Post on 19-Oct-2020
DOE-HTGR-86-011 Revision 3 Volume 2
III1111111
GA PROPRIETARY SUPPLEMENT PROBABILISTIC RISK ASSESSMENT
FOR THE STANDARD MODULAR HIGH TEMPERATURE GAS-COOLED REACTOR
AUTHORS/CONTRACTORS
GA TECHNOLOGIES INC.
ISSUED BY GA TECHNOLOGIES INC. FOR THE DEPARTMENT OF ENERGY
CONTRACT DE-AC03-84SF11963
JANUARY 1987
GA PROPRIETARY INFORMATION
Document Control Desk
Department of Energy Washington, DC 20585
February 7, 1995
Project Number 672
U.S. Nuclear Regulatory Commission Mail Station PI-137 Washington, D.C. 20555
In the meeting between the Department of Energy (DOE) and the Nuclear Regulatory Commission (NRC) held September 29, 1994, the question was raised about the proprietary classification of Volume 2 of the Modular High Temperature Gas-Cooled Reactor (MHTGR) Probabilistic Risk Assessment (PRA).
Please note that in a May 21, 1991, letter from G. C. Bramblett to J. Donohew, it was reported that the proprietary information in Volume 2 had been released with unlimited rights to the U.S. government. For NRC purposes, this can be interpreted to mean that DOE no longer requests that the document be withheld from the Public Document Room under the provisions of 10 CFR 2.790.
However, as noted in that May 21, 1991, correspondence, the MHTGR PRA is still co"sidered Applied Technology and should be so protected.
Sincerely, ~-~
7---/ 4..e;~)~! John W. Herczeg _ Civilian Reactor Development Office of Nuclear Energy
• ~ --l-
Department of Energy Washington. DC 20585
Mr. Jack Donohew MHTGR Project Manager
February 8, 1995
Project No. 672
Advanced Reactor Project Directorate Associate Directorate for Advanced Reactors
and license Renewal Office of Nuciear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, D.C. 20555-0001
Dear Mr. Donohew:
In the May 26, 1993, letter from Mr. J. D. Griffith to Mr. D. M. Crutchfield, the Department of Energy committed to release the "Applied Technology" material associated with the preapplication review for the Standard Modular High Temperature Gas-Cooled Reactor in a timeframe to support the issuance of the Preapplication Safety Evaluation Report (PSER) by the Nuclear Regulatory Commission (NRC). It is our current understanding, based on our meeting with NRC personnel of September 29, 1994, that the PSER is to be completed by February 28, 1995.
We hereby authorize NRC to remove the RApplied TechnologyR distribution restriction and place the following reports into the NRC Public Document Room. These reports are titled RPreliminary Safety Information Document for the Standard Modular High Temperature Gas-Cooled ReactorR and RProbabi1istic Risk Assessment for the Standard Modular High Temperature Gas-Cooled Reactor." These documents are identified as follows:
HTGR-86-024, Volumes 1 through 6, and DOE-HTGR-86-011, Volumes 1 and 2
cc: R. M. Forsse11, GA R. R. Mills, POCO
Sincerely,
~//~'.I . I~/( :ye.~t~/r John W. Herczeg Civilian Reactor Development Office of Nuclear Energy
DOE-HTGR-86-011· . Revision 3 GA-C18718 Volume 2
CAUTION Do not publicly release this doet.ment.
This technical report is being transmitted in advance of DOE patent clearance and no further dissemination or publication shaH be made of the report without prior approval of the DOE Patent Counsel.
This document will be returned upon request or when no longer needed, unless notification has been received that this document has been cleared for release or publication.
GA PROPRIETARY SUPPLEMENT
PROBABILISTIC RISK ASSESSMENT FOR THE
STANDARD MODULAR HIGH TEMPERATURE
GAS-COOLED REACTOR
APPLIED TECHNOLOGY Any Further Distribution by any Holder of this Document or of Other Data Herein to Third Parties Representing Foreign Interests, Foreign Governments, Foreign Companies and Foreign Subsidiaries or Foreign Divisions of U.S. Companies Shall Be Approved by the Director, HTR Development Division, U.S. Department of Energy.
Issued By: GA Technologies Inc.
P.O. Box 85608 San Diego, California 92138·5608
DOE Contract No. DE-AC03-84SF11963
GA Project 6300
JANUARY 1987
j.-
"
<.-
LIST OF EFFECTIVE PAGES
Page Revision Date
Cover 3 1/87
iii 3 1/87
v through xii 3 1/87
xiii through xiv 3 1/87
B-1 through B-56 3 1/87
C-1 through C-93 3 1/87
D-1 through D-83 3 1/87
iii DOE-HTGR-86-011/Rev. 3
CONTENTS
VOLUME 1
1 • SUz..n1AR.Y...........
2. INTRODUCTION AND OBJECTIVES
3. PROBABILISTIC RISK ASSESSMENT METHODOLOGY.
4. PLANT DESCRIPTION • • • • • • • • • • •
5. IDENTIFICATION OF ACCIDENT INITIATORS
6. PLANT RESPONSE AND SYSTEM RELIABILITY MODELS
7. ACCIDENT FREQUENCY ASSESSMENT
8. ACCIDENT CONSEQUENCES ••
9. RISK ASSESSMENT RESULTS •
10. REQUESTED NRC RESPONSE
APPENDIX A: PRIMARY COOLANT LEAK FREQUENCY METHODOLOGY
VOLUME 2
LIST OF EFFECTIVE PAGES
! ABBREVIATIONS
B. PRA DATA BASE •
B.lo
B.2.
Introduction
Terminology
B.2.1. Failure Types.
B.2.2.
B.2.3.
B.2.4.
B.2.5.
Repair Time • •
Common Mode Failure •
Uncertainties • • • •
Operator Response Model •
B.3. Data Tabulation
B.4. References •••••
. . . . .
1-1
2-~
3-1
4-1
5-1
6-1
7-1
8~1
9-1
10.,.1
A-1
iii
xiii
B-1
B-1
B-2
B-2
B-2
B-3
B-3
B-4
B-5
B-53
v DOE-HTGR-86-011/Rev. 3
~fC~ EVENT TREE CONSTRUCTION AND QUANTIFICATION C-l
C-3
C-3
C-4
C-6
'\ 1: -.'
t.: - .
1. ~ .. '_.
... - ~ ...
, . L-- .. 1
.. ' -,,'
'. ~
C.l. Primary Coolant Leaks
C.l.l.
C.l.2.
C.l.3.
C.1.4.
C.l.s.
C.1.6.
C.l. 7.
C.l.8.
·C~2. Loss of
C.2.l.
C.2.2.
C.2.3.
C.2.4.
C.2.s •
C.2.6.
C.2.7.
C.2.8.
Primary Coolant Leak Occurs
Leak Size Distribution
Reactor Tripped with Control Rods • •
Reactor Shutdown Using' Reserve Shutdown Material • • • • • • • • • • • • • • • • C-8
Heat Transport System Cooling Maintained C-9
Cooling Provided by SCS • • • • • • • C-lO
Cooling Provided by RCCS • • • • • • • • • • C-ll
Primary Coolant Depressurized Through HPS C-l2
Main Loop Cooling • • • •
Loss of HTS Cooling
Reactor Tripped With Control Rods •
Reactor Shutdown Using Reserve Shutdown Material •••••
Cooling Provided by SCS • •
Cooling Provided by RCCS
C-l3
C-l4
C-l5
C-l5
C-l6
C-l8
Primary Coolant Depressurized Through HPS C-l9
Cooling Restored Prior to Excessive Vessel Temperature • • • • • • • • • • • • • • • • • C-20
Number of Modules Experiencing Event Sequence • • • • • • • • • • • • •• C-2l
C.3. Earthquake-Induced Failures C-22
C.3.l. Occurrence of Significant Earthquakes. • C-26
C.3.2. Seismic Intensity Range • • • • • • • • • • • C-27
C.3.3. Primary Coolant Boundary Remains Intact • C-28
C.3.4. Cooling Provided by HTS •••••
C.3.S. Reactor Tripped With Control Rods •
C.3.6. Reactor Shutdown Using Reserve Shutdown
C.3.7.
C.3.8.
C.3.9.
Control Equipment • • • • • •
Cooling Provided by SCS •
Cooling Provided by RCCS
Cooling Restore Prior to Excessive Vessel Temperature • • • • • • • . • • . . •
C.3.l0. Number of Modules Experiencing Event
C-29
C-30
C-32
C-33
C-34
C-35
Sequence" • • • • • • • • • • • • • • • • •• C-36
vi DOE-HTGR-86-0ll/Rev. 3
". :-"
C.7.S. Reactor Trip on High Pressure
C.7.6.
C.7.7.
C.7.8.
C.7.9.
Steam Generator Isolation • • •
Delayed Steam Generator Isolation
Steam Generator Dump Occurs • • • •
Steam Generator Pressure Response •
C.7.l0. Shutdown Cooling System Cooling Succeeds
C.7.ll. Cooling Provided by RCCS
C.7.l2. Primary Relief Train Response
C.8. Accidents Initiated by Moderate Steam Generator Leaks •••••••• • • • • • • • • •
C.8.l. Steam Generator Leak Frequency
C.8.2. Moisture Monitor Detection
C.8.3. Reactor Trip on High Moisture
C.8.4. Reactor Trip on High Pressure
C.8.s. Steam Generator Isolation • •
C.8.6. Delayed Steam Generator Isolation •
C.8.7. Steam Generator Dump Occurs •••
C.8.8. Steam Generator Pressure Response •
C.8.9. Shutdown Cooling System Cooling Succeeds
C.8.l0. Cooling Provided by RCCS
C.8.ll. Primary Relief Valve Response.
C.9. Uncertainty Treatment in Frequency Assessment
C.9.l. Uncertainties Considered
C.9.2. Uncertainty Distributions for Release Category Frequencies ••••
C. 10. References. • • • • • • • • • •
D. RELEASE CATEGORY DESCRIPTION AND DOSE QUANTIFICATION
D.1. Consequences from Forced Convection Cooldown Under
C-60
C-61
C-62
C-63
C-6S
C-6S
C-67
C-68
C-68
C-69
C-70
C-71
C-71
C-73
C-74
C-74
C-76
C-76
C-78
C-78
C-79
C-79
C-81
C-81
D-l
Dry Conditions • • • • • • • • • • • • • • • D-2
D.l.l. Data and Methods D-3
D.l.2. Fission Product Release and Dose Assessment
D.l.3. Uncertainty Analysis
viii
D-11
D-14
DOE-HTGR-86-011/Rev. 3
0.2. Consequences from Forced Convection Coo1down Under Wet Conditions • • • • • •
0.2.1. Oata and Methods
0.2.2. Fission Product Release and Oose Assessment
0.2.3. Uncertainty Analysis
0.3. Consequences from Conduction Coo1down Under Ory Conditions • • • • • • • • • • • • •
0.3.1. Oata and Methods
0.3.2. Fission Product Release and Oose Assessment
0.3.3. Uncertainty Analysis
0.4. Consequences from Conduction Coo1down Under Wet Conditions • • • • • • • •
0.4.1. Oata and Methods
0.4.2. Fission Product Release and Oose Assessment
0.4.3. Uncertainty Analysis
0.5. References • • • • •
FIGURES
B-1. Operator response model for the MHTGR •
C-1. Event tree for primary coolant
C-2. Event tree for loss of main loop cooling
C-3. Event tree for earthquake ••
C-4. MHTGR site seismicity curve •
C-5. Event tree for loss of offsite power
C-6.
C-7.
Event tree for ATWS
Event tree for control rod group withdrawal •
C-8. Event tree for small steam generator leak •
C-9. Event tree for moderate steam generator leak
0-1. Time to depressurize the primary system as a function of primary coolant leak size • • • • • • • • • • • •
0-2. RATSAM model used to determine shear stress distribution
0-3. TOAC model used to assess offsite dose at the EAB
0-19
0-21
0-27
0-33
0-36
0-36
0-43
0-48
0-51
0-51
0-57
0-65
0-67
B-56
C-85
C-86
C-87
C-88
C-89
C-90
C-91
C-92
C-93
0-71
0-72
0-73
ix OOE-HTGR-86-011/Rev. 3
FIGURES (Continued)
0-4. Nominal thyroid dose at the EAB for primary coolant leaks . . . . . . · . · · · · · · · · · · · · · · ·
0-5. Nominal lung dose at the EAB for primary coolant leaks
0-6. Nominal bone dose at the EAB for primary coolant leaks
0-7. Nominal Whole body gamma dose at the EAB for primary coolant leaks . . · . · · · · · · · · · · · · · · · · ·
0-8. Probability distribution for the atmospheric dispersion factor used in uncertainty analysis of dose consequences · . . . . . . . . . . . . . . . .
0-9. Thermal transient during a depressurized conduction coo ldo'WIl • • • • • • • • • • • • • • • • • • • •
D-10. Isotherm plot at 80 h during thermal transient due to depressurized conduction cooldown • • • • • • • •
0-11.
:0-13.
Thermal transient during a pressurized conduction coo ldo'Wrl • • • • • • • • • • • • • • • • • • • • •
Cumulative fission product release from core during pressurized conduction cooldown (OC-9) •••••••
Cumulative fission product release from core during a depressurized conduction cooldown with small primary coolant leak (OC-5, -6, -7, and -8) •••••••••
TABLES
B-1. Failure frequency and demand failure probability circulators, blowers, and fans •••••• • ••
B-2.
B-3.
B-4.
Failure frequency and exchangers
Failure frequency and
Failure frequency and and pressure vessels
demand failure probability heat
· · · · · · · · · · · · · · · · demand failure probability pumps
demand failure probability tanks
· · · · · · · · · · · · · · · ·
·
· B-5.
B-6.
B-7.
Failure frequency and demand failure probability piping
Failure frequency and demand failure probability valves
Failure frequency and demand failure probability diesel generator • • • •
B-8. Failure frequency and demand failure probability instrumentation • •• • • • • • • • • • • • •
B-9. Failure frequency and demand failure probability control
. .
systems ••••• · . . . . . . . . . . . . . . . . . .
0-74
0-75
0-76
0-77
0-78
0-79
0-80
0-81
0-82
0-83
B-6
B-8
B-13
B-15
B-16
B-17
B-20
B-21
B-22
x 00E-HTGR-86-011/Rev. 3
TABLES (Continued)
B-10. Failure frequency and demand failure probability plant service systems · · · · · · · · · · · · · · · · · · B-23
B-1!. Failure frequency and demand failure probability electric motors . · · · · · · · · · · · · · · · · · · · · · · · B-24
B-12. Failure frequency and demand failure probability transformers · · · · · · · · · · · · · · · · · · · B-25
B-13. Failure frequency and demand failure probability batteries · · · · · · · · · · · · · · · · · · · · · · · B-26
B-14. Failure frequency and demand failure probability electric conductors · · · · · · · · · · · · · · · · · · · B-27
B-15. Failure frequency and demand failure probability circuit breakers · · · · · · · · · · · · · · · · · · · · · · · B-28
B-16. Failure frequency and demand failure probability turbine plant . . · · · · · · · · · · · · · · · · · · · · · B-29
B-17. Failure frequency and demand failure probability other electrical components · · · · · · · · · · B-30
B-18. Repair times circulators, blowers, and fans · · · · · · B-31
B-19. Repair times heat exchangers B-33
B-20. Repair times pumps · · · · · · · · · · B-36
B-2!. Repair times tanks and pressure vessels · · · · · B-37
B-22. Repair times piping · · · · · · · · · B-38
B-23. Repair times valves · · · · · · · · · · · · · · B-39
B-24. Repair times diesel generators · · · · · · · · · B-41
B-25. Repair times instrumentation · · · · · · · · · · · · B-42
B-26. Repair times control systems · · · · B-43
B-27. Repair times plant service systems · · · · · · · · B-44
B-28. Repair times electric motors · · · · · B-45
B-29. Repair times transformers · · · · · · · · · · · · · · B-46
B-30. Repair times batteries · · · · B-47
B-3!. Repair times electric conductors . . . . . . . . . . . . . B-48
B-32. Repair times circuit breakers · · · · · · · · · · B-49
B-33. Repair times other electrical components · · · · B-50
B-34. Common mode failure factors · · · · · · · · B-S1
xi DOE-HTGR-86-011/Rev. 3
C-l.
C-2.
TABLES (Continued)
Assumed fragilities of key components • • • • • • •
Release category frequency uncertainty distribution parameters • • • • . . . • • • • • • • . . • .
0-1. Initial circulating and plateout inventories of nuclides that are major contributors to radiological consequences
C-24
C-82
of forced convection cooldowns under dry conditions • • 0-4
0-2. Constants in Eq. 0-1 for the excess percentage liftoff 0-6
0-3. Total percent liftoff for various leak sizes ••••• 0-8
0-4. Reactor building and site parameters 0-10
0-5. Cumulative release to environment in curies for forced convection cooldowns under dry conditions • • • • • 0-13
0-6. Nominal dose consequence at the EAB for forced convection cooldowns under dry conditions • • • • • • • • • • • • • • 0-15
0-7. Oose uncertainty analysis at the EAB for forced convection cooldown under dry conditions • • • • • • • • • • • • • • • 0-20
0-8. Initial circulating, plateout, and fuel body inventories of nuclides that are major contributors to radiological consequences of forced convection cooldowns under wet conditions •••••••••••••••• • • • • 0-26
0-9. Cumulative release to environment in curies for forced convection cooldowns under wet conditions • 0-32
0-10. Nominal dose consequence at the EAB for forced convection cooldowns under wet conditions •••••• • • • • • • • • 0-34
0-11. Oose uncertainty analysis at the EAB for forced convection cooldowns under wet conditions • • • • • • • • • • • • • • 0-37
0-12. Initial circulating, plateout, and fuel body inventories of nuclides that are major contributors to radiological consequences of conduction cooldown accidents • • • • • • • 0-41
0-13. Cumulative release to environment in curies for conduction cooldowns under dry conditions • • • • • • • • • • 0-45
0-14. Nominal dose consequence at the EAB for conduction cool-downs under dry conditions • • • • • • • • • • • • • • • • 0-49
0-15. Oose uncertainty analysis at the EAB for conduction cool-downs under dry conditions • • • • • • • • • • • 0-52
0-16. Cumulative release to environment in curies for conduction cooldowns under wet conditions . . . . . . . . . . 0-59
0-17. Nominal dose consequence at the EAB for conduction cool-downs under wet conditions ••• • • • • • • • • • • • • • 0-66
0-18. Oose uncertainty analysis at the EAB for forced convection cooldowns under wet conditions • • • • • • • • • • • • • • 0-68
xii OOE-HTGR-86-011/Rev. 3
AIPA
ATWS
BOP
EAB
ECS
EPZ
HPS
HTGR
HTS
LBE
LOSP
LWR.
MHTGR
NCSS
NRC
NSSS
OBE
PAG
PPIS
PRA
PSID
ABBREVIATIONS
accident initiation and program analysis
anticipated transients without scram
balance of plant
exclusion area boundary
energy conversion system
emergency planning zone
helium purification system
high-temperature gas-cooled reactor
heat transport system
licensing basis event
loss of normal station power
light water reactors
modular high-temperature gas-cooled reactor
neutron control subsystem
Nuclear Regulatory Commission
nuclear steam supply system
operating basis earthquake
protective action guides
plant protection instrumentation system
probabilistic risk assessment
preliminary safety information document
xiii DOE-HTGR-86-011/Rev. 3
RCCS
RPCWS
RSCE
RSCM
RSS
SCS
SCWS
SPS
SSE
SWS
TBCCWS
UPS
U.S.
reactor cavity cooling system
reactor plant cooling water subsystem
reserve shutdown control equipment
reserve shutdown control material
reserve shutdown system
shutdown cooling system
shutdown cooling water subsystem
safety protection subsystem
safe shutdown earthquake
service water subsystem
turbine building closed cooling water subsystem
uninterruptible power supply
United States
xiv DOE-HTGR-86-011/Rev. 3
BLANKPAGE
B.l. INTRODUCTION
APPENDIX B PRA DATA BASE
This appendix provides the reliability data base utilized in
assessing accident frequencies described in Section 7 and Appendix C
of this document. Event trees are employed to quantify the frequency
of accident sequences Which may result in an unplanned radionuclide
release. Event tree nodal probabilities, describing the probability
of failure of a given system or component, are derived from fault tree
analysis. The base reliability data used in the fault tree analyses are
presented here.
Many data sources were compiled from operating experience in LWR or
nonnuclear applications as well as from HTGR operating experience and
risk analyses. Depending upon the operating environment of a particular
component, the most appropriate reliability data available were used.
In reference to HTGR data, considerable work was accomplished in com
piling reliability estimates during the Accident Initiation and Program
Analysis (AIPA) (Ref. B-1) studies.
This appendix reflects a compilation of all identified applicable
data sources for the MHTGR PRA analysis. As such it represents the most
recent information believed to be available. The reliability data have
been arranged in tables and include
1. Failure modes for systems and component.
2. Failure frequencies (A, l/h).
3. Demand failures (Q, l/demand).
4. Repair times (7, h).
5. Common mode failure factors (P>.
B-1 DOE HTGR-86-0ll/Rev. 3
B.2. TERMINOLOGY
The intent of this section is to supply the reader with an explana
tion of terms and information provided in the reliability tables that
may not be readily apparent.
B.2.1. Failure TyPes (~ and Q)
There are two types of equipment failures shown in the reliability
data tables: operating failures and demand failures. For operating
failures, the failure frequency, ~, for a given component or system is
usually based on the number of failures observed divided by the number
of operating hours. This type of estimate is made When raw data are
available, the resulting failure frequency being given in failures/hour.
For demand failures, the failure frequency, q, for a system or component
is based on the total number of failures observed divided by the total
number of attempts to start, change state, or function.
B.2.2. Repair Time (T)
The time required to restore a failed system or component to normal
operating status is designated the repair time, T. The repair time may
include replacement, repair of the failed unit in place, or bypass of
the component While maintaining acceptable system performance. Because
of the wide range of repair possibilities and unknown elements such as
spare part availability, ease of access, possible decontamination pro
cedures, and repair crew availability, the tabulated repair times cover
a wide range of values and are associated only with the generic equip
ment. Selecting the appropriate value for repair time depends on the
particular situation being studied and should be assessed on a c~se by
case basis.
B-2 DOE HTGR-86-011/Rev. 3
B.2.3. Common Mode Failure cD Factor)
Essential functions or components within a system are frequently
duplicated in order to increase the system reliability. This method of
redundancy is used to ensure the proper function of an essential system
even if several component or functional failures within the system
occurred. Systems comprised of interconnected replicate components,
however, sometime experience a total loss of all functions as a result
of common mode failure. Common mode failures are usually not considered
random independent events within the system but as influences from out
side sources which are common to redundant components.
In order to quantify common mode failures for a system with paral
lel and redundant components, the p factor has been developed. The p factor is defined as the ratio of the common mode failure rate of all
similar redundant components in a system and the total failure rate for
a single one of those components.
B.2.4. Uncertainties
Reliability studies usually employ many input parameters and a
variety of models. These have uncertainties associated with them, some
of which may be in the range of an order of magnitude or more.
Some major factors contributing to uncertainties include,
(Ref. B-1):
1. Uncertainties exist in failure statistics for components that
have had little or no operating experience. This lack of
operating data is especially true for equipment peculiar to
the HTGR.
B-3 DOE HTGR-86-011/Rev. 3
2. Failure statistics for equipment used in standby safety sys
tems are sparse, since the abnormal events for which the
systems are designed seldom, if ever, occur.
3. Failure statistics for various types of testing programs are
often used in lieu of actual use data. Uncertainties exist in
using this analog.
4. The models used to predict the probabilities may overlook some
of the system failure modes.
5. Uncertainties exist in the environment in which the systems
operate.
Lognormal distribution is mostly used in reliability studies for
representing the uncertainty distribution for equipment failure proba
bilities. It can be described by only two parameters, the median and
range, and is especially appropriate for parameters whose uncertainty
may be in order of magnitude or more. For this report a 90% range has
been selected, with the lower range end being the 5% bound and the upper
end the 95% bound. This definition is consistent with the WASH-1400
(Ref. B-3) study and says that there is a 90% probability that the data
points will lie within this range.
The tabulated reliability data are quoted at the lower 5%, median
and upper 95% values.
B.2.5. Operator Response Model
The operator response model chosen for the standard MaTGR reflects
cognitive rather than procedural error. The selected model is depicted
in Fig. B-1 which was extracted from Ref. B-6. The upper and lower
B-4 DOE HTGR-86-011/Rev. 3
dashed lines are interpreted as lower fifth and upper ninety-fifth per
centile values, encompassing a 90% confidence band. The solid line is
interpreted as the median.
Several reasons contribute to the selection of a cognitive error
model:
1. Reliance on computer controlled systems during normal oper
ating conditions.
2. Reliance on passive safety systems during accident conditions.
3. Accident timing and operating systems are different from PWRs,
requiring a different operator response model.
B. 3. DATA TABULATION
The reliability data used in the PRA is presented in Tables B-1
through B-34. Tables B-1 through B-17 provide information pertaining
to system/component failure frequency and demand failure probability.
Tables B-18 through B-33 address system/component repair times, and
Table B-34 summarizes common mode failure factors for all redundant
systems/components considered. All tables follow a similar format. The
first column describes the system or component of interest, the second
column gives the failure mode under consideration, the adjacent columns
provide the reliability data, and the final column provides references.
For each piece of reliability data a lower bound (fifth percentile),
median (fiftieth percentile), and upper bound (ninety-fifth percentile)
value is given in the tables.
B-S DOE-HTGR-86-011/Rev. 3
System-Component Identification
Helium circulators -steam driven, water lubricated
Machine, drive, and lubrication
Power supply
b:I Control system
I 0\
Electric motor driven, oil lubricated
Machine, drive, and lubrication
t:' Power supply 0 tZJ I
:!1 Control system
~ I
00 Electric motor 0\ I driven, magnetic
0 .... bearings .... - Machine and drive i: 4 . w
TABLE B-1 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
CIRCULATORS, BLOWERS, AND FANS
Failure Frequency, A Demand Failure Probability, Q (l/h) (l/Demand)
5th 95th 5th 95th Failure Mode Percentile Median Percentile Percentile Median Percentile
Fail to operate 1 x 10-5 3 x 10-5 9 x 10-5
Loss of steam 3 x 10-6 1 x 10-5 3 x 10-5
Fail to operate 1 x 10-5 3 x 10-5 9 x 10-5
Out of limits 3 x 10-5 1 x 10-4 3 x 10-4
All-unit 1 x 10-4 3 x 10-4 9 x 10-4 malfunction
Fail to operate 1 x 10-5 3 x 10-5 9 x 10-5
Loss of electric 1 x 10-5 3 x 10-5 9 x 10-5 power
Fail to operate 1 x 10-5 3 x 10-5 9 x 10-5
Out of limits 1 x 10-5 1 x 10-4 3 x 10-4
Fan to operate 1 x 10-5 3 x 10-5 9 x 10-5
References
B-2
B-2
B-2
B-2
B-2
B-2
B-2
B-2
B-2
B-2
tilt I ...,
'=' o l".I I
~ C) ~ I
00 Q\ I o .... .... -~ . w
TABLE B-1 (Continued)
Failure Frequency, A Demand Failure Probability, Q (l/h) (1/Demand)
System-Component 5th 95th 5th 95th Identification Failure Mode Percentile Median Percentile Percentile Median Percentile References
Power supply Loss of electric 2 x 10-5 3 x 10-5 9 x 10-5 B-2 power
Control system Fail to operate 1 x 10-5 3 x 10-5 9 x 10-5 A-2
Magnetic bearings Fail to operate 1 x 10-5 3 x 10-5 9 x 10-5 (a)
Solid state control Fail to operate 3 x 10-7 1 x 10-6 1 x 10-5 B-2
Blowers/fans Fail to operate 2 x 10-6 5 x 10-6 1 x 10-4 3 x 10-4 1 x 10-3 3 x 10-3 B-2 (Q) B-5 (A)
(a)A study performed by Jamea Howden and Company Limited indicates that the mean time between failures is on the order of 3 x 104 h. The failure frequency is, therefore, on the order of 3 x 10-5/h as cited in Table B-1. An uncertainty factor of 2 was adopted as the ratio of the median to 5th and 95th percentile failure frequency values predicted upon data cited in Ref. B-21.
b:I ,I CO
t::1 o tz:I 1
~ ~ 1 co 0\ 1 o .... .... -~ ~ . w
TABLE B-2 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
HEAT EXCHANGERS
Failure Frequency, A (l/h)
Demand Failure Probability, Q (l/Demand)
5th 95th 5th 95th System-Component Identification FaUure Hode Percentile Hedian Percentile Percentile Hedian Percentile References
Steam generator
Heat exchangers -general
Feedwater heater
Cooler
Desuperheater
Condenser
Air blast heat
Deaerator
Auxiliary boiler
Tube leak (per 1 x 10-5 plant hour)
All 1 x 10-6
Flow restriction 1 x 10-6
Tube leak 3 x 10-6
All 1 ~ 10-6
All
Tube leak
Rapid loss of vacuum
1 x 10-6
2 x 10-6
1 x 10-6
5 x 10-5
3 x 10-5
1 x 10-5
1 x 10-5
3 x 10-6
1 x 10-5
6 x 10-6
1 x 10-5
Fail to operate 2 x 10-5 2 x 10-4
Failure of level 7 x 10-10 3 x 10-6
Fail to operate 1 x 10-6 3 x 10-5
FaU to deliver steam in T minutes
T 1/3 - 180
T 1 - 60
2 x 10-4
3 x 10-4
1 x 10-4
3 x 10-5
9 x 10-6
1 x 10-4
2 x 10-5
3 x 10-5
2 x 10-3
1 x 10-5
3 x 10-4
3 L 20
1 x 10-4
3 x 10-4
3 x 10-4 9 x 10-4
1 x 10-3 3 x 10-3
(a)
B-2
B-6
B-2
B-2
B-2
B-6
B-2
B-1
B-7
B-2
B-2
(a)The failure frequency for steam generator tubes is predicted upon an assessment performed by Combustion Engineering, Inc. The results of the assessment have been modified to account for a differing number of tubes, tube lengths, plant availability, and welds per tube in the HHTGR steam generator design. The derivation of the failure consists of:
1. Identification of steam generator tube failure modes •
2. Development of a failure mode data base.
tid I \0
'=' o tz:I I
~ ~ I co 0\ I o .... .... -i . w
TABLE B-2 (Continued)
The dominant steam generator tube failure modes identified area
1. Bimetallic weld failure.
2. Corrosion/erosion.
3. Defects in welds of similar metals.
4. Mechanical damage, fretting, and wear.
Data in support of the failure frequencies for each mode were gathered from experience' with coal plant boiler tubes, PWR steam generator tubes, and Peach Bottom I and Fort St. Vrain HTGR steam generators.
Results of the data search indicated a low frequency of failure for bimetallic welds in the HHTGR steam generator. The estimate was based on British experience with bimetallic welds between 2-1/4 Cr - 1 Mo and austenitic steel boiler tubes in their fossil-fired generating plants (Ref. 1-22). Weld failure occurs between dissimilar metals because of differences in thermal expansion coefficients and due to carbon diffusion across the ferritic/weld interface resulting in a decarburized zone in the ferritic steel. The Iritish experience indicated a cumulative failure fraction of about 0.0007 failures for nickel-based weldments of these two dissimilar metal boiler tubes over a 40-year plant lifetime. ApplJing this value to the 3S0 tubes per HHTGR steam generator provides a linear bimetallic weld failure rate of 6 x 10- /module year.
The data search for secondary water side corrosion and erosion of boiler tubes indicated that a much higher tube failure frequency due to this cause has been experienced in PWRs and coal plants (approximately 0.1 to O.S failures per reactor year in PWRs and 1.1 tube failures per plant year in coal plants). PWR tube leak data and coal plant tube leak data have been gathered from Refs. B-23 and 1-24, respectively. The fractional contribution of corrosion to total tube failures in PWRs was obtained from data in Refs. B-2S and 1-26. Strong arguments were made that HTGR secondary water chemistry would be better than the water chemistry in the coal plants and that the 2-1/4 Cr - 1 Mo and the Inconel 800H metals used in the HHTGR steam generator tubes were ~own to be more resistant to corrosion than materials used in the PWRs and coal plants. The lowest report fsilure frequency of 0.11 per reactor year in PWRs was therefore used as a basis for an upper bound HHTGR failure frequency estimate of 3 x 10-2/module year. The PWR data was for total tube failures reported in 1981. Of those failures, 90% were attributed to corrosion and erosion.
Steam generator tube failures due to defects in welds of similar metals at large coal plants were found to occur as frequently as 0.29 per boiler year (Ref. 1-24). The number of occurrences is dominated by the level of quality control in the shop and at the plant site. Assuming that the HHTGR steam generator tube welding will be accomplished entirely in the shop, the fractional contribution of field weld failure (approximately 60% for coal plants) is not considered. The resultant HHTGR steam generator tube failure frequency due to similar weld failure is estimated to be 5 x 10-2 /module year taking into account differences in total tube length and plant availability between the coal plant data and the MHTGR. Data regarding weld failure in PWRs is not applicable to the MHTGR because PWR steam generator tube welds are located in the tubesheets.
till I
...... o
t::1 o P:I I
~ ~ I
00 0\ I o ...... ...... -~ . w
TABLE B-2 (Continued)
Ho data was available on the frequency of wear shield failure. Wear shields were introduced in the Fort St. Vrain design to protect the steam generator tubes from fretting at the support plates. Fretting, but not failure, had been found with the Peach Bottom I steam generator tubes which did not have wear shields. It is predicted that approximately 12 to 18 months are required to fail a steam generator tube after wear shield failure. In the absence of data on wear shield failure, a PWR experience base (Refs. B-23, B-25, and B-26) has been suggested as a reasonable source for failure data for the HHTGR. Based on this PWR experience with mechanical damage, fretting, and wear, a failure rate of 4 x 10-3/module year has been suggested for the HHTGR steam generator tubes from these causes. The PWR data was for total tube failures reported in 1979. Of these failures, 3% were attributed to mechanical damage, fretting, and wear.
The total failure rate of HHTGR steam generator tubes based on the preceeding information is estimated to be approximately 0.09/module year. Since the plant design consists of four modules, the total failure frequency per plant year is approximated as 0.4.
The HHTGR failure frequency data for steam generator tubes was calculated through the use of a series of equations. Equation B-1 represents the total tube failure frequency which is the sum of the four identified contributors. Equations B-2 through B-5 provide the failure -frequency per module year for each identified failure mode. The equations used are as follows:
AT - ABW + AC/E + ASW + AHD,F+W
where ABW - bimetallic weld failure rate,
AC/E - corrosion/erosion failure rate,
Asw - similar weld failure rate,
AHD,F+W - mechanical damage, fretting, and wear failure rate.
HBW * F ABW - ---
where HBW - number of bimetallic welds per steam generator,
F - bimetallic weld cumulative failure fraction,
where
T plant design lifetime (years).
AC/E = Ltubes * A * Atubes C/E
Ltubes - number of tubes * length per tube,
A • availability (h/yr),
(B-1)
(B-2)
(B-3)
~ I .... ....
t:J o tzJ I
~ co 0\ I o .... .... -::0 ~ . w
where
where
TABLE B-2 (Continued)
Atubes C/E • tube failure rate due to corrosion/erosion (per tube foot per hour).
Asw • Ltubea * A * Atubes sw (B-4)
Ltube. • number of tubes * length per tube,
A • availability (h/yr),
Atubes sw • tube failure rate due to failure of welds between similar materials (per tube foot per hour).
AHD,F+W • Ltubes * A * Atubes HD,F+W (B-5)
Ltubes • number of tubes * length per tube,
A • availability (h/yr),
Atubes HD,F+W • tube failure rate due to mechanical damage, fretting, and wear (per tube foot per hour).
~ I .... N
t:1 o tzj I
~ ~ I co 0\ I o .... .... -~ . UJ
TABLE B-2 (Continued)
The HHTGR steam generator tube failure rates were quantified using the following data:
Nbw • 350 welds,
T • 40 yr,
A • (0.90) * (8760 h/yr) • 7884 h/yr,
Ltubes • (350 tubes) * (536.19 ft/tube) • 187,666.5 ft,
F • 0.0007,
Atubes C/E • 2 x 10-1l/tube ft-h,
Atubes SW • 3.4 x 10-11/tube ft-h,
Atubes HO,F+W • 2.7 x 10-12/tube ft-h.
The resultant median tube failure rate per plant hour for the HHTGR is 5 x 10-5• An uncertainty factor of 4 was used to determine the upper 95th and lower 5th percentile values predicted upon data cited in Ref. B-27.
TABLE B-3 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
PUHPS
Failure Frequency, A Demand Failure Probability, Q (l/h) (I/Demand)
System-Component 5th 95th 5th 95th Identification Failure Hode Percentile Hedian Percentile Percentile Hedian Percentile References
Pumps - general All 1 x 10-5 3 x 10-5 3 x 10-4 B-2
Electric motor driven Fail to operate 1 x 10-5 3 x 10-5 9 x 10-5 1 x 10-4 1 x 10-3 3 x 10-3 B-2
Fail to run 3 x 10-4 1 x 10-3 3 x 10-3 B-2 in extreme environment
Hechanical 5 x 10-6 1 x 10-5 4 x 10-5 (a) bI failure I
4 x 10-6 .... Control/local 1 x 10-5 4 x 10-5 (a) w electrical failure
Operator error 1 x 10-6 3 x 10-6 9 x 10-6 (a)
Fail to start 8 x 10-5 8 x 10-4 2 x 10-3 (a) from electrical
C failure 0
3 x 10-7 1 x 10-6 1 x 10-5 tzJ Circuit failure B-2 I ::t:
Intake blockage 1 x 10-6 1 x 10-5 1 x 10-4 B-6 t-:1
~ Steam turbine driven Fan to run 3 x 10-5 1 x 10-4 3 x 10-4 B-2 I 00
1 x 10-5 3 x 10-5 9 x 10,;-5 3 x 10-3 1 x 10-2 3 x 10-2 0\ Feedwater pumps Fail to operate B-2 I 0
Electric motor driven Loss of drive 3 x 10-6 1 x 10-5 3 x 10-5 B-2 .... .... - Loss of power 1 x 10-5 3 x 10-5 9 x 10-5 B-2 \::d ID supply < . w
TABLE B-3 (Continued)
Failure Frequency, A Demand Failure Probability, Q (l/h) (l/Demand)
System-Component 5th 95th 5th 95th Identification Failure Mode Percentile Median Percentile Percentile Median Percentile References
Steam turbine driven Loss of drive 1 x 10-5 3 x 10-5 9 x 10-5 B-2
Loss of power 1 x 10-5 3 x 10-5 9 x 10-5 B-2 supply
Low pressure Fail to run 3 x 10-6 1 x 10-5 3 x 10-5 B-2 feedwater pumps
Air ejector pumps Fail to run 1 x 10-6 3 x 10-6 9 x 10-6 B-2
Condensate pumps Fail to run 1 x 10-5 3 x 10-5 2 x 10-4 B-2 ~ I ~
~ (a)Total failure rate data has been taken from Ref. B-2. Contributions to the total failure rate by the various
t=' o tz:I I
ei ~ I
00 0\ I o ~ ~ -r: < . w
failure modes is taken from Ref. B-18.
t:I:I I ....
VI
o o tz:I I
~ ~ co (J\ I o .... .... -~ . w
System-Component Identification Failure Mode
Tsnks and pressure All vessel - general Disruptive
failure
Welds Leak
Flanges and closure Rupture
Gaskets Leak
Pressurizer Leak
Demineralizer Leak
TABLE B-4 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
TANKS AND PRESSURE VESSELS
Failure Frequency, A Demand Failure Probability, Q (l/h) (l/Demand)
5th 95th 5th 95th Percentile Median Percentile Percentile Median Percentile
1 x 10-9 1 x 10-8 3 x 10-8
(3 x 10-12 (I x 10-10 (3 x 10-9
3 x 10-8 3 x 10-7 3 x 10-6
3 x 10-10 3 x 10-9 3 x 10-8
3 x 10-7 3 x 10-6 9 x 10-6
3 x 10-7 1 x 10-6 3 x 10-6
1 x 10-9 1 x 10-8 3 x 10-8
(a)Failure frequencies are from Ref. B-2 generic vessel failure data.
References
B-2
B-2
B-2
B-2
B-2
B-6
(a)
tlIf , .... 0\
c o tzJ I
~ , co 0\ , o .... .... -f . w
System-Component Identification
Piping - general
TABLE B-S FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
PIPING
5th
Failure Frequency, A (l/h)
Demand Failure Probability, Q (l/Demand)
~~ nh ~~ Failure Mode Percentile Median Percentile Percentile Median Percentile References
All (per foot)
Fraction of disruptive failures
2 x 10-11
0.02
2 x 10-10 2 x 10-9
0.05 0.15
B-6
B-2
System-Component Identification
Valves - general
Hotor operated
Hotor operated modu-lating (includes valve operator)
tilt I .... ......
