ML18032A583

Forwards Preliminary Findings of Limited Review of Core Damage Accident Analyses Portion of Plant PRA. Summary of Preliminary Findings Discussed. Credibility of Study Not Evaluated at This Time
ML18032A583
Person / Time
Site: Browns Ferry (Tennessee Valley Authority)
Issue date: 08/29/1987
From: Houston R
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To: Ebneter S
NRC OFFICE OF SPECIAL PROJECTS
Shared Package
ML18032A582 List:
References
NUDOCS 8710080089


Text


UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

AUG 29 1987

ENCLOSURE

MEMORANDUM FOR: Stewart D. Ebneter, Director, TVA Projects Division, Office of Special Projects

FROM: R. Wayne Houston, Acting Director, Division of Reactor Accident Analysis, Office of Nuclear Regulatory Research

SUBJECT: PRELIMINARY REVIEW FINDINGS OF BROWNS FERRY PRA

The purpose of this memorandum is to provide an overview of the currently available draft version of the Browns Ferry, Unit 1, Probabilistic Risk Assessment (PRA).

The draft Browns Ferry PRA was submitted to the ONRR management review during a meeting between the ONRR management and the Tennessee Valley Authority (TVA) management to discuss plant configuration management issues.

The staff has conducted a limited review of the core damage accident analyses portion of the PRA and has developed more information on the plant safety overview.

The staff did not try to evaluate, at this time, the credibility of the study or resolve any questions that arose from initial reading of the PRA.

In summary our preliminary findings are:

(1). There is no reason to suspect that additional immediate regulatory action is warranted, because the PRA did not identify significant safety problems.

However, the assessed core damage frequency is very high and we encourage rapid submittal of the revised and updated final PRA.

(2). From an initial reading of the PRA, the staff did not identify any new significant generic safety issues.

The staff's final review of the final PRA could potentially identify new generic safety issues, if they exist.

However, this conclusion is tentative and could change after our detailed review.

(3). The Browns Ferry PRA provides extensive safety information on dominant potential core damage sequences.

Because these dominant sequences originate from system dependencies, the staff has gained a significant overview of the Browns Ferry plant safety and understanding of those improvements which could reduce the dominant sequence frequency.


(4). Our initial reading of the PRA indicates that core damage is more likely to be induced by means of scram failure events than by other events such as station blackout, loss of feedwater events and reactor vessel isolation events.

This is primarily due to the fact that the ATWS related modifications had not been implemented at the time the draft version of the PRA was performed.

It is noteworthy that "a partial failure to scram" event occurred once during the Browns Ferry Plant's early life.

Based on our current knowledge of the adverse consequences of ATWS induced core damage events and Mark I containment capability to withstand the ATWS events, it is prudent to expedite ATWS related modifications (USI A-9) and to consider carefully the staff's recommendations outlined in Table 3.

(5). We find that the air system (a support system) plays a major role in the Browns Ferry plant operation.

The PRA indicates that it is not a highly reliable system, and it provides a wide range of intersystem dependencies resulting in the loss of safety functions.

Similar issues related to air system problems were brought to the attention of the industry and are documented in "NRC Information Notice No. 87-28: Air Systems Problems to U.S. Light Water Reactors," dated June 22, 1987.

Thus, the staff believes that the air system dependencies could be minimized (Refer to Table 3 improvements) by design improvements, if necessary.

(6). It appears that the TVA management and its staff are making use of the PRA based systems information to facilitate the resolution of the plant configuration management problems and to establish some prioritization methods needed for resource allocation purposes.

Both the TVA and OSP staffs could encourage and monitor closely the use of PRA by the licensee.

It is noted that the above comments are based on the information provided in the draft PRA and the plant configurations and operational provisions which existed at the time the PRA was performed.

Also, our initial review has identified some major conservatisms and optimisms in the PRA models.

The staff believes that the final BFPRA should reflect realistic modeling assumptions and plant specific data.

A list of these major conservatisms and optimisms that we have observed is provided in Table 4.

For further information, contact E. Chelliah (X28048) of PRAB/RES.

