DOE-HTGR-86-011, Rev. 3, Vol. 2, Supplement Probabilistic ... · PLANT RESPONSE AND SYSTEM RELIABILITY MODELS 7. ACCIDENT FREQUENCY ASSESSMENT 8. ACCIDENT CONSEQUENCES •• 9. RISK

DOE-HTGR-86-011 Revision 3 Volume 2

III1111111

GA PROPRIETARY SUPPLEMENT PROBABILISTIC RISK ASSESSMENT

FOR THE STANDARD MODULAR HIGH TEMPERATURE GAS-COOLED REACTOR

AUTHORS/CONTRACTORS

GA TECHNOLOGIES INC.

ISSUED BY GA TECHNOLOGIES INC. FOR THE DEPARTMENT OF ENERGY

CONTRACT DE-AC03-84SF11963

JANUARY 1987

GA PROPRIETARY INFORMATION

Document Control Desk

Department of Energy Washington, DC 20585

February 7, 1995

Project Number 672

U.S. Nuclear Regulatory Commission Mail Station PI-137 Washington, D.C. 20555

In the meeting between the Department of Energy (DOE) and the Nuclear Regulatory Commission (NRC) held September 29, 1994, the question was raised about the proprietary classification of Volume 2 of the Modular High Temperature Gas-Cooled Reactor (MHTGR) Probabilistic Risk Assessment (PRA).

Please note that in a May 21, 1991, letter from G. C. Bramblett to J. Donohew, it was reported that the proprietary information in Volume 2 had been released with unlimited rights to the U.S. government. For NRC purposes, this can be interpreted to mean that DOE no longer requests that the document be withheld from the Public Document Room under the provisions of 10 CFR 2.790.

However, as noted in that May 21, 1991, correspondence, the MHTGR PRA is still co"sidered Applied Technology and should be so protected.

Sincerely, ~-~

7---/ 4..e;~)~! John W. Herczeg _ Civilian Reactor Development Office of Nuclear Energy

• ~ --l-

Department of Energy Washington. DC 20585

Mr. Jack Donohew MHTGR Project Manager

February 8, 1995

Project No. 672

Advanced Reactor Project Directorate Associate Directorate for Advanced Reactors

and license Renewal Office of Nuciear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, D.C. 20555-0001

Dear Mr. Donohew:

In the May 26, 1993, letter from Mr. J. D. Griffith to Mr. D. M. Crutchfield, the Department of Energy committed to release the "Applied Technology" material associated with the preapplication review for the Standard Modular High Temperature Gas-Cooled Reactor in a timeframe to support the issuance of the Preapplication Safety Evaluation Report (PSER) by the Nuclear Regulatory Commission (NRC). It is our current understanding, based on our meeting with NRC personnel of September 29, 1994, that the PSER is to be completed by February 28, 1995.

We hereby authorize NRC to remove the RApplied TechnologyR distribution restriction and place the following reports into the NRC Public Document Room. These reports are titled RPreliminary Safety Information Document for the Standard Modular High Temperature Gas-Cooled ReactorR and RProbabi1istic Risk Assessment for the Standard Modular High Temperature Gas-Cooled Reactor." These documents are identified as follows:

HTGR-86-024, Volumes 1 through 6, and DOE-HTGR-86-011, Volumes 1 and 2

cc: R. M. Forsse11, GA R. R. Mills, POCO

Sincerely,

~//~'.I . I~/( :ye.~t~/r John W. Herczeg Civilian Reactor Development Office of Nuclear Energy

DOE-HTGR-86-011· . Revision 3 GA-C18718 Volume 2

CAUTION Do not publicly release this doet.ment.

This technical report is being transmitted in advance of DOE patent clearance and no further dissemination or publication shaH be made of the report without prior approval of the DOE Patent Counsel.

This document will be returned upon request or when no longer needed, unless notification has been received that this document has been cleared for release or publication.

GA PROPRIETARY SUPPLEMENT

PROBABILISTIC RISK ASSESSMENT FOR THE

STANDARD MODULAR HIGH TEMPERATURE

GAS-COOLED REACTOR

APPLIED TECHNOLOGY Any Further Distribution by any Holder of this Document or of Other Data Herein to Third Parties Representing Foreign Interests, Foreign Governments, Foreign Companies and Foreign Subsidiaries or Foreign Divisions of U.S. Companies Shall Be Approved by the Director, HTR Development Division, U.S. Department of Energy.

Issued By: GA Technologies Inc.

P.O. Box 85608 San Diego, California 92138·5608

DOE Contract No. DE-AC03-84SF11963

GA Project 6300

JANUARY 1987

j.-

"

<.-

LIST OF EFFECTIVE PAGES

Page Revision Date

Cover 3 1/87

iii 3 1/87

v through xii 3 1/87

xiii through xiv 3 1/87

B-1 through B-56 3 1/87

C-1 through C-93 3 1/87

D-1 through D-83 3 1/87

iii DOE-HTGR-86-011/Rev. 3

CONTENTS

VOLUME 1

1 • SUz..n1AR.Y...........

2. INTRODUCTION AND OBJECTIVES

3. PROBABILISTIC RISK ASSESSMENT METHODOLOGY.

4. PLANT DESCRIPTION • • • • • • • • • • •

5. IDENTIFICATION OF ACCIDENT INITIATORS

6. PLANT RESPONSE AND SYSTEM RELIABILITY MODELS

7. ACCIDENT FREQUENCY ASSESSMENT

8. ACCIDENT CONSEQUENCES ••

9. RISK ASSESSMENT RESULTS •

10. REQUESTED NRC RESPONSE

APPENDIX A: PRIMARY COOLANT LEAK FREQUENCY METHODOLOGY

VOLUME 2

LIST OF EFFECTIVE PAGES

! ABBREVIATIONS

B. PRA DATA BASE •

B.lo

B.2.

Introduction

Terminology

B.2.1. Failure Types.

B.2.2.

B.2.3.

B.2.4.

B.2.5.

Repair Time • •

Common Mode Failure •

Uncertainties • • • •

Operator Response Model •

B.3. Data Tabulation

B.4. References •••••

. . . . .

1-1

2-~

3-1

4-1

5-1

6-1

7-1

8~1

9-1

10.,.1

A-1

iii

xiii

B-1

B-1

B-2

B-2

B-2

B-3

B-3

B-4

B-5

B-53

v DOE-HTGR-86-011/Rev. 3

~fC~ EVENT TREE CONSTRUCTION AND QUANTIFICATION C-l

C-3

C-3

C-4

C-6

'\ 1: -.'

t.: - .

1. ~ .. '_.

... - ~ ...

, . L-- .. 1

.. ' -,,'

'. ~

C.l. Primary Coolant Leaks

C.l.l.

C.l.2.

C.l.3.

C.1.4.

C.l.s.

C.1.6.

C.l. 7.

C.l.8.

·C~2. Loss of

C.2.l.

C.2.2.

C.2.3.

C.2.4.

C.2.s •

C.2.6.

C.2.7.

C.2.8.

Primary Coolant Leak Occurs

Leak Size Distribution

Reactor Tripped with Control Rods • •

Reactor Shutdown Using' Reserve Shutdown Material • • • • • • • • • • • • • • • • C-8

Heat Transport System Cooling Maintained C-9

Cooling Provided by SCS • • • • • • • C-lO

Cooling Provided by RCCS • • • • • • • • • • C-ll

Primary Coolant Depressurized Through HPS C-l2

Main Loop Cooling • • • •

Loss of HTS Cooling

Reactor Tripped With Control Rods •

Reactor Shutdown Using Reserve Shutdown Material •••••

Cooling Provided by SCS • •

Cooling Provided by RCCS

C-l3

C-l4

C-l5

C-l5

C-l6

C-l8

Primary Coolant Depressurized Through HPS C-l9

Cooling Restored Prior to Excessive Vessel Temperature • • • • • • • • • • • • • • • • • C-20

Number of Modules Experiencing Event Sequence • • • • • • • • • • • • •• C-2l

C.3. Earthquake-Induced Failures C-22

C.3.l. Occurrence of Significant Earthquakes. • C-26

C.3.2. Seismic Intensity Range • • • • • • • • • • • C-27

C.3.3. Primary Coolant Boundary Remains Intact • C-28

C.3.4. Cooling Provided by HTS •••••

C.3.S. Reactor Tripped With Control Rods •

C.3.6. Reactor Shutdown Using Reserve Shutdown

C.3.7.

C.3.8.

C.3.9.

Control Equipment • • • • • •

Cooling Provided by SCS •

Cooling Provided by RCCS

Cooling Restore Prior to Excessive Vessel Temperature • • • • • • • . • • . . •

C.3.l0. Number of Modules Experiencing Event

C-29

C-30

C-32

C-33

C-34

C-35

Sequence" • • • • • • • • • • • • • • • • •• C-36

vi DOE-HTGR-86-0ll/Rev. 3

". :-"

C.7.S. Reactor Trip on High Pressure

C.7.6.

C.7.7.

C.7.8.

C.7.9.

Steam Generator Isolation • • •

Delayed Steam Generator Isolation

Steam Generator Dump Occurs • • • •

Steam Generator Pressure Response •

C.7.l0. Shutdown Cooling System Cooling Succeeds

C.7.ll. Cooling Provided by RCCS

C.7.l2. Primary Relief Train Response

C.8. Accidents Initiated by Moderate Steam Generator Leaks •••••••• • • • • • • • • •

C.8.l. Steam Generator Leak Frequency

C.8.2. Moisture Monitor Detection

C.8.3. Reactor Trip on High Moisture

C.8.4. Reactor Trip on High Pressure

C.8.s. Steam Generator Isolation • •

C.8.6. Delayed Steam Generator Isolation •

C.8.7. Steam Generator Dump Occurs •••

C.8.8. Steam Generator Pressure Response •

C.8.9. Shutdown Cooling System Cooling Succeeds

C.8.l0. Cooling Provided by RCCS

C.8.ll. Primary Relief Valve Response.

C.9. Uncertainty Treatment in Frequency Assessment

C.9.l. Uncertainties Considered

C.9.2. Uncertainty Distributions for Release Category Frequencies ••••

C. 10. References. • • • • • • • • • •

D. RELEASE CATEGORY DESCRIPTION AND DOSE QUANTIFICATION

D.1. Consequences from Forced Convection Cooldown Under

C-60

C-61

C-62

C-63

C-6S

C-6S

C-67

C-68

C-68

C-69

C-70

C-71

C-71

C-73

C-74

C-74

C-76

C-76

C-78

C-78

C-79

C-79

C-81

C-81

D-l

Dry Conditions • • • • • • • • • • • • • • • D-2

D.l.l. Data and Methods D-3

D.l.2. Fission Product Release and Dose Assessment

D.l.3. Uncertainty Analysis

viii

D-11

D-14

DOE-HTGR-86-011/Rev. 3

0.2. Consequences from Forced Convection Coo1down Under Wet Conditions • • • • • •

0.2.1. Oata and Methods

0.2.2. Fission Product Release and Oose Assessment

0.2.3. Uncertainty Analysis

0.3. Consequences from Conduction Coo1down Under Ory Conditions • • • • • • • • • • • • •




0.4. Consequences from Conduction Coo1down Under Wet Conditions • • • • • • • •




0.5. References • • • • •

FIGURES

B-1. Operator response model for the MHTGR •

C-1. Event tree for primary coolant

C-2. Event tree for loss of main loop cooling

C-3. Event tree for earthquake ••

C-4. MHTGR site seismicity curve •

C-5. Event tree for loss of offsite power

C-6.

C-7.

Event tree for ATWS

Event tree for control rod group withdrawal •

C-8. Event tree for small steam generator leak •

C-9. Event tree for moderate steam generator leak

0-1. Time to depressurize the primary system as a function of primary coolant leak size • • • • • • • • • • • •

0-2. RATSAM model used to determine shear stress distribution

0-3. TOAC model used to assess offsite dose at the EAB

0-19

0-21

0-27

0-33

0-36

0-36

0-43

0-48

0-51

0-51

0-57

0-65

0-67

B-56

C-85

C-86

C-87

C-88

C-89

C-90

C-91

C-92

C-93

0-71

0-72

0-73

ix OOE-HTGR-86-011/Rev. 3

FIGURES (Continued)

0-4. Nominal thyroid dose at the EAB for primary coolant leaks . . . . . . · . · · · · · · · · · · · · · · ·

0-5. Nominal lung dose at the EAB for primary coolant leaks

0-6. Nominal bone dose at the EAB for primary coolant leaks

0-7. Nominal Whole body gamma dose at the EAB for primary coolant leaks . . · . · · · · · · · · · · · · · · · · ·

0-8. Probability distribution for the atmospheric dispersion factor used in uncertainty analysis of dose consequences · . . . . . . . . . . . . . . . .

0-9. Thermal transient during a depressurized conduction coo ldo'WIl • • • • • • • • • • • • • • • • • • • •

D-10. Isotherm plot at 80 h during thermal transient due to depressurized conduction cooldown • • • • • • • •

0-11.

:0-13.

Thermal transient during a pressurized conduction coo ldo'Wrl • • • • • • • • • • • • • • • • • • • • •

Cumulative fission product release from core during pressurized conduction cooldown (OC-9) •••••••

Cumulative fission product release from core during a depressurized conduction cooldown with small primary coolant leak (OC-5, -6, -7, and -8) •••••••••

TABLES

B-1. Failure frequency and demand failure probability circulators, blowers, and fans •••••• • ••

B-2.

B-3.

B-4.

Failure frequency and exchangers

Failure frequency and

Failure frequency and and pressure vessels

demand failure probability heat

· · · · · · · · · · · · · · · · demand failure probability pumps

demand failure probability tanks

· · · · · · · · · · · · · · · ·

·

· B-5.

B-6.

B-7.

Failure frequency and demand failure probability piping

Failure frequency and demand failure probability valves

Failure frequency and demand failure probability diesel generator • • • •

B-8. Failure frequency and demand failure probability instrumentation • •• • • • • • • • • • • • •

B-9. Failure frequency and demand failure probability control

. .

systems ••••• · . . . . . . . . . . . . . . . . . .

0-74

0-75

0-76

0-77

0-78

0-79

0-80

0-81

0-82

0-83

B-6

B-8

B-13

B-15

B-16

B-17

B-20

B-21

B-22

x 00E-HTGR-86-011/Rev. 3

TABLES (Continued)

B-10. Failure frequency and demand failure probability plant service systems · · · · · · · · · · · · · · · · · · B-23

B-1!. Failure frequency and demand failure probability electric motors . · · · · · · · · · · · · · · · · · · · · · · · B-24

B-12. Failure frequency and demand failure probability transformers · · · · · · · · · · · · · · · · · · · B-25

B-13. Failure frequency and demand failure probability batteries · · · · · · · · · · · · · · · · · · · · · · · B-26

B-14. Failure frequency and demand failure probability electric conductors · · · · · · · · · · · · · · · · · · · B-27

B-15. Failure frequency and demand failure probability circuit breakers · · · · · · · · · · · · · · · · · · · · · · · B-28

B-16. Failure frequency and demand failure probability turbine plant . . · · · · · · · · · · · · · · · · · · · · · B-29

B-17. Failure frequency and demand failure probability other electrical components · · · · · · · · · · B-30

B-18. Repair times circulators, blowers, and fans · · · · · · B-31

B-19. Repair times heat exchangers B-33

B-20. Repair times pumps · · · · · · · · · · B-36

B-2!. Repair times tanks and pressure vessels · · · · · B-37

B-22. Repair times piping · · · · · · · · · B-38

B-23. Repair times valves · · · · · · · · · · · · · · B-39

B-24. Repair times diesel generators · · · · · · · · · B-41

B-25. Repair times instrumentation · · · · · · · · · · · · B-42

B-26. Repair times control systems · · · · B-43

B-27. Repair times plant service systems · · · · · · · · B-44

B-28. Repair times electric motors · · · · · B-45

B-29. Repair times transformers · · · · · · · · · · · · · · B-46

B-30. Repair times batteries · · · · B-47

B-3!. Repair times electric conductors . . . . . . . . . . . . . B-48

B-32. Repair times circuit breakers · · · · · · · · · · B-49

B-33. Repair times other electrical components · · · · B-50

B-34. Common mode failure factors · · · · · · · · B-S1

xi DOE-HTGR-86-011/Rev. 3

C-l.

C-2.

TABLES (Continued)

Assumed fragilities of key components • • • • • • •

Release category frequency uncertainty distribution parameters • • • • . . . • • • • • • • . . • .

0-1. Initial circulating and plateout inventories of nuclides that are major contributors to radiological consequences

C-24

C-82

of forced convection cooldowns under dry conditions • • 0-4

0-2. Constants in Eq. 0-1 for the excess percentage liftoff 0-6

0-3. Total percent liftoff for various leak sizes ••••• 0-8

0-4. Reactor building and site parameters 0-10

0-5. Cumulative release to environment in curies for forced convection cooldowns under dry conditions • • • • • 0-13

0-6. Nominal dose consequence at the EAB for forced convection cooldowns under dry conditions • • • • • • • • • • • • • • 0-15

0-7. Oose uncertainty analysis at the EAB for forced convection cooldown under dry conditions • • • • • • • • • • • • • • • 0-20

0-8. Initial circulating, plateout, and fuel body inventories of nuclides that are major contributors to radiological consequences of forced convection cooldowns under wet conditions •••••••••••••••• • • • • 0-26

0-9. Cumulative release to environment in curies for forced convection cooldowns under wet conditions • 0-32

0-10. Nominal dose consequence at the EAB for forced convection cooldowns under wet conditions •••••• • • • • • • • • 0-34

0-11. Oose uncertainty analysis at the EAB for forced convection cooldowns under wet conditions • • • • • • • • • • • • • • 0-37

0-12. Initial circulating, plateout, and fuel body inventories of nuclides that are major contributors to radiological consequences of conduction cooldown accidents • • • • • • • 0-41

0-13. Cumulative release to environment in curies for conduction cooldowns under dry conditions • • • • • • • • • • 0-45

0-14. Nominal dose consequence at the EAB for conduction cool-downs under dry conditions • • • • • • • • • • • • • • • • 0-49

0-15. Oose uncertainty analysis at the EAB for conduction cool-downs under dry conditions • • • • • • • • • • • 0-52

0-16. Cumulative release to environment in curies for conduction cooldowns under wet conditions . . . . . . . . . . 0-59

0-17. Nominal dose consequence at the EAB for conduction cool-downs under wet conditions ••• • • • • • • • • • • • • • 0-66

0-18. Oose uncertainty analysis at the EAB for forced convection cooldowns under wet conditions • • • • • • • • • • • • • • 0-68

xii OOE-HTGR-86-011/Rev. 3

AIPA

ATWS

BOP

EAB

ECS

EPZ

HPS

HTGR

HTS

LBE

LOSP

LWR.

MHTGR

NCSS

NRC

NSSS

OBE

PAG

PPIS

PRA

PSID

ABBREVIATIONS

accident initiation and program analysis

anticipated transients without scram

balance of plant

exclusion area boundary

energy conversion system

emergency planning zone

helium purification system

high-temperature gas-cooled reactor

heat transport system

licensing basis event

loss of normal station power

light water reactors

modular high-temperature gas-cooled reactor

neutron control subsystem

Nuclear Regulatory Commission

nuclear steam supply system

operating basis earthquake

protective action guides

plant protection instrumentation system

probabilistic risk assessment

preliminary safety information document

xiii DOE-HTGR-86-011/Rev. 3

RCCS

RPCWS

RSCE

RSCM

RSS

SCS

SCWS

SPS

SSE

SWS

TBCCWS

UPS

U.S.

reactor cavity cooling system

reactor plant cooling water subsystem

reserve shutdown control equipment

reserve shutdown control material

reserve shutdown system

shutdown cooling system

shutdown cooling water subsystem

safety protection subsystem

safe shutdown earthquake

service water subsystem

turbine building closed cooling water subsystem

uninterruptible power supply

United States

xiv DOE-HTGR-86-011/Rev. 3

BLANKPAGE

B.l. INTRODUCTION

APPENDIX B PRA DATA BASE

This appendix provides the reliability data base utilized in

assessing accident frequencies described in Section 7 and Appendix C

of this document. Event trees are employed to quantify the frequency

of accident sequences Which may result in an unplanned radionuclide

release. Event tree nodal probabilities, describing the probability

of failure of a given system or component, are derived from fault tree

analysis. The base reliability data used in the fault tree analyses are

presented here.

Many data sources were compiled from operating experience in LWR or

nonnuclear applications as well as from HTGR operating experience and

risk analyses. Depending upon the operating environment of a particular

component, the most appropriate reliability data available were used.

In reference to HTGR data, considerable work was accomplished in com

piling reliability estimates during the Accident Initiation and Program

Analysis (AIPA) (Ref. B-1) studies.

This appendix reflects a compilation of all identified applicable

data sources for the MHTGR PRA analysis. As such it represents the most

recent information believed to be available. The reliability data have

been arranged in tables and include

1. Failure modes for systems and component.

2. Failure frequencies (A, l/h).

3. Demand failures (Q, l/demand).

4. Repair times (7, h).

5. Common mode failure factors (P>.

B-1 DOE HTGR-86-0ll/Rev. 3

B.2. TERMINOLOGY

The intent of this section is to supply the reader with an explana

tion of terms and information provided in the reliability tables that

may not be readily apparent.

B.2.1. Failure TyPes (~ and Q)

There are two types of equipment failures shown in the reliability

data tables: operating failures and demand failures. For operating

failures, the failure frequency, ~, for a given component or system is

usually based on the number of failures observed divided by the number

of operating hours. This type of estimate is made When raw data are

available, the resulting failure frequency being given in failures/hour.

For demand failures, the failure frequency, q, for a system or component

is based on the total number of failures observed divided by the total

number of attempts to start, change state, or function.

B.2.2. Repair Time (T)

The time required to restore a failed system or component to normal

operating status is designated the repair time, T. The repair time may

include replacement, repair of the failed unit in place, or bypass of

the component While maintaining acceptable system performance. Because

of the wide range of repair possibilities and unknown elements such as

spare part availability, ease of access, possible decontamination pro

cedures, and repair crew availability, the tabulated repair times cover

a wide range of values and are associated only with the generic equip

ment. Selecting the appropriate value for repair time depends on the

particular situation being studied and should be assessed on a c~se by

case basis.

B-2 DOE HTGR-86-011/Rev. 3

B.2.3. Common Mode Failure cD Factor)

Essential functions or components within a system are frequently

duplicated in order to increase the system reliability. This method of

redundancy is used to ensure the proper function of an essential system

even if several component or functional failures within the system

occurred. Systems comprised of interconnected replicate components,

however, sometime experience a total loss of all functions as a result

of common mode failure. Common mode failures are usually not considered

random independent events within the system but as influences from out

side sources which are common to redundant components.

In order to quantify common mode failures for a system with paral

lel and redundant components, the p factor has been developed. The p factor is defined as the ratio of the common mode failure rate of all

similar redundant components in a system and the total failure rate for

a single one of those components.

B.2.4. Uncertainties

Reliability studies usually employ many input parameters and a

variety of models. These have uncertainties associated with them, some

of which may be in the range of an order of magnitude or more.

Some major factors contributing to uncertainties include,

(Ref. B-1):

1. Uncertainties exist in failure statistics for components that

have had little or no operating experience. This lack of

operating data is especially true for equipment peculiar to

the HTGR.


2. Failure statistics for equipment used in standby safety sys

tems are sparse, since the abnormal events for which the

systems are designed seldom, if ever, occur.

3. Failure statistics for various types of testing programs are

often used in lieu of actual use data. Uncertainties exist in

using this analog.

4. The models used to predict the probabilities may overlook some

of the system failure modes.

5. Uncertainties exist in the environment in which the systems

operate.

Lognormal distribution is mostly used in reliability studies for

representing the uncertainty distribution for equipment failure proba

bilities. It can be described by only two parameters, the median and

range, and is especially appropriate for parameters whose uncertainty

may be in order of magnitude or more. For this report a 90% range has

been selected, with the lower range end being the 5% bound and the upper

end the 95% bound. This definition is consistent with the WASH-1400

(Ref. B-3) study and says that there is a 90% probability that the data

points will lie within this range.

The tabulated reliability data are quoted at the lower 5%, median

and upper 95% values.

B.2.5. Operator Response Model

The operator response model chosen for the standard MaTGR reflects

cognitive rather than procedural error. The selected model is depicted

in Fig. B-1 which was extracted from Ref. B-6. The upper and lower


dashed lines are interpreted as lower fifth and upper ninety-fifth per

centile values, encompassing a 90% confidence band. The solid line is

interpreted as the median.

Several reasons contribute to the selection of a cognitive error

model:

1. Reliance on computer controlled systems during normal oper

ating conditions.

2. Reliance on passive safety systems during accident conditions.

3. Accident timing and operating systems are different from PWRs,

requiring a different operator response model.

B. 3. DATA TABULATION

The reliability data used in the PRA is presented in Tables B-1

through B-34. Tables B-1 through B-17 provide information pertaining

to system/component failure frequency and demand failure probability.

Tables B-18 through B-33 address system/component repair times, and

Table B-34 summarizes common mode failure factors for all redundant

systems/components considered. All tables follow a similar format. The

first column describes the system or component of interest, the second

column gives the failure mode under consideration, the adjacent columns

provide the reliability data, and the final column provides references.

For each piece of reliability data a lower bound (fifth percentile),

median (fiftieth percentile), and upper bound (ninety-fifth percentile)

value is given in the tables.

B-S DOE-HTGR-86-011/Rev. 3

System-Component Identification

Helium circulators -steam driven, water lubricated

Machine, drive, and lubrication

Power supply

b:I Control system

I 0\

Electric motor driven, oil lubricated

Machine, drive, and lubrication

t:' Power supply 0 tZJ I

:!1 Control system

~ I

00 Electric motor 0\ I driven, magnetic

0 .... bearings .... - Machine and drive i: 4 . w

TABLE B-1 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY

CIRCULATORS, BLOWERS, AND FANS

Failure Frequency, A Demand Failure Probability, Q (l/h) (l/Demand)

5th 95th 5th 95th Failure Mode Percentile Median Percentile Percentile Median Percentile

Fail to operate 1 x 10-5 3 x 10-5 9 x 10-5

Loss of steam 3 x 10-6 1 x 10-5 3 x 10-5


Out of limits 3 x 10-5 1 x 10-4 3 x 10-4

All-unit 1 x 10-4 3 x 10-4 9 x 10-4 malfunction


Loss of electric 1 x 10-5 3 x 10-5 9 x 10-5 power


Out of limits 1 x 10-5 1 x 10-4 3 x 10-4

Fan to operate 1 x 10-5 3 x 10-5 9 x 10-5

References

B-2

B-2

B-2

B-2

B-2

B-2

B-2

B-2

B-2

B-2

tilt I ...,

'=' o l".I I

~ C) ~ I

00 Q\ I o .... .... -~ . w

TABLE B-1 (Continued)

Failure Frequency, A Demand Failure Probability, Q (l/h) (1/Demand)

System-Component 5th 95th 5th 95th Identification Failure Mode Percentile Median Percentile Percentile Median Percentile References

Power supply Loss of electric 2 x 10-5 3 x 10-5 9 x 10-5 B-2 power

Control system Fail to operate 1 x 10-5 3 x 10-5 9 x 10-5 A-2

Magnetic bearings Fail to operate 1 x 10-5 3 x 10-5 9 x 10-5 (a)

Solid state control Fail to operate 3 x 10-7 1 x 10-6 1 x 10-5 B-2

Blowers/fans Fail to operate 2 x 10-6 5 x 10-6 1 x 10-4 3 x 10-4 1 x 10-3 3 x 10-3 B-2 (Q) B-5 (A)

(a)A study performed by Jamea Howden and Company Limited indicates that the mean time between failures is on the order of 3 x 104 h. The failure frequency is, therefore, on the order of 3 x 10-5/h as cited in Table B-1. An uncertainty factor of 2 was adopted as the ratio of the median to 5th and 95th percentile failure frequency values predicted upon data cited in Ref. B-21.

b:I ,I CO

t::1 o tz:I 1

~ ~ 1 co 0\ 1 o .... .... -~ ~ . w


HEAT EXCHANGERS

Failure Frequency, A (l/h)

Demand Failure Probability, Q (l/Demand)

5th 95th 5th 95th System-Component Identification FaUure Hode Percentile Hedian Percentile Percentile Hedian Percentile References

Steam generator

Heat exchangers -general

Feedwater heater

Cooler

Desuperheater

Condenser

Air blast heat

Deaerator

Auxiliary boiler

Tube leak (per 1 x 10-5 plant hour)

All 1 x 10-6

Flow restriction 1 x 10-6

Tube leak 3 x 10-6

All 1 ~ 10-6

All

Tube leak

Rapid loss of vacuum

1 x 10-6

2 x 10-6

1 x 10-6

5 x 10-5

3 x 10-5

1 x 10-5

1 x 10-5

3 x 10-6

1 x 10-5

6 x 10-6

1 x 10-5

Fail to operate 2 x 10-5 2 x 10-4

Failure of level 7 x 10-10 3 x 10-6

Fail to operate 1 x 10-6 3 x 10-5

FaU to deliver steam in T minutes

T 1/3 - 180

T 1 - 60

2 x 10-4

3 x 10-4

1 x 10-4

3 x 10-5

9 x 10-6

1 x 10-4

2 x 10-5

3 x 10-5

2 x 10-3

1 x 10-5

3 x 10-4

3 L 20

1 x 10-4

3 x 10-4

3 x 10-4 9 x 10-4

1 x 10-3 3 x 10-3

(a)

B-2

B-6

B-2

B-2

B-2

B-6

B-2

B-1

B-7

B-2

B-2

(a)The failure frequency for steam generator tubes is predicted upon an assessment performed by Combustion Engineering, Inc. The results of the assessment have been modified to account for a differing number of tubes, tube lengths, plant availability, and welds per tube in the HHTGR steam generator design. The derivation of the failure consists of:

1. Identification of steam generator tube failure modes •

2. Development of a failure mode data base.

tid I \0

'=' o tz:I I

~ ~ I co 0\ I o .... .... -i . w


The dominant steam generator tube failure modes identified area

1. Bimetallic weld failure.

2. Corrosion/erosion.

3. Defects in welds of similar metals.

4. Mechanical damage, fretting, and wear.

Data in support of the failure frequencies for each mode were gathered from experience' with coal plant boiler tubes, PWR steam generator tubes, and Peach Bottom I and Fort St. Vrain HTGR steam generators.

Results of the data search indicated a low frequency of failure for bimetallic welds in the HHTGR steam generator. The estimate was based on British experience with bimetallic welds between 2-1/4 Cr - 1 Mo and austenitic steel boiler tubes in their fossil-fired generating plants (Ref. 1-22). Weld failure occurs between dissimilar metals because of differences in thermal expansion coefficients and due to carbon diffusion across the ferritic/weld interface resulting in a decarburized zone in the ferritic steel. The Iritish experience indicated a cumulative failure fraction of about 0.0007 failures for nickel-based weldments of these two dissimilar metal boiler tubes over a 40-year plant lifetime. ApplJing this value to the 3S0 tubes per HHTGR steam generator provides a linear bimetallic weld failure rate of 6 x 10- /module year.

The data search for secondary water side corrosion and erosion of boiler tubes indicated that a much higher tube failure frequency due to this cause has been experienced in PWRs and coal plants (approximately 0.1 to O.S failures per reactor year in PWRs and 1.1 tube failures per plant year in coal plants). PWR tube leak data and coal plant tube leak data have been gathered from Refs. B-23 and 1-24, respectively. The fractional contribution of corrosion to total tube failures in PWRs was obtained from data in Refs. B-2S and 1-26. Strong arguments were made that HTGR secondary water chemistry would be better than the water chemistry in the coal plants and that the 2-1/4 Cr - 1 Mo and the Inconel 800H metals used in the HHTGR steam generator tubes were ~own to be more resistant to corrosion than materials used in the PWRs and coal plants. The lowest report fsilure frequency of 0.11 per reactor year in PWRs was therefore used as a basis for an upper bound HHTGR failure frequency estimate of 3 x 10-2/module year. The PWR data was for total tube failures reported in 1981. Of those failures, 90% were attributed to corrosion and erosion.

Steam generator tube failures due to defects in welds of similar metals at large coal plants were found to occur as frequently as 0.29 per boiler year (Ref. 1-24). The number of occurrences is dominated by the level of quality control in the shop and at the plant site. Assuming that the HHTGR steam generator tube welding will be accomplished entirely in the shop, the fractional contribution of field weld failure (approximately 60% for coal plants) is not considered. The resultant HHTGR steam generator tube failure frequency due to similar weld failure is estimated to be 5 x 10-2 /module year taking into account differences in total tube length and plant availability between the coal plant data and the MHTGR. Data regarding weld failure in PWRs is not applicable to the MHTGR because PWR steam generator tube welds are located in the tubesheets.

till I

...... o

t::1 o P:I I

~ ~ I

00 0\ I o ...... ...... -~ . w


Ho data was available on the frequency of wear shield failure. Wear shields were introduced in the Fort St. Vrain design to protect the steam generator tubes from fretting at the support plates. Fretting, but not failure, had been found with the Peach Bottom I steam generator tubes which did not have wear shields. It is predicted that approximately 12 to 18 months are required to fail a steam generator tube after wear shield failure. In the absence of data on wear shield failure, a PWR experience base (Refs. B-23, B-25, and B-26) has been suggested as a reasonable source for failure data for the HHTGR. Based on this PWR experience with mechanical damage, fretting, and wear, a failure rate of 4 x 10-3/module year has been suggested for the HHTGR steam generator tubes from these causes. The PWR data was for total tube failures reported in 1979. Of these failures, 3% were attributed to mechanical damage, fretting, and wear.

The total failure rate of HHTGR steam generator tubes based on the preceeding information is estimated to be approximately 0.09/module year. Since the plant design consists of four modules, the total failure frequency per plant year is approximated as 0.4.

The HHTGR failure frequency data for steam generator tubes was calculated through the use of a series of equations. Equation B-1 represents the total tube failure frequency which is the sum of the four identified contributors. Equations B-2 through B-5 provide the failure -frequency per module year for each identified failure mode. The equations used are as follows:

AT - ABW + AC/E + ASW + AHD,F+W

where ABW - bimetallic weld failure rate,

AC/E - corrosion/erosion failure rate,

Asw - similar weld failure rate,

AHD,F+W - mechanical damage, fretting, and wear failure rate.

HBW * F ABW - ---

where HBW - number of bimetallic welds per steam generator,

F - bimetallic weld cumulative failure fraction,

where

T plant design lifetime (years).

AC/E = Ltubes * A * Atubes C/E

Ltubes - number of tubes * length per tube,

A • availability (h/yr),

(B-1)

(B-2)

(B-3)

~ I .... ....

t:J o tzJ I

~ co 0\ I o .... .... -::0 ~ . w

where

where


Atubes C/E • tube failure rate due to corrosion/erosion (per tube foot per hour).

Asw • Ltubea * A * Atubes sw (B-4)

Ltube. • number of tubes * length per tube,


Atubes sw • tube failure rate due to failure of welds between similar materials (per tube foot per hour).

AHD,F+W • Ltubes * A * Atubes HD,F+W (B-5)

Ltubes • number of tubes * length per tube,


Atubes HD,F+W • tube failure rate due to mechanical damage, fretting, and wear (per tube foot per hour).

~ I .... N

t:1 o tzj I

~ ~ I co 0\ I o .... .... -~ . UJ


The HHTGR steam generator tube failure rates were quantified using the following data:

Nbw • 350 welds,

T • 40 yr,

A • (0.90) * (8760 h/yr) • 7884 h/yr,

Ltubes • (350 tubes) * (536.19 ft/tube) • 187,666.5 ft,

F • 0.0007,

Atubes C/E • 2 x 10-1l/tube ft-h,

Atubes SW • 3.4 x 10-11/tube ft-h,

Atubes HO,F+W • 2.7 x 10-12/tube ft-h.

The resultant median tube failure rate per plant hour for the HHTGR is 5 x 10-5• An uncertainty factor of 4 was used to determine the upper 95th and lower 5th percentile values predicted upon data cited in Ref. B-27.


PUHPS

Failure Frequency, A Demand Failure Probability, Q (l/h) (I/Demand)

System-Component 5th 95th 5th 95th Identification Failure Hode Percentile Hedian Percentile Percentile Hedian Percentile References

Pumps - general All 1 x 10-5 3 x 10-5 3 x 10-4 B-2

Electric motor driven Fail to operate 1 x 10-5 3 x 10-5 9 x 10-5 1 x 10-4 1 x 10-3 3 x 10-3 B-2

Fail to run 3 x 10-4 1 x 10-3 3 x 10-3 B-2 in extreme environment

Hechanical 5 x 10-6 1 x 10-5 4 x 10-5 (a) bI failure I

4 x 10-6 .... Control/local 1 x 10-5 4 x 10-5 (a) w electrical failure

Operator error 1 x 10-6 3 x 10-6 9 x 10-6 (a)

Fail to start 8 x 10-5 8 x 10-4 2 x 10-3 (a) from electrical

C failure 0

3 x 10-7 1 x 10-6 1 x 10-5 tzJ Circuit failure B-2 I ::t:

Intake blockage 1 x 10-6 1 x 10-5 1 x 10-4 B-6 t-:1

~ Steam turbine driven Fan to run 3 x 10-5 1 x 10-4 3 x 10-4 B-2 I 00

1 x 10-5 3 x 10-5 9 x 10,;-5 3 x 10-3 1 x 10-2 3 x 10-2 0\ Feedwater pumps Fail to operate B-2 I 0

Electric motor driven Loss of drive 3 x 10-6 1 x 10-5 3 x 10-5 B-2 .... .... - Loss of power 1 x 10-5 3 x 10-5 9 x 10-5 B-2 \::d ID supply < . w



System-Component 5th 95th 5th 95th Identification Failure Mode Percentile Median Percentile Percentile Median Percentile References

Steam turbine driven Loss of drive 1 x 10-5 3 x 10-5 9 x 10-5 B-2

Loss of power 1 x 10-5 3 x 10-5 9 x 10-5 B-2 supply

Low pressure Fail to run 3 x 10-6 1 x 10-5 3 x 10-5 B-2 feedwater pumps

Air ejector pumps Fail to run 1 x 10-6 3 x 10-6 9 x 10-6 B-2

Condensate pumps Fail to run 1 x 10-5 3 x 10-5 2 x 10-4 B-2 ~ I ~

~ (a)Total failure rate data has been taken from Ref. B-2. Contributions to the total failure rate by the various

t=' o tz:I I

ei ~ I

00 0\ I o ~ ~ -r: < . w

failure modes is taken from Ref. B-18.

t:I:I I ....

VI

o o tz:I I

~ ~ co (J\ I o .... .... -~ . w

System-Component Identification Failure Mode

Tsnks and pressure All vessel - general Disruptive

failure

Welds Leak

Flanges and closure Rupture

Gaskets Leak

Pressurizer Leak

Demineralizer Leak


TANKS AND PRESSURE VESSELS


5th 95th 5th 95th Percentile Median Percentile Percentile Median Percentile

1 x 10-9 1 x 10-8 3 x 10-8

(3 x 10-12 (I x 10-10 (3 x 10-9

3 x 10-8 3 x 10-7 3 x 10-6

3 x 10-10 3 x 10-9 3 x 10-8

3 x 10-7 3 x 10-6 9 x 10-6

3 x 10-7 1 x 10-6 3 x 10-6

1 x 10-9 1 x 10-8 3 x 10-8

(a)Failure frequencies are from Ref. B-2 generic vessel failure data.

References

B-2

B-2

B-2

B-2

B-2

B-6

(a)

tlIf , .... 0\

c o tzJ I

~ , co 0\ , o .... .... -f . w


Piping - general

TABLE B-S FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY

PIPING

5th



~~ nh ~~ Failure Mode Percentile Median Percentile Percentile Median Percentile References

All (per foot)

Fraction of disruptive failures

2 x 10-11

0.02

2 x 10-10 2 x 10-9

0.05 0.15

B-6

B-2


Valves - general

Hotor operated

Hotor operated modu-lating (includes valve operator)

tilt I .... ......