Air solenoid
Air solenoid modu-lating (includes valve operator)
0 0 P:I
Hanual I
~ ~ I Check co 0\ I
0 .... .... -~ < w Injection valve
TABLE B-6 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
VALVES
Failure Frequency, A Demand Failure Probability, Q (lIh) (l/Demand)
5th 95th 5th 95th FaUure Hode PercentUe Hedian Percentile Percentile Hedian Percentile
All 3 x 10-8 1 x 10-6 3 x 10-3
FaU to change 5 x 10-3 6 x 10-3 7 x 10-3 state
FaU to operate 2.4 x 10-6 2.6 x 10-6 2.9 x 10-6
External leak 6 x 10-8 1 x 10-7 2 x 10-7
Plugged 1 x 10-8 3 x 10-8 7 x 10-8
Rupture 1 x 10-10 1 x 10-8 3 x 10-7
FaU to change 1 x 10-3 2 x 10-3 3 x 10-3 state
Fail to operate 7 x 10-7 1 x 10-6 2 x 10-6
External leak 2 x 10-8 1 x 10-7 3 x 10-7
Rupture 1 x 10-10 1 x 10-8 3 x 10-7
FaU to operate 2 x 10-5 6 x 10-5 1 x 10-4
Lesk externally 6 x 10-9 2 x 10-8 6 x 10-8
FaU to change 2 x 10-5 6 x 10-5 2 x 10-4 state
Reverse leak 2 x 10-7 5 x 10-7 2 x 10L6
External leak 2 x 10-8 5 x 10-8 2 x 10-7
Rupture 1 x 10-10 1 x 10-8 3 x 10-7
Control circuit 1 x 10-7 1 x 10-6 1 x 10-5 failure
References
B-8
B-9
B-9
B-9
B-9
B-2
B-9
B-9
B-9
B-2
B-9
B-9
B-9
B-2
B-2
B-2
B-6
TABLE B-6 (Continued)
Failure Frequency, A Demand Failure Probability, Q (l/h) (l/Demand)
System-Component 5th 95th 5th 95th Identification FaUure Hode Percentile Hedian Percentile Percentile Hedian Percentile References
Check valve FaU to operate 2 x 10-8 1 x 10-7 7 x 10-7 B-9 Hydraulic valve All 3 x 10-6 1 x 10-5 3 x 10-5 B-8 actuator
Pneumatic valve All 3 x 10-7 1 x 10-6 3 x 10-6 B-8 actuator
Relief (steam/water) FaU to open 1 x 10-5 1 x 10-4 1 x 10-3 B-6
Spurious/ 3 x 10-6 1 x 10-5 3 x 10-5 B-2
bt . premature open
I Fail to reclose 7 x 10-3 2 x 10-2 6 x 10-2 A-6 ~
00 1 x 10-5 1 x 10-4 1 x 10-3 Relief (helium) FaU to open A-2
Spurious/ 3 x 10-6 1 x 10-5 3 x 10-5 B-2 premature open
Fail to reclose 1 x 10-2 3 x 10-2 9 x 10-2 B-2
Hotor operated FaU to change 3 x 10-5 1 x 10-4 3 x 10-4 B-2 t=' helium isolation state 0 PJ ring valve (with 3 x 10-7 3 x 10-6 3 x 10-5 I Spurious B-2 II: redundant motors) ., operation fJ Bypass leak 3 x 10-7 3 x 10-6 3 x 10-5 B-2 I 00
1 x 10-4 3 x 10-4 9 x 10-4 0'1 Passive helium iso- FaU to change B-2 I 0 lation check valve state ~ ~ Spurious 1 x 10-7 1 x 10-6 1 x 10-5 B-2 -::tt operation ~ < 1 x 10-6 . Bypass leak 3 x 10-6 3 x 10_5 B-2 w
tlII I .... \0
~ o tz:I I
~ ~ I
CD 0\ I o .... .... -f . IJ,)
System-Component Identifieation
Orifiee flow valve (helium)
Failure Hode
External leakl rupture
TABLE 8-6 (Continued)
Failure Frequeney, A (l/h)
Demsnd Failure Probability, Q (l/Demend)
5th 95th 5th 95th Pereentile Hedian Pereentile Pereentile Hedian Pereentile Referenees
3 x 10-10 1 x 10-8 3 x 10-7 8-2
til' I N o
o o PI I
~ ~ I
00 0\ I o ...... ...... -~ . w
System-Component Identificstion
Diesel generator (single unit)
TABLE B-7 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
DIESEL GENERATOR
Failure Frequency, A (l/h)
Demand Failure Probability, Q (l/Demand)
5th 95th 5th 95th FaUure Mode Percentile Median Percentile Percentile Median Percentile References
FaU to start and load on first try
Standby failures 1 x 10-5
FaU to run 1 x 10-5
3 x 10-5 9 x 10-5
8 x 10-5 3 x 10-4
3 x 10-3 3 x 10-2 6 x 10-2 B-3
B-I0
B-11
TABLE B-8 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
INSTRUMENTATION
Failure Frequency, A Demand Failure Probability, Q (l/h) (l/Demand)
System-Component 5th 95th 5th 95th Identification Failure Hode Percentile Hedian Percentile Percentile Hedian Percentile References
Instrumentation - All 1 x 10-7 1 x 10-6 1 x 10-5 B-6 general
Solid state Fail to operate 3 x 10-7 1 x 10-6 1 x 10-5 B-2 instrumentation No output 1 x 10-7 3 x 10-7 9 x 10-7 B-2
Calibration 1 x 10-5 3 x 10-5 9 x 10-5 B-2 shift
til' 1 x 10-6 3 x 10-6 9 x 10-6 I Signal modifier Fail to operate B-2
N .... Setpoint drift 1 x 10-6 3 x 10-6 9 x 10-6 B-12
•• utron flux •• n.or Fail to operate 3 x 10-7 1 x 10-6 4 x 10-6 B-7 (all ranges)
Pressure sensor F~il to operate 7 x 10-10 3 x 10-6 1 x 10-5 B-7
Temperature sensor Out of limits 1 x 10-5 3 x 10-5 9 x 10-5 B-2 t:1
Out of limits 1 x 10-5 3 x 10-5 9 x 10-5 0 Speed (tachometer) B-2 tz:I I sensor
tEl 1 x 10-4 3 x 10-4 9 x 10-4 I-i Hoisture monitor Out of limits B-2
~ sensors I
00 Position (level) Out of limits 1 x 10-5 3 x 10-5 9 x 10-5 0\ B-2
I sensor 0 .... 7 x 10-10 3 x 10-6 1 x 10-5 .... Flow and level sensor Fail to operate B-7 -::0 (using AP)
II) c: PPIS Fail to actuate 1 x 10-5 3 x 10-5 9 x 10-5 B-6 . w SCS
TABLE B-9 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
CONTROL SYSTEMS
Failure Frequency, A Demand Failure Probability, Q (l/h) (l/Demand)
System-Component 5th 95th 5th 95th Identification FaUure Mode PercentUe Median PercentUe PercentUe Median PercentUe References
Main ste.. pressure FaU to operate 3 x 10-6 1 x 10-5 3 x 10-5 B-2 control Drift 1 x 10-5 3 x 10-5 9 x 10-5 B-2
Regulating rod FaU to operate 3 x 10-6 1 x 10-5 3 x 10-5 B-2 control Drift 1 x 10-5 3 x 10-5 9 x 10-5 B-2
Plant protection Spurious signal 2 x 10-6 5 x 10-6 1 x 10-5 B-1 tlrI controls .te~inates feed-• water flow t-) t-)
Signal conditioning FaU to operate 5 x 10-8 4 x 10-6 2 x 10-5 B-7 system
Ste .. line radiation FaU to operate 2 x 10-6 6 x 10-6 1 x 10-5 B-7 monitoring
Pressure switch FaU to operate 2 x 10-11 1 x 10-6 6 x 10-6 3 x 10-6 1 x 10-5 3 x 10-5 B-6 (Q) t::I B-7 (A) 0
Turbine control Out of limits 1 Jt 10-5 3 x 10-5 9 x 10-5 tz:I B-2 • ei Condenser control Out of limits 3 x 10-7 1 x 10-6 3 x 10-6 B-2 fJ RSC! control FaU to operate 2 x 10-6 2 x 10-5 2 x 10-4 B-1 • Q:)
RSCE hopper FaU to operate 6 x 10-7 1 x 10-5 1 x 10-4 B-1 0\
• 0 Neutron control FaUure to 1 x 10-8 1 x 10-5 7 x 10-5 B-1 .... .... insert adequate -l:ItI number of con-CD trol rods < · w
~ I
N W
'=' o tzJ I
ei ~ I co 0\ I o .... .... -~ . w
System-Component Identification
Instrument air
Service water
Offslte power
TABLE B-10 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
PLANT SERVICE SYSTEMS
Failure Frequency, A Demand Failure Probability, Q
FaUure Hode
FaU to operate
FaU to operate
All
5th PercentUe
1 x 10-6
1 x 10-5
6 x 10-6
(l/h)
Hedlan
1 x 10-5
3 x 10-5
1 x 10-5
(l/Demand)
95th 5th 95th PercentUe PercentUe Hedian PercentUe
1 x 10-4
9 x 10-5
2 x 10-5
References
B-2
B-2
B-20
D:I I
N .e-
t:J o tz.I I
~ I 00 0\ I o .... .... -i . w
System-Component Identification
Electric motors and associated equipment
TABLE B-11 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
ELECTRIC MOTORS
Failure Mode
Fail to operate
Fail to run in extreme environment
Failure Frequency, A (l/h)
5th 95th Percentile Median Percentile
3 x 10-6 1 x 10-5 3 x 10-5
3 x 10-4 1 x 10-3 3 x 10-3
Demand Failure Probability, Q (1/DemancU
5th 95th Percentile Median Percentile
1 x 10-4 3 x 10-4 9 x 10-4
References
B-3
B-3
tlI:I I N VI
c ~ I
~ ~ I
00 0\ I o ..... ..... -~ . w
System-Component Identification
Transformers -general
High voltage transformer
Low voltage transformer
TABLE B-12 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
TRANSFORMERS
Failure Frequency, A Demand Failure Probability, Q (l/h) (l/Demand)
5th 95th 5th 95th Failure Hode Percentile Hedian Percentile Percentile Hedian Percentile
All 3 x 10-7 1 x 10-6 3 x 10-6
Trip off Une 1 x 10-6 3 x 10-6 9 x 10-6
Trip off Une 3 x 10-7 1 x 10-6 1 x 10-5
Open/short 3 x 10-7 1 x 10-6 3 x 10-6 windings
Short to ground 3 x 10-7 1 x 10-6 3 x 10-6
References
B-6
B-2
B-2
B-2
B-2
till I ~ G\
g ls:I I
~ ~ I co G\ I o .... .... -~ . w
System-Component Identification
Batteries - general
Battery charger
TABLE B-13 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
BATTERIES
Failure Frequency, A Demand Failure Probability, Q (l/h) (l/Demand)
5th 95th 5th 95th Failure Mode Percentile Median Percentile Percentile Median Percentile
All 3 x 10-7 1 x 10-6 3 x 10-6
Low output 1 x 10-6 3 x 10-6 9 x 10-6 shortened
Voltage 1 x 10-6 3 x 10-6 9 x 10-6 regulation
All 3 x 10-7 1 x 10-6 3 x 10-6
References
B-6
B-3
B-2
B-16
tlII I
N .......
o o t%J I
~ ~ I co 0\ I o ..... ..... -\:d
~ . w
System-Component Identification
Electric conductor -general
Power cable (per 1000 ft circuit)
Signal wire (per 1000 ft circuit)
TABLE B-14 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
ELECTRIC CONDUCTORS
Failure Frequency, A Demand Failure Probability, Q (l/h) (1/Demand)
5th 95th 5th 95th Failure Hode Percentile Hedian Percentile Percentile Hedian Percentile
All 1 x 10-5 3 x 10-5 9 x 10-5
Open 3 x 10-7 1 x 10-6 1 x 10-5
Ground 1 x 10-7 3 x 10-7 9 x 10-7
Open 3 x 10-7 1 x 10-6 1 x 10-5
Ground 3 x 10-8 3 x 10-7 3 x 10-6
Short to power 1 x 10-9 1 x 10-8 1 x 10-7
References
B-2
B-2
B-2
B-2
B-2
B-2
til:! I
to.) 00
t:J o tzJ I
~ 00 0\ I o .... .... -~ . w
System-Component Identification
Circuit breaker -general
TABLE B-1S FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
CIRCUIT BREAKERS
Failure Hode
Fail to change state
Premature transfer
Failure Frequency, A (1/h)
Sth 9Sth Percentile Hedian Percentile
3 x 10-1 1 x 10-6 3 x 10-6
Demand Failure Probability, Q (l/Demand)
Sth 9Sth Percentile Hedian Percentile
3 x 10-4 1 x 10-3 3 x 10-3
References
8-2
8-2
b:f I
N \0
o o PI I
~ ~ I
00 0-I o ..... ..... -~ w
System-Component Identification
Turbine - generator
Bypass valve
TABL~ B-16 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
TURBINE PLANT
Fanure Mode
Inadvertent trip
Fan to change state
5th
Failure Frequency, A (l/h)
95th Percentile Median Percentile
Demand Failure Probability, Q (l/Demand)
5th 95th Percentile Median Percentile
0.03 0.1 0.3
3 x 10-4 1 x 10-3 3 x 10-3
References
A-20
B-1
." I ~ o
8 PJ I
~ ~ I 00 0\ I o .... .... -i . ~
System-Component Identification
Inverter
Feeder
TABLE B-17 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY
OTHER ELECTRICAL COHPONENTS
Failure Frequency, A (l/h)
Demand Failure Probability, Q (l/Demand)
5th 95th 5th 95th Failure Hode Percentile Hedian Percentile Percentile Hedian Percentile References
Fail to operate
Fail to operate
3 z 10-5
1 z 10-7 1 z 10-4
1 z 10-6 3 z 10-4
1 z 10-5
B-6
B-6
TABLE B-18 REPAIR TIMES
CIRCULATORS, BLOWERS, AND FANS
Repair Time, r (h)
System-Component 5th 95th Identification Failure Mode Percentile Median Percentile References
Helium circulators - steam driven, All - unit malfunction 2.0 120 1200 B-2 water lubricated
Machine, drive, and lubrication Fail to operate 2.0 250 1200 B-2
Power supply Loss of steam 1.0 37 300 B-2
Control system Fail to operate 1.0 7 70 B-2 bit Out of limits 1.0 1 10 B-2 I w .... Electric motor driven, oil All - unit malfunction 2.0 120 300 B-2
lubricated
Machine, drive, and lubrication Fail to operate 2.0 250 300 B-2
Power supply Loss of electric power 1.0 37 200 B-2
1:1 Control system Fail to operate 1.0 7 70 B-2 0 pj Out of limits 1.0 1 10 B-2 I ::II o-i Fail to start 1.0 7 150 B-2 ~ I Electric motor driven, magnetic 00 0\ bearings I 0 .... Machine and drive Fail to operate 50.0 130 348 (a) .... -l:I:I Power supply Loss of electric power 1.0 37 200 B-2 C1)
< . w
TABLE B-18 (Continued)
Repair Time, r (h)
System-Component 5th 95th Identification Failure Mode Percentile Median Percentile References
Control system Fail to operate 1.0 37 200 B-2
Magnetic bearings Fail to operate 50.0 130 348 (b)
Solid state controller Fail to operate 0.25 6 70 B-2
Blowers/fans Fail to start 4.0 40 100 B-2
Fail to run 10.0 100 1000 B-5
~ (a)Repair time data is predicted on Ref. B-2 with an additional 48 h added to account for startup w N and shutdown of the plant.
o o P:I I
~ ~ I
co C\ I o I-' I-' -::0 ~ . w
(b)Repair time is assumed to be the same as for all failures where the entire circulator assembly is replaced by a spare unit and repaired ex-situ.
tld I
W W
~
System-Component Identification
Steam generator
Heat exchangers - general
Feedwater heater
Cooler
Desuperheater
Condenser
Air blast heat exchanger
Deaerator
~ Auxiliary boiler I
~ ~ I co 0\ I o ~ ~ -i . w
TABLE B-19 REPAIR TIMES
HEAT EXCHANGERS
Failure Mode
Tube leak
All
Tube leak
All
All
Tube leak
.Rapid loss of vacuum
Fail to start
Fail to run
Failure of level control
Fail to start
Fail to run
Fail to deliver steam in T minutes
Repair Time, T (h)
5th 95th Percentile Median Percentile References
30.0 180 7000 B-2(a)
4.0 100 6000 B-2
4.0 30 200 B-2
4.0 30 200 B-2
4.0 30 200 B-2
4.0 60 400 B-2
4.0 60 400 B-2
5.0 24 144 B-1
5.0 24 144 B-1
0.25 6 70 (b)
4.0 40 500 B-2
4.0 40 500 B-2
4.0 40 500 B-2
b:I I
lot ,t:o.
g tzJ I
~ I
00 CJ\ I o .... .... -!:tI ~ . lot
TABLE B-19 (Continued)
(a)Repair times for the 5th and 95th percentiles are from Ref. B-2. The median value for repair time is predicated on the data given below:
Type of assessment Corrective maintenance (tube plugging).
System
Subsystem
Component
Number
Method
Frequency
Approach
Access
Layout
Complexity
Equipment/tools
Radiation level
Heat transport.
Steam generator.
Tubes.
350 as built per module.
Identifying and plugging leak tubes
As required.
In the event of a tube failure, perform leak testing with module shutdown, to locate tube to be plugged. The tube is plugged at both ends. The plugs can be installed manually, which is efficient for small number of leaking tubes and acceptable radiation levels. For larger number of leaking tubes or high radiation levels, a remote automatic system with manual installation would be used.
Most likely remote controlled after manual installation of equipment in high radiation areas.
Steam generator tubes are accessible for plugging at two locations. One location is feedwater tubesheet region below tube bundle, the second location is steam tubesheet region above the tube bundle at the point where steam leaves vessel. Platforms required at access covers on both ends.
Location of tube-moderate. Plugging of tube-moderate.
Location of tube; remote positioner and templet, mass spectrometer, vacuum pump, tubing. Tube plugging; plug, remote positioner (possible), tube preparation and plug installation tools •
High near tubesheet. Low at access covers.
b:I I
W VI
o o P:I I
~ ~ I
00 0'1 I o ..... ..... -::d (\I
< . w
Human factors
Calendar time required
Average number of people
TABLE B-19 (Continued)
Adequate shielding and remote control equipment in high radiation field. Temperature.
7 to 8 days (includes setup and decontamination time).
8 maintenance personnel + 1 health physicist.
Other Design not developed to extent required for detailed assessment. Preliminary appraisal given. Very preliminary time estimate.
(b)Repair times are based on engineering judgment predicted upon Ref. B-2 data for generic equipment.
till I
W CJ\
~ I
~ I
00 CJ\ I o .... .... -i . w
System-Component Identification
Pumps - general
Electric motor driven
Steam turbine driven
Feedwater pumps - electric motor driven
Steam turbine driven
Low pressure feedwater pumps
Air ejector pumps
Condensate pumps
TABLE B-20 REPAIR TIMES
PUMPS
Failure Mode
All
Intake blockage
Fail to operate
Fail to run in extreme environment
Fail to run
Fail to operate
Loss of drive
Loss of power supply
Loss of drive
Loss of power supply
Fail to run
Fail to run
Fail to run
Repair Time, T (h)
5th 95th Percentile Median Percentile References
4 40 400 B-2
6 300 1800 B-18
4 40 400 B-2
4 40 400 B-2
4 40 400 B-2
4 40 400 B-2
4 40 400 B-2
4 40 400 B-2
4 40 400 B-2
4 40 400 B-2
4 40 400 B-2
4 40 400 B-2
4 40 400 B-2
b:I I w .....
o o ~ I
System-Component Identification·
Tanks and pressure vessels - general
Welds
Flanges and closures
Gaskets
Pressurizer
Demineralizer
TABLE B-21 REPAIR TIMES
TANKS AND PRESSURE VESSELS
Repair Time, T (h)
5th 95th Failure Mode Percentile Median Percentile References
All 8 40 104 B-2
Disruptive failure 8 40 104 B-2
Leak 8 40 104 B-2
Rupture 8 40 104 B-2
Leak 8 40 104 B-2
Leak 8 40 104 (a)
Leak 8 40 104 (b)
~ (a)Repair time data is predicted on Ref. B-2 with an additional 48 h added to account for startup ~ ~ and shutdown of the plant. I
~ (b)Repair time is assumed to be the same as for major mechanical failures where the entire circulator I o assembly must be replaced. ~ ~ ~
~
~ . w
~ , w 00
t:J o tz:I , ei ~ , 00 0\ , o ..... ..... -5' . w
System-Component Identification
Piping - general
TABLE B-22 REPAIR TIMES
PIPING
Failure Mode
All (per foot)
Disruptive failure
Repair Time, T (h)
5th 95th Percentile Median Percentile References
2 30 100 B-2
2 30 100 B-2
TABLE B-23 REPAIR TIMES
VALVES
Repair Time, T (h)
System-Component 5th 95th Identification Failure Mode Percentile Median Percentile References
Valves - general All 3 100 3000 B-8
Motor operated Fail to change state 3 24 3000 B-2
Motor operated modulating (includes Fail to operate 3 24 3000 B-2 valve operator) External leak 3 24 3000 B-2
Plugged 3 24 3000 (a) tlIt I Rupture 3 24 3000 B-2 \oJ \0
Air solenoid Fail to change state 3 24 3000 B-2
Air solenoid modulating (includes Fail to operate 3 24 3000 (a) valve operator) External leak 3 24 3000 B-2
Rupture 3 24 3000 B-2 c 0 Manual Fail to operate 3 24 3000 B-2 l"J I
~ External leak 3 24 3000 B-2 ~ Check Fail to change state 3 24 3000 B-2 I co 0\ Reverse leak 3 24 3000 B-2 I 0 .... External leak 3 24 3000 B-2 .... -::G Rupture 3 24 3000 B-2 CD -< . \oJ
System-Component Identification
Hydraulic valve actuator
Pneumatic valve actuator
Relief (steam/water)
Motor operated helium isolation ring ~ valve (with redundant motors) I ~ o
Passive helium isolation check valve
o o Orifice flow valve (helium) M I
~
TABLE B-23 (Continued)
Failure Mode
All
All
Fail to open
Spurious/premature open
Fail to rec10se
Fail to change state
Spurious operation
Bypass leak
Fail to change state
Spurious operation
Bypass leak
External leak/rupture
Repair Time, T (h)
5th 95th Percentile Median Percentile References
3 24 3000 B-8
3 100 3000 B-8
3 24 3000 B-2
3 24 3000 B-2
3 24 3000 B-2
2 100 1000 B-2
2 100 1000 B-2
2 100 1000 B-2
2 100 1000 B-2
2 100 1000 B-2
2 100 1000 B-2
3 24 3000 B-2
~ (a)Repair times are based on engineering judgment predicted upon Ref. B-2 data for generic equipment. I ~ 0\ I o ~ ~ ~
~
~ . w
tlIf I ~ ......
o o t%J I
~ ~ I
00 0\ I o ...... ...... -:;d ~
< w
System-Component Identification
Diesel generator (single unit)
TABLE B-24 REPAIR TIMES
DIESEL GENERATORS
Failure Mode
Fail to start and load on first try
Standby failures
Fail to run
Repair Time, r (h)
5th 95th Percentile Median Percentile References
1 21 400 B-3
1 21 400 B-10
1 21 400 B-2
tlI:I I ~ N
tj o tSJ I
~ ~ I co 0\ I o ..... ..... -~ . w
System-Component Identification
Instrumentation - general
Solid state instrumentation
Signal modifier
Neutron flux sensor (all ranges)
Pressure sensor
Temperature sensor
Speed (tachometer) sensor
Moisture monitor sensors
Position (level) sensors
Flow and level sensors (using AP)
TABLE B-25 REPAIR TIMES
INSTRUMENTATION
Failure Mode
All
Fail to operate
No output
Calibration shift
Fail to operate
Setpoint drift
Fail to operate
Fail to operate
Out of limits
Out of limits
Out of limits
Out of limits
Fail to operate
Repair Time, r (h)
5th 95th Percentile Median Percentile References
0.25 6 70 B-2
0.25 6 70 B-2
0.25 6 70 B-2
0.25 6 70 B-2
0.25 6 70 B-2
0.25 6 70 B-12
0.25 6 70 B-2
0.25 6 70 B-2
0.25 6 70 B-2
0.25 6 70 B-2
0.25 6 70 B-2
0.25 6 70 B-2
0.25 6 70 (a)
(a)Repair times are based on engineering judgment predicated upon Ref. B-2 data for generic equipment •
tld I ~ W
o o ~ I
System-Component Identification
Main steam pressure control
Regulating rod control
Plant protection controls
Signal conditioning system
Steamline radiation monitoring
Turbine control
Condenser control
Pressure switch
TABLE B-26 REPAIR TIMES
CONTROL SYSTEMS
Failure Mode
Fail to operate
Drift
Fail to operate
Drift
Spurious signal termi-nates feedwater flow
Fail to operate
Fail to operate
Out of limits
Out of limits
Fail to operate
Repair Time, T Ch>
5th 95th Percentile Median Percentile References
1.0 7 70 B-2
1.0 7 70 B-2
1.0 7 70 B-2
1.0 7 70 B-2
0.25 6 70 Ca>
0.25 6 70 Ca>
0.25 6 70 Ca>
0.25 6 70 B-2
0.25 6 70 B-2
0.25 6 70 Ca>
~ ~ Ca)Repair times are based on engineering judgment predicated upon Ref. B-2 data for generic equipment. I ~ ~ I o ~ ~ --.
~ . w
System-Component Identification
Instrument air
Service water tlI:I
1 Offsite power .I:-
1::1 o tz:I I
~ ~ I
00 0\ I o ~ ~ -~ . w
TABLE B-27 REPAIR TIMES
PLANT SERVICE SYSTEMS
Failure Mode
Fail to operate
Fail to operate
All
Repair Time, T (h)
5th 95th Percentile Median Percentile References
1 7.0 100.0 B-2
1 7.0 100.0 B-2
4 x 10-2 0.3 10.0 B-1
01 I ~ VI
1:1 o PI I
~ ~ I
co 0\ I o .... .... -~ . w
System-Component Identification
Electric motors and associated equipment
TABLE B-28 REPAIR TIMES
ELECTRIC MOTORS
Failure Mode
Fail to operate
Fail to run in extreme environment
Repair Time, T (h)
5th 95th Percentile Median Percentile References
4 40 400 B-3
4 40 400 B-3
till I ~ CJ\
8 tz:I I
ei ~ I
00 CJ\ I o .... .... -i . to)
System-Component Identification
Transformers - general
High voltage transformer
Low voltage transformer
All
TABLE B-29 REPAIR TIMES TRANSFORMERS
Failure Mode
Trip off line
Trip off line
Open/short windings
Short to ground
Repair Time, T (h)
5th 95th Percentile Median Percentile References
5 200 5000 B-2
5 200 5000 B-2
5 200 5000 B-2
5 200 5000 B-2
5 200 5000 B-2
tlII , ~ ......
t::I o pj , ::x: t-i
fJ , co 0\ , o ..... ..... -~ <: . w
System-Component Identification
Batteries - general
Battery charger
All
TABLE B-30 REPAIR TIMES
BATTERIES
Failure Mode
Low output shortened
Voltage regulation
All
Repair Time, r (h)
5th 95th Percentile Median Percentile References
1 5 100 B-2
1 5 100 B-3
1 5 100 B-2
1 5 100 B-2
t:IIS I ~ 00
t:1 o t1l I
~ ~ I
00 0\ I o .... .... -~ . w
System-Component Identification
Electric conductor - general
Power cable (per 1000 ft circuit)
TABLE B-31 REPAIR TIMES
ELECTRIC CONDUCTORS
Failure Mode
All
Open
Ground
Signal wire (per 1000 ft circuit) Open
Ground
Short to power
Repair Time, T (h)
5th 95th Percentile Median Percentile References
3 5 15 B-2
3 5 15 B-2
3 5 15 B-2
3 5 15 B-2
3 5 15 B-2
3 5 15 B-2
D:I I ~ \0
'=' o tI:J I
~ ~ 00 0\ I o 't:: -i . w
System-Component Identification
Circuit breaker - general
TABLE B-32 REPAIR TIMES
CIRCUIT BREAKERS
Failure Mode
Fail to change state
Premature transfer
Repair Time, T (h)
5th 95th Percentile Median Percentile References
1 6 3000 B-2
1 6 3000 B-2
"" , VI o
g tz:I , ei ~ , 00 0\ , o .... .... -~ . w
Inverter
System-Component Identification
TABLE B-33
REPAIR TIMES
OTHER ELECTRICAL COMPONENTS
Repair Time, T (h)
5th 95th Failure Mode Percentile Median Percentile References
Fail to operate 0.25 6 70 B-2
TABLE B-34 COHHON HODE FAILURE FACTORS
No. of Systems-Components Common Hode Failure Factor, p
Experiencing Total System-Component COIIIIIOn Hode System-Component 5th 95th Identification FaUure Hode FaUure Population PercentUe Hedian Percentile References
Condenser Leak 2 2 2 x 10-3 0.02 0.2 (a)
Feedwater heater Leak 2 2 2 x 10-3 0.02 0.2 (a)
Heat exchanger Flow 2 2 1 x 10-3 5 x 10-2 0.5 (b) restriction
DemineraUzer Leak 2 2 2 x 10-3 0.02 0.2 (a)
BOP piping Rupture 2 2 2 x 10-3 0.02 0.1 B-1 ~ Valves - motor operated FaU to change 2 2 0.1 0.2 0.3 B-17(c) I
\J1 block state 4 4 2 x 10-3 7 x 10-3 2 x 10-2 B-14 .... Hotor operated FaU to operate 3 3 4 x 10-3 2 x 10-2 5 x 10_2 B-14 modulating 2 2 0.05 0.09 0.1 B-14
Check Fail to operate 2 2 0.04 0.1 0.2 B-14 3 3 0.01 0.05 0.1 B-14
Reverse leakage 3 3 0.01 0.06 0.2 B-14 t::=' Turbine bypass valve FaU to change 2 2 0.1 0.2 0.3 B-17 (c) 0 t'II state I tIl Battery Low voltage 2 2 1 x 10-3 0.05 0.5 (b) ~
fJ Inverter FaU to operate 2 2 1 x 10-3 0.05 0.5 (b) I 00
Feeder Fail to operate 0\ 2 2 0.05 0.1 0.2 Cd) I
0 Circuit breaker Premature 4 4 0.05 0.1 0.2 B-16 .... .... - transfer 2 2 0.05 0.1 0.2 B-16 !;I::I Deaerator Low level 2 2 0.04 0.07 0.1 B-7 $ <: . w
System-Component Identification
Pump - general
Circuit breaker
Battery charger
Transformers
~ Diesel generator VI I')
Turbine/generator
Hagnetic bearings
FaUure Hode
FaU to operate
Fail to start
FaU to change state
Fail to operate
All
Fail to start
FaU to run
Trip
Fail to· operate
TABLE B-34 (Continued)
No. of Systems-Components
Experiencing Total Common Hode System-Component
FaUure PopUlation
2 2 3 3
2 2
2 2
8 8
2 2
2 2
2 2
2 2
4 4
Common Hode Failure Factor, p 5th 95th
PercentUe Hedian Percentile References
0.01 0.06 0.2 B-13 0.01 0.06 0.2 B-13
0.1 0.2 0.4 B-17(c)
0.05 0.1 0.2 B-16
1 x 10-3 0.05 0.5 (b)
1 x 10-3 5 x 10-2 0.5 (b)
5 x 10-3 1 x 10-2 3 x 10-2 B-16
1.8 x 10-2 2.2 x 10-2 2.3 x 10-2 B-ll
0.4 0.5 0.7 (e)
1 x 10-3 5 x 10-2 0.5 (b)
(a)Yaluea for condenser, feedwster heater, and demineralizer common mode failures have been assumed to be similar to ~ pipe rupture data cited in Ref. B-1. Upper and lower bounds were determined using an uncertainty factor of 10. o ~ (b)These are generic data taken from Ref. B-16.
~ (c)The 5th percentile value was estimated from the median and 95th percentile by assuming a lognormal distribution. C)
~ (d)Data has been assumed to be similar to that for circuit breakers.
~ (e)Based upon operational experience with the gas-cooled HAGNOX reactors of the Central Electricity Generating Board b (CEGB) in Ref. B-28. The methodology of Ref. B-19 was used to obtain the 5th and 95th percentile values • .... ....
. -.~ ~ . w
B.4. REFERENCES
B-l. Fleming, K. N., et a1., "HTGR Accident Initiation and Progres
sion Analysis Status Report - Phase II Asses~ment," GA Report
GA-A15000, April 1978.
B-2. Hannaman, G. W., "GCR Reliability Data Bank Status Report,"
GA Report GA-A14839, July 1978.
B-3. "Reactor Safety Study: Appendix III Failure Data, Appendix IV
Common Mode Failure," U.S. Nuclear Regulatory Commission Report
WASH-1400 (NUREG 75/104), October 1975.
B-4. "State of the Art of Solid-State Motor Controllers," NUREG/
CR-4180, September 1984.
B-5. "Nuclear Plant Reliability Data System (NPRDS) - 1980 Annual
Report of Cumulative System and Component Reliability,"
NUREG/CR-2232.
B-6. "Generic Data Base for Data and Models Chapter of the National
Reliability Evaluation Program (NREP) Guide," EG&G Idaho Report
EGG-EA-5887, June 1982.
B-7. "Common Cause Fault Rates for Instrumentation and Control
Assemblies," NUREG/CR-3289, May 1983.
B-8. "IEEE G~ide to the Collection and Presentation of Electrical,
Electronic, Sensing Component, and Mechanical Equipment Relia
bility Data for Nuclear-Power Generating Stations," IEEE
Std. 500-1984.
B-9. "Data Summaries of Licensee Event Reports of Valves at U.S.
Commercial Nuclear Power Plants," January 1976 through December
1980, NUREG/CR-1363, Revision 1, October 1982.
B-10. "Operating Units Status Report, Licensed Operating Reactors:
Data for Decision," Nuclear Regulatory Commission Monthly
Publications, NUREG-0020-1-12, 1976 (Gray Books).
B-11. "Common Cause Fault Rates for Diesel Generators: Estimates Based
on Licensee Event Reports at U.S. Commercial Nuclear Power
Plants, 1976-1978," NUREG/CR-2099, June 1982.
B-12. Melvin, J. G. and R. B. Maxwell, "Reliability/Maintainablity,"
Chalk River Nuclear Laboratories Report AECL-4607, January 1974 •
..
B-53 DOE HTGR-86-011/Rev. 3
B-13. "Common Cause Fault Rates for Pumps, 1972-1980," NUREG/CR-2098,
February 1983.
B-14. "Common Cause Fault Rates for Valves, 1976-1980," NUREG/CR-2770,
February 1983.
B-1S. Edwards, G. T., and I. A. Was ton , "A Study of Common Mode
Failure," Safety and Reliability Directorate Report SRD R146,
UKAEA, July 1979.
B-16. "Seabrook Station Probabilistic Safety Assessment," Pickard,
Lowe, and Garrick, Inc., Report PLG-0300, December 1983.
B-17. "Synthesis of Experience Data for Risk Assessment and Design
Improvement of Gas-Cooled Reactors," GA Report GA-A14924,
Hay 1978.
B-18. DNuclear Plant Reliability Data System (NPRDS) 1979 Annual
Reports of Cumulative System and Component Reliability," South
west Research Institute, San Antonio, Texas, September 1980,
NUREG/CR-1635.
B-19. "HTGR Accident Initiation and Progression Analysis Status
Report - AIPA Risk Assessment Methodology," ERDA Report GA-A13617
Vol. II, October 1975.
B-20. "HTGR Accident Initiation and Progression Analysis Status
Report - Phase I Analyses and R&D Recommendations," ERDA Report
GA-A13617, Vol. IV, December 1975.
B-21. Humphreys, M., and B. K. Daniels, "How Do Electronic System
Failure Rate Prediction Compare With Field Experience?"
sas/GR/58, October 1982.
B-22. Nicholson, R. D., and A. T. Price, "Service Experience of
Nickel-Based Transition Joints, "Central Electricity Generating
Board, Great Britain.
B-23. Nuclear Power Experience, Petroleum Information Corporation.
B-24. National Electric Reliability Council (NERC).
B-25. Tatone, O. S., and R. S. Pathania, DSteam Generator Tube
Performance: Experience With Water-Cooled Nuclear Power Reactors
During 1978," Nuclear Safety. V. 21. 6, November-December 1980.
B-54 DOE-HTGR-86-011/Rev. 3
B-26. Tatone, O. S., and R. S. Pathonia, "Steam Generator Tube
Performance: Experience With Water-Cooled Nuclear Power Reactors
During 1979, AECL-7251, March 1981.
B-27. "Safety Risk Assessment of the HTGR Steam Cycle/Cogeneration
Plant," GA Report GA-A17000, May 1983.
B-28. Cave, L., R. S. Cow, and A. J. J. MacArthur, "Effects of Loss of
Grid Supply on U.K. Nuclear Power Stations," presented at
LlKAEA/JAPC/CEGB/SSEB Meeting, 1975.
B-55 DOE-HTGR-86-011/Rev. 3
10-1
> !:: -' ca 10-2 cC CD CI ~ A. ~
10-3 CI ~ ~ Y.I
Z < ~ 10-4 = :c
10-5
HT-001(106)
----------------, , -- , --- , -- \ --, , "- \ '\ '\
'\ , '\ '\ , ,
'\ '\ , '\ . ... . -----. . -----. , ------, , , , " ,
'\ '\
'\
'--, " --
102
TIME IN MINUTES
" 'OlIo 'OlIo -,
Fig. B-1. Operator response model form the MHTGR
" OlIo, --
B-56 DOE-HTGR-86-011/Rev. 3
APPENDIX C EVENT TREE CONSTRUCTION AND QUANTIFICATION
As discussed in Section 7, event trees were utilized to assess the
frequency of accidents contributing to plant risk. This appendix
details the manner in which event trees were constructed and quantified
for the risk assessment.
In this assessment, event trees were constructed and quantified for
each of the seven initiating events defined in Section 5. These
initiating events are
1. Primary coolant leaks.
2. Loss of main loop cooling.
3. Earthquakes.
4. Loss of offsite power with turbine trip.
5. Anticipated transients requiring scram.
6. Inadvertent control rod withdrawal.
7. Small and large steam generator leaks.
This set of initiating events were selected in Section 5 as covering the
dominant precursors to radiological release commensurate with the cur
rent stage of the MHTGR design. As such, they are believed to provide
adequate bases for meeting the objectives of this study as discussed in
Section 1. Utilizing the Section 6 discussions of plant response to
these initiating events and system reliability models, event trees were
constructed to depict various event sequences possible following each
initiator. Each event sequence's frequency was then assessed by evalu
ating the initiating event frequency and branch point conditional proba
bilities within an event tree using fault tree or other appropriate
methodologies as described in Section 3. Finally, the initiating event
C-1 DOE-HTGR-86-011/Rev. 3
frequency and subsequent event probabilities were statistically combined
to yield a frequency for each event tree sequence.
The component level data base used in the frequency assessment is
described in Appendix B. This data base includes component operating
failure rates, demand failure probabilities, common mode failure frac
tions, repair times, and uncertainty distributions. Appendix B also
contains the offsite power reliability and restoration model used in the
assessment. Appendix A contains the probabilistic failure models used
in predicting the failure rate and size distribution for primary coolant
leaks.
The technique used to quantify the uncertainty in frequency proba
bilities is the same as that used in the Reactor Safety Study (Ref. C-l)
and is known as the Monte Carlo method of error propagation. The method
consists of statistically combining the uncertainty distribution for
the input parameters associated with the fault tree evaluation using
Monte Carlo si~lation to arrive at an uncertainty distribution for the
top, event, or fault tree probability. In a similar manner, the various
event probability distributions, so generated, can be statistically com
bined to arrive at uncertainty distributions for the various event tree
sequence frequencies. With the use of the methods introduced earlier,
an algebraic expression is obtained relating the desired branch point
probabilities to the input parameters, e.g., failure rates, repair
times, and common mode parameters. Uncertainties in the input param
eters are considered by assigning an uncertainty distribution to each
parameter. This information is then input to the computer code STADIC-2
(Ref. C-2), which uses Monte Carlo simulation of the distributions to
generate an uncertainty distribution in the branch point probability as
well as the mean and median estimates for the accident sequence frequen
cies. Appendix C contains further discussion of the methods used to
quantify the uncertainties.
C-2 DOE-HTGR-86-011/Rev. 3
Each of the accident initiators are discussed with their corres
ponding event trees in Sections C.l through C.8. Sequential subsections
of Appendix C describe the manner that each tree's initiating event fre
quency, as well as branching probabilities of subsequent events, were
quantified. In cases where the median sequence frequency exceeded 10-8
per year and a radionuclide release occurred, the event sequence is
designated with an appropriate release category designation as shown on
the Appendix C event trees. Frequency distributions for event sequences
contributing to the same release category are then statistically summed
to determine the frequency distributions for the release category.
These category frequency distributions are listed in Section C.9.
C.l. PRIMARY COOLANT LEAKS
As an initiating event, primary coolant leaks are of interest for
several reasons. Because of the activity circulating with the primary
coolant or plated out around the primary coolant circuit, failure of the
primary coolant pressure boundary necessarily results in some, albeit
limited,release of radionuclides to the environment regardless of any
subsequent plant response. Additionally, if the leak is of sufficient
size, the damage to surrounding equipments resulting from the leak may
threaten the integrity of core cooling systems and allow for graphite
oxidation as a result of air ingress. Given that a leak occurs, various
possible plant responses which affect consequence determination are
possible. These various scenarios are depicted as event sequences in
Fig. C-l. In this section, the likelihood of these various scenarios or
event sequences occurring is discussed.
C.l.l. Primary Coolant Leak Occurs
The initiating event in Fig. C-l is a primary coolant leak that
engenders a module shutdown. Because the helium purification subsystem
is sized so that it can automatically maintain primary coolant pres
sure for leaks smaller than about 3 x 10-5 in.2, no shutdown would be
C-3 DOE-HTGR-86-0ll/Rev. 3
required. Therefore, this leak size is used in this assessment to dif
ferentiate between "normal leakage" and transients. Using this working
definition, only pressure boundary failures resulting in greater leak
sizes than this are included within the accident initiating event.
While simultaneous leaks in two or more of the independent modules are
theoretically possible, excluding the outside forces (both external
events and multiple module thermal transients) which are covered else
where, the likelihood of this is sufficiently small to be ignored here.
As shown in Fig. C-1, the median frequency of a leak larger than
3 x 10-5 in. 2 occurring in anyone of the four modules is assessed at
0.26 per year. This frequency was determined utilizing a probabilistic
model, which is described in Appendix A. The model divides the problem
into two parts:
1. The frequency at which a leak of any size occurs (event 1 of
Fig. C-1).
2. The conditional probability that the leak exceeds a particular
size, given a leak occurs (event 2 of Fig. C-1).
In the Appendix A model, the frequency at which a leak of any size
occurs is estimated based upon operating experience data, available
literature, and probabilistic fracture mechanic studies.
C.1.2. Leak Size Distribution
Given that a leak occurs, it may occur over a spectrum of sizes
ranging from the more likely leaks only somewhat larger than the 3 x
10-5 in. 2 threshold to large leaks such as a connecting pipe failure.
Based upon the probabilistic leak model described in Ref. C-3, the
largest leak having a significant probability of occurrence is failure
of the 13 in. 2 relief valve or its connecting pipe. Because plant
systems response and resulting offsite doses are dependent upon leak
C-4 DOE-HTGR-86-011/Rev. 3
size, it is convenient to divide up the event tree based on leak size.
Event 2 in Fig. C-l provides the relative probabilities of leak size
ranges:
1. 3 x 10-5 to 2 x 10-3 in. 2•
2. 2 x 10-3 to 3 x 10-2 in. 2•
3. 3 x 10-2 to 1 in. 2•
4. 1 to 13 in. 2•
As previously discussed, no module shutdown is required if the depres
surization area is less than 3 x 10-5 in. 2 because the HPS automatically
maintains primary coolant inventory.
For leak sizes between the threshold of 3 x 10-5 and 2 x 10-3 in.2,
no impact on the performance of other systems is predicted, and the
branch probabilities of subsequent events can be calculated independent
of the initiating event. Therefore, leaks in this size range are
grouped together.
If the leak size is greater than or equal to 2 x 10-3 in. 2 and is
located in the HTS circulator enclosure, it is estimated that the
resulting primary coolant depressurization may damage the circulator
wiring. Thus, there is a possibility that the initiating event causes
an HTS failure in the affected module by damaging the HTS circulator.
A leak size of greater than or equal to 2 x 10-3 in. 2 results in a
primary coolant egress rate in excess of the normal building leakage
rate causing the reactor building dampers to lift, increasing the build
ing leakage rate. Consequently, this leak size is important with
respect to reactor building response during the accident.
It is assessed that a break of 3 x 10-2 in. 2 located in the SCS
circulator enclosure is the critical leak size for SCS circulator damage
for that module. Hence, if such a primary coolant leak occurs in the
C-5 DOE-HTGR-86-011/Rev. 3
SCS circulator enclosure, the initiating event is assumed to incapaci
tate the SCS.
Leak sizes greater than 1 in. 2 are estimated to require less than
1 h for the primary coolant to depressurize. Because transferring
significant primary coolant to helium storage by pumping down through
the HPS before it leaks could not be accomplished in this time, HPS
pump downs do not appreciably alter the consequences from accidents due
to leaks greater than 1 in. 2 •
A 13-in. 2 break corresponds to a guillotine rupture of a primary
relief train line. Other possible contributors to this size range of
1 to 13 in. 2 are leaks due to bolted vessel closures and joints, welds,
etc., as discussed in Appendix A.
C.1.3. Reactor Tripped with Control Rods
Since the initiating event is a primary coolant leak large enough
to require a module shutdown, one of the first responses to the leak is
a reactor trip. The PPIS is designed to monitor for primary coolant
leaks. Upon sensing a low primary coolant pressure [less than 5800 kPa
(835 psia) as discussed in Section 6.1.1], the PPIS will initiate a
reactor shutdown by insertion of the outer control rods. Event 3
considers the probability of successfully accomplishing this normal
trip.
The probability that the module fails to trip independent of the
effects of the leak is based on the model developed in Ref. C-3 and dis
cussed briefly in Section C.5. The failure model includes malfunction
of the redundant channels, common mode failure of the control rod
drives, common mode failure of the scram contractors, or common mode
failure in the PPIS scram logic. While failure should properly be
defined as failure to insert sufficient control rods to achieve a hot
shutdown, the number of control rods required to achieve this varies
C-6 DOE-HTGR-86-011/Rev. 3
with operating history. As a simplifying assumption which does not
significantly impact results, failure to insert three or more control
rods (still leaving sufficient rods to achieve cold shutdown under most
conditions) is assumed to constitute a failure to trip.
The probability that the module fails to trip can also be dependent
on the primary coolant leak. Several mechanisms were identified by
which a leak might re~ult in dependent failures of systems or subsystems
important to events 3 through 6 of Fig. C-1. Three dominant mechanisms
were identified:
1. Pressure/pressure forces.
2. Heat.
3. Missiles.
They were not found to affect the failure probability for reactor trip
as discussed below.
In order to fail to have a reactor trip, the Neutron Control Sub
system must fail to insert control rods. A failure mechanism which
could prevent reactor trip involves a shearing of the control rod guide
assemblies in the upper plenum due to forces imposed on the guide assem
blies by helium flow out a hole in the reactor vessel head. However, it
is estimated that the hole size on the reactor head that is necessary to
prevent reactor trip by this mechanism is several orders of magnitude
larger than the largest sized hole assessed as having any reasonable
probability of occurrence.
Two other mechanisms having the potential to cause a dependent
failure to trip - heat and missiles - were also dismissed. The Neutron
Control Subsystem is immersed in stagnant helium inside the primary
coolant boundary. It would take a significant but undetermined amount
of time for hot helium leaking out through a Control Rod Drive Housing
to make inoperative the enclosed control elements. Furthermore, the
C-7 DOE-HTGR-86-011/Rev. 3
failure of a single rod or a pair of rods to go into the core does not
prevent a successful reactor trip. Each Control Rod Drive Housing also
protects its Neutron Control Subsystem from missiles. In addition, a
thermal barrier/gamma shield protects all lines to the housing from heat
and missiles. In any case, severing the electrical lines to a Control
Rod Drive Housing would result in the control rods dropping into the
core.
Thus, the failure probability for reactor trip is assessed as
independent of these three potential mechanisms by which the occurrence
of primary coolant leak may influence plant system and subsystem
performance.
