A seismic probabilistic risk assessment (PRA) of a nuclear plant requires identification and information regarding the seismic hazard at the plant site, dominant accident sequences leading to core damage, and structure and equipment fragilities. Uncertainties are associated with each of these ingredients of a PRA. Sources of uncertainty due to seismic hazard and assumptions underlying the component fragility modeling may be significant contributors to uncertainty in estimates of core damage

more »

... ability. Design and construction errors also may be important in some instances. When these uncertainties are propagated through the PRA, the frequency distribution of core damage probability may span three orders of magnitude or more. This large variability brings into question the credibility of PRA methods and the usefulness of insights to be gained from a PRA. The sensitivity of accident sequence probabilities and highconfidence, low probability of failure (HCLPF) plant fragilities to seismic hazard and fragility modeling assumptions was examined for three nuclear power plants. Mean accident sequence probabilities were found to be relatively insensitive (by a factor of two or less) to: uncertainty in the coefficient of variation (logarithmic standard deviation) describing inherent randomness in component fragility; truncation of lower tail of fragility; uncertainty in random (non-seismic) equipment failures (e.g., diesel generators); correlation between component capacities; and functional form of fragility family. On the other hand, the accident sequence probabilities, expressed in the form of a frequency distribution, are affected significantly by the seismic hazard modeling, including slopes of seismic hazard curves and likelihoods assigned to those curves. When the fragility modeling and plant logic are effectively uncoupled from the seismic hazard analysis in a seismic margin study, the influence of the large uncertainty in the seismic hazard is eliminated. Other modeling assumptions and sources of uncertainty become relatively more important. It appears that in seismic margin studies, uncertainties in fragility modeling take on a different significance than they do in seismic PRA studies. Questions have been raised in seismic PRAs concerning the potential for gross design and construction errors and their impact on estimates of seismic risk. Methodologies for dealing with errors are in a developmental stage and supporting data are limited. The error problem can be dealt with in an approximation by postulating various error scenarios and their effect on component fragilities, recalculating the core damage probabilities, and comparing the results to the error-free case. iii Although such analyses indicate that plausible design/construction errors have little effect on mean core damage probabilities, such conclusions are valid only to the extent that errors can be incorporated in the PRA through adjustments in component fragility models. Abstract iii List of Tables vii List of Figures ix 1.0 5.2.3 Fragility modeling 55 5.2.4 Random nonseismic equipment failures 60 5.2.5 Dependent (common cause) failures 62 5.2.6 Seismic hazard 65 5.3 Millstone 3 66 5.4 Maine Yankee 68 Addendum A5 Seismic hazard -fragility interactions 69 A5.1 Introduction 69 A5.2 Method of analysis 70 A5.3 Results 71 A5.3.1 Lognormal fragility model 71 A5.3.2 Modified Iognormal fragilities 73 A5.3.3 Weibull fragility model 73 A5.4 Simplified estimates of core damage probability 74 A5.5 Estimating core damage probability from HCLPF 76 A5.6 Summary 77 6.0 Role of error in safety evaluation 103 6.1 Design/construction errors 103 6.2 Significance of error for nuclear plant safety 104 6.3 Sensitivity of risk estimates to postulated errors 107 6.3.1 Limerick generating station 108 6.3.2 Millstone 3 109 6.4 Summary 110 7.0 Conclusions and recommendations 113 8.0 Acknowledgements 121 9.0 References 123 vi 2 analysis to be retained and, at the same time, simplifies the safety analysis of the plant by separating the issues of seismic hazard determination and plant logic and fragility. Recent trends are toward the use of seismic margin analysis to determine plant system vulnerability. Two variants of the margins methodology have been developed (Budnitz, 1992) , differing in the treatment of plant logic. The first and older approach focuses on failure paths, as in a traditional PRA, and was developed under NRC sponsorship (Budnitz, et al, 1985) . The second approach, developed under EPRI sponsorship, focuses on "success paths," or ways by which the plant can reach safe shutdown (EPRI, 1988) . Issues related to treatment of uncertainty arising from inherent randomness, lack of data, and modeling uncertainty are germane to both, of course. Either way, margins analysis stops at Level I; plant damage states and offsite consequences are not considered. 1.2 Insights from Existing PRAs A sufficient number of seismic PRAs have been completed for some general conclusions to be drawn (Probabilistic, 1984; Special, 1990). Some results are described in the following paragraphs. They are organized along the lines of the four items in section 1.1.1. Seismic Hazard Most studies have shown that uncertainties in the seismic hazard curve dominate uncertainty in risk due to seismic events and that orderof-magnitude changes in the seismic hazard curve yields similar changes in core damage probability (Reed and McCann, 1984; Ravindra, et al, 1984) . Below a certain magnitude, ground motion is insufficient to cause any damage to a properly designed plant. Ground motions above a certain level are physically impossible. Thus, the possible ground motion parameters (e.g., effective peak ground acceleration) are limited from above and below. However, because of insufficient data, lack of agreement among experts, etc., the seismic hazard curves usually are assumed to be unbounded from above and below (Bernreuter, 1987; EPRI, 1989). There is an issue as to whether the seismic hazard curves should be truncated and, if so, where. Several studies (e.g., Ravindra, et al, 1984; Ravindra, et al, 1985) have shown that the major contribution to core damage probability comes from ground accelerations in the range of 2 to 4 times the SSE. Although truncating the hazard curve above 5 SSE or below 1 SSE would seem to have little effect on the core damage probabilities, others have concluded that as much as 20 percent of the core damage probability may come from earthquakes smaller than the SSE (Shiu, Reed and McCann, 1985) . Core damage frequency is only moderately affected by the SSE chosen as a basis for design because the seismic hazard curves for typical plants in the Eastern United States are so flat.