ML030580477

From kanterella
Jump to navigation Jump to search
WCAP-15887, Revision 2, Probabilistic Risk Analysis of the Slave Relay Surveillance Test Interval Extension for Beaver Valley, Unit 2
ML030580477
Person / Time
Site: Beaver Valley
Issue date: 12/31/2002
From: Andrachek J, Andre G, Brassart G, Farkas S, Finnicum D
Westinghouse
To:
Office of Nuclear Reactor Regulation
References
WCAP-15887, Rev 2
Download: ML030580477 (84)
v  d  e


Text

Westinghouse Non-Proprietary Class 3 WCAP-15887 December 2002 Revision 2 Probabilistic Risk Analysis of the Slave Relay Surveillance Test Interval Extension for Beaver Valley Power Station, Unit 2

( Westinghouse

WESTINGHOUSE NON-PROPRIETARY CLASS 3 WCAP-15887 Revision 2 Probabilistic Risk Analysis of the Slave Relay Surveillance Test Interval Extension for Beaver Valley Power Station, Unit 2 S. E. Farkas J. D. Andrachek GQ R. Andre D. J. Finnicum December 2002 Approved: /n RikAssmn Reliability and Risk Assessment Westinghouse Electric Company LLC P.O. Box 355 Pittsburgh, PA 15230-0355

© 2002 Westinghouse Electric Company LLC All Rights Reserved "6020doc-121302

ii' TABLE OF CONTENTS TABLE OF CONTENTS ............................................................................................................................ iii LIST OF TABLES ......................................................................................................................................... V LIST OF FIGURES ...................................................................................................................................... vi LIST OF ACRONYM S ............................................................................................................................... vii EXECUTIVE SUMM ARY .......................................................................................................................... ix S INTRODU CTION ........................................................................................................................ 1-1 2 SLAVE-RELAY TECHNICAL SPECIFICATION S .................................................................... 2-1 3 NEED FOR STI CHAN GE .......................................................................................................... 3-1 4 TECHNICAL SPECIFICATION CHANGE REQUEST ............................................................. 4-1 5 DESIGN BASIS REQUIREM ENTS AND IM PACT .................................................................. 5-1 6 REACTOR PROTECTION SYSTEM DESCRIPTION .............................................................. 6-1 6.1 RTS AND ESFAS DESIGN ............................................................................................ 6-1 6.2 TEST AND M AINTENAN CE ACTIVITIES ................................................................. 6-2 7 ASSESSM ENT OF IM PACT ON RISK ...................................................................................... 7-1 7.1 APPROACH TO THE EVALUATION ........................................................................... 7-1 7.1.1 Plant M odel Acceptability ............................................................................... 7-1 7.1.2 Slave-Relay and Interposing-Relay Relationships .......................................... 7-4 7.1.3 M odel Adjustm ents for this Application ....................................................... 7-39 7.1.4 Quantification Process .................................................................................. 7-4 1 7.2 COM PONENT DATA DEVELOPM ENT .................................................................... 7-41 7.2.1 Introduction ................................................................................................... 7-4 1 7.2.2 Relay Types and Associated Failure Probabilities ................................... 7-42 7.2.3 Plant Specific Adjustm ents ........................................................................... 7-45 7.3 SSPS UNAVAILABILITY AN ALYSIS ................................................................... 7-4 7 7.3.1 Introduction .............................................................................................. 7-47 7.3.2 Longer STI M odeling ................................................................................... 7-4 8 7.3.3 Assumptions for Items Held Constant .......................................................... 7-4 8 7.3.4 Results ........................................................................................................... 7-48 7.4 RISK IM PACT ANALYSIS .......................................................................................... 7-53 7.4.1 Introduction ................................................................................................... 7-53 7.4.2 Quantification of CDF and LERF ................................................................. 7-53 7.4.3 Core Damage Frequency and Large-Early Release Fraction Frequency Assessm ent .................................................................................. 7-54 December 2002 6020 doc-121302 Revision 2

IV TABLE OF CONTENTS (cont.)

8 IMPACT ON DEFENSE-IN-DEPTH AND SAFETY MARGINS .............................................. 8-1 8.1 IMPACT ON DEFENSE-IN-DEPTH ............................................................................. 8-1 8.2 IMPACT ON DETERMINISTIC SAFETY MARGINS ................................................. 8-2 9 C ON CLU SION S .......................................................................................................................... 9-1 10 REFEREN CE S ........................................................................................................................... 10-1 December 2002 6020 doc-121302 Revision 2

V LIST OF TABLES Table 7-1 Initiator Trip-Signal M atrix ................................................................................................... 7-2 Table 7-2 Relay to Equipment Matrix .................................................................................................... 7-5 Table 7-3 Excluded Relays That Were Not Modeled in the Fault Tree ............................................... 7-39 Table 7-4 Excluded Relays That Were Modeled, But Have a Zero Failure Probability .................. 7-40 Table 7-5 Surveillance Test Procedures for BVPS Slave Relays .................................................. 7-42 Table 7-6 Demands and Failures per Relay Type for Slave and Interposing Relays Subject to Quarterly Tests at BVPS Units I and 2 ............................................................................ 7-43 Table 7-7 SSPS Test and Maintenance Unavailability Values ....................................................... 7-46 Table 7-8 Summary of the N-Factor on Slave-Relay and Interposing-Relay Failure Probabilities .... 7-47 Table 7-9 Summary of the N-Factor Effect on T&M Numbers ..................................................... 7-48 Table 7-10 SSPS Split-Fraction Values Versus Case Matrix ........................................................... 7-49 Table 7-11 Effect of STIs on CDF and LERF ....................................................................................... 7-53 December 2002 6020 doc-121302 Revision 2

vi LIST OF FIGURES Figure 6.1 Simplified Diagram of a Reactor Protection System ...................................................... 6-3 December 2002 6020.doc-121302 Revision 2

vi' LIST OF ACRONYMS Term Definition ACDF the change in CDF over a baseline value ALERF the change in the large-early release fraction over a baseline value AFW auxiliary feedwater - in the report context, generally refers to the signal to automatically start auxiliary feedwater AOT allowed outage time (from Technical Specifications)

ATWS anticipated transient without scram, i.e., RTS or RTBs do not function as stated in the final safety analysis report BVPS Beaver Valley Power Station CDF core damage frequency CIA Phase "A" containment isolation signal CIB Phase "B" containment isolation signal CNMT containment ECCS Emergency Core Cooling System ESF Engineered Safety Feature(s)

ESFAS Engineered Safety Features Actuation System FMEA failure modes and effects analysis FWI main feedwater isolation GF guaranteed failure GT general transient - a class of CDF sequence initiators LAR license amendment request LCO limiting condition for operation (from Technical Specifications, specifies minimum requirements in terms of systems and functions needed for particular operating modes).

LERF large early release fraction (the fraction of CDF that escapes containment soon after vessel breach)

LLOCA large loss-of-coolant accident - double ended break of one of the RCS recirculation lines MLOCA medium loss of coolant accident - break size is between small and large - a class of CDF sequence initiators NRC Nuclear Regulatory Commission PRA probabilistic risk analysis (sometimes, probabilistic safety analysis)

December 2002 6020.doc-121302 Revision 2

viii QS quench spray - in the context of the report, the signal that automatically starts the system that sprays the open containment volume to condense steam formed during an accident Recirc abbreviation for the accident phase where water for the ECCS injection pumps comes from the containment sump rather than the RWST RT reactor trip - typically, the action of all control rods falling into the core RTBs reactor trip breakers that provide power to electromagnets holding control rods out of the reactor core RTS Reactor Trip System (the devices that actuate reactor trip breakers)

RW SI switch of the ECCS water source from RWST to the in-containment SI Sump RWST Refueling Water Storage Tank, in the current context this is the source of water for ECCS during early phases of accident response SGTR steam generator tube rupture SI safety injection, generally the high and low pressure ECCS injection pumps SIS Safety Injection System, generally the high and low pressure ECCS injection pumps SLBI steam line break inside containment - a class of CDF sequence initiators SLBD steam line break outside containment - a class of CDF sequence initiators SLI main steam line isolation SLOCI small loss of coolant accident - a class of CDF sequence initiators SLOCN small loss of coolant accident - a class of CDF sequence initiators SSPS Solid State Protection System (the electronics for ESFAS and RTS)

STI(s) surveillance test interval(s)

Tavg RCS temperature used to trigger safety-system response - typically a weighted average of hot and cold leg temperatures TOP Technical Specification Optimization Program ITT turbine trip - typically, the depressurization of the hydraulic fluid that holds open the main turbine steam inlet valves VB vessel breach, the severe accident phenomenon following core damage WOG Westinghouse Owners Group December 2002 6020 doc-121302 Revision 2

ix EXECUTIVE

SUMMARY

This program develops the technical justification for a License Amendment Request to extend the slave relay and interposing-relay surveillance test intervals (STIs) for Beaver Valley Power Station, (BVPS),

Unit 2. This program evaluated extending the STIs from 3 months to longer STIs that meet the NRC risk acceptance criteria. This program examined all the slave-relays and interposing-relays that actuate safety equipment arising from engineered safety feature (ESF) actuation signals. This document provides technical justification for extending STIs of those relays where an STI extension can be supported from a risk standpoint.

The motivation for extending the slave and interposing-relay STIs is to reduce the required testing on these relays, and thus reduce the probability of causing spurious equipment actuation and the potential for plant upsets and human errors. Also, it reduces unnecessary wear on equipment. In addition, extending the STI reduces out-of-service time for safety significant systems and components.

The approach is consistent with the Nuclear Regulatory Commission's method for making risk-informed decisions on plant-specific changes to the current licensing basis. The details of the approach are in Regulatory Guides 1.174 ("An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," Reference 1) and 1.177 ("An Approach for Plant-Specific, Risk-Informed Decision Making: Technical Specifications," Reference 2).

The approach addresses, as documented in this report, the impact on defense-in-depth and the impact on safety margins, as well as an evaluation of the impact on risk. With regard to risk, the impact of the STI extensions on core damage frequency (CDF) and large early release frequency (LERF) are both considered.

The analysis is based on the plant specific PRA model for BVPS Unit 2. There are four basic steps to the approach used in this analysis. These are:

  • BVPS Unit 2 PRA model assessment and improvements required for the evaluation
  • Slave and interposing-relay data collection and analysis
  • ESF actuation signal fault tree analysis to determine the impact of the STI change on signal unavailability a Risk assessment to determine impact of STI change of CDF and LERF The impact of the STI change from quarterly to 12-months on CDF and LERF meets the acceptance criteria provided in Regulatory Guide 1.174. In addition, defense-in-depth and safety margins are not impacted by this change. Based on this, it is recommended that the STIs for the slave and interposing relays in BVPS Unit 2 be extended to 12 months.

December 2002 6020 doc-121302 Revision 2

1-1 1 INTRODUCTION The objective of this program is to develop the technical justification and prepare a License Amendment Request (LAR) for extending the slave-relay and interposing-relay surveillance test intervals (STIs) for Beaver Valley Power Station, (BVPS), Unit 2. This program evaluated extending the STIs from 3 months to longer STIs that meet NRC risk acceptance criteria. This program examined all the slave-relays and interposing-relays that actuate safety equipment as a result of engineered safety feature (ESF) actuation signals. This document provides technical justification for extending the STI of those relays where an STI extension can be supported from a risk standpoint.

The approach used in this program is consistent with the Nuclear Regulatory Commission's (NRC) approach for using probabilistic risk assessment in risk-informed decisions on plant-specific changes to the current licensing basis as presented in Regulatory Guides 1.174 ("An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," Reference 1) and 1.177 ("An Approach for Plant-Specific, Risk-Informed Decision Making: Technical Specifications," Reference 2). The approach addresses, as documented in this report, the impact on defense-in-depth and the impact on safety margins, as well as an evaluation of the impact on risk. The impact of the STI extensions on core damage frequency (CDF) and large early release frequency (LERF) are both considered.

The slave and interposing-relay STI extensions will reduce the required testing on these relays. This change will also reduce the probability of causing spurious equipment actuation and the potential for plant upsets and human errors. Also, it reduces unnecessary wear on equipment and out-of-service time for safety significant systems and components.

The Westinghouse Owners Group (WOG) evaluated extension of slave-relay STIs to 18 months in two previous programs. This extension was initially evaluated in the Technical Specification Optimization Program that evaluated a number of STI and allowed outage time (AOT) changes to the reactor protection system and ESF actuation system. This evaluation and results are documented in WOG Technical Specification Optimization Program (TOP) WCAP-10271, Supplement 2 (Reference 3). The approach used a risk-based approach to determine the impact of the increase in STI on CDF. Detailed fault trees of representative ESF actuation signals were developed and used to assess the impact of the increase on signal unavailability. A generic risk model based on Millstone 3 was used in the risk evaluation. The evaluation concluded that the impact on CDF from increasing the slave-relay STIs was too large to justify the change to 18 months. This study was prepared using a conservative assessment since it would need to be applied to all WOG plants. Plant specific evaluations using updated plant PRA models were expected to show (as in this work) a smaller impact on the risk parameters.