Air solenoid

Air solenoid modu-lating (includes valve operator)

0 0 P:I

Hanual I

~ ~ I Check co 0\ I

0 .... .... -~ < w Injection valve


VALVES

Failure Frequency, A Demand Failure Probability, Q (lIh) (l/Demand)

5th 95th 5th 95th FaUure Hode PercentUe Hedian Percentile Percentile Hedian Percentile

All 3 x 10-8 1 x 10-6 3 x 10-3

FaU to change 5 x 10-3 6 x 10-3 7 x 10-3 state

FaU to operate 2.4 x 10-6 2.6 x 10-6 2.9 x 10-6

External leak 6 x 10-8 1 x 10-7 2 x 10-7

Plugged 1 x 10-8 3 x 10-8 7 x 10-8

Rupture 1 x 10-10 1 x 10-8 3 x 10-7




Rupture 1 x 10-10 1 x 10-8 3 x 10-7

FaU to operate 2 x 10-5 6 x 10-5 1 x 10-4

Lesk externally 6 x 10-9 2 x 10-8 6 x 10-8


Reverse leak 2 x 10-7 5 x 10-7 2 x 10L6


Rupture 1 x 10-10 1 x 10-8 3 x 10-7

Control circuit 1 x 10-7 1 x 10-6 1 x 10-5 failure

References

B-8

B-9

B-9

B-9

B-9

B-2

B-9

B-9

B-9

B-2

B-9

B-9

B-9

B-2

B-2

B-2

B-6



System-Component 5th 95th 5th 95th Identification FaUure Hode Percentile Hedian Percentile Percentile Hedian Percentile References

Check valve FaU to operate 2 x 10-8 1 x 10-7 7 x 10-7 B-9 Hydraulic valve All 3 x 10-6 1 x 10-5 3 x 10-5 B-8 actuator

Pneumatic valve All 3 x 10-7 1 x 10-6 3 x 10-6 B-8 actuator

Relief (steam/water) FaU to open 1 x 10-5 1 x 10-4 1 x 10-3 B-6

Spurious/ 3 x 10-6 1 x 10-5 3 x 10-5 B-2

bt . premature open

I Fail to reclose 7 x 10-3 2 x 10-2 6 x 10-2 A-6 ~

00 1 x 10-5 1 x 10-4 1 x 10-3 Relief (helium) FaU to open A-2

Spurious/ 3 x 10-6 1 x 10-5 3 x 10-5 B-2 premature open

Fail to reclose 1 x 10-2 3 x 10-2 9 x 10-2 B-2

Hotor operated FaU to change 3 x 10-5 1 x 10-4 3 x 10-4 B-2 t=' helium isolation state 0 PJ ring valve (with 3 x 10-7 3 x 10-6 3 x 10-5 I Spurious B-2 II: redundant motors) ., operation fJ Bypass leak 3 x 10-7 3 x 10-6 3 x 10-5 B-2 I 00

1 x 10-4 3 x 10-4 9 x 10-4 0'1 Passive helium iso- FaU to change B-2 I 0 lation check valve state ~ ~ Spurious 1 x 10-7 1 x 10-6 1 x 10-5 B-2 -::tt operation ~ < 1 x 10-6 . Bypass leak 3 x 10-6 3 x 10_5 B-2 w

tlII I .... \0

~ o tz:I I

~ ~ I

CD 0\ I o .... .... -f . IJ,)

System-Component Identifieation

Orifiee flow valve (helium)

Failure Hode

External leakl rupture

TABLE 8-6 (Continued)

Failure Frequeney, A (l/h)

Demsnd Failure Probability, Q (l/Demend)

5th 95th 5th 95th Pereentile Hedian Pereentile Pereentile Hedian Pereentile Referenees

3 x 10-10 1 x 10-8 3 x 10-7 8-2

til' I N o

o o PI I

~ ~ I

00 0\ I o ...... ...... -~ . w

System-Component Identificstion

Diesel generator (single unit)


DIESEL GENERATOR



5th 95th 5th 95th FaUure Mode Percentile Median Percentile Percentile Median Percentile References

FaU to start and load on first try

Standby failures 1 x 10-5

FaU to run 1 x 10-5

3 x 10-5 9 x 10-5

8 x 10-5 3 x 10-4

3 x 10-3 3 x 10-2 6 x 10-2 B-3

B-I0

B-11


INSTRUMENTATION


System-Component 5th 95th 5th 95th Identification Failure Hode Percentile Hedian Percentile Percentile Hedian Percentile References

Instrumentation - All 1 x 10-7 1 x 10-6 1 x 10-5 B-6 general

Solid state Fail to operate 3 x 10-7 1 x 10-6 1 x 10-5 B-2 instrumentation No output 1 x 10-7 3 x 10-7 9 x 10-7 B-2

Calibration 1 x 10-5 3 x 10-5 9 x 10-5 B-2 shift

til' 1 x 10-6 3 x 10-6 9 x 10-6 I Signal modifier Fail to operate B-2

N .... Setpoint drift 1 x 10-6 3 x 10-6 9 x 10-6 B-12

•• utron flux •• n.or Fail to operate 3 x 10-7 1 x 10-6 4 x 10-6 B-7 (all ranges)

Pressure sensor F~il to operate 7 x 10-10 3 x 10-6 1 x 10-5 B-7

Temperature sensor Out of limits 1 x 10-5 3 x 10-5 9 x 10-5 B-2 t:1

Out of limits 1 x 10-5 3 x 10-5 9 x 10-5 0 Speed (tachometer) B-2 tz:I I sensor

tEl 1 x 10-4 3 x 10-4 9 x 10-4 I-i Hoisture monitor Out of limits B-2

~ sensors I

00 Position (level) Out of limits 1 x 10-5 3 x 10-5 9 x 10-5 0\ B-2

I sensor 0 .... 7 x 10-10 3 x 10-6 1 x 10-5 .... Flow and level sensor Fail to operate B-7 -::0 (using AP)

II) c: PPIS Fail to actuate 1 x 10-5 3 x 10-5 9 x 10-5 B-6 . w SCS


CONTROL SYSTEMS


System-Component 5th 95th 5th 95th Identification FaUure Mode PercentUe Median PercentUe PercentUe Median PercentUe References

Main ste.. pressure FaU to operate 3 x 10-6 1 x 10-5 3 x 10-5 B-2 control Drift 1 x 10-5 3 x 10-5 9 x 10-5 B-2

Regulating rod FaU to operate 3 x 10-6 1 x 10-5 3 x 10-5 B-2 control Drift 1 x 10-5 3 x 10-5 9 x 10-5 B-2

Plant protection Spurious signal 2 x 10-6 5 x 10-6 1 x 10-5 B-1 tlrI controls .te~inates feed-• water flow t-) t-)

Signal conditioning FaU to operate 5 x 10-8 4 x 10-6 2 x 10-5 B-7 system

Ste .. line radiation FaU to operate 2 x 10-6 6 x 10-6 1 x 10-5 B-7 monitoring

Pressure switch FaU to operate 2 x 10-11 1 x 10-6 6 x 10-6 3 x 10-6 1 x 10-5 3 x 10-5 B-6 (Q) t::I B-7 (A) 0

Turbine control Out of limits 1 Jt 10-5 3 x 10-5 9 x 10-5 tz:I B-2 • ei Condenser control Out of limits 3 x 10-7 1 x 10-6 3 x 10-6 B-2 fJ RSC! control FaU to operate 2 x 10-6 2 x 10-5 2 x 10-4 B-1 • Q:)

RSCE hopper FaU to operate 6 x 10-7 1 x 10-5 1 x 10-4 B-1 0\

• 0 Neutron control FaUure to 1 x 10-8 1 x 10-5 7 x 10-5 B-1 .... .... insert adequate -l:ItI number of con-CD trol rods < · w

~ I

N W

'=' o tzJ I

ei ~ I co 0\ I o .... .... -~ . w


Instrument air

Service water

Offslte power


PLANT SERVICE SYSTEMS

Failure Frequency, A Demand Failure Probability, Q

FaUure Hode

FaU to operate

FaU to operate

All

5th PercentUe

1 x 10-6

1 x 10-5

6 x 10-6

(l/h)

Hedlan

1 x 10-5

3 x 10-5

1 x 10-5

(l/Demand)

95th 5th 95th PercentUe PercentUe Hedian PercentUe

1 x 10-4

9 x 10-5

2 x 10-5

References

B-2

B-2

B-20

D:I I

N .e-

t:J o tz.I I

~ I 00 0\ I o .... .... -i . w


Electric motors and associated equipment


ELECTRIC MOTORS

Failure Mode

Fail to operate

Fail to run in extreme environment


5th 95th Percentile Median Percentile

3 x 10-6 1 x 10-5 3 x 10-5

3 x 10-4 1 x 10-3 3 x 10-3

Demand Failure Probability, Q (1/DemancU


1 x 10-4 3 x 10-4 9 x 10-4

References

B-3

B-3

tlI:I I N VI

c ~ I

~ ~ I

00 0\ I o ..... ..... -~ . w


Transformers -general

High voltage transformer

Low voltage transformer


TRANSFORMERS


5th 95th 5th 95th Failure Hode Percentile Hedian Percentile Percentile Hedian Percentile

All 3 x 10-7 1 x 10-6 3 x 10-6

Trip off Une 1 x 10-6 3 x 10-6 9 x 10-6

Trip off Une 3 x 10-7 1 x 10-6 1 x 10-5

Open/short 3 x 10-7 1 x 10-6 3 x 10-6 windings

Short to ground 3 x 10-7 1 x 10-6 3 x 10-6

References

B-6

B-2

B-2

B-2

B-2

till I ~ G\

g ls:I I

~ ~ I co G\ I o .... .... -~ . w


Batteries - general

Battery charger


BATTERIES


5th 95th 5th 95th Failure Mode Percentile Median Percentile Percentile Median Percentile

All 3 x 10-7 1 x 10-6 3 x 10-6

Low output 1 x 10-6 3 x 10-6 9 x 10-6 shortened

Voltage 1 x 10-6 3 x 10-6 9 x 10-6 regulation

All 3 x 10-7 1 x 10-6 3 x 10-6

References

B-6

B-3

B-2

B-16

tlII I

N .......

o o t%J I

~ ~ I co 0\ I o ..... ..... -\:d

~ . w


Electric conductor -general

Power cable (per 1000 ft circuit)

Signal wire (per 1000 ft circuit)


ELECTRIC CONDUCTORS

Failure Frequency, A Demand Failure Probability, Q (l/h) (1/Demand)

5th 95th 5th 95th Failure Hode Percentile Hedian Percentile Percentile Hedian Percentile

All 1 x 10-5 3 x 10-5 9 x 10-5

Open 3 x 10-7 1 x 10-6 1 x 10-5

Ground 1 x 10-7 3 x 10-7 9 x 10-7

Open 3 x 10-7 1 x 10-6 1 x 10-5

Ground 3 x 10-8 3 x 10-7 3 x 10-6

Short to power 1 x 10-9 1 x 10-8 1 x 10-7

References

B-2

B-2

B-2

B-2

B-2

B-2

til:! I

to.) 00

t:J o tzJ I

~ 00 0\ I o .... .... -~ . w


Circuit breaker -general

TABLE B-1S FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY

CIRCUIT BREAKERS

Failure Hode

Fail to change state

Premature transfer

Failure Frequency, A (1/h)

Sth 9Sth Percentile Hedian Percentile

3 x 10-1 1 x 10-6 3 x 10-6


Sth 9Sth Percentile Hedian Percentile

3 x 10-4 1 x 10-3 3 x 10-3

References

8-2

8-2

b:f I

N \0

o o PI I

~ ~ I

00 0-I o ..... ..... -~ w


Turbine - generator

Bypass valve

TABL~ B-16 FAILURE FREQUENCY AND DEMAND FAILURE PROBABILITY

TURBINE PLANT

Fanure Mode

Inadvertent trip

Fan to change state

5th


95th Percentile Median Percentile



0.03 0.1 0.3

3 x 10-4 1 x 10-3 3 x 10-3

References

A-20

B-1

." I ~ o

8 PJ I

~ ~ I 00 0\ I o .... .... -i . ~


Inverter

Feeder


OTHER ELECTRICAL COHPONENTS



5th 95th 5th 95th Failure Hode Percentile Hedian Percentile Percentile Hedian Percentile References

Fail to operate

Fail to operate

3 z 10-5

1 z 10-7 1 z 10-4

1 z 10-6 3 z 10-4

1 z 10-5

B-6

B-6

TABLE B-18 REPAIR TIMES

CIRCULATORS, BLOWERS, AND FANS

Repair Time, r (h)

System-Component 5th 95th Identification Failure Mode Percentile Median Percentile References

Helium circulators - steam driven, All - unit malfunction 2.0 120 1200 B-2 water lubricated

Machine, drive, and lubrication Fail to operate 2.0 250 1200 B-2

Power supply Loss of steam 1.0 37 300 B-2

Control system Fail to operate 1.0 7 70 B-2 bit Out of limits 1.0 1 10 B-2 I w .... Electric motor driven, oil All - unit malfunction 2.0 120 300 B-2

lubricated

Machine, drive, and lubrication Fail to operate 2.0 250 300 B-2

Power supply Loss of electric power 1.0 37 200 B-2

1:1 Control system Fail to operate 1.0 7 70 B-2 0 pj Out of limits 1.0 1 10 B-2 I ::II o-i Fail to start 1.0 7 150 B-2 ~ I Electric motor driven, magnetic 00 0\ bearings I 0 .... Machine and drive Fail to operate 50.0 130 348 (a) .... -l:I:I Power supply Loss of electric power 1.0 37 200 B-2 C1)

< . w


Repair Time, r (h)


Control system Fail to operate 1.0 37 200 B-2

Magnetic bearings Fail to operate 50.0 130 348 (b)

Solid state controller Fail to operate 0.25 6 70 B-2

Blowers/fans Fail to start 4.0 40 100 B-2

Fail to run 10.0 100 1000 B-5

~ (a)Repair time data is predicted on Ref. B-2 with an additional 48 h added to account for startup w N and shutdown of the plant.

o o P:I I

~ ~ I

co C\ I o I-' I-' -::0 ~ . w

(b)Repair time is assumed to be the same as for all failures where the entire circulator assembly is replaced by a spare unit and repaired ex-situ.

tld I

W W

~


Steam generator

Heat exchangers - general

Feedwater heater

Cooler

Desuperheater

Condenser

Air blast heat exchanger

Deaerator

~ Auxiliary boiler I

~ ~ I co 0\ I o ~ ~ -i . w


HEAT EXCHANGERS

Failure Mode

Tube leak

All

Tube leak

All

All

Tube leak

.Rapid loss of vacuum

Fail to start

Fail to run

Failure of level control

Fail to start

Fail to run

Fail to deliver steam in T minutes

Repair Time, T (h)

5th 95th Percentile Median Percentile References

30.0 180 7000 B-2(a)

4.0 100 6000 B-2

4.0 30 200 B-2

4.0 30 200 B-2

4.0 30 200 B-2

4.0 60 400 B-2

4.0 60 400 B-2

5.0 24 144 B-1

5.0 24 144 B-1

0.25 6 70 (b)

4.0 40 500 B-2

4.0 40 500 B-2

4.0 40 500 B-2

b:I I

lot ,t:o.

g tzJ I

~ I

00 CJ\ I o .... .... -!:tI ~ . lot


(a)Repair times for the 5th and 95th percentiles are from Ref. B-2. The median value for repair time is predicated on the data given below:

Type of assessment Corrective maintenance (tube plugging).

System

Subsystem

Component

Number

Method

Frequency

Approach

Access

Layout

Complexity

Equipment/tools

Radiation level

Heat transport.

Steam generator.

Tubes.

350 as built per module.

Identifying and plugging leak tubes

As required.

In the event of a tube failure, perform leak testing with module shutdown, to locate tube to be plugged. The tube is plugged at both ends. The plugs can be installed manually, which is efficient for small number of leaking tubes and acceptable radiation levels. For larger number of leaking tubes or high radiation levels, a remote automatic system with manual installation would be used.

Most likely remote controlled after manual installation of equipment in high radiation areas.

Steam generator tubes are accessible for plugging at two locations. One location is feedwater tubesheet region below tube bundle, the second location is steam tubesheet region above the tube bundle at the point where steam leaves vessel. Platforms required at access covers on both ends.

Location of tube-moderate. Plugging of tube-moderate.

Location of tube; remote positioner and templet, mass spectrometer, vacuum pump, tubing. Tube plugging; plug, remote positioner (possible), tube preparation and plug installation tools •

High near tubesheet. Low at access covers.

b:I I

W VI

o o P:I I

~ ~ I

00 0'1 I o ..... ..... -::d (\I

< . w

Human factors

Calendar time required

Average number of people


Adequate shielding and remote control equipment in high radiation field. Temperature.

7 to 8 days (includes setup and decontamination time).

8 maintenance personnel + 1 health physicist.

Other Design not developed to extent required for detailed assessment. Preliminary appraisal given. Very preliminary time estimate.

(b)Repair times are based on engineering judgment predicted upon Ref. B-2 data for generic equipment.

till I

W CJ\

~ I

~ I

00 CJ\ I o .... .... -i . w


Pumps - general

Electric motor driven

Steam turbine driven

Feedwater pumps - electric motor driven

Steam turbine driven

Low pressure feedwater pumps

Air ejector pumps

Condensate pumps


PUMPS

Failure Mode

All

Intake blockage

Fail to operate


Fail to run

Fail to operate

Loss of drive

Loss of power supply

Loss of drive

Loss of power supply

Fail to run

Fail to run

Fail to run

Repair Time, T (h)


4 40 400 B-2

6 300 1800 B-18

4 40 400 B-2

4 40 400 B-2

4 40 400 B-2

4 40 400 B-2

4 40 400 B-2

4 40 400 B-2

4 40 400 B-2

4 40 400 B-2

4 40 400 B-2

4 40 400 B-2

4 40 400 B-2

b:I I w .....

o o ~ I

System-Component Identification·

Tanks and pressure vessels - general

Welds

Flanges and closures

Gaskets

Pressurizer

Demineralizer


TANKS AND PRESSURE VESSELS

Repair Time, T (h)

5th 95th Failure Mode Percentile Median Percentile References

All 8 40 104 B-2

Disruptive failure 8 40 104 B-2

Leak 8 40 104 B-2

Rupture 8 40 104 B-2

Leak 8 40 104 B-2

Leak 8 40 104 (a)

Leak 8 40 104 (b)

~ (a)Repair time data is predicted on Ref. B-2 with an additional 48 h added to account for startup ~ ~ and shutdown of the plant. I

~ (b)Repair time is assumed to be the same as for major mechanical failures where the entire circulator I o assembly must be replaced. ~ ~ ~

~

~ . w

~ , w 00

t:J o tz:I , ei ~ , 00 0\ , o ..... ..... -5' . w


Piping - general


PIPING

Failure Mode

All (per foot)

Disruptive failure

Repair Time, T (h)


2 30 100 B-2

2 30 100 B-2


VALVES

Repair Time, T (h)


Valves - general All 3 100 3000 B-8

Motor operated Fail to change state 3 24 3000 B-2

Motor operated modulating (includes Fail to operate 3 24 3000 B-2 valve operator) External leak 3 24 3000 B-2

Plugged 3 24 3000 (a) tlIt I Rupture 3 24 3000 B-2 \oJ \0

Air solenoid Fail to change state 3 24 3000 B-2

Air solenoid modulating (includes Fail to operate 3 24 3000 (a) valve operator) External leak 3 24 3000 B-2

Rupture 3 24 3000 B-2 c 0 Manual Fail to operate 3 24 3000 B-2 l"J I

~ External leak 3 24 3000 B-2 ~ Check Fail to change state 3 24 3000 B-2 I co 0\ Reverse leak 3 24 3000 B-2 I 0 .... External leak 3 24 3000 B-2 .... -::G Rupture 3 24 3000 B-2 CD -< . \oJ


Hydraulic valve actuator

Pneumatic valve actuator

Relief (steam/water)

Motor operated helium isolation ring ~ valve (with redundant motors) I ~ o

Passive helium isolation check valve

o o Orifice flow valve (helium) M I

~


Failure Mode

All

All

Fail to open

Spurious/premature open

Fail to rec10se


Spurious operation

Bypass leak


Spurious operation

Bypass leak

External leak/rupture

Repair Time, T (h)


3 24 3000 B-8

3 100 3000 B-8

3 24 3000 B-2

3 24 3000 B-2

3 24 3000 B-2

2 100 1000 B-2

2 100 1000 B-2

2 100 1000 B-2

2 100 1000 B-2

2 100 1000 B-2

2 100 1000 B-2

3 24 3000 B-2

~ (a)Repair times are based on engineering judgment predicted upon Ref. B-2 data for generic equipment. I ~ 0\ I o ~ ~ ~

~

~ . w

tlIf I ~ ......

o o t%J I

~ ~ I

00 0\ I o ...... ...... -:;d ~

< w


Diesel generator (single unit)


DIESEL GENERATORS

Failure Mode

Fail to start and load on first try

Standby failures

Fail to run

Repair Time, r (h)


1 21 400 B-3

1 21 400 B-10

1 21 400 B-2

tlI:I I ~ N

tj o tSJ I

~ ~ I co 0\ I o ..... ..... -~ . w


Instrumentation - general

Solid state instrumentation

Signal modifier

Neutron flux sensor (all ranges)

Pressure sensor

Temperature sensor

Speed (tachometer) sensor

Moisture monitor sensors

Position (level) sensors

Flow and level sensors (using AP)


INSTRUMENTATION

Failure Mode

All

Fail to operate

No output

Calibration shift

Fail to operate

Setpoint drift

Fail to operate

Fail to operate

Out of limits

Out of limits

Out of limits

Out of limits

Fail to operate

Repair Time, r (h)


0.25 6 70 B-2

0.25 6 70 B-2

0.25 6 70 B-2

0.25 6 70 B-2

0.25 6 70 B-2

0.25 6 70 B-12

0.25 6 70 B-2

0.25 6 70 B-2

0.25 6 70 B-2

0.25 6 70 B-2

0.25 6 70 B-2

0.25 6 70 B-2

0.25 6 70 (a)

(a)Repair times are based on engineering judgment predicated upon Ref. B-2 data for generic equipment •

tld I ~ W

o o ~ I


Main steam pressure control

Regulating rod control

Plant protection controls

Signal conditioning system

Steamline radiation monitoring

Turbine control

Condenser control

Pressure switch


CONTROL SYSTEMS

Failure Mode

Fail to operate

Drift

Fail to operate

Drift

Spurious signal termi-nates feedwater flow

Fail to operate

Fail to operate

Out of limits

Out of limits

Fail to operate

Repair Time, T Ch>


1.0 7 70 B-2

1.0 7 70 B-2

1.0 7 70 B-2

1.0 7 70 B-2

0.25 6 70 Ca>

0.25 6 70 Ca>

0.25 6 70 Ca>

0.25 6 70 B-2

0.25 6 70 B-2

0.25 6 70 Ca>

~ ~ Ca)Repair times are based on engineering judgment predicated upon Ref. B-2 data for generic equipment. I ~ ~ I o ~ ~ --.

~ . w


Instrument air

Service water tlI:I

1 Offsite power .I:-

1::1 o tz:I I

~ ~ I

00 0\ I o ~ ~ -~ . w


PLANT SERVICE SYSTEMS

Failure Mode

Fail to operate

Fail to operate

All

Repair Time, T (h)


1 7.0 100.0 B-2

1 7.0 100.0 B-2

4 x 10-2 0.3 10.0 B-1

01 I ~ VI

1:1 o PI I

~ ~ I

co 0\ I o .... .... -~ . w


Electric motors and associated equipment


ELECTRIC MOTORS

Failure Mode

Fail to operate


Repair Time, T (h)


4 40 400 B-3

4 40 400 B-3

till I ~ CJ\

8 tz:I I

ei ~ I

00 CJ\ I o .... .... -i . to)


Transformers - general

High voltage transformer

Low voltage transformer

All

TABLE B-29 REPAIR TIMES TRANSFORMERS

Failure Mode

Trip off line

Trip off line

Open/short windings

Short to ground

Repair Time, T (h)


5 200 5000 B-2

5 200 5000 B-2

5 200 5000 B-2

5 200 5000 B-2

5 200 5000 B-2

tlII , ~ ......

t::I o pj , ::x: t-i

fJ , co 0\ , o ..... ..... -~ <: . w


Batteries - general

Battery charger

All


BATTERIES

Failure Mode

Low output shortened

Voltage regulation

All

Repair Time, r (h)


1 5 100 B-2

1 5 100 B-3

1 5 100 B-2

1 5 100 B-2

t:IIS I ~ 00

t:1 o t1l I

~ ~ I

00 0\ I o .... .... -~ . w


Electric conductor - general

Power cable (per 1000 ft circuit)


ELECTRIC CONDUCTORS

Failure Mode

All

Open

Ground

Signal wire (per 1000 ft circuit) Open

Ground

Short to power

Repair Time, T (h)


3 5 15 B-2

3 5 15 B-2

3 5 15 B-2

3 5 15 B-2

3 5 15 B-2

3 5 15 B-2

D:I I ~ \0

'=' o tI:J I

~ ~ 00 0\ I o 't:: -i . w


Circuit breaker - general


CIRCUIT BREAKERS

Failure Mode


Premature transfer

Repair Time, T (h)


1 6 3000 B-2

1 6 3000 B-2

"" , VI o

g tz:I , ei ~ , 00 0\ , o .... .... -~ . w

Inverter


TABLE B-33

REPAIR TIMES

OTHER ELECTRICAL COMPONENTS

Repair Time, T (h)

5th 95th Failure Mode Percentile Median Percentile References

Fail to operate 0.25 6 70 B-2

TABLE B-34 COHHON HODE FAILURE FACTORS

No. of Systems-Components Common Hode Failure Factor, p

Experiencing Total System-Component COIIIIIOn Hode System-Component 5th 95th Identification FaUure Hode FaUure Population PercentUe Hedian Percentile References

Condenser Leak 2 2 2 x 10-3 0.02 0.2 (a)

Feedwater heater Leak 2 2 2 x 10-3 0.02 0.2 (a)

Heat exchanger Flow 2 2 1 x 10-3 5 x 10-2 0.5 (b) restriction

DemineraUzer Leak 2 2 2 x 10-3 0.02 0.2 (a)

BOP piping Rupture 2 2 2 x 10-3 0.02 0.1 B-1 ~ Valves - motor operated FaU to change 2 2 0.1 0.2 0.3 B-17(c) I

\J1 block state 4 4 2 x 10-3 7 x 10-3 2 x 10-2 B-14 .... Hotor operated FaU to operate 3 3 4 x 10-3 2 x 10-2 5 x 10_2 B-14 modulating 2 2 0.05 0.09 0.1 B-14

Check Fail to operate 2 2 0.04 0.1 0.2 B-14 3 3 0.01 0.05 0.1 B-14

Reverse leakage 3 3 0.01 0.06 0.2 B-14 t::=' Turbine bypass valve FaU to change 2 2 0.1 0.2 0.3 B-17 (c) 0 t'II state I tIl Battery Low voltage 2 2 1 x 10-3 0.05 0.5 (b) ~

fJ Inverter FaU to operate 2 2 1 x 10-3 0.05 0.5 (b) I 00

Feeder Fail to operate 0\ 2 2 0.05 0.1 0.2 Cd) I

0 Circuit breaker Premature 4 4 0.05 0.1 0.2 B-16 .... .... - transfer 2 2 0.05 0.1 0.2 B-16 !;I::I Deaerator Low level 2 2 0.04 0.07 0.1 B-7 $ <: . w


Pump - general

Circuit breaker

Battery charger

Transformers

~ Diesel generator VI I')

Turbine/generator

Hagnetic bearings

FaUure Hode

FaU to operate

Fail to start

FaU to change state

Fail to operate

All

Fail to start

FaU to run

Trip

Fail to· operate


No. of Systems-Components

Experiencing Total Common Hode System-Component

FaUure PopUlation

2 2 3 3

2 2

2 2

8 8

2 2

2 2

2 2

2 2

4 4

Common Hode Failure Factor, p 5th 95th

PercentUe Hedian Percentile References

0.01 0.06 0.2 B-13 0.01 0.06 0.2 B-13

0.1 0.2 0.4 B-17(c)

0.05 0.1 0.2 B-16

1 x 10-3 0.05 0.5 (b)

1 x 10-3 5 x 10-2 0.5 (b)

5 x 10-3 1 x 10-2 3 x 10-2 B-16

1.8 x 10-2 2.2 x 10-2 2.3 x 10-2 B-ll

0.4 0.5 0.7 (e)

1 x 10-3 5 x 10-2 0.5 (b)

(a)Yaluea for condenser, feedwster heater, and demineralizer common mode failures have been assumed to be similar to ~ pipe rupture data cited in Ref. B-1. Upper and lower bounds were determined using an uncertainty factor of 10. o ~ (b)These are generic data taken from Ref. B-16.

~ (c)The 5th percentile value was estimated from the median and 95th percentile by assuming a lognormal distribution. C)

~ (d)Data has been assumed to be similar to that for circuit breakers.

~ (e)Based upon operational experience with the gas-cooled HAGNOX reactors of the Central Electricity Generating Board b (CEGB) in Ref. B-28. The methodology of Ref. B-19 was used to obtain the 5th and 95th percentile values • .... ....

. -.~ ~ . w

B.4. REFERENCES

B-l. Fleming, K. N., et a1., "HTGR Accident Initiation and Progres

sion Analysis Status Report - Phase II Asses~ment," GA Report

GA-A15000, April 1978.

B-2. Hannaman, G. W., "GCR Reliability Data Bank Status Report,"

GA Report GA-A14839, July 1978.

B-3. "Reactor Safety Study: Appendix III Failure Data, Appendix IV

Common Mode Failure," U.S. Nuclear Regulatory Commission Report

WASH-1400 (NUREG 75/104), October 1975.

B-4. "State of the Art of Solid-State Motor Controllers," NUREG/

CR-4180, September 1984.

B-5. "Nuclear Plant Reliability Data System (NPRDS) - 1980 Annual

Report of Cumulative System and Component Reliability,"

NUREG/CR-2232.

B-6. "Generic Data Base for Data and Models Chapter of the National

Reliability Evaluation Program (NREP) Guide," EG&G Idaho Report

EGG-EA-5887, June 1982.

B-7. "Common Cause Fault Rates for Instrumentation and Control

Assemblies," NUREG/CR-3289, May 1983.

B-8. "IEEE G~ide to the Collection and Presentation of Electrical,

Electronic, Sensing Component, and Mechanical Equipment Relia

bility Data for Nuclear-Power Generating Stations," IEEE

Std. 500-1984.

B-9. "Data Summaries of Licensee Event Reports of Valves at U.S.

Commercial Nuclear Power Plants," January 1976 through December

1980, NUREG/CR-1363, Revision 1, October 1982.

B-10. "Operating Units Status Report, Licensed Operating Reactors:

Data for Decision," Nuclear Regulatory Commission Monthly

Publications, NUREG-0020-1-12, 1976 (Gray Books).

B-11. "Common Cause Fault Rates for Diesel Generators: Estimates Based

on Licensee Event Reports at U.S. Commercial Nuclear Power

Plants, 1976-1978," NUREG/CR-2099, June 1982.

B-12. Melvin, J. G. and R. B. Maxwell, "Reliability/Maintainablity,"

Chalk River Nuclear Laboratories Report AECL-4607, January 1974 •

..


B-13. "Common Cause Fault Rates for Pumps, 1972-1980," NUREG/CR-2098,

February 1983.

B-14. "Common Cause Fault Rates for Valves, 1976-1980," NUREG/CR-2770,

February 1983.

B-1S. Edwards, G. T., and I. A. Was ton , "A Study of Common Mode

Failure," Safety and Reliability Directorate Report SRD R146,

UKAEA, July 1979.

B-16. "Seabrook Station Probabilistic Safety Assessment," Pickard,

Lowe, and Garrick, Inc., Report PLG-0300, December 1983.

B-17. "Synthesis of Experience Data for Risk Assessment and Design

Improvement of Gas-Cooled Reactors," GA Report GA-A14924,

Hay 1978.

B-18. DNuclear Plant Reliability Data System (NPRDS) 1979 Annual

Reports of Cumulative System and Component Reliability," South

west Research Institute, San Antonio, Texas, September 1980,

NUREG/CR-1635.

B-19. "HTGR Accident Initiation and Progression Analysis Status

Report - AIPA Risk Assessment Methodology," ERDA Report GA-A13617

Vol. II, October 1975.

B-20. "HTGR Accident Initiation and Progression Analysis Status

Report - Phase I Analyses and R&D Recommendations," ERDA Report

GA-A13617, Vol. IV, December 1975.

B-21. Humphreys, M., and B. K. Daniels, "How Do Electronic System

Failure Rate Prediction Compare With Field Experience?"

sas/GR/58, October 1982.

B-22. Nicholson, R. D., and A. T. Price, "Service Experience of

Nickel-Based Transition Joints, "Central Electricity Generating

Board, Great Britain.

B-23. Nuclear Power Experience, Petroleum Information Corporation.

B-24. National Electric Reliability Council (NERC).

B-25. Tatone, O. S., and R. S. Pathania, DSteam Generator Tube

Performance: Experience With Water-Cooled Nuclear Power Reactors

During 1978," Nuclear Safety. V. 21. 6, November-December 1980.

B-54 DOE-HTGR-86-011/Rev. 3

B-26. Tatone, O. S., and R. S. Pathonia, "Steam Generator Tube

Performance: Experience With Water-Cooled Nuclear Power Reactors

During 1979, AECL-7251, March 1981.

B-27. "Safety Risk Assessment of the HTGR Steam Cycle/Cogeneration

Plant," GA Report GA-A17000, May 1983.

B-28. Cave, L., R. S. Cow, and A. J. J. MacArthur, "Effects of Loss of

Grid Supply on U.K. Nuclear Power Stations," presented at

LlKAEA/JAPC/CEGB/SSEB Meeting, 1975.


10-1

> !:: -' ca 10-2 cC CD CI ~ A. ~

10-3 CI ~ ~ Y.I

Z < ~ 10-4 = :c

10-5

HT-001(106)

----------------, , -- , --- , -- \ --, , "- \ '\ '\

'\ , '\ '\ , ,

'\ '\ , '\ . ... . -----. . -----. , ------, , , , " ,

'\ '\

'\

'--, " --

102

TIME IN MINUTES

" 'OlIo 'OlIo -,

Fig. B-1. Operator response model form the MHTGR

" OlIo, --


APPENDIX C EVENT TREE CONSTRUCTION AND QUANTIFICATION

As discussed in Section 7, event trees were utilized to assess the

frequency of accidents contributing to plant risk. This appendix

details the manner in which event trees were constructed and quantified

for the risk assessment.

In this assessment, event trees were constructed and quantified for

each of the seven initiating events defined in Section 5. These

initiating events are

1. Primary coolant leaks.

2. Loss of main loop cooling.

3. Earthquakes.

4. Loss of offsite power with turbine trip.

5. Anticipated transients requiring scram.

6. Inadvertent control rod withdrawal.

7. Small and large steam generator leaks.

This set of initiating events were selected in Section 5 as covering the

dominant precursors to radiological release commensurate with the cur

rent stage of the MHTGR design. As such, they are believed to provide

adequate bases for meeting the objectives of this study as discussed in

Section 1. Utilizing the Section 6 discussions of plant response to

these initiating events and system reliability models, event trees were

constructed to depict various event sequences possible following each

initiator. Each event sequence's frequency was then assessed by evalu

ating the initiating event frequency and branch point conditional proba

bilities within an event tree using fault tree or other appropriate

methodologies as described in Section 3. Finally, the initiating event

C-1 DOE-HTGR-86-011/Rev. 3

frequency and subsequent event probabilities were statistically combined

to yield a frequency for each event tree sequence.

The component level data base used in the frequency assessment is

described in Appendix B. This data base includes component operating

failure rates, demand failure probabilities, common mode failure frac

tions, repair times, and uncertainty distributions. Appendix B also

contains the offsite power reliability and restoration model used in the

assessment. Appendix A contains the probabilistic failure models used

in predicting the failure rate and size distribution for primary coolant

leaks.

The technique used to quantify the uncertainty in frequency proba

bilities is the same as that used in the Reactor Safety Study (Ref. C-l)

and is known as the Monte Carlo method of error propagation. The method

consists of statistically combining the uncertainty distribution for

the input parameters associated with the fault tree evaluation using

Monte Carlo si~lation to arrive at an uncertainty distribution for the

top, event, or fault tree probability. In a similar manner, the various

event probability distributions, so generated, can be statistically com

bined to arrive at uncertainty distributions for the various event tree

sequence frequencies. With the use of the methods introduced earlier,

an algebraic expression is obtained relating the desired branch point

probabilities to the input parameters, e.g., failure rates, repair

times, and common mode parameters. Uncertainties in the input param

eters are considered by assigning an uncertainty distribution to each

parameter. This information is then input to the computer code STADIC-2

(Ref. C-2), which uses Monte Carlo simulation of the distributions to

generate an uncertainty distribution in the branch point probability as

well as the mean and median estimates for the accident sequence frequen

cies. Appendix C contains further discussion of the methods used to

quantify the uncertainties.


Each of the accident initiators are discussed with their corres

ponding event trees in Sections C.l through C.8. Sequential subsections

of Appendix C describe the manner that each tree's initiating event fre

quency, as well as branching probabilities of subsequent events, were

quantified. In cases where the median sequence frequency exceeded 10-8

per year and a radionuclide release occurred, the event sequence is

designated with an appropriate release category designation as shown on

the Appendix C event trees. Frequency distributions for event sequences

contributing to the same release category are then statistically summed

to determine the frequency distributions for the release category.

These category frequency distributions are listed in Section C.9.

C.l. PRIMARY COOLANT LEAKS

As an initiating event, primary coolant leaks are of interest for

several reasons. Because of the activity circulating with the primary

coolant or plated out around the primary coolant circuit, failure of the

primary coolant pressure boundary necessarily results in some, albeit

limited,release of radionuclides to the environment regardless of any

subsequent plant response. Additionally, if the leak is of sufficient

size, the damage to surrounding equipments resulting from the leak may

threaten the integrity of core cooling systems and allow for graphite

oxidation as a result of air ingress. Given that a leak occurs, various

possible plant responses which affect consequence determination are

possible. These various scenarios are depicted as event sequences in

Fig. C-l. In this section, the likelihood of these various scenarios or

event sequences occurring is discussed.

C.l.l. Primary Coolant Leak Occurs

The initiating event in Fig. C-l is a primary coolant leak that

engenders a module shutdown. Because the helium purification subsystem

is sized so that it can automatically maintain primary coolant pres

sure for leaks smaller than about 3 x 10-5 in.2, no shutdown would be

C-3 DOE-HTGR-86-0ll/Rev. 3

required. Therefore, this leak size is used in this assessment to dif

ferentiate between "normal leakage" and transients. Using this working

definition, only pressure boundary failures resulting in greater leak

sizes than this are included within the accident initiating event.

While simultaneous leaks in two or more of the independent modules are

theoretically possible, excluding the outside forces (both external

events and multiple module thermal transients) which are covered else

where, the likelihood of this is sufficiently small to be ignored here.

As shown in Fig. C-1, the median frequency of a leak larger than

3 x 10-5 in. 2 occurring in anyone of the four modules is assessed at

0.26 per year. This frequency was determined utilizing a probabilistic

model, which is described in Appendix A. The model divides the problem

into two parts:

1. The frequency at which a leak of any size occurs (event 1 of

Fig. C-1).

2. The conditional probability that the leak exceeds a particular

size, given a leak occurs (event 2 of Fig. C-1).

In the Appendix A model, the frequency at which a leak of any size

occurs is estimated based upon operating experience data, available

literature, and probabilistic fracture mechanic studies.

C.1.2. Leak Size Distribution

Given that a leak occurs, it may occur over a spectrum of sizes

ranging from the more likely leaks only somewhat larger than the 3 x

10-5 in. 2 threshold to large leaks such as a connecting pipe failure.

Based upon the probabilistic leak model described in Ref. C-3, the

largest leak having a significant probability of occurrence is failure

of the 13 in. 2 relief valve or its connecting pipe. Because plant

systems response and resulting offsite doses are dependent upon leak


size, it is convenient to divide up the event tree based on leak size.

Event 2 in Fig. C-l provides the relative probabilities of leak size

ranges:

1. 3 x 10-5 to 2 x 10-3 in. 2•

2. 2 x 10-3 to 3 x 10-2 in. 2•

3. 3 x 10-2 to 1 in. 2•

4. 1 to 13 in. 2•

As previously discussed, no module shutdown is required if the depres

surization area is less than 3 x 10-5 in. 2 because the HPS automatically

maintains primary coolant inventory.

For leak sizes between the threshold of 3 x 10-5 and 2 x 10-3 in.2,

no impact on the performance of other systems is predicted, and the

branch probabilities of subsequent events can be calculated independent

of the initiating event. Therefore, leaks in this size range are

grouped together.

If the leak size is greater than or equal to 2 x 10-3 in. 2 and is

located in the HTS circulator enclosure, it is estimated that the

resulting primary coolant depressurization may damage the circulator

wiring. Thus, there is a possibility that the initiating event causes

an HTS failure in the affected module by damaging the HTS circulator.

A leak size of greater than or equal to 2 x 10-3 in. 2 results in a

primary coolant egress rate in excess of the normal building leakage

rate causing the reactor building dampers to lift, increasing the build

ing leakage rate. Consequently, this leak size is important with

respect to reactor building response during the accident.

It is assessed that a break of 3 x 10-2 in. 2 located in the SCS

circulator enclosure is the critical leak size for SCS circulator damage

for that module. Hence, if such a primary coolant leak occurs in the


SCS circulator enclosure, the initiating event is assumed to incapaci

tate the SCS.

Leak sizes greater than 1 in. 2 are estimated to require less than

1 h for the primary coolant to depressurize. Because transferring

significant primary coolant to helium storage by pumping down through

the HPS before it leaks could not be accomplished in this time, HPS

pump downs do not appreciably alter the consequences from accidents due

to leaks greater than 1 in. 2 •

A 13-in. 2 break corresponds to a guillotine rupture of a primary

relief train line. Other possible contributors to this size range of

1 to 13 in. 2 are leaks due to bolted vessel closures and joints, welds,

etc., as discussed in Appendix A.

C.1.3. Reactor Tripped with Control Rods

Since the initiating event is a primary coolant leak large enough

to require a module shutdown, one of the first responses to the leak is

a reactor trip. The PPIS is designed to monitor for primary coolant

leaks. Upon sensing a low primary coolant pressure [less than 5800 kPa

(835 psia) as discussed in Section 6.1.1], the PPIS will initiate a

reactor shutdown by insertion of the outer control rods. Event 3

considers the probability of successfully accomplishing this normal

trip.

The probability that the module fails to trip independent of the

effects of the leak is based on the model developed in Ref. C-3 and dis

cussed briefly in Section C.5. The failure model includes malfunction

of the redundant channels, common mode failure of the control rod

drives, common mode failure of the scram contractors, or common mode

failure in the PPIS scram logic. While failure should properly be

defined as failure to insert sufficient control rods to achieve a hot

shutdown, the number of control rods required to achieve this varies


with operating history. As a simplifying assumption which does not

significantly impact results, failure to insert three or more control

rods (still leaving sufficient rods to achieve cold shutdown under most

conditions) is assumed to constitute a failure to trip.

The probability that the module fails to trip can also be dependent

on the primary coolant leak. Several mechanisms were identified by

which a leak might re~ult in dependent failures of systems or subsystems

important to events 3 through 6 of Fig. C-1. Three dominant mechanisms

were identified:

1. Pressure/pressure forces.

2. Heat.

3. Missiles.

They were not found to affect the failure probability for reactor trip

as discussed below.

In order to fail to have a reactor trip, the Neutron Control Sub

system must fail to insert control rods. A failure mechanism which

could prevent reactor trip involves a shearing of the control rod guide

assemblies in the upper plenum due to forces imposed on the guide assem

blies by helium flow out a hole in the reactor vessel head. However, it

is estimated that the hole size on the reactor head that is necessary to

prevent reactor trip by this mechanism is several orders of magnitude

larger than the largest sized hole assessed as having any reasonable

probability of occurrence.

Two other mechanisms having the potential to cause a dependent

failure to trip - heat and missiles - were also dismissed. The Neutron

Control Subsystem is immersed in stagnant helium inside the primary

coolant boundary. It would take a significant but undetermined amount

of time for hot helium leaking out through a Control Rod Drive Housing

to make inoperative the enclosed control elements. Furthermore, the


failure of a single rod or a pair of rods to go into the core does not

prevent a successful reactor trip. Each Control Rod Drive Housing also

protects its Neutron Control Subsystem from missiles. In addition, a

thermal barrier/gamma shield protects all lines to the housing from heat

and missiles. In any case, severing the electrical lines to a Control

Rod Drive Housing would result in the control rods dropping into the

core.

Thus, the failure probability for reactor trip is assessed as

independent of these three potential mechanisms by which the occurrence

of primary coolant leak may influence plant system and subsystem

performance.

