2CAN078507, Responds to 850424 Request for Addl Info Re Generic Ltr 83-28,Items 2.1.1,2.1.2,2.2.1,2.2.2 & 4.5.3.All Items Incomplete.Evaluation of Reactor Protection Sys to Address Item 4.5.3 Encl
| ML20127A055 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 07/26/1985 |
| From: | Enos J ARKANSAS POWER & LIGHT CO. |
| To: | Butcher E Office of Nuclear Reactor Regulation |
| References | |
| 2CAN078507, 2CAN78507, GL-83-28, NUDOCS 8508050378 | |
| Download: ML20127A055 (18) | |
Text
O E?
~ed ARKANSAS POWER & LIGHT COMPANY POST OFFICE BOX 551 LITTLE ROCK, ARKANSAS 72203 (501) 371-4000 July 26, 1985 2CAN078507 Mr. Edward J. Butcher, Jr.
Acting Chief, Operating Reactors Branch 3 Division of Licensing U. S. Nuclear Regulatory Commission Washington, D.C.
20555
SUBJECT:
Arkansas Nuclear One - Unit 2 Docket No. 50-368 License No. NPF-6 Generic Letter 83-28 Request for Additional Information Gentlemen:
In response to your letter dated April 24, 1985 (2CNA048504) the following information is provided.
Item 2.1.1. - Incomp.lete Licensee must supply a statement confirming that reactor trip system components were reviewed and that they are identified as safety-related on documents, procedures and information handling systems.
Response: Our original response to this item indicated that we were developing a component listing of safety related Reactor Trip System components.
This effort is now complete.
After development of the list, a review was conducted to verify that procedures utilized for the identified components were classified as safety related.
This effort is complete with satisfactory results.
No procedure changes were identified as necessary as a result of the review.
Item 2.1.2. - Incomplete Licensee needs to supply detailed information describing his vendor interface program for reactor trip system components.
Information supplied should state how the program assures that vendor technical information is kept complete, current, and controlled throughout the life of the plant and should also indicate how the program will be implemented at ANO-2.
8508050378 8507 6 DR ADOCK 050 g
p MEMBEA MICOLE SOUTH UTiuTIES SYSTEM J
-0 Mr. Edward J. Butchsr, Jr. July 26,1985
' Response: Our original response to this item discussed our means of controlling, reviewing, and incorporation of vendor information.
This program is procedurally implemented.
l In addition to this program, AP&L is in the process of further enhancing.our controls of vendor manuals.
The new program will address vendor manuals and other available technical data for the reactor trip components.
The first. phase of this program, which identified safety-related plant component vendor manuals at ANO, has been completed.
The next phase of the program, currently beginning, will include a r.eview of the components.
Once this is accomplished available pertinent technical information will be assembled and reviewed for applicability to the ANO specific components.
This information will be used to update the technical manuals.
Upon completion of.this effort the technical manuals for safety-related equipment will be treated as controlled documents for the life of the plant, and industry and vendor initiated technical information which is continuingly applicable to ANO specific equipment will be incorporated into or reference in the vendor manuals.
Item 2.2.1. - Incomplete Licensee r.eeds to supply detailed information on how equipment will be classified as safety related and will be designated as such on plant documentation as requested in sub-items 2.2.1.1 to 2.2.1.6.
Response: AP&L currently has a system level Q list as described in the original response to item 2.1.
The terms Safety Related and Q are used synonymously when referring to components and are defined as those structures, systems and components which are relied upon to remain functional during and following design base events to ensure:
(1) the integrity of the reactor coolant boundary, (2) the capability to prevent or mitigate the consequences of accidents that could result in potential offsite exposures comparable to the guidelines of 10CFR Part 100.
Since the current Q list is a system level list, components within the boundaries of a safety related (Q listed) system are treated as safety related unless specifically exempted using the process presented in Attachment 12 of our original response.
Plant instructions and procedures which, when implemented, have a potential for direct and immediate impact upon safety related systems, are marked or identified as " Safety Related."
1 AP&L is developing a component level listing of Safety Related (Q) equipment.
This activity involves reconfirmation of the I
boundaries of safety related systems, then determination at the k
Mr. Edward J. Butchsr, Jr. July 26, 1985 component level of whether or not the individual component is safety related.
The criteria used in making the safety related (Q) determination is the basic criteria presented above.
The component level Q-list will be loaded into a computerized equipment database.
Upon completion of the Q-list, changes to the list will be controlled via the design change process and subjected to required reviews for that process.