The second program assessing the impact of a slave-relay STI increase used a failure modes and effects analysis (FMEA) and a data evaluation approach. This program specifically addressed Westinghouse AR (Reference 4) and Potter & Brumfield MDR (Reference 5) type relays. The objective of the FMEA was to determine the impact of the STI change on the relay reliability or failure probability. From the FMEA, it was concluded that relay failure modes are not sensitive to short test intervals. To support this conclusion, slave-relay performance (failure) data was collected from WOG plants that tested the slave relays at different intervals. Plants test slave-relays at intervals of 1 month, 3 months, and 18 months.

From this data evaluation, it was again concluded that the slave-relay failure probability is not sensitive to Introduction December 2002 6020 doc- 121302 Revision 2

1-2 test intervals. Only certain MDR and AR type relays were included in the study since these are the types most commonly used as slave-relays in WOG plants. This approach cannot be applied to other slave relay types or interposing relays since there are an insufficient number of other slave-relay types to develop meaningful component failure probabilities.

From these studies and WOG feedback it was concluded that plant specific evaluations would be necessary to extend the STIs on other slave-relays, and the evaluation approach would need to follow a risk approach, as opposed to the FMEA/data evaluation approach. The strength of the risk approach is that the assessments can be done using plant specific PRA models that include plant specific slave-relay configurations.

Introaucuon December 2002 6020 doc-121302 Revision 2

2-1 2 SLAVE-RELAY TECHNICAL SPECIFICATIONS The following provides the existing BVPS Unit 2 Technical Specifications for the ESFAS instrumentation. The frequency being evaluated is the 92-days that is contained in footnote 1.

Slave-Relay Technical Specifications December 2002 6020 doc-121302 Revision 2

2-2 INSTRUMENTATION 3/4.3.2 ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS 4.3.2.1.1 Each engineered safety feature actuation system instrumentation channel and interlock and the automatic actuation logic with master and slave relays shall be demonstrated OPERABLE by the performance of the ESFAS Instrumentation Surveillance Requirements(l) during the MODES and at the frequencies shown in Table 4.3-2.

4.3.2.1.2 The logic for the interlocks shall be demonstrated OPERABLE during the at power CHANNEL FUNCTIONAL TEST of channels affected by interlock operation. The total interlock function shall be demonstrated OPERABLE at least once per 18 months during CHANNEL CALIBRATION testing of each channel affected by interlock operation.

4.3.2.1.3 The ENGINEERED SAFETY FEATURES RESPONSE TIME of each ESF function shall be demonstrated to be within the limit at least once per 18 months. Each test shall include at least one logic train such that both logic trains are tested at least once per 36 months and one channel per function such that all channels are tested at least once per N times 18 months where N is the total number of redundant channels in a specific ESF function as shown in the "Total No. Of Channels" Column of Table 3.3-3.

(1) For the automatic actuation logic, the surveillance requirements shall be the application of various simulated input conditions in conjunction with each possible interlock logic state and verification of the required logic output including, as a minimum, a continuity check of output devices. For the actuation relays, the surveillance requirements shall be the energization of each master and slave relay and verification of OPERABILITY of each relay. The test of master relays shall include a continuity check of each associated slave relay. The test of slave relays (to be performed at least once per 92 days in lieu of at least once per 31 days) shall include, as a minimum, a continuity check of associated actuation devices that are not testable.

BEAVER VALLEY - UNIT 2 3/4 3-15 Amendment No. 88 Slave-Relay Technical Specifications December 2002 6020 doc-121302 Revision 2

ABLE 4.3-2 0%

ENGINEERING SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS CD CHANNEL MODES IN WHICH CHANNEL CHANNEL FUNCTIONAL SURVEILLANCE Fj 0 FUNCTIONAL UNIT CHECK CALIBRATION TESST REQUIRED

1. SAFETY INJECTION AND FEEDWATER ISOLATION
a. Manual Initiation N.A. N.A. R 2, 3, 4 1,

M(1

b. Automatic Actuation Logic N.A. N.A. 2, 3, 4 and Actuation Relays
c. Containment Pressure-High S R Q 2, 3 1,
d. Pressurizer Pressure--Low S R Q 2, 3 i,
e. Steam Line Pressure--Low S R Q 2, 3 1.1 SAFETY INJECTION-TRANSFER FROM INJECTION TO THE RECIRCULATION MODE
a. Automatic Actuation Logic N.A. N.A. 1, 2, 3, 4 Coincident with Safety Injection Signal
b. Refueling Water Storage S R M 1, 2, 3, 4 Tank Level-Extreme Low 0

BEAVER VALLEY - UNIT 2 3/4 3-33 Amendment No. 108

<0

-I t'3 0

aSri, C

C TABLE 4.3-2 (Continued) k) 0o ENGINEERING SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REOUIREMENTS 0

CHANNEL MODES IN WHICH CHANNEL I

0 CHANNEL FUNCTIONAL UNIT FUNCTIONAL SURVEILLANCE CHECK TEST REOUIRED CALRTIN

2. CONTAINMENT SPRAY
a. Manual Initiation N.A. R 1, 2, 3, 4
b. Automatic Actuation Logic, N.A. II N.A. N.A. 1, 2, 3, 4 and Actuation Relays M
c. Containment Pressure R High-High S Q 1, 2, 3
3. CONTAINMENT ISOLATION
a. Phase "A" Isolation
1. Manual Initiation N.A. N.A. R 1, 2, 3, 4 II
2. Automatic Actuation N.A.

M(1 N.A. 1, 2, 3, 4 Logic and Actuation Relays

3. Safety Injection See Functional Unit 1 above for all Safety Injection Surveillance Requirements.
b. Phase "B" Isolation
1. Manual Initiation N.A. N.A. R 1, 2, 3, 4
2. Automatic Actuation N.A. N.A.

M(1 Logic and Actuation 1, 2, 3, 4 Relays

3. Containment Pressure- S R High-High Q 1, 2, 3, 4 C1 0

BEAVER VALLEY - UNIT 2 3/4 3-34 Amendment No. 108

0%

0 N

o < TABLE 4.3-2 (Continued) o.r Cb ENGINEERING SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION N

SURVEILLANCE REOUIREMENTS 0

0 CHANNEL MODES IN WHICH CHANNEL CHANNEL FUNCTIONAL SURVEILLANCE 0

FUNCTIONAL UNIT CHECK TEST REQUIRED

4. STEAM LINE ISOLATION 0
a. Manual Initiation 0 N.A.
1. Individual N.A. R 1, 2, 3 I N.A. 1, l
2. System N.A. R 2, 3 N.A. N.A. M(1 1, 2, l
b. Automatic Actuation Logic 3 and Actuation Relays
c. Containment Pressure- S 1, 2, R Q 3 Intermediate-High-High
d. Steamline Pressure--Low S R Q 1, 2, 3
e. Steamline Pressure Rate-High S 1, R Q 2, 3 Negative
5. TURBINE TRIP AND FEEDWATER ISOLATION
a. Automatic Actuation Logic N.A. N.A. 1, 2, 3 I and Actuation Relays
b. Steam Generator Water S R Q 1, 2, 3 Level--High-High, P-14
c. Safety Injection See Functional Unit 1 above for all Safety Injection Surveillance Requirements.
  • 0

(*0' BEAVER VALLEY - UNIT 2 3/4 3-35 Amendment No. 108 Corrected by Letter Dated: April 18, 2000

0 I',

CL TABLE 4.3-2 (Continued)

Cd, ENGINEERING SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION 0* SURVEILLANCE REQUIREMENTS CHANNEL MODES IN WHICH n

CHANNEL CHANNEL FUNCTIONAL SURVEILLANCE FUNCTIONAL UNIT CHECK CALIBATION TEST REQUIRED

6. LOSS OF POWER
a. 4.16kv Emergency Bus
1. Undervoltage (Trip Feed) N.A. R M 1, 2, 3, 4
2. Undervoltage (Start N.A. R M 1, 2, 3, 4 Diesel)
b. 4.16kv Emergency Bus N.A. R M (Degraded Voltage) 1, 2, 3, 4 C. 480v Emergency Bus N.A. R M (Degraded Voltage) 1, 2, 3, 4
7. AUXILIARY FEEDWATER(4)
a. Automatic Actuation Logic N.A. N.A.

and Actuation Relays 1, 2, 3

b. Steam Generator Water Level-Low-Low
1. Start Turbine Driven R Pump S Q 1, 2, 3
2. Start Motor Driven Pumps S R Q 1, 2, 3 (4) Manual initiation is included in Specification 3.7.1.2.

0DC BEAVER VALLEY - UNIT 2 3/4 3-36 WN Amendment No. 108

!2 TABLE 4.3-2 (Continued) t.

t*J ENGINEERING SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS 0 CHANNEL MODES IN WHICH CHANNEL CHANNEL FUNCTIONAL SURVEILLANCE FUNCTIONAL UNIT CHECK CALIBRATION TEST . REQUIRED CD,

~0 0

7. AUXILIARY FEEDWATER (continued)

C. Undervoltage - RCP (Start S R M 1, 2

3 Turbine-Driven Pump)
d. Safety Injection (Start All See 1 above (all SI surveillance requirements)

Auxiliary Feedwater Pumps) e Trip of Main Feedwater Pumps N.A. N.A. R 1, 2, 3 (Start Motor-Driven Pumps)

8. ENGINEERED SAFETY FEATURE INTERLOCKS
a. Reactor Trip, P-4 N.A. N.A. R 1, 2, 3
b. Prepsurizer Pressure, P-11 N.A. R Q 1, 2, 3
c. Low-Low Tavg, P-12 N.A. R Q 1, 2, 3 tV 0

U)

BEAVER VALLEY - UNIT 2 3/4 3-37 Amendment No. 108 0

-3 t.)

2-8 TABLE 4.3-2 (Continued)

TABLE NOTATION (1) Each train or logic channel shall be tested at least every other 31 days.

BEAVER VALLEY - UNIT 2 3/4 3-38 Amendment No. 108 Slave-Relay Technical Specifications December 2002 6020 doc- 121302 Revision 2

3-1 3 NEED FOR STI CHANGE The Beaver Valley Power Station Unit No. 2 Technical Specifications require ESFAS slave and interposing-relay testing at least once per 92 days. This requirement involves testing some of the relays at power, with the attendant risk of inadvertent actuation of the ESFAS equipment. On-line testing of the relays requires significant plant manipulation, abnormal configurations, and removes from service various pieces of equipment, making them unavailable to perform their intended safety function.

STI changes for these ESFAS components are necessary to reduce utility burden and reduce the probability of reactor trip or plant upsets during component testing activities. In addition, extending the STI reduces out-of-service time for safety significant systems and components.

Need for STI Change December 2002 6020 doc-121302 Revision 2

4-1 4 TECHNICAL SPECIFICATION CHANGE REQUEST The analysis documented herein provides the justification for extending the surveillance test intervals for the slave and interposing-relays utilized in the ESF actuation system. Individual evaluations justify surveillance test interval extensions from the current quarterly-interval requirement up to a 12-month interval. Technical specification Table 4.3-2, "Engineering Safety Feature Actuation System Instrumentation Surveillance Requirements" will be revised to show the surveillance test interval extension revisions (re LAR 180).

Technical Specification Change Request December 2002 6020 doc-121302 Revision 2

5-1 5 DESIGN BASIS REQUIREMENTS AND IMPACT The following information is taken from the Bases of Reference 9, for Westinghouse Plants.

The Reactor Protection System consists of the reactor trip system (RTS) instrumentation and the, engineered safety features actuation system (ESFAS) instrumentation. The RTS initiates a reactor shutdown based on values of selected parameters to protect against violating the core fuel design limits and reactor coolant system pressure boundary during anticipated operational occurrences, those events expected to occur one or more times during the unit life, and to assist the engineered safety features systems in mitigating accidents. The protection systems are designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings, or trip setpoints, in terms of parameters directly monitored by the RTS, as well as specifying limiting conditions for operation (LCO) on other reactor system parameters and equipment performance. The RTS also protects against accidents, that is, events that are not expected to occur during the unit life. The acceptance limit during accidents is that offsite dose shall be maintained within an acceptable fraction of 10 CFR 100 limits.

The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the reactor coolant system pressure boundary, and to mitigate accidents.

The ESFAS instrumentation is divided into three parts: field transmitters or sensors, signal processing equipment, and solid state or relay protection system. Each part of the ESFAS instrumentation is designed with redundancy to meet design requirements. The field transmitter or sensors and signal processing equipment typically consist of three or four channels and require two-out-of-four or two-out-of-three logic to meet the reliability requirements. The solid state or relay protection system consists of two trains with either train capable of actuating the required safety systems. The master relays, slave-relays, and interposing-relays are included as part of the solid state and relay protection systems. A more detailed system description is provided in Section 6.0.