C.l.4. Reactor Shutdown Using Reserve Shutdown Material

As described above, the MaTGR is designed to respond to a primary

coolant leak by shutting down the reactor with the control rods. How

ever, in the unlikely event that this normal trip does not occur a

secondary means of shutting down the reactor is automatically activated;

and the reserve shutdown material (boronated pellets) is dumped into the

core. In event 3, the operation of this secondary means of shutdown is

considered.

Three cases for consideration exist. If the control rod trip is

successful, as is the case in the top branch of Fig. C-l, then there is

no call for insertion of the reserve shutdown material and the event is

shown with a dotted line. In the second case where the normal trip has

failed, the probability of the RSCE being successfully inserted can be

calculated independent of the leak or normal trip failure.

Independent failures of the RSCE are modeled similar to failures in

the normal trip system and are discussed further in Section C.S.


C.1.5. Heat Transport System Cooling Maintained

Following reactor trip, shutdown core cooling must be provided

until either the primary coolant leak is repaired and the module is

returned to power operation or until decay heat levels are so low as to

no longer require operation of any of the MHTGR core cooling systems.

Event 5 considers the probability that cooling can be provided by the

HTS.

Two general categories of HTS failure are addressed in event 5:

1. Failure of the HTS to survive the initiating event.

2. Failure of the HTS to continue operating given that it has

survived the initiating event.

Leak-induced HTS failures were only found to have significant

impact on the failure probability for event 5 in the 2 x 10-3 to 3 x

10-2 in. 2 size range. As discussed in Section C.1.2, the conditional

probability of a leak this size occurring in the HTS circulator enclo

sure and damaging circulator wiring such that the HTS is unable to

remove decay heat has been considered.

The reliability model of core cooling provided by the HTS is

discussed in Section C.2 in some detail and is therefore not discussed

further here. The assessed probability that the HTS fails independently

of the initiating event is 0.17. This can be seen in Fig. C-1 for all

leak sizes where the probability of a leak-induced failure is negligible

(i.e., all cases except the 2 x 10-3 to 3 x 10-2 in. 2 size range). This

result is based on the HTS failure rate given in the next section and

assuming a two-month cooling mission time. That is to say, the module

is not returned to service (not repaired) before two months, but after

this time the fuel could be off loaded, if necessary.


C.1.6. Cooling Provided by SCS

If HTS cooling is lost in event 5, coolant flow can be restored by

either the PPIS or the operator starting the SCS. Event 6 considers

whether or not the SCS is successfully started, and if it is started,

whether it runs until HTS cooling is restored.

As in the case of HTS cooling considered in event 5, two categories

of SCS failure are addressed:

1. Failure of the SCS to survive the initiating event.

2. Failure of the SCS to successfully operate due to failures

independent of the leak, given that it survived the initiating

event.

As discussed in Section C.l.2, leak-induced SCS failures are

important if a leak greater than 3 x 10-2 in. 2 occurs in the right loca

tion of the SCS circulator enclosure. However, the probability of such

a leak causing SCS failure is assessed as much lower than other causes

of SCS failures. Hence, the failure probability for event 5 is domi

nated by the independent failure probability of the SCS.

This independent failure probability of the SCS is calculated

considering failure to start plus the probability that the SCS fails to

operate due to system failures independent of the leak. Using the

detailed failure model described in Section 6.2.2, the probability of

not successfully starting the SCS is calculated. These calculations of

probability are, of course, conditional probabilities contingent upon

the outcome of preceding events (specifically the loss of the HTS). The

analysis here is similar to that of Section C.2, where it is discussed

further.

Even after the SCS starts, event 6 is not judged as successful

unless SCS cooling is maintained until HTS cooling is restored. The


fault tree models of Section 6.2.2 are requantified to assess the run

ning reliability of the SCS, again conditioned upon prior events. These

system re1iabi1ities are expressed as probability densities, combined

with a complementary cumulative distribution function for HTS restora

tion and integrated over time. Consistent with the mission time assump

tion made for the HTS, it is assumed that the SCS must run long enough

so that the combined running time of the HTS and SCS is two months.

Taking the resultant probability that the SCS does not run and

combining it with'the probability that the SCS fails to start gives the

leak size independent probability for event 6. This combined failure

probability is assessed at 0.03 as shown in Fig. C-l.

C.l.7. Cooling Provided by RCCS

Should both HTS and SCS cooling fail, the MHTGR is capable of

rejecting shutdown heat loads by conduction, localized convection, and

radiation to the reactor vessel wall where radiation and convection

carry the heat to the air-cooled Reactor Cavity Cooling System (RCCS)

panels. In event 7, the probability that the RCCS is successful in

providing cooling is considered.

Success of the RCCS is defined as the system continuing to operate

until either of the following conditions exist:

1. One of the two forced core cooling modes is restored (main

loop cooling or the SCS).

2. Decay heat levels are sufficiently low so that a subsequent

loss of cooling would not lead to temperatures threatening

vessel integrity. It is estimated that approximately 38,000 h

of cooling by any combination of HTS/SCS/RCCS is sufficient

time for decay heat to decrease below levels that could

C-ll DOE-HTGR-86-011/Rev. 3

produce excessive vessel temperatures should all three heat

removal systems become subsequently unavailable.

Since the system is continuously operating during normal operation of

the plant, no change of state or other equivalent to a "failure to

start" exists. Furthermore, as discussed in Section 6.2.5, no meteoro

logical or operating conditions outside of those associated with major

disruptive events have been identified which could preclude RCCS oper

ation. Only failures involving the extremely unlikely major structural

collapse of the safety-related RCCS have been identified as capable of

causing RCCS flow blockage. As an estimate of this very low failure

probability, 1 x 10-6 per module has been assigned to the independent

failure probability for event 7.

C.1.8. Primary Coolant Depressurized Through HPS

The design response of the MHTGR to a primary coolant leak is for

the PPIS to automatically initiate an intentional vessel depressuriza

tion through the BPS on low primary coolant pressure and high reactor

building radiation. By pumping some primary coolant to the helium stor

age bottles, the amount of circulating and lifted-off activity released

can be reduced. Event 8 considers whether this pumpdown is successful.

As discussed in Section 6.1.1.1, when the effective leak area is

greater than 1 in.2, the pump down rate is ineffective. Therefore, there

are no branches under the pumpdown event in Fig. C-1 for leak sizes

greater than 1 in. 2•

The HPS unavailability and failure to operate probability are

computed taking into account the common support dependencies between the

HPS and the systems which provide HTS cooling and SCS cooling (i.e.,

electric power and service water systems).


As an example of these common dependencies, loss of electric power

is an HPS failure mode. Consequently, the pumpdown failure probability

is conditionally dependent upon whether the HTS and SCS function suc

cessfully or fail. Therefore, if the HTS operates during the first

30 h following the reactor trip, then the probability that the HPS is

deprived of power during its mission time is zero because the HTS and

HPS are both connected to the nonessential distribution system, and the

intentional depressurization time is 30 h or less. However, if the

HTS fails during the first 30 h, even if the SCS operates successfully,

there is a chance that the pumpdown fails due to a loss of power because

the HPS (unlike the SCS) is not connected to the backup electrical sys

tem. These dependencies are reflected in the different failure proba

bilities assessed for the pump down top event, as a function of the

status of HTS and SCS cooling. The analysis also considers manual

actuation of the pumpdown in the event the automatic start signals fail.

The fault tree analysis for evaluation of the pumpdown event is

described more fully in Section 6.2.3.

C.2. LOSS OF MAIN LOOP COOLING

The loss of main loop cooling is initiated by equipment failures

within the plant which preclude continued operation of the HTS in one or

more modules. As.an initiating event, the loss of main loop forced cir

culation core cooling is of interest as a challenge to the function of

removing core heat and consequently a potential precursor to the incre

mental releases from fuel as discussed in Section 5 (see Fig. 5-1).

Given that such an event occurs, various possible MHTGR responses

resulting in differing alternative cooling modes are possible. These

various scenarios are depicted as event sequences in Fig. C-2. In this

section, the likelihood of these various scenarios or event sequences

occurring is discussed.


C.2.1. Loss of HTS Cooling

As shown in Fig. C-2, the assessed median frequency of event 1, a

loss of HTS cooling, is 2.6 per plant year. The fault tree analysis

used in this quantification is described in considerable detail in Sec

tion 6.2.1. Failures which render the HTS inoperative include not only

failures of equipment within the HTS but also failures of equipment in

the balance of plant (BOP) that are needed for ultimate heat rejection

(e.g., feedwater, condensate, and circulating water systems) as well as

failures in important support systems (e.g., service water, electrical

distribution).

In the fault tree evaluation, distinction is made between those

failures that would affect only one reactor module and those failures

which would impact HTS cooling in all four modules. While failure of

HTS cooling in two or three modules is also possible, system configura

tion in the MHTGR is such that this is considerably less likely. Gen

erally, failures in the individual module's HTS are localized to that

module; whereas BOP failures capable of preventing HTS cooling affect

all four modules. Approximately 80% of the HTS failures included in

event 1 are of the single module type, while the remaining 20% result

in a loss of HTS cooling to all four modules.

There are two general categories of failures which can also pre

clude continued HTS operation but are not included within this initiat

ing event. These are the external events, such as earthquakes or loss

of offsite power and certain in-plant equipment failures (steam gener

ator leaks), which can place additional challenges on the plant beyond

just interrupted forced cooling and also, in the case of external

events, may have a significant impact on system independence modeling.

Because of this, the plant response to these initiators is more

conveniently described with separate fault trees.


C.2.2. Reactor Tripped With Control Rods

Immediately following a loss of HTS cooling, the PPIS is designed

to sense the condition and shut down the reactor by inserting the outer

set of control rods. This reduction in power is performed to assure

that the generated core heat more nearly matches the heat removal capa

bilities of the alternative cooling modes available. Event 2 considers

the probability of successfully accomplishing this.

Normally, a control rod trip would be expected to be triggered by

the main loop trip. However, several other diverse means of sensing the

loss of main loop cooling and triggering the control rod insertion are

available. These include the redundant sensor channels monitoring neu

tron flux to helium mass flow, steam generator inlet temperature and

primary coolant pressure. Beyond failure of the sensor channels, a

failure to trip might result from common mode failure of the control rod

drives, common mode failure of the scram contractors, or common mode

failure in the PPIS scram logic. As seen in Fig. C-2, the PPIS and rod

control equipments are assessed as having a high reliability, and the

probability of them suffering the requisite common mode failures to

preclude shutdown with the control rods is low.

C.2.3. Reactor Shutdown Using Reserve Shutdown Material

As described above, the MHTGR is designed to respond to a loss of

HTS cooling by shutting down the reactor with the control rods. How

ever, in the unlikely event this normal trip does not occur, a secondary

means of shutting down the reactor is automatically actuated, and the

reserve shutdown material (boronated pellets) is dumped into the core.

In event 3, the operation of this secondary means of shutdown is

considered.

Two cases for consideration exist. If the control rod trip is

successful, as is the case in the top branch of Fig. C-2, then there is

C-1S DOE-HTGR-86-011/Rev. 3

no need for insertion of the reserve shutdown material, and the event is

shown with a dotted line. In the less probable case where the normal

trip has not succeeded, a demand for the RSCE exists, and the event

branch point presents the likelihood of success or failure. This secon

dary shutdown can be triggered, after a 30-s delay, either by high neu

tron flux to circulator speed ratio or high primary coolant pressure.

Besides multiple failures of these independent sensor channels, failure

of automatic insertion of RSCE material could be caused by failure of

the PPIS, common mode failure of several RSCE hoppers or failure of the

Class 1E 120 V ac UPS or 125 V dc. In the case of the ac power failure,

the operator may still manually actuate the RSCE.


The mismatch between generated heat and heat removal following

the loss of HTS cooling is dealt with in t~ ways simultaneously by the

PPIS. In addition to reducing heat generation by initiating a reactor

shutdown (events 2 and 3), the PPIS also attempts to restore coolant

flow by starting the SCS. Event 4 considers whether or not the SCS is

successfully started, and if it is started, whether it runs until HTS

cooling is restored.

Depending uPQn the number of modules losing HTS cooling, a demand

for between one and four SCS loops is made. Using the detailed failure

model described in Section 6.2.2, the probability of not successfully

starting all the required loops is calculated. These calculations of


the outcome of preceding events (specifically the loss of the HTS). For

example, several of the HTS failure modes included in event 1 and lead

ing to loss of cooling in four modules are systems whose failure would

also preclude operation of or reduce the redundancy within the SCS.

These systems include plant service water, 4160 to 480 V ac distribution

and the Class 1E 120 V ac UPS. Thus, if only one module has lost cool

ing and HTS cooling in the three other modules continues, the failure


probability of one SCS to start up can be calculated by directly quanti

fying the SCS fault tree from the data base. In contrast, if four mod

ules have lost cooling, then the likelihood that these various common

systems were the cause of the initial failure must be considered in

evaluating the SCS fault tree. The results of these two calculations

can then be combined appropriately, accounting for the relative frac

tions of HTS failures that involve multiple versus single module fail

ures. The impact of these common dependencies between the HTS and SCS

is to limit the probability of success for the SCS.





system reliabilities are expressed as probability densities, combined

with a complementary cumulative distribution function for HTS restora

tion and integrated over time. The probability that one or more SCS

loops fail to run for the required time is added to the probability that

they fail to start as the total failure probability for event 4. Note

that the probability of event 4 in the lower portion of Fig. C-2 corres

ponds to a sequence in which the control rod trip has failed in a single

module; whereas in the upper portion of the event tree, multiple module

cases are considered. The probability of the control rod trip failing

in more than one module was found negligible.

While the Beta Factor Method is employed in describing common mode

failures between like SCS components within a given module, independence

is assumed from module to module except where explicit common failure

modes are identified in the model of Section 6 (e.g., the common elec

trical power and cooling water loops).


C.2.5. Cooling Provided by ReCS




carry the heat to the air-cooled RCeS panels. In event 5, the proba

bility that the RCCS is successful in providing cooling is considered.


until either of the following conditions exist:




loss of cooling would not lead to excessive vessel tempera-

tures.



start" exists. For any given module, failure of the RCCS requires that

something happen to preclude continued operation of all four of the

initially operating, passive, and redundant natural draft loops.

As discussed in Section 6.2.5, no meteorological or operating con

ditions have been identified which could preclude RCCS operation. Only

failures involving the extremely unlikely major structural collapse of

the safety-related RCCS have been identified as capable of causing Rces

flow blockage. In the lower portion of Fig. C-2, in which a single

module has experienced a failure to trip with control rods, the event 5

branching probability reflects the assessed failure probability of a

single RCCS (1 x 10-6). In contrast, the upper portion of the figure

includes multiple module demands upon the RCCS and the probability of

one RCCS failure in several modules is seen to be somewhat higher.


C.2.6. Primary Coolant Depressurized Through HPS

The unique design of the MHTGR allows that even if all three

engineered cooling systems fail, including not only the forced circula

tion main and SCS cooling loops but also the passive and redundant RCCS,

core heat loss to the surrounding environment is sufficient to limit the

core temperature transient and prevents large-scale fuel failure. In

fact, the maximum fuel temperatures during conduction coo1down are not

strongly affected by Whether or not RCCS cooling is available. However,

under these conditions (i.e., loss of all three cooling systems), the

reactor vessel may experience wall temperatures significantly in excess

of its design limit, depending upon the history of prior cooling. Dur

ing such an accident, it is expected that the operator would initiate

action to depressurize the primary coolant system so as to reduce the

stress experienced by the overheated vessel. Such a depressurization is

routinely performed prior to refueling or certain maintainence activi

ties and is accomplished by pumping down the primary coolant inventory

through the HPS and to the helium storage bottles. Event 6 in Fig. C-2

considers the likelihood that such a pumpdown is successful given

failures of the HTS, SCS, and RCCS.

A fault tree depicting the failure model for pump down through the

HPS is shown and discussed in Section 6.2.3. In the quantification of

event 6, this model is conditionally evaluated dependent" upon prior

occurrences in the event sequence.

As shown in the model, pumpdown can be either manually or auto

matically initiated. However, since the automatic PPIS startup is

intended to mitigate releases due to primary coolant leaks, the primary

coolant pressure low setpoint for pump down startup would not be effec

tive in this accident. Therefore, the initiation of pumpdown is depen

dent upon operator intervention. From Appendix B, the probability of

the operator failing to take corrective action within the first several

hours available to start the pumpdown is 0.001.


If only one of the four modules has experienced a loss of cooling,

none of the support systems common to the HTS and HPS fail. Thus, HPS

pump down failure is independent of the HTS failure. Neglecting initia

tion, such an independent failure is assessed as having a probability of

about 0.001. On the other hand, possible failure modes for cooling loss

in four modules include failures in Reactor Plant Cooling Water (RPCWS),

Plant Service Water (SWS), or normal in-house electrical power. These

systems are common to both forced cooling systems and the HPS. Thus,

given a failure in four loops, the conditional probability that the HPS

does not operate is increased to 0.35. Combining the conditional

probabilities appropriately leads to a median probability for failure in

event 6 of approximately 0.07.

C.2.7. Cooling Restored Prior to Excessive Vessel Temperature

Whether or not the primary coolant pressure is successfully

reduced, vessel side wall temperatures begin to rise when all three

cooling systems are lost. If allowed to rise high enough, the integrity

of the vessel is uncertain. However, the large core heat capacity, the

core power density, and heat dissipation to the environment assure that

this heatup is very slow. Therefore, there are days to weeks (depending

upon the initial temperatures and prior cooling history) to restore

cooling before an excessive vessel temperature is reached. Event 7

considers the probabiiity that cooling is restored prior to the vessel

experiencing such excessive temperatures.

Restoration of cooling with either the HTS, the SCS, or the RCCS

is sufficient to arrest the vessel wall temperature transient. Since

the SCS and HTS repair times are estimated as much shorter than the RCCS

repair time, only HTS and SCS restoration are considered in event 7.

For the event sequences in which the primary coolant pressure is

successfully relieved through the HPS, reactor vessel loads consist of

the weight associated with vessel support and the weight of the core.


These loads are very small compared to the design load at pressure.

Therefore, no failure is expected as a result of strength loss until

temperatures are significantly in excess of the design temperature. For

the assessment, excessive vessel temperature has been estimated to be

760°C (1400oF), at which point the material undergoes a phase change.

It should be noted, however, that while no detailed analysis has been

performed to predict temperature-induced vessel failure, scoping calcu

lations suggest that the vessel may remain intact even at temperatures

much higher than 760°C (1400oF). Analyses of conduction cooldown with

out the RCCS show that the time available for restoration of either the

HTS or SCS prior to reaching this temperature is at least 95 h.

For the conduction cooldown event sequences without the RCCS and

where pumpdown through the HPS is unsuccessful, the primary coolant

remains at pressure and the reactor vessel is under considerably higher

stress than in the depressurized case. Under such conditions, it is not

expected that the vessel could survive the high temperatures (and the

resultant strength loss) described above. For the pressurized assess

ment, a temperature of 4BOoC (900°F) has been defined as excessive. The

time available for repair before this temperature is reached is 50 h.

C.2.B. Number of MOdules Experiencing Event Sequence

The final branch point in Fig. C-2 depicts the number of modules

experiencing the event sequence. For instance, on the uppermost branch

of the event tree can be seen the 20% to BO% split described in Sec

tion C.2.1 of single versus multiple HTS failures given that an HTS

failure has occurred. Further down the tree, if SCS cooling has not

C-21 DOE-HTGR-B6-011/Rev. 3

been successful one, two, three, or four SCS loops may have failed to

operate. The relative probabilities of these four SCS failure possi

bilities are shown.

In the lower branches of the tree involving failure of the RCCS and

failure to trip with the outer control rods, only one module is likely

to experience the event sequence since these systems are designed as

independent between modules. The disruptive external events which would

have the potential to defeat this independence are not postulated in

this event tree.

C.3. EARTHQUAKE-INDUCED FAILURES

The equipment damage produced by the vibrations during an earth

quake causes seismic events to be the most important class of external

events because it (1) simultaneously challenges redundant equipment in

each of the modules; and (2) poses one of the few potential risks to

passive equipment. The radiological risk from seismic events is never

theless limited because severe earthquakes with intensities sufficient

to damage key systems and structures are very unlikely, and only a few

components are required to function in any case. Plant response follow

ing a seismic event is dependent upon the fragility of structures, sys

tems, and components and upon the magnitude of the earthquake as shown

in Fig. C-3.

In performing the seismic analysis of the conceptual MHTGR design,

several preliminary assumptions are necessary. First, it is necessary

to assume site seismicity characteristics. Since the standard MHTGR is

not designed for a specific site, site parameters have been selected to

envelop the characteristics of approximately 85% of reactor sites and

potential reactor sites in the_U.S. as discussed in Section C.3.1. For

seismicity purposes, a safe shutdown earthquake (SSE) of 0.3 g has been


selected as the basis for the design of structures, systems, and compo

nents required to meet lOCFRlOO dose limits. All other equipment and

structures are designed to ANSI AS8.l Zone 3 specifications.

Secondly, assumptions must be made regarding the fragility of

the plant. As noted in Ref. C-6, seismic-induced failure data is not

generally available for a specific plant. Since only a very limited

accounting for plant specific variations of the conceptual design can be

made, it was assumed that the plant will be constructed in a manner com

parable to existing Light Water Reactors (LWRs). Thus, available data

was reviewed; and after accounting for differences between LWR and MHTGR

designs, representative equipment and structure fragilities were

selected.

The median fragilities and concomitant uncertainty parameters used

in this analysis are summarized in Table C-l. Components included in

this analysis were selected by reviewing Chapter 6 system diagrams and

fault trees in conjunction with fragility data in Refs. C-4, C-6, C-7,

and C-8. The fragility of each system was calculated based upon only

those components with the lowest fragilities (i.e., the "key component

fragilities" in Table C-l). Furthermore, only one component in a group

of similar components was included in the assessment of a system's fra

gility. In many instances, the lack of detailed design information

resulted in a typical value being assumed for a piece of equipment

and/or a structure's fragility (e.g., buildings, pumps, feedwater

heaters). A more extensive list of component fragilities was felt

unwarranted, considering the status of the standard MHTGR conceptual

design.

The fragility data in the literature is developed primarily from

analysis and engineering judgement supported by limited test data. Such

fragility estimates contain considerable uncertainty, which is usually

represented by two factors in the literature. One factor accounts for

the random variability in a particular earthquake's characteristics, and


TABLE C-1 ASSUMED FRAGILITIES OF KEY COMPONENTS

System and Component

Building (general)

Pumps (general)

Feedwater heaters (general)

Steam generator

Supports

Piping

Piping supports

Valves (general)

Service water

HX

Pumps

Piping

Piping supports

Building

Reactor

Reactor pressure vessel supports

Control rod drives

Control rod guide tubes

Reserve shutdown channels

Reactor Cavity Cooling System

RCCS

Reactor Building

Electrical

120 V ac distribution panels -Chatter Permanent damage

Inverters

125 V dc buses -Chatter Permanent damage

Batteries and racks

Peak Acceleration (g)

Reference

C-4

C-6

C-6

C-6, C-7, C-8

C-6, C-7, C-8

C-6, C-7, C-8

C-6, C-7, C-8

C-6, C-7, C-8

C-6, C-7, C-8

C-6, C-7, C-8

C-6, C-7, C-8

C-4

C-7

C-6, C-7, C-8

C-13(a)

C-13(a)

C-4

C-4

C-6 C-6 C-6

C-6 C-7

C-6

5th

0.92

0.8

0.8

1.5

2.2

1.7

1.5

0.8

0.8

3.0

1.7

0.92

50th

1.5

1.0

1.0

2.0

3.0

2.2

2.2

1.0

1.0

4.2

2.2

1.5

1.0 1.7

1.7 2.0

0.5. 2.1

0.5 2.1

1.3

1.9

0.32 0.64 1.7

0.32 1.3

0.51

2.0

2.5

0.6 1.2 2.7

0.6 2.0

1.0

95th

2.4

1.2

1.2

2.5

3.8

2.7

3.0

1.2

1.2

5.4

2.7

2.4

2.9

2.3

9.9

9.9

3.0

3.4

1.1 2.2 4.4

1.1 3.1

2.0


TABLE C-1 (Continued)

Peak Acceleration (g)

System and Component Reference 5th 50th

Non-class IE

Switchgear - Chatter C-6 0.40 0.72 Permanent damage C-6 0.80 1.4

Diesels C-7 0.92 1.5 Diesel oil tanks and anchor C-7 0.55 1.0 Transformer C-6 0.72 1.4 Motor control center C-6 0.8 1.4 4160 buses C-7 0.22 0.40 Switchyard C-7 0.22 0.40

Offsite :eower - Ceramic insulator C-6 0.15 0.20

(a) Based upon experimental data in conjunction with preliminary calculations as explained in Section C.3.5.

95th

1.3 2.6

2.5 1.7 2.7 2.6 0.73 0.73

0.28


the second factor accounts for uncertainty in measuring a particular

component's seismic response. The first factor was included in this

assessment by assuming the random variability follows a logarithmic

relationship in which the median values listed in Table C-l correspond

to peak ground accelerations causing 50% of the components to fail. The

second factor is included by utilizing a Monte Carlo selection process

from each component's fragility uncertainty distribution, whose param

eters are also listed in Table C-l.

Component fragilities were statistically combined with the proba

bility of a particular ground acceleration to estimate plant system

response following an earthquake. The likelihood of event sequences

corresponding to different plant responses is discussed in this section.

The results, summarized in Fig. C-3, were obtained for one module. How

ever, since the earthquake affects all four modules similarly, these

results have been assumed to apply to all four modules. System

responses shown in Fig. C-3 represent not only the failure probability

due to an earthquake, but also the probability of failure independent

of the earthquake. Each system's independent failure probability was

obtained using results from the main loop cooling event tree (Sec-

tion C. 2).

C.3.1. Occurrence of Significant Earthquakes

Event 1 of Fig. C-3 corresponds to the occurrence of earthquakes

with seismic intensity greater than 0.06 g. Since seismographic data

demonstrate that the ground is in constant motion, a 0.06 g de1iminator

has been introduced to differentiate between "earthquakes" a~d normal

seismic background in which no damage to typical commercial or

residential structures is expected.

To obtain the frequency at which earthquakes with intensities above

0.06 g occur, it was necessary to define a seismicity curve of a site

with characteristics corresponding to the design requirements of the


MHTGR reference site. Results from Ref. C-4 indicate that Watt's Bar

seismicity characteristics are representative of an actual plant site

which corresponds to the MHTGR design requirement that the standard

plans be "certified in accordance with NRC requirements over a range of

conditions that envelop approximately 85% of domestic U.S. sites"

(Ref. C-5). Seismicity data for the Watt's Bar site, which has a SSE of

0.25 g, was used to construct the MHTGR site seismicity curve shown in

Fig. C-4. This seismicity curve indicates that the frequency of earth

quakes having an intensity above 0.06 g is 5.6 x 10-3 per plant year.

There is an unavoidable conservatism in using the site seismicity

curve depicted in Fig. C-4 since it does not completely account for

attenuation effects which limit the maximum ground accelerations occur

ring. For mechanical reasons, it is felt that there is a maximum accel

eration attainable, although the scatter in available data indicates

unusually high ground accelerations are possible at low frequencies.

Hence, it is felt that seismic hazard curves are only valid down to fre

quencies of 10-5 per year. The stringent MHTGR design goal (Ref. C-5)

requires, however, that accidents with frequencies several orders of

magnitude below 10-5 per year be considered. Although the validity of

data obtained by extrapolating a seismicity curve to such low fre

quencies may be questionable, it is necessary for calculations in this

assessment.

C.3.2. Seismic Intensity Range

Given that an earthquake of significant intensity occurs (greater

than 0.06 g), it may occur over a spectrum of ground accelerations rang

ing from the more likely earthquakes only slightly larger than the

0.06 g threshold described above to severe earthquakes of intensity much

higher than the plant site SSE. Because plant system response is highly

dependent upon the earthquake intensity, it is convenient to divide up

the event tree based upon earthquake intensity.


Event 2 in Fig. C-3 provides the relative probabilities of four

earthquake intensity ranges:

1. 6 x 10-2 to 0.2 g.

2. 0.2 to 0.4 g.

3. 0.4 to 0.8 g.

4. 0.8 to 2.0 g.

These intensity ranges were selected because seismic activity contrib

utes negligibly to plant component failure probabilities when the ground

acceleration is below 0.2 g. Preliminary studies, based upon informa

tion in Refs. C-6 and C-7, disclose that above approximately 0.2 g, main

loop cooling may be disrupted due to spurious signals (chatter from

electrical system equipment. Earthquakes are not, however, expected to

impact the RCCS or control system reliability at intensities below

0.8 g.

C.3.3. Primary Coolant Boundary Remains Intact

Event 3 in Fig. C-3 considers whether the primary coolant boundary

remains intact following an earthquake. As discussed in Section C.1,

primary coolant release is important because of the potential to release

the limited amount of activity circulating with the primary coolant and

plated out upon primary circuit surfaces. In addition, the plant

response following an earthquake will vary depending upon whether

the reactor is pressurized or depressurized.

The literature was reviewed to assess the fragility of equipment

which guarantees the primary coolant boundary remains intact. It was

found that piping is generally predicted to be capable of withstanding

peak ground accelerations in excess of 2.0 g. In fact, the support

structures for the steam generators and reactor vessel were found to be

the most susceptible to earthquakes if their fragilities are assumed to

be comparable to the 1.7 g fragility of the reactor vessel supports


given in the Seabrook PRA (Ref. C-7). Thus, it has been conservatively

assumed that an acceleration sufficient to fail the vessel supports is

sufficient to result in a leakage area of greater than 0.03 in. 2 •

As shown in Fig. C-3, this fragility assumption results in a

negligible probability of a primary coolant system boundary failure

following earthquakes with intensities lower than 0.8 g, and only a 6%

probability for a rupture during earthquakes with intensities between

0.8 to 2.0 g.

C.3.4. Cooling Provided by HTS

Event 4 considers whether HTS cooling continues following an earth

quake. As discussed previously, components in the HTS were reviewed to

determine the type and manner of failures which could preclude HTS oper

ation. As discussed in Section C.4, a loss of offsite power does not

preclude HTS operation if onsite power and other necessary equipment are

available. Thus, the earthquake-induced HTS failure probability was

estimated by the probability that the HTS fails due to system component

and onsite power failure plus the conditional probability that given

the system components and onsite power were available, a loss of off

site power occurred in conjunction with both turbines failing to remain

online. The fragilities selected for this analysis are included in

Table C-1. Although several systems and components were included in

this assessment, the HTS is susceptible to earthquakes because of the

low fragilities of

1. Offsite power (failure of ceramic insulators).

2. 4160 bus and switchyard.

3. 125 V dc bus (chatter).

4. 120 V ac distribution panel (chatter).

5. Non-class 1E switchgear (chatter).


Although small earthquakes could cause the latter three components to

produce a signal to shut down the HTS, these components are not perma

nently damaged and could be used later in the transient.

The results of this analysis indicate that for earthquakes with

peak accelerations less than 0.2 g, there is a 97% probability that HTS

cooling will continue. Above 0.4 g peak ground accelerations, however,

it is not anticipated that the BTS will remain operational because of

the high probabilities that a loss of offsite power, failures of the

4160 buses and switchyard, and/or relay chatter of the 125 V dc buses

and 120 V ac distribution panels will occur.


Immediately following a loss of HTS cooling, the PPIS is designed

to sense the condition and shut down the reactor by inserting the outer

set of control rods. This reduction in power is performed to assure

that the generated core heat more nearly matches the heat removal capa

bilities of the alternative cooling modes available. Event 5 considers

the probability of successfully accomplishing this.

As discussed in Section C.2.2, redundant mechanisms exist by which

the PPIS may sense the loss of main loop cooling and trigger control rod

insertion. Furthermore, if the PPIS were disabled because of the earth

quake there is the probability that the controls will be inserted by

gravitational forces (if power is lost) or by the operator.

A failure to scram following an earthquake may be due to

earthquake-induced as well as normal operational failures. As discussed

in Section C.2., the control rod drive mechanisms are extremely reliable

and have a low failure probability. However, the probability that the

control rods fail to scram the reactor was estimated as the sum of

earthquake-induced failures and failures due to other mechanisms given

that the earthquake did not preclude scram.


In this assessment, two mechanisms were considered by which an

earthquake could cause a failure of the rods to shut down the reactor.

The first mechanism assessed was if the ground acceleration was suffi

cient to cause misalignment between the control rods and guide tubes

such that the number of rods necessary for shutdown could not be

inserted. This misalignment did not preclude shutdown; the second

mechanism assessed was the probability of ground accelerations suffi

cient to damage enough control blocks that the rods necessary for

shutdown could not be inserted.

In order to evaluate the above probabilities, several assumptions

and data are needed. Based upon engineering judgment, a conservative

assumption was made that at least 21 of the 24 outer control rods must

be inserted for shutdown. Although under most conditions, fewer rods

are required for shutdown, this conservative simplification was employed

since the exact number of control rods needed is dependent upon factors

such as core life, operating history, and conditions (such as moisture

presence, etc.).

The fragility of each control rod guide tube was assumed as 2.0 g

with an uncertainty factor of 1.1. Scoping calculations were performed

to estimate the stresses produced in graphite blocks at certain ground

accelerations. These stresses were compared with experimentally

obtained data for the graphite block's ultimate strength (Ref. C-13) to

predict the number of blocks damaged due to a particular ground accel

eration. These preliminary results indicate that a peak ground accel

eration of 2.1 g with an uncertainty factor of 4.7 could damage three

blocks. Given that three blocks are damaged, there exists the possibil

ity that two or three of the block failures occur within the same col

umn. However, for this assessment, it was conservatively assumed that

the failures occurred in different fuel block columns. Using the fact

that approximately one of every outer three blocks contains a control

rod, the probability of an acceleration sufficiently damaging control

blocks to preclude shutdown was reduced by one-third. Then, the total


probability that the earthquake prevented reactor trip by the rods was

estimated by combining the probability that the earthquake resulted in

guide tube misalignment with the conditional probability that the guide

tubes remained in place, but control block damage prevented shutdown.

C.3.6. Reactor Shutdown Using Reserve Shutdown Control Equipment

As described above, the MHTGR is designed to respond to a loss of

HTS cooling by shutting down the reactor with the control rods. How

ever, in the unlikely event that this normal trip does not occur, a

secondary means of shutting down the reactor is automatically actuated,

and the reserve shutdown material (boronated pellets) is dumped into the

core. In event 6 of Fig. C-3, the operation of this secondary means of

shutdown is considered.

Two cases for consideration exist. If the control rod trip is

successful, as is the case in the top branch of Fig. C-3, then there is

no call for insertion of the reserve shutdown material, and the event is

shown with a dotted line. In the less probable case where the normal

trip has not succeeded, a demand for the RSCE exists, and the event

branch point presents the likelihood of success or failure. This sec

ondary shutdown can be triggered, after a 30-s delay, either by high

neutron flux to circulator speed ratio or high primary coolant pressure.

Besides multiple failures of these independent sensor channels, failure

of automatic insertion of RSCE material could be caused by failure of

the PPIS, common mode failure of several RSCE hoppers or failure of the

Class IE 120 V ac UPS or 125 V dc. In the case of the ac power failure,

the operator may still manually actuate the RSCE. However, in order for

the boron pellets to be released following actuation of this switch, a

120 V dc bus is required to supply electricity for heating the fusible

link, which melts, allowing pellets to enter the core.

The RSCE failure probability following an earthquake was estimated

as· the sum of earthquake-induced failures and failures due to other


mechanisms given that no earthquake-induced failures occur. Earthquake

induced RSCE failures were assumed to be contingent upon Whether the bus

to the link could supply electricity and if the reserve shutdown chan

nels remained intact so that the boron pellets could be inserted. The

fragility of the reserve shutdown channels was assessed to be similar to

control rod guide tubes, having a median value of 2.1 g. The median

fragility of the 125 V dc bus was assessed as 2.0 g, as shown in

Table C-1.

As can be seen in Fig. C-3, there is a very low probability of a

large earthquake occurring in Which neither the control rods nor the

reserve shutdown control equipment trip the reactor. However, as dis

cussed in Section 6.1.5.2, the negative temperature coefficient by

itself assures that no offsite release results even if such a situation

occurs. Therefore, even in this extremely unlikely scenario, the pas

sive safety characteristics of the MHTGR perform to ensure that the

consequence of this failure is minimal.


If an earthquake results in a loss of HTS cooling, the mismatch

between generated heat and heat removal is dealt with in two ways simul

taneously by the PPIS. In addition to reducing heat generation by ini

tiating a reactor shutdown (events 5 and 6), the PPIS also attempts to

restore coolant flow by starting the SCS. Event 7 considers Whether or

not the SCS is successfully started, and if it is started, Whether it

runs until HTS cooling is restored. The failure of the SCS following an

earthquake was calculated as the sum of earthquake-induced failures and

the conditional probability of failure due to other mechanisms Which was

calculated using results from the method described in Section C.2.4.

The SCS fragility was estimated with many of the component fragili

ties used to estimate the HTS system fragility, since both of these sys

tems depend upon the service water system and the electrical system.

C-33 DOE-HTGR-86-011/Re~. 3

However, the SCS is less susceptible to earthquakes than the HTS. Spu

rious signals due to earthquake vibrations that cause the HTS to trip do

not damage the SCS. Furthermore, backup diesel generators may be used

to power the SCS; thus, the failure of offsite power plus turbine trip

is not expected to preclude SCS operation. The SCS failure probability

due to mechanisms other than earthquakes was estimated as 0.05% using

the models described in Section 7.2.4. The combined SCS failure proba

bility is calculated as 9% for peak ground accelerations less than

0.2 g, 35% for accelerations in the 0.2 to 0.4 g range, and nearly 100%

for accelerations greater than 0.4 g.

C.3.8. Cooling Provided by RCCS




carry the heat to the air-cooled RCCS panels. In event 8, the probabil

ity that the RCCS is successful in providing cooling is considered. The

RCCS failure probability following an earthquake was estimated as the

sum of earthquake-induced failures and failures due to other mechanisms

given that no earthquake-induced failures occur.

The RCCS is a passive system constructed to meet a 0.3 g safe shut

down earthquake. The reactor cavity is a portion of the underground

silo in which the reactor is mounted. This silo is substantially

buttressed by interior shear walls and is joined at the top by a heavy

shear wall box structure which contains the coaxial ducts of the RCCS.

The structure surrounding this ducting extends upward to the RCCS

inlet/exhaust structure, which terminates above the reactor maintenance

enclosure roof (see Fig. 4-10).


Based upon Ref. C-13, the RCCS was assessed as having a median fragility

of 2.0 g.The failure probability for event 8 was calculated by combin

ing the failure probability associated with the RCCS fragility and the

independent failure probability of the RCCS (1 x 10-6 per demand).

C.3.9. Cooling Restore Prior to Excessive Vessel Temperatures

When all three cooling systems are lost, vessel side wall tempera

tures begin to rise. If allowed to rise high enough, the integrity of

the vessel is uncertain. However, the large core heat capacity, the


this heatup is very slow. Therefore, there are days to weeks (depending

upon the initial temperatures and prior cooling history) to restore


considers the probability that cooling is restored prior to the vessel


Restoration of cooling with either the HTS, the SCS, or the RCCS is

sufficient to arrest the vessel wall temperature transient. However,

only SCS repair is considered in event 9 because of its accessibility,

and ability to function without offsite power, and estimated shorter

repair time.

Event 9 is assessed by assuming there are 50 h available for SCS

repair prior to when the pressurized vessel reaches excessive tempera

tures. As discussed in Section C.2.7, it is estimated that loads in a

pressurized vessel could produce failures at temperatures in excess of

480°C (900°F). It is assumed in Section C.2.7 that a pressurized vessel

could reach such temperatures in 50 h. In estimating the likelihood of

repair it is assumed that repair efforts do not begin until 10 h after

the earthquake owing to the general confusion and attention given to

personnel injuries with which the plant crew may have to deal.






Therefore, no failure is expected as a result of strength loss until

temperatures are significantly in excess of the design temperature. For

the assessment, excessive vessel temperature has been estimated to be

760°C (14000 F), at which point the material undergoes a phase change.

It should be noted, however, that while no detailed analysis has been

performed to predict temperature-induced vessel failure, scoping calcu

lations suggest that the vessel may remain intact even at temperatures

much higher than 760°C (14000 F). Analyses of conduction cooldown with





remains at pressure and the reactor vessel is under considerably higher




ment, a temperature of 480°C (900°F) has been defined as excessive. The


C.3.10. Number of MOdules Experiencing Event Sequence



of the event tree can be seen the 20% to 80% split described in Sec

tion C.2.1 of single versus multiple HTS failures given that an HTS

failure has occurred. Further down the tree, if SCS cooling has not

been successful one, two, three, or four SCS loops may have failed to

operate. The relative probabilities of these four SCS failure possi

bilities are shown.

C-36 DOE-HTGR-86-011/Rev •. 3

C.4. LOSS OF NORMAL STATION ELECTRICAL POWER

The normal station electrical power equipment refers to the normal

loads in the energy conversion train for power production such as the

HTS circulators, condensate pumps, and feed pumps. A loss of normal

station power occurs when, for any reason, the power flow from the grid

(via the main or auxiliary transformers) is lost and the turbine genera

tors inadvertently trip instead of maintaining their load and continuing

to remove heat.

A LOSP is of interest as an initiating event because it is

externally caused, and because it can simultaneously challenge multiple

systems. For example, if offsite power is lost and both turbines trip,

all four cooling loops are shut down which challenges core heat removal

and, consequently, may result in incremental fuel releases from thermal

mechanisms as discussed in Section 5. Various responses are possible

following a loss of all offsite power due to the number of cooling modes

possible as shown in Fig. C-5. This section discusses the likelihood of

event sequences corresponding to possible plant response scenarios.

C.4.1. Loss of Offsite Power and Turbine Trip

Event 1 of Fig. C-5 corresponds to the frequency of a LOSP followed

by the inadvertent trip of both turbines. Unlike conventional U.S.

light water plants, the MHTGR main turbine generator is designed not to

trip following a LOSP so that it may continue to supply in-house loads.

The continued operation of the turbines and MaTGR at a reduced load fol

lowing a LOSP is possible, in part, because of high MaTGR core heat

capacity. The median annual frequency of 5 x 10-3 shown in event 1 of

Fig. C-5 was calculated by statistically combining the frequency of a

loss of offsite power occurring in conjunction with the demand failure

probability of both turbines. U.S. reactor operating experience data in


Ref. C-2 indicates a loss of offsite power occurs with a median fre

quency of 0.1 per year. Based upon experience with turbines in gas

cooled MAGNOX reactors (Refs. C-14 and C-1S), the probability of both

turbines failing to remain online following a loss of offsite power is

assessed at 0.05. The British plant experience is particularly applica

ble to the MHTGR in this event since the turbines in their plants were

also designed to have the capability of remaining online following a

loss of offsite power.

