EPA-520/3-75-012
REACTOR SAFETY STUDY (WASH-1400):
A REVIEW OF THE DRAFT REPORT
J.S. ENVIRONMENTAL PROTECTION AGENCY
Office of Radiation Programs
-------�
REACTOR SAFETY STUDY (WASH-1400) : A REVIEW OF THE DRAFT REPORT
August 1975
U.S. ENVIRONMEOTAL PROTECTION AGENCY
OFFICE OF RADIATION PROGRAMS
WASHINGTON, D.C. 20460
-------�
FOREWORD
The Environmental Protection Agency has reviewed
environmental impact statements for light-water reactors (LWR)
since 1971. During the course of our reviews, we have emphasized
the need for a thorough evaluation of the environmental risks,
including risks from accidents, associated with IWR technology.
In August 1974, the Atomic Energy Oonroission (ABC) published for
uaaroant a draft report entitled "Reactor Safety Study: An
Assessment of Accident Risks in U.S. Oonroercial Nuclear Power
Plants" (WASH-1400), which was the product of a major effort by
the ABC spanning two years and pouting 3 million dollars. The
Reactor Safely Study is a comprehensive study of reactor safety
and is the first such study to utilize a systems analysis
approach in order to quantify the risks of reactor accidents in
terms of probabilities and consequences, where historical and
enpirical data are inadequate. Since there are presently 53 LWRs
licensed to operate and 188 more under construction, proposed or
planned, it is inoperative that the Reactor Safety Study be
reviewed in depth and as impartially as possible so that the
validity of the study's methodology and results- can be
determined*
The Environmental Protection Agency (EPA) initiated its
review of the Reactor Safety Study in August 1974, including an
$88,000 contract to Intemountain Technologies, Inc. (ITI) of
Idaho Falls, Idaho. The Office of Radiation Programs of EPA
initially conducted a comprehensive review of the environmental
consequence models, the general study methodologies and the
conclusions, and issued formal comments to the Atomic Energy
Ocnmission on November 27, 1974. The ITI effort was directed at
examining .the study's evaluations of accidents and their event
sequences to determine whether any significant failures of
systems or equipment had been omitted or any major error or
system biases of data analysis had been incorporated. For any
areas identified with possibly significant errors or omissions,
the impacts on the risks of the necessary adjustments in the
variables or sequences of events were evaluated and estimated by
ITI.
rflie final ITI report entitled "A Review of the Draft Report
Reactor Safety Study (WASH-1400) ° was submitted to EPA in July
1975. This report served as a partial basis for the preparation
of the final Agency comments on draft WASH-1400, which ware
publicly issued on August 15, 1975.
-------�
This report is now being published in its entirety so that it
will be available as a resource to the scientific comunity and
the general public. All Agency comments presented during the
review are intended to provide constructive criticism which may
be helpful to the Nuclear Ragulatory Contiission (NRC) as it
prepares the final Reactor Safety Study report. (Upon the
reorganization of the ABC to form the NRC and some portions of
the Energy Research and Development Administration on January 19,
1975, the NRC assumed responsibility for completing the Reactor
Safety Study.) This EPA report include** the two sets of formal
Agency comments and the complete ITI report. When the final
Reactor Safety Study is published by the NRC, EPA, with the
assistance of ITI, will undertake a comprehensive review of that
report and will publicly comment to the NRC.
We welcome content on this report and would appreciate
receiving any corrections or critical comments on the ijiformation
and conclusions presented. Please send any such contents to the
Environmental Protection Agency, Office of Radiation Programs
(AW-559), Washington, D.C. 20460.
W. D. Rowe, Ph.D.
Deputy Assistant Administrator
for Radiation Programs
-------�
TAHUT. OF CONTENTS
Part 1: November 27, 1974 Oontnents to the ABC
Part 2: August 15, 1975 Cement letter to the MFC
Part 3: Final Report by ITI Qititled "A Review of the Draft Report
Reactor Safety Study (WASH-1400)"
-------�
PART 1
NOVEMBER 27, 1974 COMMENTS TO THE ABC
-------�
•«,,., ,„,>''"
* I INI TT-D STATES KNVIRONMHN VAL PROTECTION AGENCY
*• ''" WASHINGTON. D C
27NOV1974
Mr. S;nil Lovinc
Project Staff Director
Reactor Safety Study
U.S. Atomic I'inergy Commission
Washington, D.C. 20545
Dear Mr. I.evine:
The Environmental Protection Agency's comments from the initial
phase of its review of WASH-1400 ("An .Assessment of Accident Risks in
U.S. Commercial Nuclear Power Plants") arc transmitted with tins letter.
liccause the assessment reported in WASH-1400 is expected to be
a principal step toward establishing the accident risk associated with
nuclear power plants, we are reviewing it in two phases. The first phase
is represented by the enclosed preliminary comments based on a two-month
review effort. The second phase will include an in-depth review of
selected aspects of the study with technical assistance being provided
to P.PA through a contract with Intermountain Technologies, Inc. This
second phase should be concluded by May 1975, at which time our intent
is to issue a final report detailing all of our comments. During this
period of continuing review we hope to maintain a close liaison with the
Atomic F.ncrgy Commission so that our final report will reflect an up-to-
date awareness of any resolution attained regarding comments by EPA or
others on the draft report.
We have reviewed the work plan for our continuing effort with members
of your staff as well as others in the technical community. We are also
including it as a part of our review comments so that others may be
cognizant of our planned efforts.
Our initial review indicates that the Reactor Safety Study provides
an innovative forward step in risk assessment of nuclear power reactors.
The general methodology and approach utilized in determining risk levels
developed in the Reactor Safety Study appear to provide a meaningful
basis for obtaining useful assessments of accident risks at nuclear power
plants. Certainly, significant improvements in obtaining and utilizing
nuclear plant operating data could considerably narrow the uncertainty
range of risk estimates. We do, however, believe that certain aspects of
-------�
the report require modification and information additions. In particular,
the consequence modeling assumptions appear to underestimate the health
effects resulting from the accident sequences associated with the larger
releases of radioactivity. It is uncertain what the impact of this
apparent underestimation may be on the resultant risk assessment.
Although the report does not make an absolute judgment on nuclear
power plant accident risk acceptability, the comparative risk approach
highlighted in the summary and the main volume of the study will certainly
imply an acceptability judgment to the average reader. EPA recognizes
that the comparative risk approach is a first step in addressing this
question, but by itself is misleading. However, studies in progress by
EPA and others indicate that judgments on "risk acceptability" are
extremely complex, with comparative risk evaluations representing only
one of numerous inputs which must be considered.
We are interested in the plans for application of this methodology
to other reactor systems and other components of the nuclear fuel cycle.
Certainly, we would recommend that studies of this type should be con-
sidered by the applicable AEC successor and that their intent in these
areas be publicly stated.
We would be pleased to discuss our comments with you if they require
any clarification.
Sincerely yours.
W. D. Rowe, Ph.D.
Deputy Assistant Administrator
for Radiation Programs (AW-558)
Enclosure
-------�
ENVIRONMENTAL PROTECTION AGENCY
, 0. C. 20460
November 1974
Garments by the Environaental Protection Agency
on
Reactor Safety Study
AN ASSESSMENT CF AXH3ENT RISKS IN U.S. COHEICIRL
NUO£AR POGR PUNTS
-------�
Table of Contents
Page
Introduction and Conclusions 1
Assessment of Accident Risks. 0. 5
Calculation of Reactor Accident Consequences 6
•
Accident Sequences, Reactor Meltdown
Processes and Radioactivity Releases 11
Definition of Failure Data and Pathways 16
Design Adequacy 19
Sunmary Report, General Contents 20
Additional Contents 21
Attachment - Contract with Interraountain Technologies,
Inc. - Continuing VASH-1400 Rewlaw Tasks
A. Failure Mode Paths Selected for Review 34
B. Critical Radiological Source Term Parameters
Selected for Review 34
-------�
INTROnUCTION AND CONCLUSIONS
Review Perspective
The Environmental Protection Agency has completed a preliminary
review of the draft report "Raactor Safety Study - An Assessment of
Accident Risks in U.S. Commercial Nuclear Power Plants," WASH-1400,
prepared by the Atomic Energy Commission. Our review process will
continue through April 1975 at which time we will issue a final set of
carmants. During this period of continuing review, we hope to maintain a
close liaison with those responsible for the Study so our final commants
will reflect an up-to-date awareness of any resolution attained regarding
comments by EPA or others on the draft report.
EPA* s review of the Study cannot be considered as exhaustive in that
many of the calculations! details and data base have not been checked.
Our focus has rather been one of emphasizing a review of major
assumptions, concepts, methodology and approach. Although EPA's
resources are limited when compared with those utilized in the
development of the Study, it was deemed necessary to do as comprehensive
a review as possible due to the many significant implications the Study
has with regard to areas of EPA responsibility. EPA's primary concerns
deal with the health and safety of the public and the protection of the
environment from the consequences of accident releases. In this respect,
we are involved in the planning for mitigation of these potential
consequences, including the development of appropriate Federal guidance,
and in assuring that the public risks incurred are societally acceptable.
Within this context we attempt to maintain cognizance of accident
analysis activities so that wa can be continually aware of both the
probability of accidents and the consequences for such accidental
releases. Due to the importance we attach to this subject and the broad
range of subject matter considered in the Study, we believe it is
imperative that it receive a thorough and critical review by the general
technical ccmnunity and the public. We realize that much of this review
that we suggest IB already underway or planned. However, we feel that
continents developed on the Study should be referenced in the final version
of the Study and copies of these reviews should ba publicly available.
In continuing its review, EPA has contracted with Intermountain
Technologies, Inc. to assist us in the evaluation of the range of
applicability of the various analytical models and assumptions utilized
in the assessment. The preliminary work plan for this effort is
presented in an attachment to our comments. If, in the initial stages
this detailed review of the selected failure mode paths or critical
source term parameters indicates a general agreement with the Study1 s
evaluation, that portion of the investigation will be terminated and
other failure nods paths or source term parameters may be substituted in
this work plan.
-------�
Review Format
Pol lowing this Introduction and Conclusions section, our review takes
up individual groups of volumes of the WASH-1400 document by first
presenting general comments and then specific comments. This sequence
begins with the main volume of the Study and continues with Appendix VI
(environmental consequences); Appendices V, VII, and VTII (accident
sequence, meltdown processes, and radioactivity releases); Appendices I,
II, ill, and 2V, (definitions of failure pathways), Appendix X (design
adequacy) and the summary volume, in that order. The last section of our
review presents Additional Ccrarents in order of the Study volumes
themselves. These latter cements were not felt to be of the same level
of significance as those referred to in the previous sections of our
review.
Main Gonrnents and Conclusions
EPA has made a broad spectrum of specific comments on the Study,
realizing that they have varying degrees of, impact on final results.
However, as the document is bound to be used as a reference for many
follow-on studies and analyses, we feel it is desirable to make it as
complete and accurate as possible in all its facets. EPA's rnain oontnents
and conclusions, although of a preliminary nature, are as followss
1. The Study is innovative in both its concept and methodology and
provides an innovative forward step in risk assessment of nuclear
power reactors. In this respect, the ABC is to be oonrosndad. The
general methodologies and rationale developed in the Study to
determine risk levels appear to provide a meaningful basis for
obtaining useful assessments of accident risks of nuclear power
plants.
2, Appendix VI (environmental consequences) received particular
attention in our review due to its pertinence to EPA concerns. TMs
appendix was found to be quite weak in a number of respects and not
up to the general thoroughness that appears to permeate many other
sections. Our prelJUninary review indicates, for example, that if the
recommendations of the HEIR Report are followed, the consequences
estimated in the Study may be low, in certain cases, by factors of 2
to 5. In addition, the evacuation model assumed for tha reference
case consequence calculation also appears somewhat overly optimistic.
leased on the information presented in the Study, this could increase
consequences by at most a factor of 2 to 4 (i.e., no evacuation}.
Therefore, the combination of these factors could result in an
underestimate, by about an order of magnitude, of the consequences
associated with the "high" release accident sequences. Since the
liigh release accident sequences are significant, but not dominating,
contributors to the overall risk assessment, the resultant assessed
-------�
risk magnitude would be increased but by a lesser factor. It is
suggested that appropriate modifications should be made or the
rationale for utilizing other assumptions should be provided.
Furthermore, the description of certain critical portions of the
overall calculational process should be significantly expanded to
permit a clear understanding of the relationships between the
radioactive material releases, its dispersion, population
distributions, and the resulting health effects.
3. Although the Study indicates that no absolute judgment on
nuclear power plant acceptability is intended, the comparative risk
approach highlighted in the summary nay well imply an acceptability
judgment to the average reader. It should be further pointed out in
the report that the comparative risk approach is only a first step in
addressing this question and by itself can be misleading. It can be
noted that studies in progress by EPA, National Science Foundation,
and others, indicate that judgments on "risk acceptability0 are
extremely complex, with comparative risk evaluations representing
only one of numerous inputs which must be considered.
4. As can be expected with such a voluminous report, a number of
apparent inconsistencies, format difficulties, and cases of
insufficient supporting information were encountered. Particularly
in Appendix II there were inconsistencies in identification of
components and levels of detail in the various fault trees and system
descriptions. There were also problems with the lack of a readily
accessible glossary of abbreviations and with inadequate cross-
referencing among appendices. It is suggested that the Study be
subjected to the necessary editing to eliminate abbreviations
wherever possible, glossaries be added for those abbreviations used
(e.g., foldout in Appendix I) and the cross-referencing between
appendices be improved. The formats employed in Appendices III and
VII are worthy of consideration for use in all appendices.
5. There is some concern relative to a lack of certainty as to what
tie follow-on actions in this program area will be. This is
intensified by the recent reorganization of the ABC and its functions
and lack of definition as to where this effort will be picked up and
continued. We would expect that some follow-on effort should be
directed toward additional verification that the design, operational,
or other variations among the 100 nuclear plants to which the Study
is applied, do not significantly affect the overall risk calculated
by the Study. Of major interest would be consideration of other
plant designs such as Westinghouse 2 and 4 loop reactor coolant
systems, and BWR Mark II and III containment designs. Other items
such as the use of hydrogen recombiners and differing modes of
containment spray injection should also be considered for
-------�
examination. It is realized that in many of these cases what may
appear as a significant difference on the system or component leval
may not significantly change the overall risks but some docunentation
of this should be presented in order to show that to be the case. A
further concern relative to continuing effort in this area but not
related to this specific Study is the application of this methodology
to other reactor systems and other components of the nuclear fuel
cycle. Certainly we would recommend that these studies slftould be
considered by the applicable ABC successor and that their intent in
these areas be publicly stated.
-------�
ASSESSMENT OF ACCIDENT RISKS IN U.S. QOMMEgCIAL NUCLEAR POMER PLANTS
MAIM VOLUME
General Cpmmantg
The main volume presents a well written introduction to and summary of
various analyses presented in the supporting appendices; therefore,
comments on the material within this volume are generally covered
elsewhere in this review. The discussion in Section 5.3 pertaining to the
process of assessing release category probabilities was especially
informative. The assignment to a category release probability of a 10%
contribution from adjacent categories certainly adds a significant element
of conservatism to the resulting probability values. The Study also
attributes additional conservatism to the Monte Carlo process used to
assess failure rate median values. However, the degree of conservatism
attached to the Monte Carlo process throughout the Study, relative to its
ability to compansate for wide ranges in available input data, may be
somewhat misleading, especially if the log normalized data are "processed"
through a series of "and" or "or" gates. It would appear that, in such
cases, the Monte Carlo process would be expected to yield a point estimate
similar to that attained through a straight additive or multiplicative
process of input value median value failure rates, with an associated
error factor. Although the Monte Carlo process is statistically correct,
a further explanation of this process indicating the differences batwaen
it and the point estimate approach should be presented with regard to the
evaluation of associated error factors, however, it should be noted that
statistical techniques such as this, although appropriate analytical
methodology, can never conclusively show that all critical pathways to an
accident occurrence have been ccnoidered.
Chapter 6 of the main document presents a comparison of the nuclear
accident riflks to other societal risks. Although the Study does not make
an absolute judgment on nuclear power plant accident risk acceptability,
the comparative risk approach oortainly implies an acceptability judgment
to the average reader. EPA recognizes that the comparative risk approach
is a first step in addressing this quastion; however, studies in progress
by the H>A and others indicate that judgments on "risk acceptability" are
extremely complex, with comparative risk evaluations representing only one
of numerous inputs which must ba considered.
Specific Conroants
The question of applicability of the Study results to all current
commercial water reactors is very pertinent. The discussion on page 27
appears to be the only place in the entire report that the question is
considered, and only a brief general assessment is attempted. It is
generally recognized that there are certain design differences in Babcock
& Wilcox and Combustion Engineering plants as well as the Westinghouse
plants of four-loop design (more common than the three-loop system
selected)» Similarly, the BWR containment design, in particular, has
-------�
undergone two major changes (the Mark II and Mark III containments) since
the reference design Peach Bottom plant, which would be expected to at
least change the details of the containment response analyses. It would
appear that tlie Study could benefit significantly by recognizing these
design differences and presenting the necessary arguments which support
the thesis that these design and response differences at the system design
level do not have a major effect on the overall risk assessment. Further
discussion appears warranted and any continuing analyses by the ABC to
furtjier verify this conclusion should be inducted.
On page 45, the safety inprovement analogy with the aircraft and
automobile industries regarding increasing safety with development is
questionable. In both of these cases, safety iflprovemants were
accomplished by utilizing accident experience data. Although there has
been significant variance in safety between particular designs in tJiese
industries, hopefully, similar significant differences will not be the
case in nuclear plant safety designs. Furthermore, these industries have
received increasing governmsnt control with the rise in concern over
inadequacies.
On page 104, the argument for overproduction of fission product
release from molten fuel appears to be partially contradicted by the
discussion in the second paragraph under Meltdown Release Qcmppnent on
page 8 of Appendix VII. Similarly, the large surface area to volume ratio
of the molten fual described on page 119 should enhance the release of
isotopes rather than "limit" it, as indicated. The discussion on page 109
of reduced doaas associated with wind direction change conditions may be
offset by increased evacuation difficulties. It is not clear if tliis has
been considered.
CAICULATICM OF REACTOR
Appendix VI
General Comments
Appendix -VI appears to need substantial modification and information
additions, especially with regard to the health effect calculations. The
approach and methodology, although possibly adequate for the purposes of
die Reactor Safety Study, should not ba precented as the approach and
methodology which calculates the consequences of accidents "as
realistically as is now possible," as indicated in the USAEC's Interim
General Statement of Policy on VBVSH-1400, dated August 28, 1974.
Although some of the factors affecting consequences are adequately
discussed for the purposes of this report, there is no description of the
overall calculational process which would permit a clear understanding of
the relationships between the radioactive material releases, the
-------�
dispersion, the population distributions, and the resulting health
effects. Obviously, many refinements to the various calculation models
are available. Those which were assessed and found negligible in effect
for the purposes of this report should be discuceed to give a better
appreciation of the range of applicability of ths calculation model used.
Specific Ccranants
The reasons given in Section 6.2 of Appendix VI for selection of
critical radioifiotopas do not support the omission of plutonium-241. Data
presented by the UBAEC in the draft WftSH-1327, "Generic Environmental
Statement on ths Dae of Recycle Plutonium in Mbted Oxide Fuel in LWR," on
pages 1*13, I (A)-2, and 11-20, indicate that for exposure by inhalation
of plutaniia within a few years after its production in the LWR uranium
fuel cycle, Pu-241 contributes nnre to the dose than Pu-239. Similarly,
the data referenced by the Study (ICKP-II) and the plutonivxn isotopic mix
of WASH-1327 indicate that Pu-241 contributes more to the dose tlian Pu-239
in the majority of the organ doses considered in Table VI-16 of Appendix
VI, the proportion of their contributions depending upon the solubility of
the plutonium cscosol.
The discusoion of meteorological models and assumptions should be
expanded to diecuse the expected calculational differences incurred with
the Study's uea of a simplified model as opposed to the more conventional
but complex models in general use. For example, it is inferred from the
discussion on page 16 of Appendix VI that much of the meteorological
frequency information is taken from greater heights than the release
heights predicted in this Study. Since wind velocity generally increases
with altitude, using such information will tend to decrease the estimated
downwind dose levels. The acute health effects, therefore, could be
underestimated. Furthermore, the uniform distribution in the crosswind
direction used in the atmospheric model, as described in Section 6.4 of
Appendix VI, is also likely to produce an underestimate of acute health
effects, since the sector averaged dose estimates should be lovsar than
actual peak doses. Finally, without consideration for wind maander, the
constant angular widths chosen appear to broaden the plume more than would
be expected (Raf. Figure A.2, page 408, of "Meteorology and Atomic Energy
- 1968"), again contributing to lower peak doses and thus fewer acute
health effects. It is judged unlikely, however, that any underestimate of
acute health effects resulting from the treatment of meteorological
information and the dispersion model is greater than a factor of two.
-------�
Tire model selected to account for the effect of evacuation on the
calculation of medical consequences is described on page 31 of this
appeixlix. An EPA report, "livacuation Risks - An Evaluation/1 EPA-520/6-
74-002, is referenced in support of certain assumptions used in the
evacuation model. Mthough a number of parametric calculations relating
to the evacuation model assumptions are presented in Table VI-21
(including a no evacuation case study) , we believe the base case
evacuation rncdel to be overly optimistic.
The fPA report on evacuation risks was primarily directed at an
assessment of the risk of death and injury, and the costs associated with
past evacuations of population groups. The data and information utilized
in tliis study v/ere obtained by contacting persons and organizations
involved with previous evacuations precipitated by natural or man-made
causes. Factors which were hypothesized to influence the time required
for the historic data base evacuations included: (1) tune lapse before
onset of inciden£, (2) availability of evacuation plans, (3) time of day,
(4) weather conditions, (5) population size, (6) area size, (7)
dvaracteristics of the area, (8) conditions of roads, (9) nature of
incident, (10) warning time, and (11) population density. No correlation
with evacuation times could be determined for parameters (1) through (9) .
Similarly, since warning time was generally not separable f ran the ,tiwe
associated with acocrnplishment of the evacuation, no quantitative
evaluation of this parameter was made. A correlation of evacuation times
with population density, however, was performed assuming independence from
other parameters. A trend showing an increase in time required for
evacuation was indicated as population density decreased* In applying
tliis conclusion to evacuations which may result from potential nuclear
accidents, an element of caution needs to be exercised. It should be
remembered that the data on historic evacuations generally include
situations applying to small areas or in the case of larger areas, when
there is a lengthy forewarning time. More significant is the fact that
evacuation travel distances were almost always short and safe destination
points were generally obvious.
Since the evacuations called for in the larger consequence accidents
appear to involve evacuation areas of a few hundred square miles, the
application of evacuation tima requirements from the EPA evacuation study
to areas of this size is questionable.
Mthough the Appendix VI discussion states that an outermost liiiut for
evacuation of 20 miles was assumed, it is not clear how this evacuated
population segment is treated in terms of actual dose received.
Siioilurly, in the assessment of property damage on page 63, the
of fectivoness of the 10 ren calculated yearly dose as a basis for
temporary evacuation is unclear since the expected dose rate as a function
of time is not indicated.
-------�
The assumption stated on page G3 regarding a first year projected dose
of 10 rem as the criteria for determining the decision to evacuate nay he
unwarranted,, A suggested value of 10 to 20 rern is cited, but tlte
reference, although relevant,, does not contain such a suggestion,, In it,
the reccsmmsndation is made that for snail population groups, the use of .
evacuation as a protective action be oonsideml if the anticipated
exposure during 30 days might esccead a whol® body dose of 2 rad or a
thyroid dose of 10 rado The reference suggests that undor Icjss favorable
ciEcvs^stances evacuation might net, be considered as a protective action c
unless larger eKpoeores were anticipated0 The reference '.Ices not support
the implication that 5 rem per year or less is acceptable becausa it is
baldtf the oocupatia?ial dose limit? nor dcas it suggest 10 rein or any other
projected dose as a criterion far dsoositsmimtiosio
The evaluation of health effects appears to require signifleant
modification and information additions 0 Our preliminary indications are
that if the HEIR Report (The Effects on Populations of Exposure to I
-------�
10
diseases ;.ind 1-100 congenital anomalies in the first generation after
cxjjosure. However, this is 1/5 of tlia total Iirpact expected. An
additional 40-400 dominant diseases and 4-400 congenital anomalies should
be attributed to future generations (page 53 P23IR).
The reference for the numbers in rads used as criteria for estimating
acute effects is not presented. The average dose which will cause
fatalities to 50% of the people so exposed in 60 days is given by
Luahbaugh, Comas, Edwards, and Andrews (Sect 17 in ADC CQJF G00410, 1964)
as about 235 rads. These autliors estimates for the dose wliich will cause
fatalities to 10% of the people so exposed, I&LQ, ^ of the ortlfir of .75-80
rads with a range of about 40-120 rads. This estimate is of the same
order of magnitude as the estimate of less than 5% mortality in the dose
range of 40-140 rads given in NCRP Report #29. Therefore, the states .lent
on page 37 that there is little chance of death from doses below 100 rads
appears sarewhat optimistic for estimating the possible effects on a large
[opulation. A more accurate estimation of effects would be made using an
cippropriately justified probit analysis with perhaps a cutoff at 40-50
rads.
On page 50, a statement regarding the deleterious genetic changes
exiected per ltf> man-rem of exposure is presented, wliich also appears to
) e a misinterpretation of the HEIR Report. The HEIR Connittee estimated
ijiat tte average mutant persisted in the population for five generations
riot "...in the first and also in all generations..." Therefore, the total
increments shown in Table VI-14 should be five tines greater.
Similarly, the quotation from the HJIR Report (page 91) appearing on
pages 52-53 is truncated to an extent that, in our opinion, a
iid:{interpretation of the BEIR Report results. The paragraph quoted
continues: "By extrapolation, it can be estijnated that the number of
deutlis per 0.17 rem per year in the entire U.S. population may range
rouglily from 3,000 to 15,000 with the most likely value falling in the
r-.uige of 5000 to 7000 (or 3500 per 0.1 rem per year)." Utilizing this last
estimate, tine excess mortality from all forms of cancer calculated in WRSJI
MOO would be almost doubled,-^
Possible clinical effects from acute radiation exposure other tlian
(.loath and radiation sichness are discussed only briefly on ]»ge 46. For
cixorople, temporary aspermia in the male has been observed following
*ixposures as low as 12.5 R. The personal trauma of being unable to
reproduce or of it being recamended that no attempt be made to conceive a
diild for some extended period after exposure is not negligible, at least
J:or normal "peacetime" operations. Furthermore, tte disruption of the
liomeostasis of the finely tuned endocrine system, while possibly amenable
to Jionnone replacement therapy, does not necessarily represent
insignificant individual trauma or financial burden. Therefore, a
significant expansion of this presented discussion appears warranted.
-------�
11
AcciniNr SKQUENass, REACTOR MELTDOWN PROCESSES AND
RADIO/O'IVITY. RKIEASCS Appendices V, VII and VIII
General Garments
Tlmse appendices, which follow various accident sequences through the
meltdown process and associated releases of radioactivity, represent a
significant effort to quantify the consequences of reactor meltdown
accidents. It is recognized that to present a meaningful di55cussion of
the r:any accident sequences evaluated, to relate these sequences to the
timing and physical processes associated with a reactor meltdown, and to
predict the resulting radioactivity releases via several containment
failure mechanisms is a formidable task both technically and
documentarily.
Of these three appendices, Appendix V (possibly because it pulls
together much of the information presented in Appendices VII and VIII)
appears to require some additional effort to resolve apparent
inconsistencies and to supply additional information on accident sequences
other than the large LOCA. Furthermore, the Study should higMight and
expand the sensitivity analyses on BOGS functionability and the evaluation
and significance of the various containment failure mode probabilities.
Our comments on both Appendices VII and VIII are dealt with in the
specific ccnroant section which follows.
Specific Comments
Appendix V
One problem in reviewing Appendix V involves apparent inconsistencies
between tlie various tables which relate accident sequences to release
categories. For example, on pages 21 and 24 (Tables V-3 and V-4), it is
not clear how these lists were compiled. Doth tables do not include some
of the daninant large LOCA sequences from Table V-6 (e.g. AF--$»> and ACD-& •
in category 1, and AF-<5 in category 3) but do include sequences which are
not considered dominant (e.g., ACDGI- a *). Based on the diEJcussion (page
140), it is alao not obvious why sequence ACDGI—a is classified as
release category 1 instead of category 3. Furthermore, in comparing the
probabilities given in Table V-6 with the relative containment failure
irtxie pro) abilities listed in table 2 page 124 of the attachment, certain
sequences listed as "other large LOCA accident sequences" appear to be
significant contributors to a release category probability (e.g., category
2, MIF - °, 3xl(T*fc AD-6 , 4 x 10~U). If these contributions are
numerically correct, tlic sum appearing at the bottom of the table must
only represent the sum of the listed dominant sequence probabilities.
Since the large DXA's do not dominate the probabilities of Table V-16,
-------�
12
information similar to that presented in Table 2 of the attachment, page
124, applicable to small IDCAs and transients would appear pertinent for
inclusion in this appendix.
We would like to emphasize at this point that inclusion in a release
category probability estimate of a 10% contribution from adjacent release
categories adds considerable conservatism to certain sunned release •
category probabilities; however, an attempt should be made to correct and
clarify the interpretation of these suntnary tables.
In the discussion of the smoothing of release category probabilities,
p. 50, it is not clear hew the smoothing technique necessarily swamps any
common mode failure contribution. The presentation would also be
clarified if even just an illustration were included which would shew the
bar chart in Figure V-l reversed in relation to the severity categories.
Considering the interest attached to the ECCS functionability, the
discussion on pages 52-55 is especially pertinent. This sensitivity
analysis discussion might be considerably improved by not only relating
the BCF contributions to overall release category probabilities but also
to the "large HXA" contribution. This latter tBateaJmiship would otsKf D
larger percentage contribution. For example, given a large I0CA (AJ
Followed by BCF (E), one accident sequence would be AE- e with the asms
consequences as AIH-e (category 7). The probability would be AE~ e •» (1 x
10-4) (10~2) (•» 1) « 10-6 assuming the high end of the BCF failure rate.
Although this and other sequences would have a moderate influence on large
DDCA release categories, the limited impact on the overall release
category probability would be highlighted. Since the BCF failure
probabilities are of general interest, it would appear appropriate to
identify the rationale for assuming the failure occurrence range utilized
(10-2-. 10*"5). Considerable confusion is also caused by not including BCF
sequences in Table V-16 while including such sequences in Table V-6.
With regard to the BWR transient tree quantification on page 68, it is
not clear from this discussion, in conjunction with Table V-19, which
transients were slow enough such that credit for reserve shutdown can be
taken .
In attachment 1, Table 2, certain sequences are shown with
"containment rupture - vessel steam explosion" failure mode probabilities
of zero which are nevertheless estimated as 0.01 in Table V-6. Since
similar tables are not included for St and 82 initiating events, the
relationship between the various containment failure mode probabilities
shown in Table V-7 and V-8 cannot be determined (e.g., the relationship
between S2 C-4 and S2 Oa ). ,
-------�
13
Appendix VII
The information contained in Appendix VII is well presented,
sufficiently documented, and based on our preliminary review, presents a
reasonable appraisal of the extent of radioactivity releases.
In discussing the meltdown release component for alkaline eartlis and
noble metals (p.p. 11; 13), the probable values selector! appear somewliat
low if consistency with the selection basis of other released components
(e.g., halogen, alkali metals) is to be maintained. In fact, the text, in
discussing the alkaline earths, indicates a release range of 2-20% and
suggests that the probable value should lie in the upper portion of this
range, yet selects 10% as a most probable value.
On page C-l, last sentence, it is not clear what is referred to by
"...the LPCA's postulated; i.e., successful BOC and recovery,"1 since the
Study is concerned with many LOCAs in which successful BCC and recovery
are not assumed.
In outlining the accident sequence and core response on page C-2, tl>e
basis for the 100% rod failure at a maximum clad temperature of 2200 °F
should be stated since this failure value appears to be quite conservative
in view of vendor calculations (eg. Suw?y, Final Safety Analysis Report).
Also, in the discussion of six critical points involved with the
evaluation of the LOCA prompt release fission product source-term, the
term "release coefficient" (escape fraction) should be made consistent
with nomenclature used elsewhere in the report.
In Appendix K, p. K-19, it is not clear if the text is implying that a
potential important pathway for release of fission products, between the
containment shell and cofferdam, was not considered in f.he Study.
Appendix VIII
The discussion under "Limitations" on page 3 of Appendix VIII contains
a disclaimer regarding the potential non-applicability of "these studies"
(presumably core meltdown studies) to other FWRs and BWRs. As mentioned
previously under the specific ocronents on the main volume of the Study,
the discussion on this topic should be expanded.
In discussing the basic assumptions for the analysis of degraded
accident behavior (p. 7), the basis for assuming that "core melting would
take place without significant metal-water reaction and that there would
be no possibility of steam explosions in tiie reactor vessel" under
conditions of accumulator and pumped ECI failure needs further explanation
to account for the possibility of residual water being left in the vessel
from the blowdown process. With regard to the accident time scale, the
10- 11 second time quoted for essentially complete primary system
-------�
14
depre.'jsurization and tlie time of accumulator discharge appear a factor of
2-3 too short compared to the results in the paper, "Comparison of
Ttermal-llydraulic Response of LOFT and a Large PVJR to LOCA Conditions,"
authored by P. Davis and J. Ductone, presented at the topical meeting on
water reactor safety. CONF-730304, March 1973.
On page 12, the dismissal of the potential for a large energy release
from a steam explosion between tte molten core and water laden'gravel
seems to be contradicted by tlie Armco Incident describe^ on page B-2.
In describing containment response (p-13), the assvniTtion of LPRS
cavitation at the time of containment failure seems pessimistic, if
Regulatory Guide 1 is followed. The guide states, "Emergency core cooling
and containment heat removal systems should be designed so that; adequate
net i»sitive suction head (NPSH) is provided to system pumps assuming
maximum expected temperatures of pumped fluids and no increase in
containment pressure from that present prior to postulated LOCA."
The meltdown- sequence discussion, which includes QIRS and IPRS
failures (p. 17), describes the molten core vessel penetration and
interaction with the water in the reactor cavity and the GSRS water. Our
understanding is that the CSRS water should not be expected in the reactor
cavity except for possibly a small amount of leakage. If this
interpretation is correct, all sources for reactor cavity water need
further clarification. Similarly, on page 21 it appears that CSIS is
assumed not to deliver water to the reactor cavity while the opposite is
true for CSRS.
The assessment of containment failure mode probabilities includes the
probability of containment failure resulting from a steam explosion
estimated as P « 10-2 ( + i,-2). Since we are not aware of any discussion
which indicates that this probability is sequence dependent, the
probabilities associated with certain sequences in Table V-1G are not
understood (e.g., Sp-o, J x 10-* while SjD -£/ b x 10"$and naS2 C-a
which should be at least 2 x 10-* based on 82^-0 of 2 x 10"*). The
lattcir example may be eliminated because containment overpressure failure
occurs before initiation of core meltdown. If this or other sequences are
logical exceptions to the containment failure probability associated with
vessel steam explosion, the exceptions should be discussed.
Tte assessments of containment failure probabilities from hydrogen
combustion or overpressurization both are strongly dependent on the
assumed normal distribution of containment failure pressures of about 100
psia with a 15 psi standard deviation and containment melt-through time
(for which the meaning of the skewed distribution, 18(+10,-5) hours, is
not clear). Given tlie information in figures 4 through 9, general
correlation with containment failure mode probabilities listed In table 2,
attachment 1, Appendix V could be observed. However, such was not the
-------�
15
case for sequences AHF-6 and AB-6 . It would be helpful if the text
provided an example of such a calculation, which would define the various
probabilities listed in the text.
Additional clarifying remarks would seem appropriate at several points
within Appendix A, which discusses the thermal evaluation model. On page
A-16, the assumptions used for the core temperature distribution and
vessel water inventory following blowdown should be stated and justified.
Regarding the fission product release fraction equation, the basis
referred to should be specifically referenced. Similarly, the reasoning
for assuming no change in steaia properties due to hydrogen mixing should
be presented. Under the heading "Ccnvective Heat Transfer" the values
chosen for Tw and hg should be discussed since it would appear that h«
should vary with Qflt and pressure,,
On page A-33, a question arises as to whether vessel failure can occur
by fracture due to thermal stress occurring when the molten core contacts
the lower vessel head.
It is not clear on Page A-J6 if the continued addition of water on top
of the core melt could cause a steam explosion similar to the East German
incident described on page &-3.
The containment failure mode evaluation presented in Appendix E
considers several factors which could affect the ultimate containment
strength. Further discussion or clarification of the potential
significance of these factors on the assumed 100 ± 15 psia failure
pressure appears warranted. Since the assumed failure pressure could
alter the containment failure mode probabilities for several accident
sequences, an indication of the sensitivity of the release category
probabilities to a change in the assumed containment failure pressure
should be provided.
-------�
16
nEFINITICN OF FAILURE DftTA HID PAIHUPVYS
(Appendices If II, III, AND IV)
General Cormsnts
Our review of Appendices I and II has, for the most part, been limited
to questions regarding the treatment of (1) specific failure pathways
which ore not acknowledged in these appendices or (2) the rationale for
dismissal of other failure pathways or their relationsldp to assigned
containment failure mode probabilities. Review of certain sections of
Appendix II is presently anticipated in our continuing review of the
Study.
In our liinited review of Appendix IV, the role of the "common node
failure" in the overall risk assessment process is difficult to assess.
Sane methods, quantification techniques, causes and results are discussed
in Appendix IV, but the material necessary to properly understand the
total role and significance of common mode failures and to determine that
a reasonable degree of completeness has been developed appears to be
spread through Appendices I, II, III and V. Many summary statements in
the earlier and later sections of the report assert the significance of
oonmon mode failures without quantification or reference when, in fact,
the needed material is in other appendices. Further cxos£>-referencing to
such analyses and quantifications which support the assertions of tills
appendix could resolve these concerns.
Specific cornnents
Appendix 1^
In the DGCA functional event tree development (p. 13 footnote), it
appears that the containment building purge system has a probability of
failure which is not acknowledged. Sin4.1arly, the possibility of
containment overpressure failure prior to core melt which is treated in
subsequent appendices, is not included in the discussion on page 31.
In tho development of the PWR small LOCA event tree, Sj, p-132, it
would seem possible that vessel melt-through could occur while the primary
system pressure is above the accumulator injection pressure. After vessel
melt-through, the primary system pressure would be rapidly reduced,
allowing possible accumulator water injection onto the molten core,
potentially causing containment rupture from a steam explosion. It could
not be determined if the containment failure mode probabilities for So.
DOCA's considered this possibility.
-------�
17
With regard to PWR reactor vessel rupture, p. 141,. it is not clear how
the polar crane presents an effective missile barrier for the entire upper
portion of the containment.
On page 145, the reason for not considering rupture of steam generator
tubes and subsequent overpressurization of the secondary system with
potential for rupture outside the containment, should be stated.
SJjnilarly, on page 159 it is not obvious why the situation of automatic
trip failure occurring with loss of electric power sequence was eliminated
fron consideration.
Appendix II, Vol. 2
The discussion of tte electrical power system, offsite cannon mode
failures (p. 33), does not specifically indicate whether eartliquakes have
been considered in assessing common mode failures, especially for power
subsystems which are not specifically designed for earthquake response
(diesel fuel system). Similarly, in the text on page 35, a discussion of
how tlie failure analysis of the diesel generator system accounts for the
failure modes discussed would be an iiqportant addition to tMs section.
The evaluation of the reactor protection system (RPS) dismisses the
impact of a pressurizer vapor space rupture on the RPS (signal initiation)
failure probability. Since it is possible for the low pressurlzar level
signal not to function due to frothing, the effect of such a failure
should be addressed. On page 155, under CSIS failure modes, it appears
that the Refueling Mater Storage Tank (RMET), "suction line plugged,11
should also be listed under single failure resulting in luiavailability of
BWST water.
The Consequence Limiting Control System (CLCS) description on page 174
is confusing since it appears from this discussion that tlie operator may
not be able to switch from CSIS to CSRS until the containment pressure
falls to -0.5 psig (such a pressure may not occur in time to permit
successful switch of these systems).
The results of analysis of system interfaces under Low Pressure
Injection System (LPIS) indicates, on page 280, that momentary
unavailability of water at the start of LPIS pump operation is not
considered a failure, while unavailability of water to the CSKS is
considered a failure for the same reason (Appendix I, p. 102). A
clarification of this situation appears warranted. Also, in listing the
single failure-failure modes for LPIS (p. 284), consideration should be
given to pipe ruptures between J3 and either V4 and V5 (figure 11-53) and
to HWST pump suction drain plug.
In tire examination of potential faults for the Low Pressure
Recirculation System (LPRS) on page 498, it is not clear that pipe
-------�
18
ruptures between PI, P2 and J8 will not cause system failure. The flow
would split between the path to the oold leg and the rupture and,
depending on relative flow resistances, the delivery of water to the oold
leg may not achieve the necessary 300 gptn.