Enclosure: As stated

R. Wayne Houston, Acting Director
Division of Reactor Accident Analysis
Office of Nuclear Regulatory Research

cc: E. Beckjord, T. Speis, D. Ross, T. Murley, B. Sheron, W. Morris, R. Starostecki, A. Thadani, F. Miraglia, R. Barrett, F. Coffman

ENCLOSURE

Staff's Preliminary Findings of the Limited Review of the Draft Browns Ferry PRA

Background

During the period of 1982 through 1984, the licensee, Tennessee Valley Authority (TVA), conducted a probabilistic risk assessment (PRA) for the Browns Ferry nuclear power plant, Unit 1, with the help of Pickard, Lowe and Garrick, Inc.

Subsequent to the plant shutdown due to inadequate plant configuration management and other noncompliance to safety requirements, the management of the Office of Nuclear Reactor Regulation (ONRR) and TVA conducted a meeting.

The meeting was held at Chattanooga during the first week of August, 1986 and the discussion was on the results of the draft Browns Ferry PRA (BFPRA).

The above meeting concentrated on the usefulness of the BFPRA in performing system walkdowns and establishing reasonable and meaningful configuration management techniques.

During the meeting, the NRC staff determined that the total core damage frequency for the Browns Ferry plant had been estimated to be well above 1.0E-3 per reactor year.

Although the TVA management indicated the inappropriateness of using draft PRA information for regulatory application purposes, both ONRR and TVA management concluded that the draft PRA, along with other regulatory documents, could be reviewed to determine if major risk outliers existed.

It is the staff's understanding that TVA is in the process of revising the draft Browns Ferry PRA.

When the final PRA is completed, the NRC will review the report and report the findings.

In the interim, the former Reliability and Risk Assessment Branch (RRAB) of ONRR was actively involved in reviewing the draft BFPRA and other documents, such as the FSAR and a previous PRA study performed for the Browns Ferry plant under the Interim Reliability Evaluation Program (IREP).

(This function has now been transferred to PRAB/RES.)

The staff's preliminary review findings of the draft report are summarized below.

Overall Summary

The draft BFPRA is a seven volume document generated by a PRA consultant, Pickard, Lowe and Garrick, Inc., with the help of TVA engineers and systems experts.

As it exists, the BFPRA is a draft level 3 PRA, including core damage accident sequence analysis, containment (Mark I) response analysis, and site specific consequence analysis.

Initiators considered include transients and LOCAs and external events such as seismic events, fires, internal flooding, external flooding, high wind, aircraft impact and turbine missiles.

The systems and sequence analyses were performed in detail.

About 21 initiating events that could contribute to core damage occurrence were analyzed and about 16 frontline and support systems needed to mitigate the transients and LOCAs were modeled to estimate the core damage frequency.

The seismic sequence analysis, including the structural failure analysis of the BFPRA, is presented in detailed fashion.

The fire analysis and internal flooding analysis are somewhat limited in scope and the core damage frequency due to these events was estimated using bounding assumptions.

The core damage accident analyses of events such as flooding (internal and external), turbine missile, aircraft impact and high winds and tornadoes are qualitative and were performed using conservative assumptions.

In general, the preliminary review indicates that the BFPRA makes use of the state of the art methods.

The level of detail modeled in systems and sequence analysis of the PRA is found to be the same as that found in other PRAs performed by the industry, such as the Limerick and Shoreham PRAs.

The total core damage frequency estimated for the Browns Ferry plant, Unit 1 is about 2E-3 per reactor year.

This estimate is somewhat higher than the typical estimates for similar BWR 4 plants, such as the Limerick and Shoreham nuclear power plants.

The core damage frequency contributions due to various initiating events are shown in Table 1.

It is clear that the total core damage frequency for Browns Ferry, Unit 1 is dominated by the transients followed by the failure of the decay heat removal systems.

Dominant Sequences

The BFPRA makes use of lengthy event trees with many possible core damage accident sequences.

The branch point events within the trees consist of system failures and successes.