C.4.2. Reactor Trip With Control Rods

Following a loss of all station non-uninterruptible ac power, the

PPIS, Which receives power from the uninterruptible power source sup

plied by the de power system batteries, will sense the mismatch between

the circulator speed to feedwater flow and signal a main loop shutdown.

The signal to shut down the BTS results in the PPIS also initiating a

signal to trip the reactor with the outer control rods. Note that the

rods will not drop due to loss of power because the control rod drives

receive power from the Class 1E UPS, Which may receive power from other

sources than normal station and offsite power. Event 2 considers the

probability that the reactor is tripped by inserting the outer control

rods.

As discussed in Section 6.1, there are diverse means by Which the

PPIS may sense the loss of main loop cooling and trigger control rod

insertion. In addition to initiating a trip because of the HTS shut

down, the PPIS may initiate a trip because of the high neutron flux to

helium mass flow ratio, high primary pressure, or the high steam gener

ator helium inlet temperature. ·Mechanisms exist Which may result in a

failure to trip, such as common mode failures of the control rod drives,

the scram contactors or the PPIS scram logic. However, this equipment

is assessed as having a high reliability. Hence, a low probability is

shown in Fig. C-S for the failure of the control rods to shut down the

reactor.

C-38 DOE-BTGR-86-011/Rev. 3


Failure of reactor trip using the control rods has been shown to be

very unlikely. However, even if the control rods fail to shut down the

reactor, it is designed such that it may be shut down using the RSCE.

Event 3 considers the operation of this secondary means of reactor shut

down which consists of actuating a signal for RSCE hoppers to release

boronated pellets into the core.

As noted in the discussion of the loss of main loop cooling event

tree in Section C.2.3, the PPIS and control rod equipment are assessed

as having a high reliability, and it is unlikely that the common mode

failure necessary to preclude shutdown would occur. Hence, there would

not be any demand for reserve shutdown material, which is why event 3 is

shown as a dotted line in the top part of Fig. C-S. A discussion of the

diverse means by which the RSCE may be actuated and the model which was

used to calculate this system's failure probability may be found in

Section C.2.3.


Given that a LOSP and inadvertent trip of both turbines occur,

normal station power would be lost, precluding forced circulation by the

HTS. The PPIS responds to this condition by not only initiating a reac

tor shutdown, but also, in order to ensure core decay heat removal, ini

tiating a signal to start the SCS which will receive backup power from

the diesel generators. Event 4 considers the probability that the SCS

successfully starts on the diesel generators, and given that it starts,

the probability that the SCS runs until restoration of offsite power and

HTS cooling. The calculation of this event is different than the manner

in which it was calculated for the HTS in Section C.2.4 for several rea

sons. For example, the initiating event in this case, a loss of normal

station power, results in all four modules being shut down and requiring

SCS cooling. Furthermore, startup of the SCS is dependent upon the


startup of the backup generator since neither offsite nor normal

in-house power is available.

The conditional probabilities of SCS operation are calculated using

the failure models described in Section 6.2.2. Note that these proba

bilities are contingent upon preceding events. For example, since off

site and normal in-house power is not available, their failure are not

considered in evaluating the probability of SCS operation.

For SCS operation to be successful, cooling must be started and

maintained until power is restored. The SCS fault tree models in Sec

tion 6 were quantified to calculate the probability of an SCS unit fail

ing to start and then requantified to calculate the probability of an

SCS unit failing to run. The probability that an SCS unit fails to run

was assessed by first obtaining a probability density function corre

sponding to SCS failure from the reliability of one or more units.

Then, the appropriate probability density function of a particular

number of SCS units failing to run was combined with a complementary

cumulative distribution function corresponding to the probability for

offsite power restoration and integrated over the required mission time

of 150 h. (According to Ref. C-9, this was the longest observed time to

restore offsitepower.) Finally, the probability of event 4 was calcu

lated by combining the probability that one or more SCS loops fail to

start with the probability that they fail to run. Note that the proba

bility of event 4 in the lower portion of Fig. C-5 corresponds to a

sequence in which the control rods fail in a single module; whereas in

the upper portion of the event tree, multiple module cases are con

sidered. The probability of the control rod trip failing in more than

one module was found negligible.

As discussed in Section C.2.4, the Beta Factor Method was employed

to describe common mode failures between like SCS components within a

given module. However, modules are assumed to fail independently except

where explicit common mode failures are identified in Section 6 models.


C.4.S. Cooling Provided by RCCS

In the event that both the HTS and the SCS are not operational,

shutdown heat loads from the MHTGR vessel may be transferred via conduc

tion, radiation, and convection to the air-cooled RCCS panels. Event S

considers the probability that the passive and redundant, natural draft,

RCCS loops are successful in providing cooling. The success probability

for RCCS operation in this event was calculated using the same model

described in Section C.2.S for loss of main loop cooling event tree

calculations.

C.4.6. Number of Modules Experiencing Event Sequence

The initiating event, a LOSP and both turbines tripping, results in

HTS cooling being lost in all four modules. Hence, all modules experi

ence sequence AA in Fig. C-S. The number of modules experiencing a loss

of both HTS and SCS cooling may range from one to four (sequences AB

through AE), depending upon the specific SCS failure mode. Only one

module is shown in Fig. C-S for sequences considering failures of the

RCCS, reactor control rods, and the RSCE (sequences AF through AI).

Since the scram and RCCS systems in each mmodule are considered indepen

dent, it is less likely that simultaneous failure of the RCCS or scram

systems in multiple modules would occur. Hence, the frequencies of

sequences considering failures in more than one module would be lower

than the frequencies shown in Fig. C-S.

C.S. ANTICIPATED TRANSIENTS REQUIRING SCRAM

There are a number of off-normal plant transients for which the

PPIS is designed to detect the upset condition and as a part of the

automatic response, reduce the heat that must be removed from the core

by initiating a reactor shutdown (scram) in one or more modules with the

control rods. Such a transient without successful scram is of interest

as a challenge to the continued control of core heat generation. In


challenging this function, the ATWS represents a potential precursor to

failure of the primary coolant boundary (relief valve lifting) simulta

neous with the incremental releases from fuel involving thermal effects

discussed in Section 5. The various possible MHTGR responses to this

challenge are depicted in the event sequences in Fig. C-6. In this

section, the likelihood of these various scenarios occurring is

discussed.

C.5.1. Anticipated Transient Occurs

Transients requiring automatic or relatively prompt shutdown of the

reactor, event 1 of Fig. C-6, have been assessed as having a frequency

of occurrence of approximately 25 times per plant year. These tran

sients are characterized by plant conditions which either directly pre

clude a normal plant shutdown or which, if allowed to persist for the

extended period of time associated with normal shutdown, would lead to

exceeding design limits.

The assessed frequency of occurrence is based upon the plant avail

ability data base (Ref. C-10). System outage causes were screened for

those capable of causing reactor trip as opposed to those which lead to

only power output reduction or additional maintenance or repair at some

later date. In addition, for each identified transient it was noted

whether the outage cause would require trip in one, two, or four mod

ules. This approach tends to yield a somewhat high estimate of the

frequency at which reactor scram is demanded, as not all failures in

systems capable of causing trip would cause a trip. However, at the

present design stage of the MHTGR, the approximation is not,unreason

able. To provide some perspective, the estimate can be compared to the

light water reactor experience of something over six scrams per reactor

per year. Noting that, on the average, a single transient in the MHTGR

causes a scram in 1.6 reactor modules, the estimated frequency of 25

transients per plant year corresponds to 40 scrams per plant year or

10 scrams per reactor module per year.



For the majority of the transients described by event 1, the PPIS

is designed to sense the abnormal condition(s) and shut down the reactor

by inserting the outer set of control rods. This action helps assure a

prompt turnaround in any reactivity, thermal, or primary coolant pres

sure transients the plant may be experiencing. Furthermore, reactor

shutdown and the subsequent drop in temperature can arrest reactions

between the core graphite and any ingressed water or air. Event 2 con

siders the probability of successfully accomplishing this shutdown.

The control rod trip can be triggered by anyone of several param

eters monitored redundantly by the PPIS (see Section 4.12). In general,

for each of the transients included within the initiating event there is

more than one parameter which is able to trigger the trip. For example,

the desired reactor trip following a steam generator tube failure is

normally triggered by high moisture level as detected by the moisture

monitors. However, the high primary coolant pressure resulting from the

ingress of steam will also cause trigger a reactor trip. Likewise, as

discussed in Section C.1, there are several diverse means of sensing the

loss of core cooling. Of course, the operator acts as the ultimate

backup to the PPIS sensors, since he may use the many control room indi

cations to decide whether a trip is required. Beyond failure of the

sensors, failure to trip might result from common mode failure of the

control rod drives, common mode failure of the scram contractors, or

common mode failure in the PPIS scram logic.

Quantification of event 2 is performed using the individual trip

reliability given in Appendix B which is based on the model developed in

Ref. C-3. However, the calculation here takes account of the number of

modules which require scram. As seen in Fig. C-6, the PPIS and rod con

trol equipments are assessed as having a high reliability; and there is

a low probability of them suffering the requisite common mode failures

to preclude shutdown with the outer control rods.


C.S.3. Reactor Shutdown Using Reserve Shutdown Material

As described above, the MHTGR is designed to respond to the tran

sients included within event 1 by shutting down the reactor with the

outer control rods. However, in the unlikely event that this normal

trip does not occur, a secondary means of shutting down the reactor is

automatically actuated, and the reserve shutdown material (boronated

pellets) is dumped into the core. In event 3, the operation of this

secondary means of shutdown is considered.

As in previous event tree cases when the outer control rod trip is

successful, there is no call for insertion of the reserve shutdown mate

rial, and the event is shown with a dotted line. In the less likely

scenarios where the normal trip has not succeeded, a demand for the RSCE

exists, and the event branch point presents the likelihood of success or

failure. This secondary shutdown can be triggered, after a 30-s delay,

either by high neutron flux to circulator speed ratio, high primary

coolant pressure or operator intervention. Besides multiple failures of

these independent sensor channels, failure of automatic insertion of

RSCE material could be caused by failure of the PPIS, common mode fail

ure of several RSCE hoppers, or failure of the class 1E 120 V ac UPS or

12S V dc. In the case of the ac power failure, the operator may still

manually actuate the RSCE.

Because failure of the outer control rod trip is considered to be

independent between modules, the probability that the RSCE is simulta

neously demanded in more than one module is negligible. Thus, each RSCE

failure probability calculation is done on the basis of only one module.

As can be seen in the figure, the probability of failure is low.

C.S.4. Reactor Tripped by Operator

Events 2 and 3 of Fig. C-6 consider the probability that the

systems for reactor trip are automatically actuated. As described in


Section 6, the negative temperature coefficient and high temperature

capabilities of the MHTGR are such as to preclude significant con

sequence should trip not occur for extended periods of time (in excess

of one day). However, continued operation of the main cooling loop fol

lowing rod withdrawal could allow higher than normal core outlet temper

atures to reach the steam generator and result in possible damage to

this component. It is estimated that in such a case, the steam gener

ator design temperatures would not be exceeded for approximately 20 min.

Even if the automatic operation of the two diverse trip mechanisms fail,

it is still possible for the operator to manually shutdown the reactor.

The probability of the operator being able to trip the reactor by manu

ally actuating either the control rod or RSCE trip is considered in

event 4.

The probability of this event being successful is assessed as 0.83

in Fig. C-6. This value was calculated by statistically combining the

probability of the operator properly responding within 20 min, which is

calculated using the operator response model described in Appendix B,

with the conditional probabilities that either the control rod drives or

the RSCE hoppers are available despite the malfunction of these shutdown

systems being automatically actuated.

Note that the probability of event 6 in the lower portion of

Fig. C-6 corresponds to a sequence in which a single module has expe

rienced control failure; whereas in the upper portion of the event tree,

multiple module cases are considered. The probability of the control

rod trip failing in more than one module was found to be negligible.

C.S.S. Cooling Provided by HTS


until either of the following conditions is met: (1) the initial fail

ure is repaired and the module(s) is returned to power operation; or


(2) decay heat levels are so low that MHTGR core cooling system oper

ation is no longer required. Event 3 considers the probability that

this cooling can be provided by the HTS.

The reliability of core cooling provided by the HTS has been dis

cussed in Section C.2. The various transients making up the initiating

event for the loss of HTS event tree discussed in Section C.2 are, in

fact, a subset of those transients included in the initiating event

here. Consequently, the probability that HTS cooling is successful is

limited by the conditional probability that the initiating event was not

itself a transient that takes the HTS out of service. In addition, even

if the HTS is initially available for cooling, it must continue to oper

ate until the initial fault is repaired. The fault tree model for eval

uating whether the HTS runs for this period of time is described in

Section 6.2.1.

The probability that the initiating event involves loss of HTS

cooling dominates the event 5 HTS failure probability and is assessed to

be approximately 0.10. Thought of in another way, 10% of the antici

pated transients requiring scram are losses of HTS cooling. As a result

of this, the event tree sequences following the "no branch" of event 5

(HTS cooling not successful) are redundant with the loss of main loop

cooling event tree.


Following the loss of HTS cooling in event 5, the PPIS acts to

restore coolant flow by starting the SCS.· Event 6 considers whether or

not the SCS is successfully started; and if it is started, whether it

runs until HTS cooling is restored.

Depending upon the number of modules losing HTS cooling, a demand

for between one and four SCS loops is made. Using the detailed failure

model described in Section 6.2.2, the probability of not successfully


starting all the required loops is calculated. These calculations of


the outcome of preceding events (specifically the loss of the HTS). As

discussed in Section C.l, if only one module has lost cooling and HTS

cooling in the three other modules continues, the failure probability of

one SCS to startup can be calculated by directly quantifying the SCS

fault tree from the data base. In contrast, if four modules have lost

cooling, the likelihood that various common systems were the cause of

the initial failure, and therefore are not available, must be considered

in quantifying the SCS fault tree. The results of these two calcula

tions can then be combined appropriately, accounting for the relative

fractions of HTS failures that involve multiple versus single module

failures. The impact of these common dependencies between the HTS and

SCS is to limit the probability of success for the SCS.

Even after the SCS starts, event 6 is not judged successful unless

SCS cooling is maintained until HTS cooling is restored. The fault tree

models of Section 6.2.2 are requantified to assess the running reliabil

ity of the SCS, again conditioned upon prior events. These system reli

abilities are expressed as probability densities, combined with a com

plementary cumulative distribution function for HTS restoration, and

integrated over time. The probability that one or more SCS loops fail

to run for the required time is added to the probability that they fail

to start as the total failure probability for event 6.

Further description of this event is provided in Section C.2.4.

C.S.7. Cooling Provided by RCCS

Should both HTS and SCS cooling fail, the MaTGR is capable of



carry the heat to the air-cooled RCCS panels. In event 7, the proba

bility that the RCCS is successful in providing cooling is considered.



until either




loss of cooling would not lead to excessive vessel tempera

tures.



start" exists. For any given module, failure of the RCCS requires that


initially operating, passive, and redundant, natural draft loops.




the safety-related RCCS have been identified as capable of causing RCCS

flow blockage. In this lower portion of Fig. C-6, in which a single

module has experienced a failure to trip with control rods, the event 7

branching probability reflects the assessed failure probability of a

single RCCS (1 x 10-6). In contrast the upper portion of the figure

includes multiple module demands upon the RCCS and the probability of

one RCCS failure in several modules is seen to be somewhat low.

C.S.8. Primary Coolant Depressurized Through HPS

The unique design of the MHTGR allows that even if all three engi

neered cooling systems fail, including not only the forced circulation

main and SCS cooling loops but also the passive and redundant RCCS, core

heat loss to the surrounding environment is sufficient to limit the core

temperature transient and prevents large-scale fuel failure. In fact,


the maximum fuel temperatures during conduction cooldown are not

strongly affected by whether or not RCCS cooling is available. However,

under these conditions the reactor vessel may experience wall temp~ra

tures significantly in excess of its design limit, depending upon the

history of prior cooling. During such an accident, it would be expected

that the operator would initiate action to depressurize the primary

coolant system so as to reduce the stress experienced by the overheated

vessel. Such a depressurization is routinely performed prior to refuel

ing or certain maintenance activities and is accomplished by pumping

down the primary coolant inventory through the HPS and to the helium

storage bottles. Event 8 in Fig. C-6 considers the likelihood that such

a pump down is successful, given failures of the HTS, SCS, and RCCS.

A fault tree depicting the failure model for pump down through the

·HPS is shown and discussed in Section 6.2.3. In the quantification of

event 8, this model is conditionally evaluated dependent upon prior

occurrences in the event sequence. Intersystem dependency effects limit

the conditional probability of the HPS working, given failure of both

the HTS and SCS. As can be seen in Fig. C-6, the chance of the system

operating when required is about 94%. A more complete discussion of

this evaluation and the impact of these intersystem dependencies is

provided in Section C.2.6.

C.S.9. Cooling Restored Prior to Excessive Vessel Temperature

Whether or not the primary coolant pressure is successfully

reduced, vessel side wall temperatures begin to rise when all three

cooling systems are lost. If allowed to rise high enough, the vessel's

integrity may be challenged. However, the large core heat capacity, the


this heatup is very slow. Therefore, there are days to weeks (depend

ing upon the initial temperatures and prior cooling history) to restore



considers the probability that cooling is restored prior to the vessel


Restoration of cooling with either the HTS, the .ses, or the Rees

is sufficient to arrest the vessel wall temperature transient. Since

the SCS and HTS repair times are estimated as much shorter than the Rces

repair time, only HTS and SCS restoration are considered in event 9.





Therefore, no failure is expected as a result of strength loss at tem

peratures significantly in excess of the design temperature. For the

assessment, excessive vessel temperature .has been estimated to be 760°C

(1400oF) at which point the material undergoes a phase change. It

should be noted, however, that while no detailed analysis has been per

formed to predict temperature-induced vessel failure, scoping calcula

tions suggest that the vessel may remain intact even at temperatures

much higher than 760°C (14000 F). Analyses of conduction cooldown with





remains at pressure, and the reactor vessel is under considerably higher




ment, a temperature of 480°C (900°F) has been defined as excessive. The



C.S.10. Number of Modules Experiencing Event Sequence



of the event tree, relative probabilities of transients requiring scram

in one, two, and four reactor modules can be seen. Below this can be

seen the 20% to 80% split of single versus multiple HTS failures given

that a failure to provide HTS cooling has occurred. Further down the

tree, if SCS cooling has not been successful, a failure of one, two,

three, or four SCS loops may occur. The relative probabilities of these

four SCS failure possibilities are shown.

In the lower branches of the tree involving failure of the RCCS and

failure to trip with the outer control rods, only one module is likely

to experience the event sequence since these systems are designed as

independent between modules. The disruptive external events which would

have the potential to defeat this independence are not postulated in

this event tree.

C. 6 • INADVERTENT CONTROL ROD WITHDRAWAL

Inadvertent control rod withdrawal is initiated by failures in the

rod control equipment that lead to the undesired withdrawal of one or

more control rods from the core. As an accident initiating event, rod

withdrawal is of interest because of its potential challenge to the con

tinued control of core heat generation. In challenging this function,

the rod withdrawal represents a potential precursor to failure of the

primary coolant boundary (relief valve lifting) simultaneous with the

incremental releases from fuel involving thermal effects discussed in

Section 5. The various possible MHTGR responses to this challenge are

depicted in the event sequences in Fig. C-7. The likelihood of these

scenarios occurring is discussed in the following subsections.

C-5l DOE-HTGR-86-0ll/Rev. 3

C.6.1. Spurious Control Rod Bank Withdrawal Occurs

Reference C-11 summarizes the history of uncontrolled rod with

drawals in light water reactors in the United States. Despite differ

ences in the systems, both PWRs and BWRs are cited as having experi

enced, on the average, 2 x 10-2 of these transients per reactor per

year. While the HTGR rod control system is somewhat different, 2 x 10-2

is adopted as a reasonable estimate for the frequency at which failure

of the rod control equipment results in unwanted withdrawal of control

rods. Since the MHTGR control strategy operates the control rods in

banks rather than individually, such a failure would cause a control rod

bank to be withdrawn.

The MHTGR will have four relatively independent rod control sys

tems, one for each module. The frequency of event 1 (a spurious control

rod withdrawal in anyone of four modules) was assessed by statistically

combining the spurious control rod group withdrawal frequency in each

module and its uncertainty factor, 2 x 10-2 per year and 4.1, to obtain

the total frequency of 0.1 per plant year.


As the rod withdrawal proceeds, reactor power, steam generator

inlet helium temperature, and primary coolant pressure increase. The

PPIS monitors all three of these conditions and is designed to shut down

the reactor by dropping the outer control rods into the core if any of

the three become excessive. This action, by deenergizing the control

rod drive mechanisms and halting the nuclear chain reaction, terminates

the rod withdrawal. Event 2 considers the probability of successfully

accomplishing this shutdown.

As stated, the control rod trip can be triggered by anyone of the

three conditions mentioned. The parameters requisite to detect each of

these conditions are monitored by four redundant channels of the PPIS

C-S2 DOE-HTGR-86-011/Rev. 3

(see Section 4.12). Any combination of two of four channels can initi

ate a reactor trip. Beyond failure of the sensors, failure to trip

might result from common mode failure of the control rod drives, common

mode failure of the scram contactors, or common mode failure in the PPIS

scram logic.

Quantification of event 2 is performed using the individual trip

reliability given in Appendix A which is based on the model developed in

Ref. C-3. As seen in Fig. C-7, the PPIS and rod control equipments are

assessed as having a high reliability; and the probability of them suf

fering the requisite common mode failures to preclude ,shutdown with the

control rods is low. The value shown for this event is lower than the

value assessed for similar events on the loss of main loop cooling or

loss of offsite power event trees (Figs. C-2 and C-S) because the initi

ating event is a rod withdrawal in one of the four modules. Simultane

ous rod withdrawals in two or more modules is assessed as being signifi

cantly less likely and does not impact the accident consequence.


As described above, the MHTGR is designed to respond to the rod

withdrawal of event 1 by shutting down the reactor with the outer con

trol rods. However, in the unlikely event that this normal trip does

not occur, a secondary means of shutting down the reactor is automati

cally actuated, and the reserve shutdown material (boronated pellets) is

dumped into the core. While not affecting the control rod motion, this

action, by shutting off the nuclear chain reaction, negates the effect

of the withdrawn rods. In event 3, the operation of this secondary

means of shutdown is considered.

As in si~lar cases of previous event trees when the outer control

rod trip is successful, there is no call for insertion of the reserve

shutdown material, and the event is shown with a dotted line. In the

less likely scenarios where the normal trip has not succeeded, a demand


for the RSCE exists, and the event branch point presents the likelihood

of success or failure. This secondary shutdown can be triggered, after

a 30-s delay, either by high neutron flux to circulator speed ratio or

high primary coolant pressure. Besides multiple failures of these inde

pendent sensor channels, failure of the RSCE could be caused by failure

of the PPIS, common mode failure of several RSCE hoppers or failure of

the Class 1E 120 V ac UPS or 125 V ac. In the cases of PPIS or ac power

failure, the operator may still manually actuate the RSCE.

As can be seen in Fig. C-7, the combined reliability of the normal

outer control rod trip and the RSCE are more than adequate to assure

that there is a negligible probability of failing to terminate the

control rod withdrawal.

C.6.4. Cooling Provided by HTS


until either-the initial failure is repaired and the module is returned

to power operation or until decay heat levels are so low that MHTGR core

cooling systems are no longer required. Event 4 considers the probabil

ity that this cooling can be provided by the HTS.

Two categories of failure are considered in assessing whether the

HTS succeeds in providing cooling. First, the HTS must respond success

fully to the trip-induced transient and transfer from a power producing

to a decay heat removal mode of operation. Second, if it does respond

successfully to the transient, it still must operate for a period of

time as described above. The fault tree failure model for the HTS is

described in considerable detail in Section 6.2.1. Additional discus

sion regarding the quantification pf the model is given in Section C.2.

The HTS failure probability in event 4 is dominated by the proba

bility that the system responds successfully to the transient but fails


to run until no longer required. As can be seen in Fig. C-7, the

probability of this failure is 8 x 10-3 per demand.

C.6.S. Cooling Provided by SCS

Following the loss of HTS cooling, the PPIS attempts to restore

coolant flow by starting the SCS. Event 5 considers whether or not the

SCS is successfully started; and if it is started, whether it runs until

HTS cooling is restored.

Using the detailed failure model described in Section 6.2.2, the

probability of not successfully starting the required equipments for SCS

operation is calculated. These calculations of probability are, of

course, conditional probabilities contingent upon the outcome of preced

ing events (specifically the loss of the HTS). As discussed in Sec

tion C.2, certain of the HTS failure modes involve failures of equipment

which al~o supports the SCS. In quantifying the SCS fault tree, the

likelihood that these common systems were the cause of the HTS failure

is considered. The impact of these common dependencies between the HTS

and SCS is to limit the probability of success for the SCS.





system reliabilities are expressed as probability densities, combined

with a complementary cumulative distribution function for HTS restor

ation, and integrated over time. The probability that the SCS fails to

run for the required time is added to the probability that they fail to

start as the total failure probability for event S.

Further description of this event is provided in Section C.2.4.

C-SS DOE-HTGR-86-011/Rev. 3


Should both HTS and SCS cooling fail, the MaTGR is capable of



carry the heat to the air-cooled RCCS panels. In event 6, the probabil

ity that the RCCS is successful in providing cooling is considered.


until either




loss of cooling would not lead to excessive vessel

temperatures.



start R exists. For any given module, failure of the RCCS requires that


initially operating, passive, and redundant natural draft loops.




the safety-related RCCS have been identified as capable of causing RCCS

flow blockage. As an estimate of this very low failure probability, 1 x

10-6 per module with an uncertainty factor of 10 has been assigned to

event 6.

C-56 DOE-HTGR-86-011IRev. 3

C.7. ACCIDENTS INITIATED BY SMALL STEAM GENERATOR LEAKS

Small steam generator leaks are defined as leaks which introduce

moisture to the primary coolant at a rate in excess of the removal capa

city of the HPS but less than 0.05 kg/s (0.1 lb/s). As mentioned in

Section 5, water ingress is selected as an initiating event because of

the potential for primary coolant release due to relief valve venting

and for incremental fuel releases due to chemical attack (hydrolysis) of

the fuel. Given that such a leak occurs, the way the various plant sys

tems respond to the transient is depicted by the event tree shown in

Fig. C-8. Note that many of the sequences in the figure result in no

dose. Only in those sequences where certain protective functions are

not performed subsequent to the leak are offsite doses predicted. In

the following subsections, the quantification of the various branching

probabilities within the tree and the frequency of these various scenar

ios or event sequences are discussed.

C.7.1. Steam Generator Leak Freguency

A methodology for predicting the frequency of steam generator tube

leaks is presented in Table B-2 of Appendix B. The model is based upon

boiler operating experience in both nuclear and nonnuclear power sta

tions. Where possible, British and U.S. HTGR experience has been

incorporated to account for differences in the operating environment.

Employing this method for an MHTGR steam generator indicates that the

dominant leak contributors and their frequencies are

1. Bimetallic weld failure (6 x 10-3 per steam generator year).

2. Corrosion (4 x 10-2 per steam generator year).

3. Similar weld failure (5 x 10-2 per steam generator year).

4. Mechanical damage (4 x 10-3 per steam generator year).

Thus, the total frequency at which leaks of any size occur is 0.1 per

steam generator year. The majority (90%) of leaks are small, leaving


approximately 0.09 small leaks per steam generator per year. Taking

into account the four steam generators in the four module standard

plant, the frequency of event 1 occurring is assessed at approximately

0.4 per plant year.

C.7.2. Moisture Monitor Detection

To limit the impact of possible steam generator tube leaks and

the resulting ingress of moisture to the primary coolant system, each

module has an installed moisture monitor. If high moisture levels are

detected, the moisture monitor can give indication to the control room

operators; or, if levels become excessive, the moisture monitor can pro

vide a signal to the PPIS which in turn initiates reactor trip, main

loop trip, steam generator isolation, and steam generator dump. Event 2

in Fig. C-8 considers whether the moisture monitor successfully detects

the ingress condition of event 1.

In Ref. C-3, the probability that the moisture monitors were una

vailable was assessed as 1 x 10-3 • This failure probability ·was based

upon a moisture monitor channel failure rate of 1.4 x 10-4 per hour, a

common mode failure factor of 0.09, and a mean fault duration time of

12 h. In utilizing the Ref. C-3 model, this assessment assumes that the

moisture monitor design for the MHTGR will prove to be similar to that

envisioned for the large HTGR.

If the moisture monitors fail to function successfully, other trip

setpoints in the PPIS will initiate protective actions. Specifically,

engineered as backup protection against water ingress, high primary

coolant pressure will cause reactor trip and steam generator isolation.

However, only moisture detection can automatically trigger steam genera

tor dump. Therefore, should these monitors fail operator intervention

is required to dump the steam generator water inventory to the dump

tank. (Also see Section 6.2.6.)



Steam and water leaking from a failed steam generator to the pri

mary coolant increases primary coolant moisture content. It is expected

that within 6 min moisture levels would exceed 1000 ppmv. At this con

centration, the PPIS is designed to shut down the reactor by inserting

the control rods into the core. Event 3 considers the probability of

successfully shutting down the reactor on high moisture.

Of course, failure of the moisture monitor to detect the leak in

event 1 precludes tripping the reactor on high moisture. In addition,


drives, common mode failure of the scram contactors, or common mode

failure in the PPIS scram logic. Quantification of these equipment

failures is performed using individual trip reliabilities given in

Appendix B.

C.7.4. Reactor Manual Trip

Even without a reactor trip on high moisture and before the high

pressure trip discussed in Section C.7.5, there are any number of indi

cations available to the operator telling him that something is amiss.

The moisture monitor may be providing high moisture or erratic readings,

primary coolant pressure would be slowly but continuously rising, and

the control system would repeatedly be shimming in the control rods to

account for the reactivity effect of the ingressed water. Event 4 con

siders the likelihood that the operator recognizes that a problem exists

and shuts down the reactor manually with either the control rods or the

RSCE.

Event 4 is evaluated at a time period of 4.8 h in Fig. C-8.

However, results from this assessment indicate that signals indicating

increased moisture, pressure, and reactivity levels would alert the


operator of the ingress and a manual shutdown would be accomplished

within the first hour of the event.

The probability of the operator acting to back up failed equipment

was quantified using the model for cognitive human errors in Ref. C-11.

This model assumes that the allowable time for the operator to

respond in sequences where automatic systems (e.g., the reactor trip or

steam generator isolation) fail largely governs the operator failure

probability.

C.7.5. Reactor Trip On High Pressure

In addition to increasing moisture level in the primary coolant

circuit, the moisture ingress results in a rise in primary coolant pres

sure. A small steam generator leak is expected to cause the primary

coolant pressure to exceed 6929 kPa ()1000 psia) within 4.8 h. At this

pressure, the PPIS is designed to shut down the reactor by inserting the

control rods. Therefore, where high moisture is not successfully

detected, pressure monitoring is available to trigger reactor trip.

Furthermore, if the primary coolant pressure continues to increase above

the second PPIS setpoint of 6998 kPa (1015 psia) , the PPIS will trigger

a backup shutdown using the RSCE. During the ingress, there may also be

a rise in core power due to the reactivity effect of the water. How

ever, for small leaks, the control system is able to compensate for this

by shimming rods in well before the power to flow trip set point is

reached. Event 5 considers the probability of successfully accomplish

ing shutdown with either the outer control rods or RSCE.

Monitoring of primary coolant pressure is accomplished by four

redundant channels of the PPIS (see Section 4.12). Any combination of

two of four channels can initiate a reactor trip. Beyond failure of the

sensors, failure to trip might result from common mode failure of the


control rod drives, common mode failure of the scram contactors, or com

mon mode failure in the PPIS scram logic. With similar logic, failure

of the RSCE to operate if called upon can be caused by common mode fail

ure of its independent pressure sensor channels, failure of the PPIS,

common mode failure of several RSCE hoppers, or failure of the class 1E

120 V ac UPS or 125 V dc.

Quantification of the equipment failures in event 5 is performed

using the individual trip reliability given in Appendix B. The quanti

fication is also dependent upon the outcome of previous events. Specif

ically, success of inserting the control rods in event 5 is conditioned

by the probability that the failure in event 3 does not preclude rod

insertion. For instance, if the failure to insert the control rods on

high moisture in event 3 was caused by common mode failure of the scram

contactors, an additional trip signal coming from high pressure will

also be unsuccessful in event 5. This example is also useful in under

standing why the failure probability for event 5 is higher than the

failure probability for event 3.

C.7.6. Steam Generator Isolation

The steam generator isolation system functions to limit the amount

of water that enters the primary circuit, given a steam generator leak,

by closing a set of feedwater and steam outlet block valves. In addi

tion to the set of block valves, the steam generator outlet can also be

isolated (against reverse flow) by a check valve. Three system failure

modes are considered in this event:

1. Only the feedwater valves fail open.

2. Only the steam valves (including the check valve) fail open.

3. Both sets of isolation valves fail open.


In Ref. C-3, each failure mode was evaluated by considering the failure

of two identical redundant subsystems. The subsystem failure probabili

ties were assumed similar to the values derived for systems analyzed in

Refs. C-3 and C-12 with two exceptions:

1. The probability that the steam valves fail open was obtained

from the failure probability assessed in Ref. C-12 and

adjusted for the conditional probability of a check valve

sticking (i.e., failing to shut on reverse flow).

2. Given that the reactor is not tripped within five or fewer

minutes when the moisture monitors function properly, the con

ditional probability of an automatic steam generator isolation

system failure is governed by the probability that a PPIS

logic fault prevented control rod insertion (as assessed in

Ref. C-12).

If the reactor fails to trip, but the moisture monitors success

fully trip, the likelihood of both the steam and feedwater isolation

valves failing to close is increased. This is because of the increased

likelihood that the cause of the reactor failing to trip is an actuation

logic failure that would also prevent the steam generator isolation

signal.

As a backup to automatic steam generator isolation, operator action

to trip the boiler feedpumps to minimize water ingress is considered.

C.7.7. Delayed Steam Generator Isolation

Even if the automatic isolation considered in event 6 is unsuccess

ful, the steam generator can still be isolated and the inleakage termi

nated by either operator intervention or PPIS response to a high primary

coolant pressure. The probability that the steam generator is success

fully isolated by these secondary mechanisms is considered in event 7.


As stated, steam generator isolation in event 7 can be accomplished

by either PPIS reaction to high primary coolant pressure or operator

action. Quantification of this branching probability is conditioned by

the probability that the failure to isolate in event 6 was due to fail

ure that would also affect success in event 7. For example, failure of

the isolation valves in event 6, given a shutdown signal was triggered

by high moisture, will very likely also preclude success of a second

PPIS signal triggered by high pressure in event 7. In this case, only

operator action is accounted for in the analysis. Under these condi

tions, operator action to isolate the steam generator is expected to

occur within 30 min.

In those sequences preconditional by failure of the moisture moni

tors to defect the inleakage both the PPIS high pressure trip and opera

tor intervention are available to isolate the steam generator. Since

the low inleakage rate results in the high pressure trip being reached

in approximately 4-1/2 h the isolation is very likely to be accomplished

in less than this time.

The probability of isolation as a result of high primary coolant

pressure is calculated, as in the preceding event, using the models of

Refs. C-3 and C-12. The operator response model, also discussed in

Section C.7.4, is taken from Ref. C-11.

C.7.8. Steam Generator Dump Occurs

Following successful isolation of the steam generator, the PPIS is

designed to further limit the ingress of water to the primary coolant by

diverting most of the steam generator water inventory to the dump tank.

event 8 considers the likelihood of this mitigating action successfully

occurring.

Dumping the steam generator is accomplished by first opening a

set of valves located between the steam generator and the dump tank


and then reshutting them as the pressure within the steam generator /

approaches that of the primary coolant. If the dump valves fail to open

as required, essentially the complete steam generator inventory is

available to leak into the primary circuit. On the other hand, if the

dump valves open but fail to reshut, not only the water inventory but

also some primary coolant will be transferred to the tank. However, no

radioactive release from this failure mode is predicted because the dump

tank is designed to withstand primary coolant pressure and is vented to

the liquid and gaseous radioactive waste subsystems. These independent

failure modes of the dump valves are the same as those derived for the

similar system described in Ref. C-3, except the only failure mode con

sidered was a failure of the dump valves to open. Additional descrip

tion of this subsystem is given in Section 6.2.7.

In addition to these independent failure modes, success of steam

generator dump is conditioned upon the outcome of previous events. As

mentioned in Section C.7.2, automatic dump occurs only if the moisture

monitors have successfully detected the ingress. If the moisture moni

tors have failed in event 2, operator action is required to actuate the

dump. Further, steam generator dump is only considered if isolation

successfully occurs. Failure to isolate the steam generator renders any

subsequent dump valve actions ineffectual, relative to the impact of

open isolation valves, in determining the accident consequence.

Finally, the failure probability for event 8 is approximately

one-third lower in the branch where moisture monitor detection and steam

generation isolation are successful. In this case, the failure proba

bility also considers that either of the two redundant set of valves

could be repaired with the 13 h avaiiab1e before the primary relief

system valve lifts.


C.7.9. Steam Generator Pressure Response

Following a moisture ingress, it is expected that the steam genera

tor will be isolated and its inventory dumped as previously discussed in

this section. However, if the steam generator feedwater valves fail to

successfully isolate, the steam generator pressure may increase. The

manner in which the plant is designed to relieve steam generator pres

sure has the potential of providing an activity release path into the

environment. Thus, the steam generator pressure response is considered

in event 9 to assess these potential mechanisms for activity release.

The first branch shown in event 9 of Fig. C-8 considers the proba

bility that steam is successfully bypassed from the steam generator to

the condenser. Note that the success of this bypass requires not only

that the steam bypass valve open, but also that the feedwater control

valve function to limit the amount of feedwater entering the steam gen

erator. If this bypass fails, the resultant pressure transient will

cause one of the two steam generator relief valves to lift. The latter

two branches in event 9 consider the steam generator relief train

response. The proper operation of the relief valve is considered. in the

second branch of event 9. In sequences where this event branch is suc

cessful, the steam generator pressure is reduced by steam, which is

vented directly to the environment during the short period of time the

relief valve is open. However, if the relief valve fails open, not only

is the steam released, but as the steam pressure is lowered to the pri

mary system pressure, primary coolant may also exit through the steam

generator relief line. The probability of radioactivity being released

through this path is considered in the last branch of event 9.


Following the steam generator leak, HTS cooling is lost as the

steam generator is isolated and the main loop tripped. Responding to

this, the PPIS acts to restore primary coolant flow by starting the SCS.


Event 10 considers whether or not the SCS is successfully started; and

if it is started, whether it runs until HTS cooling is restored.

In those sequences with successful trip, steam generator isolation,

and steam generator dump, the operation of the SCS serves to reduce the

probability of pressurized conduction cooldown. In sequences involving

isolation or dump failure, SCS cooling serves to prevent the combination

of an increased primary circuit inventory (due to the added moisture)

and higher than normal temperatures (which result from a pressurized

conduction cooldown) from lifting the primary coolant relief valve.

Finally, in those sequences where the primary coolant circuit depres

surizes, SCS cooling can mitigate the resultant doses by preventing

thermally induced fission product release from the fuel.

Using the detailed failure model described in Section 6.2.2 and

quantified in Section C.2, the probability of not successfully starting

the required equipments for SCS operation is calculated.




ning reliability of the SCS. These system reliabilities are expressed

as probability densities, combined with a complementary cumulative dis

tribution function for HTS restoration and integrated over time. The

probability that the SCS fails to run for the required time is added to

the probability that they fail to start as the total failure probability

for event 10.

In the branch near the top of Fig. C-8 in which moisture monitor

detection and steam generation isolation are successful, but in which

the steam generator dump system fails, the probability of the SGS fair

ing to provide forced cooling can be seen to be somewhat lower than

elsewhere in the tree. In this case, failure of SCS cooling is defined

as not only the SCS failing to start or failing to run but also that it


is not restored in the 13 h available for repair prior to the primary

coolant relief valves lifted.

Further discussion of the SCS reliability is provided in

Section C.2.4.


Should SCS cooling fail, the MaTGR is capable of rejecting shutdown

heat loads by conduction, localized convection, and radiation to the

reactor vessel wall Where radiation and convection carry the heat to the

air-cooled RCCS panels. In event 11, the probability that the RCCS is

successful in providing cooling is considered.


until either




loss of cooling would not lead to temperatures threatening

vessel integrity.



start" exists.

As discussed in Section 6.2.5, no expected meteorological or oper

ating conditions have been identified which could preclude RCCS opera

tion. Only failures involving the extremely unlikely major structural




probability, 1 x 10-6 per module with an uncertainty factor of 10 has

been assigned to event 11.

C.7.12. Primary Relief Train Response

Preliminary calculations indicate that as long as SCS cooling is

maintained, the probability of a small steam generator leak producing

primary circuit pressures high enough to require relief is negligible.

Thus, the possibility of opening the primary relief train is only con

sidered in sequences that include SCS cooling failure. For these sce

narios, the probability that the relief train remains closed is the

probability that the operator intervenes before the relief valve set

point is reached. There is a small probability that a primary circuit

relief valve setpoint is miscalibrated low or drifts sufficiently low,

so that the primary circuit pressure rise causes the relief valve to

lift. This possibility is considered in the evaluation. Given that the

relief valve setpoint is reached, the probability that the relief valve

fails open is provided in Appendix B. An estimated common mode factor

of 0.1 is assumed to quantify the probability that both relief trains

fail closed after being challenged to relieve pressure at their

setpoint. (Also, see Section 6.2.9.)

C.8. ACCIDENTS INITIATED BY MODERATE STEAM GENERATOR LEAKS

MOderate steam generator leaks are defined as any leaks which

introduce moisture to the primary coolant at a rate of between 0.05 kg/s

(0.1 lb/s) and 5.7 kg/s (12.5 lb/s). The upper bound of 5.7 kg/s was

selected because it corresponds to the leak rate of a single offset

steam generator tube rupture; and the available data (Ref. C-3 and

Appendix B) suggest that the probability of a larger size leak occur

ring is very small. Distinguishing between small and moderate steam

generator leaks is phenomenologically important due to inherent dif

ferences in occurrence rates and response times. Whereas small steam

generator leak transients progress slowly, provide relatively long


operator response times, and concomitant high probabilities of success

ful operator intervention, moderate leak transients develop much more

rapidly. As a result, operator intervention that could otherwise pre

vent or mitigate offsite doses are less likely.