Appendix !!_ - Volume .3
In the evaluation of the BWR electric power system, an assumption is
made on page 27 that all emergency buses are available immediately prior
to a LOCA based on the Technical Specification requirement that the
reactor be shutdown if an emergency bus is not available. However, it
appears there should be a finite probability that all emergency buses are
not available^which should be dependent on the failure probability of the
failure detection system. Also in discussing off site power cannon node
failures, the emission of earthquake as an initiating event should be
addressed.
Discussion on page 134 relates failure of vacuum breaker valves in the
open position to the defeat of the vapor suppression function. It would
aeern appropriate that the assvmptions regarding the two or wore valve
failures required should be justified with calculations or referenced to
pertinent information. Similarly, the assumption on page 243 that rupture
of branch piping of 2-inch diameter or less will not significantly affect
core spray injection system operation at the time of a LOCA or during
injection requires justification.
Appendix III
This appendix on failure data is well written, well organized and
appears to be appropriately integrated into the Study. In our continuing
review, reflected in the attached work plan, EPA does intend to perform a
selective review of the failure rate data base.
Appendix TV
Our review of Appendix IV, to date, has been limited, especially with
respect to the analysis and quantifications applied in the Study;
therefore, our comments at this time are very general in nature. The
concept and influence of the "common mode failure01 appear to need
additional development. A distinction should be provided between the
causative effects of certain common mode failures in initiating accident
situations vs the influence effect of cannon mode failures resulting
during an established accident sequence (e.g., the influence of a check
valve slam and subsequent water hammer damage as a common mode* initiator
vs the consequence of such an event occurring during an accident in
progress).
-------�
19
The completeness of the consideration given to potential sources of
cannon mode failures also appears to require some expansion. Although?
through searching in other appendices, it is evident that particular types
and areas of cannon mode failures are considered, sources,, such as the
requirement for pump inlet subcooling for emergency coolant recirculattng
systems, pump bearing lubrication systems, instrument and component
service water and air, heat tracing for plateout prevention, control roan
and cable tray fires, drain plugging of storage voter systems, etc, ought
to be discussed and treated in Appendix IV to support the claims and
assertions developed.
Finally, the treatment of the method of screening for relevant comon
mode sources discussed on pages 18 through 39 appears credible but is
unsupported and in need of tabular listing of (or reference to) the
"numerous" types of sources considered in order to demonstrate that the
method is indeed comprehensive in identifying all conceivable component,
system, and operation vulnerabilities to caiman mode failures. The
examples cited are useful but create questions of "vihat else," "how many,"
and what does a complete list look like.
DESIGN ADEQUACY
(Appendix X)
General Garments
This appendix does not appear to be tied in with the rest of the
Study- There is no mention of how the results of this Study were utilized
in the risk assessments. Since Appendix X indicates that a significant
number of the systems examined were either not properly qualified, not
properly analyzed, or didn't meet current standards, it would seem very
important that these deficiencies be readily traceable to tlie quantitative
risks, or that they be shown to be peculiar to the plant analyzed.
Specific Garments
The section on seismic loads (p. 47) appears incomplete in that current
design response spectra were not evaluated for the structures and
equipment. On pages 52 and 57, it is stated that the current spectra
would increase seismic loads (by as much as a factor of 2). It is not
clear what these increases moan relative to the general seismic
vulnerability of the 100 plants and what risks are associated with the
increases.
-------�
SUWAJY REPORT
General Garments
The summary document is a relatively well written volume, which
satisfies its intent through a question and answer format. Our comments
on certain quantifications of assessed iirpact are incorporated into our
review of the Appendix VI volume. Of particular interest was the
discussion comparing the Study predicted consequences with the earlier
WASH-740 evaluation. It would appear that the significance of the four
factors leading to differences in the two studies is substantial. Plume
rise and evacuation and possibly population, as treated in WAS13-1400, have
relatively little inpact on consequence when compared to the effect of the
differences in assumed release of radioactivity to the environment. The
Study indicates that given a PWR core meltdown event, a chance of only
about one in one hundred exists that the resultant containment failure
mode will be other than melt-through with its relatively insignificant
radioactivity release. A somewhat similar case exists for the BWR
meltdown event where a chance of only one in ten exists that the
containment failure mode will be other than containment isolation failure
in the drywell with, again, a relatively insignificant release of
radioactivity. It would appear appropriate that the discussion of this
variable in the summary document should be
-------�
21
Additional Odctnants
Main Volume
Clarifications
1. Page 122, Table 5.2 - It is not clear why AB, ACHF, SjB and SjB do
not lead to containment failure by overpressure since loss of containment
heat removal should lead to overpressure failure.
2. Page 126, Section 5.3.2.1 - The definition of a large IOCA being
a rupture equivalent to a hole greater than 6 inches in diameter is not
consistent with the definition used by vendors, AEORegulatory, etc.,
which is a 0.5 ft2 (9N hole). It is not clear why a different definition
was chosen her*.
3. Page 154, item (1) - The SL-1 accident was a military power
reactor nuclear accident which resulted in 3 fatalities. It appears that
the statement ignores the SL-1 accident.
4. Page 216, last sentence in Section 6.4.7 and Figure 6-10 - The
statement that the calculated probability of a dam failure resulting in
10,000 fatalities "...agrees with the extrapolation of the data..," does
not appear justified. A straight line can be drawn through the three
data points (as was done in Figure 6.9), and, if anything, an upward
inflection of the curve IB indicated by the data, rather' than downward as
drawn, to include the calculated point.
Editorial
1. Page 146, Section 5.4.4 - The source for the probability of
aircraft iapaot accidents should be referenced.
2. Page 150, Section 5.4.6 - Near site explosions, which must be
considered for reactor sites, are not mentioned.
3. Page 200, Section 6.4.1, 1st sentence - The reference does not
agree with the reference at the end of Table 6.8.
4. Page 204, reference 1 - This reference appears incorrect,
"...North Atlantic Hurricanes...11 since the Galveston hurricane is
apparently included (II, described on page 200).
5. Page 205 - The average number of tornado fatalities is stated as
118 while the dte&aien indicated vields a value of 46.
-------�
22
Appendix 1^
Clarifications
1. Page 83, Figure 1-13 - It is not clear why the success path for
containment leakage is chosen as the drywell and the failure path, the
wet well. Wet wall leakage should produce the lesser consequences due to
fission product scrubbing in the torus (see Appendix I, page 37).
2. Page 102, 3rd sentence, and page 134, item F. - The basis for
the CSRS failure assurrption is not clear since CSRS should eventually
operate.
3. Page 199 - Further justifications of the unanticipated transient
probability of 10"5 per year should be presented.
4. Page 205, Figure 1-28 (also Footnote 1, page 207) - The RPS
failure probability for unanticipated transients (Part C) has been
increased from 4 x 10"7 to 4 x 10"6 to account for the fact that only the
scram system may be effective for reactor shutdown. This reduction does
not agree with the fault tree at the bottom of page 68, Appendix V, which
assigns the failure of RPS to scram a value of 1.3 x 10"5.
Editorial
1. Page 45, 3rd paragraph, 1st sentence - It appears that CR-VSE
should be CR-CSE.
2. Page 77, Figure 1-10 - The IJPIS is missing from the BCI segment
of this figure.
3. Page 198, 1st paragraph - The apparent distinction between a
transient which causes a IOCA and a transient which causes a ruptured
reactor coolant system is not clear.
4. Page 222, 4th sentence under KHK3 - This sentence isMt
complete,
5. Page 233 - These footnotes appear to be used in Table 1-13, but
the heading does not match the heading for Table 1-13.
6. Page 259, item 5 - This item appears out of place in that it is
not a "...design feature provided to keep the likelihood of loss of pool
water small..."
-------�
23
Appendix II, Vol. 1
1. Page 11, last paragraph - This disclaimer paragraph seems to
indicate that if data did not exist for a particular system failure
contribution, it was not considered.
Appendix II, Vbl 2
Clarifications
1. Page 253, item 3 at top of page - There does not appear to be any
basis for the assumption that pipe ruptures of 2 inch diameter or less
will not cause failure of accumulator injection,
2. Page 385, Introduction - It is not clear if the SZCS analysis
also applies to the snail break case.
3. Page 490, top of page, and page 529, 1st paragraph - It is not
clear how realignment of the 1PR system to the hot legs will prevent an
"undesirably high boron concentration or accarulation of residue and
debris in the core that cou.lrt result from continuous boiling. " LPR system
water injected in the hot legs will enter the upper plenum, run down the
outer (cold) core and core structure region into the lower plenum, and be
available for boiling in the hot central core region.
4. Page 490, top of page - It appears that closure of Vj£ is also
required to effect the realignment.
5. Page 501, 2nd paragraph - It is not clear why air suction from
the BW9T occur* for this failure in view of the
-------�
24
Appendix III
Editorial
1. Page 187, first line - The bibliography section mentioned here
appears to be missing.
Appendix IV
Clarifications
1. Page 43 - Results of the susceptibility analysis are presented
but no specific reference is given to vjhere the analysis is presented and
the specific fault and event trees to which it was applied.
Editorial
1. Glossaries and definitions are sorely needed for this appendix,
not only to track the latter sections in relation to Appendix II, but to
understand the distinctions between the PWR and BWR treatments.
2. Page 8 - The treatment of ideas at this early stages in the
appendix requires the reference to other unspecified appendices in order
to understand the terms used and messages developed. An introductory
tutorial treatment with a description of the other appendices which
intimately interface with Appendix IV is needed.
3. Page 8-15 - This section could benefit by specific cross
references, examples and limited numerical results to give significance
and meaning to this important portion of the report.
4. Pages 40-41 - The list of "classes of potential common raode
mechanisms" could benefit by a sub-category of items under each major
topic to provide an index of completeness, e.g., where would failure
causes fall for wearout due to exercising a given component; or for
partial or delayed performance due to degradation from lack of service,
or for transient behavior of a component (check valve water hammer).
5. Pages 40-63 - Although Sections 3.3 through 4.0 portray a
reasonable description of the methods applied to the ""quantif ieations6' in
the study, the interpretation could be considerably aided by examples
with numerical results or tabulations, such as that of Tablet IV-4 on
coupling probability.
6. Pages 65 and 87 - These two sections are intended to treat PWRs
and BWRs separately and this should be stated in the introductory
paragraphs.
-------�
7. Pages 65-98 - This Section, "Siatmary of Results," acknowledges
the performance of the "fault analysis" in Appendix II and fron those
results identifies selected "sequences in the event tree...chosen
because...(of) some potential susceptibility for common modes" and
develops "impact" conclusions as "insignificant," "minor impact," etc.
The support for and meaning of these conclusions should be identified.
The event sequences selected for the follow-on discussions appear
without comparative discussion to other cases which have been dismissed.
Although these discussions improve one's insight to the "controlling"
common mode sequences, tabulations or some form of overall results
presentation should be developed to enable the reader to gadn a "feel"
for the relative influence or "impact" of other sequences which could be
important to plants of newer design than those chosen for analysis. The
companion treatment given to the BWRs (page 87), although different in
style, is equally obscure in portraying understanding and confidence that
the treatment of common mode failures is comprehensive and complete.
APPENDIX VI
Clarifications
1. The description of the release and dispersion calculation in
Appendix VI appears sketchy in that there is not a clear description of
the radioactive material release magnitudes as a function of time over
the release durations presented. Thus, any interaction of the airborne
release with the population being evacuated cannot be evaluated. The
description suggests that the fraction of core inventory released is
modeled as a uniform release over the indicated duration of release. An
alternative model could be a distribution of discrete releases as shown
in Figure J-8 of Appendix VII. A clarification of this subject is in
order.
2. The discussion, of the consequence calculation and population
distribution patterns of Appendix VI does not describe the model of the
population distributions used for calculation of consequences within 70
miles; i.e., it is not discernible from the information presented whether
the sector population, originally obtained as a function of distance from
the reactor, was averaged over the first 70 miles or averaged over
segments of sectors using differences in the cumulative populations from
Table VT-6, or whether some other distribution model was used.
3. A more careful explanation of the population averaging method on
page 24 would be helpful. In particular, the top 1% sector's are
reflected in the peak case consequence results. The range of populations
averaged into the top 1% would clarify the nature of the top population
category.
-------�
26
4. 'Hie application of the plume broadening for meander over
extended periods of time, described in Section 6.43 of Appendix VI, needs
to be specified more clearly. Table VI-2 shows categories PWR 6 and PWR
7 having a duration of release of 10 hours and all other categories
having shorter releases; it is not clear whether categories PWR 6 and PWR
7 are the only categories having "releases that last for many hours,"
i.e. categories to which the broadening was applied, or whether the
broadening was applied to shorter releases as well.
5. Because this appendix does not present the necessary information
regarding individual organ or whole body doses as a function of release
category and downwind distance, several questions arise as to the
significance of certain omissions from Table VI-16; namely, (1) lung dose
contribution from noble gas inhalation, (2) consideration of Pu-241, Am,
cm, and u releases, (3) releases of longer lived isotopes, such as 1-129
and H-3, and (4) any possible significant release of activation products.
6. With regard to the evacuation model, clarification is needed of
the manner in which the warning time for evacuation TJ (tine between
awarfsness of impending core melt and leakage for accioent type j) was
determined. It is observed that, in Table VI-2, this tine is constant
for each reactor type and independent of the containment failure mode,
and also that for release category PWR I, awareness of intending core
melt is immediate at the outset of the accident.
7. Page 36, Section 6.6.3. - This section is based on available
data and is apparently extended for standard man only. The uncertainties
in thn estimates, particularly as they apply to differences in age and
state of health, should be at least underscored and, if possible,
explored further.
8. Page 37 - The listing of peripheral blood element response
should be compared to data given by Wald (Chapter 23, Haeraatological
Parameters after Acute Radiation Injury, pp. 253-264 in Manual on
Radiation Haematology, IAEA Technical Report Series No. 123, 1971).
9. Page 47, Section 6.6.4.4. - Reference and justify assumptions,
particularly the "...slightly increased number of induced mutations." If
a value judgment is to be made, a frame of reference must be established.
10. Although reference is made to the BEIR Report, the discussion
regarding Table VI-13 is misleading. This table, taken from p. 171 of
the BEIR Report, refers to the "...absolute risk for those aged 10 or
more at the time of irradiation..." This is neither the complete estimate
of the BEIR Committee nor the only population considered.
11. Page 49, Section 6.6.4.3 - This section does not mention the
rather generalized "increased ill-health" considered in the BEIR Report.
-------�
27
.12. The discussion of thyroid illness on pages 53 and 54 appears to
need considerable clarification. In particular, the apparent treatment
of production of nodules as an illness requiring a surgical process is
not understood. For an estimate of nonfatal malignancies, reference to
the HtfIR Report would seem appropriate.
]3. Page 54, first paragraph - The assumptions on incidence of
nodule formation following thyroid exposure discussed on page 54 should
be justified. For example, data in Reference 42 of the subject draft
report suggest that, in a mixture of external and internal radiations,
yarnra and beta exposures are equivalent. The HEIR Committee points out
studies evidently showing a species difference in response to beta
irradiation of the thyroid and also points out the problems in some
available human and 1-131 data (a thyroid ablating dose is used).
While Reference 42 does mention thyroid nodularity incidences ranging
from 0.47% to 1.6%, it should be pointed out that the 1.6% incidence was
in a population of 30 to 59 years of age and 0.47% was in a general
population. The 0.36% to 1.7% values in controls in various studies
reflect small numbers in the populations and, perhaps, the regions of the
country from which the populations were derived.
Lilien, et al (AM Lilienfeld, M. L. Levin and 1. I. Kessler, Cancer
in the United States, Harvard University Press, 1972), suggest a thyroid
cancer incidence rate of 40/106 persons based on state tumor registry
data. Even if the ratio of fatal to occult cancers of 1 to 100 (ABOC
Tech Report 25-68) is used and the incidence of 40/106 thyroid cancers is
considered fatal, the total incidence of thyroid cancer would be 4000/106
persons. The relationship between these occult carcinomas and the total
number of nodules has not been established yet, but some nodules are
occult thyroid carcinomas. The nodules, as pointed out in Reference 42,
represent malignant and benign tumors, but also nodular goiter,
Hashimoto's thyroiditis, colloid diseases, local hyperplasia, local
lymphnodes, etc.
14. Table VI-15 is somewhat misleading in that it apparently refers
only to acute or subacute fatality and to "illness"1 in which thyroid
should not be included since nodularity is not an '"illness." The table
does not include all effects, e.g. effects of pituitary injury or
carcinogenesis, aspermia, etc.
15. References pertaining to in utero acute fatality and acute
somatic injury are as follows: Evaluation for the Protection of the
Public iii Radiation Accidents; IAEA Safety Series # 21, IAEA Geneva
(1967); Nokkentvod, K^Effect of Diagnostic Radiation on the Human
Fetus; Munksgaard, Copehagen (1968); Griem, M. L. The Ef*fects"o?
Radiation on the Fetus; Lying iji; Journal of Reproductive Medicine
1:367-372 TT968)» Hanintir-Jaoobsen, E. Therapeutic Abortion on Account of
-------�
X-ray Examination During Pregnancy; Danish nodical Bulletin. 6:113-122
71959); Brent, R.L. and Gorson, R.O. Radiation Exposure in Pregnancy
Current Problems in Radiology Vol. 215 (1972); Graham, 8., Levin, M. L.,
Lilienfeld, A.M., Schuman, L.M, Gibson, R., Dowd, J.D., and Hempelmann,
L. Preconception, Intrauterine, and Postnatal Irradiation as Related to
Leukemia, pp. 347-371 in Epidemological Approaches to the Study of
Cancer and Other Chronic DJaeases National Cancer Institute Monograph 19,
NCI (19367.
16. There is also no indication that individual organ doses have
been aggregated as "organ-ran" for sumnation in the estimate of "latent"
cancers and genetic effects. Estimates of some isotopes and the
distribution of organ doses and variations with age can be obtained from
such publications as ICRP-17 (ICRP Publication #17, Protection of the
Patirait in Radionuclide Investigations, Pergamon Press. 1971).
17. Page 55, Section 6.7.3 - The use of ICRP-2 dose models, while
defining what was done, does not seem adequate in light of advances in
the field of physiology and dosimetry. As pointed out by Eve (I.S. Eve.,
"A Review of the Physiology of the Gastrointestinal Tract in Relation to
Radiation Doses from Radioactive Materials," Health Physics 12:131-161,
1966) residence times and mass of contents for the GI tract used in ICHP-
2 may be in error by factors of 2 or 3 an various segments and the values
used for the stomach may be in error by a factor of 24 vrtian residency
time for inhaled material is being evaluated.
Dolphin and Ev« (G.W. Dolphin and I.S. Eve, "Dosimetry of the Gastro-
intestinal Tract", Health Physics, 12:163-172, 1966) suggest that
differences of the order of a factor of 2 result, when a more
sopMsticated GI tract model is used rather than the ICJ3P-2 model.
Eve also made pertinent comments on the dose to the ovary from GI
tract contents and the insensitivity of mucosal cells to radiation
exposure at a depth of less than 140 microns.
The lack of information on particulate aerosol characteristics of the
expected releases used in this section precludes applying the more
accurate Task Group Lung Model or determining the extent of departure
from the simple ICRP-2 model which would be expected. However, the
current biological half-times for the various isotopes could be employed.
18. In the evaluation of damage from an accident, 1:he health effects
and dollar costs appear to be considered as mutually exclusive. This
fails to consider the dollar coats of health effects. There is of
course, the obvious cost of lost productivity but it is also noted, for
instance, that thyroid nodules are passed off as being surgically
treatable with no consideration as to the dollar cost of that treatment.
-------�
29
19. In Section 6.8.4, Nan Oare Accidents, Table VI-23 appears to
over estimate the consequences by up to three orders of magnitude.
Editorial
1. In Section 6.4<,4, for the phrase in parentheses, "vertical
velocity toward the ground," substitute "ratio of the ground
concentration to the integral over time of the adjacent air
concentrations." This substitution will avoid furthering the false
impression that the deposition velocity is indeed the vertical velocity
toward the ground.
2. The PWR 7 category description on page II of Appendix VI needs a
few more words of clarification, since the sprays do not act on the
leakage occurring upward around the containment.
3. In the second paragraph on page 14 of Appendix VI, insert the
word "acute" before the word "illness."
4. On page 14, the sentence "It was fcwd, in particular, that the
wind blew 0.1% of the time toward the 0.1% highest population density
sector" needs clarification. The explanation On page 110 of tha main
volume is much clearer.
5. In Section 6.5.1, the reference to the isolated Idaho Falls site
is of questionable interest, since Idaho Falls is not the site of any
oorrmercial nuclear power plant.
6. Table VI-6, on page 28 of Appendix VI, needs correction in that
it shows, for categories 11 and 12, that the cumulative population
decreases as the distance increases from 2 mile® to 5 miles 0
7. Page 32 - Experience with human radiation effects is not small
and includes much more than Japanese data. The experience with acute
effects is much less.
0. Page 35, Section 6.6.2 - The question of prophylaxis and adverse
affects thereof is an open question. The fact that the treatment may be
worse than the disease in some cases should also be considered.
9. Table VI-II, page 40 indicates up to 5% mortality at 165 rad
(250 R) and a cutoff around 100 rad (150 R). Uncertainties in population
response suggest that there must be a range around these values and that
effects at lower exposure levels are possible.
10. Page 47, Section 6.6.4.2 - There is scrae confusion about the
data studied by the HEIR Committee. Probably most of the data is on
-------�
30
relatively acute exposure to lew IE? radiation, the type most applicable
to the emergency situation studied in the subject report:.
11. In Section 6.8 of Appendix VI, the last sentence on page 67
implies that a Monte-Carlo type of determination was employed, as
contrasted to the assertion in the second paragraph on page 3.
12. The title to figure VI-8 on page 76 should be changed since the
thyroid nodules do not Include all thyroid consequences to be expected.
Appendix VII
Editorial
1. Page C-2, item 2 - Hie core, taken as a whole, cannot "heatup"
from sensible heat as stated here.
2. Page C-9 - The "Little Mamu" program should be referenced to
supporting documentation.
3. Page 1-2, equation (3) - Since this equation involves an
integration over time, a distinction in the various time parameters is
required since C is a function of "t".
Appendix VIII
Clari fications
1. Page A-3, 1st paragraph under Fission-Product Release - It
appears that the pin rupture temperature was assumed to"be l500°F in the
BOIL code calculations. This does not correspond to either of the two
temperatures cited in Appendix VII.
2. Page A-12, last sentence under Bottom Flooding - The meaning of
this sentence is not clear, particularly the reference to "these"
flooding rates, and the reasoning that heatup of cores at elevated
temperatures is not prevented.
Editorial
1. Page 6, top of page - Nomenclature problem: The ECR system
described here appears to be the same as the LPRS system used in most of
the rest of the Study documentation.
2. Page 7, last sentience - The starting time for CSIS is important.
The fact that it must operate for a considerable length of time has
nothing to do with start time considerations.
-------�
31
3. Page 8, 1st paragraph under Core Meltdown - It is not clear what
is included in SIS failure (not previously defined) .
4. Page 34, Accident Time Scale - A discussion similar to this for
the PWR case would clarify the PWR containment discussion.
5. Page A-l, 1st paragraph under Pore Heatup Calculations - In view
of the application of the core heatup results to other PWRs and BWRs, the
statement that some of the results apply only to the specific designs
considered needs elaboration.
6. Page A-6, equation (A-9) - Q apparently should be
7. Page E-9 - The pressures in this assessment should be labelled
psig or psia, whichever is appropriate.
Appendix X
Clarifications
1. Page 6, first paragraph - Although the site geology is
described, a description of what the plant is actually built on
is not mentioned, as was done for the BWR on page 7.
2. Page 45, Note (4) - The Bijlaard formulae have not been defined
in the text.
3. Page 94, first paragraph - It is indicated that the IHSIS (LPIS
elsewhere) injects into the RCS hot legs. Figure 11-53 of
Appendix II, Vol. 2, shows injection into the cold legs and the
text associated with the figure also indicates cold leg
injection.
4. Page 94, third paragraph - The discharge pressure of 300 psig
does not appear compatible with the 225-foot head stated on page
275 of Appendix II, Vol. 2.
5. Page 168, item 2 at bottom of page - This item states that the
assumption of a 40* tilt of the MSIV actuator axis is a
conservative assumption since "one expects vertical installation
to be the usual practice." It is not clear why the actual
orientation for the Surry plant was not determined in order to
establish the validity of this conservation. (Figure 28 shows
an MSIV with about a 40° tilt to the actuator) .
-------�
32
Editorial
1. The nomenclature used for the various reactor systems is not
consistent with the rest of the Study. Examples are:
App A, Page IB - Low Head Safety Injection System vs Low Pressure
Injection Systems
High Head Safety Injection System vs High Pressure
Injection Systems plus Accumulator Systems
Containment Racirculation Spray Systems vs Containment
Spray Recirculation Systems
Core Spray Systems vs Core Spray Injection System
Residual Heat Removal Systems vs Post Accident Heat
Removal.
-------�
33
Sunroary Report
Editorial
1. Page 2, 1st sentence - The sources for the results in Figures 1, 2, &
3 should be identified, and the figures explained in more detail (ie. time
period covered, population covered, etc).
2. Page 8, 1st paragraph, last sentence - Depending on schedules and
definitions, this statement may be incorrect. Port St. Vrain (330 Mte-
ifKSR) should start up this year, and Fulton 1 (1140 MWe-HTGR) is scheduled
for startup in 1979.
3. Page 26, Section 2.21, 1st paragraph - A more effective qualification
of the WASH-740 results would be to quote the cover letter transmitting
the Study to the JCAE in March 1959. This letter, presunably written by
the authors of the report, says, in part:
"Pessimistic valuest leading to great hazards, were chosen for the
nunerical values of many uncertain factors which influence the final
nagnitude of the resulting damage. It can therefore be concluded that
these theoretical estimates are greater than the damages which would
actually result in the unlikely event of such an aocMent."
-------�
34
OOtrrRACT WITH INTEPMOUNTAIN TKCJINOLOGIFS, INC.
CONTINUING WASH-1400 REVIEW TASKS
A. Failure Mode Paths Selected for Review
]. HWR-Reactor Protection System-Review to determine credit taken
2. HWR-Transient #1 for backup Boron injection undrr
'.\. WR-Transicnt #2 BWR transients selected fo]].ovinq
4. W/R-Transient #3 investigation of H'/R Reactor
Protection Syster..
5, PWR-Electric Power Systems - Independent evaluation of Electric
Power System Availability-
fi. PWR-lligh Pressure Injection Review to determine the extent that
System possible troublesome break 1 ocations
7. PWR-Small Break #1 have been accounted for.
8. PWR-Small Break #2
-------�
PART 2
AUGUST 15, 1975 COMMENT IETTER TO THE NBC
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON. D.C. 20460
15AUG1375
Mr. Saul Levine
Oeputy Director
Office of Nuclear Regulatory itesearch
U.S. Nuclear Ifcgulatory Ccr.mission
Washington, U.C. 20555
Dear I-lr. Levine:
Hie Environnental Protection Agency's convents from the
second phase of its review of draft vasn-1400 ("Reactor Safety
Study/Vn Assessment of Accident Risks in U.S. Commercial Nuclear
Power Plants") are transmitted in this letter.
Because of the significance of the Reactor Safety Study
boward establishing the accident risk associated with nuclear
powar plants, ve chose to review the draft report of the study in
two phases. The comments from our first phase review, an overall
review of the draft WASH-1400, were transmitted, to you by our
letter of November 27, 1974. The second phase review was an
intensive examination of selected areas of draft W&SH-1400 to
determine if there vrere deficiencies in their evaluations and to
estimate the significance of the deficiencies with respect to tie
related risk calculations in draft VBSLI-1400. This effort
provided a deeper appreciation of the degree of thoroughness with
which the Heactor Safety Study staff has applied the study
iiGthodology and of the sensitivity of the study results to
changes in individual parameters or in single event
probabilities.
We have endeavored to keep your staff informed of the
preliminary findings of our second phase review as they became
available. It is hoped that the Keactor Safety Study staff finds
the comments we are now transmitting, as well as our previous
comnents, to be useful in their preparation of the final study
report and in their refinement of the study methodology.
-------�
-2-
LPA obtained additional technical support for the review
effort through a contract with Intermountain Technologies, Inc.
(ITI) of Idaho Falls, Idaho. ITl's report titled "A Review of
the Draft Import Heactor Safety Study (WASH-1400)" is transmitted
with this letter. This report details ITI's findings from its
in-depth examination of selected aspects of the work presented in
draft WASH-1400 in support of our second phase review and it
serves as documentation supporting sane of our Garments. At
present, only a limited number of copies of the TH review are
available; the report will be issued for general distribution
within a few weeks as an EPA report.
Wliile EPA endorses specifically the recanrivjndations of ITI's
report and tlie report's conclusions and observations in general,
the following contents enphasize EPA's position, which is based
in part on ITI's reconnendations as well as on other EPA
findings.
The second phase review findings indicate that although
errors, omissions and other deficiencies were found in areas of
draft NASH-1400, the vast majority of these were found not to
have a significant effect on the overall risk estimates. More
than a dozen areas were investigated in this phase but the only
one which was found to have a significant potential for
increasing the estimate of overall risks was the assessment of
transient-without-scram accidents for boiling water reactors.
The results of our second phase review have not: altered our
opinion that the Reactor Safety Study provides a forward step in
risk assessment of nuclear power reactors, and that the study's
general methodology appears to provide a systematized basis for
obtaining useful assessments of the accident risks where
empirical or historical data are presently unavailable. There
are a number of areas of nuclear power tecl\nology which should be
considered as candidate areas for future application of a refined
form of the Reactor Safety Study methodology, .including different
versions of contemporary light water reactors, high temperature
gas cooled reactors, liquid metal fast breeder reactors, and
variations such as barge mounted power plants.
The Reactor Safety Study has also served to provide a picture
of the state of knowledge of the physical processes and the event
sequences that might occur in a nuclear power plant under severe
accident conditions and of the consequences of such accidents.
It is certain to help in the development of the reactor safety
research program, and it may provide insight leading to
-------�
-3-
innovations in reactor protection systems and encdneered safety
systems.
Although the draft Reactor Safety Study report does not mate
an absolute judgment on nuclear power plant accident risk
acceptability, the comparative risk approach presented in the
sumnary and in the main voluma of the draft report is likely to
imply an acceptability judgment to the average reader. EPA
recognizes that the comparative risk approach is a first step in
addressing this question, but by itself is Misleading. The
summary presentations in draft WASH-1400 serve: to illustrate sane
of the problems with the comparative risk approach, as do sons of
the observations on the subject in ITI's report. It is not an
accurate comparison to conpare risks estinated from calculations
to risks estinated from experience, to omit latent deaths from
comparisons of fatalities nor to compare acute fatalities to
latent. A better appreciation of the risk estimates could be
gained if their uncertainties were added to the graphs. It
should also be acknowledged that the risk from nuclear power is
not only the risk from severe accidents, but it also includes the
risks from normal operation of nuclear power plants, from
associated transportation and storage of radioactive material,
from other fuel cycle facilities, and from such potential
activities as sabotage and terrorist diversion of materials. It
should be made clear in the final WASH-1400 that the study
attempts to quantify the risk of accidents from contemporary
light-water reactors and does not, by itself, make judgments on
the acceptability of quantifications made, althoi^h-sttch
quantifications may be put into perspective through appropriate
conparison with otter risks.
Draft WASH-1400 shews that the transient-^athout-scram
accident sequences for boiling water reactors (BWRs) make a major
contribution to the overall accident risk. The treatment of
several aspects of transient-without-scram accidents should be
carried out in more detail to avoid unrealistically high risk
estimates; an example is the determination of the combinations of
control rods whose failure results in failure to scram. Other
aspects of transient-without-scram accidents need better
justification of the failure probability values chosen; tlie
assessments of the single control rod insertion failure rate, of
the multiple and common mode control rod insertion failure rate,
and of the protection provided by the liquid poison injection
system are such that liigher failure probability values could have
-------�
-4-
boen selected from the information given, with a potential for
increasing overall risks by as inuch as a factor1 of 2.
Some areas were found which appear to be improperly or
incompletely considered but for which insufficient information is
available to determine quantitatively their risk inpact. These
areas include human reliability, conmon mode failure
quantification, some aspects of design adequacy, and the
techniques for calculating the results of small pipe breaks in
pressurized water reactors.
The area of common mode failure, in particular, needs further
elaboration, especially because the concept employed in the
Reactor Safety Study seems to be broader and inclusive of a
greater variety of failures than the usual interpretation of the
term. The assertion that common mode failures do not contribute
much to the overall risk needs extensive and substantial
additional support in the form of comprehensive, logical, and
well-connected coverage of the subject. The recent fire at the
Browns Ferry plant, an example of a common mode failure which
disabled a number of systems of two power reactors
simultaneously, emphasizes the need for thorough examination of
comnon mode failure.
The discussion of design adequacy needs to be expanded to
include explicit description of the manner in which possible
design inadequacies in components, structures, and systems are
accounted for in the study methodology.
The core meltdown and containment response analyses in the
draft VJASH-1400 were found to contain many oversimplifying
assumptions. Even though these assumptions may not have a
significant effect on the overall risk analysis, better
justification for their selection should be provided. These
oversimplifying assumptions appear to fall into t>ro classes;
assumptions made only for calculational convenience which should
be justified by suitable explanation, and assumptions made to
bridge over inadequacies in tiie state of loiowledge of physical
processes, which should be identified as such to emphasize the
need for further research. It appears that there are especially
large uncertainties in knowledge of the behavior of the core and
its surroundings once the core malting begins. The significance
of the oversimplifying assumptions appears to be due to their
influence on the probable sequence of events, i.e., whether tlie
lieating of the core is so rapid that it melts before effective
-------�
-5-
cooling is restored, and, if effective cooling is not restored,
whether the containnent fails by excessive internal pressure or
by soma other mode. For example, in part of the? containment
failure analysis in draft WASII-1400, it is assumed that a molten
core will generate considerable carbon dioxide gas by
decomposition of foundation concrete containing limestone
aggregate. The analysis of save possible accident sequences
shows this gas providing sufficient additional internal pressure
to fail the containment before the pressure is relieved into the
ground by the molten core penetrating the foundation. The
assumption that all foundations contain gas-generating aggregate
appears to lead unrealistically to higher risk estimates.
It would seem reasonable from the explanation in draft WftSll-
1400 of the basis for selection of the pressure at which the
containnent of the example pressurized water reactor is assumed
to fail under accident-created conditions to haive selected a
lower pressure. This explanation should be expanded to provide
more justification for the high pressure selected, because in a
number of possible accident sequences the failure pressure
appears to be a determining factor relative to release of
radioactivity to the atmosphere through the failed containment
wall or release into the ground by the core melting through the
foundation.
The draft WASH-1400 has also served to call attention to
problems associated with the- response to an accident to mitigate
the consequences to the public. In dealing with an accidental
release, the evacuation model of draft WASH-1400 includes a
warning time for evacuation which apparently begins at the time
of awareness of impending core melt. In order to show that the
warning tine for evacuation is determined on a practical basis,
the final report should give examples of the limiting conditions
in the plant which are postulated as bases for the decision to
warn the neighboring population to evacuate, and the plant
instrumentation indications that will tell the operator that the
limiting conditions have been reached.
Examination of design differences between the example
pressurized water reactor (PWR) of the Reactor Safety Study and a
PWR more representative of the expected 1980 population of PWRs
indicates that some results from the example PWR are not
applicable to the whole 1980 PWR population. However, the
differences in overall risks between contemporary types of PWRs
or between contemporary types of boiling water reactors (BWRs)
-------�
-6-
are thought likely to be smaller than those found in the study
between the exanple PWR and tlie exajiple BV7R.
Tlie enclosed ITI report contains figures showing revisions of
heal tli effects data of draft VJASH-1400. Each of these figures
shows the health effects of draft WAS1I-1400 adjusted for one
suggested change only, These figures do not represent EPA's
estimates of consecfuences because the figures do not include all
the necessary corrections to the data of draft WASii-1400.
Similarly, the estimates in the discussion of tritium release
considerations in ITI's report are sufficient to show that the
potential effects of tritium releases are small compared to those
from some other types of radionuclides ; they should not, however,
be construed as presenting an EPA dose model or health effects
calculational procedure .
U.S. Atomic Energy Commission published an "Interim
General Statement of Policy" dated August 21, 1974, with respect
to the Iteactor Safety Study, that states '"The study wlien
conplcted will be tlie subject of thorough evaluation by the
Canmission, tlie independent Advisory Committee on Reactor
Safeguards, and the Commission's staff with respect to both the
basic question whether the risks portrayed by the study are
acceptable from the standpoint of the Contnission's statutory
responsibility to protect the health and safety of the public,
and the related question whether any changes in the Commission's
safety or environmental regulations are warranted,/' A basic
conclusion to such an evaluation is whether or not the risks have
been portrayed by the study with adequate accuracy and precision.
It is recommended that additional care be given to assuring that
the results of the study are realistic and to reducing the
uncertainties .
Our major reservation with res[.>ect to tJiis study is the
implied acceptability of the estimated risks to society .
Although the study has made major inroads into quantification of
accidental risks from nuclear reactors, the acceptability to
society of such accidental risks lias not been analyzed. It
appears that WASH- 14 00 cannot, nor should it, address the
acceptability to society of the risk estimates derived. It is
important, however, that WASIi-1400 not be susceptible to the
interpretation that it presumes such acceptability. Thus, tlie
quantification of risk determined by this study and implications
of their acceptability should be clearly differentiated to
eliminate any potential confusion. The Pcactor Safety Study's
sunirary presentation should be modified to qualify the risk
comparisons with irore emphasis that tJiey are only a first step
-------�
-7-
toward tlie evaluation of risk acceptability £ind that conclusions
with regard to tlie acceptability of tlie risks can only be drawn
otlicr factors arc considered.
vfc are looking forward to the final rc[»rt WASJl-1400, and \-ie
are interested in the plans of the Nuclear Jixjxilatory Ccwninsion
for L'ux^tJicr application of the inethodolajy cbvelopnd in Uie
li.^\cbor .Safety Study. In tliis respect, we urye tJiat a continuouis
effort be maintained -to refine, iiq;jrove and extend tiie
methodology.
We v«uld be pleased to discuss our ccmncnts widi you if they
require ^iny clarification.
Sincerely yours,
VJ0 U. Po-je, Ph.D.
IJeputy Assistant Aur:iinistrator
for l^adiation Proc/rai.is (AiJ-553)
; ;nc].osure
-------�
PART 3
FINAL REPORT BY ITI
A REVIEW OF THE DRAFT REPORT
REACTOR SAFETY STUDY
WASH-1400
-------�
The contract report reproduced as Part 3 of this report was
prepared as an account of work sponsored by the Environmental
Protection Agency. The contract report is being published so that
it will be available as a resource to the scientific ccnmunity and
the general public. It does not necessarily represent the views or
policies of the Environmental Protection Agency. In particular,
the doses and health effects indicated in the contractor report do
not represent EPA's estimates of consequences because the figures do
not jjnclude all the necessary corrections to the data of WASH-1400.
-------�
A REVIEW OF THE DRAFT REPORT
REACTOR SAFETY STUDY (WASH-1400)
By
P. R. Davis
Contract No. 68-01-2244
Project Officer
Dr. Jerry Swift
Office of Radiation Programs
Prepared For
Office of Radiation Programs
U. S. Environmental Protection Agency
Washington, D.C. 20460
-------�
This report was prepared by Intermountain Technologies, Inc. (ITI)
as an account of work sponsored by the Environmental Protection
Agency (EPA). Neither ITI, nor any person acting on behalf of ITI:
a. Makes any warranty or representation, express or
implied, with respect to the accuracy, completeness,
or usefulness of the information contained in this
report, or that the use of any information, appa-
ratus, method or process disclosed in this report
may not infringe privately owned rights; or
b. Assumes any liabilities with respect to the use of,
or for damage resulting from the use of, any infor-
mation, apparatus, method or process disclosed in
this report.
-------�
ABSTRACT
This report presents the results of a review of the draft document,
"Reactor Safety Study - An Assessment of Accident Risks in U.S. Com-
mercial Nuclear Power Plants" (WASH-1400), prepared by the United
Slates Atomic Energy Commission and issued August 1974. The purpose
of the review was to provide the Environmental Protection Agency with
technical support for assessing the range of applicability of the
*
methods, techniques, and data utilized in WASH-1AOO. The review con-
sisted of: (1) a selection, based on a preliminary review, of areas
in WASH-1400 which appeared to contain errors which could have a sig-
nificant effect on the results, and (2) an in-depth technical review
of each area selected to determine the applicability of the results to
the. assessment of nuclear power plant risks.