C.l.4. Reactor Shutdown Using Reserve Shutdown Material
As described above, the MaTGR is designed to respond to a primary
coolant leak by shutting down the reactor with the control rods. How
ever, in the unlikely event that this normal trip does not occur a
secondary means of shutting down the reactor is automatically activated;
and the reserve shutdown material (boronated pellets) is dumped into the
core. In event 3, the operation of this secondary means of shutdown is
considered.
Three cases for consideration exist. If the control rod trip is
successful, as is the case in the top branch of Fig. C-l, then there is
no call for insertion of the reserve shutdown material and the event is
shown with a dotted line. In the second case where the normal trip has
failed, the probability of the RSCE being successfully inserted can be
calculated independent of the leak or normal trip failure.
Independent failures of the RSCE are modeled similar to failures in
the normal trip system and are discussed further in Section C.S.
C-8 DOE-HTGR-86-011/Rev. 3
C.1.5. Heat Transport System Cooling Maintained
Following reactor trip, shutdown core cooling must be provided
until either the primary coolant leak is repaired and the module is
returned to power operation or until decay heat levels are so low as to
no longer require operation of any of the MHTGR core cooling systems.
Event 5 considers the probability that cooling can be provided by the
HTS.
Two general categories of HTS failure are addressed in event 5:
1. Failure of the HTS to survive the initiating event.
2. Failure of the HTS to continue operating given that it has
survived the initiating event.
Leak-induced HTS failures were only found to have significant
impact on the failure probability for event 5 in the 2 x 10-3 to 3 x
10-2 in. 2 size range. As discussed in Section C.1.2, the conditional
probability of a leak this size occurring in the HTS circulator enclo
sure and damaging circulator wiring such that the HTS is unable to
remove decay heat has been considered.
The reliability model of core cooling provided by the HTS is
discussed in Section C.2 in some detail and is therefore not discussed
further here. The assessed probability that the HTS fails independently
of the initiating event is 0.17. This can be seen in Fig. C-1 for all
leak sizes where the probability of a leak-induced failure is negligible
(i.e., all cases except the 2 x 10-3 to 3 x 10-2 in. 2 size range). This
result is based on the HTS failure rate given in the next section and
assuming a two-month cooling mission time. That is to say, the module
is not returned to service (not repaired) before two months, but after
this time the fuel could be off loaded, if necessary.
C-9 DOE-HTGR-86-011/Rev. 3
C.1.6. Cooling Provided by SCS
If HTS cooling is lost in event 5, coolant flow can be restored by
either the PPIS or the operator starting the SCS. Event 6 considers
whether or not the SCS is successfully started, and if it is started,
whether it runs until HTS cooling is restored.
As in the case of HTS cooling considered in event 5, two categories
of SCS failure are addressed:
1. Failure of the SCS to survive the initiating event.
2. Failure of the SCS to successfully operate due to failures
independent of the leak, given that it survived the initiating
event.
As discussed in Section C.l.2, leak-induced SCS failures are
important if a leak greater than 3 x 10-2 in. 2 occurs in the right loca
tion of the SCS circulator enclosure. However, the probability of such
a leak causing SCS failure is assessed as much lower than other causes
of SCS failures. Hence, the failure probability for event 5 is domi
nated by the independent failure probability of the SCS.
This independent failure probability of the SCS is calculated
considering failure to start plus the probability that the SCS fails to
operate due to system failures independent of the leak. Using the
detailed failure model described in Section 6.2.2, the probability of
not successfully starting the SCS is calculated. These calculations of
probability are, of course, conditional probabilities contingent upon
the outcome of preceding events (specifically the loss of the HTS). The
analysis here is similar to that of Section C.2, where it is discussed
further.
Even after the SCS starts, event 6 is not judged as successful
unless SCS cooling is maintained until HTS cooling is restored. The
C-10 DOE-HTGR-86-011/Rev. 3
fault tree models of Section 6.2.2 are requantified to assess the run
ning reliability of the SCS, again conditioned upon prior events. These
system re1iabi1ities are expressed as probability densities, combined
with a complementary cumulative distribution function for HTS restora
tion and integrated over time. Consistent with the mission time assump
tion made for the HTS, it is assumed that the SCS must run long enough
so that the combined running time of the HTS and SCS is two months.
Taking the resultant probability that the SCS does not run and
combining it with'the probability that the SCS fails to start gives the
leak size independent probability for event 6. This combined failure
probability is assessed at 0.03 as shown in Fig. C-l.
C.l.7. Cooling Provided by RCCS
Should both HTS and SCS cooling fail, the MHTGR is capable of
rejecting shutdown heat loads by conduction, localized convection, and
radiation to the reactor vessel wall where radiation and convection
carry the heat to the air-cooled Reactor Cavity Cooling System (RCCS)
panels. In event 7, the probability that the RCCS is successful in
providing cooling is considered.
Success of the RCCS is defined as the system continuing to operate
until either of the following conditions exist:
1. One of the two forced core cooling modes is restored (main
loop cooling or the SCS).
2. Decay heat levels are sufficiently low so that a subsequent
loss of cooling would not lead to temperatures threatening
vessel integrity. It is estimated that approximately 38,000 h
of cooling by any combination of HTS/SCS/RCCS is sufficient
time for decay heat to decrease below levels that could
C-ll DOE-HTGR-86-011/Rev. 3
produce excessive vessel temperatures should all three heat
removal systems become subsequently unavailable.
Since the system is continuously operating during normal operation of
the plant, no change of state or other equivalent to a "failure to
start" exists. Furthermore, as discussed in Section 6.2.5, no meteoro
logical or operating conditions outside of those associated with major
disruptive events have been identified which could preclude RCCS oper
ation. Only failures involving the extremely unlikely major structural
collapse of the safety-related RCCS have been identified as capable of
causing RCCS flow blockage. As an estimate of this very low failure
probability, 1 x 10-6 per module has been assigned to the independent
failure probability for event 7.
C.1.8. Primary Coolant Depressurized Through HPS
The design response of the MHTGR to a primary coolant leak is for
the PPIS to automatically initiate an intentional vessel depressuriza
tion through the BPS on low primary coolant pressure and high reactor
building radiation. By pumping some primary coolant to the helium stor
age bottles, the amount of circulating and lifted-off activity released
can be reduced. Event 8 considers whether this pumpdown is successful.
As discussed in Section 6.1.1.1, when the effective leak area is
greater than 1 in.2, the pump down rate is ineffective. Therefore, there
are no branches under the pumpdown event in Fig. C-1 for leak sizes
greater than 1 in. 2•
The HPS unavailability and failure to operate probability are
computed taking into account the common support dependencies between the
HPS and the systems which provide HTS cooling and SCS cooling (i.e.,
electric power and service water systems).
C-12 DOE-HTGR-86-011/Rev. 3
As an example of these common dependencies, loss of electric power
is an HPS failure mode. Consequently, the pumpdown failure probability
is conditionally dependent upon whether the HTS and SCS function suc
cessfully or fail. Therefore, if the HTS operates during the first
30 h following the reactor trip, then the probability that the HPS is
deprived of power during its mission time is zero because the HTS and
HPS are both connected to the nonessential distribution system, and the
intentional depressurization time is 30 h or less. However, if the
HTS fails during the first 30 h, even if the SCS operates successfully,
there is a chance that the pumpdown fails due to a loss of power because
the HPS (unlike the SCS) is not connected to the backup electrical sys
tem. These dependencies are reflected in the different failure proba
bilities assessed for the pump down top event, as a function of the
status of HTS and SCS cooling. The analysis also considers manual
actuation of the pumpdown in the event the automatic start signals fail.
The fault tree analysis for evaluation of the pumpdown event is
described more fully in Section 6.2.3.
C.2. LOSS OF MAIN LOOP COOLING
The loss of main loop cooling is initiated by equipment failures
within the plant which preclude continued operation of the HTS in one or
more modules. As.an initiating event, the loss of main loop forced cir
culation core cooling is of interest as a challenge to the function of
removing core heat and consequently a potential precursor to the incre
mental releases from fuel as discussed in Section 5 (see Fig. 5-1).
Given that such an event occurs, various possible MHTGR responses
resulting in differing alternative cooling modes are possible. These
various scenarios are depicted as event sequences in Fig. C-2. In this
section, the likelihood of these various scenarios or event sequences
occurring is discussed.
C-13 DOE-HTGR-86-011/Rev. 3
C.2.1. Loss of HTS Cooling
As shown in Fig. C-2, the assessed median frequency of event 1, a
loss of HTS cooling, is 2.6 per plant year. The fault tree analysis
used in this quantification is described in considerable detail in Sec
tion 6.2.1. Failures which render the HTS inoperative include not only
failures of equipment within the HTS but also failures of equipment in
the balance of plant (BOP) that are needed for ultimate heat rejection
(e.g., feedwater, condensate, and circulating water systems) as well as
failures in important support systems (e.g., service water, electrical
distribution).
In the fault tree evaluation, distinction is made between those
failures that would affect only one reactor module and those failures
which would impact HTS cooling in all four modules. While failure of
HTS cooling in two or three modules is also possible, system configura
tion in the MHTGR is such that this is considerably less likely. Gen
erally, failures in the individual module's HTS are localized to that
module; whereas BOP failures capable of preventing HTS cooling affect
all four modules. Approximately 80% of the HTS failures included in
event 1 are of the single module type, while the remaining 20% result
in a loss of HTS cooling to all four modules.
There are two general categories of failures which can also pre
clude continued HTS operation but are not included within this initiat
ing event. These are the external events, such as earthquakes or loss
of offsite power and certain in-plant equipment failures (steam gener
ator leaks), which can place additional challenges on the plant beyond
just interrupted forced cooling and also, in the case of external
events, may have a significant impact on system independence modeling.
Because of this, the plant response to these initiators is more
conveniently described with separate fault trees.
C-14 DOE-HTGR-86-011/Rev. 3
C.2.2. Reactor Tripped With Control Rods
Immediately following a loss of HTS cooling, the PPIS is designed
to sense the condition and shut down the reactor by inserting the outer
set of control rods. This reduction in power is performed to assure
that the generated core heat more nearly matches the heat removal capa
bilities of the alternative cooling modes available. Event 2 considers
the probability of successfully accomplishing this.
Normally, a control rod trip would be expected to be triggered by
the main loop trip. However, several other diverse means of sensing the
loss of main loop cooling and triggering the control rod insertion are
available. These include the redundant sensor channels monitoring neu
tron flux to helium mass flow, steam generator inlet temperature and
primary coolant pressure. Beyond failure of the sensor channels, a
failure to trip might result from common mode failure of the control rod
drives, common mode failure of the scram contractors, or common mode
failure in the PPIS scram logic. As seen in Fig. C-2, the PPIS and rod
control equipments are assessed as having a high reliability, and the
probability of them suffering the requisite common mode failures to
preclude shutdown with the control rods is low.
C.2.3. Reactor Shutdown Using Reserve Shutdown Material
As described above, the MHTGR is designed to respond to a loss of
HTS cooling by shutting down the reactor with the control rods. How
ever, in the unlikely event this normal trip does not occur, a secondary
means of shutting down the reactor is automatically actuated, and the
reserve shutdown material (boronated pellets) is dumped into the core.
In event 3, the operation of this secondary means of shutdown is
considered.
Two cases for consideration exist. If the control rod trip is
successful, as is the case in the top branch of Fig. C-2, then there is
C-1S DOE-HTGR-86-011/Rev. 3
no need for insertion of the reserve shutdown material, and the event is
shown with a dotted line. In the less probable case where the normal
trip has not succeeded, a demand for the RSCE exists, and the event
branch point presents the likelihood of success or failure. This secon
dary shutdown can be triggered, after a 30-s delay, either by high neu
tron flux to circulator speed ratio or high primary coolant pressure.
Besides multiple failures of these independent sensor channels, failure
of automatic insertion of RSCE material could be caused by failure of
the PPIS, common mode failure of several RSCE hoppers or failure of the
Class 1E 120 V ac UPS or 125 V dc. In the case of the ac power failure,
the operator may still manually actuate the RSCE.
C.2.4. Cooling Provided by SCS
The mismatch between generated heat and heat removal following
the loss of HTS cooling is dealt with in t~ ways simultaneously by the
PPIS. In addition to reducing heat generation by initiating a reactor
shutdown (events 2 and 3), the PPIS also attempts to restore coolant
flow by starting the SCS. Event 4 considers whether or not the SCS is
successfully started, and if it is started, whether it runs until HTS
cooling is restored.
Depending uPQn the number of modules losing HTS cooling, a demand
for between one and four SCS loops is made. Using the detailed failure
model described in Section 6.2.2, the probability of not successfully
starting all the required loops is calculated. These calculations of
probability are, of course, conditional probabilities contingent upon
the outcome of preceding events (specifically the loss of the HTS). For
example, several of the HTS failure modes included in event 1 and lead
ing to loss of cooling in four modules are systems whose failure would
also preclude operation of or reduce the redundancy within the SCS.
These systems include plant service water, 4160 to 480 V ac distribution
and the Class 1E 120 V ac UPS. Thus, if only one module has lost cool
ing and HTS cooling in the three other modules continues, the failure
C-16 DOE-HTGR-86-011/Rev. 3
probability of one SCS to start up can be calculated by directly quanti
fying the SCS fault tree from the data base. In contrast, if four mod
ules have lost cooling, then the likelihood that these various common
systems were the cause of the initial failure must be considered in
evaluating the SCS fault tree. The results of these two calculations
can then be combined appropriately, accounting for the relative frac
tions of HTS failures that involve multiple versus single module fail
ures. The impact of these common dependencies between the HTS and SCS
is to limit the probability of success for the SCS.
Even after the SCS starts, event 4 is not judged as successful
unless SCS cooling is maintained until HTS cooling is restored. The
fault tree models of Section 6.2.2 are requantified to assess the run
ning reliability of the SCS, again conditioned upon prior events. These
system reliabilities are expressed as probability densities, combined
with a complementary cumulative distribution function for HTS restora
tion and integrated over time. The probability that one or more SCS
loops fail to run for the required time is added to the probability that
they fail to start as the total failure probability for event 4. Note
that the probability of event 4 in the lower portion of Fig. C-2 corres
ponds to a sequence in which the control rod trip has failed in a single
module; whereas in the upper portion of the event tree, multiple module
cases are considered. The probability of the control rod trip failing
in more than one module was found negligible.
While the Beta Factor Method is employed in describing common mode
failures between like SCS components within a given module, independence
is assumed from module to module except where explicit common failure
modes are identified in the model of Section 6 (e.g., the common elec
trical power and cooling water loops).
C-17 DOE-HTGR-86-011/Rev. 3
C.2.5. Cooling Provided by ReCS
Should both HTS and SCS cooling fail, the MHTGR is capable of
rejecting shutdown heat loads by conduction, localized convection, and
radiation to the reactor vessel wall where radiation and convection
carry the heat to the air-cooled RCeS panels. In event 5, the proba
bility that the RCCS is successful in providing cooling is considered.
Success of the RCCS is defined as the system continuing to operate
until either of the following conditions exist:
1. One of the two forced core cooling modes is restored (main
loop cooling or the SCS).
2. Decay heat levels are sufficiently low so that a subsequent
loss of cooling would not lead to excessive vessel tempera-
tures.
Since the system is continuously operating during normal operation of
the plant, no change of state or other equivalent to a "failure to
start" exists. For any given module, failure of the RCCS requires that
something happen to preclude continued operation of all four of the
initially operating, passive, and redundant natural draft loops.
As discussed in Section 6.2.5, no meteorological or operating con
ditions have been identified which could preclude RCCS operation. Only
failures involving the extremely unlikely major structural collapse of
the safety-related RCCS have been identified as capable of causing Rces
flow blockage. In the lower portion of Fig. C-2, in which a single
module has experienced a failure to trip with control rods, the event 5
branching probability reflects the assessed failure probability of a
single RCCS (1 x 10-6). In contrast, the upper portion of the figure
includes multiple module demands upon the RCCS and the probability of
one RCCS failure in several modules is seen to be somewhat higher.
C-18 DOE-HTGR-86-011/Rev. 3
C.2.6. Primary Coolant Depressurized Through HPS
The unique design of the MHTGR allows that even if all three
engineered cooling systems fail, including not only the forced circula
tion main and SCS cooling loops but also the passive and redundant RCCS,
core heat loss to the surrounding environment is sufficient to limit the
core temperature transient and prevents large-scale fuel failure. In
fact, the maximum fuel temperatures during conduction coo1down are not
strongly affected by Whether or not RCCS cooling is available. However,
under these conditions (i.e., loss of all three cooling systems), the
reactor vessel may experience wall temperatures significantly in excess
of its design limit, depending upon the history of prior cooling. Dur
ing such an accident, it is expected that the operator would initiate
action to depressurize the primary coolant system so as to reduce the
stress experienced by the overheated vessel. Such a depressurization is
routinely performed prior to refueling or certain maintainence activi
ties and is accomplished by pumping down the primary coolant inventory
through the HPS and to the helium storage bottles. Event 6 in Fig. C-2
considers the likelihood that such a pumpdown is successful given
failures of the HTS, SCS, and RCCS.
A fault tree depicting the failure model for pump down through the
HPS is shown and discussed in Section 6.2.3. In the quantification of
event 6, this model is conditionally evaluated dependent" upon prior
occurrences in the event sequence.
As shown in the model, pumpdown can be either manually or auto
matically initiated. However, since the automatic PPIS startup is
intended to mitigate releases due to primary coolant leaks, the primary
coolant pressure low setpoint for pump down startup would not be effec
tive in this accident. Therefore, the initiation of pumpdown is depen
dent upon operator intervention. From Appendix B, the probability of
the operator failing to take corrective action within the first several
hours available to start the pumpdown is 0.001.
C-19 DOE-HTGR-86-0ll/Rev. 3
If only one of the four modules has experienced a loss of cooling,
none of the support systems common to the HTS and HPS fail. Thus, HPS
pump down failure is independent of the HTS failure. Neglecting initia
tion, such an independent failure is assessed as having a probability of
about 0.001. On the other hand, possible failure modes for cooling loss
in four modules include failures in Reactor Plant Cooling Water (RPCWS),
Plant Service Water (SWS), or normal in-house electrical power. These
systems are common to both forced cooling systems and the HPS. Thus,
given a failure in four loops, the conditional probability that the HPS
does not operate is increased to 0.35. Combining the conditional
probabilities appropriately leads to a median probability for failure in
event 6 of approximately 0.07.
C.2.7. Cooling Restored Prior to Excessive Vessel Temperature
Whether or not the primary coolant pressure is successfully
reduced, vessel side wall temperatures begin to rise when all three
cooling systems are lost. If allowed to rise high enough, the integrity
of the vessel is uncertain. However, the large core heat capacity, the
core power density, and heat dissipation to the environment assure that
this heatup is very slow. Therefore, there are days to weeks (depending
upon the initial temperatures and prior cooling history) to restore
cooling before an excessive vessel temperature is reached. Event 7
considers the probabiiity that cooling is restored prior to the vessel
experiencing such excessive temperatures.
Restoration of cooling with either the HTS, the SCS, or the RCCS
is sufficient to arrest the vessel wall temperature transient. Since
the SCS and HTS repair times are estimated as much shorter than the RCCS
repair time, only HTS and SCS restoration are considered in event 7.
For the event sequences in which the primary coolant pressure is
successfully relieved through the HPS, reactor vessel loads consist of
the weight associated with vessel support and the weight of the core.
C-20 DOE-HTGR-86-0ll/Rev. 3
These loads are very small compared to the design load at pressure.
Therefore, no failure is expected as a result of strength loss until
temperatures are significantly in excess of the design temperature. For
the assessment, excessive vessel temperature has been estimated to be
760°C (1400oF), at which point the material undergoes a phase change.
It should be noted, however, that while no detailed analysis has been
performed to predict temperature-induced vessel failure, scoping calcu
lations suggest that the vessel may remain intact even at temperatures
much higher than 760°C (1400oF). Analyses of conduction cooldown with
out the RCCS show that the time available for restoration of either the
HTS or SCS prior to reaching this temperature is at least 95 h.
For the conduction cooldown event sequences without the RCCS and
where pumpdown through the HPS is unsuccessful, the primary coolant
remains at pressure and the reactor vessel is under considerably higher
stress than in the depressurized case. Under such conditions, it is not
expected that the vessel could survive the high temperatures (and the
resultant strength loss) described above. For the pressurized assess
ment, a temperature of 4BOoC (900°F) has been defined as excessive. The
time available for repair before this temperature is reached is 50 h.
C.2.B. Number of MOdules Experiencing Event Sequence
The final branch point in Fig. C-2 depicts the number of modules
experiencing the event sequence. For instance, on the uppermost branch
of the event tree can be seen the 20% to BO% split described in Sec
tion C.2.1 of single versus multiple HTS failures given that an HTS
failure has occurred. Further down the tree, if SCS cooling has not
C-21 DOE-HTGR-B6-011/Rev. 3
been successful one, two, three, or four SCS loops may have failed to
operate. The relative probabilities of these four SCS failure possi
bilities are shown.
In the lower branches of the tree involving failure of the RCCS and
failure to trip with the outer control rods, only one module is likely
to experience the event sequence since these systems are designed as
independent between modules. The disruptive external events which would
have the potential to defeat this independence are not postulated in
this event tree.
C.3. EARTHQUAKE-INDUCED FAILURES
The equipment damage produced by the vibrations during an earth
quake causes seismic events to be the most important class of external
events because it (1) simultaneously challenges redundant equipment in
each of the modules; and (2) poses one of the few potential risks to
passive equipment. The radiological risk from seismic events is never
theless limited because severe earthquakes with intensities sufficient
to damage key systems and structures are very unlikely, and only a few
components are required to function in any case. Plant response follow
ing a seismic event is dependent upon the fragility of structures, sys
tems, and components and upon the magnitude of the earthquake as shown
in Fig. C-3.
In performing the seismic analysis of the conceptual MHTGR design,
several preliminary assumptions are necessary. First, it is necessary
to assume site seismicity characteristics. Since the standard MHTGR is
not designed for a specific site, site parameters have been selected to
envelop the characteristics of approximately 85% of reactor sites and
potential reactor sites in the_U.S. as discussed in Section C.3.1. For
seismicity purposes, a safe shutdown earthquake (SSE) of 0.3 g has been
C-22 DOE-HTGR-86-011/Rev. 3
selected as the basis for the design of structures, systems, and compo
nents required to meet lOCFRlOO dose limits. All other equipment and
structures are designed to ANSI AS8.l Zone 3 specifications.
Secondly, assumptions must be made regarding the fragility of
the plant. As noted in Ref. C-6, seismic-induced failure data is not
generally available for a specific plant. Since only a very limited
accounting for plant specific variations of the conceptual design can be
made, it was assumed that the plant will be constructed in a manner com
parable to existing Light Water Reactors (LWRs). Thus, available data
was reviewed; and after accounting for differences between LWR and MHTGR
designs, representative equipment and structure fragilities were
selected.
The median fragilities and concomitant uncertainty parameters used
in this analysis are summarized in Table C-l. Components included in
this analysis were selected by reviewing Chapter 6 system diagrams and
fault trees in conjunction with fragility data in Refs. C-4, C-6, C-7,
and C-8. The fragility of each system was calculated based upon only
those components with the lowest fragilities (i.e., the "key component
fragilities" in Table C-l). Furthermore, only one component in a group
of similar components was included in the assessment of a system's fra
gility. In many instances, the lack of detailed design information
resulted in a typical value being assumed for a piece of equipment
and/or a structure's fragility (e.g., buildings, pumps, feedwater
heaters). A more extensive list of component fragilities was felt
unwarranted, considering the status of the standard MHTGR conceptual
design.
The fragility data in the literature is developed primarily from
analysis and engineering judgement supported by limited test data. Such
fragility estimates contain considerable uncertainty, which is usually
represented by two factors in the literature. One factor accounts for
the random variability in a particular earthquake's characteristics, and
C-23 DOE-HTGR-86-0ll/Rev. 3
TABLE C-1 ASSUMED FRAGILITIES OF KEY COMPONENTS
System and Component
Building (general)
Pumps (general)
Feedwater heaters (general)
Steam generator
Supports
Piping
Piping supports
Valves (general)
Service water
HX
Pumps
Piping
Piping supports
Building
Reactor
Reactor pressure vessel supports
Control rod drives
Control rod guide tubes
Reserve shutdown channels
Reactor Cavity Cooling System
RCCS
Reactor Building
Electrical
120 V ac distribution panels -Chatter Permanent damage
Inverters
125 V dc buses -Chatter Permanent damage
Batteries and racks
Peak Acceleration (g)
Reference
C-4
C-6
C-6
C-6, C-7, C-8
C-6, C-7, C-8
C-6, C-7, C-8
C-6, C-7, C-8
C-6, C-7, C-8
C-6, C-7, C-8
C-6, C-7, C-8
C-6, C-7, C-8
C-4
C-7
C-6, C-7, C-8
C-13(a)
C-13(a)
C-4
C-4
C-6 C-6 C-6
C-6 C-7
C-6
5th
0.92
0.8
0.8
1.5
2.2
1.7
1.5
0.8
0.8
3.0
1.7
0.92
50th
1.5
1.0
1.0
2.0
3.0
2.2
2.2
1.0
1.0
4.2
2.2
1.5
1.0 1.7
1.7 2.0
0.5. 2.1
0.5 2.1
1.3
1.9
0.32 0.64 1.7
0.32 1.3
0.51
2.0
2.5
0.6 1.2 2.7
0.6 2.0
1.0
95th
2.4
1.2
1.2
2.5
3.8
2.7
3.0
1.2
1.2
5.4
2.7
2.4
2.9
2.3
9.9
9.9
3.0
3.4
1.1 2.2 4.4
1.1 3.1
2.0
C-24 DOE-HTGR-86-011/Rev. 3
TABLE C-1 (Continued)
Peak Acceleration (g)
System and Component Reference 5th 50th
Non-class IE
Switchgear - Chatter C-6 0.40 0.72 Permanent damage C-6 0.80 1.4
Diesels C-7 0.92 1.5 Diesel oil tanks and anchor C-7 0.55 1.0 Transformer C-6 0.72 1.4 Motor control center C-6 0.8 1.4 4160 buses C-7 0.22 0.40 Switchyard C-7 0.22 0.40
Offsite :eower - Ceramic insulator C-6 0.15 0.20
(a) Based upon experimental data in conjunction with preliminary calculations as explained in Section C.3.5.
95th
1.3 2.6
2.5 1.7 2.7 2.6 0.73 0.73
0.28
C-25 DOE-HTGR-86-011/Rev. 3
the second factor accounts for uncertainty in measuring a particular
component's seismic response. The first factor was included in this
assessment by assuming the random variability follows a logarithmic
relationship in which the median values listed in Table C-l correspond
to peak ground accelerations causing 50% of the components to fail. The
second factor is included by utilizing a Monte Carlo selection process
from each component's fragility uncertainty distribution, whose param
eters are also listed in Table C-l.
Component fragilities were statistically combined with the proba
bility of a particular ground acceleration to estimate plant system
response following an earthquake. The likelihood of event sequences
corresponding to different plant responses is discussed in this section.
The results, summarized in Fig. C-3, were obtained for one module. How
ever, since the earthquake affects all four modules similarly, these
results have been assumed to apply to all four modules. System
responses shown in Fig. C-3 represent not only the failure probability
due to an earthquake, but also the probability of failure independent
of the earthquake. Each system's independent failure probability was
obtained using results from the main loop cooling event tree (Sec-
tion C. 2).
C.3.1. Occurrence of Significant Earthquakes
Event 1 of Fig. C-3 corresponds to the occurrence of earthquakes
with seismic intensity greater than 0.06 g. Since seismographic data
demonstrate that the ground is in constant motion, a 0.06 g de1iminator
has been introduced to differentiate between "earthquakes" a~d normal
seismic background in which no damage to typical commercial or
residential structures is expected.
To obtain the frequency at which earthquakes with intensities above
0.06 g occur, it was necessary to define a seismicity curve of a site
with characteristics corresponding to the design requirements of the
C-26 DOE-HTGR-86-011/Rev. 3
MHTGR reference site. Results from Ref. C-4 indicate that Watt's Bar
seismicity characteristics are representative of an actual plant site
which corresponds to the MHTGR design requirement that the standard
plans be "certified in accordance with NRC requirements over a range of
conditions that envelop approximately 85% of domestic U.S. sites"
(Ref. C-5). Seismicity data for the Watt's Bar site, which has a SSE of
0.25 g, was used to construct the MHTGR site seismicity curve shown in
Fig. C-4. This seismicity curve indicates that the frequency of earth
quakes having an intensity above 0.06 g is 5.6 x 10-3 per plant year.
There is an unavoidable conservatism in using the site seismicity
curve depicted in Fig. C-4 since it does not completely account for
attenuation effects which limit the maximum ground accelerations occur
ring. For mechanical reasons, it is felt that there is a maximum accel
eration attainable, although the scatter in available data indicates
unusually high ground accelerations are possible at low frequencies.
Hence, it is felt that seismic hazard curves are only valid down to fre
quencies of 10-5 per year. The stringent MHTGR design goal (Ref. C-5)
requires, however, that accidents with frequencies several orders of
magnitude below 10-5 per year be considered. Although the validity of
data obtained by extrapolating a seismicity curve to such low fre
quencies may be questionable, it is necessary for calculations in this
assessment.
C.3.2. Seismic Intensity Range
Given that an earthquake of significant intensity occurs (greater
than 0.06 g), it may occur over a spectrum of ground accelerations rang
ing from the more likely earthquakes only slightly larger than the
0.06 g threshold described above to severe earthquakes of intensity much
higher than the plant site SSE. Because plant system response is highly
dependent upon the earthquake intensity, it is convenient to divide up
the event tree based upon earthquake intensity.
C-27 DOE-HTGR-86-011/Rev. 3
Event 2 in Fig. C-3 provides the relative probabilities of four
earthquake intensity ranges:
1. 6 x 10-2 to 0.2 g.
2. 0.2 to 0.4 g.
3. 0.4 to 0.8 g.
4. 0.8 to 2.0 g.
These intensity ranges were selected because seismic activity contrib
utes negligibly to plant component failure probabilities when the ground
acceleration is below 0.2 g. Preliminary studies, based upon informa
tion in Refs. C-6 and C-7, disclose that above approximately 0.2 g, main
loop cooling may be disrupted due to spurious signals (chatter from
electrical system equipment. Earthquakes are not, however, expected to
impact the RCCS or control system reliability at intensities below
0.8 g.
C.3.3. Primary Coolant Boundary Remains Intact
Event 3 in Fig. C-3 considers whether the primary coolant boundary
remains intact following an earthquake. As discussed in Section C.1,
primary coolant release is important because of the potential to release
the limited amount of activity circulating with the primary coolant and
plated out upon primary circuit surfaces. In addition, the plant
response following an earthquake will vary depending upon whether
the reactor is pressurized or depressurized.
The literature was reviewed to assess the fragility of equipment
which guarantees the primary coolant boundary remains intact. It was
found that piping is generally predicted to be capable of withstanding
peak ground accelerations in excess of 2.0 g. In fact, the support
structures for the steam generators and reactor vessel were found to be
the most susceptible to earthquakes if their fragilities are assumed to
be comparable to the 1.7 g fragility of the reactor vessel supports
C-28 DOE-HTGR-86-011/Rev. 3
given in the Seabrook PRA (Ref. C-7). Thus, it has been conservatively
assumed that an acceleration sufficient to fail the vessel supports is
sufficient to result in a leakage area of greater than 0.03 in. 2 •
As shown in Fig. C-3, this fragility assumption results in a
negligible probability of a primary coolant system boundary failure
following earthquakes with intensities lower than 0.8 g, and only a 6%
probability for a rupture during earthquakes with intensities between
0.8 to 2.0 g.
C.3.4. Cooling Provided by HTS
Event 4 considers whether HTS cooling continues following an earth
quake. As discussed previously, components in the HTS were reviewed to
determine the type and manner of failures which could preclude HTS oper
ation. As discussed in Section C.4, a loss of offsite power does not
preclude HTS operation if onsite power and other necessary equipment are
available. Thus, the earthquake-induced HTS failure probability was
estimated by the probability that the HTS fails due to system component
and onsite power failure plus the conditional probability that given
the system components and onsite power were available, a loss of off
site power occurred in conjunction with both turbines failing to remain
online. The fragilities selected for this analysis are included in
Table C-1. Although several systems and components were included in
this assessment, the HTS is susceptible to earthquakes because of the
low fragilities of
1. Offsite power (failure of ceramic insulators).
2. 4160 bus and switchyard.
3. 125 V dc bus (chatter).
4. 120 V ac distribution panel (chatter).
5. Non-class 1E switchgear (chatter).
C-29 DOE-HTGR-86-011/Rev. 3
Although small earthquakes could cause the latter three components to
produce a signal to shut down the HTS, these components are not perma
nently damaged and could be used later in the transient.
The results of this analysis indicate that for earthquakes with
peak accelerations less than 0.2 g, there is a 97% probability that HTS
cooling will continue. Above 0.4 g peak ground accelerations, however,
it is not anticipated that the BTS will remain operational because of
the high probabilities that a loss of offsite power, failures of the
4160 buses and switchyard, and/or relay chatter of the 125 V dc buses
and 120 V ac distribution panels will occur.
C.3.5. Reactor Tripped With Control Rods
Immediately following a loss of HTS cooling, the PPIS is designed
to sense the condition and shut down the reactor by inserting the outer
set of control rods. This reduction in power is performed to assure
that the generated core heat more nearly matches the heat removal capa
bilities of the alternative cooling modes available. Event 5 considers
the probability of successfully accomplishing this.
As discussed in Section C.2.2, redundant mechanisms exist by which
the PPIS may sense the loss of main loop cooling and trigger control rod
insertion. Furthermore, if the PPIS were disabled because of the earth
quake there is the probability that the controls will be inserted by
gravitational forces (if power is lost) or by the operator.
A failure to scram following an earthquake may be due to
earthquake-induced as well as normal operational failures. As discussed
in Section C.2., the control rod drive mechanisms are extremely reliable
and have a low failure probability. However, the probability that the
control rods fail to scram the reactor was estimated as the sum of
earthquake-induced failures and failures due to other mechanisms given
that the earthquake did not preclude scram.
C-30 DOE-HTGR-86-011/Rev. 3
In this assessment, two mechanisms were considered by which an
earthquake could cause a failure of the rods to shut down the reactor.
The first mechanism assessed was if the ground acceleration was suffi
cient to cause misalignment between the control rods and guide tubes
such that the number of rods necessary for shutdown could not be
inserted. This misalignment did not preclude shutdown; the second
mechanism assessed was the probability of ground accelerations suffi
cient to damage enough control blocks that the rods necessary for
shutdown could not be inserted.
In order to evaluate the above probabilities, several assumptions
and data are needed. Based upon engineering judgment, a conservative
assumption was made that at least 21 of the 24 outer control rods must
be inserted for shutdown. Although under most conditions, fewer rods
are required for shutdown, this conservative simplification was employed
since the exact number of control rods needed is dependent upon factors
such as core life, operating history, and conditions (such as moisture
presence, etc.).
The fragility of each control rod guide tube was assumed as 2.0 g
with an uncertainty factor of 1.1. Scoping calculations were performed
to estimate the stresses produced in graphite blocks at certain ground
accelerations. These stresses were compared with experimentally
obtained data for the graphite block's ultimate strength (Ref. C-13) to
predict the number of blocks damaged due to a particular ground accel
eration. These preliminary results indicate that a peak ground accel
eration of 2.1 g with an uncertainty factor of 4.7 could damage three
blocks. Given that three blocks are damaged, there exists the possibil
ity that two or three of the block failures occur within the same col
umn. However, for this assessment, it was conservatively assumed that
the failures occurred in different fuel block columns. Using the fact
that approximately one of every outer three blocks contains a control
rod, the probability of an acceleration sufficiently damaging control
blocks to preclude shutdown was reduced by one-third. Then, the total
C-31 DOE-HTGR-86-011/Rev. 3
probability that the earthquake prevented reactor trip by the rods was
estimated by combining the probability that the earthquake resulted in
guide tube misalignment with the conditional probability that the guide
tubes remained in place, but control block damage prevented shutdown.
C.3.6. Reactor Shutdown Using Reserve Shutdown Control Equipment
As described above, the MHTGR is designed to respond to a loss of
HTS cooling by shutting down the reactor with the control rods. How
ever, in the unlikely event that this normal trip does not occur, a
secondary means of shutting down the reactor is automatically actuated,
and the reserve shutdown material (boronated pellets) is dumped into the
core. In event 6 of Fig. C-3, the operation of this secondary means of
shutdown is considered.
Two cases for consideration exist. If the control rod trip is
successful, as is the case in the top branch of Fig. C-3, then there is
no call for insertion of the reserve shutdown material, and the event is
shown with a dotted line. In the less probable case where the normal
trip has not succeeded, a demand for the RSCE exists, and the event
branch point presents the likelihood of success or failure. This sec
ondary shutdown can be triggered, after a 30-s delay, either by high
neutron flux to circulator speed ratio or high primary coolant pressure.
Besides multiple failures of these independent sensor channels, failure
of automatic insertion of RSCE material could be caused by failure of
the PPIS, common mode failure of several RSCE hoppers or failure of the
Class IE 120 V ac UPS or 125 V dc. In the case of the ac power failure,
the operator may still manually actuate the RSCE. However, in order for
the boron pellets to be released following actuation of this switch, a
120 V dc bus is required to supply electricity for heating the fusible
link, which melts, allowing pellets to enter the core.
The RSCE failure probability following an earthquake was estimated
as· the sum of earthquake-induced failures and failures due to other
C-32 DOE-HTGR-86-011/Rev. 3
mechanisms given that no earthquake-induced failures occur. Earthquake
induced RSCE failures were assumed to be contingent upon Whether the bus
to the link could supply electricity and if the reserve shutdown chan
nels remained intact so that the boron pellets could be inserted. The
fragility of the reserve shutdown channels was assessed to be similar to
control rod guide tubes, having a median value of 2.1 g. The median
fragility of the 125 V dc bus was assessed as 2.0 g, as shown in
Table C-1.
As can be seen in Fig. C-3, there is a very low probability of a
large earthquake occurring in Which neither the control rods nor the
reserve shutdown control equipment trip the reactor. However, as dis
cussed in Section 6.1.5.2, the negative temperature coefficient by
itself assures that no offsite release results even if such a situation
occurs. Therefore, even in this extremely unlikely scenario, the pas
sive safety characteristics of the MHTGR perform to ensure that the
consequence of this failure is minimal.
C.3.7. Cooling Provided by SCS
If an earthquake results in a loss of HTS cooling, the mismatch
between generated heat and heat removal is dealt with in two ways simul
taneously by the PPIS. In addition to reducing heat generation by ini
tiating a reactor shutdown (events 5 and 6), the PPIS also attempts to
restore coolant flow by starting the SCS. Event 7 considers Whether or
not the SCS is successfully started, and if it is started, Whether it
runs until HTS cooling is restored. The failure of the SCS following an
earthquake was calculated as the sum of earthquake-induced failures and
the conditional probability of failure due to other mechanisms Which was
calculated using results from the method described in Section C.2.4.
The SCS fragility was estimated with many of the component fragili
ties used to estimate the HTS system fragility, since both of these sys
tems depend upon the service water system and the electrical system.
C-33 DOE-HTGR-86-011/Re~. 3
However, the SCS is less susceptible to earthquakes than the HTS. Spu
rious signals due to earthquake vibrations that cause the HTS to trip do
not damage the SCS. Furthermore, backup diesel generators may be used
to power the SCS; thus, the failure of offsite power plus turbine trip
is not expected to preclude SCS operation. The SCS failure probability
due to mechanisms other than earthquakes was estimated as 0.05% using
the models described in Section 7.2.4. The combined SCS failure proba
bility is calculated as 9% for peak ground accelerations less than
0.2 g, 35% for accelerations in the 0.2 to 0.4 g range, and nearly 100%
for accelerations greater than 0.4 g.
C.3.8. Cooling Provided by RCCS
Should both HTS and SCS cooling fail, the MHTGR is capable of
rejecting shutdown heat loads by conduction, localized convection, and
radiation to the reactor vessel wall where radiation and convection
carry the heat to the air-cooled RCCS panels. In event 8, the probabil
ity that the RCCS is successful in providing cooling is considered. The
RCCS failure probability following an earthquake was estimated as the
sum of earthquake-induced failures and failures due to other mechanisms
given that no earthquake-induced failures occur.
The RCCS is a passive system constructed to meet a 0.3 g safe shut
down earthquake. The reactor cavity is a portion of the underground
silo in which the reactor is mounted. This silo is substantially
buttressed by interior shear walls and is joined at the top by a heavy
shear wall box structure which contains the coaxial ducts of the RCCS.
The structure surrounding this ducting extends upward to the RCCS
inlet/exhaust structure, which terminates above the reactor maintenance
enclosure roof (see Fig. 4-10).
C-34 DOE-HTGR-86-011/Rev. 3
Based upon Ref. C-13, the RCCS was assessed as having a median fragility
of 2.0 g.The failure probability for event 8 was calculated by combin
ing the failure probability associated with the RCCS fragility and the
independent failure probability of the RCCS (1 x 10-6 per demand).
C.3.9. Cooling Restore Prior to Excessive Vessel Temperatures
When all three cooling systems are lost, vessel side wall tempera
tures begin to rise. If allowed to rise high enough, the integrity of
the vessel is uncertain. However, the large core heat capacity, the
core power density, and heat dissipation to the environment assure that
this heatup is very slow. Therefore, there are days to weeks (depending
upon the initial temperatures and prior cooling history) to restore
cooling before an excessive vessel temperature is reached. Event 9
considers the probability that cooling is restored prior to the vessel
experiencing such excessive temperatures.
Restoration of cooling with either the HTS, the SCS, or the RCCS is
sufficient to arrest the vessel wall temperature transient. However,
only SCS repair is considered in event 9 because of its accessibility,
and ability to function without offsite power, and estimated shorter
repair time.
Event 9 is assessed by assuming there are 50 h available for SCS
repair prior to when the pressurized vessel reaches excessive tempera
tures. As discussed in Section C.2.7, it is estimated that loads in a
pressurized vessel could produce failures at temperatures in excess of
480°C (900°F). It is assumed in Section C.2.7 that a pressurized vessel
could reach such temperatures in 50 h. In estimating the likelihood of
repair it is assumed that repair efforts do not begin until 10 h after
the earthquake owing to the general confusion and attention given to
personnel injuries with which the plant crew may have to deal.
C-35 DOE-HTGR-86-011/Rev. 3
For the event sequences in which the primary coolant pressure is
successfully relieved through the HPS, reactor vessel loads consist of
the weight associated with vessel support and the weight of the core.
These loads are very small compared to the design load at pressure.
Therefore, no failure is expected as a result of strength loss until
temperatures are significantly in excess of the design temperature. For
the assessment, excessive vessel temperature has been estimated to be
760°C (14000 F), at which point the material undergoes a phase change.
It should be noted, however, that while no detailed analysis has been
performed to predict temperature-induced vessel failure, scoping calcu
lations suggest that the vessel may remain intact even at temperatures
much higher than 760°C (14000 F). Analyses of conduction cooldown with
out the RCCS show that the time available for restoration of either the
HTS or SCS prior to reaching this temperature is at least 95 h.
For the conduction cooldown event sequences without the RCCS and
where pumpdown through the HPS is unsuccessful, the primary coolant
remains at pressure and the reactor vessel is under considerably higher
stress than in the depressurized case. Under such conditions, it is not
expected that the vessel could survive the high temperatures (and the
resultant strength loss) described above. For the pressurized assess
ment, a temperature of 480°C (900°F) has been defined as excessive. The
time available for repair before this temperature is reached is 50 h.
C.3.10. Number of MOdules Experiencing Event Sequence
The final branch point in Fig. C-2 depicts the number of modules
experiencing the event sequence. For instance, on the uppermost branch
of the event tree can be seen the 20% to 80% split described in Sec
tion C.2.1 of single versus multiple HTS failures given that an HTS
failure has occurred. Further down the tree, if SCS cooling has not
been successful one, two, three, or four SCS loops may have failed to
operate. The relative probabilities of these four SCS failure possi
bilities are shown.
C-36 DOE-HTGR-86-011/Rev •. 3
C.4. LOSS OF NORMAL STATION ELECTRICAL POWER
The normal station electrical power equipment refers to the normal
loads in the energy conversion train for power production such as the
HTS circulators, condensate pumps, and feed pumps. A loss of normal
station power occurs when, for any reason, the power flow from the grid
(via the main or auxiliary transformers) is lost and the turbine genera
tors inadvertently trip instead of maintaining their load and continuing
to remove heat.
A LOSP is of interest as an initiating event because it is
externally caused, and because it can simultaneously challenge multiple
systems. For example, if offsite power is lost and both turbines trip,
all four cooling loops are shut down which challenges core heat removal
and, consequently, may result in incremental fuel releases from thermal
mechanisms as discussed in Section 5. Various responses are possible
following a loss of all offsite power due to the number of cooling modes
possible as shown in Fig. C-5. This section discusses the likelihood of
event sequences corresponding to possible plant response scenarios.
