ML20199K546
| ML20199K546 | |
| Person / Time | |
|---|---|
| Site: | Yankee Rowe |
| Issue date: | 06/30/1986 |
| From: | BROOKHAVEN NATIONAL LABORATORY |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| CON-FIN-A-3824 BNL-NUREG-51984, NUREG-CR-4589, NUDOCS 8607090187 | |
| Download: ML20199K546 (87) | |
Text
-
NUREG/CR-4589 BNL-NUREG-51984 4
Review of Selected Areas of i Yankee Rowe Probabilistic ,
Safety Study Prepared by L. Arrieta, R. G. Fitzpatrick, C. M. Spetteil Brookhaven National Laboratory Prepared for U.S. Nuclear Regulatory Commission i
hDR AOK 50 29 .,
PDR P (j g .j g 7 g j g 7
l NOTICE This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of re-sponsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.
NOTICE Availability of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from one r,f the following sources:
- 1. The NRC Public Document Room,1717 H Street, N.W.
Washington, DC 20555
- 2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013 7082
- 3. The National Technical Information Service, Springfield, VA 22161 Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Pubhc Docu-ment Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.
The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code o/
Federal Regulations, and Nuclear Regulatory Comminion issuances.
Documents available from the National Technical information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.
Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Fedirral Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.
Documents such as theses, dissertations, foreign reports and translations, and non NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.
Single copies of NRC draft reports are available free, to the extent of supp!y, upon written request to the Division of Technical Information and Document Control U S. Nuclear Regulatory Com-mission, Washington, DC 20555.
Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American Natiqnal Standards Institute,1430 Broadway, New York, NY 10018.
. d . .. -
NUREG/CR-4589 BNL-NUREG-51984 Review of Selected Areas of Yankee Rowe Probabilistic Safety Study Manuscript Completed: March 1986 Date Published: June 1986 Prepared by L. Arrieta, R. G. Fitzpatrick, C. M. Spettell Department of Nuclear Energy Brookhaven National Laboratory Upton, NY 11973 r
Prepared for Division of Safety Review and Oversight Office of Nuclear Reactor Regulation
- U.S. Nuclear Regulatory Commission Washington, D.C. 20555 NRC FIN A3824 I
I
._ : .r " * -
- iii -
ABSTRACT The Yankee Nuclear Power Station Probabilistic Safety Study has been re-viewed in three specific areas. These areas are (1) treatment of initiating i events, (2) treatment of human actions, and (3) treatment of the emergency ac and dc power systems. The results reported here are based on three individual and highly focused reviews. Therefore, the conclusions offered are based within the context of each individual review.
1 1
i 4
I f
l I
i 1
1
~ '
.. . . . .. - - . . . - . n . ..
-v-TABLE OF CONTENTS Page ABSTRACT................................................................. iii LIST OF FIGURES.......................................................... viii LIST OF TABLES........................................................... viii EXECUTIVE
SUMMARY
........................................................ ix
1.0 INTRODUCTION
........................................................ 1 2.0 TREATMENT OF INITIATING EVENTS...................................... 2 2.1 YNPS-PSS Initiating Events Methodology......................... 2 2.1.1 Selection and Grouping.................................. 3 2.1.1.1 Ve ry Sm a l l B re a k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.1.2 Sm a l l B r e a k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.1.3 In t e rmed i a te B re a k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.1.4 Large L0CA..................................... 6 2.1.1.5 Steam Generator Tube Rupture................... 7 2.1.1.6 Excessive Cooldown............................. 7 2.1.1.7 St e am Li ne B rea k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.1.1.8 P l a n t Tr i p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.1.1.9 Loss of ac..................................... 8 2.1.1.10 Decrease i n Feedwater Fl ow. . . . . . . . . . . . . . . . . . . . . 8 2.1.1.11 Decrease in Steam Flow - Loss of Vacuum........ 9 2.1.1.12 Decrease in Steam Flow - NRV Closure. .. .. . . ... . 9 2.1.1.13 Decrease in Steam Flow - Turbine Trip. .. . .. . ... 9 2.1.1.14 Degradation of dc Power Supply................. 9 2.1.1.15 Loss of Control Air............................ 9 2.1.1.16 Loss of Component Cooling...................... 10 2.1.1.17 Loss of Service Water.......................... 10 2.1.1.18 Reactor Vessel Rupture......................... 10 2.1.1.19 Non-Isolable LOCA Outside Containment.......... 10 l 2.1.2 Quanti fication of Initiating-Events Frequency........... 10 2.1.2.1 Quantification of Initiating-Event Categories 1 Through 13.................................. 11 2.1.2.1.1 Development of Prior Distribution Function........................... 11 2.1.2.1.2 Li kel i hood Functi on . . . . . . . . . . . . . . . . . 12 2.1.2.1.3 Development of Posterior Distri-bution............................. 12 2.1.2.1.4 Unidentified Initiating-Event Frequency.......................... 14 2.1.2.2 Quantification of Initiating-Event Category 14 Through 19................................. 14 2.1.2.3 Initiating-Event Frequencies................... 16 2.2 YNPS Core Mel t Frequency Profi l e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.3 Review of Initiating Events.................................... 19 2.3.1 Completeness............................................ 21 2.3.2 Grouping................................................ 21 2.3.3 Qu a n t i f i c a t i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 2.3.4 Analysis of Results..................................... 26
- vi -
TABLE OF CONTENTS (continued)
Page 2.4 Comparison of YNPS-PSS With Other Similar Studies . ... ... .. . . . .. 34
.2. 5 Conclusions.................................................... 37 2.6 References..................................................... 37 3.0 TREATMENT OF HUMAN ACTI0NS.......................................... 40 3.1 Introduction................................................... 40 3.2 Description of YNPS-PSS Methodology............................ 40 3.2.1 Selection of Human Actions for Quantification........... 40 3.2.1.1 Human Actions During Accident Sequences........ 42 3.2.1.2 Human Actions During Routine Operations........ 42 3.2.2 Quanti fi cation of Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . 42 ,
3.2.2.1 Data Sources................................... 42 3.2.2.2 Development of HEP Distributions in YNPS-PSS... 43 3.2.2.3 Quantification of Human Intervention During Routi ne Pl ant 0perations . . . . . . . . . . . . . . . . . . . . . . 43 3.2.2.4 Quantification of Human Intervention During Accident Sequences............................ 46 3.2.2.5 Results of the Quantification of Human Actions in YNPS-PSS Fault Treas and Event Trees....... 47 3.2.2.6 Results of the YNPS-PSS HRA in Terms of System Failure Contributions to Core Melt (Including Ma n u a l Ac t i o n s ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 3.3 Eval u at i o n o f Y NPS-P SS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 3.3.1 Deficiencies of the PSS................................. 51 3.3.1.1 Treatment of Common Mode Human Errors.......... 55 3.3.1.2 Task Analyses.................................. 55 3.3.1.3 Assumptions Regarding the Effec += of Addition-al Personnel During Accident Sequences on HEPs.......................................... 57 3.3.1.4 Treatment of Cognitive Errors.................. 57 3.3.1.5 Impact of Event-Specific Environmental and Situational Factors on Critical Human Actions....................................... 58 3.3.2 Comparison of Other Studies............................. 59 3.3.2.1 Operating Valves from Control Room............. 59 3.3.2.2 Sta rti ng and Al i gni ng Systems . . . . . . . . . . . . . . . . . . 60 3.4 Conclusions.................................................... 60 3.5 References..................................................... 61 4.0 TREATMENT OF STATION DC AND EMERGENCY AC POWER SYSTEMS.............. 62 4.1 Introduction................................................... 62 4.2 Y NP S El ec t ri cal Sy s t ems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 4.2.1 Description............................................. 62 4.2.2 Specific NRC Concerns With Respect to Design and 0peration.............................................. 64 4.3 Evaluation of YNPS-PRA......................................... 66 4.3.1 Approach................................................ 66 4.3.2 DC Power System Findings................................ 66 4.3.3 AC Power System Findings................................ 69
- vii -
TABLE OF CONTENTS (continued)
Page 4.3.4 Specific NRC Concerns With Respect to the Fault Trees... 70 4.4 Conclusions.................................................... 74 4.5 References..................................................... 74 5.0
SUMMARY
............................................................. 75
6.0 CONCLUSION
S......................................................... 78 J
I i
l 1
^-
i . . .
- viii -
LIST OF FIGURES Figure Title Page 2.3.1 Core melt frequency sensitivity results.................... 33 4.2.1 Mai n one li ne di agram - ac power systems . . . . . . . . . . . . . . . . . . . 63 4.2.2 Main one line diagram - de power systems................... 65 LIST OF TABLES Table Title P_a ge_
2.1.1 Initiating-Event Categories Developed in the MLD........... 4 2.1.2 EPRI-NP-801 PWR Initiating Event........................... 5 2.1.3 Di sc reti zati on Inte rval s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.1.4 Prior and Posterior Probability Density Distributions for Unidenti fi ed Ini ti ati ng Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.1.5 Initiating-Event Frequencies............................... 17 2.2.1 Mean Annual Core Melt Frequency (CMF) by Initiating-Event Category.................................................. 18 2.2.2 Conditional Corp Melt Probability (CCMP) by Initiating-Event Category............................................ 20 2.3.1 Mean Core Melt Frequency Without Plant Experience by Initiating-Event Category................................. 24 2.3.2 Initiating-Event Frequency and Mean Core Melt Frequency by Initiating Event Category.............................. 25 2.3.3 EPRI-NP-2230 Data Used in BNL Review 1..................... 27 2.3.4 NUREG/CR-3862 Data Used in BNL Review 2.................... 28 2.3.5 Initiating-Events Frequencies.............................. 30 2.3.6 Mean Core Melt Frequency by Initiating-Event Category BNL Review 1.................................................. 31 2.3.7 Mean Core Melt Frequency by Initiating-Event Category BNL Review 2.................................................. 32 2.4.1 Comparison of Core Melt Frequency (CMF) Contribution by Initiating-Event Category................................. 36 2.4.2 Comparison of Conditional Core Melt Probabilities by Initiating-Event Category................................. 38 i 3.2.1 Manual Actions Represented in Event Trees.................. 41 3.2.2 Generic Human Error Probability (HEP) Matrix Developed from NUREG/CR-1278........................................ 44 3.2.3 Quantification of Operator Decision to Perform Actions in Yankee Nuclear Power Station-Probabilistic Safety Study... 48 3.2.4 Event Tree Manual Action Quanti fication . . . . . . . . . . . . . . . . . . . . 49 3.2.5 Event Tree Intermedi ate Event Probabili ties . . . . . . . . . . . . . . . . 52 3.2.6 System Contributions to Core Mel t Frequency. . . . . . . . . . . . . . . . 54 3.2.7 Percentage Contribution of Human Errors to System Failure Probabi l i ty of Mi ti gati ng Systems . . . . . . . . . . . . . . . . . . . . . . . . . 56 4.3.1 Li st of YNPS-PSS El ectrical System Faul t Trees . . . . . . . . . . . . . 67 4.3.2 125-V dc Bus Fault Tree Quantification Results............. 68 4.3.3 Observed Diesel Generator Failure Data vs Calculated Failure Probabilities..................................... 71 4.3.4 Comparison of YNPS-PSS and Oconee PRA Failure Rates for Maj o r El ect ri ca l Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 l
l
__,e _
- ix -
EXECUTIVE
SUMMARY
This report summarizes the review by Brookhaven National Laboratory of three specific areas within the Yankee Nuclear Power Station Probabilistic Safe-ty Study (YNPS-PSS). This review was performed for the Reliability and Risk As-sessment Branch of the United States Nuclear Regulatory Commission (NRC). The three areas in which the NRC sought contractor assistance for their overall re-view of the YNPS-PSS were (1) treatment of initiating events, (2) treatment of human actions, and (3) treatment of the emergency ac and de electrical power systems.
The ensuing paragraphs list the major findings and conclusions for each of the three review areas. It should be noted that these individual reviews were specific and highly focused and taken together represent only a small fraction of a complete and integrated PSS review. Therefore, the conclusions offered in this report are based within the context of each individual review and upon the available information.
The initiating event task encompassed review of the selection, grouping, quantification, and contribution to core melt frequency as presented in the YNPS-PSS. Further analyses were also performed which demonstrate the impact of using more recent compilations of generic data as well as an appraisal of the reasons offered in the YNPS-PSS for the dominance of LOCA scenarios to the over-all core melt frequency. The review findings with respect to treatment of ini-tiating events were:
. In the YNPS-PSS, the effect of plant history was to reduce the transients contribution to the CMF by a factor of 2.2 and the total CMF by 34%.
. Using later compilations of generic data (EPRI-NP-2230 and NUREG/CR-3862) increased the CMF by at most thirty percent, except in cases when primary leakage events were inappropriately included as Very Small LOCA occur-rences, which produced an increase of up to half order of magnitude in the CMF (Table 2.3.6).
. In general, the effect of regrouping (PWR-29 event) was a small percent-age increase in the transients contribution to the CMF.
. The effect of including first year and low power events on the generic data base (BNL Review 2) was to about double the contribution of tran-sients to the CMF.
. The LOCAs dominance of the CMF is mostly due to two reasons: (1) the bet-ter than average YNPS operational history leads to a low frequency of transient initiating events (3.54) and (2) transient mitigation capabili-ty (CCMP) of YNPS is substantially better than at most modern plants, mainly be:ause of the high availability of secondary cooling means. The YNPS-PSS takes credit for reestablishing main feedwater to the steam gen-erator under accident conditions while most recent studies do not.
, e .
-x-
. The low CMF calculated in the YNPS-PSS is a result of using low values for LOCA initiating event frequencies, tugether with the factors de-scribed in the previous item. The use of a low frequency for Small LOCAs is justified by the impossibility of having an RCP seal LOCA in this plant (main coolant pumps are canned).
. The reasons offered in the YNPS-PSS for the dominance of LOCAs in the CMF are considered appropriate.
The human actions task encompassed review of the methods used in the YNPS-PSS to model, screen, and quantify human actions in the event trees and system fault trees. The evaluation of the YNPS-PSS treatment of human actions paid special attention to the impact of event-specific environmental and stress con-ditions on critical human actions; the impact of instrument and annunciator mal-functions on decision making and manual actions; as well as the overall compre-hensiveness, adequacy, appropriateness of assumptions, and understated uncer-tainties in the human actions modeling. The review findings with respect to the treatment of human actions were:
. The treatment of cognitive errors shows strengths and weaknesses. One strength is that operator decision to initiate systems and perform manual actions were explicitly quantified as top events in the event trees.
However, the HEP estimates used to quantify these decision making tasks were not developed for cognitive tasks. The lack of detailed information about environmental and stress-related aspects of the tasks made it im-possible for the reviewers to evaluate the appropriateness of the HEP es-timates used in light of recently developed models of human performance at cognitive tasks.
. The assumption that the presence of additional personnel in the control room during accident sequences will reduce the stress level and asso-ciated HEP estimate is debatable for the reasons discussed in Section 3.3.
. The treatment of common mode numan errors in YNPS-PSS is inadequately de-scribed.
. The range of HEP estimates reported in YNPS-PSS for manual actions in-cluded as top events in the event trees fall within the range of HEPs re-ported for similar actions in the Oconee, Zion, and Millstone studies.
. Based on the percentage contribution of human errors to system failures and the percentage contribution of system failures and errors during man-ual actions to core melt frequency, it appears that human factors en-hancements focusing on human intervention in the HPSI and LPSI systems, feedwater initiation and control, and manual'depressurization of the MCS may have the most impact on reducing risk due to human intervention at YNPS.
The electrical power systems task encompassed review of the ac and de sys-tems fault trees to determine their validity. The evaluation of the fault trees paid special attention to the degree of accuracy of the fault tree models i
1
_ ~_ _ , , _ _ _ _ . - _ _ - , . , . . -
- xi -
in representing the plant design and operation; any important missions; and how these models addressed such items as common mode failures, battery charger capa-A Proba-
- bilities, bilisticoperator Safety actions, Analysisand thePower of DC concerns documented Supply in NUREG-0666, Requirements for Nuclear Poser Plants.
The review findings with respect to the treatment of ac and dc electrical power systems were:
. There was no available documentation to either prove or disprove the bat-tery chargers' capability to fully function without their associated bat-te ry . When this item was brought to the attention of YNPS, they stated that it had not been addressed in the PSS and that upon investigation it was determined that battery chargers #1 and #2 were marginal and #3 could not totally function independently of its battery.
. Common mode failures were not modeled in the dc fault trees even though multiple bus ties are present in the design.
. The dc fault trees were not conditioned to reflect specific sequence events. For example, only the battery is available when ac power is lost during a loss of offsite power (LOOP) because given a LOOP event, the battery chargers are automatically tripped and subsequent operator action is required to restore the chargers. The fault trees do not reflect this.
. The ac fault trees do not reflect the fact that many electrical hardware failures cause an immediate and automatic change of state of the power system. Rather they model many possible operator actions through AND gates instead of just one event - operator failure to recover. The pres-ent modeling yields a higher prediction of reliability than would other-wise be calculated.
. The ac fault trees do not address the possibility of a transient induced loss of offsite power event.
. The electrical power system fault trees were not fully linked in the analysis process. Failure to link the support system fault trees to the frontline systems and to each other can lead to overpredicting system re-liability by missing key dependences.
. The ac fault trees were also not conditioned to reflect specific sequence events, e.g., a loss of offsite power would yield only batteries avail-able for bus control and relaying and only the diesel generators for sources of ac power.
. It was concluded that remodeling/requantifying the ac and de power system fault trees in accordance with the above review findings would not be justified unless the overall NRC PSS review effort demonstrated a signif-icant increase in the contribution to core melt probability from these systems.
1
1.0 INTRODUCTION
As part of the Nuclear Regulatory Commission's review of the Yankee Nuclear Power Station Probabilistic Safety Study (YNPS-PSS), the Reliability and Risk Assessment Branch identified three specific areas for contract assistance.
Brookhaven National Laboratory (BNL) was selected to provide this assistance on the following three topics: (1) treatment of initiating events, (2) treatment of human actions, and (3) treatment of station de and emergency ac power sys-i tems.
1 The initiating event task encompassed review of the selection, grouping, quantification, and contributinn to core melt frequency as presented in the
- YNPS-PSS. Further analyses are presented which demonstrate the impact of using more recent compilations of generic data as well as an appraisal of the reasons offered ia the YNPS-PSS for the dominance of LOCA scenarios in the overall core melt frequency. The human actions task encompassed review of the methods used in the YNPS-PSS to model, screen, and quantify human actions in the event trees and system fault trees. The evaluation of the YNPS-PSS treatment of human ac-tions paid special attention to the impact of event-specific environmental and stress conditions on critical human actions; the impact of instrument and annun-ciator malfunctions on decision making and manual actions; as well as the over-all comprehensiveness, adequacy, appropriateness of assumptions, and understated uncertainties in the human actions modeling. The electrical power systems task encompassed review of the ac and dc systems fault trees to determine their va-lidity. The evaluation of the fault trees paid special attention to the degree of accuracy of the fault tree models in representing the plant design and opera-J tion; any important missions; and how these models addressed such items as com-mon mode failures, battery charger capabilities, operator actions, and the con-cerns documented in NUREG-0666, A Probabilistic Safety Analysis of DC Power Sup-ply Requirements for Nuclear Power Plants.
The primary review responsibilities for each of the above three topics were assigned as follows: L. Arrieta reviewed the initiating avents, C. Spettell re-viewed the human actions, and R. Fitzpatrick reviewed the ac and dc electrical i power systems. These individual reviews were specific an I highly focused and taken together represent only a small fraction of a complete and integrated PSS review. Therefore, the conclusions offered in this report are based, within the context of each individual review, upon the available information.
t e
4
- -,- - -- - ,--,--,.e , ,- , , ,o_- . . . , - -- . -.,-
q
- 2-I 2.0 TREATMENT OF INITIATING EVENTS The Yankee Nuclear Power Station Probabilistic Safety Study l(YNPS-PSS) limited itself to internal initiating events at power that could lead to an ex-cessive offsite release. As usual, loss of offsite power was included in this category. The selection of initiating events (IE) was based on WASH-1400, EPRI-NP-801 report.2 and over twenty years of plant experience. Little aggregation of IEs was adopted, and as a result,19 independent categories of initiators were identified. State-of-the-art methodology was used in the estimation of the frequency of IEs. Generic data were specialized using the YNPS operational ex-perience and a one-stage Bayesian update technique. The treatment of IEs in the YNPS-PSS is at the same level as most recent large PSSs.
The study produced conservative and best-estimate results for the core melt
- frequency (CMF). The conservatisms adopted in the evaluation of IEs include consideration of generic data on leakage events as LOCAs requiring ECCS for mit-igation and system failures contributing to initiating events as nonrecoverable. -
The selection, grouping, and quantification of the initiating events as presented in the YNPS-PSS are briefly described in Section 2.1. The CMFs by IE category as well as the reasons offered in the PSS report for the low and LOCA-dominated CMF are included in Section 2.2. These first two sections summarize the basic information available for review and do not necessarily reflect BNL endorsement of its contents. The effect of using later compilations of generic data on the initiating events frequency is presented and discussed in Section 2.3. In accordance with one of the NRC's main goals of this task, an appraisal of the reasons offered in the YNPS-PSS for dominance by LOCA scenarios of CMF, in contrast with dominance by transient scenarios in many other plants is pro-vided in Section 2.4. Finally, the conclusions and the insights produced by this review are presented in Section 2.5.
I 2.1 YNPS-PSS Initiating-Events Methodology i This section summarizes the methodology used in the YNPS-PSS to select, group, and quantify accident-initiating events. Occurrence of IEs at shutdown conditions were considered as contributing negligibly to the risk and were dis-regarded.
. The selection of IEs for this study was performed in three major steps. !
First, a Master Logic Diagram (MLD) was developed to identify initiating-event categories that could lead to excessive offsite release. Second, the forty classes of PWR events provided in EPRI-NP-801 report were reviewed. As a third /
and last step, the MLD categories and the EPRI-NP-801 events were reviewed by personnel faciliar with the design, operation, and transient performance of the plant to add any events not included in the first two steps.