In the sections of WASH-1400 reviewed, certain errors, omissions, and
inconsistencies were found. Most of these deficiencies were found not
to have a significant effect on the overall results and conclusions of
the- study, although most tended to increase the calculated risks. In
some cases, the effects of an apparent deficiency could not be deter-
mined due to lack of information or resources. In these cases, sensi-
tivity studies would be necessary to determine if the deficiencies are
significant. One area, the risk contribution from boiling water reac-
tor anticipated transients, was judged to present a potential for sig-
nificant] y increased risks.
WASH-J400 provides a major contribution to risk assessment related to
nuclear power plants. The methods, data base, and analysis used in
WASH-1400 form an important foundation for a systematic approach
ii
-------�
to help identify technical areas needing additionaj. research and develop-
ment to further reduce risks from nuclear power.
%
This report was submitted in fulfillment of Contract Number 68-01-2244
by Intermountain Technologies, Inc., under sponsorship of the Environ-
mental Protection Agency. Work was completed as of May 1975.
iii
-------�
CONTENTS
ABSTRACT ii
LIST OF FIGURES vi
LIST OF TABLES ix
ACKNOWLEDGEMENTS xi
SECTIONS:
I. CONCLUSIONS 1
II. RECOMMENDATIONS A
III. INTRODUCTION 8
IV. GENERAL RESULTS 17
V. ANALYSIS 21
A. Failure Mode Paths 2l
1. BWR Reactor Protection System Failure 22
2. BWR Transient Accidents 33
3. BWR Electric Power System Failure 34
4. PWR Electric Power System Failure 37
5. PWR High Pressure Injection System 46
Failure
6. PWR Small Break Loss of Coolant 63
Accident Analyses
7. PWR Loss of Power Transient 75
Accident Sequence
8. BWR-PWR Component Failure Modes 86
and Rates
9. PWR Low Pressure Injection System 108
Failure
10. PWR Low Pressure Recirculation 113
System Failure
iv
-------�
Page
B. Consequence Areas 119
1. Parametric Studies of Core Meltdown 120
(PWR)
2. Containment Response - Failure 128
Pressure (PWR)
3. Containment Response - Pressure 137
History (PWR)
4. Tritium Release Considerations 151
(BWR-PWR)
VI. GENERAL OBSERVATIONS 156
VII. REFERENCES 175
VIII. GLOSSARY 180
APPENDIX A 181
-------�
LIST OF FIGURES
No.
1 Effect of Changes in BWR Reactor Protection 28
System Analysis
2 Effect of Reducing Frequency of BWR Transient 35
Accidents by 1/3
3 Revised Quantitative Pictorial Summary for 50
One of Three HPIS Pumps with Point Failure
Estimates
4 Quantitative Pictorial Summary of HPIS Failure 51
with Point Estimates Showing Effect of Q f
Increase
5 Revised Quantitative Pictorial Summary for 52
Two of Three HPIS Pumps with Point Failure
Estimates
6 HPIS-LPIS Piping Intersection Diagram 55
7 Quantitative Pictorial Summary of HPIS Failure 56
with Point Estimates Showing Effect of Q
(Single Failure) Increase
8 HPIS Modified Double Failure Contribution 58
Summary
9 Time Top of Core Uncovered vs Break Size - 68
Pump Discharge Break
2
10 Two Phase Fluid Level vs Time for 0.2 ft 69
Pump Discharge Break
11 Core Fluid Level vs Time for 0.087 ft2 Pump 70
Discharge Break
12 Fluid Pressure in Core Region vs Time for 71
Various Break Sizes - Pump Discharge Break
vi
-------�
No. Page
13 Peak Clad Temperatures vs Break Size at 73
Pump Discharge Break
14 Pipe Rupture Failure Data (Pipes >3-inch 88
Diameter)
15 Pipe Rupture Failure Data (Pipes <3-inch 91
Diameter)
16 Pump Failure to Run Data 93
17 Diesel Generator Failure to Start Data 95
18 Revised Diesel Generator Failure to Start 98
Data
19 Low Pressure Injection System Unavailability 110
Contributions with Revised Numbers in
Parentheses
20 Comparison of Trojan and Surry Low Pressure 112
Injection Systems
21 Revised LPRS Contribution Pictorial Summary 116
22 RELAP4 Nodalization 122
23 Core Liquid Level and Core Reflood Rate as 125
Function of Time after Slowdown
24 Surry Containment Pressure During LOCA with 140
CS1S and CSRS Failure
25 Surry Containment Pressure During LOCA with 142
EPS Failure and No H? Combustion
26 Surry Containment Pressure During LOCA with 143
EPS Failure and H- Combustion
27 Evacuation Effectiveness vs Containment 146
Failure Time (T )
28 Trojan Containment Pressure During LOCA with 149
Assumed Containment Safeguards Failures
vii
-------�
No. Page
29 Comparative Risk Curve from WASH-1400 157
30 Acute Fatality Curve from WASH-1400 160
31 Comparative Risk Curve with Uncertainties 161
Shown as Quoted on Pg. 153 of Main Document
(WASH-1400)
32 Whole Body Man-Rem Curve from WASH-1400 163
33 Acute vs Total Fatalities 164
34 Total Fatalities with Uncertainties, Using ' 165
Figure VI-7 of Appendix VI, WASH-1400
35 Acute Fatalities Showing the Effect of More 168
PWRs than BWRs
36 Effect of Reducing Average Power of BWRs 170
from 3200 MWt to 2400 MWt and PWRs from
3200 MWt to 2650 MWt
viii
-------�
LIST OF TABLES
No. Page
1 Initial Failure Mode Path Review Areas 10
2 Final Failure Mode Path Review Areas 12
3 Initial Consequence Areas Selected for 15
Review
4 Final Consequence Areas Selected for 16
Review
5 Results of Review of Engineered Safety 18
Systems Failure
6 Results of Review of Accident Sequences 19
7 Results of Review of Component Failures 19
8 Results of Review of Accident Consequence 20
Areas
9 Sensitivity of BWR Release Probability 24
to Control Rod Failure Probability
10 Increase in Average Acute Fatalities Per ..25
Year from Increase in Control Rod Failure
Probability
11 Error Rate: Service Water Valves to Lube 48
Oil Cooler not Opened by Operator when
Pump Starts (FXVPASWX)
12 HPIS Comparison - Surry vs Trojan 60
ix
-------�
Page
Nk>.
13 HP1S Pump Success - Failure Combinations 61
for Trojan and Surry
14 Small Break LOCA Computer Codes Used by 66
PWR Vendors
15 Revised Probability Values for PWR Loss 81
of Power Transient with Containment Failure
16 Comparison Between WASH-1400 and Revised 82
Release Category 1 & 2 Probabilities
17 Comparison Between WASH-1400 and Revised 84
Average Acute Fatalities per Year from PWR
Loss of Power Transient Accident
18 Diesel Generator Failure-to-Start Data 97
.19 Distribution of PWRs Expected to be 171
Operating by 1980
-------�
ACKNOWLEDGEMENTS
The valuable assistance of the following individuals is hereby
acknowledged:
.1. Dr. A. P. Moser, Utah State University, for assistance in the
area of determining containment failure pressure.
2, Dr. R. T. Jensen, Intermountain Technologies, Inc., for assist-
ance in calculating core heatup and containment pressurization
following a LOCA.
'i. Mr. Ronald M. Wells, STAFCO Associates, for assistance in ana-
lyzing the PWR and BWR Electric Power Systems.
A. Mr. Frank Petree, Consulting Engineer, for assistance in analyzing
BWR transient events and scram failures.
!>. Mr. W. C. Gekler, Holmes and Narver, Inc., for assistance in re-
viewing the failure rate data base and other areas pertaining to
component failures.
f). Mr. S. 0. Johnson and Mr. G. F. Brockett, Intermountain Technologies,
Inc., for overall guidance during the effort.
7. Mrs. Helen Brown, Intermountain Technologies, for typing and editing.
XI
-------�
I. CONCLUSIONS
The purpose of the effort described in this report was to review a
draft of WASH-1AOO (Reactor Safety Study) in selected areas to deter-
mine the range of applicability of the methods, techniques, and data
used in determining the risk of nuclear power. The objective of the
review was to probe selected areas of the report to the extent neces-
sary (1) to determine if the particular area was correctly evaluated
and, if not, (2) to estimate a measure of the significance of any
errors, omissions, etc, found in the risk calculations in WASH-1400.
This section presents the conclusions of the review.
WASH-1400 represents a comprehensive and much needed assessment of the
risks of nuclear power in the United States. It is by far the most
extensive such assessment ever attempted, and represents a significant
improvement over previous assessments of reactor safety. It will like-
ly become a principal basis for many decisions regarding the safety of
nuclear power for generating electricity in the United States and for
guiding future reactor safety research and development.
It should be recognized that in any first effort of the magnitude'and
complexity of the Reactor Safety Study, errors, omissions, and other
deficiencies are certain to occur. The existence of these deficien-
cies should not be construed as invalidating any of the WASH-1400 results
unless such deficiencies can be clearly demonstrated to have a substan-
tial effect on the results. Nevertheless, because of the potential
importance of WASH-1400 to future policy decisions, it would appear
appropriate to correct to the extent possible even the minor deficien-
cies which do not appear to have a significant effect on the results.
-------�
Some of the conclusions presented in this section are based on numer-
ical revisions of a particular area with new risk values computed for
the purpose of establishing the significance of an apparent deficiency.
It should be emphasized that these revised risk values are, in most
cases, gross approximations provided only to establish some measure of
the potential significance and to.provide justification for a recom-
mendation that a particular area requires additional analysis. The
specific conclusions from the review are as follows:
(1) Although errors, omissions, inconsistencies, and questionable
assumptions were found in many areas of WASH-1400, the vast
majority of these deficiencies were found not to have a signifi-
cant effect on the overall risk assessments.
(2) The summary presentations in WASH-1400 for comparing the risks of
nuclear power with other man-caused risks are sometimes mislead-
ing and incomplete. Factors such as obscuring latent deaths from
nuclear power, not illustrating calculational uncertainties in
nuclear power risks, and making comparisons of calculated nuclear
risks with actual risks from other sources without emphasizing the
distinction sufficiently, all tend to undermine the strength of
the WASH-140Q conclusions, both expressed and implied.
(3) The WASH-1400 risk assessment from transient without scram acci-
dents for boiling water reactors appears to be the most signifi-
cant analysis problem found in the report. In this case, a
preliminary sensitivity study indicates that re-evaluation of the
consequences of this accident may increase the WASH-1400 calcu-
lated risks from BWRs.
(A) Several areas were found which appear to be improperly or incom-
pletely considered but for which insufficient information is
available to determine quantitatively their risk impact. These
areas include
-------�
human reliability
PWR small break calculational techniques
common mode failure quantification
some aspects of design adequacy.
(5) The validity of applying the results of the risk assessment using
the Surry reactor, chosen to represent all PWRs in WASH-1400, to
the 60 to 70 PWRs expected to be in operation by 1980 needs addi-
tional consideration in WASH-1400. In several areas, design dif-
ferences between the Surry plant and a plant more representative
of the 1980 plant population indicate that the Surry results may
not apply. Surry represents a PWR design similar to only about
20 percent of the anticipated 1980 PWR population.
(6) The core meltdown and containment response analyses were found to
contain many oversimplifying assumptions. Although these assump-
tions may not have a significant effect on the overall risk
analysis, very little justification was included in the analyses
for selecting the assumptions.
(7) The basis for selecting the PWR containment failure pressure was
found to be deficient, and the failure pressure, selected appears
to be too high.
-------�
II. RECOMMENDATIONS
(1) Although most of the deficiencies found in WASH-1400 did not
appear to have a significant effect on the overall quantitative
risk assessments, such deficiencies should be repaired, along
with the major problems found, for the following reasons: (a)
the existence of errors, omissions, inconsistencies and question-
able assumptions in the report tends to undermine the confidence
gained by the reader in the results, especially since in many
cases the significance of such deficiencies cannot be assessed
without detailed analysis, (b) as the more significant deficien-
cies in the report are repaired, the effect of some of the minor
problems could be amplified. Changes in reactor design, as well
as operating and maintenance characteristics, could shift the
emphasis and accentuate the significance of deficiencies which
presently appear to be minor.
(2) The final results of the Study, especially those portions pertain-
ing to comparisons between nuclear and other man-made risks,should
be revised to clearly and consistently indicate:
(a) That the nuclear risks are calculated while other risks
are derived from actuarial data,
(b) The substantial uncertainty associated with the nuclear
risk calculations,
(c) The latent death risk from nuclear power plants.
-------�
(3) The areas of
human reliability,
commpn mode failures, and
design adequacy
are not quantified or explained to the extent nescessary to deter-
mine if proper consideration has been given to them in computing
overall risks. Some of these areas appear to be improperly con-
sidered. It is recommended that additional information be pro-
vided which will clearly indicate in a systematic and consistent
manner how these areas were evaluated and how the results were
included in the risk assessments.
In addition, selected aspects of the use of the failure data
considered in the report should be improved, particularly the
assessment of pipe rupture probability. These are specifically
identified in Section V of this report.
(A) Additional analysis is recommended to justify and confirm the valid-
ity of the simplifying assumptions selected for the core melt-
down and containment response analysis contained in Appendix VIII
of WASH-1400. A reassessment of the PWR containment failure
pressure is also recommended as it appears that too high a value was
used. .A lower value would increase the risks from PWR accidents.
(5) Efforts should commence immediately to extend the Study to cover:
(a) PWR designs other than that represented by the Surry plant
selected for analysis in WASH-1400 - Of the 60 to 70 PWRs
expected to be operating by 1980 (stated to be covered by
the WASH-1400 results), only about 20 percent are of the
Surry design. Some of the plants differ in design consider-
ably from the Surry plant, and no assurance is available
-------�
that the Surrv results apply to these plants as assumed t>v
WASH--1/.DO.
(h) Plants which will commence operation beyond 1980 - The Study
considers only the 100 reactors expected to be in operation
by 1980. This represents only slightly more than 40 percent
of all reactors currently operating, under construction, or
on order. In view of the fact that the Study, by the time
the final report is issued, will have taken something over
three years to complete, it is not too soon to begin an ex-
tension of the Study to encompass plants scheduled for oper-
ation beyond 1980. An analysis of risks from offshore plants
should be considered in such an extension.
(c) Gas-cooled reactors - Although gas-cooled reactors at present
represent a relatively small (one operating and six ordered)
segment of the total reactor commitment in the United States,
their risks need to be quantified to complete the reactor
risk assessment. It is possible that the gas-cooled reactor
could become a significant part of the reactor population in
the future. Also, an early risk assessment could identify
problem areas which could be eliminated before large scale
operation of these plants commences.
(6) The Study should be continuously maintained. It is likely that
the power plants covered by the Study will undergo design, opera-
tional, and maintenance and testing changes, some of which may be
required by regulatory agencies. These changes should be factored
into the Study in a timely manner to determine the effect of such
changes on the risk evaluation. As the number of operating re-
actor-hours increases, the component failure rate and accident
frequencies should be monitored and periodically factored into
the Studv. This would improve the statistical basis in the Study,
-------�
and could alter some of the results. Continuous maintenance of
the Study would not only sharpen the focus of the quantitative
risk assessments, but would also have the potential of promptly
identifying problem areas, as well as proving the methods used
in the Study.
-------�
HI. INTRODUCTION
la August 1974, the United States Atomic Energy Commission (AEC) issued
a draft document, entitled "Reactor Safety Study - An Assessment of
Accident Risks in U.S. Commercial Nuclear Power Plants" (WASH-1AOO).
Tlio document concludes that risks to the general public from power
reactor accidents are substantially less than from other man-made
risks and most natural disasters.
It; is expected that both the methodology and the conclusions of WASH-
1400 will have a major impact on the assessment of the risks to the
public from the operation of nuclear power plants. It is thus extreme-
ly important that the final version of WASH-1400 be as correct as pos-
sible, in its completeness, technical analysis, data base, and conclu-
sions. It is recognized that in any new effort of the nature and
magnitude of the "Reactor Safety Study," errors, omissions, misin-
terpretation of data, etc, are certain to occur in spite of the best
efforts of the authors. However, it is important that such deficien-
c.ies be minimized.
The purpose of the effort described in this report was to review WASH-
1400 in selected areas to determine the range of applicability of the
methods, techniques and data used in determining the risk of nuclear
p.ower. The objective of the review was to probe selected areas of the
report to the extent necessary in an attempt (1) to establish if the
particular area was correctly evaluated and, if not, (2) to establish
.1 measure of the significance of any errors, omissions, etc, found in
the risk calculations in WASH-1400.
-------�
In many cases the stated risks were numerically revised to assess the
impact of the particular discrepancy found in the WASH-1400 analysis.
It should be emphasized that these revisions are, in most cases, gross
approximations provided only to establish a measure of the potential
significance and to provide justification for a recommendation that a
particular area be re-analyzed. In most instances, a rigorous and
detailed analysis, beyond the scope of the effort described herein, is
required to arrive at a definitive numerical revision of the risk.
The effort proceeded in three subtasks, as follows:
Subtask I - This, phase consisted of a general review of the entire
document to select those areas requiring an in-depth assessment. This
phase culminated in the preparation of a work plan which described
these areas and the basis for their selection. This work plan is
included in this report as Appendix A. Each area was selected based
on (1) a determination that it may have a significant impact on the
overall risk and (2) a determination that errors may exist in the
analysis of the area as presented in WASH-1400. The areas selected
were grouped into two categories. The first category included those
areas related to failure mode paths identified in WASH-1400. These
failure mode paths included the accident event sequence as well as the
failure modes of the safety system designed to control the accident.
A total of 12 areas were initially selected for an in-depth assessment.
This number was later reduced to 10 as a result of combining and
slightly altering two areas. The second category consisted of those
areas related to establishing the consequences of each accident se-
quence. The areas were selected based on: (1) the area should sig-
nificantly influence either the magnitude or the time of release of
the radioactive material from the containment, and (2) the area, based
on the Subtask I review, was suspected to be incorrectly quantified,
improperly applied,or significant but not considered. A total of six
areas were initially selected for analysis. This number was later
-------�
reduced to four when it was found expedient and logical to combine
some of the areas.
Subtask II - This phase consisted of an in-depth assessment of the
failure mode paths selected in Subtask I of the WASH-1AOO review. The
paths initially selected consisted of the following:
Table 1 - INITIAL FAILURE MODE PATH REVIEW AREAS
1. BWR reactor protection system failure
2. BWR anticipated transient accident sequence (#1)
3. BWR anticipated transient accident sequence (//2)
4. BWR anticipated transient accident sequence (#3)
5. PWR electric power system failure
6. PWR high pressure injection system failure
7. PWR small break loss of coolant accident sequence //I
8. PWR small break loss of coolant accident sequence #2
9. PWR loss of power transient accident sequence
10. Component failure rates (BWR and PWR)
11. PWR low pressure injection system failure
12. PWR low pressure recirculation system failure
After starting the review of each of the above areas, it became evident
that some modifications to the list were in order. The first such
change was made to items 2, 3 and A (BWR anticipated transient accident
sequences). It became clear that an in-depth analysis of these acci-
dent sequences would require resources beyond the limits provided in
the. contract. Each analysis would require the use of complex computer
codes in which transient thermal-hydraulic and reactivity effects must
be accounted, for. (An example of such a calculation may be found in
Reference 1).
10
-------�
Thus, items 2, 3 and 4 in Table 1 were replaced by a single item,
entitled "BWR Transient Accidents."
The second modification occurred after preliminary investigation into
items 7 and 8 (PWR small break accident sequences //I and //2) revealed
that, in order to properly investigate small break accidents, it would
be necessary to perform complex transient thermal-hydraulic calcula-
tions. These calculations would require the use of computer codes not
available except in proprietary versions used by PWR vendors. In re-
viewing the capability of such codes, it was found that substantial
differences in results existed in the calculations as published by the
vendors. It was thus concluded that a useful task would be to perform,
a detailed review of.existing analytical techniques aimed at evaluat-
ing the credibility of the results. Since WASH-1400 assumes, based on
vendor calculations as approved by AEC-Regulatory (now the Nuclear
Regulatory Commission), that adequate core cooling is provided for all
i ' .
small break accidents (if emergency core cooling systems operate as
designed), it becomes important to examine the vendor calculations.
This effort takes on added significance based on the WASH-1AOO conclu-
sion that small break accidents are a dominant contributor to the
overall PWR risk assessment. Thus, items 7 and 8 of Table 1 have been
replaced by a single item, entitled "PWR small break loss of coolant
accident analysis review."
The third, and final, modification was to add a review of the BWR loss
of power accident to the list. This item was added when inconsisten-
cies and errors were found in the assumptions relative to operation of
the emergency diesel generators in the BWR fault tree of WASH-1400.
As a result of these modifications, the initial list of review areas
(Table 1) was changed to the following list:
11
-------�
Table 2 - FINAL FAILURE MODE PATH' REVIEW AREAS
1. BWR reactor protection system failure
2. BWR transient accidents
3. BWR electric power system failure
4. PWR electric power system failure
5. PWR high pressure injection system failure
6. PWR small break loss of coolant accident analyses
7. PWR loss of power transient accident sequence
8. BWR-PWR component failure modes and rates
9. PWR low pressure injection system failure
10. PWR low pressure recirculation system failure
The review procedure was identical for the areas in Table 2 which con-
sist of "systems." Thus, for areas 1, 3, 4, 5, 9 and 10, the review
consisted of three principal parts. The first part involved' a detailed
review of the fault trees presented in WASH-1400 (Appendix II, Vol. 2
and 3) to determine if the failure modes and associated fault tree
logic were consistent and correct. In addition, failure rates were
traced through the trees to assure that the final system unavailability
values were correctly computed. The second part consisted of deter-
mining if significant potential failure modes of each system could be
found which were overlooked. The third part of the procedure (appli-
cable only to PWR systems) consisted of a comparison of the system as
analyzed in WASH-1400 for the Surry reactor to a plant more represen-
tative of contemporary PWR design.
(2)
The reactor selected for this comparison was the Trojan reactor
which is scheduled to come on line in 1975. This third part was
included since the results in WASH-1400 are alleged to apply to ap-
proximately 100 reactors (Summary Report - WASH-1400) which are ex-
pected to be in operation by 1980, although the detailed fault tree
and consequences analyses of WASH-1400 were specifically done for the
(3)
Surry and Peach Bottom reactors. The Surry reactor is a 2441 MWt,
12
-------�
three-loop pressurized water reactor designed by Westinghouse Electric
Corp. Of the approximately 67 pressurized water reactors scheduled to
be operating by 1980 , only 14 (21 percent) will be of the three-
loop Surry design. Approximately 22 (33 percent) will be of the four-
loop design represented by Trojan. (Beyond 1980, based on current
reactor orders, the number of four-loop plants is expected to exceed
50 percent of all:PWRs.) It was thus concluded that the applicability
of the WASH-1400 analyses to all PWRs expected to be operating by 1980
could best be determined by ascertaining the applicability of the
results to a representative four-loop PWR. It is also considered ap-
propriate that a similar comparison be made for other PWR designs (see
Section 11, Recommendations).
In order to accomplish the Surry-Trojan comparisons, a detailed com-
pilation was prepared of the design and operating 'features for the
Trojan systems selected in Table 2. From this compilation, the Surry
fault trees from WASH-1400 were examined to determine if they were
applicable to the Trojan system. Any differences were noted, and the
significance of the differences were evaluated where possible with
existing information.
With respect to BWRs, the Peach Bottom design analyzed in WASH-1400
represents 67 percent (22) of the 33 BWR plants scheduled to be operat-
ing in 1980- Thus, Peach Bottom is representative of the majority of
BWRs to which the WASH-1400 results are stated to apply, and a compari-
son between Peach Bottom and a BWR of more contemporary design was not
deemed necessary as part of this review. It should be noted, however,
that the basic Peach Bottom design, particularly the containment struc-
ture (designated Mark I) has been superseded by a sequence of two
designs called Mark II and Mark III^ . Beyond 1980, the Mark I design
will represent an increasingly smaller number of BWR plant designs.
Summarizing, the review of each Table 2 system consisted of: (1) a
review of the failure modes presented in WASH-1400 including the
13
-------�
application of failure rate data; (2) an investigation to determine
ii any additional significant failure modes of the system could be
found, and (3) a comparison between the PWR system analyzed in WASH-
J400 and a PWR reactor of more contemporary design.
For the accident sequences listed in Table 2 (areas 2 and 7), the
"event tree" sequence as contained in Appendix I was reviewed along
with supporting information contained elsewhere in WASH-1400. The
review consisted of determining if the accident event sequence and
time of events were properly considered. Where appropriate, the prob-
ability of the accident was reviewed. The effectiveness of systems
designed to mitigate the accident sequence was explored in some cases,
and events considered likely to occur which were not discussed in
WASH-1400 were analyzed.
Area 6 of Table 2, "PWR small break loss of coolant accident analyses,"
has been discussed previously in this section. In summary, this re-
view consisted of determining if the small break loss of coolant acci-
dent analysis performed by the vendors is appropriate as used in
WASH-1400.
Area 8 of Table 2, "BWR-PWR component failure rates," consisted of re-
viewing Appendices III (Failure Date), IV (Common Mode Failures), and
X (Design Adequacy) of WASH-1400. The review was directed towards de-
termining that:
(a) the data sources utilized in WASH-1400 were applicable
and properly applied,
(b) applicable data sources were considered,
(c) common mode failures were properly considered and
accounted for,
(d) appropriate attention was given to considerations
of design adequacy, and
14
-------�
(t1) component failure rote vaiuas were properly computed from
the, data USC.d.
Jn all ol the areaH lioted in Tab It* Zf miseel.1aneoun errors, I
tfncicH, ftc, which were judged to have only minor Impact on the re-
, have buc-n included in « separata neetioii ol ett«h review.
cen»iit«id o£ flnalyaln^ uceldmit consequence
seltn-tt'd during 8ubu«»k 1. The aceaa Hdloctud and the boslH foi
welection aru discussed in Appundix A, Thy aroaM eonsisted ol I HOHC
find parfltnetera affecting the magnitude and timw sequence ol
of fission ptoduets to th« eontainmc'iit I rom Clio core during an
acc-idtin! . Excluded from the analysis contained heroin, with the ex-
ception of tritium rtlease, was any eonslderation of factors affe
the dJHtrlbut^on and biological «£fect of fiwsion produetfl beyond the
containracntt boundary. A rc-vli^w of thiw aroa (Appendix V] of WASH-
wa« done .Independently by the Knviifonmtntal Protection Agency.
Tltf Initial JJwt of are MM we,U>c,ted is shown in Table 3.
TabJe t - 'INITIAL CONSEQUENCE AKKAH
SELECTED FOR RRVTBW
I. Cote Parameters Prior to Meltdown Calculation
?. Core Meltdown CalculatlonH
'I. Contttinmt'nt Response " Failure T'r^HHute (PWR)
ft. Containment ResponH^ - Preisure History (PWR)
f>. AppllcabJ.Hty of Containment Respotme to Other BWR-PWR
fi. TritJtim Release ConMlde.ratlonH
Thin (JHt wan modified when J t became obvJouM tluu t'ontlnuley could be
Improved bv eombininR 1 with U and 5 with 'I. In utM-teral, It wa« ln\- '
b'le to quantitatively determine the effect ol different parametric
-------�
assumptions regarding the state of the core prior to the meltdown
(area 1) transient without performing the meltdown calculation (area 2).
Area 5 was combined with area 3 in order to provide a more direct com-
parison of containment response between the reactors selected in WASH-
1400 and those of more recent designs. Thus, the consequence areas
selected became the following:
Table A - FINAL CONSEQUENCE AREAS
SELECTED FOR REVIEW
1. Parametric Studies of Core Meltdown (PWR)
2. Containment Response - Failure Pressure (PWR)
3. Containment Response - Pressure History (PWR)
4. Tritium Release Considerations (BWR-PWR)
16
-------�
IV. GENERAL RESULTS
The results of the review of the areas described in Section III and
Appendix A are presented in summary form in Tables 5, 6, 7 and 8.
Table 5 presents the results of the review of emergency systems de-
signed to control the consequences of the various accidents considered
in WASH-1400. Each system is considered, and the results of each part
of the review are presented. The results are classified as discrep-
ancies having an insignificant (I), significant (S), or indeterminate
(M) effect on the overall risk. The letter "N" is used to indicate
that "no discrepancy was found. "Significant" is defined as any change
that appears to result in a factor of two or greater change in the
acute deaths computed in WASH-1400. The symbol (+) means that the
risks would appear to be increased if the discrepancy were resolved
and (-) means they would appear to be decreased.
Table 6 is a similar comparison of the two accident sequences reviewed.
As in Table 5, the results of each accident sequence review are indi-
cated by symbols in the table. The legend below the table explains
the symbols, which are similar to those used in Table 5.
The results of the item 8 (BWR and PWR Component Failure Rates) review
area are shown in Table 7. Three areas were evaluated: Component
Failure Data (Appendix III), Common Mode Failures (Appendix IV), and
Design Adequacy (Appendix X). The main general review categories are
shown. "Quantified" refers to the extent to which the information in
each Appendix was numerically evaluated in a form suitable for appli-
cation to the main WASH-1400 risk assessments. "Complete" refers to
the extent to which applicable data sources were used and whether ap-
propriate aspects of the subject being evaluated in each Appendix were
17
-------�
Table 5 - RESULTS OF REVIEW OF ENGINEERED SAFETY SYSTEMS FAILURE
Errors
Omissions
Compari-
son-PWR
only
BWR Reactor
Protection
System
S (+)
N
—
BWR Electric
Power System
I (+)
N
—
PWR Electric
Power System
I (+)
I (+)
M (-)
PWR High Pres-
sure Injection
System
I (+)
I (+)
M (+)
PWR Low Pres-
sure Injection
System
I (+)
N
M (-)
PWR Low Pres-
sure Recircu-
lation System
I (+)
I (+) |
i
I (+)
-------�
Table 6 - RESULTS OF REVIEW OF ACCIDENT
SEQUENCES
Errors
Omissions
BWR Transient
Accident
I (-)
N
PWR Loss of Power
Transient Accident
N
I (+)
N - no discrepancy found.
I - discrepancy found, but assessed to result in an insignificant
change in the overall risk.
M - discrepancy found, but the risk impact could not be definitely
determined due to limited resources or insufficient informa-
tion.
(+) - correction of the discrepancy would result in an increase in
the overall risk.
(-) - correction of the discrepancy would result in a decrease in
the overall risk.
Table 7 - RESULTS OF REVIEW OF COMPONENT
FAILURES
Component Failure Data
Common Mode Failures
Design Adequacy
Quantified
Yes
Partially
No
Complete
Yes
Yes
No
Applied
Yes
Partial-
ly
Indeter-
minate
Errors
Yes
No
No
19
-------�
considered. "Applied" refers to the extent to which the results were
translated into the main stream of the WASH-1400 risk evaluations.
The "Errors" column is an assessment of whether errors of potential
significance were found in each Appendix reviewed. In most cases, due
to incomplete information, it was not possible to establish the signi-
ficance of the shortcomings found in each Appendix. The results shown
in Table 7 represent general assessments in the four rather broad cate-
gories. Specific and detailed assessments can be found under Section
V, item 8.
The results of the consequences area review are shown in Table 8. Ex-
cept in the case of Tritium Release, which was not discussed in WASH-
1400, no omissions were found. There were, however, apparent errors
in the WASH-1400 analyses for the other three areas, as shown in
Table 8. In none of the cases was an attempt made to quantify the
change because of limited resources or lack of sufficient information.
Table 8 - RESULT OF REVIEW OF ACCIDENT
CONSEQUENCE AREAS
Errors
Omissions
Parametric Studies
of PWR Core Melt-
down
M (+)
N
PWR Containment
Response-Pressure
History
M (?)
N
PWR Containment
Response- Failure
Pressure
M (+)
N
BWR-PWR
Tritium
Release
(1)
I (+)
(1) not considered in WASH-1400.
I -discrepancy found but assessed to result in an insignificant
change in the overall risk.
M -discrepancy found, but the risk impact could not: be definitely
determined due to limited resources or insufficient information.
N -no discrepancy found.
(+) -correction of the discrepancy would result in an increase in
the overall risk.
(?) -change in risk could not be determined.
20
-------�
V. ANALYSIS
This section presents the detailed analysis of each of the areas se-
lected in WASH-1400 for review as discussed in the Introduction and in
the work plan included as Appendix A. The analysis is divided into
two parts. The first part includes those areas which affect the fail-
ure mode paths considered in WASH-1400. These ten areas are listed in
Table 2 of the Introduction, and include: (a) six reactor systems,
(b) three accident sequences, and (c) an assessment of component fail-
ure modes and rates.
The second part of the analysis includes the four consequence areas
selected for review as listed in Table 4 of the Introduction. For
these four areas, a review was made of the WASH-1400 analysis (if con-
sidered therein), and an independent analysis was conducted and com-
pared with WASH-1400 results.
A. FAILURE MODE PATHS
The ten failure mode paths considered in this part of the analysis were
reviewed in the following manner: For the six reactor systems, the re-
view consisted of a general review of information contained in WASH-1400,
an assessment of any omissions found, and, for the PWR systems, a de-
termination of the applicability of the Surry reactor system analysis
to the corresponding Trojan reactor system. For the three accident
sequences, the review consisted generally of an assessment of the acci-
dent sequences considered and the validity of selected assumptions.
The assessment of component failure modes and rates includes a review
of Appendices III (Failure Rate Data), IV (Common Mode Failures), and
X (Design Adequacy) of WASH-1400. The review proceeded as follows:
21
-------�
1. BWK Reactor Protection System Failure
Cent-raj Review - An .in-depth review was performed of the BWR reactor
protection system failure-to-scram analysis. The analysis, presented
in Appendix II, Vol. 3, Section 6.2 of WASH-1400, was found to be
correct except for two areas in the analysis of three adjacent rods
failing to insert upon scram demand, and the credit taken for liquid
poison injection.
The probability that three adjacent rods will fail to scram from hard-
ware failures is assessed in Section 6.2, page 106 of WASH-1400 to be
!>.8xlO . This event is a major contributor to the failure-to-scram
probability from all sources (1.3xlO~ ) derived in WASH-1400. It is
assumed that the failure of any three adjacent rods to insert results
in failure to render the core subcritical. This assumption is describ-
ed as "extremely conservative," and it is not clear why a more realis-
tic determination was not attempted, particularly in view of the fact
that the charter for the Reactor Safety Study specifically called for
a "realistic assessment" (page 15, main document). As will be seen,
this assumption can have a substantial influence on the calculated
risks to the public from BWRs.
The value of 5.8x10 was derived, through a series of calculations
and manipulations, from the failure rate data derived from BWR operat-
ing experience as described in Section 3.2 of Appendix III to WASH-
1400. According to Section 3.2, there have been two control rod fail-
ures reported out of 16,200 individual rod insertions. This yields a
failure rate of 2/16,200 = 1.2x10 per demand, which was rounded to
1.0x10 . This means that, for a core with 185 control rods (repre-
sentative of current BWRs), a rod insertion failure would be expected
to occur once in every 54 scrams. This appears to be a low, but not
'necessarily unreasonable, number. However, in view of the potential
critical importance of this value, it would be appropriate to substan-
tiate its validity. In particular, the data base should be probed to
assure that:
22
-------�
O) All rod insertion failures were indeed reported. There is a
tendency not to report failures which are easily correctable,
not considered important, or are not reported due to misinter-
pretation of the AEC's failure reporting criteria.
(2) All applicable data have been included. The data base, two
failures out of 16,200 for the year 1972, provides only 90
percent confidence that the failure rate is between 2x10
_A
and 3x10 , viewing the 16,200 scrams as a large number of bi-
nomial tests. This uncertainty was not considered in Appendix
III. More recent data from 1973 to date, mentioned on page 31
of Appendix III, and alleged to support the 1972 data, should
be included to statistically improve the failure rate. In ad-
dition, Table III-5 shows a total of six BWR control rod failures
-4
(which would yield a failure rate of 3x10 ) not two as indicated
on Table III-7 from which the failure rate was derived. Table
III-7 is said to be compiled from data in Table III-5, and the
number of failures correspond in all cases except control rods.
It is not clear why the difference exists.
An extensive fault tree analysis of a BWR control rod insertion fail-
ure during scram was performed by Acero . He concludes, based par-
tially on data obtained from General Electric Co., that the probability
of a control rod failing to insert upon a scram demand is about 3x10 ,
a factor of 30 higher than the value used in WASH-1400. While this
value seems unreasonably high and not supported by reported experience
(also, some assumptions in Acero's work can be disputed), the differ-
ence needs to be resolved.
To determine the sensitivity of the calculated overall public risk
from BWRs to the failure probability of control rod insertion upon
scram demand, a sensitivity study was performed. Table 9 gives the
increase in probability of a radioactive release in BWR release
23
-------�
Categories 1, 2 and 3 (Appendix V, page 38), assuming a value of
LxlO for the control rod insertion
pvob«l»t, I (\ v ,
The first column, "RPS Failure Probability," is the failure probability
of the reactor protection system from all causes, including failure to
insert three adjacent control rods. "Total Scram Failure Probability"
Includes the RPS failure plus manual initiation of the liquid poison
injection system.
It is emphasized that technical justification does not exist for using
_3
a failure probability of 10 for a single control rod insertion fail-
ure. It is simply a convenient value with which to establish sensi-
tivity, and it lies between the WASH-1400 number and Acero's result.
Categories 1, 2, and 3 are the only categories out of the six included
in WASH-1400 which are affected by the failure to scram.
Table 9
SENSITIVITY OF BWR RELEASE PROBABILITY TO CONTROL ROD FAILURE
PROBABILITY
WASH-1400 evalua-
tion with single
control rod, fail-
ure - 1x10 Uj
Sensitivity study
evaluation with
single control
rod failure =
1x10" 3
IPS Failure
Probability
1.3xlO-5 (2)
3.9xlO~4
Total Scram
Fail. Prob.
4xlO-7 (2>
1.2xlO~5
Release Probability
Categ.l
9xlO-7(3>
7x!0"6
Cat eg. 2
2xlO-6(3)
2xlO~5
Categ.3
lxlO-5(3)
9.8xlO~5
(1) Appendix III, Pg. 39, WASH-1400
(2) Appendix V, Pg. 68, WASH-1400
(3) Appendix V, Pg. 38, WASH-1400
24
-------�
Table 10 gives the change in overall risk from BWR accidents, in aver-
age acute fatalities per year, as a result of changing tnie single
-4 -3
control rod failure probability from 10 to 10 .
Table 10
INCREASE IN AVERAGE ACUTE FATALITIES PER YEAR FROM INCREASE IN
CONTROL ROD FAILURE PROBABILITY^)
Category
o
0
i-H
X
s
1
CO
H
M
M
H
1— 1
CO
s
CO
1
2
3
4
5
I
2
3
4
5
Probability Average Acute
Per Year Fatalities
9xlO~7
2xlO"6
IxlO"5
3xlO"5
lxlO~5
7xlO"6
2xlO~5
9.7xlO~5
3xlO"5
IxlO"5
1.7
48.0
3.0
3.9
1.1
WASH- 1400 TOTAL -
1.7
48.0
3.0
3.9
1.1
Average Acute
Fatalities/yr
1.5xlO~6
9.6xlO~5
3xlO~5
1.2xlO~A
IxlO"5
2.7xlO~A
l'.2xlO~5
9.6xlO~A
*' •• ft
"I" j *0 V 1O
IxlO"5
SENSITIVITY STUDY TOTAL « l;«XlO~3
All WASH-1400 values from Table VI-20, Appendix VI, pg. 71.
•"4
Thus, changing the single control rod failure probability from 10 to
_3
10 results in an increase of about a factor of five in the calculated
average acute fatalities per year from all BWR accidents.
Since the BWR risks, based on the foregoing analysis, appear to be
quite sensitive to the probability of a single rod failing to scram
upon demand during a transient accident, it is important that the
25
-------�
single rod scram failure probability be accurately assessed. In parti-
cular, additional, more extensive data (which is apparently available)
should be included in the assessment; the reason for including only two
of six reported failures needs to be analyzed and explained; and
Acero's analysis should be considered.
A second area which appears somewhat questionable in the WASH-1400
analysis of RPS failure occurs on page 105 of Appendix II (Vol. 3).
In determining the probability of three adjacent control rods failing
to insert on scram demand, consideration is given to common mode fail-
ures. On page 105, the following assessment is present:
"The probability of any three rods failing to enter the core
was assessed on the basis that complete independence is a
nonconservative assumption, while tight coupling of these
failures is probably overly conservative. Complete inde-
pendence yields:
(lxlO~A) (lxlO~S (lxlO~4) - lxlO~12
A tight coupling assessment is based on observed common mode
failures, which are approximately 10 percent of observed
failures. However, the majority of these cause only degra-
dation of the component, approximately 10 percent result in
failure. Thus, the assumption of tight coupling yields:
(Ixl0~4)(lxl0~2) - lxlO~6
The log-normal median between these values is:
(Ixl0~12)(lxl0~6) - lxlO~9
Using this value..."
-9
The value of 1x10 was subsequently used to compute the RPS failure
probability. The above discussion in WASH-1AOO seems to imply that
the common mode contribution is 0.01 times the single component fail-
ure rate. Thus, the actual value to be used, based on this discussion,
would appear to be 1x10 , rather than some combination (In this case,
log-normal median) with the uncoupled failure rate.