The accident sequences have been quantified using event tree, fault tree and GO techniques, plant specific and generic initiating event frequencies, and component failure rate data.

A list of the top fifteen dominant sequences, along with their frequency estimates, is provided in Table 2.

The sequences listed in the Table 2 are primarily sequences that are initiated by transients and small LOCAs.

Although the total frequency contribution to core damage by seismic events and fires is well above 3E-4 per reactor year, it seems that there is no individual seismic or fire initiated sequence whose frequency exceeds 1E-4 per reactor year.

A closer examination of the dominant sequences listed in Table 2 indicates that a unique and dominant risk outlier is not evident.

Each of the fifteen sequences is estimated to have a frequency estimate in the range of 4E-5 to 1E-4 per reactor year.

Overview of Plant Safety

An initial reading of the BFPRA was conducted to provide a summary overview of the major results of the PRA.

Particularly, the review focussed on the analysis of the dominant sequences and contributions to potential core damage accidents.

The objective was to check whether the risk results, as documented in the report, provide any new insights regarding safety significance.

It is noteworthy that the core damage accident sequence analysis of the PRA is more extensive than the study performed for the containment response analysis and offsite consequence analysis areas.

Thus, the BFPRA sequence analysis performed by the licensee provides extensive information on the failure contributions of the systems and failure modes of the components for various potential accident scenarios, affecting plant safety.

The PRA documentation does not report any non-compliances with the single failure and separation requirements.

However, the initial reading of the PRA indicates that a scram signal could be generated following a single failure in the plant air headers in the vicinity of the hydraulic control unit (HCU).

A single failure in the air header could also disable and/or degrade the initiation of the ADS system following a failure of the high pressure coolant injection (HPCI) and/or reactor core isolation cooling (RCIC) system.

The single failure analysis of air systems is not reviewed at the accident sequence level under current regulatory review practice.

However, the staff and the licensee could focus attention on the risk significance of the various single failures in the plant control air system at Browns Ferry.

The identification of all possible single failures in a support system such as the air system, resulting in the loss of independent functioning of distinct safety systems, is a detailed and complex process.

The final BFPRA, and the staff's review of it, could provide additional insights on plant safety.

For ATWS events, the MSIVs close at vessel water level L2 and the turbine driven feedwater system, which provides high pressure coolant to the reactor, is lost.

Thus, if the MSIV isolation logic could be changed from L2 to L1, then the availability of the feedwater system for removing heat from the reactor could be improved.

The plant has a two train standby liquid control system.

Moreover, this system is not actuated automatically following ATWS events.

Considering the high probability estimated for SBLC system actuation and test related failures, an automatic initiation feature for the SBLC system combined with on line testing capability for the SBLC system to reduce the system unavailability due to testing could reduce the ATWS contribution to the core damage frequency.

It seems that following a transient involving loss of feedwater, the ADS system is not actuated automatically following a low water level in the reactor, and the system requires manual action for all transients other than small LOCA events.

Experience indicates that high pressure coolant injection systems have relatively high unavailability, and that low pressure systems have very high reliability.

Hence, design changes to the ADS actuation circuits such that the system could be automatically actuated upon low level - L2 in the reactor vessel would permit the low pressure coolant system to provide coolant makeup to the reactor (Refer also to TMI Action Plan Item II.K.3.18), and thus provide greater depressurization reliability for the plant.

There seems to be excessive air system dependency affecting the performance of many systems.

Our review indicates that the frequency estimates of a few dominant sequences are greatly affected by the air system dependency.

Appropriate measures to minimize the air system dependency at the sequence level could reduce this contribution to core damage frequency.

A summary of the various possibilities to reduce risk and their overall impact is provided in Table 3.

It is important to note that these options are based on the risk information provided in the draft BFPRA and the plant configurations and operational provisions which existed at the time the PRA was performed and may not reflect the plant as it currently exists.

Also, our preliminary review of the draft PRA indicates that there are some major conservatisms and optimisms in the PRA models.

The staff believes that the final Browns Ferry PRA should reflect realistic modeling assumptions and data.