C.4.1. Loss of Offsite Power and Turbine Trip
Event 1 of Fig. C-5 corresponds to the frequency of a LOSP followed
by the inadvertent trip of both turbines. Unlike conventional U.S.
light water plants, the MHTGR main turbine generator is designed not to
trip following a LOSP so that it may continue to supply in-house loads.
The continued operation of the turbines and MaTGR at a reduced load fol
lowing a LOSP is possible, in part, because of high MaTGR core heat
capacity. The median annual frequency of 5 x 10-3 shown in event 1 of
Fig. C-5 was calculated by statistically combining the frequency of a
loss of offsite power occurring in conjunction with the demand failure
probability of both turbines. U.S. reactor operating experience data in
C-37 DOE-HTGR-86-011/Rev. 3
Ref. C-2 indicates a loss of offsite power occurs with a median fre
quency of 0.1 per year. Based upon experience with turbines in gas
cooled MAGNOX reactors (Refs. C-14 and C-1S), the probability of both
turbines failing to remain online following a loss of offsite power is
assessed at 0.05. The British plant experience is particularly applica
ble to the MHTGR in this event since the turbines in their plants were
also designed to have the capability of remaining online following a
loss of offsite power.
C.4.2. Reactor Trip With Control Rods
Following a loss of all station non-uninterruptible ac power, the
PPIS, Which receives power from the uninterruptible power source sup
plied by the de power system batteries, will sense the mismatch between
the circulator speed to feedwater flow and signal a main loop shutdown.
The signal to shut down the BTS results in the PPIS also initiating a
signal to trip the reactor with the outer control rods. Note that the
rods will not drop due to loss of power because the control rod drives
receive power from the Class 1E UPS, Which may receive power from other
sources than normal station and offsite power. Event 2 considers the
probability that the reactor is tripped by inserting the outer control
rods.
As discussed in Section 6.1, there are diverse means by Which the
PPIS may sense the loss of main loop cooling and trigger control rod
insertion. In addition to initiating a trip because of the HTS shut
down, the PPIS may initiate a trip because of the high neutron flux to
helium mass flow ratio, high primary pressure, or the high steam gener
ator helium inlet temperature. ·Mechanisms exist Which may result in a
failure to trip, such as common mode failures of the control rod drives,
the scram contactors or the PPIS scram logic. However, this equipment
is assessed as having a high reliability. Hence, a low probability is
shown in Fig. C-S for the failure of the control rods to shut down the
reactor.
C-38 DOE-BTGR-86-011/Rev. 3
C.4.3. Reactor Shutdown Using Reserve Shutdown Material
Failure of reactor trip using the control rods has been shown to be
very unlikely. However, even if the control rods fail to shut down the
reactor, it is designed such that it may be shut down using the RSCE.
Event 3 considers the operation of this secondary means of reactor shut
down which consists of actuating a signal for RSCE hoppers to release
boronated pellets into the core.
As noted in the discussion of the loss of main loop cooling event
tree in Section C.2.3, the PPIS and control rod equipment are assessed
as having a high reliability, and it is unlikely that the common mode
failure necessary to preclude shutdown would occur. Hence, there would
not be any demand for reserve shutdown material, which is why event 3 is
shown as a dotted line in the top part of Fig. C-S. A discussion of the
diverse means by which the RSCE may be actuated and the model which was
used to calculate this system's failure probability may be found in
Section C.2.3.
C.4.4. Cooling Provided by SCS
Given that a LOSP and inadvertent trip of both turbines occur,
normal station power would be lost, precluding forced circulation by the
HTS. The PPIS responds to this condition by not only initiating a reac
tor shutdown, but also, in order to ensure core decay heat removal, ini
tiating a signal to start the SCS which will receive backup power from
the diesel generators. Event 4 considers the probability that the SCS
successfully starts on the diesel generators, and given that it starts,
the probability that the SCS runs until restoration of offsite power and
HTS cooling. The calculation of this event is different than the manner
in which it was calculated for the HTS in Section C.2.4 for several rea
sons. For example, the initiating event in this case, a loss of normal
station power, results in all four modules being shut down and requiring
SCS cooling. Furthermore, startup of the SCS is dependent upon the
C-39 DOE-HTGR-86-011/Rev. 3
startup of the backup generator since neither offsite nor normal
in-house power is available.
The conditional probabilities of SCS operation are calculated using
the failure models described in Section 6.2.2. Note that these proba
bilities are contingent upon preceding events. For example, since off
site and normal in-house power is not available, their failure are not
considered in evaluating the probability of SCS operation.
For SCS operation to be successful, cooling must be started and
maintained until power is restored. The SCS fault tree models in Sec
tion 6 were quantified to calculate the probability of an SCS unit fail
ing to start and then requantified to calculate the probability of an
SCS unit failing to run. The probability that an SCS unit fails to run
was assessed by first obtaining a probability density function corre
sponding to SCS failure from the reliability of one or more units.
Then, the appropriate probability density function of a particular
number of SCS units failing to run was combined with a complementary
cumulative distribution function corresponding to the probability for
offsite power restoration and integrated over the required mission time
of 150 h. (According to Ref. C-9, this was the longest observed time to
restore offsitepower.) Finally, the probability of event 4 was calcu
lated by combining the probability that one or more SCS loops fail to
start with the probability that they fail to run. Note that the proba
bility of event 4 in the lower portion of Fig. C-5 corresponds to a
sequence in which the control rods fail in a single module; whereas in
the upper portion of the event tree, multiple module cases are con
sidered. The probability of the control rod trip failing in more than
one module was found negligible.
As discussed in Section C.2.4, the Beta Factor Method was employed
to describe common mode failures between like SCS components within a
given module. However, modules are assumed to fail independently except
where explicit common mode failures are identified in Section 6 models.
C-40 DOE-HTGR-86-011/Rev. 3
C.4.S. Cooling Provided by RCCS
In the event that both the HTS and the SCS are not operational,
shutdown heat loads from the MHTGR vessel may be transferred via conduc
tion, radiation, and convection to the air-cooled RCCS panels. Event S
considers the probability that the passive and redundant, natural draft,
RCCS loops are successful in providing cooling. The success probability
for RCCS operation in this event was calculated using the same model
described in Section C.2.S for loss of main loop cooling event tree
calculations.
C.4.6. Number of Modules Experiencing Event Sequence
The initiating event, a LOSP and both turbines tripping, results in
HTS cooling being lost in all four modules. Hence, all modules experi
ence sequence AA in Fig. C-S. The number of modules experiencing a loss
of both HTS and SCS cooling may range from one to four (sequences AB
through AE), depending upon the specific SCS failure mode. Only one
module is shown in Fig. C-S for sequences considering failures of the
RCCS, reactor control rods, and the RSCE (sequences AF through AI).
Since the scram and RCCS systems in each mmodule are considered indepen
dent, it is less likely that simultaneous failure of the RCCS or scram
systems in multiple modules would occur. Hence, the frequencies of
sequences considering failures in more than one module would be lower
than the frequencies shown in Fig. C-S.
C.S. ANTICIPATED TRANSIENTS REQUIRING SCRAM
There are a number of off-normal plant transients for which the
PPIS is designed to detect the upset condition and as a part of the
automatic response, reduce the heat that must be removed from the core
by initiating a reactor shutdown (scram) in one or more modules with the
control rods. Such a transient without successful scram is of interest
as a challenge to the continued control of core heat generation. In
C-41 DOE-HTGR-86-011/Rev. 3
challenging this function, the ATWS represents a potential precursor to
failure of the primary coolant boundary (relief valve lifting) simulta
neous with the incremental releases from fuel involving thermal effects
discussed in Section 5. The various possible MHTGR responses to this
challenge are depicted in the event sequences in Fig. C-6. In this
section, the likelihood of these various scenarios occurring is
discussed.
C.5.1. Anticipated Transient Occurs
Transients requiring automatic or relatively prompt shutdown of the
reactor, event 1 of Fig. C-6, have been assessed as having a frequency
of occurrence of approximately 25 times per plant year. These tran
sients are characterized by plant conditions which either directly pre
clude a normal plant shutdown or which, if allowed to persist for the
extended period of time associated with normal shutdown, would lead to
exceeding design limits.
The assessed frequency of occurrence is based upon the plant avail
ability data base (Ref. C-10). System outage causes were screened for
those capable of causing reactor trip as opposed to those which lead to
only power output reduction or additional maintenance or repair at some
later date. In addition, for each identified transient it was noted
whether the outage cause would require trip in one, two, or four mod
ules. This approach tends to yield a somewhat high estimate of the
frequency at which reactor scram is demanded, as not all failures in
systems capable of causing trip would cause a trip. However, at the
present design stage of the MHTGR, the approximation is not,unreason
able. To provide some perspective, the estimate can be compared to the
light water reactor experience of something over six scrams per reactor
per year. Noting that, on the average, a single transient in the MHTGR
causes a scram in 1.6 reactor modules, the estimated frequency of 25
transients per plant year corresponds to 40 scrams per plant year or
10 scrams per reactor module per year.
C-42 DOE-HTGR-86-011/Rev. 3
C.5.2. Reactor Tripped With Control Rods
For the majority of the transients described by event 1, the PPIS
is designed to sense the abnormal condition(s) and shut down the reactor
by inserting the outer set of control rods. This action helps assure a
prompt turnaround in any reactivity, thermal, or primary coolant pres
sure transients the plant may be experiencing. Furthermore, reactor
shutdown and the subsequent drop in temperature can arrest reactions
between the core graphite and any ingressed water or air. Event 2 con
siders the probability of successfully accomplishing this shutdown.
The control rod trip can be triggered by anyone of several param
eters monitored redundantly by the PPIS (see Section 4.12). In general,
for each of the transients included within the initiating event there is
more than one parameter which is able to trigger the trip. For example,
the desired reactor trip following a steam generator tube failure is
normally triggered by high moisture level as detected by the moisture
monitors. However, the high primary coolant pressure resulting from the
ingress of steam will also cause trigger a reactor trip. Likewise, as
discussed in Section C.1, there are several diverse means of sensing the
loss of core cooling. Of course, the operator acts as the ultimate
backup to the PPIS sensors, since he may use the many control room indi
cations to decide whether a trip is required. Beyond failure of the
sensors, failure to trip might result from common mode failure of the
control rod drives, common mode failure of the scram contractors, or
common mode failure in the PPIS scram logic.
Quantification of event 2 is performed using the individual trip
reliability given in Appendix B which is based on the model developed in
Ref. C-3. However, the calculation here takes account of the number of
modules which require scram. As seen in Fig. C-6, the PPIS and rod con
trol equipments are assessed as having a high reliability; and there is
a low probability of them suffering the requisite common mode failures
to preclude shutdown with the outer control rods.
C-43 DOE-HTGR-86-011/Rev. 3
C.S.3. Reactor Shutdown Using Reserve Shutdown Material
As described above, the MHTGR is designed to respond to the tran
sients included within event 1 by shutting down the reactor with the
outer control rods. However, in the unlikely event that this normal
trip does not occur, a secondary means of shutting down the reactor is
automatically actuated, and the reserve shutdown material (boronated
pellets) is dumped into the core. In event 3, the operation of this
secondary means of shutdown is considered.
As in previous event tree cases when the outer control rod trip is
successful, there is no call for insertion of the reserve shutdown mate
rial, and the event is shown with a dotted line. In the less likely
scenarios where the normal trip has not succeeded, a demand for the RSCE
exists, and the event branch point presents the likelihood of success or
failure. This secondary shutdown can be triggered, after a 30-s delay,
either by high neutron flux to circulator speed ratio, high primary
coolant pressure or operator intervention. Besides multiple failures of
these independent sensor channels, failure of automatic insertion of
RSCE material could be caused by failure of the PPIS, common mode fail
ure of several RSCE hoppers, or failure of the class 1E 120 V ac UPS or
12S V dc. In the case of the ac power failure, the operator may still
manually actuate the RSCE.
Because failure of the outer control rod trip is considered to be
independent between modules, the probability that the RSCE is simulta
neously demanded in more than one module is negligible. Thus, each RSCE
failure probability calculation is done on the basis of only one module.
As can be seen in the figure, the probability of failure is low.
C.S.4. Reactor Tripped by Operator
Events 2 and 3 of Fig. C-6 consider the probability that the
systems for reactor trip are automatically actuated. As described in
C-44 DOE-HTGR-86-011/Rev. 3
Section 6, the negative temperature coefficient and high temperature
capabilities of the MHTGR are such as to preclude significant con
sequence should trip not occur for extended periods of time (in excess
of one day). However, continued operation of the main cooling loop fol
lowing rod withdrawal could allow higher than normal core outlet temper
atures to reach the steam generator and result in possible damage to
this component. It is estimated that in such a case, the steam gener
ator design temperatures would not be exceeded for approximately 20 min.
Even if the automatic operation of the two diverse trip mechanisms fail,
it is still possible for the operator to manually shutdown the reactor.
The probability of the operator being able to trip the reactor by manu
ally actuating either the control rod or RSCE trip is considered in
event 4.
The probability of this event being successful is assessed as 0.83
in Fig. C-6. This value was calculated by statistically combining the
probability of the operator properly responding within 20 min, which is
calculated using the operator response model described in Appendix B,
with the conditional probabilities that either the control rod drives or
the RSCE hoppers are available despite the malfunction of these shutdown
systems being automatically actuated.
Note that the probability of event 6 in the lower portion of
Fig. C-6 corresponds to a sequence in which a single module has expe
rienced control failure; whereas in the upper portion of the event tree,
multiple module cases are considered. The probability of the control
rod trip failing in more than one module was found to be negligible.
C.S.S. Cooling Provided by HTS
Following reactor trip, shutdown core cooling must be provided
until either of the following conditions is met: (1) the initial fail
ure is repaired and the module(s) is returned to power operation; or
C-4S DOE-HTGR-86-011/Rev. 3
(2) decay heat levels are so low that MHTGR core cooling system oper
ation is no longer required. Event 3 considers the probability that
this cooling can be provided by the HTS.
The reliability of core cooling provided by the HTS has been dis
cussed in Section C.2. The various transients making up the initiating
event for the loss of HTS event tree discussed in Section C.2 are, in
fact, a subset of those transients included in the initiating event
here. Consequently, the probability that HTS cooling is successful is
limited by the conditional probability that the initiating event was not
itself a transient that takes the HTS out of service. In addition, even
if the HTS is initially available for cooling, it must continue to oper
ate until the initial fault is repaired. The fault tree model for eval
uating whether the HTS runs for this period of time is described in
Section 6.2.1.
The probability that the initiating event involves loss of HTS
cooling dominates the event 5 HTS failure probability and is assessed to
be approximately 0.10. Thought of in another way, 10% of the antici
pated transients requiring scram are losses of HTS cooling. As a result
of this, the event tree sequences following the "no branch" of event 5
(HTS cooling not successful) are redundant with the loss of main loop
cooling event tree.
C.5.6. Cooling Provided by SCS
Following the loss of HTS cooling in event 5, the PPIS acts to
restore coolant flow by starting the SCS.· Event 6 considers whether or
not the SCS is successfully started; and if it is started, whether it
runs until HTS cooling is restored.
Depending upon the number of modules losing HTS cooling, a demand
for between one and four SCS loops is made. Using the detailed failure
model described in Section 6.2.2, the probability of not successfully
C-46 DOE-HTGR-86-011/Rev. 3
starting all the required loops is calculated. These calculations of
probability are, of course, conditional probabilities contingent upon
the outcome of preceding events (specifically the loss of the HTS). As
discussed in Section C.l, if only one module has lost cooling and HTS
cooling in the three other modules continues, the failure probability of
one SCS to startup can be calculated by directly quantifying the SCS
fault tree from the data base. In contrast, if four modules have lost
cooling, the likelihood that various common systems were the cause of
the initial failure, and therefore are not available, must be considered
in quantifying the SCS fault tree. The results of these two calcula
tions can then be combined appropriately, accounting for the relative
fractions of HTS failures that involve multiple versus single module
failures. The impact of these common dependencies between the HTS and
SCS is to limit the probability of success for the SCS.
Even after the SCS starts, event 6 is not judged successful unless
SCS cooling is maintained until HTS cooling is restored. The fault tree
models of Section 6.2.2 are requantified to assess the running reliabil
ity of the SCS, again conditioned upon prior events. These system reli
abilities are expressed as probability densities, combined with a com
plementary cumulative distribution function for HTS restoration, and
integrated over time. The probability that one or more SCS loops fail
to run for the required time is added to the probability that they fail
to start as the total failure probability for event 6.
Further description of this event is provided in Section C.2.4.
C.S.7. Cooling Provided by RCCS
Should both HTS and SCS cooling fail, the MaTGR is capable of
rejecting shutdown heat loads by conduction, localized convection, and
radiation to the reactor vessel wall where radiation and convection
carry the heat to the air-cooled RCCS panels. In event 7, the proba
bility that the RCCS is successful in providing cooling is considered.
C-47 DOE-HTGR-86-0ll/Rev. 3
Success of the RCCS is defined as the system continuing to operate
until either
1. One of the two forced core cooling modes is restored (main
loop cooling or the SCS).
2. Decay heat levels are sufficiently low so that a subsequent
loss of cooling would not lead to excessive vessel tempera
tures.
Since the system is continuously operating during normal operation of
the plant, no change of state or other equivalent to a "failure to
start" exists. For any given module, failure of the RCCS requires that
something happen to preclude continued operation of all four of the
initially operating, passive, and redundant, natural draft loops.
As discussed in Section 6.2.5, no meteorological or operating con
ditions have been identified which could preclude RCCS operation. Only
failures involving the extremely unlikely major structural collapse of
the safety-related RCCS have been identified as capable of causing RCCS
flow blockage. In this lower portion of Fig. C-6, in which a single
module has experienced a failure to trip with control rods, the event 7
branching probability reflects the assessed failure probability of a
single RCCS (1 x 10-6). In contrast the upper portion of the figure
includes multiple module demands upon the RCCS and the probability of
one RCCS failure in several modules is seen to be somewhat low.
C.S.8. Primary Coolant Depressurized Through HPS
The unique design of the MHTGR allows that even if all three engi
neered cooling systems fail, including not only the forced circulation
main and SCS cooling loops but also the passive and redundant RCCS, core
heat loss to the surrounding environment is sufficient to limit the core
temperature transient and prevents large-scale fuel failure. In fact,
C-48 DOE-HTGR-86-011/Rev. 3
the maximum fuel temperatures during conduction cooldown are not
strongly affected by whether or not RCCS cooling is available. However,
under these conditions the reactor vessel may experience wall temp~ra
tures significantly in excess of its design limit, depending upon the
history of prior cooling. During such an accident, it would be expected
that the operator would initiate action to depressurize the primary
coolant system so as to reduce the stress experienced by the overheated
vessel. Such a depressurization is routinely performed prior to refuel
ing or certain maintenance activities and is accomplished by pumping
down the primary coolant inventory through the HPS and to the helium
storage bottles. Event 8 in Fig. C-6 considers the likelihood that such
a pump down is successful, given failures of the HTS, SCS, and RCCS.
A fault tree depicting the failure model for pump down through the
·HPS is shown and discussed in Section 6.2.3. In the quantification of
event 8, this model is conditionally evaluated dependent upon prior
occurrences in the event sequence. Intersystem dependency effects limit
the conditional probability of the HPS working, given failure of both
the HTS and SCS. As can be seen in Fig. C-6, the chance of the system
operating when required is about 94%. A more complete discussion of
this evaluation and the impact of these intersystem dependencies is
provided in Section C.2.6.
C.S.9. Cooling Restored Prior to Excessive Vessel Temperature
Whether or not the primary coolant pressure is successfully
reduced, vessel side wall temperatures begin to rise when all three
cooling systems are lost. If allowed to rise high enough, the vessel's
integrity may be challenged. However, the large core heat capacity, the
core power density, and heat dissipation to the environment assure that
this heatup is very slow. Therefore, there are days to weeks (depend
ing upon the initial temperatures and prior cooling history) to restore
cooling before an excessive vessel temperature is reached. Event 9
C-49 DOE-HTGR-86-011/Rev. 3
considers the probability that cooling is restored prior to the vessel
experiencing such excessive temperatures.
Restoration of cooling with either the HTS, the .ses, or the Rees
is sufficient to arrest the vessel wall temperature transient. Since
the SCS and HTS repair times are estimated as much shorter than the Rces
repair time, only HTS and SCS restoration are considered in event 9.
For the event sequences in which the primary coolant pressure is
successfully relieved through the HPS, reactor vessel loads consist of
the weight associated with vessel support and the weight of the core.
These loads are very small compared to the design load at pressure.
Therefore, no failure is expected as a result of strength loss at tem
peratures significantly in excess of the design temperature. For the
assessment, excessive vessel temperature .has been estimated to be 760°C
(1400oF) at which point the material undergoes a phase change. It
should be noted, however, that while no detailed analysis has been per
formed to predict temperature-induced vessel failure, scoping calcula
tions suggest that the vessel may remain intact even at temperatures
much higher than 760°C (14000 F). Analyses of conduction cooldown with
out the RCCS show that the time available for restoration of either the
HTS or SCS prior to reaching this temperature is at least 95 h.
For the conduction cooldown event sequences without the RCCS and
where pumpdown through the HPS is unsuccessful, the primary coolant
remains at pressure, and the reactor vessel is under considerably higher
stress than in the depressurized case. Under such conditions, it is not
expected that the vessel could survive the high temperatures (and the
resultant strength loss) described above. For the pressurized assess
ment, a temperature of 480°C (900°F) has been defined as excessive. The
time available for repair before this temperature is reached is 50 h.
C-50 DOE-HTGR-86-011/Rev. 3
C.S.10. Number of Modules Experiencing Event Sequence
The final branch point in Fig. C-6 depicts the number of modules
experiencing the event sequence. For instance, on the uppermost branch
of the event tree, relative probabilities of transients requiring scram
in one, two, and four reactor modules can be seen. Below this can be
seen the 20% to 80% split of single versus multiple HTS failures given
that a failure to provide HTS cooling has occurred. Further down the
tree, if SCS cooling has not been successful, a failure of one, two,
three, or four SCS loops may occur. The relative probabilities of these
four SCS failure possibilities are shown.
In the lower branches of the tree involving failure of the RCCS and
failure to trip with the outer control rods, only one module is likely
to experience the event sequence since these systems are designed as
independent between modules. The disruptive external events which would
have the potential to defeat this independence are not postulated in
this event tree.
C. 6 • INADVERTENT CONTROL ROD WITHDRAWAL
Inadvertent control rod withdrawal is initiated by failures in the
rod control equipment that lead to the undesired withdrawal of one or
more control rods from the core. As an accident initiating event, rod
withdrawal is of interest because of its potential challenge to the con
tinued control of core heat generation. In challenging this function,
the rod withdrawal represents a potential precursor to failure of the
primary coolant boundary (relief valve lifting) simultaneous with the
incremental releases from fuel involving thermal effects discussed in
Section 5. The various possible MHTGR responses to this challenge are
depicted in the event sequences in Fig. C-7. The likelihood of these
scenarios occurring is discussed in the following subsections.
C-5l DOE-HTGR-86-0ll/Rev. 3
C.6.1. Spurious Control Rod Bank Withdrawal Occurs
Reference C-11 summarizes the history of uncontrolled rod with
drawals in light water reactors in the United States. Despite differ
ences in the systems, both PWRs and BWRs are cited as having experi
enced, on the average, 2 x 10-2 of these transients per reactor per
year. While the HTGR rod control system is somewhat different, 2 x 10-2
is adopted as a reasonable estimate for the frequency at which failure
of the rod control equipment results in unwanted withdrawal of control
rods. Since the MHTGR control strategy operates the control rods in
banks rather than individually, such a failure would cause a control rod
bank to be withdrawn.
The MHTGR will have four relatively independent rod control sys
tems, one for each module. The frequency of event 1 (a spurious control
rod withdrawal in anyone of four modules) was assessed by statistically
combining the spurious control rod group withdrawal frequency in each
module and its uncertainty factor, 2 x 10-2 per year and 4.1, to obtain
the total frequency of 0.1 per plant year.
C.6.2. Reactor Tripped With Control Rods
As the rod withdrawal proceeds, reactor power, steam generator
inlet helium temperature, and primary coolant pressure increase. The
PPIS monitors all three of these conditions and is designed to shut down
the reactor by dropping the outer control rods into the core if any of
the three become excessive. This action, by deenergizing the control
rod drive mechanisms and halting the nuclear chain reaction, terminates
the rod withdrawal. Event 2 considers the probability of successfully
accomplishing this shutdown.
As stated, the control rod trip can be triggered by anyone of the
three conditions mentioned. The parameters requisite to detect each of
these conditions are monitored by four redundant channels of the PPIS
C-S2 DOE-HTGR-86-011/Rev. 3
(see Section 4.12). Any combination of two of four channels can initi
ate a reactor trip. Beyond failure of the sensors, failure to trip
might result from common mode failure of the control rod drives, common
mode failure of the scram contactors, or common mode failure in the PPIS
scram logic.
Quantification of event 2 is performed using the individual trip
reliability given in Appendix A which is based on the model developed in
Ref. C-3. As seen in Fig. C-7, the PPIS and rod control equipments are
assessed as having a high reliability; and the probability of them suf
fering the requisite common mode failures to preclude ,shutdown with the
control rods is low. The value shown for this event is lower than the
value assessed for similar events on the loss of main loop cooling or
loss of offsite power event trees (Figs. C-2 and C-S) because the initi
ating event is a rod withdrawal in one of the four modules. Simultane
ous rod withdrawals in two or more modules is assessed as being signifi
cantly less likely and does not impact the accident consequence.
C.6.3. Reactor Shutdown Using Reserve Shutdown Material
As described above, the MHTGR is designed to respond to the rod
withdrawal of event 1 by shutting down the reactor with the outer con
trol rods. However, in the unlikely event that this normal trip does
not occur, a secondary means of shutting down the reactor is automati
cally actuated, and the reserve shutdown material (boronated pellets) is
dumped into the core. While not affecting the control rod motion, this
action, by shutting off the nuclear chain reaction, negates the effect
of the withdrawn rods. In event 3, the operation of this secondary
means of shutdown is considered.
As in si~lar cases of previous event trees when the outer control
rod trip is successful, there is no call for insertion of the reserve
shutdown material, and the event is shown with a dotted line. In the
less likely scenarios where the normal trip has not succeeded, a demand
C-S3 DOE-HTGR-86-011/Rev. 3
for the RSCE exists, and the event branch point presents the likelihood
of success or failure. This secondary shutdown can be triggered, after
a 30-s delay, either by high neutron flux to circulator speed ratio or
high primary coolant pressure. Besides multiple failures of these inde
pendent sensor channels, failure of the RSCE could be caused by failure
of the PPIS, common mode failure of several RSCE hoppers or failure of
the Class 1E 120 V ac UPS or 125 V ac. In the cases of PPIS or ac power
failure, the operator may still manually actuate the RSCE.
As can be seen in Fig. C-7, the combined reliability of the normal
outer control rod trip and the RSCE are more than adequate to assure
that there is a negligible probability of failing to terminate the
control rod withdrawal.
C.6.4. Cooling Provided by HTS
Following reactor trip, shutdown core cooling must be provided
until either-the initial failure is repaired and the module is returned
to power operation or until decay heat levels are so low that MHTGR core
cooling systems are no longer required. Event 4 considers the probabil
ity that this cooling can be provided by the HTS.
Two categories of failure are considered in assessing whether the
HTS succeeds in providing cooling. First, the HTS must respond success
fully to the trip-induced transient and transfer from a power producing
to a decay heat removal mode of operation. Second, if it does respond
successfully to the transient, it still must operate for a period of
time as described above. The fault tree failure model for the HTS is
described in considerable detail in Section 6.2.1. Additional discus
sion regarding the quantification pf the model is given in Section C.2.
The HTS failure probability in event 4 is dominated by the proba
bility that the system responds successfully to the transient but fails
C-S4 DOE-HTGR-86-011/Rev. 3
to run until no longer required. As can be seen in Fig. C-7, the
probability of this failure is 8 x 10-3 per demand.
C.6.S. Cooling Provided by SCS
Following the loss of HTS cooling, the PPIS attempts to restore
coolant flow by starting the SCS. Event 5 considers whether or not the
SCS is successfully started; and if it is started, whether it runs until
HTS cooling is restored.
Using the detailed failure model described in Section 6.2.2, the
probability of not successfully starting the required equipments for SCS
operation is calculated. These calculations of probability are, of
course, conditional probabilities contingent upon the outcome of preced
ing events (specifically the loss of the HTS). As discussed in Sec
tion C.2, certain of the HTS failure modes involve failures of equipment
which al~o supports the SCS. In quantifying the SCS fault tree, the
likelihood that these common systems were the cause of the HTS failure
is considered. The impact of these common dependencies between the HTS
and SCS is to limit the probability of success for the SCS.
Even after the SCS starts, event 5 is not judged as successful
unless SCS cooling is maintained until HTS cooling is restored. The
fault tree models of Section 6.2.2 are requantified to assess the run
ning reliability of the SCS, again conditioned upon prior events. These
system reliabilities are expressed as probability densities, combined
with a complementary cumulative distribution function for HTS restor
ation, and integrated over time. The probability that the SCS fails to
run for the required time is added to the probability that they fail to
start as the total failure probability for event S.
Further description of this event is provided in Section C.2.4.
C-SS DOE-HTGR-86-011/Rev. 3
C.6.6. Cooling Provided by RCCS
Should both HTS and SCS cooling fail, the MaTGR is capable of
rejecting shutdown heat loads by conduction, localized convection, and
radiation to the reactor vessel wall where radiation and convection
carry the heat to the air-cooled RCCS panels. In event 6, the probabil
ity that the RCCS is successful in providing cooling is considered.
Success of the RCCS is defined as the system continuing to operate
until either
1. One of the two forced core cooling modes is restored (main
loop cooling or the SCS).
2. Decay heat levels are sufficiently low so that a subsequent
loss of cooling would not lead to excessive vessel
temperatures.
Since the system is continuously operating during normal operation of
the plant, no change of state or other equivalent to a "failure to
start R exists. For any given module, failure of the RCCS requires that
something happen to preclude continued operation of all four of the
initially operating, passive, and redundant natural draft loops.
As discussed in Section 6.2.5, no meteorological or operating con
ditions have been identified which could preclude RCCS operation. Only
failures involving the extremely unlikely major structural collapse of
the safety-related RCCS have been identified as capable of causing RCCS
flow blockage. As an estimate of this very low failure probability, 1 x
10-6 per module with an uncertainty factor of 10 has been assigned to
event 6.
C-56 DOE-HTGR-86-011IRev. 3
C.7. ACCIDENTS INITIATED BY SMALL STEAM GENERATOR LEAKS
Small steam generator leaks are defined as leaks which introduce
moisture to the primary coolant at a rate in excess of the removal capa
city of the HPS but less than 0.05 kg/s (0.1 lb/s). As mentioned in
Section 5, water ingress is selected as an initiating event because of
the potential for primary coolant release due to relief valve venting
and for incremental fuel releases due to chemical attack (hydrolysis) of
the fuel. Given that such a leak occurs, the way the various plant sys
tems respond to the transient is depicted by the event tree shown in
Fig. C-8. Note that many of the sequences in the figure result in no
dose. Only in those sequences where certain protective functions are
not performed subsequent to the leak are offsite doses predicted. In
the following subsections, the quantification of the various branching
probabilities within the tree and the frequency of these various scenar
ios or event sequences are discussed.
C.7.1. Steam Generator Leak Freguency
A methodology for predicting the frequency of steam generator tube
leaks is presented in Table B-2 of Appendix B. The model is based upon
boiler operating experience in both nuclear and nonnuclear power sta
tions. Where possible, British and U.S. HTGR experience has been
incorporated to account for differences in the operating environment.
Employing this method for an MHTGR steam generator indicates that the
dominant leak contributors and their frequencies are
1. Bimetallic weld failure (6 x 10-3 per steam generator year).
2. Corrosion (4 x 10-2 per steam generator year).
3. Similar weld failure (5 x 10-2 per steam generator year).
4. Mechanical damage (4 x 10-3 per steam generator year).
Thus, the total frequency at which leaks of any size occur is 0.1 per
steam generator year. The majority (90%) of leaks are small, leaving
C-57 DOE-HTGR-86-011/Rev. 3
approximately 0.09 small leaks per steam generator per year. Taking
into account the four steam generators in the four module standard
plant, the frequency of event 1 occurring is assessed at approximately
0.4 per plant year.
C.7.2. Moisture Monitor Detection
To limit the impact of possible steam generator tube leaks and
the resulting ingress of moisture to the primary coolant system, each
module has an installed moisture monitor. If high moisture levels are
detected, the moisture monitor can give indication to the control room
operators; or, if levels become excessive, the moisture monitor can pro
vide a signal to the PPIS which in turn initiates reactor trip, main
loop trip, steam generator isolation, and steam generator dump. Event 2
in Fig. C-8 considers whether the moisture monitor successfully detects
the ingress condition of event 1.
In Ref. C-3, the probability that the moisture monitors were una
vailable was assessed as 1 x 10-3 • This failure probability ·was based
upon a moisture monitor channel failure rate of 1.4 x 10-4 per hour, a
common mode failure factor of 0.09, and a mean fault duration time of
12 h. In utilizing the Ref. C-3 model, this assessment assumes that the
moisture monitor design for the MHTGR will prove to be similar to that
envisioned for the large HTGR.
If the moisture monitors fail to function successfully, other trip
setpoints in the PPIS will initiate protective actions. Specifically,
engineered as backup protection against water ingress, high primary
coolant pressure will cause reactor trip and steam generator isolation.
However, only moisture detection can automatically trigger steam genera
tor dump. Therefore, should these monitors fail operator intervention
is required to dump the steam generator water inventory to the dump
tank. (Also see Section 6.2.6.)
C-58 DOE-HTGR-86-011/Rev. 3
C.7.3. Reactor Trip on High Moisture
Steam and water leaking from a failed steam generator to the pri
mary coolant increases primary coolant moisture content. It is expected
that within 6 min moisture levels would exceed 1000 ppmv. At this con
centration, the PPIS is designed to shut down the reactor by inserting
the control rods into the core. Event 3 considers the probability of
successfully shutting down the reactor on high moisture.
Of course, failure of the moisture monitor to detect the leak in
event 1 precludes tripping the reactor on high moisture. In addition,
failure to trip might result from common mode failure of the control rod
drives, common mode failure of the scram contactors, or common mode
failure in the PPIS scram logic. Quantification of these equipment
failures is performed using individual trip reliabilities given in
Appendix B.
C.7.4. Reactor Manual Trip
Even without a reactor trip on high moisture and before the high
pressure trip discussed in Section C.7.5, there are any number of indi
cations available to the operator telling him that something is amiss.
The moisture monitor may be providing high moisture or erratic readings,
primary coolant pressure would be slowly but continuously rising, and
the control system would repeatedly be shimming in the control rods to
account for the reactivity effect of the ingressed water. Event 4 con
siders the likelihood that the operator recognizes that a problem exists
and shuts down the reactor manually with either the control rods or the
RSCE.
Event 4 is evaluated at a time period of 4.8 h in Fig. C-8.
However, results from this assessment indicate that signals indicating
increased moisture, pressure, and reactivity levels would alert the
C-59 DOE-HTGR-86-011/Rev. 3
operator of the ingress and a manual shutdown would be accomplished
within the first hour of the event.
The probability of the operator acting to back up failed equipment
was quantified using the model for cognitive human errors in Ref. C-11.
This model assumes that the allowable time for the operator to
respond in sequences where automatic systems (e.g., the reactor trip or
steam generator isolation) fail largely governs the operator failure
probability.
C.7.5. Reactor Trip On High Pressure
In addition to increasing moisture level in the primary coolant
circuit, the moisture ingress results in a rise in primary coolant pres
sure. A small steam generator leak is expected to cause the primary
coolant pressure to exceed 6929 kPa ()1000 psia) within 4.8 h. At this
pressure, the PPIS is designed to shut down the reactor by inserting the
control rods. Therefore, where high moisture is not successfully
detected, pressure monitoring is available to trigger reactor trip.
Furthermore, if the primary coolant pressure continues to increase above
the second PPIS setpoint of 6998 kPa (1015 psia) , the PPIS will trigger
a backup shutdown using the RSCE. During the ingress, there may also be
a rise in core power due to the reactivity effect of the water. How
ever, for small leaks, the control system is able to compensate for this
by shimming rods in well before the power to flow trip set point is
reached. Event 5 considers the probability of successfully accomplish
ing shutdown with either the outer control rods or RSCE.
Monitoring of primary coolant pressure is accomplished by four
redundant channels of the PPIS (see Section 4.12). Any combination of
two of four channels can initiate a reactor trip. Beyond failure of the
sensors, failure to trip might result from common mode failure of the
C-60 DOE-HTGR-86-011/Rev. 3
control rod drives, common mode failure of the scram contactors, or com
mon mode failure in the PPIS scram logic. With similar logic, failure
of the RSCE to operate if called upon can be caused by common mode fail
ure of its independent pressure sensor channels, failure of the PPIS,
common mode failure of several RSCE hoppers, or failure of the class 1E
120 V ac UPS or 125 V dc.
Quantification of the equipment failures in event 5 is performed
using the individual trip reliability given in Appendix B. The quanti
fication is also dependent upon the outcome of previous events. Specif
ically, success of inserting the control rods in event 5 is conditioned
by the probability that the failure in event 3 does not preclude rod
insertion. For instance, if the failure to insert the control rods on
high moisture in event 3 was caused by common mode failure of the scram
contactors, an additional trip signal coming from high pressure will
also be unsuccessful in event 5. This example is also useful in under
standing why the failure probability for event 5 is higher than the
failure probability for event 3.
C.7.6. Steam Generator Isolation
The steam generator isolation system functions to limit the amount
of water that enters the primary circuit, given a steam generator leak,
by closing a set of feedwater and steam outlet block valves. In addi
tion to the set of block valves, the steam generator outlet can also be
isolated (against reverse flow) by a check valve. Three system failure
modes are considered in this event:
1. Only the feedwater valves fail open.
2. Only the steam valves (including the check valve) fail open.
3. Both sets of isolation valves fail open.
C-61 DOE-HTGR-86-011/Rev. 3
In Ref. C-3, each failure mode was evaluated by considering the failure
of two identical redundant subsystems. The subsystem failure probabili
ties were assumed similar to the values derived for systems analyzed in
Refs. C-3 and C-12 with two exceptions:
1. The probability that the steam valves fail open was obtained
from the failure probability assessed in Ref. C-12 and
adjusted for the conditional probability of a check valve
sticking (i.e., failing to shut on reverse flow).
2. Given that the reactor is not tripped within five or fewer
minutes when the moisture monitors function properly, the con
ditional probability of an automatic steam generator isolation
system failure is governed by the probability that a PPIS
logic fault prevented control rod insertion (as assessed in
Ref. C-12).
If the reactor fails to trip, but the moisture monitors success
fully trip, the likelihood of both the steam and feedwater isolation
valves failing to close is increased. This is because of the increased
likelihood that the cause of the reactor failing to trip is an actuation
logic failure that would also prevent the steam generator isolation
signal.
As a backup to automatic steam generator isolation, operator action
to trip the boiler feedpumps to minimize water ingress is considered.
C.7.7. Delayed Steam Generator Isolation
Even if the automatic isolation considered in event 6 is unsuccess
ful, the steam generator can still be isolated and the inleakage termi
nated by either operator intervention or PPIS response to a high primary
coolant pressure. The probability that the steam generator is success
fully isolated by these secondary mechanisms is considered in event 7.
C-62 DOE-HTGR-86-011/Rev. 3
As stated, steam generator isolation in event 7 can be accomplished
by either PPIS reaction to high primary coolant pressure or operator
action. Quantification of this branching probability is conditioned by
the probability that the failure to isolate in event 6 was due to fail
ure that would also affect success in event 7. For example, failure of
the isolation valves in event 6, given a shutdown signal was triggered
by high moisture, will very likely also preclude success of a second
PPIS signal triggered by high pressure in event 7. In this case, only
operator action is accounted for in the analysis. Under these condi
tions, operator action to isolate the steam generator is expected to
occur within 30 min.
In those sequences preconditional by failure of the moisture moni
tors to defect the inleakage both the PPIS high pressure trip and opera
tor intervention are available to isolate the steam generator. Since
the low inleakage rate results in the high pressure trip being reached
in approximately 4-1/2 h the isolation is very likely to be accomplished
in less than this time.
The probability of isolation as a result of high primary coolant
pressure is calculated, as in the preceding event, using the models of
Refs. C-3 and C-12. The operator response model, also discussed in
Section C.7.4, is taken from Ref. C-11.
C.7.8. Steam Generator Dump Occurs
Following successful isolation of the steam generator, the PPIS is
designed to further limit the ingress of water to the primary coolant by
diverting most of the steam generator water inventory to the dump tank.
event 8 considers the likelihood of this mitigating action successfully
occurring.
Dumping the steam generator is accomplished by first opening a
set of valves located between the steam generator and the dump tank
C-63 DOE-HTGR-86-011/Rev. 3
and then reshutting them as the pressure within the steam generator /
approaches that of the primary coolant. If the dump valves fail to open
as required, essentially the complete steam generator inventory is
available to leak into the primary circuit. On the other hand, if the
dump valves open but fail to reshut, not only the water inventory but
also some primary coolant will be transferred to the tank. However, no
radioactive release from this failure mode is predicted because the dump
tank is designed to withstand primary coolant pressure and is vented to
the liquid and gaseous radioactive waste subsystems. These independent
failure modes of the dump valves are the same as those derived for the
similar system described in Ref. C-3, except the only failure mode con
sidered was a failure of the dump valves to open. Additional descrip
tion of this subsystem is given in Section 6.2.7.
In addition to these independent failure modes, success of steam
generator dump is conditioned upon the outcome of previous events. As
mentioned in Section C.7.2, automatic dump occurs only if the moisture
monitors have successfully detected the ingress. If the moisture moni
tors have failed in event 2, operator action is required to actuate the
dump. Further, steam generator dump is only considered if isolation
successfully occurs. Failure to isolate the steam generator renders any
subsequent dump valve actions ineffectual, relative to the impact of
open isolation valves, in determining the accident consequence.
Finally, the failure probability for event 8 is approximately
one-third lower in the branch where moisture monitor detection and steam
generation isolation are successful. In this case, the failure proba
bility also considers that either of the two redundant set of valves
could be repaired with the 13 h avaiiab1e before the primary relief
system valve lifts.
C-64 DOE-HTGR-86-011/Rev. 3
C.7.9. Steam Generator Pressure Response
Following a moisture ingress, it is expected that the steam genera
tor will be isolated and its inventory dumped as previously discussed in
this section. However, if the steam generator feedwater valves fail to
successfully isolate, the steam generator pressure may increase. The
manner in which the plant is designed to relieve steam generator pres
sure has the potential of providing an activity release path into the
environment. Thus, the steam generator pressure response is considered
in event 9 to assess these potential mechanisms for activity release.
The first branch shown in event 9 of Fig. C-8 considers the proba
bility that steam is successfully bypassed from the steam generator to
the condenser. Note that the success of this bypass requires not only
that the steam bypass valve open, but also that the feedwater control
valve function to limit the amount of feedwater entering the steam gen
erator. If this bypass fails, the resultant pressure transient will
cause one of the two steam generator relief valves to lift. The latter
two branches in event 9 consider the steam generator relief train
response. The proper operation of the relief valve is considered. in the
second branch of event 9. In sequences where this event branch is suc
cessful, the steam generator pressure is reduced by steam, which is
vented directly to the environment during the short period of time the
relief valve is open. However, if the relief valve fails open, not only
is the steam released, but as the steam pressure is lowered to the pri
mary system pressure, primary coolant may also exit through the steam
generator relief line. The probability of radioactivity being released
through this path is considered in the last branch of event 9.
C.7.10. Shutdown Cooling System Cooling Succeeds
Following the steam generator leak, HTS cooling is lost as the
steam generator is isolated and the main loop tripped. Responding to
this, the PPIS acts to restore primary coolant flow by starting the SCS.
C-65 DOE-HTGR-86-011/Rev. 3
Event 10 considers whether or not the SCS is successfully started; and
if it is started, whether it runs until HTS cooling is restored.
In those sequences with successful trip, steam generator isolation,
and steam generator dump, the operation of the SCS serves to reduce the
probability of pressurized conduction cooldown. In sequences involving
isolation or dump failure, SCS cooling serves to prevent the combination
of an increased primary circuit inventory (due to the added moisture)
and higher than normal temperatures (which result from a pressurized
conduction cooldown) from lifting the primary coolant relief valve.
Finally, in those sequences where the primary coolant circuit depres
surizes, SCS cooling can mitigate the resultant doses by preventing
thermally induced fission product release from the fuel.