Such changes to the list will be filed in the nuclear records management system.
When the component level Q-list information is loaded into the computerized system, job orders written for maintenance of a specific component will have the component automatically identified as "Q' (safety related) on the job order.
Item 2.2.2 - Incomplete Licensee needs to present his evaluation of NUTAC program and describe how it will be implemented at ANO-2.
The staff found the NUTAC program fails to address the concern about establishing and maintaining an interface between all vendors of safety-related equipment and the utility.
Accordingly the licensee will need to supplement his response to address this concern.
This additional information should describe how current procedures will be modified and new ones initiated to meet each element of the item 2.2.2 concern.
Response: AP&L participated in the development of the NUTAC program and believes that this program is responsive to the concerns of the Salem event and this item.
AP&L has evaluated the utility implementation responsibilities outlined in Section 4.1.1.1 of the March, 1984 NUTAC program and has concluded that current AP&L practices, together with future planned activities under the ongoing vendor manual review program, adequately implement these recommendations.
The review of safety related technical manuals will follow closely behind the equipment classification program described in the response to item 2.2.1.
In order to ensure that adequate preventive maintenance is incorporated in our procedures, vendor technical information for safety related equipment will be reviewed and, if appropriate, incorporated into the ANO preventive maintenance program.
Item 4.5.3 - Incomplete Licensee needs to supply additional information on applicability of B&W Owners Group analysis program for considering the concerns of 4.5.3.1 and 4.5.3.5 in the generic letter to ANO-2.
If not found applicable, a review of the on-line testing intervals specific to ANO-2 that considers the five concerns enumerated above and shows that these intervals are consistent with high reactor trip system availability needs to be described and the results presented.
In addition, plant specific concerns relating to implementation of results of these programs need to be addressed by your response.
Mr. Edward J. Butchar, Jr. July 26, 1985 Response: Attachment 1 is ~a description of the evaluation undertaken and the
-results as applicable to ANO-2.
Very truly yours, i
J. Ted Enos Manager, Licensing JTE/sg.
Attachment w
ATTACHMENT 1 EVALUATION OF ANO-2 RPS TO ADDRESS GENERIC LETTER 83-28 ITEM 4.5.3
{
EVALUATION OF ANO-2 PPS RPS TEST INTERVAL EVALUATION I.
Summary The objective of the completed study was to evaluate the availability of the C-E supplied NSSS reactor trip system at ANO-2 based on the current tech spec testing intervals and to compare this resultant availability with the goal implied by the NRC in their evaluation of the ATWS rule.
As part of a C-E Owner Group commissioned study, a fault tree model for the postulated fault, " failure to trip the reactor", was constructed for the type RPS design implemented at ANO-2.
This model explicitly addressed four of the five concerns of subject item 4.5.3 (GL 83-28),
which are the effects on RTS availability by 1) random component failures, 2) common cause failures, 3) out-of-service time for testing and 4) operator errors. As stated in previous correspondence, wear contribution on the GEAK RTBs is considered insignificant.
As such, wear was not considered in the evaluation.
The results of this analysis for the RPS design supplied for ANO-2 is that the median probability that the RPS will fail to trip the reactor is less than 4.91 x 10 8 per demand with a 95th percentile confidence limit probability of 2.20 x 10 s per demand.
This compares favorably to the NRC derived point estimate value of 2 x 10 s per demand as the probability that the RPS would fail to trip the reactor for plants supplied with C-E supplied NSSS.
Based on this we conclude.that the current RPS test intervals are consistent with maintaining the high degree of availability expected of the RPS.
L
II.
Fault Tree Model A fault tree was constructed to model the Reactor Protection System l
(RPS) for failure to generate a full trip.
The base case fault tree considers one protective trip parameter, pressurizer pressure, input to four trip u' nit bistables.
These in turn interface with six logic l
matrix blocks to form all possible 2 out of 4 coincident signals from the four protective channels A, B, C and D, respectively.
Each RPS trip path consists of a trip circuit K-relay in series with six logic matrix relays (one from each logic matric block).
Each K-relay provides a trip signal to its associated trip circuit breakers via two sets of contacts.
Each set includes a normally open (NO) contact in series with the reactor trip breaker undervoltage device and a normally closed (NC) contact in series with the breaker shunt trip device.
Manual trip buttons perform the same function as K-relays in the automatic trip path.
They open N0 contacts to de-energize undervoltage devices causing reactor trip breakers to open and close NC contacts to energize shunt trip coils which also act to open the reactor trip breakers.