A list of some major modeling conservatisms and optimisms identified in the PRA model is provided in Table 4.

We recommend that the licensee review the existing plant configuration and operational provisions, update the PRA, and evaluate system improvements, if necessary, with the objective of reducing the estimated high core damage frequency at this time.

Table 1

A. Scope

Level 3 PRA; Internal Events and External Events only; Performed Primarily by Pickard, Lowe & Garrick Group

B. Site

Located on the North Shore of Wheeler Lake in Limestone County of Alabama State; Athens, AL. Located 10 Miles Northeast; Decatur, AL. Located 10 Miles Southeast

C. Plant

BWR/4 Reactor; 3 Units; Mark I Containment; Designed to withstand LOCAs, Transients, Fires, Seismic events, Floods and High winds; DBE 0.2 g and OBE 0.1 g; owned and operated by Tennessee Valley Authority

D. Core Damage Frequency

Internal Events              1.5 E-3/RY
Seismic Events               1.4 E-4/RY
Fires                        1.5 E-4/RY
External Flooding            Negligible
Tornadoes and High Winds     Negligible
Aircraft Impact              Negligible
Turbine Missiles             Negligible
Internal Flooding            1.2 E-6/RY

E. Sequence Frequency

Loss of Coolant Inventory    3.7 E-4/RY
Loss of Decay Heat Removal   5.2 E-4/RY
Loss of Scram Function       1.5 E-4/RY
Station Blackout             3.0 E-5/RY

Table 2

A Summary Description of Dominant Sequences

Each entry gives the description of the dominant sequence, followed by the sequence frequency per RY.

01. ATWS followed by failure to provide the torus cooling. AC power is assumed to be available. Frequency: 1.09E-4

02. A transient followed by a stuck open relief valve and the failure to provide torus cooling over a period of 24 hours. Frequency: 1.04E-4

03. Loss of the control air supply system followed by the failure of manual alignment of the RHR system to provide shutdown cooling. Frequency: 9.58E-5

04. A transient followed by a stuck open relief valve and the failure of common actuation signals of many safety systems. Frequency: 9.21E-5

05. A small LOCA followed by the failure to provide torus cooling over a period of 24 hours. Frequency: 8.67E-5

06. Inadvertent open relief valve followed by the failure to provide torus cooling over a period of 24 hours. Frequency: 7.57E-5

07. Loss of feedwater followed by failure to provide high pressure coolant make up for 6 hours and the failure to depressurize the reactor manually. Frequency: 7.28E-5

08. Inadvertent open relief valve followed by the failure of the common actuation signals of many safety systems. Frequency: 6.70E-5

09. MSIV closure followed by the failure to provide high pressure coolant makeup for 6 hours and the failure to depressurize the reactor manually. Frequency: 6.25E-5

10. Loss of the control air supply system followed by the start failures of the RHR system and the failure of the manual alignment of the RHR system to provide torus cooling over a period of 24 hours. Frequency: 6.08E-5

11. A transient followed by a stuck open relief valve when the plant electrical power status is at state #1. Frequency: 5.34E-5

12. Inadvertent open relief valves when the plant electrical power status is at state #1. Frequency: 3.89E-5

13. Inadvertent open relief valves followed by the failure to manually scram the reactor and the closure of all main steam isolation valves. Frequency: 3.79E-5

14. A feedwater ramp-up transient followed by the failure to restart the feedwater pumps and the failure to provide high pressure coolant makeup to the reactor for a period of six hours and failure to depressurize the reactor manually in a timely fashion. Frequency: 3.77E-5

15. A loss of offsite power event followed by the common mode failure of the diesels and the failure to provide high pressure coolant inventory make up to the reactor. Frequency: 3. E-5

Note: The BFPRA models the power failures in the form of sixteen combinations (available, not available) of performance of the four half 2 KV shutdown boards.

For example, for power state #1, the shutdown board A is unavailable and all other shutdown boards are available.

For the power state #16, all the shutdown boards are available.