Using the detailed failure model described in Section 6.2.2 and
quantified in Section C.2, the probability of not successfully starting
the required equipments for SCS operation is calculated.
Even after the SCS starts, event 10 is not judged as successful
unless SCS cooling is maintained until HTS cooling is restored. The
fault tree models of Section 6.2.2 are requantified to assess the run
ning reliability of the SCS. These system reliabilities are expressed
as probability densities, combined with a complementary cumulative dis
tribution function for HTS restoration and integrated over time. The
probability that the SCS fails to run for the required time is added to
the probability that they fail to start as the total failure probability
for event 10.
In the branch near the top of Fig. C-8 in which moisture monitor
detection and steam generation isolation are successful, but in which
the steam generator dump system fails, the probability of the SGS fair
ing to provide forced cooling can be seen to be somewhat lower than
elsewhere in the tree. In this case, failure of SCS cooling is defined
as not only the SCS failing to start or failing to run but also that it
C-66 DOE-HTGR-86-011/Rev. 3
is not restored in the 13 h available for repair prior to the primary
coolant relief valves lifted.
Further discussion of the SCS reliability is provided in
Section C.2.4.
C.7.11. Cooling Provided by RCCS
Should SCS cooling fail, the MaTGR is capable of rejecting shutdown
heat loads by conduction, localized convection, and radiation to the
reactor vessel wall Where radiation and convection carry the heat to the
air-cooled RCCS panels. In event 11, the probability that the RCCS is
successful in providing cooling is considered.
Success of the RCCS is defined as the system continuing to operate
until either
1. One of the two forced core cooling modes is restored (main
loop cooling or the SCS).
2. Decay heat levels are sufficiently low so that a subsequent
loss of cooling would not lead to temperatures threatening
vessel integrity.
Since the system is continuously operating during normal operation of
the plant, no change of state or other equivalent to a "failure to
start" exists.
As discussed in Section 6.2.5, no expected meteorological or oper
ating conditions have been identified which could preclude RCCS opera
tion. Only failures involving the extremely unlikely major structural
collapse of the safety-related RCCS have been identified as capable of
causing RCCS flow blockage. As an estimate of this very low failure
C-67 DOE-HTGR-86-011/Rev. 3
probability, 1 x 10-6 per module with an uncertainty factor of 10 has
been assigned to event 11.
C.7.12. Primary Relief Train Response
Preliminary calculations indicate that as long as SCS cooling is
maintained, the probability of a small steam generator leak producing
primary circuit pressures high enough to require relief is negligible.
Thus, the possibility of opening the primary relief train is only con
sidered in sequences that include SCS cooling failure. For these sce
narios, the probability that the relief train remains closed is the
probability that the operator intervenes before the relief valve set
point is reached. There is a small probability that a primary circuit
relief valve setpoint is miscalibrated low or drifts sufficiently low,
so that the primary circuit pressure rise causes the relief valve to
lift. This possibility is considered in the evaluation. Given that the
relief valve setpoint is reached, the probability that the relief valve
fails open is provided in Appendix B. An estimated common mode factor
of 0.1 is assumed to quantify the probability that both relief trains
fail closed after being challenged to relieve pressure at their
setpoint. (Also, see Section 6.2.9.)
C.8. ACCIDENTS INITIATED BY MODERATE STEAM GENERATOR LEAKS
MOderate steam generator leaks are defined as any leaks which
introduce moisture to the primary coolant at a rate of between 0.05 kg/s
(0.1 lb/s) and 5.7 kg/s (12.5 lb/s). The upper bound of 5.7 kg/s was
selected because it corresponds to the leak rate of a single offset
steam generator tube rupture; and the available data (Ref. C-3 and
Appendix B) suggest that the probability of a larger size leak occur
ring is very small. Distinguishing between small and moderate steam
generator leaks is phenomenologically important due to inherent dif
ferences in occurrence rates and response times. Whereas small steam
generator leak transients progress slowly, provide relatively long
C-68 DOE-HTGR-86-011/Rev. 3
operator response times, and concomitant high probabilities of success
ful operator intervention, moderate leak transients develop much more
rapidly. As a result, operator intervention that could otherwise pre
vent or mitigate offsite doses are less likely.
Water ingress is selected as an initiating event because of the
potential for primary coolant release due to relief valve venting and
for incremental fuel releases due to chemical attack (hydrolysis) of the
fuel. Furthermore, for the more severe ingress rates discussed in this
section, water ingress is of interest due to its reactivity effect on
the core. Given that such a leak occurs, the way the various plant sys
tems respond to the transient is depicted by the event tree shown in
Fig. C-9. Note that Fig. C-9 is organized slightly differently than
Fig. C-8. This recording better reflects the' manner in which transients
initiated by the larger-sized leaks are expected to progress. Many of
the sequences in Fig. C-9 result in no dose. Only in those sequences
where certain protective functions are not performed subsequent to the
leak are offsite doses predicted. In the following subsections, the
quantification of the various branching probabilities within the tree
and the frequency of these various scenarios or event sequences are
discussed.
C.8.1. Steam Generator Leak Frequency
A methodology for predicting the frequency of steam generator tube
leaks is presented in Table B-2 Appendix B. The model is based upon
boiler operating experience in both nuclear and nonnuclear power sta
tions. Where possible, British and U.S. HTGR experience has been incor
porated to account for differences in the operating environment. As
shown in Section C.7.1, employing this method for an MHTGR steam genera
tor leads to predicting a total frequency at which leaks of any size
occur of 0.1 per steam generator year. Reference C-3 indicates that
approximately 10% of all HTGR steam generator leaks would be expected
to exceed 0.05 kg/s (0.1 1b/s). The frequency of moderate leaks is
C-69 DOE-HTGR-86-011/Rev. 3
assessed at 0.01 per steam generator year. Taking into account the four
steam generators in the four module standard plant, the frequency of
event 1 occurring is assessed at 0.04 per plant year.
Of these moderately sized steam generator leaks, only a very few
are as large as the upper bound leak flow. Again, based upon informa
tion in Ref. C-3, it is predicted that a moderate size leak has an
average ingress rate of approximately 1.2 kg/s (2.6 1bm/s), and less
than 30% of the moderate sized leaks exceed this mean value.
C.8.2. MOisture MOnitor Detection
To limit the impact of possible steam generator tube leaks and
the resulting ingress of moisture to the primary coolant system, each
module has an installed moisture monitor. If high moisture levels are
detected, the moisture monitor can give indication to the control room
operators; or, if levels become excessive, the moisture monitor can pro
vide a signal to the PPIS which in turn initiates reactor trip, main
loop trip, steam generator isolation, and steam generator dump. Event 2
in Fig. C-9 considers whether the moisture monitor successfully detects
the ingress condition of event 1.
From Ref. C-3, the probability that the moisture monitors were
unavailable was assessed as 1 x 10-3 • This failure probability was
based on a moisture monitor failure rate of 1.4 x 10-4 per hour, a com
mon mode failure factor of 0.09, and a mean fault duration time of 12 h.
In utilizing this model, this assessment assumes that the moisture moni
tor design for the MHTGR will prove to be similar to that envisioned for
the large HTGR.
If the moisture monitors fail to function successfully, other trip
setpoints in the PPIS will initiate protective actions. Specifically
engineered as backup protection against water ingress, high primary
coolant pressure will cause reactor trip and steam generator isolation.
C-70 DOE-HTGR-86-011/Rev. 3
However, only moisture detection can automatically trigger steam gener
ator dump. Therefore, should these monitors fail, operator intervention
is required to dump the steam generator water inventory to the dump
tank. (Also see Section 6.2.6.)
C.8.3. Reactor Trip on High Moisture
Steam and water leaking from a failed steam generator to the
primary coolant results in increasing moisture content in the primary
coolant. At 1000 ppmv, the PPIS is designed to shut down the reactor by
inserting the outer control rods into the core. Event 3 considers the
probability of successfully shutting down the reactor on high moisture.
Of course, failure of the moisture monitor to detect the leak in
event 2 precludes tripping the reactor on high moisture. In addition,
failure to trip might result from common mode failure of the control rod
drives, common mode failure of the scram contactors or common mode fail
ure in the PPIS scram logic. In cases in~olving a rapid pipe rupture,
a rise in core power due to the water's reactivity effects may cause
the reactor to trip on power to flow before the moisture set point is
reached. However, steam generator isolation is not initiated until the
PPIS detects high moisture levels. Quantification of the equipment
failures in event 6 is performed using the individual trip reliability
given in Appendix B.
C.8.4. Reactor Trip on High Pressure
In addition to increasing moisture level in the primary coolant
circuit, the moisture ingress results in a rise in primary coolant pres
sure. The PPIS monitors this parameter and is designed to shut down the
reactor by inserting the control rods into the core if it exceeds its
designated setpoint. Therefore, where high moisture is not successfully
detected, a high pressure signal is available to trigger reactor trip.
Note that a high pressure trip will be delayed approximately 6 min
C-71 DOE-HTGR-86-011/Rev. 3
before the ingress will cause primary pressure to exceed the PPIS trip
setpoint. In addition, the primary coolant pressure high setpoint will
also, after a 30-s delay, trigger a backup shutdown using the RSCE.
Event 4 considers the probability of successfully accomplishing shutdown
by the high pressure signal with either the control rods or the RSCE.
To detect high pressure, primary coolant conditions are monitored
by four redundant channels of the PPIS (see Section 4.12). Any com
bination of two of four channels can initiate a reactor trip. Beyond
failure of the sensors, failure to trip might result from common mode
failure of the control rod drives, common mode failure of the scram
contactors, or common mode failure in the PPIS scram logic. With simi
lar logic, failure of the RSCE to operate (if called upOd) , might result
from common mode failure of its independent pressure sensor channels,
failure of the PPIS, common mode failure of several RSCE hoppers, or
failure of the Class IE 120 V ac UPS or 125 V dc. In the cases of sen
sor, PPIS, scram contactor, or ac power failure, the operator may still
manually actuate either a control rod scram or the RSCE.
Quantification of equipment failures in event 4 is performed using
the individual trip reliability given in Appendix B. The quantification
is also dependent upon the outcome of previous events. Specifically,
success of inserting the outer control rods in event 4 is conditioned
by the probability that the failure in event 3 does not preclude rod
insertion.
For quantification of any operator actions taken to back up failed
equipments, the model for cognitive human errors given in Ref. C-ll is
utilized. This model assumes that the allowable time for the operator
to respond in sequences where automatic systems (e.g., the reactor trip
or steam generator isolation) fail, largely governs the operator failure
probability.
C-72 DOE-HTGR-86-011/Rev. 3
C.8.5. Steam Generator Isolation
The steam generator isolation system functions to limit the amount
of water that enters the primary circuit, given a steam generator leak,
by closing a set of feedwater and steam outlet block valves. In addi
tion to the set of block valves, the steam generator outlet can also be
isolated (against reverse flow) by a check valve. Three system failure
modes are considered in this event:
1. Only the feedwater valves fail open.
2. Only the steam valves (including the check valve) fail open.
3. Both sets of isolation valves fail open.
In Ref. C-3, each failure mode was evaluated by considering the failure
of two identical redundant subsystems. The subsystem failure probabili
ties were assumed similar to the values derived for systems analyzed in
Refs. C-3 and C-12 with two exceptions:
1. The probability that the steam valves fail open was obtained
from the failure probability assessed in Ref. C-12 and
adjusted for the conditional probability of a check valve
sticking (i.e., failing to reclose).
2. Given that the reactor is not tripped within five or fewer
minutes when the moisture monitors function properly, the con
ditional probability of an automatic steam generator isolation
system failure is governed by the probability that a PPIS
logic fault prevented outer control rod insertion (as
assessed in Ref. C-12).
If the reactor fails to trip, despite success of the moisture moni
tors to detect the leak, the likelihood of both the steam and feedwater
isolation valves failing to close is decreased. This is because of the
increased likelihood that the cause of the reactor failing to trip is an
C-73 DOE-HTGR-86-011/Rev. 3
actuation logic failure that would also prevent the steam generator
isolation signal.
C.8.6. Delayed Steam Generator Isolation
Even if the automatic isolation considered in event 5 is unsuccess
ful, the steam generator can still be isolated and the in1eakage termi
nated by either operator intervention or PPIS response to a high primary
coolant pressure. The probability that the steam generator is success
fully isolated by these secondary mechanisms is considered in event 6.
As stated, steam generator isolation in event 6 can be accomplished
by either PPIS reaction to high primary coolant pressure or operator
action. Quantification of this branching probability is conditioned by
the probability that the failure to isolate in event 5 was due to fail
ure that would also affect success in event 6. For example, failure of
the isolation valves in event 5, given a shutdown signal was triggered
by high moisture, will preclude success of a second PPIS signal trig
gered by high pressure in event 6. In this case, only operator action
is accounted for in the analysis. The probability of successful opera
tor action increases rapidly after 20 to 30 min. In those event
sequences where immediate isolation has not occurred because of a mois
ture monitor failure, the high pressure reached after a 6 min delay is
expected to terminate the ingress.
The probability of isolation as a result of high primary coolant
pressure is calculated, as in the preceding event, using the models of
Refs. C-3 and C-12. The operator response model, also discussed in
Section C.7.4, is taken from Ref. C-ll.
C.8.7. Steam Generator Dump Occurs
Following successful isolation of the steam generator, the PPIS is
designed to further limit the ingress of water to the primary coolant by
C-74 DOE-HTGR-86-011/Rev. 3
diverting most of the steam generator water inventory to the dump tank.
Event 8 considers the likelihood of this mitigating action successfully
occurring.
Dumping the steam generator is accomplished by first opening a set
of valves located between the steam generator and the dump tank and then
reshutting them as the pressure within the steam generator approaches
that of the primary coolant. If the dump valves fail to open as
required, a relatively' larger amount of water than would occur
otherwise, will enter the primary circuit as essentially the complete
steam generator inventory is available to leak. On the other hand, if
the dump valves open but fail to reshut not only the water inventory but
also some primary coolant will be transferred to the tank. However, no
radioactive release from this failure mode is predicted because the dump
tank is designed to withstand primary coolant pressure and is vented to
the liquid and gaseous radioactive waste subsystems. These independent
failure modes of the dump valves are the same as those derived for the
similar system described in Ref. C-3, except the only failure mode con
sidered was a failure of the dump valves to open. Additional descrip
tion of this subsystem is given in Section 6.2.7.
In addition to these independent failure modes, success of steam
generator dump is conditioned upon the outcome of previous events. As
mentioned in Section C.8.2, automatic dump occurs only if the moisture
monitors have successfully detected the ingress. If the moisture moni
tors have failed in event 2, operator action is required to actuate the
dump. Further, steam generator dump is only considered if isolation
successfully occurs. Failure to isolate the steam generator renders any
subsequent dump valve actions ineffectual, relative to the impact of
open isolation valves, in determining the accident consequence.
C-7S DOE-HTGR-86-011/Rev. 3
C.8.8. Steam Generator Pressure Response
Following a moisture ingress, it is expected that the steam genera
tor will be isolated and its inventory dumped as previously discussed in
this section. However, if the steam generator feedwater valves fail to
successfully isolate, the steam generator pressure may increase. The
manner in which the plant is designed to relieve steam generator pres
sure has the potential of providing an activity release path into the
environment. Thus, the steam generator pressure response is considered
in event 8 to assess these potential mechanisms for activity release.
The first branch shown in event 8 of Fig. C-9 considers the proba
bility that steam is successfully bypassed from the steam generator to
the condenser. Note that the success of this bypass requires not only
that the steam bypass valve open, but also the feedwater control valve
function to limit the amount of feedwater entering the steam generator.
If this bypass fails, the resultant pressure transient will cause one of
the two steam generator relief valves to lift. The latter two branches
in event 8 consider the steam generator relief train response. The
proper operation of the relief valve is considered in the second branch
of event 8. In sequences where this event branch is successful, the
steam generator pressure is reduced by escaping steam, which is vented
directly to the environment during the short period of time the relief
valve is open. However, if the relief valve fails open, not only is the
steam released, but as the steam pressure is lowered to the primary sys-
tem pressure, primary coolant may also exit through the steam generator
relief line. The probability of radioactivity being released through
this path is considered in the last branch of event 8.
C.8.9. Shutdown Cooling System Cooling Succeeds
Following the steam generator leak, BTS cooling is lost as the
steam generator is isolated and the main loop tripped. Responding to
this, the PPIS attempts to restore coolant flow by starting the SCS.
C-76 DOE-BTGR-86-011/Rev. 3
Event 9 considers whether or not the SCS is successfully started; and
if it is started, whether it runs until HTS cooling is restored.
In those sequences with successful trip, steam generator isolation
and steam generator dump, the operation of the SCS serves to reduce the
probability of pressurized conduction cooldown. In sequences involving
isolation or dump failure, SCS cooling serves to prevent the combination
of an increased primary circuit inventory (due to the added moisture)
and higher than normal temperatures (which result from a pressurized
conduction cooldown) from lifting the primary coolant relief valve.
Finally, in those sequences where the primary coolant circuit depres
surizes, SCS cooling can mitigate the resultant doses by preventing
thermally induced fission product release from the fuel.
Using the detailed failure model described in Section 6.2.2 and
quantified in Section C.2, the probability of not successfully starting
the required equipments for SCS operation is calculated.
Even after the SCS starts, event 9 is not judged as successful
unless SCS cooling is maintained until HTS cooling is restored. The
fault tree models of Section 6.2.2 are requantified to assess the run
ning reliability of the SCS. These system reliabilities are expressed
as probability densities, combined with a complementary cumulative dis
tribution function for HTS restoration and integrated over time. The
probability that the SCS fails to run for the required time is added to
the probability that they fail to start as the total failure probability
for event 9.
Further discussion of the SCS reliability is provided in
Section C.2.4.
C-77 DOE-HTGR-86-011/Rev. 3
C.B.10. Cooling Provided by RCCS
Should SCS cooling fail, the MHTGR is capable of rejecting shutdown
heat loads by conduction, localized convection, and radiation to the
reactor vessel wall where radiation and convection carry the heat to the
air-cooled RCCS panels. In event 11, the probability that the RCCS is
successful in providing cooling is considered.
Success of the RCCS is defined as the system continuing to operate
until either
1. One of the two forced core cooling modes is restored (main
loop cooling or the SCS).
2. Decay heat levels are sufficiently low so that a subsequent
lQsS of cooling would not lead to temperatures threatening
vessel integrity.
Since the system is continuously o~erating during normal operation of
the plant, no change of state or other equivalent to a "failure to
start" exists.
As discussed in Section 6.2.5, no expected meteorological or oper
ating conditions have been identified which could preclude RCCS opera
tion. Only failures involving the extremely unlikely major structural
collapse of the safety-related RCCS have been identified as capable of
causing RCCS flow blockage. As an estimate of this very low failure
probability, 1 x 10-6 per module with an uncertainty factor of 10 has
been assigned to event 11.
C.B.11. Primary Relief Valve Response
One difference in the MHTGR response to small and moderate steam
generator leaks is that maintaining SCS cooling subsequent to a moderate
C-7B DOE-HTGR-B6-011/Rev. 3
leak is not, by itself, sufficient to preclude primary relief train
opening. However, given that the primary relief train setpoint is
reached, the probability of each particular relief train response is
the same as the probabilities generated for the small steam generator
leak tree. (See Sections C.7.8 and 6.2.9.) Successful steam generator
isolation and dump also is expected to prevent a challenge to the pri
mary coolant relief trains, regardless of the status of SCS cooling.
The small probability of substantial relief valve setpoint miscalibra
tion or drift low, that might still cause the relief valves to be
challenged is considered in the analysis.
C. 9 • UNCERTAINTY TREATMENT IN FREQUENCY ASSESSMENT
Event sequence frequencies in Appendix C are calculated by multi
plying the initiating event frequency by the probability of subsequent
events in the sequence. Initiating event frequencies and branching
failure probabilities were assessed by combining system and component
failure data consistent with the system descriptions and fault trees in
Section 6. However, because there is uncertainty in this data, it is
important to obtain the proper combinations and to assess and propagate
their uncertainties. This section describes the types of uncertainties
included in the frequency assessment, how these uncertainties were
. incorporated, and the final uncertainty distributions calculated for the
sequence frequencies in each of the Appendix B release categories.
C.9.1. Uncertainties Considered
Historically, in the context of PRAs, the term "uncertainty" has
been applied to two different concepts (Ref. C-16):
1. Random variability in a parameter or measurable quantity.
2. Imprecision in the knowledge about a model, its parameters, or
predictions.
C-79 DOE-HTGR-86-011/Rev. 3
The difference between these two concepts is best illustrated by noting
that an enlargement of the data base may improve precision in the latter
concept but cannot affect the fundamental random variability, although a
numerical assessment of that variability can be made more precise. As
noted in Ref. C-16, it is desirable to have some quantitative measure of
uncertainty and random variability although it is not always easy to
separate the two concepts.
Both of these concepts are recognized and incorporated in this risk
assessment. Although the current HTGR reliability data base does sepa
rate different types of component failure mechanisms, sufficient detail
is generally not provided to allow variability and imprecision to be
treated in separate and distinct fashions. Instead, the data, which is
based upon industry wide experience, is averaged, resulting in the ran
domness being incorporated into the data's uncertainty distribution.
This uncertainty distribution is represented by one of several methods.
Where possible, a mathematically defined distribution (i.e., normal,
log-normal, etc.) is utilized. However, in cases where it is not pos
sible to use an easily-defined distribution, the distribution was either
described tabularly or a technique was employed in which the distribu
tion was split at its median value and each half modeled separately.
The uncertainty in the component failure models and probabilities
were combined utilizing the Monte Carlo sampling process contained in
the STADIC-2 code (Ref. C-2). Essentially, the STADIC-2 code selects
one pseudo-random value from each input variable's statistical distribu
tion and mathematically combines this set of sample variables as desired
to represent a sequence frequency or event probability. This process is
repeated for a large number of samples, thus generating a statistical
distribution for the desired output function (an event probability or
sequence frequency).
C-80 DOE-HTGR-86-011/Rev. 3
The importance of including uncertainties in a risk assessment has
been recognized in many PRAs (Refs. C-6, C-7, and C-8) because it incor
porates the probability that uncertainties combine in the worst, as well
as the best, possible manner. Its impact is evidenced in this assess
ment by noting the difference between the event sequence frequencies and
numbers obtained by simply multiplying together the median values in the
event trees of this appendix.
C.9.2. Uncertainty Distributions for Release Category Frequencies
The distributions for the several event sequences which may make up
a single release category have been added using STADIC-2 to estimate the
frequency distributions for each release category described in Appen
dix B. These release category distribution parameters are summarized in
Table C-2 along with the dominant event tree sequence contributing to
the release category. The mean value identified in column 5 of
Table C-2 is a measure of the distribution's central tendency and is
calculated by STADIC-2 using an unbiased estimate for the true mean with
the formula
N
Y - L Yi (C-l) i=l
N
where Yi = the outcome of one of a total of N samples.
These mean release category frequencies are combined with the doses
given in Appendix B to assess the plant risk as discussed in Section 9.
C.10. REFERENCES
C-lo U.S. Nuclear Regulatory Commission, "Reactor Safety Study,"
NUREG-75/0l4, (WASH-1400), 1975.
C-8l DOE-HTGR-86-0ll/Rev. 3
TABLE C-2 RELEASE CATEGORY FREQUENCY UNCERTAINTY DISTRIBUTION PARAMETERS
Frequency Distribution Parameters for Release Category (per year)
Release Median Dominant (a) Category 5th Percentile 50th Percentile 95th Percentile Mean Sequence
DF-1 3.3 x 10-3 7.7 x 10-3 2.0 x 10-2 9.7 x 10-3 PC-BP DF-2 1.2 x 10-2 2.9 x 10-2 8.2 x 10-2 3.7 x 10-2 PC-BC DF-3 1.0 x 10-3 5.0 x 10-3 4.0 x 10-2 1.1 x 10-2 PC-AD DF-4 0.12 0.25 0.57 0.29 DC-AA
WF-1 2.1 x 10-9 2.0 x 10-8 1.8 x 10-7 4.7 x 10-8 MS-AX WF-2 1.4 x 10-7 1.7 x 10-6 1.2 x 10-5 3.5 x 10-6 MS-CC WF-3 8.3 x 10-8 6.4 x 10-7 4.2 x 10-6 1.2 x 10-6 MS-AW WF-4 4.5 x 10-6 3.3 x 10-5 2.1 x 10-4 6.1 x 10-5 MS-BU
DC-1 1.3 x 10-10 9.9 x 10-9 3.8 x 10-7 8.8 x 10-8 EQ-BD DC-2 1.4 x 10-9 2.3 x 10-8 2.6 x 10-7 8.2 x 10-8 HTS-AH,
0 PS-AK I co DC-3 6.2 x 10-9 1.7 x 10-7 2.5 x 10-6 7.2 x 10-7 EQ-BN N
DC-4 4.1 x 10-6 2.4 x 10-5 2.0 x 10-4 5.4 x 10-5 PC-AU DC-5 1.9 x 10-6 1.3 x 10-5 1.0 x 10-4 2.8 x 10-5 PC-BH DC-6 7.6 x 10-5 3.1 x 10-4 1.6 x 10-3 5.2 x 10-4 PC-AT DC-7 3.3 x 10-5 1.6 x 10-4 9.1 x 10-4 2.8 x 10-4 PC-BG DC-8 1.0 x 10-5 5.0 x 10-5 2.7 x 10-4 8.4 x 10-5 DC-BR
t=' DC-9 2.5 x 10-4 1.2 x 10-3 5.6 x 10-3 1.9 x 10-3 PC-AE 0
1.6 x 10-9 2.6 x 10-8 7.8 x 10-7 2.4 x 10-7 PI WC-1 SS-AF I
ei WC-2 1.8 x 10-9 3.5 x 10-8 1.5 x 10-6 3.2 x 10-7 MS-CF ~ WC-3 4.8 x 10-10 7.8 x 10-7 2.6 x 10-5 6.1 x 10-6 SS-AE I WC-4 1.3 x 10-9 2.0 x 10-8 6.9 x 10-7 1. 7 x 10-7 MS-AZ co 0\ WC-5 8.5 x 10-9 1.5 x 10-7 5.1 x 10-6 1.4 x 10-6 MS-AD I 0 WC-6 7.0 x 10-8 1.1 x 10-6 3.5 x 10-5 8.1 x 10-6 MS-CE .... .... WC-7 2.8 x 10-7 4.6 x 10-6 1.6 x 10-4 3.7 x 10-5 MS-AC -~ • <: . \.oJ (a) Event sequence estimated to have the highest frequency within the release category (see
Figs. C-1 through C-8).
C-2. Koch, P. K., and H. E. St. John, "STADIC-2, A Computer Program
for Combining Probability Distributions," GA Report GA-A16227,
July 1983.
C-3. Fleming, K. N., et a1., "HTGR Accident Initiation and Progression
Analysis Status Report Phase II Assessment," GA Report GA-A15000,
April 1978.
C-4. EqE, "Evaluation of Seismic and Wind Criteria for the Modular
HTGR Plant," Presentation to GCRA, San Diego, CA, August 13,
1986.
C-5. "Utility/User Requirements for Modular High-Temperature Gas
Cooled" Reactors," GCRA-011, Rev. 2 (Draft), November 1985.
C-6. Zion Probabilistic Safety Study, 1981, prepared for Commonwealth
Edison Company.
C-7. Seabrook Station Probabilistic Safety Assessment, 1983, prepared
for Public Service Company of New Hampshire and Yankee Atomic
Electric Company.
C-8. Millstone Unit 3 Probabilistic Study," August 1983.
C-9. "The Reactor Safety Study - An Assessment of Accident Risks in
U.S. Commercial Nuclear Plants," WASH-1400 (NUREG-75/014),
October 1975, Appendix III, Tables III 6-5 through 6-7.
C-10. "Forced Outage Assessment of the MaTGR," HTGR-86-069, September
1986.
C-11. Oswald, A. J., et a1., "Generic Data Base for Data and Models
Chapter of the National Reliability Evaluation Program (NREP)
Guide," EGG-EA-5887, June 1982.
C-12. Houghton, W. J., et a1., "Investment Risk Assessment of the HTGR
Steam Cycle/Cogeneration Plant," GA Report GA-A18000, September
1984.
C-13. Price, R. J., "Statistical Study of the Strength of Near
Isotropic Graphite," GA-A13955, May 1976.
C-14. "HTGR Accident Initiation and Progression Analysis Status
Report - Phase I Analyses and R&D Recommendations," ERDA Report
GA-A13617, Vol. IV, December 1975.
C-83 DOE-HTGR-86-011/Rev. 3
C-15. Care, L., R.S. Cow, and A. J. J. MacArthur, "Effects of Loss of
Grid Supply on U.K. Nuclear Power Stations," Presented at a
UKAEA/JAPC/CEGB/SSEB Meeting, 1975.
C-16. "PRA Procedures Guide, A guide to the Performance of Probabil
istic Risk Assessments for Nuclear Power Plants," NUREG/CR-2300,
January 1983.
C-84 DOE-HTGR-86-011/Rev. 3
EVENT I EVENT2 EVENTJ EVENT4 EVENTS EVENTI EVENT 7 EVENT 8 10 MEDIAN RELEASE PRIMARY LEAK SIZE REACTOR REACTOR HTS SCS RCCS HPS FREQUENCY CATEGORY COOLANT DISTRIBUTION SUCCESSFULLY SUCCESSFULLY OPERATES OPERATES OPERATES PUMPOOWN OF EVENT
LEAK OCCURS TRIPPED WITH TRIPPED WITH SUCCESSF ULL Y SUCCESSFULLY SUCCESSFULLY SEQUENCE CONTROL RODS RSCE (PER PLANT
YEAR)
0.Z6 0.68 -I 0.13 -I PC-AA 0.15 OF-4 ----- -----------3 I 10-5 IN.Z_ 2110-3 IN.Z 1110-3 PC-AS 2110-4 OF-3
o.n 0.17 0.91 PC-AC 3 I 10-2 DF-4 -----9 I 10-Z PC-AO 3 I 10-3 OF-3
3 I 10-2 -I 0.14 PC-AE 1.,0-3 OC-9
6 I 10-Z PC-AF 8. 10-5 OC-9
1110-& PC-AG < -------Z I 10-5 -1 0.1l -1 PC-AH Z I 10-& DF-4 -----------
1.10-3 PC-AI < --o.n 0.17 0.91 PC-AJ 3110-7 DF-4 -- ---
9.10-Z PC-AK 4 I 10-8 DF-J
3110-2 '-1 0.94 PC-AL 1110-8 DC-9
6 • 10-Z PC-AM < --1110-& PC-AN < ------
4 • 10-5 PC-AO < -------------------------0.16 -I O.ID -1 PC-AP 4.,0-2 DF-4 ----- -----------ZI ld-3 lN Z_
0.03 IN.Z . IIIO-J PC-AQ 4 I 10-5 DF-3
UO 0.17 0.11 PC-AR B I 10-3 OF-4 -- ---• I 10-2 PC-AS .110-4 DF-3
3 I 10-Z -I 0.14 PC-AT J I 10-4 OC-&
1110-2 PC-AU 2 I 10-5 OC-4
1110-1 PC-AV < -------Z I 10-5 I O.ID -1 PC-AW 5110-7 DF-4 -----------
1110-J PC-AX < --co CIt
D.ZO 0.17 0.11 PC-AY I I 10-- OF-4 -----0 :r-eo ~ii)
"'00 0 ~> ~ c:&j 0
a _. og
I- m-el) ~CD
0.0 CO ::s
II 10-2 PC-AZ < --» 3 I 11-2 PC-IA < --") -U» ----------.mZ 4.10-5 'PC-II < -------------------------t- :0 en 0.11 -I 0.1l -1 PC-IC 2111-Z DF-Z
~~ -i -i - ---- -----------
0.03 ~N.Z_ 1.10-3 PC-ID Z 1 10-. DF-Z I . em liN .
4110-3 :DO I.n 0.17 0.11 PC-IE DF-2 - - ---m 1110-2 PC-If 4110-4 DF-2
1 J.IO-2 -1 0.14 PC-IG 2 I 10-4 DC 7
1.10-2 PC-IH' I .10-5 DC-5
0 1111-& PC-II < -------
2110-5 -1 I.U -1 PC-IJ 31 10-7 DF-Z -----------1110-J PC-IK < --
\ .1 (") ">j J: I .... -I
OJ (JQ I lJ1 . 0
I.n 1.17 0.11 PC-IL 51 10-1 OF-Z - -----I I IO-Z PC-8M < --
0 (") ~ J.II-2 PC-IN • --I ~
...... 0 :::!
----------4 • 10-5
PC-IO < -------------------------o ~ o <
0 o ~ a ~::l ~ III rt I ::l :r: rt rt
3 I 10-Z -1 I.U PC-IP & • 10-J OF-I -- - -------------~-----llN.2f
13 IN. I.n '.17 PC-IO 1 • 10-3 DF-l -----------3. ,,-2 -1 PC-BR 5 • 10-5 DC-I -----
>..,j 1"1 G') ~
1 .10-& PC-IS • --' -- ---:;tJ ~ I
OJ HI
2 • 10-5 -1 0.13 PC-IT 1.,0-1 -------------------0\ 0 I 1"1
'.n 0.17 PC-IU 2.,0-1 OF-I -----------0 ...... "d ...... 1"1
3.,0-2 -I PC-IV < --- -'- --- .... :;tJ ~ ~
< 1"1 '<
4 • 11-1 PC-IW < ------------------------------------------------------------ PC-IX • --
" 13IN.2 w
EVENT 1 EVENT 2 LOSS OF REACTOR
HTS SUCCESSFULLY COOLING TRIPPED WITH
CONTROL RODS
2.6 -1
,
2 x 10-5
EVENT 3 EVENT 4 EVENT! EVENT 6 EVENT 7 EVENT 8 REACTOR SCS RCCS HPS COOLING NO. OF MODULES
SUCCESSFULLY OPERATES OPERAT S PUMPDOWN RESTORED EXPERIENCING TRIPPED WITH SUCCESSFULL Y SUCCESSF~LL Y PRIOR TO EVENT
RSCE VESSEL DAMAGE ! :
i I [
0.95
---~--------------0.79 ------
I (1 MODULE) ! 0.21
I (4 MODULES) 0.05 ""' 1 I 0.60 ------------! (1 MODULE)
0.09
; (2 MODULES) 0.04
: (3 MODULES)
I 0.27
I (4 MODULES) 3 x 10-6 0.93 0.94
I - - - --I (1 MODULE)
0.06 - ----(1 MODULE)
i 0.07 0.86
i - ----I (1 MODULE)
0.14 - ----(1 MODULE)
-1 0.97 -----------------------(1 MODULE) 0.03 --- 1 , -----------------
1 x 10-6 (1 MODULE)
~----------------4 x 10-5
" (1 MODULE)
..... >- - - - - - - - - -, - - ;JtN'S.EC - - - - - - -(;-M;D~E)
.PI=CTllnr-• -. II-
J..: CARD
Also Avaifable on~ Aperture Card
9503070163
ID MEDIAN RELEASE FREQUENCY CATEGORY
OF EVENT SEQUENCE (PER PLANT
YEAR)
HTS-AA 1.8 NONE
HTS-AB 0.47 NONE
HTS-AC 8 x 10-2 NONE
HTS-AD 1 x 10-2 NONE
HTS-AE 4 x10-3 NONE
HTS-AF 3 x 10-2 NONE
HTS-AG 4 x 10-7 NONE
HTS-AH 2 x 10':"8 DC-2
HTS-AI 2 x 10-8 NONE
HTS-AJ € -HTS-AK 3 x 10-5 NONE
HTS-AL 6 x 10-7 NONE
HTS-AM €
HTS-AN € --
HT -001 ('08)
Fig. C-2. Event tree for loss of main loop cooling
C-86 DOE-HTGR-86-011/Rev. 3
co ~
o to o .-...l o ... c CotO ,
C) w
() I
0:> ....,
t:1 o t>1 I
::r: t-3 G) ::0 I
0:> 0\ I a I-' I-' --::0 ~ <!
w
"'1 ~.
()Q
() I
W
t\) t>1 I» < 11 t\) rt ;:l ::rrt
..0 r:: rt III 11 ;>;"~ ~ ~
H1 0 11
:r -l I 0
~ -~
a 10
EVENT I EARTHOUAKE
>0.06,
EVENT 2 SEISMIC
INTENSITY RANGE
EVENTJ PRIMARY
BOUNDARY INTACT
EVENH HTS
COOLING
EVENT5 REACTOR TRIP WITH
RODS
EVENTi REACTOR TRIP WITH
RSCE
EVENT 1 SCS
CODLING
EVENT 8 RCCS
COOLING
EVENT 9 COOLING
RESTORED PRIOR TO VESSEL DAMAGE
10 MEDIAN FREOUENCY
OF EVENT SEOUENCE (PER PLANT
YEARI
RELEASE CATEGORY
It w tn-J NONE 16XIO-1/yr 0 0.8. Q -I Q 0.98 ______________ • _______________ +I_..;E;,;O;,.-.;,;A.;,;A __ I-...;;,....;,.... __ f-10.06 •• 0.2al
IXIO~ ..... -6 NONE
· ---. I NONE ., 10-4 1.14
2, 10-l 1.14 EO-AI -I -----1 I, 11-2 - - : - - - - - - - - EO-AC
f 1, 10-' c: = = = = +--E"'O;..-"'A.;.O---I-....;;.;;..;;:..---+-
-I ___________ +I_.:;EO:..;-.:.AE:.....-+_.::..:..:.::...._+ __ ::.::.::.....~
I , 11-2 0- __________ tl...;E;;:,O-;,:;A.:.,.F _+-_::"""_+--==---1 I, It-I EO-AG
~";"';';'--o-- - - - - - - - - - - - - - - - -I-----I--...;....-+-......;;;;;;;;;;;.~ 2 x 10-1 :> ___________________________________ ,1_..;.;EO;.-.;.A;;;H~ __ r-_..;.; __ +_-"'='---I
-I 0.10 • , 10-2 •.•• -4 NONE
"IO-~ •.•• -5 ~
EO-AJ
_____________________________ -t1_....;;.EO;.-"'A,;;,I_.....,f-..;.,;;,.;.~_+-
10.2 •• 0.411 ,-_..;';;;.3;,;0 __ 0<;0 - I ____ _ 0.12
~ -----------I , 11-2 -I _____ -t-~EO;;"-";,;,AK"___+-,;,,..;,,,;,:;,..--+-
f 3, 10-6 0- ____ -t-~EO;;,,-..:;;A:..L _+_""':"_-1_ • ~ •• -1 NONE • __ 3_'_',;,,0-_3__ -I 0.12 "I~....;E.;,O_-A;:M::.._+_..;.,.;;,..;; __ +-
Q Q -----------,
· •• _1 NONE 1,11-2 0 -I _____ ,1_,,;E:;,:O;.-.:;A~N ___ r-...;:.::..:.::....._+_..:::::::.::..---1
3 , 10-6 EO-AD
5,,0-1 ____________ +I_...:E,::,O-::A:,::,P_-+_""": ___ +_==--I 5, 10-1 0- __________________________________ -i1_....;;.EO;.-..;A;,;O:,,-_r-_"':' __ +_-==:"--I
EO-AS
2 , 10-2 0 -I 0 O.ll _____________________________ .II-....:E.:;O;,.-;,;A;,;R __ I-....:;,....;,.... _ _I'-
10.4 •• O.Bul
-----1 0.11 --~,-------- EO-AT
f .. __ ,;,6;"..;10..;-.6 __ ----- ~-.;,EO;.-..;A..;U--f-~~~-~-- 0-----
VI -I D.11
h 10-3 9 -I 9 O.ll ____________ +I_....:.EO;.-..;A;:,.V..;._+-_..::..::.:.:. __ +-0.11 0 -I ______ -+I_E;;,;;O..;:-A,;;,;W_+..;.,;;",;,;;_-+_;,;.;,.;;~_I
• ~ •• -5 NONE
4"D-~ · .~-, NONE
___ 7 I NONE
•• -8 I NONE
ax 10-6 C- _____ ~I ---:E;,;:.O-",;;A;,;:.X -+--";";'-~......;=~-l
2,,0-5 I EO-AY L-----_o- - - - - -. - •• -- - - - - --+......;.:;;,...;:.:.--+-...;;,.--+--=~-I
l,'0-3 "0':5-4:>- ~ .-'0--'- - - - - -:-:-:--=--: .. - - - - =--:----~~--= .. -- --------1 ::~:: 1--T'-~O~1d---N(fNE-I~ (0.8 to 2.011 0 0 - - - - - - - - - - - - - - - - - - - - - - - - - ----- -+--=".;,;,..;.--+---,;,,;,.:.:.--+--..::.::;,:,:;--
0.96 0 0.96 _____ -Q 0.31 ____________ +1_..;E;,;;0..;-,;,8 8~_+-__ ;,;;";,;;,,,_-+_ , _ tn-6 NONE
< ..• n-6 0.63 0 0.99 __ ----+I---'E""O-....:B·,;;"C--f-"""'-"""'--+- NONE
",0-2 0.65 EO-BO 2 x IO-B NONE
0.35 EQ-BE 1" 10-8 OC-l
... _R 4x10-2 0 0.96 0 0.37 ____________ -1If-....;E::O;;,-B::;F..;._~-..::..::...:.::.-- NONE
•• -1 NONE 0.13 0 0.99 ______ +1...;E;;:,0-;"::8;:,,G _~...,;,,;;,.:.:.._+----:.:.:::;,:,:;. __
",0-2 0- ____ +I_E=.::O:;::-B:;.:H_+_....::.._-+_-==-__
4 , 10-2 0 0.37 ____________ +I_;;,;;EO:...-B:.:.I_+_"",,,-_-+_-=~ __
0.63 0- ___________ ~I---:E:.::..O-:.::;8J~+_"':"'_-+----':=---I
5,,0-2 4 x 10-2 I En-BK 2, 10-8 NONE L.-":';;";~---<O :>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +----''''-'''''--t----t---.;;.;;...;.;;.--I
EO-BL NONE
-----1 0.63 - - 0:9- --= = = = = ~ I EO··8M 3, 10-1 OC-3 r ",0-2 0- _____ t._...;E;,;O;",-,.;;8.;.;N __ t--____ --i _____ -i
0.96 0.31 0.96 1 x 10-7
1.--.;..4 _' '_0-_2 _ 0.96 0.31 I-.!.E::.:O-:!!:BO:!...--+_....::.._-+_-=~-I o 0 ------------~
0.63 :> ____________ +I....;.:EO=--B=-P _-+-_~--+_..,;;,;;~~
4,,0-2 EO-BO 0- ________ - --- - ____ ,J,. __ ;.;",=_ ..... _____ ...I.. __ ,,;;,;_~
> » »Ci) "CO -0» CD» omz :::1< »:D(J) ~tu CD;::': :0-1-1 ()~ Oem m-.... <t> :DO 0.0
::-:J m
10-3 > t,)
Z &.1.1 :I CI &.1.1
10-4 a: ~
&.1.1 5% HAZARD t,)
z cr: Q &.1.1
10-5 &.1.1 t,)
>< &.1.1 ..... cr: :I Z z 10-6 cr:
~EXTRAPOLATED
, ,) \ ~ \ \ \ \ \ \ \ , \ \ \ \ ,
1 2 10
PEAK GROUND ACCELERATION, 9
HT-001(110)
Fig. C-4. MHTGR site seismicity curve
C-88 DOE-HTGR-86-011/Rev. 3
n I
00 \0
t::I o P:I I
~ ~ I 00 0\ I o ...... ...... -~ . to.)