The impact of each initiator on plant response was evaluated to determine
- which initiators had similar effects on the plant. The similar initiators were j grouped into specific initiating-event categories.
The selected IEs and their grouping in categories are fully described in Section 2.1.1.
--,--,7 ,,7,< . , -, . - - - . .~_r m.-. y,y, x-%r.ei_ _, _ . _ _ _ - _ _ _ . .__ - . . _ - - - - . ,--r .---y-_-----,,, - , - - - - , , .
~
- n. .
e -
The quantification of the initiating-event frequency were assessed using the llowing general procedure:
- WASH-1400 data for piping ruptures was used as a base line to assess LOCA 4-
- and high energy line rupture probabilities.
. EPRI-NP-801 data were used as a base line in assessing the frequency of
,'f the remaining types of initiating events.
. Yankee Nuclear Power Station (YNPS) experience during the last twenty years was reviewed. Each plant trip was assigned to the appropriate ini-tiating-event category.
. . The YNPS probability of frequency distribution for each initiating-event category was determined using a one-stage Bayesian technique and the in-formation developed above.
For some special IE categories, such as Non-Isolable LOCA outside the vapor containment and Degradation of dc Power, plant-specific frequencies were deter-mined on'the basis of design and operational characteristics of the plant.
Details about the quantification procedure and the values used in the YNPS-PSS for each IE category are included in Section 2.1.2.
- An analysis of the IE methodology and a sensitivity evaluation, including the 1mpact of plant experiences on the IE frequency, is presented in Section 2.3.
2.1.1 Selection and Grouping A MLD was developed to serve as a road map for searching for accident ini-tiators. The MLD is presented in Figure 3.3 of Reference 1 and it is a fault tree of the plant in a broad overview with " excessive offsite release" as the top event. Level 10 of this diagram provides a listing of categories of possi-ble IE types which could affect plant operation. Table 2.1.1 lists the 27 IE categories identified in' the MLD.
I 1 To minimize the event tree development task and draw event trees for only these classes of IEs that challenge the plant and mitigative systems in a rea-sonably unique and important manner, a further critical evaluation of the 27 IE categories listed in Table 2.1.1 was performed. This evaluation process pro-ceeded in the following manner.
The 40 classes of PWR events provided in EPRI-NP-801 and reproduced in Ta-ble 2.1.2 were reviewed. Each of these events was compared to the 27 categories developed in the MLD, and it was concluded that each of them could be accommo-oated within one of the 27 categories. Subsequently, a critical evaluation of each of the 27 categories was performed to produce an adequate resolution of specific categories for the task of event tree development. This process in-volved the review of the MLD and EPRI-NP-801 events by plant design, operation, and transient performance personnel with the purpose of identifying any other events, developing finer resolution of the broad categories developed in the MLD, and involving those categories having similar impacts on the plant. The result of this process was the definition of 19 specific IE categories with suf-ficiently different impact to require individual evaluation. All 40 PWR events,
- listed in Table 2.1.2, were assigned to one of these 19 categories.
i l
. , . _ . _ , . _ _ _ _ _ _ _ _ . . . _ . _ _ m. _.. - _ _ . __ ._ _ _ _ _
. - .: e . . . c .
Table 2.1.1 Initiating-Event Categories Developed in the MLO
- 1. Increase in main coolant pressure
- 2. Decrease in main coolant pressure
- 3. Reactor vessel rupture
- 4. Steam generator tube rupture
- 5. Very small LOCA
- 6. Small LOCA
- 7. Intermediate LOCA
- 8. Large LOCA
- 9. Increase in main coolant system inventory
- 10. Dilution
- 11. Rod withdrawal
- 12. Rod ejection
- 13. Inadvertent rod insertion
- 14. Rod drop
- 15. Boration
- 16. Increase in main coolant system flow
- 17. Decrease in main coolant system flow
- 18. Increase in steam flow
- 19. Feedwater induced increase in secondary heat removal
- 20. Decrease in steam flow
- 21. Feedwater induced decrease in secondary heat removal
- 22. Degradation of the ac power supply
- 23. Degradation of the dc power supply
- 24. Decrease in component cooling water delivery
- 25. Decrease in service water delivery
- 26. Decrease in control air delivery
- 27. Non-isolable LOCA outside containment 4
I
. : ...:. . .. . . .. . : . a : .. i .
-S-Table 2.1.2 EPRI-NP-801 PWR Initiating Event PWR-1 Loss of RC (1 Loop)
PWR-2 Uncontrolled rod withdrawal PWR-3 CRDM problems and/or rod drop PWR-4 Leakage from control rods PWR-S Leakage in primary system PWR-6 High or low pressurizer pressure PWR-7 Pressurizer leakage PWR-8 Pressurizer relief or safety valve opening PWR-9 Inadvertent safety injection signal PWR-10 Containment pressure problems PWR-11 CVCS malfunction - boron dilution PWR-12 Pressure temperature power imbalance PWR-13 Startup of inactive coolant pump PWR-14 Total loss of RCS flow PWR-15 Loss or reduction in feedwater flow (1 loop)
PWR-16 Total loss of feedwater (all loops)
PWR-17 Full or partial closure of MSIV (1 loop)
PWR-18 Closure of all MSIVs PWR-19 Increase in feedwater flow (1 loop)
PWR-20 Increase in feedwater flow (all loops)
PWR-21 Feedwater flow instability - operator error PWR-22 Feedwater flow instability - miscellaneous mechanical causes PWR-23 Loss of condensate pumps (1 loop)
PWR-24 Loss of condensate pumps (all loops)
PWR-25 Loss of condenser vacuum PWR-26 Steam generator leakage PWR-27 Condenser leakage PWR-28 Miscellaneous leakage in secondary system PWR-29 Sudden opening of steam relief valves PWR-30 Loss of circulating water PWR-31 Loss of component cooling PWR-32 Loss of service water system PWR-33 Turbine trip, throttle valve closure, EMC problems PWR-34 Generator trip or generator caused faults PWR-35 Loss of station power PWR-36 Loss of power to necessary plant system PWR-37 Spurious auto trip - no transient condition PWR-38 Auto / manual trip due to operator error PWR-39 Manual trip due to false signals PWR-40 Spurious trips - cause unknown
. . - , . . .. /...,: . c ,. s: ,..c.. . w-b The so-callej unidentified event was added to the IE categories that were judged that might not contain all possible initiators in a attempt to account for any event which has not been explicitly identified.
The final 19 IE categories and the specific events assigned to each are listed and briefly described below.
2.1.1.1 Very Small Break This category includes all primary side leakages which are sufficiently large not to be mitigated by the charging pumps and which require the secondary side for decay heat removal . The specific IEs included are:
. Ruptures in the primary side with an equivalent diameter >3/8 in and <1 in.
. Leakages from Controi Rods (PWR-4) (correspond to specific IEs listed in Table 2.1.2).
. Leakages in Primary System (PWR-5) .
. Pressurizer leakages (PWR-7).
. Pressurizer Relief or Safety Valve Opening (PWR-8).
This category corresponds to the MLD category 5.
2.1.1.2 Small Break All primary side ruptures not requiring accumulator actuation or secondary side heat removal are in this category. The following specific IEs are in-cluded:
. Ruptures in the primary side with an equivalent diameter >l in. and >2 in.
This category correspond to the MLD category 6.
2.1.1.3 Intermediate Break This category includes all primary side piping ruptures resulting in moder-ately rapid primary depressurization and requiring high and low pressure injec-tion but not secondary side for core heat removal. The following specific IEs are included:
. Ruptures in the primary side with an equivalent diameter >2 in and <6 in.
. Rod Ejection - This event requires that the control rod housing breaks off and the size of the resulting vessel penetration is equivalent to the break size in this category.
This category involves the MLD categories 7 and 12.
2.1.1.4 Large LOCA This category includes all primary side piping ruptures resulting in a rap-id depressurization, accumulator actuation and low pressure injection and which does not require a scram or secondary side heat removal . The specific IEs in-cluded are:
'~
.: .: . ;x - .. . .
_7_
. Rupturas in the primary side with an equivalent diameter >6 in.
This category corresponds to the MLD category 8.
2.1.1.5 Steam Generator Tube Rupture This category includes all steam generator tube leakages or ruptures. The specific IEs considered are:
. Steam Generator Leakages (PWR-26)
This category corresponds to the MLD category 4.
2.1.1.6 Excessive Cooldown Events leading to an increase in heat removal in one steam generator or in all four steam generators due to excessive feedwater addition are grouped in this category. The specific IEs included are:
. Increase in feedwater flow in all loops (PWR-20).
. Steam System piping failures upstream of Nonreturn valves (NRVs).
. Sudden opening of a large SG safety valve.
. Feedwater line breaks downstream of check valves.
. Unidentified initiating event.
This category involves the MLD category 19 and part of category 18.
2.1.1.7 Steam Line Break This category considers IEs in which increase in heat removal occurs in all four steam generators. The specific IEs included are:
. Steam line break in common steam line downstream of NRVs.
. Malfunction in turbine steam flow control resulting in steam flow in-crease.
. Stuck open turbine admission valves.
. Unidentified initiating event.
This category corresponds to the MLD category 18 events not included in the Excessive Cooldown category. Both Excessive Cooldown and Steam Line Break cate-gories refer to transients resulting in excessive heat removal, the difference being the " intensity." Excessive Cooldown is mild transients that do not chal-I lenge the Safety Injection actuation while Steam Line Break (affecting all four I
steam generators) does. The MLD category 18, Increase in Steam Flow, was con-sidered to be too broad for modeling with a single event tree and was therefore subdivided in the manner described above (finer resolution).
2.1.1.8 Plant Trip 1
l The IEs grouped under this category are all plant trips requiring orderly plant shutdown (eithe automatic or manual) and spurious trip actuation without the occurrence of abnormal conditions. These IEs do not substantially affect
! plant safety. The specific IEs included are:
i
! 4
~ ..
. Loss of main coolant system (MCS) flow - one loop (PWR-1).
. Uncontrolled rod withdrawal (PWR-2).
. Control rod drive mechanism (CRDM) problems and/or rod drop (PWR-3).
. High or low pressurizer pressure (PWR-6).
. Inadvertent safety injection signal (PWR-9).
. Containment pressure problems (PWR-10).
. CVCS malfunction-boron dilution (PWR-11).
. Pressure temperature power imbalance (PWR-12).
. Startup of inactive coolant pump (PWR-13).
. Total loss of MCS flow (PWR-14).
. First year problems with NRV closures (PWR-17).
. Increase in feedwater flow in one loop (PWR-19).
. Feedwater flow instability - operator error (PWR-21).
. Miscellaneous leakage in secondary system (PWR-28).
. Sudden opening of steam relief valves (PWR-29).
. Loss of component cooling (PWR-31).
. Loss of service water (PWR-32).
. Loss of power to necessary plant systems (PWR-36).
. Spurious auto trip - no transient condition (PWR-37).
. Auto / manual trip due to operator error (PWR-38).
. Manual trip due to false signals (PWR-39).
. Manual trip - cause unknown (PWR-40)
. Unidentified initiating event.
This category involves the MLD categories 1, 2, 9, 10, 11, 13, 14, 15, 16, and 17.
2.1.1.9 Loss of ac This category includes all occurrences of complete loss of offsite ac sup-ply. The following specific IEs are included:
. Loss of offsite power (PWR-35).
. Unidentified initiating event.
This category corresponds to the MLD category 22.
2.1.1.10 Decrease in Feedwater Flow This category includes all events that lead to loss or reduction in feedwa-ter flow. The specific IEs included are:
. Loss or reduction in feedwater flow - one loop (PWR-16).
. Total loss of feedwater - all loops (PWR-16).
. Feedwater flow instability - miscellaneous mechanical causes (PWR-22).
. Loss of condensate pumps - one loop (PWR-23).
. Loss of condensate pumps - all loops (PWR-24).
l . Loss of circulating water (PWR-30).
1
. Feedwater line header breaks.
l . Unidentified initiating event.
This category corresponds to the MLD category 21.
..a-- ,
]
2.1.1.11 Decrease in Steam Flow - Loss of Vacuum This category includes all losses of condenser vacuum events. The specific IEs included are:
. Loss of condenser vacuum (PWR-25).
- . Condenser leakage (PWR-27).
. Unidentified initiating event.
This and the next two categories resulted from a subdivision of the MLD a category 20 in order to develop event trees with a finer resolution for the de-crease in steam flow events.
2.1.1.12 Decrease in Steam Flow - NRV Closure All decreases in steam flow due to main steam isolation valves (NRVs) clo-sure events are grouped in this category. The specific events included are:
. Full or partial closure of NRV - one loop (PWR-17).
. Closure of all NRVs (PWR-18).
. Unidentified initiating event.
This category corresponds to a subset of the MLD category 20.
2.1.1.13 Decrease in Steam Flow - Turbine Trip This category includes decreases in steam flow due to spurious tripping of the turbine or main generator. The specific IEs included are:
. Turbine trip, throttle valve closure, and EHC problems (PWR-33).
. Generator trip or generator cause faults (PWR-34).
. Unidentified initiating event.
This category also corresponds to a subset of the MLD category 20.
2.1.1.14 Degradation of de Power Supply This category includes all single and multiple dc bus failures. The spe-cific IEs considered are:
. Loss of dc bus No.1.
. Loss of dc bus No. 2.
. Loss of dc bus No. 3.
. Loss of dc bus Nos.1 and 2.
. Loss of dc bus Nos.1 and 3.
. Loss of dc bus Nos. 2 and 3.
. Loss of dc bus Nos.1, 2, and 3.
This category corresponds to the MLD category 23.
2.1.1.15 Loss of Control Air This category includes losses or decreases in control air delivery events, and correspond to the MLD category 26. These events and the next two categories
- ; .u- . .-. .
gories (Loss of Component Cooling and Service Water) were treated as independent IE categories because in addition to producing a plant trip, they also degrade the operaotlity of several mitigating systems. For this reason they are called "ccmmon cause events."
2.1.1.16 Loss of Component Cooling All losses or decreases in component cooling water delivery events are in-cluded in this category. These also are " common cause events" and correspond to the MLD category 24.
2.1.1.17 Loss of Service Water This category includes losses or decreases in service water delivery events. They too are " common cause events" and correspond to the MLD category 25.
2.1.1.18 Reactor Vessel Rupture This category includes all reactor vessel ruptures and combinations of pri-mary side ruptures which are beyond the ECCS capabilities. These initiators would lead directly to core melt. These events correspond to the MLD category 3 2.1.1.19 Non-Isolable LOCA Outside Containment Under this category, all LOCAs bypassing the containment were included.
The possible paths identified and included in the analysis are:
. Relief valves associated with Main Coolant System (pressurizer relief and safety valves and loop safety valves).
. Safety Injection System.
. Shutdown Co,oling System.
. Charging and Volume Control System
. Main Coolant System Drains
. Main Coolant System Sampling
. Component Cooling Water System
. Heat Exchanger Failures These paths were identified by reviewing all the containment penetrations containing, interfacing, or directly connected to the main coolant fluid. This category of initiators would also lead directly to core melt. This category corresponds to the MLD category 27.
2.1.2 Quantification of Initiating-Event Frequency The YNPS-PSS used basically two approaches to quantify the frequency of the initiating events. The first, consisting of a one-stage Bayesian technique, was used when there was applicable industry and plant-specific data available on the occurrence of the event. The first thirteen IE categories, described in Sec-tions 2.1.1.1 through 2.1.1.13, were quantified using this approach. A second approach, which calculates IE frequency on an event-by-event basis, was adopted to evaluate the remaining six categories.
The 19 IE categories described in Sections 2.1.1.1 through 2.1.1.19 will be from here on referred to as IE categories 1 to 19, respectively.
4
. . .x. .-
2.1.2.1 Quantification of Initiating Event Categories 1 Through 13 The frequency of these first thirteen categories were obtained by one-stage Bayesian update of data from EPRI-NP-801 and WASH-1400 pipe rupture frequencies with YNPS plant-specific history. The information from EPRI-NP-801 and WASH-1400 piping ruptures data serves as the generic data base for frequency of oc-currence of each specific transient. This was then updated by one-stage Bayesian inference using the YNPS scram history.
2.1.2.1.1 Development of Prior Distribution Function EPRI-NP-801 contains a summary of the number of times that certain types of events have occurred during the history of commercial nuclear power. The infor-mation contained in Tables B.128 through B.167 of Reference 2, excluding the YNPS data, was the raw material for estimating the probability of each event listed in Table 2.1.2. First-year and low-power (<25%) occurrences were exclud-ed from these EPRI tables. To convert these raw data to an expression of the probability of frequency of occurrence for each event, the following procedure was used.
The log-normal distribution was chosen to represent IE frequency distribu-tions. The first (M ) and 1 second (M )2 moments about the origin for the lognor-mal distribution are given respectively by:
M = exp[p + a2 /2] ,
i (1) 2 M2 = exp[2p + 2o ], (2) where y and o are the parameters uniquely defining the log-normal distribution.
When the population is relatively large (>10), the first and second moments can 4 be estimated as:
M = { wj tj ,
i (3)
- i 2
M (4) 2*fWi +1 ,
where 4j is the frequency of occurrence expressed in events per year at plant i, and wj is the weighting factor expressed as the ratio of the total number of operating years at plant i to the industry total. Once the moments of the log-normal distribution are calculated from Eqs. (3) and (4), the distribution parameters are obtained by solving Eqs. (1) and (2) for u and a yielding:
u = 2inM g-0.51nM 2 , (5) o2 = InM 2-21nM 1 (6)
For pipe rupture events, WASH-1400, Table III 6-9, provides occurrence fre-quencies in terms of the five (Q 5 ), fifty (Q 5 o), and ninety-five (Qg5) confi-dence level fractiles. In these cases the log-normal parameters y and a were obtained by:
w - - .. .
p = In Q 5o (7) o = (in Q ,3 p)/1.645 . (8)
Using this y and a 2, the frequency of events was approximated by a log-nor-mal curve which was divided into 14 discrete intervals, each 26Z wide and cen-tered in Zj (i=1,2, .. .14) .
The parameters y and a were used to obtain Pj from the tabulated standard normal distribution by p-(Z g+aZ) g-(Zj -aZ)
Pj = N( ) - N( ), (9) and the log-normal coordinate Xj is obtained from the transformation:
X4 = exp(p + oZj ) , (10) where Xj is.the frequency of the initiating event and Pj is the prior proba-bility of that frequency. The discretization intervals used are shown in Table 2.1.3, where zj = (p - Zj)/o. This process yielded the discretized prior frequency distributions.
2.1.2.1.2 Likelihood Function The likelihood function represents the likelihood of the actual frequency of the observed events at the YNPS, given the prior frequency. A Poisson dis-tribution was used as the likelihood function. For a given plant experience of r failures over an operation period of T years, the likelihood of the prior fre-quency Xj is (X4 T)r L(E/X4 ) = pg exp[-X$ T] , (11) where L(E/Xj) is the likelihood of evidence E (r failures in T years) having an occurrence frequency Xj.
2.1.2.1.3 Development of Posterior Distribution The discretized form of Bayes's theorem is P(X9 )L(E/Xy )
, (12)
P(Xi /E) = { P(X )L(E/X 4 $ )
i
.' ._ . ../.; . _. . ..:. ' . . .
Table 2.1.3 Discretization Intervals i P zj 4 --
.00135 -3.50
.00486 -2.75
.01659 -2.25
.04400 -1.75
.09190 -1.25
.14980 -0.75
.19150 -0.25
.19150 0.25
.14980 0.75
.09190 1.25
.04400 1.75
.01659 2.25
.00486 2.75 o
.00135 3.50
_ _ . _ .._i. .
where s P(X4 ) - prior discretized probability of frequency Xj ,
L(E/X ) - likelihood of evidence E having a frequency Xj ,
P(X /E) - posterior discretized probability of frequency Xj given the evidence E.
Therefore, this process produces a posterior discretized probability dis-tribution (DPD) for event "i" given the generic industry data fitted to a log-normal (prior DPD) and the plant operational experience through the likelihood function. This method is usually referred to as one-stage Bayesian technique for updating data. Reference 3 describes the method in detail.
2.1.2.1.4 Unidentified Initiating-Event Frequency The frequency of the unidentified initiating event was estimated by the frequency of an identified initiating event which has never occurred in commer-cial PWRs in general, nor at the YNPS in particular. The same method described above was used for obtaining the unidentified initiating-event frequency. In this case, however, the prior probability distribution was no longer an outcome of data manipulation but rather a best-judgment expression.
The upper and lower bounds of the frequencies were based on the fact that no unidentified event has occurred in over a thousand reactor years of opera-tion. The upper bound accounts for the possibility that the event could be more frequent while the lower bound accounts for the possibility that the event could be less frequent than the value selected. However, the actual values assigned to these bounds are not included in the YNPS-PSS report. In all, the prior probability density distribution is divided into 14 intervals, each with its representative frequency and probability. Using YNPS specific data, i .e., zero unidentified initiating events in 20.75 years, a posterior probability distribu-tion was generated. The prior and posterior probability distributions for this unidentified initiating event are shown in Table 2.1.4.
2.1.2.2 Quantification of Initiating-Event Categories 14 Through 19 The quantification of the last six IE categories was not performed using the methodology described above. In this section the methodology adopted for quantification of these categories is briefly described.
Degradation of de Power Supply - IE Category 14 The initiating-event frequencies for a loss of a single bus and two buses and complete loss of dc power were obtained with fault tree analysis and engi-neering judgment. All combinations of buses failures listed in Section 2.1.1.14 were evaluated on a point estimate basis only.
Loss of Control Air - IE Category 15 A qualitative evaluation was carried out to assess the occurrence frequency of loss of control air. Because of the redundancy and diversity of this system, and its backup systems, a complete and irrecoverable loss of control air supply was considered highly unlikely. However, for the sake of completeness, the un-identified IE frequency was assigned to this category.
, . _ . . . . . _. L _ . . .