There are a total of eight reactor trip breakers in the ANO-2 RPS which open to interrupt holding power to CEDMs, causing CEAs to drop into the reactor core.
High local power density trip from the core protector calculators (CPCs) is incorporated into the model as a diverse trip parameter.
Its failure probability was evaluated separately.
Though failure of CEDM power supplies have the same effect as a trip signal they are excluded from the analysis.
Using nominal failure rates for all components in the model, the fault tree was used to determine base system reliability.
Next a sensitivity analysis was done to determine how system reliability was affected by variations in component failure rates, common mode failure rates and operator error rates.
For each selected component or condition, the failure rate was varied.01% to 1000% of its nominal value, while holding constant all other contributing failure rates to the RPS fault tree.
If the system failure rate changed little over the range of individual failure rates applied, then the system was considered insensitive to that particular component or made of failure.
However if system reliability fluctuated widely over the variance applied then the system was considered sensitive to that particular component or failure mode.
The results are shown on Table 1 and are discussed further in the next section.
Table 2 shows which outsets dominate the ANO-2 fault tree.
A cutset is the combination of component failures, operator errors, etc. t.
will result in the fault tree top event (i.e. failure to trip _ator).
m
= -
e III. Failure Analysis A.
Data Analysis NPRDS failure reports and LERs (from 1972 through 1983) with C-E supplied NSSS comprised the data base for this report.
Failures which did not impact RPS availability or occurred during fault isolation testing were eliminated from this base.
Failure events were then divided into two categories, independent RPS component failures and dependent (or common mode) RPS failures.
To account for uncertainties in the data collected, prior distributions were updated through the Bayesian method to adjust the plant specific data.
The Bayesian approach treated failure parameters as random variables themselves and used prior distributions from WASH-1400 and IEEE-500 to derive the density functions which govern the failure parameters.
B.
Component Failure Rates Table 3 presents the RPS component. failure posterior distributions as updated from prior distributions by the Bayesian method.
RPS component unavailabilities are lognormally distributed in terms of 5th, 50th (median) and 95th percentile confidence limits.
As can be seen from Table 1 and 2, individual component failure rates have very little impact on RPS system reliability.
The most dominant individual component failures are mechanical failure of reactor trip breaker to open and failure of pressure sensors.
C.
Common Mode Failure Rates Table 4 represents the common cause failures that were incorporated into the RPS ANO-2 fault tree.
The Marshall-Olkin method was used to esti.nate common cause failure rates for fault tree component types with two or more unit failures in the past.
The Beta-Factor method was used to estimate the common mode failure rates of RPS components which had not experienced multiple failures (diesel generators excepted).
As can be expected, common mode failures are the biggest contributors to RPS unreliability.
Table 2 snows that common cause mechanical failure of reactor trip breakers to open is the most dominant outset of RPS failure to trip the reactor and accounts for 76.2% of the RPS system unavailability.
D.
RPS Testing Testing affected the RPS fault tree in two ways.
First, test frequency partially determined the number of demands individual RPS components received per operating cycle and hence affected their failure rates.
Second, testing contributed to unavailability of RPS trip paths. Since only one channel of the RPS can be in bypass at any given time, unavailability contributions were included for Channel D. and for Logic Matrix AC of the fault tree model.
Test intervals for this study were based
on current Tech Spec requirements and were not varied in
. determining contributions to component failure rate and system unavailability.
E.
' Operator Error The two types of operator error modeled in the RPS fault tree were:
1.
Miscalibration of the RPS bistables (2.5 x 10 3 per demand) and 2.
Failure to manually scram the reactor (5 x 10 2 per demand).
-Quantifications of these errors was accomplished using methods developed by Swain and Guttran whose median failure rates are shown in parentheses above.
As shown in Table 1, after common cause mechanical failure of the reactor trip breaks, the RPS system is most sensitive to these two failure modes.
These operator errors contribute to 21% of the RPS system failure rate.
Tables 1 and 2 emphasize the importance of operator input into maintaining RPS system reliability.
7 IV.
Conclusion Results of the fault tree analysis for RPS reliability of.the ANO-2 RPS NSSS design is as follows:
Probability of Failure to Trip on Dem&nd 5% Lower 95% Upper Bound Median Bound 2.16 x 10 8/D 4.91 x 10 6/D 2.20 x 10 5/D These results are comparable to failure probabilities used by the NRC in determining the cost / benefit value of requiring diverse scram and ATWS mitigation systems for C-E NSSS supplied plants.