Table 3

A Summary of Possible Plant Improvements Resulting from Preliminary Review and Their Impact on Safety

Each entry gives the possible plant improvement, followed by its effect on plant safety.

1. Changes to MSIV isolation set points - L2 to L1.
Effect on plant safety: Reduces the frequency of the vessel isolation transients and increases the chance of recovering the power conversion system to mitigate the transients.

2. Changes to provide on line test capability of the SBLC system.
Effect on plant safety: Reduces the frequency of the ATWS sequences and SBLC system unavailability.

3. Changes to facilitate automatic ADS actuation upon low water level or high drywell pressure (same as II.K.3.18 Item).
Effect on plant safety: Increases the reliability of the overall ADS and reduces the frequency of loss of coolant inventory makeup sequences following a transient.

4. Changes to provide the minimized control air system dependence.
Effect on plant safety: Reduces the frequency of some dominant sequences involving the loss of control air system.

TABLE 4

A SUMMARY OF COMMENTS ON THE OPTIMISMS AND PESSIMISMS MODELED IN THE PRA

ATWS EVENTS:

1. The reactor vessel will be isolated on level 2 following a failure to scram event.

If plant improvements related to the ATWS issue are included in the PRA model, then the assumption that the vessel will be isolated on level 1 could increase the availability of the normally available feedwater and condensate systems to remove the heat.

Therefore, certain sequences involving the ATWS event following the MSIV closure event could be reduced significantly.

2. Although the event tree considers that the recirculation pump trip following a fail to scram event is needed to avoid core damage, the PRA documentation indicates that it is a conservative assumption.

Similar BWR PRAs performed by the industry indicate that the necessity of the pump trip to avoid core damage is realistic.

3. It is noted that the PRA does not give credit to the use of the condensate system as a long term low pressure coolant makeup to the vessel for certain sequences.

The use of the condensate system could require many operator actions to provide adequate inventory makeup to the hotwell.

However, where sufficient time is available, such as sequences involving the long term loss of RHR systems, the credit for recovery could be considered carefully.

4. Fail to control HPCI flow to the vessel is assigned a probability estimate of 4.29E-5.

The above estimate seems to be low unless the model includes the design features that include the ADS inhibit switch and associated operating procedures following the ATWS event.

The PRA should document the details of the human reliability analysis and results to support the conclusion.

5. Fail to initiate the SBLC system is assigned a probability estimate of 0.003 per demand.

The other BWR PRAs, including the probabilistic work performed under the ATWS rule making process, seem to indicate a somewhat higher estimate.

The PRA should document the human reliability analysis performed as part of the PRA, if any, to support the above estimate.

LOSS OF CONTROL AIR:

Upon decreasing air pressure in the station air headers, the station air system could be connected to the plant air system.

The PRA does not give credit to the interconnection.

The recovery of the station air thru the interconnection could depend on the pressure decay time and existing operating procedures for the recovery and should be considered.

STUCK OPEN SRVs EVENT:

1. If the recovery of the safety relief valve opening failure is considered, the means of treating the dependency on plant air in the event sequence must be documented.

2. The condensate system could be used as a low pressure coolant make up source, and this system is not taken credit for in the PRA.

This could involve timely operator actions to provide adequate supply to the hotwell.

INADVERTENT OPEN RELIEF VALVE EVENT:

1. The PRA does not discuss the impact of the dependence of normal AC power on the frequency contribution.

MSIV CLOSURE EVENT:

1. It is indicated that closure of one MSIV will result in excess flow in three other steam lines.

But, it is not clear that the frequency of MSIV closure initiating event accounts for that contribution.

2. The recovery of the condenser hotwell involves reopening the MSIVs in fifteen minutes.

The PRA should assess the reasonableness of the assumption based on the plant specific data, if any.

LOSS OF FEEDWATER EVENT:

Reopening of the MSIVs following the event would involve establishing certain levels of vacuum in the condenser.

Considering the short time available to the operators, the PRA should assess the reasonableness of the appropriate credit for the recovery operations.

The PRA should also assess the reasonableness of the recovery modeling of the CRD and FW systems within initial thirty minutes following the event.
