THE ASSESSMENT OF LOW PROBABILITY CONTAINMENT FAILURE MODES USING DYNAMIC PRA DISSERTATION


Presented in Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the Graduate School of The Ohio State University

By Acacia Joann Brunett
Graduate Program in Nuclear Engineering
The Ohio State University
2013

Dissertation Committee:
Professor Tunc Aldemir, Advisor
Professor Richard Denning
Professor Carol Smidts

Copyright by Acacia Joann Brunett 2013

Abstract

Although low probability containment failure modes in nuclear power plants may lead to large releases of radioactive material, these modes are typically crudely modeled in system level codes and have large associated uncertainties. Conventional risk assessment techniques (i.e. the fault-tree/event-tree methodology) are capable of accounting for these failure modes to some degree; however, they require the analyst to pre-specify the ordering of events, which can vary within the range of uncertainty of the phenomena. More recently, dynamic probabilistic risk assessment (DPRA) techniques have been developed which remove the dependency on the analyst. Through DPRA, it is now possible to perform a mechanistic and consistent analysis of low probability phenomena, with the timing of the possible events determined by the computational model simulating the reactor behavior.

The purpose of this work is to utilize DPRA tools to assess low probability containment failure modes and the driving mechanisms. Particular focus is given to the risk-dominant containment failure modes considered in NUREG-1150, which has long been the standard for PRA techniques. More specifically, this work focuses on the low probability phenomena occurring during a station blackout (SBO) with late power recovery in the Zion Nuclear Power Plant, a Westinghouse pressurized water reactor (PWR). Subsequent to the major risk study performed in NUREG-1150, significant experimentation and modeling regarding the mechanisms driving containment failure modes have been performed. In light of this improved understanding, NUREG-1150 containment failure modes are reviewed in this work using the current state of knowledge. For some unresolved mechanisms, such as containment loading from high pressure melt ejection and combustion events, additional analyses are performed using the accident simulation tool MELCOR to explore the bounding containment loads for realistic scenarios.

A dynamic treatment in the characterization of combustible gas ignition is also presented in this work. In most risk studies, combustion is treated simplistically in that it is assumed an ignition occurs if the gas mixture achieves a concentration favorable for ignition under the premise that an adequate ignition source is available. However, the criteria affecting ignition (such as the magnitude, location and frequency of the ignition sources) are complicated. This work demonstrates a technique for characterizing the properties of an ignition source to determine a probability of ignition. The ignition model developed in this work and implemented within a dynamic framework is utilized to analyze the implications and risk significance of late combustion events.

This work also explores the feasibility of using dynamic event trees (DETs) with a deterministic sampling approach to analyze low probability phenomena. The flexibility of this approach is demonstrated through the rediscretization of containment fragility curves used in construction of the DET to show convergence to a true solution. Such a rediscretization also reduces the computational burden introduced through extremely fine fragility curve discretization by subsequent refinement of fragility curve regions of interest. Another advantage of the approach is the ability to perform sensitivity studies on the cumulative distribution functions (CDFs) used to determine branching probabilities without the need for rerunning the simulation code.

Through review of the NUREG-1150 containment failure modes using the current state of knowledge, it is found that some failure modes, such as Alpha and rocket, can be excluded from further studies; other failure modes, such as failure to isolate, bypass, high pressure melt ejection (HPME), combustion-induced failure and overpressurization are still concerns to varying degrees. As part of this analysis, scoping studies performed in MELCOR show that HPME and the resulting direct containment heating (DCH) do not impose a significant threat to containment integrity. Additional scoping studies regarding the effect of recovery actions on in-vessel hydrogen generation show that reflooding a partially degraded core does not significantly affect hydrogen generation in-vessel, and the NUREG-1150 assumption that insufficient hydrogen is generated in-vessel to produce an energetic deflagration is confirmed.

The DET analyses performed in this work show that very late power recovery produces the potential for very energetic combustion events which are capable of failing containment with a non-negligible probability, and that containment cooling systems have a significant impact on core concrete attack, and therefore combustible gas generation ex-vessel. Ultimately, the overall risk of combustion-induced containment failure is low, but its conditional likelihood can have a significant effect on accident mitigation strategies. It is also shown in this work that DETs are particularly well suited to examine low probability events because of their ability to rediscretize CDFs and observe solution convergence.

Dedication

This work is dedicated to my family, whose support has given me limitless opportunities, and especially to Kitty, the best companion anyone could ask for.

Acknowledgments

I would like to thank Professor Richard Denning for the years of guidance and support throughout my graduate work, and for keeping my work focused and on track. I have been very fortunate that he has shared his knowledge and experience with me over the years.

I would like to thank Professor Tunc Aldemir for his support and insights during the last few years, and for allowing me to pursue my research, wherever it led. He has also provided me with invaluable knowledge regarding the many facets of publishing in academia, which I would have otherwise learned the hard way.

I would like to thank Kyle Metzroth for his limitless guidance regarding Linux and ADAPT (and many things in between). Without him, this work would have been impossible.

I would like to thank the Nuclear Regulatory Commission for support of my work through an NRC Fellowship.

Lastly, I would like to thank my family, who has been an inspiration to me. To my parents, Bruce M. and Barbara Brunett, thank you for this opportunity. To my siblings, Bruce A. and Miranda, thank you for the advice and loving support. To Matt, thank you for always being there for me, and for keeping me grounded.

Vita

June  Portage Area High School
May  B.S. Engineering Physics, Juniata College
Graduate Teaching Associate, Department of Nuclear Engineering, The Ohio State University
Graduate Fellow, The Ohio State University
August  M.S. Nuclear Engineering, The Ohio State University

Publications

1. A. Brunett, R. Denning, and T. Aldemir, A Reassessment of Low Probability Containment Failure Modes, Proceedings of the 2012 ANS Winter Embedded Topical Meeting: Severe Accident Assessment and Management: Lessons Learned from Fukushima Dai-ichi, San Diego, CA, November 11-15,
2. M. Umbel, A. Brunett and R. Denning, Containment Source Terms in SFR Accidents, Proceedings of the ANS PSA 2011 International Topical Meeting on Probabilistic Safety Assessment and Analysis, Wilmington, NC, March 13-17,
3. A. Brunett, W. Wutzler and R. Denning, Containment Processes in Sodium-Cooled Fast Reactor Accidents, Proceedings of the ANS PSA 2011 International Topical Meeting on Probabilistic Safety Assessment and Analysis, Wilmington, NC, March 13-17,
4. R. Denning, A. Brunett, D. Grabaskas, M. Umbel and T. Aldemir, Toward More Realistic Source Terms for Metallic-Fueled Sodium Fast Reactors, Proceedings of the 2010 ICAPP Meeting, San Diego, CA, June 13-17,
5. A. Brunett, R. Denning and T. Aldemir, Applications of Limit Curves to the Risk-Informed Regulation of Sodium Fast Reactors, Transactions of the 2009 ANS Annual Meeting, Atlanta, GA, June 14-18,

Fields of Study

Major Field: Nuclear Engineering

Table of Contents

Abstract
Dedication
Acknowledgments
Vita
Table of Contents
List of Tables
List of Figures
List of Acronyms

Chapter 1: Introduction
  Problem Description
  Objective
  Scope
  Dissertation Overview

Chapter 2: Background
  Probabilistic Risk Assessment
  Historical Remarks
  Conventional Probabilistic Risk Assessment
  Dynamic Probabilistic Risk Assessment
  Regulatory Approach to PRA Post-Fukushima
  Containment Failure Mechanisms and Relevant Severe Accident Phenomenology
  High Pressure Melt Ejection
  Steam Explosions
  Alpha-Mode Failure
  Rocket Mode Failure
  Containment Melt-Through
  Containment Isolation Failure and Bypass Mechanisms
  Combustible Gas Generation and Ignition
  Impact of Recovery Actions
  Containment Degradation
  Review of NUREG-1150 Zion PRA
  NUREG-1150 Containment Failure Modes and Current State of Knowledge
  Accident Progression Event Trees
  2.5. Computer Codes
  MELCOR Overview
  ADAPT Software Overview

Chapter 3: MELCOR Model
  System Model
  Primary System
  Secondary System
  Safety Systems and Components
  Containment and Environment
  Scenario Description
  Scenarios Considered in Sensitivity/Scoping Studies
  Level 1 Accident Progression and Selection of Level 2 Candidates for DET Analysis

Chapter 4: ADAPT Model
  Active Components/Systems Branching Classes
  Auxiliary Feedwater System
  Charging Pumps
  Residual Heat Removal Pumps
  Safety Injection Pumps
  Recirculation System
  Service Water and Component Cooling Water Systems
  Valve Failure
  Containment Fan Coolers
  Containment Sprays
  Procedures
  ECA
  ECA
  ECA
  Switchover to Recirculation Mode
  Passive Components and Severe Accident Phenomenology
  Accumulators
  Creep Rupture of RCS Components
  Reactor Coolant Pump Seal Failures
  Power Recovery
  Combustible Gas Ignition
  Containment Failure

Chapter 5: Approach for Analysis of Likelihood of Combustible Gas Ignition
  Consideration of Minimum Ignition Energy
  5.2. Spark Energy and Frequency
  Probability of Ignition

Chapter 6: Approach to Cumulative Distribution Function Refinement
  Motivation
  Sequential Discretization Technique

Chapter 7: Results and Analyses
  Combustible Gas Generation Sensitivity/Scoping Studies
  In-Vessel Hydrogen Generation
  Ex-Vessel Gas Generation
  Containment Loading Sensitivity/Scoping Studies
  High Pressure Melt Ejection Cases
  Hydrogen and Carbon Monoxide Combustion Cases
  DET Results
  Combustible Gas Generation
  Containment Loading from Combustion Events
  Effect of Ignition Delay
  Containment Failure Likelihood
  Analysis of Containment Failure Using Degraded Fragility Curve
  Refinement of Containment Fragility CDF

Chapter 8: Conclusions and Recommendations for Future Work
  Capabilities and Limitations of Software Tools
  NUREG-1150 Containment Failure Modes
  Implications of Late Combustion Events Following Deinerting
  An Accident Management Risk Perspective
  Modeling Uncertainties Affecting Combustion Analysis
  Recommendations for Future Work

References
Appendix A: NUREG-1150 APET for Zion
Appendix B: Containment Degradation Fragility Curves

List of Tables

Table 2.1: Parallel plate quenching distance and minimum ignition energy versus hydrogen concentration [81]
Table 2.2: Ability of common electrical equipment to ignite lean hydrogen mixtures [81]
Table 2.3: Change in LERF (yr⁻¹) from degradation [86]
Table 2.4: Packages in MELCOR software
Table 3.1: Description of PDS bin characteristics
Table 3.2: PDSs resulting from the Level 1 analysis and their conditional probabilities
Table 4.1: Branch probabilities for TDAFW success or failure on demand
Table 4.2: Branch probabilities for MDAFW system success or failure on demand
Table 4.3: Branch probabilities for charging pump success or failure on demand
Table 4.4: Branch probabilities for RHR pump success or failure on demand
Table 4.5: Branching probabilities for SI pumps success or failure on demand
Table 4.6: Branching probabilities for success or failure of the low-head and high-head recirculation systems on demand
Table 4.7: Branching probabilities for the success or failure of SW/CCW systems called upon following the transient
Table 4.8: Branching probabilities for the success or failure of SW/CCW systems called upon following power recovery
Table 4.9: Branch probabilities for fan cooler states on demand
Table 4.10: Branch probabilities for containment spray states on demand
Table 4.11: Steps in procedure ECA-0-0 implemented in the ADAPT model prior to power recovery
Table 4.12: Steps in procedure ECA-0-0 implemented in ADAPT model following power recovery
Table 4.13: Steps in procedure ECA-0-1 implemented in ADAPT model
Table 4.14: Steps in procedure ECA-0-2 as implemented in ADAPT model
Table 4.15: Steps in recirculation switchover procedure as implemented in ADAPT model
Table 4.16: Branch probabilities for accumulator failure states in ADAPT model
Table 4.17: Branch probabilities for pump seal LOCA by binding and popping failure modes
Table 4.18: Branching times at which power recovery is questioned and their associated probabilities
Table 4.19: Branching probabilities as a function of containment pressure for the various containment failure modes considered in the dynamic model
Table 6.1: Consequences and risks using endpoint and midpoint bin approximations of a CDF for linearly decreasing consequences
Table 6.2: Expected risk results for the exact solution, endpoint approximation and midpoint approximation of a CDF for exponentially decreasing consequences
Table 7.1: In-vessel hydrogen generation cases and their respective results
Table 7.2: Ex-vessel combustible gas generation sensitivity cases
Table 7.3: Ex-vessel combustible gas generation results for containment cooling cases
Table 7.4: Ex-vessel gas generation results for debris conduction study
Table 7.5: HPME debris distribution sensitivity cases
Table 7.6: HPME modeling coefficients sensitivity cases
Table 7.7: Combustion load analysis cases
Table 7.8: Containment loading from combustion cases
Table 7.9: Runtime statistics for DET experiments. Significant scenarios are classified as those having a probability larger than 1.0E
Table 7.10: Bin characteristics for Level 2 DET results
Table 7.11: Binned APBs and their corresponding conditional probabilities (conditional on core damage) for the depressurized and pressurized DETs
Table 7.12: Conditional probability of failure by mode due to combustion event for depressurized DET
Table 7.13: Comparison of conditional probabilities for various power recovery scenarios in the depressurized DET using the Zion fragility curve and a degraded fragility curve
Table 7.14: Endpoint and midpoint three bin approximations for the NUREG-1150 Zion fragility curve
Table 7.15: Endpoint and midpoint nine bin approximations for the NUREG-1150 Zion fragility curve
Table 7.16: Number of leak scenarios per bin for three bin approximation
Table 7.17: Number of leak scenarios per bin for nine bin approximation
Table 7.18: Total conditional probabilities for combustion-induced containment failure for leak and rupture failure modes

List of Figures

Figure 2.1: Schematic of Surtsey vessel and scaled Zion structures used in IET series [45]
Figure 2.2: Schematic of scaled Zion model representing the reactor cavity [45]
Figure 2.3: Minimum ignition energy of hydrogen-humid air (relative humidity of 90%) and hydrogen-dry air mixture [77]
Figure 2.4: Minimum ignition energy of hydrogen-dry air mixtures (solid line) for varying gap distances [77]
Figure 2.5: Normalized peak pressure as a function of percent hydrogen in hydrogen:air mixtures [83]
Figure 2.6: Cumulative probability of failure for the original and degraded cases of a prestressed containment [86]
Figure 2.7: Early phase CET for a large, dry PWR containment [17]
Figure 2.8: Late phase CET for a large, dry PWR containment [17]
Figure 2.9: Example of containment fragility curve
Figure 3.1: Schematic of Zion primary and secondary nodalization. Black numbers indicate control volumes, red numbers indicate flow paths [96]
Figure 3.2: Schematic of the Zion containment in the MELCOR model. The boundaries of the containment building are represented by the outermost edges of the control volumes. Note that the annular volume is a single ring-shaped volume, but represented in this two-dimensional figure as two separate volumes
Figure 5.1: Minimum ignition energy as a function of diluent (carbon dioxide) concentration [79]
Figure 6.1: Example of fragility curve using endpoints of bins to characterize the probability of failure
Figure 6.2: Simplistic example of linearly increasing pressure
Figure 6.3: Simplistic CDF of failure pressure, where the domain values correspond to bin numbers
Figure 7.1: Carbon monoxide production from CCI for ex-vessel gas generation cases
Figure 7.2: Zion containment fragility curve and containment loads for combustion cases
Figure 7.3: Behavior of carbon monoxide generation for depressurized DET for each power recovery time
Figure 7.4: Cavity water levels for depressurized DET
Figure 7.5: Peak pressure resulting from burn as a function of power recovery time for depressurized DET
Figure 7.6: Peak pressure resulting from burn as a function of power recovery time for pressurized DET
Figure 7.7: Cumulative probability (conditional on core damage) of peak combustion-induced pressure for all power recovery times for both DETs
Figure 7.8: Peak pressure from combustion event as a function of the time delay between power recovery and the burn for the depressurized DET
Figure 7.9: Peak pressure from combustion event as a function of the time delay between power recovery and the burn for the pressurized DET
Figure 7.10: Cumulative probability (conditional on core damage) of peak pressure for varying delays in ignition relative to power recovery. The conditional likelihood of scenarios with ignition delays of 12 hr to 15.9 hr was zero
Figure 7.11: Peak pressure for each burn as a function of the power recovery time for the depressurized DET
Figure 7.12: Peak pressure for each burn as a function of the power recovery time for the pressurized DET
Figure 7.13: Effect of containment cooling on ECMF for depressurized DET for a scenario with power recovery at 28 hr (red line) and 32 hr (blue line)
Figure 7.14: Effect of ignition delay on magnitude of combustion event for depressurized DET
Figure 7.15: Degraded fragility curve from [86] and Zion fragility curve [64] implemented in ADAPT model
Figure A.1: Questions 1 through 30 of the Zion APET* [64]
Figure A.2: Questions 31 through 60 of the Zion APET [64]
Figure A.3: Questions 61 through 72 of Zion APET [64]
Figure B.1: Fragility curves for leak failure mode at corroded location [86]
Figure B.2: Fragility curves for rupture and catastrophic rupture failure modes for corroded cases [86]
Figure B.3: Fragility curves for 50% area reduction in tendons at midheight [86]
Figure B.4: Fragility curves for loss of prestressing of 50% of midheight tendons [86]

List of Acronyms

ADAPT   Analysis of Dynamic Accident Progression Trees
AFW     Auxiliary Feedwater
APB     Accident Progression Bin
APET    Accident Progression Event Tree
ASME    American Society of Mechanical Engineers
BDBA    Beyond Design Basis Accident
BMT     Basemat Melt-Through
BWR     Boiling Water Reactor
CCI     Core Concrete Interaction
CCW     Component Cooling Water
Cdf     Core Damage Frequency
CDF     Cumulative Distribution Function
CET     Containment Event Tree
CFD     computational fluid dynamics
DCH     Direct Containment Heating
DDT     Deflagration to Detonation
DET     Dynamic Event Tree
DPRA    Dynamic Probabilistic Risk Assessment
ECCS    Emergency Core Cooling System
ECMF    Effective Combustion Mole Fraction
FCI     Fuel-Coolant Interaction
HPME    High Pressure Melt Ejection
IDCOR   Industry Degraded Core Rule-Making
IE      Initiating Events
IET     Integral Effects Test
ILRT    Integrated Leak Rate Test
IPE     Individual Plant Evaluations
LERF    Large Early Release Frequency
LOCA    Loss of Coolant Accident
LOSP    Loss of Offsite Power
LST     Limit State Test
MDAFW   Motor Driven Auxiliary Feedwater
MFW     Main Feedwater
MIE     Minimum Ignition Energy
NEA     Nuclear Energy Agency
NRC     Nuclear Regulatory Commission
NUPEC   Nuclear Power Engineering Corporation
OECD    Organization for Economic Co-operation and Development
PDS     Plant Damage State
PORV    Power Operated Relief Valve
PRA     Probabilistic Risk Assessment
PRT     Pressurizer Relief Tank
PWR     Pressurized Water Reactor
QHO     Quantitative Health Objectives
RCP     Reactor Coolant Pump
RCS     Reactor Coolant System
RHR     Residual Heat Removal
ROAMM   Risk Oriented Accident Analysis Methodology
RPV     Reactor Pressure Vessel
RWST    Refueling Water Storage Tank
SBO     Station Blackout
SFMT    Structural Failure Mode Test
SGTR    Steam Generator Tube Rupture
SI      Safety Injection
SIT     Structural Integrity Test
SNL     Sandia National Laboratories
SRV     Safety Relief Valve
SW      Service Water
TDAFW   Turbine Driven Auxiliary Feedwater

Chapter 1: Introduction

1.1. Problem Description

Historically in the United States, safety assessment of the operation of nuclear power plants was carried out through deterministic analyses. In this deterministic approach, uncertainties in the mechanisms and phenomena affecting severe accident progression were not considered in a probabilistic fashion, and instead were accounted for with conservative assumptions. Analysts utilized expert elicitation to develop what were considered at the time to be credible accident scenarios. The deterministic approach led to a defense-in-depth approach based on redundant and diverse safeguards which are still utilized today.

Beginning in the mid-1970s with the release of the WASH-1400 Reactor Safety Study [1], the regulatory environment began to transition toward a less conservative approach to risk analysis. Probabilistic risk assessment (PRA) has since been used to assess the risks associated with the operation of nuclear power plants. In the WASH-1400 PRA, which was the first major PRA as discussed in Section 2.1.1, the ability to analyze severe accident processes was very limited. Subsequent experimentation and model development have indicated that many of the challenges to containment integrity were conservative. Although the NUREG-1150 PRA [2] had the benefit of considerable severe accident research, there was still substantial subjective judgment used in assessing containment failure probability and timing.

When assessing the impacts of risk to human health or land contamination using PRA, the timing and mode of containment failure have been found to have a major effect on accident consequences and the associated risks [2]. However, the mechanisms and phenomena that could potentially result in containment failure, particularly early failure, are still not fully understood. System level codes, such as MELCOR [3] or MAAP [4], are capable of performing complete, consistent analyses for severe accidents, but the low probability phenomena that typically drive containment failure tend to be somewhat approximately modeled in these codes, so that severe accident progression and consequences and the associated risks can vary greatly when considering phenomenological uncertainties. The NRC's SOARCA [5] program has attempted to use current methodologies to better characterize the progression of severe accident scenarios. The number of scenarios analyzed in SOARCA to date is limited, however, and this work has not yet been incorporated into a PRA.

Furthermore, the severe fuel damage, containment failure and extensive release of radioactive material experienced at the Fukushima Dai-ichi plant have raised concerns about severe accidents in nuclear plants world-wide. Within the U.S. there will likely be increased regulatory oversight of beyond design basis accidents and a renewed emphasis on low likelihood events with potentially high consequences, as well as on the effects of recovery actions on accident progression.

The conventional approach to PRA within the industry and regulating agencies relies on a static methodology utilizing event trees in which the order of events is fixed. However, when considering sources of variability and phenomenological uncertainty, it is quite possible that the order of events can change [6]. Furthermore, if the assessment of branching probabilities relies heavily on expert judgment, as was the case in the NUREG-1150 [2] risk study, the reproducibility of results with different analysts is likely to be poor. In order to account for uncertainty in the timing of key events, like combustion of hydrogen and carbon monoxide, within a fixed event tree structure, the NUREG-1150 approach was to assume that the event could happen in various time periods and to use approximate formulas to account for the impact on containment conditions of earlier events. As a result, the assessment of containment failure probabilities had phenomenological inconsistencies and was impossible to validate.

In recent years, the increase in computing power, the development of higher-fidelity computer models and the effort to eliminate the inconsistencies in static PRAs have led to the development of dynamic event tree (DET) analysis [6] [7] [8], where DETs describe accident progression by explicitly considering time and stochastic system behavior probabilistically. Although it is not possible to completely avoid expert judgment, by explicitly accounting for time and possible scenarios arising from uncertainties associated with the hardware/software/human behavior and phenomenology, a DPRA using DETs can be performed in a manner that is mechanistically consistent with the models in the system code used to simulate accident progression. In principle, a DET analysis is capable of considering the full range of uncertainties for low probability phenomena leading to containment failure to capture the true risk resulting from these low probability events.

1.2. Objective

The objective of this work is to reassess the likelihood of low probability, risk significant containment failure modes and mechanisms using the current state of knowledge for a station blackout (SBO) scenario in a pressurized water reactor (PWR). Specifically, the containment failure modes considered in NUREG-1150 [2] for the Zion Nuclear Power Plant will be reviewed in detail. Subsequent experimentation and modeling regarding the underlying mechanisms leading to containment failure have led to the resolution of some failure modes, such as Alpha Mode failure [9], such that these failure modes can be excluded from future consideration. Based on this review, some phenomena that still appear to have significant potential for causing containment failure, in particular combustible gas generation and ignition and its effect on containment loading, are explored using DETs.

This work will also demonstrate a methodology to mechanistically treat combustible gas ignition. Typically in most risk studies, hydrogen combustion is treated simplistically in that if a gas mixture is in a regime favorable for ignition, it is assumed to ignite. The mechanisms leading to ignition in a containment building are substantially more complicated than typically modeled, since ignition is highly dependent on the magnitude, frequency and location of the ignition source in addition to the properties of the mixture. Furthermore, very little literature exists regarding ignition sources in a containment building. For this reason, development of a methodology for mechanistically assessing the probability of gas ignition based on the type of ignition source and properties of the gas mixture is required if ignition is to be modeled realistically.

The software used to generate DETs is ADAPT [6]. One of the benefits of the ADAPT approach to DETs is the ability to modify the cumulative distribution functions (CDFs) used in the branching process after the fact, without the need to go through a costly reanalysis. Another aspect of this benefit is the ability to refine the CDFs in areas of sensitivity and run additional scenarios while still making full use of all of the scenarios run previously. This enables the analyst to perform successive refinements in a way to check convergence at a relatively small computation cost. An intent of this work is to explore the feasibility of utilizing this feature of the ADAPT approach to analyze the low probability phenomena which lead to early containment failure. A strategy is demonstrated for the refinement of containment fragility curves to converge on the low probability of a gas explosion subsequent to power restoration leading to containment failure.

1.3. Scope

This work focuses on the analysis of an SBO scenario in a large, dry PWR using the severe accident simulation code MELCOR [2]. A series of scoping studies are performed to assess the sensitivity and bounding conditions for the unresolved containment failure mechanisms, including the effect of accident mitigation strategies on combustible gas generation and ignition, using the MELCOR code to analyze predefined scenarios. In these scoping studies, the analysis begins with accident initiation (i.e. a loss of offsite power (LOSP)) and extends beyond the time of containment failure. These scoping studies explore the effects of reflooding a degraded core at varying times and flow rates to assess the effect on combustible gas generation and the magnitude of potential containment loads from combustion events.

For the dynamic probabilistic portion of this work, an SBO scenario with late power recovery is analyzed using MELCOR coupled with the DET generator ADAPT [6]. The period of the dynamic analysis includes the onset of core damage to containment failure, which is typically considered a Level 2 analysis in a PRA. The ADAPT model makes use of work previously completed at The Ohio State University [10], but also incorporates new models developed specifically for this work, such as a combustible gas ignition model. In the dynamic analysis, the success or failure of various systems and components is considered. The effects of passive phenomena, such as creep rupture or pump seal failure, are also included in the analysis considered. Simplistic models for emergency depressurization procedures are included in the ADAPT model, but no human reliability model is included in this analysis.

Results of the DET analysis focus on the effect of recovery actions and combustion events on the likelihood of containment failure. The probability of containment failure is assessed using a fragility curve that is consistent with the as-built state of the plant and a curve representative of degradation of the pre-stressing system. The effect of rediscretization of the fragility curves is evaluated in leading to a converged assessment of containment failure probability.
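The refinement of a discretized fragility CDF described in the Objective and Scope sections can be illustrated with a short script. This is an added example, not code from the dissertation or from ADAPT: the lognormal fragility curve, its parameters, the scenario peak pressures and their probabilities are all constructed, and the endpoint/midpoint rules are one reading of the bin approximations named in the List of Tables, with peak loads treated as fixed outputs of scenarios already run.

```python
import math
from bisect import bisect_right

# Constructed fragility curve: lognormal CDF of containment failure pressure.
# Median and log-standard deviation are illustrative, not Zion data.
MEDIAN_MPA = 1.0
BETA = 0.15

# Constructed scenario set: (peak combustion pressure in MPa, conditional probability).
SCENARIOS = [(0.55, 0.6), (0.70, 0.3), (0.95, 0.1)]


def fragility_cdf(p):
    """Cumulative probability that containment has failed at pressure p (MPa)."""
    if p <= 0.0:
        return 0.0
    z = math.log(p / MEDIAN_MPA) / BETA
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def exact_failure_probability(scenarios):
    """Reference answer: evaluate the continuous CDF at each scenario's peak load."""
    return sum(w * fragility_cdf(load) for load, w in scenarios)


def binned_failure_probability(edges, scenarios, rule="endpoint"):
    """Failure probability when the CDF is only questioned at discrete pressures.

    endpoint: a bin's probability is credited once the load reaches its upper edge.
    midpoint: a bin's probability is credited once the load reaches its midpoint.
    """
    total = 0.0
    for load, w in scenarios:
        if load < edges[0]:
            continue  # load never reaches the first branching pressure
        j = bisect_right(edges, load) - 1  # index of the largest edge <= load
        p_fail = fragility_cdf(edges[j])
        if rule == "midpoint" and j + 1 < len(edges):
            if load >= 0.5 * (edges[j] + edges[j + 1]):
                p_fail = fragility_cdf(edges[j + 1])
        total += w * p_fail
    return total


def refine_occupied_bins(edges, scenarios, parts=3):
    """Split only the bins that contain a scenario load; all old edges are kept,
    so branches already evaluated at those pressures remain valid."""
    occupied = {bisect_right(edges, load) - 1
                for load, _ in scenarios if edges[0] <= load < edges[-1]}
    new_edges = []
    for k in range(len(edges) - 1):
        lo, hi = edges[k], edges[k + 1]
        new_edges.append(lo)
        if k in occupied:
            new_edges.extend(lo + (hi - lo) * i / parts for i in range(1, parts))
    new_edges.append(edges[-1])
    return new_edges


def convergence_study(levels=6):
    """Start from three bins and refine the regions of interest level by level."""
    edges = [0.4, 0.8, 1.2, 1.6]
    exact = exact_failure_probability(SCENARIOS)
    history = []
    for level in range(levels + 1):
        history.append({
            "level": level,
            "edges": len(edges),
            "endpoint": binned_failure_probability(edges, SCENARIOS, "endpoint"),
            "midpoint": binned_failure_probability(edges, SCENARIOS, "midpoint"),
        })
        edges = refine_occupied_bins(edges, SCENARIOS)
    return exact, history


if __name__ == "__main__":
    exact, history = convergence_study()
    print(f"continuous CDF: {exact:.5f}")
    for row in history:
        print(f"level {row['level']}: {row['edges']:3d} edges  "
              f"endpoint {row['endpoint']:.5f}  midpoint {row['midpoint']:.5f}")
```

Because every refinement keeps the earlier bin edges, the endpoint estimate can only move toward the continuous answer, and the number of edges grows far more slowly than a uniform discretization of the same resolution would require.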

1.4. Dissertation Overview

Chapter 2 of this dissertation provides the background and historical context for this work. PRA methodologies, containment failure mechanisms, the containment failure modes of NUREG-1150 and the computational codes utilized in this work are discussed in this chapter.

Chapters 3 and 4 present the computational models in depth. Chapter 3 provides detailed information regarding the MELCOR model and candidate scenarios used in this analysis. Chapter 4 discusses the ADAPT model used for this work, specifically the branching classes used for DET generation in detail.

Chapters 5 and 6 describe the methodologies used for various components of the DET analysis. Chapter 5 describes the approach for analysis of combustible gas ignition, including the consideration of ignition sources in addition to properties of the mixture that affect ignition. Chapter 6 presents and discusses the methodology for refinement of the containment fragility curve.

Chapter 7 provides the results of both the initial scoping studies and the full DET analysis. The primary output of interest is the probability of containment failure as the result of recovery actions that result in depressurization of containment, deinerting of the containment atmosphere and a large gas explosion resulting in failure of the containment. Lastly, Chapter 8 discusses the conclusions of this study and provides recommendations for future work.

Chapter 2: Background

This chapter provides background information related to the work performed in this analysis. Section 2.1 discusses the various risk assessment techniques. Section 2.2 discusses the containment failure mechanisms and severe accident phenomenology relevant to this work. Section 2.3 provides an overview of containment degradation. Section 2.4 reviews the findings of the NUREG-1150 study for Zion. Lastly, section 2.5 provides an overview of the computational software used in this analysis.

Probabilistic Risk Assessment

This section provides background information regarding the development and evolution of PRA as a safety assessment tool. Section discusses the history of PRA development and provides information about the use of PRA in risk-informed regulation. Section discusses conventional (static) PRA and the methodologies it employs. Section describes dynamic PRA techniques. Lastly, Section discusses how regulatory approach may be changed in this post-Fukushima environment.

Historical Remarks

The process of risk assessment entails quantifying the severity and likelihood of potential consequences from a particular event. To accomplish this, three characteristics of a system must be identified: potential failures, the likelihood of these failures, and the consequences of these failures. Prior to 1975, the safety of nuclear power plant operation was assessed using deterministic methods. Initially that methodology relied heavily on conservative assumptions to account for limitations in the state of knowledge of accident processes. With time, as the fidelity of safety analysis methods improved, confidence in these methods increased and computer speed increased, the regulatory philosophy changed from one of conservative regulatory models to best-estimate plus uncertainty analysis. In 1975, the Nuclear Regulatory Commission (NRC) released the Reactor Safety Study, WASH-1400, which was the first significant risk study performed for a nuclear power plant [1]. While setting the standard for risk assessment in the nuclear industry at that time, the study was criticized for its limited treatment of human reliability, common cause failure, external events, severe accident phenomenology and uncertainty analysis. After undertaking a major severe accident research program and exploratory PRA methodology development activities, the NRC undertook NUREG-1150, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, in 1990 [2]. Although the NUREG-1150 report remains the benchmark for Level 3 PRA methodology for assessing risks, in practice, most PRA efforts today are much more limited in scope than that study. In 1986, the NRC issued a Safety Goal Policy Statement in which it established risk-based criteria to characterize its goal for adequate level of

safety for nuclear power plants [11]. In NUREG-1150 the assessed risks of the five nuclear power plants were compared to Quantitative Health Objectives (QHOs) that had been derived from the NRC's Qualitative Safety Objectives. Each of these plants was assessed to satisfy the QHOs with wide margin. Despite the fact that almost all currently operating power reactors in the U.S. are one of two basic light water reactor designs (i.e. boiling water reactor (BWR) versus PWR) provided by four vendors, each plant has differences associated with evolving product lines among the vendors and plant-specific features associated with utility or architect-engineer preferences. Concurrent with the detailed analysis being performed for five plants in NUREG-1150, the NRC recognized the need to identify plant-specific vulnerabilities at all individual plants. Consequently, in 1988 and 1989 the NRC established requirements for Individual Plant Evaluations (IPEs) [12] [13]. Although not all plants chose the option of a PRA to satisfy the IPE requirements, all those plants that did not develop a plant-specific Level 1 PRA at that time have subsequently done so. At the completion of the IPE program, the NRC issued a requirement for the IPEEE program to address external events at all plants [14]. The NUREG-1150, IPE and IPEEE programs were the first steps in a shift in regulatory emphasis toward a risk-informed, performance-based regulatory approach. Five years after the completion of NUREG-1150, the Commission began to openly promote the use of PRA in regulatory decision-making [15]. A good example of the new risk-informed approach to regulation is Regulatory Guide [16]. Within this guide, the Commission identifies conditions that would be found acceptable regarding the change in risk associated with a proposed

change in a plant's licensing basis. Because comparison with the QHOs would require a Level 3 PRA for every plant, two surrogate risk measures were developed: core damage frequency (CDF) and large early release frequency (LERF). Under Regulatory Guide 1.174, when a plant intends to implement a change in operation or design that diverges from that described in the Safety Analysis Report, the plant must be able to demonstrate that the CDF and LERF will either decrease, or will satisfy limitations on the increase in these metrics. Since most plants have not undertaken a full Level 3 PRA, the ability of a utility to take advantage of risk-informed changes in regulation relies on the calculation of CDF, the product of a Level 1 PRA, and LERF, the product of a Level 2 PRA. However, a full Level 2 PRA is also not a requirement. An approach is provided in NUREG/CR-6595, in which plants may perform a simplified LERF analysis [17]. This report, completed by Brookhaven National Laboratory, contains simplified containment event trees (CETs) for all containment configurations currently operating in the U.S. and distinguishes between containment failure modes that may or may not lead to early fatalities. Using NUREG/CR-6595, a plant can complete a traditional Level 1 analysis, then use the resulting end states to feed into the simplified CETs. The end states resulting from the CETs are grouped into failure modes; from these failure modes, the frequency of early containment failure can be estimated, and the calculated change in LERF can be compared with Regulatory Guide Under NUREG/CR-6595, the following containment failure modes contribute to LERF: early structural failure, bypass isolation failure or early venting. The report also includes the late failure of containment

combined with delayed evacuation as a contributor to LERF; this type of analysis follows a separate CET specific to late containment failure. Along with the assessment of the risk metrics of CDF and LERF, the NRC has issued requirements regarding other specific safety issues, most of which are beyond the design basis. The NRC considers design basis as those systems and components which provide adequate protection; beyond design basis would then be those systems and components which provide more than adequate protection. Some of the specific issues addressed include the Aircraft Impact Assessment rule in 10 CFR , Anticipated Transient Without Scram and Station Blackout scenarios [18]. Beyond these specific safety issues, the NRC does not explicitly regulate events considered beyond the design basis because they are deemed too unlikely; the backfit of a plant to mitigate beyond design basis accidents (BDBAs) has historically been considered unwarranted based on the criterion of adequate protection.

Conventional Probabilistic Risk Assessment

As in WASH-1400, a PRA is conventionally divided into three regions:

Level 1: assessment of the core damage frequency for a specific set of initiating events.

Level 2: assessment of severe accident behavior leading to containment failure and release of radionuclides to the environment (i.e. the source term) for a given plant damage state. In this region, timing and magnitude of containment failure play important roles.

Level 3: assessment of offsite consequences resulting from the release of radionuclides to the environment.

In a Level 1 analysis, the core damage frequency is quantified using a combination of fault tree and event tree analyses which considers the combination of the likelihood of success or failure of various systems and components dependent on a given initiating event. The probability of failure of a specific system (e.g. Emergency Core Cooling System (ECCS)) is determined using a fault tree analysis, where the reliability of that system is dependent on the success or failure of its basic components. Once the fault tree analysis has been completed for all necessary components, an event tree can then be constructed. In an event tree, following an initiating event (IE), the system effectively moves through a series of predetermined pathways, where the pathways are affected by the success or failure of systems and components (Top Events); the system will progress through the pathways until core damage occurs, or the plant achieves a safe state. At each point in the scenario where a particular system may be called upon (i.e. actuation of ECCS based on a particular setpoint), the tree will bifurcate and follow two scenarios in parallel: one scenario with system success and a separate scenario with failure of the same system. These two scenarios will continue to evolve until another setpoint is reached for another system, and branching will occur again. In an event tree, a single sequence of successes and failures of systems and components delineates a scenario. The product of each scenario is an end state, where this end state may either be core damage or the plant is in a safe state. The probability of each end state is determined

using the probability of each success or failure of systems and components called upon in a particular scenario. Since a full plant PRA tends to generate hundreds of end states, these end states are typically grouped by specific characteristics into groups called Plant Damage States (PDS). The grouping is based on the states of systems or components and the occurrence of particular phenomenology which are determined by the analyst to have the most significant effects on system behavior. The probability of each PDS is the sum of the probabilities of all scenarios which are classified in that specific PDS. The final product of a Level 1 analysis, the CDF, is determined by multiplying the total probabilities of all PDSs leading to core damage by the initiating event frequency. The Level 2 analysis commences from each PDS, and follows an event tree structure similar to that of Level 1 (i.e. a series of pre-determined events are questioned), where the tree generated in a Level 2 analysis is called an Accident Progression Event Tree (APET). Typically in an APET, the Top Events correspond to the occurrence of phenomena or mechanisms relevant to scenario evolution rather than the success or failure of specific systems and components, although some systems and components are considered in the Level 2 analysis. The Level 2 analysis is carried on from the onset of core damage through containment failure to the release of radionuclides to the environment. As in the Level 1 analysis, the progression of a system through a specific pathway produces a single scenario with an end state probability. Similar to the grouping of Level 1 results, Level 2 results are grouped into Accident Progression Bins (APBs) based on system behavior and the states of various systems and components.
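The Level 1 quantification described above can be carried through on a small tree. The following is an added example, not taken from the dissertation: the three top events, their conditional failure probabilities, the plant damage state labels and the initiating event frequency are all constructed values chosen only to show the arithmetic (sequence probability as a product, PDS probability as a sum, CDF as initiating event frequency times total core damage probability).

```python
"""Static event-tree quantification: sequences, plant damage states, CDF.

Added illustration. Every number and top-event name below is constructed;
none of it is plant data or a value from the dissertation.
"""
from collections import defaultdict

# Top events in the analyst's pre-specified order. Each entry maps the
# outcomes so far to P(failure); in a real PRA these come from fault trees.
TOP_EVENTS = [
    ("AC_RECOVERY", lambda h: 0.30),
    # Seal failure assumed more likely if power (seal cooling) is not recovered.
    ("SEAL_INTACT", lambda h: 0.05 if h["AC_RECOVERY"] else 0.20),
    # Injection assumed impossible without AC power.
    ("ECCS", lambda h: 0.01 if h["AC_RECOVERY"] else 1.0),
]
IE_FREQUENCY = 1.0e-5  # initiating events per reactor-year (constructed)


def enumerate_sequences(history=None, prob=1.0, depth=0):
    """Yield (outcomes, probability) for every non-zero path through the tree."""
    history = history or {}
    if depth == len(TOP_EVENTS):
        yield dict(history), prob
        return
    name, p_fail_given = TOP_EVENTS[depth]
    p_fail = p_fail_given(history)
    # Bifurcate: one branch with success, one with failure of this top event.
    for success, p_branch in ((True, 1.0 - p_fail), (False, p_fail)):
        if p_branch > 0.0:  # prune impossible branches
            yield from enumerate_sequences(
                {**history, name: success}, prob * p_branch, depth + 1
            )


def end_state(h):
    """Core damage unless injection succeeds (constructed success criterion)."""
    return "SAFE" if h["ECCS"] else "CORE_DAMAGE"


def plant_damage_state(h):
    """Group core-damage sequences by the characteristics the analyst chose."""
    power = "AC" if h["AC_RECOVERY"] else "noAC"
    rcs = "intact" if h["SEAL_INTACT"] else "sealLOCA"
    return f"{power}/{rcs}"


def quantify():
    """Return total probability, PDS probabilities, P(core damage) and CDF."""
    pds = defaultdict(float)
    total = 0.0
    for h, p in enumerate_sequences():
        total += p
        if end_state(h) == "CORE_DAMAGE":
            pds[plant_damage_state(h)] += p  # PDS probability = sum of sequences
    p_cd = sum(pds.values())
    return {
        "total": total,
        "pds": dict(pds),
        "p_core_damage": p_cd,
        "cdf": IE_FREQUENCY * p_cd,  # per reactor-year
    }


if __name__ == "__main__":
    result = quantify()
    for label, p in sorted(result["pds"].items()):
        print(f"PDS {label:14s} P = {p:.5f}")
    print(f"P(core damage | IE) = {result['p_core_damage']:.5f}")
    print(f"CDF = {result['cdf']:.3e} per reactor-year")
```

Because the order of the top events is fixed in `TOP_EVENTS`, the example also shows the limitation of the static approach: a different ordering or timing of the same events has to be anticipated by the analyst rather than produced by the model.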

The Level 3 analysis entails the estimation of offsite health effects due to the source term released from each APB. Several factors contribute to the Level 3 analysis, such as meteorology, population, evacuation, and protective actions. The results of a Level 3 analysis tend to focus on the risk of latent cancer fatality or early fatalities, which are the consequence measures outlined in the NRC's QHOs [19].

Dynamic Probabilistic Risk Assessment

The risk studies presented in WASH-1400 and NUREG-1150 utilized the static fault/event tree methodology as described in Section While these reports provided significant insights into the risk from nuclear power plant operations and were groundbreaking in their risk assessment techniques, the static methodologies they employed contained certain drawbacks which prevented them from capturing certain aspects of system risk. By definition, a static PRA does not explicitly account for time, or allow for the scenario to evolve dynamically. In reality, the ordering or timing of events can play an important role in scenario evolution and can significantly affect the final end state of a scenario. Furthermore, because a static PRA tends to rely on expert elicitation and the analyst's judgment regarding scenario evolution, key phenomenology tends to be treated inconsistently. For these reasons, and due to the recent increase in computational capabilities, dynamic PRA techniques which are capable of more accurately and systematically capturing system risk [20] [21] [22] [7] [23] [24] are receiving more attention. Dynamic PRA can be defined in several ways: 1) a living PRA which is a conventional PRA

updated to include any modifications to plant configuration, 2) an existing PRA modified to consider aging components or systems in a plant, and, 3) a PRA which considers phenomenology and failures in a probabilistic and deterministic manner, where the occurrence of events is dependent on the state of the system and, inherently, time. This work utilizes the third definition of dynamic PRA. As with a conventional PRA, a dynamic PRA using the concept of event trees entails the creation of an event tree which describes possible scenario pathways by considering the system state and/or time. In a dynamic PRA, this tree is referred to as a dynamic event tree (DET). A DET can include all aspects of a conventional Level 1, Level 2 and Level 3 analysis, but because the ordering of events is not predetermined and instead obtained from a transient system model, a DET is typically not divided into three regions. However, because DETs are capable of generating a very large number of scenarios and/or may be using different computational tools to model different relevant phenomena, a DET can be segregated into Level 1, Level 2 or Level 3 analysis to manage computational efficiency. Similar to a conventional event tree, a DET analysis begins with a single initiating event. The scenario will evolve with time until a particular user-defined branching criterion based on state variables (i.e. a creep rupture parameter or containment pressure) is reached. At this point, the scenario will branch and two parallel scenarios will be generated. These scenarios will progress in time until another user-defined state variable is reached, and branching will occur again. Branching probabilities are inferred from probability distributions which are representative of the aleatory uncertainty in the

behavior of a system, component (e.g. failure of a particular valve or pump on demand) or human (e.g. operator) and epistemic uncertainty related to the lack of knowledge regarding phenomena.

Regulatory Approach to PRA Post-Fukushima

In light of the accident at Fukushima Dai-ichi, it is expected that there will be new regulatory emphasis on reducing the likelihood of containment failure in severe accidents, particularly early containment failure modes. Each federal regulatory authority is in the process of determining how its regulations will be changed to reflect lessons learned from the Fukushima accident. In many countries, stress tests have been undertaken to assure that their nuclear plants could withstand Fukushima-scope accidents [25]. In the U.S., it has been recommended that nuclear utilities reexamine the extent to which their plants are capable of satisfying requirements for response to natural phenomena hazards, such as earthquakes and floods [26]. The extent to which different countries will require backfits to their plants to address perceived severe accident issues will vary. In the U.S., it is likely that the regulatory approach adopted will be risk-informed. In some respects, the Fukushima accident is changing our perspective on the nature of the risk of a major nuclear power plant accident. Despite the large release of radioactive material, the radiological impact on human health from the accident will be very limited [27] [28]. NUREG-1150 provided evidence that the increased health risk to someone living in the proximity of a nuclear power plant is not significant in

comparison with other health risks with significant margin. The results of the SOARCA study, completed by Sandia National Laboratories [29], indicate that the health risks from nuclear power plants are even smaller than assessed in NUREG Nevertheless, the impact on Japan's economy has been substantial as the result of the need to relocate members of the public, the loss of food products, the cost of decontamination of the facilities, and the loss of electrical power production, particularly from the loss of nuclear power plants shut down as a precautionary measure for further safety evaluation. Thus, the dominant risk from a nuclear power plant accident does not appear to be health risk to the public but a societal risk impacting the country's economic well-being [30]. The NRC is undertaking a new Level 3 probabilistic risk assessment that is expected to pay greater attention to other measures of offsite consequences. It is not yet clear whether measures of societal risk will have an increased role in reactor regulation. In the Fukushima region, if a person would have received greater than 2 rem (20 mSv) in the first year, relocation was required. This is the same limit as in the US EPA's Protective Action Guidelines [31]. Based on maps of ground level dose rate, the total land area requiring relocation is approximately 240 square miles. In actuality, members of the Japanese public have been relocated from a substantially larger area. From a societal viewpoint this level of contamination has been disruptive to the economy. At this time there is no regulatory basis for design criteria for the management of the consequences of beyond design basis events other than controlling the frequency of large early releases that could potentially lead to early offsite fatalities. Insights from the

societal impact of the Fukushima accident may provide a different perspective on what constitutes a large release of radioactive material. In response to the Fukushima accident, the NRC's Near-Term Task Force issued its findings on July 12, 2011 [32]. The Task Force concluded that the long-standing approach to defense-in-depth should be strengthened by including requirements for beyond design basis accidents. The Task Force made a number of recommendations in the areas of: clarifying the regulatory framework; ensuring adequate protection related to seismic events and flooding; enhancing mitigation for station blackout, hardened vents, hydrogen control, spent fuel protection and severe accident management; strengthening emergency preparedness; and improving the regulatory reactor oversight program. The Task Force recommended that consideration be given to extending the current design basis of a plant to include some risk significant events beyond the currently used design basis events. The NRC subsequently developed a plan and schedule for a phased implementation of the Task Force recommendations. In April of 2012, the NRC issued the report of a Risk Management Task Force commissioned to develop A Proposed Risk Management Regulatory Framework [26]. This report deals broadly with issues traditionally considered outside the design basis of the nuclear power plant and not subject to consistent regulatory treatment. Among the findings of the Task Force are: the set of design basis events and accidents needs to be updated, there is inconsistency in the way that requirements for beyond design basis events have been implemented, and voluntary industry initiatives are not well covered by the regulatory oversight process. The Task Force recommended that the beyond design

basis accident regime be subdivided into a region of enhanced defense in depth and a region of residual risk. The details of the more consistent framework for risk management still require development. In June 2012, the American Society of Mechanical Engineers (ASME) presented their own approach to the management of severe accident risks [33]. As in the 90-Day Report and Accident Management Task Force Report, this report also recognizes the need to effectively extend the design basis to include protection against all sources of risk including rare yet credible events. The ASME report goes a step further in recognizing the importance of not only protecting the health and safety of the public but also explicitly identifying the need to prevent substantial socio-political and economic consequences associated with land contamination. From a regulatory perspective, the rare event phenomena that dominate the likelihood of early containment failure will need to be readdressed with emphasis on the reduction of uncertainties and an increase in model fidelity. At this time, the extent to which the NRC regulatory framework will be modified to include some level of oversight of BDBAs is unclear. Internationally, it appears likely that stringent backfit requirements will be imposed on plants to mitigate the consequences of BDBAs [34]. Recently in the U.S., the nuclear industry has developed an approach to severe accident management called FLEX [35], which incorporates lessons learned from the BDBA at Fukushima. The FLEX approach includes the utilization of flexible and portable equipment which would provide a backup to the equipment permanently installed on-site that would normally be relied upon during a severe accident resulting

from rare natural phenomena; the FLEX equipment is also meant to supplement the current requirements for protection against terroristic acts. The primary intent of the FLEX equipment is to provide an alternative source of power and a means to provide cooling water to limit core degradation and prevent containment failure. Under the FLEX framework, the portable equipment may be stored on-site or in regional or national centers where it would then be transported to the required location when necessary. The availability of equipment both on-site and off-site provides a means for accident management when the existing infrastructure is severely degraded during a natural disaster such as a flood or tornado. In conjunction with the additional equipment, updated accident mitigation strategies are developed as part of the FLEX approach that provide guidance on the use of FLEX equipment during rare natural phenomena. As a result of these changes in approach to the treatment of BDBAs, there will be much greater attention paid in future PRAs to the effect of accident mitigation strategies, such as reflooding a damaged core, than in historical PRAs, in which there was some reluctance to include credit for response actions in the reduction of severe accident risk.

Containment Failure Mechanisms and Relevant Severe Accident Phenomenology

This section describes the failure mechanisms and severe accident phenomenology that directly affect containment failure. Section describes the various mechanisms associated with containment failure: high pressure melt ejection (HPME), in-vessel steam explosions, alpha-mode failure, rocket mode failure, basemat melt-through, failure to isolate the containment, bypass scenarios, and combustible gas explosions. Section describes how severe accident recovery actions can affect the potential for containment failure.

High Pressure Melt Ejection

With regard to the low frequency event of HPME, significant research was undertaken in the 1990s to resolve the issue of HPME in several plants [36] [37] [38] [39] [40] [41] [42] [43] [44] [45] [46] [47]. The primary concern of this work was the analysis of containment loads resulting from direct containment heating after an HPME event. In an HPME event, lower head failure occurs while the primary system is at high pressure, allowing for molten material and debris to be ejected at high pressure into the containment volume. The ejected material releases significant amounts of energy into the containment atmosphere by radiation and convection; there is also the possibility for exothermic reactions among the debris, steam and oxygen. This process, known as direct containment heating (DCH), imposes significant temperature and pressure loads on containment, and could lead to containment failure at the time of vessel breach. An expansive amount of literature exists regarding HPME and DCH phenomena and experimental programs. In the mid-1990s, Sandia National Laboratories (SNL) performed the Integral Effects Test (IET) series at the Surtsey Test Facility; a total of twelve experiments were conducted [10]. Within the IET series, a melt mixture was ejected at high pressure from a simulated reactor pressure vessel (RPV) into a scaled reactor cavity. The objective of these studies was to assess unresolved DCH phenomena,

including the effect of subcompartment structures, the effect of water in the cavity and containment, the threat due to hydrogen generation/combustion, and the effect of physical scale. A 1:10 linear scale model of Zion's cavity, instrument tunnel, subcompartment structures and lower head of the RPV were constructed. Figure 2.1 shows the Surtsey test vessel and the scaled Zion structures below the test vessel. The Surtsey pressure vessel has an internal volume of 103 m³, is 3.6 m in diameter, 10.3 m high and has a maximum working pressure of 1 MPa at 260 °C. Within the test vessel are several I-beams and steel framework for supporting an equipment crane, neither of which is meant to represent structures in containment. A concrete floor was constructed near the bottom of the vessel, however, to represent the basement floor of Zion; scaled versions of the subcompartment structures (four steam generators, four reactor coolant pumps, operating deck, refueling canal, seal table room, biological shield wall, and crane wall) were constructed in the pressure vessel. The ports (circled numbers) shown in Figure 2.1 are utilized for instrumentation, and there is one personnel access port at level 1. The RPV is represented with a melt generator (Figure 2.2); the melt generator has a hemispherical bottom head with a steel pressure barrier and a cast MgO crucible; within the crucible was an iron oxide/aluminum/chromium thermite mixture. The graphite limiter plate at the bottom of the melt generator has a 3.5 cm hole from which material is ejected; this size hole was chosen as a representation of an ablated hole that may form as a result of a penetration failure in the lower head. The cavity below the melt generator and test vessel was designed to withstand an internal pressure of 6.9 MPa; the inclined portion of the

instrument tunnel enters the test vessel at an angle of 26°, the same angle in Zion. The instrument tunnel was approximately 2.7 m, which is the correct scaled length. The burst diaphragm in Figure 2.2 was attached to an accumulator tank and boiler which were used to generate the steam that would drive the thermite mixture into the cavity. In the majority of the experiments, the accumulator tank was pressurized to approximately 6.3 MPa with superheated steam. When pressurized, the thermite mixture would be ignited, and the burst diaphragm would be failed by the operator, allowing the steam to contact with the thermite mixture. When a fusible brass plug in the bottom of the crucible was failed, the thermite mixture would be driven out of the crucible by the superheated steam and expelled into the cavity.

Figure 2.1: Schematic of Surtsey vessel and scaled Zion structures used in IET series [45].

Figure 2.2: Schematic of scaled Zion model representing the reactor cavity [45].

Initial conditions for the experiments were largely the same among tests, with only one major parameter varied. The parameters modified include the Surtsey atmosphere and the water level in the cavity or basement floor. Three classes describe the initial atmosphere in the pressure vessel: inert, reactive (i.e. a 1:1 mixture by pressure of air:nitrogen) and reactive plus preexisting hydrogen. For two of the IET, a volume of water was placed in the cavity that represented condensation on structures and in the atmosphere; the rationale for this volume of water arises from the fact that during a severe accident, steam vented from the primary system (intentional or otherwise) will enter containment and condense on structures and in the atmosphere. For other severe

accidents where the entire primary inventory is boiled away, water condensed on surfaces will collect on the basement floor. Several IET experiments simulated this by assuming that the entire primary system inventory is delivered to containment as steam; approximately one atmosphere of saturated steam will then be retained in the atmosphere, with the remainder collecting on the basement floor. With regard to debris ejection and spread, the IET experiments found that approximately 90% of the thermite melt was ejected into the cavity from the simulated RPV lower head; approximately 77% of the debris in the cavity was then dispersed into the Surtsey vessel. A small percentage (9.3%) of the thermite melt was then found dispersed beyond the subcompartment structures in the Surtsey vessel. With regard to the effect of water in the cavity and on the basement floor, the experiments showed that water on the basement floor did not seem to affect the peak containment load, but condensate levels of water in the cavity had unpredictable effects. In the case of water in the cavity, two distinct behaviors were observed: a sharp pressure spike (indicative of a steam explosion) or a broad pressure spike representative of rapid vaporization of water in the cavity; the report was not able to conclude whether the different responses were the result of stochastic behavior or other unrecognized phenomena. The IET experiments showed an appreciable pressure spike in reactive atmospheres due to hydrogen combustion as gas was pushed into the upper dome. For tests with reactive atmospheres, peak pressure increase was about 250 kPa, but for inert atmospheres, peak pressure increase was about 100 kPa.

After the completion of the IET experiments, resolution of the DCH issue for Zion began, using the risk oriented accident analysis methodology (ROAAM) [46]. Under ROAAM, the phenomena driving severe accident behavior are quantified and assessed probabilistically. In the case of DCH, containment loads (based on the response to certain initial conditions for certain enveloping scenarios) are compared to containment fragility curves; intersection of these two curves implies a probability of containment failure. In considering containment failure from DCH, Pilch, et al. [46], identified two principal types of scenarios that may lead to HPME: a small break loss of coolant accident (LOCA) in which molten material rapidly relocates to the lower plenum (identified as a wet-core scenario), and an SBO-like scenario where the melt gradually relocates to the lower plenum (identified as a dry-core scenario). Further bifurcation of these two scenarios was identified, where the branching was based on the timing of lower head failure. Three initial conditions identified as having the greatest effect on the evolution of the scenario (the mass of UO₂ melt, zirconium oxidation fraction and molten steel mass) were quantified with probability distributions and used in the ROAAM methodology. A coherence ratio, which is defined as the ratio of melt entrainment time constant to the system blowdown time constant, was developed to reduce complexity in the DCH analysis. The rationale behind the coherence ratio is that during the blowdown following HPME, the time of entrainment of debris is short relative to the time of blowdown of the primary system, due in large part to debris being trapped by subcompartment structures. The molten debris therefore interacts with the steam of the primary system for a very short period of time, a crucial detail given that it is the

interaction of steam and molten debris that drives hydrogen production and energy transfer to the containment atmosphere. It is important to note that this rationale is valid only under the assumption that there is an intermediate-sized compartment that will trap debris (the compartment must be large relative to the cavity, but small relative to containment), and there is no significant line-of-sight pathway for debris to travel into containment. The coherence ratio and probability distributions representing initial conditions were input to the Alpha code, software developed specifically for this DCH issue resolution, to calculate a conditional failure probability. Results from the Alpha code were also compared with a two-cell equilibrium model developed by Pilch to predict DCH [48] and a convection-limited containment heating model developed by Fauske & Associates, Inc. for their State of the Art Report on HPME and DCH [42]; both independently developed models are based on the incoherence in time constants for debris entrainment and primary system blowdown. Within this ROAAM study, the containment fragility curve from the Zion IPE report [49] was selected for comparison with the containment failure probability calculated by Alpha; the Zion IPE predicts zero probability of failure below 0.68 MPa. Pilch, et al. ultimately concluded that the containment failure probability for Zion by DCH is less than Containment loads predicted in the ROAAM study are far below containment failure values given in the Zion IPE; peak predicted pressure ranges from 0.3 MPa to 0.5 MPa in the ROAAM study. In 1994, the NRC issued NUREG/CR-6075, which described closure of the DCH issue for Zion [50]. The majority of work completed in support of the resolution

document is described by the ROAAM paper, above. Supplemental studies were completed in which splinter scenarios and modeling deficiencies were addressed. SCDAP/RELAP5, a severe accident analysis tool developed by Idaho National Laboratories [51], was used to complete studies which examined short term station blackout with varying pump seal leak rates; the objective of these calculations was to justify initial and boundary conditions for dry-core scenarios. The primary conclusion from the RELAP studies was that hot leg failure occurred prior to melt relocation in all cases, allowing for primary system depressurization and preventing HPME. The calculations were allowed to proceed to eventual lower head failure so that the composition of the melt and reactor coolant system (RCS) pressure could be assessed. The SCDAP/RELAP analysis predicted that relocation of metallic blockages to the lower plenum would not occur, largely because of quenching by displaced water. It was predicted that at most 60% of zirconium would be oxidized during the in-vessel phase of core melt progression. CONTAIN, a containment analysis code developed by Sandia National Laboratories [52], was also used to assess conditions within containment after vessel breach occurred, primarily with regard to hydrogen combustion. The calculations showed that nonflammable concentrations were observed in the containment dome. The CONTAIN calculations also showed that even if hydrogen ignition occurred following a hot leg failure, depressurization would occur so rapidly that containment integrity would not be threatened; peak containment pressure increased by approximately 0.03 MPa as a result of hydrogen ignition, which is not a threatening load on containment. As with the

ROAAM study, the ultimate resolution for the DCH issue was that the probability for containment failure was negligible. It should be noted that this resolution is partially dependent on the fragility curve to which the predicted loads are compared. In the case of the DCH resolution, the fragility curve from the Zion IPE was utilized. If a more conservative curve were utilized, such as the fragility curve from NUREG-1150, it is possible that a low, but not negligible, failure probability could be observed. Because of the high importance of HPME in the NUREG-1150 analysis for Zion, sensitivity studies were performed for the Zion SBO accident regarding the potential containment loads. The results of these calculations were reviewed to determine their consistency with the earlier assessments indicating the low risk significance of HPME. Results of these scoping studies regarding the potential loads on containment from HPME and DCH are shown in Section

Steam Explosions

While hydrogen burns are primarily a concern outside of the reactor pressure vessel and primary system, steam explosions may occur both in-vessel and ex-vessel, and typically result in destructive pressure waves. A steam explosion occurs when the hot molten core interacts with the relatively cooler coolant; the rapid transfer of energy from the molten material to the coolant may fragment the melt and drive explosive steam generation. In-vessel explosions may occur when a slumping core is immersed in water, while ex-vessel explosions may occur when molten material escapes a failed lower head

and falls into a flooded cavity (the cavity may be flooded due to condensed steam, emergency core cooling water, or containment sprays). Previously, experiments at Argonne National Laboratory and at European Joint Research Center (JRC)-Ispra, Italy indicated that corium would not induce a spontaneous steam explosion, but that external triggers could generate triggered steam explosions [53] [54] [55]. The FARO tests at JRC-Ispra simulated the effect of molten corium falling into the water in the lower plenum and the settling of the corium onto the bottom head of the RPV. In the experimental setup, the TERMOS test vessel is connected to a furnace via a release channel; the furnace, release vessel and TERMOS are all separated by a series of isolating safety valves. Once the corium simulant is melted in the furnace, it is released to the release vessel. The release vessel is isolated using valves and pressurized to the pressure of the TERMOS vessel using argon. Once pressurization is achieved, a flap is released and the melt is delivered from the release vessel to the TERMOS vessel via gravity; the distance between the release vessel nozzle and the water level is approximately 1 m, and the depth of the saturated water is approximately 1 m. A debris catcher at the bottom of the TERMOS vessel collects the melt. The main objective of the TERMOS tests was to assess the effect of water level, pressure and melt composition on debris quenching, where successful debris quenching typically prevents a steam explosion. Subsequent to the TERMOS tests, studies have been completed recently at Korea Atomic Energy Research Institute's (KAERI) TROI facility that indicate spontaneous steam explosions are a possibility, and the composition of corium melt affects the

occurrence of this event [56] [57] [58] [59]. Whereas the objective of the TERMOS tests was to perform sensitivity analyses on debris quenching, the objective of the TROI program was to investigate the sensitivity of steam explosions to melt composition. The experimental setup at TROI is similar to that of TERMOS. There is an upper pressure vessel containing a crucible and melt generator and a lower pressure vessel containing water and a debris catcher; the two vessels are separated by a series of valves and plugs. A cold crucible with a plug and a puncher is utilized to create the melt mixture; the crucible is cooled by water flowing through copper tubes, which make up the crucible walls. Melting is accomplished by induction skull melting (direct inductive heating by an alternating electromagnetic field); the ZrO2 powder is placed in the crucible and a zirconium ring at the center of the crucible is charged to initiate melting. As the material melts, the cold crucible cools the exterior of the melt and forms an outer crust. After melting is complete, the plug at the bottom of the crucible is removed and a hole is punched in the bottom of the crust to initiate melting. The melt mixture is allowed to flow into the lower pressure vessel and into the water below. To simulate oxide fuel, some TROI experiments (experiments 1-5 and 15) utilized ZrO2 instead of alumina, as its material properties match that of corium better than alumina. The TROI-9 through TROI-14 experiments utilized a 70:30 w/o melt mixture composed of UO2 and ZrO2, respectively. The remaining TROI experiments used various eutectic compositions including UO2, ZrO2, iron and stainless steel. Parameters varied in the TROI experiments include the composition and mass of the melt mixtures and the initial temperature of the water. During the experiment, metrics related to

pressure and temperature in the lower pressure vessel and properties of the melt jet were monitored; debris resulting from the experiment was also monitored. Experiments 1 through 5 in the TROI program demonstrated that the melt jet geometry, the superheat of the melt and the pool geometry affected the occurrence and magnitude of a spontaneous steam explosion. In cases with a coherent melt jet, steam explosions are more likely to occur, as an incoherent release is more easily quenched. The initial TROI experiments also suggest that the cross sectional area of pool surface water to jet diameter plays a significant role in the occurrence of steam explosions. Relative to previous steam explosion studies performed at other institutions (such as the TERMOS series of tests, where no spontaneous explosions were observed), this ratio was large at the TROI facility where spontaneous explosions occurred. A larger ratio implies a larger volume of water is available for interaction, and a larger flow area over which steam may be vented following the jet's initial interaction with the water. The TROI tests also had significant melt superheat, relative to experiments at other institutions, suggesting that higher superheat may drive steam explosions. The additional superheat of the melt mixture above the melt temperature allows for the mixture to be in the liquid phase longer as it travels through the pool, such that a greater fraction of the melt is potentially capable of participating in an explosion. In addition to the findings of experiments 1 through 5, TROI experiments 9 through 15 showed very little hydrogen generation. This aspect is important because in previous fuel-coolant interaction (FCI) tests with corium [55], it was believed that excessive hydrogen generation during the test prevented a spontaneous steam explosion since the

hydrogen would stabilize the vapor layer surrounding the melt. TROI experiments 13 through 15 confirmed that the steam explosion was initiated once the melt jet contacted the bottom of the vessel; at this point, the column of melt is totally submerged in the pool of water. The effect of external triggers was assessed in the TROI-45 and -46 experiments. In the case of experiment 45, where a pure zirconia melt was used, a steam explosion occurred before the external trigger; in experiment 46, which used a 70:30 UO2:ZrO2 corium mixture, a steam explosion occurred after the external trigger was applied. TROI-47 examined the effect of iron in the eutectic; a mixture of 63:27:10 w/o UO2:ZrO2:Fe was utilized. In this case, no spontaneous steam explosion occurred, largely due to the lower superheat of the mixture. The addition of iron to the eutectic lowered the melt temperature of the mixture and allowed the corium to solidify quickly once submerged in water. A UO2:ZrO2:Zr:SS mixture was utilized for experiments 51 and 52 to assess the effect of partially oxidized corium on the occurrence of triggered steam explosions. Previous experiments at other institutions utilized purely oxidic corium comprised only of UO2, whereas the TROI experiments were attempting to use a more prototypic corium mixture which is partially oxidized. The compositions of the melts in the TROI-51 and -52 experiments were fairly similar (62.8:13.5:12.6:11.1 by weight percent in 51, 61:16:12.2:10.8 in 52), but the mixture in experiment 52 was approximately 800 degrees lower than that in 51 when it was released. For this reason, no steam explosion occurred in 52, as the melt quickly solidified once it came in contact with the water. When the

melt was at a higher temperature as in experiment 51, the mixture was finely fragmented and generated a steam explosion after the initiation of an external trigger. Relative to oxidic corium, partially oxidized corium was found to be more explosive, due largely to the superheat made available during the interaction between uranium metal and water.

Alpha-Mode Failure

Alpha-mode failure is a containment failure mode that was first hypothesized in the WASH-1400 study [1] involving an in-vessel steam explosion (the WASH-1400 containment failure modes were given Greek letter designation). This failure mode has generally been discredited. As defined in NUREG-1150, a series of specific events must occur chronologically to be classified as an alpha-mode failure. Through LOCA or loss of heat removal, the fuel uncovers and begins to melt. The liquefied core relocates to regions near the lower support plates and freezes, forming a crust. The crust, which initially supported the molten core above the water remaining in the RPV, will eventually break due to the mass of the molten material, allowing molten material to flow into the water below the crust. Once the molten material comes in contact with the relatively cool water, a steam explosion occurs, which generates a massive slug of water and molten debris. This slug impacts the upper head of the vessel and may either dislodge the head so that it travels as a missile (and possibly catastrophically fails containment), or simply moves the entire RPV upward (as in the SL-1 accident [60]) a measurable distance and destroys RPV support structures and penetrations (i.e. the hot leg, cold leg, etc.). While NUREG-1150 concluded that the probability of alpha mode failure was less than 1%

(conditional on core damage), this conclusion was based largely on conservative expert judgment. Since NUREG-1150, significant experimental and analytical work regarding steam explosions has been performed. The most recent industry/NRC assessment of alpha-mode failure is based on the findings of the SERG-2 workshop [9]. SERG-2, the Second Steam Explosion Review Group, consisted of extensive discussions among eleven experts regarding the issue of alpha-mode failure and FCI phenomena related to alpha-mode failure, such as premixing of the melt and coolant, triggering of an explosion, and propagation of the front generated in an explosion. The expert panel concluded that the series of events leading to an alpha-mode event were highly unlikely. The panel considered a scenario in which melt from the core region is released into water in the lower plenum via one or more jets (although not necessarily simultaneously). The panel concluded that one large, coherent pour is incredible, and if it did occur, it would likely isolate the melt from the coolant via a vapor chimney, limiting mixing of the coolant and melt. It was also concluded by the panel that only the pour stream would have a significant effect on the interaction; melt that accumulates at the bottom of the pool does not have a significant contribution to the reaction. With regard to premixing (the phase prior to the steam explosion in which the melt and coolant interact and mix), the panel agreed that significant experimentation and computational research supported the conclusion that alpha-mode failure is unlikely. At the time, recent research had uncovered a depletion phenomenon in which finely fragmented melt generates significant amounts of steam; the steam then drives water away from the melt, prohibiting any further interaction. No general consensus on

triggering was reached by the panel, except that it is difficult to model and observe in experiments, and that the triggerability of a melt is not well understood. Overall, the experts of the SERG-2 panel concluded that despite residual uncertainties and the lack of detailed knowledge regarding some phenomena, the likelihood of an alpha-mode event was negligible, and any reduction in uncertainties or improvement in the knowledge base would not significantly alter the likelihood. The SOARCA study [5], completed by SNL, also concluded that this mode of failure was physically unrealistic and did not assess its consequences. Other literature suggests that the conservatism in the NUREG-1150 analysis can be reduced by utilizing the experimental and analytical work performed since the study, allowing for a formal, risk-informed resolution [61]. Concern has also been raised about the potential effects of an in-vessel steam explosion that could result in failure of the vessel in the lower plenum region. Considerable research has been performed on the likelihood and loads associated with steam explosions. In the Organization for Economic Co-operation and Development (OECD) SERENA [62] program, a detailed investigation concluded that vessel failure in the lower plenum region would be very unlikely. However, the state of knowledge is not at the same level as for the alpha-mode failure mechanism, which has been precluded as physically unrealistic.

Rocket Mode Failure

Similar to alpha-mode failure, rocket mode is another potential method of containment failure which has largely been discredited. In a rocket mode event, there is a

gross failure of the lower head of the pressure vessel while the primary system is at high pressure, resulting in an impulsive pressure load on the RPV which drives the vessel upward. After a few inches of movement, the vessel may be restrained by the cold and hot leg piping as they contact the upper boundary of the penetration through the cylindrical concrete wall that surrounds the reactor vessel. If there is sufficient jet force, the piping may fail and the whole vessel may achieve lift-off and impact internal structures within containment, such as the missile shield or crane above the RPV. If these internals do not impede the rocketing vessel, the RPV could in theory impact the upper dome of containment, likely failing containment. Unlike alpha-mode failure, rocket mode failure has no formal resolution, and even less literature regarding experimental and computational research on this topic exists. This issue draws some parallels to HPME, however, in that this phenomenon begins with the primary system at high pressure. As discussed in Section 2.2.1, failure of RPV peripherals, such as the hot leg nozzle or hot leg is expected to occur long before lower head failure, effectively precluding the chance of a rocket mode failure. Preliminary calculations specific to Surry from Energy Research, Inc. [63] show that if failure occurs at a pressure of 160 bar (~2300 psi), a failure size larger than 20 cm in radius is required for the vessel to achieve lift-off. Discharge time and vertical displacement are both closely correlated with hole radius. The larger the hole, the shorter the discharge time but the higher the initial thrust; for hole sizes less than 50 cm, the RPV depressurizes over approximately 0.5 s. For a hole radius up to 1 m, the maximum vertical displacement increases with increasing radius; above 1 m, the maximum vertical

displacement decreases with increasing hole radius. The maximum possible vertical displacement is calculated to be 10 m, corresponding to a hole size of ~10 m; as most cranes have a height of ~30 m, and containment is typically ~50 m tall, it is unlikely that a rocketing RPV would even fail containment directly. If the maximum restraining forces are assumed, then vessel lift-off is impossible. The impact of the impulsive load on containment penetrations was not assessed in the Energy Research, Inc. paper.

Containment Melt-Through

Containment melt-through is another containment failure mechanism considered in both WASH-1400 and NUREG-1150; this mechanism is largely considered to occur in the late phase of the accident. There are two main types of melt-through: a gradual attack on the concrete basemat, and a rapid melt-through of the steel liner. The latter is typically only associated with Mark I BWR containment designs or with collection of core debris in a location next to a containment wall in a PWR following HPME. In basemat melt-through, also known as China Syndrome, molten material escapes the vessel and spreads across the concrete floor of the reactor cavity. Over a period of days, the melt may penetrate the concrete and release material into the surrounding soil. The melt mass would continue to penetrate the soil until it reaches a coolable geometry. It should be noted that in NUREG-1150, containment failure by basemat melt-through (BMT) is the most likely containment failure mechanism for Zion. In the late phase of accident progression, the two methods of containment failure are generally either overpressurization or BMT. BMT is unaffected by earlier modes of containment failure.

It can, however, preclude long term failure by over-pressurization. If depressurization occurs into the ground, some reduction would occur in the resulting atmospheric release. Expert elicitation described in NUREG/CR-4551 [64] deemed the Zion containment to be robust, with the expectation that the Zion containment can survive fairly high pressures. If containment heat removal is actuated within a few days following accident initiation, it is expected that containment overpressurization failure can be averted. Basemat melt-through is unlikely to lead to a large airborne release of radionuclides but would exacerbate the problem of facility decontamination and site remediation. Although basemat melt-through was historically considered to be inevitable if the lower head of the vessel failed and molten core fell to the floor of the reactor cavity, that is not now believed to be the case [65] [66]. If there is water in the reactor cavity at the time the corium drops into the cavity, there is the potential for fragmentation of the core and establishment of a coolable geometry that results in sufficient heat transfer to the pool to limit core concrete attack. A continued supply of water would be required to maintain the water pool in the cavity. For an SBO, that would only be possible following power recovery. Thus for an SBO scenario the question of basemat melt-through becomes an issue largely in the realm of recovery actions. In a severe accident scenario with substantial core melting, the operator might have a choice between flooding the reactor cavity and risking a steam explosion but potentially fragmenting the core into a coolable debris bed, or allowing the molten core to attack concrete with the potential for radionuclide release, combustible gas generation and BMT.
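The load-versus-fragility comparison behind the ROAAM resolution of DCH discussed earlier, and its dependence on the choice of fragility curve, worked through as an added example (not code from the dissertation or from the Alpha code). Only the 0.68 MPa zero-failure threshold and the 0.3 to 0.5 MPa load range come from the text; the distribution shapes, medians and spreads are constructed for illustration.

```python
import math

# Values taken from the text
IPE_ZERO_FAILURE_BELOW_MPA = 0.68      # Zion IPE: zero failure probability below this
LOAD_RANGE_MPA = (0.3, 0.5)            # peak DCH loads predicted in the ROAAM study

# Constructed values (assumptions, not from the dissertation)
LOAD_MEDIAN, LOAD_BETA = 0.40, 0.136   # lognormal load; ~5th-95th pct spans 0.3-0.5 MPa
IPE_MEDIAN, IPE_BETA = 1.00, 0.20      # shape of the threshold curve above 0.68 MPa
CONS_MEDIAN, CONS_BETA = 0.80, 0.30    # hypothetical "more conservative" fragility


def lognormal_cdf(x, median, beta):
    """CDF of a lognormal given its median and log-standard deviation."""
    if x <= 0.0:
        return 0.0
    return 0.5 * (1.0 + math.erf(math.log(x / median) / (beta * math.sqrt(2.0))))


def lognormal_pdf(x, median, beta):
    if x <= 0.0:
        return 0.0
    z = math.log(x / median) / beta
    return math.exp(-0.5 * z * z) / (x * beta * math.sqrt(2.0 * math.pi))


def uniform_pdf(lo, hi):
    """Load density that is strictly bounded to [lo, hi]."""
    return lambda p: 1.0 / (hi - lo) if lo <= p <= hi else 0.0


def threshold_fragility(threshold, median, beta):
    """Fragility that is exactly zero up to `threshold`, lognormal-shaped above it."""
    base = lognormal_cdf(threshold, median, beta)

    def fragility(p):
        if p <= threshold:
            return 0.0
        return (lognormal_cdf(p, median, beta) - base) / (1.0 - base)

    return fragility


def failure_probability(load_pdf, fragility, lo=0.01, hi=2.0, steps=20000):
    """P(fail) = integral of load_pdf(p) * fragility(p) dp (trapezoid rule, MPa)."""
    h = (hi - lo) / steps
    total = 0.0
    for i in range(steps + 1):
        p = lo + i * h
        weight = 0.5 if i in (0, steps) else 1.0
        total += weight * load_pdf(p) * fragility(p)
    return total * h


def lognormal_interference(load_median, load_beta, cap_median, cap_beta):
    """Closed form P(load > capacity) when both are lognormal; used as a check."""
    z = math.log(load_median / cap_median) / math.hypot(load_beta, cap_beta)
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def compare():
    """Same load, three fragility assumptions; returns conditional failure probabilities."""
    load = lambda p: lognormal_pdf(p, LOAD_MEDIAN, LOAD_BETA)
    ipe_like = threshold_fragility(IPE_ZERO_FAILURE_BELOW_MPA, IPE_MEDIAN, IPE_BETA)
    conservative = lambda p: lognormal_cdf(p, CONS_MEDIAN, CONS_BETA)
    return {
        # Load confined to 0.3-0.5 MPa never reaches the 0.68 MPa threshold.
        "bounded_load_vs_threshold_curve":
            failure_probability(uniform_pdf(*LOAD_RANGE_MPA), ipe_like),
        # Only the far tail of an unbounded load distribution crosses the threshold.
        "threshold_curve": failure_probability(load, ipe_like),
        # A curve with no threshold overlaps the bulk of the load distribution.
        "conservative_curve": failure_probability(load, conservative),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:34s} {value:.3e}")
```

With these constructed inputs the threshold curve yields a conditional failure probability several orders of magnitude below the no-threshold curve, which is the sensitivity to fragility-curve choice that the text points out.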

Another aspect of core-concrete attack that affects the plant is through erosion of support structures. There can be substantial radial growth of the molten core attacking the concrete in addition to axial growth. There is some potential for the loss of major equipment support structures resulting in slumping of the reactor vessel. Plant specific analyses would be required to determine whether this could affect containment integrity, perhaps by failure of penetrations.

Containment Isolation Failure and Bypass Mechanisms

Containment isolation failure typically would occur at the very beginning of the accident in which there is a significant leak rate of the containment, substantially larger than the design basis leak rate or because of failure to isolate a system that penetrates the containment boundary with valves that are open during normal operation. These valves are designed to close automatically on receipt of an accident signal. Historically, there has not been the same level of consideration given to the isolation failure mode as to other modes. Containment bypass is another failure mode considered in both the WASH-1400 and NUREG-1150 analyses. Bypass results from the failure of the coolant system boundary in such a way that radionuclides are released to the environment without passing through containment. Historically, bypass scenarios (called Event V) were identified in WASH involving the interface between systems with a high design pressure region and low design pressure region in which two sets of valves separate the high and low design portions; in the event of failure of both valves while the system is operating, rupture of

low pressure piping could occur outside the containment. The resulting loss of coolant accident cannot be isolated and because all emergency core cooling water would be lost outside the containment at the time the refueling water storage tank is empty, the sump would be dry and it would not be possible to continue to cool the core through the recirculation mode of the emergency core cooling system. For PWRs, another bypass failure could be associated with a steam generator tube rupture (SGTR) accident in which one or more degraded tubes rupture; releases associated with SGTR only involve the environmental release of radioactively contaminated primary reactor coolant water and are typically very small. However, if the SGTR is compounded by other failures leading to core melting, the release to the environment could be substantial, particularly if there are multiple tube failures. In the case of isolation failure and Event V-type events, these failures are directly affected by system and component malfunction, rather than severe accident phenomenology. In a severe accident it is also possible to induce the rupture of steam generator tubes by means of hot gases that circulate through the hot leg to the steam generator if the reactor coolant system has not been depressurized.

Combustible Gas Generation and Ignition

This section discusses the mechanisms driving combustible gas generation in-vessel and ex-vessel, the criteria that must be satisfied for ignition, and potential sources of ignition. Section describes the processes leading to combustible gas generation and Section discusses the ignition process.

Combustible Gas Generation

In a severe accident scenario, combustible gases may be generated in-vessel and ex-vessel by different mechanisms. In-vessel gas generation is driven by the interaction of steam with the zirconium cladding. In this case, hydrogen is created in the exothermic reaction:

$$\mathrm{Zr} + 2\,\mathrm{H_2O} \rightarrow \mathrm{ZrO_2} + 2\,\mathrm{H_2} \tag{2.1}$$

A substantial fraction of the zirconium in the reactor core is predicted to become oxidized during the in-vessel phase of core degradation. The process can be limited, however, by steam starvation in which the available steam is effectively all consumed during the period of time in which the clad is in its original configuration with a high surface to mass ratio. Thus, there is the potential to enhance clad oxidation if a partially degraded core is reflooded as part of a mitigation strategy; in this type of scenario, the interaction of relatively cool water with the hot corium/core material will increase the amount of steam in the RPV, where the steam will then be available to participate in oxidation. Sensitivity studies regarding the effect of recovery actions on hydrogen production in-vessel are presented in Sections

If core melting is left unmitigated, the melt will penetrate the lower head of the vessel and be released into the cavity below. The corium will aggressively attack the concrete in the cavity in a process known as core concrete interaction (CCI). In this case,

the zirconium and iron in the corium react exothermically with water and carbon dioxide in concrete to produce carbon monoxide and hydrogen:

$$\begin{aligned}
\mathrm{Zr} + 2\,\mathrm{H_2O} &\rightarrow \mathrm{ZrO_2} + 2\,\mathrm{H_2} \\
\mathrm{Zr} + 2\,\mathrm{CO_2} &\rightarrow \mathrm{ZrO_2} + 2\,\mathrm{CO} \\
\mathrm{Fe} + \mathrm{H_2O} &\rightarrow \mathrm{FeO} + \mathrm{H_2} \\
\mathrm{Fe} + \mathrm{CO_2} &\rightarrow \mathrm{FeO} + \mathrm{CO}
\end{aligned} \tag{2.2}$$

During CCI, a significantly increased amount of hydrogen is released to containment. Of even greater significance is the addition of large quantities of carbon monoxide. The CCI process can be delayed or arrested if sufficient water is added to the cavity to cool the debris shortly following debris ejection. Sensitivity studies regarding the effect of containment cooling mechanisms on combustible gas generation ex-vessel are presented in Section

Combustible Gas Ignition

When the effects of combustible gas deflagrations are considered, it is typically assumed [5] that an ignition source of sufficient energy exists whenever the deflagration limit is exceeded and the containment is not steam inerted. In reality, ignition of a combustible gas mixture depends on the availability of an ignition source and the energy level of the source. In dry air, hydrogen is considered to be flammable at concentrations greater than 4% hydrogen. At this concentration a flame will propagate in the upward direction, driven

by buoyancy. There is also a maximum concentration for upward propagation, but in accident scenarios the concern is primarily on the hydrogen lean side of stoichiometry as the concentration of hydrogen grows within the containment. The energy release to the containment atmosphere with upward propagation can be substantial, but the flame front velocity is slow and a limited fraction of the available hydrogen will participate in the event. When the hydrogen concentration reaches 9% or 10%, the potential exists for downward propagation. Under these conditions the energetics of the event can be substantially greater. A deflagration is an energetic event in which the velocity of the flame front is subsonic. Relative to the response time of the containment structure, the pressure rise in a deflagration is sufficiently slow that the load is quasi-static. A detonation, on the other hand, refers to an event in which the flame front travels at the speed of sound. The destruction potential of a detonation typically is greater than for a deflagration but depends on the coupling that occurs between the structure and the superposition of incident and reflected shock waves. The conditions that can lead to a detonation depend not only on the concentration of hydrogen and oxygen in the atmosphere but also on geometry and the energy of the ignition source [67] [68]. With a sufficiently energetic source, such as a high explosive or a large spark, it is possible that a detonation could be initiated directly. Typically, under reactor accident conditions, the ignition sources are weak and in order to achieve a sonic condition the flame front must transition from subsonic to sonic. The load introduced by a shock wave onto a structure is very rapid. Shock waves will reflect off of structures and interact with other waves, sometimes perpetuating the reaction [69].
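An added worked estimate (not from the dissertation) that carries reaction (2.1) through to a containment hydrogen concentration and compares it with the flammability thresholds quoted in this section. The zirconium inventory, containment free volume and gas temperature are constructed inputs, and applying the dry-air limits to a steam-laden mixture is a simplification.

```python
R_GAS = 8.314462618        # J/(mol K)
M_ZR = 0.091224            # kg/mol, molar mass of zirconium

# Thresholds quoted in the text (mole fractions)
H2_UPWARD_LIMIT = 0.04     # flammable in dry air above 4% hydrogen
H2_DOWNWARD_LIMIT = 0.09   # downward propagation possible at 9% or 10%
STEAM_INERT_LIMIT = 0.589  # Shapiro's steam limit for preventing flame propagation

# Constructed inputs (assumptions for illustration, not plant data from the text)
ZR_MASS_KG = 20000.0       # zirconium inventory available for oxidation
FREE_VOLUME_M3 = 70000.0   # containment free volume
AIR_PRESSURE_PA = 101325.0 # initial air inventory at one atmosphere
AIR_TEMPERATURE_K = 300.0


def h2_moles_from_zr(zr_mass_kg, oxidized_fraction):
    """Reaction (2.1): each mole of Zr oxidized by steam releases two moles of H2."""
    return 2.0 * zr_mass_kg * oxidized_fraction / M_ZR


def air_moles(volume_m3, pressure_pa=AIR_PRESSURE_PA, temperature_k=AIR_TEMPERATURE_K):
    """Ideal-gas air inventory of the containment before the accident."""
    return pressure_pa * volume_m3 / (R_GAS * temperature_k)


def mixture(zr_mass_kg, oxidized_fraction, volume_m3, steam_fraction=0.0):
    """Mole fractions of a well-mixed atmosphere, assuming all H2 reaches containment
    unburned and steam makes up `steam_fraction` of the final mixture."""
    if not 0.0 <= steam_fraction < 1.0:
        raise ValueError("steam_fraction must be in [0, 1)")
    n_h2 = h2_moles_from_zr(zr_mass_kg, oxidized_fraction)
    n_air = air_moles(volume_m3)
    n_dry = n_h2 + n_air
    n_steam = steam_fraction / (1.0 - steam_fraction) * n_dry
    total = n_dry + n_steam
    return {"h2": n_h2 / total, "air": n_air / total, "steam": n_steam / total}


def regime(x_h2, x_steam):
    """Classify the mixture against the limits quoted in the text."""
    if x_steam >= STEAM_INERT_LIMIT:
        return "steam inerted"
    if x_h2 < H2_UPWARD_LIMIT:
        return "not flammable"
    if x_h2 < H2_DOWNWARD_LIMIT:
        return "upward propagation only"
    return "downward propagation possible"


def oxidation_fraction_for(x_h2_dry, zr_mass_kg, volume_m3):
    """Zr oxidation fraction that gives a target dry-mixture H2 mole fraction."""
    n_h2 = x_h2_dry / (1.0 - x_h2_dry) * air_moles(volume_m3)
    return n_h2 * M_ZR / (2.0 * zr_mass_kg)


if __name__ == "__main__":
    # 0.60 is the upper bound on in-vessel oxidation quoted earlier in the text.
    for frac, steam in [(0.60, 0.0), (0.60, 0.30), (0.60, 0.60), (0.75, 0.0)]:
        m = mixture(ZR_MASS_KG, frac, FREE_VOLUME_M3, steam)
        print(f"oxidized={frac:.2f} steam={steam:.2f} "
              f"H2={m['h2']:.3f} -> {regime(m['h2'], m['steam'])}")
    for limit in (H2_UPWARD_LIMIT, H2_DOWNWARD_LIMIT):
        f = oxidation_fraction_for(limit, ZR_MASS_KG, FREE_VOLUME_M3)
        print(f"Zr oxidation fraction to reach {limit:.0%} H2 (dry): {f:.2f}")
```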

The reactivity of a mixture can be described by λ, the characteristic cell width; this parameter is physically observable in soot tracks left behind during wave propagation in a detonation. If the scale of the geometry is not larger than the cell width, then detonation cannot occur. As mixture conditions approach stoichiometric, the cell width decreases, or in other words, the reactivity of the mixture increases. Deflagration to detonation transition (DDT) requires that the subsonic flame front be channeled in such a way, as in a corridor or tube, that its propagation becomes supersonic, and the shock wave moves so that it compresses unburned gases in front of it to the point that the temperature is raised beyond the autoignition temperature. The effect of gas mixture composition on propagation direction has also been examined in [70] [71] [72] [73] [74]. Experiments also show that transition to detonation is enhanced by the development of eddy currents [71] [73] [75]. In an open geometry, a deflagration will lose energy as the reaction expands spherically around the ignition point. The location of the initiation of the combustion event also affects the potential for propagation, as well as the load produced on containment structures. In the case of detonations, the largest pressure impulses in containment result from ignitions occurring farther away from reflective surfaces; in this case, there is little wave incoherence to reduce the magnitude of the shock wave. As expected, impulses are the largest for wave fronts with the same orientation as the confining/reflecting surface (i.e. a horizontal wave front reflecting from a horizontal surface versus a horizontal front reflecting from a vertical surface) [76]. Detonations initiated at mid-height of the containment tend to

have significant scattering of the shock wave which allows for rapid dissipation of the wave front [69]. There are considerable data relating the minimum ignition energy (MIE) for combustion to hydrogen concentration, although little literature exists regarding the MIE for H2-CO-air mixtures. As shown in Figure 2.3, for lean concentrations or very rich concentrations of hydrogen the MIE required is large; as hydrogen approaches stoichiometric conditions, the required energy is small. Also shown in Figure 2.3 is the effect of high humidity. The effect does not appear to be large. However, it should be recognized that this is high humidity at ambient temperature and pressure. At elevated temperature and in a pressurized containment at 200 °C, the concentration of water molecules is 50 times greater than in the high humidity curve. Thus, what appears to be a ten percent effect on minimum hydrogen ignition energy when the moles of steam are a small fraction of the moles of hydrogen could be a much greater effect when the ratio is increased by a factor of fifty.

Figure 2.3: Minimum ignition energy of hydrogen-humid air (relative humidity of 90%) and hydrogen-dry air mixture [77].

The concentration of hydrogen, air, steam and diluents, such as nitrogen and carbon dioxide, also affects the flammability and explosivity of hydrogen. When a mixture approaches 70% steam by volume, hydrogen is no longer flammable. The effect of diluents on minimum ignition energy has been studied both experimentally [78] and analytically [79]. The presence of diluents tends to increase the minimum ignition energy. At low diluent concentrations the effect is small. There is however a critical diluent concentration above which ignition is totally suppressed. As this limit is approached, the minimum ignition energy increases rapidly. Shapiro [80] found that flame propagation is prevented by diluent concentrations in the range of 55% to 72% by volume. Specifically, the limits are 56.5%, 71.1% and 58.9% by volume for CO2, nitrogen and steam, respectively. The characteristics of how the spark is generated, in particular the energy density per unit length of the spark and the proximity of neighboring structures, are as important as

the structures themselves. When the spark deposits its energy into a kernel of gas and increases the temperature of that region, if the heat transferred to neighboring structures is greater than the heat generation rate resulting from hydrogen combustion, the reaction will die away and ignition will not result. The quenching distance has been determined experimentally for dry mixtures of air and hydrogen as illustrated in Table 2.1. Thus, if the spark occurs within a confined channel of a piece of equipment, the gas may not ignite, even if the minimum ignition energy is exceeded, if the channel is too narrow.

Table 2.1: Parallel plate quenching distance and minimum ignition energy versus hydrogen concentration [81].

H2 Concentration in Air (%)    Parallel Plate Quenching Distance (cm)    Minimum Ignition Energy (mJ)

If the spark jumps between less massive poles that do not represent a dominant heat sink, the minimum ignition energy for a particular hydrogen composition varies as a function of the separation between the poles. Experimental work completed by Ono, et al., [77] also determined the MIE as a function of separation distance, as shown in Figure 2.4. Note that for the larger separation distances, the minimum ignition energy actually increases. Experimental work completed by Bane, et al. [82] suggests that while gap length is an important mechanism affecting gas ignition, it may be more insightful to

consider the spark energy density (i.e. energy deposited per unit length) rather than a single minimum ignition energy for a given concentration.

Figure 2.4: Minimum ignition energy of hydrogen-dry air mixtures (solid line) for varying gap distances [77].

There is very little information available about the frequency of sparks of different energy in a PWR containment following recovery of AC power in a station blackout event. A study by Swain, et al. [81] tested some common equipment to determine whether sparks from that equipment would ignite in combustible environments in the range of 4% to 10% hydrogen. The results of that study are summarized in Table 2.2. Note that the light switch cases involve the likelihood of ignition for a single event whereas the cases with motors involve multiple sparks over a given time period. As

might be expected, multiple trials did not necessarily result in the same outcome, demonstrating the stochastic element of the process. There was no attempt made in the experiments to actually measure the energy of the sparks. However, based on the available data on minimum ignition energy it is possible to make some general statements. Equipment that did not initiate ignitions at concentrations up to 10% probably did not have spark energies exceeding 0.05 to 0.1 mJ (or at least that value as a surrogate for conditions leading to ignition). Because the shop vacuum cleaner (after cleaning the brushes) was able to ignite a 6% enriched mixture, the spark energies probably exceeded 10 mJ. It is reasonable to assume that equipment in containment could emit substantially higher spark energies because it is substantially larger and operates at a higher voltage than a common shop vacuum.

Table 2.2: Ability of common electrical equipment to ignite lean hydrogen mixtures [81].

Equipment                    Results for Range of H2 Concentrations
Toggle light switch          Unable to ignite in range of 4% - 6%
Shop vacuum motor            Able to ignite in range 6% - 10%
Pull chain ceiling light     Able to ignite in range 8% - 10%
Garage door opener motor     Unable to ignite in range 4% - 10%

Flammability of Hydrogen:Air:Steam Mixtures

The flammability of hydrogen:air:steam mixtures has been examined by SNL in the FITS vessel [83]. The FITS facility was designed to perform scaled experiments of combustion phenomena in a vessel that is 3.4 m in height and 1.52 m in diameter, which is approximately 1:25th scale of an actual containment building. The facility has spark and glow plug igniters which are used to trigger combustion. The vessel also has fans

that can be used to determine the effect of turbulence on ignition, energetics and completeness of combustion. Tests were performed for air, hydrogen and steam mixtures at both ambient and elevated (375 K) temperatures. Peak pressures were measured. Percent combustion was determined by comparing the pressure rise with that of a calculated adiabatic isochoric complete combustion value. The effect of steam was found to reduce the normalized peak pressure (P_max/P_0) relative to what was obtained in experiments with equivalent hydrogen to air ratios in the absence of steam, where P_max is the maximum pressure measured and P_0 is the pressure prior to the burn. For hydrogen concentrations in the neighborhood of 10% or less, turbulence was found to increase the pressure rise and completeness of combustion. For concentrations greater than 15%, it did not appear to make any difference. Figure 2.5 from [83] shows the results for normalized peak pressure as a function of the percentage of hydrogen only considering hydrogen and air in the composition. The peak increases as a function of hydrogen concentration until near stoichiometric conditions are achieved and then decreases in the hydrogen rich region. In Figure 2.5, as the percentage of steam increases, the normalized peak pressure decreases. For conditions in which ignition occurs with a steam concentration greater than 40% steam, the peak pressure is substantially reduced such that even for near stoichiometric conditions, containment failure would be unlikely to occur. Under these conditions, the event propagates much more slowly and with substantially reduced burn completeness. In Section 7.3.4, the importance of this effect and our uncertainty regarding the magnitude of ignition sources in containment are discussed.

Figure 2.5: Normalized peak pressure as a function of percent hydrogen in hydrogen:air mixtures [83]

Impact of Recovery Actions

Ideally, mitigating and recovery actions are performed shortly after accident initiation in order to return the plant to a safe state where adequate cooling can be achieved and radionuclide boundaries are maintained. However, it is important to note that some recovery actions may initiate some of the severe accident phenomenology discussed above. These short term preventative actions may induce detrimental events in the longer term of the accident. For example, as a last resort at Fukushima, the choice was made to utilize ocean water to achieve cooling of the molten cores, and now the utility faces issues of decontaminating that water and the effect the salt water will have had on the

molten corium. Some recovery actions to consider include steam generator water makeup, reactor cavity flooding, containment venting and the actuation of containment sprays and fan coolers. The Nuclear Energy Agency (NEA) released a short study that assessed the short- and long-term effects of mitigating and recovery actions [84]. This study covered water chemistry, containment cooling, sump leakage, hydrogen generation and the issues mentioned previously.

Containment Degradation

As the nuclear industry has proposed plant life extensions from forty years to sixty years and considered the eventual life extension to eighty years, increased attention has been given to the effects of degradation mechanisms on containment integrity through various experimental and computational studies. These studies generally relate to failure by quasi-steady overpressurization and include aging effects related to degradation of structural members required for structural integrity; in a PWR, for steel-lined containments, these members include reinforcing bars, pre-stressed tendons and steel liners. SNL has conducted several containment fragility studies in which they experimentally investigated containment response to aging and overpressurization [85]. Between 1983 and 2001, SNL constructed several scaled models of various containments for integrity testing, including four 1:32 steel containment models (two cylindrical shells with hemispherical dome, one with additional hoop stiffeners and one with additional simulated penetrations), a 1:6 reinforced concrete PWR model and a 1:4 prestressed

concrete PWR model; the level of complexity proposed in the model dictated the scale, i.e. increased complexity required a larger scale model. In most tests, pneumatic pressurization by nitrogen was used, with the exception of the 1:4 prestressed concrete tests, where the vessel was filled 95:5 with water:nitrogen by volume; thermal stresses were not considered in the tests, so all tests were conducted at ambient temperature. SNL found several general conclusions regarding containment designs similar to those at Zion (steel-lined, prestressed concrete), which will be briefly mentioned here. Global strain in containment achieved before failure is on the order of 0.5 to 1.0% for prestressed concrete. High strains at local discontinuities tended to limit the model capacities. For steel-lined structures, failure is dominated by leakage, mainly due to the structural interaction between the steel lining and concrete, while for steel structures, failure is dominated by rupture. This differentiation is significant because the mechanism of failure is the same in both the steel liner and the steel vessel, i.e. tears in steel are the result of the exceedance of ductility limits at geometric discontinuities. In 1987, SNL tested the 1:6 scale reinforced concrete model; the steel lined model was designed to ASME code for a design pressure of 0.32 MPa (46 psig) and included functional models of equipment hatches, airlocks and smaller penetrations. Studies in the early 1980s by SNL predicted a failure by leaks and shears in the range of 0.9 to 1.31 MPa. However, the actual test showed failures at much lower pressures, and the test was concluded early because the pressurization system could not compensate for excessive leakage; the vessel could not be tested to catastrophic rupture. The leak rate increased significantly over a small range of pressures; at 0.96 MPa, the leak rate was ~10 scfm, at

0.98 MPa the leak rate was 50 scfm, and at 1.0 MPa, the leak rate was 4000 scfm, or 5000% mass per day. A 22 inch long tear in the liner plate near a penetration was responsible for the majority of leakage, while other smaller tears (1/8 to ½ inch long) were next to liner studs near other penetrations. The test found that no new cracks were developed while the vessel was at high pressure, but cracks developed at low pressure grew while the vessel was at high pressure. In the late 1990s, SNL tested a steel lined prestressed concrete containment vessel (PCCV); this test was co-sponsored by the Nuclear Power Engineering Corporation (NUPEC) of Japan, so the vessel was designed to closely match the existing Ohi-3 unit in Japan. The design pressure for the model was 0.39 MPa, and the model was designed so that the global and local response, particularly around penetrations, of the Ohi-3 prototype could be mimicked. The model was prestressed to match the net forces expected in the prototype after 40 years of service. A combined Structural Integrity and Integrated Leak Rate Test (SIT/ILRT) was performed in which the vessel was first pressurized to 0.44 MPa (1.125 times the design pressure) for 1 hour, and then pressure was reduced to 0.36 MPa (0.9 times the design pressure) for 24 hours. During the ILRT, a leak rate of less than 0.1% mass per day was observed, demonstrating that the vessel was essentially leak-tight. A Limit State Test (LST) was performed which would test the response of the vessel to beyond design basis loading. The model was first pressurized to 0.6 MPa and a leak rate of 0.48% mass per day was observed. Pressurization continued to 0.78 MPa, where now the leak rate was calculated to be essentially zero. Again pressurization was continued to 0.98 MPa; at 0.94 MPa, an anomaly was reported by an operator, and the

leak rate was found to be 1.63% mass per day, indicating leakage. It was concluded from the LST that the model functionally failed at approximately 2.5 times the design pressure from liner tears near equipment hatches and penetrations. Pressurization was again continued in an effort to observe a structural failure of the model. The model was pressurized to approximately 1.3 MPa (3.3 times design pressure) until the test was concluded due to excessive leakage of approximately 275% mass per day. A Structural Failure Mode Test (SFMT) was subsequently completed with the objective of observing large inelastic deformations and structural failure. The PCCV was sealed with a membrane and filled 97% with water and 3% with nitrogen. The acoustic monitoring system detected an event interpreted as a tendon wire break at approximately 1.3 MPa, and shortly after a small spray was observed at mid-height. Additional tendon breaks were detected with increasing frequency and a second spray was detected. Pressurization continued, and a violent rupture at mid-height occurred when the system was at 1.42 MPa. Ultimately, the SFMT showed that the limiting factor of the structure's integrity is the radial expansion of the cylinder. Hoop tendon rupture began when the maximum strain was approximately 4%, and expanded vertically along the structure. The location of structural failure coincides with the decrease in hoop reinforcing near the equipment hatch; additional hoop reinforcing was constructed in areas surrounding the equipment hatch, similar to the prototype. Various tests were also performed to specifically test penetrations, personnel airlocks, and equipment hatches. Most tests found that electrical penetrations and compression seals and gaskets could withstand pressures up to 1.1 MPa with minimal leakage;

generally, electrical penetration failure was not observed, and ageing did not affect failure pressure. Personnel airlocks were found to fail at a relatively lower pressure; outer doors did not experience failure, but inner door failure was observed at 0.07 MPa. Equipment hatches were found to deform severely (i.e. in the reinforced concrete test, the hatch diameter increased 1.5% in the horizontal direction and decreased 1.5% in the vertical direction). In more recent years, various forms of degradation, a consequence of ageing, have been observed in steel and concrete containments. In steel and steel-lined structures, corrosion has been observed, and loss of prestressing in hoop tendons has also been observed. In light of this ageing, SNL also completed a risk informed analysis of the effects of degradation on various containment designs [86]. In the study, a finite element model of containment with meshes appropriate to represent a full containment was utilized first in order to assess global effects. Displacements and strains calculated in the global model are then used as boundary conditions in local models representing areas with concentrated stresses. ABAQUS [87], a nonlinear finite element analysis program, was used for all finite element modeling in the SNL study. While the SNL study contained detailed results for all containment models, only information pertaining to a Zion-like model will be discussed here. In the SNL study, the leak criterion is fulfilled when a tear in the steel shell occurs; a tear is assumed to occur when the effective plastic strain reaches a limiting value. Tears are expected to occur primarily at four locations: large steam penetrations, the basemat junction, personnel and equipment hatches, and the springline. For steel-lined containments, the rupture criterion is defined as a hole size of

0.028 m²; tear and crack growth were not explicitly modeled in the study, so only a final hole size was estimated. Catastrophic rupture was also considered as a failure mode, and the pressure at which this would occur was calculated by an equation which considers the ultimate strength, spacing and area of rebar and tendons, the thickness of the liner and the physical dimensions of containment. In the model, two different corrosion locations were considered: containment mid-height, and just above the basemat junction; for each case, 50% and 65% liner corrosion penetration were assessed. Two different cases of tendon degradation were assessed in the study: a 50% reduction in the area of 20% of the hoop tendons, grouped at containment mid-height, and a 50% reduction in prestressing force in the same 20% of tendons. The area reduction of the tendons may be the result of corrosion, pitting, stress cracking or embrittlement. The reduction in prestressing force is motivated by low prestressing levels observed in actual plants, which may be the result of improper calibration during initial post-tensioning, unexpected prestressing losses and improper quality control. Results of the SNL study will be briefly summarized here, but figures related to the results can be found in Appendix B. With regard to corrosion, the level of corrosion did not have any effect on the likelihood of leak failure, but leak was more likely to occur with corrosion at the basemat junction. Increased corrosion did slightly increase the likelihood of rupture (Figure B.1 and Figure B.2). With regard to tendon area reduction, the likelihood of failure is the same for rupture, catastrophic rupture and leak in the locations of steam penetration, wall-basemat junction, hatch, and springline (Figure B.3). Regarding the loss of prestressing in tendons, the likelihood of leakage at the basemat

junction is significantly higher than all other failure modes; the likelihood of leak failure at the basemat junction quickly grows from 0.2 to 0.7 in the range of 0.6 MPa-g to 0.7 MPa-g, while all other failure modes show similar likelihoods in the range of 0.7 MPa-g to 1.0 MPa-g (Figure B.4). Curves for the cumulative probability of leak failure and the original probability of failure for the undegraded case are shown in Figure 2.6; it is clear that corrosion, regardless of location, has a minimal effect on the failure probability, but tendon degradation has a fairly significant effect. For tendon area reduction, the curve covers pressures in the 0.45 MPa-g to 0.55 MPa-g range, while the corrosion and base case curves cover pressures of 0.6 MPa-g to 0.8 MPa-g. The SNL study also calculated various statistics related to early release and early containment failure probabilities. Of most significance to this proposal is the change in large early release frequency due to degradation, shown in Table 2.3. While corrosion tends to reduce the LERF by approximately 9 x 10^-9 yr^-1, tendon area reduction increases LERF by approximately 5.5 x 10^-7 yr^-1. Based on Regulatory Guide 1.174, this type of change in the system would be acceptable to the NRC for a proposed change in the licensing basis independent of the core damage frequency.

Figure 2.6: Cumulative probability of failure for the original and degraded cases of a prestressed containment [86].

Table 2.3: Change in LERF (yr^-1) from degradation [86].

Case                              Mean
50% corrosion near basemat        -8.79E-9
50% corrosion at midheight        -8.79E-9
65% corrosion near basemat        -8.79E-9
65% corrosion at midheight        -8.79E-9
50% tendon area reduction         5.47E-7
50% tendon prestressing loss      1.17E

Review of NUREG-1150 Zion PRA

This section describes the PRA developed for the Zion Nuclear Power Plant in the NUREG-1150 study. Zion is a four-loop Westinghouse PWR with a large, dry containment; the plant is now in a permanent shutdown mode. Section describes the containment failure modes considered in NUREG-1150 and an assessment of the failure modes using the current state of knowledge is made. Section describes the

Accident Progression Event Trees (APETs) developed in the NUREG-1150 analysis, and draws some comparisons with a more recent analysis performed by the NRC.

NUREG-1150 Containment Failure Modes and Current State of Knowledge

In this section, several failure modes of NUREG-1150 and the current state of knowledge regarding these failure modes are discussed. These failure modes include: failure to isolate containment, containment bypass, Alpha Mode failure, rocket mode failure, HPME and DCH, reactor cavity steam explosions, combustible gas explosions, quasi-steady overpressure, and basemat melt-through.

Failure to Isolate the Containment

The NUREG-1150 probability of pre-existing leakage or failure to isolate is 5x10^-3 per event. Historically, there has not been the same level of consideration given to this failure mode as to other modes. The NUREG-1150 conditional probability of early containment failure is on the order of 1% for large, dry PWR containments. As a result, whether failure to isolate is an order of magnitude higher or lower doesn't have a great impact on the risk. However, from the viewpoint of land contamination the consequences associated with failure to isolate could be substantial. One of the areas in which risk-informing regulatory requirements has led to relaxed requirements relates to the interval at which integrated leak-rate tests are performed. As a result, the rate of accumulation of data from operating experience that would help to better assess this probability is slow. Because isolation failure is considered a mode of early containment

failure, this failure mode is not considered further in this analysis because it does not pertain to a long term SBO and it is not related to the treatment of severe accident processes in a dynamic analysis. However, it should be noted that failure to isolate the containment has the potential for significant consequences due to the early release of airborne radionuclides and should be subject to further research.

Containment Bypass Due to Interfacing System LOCA or Temperature-Induced Steam Generator Tube Rupture

The interfacing system LOCA, Event V, is an accident scenario associated with the failure of two valves in series that isolate the low design pressure portion of the reactor coolant system from the high design pressure system. In a SBO the potential exists for a temperature-induced failure of steam generator tubes that could lead to similar consequences if a secondary side relief valve sticks open. The SOARCA examination [5] of the interfacing system LOCA showed substantially lower radionuclide release than NUREG However, the scenario analyzed in SOARCA provided high credit for retention of aerosols in primary system piping, filtration in the standby gas control system, and integrity of the safeguards building in the presence of high combustible gas concentrations. The associated aleatory variability and epistemic uncertainties for this analysis are substantial and include events in which the extent of radioactive material release is larger than indicated by the SOARCA analysis. Within the context of a full uncertainty analysis, bypass scenarios still appear to have the greatest potential for a major release of radioactive material to the environment [10]. In the NUREG

analysis of the Zion Nuclear Plant, the probability of induced bypass in a station blackout accident was assessed as 0.1% but with limited technical justification. Subsequently, there has been considerable work done to assess this potential using the MELCOR code and separate effects computational fluid dynamics modeling of flow in steam generators [10] [88]. The probability of steam generator tube rupture depends on a competition with creep rupture somewhere in the hot leg or in the surge line to the pressurizer. The failure probability can depend on whether the system is depressurized by loss of primary coolant through failed pump seals. The number of tubes that rupture can also be important. The potential benefit of a consistent uncertainty analysis has been demonstrated for a case in which hot leg failure was found to preclude steam generator tube failure in the best estimate case, but in which the steam generator tube failure was found to contribute a few percent when uncertainties in the creep rupture model were taken into account [10]. In that respect, bypass will not be addressed in this study.

Alpha Mode Failure

The alpha-mode of containment failure was assessed to contribute 5.9x10^-3 to the probability of containment failure in NUREG The experts of the Steam Explosion Review Group [61] and the review of the SERENA program [62] found that Alpha Mode failure and vessel failure in the lower plenum region are very unlikely. Based on the results of these studies and the discussion in Section 2.2.3, it is concluded that this mode of failure is physically unrealistic and its contribution as a low probability containment failure mode will not be considered in this analysis.

Rocket Mode Failure

As discussed in Section 2.2.4, this event can be dismissed as physically unrealistic based on:

- In general, the intent under severe accident conditions is for the operators to depressurize the system. Any failure, such as in the hot leg, which occurred prior to lower head failure would also depressurize the system.
- Although the lower head failure could occur by creep rupture in a circumferential manner, it is unlikely that the rupture would rapidly unzip the head; failure is likely to be initiated at one side of the vessel and the induced loads will not be directly vertical.
- The gap above the legs is also not likely to be large enough for the vessel to achieve sufficiently high velocity before impact to lead to failure of this piping.

Consequently, this failure mechanism is considered to be physically unrealistic and is not considered further in this analysis.

High Pressure Melt Ejection and Direct Containment Heating

If creep rupture of the lower head of the vessel occurs under the thermal load of a large mass of molten fuel material while the vessel is at high pressure, the molten material could be dispersed around containment in fragmented form. This debris would

rapidly transfer heat to the atmosphere. Such DCH through HPME could also initiate combustion of pre-existing hydrogen, adding to the pressure rise. The amount of heat released would be augmented by oxidation of any unoxidized zirconium in the dispersed material. In NUREG-1150, DCH was an important contributor to the containment failure probability at the time of vessel failure. The probability of containment failure at vessel breach was assessed based on expert elicitations for a variety of potential conditions associated with the pressure in the vessel at the time of failure, the size of the breach in the lower head, the fraction of core material ejected, and whether the reactor cavity was dry or water-filled. The range of pressure increase over which sampling was performed was as great as MPa with median values as large as 0.65 MPa. These values were sufficiently great to result in a significant probability of containment failure at the time of vessel breach. The experts were considering the superposition of the effects of direct containment heating, oxidation of unoxidized zirconium, and hydrogen combustion. In the time frame of NUREG-1150 and the period immediately following its release, there was considerable effort expended in reducing the uncertainty in HPME, including a number of model experiments. Based on the evaluations in [45] [40] [39] [41] [44], the potential for HPME for different cavity configurations is now better understood. Based on the models that now exist for HPME, it is quite unlikely that there would have been a significant probability of Zion containment failure in case of vessel failure. There has also been some consideration of the possibility of molten debris, which has been distributed around the containment, accumulating at a location adjacent to the wall of the

containment, leading to containment failure. For the Zion cavity configuration, it is unlikely that much of the ejected material would escape the cavity [45]. Some uncertainty still exists regarding the distribution of debris within containment following high pressure melt ejection. To investigate the sensitivity of direct containment heating, oxidation of zirconium, and combustion to the distribution of debris within containment, a series of MELCOR calculations have been performed to assess the effect on containment loading. These results are presented in Section

Reactor Cavity Steam Explosions

An energetic explosion in the reactor cavity could potentially lead to containment failure through the contribution of the blast wave to the pre-existing pressure within the containment. An explosion could also lead to the structural failure of support structures resulting in movement of reactor coolant system components, with the possibility of penetration failure. There has been considerable research on the potential for steam explosions for different corium (mixtures of uranium dioxide, zirconium oxide and zirconium) compositions with saturated and subcooled water [56]. If the water is subcooled in the cavity, the likelihood of an explosion is greater. Frequently, artificial triggers are used in experiments to initiate an explosion. Under prototypic geometries, it is unclear under what conditions triggers will exist and whether the process is effectively stochastic. Aside from the question of whether a steam explosion could directly lead to containment failure, which appears unlikely, the extent of corium breakup and the coolability of the debris have other important effects. If the debris bed is coolable, attack

of the concrete could be prevented or its extent decreased such that the basemat would not be penetrated. The amount of hydrogen and carbon monoxide released during core-concrete attack can also have a major impact on the potential energetics of the late combustion of combustible gases. Cavity flooding is potentially an effective severe accident management strategy. However, it is important to understand both the potential benefits and conversely potential negative impacts on accident consequences. The results of sensitivity studies regarding the effects of a flooded cavity on accident progression are presented in Section

Combustible Gas Explosions

The Fukushima accident provided graphic evidence of the potential impacts of a combustible gas explosion. Of course, the containment structure of a large, dry PWR is much more robust than a BWR reactor building. The NUREG-1150 event tree does not consider the potential for containment failure due to a hydrogen explosion prior to the time of vessel failure under the assumption that the total amount of hydrogen produced by zirconium oxidation is insufficient to result in a sufficiently energetic event to fail containment. In NUREG-1150, the potential for a hydrogen deflagration resulting in containment failure was not addressed separately at the time of vessel failure, but the burning of pre-existing hydrogen in combination with direct containment heating was considered by the experts in their elicitations. In NUREG-1150, very little credit was given to potential recovery actions. In the post-Fukushima environment with its emphasis on FLEX equipment [89], it is recognized

96 that recovery actions of some type will almost certainly happen and that they can have important impacts. Reflooding of a severely degraded core could potentially lead to a rapid production of hydrogen, significantly increasing the likelihood and magnitude of a hydrogen explosion. In the station blackout accident, if power is not recovered, the amount of steam in the containment is sufficient to prevent hydrogen combustion. If power is recovered, however, or some means is employed to cool the containment such as with sprays or containment fan coolers, the partial pressure of water vapor will decrease and the atmosphere can become flammable. The question then arises as to whether an explosion would be triggered. In the SOARCA analysis for station blackout at the Surry Nuclear Power Plant, this question is examined for a number of scenario conditions. Of all of the containment failure modes examined in our study, this appears to be the most important, with implications regarding severe accident management strategies. The results of sensitivity studies regarding combustible gas production and combustion loading are provided in Section Quasi-Steady Overpressure If cooling cannot be provided and the containment has not failed by some other mechanism, the containment will fail due to overpressurization. There is insufficient cooling associated with thermal conduction through the containment shell to reject all of the decay heat. In the Zion plant, failure would occur in about two days based on our preliminary MELCOR analyses using the reference model described in Section

Subsequent to NUREG-1150, there has been substantial research to assess the conditions under which containment would fail from quasi-steady over-pressurization [90]. It is generally recognized that as the internal pressure increases, a steel-lined concrete containment would leak, rather than rupture. With increased pressure the size of the leak would continue to increase and could equilibrate when the leakage balances the production rate of gases. At higher pressures the potential increases for a substantial rupture of some region of the containment such as at a penetration. Similar behavior could occur for a steel containment. However, the potential for a major rupture for a steel containment appears to be greater than for a concrete containment based on containment integrity research by SNL [85]. Overpressure failure is considered the primary failure mode in this analysis, and containment DCH and combustion events directly contribute to overpressurization.

Basemat Melt-through

In WASH-1400, all scenarios were assumed to result in penetration of the basemat of the containment. In NUREG-1150, basemat penetration was considered as having the potential to preclude a later atmospheric release. Recent experimental work indicates that flooding of the cavity can be an effective means of arresting basemat penetration, depending on the timing of flooding, the depth of the corium debris pool in the cavity and on the type of concrete [65]. Without cooling, the molten corium could penetrate a substantial distance into the concrete with potential breakthrough to the underground environment. A below-grade release of radioactive material could result in an airborne release or in ground water contamination. In past risk assessments, there has been little consideration of liquid pathway releases. The Fukushima accident showed that the potential exists for a significant liquid pathway release from contaminated water collecting in the basement of the reactor buildings. The potential for a direct impact on human health appears to be quite limited, however, in comparison with airborne releases [27] [28]. This study does not directly address BMT, as the primary intention is to focus on overpressure failures due to loading from DCH and combustion events.

Conclusions Regarding Review of Containment Failure Modes

The review of the risk-dominant containment failure modes and mechanisms from NUREG-1150 shows that some failure modes and phenomena may be excluded from further analyses, while some modes continue to be a concern to varying degrees. Specifically, Alpha mode failure, rocket mode failure, and in-vessel steam explosions can be excluded from further consideration as they are physically unlikely, if not unrealistic. The review regarding the state of knowledge of failure to isolate containment, bypass failure and BMT shows that these mechanisms still continue to be relevant to accident progression analysis, but they are not analyzed in this work as they either are considered to be beyond the scope of this work or have been previously reviewed in a DET analysis [10]. The review of HPME and DCH showed that significant modeling uncertainties still exist regarding this phenomenon; scoping studies to examine its effect on containment loading are presented in Section Ultimately, this analysis primarily focuses on the competition between combustion-induced containment failure and overpressurization.

Results of scoping studies regarding combustion-induced containment loading are presented in Section 7.2, and results of DETs examining combustion events in a long term SBO are presented in Section

Accident Progression Event Trees

The NUREG-1150 study required the development of five unique APETs for the five plants studied. The APETs are comprised of a series of questions typically related to severe accident phenomena, although the status of some systems and components are also questioned [64]. For a real plant, the APETs are too large to draw as a traditional tree and are instead represented as numbered questions; for the Zion plant, 72 questions cover the tree [64]. All questions are categorized into seven different time periods: Initial, Early, Intermediate, Late Intermediate, Late, Very Late and Final. Of all the APET questions, less than one seventh of these questions pertain specifically to containment failure with time periods that correspond to the Intermediate, Very Late and Final phase.

The possibility of containment failure to isolate is covered in the first group of questions (Question 11), Initial, which describe the PDS. Question 12 deals with Event V, which is an interfacing system LOCA where the containment isolation valves fail; this may also be considered as a containment bypass method. Questions 34 and 36 of the Zion APET cover the possibility of containment failure at vessel breach, namely Alpha mode and rocket mode failures, and fall into the Intermediate time period. Question 64 considers containment failure due to hydrogen combustion, and is classified in the Very Late time period, following CCI. Questions fall into the Final category and specifically describe the status of containment. Questions 68 and 70 consider basemat melt-through, and Question 69 considers containment failure due to overpressurization.

It is prudent to compare the APETs from NUREG-1150 with the containment event trees (CETs) of NUREG/CR The simplified CET for a PWR with a large volume containment is comparatively smaller and simpler than the event tree from NUREG For the early phase of the accident, the CET considers largely the same phenomena as the APETs, such as RCS depressurization, SGTR, vessel breach and successful containment isolation. However, very specific questions, such as those monitoring the status of systems/components at various phases, or the generation of combustibles are not considered in the early phase CET (Figure 2.7). The only top event in the early phase CET related specifically to containment failure is the question of containment failure at vessel breach. A separate, late containment failure CET (Figure 2.8) is provided in NUREG/CR-6595, and is to be used if a delay in evacuation is predicted. The majority of questions found in the NUREG-1150 APETs are covered in the late failure CET. The status of containment heat removal systems, such as sprays or fan coolers, is condensed into one branch of the late phase CET. The only question in the CETs regarding hydrogen combustion is also found in the late phase CET.

Figure 2.7: Early phase CET for a large, dry PWR containment [17].

Figure 2.8: Late phase CET for a large, dry PWR containment [17].

2.5. Computer Codes

This section discusses the software used for analyses presented in this dissertation. The system level code used for scenario progression simulation in this analysis is MELCOR [3]; while later versions of this code are available, version was utilized as it is currently linked with ADAPT while the later versions are not. This software is discussed in Section To generate the DETs, the ADAPT software [6] coupled with MELCOR was utilized; ADAPT is discussed in Section

MELCOR Overview

The MELCOR code, developed by SNL for the NRC, is a fully integrated software package capable of modeling severe accident phenomenology in both PWRs and BWRs. The MELCOR code was developed to analyze the diverse phenomena encountered in a severe accident, including thermal-hydraulic response, core melting and relocation, core concrete interactions, oxidation of components, radionuclide transport, containment load response, and many other phenomena. MELCOR's level of fidelity for some models is fairly coarse, but the scope of severe accident phenomena addressed by the code is comprehensive and allows for an integrated analysis for a complete accident scenario. The software operates on a unified framework which contains multiple packages that address the overall code response dependent on various phenomena.

Plant designs in MELCOR are user-defined and consist of heat structures and control volumes connected by flow paths. The level of detail of the analysis therefore is controlled by the user's nodalization or refinement of control volumes, heat structures and flow paths. Information related to the physical states of the control volumes and flow paths directly affect the solution in other packages (i.e. the boundary conditions for solutions in all other packages are calculated based on control volume and flow path information). To advance the simulation in time, the governing equations of state (including analysis of mass, momentum and energy) are solved simultaneously in all control volumes and flow paths for each time step. To increase runtime efficiency, MELCOR utilizes a lumped-parameter approach to control volume analysis. Most calculations in MELCOR utilize mechanistic models, however for some phenomenological behavior which is still not well understood or requires a more complicated computational fluid dynamic (CFD) approach to the solution, approximate or empirical models are utilized.

File Structure

Running the MELCOR software requires the use of two executables; the melgen executable is responsible for compiling the user's input into a binary format readable by the melcor executable, where the melcor executable runs the actual simulator. The melgen executable creates a binary restart file which contains a database of state variables relevant to the system being modeled; as the software increments in time, the restart file is appended at regular intervals, and the simulator can be started again from any restart file (a convention useful in DET creation). Throughout the execution of the simulator, a plot file is also generated at specific intervals which contains state variable data in a format accessible by the user for data analysis. For debugging and data analysis purposes, melcor also generates a message and diagnostic file throughout the simulation. Stoppage of the simulator is controlled by user-defined control functions (also useful in DET creation) or a stop file.

Code Packages

As an integrated software suite, MELCOR utilizes several individual packages to simulate a severe accident. Some packages contain specific phenomenological models, while other packages are utilized internally to MELCOR to manage simulator execution or the transfer of data between packages. This section will briefly describe the MELCOR packages, and details regarding specific packages that directly affect the analysis in this work will be provided as necessary.

Table 2.4: Packages in MELCOR software.

| Package Name | Package Description |
|---|---|
| EXEC | Executive: Controls execution of melgen and melcor calculations and file handling |
| BUR | Burn: Treats burning of gases globally |
| CAV | Cavity: Models CCI, including heat transfer, concrete ablation and gas generation |
| CF | Control Function: Allows for user-defined functions to be implemented and made available to other packages |
| COR | Core: Models thermal response of core and RPV internals, transport of molten core and clad oxidation |
| CVH | Control Volume Hydrodynamics: Models thermal-hydraulic behavior and transport of materials between volumes and flow paths |
| DCH | Decay Heat: Models decay heat generated by decay of fission products in the core |
| EDF | External Data File: Provides a means for MELCOR to communicate with time history data stored externally |
| FCL | Fan Cooler Logic: Calculates mass and heat transfer due to operation of fan coolers |
| FDI | Fuel Dispersal Interactions: Models low and high pressure debris ejection from RPV and debris transport around containment |
| FL | Flow Path: Defines control volume connectivity and transport of hydrodynamic material between control volumes |
| HS | Heat Structure: Calculates heat conduction within a solid volume and energy transfer across its boundary to a connected control volume |
| MP | Material Properties: Contains physical properties of materials in forms of analytical laws, correlations and tables |
| NCG | Noncondensible Gases: Contains equations of state for gases, which are treated as ideal in control volumes |
| RN | Radionuclide: Models behavior of aerosols and vapors in control volumes, including deposition, revaporization and condensation, and the release of radionuclides from fuel |
| SPR | Containment Sprays: Models heat transfer from water droplets from containment sprays to containment atmosphere |
| TF | Tabular Function: Enables user-defined tabular input for use in any package |
| TP | Transfer Process: Provides an interface for mass and energy transfer of materials across packages |

The BUR package in MELCOR models the burning of the combustible gases carbon monoxide and hydrogen in control volumes. Due to MELCOR's lumped-parameter approach, the actual flame front propagation and reaction kinetics are not directly modeled. Rather, MELCOR calculates the change in energy (i.e. pressure and temperature) in a control volume by maintaining an inventory of the reactants and products and calculating the energy change based on the equations of state of these materials:

$$2\,\mathrm{CO} + \mathrm{O_2} \rightarrow 2\,\mathrm{CO_2}$$

$$2\,\mathrm{H_2} + \mathrm{O_2} \rightarrow 2\,\mathrm{H_2O} \tag{2.3}$$

A burn will be initiated in a control volume if user-defined ignition criteria are met. The ignition criteria are specified using LeChatelier's formula, or the effective combustion mole fraction (ECMF) which accounts for ignitability of more than one combustible gas:

$$\mathrm{ECMF} = \frac{n(\mathrm{H_2})}{N(\mathrm{H_2})} + \frac{n(\mathrm{CO})}{N(\mathrm{CO})} \geq 1 \tag{2.4}$$

where n(X) is the actual mole fraction of gas X and N(X) is the minimum flammability limit of gas X. The presence of diluents (steam and carbon dioxide) in the control volume must also be sufficiently low for a deflagration to occur, and there must also be sufficient oxygen (typically > 5%) in the volume for the reaction to proceed. The completeness and burn duration are also calculated by MELCOR and can be specified through user input. Combustion completeness (CC) is calculated using:

$$CC = 1 - \frac{Y_{\min}}{Y_{\max}} \tag{2.5}$$

where $Y_{\min}$ is the value of the ECMF desired at the end of the burn, and $Y_{\max}$ is the value of the ECMF at the start of the burn. For most reactions satisfying the minimum flammability limits, combustion tends to be complete. While flame front propagation is not directly modeled, burns can propagate to nearby volumes if specific criteria defined by the user are met.

It is important to note that MELCOR does not include the capability to model detonations, but it will produce a flag if detonation criteria are satisfied. No detonation occurs in the simulation, but instead the flame front is treated using the deflagration model. The burn package also includes the capability to model igniters simplistically using trip logic and separate minimum ignition criteria. A diffusion flame model, based on the HECTR 1.5 model [91], is also included in the burn package. The diffusion flame model treats the burning of hydrogen during DCH, where the hot particles of debris ignite hydrogen entering a control volume, so the behavior differs from bulk burning.

The CAV package in MELCOR is used to model the interaction of hot core material with concrete and the release of gases, and is largely based on the CORCON-Mod3 [92] and VANESA [93] models. Heat transfer to the cavity atmosphere or concrete from the debris is calculated by the ratio of corresponding thermal resistances across the interfacing boundaries, causing concrete ablation and debris transport to be dominated by energy conservation. In the cavity, it is assumed that heat is either generated by the decay heat of the molten debris or through the oxidation of corium and decomposition of concrete.

Concrete ablation in the cavity package is treated as a quasi-steady process due to the small thermal diffusivity of concrete. The cavity package assumes that the heat flux to concrete is sufficient to decompose it, producing carbon dioxide and water vapor in the process. The high temperature at which decomposition occurs causes the off gases to be highly oxidizing; these decomposed gases react with the metal in the debris, oxidizing it to produce carbon monoxide and hydrogen. The cavity package also has the capability to treat the rise of bubbles through a debris pool, where the bubbles may be fission products released from molten fuel or the gas products of concrete decomposition.

Debris bed layers may be formed in the cavity, where the layers result from varying densities of debris and range from an oxide layer less dense than metal, to an oxide layer more dense than metal. Each debris layer is treated separately as a lumped mass with a single temperature. The heat flux within each layer and at its interfaces is treated separately. Modes of heat transfer considered in the cavity package include conduction and natural convection. It should be noted that MELCOR does not consider the quenching and break up of a debris bed due to overlying coolant. However, heat transfer to and from water vapor is calculated by the cavity package.
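The BUR-package ignition test of Equation 2.4 and the completeness relation of Equation 2.5, applied to the station blackout case in which steam condensation makes a previously inerted atmosphere flammable. This is an added example, not MELCOR code or the author's input deck; the flammability limits, the diluent limit and the gas inventory are assumed sample values, and only the 5% oxygen floor is taken from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IgnitionLimits:
    h2_min: float = 0.10       # N(H2), assumed minimum flammability limit
    co_min: float = 0.167      # N(CO), assumed minimum flammability limit
    o2_min: float = 0.05       # oxygen floor, "typically > 5%" in the text
    diluent_max: float = 0.55  # assumed cap on steam + CO2 mole fraction


def mole_fractions(moles):
    """Convert a {gas: kmol} inventory into mole fractions."""
    total = sum(moles.values())
    if total <= 0.0:
        raise ValueError("empty control volume")
    return {gas: n / total for gas, n in moles.items()}


def ecmf(x, lim):
    """Effective combustion mole fraction (Eq. 2.4): n(H2)/N(H2) + n(CO)/N(CO)."""
    return x.get("H2", 0.0) / lim.h2_min + x.get("CO", 0.0) / lim.co_min


def ignition_check(moles, lim=IgnitionLimits()):
    """Return (ignitable, reasons); reasons lists every criterion that blocks a burn."""
    x = mole_fractions(moles)
    reasons = []
    if ecmf(x, lim) < 1.0:
        reasons.append("ECMF below 1")
    if x.get("O2", 0.0) < lim.o2_min:
        reasons.append("insufficient oxygen")
    if x.get("H2O", 0.0) + x.get("CO2", 0.0) > lim.diluent_max:
        reasons.append("diluent (steam + CO2) too high")
    return (not reasons), reasons


def combustion_completeness(y_max, y_min):
    """Eq. 2.5: CC = 1 - Y_min / Y_max, clamped to [0, 1]."""
    if y_max <= 0.0:
        raise ValueError("Y_max must be positive")
    return max(0.0, min(1.0, 1.0 - y_min / y_max))


def condense_steam(moles, fraction_removed):
    """Remove part of the steam, as sprays or fan coolers would after power recovery."""
    out = dict(moles)
    out["H2O"] = moles.get("H2O", 0.0) * (1.0 - fraction_removed)
    return out


# Constructed containment inventory in kmol (not plant data).
BLACKOUT_ATMOSPHERE = {"H2": 700.0, "CO": 100.0, "O2": 900.0, "N2": 3400.0, "H2O": 6500.0}

if __name__ == "__main__":
    for label, inventory in (("steam-inerted", BLACKOUT_ATMOSPHERE),
                             ("after cooling", condense_steam(BLACKOUT_ATMOSPHERE, 0.8))):
        ok, why = ignition_check(inventory)
        y = ecmf(mole_fractions(inventory), IgnitionLimits())
        print(f"{label}: ECMF={y:.3f} ignitable={ok} {why}")
```

With this inventory the hydrogen mass is unchanged between the two cases; only the removal of steam moves the mixture across both the ECMF and diluent criteria.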

The control function (CF) package in MELCOR is utilized to create user-defined functions of variables for inclusion in the simulation. This allows for complex trip logic which may cause various modeled systems or components to actuate. For example, control functions are typically used to model the opening and closing of a relief valve dependent on system pressure, or the actuation of accumulators which are also dependent on system pressure. Control functions can be either real-valued or logical; real-valued control functions can be any real number, while logical control functions can only be true or false. Control functions can also be used to control the stoppage of MELCOR through the use of the stopcf feature. Although no new control functions can be added during a MELCOR restart, the current value of an existing control function can be modified. The flexibility of the stopcf and ability to modify existing control functions are essential to DET creation in this analysis.

The FCL package allows for the simplified inclusion of containment fan coolers in the system model. The fan coolers are heat exchangers in containment which circulate the hot containment gas (primary side) over cooling coils (secondary side). Through user-specified input, the rated flows, coolant temperatures and heat removal rate can be specified. In melgen, an effective heat transfer area is calculated using the specified rated flows and heat transfer coefficient and cooler capacities for the rated conditions. The heat transfer rate is then calculated using the effective heat transfer area and the current conditions in containment, including the heat transfer coefficient of steam and the average temperature of the primary gas and secondary coolant. Like the igniters in the BUR package, fan coolers can be tripped using control function logic.

ADAPT Software Overview

This section describes the DET generator Analysis of Dynamic Accident Progression Trees (ADAPT) software which is utilized in this work. This software was developed at The Ohio State University under contract to Sandia National Laboratories to manage the creation of dynamic APETs. Section describes the general methodology utilized by ADAPT. Section identifies the input required to run ADAPT.

Methodology

In dynamic PRA, DET generators are either continuous or discrete in nature; ADAPT utilizes a discrete approach to DET generation based on user-specified branching conditions. While some discrete DET generators branch solely on time, ADAPT has the capability to branch on state variables, such as temperature or pressure. This methodology allows ADAPT to treat a wide range of uncertainties mechanistically and consistently.

ADAPT acts as a simulator driver and input manipulator when linked with a system code. Given a set of user-specified branching conditions, the ADAPT software controls the execution and stoppage of the simulator. Under ADAPT, a simulator will run until a specified value of a user-defined state variable is reached. When that threshold is achieved, the simulator will stop, and ADAPT will modify input to the simulator related to the state variable of interest. ADAPT will then relaunch the simulator in two parallel branches in the tree; one consistent with the conditions and probability of the branch occurring and the other consistent with the conditions and probability of the branch not occurring. The simulator will continue to run both branches until another branching condition is met for each.

For example, consider the branching class of containment failure. The user-specified branching rules for this class include a discretized fragility curve, where the discrete cumulative probability of failure as a function of containment pressure is described by the red dots in Figure 2.9. Under ADAPT, the simulator will run until the first branching point is reached (P = 0.51 MPa). At this point, the simulator will stop, and a branch in which the containment has failed (probability of 0.3%) and a branch in which containment has not failed (probability of 99.7%) are generated and launched. For the branch without containment failure, the simulator will proceed to run until the next branching point (P = 0.79 MPa) is reached, and bifurcating will occur again.
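The branching procedure just described, as an added sketch that is not ADAPT code: a queue of pending branches is run against a stand-in simulator, and each branching point on the fragility curve splits a path into a failed and an intact branch. Only the first curve point (0.51 MPa, 0.3%) and the second pressure (0.79 MPa) come from the text; the remaining curve values, the linear pressure rise, the 48 h mission time, and the conversion of the cumulative curve into conditional branch probabilities are assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass

# (pressure in MPa, cumulative probability of containment failure).
# From the text: (0.51, 0.003) and the pressure 0.79. Everything else is constructed.
FRAGILITY = [(0.51, 0.003), (0.79, 0.10), (0.95, 0.50), (1.10, 0.90), (1.25, 1.00)]

# Constructed stand-in for the simulator: pressure rises linearly until mission time.
P0_MPA = 0.10
RATE_MPA_PER_H = 0.02
MISSION_H = 48.0


@dataclass
class Leaf:
    outcome: str         # "failed" or "intact"
    time_h: float        # time at which the branch ended
    pressure_mpa: float  # containment pressure at that time
    probability: float   # path probability of this end state


def conditional_failure_probs(curve):
    """P(fail at point i | intact at all earlier points) from a cumulative curve."""
    out, prev_cdf = [], 0.0
    for pressure, cdf in curve:
        if not prev_cdf <= cdf <= 1.0:
            raise ValueError("cumulative probabilities must be non-decreasing and <= 1")
        survival = 1.0 - prev_cdf
        out.append((pressure, (cdf - prev_cdf) / survival if survival > 0.0 else 0.0))
        prev_cdf = cdf
    return out


def run_until(threshold_mpa):
    """Toy simulator run: stop at the pressure threshold or at mission time."""
    t_hit = (threshold_mpa - P0_MPA) / RATE_MPA_PER_H
    if t_hit <= MISSION_H:
        return t_hit, threshold_mpa, "branch"
    return MISSION_H, P0_MPA + RATE_MPA_PER_H * MISSION_H, "mission_time"


def generate_det(curve=FRAGILITY):
    """Expand the tree breadth-first, the way a job queue would launch branches."""
    cond = conditional_failure_probs(curve)
    queue = deque([(0, 1.0)])  # (index of next branching point, path probability)
    leaves = []
    while queue:
        idx, path_p = queue.popleft()
        if idx == len(cond):
            # No branching points left: the intact branch runs to mission time.
            leaves.append(Leaf("intact", MISSION_H,
                               P0_MPA + RATE_MPA_PER_H * MISSION_H, path_p))
            continue
        threshold, p_fail = cond[idx]
        t, p, reason = run_until(threshold)
        if reason == "mission_time":
            leaves.append(Leaf("intact", t, p, path_p))
            continue
        # Simulator halted on the branching condition: bifurcate.
        leaves.append(Leaf("failed", t, p, path_p * p_fail))
        p_intact = path_p * (1.0 - p_fail)
        if p_intact > 0.0:
            queue.append((idx + 1, p_intact))
    return leaves


if __name__ == "__main__":
    for leaf in generate_det():
        print(f"{leaf.outcome:7s} t={leaf.time_h:5.1f} h  "
              f"P={leaf.pressure_mpa:.2f} MPa  prob={leaf.probability:.4f}")
```

The failed-branch probability at 0.79 MPa is conditional on having survived 0.51 MPa (0.097/0.997), so the leaf probabilities reproduce the increments of the cumulative curve and sum to one.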

Figure 2.9: Example of containment fragility curve (cumulative probability of failure versus pressure in MPa).

Because ADAPT has the flexibility to consider branching based on a variety of phenomena, it is likely that very large trees will be generated. ADAPT has been designed to run under a server architecture in a parallelized Linux environment to decrease run times. Data management and server communication is accomplished using a MySQL database [94]. The ADAPT software maintains a job server which manages the execution and launch of simulations to hosts. The job server will monitor simulator progress as indicated by the database and determine if new branches need to be executed; if new branches are generated, they are placed in the job server's queue and launched when a host becomes available.

The execution of each new branch is accompanied by a supervisor process. The supervisor is responsible for monitoring the state of a branch (i.e. queued, running, completed) and assembling all the files necessary for the launch of a new branch. The supervisor process also updates the necessary information (i.e. branch state, output management) in the database.

Software Input Overview

Execution of the ADAPT software requires several input files. Required input which is simulator-specific includes: simulator input files and simulator executables. Required input which is ADAPT-specific includes: a simulator template file, edit-rules file, and simulator wrapper file. The required simulator-specific files are fairly self-explanatory; a simulator cannot be run without the necessary input model and executables.

The simulator template file is required for ADAPT as a means to directly communicate with the simulator. The template file contains simulator-specific input (i.e. in a format readable by the simulator), where input relevant to DET generation is modified to include tags that are recognized by ADAPT for input manipulation. The most widely used example of this in MELCOR-ADAPT is the treatment of bounding control function values. For most control functions in MELCOR which are relevant to branching phenomena, the input records affecting boundaries of control functions are replaced by tagged variables; these tagged variables are then overwritten as deemed necessary by the supervisor process, and new branches that are generated with the new input are submitted to the job server.

The edit-rules file contains all branching conditions utilized in generation of the DET; it effectively defines the probabilistic model. This file includes initial values for all template variables and branching conditions for every branching class, where the branching conditions include the probability of branching and the state parameter on which branching is dependent. For each class, the probability of branching may be determined by a discrete cumulative distribution function (CDF) or as a point-value. The state parameters which affect branching can also be entered as either a point-value (e.g. a setpoint pressure for a valve) or as a series of values (e.g. containment pressure in the case of the containment failure branching class).

The edit-rules file enables a significant amount of flexibility with regard to branching. In the case of more complicated phenomena, such as the mode of containment failure, it may be necessary to generate two or more branches at a branching point. If a specific containment pressure is achieved, containment will fail by leak, rupture or catastrophic rupture with varying likelihoods. The edit-rules file allows the user to define what branches are created each time branching for a certain phenomenon is questioned. This is particularly useful for a process like containment failure, where there is a relatively high likelihood of failure by rupture at median pressures, but a negligible likelihood of failure at very low and very high pressures.

The last file required for ADAPT execution is the simulator wrapper. This file is written to link ADAPT with a specific simulator so that ADAPT can effectively run the simulator. It is important to note that in order to be able to be linked with ADAPT, the simulator must have the following capabilities: the simulator must use text-based input, the simulator must have a restart capability, and the simulator must be able to halt itself. The wrapper provides the correct syntax and arguments for simulator execution to ADAPT. Once a simulation has stopped, the wrapper provides a means for ADAPT to determine why the simulator halted (i.e. due to branching condition or achievement of mission time) and if new branches need to be submitted to the job server (via a separate script). The wrapper is also responsible for updating this information in the database.

116 Chapter 3: MELCOR Model This chapter discusses the MELCOR model used in this analysis. Section 3.1 describes the system model in detail. This includes a description of the nodalization of the primary and secondary systems, the containment building and outside environment, and the plant systems represented in the model. Section 3.2 presents the scenarios considered in this work for both the scoping studies and generation of DETs System Model This section describes the MELCOR model used in the research presented in this dissertation. An input deck representing an SBO scenario in Zion Unit 1 was utilized. The deck was developed for the Industry Degraded Core Rule-Making (IDCOR) studies [95] by Sandia National Laboratories. The input deck was then modified by Texas A&M University to enhance natural circulation modeling in the regions of the core, hot leg and steam generators. Zion is a four-loop, 1100 MWe Westinghouse PWR north of Chicago, Illinois which is now in a permanent shutdown mode. The model includes representation of the primary system (discussed in Section 3.1.1) and secondary system (described in Section 3.1.2). Section describes the safety systems included in the MELCOR model. In Section 3.1.4, the containment model is 90

117 discussed. A general schematic of the primary and secondary loops is shown in Figure 3.1. Figure 3.1: Schematic of Zion primary and secondary nodalization. Black numbers indicate control volumes, red numbers indicate flow paths [96] Primary System The primary system is modeled by two loops: one loop containing the pressurizer and a second loop representing the remaining three loops. The second loop contains three times the volume and thermal inertia so as to properly account for heat transfer to and from the primary system. Representation of the pressurizer (CVs ), hot leg (CVs , ), cold leg (CVs 522, 523, 622, 623), steam generators (CVs

118 519, ), reactor vessel (CVs 310, 320, 399), accumulators and core are also included in the primary system model. The pressurizer, core, and steam generators are relatively finely nodalized to better approximate natural circulation and other thermal hydraulic effects in these regions. Emergency core cooling pumps and accumulators are also included in the primary system. The hot leg of the primary system is divided into four nodes to represent counter-current flow during accident conditions. Two of the nodes, representing the upper portion of the hot leg, carry hydrogen and super-heated steam to the steam generator and two of the nodes representing the lower portion of the hot leg carry cooler fluid back to the upper plenum. The reactor coolant pump, represented with one node, is located on the cold leg which is represented by four control volumes: two nodes before the pump and two nodes after the pump. The pressurizer is modeled using six nodes; a separate node represents the surge line connecting the pressurizer to the primary system. Two power operated relief valves (PORVs) and three safety relief valves (SRVs) are included in the pressurizer model; the PORVs require power for operation, while the SRVs are passive and do not require power. The relief valves reject water to the pressurizer relief tank (PRT) until a PRT pressure of 1000 psia is achieved; at this point, the PRT rupture disk fails and flow is directed to the lower containment volume. In the COR package (see Table 2.4), the fuel in the core region is modeled using five radial rings and 19 axial levels. Volumetric nodalization of the region, using the CVH package, includes 20 nodes, with four levels of nodalization and five nodes per level to 92

119 simulate natural circulation. The RPV model also includes control volumes for the upper head, lower head, downcomer, control rod drives and inlet and outlet nozzles. The U-tube steam generator is represented using 20 nodes. The inlet plenum is modeled using three control volumes. The primary flow tubes (upward and downward) are represented by twelve nodes, with six nodes representing each flow direction. Cross flow in the steam generator is modeled using four nodes, and the exit plenum is modeled using a single volume Secondary System Modeling of the secondary system in the Zion deck is simplistic relative to the modeling of the primary system. The secondary system includes modeling of the secondary side of the steam generator (CVs 575, 580, 585, 675, 680, 685), main steam lines (CVs 590, 690), turbine (CV 598) and steam generator environment (CV 599). The steam generator secondary side model includes single nodes for the boiler, downcomer and dome. The main steam lines are modeled using a single control volume for each loop, and the turbine is modeled using a single control volume. The steam generator environment is included as a release pathway in the event of SGTR. Similar to the pressurizer model, the steam generator model includes PORVs and SRVs. For each steam generator, the model includes one PORV and five SRVs. The PORVs require power to operate, while the SRVs do not require power. Control functions representing auxiliary feedwater systems (both turbine driven and motor driven) are included in the secondary system model to provide cooling water to the 93

120 secondary side. The turbine driven auxiliary feedwater (TDAFW) system can provide 100% of the required capacity, and requires power from the station batteries to operate. The two motor driven feedwater pumps (MDAFW) can each supply 50% of the required capacity, and require AC power.

Safety Systems and Components

This section describes the safety systems and components modeled in the Zion deck. Some non-safety systems are also described. Safety systems include accumulators, charging pumps, safety injection pumps, residual heat removal pumps, containment sprays and fan coolers. Non-safety systems include component cooling water and service water, which are both required for successful operation of many of the safety systems. Four passive accumulators are included in the primary system model; however, only two are physically modeled (one for the single loop containing the pressurizer and a second one for the triple loop). Accumulators are modeled using a fixed capacity drain tank and valves connecting the drain tank to the cold legs. Valves are tripped via a primary system pressure setpoint, and once the accumulator drain tanks drain completely, their inventory is exhausted and the accumulators are no longer available to assist with cooling. Several pumping systems are included in the model. Two centrifugal charging pumps and two safety injection (SI) pumps, which provide high-head, low capacity flow, are included in the model. Both systems can operate in either injection or recirculation mode. Injection mode uses inventory from the refueling water storage tank (RWST),

121 while the recirculation mode utilizes coolant taken from the cavity sump. Both systems can provide coolant to the primary system during emergency conditions, but the charging pumps are also utilized during normal operation to provide cooling to certain components. Operation of the emergency core cooling system (ECCS) utilizes two residual heat removal (RHR) pumps. These pumps provide low-head, high capacity flow to the primary system during emergency operation. Like the charging and SI pumps, the RHR pumps can also operate in either injection or recirculation mode, where injection mode takes suction from the RWST and recirculation mode requires inventory from the containment sump. Containment cooling is accomplished using either the containment sprays or fan coolers. Three containment spray rings are included in the model, where one ring receives pumping power from a diesel pump, and the remaining two rings each receive pumping power from separate motor driven pumps. Only one spray ring is necessary to provide adequate cooling to containment as determined by design basis criteria. Sprays can take suction from either the RWST or containment sump. Five fan coolers are included in the Zion model. Each fan cooler provides one-third the necessary cooling capacity to containment, and successful operation of three is required to maintain design basis containment cooling. Fan coolers take their cooling water from the service water system. The fan coolers actuate at a pressure setpoint of 20 psia, while the containment sprays actuate at a setpoint of 37 psia.

122 Component cooling water (CCW) and service water (SW) are required for the successful operation of many of the safety systems discussed here. CCW, which is required to supply cooling to ECCS pumps, and SW are modeled using five pumps, all powered by diesel generators. Only one pump is required for successful operation of either system. Success of CCW is directly dependent on success of SW. Success of SW is also required for fan cooler operation and RHR pump operation, as the SW system provides cooling to the heat exchangers in these safety systems. The feedwater system, which is required for secondary side cooling, is included in the Zion model. During normal operation, the main feedwater (MFW) system provides cooling to the steam generators, but during an SBO scenario, MFW will become unavailable and the primary system's heat sink will be lost. Auxiliary feedwater (AFW) would then be used instead of MFW. AFW is supplied by one TDAFW train or two MDAFW trains, where the TDAFW train can supply 100% of the necessary capacity and the MDAFW trains each supply 50% of the necessary cooling capacity. TDAFW requires station batteries to operate, while MDAFW requires AC power to operate.

Containment and Environment

The actual Zion containment building is a large, dry cylinder with a hemispherical dome. The steel-lined building is comprised of a post-tensioned prestressed concrete structure, and operates at essentially atmospheric pressure. The 80,927 m³ containment building is modeled using a coarse nodalization of four control volumes (Figure 3.2). The cavity region (CV 001), with a volume of 217 m³, is located below the RPV. The

123 lower volume (CV 008), located above the cavity, encloses the top of the RPV and has a volume of 12,100 m³. The annular volume (CV 011), whose location and orientation overlap the lower volume, has a volume of 9,710 m³. The upper volume (CV 024), representing the upper dome of containment, contains a volume of 58,900 m³; flow paths representing containment failure are located in this upper volume. All four containment volumes are interconnected with flow paths. Three different environment volumes are also included in the model. They each are used to represent radionuclide releases via different pathways. One environment volume connected to the upper dome via a small flow path is used to represent the nominal containment leakage of 0.1% per day. A second environment volume connected to the upper dome via a larger flow path is used to represent containment failure. The last environment volume, which is connected to the steam generators, represents leakage from the primary system to the outside environment via containment bypass.

124 Figure 3.2: Schematic of the Zion containment in the MELCOR model. The boundaries of the containment building are represented by the outermost edges of the control volumes. Note that the annular volume is a single ring-shaped volume, but represented in this two-dimensional figure as two separate volumes.

Scenario Description

This section describes the scenarios analyzed in this work. For both the sensitivity studies and DET analysis (see Section 1.3), an SBO scenario resulting from a loss of offsite power (LOSP) initiating event in the Zion model is selected as the starting point for the analyses. Station blackout then occurs if the onsite diesel generators fail. In all cases, it is assumed that the reactor scrams upon accident initiation. Section discusses the scenarios considered in the sensitivity and scoping studies. Section describes the scenarios considered in the DET analysis.

125 Scenarios Considered in Sensitivity/Scoping Studies

Sensitivity studies were performed prior to the DET analysis to help define the scope of the DET. In these sensitivity studies (Sections 7.1 and 7.2), individual SBO scenarios were examined without DET generation. The scenarios begin with the LOSP and SBO initiators; the reactor scrams and all systems dependent on power fail. For these cases, short term SBOs were examined in which the station batteries were unavailable, leading to early meltdown. Approximately 3.4 hr after accident initiation, fuel failure occurs via gap releases. The core begins to slump and main core support structures begin to collapse at approximately 4.2 hr. Lower head failure occurs 7 hours after accident initiation, and debris ejection into the cavity occurs shortly after. For the gas generation studies in Section 7.1, actuation of containment cooling systems or recovery actions related to reflooding the core were considered at various times. The timings of system activation or reflooding were chosen such that they correspond to events significant to scenario progression (i.e. onset of fuel failure, lower head failure, etc.). The specific matrix of scenarios analyzed in the sensitivity studies can be found in Section

126 Level 1 Accident Progression and Selection of Level 2 Candidates for DET Analysis

The dynamic portion of this work also analyzed an SBO scenario resulting from the LOSP initiator. These scenarios address the long term SBO; however, station batteries are assumed to be available until their depletion at 6 hours. Even though this work primarily focuses on Level 2 phenomena, a Level 1 DET was generated to identify Level 2 scenarios for analysis. The probabilistic model outlined in Chapter 4 was used to generate the DETs in Level 1 and Level 2. The Level 1 DET analysis, which covers the accident space from the initiating event to the onset of core damage, generated a total of 406 probabilistically significant (i.e. having a probability of 10^-6 or greater) scenarios, with 98 scenarios leading to core damage. All scenarios were grouped in PDSs based on characteristics describing the success or failure of various systems in the scenario. The binning parameters are described in Table 3.1, and the resulting PDSs are shown in Table

127 Table 3.1: Description of PDS bin characteristics.

Characteristic | Symbol | Description
Characteristic 1: RCS Status | T | RCS intact
 | S2 | RCS breached
Characteristic 2: ECCS Status | I | ECCS operated in injection mode only
 | R | ECCS not operating, but recoverable
Characteristic 3: Containment Sprays Status | R | Sprays recoverable
Characteristic 4: AC Power Status | Y | AC power recovered
 | R | AC power not available, but recoverable
Characteristic 5: RWST Status | Y | RWST injection occurred
 | R | No RWST injection occurred, but available with AC power recovery
Characteristic 6: Feedwater Status | Y | AFW running
 | S | TDAFW failed, but MDAFW available if AC power recovered
 | D | TDAFW operated until station battery depletion, MDAFW available if AC power recovered
Characteristic 7: SW/CCW Status | Y | SW/CCW recovered
 | R | SW/CCW recoverable with AC power recovery
 | N | SW/CCW failed
Characteristic 8: Fan Cooler Status | Y | Fan coolers operating
 | R | Fan coolers recoverable with AC power recovery

128 Table 3.2: PDSs resulting from the Level 1 analysis and their conditional probabilities.

PDS S2RRRRDYR TRRRRDYR TRRRRSYR S2RRRRSYR S2RRRRYRR TRRRRYRR S2RRRRDRR TIRYYYYY S2RRRRSRR S2IRYYYYY S2RRYRYRR TRRRRSRR S2NRYYYNR TRRRRDRR TNRYYYNR TIRYYNYY TRRYRDRY Conditional Probability 1.62E E E E E E E E E E E E E E E E E-06

Because the primary intent of this analysis is to examine combustion phenomena late in an SBO scenario, it is necessary to select scenarios for the Level 2 portion of the analysis which lead to combustion events. Scenarios with early power recovery (e.g. an entry of Y for Characteristic 4) cannot be candidates for the Level 2 analysis, because core melting is prevented. Low probability scenarios are of more limited interest. Thus, scenario probability was used as a second discriminator. For these reasons, the highest probability scenarios from bins S2RRRRDYR and TRRRRDYR were selected for the Level 2 portion of the DET analysis. PDS S2RRRRDYR represents scenarios in which TDAFW was recovered but eventually failed due to station battery depletion at 6 hours. In the candidate scenario for PDS

129 S2RRRRDYR, after a certain number of demands, a pressurizer SRV fails at 11.7 hr, depressurizing the primary system by a breach of the primary system. Core damage then occurs shortly after, at 12.5 hr. PDS TRRRRDYR represents scenarios similar to those of S2RRRRDYR, with the exception that a LOCA does not develop, so the primary system remains pressurized. In the candidate scenario from bin TRRRRDYR, core damage occurs at approximately 14.4 hr.

130 Chapter 4: ADAPT Model

This chapter describes the probabilistic model used to develop the DETs in this analysis. Section 4.1 presents the branching model for active components and systems. This includes: accumulators, AFW, charging pumps, RHR pumps, SI pumps, recirculation system, SW and CCW systems, valves, containment fan coolers and containment sprays. Section 4.2 describes the procedures modeled in the dynamic analysis. It should be noted that the probabilistic treatment of procedures in this analysis does not include a human reliability model. Section 4.3 describes the branching models used for passive components and severe accident phenomenology. The majority of branching conditions utilized in this analysis were developed for earlier studies that have previously been reported in [96] [10]. While this dissertation will provide key details of the branching model, additional details may be found in [96] [10].

Active Components/Systems Branching Classes

This section describes the branching model used for the active systems and components in the Zion model. Section describes the treatment of failures in the AFW system. Sections 4.1.2, and provide details regarding the modeling of failures of the charging pumps, RHR pumps and SI pumps, respectively. The

131 probabilistic model applied to modeling of the recirculation system is outlined in Section Section describes the modeling of failures in the SW and CCW systems. Section describes the treatment of valve failures, including PORVs and SRVs for the pressurizer and steam generators. Section describes the failure model of the containment fan coolers, and Section describes the containment spray model.

Auxiliary Feedwater System

The AFW system includes the TDAFW pump, which requires station batteries for operation, and two MDAFW pumps, both of which require AC power for operation. Success of AFW requires operation of either the TDAFW pump or both of the MDAFW pumps. Failures of all three pumps are treated separately. The failure probabilities for these pumps are generated using data from the analysis in [97]. Because diesel generators are assumed to be unavailable, the turbine driven pump is the only system available initially for the primary system heat sink. Success of TDAFW is questioned shortly after accident initiation. Only two states are possible: one with successful operation of the TDAFW pump or one in which TDAFW fails upon demand. The branch probabilities for these states are found in Table 4.1. If power is not recovered before station battery depletion at 6 hours, the turbine driven pump will fail with a probability of

132 Table 4.1: Branch probabilities for TDAFW success or failure on demand.

State TDAFW failure TDAFW success Probability 3.90E E-1

Because the MDAFW system consists of two pumps, the failure of these pumps is treated differently than failure of the TDAFW pump. For the motor driven system, success of one pump or failure of both pumps is considered. Actuation of the MDAFW pumps is considered shortly after power recovery if the turbine driven pumps are in a failed state. The branch probabilities for success or failure of the motor driven system upon demand are found in Table 4.2.

Table 4.2: Branch probabilities for MDAFW system success or failure on demand.

State Success of 1 MDAFW pump Failure of both MDAFW pumps Probability 9.930E-1 6.7E

Charging Pumps

If power is recovered during the scenario, the charging pumps are manually activated by operators through emergency procedures when operated in injection mode. It is assumed that only one pump is called upon during injection mode and in the switchover from injection mode to recirculation mode. In the branching model for the charging pumps, failure of one charging pump upon demand and success of both pumps are considered. Probabilities for these states are directly taken from the analyses in [98] and [97]. A per-hour failure rate of the charging pumps is also included in the ADAPT

133 model, where the probabilities were also taken from [98] and [97]. The probabilities of these states are shown in Table 4.3.

Table 4.3: Branch probabilities for charging pump success or failure on demand.

State | Probability
Failure of 1 pump on demand | 5.70E-3 per demand
Success of both pumps on demand | 9.94E-1 per demand
Failure rate | 2.73E-6 per hr

Residual Heat Removal Pumps

The RHR pumps are called upon following power recovery for low-head, high volume coolant makeup. As opposed to the charging pumps, the RHR pumps will actuate automatically once their pressure setpoint of 167 psia is achieved. Similar to the charging pumps, failure states of the RHR pumps include the failure of one pump, the failure of both pumps, or the success of both pumps. A per-hour failure rate after successful activation is also considered. The probabilities of these states were calculated using data from [98] and [97], and are shown in Table 4.4. It should be noted that the RHR pumps are required for successful operation of the recirculation system, which is described in Section

Table 4.4: Branch probabilities for RHR pump success or failure on demand.

State | Probability
Failure of 1 pump on demand | 5.20E-3 per demand
Failure of 2 pumps on demand | 5.60E-4 per demand
Success of both pumps on demand | 9.94E-1 per demand
Failure rate | 2.53E-6 per hr

134 Safety Injection Pumps

The SI pumps are responsible for supplying high-head coolant to the primary system when AC power is available. They are called upon either during the emergency feed-and-bleed procedures, or by actuation of a safety signal when the primary system reaches a setpoint of 1489 psia. As with the charging pumps, possible failure states include failure of 1 pump or success of both pumps. A per-hour rate of failure after successful actuation is also considered. The probabilities of these states were also taken directly from the studies in [98] and [97], and are shown in Table 4.5.

Table 4.5: Branching probabilities for SI pumps success or failure on demand.

State | Probability
Failure of 1 pump on demand | 2.20E-3 per demand
Success of both pumps on demand | 9.97E-1 per demand
Failure rate | 1.55E-5 per hr

Recirculation System

The recirculation system is used to provide cooling water to the primary system (in either high-head or low-head recirculation mode using different pumps) and the containment sprays. The failure model used for containment sprays is discussed in Section After RWST depletion, the recirculation system is called upon to take cooling water from the containment sump. Note that the sump water is cooled via RHR heat exchangers, but even if RHR heat exchangers fail, the recirculation system will continue to operate. Success or failure of both the high-head and low-head recirculation systems are considered separately, where the only states considered are either success or

135 failure of each system. If the low-head recirculation system fails, the high-head system fails with a probability of 1. If the high-head system fails, both the charging pumps and SI pumps become inoperable. Probabilities for their success or failure are taken directly from [98] and [97]. Branch probabilities for failure of the low pressure and high pressure recirculation system are shown in Table 4.6.

Table 4.6: Branching probabilities for success or failure of the low-head and high-head recirculation systems on demand.

State Low-head system succeeds Low-head system fails High-head system succeeds High-head system fails Probability 9.95E E E E

Service Water and Component Cooling Water Systems

For successful operation of many of the safety systems called upon during an SBO scenario, the success of the SW and CCW systems is required. The CCW system is required for operation of all emergency cooling pumps. The SW system is required for success of the CCW system, fan coolers and RHR heat exchangers. In the probabilistic model, the SW and CCW systems are questioned at two points in the scenario: upon initiation of the transient, and upon power recovery (provided they were unsuccessful at accident initiation). It is assumed that if the systems fail upon the second demand, it will be due to a common cause (failure of the diesel generators they share). The SW and CCW systems are considered in a single branching condition; the only possible states are system success or failure. Probabilities for the success or failure of these systems were

136 taken from the analyses in [98], [97] and [99]. Branching probabilities for the success/failure of the SW and CCW systems at the transient are shown in Table 4.7. Probabilities for the success or failure of these systems upon power recovery are shown in Table 4.8.

Table 4.7: Branching probabilities for the success or failure of SW/CCW systems called upon following the transient.

State SW/CCW succeeds SW/CCW fails Probability 9.75E E-2

Table 4.8: Branching probabilities for the success or failure of SW/CCW systems called upon following power recovery.

State SW/CCW succeeds SW/CCW fails Probability E-1 2.2E

Valve Failure

In the ADAPT model, failure of the PORVs and SRVs on the pressurizer and steam generators is considered. Because the PORVs require power to operate, and because they are likely to be called upon many times, both the failure to open and the failure to close upon demand are considered separately. For SRVs, failure of the valve to close is considered, as this would represent a breach in the primary system. Note that for multiple valve failures, the events are assumed to be independent. For the pressurizer PORVs, failure of 1 or failure of 2 valves upon demand is considered for the open and closed position. Failure of 1, 2, and 3 pressurizer SRVs is considered in the ADAPT model. Failure of the steam generator relief valves is only considered for valves on the

137 single loop containing the pressurizer; the likelihood of failure of all valves represented in the triple loop is so low that their risk contribution is considered negligible. For the steam generator PORV, failure upon demand at either the open or closed position is considered. Failure of the steam generator SRV to close is also considered. The analysis performed in [10] developed an algorithm to calculate the probability of valve failure as a function of the number of demands. The discrete probability of failure after a certain number of demands for each valve was computed by sampling points over the CDF, similar to that shown in Figure 2.9. These data were incorporated into the ADAPT model by using the number of demands per valve as the branching criterion. For all PORVs and the steam generator SRV, branching is questioned at the 5th, 50th and 95th percentile in the pressurizer loop; in the triple loop, branching is questioned at the one-tenth, 5th and 10th percentile. For the pressurizer SRVs, failure of 1 SRV is also questioned at the 5th, 50th and 95th percentiles. Failure of 2 SRVs is questioned at the 5th, 15th and 25th percentiles. Failure of 3 SRVs is questioned at 0.01%, 0.03% and 0.05%. As the original NUREG-1150 analysis did not provide data regarding the probability of valve failures, data from the analyses [100] and [101] were utilized. For the failure of PORVs to open, a probability of 1.44E-3 per demand was utilized. A probability of 6.0E-3 per demand was assumed for the failure of PORVs and SRVs to close.

Containment Fan Coolers

A total of five fan coolers are included in the Zion model, where only three are required for design basis cooling. For successful operation, fan coolers require the

138 recovery of AC power and the successful operation of the SW system. The fan coolers are called upon if containment pressure reaches the setpoint of 20 psia provided power is recovered and the SW system is successful. In the probabilistic model, only two states are considered: success of three fan coolers, or failure of all five coolers, where all five are assumed to fail by common cause. Probabilities for the failure of a fan cooler on demand due to maintenance outage (3.80E-2) or hardware failure (1.30E-3) were taken from [98] and [99]. The probability of the success of three fan coolers was calculated in [10] using a binomial distribution accounting for both maintenance and hardware failures:

P3 = Q (1 Q ) + Q Q (1 Q ) (3 1) H H M H H (4.1)

where Q_H is the failure of one fan cooler on demand due to hardware malfunction, and Q_M is the failure of one fan cooler on demand due to maintenance outage. The studies in [98] and [99] also provided the failure of all fan coolers due to common cause as 2.45E-6. The branch probabilities for the possible states of fan coolers are shown in Table 4.9. It should be noted that if the SW system fails, the fan coolers are not questioned (i.e. it is assumed the fan coolers fail with a probability of 1).

Table 4.9: Branch probabilities for fan cooler states on demand.

State Probability 3 fan coolers succeed E-1 All fan coolers fail 2.45E-6
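The Valve Failure section above uses the number of demands on a valve as the branching criterion, with branches questioned at chosen percentiles of the failure CDF. The following Python sketch is an added example, not code from the dissertation or from ADAPT: it assumes independent demands with a constant per-demand failure probability (a geometric CDF standing in for the algorithm of [10], which this page does not reproduce), and all function names are hypothetical.

```python
"""Demand counts at which valve-failure branches are questioned (added example).

ASSUMPTION: demands are independent with a constant per-demand failure
probability p, so P(failed by demand n) = 1 - (1 - p)**n. This stands in
for the algorithm of [10], which is not reproduced on this page.
"""
import math

# Per-demand probabilities quoted in the Valve Failure section.
P_FAIL_TO_OPEN = 1.44e-3   # PORVs failing to open
P_FAIL_TO_CLOSE = 6.0e-3   # PORVs and SRVs failing to close

# Percentiles (as fractions) at which branching is questioned.
PRESSURIZER_LOOP = (0.05, 0.50, 0.95)
TRIPLE_LOOP = (0.001, 0.05, 0.10)   # one-tenth, 5th and 10th percentile


def failure_cdf(p, n):
    """Probability that the valve has failed on or before demand n."""
    if not 0.0 < p < 1.0:
        raise ValueError("per-demand probability must be in (0, 1)")
    if n < 0:
        raise ValueError("demand count must be non-negative")
    # expm1/log1p keep precision when p is small.
    return -math.expm1(n * math.log1p(-p))


def demands_at_percentile(p, q):
    """Smallest demand count n with failure_cdf(p, n) >= q."""
    if not 0.0 < q < 1.0:
        raise ValueError("percentile must be a fraction in (0, 1)")
    n = max(1, math.ceil(math.log1p(-q) / math.log1p(-p)))
    # Correct for floating-point rounding at an integer boundary.
    while n > 1 and failure_cdf(p, n - 1) >= q:
        n -= 1
    while failure_cdf(p, n) < q:
        n += 1
    return n


def branch_schedule(p, percentiles):
    """Turn the continuous CDF into discrete branch points.

    Returns (demand, mass, conditional) tuples, where mass is the
    unconditional probability of failing between the previous branch
    point and this one, and conditional is that probability given the
    valve survived up to the previous branch point. Percentiles that
    map to the same demand count are merged into one branch.
    """
    schedule = []
    prev_n, prev_cdf = 0, 0.0
    for q in sorted(percentiles):
        n = demands_at_percentile(p, q)
        if n == prev_n:
            continue
        cdf = failure_cdf(p, n)
        mass = cdf - prev_cdf
        schedule.append((n, mass, mass / (1.0 - prev_cdf)))
        prev_n, prev_cdf = n, cdf
    return schedule


if __name__ == "__main__":
    cases = (
        ("fail to close, pressurizer loop", P_FAIL_TO_CLOSE, PRESSURIZER_LOOP),
        ("fail to close, triple loop", P_FAIL_TO_CLOSE, TRIPLE_LOOP),
        ("PORV fail to open, pressurizer loop", P_FAIL_TO_OPEN, PRESSURIZER_LOOP),
    )
    for label, p, percentiles in cases:
        print(label)
        for n, mass, cond in branch_schedule(p, percentiles):
            print(f"  demand {n:4d}: mass {mass:.4e}, conditional {cond:.4e}")
```

The probability left over after the last branch point (1 minus the CDF at that demand count) belongs to the path on which the valve never fails within the questioned range.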

139 Containment Sprays

The containment spray system utilizes three independent pumping systems (1 diesel driven, 2 motor driven) to provide water to the spray rings. However, operation of only one spray ring is required for successful design basis cooling. For this reason, only success of one pump is considered in the branching conditions, making the possible states the success of one pump or the failure of all three pumps. Containment sprays will be questioned if AC power is recovered and the containment setpoint pressure of 37 psia is achieved. The study in [97] assumed that failure of all three spray pumps would result from a common cause, and assigned it a probability of 6.3E-5. Because only two states are possible for this branching class, the success of one pump is assumed to be the complement of the probability of common cause failure. Probabilities for this branching class are shown in Table

Table 4.10: Branch probabilities for containment spray states on demand.

State Probability 1 spray pump succeeds E-1 All spray pumps fail 6.30E

Procedures

This section describes the emergency procedures which were implemented in the probabilistic model. This work was completed in [10]; information essential to understanding the ADAPT model is provided here, but additional details can be found in that study. Only procedures relevant to the progression of an SBO scenario were

140 implemented. These procedures were not meant to address any aspect of human reliability analysis, but instead were included to provide a more realistic analysis of plant response since it is assumed that some kind of mitigative actions would normally be attempted. These procedures largely deal with the relative timing of actuation of various systems which may be called upon. There are no branching probabilities associated with the successful completion of these procedures. Rather, these procedures are utilized to question the successful operation of necessary systems at various times, where the probability of failure of these systems was described in Section 4.1. It should be noted that the procedures included in the ADAPT model are a small fraction of the actual emergency procedures available to operators; the procedures in this section were selected based on their relevance to an SBO scenario. Furthermore, emergency procedures typically include a large number of steps; the procedures in this analysis were simplified to only include steps which had direct meaning in this problem. In order to determine the relative timing of various steps in the procedure, the study in [10] assumed approximately 90 s were required for the completion of each step. Using this assumption, the relative timing of actuation of various systems was determined. The procedures in this section were taken from Westinghouse Emergency Operating Procedures. Section describes procedure ECA-0-0, which calls for cooldown of the primary system. Section describes procedure ECA-0-1, which follows the successful implementation of ECA-0-0 and directs the operators to further cool down and depressurize the primary system so that SI and charging pumps may be utilized.

141 Following completion of procedure ECA-0-0, if the primary system is in a state in which SI pumps can be utilized, procedure ECA-0-2 is implemented instead of ECA-0-1; procedure ECA-0-2 is described in Section Section describes the procedures utilized to switch ECCS from injection mode to recirculation mode.

ECA-0-0

Procedure ECA-0-0 directs the operators to prepare the plant for the recovery of AC power by activating AFW, cooling down the primary system, and attempting to restore diesel generators. This procedure is entered when AC power is initially lost. The full procedure contains 31 steps, but only a few are directly relevant to this analysis: activation of SW and CCW, actuation of TDAFW, and depressurization of intact steam generators (i.e. steam generators with AFW available). Following the transient, the operators first attempt to recover SW and CCW. Step 4 in ECA-0-0 then requires the operators to attempt to recover AFW at the nominal flow rate; because no AC power is available, only TDAFW is questioned in this analysis. Under the assumption in [10] that each step requires 90 s to complete, step 4 is questioned 360 s after the transient. Step 4 also allows operators to increase the flow rate from the nominal value of 340 gpm to the maximum of 900 gpm if the level in the steam generator drops below 8%. Step 20 of this procedure calls for the depressurization of the steam generators and cooldown of the primary system to specified levels. This step continues until the set points are met, or until power is recovered. If power is recovered, depressurization is halted and the operators then must assess the state of the system to determine if procedure ECA-0-1 (SI

142 not required) or procedure ECA-0-2 (SI required) should be entered. The steps in procedure ECA-0-0 required prior to power recovery and their relative timings as implemented in the ADAPT model are shown in Table For post-power recovery, the steps in this procedure and their relative timings are shown in Table

Table 4.11: Steps in procedure ECA-0-0 implemented in the ADAPT model prior to power recovery.

Step Time After Transient (s) Description Notes 1 5 Activate SW and CCW Activate TDAFW Initially use nominal flow; increase to max flow if steam generator level becomes < 8% If TDAFW successful, continue until: Cold leg Depressurize steam temperature < 320 °F generators, cooldown OR primary system Steam generator pressure < 250 psig

Table 4.12: Steps in procedure ECA-0-0 implemented in ADAPT model following power recovery.

Step Time After Power Recovery (s) 28 0 Description Stop steam generator depressurization - 5 Activate SW and CCW Choose recovery procedure Notes - Only in previously unrecovered Choose ECA-0-2 if: 1. Primary subcooling < 25 °F 2. Pressurizer level < 14% 3. SI signal

143 ECA-0-1

Following the completion of procedure ECA-0-0, if no SI signal is active and if the primary system subcooling and pressurizer level are above the required levels, then procedure ECA-0-1 is entered. This procedure calls for the activation of a charging pump and cooldown and depressurization of the primary system following power recovery. As in procedure ECA-0-0, it is assumed that each step in this procedure requires 90 s to complete. Procedure ECA-0-1 contains 35 steps, but as with ECA-0-0, only steps relevant to the DET analysis will be modeled and described here. In this procedure, operators will first attempt to start the charging pumps. If recovery of TDAFW was unsuccessful in ECA-0-0, then the operators will attempt to recover MDAFW. If activation of TDAFW is unsuccessful, the operators will implement the feed and bleed procedure. If activation of a charging pump early in this procedure was unsuccessful, then the operators attempt to cool down the primary system if the core exit temperature is above 565 °F. If cooldown is not required, or once the cooldown step has been completed, then the operators will depressurize the primary system by opening a pressurizer PORV and activating the SI pump. The depressurization is only performed if the pressurizer level is above 50% and if primary system pressure is greater than 1500 psig. The PORV will be closed and SI pump deactivated once the target primary system pressure has been achieved. During the ECA-0-1 procedure, if the operators receive an SI signal, or if primary system subcooling drops below 25 °F, then the procedure will be halted and procedure ECA-0-2 will be entered. The relative timing and steps implemented in the ADAPT model of procedure ECA-0-1 are shown in Table

Table 4.13: Steps in procedure ECA-0-1 implemented in ADAPT model.
Step Time After Procedure Entered (s) Description Notes Start charging pump Activate MDAFW - Immediately after step Immediately after step 14 Immediately after step 14 or 15 If AFW unavailable, start feed and bleed Feed and bleed - Check if primary cooldown necessary Cooldown primary Depressurize primary 1. If step 8 successful, no more action required 2. If core exit temperature > 565 F, perform step If core exit temperature < 565 F, perform step 16 Depressurize steam generators until core exit temperature < 565 F THEN If pressurizer level < 50%, perform step 16 Open pressurizer PORV, activate SI pump until primary pressure between 1400 and 1500 psig

ECA-0-2

Procedure ECA-0-2 calls for the activation of various emergency core cooling pumps and the activation of containment cooling systems if safety injection is available. This procedure is entered directly following ECA-0-0 if primary subcooling is less than 25 F and if the pressurizer level is less than 14%. This procedure contains only 10 steps, but not all are included in the ADAPT model as they are not all relevant. As with the preceding procedures, it is assumed that each step requires 90 s to complete; this duration is used to directly compute the time at which various systems may be called upon as per

the procedure. The first step of this procedure included in the probabilistic model is step 5, in which operators make the RHR and SI pumps and fan coolers available. Note that this does not imply that these systems are activated at this time; they are now available to be questioned when their respective set points are achieved. The operators then attempt to actuate the charging pumps and MDAFW, if it is necessary. The last step of interest in this procedure is related to fan coolers, which will be made available late in the procedure and will then be able to actuate if their pressure setpoint is achieved. The steps of procedure ECA-0-2 which are included in the ADAPT model, and their relative timing, are shown in Table

Table 4.14: Steps in procedure ECA-0-2 as implemented in ADAPT model.
Step Time After Procedure Entered (s) Description Allow activation of RHR pump, SI pump, fan coolers Activate charging pump Notes Systems will actuate if respective set points are achieved Activate MDAFW Allow activation of containment sprays System will actuate once setpoint is achieved

Switchover to Recirculation Mode

This section describes the steps considered in the ADAPT model regarding the switchover from injection mode to recirculation mode. The analysis in [10] utilized data from [102] and [103] to develop and implement this procedure in the ADAPT model. This procedure is entered when the RWST inventory reaches a volume of 100,000 gal

and a low-level alarm is tripped. During the switchover, the RHR pumps are halted if they were previously running. Several steps are taken to switch suction from the RWST to the sump. A restart of the RHR pumps in low-head recirculation mode is then attempted. If the low pressure system fails at this point, then it is assumed the high pressure systems fail also. If low-head recirculation is successful, then actuation of the charging and SI pumps is attempted after their suction has been switched from the RWST to the containment sump. The last steps in the procedure are related to stopping and restarting the containment sprays. If the spray pumps were running at the time the RWST low-level alarm was received, they must be halted, suction must be switched to the sump, and they must be restarted in recirculation mode. The steps and their relative timings for the switchover procedure are shown in Table Similar to the other procedures in this section, branching is dependent upon the success or failure of each system, where their respective branching probabilities were described in Section 4.1.

Table 4.15: Steps in recirculation switchover procedure as implemented in ADAPT model.
Time After Step Alarm (s) Description Halt RHR pump if previously running Reactivate RHR pump Activate charging and SI pumps Halt containment sprays if previously running Reactivate containment sprays Notes - Low pressure system High pressure system

4.3. Passive Components and Severe Accident Phenomenology

This section describes the probabilistic model used to treat the failure of passive components and severe accident phenomenology. Section describes the modeling of accumulator check valve failure. Section describes the treatment of creep rupture of major RCS components. Thermally-induced failure of reactor coolant pump seals is discussed in Section The power recovery times questioned in the dynamic analysis are described in Section Section discusses the treatment of combustible gas ignition, and lastly, Section describes the containment failure fragility curve used in this analysis.

Accumulators

As accumulators are a passive safety feature that provides cooling water to the primary system during accident conditions, the failure of the accumulators themselves is not considered. Rather, failure of the check valves connecting the accumulator tank to the primary system, which are considered passive components, is considered. The accumulators (one on the pressurizer loop and one on the triple loop, which represents three accumulators) are questioned when the primary system reaches its setpoint of 675 psia. In the ADAPT model, only two states are possible for each loop: success of the accumulator upon demand or failure of the accumulator upon demand. The analysis in [10] utilized data from [98] to determine the failure of one accumulator on demand as 1.20E-3; the probability of failure of the three accumulators on the triple loop then is

1.70E-9. The branching probabilities for the possible states in the ADAPT model are shown in Table

Table 4.16: Branch probabilities for accumulator failure states in ADAPT model.
State Failure of pressurizer loop accumulator Success of pressurizer loop accumulator Failure of triple loop accumulator Success of triple loop accumulator Probability 1.20E E E E

Creep Rupture of RCS Components

During a severe accident, there is the potential for several primary system components to fail as the result of extreme thermal stress. As the core degrades and the scenario progresses without mitigation, hot gases begin to circulate in the primary system. These gases introduce a thermal load on RCS components which in turn begins to degrade them and eventually cause failure in these components. Typically, creep rupture is modeled using correlations based on experimental data, but significant uncertainty regarding the lifetime of a component when subjected to various stresses still exists.

For this analysis, the creep rupture model developed in the analysis by Metzroth in [10] is directly utilized. In the Metzroth analysis, an algorithm for calculating the probability of component failure as a function of variable stress and temperature was developed which included treatment of the failure of the hot leg, hot leg nozzle, pressurizer surge line and steam generator tubes. The algorithm is based on the Larson-Miller correlation, which treats creep as an Arrhenius process and is typically used to

predict component lifetime for a given material under a constant stress. The algorithm developed by Metzroth also utilized experimental data to treat the relative uncertainty in component lifetime for various materials at variable stresses. Throughout a simulation, this algorithm tracks an accumulated lifetime fraction for a given lifetime distribution, where the lifetime fraction is a surrogate for the accumulated creep stress on a component. When this fraction reaches a limit of one, it is assumed the component fails. The lifetime fraction for various percentiles in the lifetime distribution is tracked, and when the lifetime fraction for a given percentile reaches unity, the code will branch. For example, if branching is considered at 5%, 50% and 90%, the first branching event will occur when the lifetime fraction for the 5th percentile reaches one. On the branch with no component failure, the scenario will continue until the lifetime fraction for the 50th percentile reaches unity; at this point the code will branch again, and the simulations will continue.

This algorithm is used to question failure of the surge line and hot leg at the one-tenth, 25th, 50th, 75th and 99.9th percentiles. For hot leg nozzle creep, branching is considered at the 1st, 50th and 99th percentiles. For creep rupture of steam generator tubes, the tubes are represented by two groups to simulate gas stratification during an SBO scenario, and their creep stresses are tracked separately. Creep in the steam generator tubes is questioned at the one-tenth, 1st, 10th, 50th, 90th, 99th and 99.9th percentiles.

Reactor Coolant Pump Seal Failures

During an SBO accident scenario, if SW and CCW are not recovered, there is the possibility that the reactor coolant pump (RCP) seals will fail and create a leakage pathway from the primary system. For a Westinghouse PWR, the pumps utilized include a three-stage seal system in which some nominal leakage is typically present. If cooling to the pump seals is lost, the various seal stages will fail by different modes and allow for significant leakage from the primary. The analysis by Metzroth [10] expended considerable effort to address the uncertainty in seal failure and implement it within a dynamic model; the model developed by Metzroth will be used directly in this analysis.

Metzroth considered failure of pump seals by binding and popping, and also considered the failure of O-rings by blowout in the seal packages themselves. Similar to the creep rupture analysis, an algorithm which tracks the stress on the O-rings and determines a probability of failure dependent on these stresses was implemented in the ADAPT model. Seal failure by binding and popping was assumed to be dependent on the time at which SW and CCW were lost; these probabilities are based on the expert elicitation supporting NUREG The binding and popping failure branch probabilities are shown in Table The O-ring blowout failure model utilizes experimental data in addition to the supporting documentation of NUREG-1150 to determine the probability of failure. Similar to the creep analysis, the lifetime distribution for an O-ring is used as branching criteria in the ADAPT model, where failure of O-rings is considered in both loops and for two seal rings. O-ring blowout failure is questioned at the 5th, 50th and 95th percentiles.

Table 4.17: Branch probabilities for pump seal LOCA by binding and popping failure modes.
State No failures Failure of ring 2 in both loops Failure of both rings in both loops Failure of ring 1 and 2 in pressurizer loop and failure of ring 2 in triple loop Probability 8.11E E E E

Power Recovery

The primary objective of the analyses presented in Section 7.3 is to address severe accident phenomena, such as combustion events, following the recovery of offsite power late in the accident scenario. It is recognized that while offsite power recovery can lead to positive outcomes, such as the prevention of containment overpressurization, the activation of containment cooling systems following power recovery could lead to conditions in containment favorable for a deflagration.

In this analysis, data from NUREG/CR-6890 [104] were used to characterize power recovery time following a loss of offsite power event. In that report, the power recovery curve was shown to be well represented by a lognormal distribution. Because data were only provided out to 24 hr, the data were fit to a lognormal distribution to assess the probability of power recovery beyond 24 hours for the purpose of this study. Durations for a LOSP were provided for four categories for both critical operation and shutdown modes: plant centered, switchyard centered, weather related and grid related. From the LOSP duration data provided in NUREG/CR-6890, a composite curve of the nonexceedance probability for critical operation was constructed for use in this analysis. The

composite curve is a frequency-weighted average of the four individual categories, where the frequencies of each category were provided in NUREG/CR In our DET analysis, several times for LOSP duration and their associated probabilities are utilized as surrogates for branching points in the power recovery time branching class. The branching times at which power recovery is questioned and their associated probabilities are shown in Table These power recovery times were selected based on the results of the scoping studies completed in Section 7.1.

Table 4.18: Branching times at which power recovery is questioned and their associated probabilities.
Time Questioned (hr) Probability of Recovery E E E E E E E E

Combustible Gas Ignition

During a severe accident, hydrogen is generated in-vessel from the oxidation of zirconium cladding. Typically, the hydrogen generated from in-vessel progression is insufficient to fail a large, dry PWR containment if burned [105]. However, the additional generation of hydrogen and carbon monoxide from CCI can generate sufficient gas to fail containment with some non-negligible probability when burned [105]. When the probability of hydrogen deflagration is assessed in most studies, it is assumed that an ignition source of sufficient energy exists whenever the deflagration limit is exceeded

[5]. In reality, ignition of a combustible gas mixture depends on the availability of an ignition source and the energy level of the source. In containment it is assumed that following power recovery, operation of various components will generate sparks at some frequency of some energy level, providing an energy source for ignition. To calculate the probability of a combustion event, it is not only necessary to quantify if the gas mixture is in a favorable regime for ignition, but also the likelihood that a spark of sufficient energy exists.

In this analysis, combustion is prohibited when the gas mixture has too high a concentration of the diluents steam and carbon dioxide. If the atmosphere is not inerted by diluents, it must also be able to support an upwardly propagating flame for a burn to be initiated. Le Chatelier's formula [74] was utilized to determine the ECMF as per Equation 2.4. For hydrogen and carbon monoxide, the upward propagation limits are 4% and 12.5%, respectively. Because the upward propagation limits are used in this model, combustion can be initiated over a wide range of concentrations, including lean mixtures.

In addition to the requirements regarding the properties of the gas mixture itself, a limit regarding the interval of burns is also utilized. Because conditions in the containment change slowly relative to the MELCOR timestep, it is not necessary to assess whether a combustible gas explosion is initiated at every timestep. In this analysis, a time interval of two hours has been used to consider the possibility of ignition of a combustible gas explosion starting with the time of lower head failure. This imposition on ignition intervals was necessary due to ADAPT's branching methodology. For a single branching class, ADAPT only considers state variables in the branching rules

sequentially. For example, considering the containment fragility curve in Figure 2.9, and assuming the red dots are the branching criteria, ADAPT will first stop the simulator when containment pressure reaches 0.51 MPa. The simulator is relaunched with the appropriate branches, and ADAPT will then stop the simulator again when the second point, 0.79 MPa, is reached. If for any reason containment pressure were to drop below 0.51 MPa after the first branch and then increase again to the limit in point one of 0.51 MPa, branching will not occur. In order to allow combustion events at varying ECMFs (e.g. a first branch at 1.5, a second branch at 1.0), it was necessary to force branching to occur at specific time intervals rather than at a specific property of the flammability of a mixture. Using this methodology, it is possible to have a very energetic combustion event followed by a less energetic event in a single scenario, which is certainly possible. During the DET model execution, a dummy probability is assigned to branches with combustion events, and the probability of branching at each point is then calculated in post-analysis, as described in Chapter

Containment Failure

For a large, dry containment, the likelihood of different containment failure modes depends on the pressure at which failure occurs (e.g. failure by leak is more likely to occur at relatively low pressures, but a catastrophic rupture is more likely to occur at a high pressure). To this end, the containment failure modes of leak, rupture and catastrophic rupture are considered in this analysis. This failure mode was developed during the analysis in [10], and is utilized directly in this work.

Discrete probability distributions describing the conditional probability of containment failure by various modes were developed based on the expert elicitation in the supporting reports for NUREG-1150 [64]. Probabilities from the elicitation were implemented in ADAPT such that at each failure pressure of interest, it is possible for the DET to contain branches for failure by leak, rupture, catastrophic rupture and no failure, where the probability of each branch is conditional on the total probability of failure. The branching probabilities for each failure mode are shown in Table

Table 4.19: Branching probabilities as a function of containment pressure for the various containment failure modes considered in the dynamic model.
Pressure (MPa) Non-Failure Probability Total Failure Probability Conditional Leak Probability Conditional Rupture Probability Conditional Catastrophic Rupture Probability E E E0 0.00E0 0.00E E E E E E E E E E E E E E E E E E E E E E E E E E E0 1.00E0 5.00E E E0

Chapter 5: Approach for Analysis of Likelihood of Combustible Gas Ignition

In a severe accident, there is the potential for significant amounts of combustible gases to be generated ex-vessel from CCI [105]. If this gas is burned, a large pressure spike may be produced which has the potential to fail containment. In most studies, such as the SOARCA analysis [5], it is assumed that combustible gases will ignite once they achieve their minimum deflagration limits. The studies in [10] and [96] attempted to treat uncertainties associated with combustion events by considering the uncertainty in the minimum deflagration limits. As discussed in Section , the ignition of combustible gases is highly dependent on the ignition source itself in addition to properties of the mixture. In this analysis, a methodology for consideration of the ignition source is developed and demonstrated within a dynamic framework. Section 5.1 discusses the assumptions used regarding the minimum ignition energy (MIE). Section 5.2 describes the characterization of sparks in containment, and Section 5.3 describes the probabilistic treatment of ignition.

Consideration of Minimum Ignition Energy

There are considerable data relating MIE to the concentration of hydrogen mixed with various diluents [77] [106]. However, there is virtually no information regarding

the ignition energy of carbon monoxide mixed with hydrogen. Because of this lack of data, carbon monoxide is treated as equivalent hydrogen, using the ECMF relationship in Equation 2.4 to determine the ignition limit. This assumption is not insignificant since carbon monoxide is generated in significant quantities during CCI and therefore is a large contributor to the combustion event; consideration of the combustion characteristics of carbon monoxide could affect the energetics of the combustion event. A study by Karim, et al. [107] investigated the flammability of hydrogen in lean concentrations mixed with various fuels and diluents. This study showed that Le Chatelier's formula predicts lean flammability limits fairly well when compared with experimental results.

In light of the lack of data regarding the MIE of H2-CO mixtures, this analysis will treat the MIE as a function of the diluent concentration by treating CO as if it were effectively H2. Literature and experimental data do currently exist regarding the MIE for hydrogen gas as a function of the concentration of diluents. It should be noted that even though the direct dependency of MIE on carbon monoxide is removed through this treatment, the concentration of carbon monoxide still inherently affects the MIE. A study by Zhang, et al. [79] relates the MIE of hydrogen to the concentration of diluents argon, nitrogen, helium and carbon dioxide. Diluents in containment are typically considered to be either steam or carbon dioxide, where steam typically exists in containment in significantly higher quantities relative to carbon monoxide. Even though it is expected that the primary diluent in containment will be steam, the MIE as a function of carbon dioxide relationship developed in [79] will be utilized for this analysis, as MELCOR

assumes a single ignition limit for diluent concentration in which the sum of the concentrations of steam and carbon dioxide is utilized. The MIE as a function of carbon dioxide relationship developed by Zhang, et al. is shown in Figure 5.1. In this analysis, the curve in Figure 5.1 was implemented using a piecewise function: for diluent concentrations less than 30%, the MIE is assumed to be 0.1 mJ; for diluent concentrations between 30% and 40%, the MIE is 0.11 mJ; for diluent concentrations between 50% and 55%, the MIE is 100 mJ; and for diluent concentrations between 40% and 50%, the MIE is approximated as a 6th order polynomial. It is assumed that for diluent concentrations above 55%, ignition cannot occur, where 55% is typically considered the maximum diluent concentration for a flammable mixture.

Figure 5.1: Minimum ignition energy as a function of diluent (carbon dioxide) concentration [79]. (Axes: Minimum Ignition Energy (mJ) versus Diluent Concentration.)

5.2. Spark Energy and Frequency

To consider the availability of an ignition source of adequate energy (i.e. above the MIE), the frequency of sparks and their energy level must be analyzed. As discussed in Section , very little information regarding the frequency of sparks and their energy emitted from equipment in a PWR containment currently exists. In reality, an accurate analysis of this would likely need to be performed on a plant by plant basis, as the specific type and performance (affected by wear and age) of equipment can vary greatly. The study by Swain, et al. [81] tested some common equipment (see Table 2.2) to determine whether sparks from that equipment could ignite lean mixtures of hydrogen. The results of that study showed that common equipment probably emitted sparks exceeding 10 mJ since they were able to ignite lean hydrogen mixtures, and it is anticipated that equipment at a nuclear power plant is capable of emitting sparks of a significantly higher energy if energized. For these reasons, this analysis will consider sparks ranging from 0.1 mJ to 100 mJ.

Similar to the availability of data regarding the energy of sparks emitted from equipment in a PWR containment, data regarding the frequency of sparks emitted from large, powered equipment such as industrial grade pumps are scarce. To characterize the frequency of sparks, it is assumed that low energy sparks will occur more frequently than high energy sparks. To that end, it is assumed that the recurrence frequency of small sparks of 0.1 mJ is on the order of 1 per second and the recurrence frequency of large sparks of 100 mJ is on the order of 1 per hour. There is no empirical basis for this assumption. Assuming that one knows the MIE for a given composition of the

containment atmosphere, this recurrence function can then be used to assess the probability that ignition would occur over a given time interval. The following form is assumed for the demonstration of how a recurrence function would be applied:

( ) G E E ae * b > = (5.1)

where G(E>E*) is the frequency of sparks of a given MIE E* or greater per second. If the value of the recurrence function is assumed to be 1 sec^-1 at 0.1 mJ and 1/3600 sec^-1 at 100 mJ, then a = and b = This recurrence relationship will be used to assess the probability of ignition over an interval of time.

Probability of Ignition

Given a state of the containment atmosphere, if a spark is emitted by a piece of equipment, it is assumed that if the energy of the spark exceeds the minimum ignition criterion a combustion event will occur. From the earlier discussion in Section 2.2.7, it is recognized that the question of ignition is not as simple as just comparing the spark energy with a MIE criterion. Nevertheless, for the purposes of this analysis, it is assumed that minimum ignition energy is indeed the determining criterion or serves as an adequate surrogate for the more complex determinant. Of course the concern is not for a single spark, which results in some probability of a combustion event, but for a series, or cumulative number, of sparks. Thus, the probability of ignition per spark could be very

small but over a given time period the probability of ignition over an interval could be large depending on the frequency of sparks. In light of this, assuming the spark frequency is constant and that ignition is a stochastic, memoryless process which can be described by an exponential distribution, the probability $P_{NI}$ of non-ignition over interval $t$ can be assessed from

$P_{NI}(t) = e^{-G(E>E^*)\,t}$ (5.2)

where G(E>E*) is the frequency of sparks for a given MIE from Equation 5.1. It follows then that the probability of ignition over time interval $t$ is

$P_{I}(t) = 1 - e^{-G(E>E^*)\,t}$ (5.3)

where $P_I$ is the probability of ignition and G(E>E*) is again the frequency of sparks for a given MIE as per Equation 5.1. Using the methodology described in this section, the probability of ignition can be assessed using Equation 5.2 (or Equation 5.3 in the case of non-ignition) which considers conditions in containment at the time of branching (e.g. fuel/diluent concentration), the energy required to ignite the given gas mixture and the frequency of the sparks (Equation 5.1).

Chapter 6: Approach to Cumulative Distribution Function Refinement

This chapter discusses an approach for the refinement of branching conditions conventionally used in DETs [10] [96]. This chapter largely focuses on branching as it relates to containment fragility curves (a CDF describing the likelihood of failure dependent on the stresses imposed on containment, where pressure is typically used as a surrogate for stress), but this approach can be utilized for any distribution utilized to control branching. Section 6.1 discusses the motivation for refining a fragility curve and provides some simple examples. Section 6.2 then describes a methodology which can be applied to perform the rediscretization.

Motivation

In previous work [10] [96], fragility curves have been used in DETs to determine the conditions under which the execution of a code would be halted and branching would occur. The discrete values of probability selected from the curves at which branching ensues are used in the assessment of the probabilities assigned to the resulting branches, as described in Section For many of the systems and components described in Section 4.1, branching tends to be binary, i.e. the daughter branches produced contain either a success state or failed state.

One of the advantages of the ADAPT methodology (see Section ) is that, if additional information indicates the need for modification of a fragility curve, it is not necessary to rerun the cases that have previously been performed. Instead, it is necessary to only redefine the probabilities associated with the existing branches and end states of the tree, and execute new branches produced from the refinement of the CDF as necessary.

Sensitivity studies have been performed on the nodalization of fragility curves [10] to determine how finely the fragility curve must be divided to achieve a goal value of accuracy. However, the answer is clearly problem dependent, and the region requiring refinement (e.g. in the low probability region versus the high probability region) may vary. The computational penalty for too finely nodalizing the fragility curve is extremely large with regard to runtime and data storage. If a fine nodalization is used, a large number of scenarios would be generated in the DET analysis, many of which would provide no insight probabilistically or with regard to accident progression. Thus, a process of sequential refinement is of high value not only in minimizing the computational cost of the analysis (e.g. runtime, dataset size) but also in obtaining a quantitative assessment of the magnitude of the nodalization error.

In the initial applications of DETs at The Ohio State University [10] [96] and in this work, branching occurs at selected points on the CDF associated with a physical state, such as pressure, hydrogen concentration, or creep rupture parameter. For example, if the state variable is pressure, when the pressure reaches that value, the simulator stops and then restarts with two daughter scenarios: one for which the event did not occur and

one for which the event did occur. The probability of the branch in which the event did occur is multiplied by the difference in probability between that value of the state variable and the value of the probability of the previous branching point, Δp. Since the total probability of the daughters of the branching point must add to unity, the probability of the scenario in which the event did not occur is multiplied by 1 - Δp. For example, consider the curve in Figure 6.1, where the red points indicate the value of the state variable which causes branching. For the second point on the curve corresponding to branching at 0.8 MPa, the cumulative failure probability at this point is 7E-2. For the third point corresponding to branching at 1.0 MPa, the cumulative probability is 4.0E-1. It follows that the probability of a branch generated by branching at 1.0 MPa would be 4.0E-1 - 7.0E-2 = 3.3E-1. This value is assumed to be representative of the probability of failure for pressures between 0.8 MPa and 1.0 MPa; that is, 3.3E-1 can be thought of as the probability of that bin, where the endpoints are defined by 0.8 MPa and 1.0 MPa. Note that if the pressure meets and then exceeds 0.8 MPa, but does not achieve 1.0 MPa, another branch is not initiated after the branch incurred at 0.8 MPa.

Rather than branching at the end point of an interval, it will, in general, provide a more accurate solution to branch at the midpoint of a probability interval since the midpoint pressure is more characteristic of conditions in that interval than the endpoint pressure. Thus for the example in Figure 6.1, a better solution is achieved if branching occurs at the midpoint of an interval rather than at an endpoint of an interval, which has been historically done using the ADAPT code [10] [96].

Figure 6.1: Example of fragility curve using endpoints of bins to characterize the probability of failure.

Two simple examples are shown here to examine the effect of using the endpoint versus midpoint to represent the bin. For the first example, consider a scenario in which pressure increases linearly with time (Figure 6.2) and the fragility curve which is linear from P_min to P_max (Figure 6.3). Assume that the CDF is discretized into four bins (or intervals), where the probability of that bin is associated with the endpoints of the bin, and each bin is designated by a solid line. In this equally discretized, four-bin example, the probability of each bin is 1.0/4 = 0.25 (the cumulative probability of unity divided by the number of bins), and the state space described by the probability of each bin is defined by the endpoints of the bin. Assume branching occurs at the right-most endpoints of each bin (solid vertical lines in Figure 6.3). If containment pressure rises to the maximum value indicated by the right-most endpoint of the bin (i.e. solid vertical

line), then branching occurs and the probability of that bin is captured in the analysis. However, if the pressure does not rise to the maximum value on the CDF for that bin, then branching does not occur and the potential risk contribution for that bin is not captured, even though pressure may have risen to 99% of the maximum value. If instead the midpoint of the bin (with regard to state space) is utilized, then the probability of that bin, where its probability is still 0.25, is captured in the analysis. Using the midpoint of a bin is similar to averaging the state values in that bin. It should be noted however that for most fragility curves, their behavior is not strictly linear, and more complicated averaging techniques, such as computing the expected value of each bin, could be employed to capture the actual mean value.

Figure 6.2: Simplistic example of linearly increasing pressure.

Figure 6.3: Simplistic CDF of failure pressure, where the domain values correspond to bin numbers.

Furthermore in this first example, assume that containment failure leads to a consequence, denoted by C(t), that is independent of the time of containment failure; in this case, C(t) = C_0. If the consequence is independent of time of containment failure and the pressure increases to the maximum pressure on the fragility curve, then the resulting risk is independent of the choice of endpoint or midpoint. However, if the pressure rise stops at a value less than the maximum of the fragility curve (e.g. the pressure increases to some fraction of the next specified branching pressure), then the endpoint consequence approach will underestimate the risk (defined as a consequence multiplied by its probability), potentially by as much as 25% for a CDF discretized into four equal bins. The alternative midpoint approach would either underestimate or overestimate the risk by 12.5%, dependent on whether or not the midpoint branching criterion was met.

Next, consider the case where consequences decrease linearly with time from C_max at time zero to zero at time t_max. The hypothetical consequences as a function of the end state are shown in Table 6.1. In this table, the consequences are calculated by assuming that there is a 25% reduction in C_max for each end state, and that the reduction increases linearly with each end state, e.g. the consequence of end state 1 is 75%C_max (a 25% reduction), while the consequence of end state 3 is 25%C_max (a 75% reduction). The risk of each end state in Table 6.1 is then calculated as the probability of the end state times its consequence; for example, the endpoint risk of end state 1 is 0.25*0.75C_max = C_max. If the consequences decrease linearly from a maximum value of C_max at time zero to zero at time t_max, then the true mean value of the risk is 0.5C_max. If the endpoint consequences are used to calculate the expected risk, the resulting value is ( )C_max = 0.375C_max. Using the midpoint consequences, the expected risk is the same as the true value of 0.5C_max, which is computed by again summing the risk over all bins for the midpoint approximation.

Table 6.1: Consequences and risks using endpoint and midpoint bin approximations of a CDF for linearly decreasing consequences.

End Consequence Risk Probability State Endpoint Midpoint Endpoint Midpoint C_max 0.875C_max C_max C_max C_max 0.625C_max 0.125C_max C_max C_max 0.375C_max C_max C_max C_max = C_max 0C_max = C_max Expected Risk: 0.375C_max 0.5C_max

As a second example, assume the consequences decrease exponentially as a function of time, as described by:

$$C(t) = e^{-\lambda t} \qquad (6.1)$$

where λ is the decay constant, and C(t=0) is equal to C_max and C(t_max) is zero. By integrating Equation 6.1 over time, the true risk can be obtained by multiplying the integral of the consequence times the probability. If the expected risk is calculated again using the endpoint and midpoint approximations, the endpoint approximation will underestimate the risk, where the percent difference between the endpoint risk and true risk increases with increasing λ. For example, the percent difference for λ = 1 is 100*(( )/0.632)*C_max = -12%, while for λ = 2, the percent difference is -23%. The midpoint estimation of risk produces results closer to that of the true risk. The expected risk using the endpoint and midpoint estimations for varying values of λ are shown in Table 6.2, as well as the exact expected risk, as calculated by integrating Equation 6.1. For these results, it was again assumed the CDF was discretized into four bins, each with equal probability. The risk was again calculated as the product of each bin's probability and consequence (i.e. R_i = P_i*C_i, where i indicates the bin or end state), and the risk of each bin was summed to find the expected total risk (e.g. R = Σ_i R_i).

Table 6.2: Expected risk results for the exact solution, endpoint approximation and midpoint approximation of a CDF for exponentially decreasing consequences.

λ Exact Endpoint Midpoint C_max 0.556C_max 0.630C_max C_max 0.333C_max 0.423C_max C_max 0.143C_max 0.235C_max
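The endpoint and midpoint comparisons above (time-independent, linearly decreasing and exponentially decreasing consequences) can be checked numerically. The Python sketch below is an added illustration, not code from the dissertation or from ADAPT; it assumes time normalized to [0, 1], a linear fragility CDF, consequences in units of C_max, and hypothetical function names, and it generalizes the four-bin case to any number n of equal bins.

```python
"""Endpoint vs. midpoint representation of equal-probability fragility bins.

Assumptions (added for this example): time is normalized to [0, 1], pressure
rises linearly and the fragility CDF is linear, so the cumulative failure
probability reached at time t equals t; consequences are in units of C_max.
"""
import math


def make_bins(n):
    """Return n equal-probability bins as (lower, upper) CDF bounds."""
    return [(i / n, (i + 1) / n) for i in range(n)]


def branch_point(lo, hi, rule):
    """CDF value at which the event tree branches for the bin (lo, hi)."""
    if rule == "endpoint":
        return hi
    if rule == "midpoint":
        return (lo + hi) / 2.0
    raise ValueError("rule must be 'endpoint' or 'midpoint'")


def expected_risk(consequence, n=4, rule="endpoint", reached=1.0):
    """Sum R_i = P_i * C_i over the bins whose branching point is reached.

    'reached' is the largest CDF value the transient attains; a bin whose
    branching point lies above it never branches and contributes nothing.
    """
    total = 0.0
    for lo, hi in make_bins(n):
        b = branch_point(lo, hi, rule)
        if b <= reached + 1e-12:
            total += (hi - lo) * consequence(b)
    return total


def exact_risk(consequence, reached=1.0, steps=20000):
    """Reference value: integral of C dP from 0 to 'reached' (fine midpoint sum)."""
    h = reached / steps
    return sum(consequence((k + 0.5) * h) for k in range(steps)) * h


def constant(t):
    """Time-independent consequence, C(t) = C_0 = 1."""
    return 1.0


def linear(t):
    """Consequence falling linearly from 1 at t = 0 to 0 at t = 1."""
    return 1.0 - t


def exponential(lam):
    """Consequence exp(-lam * t), the form of Equation 6.1."""
    return lambda t: math.exp(-lam * t)


def worst_case_error(rule, n=4, grid=1000):
    """Largest |approximate - exact| risk for a time-independent consequence
    when the pressure rise may stop anywhere on the curve (exact = reached)."""
    worst = 0.0
    for k in range(grid + 1):
        r = k / grid
        worst = max(worst, abs(expected_risk(constant, n, rule, r) - r))
    return worst


if __name__ == "__main__":
    cases = [("linear", linear), ("exp, lambda=1", exponential(1.0)),
             ("exp, lambda=2", exponential(2.0))]
    for name, c in cases:
        print("%-14s exact %.3f  endpoint %.3f  midpoint %.3f" % (
            name, exact_risk(c),
            expected_risk(c, rule="endpoint"),
            expected_risk(c, rule="midpoint")))
    for rule in ("endpoint", "midpoint"):
        print("worst truncation error, %s: %.3f" % (rule, worst_case_error(rule)))
```

Raising n from 4 to 12 in the calls shows how quickly both approximations close on the exact value when each bin is split into three.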

6.2. Sequential Discretization Technique

A simple and consistent approach to the sequential refinement of a fragility curve is presented in this section. In this approach, an interval, or bin, on the fragility curve is subdivided into three subintervals of equal size. In this case, the probability associated with a scenario which branched in this interval is reduced by a factor of 3. If b_i corresponds to the selected value on the CDF that represents the upper boundary of probability interval i, and b_i-1 represents the lower boundary for the initial discretization of the CDF, then the following β_ij represent the boundary for the more finely discretized CDF:

$$\beta_{i1} = \frac{b_i - b_{i-1}}{3}, \qquad \beta_{i2} = \frac{2\,(b_i - b_{i-1})}{3}, \qquad \beta_{i3} = b_i \qquad (6.2)$$

If B(a) expresses the functional relationship of the CDF, then for the endpoint approximation technique, branching would occur at a_i = B^-1(b_i) for the initial discretization, where a represents the state variable of interest and b_i is the discrete probability taken from the CDF for i = 1, 2, 3. Branching for a refined discretization would occur at α_ij = B^-1(β_ij) for j = 1, 2, 3, where α_ij denotes the new state variable branching condition, and β_ij is the new discrete probability corresponding to the new state variable in the original bin i. For the midpoint approximation technique, branching would occur at a_i = B^-1((b_i + b_i-1)/2) in the initial discretization and at α_ij = B^-1((β_ij + β_(i-1)j)/2) for j = 1, 2, 3 for the refined discretization. Note that the middle interval branches at the same state space criterion as in the original DET (when using the midpoint approximation), but its probability is reduced by a factor of 3, and its corresponding probability on the CDF is reduced by a third.

Chapter 7: Results and Analyses

This chapter presents the results of sensitivity studies and DET analyses using the models discussed in Chapters 3, 4 and 5. Section 7.1 discusses the results of the gas generation scoping studies using the model in Chapter 3. Section 7.2 presents the results of the containment loading studies; these loading studies utilize the model in Chapter 3 and results from Section 7.1. Section 7.3 discusses the DET results obtained in this study using the system model in Chapter 3 and probabilistic model from Chapter 4. Lastly, Section 7.4 discusses the results of fragility curve refinement.

Combustible Gas Generation Sensitivity/Scoping Studies

The discussions in Section 2.2.7, Section and Section 2.3 introduced the phenomena of combustible gas generation and identified the associated uncertainties that could affect the potential for a gas explosion capable of resulting in containment failure. These uncertainties include enhanced clad oxidation resulting from reflooding a partially degraded core and the conditions in a flooded reactor cavity that could limit CO production. For this analysis, the gas generation studies were divided into in-vessel and ex-vessel analyses. Section discusses the results of in-vessel hydrogen generation studies. Section discusses the results of the ex-vessel gas generation studies and the
potential for explosive combustion sufficiently large to fail containment following deinerting of the containment with fan cooler or containment spray operation.

In-Vessel Hydrogen Generation

In the NUREG-1150 containment event tree, it is assumed that there is insufficient hydrogen produced in-vessel to result in an explosion of the magnitude to fail containment prior to the time of vessel failure. At the time of vessel failure, NUREG recognized the potential for the superposition of hydrogen combustion loads and direct containment heating leading to containment failure, if the vessel was pressurized at the time of lower head failure. Recognizing the apparent effect that reflooding of the core had on hydrogen production in the TMI-2 accident, this study explored different rates of water addition including some that would be insufficient to cool the core but would provide additional steam to feed clad oxidation. MELCOR calculations were performed in which a partially degraded core was reflooded at 2.5 hr, 3.4 hr, 5 hr and 8 hr using the model described in Section. Water injection rates matching 50% and 90% of the flow required to remove the existing decay heat were used for each injection time. Detailed descriptions of the cases studied and their results are shown in Table 7.1. The delayed injection times were chosen such that they corresponded to significant periods in core melt progression; in the reference case, 2.5 hr corresponds to the uncovery of the top of the fuel, 3.4 hr to the onset of clad failure, and 7 hr to the onset of lower head failure. In this subset of calculations, water was injected until simulation
termination at a problem time of 48 hr. A reference case in which no coolant was injected was also simulated.

Table 7.1: In-vessel hydrogen generation cases and their respective results.

Case Injection Existing Decay In-Vessel Hydrogen Time (hr) Heat Removal (%) Production (kg) Reference W W W W W W W W W

The water addition results in Table 7.1 indicate that reflooding a partially degraded core does not have a major effect on in-vessel hydrogen generation relative to the reference case. It was expected that reflooding with flow rates less than required to remove decay heat would increase in-vessel hydrogen production due to higher steam availability to support zirconium oxidation. However, reflooding the core at an injection rate equal to the flow required to remove 90% of the decay heat actually reduced the in-vessel hydrogen produced. Injecting water at a flow rate matching 50% of the decay heat had almost no effect on zirconium oxidation relative to levels observed in the reference case. Based on these results, there is no evidence that reflooding a degraded core would be likely to increase the amount of hydrogen produced in-vessel, and subsequently it is unlikely that sufficient hydrogen would be generated in-vessel to produce an energetic deflagration at the time of vessel failure.

These results should be treated with appropriate skepticism, however. It is important to recognize that the reflooding analyses used existing MELCOR models. There are substantial uncertainties associated with the characterization of the degraded core geometry and the reflooding of degraded debris that may not be adequately modeled. The message from the sensitivity studies may actually be that more model development work is required to better characterize reflooding of a degraded core.

Ex-Vessel Gas Generation

For an SBO event, the water vapor fraction in containment is typically sufficiently high to preclude combustion subsequent to vessel failure. If power is recovered prior to over-pressure failure or intentional venting of the containment, the operators will take some action to cool the containment and prevent over-pressure failure. As indicated by Khatib-Rahbar et al., under these conditions the potential for combustion-induced containment failure could be substantial [108]. To address the issue of de-inerting containment through containment cooling systems, the effects of the actuation of fan coolers and spray systems at various times in the accident were investigated. These methods of containment cooling also can affect core concrete attack and the associated generation of combustible gases ex-vessel by adding water to the reactor cavity and potentially arresting or limiting core-concrete attack by cooling the debris in the cavity.

The times at which the fan coolers were actuated in the study were selected based on correspondence to events significant to the accident progression in the reference case. Fan coolers are assumed to operate at 100% capacity until simulation termination
at a problem time of 48 hr. Two sets of spray actuation cases were performed: one with the standard RWST inventory of 350,000 gal of water and another with a spray source inventory of 1,000,000 gal of water. The matrix of cases analyzed in this study is shown in Table 7.2.

Table 7.2: Ex-vessel combustible gas generation sensitivity cases.

Case  Description
F1    Fan cooler activation at 3.25 hr
F2    Fan cooler activation at 7 hr
F3    Fan cooler activation at 10 hr
F4    Fan cooler activation at 15 hr
F5    Fan cooler activation at 24 hr
F6    Fan cooler activation at 35 hr
F7    Fan cooler activation at 40 hr
F8    Fan cooler activation at 45 hr
F9    Fan cooler activation at 18 hr
F10   Fan cooler activation at 21 hr
S1    Spray activation at 3.25 hr, 350,000 gal injected
S2    Spray activation at 10 hr, 350,000 gal injected
S3    Spray activation at 24 hr, 350,000 gal injected
S4    Spray activation at 3.25 hr, 1,000,000 gal injected
S5    Spray activation at 3.25 hr, 1,000,000 gal injected
S6    Spray activation at 3.25 hr, 1,000,000 gal injected

The results of containment cooling cases are shown in Table 7.3; it should be noted that the minimum deflagration limits (i.e. 10% and 16.7% for hydrogen and carbon monoxide, respectively) were used in the calculation of ECMF. The results confirm the expectation that late fan cooler actuation and prolonged containment spray can sufficiently deinert the containment to result in an energetic explosion. For the spray cases, the relative humidity of the containment remains high and whether or not deinerting occurs can depend on how much water is available to sustain injection. If a
sufficiently large volume of water is available for injection through containment sprays, the steam concentration can be reduced by the prolonged operation of sprays; for cases with a relatively small injection source, sprays do not operate long enough to de-inert containment, although they contribute to a decrease in the concentration of steam in containment by cooling the atmosphere. These results (Table 7.3) also indicate that the timing of fan cooler actuation is of critical importance, while for spray actuation, the magnitude of water injection is also of high significance.

In all containment cooling cases, approximately 560 kg of hydrogen is generated in vessel from cladding oxidation which is released upon lower head failure. During core concrete attack not only is there a substantial release of additional hydrogen but also carbon monoxide release to containment that increases the potential for an energetic combustion event. Cases with late fan cooler actuation (t ≥ 21 hr) or spray injection of 1,000,000 gal of water show combustible gas concentrations in containment that are well above the minimum deflagration limit (e.g. cases F5, F6, F7, F10, S4 and S6 produce ECMFs greater than or equal to unity). For the majority of the fan cooler cases, peak ECMFs are observed at the end of the simulation (e.g. in cases F2 through F7, F9 and F10 the peak ECMF is achieved at 48 hr). This is due to the continued removal of steam from the containment atmosphere, which effectively increases the concentration of combustible gases. The results also show a loose correlation between ECMF and amount of combustible gas released to containment. For ECMFs larger than unity (cases F5, F6, F7, F10, S4 and S6), higher ECMFs that are greater than or equal to unity are associated with relatively larger releases to containment of at least 16,000 kg of combustible gas, as
anticipated. Based on the evidence from results presented in Table 7.1 and Table 7.3, the NUREG-1150 assumption that an early hydrogen combustion event would not lead to containment failure appears to be correct as the relative fraction of hydrogen (or hydrogen and carbon monoxide) to air in containment is not sufficiently high to result in an energetic event early in scenario progression.

Table 7.3: Ex-vessel combustible gas generation results for containment cooling cases.

Production Ex-Vessel Released to Containment Time Peak Case Peak ECMF ECMF H2 (kg) CO (kg) H2 (kg) CO (kg) Achieved (hr) Reference F F F F F F F F F F S S S S S S

For the cases in this ex-vessel gas generation study, the amount of water in the cavity and assumptions about the ability of that water to limit core concrete attack were found to have a major impact on the results. Following lower head failure and the release of molten core debris, there is sufficient water released from the RPV to limit CCI until early fan cooler actuation begins to condense steam in containment and add water to the cavity, further cooling the debris. For all spray cases and cases with fan cooler actuation at or after 21 hr, there is a period of cavity dryout in which corium aggressively attacks concrete, producing off-gases at a higher rate. After this period, delayed water addition to the cavity from steam condensation is not sufficient to cool the debris and reduce core concrete attack.

The behavior of gas generation from CCI follows two specific trends: either a limited amount of gas (2,000 kg of CO or less) is generated shortly following debris ejection and the attack is quickly arrested by water in the cavity, or the cavity may dry out after debris ejection and CCI may resume, producing additional combustible gas in the process. All cases followed five specific trends for combustible gas generation, which are shown in Figure 7.1. In this figure, F1 is representative of cases F1, F2, F3 and F4 from Table 7.2, which all correspond to the situation in which cavity dryout does not occur. F5 is representative of F5-F8, F10 in Table 7.2, and also S3, S4 and S6 in Table 7.2 in which prolonged cavity dryout leads to aggressive CCI. Behavior of F9, S1 (which is also representative of S2) and S5 were unique as there is delayed cavity dryout which delays CCI until later in the scenario.

Figure 7.1: Carbon monoxide production from CCI for ex-vessel gas generation cases.

Due to the findings shown in Figure 7.1, additional ex-vessel gas generation studies were performed to address the impact of cavity dryout on core concrete attack. In the Zion MELCOR model developed by SNL, several modifications had been made to the standard debris bed conductivity input which enhanced heat transfer to overlying coolant and the thermal conductivity of metallic and oxidic mixtures by applying a multiplier to default coefficients; this change was also noted in SNL's standard modeling practices guide [109]. Cases F1, W1 and F5, shown in Table 7.1 and Table 7.2, were simulated again without the enhanced coefficients to study the effect of reduced debris conductivity. Comparison of the results using the enhanced (i.e. higher debris conductivity) and default coefficients is shown in Table

Table 7.4: Ex-vessel gas generation results for debris conduction study.

H2 Generated in Cavity (kg) CO Generated in Cavity (kg) Case Enhanced Conduction Default Conduction Enhanced Conduction Default Conduction W F F

Substantially more combustible gas is generated ex-vessel when the default coefficients are used, as the reduced debris conductivity limits the rate at which heat is removed from the corium and therefore promotes core-concrete attack. In these cases, core concrete attack begins with debris ejection and continues at a constant rate throughout the simulation. This sensitivity study demonstrates the high sensitivity of CCI to debris conductivity. While the state of knowledge regarding CCI has progressed significantly, there are still substantial uncertainties regarding the effect of overlying water pools.

Containment Loading Sensitivity/Scoping Studies

To ascertain the potential loads on containment resulting from some severe accident phenomena, several scoping studies were performed using the MELCOR model described in Chapter 3. Section describes the results of the HPME loading studies. Section discusses the results of the combustion loading studies.

High Pressure Melt Ejection Cases

Based on the discussion in Section 2.2.1, experimental work and associated semiempirical models seem to indicate that HPME is an unlikely threat to containment integrity, either by containment loading from DCH or gas generation and combustion. However, severe accident analysis codes like MELCOR do not contain a true mechanistic model of debris ejection and dispersion; instead users must specify fractional debris distributions and time constants related to heat transfer, oxidation and debris settling. To investigate the effect of the uncertainty in modeling parameters on the amount of pressure rise resulting from HPME and DCH, two subsets of MELCOR calculations were performed. In one subset, the fractional debris distribution was varied while the time constants remained unchanged; in the other subset, the time constants were varied while the distribution of debris ejected from the RPV to the various containment volumes was held constant.

The results of model experiments listed in references [45] [40] [39] [41] [44] showed that most of the debris is ejected into the atmosphere low in the containment, with the majority of the debris being retained in the lowest volumes and cavity; very little debris is initially deposited by impact on structures. For this reason, sensitivity studies were performed with regard to the distribution of fractional debris ejected directly to the atmosphere; it is assumed that no debris is directly deposited by impact in these cases. The matrix of cases analyzed and their respective results are shown in Table 7.5. A reference case in which 27% of debris is assumed to be impacted was also simulated.

For the cases in this study, 5% and 65% were chosen as bounds for ejected airborne debris fractions to the lowest three volumes of containment based on the experimental evidence discussed in Section 2.2.1; for the uppermost volume of containment (see Figure 3.2), bounding values of 0% and 25% were chosen. Results for peak pressure, peak temperature and the fraction of deflagration limit resulting from DCH are presented in Table 7.5. It should be noted that the minimum deflagration limits (i.e. 10% and 16.7% for hydrogen and carbon monoxide, respectively) were utilized in calculating the fuel:diluent ratio. For cases where results indicated a deflagration was possible, the peak pressure from combustion is also presented in Table

Table 7.5: HPME debris distribution sensitivity cases.

Cases Fraction of Core Debris Cavity Lower Annular Upper Peak Pressure (MPa abs) Peak Temp. (K) Fraction of Deflagration Limit Pressure With Combustion (MPa abs) Reference HPME HPME HPME HPME HPME HPME HPME HPME

For all cases, the pressure loads from debris ejection and DCH are very similar. Peak pressure results for cases HPME2, HPME3, HPME4 and HPME8, where the majority of debris is distributed to the uppermost volumes of containment, show the greatest increases in containment loading from DCH. The largest pressure load on containment (0.39 MPa) is observed in case HPME8, where 85% of debris is ejected to the upper volumes, while the smallest pressure load (0.31 MPa) is observed in the reference case, where 70% of debris is ejected to the lower containment volumes; these results are consistent with the expectation that the pressure load from DCH would be larger for cases where the majority of debris was distributed to the upper volumes. The results of these sensitivity studies show, however, that the loads on containment from HPME and DCH are well below values expected to fail containment with any significant probability using the fragility curve from NUREG. For all cases in Table 7.5, the peak DCH- and combustion-induced pressures are between 0.3 and 0.4 MPa; at this pressure, the cumulative likelihood of failure is less than 0.3% using the NUREG-1150 fragility curve for Zion. Comparing the results of HPME1 and HPME8, where 85% of debris is distributed to the lowermost and uppermost volumes, respectively, there is a 22% increase in peak pressure load for the case in which a large fraction of the debris reaches the uppermost containment; containment pressure is initially low enough at the time of lower head failure that this increase is not threatening to containment integrity.

In cases HPME2, HPME3 and HPME4, the fractional percentage of hydrogen in a containment volume including what is produced from distributed core debris exceeds the minimum required for deflagration (enabling
downward propagation), i.e. the fraction of the deflagration limit exceeds unity, where the downward propagation limit is considered to be 10% for hydrogen. For those cases, deflagrations were triggered in the MELCOR analysis to determine the extent of increase in containment pressure. Although the peak pressure was increased, as indicated in Table 7.5, the pressure still remained below a threshold failure pressure.

The MELCOR HPME package also requires time constants to be input by the user related to oxidation, heat transfer and settling of airborne debris. No suggested default values are listed in the User's Guide [3], so a sensitivity study on the effect of these time constants was also performed. The matrix of cases analyzed and their respective results are shown in Table 7.6. For oxidation and heat transfer, values of 0.1 s, 0.5 s and 1 s were chosen as inputs to the MELCOR model in the FDI package, where 0.1 s represents a relatively slow transient and 1 s represents a very fast transient; these values were taken from a DCH study performed by SNL using MELCOR [37]. Two sets of settling time constants were chosen. For the lowest two control volumes, settling time constants of 1 s, 2 s and 5 s were used as inputs to the MELCOR model in the FDI package; for the uppermost two control volumes, settling time constants of 1 s, 5 s, and 10 s were used; these values were again taken from the SNL DCH study using MELCOR [37]. For all cases shown in Table 7.6, the fractional debris distribution from case HPME1 in Table 7.5 was used for consistency; that is, 85% debris is assumed to be distributed to the lower containment volumes, and 15% is assumed to be distributed to the uppermost containment volumes.

Table 7.6: HPME modeling coefficients sensitivity cases.

Cases Oxidation Time Constants (s) Settling Heat Lower, Transfer Cavity Settling Upper, Annular Peak Pressure (MPa abs) Peak Temp. (K) Fraction of Deflagration Limit HPME HPME HPME HPME HPME HPME HPME HPME

For cases HPME9 through HPME16, the results for temperature load indicate that variations in the modeling coefficients related to HPME do not significantly influence heat transfer to the containment environment. For cases with longer time constants, e.g. cases HPME10 versus HPME15 and HPME11 versus HPME16, the results indicate that increasing the heat transfer time constant does enhance heat transfer to the containment atmosphere as anticipated, producing slightly higher temperature loads. For example, in case HPME11 where a 0.1 s heat transfer time constant was used, the DCH-induced temperature load is 436 K, while in case HPME16, where a 1 s heat transfer time constant was used, the DCH-induced temperature load is 491 K. Similar trends are observed on the effect of increasing the oxidation and settling time constants; larger amounts of combustible gas are produced since the duration of the transient from HPME and DCH are effectively increased. For example, case HPME9 produced a peak fractional deflagration limit of 0.62 using debris settling time constants of 1 s for both the lowermost and uppermost containment volumes, while case HPME10 produced a fractional deflagration limit of 0.73 using debris settling time constants of 2 s and 5 s for
the lowermost and uppermost containment volumes, respectively. However, these uncertainties in combination with uncertainties regarding debris distribution within containment do not appear to be large enough to significantly impact the potential for early containment failure. While the pressure loads in Table 7.5 from the deflagrations are high relative to the load from DCH, they are still non-threatening with regard to containment integrity, as the peak pressures produced in these cases would have cumulative failure probabilities of 0.3% or less using the NUREG-1150 fragility curve for Zion.

In the expert elicitation supporting NUREG-1150 for Zion [64], pressure loads were predicted for a variety of scenarios with HPME and DCH; scenarios were characterized by the amount of melt ejected, the size of the resulting vessel breach and the state of the cavity (wet or dry). The smallest predicted median pressure rise in the elicitation is 0.29 MPa, corresponding to a scenario with a low fraction of melt being ejected into a wet cavity. The largest median pressure rise in the elicitation is MPa, which corresponds to a scenario with a high fraction of melt being ejected into a dry cavity according to the elicitation. The presence of water in the cavity directly impacts the predicted pressure load. For cases with water in the cavity, higher pressure loads are predicted in the elicitation; if water is present in the cavity, it will enhance the oxidation of debris and contribute to an increase in containment pressure. For the majority of scenarios in the elicitation, which include the scope of our sensitivity study, the predicted pressure rise was approximately 0.4 MPa or 0.5 MPa. These pressure rises alone match or surpass the peak total pressures observed in our sensitivity studies (Table 7.5 and Table 7.6). In light of additional
experimental evidence and the modeling of integral effects with the MELCOR code, it appears that the NUREG-1150 elicitations were very conservative.

Hydrogen and Carbon Monoxide Combustion Cases

To investigate the sensitivity of containment loading to gas combustion, several cases were performed using MELCOR. Since cases with fan cooler actuation produced the largest masses and mole fractions of hydrogen, a subset of these cases was selected for analysis. In general, ignition of combustible gas was triggered late in the scenario when accumulation of gas was largest (e.g. 40 hr); earlier ignition times (e.g. 24 hr, 28 hr) were chosen to explore the range of possible combustion-induced pressure loads, where it is anticipated that earlier ignition times will produce smaller pressure loads. The matrix of cases analyzed is shown in Table 7.7.

Table 7.7: Combustion load analysis cases.

Case  Description             Debris Conductivity
H1    F5, ignition at 40 hr   Enhanced
H2    F5, ignition at 28 hr   Enhanced
H3    F10, ignition at 24 hr  Enhanced
H4    F10, ignition at 40 hr  Enhanced
H5    F5, ignition at 28 hr   Default
H6    F5, ignition at 40 hr   Default

Results of the combustion loading cases of Table 7.7 are shown in Table 7.8. Since the purpose of the exercise was to identify the worst possible conditions associated with combustion, it was not surprising that, for the majority of cases analyzed, significant pressure loads on containment were observed ranging from 0.73 MPa in case H3 to
MPa in case H6. The results in Table 7.8 also indicate that in cases H1 through H4, high levels of combustion completeness occur, as the fraction of fuel burned approaches unity. Typically, high levels of combustion completeness approaching unity are predicted for hydrogen-rich mixtures where the hydrogen mole fraction is larger than 10% [110] [111]. The lumped parameter model approach of MELCOR is not capable of realistically modeling the combustion front as it propagates through the volume, as would be necessary to accurately assess the percent combustion, which could affect the combustion-induced pressure load and therefore the likelihood of containment failure. It should be noted, however, that other studies with higher fidelity models indicate that when the concentrations of the combustible gases are close to the stoichiometric ratio, the completeness of the combustion can approach unity and the resulting pressures can approach adiabatic, isochoric pressures, similar to those calculated by MELCOR under these conditions [71] [73] [76].

Table 7.8: Containment loading from combustion cases.
Case  Peak Pressure (MPa abs)  Peak Temp. (K)  Percent Burn: H2  Percent Burn: CO  ECMF

Figure 7.2 shows the Zion containment fragility curve described in Section and containment loads obtained in this study for combustion cases. The results in Figure

show that some cases (H2 and H3) have a small conditional probability of failure less than 10%. Cases H1 and H4 have moderate failure probabilities, and case H6 has a significant failure likelihood. It is important to note that alternative containment fragility curves have been developed for Zion and Zion-like containments (such as those developed for the Zion Individual Plant Examination [49] or the DCH study in NUREG [50]) which can affect the failure probability. The fragility curve used for the Zion IPE has smaller tails at the upper and lower ends of the distributions, relative to the NUREG-1150 curve, yielding lower probabilities for pressures marginally capable of causing failure and higher probabilities for high pressures. The median failure pressure is nearly identical, however, in the Zion IPE and NUREG-1150 fragility curves. The fragility curve can also change as the plant ages due to materials degradation. The results of finite element analyses performed by Sandia National Laboratories [86] show that containment integrity could be substantially affected by various modes of degradation including steel liner corrosion, hoop tendon corrosion and loss of prestressing of hoop tendons, if there were inadequate surveillance and maintenance.

Figure 7.2: Zion containment fragility curve and containment loads for combustion cases.

DET Results

This section describes results of the DET analysis using the models described in Chapter 3, Chapter 4 and Chapter 5. The DET was executed in a parallel environment utilizing 6 compute nodes. Each host is equipped with a dual quad-core 2.4 GHz processor, 32 GB of RAM and a 1 TB hard drive; this setup provided 48 processors for DET execution. Execution of the Level 2 DETs for the depressurized primary and pressurized primary scenarios (as described in Section 3.2.2) required approximately 2.5 months to complete. Table 7.9 shows runtime statistics for the depressurized primary and pressurized primary DET experiments. Batch serial runtime corresponds to the time required to execute all scenarios in each tree serially on a single processor. The ADAPT serial runtime refers to the time required to execute each tree serially on a single processor using the ADAPT tool. Batch parallel runtime refers to the amount of time

required to complete all scenarios in each tree in a parallel environment using 48 processors. A probability truncation of 1.0E-6 for scenarios was utilized when generating the trees using ADAPT. This threshold allows ADAPT to halt simulated scenarios that have a probability below the truncation limit, which significantly reduces the time required to generate the DET.

Table 7.9: Runtime statistics for DET experiments. Significant scenarios are classified as those having a probability larger than 1.0E-6.
Statistics                  Depressurized Primary          Pressurized Primary
No. of Scenarios            772 significant / 4632 total   390 significant / 6136 total
Batch Serial Runtime (d)
ADAPT Serial Runtime (d)
Batch Parallel Runtime (d)
Output Size (GB)

For the preliminary analyses, the scenarios of each DET were grouped into APBs based on the occurrence of three events: power recovery, combustion event, and containment failure (including mode); Table 7.10 describes the bin characteristics used for scenario grouping.

Table 7.10: Bin characteristics for Level 2 DET results.
Character  Symbol  Description
1          P       Power recovered
1          N       No power recovery
2          H       Combustion event
2          N       No burn
3          I       Containment intact
3          L       Containment failure by leak
3          R       Containment failure by rupture
3          C       Containment failure by catastrophic rupture

The binned results for the depressurized and pressurized DETs are shown in Table. All bins are conditional on the occurrence of core damage, which has a conditional probability of 3.32E-2 (for the LOSP initiator). The APB corresponding to no power recovery, no burns and no containment failure has the highest total conditional probability of 3.75E-1. It should be noted that if power is not recovered during a scenario, containment will eventually fail by overpressurization; in this analysis, scenarios with no power recovery and no containment failure were halted before containment failure occurred in the simulation. Both sets of DETs produced scenarios with no power recovery and failure by leak. The DET for the pressurized primary case also produced scenarios in which power was not recovered and containment failed by the rupture or catastrophic rupture failure modes. In the APBs PNL and PNR, containment failure by overpressurization occurred prior to power recovery. The binned results show that regardless of power recovery or the occurrence of a combustion event, the majority of the probability space (83.6%) corresponds to cases in which containment failure did not occur during the simulation, where the entire probability space is the total probability of all scenarios in both the depressurized and

pressurized DETs. For APBs in which containment does fail, their total conditional probabilities are at least one order of magnitude smaller than those of bins in which containment does not fail. Cases with a combustion event have a conditional probability of 1.93E-1. The binned results also show that power recovery is required for a combustion event, but a combustion event is not guaranteed if power is recovered.

Table 7.11: Binned APBs and their corresponding conditional probabilities (conditional on core damage) for the depressurized and pressurized DETs.
Bin  Conditional Probability: Depressurized  Pressurized  Total
NNI 3.41E E E-1
PNI 1.91E E E-1
PHI 1.64E E E-1
NNL 9.64E E E-2
NNC E E-2
NNR E E-2
PHL 1.08E E E-3
PNL 1.02E E E-4
PHR 3.82E E E-5
PNR E E-6

Assessment of these results largely focuses on the phenomena of gas generation and combustion. Section describes the behavior of gas generation ex-vessel. Section discusses containment loading from combustion events and the effect of power recovery on the magnitude of loads. Section provides some comments on the effects of ignition delay. Lastly, Section discusses the likelihood of containment failure for the DET.

Combustible Gas Generation

The scenarios in the DETs displayed gas generation behavior similar to the cases presented in the scoping studies in Section. Combustible gas generation ex-vessel is strongly correlated with cooling of debris in the cavity, and therefore power recovery and the actuation of containment cooling systems. When assessing the progression of CCI and its effect on gas generation, the amount of carbon monoxide generated will be used as a surrogate. Carbon monoxide generation for each power recovery time is shown in Figure 7.3, and the water level in the cavity for each power recovery time is shown in Figure 7.4.

For all scenarios generated from the Level 1 depressurized scenario, lower head failure occurs at approximately 14.5 hr. At this time, debris and the coolant remaining in the RPV are released into the cavity. In the depressurized DETs, for the next 2.5 hr, the coolant in the cavity is sufficient to cool the debris, but at 17 hr, the coolant gradually boils off and CCI occurs for a short period of time, generating approximately 1,000 kg of carbon monoxide in all scenarios (see Figure 7.3 and Figure 7.4). For scenarios with power recovery at 16 hr, 18 hr and 20 hr (as determined by the power recovery branching class described in Section 4.3.4), no additional gas is generated as containment cooling and emergency core cooling systems are activated which provide additional coolant to the debris in the cavity. Accordingly, the water level in the cavity remains high, at approximately 10 m, as shown in Figure 7.4. For scenarios with power recovery at 22 hr and 25 hr, an additional 500 kg and 5,000 kg of carbon monoxide are generated, respectively. The water depth in the cavity is also high in these scenarios. For scenarios

with power recovery at 28 hr, 32 hr, and 40 hr, the behavior of CCI and gas generation follow that of scenarios with no power recovery. That is, beginning at approximately 21 hr, the corium begins to aggressively attack the concrete and produce large amounts of combustible gas following a short period of cavity dryout; these scenarios produce approximately 1,000 kg per hour or less for the remainder of the scenario (Figure 7.3). The addition of water to the cavity does not have an appreciable effect on decreasing the rate of gas generation, which largely continues unimpeded. These trends are shown in Figure 7.3, which shows the behavior of gas generation for each power recovery time, and Figure 7.4, which shows the corresponding water level.

Figure 7.3: Behavior of carbon monoxide generation for depressurized DET for each power recovery time.

Figure 7.4: Cavity water levels for depressurized DET.

The behavior shown for the depressurized DETs is consistent with the behavior displayed by the pressurized DETs, except that lower head failure is delayed by 2.5 hr in the pressurized DET (i.e. lower head failure occurs at 17 hr). Coolant in the cavity is again sufficient to cool the debris and prevent CCI for the next 2.5 hr, and a small amount of combustible gas (1,000 kg) is generated following this interval. At approximately 22 hr, corium aggressively attacks the concrete and significant quantities of combustible gases are generated at a rate of approximately 1,000 kg per hour.

Containment Loading from Combustion Events

For the depressurized DET, 547 of the 772 scenarios had an occurrence of one or more combustion events. In the pressurized DET, 219 of the 390 scenarios had an

occurrence of one or more combustion events. Peak pressures due to a combustion event for all scenarios as a function of the power recovery time are shown in Figure 7.5 and Figure 7.6 for the depressurized DET and pressurized DET, respectively. As anticipated, the timing of power recovery is strongly correlated with the magnitude of the pressure spike resulting from the burn. In the depressurized DET, for relatively early power recovery times (i.e. power recovery at or before 22 hr), the pressure spike produced is low enough that containment failure is not questioned. Scenarios with power recovery times after 22 hr produce combustion events with pressure spikes of 0.52 MPa or larger. The majority of scenarios with power recovery at 25 hr produce burns with significant pressure spikes. The largest pressure spikes are observed for cases with power recovery at 28 hr and 32 hr. Based on the gas generation results shown in Section 7.3.1, it follows that the largest combustion events will occur in scenarios with later power recovery, as those scenarios displayed the largest generation of combustible gas.

For the pressurized DET, the same trends are generally true; scenarios with relatively late power recovery times produce pressure spikes which are capable of failing containment with increasing probability. A small number of scenarios with power recovery at 20 hr and 22 hr produced pressure spikes large enough to question containment failure (i.e. MPa or larger). All scenarios with power recovery at 32 hr produced combustion events larger than 0.51 MPa, while scenarios with power recovery at 40 hr produced either combustion loads larger than 0.8 MPa (up to 1.1 MPa), or smaller than 0.4 MPa. Divergence in the pressure loads produced in scenarios with power recovery at 40 hr is due to the delay in ignition. For the smaller pressure loads,

ignition tends to occur within 3 hours following power recovery, whereas the larger loads are produced when ignition is delayed by 8 hours. The effect of ignition delay is discussed further in Section.

Figure 7.5: Peak pressure resulting from burn as a function of power recovery time for depressurized DET.

Figure 7.6: Peak pressure resulting from burn as a function of power recovery time for pressurized DET.

The cumulative distribution of peak pressure load for all scenarios generated from both the depressurized and pressurized DETs is shown in Figure 7.7. All probabilities are conditional on core damage. The figure shows that scenarios with power recovery at 25 hr have the largest contribution (35%) to the probability space of the DETs. These scenarios produce peak pressures ranging from 0.55 MPa to 0.75 MPa, which when compared with the NUREG-1150 fragility curve for Zion, have a cumulative failure likelihood of 6.7% or less. Scenarios with power recovery at 18 hr, 22 hr and 32 hr have similar cumulative likelihoods of approximately 6%; however, the peak pressures produced in scenarios with power recovery at 32 hr are significantly larger than the peak pressures produced in scenarios with power recovery at 18 hr and 22 hr. Scenarios with power recovery at 20 hr and 28 hr have cumulative probabilities of approximately 9%;

again the peak pressures produced in scenarios with power recovery at 28 hr are significantly larger than the pressures produced in scenarios with power recovery at 20 hr.

Figure 7.7: Cumulative probability (conditional on core damage) of peak combustion-induced pressure for all power recovery times for both DETs.

Effect of Ignition Delay

For the depressurized DET, the delay between the burn and power recovery also shows a correlation with the peak pressure spike produced from the burn. The peak pressure from the combustion event as a function of the time of burn relative to the time of power recovery is shown in Figure 7.8. For the most energetic events, the burn tends to occur within 7 hours following power recovery. For scenarios with a longer delay between power recovery and the combustion event, a relatively smaller pressure spike is

produced. The larger events tend to occur relatively shortly after power recovery because sufficiently large amounts of combustible gas have been generated such that the gas mixture can burn shortly following power recovery. If the burn event is significantly delayed relative to power recovery, it is largely due to the gas mixture not meeting the minimum flammability limits. Quantities of combustible gases sufficient to support ignition are not generated until very late in these scenarios, as early power recovery decreased the rate at which corium was ejected from the RPV by providing some cooling to the slumping core, and also provided cooling to the existing debris in the cavity which slowed combustible gas generation.

The same trends are observed for the pressurized DET. Peak pressure from the combustion event as a function of the delay in ignition for the pressurized DET is shown in Figure 7.9. In this DET, ignition delays longer than 12 hours produce pressure loads which are non-threatening to containment integrity, as the combustion-induced pressure load is approximately 0.4 MPa or less, which has a cumulative failure probability less than 0.3% using the NUREG-1150 fragility curve for Zion (Figure 2.9).

Figure 7.8: Peak pressure from combustion event as a function of the time delay between power recovery and the burn for the depressurized DET.

Figure 7.9: Peak pressure from combustion event as a function of the time delay between power recovery and the burn for the pressurized DET.

The cumulative distribution of peak pressure for various delays in ignition is shown in Figure 7.10 for all scenarios generated in both the pressurized and depressurized DETs. To display the cumulative likelihood of peak pressure for the various ignition delay times, the scenarios were grouped into five equally sized bins, each with a duration of four hours, based on the delay in ignition. Scenarios with an ignition delay ranging from 12 hr to 15.9 hr had a cumulative probability of zero, so these scenarios were omitted from the figure. The results in Figure 7.10 show that scenarios with an ignition delay of four hours or less account for approximately 80% of the probability space and produce peak pressures ranging from 0.2 MPa to 1.1 MPa. Scenarios with ignition delays ranging from 8 hr to 11.9 hr have a larger cumulative probability than scenarios with delays ranging from 4 hr to 7.9 hr. Also, scenarios with ignition delays of 8 hr to 11.9 hr produce a relatively limited variation in peak pressure, ranging from 0.3 MPa to 1.0 MPa, where scenarios with ignition delays of 4 hr to 7.9 hr produce peak pressures which vary from 0.2 MPa to 1.19 MPa. Scenarios with ignition delays of 16 hr or more have the lowest cumulative probability and produce the smallest pressure loads. These scenarios correspond to cases with very early power recovery.

Figure 7.10: Cumulative probability (conditional on core damage) of peak pressure for varying delays in ignition relative to power recovery. The conditional likelihood of scenarios with ignition delays of 12 hr to 15.9 hr was zero.

The depressurized DET produced 429 scenarios with a single combustion event, 112 scenarios with 2 combustion events and 6 scenarios with 3 combustion events. The timing of power recovery had no effect on whether a burn occurred; every power recovery time had some kind of a burn event. Scenarios with 2 burns had power recovery at 18 hr or later, and scenarios with 3 burns all had power recovery at 28 hr. The peak pressure as a function of its burn sequence (e.g. the first, second or third burn) and power recovery time is shown in Figure. As is to be expected, the second and third burns are generally considerably smaller than the first burn. None of the second or third combustion events are energetic enough to fail containment with any significant probability.

Figure 7.11: Peak pressure for each burn as a function of the power recovery time for the depressurized DET.

For the pressurized DET, 180 scenarios contained a single combustion event, 31 scenarios contained two combustion events, 23 scenarios contained three combustion events and ten scenarios had four combustion events. Results for the peak pressure as a function of the burn sequence are shown in Figure. Similar to the results for the depressurized DET, the timing of power recovery did not affect whether a burn occurred. Scenarios with two combustion events had power recovery at 22 hr or later; scenarios with three combustion events had power recovery at 28 hr or 32 hr. Only scenarios with power recovery at 32 hr produced four combustion events. Similar to the depressurized DET, as the burn sequence increased, the resulting pressure spike decreased in magnitude.

Figure 7.12: Peak pressure for each burn as a function of the power recovery time for the pressurized DET.

In this dynamic analysis of combustion, a limit on the frequency of branching due to combustion events was utilized in which branching due to burns was permitted in two hour intervals. Its purpose was two-fold: to allow the consideration of burns of diminishing magnitude (necessary due to the limitations imposed by ADAPT), and to control the growth of the event tree. For approximately 89% of the scenarios in the depressurized DET, the combustion event occurs when the diluent concentration is less than 40%. As shown in Figure 5.1, the MIE for gas mixtures of this type is 0.11 mJ or lower. From Equation 5.1, the recurrence of a spark of this energy level is calculated to be approximately one per second (recognizing that the values for G(E) are highly speculative). Using Equation 5.2, the probability of non-ignition for a spark of this frequency over a two hour period is effectively zero. Even if the upper limit on MIE of

100 mJ is utilized, the probability of non-ignition over a two hour interval is only 14%. For all scenarios, if a branch occurs in which burning was questioned but did not occur, the probability of this scenario becomes zero using the methodology described in Chapter 5. Even if the recurrence curve in Equation 5.1 is reduced by a factor of 100, the probability of not igniting a mixture requiring the lower limit of MIE is still on the order of 1.0E-29. In light of this, more consideration should be given to the delay between power recovery and the point at which a mixture becomes de-inerted to develop a more meaningful combustion model.

For the depressurized DET, containment cooling is fairly rapid. For all cases, the containment atmosphere remains inerted until the containment cooling systems are utilized. However, typically within an hour of fan cooler or spray actuation, the mixture in containment is in a flammable regime. Figure 7.13 shows an example of the containment cooling rate for two scenarios from the depressurized DET. For the scenario with power recovery at 28 hr (100,800 s, red line in Figure 7.13), the containment becomes de-inerted approximately 30 minutes after power recovery. For the scenario with power recovery at 32 hr (115,200 s, blue line in Figure 7.13), the containment is de-inerted within 15 minutes. Therefore, the energetics of a combustion event are better approximated by the characteristics of the gas mixture at the time of power recovery, rather than two hours following power recovery. However, it is still necessary to account for long delays between power recovery and combustion, as long delays (or late recovery times) have the potential to produce significant loads on containment. Figure 7.14 shows the pressure spike in containment following

combustion events with varying delays relative to the same power recovery time (25 hr, or 90,000 s). As expected, a delay in combustion leads to larger pressure loads since more combustible gas has been generated and is therefore available to burn. The first two peaks (scenarios and 44884, red and blue lines, respectively) produce pressure loads which may fail containment with a low probability, but the final peak (scenario 44990, green line) produces a pressure load which has a higher probability of failure.

Figure 7.13: Effect of containment cooling on ECMF for depressurized DET for a scenario with power recovery at 28 hr (red line) and 32 hr (blue line).

Figure 7.14: Effect of ignition delay on magnitude of combustion event for depressurized DET.

There are two effects of delay of ignition after power recovery. The first effect is that additional carbon monoxide production increases the potential energetics of the event. This effect is evident in Figure 7.5 and in Figure 7.14 where the pressure spike increases with time. The other effect is that steam concentration suppresses the magnitude of the pressure spike. As indicated in Section , this effect is dramatic for steam concentrations greater than 40%. Thus, if ignition occurs somewhere between 55% and 40% steam concentration, containment failure is probably precluded. As shown in Figure 5.1, the MIE decreases dramatically over this range. Based on our limited understanding of the spark recurrence curve in Equation 5.1, it is very unlikely for near stoichiometric atmospheric compositions at low steam partial pressure that ignition would be delayed by as much as two hours. However, with steam concentration on the order of 50%, it is not at all clear whether ignition would occur in seconds, minutes, or

hours. Based on the cases with cooling re-established, the time frame over which conditions pass from 55% to 40% steam concentration is on the order of one-half hour. Thus, better knowledge of the spark recurrence relationship could lead to the conclusion that de-inerting of containment does not result in the potential for a combustion event sufficiently energetic to fail the containment.

Containment Failure Likelihood

For the depressurized DET scenarios, if power is not recovered and cooling provided to containment, over-pressurization and failure of the containment will occur within 40 hours. By approximately 25 hours, containment pressure reaches a level at which the probability of failure by leak increases significantly. These results will largely focus on containment failure due to combustion events.

For the depressurized DET, 286 scenarios had a significant end state probability of 7.0E-7 or greater. Of the 564 scenarios with combustion events, 17 had containment failure by leak due to the combustion event, and 4 had containment failure by rupture due to the combustion event; in the pressurized DET, three scenarios had combustion-induced leak failure and one had containment failure by rupture. Table 7.12 shows the conditional probability of containment failure due to a combustion event for each failure mode for the depressurized DET; the probabilities of scenarios with combustion-induced failures in the pressurized DET were on the order of 1.0E-6 or smaller, so they will not be considered in the following discussion as their contribution is effectively negligible. Including the core damage probability of 3.22E-2, the total probability of containment

failure by leak and rupture mode as the result of a combustion event is 2.98E-5 conditional on the LOSP initiating event.

Table 7.12: Conditional probability of failure by mode due to combustion event for depressurized DET.
Failure Mode  Conditional Probability  Conditional Probability Using Reduced Recurrence Curve
Leak 8.85E E-3
Rupture 3.82E E-5
Total 9.27E E

Analysis of Containment Failure Using Degraded Fragility Curve

As discussed in Section 2.3, the use of an alternative fragility curve has the potential to produce significantly different results for the likelihood of containment failure. To demonstrate this, a degraded fragility curve for a pre-stressed, steel-lined PWR containment is used to recalculate the probability of containment failure in the depressurized DET. This curve, from NUREG/CR-6920 [86], is representative of tendon degradation via a 50% reduction in prestressing. This curve, shown in Figure 7.15 with the Zion fragility curve used in the ADAPT model, was chosen because of all the degraded curves presented in [86], it most closely resembled the original fragility curve utilized in the ADAPT probabilistic model; the majority of curves presented in [86] had cumulative failure probabilities of unity for the lower pressures considered by the Zion curve.

Figure 7.15: Degraded fragility curve from [86] and Zion fragility curve [64] implemented in ADAPT model.

The degraded curve shown in Figure 7.15 was used to recalculate the probabilities of scenarios in which containment failure was questioned. This recalculation considers scenarios in which no failure occurred, or failure by leak or rupture occurred. The recalculated probabilities are shown in Table. Results are shown for scenarios in which a combustion event directly caused containment failure by leak or rupture, all scenarios with leak failure (both due to overpressurization and combustion events), all rupture failures (which are solely due to combustion events), and scenarios in which the containment did not fail. These scenarios all have power recovery at some point, and the probabilities are conditional on core damage. All leak failures increase by an order of magnitude when using the degraded fragility curve, and failures by rupture increase by nearly three orders of magnitude.

Table 7.13: Comparison of conditional probabilities for various power recovery scenarios in the depressurized DET using the Zion fragility curve and a degraded fragility curve.
Scenario  Conditional Failure Probability: Zion Curve  Degraded Curve
Leak Failure Due to Burn 1.27E E-2
All Leak Failures 1.70E E-2
All Rupture Failures 5.48E E-2
Intact 5.09E E

Refinement of Containment Fragility CDF

This section discusses the results for refinement of the containment fragility CDF utilized in the ADAPT model. The techniques described in Chapter 6 were applied to the fragility curve for containment failure likelihood described in Section. This analysis focuses on combustion-induced containment failure in the depressurized DET; a total of 17 combustion-induced leak failures and 4 rupture failures were produced in this tree. The total conditional probability of each failure mode was computed using the original three bin endpoint approximation, a three bin midpoint approximation, a nine bin endpoint approximation and nine bin midpoint approximation. The branching criteria (i.e. pressure) for the three bin approximation are shown in Table 7.14, and the branching criteria for the nine bin approximation are shown in Table
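The three bin and nine bin endpoint and midpoint approximations named above can be compared numerically. The sketch below is an added example, not code from the dissertation or from ADAPT. It assumes a constructed lognormal fragility curve (not the NUREG-1150 Zion curve), equal-width bins, and that each bin carries the cumulative failure probability of its upper edge while the failure branch is questioned at either the bin's endpoint or its midpoint; all function names and parameter values are hypothetical.

```python
import math

# Constructed fragility curve for illustration only (NOT the NUREG-1150 Zion
# curve): lognormal with an assumed median and log-standard deviation.
MEDIAN_MPA = 0.95
BETA = 0.12


def fragility_cdf(p_mpa):
    """Cumulative probability that containment has failed at or below p_mpa."""
    if p_mpa <= 0.0:
        return 0.0
    z = math.log(p_mpa / MEDIAN_MPA) / BETA
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def build_branches(n_bins, rule, p_lo=0.5, p_hi=1.4):
    """Discretize the CDF into n_bins equal-width bins over [p_lo, p_hi].

    Returns a list of (trigger_pressure, cumulative_failure_probability).
    Assumption: every bin carries the CDF value at its upper edge; 'rule'
    only decides where the branch is questioned (bin endpoint or midpoint).
    """
    if rule not in ("endpoint", "midpoint"):
        raise ValueError("rule must be 'endpoint' or 'midpoint'")
    width = (p_hi - p_lo) / n_bins
    branches = []
    for k in range(n_bins):
        lo = p_lo + k * width
        hi = p_lo + (k + 1) * width
        trigger = hi if rule == "endpoint" else 0.5 * (lo + hi)
        branches.append((trigger, fragility_cdf(hi)))
    return branches


def walk_scenario(branches, peak_pressure):
    """Follow one scenario through every branch its peak pressure reaches.

    At branch k the failure probability, conditional on having survived all
    earlier branches, is (F_k - F_{k-1}) / (1 - F_{k-1}). The running product
    of the complements is the integral non-failure probability.
    """
    survive = 1.0          # integral non-failure probability so far
    prev_cdf = 0.0
    last_bin = 0           # 0 means no branch was reached
    last_conditional = 0.0
    for k, (trigger, cdf_k) in enumerate(branches, start=1):
        if peak_pressure < trigger:
            break
        conditional = (cdf_k - prev_cdf) / (1.0 - prev_cdf) if prev_cdf < 1.0 else 1.0
        survive *= 1.0 - conditional
        prev_cdf = cdf_k
        last_bin = k
        last_conditional = conditional
    return {
        "bin": last_bin,
        "conditional_at_last_branch": last_conditional,
        "integral_non_failure": survive,
        "p_fail": 1.0 - survive,
    }


def compare(peak_pressure):
    """Tabulate the four discretizations against the continuous curve."""
    rows = []
    for n_bins in (3, 9):
        for rule in ("endpoint", "midpoint"):
            result = walk_scenario(build_branches(n_bins, rule), peak_pressure)
            rows.append((n_bins, rule, result["bin"], result["p_fail"]))
    return rows, fragility_cdf(peak_pressure)


if __name__ == "__main__":
    peak = 0.86  # constructed peak pressure in MPa
    rows, exact = compare(peak)
    print(f"continuous curve at {peak} MPa: {exact:.4f}")
    for n_bins, rule, bin_no, p_fail in rows:
        print(f"{n_bins} bins, {rule:8s}: bin {bin_no}, P(fail) = {p_fail:.4f}")
```

With these constructed values the nine bin endpoint rule places the 0.86 MPa scenario one bin lower than the midpoint rule does, so the two discretizations bracket the continuous-curve probability, while the three bin rules agree with each other because both place the scenario in the same bin.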

Table 7.14: Endpoint and midpoint three bin approximations for the NUREG-1150 Zion fragility curve.
Pressure (MPa): Endpoint  Midpoint  Cumulative Failure Probability  Conditional Leak Probability  Conditional Rupture Probability
E E E E-1 4.2E E E E-2

Table 7.15: Endpoint and midpoint nine bin approximations for the NUREG-1150 Zion fragility curve.
Pressure (MPa): Endpoint  Midpoint  Cumulative Failure Probability  Conditional Leak Probability  Conditional Rupture Probability
E E E E E-1 1.4E E E-1 2.8E E E-1 4.2E E E-1 8.4E E E E E E E-1

The number of leak scenarios per bin for the three bin and nine bin approximations are shown in Table 7.16 and Table 7.17, respectively. For all rupture scenarios, the peak pressure was approximately 0.83 MPa, so all scenarios were always contained within a single bin regardless of the approximation method. Table 7.16 and Table 7.17 illustrate the effects of using different branching criteria and CDF discretizations on scenario classification. In the case of the three bin discretization, all scenarios are classified within the third bin using the endpoint approximation, but only two scenarios are classified in the third bin using the midpoint approximation, indicating a finer discretization in this region should be utilized. The nine bin approximation shown in

Table 7.17 demonstrates the effects of a finer discretization in this region, as the number of scenarios is now distributed among two or three bins for the endpoint and midpoint approximations, respectively, rather than in one or two bins.

Table 7.16: Number of leak scenarios per bin for three bin approximation.
Bin  Pressure (MPa): Endpoint  Midpoint  Number of Leak Scenarios in Bin: Endpoint  Midpoint

Table 7.17: Number of leak scenarios per bin for nine bin approximation.
Bin  Pressure (MPa): Endpoint  Midpoint  Number of Leak Scenarios in Bin: Endpoint  Midpoint

Results for the total conditional probability of each combustion-induced failure mode are shown in Table 7.18; the actual probability is also shown in this table, where the actual probability was determined by fitting the fragility curve to a third-order polynomial and computing the exact probability of failure as a function of the actual peak pressure. The results for the three bin discretization indicate that the endpoint and midpoint approximations do not produce appreciably different results. The variance in the results is not observed until the sixth decimal for the leak failure mode, and no

219 difference is observed in the rupture failure mode. This is largely due to the fact that the probability dominant scenarios are still classified in the same bin (i.e. bin 2 in Table 7.16) regardless of the approximation technique; these scenarios have conditional probabilities on the order of 1.0E-3, where the majority of the remaining scenarios have conditional probabilities on the order of 1.0E-6. The rupture scenarios all have peak pressures of approximately 0.83 MPa, so the approximation technique does not affect which bin it is classified in, and the total conditional probability remains unchanged. Both the endpoint and midpoint approximation techniques underestimate the total probability of containment failure for each failure mode using the three bin discretization. The three bin discretization results are on the same order of magnitude as the actual probability. However, when compared with the actual probability, the probability of failure by leak is underestimated by a factor of 1.3 and the probability of failure by rupture is underestimated by a factor of 2.2 using the three bin discretization. The nine bin discretization produced more accurate results using the midpoint approximation, but the endpoint approximation using the nine bin discretization significantly underestimates the actual probability. For the midpoint approximation technique, the conditional probabilities of leak and rupture scenarios are overestimated by a factor of 0.9 and 0.7, respectively. The endpoint approximation technique produced conditional probabilities which were a factor of 4 and 6.7 lower than the actual probability for the leak and rupture failure modes. For the case of leak failure modes, this is again largely due to the decrease in contribution to the total probability for the probability-dominant scenarios. Using the 193

220 nine bin endpoint approximation, the conditional probability of these scenarios decreases by an order of magnitude. This change is due in part to the number of non-failure branches which the scenario must evolve through to achieve the failure branch. In the three bin endpoint approximation, the cumulative probability of non-failure in the second bin (corresponding to a failure pressure of 0.79 MPa) is 0.997, as the scenarios must pass through only one non-failure branch; this makes the probability of failure by leak conditional that is hasn t failed previously 6.13E-2. However, in the case of the nine bin endpoint approximation, the scenarios undergo five non-failure branches before they reach a failure branch in the sixth bin. These scenarios then have an integral non-failure failure probability of at the point they reach the failure branch at 0.79 MPa, where the integral non-failure probability is considered the probability that a scenario experiences branches in which containment failure is questioned five times, but does not fail. At the 0.79 MPa branch, the probability of failure by leak conditional that is hasn t failed previously becomes 1.98E-2. For the leak cases, the difference in the results of the nine bin endpoint and midpoint approximations is a direct result of the approximation technique which affects the binning of the scenarios. First, it should be noted that the probability of containment failure by leak conditional that it has not failure previously in bin six is 1.98E-2, while for bin seven this probability is 9.16E-2. The endpoint approximation technique classifies the majority of scenarios into bin six, while the midpoint approximation classifies the majority of scenarios into bin seven, which has a significantly higher probability. This scenario classification causes the endpoint approximation technique to 194

221 significantly underestimate the probability of failure by leak, as the majority of scenarios, and more importantly the probability-dominant scenarios, have peak pressures of approximately 0.83 MPa. The midpoint approximation technique provides a better quantification of the probability of these scenarios since it enables branching at MPa. Similar to the results for the leak scenarios, the lack of resolution in the region where peak pressures occur causes the nine bin endpoint approximation technique to underestimate the total conditional probability of failure by rupture. All rupture scenarios have peak pressures of 0.83 MPa. The endpoint approximation technique assigns a probability of failure by rupture conditional that it has not failed previously of 8.69E-4 (corresponding to the sixth bin), while the midpoint approximation technique applies a probability of 8.58E-3 (corresponding to the seventh bin). Table 7.18: Total conditional probabilities for combustion-induced containment failure for leak and rupture failure modes. Three Bin Nine Bin Failure Discretization Discretization Mode Endpoint Midpoint Endpoint Midpoint Actual Leak 3.813E E E E E-3 Rupture 1.648E E E E E-4 From the results shown in Table 7.18, it is evident that discretization of failure distributions is not problem agnostic and can have a large effect on the assessed probability of low probability events. For this reason, it is essential that convergence studies be performed. A major advantage of the ADAPT approach is that the 195

222 characterization of cumulative distribution functions is particularly effective when assessing low probability events. In general, as illustrated by the results in this study, branching at the midpoint of an interval is likely to provide more accurate results than branching at the endpoint of intervals. 196
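The binning effect discussed in this section, as an added example (not code from the dissertation or from ADAPT): it assumes each bin carries the fragility CDF value at its upper edge and that the branch fires at that edge (endpoint rule) or at the bin centre (midpoint rule). The lognormal curve and the 0.37 to 1.00 MPa bin range are constructed so that bin six ends at 0.79 MPa and the scenario peaks at 0.83 MPa, as in the text; they are not the NUREG-1150 Zion data.

```python
import math


def fragility_cdf(p_mpa, median=1.0, beta=0.08):
    """Constructed lognormal fragility curve (assumption, NOT the Zion curve)."""
    z = math.log(p_mpa / median) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def branch_table(p_lo, p_hi, n_bins, rule, cdf=fragility_cdf):
    """Discretize the CDF into equal-width bins and build the branch list.

    Each bin carries the cumulative failure probability at its upper edge.
    'conditional' is the probability of failing at this branch given that
    containment survived every earlier branch.
    """
    if rule not in ("endpoint", "midpoint"):
        raise ValueError("rule must be 'endpoint' or 'midpoint'")
    width = (p_hi - p_lo) / n_bins
    rows, prev_cum = [], 0.0  # no failure is questioned below p_lo
    for i in range(n_bins):
        lo, hi = p_lo + i * width, p_lo + (i + 1) * width
        cum = cdf(hi)
        trigger = hi if rule == "endpoint" else 0.5 * (lo + hi)
        rows.append({
            "bin": i + 1,
            "trigger": trigger,
            "cumulative": cum,
            "conditional": (cum - prev_cum) / (1.0 - prev_cum),
        })
        prev_cum = cum
    return rows


def walk_scenario(peak_mpa, rows):
    """Follow one scenario through every branch its peak pressure reaches."""
    survive, p_fail, last_bin = 1.0, 0.0, 0
    for row in rows:
        if peak_mpa < row["trigger"]:
            break  # pressure never reaches this branching condition
        p_fail += survive * row["conditional"]   # fails at this branch
        survive *= 1.0 - row["conditional"]      # integral non-failure probability
        last_bin = row["bin"]
    return {"bin": last_bin, "p_fail": p_fail, "p_survive": survive}


def compare(peak_mpa, n_bins, p_lo=0.37, p_hi=1.00):
    """Endpoint and midpoint estimates next to the exact CDF value."""
    result = {"exact": fragility_cdf(peak_mpa)}
    for rule in ("endpoint", "midpoint"):
        rows = branch_table(p_lo, p_hi, n_bins, rule)
        result[rule] = walk_scenario(peak_mpa, rows)
    return result


if __name__ == "__main__":
    # Convergence study: refine the discretization and watch both rules
    # approach the exact value for a scenario peaking at 0.83 MPa.
    for n in (3, 9, 27, 81):
        r = compare(0.83, n)
        print(f"{n:3d} bins  endpoint: bin {r['endpoint']['bin']:2d} "
              f"p={r['endpoint']['p_fail']:.3e}  midpoint: bin "
              f"{r['midpoint']['bin']:2d} p={r['midpoint']['p_fail']:.3e}  "
              f"exact={r['exact']:.3e}")
```

With nine bins the endpoint rule stops at bin six and can only underestimate, because it uses the CDF value at the last edge the scenario crossed; the midpoint rule reaches bin seven and brackets the exact value from the other side.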

Chapter 8: Conclusions and Recommendations for Future Work

This chapter describes the major conclusions of this work. This discussion largely focuses on the capabilities and limitations of the software tools used for this work, the effects of combustion events on the likelihood of containment failure and the uncertainties associated with combustion events. Section 8.1 discusses the suitability of the computational tools used in this analysis for the assessment of low probability events. Section 8.2 discusses the conclusions of the review of the NUREG-1150 containment failure modes using the current state of knowledge. Section 8.3 discusses the implications of late combustion events following deinerting. The risk significance of late combustion events is described in Section 8.4. A discussion of the uncertainties affecting combustion analysis is provided in Section 8.5. Lastly, potential future work is discussed in Section

8.1. Capabilities and Limitations of Software Tools

Through this work, the advantages of dynamic PRA tools, such as ADAPT coupled with a system code, are demonstrated, particularly with regard to the assessment of low probability events with potentially high consequences. The results presented in Section 7.3 show that a dynamic PRA can be implemented with practical computational resources. Through the use of the ADAPT DET generation technique, the amount of data generated and size of trees produced is manageable, and the simulation runtimes are not overly cumbersome if coupled with a relatively fast running simulator such as MELCOR.

Dynamic PRA tools are also well-suited to address low probability events because of their ability to sequentially refine CDFs and observe the convergence of results. The use of a coarse CDF in the initial analysis reduces the computational burden, and additional analyses can be completed in regions significant to accident progression following initial analyses. More importantly, dynamic PRA tools allow for the consistent and mechanistic treatment of severe accident phenomena of a low probability, and remove the dependency on an analyst's input to the event tree. However, if treatment of epistemic uncertainties is desired, an outer-loop iterative analysis must be completed using the ADAPT tool, therefore increasing the runtime. Analysis of epistemic uncertainties is critical since it provides an assessment of the confidence level of the risks resulting from a single DET.

The MELCOR software tool has a significant advantage in that it is relatively fast running due to its lumped parameter approach and use of parametric solutions for complex phenomena. MELCOR also presents a significant advantage in that it covers a broad range of severe accident phenomena. However, some phenomenological models are quite crude, making its fidelity an issue. To estimate the magnitude of uncertainties associated with the crudely modeled phenomena, benchmarking a low-fidelity model against higher-fidelity models would be required.

8.2. NUREG-1150 Containment Failure Modes

The discussion in Section provided a review of the risk-significant containment failure modes of NUREG-1150 using the current state of knowledge. The state of knowledge regarding phenomena and mechanisms affecting the failure modes has progressed significantly since the NUREG-1150 analysis, due to both experimental work and computational studies. For some failure modes, the state of knowledge is sufficient to eliminate them from future considerations. For example, rocket mode and Alpha mode are now considered either physically unrealistic or of such low likelihood that they can be dismissed. Furthermore, containment failure by HPME and DCH also appears to be highly unlikely, as concluded by post NUREG-1150 reviews and demonstrated by the scoping studies presented in Section

Other failure modes are still of concern to varying degrees. The risks resulting from containment isolation failure are difficult to quantify due to a current lack of operational data regarding ILTs; due to the lack of data, isolation failure cannot necessarily be ruled out as a risk significant event. Containment bypass also continues to be of high concern due to its potential for high consequences. Furthermore, previous DET studies at The Ohio State University [10] found this failure mode to be of some probabilistic significance.

The results presented in Section and Section 7.3 demonstrate that combustion-induced failure and containment overpressurization cannot be eliminated from future considerations, as they relate to long-term accident management decisions. Combustion events were predicted to occur after power recovery with sufficient energetics to fail containment with probabilities as high as 40%. While not activating the containment cooling systems will preclude a combustion event, the tradeoff is that containment will then fail by overpressurization if not vented.

8.3. Implications of Late Combustion Events Following Deinerting

This study analyzed late combustion events in an SBO scenario for the Zion Nuclear Power Plant. The large, dry Zion containment is known to be of a particularly robust design with a relatively high limit for failure pressure. The implications of this study are therefore only applicable to containment designs which are very similar to that of Zion, which is composed of steel-lined, pre-stressed concrete.

If power recovery and actuation of containment cooling systems occur prior to the time at which containment pressure approaches the threshold for failure by overpressurization (i.e. the point at which the failure likelihood increases significantly), then the likelihood that deinerting will lead to containment failure is low. The containment loading results presented in Section 7.3 indicate that if power is recovered sufficiently early following lower head failure, then the magnitude of pressure spikes produced from combustion events is relatively small. However, if power recovery occurs late after substantial CO has been released, then there is a significant potential for combustion events to lead to containment failure.

In-vessel hydrogen generation does not appear capable of producing combustion events large enough to fail containment for this plant. Furthermore, a small amount of hydrogen relative to carbon monoxide is generated ex-vessel. Carbon monoxide production is a key contributor to the threat of containment failure. As shown by the studies in Section 7.1, the conditions in the reactor cavity are likely to have a major impact on the potential for containment failure as these conditions significantly affect combustible gas generation. The effectiveness of debris cooling in the cavity (e.g. the heat transfer coefficient associated with heat rejection from debris), the amount of water in the cavity and the duration of cavity dryout directly affect the progression of CCI and therefore the amount of combustible gas generated. If prolonged cavity dryout occurs, or if the debris is assumed to have relatively low heat transfer properties, then significant amounts of hydrogen and carbon monoxide will be generated which are then available to participate in energetic combustion events.

The results in Section 7.3 also showed that the characteristics of the ignition source, in particular the frequency of sparks as a function of their energy, can have a significant impact on the potential for containment failure. For cases with very late power recovery, if ignition occurs shortly after the actuation of containment cooling systems where the atmosphere contains 40% or more steam, then containment failure is unlikely. For cases with relatively early power recovery, the delay between actuation of containment cooling systems and ignition does not appear to affect the likelihood of containment failure, as the magnitude of the combustion event remains small.

8.4. An Accident Management Risk Perspective

The overall risk of late combustible gas explosions resulting in containment failure during SBO scenarios is small. A small fraction of scenarios in the DETs produced combustion events large enough to lead to containment failure. However, if an accident were to progress to the point at which a combustible gas explosion could fail containment, the perspective changes entirely. At that point, if power is recovered the risk manager (e.g. the staff in the Technical Support Center) is faced with a conditional probability perhaps in the neighborhood of 40% that if the fan coolers are activated, a combustible gas explosion could fail containment.

The importance of the type of analyses performed for this dissertation is that they help to develop accident management strategies in advance. In this particular scenario, the strategy could be to do nothing and let the containment fail by overpressure, which is unattractive, or cool down the containment and risk the probability of a major combustible gas explosion, which could be even more unattractive. Alternatively, the strategy could be to cool the containment but only to the point at which the partial pressure of steam remained sufficiently high that the containment is inerted. If there were a portable filtered vent system stored offsite, it could be brought to the plant site and the containment could be vented until the possibility of a major explosion no longer existed.

8.5. Modeling Uncertainties Affecting Combustion Analysis

There are a variety of uncertainties associated with the models employed by MELCOR which directly affect the analysis of combustion events and the resulting likelihood of containment failure. The following are areas in which additional research, model development or tuning of models to higher fidelity calculations could significantly affect conclusions:

- Hydrogen stratification within the containment, which could affect conclusions regarding whether earlier failure of containment could occur as the result of a deflagration or detonation.
- The coolability of molten core debris entering a water-filled reactor cavity and the potential to preclude core-concrete attack.
- The degraded core debris configuration and the effect of reflooding on hydrogen generation.
- The heat transfer to an overlying water pool while core-concrete attack is in progress.
- The combustion characteristics of mixtures of hydrogen and carbon monoxide, including flammability limits, deflagration limits and the effects of diluents.
- The availability of ignition sources in containment, including the frequency of spark as a function of energy.

Recommendations for Future Work

This section addresses considerations for future work related to the analyses presented in this dissertation. These recommendations can be classified into the following areas: improvement in the approximation of the recurrence curve, convergence analyses of rediscretized CDFs, inclusion of epistemic uncertainties, inclusion of offsite consequence analyses, and treatment of accident mitigation procedures.

While this work presented a methodology for approximating the probability of combustion dependent on conditions in containment, the spark frequency recurrence curve developed in this analysis was highly speculative and had no basis in actual data, as no data were available. If experimental data regarding the sparking characteristics of industrial-sized equipment could be obtained, a more appropriate recurrence curve could be developed. However, in the absence of these data, it would be insightful to examine the sensitivity of the combustion probability results to different forms of the recurrence curve. Given the apparent sensitivity of the ignitability of a gas mixture and the magnitude of the resulting pressure spike shortly following actuation of containment cooling systems (as discussed in Section 7.3.3), the recurrence curve has a significant effect on the likelihood of combustion-induced containment failure. Exploration of this sensitivity would provide bounds on the uncertainties regarding the potential peak pressures and likelihood of containment failure. Furthermore, the two-hour interval used in this analysis should be refined to investigate combustion events shortly following (i.e. within one hour) power recovery, but a framework which enables delayed ignition should be maintained.

Within this work, a sequential CDF rediscretization technique was presented that demonstrated convergence of the probability of combustion-induced containment failure when using a midpoint approximation. Because containment failure was effectively the end state for this analysis, convergence to the true solution was easy to ascertain and demonstrate. However, for branching classes based on more complicated severe accident phenomena, such as creep rupture or pump seal failure, a more detailed convergence analysis is necessary, as these branching classes are dependent on surrogates representing the state space, rather than actual state variables such as containment pressure. Given the importance of the creep rupture phenomenon demonstrated in the Metzroth analysis [10], the creep rupture branching conditions are ideal candidates for further convergence analyses using the sequential discretization technique described in Chapter 6. Additional exploration of this phenomenon would serve to demonstrate its significance to accident progression in addition to further developing the sequential discretization technique.

Three areas which were not addressed in this analysis were the effect of epistemic uncertainties, consideration of offsite consequences, and implementation of accident mitigation strategies. Inclusion of epistemic uncertainties entails parametrically varying the input to MELCOR to obtain the sensitivity of results to modifications in key modeling parameters by generating numerous DETs for a single scenario, which is expected to be computationally expensive.

Analysis of offsite consequences resulting from containment failure was also absent from this work. While containment failure is certainly undesirable, the timing of containment failure relative to the processes occurring within containment can have a significant effect on the resulting consequences. During a severe accident, radionuclides tend to deposit within the reactor coolant system and containment following their initial release, but some species, in particular cesium and iodine, will resuspend as these surfaces heat up and be available for release. The evolution of the source term within containment can be modeled using a system code like MELCOR (through the RN package), but additional detail in the modeling parameters affecting radionuclide transport, deposition and resuspension would be required to develop a more realistic source term. In this analysis, no significant consideration was given to radionuclide transport within containment.

Lastly, in light of the changing regulatory environment and the combustion results shown in Section 7.3, it is recommended that a DET analysis be performed which includes a more accurate characterization of the use of FLEX equipment and accident mitigation strategies. This type of analysis could be segregated into two areas: exploration of the capabilities and limitations of FLEX equipment and their effect on accident progression, and treatment of a range of mitigation strategies. A systematic analysis of mitigation strategies could be utilized to determine the probability of containment failure (or other undesirable events) dependent on the relative timing of mitigation actions (as described in Section 8.4).

References

[1] U.S. Nuclear Regulatory Commission, "Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," WASH-1400, NUREG-75/014, Washington, D.C.,
[2] U.S. Nuclear Regulatory Commission, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, Washington, D.C.,
[3] R. O. Gauntt, "MELCOR Computer Code Manual, Version 1.8.5, Vol. 2, Rev.2," NUREG/CR-6119, Sandia National Laboratory, Albuquerque, NM,
[4] Fauske & Associates, Inc., "MAAP4 - Modular Accident Analysis Program for LWR Power Plants, Vol.2, Part 1: Code Structure and Theory," Electric Power Research Institute, Palo Alto, CA,
[5] Sandia National Laboratories, "State-of-the-Art Reactor Consequence Analysis Project," NUREG/CR-7110, Albuquerque, NM,
[6] A. Hakobyan, T. Aldemir, R. Denning, S. Dunagan, D. Kunsman, B. Rutt and U. Catalyurek, "Dynamic Generation of Accident Progression Event Trees," Nuclear Engineering and Design, vol. 238, pp ,
[7] K. Hsueh and A. Mosleh, "The Development and Application of the Accident Dynamic Simulator for Dynamic Probabilistic Risk Assessment of Nuclear Power Plants," Reliability Engineering and System Safety, vol. 52, pp ,
[8] M. Kloos and J. Peschke, "MCDET: A Probabilistic Dynamics Method Combining Monte Carlo Simulation with the Discrete Dynamic Event Tree Approach," Nuclear Science and Engineering, vol. 153, pp ,
[9] S. Basu and T. Ginsberg, "A Reassessment of the Potential for an Alpha-Mode Containment Failure and Review of the Current Understanding of Broader Fuel-Coolant Interaction issues," NUREG-1524, U.S. Nuclear Regulatory Commission, Washington, D.C.,
[10] K. Metzroth, "A Comparison of Dynamic and Classical Event Tree Analysis for Nuclear Power Plant Probabilistic Safety/Risk Assessment," Ph.D. Dissertation, The Ohio State University, Columbus, OH,
[11] U.S. Nuclear Regulatory Commission, "Safety Goals for the Operation of Nuclear Power Plants," Policy Statement, 51 FR 30028, Washington, D.C.,
[12] U.S. Nuclear Regulatory Commission, "Generic Letter No ," Washington, D.C.,
[13] U.S. Nuclear Regulatory Commission, "Individual Plant Examinations: Submittal Guidance," NUREG-1335, Washington, D.C.,
[14] J. T. Chen, N. C. Chockshi, R. M. Kenneally, G. B. Kelly, W. D. Beckner, C. McCracken, A. J. Murphy, L. Reiter and D. Jeng, "Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities," NUREG-1407, U.S. Nuclear Regulatory Commission, Washington, D.C.,
[15] U.S. Nuclear Regulatory Commission, "Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement," 60 FR 42622, Washington, D.C.,
[16] U.S. Nuclear Regulatory Commission, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," Regulatory Guide 1.174, Washington, D.C.,
[17] W. T. Pratt, V. Mubayi, T. L. Chu, G. Martinez-Guridi and J. Lehner, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," NUREG/CR-6595, Rev.1, Brookhaven National Laboratory, Upton, NY,
[18] U.S. National Archives and Records Administration, "10 CFR : Aircraft Impact Assessment," Code of Federal Regulations, Washington, D.C.,
[19] U.S. Nuclear Regulatory Commission, "Safety Goals for the Operations of Nuclear Power Plants," Policy Statement, 51 FR 30028, Washington, D.C.,
[20] A. Amendola and G. Reina, "DYLAM-1, A Software Package for Event Sequence and Consequence Spectrum Methodology," EUR-924, CEC-JRC ISPRA, Commission of the European Communities,
[21] T. Aldemir and M. Hassan, "A Data Base Oriented Dynamic Methodology for the Failure Analysis of Closed Loop Control Systems in Process Plants," Reliability Engineering and System Safety, vol. 27, pp ,
[22] S. A. Lapp and G. J. Power, "Computer-Aided Synthesis of Fault Trees," IEEE Transactions on Reliability, Vols. R-26, pp. 2-13,
[23] S. Guarro, M. Yau and M. Motamed, "Development of Tools for Safety Analysis of Control Software in Advanced Reactors," NUREG/CR-6465, U.S. Nuclear Regulatory Commission, Washington, D.C.,
[24] T. Aldemir, "Computer-Assisted Markov Failure Modeling of Process Control Systems," IEEE Transactions on Reliability, Vols. R-36, pp ,
[25] European Commission, "Communication from the Commission to the Council and the European Parliament on the interim report on the comprehensive risk and safety assessments ("stress tests") of nuclear power plants in the European Union," COM(2011)784, Brussels, Belgium,
[26] G. Apostolakis, et al., "A Proposed Risk Management Regulatory Framework," U.S. Nuclear Regulatory Commission, Washington, D.C.,
[27] World Health Organization, "Preliminary Dose Estimation from the Nuclear Accident after the 2011 Great East Japan Earthquake and Tsunami," [Online]. Available: [Accessed 2013].
[28] A. Maclachlan, "Most Fukushima doses likely below harmful level: UN agencies," Nucleonics Week, vol. 53, no. 22, Platts, New York, NY,
[29] R. Chang, J. Schaperow, T. Ghosh, J. Barr, C. Tinkler and M. Stutzke, "State-of-the-Art Reactor Consequence Analyses (SOARCA) Report," NUREG-1935, U.S. Nuclear Regulatory Commission, Washington, D.C.,
[30] R. Denning and S. McGhee, "The Societal Risk of Severe Accidents in Nuclear Power Plants," in Transactions of the American Nuclear Society, Atlanta, GA,
[31] U.S. Environmental Protection Agency, "Manual of Protective Action Guides and Protective Actions for Nuclear Incidents," Office of Radiation Programs, EPA, Washington, D.C.,
[32] C. Miller, A. Cubbage, D. Dorman, J. Grobe, G. Holahan and N. Sanfilippo, "Recommendations for Enhancing Reactor Safety in the 21st Century: The Near-Term Task Force Review of Insights from Fukushima Dai-Ichi Accident," U.S. Nuclear Regulatory Commission, Washington, D.C.,
[33] ASME Presidential Task Force on Response to Japan Nuclear Power Plant Events, "Forging a New Nuclear Safety Construct," American Society of Mechanical Engineers, New York, NY,
[34] International Atomic Energy Agency, "IAEA Report on Reactor and Spent Fuel Safety in the Light of the Accident at the Fukushima Daiichi Nuclear Power Plant," International Experts Meeting, IAEA Action Plan on Nuclear Safety, Vienna, Austria,
[35] NEI, INPO, EPRI, "The Way Forward: U.S. Industry Leadership in Response to Events at the Fukushima Daiichi Nuclear Power Plant," Nuclear Energy Institute, Institute of Nuclear Power Operations, Electric Power Research Institute, Washington, D.C., Atlanta, GA, Palo Alto, CA,
[36] M. M. Pilch and M. D. Allen, "Closure of the Direct Containment Heating Issue for Zion," Nuclear Engineering and Design, vol. 164, pp ,
[37] L. N. Kmetyk, R. K. Cole, R. C. Smith, R. M. Summers and S. L. Thompson, "MELCOR Assessment: Surry PWR TMLB' (with a DCH Study)," SAND , Sandia National Laboratories, Albuquerque, NM,
[38] J. L. Binder and B. W. Spencer, "Investigations into the Physical Phenomena and Mechanisms that Affect Direct Containment Heating Loads," Nuclear Engineering and Design, vol. 164, pp ,
[39] M. D. Allen, M. Pilch, R. T. Nichols and R. O. Griffith, "Experiments to Investigate the Effect of Flight Path on Direct Containment Heating (DCH) in the Surtsey Test Facility," NUREG/CR-5728, Sandia National Laboratories, Albuquerque, NM,
[40] M. D. Allen, M. Pilch, R. O. Griffith and T. K. Blanchat, "Experimental Results of Integral Effects Tests with 1/10th Scale Zion Subcompartment Structures in the Surtsey Test Facility," Nuclear Engineering and Design, vol. 155, pp ,
[41] T. K. Blanchat and M. D. Allen, "Experiments to Investigate DCH Phenomena with Large-Scale Models of the Zion and Surry Nuclear Power Plants," Nuclear Engineering and Design, vol. 164, pp ,
[42] Fauske & Associates, Inc., "High-Pressure Melt Ejection (HPME) and Direct Containment Heating (DCH), State of the Art Report," NEA/CSNI/R(96)25, OCDE/GD(96)194, Sandia National Laboratories, Albuquerque, NM,
[43] K. E. Washington and D. S. Stuart, "Comparison of CONTAIN and TCE Calculations for Direct Containment Heating of Surry," Nuclear Engineering and Design, vol. 164, pp ,
[44] Q. Wu, S. Kim, M. Ishii, S. T. Revankar and R. Y. Lee, "High Pressure Simulation Experiment on Corium Dispersion in Direct Containment Heating," Nuclear Engineering and Design, vol. 164, pp ,
[45] M. D. Allen, M. Pilch, T. K. Blanchat, R. O. Griffith and R. T. Nichols, "Experiments to Investigate Direct Containment Heating Phenomenon with Scaled Models of the Zion Nuclear Power Plant in the SURTSEY Test Facility," NUREG/CR-6044, Sandia National Laboratories, Albuquerque, NM,
[46] M. M. Pilch, H. Yan and T. G. Theofanous, "The Probability of Containment Failure by Direct Containment Heating in Zion," Nuclear Engineering and Design, vol. 164, pp. 1-36,
[47] H. Yan and T. G. Theofanous, "The Prediction of Direct Containment Heating," Nuclear Engineering and Design, vol. 164, pp ,
[48] M. Pilch, "A Two-Cell Equilibrium Model for Predicting Direct Containment Heating," Nuclear Engineering and Design, vol. 164, pp ,
[49] Fauske & Associates, Inc., "Zion IPE, Commonwealth-Edison Zion Station: Individual Plant Evaluations," NRC Doc. No , Burr Ridge, IL,
[50] M. M. Pilch, M. D. Allen, D. L. Knudson, D. W. Stamps and E. L. Tadios, "The Probability of Containment Failure by Direct Containment Heating in Zion," NUREG/CR-6075, Sandia National Laboratories, Albuquerque, NM,
[51] D. L. Knudsen and J. L. Rempe, "SCDAP/RELAP5-3D: A State of the Art Tool for Severe Accident Analysis," RELAP5 International Users Seminar, Idaho National Laboratories, Idaho Falls, ID,
[52] K. K. Murata, D. C. Williams, J. Tills, R. O. Griffith, R. G. Gido, E. L. Tadios, F. J. Davis, G. M. Martinez and K. E. Washington, "Code Manual for CONTAIN 2.0, A Computer Code for Reactor Containment Analysis," NUREG/CR-6533, SAND , Sandia National Laboratories, Albuquerque, NM,
[53] D. H. Cho, D. R. Armstrong and W. H. Gunther, "Experiments on Interactions Between Zirconium-Containing Melt and Water," NUREG/CR-5372, Argonne National Laboratory, Lemont, IL,
[54] D. Magallon and I. Huhtiemi, "Corium Melt Quenching Tests at Low Pressure and Subcooled Water in FARO," Nuclear Engineering and Design, vol. 204, pp ,
[55] D. Magallon, I. Huhtiemi and H. Hohmann, "Lessons Learnt from FARO/TERMOS Corium Melt Quenching Experiments," Nuclear Engineering and Design, vol. 189, pp ,
[56] J. H. Kim, B. T. Min, I. K. Park, H. D. Kim and S. W. Hong, "Steam Explosion Experiments Using Partially Oxidized Corium," Journal of Mechanical Science and Technology, vol. 22, pp ,
[57] J. H. Kim, I. K. Park, S. W. Hong, B. T. Min, S. H. Hong, J. H. Song and H. D. Kim, "Steam Explosion Experiments Using Nuclear Reactor Materials in the TROI Facilities," Heat Transfer Engineering, vol. 29, no. 8, pp ,
[58] J. H. Song, I. K. Park, Y. S. Shin, J. H. Kim, S. W. Hong, B. T. Min and H. D. Kim, "Fuel Coolant Interaction Experiments in TROI Using a UO2/ZrO2 Mixture," Nuclear Engineering and Design, vol. 222, pp. 1-15,
[59] J. H. Song, I. K. Park, Y. S. Sin, J. H. Kim, S. W. Hong, B. T. Min and H. D. Kim, "Spontaneous Steam Explosions Observed in the Fuel Coolant Interaction Experiments Using Reactor Materials," Journal of the Korean Nuclear Society, vol. 33, no. 4, pp ,
[60] U.S. Atomic Energy Commission, "SL-1 Reactor Accident on January 3, 1961," IDO-19300, Washington, D.C.,
[61] T. Theophanous and W. Yuen, "The Probability of Alpha-Mode Containment Failure," Nuclear Engineering and Design, vol. 155, pp ,
[62] B. R. Sehgal, Nuclear Safety in Light Water Reactors, Severe Accident Phenomenology, Academic Press, Waltham, MA,
[63] R. Vijaykumar and M. Khatib-Rahbar, "Lift-off Potential of Reactor Pressure Vessel at High Pressure Pressurized Water Reactors," in International Meeting: PSA/PRA and Severe Accidents, Ljubljana, Slovenia,
[64] C. K. Park, E. G. Cazzoli, C. A. Grimshaw, A. Tingle, M. Lee and W. T. Pratt, "Evaluation of Severe Accident Risks: Zion, Unit 1," NUREG/CR-4551, Vol. 7, Rev.1, Part 1, Brookhaven National Laboratory, Upton, NY,
[65] M. T. Farmer, D. J. Kilsdonk and R. W. Aeschlimann, "Corium Coolability Under Ex-Vessel Accident Conditions for LWRs," Nuclear Engineering and Technology, vol. 41, no. 5,
[66] M. T. Farmer, S. Lomperski, S. Basu, D. Kilsdonk and R. W. Aeschlimann, "A Summary of Findings from the Melt Coolability and Concrete Interaction (MCCI) Program," in Proceedings of ICAPP 2007, Nice, France,
[67] D. Bjerketvedt, J. R. Bakke and K. van Wingerden, "Gas Explosion Handbook," Journal of Hazardous Materials, vol. 52, pp ,
[68] International Atomic Energy Agency, "Mitigation of Hydrogen Hazards in Severe Accidents in Nuclear Power Plants," IAEA-TECDOC-1661, Safety Assessment Section, Vienna, Austria,
[69] M. N. Fardis, A. Nacar and A. Delichatsios, "R/C Containment Safety Under Hydrogen Detonation," Journal of Structural Engineering, vol. 109, no. 11, pp ,
[70] W. Breitung, et al., "State of the Art Report on Flame Acceleration and Deflagration to Detonation Transition in Nuclear Safety," NEA/CSNI/R(2000)7, OECD Nuclear Energy Agency, Issy-les-Moulineaux, France,
[71] W. Breitung, "Conservative Estimates for Dynamic Containment Loads from Hydrogen Combustion," Nuclear Engineering and Design, vol. 140, pp ,
[72] S. B. Dorofeev, A. S. Kochurko, A. A. Efimenko and B. B. Chaivanov, "Evaluation of the Hydrogen Explosion Hazard," Nuclear Engineering and Design, vol. 148, pp ,
[73] M. P. Sherman, "Hydrogen Combustion in Nuclear Plant Accidents and Associated Containment Loads," Nuclear Engineering and Design, vol. 82, pp ,
[74] H. F. Coward and G. W. Jones, "Limits of Flammability of Gases and Vapors," Bulletin 503, U.S. Bureau of Mines,
[75] M. P. Sherman, S. R. Tieszen and W. B. Benedick, "FLAME Facility: The Effect of Obstacles and Transverse Venting on Flame Acceleration and

245 Transition to Detonation for Hydrogen-Air Mixtures at Large Scale," NUREG/CR-5275, SAND , Sandia National Laboratories, Albuquerque, NM, [76] W. Breitung and R. Redlinger, "Containment Pressure Loads from Hydrogen Combustion in Unmitigated Severe Accidents," Nuclear Technology, vol. 111, pp , [77] R. Ono, M. Nifuku, S. Fujiwara, S. Horiguchi and T. Oda, "Minimum Ignition Energy of Hydrogen-Air Mixture: Effects of Humidity and Spark Duration," Journal of Electrostatics, vol. 65, pp , [78] B. Lewis and G. von Elbe, Combustion, Flames and Explosions, New York: Academic Press, [79] W. Zhang, Z. Chen and W. Kong, "Effects of Diluents on the Ignition of Premixed H2/Air Mixtures," Combustion and Flame, vol. 159, no. 1, pp , [80] Z. M. Shapiro and T. R. Moffette, "Hydrogen Flammability Data and Application to PWR Loss-of-Coolant Accident," WAPD-SC-545, Bettis Plant, Westinghouse Electric Corporation, Pittsburgh, PA, [81] M. R. Swain, P. A. Filoso and M. N. Swain, "Ignition of Lean Hydrogen- Air Mixtures," International Journal of Hydrogen Energy, vol. 30, pp , [82] S. P. Bane, J. E. Shepherd, E. Kwon and A. C. Day, "Statistical Analysis 219

246 of Electrostatic Spark Ignition of Lean H2/O2/Ar Mixtures," International Journal of Hydrogen Energy, vol. 36, pp , [83] B. W. Marshall, "Hydrogen:Air:Steam Flammability Limits and Combustion Characteristics in the FITS Vessel," NUREG/CR-3468, Sandia National Laboratory, Albuquerque, NM, [84] V. Gustavsson, J. Rohde and M. Vidard, "Impact of Short-Term Severe Accident Management Actions in a Long-Term Perspective: Final Report," NEA/CSNI/R(2000)8, CSNI-PWG4 Task Group on Containment Aspects of Severe Accident Management, Nuclear Energy Agency, Paris, France, [85] M. F. Hessheimer and R. A. Dameron, "Containment Integrity Research at Sandia National Laboratories: An Overview," NUREG/CR-6906, Sandia National Laboratories, Albuquerque, NM, [86] B. W. Spencer, J. P. Petti and D. M. Kunsman, "Risk-Informed Assessment of Degraded Containment Vessels," NUREG/CR-6920, SAND P, Sandia National Laboratories, Albuquerque, NM, [87] Hibbit, Karlsson and Sorenson, "ABAQUS Standard User's Manual, Version 6.3," [88] C. F. Boyd, D. M. Helton and K. Hardesty, "CFD Analysis of Full-Scale Steam Generator Inlet Plenum Mixing During a PWR Severe Accident," 220

247 NUREG-1788, U.S. Nuclear Regulatory Commission, Washington, D.C., [89] Nuclear Energy Institute, Letter from Adrian Heymer, NEI, to David L. Skeen, U.S. NRC, "An Integrated, Safety-Focused Approach to Expediting Implementation of Fukushima Daiichi Lessons Learned", Project Number 689, Washington, D.C., December 16, [90] J. R. Weatherby, "Posttest Analysis of a 1:6-Scale Reinforced Concrete Reactor Containment Building," NUREG/CR-5476, U.S. Nuclear Regulatory Commission, Washington, D.C., [91] S. Dingman, "HECTR Version 1.5 User's Manual," NUREG/CR-4507, SAND , Sandia National Laboratories, Albuquerque, NM, [92] D. R. Bradley and D. R. Gardner, "CORCON-MOD3: An Integrated Computer Model for Analysis of Molten Core Concrete Interactions, User's Manual," NUREG/CR-5843, SAND , Sandia National Laboratories, Albuquerque, NM, [93] D. A. Powers, J. E. Brockmann and A. W. Shiver, "VANESA: A Mechanistic Model of Radionuclide Release and Aerosol Generation During Core Debris Interaction with Concrete," NUREG/CR-4308, SAND , Sandia National Laboratories, Albuquerque, NM, [94] "MySQL: The world's most popular open source database," [Online]. Available: [Accessed 2012]. 221

248 [95] M. H. Fontana, "The Industry Degraded Core Rulemaking Program: IDCOR - An Overview," in Proceedings of American Nuclear Society International Meeting on Light Water Reactor Severe Accidents, Cambridge, MA, [96] A. P. Hakobyan, "Severe Accident Analysis Using Dynamic Accident Progression Event Trees," Ph.D. Dissertation, The Ohio State University, Columbus, OH, [97] M. B. Stattison and K. W. Hall, "Analysis of Core Damage Frequency: Zion Unit 1, Internal Events," NUREG/CR-4550, Vol. 7, U.S. Nuclear Regulatory Commission, Washington, D.C., [98] Commonwealth Edison Company, "Zion Probabilistic Safety Study," Chicago, IL, [99] D. L. Barry and et al., "Review and Evaluation of the Zion Probabilistic Safety Study," NUREG/CR-3300, SAND , Sandia National Laboratories, Albuquerque, NM, [100] E. Hofer, M. Kloos, B. Krzykacz-Hausmann, J. Peschke and M. Sonnenkalb, "Dynamic Event Trees for Probabilistic Safety Analysis," GRS, Garsching, Germany, [101] W. E. Bickford and A. S. Tabatabai, "Effects of Control Systems Failures on Transients, Accidents and Core-Melt Frequences at a Westinghouse PWR," NUREG/CR-4385, Pacific Northwest National Laboratory, 222

249 Richland, WA, [102] U.S. Nuclear Regulatory Commission Inspection and Enforment Training Center, "Systems Manual Pressurized Water Reactors, Vol. 1," Washington, D.C.. [103] Westinghouse Owner's Group, "Zion Nuclear Power Plant Emergency Operating Procedure ECA-0-2: Recovery of AC Power with SI Required," Cranberry Township, PA, [104] S. A. Eide, C. D. Gentillon, T. E. Wieman and D. M. Rasmuson, "Reevaluation of Station Blackout RIsk at Nuclear Power Plants, Analysis of Loss of Offsite Power Events: ," NUREG/CR-6890, Vol. 1, INL/EXT , Vol. 1, Idaho National Laboratory, Idaho Falls, ID, [105] A. Brunett, R. Denning and T. Aldemir, "A Reassessment of Low Probability Containment Failure Modes," in Proceedings of International Meeting on Severe Accident Assessment and Management: Lessons Learned from Fukushima Dai-ichi, San Diego, CA, [106] S. P. Bane, J. L. Ziegler, P. A. Boettcher, S. A. Coronel and J. E. Shepherd, "Experimental Investigation of Spark Ignition Energy in Kerosene, Hexane, and Hydrogen," in Proceedings of Prevention and Mitigation of Industrial Explosions Selected papers from the Eighth International Symposium on Hazards, Yokohama, Japan,

250 [107] G. A. Karim, I. Wierzba and S. Boon, "Some Considerations of the Lean Flammability Limits of Mixtures Involving Hydrogen," International Journal for Hydrogen Energy, vol. 10, pp , [108] M. Khatib-Rahbar and M. Zavisca, "A Monte Carlo Method for Estimation of the Probability of Combustion-Induced Containment Failure," in OECD International Workshop on Level 2 PSA and Severe Accident Management, Koln, Germany, [109] S. G. Ashbaugh, M. T. Leonard, P. Longmire, R. O. Gauntt and D. A. Powers, "Accident Source Terms for Pressurized Water Reactors with High-Burnup Cores Calculated Using MELCOR 1.8.5," SAND , Sandia National Laboratories, Albuquerque, NM, [110] M. M. Pilch, M. D. Allen and E. W. Klamerus, "Resolution of the Direct Containment Heating Issue for All Westinghouse Plants with Large Dry Containments or Subatmospheric Containments," NUREG/CR-6338, SAND , Sandia National Laboratories, Albuquerque, NM, [111] D. R. Whitehouse, D. R. Greig and G. W. Koroll, "Combustion of Stratified Hydrogen-Air Mixtures in the 10.7 m3 Combustion Test Facility Cylinder," Nuclear Engineering and Design, vol. 166, pp ,

Appendix A: NUREG-1150 APET for Zion

Figure A.1: Questions 1 through 30 of the Zion APET* [64].
*SF = split fraction, ZO = zero-one, Summary = summary question, UFUN = user function evaluation, SARRP = Severe Accident Risk Reduction Program, Struct. = structural expert panel, In-Vessel = in-vessel expert panel, Loads = loads expert panel, DS = sampling from distribution developed by expert panel.

Figure A.2: Questions 31 through 60 of the Zion APET [64].

Figure A.3: Questions 61 through 72 of Zion APET [64].