Water ingress is selected as an initiating event because of the

potential for primary coolant release due to relief valve venting and

for incremental fuel releases due to chemical attack (hydrolysis) of the

fuel. Furthermore, for the more severe ingress rates discussed in this

section, water ingress is of interest due to its reactivity effect on

the core. Given that such a leak occurs, the way the various plant sys

tems respond to the transient is depicted by the event tree shown in

Fig. C-9. Note that Fig. C-9 is organized slightly differently than

Fig. C-8. This recording better reflects the' manner in which transients

initiated by the larger-sized leaks are expected to progress. Many of

the sequences in Fig. C-9 result in no dose. Only in those sequences

where certain protective functions are not performed subsequent to the

leak are offsite doses predicted. In the following subsections, the

quantification of the various branching probabilities within the tree

and the frequency of these various scenarios or event sequences are

discussed.

C.8.1. Steam Generator Leak Frequency

A methodology for predicting the frequency of steam generator tube

leaks is presented in Table B-2 Appendix B. The model is based upon

boiler operating experience in both nuclear and nonnuclear power sta

tions. Where possible, British and U.S. HTGR experience has been incor

porated to account for differences in the operating environment. As

shown in Section C.7.1, employing this method for an MHTGR steam genera

tor leads to predicting a total frequency at which leaks of any size

occur of 0.1 per steam generator year. Reference C-3 indicates that

approximately 10% of all HTGR steam generator leaks would be expected

to exceed 0.05 kg/s (0.1 1b/s). The frequency of moderate leaks is


assessed at 0.01 per steam generator year. Taking into account the four

steam generators in the four module standard plant, the frequency of

event 1 occurring is assessed at 0.04 per plant year.

Of these moderately sized steam generator leaks, only a very few

are as large as the upper bound leak flow. Again, based upon informa

tion in Ref. C-3, it is predicted that a moderate size leak has an

average ingress rate of approximately 1.2 kg/s (2.6 1bm/s), and less

than 30% of the moderate sized leaks exceed this mean value.

C.8.2. MOisture MOnitor Detection

To limit the impact of possible steam generator tube leaks and

the resulting ingress of moisture to the primary coolant system, each

module has an installed moisture monitor. If high moisture levels are

detected, the moisture monitor can give indication to the control room

operators; or, if levels become excessive, the moisture monitor can pro

vide a signal to the PPIS which in turn initiates reactor trip, main

loop trip, steam generator isolation, and steam generator dump. Event 2

in Fig. C-9 considers whether the moisture monitor successfully detects

the ingress condition of event 1.

From Ref. C-3, the probability that the moisture monitors were

unavailable was assessed as 1 x 10-3 • This failure probability was

based on a moisture monitor failure rate of 1.4 x 10-4 per hour, a com

mon mode failure factor of 0.09, and a mean fault duration time of 12 h.

In utilizing this model, this assessment assumes that the moisture moni

tor design for the MHTGR will prove to be similar to that envisioned for

the large HTGR.

If the moisture monitors fail to function successfully, other trip

setpoints in the PPIS will initiate protective actions. Specifically

engineered as backup protection against water ingress, high primary

coolant pressure will cause reactor trip and steam generator isolation.


However, only moisture detection can automatically trigger steam gener

ator dump. Therefore, should these monitors fail, operator intervention

is required to dump the steam generator water inventory to the dump

tank. (Also see Section 6.2.6.)


Steam and water leaking from a failed steam generator to the

primary coolant results in increasing moisture content in the primary

coolant. At 1000 ppmv, the PPIS is designed to shut down the reactor by

inserting the outer control rods into the core. Event 3 considers the

probability of successfully shutting down the reactor on high moisture.

Of course, failure of the moisture monitor to detect the leak in

event 2 precludes tripping the reactor on high moisture. In addition,


drives, common mode failure of the scram contactors or common mode fail

ure in the PPIS scram logic. In cases in~olving a rapid pipe rupture,

a rise in core power due to the water's reactivity effects may cause

the reactor to trip on power to flow before the moisture set point is

reached. However, steam generator isolation is not initiated until the

PPIS detects high moisture levels. Quantification of the equipment

failures in event 6 is performed using the individual trip reliability

given in Appendix B.

C.8.4. Reactor Trip on High Pressure

In addition to increasing moisture level in the primary coolant

circuit, the moisture ingress results in a rise in primary coolant pres

sure. The PPIS monitors this parameter and is designed to shut down the

reactor by inserting the control rods into the core if it exceeds its

designated setpoint. Therefore, where high moisture is not successfully

detected, a high pressure signal is available to trigger reactor trip.

Note that a high pressure trip will be delayed approximately 6 min


before the ingress will cause primary pressure to exceed the PPIS trip

setpoint. In addition, the primary coolant pressure high setpoint will

also, after a 30-s delay, trigger a backup shutdown using the RSCE.

Event 4 considers the probability of successfully accomplishing shutdown

by the high pressure signal with either the control rods or the RSCE.

To detect high pressure, primary coolant conditions are monitored

by four redundant channels of the PPIS (see Section 4.12). Any com

bination of two of four channels can initiate a reactor trip. Beyond

failure of the sensors, failure to trip might result from common mode

failure of the control rod drives, common mode failure of the scram

contactors, or common mode failure in the PPIS scram logic. With simi

lar logic, failure of the RSCE to operate (if called upOd) , might result

from common mode failure of its independent pressure sensor channels,

failure of the PPIS, common mode failure of several RSCE hoppers, or

failure of the Class IE 120 V ac UPS or 125 V dc. In the cases of sen

sor, PPIS, scram contactor, or ac power failure, the operator may still

manually actuate either a control rod scram or the RSCE.

Quantification of equipment failures in event 4 is performed using

the individual trip reliability given in Appendix B. The quantification

is also dependent upon the outcome of previous events. Specifically,

success of inserting the outer control rods in event 4 is conditioned

by the probability that the failure in event 3 does not preclude rod

insertion.

For quantification of any operator actions taken to back up failed

equipments, the model for cognitive human errors given in Ref. C-ll is

utilized. This model assumes that the allowable time for the operator

to respond in sequences where automatic systems (e.g., the reactor trip

or steam generator isolation) fail, largely governs the operator failure

probability.


C.8.5. Steam Generator Isolation

The steam generator isolation system functions to limit the amount

of water that enters the primary circuit, given a steam generator leak,

by closing a set of feedwater and steam outlet block valves. In addi

tion to the set of block valves, the steam generator outlet can also be

isolated (against reverse flow) by a check valve. Three system failure

modes are considered in this event:

1. Only the feedwater valves fail open.

2. Only the steam valves (including the check valve) fail open.

3. Both sets of isolation valves fail open.

In Ref. C-3, each failure mode was evaluated by considering the failure

of two identical redundant subsystems. The subsystem failure probabili

ties were assumed similar to the values derived for systems analyzed in

Refs. C-3 and C-12 with two exceptions:

1. The probability that the steam valves fail open was obtained

from the failure probability assessed in Ref. C-12 and

adjusted for the conditional probability of a check valve

sticking (i.e., failing to reclose).

2. Given that the reactor is not tripped within five or fewer

minutes when the moisture monitors function properly, the con

ditional probability of an automatic steam generator isolation

system failure is governed by the probability that a PPIS

logic fault prevented outer control rod insertion (as

assessed in Ref. C-12).

If the reactor fails to trip, despite success of the moisture moni

tors to detect the leak, the likelihood of both the steam and feedwater

isolation valves failing to close is decreased. This is because of the

increased likelihood that the cause of the reactor failing to trip is an


actuation logic failure that would also prevent the steam generator

isolation signal.

C.8.6. Delayed Steam Generator Isolation

Even if the automatic isolation considered in event 5 is unsuccess

ful, the steam generator can still be isolated and the in1eakage termi

nated by either operator intervention or PPIS response to a high primary

coolant pressure. The probability that the steam generator is success

fully isolated by these secondary mechanisms is considered in event 6.

As stated, steam generator isolation in event 6 can be accomplished

by either PPIS reaction to high primary coolant pressure or operator

action. Quantification of this branching probability is conditioned by

the probability that the failure to isolate in event 5 was due to fail

ure that would also affect success in event 6. For example, failure of

the isolation valves in event 5, given a shutdown signal was triggered

by high moisture, will preclude success of a second PPIS signal trig

gered by high pressure in event 6. In this case, only operator action

is accounted for in the analysis. The probability of successful opera

tor action increases rapidly after 20 to 30 min. In those event

sequences where immediate isolation has not occurred because of a mois

ture monitor failure, the high pressure reached after a 6 min delay is

expected to terminate the ingress.

The probability of isolation as a result of high primary coolant

pressure is calculated, as in the preceding event, using the models of

Refs. C-3 and C-12. The operator response model, also discussed in

Section C.7.4, is taken from Ref. C-ll.

C.8.7. Steam Generator Dump Occurs

Following successful isolation of the steam generator, the PPIS is

designed to further limit the ingress of water to the primary coolant by


diverting most of the steam generator water inventory to the dump tank.

Event 8 considers the likelihood of this mitigating action successfully

occurring.

Dumping the steam generator is accomplished by first opening a set

of valves located between the steam generator and the dump tank and then

reshutting them as the pressure within the steam generator approaches

that of the primary coolant. If the dump valves fail to open as

required, a relatively' larger amount of water than would occur

otherwise, will enter the primary circuit as essentially the complete

steam generator inventory is available to leak. On the other hand, if

the dump valves open but fail to reshut not only the water inventory but

also some primary coolant will be transferred to the tank. However, no

radioactive release from this failure mode is predicted because the dump

tank is designed to withstand primary coolant pressure and is vented to

the liquid and gaseous radioactive waste subsystems. These independent

failure modes of the dump valves are the same as those derived for the

similar system described in Ref. C-3, except the only failure mode con

sidered was a failure of the dump valves to open. Additional descrip

tion of this subsystem is given in Section 6.2.7.

In addition to these independent failure modes, success of steam

generator dump is conditioned upon the outcome of previous events. As

mentioned in Section C.8.2, automatic dump occurs only if the moisture

monitors have successfully detected the ingress. If the moisture moni

tors have failed in event 2, operator action is required to actuate the

dump. Further, steam generator dump is only considered if isolation

successfully occurs. Failure to isolate the steam generator renders any

subsequent dump valve actions ineffectual, relative to the impact of

open isolation valves, in determining the accident consequence.


C.8.8. Steam Generator Pressure Response

Following a moisture ingress, it is expected that the steam genera

tor will be isolated and its inventory dumped as previously discussed in

this section. However, if the steam generator feedwater valves fail to

successfully isolate, the steam generator pressure may increase. The

manner in which the plant is designed to relieve steam generator pres

sure has the potential of providing an activity release path into the

environment. Thus, the steam generator pressure response is considered

in event 8 to assess these potential mechanisms for activity release.

The first branch shown in event 8 of Fig. C-9 considers the proba

bility that steam is successfully bypassed from the steam generator to

the condenser. Note that the success of this bypass requires not only

that the steam bypass valve open, but also the feedwater control valve

function to limit the amount of feedwater entering the steam generator.

If this bypass fails, the resultant pressure transient will cause one of

the two steam generator relief valves to lift. The latter two branches

in event 8 consider the steam generator relief train response. The

proper operation of the relief valve is considered in the second branch

of event 8. In sequences where this event branch is successful, the

steam generator pressure is reduced by escaping steam, which is vented

directly to the environment during the short period of time the relief

valve is open. However, if the relief valve fails open, not only is the

steam released, but as the steam pressure is lowered to the primary sys-

tem pressure, primary coolant may also exit through the steam generator

relief line. The probability of radioactivity being released through

this path is considered in the last branch of event 8.


Following the steam generator leak, BTS cooling is lost as the

steam generator is isolated and the main loop tripped. Responding to

this, the PPIS attempts to restore coolant flow by starting the SCS.

C-76 DOE-BTGR-86-011/Rev. 3

Event 9 considers whether or not the SCS is successfully started; and

if it is started, whether it runs until HTS cooling is restored.

In those sequences with successful trip, steam generator isolation

and steam generator dump, the operation of the SCS serves to reduce the

probability of pressurized conduction cooldown. In sequences involving

isolation or dump failure, SCS cooling serves to prevent the combination

of an increased primary circuit inventory (due to the added moisture)

and higher than normal temperatures (which result from a pressurized

conduction cooldown) from lifting the primary coolant relief valve.

Finally, in those sequences where the primary coolant circuit depres

surizes, SCS cooling can mitigate the resultant doses by preventing

thermally induced fission product release from the fuel.

Using the detailed failure model described in Section 6.2.2 and

quantified in Section C.2, the probability of not successfully starting

the required equipments for SCS operation is calculated.




ning reliability of the SCS. These system reliabilities are expressed

as probability densities, combined with a complementary cumulative dis

tribution function for HTS restoration and integrated over time. The

probability that the SCS fails to run for the required time is added to

the probability that they fail to start as the total failure probability

for event 9.

Further discussion of the SCS reliability is provided in

Section C.2.4.


C.B.10. Cooling Provided by RCCS

Should SCS cooling fail, the MHTGR is capable of rejecting shutdown

heat loads by conduction, localized convection, and radiation to the

reactor vessel wall where radiation and convection carry the heat to the

air-cooled RCCS panels. In event 11, the probability that the RCCS is

successful in providing cooling is considered.


until either




lQsS of cooling would not lead to temperatures threatening

vessel integrity.

Since the system is continuously o~erating during normal operation of


start" exists.

As discussed in Section 6.2.5, no expected meteorological or oper

ating conditions have been identified which could preclude RCCS opera

tion. Only failures involving the extremely unlikely major structural



probability, 1 x 10-6 per module with an uncertainty factor of 10 has

been assigned to event 11.

C.B.11. Primary Relief Valve Response

One difference in the MHTGR response to small and moderate steam

generator leaks is that maintaining SCS cooling subsequent to a moderate

C-7B DOE-HTGR-B6-011/Rev. 3

leak is not, by itself, sufficient to preclude primary relief train

opening. However, given that the primary relief train setpoint is

reached, the probability of each particular relief train response is

the same as the probabilities generated for the small steam generator

leak tree. (See Sections C.7.8 and 6.2.9.) Successful steam generator

isolation and dump also is expected to prevent a challenge to the pri

mary coolant relief trains, regardless of the status of SCS cooling.

The small probability of substantial relief valve setpoint miscalibra

tion or drift low, that might still cause the relief valves to be

challenged is considered in the analysis.

C. 9 • UNCERTAINTY TREATMENT IN FREQUENCY ASSESSMENT

Event sequence frequencies in Appendix C are calculated by multi

plying the initiating event frequency by the probability of subsequent

events in the sequence. Initiating event frequencies and branching

failure probabilities were assessed by combining system and component

failure data consistent with the system descriptions and fault trees in

Section 6. However, because there is uncertainty in this data, it is

important to obtain the proper combinations and to assess and propagate

their uncertainties. This section describes the types of uncertainties

included in the frequency assessment, how these uncertainties were

. incorporated, and the final uncertainty distributions calculated for the

sequence frequencies in each of the Appendix B release categories.

C.9.1. Uncertainties Considered

Historically, in the context of PRAs, the term "uncertainty" has

been applied to two different concepts (Ref. C-16):

1. Random variability in a parameter or measurable quantity.

2. Imprecision in the knowledge about a model, its parameters, or

predictions.


The difference between these two concepts is best illustrated by noting

that an enlargement of the data base may improve precision in the latter

concept but cannot affect the fundamental random variability, although a

numerical assessment of that variability can be made more precise. As

noted in Ref. C-16, it is desirable to have some quantitative measure of

uncertainty and random variability although it is not always easy to

separate the two concepts.

Both of these concepts are recognized and incorporated in this risk

assessment. Although the current HTGR reliability data base does sepa

rate different types of component failure mechanisms, sufficient detail

is generally not provided to allow variability and imprecision to be

treated in separate and distinct fashions. Instead, the data, which is

based upon industry wide experience, is averaged, resulting in the ran

domness being incorporated into the data's uncertainty distribution.

This uncertainty distribution is represented by one of several methods.

Where possible, a mathematically defined distribution (i.e., normal,

log-normal, etc.) is utilized. However, in cases where it is not pos

sible to use an easily-defined distribution, the distribution was either

described tabularly or a technique was employed in which the distribu

tion was split at its median value and each half modeled separately.

The uncertainty in the component failure models and probabilities

were combined utilizing the Monte Carlo sampling process contained in

the STADIC-2 code (Ref. C-2). Essentially, the STADIC-2 code selects

one pseudo-random value from each input variable's statistical distribu

tion and mathematically combines this set of sample variables as desired

to represent a sequence frequency or event probability. This process is

repeated for a large number of samples, thus generating a statistical

distribution for the desired output function (an event probability or

sequence frequency).


The importance of including uncertainties in a risk assessment has

been recognized in many PRAs (Refs. C-6, C-7, and C-8) because it incor

porates the probability that uncertainties combine in the worst, as well

as the best, possible manner. Its impact is evidenced in this assess

ment by noting the difference between the event sequence frequencies and

numbers obtained by simply multiplying together the median values in the

event trees of this appendix.

C.9.2. Uncertainty Distributions for Release Category Frequencies

The distributions for the several event sequences which may make up

a single release category have been added using STADIC-2 to estimate the

frequency distributions for each release category described in Appen

dix B. These release category distribution parameters are summarized in

Table C-2 along with the dominant event tree sequence contributing to

the release category. The mean value identified in column 5 of

Table C-2 is a measure of the distribution's central tendency and is

calculated by STADIC-2 using an unbiased estimate for the true mean with

the formula

N

Y - L Yi (C-l) i=l

N

where Yi = the outcome of one of a total of N samples.

These mean release category frequencies are combined with the doses

given in Appendix B to assess the plant risk as discussed in Section 9.

C.10. REFERENCES

C-lo U.S. Nuclear Regulatory Commission, "Reactor Safety Study,"

NUREG-75/0l4, (WASH-1400), 1975.

C-8l DOE-HTGR-86-0ll/Rev. 3

TABLE C-2 RELEASE CATEGORY FREQUENCY UNCERTAINTY DISTRIBUTION PARAMETERS

Frequency Distribution Parameters for Release Category (per year)

Release Median Dominant (a) Category 5th Percentile 50th Percentile 95th Percentile Mean Sequence

DF-1 3.3 x 10-3 7.7 x 10-3 2.0 x 10-2 9.7 x 10-3 PC-BP DF-2 1.2 x 10-2 2.9 x 10-2 8.2 x 10-2 3.7 x 10-2 PC-BC DF-3 1.0 x 10-3 5.0 x 10-3 4.0 x 10-2 1.1 x 10-2 PC-AD DF-4 0.12 0.25 0.57 0.29 DC-AA

WF-1 2.1 x 10-9 2.0 x 10-8 1.8 x 10-7 4.7 x 10-8 MS-AX WF-2 1.4 x 10-7 1.7 x 10-6 1.2 x 10-5 3.5 x 10-6 MS-CC WF-3 8.3 x 10-8 6.4 x 10-7 4.2 x 10-6 1.2 x 10-6 MS-AW WF-4 4.5 x 10-6 3.3 x 10-5 2.1 x 10-4 6.1 x 10-5 MS-BU

DC-1 1.3 x 10-10 9.9 x 10-9 3.8 x 10-7 8.8 x 10-8 EQ-BD DC-2 1.4 x 10-9 2.3 x 10-8 2.6 x 10-7 8.2 x 10-8 HTS-AH,

0 PS-AK I co DC-3 6.2 x 10-9 1.7 x 10-7 2.5 x 10-6 7.2 x 10-7 EQ-BN N

DC-4 4.1 x 10-6 2.4 x 10-5 2.0 x 10-4 5.4 x 10-5 PC-AU DC-5 1.9 x 10-6 1.3 x 10-5 1.0 x 10-4 2.8 x 10-5 PC-BH DC-6 7.6 x 10-5 3.1 x 10-4 1.6 x 10-3 5.2 x 10-4 PC-AT DC-7 3.3 x 10-5 1.6 x 10-4 9.1 x 10-4 2.8 x 10-4 PC-BG DC-8 1.0 x 10-5 5.0 x 10-5 2.7 x 10-4 8.4 x 10-5 DC-BR

t=' DC-9 2.5 x 10-4 1.2 x 10-3 5.6 x 10-3 1.9 x 10-3 PC-AE 0

1.6 x 10-9 2.6 x 10-8 7.8 x 10-7 2.4 x 10-7 PI WC-1 SS-AF I

ei WC-2 1.8 x 10-9 3.5 x 10-8 1.5 x 10-6 3.2 x 10-7 MS-CF ~ WC-3 4.8 x 10-10 7.8 x 10-7 2.6 x 10-5 6.1 x 10-6 SS-AE I WC-4 1.3 x 10-9 2.0 x 10-8 6.9 x 10-7 1. 7 x 10-7 MS-AZ co 0\ WC-5 8.5 x 10-9 1.5 x 10-7 5.1 x 10-6 1.4 x 10-6 MS-AD I 0 WC-6 7.0 x 10-8 1.1 x 10-6 3.5 x 10-5 8.1 x 10-6 MS-CE .... .... WC-7 2.8 x 10-7 4.6 x 10-6 1.6 x 10-4 3.7 x 10-5 MS-AC -~ • <: . \.oJ (a) Event sequence estimated to have the highest frequency within the release category (see

Figs. C-1 through C-8).

C-2. Koch, P. K., and H. E. St. John, "STADIC-2, A Computer Program

for Combining Probability Distributions," GA Report GA-A16227,

July 1983.

C-3. Fleming, K. N., et a1., "HTGR Accident Initiation and Progression

Analysis Status Report Phase II Assessment," GA Report GA-A15000,

April 1978.

C-4. EqE, "Evaluation of Seismic and Wind Criteria for the Modular

HTGR Plant," Presentation to GCRA, San Diego, CA, August 13,

1986.

C-5. "Utility/User Requirements for Modular High-Temperature Gas

Cooled" Reactors," GCRA-011, Rev. 2 (Draft), November 1985.

C-6. Zion Probabilistic Safety Study, 1981, prepared for Commonwealth

Edison Company.

C-7. Seabrook Station Probabilistic Safety Assessment, 1983, prepared

for Public Service Company of New Hampshire and Yankee Atomic

Electric Company.

C-8. Millstone Unit 3 Probabilistic Study," August 1983.

C-9. "The Reactor Safety Study - An Assessment of Accident Risks in

U.S. Commercial Nuclear Plants," WASH-1400 (NUREG-75/014),

October 1975, Appendix III, Tables III 6-5 through 6-7.

C-10. "Forced Outage Assessment of the MaTGR," HTGR-86-069, September

1986.

C-11. Oswald, A. J., et a1., "Generic Data Base for Data and Models

Chapter of the National Reliability Evaluation Program (NREP)

Guide," EGG-EA-5887, June 1982.

C-12. Houghton, W. J., et a1., "Investment Risk Assessment of the HTGR

Steam Cycle/Cogeneration Plant," GA Report GA-A18000, September

1984.

C-13. Price, R. J., "Statistical Study of the Strength of Near

Isotropic Graphite," GA-A13955, May 1976.

C-14. "HTGR Accident Initiation and Progression Analysis Status

Report - Phase I Analyses and R&D Recommendations," ERDA Report

GA-A13617, Vol. IV, December 1975.


C-15. Care, L., R.S. Cow, and A. J. J. MacArthur, "Effects of Loss of

Grid Supply on U.K. Nuclear Power Stations," Presented at a

UKAEA/JAPC/CEGB/SSEB Meeting, 1975.

C-16. "PRA Procedures Guide, A guide to the Performance of Probabil

istic Risk Assessments for Nuclear Power Plants," NUREG/CR-2300,

January 1983.


EVENT I EVENT2 EVENTJ EVENT4 EVENTS EVENTI EVENT 7 EVENT 8 10 MEDIAN RELEASE PRIMARY LEAK SIZE REACTOR REACTOR HTS SCS RCCS HPS FREQUENCY CATEGORY COOLANT DISTRIBUTION SUCCESSFULLY SUCCESSFULLY OPERATES OPERATES OPERATES PUMPOOWN OF EVENT

LEAK OCCURS TRIPPED WITH TRIPPED WITH SUCCESSF ULL Y SUCCESSFULLY SUCCESSFULLY SEQUENCE CONTROL RODS RSCE (PER PLANT

YEAR)

0.Z6 0.68 -I 0.13 -I PC-AA 0.15 OF-4 ----- -----------3 I 10-5 IN.Z_ 2110-3 IN.Z 1110-3 PC-AS 2110-4 OF-3

o.n 0.17 0.91 PC-AC 3 I 10-2 DF-4 -----9 I 10-Z PC-AO 3 I 10-3 OF-3

3 I 10-2 -I 0.14 PC-AE 1.,0-3 OC-9

6 I 10-Z PC-AF 8. 10-5 OC-9

1110-& PC-AG < -------Z I 10-5 -1 0.1l -1 PC-AH Z I 10-& DF-4 -----------

1.10-3 PC-AI < --o.n 0.17 0.91 PC-AJ 3110-7 DF-4 -- ---

9.10-Z PC-AK 4 I 10-8 DF-J

3110-2 '-1 0.94 PC-AL 1110-8 DC-9

6 • 10-Z PC-AM < --1110-& PC-AN < ------

4 • 10-5 PC-AO < -------------------------0.16 -I O.ID -1 PC-AP 4.,0-2 DF-4 ----- -----------ZI ld-3 lN Z_

0.03 IN.Z . IIIO-J PC-AQ 4 I 10-5 DF-3

UO 0.17 0.11 PC-AR B I 10-3 OF-4 -- ---• I 10-2 PC-AS .110-4 DF-3

3 I 10-Z -I 0.14 PC-AT J I 10-4 OC-&

1110-2 PC-AU 2 I 10-5 OC-4

1110-1 PC-AV < -------Z I 10-5 I O.ID -1 PC-AW 5110-7 DF-4 -----------

1110-J PC-AX < --co CIt

D.ZO 0.17 0.11 PC-AY I I 10-- OF-4 -----0 :r-eo ~ii)

"'00 0 ~> ~ c:&j 0

a _. og

I- m-el) ~CD

0.0 CO ::s

II 10-2 PC-AZ < --» 3 I 11-2 PC-IA < --") -U» ----------.mZ 4.10-5 'PC-II < -------------------------t- :0 en 0.11 -I 0.1l -1 PC-IC 2111-Z DF-Z

~~ -i -i - ---- -----------

0.03 ~N.Z_ 1.10-3 PC-ID Z 1 10-. DF-Z I . em liN .

4110-3 :DO I.n 0.17 0.11 PC-IE DF-2 - - ---m 1110-2 PC-If 4110-4 DF-2

1 J.IO-2 -1 0.14 PC-IG 2 I 10-4 DC 7

1.10-2 PC-IH' I .10-5 DC-5

0 1111-& PC-II < -------

2110-5 -1 I.U -1 PC-IJ 31 10-7 DF-Z -----------1110-J PC-IK < --

\ .1 (") ">j J: I .... -I

OJ (JQ I lJ1 . 0

I.n 1.17 0.11 PC-IL 51 10-1 OF-Z - -----I I IO-Z PC-8M < --

0 (") ~ J.II-2 PC-IN • --I ~

...... 0 :::!

----------4 • 10-5

PC-IO < -------------------------o ~ o <

0 o ~ a ~::l ~ III rt I ::l :r: rt rt

3 I 10-Z -1 I.U PC-IP & • 10-J OF-I -- - -------------~-----llN.2f

13 IN. I.n '.17 PC-IO 1 • 10-3 DF-l -----------3. ,,-2 -1 PC-BR 5 • 10-5 DC-I -----

>..,j 1"1 G') ~

1 .10-& PC-IS • --' -- ---:;tJ ~ I

OJ HI

2 • 10-5 -1 0.13 PC-IT 1.,0-1 -------------------0\ 0 I 1"1

'.n 0.17 PC-IU 2.,0-1 OF-I -----------0 ...... "d ...... 1"1

3.,0-2 -I PC-IV < --- -'- --- .... :;tJ ~ ~

< 1"1 '<

4 • 11-1 PC-IW < ------------------------------------------------------------ PC-IX • --

" 13IN.2 w

EVENT 1 EVENT 2 LOSS OF REACTOR

HTS SUCCESSFULLY COOLING TRIPPED WITH

CONTROL RODS

2.6 -1

,

2 x 10-5

EVENT 3 EVENT 4 EVENT! EVENT 6 EVENT 7 EVENT 8 REACTOR SCS RCCS HPS COOLING NO. OF MODULES

SUCCESSFULLY OPERATES OPERAT S PUMPDOWN RESTORED EXPERIENCING TRIPPED WITH SUCCESSFULL Y SUCCESSF~LL Y PRIOR TO EVENT

RSCE VESSEL DAMAGE ! :

i I [

0.95

---~--------------0.79 ------

I (1 MODULE) ! 0.21

I (4 MODULES) 0.05 ""' 1 I 0.60 ------------! (1 MODULE)

0.09

; (2 MODULES) 0.04

: (3 MODULES)

I 0.27

I (4 MODULES) 3 x 10-6 0.93 0.94

I - - - --I (1 MODULE)

0.06 - ----(1 MODULE)

i 0.07 0.86

i - ----I (1 MODULE)

0.14 - ----(1 MODULE)

-1 0.97 -----------------------(1 MODULE) 0.03 --- 1 , -----------------

1 x 10-6 (1 MODULE)

~----------------4 x 10-5

" (1 MODULE)

..... >- - - - - - - - - -, - - ;JtN'S.EC - - - - - - -(;-M;D~E)

.PI=CTllnr-• -. II-

J..: CARD

Also Avaifable on~ Aperture Card

9503070163

ID MEDIAN RELEASE FREQUENCY CATEGORY

OF EVENT SEQUENCE (PER PLANT

YEAR)

HTS-AA 1.8 NONE

HTS-AB 0.47 NONE

HTS-AC 8 x 10-2 NONE

HTS-AD 1 x 10-2 NONE

HTS-AE 4 x10-3 NONE

HTS-AF 3 x 10-2 NONE

HTS-AG 4 x 10-7 NONE

HTS-AH 2 x 10':"8 DC-2

HTS-AI 2 x 10-8 NONE

HTS-AJ € -HTS-AK 3 x 10-5 NONE

HTS-AL 6 x 10-7 NONE

HTS-AM €

HTS-AN € --

HT -001 ('08)

Fig. C-2. Event tree for loss of main loop cooling


co ~

o to o .-...l o ... c CotO ,

C) w

() I

0:> ....,

t:1 o t>1 I

::r: t-3 G) ::0 I

0:> 0\ I a I-' I-' --::0 ~ <!

w

"'1 ~.

()Q

() I

W

t\) t>1 I» < 11 t\) rt ;:l ::rrt

..0 r:: rt III 11 ;>;"~ ~ ~

H1 0 11

:r -l I 0

~ -~

a 10

EVENT I EARTHOUAKE

>0.06,

EVENT 2 SEISMIC

INTENSITY RANGE

EVENTJ PRIMARY

BOUNDARY INTACT

EVENH HTS

COOLING

EVENT5 REACTOR TRIP WITH

RODS

EVENTi REACTOR TRIP WITH

RSCE

EVENT 1 SCS

CODLING

EVENT 8 RCCS

COOLING

EVENT 9 COOLING

RESTORED PRIOR TO VESSEL DAMAGE

10 MEDIAN FREOUENCY

OF EVENT SEOUENCE (PER PLANT

YEARI

RELEASE CATEGORY

It w tn-J NONE 16XIO-1/yr 0 0.8. Q -I Q 0.98 ______________ • _______________ +I_..;E;,;O;,.-.;,;A.;,;A __ I-...;;,....;,.... __ f-10.06 •• 0.2al

IXIO~ ..... -6 NONE

· ---. I NONE ., 10-4 1.14

2, 10-l 1.14 EO-AI -I -----1 I, 11-2 - - : - - - - - - - - EO-AC

f 1, 10-' c: = = = = +--E"'O;..-"'A.;.O---I-....;;.;;..;;:..---+-

-I ___________ +I_.:;EO:..;-.:.AE:.....-+_.::..:..:.::...._+ __ ::.::.::.....~

I , 11-2 0- __________ tl...;E;;:,O-;,:;A.:.,.F _+-_::"""_+--==---1 I, It-I EO-AG

~";"';';'--o-- - - - - - - - - - - - - - - - -I-----I--...;....-+-......;;;;;;;;;;;.~ 2 x 10-1 :> ___________________________________ ,1_..;.;EO;.-.;.A;;;H~ __ r-_..;.; __ +_-"'='---I

-I 0.10 • , 10-2 •.•• -4 NONE

"IO-~ •.•• -5 ~

EO-AJ

_____________________________ -t1_....;;.EO;.-"'A,;;,I_.....,f-..;.,;;,.;.~_+-

10.2 •• 0.411 ,-_..;';;;.3;,;0 __ 0<;0 - I ____ _ 0.12

~ -----------I , 11-2 -I _____ -t-~EO;;"-";,;,AK"___+-,;,,..;,,,;,:;,..--+-

f 3, 10-6 0- ____ -t-~EO;;,,-..:;;A:..L _+_""':"_-1_ • ~ •• -1 NONE • __ 3_'_',;,,0-_3__ -I 0.12 "I~....;E.;,O_-A;:M::.._+_..;.,.;;,..;; __ +-

Q Q -----------,

· •• _1 NONE 1,11-2 0 -I _____ ,1_,,;E:;,:O;.-.:;A~N ___ r-...;:.::..:.::....._+_..:::::::.::..---1

3 , 10-6 EO-AD

5,,0-1 ____________ +I_...:E,::,O-::A:,::,P_-+_""": ___ +_==--I 5, 10-1 0- __________________________________ -i1_....;;.EO;.-..;A;,;O:,,-_r-_"':' __ +_-==:"--I

EO-AS

2 , 10-2 0 -I 0 O.ll _____________________________ .II-....:E.:;O;,.-;,;A;,;R __ I-....:;,....;,.... _ _I'-

10.4 •• O.Bul

-----1 0.11 --~,-------- EO-AT

f .. __ ,;,6;"..;10..;-.6 __ ----- ~-.;,EO;.-..;A..;U--f-~~~-~-- 0-----

VI -I D.11

h 10-3 9 -I 9 O.ll ____________ +I_....:.EO;.-..;A;:,.V..;._+-_..::..::.:.:. __ +-0.11 0 -I ______ -+I_E;;,;;O..;:-A,;;,;W_+..;.,;;",;,;;_-+_;,;.;,.;;~_I

• ~ •• -5 NONE

4"D-~ · .~-, NONE

___ 7 I NONE

•• -8 I NONE

ax 10-6 C- _____ ~I ---:E;,;:.O-",;;A;,;:.X -+--";";'-~......;=~-l

2,,0-5 I EO-AY L-----_o- - - - - -. - •• -- - - - - --+......;.:;;,...;:.:.--+-...;;,.--+--=~-I

l,'0-3 "0':5-4:>- ~ .-'0--'- - - - - -:-:-:--=--: .. - - - - =--:----~~--= .. -- --------1 ::~:: 1--T'-~O~1d---N(fNE-I~ (0.8 to 2.011 0 0 - - - - - - - - - - - - - - - - - - - - - - - - - ----- -+--=".;,;,..;.--+---,;,,;,.:.:.--+--..::.::;,:,:;--

0.96 0 0.96 _____ -Q 0.31 ____________ +1_..;E;,;;0..;-,;,8 8~_+-__ ;,;;";,;;,,,_-+_ , _ tn-6 NONE

< ..• n-6 0.63 0 0.99 __ ----+I---'E""O-....:B·,;;"C--f-"""'-"""'--+- NONE

",0-2 0.65 EO-BO 2 x IO-B NONE

0.35 EQ-BE 1" 10-8 OC-l

... _R 4x10-2 0 0.96 0 0.37 ____________ -1If-....;E::O;;,-B::;F..;._~-..::..::...:.::.-- NONE

•• -1 NONE 0.13 0 0.99 ______ +1...;E;;:,0-;"::8;:,,G _~...,;,,;;,.:.:.._+----:.:.:::;,:,:;. __

",0-2 0- ____ +I_E=.::O:;::-B:;.:H_+_....::.._-+_-==-__

4 , 10-2 0 0.37 ____________ +I_;;,;;EO:...-B:.:.I_+_"",,,-_-+_-=~ __

0.63 0- ___________ ~I---:E:.::..O-:.::;8J~+_"':"'_-+----':=---I

5,,0-2 4 x 10-2 I En-BK 2, 10-8 NONE L.-":';;";~---<O :>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +----''''-'''''--t----t---.;;.;;...;.;;.--I

EO-BL NONE

-----1 0.63 - - 0:9- --= = = = = ~ I EO··8M 3, 10-1 OC-3 r ",0-2 0- _____ t._...;E;,;O;",-,.;;8.;.;N __ t--____ --i _____ -i

0.96 0.31 0.96 1 x 10-7

1.--.;..4 _' '_0-_2 _ 0.96 0.31 I-.!.E::.:O-:!!:BO:!...--+_....::.._-+_-=~-I o 0 ------------~

0.63 :> ____________ +I....;.:EO=--B=-P _-+-_~--+_..,;;,;;~~

4,,0-2 EO-BO 0- ________ - --- - ____ ,J,. __ ;.;",=_ ..... _____ ...I.. __ ,,;;,;_~

> » »Ci) "CO -0» CD» omz :::1< »:D(J) ~tu CD;::': :0-1-1 ()~ Oem m-.... <t> :DO 0.0

::-:J m

10-3 > t,)

Z &.1.1 :I CI &.1.1

10-4 a: ~

&.1.1 5% HAZARD t,)

z cr: Q &.1.1

10-5 &.1.1 t,)

>< &.1.1 ..... cr: :I Z z 10-6 cr:

~EXTRAPOLATED

, ,) \ ~ \ \ \ \ \ \ \ , \ \ \ \ ,

1 2 10

PEAK GROUND ACCELERATION, 9

HT-001(110)

Fig. C-4. MHTGR site seismicity curve


n I

00 \0

t::I o P:I I

~ ~ I 00 0\ I o ...... ...... -~ . to.)

EVENT 1 LOSS OF

OFFSITE POWER AND BOTH

TURBINES TRIP

5 x 10-3/YR

HT-001l111l

EVENT 2 REACTOR

SUCCESSFULLY' TRIPPED WITH

CONTROL RODS

-1.00

6 x 10-5

EVENT 3 EVENT 4 EVENT 5 NO.OF ID REACTOR SHUTDOWN RCCS MODULES

SUCCESSFULLY COOLING SYSTEM OPERATES EXPERIENCING TRIPPED WITH OPERATES SUCCESSFULL Y EVENT

RSCE SUCCESSFULL Y

0.99 LOSP-AA ----- -----1 x 10-2

(4 MODULES) -1.00 0.69 LOSP-AB

(1 MODULE) 0.02 LOSP-AC

(2 MODULES) 0.02 LOSP-AD

(3 MODULES) 0.27 LOSP-AE

3x 10-6 (4 MODULES)

LOSP-AF ..JI't. _____

11 MODULE) -1.00 0.99 . LOSP-AG -----------

6 x 10-3 (1 MODULE)

LOSP-AH -. ----------4x 10-5

(1 MODULE) .... LOSP-AI ----------------11 MODULE)

Fig. C-S. Event tree for loss of offsite power

MEDIAN RELEASE FREQUENCY CATEGORY

OF EVENT SEQUENCE (PER PLANT

YEAR)

5 x 10-3/yn NONE

4x 10-5/yn NONE

9 x 10-7/yn NONE

1 x 10-6/YR NONE

1 x 10-5/YR NONE

€ --3x 10-7 NONE

€ --€ --

EVENT 1 EVENT 2 EVENT 3 EVENT 4 EVENT 5 EVENT 6 EVENT 7 EVENT B EVENT 9 NO. OF 10 MEDIAN RELEASE

) ANTICIPATED REACTOR REACTOR OPERATOR HTS SCS RCCS - HPS RESTORATION MODULES FREQUENCY CATEGORY TRANSIENT SUCCESSFULLY SUCCESSFULLY SUCCESSFULLY OPERATES OPERATES , OPERATES PUMPDOWN OF COOLING EXPERIENCING OF EVENT

OCCURS TRIPPED WITH TRIPPED WITH TRIPS SUCCESSFULLY SUCCESSFULL yi SUCCESSFULLY EVENT SE~UENCE

CONTROL RODS RSCE REACTOR (PER PLANT YEAR)

27 ...... 1 0.90 0.3 RS-AA B.l NONE ------------ ------------------------ (1 MODULE) 0.3 RS-AB 7.7 NONE

, ANSTEC (2 MODULES) , APERTURE 0.4 RS-AC 9.5 NONE

(4 MODULES) 0.10 0.95 . CARD .. 0.79 RS-AD 2.0 NONE

-----~------------! (1 MODULE)

Also Avaflable on 0.21 RS-AE 0.50 NONE

Aperture Card (4 MODULES) 0.05 I

....... 1 0.60 RS-AF B x 10-2 NONE ----------- .... (1 MODULE)

0.09 RS-AG 1 x 10-2 NONE

(2 MODULES) 4 x 10-3 0.04 RS-AH NONE

i (3 MODULES) i i 0.27 RS-AI 3 x 10-2 NONE .