RTS The LCO requires all instrumentation performing an RTS function to be operable. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected functions.

The LCO generally requires operability of four or three channels in each instrumentation function, two channels of manual reactor trip in each logic function, and two trains in each automatic trip logic function. Four operable instrumentation channels in a two-out-of-four configuration are required when one RTS channel is also used as a control system input. This configuration accounts for the possibility of the shared channel failing in such a manner that it creates a transient that requires RTS action. In this case, the RTS will still provide protection, even with random failure of one of the other three protection channels. Three operable instrument channels in a two-out-of-three configuration are generally required when there is no potential for control system and protection system interaction that could simultaneously create a need for RTS trip and disable one RTS channel. The two-out-of-three and two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing a reactor trip.

Design Basis Requirements and Impact December 2002 6020 doc-1 21302 Revision 2

5-2 ESFAS Each of the analyzed accidents can be detected by one or more ESFAS function. One of the ESFAS functions is the primary actuation signal for that accident. An ESFAS function may be the primary actuation signal for more than one type of accident. An ESFAS function may also be a secondary or backup actuation signal for one or more other accidents. Functions such as manual initiation, not specifically credited in the accident safety analysis, are qualitatively credited in the accident safety analysis and the NRC approved licensing basis for the unit. These functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate function performance. These functions may also serve as backups to functions that were credited in the accident analysis.

The LCO requires all instrumentation performing an ESFAS function to be operable. Failure of any instrumentation renders the affected channel(s) inoperable and reduces the reliability of the affected functions.

The LCO generally requires operability of three or four channels in each instrumentation function and for two channels in each logic and manual initiation function. The two-out-of-three and two-out-of-four configurations allow one channel to be tripped during maintenance or testing without causing an ESFAS initiation. Two logic or manual initiation channels are required to ensure no single random failure disables the ESFAS.

Impact of Proposed Changes The proposed change includes extending the STIs for the slave-relays and interposing-relays. These changes do not impact the design basis requirements. As required in the design basis, RTS and ESFAS instrumentation will be available to protect the reactor during anticipated operational occurrences and accidents. Backup and redundant signals will remain available. None of the proposed changes will impact acceptance limits that protect against violating the core fuel design and reactor coolant system pressure boundary nor will they impact acceptance limits that protect against offsite dose requirements.

In addition, the limiting safety system settings and instrumentation response times are not impacted by the proposed changes Design Basis Requirements and Impact December 2002 6020 doc- 121302 Revision 2

6-1 6 REACTOR PROTECTION SYSTEM DESCRIPTION This section discusses the RTS and ESFAS instrumentation system design and performance of test and maintenance activities on the instrumentation system components.

6.1 RTS AND ESFAS DESIGN The typical RTS circuit consists of analog channels (field transmitters or process sensors and signal process control and protection system), combinational logic units (solid state protection system), and RTB (reactor trip breaker). The typical ESFAS circuit consists of analog channels (field transmitters or sensors and signal processing equipment), combinational logic (solid state protection system), and actuation relays. The analog channels, part of the process instrumentation system, provide signals to each of two logic cabinets which in turn provide signals to their respective reactor trip breakers and the actuation relays. The actuation relays consist of master, slave, and interposing-relays, with the master relays being controlled by the logic cabinet and the slave-relays being controlled by the master relays. At Beaver Valley Power Station Unit No. 2, some of the slave-relays directly actuate ESFAS equipment, while others actuate equipment via interposing-relays. A simplified diagram of a typical reactor protection system is shown in Figure 6.1.

Any particular protective feature, such as safety injection on pressurizer pressure low, will have either two, three, or four separate analog channels with each providing input to the logic cabinets. Actuation of the RTBs or master/slave/interposing-relay combination requires a combinational logic of one-out-of-two, two-out-of-three, or two-out-of-four, as appropriate.

A typical analog channel consists of a sensor, loop power supply, signal conditioning circuits, and a comparator which is the output device to the logic cabinet. The sensor measures physical parameters such as temperature, pressure, level, etc. The measurement is converted to an electrical signal and transmitted to the protection racks for signal conditioning. The signal conditioning modules perform a number of functions including amplification, square root derivation, lead/lag compensation, integration, summation, and isolation. A signal comparator, usually a bistable device, compares the conditioned signal to a predetermined setpoint and turns the output off or on if the voltage exceeds the setpoint. Each bistable controls two relays; one for train A logic and the other for train B logic.

The combinational logic is performed in the SSPS train logic cabinet. Each SSPS train consists of three bays; the input bay which contains the input relays, the logic bay, and the output bay which contains the master and slave-relays.

The solid state cabinet, or solid state protection system (SSPS), receives inputs from the analog channels via the input relays. This is accomplished using relays in either an energized or de-energized state, as determined by the output of the comparator. The relays operate grounding contacts in the SSPS circuitry.

When a comparator senses a trip condition the corresponding input relay will either energize or de energize as appropriate, applying a ground to a specific logic input. The logic inputs are applied to universal boards which are the basic circuits of the protection system. These boards contain one-out-of two, two-out-of-three, or two-out-of-four logic circuits. Grounding of the appropriate number of universal board inputs will cause a signal to be generated. Output signals from the universal boards are connected to other universal boards, undervoltage output boards, or safeguard output boards as described:

Reactor Protection System Description December 2002 6020 doc-121302 Revision 2

6-2

1. Connection to other universal boards enables additional logic combinations. For example, auxiliary feedwater may be started by low level in one steam generator as sensed by 2 out of 3 channels. Each of the three steam generator channels for one steam generator would input to a 2 out of 3 universal board. For BVPS Unit 2 there would be three such circuits. The output of each of these universal boards would input to a 1 out of 3 universal board to achieve the desired logic.
2. Connection to undervoltage output boards to drive the undervoltage relays to trip the RTBs.
3. Connection to safeguard output boards to drive the master relays which in turn drive the slave, or slave/interposing-relays.

The master, slave, and interposing actuation relays function to start the safeguards equipment which is used to mitigate events. This is accomplished by a combination of relay operations initiated by the output of the logic circuit. Each master relay energized by the logic circuit closes contacts, which energize one or more slave-relays. The number of master and slave-relays is dependent on the particular protective function. The more complex the function, the greater the number of relays energized. Each slave or slave/interposing-relay, when energized, closes or opens contacts in the actuation circuits for one or more pieces of equipment. Typically each slave-relay causes several components to operate.

6.2 TEST AND MAINTENANCE ACTIVITIES This program is concerned with test and maintenance activities related to the slave and interposing-relays in the ESFAS instrumentation system. The protection system is designed to allow online testing. An overlapping test sequence is used, with each test within the testing scheme adequately testing a portion of the protection system. Satisfactory completion of all tests provides assurance that the system will perform as assumed in the safety analysis when required. Typically, testing of the protection system involves verification of the proper channel response to known inputs, proper comparator (bistable) settings and proper operation of the combinational logic and associated trip breakers, master relays, and slave/interposing-relays.

With regard to the following analyses, the impact of test and maintenance activities on the ESFAS is important. Of specific interest is the impact on the availability of protection system signals. That is, how the individual components of the protective functions are unavailable during test and maintenance activities.

The slave and interposing-relays are unavailable during testing and maintenance activities. The tests are either "go" or "no-go" tests. With the "go" tests, the final devices are actuated. Some final devices cannot be acutated without causing equipment damage or interrupting power generation. In these cases, either "no-go" tests are used so the final devices are not actuated, or modifications to the normal plant lineup are necessary to limit the perturbation caused by the operation of the devices that are actuated.

Reactor Protection System Description December 2002 6020 doc-121302 Revision 2

6-3 Figure 6.1 Simplified Diagram of a Reactor Protection System Description December 2002

System Description

Reactor Protection System December 2002 6020 doc- 121302 Revision 2

7-1 7 ASSESSMENT OF IMPACT ON RISK The following provides the results of the analysis that determines the impact of the STI change on plant risk acceptance criteria. As discussed in Section 1, this analysis is consistent with Regulatory Guides 1.174 and Regulatory Guides 1.177. This requires determining the impact of the change on CDF and LERF, as well as the impact of the change on defense-in-depth and safety margins. The impact on defense-in-depth and safety margins is discussed in Section 8.

7.1 APPROACH TO THE EVALUATION The analysis is based on the plant specific PRA model for BVPS Unit 2 (model Revision 3A) which includes internal and external events. There are four basis steps to the approach used in this analysis.

These are:

  • BVPS Unit 2 PRA model assessment and improvements
  • Slave and interposing-relay data assessment
  • Signal unavailability assessment
  • Risk assessment Each of these steps is discussed in detail in the following sections.

7.1.1 Plant Model Acceptability This work involves manipulating two independent models. The primary model is a support-state-style model that has CDF and LERF end-states among others. The other is a detailed fault tree designed to represent various failure states in the SSPS, typically as a function of initiator and electric power support.

The fault tree analysis provides split fractions for the ESF actuation signal unavailabilities that are then used in the support-state model.

The support-state model for the plant has the following attributes.

  • The model allows the analyst to take credit for operator actions that manually begin what the automatic ESFAS may fail to do. The model conforms to plant operating procedures that direct manual safety-system start should the automatic system fail.

0 The model design accounts for dependencies of subsequent operator actions on previous operator actions. This most recently mentioned feature is one of the main attributes of the support state-style of modeling.

0 The model includes ATWS end-states.

  • The model has a list of initiators and mitigating events that form a comprehensive set of CDF sequence cutsets. The initiator list for CDF includes seismic, internal floods, and internal fires.

Assessment of Impact on Risk December 2002 6020 doc-121302 Revision 2

7-2 The following matrix is an aid, which shows the general relationship between the initiating events and the plant trips Table 7-1 Initiator Trip-Signal Matrix Trip Signal Initiator RT12' 3 5 TT" ' FWI") AFW( ) SI(6) CIA(7) RW( 8 ) CIB(9) QS(1O) SLI(ti)

GT w/o SIS(12 ) X X X X SLOCI or GT w/SIS(13) X X X X X X X SGTR(1 4) X X X X X X X SLOCN, MLOCA, or X X X X X X X X X LLOCAt 15 1 SLBI(16) X X X X X X X X X X t17 SLBO( ) X X X X X X X X Notes

1. [Intentionally left blank]

2 Reactor trip 3 Turbine trip 4 Main Feedwater isolation 5 Auxiliary Feedwater actuation

6. SIAS, Safety Injection actuation
7. Phase A Containment isolation
8. SI switch from RWST to SI Sump ECCS water source 9 Phase B Containment isolation
10. Quench spray actuation
11. Steam line isolation 12 General Transients that do not require Safety Injection to mitigate the initiator 13 General Transients or Small LOCAs that do require Safety Injection to mitigate the initiator 14 Steam Generator Tube Rupture
15. Non-isolable Small, Medium and Large LOCA accidents
16. Steam Line Break inside containment 17 Steam Line Break outside containment Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-3 The support-state model feeds SSPS states via support system event trees into the safety injection system model. Support-state events also credit operator actions, as appropriate, to initiate safety injection via the SI switch in the control room. Appropriate actuation signals are included, as necessary, in the model for containment spray actuation, containment isolation, auxiliary feedwater pump start, main steam system isolation, and emergency core cooling system recirculation.

The fault-tree model for the plant SSPS has the following attributes:

The model details the most important ESF actuation signals (see Table 7-2) as described on Technical Specifications Table 4.3-2 from the actuating relays (interposing or slave) down to the sensor instrument.

The model includes all slave-relays and interposing-relays that play an active roll in mitigating the CDF sequences created by the support-state model. This negates the need to have fault tree gates represent specific trips as shown on Technical Specifications Table 4.3-2.

The support-state model loads the appropriate SSPS split-fraction values into the CDF sequence cutsets.

The SSPS split-fraction values combine the failures in ESFAS and RTS components leading to a somewhat higher CDF than would otherwise be expected. For example, SSPS plays a part in CDF sequences that require high-pressure injection. The SSPS split-fraction value in such a CDF sequence includes a contribution from RTS component failures, which truly do not affect ESFAS equipment like the high-pressure injection pump. SSPS split-fractions are part of all of the CDF sequences that rely on ECCS equipment and RTBs for accident mitigation.

The support-state model quantified during this work has virtually the same logic and data as the most current BVPS - Unit 2 model, Revision 3A. The differences are discussed in the next section.

Assessment of Impact on Risk December 2002 6020 doc-121302 Revision 2

7-4 7.1.2 Slave-Relay and Interposing-Relay Relationships Slave-relays can either directly affect equipment control circuits, or toggle interposing-relays.

Interposing-relays then in-turn affect equipment control circuits. The next table illustrates the relationship between relays and technical specification items. The slave-relay and interposing-relay relationship to actuated equipment also appears on Table 7-2.

Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-5 Table 7-2(1) Relay to Equipment Matrix ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item(2) Relay and Type Relays and Type Components Description Safety Injection Table 4.3-2 K501B K601B 2FWS-FCV478 21A SG MAIN FEEDWATER REG VLV Item L.b type: 2FWS-FCV488 21B SG MAIN FEEDWATER REG VLV AR440AR 2FWS-FCV498 21C SG MAIN FEEDWATER REG VLV K801B RESET DISABLE Safety Injection Table 4.3-2 K603B 3-HVRCB 2HVR-FN201C CONTAINMENT AIR RECIRC FAN Item L.b type: type:

AR440AR ASEA RXMA1 Safety Injection Table 4.3-2 3-HVRBA 2HVR-FN201B CONTAINMENT AIR RECIRC FAN Item l.b type:

ASEA RXMA1 Safety Injection Table 4.3-2 2CHS-LCV115E CHARGING PUMP SUCTION FROM VOLUME CONTROL TANK Item l.b 2CHS-MOV310 REGEN HX NORMAL CHARGING DISCHARGE VALVE 2SIS-MOV867D HHSI PUMPS ISOLATION TO COLD LEG INJECTION 2CHS-LCV115D CHARGING PUMP SUCTION FROM RWST t" The outer or left column device controls the devices listed in the center and right columns until the name in the first column changes.

(2) A cross-reference is listed only when the line contains Actuation Relays. A blank entry indicates that there is no specific Technical Specification for the relays in that line.

Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-6 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Safety Injection Table 4 3-2 K603XB 3-RCPBM 2RCP-H2E PRESSURIZER HEATER Item L.b type: type:

MDR-4121-1 ASEA RXMH2 Safety Injection Table 4.3-2 2CHS-LCV1 15D BLOCKS MANUAL OPENING OF CHARGING PUMP SUCTION Item L.b FROM RWST 2CHS-LCV1 15D Safety Injection Table 4.3-2 3-HVRBB 2HVR-FN202A2 CRDM SHROUD COOL FAN Item l.b type ASEA RXMAI Safety Injection Table 4 3-2 K608B 3-RSSBD 2RSS-MOVI56D RECIRC SPRAY PUMP 21D OUTSIDE CNMT DISCH ISOLATION Item l.b type: type: 2CHS-P21B HI HEAD SAFETY INJ CHARGING PUMP AR440AR ASEA RXMH2 2CHS-LCV115D CHARGING PUMP SUCTION FROM RWST Safety Injection Table 4.3-2 3X-RSSBD 2CHS-P21C HI HEAD SAFETY INJ CHARGING PUMP Item L.b type: 2RSS-P21D RECIRC SPRAY PUMP 21D ASEA RXMH2 2SIS-MOV8809B LHSI PUMP (2SIS*P2B) SUCTION ISOLATION Safety Injection Table 4.3-2 2SIS-MOV8887B LOW HEAD SI PUMP 2B DISCH TO HOT LEGS ISOLATION Item I b 2SIS-MOV863B LHSI PUMP 21B DISCH TO HHSI PUMPS ISOLATION 2SIS-P21B LOW HEAD SAFETY INJECTION PUMP 2SIS-MOV8811B RS PP (2RSS*P21D) DISCH CROSSOVER TO LHSI P21B DISCH Safety Injection Table 4.3-2 K610B 3-SWSNB 2SWS-STRN48 SERVICE WTR PUMPS 2SWS-P2 IA,B,C SEAL WTR & MTR Item l.b type: type: COOLING STRAINER AR440AR ASEA RXMVB4 N.O. K608B contact closes actuating 3-SWSNB relay which then energizes Running Contactor 42-SWSNB thus activating Strainer Motor Safety Injection Table 4.3-2 2SIS-MOV865C SI ACCUMULATOR TK21C DISCH STOP Item l.b 2HCS-HAIOOB HYDROGEN MONITORING SYSTEM 2CHS-P21C HI HEAD SAFETY INJ CHARGING PUMP (Also listed with K610A)

_2SWS-P21C SERVICE WATER PUMP 21C (Also listed with K610A)

A ecpc -m t nf J TIn ia~.Ltl t+n D. t, 6020 doc- 121302 December 2002 Revision 2

7-7 Table 7.2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Safety Injection Table 4.3-2 K610XB 762-EGSBA 2EGS-E2-2 EMERGENCY DIESEL GENERATOR Item 1.b type: (TIMER)

MDR-4121-1 type:

ATC-365A Safety Injection K503B K615B P/O UNIV A405B Input to Universal Board A405B, which are used for Multiplexing only.

type:

AR440AR Safety Injection Table 4.3-2 K521B K61 IB ESI-EGS21 EDG2-2 EMERGENCY DIESEL GENERATOR START Item L.b type: type: Start Circuit No.1 AR440AR ITE-JI3 4A-EGS21 type:

ITE-JI3 T2A-EGS21 type: Agastat 7012PC Safety Injection Table 4.3-2 ES2-EGS22 EDG2-2 EMERGENCY DIESEL GENERATOR START Item l.b type: Start Circuit No. 2 ITE-J13 4B-EGS22 type:

ITE-J 13 T2B-EGS22 type: Agastat 7012PC Safety Injection Table 4.3-2 2SWS-MOV113D EMER DG 2-2 HX 21B SERV WTR HDR B CLG WTR INLET VLV Item 1.b 2FWE-P23B MOTOR-DRIVEN AUX FEED PUMP TSR/TSRX TEST START Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-8 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Safety Injection Table 4.3-2 K611XB 2EGS-EG2-2 EMERGENCY DIESEL GENERATOR Item L.b type: 2HCS-SOV135A/B H2 ANALYZER (2HCS*HAI00B) INLET INSIDE CNMT ISOL MDR-4121-1 2EGA-SOV201-2 (2EGS*DG2-2) SAFETY S/D SOLENOID VALVE Safety Injection Table 4.3-2 K609B 3-SWSNB 2SWS-STRM48 SERVICE WTR PUMPS 2SWS-P21A,B,C SEAL WTR & MTR Item L.b type: type: COOLING STRAINER AR440AR ASEA RXMVB4 Safety Injection Table 4.3-2 2SWS-AOVI18B CLARIFIED WTR TO SEAL WTR HEADER ISOL VLV Item L.b 2SWS-AOVI30B SW SUPPLY TO STRAINER (2SWS-STRM48) 2QSS-AOV120B REFUELING WATER COOLING PUMP SUCTION ISOL 2SWS-P21B SERVICE WATER PUMP 21B 2SIS-P21B LOW HEAD SAFETY INJECTION PUMP 2CHS-P21B HI HEAD SAFETY INJ CHARGING PUMP Safety Injection Table 4.3-2 K609XB Blocks manual operator action from stopping 2CHS-P21B, 2SIS-P21B, Item L.b type: 2SWS-P21B.

MDR-412 1-1 Safety Injection Table 4.3-2 K604B 2SIS-MOV867B HHSI PUMPS ISOLATION TO COLD LEG INJECTION TD AUX Item L.b type: 2MSS-SOV105B FEEDWATER PMP STEAMLINE B ISOL VALVE TD AUX AR440AR 2MSS-SOVI05E FEEDWATER PMP STEAMLINE B ISOL VALVE TD AUX 2MSS-SOVI05F FEEDWATER PUMP STEAMLINE C ISOL VALVE SI 2SIS-MOV865B ACCUMULATOR TK21B DISCH STOP Safety Injection Table 4.3-2 K604XB 3-RCPBL 2RCP-H2B PRESSURIZER HEATER BACKUP GROUP B Item L.b type: type:

MDR-4121.l ASEA RXMH2 Safety Injection Table 4 3-2 3-HVRBM 2HVR-FN202C2 CRDM SHROUD COOL FAN Item l.b type:

ASEA RXMAI Safety Injection Table 4.3-2 2HVW-FN269B ALT INTAKE STRUCT EXHAUST FAN OUTPUT BKR Item l.b 4KVS-2DF-2F10 602e0s:csnt 01 impact on ASK December 2002 6020 doc- 121302 Revision 2

7-9 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Safety Injection Table 4.3-2 K602B 3-HVRBD 2HVR-FN202B2 CRDM SHROUD COOL FAN Item L.b type: type:

AR440AR ASEA RXMA1 Safety Injection Table 4.3-2 2HCS-SOVI33B H2 ANALYZER (2HCS*HA1OOB) OUTLET INSIDE CNMT ISOL Item L.b 2HCS-SOV134B H2 ANALYZER (2HCS*HAIOOB) OUTLET OUTSIDE CNMT ISOL 2SWM-MOV565 CHLORINE INJECTION ISOL TO A HDR 2SWM-MOV563 CHLORINE INJECTION ISOL TO B HDR A210 INDICATION TD3 TIME DELAY RELAY Safety Injection Table 4.3-2 K501A K610A 3-SWSNA 2SWS-STRM47 SERVICE WTR PUMPS (2SWS-P21A,B,C) SEAL WTR & MTR Item L.b type: type: Seal water injection COOLING FILTER AR440AR ASEA RXMVB4 strainer backwash motor Safety Injection Table 4.3-2 2CHS-P21C HI HEAD SAFETY INJ CHARGING PUMP (Also listed with K610B)

Item L.b 2HCS-HAIOA HYDROGEN MONITORING SYSTEM 99-OAB3-AB Train A SIGNAL ISOL for computer point 2SWS-P21C SERVICE WATER PUMP 21C (Also listed with K610B)

Safety Injection Table 4.3-2 K61OXA 762-EGSAA 2EGS-EG2-I EMERGENCY DIESEL GENERATOR Item 1.b type: (TIMER)

MDR-4121-1 type: Contacts close to operate 762-EGSAA. EDG2-1 sequencer SI Reset Relay.

ATC-365A Blocks stopping of 2SWS-P21C and 2CHS-P21C.

Safety Injection Table 4.3-2 K601A KS01A RESET Item L.b type: Operates K801 Reset Coil. Reset interlock.

AR440AR Safety Injection Table 4.3-2 K603A 3-HVRAA 2HVR-FN201A CONTAINMENT AIR RECIRC FAN Item l.b type: type:

AR440AR ASEA RXMAI Vecember 2UUL Assessment of Impact on Risk Decemoer 2002 Revision 2 6020 doc-121302

7-10 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Safety Injection Table 4.3-2 3-CHSAC 2CHS-LCVI 15B CHARGING PUMP SUCTION FROM RWST Item L.b type:

GE CRI20B/02202 Safety Injection Table 4.3-2 3-HVRCA 2HVR-FN201C CONTAINMENT AIR RECIRC FAN Item L.b type.

ASEA RXMAI Safety Injection Table 4.3-2 2CHS-MOV289 NORMAL CHARGING HDR ISOLATION VALVE Item L.b 2CHS-LCV115C CHARGING PUMP SUCTION FROM VOLUME CONTROL TANK 2SIS-MOV867C HHSI PUMPS ISOLATION TO COLD LEG INJECTION Safety Injection Table 4.3-2 K603XA 3-CHSAC 2CHS-LCVI 15B CHARGING PUMP SUCTION FROM RWST Item L.b type: type:

MDR-4121-1 GE CR 120B/02202 Safety Injection Table 4.3-2 3-RCPAM 2RCP-H2D PRESSURIZER HEATER Item L.b type, ASEA RXMH2 Safety Injection Table 4.3-2 3-HVRAB 2HVR-FN202AI CRDM SHROUD COOL FAN Item L.b type:

ASEA RXMAI Safety Injection Table 4.3-2 K608A 3-RSSAD 2RSS-MOVI56C RECIRC SPRAY PUMP 21C OUTSIDE CNMT DISCH ISOLATION Item 1.b type: type: 2CHS-P21A HI HEAD SAFETY INJ CHARGING PUMP AR440AR ASEA RXMH2 2CHS-LCV115B CHARGING PUMP SUCTION FROM RWST Safety Injection Table 4.3-2 3X-RSSAD 2CHS-P21C HI HEAD SAFETY INJ CHARGING PUMP Item L.b type: 2RSS-P21C RECIRC SPRAY PUMP 21C ASEA RXMH2 2SIS-MOV8809A LHSI PUMP (2SIS*P21 A) SUCTION ISOLATION tsemntILI ot ImlpaCL on ISK December 2002 6020 doc- 121302 Revision 2

7-11 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Safety Injection Table 4.3-2 2SIS-MOV8887A LOW HEAD SI PUMP 2A DISCH TO HOT LEGS ISOLATION Item L.b 2SIS-MOV863A LHSI PUMP 21A DISCH TO HHSI PUMPS ISOLATION 2SIS-P21A LOW HEAD SAFETY INJECTION PUMP 2SIS-MOV8811A RS PP (2RSS*P21A) DISCH CROSSOVER TO LHSI P2IA DISCH Safety Injection K503A K615A P/O UNIV A405A PROTECTION OUTPUT Input to Universal Board A405A, which are used for Multiplexing only.