Based on this it is concluded that current Technical Specification required test intervals are consistent with maintaining the high degree of reliability expected'of the RPS.
t k
I i
1
4 l
TABLE 1 SENSITIVITY ANALYSIS RESULTS FOR ANO-2 NORMALIZED SYSTEM UNAVAILABILITY
- COMPGNENT FAILURE MODE GIVEN COMPONENT FAILURE RATE CHANGES BY A FACTOR OF:
.0001
.1
.9 1.1 10.0 Common Cause Mechanical Failure of the
.24
.32
.92 1.08 7.84 Trip Circuit Breakers to Open Operator Fails to Initiate Manual Reactor Trip
.76
.79
.98 1.02 3.13-Operator Sets Bistable Setpoints Incorrectly
.82
.84
.98 1.02 2.63 Common Cause Failure of Pressure Sensors
.97
.97 1.00 1.00 1.25 Mechanical Failure to Trip Circuit 1.00 1.00 1.00 1.00 1.22 i
Breaker to Open Common Cause Failure of Sensor Power
.99
.99 1.00 1.00 1.10 Supplies Common Cause Failure of Bistable
.99
.99 1.00 1.00 1.07 Relays to De-Energize Failure of Pressure S(nsors 1.00 1.00 1.00 1.00 1.04 i
Common Cause Failure of K-Relays to 1.00 1.00 1.00 1.00
' 04 De-Energize
- Normalized System Unavailability = System Availability calculated with changed component failure rate divided by median system unavailability.
3.
TABLE 1 (Cont.)
SENSITIVITY. ANALYSIS RESULTS FOR ANO-2 NORMALIZED SYSTEM UNAVAILABILITY",
COMPONENT FAILURE M0")E GIVEN COMPONENT FAILURE RATE CHANGES BY A FACTOR OF:
.0001
.1
.9 1.1 10.0 Common Cause Failure of the Bistable 1.00 1.00 1.00 1.00 1.03 i
Trip Units I
i Common Cause Failure of Shunt Trip 1.00 1.00 1.00 1.00 1.03 Device to Actuate Common Cause Failure of Undervoltage 1.00 1.00 1.00 1.00 1.01 Device to Actuate j
l
- Normalized System Unavailability = System Availability calculated with changed component failure rate l
divided by median system unavailability.
e TABLE 2 DOMINANT CUTSETS FOR ANO-2 RPS PERCENT OF CUTSET TOTAL 1
NUMBER CUTSET MEMBERS UNRELIABILITY l
I 1
- Comon Cause Mechanical Failure of Trip 76.2%
Circuit Breakers 2
Operator Sets Bistable Setpoints Incorrectly 18.2%
Failure of Diverse Trip Parameter, Operator Fails to Initiate Manual Trip 3
Comon Cause Failure of Pressure Sensors, 2.8%
Failure of Diverse Trip Parameter, Operator Fails to Initiate Manual Trip s
L.....
TABLE 3 ANO-2 RPS COMPONENT FAILURE POSTERIOR DISTRIBUTIONS OPERATING EXPERIENCES RPS NO. OF NO. OF POSTERIOR DISTRIBUTIONS COMPONENT FAILURES (1)
NO. OF DEMANDS OPER. HRS.
5th 50th MEDIAN 95th Trip Circuit 1*
58576 2.0x10 5 4.5x10 5 9.0x10 5 Breakers Undervoltage Trip 57 32202 1.4x10 3 1.7x10 2 2.1x10 3 Devices Shunt Trip 5
42993 6.3x10 s 1.2x10 4 2.1x10 4 Devices K-Re1ays 1*
97890 1.lx10 8 6.2x10 8 2.3x10 5 Logic Matrix 24 5809?.
2.5x10 4 2.7x10 4 5.1x10 4 i
Relays Bistab1e Re1ays 2
215196 1.9x10 8 6.9x10 8 1.9x10 5
)
Bistables 105 14,637,950 4.3x10 7 2.7x10 8 1.1x10 5 Instru. Loop 36 15,472,346 3.4x10 7 1.5x10 8 5.7x10 8 Power Supplies Sensor /High 9
2,359,944 2.4x10 8 4.1x10 8 6.6x10 8 Pressure RCS Temperature 20 10,210,656 1.3x10 8 1.9x10 8 2.7x10 8 I
Detectors 1.
- Means No Failure was Reported; However, One Failure was Assumed in Order to Estimate the Posterior Distribution
j i
TABLE 3 (Cont.)