(4 MODULES) 3 x 10-6 0.94 0.94 RS-AJ 2x10-7 NONE

(1 MODULE) 2 x lO-B 0.06 RS-AK DC-2

(1 MODULE) 2 x lO-B 0.06 0.86 RS-AL NONE

(1 MODULE) 0.14 RS-AM E --

3x 10-5 (1 MODULE)

3 x 10-5 ...... 1 0.96 : RS-AN NONE ------ -----------------------j

(1 MODULE) 3 x 10-5 0.04 0.97 RS-AO NONE -----------------I (1 MODULE)

0.03 ....... 1 RS-AP 1 x 10-6 NONE -----------1 x 10-6

(1 MODULE) RS-AO E -------------

4 x 10-5 (1 MODULE)

1 x 10-B 0.B3 RS-AR NONE ---- -- - - - - - .. - - - - - - - - - - - - - - - -- (1 MODULE)

0.17 RS-AS E ------------- .. _----------------(1 MODULE)

HT-001 (112)

9503070163 -0 Fig. C-6. Event tree forATWS


o I

\D .....

t::I o tz:I I

~ ~ I

00 0\ I o ..... ..... -::d CD <: . VJ

EVENT 1 CONTROL ROD

GROUP WITHDRAWAL

0.10

HT -001(113)

EVENT 2 REACTOR

SUCCESSFULLY TRIPPED WITH

CONTROL RODS

-1

1 x 10-5

EVENT 3 EVENT4 EVENT 5 EVENT& NO.OF 10 REACTOR HTS SCS RCCS MODULES

SUCCESSFULL Y OPERATES OPERATES OPERATES EXPERIENCING TRIPPED WITH SUCCESSFULL Y SUCCESSFULL Y SUCCESSFULL Y EVENT

RSCE

0.99 1 RW-AA ----- -----------• x 10-3 0.97 1 RW-AB - ----

3 x 10-2 -1 1 RW-AC

1 x 10-& 1 RW-Ao

-1 0.99 1 RW-AE -----------• x 10-3 0.97 1 RW-AF

t -----3 x 10-2

~ ---- 1 RW-AG

3 x 10-5 1 RW-AH ------------------

Fig. C-7. Event tree for control rod group withdrawal

MEDIAN RELEASE FREQUENCY CATEGORY

OF EVENT SEQUENCE IPER PLANT

YEAR)

0.10 NONE I

9 x 10-4 NONE

3 x 10-5 NONE

€ --1 x 10-6 NONE

1 x 10-8 NONE

€ --€ --

C) I

\D N

I:' o trl I

::c t-j GJ :::0 I

(Xl

0\ I o ...... ...... --:::0 It)

<:

w

EVENT I SMALL

S/G LEAk OCCURS

EVENT 2 MOISTURE MONITOR

DETECTION

EVENT l REACTO~

TRIP ON HIGH

MOISTURE

EVENH REACTOR MANUAL

TRIP

EVENTS REACTOR TRIP ON

HIGH PRESSURE

EVENTI· S/G

ISOLATION

EVENT 1 DELAYED

S/G ISOLATION

EVENT. AUTOMATIC

S/G DUMP

EVENTI S/G

PRESSURE RESPONSE

EVENT ID SCS

COOLING

EVENT II RCSS

COOLING

EVENT 12 PRIMARY

RELIEF TRAIN RESPONSE

10 MEOIAN FREOUENCY

Of EVENT SEQUENCE (PER PLANT

YEAR)

RELEASE CATEGORY

0.4 0 -I 0 - I - - - - - - - - - - - o<;l - I - - - - - C-I - - - - -1 D.98 - - - - - - - - - - -_ Ix 10-2 r -I ____ _

l ,.10-6 0- ____ + __ S;.;S;..-.;.;A;;...C_I-_....;....;_-+ ____ ---l

,.,0-4 0.99 55-AD 1 x 10-4 NONE

(FAILS CLOSED) - - - - - "9 - - - - - - - - - - -

SS-AA O.l NONE

1 x 10-2 SS-AB NONE

11( 10-5 -1

')( 10-2 -I 0.91 r (OPENS/CLOSES)

J.It tn-Z

(FAILS OPEN) l.1l 10-5

SS-AE

SS-AF

SS-AG

8 x 10-1 WC-l

J.II 10-8 WC-I

(FAILS CLOSED} I. 10-6 :::- ____ -II_...:S:;:.S-;;:A;;:H:...--I __ ...:. __ + ____ -I

1 x 10-4 -t -1 0.91 0.91 I 55-AI J 1110-5 NONE

(FW VALVES 'T <30 MIN 'T ~ (BYPASS) r -----------FAIL OPEN}

2 x 10-5

(STEAM VALVES FAIL OPEN}

1.10-5

(STEAM ANO FW VALVES FAIL OPENI

Z I 10-2 -1 I SS-AJ 1)[ 10-6 NONE ;J - - ---

1.10-6 ~I_~SS~-~A~K_--I __ ~ __ ~_~~....;--I ...... _--0- -- - - ... 2 x 10-2 _ _ _ _ _ _ _ _ _ _ _ I 55-Al 6 .. 10-1 NONE 0.98

(OPENS/CLOSES} 2. 10-2 -I 55-AM l.10-8 NONE

o -----,.,0-6 :::- ____ ~I~~S.;:;S;;:A:::N:...-~-...:.--+-...::::::..._j

,-:~4~. i'i'0~~~_:> _________________ +_;;SS:;;:A~O --+--':"'--l--=::;:;=--j (FAILS OPEN)

, J II 10--4 0.98 0.98 SS-AP '" 10-8 NONE

(FAILS CLOSED} r (BYPASS} ~ - - - - - - - - - - -

2.10-2 :::- __________ 11~~S;:;S-;;:A:.::0:...-~-...:.--+--===-_j

2 x 10-2

2. 10~ (OTHERS} :>- - - - - - - - - - - - - - - - - SS-AR > lO MIN :>- _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ t-"'SS;;";'';';S'''';-I--..;,--+--===---l

_I - - - - - - - - - - - - r...::.;:;-;::A~-t-_..!..._+.......;=;....j 1 x 10-6 -I 0.98 -----1 2)1 10"":2 - --~ - - - - - - - -I 55-AU J It 10-7 NONE

r -----. l 1.10-6 :::- ____ +_..;;S;;.S-..;A.;.;V_--1f-_~ __ +_-=~....;_i

SS-AT NONE < 30 MIN

, ]x 10-~ (FAILS CLOSEO) :>- - - - - - - - - - - - - - - - - _ _ _ _ _ _ SS-AW r-~~r-~-+--=~~

2 x 10-4 > 30 MIN C>- - - - - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ SS-AX

-I t-~~~r-~---+~=~ 2.11 10-5 -I O.QA SS-Ar NONE -----1 2. 10-2 - - - - - - - - - - -

- y ------""l 1. 10~6 +-_...;S;;;S...;-8;;,;A;.-.....,I-_...:.. __ + ____ -1 . :>-----.,

< 3D MIN g.ll 10-1 SS-AZ NONE

, J lC. 10-4 (FAILS CLOSEO) :::- - - - - - - - - - - - - - - - - - - - - - - 11_-'S;;;S_-::.:BB~....,r_-.!.--+--===-....J

2 x 10-4 ____________________________ +I_...::S::;;S-;.::.:BC:......+_-:..._-+_.=;::...-t

> 30 MIN _____ [-' -----C-I -----1 2:::-2 --~--------- 1 -----

1 .. _..:.1.::.,..:.10;.,-_6_""0- _ _ _ _ SS-BF f --

1 J{ 10-4 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ SS-BG E __

'.,0-3 _____ ~:A:S~l:E~)----_------------------- SS-BH E

3.11 10-6 NONE SS-SO

'.II 10-1 SS-BE NONE

l. 10~ :> _______________________________________________ .,I--",S;.S-...;B;.;.I-....,--...:..--+--== __ ....,

'I( 10-3 J II 10-4 _____ o()_---I~-- -I -I

-----------~ 0 -----SS-BJ 0.91

1 2, 10-2 - --~ - - - = = = = = SS-8K 1,10-5 NONE

NONE

• TIME FOllOWING REACTOR TAIP

'"'l f-'.

()1:l

() I

(Xl

UJ trl rt <: It) It)

~ ::J 8 rt

()1:l rt It) ti ::J It) It) It)

ti ~ H-o rt 0 o ti ti

UJ 1-'8 It) Ol ~ I-' ;0;"1-'

I ~ I o o

~

·co <:ll o ('A?

o ..:t o t-eD CO

\

C) lY\

J I( 10-4

SI.5 HRS

1 I. 10-6 0- ____ +_.:::SS:;;.-;.:8L'--I __ ':'-_-+_";;;;=~-I '1110-1 3 II. 10-4 5S-8M NONE 0.98 1 2 x to-2 - - - - - - - - - - - SS-BN

~.~~_o-----------++-~~--~~--+--==-~ (FAILS CLOSEO}

2 II. 10-5 . 1 S5-BO :>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-....:::~:....-1---:..--+--==-~

, lC 10-7 NONE -I -I -I 0.98

-----~ 0 -----1 -----------_ Z. 10-2 0- __________ +_...;S;.S...;-B;.;O=-_I-_-"' __ +_"';;=;;;"'-1

SS-BP

, J lC. 10-4 ::> _______________________ +_",S;.S-..;B",R_....,f-_""';' __ +_-"'="--I (FAILS CLOSED)

I.IO-l 0- ____________________________ +-_..:S:;;.S-;;.:B:;:S_--1I-_~ __ +_-"'==---I ..... ....;.;1 ';.I;;;O_-l __ o- ________________________________________ ..a..._..;;S;;.S-...;B;.T_.....JL-_"':"' __ ....L.._-===---I

» »Ci) "00 g» C~ ~::: ·ro 00-fJ)~(I) Q.O

::s

~. » '"0» Omz

»JJcn :IJ-f-i oem

JJO m

c:o CIt o CA:)

o ...:l cO .... C CO ,

C) 6"

n I \0 W

o o [%j I

::r: >-3 Q :;tJ I

OJ C'I I o ...... ...... -:;tJ (I)

<:

w

"%j ,....-

OQ

n I \0

en [%j rt c:: n> n> III ::J E! rt

OQ rt (I) '1 ::J (I) (\) (\) '1 III Hl rt 0 o '1 '1

E! ...... 0 n> 0.. I» (\) ;>;"'1

I» rt (I)

I ..... I o o ~

£!

EVENT I MODERATE

S/G LEAK OCCURS

EVENT! MOISTURE MONITOR

DETECTION

EVENT) REACTOR TRIP

ON HIGH MOISTURE

EVENT 4 REACTOR TRIP

ON HIGH PRESSURE

EVENT 5 S/G

ISOLATION

EVENT 6 oELAVEo

S/G ISOLATION

EVENT 7 S/G

DUMP

EVENT 8 S/G

PRESSURE RESPONSE

EVENT' SCS

COOLING

EVENT 11 RCCS

COOLING

EVENT 11 PRIMARY

RELIEF TRAIN

RESPONSE

10 MEDIAN FREQUENCY (PER PLANT

YURt

RHEASE CATEGORY

4.,0-2 _I -I _1 0 .• 1 .j_..:::M::.:S-::A:::A_-+_..:3~'~1:::.0-_I_+_.::N:::.O::.NE::""'--I o 0 -----0 ----- Q ---- -9 -- - -------

> >e;; "CO

~> c:~ (iJ= O~ Sll..,<0 0.0

:::J.

11110-5 .

Z.,0-2 _I _I

ISTAYS SHun 4.,0-3

loPENS/ClOSES, 11110-4

IFAIL oPEN'

MS-AB

MS-AC

MS-Ao

1 1110-3 NONE

5 J( 10-6 WC-l

21110-) WC-5

','D--' ::- ____ -lI_..!M~S~-A~E_-I-_.!..._-+_-==-__

31110-4 ---'-4 0.98 __________ MS-Af 11110-5 NONE

IF AIL ClOSED' 2 II 10-2 _, 0.91 MS-AG 3 III 10-1

10PENSIClOSES' 31110-2

If AIL OPEN' 1 It 10-5

IFAIL ClOSED'

WC-6

MS-AH 1 II 10-8 WC-I

MS-AI

','D--' c----- -l-....::::MS:;:-A::::,'_+-_!.-_I-..;::;;;;;....--I

11110-4 0.98 WF-4

IFWVALVES -----FAil OPEN)

2.'0-5

ISTE"AMVALVEs FAil OPEN)

Z x 10-2 _I 0.91 loPENS/CLOSESI

3 II 10-2

loTHERS'

WF-Z

MS-AM

MS-AN 1 x 10-1 WC-6

MS-AO

1,'D-6 0- ____ +-:::M::;;S-:::;AP_+-_;'-'_I--==---I

MS-AR

I 2 I( 10-2 D.ltl 0.91 I MS-AQ 6 II 10-8 WF--4 (OPENSJCLOSES8 - - - - - ~ (OPENS/CLOSES)

3 II 10-2

10THERS'

----1 j MS-AS .l . -z _ ------ I "" 0-__ ~, ~ ~

JL-~M~S-~A~U~-1--~==~--r_~==::~ ·L,,""';-;;;;WIS. _____ _

- - - - - - - - j-2!MlS;!A~V:"'-t--~:-11-::~J - - - - - - - - -1 WF-3

- -- ~-- -~~~-~~~rrt--~M~S~AW:---r--5~~"O~==1===~~ __

-- --- - 0.91

- - - - - - 0.91 - - - IloPENS/Cl.."fES' I>J~~'N' _I -- - - ~ 3. I. ~

2.,0-8 Wf-l MS-AX

D.ID IZ.-3DMINI

Z II 10-2 -I

IFAllOi'HII ,.,0-5 IFAIL cLoseD,

0.89 loPENS/CLOSES,

.11

MS-AY

MS-AZ 21110-8 WC ....

MS-8A

I • 10-& (OTHERS) MS-BB

1.--:";;';';'--_:>- - - - - +"':::=-+---=---+-="--1 J 110-4 IFAI~~LOSEo, 0- -- - -- - - - - - - -.- -- __ T_.;;M:::.S..;-B:;:C_-t_-=:::~_I-_===_-I

----kO.9S _____ •. 91 MS-BO PENS/CLOSES,

31110-2 MS-BE

2.'0-'-IOTHERS) MS-8f -----------

, 31110-4 IFAIL CLOSED' c- - - - - - - - - - - - - - - - -- - -t_.::M:;:S;::-B::G:""-f __ ..!.. __ !-_===-....J

'1.10-2 C>- - - - - - - - - - - - - - - - - - - - - - ..;..-+-=..;;;;~-+--..:...-__ I-...:;;==--t

t>JOMINI 11110-5 ... 1"'1 O.gl

(STEAM AND ----1 FW VALVES FAIL OPEN)

2.,0-2 -I IF AIL CLOSED!

o.gl IOPENS/CUfsES,

3 It 10-2

MS-8J 7 It 10-1 WF-Z

M5-BK

MS-Bl

MS-IM loTHERS'

,,,.-, c- ____ +_=M!;S-~8::N_-+ __ ~_-!_...;;= __ -l

I 31110-4

,'D-3 IFAIL CLOSED, ::- - - - - ,- - - -

0-' -- 091 1>30 MIN' ::------ ------C --- I - - - -- - - - - - -- - -- t=-:MS~-~I~O-t--~--+---=--J -c=-----1 D98 ~~ ~ ~ = ------r-:-:MS-I~P f---!-~.==:J _ 2010-1 ------ I

101 -z .. ,..... ::------.. ,,_. • _____ .::~~.~.~ _______________ ~ ----J-:~'-i--.!..--~-===J __ ___ _ ______ :_-:_-::.: __ -_-:.=~= ____ -___ -_=_=_=_~~=-+....!.--!-=:J

MS-BO 3 It 10-7 NONE

1 ,,10-] . .. 1 _1 0.5 0.98 WF-4 ------Q: ----4 Q j<10MIN) ---- 4' -----

» -0:)-

Omz >:000 :0-1-1 oem

JJQ m

2 II 10-2

(FAIl/OPEN)

'110-5 IFAIL CLOSED)

... , 0.91

(OPENS/CLOSES) 3.'0-2

tFAIL OPEN) 1110-5

WF-2

M5-8X

MS-8V 5 II 10-7 WC-6

MS-IZ 2 It 10-8 WC-2

MS-CA

6 tFAIL CLOSED) .. ID- :>- _____ 11_..;M:::S:;-;:;C:.B_-+ __ ~_--1_..;;= __ ~

O.S 0.98 WF-4

I··IDMINI ----4

2.10-2 _I

fFAIl OPEN)

11110-5

tfAIL CLOSED) 0.94

IOPENS/CLOSES) .,0-2

IF All OPEN) I II 10-5

WF-Z

MS-CE

MS-Cf 5 II 10-7 WC-6

MS-CG 4 II 10-8 wc-z

MS-CH (FAil CLOSED) ,.,.-& 0- ___ ~ -I-_::;M::.S-::C:::.'_-+ __ -!.. ___ ~-===--I

Z 110-4 0---- ______________________ +_;:M::.S-::C:::.J_-+ __ .!.._-II-_==;;...-l

C II ID-S 1-:..& MIN) MS-CK

0_ - - - - - - - - - - - - - --- - --- - - -- - - - - - - --- -- - ..... --:=.::-..J.._-=--..I--"'=---i

APPENDIX 0 RELEASE CATEGORY DESCRIPTION AND DOSE QUANTIFICATION

As discussed in Section 8, the consequences of representative acci

dent sequences are discussed in terms of the resultant dose to an indi

vidual at the plant EAB. This appendix details the accident categories

and for each accident category presents the data and methods, fission

product release and dose assessment, and uncertainty analysis.

The accidents considered in Appendix C that result in dose conse

quences are evaluated in this appendix. These accidents include fission

product releases from forced convection cooldowns under dry and under

wet conditions, and from conduction cooldowns under dry and wet condi

tions. Forced convection cooldowns under dry conditions are initiated

by primary coolant leaks. The fission product release is due to frac

tional.release of circulating and plateout activity. Forced convection

cooldowns under wet conditions are initiated by steam generator leaks.

The fission product release is due to fractional releases from oxidation

of graphite and hydrolysis of failed fuel in addition to fractional

release of circulating and plateout activity. Conduction cooldowns

involve loss of forced convection cooling and therefore rely on conduc

tion and radiation to remove heat from the reactor core out to the reac

tor cavity cooling system (RCCS). The incremental fission product

release is due to fractional releases from heatup of the fuel particles.

Conduction cooldowns under dry conditions are initiated by primary

coolant leaks, loss of main loop cooling, and seismic activity. Conduc

tion cooldowns under wet conditions are initiated by steam generator

leaks. The consequences from forced convection cooldowns under dry

conditions are discussed in Section 0.1. The consequences from forced

convection cooldowns under wet conditions are presented in Section 0.2.

The consequences from conduction cooldowns under dry conditions are

discussed in Section 0.3. The consequences from conduction cooldowns

0-1 DOE/HTGR-86-011/Rev. 3

under wet conditions are presented in Section 0.4. ~ach of the conse

quence sections presents the data and methods, the fission product

release and the resultant dose assessment, and the uncertainty analysis

for the accident sequences considered.

0.1. CONSEQUENCES FROM FORCED CONVECTION COOLDOWN UNDER DRY CONDITIONS

A number of event sequences that are initiated by primary coolant

leaks have been identified in Fig. C-1. Since all these primary coolant

leak sequences result in fission product release to the environment they

are all addressed here. Those sequences that have forced core cooling

have been grouped and categorized as forced convection cool downs under

dry conditions. The categories are labeled DF-1 through DF-4 where

DF-1 has the greatest consequence and DF-4 has the least nonzero conse

quence. The consequence source term for forced convection cooldowns

under dry conditions includes a portion of the circulating activity and

the liftoff of a fraction of the activity plated-out on primary circuit

surfaces. Incremental release of radionuclides from the fuel body

inventory is prevented by forced convection cooling of the reactor core,

which is provided in all cases by either the Heat Transport System (HTS)

or the Shutdown Cooling System (SCS).

The circulating and liftoff activities are released through the

breach in the primary coolant boundary into the reactor building. For

smaller leak sizes, the consequences are reduced by pumpdown of primary

coolant to storage bottles by the Helium Purification Subsystem (HPS).

For larger leak sizes pumpdown becomes ineffective, and essentially 100%

of the circulating activity is released into the reactor building. The

fraction of material lifted-off at a given location in the primary cir

cuit increases when helium flow velocities increase at the location.

Once in the reactor building, fission products are depleted by the nat

ural processes of radioactive decay, plateout on building surfaces, and

by particulate settling. The fission products can be transported from

the reactor building to the atmosphere by building leakage or through

0-2 DOE/HTGR-86-011/Rev. 3

the building dampers if the depressurization rate from the vessel

exceeds the building leak rate.


The primary coolant leak depressurizes the reactor vessel resulting

in release of fission products to the reactor building as described in

Section 6.1.1. When the reactor pressure reaches 5688 kPa (825 psia),

the Plant Protection and Instrumentation System (PPIS) initiates a reac

tor trip and automatically inserts the outer reflector control rods.

The pumpdown of primary coolant to storage bottles by the HPS is auto

matically begun when the reactor pressure reaches 5515 kPa (800 psia).

The"effect of pump down is negligible for hole sizes greater than 6.5 cm2

(1 in.2) because the depre~surization is too rapid.

The circulating and plateout activities initially available for

release during a depressurization event are based on radionuclide design

criteria. The radionuclide design criteria are the allowable levels of

radionuclide accumulation in the primary coolant circuit which will per

mit the plant to satisfy the radiological dose limits applied to normal

plant operation and postulated events. The nominal circulating activi

ties and equilibrium 40-year plateout activities available for liftoff

are presented in Table 0-1 for those radionuclides which are major con

tributors to the resultant dose from a forced convection cooldown under

dry conditions.

Initially, the rate of helium depressurization is determined

using choked flow conditions. At a reactor pressure of about twice

atmospheric pressure, the depressurization flow is no longer choked.

The amount of helium released is determined by integrating the time

dependent rate of depressurization through the leak along with the HPS

pumpdown rate. The time to depressurize the reactor vessel is shown in

Fig" 0-1 as a function of leak size.

0-3 OOE/HTGR-86-011/Rev. 3

TABLE D-1 INITIAL CIRCULATING AND PLATE OUT INVENTORIES OF NUCLIDES THAT ARE

MAJOR CONTRIBUTORS TO RADIOLOGICAL CONSEQUENCES OF FORCED CONVECTION COOLDOWNS UNDER DRY CONDITIONS

Circulating Activity Plateout Activity Isotope (Ci) (Ci)

Kr-85m 2.30+00 0.00

Kr-87 2.96+00 0.00

Kr-88 5.16+00 0.00

Kr-89 1.24+00 0.00

Rb-88 6.78-02 5.20+00

Rb-89 1.98-02 1.31+00

Sr-89 1.39-06 1. 72+00

Sr-90 7.29-10 3.35-01

Y-91 2.14-07 4.17-01

Ag-110m 5.43-06 8.43+00

Te-129m 9.26-06 1.91+00

Te-132 8.25-04 1.66+01

1-131 1.79-02 2.00+01

1-132 2.23-01 1.94+01

1-133 1.18-01 1.49+01

1-134 5.41-01 5.22+00

1-135 1.91-01 6.74+00

Xe-133m 1.14-01 0.00

Xe-133 2.32+00 0.00

Xe-135m 1.20+00 0.00

Xe-135 3.49+00 0.00

Xe-138 1.12+00 0.00

Cs-134 3.23-06 1.49+01

Cs-137 1.98-06 7.00+01

Cs-138 9.37-03 1.30+00

Ba-137m 3.27-04 6.62+01

D-4 DOE-HTGR-86-0i1/Rev. 3

If the leak size is large enough, liftoff becomes a major source

of released fission products in addition to the circulating activity.

Liftoff refers to the removal of fission products plated-out during nor

mal operation from the surfaces of reactor components by particulate

entrainment, desorption, and diffusion. The liftoff model developed for

depressurization events takes an empirical approach using all of the

experimental data available (Ref. D-1). The ratio of shear stress dur

ing the accident to the shear stress at nominal operating conditions is

called the shear stress ratio (SR). Experimentally derived curves of

liftoff versus shear stress ratio were considered in developing the

liftoff model.

In applying the model, t~ requi~ements must be satisfied:

(1) provide an expression for the liftoff in excess of that under nor

mal conditions (SR • 1) and (2) provide for a limiting value of 100% for

the excess liftoff as the shear ratio increases without limit. To meet

these requirements, the following expression for percentage liftoff was

used (Ref. D-1):

AL(%) _ 100 m (SR-1) 100 + m (SR-1) (D-1)

where the m values are given in Table D-2 for representative isotopes.

The local shear ratios in the primary coolant loop were calculated

for various leak sizes and positions in the loop. The calculational

method used for determining the local shear ratios solves a set of ordi

nary differential equations and relations gov~rning the modeled flow

system. The analytical model assumes that the primary coolant system

can be broken down into a series of subvolumes, or nodes, interconnected

by flow paths. The transient forms of conservation of mass and energy,

as well as the equation of state, are then applied to the nodes, and the

transient conservation of momentum with the buoyancy term is applied to

the interconnecting flow paths. Transient coolant pressure, tempera

ture, and flow throughout the primary coolant system are calculated,

D-5 DOE/HTGR-86-011/Rev. 3

TABLE 0-2 CONSTANTS IN EQ. 0-1 FOR THE EXCESS

PERCENTAGE LIFTOFF

Other Isotopes Isotope m Represented

Cs-137 0.4 Sm, Rb, Pr, Pm, La, Eu, Cs, Ce, and Ba

I-131 1.2 I and Br

Sr-90 2.6 Zr, Y, Te, Sr, Sn, and Mo

Ag-110m 1.2 Ru, Rh, Pd, Nb, and Ag

Te-129m 1.2 Te

Sb-125 1.2 Sb

0-6 OOE-HTGR-86-011/Rev. 3

taking into account the dynamic behavior of the circulators and valves,

the actions of the PPIS, and the heat transfer between the coolant,

core, steam generator, shutdown cooling heat exchanger, and reactor

internals. These calculations were performed using the systems-dynamics

computer code RATSAM (Ref. 8-1). The RATSAM model of the MHTGR is shown

in Fig. D-2. The estimated local shear ratios were used along with the

distribution of plateout on primary circuit surfaces to determine the

fractional liftoff from the primary loop surfaces for a given leak. The

total integrated liftoff of fission products from all the primary loop

surfaces released into the circulating helium was estimated for a range

of leak sizes and locations.

By using the liftoff model to combine the local shear ratios for a •

particular leak with the distributed plateout activities in Table D-1,

the liftoff activities are calculated. The total percent liftoff is

presented in Table D-3 for various leak sizes. It can be noted from

Table D-3 that total integrated liftoff from the primary circuit does

not necessarily increase with increasing leak size. Since a leak occurs

from a system of flowing coolant, it tends to accelerate flows upstream

from the leak site and decelerate flows downstream. Accelerated flows

typically produce local shear ratios greater than 1.0, and local lift

off, Whereas decelerated flows produce no local liftoff. For some leak

locations, increased leak size actually decreases the liftoff at the

locations Where most plateout has been deposited, While increasing lift

off only at locations Where very little plateout resides. Thus, for

some leak locations, the total integrated liftoff from the primary cir

cuit decreases for increased leak size. In Table D-3, most of the iso

topes display a smaller total percent liftoff for a leak of 0.65 cm2

(0.1 in.2) at the circulator outlet than for smaller or larger leak

sizes. The total percent liftoff of iodine, however, is smaller for a

leak size of 6.5 c~ (1.0 in.2), since the plateout distribution of

iodine differs from the distributions of the other isotopes. All lift

off is considered to be elemental rather than in the form of compounds.

The subsequent transport of fission products that are lifted off will


TABLE D-3 TOTAL PERCENT LIFTOFF FOR VARIOUS LEAK SIZES

Leak Size Total % Liftoff

[cm2 (in. 2)] Sr I Cs Ag, Te, Sb

Circulator outlet

0.065 (0.01) 8.4-03 2.0-03 7.5-04 1.5-03

0.65 (0.1) 6.6-03 1. 7-03 7.2-04 1.4-03

6.5 (1. ) 9.2-03 2.2-04 8.1-04 1.5-03 . 65. (10.) 0.076 0.024 3.6-03 6.9-03

84. (13. ) 0.088 0.029 3.2-03 6.1-03

Steam generator annulus

65. (10. ) 0.41 0.18 0.034 0.067

D-8 DOE-HTGR-86-011/Rev. 3

depend on the governing phenomena and could lead to retention within or

loss from the reactor vessel. Simplifying the calculation of radionu

c1ide transport, retention mechanisms in the reactor vessel are conser

vatively neglected, and all the lifted-off fraction is assumed available

for release as the vessel depressurizes.

The fission product transport in the reactor building, subsequent

release to the atmosphere, and the resultant dose calculations were per

formed using the TDAC computer code (Ref. D-3). The method used is

based on the analytical solution of coupled linear differential equa

tions governing the activity in different volumes representing the reac

tor vessel, reactor building, and the environment over time. The calcu

lation of activity in each volume is based on the assumption of instan

taneous homogenous mixing. The calculation of radiological doses is

based on the semi-infinite cloud approximation. The code allows up to

65 decay chains with up to six nuclides each. The TDAC model is shown

in Fig. D-3, Which indicates the various volumes available and inter

connecting flow paths. Fission product release from the reactor vessel,

removal by pump down of helium, attenuation due to p1ateout and settling

in the reactor building, and release through the building dampers are in

the TDAC model.

The building dampers will remain closed if the volumetric depres

surization rate from the reactor vessel is lower than the volumetric

building leakage rate. When the depressurization rate from the vessel

is larger than the reactor building leak rate, then the dampers open to

relieve the excess building pressure allowing fission products to escape

to the atmosphere. After the pressure transient is complete, the build

ing dampers reclose and the remaining reactor building radionuc1ide

inventory is released by normal building leakage.

The reactor building parameters and site data used in the TDAC

model are presented in Table D-4. As shown in Table D-4,credit is

taken for the physical processes of p1ateout of halogens and particulate


TABLE D-4 REACTOR BUILDING AND SITE PARAMETERS

Parameters

Reactor Building

Volume

Settling rate

Plateout rate

Dampers

Leak rate

Minimum building crosssectional area

Site

EAB distance

Atmospheric dispersion factor at EAB (including building wake effect)

o to 8 h

8 h to 30 days

Breathing rate

o to 8 h

8 to 24 h

1 to 30 days

Medians

5203 ~ (183,738 ft3 )

(0.32 h-1

)1.0 h-1

Open when flow in ) flow out

1 volume/day

732 m2 (7880 ft2)

425 m (1394 ft)

1.22 x 10-4 s/~ (3.46 x 10-6 s/ft3 )

2.70 x 10-5 s/~ (7.65 x 10-7 s/ft3 )

3.47 x 10-4 s/~ (1.23 x 10-2 s/ft 3)

1.75 x 10-4 s/~ (6.18 x 10-3 s/ft 3)

2.32 x 10-4 s/~ (8.19 x 10-3 s/ft3)


settling in the reactor building. The numerical values for plateout and

settling in Table 0-4 are deposition rates effective when depressuriza

tion is complete and the building is leaking at its nominal rate. The

plateout rate is proportional to the mass transfer rate to the vertical

walls with appropriate correction for surface to ~olume ratio for the

reactor building. The settling rate is due to gravitational settling

and is influenced by the particulate size distribution and flow veloci

ties in the reactor building. The atmospheric dispersion factors X/Q

used in the nominal analysis were derived in accordance with the metho

dology of Regulatory Guide 1.4 (Ref. 0-4), including the effect of the

reactor building wake. Ten percent of the Regulatory Guide 1.4 atmos

pheric dispersion factors are used for the median values, in accordance

with Regulatory Guide 4.2 (Ref. 0-5). This methodology was chosen since

it results in typical values for any potential site and is expected

to envelop about 85% of U.S. sites. The breathing rates used in the

analysis are taken directly from Regulatory Guide 1.4.


The planned response to a breach in the primary circuit begins with

reactor trip with the outer control rods, initiated by the PPIS when

primarY system pressure is reduced to 5688 kPa (825 psia). The PPIS

initiates an BPS pumpdown of the primary coolant to storage when a pres

sure of 5515 kPa (800 psia) is reached. This action is ineffective when

the leak size is large enough to result in a short depressurization time

as compared to the time required to pumpdown the primary system. Forced

convection core cooling will continue either on the HTS or the sese Fission products contained in the primary coolant will be released to

the reactor building where plateout and settling will help to reduce the

quantity of fission products that are released through the building

dampers.

The frequency assessment for primary coolant leaks assigns a

release category designation for each forced convection cooldown under

0-11 OOE/HTGR-86-011/Rev. 3

dry conditions. For the purposes of consequence assessment, a represen

tative size is selected for each leak size range identified in the fre

quency assessment in Appendix C. Proceeding from the least to the

greatest consequence, the following paragraphs describe for each release

category the dominant event sequence, radionuclide release mechanism,

and dose consequences.

Release categories DF-4 and DF-3 describe leaks in the range of 2 x

10-4 to 0.2 c~ (3 x 10-5 to 0.03 in. 2). For purposes of consequence

assessment, a leak size of 0.065 c~ (0.01 in.2) has been selected as

typical of leaks in this range. Forced convection core cooling is pro

vided in both categories either by the HTS or by the SCS. The differ

ence in the release categories is that in DF-4, pumpdown by the BPS is

successful, whereas in DF-3, it fails. The doses of DF-4 are therefore

less than those of DF-3 because much of the primary coolant and the

activity it contains is removed by the BPS before it can be released to

the reactor building. DF-4 takes 28 h to depressurize to atmospheric

pressure while DF-3 takes 130 h. Liftoff of plated-out material for

these release categories is small because of the small leak size (see

Table D-3). The cumulative release of I-131 and I-133 from the reactor

building to the environment is 1.8 x 10-4 and 9.6 x 10-4 Ci, respec

tively, for DF-4 and 6.4 x 10-4 and 2.3 x 10-3 Ci, respectively, for

DF-3. Table D-S presents the cumulative nuclide release to the environ

ment for the major contributors to dose.

Release category DF-2 describes a leak in the range of 0.2 to

6.5 c~ (0.03 to 1 in. 2). A representative size of 0.65 c~ (0.1 in.2)

was selected for analysis in this size range. Forced convection cool

ing is provided either by the HTS or by the SCS. Pumpdown by the BPS

in this size range has a negligible effect on the consequences. DF-2

takes 7 h to depressurize to atmospheric pressure. All of the circulat

ing activity is released to the reactor building. Liftoff of plateout

material for this release category is small because of the "small leak

size (see Table D-3). The cumulative release of I-131 and I-133 from


TABLE D-5 CUMULATIVE RELEASE TO ENVIRONMENT IN CURIES FOR FORCED CONVECTION COOLDOWNS UNDER DRY CONDITIONS

Nuc.lide DF-1 DF-2 DF-3 DF-4

Kr-87 6.9-01 1.8-01 1.3-02 1.1-02

Kr-88 1.6+00 6.8-01 9.2-02 7.2-02

Rb-88 1.1+00 6.5-01 8.9-02 7.0-02

Sr-89 6.4-05 3.1-05 2.3-05 6.0-06

Sr-90 1.0-05 4.1-06 3.2-06 8.4-07

Ag-110m 4.4-05 2.3-05 1.4-05 3.8-06

1-131 3.2-03 1.2-03 6.4-04 1.8-04

1-132 3.5-02 7.7-03 7.4-04 5.9-04

1-133 2.1-02 7.1-03 2.3-03 9.6-04

Cs-134 4.0-05 2.0-05 7.2-05 1.9-05

1-135 3.3-02 9.7-03 1. 7-03 1.0-03

Xe-135 1.8+00 1.2+00 4.2-01 2.3-01

Cs-137 1.8-04 9.3-05 3.4-04 8.9-05


the reactor building to the environment for OF-2 is 1.2 x 10-3 and

7.1 x 10-3 Ci, respectively. Table 0-5 presents the cumulative nuclide

release to the environment for the major contributors to dose.

Release category OF-1 represents a leak in the size range of 6.5

to 84 cm2 (1 to 13 in. 2). A size of 6.5 cm2 (1.0 in.2) has been selec-

ted for analysis.

HTS or by the SCS.

Forced convection cooling is provided either by the

BPS pump down of primary coolant cannot mitigate

the consequences for this release category because the primary system

depressurizes within minutes. OF-1 takes 21 min to depressurize to

atmospheric pressure. All of the primary coolant circulating activity

is released to the reactor building as well as a liftoff fraction of

plated-out material (see Table D-3). The cumulative release of I-131

and I-133 from the reactor building to the environment for DF-1 is 3.2 x

10-3 and 0.021 Ci, respectively. Table 0-5 presents the cumulative

nuclide release to the environment for the major contributors to dose.

The nominal dose consequence for each of the release categories

analyzed is presented in Table D-6 for 30-day EAB thyroid, lung, bone,

and Whole body gamma doses. Figures 0-4 through 0-7 present the nominal

dose consequence with and without BPS pumpdown for thyroid, lung, bone,

and Whole body gamma doses.

D.1.3. Uncertainty Analysis

A method for assessing the uncertainties in consequence prediction

was developed in the AIPA safety assessment (Ref. D-6). The method uses

simplified mathematical algorithms describing the consequence control

ling phenomena as functions of variables with uncertainties that affect

the dose consequence. The algorithms are used in a Monte Carlo error

propagation program to model the resultant dose, sampling the input

variables and thereby determining the probability distribution for the

dose. Cumulative probability distributions of independent variables

are specified as input to the program. This section describes the


TABLE D-6 NOMINAL DOSE CONSEQUENCE AT THE EAB FOR FORCED

CONVECTION COOLDOWNS UNDER DRY CONDITIONS

Nominal Dose in Rem

Release Leak Size BPS Whole Body Category (in.2) Failure 7 Thyroid Bone Lung

DF-1 1.0 1. 7-04 8.6-04 6.6-06 2.1-05

DF-2 0.1 5.9-05 2.0-04 2.0-06 7.5-06

DF-3 0.01 Yes 9.6-06 4.3-05 1.1-06 1. 7-06

DF-4 0.01 No 6.0-06 1.7-05 2.8-07 5.4-07


algorithms used for the consequences from forced convection cooldowns

under dry conditions.

For the dose consequence from forced convection cooldowns under dry

conditions

where

.J Di = ~ Qj fj (t; ~l,j; ~2,j; ••• ) Ci,j X/Q

j=l , (D-2)

Di - dose to organ "i,"

.J - total number of nuclides released,

Qj - initial activity for nuclide "j,"

fj (t; ~l,j; ~2,j; ••• ) - fractional reduction in nuclide j due to

buildup, decay, settling, plateout, and

other processes involving the physic~l

parameters, ~l,j; ~2,j;

Ci,j = dose effectivity to organ i from nuclide

j; whole body 7 dose,

dose commitment effectivity to organ i

from nuclide j X breathing rate;

inhalation doses,

X/Q = atmospheric dispersion factor,

i - 1; whole body 7, 2; thyroid,

3; lung,

4; bone.


The uncertainty in Ci,j is relatively small and is therefore not

considered. The model for determining the probability distribution for

the atmospheric dispersion factor (X/q) is discussed in Ref. 0-7 and the

uncertainty distribution in meteorology is found in Ref. 0-6.

Where [2 _ U~ + CA/w, z

r2 2 Ly - Uy + CA/W,

u - wind velocity,

A - cross sectional area of building,

C = 0.585,

Uz = deviation in z direction,

Uy - deviation in y direction.

(0-3)

The X/q assessment included the probability of being in six different

weather stability classes, Which defined the conditional probability of

being in four different wind speeds, and the probability of being in any

one of ten wind directions, thus accounting for variation in the build

ing wake factor. The values of uy and Uz were taken from Regulatory

Guides 1.145 and 1.111 as determined by the weather stability class.

The wind direction determines the cross-sectional area of the building

based upon its dimensions and a uniform probability of its orientation.

The X/q distribution shown in Fig. 0-8 for the EAB distance of 425 m has

a median of 9 x 10-5 s/~ (2.5 x 10-6 s/ft3).

The initial activity for nuclide -j- for accidents involving forced

convection cooldowns under dry conditions has an uncertainty that is

determined by the uncertainty of its components according to the

following:

(0-4)

0-17 OOE/HTGR-86-011/Rev. 3

where ~,j = circulating activity of nuclide j,

Lj = liftoff fraction of nuclide j (Table 0-3),

Qp,j - plateout activity of nuclide j.

The uncertainty distribution on the circulating and plateout activities

is lognormal. The upper 95% limit to the liftoff at a leak size of

84 c~ (13 in.2) is 5%. Using the nominal value at this leak size

(given by Eq. 0-1), an uncertainty factor (ratio of 95% ~o 50% value)

is calculated and used for all other leak sizes. The resulting uncer

tainty factors are 1640 for cesium, 180 for iodine, 60 for strontium,

and 860 for tellurium, antimony, and silver. The uncertainty factor on

the circulating activity of noble gases and iodines is assumed to be 4,

but for metals, it is assumed to vary from 100 to 5000 depending on the

individual nuclide. There is no plateout activity for noble gases so

that term drops out. For iodines and telluriums, the assumed uncer

tainty factor on plateout activity is 4, but for metals, it is 10.

The factor fj (t; ~l,j ; ~2,j; ••• ) accounts for time-dependent

attenuation. Thus the ~i,j terms that contribute to its uncertainty

include

1. Vessel to confinement depressurization rate.

2. Confinement settling and plateout rates.

3. Radiological decay and buildup.

4. Confinement to environment release rate.

Items 1, 3, and 4 are anticipated to have uncertainty factors below 1.5.

However, Ref. 0-8 cites uncertainty factors of 10 for the confinement

settling and plateout rates. Therefore, the uncertainty distribution in

fj (t; ~l,j; ~2,j; ••• ) is governed by

fj (t, Ap) ; halogens

fj (t; ~l,j; ~2,j; ••• ) N fj (t, As) particles , (0-5)

fj (t) ; noble gases

0-18 DOE/HTGR-86-011/Rev. 3

where Xp = plateout rate,

Xs = settling rate.

Sensitivity studies disclose that to within 1% accuracy:

and

where as' &p, bs ' and bp are dependent upon the depressurization area

and time-dependent physical attenuation phenomena, and MS and MP are

normalized dimensionless depletion parameters based on Xs and Xp '

respectively. The values of as' &p, bs ' and bp were obtained by curve

fitting the dose sensitivity results. The uncertainties in the factors

MS and MP were assumed to be lognormal with uncertainty factors of 10

and median values of 1.

The dose uncertainty analysis for each of the representative leak

sizes is presented in Table D-7 for 30-day EAB thyroid, lung, bone, and

whole body gamma doses.

D.2. CONSEQUENCES FROM FORCED CONVECTION COOLDOWN UNDER WET CONDITIONS

A number of event sequences that are initiated by small and moder

ate steam generator leaks have been identified in Figs. C-8 and C-9.

Only those sequences that result in fission product release to the envi

ronment are addressed here. These sequences in which forced cooling is

maintained have been phenomenologically group and categorized as forced

convection cooldowns under wet conditions. The categories are labeled

WF-1 through WF-4 where WF-1 has the greatest consequence and WF-4 has

the least nonzero consequence. Release categories that exhibit doses

have release paths that vent to the reactor building through the primary


c;:, I

t-) 0

g lZJ -~ ~ I

(XI 0\ I o .... .... -i . w

Release Category

DF-1

DF-2

DF-3

DF-4

TABLE D-7 DOSE UNCERTAINTY ANALYSIS AT THE !AB FOR FORCED CONVECTION COOLDOWN UNDER DRY CONDITIONS

Dose in Rem

Leak Size Whole Body 7 Thyroid Bone Lung

(in. 2) 5% Hedian 95% 5% Hedian 95% 5% Hedian 9S% S% Hedian 9S%

1.0 4.5-05 2.9-04 2.7-03 2.5-04 1.4-03 9.1-03 7.S-07 3.7-0S 4.3-03 1.3-05 1. 7-04 2.6-02

0.1 2.3-05 1.4-04 1.1-03 2.6-05 3.5-04 4.5-03 2.5-07 1.4-05 1.7-03 2.7-06 6.9-05 1.2-02

0.01 2.6-06 1.7-05 1.8-04 4.6-06 6.6-05 8.5-04 7.2-08 4.3-06 5.1-04 6.9-07 1.7-05 3.3-03

0.01 1.5-06 9.2-06 9.0-0S 1.4-06 2.5-05 3.0-04 1.8-08 1.3-06 9.3-05 2.2-07 5.1-06 8.8-04

coolant relief valves before reaching the environment. The consequence

source term for forced convection cooldowns under wet conditions con

sists of (1) circulating activity, (2) steam-induced recirculation of

activity plated-out on primary circuit surfaces, (3) release from ini

tially failed fuel due to hydrolysis, and (4) release from oxidized

graphite. In all cases, the reactor core is cooled by forced convection

provided by either the HTS or the SCS, which prevents any incremental

release of radionuclides from the fuel body inventory.