26
-------�
Obviously, the "tight coupling" assessment of 0.01 times the single rod
failure rate is not based on observed common mode failures of control
rods since too few have occurred. However, the "observed failures"
from which the 0.01 was derived are not identified, nor is there any
Justification for applying this rate (and assuming it represents a
"tight coupling") to BWR control rod failures. Both of these consid-
erations must be included in order to establish the validity of the
assessment. In addition, the basis for combining a common mode fail-
ure contribution with a loose coupling failure contribution by use of
a log-normal median technique needs explanation and justification.
Based on the foregoing discussion, a computation was done assuming a
value of 1x10 for three adjacent rods failing to insert. The net
result was to raise the calculated total BWR risks by a factor of 30
and the average risks correspondingly (see Figure 1.)
A third consideration relative to the probability of reactor shutdown
which appears to be incorrectly assessed in WASH-1400 is the credit
taken for operator action in .activating the liquid poison injection
system. According to Appendix V (page 68) of WASH-1400, the failure
of "Reserve Shutdown," which includes automatic recirculation pump
trip plus manual actuation by the operator of the liquid poison injec-
tion system, is dominated by operator failure and is assessed to be
_2
3x10 . It does not appear reasonable to take credit for manual
actuation of the liquid poison injection system in the event of RPS
failure for the following reasons:
(1) According to the description in Reference 8, in order to actuate
the liquid poison injection system, the operator must locate a
key, insert it in the proper console location and turn it. This
action fires explosive valves which allow the injection of sodium
pentaborate solution into the primary system. Since BWRs are de-
signed to operate without any soluble poison in the primary sys-
tem, the injection of sodium pentaborate solution is an undesirable
27
-------�
IE
O
E
' EC
ID
O
I — I I I Mill] - 1 'I I I HIM - 1 I | II
'
WR - Tight Coupling of Control Rods
verage (witA WASH-UOO Pwk curve)
R - Elimination of Poison Injection
verage (wit WASH-1400 PWR curve)
I ^
1
\ » A.I v ^^
V -mv I
103
ACUTE FATALITIES. X
Figure 1 ~ Effect of Changes in BWR
Reactor Protection System Analysis
28
-------�
event, requiring extensive system cleanup. The operator is un-
doubtedly aware of these consequences from liquid poison injec-
tion, and will be inhibited from using the system. The use of a
key to actuate the system imposes additional requirements on the
operator over the use of a simple switch. Such requirements,
coming during a high stress condition caused by failure to scram
during a reactor transient, should increase substantially the
likelihood of operator error. Table 111-13 in Appendix III of
WASH-1400 assesses the error rate of an operator after the first
30 minutes in an extreme stress situation as 10 , and even
greater for shorter times. In order for the liquid poison injec-
tion to be effective, the operator must fire the explosive valves
within 10 minutes of the transient event ' . In view of these
considerations, it is not clear why an operator error rate of
3xlO~2 was used in WASH-1400.
(2) Recent studies of anticipated-transient-without-scram accidents
have concluded that manual injection by the operator of liquid
poison cannot be considered, in most cases, as a backup to the
reactor protection (scram) system. WASH-1270 concludes, on
page 33, "Liquid poison injection systems (LPIS), as designed and
used at present, have too slow a response to deal effectively
with some possible failure-to-scram circumstances." The report
subsequently discards manual poison injection as a backup for
scram failure during anticipated transients. A report by General
(12)
Electric , manufacturer of BWRs, concludes "This analysis (of
anticipated transients) indicated that manual action (of the
liquid poison injection system) would be too slow to be generally
applied, and automatic initiation of the liquid control system is
required."
(3) Aside from the issue of operator reliability, there is some ques-
tion regarding the ability of the liquid poison injection to ef-
fectively reduce the core power level quickly enough to prevent
29
-------�
core damage in the event of an anticipated transient. General
Electric , in response to an AEC-Regulatory requirement
that BWR reactor protection system reliability during anticipated
transients be augmented, has proposed, in addition to automatic
initiation of the poison injection system, an increase in the
"liquid (poison) control system capacity." This proposal is
currently under review by the Nuclear Regulatory Commission. It
thus appears, according to General Electric, that even if the
liquid poison is injected automatically immediately after the
anticipated transient, its capacity may presently be insufficient
to control the event as evaluated against NRC requirements.
in view of the foregoing considerations, it does not appear reasonable
to consider manual actuation of the liquid poison injection system as
a backup to the reactor protection system in the event of some severe
anticipated transients. To assess the effect of eliminating the LPIS
from consideration, a sensitivity computation, similar to that per-
formed for the reactor protection system, was completed. A value of
1.3x10 (WASH-1400 evaluation of RPS failure) was used for failure of
reactor shutdown instead of 4x10 (used in WASH-1400 considering
liquid poison injection). The results are shown in Figure 1, and are
about the same as for the factor of 10 increase in control rod inser-
tion failure probability analyzed earlier in this section. The in-
crease in probability results in about a factor of 5 at a given acute
fatality number. The average risk curve would increase by about a
factor of 3 at low acute fatalities, and a negligible amount at high
acute fatalities. However, this is a conservative assessment since
it does not appear that all 10 of the anticipated transients assumed
r.o occur per year in WASH-1400 are severe enough to create an offsite
risk in the event of scram failure. As discussed in item 2 of this
section (BWR Transient Accidents), only about three severe transients
per year might be anticipated. This would nearly offset the increase
in risk associated with eliminating credit taken for manual liquid
poison injection discussed previously. Since a wide variety of
30
-------�
initiating events are lumped into anticipated transient accidents, it
would seem prudent for the WASH--1400 analysis to consider these sepa-
rately to determine under what circumstances scram is required, how
quickly core shutdown is needed to prevent core melt, and under what
conditions the liquid poison injection system can be considered as a
backup. The WASH-1400 analysis presently considers all. anticipated
transients on the same bases.
It should he noted that the changes proposed by General Electric in
Reference 12 could, if accepted by the AEC and shown to be effective,
reduce the probability of reactor shutdown failure in the event of an
anticipated transient. Since WASH-1270 recommends an increase in
reactor shutdown reliability, some modifications to the BWRs, if not
GE'R current proposal, will presumably be made. These modifications
will alter the WASH-1400 risk assessment.
Omissions - No omissions were found in the WASH-1400 analysis.
(1°_11° Lyj'A0.!1? ~ *ne effect of the revisions to WASH-1400 considered in
this section would result in an increase in BWR risks. The quantita-
tive increases presented serve only to illustrate the sensitivity of
questionable analyses in WASH-1400 and the need for additional study.
Anticipated future changes in BWR reactor shutdown reliability would
be expected to reduce the BWR risks. A realistic assessment of the
number and location of control rods required to shut down the reactor
would also likely lead to reduced risks, as indicated at the beginning
of this section.
Miseellaneous Comments - The following comments on WASH-1400 were
developed during the course of the review of the BWR Reactor Protection
Syst era:
(I) Apjp_eruH x JLIj__Vo_!U_ 3, Page 105-106 - The entire development of the
hardware contribution to the reactor protection system failure
31
-------�
(Q ) needs substantially 'more description .uul oxplanation. The
tirst sent cure of page 105 should, it apprais, road " I'lu- piobtibi 1
ity of any specific three rods..." Also, i lie numerical value of
l'(3A) - 3.0x10 cannot be obtained from tin1 pi frediuu equation.
Also, it appears in the analysis that random (rather than adjacent)
rod failures sufficient to cause scram failure have not been con-
sidered, nor have configurations of greater than three adjacent
rods.
(2) Main Document, Page 236 >- The statement that there have been 2000
reactor years of military and commercial power reactor experience
with no nuclear accidents is not correct. Depending on the defi-
nition of "nuclear accidents," numerous accidents have occurred
and, in at least one case, a stationary, low power, military
reactor (SL-1) experienced a nuclear excursion which killed three
people. (Due to differences in design, the initiating event for
this accident would not cause an excursion in commercial power
reactors.)
(3) Appendix II, Vol. 3, Section 87 - It is not clear why the values
computed for RPS unavailability differ so much throughout this
section. The median unavailability computed by Monte Carlo simu-
lation is quoted as 1.3x10 " ((X.™.) on page 92. The point esti-
MtD ' _,
mates which contribute to Q.™., add up to 8x1.0 , and the Contri-
MED
bution Pictorial Summary (Fig. 11-131, page 123) lists a value
of 2.47x10 as the total for RPS unavailability. Also, the
triple failure contribution in this figure (2.8x10 ) doesn't
agree with the point estimate (5.8x10 ) on page 92.
(A) Appendix V, Page 68 - The RPS failure value in the figure was ob-
tained from the value calculated on page 92 of Appendix II, .Vol.3.
However, this latter value was based on the occurrence of a LOCA,
while the application on page 68, Appendix V, is for transient
32
-------�
events. Although a difference in RPS failure probability may not
be significant between a Loss-of-Coolant-Acident (LOCA) and a
transient, different sensors measuring different quantities are
used to initiate scram for the two accidents.
2. BWR Transient Accidents
General Review - BWR transient accidents are described and analyzed in
Appendix I, Section 4.3.2 of WASH-1400. The accidents appear to be
properly considered except for the assumptions made regarding the like-
lihood of the initiating event.
Likelihood of transient event - The assumed frequency in WASH-1400 for
"anticipated" transients is 10 per year, as assessed on pages 56 and
57 of Appendix V, WASH-1400. This frequency is based on information
contained in Reference 13, which indicates about 10 BWR transients per
reactor year. However, only about three of these shutdowns were severe
enough to require an immediate core shutdown to prevent core damage.
That is, only three would qualify as anticipated transients requiring
quick core shutdown. During 1973, according to Reference 14, an
average of two such transients occurred per reactor. Reference 12
develops a list of nine transients, based on operational experience,
which "have the potential of a frequency of occurrence of at least once
in four years of reactor operation at power conditions such that a sig-
nificant transient results and scram is called upon to shut down the
reactor." Assuming, on the average, nine transients in four years per
reactor results in 2.25 transients per reactor year. It thus appears
that a realistic estimate of anticipated transient frequency would be
three per year rather than 10 as used in WASH-1400.
A factor of three reduction (from 10 to 3) in the yearly frequency of
anticipated transients would, reduce the probability of release by a
factor of three for BWR release categories 1 through 4, since each is
dominated by anticipated transient accidents. This would, in turn,
33
-------�
10J F
a:
o
nrm—n i mm—pi i MINIi i i in
j r
PWR I
Average; | WASH-.UOO
WR
BWR TransleJi
Accidents feeduced
JJ I III i III I I 111 I I. .1 I 1
io3
ACUTE FATALITIES. X
Figure 2 - Kffect of Reducing Frequency
of BWR Transient Accidents by 1/3
35
-------�
required emergency (diesel) power for providing sufficient low pressure
coolant injection (LPCI) capacity during large losr,-of-coolant acci-
dents .
The discussion on pages 12, 34, and 35 of Appendix II, Vol. 3, implies
that all four diesel generators must be lost coincident with loss of
net to cause insufficient power to engineered safety features (ESFs).
A review of the Low Pressure Coolant Injection System (Section 6. A. 2,
Appendix II, Vol. 3) reveals that three of four LPCI pumps are required
in the event of a large LOCA. Review of the Peach Bottom electrical
distribution (Table 8.5.2b of Reference 8) indicates each LPCI pump
(RHK pump in that table) is powered from a separate 4 kV bus. There-
fore, loss of two diesel generators, hence two 4 kV buses, results in-
insufficient power to the LPCI pumps. Loss of off-site net plus two
diesel generators should then be the event which causes Insufficient
LPCI capacity rather than total loss of all a-c power (including four
diesels). The discussion of tripping diesels due to starting surges
(page 35, Appendix II, Vol. 3) should, therefore, be modified. Sec-
tion 5.3 of Appendix III states the probability of this event for two
diesel generators is 1x10 . This will increase the overall probabil-
ity of insufficient power to ESFs by a factor of 10, to 1x10
A study was performed to determine the effect of increasing the prob-
ability of sufficient emergency electrical power to the CPCI pumps by
a factor of 10, from 10 to 10 . According to Section 6. A. 2 of
Appendix II, Vol. 3, the median estimate of LPCI unavailability is
-2
.1.5x10 . Thus, the contribution to unavailability from the emergency
power system is negligible, even if increased a factor of 10 from the
value used in WASH- 1400.
js - No omissions in WASH-1400 were found during the review of
the BWR electric power system.
36
-------�
s_- Correcting the probability of BWR emergency power fail-
ure by increasing the WASH-1400 value by a factor of 10 will result in
an insignificant increase in calculated risks from BWR accidents.
Miscellaneous Comments - The following comments on WASH-1400 were
developed during the course of the review of the BWR electric power
system failure analysis:
(1) Appendix II, Vol. 3, Section 6.1 - The common mode failure of all
four diesels due to blockage of the cooling water return line
may be a significant contributor. It appears that this failure
has not been considered in Appendix 11.
(2) Appendix II. Vol. 3, Page 43 - It is not clear why Q'(EDG) (fail-
ure of emergency diesel generator) is calculated by computing an
average between a diesel being unavailable and a running diesel
failing. It seems that either failure mode results in the diesel
being unavailable and the probabilities of the two modes should
be added.
(3) Appendix II1 Vol. 3^ Section 6.4.2 - it is not clear why the Q
_2 n&Li
for total LPC1. system unavailability (1.5x10 ) is lower than one
-2
of its contributors, Q^, = 1.7x10
Test & Maint.
4• PUR Electric Power System Failure
General Review - The failure modes and analysis presented in Appendi-
ces II (Vol. 2) and III of WASH-1400 were reviewed. No errors leading
to a definitive, significant change in PWR risks due to electric power
'"allure were found. However, a significant number of minor errors,
discrepancies, and questionable assumptions were found. In some cases,
Lhe effect of the error could not be definitely assessed due to a lack
of information. In all such cases, it was judged qualitatively that
the effect would not be significant; however, additional effort is
37
-------�
required to provide sufficient, credibility to such judgments. The
errors, discrepancies and questionable assumptions are as follows:
(1) Availability of Power at LOCA - The assumption in Appendix II,
Vol. "2, Section 5.1 that all emergency buses are available im-
mediately prior to LOCA is questionable. The basis for this
assumption is that the Technical Specifications require reactor
shutdown if an emergency bus becomes unavailable. The following
should be considered:
(a) There is a finite probability that Technical Specifications
will be violated, either intentionally or unintentionally.
A number of AEC-reported "abnormal occurrences" have involved
violation of Technical Specifications. Such violations
would probably be grouped under the heading of "human reli-
ability," with values of the same order of magnitude as
-2 -A
discussed in Section 6.1 of Appendix III (10 to 10 ).
Unavailability of a bus, coupled with violation of a Tech-
nical Specification, may be an insignificant contributor to
total unavailability, but until quantified, an assessment
cannot be made.
(b) The indicators and annunciators designed to tell the operator
he is without a bus have a finite probability of failure.
Such a failure is considered for HPIS failure on the fault
tree on Figure 11-70, Appendix II, Vol. 2, and assigned a
-4
point unavailability value of 1.1x10 . This probability,
although minor, does not. appear to be considered for the PWR
Electric Power System Failure.
(?.) Detection of Bus Failures - The assumption (Appendix II, Vol. 2,
Section 51) that faults do not exist on a bus at inception of
LOCA may he questionable. The methods and frequencies of detect-
ing failures (annunciators, ground detectors, maintenance, etc)
will strongly influence the validity of this assumption. Another
38
-------�
consideration should be the operator action required if a ground
is detected on the bus. The Technical Specifications do not
specify any required action. However, normal ground isolation
procedures involve sequentially de-energizing selected buses
until the ground is found. There is also a finite probability
that undetected faults exist on a bus. Until these considera-
tions are quantified, insufficient data exist to determine the
impact that such bus faults would have.
(.'!) Time Invariant Failure Rate - In the cumulative failure proba-
bility discussion on page 30, Appendix II, Vol. 2, the assumption
that effective failure rate (X) remains constant with time appears
to be neither conservative nor realistic. In particular, grounds
and faults associated with grounds resulting from a harsh LOCA
environment would be expected to increase with time. An AEC
evaluation of eight LOCA incidents in BWRs showed that grounds
occurred during two of the eight incidents. During one of the
Incidents, grounding of components resulted in loss of capability
of control room annunciators to properly indicate the status of
both the EGGS and plant radiation instruments. The eight inci-
dents involved primary coolant releases of relatively short dura-
tion. Extended exposure to a LOCA environment might be expected
to cause long range degradation of electrical insulation and/or
components.
d-\) Operator Error, Breaker Opening - Appendix II, Vol. 2, Section 5.1
-4
assigns a probability of 10 to the operator inadvertently open-
ing breaker 15H3 or 15H8 under stress. Such a value does not
appear in Table 111-13, nor does corresponding discussion appear
in the "Human Reliability" section of Appendix III. Furthermore,
if the operator is required to take any specific actions during a
LOCA which involves operating breakers from the control room, a
-4
probability of 10 for improper action seems to be quite low
39
-------�
compared with thf probability of operator errors described in
Table JJ.J-J3.
(')) '*at-JLery Unavai labili ty - From the discussion of d-c bus unavail-
ability on pages 26 and 39, Appendix 11, Vol. 2, it is not clear
what types of faults lead to the unavailability of station bat-
teries (assigned P. value of 10 ). Since faults leading to bat-
Lery unavailability preclude use of the" d-c bus, then mere un-
availability of the d-c bus will cause insufficient power to ESF.
Availability of net becomes insignificant because, even though
net. power is supplied to the 4160-volt and 480-volt emergency
buses, d-c control power is not available to start the ESF loads.
Therefore, further discussion and clarification is needed to
evaluate the major contributing factors to q (battery) since it
can be a significant factor in determining the probability of
power to ESF.
Oraiss iojis - Severn] omissions were found in the WASH-1400 analysis of
the PWR electric power system. It is possible that some failure modes
discussed herein were considered but rejected due to low probability
of occurrence or due to insignificant consequences. It is also pos-
sible that: the failure modes were considered but deleted when the
t.-in 11. trees were simplified. A discussion should be provided in the
text if failure modes fall into these categories to give some reason-
able assurance of completeness. It does not appear that any of the
omissions found would significantly contribute to the overall risk,
hut further analysis is required to substantiate this conclusion. The
following omissions were found:
(I) Operator Error, Opening of Breakers - Appendix II, Vol. 2, Sec-
-4
t.ion S. I assigns a value of 10 to the operator inadvertently
opening breakers 15H3 or 15H8 under stress. It seems logical to
assume that an equal probability exists for him to open other
breakers from the control room. These include breakers 15E1,
40
-------�
15C2, 15F1, 15H7, 14H1, 14H10, 14H6, etc, each o£ which may de-
energize its respective emergency bus. Addition of these events
to the fault trees of Figure 11-23, Sheets 2 and 3, increases the
probability of insufficient power to each bus by a factor of two
to three.
(2) Maintenance Caused Unavailability - Operator induced maintenance
errors and unavailability due to maintenance do not appear on the
fault trees. It is possible that no maintenance is performed on
the electrical system during operation. However, maintenance.
errors, such as improperly racking breakers in or miscalibration
of relays in control circuits, could contribute to bus unavail-
ability.
(3) Diesel Generator Unavailability - Due to simplification of the
fault tree in Figure 11-23, Sheet 8, it is impossible to tell if
the considerations for diesel generator availability, discussed
on pages 35-38, Appendix 11, Vol. 2, are included. The importance
of the diesel generator warrants inclusion of Its subtree as a
separate sheet in Figure 11-23.
(4) Common Mode Failures - Some common-mode failures appear to have
been overlooked or discarded in the analysis. These include the
following:
(a) It is possible that an earthquake, equal to or greater than
the safe shutdown earthquake, would cause a loss of both
onsite and offsite power. Appendix X states that neither
the a-c nor the d-c switchgear could be assessed as to seis-
mic design adequacy. On the basis of this statement, it
appears that common mode failure due to an earthquake should
be evaluated in the fault tree.
-------�
(b) A relay failure in the circuitry of breakers 15H8 and 15H3
could result in placing the emergency diesel generator on
the 4160v emergency bus while the bus is still enetgized by
the preferred (offsite) source. If the diesel is paralleled
out of phase with the offsite source, excessive torque and
current can result, tripping both sources. This may be sig-
nificant since failure of a relay to energize is assigned a
value of lxlO~A/Demand in Table III-l.
(c) Physical location of various ESF load breakers should be
evaluated. If a short circuit exists across a load breaker,
it may result in drawing excessive current across the break-
er and creation of an electric fireball within the switch-
gear. This fireball, by virtue of its heat and high current,
can cause the other breakers in the vicinity (within the
same switchgear) to trip open. It is not clear from the
discussion that such an evaluation was made.
Trojan Comparison - Comparison of the Surr.y electric power system with
that of Trojan revealed several differences. It appears that the dif-
ferences would result in a higher value of electric power system reli-
ability for the Trojan reactor than for Surry. The amount of increase
Is probably small, but an in-depth assessment is required before the
difference can be quantified. The differences are as follows:
(1) A major contributor to loss of all electrical power was loss of
net, due to challenging the system's transient stability limit.
_3
The probability (10 ) that offsite power would be lost as a
result of LOCA is based on "generalized information for plants
east of the Rockies." The applicability of such a data base to
Trojan (or other plants west of the Rockies) may not be valid.
\2) Surry uses three emergency diesels to supply two plants, while
Trojan uses two diesels for a single plant. A failure or main-
42
-------�
tenance outage of the "shared" Surry diesel results in two plants
losing diesel redundancy, while at Trojan failure or maintenance
on a diesel affects only one plant. This results in a slight
increase in diesel availability at Trojan.
(3) The emergency loads that each diesel generator is required to
supply at Surry.comprise a total of 2320 kW, or 85 percent of
the diesel rating of 2750 kW. The Trojan emergency loads com-
prise 3364 kW or 76 percent of the AA16 kW ratings. These num-
bers indicate that there should be a slightly higher probability
of overloading the Surry diesel when it picks up emergency loads
than for the Trojan plant. However, other considerations such
as overloading which depends on the magnitude of the starting
current surges for various components must be considered. A re-
lated factor, the diesel generator loading sequence, seems to be
spread over a slightly longer time span for Trojan. This should
reduce the probability of overloading the diesel if required
during an accident.
(A) The d-c system of Trojan is slightly more redundant than Surry.
Each of the two battery chargers supplying each battery is power-
ed from a separate motor control center at Trojan, while at Surry
the same motor control center supplies both chargers for each
battery.
(5) Two variations in the Technical Specifications between Surry and
Trojan were found. A primary offsite source can be unavailable
for up to 7 days at Surry while only A8 hours is allowed at
Trojan before shutting down. Conversely, Trojan is allowed to
operate without a power source to an emergency bus for up to A8
hours, while Surry requires shutdown if any emergency bus is de-
energized. The first variation causes the Trojan electric power
system to be more reliable, while the latter results in less
reliability. (It should be noted that the Trojan Technical
A3
-------�
Specifications used in this review are those currently included
in the Trojan FSAR. They have not been approved for use during
reactor operation.)
Conclusions - The following conclusions are derived from the .review of
the PWR electric power system:
(1) Although numerous inconsistencies, minor errors, and questionable
assumptions were found in the WASH-1400 failure analysis of the
PWR electric power system failure, none appeared to have the po-
tential for materially changing the overall PWR risk assessment.
More detailed analysis is required, however, to quantitatively
substantiate this conclusion.
(2) Some minor omissions were found in the WASH-1400 PWR electric
power system failure analysis. None appeared to have the poten-
tial for materially changing the results of the analysis.
(
(3) Due to several differences noted between the Surry and Trojan
electric power systems, it is not possible to conclude that the
results of the Surry analysis applies to the Trojan type reactor.
It appears that the electric power system availability for the
Trojan class of reactor may be slightly better than for Surry.
Miscellaneous Comments - The following comments on WASH-1400 were
developed during the course of the review of the PWR electric power
system:
(1) General - Regulatory Guide 1.93 concerning the availability
of electric power sources has recently been published. The in-
fluence that this Regulatory Guide would have on the availability
of power sources should be evaluated. For example,, the Regulatory
Guide allows operation of a nuclear plant at reduced power levels
for specified time periods following loss of an offsite or onsite
44
-------�
power source, even though Technical Specifications might prohibit
such operation. Therefore, the initial assumption that ojffsite
power is available at inception of LOCA may not be entirely valid.
(2) Appendix II. Vol.. 2. Page 27 - It is not clear in the battery
capability discussion whether some minimum battery specific grav-
ity is assumed. The Surry Technical Specifications do not specify
a minimum allowable specific gravity. Operating procedures may
include such a requirement, but the text discussion should address
this subject.
(3) Appendix II. Vol. 2 - The legend provided in Tables II-5, II-6,
II-7, and II-8, and the discussion on page 36, Appendix II, Vol. 1
do not correspond to the symbols shown on the fault trees. As
an example, the middle fault tree of Figure 11-23, Sheet 3, con-
tains a symbol showing:
ZCB 3007S
ZCB 3008S
The prefix "Z" is not shown as a system in Table II-5 while the
suffix "S" indicates a short to ground in Table II-8 rather than
failure by .opening. Consistency with the rest of the study is
needed in the use of failure mode symbols.
(4) Appendix II. Vol. 2. Pages 9 & 10 - It is not clear why failures
of the emergency power systems were not evaluated for the period
between 24 hours and one month after LOCA. It may be an error in
the text.
(5) Appendix II. Vol. 2. Pages 46 to 55 - Values of "X" and "q" were
unavailable in many cases except in an abbreviated form on these
pages. The Loss of Power Transient did not have a table such as
-------�
11-12, to provide the values used in individutij fault trees. In
many cases, failure values used in the trees were modified ver-
sions of data obtained from Table III-l. Modifications were
based on "engineering judgment," and although the engineering
judgment may be sound, there is no supporting discussion in the
text.
r>. PWR High Pressure Injection System (HPIS) Failure
General Review - The failure modes and analysis of the PWR high pres-
sure injection system presented in Appendix II, Vol. 2, Section 5.6.4
of WASH-1400 were reviewed. The following discrepancies were found:
(.1.) Operator Failure to Open Service Water Valves to Lube Oil Coolers -
As pointed out on page 313 of Appendix II, Vol. 2, the operator
must manually open a valve in the service water system to the
standby pump lube oil coolers in the event that a standby pump is
required. Otherwise, the pump will fail from overheated lube oil.
This operator action is required any time that either standby
HPIS pump is needed to protect the core from overheating during
a small break LOCA. This can occur under the following circum-
stances: (1) when failure of the operating pump occurs after a
small break in any part of the primary system except the "reactor
vessel cavity," and (2) when a small break occurs in the reactor
vessel cavity. In the latter case, two pumps are required; there-
fore, even if the operating pump does not fail, the operator must
open at least one of the valves to allow service water flow to
the lube oil coolers. The probability that the operator fails to
open the service water valves to the two standby pump lube oil
heat exchangers is assigned a value of 1x10 in Appendix II.
The value appears to be low based on information presented in
Appendix III of WASH-1400. The ability of an operator to cor-
rectly respond to a given accident situation is dependent on many
factors, as indicated in Appendix III. Dominant among these
-------�
factors are (1) the stress level as perceived by the operator when
the accident occurs, and (2) the time interval allowed for the
action following the onset of the stress condition. The occur-
rence of a small break is likely to produce a high stress condi-
tion for the operator, especially if the break is large enough to
create a pressure transient in the system which significantly
alters instrument readings in the control room and trips several
annunciators. The description of the operator action required
to open the valves, the failure of which is assumed to result in
failure of the pump, states "Service water valves to lube oil
cooler not opened by operator when pump starts" (Item FXVPASWO on
page 348 of Appendix II, Vol. 2). The pump is started automatic-
ally by the safety injection control system upon receipt of sig-
nals of low pressure and low pressurizer level. Thus, for all
but very small breaks, the pump will be started quickly. In the
event of a small break, it is likely that a high stress condition
will be perceived by the operator, and he will be required to act
soon after the break if a standby HPIS pump is required. Under
these conditions, if the operator is required to act within 60
seconds, his estimated error rate is approximately 1.0 according
to Appendix III (page 130) of WASH-1400. However, despite the
failure statement for FXVPASWX, the pump will undoubtedly operate
for some time before its lube oil becomes hot enough to cause
failure. If this time interval is longer than 30 minutes, the
error rate in an extreme stress condition is 10 (page 131).
However, a small break probably won't create an "extreme" stress
condition. The error rate for a "high" stress condition for
-2
action required after several hours is 10 according to Appen-
dix III (page 131). It would appear then that the proper error
' _i
rate for the operator during a small break is between 10 and
-2 -2
10 . For the purpose of this discussion, a rate of 5x10 will
be used.
47
-------�
The operator failure probability to open the service water valve
to the lube oil heat exchanger for the second.standby pump given
that he fails to open the valve to,the first standby pump is
assumed to be also 10 in the Appendix 11 analysis for the HP1S.
In Appendix 111, page 130, an error rate of approximately 1.0 is
given: "If an operator fails to operate correctly one of two
closely coupled valves or switches in a procedural step, he also
fails to operate the other valve." This description appears to
apply to the- situation under discussion.
Summarizing, the following table (Table 11) compares the failure
(or error) probability given in Appendix II, Vol. 2 for the fail-
ure of the operator to open the service water valves to the heat
exchanger in the HPIS with what is judged to be a more reasonable
assessment.
Table 11
ERROR RATE: SERVICE WATER VALVES TO LUBE OIL COOLER NOT
OPENED BY OPERATOR WHEN PUMP STARTS (FXVPASWX)
Event WASH-1400 Error Rate As Assessed Herein
-3 -2
1. Operator fails 10 5x10
to open first
valve
2. Operator fails 10~ 1
to open second
valve
To determine the significance of the differences in Table II-6A,
it is necessary to analyze appropriate fault trees in Appendix II,
Vol. 2. The operator error being considered is included in a
failure group labeled Q , a group which includes seven events of
the same type as the operator failure being analyzed. The total
for failure group Q (with FXVPASWX - lxlO~3) is 2.3xlO~2.
-2
Using a value of 5x10 for FXVPASWX increases Q.. to a value of
48
-------�
-2
7.2x10 . Q-c appears explicitly in two fault trees, Figure II-
63, page 371 and Figure 11-64, page 372 of Appendix II, Vol. 2;
Figure 11-63 is reproduced with alterations as Figure 3. The
fault tree top event failure probability has been recomputed
_2
using a value for Q_, of 7.2x10 . Also, the subtree for the
event "3 charging pumps fail" has been replaced to reflect the
fact that operator failure to open both service water valves to
-2
the lube oil heat exchangers is 5x10 . This completely dominates
other failure combinations which could result in both standby
pump failures. As seen in Figure 3, the top event probability is
-6 -4
raised by a factor of about 50 (from 7.0x10 to 3.7x10 ) when
revisions are made. (All revised numbers are shown in parenthe-
ses.) However, when this change is factored into the overall
availability of the system (Figure 4), the change becomes insig-
nificant, from 3.6x10 (when one of three charging pumps re-
_3
quired) to 4.0x10 (revised numbers shown in parentheses) since
other single and double failures dominate.
For the case when two of three pumps are required, the applicable
fault tree from Appendix II, Vol. 2, is Figure 11-64 (page 372)
which has been reproduced and revised as Figure 5. As'before,
the numbers in parentheses are revised failure rates based on the
values In Table 11. Starting from the left side of Figure 5, the
subtree under the event, "Failure of 2 Charging Pumps when 1 Out
for MAINT," has been revised to reflect the increase in Q5_ +
Q-, under "Standby Charging Pump Fails to Start or Run 24 Hrs."
zo
On the right hand side of Figure II-6C, the value .2 (Qoc + Q»,)
_2 -1 25 26
has been increased from 4.8x10 to 1.5x10 to reflect the in-
creased value used for Q7r- A new event has been added at the
extreme right of the figure, "Operator Fails to Open Valves to
Lube Oil Heat Exchanger." This has been added to reflect the
unit probability used that if the operator fails to open the
first valve, he will also fail to open the second, thus disabling
both pumps. Since this event is (incorrectly) included under the
49
-------�
J_
F.Hurt 0(3
. Cuffing Pump«
No"* Out for
MAINT
19 «lO- _
(3.6x 10 )
Out
For
MAINT
No
CHP-i
3 Charging
Pumps Fail
Oj4(OI
7.J « 10'
2.< « ICC2
(This subtree in WASH-1400 replaced by
subtree on far right.)
2.Ja»0-3
(7.2 X 10"2)
Figure 3 - Revised Quantitative Pictorial Summary for One of
Three HPIS Purops with Point Failure Estimates
-------�
Single
Failures
SF
1.1 x Id'3
Double
Failures
DF
UDF
2.5 x 10'3
Failure Of HPIS
To Deliver
Sufficient Water
To RCS When
Cold Leg LOCA
Q - 3.6 x 10' (1/3 Charging Pumpi Required) (4.0 .* 10
Q - 6.0 x 10"3 (2/3 Charging Pumps Required) (6.0 x 10" )
Charging
Pump
Failures
CF
°CF
7.0 x lO^ (1/3 Required) (3.7 x 10~)
2.4 x 10'3 (2/3 Required> (5.6 x 10~2)'
Figure A - Quantitative Pictorial Summary of HPIS Failure
With Point Estimates Showing Effect of Qcf Increase
-------�
Ui
N>
Eilter Of
2Sl*mlby
PurapiFul
r^ 2.4 n 10-2
(1.5X10 ) (2.3x ID"2)
Figure 5 - Revised Quantitative Pictorial Suraaary for Two of Three HPIS Pumps
With Point Failure Estimates
1 1
ThiOOc
Samaiy
f«*
Ftik
o»«o»
WoiarS
(2.3 sllT2)
Operator
falls to
open valves
to lube oil
beat is** '
changer
-------�
events "1 Standby Pump Fails" (Q + Q ) as well as "The Other
Standby Pump Fails" (Q?c. + Q'>f.) > tne operator error rate contri-
bution to these values (lxlO~3) must be subtracted out. This
yields the new values as shown in the parentheses. Recomputing
the values "up" the fault tree produces a probability for "Charg-
~2
ing Pump Failure 2/3 Pumps Required" of 5.6x10 versus a value
_T
of 2.4x10 calculated in WASH-1400. This new value has been
translated to Figure 6 (Figure 11-60 of Appendix II, Vol. 2) and
—2
ultimately a failure (Q) of 6.0x10 is computed for "Failure of
HPIS to Deliver Sufficient Water to RCS when Cold Leg LOCA" (2/3
Charging Pumps Required). This value is a factor of id higher
than the WASH-1400 value. The significance of these changes on
the ultimate risks to the public are difficult to determine since
the distinction between a small break accident which requires one
of three charging pumps and one which requires two of three does
not appear to have been separately considered in computing the
risks. The discussion of small break accidents in Appendix I,
pages 123-132 does not acknowledge the "reactor vessel cavity"
break as one which requires two of three HPIS pumps. In Appen-
dix V, Table V-7, the failure probability of emergency coolant
injection for PWR small breaks (denoted by the letter D) appears
_2
to be 1x10 . It is not clear how this number was computed, nor
whether it included considerations of 2/3 charging pump failures.
In any event, it does not appear that the changes discussed here
will have a significant influence on the risks. However, the
corrections should be made and new risks computed.
Omissions - This review discusses omissions found in the WASH-1400
analysis of the HPIS.
.(1) Low Pressure Injection System (LPIS) Check Valve Failure - Con-
nected to the three HPIS injection lines near the injection point
to the reactor primary system are three (one in each line) lines
from the LPIS. These lines contain check valves near the
53
-------�
connection point with the HP1S lines to prevent, in case of a
small break accident, the HPIS from injecting high pressure water
into the LP1S. Figure 6 (a portion, simplified and enlarged, of
Figure 11-65 from Appendix II, Vol. 2) shows the piping and valve
arrangement at the intersection of the HPIS and LPIS. It appears
that if any of the three LPIS check valves are failed open either
before, at the initiation of, or during HPIS injection, some HPIS
flow will be diverted into the LPIS. Since the LPIS is designed
only Cor low pressure operation, it will probably rupture. Be-
cause the HPIS flow to the three cold legs is connected by a
common header, and since the LPIS lines are large (6") relative
to the HPIS injection line (3"), a significant portion of the
HPIS flow could be diverted in the event of a LPIS check valve
failure. It thus appears that a single failure of either of the
three LPIS check valves (CV120, CV220, CV320 on Figure 6) will
fail the HPIS. The probability of a check valve .failure is given
as 1.3x10 on page 339 (dominant fault FCV02200). Assuming that
the failure of the check valves are independent, the probability
-3
of any one of the three failing is 3x1.3x10 or approximately
4x10 - The effect of this single failure mode on the overall
system failure mode is shown on Figure 7, a revision of Figure
11-60 in Appendix II, Vol. 2. As can be seen, the effect is not
-3
very significant, increasing failure probability from 3.6x10
-3
to 7.6x10 for the case when one of three charging pumps are re-
-3 -3
quired, and from 6.0x0 to 9.9x10 when two of three are
required.
(2) Additional Double Failures - Three HPIS double failures which may
have some significance appear to be ignored in Appendix II, Vol.2.
These are:
(a) Failure of both valves in the drain line of the Volume
Control Tank to close after a small break accident (desig-
nated valves 1115C and 1115E in Appendix II).
-------�
CV100
SI235
6" Lines
:old Leg 1
CV200
-<]—
\J
To Cold
Leg 2
CV300
~<1
XJ
Id Leg 3
CV120
^ — ^
SI236
h /i
. CV220
CV320
V xl
SI-237
.. h /\
[) l
From HPIS
Froa LPIS
Figure 6 - HPIS - LPIS Piping Intersection Diagram
-------�
Un
Single
Failures
SF
1.1 x 10'3
(5.1 x 10~3)
Double
Failures
OF
UDF
2.5 x 10'3
Failure Of HPIS
To Deliver
Suffici«nt Water
To RCSWhen
Cold Leg LOCA
Q • 3.6 x 10"3 (1/3 Charging Pumps Required) (7.6
Q = 6.0 x 10'3 (2/3 Charging Pumps Required) <9'9 x 10
-:33>
Charging
Pump
Failure*
CF
QCF
7.0 x 10'6 (1/3 Required)
2.4 x 10'3 (2/3 Required^
Figure 7 - Quantitative Pictorial Summary of HPIS Failure With
Point Estimates Showing Effect of Q^. (Single
Failure) Increase
-------�
(b) Failure of both valves in the normal charging line to
close after a small break accident (designated valves
MOV 1289A and 1289B in Appendix II).
(c) Failure of both valves in the boric acid recirculation
system to close after a small break accident (designated
valves 1884A and 1884B in Appendix II).
The closing of the above three sets of valves is part of the auto-
matic sequence to align the HPIS into the injection mode follow-
ing a small break LOCA. Presumably, the failure of any set of
the valves fails the operation of the HPIS, although it is pos-
sible that such failures will result in only partial degradation
of the system. However, partial degradation of a safety system
is normally assigned failure in WASH-1400. Therefore, these
double valve failures should be considered in the double failure
category.
Figure 8 shows all HPIS double failure contributions considered
in Appendix II plus the three sets of double valve failures des-
cribed previously. The numbers in parentheses are the revised
values considering these failures, and assuming a failure prob-
ability of 2.0x10 per valve which seems to be close to the
average value assumed for valves failing to open. As can be
-3
seen, the increase in double failure probability (from 2.5x10
to 3.7xlO~ ) is not significant.
Trojan Comparison - This review consists of a comparison between the
Surry reactor system, used in WASH-1400 as a basis to compute risks
for all PWRs, and the Trojan
Westinghouse 4-loop designs.
(2)
for all PWRs, and the Trojan reactor system , representative of
(3)
According to the Surry Final Safety Analysis Report , protection
against small breaks up to 6 inches in diameter is afforded by a high
57
-------�
oo
Volume Control
Tank Drain Valvesj
1115C and 1115E
Fail to Close
Normal Charging
Line Valves MOV
1289A & MOV 1289B
Fail to Close
x Kf"4 )
(•» x
Boric Acid Re-
circulation Line
Valves TV 188AA
& 1884B Fail To
Close
x nr")
Fieure 8 - HPIS Modified Double Failure Contribution Susssary
-------�
pressure injection flow rate of 150 gpm, equivalent to the design flow
rate of one (out of a total of three) charging pump. The Trojan FSAR
indicates that a flow rate of 575 gpm (minimum engineered safety equip-
ment - one charging and one safety injection pump) affords protection
for the core for breaks up to 6 inches in diameter. Since the Trojan
charging pumps (a total of two) are rated at 150 gpn, the total charg-
ing system capacity (300 gpm) is less than that assumed to protect the
system for all small breaks up to 6 inches. To provide for such pro-
tection, the Trojan design includes a safety injection system (SIS),
considered part of the HP1S. The SIS consists of two pumps, with
associated piping and hardware, each rated at 425 gpn. It thus re-
quires the capacity of at least .one charging pump plus one SIS pump
to protect the Trojan core for breaks up to 6 Inches. Table 12 sum-
marizes the differences in requirements as well as design for the
Surry and Trojan HPIS.