Table 2.1.4
. Prior and Posterior Probability Density Distributions for Unidentified Initf ating Events Prior Probability Density Distribution Frequency of Events /per Year Probability of Frequency 8.728E-06 1.350E-03 2.180E-05 4.860E-03 4.012E-05 1.659E-02 7.385E-05 4.400E-02 1.359E-04 9.190E-02 2.502E-04 1.498E-01 4.604E-04 1.915E-01 8.478E-04 1.915E-01 1.561E-03 1.498E-01 2.873E-03 9.190E-02 5.288E-03 4.400E-02 9.733E-03 1.660E-02 1.792E-02 4.860E-03 4.474E-02 1.350E-03 Prior Mean = 1.344E-03 Prior Variance = 6.572E-06 Posterior Probability Density Distribution Frequency of Events /per Year Prodability of Frequency 8.728E-06 1.385E-03 2.180E-05 4.984E-03 4.012E-05 1.701E-02 7.385E-05 . 4.508E-02 1.359E-04 9.404E-02 2.502E-04 , 1.529E-01 4.606E-04 1.947E-01 8.478E-04 1.932E-01 1.561E-03 1.490E-01 2.873E-03 8.903E-02 5.288E-03 4.062E-02 9.733E-03 1.402E-02 1.792E-02 3.485E-03 4.474E-02 5.661E-04 Posterior Mean = 1.236E-03 Posterior Variance = 4.478E-06
Loss of Component Cooling - IE Category 16 Similar to the loss of control air, only a qualitative evaluation was per-formed to assess the occurrence fr2quency of loss of component cooling. Because of the redundancy and diversity of this system and its backup systems, a com-plete and irrecoverable loss of component cooling was also considered very im-probable. However, for the sake of completeness, the unidentified IE frequency was assigned to this category. This value is about two orders of magnitude larger than the values reported on other studies for this system.
Loss of Service Water - IE Category 17 Loss of service water frequency was also qualitatively evaluated. For the same reasons described above, complete loss of this system was considered very unlikely, and the unidentified IE frequency was assigned to this category too. This value was considered as a very conservative upper bound for complete loss of service water.
Reactor Vessel Repture - IE Category 18 Reactor vessel rupture is defined in WASH-1400 to be a rupture in the ves-sel beyond ECCS capabilities. The WASH-1400 frequency for this event (2.66 x 10-7/yr) was adopted in this study. This value represents a very small contri-bution to core melt frequency, but these events have a potential to induce con-tainment failures with a much higher probability than for other core melt se-quences. Consequently, from risk consideration aspects, this IE category could not be disregarded.
Non-Isolable LOCA Outside Containment - IE Category 19 A detailed evaluation of each path that could potentially lead to a non-isplable LOCA outside containment was performed. Among all paths listed in Sec-tion 2.1.1.19, only the Shutdown Cooling System isolation valve failures and the Safety Injection System check valve failures yielded a nonnegligible contribu-tion to the occurrence frequency of this type of LOCA. The calculated frequency for this IE category was 2x10-7/yr.
2.1.2.3 Initiating-Event Frequencies The initiating-event frequencies were calculated by suaming up the fre-quency distributions of all specific events included in each category as listed in Sections 2.1.1.1 to 2.1.1.13, and updating the prior distributions with the methodology described in Section 2.1.2. The resulting means and variances for all IE categories are shown in Table 2.1.5. This table also contains the YNPS scram history allocation to the various IE categories. The actual scram history over the 20.75 years of plant operation consisted of 108 scrams; however, 37 of these were considered not applicable for the YNPS study, although the reason for disregarding them is not included in the YNPS-PSS report. However, it is possi-ble that these events did occur during low power (< 26%) or the first year of operation, which would make them not applicable in the context of the YNPS
- study, l
I i
Table 2.1.5 Initiating Event Frequencies YNPS Scram Posterior Posterior Initiating Event Category Prior Mean Data l Mean Variance
- 3. Intermediate LOCA 7.99E-04 0 7.50E-04 3.01E-06
- 4. Large LOCA 2.66E-04 0 2.63E-04 3.92E-07
- 5. Steam generator tube 2.51E-02 0 1.06E-02 2.06E-04 rupture
- 6. Excessive cooldown 2.95E-03 0 2.74E-03 9.35E-06
- 7. Steam line break 2.95E-03 0 2.73E-03 9.35E-06
- 8. Plant trip 2.19E-00 49 2.35E-00 1.42E-02
- 9. Loss of ac 1.66E-01 1 6.16E-02 2.13E-03
- 10. Decrease in FW flow C.86E-01 3 1.98E-01 8.06E-03
- 11. Loss of vacuum 4.90E-02 0 1.47E-02 3.31E-04
- 12. NRV closure 1.88E-01 0 4.32E-02 1.19E-03
- 13. Turbine trip 1.06E-00 18 8.49E-01 3.77E-02
- 14. Degradation of de power
. Single bus 3.00E-03 3.00E-033 ( 2)
. Double bus 1.00E-05 1.00E-05 3 ( 2)
. All buses 1.00E-06 1.00E-063 ( 2)
- 15. Loss of control air 1.34E-03 0 1.24E-03 4.48E-06
- 16. Loss of component cooling 1.34E-03 0 1.24E-03 4.48E-06
- 17. Loss of service water 1.34E-03 0 1.24E-03 4.48E-06
- 18. Reactor vessel rupture 2.66E-07 0 2.66E-07 3 4.32E-13
- 19. Non-isolable LOCA Outside containment 2.00E-07 0 2.00E-07 3 4.32E-13 1
20.75 years of plant operation.
2 Point estimate evaluation only.
3 Not updated.
Table 2.2.1 Mean Annual Core Melt Frequency (CMF) by Initiating-Event Category Initiating-Event CMF Cumulative Cunalative Category ' Contribution Percent CMF Percent LOCAs
. Intermediate 4.62E-06 27.2 4.62E-06 27.2
. Very small 3.71E-06 21.8 8.33E-06 49.0
. Large 2.60E-06 15.3 1.09E-05 64.3
. Small 1.71E-06 10.0 1.27E-05 74.3
. RV rupture 2.66E-07 1.6 1.30E-05 75.9
. Non-isolable 2.00E-07 1.2 1.32E-05 77.1 Transients
. Turbine trip 8.85E-07 5.2 1.40E-05 82.3
. Steam gen tube rup. 7.70E-07 4.5 1.48E-05 86.8
. Loss of ac 6.81E-07 4.0 1.55E-05 90.8
. Decrease in FW flow 5.39E-07 3.2 1.60E-05 94.0
. Excessive cooldown 4.08E-07 2.4 1.64E-05 96.4
. Steam line break 3.83E-07 2.2 1.68E-05 98.6
. Degradation of dc 8.20E-08 0.5 1.69E-05 99.1
. Plant trip 6.51E-08 0.4 1.70E-05 99.5
. NRV closure 4.07E-08 0.2 1.70E-05 99.7
. Loss of vacuum 1.10E-08 0.06 1.70E-05 99.8
. Loss of control air <1.10E-08 <0.06 1.70E-05 99.8
. Loss of comp. cooling <1.10E-08 <0.06 1.70E-05 99.9
. Loss of service water <1.10E-08 <0.06 1.70E-05 100.0 l
' '~
2.2 YNPS Core Melt Frequency Profile
$ The baseline mean core melt frequency (CMF) for the YNPS was assessed to be 1.70x10-s/ and 5.2x10-5,respectively.
yr with fiveThe andmean ninety-five CMF byconfidence bounds initiating-event category of 4.0x10-6 along with the percentile contribution of each cateoory is shown in Table 2.2.1. Loss-of-coolant accidents dominate the core melt frequency for this plant for a number of reasons, including:
. Transient-induced non-LOCA events have a low frequency of occurrence.
The operational history of YNPS is substantially better than the industry average.
. Secondary cooling means are more substantial than at most modern plants.
There are ten pumping trains and eight flow paths for supplying feedwater for the steam generators.
. Main coolant pumps are canned; a LOCA, induced by coolant pump failures, is not possible.
. Emergency feedwater does not require service water, component cooling wa-ter, or control air; the steam-driven emergency feedwater pump does not require either ac or dc power.
. There are three totally separate and self-contained diesel generators.
Their performance has proved to be substantially better than industry i
average.
. More margin exists to design limits than found in more modern designs.
Plant operates at lower temperature and pressures and has, relative to its power, larger main coolant system and secondary system inventories than more recent plants.
Besides the LOCAs' dominance, the calculated CMF for this plant is substan-tially lower than the values obtained for other plants in similar studies. Sev-eral of the reasons stated above for the low CMF imply that YNPS mitigative cap-abilities, given an IE, are significantly better than at most other plants. Ta-ble 2.2.2 shows the conditional core melt probability (CCMP) by IE category for the YNPS. The CCMP is defined as the ratio of the CMF contribution from an IE category divided by the IE category occurrence frequency, and it actually mea-sures the plant nonmitigation probability given the occurrence of a given IE.
These CCMPs will be used in Section 2.4 for comparison purposes.
2.3 Review of Initiating Events The BNL review of the YNPS-PSS treatment of initiating events was conducted following the guidance provided in NUREG/CR-3485" whenever possible. Further-5 more, the suggestions provided in NUREG/CR-2815 were followed insofar as they applied to the focused objectives of the present review.
- Aspects of completeness, grouping, and quantification of initiating events
- were the three main areas addressed in the review.
i The effect of alternative grouping and quantification of initiating events on the CMF are presented. The importance of the plant operational experience on the calculated core melt frequency was also evaluated.
-- .-,--..---.y - -
. . , y ---- ,
Table 2.2.2 Conditional Core Melt Probability (CCMP) by Initiating-Event Category Initiating-Event Category IE Frequency CMF CCMP LOCAs
. Intermediate 7.50E-04 4.62E-06 6.16E-03
. Very small 2.34E-03 3.71E-06 1.59E-03
. Large 2.63E-04 2.60E-06 9.89E-03
. Small 1.10E-03 1.71E-06 1.55E-03
. RV rupture 2.66E-07 2.66E-07 1.00E-00
. Non-isolable 2.00E-07 2.00E-07 1.00E-00 ,
. Turbine trip 8.49E-01 8.85E-07 1.04E-06
. SGTR 1.06E-02 7.70E-07 7.26E-05
. Loss of ac 6.16E-02 6.81E-07 1.11E-05
. Decrease in FW flow 1.98E-01 5.39E-07 2.72E-06
. Excessive cooldown 2.74E-03 4.08E-07 1.49E-04
. Steam line break 2.73E-03 3.83E-07 1.40E-04
. Degradation of dc 1.00E-05 8.20E-08 8.20E-03*
. Plant trip 2.35E-00 6.51E-08 2.77E-08
. NRV closure 4.32E-02 4.07E-08 9.42E-07
. Loss of vacuum 1.47E-02 1.10E-08 7.48E-07
. Loss of control air 1.24E-03 <1.10E-08 <8.87E-06
. Loss of comp. cooling 1.24E-03 <1.10E-08 <8.87E-06
. Loss of service water 1.24E-03 <1.10E-08 <8.87E-06
2.3.1 Completeness The YNPS-PSS addressed the issue of IE completeriess basically through a four-step procedure as follows:
. A MLD was developed to identify initiating events that could lead to ex-cessive offsite release.
. The forty classes of PWR events provided in EPRI-NP-801 report were re-viewed.
. The initiators identified in the previous two steps were reviewed by per-sonnel familiar with the design, operation, and transient performance of the plant to add any events not previously as counted for.
. The unidentified event was added in an attempt to account for any other events not included. External events were purposely left out, with the intention of addressing them in the future as an independent task.
The BNL review of the initiating-event selection started with a thorough evaluation of the YNPS-PSS selection procedure. Subsequently, lists of accident initiators considered in other studies for similar plants and the set of acci-dent precursors selected in NUREG/CR-2497 6 were reviewed. Issues of ongoing NRC programs, listed in Table A.1 of Reference 5, were also considered. Finally, a search was performed to identify any combination of IEs with a potential for a nonnegligible contribution to the plant core melt frequency or risk.
The results of this review can be summarized with the following statements:
. No further significant single initiating event was identified.
. No combination of IEs with a potential for a nonnegligible contribution to the plant core melt frequency or risk was identified.
. Combinations of steam generator tube ruptures induced by LOCA events were not considered in the study. The inclusion of these accident scenarios are considered optional in present plant specific PSSs.
. On the basis of the results of similar studies, the exclusion of external initiators may have a significant effect on the study results.
. Inclusion of the unidentified initiating event solves the issue of com-pleteness in a formal way. However, evaluation of the frequency of the occurrence of this event is a separate matter.
2.3.2 Grouping Grouping of initiating events in the YNPS-PSS was based on the effect of each initiator on plant response. All initiators that challenge the plant and mitigative systems in a reasonable, unique, and important manner were grouped in a single category.
The YNPS-PSS report does not include the plant response matrices. This made the review of the mitigative requirements for each initiator difficult.
Therefore, mitigative requirements for selected initiators only were reviewed.
The number of IE categories adopted in the YNPS-PSS is slightly larger than in most similar studies.
l Anticipated transients without scram (ATWS) scenarios were not treated as a separate group of initiators as in most other studies. Instead, they were ad-
- dressed in a simplified manner in the various transient event trees.
l l '
The assignment of specific IEs to the various IE categories was reviewed and the results are stated below.
The YNPS-PSS baseline evaluation assumed the generic data on leakage events (PWR-4, 5, and 7 of Table 2.1.2) as LOCAs requiring ECCS for mitigation and as-signed these events to the very small LOCA category. This was included as a conservatism in the study. These events are defined in EPRI-NP-801 as leakages requiring reactor shutdown. It is very likely that most of these events re-quired shutdown because of Technical Specifications requirements. However, to identify which of these reported leakage events was a true LOCA requiring ECCS for mitigation, the basic EPRI data would have to be reviewed. The impact of this assumption on the YNPS-PSS was minor. However, if more recent compilations
, of generic data are used, this assumption may increase the very small LOCA fre-quency by an order of magnitude as shown in Section 2.3.3.
The Sudden Opening of Steam Relief Valves (PWR-29) was assigned to the Plant Trip category. Assigning these events to the Excessive Cooldown category would be more appropriate. The effect of this relocation is presented in Sec-tion 2.3.3.
Loss of. component cooling and loss of service water events were assigned to individual IE categories because of their effect on several plant system (com-mon-cause events). The assignment of these events (PWR-31, 32) to the Plant Trip category seems incorrect because it results in a double counting of these initiators. The quantitative effect of these inclusions is, however, negligi-ble.
First year problems with NRV closures were considered as " break-in" prob-lems and were assigned to the " Plant Trip" category. This was not considered appropriate, especially considering that NRV Closure is one of the IE catego-ries. If first-year problems with these valves are not considered applicable data, they should be disregarded, not relocated.
2.3.3 Quantification The BNL review of initiating-event quantification was based on the same methodology used in the YNPS-PSS and described in Section 2.1.2.1. The fre-quency of IE categories 1 through 13 were thoroughly reviewed and reevaluated in order to assess the impact of using more recent compilations of generic data and also of some minor regrouping described in Section 2.3.2. The degradation of dc power frequency is part of Task 3 and therefore was not addressed here.
< A small computerized algorithm was developed to carry out the calculational procedure described in Section 7.1.2.1. As a first step the quantification ex-ample presented in Section 5.4.1.3 of the PSS report was reproduced to check the algorithm and the PSS quantification procedure.
From Table 5.5 of the PSS report, it was inferred that the first-year and low-power (<26%) events were excluded from the generic data base. The effect of this exclusion is assessed in BNL Review 2, which used the most recent compila-tion. of generic data supplied by NUREG/CR-3862.7 The information supplied in the PSS report for the calculation of IE fre-quencies was not suitable in some cases. For instance, according to the infor-
mation supplied in the report and in Reference 2 the Very Small Break frequency would be 1.10E-03 instead of 2.34E-03 listed in Table 5.11 of the PSS report.
Also, it was not possible to reproduce the frequencies for the Excessive Cool-down and Steam Line Break categories.
The details of how the unidentified IE prior probability distribution was generated are not supplied in the YNPS-PSS report. It seems that the absence of evidence of such events in about 1000 years of nuclear power experience was used to assign a mean or median in the range of 10-3 and then prescribe a range fac-tor to generate upper and lower bounds. The ir.clusion of the unidentified IE produced a negligitle effect on the calculated CMF.
The ATWS IE frequency was based on a plant specific study of YNPS scram system made in 1974. Two scram system success criteria were defined, one for nonovercooling transients (any 13 of 24 rods) and the other for overcooling transients (23 of 24 rods), with demand failure probabilities of 1.0x10-5 and 1.5x10 , respectively. In this respect, the YNPS-PSS treatment of ATWS was more refined when compared to other recent PSSs.
The LOCAs dominate the core melt frequency for this plant. This dominance was partially attributed to the fact that the non-LOCA transient-induced events have a low frequency of occurrence because of better-than-average operational history of YNPS. To evaluate the impact of the plant history on the calculated CMF, the results were reevaluated using the prior means, from Table 2.1.5, for the initiating-event frequencies. The results of this reevaluation are shown in Table 2.3.1. The effect of plant experience was to reduce the CMF from 2.28E-05 to 1.70E-05 (less 34%) and increase the LOCAs' dominance from 63.1 to 77.1%.
However, the transient contribution to the CMF was reduced from 8.50E-06 to 3.80E-06 (a factor of 2.2) by the plant experience. Therefore, the plant expe-rience it is not a major reason for the LOCAs dominance in this plant, and it has made only a minor contribution (less 34%) in the calculated total core melt frequency.
The effect of excluding first year and low power events (<26%) from the EPRI-NP-801 generic data base was assessed by retaining these events and re-evaluating the transient IE frequencies for each category. The result of this reevaluation are shown in Table 2.3.2, along with their impact on the CMF. In this case, the transient contribution to the CMF increased to 2.06E-05 repre-senting 59% of the total. Therefore, the effect of disregarding first-year and low-power events was to reduce the transient contribution from 2.06E-05 to 8.50E-06 (a factor of 2.4) . In summary, the combined effect of excluding first-year data, low-power data, and the plant experience was more than a half order of magnitude reduction (2.2x2.4 = 5.3) in the absolute contribution of tran-sients to the CMF.
Occurrence of some IEs at low power would actually lead to more severe transients than at high power (e.g., excessive cooldown events). The exclusion of all low-power events from the generic data base may in some cases be a non-conservative assumption. Also, the exclusion of first-year data may not be jus-tified if effects of aging and errors of construction are not considered, which was the case in the YNPS-PSS.
The generic data base effect on the IE frequencies and on the CMF was also evaluated. In the first review, designated BNL Review 1, the frequencies were
Table 2.3.1 Mean Core Melt Frequency Without Plant Experience by Initiating-Event Category Initiating-Event CMF Cumulative Cumulative Category Contribution Percent CMF Percent
~~
. Intermediate 4.94E-06 21.7 4.94E-06 21.7
. Very small 4.24E-06 18.6 9.18E-06 40.3
. Large 2.65E-06 11.6 1.18E-05 51.9
. Small 2.02E-06 9.1 1.39E-05 61.0
. RV rupture 2.67E-07 1.2 1.41E-05 62.2
. Non-isolable 2.00E-07 0.9 1.43E-05 63.1 Transients
. FW flow decrease 2.41E-06 10.6 1.68E-05 73.6
. Loss of ac 1.84E-06 8.1 1.86E-05 81.7
. FW flow decrease 1.82E-06 8.0 2.04E-05 89.2
. Turbine trip 1.11E-06 4.9 2.15E-05 94.6
. Excessive cooldown 4.39E-07 1.9 2.20E-05 96.5
. Steam line break 4.14E-07 1.8 2.24E-05 98.3
. NRV closure 1.75E-07 0.7 2.26E-05 99.0
. Degradation of dc 8.20E-08 0.4 2.27E-05 99.4
. Plant trip 6.07E-08 0.3 2.27E-05 99.7
. Loss of vacuum 3.67E-08 0.2 2.28E-05 99.9
. Complete loss of air <1,00E-08 <0.05 2.28E-05 99.9
. Complete loss of SW <1.00E-08 <0.05 2.28E-05 99.9
. Complete loss of CC <1.00E-08 <0.05 2.28E-05 100.0
Table 2.3.2 Initiating Event Frequency and Mean Core Melt Frequency by Initiating Event Category
- Initiating Event Initiating Event CMF Cumulative Cumulative Category Frequency Contribution CMF Percent LOCAs
. Intermediate 7.99E-04 4.94F-06 4.94E-06 14.2 .
. Very small 2.67E-03 4.24E-06 9.18E-06 26.3 P
. Large 2.66E-04 2.65E-06 1.18E-05 33.8 i
. Small 1.33E-03 2.02E-06 1.39E-05 39.8
. RV rupture 2.66E-07 2.66E-07 1.41E-05 40.4 5
. Non-isolable 2.60E-07 2.00E-07 1.43E-05 41.0 ,.
Transients !;
. Steam Gen. Tube Rup. 8.14E-02 5.91E-06 2.02E-05 57.9
. Decrease in FW flow 1.93E-00 5.26E-06 2.55E-05 73.1 , c
. Excessive cooldown 2.33E-02 3.46E-06 2.89E-05 82.8 n3
. Loss of ac power cn 2.67E-01 2.96E-06 3.19E-05 91.4
. Turbine trip 2.17E-00 1.81E-06 3.37E-05 96.6 '
. NRV closure 4.19E-01 3.90E-07 3.41E-05 97.7 s
. Steam line break 2.95E-03 3.83E-07 3.45E-05 98.9
. Plant trip 6.05E-00 1.67E-07 3.47E-05 99.4
. Loss of vacuum 1.63E-01 1.22E-07 3.48E-05 99.7 '
. Degradation of dc --
8.20E-08 3.49E-05 100.0
. Loss of control air 1.34E-06 <1.10E-08 3.49E-05 100.0
. Loss of service water 1.34E-06 <1.10E-08 3.49E-05 100.0 :
. Loss of compclent cooling 1.34E-06 <1.10E-08 3.49E-05 100.0
- Including first year and low power events from EPRI-NP-801 and excluding plant experience.
S reevaluated by replacing the EPRI-NP-801 data by EPRI-NP-2230s data. In this case, first-year and low-power events (<26%) as well as the YNPS data were ex-cluded from the EPRI-NP-2230 data base. The raw data used in this review are shown in Table 2.3.3. In this review, the generic data were updated using the same plant history reported in the YNPS-PSS. For the second review, designated BNL Review 2, the EPRI-NP-801 generic data were replaced by NUREG/CR-3862 data.