The frequency assessment in Section C.7 for small steam generator

leaks covers a spectrum of leak sizes ranging from pinhole to approx

imately 0.053 c~ (S x 10-3 in. 2). The maximum size considered for

small steam generator leaks corresponds to a flow rate of 0.05 kg/s

(0.1 lbm/s) which will be used in the consequence assessment for all

small leaks. The frequency assessment in Section C.S for moderate steam

generator leaks covers a spectrum of leak sizes ranging from 0.053 to

6.6 cm2 (S x 10-3 to 1 in. 2). The flow rates may range from 0.05 to

5.7 kg/s (0.1 to 12.5 lbm/s) with the latter flow rate is equivalent

to a single tube offset rupture. The consequence assessment for moder

ate steam generator leaks has been based on a leak rate of 5.7 kg/s

(12.5 lbm/s). In all of the release categories considered in this

section, forced convection cooling is present. Conduction cooldowns

initiated by steam generator leaks are cons~dered in Section D.4.

D.2.1. Data and Methods

A steam generator leak allows moisture to enter the core and react

with the graphite and initially failed fuel particles. A brief descrip

tion of the plant response to a small steam generator leak is presented

in Section 6.1.7 and the plant response to a moderate steam generator

leak is presented in Section 6.1.S. The ingress of high-pressure steam

and the reaction of steam with graphite result in pressure increases

above nominal levels. If the moisture ingress continues due to addi

tional plant protection failures, the primary relief valve will open,

0-21 DOE/HTGR-S6-011/Rev. 3

thus releasing fission products to the reactor building. Releases to

the reactor building are then released to the atmosphere through the

reactor building dampers resulting in offsite dose. The methods and

data used to assess the release categories for forced convection cool

downs under wet conditions are described below.

The analysis of the consequences of a forced convection cooldown

under wet conditions includes the effects of (1) hydrolysis of failed

fuel particles, (2) oxidation of both structural and matrix graphite

in the core, (3) steam-induced vaporization and recirculation of radio

nuclides plated-out on primary circuit surfaces, and (4) the release of

circulating activity. The computer program OXIDE (Ref. D-9) is used to

analyze the transient effects of inleakages of moisture to the primary

coolant system. The code analyzes the three-dimensional effects of

stea~graphite and steam-fuel reactions in the core and simulates the

primary system and the reactor building with respect to heat and mass

transfer. The code can either calculate or accept as input the spatial

transient flow and temperatures as conditions necessary for oxidation

calculations. Nuclear heat generation, graphite temperature, coolant

temperature, total pressure, ste~graphite and ste~fuel reaction

rates, heats of reaction, and graphite burnoff are calculated as a

fun-tion of space and time. Alternatively, graphite temperatures can

be provi~ed to OXIDE from another code, such as PANTHER (see Sec-

tion D.4.1). PANTHER is a computer code which uses finite difference

methods to analyze system temperatures after a pressurized loss of

forced circulation. Plant protective system actions can be simulated

in the code.

OXIDE methods were independently reviewed (Ref. D-10) for the NRC

and found to be in good agreement with alternative methods, for the

cases analyzed. Modifications have been made to OXIDE (Ref. D-11) to

address shortcomings identified in that review when they affect the

current use of the code for moisture ingress events. A detailed


description of the OXIDE program is presented in Ref. D-9. A brief

description of the code is presented below.

The reaction of steam with graphite proceeds at significant rates

when temperatures exceed 700°C (13000 F). Thus in an accident, when

steam first reaches the core, some reaction occurs mainly in the lower

half of the core since the graphite there is hotter than 700°C (13000 F). The steam-graphite reaction has been extensively investigated (Refs. D-9

and D-12). The predominant chemical reaction is

, (D-6)

where the endothermic heat of reaction Q is 118 kJ/gm-mole of graphite

(51,000 Btu/lb-mole). Since this reaction produces two moles of gaseous

product for each mole of water reacting, any such reaction increases the

primary circuit pressure rise. Other secondary reactions are insignifi

cant for the short time periods of these accidents.

The kinetic expression used in the OXIDE code for the rate of

reaction is a rational function of steam and hydrogen pressure, with

time-dependent Arrhenius coefficients and modifiers that account for

the effects of prior reaction (burnoff) and the presence of catalysts.

Possible inh~biting effects of CO and/or helium pressure on the steam

graphite reaction rate are neglected for conservatism, and because cur

rent evidence is too limited to take quantitative credit for these

effects. Radiation effects on the reaction rate have been shown to

be negligible for nuclear-grade graphite (Ref. D-13).

The reaction of steam with initially failed fuel can result in

enhanced release of fission gas due to hydrolysis and oxidation of

failed UCO particles. The model used in OXIDE accounts for hydrolysis

and neglects the oxidation of UCO fuel. The oxidation of UCO fuel is

neglected because the oxygen concentrations during accident conditions


are expected to be very low. Onder normal reactor operating conditions,

the estimated concentration is expected to be 10-9 (1 ppbv).

The time-dependent release of krypton, xenon, and iodine isotopes

is calculated. The fractional release of bromine, selenium, and tel

lurium is considered the same as that of iodine.

In treating the response of a failed OCO kernel to hydrolysis, a

distinction is made between the portion of the kernel containing OC2 and

that containing 002. These two portions undergo hydrolysis in distinct

ways. The fractional release is determined by the addition of the

release from each of these portions.

The core is modeled geometrically as a set of eight analysis

regions with variable numbers of columns and with ten axial segments

that extend beyond the active core to include reflector blocks. Indi

vidual flows and power density factors can be specified for each region;

each axial segment can have an individually specified power factor. In

each segment a typical element of symmetry (triangular in shape) around

an MHTGR fuel rod/coolant channel is modeled with 17 nodes. The com

plete core analysis is accomplished by performing the appropriate cal

culations on the symmetry element of each of the 80 segments.

The phenomenon of steam-induced vaporization and recirculation

treats the reaction and removal of fission and activation products

sorbed on primary circuit components by steam flowing over the surfaces

of the components. (The term washoff, often used in the past to include

this phenomenon, ref~rs to the removal of fission and activation pro

ducts by water in the liquid state flowing over the surfaces in the form

of droplets or bulk.)

Recent experiments of steam-induced vaporization (Ref. 0-14) were

designed to study the fraction of iodine, sorbed on the surface of the

alloy T-22, removed by the passage of steam over the surface. The tests

0-24 00E/HTGR-86-011/Rev. 3

showed that no molecular iodine was sorbed on the surface of the alloy_

Rather, it was in the form of an iodide, possible FeI2- Two tests con

ducted resulted in significantly.different amounts of iodide being

removed from the surface. The first test, Which resulted in 60% iodide

removal, was judged to better represent the conditions in the reactor

during transients. The second test, Which involved an unusual treatment

of the surface by scrubbing with acidic solution, resulted in no signif

icant iodide removal.

Selecting the result from the sample that was treated more in the

manner of the alloy surfaces to be used in the MHTGR, the value of 60%

for steam-induced vaporization of fission and activation products is

used in the analysis of standard MHTGR events and conditions that

involve the ingress of steam.

The fuel body inventory and circulating and plateout activities

available at the start of an event are based on radionuclide design cri

teria. The radionuclide design criteria are the allowable levels of

radionuclide accumulation in the primary circuit Which will permit the

plant to satisfy the radiological dose limits applied to normal plant

operation and postulated events. The nominal circulating activity, the

equilibrium 40-yr plateout activity subject to steam-induced vaporiza

tion and the fuel body inventory subject to hydrolysis and oxidation are

presented in Table 0-8 for those radionuclides Which are major contribu

tors to the resultant dose from forced convection cooldowns under wet

conditions. The steam-induced vaporization model is applied to the

plateout activities. The recirculated activity is considered to be ele

mental rather than in the form of compounds. Only the fraction of the

fuel body inventory present in initially failed fuel (5 x 10-5 fraction

of all fuel particles) is subject to the hydrolysis release of noble

gases, halogens and telluriums. The fraction of the fuel body inventory

~ubject to release due to oxidation of graphite (7 x 10-5 fraction)

includes those metals initially present in failed fuel and in heavy

metal contamination that have become sorbed in graphite. The subsequent

0-25 OOE/HTGR-86-011/Rev. 3

TABLE D-8 INITIAL CIRCULATING, PLATEOUT, AND FUEL BODY INVENTORIES OF NUCLIDES

THAT ARE MAJOR CONTRIBUTORS TO RADIOLOGICAL CONSEQUENCES

Isotope

Kr-87 Kr-88 Rb-88 Sr-89 Sr-90 Y-91 Ag-110m Te-129m Te-131m Te-132 Te-133m Te-133 Te-134 1-131 1-132 1-133 1-134 1-135 Xe-133 Xe-135m Xe-135 Xe-138 Cs-134 Cs-136 Cs-137 Cs-138 Ba-137m Ba-140 La-140 Ce-144

OF FORCED CONVECTION COOLDOWNS UNDER WET CONDITIONS

Circulating Activity (Ci)

2.96+00 5.16+00 6.78-02 1.39-06 7.29-10 2.14-07 5.43-06 9.26-06 1.63-04 8.25-04 6.30-03 1.06-02 1.22-02 1.79-02 2.23-01 1.18-01 5.41-01 1.91-01 2.32+00 1.20+00 3.49+00 1.12+00 3.23-06 1.64-05 1.98-06 9.37-03 3.27-04 7.69-06 8.65-06 4.22-08

Plateout Activity (Ci)

0.00 0.00 5.20+00 1.72+00 3.35-01 4.17-01 8.43+00 1.91+00 1.26+00 1.66+01 1.51+00 7.90-01 2.21+00 2.00+01 1.94+01 1.49+01 5.22+00 6.74+00 0.00 0.00 0.00 0.00 1.49+01 1.31+00 7.00+01 1.30+00 6.62+01 7.39-01 8.29-01 7.40-02

Fuel Body Inventory (Ci)

7.13+06 9.95+06 1.02+07 1.34+07 7.41+05 1.62+07 1.38+04 4.85+05 1.66+06 1.35+07 1.12+07 9.10+06 1.91+07 9.34+06 1.37+07 2.03+07 2.28+07 1.89+07 2.03+07 3.71+06 2.48+06 1.85+07 1.06+06 1.97+05 8.58+05 1.96+07 8.17+06 1.87+07 1.88+07 1.24+07


transport of these fission products will depend on the governing phenom

ena and could lead to retention within the reactor vessel. Conserva

tively, retention mechanisms in the reactor vessel are neglected, and

all the activity released to the primary coolant is assumed available

for release through any available release path.

Releases from the vessel to the atmosphere through the reactor

building are modeled using the TDAC code as described in Section 0.1.1.

Plateout and settling in the reactor building have been considered.

Meteorological conditions and reactor building parameters are as given

in Table 0-4.


The planned response to a moisture ingress event begins with the

detection of moisture at the 1000 ppm level by the moisture monitors

as discussed in Section 6.1.7 for small steam generator leaks and in

Section 6.1.8 for moderate steam generator leaks. For a small leak,

this level is reached in approximately 5 min. For a moderate leak,

this level is reached in only 2 s. The moisture sampling process takes

another 20 s. The PPIS initiates a reactor trip on the outer control

rods and the closure of the steam generator isolation valves. Following

the signal to isolate, the main circulator is tripped, and the SCS is

started and cools the reactor core by forced convection. Following iso

lation, the steam generator dump system valves are opened and the steam

generator inventory is released into the dump system tanks. Just prior

to releasing primary coolant through the dump system, the valves are

reclosed. The increase in system pressure resulting from the ingress of

moisture is not large enough to lift the primary relief valves. There

is no fission product release as the primary coolant boundary remains

intact.

If the moisture monitors fail to successfully function, the high

primary coolant pressure PPIS trip setpoint will automatically initiate

0-27 OOE/HTGR-86-011/Rev. 3

protective actions. If this also fails then the operator can manually

initiate these actions. Specifically the PPIS trip will cause reactor

trip, steam generator isolation, and SCS startup. In addition to these

actions, the operator can manually dump the steam generator.

For fission product release to occur, failures in addition to the

leak are required that result in failure of the primary coolant boundary

to contain the fission products. As shown in Figs. C-8 and C-9, fail

ures in addition to the steam generator leak may result in a number of

sequences that result in fission product release. Failure of the mois

ture monitors or failure to isolate the steam generator precedes each

event sequence where an offsite dose occurs. Many of the event

sequences with offsite doses involve loss of forced convection cooling

and are designated as conduction coo1downs under wet conditions which

are discussed in Section D.4. Proceeding from the least to the greatest

consequence, the following paragraphs describe for each release category

the dominant event sequence, radionuc1ide release mechanism, and the

basis for assessment of the category dose consequences.

Detailed analysis was performed on release categories WF-l and

WF-2. WF-2 consists of a moderate steam generator leak, delayed steam

generator isolation (about 6 min), and primary relief valve opens but

fails to rec10se. WF-l is identical to WF-2 except that the steam gen

erator isolation is delayed as much as 20 min. Categories WF-3 and WF-4

are similar to WF-l and WF-2 except that the pressure relief valve

rec10ses successfully, so that only a fraction of the inventory is

released from the vessel. This fraction provides the scaling factor

used to determine the dose consequences for WF-3 and WF-4 based on the

detailed WF-l and WF-2 analyses.

Release category WF-4 is a moderate steam generator leak which

results in fission product release to the reactor building and subse

quently to the atmosphere. The category is representative of a moderate

leak where isolation is delayed and the primary relief valve opens and


recloses to vent excess pressure. One possible scenario in this cate

gory involves failure of the moisture monitors to detect excessive mois

ture levels. The reactor is nevertheless tripped within about 10 s on

high power-to-flow ratio. The main loop is tripped on high pressure

within about 6 min, followed by a manual dump of the steam generator. A

total of 3000 kg (6600 lbm) of steam enters the system. A second less

likely scenario involves successful detection of the leak by the mois

ture monitors. The reactor is tripped and the PPIS signals the steam

generator isolation valves to close. Steam line valves close, but the

feedwater valves do not. Pressure at the steam generator outlet rises

above the normal steam pressure of 17,340 kPa (2515 psia) to the feed

water pressure of 20,680 kPa (3000 psia). The steam generator bypass

valve opens to relieve the 'excess pressure to the condensor. Manual

isolation and dump of the steam generator occurs within 10 min. The

flow of feedwater through the steam generator will flood it in minutes,

so that the amount of steam, ingressed is about 1730 kg (3800 lbm).

Following the main loop trip, the core is cooled by the sese Shortly

after 6 min, high pressure causes the primary relief valve to lift and

vent excess pressure to the reactor building after which the valve

successfully recloses. Because of the difference between the relief

valve opening setpoint of 7177 kPa (1041 psia) and closing setpoint of

6103 kPa (885 psia), about 15% of the primary coolant and the fission

products it contains at the time of relief are released to the reactor

building and subsequently to the atmosphere. Since the amount of water

ingressed is large and since the core is rapidly cooled by the HTS or

ses, the consequences are about the same for both scenarios. The frac

tion of the graphite oxidized is 1.1 x 10-4 (23 lbm); 0.26% of the noble

gases and 0.18% of the halogens have been released from the failed fuel

due to hydrolysis at the time of the pressure relief. The radioactivity

available for release from the vessel (assuming no attenuation in the

vessel) consists of 100% of circulating activity, 60% of plateout activ

ity due'to steam induced vaporization and recirculation, 1.1 x 10-4

fraction of nuclides retained in the core graphite, 0.26% of the noble

gas and 0.18% of the volatile fission products retained in the initially


failed fuel (5 x 10-5 fraction of all fuel). The release to the envi

ronment is through the reactor building where there is attenuation from

settling and deposition.



quently to the atmosphere. Following detection of excessive moisture in

the primary system, the reactor is tripped and the PPIS signals to iso

late the steam generator. The isolation is not successful as the steam

valve fail to close and moisture continues to enter the primary system

for up to 20 or 30 min until the operator isolates the steam generator.

A total of 6800 kg (15,000 lbm) of steam enters the primary system.

Excessive primary system pressure opens the primary relief valve once,

shortly after 6 min, venting primary circuit radionuclides into the

reactor building, after which the valve successfully recloses. Core

cooling is provided by the SCS, and is effective in preventing a second

pressure relief. At the time of the pressure relief, 0.6% of gaseous

and volatile fission products are released to the primary coolant by

hydrolysis, and 0.018% of fission products sorbed in bulk moderator

graphite are released by graphite oxidation. These activities, along

with the initially circulating activity and the activity removed from

metallic surfaces due to SIVR, are available for release with the pri

mary coolant. Because of the difference between the relief valve open

ing and closing setpoints, about 15% of the primary coolant and the

fission products it contains at the time of relief are released to the

reactor building and subsequently to the atmosphere.

Release categorY WF-2 is a moderate steam generator leak which


quently to the atmosphere. This category is the same as category WF-4

except that the primary relief valve fails to reclose after it opens to

relieve excess pressure. The moisture monitors fail to detect excessive

moisture levels, but the reactor is tripped within about 10 s on high

power-to-flow ratio. The main loop is tripped on high pressure within


about 6 min, followed by manual dump of the steam generator. Subsequent

to the main loop trip, the core is cooled by the sese Shortly after

6 min, high pressure causes the primary relief valve to lift, but it

fails to rec1ose. The primary system depressurizes through the primary

relief train into the reactor building. Fission products contained in

the primary coolant are subsequently released to the atmosphere. The

fraction of the graphite oxidized is 1.1 x 10-4 ; 0.26% of the noble

gases and 0.18% of the halogens are released from the failed fuel due

to hydrolysis. The fission products released from the vessel conserva

tively include 100% of circulating activity, 60% of p1ateout activity

released due to steam induced vaporization and recirculation, 1.1 x 10-4

fraction of activity from the core graphite released due to oxidation,

0.26% of the noble gas and 0.18% of the volatile activity from the ini

tially failed fuel released due to hydrolysis. The relief valve fails

open releasing all of this inventory into the reactor building conserva

tively assuming no attenuation or retention in the vessel. Table D-9

presents the cumulative nuclide release to the environment over the

course of the event for the major contributors to dose.



quently to the atmosphere. This category is the same as category WF-3

except that the primary relief valve fails to rec10se after it opens.

Following detection of excessive moisture in the primary system, the

reactor is tripped and the PPIS signals to isolate the steam generator.

The isolation is not successful and moisture continues to enter the

primary system until the operator isolates the steam generator within

20 min. A total of 6800 kg (15,000 1bm) of steam enters the primary

system. Excessive primary system pressure opens the primary relief

valve, venting primary circuit radionuc1ides into the reactor building.

Once the relief valve lifts, it fails to rec10se as designed. The pri

mary system depressurizes through the open relief valve into the reactor

building. At the time of the pressure relief, shortly after 6 min, 0.6%

of gaseous and volatile fission products are released to the primary


TABLE D-9 CUMULATIVE RELEASE TO ENVIRONMENT IN CURIES

FOR FORCED CONVECTION COOLDOWNS UNDER WET CONDITIONS

Nuclide WF-1 WF-2

Kr-88 3.3+00 2.7+00

Sr-89 4.8-01 4.6-01

Sr-90 8.5-02 8.4-02

Ag-110m 2.1+00 2.1+00

1-131 3.9+00 3.4+00

1-132 4.4+00 3.6+00

Te-133m 1.4+00 6.3-01

1-133 4.0+00 2.9+00

1-134 2.7+00 1.5+00

Cs-134 3.7+00 3.7+00

1-135 2.6+00 1.5+00

Cs-137 1.7+01 1.7+01

Ba-137m 1.6+01 1.6+01

Xe-138 1.7+00 9.1-01

Cs-138 5.9-01 9.1-01

Ce-144 8.2-02 5.6-02


coolant by hydrolysis, and 0.018% of fission products sorbed in bulk

moderator graphite are released by graphite oxidation. These activi

ties, along with the initially circulating activity and the activity

removed from metallic surfaces due to steam induced vaporization, are

released from the reactor vessel along with the primary coolant. The

fission products contained in the primary coolant are subsequently

released to the atmosphere. Table D-9 presents the cumulative nuclide

release to the environment over the course of the event for the major

contributors to dose.


analyzed is presented in Table D-10 for 30-day EAB thyroid and Whole

body gamma doses.




simplified mathematical algorithms to describe the consequence control


the dose consequence. The algorithms are simplified because they are

used in a MOnte Carlo error propagation program Which determines the

probability distribution for the dose by sampling the input variables.

Cumulative probability distributions of independent variables are speci

fied as input to the program. This section describes the algorithms

used for the consequences from forced convection cooldowns under wet

conditions.

The dose consequence equation for steam generator leaks is the same

as Eq. D-2 in Section D.1.3. The X/Q distribution is also the same one

described in Section D.1.3. The factor fj in Eq. D-2 accounts for time

dependent attenuation due to buildup, decay, settling, plateout, and

other processes and is determined as described in Section D.1.3. Also,


TABLE D-10 NOMINAL DOSE CONSEQUENCE AT THE EAB FOR

FORCED CONVECTION COOLDOWNS UNDER WET CONDITIONS

Release Doses at EAB (Rem)

Category Whole Body 7 Thyroid

WF-1 2.2-03 3.4-01

WF-2 1. 7-03 2.8-01

WF-3 3.3-04 5.2-02

WF-4 2.6-04 4.3-02


as in Section 0.1.3, the uncertainties in dose effectivities Ci'j are

not considered.

The initial activity for nuclide j for accidents involving moisture

ingress has an uncertainty that is determined by the uncertainty of its

components according to the following:

whereQc,j = circulating activity of nuclide j,

Qf,j - fuel body inventory of nuclide j,

fh = fraction of failed fuel hydrolyzed,

ff = failed fuel fraction,

fo = oxidation fraction,

fs - heavy metal contamination fraction,

, (D-7)

Rs,j = fraction of plated-out nuclide j removed by steam-induced

vaporization and recirculation,

Qp,j = plated-out activity of nuclide j.

The uncertainty distribution on all terms is taken to be lognormal

except for the distribution on steam induced release fraction which,

because of lack of data, is assumed to be uniformly distributed from

0% to 100%. The uncertainty factor on the circulating activity of noble

gases and iodines is typically 4, but for metals, it can vary from 100

to 5000 depending on the individual nuclide. The fuel body inventory

has an uncertainty factor that varies from 1.01 to 2.13. There is no

plateout activity for noble gases so that term drops out. For iodines

and telluriums, the uncertainty factor on plateout activity is 4, but

for metals, it is 10. The failed fuel fraction has a median of 5 x 10-5

with an uncertainty factor of 4. The heavy metal contamination fraction

has a median of 2 x 10-5 with an uncertainty factor of 2. The hydrol

ysis and oxidation fractions vary with the accident but have uncertainty

0-35 DOE/HTGR-86-011/Rev. 3

factors of 2.4 and 1.4, respectively. For iodines, te11uriums, and

noble gases, there is no oxidation term because these nuclides are not

retained by the graphite. For metals, there is no hydrolysis term

because the metals are still retained by kernel material.

The median, ninety-fifth percentile, and fifth percentile results

of the dose uncertainty analysis for thyroid and whole body gamma doses

for a 30-day exposure at the EAB are presented in Table D-11.

D.3. CONSEQUENCES FROM CONDUCTION COOLDOWN UNDER DRY CONDITIONS

A number of event sequences that are initiated by primary coolant

leaks and seismic activity have been identified in Figs. C-1 and C-3.

Only those release categories that result in fission product release are

addressed here. These sequences in which forced cooling is lost have

been phenomenologically grouped and categorized as conduction coo1downs

under dry conditions. The categories are labeled DC-1 through DC-9

where DC-1 has the greatest consequence and DC-9 has the least nonzero

consequence. The consequence source term for conduction coo1down under

dry conditions includes (1) the circulating activity, (2) fission pro

duct release from the fuel due to high temperatures, and (3) liftoff of

a portion of the activity plated-out on primary circuit surfaces.


Conduction coo1downs under dry conditions are initiated by loss

of HTS cooling, primary coolant leaks, and seismic activity. Each acci

dent has the loss of all forced convection cooling as the common feature

which identifies the accident as a conduction coo1down. In these acci

dents a gradual rise in core temperatures results due to an imbalance

between heat removal and decay heat generation rates. However, as tem

peratures increase the heat removed by conduction, convection, and radi

ation to the RCCS cooling panels also increases. Furthermore, the decay


TABLE 0-11 DOSE UNCERTAINTY ANALYSIS AT THE EAB FOR FORCED

CONVECTION COOLDOWNS UNDER WET CONDITIONS

Doses at EAB (Rem}

Release Whole Bod! 1 Th!roid

Category 5% Median 95% 5% Median 95%

WF-1 2.6-04 2.2-03 1.9-02 3.8-02 3.4-01 3.1+00

WF-2 2.0-04 1. 7-03 1.4-02 3.1-02 2.8-01 2.5+00

WF-3 3.9-05 3.3-04 2.8-03 5.8-03 5.2-02 4.6-01

WF-4 4.8-05 2.6-04 2.2-03 4.7-03 4.2-02 3.8-01

0-37 DOE-HTGR-86-011/Rev. 3

heat generation rate slowly decreases as the core fission product inven

tory decays with time. Thus, during the accident the imbalance between

heat generation and heat removal diminishes and eventually reverses,

whereupon the core begins to naturally cooldown to the RCCS.

The time-dependent evaluation of temperature throughout the core

and reactor vessel under depressurized conditions is conducted using the

TAC20 computer program (Ref. 0-15). TAC20 contains models to simulate

the heat generation due to decay of radionuclides, the heat-transfer

processes, and the heat exchange across open core plenums during the

course of a loss of forced circulation event.

The geometrical input data for the TAC20 model is specified in

terms of material boundaries parallel to the coordinate axes. Cylindri

cal coordinates are used, and the axes are denoted by r (radial) and z

(axial). The material boundaries define annular regions in which tem

perature nodal points are located. These points each represent a nodal

volume for which a central temperature is calculated. Some thermal

properties are dependent on temperature, and some are also dependent on

time and location. Specific heat, emissivity, conductivity, and volume

tric heat generation are specified as functionally dependent variables

for solid materials.

A two-dimensional geometric model of the entire reactor vessel

and cavity is used to perform the TAC20 analysis. The geometric model

encompasses the active core; the inner, outer, top, and bottom graphite

reflector; the graphite core support plenum shroud; the reactor vessel;

radiation shielding material above and below the reactor vessel; the top

access floor; the first concrete partition below the reactor vessel; and

the concrete behind the air-cooled RCCS panels. Heat transfer within

this model is principally by conduction through the core and reflectors

to the top and bottom core surfaces and to the core periphery adjacent

to the core barrel. Heat is transferred by thermal radiation and con

duction across the gas spaces separating the core surfaces and the metal

0-38 OOE/HTGR-86-011/Rev. 3

support structures and shrouds, and across the gas spaces to the reactor

vessel. Free convection from heated surfaces is represented by placing

a multiplicative factor on the thermal conductivity of the gas in the

spaces between surfac~s. Heat is transferred predominantly by thermal

radiation across the gas spaces separating the reactor vessel and the

RCCS cooling panels. A convective flow of air through the cooling

panels is calculated, which removes most of the heat from the panels.

Some heat is transferred by conduction from the panels to the reactor

cavity walls.

The thermal transient experience by the core during a depressurized

conduction cooldown is shown in Fig. D-9 for both the peak fuel and

average active core temperatures. In this particular transient the

depressurization is immediate, and natural circulation within the core

is negligible. Therefore heat removal is primarily by conduction and

radiation to the RCCS cooling panels. The core temperature as shown in

Fig. D-9 increases as the core heats up and begins to cooldown at

approximately 80 h when the heat removal rate exceeds the decay heat

generation rate. The peak temperature is 16200 C (2948°F).

Figure D-10 shows a plot of isotherms at the time of peak core

temperature across the R-Z plane of the reactor core, reflectors and

the reactor vessel. The peak core temperatures in excess of 16000 C

(2948°F) are confined to only about 5% of the core volume; most of the

fueled region experiences much lower temperatures.

For cases in which the reactor remains pressurized for some

extended period of time, (hundreds of hours) natural circulation within

the core becomes a more important heat transfer mechanism than under

depressurized conditions. The PANTHER computer code is used to analyze

these pressurized (or very slowly depressurizing) conduction cooldowns.

PANTHER is based on the classical thermal analyzer program TAP-LOOP,

which is described in Ref. D-16 and is discussed in Section D.4.1. As

D-39 DOE/HTGR-86-Q11/Rev. 3

an example, the thermal transient experienced by the core during a pres

surized conduction cooldown is shown in Fig. 0-11 for both the peak fuel

and average active core temperatures. This particular transient has no

breach in the primary coolant boundary and is applicable to small pri

mary coolant leaks that require more than 100 h to depressurize.

Because of natura~ circulation and the resultant heat redistribution in

the core, the peak temperatures are lower than for depressurized conduc

tion cooldowns.


available at the start of an event are based on radionuclide design

criteria. The radionuclide design criteria are the allowable levels of

radionuclide accumulation in the primary circuit which will permit the


operation and postulated events. The nominal circulating activity,

equilibrium fuel body inventory, and equilibrium 40-year plateout activ

ity available for liftoff are presented in Table 0-12 for those radio

nuclides which are major contributors to the dose resulting from con

duction cooldowns under dry conditions. By applying the liftoff model

discussed in Section 0.1.1 to the plateout activities, the additional

liftoff activities are calculated for a particular primary coolant leak

size. Some fraction of the fuel body inventory can be released due to

elevated temperatures.

Fuel particle failure and the fission product release from the core

during temperature transients are evaluated using the SORS computer code

(Ref. 0-17). The core release calculated by SORS is the source activity

due to elevated temperatures which contributes to the total release upon

which subsequent environment dose calculations are based.

SORS accepts core temperatures during a transient from other codes,

such as TAC20 and PANTHER, and calculates (1) release from heavy metal

contamination in the fuel rod matrix as a function of temperature and

nuclide, (2) release from initially exposed kernels in the core as a

0-40 OOE/HTGR-86-011/Rev. 3

TABLE D-12 INITIAL CIRCULATING, PLATEOUT, AND FUEL BODY INVENTORIES OF NUCLIDES THAT ARE MAJOR CONTRIBUTORS TO RADIOLOGICAL CONSEQUENCES OF CONDUCTION

COOLDOWN ACCIDENTS .

Isotope

Kr-85 Kr-87 Kr-88 Rb-88 Sr-89 Sr-90 Y-91 Mo-99 Ru-103 Ag-110m Sb-125 Sb-127 Te-127 Te-132 Te-133m 1-131 1-132 1-133 1-134 1-135 Xe-133 Xe-135m Xe-135 Xe-138 Cs-134 Cs-137 Cs-138 Ba-137m Ce-144

Circulating Activity (Ci)

2.96-03 2.96+00 5.16+00 6.78-02 1.39-06 7.29-10 2.14-07 6.96-06 2.54-07 5.45-06 7.30-10 1.34-07 1.14-04 8.25-04 6.30-03 1.79-02 2.23-01 1.18-01 5.41-01 1.91-01 2.32+00 1.20+00 3.49+00 1.12+00 3.23-06 1.98-06 9.37-03 3.27-04 4.22-08

Plateout Activity (Ci)

0.00 0.00 0.00 5.20+00 1.72+00 3.35-01 4.17-01 1.74-01 1.03-01 8.43+00 4.74-03 6.04-03 1.00+00 1.66+01 1.51+00 2.00+01 1.94+01 1.49+01 5.22+00 6.74+00 0.00 0.00 0.00 0.00 1.49+01 7.00+01 1.30+00 6.62+01 7.40-02

Fuel Body Inventory (Ci)

9.91+04 7.13+06 9.95+06 1.02+07 1.34+07 7.41+05 1.62+07 1.83+07 1.20+07 1.38+04 5.64+04 6.52+05 6.47+05 1.35+07 1.12+07 9.34+06 1.37+07 2.03+07 2.28+07 1.89+07 2.03+07 3.71+06 2.48+06 1.85+07 1.06+06 8.58+05 1.96+07 8.17+06 1.24+07


function of nuclide, fuel burnup and temperature, (3) failure of ini

tially intact fuel particle coatings (both with and without manufactur

ing defects) due to the mechanism of pressure vessel failure, (4) SiC

corrosion by fission products and SiC thermal decomposition, and (5)

diffusion of fission products through intact coatings. SORS further

accounts for diffusion of the nonvolatile nuclides through the fuel

rod matrix and core graphite and their transport by the primary coolant.

The procedure adopted in SORS is to describe the problem in terms

of several coupled first order differential equations with coefficients

which are dependent on time. The independent variables represent the

total amount of each isotope in one of the three parts of the core,

i.e., the fuel, the graphite, or the coolant. The variable coefficients

represent an average probability of an atom moving from one part of the

core to another, where the probability has been averaged over the whole

reactor. The differential equations are integrated numerically using

Hemmings' predictor-corrector technique. Since Hammings' technique is a

four-step method, the Runge-Kutta routine is used to set up the start

ing values. The Hammings' method is well established, accurate, and

reliable.

After release from the fuel particles, the nonvolatile fission

products are still confined by the matrix and structural graphite. To

escape from the core, the fission products must diffuse through the

graphites to the coolant channel, evaporate at the surface of the chan

nel and be carried out of the coolant channel by the coolant stream.

The fission product transport from the reactor vessel, subsequent

release to the atmosphere, and the resultant dose calculations were

performed using the TDAC computer code as discussed previously in Sec

tion 0.1.1. Hydrostatic displacement and thermal expansion after a com

plete depressurization to atmospheric pressure become important due to

the release of fission products from the core during the time when peak

core temperatures are increasing. Once core temperatures begin to

0-42 DOE/HTGR-86-01.1/Rev. 3

decrease, thermal contraction will essentially terminate the release

from the reactor vessel. Since all of the conduction cooldowns under

dry conditions vent to the reactor building, plateout and settling in

the reactor building on surfaces cooled by the RCCS have been consid

ered. Meteorological conditions and reactor building parameters are as

given in Table 0-4.


In the frequency assessment for primary coolant leaks, loss of HTS

cooling, and earthquakes, events were identified in Figs. C-1 through

C-3 which lead to conduction cooldowns under dry conditions. These

events are assigned a release category designation based on their radio

nuclide release characteristics. For the purposes of consequence

assessment, a representative size is selected for each leak-size range

identified in the frequency assessment. Proceeding from the least to

the greatest consequence, the following paragraphs describe for each

release category the dominant event sequence, radionuclide release

mechanism, and dose consequence.

Release category OC-9 is represented by a characteristic leak area

of 1.6 x 10-3 cm2 (2.S x 10-4 in. 2). The size may range from 1.9 x 10-4

to 0.013 c~ (3 x 10-5 to 2 x 10-3 in. 2). In this leak range, it is

assumed conservatively that the OC-9 category is bounded by those events

without HPS pumpdown. HPS pump down rapidly depressurizes the primary

system so that the fuel temperature experiences the transient given in

Fig. 0-9. However, with the pump down successful, the fission products

released from the core are mostly retained in the vessel, thus resulting

in less release than without HPS pumpdown. For sizes this small, the

depressurization time for the reactor vessel is several hundred hours so

that the thermal temperature profile is approximated by that given in

Fig. 0-11 for pressurized conduction cooldowns. Figure 0-12 shows the

cumulative release of gaseous and volatile fission products from the

core. As seen in the figure, the release is small and occurs slowly

0-43 00E/HTGR-86-011/Rev. 3

over several days. The attenuation of activity in the reactor vessel is

assumed to occur only due to radioactive decay. The release to the

atmosphere is via the reactor building. The 1-131 and 1-133 activities

released to the atmosphere during OC-9 are 0.31 and 0.071 Ci, respec

tively. These two radionuc1ides account for over 90% of the thyroid

dose. Table 0-13 presents the cumulative nuclide release to the envi

ronment for the major contributors to dose.

Release category OC-S describes large leaks greater than 6.5 cm2

(1.0 in.2) Where the depressurization is so rapid that BPS pump down is

ineffective. The depressurization time for OC-S is less than 7 h so

that the thermal temperature profile is approximated by that given in

Fig. 0-9 for a depressurized conduction cooldown. During the depres

surization, a very small fraction of the initially plated-out activity

is lifted off and released along with all of the initially circulating

activity. Figure 0-13 shows the cumulative release of gaseous and

volatile fission products from the core. As seen in the figure the

release occurs over days as the core heats up slowly. The release rate

becomes negligible beyond 100 h as the core begins to cooldown. The

release mechanism from the vessel after the initial depressurization and

as the core heats up is by slow thermal expansion of gases from the

vessel. The release to the environment is through the reactor building

Where fission products are attenuated due to decay, settling, and plate

out. The cumulative nuclide release for OC-S is the same as that for

OC-7 Which can be seen in Table 0-13.

Release category OC-7 describes a leak in the size range 0.19 to

6.5 c~ (0.03 to 1.0 in2) with a successful BPS pumpdown to atmospheric

pressure. The primary system is depressurized in about 20 h, so the

thermal transient is approximated by that given in Fig. 0-9 for a

depressurized conduction coo1down. The fission products released from

the core are the same as for release category ~C-So After the initial

depressurization, fission products are released from the vessel by

(1) hydrostatic displacement of the helium in the vessel by air in

0-44 OOE/HTGR-S6-011/Rev. 3

TABLE D-13 CUMULATIVE RELEASE TO ENVIRONMENT IN CURIES FOR CONDUCTION

COOLDOWNS UNDER DRY CONDITIONS

Nuclide DC-1 DC-2 DC-3 DC-4 DC-5 DC-7 DC-9

Kr-88 1.7+02 4.3+01 1.6+00 1.1-01 4.0-01 1.2+00 5.6-03

Rb-88 1.6+02 4.0+01 1.5+00 1.1-01 3.8-01 3.8+00 5.4-03

Sr-90 6.4-03 1.6-03 2.8-05 1.2-05 7.0-06 9.5-06 1.6-06

Ru-103 3.0+02 7.4+01 3.6-02 5.1-02 8.9-03 9.1-02 3.0-02

Sb-125 5.2+02 1.3+02 5.0-03 2.3-03 1.2-03 4.8-04 3.3-03

Te-129m 5.2-04 1.3-04 9.2-06 3.6-06 2.3-06 7.8-06 8.5-03

I-131 6.4+04 1.6+04 8.8+00 4.2+00 2.2+00 1.0+00 3.1-01

Te-132 2.6+03 6.6+02 6.5+00 2.2+00 1.6+00 4.9-01 8.9-02.

I-132 3.0+03 7.6+02 4.0+00 1.5+00 1.0+00 5.0-01 5.2-02.

I-133 1.4+03 3.6+02 6.2+00 1.5+00 1.6+00 8.0-01 7.1~02

Xe-133 2.0+04 5.1+03 4.7+02 2.1+02 1.2+02 5.6+01 1.45+01

Cs-134 3.7+02 9.3+01 5.6-05 2.4-05 1.4-05 2.8-05 3.4-06

Xe-135 4.8+02 1.2+02 3.3+01 4.6+00 8.3+00 4.9+00 2.4-01

Cs-137 3.1+02 7.8+01 1.5-04 6.0-05 3.7-05 1.1-04 9.8-06


the reactor building and (2) thermal expansion of gases in the vessel

as the core heats up. Because of the small leak size, the. hydrostatic

displacement is assumed to proceed slowly over about 100 h. When the

core begins to cool down, after about 100 h, the release rate from the

vessel becomes negligible. Fission products are released to the envi

ronment through the reactor building, after some attenuation due to

radioactive decay, settling of particulates, and plateout of halogens on

cool surfaces in the reactor building. The I-131 and I-133 activities

released to the atmosphere during OC-7 are 1.0 and 0.80 Ci, respec

tively. Table 0-13 presents the cumulative nuclide release to the envi

ronment for the major contributors to dose.

Release category OC-6 describes a leak in the size range between

0.013 and 0.19 cm2 (2 x 10-3 and 0.03 in2) with a successful HPS pump

down. Because the pump down is successful in reducing the primary system

pressure within about 24 h, the thermal transient is approximated by

that given in Fig. 0-9 for a depressurized conduction cooldown. Thus,

Fig. 0-13 is representative of the release of fission products from

the core. After the initial depressurization, fission products are

released from the vessel by (1) hydrostatic displacement of the helium

in the vessel by air in the reactor building and (2) thermal expansion

of gases in the vessel as the core heats up. Hydrostatic displacement

proceeds slowly over about 100 h. At about that time, when the core

begins to cool, the release rate from the vessel becomes negligible.

Fission products are released to the environment through the reactor

building, after some attenuation due to radioactive decay, settling, and

plateout. The cumulative nuclide release to the environment for OC-6 is

identical to that of OC-5 which is presented in Table 0-13.

Release category OC-5 describes a leak size in the range of 0.19

to 6.5 cm2 (0.03 to 1.0 in.2) where HPS pump down fails and the system

depressurizes slowly over a period of 25 h. Hydrostatic displacement

proceeds slowly over about 100 h. The release from the reactor core is

represented by Fig. 0-13. Attenuation in the reactor vessel is from

0-46 00E/HTGR-86-011/Rev. 3

radioactive decay and holdup after the reactor begins to coo1down (after

100 h). The release to the environment is via reactor building leakage,

with attenuation due to p1ateout, settling, and decay in the reactor

building. The 1-131 and 1-133 activities released to the atmosphere

during DC-5 are 2.2 and 1.6 Ci, respectively. Table D-13 presents the

cumulative nuclide release to the environment for the major contributors

to dose.