It should be noted that different break sizes (up to 6 inches) will
require different injection flow rates to protect the core. In the
Trojan case, the 575 gpm requirement is based on a conservative analy-
sis of the most demanding (in terms of injection requirements) break
size. Not all break sizes up to 6 inches will require a 575 gpm in-
jection flow rate. (The same can be said of the 150 gpm flow rate
used for Surry.) However, in the absence of information relative to
break size probabilities in the up-to-6-inch size range, as well as
incomplete information relative to flow rate requirements as a func-
tion of break size, a more detailed assessment for Trojan was not
possible, and an analysis similar to that done by WASH-1400 for Surry
was used Instead.
59
-------�
Table 12 - HPIS COMPARISON
SURRY vs TROJAN
Surry Trojan
Minimum flow (gpm)
System(s)
No. of Pumps
Pump Flow Rate
150
Charging Only
3
575
Charging + Safety Injection
2 (Charging)
2 (Safety Injection)
15C (Charging)
425 (Safety Injection)
The basic design of the HPIS for the two plants is quite similar, and
excluding pump failures,'comparison of the failure modes for the hard-
ware in the two systems indicates no significant differences exist.
However, since the Trojan system requires at least two pumps out of a
total of four from two independent sets of two pumps, and Surry re-
quires only one from a single set of three pumps, the Surry HPIS pump
failure analysis does not apply to Trojan. The significance of the
I _ '
difference is difficult to assess without undertaking a detailed analy-
sis of the Trojan system. However, an indication may be obtained by
considering Table 13 which lists all the pump operating-failure com-
.:''*•' A
binations for the two plants. Six out of sixteen of the Trojan com-
binations result in HPIS failure, while only one of eight Sulrry
combinations fail the HPIS. This may indicate that the Trojan HPIS
failure probability is higher than Surry. However, until a complete
analysis of the Trojan (or any Westinghouse 4-loop) system is accom-
plished, including appropriate consideration of pump motor failure
rates, common mode failures, etc, no specific conclusions can be sup-
ported. In view of the fact that small break accident sequence prob-
abilities are significant contributors to some of the release categor-
ies (particularly Categories 3, 4 and 7, this analysis has added
importance.
Conclusions - Based on. a review of the HPIS failure analysis contained
in Appendix II, Vol. 2 of WASH-1400, the following conclusions are de-
rived:
60
-------�
Table 13 - HPIS PUMP SUCCESS-FAILURE COMBINATIONS FOR TROJAN & SURRY
NO.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
H.
15.
16.
TROJAN SURRY
Charging
Pumps
A
runs
runs
runs
runs
runs
fails
runs
runs
fails
fails
fails
fails
fails
.fails
runs
fails
B
runs
runs
runs
runs
fails
runs
fails
fails
runs
runs
fails
fails
fails
fails
fails
runs
SIS
Pumps
A
runs
runs
fails
fails
runs
runs
runs
fails
runs
fails
fails
fails
runs
runs
fails
fails
B
runs
fails
runs
fails
runs
runs
fails
runs
fails
runs
fails
runs
fails
runs
fails
fails
HPIS
System
Suc-
ceeds
X
X
X
X
X
X
X
X
X
X
Fails
X
X
X
X
X
X
Charging Pumps
A
runs
runs
runs
fails
fails
fails
runs
fails
n
runs
runs
fails
runs
fails
runs
fails
fails
C
runs
fails
runs
runs
runs
fails
failti
fails
HPIS System
Succeeds
X
X
X
X
X
X
X
•>
,__,
Fails
X
61
-------�
(1) There do not appe.it 11< !•<• .inv s i^ul t I i';mt nicn-* \\\ I IIP
-------�
(4) Page 327, Section 4.5 - The list of significant single failures
in this section does not correspond to the single failures quan-
tified on pages 334 and 335. For example, RWST drain plugged and
RWST vent plugged (item 13, page 329) do not appear to be con-
sidered on pages 334 and 335.
I
6. PWR Small Break Loss of Coolant Accident Analysis
This review involved the investigation of analytical methods used by
PWR vendors to calculate the consequences of a small break LOCA. Since
WASH-1400 contains a small break LOCA description, and even more de-
(17 18 19)
tailed descriptions are readily available ' ' , only a very brief
discussion, necessary for understanding the subsequent discussion of
small break LOCA analysis techniques, will be provided here. A small
break is currently defined as a rupture in the PWR primary system which
2
produces an area of 0.5 ft (9-inch diameter circular hole) or less.
(This definition does not correspond to that used in WASH-1400; a hole
6 inches in diameter or less, but the difference is not significant.)
Following a small break, the primary system begins to depressurize.
When the pressurizer pressure falls below a preset value, the reactor
trips (scrams). Other signals cause the HPIS pumps to be started.
When the primary system pressure falls below the maximum HPIS injection
pressure (around 1800 psi), check valves open and cold water is inject-
ed into the primary system. When the system pressure falls to the ac-
cumulator injection pressure (about 650 psi), water from the accumu-
lator is injected. At lower pressures, additional emergency cooling
water is injected from low pressure injection systems.
For a small break LOCA, the critical time from the standpoint of re-
storing and maintaining adequate core cooling occurs during the first
1000 seconds or so. During this time period, a complex dynamic inter-
action is taking place in the core involving energy production, energy
redistribution and energy removal. Energy is being produced by the
63
-------�
continued fissioning process which is slgnllicunt until the core is
shut down by insertion of control rods or by steam voids which even-
tually form in the core. Decay heat also contributes to the energy
production in the core. Significant energy redistribution occurs in
the core when the heat transfer from the fuel pin cladding to the pri-
mary coolant is reduced. Energy then accumulates in the cladding and
a rise in cladding temperature occurs. One of the most important
parameters during this process of energy removal and redistribution
is the heat transfer effectiveness from the clad to the coolant. This
heat transfer process is governed by coolant properties of pressure,
temperature, flow and quality. It is very difficult under the tran-
sient conditions existing during the small break LOCA to calculate
accurately all of these quantities.
Once the fluid properties have been calculated, heat transfer coeffi-
cients must be derived in order to calculate the amount of heat lost
from the core cladding. Since there is at present no rigorous, direct
way to calculate heat transfer coefficients from basic physical prin-
ciples, correlations which are primarily based on steady-state experi-
mental results must be used.
The procedure for calculating the core temperature distribution fol-
lowing a small break LOCA is very uncertain. Dynamic fluid property
calculations in the core region are very difficult; the application of
fluid-condition-dependent heat transfer correlations based on steady-
state conditions to the transient fluid conditions calculated to exist
in the core is somewhat uncertain, and the correlations themselves are
discontinuous and occasionally inaccurate when compared to steady-stat»
experimental heat transfer data other than that from which they were
derived. These uncertainties are allegedly accounted for by conserva-
tism, in the calculations.
It should be noted that very little emphasis has been placed on the
development of small break LOCA analytical techniques in recent years.
64
-------�
The primary emphasis has been on achieving an adequate analysis for
describing the large break LOCA, since it was considered to be the major
risk to the health and safety of the general public. WASH-1400, as
noted in Section III, concludes that the small break LOCA is a major
risk.
Each of the three PWR vendors (Westinghouse, Babcock & Wilcox, Combus-
tion Engineering) has developed an analytical method to calculate the
reactor system response following a small break LOCA. Table 14 lists
the computer codes used by each vendor for the calculation. One of
the basic features of each computational technique is the nodalization
scheme employed, as shown in the third column of Table 14. This column
describes the number and general location of nodes, or volumetric
regions, selected by each vendor for his particular calculation. When
the calculation is performed, the thermohydraulic processes are com-
puted separately within each node. The fluid properties, heat trans-
fer from surfaces, fluid flow, etc, are thus Identical throughout each
node, and the calculated quantities for each node are actually average
quantities calculated to exist in the node. As can be seen in Table
14, recent versions of each of the codes contain about the same number
of nodes.
A detailed description of each code is not available because many of
the basic features are proprietary. Some features of the codes are
explained in References 17 through 20, and since these references ar^
*
readily available, the information contained therein will not be,
included in this discussion.
One way to assess the capability of the codes in a relative sense is
to compare results obtained by the various codes for similar calcula-
tions. Since the reactors sold by all three vendors are similar in
power level, operating conditions, fluid volume, configuration, etc,
it is expected that these calculations would yield generally similar
results.
65
-------�
Table 14 - SMALL BREAK LOCA COMPUTER CODES USED BY PWR VENDORS
VENDOR
CODE NAME(S)
NOD ALT 7. AT I ON SUMMARY
REMARKS
Wcstinghouse
SLAP
WFLASH
3 nodes: 1 in steam generator, 1 in
pressurizer , 1 in balance of primary
system
16 nodes in primary system, 2 In
secondary, 1 In pressurlzer
The WFLASH code was intro-
duced by' Westinghouse in
Hay 1974; previously, small
break analyses were per-
formed by the SLAP code.
Combustion
Engineering
CEFLASH-4
WALSOB
Greater than 15 nodes for primary
system*
1 node for primary system
WALSOB used for hot leg
- breaks and very small cold
leg breaks; CEFLASH-4
used for all other small
breaks.
Rabcock &
Wllcox
CRAFT,
FOAM
14 nodes for primary ays tea, 1 node
for containment, 1 node for secon-
dary (CRAFT)
The FOAM code computes
liquid level in the core
region based on Input ob-
tained from a CRAFT calcu-
lation.
'Actual number of nodes proprietary
-------�
As discussed previously, one of the critical parameters in the small
break LOCA, from the standpoint of assessing accident risks, is the
rate of heat transfer from the core. This rate is strongly dependent
on the fluid conditions calculated to exist in the core region. It
is important, therefore, to be able to accurately calculate fluid con-
ditions in the core, particularly the pressure history and the core
fluid level.
(1) Core Uncovery Time - Figure 9 presents the calculated core uncov-
ery time (i.e.?the time following the initiation of the break when
the steam-water interface which develops in the vessel drops be-
low the level of the top of the core) for each of the vendors'
PWRs. For the three cases, the break location (pump discharge)
is the same, the initial primary fluid conditions are very nearly
the same, the core locations are similar and the upper plenum
3 3
volumes are very nearly the same (all 2100 ft ± 120 ft ). Thus,
it would be expected that, except for minor differences due to
small design variations, the core uncovery times for the three
plants should be comparable. As Figure 9 indicates, the core
uncovery times vary substantially from about 80 seconds to 520
2
seconds for 0.1 ft breaks. For larger breaks, the agreement is
somewhat better, but never closer than about a factor of two for
the two larger break sizes for which comparative data is avail-
able. Figures 10 and 11 show comparisons of the two-phase core
fluid level during the transient. Figure 10 is a comparison be-
2
tween two vendors for 0.2 ft pump discharge breaks. Although
the general shape of the curves is somewhat similar, they are
displaced in time some 150 seconds, a substantial difference.
2
Figure 11 is a similar comparison for 0.87 ft pump discharge
break. Again, the shapes are vaguely similar, but displaced in
time some 600 seconds, a very large difference.
(2) Pressure History - Figure 12 compares the decompression pressure
history as calculated by the three vendors for various break
67
-------�
600
SOO
00
u
•I
u>
u
c
V
hi
o
u
e.
o
j!
H
MOO
300
200
100
A-
_L
0.1
1
1
1
I
Q- Westlnghouse '(Ref, U)
Q- Westlnghouse (Ref. V.)
&- Combustion Engineer'.03
V- Babcock & Wilcox (R-t--. 19)
1
O.I 0.3 0.%
Break Site (ft2)
Figure 9 - Tl»e Top of Core uncovered vs Break Sis* - *u»p Discharge Break
T
_L
o.s
-------�
"S 2.0
M
o
V
oi J.S
LJ
o
CJ
o
1.0
V
n
JC
a,
.5
Weotinghouse
(Ref. 21)
•Top of Core
Bottom of Core
100
200
Time (Sec")
300
MOO
Figure 10 - Two-Phase Fluid Level vs Time for 0.2 Ft Tump Discharge Break
-------�
1 6
^ !>•
u
U.
a
o
O
CO
0
O
kl
U
~4
a
12
10
Q - Babcock & Ullcox
(Ref. 19)
O - Westlnghouse
(Ref. 22)
Time (Sec)
Figure 11 - Core Liquid Level vs Time for 0.087 Ft Purap Plscharge Break
-------�
130Q
A - Conbustlon Engineering
(Ref. 17)
V - Babcock & Wilcox (Ref. .19)
D - Westinghbuse (Ref. 2.1)
O ~ Wescinghouse (Ref. 22)
10Q
900
Figure 12 - Fluid Pressure in Core Region vs Time for Various Break Sizes - Pump Discharge Break
-------�
130Q
A - Cocbustion Enalneprlng
(Ref. 17)
V - Babcock & Wllcox (R«f- 19)
Q - Westinghbuse (Ref. 21)
O - Westlnghouae (Ref. 22)
100
087 ft2
800 900
Figure 12 - Fluid Pressure In Core Region vs Time for Various Break Sizes - Pump Discharge Break
-------�
.sixes. Since the total primary system volumes are similar for
I he three plants (12,000 ft .» 550 f t ) , and initial fluid con-
ditions are similar, it would be expected that system pressure
declines would be very similar for the three plants during a LOCA.
This should be especially true for small breaks since the minor
differences in pressure drops that exist in the primary system
due to different design details would be minimized because of the
very Low flow rates. However, as illustrated in Figure 12, very
substantial differences exist in the core pressure history during
2
the accident.. Considering the 0.1 ft plots, along with the
2
0.087 and 0..11 (the nearest published calculations to 0.1 ft ),
the difference in time from the fastest calculated blowdown to
the slowest ranges around 400 seconds, a very large discrepancy.
For the 0.2 ft break, comparing the only two plots available, a
difference of nearly 120 seconds exists in the time to reach 900
psia, wlt.fi the difference becoming larger (nearly 400 seconds at
200 psla) as the pressure decreases.
O) CLadding Temperature - From these very large discrepancies illus-
trated in Figures 9 through 12, it would be expected that the clad
hot spot temperature results would be quite different.
Figure 13 shows these results and, as expected, there is consid-
erable variation. The temperatures plotted are the maximum cal-
culated for the entire spectrum of small breaks by each vendor.
They vary from 1075 to 1743°F. The two values by Westinghouse
2
for the 0.087 ft break correspond to two different calculational
techniques. The higher temperature (1400°F) corresponds to a
pre-May 1974 calculation utilizing the one-primary-system-volume
SLAP code. The more recent Westinghouse technique, using the
WFLASH code with J6 nodes, shows the maximum at the same break
size, but predicts a lower value (1150°F). The two Combustion
Engineering points correspond to a similar change in nodalization,
with the. important exception that the high value (1743°F)
72
-------�
corresponds to a multi-node analysis (CEFLASH with more than 15
nodes) used by Combustion Engineering since March 1973, while the
lower temperature (1075°F) corresponds to a single node calcula-
tion using WALSOB. Thus, for the Combustion Engineering calcula-
tions, not only does the maximum temperature occur at a different
2
break size (0.087 versus 0.3 ft.), the values are different (1150
versus 1743°F for the most recent calculations), and 'the trend
from multi-noding to single nodlng is reversed. The B&W maximum
2
occurs for a 0.5 ft break with a predicted temperature of 1120°F.
Under each temperature value the time after break initiation that
the temperature was calculated to occur is indicated. The trend,
though not entirely consistent, is for the maximum temperature to
occur earlier with increasing break size. This is expected since
larger break sizes result in faster depressurization and earlier
water loss from the core.
The reasons for the large differences in results described in the pre-
ceding discussion cannot be definitely established since details of
the various analytical techniques are proprietary. Portions of some
of the discrepancies may be attributed to variations in operating de-
sign parameters, assumed operating conditions, and variations in the
design and operational behavior of the ECC systems for the three plants.
However, these differences are quite small and do not appear to pro-
vide a reasonable explanation for the substantial variations.
Conclusions - Based on the large differences in results as calculated
by the PWR vendors for the small break LOCA, it is concluded that the
WASH-1400 assumption (based on these calculations as accepted by AEC-
Regulatory) of adequate core cooling for all small breaks if ECC sys-
tems work is not sufficiently justified. The fact that in none of the
calculations do core temperatures become great enough to cause damage
which may lead to melting provides some confidence that adequate core
cooling may be achieved. However, the large differences in results
indicate that the processes occurring during the accident are not well
-------�
corresponds to a multi-node analysis (CEFLASH with more than 15
nodes) used by Combustion Engineering since March 1973, while the
lower temperature (1075°F) corresponds to a single node calcula-
tion using WALSOB. Thus, for the Combustion Engineering calcula-
tions, not only does the maximum temperature occur at a different
2
break size (0.087 versus 0.3 ft ), the values are different (1150
versus 17A3°F for the most recent calculations), and 'the trend
from multi-noding to single noding is reversed. The B&W maximum
2
occurs for a 0.5 ft break with a predicted temperature of 1120°F.
Under each temperature value the time after break initiation that
the temperature was calculated to occur is indicated. The trend,
though not entirely consistent, is for the maximum temperature to
occur earlier with increasing break size. This is expected since
larger break sizes result in faster depressurization and earlier
water loss from the core.
The reasons for the large differences in results described in the pre-
ceding discussion cannot be definitely established since details of
the various analytical techniques are proprietary. Portions of some
of the discrepancies may be attributed to variations in operating de-
sign parameters, assumed operating conditions, and variations in the
design and operational behavior of the ECC systems for the three plants.
However, these differences are quite small and do not appear to pro-
vide a reasonable explanation for the substantial variations.
Conclusions - Based on the large differences in results as calculated
by the PWR vendors for the small break LOCA, it is concluded that the
WASH-1400 assumption (based on these calculations as accepted by AEC-
Regulatory) of adequate core cooling for all small breaks if ECC sys-
tems work is not sufficiently justified. The fact that in none of the
calculations do core temperatures become great enough to cause damage
which may lead to melting provides some confidence that adequate core
cooling may be achieved. However, the large differences in results
indicate that the processes occurring during the accident are not well
-------�
understood, and that significant effects may be overlooked or improper-
ly considered. In view of the fact that the small break LOCA is a
dominating contributor to public risk from PWRs, it is imperative that
a substantial justification be provided to establish that ECC systems
are adequate for small break LOCAs. In addition, a systematic analysis
to demonstrate that ECC protection exists for all small break locations
has apparently not been provided for the three PWRs. It is essential.
that such an analysis be provided to assure that ECC protectidn is
afforded for all small break locations. Such an analysis is mandatory
in order to provide independent assurance that the ECC protection for
small breaks does in fact exist and that the conservatism claimed for
the calculations can be substantiated. • • « ;
*j
7. PWR Loss of Power Transient Accident Sequence
This accident sequence is described in general terms, applicable to
all PWR transients, in Appendix I (Section 4.3.1) of WASH-140Q. A
more specific consideration of the PWR loss of power transient accident
is given on pages 64 through 67 of Appendix V. In this latter descrip-
tion, the significance of this, accident on the PWR radioactive release
spectrum is stressed. An examination of Table V-16 (Appendix V) re-
veals that this transient is the dominant contributor to the Category
2 release for PWRs. From Table VI-20 of Appendix VI, it is evident
that PWR release Category 2 has one of the highest probabilities of
occurrence, and results in the highest number of acute fatalities of
any release category. As will be seen, this category contributes to
over half of the calculated acute deaths per year for PWRs. Thus, the
PWR loss of power transient accident is a significant contributor to
PWR accident risks as calculated in WASH-1400.
The accident is initiated by a loss of off-site electrical power. If
offsite power is not restored within one-half hour, and the onsite
emergency power sources fail, heat removal from the primary system
essentiallv ceases after the steam generators boil dry. Since core
75
-------�
decay heat (scram is assumed to occur when power is lost) continues to
be transferred to the primary system water, the primary system pressure
rises until relief valves open. The water in the core region turns to
steam, heat transfer from the core decreases, and eventually the core
approaches melting. Melting can occur, in which case the molten, core
is assumed to fall into the lower vessel plenum after sufficient melt-
ing has occurred. Vessel melt-through then is anticipated, followed
by melt-through of the containment base material. According to WASH-
1400 (Appendix I), containment failure can be caused by four' events
during this accident sequence: •_ '
(1) Accumulation and explosion of hydrogen in the containment . from
metal-water reaction in the core (designated y) •
(2) A steam explosion in the lower vessel plenum which drives the
vessel head into the containment causing failure (designated a).
(3) Excessive pressure as a result of evolved gases produced by
decomposition of the concrete base mat of the containment from
heating by the molten core material (designated 6) .
Melt-through of the concrete base mat (designated e).
The probability of the accident sequence described, independent of the
containment failure mode, is calculated in WASH-1400 (Appendix V,
page 66) by evaluating the symbols:
TMLB1
where
— 1
T is the probability of loss of offsite a-c power - 2x10
M is the probability of nonrecovery of offsite power in
1/2 hour (after which heat removal from the primary
system ceases) «* 2x10
76
-------�
decay heat (scram is assumed to occur when power is lost) continues to
be transferred to the primary system water, the primary system pressure
rises until relief valves open. The water in the core region turns to
steam, heat transfer from the core decreases, and eventually the core
approaches melting. Melting can occur, in which case the molten core
is assumed to fall into the lower vessel plenum after sufficient melt-
ing has occurred Vessel melt-through then is anticipated, followed
by melt-through of the containment base material. According to WASH-
1400 (Appendix I), containment failure can be caused by four events
during this accident sequence:
(1) Accumulation and explosion of hydrogen in the containment from
metal-water reaction in the core (designated y)•
(2) A steam explosion in the lower vessel plenum which drives the
vessel head into the containment causing failure (designated a).
(3) Excessive pressure as a result of evolved gases, produced by
decomposition of the concrete base mat of the containment from
heating by the molten core material (designated 6).
(A) Melt-through of the concrete base mat (designated e).
The probability of the accident sequence described, independent of the
containment failure mode, is calculated in WASH-1400 (Appendix V,
page 66) by evaluating the symbols:
TMLB'
where
T is the probability of loss of offsite a-c power » 2xlO~ .
M is the probability of nonrecovery of offsite power in
1/2 hour (after which heat removal from the primary
system ceases) = 2x10
76
-------�
L is the probability of failure of the auxiliary feedwater
-A
system - 1.5x10
B' is the probability of nonrecovery of offsite and onsite
a-c power sources within 1/2 to 1-1/2 hours after the
transient event = 5x10
The probability of the sequence TMLB' , then, is':
(0.2)(0.2)(1.5xlO~4)(0.5) = 3xlO~6
In assessing the probability of the various modes of containment
failure, the following values are computed in Appendix VIII of WASH-
1400:
Y - 0.13 6 = 3xlO"2
a = 10~2 e = 0.8
Thus, the probability of a PWR loss of power transient accident with
various containment failure modes are calculated to be
TMLB' - a = 3x10
3
-7
TMLB1 - 6 = 1x10 ? (rounded from 9xlO~8)
TMLB1 - Y = 4x10
TMLB' - e = 3x10 (rounded up from 2.4x10 )
These values are listed in Table V-16, Appendix V of WASH-1400, and
assigned radioactive release categories depending on the calculated
release from each sequence as assessed in Attachment 1 to Appendix V.
There appears to be a potential mode of containment failure overlooked
in WASH-1400 during a loss of power accident. During the accident,
the primary system pressure will remain at or near the set ppint of
the pressure relief valves (above the operating pressure of ^2200 pai).
The superheated steam generated in the core region will, maintain the
system pressure. When the core eventually melts through the bottom of
the reactor vessel (assuming no steam explosion in the vessel), the
primary system pressure will be rapidly relieved (see also Comment No.l
under General Comments at the end of this section). The molten material
77
-------�
will be spewed into the reactor vessel cavity, and the steam (and
water which flashes to steam) in the primary system will rapidly (with-
in a lew seconds) exit the reactor vessel into the containment causing
an abrupt pressure rise. As the primary system pressure rapidly decays
to about 600 psi, the accumulators will begin discharging cold water
into the reactor vessel downcomer. This water will flow down the re-
ctor vesseJ and directly out the hole created by the core melt-through.
The water will impact the molten mass in the reactor vessel cavity.
Large amounts of energy, in the form of steam, will be generated and
released to the containment, causing an additional loading just seconds
after the primary system blowdown. Calculations have not been per-
formed, but it is possible that this second abrupt pressure loading
will fail the containment, especially in the absence of the operation
of containment heat removal systems, which must be assumed to be dis-
abled due to the loss of electrical power. In addition, a steam ex-
plosion may he more likely under these conditions, as discussed below,
than when the molten core contacts water in the lower plenum of the
reactor vessel. Neither of these potential containment failure modes
is considered in WASH-1400.
Little is known about the thermodynamics of explosions when water comes
into contact with molten material. Numerous examples of explosions
have occurred under these conditions, some of which are described in
Appendix VIII (Appendix B) of WASH-1400. Appendix VIII (pages 27-29)
also derives an expression for the probability of a vessel steam ex-
plosion which causes containment failure by blowing the vessel head
against the containment. The formula used to compute the probability
is
P, = Pr a a ,
1 fw sxs cf
where
I' is the probability that the fuel will come in contact with
water. This factor considers the possibility that the fuel
will become vaporized (and not available to cause the explo-
sion) or that there will be no water left in the lower plenum
when the molten core falls.
78
-------�
a is a terra which describes the likelihood that the explosion
sxs
will occur if the molten core comes into contact with the
water. This term includes the empirical observation that
saturated water, which will exist in this case, does not
appear to be nearly as effective in causing steam explosions
as subcooled water. The term also includes a consideration
that the fuel may not: disperse in the water sufficiently to
cause an explosion. The value .of a is largely a matter
sxs
of judgment based on observations from various sources of
molten material-water interations.
•
a is the probability that the vessel head, following the steam
explosion, will cause rupture of the containment.
These quantities are assigned the following values in WASH-1400, with
large uncertainty bounds,
P.. = 0.89
fw
H = 0.1
SXS
(x r = 0. 1
cf
which yields a (rounded) value for P.. of
PI = 0.01
This value is used for a, as described previously in WASH-1400.
To assess the probability of containment failure under the conditions
of rapid primary system blowdown at the time of vessel melt-through,
followed by impingement of accumulator water on the molten core mass
in the reactor vessel cavity, it is necessary to reconsider the terms
used to compute a. In this case P, is probably greater than the
iw
WASH-J.400 value of 0.89 since water availability. is assured by the
accumulator discharge. Thus, P, = 1 appears a reasonable, if slightly
rw
conservative, value. The value of oc should be raised since:
sxs
(J) subcoolc'd water from the accumulators will come into contact with
the molten core mass, whereas saturated water is appropriate for
79
-------�
tin- i\»s<- assumed in WASH 'I-»00. Sivlu'ooltfil w<*t6l \\\ ('(UUftt't \t\\\\
molten material enhances the probability of an explosion. Although
some heating of the accumulator water will occur as It flows through
the inlet pipes and the vessel downcomer, the short path lengths
involved and the high volumetric flow rate caused by the high pres-
sure drop between the accumulator tank and the primary system will
probably minimize this effect. Appendix VIII (Page 49) states that
the probability of a steam explosion when molten fuel drops into
subcooled water is 0.5 versus 0.01 for the saturated water case.
(2) Intimate contact between the accumulator water and the molten mass
in the reactor cavity will likely occur because of the impingement
of the accumulator water on the molten mass. Also, some dispersion
of the molten material is likely due to the large area of the re-
actor vessel cavity floor. Both of these effects will enhance the
probability of a steam explosion over the case considered in WASH-
1400. In view of these considerations, and in light of the uncer-
tainty involved, it seems appropriate to assign a value of 1.0 to
this quantity.
The term a f, which accounts for the likelihood of containment failure
from impingement of the reactor vessel head on the containment dome,
is probably the most uncertain of all the factors. For the case of
the reactor vessel cavity steam explosion, the pressure pulse which
accompanies the explosion will be superimposed on the containment pres-
sure already existing from the rapid primary system blowdown occurring
at the time of vessel melt-through.. This will tend to increase the
probability of containment failure from overpressure.
It is impossible, without further analysis beyond the scope of this
effort, to determine the extent to which a ,. should be increased for
cr
the reactor vessel cavity steam explosion. In order to maximize the
80
-------�
sensitivity to this parameter, and to conservatively account for the
uncertainty, a value of 1.0 was assumed.
Table 15 summarizes the changes which would occur in the WASH-1400
analysis from the considerations of the preceding discussion.
Table 15 - REVISED PROBABILITY VALUES FOR PWR LOSS OF
POWER TRANSIENT WITH CONTAINMENT FAILURE
Parameter
WASH-1400
Revised
Pfw
0.89
1.0
a
sxs
0.1
1.0
acf
0.1
1.0
a/a'*
0.01
1.0
TMLB'
-6
3x10
3x!0"6
TMLB'-a/a1
-8
3x10
3x!0"6
* a is the WASH-1400 containment failure mode consisting of the re-
actor vessel head impacting on the containment dome as a result of
a steam explosion in the lower reactor vessel plenum; a" is the
containment failure mode consisting of the reactor vessel head
impacting on the containment dome or containment overpressure,
either of which result from a steam explosion in the reactor vessel
cavity.
Table 16 is a revision of a portion of Table V-16, Appendix V, WASH-
1400. The table shows the contribution to release categories 1 and 2
of the PWR loss of power transient (TMLB1) as described previously.
The sequences show three modes of containment failure: a (vessel
steam explosion), y (hydrogen explosion), and 6 (overpressure from
gases'evolved due to concrete base mat heating). The additional mode
of containment failure described previously is shown as TMLB'-a'.
This sequence has been somewhat arbitrarily placed in release category
2. A precise determination of its proper release category placement
would entail a rather complex analysis of the fission product release
associated with this new accident sequence. However, it should fall
into Category 1 or 2 since it is similar to, and chronologically be-
tween sequences TMLB'-a and TMLB'-6. Its placement in Category 2
will maximize its influence on the PWR risks.
81
-------�
Table 16 - COMPARISON BETWEEN WASH-1400 and REVISED
PWR RELEASE CATEGORY 1 and 2 PROBABILITIES
RELEASE CATEGORIES
Transient
Event - T
T-Probabilities
1
TMLB' -g
3xlO~8
(3xlO~8) *
9xlO~8
(9xlO~8)
2
TMLB' - o
4x10" 7
(4xlO~7)
TMLB1 - 6
-7
1x10
(0)
TMLB' - a'
o
(3xlO~6)
5xlO~7
(3.4xlO~6)
i
Summation of all accident sequences per release category
'
i i
Median
7xlO~7
. (7xlO~7)
5xlO~6
(7.9xlO~6)
* Numbers in parentheses are revised values as described in the
accompanying discussion.
82
-------�
The numbers in parentheses in Table 16 are revised figures resulting
from consideration of sequence TMLB'-a1. Since the probability of a'
(containment failure from accumulator water impacting the core melt in
the reactor vessel cavity) has been assigned a probability of one, the
release contribution from TMLB'-6 must be eliminated (reduced to zero)
since it would occur after the a1 event. As shown in the table, the
median value for the summation of all accident sequences per release
category for Category 2 is raised from 5x10 to 7.9x10 . To deter-
mine the significance of this increase on the average acute fatalities
per year from PWR accidents, the appropriate parts, with revisions, of
Table VI-20 (Appendix VI) from WASH-1400, are shown In Table 17. The
average acute fatalities per year are determined by the product of the
accident probability per year and the average acute fatalities for
each release category. The increase in Category 2 as a result of the
.-A -A
sequence TMLB'-a', as shown in Table 17, is from 3.1x10 to 5.0x10 .
This results in a total increase, from all accident sequences which
-4 -4
cause acute fatalities, of from 5.4x10 to 7*3x10 , a 35 percent
increase. (It should be noted that, using the WASH-1400 technique of
adding 10 percent from adjacent categories, Categories 1 and 3 will
be increased as a result of the increase in Category 2. However, as
can be seen in Table 17, the increase in average acute fatalities per
year will not be significant.)
Conclusions - The possibility of containment rupture from either over-
pressurization or damage from vessel head impact as a result of a
steam explosion or generation when accumulator water impacts the molten
core mass in the reactor vessel cavity following a loss-of-power tran-
sient accident seems to have been overlooked by WASH-1400. A somewhat
conservative evaluation of the effect of this accident indicates that
the average acute fatalities per year from all PWR accidents could
increase by as much as 35 percent. Further analysis is required to
firmly establish the effect of this change.
83
-------�
Table 17 - COMPARISON BETWEEN WASH-1400 AND REVISED AVERAGE ACUTE
FATALITIES PER YEAR FROM PWR LOSS OF POWER TRANSIENT ACCIDENT
c
c
2
1
ae
t/>
3
O
Id
CO
M
S
pvm
Release
Category
1
2
3
4
5
1
2
3
4
5
Accident
Probability
Per Year
7 x 10~7
5 x 10~6
5 x 10~6
5 x 10~7
1 x 10~6
7 x 10~7
8 x ID'6
5 x ID'6
5 x ID" 7
1 x 10~6
Average
Acute
Fatalities
34
62
39
2.7
.22
Average
Acute Fatalities
Per Year
2.4 x 10~5
3.1 x 10-4
2.0 x 10-4
1.4 x 10~6
2.2 x 10~7
WASH-1400 Total -5.4 X ' 10-4
34
62
3.9
2.7
.22
2. ,4 x 10-5
5.Q x 10~4
2.0 x 10~4
1.4 x 10~6
2.2 x 10~7
Revised Total - 7.3 x '10~4
84
-------�
Miscellaneous Comments - In reviewing the WASH-1400 analysis of the PWR
loss-of-power transient accident, the following comments were developed:
(1) Appendix VIII, page A-32 to 34 - The analysis of reactor vessel
melt-through by the molten core as described here appears to
apply only to the LOCA case where essentially no pressure exists
in the primary system at the time of melt-through. For transient
accidents, the primary system pressure can be as high as the
pressure relief valve settings (in excess of 2200 psi) at the time
that the molten core begins to heat up the lower reactor vessel
head. This pressure could accelerate reactor lower head failure
and alter the chronology of the accident sequence from that pre-
sented in WASH-1400 (Appendix V) which uses the Appendix VIII
analysis.
\
(2) Appendix VIII, Table B-2, page B-10 - It is not clear what the
column labelled "T,C" represents.
O) Appendix V, page 62 - The assumption is made here that a transient
accident which results in failure of reactor coolant system relief
and safety valves to close becomes a small LOCA and the PWR small
LOCA event trees were considered to be applicable. It should be
noted that assumptions in WASH-1400 relative to the small break
LOCA sequence and requirements for core protection are based on
vendor calculations of the accident. These calculations are made
assuming steady state conditions exist prior to the accident (see,
for example, page 15.3-3 of Reference 2.2). A transient accident
creates off-normal core thermal and fluid hydraulic conditions
(see Reference 23). These differences could alter both the se-
quence of the accident as well as requirements for core protection.
85
-------�
8. bWH-l'WR Component Failure Modes and Rates
This Suction presents the results and con i:l us inns of the review of
Appendices III (Failure Data), IV (Common Mode Failures) and X (De-
sign Adequacy) of WASH-1400. In reviewing these appendices, the fol-
lowing questions were considered:
(1) Are the data sources used in Appendix III applicable and
properly applied?
(2) Are there other applicable data sources which were not used
by WASH-1400?
(3) Have common mode failures been properly considered and accounted
for in Appendix IV?
(4) Has appropriate attention been given .to consideration of design
adequacy, including environmental effects, aging, etc?
(5) Are the component failure rate values properly computed from
the data used by WASH-1400?
The findings related to the above questions for each Appendix are
as follows:
Assessment of Failure Data (Appendix III) - The component failure rate
assessment of median, upper and lower bounds, and the error factor
based on data in Table III-l does not appear to be consistent. The
credit taken for nuclear design and fabrication ia also not adequately
explained or consistently applied. Examples of deficiencies in failure
rate assessment are:
Pipe rupture data, pipes >3 inches - The portions of Appendix III
pertinent to the derivation of large pipe rupture probabilities are
widely scattered, inconsistent and difficult to reconcile. Units for
86
-------�
pipe failures are mixed, and not readily converted; it is not clear
which data values pertain to "LOCA sensitive piping"; it is difficult
to determine which failure rates apply to nuclear, non-nuclear, nuc-
lear processing, etc, piping; the definitions of pipe "failyre", "rup-
ture", "complete rupture", "complete severance" are ndt given although
these terms are each used; and it is not apparent which data apply to
which pipe size, since several different pipe size categorizations ;are
used.
Table III-l presents the results of the data survey in which pipe rup-
tures are presented for "Hi Quality" (not defined) pipe greater thdh
3 inches in diameter. The units used in Table III-l are ruptures per
section per hour. The data in Table III-l are plotted as Figure 14
/ f\»\ / o c ^
(log-normal paper) using a method suggested by Gumbel and Ferrell
which merely adjusts the position of the data points slightly to ac-
count for the fact that other data may exist which fall near the ex-
tremes. A best fit curve has been drawn through the data and the
WASH-1400 curve, using the upper, lower and median values given in
Table III-l, and is shown for comparison. The circled values are ap-
parently derived from nuclear experience, as indicated by the headings
in Table III-l and the descriptive material provided for the Table
III-l references on pages 191-199. As can be seen, the WASH-1400
assessed range is substantially lower (two orders of magnitude at the
median 'value) than the best fit curve. The reasons for this disparity
are not apparent, even though section 2.1 (page 18) states that the
Table III-l values "...formed the bases for the assessed ranges."
Table III-3 (page 26) lists a comparison of WASH-1400 assessments with
industrial experience. Under the "Active Mechanical Hardware" portion
of the table, pipe "Plug/Rupture" failures are listed. While it is
not clear why "plug" (plugged pipe) failures were included in this
table and not in Table III-l, the assessed upper and lower bounds for
greater than 3-inch diameter pipe correspond to the values given in
87
-------�
10
-6
iiiiO Table III-l Data Points
Figure 1«
Pipe Rupture Failure Data
!• (Pipes >3 inch Diameter)
Cumulative Percentage
88
-------�
Table III-l. However, the lower bound listed for industrial experience
is 3x10 /hr and there is no corresponding value from any source in
the Table 1II-1 tabulation even though Section 2.2 (page 18) states
that the Table 1II-2 values are "extractions" from Table III-l.
An examination of 1972 nuclear experience is presented in Section 3,
page 29. Table III-6 (page 38) contains piping failures based on 11
-9
failures for 1972, and a failure rate of 1x10 per hour per foot is
derived. Conversion of this rate to the units used (ruptures/section/
hr) in Table III-l is difficult. The rate would be 8.76xlO~ failures
per year per foot. Page 184 states that the amount of pipe per plant
is "taken as roughly 170,000 feet." The amount of pipe per section
varies. Page 101 states that a pipe section is "approximately 10 to
100 feet." Thus, there are, very roughly, 1700 to 17,000 pipe sections
-2
per plant. The Table III-6 pipe failure rate becomes 1.5x10, - to .
1.5x10 failures/section-year with a large uncertainty resulting -from
conversion uncertainties. However, since it is not clear -.(1) what Is
meant by a pipe "failure" for the nuclear experience data in Table
III-6, (2) what pipe sizes the nuclear data represents, or (3) which
piping on the plants was considered in the data, a comparison between
the Table III-l and III-6 values is probably not valid.
Another problem appears to exist in Table III-6 which lists 280,000
feet as the total length of piping considered in the survey for eight
PWRs and 315,000 feet as the total length for nine BWRs.i This pro-
duces a pipe length per plant of 35,000 for both types. This does not
agree with the 170,000-foot value quoted on page 184 of Appendix III.
Section 6.3 (page 174) provides a discussion of how LOCA initiating
pipe rupture rates were derived for used in WASH-1400. For pipes
-4
larger than 6 inches, a rate of 1x10 per plant per year is listed.
Substantial discussion is included in support of this rate, and the
rate appears to be reasonably well justified in epite of the problems
discussed previously. However, in the Nuclear and Nuclear-Related
89
-------�
Experience subsection (page 178), reference is made to the "1972
nuclear history examined for the general data base." Ten failures are
listed, while the 1972 nuclear data in Tables II1-5 and III-6 each list
11 failures. It is not clear why these numbers are different.
Pipe Rupture Data, Pipes <3 inches - Many of the deficiencies listed
previously for the Appendix III discussion of pipes greater than 3
inches exist for pipes less than 3 inches. Figure 15 shows A compari-
son between the WASH-1400 assessment and a best fit of the data given
in Table III-l. Again, the WASH-1400 assessed range falls below a
best fit to the data. As before, the apparent reason is to account
for the improved failure rate for nuclear piping, yet the nuclear ex-
perience data points as indicated on Figure 15 do not substantiate the
assumed improvement. According to Table III-l, the U.S. nuclear ex-
-9
perience gives a value of 1x10 , which was assumed to be the median
value in the WASH-1400 assessment. However, the nuclear experience
_9
value given in Table III-2 is 2x10 for pipes less than 3 inches. It
is not clear why these numbers are different.
