ML20003C773

Submits Detailed Summary of Review & Comment Re ATWS Calculations Per 801110 Request.Viewgraphs Encl
ML20003C773
Person / Time
Issue date: 12/15/1980
From: Rowsome F
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To: Minogue R
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package
ML20003C742 List:
References
REF-10CFR9.7, RULE-PRM-50-29, TASK-OS, TASK-SG-029-3, TASK-SG-29-3 NUDOCS 8103180248


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

DEC 15 1980

MEMORANDUM FOR: Robert B. Minogue, Director, Office of Nuclear Regulatory Research

THRU: Robert M. Bernero, Director, Division of Systems & Reliability Research, Office of Nuclear Regulatory Research

FROM: Frank H. Rowsome, Deputy Director, Division of Systems & Reliability Research, Office of Nuclear Regulatory Research

SUBJECT: ATWS CALCULATIONS

On November 10, 1980 Chairman Ahearne requested that the Division of Systems & Reliability Research, SARR, RES, review and comment upon the ATWS calculations presented to the Commission by J. Lellouche of EPRI and W. Minners of NRR.

We committed to do so by December 12.

A summary of our findings follows:

  • The EPRI ATWS calculations are highly misleading in one important respect. It is not legitimate to calculate system unavailability by comparing the number of component, channel, or subsystem tests in an interval with the number of system failures or the system failure rate in the interval. The Lellouche model implicitly assumes that each and every surveillance test wipes the slate clean of undetected and unrepaired failures throughout the whole RPS system. Subsystem tests do not verify the operability of whole systems. For example, a test of one channel of a reactor protection system logic cannot detect failures in other channels or in the mechanical-hydraulic portions of the system. It would be legitimate to compare the whole-system test rate with the whole-system failure rate to obtain system unavailability. Even the smaller number of tests credited by NRR are not fully comprehensive. Some failure modes could be missed by some of the tests credited by the staff.

There is a narrow sense in which the Lellouche calculations are legitimate. System failure modes entailing the simultaneous failure of all channels of the RPS logic could be effectively detected by each of the logic subsystem tests, provided that the detection of a failure immediately triggers not only the repair of the fault but also tests (and repairs if necessary) of the other channels. Thus, the Lellouche calculation might be correct for the subset of the many contributors to system unavailability which--like the Kahl failure of nearly all the logic relays--strikes all logic channels almost simultaneously. There are, however, many other system failure modes for which this is not true. It is also not clear that a detected RPS logic fault triggers the immediate testing of the other channels or logic modules.

The Lellouche calculation of RPS unavailability does not properly consider, for example, Browns Ferry-like failure modes (blocked scram discharge volume) to which conventional surveillance testing is blind. Thus, his system unavailability estimates are incomplete, over-optimistic, and misleading.

  • The EPRI statistical analysis of the "rectification" of the Kahl failure mode appears to be correctly done; it is a legitimate use of statistical methods. The NRR staff analysis of "rectification" also appears to be correct. The two positions can be reconciled as follows. We can reject the hypothesis that Kahl-like failures are as likely today as their early appearance in BWR operating experience suggests. We cannot distinguish two alternate hypotheses with statistical arguments alone: (1) Kahl-like failures are really less probable since the event than they were before, or (2) it was a statistical fluke that Kahl happened as early as it did, but its likelihood is unchanged.

There is a compelling case to dismiss the Kahl event from statistical analyses of actual ATWS experience. The Kahl fault was detected and corrected in surveillance testing; it did not result in a genuine RPS failure on demand. Thus, it is legitimate to count Kahl as a precursor but not as a real ATWS occurrence. Two different and equally legitimate estimates of the probability of ATWS precursors can be obtained by (1) counting the Kahl failure and the successes preceding it as well as after it, and (2) counting only experience since the Kahl event. It would be illegitimate to dismiss the Kahl failure but to credit the prior successes, as Lellouche correctly acknowledges.

  • The EPRI arguments are legitimate in pointing out that Kahl-like failures can be effectively screened out by the test program and in noting that a large fraction of genuine failures to scram are likely to occur under circumstances in which no core damage would result. A comprehensive, realistic statistical analysis of the risk posed by ATWS events should credit both types of opportunity to nip failures in the bud, either through repair-in-kind or through better-than-before fixes of the kind we hope to see emerging from the Browns Ferry experience.

  • Statistical analyses of very rare events in complex systems are very sensitive to the assumptions implicit in the statistical model. Levels of confidence and other such statistical measures of uncertainty ignore uncertainties originating in completeness or modeling approximations, and should not be treated as comprehensive. Little faith should be accorded to estimates of the ATWS probability and its statistical uncertainty unaccompanied by an analysis of these other sources of uncertainty. Both the EPRI and NRR analyses are flawed by this omission. It is well within the state-of-the-art to assemble an array of statistical analyses of ATWS likelihood employing models of different implicit assumptions and to compare the statistical inferences with engineering judgments of plausibility of the assumptions. In so doing one can obtain a more illuminating and trustworthy picture of ATWS risks than either the staff or the industry has done to date.

  • The argument by J. Lellouche that the provision of additional pressurizer safety valves in PWRs would increase the risk is spurious. Safety valves may stick open--once lifted--but they are extremely unlikely to fail open at pressures well below their setpoint. Thus the likelihood of LOCA will not be significantly increased by the addition of high-quality safety valves set at pressures well above that of existing safety or relief valves. Also, Lellouche used a failure rate applicable to power operated relief valves rather than for safety valves.

SARR/RES is pursuing the ATWS issue in three ways. A fault-tree-based system reliability analysis is being prepared of the Browns Ferry Reactor Protection System (RPS) to assist NRR in determining the adequacy of the proposed corrective actions. The five ongoing Interim Reliability Evaluation Program studies include system reliability analyses of the subject plants' RPS. The ongoing program in failure rate data analysis continues to assemble and refine component failure rates, operator, and maintenance error rates that are useful in synthetic system reliability analyses, including RPS systems.

Overview of ATWS Risks

Our experience with WASH-1400, several subsequent risk assessments, reliability engineering studies, and our understanding of the ATWS dialogue lead us to a perspective on ATWS summarized below.

The NRR approach to ATWS probabilities is generally conservative (noteworthy exception: RPS failure modes that cannot be detected in surveillance tests, e.g., scram discharge volume blockage).

The NRR approach also fails to take differences in the severity of ATWS consequences into account.

The EPRI (Lellouche) approach is unduly optimistic.

The expected frequency of ATWS events predicted by WASH-1400 and other examples of probabilistic risk assessment, including that of Biblis B by the Germans, fall in the middle ground between the NRR and EPRI estimates.

The offsite consequences of an ATWS-induced core melt are expected to be more severe in small pressure-suppression containments than in large dry containments.

ATWS-initiated core melt sequences appear to be the dominant or one of the dominant contributors to risk for BWRs.

ATWS is also among the more likely causes of core damage or core melt for BWRs.

ATWS-initiated core melt sequences have not been found among the predicted risk-dominant sequences for PWRs in those risk assessments done to date.

Something like ten percent or less of core damage occurrences are predicted to be caused by ATWS in most PWRs studied.

Our reading of the literature on ATWS phenomenology suggests that the principal issue for ATWS in PWRs lies in the potential for high reactor coolant system pressures occurring early in ATWS transients. The high pressure may challenge the integrity of the pressure boundary or pose hazards for interconnected systems, e.g., high pressure makeup and boration systems, which would be needed to cope with ATWS after the pressure subsides.

Although no PWR risk assessment has found ATWS to be a dominant contributor to risk, both likelihood and pressure spike severity suggest that the ATWS problem for PWRs is most severe in CE plants, less in B&W plants, and still less in Westinghouse 3 and 4 loop reactors. We have not examined any Westinghouse 2 loop plants.

We find it disturbing that neither NRR nor the licensees have catalogued the failure modes of their reactor protection systems. No one systematically determines which design errors or failure modes are effectively detected in startup or surveillance testing and which can be detected only in genuine scram attempts. No one passes upon the acceptability of the lacunae in the test program.

The Browns Ferry incident is not the only case in which experience has revealed an RPS failure mode to which surveillance testing is blind. For example, during the startup testing of Crystal River Unit 3, Florida Power Corporation discovered a short in the RPS logic which would disable a channel in a genuine scram but which would not show up in surveillance tests of the affected channel. We suspect that there are other test loopholes.

One regulatory strategy is to mandate improved prevention and also ATWS-tolerant designs, i.e., to mandate improved mitigation as well. This NRR proposal has the advantage that no extensive case reviews are required of the staff. If it is done well it should suffice. However, it has the disadvantage of not being very discriminating. It may mandate expensive backfits that are unnecessary or not safety-effective. Its non-mechanistic approach may leave design flaws, installation flaws, or some of the test-blind failure modes unaffected. The staff does not have a good record in the selection of design bases that are intended to envelope broad classes of unanalyzed accident scenarios.

An alternative regulatory strategy that we believe deserves consideration is to mandate a reliability assurance program for the RPS along the lines of aerospace reliability engineering programs. The agency would be prescriptive about the analytic methods, thoroughness, schedule and problem resolution criteria and procedures. The agency would not be prescriptive about backfits, at least not at the outset.

System reliability studies of nuclear safety systems frequently expose design errors, installation errors, undue susceptibility to maintenance error or to failures, etc. These discoveries are subject to the completeness problem, but in general such qualitative findings are far more trustworthy than probabilistic risk assessments.

The reliability assurance program could be tied to qualitative or administrative guides to acceptability; it need not be primarily quantitative. For example, qualitative characteristics of discovered failure modes could be used to determine who has the responsibility for passing upon acceptability. It could be given teeth by expanding the reportage and responsibility provisions of 10 CFR 50.54 to embrace the lacunae of the reliability assurance program.

This regulatory strategy has several advantages. It makes a reality out of the policy that the industry has the prime responsibility for safety. Those, far closer than the staff could ever be to the design and operation of the RPS, must take responsibility for its adequacy. Second, if it can be done well, it could be far more effective in rooting out safety flaws than the NRR proposal. Third, it should be very much more cost-effective.

The reliability assurance option has the disadvantages that neither the staff nor the industry has much experience with aerospace reliability engineering practices and it places a burden of review and quality verification upon the staff. Despite these very real disadvantages, we think the advantages predominate.

Frank H. Rowsome, Deputy Director
Division of Systems & Reliability Research
Office of Nuclear Regulatory Research
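
The memorandum's first finding, worked numerically as an added example (it is not part of the memorandum or of the EPRI or NRR analyses): it compares crediting every subsystem test against every failure mode with crediting each test only for the failure modes it can reveal. The failure-mode names, rates, test intervals and function names are constructed assumptions for illustration.

```python
import math

# Constructed illustration values: none of these numbers come from the memo.
TEST_INTERVAL_HR = {
    "channel_logic_test": 730.0,   # assumed: one logic channel tested monthly
    "whole_system_test": 8760.0,   # assumed: full scram verified yearly
}
# failure mode -> (assumed failure rate per hour, tests able to reveal it)
FAILURE_MODES = {
    "all_channel_logic_fault": (1e-6, {"channel_logic_test", "whole_system_test"}),
    "blocked_scram_discharge_volume": (1e-6, {"whole_system_test"}),
}


def mean_unavailability(rate_per_hr, interval_hr):
    """Time-averaged chance that a latent failure is present, for a constant
    failure rate and a test every interval_hr that reveals and repairs it.
    Tends to rate * interval / 2 when the product is small."""
    x = rate_per_hr * interval_hr
    return 1.0 + math.expm1(-x) / x


def system_unavailability(credit_every_test_for_every_mode):
    """Sum over failure modes (rare-event approximation).

    True  -> every mode is charged the shortest test interval, i.e. each
             subsystem test is assumed to wipe the slate clean system-wide.
    False -> each mode is charged the interval of the most frequent test
             that can actually reveal it.
    """
    shortest = min(TEST_INTERVAL_HR.values())
    total = 0.0
    for rate, detecting_tests in FAILURE_MODES.values():
        if credit_every_test_for_every_mode:
            interval = shortest
        else:
            interval = min(TEST_INTERVAL_HR[t] for t in detecting_tests)
        total += mean_unavailability(rate, interval)
    return total


if __name__ == "__main__":
    optimistic = system_unavailability(True)
    per_mode = system_unavailability(False)
    print(f"every test credited for every mode: {optimistic:.2e}")
    print(f"tests credited only where they see: {per_mode:.2e}")
    print(f"underestimate factor: {per_mode / optimistic:.1f}")
```

With these assumed inputs the test-blind mode dominates the total, so the size of the underestimate is set by how rarely the whole system is actually exercised.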


DRAFT ENVIRONMENTAL IMPACT ASSESSMENT FOR PROPOSED ATWS RULEMAKING

ELEMENTS OF ASSESSMENT

  • BACKGROUND

- PROPOSED RULE REQUIREMENTS

  • IMPACT CONSIDERED

- RADIOLOGICAL

- ECONOMIC

  • BASIS OF ASSESSMENT

- SECY 80-409

- NUREG-0460

- BOUNDING CONSIDERATIONS FOR OCCUPATIONAL EXPOSURE

RADIOLOGICAL IMPACT CONSIDERATIONS

  • OCCUPATIONAL EXPOSURE

BASIS:

- BOUNDING ASSESSMENT ASSUMED TO BE INSTALLATION OF RELIEF VALVES ON PRIMARY SYSTEM - ACTUAL PLANT USED

- GROSS EXTRAPOLATION TO OTHER MODIFICATIONS

RESULTS:

- 410 MAN-REM/PLANT FOR VALVE INSTALLATION (100 MAN-REM/PLANT TOTAL)

TOTAL IMPACT:

- 0.15 PREMATURE CANCER DEATHS

- 0.375 CASES FOR GENETIC EFFECTS OVER NEXT 5 GENERATIONS

- NO EARLY FATALITIES OR HEALTH EFFECTS

REMARKS:

- APPROXIMATELY 300 WORKERS INVOLVED

- CANCER DEATHS DUE TO NATURAL CAUSES ~ 1 IN 5 = 60 WORKERS

- 10% OF LIVE BORN OFFSPRING HAVE SERIOUS GENETIC DISORDERS

RADIOLOGICAL IMPACT CONSIDERATIONS

  • POPULATION EXPOSURE

- TWO TYPES OF IMPACTS

- NORMAL OPERATION

- ATWS EVENT

  • RESULTS

- NORMAL OPERATION

- IMPROVE RELIABILITY OF SCRAM

- ESSENTIALLY NO IMPACT ON POPULATION EXPOSURE

- ATWS EVENTS

- OVERALL ENVIRONMENTAL RISK FOR ATWS EVENTS COMPARABLE TO OVERALL RISK FROM NORMAL OPERATION

- ESSENTIALLY NO IMPACT ON POPULATION EXPOSURE

ECONOMIC IMPACT CONSIDERATIONS

  • REPLACEMENT POWER

- STAFF ESTIMATES 4 TO 6 WEEKS PLANT SHUTDOWN FOR ATWS MODIFICATIONS

- REFUELING OUTAGES (1978 AVERAGE): BWR'S 5.8 WEEKS, PWR'S 7.8 WEEKS

- TOTAL OUTAGES (1978 AVERAGE): BWR'S 12.9 WEEKS, PWR'S 13.0 WEEKS

  • ECONOMIC IMPACTS (NO REPLACEMENT POWER COSTS)

- STAFF ESTIMATES DIRECT COST & INDIRECT COSTS

- LARGEST IMPACT ESTIMATED 4 3% OF CAPITAL COST OF NUCLEAR PLANT (AT ~$1 X 10^9 /1000 MWe PLANT)

TOTAL ESTIMATED COST OF MODIFICATIONS (DIRECT & INDIRECT, NO REPLACEMENT POWER COSTS)

[Table by plant vintage (PRE '69, '69-84, POST '84) and vendor (GE, CE, B&W, W), with a TOTAL row; the column alignment and several cell values are not recoverable from the scan.]

  • 1980 DOLLARS