Here, the Yankee data were also excluded but first-year and low-power events were retained. Furthermore, the YNPS data reported in NUREG/CR-3862 were used to update the generic data. The raw data used in this review are shown in Table 2.3.4. Mean IE frequencies along with their variances produced by these two re-views as well as Yankee PSS values are shown in Table 2.3.5. In this table, on-ly initiating-event categories that were impacted by the changes in generic data base are listed.
Both reviews produced a major change in the very small LOCA frequency, about an order of magr.itude increase due to assigning leakage events (PWR-4, 5, and 7) to this IE category. Considering that the YNPS main coolant pumps are canned, and therefore no seals LOCA are possible, those frequencies are probably too high for this plant.
The effects of the revised IE frequencies on the CMF are shown in Tables 2.3.6 and 2.3.7 for BNL Reviews 1 and 2, respectively. Both cases produced an overwhelming dominance of LOCAs, about 90%, mainly because of the high very small LOCA frequencies.
In BNL Review 1, the absolute contribution of transients to the CMF actual-ly decreased from 3.80E-06 in the PSS baseline results to 3.50E-06. However, in BNL Review 2, the absolute contribution of transients increased by a factor of 2, going from 3.80E-06 to 7.50E-06. This is basically due to the inclusion of first-year and low-power events in the generic data base. In a new plant, these events would have had a much larger effect since the frequencies used in BNL Re-view 2 were already decreased by the better-than-average plant experience of YNPS.
As pointed out in Section 2.2.3, the " Sudden Opening of Steam Relief Valves" (PWR-29) event is believed to be more appropriately assigned to the Ex-cessive Cooldown instead of to the Plant Trip category. The effect of this re-grouping was also evaluated. Relocating this event has a negligible effect on the Plant Trip frequency but a major effect on the Excessive Cooldown frequency, an increase of about an order of magnitude. The actual increase in the Exces-sive Cooldown frequency is from 2.74E-03 to 2.21E-02 for the Yankee PSS, to 1.67E-02 for the BNL Review I and to 1.85E-02 for the BNL Review 2. This re-grouping produces an increase on the CMF due to a larger contribution from tran-sient initiators.
As previously mentioned, the assignment of leakage events (PWR-4, 5, and 7) to the Very Small LOCA category was considered unrealistic. BNL Reviews 1 and 2 were reevaluated disregarding these leakage events which resulted in BNL Reviews 3 and 4. These results and the results of regrouping are shown in Figure 2.3.1.
2.3.4 Analysis of Results BNL Review results are summarized in the hirtogram shown in Figure 2.3.1.
The top two bars illustrate the effect of plant history on the calculated CMF,
. - w.. ..--._2._~
. : ,e.
.c.. .
- 27 -
.. .. . e. e 3.. -
. .. .3...m. e.. 3. . .... e.
. . e.,. e.
8e ....
~3 .
e.
3 -- =a-- .
= a, o, .. ... . .. . e. . ,
- . . . .. . . - 5
~
~ . .
3 - _
c.
- e. . .- n ~
. __n e. _ _ e. .,
N
.... - .. .,e... .. .
- - O g --- . . .
g _ n - -
e
. e. _ _
N n .
N
. N
& . . n n .
~ .. _ n.
b _.
3 ,
} ~
.a ..r. I> .,
~
& e. .
E. .
- a _ . .
.6 .
o
- 15 . o 3
- e. $
. 3 ~. - e. - -, .~
. R a.
> Q
.- .s. .
e.
e.
.o.
O.c.
~. ,a~ .. ~
)'g E.u w --
... . _ ...~. _ . ....... . . . _ e W
~ _ .
o c.
m
. .. . - - . , c. . . - . ..
g N g g
o - 41.
. . o. .- ,. - -
io - u . u .
Aa&>..- e. .
.3 . . 8 -2 i t_.i o8.8.-!
.- ,E
,a. a .
. 8 .. - 2*
. a
. .s e.
- ,. u.o _. t 3 1 3- et _a t " .g . 8 8 9 tto . .v -.
Ek3382 O
. . Ed'.8 e_ . . , . em > .
- em
>0
- e. e. m. - . a. O. N e. c.
e p. N es pg O
,. . . Y. ?3. L T h . . .'l? L' >',L3 , , ' ,
i P. f 8
NO 8
+
s r
e o
6 0003023 00064 000508 0% 5 3 1 87 84234005 08 53 7 1924 0001 53 5 3 % S 3 2 2 6 3 06 t 2 1663 1 8 131 21 12 5 11 8 11 1 100 00 5 1 1 10091 1 9 4 99 9 9 9 0 8 887 0 2 4 2 4 00 3 64 22 4 4 1 4 3 4 3 5 I I 3 1 4 0 9 1 I 3 3 0 1 1
- 3 6F e4 0 F l 6 I 691 5 63 1 21 3 3 17 2 1 l 3 I 838 2 0 S 3 7 28 9 2 02 0 6 8 1 6 1 8 4 6 4 2i 4 2l 8 3 3 4 2 7 3 I I 7 8 32 3 1 3 3 I 3 i 4 3 6 3 I I I 9 8 3 1 8 3
5 3 2S 22I S I I % 3 8 3 3 3 I 2% 4 I 4 4
3 9 2 S l 2 59 % 9 8 227 9 9 1 S 28 4 6 3 3 233 S 4 4 3 7 3 6 S 8 9 43 7 08 3 1 1 1 1 1 1 6 8 92 2 0 26 5 2 7 32 1 1 1 1 1 67 16 1
5 9 2 7 6 8 1 1 1 2
3 2 8
3 0
3 i 1 l 3 I l 1 4 2 9 3 I 2 I 2 I 2
8 2 3 I I 1 2I S I I I 2 I I 1 8 3 1 2
7 I 2 1 2
1 I 4 4 6 I I I I 2 2 2 1 I I 2
S 3 22 I 23 1 33 2 2 2 l 22 3 4 4 2 r 4 I 2 e 2 9 I w b.
e m 3 2 7 1 3 S2 l le 2 1 2 I 1 v
e y R r 2 8 21 28 1 02 o 2 2 7 1 4 5 I 2 8 3 I l 3 61 2 3 l L e g N a e B t 2 h
1 1 54 0 4 7 9 8 9 I 62 a a 2 1 1 13 1 8 I 3 2 C
- 4. l : t 0 3 d a 2 3 3 e a a 2 s o ls e
u l 9 4 I 4 2 6 4 I 7 SI oi t a 1 3 25 3 3 l 01 8 3 S S 2 3 l
b t a
c a e 1 3 t r
a a i T 8 3 2 3 I T D f 1 i R 2 c u 6 e P 7 9 4 3 5 1 I 3 7 S 2 9 2 8
3 S p 1 I I 4 3 $ 2 R 6 1 1 2 I 2 I 2 l S1 l 2 23 S C 1 9 3
/
G E
R U
S I
3 1
291 13 66 5 3 i 2 1 2 1 3 2 l 5 4 02 28 59 9 3 1 2 1 2 64 3 8 4
5 1
l 2 i 1 7 7 1
1 1 1 N
4 I I l 4 1 I 1 l 1 l 3 1 1
2 S I 2I l 3 2 6 I 8 1 I I l 2 2I 2I 1 I 1 I I I 1 4 I 9 I 0 2 1
9 5 4 4 I 8 3 3 2 4 3 2 8 1 8 5 I 2 l I 3 7 I I 6 2 3 1 5 7 1 I 2 I I 2 8 4 7 3 2 7 6 3 0S 26 1 i 2e4 4 3 3 3 3 I 5 2 I 6 5 3 7 7 2
$ 1 l 2 4 I I I i e66 1 4 I 2 5 8 8 I 8 2I 4 1 ) S2 8 3 2 3 4 I
2 i 3 I n 2 2 4 da l s u.
t 1 a
o t e t t e s a fl h ah s h a e u ol 2 t eC a c a c l k n tal s o l
s c e t
a o
ro D N i B n al s ao eb od e ePp n iooI h i SeC t e a
P t C I ya 2 I P P sl 2 1 n l n n e R a t e n yi 1 e o a e2 e e
o o
P a O $s t s t e y ey e a e r aC I o e e1 r l
h wI t a s a l 8li ta e
. a ,
id ad e r aik r rr l r od r l
a m
o a. r l t n a n l c e k I j l
a ahR S
E. o P h P PI a o v S ubS o Ol T P I NomcF r a u rl o o looO 7 OI OA P hCC t N r a el oI o a o I M
r T
- 1. 2.3 .4 . S 67 . . 8 9. . . 01 . . . . . . . . . . . 8. . . . . . . . . .
1 1 1 2 34561 1 1 1 1 7 18 9 02 2 2 22 23 242 52 26 27 18 90 1
4
r 1E, .
'Y L<.i
} r. + , ' , } ;
, 8 s 4 5 5 1 5 1 I 87 0 4 7 5 0 5 2 8 8 0 9 r 5 2 087 0 a
e
- 5. I. 05527 05 4 205 4 6 5 Y 7 7 7 6 6 6 6 65 503 3 2 2 2 2 l 0 5 9
2 2
3 0 2 4
3 2653 22 1 3 3 1 5 9 6 1
7 9 S 0 63 25 9 4 05 I 5 27 5 0 5 5 I 2 1 1 1 4
I 1 5 5 8 2 I I 2 5 2 3
7 3 I I 5 I I 2 2 2 3 5
5 6
5 I 2 1
5 5
5 1 22I 9 23 5 5 5
5 4
5 69 1 28 4 8 0 I 4 1 1 5 82 I 5 I 8 1
8 3 0 5 8 23 3 7 41 3 8 27 3 I 3 3 2 3 3 2 1
2 9 4
2 1
2 2 5
1 5
4 2 1 8 8 05 I I 3 I I 2 2
9 1 9
2 8 I l 1 1 I I 5
2 5 7 I 1 2 5 1
6 I 3
2 1 5 I 2I 24 6 1 8 2
6 r 4 I e 2 4 b
m u 3 I 2 2 2 N 2 6 i 2
y 5
r 2 I 5 1 5 I 25 4 23 2 2 o
g 2 1 4
1 e 7 t 8 I 4 2 4 2 I 3 3 a 2 2 5 3 22 2 2 1
C
) t 0 I I 8 n 2 9 d e e i s 9 5 3 4 u n a
1 1 2 5 64 3 6 2 1 4 I 8 1
n T r
8 i 3 1 I 2 I 5 1
t l 1 n w P 7 2 4 2 3 9
o 1 6
I C 6
( 1 1 3 4 223 I 8 I 7 3 I 1 9 2 6
5 4 5 1 1 1 5 5 9 6 2 9 1 1 4 0 3 5
0 1 84 9 5 I 63 I I 2 5 6
3 4 3 2 I 1
1 2
3 l 1
e l 2 5 I 5 3 2 b 1 5
a 8 I T 18 2 1
0 2 1
9 2 2
8 4 2 S I
7 2
6 3 1 1 9 I 5 I i I I 91 4 7 5
3 62 7 I I 4 I 93 I 1 3 1 0 2 2
2 1 4
7 i
2 3 I 3 I I 6 62 2 23 0 0 1 3 1
3 3 Iy s I ri t e el 1 2 n l i v l e 2 i l i l s e ei 2 t o a s n n n P V cleRCt I B e1 n A a ey y 2 e3 ahc l n n 2 e
e Pla n r e la r y 2 r y e =
e eL v t es mv s e h 2 2 n o emioL i
d e . y l leiv r r o8 O r etr vl le Gu q u.
l t k A In As St Cr Ca Sa DF e amC1 u o 4 N Sa eo sS A msF a a t et l e a h
- 1. 2 . 5. 4 .5 .6 7. 8. 9.0 . . 1. 2. 5. 4, 5. 6 . , , .
F 8 9 t a a
$ 1 5 5 5 3 5 5 5 4 4 4 4 4 4 4 4 4 4 T o v h
S
' - ~~
Table 2.3.5 Initiating Events Frequencies -
Yankee PSS BNL Review 1 BNL Review 2 (EPRI-NP-801) (EPRI-NP-2230) (NUREG/CR-3862)
Initiating Event Category Mean Variance Mean Variance Mean Variance ,
. Very small LOCA 2. 34E-03 1.51E-05 1.33E-02 2.59E-04 4.37E-02 1.24E-03
. Excessive cooldown 2.74E-03 9.35E-06 2.74E-03 9.35E-06 9.82E-03 1.68E-04
. SGTR 1.06E-02 2.06E-04 4.34E-03 6.63E-05 1.63E-02 2.76E-04 t t
. Plant trip 2.35E-00 1.42E-02 2.31E-00 2.91E-02 2.64E-00 1.18E-01
. Loss of ac 6.16E-02 2.13E-03 4.82E-02 1.41E-03 1.90E-01 6.62E-03 :
i L
. FW flow decrease 1.98E-01 8.06E-03 2.69E-01 9.75E-03 5.11E-01 1.84E-02 E$ ,
I
. Turbine trip 8.49E-01 3.77E-02 8.77E-01 3.59E-02 9.95E-01 3.60E-02
. NRV closure 4.32E-02 1.19E-03 4.28E-02 1.07E-03 7.85E-02 2.22E-03 ,
. Loss of vacuum 1.47E-02 3.31E-04 3.94E-02 1.05E-03 5.67E-02 1.32E-03 4
9 h
i.
Table 2.3.6 Mean Core Melt Frequency by Initiating-Event Category BNL Review 1*
Initiating-Event CMF Cumalative Cumulative Category Contribution Percent CMF Percent LOCAs
. Very small 2.11E-05 61.9 2.11E-05 61.9 l
. Intermediate 4.64E-06 13.6 2.57E-05 75.5 l
. Large 2.62E-06 7.7 2.84E-05 83.2 l
. Small 1.71E-06 5.0 3.01E-05 88.2
. RV-rupture 2.67E-07 0.8 3.03E-05 89.0
. Non-isolable 2.00E-07 0.6 3.05E-05 89.6 Transients
. Turbine trip 9.14E-07 2.7 3.15E-05 92.3
. FW Flow decrease 7.32E-07 2.1 3.22E-05 94.4
. Loss of ac 5.33E-07 1.6 3.?7E-05 96.0
. Excessive cooldown 4.08E-07 1.2 3.31E-05 97.2
. Steam line break 3.83E-07 1.1 3.35E-05 98.3
. SGTR 3.15E-07 0.9 3.38E-05 99.2
. Degradation of dc 8.20E-08 0.2 3.39E-05 99.4
. Plant trip 6.40E-08 0.2 3.40E-05 99.6
. NRV closure 3.99E-08 0.1 3.40E-05 99.7
. Loss of vacuum 2.95E-08 0.1 3.40E-05 99.8
. Loss of control air <1.10E-08 <0.04 3.40E-05 99.8
. Loss of comp. cooling <1.10E-08 <0.04 3.41E-05 99.9
. Loss of service water <1.10E-08 <0.04 3.41E-05 99.9
- Based on EPRI-NP-2230 generic data excluding first-year and low power (<25%)
events.
[ ,.
'd 5 4 - J" Table 2.3.7 Mean Core Melt Frequency by Initiating-Event Category BNL Review 2*
Initiating-Event CMF Cumulative Cumulative Category Contribution Percent CMF Percent LOCAs
. Very small 6.95E-05 80.4 6.95E-05 80.4
. Intermediate 4.64E-06 5.4 7.41E-05 85.8
. Large 2.62E-06 3.0 7.68E-05 88.8
. Small 1.71E-06 2.0 7.85E-05 90.8
. RV-rupture 2.67E-07 0.3 7.87E-05 91.1
. Non-isolable 2.00E-07 0.2 7.89E-05 91.3 Transients
. Loss of ac 2.10E-06 2.4 8.10E-05 93.7
. Excessive cooldown 1.46E-06 1.7 8.25E-05 95.4
. SGTR 1.18E-06 1.4 8.37E-05 96.8
. FW flow decrease 1.05E-06 1.2 8.47E-05 98.0
. Turbine trip 9.94E-07 1.2 8.57E-05 99.2
. Steam line break 3.83E-07 0.4 8.61E-05 99.6
. Degradation of dc 8.50E-08 0.1 8.62E-05 99.7
. Plant trip 7.31E-08 0.1 8.63E-05 99.8
. NRV closure 7.31E-08 0.1 8.63E-05 99.9
. Loss of vacuu.. 4.24E-08 0.05 8.64E-05 100.0
. Loss of control air <1.10E-08 <0.02 8.64E-05 100.0
. Loss of comp. cooling <1.10E-08 <0.02 8.64E-05 100.0
. Loss of service water <1.10E-08 <0.02 8.64E-05 100.0
- Based on NUREG/CR-3862 generic data.
l l
l
77.1% 22'.91[ 1.70x10-5 YNPS-PSS I- - l Transients i iLOCAs *
,c YNPS-PSS without 63.1% '36.9% ,', -' '. 2.28x10-5 plant experience YNPS-PSS without ;
plant experience 411 .
59% '
3.49x10'5 and including ist ;
year and low power .
events. ,
YNPS-PSS Regrouping j 66.4% '/33.6% 1.99x10-5 18.4% 21.'6% . 1.67x10-5 BNL Review 3 ,
LJ t-CO 4
69.8% - 3'O.21.' l.88x10-5 BNL Heview 3 Regrouping 63.6% 36.4% 2.06x10-5 ggL p,,,,,4 ;
- ' ', . l 59.8% 40.2%' ' - 2.19x10-5 BNL Review 4 Regrouping Figure 2.3.1 Core melt frequency sensitivity results.
(Results of BNL Revicas 1 and 2 are presented in Tables 2.3.6 and 2.3.7.)
while the third shows the effect of retaining first-year and low-power events on the CMF. Transient contributions to the CMF are substantially attenuated by the
, plant record while LOCA contributions are only slightly decreased. This is a direct consequence of the Bayesian update technique, which for plants with long operational experience (over 20 years for YNPS), yield posterior mean fre-quencies that are dominated by the plant history for high prior means (>10-2) while rare-event frequencies (LOCAs) are basically unaffected by plant experi-
- ence.
BNL Review 3 produced CMFs slightly lower than the Yankee PSS baseline re-sults. This indicates that the effect of changing the generic data base (from EPRI-NP-801 to EPRI-NP-2230) is negligible if the first-year and low-power events are disregarded.
BNL Review 4 shows the effect of retaining first-year and low-power events. The transient contribution to the CMF frequency increased by more than a factor of 2 (2.2) in this case, despite the strong plant history attenuation effect.
Regrouping. in all cases, substantially increased transient contributions to the CMF. This behavior is due to the fact that the CCMP for excessive cool-down events is about four orders of magnitude larger than the CCMP for plant trip events, as shown in Table 2.2.2, which means that excessive cooldown events demand more of the plant mitigation capabilities.
The main results of several sensitivity evaluations performed in the pre-sent review are shown in Figure 2.3.1. Loss-of-Coolant Accidents dominated the CMF in all cases, because the better-than-average plant history has a strong at-tenuation effect on transients and a negligible effect on LOCAs' contribution to the CMF. Furthermore, the exclusion of first-year and low-power events from the generic data base substantially decreased the transients' contribution to the CMF.
In order to identify further reasons for this dominance as well as for the low CMF, the YNPS-PSS results are compared to other similar studies in the next section.
2.4 Comparison of YNPS-PSS With Other Similar Studies A few selected similar studies were chosen for comparison with YNPS-PSS.
Five recent PWR PSSs performed by the industry were elected for this purpose.
The following aspects were compared:
. Initiating-Event Frequencies
. CMF by Initiating-Event Category
. Relative contribution to the CMF of LOCAs versus transients (absolute and percentile)
. Total CMF Comparison of these studies has shown that the selected LOCA IE categories are very similar, except for Oconee which did not include an intermediate LOCA category, and YNPS which subdivided the small LOCA into two categories (Small and Very Small). On the other hand, there was a wide variation in the grouping
of transient IE categories. A meaningful comparison of individual IE categories would represent a major task. Therefore, transients were collapsed into a sin-gle category for comparison purposes, and the results are summarized in Table 2.4.1. The Very Small and Small LOCA categories of YNPS were added and listed in the Small LOCA category in this table.
The core melt frequencies for these six plants ranged from 1.70E-05 for YNPS to 1.30E-04 for Indian Point 3. All CMFs shown in Table 2.4.1 are based on internal IEs only. Despite the LOCA's dominance in the YNPS-PSS, its absolute contribution (1.32E-05) is the second lowest when compared to the LOCA's contri-bution for the other five plants. Therefore, the LOCA's dominance in YNPS is not due to an unusual high frequency of LOCA scenarios. In contrast, the abso-lute contribution of transients to the CMF for YNPS (3.80E-06) is about a full order of magnitude lower than the corresponding values for all other five plants. Consequently, this is the main reason for the LOCA's dominance and low CMF displayed in the YNPS-PSS.
The LOCA's dominance on the CMF in the Yankee PSS is not a unique occur-rence. The results of Indian Point 2 and 3 also display this behavior, while Zion results are almost evenly split between LOCAs and transients.
The frequency of transients used in the various studies shows a broad vari- ,
ation, from 3.54/yr for YNPS to 22.5/yr for Indian Point 2. This, of course, is a reflection of the plants' operational history, except for Millstone 3 which has none. The IE frequency for Small LOCAs ranges from 3.44E-03 for YNPS to 3.54E-02 for Zion, a full order-of-magnitude variation. This feature is associ-ated with the inclusion of pressurizer PORV failures in the Small LOCA catego-ry. Large LOCA frequencies also displayed a large variation from 2.63E-04 for YNPS to 2.16E-03 for Indian Point 3.
This comparison of IE frequencies, among these six plants, shows that YNPS-PSS used the lowest values for transients, small, and large LOCAs, and one of the lowest for intermediate LOCAs.
Because of this broad variability in the IE frequencies used in the various studies, the conditional core melt probability (CCMP) by IE was used to gain ad-ditional insights from the comparison. As defined in Section 2.2, the CCMP ac-tually measures the plant nonmitigation probability given the occurrence of a given IE. This attribute has the advantage of being independent of the IE fre-quencies used in the study, and it actually measures the plant performance under accident conditions.