.!•
A further area of confusion is introduced in Tables III-2 and 3 where
pipe plugging data appear to be included for all pipe sizes. In
Table 111-10 (Summary of Assessment for Mechanical Hardware), a plug
failure is said to apply only to pipes <3 inches. A .plugged pipe
would usually result in an entirely different accidents (noli a LOCA)
than a ruptured pipe, and it is not clear why the twlij&are combined
since the results are used for LOCAs. Also, the pipft failure mode for
the nuclear data compiled in Section 3.2 is not identified.if
A further area of confusion exists relative to pipe $lze. Table III-l
classifies pipe as either greater or less than 3 inches; the .'pipe fail-
ure data discussion in Section 5.4 of Appendix III classifies pipe
failures as initiating events for LOCAS in three size categories -
1/2- to 2-inch, 2- to 6-inch and greater than 6 inch. Page 175 of
Section 6.4 indicates that the pipe rupture data used in WASH-1400
could be broken into two classes, either greater than 4 inches or less
90
-------�
I .> ,-' .1 .V, .01
.> l t j 10 M jo w >• la TO
Cumulative Percentage
*.«•
91
-------�
than 4 inches. It is not clear how the data were used to obtain fail-
ure rates depending on pipe size. Further confusion is generated in
Section 6.4 by citing numerous pipe failure data sources, some of
which are not apparently listed in Table II1-1, although part of the
problem may be due to typographical and reference number errors in
the source headings of Table III-l.
Check valve failures - The tabulated description of this failure mode
in Table III-l is "reverse leak", yet in Table 111-10, which summarizes
the WASH-1400 assessments, the failure is described as "internal leak
(severe)." (The same failure value is used.) It is not clear which
failure mode is being considered - any leak or only severe leaks.
(Presumably, reverse leak and internal leak for check valves is equiv-
alent.) In view of the rather significant nature of severe reverse
leakage in check valves determined elsewhere in WASH-1400 (see Sec-
tion 4.4, Appendix V), a detailed discussion of what constitutes a
severe reverse leakage in check valves should be provided.
Relief valve failure-to-reseat - The relieve valve failure mode, "Fail-
ure-to-reseat", is not assigned a rate in Table III-l. Yet, a value
1 O
of 10~ to 10~ is cited ("estimated on an engineering basis") for
this mode on pages 62 and 69 of Appendix V. This mode should be in-
cluded in Table III-l and its failure rate derivation should be dis-
cussed in Appendix III. Apparently, data are available for this fail-
ure mode since the valve malfunctions tabulated for 1972 on pages 54
to 59 of Appendix III show that 5 of 13 relief valve malfunctions were
of the failure-to-reseat mode.
Pumps failure-to-run - A log-normal plot of pump failure-to-run rates
from data sources given in Table III-l is shown in Figure 16.. As can
be seen, 13 of the 14 data points for failure-to-run in a normal en-
vironment fall below the WASH-1400 assessed median value of 3x10 hr~ ,
apparently indicating, in this case, nuclear experience indicated a
higher failure rate than non-nuclear experience. However, the U.S.
92
-------�
ill
r *
f!
ii
(!) Table III-l, Extreme Environment Data
Points
O Table HI-1, Normal Environment Data
Points
WASH-1400 Assessed Range
Extreme Environment v
Best Fit Plot
Extreme En.viron.r~
WASH-1^.00 Assesned Range
Post Accident
• Fit Plot
T: Normal Environ.
WASH-1400 Assessed
Normal Environment
Figure 16
Pump Failure to -Run Data
10 ". t±ii
10
-6 [-
Cumulative Percentage
93
-------�
Nuclear Uperating Expi-r.i (.-no' column of Table 111-1 gives a value of
3x10 lir . (In many other cases in the Table, the value in this column
was used for the assessed median.) It appears inconsistent to use a
higher value, particularly when the non-nuclear data argue for a lower
assessment.
Three data points are given in Table HI-1 for failure-to-run under a
severe environment. A best fit plot of these data, shown in Figure 16,
is essentially equivalent to the WASH-1400 assessed range for failure-
to-run after recovery of the post-accident environment and a factor of
two to five below the assessed range for severe environment before post-
accident recovery. The reasons for these differences are not clear.
Diesel generator failure-to-start - The data points used in Figure
III-8 have been replotted on log-normal probability paper as shown in
Figure 17. The values suggest a negative skew to the distribution of
failure rates, and indicate either that the sample selection was poor
or that log-normal distribution is inappropriate.
When reviewing the other data contained in Table III-l, it is found
that, the plotted points (Figure 111-18) represent three out of five
data points with the two omitted data points being much lower than the
plotted points.
It appears that the range of failure-to-start rates as assessed by
WASH-1400 for diesel generators is too narrow. It also appears that
the range of rates tabulated and the resulting plot given in Figure
II1-18 indicate that the proper range cannot be established from the
available data.
An investigation was made of diesel generator failure rate sources.
He(erring to the failure rate tabulations for diesel generator failure
rates in Table III-l, particularly for failure to start, it was
found that important sources of data referenced in the AEG Report
-------�
s
III
SILO..'"n
WASH-1400
Assessed Range
n t....rt>rr'*..,::.frTrtrT ... —...
rjriTrrrn-.rn::- Best Fit to Fig. ni-18 Points: "r
Data Point from Fig. III-18J-
Q Data Point fron Table III-lp
|.i Diesel Generator Failure to Start i
.01 , tO TO -^3
Cumulative, Percentage
95
-------�
UOE-OS-002 were not listed. In addition, the data cited in Table
1II-1 for the UKAEA Systems Reliability Service (SRS) appear to be high
at least a factor of ten when compared with the SRS reference in
(27)
OOE-OS-002 and to the value given in the SRS Report SRD-R-16 .
Specific examples are:
(1) UKAEA statistics referenced in Section 4.4 of OOE-OS-002 show a
-2 -2
failure-to-start probability of 1x10 to 2x10 per demand, not
IxlO"1 as given in Table III-l, WASH-1400.
(2 7 y •' • •
(2) UKAEA Report SRD-R-16 . ', Table III, lists a failure-tO-start
-2 -1 i '
probability of 2x10 per demand, not 1x10 per demand and a
-5 -1 -3
failure to run rate of 0.2 per year or 2x10 hr , not 1x10 as
given in Table III-l, WASH-1400.
(3) A U.S. Army study referenced in Section 4.4 of OOE-OS-002 gives
a computed probability of failure-to-start as 7x10 per demand.
(4) A General Motors report referenced in Section 4.4 of OOE-OS-002
-2
gives a failure-to-start probability of 1x10 per demand for GM
units in service as peaking units from 1957 to 1969.
(5) Statistics compiled from U.S. nuclear power plants and reported
in Table VII of OOE-OS-002 establish a failure-to-start probabil-
-2 -2
ity ranging from 1.5x10 to 3.4x10 per demand. The range re-
flects variations in manufacturer and capacity of the units.
(28)
In addition to the preceding data, the Edison Electric Institute
provides failure-to-start data for 203 diesel generator units repre-
senting 806 unit years of operation. These data establish a failure
rate for starts of approxlm,
starts in 118,563 attempts.
_2
rate for starts of approximately 9x10 based on 107,679 successful
The data listed in Table III-l for diesel generator failure-to-start
and failure-to-run (complete plant) should be revised to include the
preceding data. A log-normal plot of failure-to-start data, including
96
-------�
the preceding data, is given in Figure 18. This plot is based on the
data points from Table 18.
Table 18 - DIESEL GENERATOR FAILURE-TO-START DATA
Source
UKAEA (SRS)
U. S. Army
General Motors
USAEC (OEE-OS-002)
LMEC (Table III-l)
IEEE Trans (Table III-l,
NRTS (Table III-l)
EEI Pub 74-57
Failure-to-Start/Demand
2x10
7x10
1x10
3x10
1.2x10
1x10
1x10
9x10
-2
-3
-2
— 2
i
-3
-5
-8
-2
The tabulation in Table 18 omits U.S. and UKAEA data from Table III-l
which are probably covered by the data in the tabulation. The data
are .plotted using the method of Gumbel and Ferrell.
It appears, based on Figure 18, that WASH-1400 has used a median value
three times larger than suggested by the larger collection of data and
that the error factor associated with the revised data is 30, not 3 as
shown in WASH-1400. The overall conclusion is that the WASH-1400
assessed data may be unnecessarily conservative.
Human Reliability Analysis (Appendix III) - The final human reliability
assessments used in WASH-1400 are described as being values adjusted
from the basic "General Error Rate Estimates" given in Table 111-13.
While the factors considered in adjusting these basic rates appear
appropriate, as qualitatively described following Table 111-13 (page
131), very little in the way of quantitative assessments are presented.
Referring to these basic error rates as being "lower", "higher", or
'markedly reduced", is quite vague.
97
-------�
]0
-1
-2
10
w g
g 3
.J UJ
•H Q
zs
10
-3
r..1
if
il
10
10
— Assessed Rang
~n-"--l—nr-r-l-TT
: . . i -t : : I : i . • f - -T.
;;;:|; • Not Considered
> to »i» JO *9 X1 to TO IV
Cumulative Percentage
98
-------�
trrc/r contribution values appear explicit ly in rhp t«»ilt
tree analyses in Append i.\ 11 vVi-l^. 2 ouvt .J0 . ih^c v -\j> . .
This added probability increases the value e^t imatfcd ._^nHj$Jl^j' . .. ;'.
example by a factor of three. , ', ''.
(2) The conclusion that all three people in the control,, room would
recognize that the RWST level had reached 14. .5. percent and that
action is required seems highly optimistic (page 150). Each
operator would likely be quite busy and would not check the other
99
-------�
two to see that they are performing correctly. In addition, it
is possible that only one operator would be reading the written
instructions and the others would not necessarily be aware of the
significance of and action required by the various gauges and
i
alarms.
-2
(3) The rationale for assuming an error rate of 10 for selecting
the wrong valve control switches rather than the basic error rate
of 10 appears arbitrary as presented in the last paragraph on
page 151. Though the rate selected may be appropriate, it would
appear that additional rationale is required, rather than simply
_2
saying that 10 was picked because the previously selected "basic"
value of 10 seemed too large in this situation.
(4) The example does not clearly identify the failure being evaluated.
From reading the discussion, it appears that the event of inter-
est is failure-to-open MOV-860A and B. Lack of a tightly developed
statement of the problem, approach, and results in this example
seriously diminishes its value. The example should be revised to
identify clearly the event of interest.
(5) The example discussion does not indicate how much time is avail-
able after making a wrong decision to correct the error. The
greater the length of time available, the more chance ttlere is
for error feedback to lead to error recovery. Of course, with
longer times required to recover the error, the magnitude of
consequences may increase. Hence, there must be a time limit for
which error recovery has no real value in consequence limitation.
This point is not discussed. The errors and questionable assump-
tions in this example do not lend confidence that human reliabil-
ity factors were handled appropriately in the many other situa-
tions which are assigned values without supporting analysis or
discussion.
100
-------�
Mi scellanejjU.s Conini<.'nLs (jAj>^>i.ind_i_x_ll_I_} - The following commence w«r«
developed during the review of Appendix III:
(1) It.would be helpful if the discussion of data treatment on pages
15 to 18 were replaced with a discussion having content similar
to that of Section 3.6.1 of Appendix II. The methods of data
treatment given in Section 3.6.1 of Appendix II are much more
lucid and appropriate than the discussion now contained in
Appendix III. In particular, the reasoning associated with use
of the log-normal distribution for data range selection is much
better developed in Appendix II and belongs also in Appendix III.
(2) Both Appendix II and Appendix III should include a brief dis-
cussion to indicate that the log-normal distribution is used to
establish a range of failure rate values, while the exponential
distribution is used to estimate the probability of failure. It
is only by carefully reading the text (page 83 of Appendix II)
that .it is clear that the exponential distribution has been used
for computing failure probabilities.
(3) The failure rate data source given in Table III-l for Holmes &
(29)
Narver is incorrect. The report which should be cited is HN-199
for the four-month data collection activity at Connecticut Yankee
(Haddam Neck). Also, no reference is made to a much larger body
of reported nuclear experience data contained in HN-185
(4) The quantity n on page 33 should be nf.
(5) The last two sentences of the second paragraph on page 33 seem
inconsistent. Specifically, if any task error rate less than
10 is viewed with skepticism, then any error rate computed to
be less than 10 should be rounded up to 10 rather than being
dropped as implied in the last sentence and as specifically il-
lustrated in the example in paragraph one on page 151, where an
101
-------�
estimated error rate of 10 led to the decision to drop the
rrror from further consideration. It would seem more rea
to assign a value of 10 to any critical human error which was
— s
iound bv estimate to he less than 10
(6) In the equation at the top of cage 172, it appears that the
T1 t + 1
second exponential term, exp , should be
T' t + 1 T
exp
(7) The heading "Valves (SOV)" in Table III-l appears to be misplaced
and should be moved down one row.
(8) In several instances, the WASH-1400 assessed ranges for component
failure rates are significantly narrower than would be Indicated
by the data listed in Table III-l. Two notable examples are
"Electrical Clutch Failure" and "Motor Operated Valves Failure-
to-Operate."
(9) Page 26, Table III-3 - This table is labelled "Active Mechanical
Hardware" and includes pipe failures. Pipes should not be con-
sidered "active mechanical hardware."
Common Mode Failures (Appendix IV) - The lack of a clear common mode
failure definition in WASH-1400 tends to confuse the treatment of these
failures. Common mode failures are defined very broadly in Appendix
III, page 40, as "failures having a common cause." Another definition
is given in the first paragraph, page 5 of Appendix IV, namely, "mul-
tiple failures which are dependent." This latter definition is con-
fusing because it introduces -the concept of "dependent" without identi-
fying whether they are dependent on a single external influence,
dependent on each other, or both. All failures are dependent on some-
thing. Therefore, dependency is not a concept peculiar to common mode
failure. Elsewhere in Appendix IV the phrases "dependent and common
mode" and "common mode and dependency" are used. Use of dependent or
102
-------�
dependency along with common mode clutters the concept since a special
case of dependency is implicit in "common mode."
Normally, common mode failure is defined as a single cause which fails
more than one redundant item or function. Several investigators have
promulgated this definition of common mode failure. For example,
W. C. Gangloff uses it in the first paragraph of his introduction.
(32)
Similarly, Green and Bourne define common mode failures in this
manner. The American Nuclear Society also offers a similar concept in
(33)
Paragraph 3.6.8 of the draft standard N18.8 . In this document,
common mode failures are defined in context as follows:
"The designer shall recognize that the redundant or diverse
channels do not necessarily have independent failure modes.
He shall seek to eliminate multiple channel failures origi-
nating from a common cause. The failure modes of redundant
and diverse equipment, channels, and systems and the condi-
tions or operations that are common to them shall be studied
to determine that a predictable common failure mode does not
exist." .
Finally, the AEC (now Nuclear Regulatory Commission) in Regulatory
(34)
Guide 1.6 has discussed common mode failures in tontext with the
use of redundancy in standby power systems. Here, common mode fail-
ures are discussed in conjunction with loss of redundancy through a
common failure cause.
Insufficient information is contained in Appendix IV relative to quan-
tification of common mode failures for specific application to the
systems analyzed in Appendix II. Although a reasonable qualitative
description of common mode failures is given, exactly how these con-
siderations were numerically applied to specific systems does not
appear adequate. A related deficiency is that the Appendix does not
contain a clear presentation of a systematic approach used in
103
-------�
identifying and quantifying common mode failures. A flow chart de-
scribing each step taken in such identification and quantification
would be very valuable.
Section 5.3, "PWR LOCA Sequence Common Mode Failure Evaluation,"
especially needs a quantitative evaluation. Only one quantitative
value is given. It would be useful if calculated probability were
presented for many of the common mode failures discussed. This could
be done in tabular form by sequence.
Miscellaneous Comments (Appendix IV) -
(1) General - Sections 5.5.1 and 5.2, as labelled in the table of
contents and in the text, are identical to Sections 6, 6.1 and
6.2. The fact that Section 5 pertains to PWRs and Section 6 to
BWRs should be identified in these titles. Also, to be consis-
tent, Sections 5.3 and 6.3 should be the same, and a Section 6.4,
equivalent to 5.4, should be added.
(?.) Page 7, Table IV-1, Item V-2 - While design adequacy is mentioned
here and is addressed in Appendix X, neither Appendix X nor
Appendix IV identifies the probabilities or frequencies associated
with earthquakes or other external events which might give rise
to common mode failures. Appendix IV is deficient in this respect.
Even if the probabilities of these external events are addressed
in other parts of WASH-1400, Appendix IV is the proper place to
discuss them quantitatively and qualitatively with respect to
their contribution to common mode failure. ) '':• ..-• ,
(3) Page 44, Last Paragraph - The choice of a log-normal,distribution
for common mode failure probabilities is used, but no Justifica-
tion is provided other than the previous arguments given for 00107
ponent failure rates. The use of log-normal distributions for
common mode failures should be justified by indicating that:
104
-------�
(a) Experience with common mode failures demonstrates the
acceptability of the log-normal distribution, or
(b) There is no major difference in results when using any
other, possibly acceptable, distribution for the common
mode failure distribution.
(4) Section 5.2, Summary of Methods - This section should be titled
"Summary of Evaluations." Reference is made to subsections 4.1
and 4.2 on page 70. There are no such subsections.
Design Adequacy (Appendix X) - This Appendix describes the results of
an effort performed to determine whether external phenomena and ad-
verse environmental conditions from .accidents represent a common mode
failure potential. However, the Appendix falls short in its evaluation
because there seems to be no conclusion or summary which clearly states
which conditions represent a problem, what the magnitude of the effect
is, and how such considerations were utilized in the system failure
evaluations elsewhere in WASH-1400.
What appears to be required in Appendix X is a systematic probabilis-
tic determination of the likelihood of common mode failures from ex-
ternal events and accident conditions. Such a determination should
consider the probability of the external event exceeding the design
condition as well as the probability that the design and/or', fabrication
T,
is inadequate for events less severe than the design condition. This
approach would result in a quantified evaluation amenable to incorpora-
tion into the general format of the WASH-1400 risk evaluations.
Appendix X indicates that in a significant number of cases insufficient
information was available to determine design adequacy. It is not
clear how these cases were accounted for in the risk assessments.
The evaluation does not seem to be complete in that only a limited num-
ber of equipment and structure selections were made (a "sample"
105
-------�
according to page 1). Section 3 does indicate that the selection was
biased towards selecting those components and systems which had safety
functions and were vulnerable to high stress. However, the Appendix
does not indicate how large the sample is in relation to all systems
and components of interest.
Conclusions - As a result of the review of Appendices III, IV and X,
the following responses have been developed to the questions posed at
the beginning of this Section:
(1) Are data sources used in WASH-1400 applicable and properly
applied?
The general answer is "yes." There are, however, specific
instances cited in the detailed review where application is
questionable, such as the application of pipe rupture data by
selecting an assessed range of failure rates below the composite
nuclear/non-nuclear experience shown in Table III-l. Nuclear
piping may be less susceptible to failure, but justification for
the improvement is not developed in Appendix III. This example
can be extended to any instance in which the WASH-1400 assessed
ranges fall below best fit plots for composite nuclear/non-nuclear
failure rate data.
Some of the data sources listed in Appendix III may be marginally
applicable to nuclear systems. However, it is believed that the
method of using this data in WASH-1400, a log-normal distribution
with sampling from an assessed range, allows for use of this data.
As a final conclusion on data application, it is noted that major
orders-of-magnitude of errors in selection of assessed ranges
were not found. However, as noted in the detailed review, in-
stances were identified where the assessed range was considered
over-optimistic or over-conservative. The impact of these arguable
106
-------�
range selections on accident probabilities should be evaluated
on a selective, worst case, basis. While other applicable data'
sources can be found for specific failures, no major applicable
compilation appears to be omitted. To obtain other data sources
would be desirable but not necessary except in those instances
where the data listed in Table III-l are scattered or of such
small sample size as to make the log-normal/assessed range ap-
proach technically weak.
(2) Have common mode failures been properly considered and accounted
for?
This question cannot be conclusively answered from reviewing
Appendix III and Appendix IV. Much of the specific treatment
of common mode failures is discussed in other appendices. A
major criticism of Appendix IV is the lack of a clearly defined,
systematic approach to identifying and evaluating common mode
failures. While there is an extensive listing of common mode
failures in Appendix IV discussions, no quantitative evaluation
of all listed failures is given.
(3) Has appropriate attention been given to consideration of design
adequacy, including environmental effects, aging, etc?
Appendix X provides extensive engineering review of selected
equipment and structures in the BWR and PWR plants used as refer-
ence designs for this study. These reviews evaluate both design
calculations and actual installation, pointing out deficiencies
in engineering design and construction which may be a source of
a single failure or common mode failure. This information is
then used in other appendices to modify basic failure rates and
to assign frequencies to common mode failures. Thus, design
adequacy has been addressed in considerable detail with respect
to the two plants involved.
107
-------�
However, a generic treatment was not provided for design adequacy
in typical BWRs and PWRs. Appendix X does not contain a summary
discussion of the probability that specific equipmofct will be
designed properly. At best, the summary tables in .Appendix X
provide a qualitative indication of which selected systeflsd or
equipment may be marginally adequate. One must look, throughout
the appendices to evaluate the question of appropriate attention
to design adequacy. It is recommended that the question of prob-
ability of adequate design be addressed in Appendix X.
(4) Are the component failure rate values properly computed from dat$
used by WASH-1400?
The log-normal distribution used in developing assessed ranges
of failure rates appears reasonable. It is doubtful that any
other statistical treatment would change the results of the study
significantly. While the log-normal distribution appears suitable,
the computation or selection of failure rate ranges from avail-
able data is questionable in some instances. Specific examples
of this point may be found in the detailed review.
9. PWR Low Pressure Injection System Failure
General Review - A review was performed of the PWR low pressure injec-
tion system (LPIS) failure analysis as presented in Appendix II, Vol. 2
of WASH-1400. The analysis was found to be correctly done except for
the consideration of operator error.
Figure 11-54, page 299 of Section 5.6.3 (Appendix II, Vol. 2) of WASH-
1400 illustrates the reduced fault tree for the LPIS system. This tree
consists of single and double fault contributions. Under the double
fault contribution, there is a subtree labelled "Failure in Pumps and
Control of Cause Failure" (see Comment 3 under Miscellaneous Comments).
This subtree consists of two identical branches for failures in "A"
108
-------�
train components causing loss of the "A" train and failures in "B"
train causing loss of the "B" train. Each branch contains two operator
errors, each of which disables one train: valve A01 (186AA) closed or
valve A03 closed for train "A", and valve B02 or valve B03 closed for
train "B". This operator error probability is apparently assigned a
value of 1x10 in all cases, since using this value to compute the
double failure contribution produces the same value as the double
failure contribution used in WASH-1400 (Figure 11-57). Since it is
expected that the controls of each set of valves (A01, B01 find A03,
B03) are identical and close to each other, it does not appear realis-
tic to assign the same operator error probability for closing the
second valve in each set unless the first valve is closed inadvertently
rather than deliberately. If the operator is motivated to deliberately
close the first valve because he is confused, has incomplete or erron-
v
ecus knowledge of the system, is following the wrong procedure, etc,
then it would appear likely that he would deliberately close the second,
since both valves in each set are identical and are installed in iden-
tical parallel lines and perform the same function. Appendix III of
WASH-1400 states on page 130 that an error rate of 1.0 is assigned for
the event "If an operator fails to operate correctly one of two close-
ly coupled valves or switches in a procedural step, he also fails to
correctly operate the other valve."
Assigning a conservative value of 1.0 for an operator error of closing
the second valve in either set after he has closed the first (with a
-3
probability of 1x10 as was used in WASH-1400) increases the double
failure contribution from 9.2x10 to 9.7x10 . Figure 19 is a repro-
duction of Figure 11-57 in Appendix II, Vol. 2 of WASH-1400, modified
to show the effect of this change. The modified values are shown in
parentheses under the WASH-1400 values. As can be seen, this change
in the double failure contribution increases the overall LPIS system
— 3 —2
unavailability from 4.2x10 to 1.4x10 , an increase of a factor of
three. To assess the influence of this increase on the overall risk
requires an analysis of accident sequences involving LPIS failure
109
-------�
However, a generic treatment was not provided for design adequacy
in typical BWRs and PWRs. Appendix X does not contain a summary
discussion of the probability that specific equipment will be
designed properly. At best, the summary tables in Appendix X
provide a qualitative indication of which selected systems or
equipment may be marginally adequate. One must look throughout
the appendices to evaluate the question of appropriate attention
to design adequacy. It is recommended that the question of prob-
ability of adequate design be addressed in Appendix X.
(4) Are the component failure rate values properly computed from data
used by WASH-1400?
The log-normal distribution used in developing assessed ranges
of failure rates appears reasonable. It is doubtful that any
other statistical treatment would change the results of the study
significantly. While the log-normal distribution appears suitable,
the computation or selection of failure rate ranges from avail-
able data is questionable in some Instances. Specific examples
of this point may be found in the detailed review.
9. PWR Low Pressure Injection System Failure
General Review - A review was performed of the PWR low pressure injec-
tion system (LPIS) failure analysis as presented in Appendix II, Vol. 2
of WASH-1400. The analysis was found to be correctly done except for
the consideration of operator error.
Figure 11-54, page 299 of Section 5.6.3 (Appendix II, Vol. 2) of WASH-
1400 illustrates the reduced fault tree for the LPIS system. This tree
consists of single and double fault contributions. Under the double
fault contribution, there is a subtree labelled "Failure In Pumps and
Control of Cause Failure" (see Comment 3 under Miscellaneous Comments).
This subtree consists of two identical branches for failures in "A"
108
-------�
F fiiluro
it n >0'3
UMS
Unavailability
4J a ID'1
(l.A x 10~2)
BJ n 10
(9.66 x 10~3)
Figure 19 - -i.ow Pressure Injection System Unavailability Contributions with Revised
Humb.ers in Parentheses
-------�
(designated "D") as a dominant accident sequence for release categories
3, 4, 5 and 7 under large LOCA (the LPIS is required only for large
I.OCAs). However, the contribution from these sequences is less than
1 percent of the total from all accidents in each release category for
Categories 3, 4 and 5 and about 3 percent for Category 7. Thus, a
factor of three increase in the LPIS failure portion of the accident
sequence would not have a significant effect on the overall risk result,
Omissions - No omissions requiring an in-depth review were found.
Trojan Comparison - A determination of the applicability of the Surry
LPIS failure to the Trojan reactor resulted in the following:
(1) Pump capacities, injection pressures, and other pertinent param-
eters are the same for the Surry and Trojan plants. Piping lay-
outs and system components arrangements are generally similar.
Figure 20 shows flow diagrams for the two systems. The diagrams
are similar except that the Trojan system pumps to four reactor
coolant loops while Surry pumps to three. Indicated on Figure 20
by circled numbers are major single failure contributions causing
total system failure. In all cases, these failures are valve
failures. The Trojan system has three such contributions while
the Surry system contains six. It would thus be expected, since
single failures dominate the system unavailability (see Figure
20), that the Trojan system has a lower unavailability. However,
in view of the small contribution to the overall risk from fail-
ure of the Surry LPIS, this difference would not be significant.
Conclusions - No errors or omissions of significance were found in the
WASH-1400 analysis of the PWR low pressure injection system failure.
Due to similarities in design and operation between the Surry and
Trojan Jow pressure injection systems, the Surry analysis is largely
applicable to Trojan. Because of fewer single failure possibilities,
the availability of the Trojan LPIS should be somewhat higher.
Ill
-------�
M>H>K
SURRY
W.i tor
Tank
IXHM-
To Hot Lep.s
Figure 20 - Comparison of Troj in and Surry Low Prcssurp Injection Sysfm?;
-------�
Miscellaneous Comments - In reviewing Section 5.6.3 of Appendix II,
Vol. 2, the following comments were developed:
(1) Page 284 - The single failures here do not correspond to the
single failures listed on the single failure subtree in Figure
11-54. Further, neither considers the Refueling Water Storage
Tank (RWST) drain plugged to be a single failure, as was done for
the HPIS, where it was concluded to be not significant.
(2) Page 297, Figure 11-53 - There appear to be inconsistencies be-
tween Figure 11-53 and Figure 11-65 (page 373). Figure 11-53
shows two LPIS lines connecting to two HPIS lines outside the
containment and then entering the containment and going to hot
leg injection. Figure 11-65 shows three LPIS lines connecting
to three HPIS lines inside the containment.
(3) Page 299, Figure 11-54 - The statement in the box at the top of
the left hand subtree under "Double Cut Set" reads "(1) Failure
in Pumps and Controls or Cause Failure." This statement is not
clear and needs to be revised.
10. PWR Low Pressure Recirculation System (LPRS) Failure
General Review - A review was performed of the PWR LPRS failure as pre-
sented in Section 5.9, Appendix II, Vol. 2 of WASH-1400. The analysis
was found to be correctly done except for a consideration of operator
error. The operator action required to successfully initiate low pres-
sure recirculation is not clearly specified in Section 5.9. On page
489, it is stated that the operator needs to open either or both of
the valves in the pump suction lines to the containment sump (these
valves are labelled V-24 and V-25 on Figure 11-90, and 1860A (A05) and
1860B (B05) on Figure 11-95) and also close the valve in the suction
line to the Refueling Water Storage Tank (RWST). On page 495, the
transition from low pressure injection to recirculation is defined as
113
-------�
opening J>jot_h V-24 and V-25. On page 498, it is stated that the RWST
suction line valve need not be closed. For this analysis,, it will be
assumed that the operator only needs to open one valve; either 1860A
or 1860B. The failure of the operator to perform this action is
included as a common mode contribution to system failure in Section
5.9. The probability of operator failure for this action is assigned
-3
a value of 3.0x10 . Since the action required to open either valve
is identical, the two acts are assumed to be completely coupled; ie,
the probability of failing to open the second valve is one, given that
the operator fails to open the first. Section 5.9 also assumes that '
operator failure probability to realign the LPRS injection to the hot
legs from the cold legs after 24 hours is also 3x10 . The total com-
mon mode failure for continued LPRS availability, consisting only of
ttiese operator errors, is thus computed to be 6.0x10
-3
The probability of 3x10 assigned to the failure of the operator to
open at least one suction line valve to the containment sump appears
to be too low. The basis for the value is not clear. Appendix III,
Section 6.1.2 of WASH-1400, discusses "Human Performance Data", and
describes generally how human failures and errors were quantified and
applied to the computations (in Appendix II) of system unavailability.
This section includes a sample calculation of the probability that the
operator fails to open either valve 1860A or 1860B due to (a) no action
taken and (b) incorrect action taken. For (a), a negligible value was
derived, and for (b) a value of 10 was selected. From this discus-
-2
sion, it appears that a value of 10 should have been used as the
probability that the operator fails to open either of the valves,
-3 -2
rather than 3x10 . In addition, it appears that 10 is also too low
based on other considerations. The "basic error rate" for "Operator
fails to act correctly after the first 30 minutes in an extreme stress
condition" is given as 10 in Table 111-13, page 131 of Appendix III.
According to the text in Section 5.9, this basic rate was altered to
account for other factors. .However, the factors considered to justify
-2
the reduction to 10 are not delineated; a statement is merely made:
114
-------�
"The basic error rate of 10 was assessed to be too large for this
_2
type of action (opening containment sump valves for the LPRS), and 10
was accordingly selected as the nearest order of magnitude estimate."
An apparent conflict with this assessment exists on page 135 of the
same section. Here it is stated that: "The basic error rates in
Table 111-13 were modified by assigned (sic) higher rates to situations
where the arrangement and labelling of controls to be manipulated were
potentially confusing. For example, motor operated valves MOV-1860A
and MOV-1860B..." The discussion goes on to describe how the operator
;
could confuse the controls for these valves with others. This dis-
cussion seems to argue that the basic error rate of 10 is even too
low.
It is recognized that many factors must be considered in order to
determine with confidence the human error rate for an activity under
a given set of circumstances. Such a determination is beyond the scope
of this effort. However, it does not appear, based on the information
presented, that the value of 3x10 used in WASH-1400, Appendix II
(Vol. 2) for failure to open valves 1860A and/or 1860B is justified,
and, further, it appears that a higher value is more appropriate. In
order to determine the effect of this parameter on the overall risk
assessment, avalueof 10 was used. This value does not appear un-
reasonable based on information contained in Appendix III of WASH-1AOO
as discussed above.
-3-1
The increase from 3x10 to 10 for operator failure to open valves
_3
1860A and/or 1860B changes the LPRS system unavailability from 7.9x10
to 1x10 . This change is illustrated in Figure 21, which is a re-
vised version of Figure 11-96 from Appendix II, Vol. 2, of WASH-1AOO.
The revised numbers are shown in parentheses. Translating this in-
crease to probabilities for the PWR release sequences (Table V-16,
page 37 of Appendix V) yields the following changes (all median values):
(1) Category 3 increases from 5x10 to 7x10
115
-------�
LPRS
System
Unavailability
Single Failure
Contribution
Double Failure
Contribution
1.1 x 10
,-5
1.8 x 10'3
7.9 x 10
•3
(1 x 10
I
Test And
Maintenance
9.8 x 10"5
Figure 21 - Revised LPRS Contribution Pictorial Summary
-------�
1 ' — fl — ft
(2) Category 5 increases from 1x10 to 2x10
-5 -4
(3) Category. 7 increases from 6x10 to 1.4x10
To assess the significance of these release category probability in-
creases to the general population, the revised numbers were compared
with the corresponding numbers in Table VI-20 (page 71, Appendix VI).
Since only Categories 1 through 4 produce acute fatalities (average)
of greater than one per accident, the increases in Categories 5 and 7
are of little consequence. The increase in Category 3 is small and
thus would not significantly increase the overall risk.
Two other apparent problems with the LPRS reduced fault tree used in
WASH-1400 were found during the general review. These are as follows:
(1) Figure 11-91 - It is not clear why "operator error,^operator
closes MOV 1890C" is not included as a single failure under
"Single Failures Which Can Cause Insufficient LPRS Flow."
(2) Figure 11-91 - A.subtree to the top event "Pump B01 Fails to
Start and Pump A01 Fails to .Continue Running" includes three
valve faults. These valve faults (B03 and B02) do not haye. any-
thing to do with pump malfunction. These valve faults should be
included in the suction line (B03) and discharge line (B02) faults
which are parts of separate subtrees B03. However', neither of
these valve faults appear under suction line failures or discharge
line failures. They do appear under the top event "Pumps A01 and
B01 Discontinue Running." Again, these valves do not have any-
thing to do with the top event. It thus appears that these valve
failures have been counted twice, and in neither case have they
been included where they logically belong.
Omissions - This review resulted in the finding of an additional fail-
ure mode which was not considered. Appendix I of WASH-1400 (page 24)
117
-------�
states that only cold leg breaks (for large LOCAs) were considered
since this location presents the most stringent demand on ECCS. Ap-
pendix IT (Vol. 2) states (page 490) that "...although no written
procedures were found to be available, it was assumed that at some
time during the first day following a cold leg break the LPR system
should be realigned to inject into the hot legs..." Failure to per-
form this activity was assumed to result in failure of the LPRS. The
-3
probability assigned to this operator failure mode was 3x10 . (In
view of the fact that no emergency procedures were apparently avail-
able to the operator, this failure probability seems much too low.)
It is not clear whether the operator will be able to distinguish be-
tween a hot leg and a cold leg break. If a hot leg break occurs, and
the operator, assuming a cold leg break, switches to hot leg circula-
tion, an LPRS failure may ensue for the same reasons as stated on
page 490, Appendix II, Vol. 2. It is not expected, however, that such
a failure would contribute to the overall risks because of the time
elapsed (24 hours) before the action is taken and the relatively in-
significant risk associated with LPRS failure, as discussed under the
general review.
'!.' r o j an Comp ar is on - This review resulted in determining that the pump
capacities, injection pressures, and other pertinent parameters are
the same for the Surry and Trojan plants. Piping layouts and system
components arrangements are similar. Two exceptions to this similarity
should be noted:
First, on page 498 of Section 5.9, it is stated that ruptures
in either pump discharge line up to the intersection of the two
lines will not cause system failure because the downcomer in the
pressure vessel will have been filled and the system need only
deliver 300 gpm to be successful. Since Trojan operates at a
power level about 1/3 higher than Surry, it will require an LPRS
flow of about 400 gpm to be successful. Depending on relative
pressure drops, a line break as described above may disable the
118
-------�
Trojan system. However, since line ruptures are relatively un-
likely, this difference, if it exists, would not be expected to
make any significant difference in the overall risks.
Second, part of the procedure for switching from low pressure
injection to recirculation for Trojan includes aligning the LPRS
such that part of the flow is injected into the containment
sprays. The entire switchover for the Trojan (see Reference 2,
Section 6.3.2.2.2) thus takes some 20 steps (versus 5 for Surry).
This would increase slightly the probability of operator error,
but the difference should not be significant.
Conclusions - The errors found in the WASH-1400 analysis of the Surry
LPRS appear to be insignificant. No omissions which have a significant
effect on the overall risks of nuclear power were found in the WASH-
1AOO analysis of the Surry LPRS. In addition, the analysis of the
Surry LPRS should apply, with only minor modifications, to the Trojan
LPRS.
Miscellaneous Comments -
(1) Appendix II, Vol. 2, page 490 - It appears that valve V10 needs
to be closed to ensure hot leg injection. This is not listed
in the procedure.
B. CONSEQUENCE AREAS
The analysis of the four consequence areas selected for review are
presented here. For the core heatup and containment pressurization
analysis contained in WASH-1400, a review was made of the assumptions
and methods used. In addition, independent calculations using dif-
ferent techniques were performed and compared to the WASHK1400 results.
For the PWR containment failure pressure assessment given in WASH-1400,
a review was completed and a revised failure pressure was proposed
119
-------�
based on information contained in WASH-1400 and the Surry Safety Analy-
sis Report. For the fourth area, tritium release consequences follow-
ing a major accident, a calculation was completed to show the biological
effects of tritium release from the containment. An analysis of tritium
release was not included in WASH-1400.
1. Parametric Studies of Core Meltdown (PWR)
This section presents a review of the PWR Core Meltdown analysis de-
veloped in Appendix VIII of WASH-1400. In addition, an independent
analysis of selected core meltdown sequences is presented. The pur-
pose of this section is to determine the applicability of the WASH-1400
core meltdown analysis as used in assessing the risks of nuclear power.
WASH-1400 Analysis - The computer code BOIL, described in Appendix
VIII of WASH-1400, was written by Battelle Columbus Laboratories to
calculate core heatup and meltdown during reactor accidents where water
initially in the core is boiled away by the core fission product decay
heat. BOIL was also written to calculate the core heatup for cases
with very low bottom-flooding rates (<0.2 in/sec) and the dry heatup
of the core in the absence of water. The code performs energy balances
on the fuel rods and flow channel fluid to predict the water tempera-
ture and boiloff rate and the fuel rod temperature. Three different
models are used to predict the heat transfer and molten fuel transport
within molten fuel regions.
The BOIL code uses a simplified approach to solve a complex problem.
The BOIL code solution is, however, consistent with the state-of-the-
art, and the simplifying assumptions appear reasonable.
Independent Core Meltdown Analysis - In attempting to select a computer
code to perform an independent core meltdown analysis, none could be
found which could be directly used to calculate the effects of fuel
slumping after the core begins to melt. Most of the codes currently
120
-------�
being used for reactor thermal-hydraulics calculations are not intended
for predicting fuel pin cladding temperatures above the 2200°F per-
mitted by the ECCS acceptance criteria . It was decided to make the
required modifications to the RELAP4 computer code to permit a dry
core heatup analysis until the hottest region in the core begins to
melt. The core was assumed to be in a dry steam environment, but steam
boiloff from the lower plenum due to heat transfer from hot reactor
vessel walls was permitted. This case is representative of a LOCA with
failure of all ECCS, and is recognized to be conservative because the
passive accumulator systems will almost certainly provide some core
cooling for some time after blowdown is complete.
The RELAP4 model used in the analysis (Figure 22) consisted of five
fluid volumes: One each for the upper and lower plenums and three
volumes in the core. Sixteen core heat slabs were defined, and two
heat slabs transferred heat to the lower plenum. A hot core region
representing the hottest 10 percent of the core fuel rods was also
modeled by eight heat slabs connected to core fluid volumes in the
same manner as the average core. The reactor primary system and fuel
(3)
rod dimensions were obtained from the Surry SAR . The core axial
and radial peaking factors were obtained from Battelle . The aver-
age fuel pins were represented by eight core heat slabs, two each of
which connect.to the fluid volumes at core inlet and outlet, and four
to the central core fluid volume.
The heat transfer from the pressure vessel walls to the lower plenum
water was modeled using two heat slabs representing the lower head and
cylindrical walls up to the core inlet level.
