses the following practical considerations for calculating component-level importance measures:

• truncation limit,
• completeness of risk models,
• measures of risk,
• component failure modes,
• implicit contributors,
• explicit dependencies, and
• implicit dependencies.

Consideration of Truncation Limit

The truncation limit is an important aspect of a risk evaluation and, therefore, plays an important role in the ranking process. Some PRA codes are designed to provide an upper bound estimate on the frequency of the truncated cutsets. These codes typically accumulate the frequencies of the cutsets truncated in a residue bin. Therefore, it would be easy to identify the fraction of risk (e.g., CDF) captured given a probabilistic truncation limit. Truncation limits should, therefore, be chosen such that at least 95% of the CDF or risk is captured. Depending on the PRA level of detail (module level, component level, or piece-part level), this may generally translate into a cutset truncation limit from 1.0E-12 to 1.0E-8 (per year).

Another important consideration for determining a truncation limit is imposed by the FV measure and ranking criteria. As an example, if a numerical cutoff criterion of 0.1% (0.001) is proposed for the FV importance measure, a truncation limit with enough resolution for estimating an FV of 0.001 should be at least 1000 times smaller than the total calculated risk (or CDF). This would ensure the survival of at least one minimal cutset after truncation with a contribution of 0.1% of total CDF. However, the FV measure for a component is the summation of the contributions of all minimal cutsets containing that component; therefore, it would be important for more than one minimal cutset to survive the truncation. This would require that the truncation limit be lowered at least by a factor of 10 to ensure appropriate coverage.

The third consideration for determining a truncation limit deals with the extent to which the basic PRA events are covered by the PRA-generated minimal cutsets that survive the truncation limit. PRAs typically model up to a couple of thousand basic events. Depending on the truncation limit, some of these basic events may not show up in the final minimal cutsets generated by the PRA (i.e., those that survive the truncation limit). The importance measures associated with these basic events then cannot be evaluated. The truncation limit, therefore, must be selected such that the fraction of basic events not accounted for in the final list of minimal cutsets is less than 10% of all basic events. This truncation limit criterion could be application dependent. For example, in an in-service testing (IST) application, 90% of all basic events related to pumps and valves modeled in the PRA may correspond to a truncation limit of 1E-11. However, to satisfy the same criteria for graded QA may require a much lower truncation limit (which may not be practical). Application-specific truncation criteria are re-visited in each application-specific guide.


In summary, three requirements should be met for selecting a probabilistic truncation limit for the purpose of risk-based ranking:

• The truncation limit should be low enough to capture a large fraction of risk measures (e.g., at least 95% of the CDF and LERF).

• The truncation limit should be low enough to ensure capturing components within the range of FV criteria of interest (e.g., 10^-3 multiplied by the total estimated CDF and LERF).

• The truncation limit should be low enough to account for at least 90% of all basic events in the final set of minimal cutsets. This criterion may be too restrictive, and depending on the application may need to be modified.
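The three truncation requirements just listed, together with the factor-of-10 margin for FV resolution from the preceding discussion, applied to a ranked cutset list. This is an added example, not code from NUREG-1602 or from any PRA code: the cutsets, basic-event names and frequencies are constructed for illustration, and the way the FV-resolution criterion is encoded (limit at most 10^-3 of total CDF divided by 10) is one reading of the text's guidance.

```python
"""Screening candidate cutset truncation limits against the three criteria in the text.

Added example, not code from NUREG-1602. The ranked cutset list is constructed
for illustration: each entry is (frequency per year, set of basic events).
"""

# Constructed minimal cutsets, already sorted by frequency as a PRA code would list them.
CUTSETS = [
    (3.0e-6, {"IE-LOOP", "DG-A", "DG-B"}),
    (1.5e-6, {"IE-TRANS", "AFW-P1", "AFW-P2"}),
    (8.0e-7, {"IE-LOOP", "DG-A", "BATT-B"}),
    (2.0e-7, {"IE-SLOCA", "HPI-P1", "HPI-P2"}),
    (5.0e-8, {"IE-TRANS", "AFW-P1", "MOV-12"}),
    (9.0e-9, {"IE-SLOCA", "HPI-P1", "MOV-34"}),
    (2.0e-9, {"IE-TRANS", "AFW-P2", "MOV-56"}),
    (4.0e-10, {"IE-LOOP", "DG-B", "MOV-78"}),
]
ALL_BASIC_EVENTS = set().union(*(events for _, events in CUTSETS))


def total_cdf(cutsets=CUTSETS):
    """Untruncated CDF: the sum of all cutset frequencies (rare-event approximation)."""
    return sum(f for f, _ in cutsets)


def survivors(limit, cutsets=CUTSETS):
    """Cutsets that survive a probabilistic truncation limit."""
    return [(f, ev) for f, ev in cutsets if f >= limit]


def fussell_vesely(kept, cdf):
    """FV per basic event from the surviving cutsets only: sum of cutsets containing it over total CDF."""
    fv = {}
    for f, events in kept:
        for ev in events:
            fv[ev] = fv.get(ev, 0.0) + f / cdf
    return fv


def evaluate_limit(limit, fv_cutoff=1.0e-3, min_cdf_fraction=0.95, min_event_fraction=0.90):
    """Apply the three criteria to one candidate limit and report what it captures."""
    cdf = total_cdf()
    kept = survivors(limit)
    captured = sum(f for f, _ in kept) / cdf
    # Criterion 2: a cutset worth fv_cutoff of CDF must survive, with a further factor
    # of 10 so that several cutsets per component survive (the text's margin).
    fv_resolution_ok = limit <= fv_cutoff * cdf / 10.0
    covered = set().union(*(ev for _, ev in kept)) if kept else set()
    event_fraction = len(covered) / len(ALL_BASIC_EVENTS)
    return {
        "captured_cdf_fraction": captured,
        "cdf_fraction_ok": captured >= min_cdf_fraction,
        "fv_resolution_ok": fv_resolution_ok,
        "basic_event_fraction": event_fraction,
        "basic_event_fraction_ok": event_fraction >= min_event_fraction,
        "fv_by_event": fussell_vesely(kept, cdf),
    }


def smallest_adequate_limit(candidates):
    """The largest (least burdensome) candidate limit meeting all three criteria, or None."""
    for limit in sorted(candidates, reverse=True):
        r = evaluate_limit(limit)
        if r["cdf_fraction_ok"] and r["fv_resolution_ok"] and r["basic_event_fraction_ok"]:
            return limit
    return None


if __name__ == "__main__":
    for limit in (1e-6, 1e-7, 1e-8, 1e-9, 1e-10):
        r = evaluate_limit(limit)
        print(f"{limit:.0e}: CDF {r['captured_cdf_fraction']:.4f} "
              f"events {r['basic_event_fraction']:.2f} FV-res {r['fv_resolution_ok']}")
    print("chosen limit:", smallest_adequate_limit([1e-6, 1e-7, 1e-8, 1e-9, 1e-10, 1e-11]))
```

On this constructed list a limit of 1E-7 already captures about 99% of the CDF but leaves the MOV basic events out of the cutset list entirely, so their FV cannot be evaluated; only the 1E-10 limit satisfies all three criteria, which is the point the text makes about the basic-event coverage criterion driving the limit lower than the CDF-fraction criterion alone would.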

Completeness of the Risk Model

Importance measures may be calculated based on a portion of the risk (e.g., for internal events at full power) or the overall plant risk (internal and external events including shutdown risk). Depending on the completeness of the risk model, qualitative assessments (safety based) should be utilized for portions of the plant operation not included in the PRA assessment. When the importance measures are calculated, care should be taken in accounting for all contributors to the importance measure as well as the appropriate normalization (consistent with the PRA scope). When importance measures need to be calculated for overall risk, the results could be tabulated to show specific contributors to the importance measures from the PRA scope (internal, external, etc.) along with the overall importance measures.

Considerations of Measures of Risk

Importance measures can be calculated for various risk measures (e.g., CDF, containment failure probability, and release category frequency). Currently, importance measures are calculated for CDF and LERF. LERF covers all scenarios involving early containment failure and containment bypass. Importance measures (both normalized and non-normalized) calculated at different PRA levels cannot be combined (summed).

Consideration of Component Failure Modes

A component can perform several different functions, each with its own unique failure modes modeled in a PRA. For example, failure to open and failure to re-close could be two different failure modes modeled in a PRA for an MOV. Importance measures can be calculated for all failure modes. Care should be taken in evaluating the overall importance of a component (to avoid missing some failure modes). The overall component importance measure and the contribution of each of its failure modes to the overall measure could be tabulated. Here, a combined measure could be used as the overall importance measure.

Consideration of Implicit Contributors

Many components are not explicitly modeled in PRAs; however, their risk contribution is implicitly accounted for. For example, many components in the balance of plant are not explicitly modeled in the PRA, but their risk contributions are implicitly accounted for through the frequency of initiating events. Some importance measures could be calculated for the implicitly modeled components. For a component not explicitly modeled in the PRA, the analyst should first identify those basic PRA events that could be affected by the failure or success of the given component. In the second step, the analyst should determine the contribution of the implicitly modeled component to the unavailability of the explicitly modeled PRA basic events. For example, the importance of the rupture of a pipe segment not included in the model could be evaluated based on the failure of the modeled component located in that segment. For those cases where such evaluation could not be performed quantitatively, the qualitative evaluation discussed later in this appendix could be used. The above 2-step analysis would provide sufficient information for calculating all types of importance measures discussed earlier for a component that is implicitly modeled in a PRA.

Consideration of Explicit Dependencies

Various types of dependencies are explicitly accounted for in PRAs. For example, common cause failures (CCFs) are sometimes explicitly accounted for through use of CCF parameters (such as beta factors). Importance measures calculated for a component should account for the contributions from the explicit dependencies. In most cases, PRAs are structured such that these dependencies could be easily accounted for in calculating importance measures (specifically the FV measure); however, this is not always the case. Care should be taken to ensure that all dependency contributors are accounted for and the results of importance measures are tabulated to show the individual dependency contributions.

Consideration of Implicit Dependencies

Various dependencies are implicit in PRAs. For example, many transducers are explicitly modeled in PRAs as a part of actuation logic and can also provide information needed for successful manual action. On the other hand, some instrumentation, monitors, or fault indicators may not be modeled in the PRA. Information from these items may be needed for successful recovery actions. Care should be given to consider their impact on other (explicitly modeled) basic events.

A.2.2 Qualitative Importance Measures

PRA-based qualitative risk ranking (QRR) is sometimes performed to show that defense-in-depth would not be compromised as a result of changes in requirements or design. There are two types of qualitative ranking designed explicitly to address the defense-in-depth concept. These are minimal cutset ranking (MCR) and minimal pathset ranking (MPR). Since in most cases these two methods provide consistent results, only the MCR method will be discussed here. A simplified system block diagram (Figure A.1) is used to facilitate the discussion of this ranking method.

[Figure A.1 Example system block diagram for discussion purposes: block diagram of components X1 through X5 (image not reproduced in this text).]

Minimal Cutset Ranking (MCR)

The MCR method ranks components based on the lowest order of the minimal cutsets when the component is removed. The lowest order of the minimal cutsets (number of elements in the minimal cutset) for the above system (Figure A.1) is one, and there is only one minimal cutset of order one (failure of X3 will render the system inoperable). If component X3 is removed, the lowest order of the minimal cutsets would be zero. However, if any other component (e.g., X1, X2, X4, or X5) is removed, the lowest order of minimal cutsets would be one, and, in all cases, there would be two minimal cutsets of order one. Therefore, we infer that X3 is structurally more important than other components. The following procedure is typically used for MCR:

• For each component or basic event, the minimum order of cutsets (m) and the number of unique minimal cutsets with that order (n) is determined when the basic event is set to true. For this application, the order of cutsets is determined by excluding all recovery actions and the initiating events (i.e., the cutset rank is based only on component failures).

• The components are then ranked based on the increasing values of m (i.e., the lowest order of minimal cutsets). For those basic events that have the same value of m, the ranking would be based on the decreasing value of n (the number of minimal cutsets with the lowest order). This step is typically done for each initiator separately.

MCR is a qualitative method and does not rely on the probability or quantitative risk as a result of removing a basic event from consideration. It can be used as a supplemental justification for quantitative importance ranking.
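The MCR procedure above, carried out on the Figure A.1 system by brute-force enumeration of minimal cutsets. This is an added example, not code from NUREG-1602; the structure function used for Figure A.1 (X3 alone in series, X1/X2 redundant, X4/X5 redundant) is an assumed reading of the diagram that matches the text's description (one order-one cutset, and two order-one cutsets after any of X1, X2, X4 or X5 is set to true).

```python
"""Minimal Cutset Ranking (MCR) for the Figure A.1 block diagram.

Added example, not code from NUREG-1602. The structure function below is an
assumed reading of Figure A.1 consistent with the text: X3 is a single point
of failure, X1/X2 are a redundant pair, X4/X5 are a redundant pair.
"""
from itertools import combinations

COMPONENTS = ["X1", "X2", "X3", "X4", "X5"]


def system_fails(failed):
    """Structure function: True when the set of failed components disables the system."""
    return ("X3" in failed) or ({"X1", "X2"} <= failed) or ({"X4", "X5"} <= failed)


def minimal_cutsets(set_true=frozenset(), components=COMPONENTS):
    """Enumerate minimal cutsets, given basic events already set to true (failed).

    Subsets are visited in increasing size, so a candidate is minimal exactly
    when no previously found cutset is a subset of it. Small systems only.
    """
    remaining = [c for c in components if c not in set_true]
    cutsets = []
    for k in range(len(remaining) + 1):
        for combo in combinations(remaining, k):
            candidate = frozenset(combo)
            if any(found <= candidate for found in cutsets):
                continue
            if system_fails(set(candidate) | set(set_true)):
                cutsets.append(candidate)
    return cutsets


def mcr_scores(components=COMPONENTS):
    """(m, n) per component: lowest cutset order m, and number n of cutsets of that order,
    with the component set to true. Initiators and recovery actions are not modeled here."""
    scores = {}
    for c in components:
        cs = minimal_cutsets(frozenset({c}), components)
        m = min(len(s) for s in cs)
        n = sum(1 for s in cs if len(s) == m)
        scores[c] = (m, n)
    return scores


def mcr_rank(components=COMPONENTS):
    """Rank by increasing m, then decreasing n; Python's sort is stable, so ties keep input order."""
    scores = mcr_scores(components)
    return sorted(components, key=lambda c: (scores[c][0], -scores[c][1]))


if __name__ == "__main__":
    print("baseline minimal cutsets:", [sorted(s) for s in minimal_cutsets()])
    print("MCR scores (m, n):", mcr_scores())
    print("MCR ranking:", mcr_rank())
```

For the assumed structure the baseline minimal cutsets are {X3}, {X1, X2} and {X4, X5}; setting X3 true gives an empty cutset (m = 0), while setting any other component true leaves two cutsets of order one (m = 1, n = 2), so X3 ranks first and the other four tie.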

A.2.3 Considerations for Ranking Using Importance Measures

One application area considered for use of importance measures is risk ranking. Risk ranking applications involve relative ranking of all components based on their importance measures, and subsequent binning of the components in two (high and low) or three (high, medium, and low) classes. The binning is usually performed to allocate resources commensurate with component grouping. This may also result in enhancing the requirements for the components in the high bin category and may relax requirements for components in the low bin category. In this regard, care should be taken to ensure that relaxing requirements for components in the low bin category could not potentially degrade plant safety or multiple lines of defense.

The remainder of this section identifies special considerations for risk ranking, including those resulting from limitations of importance measures pertaining to ranking applications.

This section also provides recommendations to deal with the following issues in order to ensure that the components in the low bin category will not degrade safety:

• multiple component considerations,
• consideration for defense-in-depth,
• consideration for allowable plant configurations,
• consideration for binning criteria, and
• consideration for uncertainty evaluation.

Multiple Component Considerations

For those components assigned to the low risk category, the aggregate impact of changes in requirements of multiple components on safety should be assessed. For example, a set of MOVs may be in a low category since each MOV individually does not have a significant importance measure. If the requirements for this set of MOVs are changed, however, the failure rate of each individual MOV may increase. The aggregate impact of the increased failure rates for all MOVs might contribute significantly to risk. The underlying reason could be the appearance of some combination of these MOVs in the same cutset. The multiple component consideration is designed to identify which combination of these MOVs might be risk significant (therefore requiring them to be shifted to a higher category). It should be emphasized that this concern about multiple components is also valid for components of different types, as long as they show up in the same cutset and are assigned to the low risk category. One acceptable way to address this issue is to identify all minimal cutsets containing at most one component from other categories (high or medium). If such a minimal cutset exists, some of the low category components should be moved to a higher bin to ensure that at least two higher category components are in all minimal cutsets.

Consideration for Defense-in-Depth

The following sensitivity analyses are recommended to ensure that multiple lines of defense are not degraded and the defense-in-depth concept is not compromised as a result of relaxing the requirements on the low category components:

- Ensure that all minimal cutsets contain at least two component failures for which requirements are not relaxed (either outside the scope of the application or categorized as medium or high). This ensures that there are at least two lines of defense in each cutset not affected by the regulatory change.
- Identify sets of contributors associated with major lines of defense, primary pressure boundary, safety functions, and containment systems. Prioritize the contributors within each set to assure a balanced coverage of all lines of defense.

Consideration for Allowable Plant Configurations

Plant Technical Specifications (TS) allow two or more components to be down simultaneously for repair or other activities. The embedded assumption in the TS is that the remaining components provide adequate safety protection. If these remaining components are assigned to the low category, their high reliability may not be ensured. The following analyses could be performed to ensure that multiple lines of safety are maintained during all allowable configurations:

- The applicant should first identify those configurations that are allowed by plant TS that result in accident sequence minimal cutsets composed entirely of components categorized as LSSC (excluding the initiator).
- Such configurations should be prevented, or some of the low category components should be moved to the high category to ensure that no minimal cutsets totally rely on low category components during such configurations.
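The three cutset-based checks described above (the MCR ordering by m and n, the two-lines-of-defense check with promotion out of the low bin, and the allowable-configuration check) worked in Python on a constructed six-cutset model. This is an added example, not code from the report; the component names, cutsets and bin assignments are hypothetical, and the greedy promotion order (most deficient cutsets first) is this example's choice, not a procedure the report prescribes.

```python
"""Qualitative minimal-cutset checks from Appendix A, as an added example on constructed data."""
from collections import defaultdict

# Constructed sample: minimal cutsets for one initiator, each a set of basic-event names.
# The component names are hypothetical and do not come from any plant model.
CUTSETS = [
    frozenset({"DG-A", "DG-B"}),
    frozenset({"MOV-1", "MOV-2"}),
    frozenset({"MOV-1", "DG-B"}),
    frozenset({"MOV-1", "PUMP-B", "CV-3"}),
    frozenset({"MOV-2", "PUMP-A", "CV-4"}),
    frozenset({"PUMP-A", "PUMP-B"}),
]

# Constructed bin assignment from a quantitative ranking; "low" is the LSSC bin.
# Events absent from this map are outside the application's scope and count as unaffected.
CATEGORY = {
    "DG-A": "high", "DG-B": "high", "PUMP-A": "high", "PUMP-B": "medium",
    "MOV-1": "low", "MOV-2": "low", "CV-3": "low", "CV-4": "low",
}


def mcr_rank(cutsets):
    """Minimal Cutset Ranking (MCR): for each basic event, m is the lowest order of any cutset
    containing it and n the number of cutsets of that order containing it.  Events are ranked
    by increasing m, then decreasing n; ties are broken alphabetically to keep the order stable."""
    orders = defaultdict(list)
    for cs in cutsets:
        for ev in cs:
            orders[ev].append(len(cs))
    stats = {ev: (min(o), o.count(min(o))) for ev, o in orders.items()}
    return sorted(stats, key=lambda ev: (stats[ev][0], -stats[ev][1], ev))


def unaffected(ev, category):
    """A line of defense the relaxation does not touch: out of scope, or binned medium/high."""
    return category.get(ev, "out-of-scope") != "low"


def cutsets_short_of_defense(cutsets, category, min_unaffected=2):
    """Cutsets that keep fewer than `min_unaffected` lines of defense once low-bin
    requirements are relaxed (the defense-in-depth check in the text)."""
    return [cs for cs in cutsets
            if sum(unaffected(ev, category) for ev in cs) < min_unaffected]


def promote_for_defense(cutsets, category, min_unaffected=2):
    """Greedily move low-bin events to 'high' until every cutset keeps >= min_unaffected
    unaffected events.  Returns (new categories, promoted events, cutsets that promotion
    cannot fix because they hold no low-bin event, e.g. single-event cutsets)."""
    cat = dict(category)
    promoted = []
    while True:
        deficient = cutsets_short_of_defense(cutsets, cat, min_unaffected)
        counts = defaultdict(int)
        for cs in deficient:
            for ev in cs:
                if cat.get(ev) == "low":
                    counts[ev] += 1
        if not counts:
            return cat, promoted, deficient
        # the low-bin event that appears in the most deficient cutsets goes up first
        best = max(sorted(counts), key=counts.get)
        cat[best] = "high"
        promoted.append(best)


def configuration_cutsets(cutsets, out_of_service):
    """Cutsets conditioned on a Technical Specification configuration: components taken out
    of service are treated as failed, so they drop out of any cutset containing them, and the
    result is re-minimised.  An empty cutset means the configuration itself is a core-damage
    state, which a TS should not allow, so it is reported as an error."""
    oos = set(out_of_service)
    reduced = {cs - oos for cs in cutsets}
    if frozenset() in reduced:
        raise ValueError("configuration %s completes a cutset by itself" % sorted(oos))
    return [cs for cs in reduced if not any(other < cs for other in reduced)]


def all_low_cutsets(cutsets, category):
    """Cutsets relying entirely on low-bin (LSSC) events."""
    return [cs for cs in cutsets if all(category.get(ev) == "low" for ev in cs)]


if __name__ == "__main__":
    print("MCR order:", mcr_rank(CUTSETS))
    print("cutsets short of two unaffected lines of defense:",
          [sorted(cs) for cs in cutsets_short_of_defense(CUTSETS, CATEGORY)])
    new_cat, promoted, unfixable = promote_for_defense(CUTSETS, CATEGORY)
    print("promote to a higher bin:", promoted, "unfixable:", unfixable)
    for config in ({"DG-B"}, {"PUMP-A"}):
        risky = all_low_cutsets(configuration_cutsets(CUTSETS, config), CATEGORY)
        print("TS configuration", sorted(config), "all-low cutsets:", [sorted(cs) for cs in risky])
```

With DG-B out of service the single remaining event MOV-1, binned low, completes a cutset on its own, which is exactly the configuration the text says must be prevented or resolved by moving the component up.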


Consideration for Binning Criteria

The cutoff criteria for binning components based on their importance measures may vary from one application to another. Nonetheless, these criteria should be determined such that the total risk increase as a result of relaxing requirements for low category components is controlled. As an example, relaxing certain requirements could increase the unavailability of the affected components at most by a factor of 2. At the same time, the total risk increase as a result of such relaxation is planned to be controlled under 10% of the baseline core damage frequency. The binning criteria then should assure that the contribution of all basic events assigned to the LSSC bin, when their unavailabilities are increased by a factor of 2, stays below 10% of the baseline CDF. The binning criteria, therefore, could vary depending on the application and the expected changes in the unavailabilities of the affected components.

The above procedure and criteria for binning are more appropriate than cutoff criteria based on an individual FV measure. This process also explicitly accounts for the impact of the relaxation in terms of increasing the component unavailability; therefore, the cutoff criteria can vary from one application to another (and even within a specific application) depending on the extent of relaxation requested.

Considerations for Uncertainty Evaluation

The effects of PRA uncertainties on the risk importance measures and their utilization need to be addressed. Even though formal uncertainty analysis can be performed, such an evaluation may not be necessary. Sensitivity analyses could be performed as a substitute for a formal uncertainty evaluation. The following sensitivity analyses are designed to reveal any additional high risk or marginal risk importance that could occur under different plausible assumptions or scenarios, which then can be included in the higher class as a precaution against PRA uncertainties.

Component-Specific Sensitivity Analyses

This sensitivity analysis is designed to address the failure rate uncertainty of a component and its potential impact on ranking. For those components that are ranked low, a sensitivity analysis using the 95th percentile of the unavailability distributions of the components could be performed to determine the impact on FV measures. This could be done for each component or human error individually. The unavailability of some components with large uncertainties, such as check valves, could cause them to shift from the low to high categories. If this occurs, the components could be shifted to a higher category to account for the uncertainty distribution.

Sensitivity Analyses for a Component Group

Sensitivity analyses are designed to address the correlated change in the failure rate of a group of components. The sensitivity analyses could also address the correlated changes in the failure rate of a group of components from such causes as aging and wear. For a group of components (e.g., breakers), identify those that are binned in the low category. Increase the mean failure rate of all selected components in a manner consistent with a generic error factor associated with the component type. Identify those components that are shifted to a higher category for further consideration to be removed from the low bin category.


Sensitivity Analysis for CCFs

CCFs are modeled in PRAs to account for dependent failures of redundant components within a system. Dependencies among similar components performing redundant functions but across systems (in two different systems) are generally not modeled in PRAs. Component-level importance measures (e.g., RAW, RRW, and FV) are typically calculated based on assumed nominal values of modeled basic events. Some component importance measures (i.e., the FV measure) could account for the direct risk contributions from associated basic component events, such as failure to start and failure to run, and indirect contributions through the impact on the probability of other basic events (such as human errors, recovery actions, and most importantly CCFs). Therefore, a component may be ranked HSSC mainly because of its contribution to CCFs, or a component may be ranked as LSSC mainly because it has negligible or no contribution to CCFs. A component may be ranked insignificant either because of omission of CCF contributors or because of the assignment of an insignificant CCF contribution. Thus, removing or relaxing requirements may increase the CCF contribution, thereby changing the ranking order.

The following approach ensures that the relative ranking of components includes proper consideration of the CCF contributions:

- If a component is ranked low because the CCF is not included in the PRA model, revisit the CCF models to ensure that the assumption of no CCF is valid (especially under the potential relaxation of requirements for low risk components).
- Set all CCF contributions to zero and rank the components. Special care should be given to truncation limits used in PRA quantification for this case run. Identify components that shift to a higher category. To defend against the uncertainties associated with CCF contribution, these components should be treated as higher-category components.

Sensitivity Analysis for Recovery Actions

PRAs typically model recovery actions, especially for dominant accident sequences (but not for all sequences). Quantification of recovery actions typically depends on the time available for diagnosis and performing the action, training, procedures, and knowledge of operators. There is a certain degree of subjectivity involved in estimating the success probability for the recovery actions. The concerns in this case stem from situations where very high success probabilities are assigned to a sequence, resulting in related components being ranked risk insignificant.

Sensitivity analyses can be used to show how the SSC ranking may change if one removes all recovery actions (setting their failure probability to one). The objective is to determine if a component that was ranked low will move up to a high or medium risk category. If so, the component should be removed from the low category.
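The binning criterion from the Consideration for Binning Criteria discussion (every low-bin unavailability raised by a factor of 2, aggregate CDF increase held under 10% of baseline) together with the recovery-action and CCF sensitivity re-rankings described above, as an added Python example on constructed data; it is not code from the report. The cutsets, unavailabilities and initiating-event frequency are hypothetical, CDF uses the rare-event approximation, and filling the low bin in increasing-FV order until the aggregate test fails is this example's reading of the procedure.

```python
"""Quantitative binning and sensitivity re-ranking from Appendix A, as an added example
on constructed data (not the report's own code or any plant's PRA)."""
from math import prod

IE_FREQ = 1.0e-2  # constructed initiating-event frequency per year for this cutset list

# Constructed minimal cutsets for one initiator; names are hypothetical.  Events prefixed
# CCF- are common-cause failure events, REC- is an operator recovery action.
CUTSETS = [
    frozenset({"AFW-PUMP-A", "AFW-PUMP-B", "REC-FW"}),
    frozenset({"CCF-AFW-PUMPS", "REC-FW"}),
    frozenset({"MOV-1", "MOV-2"}),
    frozenset({"CCF-MOVS"}),
    frozenset({"CV-3", "AFW-PUMP-A"}),
    frozenset({"CV-3", "AFW-PUMP-B"}),
]
# Constructed nominal unavailabilities (failure probabilities per demand).
UNAVAIL = {
    "AFW-PUMP-A": 3e-3, "AFW-PUMP-B": 3e-3, "CCF-AFW-PUMPS": 1e-4,
    "MOV-1": 2e-3, "MOV-2": 2e-3, "CCF-MOVS": 5e-5,
    "CV-3": 1e-4, "REC-FW": 1e-1,
}


def cdf(p, cutsets=CUTSETS):
    """Core damage frequency under the rare-event approximation (sum of cutset products)."""
    return IE_FREQ * sum(prod(p[ev] for ev in cs) for cs in cutsets)


def fussell_vesely(p, cutsets=CUTSETS):
    """FV importance: fraction of CDF lost when the event is made impossible."""
    base = cdf(p, cutsets)
    return {ev: (base - cdf({**p, ev: 0.0}, cutsets)) / base for ev in p}


def is_component(ev):
    """Only components are binned; CCF and recovery events stay outside the bins."""
    return not ev.startswith(("CCF-", "REC-"))


def aggregate_increase(p, low, factor=2.0, cutsets=CUTSETS):
    """Fractional CDF increase when every low-bin unavailability is raised by `factor`.
    A cutset holding k low-bin events grows by factor**k, which an individual-FV
    cutoff does not see."""
    relaxed = {ev: (v * factor if ev in low else v) for ev, v in p.items()}
    base = cdf(p, cutsets)
    return (cdf(relaxed, cutsets) - base) / base


def bin_low(p, factor=2.0, limit=0.10, cutsets=CUTSETS):
    """Fill the low bin in order of increasing FV and stop at the first component whose
    addition would push the aggregate increase (all low-bin unavailabilities times
    `factor`) above `limit` of the baseline CDF."""
    fv = fussell_vesely(p, cutsets)
    low = set()
    for ev in sorted(filter(is_component, fv), key=lambda e: (fv[e], e)):
        if aggregate_increase(p, low | {ev}, factor, cutsets) > limit:
            break
        low.add(ev)
    return low


def low_by_fv_cutoff(p, cutoff, cutsets=CUTSETS):
    """The individual-FV cutoff the text argues against, kept for comparison."""
    fv = fussell_vesely(p, cutsets)
    return {ev for ev in fv if is_component(ev) and fv[ev] < cutoff}


def shifted_from_low(p, overrides, cutsets=CUTSETS):
    """Sensitivity case: re-bin with some basic events overridden (recovery failure
    probability set to 1, CCF events set to 0, a 95th-percentile unavailability, ...)
    and return the components that leave the low bin and should be treated as higher."""
    return bin_low(p, cutsets=cutsets) - bin_low({**p, **overrides}, cutsets=cutsets)


if __name__ == "__main__":
    low = bin_low(UNAVAIL)
    print("baseline CDF %.2e /yr" % cdf(UNAVAIL))
    print("low bin by aggregate test:", sorted(low),
          "increase %.1f%%" % (100 * aggregate_increase(UNAVAIL, low)))
    fv_low = low_by_fv_cutoff(UNAVAIL, 0.07)
    print("low bin by FV < 0.07:", sorted(fv_low),
          "increase %.1f%%" % (100 * aggregate_increase(UNAVAIL, fv_low)))
    print("leave low bin without recovery credit:",
          sorted(shifted_from_low(UNAVAIL, {"REC-FW": 1.0})))
    print("leave low bin with CCF set to zero:",
          sorted(shifted_from_low(UNAVAIL, {"CCF-AFW-PUMPS": 0.0, "CCF-MOVS": 0.0})))
```

On this data the aggregate test leaves the two MOVs out of the low bin, while an FV cutoff of 0.07 admits them and lets the doubled MOV pair push CDF up by about 25%; removing the recovery credit moves the two AFW pumps out of the low bin.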

A.3 Safety-Based Prioritization

The major objective for safety-based prioritization is to evaluate and identify those areas where proposed regulatory changes may result in potentially undesirable safety degradations which cannot be easily shown with the PRA-based prioritization. This could include those items (SSCs and human actions) that either are not explicitly modeled in the PRA or are not within the current scope of the PRA. It also could include those safety concerns that are not captured by the severe accident risk typically modeled in PRAs. Specific areas of safety concern are defense-in-depth and the plant safety margins. The specific issues to be addressed are discussed below.

Defense-in-Depth

To assure that the philosophy of defense-in-depth is maintained, the following should be examined:

1. Assure reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation.

Compliance with decision guidelines for CDF and LERF could assure to a great extent balance between the prevention of core damage and early containment failure. Considerations for emergency planning and the potential for late containment failures should also be accounted for to assure that these mitigative features and the associated SSCs are not degraded by the proposed change.

2. Avoid overreliance on programmatic activities to compensate for weaknesses in plant design.

There could be instances where meeting the quantitative guidelines for CDF and LERF is strongly dependent on the credit taken for programmatic activities. Overreliance on programmatic activities such as maintenance, surveillance, and recovery actions to compensate for the proposed change should be avoided. The sensitivity analyses on the recovery actions proposed earlier and the data-related discussion in the body of this report could be used for addressing this issue.

3. Maintain system redundancy, independence, and diversity.

The qualitative PRA results, i.e., the accident sequence minimal cutsets, show what combinations of passive and active failures would cause core damage or radioactivity release, and thereby reflect directly on the defense-in-depth concept. The minimal cutsets can show the effective redundancy and diversity of the plant design. Qualitative PRA results should be used to demonstrate that system redundancy, independence, and diversity are maintained commensurate with the expected frequency and consequences of challenges to the system.

4. Maintain defense against potential CCF and avoid the introduction of new CCF mechanisms.

Relaxation of programmatic activities could exacerbate an existing CCF mechanism or could introduce new sources of CCFs. Even though the CCF treatment is reserved for CCFs within a system, here we are concerned about the CCFs across systems, i.e., concurrent trends of degrading reliability among a set of components for which requirements are relaxed.

5. Independence of barriers is not compromised.

Generally, the barriers are passive and of such a diverse nature that changes in requirements are unlikely to cause them to fail or degrade dependently. However, there are some failure mechanisms that could be of concern under certain application-specific proposals. One such mechanism, which could cause failure of more than one defense-in-depth barrier, is the CCF mechanism. For example, if a new CCF mechanism is introduced for both inboard and outboard isolation valves, then primary coolant rupture outside the containment could bypass the containment. In this case, the potential could exist for failure of two defense-in-depth barriers, even though highly unlikely. Identification and proper application-specific treatment of such mechanisms capable of failing or degrading multiple barriers should be considered in proposed changes.

6. Defenses against human errors are maintained.

Considerations to avoid overreliance on human actions for protecting the core and the defense-in-depth barriers were discussed earlier. Defenses against human errors which under a change request may become more likely and contribute significantly to risk should also be taken. The proposed changes and their effect on potential human errors should be assessed. Careful attention should be paid to those cases where a proposed change could impact the performance and reliability of the equipment used by the operators to perform the necessary actions, e.g., lighting, communication devices, instrumentation and control devices, and other operator aids, such as alarms and displays.

Safety Margins

To assure adequate safety margins are maintained, the following should be examined:

1. Codes and standards or alternatives approved for use by the NRC are met.

Specific considerations outlined in the application-specific guide should be followed to assure that the proposed changes are not in conflict with NRC-approved codes and standards (e.g., the ASME standard referred to in 10 CFR Part 50.55a).

2. Safety analysis acceptance criteria in the Final Safety Analysis Report (FSAR) are met.

The impact of the proposed changes on the assumptions, initial, and boundary conditions used for FSAR safety analysis should be examined to assure the changes are within the acceptable limits and the existing safety margins are maintained.

There are other qualitative considerations that need to be examined to assure that categorizing a component as an LSSC will not result in an adverse safety impact. There should be at least one set of supporting SSCs that are categorized high and could prevent the occurrence of the initiators and the failure of the supercomponents that are modeled in PRAs. This is one way of assuring that the low frequencies for the initiators and the high reliability of supercomponents that are credited in PRAs are maintained, especially when they are either of high or medium importance. The examination of the following questions can help the qualitative prioritization of those SSCs not explicitly modeled in PRAs:

1. Can the failure of the SSC result in the eventual occurrence of an initiating event?

2. Can the failure of the SSC result in a failure of a supercomponent that is modeled in the PRA and expected to be either a high or medium SSC?

3. Does the SSC belong to a set of redundant components such that they are susceptible to a CCF and their failure could cause eventual failure of a supercomponent or an initiator in the PRA which is expected to be either in the high or medium categories?

4. Does the SSC belong to a component class in which relaxing the requirements may significantly impact its reliability (e.g., the role of periodic overhaul in circuit breakers)?

5. Can the SSC support operator and recovery actions, especially those credited in the PRA?

6. Is the SSC currently included in the scope of current regulatory requirements?

7. Does the SSC play an important role in the post severe accident activities (e.g., monitoring)?

When an SSC is categorized based on qualitative considerations, discussion should be provided on the SSC function, reasons for selecting the category, why it was not modeled in a PRA, and the potential impact of proposed changes, if any.

A.4 Integration

Following the earlier discussion, an SSC or a human action may be assigned to a category by a quantitative PRA-based prioritization, a qualitative PRA-based prioritization, or a qualitative safety-based prioritization. An integral list of SSCs and human errors belonging to a given category, taking into account these different prioritization methods, needs to be constructed for most of the applications. A process for this integration is summarized below.

Combined Quantitative List

Results of the quantitative prioritization using the baseline PRA (based on CDF and LERF) are combined simply by identifying as HSSCs those items that are high based on either CDF or LERF. The low risk significant list (LSSCs) comprises items common to both CDF and LERF. A combined list of the HSSCs and the LSSCs that are covered by the scope of the risk-informed application and are within the scope of the PRA then could be constructed.

Combined Qualitative List

Items (SSCs and human actions) within the scope of the risk-informed application under consideration and not identified in the combined quantitative list as high risk significant would be the subject for qualitative prioritization. Qualitative ranking (as described in Sections A.2.2 and A.3) would include both the qualitative PRA-based and the qualitative safety-based items. Qualitative ranking is done based on examination of the PRA minimal cutsets, defense-in-depth consideration, safety margin consideration, and general safety consideration, especially for those items that are either not explicitly modeled in the PRA or not within the scope of the PRA.

Items examined by different approaches for qualitative ranking that are identified as high safety significant are combined and listed. Contributing factors and the reasons behind this ranking should be documented.

Integrated List


Those items identified as HSSCs (quantitative) and those identified as high safety significance (qualitative) could be combined into a more comprehensive safety significance list. All remaining items within the scope of the application then could be listed in a less safety significance item list. There could be some instances where an additional category such as medium safety significance is defined. The process of integration described here could still be applied.

Use of the Integrated List

The integrated HSSC and LSSC lists could be used to identify the candidates for either risk beneficial changes or potential regulatory relaxations. Compensatory measures could be considered for those items in the integrated more safety significance list since substantial risk reduction could be achieved. Regulatory relaxation could be considered for those items in the integrated LSSC list since major saving in resources could be obtained without degrading safety. The lists of high and low safety significant (HSSC/LSSC) items are expected to be robust and should not change significantly as a result of the proposed changes. However, if post-change ranking indicates that some items have shifted from the low safety significant to the high safety significant list, those items should be considered for performance monitoring and phasing in implementation of changes.


APPENDIX B. PRA PEER REVIEW

An independent peer review is a way of assuring the adequacy of the probabilistic risk assessment (PRA) used in risk-informed regulatory applications and of examining the validity of the risk impact estimated for the proposed changes. This appendix discusses the objectives and scope of an independent peer review and describes an example process for conducting the peer reviews.

B.1 Objectives of the Review

Independent peer reviews are performed to address both the adequacy of the PRA used for a risk-informed regulatory submittal and the validity of the estimated risk impact resulting from the proposed changes. The peer review is a means of assuring technical quality of the PRA and its applications. The subject of peer review is further addressed in NUREG/CR-6372 [81]. The specific goals of the peer review are:

- to determine the adequacy of the baseline PRA to support one or more types of applications,
- to determine the validity of the input information sources, assumptions, models, data, and analyses forming the basis for the proposed change (or changes), and
- to determine the validity of the results obtained in the analyses and the corresponding conclusions related to the proposed change (or changes).

To provide assurance that the approaches were generally applied appropriately, the peer reviewers should compare the baseline PRA against the attributes listed in this report and perform spot checks on each portion of the baseline PRA and its risk-informed application. The peer reviewer should report those problems that are significant enough to change the conclusion of whether or not a proposed change(s) is risk significant. The peer reviewers should separately note problems that would not change the conclusions for the particular change being proposed but are expected to be significant for other changes that might be proposed in the future.

B.2 Review Team Composition and Qualifications

The peer reviews will normally need to be performed by a team, rather than an individual, because the basic tasks in the analyses generally involve expertise in multiple disciplines. For the PRA peer review and depending on the scope of the baseline PRA, experts may be needed in the following areas: systems analysis, data analysis, human reliability analysis (HRA), severe accident phenomena (if a Level 2 analysis was performed for the submittal), source term (if a Level 2 analysis was performed for the submittal), consequence modeling (if a Level 3 analysis was performed for the submittal), seismic analysis (if part of the submittal), fire analysis (if part of the submittal), and analysis of "other" external events as appropriate for the plant site.

Each peer reviewer must have experience with nuclear power plants in performing the PRA task that the reviewer is assigned to review. This experience is expected to include knowledge of typical inputs, assumptions, methods and techniques, models, scope, level of detail, data, and form of results for the assigned review area. The reviewers should be cognizant of the issues addressed in this report and understand the impact of the delineated attributes on the quality of the PRA. The reviewers should also have at least a general familiarity with the plant design being analyzed. At least one member should have a good knowledge of the specific plant and its operation.

[81] "Senior Seismic Hazard Analysis Committee Report," NUREG/CR-6372, Vols. 1 & 2, April 1997.

B.3 Review Process and Considerations

The peer review proceeds in two phases. In the first phase, the adequacy of the baseline PRA to support the intended applications is determined. In the second phase, the use of the baseline PRA for estimating the risk impact for one or more applications is reviewed. It is more efficient to conduct peer reviews in an interactive manner, especially before the completion of the application. In the second phase review, the peer reviewers could accept a previous peer review team's conclusions for the baseline PRA model but would examine any previously unresolved issues that were documented by the previous peer review team(s) to determine whether they are important for the current application. The peer reviewers also examine any changes made to the baseline PRA to determine the acceptability of the change, and the reasonableness of the results. A meeting of the review team would begin with a discussion of the proposed change, to ensure that the team has a good understanding of the proposed change and its implications.

The two major functions to be performed by the peer reviewers are to determine if the analyses are acceptable and the results are reasonable. The peer reviewers should substantiate their conclusions. These two peer review functions are applicable for each PRA task and for both of the two review phases.

The first function of the peer review is to examine the inputs, techniques, and analyses for the PRA. In performing the review, attention is given to the completeness and the accuracy of information so that the PRA reflects a realistic picture of the as-built, as-operated plant. The analysis assumptions are based on the use of plant walkdowns, controlled documentation concerning the plant design and operation, involvement of plant staff, and a "freeze date" for the analysis (including any updates). The peer review would examine the analysis inputs to determine that the sources of data are justifiable and traceable.

The second function of the peer review is to verify that the results of the study are reasonable. The peer reviewers compare the results against studies from similar plants. Major differences are identified and rationalized. Selected portions of the study, especially those with significant impact on the conclusions of the study, are chosen for independent re-evaluation.

The comments generated by the peer reviewer would be documented and specific recommendations highlighted.

The utility response including their commitments regarding potential modifications to the analyses would also be documented for future reviews.

The following provides a summary discussion on the major inputs and outputs to the baseline PRA tasks that are examined by the peer review team. The level of detail for the review should be commensurate with the scope of the applications. A list of example issues and considerations for evaluating the risk impact of the proposed changes on a Level 1 internal event PRA is provided in Table B.1.


Table B.1 Example of issues and considerations for risk impact evaluation of proposed changes, Level 1 (Internal Event PRA)

Initiating Events
- Does the application introduce potential for new initiating events?
- Does the application address changes that lead to a modification of the initiating event groups?
- Does the application necessitate a reassessment of the frequencies of the initiating event groups?

Success Criteria
- Does the application necessitate modification of the success criteria either for support or frontline systems?

Event Trees
- Does the application necessitate the introduction of new branches or top events to represent new concerns not adequately addressed in event trees?
- Does the application affect the dependency among the event tree branches, thereby requiring re-ordering of branch points?

System or Component Reliability Models
- Does the application impact system unavailabilities in ways that underestimate the reliability results predicted by the current simplified models?
- Does the application impact the support functions to systems and components in such ways as to alter the dependency in the models?

PRA Data
- Does the application change the conditions and environment under which systems and/or components are demanded such that the current failure rates may need to be changed?
- Does the application change the failure rates such that the previous plant-specific data may not be adequate?
- Does the application change the data such that it may require additional test and data analysis effort?

Dependent Failure Analysis
- Does the application introduce the potential for new common-cause failures (CCFs)?
- Could the application change the CCF component groups already modeled in the PRA?
- Could the application affect the CCF probabilities? How is this addressed?

Human Reliability Analysis
- Does the application involve procedure changes?
- Could the application introduce new human error potentials?
- Does the application change the available time for human actions?
- Does the application affect the recovery actions?


Level 1 Modeling

The items to be examined for the overall examination are discussed first. The documentation that should be furnished to the review team is discussed in Chapter 3 of DG-1061 [82] and throughout various chapters in this report. The items for review for the overall examination are:

- The initiating events included in the PRA are reviewed to assess the completeness of the initiators considered, to assess whether the basis for excluding any initiators is adequate, to check for new initiators introduced by the proposed change(s), and to determine the reasonableness of the initiator frequencies used in the PRA.
- The reviewers consider whether the success criteria for each initiator are reasonable, check the impact of proposed changes in these criteria, and determine if there is an adequate basis for any success criteria that are not typical for the type of plant being reviewed.
- The accident sequence models are examined to determine whether the plant response to the initiators is appropriately accounted for in the event trees.
- The modeling of systems is reviewed to determine whether the failures considered are comprehensive. Operability during accident and harsh environments (e.g., trip points for the reactor core isolation cooling system) would be considered as well as the completeness of the failure modes (e.g., failure to start, run), including common cause failures and human errors.
- The system dependency matrix is reviewed to assess whether dependencies are appropriately considered in the PRA.
- The operator actions that are included in the PRA, the failure probabilities for the actions, and the basis for excluding actions from the analysis are reviewed to determine the completeness of the analysis and the reasonableness of the probabilities estimated for each operator action (in the baseline and post-change case).
- While the peer review is not expected to provide a detailed review of all failure frequencies/probabilities used in the PRA, the methods used for determining the failure frequencies/probabilities (including common cause treatment) are examined. The adequacy of data sources is also assessed together with the failure frequencies/probabilities (including common cause values) and the associated uncertainties.
- The adequacy of the quantification method, including the screening criteria, cutset truncation level, and use of recovery actions, is addressed.
- The development of plant operating states (POS) and the calculated fraction of time in each POS is reviewed if the PRA includes a low power/shutdown evaluation.

[82] USNRC, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," Draft Regulatory Guide DG-1061, February 1997.


Appendix B PRA Peer Review If a fire analysis is included in the PRA, the following is examined:

- development of fire areas/zones, including the basis for screening,
- adequacy of cable tracing, including adequacy of the justification provided by the utility for any cables not traced,
- adequacy of damage modes considered in the analysis,
- adequacy of the fire propagation analysis, including treatment of fire suppression and barrier failure probabilities, and
- adequacy of HRA models.

If a seismic analysis is included in the PRA, the adequacy of the seismic hazard curve used in the PRA is reviewed. The reviewers also examine the approach used to calculate component fragilities and the calculated fragilities for reasonableness.

To supplement the items listed above, the independent peer reviewers also perform detailed spot checks of selected accident sequence models (e.g., event trees), systems models (e.g., fault trees), and the associated quantification.

The reviewers are also expected to spot check the documentation of plant walkdowns (done for any operating mode and for internal or external events).

Level 2/3 Modeling

The review needed for the Level 2/3 analysis will depend on the approach used by the licensee. If the licensee chooses to use the simplified approach described in Appendix B of DG-1061, then the review will only need to consider the approach used to map the Level 1 results into the simplified event trees (unless the peer review team judges the DG-1061 Appendix B partitioning factors to be inadequate). If a full Level 2/3 analysis is performed, the review team will need to evaluate the adequacy of the Level 2/3 analyses relative to the attributes described in this NUREG report.

If the simplified Level 2/3 treatment is used, the following would be checked:

Examine the criteria used to group the Level 1 cutsets into categories for calculating the split fractions for the system response branches in the simplified event trees, to assess whether or not the Level 1 results are appropriately characterized for the Level 2 results.

Review the approach used to calculate the split fractions to ensure they are calculated correctly, and examine the calculated split fractions to determine whether they appear reasonable.

If a full Level 2/3 analysis is performed, the following would be checked against the attributes provided in this report:

Examine the criteria used to group the Level 1 cutsets into appropriate plant damage states.

The event trees (or equivalent system models) are reviewed to determine whether the treatment of severe accident phenomena is comprehensive for the plant under consideration. The treatment of systems and phenomena is reviewed, including the basis for probabilities, to determine if they are consistent with the attributes provided in this report.

The containment failure modes and the associated probabilities are reviewed to verify they are reasonable. The source term and consequence modeling and inputs are reviewed to determine whether they are consistent with the attributes provided in this document.

The process used to bin results for the Level 2/3 analysis (e.g., plant damage states, accident progression bins, or source term groups) is checked to ensure that the grouping maintains the separate effects of the key factors affecting the results. The actual mechanics of the binning are examined for selected cases to determine whether the calculations were performed correctly.

Review of PRA Results

In addition to reviewing the inputs to the PRA, the peer review team would also provide an independent evaluation of the sensibility of the results. The review would focus on the appropriateness of the identified dominant accident sequences and, when a full Level 2/3 analysis is performed, the containment failure modes, releases, and consequences. The review would also consider whether the aspects of the plant design, operation, and maintenance that are found to contribute most to risk in the PRA are reasonable. The results examined are:

The top cutsets are scanned, looking for unreasonable combinations of events.

The sequence level contributions to CDF calculated before and after crediting recovery actions are scanned for reasonableness.

The total plant CDF (including uncertainty) calculated before and after the proposed change is assessed for reasonableness.

The frequencies for early containment failure and containment bypass are reviewed for reasonableness if the utility is performing a simplified Level 2 analysis. The frequencies of accident progression pathways as grouped for source term calculations, the frequencies and magnitudes of source terms, the individual early and latent fatality frequencies, and the uncertainty characterizations for these frequencies are assessed for reasonableness if the utility is performing a full Level 2/3 PRA.
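The quantification items above (screening, cutset truncation level, recovery credit), the results review (top cutsets scanned for unreasonable combinations, sequence CDF before and after recovery), and the simplified Level 2 split-fraction check are the kind of spot checks a reviewer would reproduce on a small slice of the model. The following Python block is an added example, not code from NUREG-1602, the NRC, or any licensee PRA: every basic event, probability, cut set, and nonrecovery factor in it is constructed, the rare-event approximation and "truncate before recovery" convention are assumptions, and the screen that flags two maintenance unavailabilities in one cut set is an assumed review rule, not a requirement stated in this report.

```python
"""Cutset quantification spot check: truncation, recovery credit, top-cutset
scan, and a simplified split fraction. Constructed example, not NRC or
licensee code; every event, probability and cut set below is hypothetical."""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed basic-event data: initiator frequency (per year) and
# per-demand failure probabilities / unavailabilities.
BASIC_EVENTS: Dict[str, float] = {
    "IE-LOOP": 3.0e-2,      # loss of offsite power initiator, per year
    "EDG-A-FTS": 1.0e-2,    # emergency diesel generator A fails to start
    "EDG-B-FTS": 1.0e-2,    # emergency diesel generator B fails to start
    "EDG-CCF": 5.0e-4,      # common cause failure of both diesels
    "EDG-A-MAINT": 2.0e-2,  # diesel A unavailable due to maintenance
    "EDG-B-MAINT": 2.0e-2,  # diesel B unavailable due to maintenance
    "RCIC-FTR": 5.0e-2,     # turbine-driven injection fails to run
    "OPR-DEPRESS": 1.0e-1,  # operator fails to depressurize (human error probability)
}

# Constructed minimal cut sets for one station blackout sequence.
SEQUENCE_CUTSETS: List[FrozenSet[str]] = [
    frozenset({"IE-LOOP", "EDG-CCF", "RCIC-FTR"}),
    frozenset({"IE-LOOP", "EDG-A-FTS", "EDG-B-FTS", "RCIC-FTR"}),
    frozenset({"IE-LOOP", "EDG-A-MAINT", "EDG-B-FTS", "RCIC-FTR"}),
    frozenset({"IE-LOOP", "EDG-A-FTS", "EDG-B-MAINT", "RCIC-FTR"}),
    frozenset({"IE-LOOP", "EDG-A-MAINT", "EDG-B-MAINT", "RCIC-FTR"}),
    frozenset({"IE-LOOP", "EDG-CCF", "OPR-DEPRESS"}),
]

# Hypothetical nonrecovery factors: probability that the recovery action
# credited for cut sets containing the keyed event fails within the time window.
NONRECOVERY: Dict[str, float] = {"EDG-A-FTS": 0.5, "EDG-B-FTS": 0.5, "EDG-CCF": 0.8}


def cutset_value(cutset: FrozenSet[str], probs: Dict[str, float],
                 recovery: Optional[Dict[str, float]] = None) -> float:
    """Product of the basic-event values; if recovery is given, credit one
    recovery action per cut set (the most effective applicable one)."""
    value = 1.0
    for event in cutset:
        value *= probs[event]
    if recovery:
        factors = [recovery[e] for e in cutset if e in recovery]
        if factors:
            value *= min(factors)
    return value


def truncate_cutsets(cutsets, probs, truncation):
    """Keep cut sets whose unrecovered value is at or above the truncation
    level (assumed convention: truncation is applied before recovery credit)."""
    return [cs for cs in cutsets if cutset_value(cs, probs) >= truncation]


def sequence_cdf(cutsets, probs, truncation, recovery=None) -> float:
    """Sequence contribution to CDF by the rare-event approximation (sum of
    retained cut sets), before or after recovery credit."""
    return sum(cutset_value(cs, probs, recovery)
               for cs in truncate_cutsets(cutsets, probs, truncation))


def top_cutsets(cutsets, probs, truncation, n=3,
                recovery=None) -> List[Tuple[List[str], float]]:
    """The n largest retained cut sets, the ones a reviewer scans first."""
    kept = truncate_cutsets(cutsets, probs, truncation)
    kept.sort(key=lambda cs: cutset_value(cs, probs, recovery), reverse=True)
    return [(sorted(cs), cutset_value(cs, probs, recovery)) for cs in kept[:n]]


def flag_mutually_exclusive(cutsets, suffix="-MAINT") -> List[List[str]]:
    """Assumed review screen: two maintenance unavailabilities in one cut set
    are flagged as an unreasonable combination, on the assumption that
    redundant trains are not out of service for maintenance at the same time."""
    return [sorted(cs) for cs in cutsets
            if sum(e.endswith(suffix) for e in cs) >= 2]


def split_fraction(cutsets, probs, truncation,
                   failed_events: FrozenSet[str]) -> float:
    """Fraction of the sequence frequency in which any of failed_events occurs,
    i.e. the share of Level 1 cut sets mapped to the 'failed' branch of a
    simplified Level 2 event tree (constructed illustration, not the
    DG-1061 partitioning factors)."""
    kept = truncate_cutsets(cutsets, probs, truncation)
    total = sum(cutset_value(cs, probs) for cs in kept)
    failed = sum(cutset_value(cs, probs) for cs in kept if cs & failed_events)
    return failed / total if total else 0.0


if __name__ == "__main__":
    trunc = 2.0e-7
    print("retained cut sets:", len(truncate_cutsets(SEQUENCE_CUTSETS, BASIC_EVENTS, trunc)))
    print("CDF before recovery: %.3e" % sequence_cdf(SEQUENCE_CUTSETS, BASIC_EVENTS, trunc))
    print("CDF after recovery:  %.3e" % sequence_cdf(SEQUENCE_CUTSETS, BASIC_EVENTS, trunc, NONRECOVERY))
    for events, value in top_cutsets(SEQUENCE_CUTSETS, BASIC_EVENTS, trunc):
        print("  %.3e  %s" % (value, " * ".join(events)))
    print("flagged:", flag_mutually_exclusive(SEQUENCE_CUTSETS))
    print("split fraction (operator fails to depressurize): %.3f"
          % split_fraction(SEQUENCE_CUTSETS, BASIC_EVENTS, trunc, frozenset({"OPR-DEPRESS"})))
```

Running the block with a truncation level of 2.0e-7 drops the one cut set valued below it, and the before/after recovery totals show how much of the sequence frequency the credited recovery actions remove; the flagged cut set is the one combining maintenance on both diesel trains, which is what the top-cutset scan for unreasonable combinations is meant to catch. The same functions run unchanged on a larger cut set list read from a PRA code export.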

B.4 Documentation of Findings

The documentation should include descriptions of the peer review process and findings and the utility responses to the peer review findings. For the peer review of a baseline PRA, the adequacy of the individual PRA tasks as compared to the attributes of an acceptable PRA should be documented. Any weaknesses of the PRA should be clearly identified. For a particular application of the PRA, the appropriateness of the PRA manipulation should be documented, especially with regard to identified weaknesses in the baseline PRA. The documentation of findings should be included with the submittal of the proposed change to the NRC.


NRC FORM 335 U.S. NUCLEAR REGULATORY COMMISSION

BIBLIOGRAPHIC DATA SHEET
(See instructions on the reverse)

1. REPORT NUMBER: NUREG-1602

2. TITLE AND SUBTITLE: The Use of PRA in Risk-Informed Applications, Draft Report for Comment

3. DATE REPORT PUBLISHED: June 1997

4. FIN OR GRANT NUMBER:

5. AUTHOR(S):

6. TYPE OF REPORT: Technical

7. PERIOD COVERED (Inclusive Dates):

8. PERFORMING ORGANIZATION - NAME AND ADDRESS: Division of Systems Technology, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001

9. SPONSORING ORGANIZATION - NAME AND ADDRESS: Same as 8, above.

10. SUPPLEMENTARY NOTES: A. El-Bassioni, NRC Project Manager

11. ABSTRACT (200 words or less):

In August 1995, the Nuclear Regulatory Commission issued a policy statement proposing improved regulatory decisionmaking "by increasing the use of PRA [probabilistic risk assessment/analysis] in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data." To support the implementation of the Commission's policy, regulatory guidance documents have been developed by the staff (as drafts for public comment) describing how PRA can be used in specific regulatory activities, many of which relate to licensee-proposed changes to their current licensing basis (CLB). In addition, a more general regulatory guide has been developed which describes an overall approach to using PRA in risk-informed regulation. One key aspect of this general guidance is the attributes of an acceptable PRA for such regulatory activities. Detailed discussion is provided for a full-scope PRA (i.e., a PRA that considers both internal and external events for all modes of operation). In addition, discussions are provided for the use and limitations of importance measures and sensitivity studies. Finally, the subject of peer review of a PRA is also discussed.

12. KEY WORDS/DESCRIPTORS: probabilistic risk assessment; risks; risk-informed applications; reliability; availability

13. AVAILABILITY STATEMENT: unlimited

14. SECURITY CLASSIFICATION: (This Page) unclassified; (This Report) unclassified

15. NUMBER OF PAGES:

16. PRICE:

NRC FORM 335. This form was electronically produced by Elite Federal Forms, Inc.

Printed on recycled paper. Federal Recycling Program.