The CCMPs by initiating-event category were calculated for each of the six plants and are shown in Table 2.4.2. The first row of this table shows that the Small LOCA CCMP for YNPS (1.58E-03) is about average. Therefore, for Small LOCAs YNPS has an average mitigation capability. The same findings apply for Intermediate LOCAs. For Large LOCAs, however, the YNPS CCMP (9.89E-03) is the largest among the six plants, which means that it has the lowest mitigation cap-ability for these initiators. Overall, we could say that the YNPS has an about average capability for mitigating LOCAs. The last row in Table 2.4.2, shows that the transient CCMP for YNPS (1.0SE-06) is the lowest among the six, which implies that this plant has the highest mitigation capability for transients.
O
- . . o. ~ ~ e .e 4
. o. o. o. o. o. o. o.
- W e a e wa
.s . ~. ~. 8 e.I
.c ~.o . ,
e 5
~. ,. .e c ~ ~
- ~ ~e
~.
- i. 0
.t .* ,
- o. 3 e o
~ ~
-..3 . W
- o. o.
- o .,a W e
.- . e , 3 8 3 1% a a a a a a 8
- ~ . e, 2 8 w
8 8w 9 9 99 . .
=
s o o, ..oe g
g
.s e
o.
. -. -. as.,.g.~...
8 8 ~
t o~
, . . ~
. . o. 9 o. o.
- - .?
- a 8
} 1 J A .-* : *
, o'
~
a 8
- .=
e ~ ~ , e, e o I a .= o. e. o. o. o. o
- o. . . ., . . w
.~ ,
.s c. .. . . . .
Ep. .
g . -. . ,. -. o R. .- .o
. o
.= -
4 3.
- = , O o M M e. ~ ~
B
. s
- h t
N e
N e
o N
o
.e oe o
2 8
.s e ~ ~ e ce
. e e c.
c.
o 3
o.
o.
w o.
e o
o.
.o o.
o.
e.
o
. ,o e. .
.s.
-. ,. me ,-
1:
" -2 8 5-
> 2, 8o m o .
e e. ~ ~
t
. o. o. o. o o.
I- :
g
- * * *
- 8 i
. . s. . .,. e.
b s - -. -. c.
P.
f .E. . e ~ ~ c ec
. 8 o. o. o. -J
. o. o. o. o.
5 *2 6s W M
- 2 *
- e.
- 3 o e E. ~B o. o.
d J -J J . - J
- d ad*-
- 8 5 !.
2 n
.e
.% v.,
s , , c. ~ ~
. o o o o o 8 1 4 a -a a
- d --
o 3 , e o o. . .E ,l Et i e
- a J J Z '.**
-a g
~
- I 3 8 8 8 o. 8 e o.
ec
- o. o. 1 .b ..
a 5' S.s 2 * *
- 8
- M, e* ,. . i. t-
. . e. o. e.
e ~,.
- e. e - m - m g j 8 ._. .T x .%
o, , , -
o 8
- 28
. .e o. o. o. ~. m .
a
- Et
=
. J2 a - 2 Jo 5 a 8 : 2
.*5
%8
. i ". i.
- 6 .
F = 2 .
=-
t- 1
- .4 * *.- : .ft a9 2 3. 2 - -4 15 1 *,
-3 1
- s 1 1
.... 3.t .
8 1 5:* y->
. . . . . ~s .o 8.s..$ .o - ~--
W-
The overall insight drawn from Table 2.4.2 is that the YNPS is about aver-age as far as mitigating LOCAs are concerned and it is better than average for mitigating transien_ts. This combined with the use of low LOCA and transient initiating frequencies results in a low-power and LOCA dominated core melt fre-quency.
2.5 Conclusions The treatment of initiating events in the YNPS-PSS was reviewed to provide an appraisal of the reasons offered in the PSS for the dominance of LOCA scenar-ios on the core melt frequency. To this end, aspects of completeness, grouping, and quantification of the initiating events were evaluated. The effects of us-ing more recent compilations of generic data and of some regrouping of events on the IE frequencies were assessed. Also, the effects of plant experience and ex-clusion of first-year and low-power event data on the calculated CMF were evalu-ated. A comparison of the YNPS-PSS results with other similar studies was made.
The BNL review findings are summarized below:
. In the YNPS-PSS, the effect of plant history was to reduce the transient contribution to the CMF by a factor of 2.2 and the total CMF by 34%.
. Use of later compilations of generic data (EPRI-NP-2230 and NUREG/CR-3862) increased the CMF by at most 30%, except in cases when primary leakage events were inappropriately included as Very Small LOCA occur-rences, which produced an increase of up to a half order of magnitude in the CMF (Table 2.3.6).
. In general, the effect of regrouping (PWR-29 event) was a small percent-age increase in the transients' contribution to the CMF.
. The effect of including first-year and low-power events on the generic data base (BNL Review 2) was to almost double the contribution of tran-sients to the CMF.
. There are twu main reasons for the LOCA's dominance of the CMF: 1) the better-than-average YNPS operational history leads to a low frequency of transient initiating events (3.54) and 2) transient mitigation capability (CCMP) of YNPS is substantially better than at most modern plants, mainly because of the high availability of secondary cooling means. The YNPS-PSS takes credit for reestablishing main feedwater to the steam generator under accident conditions while most recent studies do not.
. The low CMF calculated in the YNPS-PSS is a result of using low values for LOCA-initiating event frequencies, together with the factors de-scribed in the previous item. The use of a low frequency for Small LOCAs is justified by the impossibility of having an RCP seal LOCA in this plant (main coolant pumps are canned).
. The reasons offered in the YNPS-PSS for the dominance of LOCAs in the CMF are considered appropriate.
2.6 References
- 1. Yankee Nuclear Power Station Probabilistic Safety Study, December 1982,
- 2. EPRI-NP-801, ATWS: A Reappraisal Part III - Frequency of Anticipated Tran-sients, July 1978.
4 S
t s
Table 2.4.2 Comparison of Conditional Core Melt Probabilities by Initiating Event Category Initiating Event Millstone Indian Indian .
Category 3 Zion Point ?. Point 3 Oconee YNPS 4, .
LOCAs ,
. Small 1.74E-04 4.60E-04 8.92E-04 4.05E-03 2.03E-03 1.58E-03
. Intermediate 8.99E-03 5.66E-03 6.67E-03 6.34E-03 ----
6.16E-03
~
. Large 6.11E-03 6.60E-03 8.21E-03 4.23E-03 9.68E-03 9.89E-03 Transients 3.14E-06 2.07E-06 1.46E-06 1.40E-06 5.37E-06 1.05E-06 .
4 l
= .I y 9 J
_ ___ ______.___m
. . . :. . . . i. - 7 . v - : v: .
1
- 3. G. Apostolakis,'S. Kaplan, B. J. Garrick, and R. J. Duphily, Data special-ization for plant specific risk studies, Nucl . Eng. Design Sji (1980). _
- 4. NUREG/CR-3485, Probabilistic Safety Analysis Review Manual, (draft) May 1985.
- 5. NUREG/CR-2815, Probabilistic Safety Analysis Procedures Guide, January
! 1984.
- 6. NUREG/CR-2497, Precursors to Severe Core Damage Accidents: 1969-1979 A Status Report, June 1982.
- 7. NUREG/CR-3862, Development of Transient Initiating Event Frequencies for Use in Probabilistic Assessments, May 1985.
- 8. EPRI-NP-2230, ATWS: A Reappraisal Part III - Frequency of Anticipated Tran-sients, January 1982.
i b
i i
s l
- - . , . - . , , - - , . . . - . , . - . , , - - , - - ~ . - . . . - -. , , . , . . - - , . _ ,
^
- 2.
- .w x :w .;: w ' . W ^ ~
' - ' ' ~ '
.=.~
3.0 TREATMENT OF HUMAN ACTIONS 3.1 Introduction A number of the accident-mitigating systems at Yankee Nuclear Power Station (YNPS) are manually initiated. Therefore, human intervention in the testing, maintenance, and operation of these sa'fety systems during routine conditions and
, accident management during abnormal conditions may have an important effect on
- risk. The treatment of human actions during accident sequences and in key sys-tem fault trees is evaluated in this section. '
4
- .The specific purposes of this review were to evaluate the treatment of hu-l man intervention within YNPS-PSS,1 including dynamic, latent, and common-mode human errors. Dynamic human errors are operational errors that occur after an i accident sequence has been initiated. These include cognitive errors, decision-
! making errors, and errors committed during the manual actuation and control of mitigating systems and system components. Latent human errors are testing, maintenance, and operational errors that occur during routine operating condi-tions. Such errors have an effect on risk because they may lead to failures of key systems which initiate accident sequences or are needed to mitigate acci-dents. >
! The scope of this review was to evaluate the methods used in the YNPS-PSS to model, screen, and quantify human actions in the system fault trees and event trees with special attention to actions involving decisionmaking and manual ac-tuation and control (including turning off) of systems and system components. A l specific concern of the review was YNPS-PSS's consideration of the impact of event-specific environmental and stress conditions on critical human actions and the impact of instrument and annunciator malfunctions on decisionmaking and man-i ual actions. Additional concerns of this review were the comprehensiveness, ad-equacy, appropriateness of assumptions, and understated uncertainties in the hu-man actions modeling in the system fault trees and event trees.
3.2 Description of YNPS-PSS Methodology i
,- This section describes the methods and reports the results of the human re-
{ liability analysis (HRA) segment of YNPS-PSS.
i 3.2.1 Selection of Human Actions for Quantification l Two major categories of human intervention were addressed in the YNPS-PSSI :
(1) interactions with equipment during accident sequences and (2) interactions with equipment during routine plant operations, testing, and maintenance. In-teractions with equipment during accident sequences were "primarily related to decisions and tasks related to energizing mitigating features available at the plant," (p. 7-15). Manual initiation of mitigating systems at YNPS "could range i from turning a switch in the control room to manually operating a valve locally l outside the control room (p. 7-23). Interactions with equipment during routine
! operation included " maintenance, testing, calibration, valve alignment, and so l forth," (p. 7-22).
i
. . . L2 : c, . v . '. . * * ' '
Table 3.2.1 Manual Actions Represented in Event Trees (Table 7-4 YNPS-PSS)
Reopen Main Steam Line Non-Return Valves to Established Condensor Heat Sink Isolate a Steam Generator - Due to Tube Rupture or Other Problems Restart Main Feedwater After Trip - Note: This is the Normal Mode of Post-Trip Feedwater Addition Start Emergency Feedwater System Initiate Chemical Shutdown - If Scram Problems Exist Initiate Charging System Align Charging System to Secondary Initiate and Align One Train of Safety Injection to Secondary Manually Control Main Coolant System Pressure with Letdown, Drains or PORV Manually Open PORV for Feed and Bleed Cooling Mode Terminate Safety Injection - e.g., for Main Steam Line Rupture with Multiple Failures or Steam Generator Tube Rupture Reestablish Secondary Following Multiple Steam Generator Blowdown - Caused by Multiple Failures Manually Depressurize Steam Generator Following Small LOCA with Loss of High Pressure SI Injection Isolate Main Coolant System LOOP Following Steam Generator Tube Rupture Selectively Cool Steam Generators Following a Steam Generator Tube Rupture 4
. . . __ . ~ .
3.2.1.1 Human Actions During Accident Sequences Key operator functions required for the successful mitigation of accident sequences were identified and included as top events in the event trees. Ac-cording to the PSS, the event trees were developed in greater detail than was typical for studies of that time in order to "more accurately model multiple failure scenarios and to provide a convenient means of assessing the importance of operator performance" (p. 8-18). The manual actions represented in the event trees are listed in Table 7-4 of YNPS-PSS which is reproduced below as Table 3.2.1.
The manual actions represented in the event trees were addressed at two levels: (1) operator decision to perform the function and (2) actions necessary to perform the function given operator decision to do so.
3.2.1.2 Human Actions During Routine Operations System fault trees were developed to represent individual system configura-tions and failure modes. Human errors during routine operations, testing, main-tenance, calibration, valve alignment, and other actions required to initiate and operate safety systems during accidents were modeled as basic events in fault trees. Basic events represented the limit of resolution of input data and were expanded into contributing events (p. 7-16). Common-mode failures of sys-tems due to human actions--such as human errors during testing and maintenance-
-were considered to be " generally the most probable type of common-mode fail-ure," (p. 9-6). These types of common-mode failure reportedly were accounted for in the fault tree quantification procedure. Common-mode calibration errors and maintenance errors were evaluated during fault tree development and quanti-fication. System top event failure probabilities were derived from the quanti-fication of the basic events in the fault trees.
3.2.2 Quantification of Human Actions 3.2.2.1 Data Sources Generic data found in NUREG/CR-12782 vere used to quantify human actions modeled as basic events in the fault trees and as top events in the event trees. The Human Error Probability (HEP) estimates in NUREG/CR-1278 are re-ported for specific tasks in the form:
HEP = .005 (.002 .02) ,
where the first value is the best estimate and the values within parentheses are the fifth and ninety-fifth percentiles, respectively, of a suggested log-normal density function. For fault tree and event tree quantification in the YNPS-PSS, these values were transformed into means and variances using the log-normal dis-tribution properties from Eqs. 7-12 to 7-17 of YNPS-PSS.
The specific methods employed to apply these estimates in the YNPS-PSS are discussed below.
3
L : _, _ _ -
l 3.2.2.2 Development of HEP Distributions in YNPS-PSS The YNPS-PSS analysts developed a generic HEP matrix from the HEP estimates found in NUREG/CR-1278 for errors of commission and omission and for selected I tasks in order to minimize differences in interpretation of the data matrices I from NUREG/CR-1278 among members of the project team. The generic HEP matrix (Table 3.2.2) from Table 7-3 of YNPS-PSS is .eproduced below.
It is generally believed that there is an " optimum" level of stress at which human performance is best. Less than optimum levels of stress result in poorer task performance, presumably because individuals are less motivated, less attentive, and exert less effort. Greater than optimum levels of stress also result in poorer task performance, presumably because physiological and psycho-logical responses to perceived stress interfere with task performance.
Following the example in NUREG/CR-1278, the YNPS-PSS used " shaping factors" to modify the HEP distributions to reflect the effects of different levels of stress on perfonnance. Four levels of stress and corresponding shaping factors were identified and are listed below.
Stress Level Shaping Factor Optimum 1 Low 2 Moderate 5 High For all tasks, HEP = .25 with variance = 9.40E-2 persistent high stress conditions.
To calculate the HEP distributions for each stress level, the baseline HEP from NUREG/CR-1278 was multiplied by the proper shaping factor.
The data presented in NUREG/CR-1278 and reproduced as Table 3.2.2 were based on the assumption that a single operator performed each task. However ,
according to the YNPS-PSS analysts, a total of three qualified operators, a shift supervisor, and a shift technical advisor would be present in the control room at 10 minutes after the initiation of any event. The YNPS-PSS project team attempted to account for the effects of additional manpower and supervisory per-sonnel on human error probabilities (HEPs) by adjusting the stress level down-ward one level for each task. That is, if the stress level associated with a particular operator function was " moderate," the HEP mean and variance associat-l ed with the " optimum" stress level was used.
l The YNPS-PSS analysts reviewed the task descriptions in PSS Table 7-3 and l
identified an appropriate task description for each human action in the YNPS-PSS fault trees and event trees. Then a stress level was determined for the ac-tion, and the corresponding HEP distribution was used to quantify human actions in the YNPS-PSS fault trees and event trees.
3.2.2.3 Quantification of Human Intervention During Routine Plant Operations Human actions during routine operations, testing, and maintenance were quantified as basic events in the fault trees using the optimum stress level l
y_ _ . - - - - ft
Table 3.2.2 Generic Human Error Probability (HEP) Matrix Developed from NUREG/CR-1278 (Table 7-3 YNPS-PSS) i Stress Levels Uptimu:n (Il Low (2) Moderate (5) High*
Task Description llEP Mean Va riance Hean Variance Mean Yarlance Mean Vartance .
- 1. Annunciator Response 3.4x10-4 1.48x10-7 6.8x10-4 5.9tx10-7 1.7x10-3 3.70x10-6 .25 9.40x10-2 l Errors of Cometssion 2-- In fonadI5nTroe' Di splay 1.6x10-2 3 3.2x10-2 3 2 4.56x10-2 .25 9.40x10-2 <
- 3. Check Reading Display 3 1.82x10 5 6.8x10-3 7.29x10 4 8.0x10 1.7x10- 2 3,70,30-4 .25 9.40x10-2
- 4. Checking Operation 3.4x10 7.7x10- 2 1.48x10 1.16 x 10- 3 1.5x10-1 5.9ta10 3 2 .. ,4
- 5. Operating Hanual Controls 2.7x10-2 4.32x10-3 5.4 x10-2 1.7 3 x10- 2 3.85x10-1 4.64x10 2.90x10 .25 1.35xto-I 1.08:10- 2 .. 9.40x10-2
$ 6. Operator Changing #10V 4.0x10-3 1.03x10-5 8.0x10-3 ' 4.13x*0-5 2.0xto-2 2.58x10-4 .25 9.40x10-2 (frois ctrl rooa)
- 7. Hafntenance 4.0x10-3 1.03x10-5 8.0xt'0-3 4.13x10-5 2.0x10-2 2.58x10-4 .25 9.40x10-2 ,
m Errors of Ostssion Y A B- TocE Vilire Afier Restoration 3 5 1.6x10-2 1.65x10-4 2 1.03xto-3 .25 m &
9.40x10-2
- 9. Initiate Restoring Valve 8.1x10 2.0x10- 3 4.13106 2.58 x10- 4,o,go-3 1.03x10-5 4.tx10 1.0x10-2 6.4 5x10-5 .25 9.40x10-2 g a Position v Selected Tasks: l I WIkaround Inspections 10:- Using IIIecETlil Irroperly 1.2x10-2 5 3,ygnio-4 1
2.4x10-2 6.0x10-2 2.32x10-3 .25 9.40x10-2
!!. Using Checklist Improperly .20 9.28x10 2 .40 .103 -- -- --
- 12. M - Checklist .72 2.50x10 2.2 7x10- 2 .. .. .. .. ..
- 13. Failure to follow 1.2x10-2 9.28x10-5 2.42x10-2 3,73,g0-4 6.0x10-2 2.32x10-3 .25 9.40x10-2 Procedures
- 14. Passive laspection 3 8.1x10-2 .162 1.65xto-2 .405 .103 -- -- <
- 15. Read AnnuncI4 tor tamp 1.21x10-3 4,g3,50 9.28 x10-7 2.42x10-3 3.71x10-6 6.la10-3 2.32x10-5 .25 9.40x10-2
- for very high stress (large LOCA) set all values to those shown except for dashes which are set to 1.0 with zero variance.
P
Table 3.2.2 (Continued) 1 Stress levels b Optimum III Low Iz) Haderate (5) High*
Task Descrfption ifEP Nan Giance han Variance kan variance Mean Variance
- 16. Read Digital Display 1.21:10-3 9.28x10-7 3 3.71x10-6 6.tx10-3 2.32x10-5 .25 9.40x10-2
- 17. Read Analog Heter 4.0 10-3 1.03410-5 2.42x103 5 2 2.50x10-4 .25 9.40x10-2
- 18. Read Analog Chart Recorder 8.tx10-3 4.13 x10-5 8.0x10 1.6x10- 2 4.13x10 4 2.0x10 4.1x10-2 1.03 x10-3 .25 9.40x10-2
- 19. Read a Graph 1.2x10-2 9.28410-5 1.65x10 4 6.0x10-2 2.32x10-3 .25 9.40410-2
- 20. Read Printing Recorder 6.8x10-2 3 2.42x10-2
.136 3.71x10 .34 2.37r10- 2 .148 -- --
- 21. Record Hare Than 3 Digits 4.0x10-3 5.92x10 5 3 4.13x10-5 8.0x10-2 2.58x10-4 .25 9.40x10-2
- 22. Arittunetic frrors 4.0x10-2 1.03 10 3 1.03 x10- 8.0x10 0.0x10- 2 4,g3,go 63 2.58 10-2
.202 .25 9.40x10-2
- 23. Fall to Detect Deviant 1.21x10-3 9.28x10-7 2.42x10-3 3.71st o- 6.1x10-3 2.32x10-5 .25 9.40x10-2 Display m
- 24. Check-Read Meters lilth 1.21:10-3 9.28x10-7 2.42x10-3 3.71x10-6 . 6.txto-3 2.32x10-5 .25 9.40x10 -5
- Limit Marks '
- 6
- 25. Failure to Recall Oral 8.0x10-3 3.89410-9 1.6x10-2 1.56x10-3 4.0x10-2 9.73x10-3 .25 9.40x10-2 m 3 Instructions
- m a Select Vrong Panel Control M ,
26FAnong Croup 5IETTir- 4.0x10-3 1.03x10-5 8.0x10-3 4.13x10-5 2.0x10-2 2.58x10-9 .25 9.40x10-2 Controls 27 If functionally Grouped 8.0x10-3 3.89x10-4 1.6x10-2 1.56x10-3 4.0x10-2 g,73,go 4 3 .25 9.40x10-2
- 28. If Part Himic Type Panel 3 1.08 x10-5 3 4.32x10-5 6.5x10-3 2.70x10- .25 9.40x10-2 29 Set fluitiposition Switch 1.3x10 2 6.6 7x10-2 2.6x10 5,g,g o- 2 .266 -- -- -- --
- 30. Hate Connector 2.9x10 1.4x10- 2 6.40 10-4 2.8x10-2 2.56 10-3 7.0x10-2 1.60x10-3 .25 9.40x10-2
- 31. Turn Control in Wrong 3.40x10-2 g,40,go-3 6.30x10-2 5.92x10-3 .170 3.70x10-2 .25 9.40x10-2 Direction .
Select Har.ual Valve from 12- Ciroup of~5imilar vilves 8.1x10-3 4.13x10-5 1.6x10-2 1.65x10-4 4.tx10-2 g,o3,go-3 .25 9.40x10-2
- For very high stress (large LOCA) set all values to those shown except for dashes which are set to 1.0 with zero variance, i
data presented in PSS Table 7-3. According to the YNPS-PSS, plant procedures s were reviewed to determine the practices used to perform specific routine opera-tion functions--maintenance, testing, calibration, valve alignment, etc. They state that " procedure use and type of check off, information display, and func-tion review process were examined" (p. 7-22).