The initial peak fuel rod temperature at the start of core heatup after
blowdown was assumed to be 1200°F, and the reactor vessel wall temper-
ature was assumed to be 571 F. The core decay heat was assumed to
follow the ANS standard . The core heatup was assumed to begin 30
seconds after the start of blowdown. Runs were made with and without
121
-------�
Q)
3
U- C
O J3
Upper Plenum
Lower Core
Fluid Volume
o
3
P-. C »
oj:
a) -H r
UJ60-
tO Q/ */
OJ CN
£
Upper Core
Fluid Volume
c
o v>
•H ^O
6t tO
a »H
ij f^
c
z
c
o in
"QJ
3
li. C W
OjD
01 — I tt)
60 OO-i
to QXO
ti a;
a) >J
_c
_
Lower Plenum
O .0
3 O
to •
O u
^1 C3
TJ a
•* o
*-< c
tj
Lower Dome
One Heat Slab
Figure 22 - RELAP4 Nodalization
122
-------�
reducing the decay heat to account for fission product losses. One
run was also made which assumed no cladding metal-water reaction.
The minimum time required to the start of a PWR core melting was as-
sumed in WASH-1400 (see Appendix I, page 121) to be 16 minutes. The
RELAP4 model described above predicts that core melting begins'at 4.5
minutes if fission product release is neglected, and at 5.2 minutes
when the BOIL code fission product release equations are programmed
into RELAP4. If metal-water reaction is neglected, the core melting
time is extended to 17 minutes. The case with no metal-water reaction
corresponds to a case where no liquid exists in the lower plenum after
blowdown, as was apparently assumed in the BOIL code dry heatup calcu-
lations. Thus, although boiloff of the residual water in the lower
plenum does not provide significant cooling, it does provide enough
steam for the metal-water reaction to greatly accelerate the heatup
rate and, therefore, should be included in core heatup and meltdown
analysis. It is not realistic to assume that no water will be left
In the lower plenum following blowdown, especially if ECC accumulators
are assumed to function.
The core heatup analysis in WASH-1400 assumes that the core is either
initially covered by water, covered by water up to the 6-foot eleva-
tion, or completely dry. The first case corresponds to failure of the
core heat removal system after the ECC systems have functioned success-
fully; the second apparently represents partially successful ECCS; and
the last represents total failure of all ECCS.
The assumption of a dry heatup is conservative because the passive
accumulator systems can be realistically assumed to provide core cool-
ing for some time after the accident. A core reflood rate analysis
was, therefore, performed as part of this review to determine the re-
flood rate history to be expected for a case with accumulator injection
only. The analysis also predicts the core liquid level which can be
123
-------�
expected at the beginning of core boiloff. The analysis must be con-
sidered as scoping in nature because of the unknown end-of-bypass time
and the estimations used for accumulator injection rate and loop re-
sistances. These values were selected on the basis of previous exper-
ience with similar calculations. One accumulator was assumed to inject
into the primary system. The core carryover rate fraction was assumed
r i: p\
to be constant at C.8, based c.:. PWR-FLECHT resultsv ' after the core
water level reached one foot,i.e.,80 percent of the water predicted to
enter the core was assumed to be carried out of the core to the con-
tainment. Figure 23 shows the core reflood rate and t:he core liquid
level as a function of time after blowdown is initiated. The core
reflood began at 20 seconds and continued until 200 seconds. The core
liquid level at the end of the reflood was calculated to be 3.3 feet.
Detailed calculations of the core temperature response during this
time period would require computer code modifications which are beyond
(58)
the scope of this study. However, examination of PWR-FLECHT data
shows that for an average reflood rate of 1 inch/sec, the core will be
quenched to a level of less than 6 feet at 200 seconds. Host of the
core will, therefore, be at temperatures greater than 900°P at the
beginning of core boiloff. This is different from either the totally
dry or totally quenched assumptions in WASH-1400.
The cooling effect of the short term reflood and the resulting 3-foot
water level in the core can only be estimated. A reasonable estimate
would delay the rapid core heatup calculated for an initially dry core
by an estimated 5 minutes. The estimate assumes a 2-minute delay due
to reflood and a 3-minute delay due to boiloff of the 3 feet of water.
The 5-minute estimate could be increased due to level swell in the
core or decreased because of increased metal-water reaction resulting
from the higher steam supply. In either case, it appears that the
time required for initiation of core melt during a LOCA accompanied
by a loss of electrical power will be greater than the 4.5 minutes
calculated herein for the no fission product release case, but less
than the 16 minutes reported in WASH-14QO.
124
-------�
60
80
100 120 140 160
Time After Start of Slowdown (seconds)
180
200
Figure 23 - Core Liquid Level and Core Reflood Rate as a
Function of Time after Slowdown
-------�
Conclusions - An independent core heatup analysis for a LOCA accompanied
by failure of all ECCS was performed using the RELAP4 computer code.
The calculations were performed only until fuel melting was predicted
to begin. The RELAP4 analysis showed the time to the beginning of
fuel melt to be between 4.5 and 5.2 minutes compared to the 16 minutes
reported in WASH-1400. The difference is apparently due-to metal-water
reaction. The RELAP4 model calculated a steam flow to the core from
the lower plenum due to heat transfer from the reactor vessel walls
thus resulting in a substantial metal-water reaction. In the BOIL
code, there is no steam flow during a dry core" heatup and, therefore,
no metal-water reaction is calculated. A RELAP4 calculation assuming
no metal-water reaction was performed arid the calculated time to ini-
tial fuel melting was 17 minutes.
The impact of these observed differences upon the final results of
WASH-1400 is difficult to assess directly. A decrease in the time
to initiate core melt would slightly increase radiation levels and
decrease evacuation times, both tending to increase the consequences
of the accident. Additional analysis is required to determine if this
is a significant effect. If the effect is significant, the core heatup
case assuming accumulator injection needs further assessment since the
calculations presented herein are different than the WASH-1400 results.
Miscellaneous Comments - Specific comments on the core heatup and BOIL
code equations and assumptions as described in Appendix A of Appendix
VIII are as follows:
(1) Page A-3 - The fission-product-release fraction is given by equa-
tion (A-2) for rod temperatures between 1500 and 2000°F and by
equation (A-3) for rod temperatures greater than 2000°F. The
report states that the value from one or the other equation is
used. If this is true, the release fraction from both equations
should be equal at 2000°F. This is not the case. Equations (A-2)
and (A-3) could not be checked because their sources are not
126
-------�
referenced. In addition, the 1500°F initial cladding rupture
temperature is inconsistent with cladding rupture temperatures
cited in Appendix VII. Rod (cladding) rupture is assumed to
begin at 1200-1400°F on page C-2 of Appendix VII, and a lower
limit of 1400°F is stated on page 3.
(2) Page A-3 - The Baker-Just rate law is assumed to be applicable
until the fuel is completely melted. The applicability of the
Baker-Just rate law has not been verified above the melting temp-
erature of Zircaloy.
(3) Page A-4 - The radiation interchange factor given by equation
(A-5) assumes the radiating and receiving surfaces to be parallel
planes. Since this equation is used for calculation of radiation
exchange between the fuel rods and the structure above or water
below the core, the interchange factor should assume intersecting
»
perpendicular planes.
(4) Page A-5 - Equation (A-6) assumes a "common gas" with a Prandtl
number of 0.
proach 0.88.
(6)
(35)
number of 0.78 . High temperature steam Prandtl numbers ap-
(5) Page A-5 - Equation (A-7) assumes a constant water temperature
and a constant boiling heat transfer coefficient. These assump-
tions need to be justified since the system pressure and fuel rod
heat flux are changing with time.
Page A-6 - The Q n in equation (A-9) should be 0 . .
b melt * xquench
(7) Page A-7 - Integration of equation (A-10) to get equation (A-lOa)
assumes (T - T) in last term on right-hand side of equation (A-10)
Kl
remains constant during the time step. Since that term is vari-
able, justification for this assumption should be provided.
127
-------�
(8) Page A-8 - The dry heatup model assumes steam and fission product
flow from the core is due only to volumetric expansion of the
gases. This is a good estimate if there is water in the lower
plenum at a level high enough to seal the core inlet. If the
core inlet is not water sealed, natural circulation through the
core could transport the steam and fission products to the con-
tainment at a much higher rate than will volumetric expansion.
(9)" Page A-ll - It is stated that the BOIL code does not include an
entrainment model. This is not entirely true because, for the
low or zero flooding rate cases considered, the mixture level
model in BOIL accounts for all entrainment which will occur.
(10) Page A-12 - The core meltdown models should consider clad melting
and slump occurring prior to fuel melting. The major effects
would be earlier flow channel blockage for meltdown models A&B
and reduced fuel mass and metal-water reaction for model C.
(11) Page A-1A - A possible fourth meltdown model should consider con-
vection heat flux within the molten pool in all three directions.
This would be consistent with the data of Hesson referenced in
WASH-1400.
(12) Page A-18 - The steam generation rates given in Figure A-2 are
wrong. The steam generation rate from decay heat in a full
covered core one hour after shutdown is approximately 1900 Ib/min.
2. Containment Response - Failure Pressure (PWR)
This section reviews sub-Appendix E of Appendix VIII of WASH-1400,
entitled "Containment Failure Modes Evaluation." The purpose of the
review is to determine (a) if the containment failure pressure select-
ed for the Surry reactor, and used in other parts of the study in
128
-------�
consequence assessments, is appropriately selected and reasonably
justified, and (b) if the containment failure pressure assumed for
Surry applies to Trojan, a reactor more representative of the reactor
type which the results of the study are applied.
(3)
Surry Nuclear Plant - The Surry nuclear containment building is a
vertical circular cylinder with a spherical dome. The inside radius
of the cylinder is 63 feet. The walls of the cylinder are 4-1/2 feet
thick and consist of reinforced concrete. The dome is also reinforced
concrete and is 2-1/2 feet thick. The inside of the containment is
,lined with a 3/8-inch thick steel liner which serves as a membrane to
distribute the load to the reinforced concrete structure.
The structure is designed to contain a pressure of AS psig with a
safety factor of 1.5 with respect to yield of the reinforcing steel.
Assuming propar design, proper construction practices, and use of
materials which meet specifications, a pressure of 1.5x45 » 67.5 psig
will cause yielding of the reinforcing steel. No credit for support-
ing strength is given to the steel liner in the design since it is to
serve as a membrane only. The ACI Code calls for a yield capacity
factor of 0.9 to provide for small, adverse variations in material
strength, workmanship, control, etc. Thus, 90 percent of the actual
yield strength of the reinforcing steel was used as the design basis.
The Paul E. Mast consultant report contained in Appendix E of WASH-
1400 gives the pressure which will cause yielding of the reinforced
steel to be 75 psig. To obtain this value, a nominal safety factor
of 1.5/0.9 «= 1.67,instead of the design safety factor of 1.5,was used.
Thus, the 10 percent reduction in design strength as called for in the
ACI Code is essentially cancelled.
The Mast report presents an analysis which shows that,after yielding,
the cracks in the concrete will increase from 0.03 inches to approxi-
mately 0.5 inches. This progressive stage of cracking during yield
129
-------�
is accompanied by essentially no increase in load carrying capacity
of the structure. The report states that the liner integrity will
become important at this point a»ut that the lavge strain
-------�
Appendix E concludes on the basis of the Mast and Sampath reports, on
pages E-2 through E-4, that the PWR (Surry) containment "...can be ex-
pected to fail at 100 ± 15 psia (85 ± 15 psig)." The conclusion is
based on using the lower bound of 75 psig calculated by Mast, plus 17 .
psig attributed to the yield strength of the liner - something Mast
indicated shouldn't be depended upon, and which seems to be in conflict
with the statements at the bottom of page E-2: "It (the steel liner)
has a relatively low strength in comparison with that of the reinforced
concrete and depends on the latter for support. No allowance is given
to the strength of the liner in the design of the structure."
In the evaluation of the Sampath report in WASH-1400, it is concluded
on page E-4 that the predicted failure pressure (75 psig) may be overly
conservative, and that the expected threshold of failure is taken to
be the "approximate mean" of the Sampath and Mast (plus 17 psi) values.
The mean between these two values is 83.5 psig, somewhat less than the
selected value of 85 psig.
(2)
Trojan Nuclear Plant - The Trojan containment building is a vertical
circular cylinder with a spherical dome. The inside diameter of the
cylinder is 124 feet, the wall is 3-1/2 feet thick and is pre-stressed
reinforced concrete. The dome is 2-1/2 feet thick and is also pre-
stressed reinforced concrete. The inside of the containment is lined
with a 1/4-inch thick steel plate which serves as a membrane. The
reinforced concrete structure includes both vertical and hoop tendons.
These tendons are jacked to a stress level of 0.8f or 145,000 psi.
The ACI Code calls for a reduction in strength of both the rein-
forcing steel and the stressing tendons. The reduced strength is
54,000 psi and 182,000 psi for the reinforcing steel and the tendons,
respectively.
The design is such that the structure will contain a pressure of 60
psig with a safety factor of 1.5 with respect to yielding. Thus, if
construction practices and quality of materials are at least par, when
131
-------�
the internal pressure is 90 psig (104.7 psia), a state of impending
yielding will exist and failure is imminent.
The cylindrical part of the containment structure has about 7000 psi
compressive stress in the hoop reinforcing steel due to pre-stress.
Upon a 90 psig loading, the stress in the hoop reinforcing steel will
increase to 37,000 psi tension - an increase of 44,000 psi. The stress-
ing tendons must strain as much as the reinforcing steel and their
elastic moduli are equal; therefore, the stress in the tendons will
.increase to 189,000 psi (145,000 + 44,000). At this stress level, the
tendons will have either yielded or be near the beginning of yield.
A substantial portion of any pressure increase past this point will
have to be supported by the reinforcing steel. A pressure increase of
one psig above the design pressure could cause as much as a 7000 psi
stress rise in the reinforcing steel. Thus, failure is impending at
any rise above 90 psig.
Since the concrete is pre-stressed, the cracking at design pressure
will be small. However, additional pressure beyond this point will
cause the cracks to grow rapidly until a "weak link" develops. Some
possible weak links are as follows:
(1) the concrete may crack to the point where it will no longer
support radial shear. At this point, failure at the base could
occur or a penetration such as the equipment hatch may blow out,
(2) the liner may tear at a point of high strain concentration,
(3) a pre-stressing tendon may snap, releasing a tremendous amount
of strain energy and causing failure due to rapid crack propaga-
i
tion.
It is difficult to say exactly what internal pressure one of these weak
links would support. However, since both the reinforcing steel and the
132
-------�
pre-stressing tendons are at yield when the internal pressure is 90
psig, a slight increase in pressure will cause a large strain increase
in certain areas. These strain concentrations could lead to immediate
failure. The failure of one tendon would precipitate the failure of
other adjacent tendons when stressed at this high level. For example,
when the stress in a hoop tendon is 182,000 psi, the stored strain
energy is 2,440,000 foot-pounds. If this tendon were to snap, this
amount of energy would have to be immediately absorbed in the surround-
ing structure. If most or all of this energy were to be concentrated
at a particular location, failure would certainly occur. Thus, when
the structure is pressurized to the point that the ttmdons begin to
fail, the complete structure will possibly fail in a catastrophic
manner.
Several differences exist between the Surry and Trojan containment
structures. The Trojan structure is pre-stressed, reinforced concrete
the Surry structure is reinforced concrete but not pre-stressed. The
concrete in the Trojan structure is initially in compression due to
pre-stressing. Thus, the cracks in the concrete at yield are smaller
than those in the Surry containment. The analyses for the modes of
failure should be somewhat different for the two structures. Each
tendon in the Trojan containment is made up of 180 (1/4-inch diameter)
steel wires. The tendon system is a primary component of the load
support system. If the tendons fail under design load, the entire
structure could fail catastrophically.
The liner plate in the Trojan is 1/4-inch thick steel - in the Surry,
it is 3/8-inch thick steel. This difference is probably not too im-
portant since the liner plate will not influence the failure mode to
a great degree in either structure.
Conclusions - The assumed failure pressure used in WASH-1400 for PWR
containments of the Surry design, 85 psig, does not appear to be
133
-------�
sufficiently justified, and appears to be too high. This conclusion is
based on the following:
The use by Mast of a safety factor of 1.67 instead of 1.5 is
not justified.
The addition of 17 psi in Appendix E of WASH-1400 to the failure
pressure calculated by Mast appears to be improper since Mast
indicates it should not be allowed and credit for liner strength
is not permitted in the design. Under accident loading, the
liner will be in compression due to thermal expansion. Thus,
at the point where the reinforcing steel is starting to yield,
the liner will not be supporting any of the internal pressure
load. The liner, at this point, not only contributes nothing to
the pressure carrying capacity of the structure, but due to
thermal expansion, is exerting even more load on the reinforced
concrete structure.
Both the Mast and Sampath analyses stress that discontinuities
in design (such as penetrations), insufficient design details,
and possible imperfections in fabrication were not accounted for
in the analysis, and could be important. It appears that the
failure pressure should be reduced in an attempt to account for
these factors. For example, Sampath argues:
"It should be emphasized that the conclusions reported here must
be considered as tentative. The reason is that,-due to severe
constraints on both time and the lack of details, many areas
received only a cursory examination or were not pursued at all."
(Page E-22)
"A number of different failure mechanisms were considered and,
so far as possible, quantitative estimates made for each. The
accuracy associated with the estimated failure pressures was
limited by the lack of specific design details." (Page E-23)
134
-------�
"The liner amd the reinforcing near the inside face are only
inches apart. This circumstance probably required very careful
workmanship during construction to achieve proper consolidation
of the concrete and its integrity is somewhat suspect. However,
assuming that this section is properly constructed..." (Page E-24)
"The structure has an excess of steel (in the neighborhood of
5 percent whereas it is usual to find 1-2 percent steel in typical
well-designed concrete structures). Proper compaction of concrete
under such conditions would be difficult to achieve." (Page E-29)
In addition, the section in Appendix E which concludes that the
failure pressure is 85 psig contains a discussion of the effect
of penetrations, discontinuities and other factors. It is con-
cluded on page E-4 that "Such considerations are difficult to
quantify, at best, and cannot be evaluated in the absence of
specific details on design, quality of workmanship, and results
of nondestructive examinations. Other factors bearing on the
failure potential of major penetrations include the manner in
which they are anchored to the concrete and the reinforcing
steel, the reinforcing of the liner around such penetrations, and
the attachment of the liner to the penetrations. The signifi-
cance of these factors will obviously vary with the details of
each design." (Page E-4) 7
In view of the above considerations, it appears unjustified to use a
containment failure pressure of 85 psig (100 psia) for the Surry con-
tainment building. Due to the complex nature of the containment struc-
ture, uncertainties in the design, fabrication and material quality,
all that can be said with any degree of certainty is that the building
will withstand a pressure to which it is designed and tested. (Ac-
(41)
ceptance testing is required at: 1.15 times design.) In addition,
the building will probably hold 1.5 times design pressure, or 67.5 psig
(82.2 psia) as discussed previously. In the absence of any destructive testing
135
-------�
information, any pressure it will contain above thla Value i
tion. It is probable that th.- building will withstand pressures in
t-xoi'ss ot this valui-, but in v u-w uf the rapid s^reya b\\U4\M? VUl*
P\pssvm> Ari,i ovn, , „», ,,,, nini. i,.fi discussed above, the unknown excess
could be yery small.
Regarding the applicability of the Surry containment failure pressure
to the Trojan containment building, the design differences discussed
abovt- would render such application invalid without further supporting
analysis. In the concluding discussion, it is stated on page E-l that
"To tbe extent possible, the extension of the results ^o other contain-
ments of similar design has been indicated." There is .no indication of
any such extension in the conclusions other than the results apply to
a "reinforced-concrete containment building design 'for an internal
pressure of 60 psia..." Containment buildings of the more representa-
tive Trojan PWR design are designed for 75 psia. Even though the
»•£
Trojan and other 4-loop PWRs are designed for a higher containment
pressure, the loss-of-coolant accident produces a higher pressure.
The effect of these differences upon the time at which containment
overpressure failure occurs is discussed in detail under item 3 of
this section.
Miscellaneous Comments - During the review of sub-Appendix E of Ap-
pendix VIIT in WASH-1AOO, the following comments were developed:
(1) Throughout sub-Appendix E, units of psi, psia, psid, and psig
are intermixed, which tends to confuse the quantitative assess-
ments of containment pressure.
(2) A pressure of 5 psi is added to the computed failure pressure in
the Paul E. Mast section of sub-Appendix E. There does not
appear to be any justification included for the increase.
136
-------�
3. Containment Response - Pressure History (PWR)
This section presents the results of a review of the WASH-1400 con-
tainment response analysis for the Surry reactor plus two independent
calculations of PWR containment response.
WASH-1400 Analysis - Appendix VIII contains little discussion of the
analysis methods and assumptions used to calculate the reported con-
(53)
tainraent response. Discussions with BMI personnel revealed that
the containment pressure behavior calculations were made without the
use of a computer, using simple energy and mass balances. Computer
(39)
codes, such as the CONTEMPT-LT Codev ', are readily available and
be used for transients of the type investigated in WASH-1400.
The assumptions used for the WASH-1400 PWR containment pressure response
analysis are discussed on pages A-27 through A-30 of Appendix VIII.
The discussion includes the following major topics: Energy Sources,
Containment Heat Sinks, Containment Atmosphere, and Containment Leakage.
The general approach used in WASH-1400 in treating the potential energy
sources was to justify ignoring some sources by assuming some of them
to be offset by some potential energy absorbing effects. For example,
all of the decay heat is assumed to result in steam generation while
the metal-water reaction energy is assumed to go entirely into heating
up the reactor core. The additional water flow to the containment due
to entrainment during core reflood is neglected. These assumptions may
not affect the end results of the study, but more rigorous assumptions
appear to be required in the absence of supporting information Justify-
ing the assumptions used.
2
A constant steam-condensing coefficient of 150 Btu/hr-ft -°F was as-
sumed for all "cold" heat sinks within the containment. This assumption
while not consistent with experimental data and state-of-the-art con-
(54)
tainment analysis , is not expected to greatly affect the long-term
137
-------�
containment response of interest. The major heat sinks in the contain-
ment are concrete and the heat transfer to concrete will become conduc-
tion limited early in the transient. However, the analysis could have
gained credibility through the use of state-of-the-art correlations for
condensation coefficients rather than using a gross assumption.
The containment leakage assumptions in WASH-1400 appear reasonable
compared to usual containment design values. The source and justifi-
cation of the assumed leakage rates should, however, be provided In
the report.
(39)
Independent Surry Containment Analysis - The CONTEMPT-LT computer
code was used to calculate the Surry containment pressure response for
two LOCAs. The LOCAs chosen for analysis were: (1) a large cold leg
break accompanied by loss of all electric power to the emergency safe-
guard systems, including containment sprays and emergency core cooling
systems; and (2) a large cold leg break (pump discharge) accompanied
by loss of containment sprays.
The CONTEMPT-LT model included simulation of containment dry well, the
reactor primary system, and engineered safeguard systems. The model
also included heat conduction to or from various structures within both
the containment and the reactor primary system. The system dimensions
(3)
and initial conditions were obtained from the Surry SAR . The heat
transfer coefficients for heat transfer to or from containment and
primary system structures were also obtained from the SAR. The primary
coolant mass flow to the containment during blowdown was obtained from
the SAR and the fluid enthalpy was defined by the primary system energy
content prior to blowdown. The mass flow table in the SAR does not
include the reflood phase of the accident. For this analysis, reflood
was assumed to begin at 15 seconds and continue until an assumed core
quench time of 600 seconds. The delivery rate to the core was assumed
to be equivalent to a cold reflood rate of 6 inches/second for 4 seconds,
138
-------�
1.5 inches/second to 300 seconds, then decreasing linearly to zero at
600 seconds. The remainder of the ECCS delivery was assumed to spill
to the containment sump. Eighty percent of the reflood water entering
the core was assumed to be carried out the top of the core and through
the steam generators, where it was heated to the secondary system
temperature before flowing to the containment. After 600 seconds, the
mass and energy flow from the reactor primary system is due to the core
decay heat and conduction of residual heat from primary system metal.
For the case where all electric power (including that to the ECCS) was
assumed to fail, the core reflood was assumed to be as predicted in
Section V B-l of this report.
The Surry containment pressure response as predicted by the CONTEMPT-LT
model for the assumed failure of the containment spray injection system
(CSIS) and the containment spray recirculation system (CSRS) is shown
in Figure 24. The corresponding curve from WASH-1400 is also shown in
Figure 24. There is a significant difference between the two curves
for the first ten minutes of the transient. There are two major reasons
for the differences. The decrease in containment pressure predicted
by CONTEMPT-LT is due to high heat transfer rates to cold heat sinks
in the containment. The only apparent significant difference between
the WASH-1400 and CONTEMPT-LT models is in the modeling of the contain-
ment walls and dome. The WASH-1400 model considered only the steel
liner and the CONTEMPT-LT model considers the steel liner and the con-
crete walls as a composite slab with negligible contact resistance be-
tween the steel and the concrete. The pressure rise occurring between
3 and 10 minutes predicted by CONTEMPT-LT is due to the liquid carry-
over during core reflood. The WASH-1400 analysis neglects this effect.
After 10 minutes, the reactor decay heat becomes the controlling factor
in the containment pressure transient and, thus, the pressure transients
from the two analyses are nearly equal. The WASH-1400 assumed failure
pressure (100 psia) is shown along with a revised lower limit failure
pressure of 82.2 psia as discussed previously in Section V B-2 of this
139
-------�
12J
110
10 .
CSIS and CSRS Failure
(CONTEMPT-LT)
WASH-1400 Assumed
Failure Pressure
CSIS and CSUS Failure
(WASH-UOO)
Revised Lower
Limit Failure Pressure
I I 1 I I I t
U.I
10
100
1000
Time
Figure 24 - Surry Containment Pressure During LOCA with. CSIS and CSRS Failure
-------�
report. The CONTEMPT-LT analysis along with the revised failure pres-
sure predicts containment overpressure failure at 63 minutes compared
to the 230 minutes predicted in WASH-1400. The fact that the offsetting
effects of containment heat loss and core reflood entrainment reduces
the difference between long-term containment pressures predicted by the
CONTEMPT-LT and WASH-1400 analyses is fortuitous and cannot be assumed
to occur during all accident sequences.
Figure 25 compares the CONTEMPT-LT and WASH-1400 results for the LOCA
accompanied by a complete loss of electric power. The pressure versus
time curves are terminated when the reactor pressure vessel water has
completely boiled away. (CONTEMPT-LT is incapable of calculating beyond
this point.) Neither case predicts containment failure, but CONTEMPT-
LT predicts a peak pressure of 81 psia which is nearly equal to the
revised lower limit of 82.2 psia. If combustion of the hydrogen gen-
erated by metal-water reaction in the core is considered, the pressure
transients become as shown in Figure 26. The WASH-1400 analysis ex-
ceeds the 82.2 psia failure pressure in 25 minutes and reaches 100 psia
at 70 minutes. Heat transfer to structures within the containment
delays the containment failure time predicted by the CONTEMPT-LT model
until 174 minutes. The water in the reactor pressure vessel is com-
pletely boiled away before the pressure calculated by CONTEMPT-LT
reaches the WASH-1400 failure pressure of 100 psia.
The containment failure mode and time at which the failure occurs de-
termine the extent of the fission product release, the radiation level
of the release, and the effectiveness of the population evacuation
procedures. The CONTEMPT-LT analysis of the Surry containment and re-
definition of containment failure pressure performed in this study (see
Section V B-2)indicates significant differences from those in WASH-
1400 for containment failure modes and times. For the two LOCA cases
analyzed, one was found to result in a containment overpressurization
failure at a much earlier time than predicted in WASH-1400 and the other
141
-------�
100
90
80
70
N3
60
50
30
20
10
WASH-1400
— — — — 82.2 psia (Revised
Lower Limit Failure
Pressure)
CONTEMPT-LI
I « tllllfl
0.1
1.0
1000
10 100
Timo (minutes)
Figure 25 - Surry Containment Pressure During LOCA with EPS Failure and No H-
Combustion
-------�
100
90
U>
t 7o
3
60
50
40
30
20
10
WASH-1AOO
82.2 psia Revised
Lower Limit Failure
Pressure
CONTEMPT-LT
• I 1 t I I
i i i il
i i i t i i 1 i 1
I I I I 1
0.1
1.0 10 100 iUOO
Time (Minutes)
Figure 26 - Surry Containment Pressure During LOCA with EPS Failure and
^ Combustion
-------�
case predicts that the containment overpressure failure predicted in
WASH-1400 will not occur until a significantly Iqter time.
An investigation was undertaken to determine the significance of the
difference between the containment failure times assessed in WASH-1400
and the times calculated herein. The containment failure time will
influence the radioactive source term available for release, the time
available for evacuation of the population potentially available for
exposure, and the probability of containment failure by melt-through
as opposed to overpressure. The radioactive source term available for
release will decrease as the containment failure time is extended due
to (1) increased deposition and plateout of the radioactive material
on internal containment surfaces, and (2) extended radioactive decay
time. The change in the amount of fission product deposition and
plateout in the containment is not a strong function of time as pointed
out in Appendix VII (Appendix J) of WASH-1400. The reduction in the
source term from radioactive decay for the times involved in the con-
tainment failure calculations is also not significant. An indication
of the composite effect of decay time and deposition and plateout on
the radioactive source terra can be obtained from Appendix VI of WASH-
1400. As shown in Table VI-2 of that appendix, an increase in time
of release from 1.5 to 2.5 hours has an insignificant effect on the
fraction of core fission product inventory released.
It was not possible, due. to uncertainties associated with the applica-
tion of the evacuation model used in WASH-1400 (see Miscellaneous
Comments at the conclusion of this analysis), to determine quantitative-
ly the effect of changes in evacuation times associated with the cal-
culated containment failure times. However, a simplified analysis was
done in an attempt to determine the sensitivity of the accident risks
to evacuation times.
WASH-1400 predicts that containment overpressure failure at 100 psia
will occur at 230 minutes and the revised 82.2 psia lower limit is
144
-------�
reached at 105 minutes for a LOCA accompanied by loss of containment
safeguards. Using the failure pressure of 82.2 psia recommended in
this study and the CONTEMPT-LT analysis results in a containment over-
pressure failure at 63 minutes. The CONTEMPT-LT analysis predicted
100 psia at 140 minutes. One effect of this difference will be upon
the population evacuation effectiveness. (It should be noted that the
validity of the WASH-1400 evacuation model has been questioned by the
(58)
Environmental Protection Agency .) The magnitude of this effect
can be estimated by examining the evacuation model equation .given on
page 31 of WASH-1400 Appendix VI as
- a+(l-a)exp [-M^-TL+T )] (1)
where
F = Fraction of population remaining after evacuation
a = Fraction of population unaffected by evacuation
X = Measure of the evacuation rate
t, = Transport time to mesh point i
T = Time between awareness of impending core melt and
leakage for accident type j
TL = Time lag associated with interpretation of data and
issuance of warning to evacuate.
Assuming a » 0.1, TL = 0.02 day, A = 8.3 days , and a 20-mile radius
to the population as in WASH-1400 , and further assuming a 2.5 meter/
second wind velocity, the above equation (1) becomes
F - 0.1+0.9 exp [-8.3(1+0.129)1 (2)
Figure 27 is the plot of equation (2). If t. is assumed to equal the
time to containment overpressure failure, the WASH-1400 failure time
of 230 minutes allows for all but 18 percent of the population to be
evacuated. The 63 minute failure time predicted in this study results
in failure to evacuate 31 percent of the population. Thus, the number
of people exposed will be increased.by 72 percent if the results of
this study are used.
145
-------�
o
3
fj
a
0.4
CO
c
I 0.3
c
o
3
0.
o
ex
U4 0.2
o
o
«H
u
o
0.1
0.1 + 0.9 exp [-8.3 (T + 0.129)]
200
AOO
600
800
1000
1200
1400
T , minutes
Figure 27 - Evacuation Effectiveness versus Containment Failure Time (T,)
-------�
For the assumed LOCA accompanied by complete loss of electrical power,
WASH-1400 predicted containment failure time is 70 minutes. This would
result in 30 percent of the population being subject to exposure. The
corresponding analysis in this study shows that containment over-
pressure failure and significant leakage will not occur until 174
minutes. For this containment failure time, the fraction of the popu-
lation subject to exposure obtained from Figure 4 is 21 percent, a
reduction of 9 percent from the WASH-1400 value. Neither of these
changes is of major significance.
The effect of changing the probability of containment melt-through as
opposed to containment failure by overpressure could not be assessed
due to lack of information. If the containment failure is predicted
to occur earlier for a particular accident sequence, then the probabil-
ities of containment failure by melt-through could be reduced, and
some accidents which were calculated to result in melt-through failure
could change to overpressure failure and the risks would increase
since overpressure failure presents a substantially greater hazard to
the exposed population. It is stated on page 31, Appendix VIII of
WASH-1400, "Since overpressure (failure) of the containment and con-
tainment melt-through can occur at approximately the same time, it is
necessary to consider the competition between the two events." A re-
assessment of these two failure modes and their effect on the accident
risks for the appropriate accident sequences appears to be needed based
on the results of the containment overpressure failure times calculated
herein.
Trojan Containment Analysis - To assess the assumed general appllcabil-
o
ity of the WASH-1400 results to all PWR power plants, a scoping analysis
was performed on the Trojan Containment System. The purpose of the
analysis was to determine which assumed loss of safeguards would result
in containment overpressure failure during a large break LOCA. In
modeling the Trojan containment with the CONTEMPT-LT computer program,
only the containment volume and its associated heat absorbing structural
147
-------�
components were considered. The mass and energy flow from the reactor
primary system were supplied in table form from data provided in the
Trojan SAR . The containment safeguards systems, when effective,
were assumed to operate at the times and capacities specified in the
SAR. No attempt was made to account for events such as the molten core
dropping into a pool of water, hydrogen combustion, C0_ formation as
the core melts through the containment floor, or failure of the emer-
gency core cooling systems. The LOCA chosen for this analysis was the
double-ended pump suction guillotine break designated in the Trojan SAR
as the design basis accident. The containment overpressure failure
pressure was assumed to be 90 psig as discussed in Section V, B-2.
The results of the Trojan containment analysis are presented in Fig-
ure 28. Containment overpressure failure was found to occur at 50
minutes when all containment safeguards fail and at 190 minutes when
the fan coolers and low pressure recirculation system are assumed to
fail. These failure times bracket the 63-minute containment failure
s,
time predicted for the Surry LOCA with loss of containment safeguards.
4.
Conclusions - An independent assessment of the Surry containment re-
sponse analysis indicates that (1) for the case assuming CSIS and CSRS
failure, the containment failure time will be reduced from the WASH-
1400 time of 230 minutes to 63 minutes, and (2) for the case assuming
complete loss of electrical power, the containment failure would occur
about 100 minutes later than predicted in WASH-1400. Except for the
possible effect of changing the probability distribution between con-
tainment failure by overpressure and failure by melt-through, which
was not assessed, the effect of the different containment failure times
does not appear significant.
The Trojan analysis indicated that the Trojan containment failure time
is comparable to Surry. However, the differences in containment fail-
ure pressure and engineered safety systems for the two reactors may
lead to a different assessment of risks. A detailed assessment for the
148
-------�
120
,10
100
90
80
70
60
in
a.
s
10
in
c
a;
6
§ 40
u
JO
20
10
Design Basis Accident
with Containment Safeguards
All Containment Safeguards Pallet!
104.7 psi.-i Failure Pressure
LPRS and Fan Coolers Failure
Fan Cooler F.-iilure
Failure of All Containment
Sprays
0.1
1.0
10 100
Time (Minutes)
OCT
Figure 28 - Trojan Containment Pressure During LOCA with Assumed Containment
Safeguards Failures
-------�
Trojan design would be required in order to establish the significance
of these differences.
Miscellaneous Comments - The following comment was developed during the
review of the containment failure assessment contained in WASH-1400:
(1) It is not entirely clear how containment failure times and evacu-
ation times were computed and used in WASH-1400. The time of re-
lease of the fission products given in Table VI-2 (Appendix VI,
page 9) does not appear to correspond to the calculated time of
containment failure for PWR release Categories 2 and 3 which are
dominated by accidents culminating in containment failure by over-
pressure. For example, accident sequence S?C-6, which dominates
PWR release Category 3 (Appendix V, Table V-16), is a small break
accident with loss of containment sprays resulting in containment
failure by overpressure. According to Appendix VIII of WASH-1400
(Figure 6), the containment failure is calculated to occur in
about 200 minutes, while Table VI-2 shows a release time of 2 hours
(120 minutes). It is not clear why these values differ.
For the PWR Category 1 release, Table VI-2 of WASH-1400 indicates
identical times (1.5 hours) for "time of release" and "warning
time for evacuation." Page 32 of Appendix VI indicates (Table
VI-7) that a constant time lag (TL) "...associated with inter-
pretation of data and issuance of warning to evacuate" was used
for all accidents. It would thus appear that the warning time
for evacuation would always have to be 1/2 hour less than the time
of release.
The definitions of TL, t. on page 31 are not clear (eg, what is
the difference between "...awareness of impending core melt..."
and "...interpretation of data...?") and their relationship to
the headings of Table VI-2 is not apparent.
150
-------�
4. Tritium Release Considerations (BWR & PWR)
This section presents an assessment of the radiological hazards associ-
ated with the release of tritium during a power reactor LOCA in which
core meltdown and containment failure are assumed. The assessment is
based on a very conservative, scoping analysis. The risks associated
with tritium release during a reactor accident were not considered as
part of the Reactor Safety Study (WASH-1400). It is concluded that the
radiological hazards associated with the tritium release are negligible
compared with the hazards presented by other fission products released
during the accident.
Tritium Inventory During Reactor Operation - Tritium exists in the fuel
of a power reactor, being produced as a fission product at the rate of
4 (42)
one tritium atom for every 1 to 2x10 fissions . Tritium also exists
in the primary system coolant, being generated from neutron reactions
with chemical constituents in the coolant (boron, lithium, deuterium).
A small amount of tritium produced in the fuel can leak through the
fuel pin cladding into the coolant. The amount of tritium expected to
exist in the fuel and in the coolant will be treated separately.
(43)
(1) Tritium accumulation in the fuel - A recent calculation indi-
cates that the equilibrium amount of tritium existing in a 3558
MWt PWR core is expected to be 11,530 Ci. The amount present in
a BWR core should be comparable.
(2) Tritium accumulation in the reactor coolant - The equilibrium
amount of tritium in the reactor coolant for a 3300 MWt PWR has
(43)
been calculated to be 5200 Ci at the end of plant life (40
years), conservatively assuming no letdown and leakage of the
(45)
primary system coolant. A second calculation , done for a
2200 MWt PWR of different design, yields an equilibrium value
of about 1000 Ci at a low 6.3 ml/sec (0.1 gpm) primary coolant
(44)
removal rate. A conservative production rate for a BWR is
151
-------�
0.53 uCi/sec, which would result in an end of plant life inventory,
assuming no losses, of 6685 Ci.
For the purposes of this study, the largest amount calculated,
6685 Ci, will be used as the source term.
Biological Effects of Tritium Release During a LOCA - In order to con-
servatively assess the biological effects of tritium release during a
LOCA, the following assumptions are made:
(1) All tritium in the primary system coolant is released to the con-
tainment during blowdown.
(2) All tritium in the fuel is released during the core meltdown.
(3) The containment fails immediately after core meltdown, and the
entire tritium inventory in the containment, (representing 100
percent of coolant inventory plus 100 percent of fuel inventory)
is released.
(4) The release occurs at ground level.
(5) The release is assumed to be continuous during the assumed 0.5 hour
release time. The 0.5 hour release time corresponds to the short-
est release time calculated from the Reactor Safety Study
(47)
Under these assumptions, the inhalation dose for a human receptor is :
where D is infinite (lifetime) dose in rems
A is dose conversion constant
E is average decay energy in MeV/dis
B is breathing rate of the receptor
152
-------�
C is the'average concentration of tritium
in ground level air
T is exposure duration in days
\e is tritium elimination rate for receptor
M Is mass of body water
Sirre tritium is a beta emitter, the whole body dose from the radio-
active cloud can be ignored. Also, consistent with assumptions used
in WASH-1400 for other isotopes, the dose from ingestion of signifi-
cantly contaminated vegetation, milk, meat or water is ignored since
these sources can be detected and isolated from human consumption. In
addition, for the LOCA considered, evacuation would be effected before
any significant ingestion of the contaminated foodstuffs could occur.
The numerical values for the terms in equation (1) are as follows:
A = 5.1xlO~ rem - g - dis/pCi-MeV-day
E = 6.3xlO~3 MeV/dis
B = 20m /day (adult)
5m /day (infant)
Ae = 0.069/day (adult)
0.22/day (infant)
M = 43,000 gra (adult)
6,100 gm (infant)
Using the above values, equation (1) becomes:
D = 4.19xlO~9 CT - for adult and, (2)
_Q
D = 2.39x10 CT - for infant. (3)
In the above equation, C, the ground level concentration, is evaluated
from the following equations:
C = K Q (4)
153
-------�
where
K is the weighted mean dispersion constant (sec/m ),
and
Q is the release rate in pCi/sec,
K has been evaluated , assuming average weather conditions, to be:
— -6 3
K = 2x10 sec/m at 1 Km from the source, and
K = 1x10 sec/m at 5 Km from the source.