EVENT 1 LOSS OF
OFFSITE POWER AND BOTH
TURBINES TRIP
5 x 10-3/YR
HT-001l111l
EVENT 2 REACTOR
SUCCESSFULLY' TRIPPED WITH
CONTROL RODS
-1.00
6 x 10-5
EVENT 3 EVENT 4 EVENT 5 NO.OF ID REACTOR SHUTDOWN RCCS MODULES
SUCCESSFULLY COOLING SYSTEM OPERATES EXPERIENCING TRIPPED WITH OPERATES SUCCESSFULL Y EVENT
RSCE SUCCESSFULL Y
0.99 LOSP-AA ----- -----1 x 10-2
(4 MODULES) -1.00 0.69 LOSP-AB
(1 MODULE) 0.02 LOSP-AC
(2 MODULES) 0.02 LOSP-AD
(3 MODULES) 0.27 LOSP-AE
3x 10-6 (4 MODULES)
LOSP-AF ..JI't. _____
11 MODULE) -1.00 0.99 . LOSP-AG -----------
6 x 10-3 (1 MODULE)
LOSP-AH -. ----------4x 10-5
(1 MODULE) .... LOSP-AI ----------------11 MODULE)
Fig. C-S. Event tree for loss of offsite power
MEDIAN RELEASE FREQUENCY CATEGORY
OF EVENT SEQUENCE (PER PLANT
YEAR)
5 x 10-3/yn NONE
4x 10-5/yn NONE
9 x 10-7/yn NONE
1 x 10-6/YR NONE
1 x 10-5/YR NONE
€ --3x 10-7 NONE
€ --€ --
EVENT 1 EVENT 2 EVENT 3 EVENT 4 EVENT 5 EVENT 6 EVENT 7 EVENT B EVENT 9 NO. OF 10 MEDIAN RELEASE
) ANTICIPATED REACTOR REACTOR OPERATOR HTS SCS RCCS - HPS RESTORATION MODULES FREQUENCY CATEGORY TRANSIENT SUCCESSFULLY SUCCESSFULLY SUCCESSFULLY OPERATES OPERATES , OPERATES PUMPDOWN OF COOLING EXPERIENCING OF EVENT
OCCURS TRIPPED WITH TRIPPED WITH TRIPS SUCCESSFULLY SUCCESSFULL yi SUCCESSFULLY EVENT SE~UENCE
CONTROL RODS RSCE REACTOR (PER PLANT YEAR)
27 ...... 1 0.90 0.3 RS-AA B.l NONE ------------ ------------------------ (1 MODULE) 0.3 RS-AB 7.7 NONE
, ANSTEC (2 MODULES) , APERTURE 0.4 RS-AC 9.5 NONE
(4 MODULES) 0.10 0.95 . CARD .. 0.79 RS-AD 2.0 NONE
-----~------------! (1 MODULE)
Also Avaflable on 0.21 RS-AE 0.50 NONE
Aperture Card (4 MODULES) 0.05 I
....... 1 0.60 RS-AF B x 10-2 NONE ----------- .... (1 MODULE)
0.09 RS-AG 1 x 10-2 NONE
(2 MODULES) 4 x 10-3 0.04 RS-AH NONE
i (3 MODULES) i i 0.27 RS-AI 3 x 10-2 NONE .
(4 MODULES) 3 x 10-6 0.94 0.94 RS-AJ 2x10-7 NONE
(1 MODULE) 2 x lO-B 0.06 RS-AK DC-2
(1 MODULE) 2 x lO-B 0.06 0.86 RS-AL NONE
(1 MODULE) 0.14 RS-AM E --
3x 10-5 (1 MODULE)
3 x 10-5 ...... 1 0.96 : RS-AN NONE ------ -----------------------j
(1 MODULE) 3 x 10-5 0.04 0.97 RS-AO NONE -----------------I (1 MODULE)
0.03 ....... 1 RS-AP 1 x 10-6 NONE -----------1 x 10-6
(1 MODULE) RS-AO E -------------
4 x 10-5 (1 MODULE)
1 x 10-B 0.B3 RS-AR NONE ---- -- - - - - - .. - - - - - - - - - - - - - - - -- (1 MODULE)
0.17 RS-AS E ------------- .. _----------------(1 MODULE)
HT-001 (112)
9503070163 -0 Fig. C-6. Event tree forATWS
C-90 DOE-HTGR-86-011/Rev. 3
o I
\D .....
t::I o tz:I I
~ ~ I
00 0\ I o ..... ..... -::d CD <: . VJ
EVENT 1 CONTROL ROD
GROUP WITHDRAWAL
0.10
HT -001(113)
EVENT 2 REACTOR
SUCCESSFULLY TRIPPED WITH
CONTROL RODS
-1
1 x 10-5
EVENT 3 EVENT4 EVENT 5 EVENT& NO.OF 10 REACTOR HTS SCS RCCS MODULES
SUCCESSFULL Y OPERATES OPERATES OPERATES EXPERIENCING TRIPPED WITH SUCCESSFULL Y SUCCESSFULL Y SUCCESSFULL Y EVENT
RSCE
0.99 1 RW-AA ----- -----------• x 10-3 0.97 1 RW-AB - ----
3 x 10-2 -1 1 RW-AC
1 x 10-& 1 RW-Ao
-1 0.99 1 RW-AE -----------• x 10-3 0.97 1 RW-AF
t -----3 x 10-2
~ ---- 1 RW-AG
3 x 10-5 1 RW-AH ------------------
Fig. C-7. Event tree for control rod group withdrawal
MEDIAN RELEASE FREQUENCY CATEGORY
OF EVENT SEQUENCE IPER PLANT
YEAR)
0.10 NONE I
9 x 10-4 NONE
3 x 10-5 NONE
€ --1 x 10-6 NONE
1 x 10-8 NONE
€ --€ --
C) I
\D N
I:' o trl I
::c t-j GJ :::0 I
(Xl
0\ I o ...... ...... --:::0 It)
<:
w
EVENT I SMALL
S/G LEAk OCCURS
EVENT 2 MOISTURE MONITOR
DETECTION
EVENT l REACTO~
TRIP ON HIGH
MOISTURE
EVENH REACTOR MANUAL
TRIP
EVENTS REACTOR TRIP ON
HIGH PRESSURE
EVENTI· S/G
ISOLATION
EVENT 1 DELAYED
S/G ISOLATION
EVENT. AUTOMATIC
S/G DUMP
EVENTI S/G
PRESSURE RESPONSE
EVENT ID SCS
COOLING
EVENT II RCSS
COOLING
EVENT 12 PRIMARY
RELIEF TRAIN RESPONSE
10 MEOIAN FREOUENCY
Of EVENT SEQUENCE (PER PLANT
YEAR)
RELEASE CATEGORY
0.4 0 -I 0 - I - - - - - - - - - - - o<;l - I - - - - - C-I - - - - -1 D.98 - - - - - - - - - - -_ Ix 10-2 r -I ____ _
l ,.10-6 0- ____ + __ S;.;S;..-.;.;A;;...C_I-_....;....;_-+ ____ ---l
,.,0-4 0.99 55-AD 1 x 10-4 NONE
(FAILS CLOSED) - - - - - "9 - - - - - - - - - - -
SS-AA O.l NONE
1 x 10-2 SS-AB NONE
11( 10-5 -1
')( 10-2 -I 0.91 r (OPENS/CLOSES)
J.It tn-Z
(FAILS OPEN) l.1l 10-5
SS-AE
SS-AF
SS-AG
8 x 10-1 WC-l
J.II 10-8 WC-I
(FAILS CLOSED} I. 10-6 :::- ____ -II_...:S:;:.S-;;:A;;:H:...--I __ ...:. __ + ____ -I
1 x 10-4 -t -1 0.91 0.91 I 55-AI J 1110-5 NONE
(FW VALVES 'T <30 MIN 'T ~ (BYPASS) r -----------FAIL OPEN}
2 x 10-5
(STEAM VALVES FAIL OPEN}
1.10-5
(STEAM ANO FW VALVES FAIL OPENI
Z I 10-2 -1 I SS-AJ 1)[ 10-6 NONE ;J - - ---
1.10-6 ~I_~SS~-~A~K_--I __ ~ __ ~_~~....;--I ...... _--0- -- - - ... 2 x 10-2 _ _ _ _ _ _ _ _ _ _ _ I 55-Al 6 .. 10-1 NONE 0.98
(OPENS/CLOSES} 2. 10-2 -I 55-AM l.10-8 NONE
o -----,.,0-6 :::- ____ ~I~~S.;:;S;;:A:::N:...-~-...:.--+-...::::::..._j
,-:~4~. i'i'0~~~_:> _________________ +_;;SS:;;:A~O --+--':"'--l--=::;:;=--j (FAILS OPEN)
, J II 10--4 0.98 0.98 SS-AP '" 10-8 NONE
(FAILS CLOSED} r (BYPASS} ~ - - - - - - - - - - -
2.10-2 :::- __________ 11~~S;:;S-;;:A:.::0:...-~-...:.--+--===-_j
2 x 10-2
2. 10~ (OTHERS} :>- - - - - - - - - - - - - - - - - SS-AR > lO MIN :>- _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ t-"'SS;;";'';';S'''';-I--..;,--+--===---l
_I - - - - - - - - - - - - r...::.;:;-;::A~-t-_..!..._+.......;=;....j 1 x 10-6 -I 0.98 -----1 2)1 10"":2 - --~ - - - - - - - -I 55-AU J It 10-7 NONE
r -----. l 1.10-6 :::- ____ +_..;;S;;.S-..;A.;.;V_--1f-_~ __ +_-=~....;_i
SS-AT NONE < 30 MIN
, ]x 10-~ (FAILS CLOSEO) :>- - - - - - - - - - - - - - - - - _ _ _ _ _ _ SS-AW r-~~r-~-+--=~~
2 x 10-4 > 30 MIN C>- - - - - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ SS-AX
-I t-~~~r-~---+~=~ 2.11 10-5 -I O.QA SS-Ar NONE -----1 2. 10-2 - - - - - - - - - - -
- y ------""l 1. 10~6 +-_...;S;;;S...;-8;;,;A;.-.....,I-_...:.. __ + ____ -1 . :>-----.,
< 3D MIN g.ll 10-1 SS-AZ NONE
, J lC. 10-4 (FAILS CLOSEO) :::- - - - - - - - - - - - - - - - - - - - - - - 11_-'S;;;S_-::.:BB~....,r_-.!.--+--===-....J
2 x 10-4 ____________________________ +I_...::S::;;S-;.::.:BC:......+_-:..._-+_.=;::...-t
> 30 MIN _____ [-' -----C-I -----1 2:::-2 --~--------- 1 -----
1 .. _..:.1.::.,..:.10;.,-_6_""0- _ _ _ _ SS-BF f --
1 J{ 10-4 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ SS-BG E __
'.,0-3 _____ ~:A:S~l:E~)----_------------------- SS-BH E
3.11 10-6 NONE SS-SO
'.II 10-1 SS-BE NONE
l. 10~ :> _______________________________________________ .,I--",S;.S-...;B;.;.I-....,--...:..--+--== __ ....,
'I( 10-3 J II 10-4 _____ o()_---I~-- -I -I
-----------~ 0 -----SS-BJ 0.91
1 2, 10-2 - --~ - - - = = = = = SS-8K 1,10-5 NONE
NONE
• TIME FOllOWING REACTOR TAIP
'"'l f-'.
()1:l
() I
(Xl
UJ trl rt <: It) It)
~ ::J 8 rt
()1:l rt It) ti ::J It) It) It)
ti ~ H-o rt 0 o ti ti
UJ 1-'8 It) Ol ~ I-' ;0;"1-'
I ~ I o o
~
·co <:ll o ('A?
o ..:t o t-eD CO
\
C) lY\
J I( 10-4
SI.5 HRS
1 I. 10-6 0- ____ +_.:::SS:;;.-;.:8L'--I __ ':'-_-+_";;;;=~-I '1110-1 3 II. 10-4 5S-8M NONE 0.98 1 2 x to-2 - - - - - - - - - - - SS-BN
~.~~_o-----------++-~~--~~--+--==-~ (FAILS CLOSEO}
2 II. 10-5 . 1 S5-BO :>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-....:::~:....-1---:..--+--==-~
, lC 10-7 NONE -I -I -I 0.98
-----~ 0 -----1 -----------_ Z. 10-2 0- __________ +_...;S;.S...;-B;.;O=-_I-_-"' __ +_"';;=;;;"'-1
SS-BP
, J lC. 10-4 ::> _______________________ +_",S;.S-..;B",R_....,f-_""';' __ +_-"'="--I (FAILS CLOSED)
I.IO-l 0- ____________________________ +-_..:S:;;.S-;;.:B:;:S_--1I-_~ __ +_-"'==---I ..... ....;.;1 ';.I;;;O_-l __ o- ________________________________________ ..a..._..;;S;;.S-...;B;.T_.....JL-_"':"' __ ....L.._-===---I
» »Ci) "00 g» C~ ~::: ·ro 00-fJ)~(I) Q.O
::s
~. » '"0» Omz
»JJcn :IJ-f-i oem
JJO m
c:o CIt o CA:)
o ...:l cO .... C CO ,
C) 6"
n I \0 W
o o [%j I
::r: >-3 Q :;tJ I
OJ C'I I o ...... ...... -:;tJ (I)
<:
w
"%j ,....-
OQ
n I \0
en [%j rt c:: n> n> III ::J E! rt
OQ rt (I) '1 ::J (I) (\) (\) '1 III Hl rt 0 o '1 '1
E! ...... 0 n> 0.. I» (\) ;>;"'1
I» rt (I)
I ..... I o o ~
£!
EVENT I MODERATE
S/G LEAK OCCURS
EVENT! MOISTURE MONITOR
DETECTION
EVENT) REACTOR TRIP
ON HIGH MOISTURE
EVENT 4 REACTOR TRIP
ON HIGH PRESSURE
EVENT 5 S/G
ISOLATION
EVENT 6 oELAVEo
S/G ISOLATION
EVENT 7 S/G
DUMP
EVENT 8 S/G
PRESSURE RESPONSE
EVENT' SCS
COOLING
EVENT 11 RCCS
COOLING
EVENT 11 PRIMARY
RELIEF TRAIN
RESPONSE
10 MEDIAN FREQUENCY (PER PLANT
YURt
RHEASE CATEGORY
4.,0-2 _I -I _1 0 .• 1 .j_..:::M::.:S-::A:::A_-+_..:3~'~1:::.0-_I_+_.::N:::.O::.NE::""'--I o 0 -----0 ----- Q ---- -9 -- - -------
> >e;; "CO
~> c:~ (iJ= O~ Sll..,<0 0.0
:::J.
11110-5 .
Z.,0-2 _I _I
ISTAYS SHun 4.,0-3
loPENS/ClOSES, 11110-4
IFAIL oPEN'
MS-AB
MS-AC
MS-Ao
1 1110-3 NONE
5 J( 10-6 WC-l
21110-) WC-5
','D--' ::- ____ -lI_..!M~S~-A~E_-I-_.!..._-+_-==-__
31110-4 ---'-4 0.98 __________ MS-Af 11110-5 NONE
IF AIL ClOSED' 2 II 10-2 _, 0.91 MS-AG 3 III 10-1
10PENSIClOSES' 31110-2
If AIL OPEN' 1 It 10-5
IFAIL ClOSED'
WC-6
MS-AH 1 II 10-8 WC-I
MS-AI
','D--' c----- -l-....::::MS:;:-A::::,'_+-_!.-_I-..;::;;;;;....--I
11110-4 0.98 WF-4
IFWVALVES -----FAil OPEN)
2.'0-5
ISTE"AMVALVEs FAil OPEN)
Z x 10-2 _I 0.91 loPENS/CLOSESI
3 II 10-2
loTHERS'
WF-Z
MS-AM
MS-AN 1 x 10-1 WC-6
MS-AO
1,'D-6 0- ____ +-:::M::;;S-:::;AP_+-_;'-'_I--==---I
MS-AR
I 2 I( 10-2 D.ltl 0.91 I MS-AQ 6 II 10-8 WF--4 (OPENSJCLOSES8 - - - - - ~ (OPENS/CLOSES)
3 II 10-2
10THERS'
----1 j MS-AS .l . -z _ ------ I "" 0-__ ~, ~ ~
JL-~M~S-~A~U~-1--~==~--r_~==::~ ·L,,""';-;;;;WIS. _____ _
- - - - - - - - j-2!MlS;!A~V:"'-t--~:-11-::~J - - - - - - - - -1 WF-3
- -- ~-- -~~~-~~~rrt--~M~S~AW:---r--5~~"O~==1===~~ __
-- --- - 0.91
- - - - - - 0.91 - - - IloPENS/Cl.."fES' I>J~~'N' _I -- - - ~ 3. I. ~
2.,0-8 Wf-l MS-AX
D.ID IZ.-3DMINI
Z II 10-2 -I
IFAllOi'HII ,.,0-5 IFAIL cLoseD,
0.89 loPENS/CLOSES,
.11
MS-AY
MS-AZ 21110-8 WC ....
MS-8A
I • 10-& (OTHERS) MS-BB
1.--:";;';';'--_:>- - - - - +"':::=-+---=---+-="--1 J 110-4 IFAI~~LOSEo, 0- -- - -- - - - - - - -.- -- __ T_.;;M:::.S..;-B:;:C_-t_-=:::~_I-_===_-I
----kO.9S _____ •. 91 MS-BO PENS/CLOSES,
31110-2 MS-BE
2.'0-'-IOTHERS) MS-8f -----------
, 31110-4 IFAIL CLOSED' c- - - - - - - - - - - - - - - - -- - -t_.::M:;:S;::-B::G:""-f __ ..!.. __ !-_===-....J
'1.10-2 C>- - - - - - - - - - - - - - - - - - - - - - ..;..-+-=..;;;;~-+--..:...-__ I-...:;;==--t
t>JOMINI 11110-5 ... 1"'1 O.gl
(STEAM AND ----1 FW VALVES FAIL OPEN)
2.,0-2 -I IF AIL CLOSED!
o.gl IOPENS/CUfsES,
3 It 10-2
MS-8J 7 It 10-1 WF-Z
M5-BK
MS-Bl
MS-IM loTHERS'
,,,.-, c- ____ +_=M!;S-~8::N_-+ __ ~_-!_...;;= __ -l
I 31110-4
,'D-3 IFAIL CLOSED, ::- - - - - ,- - - -
0-' -- 091 1>30 MIN' ::------ ------C --- I - - - -- - - - - - -- - -- t=-:MS~-~I~O-t--~--+---=--J -c=-----1 D98 ~~ ~ ~ = ------r-:-:MS-I~P f---!-~.==:J _ 2010-1 ------ I
101 -z .. ,..... ::------.. ,,_. • _____ .::~~.~.~ _______________ ~ ----J-:~'-i--.!..--~-===J __ ___ _ ______ :_-:_-::.: __ -_-:.=~= ____ -___ -_=_=_=_~~=-+....!.--!-=:J
MS-BO 3 It 10-7 NONE
1 ,,10-] . .. 1 _1 0.5 0.98 WF-4 ------Q: ----4 Q j<10MIN) ---- 4' -----
» -0:)-
Omz >:000 :0-1-1 oem
JJQ m
2 II 10-2
(FAIl/OPEN)
'110-5 IFAIL CLOSED)
... , 0.91
(OPENS/CLOSES) 3.'0-2
tFAIL OPEN) 1110-5
WF-2
M5-8X
MS-8V 5 II 10-7 WC-6
MS-IZ 2 It 10-8 WC-2
MS-CA
6 tFAIL CLOSED) .. ID- :>- _____ 11_..;M:::S:;-;:;C:.B_-+ __ ~_--1_..;;= __ ~
O.S 0.98 WF-4
I··IDMINI ----4
2.10-2 _I
fFAIl OPEN)
11110-5
tfAIL CLOSED) 0.94
IOPENS/CLOSES) .,0-2
IF All OPEN) I II 10-5
WF-Z
MS-CE
MS-Cf 5 II 10-7 WC-6
MS-CG 4 II 10-8 wc-z
MS-CH (FAil CLOSED) ,.,.-& 0- ___ ~ -I-_::;M::.S-::C:::.'_-+ __ -!.. ___ ~-===--I
Z 110-4 0---- ______________________ +_;:M::.S-::C:::.J_-+ __ .!.._-II-_==;;...-l
C II ID-S 1-:..& MIN) MS-CK
0_ - - - - - - - - - - - - - --- - --- - - -- - - - - - - --- -- - ..... --:=.::-..J.._-=--..I--"'=---i
APPENDIX 0 RELEASE CATEGORY DESCRIPTION AND DOSE QUANTIFICATION
As discussed in Section 8, the consequences of representative acci
dent sequences are discussed in terms of the resultant dose to an indi
vidual at the plant EAB. This appendix details the accident categories
and for each accident category presents the data and methods, fission
product release and dose assessment, and uncertainty analysis.
The accidents considered in Appendix C that result in dose conse
quences are evaluated in this appendix. These accidents include fission
product releases from forced convection cooldowns under dry and under
wet conditions, and from conduction cooldowns under dry and wet condi
tions. Forced convection cooldowns under dry conditions are initiated
by primary coolant leaks. The fission product release is due to frac
tional.release of circulating and plateout activity. Forced convection
cooldowns under wet conditions are initiated by steam generator leaks.
The fission product release is due to fractional releases from oxidation
of graphite and hydrolysis of failed fuel in addition to fractional
release of circulating and plateout activity. Conduction cooldowns
involve loss of forced convection cooling and therefore rely on conduc
tion and radiation to remove heat from the reactor core out to the reac
tor cavity cooling system (RCCS). The incremental fission product
release is due to fractional releases from heatup of the fuel particles.
Conduction cooldowns under dry conditions are initiated by primary
coolant leaks, loss of main loop cooling, and seismic activity. Conduc
tion cooldowns under wet conditions are initiated by steam generator
leaks. The consequences from forced convection cooldowns under dry
conditions are discussed in Section 0.1. The consequences from forced
convection cooldowns under wet conditions are presented in Section 0.2.
The consequences from conduction cooldowns under dry conditions are
discussed in Section 0.3. The consequences from conduction cooldowns
0-1 DOE/HTGR-86-011/Rev. 3
under wet conditions are presented in Section 0.4. ~ach of the conse
quence sections presents the data and methods, the fission product
release and the resultant dose assessment, and the uncertainty analysis
for the accident sequences considered.
0.1. CONSEQUENCES FROM FORCED CONVECTION COOLDOWN UNDER DRY CONDITIONS
A number of event sequences that are initiated by primary coolant
leaks have been identified in Fig. C-1. Since all these primary coolant
leak sequences result in fission product release to the environment they
are all addressed here. Those sequences that have forced core cooling
have been grouped and categorized as forced convection cool downs under
dry conditions. The categories are labeled DF-1 through DF-4 where
DF-1 has the greatest consequence and DF-4 has the least nonzero conse
quence. The consequence source term for forced convection cooldowns
under dry conditions includes a portion of the circulating activity and
the liftoff of a fraction of the activity plated-out on primary circuit
surfaces. Incremental release of radionuclides from the fuel body
inventory is prevented by forced convection cooling of the reactor core,
which is provided in all cases by either the Heat Transport System (HTS)
or the Shutdown Cooling System (SCS).
The circulating and liftoff activities are released through the
breach in the primary coolant boundary into the reactor building. For
smaller leak sizes, the consequences are reduced by pumpdown of primary
coolant to storage bottles by the Helium Purification Subsystem (HPS).
For larger leak sizes pumpdown becomes ineffective, and essentially 100%
of the circulating activity is released into the reactor building. The
fraction of material lifted-off at a given location in the primary cir
cuit increases when helium flow velocities increase at the location.
Once in the reactor building, fission products are depleted by the nat
ural processes of radioactive decay, plateout on building surfaces, and
by particulate settling. The fission products can be transported from
the reactor building to the atmosphere by building leakage or through
0-2 DOE/HTGR-86-011/Rev. 3
the building dampers if the depressurization rate from the vessel
exceeds the building leak rate.
0.1.1. Oata and Methods
The primary coolant leak depressurizes the reactor vessel resulting
in release of fission products to the reactor building as described in
Section 6.1.1. When the reactor pressure reaches 5688 kPa (825 psia),
the Plant Protection and Instrumentation System (PPIS) initiates a reac
tor trip and automatically inserts the outer reflector control rods.
The pumpdown of primary coolant to storage bottles by the HPS is auto
matically begun when the reactor pressure reaches 5515 kPa (800 psia).
The"effect of pump down is negligible for hole sizes greater than 6.5 cm2
(1 in.2) because the depre~surization is too rapid.
The circulating and plateout activities initially available for
release during a depressurization event are based on radionuclide design
criteria. The radionuclide design criteria are the allowable levels of
radionuclide accumulation in the primary coolant circuit which will per
mit the plant to satisfy the radiological dose limits applied to normal
plant operation and postulated events. The nominal circulating activi
ties and equilibrium 40-year plateout activities available for liftoff
are presented in Table 0-1 for those radionuclides which are major con
tributors to the resultant dose from a forced convection cooldown under
dry conditions.
Initially, the rate of helium depressurization is determined
using choked flow conditions. At a reactor pressure of about twice
atmospheric pressure, the depressurization flow is no longer choked.
The amount of helium released is determined by integrating the time
dependent rate of depressurization through the leak along with the HPS
pumpdown rate. The time to depressurize the reactor vessel is shown in
Fig" 0-1 as a function of leak size.
0-3 OOE/HTGR-86-011/Rev. 3
TABLE D-1 INITIAL CIRCULATING AND PLATE OUT INVENTORIES OF NUCLIDES THAT ARE
MAJOR CONTRIBUTORS TO RADIOLOGICAL CONSEQUENCES OF FORCED CONVECTION COOLDOWNS UNDER DRY CONDITIONS
Circulating Activity Plateout Activity Isotope (Ci) (Ci)
Kr-85m 2.30+00 0.00
Kr-87 2.96+00 0.00
Kr-88 5.16+00 0.00
Kr-89 1.24+00 0.00
Rb-88 6.78-02 5.20+00
Rb-89 1.98-02 1.31+00
Sr-89 1.39-06 1. 72+00
Sr-90 7.29-10 3.35-01
Y-91 2.14-07 4.17-01
Ag-110m 5.43-06 8.43+00
Te-129m 9.26-06 1.91+00
Te-132 8.25-04 1.66+01
1-131 1.79-02 2.00+01
1-132 2.23-01 1.94+01
1-133 1.18-01 1.49+01
1-134 5.41-01 5.22+00
1-135 1.91-01 6.74+00
Xe-133m 1.14-01 0.00
Xe-133 2.32+00 0.00
Xe-135m 1.20+00 0.00
Xe-135 3.49+00 0.00
Xe-138 1.12+00 0.00
Cs-134 3.23-06 1.49+01
Cs-137 1.98-06 7.00+01
Cs-138 9.37-03 1.30+00
Ba-137m 3.27-04 6.62+01
D-4 DOE-HTGR-86-0i1/Rev. 3
If the leak size is large enough, liftoff becomes a major source
of released fission products in addition to the circulating activity.
Liftoff refers to the removal of fission products plated-out during nor
mal operation from the surfaces of reactor components by particulate
entrainment, desorption, and diffusion. The liftoff model developed for
depressurization events takes an empirical approach using all of the
experimental data available (Ref. D-1). The ratio of shear stress dur
ing the accident to the shear stress at nominal operating conditions is
called the shear stress ratio (SR). Experimentally derived curves of
liftoff versus shear stress ratio were considered in developing the
liftoff model.
In applying the model, t~ requi~ements must be satisfied:
(1) provide an expression for the liftoff in excess of that under nor
mal conditions (SR • 1) and (2) provide for a limiting value of 100% for
the excess liftoff as the shear ratio increases without limit. To meet
these requirements, the following expression for percentage liftoff was
used (Ref. D-1):
AL(%) _ 100 m (SR-1) 100 + m (SR-1) (D-1)
where the m values are given in Table D-2 for representative isotopes.
The local shear ratios in the primary coolant loop were calculated
for various leak sizes and positions in the loop. The calculational
method used for determining the local shear ratios solves a set of ordi
nary differential equations and relations gov~rning the modeled flow
system. The analytical model assumes that the primary coolant system
can be broken down into a series of subvolumes, or nodes, interconnected
by flow paths. The transient forms of conservation of mass and energy,
as well as the equation of state, are then applied to the nodes, and the
transient conservation of momentum with the buoyancy term is applied to
the interconnecting flow paths. Transient coolant pressure, tempera
ture, and flow throughout the primary coolant system are calculated,
D-5 DOE/HTGR-86-011/Rev. 3
TABLE 0-2 CONSTANTS IN EQ. 0-1 FOR THE EXCESS
PERCENTAGE LIFTOFF
Other Isotopes Isotope m Represented
Cs-137 0.4 Sm, Rb, Pr, Pm, La, Eu, Cs, Ce, and Ba
I-131 1.2 I and Br
Sr-90 2.6 Zr, Y, Te, Sr, Sn, and Mo
Ag-110m 1.2 Ru, Rh, Pd, Nb, and Ag
Te-129m 1.2 Te
Sb-125 1.2 Sb
0-6 OOE-HTGR-86-011/Rev. 3
taking into account the dynamic behavior of the circulators and valves,
the actions of the PPIS, and the heat transfer between the coolant,
core, steam generator, shutdown cooling heat exchanger, and reactor
internals. These calculations were performed using the systems-dynamics
computer code RATSAM (Ref. 8-1). The RATSAM model of the MHTGR is shown
in Fig. D-2. The estimated local shear ratios were used along with the
distribution of plateout on primary circuit surfaces to determine the
fractional liftoff from the primary loop surfaces for a given leak. The
total integrated liftoff of fission products from all the primary loop
surfaces released into the circulating helium was estimated for a range
of leak sizes and locations.
By using the liftoff model to combine the local shear ratios for a •
particular leak with the distributed plateout activities in Table D-1,
the liftoff activities are calculated. The total percent liftoff is
presented in Table D-3 for various leak sizes. It can be noted from
Table D-3 that total integrated liftoff from the primary circuit does
not necessarily increase with increasing leak size. Since a leak occurs
from a system of flowing coolant, it tends to accelerate flows upstream
from the leak site and decelerate flows downstream. Accelerated flows
typically produce local shear ratios greater than 1.0, and local lift
off, Whereas decelerated flows produce no local liftoff. For some leak
locations, increased leak size actually decreases the liftoff at the
locations Where most plateout has been deposited, While increasing lift
off only at locations Where very little plateout resides. Thus, for
some leak locations, the total integrated liftoff from the primary cir
cuit decreases for increased leak size. In Table D-3, most of the iso
topes display a smaller total percent liftoff for a leak of 0.65 cm2
(0.1 in.2) at the circulator outlet than for smaller or larger leak
sizes. The total percent liftoff of iodine, however, is smaller for a
leak size of 6.5 c~ (1.0 in.2), since the plateout distribution of
iodine differs from the distributions of the other isotopes. All lift
off is considered to be elemental rather than in the form of compounds.
The subsequent transport of fission products that are lifted off will
D-7 DOE/HTGR-86-011/Rev. 3
TABLE D-3 TOTAL PERCENT LIFTOFF FOR VARIOUS LEAK SIZES
Leak Size Total % Liftoff
[cm2 (in. 2)] Sr I Cs Ag, Te, Sb
Circulator outlet
0.065 (0.01) 8.4-03 2.0-03 7.5-04 1.5-03
0.65 (0.1) 6.6-03 1. 7-03 7.2-04 1.4-03
6.5 (1. ) 9.2-03 2.2-04 8.1-04 1.5-03 . 65. (10.) 0.076 0.024 3.6-03 6.9-03
84. (13. ) 0.088 0.029 3.2-03 6.1-03
Steam generator annulus
65. (10. ) 0.41 0.18 0.034 0.067
D-8 DOE-HTGR-86-011/Rev. 3
depend on the governing phenomena and could lead to retention within or
loss from the reactor vessel. Simplifying the calculation of radionu
c1ide transport, retention mechanisms in the reactor vessel are conser
vatively neglected, and all the lifted-off fraction is assumed available
for release as the vessel depressurizes.
The fission product transport in the reactor building, subsequent
release to the atmosphere, and the resultant dose calculations were per
formed using the TDAC computer code (Ref. D-3). The method used is
based on the analytical solution of coupled linear differential equa
tions governing the activity in different volumes representing the reac
tor vessel, reactor building, and the environment over time. The calcu
lation of activity in each volume is based on the assumption of instan
taneous homogenous mixing. The calculation of radiological doses is
based on the semi-infinite cloud approximation. The code allows up to
65 decay chains with up to six nuclides each. The TDAC model is shown
in Fig. D-3, Which indicates the various volumes available and inter
connecting flow paths. Fission product release from the reactor vessel,
removal by pump down of helium, attenuation due to p1ateout and settling
in the reactor building, and release through the building dampers are in
the TDAC model.
The building dampers will remain closed if the volumetric depres
surization rate from the reactor vessel is lower than the volumetric
building leakage rate. When the depressurization rate from the vessel
is larger than the reactor building leak rate, then the dampers open to
relieve the excess building pressure allowing fission products to escape
to the atmosphere. After the pressure transient is complete, the build
ing dampers reclose and the remaining reactor building radionuc1ide
inventory is released by normal building leakage.
The reactor building parameters and site data used in the TDAC
model are presented in Table D-4. As shown in Table D-4,credit is
taken for the physical processes of p1ateout of halogens and particulate
D-9 DOE/HTGR-86-011/Rev. 3
TABLE D-4 REACTOR BUILDING AND SITE PARAMETERS
Parameters
Reactor Building
Volume
Settling rate
Plateout rate
Dampers
Leak rate
Minimum building crosssectional area
Site
EAB distance
Atmospheric dispersion factor at EAB (including building wake effect)
o to 8 h
8 h to 30 days
Breathing rate
o to 8 h
8 to 24 h
1 to 30 days
Medians
5203 ~ (183,738 ft3 )
(0.32 h-1
)1.0 h-1
Open when flow in ) flow out
1 volume/day
732 m2 (7880 ft2)
425 m (1394 ft)
1.22 x 10-4 s/~ (3.46 x 10-6 s/ft3 )
2.70 x 10-5 s/~ (7.65 x 10-7 s/ft3 )
3.47 x 10-4 s/~ (1.23 x 10-2 s/ft 3)
1.75 x 10-4 s/~ (6.18 x 10-3 s/ft 3)
2.32 x 10-4 s/~ (8.19 x 10-3 s/ft3)
D-10 DOE-HTGR-86-011/Rev. 3
settling in the reactor building. The numerical values for plateout and
settling in Table 0-4 are deposition rates effective when depressuriza
tion is complete and the building is leaking at its nominal rate. The
plateout rate is proportional to the mass transfer rate to the vertical
walls with appropriate correction for surface to ~olume ratio for the
reactor building. The settling rate is due to gravitational settling
and is influenced by the particulate size distribution and flow veloci
ties in the reactor building. The atmospheric dispersion factors X/Q
used in the nominal analysis were derived in accordance with the metho
dology of Regulatory Guide 1.4 (Ref. 0-4), including the effect of the
reactor building wake. Ten percent of the Regulatory Guide 1.4 atmos
pheric dispersion factors are used for the median values, in accordance
with Regulatory Guide 4.2 (Ref. 0-5). This methodology was chosen since
it results in typical values for any potential site and is expected
to envelop about 85% of U.S. sites. The breathing rates used in the
analysis are taken directly from Regulatory Guide 1.4.
0.1.2. Fission Product Release and Oose Assessment
The planned response to a breach in the primary circuit begins with
reactor trip with the outer control rods, initiated by the PPIS when
primarY system pressure is reduced to 5688 kPa (825 psia). The PPIS
initiates an BPS pumpdown of the primary coolant to storage when a pres
sure of 5515 kPa (800 psia) is reached. This action is ineffective when
the leak size is large enough to result in a short depressurization time
as compared to the time required to pumpdown the primary system. Forced
convection core cooling will continue either on the HTS or the sese Fission products contained in the primary coolant will be released to
the reactor building where plateout and settling will help to reduce the
quantity of fission products that are released through the building
dampers.
The frequency assessment for primary coolant leaks assigns a
release category designation for each forced convection cooldown under
0-11 OOE/HTGR-86-011/Rev. 3
dry conditions. For the purposes of consequence assessment, a represen
tative size is selected for each leak size range identified in the fre
quency assessment in Appendix C. Proceeding from the least to the
greatest consequence, the following paragraphs describe for each release
category the dominant event sequence, radionuclide release mechanism,
and dose consequences.
Release categories DF-4 and DF-3 describe leaks in the range of 2 x
10-4 to 0.2 c~ (3 x 10-5 to 0.03 in. 2). For purposes of consequence
assessment, a leak size of 0.065 c~ (0.01 in.2) has been selected as
typical of leaks in this range. Forced convection core cooling is pro
vided in both categories either by the HTS or by the SCS. The differ
ence in the release categories is that in DF-4, pumpdown by the BPS is
successful, whereas in DF-3, it fails. The doses of DF-4 are therefore
less than those of DF-3 because much of the primary coolant and the
activity it contains is removed by the BPS before it can be released to
the reactor building. DF-4 takes 28 h to depressurize to atmospheric
pressure while DF-3 takes 130 h. Liftoff of plated-out material for
these release categories is small because of the small leak size (see
Table D-3). The cumulative release of I-131 and I-133 from the reactor
building to the environment is 1.8 x 10-4 and 9.6 x 10-4 Ci, respec
tively, for DF-4 and 6.4 x 10-4 and 2.3 x 10-3 Ci, respectively, for
DF-3. Table D-S presents the cumulative nuclide release to the environ
ment for the major contributors to dose.
Release category DF-2 describes a leak in the range of 0.2 to
6.5 c~ (0.03 to 1 in. 2). A representative size of 0.65 c~ (0.1 in.2)
was selected for analysis in this size range. Forced convection cool
ing is provided either by the HTS or by the SCS. Pumpdown by the BPS
in this size range has a negligible effect on the consequences. DF-2
takes 7 h to depressurize to atmospheric pressure. All of the circulat
ing activity is released to the reactor building. Liftoff of plateout
material for this release category is small because of the "small leak
size (see Table D-3). The cumulative release of I-131 and I-133 from
D-12 DOE/HTGR-86-011/Rev. 3
TABLE D-5 CUMULATIVE RELEASE TO ENVIRONMENT IN CURIES FOR FORCED CONVECTION COOLDOWNS UNDER DRY CONDITIONS
Nuc.lide DF-1 DF-2 DF-3 DF-4
Kr-87 6.9-01 1.8-01 1.3-02 1.1-02
Kr-88 1.6+00 6.8-01 9.2-02 7.2-02
Rb-88 1.1+00 6.5-01 8.9-02 7.0-02
Sr-89 6.4-05 3.1-05 2.3-05 6.0-06
Sr-90 1.0-05 4.1-06 3.2-06 8.4-07
Ag-110m 4.4-05 2.3-05 1.4-05 3.8-06
1-131 3.2-03 1.2-03 6.4-04 1.8-04
1-132 3.5-02 7.7-03 7.4-04 5.9-04
1-133 2.1-02 7.1-03 2.3-03 9.6-04
Cs-134 4.0-05 2.0-05 7.2-05 1.9-05
1-135 3.3-02 9.7-03 1. 7-03 1.0-03
Xe-135 1.8+00 1.2+00 4.2-01 2.3-01
Cs-137 1.8-04 9.3-05 3.4-04 8.9-05
D-13 DOE-HTGR-86-011/Rev. 3
the reactor building to the environment for OF-2 is 1.2 x 10-3 and
7.1 x 10-3 Ci, respectively. Table 0-5 presents the cumulative nuclide
release to the environment for the major contributors to dose.
Release category OF-1 represents a leak in the size range of 6.5
to 84 cm2 (1 to 13 in. 2). A size of 6.5 cm2 (1.0 in.2) has been selec-
ted for analysis.
HTS or by the SCS.
Forced convection cooling is provided either by the
BPS pump down of primary coolant cannot mitigate
the consequences for this release category because the primary system
depressurizes within minutes. OF-1 takes 21 min to depressurize to
atmospheric pressure. All of the primary coolant circulating activity
is released to the reactor building as well as a liftoff fraction of
plated-out material (see Table D-3). The cumulative release of I-131
and I-133 from the reactor building to the environment for DF-1 is 3.2 x
10-3 and 0.021 Ci, respectively. Table 0-5 presents the cumulative
nuclide release to the environment for the major contributors to dose.
The nominal dose consequence for each of the release categories
analyzed is presented in Table D-6 for 30-day EAB thyroid, lung, bone,
and Whole body gamma doses. Figures 0-4 through 0-7 present the nominal
dose consequence with and without BPS pumpdown for thyroid, lung, bone,
and Whole body gamma doses.
D.1.3. Uncertainty Analysis
A method for assessing the uncertainties in consequence prediction
was developed in the AIPA safety assessment (Ref. D-6). The method uses
simplified mathematical algorithms describing the consequence control
ling phenomena as functions of variables with uncertainties that affect
the dose consequence. The algorithms are used in a Monte Carlo error
propagation program to model the resultant dose, sampling the input
variables and thereby determining the probability distribution for the
dose. Cumulative probability distributions of independent variables
are specified as input to the program. This section describes the
D-14 DOE/HTGR-86-011/Rev. 3
TABLE D-6 NOMINAL DOSE CONSEQUENCE AT THE EAB FOR FORCED
CONVECTION COOLDOWNS UNDER DRY CONDITIONS
Nominal Dose in Rem
Release Leak Size BPS Whole Body Category (in.2) Failure 7 Thyroid Bone Lung
DF-1 1.0 1. 7-04 8.6-04 6.6-06 2.1-05
DF-2 0.1 5.9-05 2.0-04 2.0-06 7.5-06
DF-3 0.01 Yes 9.6-06 4.3-05 1.1-06 1. 7-06
DF-4 0.01 No 6.0-06 1.7-05 2.8-07 5.4-07
D-15 DOE-HTGR-86-011/Rev. 3
algorithms used for the consequences from forced convection cooldowns
under dry conditions.
For the dose consequence from forced convection cooldowns under dry
conditions
where
.J Di = ~ Qj fj (t; ~l,j; ~2,j; ••• ) Ci,j X/Q
j=l , (D-2)
Di - dose to organ "i,"
.J - total number of nuclides released,
Qj - initial activity for nuclide "j,"
fj (t; ~l,j; ~2,j; ••• ) - fractional reduction in nuclide j due to
buildup, decay, settling, plateout, and
other processes involving the physic~l
parameters, ~l,j; ~2,j;
Ci,j = dose effectivity to organ i from nuclide
j; whole body 7 dose,
dose commitment effectivity to organ i
from nuclide j X breathing rate;
inhalation doses,
X/Q = atmospheric dispersion factor,
i - 1; whole body 7, 2; thyroid,
3; lung,
4; bone.
D-16 DOE/HTGR-86-011/Rev. 3
The uncertainty in Ci,j is relatively small and is therefore not
considered. The model for determining the probability distribution for
the atmospheric dispersion factor (X/q) is discussed in Ref. 0-7 and the
uncertainty distribution in meteorology is found in Ref. 0-6.
Where [2 _ U~ + CA/w, z
r2 2 Ly - Uy + CA/W,
u - wind velocity,
A - cross sectional area of building,
C = 0.585,
Uz = deviation in z direction,
Uy - deviation in y direction.
(0-3)
The X/q assessment included the probability of being in six different
weather stability classes, Which defined the conditional probability of
being in four different wind speeds, and the probability of being in any
one of ten wind directions, thus accounting for variation in the build
ing wake factor. The values of uy and Uz were taken from Regulatory
Guides 1.145 and 1.111 as determined by the weather stability class.
The wind direction determines the cross-sectional area of the building
based upon its dimensions and a uniform probability of its orientation.
The X/q distribution shown in Fig. 0-8 for the EAB distance of 425 m has
a median of 9 x 10-5 s/~ (2.5 x 10-6 s/ft3).
The initial activity for nuclide -j- for accidents involving forced
convection cooldowns under dry conditions has an uncertainty that is
determined by the uncertainty of its components according to the
following:
(0-4)
0-17 OOE/HTGR-86-011/Rev. 3
where ~,j = circulating activity of nuclide j,
Lj = liftoff fraction of nuclide j (Table 0-3),
Qp,j - plateout activity of nuclide j.
The uncertainty distribution on the circulating and plateout activities
is lognormal. The upper 95% limit to the liftoff at a leak size of
84 c~ (13 in.2) is 5%. Using the nominal value at this leak size
(given by Eq. 0-1), an uncertainty factor (ratio of 95% ~o 50% value)
is calculated and used for all other leak sizes. The resulting uncer
tainty factors are 1640 for cesium, 180 for iodine, 60 for strontium,
and 860 for tellurium, antimony, and silver. The uncertainty factor on
the circulating activity of noble gases and iodines is assumed to be 4,
but for metals, it is assumed to vary from 100 to 5000 depending on the
individual nuclide. There is no plateout activity for noble gases so
that term drops out. For iodines and telluriums, the assumed uncer
tainty factor on plateout activity is 4, but for metals, it is 10.
The factor fj (t; ~l,j ; ~2,j; ••• ) accounts for time-dependent
attenuation. Thus the ~i,j terms that contribute to its uncertainty
include
1. Vessel to confinement depressurization rate.
2. Confinement settling and plateout rates.
3. Radiological decay and buildup.
4. Confinement to environment release rate.
Items 1, 3, and 4 are anticipated to have uncertainty factors below 1.5.
However, Ref. 0-8 cites uncertainty factors of 10 for the confinement
settling and plateout rates. Therefore, the uncertainty distribution in
fj (t; ~l,j; ~2,j; ••• ) is governed by
fj (t, Ap) ; halogens
fj (t; ~l,j; ~2,j; ••• ) N fj (t, As) particles , (0-5)
fj (t) ; noble gases
0-18 DOE/HTGR-86-011/Rev. 3
where Xp = plateout rate,
Xs = settling rate.
Sensitivity studies disclose that to within 1% accuracy:
and
where as' &p, bs ' and bp are dependent upon the depressurization area
and time-dependent physical attenuation phenomena, and MS and MP are
normalized dimensionless depletion parameters based on Xs and Xp '
respectively. The values of as' &p, bs ' and bp were obtained by curve
fitting the dose sensitivity results. The uncertainties in the factors
MS and MP were assumed to be lognormal with uncertainty factors of 10
and median values of 1.