Release category DC-4 describes a leak in the size range of 0.013

to 0.19 c~ (2 x 10-3 to 0.03 in.2), with a representative leak area of

0.05 c~ (7.7 x 10~3 in. 2). In DC-4, the BPS fails to pump down primary

coolant to storage. The result is a depressurization over a period of

145 h Where fuel body activity released during that time period has a

mechanism to be transported out of the reactor vessel. Since the vessel

remains at high pressure over 100 h, the transient temperature profile

for these leaks is approximated in Fig. D-11 for a pressurized conduc

tion cooldown. Release to the environment is via reactor building leak

age, with attenuation due to plateout, settling, and radioactive decay

in the reactor building. The 1-131 and 1-133 activities released to the

atmosphere.during DC-4 are 4.2 and 1.5 Ci, respectively. Table D-13

presents the cumulative nuclide release to the environment for the major


Release category DC-3 describes an event initiated by seismic

activity Which results in a primary coolant leak with a size greater

than 0.19 c~ (0.03 in. 2). In this category, the dose consequence is

identical to DC-5 except that all four modules are affected so that the

dose is four times the dose for DC-5. The 1-131 and 1-133 activities

released to the atmosphere during DC-3' are 8.8 and 6.2 Ci, respectively.

Table D-13 presents the cumulative release to the environment for the

major contributors to dose.

Released category DC-2 represents events Where loss of HTS is fol

lowed by loss of both the SCS and the RCCS cooling. The system pressure


is reduced within two days by operator initiated pumpdown of the primary

system using the BPS system. In the absence of RCCS core cooling, the

reactor heats up reaching a core maximum and average temperatures of

approximately 18700 C (3398°F) and 16000 C (2912°F), respectively. This

results in release of approximately 0.02% of the halogens from the fuel

body inventory. Even at these temperatures the fuel particles and the

core provide sufficient retention to hold a vast majority of the fission

products in the core. The release from the primary system is due to the

hydrostatic displacement of helium and thermal expansion of primary sys

tem inventory. The release to the environment is via the reactor build

ing Where fission products are attenuated due to plateout, settling, and

decay. Table D-13 presents the cummulative release to the environment

for the major dose contributors.

Release category DC-1 is the final category under consideration in

this section. In this event sequence, seismic activitY'produces ground

accelerations greater than 1.5 g resulting in failure of the HTS, SCS,

and RCCS, in addition to a nominal instrument line failure. This event

affects all four modules of the plant and is otherwise identical to

release category DC-2. Table D-13 presents the cumulative nuclide

release to the environment for the major contributors to dose.


analyzed is presented in Table D-14 for 30-day exposure at the EAB for

thyroid, bone, lung, and Whole body gamma doses.




simplified mathematical algorithms describing the consequence control-

I ling phenomena as functions of variables with uncertainties that affect


used in a Monte Carlo error propagation program Which determines the


TABLE D-14 NOMINAL DOSE CONSEQUENCE AT THE EAB FOR CONDUCTION

COOLDOWNS UNDER DRY CONDITIONS

Release Nominal Dose in Rem

Category Whole Body 7 Thyroid Bone Lung

DC-1 4.5-02 4.7+01 1. 7-01 1.3+00

DC-2 1.1-02 2.3+01 8.7-02 6.7-01

DC-3 4.5-04 1.0-01 1.5-04 2.8-03

DC-4 1.5-04 7.6-02 9.2-05 1.9-03

DC-5 1.1-04 2.5-02 3.7-05 7.0-04

DC-7 2.0-04 2.1-02 2.3-05 5.8-04

DC-9 9.0-06 5.5-03 1.3-05 1.7-04



Cumulative probability distributions of independent variables are speci

fied as input to the program. This section describes the algorithms

used for consequences from conduction cooldowns under dry conditions.

The dose consequence equation for conduction cooldown accidents

is the same as Eq. D-2 in Section D.1.3. The X/Q distribution is also

the same one described in Section D.1.3. The factor fj in Eq. D-2

accounts for time-dependent attenuation due to buildup, decay, set

tling, plateout, and other processes and is determined as described in

Section D. 1.3. Als.o, as in Section D. 1. 3, the uncertainties in dose

effectivities Ci,j are not considered.

The initial activity for nuclide j for accidents involving conduc

tion cooldowns has an uncertainty that is determined by the uncertainty

of its components according to the following:

, (D-8)

where Qi,j = source term activity due to forced convection cooldown

under dry conditions (Eq. D-4),

fT,j = fractional release of nuclide j due to temperature

increase,

QF,j = fuel body inventory of nuclide j.

The uncertainty distribution on all terms is taken to be lognormal.

The components of the source term activity due to forced convection

cooldown under dry conditions and their uncertainty factors are given in

Section D.1.3. The fuel body inventory has an uncertainty factor that

varies from 1.01 to 2.13. The uncertainty factor in the fractional

release due to elevated temperatures is estimated to be 1.2 for all

nuclides.



of the dose uncertainty analysis for thyroid, lung, bone, and whole

body gamma doses for a 30-day exposure at the EAB are presented in

Table D-15.

D.4. CONSEQUENCES FROM CONDUCTION COOLDOWN UNDER WET CONDITIONS

A number of event sequences that are initiated by small and

moderate steam generator leaks have been identified in Figs. C-8 and

C-9. Only those release categories that result in fission product

release and result in an offsite dose to the public are addressed here.

These sequences in which forced' cooling is lost have been phenomenologi

cally grouped and categorized as conduction cooldowns under wet condi

tions. The categories are labeled WC-1 through WC-7 where WC-1 has the

greatest consequence and WC-7 has the least nonzero consequence. The

consequence source term for conduction cooldowns under wet conditions

includes (1) the circulating activity, (2) fission product release from

the fuel due to high temperatures, (3) steam-induced vaporization and

recirculation of a portion of the activity plated-out on primary circuit

surfaces, (4) release from failed fuel due to hydrolysis, and (5)

release from oxidized graphite.


Conduction cooldowns under wet conditions are initiated by steam

generator leaks. Each accident has the loss of all forced convection

cooling as the common feature which identifies the accident as a con

duction cooldown. The following paragraphs summarize the physical

phenomena and plant response that was analyzed followed by the methods

and data used in the analysis.

For accidents initiated by small and moderate steam generator

leaks, a subsequent loss of forced convection cooling and primary

coolant boundary failure result in conduction cooldowns with an offsite


TABLE D-1S DOSE UNCERTAINTY ANALYSIS AT THE EAB FOR CONDUCTION COOLDOWNS UNDER DRY CONDITIONS

Dose in Rem

Release Whole Body 7 Thyroid Bone Lung

Category SI Median 9S1 51 Median 9S1 SI Median 9S1 SI Median 9S1

DC-I 1.0-02 6.4-02 4.S-01 6.0+00 S.O+Ol 4.3+02 6.0-03 9.3-02 1.3+00 1.2-01 1.1+00 1.0+01

t::I DC-2 2.7-03 1.6-02 1.1-01 3.0+00 2.S+01 2.1+02 3.1-03 4.7-02 6.3-01 S.9-02 S.7-01 S.1+00 I

VI DC-3 4.8-0S 2.9-04 2.3-03 2.0-02 2.1-01 2.2+00 4.4-0S 4.0-04 4.2-03 1.1-03 8.0-03 6.8-02 N

DC-4 1.5-0S 1.S-04 1.S-03 7.6-03 7.6-02 7.6-01 N.C. 9.2-0S N.C. N.C. 1.9-03 N.C.

DC-S 1.2-0S 7.3-0S S.8-04 5.1-03 5.3-02 5.5-01 1.1-05 9.9-0S 1.1-03 2.7-04 2.0-03 1. 7-02

DC-6 1.2-05 7.3-05 S.8-04 S.1-03 5.3-02 5.5-01 1.1-05 9.9-05 1.1-03 2.7-04 2.0-03 1.7-02

DC-7 6.5-05 3.2-04 2.2-03 3.0-03 4.9-02 5.9-01 4.7-06 5.7-05 5.7-04 4.6-05 5.6-04 5.5-03

DC-8 6.5-05 3.2-04 2.2-03 3.0-03 4.9-02 5.9-01 4.7-06 5.7-05 5.7-04 4.6-05 5.6-04 5.5-03

t::I DC-9 2.1-06 1.0-05 7.2-05 3.4-04 5.5-03 6.6-02 5.1-07 7.5-06 8.2-05 2.3-05 2.1-04 1.9-03 0 tzJ I

~ fJ I

00 (J\ I

0 ..... ..... -:;tI ~ . w

dose to the public. The fission product release pathway may be either

through the steam generator secondary side or to the reactor building

if the primary relief valves lift. Releases may consist of circulating

activity, activity released from hydrolyzed fuel, activity released from

oxidized graphite, plated-out material released due to SIVR, or fuel

body inventory released due to the thermal transient. The frequency

assessment of Section 7.7 for small steam generator leaks covers a spec

trum of leak sizes ranging from pinhole to approximately 0.052 cm2

(8 x 10-3 in. 2). The maximum size considered for small leaks corre

sponds to a leak rate of about 0.05 kg/s (0.1 lbm/s) which is used for

the consequence assessment for small steam generator leaks. The fre

quency assessment of Section C.8 for moderate steam generator leakS

covers a spectrum of flow rates ranging from 0.05 to 5.7 kg/s (0.2 to

12.5 lbm/s). The consequence assessment for moderate steam generator

leaks has been based on the leak rate of 5.7 kg/s (12.5 lbm/s) which

corresponds to a single tube offset rupture.

The planned response to a moisture ingress event begins with the

detection of moisture at the 1000 ppm level by the moisture monitors.

Depending on the leak size, this level may not be reached for anywhere

between 2 s to 5 min. The moisture sampling process takes another 20 s

after which the PPIS initiates a reactor trip on the outer control rods

and isolation of the steam generator. Following isolation, the steam

generator dump valves are opened and the steam generator inventory

released into the dump tanks. Just prior to releasing primary coolant

through the dump system, the valves are reclosed. Also following the

signal to isolate the steam generator, the HTS circulator is tripped and

the SCS is started and cools the reactor core by forced circulation. In

the accidents discussed in this section the SCS either fails to start or

fails to operate a sufficient amount of time so that forced circulation

cooling is lost. Removal of core residual heat is by conduction and

radiation to the RCCS cooling panels. The resulting transient is a

pressurized conduction cooldown with the reactor pressure remaining

below the setpoint of the primary system pressure relief train.


For cases in which the reactor remains pressurized for some

extended period of time, natural circulation within the core becomes

a more important heat transfer mechanism than under depressurized con

ditions. The PANTHER computer code is used to analyze these pressurized

(or slowly depressurizing) conduction cooldowns. PANTHER is based on a

classical thermal analyzer program which is described in Ref. 0-16.

PANTHER models the reactor system as a network of interconnected

nodes. The nodal map models the active core, reflectors, core barrel,

reactor vessel, and the RCCS. Each node is assumed to be connected to

each of its neighbors by a conducting path to which a value called the

"admittance,· is assigned. The "admittance is the reciprocal of the

thermal resistance. Each active core node is assigned a generation rate

equivalent to the rate of heat generation of the actual core column

represented by the node. The temperature assigned to each node repre

sents the temperature at the centroid of the corresponding element of

the physical system.

Heat generated within the active core is transferred by conduction

both radially and axially from node to node within the core and reflec

tors. Within the fueled core there are three flow paths. Heat is also

transferred to the fluid nodes in each flow path, which transport heat

by flowing either upward or downward within the coolant passages. The

flow rates were computed within the program by adding up the hydrostatic

head in each gas column and relating these to the frictional pressure

loss in each column, assuming that the pressures in the top and bottom

plena are uniform. This computation is done iteratively at each time

step by adjusting the plenum pressures until the conservation-of-mass

condition is satisfied for the flows. Ultimately heat is radiated from

the core barrel to the vessel, and from the vessel, heat is transferred

to the RCCS panels via radiation and natural convection.

The thermal transient experienced by the core during a pressurized

conduction cooldown is shown in Fig. 0-11 for both the peak fuel and

0-54 OOE/HTGR-86-011/Rev. 3

average active core temperatures. This particular transient assumes no

breach in the primary coolant boundary. Slow primary coolant leaks,

which require more than 100 h to depressurize, is assumed to experience

the same temperature transient.

For cases where the pressure vessels depressurize, such as through

a relief valve that fails open, the time-dependent evaluation of tem

peratures throughout the core and reactor vessel under depressurized

conditions is conducted using the TAC2D computer program (Ref. D-15).

TAC2D contains models to simulate the heat generation due to decay of

radionuclides, the heat-transfer processes, and the heat exchange across

open core plenums during the course of a loss of forced circulation

event. A brief discussion of the TAC2D program is given in

Section D.3.1.

The thermal transient experienced by the core during a depressur

ized conduction cooldown is shown in Fig. D-9 for both the peak fuel and

average active core temperatures. This particular transient assumes

immediate depressurization. Primary coolant leaks which require less

than 100 h to depressurize is assumed to experience the same temperature

transient.


available at the start of an event are based on radionuclide design cri

teria. The radionuclide design criteria are the allowable levels of

radionuclide accumulation in the primary circuit which will permit the


operation and postulated events. The circulating activity, fuel body

inventory, and plateout activity available for steam-induced vaporiza

tion and recirculation are presented in Table D-12 in Section D.3 for

those radionuclides which are major contributors to the resultant dose

from conduction cooldowns under wet conditions. By applying the steam

induced vaporization model discussed in Section D.2.1, the fraction of

plateout activities reentrained into the primary system are calculated


for steam generator leak accidents. The fuel body inventory can be

released due to elevated temperatures, due to hydrolysis of the ini

tially failed fuel, and due to oxidation of graphite in which fission

products have been retained.

The thermal transient results from PANTHER for pressurized con

duction cooldowns are used by the OXIDE code to analyze the transient

effects of moisture ingress on the fuel and core graphite. The OXIDE

code determines the fractional fission product release due to steam

graphite and steam fuel reactions and is described in more detail in

Section 0.2.1.

The evaluation of fuel particle failure and the fission product

release from the core during temperature transients is calcu~ated using

the SORS computer code (Ref. 0-17). The core release calculated by SORS

is the source activity due to elevated temperatures which contributes to

the total release upon which subsequent environment dose calculations

are based. The SORS code is discussed in Section 0.3.1.

The fission product transport from the reactor vessel, subsequent

release to the atmosphere, and the resultant dose calculations were

performed using the TDAC computer code as discussed previously in Sec

tion 0.1.1. Meteorological conditions and reactor building parameters

are as given in Table 0-4. The release pathway for accidents initiated

by steam generator leaks may be either through the steam generator sec

ondary side relief train or through the reactor building if the primary

relief train valves open. For those conduction cooldown categories

which vent to the reactor building, plateout and settling in the reactor

building on surfaces cooled by the RCCS have been considered. In either

case, possible failure of the valves to reclose is typically considered.

Hydrostatic displacement and thermal expansion subsequent to a complete

depressurization become important due to the release of fission products

from the core during the time when core temperatures increase. Once

0-56 DOE/HTGR-86-011/Rev. 3

core temperatures begin to decrease, thermal contraction will essen

tially terminate the release from the reactor vessel.

D.4.2. Fission Product Release and Dose Assessment

The planned response to a moisture ingress event is discussed in

Section 6.1.7 for small steam generator leaks and in Section 6.1.S for

moderate steam generator leaks. For fission product release to occur

from conduction cooldowns initiated by steam generator leaks, failures

in addition to the leak are required that result in failure of the pri

mary coolant boundary to remain intact and contain the fission products

throughout the transient. As shown in Figs. C-S and C-9, additional

failures can result in a number of accident sequences that result in

offsite dose. Proceeding from the least to the greatest consequence,

the following paragraphs describe for each release category the dominant

event sequence, radionuclide release mechanism, and the basis for

assessment of the category dose consequences.

Detailed analysis was performed on release categories WC-2, WC-4,

and WC-7. WC-7 consists of a moderate steam generator leak and normal

plant response. WC-4 represents a moderate steam generator leak with

delayed isolation resulting in four pressure reliefs and successful

reclosure. WC-2 represents a moderate steam generator leak with delayed

termination resulting in tWD pressure reliefs with failure to reclose

after the second. These categories represent the range from the minimum

to the maximum water ingress for moderate steam generator leaks. The

dose consequences of the other four release categories are calculated by

scaling the dose results of WC-2, WC-4, or WC-7. The scaling examines

the dose contribution from fission products released due to hydrolysis.

One scaling for hydrolysis contribution is due to the amount of water

ingressed. The other scaling, in instances where the relief valve fails

open, is based on the time of final relief. In addition, the number of

pressure reliefs determines the fraction of the activitY'in the reactor

system that is released which provides an additional scaling factor for

D-S7 DOE/HTGR-S6-011/Rev. 3

dose. If the pressure relief valve fails open, then the dose results

due to the slow thermal expansion and release of a conduction cooldown

are added.

Release category WC-7 is a moderate steam generator leak which

results in fission product release to the reactor building through the

primary relief valve and subsequently to the atmosphere. The plant

responds as planned with the exception that the SCS cooling fails. A

total of 270 kg (600 lbm) of steam enters the primary system. System

pressure increases due to (1) inventory additions caused by the reaction

of steam with graphite (one mole of steam produces two moles of gaseous

reaction products), and (2) temperature increases caused by the pressur

ized conduction cooldown. At about 10 h, when the system pressure

reaches a setpoint of 7177 kPa (1041 psia), the pressure relief valve

opens to vent primary coolant into the reactor building. The valve

recloses successfully when the setpoint of 6103 kPa (885 psia) is

reached. Because of the difference between the relief valve opening and

closing setpoints, abo~t 15% of the primary coolant and the fission

products it contains at the time of relief are released to the reactor

building and subsequently to the atmosphere. At the time of the

release, 8% of gaseous fission products in failed fuel are released to

the primary coolant by hydrolysis, 0.05% of fission products sorbed in

bulk moderator graphite are released by graphite oxidation, and small

amounts of halogens and noble gases are released from the fuel to the

primary coolant due to elevated temperatures. In addition, 60% of the

fission products plated out on metallic surfaces are released to the

primary system from steam-induced vaporization. The thermal transient

would be like a pressurized conduction cooldown. Table 0-16 presents

the cumulative nuclide release to the environment for the major


Release category WC-6 is a moderate steam generator leak with

delayed termination, which results in fission product release to the

reactor building through the primary relief valve and subsequently to

0-58 OOE/HTGR-86-011/Rev. 3

TABLE D-16 CUMULATIVE RELEASE TO ENVIRONMENT IN CURIES FOR

CONDUCTION COOLDOWNS UNDER WET CONDITIONS

Nuclide WC-1 WC-2 WC-3 WC-4 WC-6 WC-7

Kr-88 2.5+00 9.8+00 1.2-01 1.4+00 6.3-01 7.5-02

Sr-89 1.4+00 8.0-01 8.6-03 1.2-02 6.1-03 2.4-02

Sr-90 8.8-02 3.0-02 5.3-04 1.9-03 9.7-04 4.0-03

Y-91 4.1-01 4.8-01 2.5-03 6.5-03 3.0-03 9.8-03

Ag-110m 3.9-01 2.5+00 2.4-03 4.2-02 2.3-02 9.6-02

1-131 2.6+01 4.6+00 1.0+00 8.0-01 3.3-01 2.9-01

Te-132 6.1+01 1.8+01 3.6-01 2.0-01 9.6-02 7.3-01

1-132 3.1+01 7.8+00 1.0+00 8.7-01 3.3-01 4.2-01

1-133 3.7+01 8.8+00 1.5+00 1.1+00 4.3-01 3.7-01

Xe-133 3.7+02 1.1+02 4.6+01 1.3+01 6.4+00 9.2+00

1-134 5.0-03 6.4+00 1.5-04 7.9-01 2.7-01 2.2-03

Cs-134 6.2-01 4.4+00 3.7-03 7.4-02 3.9-02 1. 7-01

1-135 1.2+01 6.2+00 4.7-01 7.9-01 2.9-01 1.5-01

Xe-135 8.1+01 1.7+01 8.1+00 4.1+00 2.0+00 2.0+00

Cs-137 2.5+00 3.3+00 1.5-02 3.5-01 1.8-01 7.9-01

Ba-137m 2.3+00 1.9+01 1.4-02 3.2-01 1. 7-01 7.4-01

Ce-144 1.3+00 3.0-01 7.7-03 3.8-03 1.6-03 4.8-03


the atmosphere. Two possible scenarios result in this release category.

In the first, the moisture monitors fail to detect high moisture levels,

but the reactor is tripped in about 10 s on high power-to-flow ratio.

As moisture continues to enter the system, the primary coolant pressure

increases to the high pressure trip setpoint of 7069 kPa (1025 psia) in

about 6 min. Reaching this PPIS setpoint initiates HTS trip and steam

generator isolation. In the second possible scenario, the moisture

monitors detect high moisture levels and respond as planned, to trip

the reactor and the HTS and to isolate the steam generator. However,

the steam generator dump valves fail to open. Steam generator dump is

initiated manually in both scenarios within 10 min, but by that time a

large portion of the steam generator inventory drains into the primary

system. A total of 3000 kg (6600 lbm) of steam enters the system.

After the HTS trips, the SCS fails to provide forced convection cooling

and heat is removed by conduction and radiation to the RCCS cooling

panels. Because of the continued water ingress, the pressure increases

and is relieved two times through the pressure relief valve before oper

ator intervention succeeds in isolating the steam generator. The pres- .

sure relief valve successfully recloses after opening both times, thus

releasing 28% of the primary coolant inventory. At the time of the

final relief (about 0.8 h), 6% of gaseous fission products in failed

fuel are released to the primary coolant by hydrolysis, and 0.16% of

fission products sorbed in bulk moderator graphite are released by

graphite oxidation; the release from fuel due to elevated temperatures

is insignificant. These activities, along with the initially circulat

ing activity and the activity removed from surfaces due to steam-induced

vaporization and recirculation are available for release with the pri

mary coolant. Table 0-16 presents the cumulative nuclide release to the

environment for the major contributors to dose.

Release category WC-5 is a moderate steam generator leak Which

results in fission product release to the reactor building through

the primary relief valve and subsequently to the atmosphere. The

plant responds as planned with the exception that the SCS cooling fails

0-60 OOE/HTGR-86-011/Rev. 3

and the primary relief valve fails to reclose after opening to relieve

excess pressure. The release category is identical to WC-7 with the

exception that the primary relief valve fails to reclose. The resulting

moisture ingress and elevated temperatures will hydrolyze 8% of the

failed fuel and oxidize 0.05% of the bulk moderator graphite prior to

vessel depressurization. Subsequent hydrolysis and oxidation are negli

gible due to the low partial pressure of steam. The thermal transient

prior to depressurization is like a pressurized conduction cooldown, and

afterwards, it is like a depressurized conduction cooldown. Thermal

expansion, therefore, will transport some of the fission products

released during the slow thermal transient out of the reactor vessel

into the reactor building. These fission products will be released

slowly to the atmosphere via reactor building leakage, and can be atten

uated in the building due to radioactive decay, plateout, and settling.

Release category WC-4 is a moderate steam generator leak with

delayed isolation which results in fission product release to the reac

tor building through the primary relief valve and subsequently to the

atmosphere. The moisture monitors detect high moisture levels and

respond as planned, to trip the reactor and the HTS and to isolate the

steam generator. The feedwater valves close, but the steam valves fail

to close. Steam continues to enter the primary system until the opera

tor manually isolates and dumps the steam generator, within about

20 min. A total of 6800 kg (15,000 lbm) of steam enters the system.

After the HTS trips, the SCS fails to provide forced convection cooling

and heat is removed by conduction and radiation to the RCCS cooling

panels. Because of the continued water ingress, the pressure increases

and is relieved four times through the pressure relief valve before

operator intervention succeeds in isolating the steam generator. ·The

pressure relief valve successfully recloses after each opening. Thus,

48% of the primary coolant inventory is eventually released from the

reactor vessel. At the time of the final pressure relief (about

20 min), 5.7% of gaseous and volatile fission products in failed fuel

are released to the primary coolant by hydrolysis, and 0.09% of fission


products sorbed in bulk moderator graphite are released by graphite oxi

dation; the release from fuel due to elevated temperatures is insignifi

cant. These activities, along with the initially circulating activity

and the activity removed from surfaces due to steam-induced vaporization

are available for release with the primary coolant. The fission prod

ucts are released from the reactor vessel through the reactor building

to the atmosphere. Table D-16 presents the cumulative nuclide release

to the environment for the major contributors to dose.

Release category WC-3 is a small steam generator leak which results

in fission product release to the reactor building through the primary

relief valve and subsequently to the atmosphere. Moisture monitors

successfully detect high moisture, initiating a reactor trip, HTS circu

lator trip, and steam generator isolation and dump. However, the steam

generator dump valves fail to open following steam generator isolation.

Depending on the location of the leak, a large portion of the steam gen

erator inventory can subsequently enter the primary system, with as much

as 2200 kg (4850 lbm) flashing to steam. A total ingress of 1090 kg

(2400 lbm) has been assumed. Primary system pressure continues to

increase, and the primary relief valve opens at approximately 13 h into

the transient and successfully reseats. The relief valve subsequently

remains closed due to termination of the ingress once the steam genera

tor inventory has been depleted. At the time of the relief, 20% of gas

eous fission products in failed fuel are released to the primary coolant

by hydrolysis, 0.33% of fission products sorbed in bulk moderator graph

ite are released by graphite oxidation, and small amounts of halogens

and noble gases are released from the fuel to the primary coolant due to

elevated temperatures. These activities, along with the initially cir

culating activity and the activity removed from surfaces due to SIVR,

are available for release with the primary coolant. Because of the dif

ference between the relief valve opening and closing setpoints, about

15% of the primary coolant and the fission products it contains at the

time of relief are released to the reactor building and subsequently to


the atmosphere. Table 0-16 presents the cumulative nuclide release to

the environment for the major contributors to dose.

Release category WC-2 is a moderate steam generator leak which

results in fission product release to the reactor building through the

primary relief valve and subsequently to the atmosphere. The release

category is identical to WC-6 with the exception that the primary relief

valve fails open. Two possible scenarios result in this release cate

gory. In the first, high-moisture levels are not detected by the mois

ture monitors. Reactor trip occurs within about 10 s on high power-to

flow ratio but moisture continues to enter the primary system. The

primary coolant pressure increases to the high pressure trip set point

in about 6 min, whereupon the PPIS initiates an HTS trip and steam gen

erator isolation. In the second possible scenario, the moisture moni

tors detect high moisture levels and respond as planned, to trip the

reactor and the HTS and to isolate the steam generator. However, the

steam generator dump valves fail to open. In both scenarios, operator

intervention within about 10 min succeeds in isolating the steam genera

tor, thus terminating the moisture ingress. Following the HTS trip, the

SCS fails to provide forced convection cooling and decay heat is subse

quently removed by conduction and radiation to the RCCS cooling panels.

A total of about 3000 kg (6600 lbm) of steam enters the primary system.

This ingress is sufficient to lift the primary relief valve. The valve

fails to reclose following a second relief. At the time of the final

relief (about 0.8 h), 6% of gaseous fission products in failed fuel are

released to the primary coolant by hydrolysis, and 0.16% of fission

products sorbed in bulk moderator graphite are released by graphite oxi

dation; the release from fuel due to elevated temperatures is insignifi

cant. These activities, along with the initially circulating activity

and the activity removed from surfaces due to steam-induced vaporization

and recirculation, are available for release with the primary coolant.

Primary coolant activity rapidly depressurizes through the open relief

valve into the reactor building, through the building dampers, and into

the atmosphere. The thermal transient prior to depressurization is like

0-63 OOE/HTGR-86-011/Rev. 3

a pressurized conduction cooldown, and afterwards, it is like a depres

surized conduction cooldown. Thermal expansion will transport some of

the fission products released during the slow thermal transient out of

the reactor vessel into the reactor building. These fission products

will be released slowly to the atmosphere via reactor building leakage,

and can be attenuated in the building due to radioactive decay,

settling, and plateout. Table D-16 presents the cumulative nuclide

release to the environment over the course of the accident for the major


Release category WC-1 is a small steam generator leak which results

in fission product release to the reactor building through the primary

relief valve and subsequently to the atmosphere. The category is iden

tical to WC-3 with the exception that the primary relief valve fails

open. A total ingress of 1090 kg (2400 lbm) has been assumed. Tempera

ture increases caused by the pressurized conduction cooldown and inven

tory increases caused by the reaction of steam· with graphite (one mole

of steam produces two moles gaseous reaction products) increase system

pressure to the relief valve setpoint. The valve opens at approximately

13 h, but fails to reseat, depressurizing the primary circuit inventory

into the reactor building, through the building dampers, and into the

atmosphere. The thermal transient prior to depressurization is like a

pressurized conduction cooldown; afterwards it is like a depressurized

conduction cooldown. Thermal expansion will transport some of the fis

sion products released during the slow thermal transient out of the

reactor vessel into the reactor building. These fission products will

be released slowly to the atmosphere via reactor building leakage, and

can be attenuated in the building due to radioactive decay, settling,

and plateout. Table D-16 presents the cumulative nuclide release to the

environment over the course of the accident for the major contributors

to dose.



analyzed is presented in Table 0-17 for 30-day exposure at the EAB for

thyroid and whole body gamma doses.



was developed in the AIPA safety assessment (Ref. 0-6). The method uses

simplified mathematical algorithms describing the consequence control



used in a Monte Carlo error propagation program which determines the


Cumulative probability distributions of independent variables are

specified as input to the program. This section describes the algo

rithms used for the consequences from conduction cooldowns under wet

conditions.

The dose consequence equation for conduction cooldown accidents

is the same as Eq. 0-2 in Section 0.1.3. The X/Q distribution is also

the same one described in Section 0.1.3. The factor fj in Eq. 0-2

accounts for time-dependent attenuation due to buildup, decay, set

tling, plateout, and other processes and is determined as described in

Section 0.1.3. Also, as in Section 0.1.3, the uncertainties in dose

effectivities Ci'j are not considered.

The initial activity for nuclide j for accidents involving

conduction cooldowns has an uncertainty that is determined by the

uncertainty of its components according to the following:

0-65 OOE/HTGR-86-011/Rev. 3

TABLE 0-17 NOMINAL DOSE CONSEQUENCE AT THE EAB FOR CONDUCTION

COOLDOWNS UNDER WET CONDITIONS

Release Dose at EAB (Rem)

Category Whole Body 7 Thyroid Bone Lung

WC-1 6.1-03 2.4+00 1.9-01 3.4-01

WC-2 1.6-03 3.7-01 3.0-02 1.1-01

WC-3 2.3-04 9.6-02 1.2-03 3.2-03

WC-4 1.4-04 5.4-02 4.9-04 2.0-03

WC-5 8.0-04 4.7-02 2.4-03 4.6-03

WC-6 5.5-05 2.1-02 2.5-04 1.0-03

WC-7 3.9-05 2.4-03 3.4-04 5.2-04

0-66 DOE-HTGR-86-011/Rev. 3

where Qi,j - source term activity due to forced convection coo1down

under wet conditions (Eq. D-7),

fT,j = fractional release of nuclide j due to temperature

increase,

QF,j = fuel body inventory of nuclide j.

The uncertainty distribution on all terms is lognormal. The com

ponents of the source term activity due to forced convection coo1down

under wet conditions and their uncertainty factors are given in Sec

tion D.2.3. The fuel body inventory has an uncertainty factor that

varies from 1.01 to 2.13. The uncertainty factor in the fractional

release due to elevated temperatures is 1.2 for all nuclides.


of the dose uncertainty analysis for thyroid and whole body gamma doses

for a 30-day exposure at the EAB are presented in Table D-18.

D.S. REFERENCES

D-1. GA Technologies Inc., proprietary data.

D-2. ~RATSAM, A Computer Program to Analyze the Transient Behavior of

the HTGR Primary Coolant System During Accidents," GA Report

GA-A1370S, May 1977.

D-3. Buckley, D. W., "TDAC: An Analytical Computer Program to Calcu

late the Time-Dependent Radiological Effects of Radionuc1ide

Release." GA Report GA-D13476, May 1976.

D-4. U.S. Nuclear Regulatory Commission (NRC), "Assumptions Used for

Evaluating the Potential Radiological Consequences of a Loss of

Coolant Accident for Pressurized Water Reactors," Regulatory

Guide 1.4, Revision 2. Washington, D.C., June 1974.


TABLE 0-18 DOSE UNCERTAINTY ANALYSIS AT THE EAB FOR FORCED

CONVECTION COOLDOWNS UNDER WET CONDITIONS

Doses at EAB (Rem)

Release Whole BodI 1 ThIroid

Category 5% Median 95% 5% Median 95%

WC-1 5.1-04 6.2-03 7.4-02 1. 7-01 2.4+00 3.4+01

WC-2 1.6-04 1.6-03 1.6-02 3.6-02 3.7-01 3.8+00

WC-3 1.9-05 2.3-04 2.7-03 6.7-03 9.6-02 1.4+00

WC-4 1.2-05 1.4-04 1. 7-03 3.8-03 5.4-02 7.7-01

WC-5 1.1-04 8.0-04 6.1-03 4.5-03 4.7-02 4.8-01

WC-6 5.5-06 5.5-05 5.6-04 2.1-03 2.1-02 2.2-01

WC-7 3.2-06 3.9-05 4.6-04 1. 7-04 2.4-03 3.5-02

0-68 DOE-HTGR-86-011/Rev. 3

D-5. u.s. Nuclear Regulatory Commission (NRC), "Preparation of

Environmental Reports for Nuclear Power Stations," Regulatory

Guide 4.2, Revision 2. Washington, D.C., July 1976.

D-6. Fleming, K. N., et a!., "HTGR Accident Initiation and Progression

Analysis Status Report - Phase II Risk Assessment," GA Report

GA-A15000, April 1978.

D-7. Slade, D. H., ed., Meteorology and Atomic Energy 1968, USAEC,

1968.

D-8. Barsell, A. W., et a!., "HTGR Accident Initiation and Progression

Analysis Status Report Volume VI. Event Consequences and Uncer

tainties Demonstrating Safety R&D Importance of Fission Product

Transport Mechanisms," GA Report GA-A13617, January 1976.

D-9. Peroomiam, M. B., A. W. Barsell, and J. C. Saeger, "OXIDE-3:

D-10.

D-11.

D-12.

D-13.

D-14.

D-15.

A Computer Code for Analysis of HTGR Steam or Air Ingress

Accidents," GA Report GA-A12493, 1974.

Skalyo, J. Jr., L. G. Epel, and C. Sastre, "An Analysis of the

Methods Utilized in OXIDE-3," BNL-NUREG-50810, April 1978.

GA Technologies Inc., unpublished data.

"TARGET Program Quarterly Progress Report for the Period Ending

May 31, 1965," GA Report GA-6418, June 1965.

"HTGR Base Program Quarterly Progress Report for the Period

Ending November 1971," GA Report GA-A10930, 1971.

GA Technologies, Inc., proprietary data.

"TAC2D - A General Purpose Two-Dimensional Heat Transfer Computer

Code," GA Report GA-A14032, July 1976.

D-16. Leach, C. E., and E. L. Kelley, Jr., HTAP-LOOP: A Stable Thermal

Analyzer Code for Thermal Analysis of Closed Hydraulic Systems,"

BNWL-1172, January 1970.

D-17. "SORS - Computer Program for Analyzing Fission Product Release

from HTGR Cores During Transient Temperature Excursions," GA

Report GA-A12462, April 1974.


en ICC = Q :c -IoU

~ ICC = en en IoU ICC a. IoU CI Q ... IoU :E i=

0.025 103

'0'

100

0.01

HT -001 (116)

0.254

LEAK SIZE (cm2)

2.54

WITHOUT HPS

WITH HPS

0.1 1

LEAK SIZE (IN.2)

25.4

10

Fig. 0-1. Time to depressurize the primary system as a function of primary coolant leak size

0-70 OOE/HTGR-86-011/Rev. 3

. UPPER CD -.. PLENUM

+1 TOP CD REFLECTOR

+2 CORE 0 +3

11 CD CORE

+4 CORE CD +5

® COOLANT BOnOM CD CHANNELS REFLECTOR

~ +6 CD

CD HOT 1 HOT I FINAL 1& PLENUM ... CROSS DUCT SUPERHEATER

11 +-LOWER ... 15 COLD @ INITIAL

PL.ENUMS CROSS DUCT SUPERHEATER @ @.

j ~ ~ + 14 + 10

® SCS CIRCULATOR @ EVAPORATOR INLET OUTLET ®

~ j ~

c c P 13 11

dr

20 SCS S/G ~ 12

OUTLET ANNULUS - ECONOMIZER @

HT-001(117) @ @

Fig. 0-2. RATSAM model used to determine shear stress distribution

0-71 OOE/HTGR-86-011/Rev. 3

'=' I ...., ,.,

'=' o l".I -~ ~ I co CJ\ I o I-' I-' -~ . w

PSEUDO SOURCE TERM VOL

HT -001(118)

* .. ,...

~

MHTGR REACTOR ..... FILTER ~ VESSEL BLDG ~- VOL VOL VOL ~ ....

~

FILTER --- FILTER VOL VOL

*TIME-DEPENDENT INPUT OF NUCLIDE ACTIVITY FROM VOLUME 1 TO VOLUME 2

.. FILTER -.. VOL !-

-

Fig. 0-3. TOAC model used to assess offsite dose at the EAB

ENVIRON· --. MENT ... (e.g. EAB)

LEAK SIZE (cm2)

0.025 0.25 2.5 25.4

~ 10-3

'" ~ w en = Q Q -= ~ > :: • WITH HPS t-

10-4

10-5 0.01 0.1 1 10

LEAK SIZE UN.2)

HT-001(119)

Fig. 0-4. Nominal thyroid dose at the EAB for primary coolant leaks

0-73 OOE/HTGR-86-011/Rev. 3

LEAK SIZE (cm2)

0.025 0.25 2.5 25.4 10-3 r---------.-------__ -----__

10-4

~ '" a: -Y.I CI)

10-5 c c c:J z = ...

10-6

10-7 ~_~_~~~_~_~~~~_~_~_L~~

0.01 0.1 1 10

LEAK SIZE (IN.2)

HT-001(120)

Fig. 0-5. Nominal lung dose at the EAB for primary coolant leaks

0-74 OOE/HTGR-86-011/Rev. 3

-~ w a: -w en CI CI w Z CI CD

0.025 10-3

10-4

10-5

10-6

LEAK SIZE (cm2)

0.25 2.5 25.4

10-7 ","-_..L-_..L--'-..I...I_--L_--L---'L....I.-'-_-'-_-'---L....J...L....I

0.01 OJ 1 10

LEAK SIZE (IN.2)

HT-001(121'

Fig. 0-6. Nominal bone dose at the EAB for primary coolant leaks

0-75 OOE/HTGR-86-011/Rev. 3

LEAK SIZE (cm2)

0.025 0.25 2.5 25.4

§" &A.I a::

10-4 -&A.I en Q Q

C[ WITH HPS :IE :IE II( c::I > Q Q III &A.I .... Q :: == 10-5

10-6

0.01 OJ 1 10

LEAK SIZE UN.2)

HT-001(122)

Fig. 0-7. Nominal whole body gamma dose at the EAB for primary coolant leaks

0-76 OOE/HTGR-86-011/Rev. 3

> t: .... a::I < a::I C a: A. w > i= < .... = :E = u

1

0.8

0.6

0.4

0.2

o 10-6

HT-001(123)

10-4

ATMOSPHERIC DISPERSION FACTOR SIM3

Fig. D-8. Probability distribution for the atmospheric dispersion factor used in uncertainty analysis of dose consequences


c I ....,

0)

c o tzJ -~ I 0) 0\ I o ..... ..... -~ . w

3000

2500

u:-c -w a:: ;:,

~ 2000 a:: w a. ::E w t-

1500

/ ..... , I "

" " ,~

MAXIMUM CORE ./ TEMPERATURE

/', /' '",-VERAGE CORE ___ _ ~EMPERATURE _____ _

1000 ' f

o 100 200 300 400 500 600 100 800 900

TIME PAST LOSS OF FORCED CIRCULATION HOURS HT -001 (124)

Fig. D-9. Thermal transient during a depressurized conduction cooldown

1000

TOP REFLECTOR RADIAL DIRECTION

16000C

z CI ~ ~ IoU a: 14000C CI ...I

:! ACTIVE CORE )( ct

10000C

600°C

BOTTOM REFLECTOR

HT-001(125)

Fig. D-10. Isotherm plot at 80 h during thernal transient due to depressurized conduction cooldown


t1 I co 0

t1 o tzJ -ei ~ I co 0\ I o .... .... -~ . w

3000

MAXIMUM CORE TEMPERATURE 2000

Li:' «!..... w a: =

...-.------------------- " ------"-"",..",,,.,. AVERAGE CORE TEMPERATURE .... ee a: w a.. ::E W ....

1000

o o 40 80 120 160 200

TIME (HOURS)

HT -001 (126)

Fig. D-11. Thermal transient during a pressurized conduction cooldown

o 200

150 ~

100 ~

TIME (DAY$)

5

I

10

I

1-132 ------------~ .. -------.. -----. , .

" 1 .... 131 • ___ ----------, .---------50 ~

" ~.----------------~

__ --J'" /

/1/· // .

.tf1II' J-133 .~

o o

HT-001(127)

//'-/ ~/'/ ,. TE-132

~--...... ---............ -.. -........ ---.. -... -.... -KR-88 I --r

50 100 150 200 250

TIME PAST REACTOR TRIP (HOURS)

Fig. D-12. Cumulative fission product release from core during pressurized conduction cooldown (DC-9)

D-S1 DQE-HTGR-S6-011/Rev. 3

o 200

150

100

50

o o

HT-001(128)

TIME ,11JA!I)'y :~;

5 ; 10

1-132 .' ~ •••• " •••••••• _ •• . -.,,~ ... ~ .. . ·t~·""·-..... ~.~ . • -. 1-133 , . • .. - .... ,_. __ .. __ ._ .. _ . ..... -- . .

,il,1· 1-1~t ' ", /-:l' ,

/:l~ - I ,~ 1/ -. /1

II -: • .:

TE:"'132 '. _-----------,- , --------~" ,," _._.~t!' KR"'88 ..... -... _--------- ..... -----------

50 " 150 :'l 200 250

TIME PAST REACTOR'TRIP (HOllRS)

Fig. 0-13 •. Cuma1:ative fission prpduct. release,·.frOJD core during a depressurized conductioJl" cooldown with small primary cool(ant leak (Oc.;.S ,. ~6; -7 ,.an.' -8~

OOE-HTGR-86-011/Rev. 3

Documents

DOE-HTGR-86-011, Rev. 3, Vol. 2, Supplement Probabilistic ... · PLANT RESPONSE AND SYSTEM RELIABILITY MODELS 7. ACCIDENT FREQUENCY ASSESSMENT 8. ACCIDENT CONSEQUENCES •• 9. RISK