According to the YNPS-PSS, no credit was taken for corrective action by personnel in the fault trees or event trees despite the availability of adequate time to do so.
3.2.2.4 Quantification of Human Intervention During Accident Sequences As stated above, manual actions required during accident sequences were ad-dressed at two levels in YNPS-PSS: (1) Operator decision to perform the func-tion (e.g., initiate a mitigating system) and (2) operator actions required to perform the function given the decision to do so.
- a. Operator Decision to Perform an Action Operator decision to perform required functions during accident sequences were quantified in the following manner.
- 1. The task descriptions from PSS Table 7-3 (Generic Human Error Probabil-ity [ HEP] Matrix Developed from NUREG/CR-1278) were reviewed. Two types of task descriptions were selected as applicable to the manual actions included in the event trees. These task descriptions were both under the category of Errors of Commission and referred to " Operating Manual Controls (#5)," and " Operator Changing M0V from Control Room
(#6)."
The relevant data from PSS Table 7-3 are:
HEP Stress Level ~Mean Variance Operating Manual Optimum (1) 2.7E-2 4.32E-3 Controls (#5) Low (2) 5.4E-2 1.73E-2 Moderate (5) 1.35E-1 1.08E-2 High 0.25 9.40E-2 Operator Changing Optimum (1) 4.0E-3 1.03E-5 MOV from Low (2) 8.0E-3 4.13E-5 Control Room (#6) Moderate (5) 2.0E-2 2.58E'4 High 0.25 9.40E-2 ii. Each manual action was assigned to a task description, i.e., either #5 (Operating Manual Controls) or #6 (Operator Changing MOV from Control Room). The rationale for assigning a manual action to one or the other task description was not provided. Note that the HEPs associated with Operating Manual Controls (#5) are an order of magnitude greater than the HEPs associated with Operator Changing M0V from Control Room (#6) at all stress levels.
- a. - .
111. A stress level was established for each manual action, apparently based on " knowledge of the environmental conditions--i .e., stress--and the procedural requirements...to guide selection of appropriate HEP parame-ters for each action" (p. 7-24). However, the specific environmental conditions or quality of the procedures associated with each action were not described in the YNPS-PSS.
Table 3.2.3 presents the results of these procedures. The first column lists the manual actions which were quantified in terms of operator decisions to perform the action. These actions are listed in order of increasing stress level assigned by the YNPS-PSS analysts. The second column lists task descrip-tion from PSS Table 7-3 which was assigned to each manual action. The third column lists the stress level assigned to each manual action. The fourth column lists the HEP mean and variance from PSS Table 7-3 which was used to quantify the error probability of operator decision to perform the action.
- b. Evaluation of Actions Necessary to Perform a Function Given Operator Selection According to the YNPS-PSS, operator errors in aligning systems during an event were assessed during the fault tree development and quantification by se-lecting an appropriate task description from PSS Table 7-3, noting the time available and determining the stress level for the action. Again, details of this process were not documented in the YNPS-PSS.
3.2.2.5 Results of the Quantification of Human Actions in YNPS-PSS Fault Trees and Event Trees The HEPs assigned to the human related top events in the event trees repre-sent the combined system / operator function failure rate plus failure rate due to operator decision. That is, the system top event failure probability distribu-tions were combined with the HEP distributions associated with operator decision to perform the function. The logical union of the two distributions resulted in the distribution used to quantify the top event of the event tree.
Table 3.2.4 (Table 7-6 from YNPS-PSS) shows the HEP distributions (;neans and variances) assigned to each of the manual actions represented in the YNPS-PSS event trees. Column 1 of Table 3.2.4 lists the manual action top events.
The letter / number combination in parentheses after the description of each manu-al action refers to the location in each event tree for this manual action. For example, for the first manual action " Reopen NRV," H1 indicates that this action is represented in Event Tree 1 as top event H. Column 2 lists the task descrip-tion assigned from the generic data matrix (PSS Table 7-3). Column 3 lists the stress level assigned to the task. Columns 4 and 5 list the mean HEP and vari-ance assigned to each manual action.
It was stated that for some actions the human error contribution to system /
function failure rate was small compared to mechanical failure contribution be-
- cause time available to perform the action was long. These manual actions were
- indicated in PSS Table 7-6 with a single asterisk. For other actions, the con-l tribution of human error to system / function failure was comparable to the con-1 tribution from mechanical failure because time available was not extensive.
These actions were indicated by a double asterisk in PSS Table 7-6.
Table 3.2.3 Quantification of Operator Decision to Perform Actions in Yankee Nuclear Power Station-Probabilistic Safety Study Manual Table 7-3 Stress HEP Action Reference
- Level Mean Variance Reopen NRV 6 Optimum 4.0 E-3 1.03 E-5 Isolate SG M0V
& Bailey 6 Optimum 4.0 E-3 1.03 E-5 Isolate SG in Emerg. Feed Mode 6 Optimum 4.0 E-3 1.03 E-5 Restart Boiler Feed Pumps ** 6 Optimum 4.0 E-3 1.03 E-5 Emergency Boiler Feed 6 Optimum 4.0 E-3 1.03 E-5 Manual Pressure Control 6 Optimum 4.0 E-3 1.03 E-5 PORV Manually Open 6 Optimum 4.0 E-3 1.03 E-5 Isolate FW to Bad SG 6 Optimum 4.0 E-3 1.03 E-5 Isolate Affected SG 6 Optimum 4.0 E-3 1.03 E-5 Shut off SI 6 Optimum 4.0 E-3 1.03 E-5 Manually Open PORV or Drains 6 Optimum 4.0 E-3 1.03 E-5 Charging System ** 5 Optimum 2.7 E-2 4.32 E-3 SI off 5 Optimum 2.7 E-2 4.32 E-3 Establish FW** 5 Optimum 2.7 E-2 4.32 E-3 Isolate MCS Affected Loop ** 5 Optimum 2.7 E-2 4.32 E-3 Cool Unaffected SG 5 Optimum 2.7 E-2 4.32 E-3
- Task Description Number (from PSS Table 7-3):
6 - Operator changing M0V (from Control Room) 5 - Operating manual controls.
- The error probability assigned to this top event in the event tree was modified by the system failure probability.
Table 3.2.3 (continued)
Manual Table 7-3 Stress HEP Action Reference
- Level Mean Variance Steam EBF** 6 Low 8.0 E-3 4.13 E-5 Chemical Shutdown ** 5 Low 5.4 E-2 1.73 E-2 Charging to SG** 5 Low 5.4 E-2 1.73 E-2 SI to SG** 5 Low 5.4 E-2 1.73 E-2 Establish Secondary 5 Moderate 1.35 E-1 1.08 E-2 Manual SG Depressurization 5 Moderate 1.35 E-1 1.08 E-2 Depressurize MCS with PORV or Drains 6 Moderate 2.0 E-2 2.58 E-4 Close Manually PORV or Drains 6 Moderate 2.0 E-2 2.58 E-4 Shut off SI when
- Task Description Number (from PSS Table 7-3):
6 - Operator changing M0V (from Control Room) 5 - Operating manual controls.
- The error probability assigned to this top event in the event tree was modified by the system failure probability.
)
4 0
l
Table 3.2.4 Event Tree Manual Action Quantification (Table 7-6 YNPS-PSS) .
Event Tree Desertption PSS-Table 7-3 Ref. stres Level Mean Versance Roopen NRW (HI) 6 optinua 4.0 x 10-3 1.03 x 10-5 Isolate S.C. HOV & Batley (11,116,017) 6 Optinua 4.0 x 10~3 1.03 x 10-5 Isolate S.C. When in Emergency Feed Mode (KI,516,F17) 6 Op timus 4.0 x 10~3 1.03 x 10-5 Restart a n (Jt,C7,H16,C17,E18)** 6 Optimum 1.39 x 10-2** 5.37 x 10-5..
E a r (Ll ,H7, F13,C l 4,E15, F15,I I 6,Isl 7, Fl a 6 Op timus 4.0 x 10~3 1.03 x 10-5 Cl.eetcal Sinatdown (Cl,05,C6,C8,C10,Cl2,W14,C15,E16,E17,C18)** 5 Law 7.84 x 10-28
- 2.12 x 10~3e*
Charging to S.C. (Mt.J7,Hl3,Il4,Wl5,Kl6,Jlf, Hit)** 5 Low 8.2 3 x 10-2 *
- 2.31 x 10~36
- ISI to S.C. (NI,K7,II),J14,Il5,Ll6,Kl7,118)lt 5 Low 6.14 x 10-2** 1.89 x 10~3**
Manual Fressure Control (E2,E3,E4,N5) 6 Op timum 4.0 x 10~3 1.03 x 10-5 FORV Hanually open (F2,F3,F4,R5,R7,H8,H14) 6 Optinue 4.0 x 10~3 1.03 x 10-5 Cha rgi ng Sy s t em (C2,C3,H5,17,ul 2,C l 3,u! 4,C15,J 16,I I 7,C 18) *
- 5 op tinua 8.16 x 10-2 2.32 x 10~3 Si off (L5) 5 Optimus 2.7 x 10-2 4.32 x 10'3 g ,
Estabitsh Secondary (05) 5 Hoderate 1.35 x 10-I 1.08 x 10-2 g m Manuel S.C. Depresurisation (C8) 5 Moderate 1.35 x 10*I 1.08 x 10-2 p o Isolate FW to sad SC (!!2) 6 Op timus 4.0 x 10~3 1.03 x 10-5 Establish Feeduster (J12) 5 Optimum 1.0 x 10~4 6.09 x 10~8 Isolate MCS Mfected 14op (012)* 5 Optinue 2.54 x 10~3 8.78 x 10'I Isolate Affected S.C. (Fl2) 6 Optinue 4.0 x 10~3 1.03 x 10-5 Cool Unaf fected S.C. (QI2) 5 Op timum 2.7 x 10-2 4.32 x 10-3 Depressertre MCS With FORV or Dralne (Sl2) 6 HoJerate 2.0 x 10'2 2.58 x 10-4 Close Manustly FokV or Close Dratas (T12) 6 Moderate 2.0 x 10-2 2.58 x 10
St.t off S.I. (012) 6 optimum 4.0 x 10'I I.03 x 10-5 Hanually Open FORV or Dratne (V12) 6 Op t imum 4.0 x 10-3 1.03 x 10-5 _
Slast Of f St W!en MCS at Pressure or LOCA (W12) -
High 1.00 Steam EsF (Fl4)** 6 Low 5.5 8 x 10-2 *
- 2.36 x 10~4 86
- llumna Error Contributton Negligible
- Huutaa Error Contributton Included
I 1
According to the YNPS-PSS, nine of the mitigating system configurations modeled in the fault trees were manually initiated. Therefore, successful oper-ation of these system configurations requires that the operator decide to initi-ate the system and perform the actions necessary to initiate it correctly. Ta-ble 3.2.5 (Table 9-2 of YNPSS-PSS which is reproduced below) presents the fail-ure probabilities used in the system fault trees and event trees. Column 1 identifies the system configuration, Column 2 describes the system failure cri-teria, Column 3 presents the probability of safety system failure due to hard-r ware failures and operator errors while maintaining, testing, and operating the l system. These probabilities are the results of system fault tree development and quantification. Column 4 presents the probability of safety system failures due to hardware failores and human errors in performing actions (Column 3) com-bined with the failure of the operator to decide to initiate a system. These probabilities were used to quantify the intermediate events of the YNPS-PSS j event trees. Since human errors are an important contributor to the failure of these nine system functions, human factors enhancements involving components of
, these systems may be most valuable in reducing core damage frequency at YNPS.
t
- 3.2.2.6 Results of the YNPS-PSS HRA in Terms of System Failure Contributions to f Core Melt (Including Manual Actions) 1 Information presented in Chapters 8 and 9 of the YNPS-PSS was used to iden-tify the systems and manual actions where human errors could have the most im-pact on risk. Table 3.2.6 (Table 8-4 of YNPS-PSS) shows the percentage contri-I bution of system failures and manual actions to core melt frequency at YNPS.
i Chapter 9 of YNPS-PSS summarized the results of the fault tree quantification
- procedures and presented the percentage contribution of human errors to system j configuration failure probabilities. These results are presented in Table j 3.2.7.
\
! HPSI and LPSI systems include SIAS, LPSI, HPSI, SISG subsystems. Human er-rors contributed from 11.5% to 60% to failures of these systems. By multiplying i the percentage contribution of HPSI and LPSI failures to core melt frequency by the mean of the contribution of human error to the failure of these systems (24%), it was determined that human errors contribute 10% to core melt fre-quency. Operator er" ors in initiating / controlling feedwater contributed 5.3% to core melt frequency, i
i These calculations indicate that human errors involving HPSI and LPSI sys-tems, Feedwater Systems, and manual depressurization of the Main Coolant System j may have the most effect on core damage frequency. Therefore, human factors en-i hancements which address the manual actions required to test, maintain, and op-l erate these systems may have the most benefit.
i l 3.3 Evaluation of YNPS-PSS
! 3.3.1 Deficiencies of the PSS
- The major deficiency in the YNPS-PSS from the perspective of reviewing and I evaluating the document in regard to human factors issues is the insufficient
! information provided, which makes it impossible to trace through some of the de-tails of the YNPS plant-specific procedures. The documentation is sometimes not specific enough for an outside reviewer to reproduce important results. In some cases, assertions are made without clear supporting evidence. In particular, j the following key deficiencies are noted.
i i
i
Table 3.2.5 Event Tree Intermediate Event Probabilities (Table 9-2 YNPS-PSS)
Event Tree System Top Intermedi-Event Prob- ate Event System ability Probability Tree Failure Criteria (Mean)a (Mean)b Safety Inj . Failure of one of one HPSI or one of to Steam one LPSI pumps to provide flow to Gen.(SISG) one of four steam generator second-aries. 7.38x10-3 6.14x10- 2 Recirc. Large break: failure of three of three HPSI pumps to take suction from the vapor container sump and discharge via two intact loop cold legs or one cold leg and the hot leg injection line (except for a break in loop four).
Hot leg injection required to prevent C boron precipitation after 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. 2.7x10-3 2.7x 10- 3 Intermediate, small break: failure of three of three HPSI pumps or three of three LPSI pumps to inject via same paths as above. LPSI pump is requir-ed to boost the HPSI pump head. Hot leg injection is not required to pre-vent boron precipitation. 1.14x10- 3 1.14x10-3c Charging and Failure of one or more charging pumps to Volume Con- provide makeup to the primary from the trol (CVCS) PWST or SIT. 2.76x10- 2 8.16x10-2 Failure of one or more charging pumps to provide borated water to the primary for chemical shutdown from the BAMT. 2.44x10- 2 7.84x10- 2 Failure of one or more charging pumps to provide makeup to one steam generator
, secondary from the DWST, PWST, or SIT. 2.83x10- 2 8.23x10-2 Main Feed- Failure of all three condensate pumps or water System all three boiler feed pumps or failure of flow paths to all four steam genera-tor secondaries. 9.9x10-3 1.39x10- 2
2 .
o , :
1 53 -
Table 3.2.5 (Continued)
. Event Tree System Top Intermedi-Event Prob- ate Event System ability Probability Tree Failure Criteria (Mean)a (Mean)b Emergency Failure of both electrical driven and Feedwater the steam driven pump or failure of System the DWST and PWST or failure of the flow paths to all four steam genera-tor secondaries. 4.8x10-6 4.0x10-3 Failure of the steam driven pump or failure of the DWST flow paths to all four steam generator second-aries. 4.7x10- 2 5.58x10-2 aColumn 3 presents the probability of safety system failure due to hardware failures and operator errors while maintaining, testing, and operating the sys-tem. These probabilities are the results of system fault tree development and quantification.
bColumn 4 presents the probability of safety system failures due to hardware failures and human errors in performing actions (Column 3) combined with the failure of the operator to decide to initiate a system. These probabilities were used to quantify the intermediate events of the YNPS-PSS event trees.
call operator actions included in the system fault tree.
e
_. _ - , _ , _ . r .-_
Table 3.2.6 System Contributions to Core Melt Frequency (Table 8-4 YNPS-PSS)
Contribution to Core System (or Action) Melt Frequency (%)
HPSI and LPSI Systems 48.8 Recirculation System 10.1 Reactor Protection System and Chemical Shutdown System (Includes Operator Errors) 10.0 Operator Failure to Manually Depressurize MCS for Small LOCAs if HPSI Fails 9.5 Accumulator 6.2 Operator Errors in Initiating / Controlling Feedwater 5.3 Failure of MCS Loop Isolation Valves to Close During Steam Generator Tube Rupture Plus Operator Errors in Responding to Event 4.6 Diesel Generators Plus Steam-Driven Emergency Feed Pump (Including Operator Errors) - Loss of ac - 2.4 Pressurized Thermal Shock Induced Reactor Vessel Failure Due to Operator Errors During Degradation of dc Power Events 0.5
3.3.1.1 Treatment of Common-Mode Human Errors The discussion of common-mode human errors is vague and does not explain how they were analyzed. For example (p. 9-5 to 9-6): "If an operator forgets to turn one control switch, it is highly probable that he will forget to turn other control switch. This type of common mode failure is accounted for in the fault tree quantification procedure.... For the YNPS systems, common mode human error was found not to be significant to important systems."
Despite this assertion, there is no clear explanation of how common mode human errors were considered in the system dependency analyses (p. 8-6 to 8-14;
- p. B-3 to B-6), nor whether the prior identification of shared components--a shared component is defined as a component whose failure appeared in two or more fault trees--recognized shared human components. One statement would suggest that dependent component identification was limited exclusively to hardware (B-4): "The major components examined were limited to pumps, valves, piping, electrical buses, and motor control centers."
The YNPS-PSS concluded that " common mode human error was found not to be significant for important systems...[primarily because] most of the systems are manually initiated and thus common mode calibration errors were not applicable."
[p. 9-6] However, since the Reactor Protection System is manually initiated, common-mode calibration errors were evaluated. Common mode maintenance errors were considered unimportant for most systems, because failure of one of two paths was assumed to fail the system.
In written comments on the BNL Review of YNPS-PSS and during a teleconfer-ence call between BNL, Yankee Atomic Electric Company (YAEC), and NRC on March 5, 1986, YAEC stated that common-mode human error was addressed in the system interdependency matrices in Chapters 8 and 9 of the PSS. BNL found no new in-formation in these chapters which provided additional information on how common-mode human errors were modeled and quantified.
Because of lack of information, it is impossible to evaluate the rea-sonableness of the YNPS-PSS analysts' assumptions or conclusions regarding com-mon mode human error.
3.3.1.2 Task Analyses Insufficient information is provided in the YNPS-PSS about the operator tasks which were assessed in the study. The manual actions listed in PSS Table 7-4 were described in no greater detail. According to the document, a stress level was established for each manual action taking into account procedure use and type of checkoff, information display, function review process, environmen-tal conditions, plant maintenance, testing, calibration practices, and time available to perform the action. However, information regarding these factors was not provided in the document. Therefore, it is very difficult if not impos-sible, for outside reviewers to avaluate the appropriateness of the stress levels assigned to operator actions in the YNPS-PSS.
In addition, the YNPS-PSS contains no table comparable to PSS Table 7-6 for operator actions represented in the fault trees. Therefore, it is not possible to evaluate the appropriateness of the methods used to quantify actions perform-ed during routine operations and accident conditions in YNPS-PSS.
Table 3.2.7 4 Percentage Contribution of Human Errors to Unavailability of Mitigating Systems Contribution of Human System Subsystem Error to Failure (%)
HPSI & LPSI LiAS 20-60 LPSI 17-25 HPSI 13.4-23 SISG 11.5 Recirculation <5.0 1 1 Reactor Protection
& Chemical Shutdown 21.7 1
Accumulator 26.0 t
Feedwater Main Feedwater 84.2 EFW (steam driven) 95 i
i
?
I t
1 f,
+
-+my,- ,3-+- y ..._,,_,,,_,,,,-.,,,--_3,.-_-..-,e..
- -
- yy ,._y, - ~ ,_-y, y ,,y,-----,.-.,g-,-, . - - - , - - - . - -m---
-- + , 2 -
3 3.3.1.3 Assumptions Regarding the Effects of Additional Personnel During Accident Sequences on HEPs As described above in Section 3.2.2.2, the YNPS-PSS project team attempted to account for the effects of additional manpower and supervisory personnel on HEPs by adjusting the stress level downward one level for each task. That is, if the stress level associated with a particular operator function were "moder-ate," the HEP mean and variance associated with the " optimum" stress level were used.
This approach may have been used beceuse the YNPS-PSS analysts assumed that errors would be less likely when there were additional personnel in the control room because of (1) the increased opportunity for supervision and error correc-tion or (2) a reduction in overall operator workload. These assumptions may be inappropriate for the following reasons:
- Many of the manual actions quantified in the event trees included action performed outside the control room where additional personnel would not be available to supervise.
4
- Each operator in the control room may be responsible for performing sep-arate tasks and therefore fail to detect another operator's errors.
- The presence of additional people in a control room introduces unique problems involving team coordination and communication which may in-crease error probability.
- In addition, on p. 7-22, the authors of the YNPS-PSS state that no cred-it for recovery from operator errors was given when quantifying human actions.
The YNPS-PSS acknowledged that their methods for accounting for additional personnel in the control rcom were simplistic, and that the proper procedure for quantifying HEPs for team-based performance is to perform a detailed task analy-sis taking into consideration recovery factors based on the presence of addi-tional manpower and supervision.
In response to BNL's critique of the YNPS-PSS approach for assessing HEPs associated with the operating team, YAEC commented that:
"While YAEC agrees in principle, they feel that their admit-tedly simple approach was adequate, and don't feel signifi-cantly different results would be obtained by the more de-tailed approach." (3/5/86) 3.3.1.4 Treatment of Cognitive Errors Potentially important cognitive errors include operator errors during moni-toring, information processing, and decisionmaking during accident sequences in
! nuclear power plants. The YNPS-PSS addressed cognitive errors by quantifying operator decision to actuate mitigating system configurations and perform miti-gating actions during accident sequences. HEPs for these actions were then com-i' bined with system / function failure probabilities derived from fault tree quanti-fication. Thus, failure of operators to decide to actuate mitigating systems was explicitly modeled in the YNPS-PSS.