The dose uncertainty analysis for each of the representative leak
sizes is presented in Table D-7 for 30-day EAB thyroid, lung, bone, and
whole body gamma doses.
D.2. CONSEQUENCES FROM FORCED CONVECTION COOLDOWN UNDER WET CONDITIONS
A number of event sequences that are initiated by small and moder
ate steam generator leaks have been identified in Figs. C-8 and C-9.
Only those sequences that result in fission product release to the envi
ronment are addressed here. These sequences in which forced cooling is
maintained have been phenomenologically group and categorized as forced
convection cooldowns under wet conditions. The categories are labeled
WF-1 through WF-4 where WF-1 has the greatest consequence and WF-4 has
the least nonzero consequence. Release categories that exhibit doses
have release paths that vent to the reactor building through the primary
D-19 DOE/HTGR-86-011/Rev. 3
c;:, I
t-) 0
g lZJ -~ ~ I
(XI 0\ I o .... .... -i . w
Release Category
DF-1
DF-2
DF-3
DF-4
TABLE D-7 DOSE UNCERTAINTY ANALYSIS AT THE !AB FOR FORCED CONVECTION COOLDOWN UNDER DRY CONDITIONS
Dose in Rem
Leak Size Whole Body 7 Thyroid Bone Lung
(in. 2) 5% Hedian 95% 5% Hedian 95% 5% Hedian 9S% S% Hedian 9S%
1.0 4.5-05 2.9-04 2.7-03 2.5-04 1.4-03 9.1-03 7.S-07 3.7-0S 4.3-03 1.3-05 1. 7-04 2.6-02
0.1 2.3-05 1.4-04 1.1-03 2.6-05 3.5-04 4.5-03 2.5-07 1.4-05 1.7-03 2.7-06 6.9-05 1.2-02
0.01 2.6-06 1.7-05 1.8-04 4.6-06 6.6-05 8.5-04 7.2-08 4.3-06 5.1-04 6.9-07 1.7-05 3.3-03
0.01 1.5-06 9.2-06 9.0-0S 1.4-06 2.5-05 3.0-04 1.8-08 1.3-06 9.3-05 2.2-07 5.1-06 8.8-04
coolant relief valves before reaching the environment. The consequence
source term for forced convection cooldowns under wet conditions con
sists of (1) circulating activity, (2) steam-induced recirculation of
activity plated-out on primary circuit surfaces, (3) release from ini
tially failed fuel due to hydrolysis, and (4) release from oxidized
graphite. In all cases, the reactor core is cooled by forced convection
provided by either the HTS or the SCS, which prevents any incremental
release of radionuclides from the fuel body inventory.
The frequency assessment in Section C.7 for small steam generator
leaks covers a spectrum of leak sizes ranging from pinhole to approx
imately 0.053 c~ (S x 10-3 in. 2). The maximum size considered for
small steam generator leaks corresponds to a flow rate of 0.05 kg/s
(0.1 lbm/s) which will be used in the consequence assessment for all
small leaks. The frequency assessment in Section C.S for moderate steam
generator leaks covers a spectrum of leak sizes ranging from 0.053 to
6.6 cm2 (S x 10-3 to 1 in. 2). The flow rates may range from 0.05 to
5.7 kg/s (0.1 to 12.5 lbm/s) with the latter flow rate is equivalent
to a single tube offset rupture. The consequence assessment for moder
ate steam generator leaks has been based on a leak rate of 5.7 kg/s
(12.5 lbm/s). In all of the release categories considered in this
section, forced convection cooling is present. Conduction cooldowns
initiated by steam generator leaks are cons~dered in Section D.4.
D.2.1. Data and Methods
A steam generator leak allows moisture to enter the core and react
with the graphite and initially failed fuel particles. A brief descrip
tion of the plant response to a small steam generator leak is presented
in Section 6.1.7 and the plant response to a moderate steam generator
leak is presented in Section 6.1.S. The ingress of high-pressure steam
and the reaction of steam with graphite result in pressure increases
above nominal levels. If the moisture ingress continues due to addi
tional plant protection failures, the primary relief valve will open,
0-21 DOE/HTGR-S6-011/Rev. 3
thus releasing fission products to the reactor building. Releases to
the reactor building are then released to the atmosphere through the
reactor building dampers resulting in offsite dose. The methods and
data used to assess the release categories for forced convection cool
downs under wet conditions are described below.
The analysis of the consequences of a forced convection cooldown
under wet conditions includes the effects of (1) hydrolysis of failed
fuel particles, (2) oxidation of both structural and matrix graphite
in the core, (3) steam-induced vaporization and recirculation of radio
nuclides plated-out on primary circuit surfaces, and (4) the release of
circulating activity. The computer program OXIDE (Ref. D-9) is used to
analyze the transient effects of inleakages of moisture to the primary
coolant system. The code analyzes the three-dimensional effects of
stea~graphite and steam-fuel reactions in the core and simulates the
primary system and the reactor building with respect to heat and mass
transfer. The code can either calculate or accept as input the spatial
transient flow and temperatures as conditions necessary for oxidation
calculations. Nuclear heat generation, graphite temperature, coolant
temperature, total pressure, ste~graphite and ste~fuel reaction
rates, heats of reaction, and graphite burnoff are calculated as a
fun-tion of space and time. Alternatively, graphite temperatures can
be provi~ed to OXIDE from another code, such as PANTHER (see Sec-
tion D.4.1). PANTHER is a computer code which uses finite difference
methods to analyze system temperatures after a pressurized loss of
forced circulation. Plant protective system actions can be simulated
in the code.
OXIDE methods were independently reviewed (Ref. D-10) for the NRC
and found to be in good agreement with alternative methods, for the
cases analyzed. Modifications have been made to OXIDE (Ref. D-11) to
address shortcomings identified in that review when they affect the
current use of the code for moisture ingress events. A detailed
D-22 DOE/HTGR-86-011/Rev. 3
description of the OXIDE program is presented in Ref. D-9. A brief
description of the code is presented below.
The reaction of steam with graphite proceeds at significant rates
when temperatures exceed 700°C (13000 F). Thus in an accident, when
steam first reaches the core, some reaction occurs mainly in the lower
half of the core since the graphite there is hotter than 700°C (13000 F). The steam-graphite reaction has been extensively investigated (Refs. D-9
and D-12). The predominant chemical reaction is
, (D-6)
where the endothermic heat of reaction Q is 118 kJ/gm-mole of graphite
(51,000 Btu/lb-mole). Since this reaction produces two moles of gaseous
product for each mole of water reacting, any such reaction increases the
primary circuit pressure rise. Other secondary reactions are insignifi
cant for the short time periods of these accidents.
The kinetic expression used in the OXIDE code for the rate of
reaction is a rational function of steam and hydrogen pressure, with
time-dependent Arrhenius coefficients and modifiers that account for
the effects of prior reaction (burnoff) and the presence of catalysts.
Possible inh~biting effects of CO and/or helium pressure on the steam
graphite reaction rate are neglected for conservatism, and because cur
rent evidence is too limited to take quantitative credit for these
effects. Radiation effects on the reaction rate have been shown to
be negligible for nuclear-grade graphite (Ref. D-13).
The reaction of steam with initially failed fuel can result in
enhanced release of fission gas due to hydrolysis and oxidation of
failed UCO particles. The model used in OXIDE accounts for hydrolysis
and neglects the oxidation of UCO fuel. The oxidation of UCO fuel is
neglected because the oxygen concentrations during accident conditions
D-23 DOE/HTGR-86-011/Rev. 3
are expected to be very low. Onder normal reactor operating conditions,
the estimated concentration is expected to be 10-9 (1 ppbv).
The time-dependent release of krypton, xenon, and iodine isotopes
is calculated. The fractional release of bromine, selenium, and tel
lurium is considered the same as that of iodine.
In treating the response of a failed OCO kernel to hydrolysis, a
distinction is made between the portion of the kernel containing OC2 and
that containing 002. These two portions undergo hydrolysis in distinct
ways. The fractional release is determined by the addition of the
release from each of these portions.
The core is modeled geometrically as a set of eight analysis
regions with variable numbers of columns and with ten axial segments
that extend beyond the active core to include reflector blocks. Indi
vidual flows and power density factors can be specified for each region;
each axial segment can have an individually specified power factor. In
each segment a typical element of symmetry (triangular in shape) around
an MHTGR fuel rod/coolant channel is modeled with 17 nodes. The com
plete core analysis is accomplished by performing the appropriate cal
culations on the symmetry element of each of the 80 segments.
The phenomenon of steam-induced vaporization and recirculation
treats the reaction and removal of fission and activation products
sorbed on primary circuit components by steam flowing over the surfaces
of the components. (The term washoff, often used in the past to include
this phenomenon, ref~rs to the removal of fission and activation pro
ducts by water in the liquid state flowing over the surfaces in the form
of droplets or bulk.)
Recent experiments of steam-induced vaporization (Ref. 0-14) were
designed to study the fraction of iodine, sorbed on the surface of the
alloy T-22, removed by the passage of steam over the surface. The tests
0-24 00E/HTGR-86-011/Rev. 3
showed that no molecular iodine was sorbed on the surface of the alloy_
Rather, it was in the form of an iodide, possible FeI2- Two tests con
ducted resulted in significantly.different amounts of iodide being
removed from the surface. The first test, Which resulted in 60% iodide
removal, was judged to better represent the conditions in the reactor
during transients. The second test, Which involved an unusual treatment
of the surface by scrubbing with acidic solution, resulted in no signif
icant iodide removal.
Selecting the result from the sample that was treated more in the
manner of the alloy surfaces to be used in the MHTGR, the value of 60%
for steam-induced vaporization of fission and activation products is
used in the analysis of standard MHTGR events and conditions that
involve the ingress of steam.
The fuel body inventory and circulating and plateout activities
available at the start of an event are based on radionuclide design cri
teria. The radionuclide design criteria are the allowable levels of
radionuclide accumulation in the primary circuit Which will permit the
plant to satisfy the radiological dose limits applied to normal plant
operation and postulated events. The nominal circulating activity, the
equilibrium 40-yr plateout activity subject to steam-induced vaporiza
tion and the fuel body inventory subject to hydrolysis and oxidation are
presented in Table 0-8 for those radionuclides Which are major contribu
tors to the resultant dose from forced convection cooldowns under wet
conditions. The steam-induced vaporization model is applied to the
plateout activities. The recirculated activity is considered to be ele
mental rather than in the form of compounds. Only the fraction of the
fuel body inventory present in initially failed fuel (5 x 10-5 fraction
of all fuel particles) is subject to the hydrolysis release of noble
gases, halogens and telluriums. The fraction of the fuel body inventory
~ubject to release due to oxidation of graphite (7 x 10-5 fraction)
includes those metals initially present in failed fuel and in heavy
metal contamination that have become sorbed in graphite. The subsequent
0-25 OOE/HTGR-86-011/Rev. 3
TABLE D-8 INITIAL CIRCULATING, PLATEOUT, AND FUEL BODY INVENTORIES OF NUCLIDES
THAT ARE MAJOR CONTRIBUTORS TO RADIOLOGICAL CONSEQUENCES
Isotope
Kr-87 Kr-88 Rb-88 Sr-89 Sr-90 Y-91 Ag-110m Te-129m Te-131m Te-132 Te-133m Te-133 Te-134 1-131 1-132 1-133 1-134 1-135 Xe-133 Xe-135m Xe-135 Xe-138 Cs-134 Cs-136 Cs-137 Cs-138 Ba-137m Ba-140 La-140 Ce-144
OF FORCED CONVECTION COOLDOWNS UNDER WET CONDITIONS
Circulating Activity (Ci)
2.96+00 5.16+00 6.78-02 1.39-06 7.29-10 2.14-07 5.43-06 9.26-06 1.63-04 8.25-04 6.30-03 1.06-02 1.22-02 1.79-02 2.23-01 1.18-01 5.41-01 1.91-01 2.32+00 1.20+00 3.49+00 1.12+00 3.23-06 1.64-05 1.98-06 9.37-03 3.27-04 7.69-06 8.65-06 4.22-08
Plateout Activity (Ci)
0.00 0.00 5.20+00 1.72+00 3.35-01 4.17-01 8.43+00 1.91+00 1.26+00 1.66+01 1.51+00 7.90-01 2.21+00 2.00+01 1.94+01 1.49+01 5.22+00 6.74+00 0.00 0.00 0.00 0.00 1.49+01 1.31+00 7.00+01 1.30+00 6.62+01 7.39-01 8.29-01 7.40-02
Fuel Body Inventory (Ci)
7.13+06 9.95+06 1.02+07 1.34+07 7.41+05 1.62+07 1.38+04 4.85+05 1.66+06 1.35+07 1.12+07 9.10+06 1.91+07 9.34+06 1.37+07 2.03+07 2.28+07 1.89+07 2.03+07 3.71+06 2.48+06 1.85+07 1.06+06 1.97+05 8.58+05 1.96+07 8.17+06 1.87+07 1.88+07 1.24+07
D-26 DOE-HTGR-86-011/Rev. 3
transport of these fission products will depend on the governing phenom
ena and could lead to retention within the reactor vessel. Conserva
tively, retention mechanisms in the reactor vessel are neglected, and
all the activity released to the primary coolant is assumed available
for release through any available release path.
Releases from the vessel to the atmosphere through the reactor
building are modeled using the TDAC code as described in Section 0.1.1.
Plateout and settling in the reactor building have been considered.
Meteorological conditions and reactor building parameters are as given
in Table 0-4.
0.2.2. Fission Product Release and Oose Assessment
The planned response to a moisture ingress event begins with the
detection of moisture at the 1000 ppm level by the moisture monitors
as discussed in Section 6.1.7 for small steam generator leaks and in
Section 6.1.8 for moderate steam generator leaks. For a small leak,
this level is reached in approximately 5 min. For a moderate leak,
this level is reached in only 2 s. The moisture sampling process takes
another 20 s. The PPIS initiates a reactor trip on the outer control
rods and the closure of the steam generator isolation valves. Following
the signal to isolate, the main circulator is tripped, and the SCS is
started and cools the reactor core by forced convection. Following iso
lation, the steam generator dump system valves are opened and the steam
generator inventory is released into the dump system tanks. Just prior
to releasing primary coolant through the dump system, the valves are
reclosed. The increase in system pressure resulting from the ingress of
moisture is not large enough to lift the primary relief valves. There
is no fission product release as the primary coolant boundary remains
intact.
If the moisture monitors fail to successfully function, the high
primary coolant pressure PPIS trip setpoint will automatically initiate
0-27 OOE/HTGR-86-011/Rev. 3
protective actions. If this also fails then the operator can manually
initiate these actions. Specifically the PPIS trip will cause reactor
trip, steam generator isolation, and SCS startup. In addition to these
actions, the operator can manually dump the steam generator.
For fission product release to occur, failures in addition to the
leak are required that result in failure of the primary coolant boundary
to contain the fission products. As shown in Figs. C-8 and C-9, fail
ures in addition to the steam generator leak may result in a number of
sequences that result in fission product release. Failure of the mois
ture monitors or failure to isolate the steam generator precedes each
event sequence where an offsite dose occurs. Many of the event
sequences with offsite doses involve loss of forced convection cooling
and are designated as conduction coo1downs under wet conditions which
are discussed in Section D.4. Proceeding from the least to the greatest
consequence, the following paragraphs describe for each release category
the dominant event sequence, radionuc1ide release mechanism, and the
basis for assessment of the category dose consequences.
Detailed analysis was performed on release categories WF-l and
WF-2. WF-2 consists of a moderate steam generator leak, delayed steam
generator isolation (about 6 min), and primary relief valve opens but
fails to rec10se. WF-l is identical to WF-2 except that the steam gen
erator isolation is delayed as much as 20 min. Categories WF-3 and WF-4
are similar to WF-l and WF-2 except that the pressure relief valve
rec10ses successfully, so that only a fraction of the inventory is
released from the vessel. This fraction provides the scaling factor
used to determine the dose consequences for WF-3 and WF-4 based on the
detailed WF-l and WF-2 analyses.
Release category WF-4 is a moderate steam generator leak which
results in fission product release to the reactor building and subse
quently to the atmosphere. The category is representative of a moderate
leak where isolation is delayed and the primary relief valve opens and
D-28 DOE/HTGR-86-011/Rev. 3
recloses to vent excess pressure. One possible scenario in this cate
gory involves failure of the moisture monitors to detect excessive mois
ture levels. The reactor is nevertheless tripped within about 10 s on
high power-to-flow ratio. The main loop is tripped on high pressure
within about 6 min, followed by a manual dump of the steam generator. A
total of 3000 kg (6600 lbm) of steam enters the system. A second less
likely scenario involves successful detection of the leak by the mois
ture monitors. The reactor is tripped and the PPIS signals the steam
generator isolation valves to close. Steam line valves close, but the
feedwater valves do not. Pressure at the steam generator outlet rises
above the normal steam pressure of 17,340 kPa (2515 psia) to the feed
water pressure of 20,680 kPa (3000 psia). The steam generator bypass
valve opens to relieve the 'excess pressure to the condensor. Manual
isolation and dump of the steam generator occurs within 10 min. The
flow of feedwater through the steam generator will flood it in minutes,
so that the amount of steam, ingressed is about 1730 kg (3800 lbm).
Following the main loop trip, the core is cooled by the sese Shortly
after 6 min, high pressure causes the primary relief valve to lift and
vent excess pressure to the reactor building after which the valve
successfully recloses. Because of the difference between the relief
valve opening setpoint of 7177 kPa (1041 psia) and closing setpoint of
6103 kPa (885 psia), about 15% of the primary coolant and the fission
products it contains at the time of relief are released to the reactor
building and subsequently to the atmosphere. Since the amount of water
ingressed is large and since the core is rapidly cooled by the HTS or
ses, the consequences are about the same for both scenarios. The frac
tion of the graphite oxidized is 1.1 x 10-4 (23 lbm); 0.26% of the noble
gases and 0.18% of the halogens have been released from the failed fuel
due to hydrolysis at the time of the pressure relief. The radioactivity
available for release from the vessel (assuming no attenuation in the
vessel) consists of 100% of circulating activity, 60% of plateout activ
ity due'to steam induced vaporization and recirculation, 1.1 x 10-4
fraction of nuclides retained in the core graphite, 0.26% of the noble
gas and 0.18% of the volatile fission products retained in the initially
D-29 DOE/HTGR-86-011/Rev. 3
failed fuel (5 x 10-5 fraction of all fuel). The release to the envi
ronment is through the reactor building where there is attenuation from
settling and deposition.
Release category WF-3 is a moderate steam generator leak which
results in fission product release to the reactor building and subse
quently to the atmosphere. Following detection of excessive moisture in
the primary system, the reactor is tripped and the PPIS signals to iso
late the steam generator. The isolation is not successful as the steam
valve fail to close and moisture continues to enter the primary system
for up to 20 or 30 min until the operator isolates the steam generator.
A total of 6800 kg (15,000 lbm) of steam enters the primary system.
Excessive primary system pressure opens the primary relief valve once,
shortly after 6 min, venting primary circuit radionuclides into the
reactor building, after which the valve successfully recloses. Core
cooling is provided by the SCS, and is effective in preventing a second
pressure relief. At the time of the pressure relief, 0.6% of gaseous
and volatile fission products are released to the primary coolant by
hydrolysis, and 0.018% of fission products sorbed in bulk moderator
graphite are released by graphite oxidation. These activities, along
with the initially circulating activity and the activity removed from
metallic surfaces due to SIVR, are available for release with the pri
mary coolant. Because of the difference between the relief valve open
ing and closing setpoints, about 15% of the primary coolant and the
fission products it contains at the time of relief are released to the
reactor building and subsequently to the atmosphere.
Release categorY WF-2 is a moderate steam generator leak which
results in fission product release to the reactor building and subse
quently to the atmosphere. This category is the same as category WF-4
except that the primary relief valve fails to reclose after it opens to
relieve excess pressure. The moisture monitors fail to detect excessive
moisture levels, but the reactor is tripped within about 10 s on high
power-to-flow ratio. The main loop is tripped on high pressure within
D-30 DOE/HTGR-86-011/Rev. 3
about 6 min, followed by manual dump of the steam generator. Subsequent
to the main loop trip, the core is cooled by the sese Shortly after
6 min, high pressure causes the primary relief valve to lift, but it
fails to rec1ose. The primary system depressurizes through the primary
relief train into the reactor building. Fission products contained in
the primary coolant are subsequently released to the atmosphere. The
fraction of the graphite oxidized is 1.1 x 10-4 ; 0.26% of the noble
gases and 0.18% of the halogens are released from the failed fuel due
to hydrolysis. The fission products released from the vessel conserva
tively include 100% of circulating activity, 60% of p1ateout activity
released due to steam induced vaporization and recirculation, 1.1 x 10-4
fraction of activity from the core graphite released due to oxidation,
0.26% of the noble gas and 0.18% of the volatile activity from the ini
tially failed fuel released due to hydrolysis. The relief valve fails
open releasing all of this inventory into the reactor building conserva
tively assuming no attenuation or retention in the vessel. Table D-9
presents the cumulative nuclide release to the environment over the
course of the event for the major contributors to dose.
Release category WF-1 is a moderate steam generator leak which
results in fission product release to the reactor building and subse
quently to the atmosphere. This category is the same as category WF-3
except that the primary relief valve fails to rec10se after it opens.
Following detection of excessive moisture in the primary system, the
reactor is tripped and the PPIS signals to isolate the steam generator.
The isolation is not successful and moisture continues to enter the
primary system until the operator isolates the steam generator within
20 min. A total of 6800 kg (15,000 1bm) of steam enters the primary
system. Excessive primary system pressure opens the primary relief
valve, venting primary circuit radionuc1ides into the reactor building.
Once the relief valve lifts, it fails to rec10se as designed. The pri
mary system depressurizes through the open relief valve into the reactor
building. At the time of the pressure relief, shortly after 6 min, 0.6%
of gaseous and volatile fission products are released to the primary
D-31 DOE/HTGR-86-011/Rev. 3
TABLE D-9 CUMULATIVE RELEASE TO ENVIRONMENT IN CURIES
FOR FORCED CONVECTION COOLDOWNS UNDER WET CONDITIONS
Nuclide WF-1 WF-2
Kr-88 3.3+00 2.7+00
Sr-89 4.8-01 4.6-01
Sr-90 8.5-02 8.4-02
Ag-110m 2.1+00 2.1+00
1-131 3.9+00 3.4+00
1-132 4.4+00 3.6+00
Te-133m 1.4+00 6.3-01
1-133 4.0+00 2.9+00
1-134 2.7+00 1.5+00
Cs-134 3.7+00 3.7+00
1-135 2.6+00 1.5+00
Cs-137 1.7+01 1.7+01
Ba-137m 1.6+01 1.6+01
Xe-138 1.7+00 9.1-01
Cs-138 5.9-01 9.1-01
Ce-144 8.2-02 5.6-02
D-32 DOE-HTGR-86-011/Rev. 3
coolant by hydrolysis, and 0.018% of fission products sorbed in bulk
moderator graphite are released by graphite oxidation. These activi
ties, along with the initially circulating activity and the activity
removed from metallic surfaces due to steam induced vaporization, are
released from the reactor vessel along with the primary coolant. The
fission products contained in the primary coolant are subsequently
released to the atmosphere. Table D-9 presents the cumulative nuclide
release to the environment over the course of the event for the major
contributors to dose.
The nominal dose consequence for each of the release categories
analyzed is presented in Table D-10 for 30-day EAB thyroid and Whole
body gamma doses.
D.2.3. Uncertainty Analysis
A method for assessing the uncertainties in consequence prediction
was developed in the AIPA safety assessment (Ref. D-6). The method uses
simplified mathematical algorithms to describe the consequence control
ling phenomena as functions of variables with uncertainties that affect
the dose consequence. The algorithms are simplified because they are
used in a MOnte Carlo error propagation program Which determines the
probability distribution for the dose by sampling the input variables.
Cumulative probability distributions of independent variables are speci
fied as input to the program. This section describes the algorithms
used for the consequences from forced convection cooldowns under wet
conditions.
The dose consequence equation for steam generator leaks is the same
as Eq. D-2 in Section D.1.3. The X/Q distribution is also the same one
described in Section D.1.3. The factor fj in Eq. D-2 accounts for time
dependent attenuation due to buildup, decay, settling, plateout, and
other processes and is determined as described in Section D.1.3. Also,
D-33 DOE/HTGR-86-011/Rev. 3
TABLE D-10 NOMINAL DOSE CONSEQUENCE AT THE EAB FOR
FORCED CONVECTION COOLDOWNS UNDER WET CONDITIONS
Release Doses at EAB (Rem)
Category Whole Body 7 Thyroid
WF-1 2.2-03 3.4-01
WF-2 1. 7-03 2.8-01
WF-3 3.3-04 5.2-02
WF-4 2.6-04 4.3-02
D-34 DOE-HTGR-86-011/Rev. 3
as in Section 0.1.3, the uncertainties in dose effectivities Ci'j are
not considered.
The initial activity for nuclide j for accidents involving moisture
ingress has an uncertainty that is determined by the uncertainty of its
components according to the following:
whereQc,j = circulating activity of nuclide j,
Qf,j - fuel body inventory of nuclide j,
fh = fraction of failed fuel hydrolyzed,
ff = failed fuel fraction,
fo = oxidation fraction,
fs - heavy metal contamination fraction,
, (D-7)
Rs,j = fraction of plated-out nuclide j removed by steam-induced
vaporization and recirculation,
Qp,j = plated-out activity of nuclide j.
The uncertainty distribution on all terms is taken to be lognormal
except for the distribution on steam induced release fraction which,
because of lack of data, is assumed to be uniformly distributed from
0% to 100%. The uncertainty factor on the circulating activity of noble
gases and iodines is typically 4, but for metals, it can vary from 100
to 5000 depending on the individual nuclide. The fuel body inventory
has an uncertainty factor that varies from 1.01 to 2.13. There is no
plateout activity for noble gases so that term drops out. For iodines
and telluriums, the uncertainty factor on plateout activity is 4, but
for metals, it is 10. The failed fuel fraction has a median of 5 x 10-5
with an uncertainty factor of 4. The heavy metal contamination fraction
has a median of 2 x 10-5 with an uncertainty factor of 2. The hydrol
ysis and oxidation fractions vary with the accident but have uncertainty
0-35 DOE/HTGR-86-011/Rev. 3
factors of 2.4 and 1.4, respectively. For iodines, te11uriums, and
noble gases, there is no oxidation term because these nuclides are not
retained by the graphite. For metals, there is no hydrolysis term
because the metals are still retained by kernel material.
The median, ninety-fifth percentile, and fifth percentile results
of the dose uncertainty analysis for thyroid and whole body gamma doses
for a 30-day exposure at the EAB are presented in Table D-11.
D.3. CONSEQUENCES FROM CONDUCTION COOLDOWN UNDER DRY CONDITIONS
A number of event sequences that are initiated by primary coolant
leaks and seismic activity have been identified in Figs. C-1 and C-3.
Only those release categories that result in fission product release are
addressed here. These sequences in which forced cooling is lost have
been phenomenologically grouped and categorized as conduction coo1downs
under dry conditions. The categories are labeled DC-1 through DC-9
where DC-1 has the greatest consequence and DC-9 has the least nonzero
consequence. The consequence source term for conduction coo1down under
dry conditions includes (1) the circulating activity, (2) fission pro
duct release from the fuel due to high temperatures, and (3) liftoff of
a portion of the activity plated-out on primary circuit surfaces.
D.3.1. Data and Methods
Conduction coo1downs under dry conditions are initiated by loss
of HTS cooling, primary coolant leaks, and seismic activity. Each acci
dent has the loss of all forced convection cooling as the common feature
which identifies the accident as a conduction coo1down. In these acci
dents a gradual rise in core temperatures results due to an imbalance
between heat removal and decay heat generation rates. However, as tem
peratures increase the heat removed by conduction, convection, and radi
ation to the RCCS cooling panels also increases. Furthermore, the decay
D-36 DOE/HTGR-86-011/Rev. 3
TABLE 0-11 DOSE UNCERTAINTY ANALYSIS AT THE EAB FOR FORCED
CONVECTION COOLDOWNS UNDER WET CONDITIONS
Doses at EAB (Rem}
Release Whole Bod! 1 Th!roid
Category 5% Median 95% 5% Median 95%
WF-1 2.6-04 2.2-03 1.9-02 3.8-02 3.4-01 3.1+00
WF-2 2.0-04 1. 7-03 1.4-02 3.1-02 2.8-01 2.5+00
WF-3 3.9-05 3.3-04 2.8-03 5.8-03 5.2-02 4.6-01
WF-4 4.8-05 2.6-04 2.2-03 4.7-03 4.2-02 3.8-01
0-37 DOE-HTGR-86-011/Rev. 3
heat generation rate slowly decreases as the core fission product inven
tory decays with time. Thus, during the accident the imbalance between
heat generation and heat removal diminishes and eventually reverses,
whereupon the core begins to naturally cooldown to the RCCS.
The time-dependent evaluation of temperature throughout the core
and reactor vessel under depressurized conditions is conducted using the
TAC20 computer program (Ref. 0-15). TAC20 contains models to simulate
the heat generation due to decay of radionuclides, the heat-transfer
processes, and the heat exchange across open core plenums during the
course of a loss of forced circulation event.
The geometrical input data for the TAC20 model is specified in
terms of material boundaries parallel to the coordinate axes. Cylindri
cal coordinates are used, and the axes are denoted by r (radial) and z
(axial). The material boundaries define annular regions in which tem
perature nodal points are located. These points each represent a nodal
volume for which a central temperature is calculated. Some thermal
properties are dependent on temperature, and some are also dependent on
time and location. Specific heat, emissivity, conductivity, and volume
tric heat generation are specified as functionally dependent variables
for solid materials.
A two-dimensional geometric model of the entire reactor vessel
and cavity is used to perform the TAC20 analysis. The geometric model
encompasses the active core; the inner, outer, top, and bottom graphite
reflector; the graphite core support plenum shroud; the reactor vessel;
radiation shielding material above and below the reactor vessel; the top
access floor; the first concrete partition below the reactor vessel; and
the concrete behind the air-cooled RCCS panels. Heat transfer within
this model is principally by conduction through the core and reflectors
to the top and bottom core surfaces and to the core periphery adjacent
to the core barrel. Heat is transferred by thermal radiation and con
duction across the gas spaces separating the core surfaces and the metal
0-38 OOE/HTGR-86-011/Rev. 3
support structures and shrouds, and across the gas spaces to the reactor
vessel. Free convection from heated surfaces is represented by placing
a multiplicative factor on the thermal conductivity of the gas in the
spaces between surfac~s. Heat is transferred predominantly by thermal
radiation across the gas spaces separating the reactor vessel and the
RCCS cooling panels. A convective flow of air through the cooling
panels is calculated, which removes most of the heat from the panels.
Some heat is transferred by conduction from the panels to the reactor
cavity walls.
The thermal transient experience by the core during a depressurized
conduction cooldown is shown in Fig. D-9 for both the peak fuel and
average active core temperatures. In this particular transient the
depressurization is immediate, and natural circulation within the core
is negligible. Therefore heat removal is primarily by conduction and
radiation to the RCCS cooling panels. The core temperature as shown in
Fig. D-9 increases as the core heats up and begins to cooldown at
approximately 80 h when the heat removal rate exceeds the decay heat
generation rate. The peak temperature is 16200 C (2948°F).
Figure D-10 shows a plot of isotherms at the time of peak core
temperature across the R-Z plane of the reactor core, reflectors and
the reactor vessel. The peak core temperatures in excess of 16000 C
(2948°F) are confined to only about 5% of the core volume; most of the
fueled region experiences much lower temperatures.
For cases in which the reactor remains pressurized for some
extended period of time, (hundreds of hours) natural circulation within
the core becomes a more important heat transfer mechanism than under
depressurized conditions. The PANTHER computer code is used to analyze
these pressurized (or very slowly depressurizing) conduction cooldowns.
PANTHER is based on the classical thermal analyzer program TAP-LOOP,
which is described in Ref. D-16 and is discussed in Section D.4.1. As
D-39 DOE/HTGR-86-Q11/Rev. 3
an example, the thermal transient experienced by the core during a pres
surized conduction cooldown is shown in Fig. 0-11 for both the peak fuel
and average active core temperatures. This particular transient has no
breach in the primary coolant boundary and is applicable to small pri
mary coolant leaks that require more than 100 h to depressurize.
Because of natura~ circulation and the resultant heat redistribution in
the core, the peak temperatures are lower than for depressurized conduc
tion cooldowns.
The fuel body inventory and circulating and plateout activities
available at the start of an event are based on radionuclide design
criteria. The radionuclide design criteria are the allowable levels of
radionuclide accumulation in the primary circuit which will permit the
plant to satisfy the radiological dose limits applied to normal plant
operation and postulated events. The nominal circulating activity,
equilibrium fuel body inventory, and equilibrium 40-year plateout activ
ity available for liftoff are presented in Table 0-12 for those radio
nuclides which are major contributors to the dose resulting from con
duction cooldowns under dry conditions. By applying the liftoff model
discussed in Section 0.1.1 to the plateout activities, the additional
liftoff activities are calculated for a particular primary coolant leak
size. Some fraction of the fuel body inventory can be released due to
elevated temperatures.
Fuel particle failure and the fission product release from the core
during temperature transients are evaluated using the SORS computer code
(Ref. 0-17). The core release calculated by SORS is the source activity
due to elevated temperatures which contributes to the total release upon
which subsequent environment dose calculations are based.
SORS accepts core temperatures during a transient from other codes,
such as TAC20 and PANTHER, and calculates (1) release from heavy metal
contamination in the fuel rod matrix as a function of temperature and
nuclide, (2) release from initially exposed kernels in the core as a
0-40 OOE/HTGR-86-011/Rev. 3
TABLE D-12 INITIAL CIRCULATING, PLATEOUT, AND FUEL BODY INVENTORIES OF NUCLIDES THAT ARE MAJOR CONTRIBUTORS TO RADIOLOGICAL CONSEQUENCES OF CONDUCTION
COOLDOWN ACCIDENTS .
Isotope
Kr-85 Kr-87 Kr-88 Rb-88 Sr-89 Sr-90 Y-91 Mo-99 Ru-103 Ag-110m Sb-125 Sb-127 Te-127 Te-132 Te-133m 1-131 1-132 1-133 1-134 1-135 Xe-133 Xe-135m Xe-135 Xe-138 Cs-134 Cs-137 Cs-138 Ba-137m Ce-144
Circulating Activity (Ci)
2.96-03 2.96+00 5.16+00 6.78-02 1.39-06 7.29-10 2.14-07 6.96-06 2.54-07 5.45-06 7.30-10 1.34-07 1.14-04 8.25-04 6.30-03 1.79-02 2.23-01 1.18-01 5.41-01 1.91-01 2.32+00 1.20+00 3.49+00 1.12+00 3.23-06 1.98-06 9.37-03 3.27-04 4.22-08
Plateout Activity (Ci)
0.00 0.00 0.00 5.20+00 1.72+00 3.35-01 4.17-01 1.74-01 1.03-01 8.43+00 4.74-03 6.04-03 1.00+00 1.66+01 1.51+00 2.00+01 1.94+01 1.49+01 5.22+00 6.74+00 0.00 0.00 0.00 0.00 1.49+01 7.00+01 1.30+00 6.62+01 7.40-02
Fuel Body Inventory (Ci)
9.91+04 7.13+06 9.95+06 1.02+07 1.34+07 7.41+05 1.62+07 1.83+07 1.20+07 1.38+04 5.64+04 6.52+05 6.47+05 1.35+07 1.12+07 9.34+06 1.37+07 2.03+07 2.28+07 1.89+07 2.03+07 3.71+06 2.48+06 1.85+07 1.06+06 8.58+05 1.96+07 8.17+06 1.24+07
D-41 DOE-HTGR-86-011/Rev. 3
function of nuclide, fuel burnup and temperature, (3) failure of ini
tially intact fuel particle coatings (both with and without manufactur
ing defects) due to the mechanism of pressure vessel failure, (4) SiC
corrosion by fission products and SiC thermal decomposition, and (5)
diffusion of fission products through intact coatings. SORS further
accounts for diffusion of the nonvolatile nuclides through the fuel
rod matrix and core graphite and their transport by the primary coolant.
The procedure adopted in SORS is to describe the problem in terms
of several coupled first order differential equations with coefficients
which are dependent on time. The independent variables represent the
total amount of each isotope in one of the three parts of the core,
i.e., the fuel, the graphite, or the coolant. The variable coefficients
represent an average probability of an atom moving from one part of the
core to another, where the probability has been averaged over the whole
reactor. The differential equations are integrated numerically using
Hemmings' predictor-corrector technique. Since Hammings' technique is a
four-step method, the Runge-Kutta routine is used to set up the start
ing values. The Hammings' method is well established, accurate, and
reliable.
After release from the fuel particles, the nonvolatile fission
products are still confined by the matrix and structural graphite. To
escape from the core, the fission products must diffuse through the
graphites to the coolant channel, evaporate at the surface of the chan
nel and be carried out of the coolant channel by the coolant stream.
The fission product transport from the reactor vessel, subsequent
release to the atmosphere, and the resultant dose calculations were
performed using the TDAC computer code as discussed previously in Sec
tion 0.1.1. Hydrostatic displacement and thermal expansion after a com
plete depressurization to atmospheric pressure become important due to
the release of fission products from the core during the time when peak
core temperatures are increasing. Once core temperatures begin to
0-42 DOE/HTGR-86-01.1/Rev. 3
decrease, thermal contraction will essentially terminate the release
from the reactor vessel. Since all of the conduction cooldowns under
dry conditions vent to the reactor building, plateout and settling in
the reactor building on surfaces cooled by the RCCS have been consid
ered. Meteorological conditions and reactor building parameters are as
given in Table 0-4.
0.3.2. Fission Product Release and Oose Assessment
In the frequency assessment for primary coolant leaks, loss of HTS
cooling, and earthquakes, events were identified in Figs. C-1 through
C-3 which lead to conduction cooldowns under dry conditions. These
events are assigned a release category designation based on their radio
nuclide release characteristics. For the purposes of consequence
assessment, a representative size is selected for each leak-size range
identified in the frequency assessment. Proceeding from the least to
the greatest consequence, the following paragraphs describe for each
release category the dominant event sequence, radionuclide release
mechanism, and dose consequence.
Release category OC-9 is represented by a characteristic leak area
of 1.6 x 10-3 cm2 (2.S x 10-4 in. 2). The size may range from 1.9 x 10-4
to 0.013 c~ (3 x 10-5 to 2 x 10-3 in. 2). In this leak range, it is
assumed conservatively that the OC-9 category is bounded by those events
without HPS pumpdown. HPS pump down rapidly depressurizes the primary
system so that the fuel temperature experiences the transient given in
Fig. 0-9. However, with the pump down successful, the fission products
released from the core are mostly retained in the vessel, thus resulting
in less release than without HPS pumpdown. For sizes this small, the
depressurization time for the reactor vessel is several hundred hours so
that the thermal temperature profile is approximated by that given in
Fig. 0-11 for pressurized conduction cooldowns. Figure 0-12 shows the
cumulative release of gaseous and volatile fission products from the
core. As seen in the figure, the release is small and occurs slowly
0-43 00E/HTGR-86-011/Rev. 3
over several days. The attenuation of activity in the reactor vessel is
assumed to occur only due to radioactive decay. The release to the
atmosphere is via the reactor building. The 1-131 and 1-133 activities
released to the atmosphere during OC-9 are 0.31 and 0.071 Ci, respec
tively. These two radionuc1ides account for over 90% of the thyroid
dose. Table 0-13 presents the cumulative nuclide release to the envi
ronment for the major contributors to dose.
Release category OC-S describes large leaks greater than 6.5 cm2
(1.0 in.2) Where the depressurization is so rapid that BPS pump down is
ineffective. The depressurization time for OC-S is less than 7 h so
that the thermal temperature profile is approximated by that given in
Fig. 0-9 for a depressurized conduction cooldown. During the depres
surization, a very small fraction of the initially plated-out activity
is lifted off and released along with all of the initially circulating
activity. Figure 0-13 shows the cumulative release of gaseous and
volatile fission products from the core. As seen in the figure the
release occurs over days as the core heats up slowly. The release rate
becomes negligible beyond 100 h as the core begins to cooldown. The
release mechanism from the vessel after the initial depressurization and
as the core heats up is by slow thermal expansion of gases from the
vessel. The release to the environment is through the reactor building
Where fission products are attenuated due to decay, settling, and plate
out. The cumulative nuclide release for OC-S is the same as that for
OC-7 Which can be seen in Table 0-13.
Release category OC-7 describes a leak in the size range 0.19 to
6.5 c~ (0.03 to 1.0 in2) with a successful BPS pumpdown to atmospheric
pressure. The primary system is depressurized in about 20 h, so the
thermal transient is approximated by that given in Fig. 0-9 for a
depressurized conduction coo1down. The fission products released from
the core are the same as for release category ~C-So After the initial
depressurization, fission products are released from the vessel by
(1) hydrostatic displacement of the helium in the vessel by air in
0-44 OOE/HTGR-S6-011/Rev. 3
TABLE D-13 CUMULATIVE RELEASE TO ENVIRONMENT IN CURIES FOR CONDUCTION
COOLDOWNS UNDER DRY CONDITIONS
Nuclide DC-1 DC-2 DC-3 DC-4 DC-5 DC-7 DC-9
Kr-88 1.7+02 4.3+01 1.6+00 1.1-01 4.0-01 1.2+00 5.6-03
Rb-88 1.6+02 4.0+01 1.5+00 1.1-01 3.8-01 3.8+00 5.4-03
Sr-90 6.4-03 1.6-03 2.8-05 1.2-05 7.0-06 9.5-06 1.6-06
Ru-103 3.0+02 7.4+01 3.6-02 5.1-02 8.9-03 9.1-02 3.0-02
Sb-125 5.2+02 1.3+02 5.0-03 2.3-03 1.2-03 4.8-04 3.3-03
Te-129m 5.2-04 1.3-04 9.2-06 3.6-06 2.3-06 7.8-06 8.5-03
I-131 6.4+04 1.6+04 8.8+00 4.2+00 2.2+00 1.0+00 3.1-01
Te-132 2.6+03 6.6+02 6.5+00 2.2+00 1.6+00 4.9-01 8.9-02.
I-132 3.0+03 7.6+02 4.0+00 1.5+00 1.0+00 5.0-01 5.2-02.
I-133 1.4+03 3.6+02 6.2+00 1.5+00 1.6+00 8.0-01 7.1~02
Xe-133 2.0+04 5.1+03 4.7+02 2.1+02 1.2+02 5.6+01 1.45+01
Cs-134 3.7+02 9.3+01 5.6-05 2.4-05 1.4-05 2.8-05 3.4-06
Xe-135 4.8+02 1.2+02 3.3+01 4.6+00 8.3+00 4.9+00 2.4-01
Cs-137 3.1+02 7.8+01 1.5-04 6.0-05 3.7-05 1.1-04 9.8-06
D-45 DOE-HTGR-86-011/Rev. 3
the reactor building and (2) thermal expansion of gases in the vessel
as the core heats up. Because of the small leak size, the. hydrostatic
displacement is assumed to proceed slowly over about 100 h. When the
core begins to cool down, after about 100 h, the release rate from the
vessel becomes negligible. Fission products are released to the envi
ronment through the reactor building, after some attenuation due to
radioactive decay, settling of particulates, and plateout of halogens on
cool surfaces in the reactor building. The I-131 and I-133 activities
released to the atmosphere during OC-7 are 1.0 and 0.80 Ci, respec
tively. Table 0-13 presents the cumulative nuclide release to the envi
ronment for the major contributors to dose.
Release category OC-6 describes a leak in the size range between
0.013 and 0.19 cm2 (2 x 10-3 and 0.03 in2) with a successful HPS pump
down. Because the pump down is successful in reducing the primary system
pressure within about 24 h, the thermal transient is approximated by
that given in Fig. 0-9 for a depressurized conduction cooldown. Thus,
Fig. 0-13 is representative of the release of fission products from
the core. After the initial depressurization, fission products are
released from the vessel by (1) hydrostatic displacement of the helium
in the vessel by air in the reactor building and (2) thermal expansion
of gases in the vessel as the core heats up. Hydrostatic displacement
proceeds slowly over about 100 h. At about that time, when the core
begins to cool, the release rate from the vessel becomes negligible.
Fission products are released to the environment through the reactor
building, after some attenuation due to radioactive decay, settling, and
plateout. The cumulative nuclide release to the environment for OC-6 is
identical to that of OC-5 which is presented in Table 0-13.