The value of Q for this problem is:
fuel inventory + coolant inventory
release time
or, from the previous discussion,
Thus,
C = (1.0xl013)(2xlO~6) = 2xlO? pCi/m3 (5)
nt a distance of 1 Km.
Substituting the value of C from equation (5) into equations (2) and
(3) yields:
D = 8.4xlO~2 T rem (adult) (6)
and
D = 4.8x10 2 T rem (infant) (7)
Assuming an exposure time of one day, the doses become
D = 84 mrem (adult)
154
-------�
and
D = 48 mrera (infant).
Assuming the worst weather conditions (Class F), the ground level con-
centration can be a factor of seven higher, giving dose rates of
D = 588 mrem (adult)
and
D = 336 mrem (infant).
It has been observed that tritiated water vapor can be absorbed through
the skin and produce an internal dose effect up to as large as that ob-
tained from inhalation ' . Assuming, conservatively, that such an
effect occurs, the doses would be doubled, and would become
D = 1076 mrem (adult)
and
D = 672 mrem (infant).
Conclusions - The doses at 1 Km during Pasquill Class F weather due to
100 percent tritium release from the reactor coolant and fuel during a
LOCA are insignificant 0.076 mrem - adult and 672 mrem - infant) when
compared with doses from other fission products at the same location.
It requires, according to WASH-1400 , 3,000 to 5,000 rem to the lung
3 3
to produce an acute fatality, or an adult dose 2.7x10 to 4.5x10 times
larger than those calculated due to tne tritium release. The incidence
of lung cancer fatalities due to radiation is 1-2 deaths per year per
million man-rem . Thus, for the adult doses computed, an exposed
population at 1 Km of about 850,000 adults would be required before any
lung cancer deaths would be expected from the tritium released during
the assumed accident. Similar comparisons could be made for the whole
body dose or other organ doses from tritium.
155
-------�
VI. GENERAL OBSERVATIONS
While the main thrust of this report is to present the detailed analy-
sis of specific areas in WASH-1400 in an attempt to determine their
applicability, it is considered at least as important to discuss and
explore some of the more fundamental, far-reaching implications and
limitations of the document. Current indications are that WASH-1400
could become the single most important document forming the basis for
decisions in this country regarding the safety of nuclear power for
generating electrical energy. It is essential, therefore, that the
report present the safety risks in a comprehensive and unambiguous
manner, using the best available scientific methods and technology.
Lt is in this spirit that the following observations are presented.
A. COMPARATIVE RISK CURVE
The net result of the WASH-1400 analysis is depicted in Figure 29.
This curve appears in the summary report of WASH-1400 (Figure 1,
page 3), and in the main document (Figure 6.1, page 189). It shows the
frequency of accidents versus the number of fatalities for several man-
caused events including accidents in 100 nuclear power plants. This
curve has been widely published to show that the risks to the general
population from nuclear power plant accidents is much less than from
any other man-made cause examined. In view of the significance of this
curve, and its widespread use to convey the implication to the public
Lhat reactors are safe, it is imperative that the comparison which it
depicts is valid. In reviewing the basis for the curve, several fac-
tors were found which tend to undermine the credibility of the compari-
sons. (These factors are in addition to the more detailed technical
problems discussed in Section V.) The factors are as follows:
156
-------�
1/10
1/100
Hi 1/1000
o
c
O)
3
cr
u.
1/10.000
1/10.000.000
1/100.000 \ r i
1/1.ooo.ooo -r - _^°-^§rr^n«_
10
1000 10.COO
Fatalities
100.000 1,000.000
Figure 29 - Comparative Risk Curve
from WASH-1400
157
-------�
L• Calculated versus Actual Risks
Figure 29 from WASH-1400 compares nuclear power plant risks calculated
in WASH-1400 with actual risk data from the other man-caused events.
An important question is, obviously, how closely do the calculated
risks compare with actual risks from nuclear power plants? The curve
is misleading, in that risks appear to be compared on a common basis,
when in fact actual risks from other causes are compared to calculated
risks from nuclear power.
An interesting feature of the curve is that all man-caused risks,
except nuclear, fall in an envelope of width less than a factor of 100
(frequency value for a given number of fatalities) even though the
risks come from extremely diverse sources. The nuclear risks, on the
other hand, fall over two decades below the lower limit of the envelope.
This large difference in risks is obviously not a valid reason, in
itself, for disputing the WASH-1400 results, but it does raise the
question of whether the curve is a valid comparison of risks or illus-
trates how uncertain nuclear risk calculations are.
At the very least, the curve should clearly indicate that the nuclear
power plant risks are calculated risks as opposed to actual risks.
i
2. Calculational Uncertainties
Throughout WASH-1400, frequent reference is made to the uncertainties
in the various calculations, and numerical bounds are stressed on most
results. However, in Figure 1 of the WASH-1400 summary report (repro-
duced as Figure 29) no such uncertainty bounds are displayed in the
f-urve, nor is any hint given in the accompanying text as to the confi-
-------�
uncertainties in the calculations are indicated. Pursuing further,
the source of Figure 29, Figure 5.3 (main document, page 153 of WASH-
1400) appears as the precursor to the risk comparison curve. This
curve is reproduced as Figure 30. Here, in fine print at the bottom,
the uncertainties are quoted. Applying these uncertainties to Figure
30 and translating them to Figure 29 yields Figure 31. As shown, the
uncertainty is rather large, and is biased in the direction of increased
risk. Both of these factors tend to amplify the need for clearly show-
ing the uncertainties in this important curve. Displaying this uncer-
tainty also gives a strong indication that the comparisons are made on
a different basis; ie, the nuclear risks are, calculated and the others
are from actual data (see preceding comment).
3. Acute versus Total Fatalities
Figure 29, extracted from WASH-1400, shows fatalities versus frequency
of events for 100 nuclear power plants. The implication given is that
these fatalities are the total deaths expected as a result of the
nuclear accident. However, these fatalities from 100 nuclear power
plants are acute fatalities derived directly from Figure VI-5 from
Appendix VI, page 72 of WASH-1400. (This curve is the same as that
included in the main document, page 153 of WASH-1400.) This curve Is
reproduced as Figure 30. (Figure 29 is obtained by multiplying the
ordinate of Figure 30 by 100 to account for 100 nuclear plants.) Fig-
ure 30 is clearly labelled "Acute Fatalities." For some reason, the
word "acute" was unfortunately dropped from the abscissa in Figure 29.
"Acute" is used to describe deaths which occur immediately after, and
as a result of, the accident. One unique characteristic of nuclear
power plant accident calculations Is the large number of calculated
latent deaths (occurring over a 20-year period following the accident)
caused by the release of radioactivity. Essentially all of these
latent deaths are the result of cancer induced by exposure to radio-
activity from the nuclear plant accident. According to WASH-1400, a
value of 100 latent deaths per 10 man-rem was used to compute the
159
-------�
c
O
u
O
c
rimiij ni nmi]
I I
I
i
AVERAGE CURVE I
I =
I I Mill ll I I I I
III I I I I I I
10°
-10? ItP
ACUTE FATALITIES. X
10&
• nd > in tont4OM*nt*
Figure 30 - Acute Fatality Curve
from WASH-1400
In t
i 1/3
160
-------�
1/10
- 1/100
O
UJ
iH 1/1000
c
O)
1/10.ODO.OOO
___: i
1
1/10.000
1/100.000
1/1.000.000
10
IQ:XJ • VO.ODO
Fs'.alities
100.000 1.000tOOO
Figure 31 - Comparative Risk Curve
with Uncertainties Shown
as Quoted on Pg. 153 of
Main Docunent (KASH-UOO)
161
-------�
.Intent deaths from the nuclear accidents (Appendix VI, page 34). To
determine the total number of latent deaths, Appendix VI (page 73)
states, "The number of latent deaths due to cancer over a 20-year period
subsequent to the accident can be obtained by multiplying the bottom
-4
scale (of Figure VI-7) by 10 ..." Figure Vl-7 is reproduced as Figure
32. To obtain a relationship between acute and latent fatalities,
Figure 32 was translated to Figure 30, using the factor of 10 as
given in WASH-1400. This produces Figures 33. As can be seen, for
every number of acute deaths, there is a corresponding, and much larger,
number of latent deaths. Using these curves, Figure 31 was redrawn to
include total nuclear accident fatalities. The result is shown in
Figure 34, with error bounds given in WASH-1400 also included. As can
he seen, there is a significant difference in total fatalities for
nuclear plant accidents. WASH-1400 does not state whether fatalities
from other man-made causes are acute or total. However, it should not
make any significant difference, since for most of the accidents used,
a very small fraction of latent deaths would be expected.
The comparison of only acute fatalities from nuclear plant accidents
with fatalities from other man-made causes is considered somewhat mis-
leading. The total risk, in terms of all fatalities, would appear to
be a significant parameter with which to judge the safety of nuclear
power, although it is recognized that the perceived risk from latent
deaths may be less than that from acute deaths. It should be noted
that the discussion in the Summary Report of WASH-1400 does not include
latent deaths, but uses only acute fatalities (although they ate not
labelled as such) in discussing the nuclear plant risks.
4. Extrapolation of Man-Caused Risks
The comparative risk curves used in WASH-1400 to illustrate the results
of the risk calculations (reproduced as Figure 29) shows several man-
caused risks, 'i ne basis for these plots is derived from the analysis
contained in Chapter 6 of the main WASH-1400 document. The solid
162
-------�
10
109
103
10«
V.'HOl.E BODY f.'.AN-ftCM X
Figure 32 - Whole Body Man-Rem Curve
from WASH-1400
163
-------�
x
A
c;
n:
O
IT
E nrrnrrn—rrn n
,___: |_
I I
Total Fatalities
(Average) '
WASH-MOO
Acute fatalities
(Average)
FATALITIES. X
Figure 33 - Acute vs. Total Fatalities
164
-------�
indicades extrenu
data pcfint
~ 1/100
I _
!H 1/1000
100 Nuclear
Power Plants
(WASH-1400 Acute
Fatalities)
100 Nuclear Power Plants
Total Fatalities
1/1.000,000
1/10.000.000
10
1000 10.000
Fatalities
100.000 1.000.000
Figure 34 - Total Fatalities, with Uncertainties,
Using Figure VI-7 of Appendix VI,
WASH-1400
165
-------�
curves extend out to some fatality value, then become dashed before
terminating. It is not clear what the dashed portions of the curves
imply. The usual implication is that the dashed portion indicates an
extrapolation beyond the point where the data ends. However, in the
case of the WASH-1400 curve, the data ends at a value considerably
before the end of the solid portion of the curve. The extrapolated
portion of the curves is based on various arguments presented in Chap-
ter 6 which necessarily have a different basis for each type of risk.
Some extrapolations appear valid, others are somewhat questionable.
lror example, the discussion of fatalities from dam failures given in
the WASH-1400 main document concludes with a calculated frequency
(].0~ ) for a dam failure causing 10,000 fatalities. This calculated
value is said to " agree quite well with the extrapolation of the
data," and a curve (Figure 6.10, page 216) is shown to illustrate the
point. The calculated point does not, in fact, agree well at all with
the extrapolation of the data. The data argue for an extrapolation
with the opposite inflection than was used.
Figure 34 shows the extreme data points for each curve, indicated by
an arrow. As can be seen, a< significant extrapolation was done for
each of the man-caused risk curves, particularly for air crashes. (No
data was quoted in Chapter 6 for chlorine releases.) Each of these
extrapolations has some uncertainty associated with it, and it would
be useful to present such uncertainty on the curve. As a minimum, the
clashed portion of the curve should start at the extreme data point to
clearly indicate the point at which extrapolation commences.
B. NUCLEAR PLANT CHARACTERISTICS
According to WASH-1400, the calculated risks apply to the 100 nuclear
power plants expected to be in operation by 1980. Indeed, recent re-
(4 5)
vised estimates ' confirm that 100 power plants are scheduled to be
on-line by 1980. However, several characteristics of these plants are
different than those assumed by WASH-1400. These differences are:
166
-------�
^ • Distribution of Plant Jy_p_e
Ac-cording to recent * estimates, by 1980 there will be 33 BWRs and
67 PWRs operating. Thus, the total risks from all plants must be
weighted two-ro-one towards PWRs. WASH-1400 uses an unweighted aver-
age to determine the risks from these plants in arriving at the final
risk assessments, this is done for acute fatalities, acute illnesses,
whole-body man-rem, property damage, etc (Figures VI-5 through VI-9
of Appendix VI). To determine the difference between such unweighted
averaging and the actual case accounting for the preponderance of PWRs,
the acute fatalities, as presented in Appendix VI (Figure VI-5, page
72) and reproduced here as Figure 30, were adjusted. Figure 35 pre-
sents the results of adjusting the average risk to account for the
projected existence of twice as many PWRs. Since the risks are gener-
ally about the same for the two plants, not much change is evident in
the biased averaging. However, a detailed examination shows some dif-
ferences which may be significant depending on how the results are
used. For example, an accident which has a probability of 10 would
result in an average of 70 acute fatalities according to the WASH-1400
curve, compared to 86 with the revised curve, a 23 percent increase.
A somewhat lower fatality number occurs below an accident probability
of about 6x10
Kven though, in a gross sense, the change does not appear significant,
it is not good scientific practice to compute unweighted averages when
it is obvious that weighting is called for.
2. Power Levels
According to Appendix VI (page 68) of WASH-1400, the risks were calcu-
lated assuming all 100 plants operate at 3200 MWt. The actual average
power level for the 33 BWRs scheduled to be operating in 1980 will be
2400 and for the 67 PWRs, 2650 MWt . Since accident consequences are
167
-------�
ID 3 F—rnrrrnTT]—TT
TTrnr~T~TTTnTTi—rnrrmni i
i i
i I I
I
*- -I f-
|
91 i i i i mil 11 IIIMH i t iimiiv im i i inn i i i i i mi
_1
AVERAGE CURVE |
(WASH-]400) I
Revised Average
(Weighted to account
for more PWRs)
ACUTE FATALITIES. X
Figure 35 - Acute Fatalities Showing
the Effect of More PWRs
than BWRs
168
-------�
directly related to the amount and type of radioactivity released,
which is, in turn, a linear function of power level, a reduction in
assumed power level should have a proportional reduction in accident
consequences. Figure 36 shows the reduction in acute fatalities from
the WASH-1400 numbers when the computed reductions are accounted for
(the results are also weighted to account for the more numerous PWRs
as discussed in "A" above), conservatively assuming, as was done in
WASH-1400, that all of the plants run continuously at full power. The
difference does not appear very significant, although the average acute
fatalities are reduced from 400 to 300 for an accident whose probability
is 10 . Also, the average maximum fatalities are reduced from 2300 to
about 1700, a 25 percent reduction. Again, these seemingly insignifi-
cant differences can, under certain circumstances, become important.
It should be noted that the most severe accident consequences calculated
won't change since there will be 3200 MWt reactors operating in 1980.
3- PWR Design Variations
According to Reference 4, the PWRs expected to be on-line by 1980 are
distributed, by vendor (and by number of primary loops in the case of
Westinghouse designs), according to Table 19.
The WASH-1400 PWR risks are computed based only on the Surry reactor
which is a Westinghouse 3-loop design , representative, according to
Table 19, of 21 percent of all PWRs scheduled to be operating by 1980.
Risks from other PWR types are not computed in WASH-1400, and an assess-
ment of the effect of considering the more numerous Westinghouse 4-loop
(2)
reactors (represented by the Trojan reactor ) is analyzed elsewhere
in this report. Not considered, either herein or in WASH-1400, are the
effects on PWR risKs represented by the Combustion Engineering and
Babcockfi, Wilcox designs (representing a total of 34 percent of the
plants). These designs are different from the Westinghouse plants
(see, for example, References 49 and 50), and it cannot be assumed,
169
-------�
X
A
o
cc
IE
to
O
o:
i 'I i mm—i i | IIMIJ nrn
I i •
i ^ |.
WASH-1400 Values
Revised to reflect
lower power levels
I
AVERAGE CURVE
, / A^
= I .-/ i \
103
ACUTE FATALITIES. X
Figure 36 - Effect of Reducing Average Power of BWRs
from 3200 MWt to 2AOO MWt and PWRs
from 3200 MWt to 2650 MWt
170
-------�
Table 19 - DISTRIBUTION OF PWRs EXPECTED
TO BE OPERATING BY 1980
Reactor Vendor
VJestinghouse
Westinghouse
Westinghouse
Combustion
Engineering
Babcock & Wilcox
Type
2- loop
3-loop
4- loop
*
*
Number
8
14
22
10
13
% of Total
12
21
33
15
19
* Only one basic type is marketed by Combustion Engineering and Babcock
& Wilcox.
a priori, that the Surry risk analyses can be applied across the board
to these plants as was done in WASH-1400.
C. REALISTIC VERSUS CONSERVATIVE ASSUMPTIONS
Page 15 of the main report in WASH-1400 contains a list of "specific
objectives" which were added to the original charter. The second of
these states that the Reactor Safety Study will "perform a more realis-
tic assessment (of nuclear power plant risks) as opposed to the 'con-
servatively oriented' safety approach taken in the licensing process
for nuclear power plants." While this is a laudable approach, it does
not seem to have been consistently followed. In many cases, the report
contains assumptions which are described as conservative. In most
instances, the effect of the assumption is negligible, and the authors
appear to have fallen into the tempting position of making conservative
assumptions, unlikely to be challenged, in lieu of more extensive anal-
ysis when the assumption does not have a deleterious effect on the
result. The pitfall in this approach is that special applications of
the results or alterations of the analysis due to new data or techniques
171
-------�
can cause Insignificant conservative assumptions to become significant
conservative assumptions.
There are many areas where, due to inadequate analytical techniques
and/or lack of data, conservative assumptions may be justified, and
WASH-1400 did appropriately use conservative assumptions in many cases.
In at least one case, however, WASH-1400 makes an acknowledged conser-
vative assumption which, based on analyses conducted in Section V,
item 1 of this report, could be significant. In this case, WASH-1400
made the "extremely conservative" (Appendix II, Vol. 3, page 94) assump-
tion that any three adjacent BWR control rod insertion failures during
scram would not render the core subcritical. It seems likely that, in
this case, information is available from which to make a realistic
assumption. As discussed in Section V, Item 1, this can become a very
crucial assumption, significantly influencing the ultimate BWR public
risks.
Realistic assumptions, with well justified error bounds, should be used
whenever possible in an important scientific work such as WASH-1400.
I). COMPARISON OF RISKS BETWEEN NUCLEAR AND OTHER MEANS OF ELECTRICAL
POWER GENERATION
The WASH-1400 comparisons of risks between nuclear power generation and
risks from other selected man-caused sources is one important aspect
in judging the acceptability of nuclear power. However, there are
other considerations that must be evaluated in arriving at a final
judgment, one of the more significant of which is the comparison of
risks from other means of generating electrical power, an issue not
considered in WASH-1400. Such a comparison would allow a determination
of which means of generating electrical power imposes the least addi-
tional risk on the general population, an issue quite different from
the comparison between nuclear power risks and other man-caused risks.
172
-------�
In this regard, Chapter 13 of Reference 57 assesses some of the risks
associated with electrical power generation from coal-fired plants.
It should also be noted that the risks calculated in WASH-1400 for 100
nuclear power plants include only risks from reactor accidents in the
power plants. Risks from uranium mining, fuel reprocessing, spent fuel
transportation, sabotage, Pu diversion, radioactive waste transporta-
tion and storage, etc, are not included. WASH-1400 does point out
Initially that the report covers only risks from reactor accidents.
However, the risk curves are merely entitled "100 Nuclear Power Plants."
Some readers may erroneously conclude that the curves represent the
total risks associated with the operation of 100 nuclear power plants.
The risk associated with all fuel and waste handling activities re-
quired to support the operation of these plants is not included.
E. GENERAL INCONSISTENCIES
WASH-1400 contains many inconsistencies including variations in approach
and different levels of depth in detail considered. Many of these are
mentioned in Section V. Although these inconsistencies do not neces-
sarily invalidate the results, they do tend to undermine the confidence
the reader obtains in the credibility of the results. These inconsis-
tencies should be minimized.
F. CONCLUSIONS
WASH-1400 represents the most significant effort ever attempted at
quantifying the public risks associated with nuclear power. Although
modest attempts have been made similar to the WASH-1400 technique
of quantifying reactor risks, the depth and breadth of the Study is
unprecedented. Although not a new idea (such a study was suggested by
(52)
Pugh in 1969) , the Study contains many innovations that substan-
tially improve the perspective of power reactor safety. The so-called
173
-------�
111,-.
aximum credible accident" approach used for many years by the AEC
has clearly been shown to be an oversimplified method for evaluating
* / C O \
nuclear safetv under current conditions (as also i-oinled out by Fugh
' 'v •-.v . • '• '' ',., i.•;.>-.< .-,11/TI \ e. •, * .1,1,1 e.n
-------�
VII. REFERENCES
1. Hsu, C. and Shotkin, L., "Calculation of a Loss of Condenser Vacuum
ATWS in a Gd-Core BWR," BNL-18577 (January 1974).
2. "Final Safety Analysis Report - TROJAN Nuclear Plant," Portland
General Electric Co., Docket No. 50-344, as amended through
January 1974.
3. "Final Safety Analysis Report - Surry Power Station, Units 1 and
2," Virginia Electric and Power Co.
4. "World List of Nuclear Power Plants," Nuclear News Buyers Guide
(February 1974).
5. "Nuclear Plant Construction Progress," Nuclear Industry, Vol. 21,
No. 12 (December 1974).
6. Wade, G. E. , "Evaluation and Current Status of the BWR Containment
System," Nuclear Safety, Vol. 15, No. 2 (March-April 1974).
7. Acero, M., "Fault Tree Analysis of Reactor Safety Systems," Masters
Thesis, University of California, Berkeley (1974).
8. "Final Safety Analysis Report, Peach Bottom Atomic Power Station,
Units No. 2 & 3," Philadelphia Electric Co., Vol. 2, Section 3.8
(October 1970).
9. "Reactor Safety Study - An Assessment of Accident Risks in U.S.
Commercial Nuclear Power Plants," WASH-1400 (Draft): Appendix I,
Accident Definition and Use of Event Trees, p 240 (August 1974).
10. "Final Safety Analysis Report, Edwin I. Hatch Nuclear Plant Unit 1,"
Georgia Power Co., Appendix L, Vol. VI (October 1971).
11. "Technical Report on Anticipated Transients Without Scram for
Water-Cooled Power Reactors," WASH-1270, Regulatory Staff, USAEC
(September 1973).
12. Classen, L. B. , Eckert, E. C., "Studies of BWR Designs for Mitiga-
tion of Anticipated Transients Without Scram," NEDO-20626 (October
1974).
13. "Evaluation of Nuclear Power Plant Availability," OOE-ES-001,
USAEC Office of Operations Evaluation (January 1974).
]4. "Nuclear Power Plant Operating Experience During 1973," OOE-ES-004,
USAEC Office of Operations Evaluation (December 1974).
175
-------�
lr). "Evaluation of Incidents of Primary Coolant Release from Oper-
ating Boiling Water Reactors," Office of Operations Evaluation,
Directorate of Regulatory Operations (Oct. 30, 1972).
16. "Regulatory Guide 1.93, Availability of Electric Power Sources,"
U.S. Atomic Energy Commission, Directorate of Regulatory Standards
(Dec. 1974).
17. Longo, J. Jr., Kern, R.C., "The Small Break Loss of Coolant Acci-
dent," Topical Meeting on Water-Reactor Safety, March 26-28, 1973,
CONF-730304, pg. 136.
18. Augustine, G.L., "Small Break Loss of Coolant Accident Analysis
for PWR Systems (SLAP Digital Computer Code)," WCAP-7983 (Decem-
ber 1972).
J9. Jones, R.C., et al, "Multinode Analysis of Small Breaks for B&W's
205 Fuel-Assembly Nuclear Plants with Internal Vent Valves," BAW-
10074 (November 1972).
20. Ward, L.W., "Simplified Small Break Slowdown Models," 1974 Annual
Meeting, American Nuclear Society, June 23-27, 1974, Philadelphia,
Pa., TANSAO 181-401.
21. "Final Safety Analysis Report - Units 1 and 2, Diablo Canyon Site,"
Section 15.3.1, Amendment 5 (March 1974).
22. "Final Safety Analysis Report - Units 1 and 2, Diablo Canyon Site,"
Section 15.3.1, Amendment 10 (May 1974).
23. "Westinghouse Anticipated Transients Without Trip Analysis,"
WCAP-8330 (August 1974).
24. Gumbel, E.J., "Statistical Theory of Extreme Values," NBS AMS 33
(1954).
25. Ferrell, E.B., "Probability Paper for Plotting Experimental Data,"
IQC, XV, 1 (1958).
26. AEC Report OOE-OS-001, "Diesel Generator Operating Experience at
Nuclear Power Plants."
27. Ablitt, J.F., "Accident Probability Reduction by the Application of
Service Reliability Data," SRD-R-16 (1973).
28. "Report on Equipment Availability for the Ten Year Period 1964-
1973," Edison Electric Institute Publication //74-57 (December 1974).
29. Garrick, B.J., et al, "Collection of Reliability Data at Nuclear
Power Plants," HN-199 (December 1968).
176
-------�
30. Garrick, B.J., Gekler, W.C., Pomrehn, H.P., "An Analysis of Nuclear
Power Plant and Safety Experience," HN-185 (1966).
31. Gangloff, W.C., "Common Mode Failure Analysis," Paper T 74355-4,
IEEE PES Summer Meeting & Energy Resources Conference, Anaheim,
California (July 1974).
32. Green, A.E., Bourne, A.J., Reliability Technology. Wiley (1972).
33. ANS Standard N 18.8, 'Criteria for Preparation of Design Basis for
Systems that Perform Protective Functions in Nuclear Power Gener-
ating Stations" (Oct. 1973).
34. Regulatory Guide 1.6, "Independence Between Redundant Standby
(Onsite) Power Sources and Between Their Distribution Systems"
(March 10, 1971).
35. McAdams, W.H., Heat Transmission, McGraw-Hill, New York (1954).
36. Concluding Statement of Position of the Regulatory Staff/'Accept-
ance Criteria for Emergency Core Cooling Systems for Light-Water
Cooled Nuclear Power Reactors,-'Docket No. RM-50-1, U.S. Atomic
Energy Commission.
37. Moore, K.V. and Rettig, W.H., "RELAP4 - A Computer Program for
Transient Thermal Hydraulic Analysis," ANCR-1127 (December 1973).
38. Cadek, F.F., et al, "PWR FLECHT (Full Length Emergency Cooling
Heat Transfer)", Final Report, WCAP-7665 (April 1971).
39. Wheat, L.L. and Wagner, R.W,, "CONTEMPT-LT Users Manual," Aerojet
Nuclear Co., Interim Report 1-214-74-12.1 (August 1973). .
40, "Criteria for Reinforced Concrete Nuclear Power Containment Struc-
tures," American Concrete Institute Committee 349 (January 1972).
41. Regulatory Guide 1.18, "Structural Acceptance Test for Concrete -
Primary Reactor Containments" (December 12, 1972).
42. Locante, J., Malinowski, DD., "Tritium in Pressurized Water Reactors,"
Westinghouse Electric Corporation, Las Vegas Tritium Symposium,
CONF-710809 (September 1971).
43. Lentsch, J.M., et al, "Accumulation and Release Tritium in PWRs,"
PGE-8001 (November 1973).
44. Smith, J.H., Gilbert, R.S., "Tritium Experience in Boiling Water
Reactors," General Electric - Nuclear Energy Division, Las Vegas
Tritium Symposium, CONF-710809 (September 1971).
177
-------�
45. Turner, S.E., "Evaluation of Methods for Removing and Concentrating
Tritium Oxide in Water/' Southern Nuclear Engineering, Inc. , SNE-
125 (May 1973).
46. "Reactor Safety Studys An Assessment of Accident Risks in U.S.
Commercial Nuclear Power Plants/1 WASH-1400 (Draft); Appendix VI0 Calcu-
lation of Reactor Accident Consequences.
47. Anspaugh, L.R. „ et al, "The Dose to Man Via Food-Chain Transfer
Resulting from Exposure to Tritiated Water Vapor/' Lawrence Liver-
more Laboratory, Las Vegas Tritium Symposium, CONF-7IOSQ9 (Sept. 1971).
48. Bryant, P.M., "Methods of Estimation of the Dispersion of Windborne
Material and Data to Assist in Their Application," AMSS(lP)-R-42
(May 1964).
49. "Final Safety Analysis Reports, Rancho Seco Nuclear Generating
Unit No. 1 „" Sacramento Municipal Utility District (Babcock 6 Hilcox).
50. "Final Safety Analysis Report, Millstone Nuclear Power
Unit II," Connecticut Power and Light Co., Combustion Engineering.
51. Schlucher, R. , Cady0 K.D., "Estimate of the Risk of Accidental
Radiological Exposure from a BWR," Cornell University (April 1972).
52. Pugh, M.C., "Probability Approach to Safety Analysis/" TRG Report,
1949 (1969).
53. Wooten, R.W. , Battelle Columbus Laboratories, Personal Cossaunication
(January 14, 1975).
54. Slaughterbeck, D.C., "Review of Heat Transfer Coefficient® for Con-
densing Steam in a Containment Building Following a Loss-of-Coolant
Accident ," IN- 1388 (September 1970).
55. Proposed ANS Standard, "Decay Energy Release Rates Following Shut-
down of Uranium-Fueled Thermal Reactors," ANS-5.1 (October 1971).
56. Baker, Louis, Jr., Just, Louis C. , "Studies of Metal-Hater Reactions
at High Temperatures: III. . .Experimental and Theoretical Studies
of the Zirconium-Water Reaction," ANL-6548 (May 1962) .
57. "Air Quality and Stationary Source Emission Controlp" Prepared for
the Committee on Public Works, United States SenatGpby the Hafcional
Academy of Sciences (March 1975) .
178
-------�
58. Letter, W. D. Rowe (EPA) to Saul Levine (AEC) (November 1974).
59. International Committee on Radiological Protection, Publication
No. 2,"Report of Committee II on Permissible Dose for Internal
Radiation" (1959).
60. Osborne, R.V., "Absorption of Tritiated Water Vapor by People,"
Health Physics. Vol. 12, No. 11 (1966).
179
-------�
VIII. GLOSSARY
AEC Atomic Energy Commission
BWR Boiling Water Reactor
PWR Pressurized Water Reactor
RPS Reactor Protection System
LPIS Liquid Poison Injection System, Low Pressure Injection
System
GE General Electric Company
LOCA Loss of Coolant Accident
LPCI Low Pressure Coolant Injection
RHR Residual Heat Removal
ESF Engineered Safety Feature
HPIS High Pressure Injection System
SIS Safety Injection System
RWST Refueling Water Storage Tank
LPRS Low Pressure Recirculation System
RSS Reactor Safety Study (WASH-1400)
SAR Safety Analysis Report
EPS Electric Power System
180
-------�
APPENDIX A
A. INTRODUCTION
This Appendix describes Subtask I of the WASH-1400 review, which con-
sisted of selecting items which were' to be subsequently given an in-
depth review. The criteria for selection of the items ia presented,
as well as the specific reason that each selection was made. The
items are divided into two categories. The first category consists
of failure mode paths and the second category includes critical con-
sequence areas. The items selected, as described in this Appendix,
were subsequently modified as the in-depth review proceeded. The
modifications, and the final items selected, are described in Section
III (Introduction) of this report.
B. DEFINITION OF FAILURE MODE PATHS AND CRITICAL CONSEQUENCE AREAS
For the purposes of this Study, failure mode paths are defined as
accident sequences involving only the primary system and directly
associated subsystems which are calculated to culminate in core melt-
down. Critical consequence areas are those areas directly associated
with the time sequence and magnitude of radioactive release from the
containment building following or during a failure mode path event.
Thus, failure mode paths are paths or sequences, following an
181
-------�
accident initiating mechanism, in which the thermal-hydraulic response
of the reactor core is of primary concern. Critical consequence areas,
on the other hand, refer to the disposition of fission products released
from the primary system during the failure mode path event.
Failure mode paths are characterized in WASH-1400 by event trees which
culminate in core melt. The fault trees used to compute the probability
of each failure in the event tree are also considered part of the fail-
ure mode path. The response of the containment and the attendant dis-
position of radioactive material is considered separately in WASH-1400.
Thus, the definitions used here are consistent with the general format
of WASH-1400.
Failure mode paths which were considered for selection can be categor-
ized as one of the following:
(1) An accident sequence (path) which was overlooked and thus not con-
sidered by the Study. This sequence could include an overlooked
initiating mechanism or an overlooked failure mode path following
a given initiating mechanism.
(2) An accident sequence incorrectly analyzed in the Study. This could
include faulty event tree logic, or incorrect application or manipu-
lation of failure probabilities.
(3) A protection system malfunction overlooked. This includes an
omission in the fault tree analysis of protection system functions.
Overlooked common mode failures are also included.
(4) An incorrectly analyzed protection system function. This includes
incorrect logic on protection system fault trees or incorrect
application or manipulation of component failure probabilities.
182
-------�
Similarly, critical consequence areas can be categorized as:
(i) Parameters affecting containment leakage or failure sequences
which were overlooked in the Study,
(2) Parameters in the containment leakage or failure sequence which
were incorrectly analyzed,
(3) Containment protection system failure sequences which were over-
looked, and
(A) Containment protection system fault trees which were incorrectly
analyzed.
C. CRITERIA FOR SELECTION OF FAILURE MODE PATHS
The following criteria were used in selecting the failure mode paths:
(1) The path must appear to have a significant impact on the results
of the Study. This applied both to overlooked paths and to ap-
parently incorrectly analyzed paths.
(2) If a path from the Study is selected, it must appear to be incor-
rect on the basis of either some apparent problem in the internal
logic or analysis of the path or on a judgment of the validity of
the r'esult.
I). FAILURE MODE PATHS SELECTED
The following failure mode paths were selected for an in-depth review.
A discussion of the reasons for the selection is included based on the
Selection Criteria presented in Section III.
183
-------�
1. BWR Reactor Protection System (refer to Appendix II, Vol. 3,
Section 6.2 of WASH-1400)
This system constitutes a protection system designed to mitigate numer-
ous accident sequences. As a failure mode path, it falls in Category 4
of Section II. The selection of this system is based on the following
factors:
(a) The computed failure probability of the system, as presented in
the Study, appears to be unreasonably low.
(b) The system is required for a wide range of accidents. In particu-
lar, it is required during high probability transient events and
its failure could lead to severe consequences.
(c) Credit is taken during the more likely transients for actuation
and operation of the standby liquid control system to deliver
sodium pentaboratje solution to the reactor coolant system and
thus affect reactor shutdown. The ability of this system to be
effective in time to arrest many transients is questionable, and
its use in this regard appears to be in conflict with an AEC-
Regulatory assessment
2. BWR Anticipated Transient //I
This transient accident, as well as the next two (see below) will be
selected later in the effort based on the following:
(a) The transient selected will be one which is both likely and imposes
the most stringent requirements on the reactor protective system.
This latter factor cannot be assessed until the protective system
is examined in detail as proposed under item 1 above.
184
-------�
(b) The transient selected will be one which was not considered by
the Study and which meets the requirements of (a) above.
3. BWR Anticipated Transient //2
See 2 above.
4. BWR Anticipated Transient //3
See 2 above.
5. PWR - Electric Power System Availability
The availability of this system during all major accidents, is critical
to the mitigation of the accident consequences. The failure probability
computed in the Study appears to be low for such a complex system. Thus,
the PWR electric power system has been selected as a Subtask II review.
6. PWR - High. Pressure Injection System (HPIS)
This system was selected since it must operate during the relatively
high probability small break accident condition. There is no backup
system to the PWR-HPIS (as there is in a BWR); thus, its failure
strongly influences the overall consequence assessment. Some aspects
of the system, such as the apparent necessity for operator action to
actuate the pump lubrication system may not have been accounted for.
185
-------�
7. PWR - Small Break LOCA //I
This accident has been selected because of the following considerations:
(a) The accident has a relatively high probability,
(b) It appears that the Study may have overlooked and/or improperly
treated specific small break locations, and
(c) The consequences of a small break LOCA, as indicated by the Study,
are a dominating factor in the overall consequences.
The specific Small Break accident, in terms of break size and location,
has not been selected. The selection will be based on the following:
(a) The break size and location which impose the most stringent re-
quirements on the HPIS (item 6 above).
(b) The break size and location which results, assuming failure of
the HPIS, in the most severe consequences.
8. PWR - Small Break LOCA Transient #2
See item 7 above.
9. PWR - Loss of Power Transient
This accident was selected because it may represent a relatively prob-
able event (see discussion under item 5 above), and because the conse-
quences can be severe. It appears that some events important to the
accident consequence, such as discharge of accumulators after core
melt-through, may have been omitted.
186
-------�
10. Component Failure Rates
Although not specifically a failure mode path, this activity has been
selected since it provides the basis for the system failure rates
being reviewed. As presently envisioned, this activity will apply to
several of the systems investigated under Subtask II. It will consist
of an independent evaluation of failure fates for those components
which have been Identified as critical to the determination of system
failure rates.-
11. PWR - Low Pressure Injection System (LPIS)
This system was selected for the following reasons:
(a) The successful operation of the LPIS is required to prevent core
meltdown for all LOCAs with a pipe break greater than i» 6-inch
diameter.
(b) There is no backup system to the LPIS.
(c) The failure probability of the LPIS, as calculated in WASH-1400,
appears to be too low.
12. PWR - Low Pressure Recirculation System (LPRS)
This system was selected because:
(a) The successful operation of the LPRS is required to prevent core
meltdown for all LOCAs with a pipe break greater than ^ 6 Inches
in diameter
(b) There is no backup system to the LPRS.
187
-------�
(c) Successful operation of this system depends on operator action,
and it is not clear if this activity has been properly accounted
for by the Study.
E. SELECTION CRITERIA FOR CRITICAL CONSEQUENCE AREAS
The following criteria were used in selecting the critical consequence
areas:
(1) The area must significantly influence either the magnitude of
the radioactive source or the time of release of the source
from the containment to the environs, or both.
(2) The area, as indicated by the Study, must either be
(a) incorrectly quantified,
(b) improperly applied,
(c) judged significant but not considered by the Study.
F. CRITICAL CONSEQUENCE AREAS SELECTED
The following critical consequence areas have been selected for fur-
ther investigation in Subtask III of the contract. A discussion of
the reasons for the selection is included, and is based on the selection
criteria presented in Section V.
1. Core Parameters Prior to Meltdown Calculation
The core parameters of fuel and clad temperature and water level are
critical initial conditions for subsequent calculations of the time to
188
-------�
core melt which, in turn, establishes the time of release of radio-
activity from the core to the containment. It appears that the assump-
tions used in establishing these parameters are questionable, and other
values for these parameters, which may be more likely and appear to have
the potential of causing a significant change in .the time to core melt,
have not been considered.
2. Core Meltdown Calculations
At the time of fuel melt, large quantities of radioactive material are
released from the core and become available for release to the contain-
ment. Thus, the time of core melt becomes a significant parameter in
determining the radiological consequences of the accident. For this
reason, this calculation has been selected for review. In addition,
some of the methods utilized in the Study to compute heat transfer from
the core appear to be questionable. This task includes an independent
calculation of core heatup, utilizing available applicable computer
codes.
3. Containment Response-Pressure History (PWR)
The pressure response of the containment following a LOC& blowdown is
critical in determining accident consequences. Containment leakage and
containment rupture, which are determined by containment pressure response,
provide the only mechanisms for airborne release of radioactivity outside
the containment. The PWR containment pressure histories appear to be low
when compared with similar calculations for other PWR plants. For these
reasons, the PWR Containment Response-Pressure History has been selected
as a Subtask III critical area.
189
-------�
4. Containment Response-Failure Pressure (PWR)
The pressure at which the containment is assumed to rupture ie a critical
parameter in the accident consequences analysis since the rupture event
causes a puff release of fission products residing in the containment. ,
Since the containment pressure buildup is a time-dependent parameter,
(.In- assumed containment failure pressure can have a significant influence
on (.he time of fission product release. In addition, the fission product
inventory available for release depends on the residence time of the
•fission products in the containment .vessel, since plateout, washout, and
radioactive decay are all time-dependent phenomena.
r). Applicability of Containment Response to Other PWR Systems
This item concerns the applicability of the containment response analysis
contained in the Study to more recent PWR designs. Specifically, the
results do not consider the PWR ice condenser and fan cooler contain-
ment designs. The containment response and failure modes could be
significantly different for these designs.
6. Tritium Release Considerations
The Study does not consider the potential radiological consequences of
the release of tritium during a LOCA. Tritium is contained in both the
primary system coolant and the reactor core. As a result of a suggestion
hy the Environmental Protection Agency, this area will be studied.
U.S. GOVERNMENT PRINTING OFFICE: 1975—110-610:41
190
-------� |