--- _ _ - . . _ _ . , _ ~ _ - , . - - - - - J , , . - . . - _ , . - _ - - . - _ , , .
Decisions to perform these manual actions were included as top events in the event trees and were quantified as described above in Section 3.2. NUREG/
CR-1278 was used as the source of HEP estimates for operator decisions. At the time this YNPS-PSS was performed, NUREG/CR-1278 (" Draft Report for Interim Use and Comment," October 1980) did not include HEP estimates for decisionmaking and diagnostic tasks. The YNPS-PSS analysts applied HEP estimates for actions in-volving operating manual valves locally and operating MOVs from the control room to quantify operator decisions to perform manual actions.
The YNPS-PSS used the following HEP estimates for operator decisions to perform manual mitigating actions:
Manual actions from control room:
Optimum stress 0.004 Moderate stress 0.02 Manual actions including local operation of valves:
Optimum stress 0.027 Low stress 0.054 Moderate stress 0.0135 The appropriateness of these estimates for quantifying the YNPS-PSS deci-sion-making tasks in light of new techniques for HRA conid not be determined be-cause of the lack of information in the PSS. For example, if the amount of time available to perfora each manual action during specific event sequences had been stated, it would have been possible to apply the Operator Action Tree - Time Re-3 liability Correlation (0AT-TRC) from NUREG/CR-3010 to requantify the manual ac-tions.
The final revision of NUREG/CR-1278 (August 1983) included new human per-formance models and methods for quantifying diagnosis of abnormal events in nu-clear power plants. Chapter 21 provided an example of how to use these models to quantify " Failure to Initiate Steam Generator Feed-and-Bleed Procedures" fol-lowing loss of both normal and emergency feed to all SGs associated with a PWR.
This example is similar to many of the operator decision-making tasks modeled in YNPS-PSS. After an extensive task analysis, an HEP of 0.01 with an error factor of 10 was established for " Control room personnel fail to correctly diagnose the abnormal event within 20 minutes after annunciation, based on presence of R0, SR0, SS, and STA," reference Table 20-3, #3 (p. 21-6).
Again, if detailed task analysis information had been provided in the YNPS-PSS, it would have been possible to requantify specific YNPS tasks using the hu-man performance models and HEP estimates in the 1983 revision of NUREG/CR-1278. ,
3.3.1.5 Impact of Event-Specific Environmental and Situational Factors on Critical Human Actions
. Two initial goals of this review were to examine how the YNPS-PSS addressed
! (1) the impact of event-specific environmental and stress conditions on critical j human actions and (2) the impact of instrument and annunciator malfunctions on 4
critical decisions and manual actions. Section 7 of the YNPS-PSS states that
" knowledge of the environmental conditions--i .e., stress..." was considered to
. .. . ,. L ,: .
establish a stress level and select the appropriate HEP distribution for each manual action. However, no additional information is provided about the envi-ronmental conditions that would enable us to understand the extent to which the impact of event-specific environmental and stress conditions on human perfor-mance were considered. It does not appear that the impact of instrumant and an-nunciator malfunctions on critical decisions and manual actions were considered in the YNPS-PSS.
In written comments on the BNL Review of YNPS-PSS (dated 3/5/86), YAEC stated that:
...the manner in which the operators operate the plant by using redundant indicators, the fact that a larger number of the operations are manual which re-quire more attention to instruments instead of relying on annunciators, and the constant perusal of the boards and remote indicators by operators during events, minimizes the impact of an annunciator malfunction to the point that it has no effect on the PSS. In this manner, YAEC feels that annunciator malfunctions have been considered..."
BNL agrees that if YAEC operators are trained to use redundant indicators to assess plant status rather than relying on annunciators, then the effect of instrument and annunciator malfunctions on risk is minimized and may be insig-nificant.
3.3.2 Comparison to Other Studies BNL developed a computerized data base of HEPs reported in various PRA-type studies for 19 nuclear power plants. This data base of human errors reported in the RSSMAP study of Oconee Unit 3,5 Zion PRA,6 and the IREP study of Millstone Unit 17 was searched for HEPs referring to operating (opening / closing) valves, and starting and aligning systems during accident sequences. The range of HEPs found in this data base for these actions were compared to HEPs for selected manual actions from PSS Table 7-6.
3.3.2.1 Operating Valves from Control Room The range of HEPs reported for this type of action in other studies were as follows:
Millstone 7 0.05 to 0.001 Zion 6 0.009 Oconee5 0.015 to 0.0003 The YNPS-PSS used the following mean HEPs for actions involving operating valves from PSS Table 7-6:
- Reopen Non-Return Valve from control room under optimum stress = 0.004.
- Manually open Pressure Operated Relief Valve from control room under op-timum stress = 0.004.
- Manually close Pressure Operated Relief Valve from control room under moderate stress = 0.02.
1
. . .. : . .q ' : a.
3.3.2.2 Starting and Aligning Systems The range of HEPs reported for this type of action in other studies were:
Millstone 7 0.05 to 0.003 Oconee5 0.1 to 0.000025 The YNPS-PSS used the following mean HEPs for starting and aligning sys-tems:
- Restart Main Feedwater after Trip (Restart BFP) from the control room under optimum stress = 0.004 ,
- Start Emergency Feedwater System (EBF) from the control room under opti-mum stress = 0.004 Initiate Chemical Shutdown from outside control room under low stress =
0.0784
- Initiate and align One Train of Safety Injection to Secondary (ISI to SG) from outside control room under low stress = 0.0614
- Initiate Charging System from outside control room under optimum stress
= 0.027
- Align Charging System to Steam Generator from outside control room under low stress = 0.0823 The values of HEPs used in the YNPS-PSS fell within the range of HEPs re-ported in other PRAs for similar actions.
3.4 Conclusions The treatment of human intervention in the YNPS-PSS was reviewed because a number of the accident-mitigating systems at YNPS are manually initiated.
Therefore, human intervention in the testing, maintenance, and operation of these systems may have an important impact on risk. The methods used for ana-lyzing dynamic and latent human actions, including cognitive and common-mode er-rors, were evaluated.
Many of the initial goals of this review could not be achieved because the YNPS-PSS did not provide detailed information about their methods, assumptions, and analyses. BNL review findings are summarized below.
- The treatment of cognitive errors shows strengths and weaknesses. One strength is that operator decisions to initiate systems and perform man-ual actions were explicitly quantified as top events in the event trees. However, the HEP estimates used to quantify these decision-making tasks were not developed for cognitive tasks. The lack of de-tailed information about environmental and stress-related aspects of the tasks made it impossible for the reviewers to evaluate the appropriate-ness of the HEP estimates used in light of recently developed models of human performance at cognitive tasks.
- .+ - : - -
< ' v. . c .
- The assumption that the presence of additional personnel in the control room during accident sequences will reduce the stress level and associ-ated HEP estimate is debatable for the reasons discussed in Section 3.3 above.
- The treatment of common-mode human errors in YNPS-PSS is inadequately described.
- The range of HEP estimates reported in YNPS-PSS for manual actions in-cluded as top events in the event trees fall within the range of HEPs reported for similar actions in the Oconee, Zion, and Millstone studies.
- Based on the percentage contribution of human errors to system failures and the percentage contribution of system failures and errors during manual actions to core melt frequency, it appears that human factors en-hancements focusing on human intervention in the HPSI and LPSI systems, feedwater initiation and control, and manual depressurization of the MCS may have the most effect on reducing risk due to human intervention at YNPS.
The major focus of this review has been to identify deficiencies in the hu-man reliability analyses of the YNPS-PSS. Many of the deficiencies noted may be due to the state of the art of human reliability analysis and current issues at the time the PSS was performed.
3.5 References
- 1. Yankee Nuclear Power Station Probabilistic Safety Study, December 1982.
- 2. NUREG/CR-1278, Handbook of Human Reliability Analysis with Emphasis on Nu-clear Power Plant Applications: Draft Report, October 1980.
- 3. NUREG/CR-3010, Post Event Human Decision Errors: Operator Action Tree / Time Reliability Correlation, November 1982.
- 4. NUREG/CR-1278, Handbook of Human Reliability Analysis with Emphasis on Nu-clear Power Plant Applications: Final Report, June 1983.
- 5. NUREG/CR-1659 (Vol. 2), Reactor Safety Study Methodology Applications Pro-gram: Oconee #3 PWR Power Plant, printed January 1981, revised May 1981.
- 6. Zion Probabilistic Safety Study, Commonwealth Edison,1981.
- 7. NUREG/CR-3085, Interim Reliability Evaluation Program: Analysis of the Millstone Point Unit 1 Nuclear Power Plant, May 1983.
t *
,. ,, i : -.
- 4.0 TREATMENT OF STATION DC AND EMERGENCY AC POWER SYSTEMS 4.1 Introduction The scope of the electrical power system review included the determination from available information of the validity of the power system fault trees (ac and dc). Specifically, the review encompassed the degree of accuracy of the fault tree models in representing the plant design and operation, any important omissions, and how these models addressed such items as common-mode failures, battery charger capabilities, operator actions, and the concerns documented in NUREG-0666.1 4.2 YNPS Electrical Systems 4.2.1 Description YNPS is fed by two offsite power lines (Cabot and Harriman) that terminate on the station 115-kV bus (see Figure 4.2.1). The unit generator is also con-nected to this bus via the main step-up transformer. The three main power bus-ses (2400-V) of the station (busses 1, 2, and 3) power the four main coolant pumps. Bus 1 is fed from the main generator and has two main coolant pumps.
Busses 2 and 3 each have one main coolant pump and are powered from a station service transformer directly from the Harriman and Cabot lines, respectively.
Bus 1 can be connected to either bus 2 or bus 3 via bus ties, and upon a unit trip the operator must make this connection manually. The station main 480 bus-ses (6-3, 4-1, and 5-2) are fed from the Cabot line, the unit generator, and the Harriman line, respectively. Bus 4-1 may be manually connected to either bus 6-3 or bus 5-2 via bus ties. The three station emergency busses (E. bus 1, E.
bus 2, and E. bus 3) are also 480-V and are powered either by their own dedi-cated diesel generator or by station 480-V busses 6-3, 4-1, and 5-2, respective-ly. There are also two emergency MCCs (#1 and #2) which can be manually trans-ferred from E. bus 1 or E. bus 3 and E. bus 2 or E. bus 3, respectively.
The YNPS dc power system consists of three batteries (1, 2, and 3), four dc busses (1, 2, 3, and 3A), and four battery chargers (l', 2, 3, and Spare) (see Figure 4.2.2). Busses 3 and 3A are in separate locations, tied together by ca-ble with a breaker on one end and a disconnect switch on the other, and together form train 3 of the dc power system. Battery 1 and battery charger 1 are con-nected to bus 1 etc., and the spare battery charger can be connected to bus 1, 2, or 3A. Bus 2 can be manually connected to bus 1 or bus 3A via bus ties.
When normal power supplies are not available to the 480-V emergency busses, their respective diesel generators are automatically started and connected to provide backup emergency power. When normal power is lost to the 2400-V busses and there is a need for the service water pumps, the component cooling water pumps or the emergency feed pumps, operator action is required to enable the diesel generator to power these busses. Certain documentation provided for this review suggested that more than one diesel generator might be required to be phased upon a given 2400-V bus due to loading conditions in order to successful-ly start a given load. However, in direct discussions with YNPS personnel, it was stated that the plant does not allow any actions that would parallel the diesel generators. Further details on the structure and operation of the YNPS power system can be found in the PSS 2 and the FSAR.3 i
i
. :. . .. : . ~ . . . . .
u 33 . -
i i, s
w m
L l .ii ,1 .
ea
.- .r_
I i il,l i j i gr 8 L
Iii l l
- i. 111 li i e ii iIL l i
l l um!E,'
is l!18
' 8I 10 ilIg 1I li l I
l 4
1 i l ij l,g. ....
j
.g;l]! j iill h Il ! alii 11 llll1, l NIh I ii i
i 3(,lilIll!!!llliiil 3 p! : I i .I!!!lI .r 111llli i
!!li;ll!}llll:lllik.....ll l il i ll 11 iniiijl i
- ! 4 .
g..o..s.> p. ,_we .
.s,
, w I
l
.....- y.
.i . .tkh...ag,I!.!!.!.ll 1
- d. n3 ;
.-rl y f-* @+ !!igl
^
v H-l-r q E
}' i. u h I I, h
~
I j kl.lg ]
i, .
1 g 7 ,i s i .... 5~::::7. . ........... ..if.!1%..-"--~4 ;)il
- ?
'* "qselij t .M -
I!
-- :g:. --
f ,Ii h 9
Q ;p' l<
-L -b i -.-
l I
. 3 gj Il ,! illn iyl.
+
.sa.l
_L Ig ME
- i: ::
x.
7 r.e, ::I Nr i ilt 4un g
/g :
...L....... y gdV .. :S.........-...;.9....
1 .
1*lY
'i
.Q-
...... -g y
.l ..., ,-
g3
--- --s- "
C il .. 3- l ,,gy I ils
.[f g CI
- di 7 [M I l ;;- h
[ l i- T g .. rf24-fGN
'.': '~ j iSQ; i . t!!i I:I_ (- !1 a g b
" M : J. g e rg hgg i gj f i.
1: I' .h! ! t ili' g tLys--l: I :
yi gd. iii( F g y :
m i :a rt. Ie gi, g,
- l1 *j
- ! 'lin3 I 4: s ;
' l*y y I
'nr'i r r
a.
d r-t i i m '
M, o u' p y+..i y;;_...A
=
11 ;; -h i! ;Tpj%sb 3giptrew , .y y .i, M:: ;g #
.' lI !. -ir , r '
. : h: . i:ijj::. i'r ule.. j'l ~
- t a 1 .l l [
- : :
'l l
, b[;2.f1jP gi, ii :e -- -
'l,-
. j e
F 2 c
, ! ; 1
- 11 13q...a i.- )
%;l
.,%If.r!h!.K.T ~
l P S' ii ._t y. ::
!re -
h.e.__:pmc.,.:i i- SY
' My -iI!m.!iy l!Iy i ity 1 .
i:
i . e 2"":i: 4, e , J#d. S :H,,j ie i- : 'li i
., 24, i
-ti ii 'x;gi iby. . .
..:.g -
01 is.. f . p
- iji.l ~
, . s 4._ili
- g. .i -
u g
r +W
- 3 i !.3-4I
{l{'! "
i i
ill i ! ., .- I 3,.
rii
...j..p. 3 .. . . ....m .... .:. g g g 33. i,;41 d
_3YIN r_ji. _ ;!
t I
I q
E c
11
- :tre: v im, Y.t.u
. . ii n
i ;
up I;T !:
M s
-Y !
Ei
.a--
ii p
lb t
R o_Md .k i.i
~ D p,g -I Mo g4 :jj.. !;i i.
? !..).y5
. v. -
. q. .
Ig.%(J i
.. . .y-$--: .yg,.
_ i e ii w[l it: -~i?-
t r
. l 11iw, A--*; ...p......--..< ; -
y ,
q T, '++*n 44 i tu, <!.
. 5_ ii I 1 n! r .e p-
_g g ti - zl t
,:- 4 . 1.g'e.t;nM ;uI w ,
l !.. --%--d ' ' }I .......p.1; lii3 !:'g g' -[.3 il a f ]Gs i,
ph.
+
F ~f ':- '
$ll
!! Ni %i ,
- 5 J.. .L.- k. j h lh. 1. 4- . lt k kf ! $ 1 5 3, ".
s j ! I, i lY
, h_
[h L.17:.t $1 .-
8 ih lW'y. I I h 3 '.--
$ ~
..~ [ 6 gy. OY
^
y ;T .' .I 5 {-
a s
hL. @ . .._Y-f._.~*{.
.p'
! x
.k
)x;y, , in ,
I
."* Wii.'EiF4ii.'d .
! hly ,
l 1
t 4.2.2 Specific NRC Concerns with Respect to Design and Operation The following items concerning the ac and de power systems were specifical-ly considered in this review:
- a. redundancy of dc and emergency ac busses,
- b. bus ties,
- c. battery failure on demand,
- d. battery depletion following station blackout,
- e. loss of dc due to loss of ventilation, and
- f. loss of emergency ac following loss of normal ac power.
. The YNPS has a three-train ECCS and each of these redundant trains has its own emergency ac and supporting dc bus as described in Section 4.2.1.
. There are no direct bus ties between the three emergency ac busses. How-ever, the remainder of the major ac power system busses can be tied to at least one other bus at its own voltage level through bus ties. Each of the dc busses can also be directly tied to at least one other dc bus.
These bus ties are described in Section 4.2.1, and the concerns generated by this review are addressed in Sections 4.3.2 (dc) and 4.3.3 (ac).
. Battery failure on demand due to prior undetected battery failure after a loss of offsite power or undetected faults between battery tests due to lack of battery status monitoring and annunciation is not addressed in the YNPS-PSS (see Section 4.3.2 for further details).
. Battery depletion following station blackout is not addressed in the fault tree models or in the electrical system descriptions provided for review. This particular subject should actually be addressed in the event trees and not in the fault trees and review of the event trees was beyond the scope of the project. Therefore, no comments can be offered on this particular subject.
. Loss of dc due to loss of ventilation was not addressed in the fault trees or system descriptions. However, in the absence of any specific details of the physical plant with respect to this subject, omission of this failure mode is not considered to be significant, unless the bat-teries are confined in very small sealed rooms. In subsequent direct discussions, YNPS personnel confirmed that loss of ventilation is not a problem for the dc systems.
. Loss of emergency ac, following loss of normal ac power, due to failure of diesel generators to start or continue running for sufficient length of time was included in the study through incorporation of generic LER data. As discussed in Section 4.3.3, plant-specific diesel generator fault trees, although available, were not used in the YNPS-PSS analysis.
m
. . . . ~ . . . . . - . . .. - - - - -
65 -
,, g - - = .
, N.
N *%
N #%
.e i '
- l; {t jgy
- j. :
3 ij l
r ps . .
l'
!.i:
- b'!
t l!i . ! ilb t
nel
- i. I: .i s pi-u.
y l'lt gi is'15 stir,. r ji.p il 58
'. < o 5 =-
a g
s .i ,
! U:. i : 1:
i m
b)i
- . I Irti- i:il firi . 4 z 2g0:>l il
!.: ind.;
I I , i ID:a n
!.I l1:;I ig * ,uei.i ;).
g.
- ii8 ! J!ji isi'.d.r.I.!.II!!!..I
- Il i s t __M_ __*
' 4 4
5- .a
- d. .l jul l
_.a f sfF;.'e'l! l 1 I -
sf g. h. 3 iP: .'
2
.b!II ).I' ki hh!} l!}I
.I y!g{M t. 3 I'111- l.ji
. . O *i
$ < s-I hii' I M-- -
,4 )'.:e s a : l : I tisillH4i .f i.rt i E.- ~ -
g . *= a --=Es:::::@ % :: @ :..; 't; . . .: ,r
.5 y8hl!
,, i.,
5, p M . 7p .
_Il' g is si.
- 7. l-t i , , t)- .
.....a* !:v;[t: gmera
,i 13 3,i, ..u a,
-C > .4: . t 4 h m. .u. --W '.:'.=?.'t < ;s 'd ' ! '
3.I . iT "3:n'! ' "" f1 : 'TP: ! gl
,..:4,Ii}Y...T' c, -
- l. -L je l
- * *: ::: lT3t.i g .; .r. .d' :ti' l';.t 3.; il.p* i .t' e
- j l ~2;, at _;3 io . .m
. . ., l,f ll*%
'%."". ; h gs e,j gi 2 l ., f I
l i-" - - . -. ' ':: ..'*. =
Is .t""l; I
! ! N{3 Dli!!l 8l--C 8 . Imu elem I "~,
l*
- l. t >
.7* :.l'."."
I Ii -C la l
" *
- Ni
.I C f_t g i
I* c Q)
+a
-w,- l t 8I , ai i*
,I
' .r7 L. I--C I
l.: IL gg g
A i
M i I w i r . . . . : . .- .- ,~
i.a'i > gi m
.m= 2 ., 9, i .
1l.-c. . i i o ui
- ._^f. r_
ti si si s.,
c
!. A- , j.-8 i
. . . . ..gf. .in si _ ;_-J-e.i^r . !G n. $
m ,'.i .
.. i'
.s l i . =r;:~.:' - - a t _ .a t a i
i._u i t _Ti - -
.==
z.:::
o
,L1. - <-- - . = =
,i s..
a
.-~ ~ . :: :: =: -
a 6 } .
gl .Al:
- ... 'i A -
..@. ... _,1 - .:.,E == {${
FJ
=l. *:.T.: $- -* ^ .'A4*" e
- i o~f ,, =
- i n n , . = .=:= :- A ,i
- -- . - c.
!!!A, -
. . . . _ . . i: ir ', uc:52 8: .
r . ; e, e
jM, .-<1s :; . .. ;l .A:
v ur.sm o i, , c g; ---" , j; . ~i
- r. == _.;,== .-
p -
e x a.ia: , . .
a, : .a, ,
- i. -._. l
, :.:n t
y.
=s ., :-
m.
j.A 'i i
.a.m ll.A[
m g
- .11
- . .:- I$.A ', ,_
- . - --m .h i .
E
- .--<in , '
=
i if L' = .' % .T i
i.a., .r ,
. - . . n 4 w; ; _
u.
i >
i .A' . . . .::..: 3,i.h' i 5.5.y d.;
i .. .
. 7:.'**'.",,**.* 42, 7
-Q, , -s.. . --r-... . -
.. . , /p e _ @t r.- W,,.i4M-.9 d.-.-.-.,11 O
.i l...----g Mild .I.-_ .I 1 ... >1] i; . s r.! g *iawl , w* I 1 '.
i a :.. .
.s . l as t
~
'q't',,,.
.. .1 . lI
- - 'l := .. 8 m,
n..
Ia- i 7:.*[i
. . . , = ,, , '
l , ,
".*.*.'.'.'[.