Safety Injection Table 4.3-2 K521A K609A 3-SWSNA 2SWS-STRM47 SERVICE WTR PUMPS (2SWS-P21A,B,C) SEAL WTR & MTR Item L.b type: type: COOLING FILTER AR440AR ASEA RXMVB4 Safety Injection Table 4.3-2 2QSS-SOVI20A (2QSS-AOV120A) SOLENOID Item L.b 2SWS-SOVI 18A (2SWS-AOVI18A) SOLENOID 2SWS-SOV130A (2SWS-AOV130A) SOLENOID 2SWS-P21A SERVICE WATER PUMP 21A 2SIS-P21A LOW HEAD SAFETY INJECTION PUMP 2CHS-P21A HI HEAD SAFETY INJ CHARGING PUMP Safety Injection Table 4.3-2 K609XA Blocks manual operator action from stopping 2CHS-P21 A, 2SIS-P21 A, Item L.b type: 2SWS-P21A.

MDR-4121-1 Safety Injection Table 4.3-2 K602A 3-HVRAD 2HVR-FN202B 1 CRDM SHROUD COOL FAN Item 1.b type: type:

AR440AR ASEA RXMA1 Safety Injection Table 4.3-2 2SWM-MOV564 CHLORINE INJECTION ISOL TO B HDR Item 1.b TD3 TIMER 2SWM-MOV562 CHLORINE INJECTION ISOL TO A HDR 2HCS-SOV133A H2 ANALYZER (2HCS*HA100A) OUTLET INSIDE CNMT ISOL 2HCS-SOV134A H2 ANALYZER (2HCS*HAI00A) OUTLET OUTSIDE CNMT ISOL A210 INDICATION Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-12 lable 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Safety Injection Table 4.3-2 K61 IA ESI-EGS I 2EGS-EG2-1 EMERGENCY DIESEL GENERATOR Item 1.b type* type: Start Circuit No 1 AR440AR ITE-J 13 4A-EGS 1I type*

ITE-J13 T2A-EGS 11 type: Agastat 7012PC Safety Injection Table 4.3-2 ES2-EGS 12 2EGS-EG2-1 EMERGENCY DIESEL GENERATOR Item L.b type: Start Circuit No 2 ITE-J13 4B-EGS 12 type:

ITE-J 13 T2B-EGS 12 type: Agastat 7012PC Safety Injection Table 4.3-2 2MSS-SOV120 RAD MON (2MSS*RQI101A,B,C) DISCHARGE ISOL Item l.b 2FWE-P23A MOTOR-DRIVEN AUX FEED PUMP 2SWS-MOVI 13A EMER DG 2-I HX 21A HDR A CLG WTR INLET VLV TSR TEST START Safety Injection Table 4.3-2 K61 IXA 2HCS-SOVI36A/B H2 ANALYZER (2HCS*HAI00A) INLET INSIDE CNMT ISOL Item L.b type:

MDR-4121-1 Assessment of Imnwt on Ride 6020 doc- 121302 December 2002 Revision 2

7-13 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Safety Injection Table 4.3-2 K604A 2MSS-SOV105D TURBINE DRIVEN AUX FEEDWATER PMP STEAMLINE A ISOL Item 1.b type: VALVE AR440AR 2SIS-MOV867A HHSI PUMPS ISOLATION TO COLD LEG INJECTION 2MSS-SOV105C TURBINE DRIVEN AUX FEEDWATER PMP STEAMLINE C ISOL VALVE 2SIS-MOV865A SI ACCUMULATOR TK21A DISCH STOP 2MSS-SOV105A TURBINE DRIVEN AUX FEEDWATER PMP STEAMLINE A ISOL VALVE Safety Injection Table 4.3-2 K604XA 3-RCPAL 2RCP-H2A PRESSURIZER HEATER Item 1.b type: type:

MDR-4121-1 ASEA RXMH2 Safety Injection Table 4.3-2 3-HVRAM 2HVR-FN202C1 CRDM SHROUD COOL FAN Item 1.b type:

ASEA RXMAI Safety Injection Table 4.3-2 2HVW-FN269A ALT INTAKE STRUCT EXHAUST FAN Item L.b 4KVS-2AE-2EI0 DIESEL GENERATOR 2-1 BREAKER Containment Table 4.3-2 K502B K607B K808B TEST Isolation Item 3.a.2 type: 2CHS-MOV381 SEAL WATER RETURN CONTAINMENT ISOLATION VALVE AR440AR Containment Table 4.3-2 K605B 2RCS-AOV519 PRI. WTR. TO PZR. RLF. TK & SEAL VENT POTS Isolation Item 3.a.2 type: 2SIS-MOV842 SI ACCUM TEST LINE ISOLATION VALVE TO RWST AR440AR 2IAC-MOV134 CONTMT INSTRUMENT AIR ISOL VALVE 2RCS-AOV 101 PZR. RLF. TK NITROGEN ISOLATION 2GNS-AOVIO1-2 SI ACCUMULATORS N2 MAKEUP INSIDE CNMT ISOL VALVE 2CHS-AOV204 NON-REGEN HEAT EXCHANGER LETDOWN INLET VALVE Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-14 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Containment Table 4.3-2 K613B 99-PCBI-AB SIG ISOL.

Isolation Item 3.a.2 type: 99-PAB2-BT S1G ISOL.

AR440AR 2CCP-MOV176-2 PRIM COMP CLG SUPPLY ISOL 2CCP-MOV178-2 PRIM COMP CLG RET ISOL 2SWS-MOV107D SEC COMP COOLING WTR HX SERV WTR SUPPLY HDR B ISOL VLV Containment Table 4.3-2 K613XB 3-HVSBB 2HVS-MOD210B FLTA205B ISOL Isolation Item 3.a.2 type: type: 2HVS-MOD21 lB FLTA205B ISOL MDR-4121-1 ASEA RXMH2 Containment Table 4.3-2 3A-HVSBC 2HVS-MOD212B FLTA208B ISOL Isolation Item 3.a.2 type: 2HVS-MOD213B HEPA FILTER HOUSE NO. 4 OUTLET DAMPER ASEA RXMA 1 Containment Table 4.3-2 3B-HVSBE 2HVS-MOD203B ELECT HTR CH219B ISOL Isolation Item 3.a.2 type: 2HVS-MOD218B ELECT HTR CH219B ISOL ASEA RXMA I Containment Table 4.3-2 2HVS-CH219B LEAK COLL SYSTEM HEATER MOISTURE SEPERATOR NO. 2 Isolation Item 3.a.2 Containment Table 4.3-2 K506B K625B 62-HVCBP 2HVC-MOD201D CONTROL ROOM AIR EXHAUST DAMPER Isolation Item 3.b.2 type: (TIMER) 2HVC-MOD201B CONTROL ROOM OUTSIDE AIR INTAKE DAMPER AR440AR type: ATC 2HVC-FN241B CONTROL ROOM FILTERED AIR INTAKE FAN 365A300N30PX Initiates Control Room Isolation, bottled air system and time delay start of 3-HVCBP emergency supply fan and is Interlocked with Unit 1 Control Room type: Isolation system Control Room Isolation system ASEA RXMH2 62-HVCBDX type:

ASEA RXMH2 Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-15 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Containment Table 4.3-2 62-HVCBDXI 99-K625B-2 ISOLATION RELAY to interlock with Unit 1 Control Room Isolation Isolation Item 3.b.2 type: System ASEA RXMH2 Containment Table 4.3-2 K626B 3A-QSSBJ 2QSS-SOVIOOB CHEM INJ PUMP DISCH TO CNMT SUMP Isolation Item 3.b.2 type: type:

AR440AR ASEA RXMVB4 Containment Table 4.3-2 62-QSSBG 2QSS-SOVIO1B CHEM INJ PUMP DISCH TO QUENCH PUMP 2 lB Isolation Item 3.b.2 (TIMER) type:

ATC 305E006L1OPX Containment Table 4.3-2 62-QSSAH 2QSS-SOV102A CHEM INJ PUMP DISCH TO QUENCH PUMP 21A Isolation Item 3.b.2 (TIMER) type:.

ATC 305E006LIOPX Containment Table 4.3-2 3-CCPCA 2CCP-P21C PRIMARY COMPONENT COOLING WATER PUMP 21C Isolation Item 3.b.2 type:

ASEA RXMA1 Containment Table 4.3-2 2SWS-MOV152-2 CNMT AIR RECIRC CLG COILS INSIDE CNMT CDS INLET Isolation Item 3.b.2 2SWS-MOV155-2 CNMT AIR RECIRC CLG COILS INSIDE CNMT CDS OUTLET Containment Table 4.3-2 K626XB Block Manual Opening of 2SWS-MOV152-2 and 2SWS-MOV155-2, Isolation Item 3.b.2 type: Block Manual Reset of 3A-QSSBJ and 3B-QSSBJ to block close of 2QSS MDR-4121-1 SOVI1OB Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-16 Iable 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Containment Table 4.3-2 K619B 2CCP-MOV157-2 PRIM COMP CLG HDR ISOL - INSIDE CONTNMNT Isolation Item 3.b.2 type, 2CCP-MOV150-1 PRIM COMP CLG HDR ISOL - OUTSIDE CONTNMNT AR440AR 2CCP-MOV151-2 PRIM COMP CLG HDR ISOL - INSIDE CONTAINMENT 2CCP-MOV156-1 PRIM COMP CLG HDR ISOL - OUTSIDE CONTNMNT 2SWS-MOV106B PRI COMP CLG WTR HXS SERV WTR SUPPLY HDR B ISOL VLV K804B During SSPS testing prevents reset of K804B unless K619B is de energized.

Containment Table 4.3-2 K619XB Block Manual Opening of 2CCP-MOV157-2, 2CCP-MOVI50-1, 2CCP Isolation Item 3.b.2 type, MOV 151-2, 2CCP-MOV 156-1, 2SWS-MOV 106B MDR-4121-1 Containment Table 4.3-2 K618B 3-CCPBA 2CCP-P2 IB PRIMARY COMPONENT COOLING WATER PUMP 21B Isolation Item 3.b.2 type: type:

AR440AR ASEA RXMAI Containment Table 4.3-2 62-QSSBF 2QSS-P24B QUENCH SPRAY CHEMICAL INJECTION PUMP 24B Isolation Item 3.b.2 (TIMER) type:

ATC 305E006A1OPX Containment Table 4.3-2 A210 INDICATION Isolation Item 3.b 2 2SWS-MOV153-2 CNMT AIR RECIRC CLG COILS INSIDE CNMT SERV WTR INLET 2RHS-P2IB RESIDUAL HEAT REMOVAL PUMP 21B 2SWS-MOV154-2 CNMT AIR RECIRC CLG COILS INSIDE CNMT SERV WTR OUTLET Containment Table 4.3-2 K618XB 862-EGSBA 2EGS-EG2-2 EMERGENCY DIESEL GENERATOR Isolation Item 3.b.2 type: (TIMER) BLOCK MANUAL OPENING OF 2SWS-MOV153-2, AND MDR-4121-1 type: 2SWS-MOV154-2 ATC-365A BLOCK MANUAL START OF 2RHS-P2 lB.