Release category OC-5 describes a leak size in the range of 0.19
to 6.5 cm2 (0.03 to 1.0 in.2) where HPS pump down fails and the system
depressurizes slowly over a period of 25 h. Hydrostatic displacement
proceeds slowly over about 100 h. The release from the reactor core is
represented by Fig. 0-13. Attenuation in the reactor vessel is from
0-46 00E/HTGR-86-011/Rev. 3
radioactive decay and holdup after the reactor begins to coo1down (after
100 h). The release to the environment is via reactor building leakage,
with attenuation due to p1ateout, settling, and decay in the reactor
building. The 1-131 and 1-133 activities released to the atmosphere
during DC-5 are 2.2 and 1.6 Ci, respectively. Table D-13 presents the
cumulative nuclide release to the environment for the major contributors
to dose.
Release category DC-4 describes a leak in the size range of 0.013
to 0.19 c~ (2 x 10-3 to 0.03 in.2), with a representative leak area of
0.05 c~ (7.7 x 10~3 in. 2). In DC-4, the BPS fails to pump down primary
coolant to storage. The result is a depressurization over a period of
145 h Where fuel body activity released during that time period has a
mechanism to be transported out of the reactor vessel. Since the vessel
remains at high pressure over 100 h, the transient temperature profile
for these leaks is approximated in Fig. D-11 for a pressurized conduc
tion cooldown. Release to the environment is via reactor building leak
age, with attenuation due to plateout, settling, and radioactive decay
in the reactor building. The 1-131 and 1-133 activities released to the
atmosphere.during DC-4 are 4.2 and 1.5 Ci, respectively. Table D-13
presents the cumulative nuclide release to the environment for the major
contributors to dose.
Release category DC-3 describes an event initiated by seismic
activity Which results in a primary coolant leak with a size greater
than 0.19 c~ (0.03 in. 2). In this category, the dose consequence is
identical to DC-5 except that all four modules are affected so that the
dose is four times the dose for DC-5. The 1-131 and 1-133 activities
released to the atmosphere during DC-3' are 8.8 and 6.2 Ci, respectively.
Table D-13 presents the cumulative release to the environment for the
major contributors to dose.
Released category DC-2 represents events Where loss of HTS is fol
lowed by loss of both the SCS and the RCCS cooling. The system pressure
D-47 DOE/HTGR-86-011/Rev. 3
is reduced within two days by operator initiated pumpdown of the primary
system using the BPS system. In the absence of RCCS core cooling, the
reactor heats up reaching a core maximum and average temperatures of
approximately 18700 C (3398°F) and 16000 C (2912°F), respectively. This
results in release of approximately 0.02% of the halogens from the fuel
body inventory. Even at these temperatures the fuel particles and the
core provide sufficient retention to hold a vast majority of the fission
products in the core. The release from the primary system is due to the
hydrostatic displacement of helium and thermal expansion of primary sys
tem inventory. The release to the environment is via the reactor build
ing Where fission products are attenuated due to plateout, settling, and
decay. Table D-13 presents the cummulative release to the environment
for the major dose contributors.
Release category DC-1 is the final category under consideration in
this section. In this event sequence, seismic activitY'produces ground
accelerations greater than 1.5 g resulting in failure of the HTS, SCS,
and RCCS, in addition to a nominal instrument line failure. This event
affects all four modules of the plant and is otherwise identical to
release category DC-2. Table D-13 presents the cumulative nuclide
release to the environment for the major contributors to dose.
The nominal dose consequence for each of the release categories
analyzed is presented in Table D-14 for 30-day exposure at the EAB for
thyroid, bone, lung, and Whole body gamma doses.
D.3.3. Uncertainty Analysis
A method for assessing the uncertainties in consequence prediction
was developed in the AIPA safety assessment (Ref. D-6). The method uses
simplified mathematical algorithms describing the consequence control-
I ling phenomena as functions of variables with uncertainties that affect
the dose consequence. The algorithms are simplified because they are
used in a Monte Carlo error propagation program Which determines the
D-48 DOE/HTGR-86-011/Rev. 3
TABLE D-14 NOMINAL DOSE CONSEQUENCE AT THE EAB FOR CONDUCTION
COOLDOWNS UNDER DRY CONDITIONS
Release Nominal Dose in Rem
Category Whole Body 7 Thyroid Bone Lung
DC-1 4.5-02 4.7+01 1. 7-01 1.3+00
DC-2 1.1-02 2.3+01 8.7-02 6.7-01
DC-3 4.5-04 1.0-01 1.5-04 2.8-03
DC-4 1.5-04 7.6-02 9.2-05 1.9-03
DC-5 1.1-04 2.5-02 3.7-05 7.0-04
DC-7 2.0-04 2.1-02 2.3-05 5.8-04
DC-9 9.0-06 5.5-03 1.3-05 1.7-04
D-49 DOE-HTGR-86-011/Rev. 3
probability distribution for the dose by sampling the input variables.
Cumulative probability distributions of independent variables are speci
fied as input to the program. This section describes the algorithms
used for consequences from conduction cooldowns under dry conditions.
The dose consequence equation for conduction cooldown accidents
is the same as Eq. D-2 in Section D.1.3. The X/Q distribution is also
the same one described in Section D.1.3. The factor fj in Eq. D-2
accounts for time-dependent attenuation due to buildup, decay, set
tling, plateout, and other processes and is determined as described in
Section D. 1.3. Als.o, as in Section D. 1. 3, the uncertainties in dose
effectivities Ci,j are not considered.
The initial activity for nuclide j for accidents involving conduc
tion cooldowns has an uncertainty that is determined by the uncertainty
of its components according to the following:
, (D-8)
where Qi,j = source term activity due to forced convection cooldown
under dry conditions (Eq. D-4),
fT,j = fractional release of nuclide j due to temperature
increase,
QF,j = fuel body inventory of nuclide j.
The uncertainty distribution on all terms is taken to be lognormal.
The components of the source term activity due to forced convection
cooldown under dry conditions and their uncertainty factors are given in
Section D.1.3. The fuel body inventory has an uncertainty factor that
varies from 1.01 to 2.13. The uncertainty factor in the fractional
release due to elevated temperatures is estimated to be 1.2 for all
nuclides.
D-50 DOE/HTGR-86-011/Rev. 3
The median, ninety-fifth percentile, and fifth percentile results
of the dose uncertainty analysis for thyroid, lung, bone, and whole
body gamma doses for a 30-day exposure at the EAB are presented in
Table D-15.
D.4. CONSEQUENCES FROM CONDUCTION COOLDOWN UNDER WET CONDITIONS
A number of event sequences that are initiated by small and
moderate steam generator leaks have been identified in Figs. C-8 and
C-9. Only those release categories that result in fission product
release and result in an offsite dose to the public are addressed here.
These sequences in which forced' cooling is lost have been phenomenologi
cally grouped and categorized as conduction cooldowns under wet condi
tions. The categories are labeled WC-1 through WC-7 where WC-1 has the
greatest consequence and WC-7 has the least nonzero consequence. The
consequence source term for conduction cooldowns under wet conditions
includes (1) the circulating activity, (2) fission product release from
the fuel due to high temperatures, (3) steam-induced vaporization and
recirculation of a portion of the activity plated-out on primary circuit
surfaces, (4) release from failed fuel due to hydrolysis, and (5)
release from oxidized graphite.
D.4.1. Data and Methods
Conduction cooldowns under wet conditions are initiated by steam
generator leaks. Each accident has the loss of all forced convection
cooling as the common feature which identifies the accident as a con
duction cooldown. The following paragraphs summarize the physical
phenomena and plant response that was analyzed followed by the methods
and data used in the analysis.
For accidents initiated by small and moderate steam generator
leaks, a subsequent loss of forced convection cooling and primary
coolant boundary failure result in conduction cooldowns with an offsite
D-51 DOE/HTGR-86-011/Rev. 3
TABLE D-1S DOSE UNCERTAINTY ANALYSIS AT THE EAB FOR CONDUCTION COOLDOWNS UNDER DRY CONDITIONS
Dose in Rem
Release Whole Body 7 Thyroid Bone Lung
Category SI Median 9S1 51 Median 9S1 SI Median 9S1 SI Median 9S1
DC-I 1.0-02 6.4-02 4.S-01 6.0+00 S.O+Ol 4.3+02 6.0-03 9.3-02 1.3+00 1.2-01 1.1+00 1.0+01
t::I DC-2 2.7-03 1.6-02 1.1-01 3.0+00 2.S+01 2.1+02 3.1-03 4.7-02 6.3-01 S.9-02 S.7-01 S.1+00 I
VI DC-3 4.8-0S 2.9-04 2.3-03 2.0-02 2.1-01 2.2+00 4.4-0S 4.0-04 4.2-03 1.1-03 8.0-03 6.8-02 N
DC-4 1.5-0S 1.S-04 1.S-03 7.6-03 7.6-02 7.6-01 N.C. 9.2-0S N.C. N.C. 1.9-03 N.C.
DC-S 1.2-0S 7.3-0S S.8-04 5.1-03 5.3-02 5.5-01 1.1-05 9.9-0S 1.1-03 2.7-04 2.0-03 1. 7-02
DC-6 1.2-05 7.3-05 S.8-04 S.1-03 5.3-02 5.5-01 1.1-05 9.9-05 1.1-03 2.7-04 2.0-03 1.7-02
DC-7 6.5-05 3.2-04 2.2-03 3.0-03 4.9-02 5.9-01 4.7-06 5.7-05 5.7-04 4.6-05 5.6-04 5.5-03
DC-8 6.5-05 3.2-04 2.2-03 3.0-03 4.9-02 5.9-01 4.7-06 5.7-05 5.7-04 4.6-05 5.6-04 5.5-03
t::I DC-9 2.1-06 1.0-05 7.2-05 3.4-04 5.5-03 6.6-02 5.1-07 7.5-06 8.2-05 2.3-05 2.1-04 1.9-03 0 tzJ I
~ fJ I
00 (J\ I
0 ..... ..... -:;tI ~ . w
dose to the public. The fission product release pathway may be either
through the steam generator secondary side or to the reactor building
if the primary relief valves lift. Releases may consist of circulating
activity, activity released from hydrolyzed fuel, activity released from
oxidized graphite, plated-out material released due to SIVR, or fuel
body inventory released due to the thermal transient. The frequency
assessment of Section 7.7 for small steam generator leaks covers a spec
trum of leak sizes ranging from pinhole to approximately 0.052 cm2
(8 x 10-3 in. 2). The maximum size considered for small leaks corre
sponds to a leak rate of about 0.05 kg/s (0.1 lbm/s) which is used for
the consequence assessment for small steam generator leaks. The fre
quency assessment of Section C.8 for moderate steam generator leakS
covers a spectrum of flow rates ranging from 0.05 to 5.7 kg/s (0.2 to
12.5 lbm/s). The consequence assessment for moderate steam generator
leaks has been based on the leak rate of 5.7 kg/s (12.5 lbm/s) which
corresponds to a single tube offset rupture.
The planned response to a moisture ingress event begins with the
detection of moisture at the 1000 ppm level by the moisture monitors.
Depending on the leak size, this level may not be reached for anywhere
between 2 s to 5 min. The moisture sampling process takes another 20 s
after which the PPIS initiates a reactor trip on the outer control rods
and isolation of the steam generator. Following isolation, the steam
generator dump valves are opened and the steam generator inventory
released into the dump tanks. Just prior to releasing primary coolant
through the dump system, the valves are reclosed. Also following the
signal to isolate the steam generator, the HTS circulator is tripped and
the SCS is started and cools the reactor core by forced circulation. In
the accidents discussed in this section the SCS either fails to start or
fails to operate a sufficient amount of time so that forced circulation
cooling is lost. Removal of core residual heat is by conduction and
radiation to the RCCS cooling panels. The resulting transient is a
pressurized conduction cooldown with the reactor pressure remaining
below the setpoint of the primary system pressure relief train.
D-53 DOE/HTGR-86-011/Rev. 3
For cases in which the reactor remains pressurized for some
extended period of time, natural circulation within the core becomes
a more important heat transfer mechanism than under depressurized con
ditions. The PANTHER computer code is used to analyze these pressurized
(or slowly depressurizing) conduction cooldowns. PANTHER is based on a
classical thermal analyzer program which is described in Ref. 0-16.
PANTHER models the reactor system as a network of interconnected
nodes. The nodal map models the active core, reflectors, core barrel,
reactor vessel, and the RCCS. Each node is assumed to be connected to
each of its neighbors by a conducting path to which a value called the
"admittance,· is assigned. The "admittance is the reciprocal of the
thermal resistance. Each active core node is assigned a generation rate
equivalent to the rate of heat generation of the actual core column
represented by the node. The temperature assigned to each node repre
sents the temperature at the centroid of the corresponding element of
the physical system.
Heat generated within the active core is transferred by conduction
both radially and axially from node to node within the core and reflec
tors. Within the fueled core there are three flow paths. Heat is also
transferred to the fluid nodes in each flow path, which transport heat
by flowing either upward or downward within the coolant passages. The
flow rates were computed within the program by adding up the hydrostatic
head in each gas column and relating these to the frictional pressure
loss in each column, assuming that the pressures in the top and bottom
plena are uniform. This computation is done iteratively at each time
step by adjusting the plenum pressures until the conservation-of-mass
condition is satisfied for the flows. Ultimately heat is radiated from
the core barrel to the vessel, and from the vessel, heat is transferred
to the RCCS panels via radiation and natural convection.
The thermal transient experienced by the core during a pressurized
conduction cooldown is shown in Fig. 0-11 for both the peak fuel and
0-54 OOE/HTGR-86-011/Rev. 3
average active core temperatures. This particular transient assumes no
breach in the primary coolant boundary. Slow primary coolant leaks,
which require more than 100 h to depressurize, is assumed to experience
the same temperature transient.
For cases where the pressure vessels depressurize, such as through
a relief valve that fails open, the time-dependent evaluation of tem
peratures throughout the core and reactor vessel under depressurized
conditions is conducted using the TAC2D computer program (Ref. D-15).
TAC2D contains models to simulate the heat generation due to decay of
radionuclides, the heat-transfer processes, and the heat exchange across
open core plenums during the course of a loss of forced circulation
event. A brief discussion of the TAC2D program is given in
Section D.3.1.
The thermal transient experienced by the core during a depressur
ized conduction cooldown is shown in Fig. D-9 for both the peak fuel and
average active core temperatures. This particular transient assumes
immediate depressurization. Primary coolant leaks which require less
than 100 h to depressurize is assumed to experience the same temperature
transient.
The fuel body inventory and circulating and plateout activities
available at the start of an event are based on radionuclide design cri
teria. The radionuclide design criteria are the allowable levels of
radionuclide accumulation in the primary circuit which will permit the
plant to satisfy the radiological dose limits applied to normal plant
operation and postulated events. The circulating activity, fuel body
inventory, and plateout activity available for steam-induced vaporiza
tion and recirculation are presented in Table D-12 in Section D.3 for
those radionuclides which are major contributors to the resultant dose
from conduction cooldowns under wet conditions. By applying the steam
induced vaporization model discussed in Section D.2.1, the fraction of
plateout activities reentrained into the primary system are calculated
D-55 DOE/HTGR-86-011/Rev. 3
for steam generator leak accidents. The fuel body inventory can be
released due to elevated temperatures, due to hydrolysis of the ini
tially failed fuel, and due to oxidation of graphite in which fission
products have been retained.
The thermal transient results from PANTHER for pressurized con
duction cooldowns are used by the OXIDE code to analyze the transient
effects of moisture ingress on the fuel and core graphite. The OXIDE
code determines the fractional fission product release due to steam
graphite and steam fuel reactions and is described in more detail in
Section 0.2.1.
The evaluation of fuel particle failure and the fission product
release from the core during temperature transients is calcu~ated using
the SORS computer code (Ref. 0-17). The core release calculated by SORS
is the source activity due to elevated temperatures which contributes to
the total release upon which subsequent environment dose calculations
are based. The SORS code is discussed in Section 0.3.1.
The fission product transport from the reactor vessel, subsequent
release to the atmosphere, and the resultant dose calculations were
performed using the TDAC computer code as discussed previously in Sec
tion 0.1.1. Meteorological conditions and reactor building parameters
are as given in Table 0-4. The release pathway for accidents initiated
by steam generator leaks may be either through the steam generator sec
ondary side relief train or through the reactor building if the primary
relief train valves open. For those conduction cooldown categories
which vent to the reactor building, plateout and settling in the reactor
building on surfaces cooled by the RCCS have been considered. In either
case, possible failure of the valves to reclose is typically considered.
Hydrostatic displacement and thermal expansion subsequent to a complete
depressurization become important due to the release of fission products
from the core during the time when core temperatures increase. Once
0-56 DOE/HTGR-86-011/Rev. 3
core temperatures begin to decrease, thermal contraction will essen
tially terminate the release from the reactor vessel.
D.4.2. Fission Product Release and Dose Assessment
The planned response to a moisture ingress event is discussed in
Section 6.1.7 for small steam generator leaks and in Section 6.1.S for
moderate steam generator leaks. For fission product release to occur
from conduction cooldowns initiated by steam generator leaks, failures
in addition to the leak are required that result in failure of the pri
mary coolant boundary to remain intact and contain the fission products
throughout the transient. As shown in Figs. C-S and C-9, additional
failures can result in a number of accident sequences that result in
offsite dose. Proceeding from the least to the greatest consequence,
the following paragraphs describe for each release category the dominant
event sequence, radionuclide release mechanism, and the basis for
assessment of the category dose consequences.
Detailed analysis was performed on release categories WC-2, WC-4,
and WC-7. WC-7 consists of a moderate steam generator leak and normal
plant response. WC-4 represents a moderate steam generator leak with
delayed isolation resulting in four pressure reliefs and successful
reclosure. WC-2 represents a moderate steam generator leak with delayed
termination resulting in tWD pressure reliefs with failure to reclose
after the second. These categories represent the range from the minimum
to the maximum water ingress for moderate steam generator leaks. The
dose consequences of the other four release categories are calculated by
scaling the dose results of WC-2, WC-4, or WC-7. The scaling examines
the dose contribution from fission products released due to hydrolysis.
One scaling for hydrolysis contribution is due to the amount of water
ingressed. The other scaling, in instances where the relief valve fails
open, is based on the time of final relief. In addition, the number of
pressure reliefs determines the fraction of the activitY'in the reactor
system that is released which provides an additional scaling factor for
D-S7 DOE/HTGR-S6-011/Rev. 3
dose. If the pressure relief valve fails open, then the dose results
due to the slow thermal expansion and release of a conduction cooldown
are added.
Release category WC-7 is a moderate steam generator leak which
results in fission product release to the reactor building through the
primary relief valve and subsequently to the atmosphere. The plant
responds as planned with the exception that the SCS cooling fails. A
total of 270 kg (600 lbm) of steam enters the primary system. System
pressure increases due to (1) inventory additions caused by the reaction
of steam with graphite (one mole of steam produces two moles of gaseous
reaction products), and (2) temperature increases caused by the pressur
ized conduction cooldown. At about 10 h, when the system pressure
reaches a setpoint of 7177 kPa (1041 psia), the pressure relief valve
opens to vent primary coolant into the reactor building. The valve
recloses successfully when the setpoint of 6103 kPa (885 psia) is
reached. Because of the difference between the relief valve opening and
closing setpoints, abo~t 15% of the primary coolant and the fission
products it contains at the time of relief are released to the reactor
building and subsequently to the atmosphere. At the time of the
release, 8% of gaseous fission products in failed fuel are released to
the primary coolant by hydrolysis, 0.05% of fission products sorbed in
bulk moderator graphite are released by graphite oxidation, and small
amounts of halogens and noble gases are released from the fuel to the
primary coolant due to elevated temperatures. In addition, 60% of the
fission products plated out on metallic surfaces are released to the
primary system from steam-induced vaporization. The thermal transient
would be like a pressurized conduction cooldown. Table 0-16 presents
the cumulative nuclide release to the environment for the major
contributors to dose.
Release category WC-6 is a moderate steam generator leak with
delayed termination, which results in fission product release to the
reactor building through the primary relief valve and subsequently to
0-58 OOE/HTGR-86-011/Rev. 3
TABLE D-16 CUMULATIVE RELEASE TO ENVIRONMENT IN CURIES FOR
CONDUCTION COOLDOWNS UNDER WET CONDITIONS
Nuclide WC-1 WC-2 WC-3 WC-4 WC-6 WC-7
Kr-88 2.5+00 9.8+00 1.2-01 1.4+00 6.3-01 7.5-02
Sr-89 1.4+00 8.0-01 8.6-03 1.2-02 6.1-03 2.4-02
Sr-90 8.8-02 3.0-02 5.3-04 1.9-03 9.7-04 4.0-03
Y-91 4.1-01 4.8-01 2.5-03 6.5-03 3.0-03 9.8-03
Ag-110m 3.9-01 2.5+00 2.4-03 4.2-02 2.3-02 9.6-02
1-131 2.6+01 4.6+00 1.0+00 8.0-01 3.3-01 2.9-01
Te-132 6.1+01 1.8+01 3.6-01 2.0-01 9.6-02 7.3-01
1-132 3.1+01 7.8+00 1.0+00 8.7-01 3.3-01 4.2-01
1-133 3.7+01 8.8+00 1.5+00 1.1+00 4.3-01 3.7-01
Xe-133 3.7+02 1.1+02 4.6+01 1.3+01 6.4+00 9.2+00
1-134 5.0-03 6.4+00 1.5-04 7.9-01 2.7-01 2.2-03
Cs-134 6.2-01 4.4+00 3.7-03 7.4-02 3.9-02 1. 7-01
1-135 1.2+01 6.2+00 4.7-01 7.9-01 2.9-01 1.5-01
Xe-135 8.1+01 1.7+01 8.1+00 4.1+00 2.0+00 2.0+00
Cs-137 2.5+00 3.3+00 1.5-02 3.5-01 1.8-01 7.9-01
Ba-137m 2.3+00 1.9+01 1.4-02 3.2-01 1. 7-01 7.4-01
Ce-144 1.3+00 3.0-01 7.7-03 3.8-03 1.6-03 4.8-03
D-59 DOE-HTGR-86-011/Rev. 3
the atmosphere. Two possible scenarios result in this release category.
In the first, the moisture monitors fail to detect high moisture levels,
but the reactor is tripped in about 10 s on high power-to-flow ratio.
As moisture continues to enter the system, the primary coolant pressure
increases to the high pressure trip setpoint of 7069 kPa (1025 psia) in
about 6 min. Reaching this PPIS setpoint initiates HTS trip and steam
generator isolation. In the second possible scenario, the moisture
monitors detect high moisture levels and respond as planned, to trip
the reactor and the HTS and to isolate the steam generator. However,
the steam generator dump valves fail to open. Steam generator dump is
initiated manually in both scenarios within 10 min, but by that time a
large portion of the steam generator inventory drains into the primary
system. A total of 3000 kg (6600 lbm) of steam enters the system.
After the HTS trips, the SCS fails to provide forced convection cooling
and heat is removed by conduction and radiation to the RCCS cooling
panels. Because of the continued water ingress, the pressure increases
and is relieved two times through the pressure relief valve before oper
ator intervention succeeds in isolating the steam generator. The pres- .
sure relief valve successfully recloses after opening both times, thus
releasing 28% of the primary coolant inventory. At the time of the
final relief (about 0.8 h), 6% of gaseous fission products in failed
fuel are released to the primary coolant by hydrolysis, and 0.16% of
fission products sorbed in bulk moderator graphite are released by
graphite oxidation; the release from fuel due to elevated temperatures
is insignificant. These activities, along with the initially circulat
ing activity and the activity removed from surfaces due to steam-induced
vaporization and recirculation are available for release with the pri
mary coolant. Table 0-16 presents the cumulative nuclide release to the
environment for the major contributors to dose.
Release category WC-5 is a moderate steam generator leak Which
results in fission product release to the reactor building through
the primary relief valve and subsequently to the atmosphere. The
plant responds as planned with the exception that the SCS cooling fails
0-60 OOE/HTGR-86-011/Rev. 3
and the primary relief valve fails to reclose after opening to relieve
excess pressure. The release category is identical to WC-7 with the
exception that the primary relief valve fails to reclose. The resulting
moisture ingress and elevated temperatures will hydrolyze 8% of the
failed fuel and oxidize 0.05% of the bulk moderator graphite prior to
vessel depressurization. Subsequent hydrolysis and oxidation are negli
gible due to the low partial pressure of steam. The thermal transient
prior to depressurization is like a pressurized conduction cooldown, and
afterwards, it is like a depressurized conduction cooldown. Thermal
expansion, therefore, will transport some of the fission products
released during the slow thermal transient out of the reactor vessel
into the reactor building. These fission products will be released
slowly to the atmosphere via reactor building leakage, and can be atten
uated in the building due to radioactive decay, plateout, and settling.
Release category WC-4 is a moderate steam generator leak with
delayed isolation which results in fission product release to the reac
tor building through the primary relief valve and subsequently to the
atmosphere. The moisture monitors detect high moisture levels and
respond as planned, to trip the reactor and the HTS and to isolate the
steam generator. The feedwater valves close, but the steam valves fail
to close. Steam continues to enter the primary system until the opera
tor manually isolates and dumps the steam generator, within about
20 min. A total of 6800 kg (15,000 lbm) of steam enters the system.
After the HTS trips, the SCS fails to provide forced convection cooling
and heat is removed by conduction and radiation to the RCCS cooling
panels. Because of the continued water ingress, the pressure increases
and is relieved four times through the pressure relief valve before
operator intervention succeeds in isolating the steam generator. ·The
pressure relief valve successfully recloses after each opening. Thus,
48% of the primary coolant inventory is eventually released from the
reactor vessel. At the time of the final pressure relief (about
20 min), 5.7% of gaseous and volatile fission products in failed fuel
are released to the primary coolant by hydrolysis, and 0.09% of fission
D-61 DOE/HTGR-86-011/Rev. 3
products sorbed in bulk moderator graphite are released by graphite oxi
dation; the release from fuel due to elevated temperatures is insignifi
cant. These activities, along with the initially circulating activity
and the activity removed from surfaces due to steam-induced vaporization
are available for release with the primary coolant. The fission prod
ucts are released from the reactor vessel through the reactor building
to the atmosphere. Table D-16 presents the cumulative nuclide release
to the environment for the major contributors to dose.
Release category WC-3 is a small steam generator leak which results
in fission product release to the reactor building through the primary
relief valve and subsequently to the atmosphere. Moisture monitors
successfully detect high moisture, initiating a reactor trip, HTS circu
lator trip, and steam generator isolation and dump. However, the steam
generator dump valves fail to open following steam generator isolation.
Depending on the location of the leak, a large portion of the steam gen
erator inventory can subsequently enter the primary system, with as much
as 2200 kg (4850 lbm) flashing to steam. A total ingress of 1090 kg
(2400 lbm) has been assumed. Primary system pressure continues to
increase, and the primary relief valve opens at approximately 13 h into
the transient and successfully reseats. The relief valve subsequently
remains closed due to termination of the ingress once the steam genera
tor inventory has been depleted. At the time of the relief, 20% of gas
eous fission products in failed fuel are released to the primary coolant
by hydrolysis, 0.33% of fission products sorbed in bulk moderator graph
ite are released by graphite oxidation, and small amounts of halogens
and noble gases are released from the fuel to the primary coolant due to
elevated temperatures. These activities, along with the initially cir
culating activity and the activity removed from surfaces due to SIVR,
are available for release with the primary coolant. Because of the dif
ference between the relief valve opening and closing setpoints, about
15% of the primary coolant and the fission products it contains at the
time of relief are released to the reactor building and subsequently to
D-62 DOE/HTGR-86-011/Rev. 3
the atmosphere. Table 0-16 presents the cumulative nuclide release to
the environment for the major contributors to dose.
Release category WC-2 is a moderate steam generator leak which
results in fission product release to the reactor building through the
primary relief valve and subsequently to the atmosphere. The release
category is identical to WC-6 with the exception that the primary relief
valve fails open. Two possible scenarios result in this release cate
gory. In the first, high-moisture levels are not detected by the mois
ture monitors. Reactor trip occurs within about 10 s on high power-to
flow ratio but moisture continues to enter the primary system. The
primary coolant pressure increases to the high pressure trip set point
in about 6 min, whereupon the PPIS initiates an HTS trip and steam gen
erator isolation. In the second possible scenario, the moisture moni
tors detect high moisture levels and respond as planned, to trip the
reactor and the HTS and to isolate the steam generator. However, the
steam generator dump valves fail to open. In both scenarios, operator
intervention within about 10 min succeeds in isolating the steam genera
tor, thus terminating the moisture ingress. Following the HTS trip, the
SCS fails to provide forced convection cooling and decay heat is subse
quently removed by conduction and radiation to the RCCS cooling panels.
A total of about 3000 kg (6600 lbm) of steam enters the primary system.
This ingress is sufficient to lift the primary relief valve. The valve
fails to reclose following a second relief. At the time of the final
relief (about 0.8 h), 6% of gaseous fission products in failed fuel are
released to the primary coolant by hydrolysis, and 0.16% of fission
products sorbed in bulk moderator graphite are released by graphite oxi
dation; the release from fuel due to elevated temperatures is insignifi
cant. These activities, along with the initially circulating activity
and the activity removed from surfaces due to steam-induced vaporization
and recirculation, are available for release with the primary coolant.
Primary coolant activity rapidly depressurizes through the open relief
valve into the reactor building, through the building dampers, and into
the atmosphere. The thermal transient prior to depressurization is like
0-63 OOE/HTGR-86-011/Rev. 3
a pressurized conduction cooldown, and afterwards, it is like a depres
surized conduction cooldown. Thermal expansion will transport some of
the fission products released during the slow thermal transient out of
the reactor vessel into the reactor building. These fission products
will be released slowly to the atmosphere via reactor building leakage,
and can be attenuated in the building due to radioactive decay,
settling, and plateout. Table D-16 presents the cumulative nuclide
release to the environment over the course of the accident for the major
contributors to dose.
Release category WC-1 is a small steam generator leak which results
in fission product release to the reactor building through the primary
relief valve and subsequently to the atmosphere. The category is iden
tical to WC-3 with the exception that the primary relief valve fails
open. A total ingress of 1090 kg (2400 lbm) has been assumed. Tempera
ture increases caused by the pressurized conduction cooldown and inven
tory increases caused by the reaction of steam· with graphite (one mole
of steam produces two moles gaseous reaction products) increase system
pressure to the relief valve setpoint. The valve opens at approximately
13 h, but fails to reseat, depressurizing the primary circuit inventory
into the reactor building, through the building dampers, and into the
atmosphere. The thermal transient prior to depressurization is like a
pressurized conduction cooldown; afterwards it is like a depressurized
conduction cooldown. Thermal expansion will transport some of the fis
sion products released during the slow thermal transient out of the
reactor vessel into the reactor building. These fission products will
be released slowly to the atmosphere via reactor building leakage, and
can be attenuated in the building due to radioactive decay, settling,
and plateout. Table D-16 presents the cumulative nuclide release to the
environment over the course of the accident for the major contributors
to dose.
D-64 DOE/HTGR-86-011/Rev. 3
The nominal dose consequence for each of the release categories
analyzed is presented in Table 0-17 for 30-day exposure at the EAB for
thyroid and whole body gamma doses.
0.4.3. Uncertainty Analysis
A method for assessing the uncertainties in consequence prediction
was developed in the AIPA safety assessment (Ref. 0-6). The method uses
simplified mathematical algorithms describing the consequence control
ling phenomena as functions of variables with uncertainties that affect
the dose consequence. The algorithms are simplified because they are
used in a Monte Carlo error propagation program which determines the
probability distribution for the dose by sampling the input variables.
Cumulative probability distributions of independent variables are
specified as input to the program. This section describes the algo
rithms used for the consequences from conduction cooldowns under wet
conditions.
The dose consequence equation for conduction cooldown accidents
is the same as Eq. 0-2 in Section 0.1.3. The X/Q distribution is also
the same one described in Section 0.1.3. The factor fj in Eq. 0-2
accounts for time-dependent attenuation due to buildup, decay, set
tling, plateout, and other processes and is determined as described in
Section 0.1.3. Also, as in Section 0.1.3, the uncertainties in dose
effectivities Ci'j are not considered.
The initial activity for nuclide j for accidents involving
conduction cooldowns has an uncertainty that is determined by the
uncertainty of its components according to the following:
0-65 OOE/HTGR-86-011/Rev. 3
TABLE 0-17 NOMINAL DOSE CONSEQUENCE AT THE EAB FOR CONDUCTION
COOLDOWNS UNDER WET CONDITIONS
Release Dose at EAB (Rem)
Category Whole Body 7 Thyroid Bone Lung
WC-1 6.1-03 2.4+00 1.9-01 3.4-01
WC-2 1.6-03 3.7-01 3.0-02 1.1-01
WC-3 2.3-04 9.6-02 1.2-03 3.2-03
WC-4 1.4-04 5.4-02 4.9-04 2.0-03
WC-5 8.0-04 4.7-02 2.4-03 4.6-03
WC-6 5.5-05 2.1-02 2.5-04 1.0-03
WC-7 3.9-05 2.4-03 3.4-04 5.2-04
0-66 DOE-HTGR-86-011/Rev. 3
where Qi,j - source term activity due to forced convection coo1down
under wet conditions (Eq. D-7),
fT,j = fractional release of nuclide j due to temperature
increase,
QF,j = fuel body inventory of nuclide j.
The uncertainty distribution on all terms is lognormal. The com
ponents of the source term activity due to forced convection coo1down
under wet conditions and their uncertainty factors are given in Sec
tion D.2.3. The fuel body inventory has an uncertainty factor that
varies from 1.01 to 2.13. The uncertainty factor in the fractional
release due to elevated temperatures is 1.2 for all nuclides.
The median, ninety-fifth percentile, and fifth percentile results
of the dose uncertainty analysis for thyroid and whole body gamma doses
for a 30-day exposure at the EAB are presented in Table D-18.
D.S. REFERENCES
D-1. GA Technologies Inc., proprietary data.
D-2. ~RATSAM, A Computer Program to Analyze the Transient Behavior of
the HTGR Primary Coolant System During Accidents," GA Report
GA-A1370S, May 1977.
D-3. Buckley, D. W., "TDAC: An Analytical Computer Program to Calcu
late the Time-Dependent Radiological Effects of Radionuc1ide
Release." GA Report GA-D13476, May 1976.
D-4. U.S. Nuclear Regulatory Commission (NRC), "Assumptions Used for
Evaluating the Potential Radiological Consequences of a Loss of
Coolant Accident for Pressurized Water Reactors," Regulatory
Guide 1.4, Revision 2. Washington, D.C., June 1974.
D-67 DOE/HTGR-86-011/Rev. 3
TABLE 0-18 DOSE UNCERTAINTY ANALYSIS AT THE EAB FOR FORCED
CONVECTION COOLDOWNS UNDER WET CONDITIONS
Doses at EAB (Rem)
Release Whole BodI 1 ThIroid
Category 5% Median 95% 5% Median 95%
WC-1 5.1-04 6.2-03 7.4-02 1. 7-01 2.4+00 3.4+01
WC-2 1.6-04 1.6-03 1.6-02 3.6-02 3.7-01 3.8+00
WC-3 1.9-05 2.3-04 2.7-03 6.7-03 9.6-02 1.4+00
WC-4 1.2-05 1.4-04 1. 7-03 3.8-03 5.4-02 7.7-01
WC-5 1.1-04 8.0-04 6.1-03 4.5-03 4.7-02 4.8-01
WC-6 5.5-06 5.5-05 5.6-04 2.1-03 2.1-02 2.2-01
WC-7 3.2-06 3.9-05 4.6-04 1. 7-04 2.4-03 3.5-02
0-68 DOE-HTGR-86-011/Rev. 3
D-5. u.s. Nuclear Regulatory Commission (NRC), "Preparation of
Environmental Reports for Nuclear Power Stations," Regulatory
Guide 4.2, Revision 2. Washington, D.C., July 1976.
D-6. Fleming, K. N., et a!., "HTGR Accident Initiation and Progression
Analysis Status Report - Phase II Risk Assessment," GA Report
GA-A15000, April 1978.
D-7. Slade, D. H., ed., Meteorology and Atomic Energy 1968, USAEC,
1968.
D-8. Barsell, A. W., et a!., "HTGR Accident Initiation and Progression
Analysis Status Report Volume VI. Event Consequences and Uncer
tainties Demonstrating Safety R&D Importance of Fission Product
Transport Mechanisms," GA Report GA-A13617, January 1976.
D-9. Peroomiam, M. B., A. W. Barsell, and J. C. Saeger, "OXIDE-3:
D-10.
D-11.
D-12.
D-13.
D-14.
D-15.
A Computer Code for Analysis of HTGR Steam or Air Ingress
Accidents," GA Report GA-A12493, 1974.
Skalyo, J. Jr., L. G. Epel, and C. Sastre, "An Analysis of the
Methods Utilized in OXIDE-3," BNL-NUREG-50810, April 1978.
GA Technologies Inc., unpublished data.
"TARGET Program Quarterly Progress Report for the Period Ending
May 31, 1965," GA Report GA-6418, June 1965.
"HTGR Base Program Quarterly Progress Report for the Period
Ending November 1971," GA Report GA-A10930, 1971.
GA Technologies, Inc., proprietary data.
"TAC2D - A General Purpose Two-Dimensional Heat Transfer Computer
Code," GA Report GA-A14032, July 1976.
D-16. Leach, C. E., and E. L. Kelley, Jr., HTAP-LOOP: A Stable Thermal
Analyzer Code for Thermal Analysis of Closed Hydraulic Systems,"
BNWL-1172, January 1970.
D-17. "SORS - Computer Program for Analyzing Fission Product Release
from HTGR Cores During Transient Temperature Excursions," GA
Report GA-A12462, April 1974.
D-69 DOE/HTGR-86-011/Rev. 3
en ICC = Q :c -IoU
~ ICC = en en IoU ICC a. IoU CI Q ... IoU :E i=
0.025 103
'0'
100
0.01
HT -001 (116)
0.254
LEAK SIZE (cm2)
2.54
WITHOUT HPS
WITH HPS
0.1 1
LEAK SIZE (IN.2)
25.4
10
Fig. 0-1. Time to depressurize the primary system as a function of primary coolant leak size
0-70 OOE/HTGR-86-011/Rev. 3
. UPPER CD -.. PLENUM
+1 TOP CD REFLECTOR
+2 CORE 0 +3
11 CD CORE
+4 CORE CD +5
® COOLANT BOnOM CD CHANNELS REFLECTOR
~ +6 CD
CD HOT 1 HOT I FINAL 1& PLENUM ... CROSS DUCT SUPERHEATER
11 +-LOWER ... 15 COLD @ INITIAL
PL.ENUMS CROSS DUCT SUPERHEATER @ @.
j ~ ~ + 14 + 10
® SCS CIRCULATOR @ EVAPORATOR INLET OUTLET ®
~ j ~
c c P 13 11
dr
20 SCS S/G ~ 12
OUTLET ANNULUS - ECONOMIZER @
HT-001(117) @ @
Fig. 0-2. RATSAM model used to determine shear stress distribution
0-71 OOE/HTGR-86-011/Rev. 3
'=' I ...., ,.,
'=' o l".I -~ ~ I co CJ\ I o I-' I-' -~ . w
PSEUDO SOURCE TERM VOL
HT -001(118)
* .. ,...
~
MHTGR REACTOR ..... FILTER ~ VESSEL BLDG ~- VOL VOL VOL ~ ....
~
FILTER --- FILTER VOL VOL
*TIME-DEPENDENT INPUT OF NUCLIDE ACTIVITY FROM VOLUME 1 TO VOLUME 2
.. FILTER -.. VOL !-
-
Fig. 0-3. TOAC model used to assess offsite dose at the EAB
ENVIRON· --. MENT ... (e.g. EAB)
LEAK SIZE (cm2)
0.025 0.25 2.5 25.4
~ 10-3
'" ~ w en = Q Q -= ~ > :: • WITH HPS t-
10-4
10-5 0.01 0.1 1 10
LEAK SIZE UN.2)
HT-001(119)
Fig. 0-4. Nominal thyroid dose at the EAB for primary coolant leaks
0-73 OOE/HTGR-86-011/Rev. 3
LEAK SIZE (cm2)
0.025 0.25 2.5 25.4 10-3 r---------.-------__ -----__
10-4
~ '" a: -Y.I CI)
10-5 c c c:J z = ...
10-6
10-7 ~_~_~~~_~_~~~~_~_~_L~~
0.01 0.1 1 10
LEAK SIZE (IN.2)
HT-001(120)
Fig. 0-5. Nominal lung dose at the EAB for primary coolant leaks
0-74 OOE/HTGR-86-011/Rev. 3
-~ w a: -w en CI CI w Z CI CD
0.025 10-3
10-4
10-5
10-6
LEAK SIZE (cm2)
0.25 2.5 25.4
10-7 ","-_..L-_..L--'-..I...I_--L_--L---'L....I.-'-_-'-_-'---L....J...L....I
0.01 OJ 1 10
LEAK SIZE (IN.2)
HT-001(121'
Fig. 0-6. Nominal bone dose at the EAB for primary coolant leaks
0-75 OOE/HTGR-86-011/Rev. 3
LEAK SIZE (cm2)
0.025 0.25 2.5 25.4
§" &A.I a::
10-4 -&A.I en Q Q
C[ WITH HPS :IE :IE II( c::I > Q Q III &A.I .... Q :: == 10-5
10-6
0.01 OJ 1 10
LEAK SIZE UN.2)
HT-001(122)
Fig. 0-7. Nominal whole body gamma dose at the EAB for primary coolant leaks
0-76 OOE/HTGR-86-011/Rev. 3
> t: .... a::I < a::I C a: A. w > i= < .... = :E = u
1
0.8
0.6
0.4
0.2
o 10-6
HT-001(123)
10-4
ATMOSPHERIC DISPERSION FACTOR SIM3
Fig. D-8. Probability distribution for the atmospheric dispersion factor used in uncertainty analysis of dose consequences
D-77 DOE/HTGR-86-011/Rev. 3
c I ....,
0)
c o tzJ -~ I 0) 0\ I o ..... ..... -~ . w
3000
2500
u:-c -w a:: ;:,
~ 2000 a:: w a. ::E w t-
1500
/ ..... , I "
" " ,~
MAXIMUM CORE ./ TEMPERATURE
/', /' '",-VERAGE CORE ___ _ ~EMPERATURE _____ _
1000 ' f
o 100 200 300 400 500 600 100 800 900
TIME PAST LOSS OF FORCED CIRCULATION HOURS HT -001 (124)
Fig. D-9. Thermal transient during a depressurized conduction cooldown
1000
TOP REFLECTOR RADIAL DIRECTION
16000C
z CI ~ ~ IoU a: 14000C CI ...I
:! ACTIVE CORE )( ct
10000C
600°C
BOTTOM REFLECTOR
HT-001(125)
Fig. D-10. Isotherm plot at 80 h during thernal transient due to depressurized conduction cooldown
D-79 DOE/HTGR-86-011/Rev. 3
t1 I co 0
t1 o tzJ -ei ~ I co 0\ I o .... .... -~ . w
3000
MAXIMUM CORE TEMPERATURE 2000
Li:' «!..... w a: =
...-.------------------- " ------"-"",..",,,.,. AVERAGE CORE TEMPERATURE .... ee a: w a.. ::E W ....
1000
o o 40 80 120 160 200
TIME (HOURS)
HT -001 (126)
Fig. D-11. Thermal transient during a pressurized conduction cooldown
o 200
150 ~
100 ~
TIME (DAY$)
5
I
10
I
1-132 ------------~ .. -------.. -----. , .
" 1 .... 131 • ___ ----------, .---------50 ~
" ~.----------------~
__ --J'" /
/1/· // .
.tf1II' J-133 .~
o o
HT-001(127)
//'-/ ~/'/ ,. TE-132
~--...... ---............ -.. -........ ---.. -... -.... -KR-88 I --r
50 100 150 200 250
TIME PAST REACTOR TRIP (HOURS)
Fig. D-12. Cumulative fission product release from core during pressurized conduction cooldown (DC-9)
D-S1 DQE-HTGR-S6-011/Rev. 3
o 200
150
100
50
o o
HT-001(128)
TIME ,11JA!I)'y :~;
5 ; 10
1-132 .' ~ •••• " •••••••• _ •• . -.,,~ ... ~ .. . ·t~·""·-..... ~.~ . • -. 1-133 , . • .. - .... ,_. __ .. __ ._ .. _ . ..... -- . .
,il,1· 1-1~t ' ", /-:l' ,
/:l~ - I ,~ 1/ -. /1
II -: • .:
TE:"'132 '. _-----------,- , --------~" ,," _._.~t!' KR"'88 ..... -... _--------- ..... -----------
50 " 150 :'l 200 250
TIME PAST REACTOR'TRIP (HOllRS)
Fig. 0-13 •. Cuma1:ative fission prpduct. release,·.frOJD core during a depressurized conductioJl" cooldown with small primary cool(ant leak (Oc.;.S ,. ~6; -7 ,.an.' -8~
OOE-HTGR-86-011/Rev. 3