+ .... .....
'l'e,_...-p.-.--*...*
u . w s fa- e a .e.e.. .
t1 T.1:-) - -- -1rci. i.~::.j . :. :- .--4'1
. . - ... u .
4.3 Evaluation of YNPS-PRA 4.3.1 Approach The PSS presented 17 fault trees (see Table 4.3.1) covering each of the ma-jor ac and dc busses in the plant. In order to fully review the accuracy and completeness of these fault trees the following additional information was re-quested by BNL and provided by YNPS:
. Detailed electrical power system drawings including bus relaying, breaker control circuits, and MOV control circuits.4.5
. Leading minimal cut sets for each of the electrical power system fault trees.
. Basic event data for the elements of the electrical power system fault trees.
. The set of operating procedures associated with the electrical power sys-tem including the testing and surveillance procedures required by the Technical Specifications.
. The plant emergency procedures that related to the electr! cal power sys-tems.
4.3.2 DC Power System Findings In reviewing the de power system, no documentation was available to either prove or disprove the plant battery chargers' capability to function fully with-out their associated batteries. The YNPS-PSS fault trees are developed assuming that the battery chargers are fully capable of handling maximum transient load-ings without support of the batteries, and this is a typical assumption made in previous PRAs. However, general electrical power systems design practices do not conform to this assumption. Normally the batteries are sized for maximum transient loading, as they must be capable of functioning without any ac power.
The battery chargers, on the other hand, are usually not sized to meet maximum transient loading because this adds expense to the design and it is usually as-sumed that the transient loading in excess of the chargers' capability will be handled by the battery. Table 4.3.2 (including the Note) is taken from the PSS and shows the calculated failure probabilities which are dominated by physical failure of the bus itself. If the battery chargers can not function indepen-dently of the batteries, then the mean failure probabilities for the dc busses of Table 4.3.2 all become 1.1E-31 pending operator recovery in a scenario not directly covered by procedures. This higher failure probability is dominated by battery failure on demand although this battery failure mode is not included in the YNPS modeling. In subsequent direct discussions with YNPS personnel, it was acknowledged that this concern about the battery chargers had not been consid-ered in the PSS. YNPS further stated that their investigation into this item revealed that battery chargers 1 and 2 were marginal and number. 3 definitely could not handle maximum transient loading.
Another item of the dc system review is the fact that there is no inclusion of common mode failures in the fault trees. An exception is taken to the state-ment in the note of Table 4.3.2 which indicates the seemingly interdependent u
- c - - 7
- - ,
.'~
Table 4.3.1 List of YNPS-PSS Electrical System Fault Trees .
- 1. 2.4-kV Bus 1, energized by the Cabot line (Y-177) or the Harriman line (Z-126).
- 2. 2.4-kV Bus 1, energized by Y-177 or Z-126,
- 3. 2.4-kV Bus 3, energized by Y-177 or Z-126.
- 4. 2.4-kV Bus 2 (for the emergency boiler feed pump), energized oy Y-177, ,
Z-126 or the Emergency Diesel Generator (DG3).
- 5. 2.4-kV Bus 3 (for the emergency boiler feed pump) energized by Y-177, Z-126, or DGl.
- 6. 480-V Bus 6-3, energized by Y-177, Z-126, or DGl.
I 480-V Bus 4-1, energized by Y-177, Z-126, or DG2.
~
7.
j 8. 480-V Bus 5-2, energized by Y-177, Z-126, or DG3.
i 9. Emergency Bus 1, energized by Y-177, Z-126, or DGl.
- 10. Emergency Bus 2, energized by Y-177, Z-126, or DG2.
- 11. Emergency Bus 3, energized by Y-177, Z-126, or DG3.
- 12. Transformer Bus B, energized via the Emergency Motor Control Center No.1 (EMCC1) or the Vital Bus.
- 13. Vital Bus, energized via Transformer Bus B, 480-V Bus 6-3 or the Station
- Battery System.
- 14. 125-V dc Bus 1, energized by Battery No.1, the remainder of the de system, or by the 480-V ac system. ;
! 15. 125-V dc Bus 2, energized by Battery No.2, the remainder of the dc system, or by the 480-V ac system.
- 16. 125-V de Bus 3, energized by Battery No.3, the remainder of the de system, or the 480-V ac system.
- 17. 125-V dc Bus 3A, energized via 125-V dc Bus 3, 125-V dc Bus 2 or by the 480-V ac system.
1
-y -
+- -~ , -,,,,-9w,-,--mg-+w ,-r-- __,y-, ,- ---- -
_ . . - .; _ ._.m _m __ m.
Table 4.3.2 125-V dc Bus Fault Tree Quantification Results 2 The mean failure probabilities calculated for the four 125-V dc bus fault trees and their corresponding standard deviations are listed below.
Mean Failure Fault Tree Probabilities Standard Deviation 125-V dc Bus 1 1.59x10-6 2.62x10- 6 125-V dc Bus 2 1.78x10-6 2.89x10- 6 125-V dc Bus 3 1.60x10-6 2.28x10-6 125-V dc Bus 3A 1.58x10-6 2.24x10-6
" Note that all four failure probabilities are nearly the same. This is due to the fact that the failure to power each bus is dominated by the physical failure of the bus itself which contributes over 98% of the total failure probability of each bus. Failure to provide power to the busses would require multiple fail-
. ures because of the multiple power sources and cross-tying capability and thus is an unlikely event. This multiple power source feature of the 125V dc busses makes what first appeared to be highly interdependent busses, in reality, inde-pendent busses in terms of failure probability.a 2 9
. . . . . . . . . . -a -__ ._
1 j
busses are really independent: the bus ties, which by procedure are used during battery maintenance, do indeed have the potential to compromise the independence of the dc busses. According to NUREG-0666, having the tie breaker in a design would increase the dc busses' unreliability by about a factor of 2. This in-crease in unreliability, however, is not considered here to be significant. In 4 direct discussion of this item with YNPS personnel, it was stated that YNPS pol-icy does not allow any dc bus ties to be closed with the reactor at. power.
The third item concerning the dc power system fault trees is the lack of F conditioning with respect to the sequences. For example, in a loss-of-offsite-powar (LOOP) sequence, only the battery is available to power the dc bus; how-ever, the fault tree also includes battery charger contributions. Another de-tail in this sequence, not included in the dc power system trees, is that,given a LOOP, the battery chargers are automatically tripped and the operator is in-structed by procedure to manually restore the battery chargers. In direct dis-cussion of this item with YNPS personnel, it was stated that their interdepen-dency matrix was an attempt to address this concern and the similar concerns discussed in Section 4.3.3 of this report on the ac power system. Review of this matrix was beyond the scope of this project.
, In summary, the only review finding concerning the dc power system that would have a significant effect on the quantification of the dc fault trees
! themselves is ,the assumption associated with the battery chargers' capability to function without their associated batteries. However, given the insignificant
! role the de power system currently plays in the overall core melt probability, refining the de power models would not be expected to quantitatively change this situation.
i
! 4.3.3 AC Power System Findings i The fault tree modeling of the ac power _ system was found to be quite de-tailed and comprehensive in the areas that it focused on. The following items indicate areas where it is felt that improvements could be made.
The first item of concern is the way in which the temporal aspects of the j various fault events have been neglected and the evuts have simply been placed l
together in the fault trees. This appears to be an extension of what was done j throughout the PSS in modeling both immediate hardware failures and longer-term j operator failures to recover in the same fault tree. The case of the electrical power system is somewhat different. In many cases within the power system, when
! a hardware failure occurs, the power system immediately changes state. For ex-ample, loss of power to any higher-level bus which normally feeds an emergency bus causes an immediate starting and loading of the diesel generator dedicated to that emergency bus. The YNPS fault trees ignore this and include in the mod-el (through AND gates) the possibility of supplying power via the many bus ties within the design. These latter actions would be more correctly modeled as a single act of operator failure to recover. Viewing the operator actions within the power system fault trees as true recovery actions might also necessitate considering higher stress levels to be associated with these actions and, there-fore, might also call for a higher probability of failure to be assigned. No
! attempt was made in this review to requantify the power system fault trees in
- light of this item as it would necessitate an effort well beyond the scope of i this limited review.
J
- a. -_- , -. - ___ _
The second item concerns the fact that none of the ac power system fault trees address the possibility of a transient induced loss of offsite power.
This event is typically taken to be 1E-3 and if it were to be incorporated into the existing fault trees (coupled with operator failure to recover) would become one of the leading cut sets for each of the nonemergency ac busses. However, this potential addition to the ac power system fault trees will have no substan-
! tial effect on the overall core melt frequency given the relatively low impor-tance of the loss of offsite power in the PSS, and given the infrequency of transient induced loss of offsite power compared to the LOOP initiator in the PSS.
The third item concerns the assumed initial conditions of the ac power sys-tem which were used to define the initial state from which the fault trees were developed. These conditions were that a successful isolation of the main gener-ator had already been completed. This means that the main unit generator was already tripped off line at the start of the event and a number of critical cir-cuit breaker operations had also been successful. The modeling of this aspect of the ac power system proved to be a vital item in the systems interactions re-view of Indian Point Unit 3.6 However, following direct discussions with YNPS personnel, with respect to the specific concerns of this review, it was con-1 cluded that the assumed initial conditions for the power system were appropri-i ate.
1 The fourth item concerns not linking the electrical power system fault i trees in the analysis. Failure to link the support system fault trees to the 4
frontline systems and to each other can lead to overpredicting system reliabili-ty. In addition, although three fault trees were developed, one for each of the diesel generators, these were not used in the analysis. Instead, the PSS used the generic data in Table 4.3.3 (Table B-5 in the PSS) and stated this to be conservative. The YNPS-specific failure probabilities shown in Table 4.3.3 are
- less than the generic failure probabilities used in the analysis but are close
,~
and do not reflect the fact that the dc power failure contribution is not inde-
]
pendent as it also appears in other places in the fault trees. The PSS further i states that the three diesel generator fault trees were solved separately and
] the cut sets were manually compared to see if common cut sets did occur. This i item is not considered to represent a significant impact in the quantification j of the electrical power system fault trees.
The fifth item concerns the lack of conditioning the fault trees for vari-ous sequences. Most notably, a loss of offsite power would yield only the bat-i teries available for bus control and relaying and only the diesel generators for 4 sources of ac power. Again, given the relatively low importance of the loss of offsite power in the PSS, the above refinements would not be expected to make a significant change to the overall core melt probability.
^
4.3.4 Specific NRC Concerns with Respect to the Fault Trees The following items concerning the ac and dc fault trees were specifically considered in this review:
- a. definition of the top events,
- b. test and maintenance unavailability,
- c. common-mode failure modeling,
- d. human errors,
.. .. . : ^ -
~ ~ ^
1 Table 4.3.3 Observed Diesel Generator Failure Data vs Calculated Failure Probabilities 2
! Number of Calculated Observed
- 4 Failed Mean Failure Average Failure Diesel Generators Probability Probability 1 1.67x10-2 4.0x10- 2 2 +9.07x10-4 ++2.3x10-3 3 +8.58x10-5 +++1.9x10-4
- Generic data obtained from LERs through December 1978.
+ Estimated common mode failure contribution to YNPS DG failures.
++ Majority of this va?ue is due to common-mode failure.
+++All common mode.
i r
I I
-. _ . . , 1, _ .. - _ - . _ . _ _ . _ _ . - - _ , ,- . . . _ _ - _ _ _ _
- e. consequential failures coupled to initiating events and environmental effects,
- f. failure data,
- g. omitted significant component or status sensor faults,
- h. modeling assumptions, and
- i. leading cut sets.
. Table 4.3.1 lists all the ac and de fault trees and these were reviewed as part of this project. The table also indicates the various potential power sources considered in each fault tree. The corresponding 17 top events are defined as loss of power at the particular bus.
. The only candidates for testing and maintenance (T&M) activities within the power systems are the diesel generators and the batteries. The die-sels were not part of the PSS model; however, the diesel generator fault trees only considered the fuel system with respect to T&M. The batteries were not considered unavailable due to testing and maintenance in the models. This is not considered a significant omission with respect to the batteries because the testing that would render the batteries inoper-able is performed only at shutdown and the Technical Specifications se-verely limit unavailability due to maintenance.
. With respect to common-mode failures, the diesel generator data used in the PSS did account for common mode failures (see Table 4.3.3); however, the de system did not address this subject (see Section 4.3.2).
. Findings with respect to modeling of human errors are discussed in Sec-tion 4.3.3.
. Consequential failures coupled to environmental effects were not address-ed in the power system fault trees. Given the limited scope of this study and no information that correlates power system components to in-plant hazards, no meaningful comments can be made on this item. Conse-quential failures / system status coupled to initiating events is addressed in Sections 4.3.2 and 4.3.3.
. Failure data for the major electrical components are listed in Table 4.3.4 along with similar failure rates used in the Oconee and Indian Point 2 PRAs. Note that both the Oconee and Indian Point 2 PRAs basical-ly used the same gener.ic sources as the YNPS-PSS. However, they updated the generic data with specific plant experience for all electrical compo-nents where plant data were available; the YNPS-PSS updated only a few components. Based on this fact, the differences between the three data sets for electrical components are not seen as significant.
. No omitted status sensor faults were identified during this review.
. Sections 4.3.2 and 4.3.3 describe the modeling assumptions that were found to be either missing or less than optimal in the review.
. Leading cut sets for each of the electrical power fault tree top events were provided in the YNPS-PSS and were reviewed against the detailed electrical drawings provided for this project. Nothing was found to challenge any of the leading cut sets presented. As discussed in Sec- )
i
. .. 1 , ; ,
Table 4.3.4 4 - Comparison of YNPS-PSS With Other PRA tai ture Rats; 70.- Major Electrical Items
- Generic Data YNPS Indian Failure Data Mean Plant-Spe- Oconee Point 2 Item Mode Source h r- 1 cific Update PRA7 PRA8 Battery All modes S4 9.2E-6 7.2E-6 8.2E-8 8.2E-8 Circuit Breakers Spur.0p. S2 1.15E-7 ---
9.9E-8 4.8E-7 Fail to close S2 2.6E-6/d ---
8.9E-4/d 2.5E-5/d Fail to open S2 5.5E-4/d ---
3E-4/d 6.4E-4/d Power Cable All modes S3 2.7E-6 --- 8.8E-6 ---
Battery Charger All modes S4 1.08E-5 --- SE-6 2.0E-6 Static Inverter All modes S2 1.26E-5 1.22E-5 4.3E-5 1.5E-5 M-G Set No output S2 3.8E-5 7.1E-6 --- ---
Fuse Spur.0p. S2 3.7E-8 --- ---
8.3E-8 Relay All modes S2 6.74E-6 --- 6.2E-6 2.4E-7 Switchgear Bus All modes S2 2E-7 ---
1.8E-7 ---
Station Service XFMR All modes S3 4.25E-7 4.07E-7 7.3E-7 7.6E-7 S2: IEEE STD-500/Dec. 1977.
S3: IEEE STD-493/1980.
S4: NUREG/CR-1635 Sept. 1980.
. . w: :.' . :
' ~
' ~ ~~
.. l. ;
l
)
tions 4.3.2 and 4.3.3, additional leading cut sets would be anticipated s if all the review items were addressed as revisions to the fault trees.
As further discussed in Sections 4.3.3 and 4.3.4, the actual modifica-tions suggested would require a significant effort beyond the scope of this project and would not be expected to quantitatively change the over-all core melt probability due to the small contribution to core melt probability the electrical power systems make as currently quantified.
4.4 Conclusions Two items from this review could have an impact on the quantification of the electrical power system fault trees. The first relates to the dc system and the performance capabilities of the YNPS battery chargers in the absence or failure of their accompanying battery. The second item relates to the ac sys-tems and the suggestion that they be modified to reflect operator recovery ac-tions more accurately. Ho.vever, because the ac and dc power systems do not pro-
,- vide a significant contribution to the overall core melt probability, it is not recommended that modification of the ac fault trees be attempted unless results 1 from other areas of the NRC's PSS review would indicate that such an undertaking is warranted.
4.5 References
- 1. NUREG-0666, A Probabilistic Safety Analysis of DC Power Supply Requirements of Nuclear Power Plants, April 1981.
- 2. Yankee Nuclear Power Station Probabilistic Safety Study, Section B.4.3, Electrical Systems, December 1982.
- 3. Yankee Nuclear Power Station Final Safety Analysis Report, Section 226, July 1985.
- 4. YNPS Electrical Drawings, Series 9699-FE, 97 sheets.
- 5. YNPS Electrical Drawings, Series 9699-ESK, 22 sheets.
. 6. NUREG/CR-4207, Fault Tree Application to the Study of System Interactions at j Indian Point 3, to be published.
- 7. NSAC/60, Oconee PRA, June 1984.
t
- 8. Indian Point Probabilistic Safety Study, Power Authority of the State of New
! York and Consolidated Edison Company of New York, Inc.1982.
i 1
5.0
SUMMARY
This report covers the review of three specific aspects of the YNPS-PSS:
initiating events, human actions, and electrical power systems. The following paragraphs summarize the review findings in each area of the review.
The review findings with respect to the treatment of initiating events were:
. In the YNPS-PSS, the effect of plant history was to reduce the transients
- contribution to the CMF by a factor of 2.2 and the total CMF by 34%.
. Using later compilations of generic data (EPRI-NP-2230 and NUREG/CR-3862) increased the CMF by at most thirty percent, except in cases when primary leakage events were inappropriately included as Very Small LOCA occur-rences, which produced an increase of up to half an order of magnitude in the CMF (Table 2.3.6).
. In general, the effect of regrouping (PWR-29 event) was a small percent-age increase in the transients contribution to the CMF.
. The effect of including first-year and low-power events on the generic data base (BNL Review 2) was to almost double the contribution of tran-sients to the CMF.
. The CMF is dominated by the LOCAs primarily for two reasons: (1) the bet-ter-than-average YNPS operational history leads to a low frequency of transient initiating events (3.54) and (2) transient mitigation capabil-ity (CCMP) of YNPS is substantially better than at most modern plants, mainly because of the high availability of secondary cooling means. The YNPS-PSS takes credit for reestablishing main feedwater to the steam gen-erator under accident conditions while most recent studies do not.
. The low CMF calculated in the YNPS-PSS is a result of using low values for LOCA initiating-event frequencies, together with the factors describ-ed in the preceding item. The use of a low frequency for Small LOCAs is justified by the impossibility of having an RCP seal LOCA in this plant (main coolant pumps are canned).
. The reasons offered in the YNPS-PSS for the dominance of LOCAs in the CMF are considered appropriate.
The review findings with respect to the treatment of human actions were:
. The treatment of cognitive errors shows strengths and weaknesses. One strength is that operator decision to initiate systems and perform manual actions were explicitly quantified as top events in the event trees.
However, the HEP estimates used to quantify these decisionmaking tasks were not developed for cognitive tasks. The lack of detailed information about environmental and stress-related aspects of the tasks made it im-possible for the reviewers to evaluate the appropriateness of the HEP es-timates used in light of recently developed models of human performance
- at cognitive tasks.
~
.21 ~ . 2 - ~~.._ ~_ _ ~ 1: ~~
~
. The assumption that the presence of additional personnel in the control room during accident sequences will reduce the stress level and associat-ed HEP estimate is debatable for the reasons discussed in Section 3.3.
. The treatment of common mode human errors in YNPS-PSS is inadequately de-scribed.
. The HEP estimates reported in YNPS-PSS for manual actions included as top events in the event trees fall within the range of HEPs reported for similar actions in the Oconee, Zion, and Millstone studies.
. From the percentage contribution of human errors to system failures and the percentage contribution of system failures and errors during manual actions to core melt frequency, it appears that human factors enhance-ments focusing on human intervention in the HPSI and LPSI systems, feed-water initiation and control, and manual depressurization of the MCS may have the most effect on reducing risk due to human intervention at YNPS.
The review findings with respect to the treatment of ac and dc electrical power systems were:
I
. There was no available documentation to either prove or disprove the bat-tery chargers' capability to function fully without their associated bat-teries. When this item was brought to the attention of YNPS, they stated that it had not been addressed in the PSS and that upon investigation it was determined that battery chargers #1 and #2 were marginal and #3 could not totally function independently of its battery.
. Common n:.de failures were not modeled in the dc fault trees even though
! multiple bus ties are present in the design.
. The dc fault trees were not conditioned to reflect specific sequence events. For example, only the battery is available when ac power is lost such as during a loss of offsite power (LOOP) because given a LOOP event, the battery chargers are automatically tripped and subsequent operator action is required to restore the chargers. The fault trees do not re-flect this.
l . The ac fault trees do not reflect the fact that many electrical hardware failures cause an immediate and automatic change of state of the power system. Rather they model many possible operator actions through AND gate instead of just one event - operator failure to recover. The pres-ent modeling yields a higher prediction of reliability than would other-wise be calculated.
. The ac fault trees do not address the possibility of a transient-induced loss-of-offsite-power event.
. The electrical power system fault trees were not fully linked in the analysis process. Failure to link the support system fault trees to the frontline systems and to each other can lead to overpredicting system re-liability by missing key dependences.
9
. The ac fault trees were also not conditioned to reflect specific sequence events, e.g., a loss of offsite power would yield only batteries avail-able for bus control and relaying and only the diesel generators for sources of ac power.
9
-- _ ~ _ s
_ _ . _ . _ . . . .:_._ __ . _a _ . . a.- . _ _ . . _ . u,. <. ,
78 -
4
6.0 CONCLUSION
S The major conclusions developed from each of the three topical reviews are as follows.
With respect to the treatment of initiating events, the reasons offered for the dominance of LOCAs in the contribution to core melt frequency were consid-ered appropriate. With respect to the treatment of human actions, it was con-cluded that human factors enhancements in the HPSI and LPSI systems, feedwater initiation and control, and manual depressurization of the main coolant system would have the most impact on reducing risk due to human intervention although actual implementation of any such measures is considered unwarranted. And, with respect to treatment of ac and dc power systems, it was concluded that remodel-ing/requantifying the fault trees in accordance with the review findings would not be justified unless the overall PSS review effort demonstrates a significant increase in the contribution to core melt probability from these systems.