AssesSM#-nt nf Tm qt - V; L-6020 doc- 121302 December 2002 Revision 2

7-17 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Containment Table 4.3-2 K522B K606B 3A/3B/3C-SSRBB 2SSR-SOV128A2 PRI COOL HOT LEG SAMPLE OUTSIDE CNMT ISOL Isolation Item 3.a.2 type: type: 2SSR-SOV129A2 RHRICNMT SUMP SAMPLE OUTSIDE CNMT ISOL AR440AR ASEA RXMEI 2SSR-SOV130A2 PRZR RELIEF TK GAS/PDTT SAMPLE OUTSIDE CNMT ISOL 62-SSRBB (TIMER) type:

ATC 305EO06LIOPX 3D-SSRBB type:

ASEA RXMH2 Containment Table 4.3-2 3-PASBA 2PAS-SOV105A2 CONTAINMENT ATMOSPHERE SAMPLE LINE OUTSIDE ISOL Isolation Item 3.a.2 ASEA RXMEI Containment Table 4.3-2 2CVS-SOV152B CNMT VAC PP 21B SUCTION ISOL Isolation Item 3.a.2 2CCP-MOV175-2 PRIM COMP CLG SUPPLY ISOL 2CVS-SOV153B AIR ACTIVITY MONITOR INLET ISOLATION 2CCP-MOV177-2 PRIM COMP CLG RET ISOL 2SWS-MOV107B SEC COMP COOLING WTR HX SERV WTR SUPPLY HDR A ISOL VLV Containment Table 4.3-2 K606XB 2CVS-SOV152A CNMT VAC PP 21A SUCTION ISOL Isolation Item 3.a.2 type:

MDR-4121-1 Containment Table 4.3-2 K614B 3B-HVPBE 2HVP-MOD22B EXHAUST FILTER BANK DAMPER Isolation Item 3.a.2 type: type: 2HVP-MOD24B EXHAUST FILTER BANK DAMPER AR440AR ASEA RXMAI Containment Table 4.3-2 3-HVSBG 2HVS-MOD201B (2HVS-FN263A) NORM LK COLLECT DAMPER Isolation Item 3.a.2 type: 2HVS-MOD202B (2HVS*FN204A, 2HVS*FN204B) FLT LK COLLECT DAMPER ASEA RXMH2 Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-18 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Containment Table 4.3-2 2CCP-AOV 172 PRIMARY DRAINS COOLER COOLING WTR SUPPLY Isolation Item 3 a.2 2CCP-AOV174 PRIMARY DRAINS COOLER COOLING WTR DISCH Containment Table 4.3-2 K614XB 2CCP-MOV119 CNMT INSTR AIR COMPRESSORS CLG WTR SUPPLY ISOL Isolation Item 3.a.2 type' 2CCP-MOV120 CNMT INSTRU AIR COMPRESS CLG WTR RETURN ISOL MDR-4121-1 Containment Table 4.3-2 K612B 2DGS-AOVI08B PRI DRAINS TFR TK PMPS Isolation Item 3 a.2 type' 2DAS-AOV100B CNMT SUMP PMPS AR440AR 2SSR-AOVI02A2 PRI COOL COLD LEG SAMPLE 2SSR-AOVI00A2 PRZR LIQ SPACE SAMPLE 2SSR-AOV1 12A2 PRZR VAPOR SPACE SAMPLE 2SSR-AOV109A2 SAFETY INJECT ACCUM SAMPLE 2VRS-AOVI09A2 PRZR RLF/PRI DRAINS TFR TANKS IN CNMT VENTS ISOL Containment Table 4.3-2 K502A K605A 2IAC-MOVI30 CONTMT INST AIR ISOL VALVE Isolation Item 3.a.2 type: 2SIS-AOV889 SI ACCUM TEST LINE ISOLATION AR440AR 2CHS-AOV200A LETDOWN ORIFICE 21 ISOL (45 GPM) 2GNS-AOVI01-1 SI ACCUM N2 MAKEUP OUTSIDE CNMT ISOL VLV 2CHS-AOV200B LETDOWN ORIFICE 23 ISOL (60 GPM) 2CHS-AOV200C LETDOWN ORIFICE 22 ISOL (60 GPM) 2IAC-MOV133 CONTMT INST AIR ISOL VALVE Containment Table 4.3-2 K613A 990CBI-X SIG. ISOL Isolation Item 3.a.2 type' 2SWS-MOV107C SEC COMP COOLING WTR HX SERV WTR SUPPLY HDR B ISOL AR440AR VLV 2CCP-MOV178-1 PRIM COMP CLG RET ISOL 2CCP-MOV176-1 PRIM COMP CLG SUPPLY ISOL 99-OA3-BD SIG ISOL.

Containment Table 4.3-2 K613XA 3C-HVSAB 2HVS-MOD210A FLTA205B ISOL Isolation Item 3.a.2 type: type: 2HVS-MOD211A FLTA205B ISOL MDR-4121-1 ASEA RXMH2 A . flXt.

Assessment 01 impact on rUSK December 2002 6020 doc- 121302 Revision 2

7-19 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Containment Table 4.3-2 3B-HVSAC 2HVS-MOD212A FLTA208B ISOL Isolation Item 3.a.2 type: 2HVS-MOD213A HEPA FILTER HOUSE NO. 4 OUTLET DAMPER ASEA RXMAI Containment Table 4.3-2 3B-HVSAE 2HVS-MOD203A ELECT HTR CH219B ISOL Isolation Item 3.a.2 type: 2HVS-MOD218A ELECT HTR CH219B ISOL ASEA RXMA I Containment Table 4.3-2 2HVS-CH219A LEAK COLL SYSTEM HEATER MOISTURE SEPARATOR NO. 2 Isolation Item 3.a.2 Containment Table 4.3-2 K607A K808A TEST Isolation Item 3.a.2 type: 2CHS-MOV378 REACTOR COOLANT PUMPS SEAL WATER RETURN ISOLATION AR440AR Containment Table 4.3-2 K506A K618A 3-CCPAA 2CCP-P21A PRIMARY COMPONENT COOLING WATER PUMP 21A Isolation Item 3.b.2 type: type:

AR440AR ASEA RXHA 1 Containment Table 4.3-2 2SWS-MOV154-1 CNMT AIR RECIRC CLG COILS OUTSIDE CNMT SERV WTR Isolation Item 3.b.2 OUTLET 2RHS-P21A RESIDUAL HEAT REMOVAL PUMP 21A A210 INDICATION 2QSS-P24A QUENCH SPRAY CHEMICAL INJECTION PUMP 24A 2SWS-MOV153-1 CNMT AIR RECIRC CLG COILS OUTSIDE CNMT SERV WTR INLET Containment Table 4.3-2 K618XA 862-EGSAA 2EGS-EG2-1 EMERGENCY DIESEL GENERATOR Reset D/G Sequencer.

Isolation Item 3.b.2 type: (TIMER)

MDR-4121-1 type: Block Manual opening of 2SWS-MOV154-1, 2SWS-MOV153-1, ATC-365A 2SWS-MOVI53A. Block Manual Start of 2RHS-P21A Assessment or Impact on Risk December 2002 6020 doc- 121602 Revision 2

7-20 ladle 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Containment Table 4.3-2 K625A 62-HVCAP 2HVC-MOD201C CONTROL ROOM AIR EXHAUST DAMPER Isolation Item 3.b.2 type. (TIMER) 2HVC-MOD201A CONTROL ROOM OUTSIDE AIR INTAKE DAMPER AR440AR type: 2HVC-FN241A CONTROL ROOM FILTERED AIR INTAKE FAN ATC 365A300N30PX Initiates Control Room Isolation, bottled air system and time delay start of emergency supply fan and is Interlocked with Unit 1 Control Room 3-HVCAP Isolation system type ASEA RXMH2 62-HVCADX type:

ASEA RXMH2 Containment Table 4.3-2 62-HVCADXI 99-K625A-2 ISOLATION RELAY to interlock with Unit 1 Control Room Isolation Isolation Item 3 b.2 type: System ASEA RXMH2 Containment Table 4.3-2 K619A 2CCP-MOV150-2 PRIM COMP CLG HDR ISOL - INSIDE CONTNMNT Isolation Item 3.b 2 type: K804A RESET AR440AR 2SWS-MOVI06A PRI COMP CLG WTR HXS SERV WTR SUPPLY HDR A ISOL VLV 2CCP-MOVI5I-1 PRIM COMP CLG HDR ISOL - OUTSIDE CONTNMNT 2CCP-MOV157-1 PRIM COMP CLG HDR ISOL - OUTSIDE CONTNMNT 2CCP-MOV156-2 PRIM COMP CLG HDR ISOL - INSIDE CONTNMNT Containment Table 4.3-2 K619XA Block Manual Opening of 2CCP-MOV157-1, 2CCP-MOVI50-2, 2CCP Isolation Item 3.b.2 type: MOVI5 1-1, 2CCP-MOV 156-2, 2SWS-MOV 106A MDR-412 1-1 Containment Table 4.3-2 K626A 3A-QSSAJ 2QSS-SOVIOOA CHEM INJ PUMP DISCH TO CNMT SUMP Isolation Item 3.b.2 type: type:

AR440AR ASEA RXMVB4 AccPccrni-ntnf1- -t D; t' 6020 doc-121302 December 2002 Revision 2

7-21 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Containment Table 4.3-2 62-QSSAG 2QSS-SOVI1OA CHEM INJ PUMP DISCH TO QUENCH PUMP P2 IA Isolation Item 3.b.2 (TIMER) type:

ATC 305E006L1OPX Containment Table 4.3-2 62-QSSBH 2QSS-SOVI02B CHEM INJ PUMP DISCH TO QUENCH PUMP 21B Isolation Item 3.b.2 (TIMER) type:

ATC 305E006LIOPX Containment Table 4.3-2 3-CCPCB 2CCP-P21C PRIMARY COMPONENT COOLING WATER PUMP 2 1C Isolation Item 3.b.2 type:

ASEA RXMAI Containment Table 4.3-2 2SWS-MOV152-1 CNMT AIR RECIRC CLG COILS OUTSIDE CNMT CDS INLET Isolation Item 3.b.2 2SWS-MOV155-1 CNMT AIR RECIRC CLG COILS OUTSIDE CNMT CDS OUTLET Containment Table 4.3-2 K626XA Block Manual Opening of 2SWS-MOV152-1 and 2SWS-MOV155-1, Isolation Item 3.b.2 type: Block Manual Reset of 3A-QSSAJ and 3B-QSSAJ to block close of 2QSS MDR-4121-1 SOV100A Containment Table 4.3-2 K522A K614A 3B-HVPAE 2HVP-MOD22A EXHAUST FILTER BANK DAMPER Isolation Item 3.a.2 type: type:

AR440AR ASEA RXMAI Containment Table 4.3-2 2HVS-MOD201A (2HVS-FN263A) NORM LK COLLECT Isolation Item 3.a.2 2HVS-MOD202A DAMPER/(2HVS*FN204A,204B) FLT LK COLLECT DAMPER 2FPW-AOV204 CNMT FILTER (2HVR-FLTA21 IA) CNMT ISOL 2FPW-AOV205 RHS PUMP DELUGE SYSTEM CNMT ISOL VLV 2CCP-AOV173 PRIMARY DRAINS COOLER COOLING WTR DISCH 2CCP-AOV171 PRIMARY DRAINS COOLER COOLING WTR SUPPLY uecemoer LUUL Recemiersin Assessment of Impact on Risk Revision 2 6020 doc-121302

7-22 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Containment Table 4.3-2 K614XA 2IAC-MOV133 CONTMT INSTRUMENT AIR ISOL VALVE Isolation Item 3.a.2 type: 2CCP-MOV 118 CNMT INSTR AIR COMPRESSORS CLG WATER SUPPLY ISOL MDR-412 1-1 2FPW-AOV206 REACTOR CONTMT HOSE RACKS ISOL VALVE 2FPW-AOV221 REACTOR CONT CHARCOAL FILTER DELUGE ISOL VALVE Containment Table 4.3-2 K606A 62- 2SSR-SOV128AI PRI COOL HOT LEG SAMPLE CNMT ISOL Isolation Item 3.a.2 type: SSRAB(TIMER 2SSR-SOV129AI RHR/CNMT SUMP SAMPLE CNMT ISOL AR440AR type- 2SSR-SOVI30AI PRZR RELIEF TK GAS/PDTT SAMPLE CNMT ISOL ATC 305E006LIOPX 3A/3B/3C SSRAB type.

ASEA RXME 1 3D-SSRAB type:

ASEA RXMH2 Containment Table 4.3-2 3-PASAA 2PAS-SOV105AI CONTAINMENT ATMOSPHERE SAMPLE LINE INSIDE ISOLATION Isolation Item 3.a.2 type:

ASEA RXME1 Containment Table 4.3-2 2CVS-SOV151A CNMT VAC PP 21A SUCTION ISOL Isolation Item 3.a 2 2CCP-MOV175-1 PRI COMP CLG SUPPLY ISOL 2CCP-MOV177-1 PRIM COMP CLG RET ISOL 2SWS-MOV107A SEC COMP COOLING WTR HX SERV WTR SUPPLY HDR A ISOL VLV 2CVS-SOV153A AIR ACTIVITY MONITOR INLET ISOLATION Containment Table 4.3-2 K606XA 2CVS-SOVI5IB CNMT VAC PP 21B SUCTION ISOL Isolation Item 3.a.2 type:

MDR-4121-1 C T~t December 2002 6020 doc- 121302 Revision 2

7-23 Table 7.2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Containment Table 4.3-2 K612A 3-DASAG 2DAS-AOVIOOA CNMT SUMP PMPS INSIDE CNMT DISCHARGE ISOLATION Isolation Item 3.a.2 type: type:

AR440AR ASEA RXMH2 Containment Table 4.3-2 3-DGSAC 2DGS-AOV108A PRIMARY DRAINS TFR TK PMPS INSIDE CNMT DISCHARGE ISOL Isolation Item 3.a.2 type:

ASEA RXMH2 Containment Table 4.3-2 2VRS-AOV109A1 PRZR RLF/PRI DRNS TFR TANKS OUTSIDE CNMT VENTS Isolation Item 3.a.2 ISOLATION 2SSR-AOV109AI SAFETY INJECT ACCUM SAMPLE INSIDE CNMT ISOL 2SSR-AOV102AI PRI COOL COLD LEG SAMPLE INSIDE CNMT ISOL 2SSR-AOVIOOAI PRZR LIQUID SPACE SAMPLE INSIDE CNMT ISOL 2SSR-AOV112AI PRZR VAPOR SPACE SAMPL INSIDE CNMT ISOL Spray Actuation Table 4.3-2 K505B K643B 3-QSSBAX 2QSS-P21B QUENCH SPRAY PUMP 21B Item 2.b type: type:

AR440AR ASEA RXMH2 Spray Actuation Table 4.3-2 K644B Interlock to prevent testing of K644B.