ANO-2 RPS COMPONENT FAIll!!:E POSTERIOR DISTRIBUTIONS OPERATING EXPERIENCES RPS NO. OF NO. OF POSTERIOR DISTRIBUTIONS COMPONENT FAILURiS(1)
NO. OF DEMANDS OPER. HRS.
5th 50th MEDIAN 95th Excore Detectors 12 2,819,318 7.6x10 8 9.5x10 8 1.2x10 s Axial Offset 21 1,409,659 5.9x10 8 8.8x10 8 1.3x10 5 Calculators Power Calculators 11 1,409,659 2.7x10 8 4.5x10 8 7.0x10 8 Trip Comparators 36 2,919,318 7.7x10 8 1x10 5 1.4x10 5 Core Protection 13 144,364 7.6x10 8 1.4x10 5 2.5x10 5 Calculators l
CEA Calculators 19 72,182 2x10 5 3.6x10 5 6.2x10 5 Manual Push Button 1
3392 5.1x10 8 1.5x10 5 4.4x10 5 Batteries 11 1,648,106 3.4x10 8 5.8x10 8 9.1x10 8 Battery Chargers 4
2,542,152 5.7x10 7 1.4x10 8 2.9x10 8 Diesel Generators 67 1997 2.7x10 2 3.3x10 2 4.10 2
TABLE 4 ANO-2 RPS COMPONENT COMMON CAUSE FAILURE RATES NO. OF MIN. NO. OF NO. OF EVENTS NO. OF FAILED COMMON RPS REDUNDANT COMP. CONSTITUTING WITH 2 COMPONENTS IN BETA CAUSE FAILURE COMPONENT COMPONENT-SYS. FAILURE FAILURES NO. OF EVENTS FACTOR RATE Trip Circuit 8
2 0
0 0.1 1.3x10 5/D Breaktes Shunt Trip 8
2 1
4 N/A 2.3x10 5/D Devices Undervoltage 8
2 14 46 N/A 4.3x10 4/D Trip Devices K-Relays 4
2 0
0 0.1 6.7x10 7/D Logic Matrix 24 12 1
3 N/A 1.1x10 11/D-Relays (All)
Logic Matrix Relays 12 6
1 3
N/A 4.3x10 6/D (One Channel Bypassed)
Bistables 4
3 8
18 N/A 1.2x10 7/Hr.
Bistable 12 6
0 0
0.1 6.9x10 7/D Relays (All)
Bistable Relays 6
3 0
0 0.1 6.9x10 7/D
'(One Channel Bypassed)
Push Buttons 4
3 0
0 0.1 1.5x10 6/D
TABLE 4 (Cont.)
ANO-2
'RPS COMPONENT:
COMMON CAUSE FAILURE-RATES
~NO. OF MIN. NO. OF NO. OF EVENTS NO. OF FAILED COMMON RPS REDUNDANT COMP. CONSTITUTING WITH 2 COMPONENTS IN BETA CAUSE FAILURE COMPONENT COMPONENT SYS. FAILURE FAILURES NO. OF EVENTS FACTOR RATE Sensor /High 4
3 2
4 N/A 3.6x10 7/Hr.
-Pressure Instru. Loop 4
3 0
0 0.1 1.5x10 7/Hr.
Power. Supplies RCS Temp.
8 6
7 18 2.0x10 9/Hr.
Detectors Excore Detectors 4
3 2
4 N/A 3.0x10 7/Hr.
Axial Offset 4
3 0
0 0.1 8.8x10 7/Hr.
Calculators Power Calculators 4
3 0
0 0.1 4.5x10 7/Hr.
Trip Comparators 4
3 1
2 N/A 2.5x10 7/Hr.
Core Protector 4
3 1
4 N/A 6.9x10 8/Hr.
Calculators CEA Calculators 2
1 0
0 0.1 3.6x10 8/Hr.
Batteries 4
2 1
2 N/A 6.1x10 7/Hr.
p
e-q O.
TABLE 4 (Cont.)-
ANO-2 RPS COMPONENT COMMON CAUSE FAILURE RATES NO. OF MIN. NO. OF NO. OF EVENTS NO. OF FAILED COMMON RPS REDUNDANT COMP. CONSTITUTING WITH 2 COMPONENTS IN BETA CAUSE FAILURE COMPONENT COMPONENT SYS. FAILURE-FAILURES NO. OF EVENTS FACTOR RATE Battery 4
2 0
0 0.1 1.4x10 7/Hr.
Chargers Diesel 2
1 1
2 0.03 1.0x10 3/D Generators e
w