Item 2.b 2RSS-MOV156B RECIRC SPRAY PUMP 21B OUTSIDE CNMT DISCH ISOLATION 2RSS-MOV155B RECIRC SPRAY PUMP P21B OUTSIDE CNMT SUCTION ISOL A210 INDICATION 2SWS-MOV103B RECIRC SPRAY HX'S SERV WTR SUPPLY HDR B ISOL VLV Spray Actuation Table 4.3-2 K643XB Block Manual Close of 2RSS-MOV155B, 2SWS-MOV103B, 2RSS Item 2.b type: MOV156B.

MDR-4121-1 Spray Actuation Table 4.3-2 K644B 62-RSSBA 2RSS-P21B RECIRC SPRAY P21B 2-STAGE PUMP Item 2.b type: (TIMER)

AR440AR type:

ATC 365A300 Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-24 7-24 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Spray Actuation Table 4.3-2 K643B Interlock to prevent testing of K643B.

Item 2.b 2QSS-MOVIOIB QUENCH PUMP 21B DISCHARGE ISOLATION VALVE 2QSS-MOV 102B CHEM ADDITION TANK DISCH TO PUMP P24B ISOL 2QSS-MOVI00B QUENCH PUMP 21B SUCTION ISOLATION VALVE 99PCB I-AE SIG ISOL Spray Actuation Table 4.3-2 K644XB Block Manual Close of 2QSS-MOV010B, 2QSS-MOVI02B, Item 2.b type: 2QSS-MOV1OOB. Block Manual Trip of 2RSS-P2 IB.

MDR-4121-1 Spray Actuation Table 4.3-2 K645B 62-RSSDA 2RSS-P21D RECIRC SPRAY PUMP 21D Item 2.b type. (TIMER)

AR440AR type ATC 365A300N30PX Spray Actuation Table 4.3-2 2RSS-MOV155D RECIRC SPRAY PUMP P21D OUTSIDE CNMT SUCTION ISOL Item 2.b 2RSS-MOV156D RECIRC SPRAY PUMP 21D OUTSIDE CNMT DISCH ISOLATION Spray Actuation Table 4.3-2 K645XB Block Manual Close of 2RSS-MOVI55D, 2RSS-MOVI56D Item 2.b type: Block Manual Trip of 2RSS-P2 ID.

MDR-4121-1 Spray Actuation Table 4.3-2 K505A K644A 62-RSSAA 2RSS-P21A RECIRC SPRAY P2IA 2-STAGE PUMP Item 2.b type: (TIMER)

AR440AR type:

ATC 365A300N30PX Spray Actuation Table 4.3-2 990CB I-AA SIGNAL ISOL Item 2.b 2QSS-MOV101A QUENCH PUMP 21A DISCHARGE ISOLATION VALVE 2QSS-MOVI02A QUENCH SPRAY CHEM ADD TANK DISCH TO CHEM INJ PMP 24A 2QSS-MOVIOOA QUENCH SPRAY PUMP 21A SUCTION ISOL VALVE K643A INTERLOCK TO PREVENT TESTING OF K643A iiieiiL A----t 01 impact on tUSK 6s02ssment 0impact dKISK on December 2002 6020 doc. 121302 Revision 2

7-25 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Spray Actuation Table 4.3-2 K644XA Block Manual Close of 2QSS-MOV1OIA, 2QSS-MOV102A, Item 2.b type: 2QSS-MOV1OOA. Block Manual Trip of 2RSS-P21A.

MDR-4121-1 Spray Actuation Table 4.3-2 K643A 3-QSSAAX 2QSS-P21A QUENCH SPRAY PUMP 21A Item 2.b type: type:

AR440AR ASEA RXMH2 Spray Actuation Table 4.3-2 2RSS-MOVI56A RECIRC SPRAY PUMP 21A OUTSIDE CNMT DISCH ISOL Item 2.b 2RSS-MOV155A RECIRC SPRAY PUMP 21A OUTSIDE CNMT SUCTION ISOL 2SWS-MOV103A RECIRC SPRAY HX'S SERV WTR SUPPLY HDR A ISOL VLV A210 INDICATION K644A Interlock to prevent testing of K644A.

Spray Actuation Table 4.3-2 K643XA Block Manual Close of 2RSS-MOVI55A, 2SWS-MOV103A, Item 2.b type: 2RSS-MOV156A.

MDR-4121-1 Spray Actuation Table 4.3-2 K645A 62-RSSCA 2RSS-P21C RECIRC SPRAY P21C 2-STAGE PUMP Item 2.b type: (TIMER)

AR440AR type:

ATC 365A300N30PX Spray Actuation Table 4.3-2 2RSS-MOV155C RECIRC PUMP 21C OUTSIDE CNMT SUCTION ISOLATION Item 2.b 2RSS-MOV156C RECIRC SPRAY PUMP 21C OUTSIDE CNMT DISCH ISOLATION Spray Actuation Table 4.3-2 K645XA Block Manual Close of 2RSS-MOVI55C, 2RSS-MOVI56C. Block Item 2.b type: Manual Trip of 2RSS-P2IC.

MDR-4121-1 Spray Actuation Table 4.3-2 K519B K645B 62-RSSDA 2RSS-P21D RECIRC SPRAY PUMP 21D Item 2.b type: (TIMER)

AR440AR type:

ATC 365A300N30PX Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-26 iiaie 7-2 Relay to lquipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Spray Actuation Table 4.3-2 2RSS-MOVI55D RECIRC SPRAY PUMP P21D OUTSIDE CNMT SUCTION ISOL Item 2.b 2RSS-MOV156D RECIRC SPRAY PUMP 21D OUTSIDE CNMT DISCH ISOLATION Spray Actuation Table 4.3-2 K645XB Block Manual Close of 2RSS-MOV155D, 2RSS-MOVI56D.

Item 2.b type: Block Manual Trip of 2RSS-P2 ID.

MDR-4121-1 Spray Actuation Table 4.3-2 K644B 62-RSSBA 2RSS-P21B RECIRC SPRAY P2IB 2-STAGE PUMP Item 2.b type- (TIMER)

AR440AR type:

ATC 365A300 Spray Actuation Table 4.3-2 K643B SLAVE RELAY Item 2.b 2QSS-MOVIOIB QUENCH PUMP 21B DISCHARGE ISOLATION VALVE 2QSS-MOV102B CHEM ADDITION TANK DISCH TO PUMP P24B ISOL 2QSS-MOVIOOB QUENCH PUMP 21B SUCTION ISOLATION VALVE 99PCB I-AE INDICATION Spray Actuation Table 4.3-2 K644XB Block Manual Close of 2QSS-MOVIOIB, 2QSS-MOV102B, 2QSS Item 2.b type: MOVI00B. Block Manual Trip of 2RSS-P2IB.

MDR-4121-1 Spray Actuation Table 4.3-2 K643B 3-QSSBAX 2QSS-P21B QUENCH SPRAY PUMP 21B Item 2.b type: type:

AR440AR ASEA RXMH2 Spray Actuation Table 4.3-2 K644B SLAVE RELAY Item 2.b 2RSS-MOV156B RECIRC SPRAY PUMP 21B OUTSIDE CNMT DISCH ISOLATION 2RSS-MOV155B RECIRC SPRAY PUMP P21B OUTSIDE CNMT SUCTION ISOL A210 INDICATION 2SWS-MOVI03B RECIRC SPRAY HX'S SERV WTR SUPPLY HDR B ISOL VLV, Spray Actuation Table 4.3-2 K643XB Block Manual Close of 2RSS-MOVI55B, 2SWS-MOVI03B, Item 2.b type: 2RSS-MOV 156B.

MDR-4121-1 Assesmpnt cnf Im nnit - V; 1, 6020 doc- 12 1302 December 2002 Revision 2

7-27 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Spray Actuation Table 4.3-2 K519A K643A 3-QSSAAX 2QSS-P21A QUENCH SPRAY PUMP 21A Item 2.b type: type:

AR440AR ASEA RXMH2 Spray Actuation Table 4.3-2 2RSS-MOVI56A RECIRC SPRAY PUMP 21A OUTSIDE CNMT DISCH ISOL Item 2.b 2RSS-MOV155A RECIRC SPRAY PUMP 21A OUTSIDE CNMT SUCTION ISOL 2SWS-MOV103A RECIRC SPRAY HX'S SERV WTR SUPPLY HDR A ISOL VLV A210 INDICATION K644A SLAVE RELAY Spray Actuation Table 4.3-2 K643XA Block Manual Close of 2RSS-MOVI55A, 2SWS-MOVI03A, Item 2.b type: 2RSS-MOV 156A.

MDR-4121-1 Spray Actuation Table 4.3-2 K644A 62-RSSAA 2RSS-P21A RECIRC SPRAY P2IA 2-STAGE PUMP Item 2.b type: (TIMER)

AR440AR type:

ATC 365A300N30PX Spray Actuation Table 4.3-2 990CB 1-AA SIGNAL ISOL Item 2.b 2QSS-MOV101A QUENCH PUMP 21A DISCHARGE ISOLATION VALVE 2QSS-MOVI02A QUENCH SPRAY CHEM ADD TANK DISCH TO CHEM INJ PMP 24A 2QSS-MOVIOOA QUENCH SPRAY PUMP 21A SUCTION ISOL VALVE K643XA SLAVE RELAY Spray Actuation Table 4.3-2 K644XA Block Manual Close of 2QSS-MOV101A, 2QSS-MOV102A, Item 2.b type: 2QSS-MOVIOOA. Block Manual Trip of 2RSS-P21A.

MDR-4121-1 Spray Actuation Table 4.3-2 K645A 62-RSSCA 2RSS-P21C RECIRC SPRAY P21C 2-STAGE PUMP Item 2.b type: (TIMER)

AR440AR type:

ATC 365A300N30PX Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-28 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Spray Actuation Table 4.3-2 2RSS-MOV155C RECIRC SPRAY PUMP 21C OUTSIDE CNMT SUCTION ISOLATION Item 2.b 2RSS-MOVI56C RECIRC SPRAY PUMP 21C OUTSIDE CNMT DISCH ISOLATION Spray Actuation Table 4 3-2 K645XA Block Manual Close of 2RSS-MOV 155C, 2RSS-MOV 156C.

Item 2.b type- Block Manual Trip of 2RSS-P21C.

MDR-4121-1 Steam Stop Table 4.3-2 K504B K623B SLI-BX-MSSAD 2MSS-AOVIOIA (2RCS*SG21A) MN STM ISOL VALVE Valves Item 4.b type: type:

AR440AR ARD 3X-MSSAD type:

ASEA RXMAI Steam Stop Table 4.3-2 SLI-BX-MSSBD 2MSS-AOV1OlB (2RCS*SG21B) MN STM ISOL VALVE Valves Item 4.b type:

ARD 3X-MSSBD type:

ASEA RXMA.1 Steam Stop Table 4.3-2 SLI-BX-MSSCD 2MSS°AOVO10C (2RCS*SG2 IC) MN STM ISOL VALVE Valves Item 4 b type:

ARD 3X-MSSCD type, ASEA RXMAI Steam Stop Table 4.3-2 K806 RESET Valves Item 4.b 99PCB 1-X SIGNAL ISOL vecemoer uu Assessment of Impact on Risk RecemiersUn2 Revision 2 6020 doc- 121302

7-29 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Steam Stop Table 4.3-2 K616B 2SDS-AOV 111A2 MN STEAMLINE A DRAIN TO CONDENSER Valves Item 4.b type: 2SDS-AOVI IIB2 MN STEAMLINE B DRAIN TO CONDENSER AR440AR 2SDS-AOV I1C2 MN STEAMLINE C DRAIN TO CONDENSER 2MSS-AOVI02A 21A SG MN STM BYPASS TRIP VALVE 2SDS-AOV129B RESIDUAL HEAT RELEASE PIPING DRAIN ISOL 2MSS-AOV102B 21B SG MN STM BYPASS TRIP VALVE 2MSS-AOV102C 21C SG MN STM BYPASS TRIP VALVE 99-PAB2-S INDICATION Steam Stop Table 4.3-2 K504A K616A 2SDS-AOV 111AI MN STMLINE A DRAIN TO CONDENS Valves Item 4.b type: 2MSS-AOV102A 21A STEAM GEN MN STM BYPASS TRIP VALVE AR440AR 2SDS-AOVI IIB1 MN STMLINE B DRAIN TO CONDENS 2SDS-AOV129A RESID HEAT RELEASE PIPING DRAIN ISOL 2MSS-AOV102B 211B STEAM GEN MN STM BYPASS TRIP VALVE 2MSS-AOV102C 21C STEAM GEN MN STM BYPASS TRIP VALVE 2SDS-AOVII1C1 MN STEAMLINE C DRAIN TO CONDENSER Steam Stop Table 4.3-2 K623A SLI-AX-MSSAB 2MSS-AOVIO0A (2RCS*SG21 A) MN STM ISOL VALVE Valves Item 4.b type: type:

AR440AR ARD 3X-MSSAB type:

ASEA RXMA1 Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-30 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Steam Stop Table 4.3-2 SLI-AX-MSSBB 2MSS-AOVIOIB (2RCS*SG21B) MN STM ISOL VALVE Valves Item 4.b type' ARD 3X-MSSBB type:

ASEA RXMAI Steam Stop Table 4 3-2 SLI-AX-MSSCB 2MSS-AOVIO0C (2RCS*SG21C) MN STM ISOL VALVE Valves Item 4.b type:

ARD 3X-MSSCB type:

ASEA RXMAI Steam Stop Table 4.3-2 K806A RESET Valves Item 4 b 99-OCB 1-S SIGNAL ISOL Main Feedwater Table 4.3-2 K507B K620B 2FWS-FCV498 21C SG MAIN FEEDWATER REG VLV Valve Closure Item 5.a type: 2FWS-FCV488 21B SG MAIN FEEDWATER REG VLV AR440AR 2FWS-FCV478 21A SG MAIN FEEDWATER REG VLV A405 Input to multiplexing for indication only K801B Operates K801B, which during SSPS testing prevents reset of K801B relay unless K620B is de-energized Main Feedwater Table 4.3-2 K507A K620A K801A Operates K801A, which during SSPS testing prevents reset of K80IA relay Valve Closure Item 5 a type: unless K620A is de-energized AR440AR A405 A405 is input to multiplexing for indication only Feedwater Table 4.3-2 K520B K622B type None Bypass Valves Item 5.a AR440AR Blocked Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-31 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Feedwater Table 4.3-2 K636B 2FWS-FCV479B 21A SG FEEDWATER BYPASS CONTROL VLV Bypass Valves Item 5.a type: P/O Univ. A405 PROTECTION OUTPUT Blocked AR440AR 2FWS-FCV489B 21B SG FEEDWATER BYPASS CONTROL VLV 2FWS-FCV499B 21C SG FEEDWATER BYPASS CONTROL VLV Feedwater Table 4.3-2 K520A K636A None Bypass Valves Item 5.a type:

Blocked AR440AR Feedwater Table 4.3-2 K622A K811A RESET Bypass Valves Item 5.a type: 2FWS-HYVI57C 21C SG FEEDWATER ISOL VLV Blocked AR440AR 2FWS-HYVI57B 21B SG FEEDWATER ISOL VLV 2FWS-HYVI57A 21A SG FEEDWATER ISOL VLV Trip Turbine and Table 4.3-2 K508B K621B 5-FWSAB 2FWS-P21AI STEAM GEN FEED PUMP 21A Feedwater Pumps Item 5.a type: type: 2FWS-P21A2 AR440AR HGA- 11 Trip Turbine and Table 4.3-2 5-FWSBB 2FWS-P21B 1 STEAM GEN FEED PUMP 2 18 Feedwater Pumps Item 5.a type: 2FWS-P21B2 HGA- 11 Trip Turbine and Table 4.3-2 ITX-FWSNF 2FWS-P24 STEAM GENERATOR START-UP FEED PUMP Feedwater Pumps Item 5.a type:

SG RELAY Trip Turbine and Table 4.3-2 R-RPT 2TMA-1AST Turbine trip solenoids.

Feedwater Pumps Item 5.a type: 2TMA-2AST ARD 420S 2TMA-3AST The same signal that causes TT and K508 actuation also goes to the RTBs.

99-R-RPT 2TMA-4AST Actuating K621B does not cause actuation of RTBs. Actuation of N.O.

type: K621A contact operates 20-RPT(initiated also by Reactor Trip ckt) in SD CX3918 Turbine Trip Circuit TMAAD.

99X-R-RPT type:

ASEA RXMAI Assessment of Impact on Risk December 2002 6020 doc-121302 Revision 2

7-32 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Trip Turbine and Table 4 3-2 K508A K621A ITX-FWSNF 2FWS-P24 STEAM GENERATOR START-UP FEED PUMP Feedwater Pumps Item 5.a type: type:

AR440AR SG Relay Tnp Turbine and Table 4.3-2 2TMA-SOV20RPT TURBINE TRIP Feedwater Pumps Item 5.a 2FWS-P21AI STEAM GEN FEED PUMP 21A 2FWS-P2IB1 STEAM GEN FEED PUMP 21B Turbine Auxiliary Table 4.3-2 K514B K632B 2MSS-SOV105F TURBINE DRIVEN AUX FEEDWATER PUMP STEAMLINE C ISOL Feed Pump Item 7.a type: VALVE (Delayed) AR440AR 2MSS-SOVI05E TURBINE DRIVEN AUX FEEDWATER PUMP STEAMLINE B ISOL 2MSS-SOV105B VALVE Turbine Auxiliary Table 4.3-2 K515B K633B 2MSS-SOV105F TURBINE DRIVEN AUX FEEDWATER PUMP STEAMLINE C ISOL Feed Pump Item 7 a type: VALVE AR440AR 2MSS-SOV105E TURBINE DRIVEN AUX FEEDWATER PUMP STEAMLINE B ISOL 2MSS-SOVI05B VALVE Motor Auxiliary Table 4.3-2 K516B K634B 2FWE-P23B MOTOR-DRIVEN AUX FEED PUMP Feed Pump Item 7.a type:

AR440AR Turbine Auxiliary Table 4.3-2 K514A K632A 2MSS-SOV105A TURBINE DRIVEN AUX FEEDWATER PMP STEAMLINE A ISOL Feed Pump Item 7.a type: VALVE (Delayed) AR440AR 2MSS-SOVI05D TURBINE DRIVEN AUX FEEDWATER PMP STEAMLINE A ISOL VALVE 2MSS-SOV105C TURBINE DRIVEN AUX FEEDWATER PMP STEAMLINE C ISOL VALVE Turbine Auxiliary Table 4.3-2 K515A K633A 2MSS-SOV105D TURBINE DRIVEN AUX FEEDWATER PMP STEAMLINE A ISOL Feed Pump Item 7.a type. VALVE AR440AR 2MSS-SOVI05A TURBINE DRIVEN AUX FEEDWATER PMP STEAMLINE A ISOL VALVE 2MSS-SOV105C TURBINE DRIVEN AUX FEEDWATER PMP STEAMLINE C ISOL VALVE Assessment ot Impact on Risk December 2002 6020 doc-121302 Revision 2

7-33 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Motor Auxiliary Table 4.3-2 K516A K634A 2FWE-P23A MOTOR-DRIVEN AUX FEED PUMP Feed Pump Item 7.a type:

AR440AR RCP K509A K627A 2RCS-P21A REACTOR COOLANT PUMP LOOP A Underfrequency AR440AR K807A RESET RCP K509B K627B type: 2RCS-P21B REACTOR COOLANT PUMP LOOP B Underfrequency AR440AR KS07B RESET RCP K509A K627A K807 RESET Underfrequency type: 2RCS-P2 IC REACTOR COOLANT PUMP LOOP C AR440AR Pressurizer Relief K510B K628B type: 2SIS-MOV865B SI ACCUMULATOR TK21B DISCH STOP Block AR440AR 2SIS-MOV865C SI ACCUMULATOR TK21C DISCH STOP N.C. K628B contact identified as Pressurizer Relief Block in Safety Injection Accumulator Outlet Isolation Valve Circuit.

Pressurizer Relief K510A K628A 2SIS-MOV865A SI ACCUMULATOR TK2IA DISCH STOP Block type: N.C. K628A contact identified as Pressurizer Relief Block in Safety AR440AR Injection Accumulator Outlet Isolation Valve Circuit.

Pressurizer K523B K646B type: 4-RCSNB 2RCS-PCV455C PZR. POWER RELIEF Pressure Relief AR440AR type:

Interlock ASEA RXMH2 Pressurizer K802B RESET K802B Safeguards Test Cabinet.

Pressure Relief Interlock Pressurizer K648B type: 3-RCSNJ 2RCS-MOV535 (2RCS*PCV455C) ISOLATION Pressure Relief AR440AR type:

Interlock ASEA RXMA 1 Assessment of Impact on Risk December 2002 6020 doc-121302 Revision 2

7-34 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Pressurizer K523A K649A 2RCS-MOV537 (2RCS*PCV455D) ISOLATION Pressure Relief Interlock Pressurizer K648A 3-RCSNK 2RCS-MOV536 (2RCS*PCV456) ISOLATION Pressure Relief type: type Interlock AR440AR ASEA RXMAI Pressunzer K647A 4-RCSNC 2RCS-PCV455D PZR. POWER RELIEF Pressure Relief type: type:

Interlock AR440AR ASEA RXMH2 Pressurizer K805A RESET K805A Safeguards Test Cabinet.

Pressure Relief Interlock Pressurizer K646A 4-RCSNA 2RCS-PCV456 PZR POWER RELIEF Pressure Relief type: type:

Interlock AR440AR ASEA RXMH2 Pressurizer K802A RESET K802A Safeguards Test Cabinet.

Pressure Relief Interlock Lo-Lo TAVG K513B K631B SDL-B-MSSNF None Steam Dump type: type:

Interlock AR440AR AR440AR Lo-Lo TAVG SDX5BI-MSSNF None Steam Dump type:

Interlock AR440AR Lo-Lo TAVG SDX5B2-MSSNF None Steam Dump type:

Interlock AR440AR Assessment ot Impact on Risk December 2002 6020 doc-121302 Revision 2

7-35 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Lo-Lo TAVG SDX6B-MSSNF 2MSS-PSV106A2 (2MSS-PCV106A) SOLENOID Steam Dump type: 2MSS-PSV106B2 (2MSS-PCV106B) SOLENOID Interlock AR880AR 2MSS-PSVI06C2 (2MSS-PCV106C) SOLENOID Lo-Lo TAVG SDX7B 1-MSSNF 2MSS-TSVI06A2 (2MSS-TCV 106A) SOLENOID Steam Dump type: 2MSS-TSVI06B2 (2MSS-TCV106B) SOLENOID Interlock AR880AR 2MSS-TSVI06C2 (2MSS-TCV106C) SOLENOID 2MSS-TSVI06D2 (2MSS-TCVI06D) SOLENOID 2MSS-TSVI06E2 (2MSS-TCV 106E) SOLENOID 2MSS-TSVI06F2 (2MSS-TCV106F) SOLENOID 2MSS-TSVI06G2 (2MSS-TCVI06G) SOLENOID Lo-Lo TAVG SDX7B2-MSSNF 2MSS-TSVI06Q2 (2MSS-TCVI06Q) SOLENOID Steam Dump type: 2MSS-TSVI06H2 (2MSS-TCV106H) SOLENOID Interlock AR880AR 2MSS-TSVI06J2 (2MSS-TCV106J) SOLENOID 2MSS-TSVI06K2 (2MSS-TCVI06K) SOLENOID 2MSS-TSVI06L2 (2MSS-TCV106L) SOLENOID 2MSS-TSVI06M2 (2MSS-TCV106M) SOLENOID 2MSS-TSV I06N2 (2MSS-TCV 106N) SOLENOID 2MSS-TSVI06P2 (2MSS-TCV106P) SOLENOID Lo-Lo TAVG K513A K631A SDL-A-MSSNE None Steam Dump type: type:

Interlock AR440AR AR440AR Lo-Lo TAVG SDX-5A1- None Steam Dump MSSNE Interlock type:

AR440AR Lo-Lo TAVG SDX-5A2- None Steam Dump MSSNE Interlock type:

AR440AR Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-36 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Lo-Lo TAVG SDX-6A-MSSNE 2MSS-PSVI06AI (2MSS-PCV106A) SOLENOID Steam Dump type: 2MSS-PSVI06B1 (2MSS-PCVI06B) SOLENOID Interlock AR880AR 2MSS-PSVI06CI (2MSS-PCVI06C) SOLENOID Lo-Lo TAVG SDX-7A1- 2MSS-TSVI06AI (2MSS-TCVI06A) SOLENOID Steam Dump MSSNE 2MSS-TSVI06BI (2MSS-TCVI06B) SOLENOID Interlock type: 2MSS-TSV 106C I (2MSS-TCV 106C) SOLENOID AR880AR 2MSS-TSVI06DI (2MSS-TCV106D) SOLENOID 2MSS-TSV106EI (2MSS-TCV106E) SOLENOID 2MSS-TSVI06FI (2MSS-TCV 106F) SOLENOID 2MSS-TSVI06G1 (2MSS-TCV106G) SOLENOID Lo-Lo TAVG SDX-7A2- 2MSS-TSV106QI (2MSS-TCV106Q) SOLENOID Steam Dump MSSNE 2MSS-TSVI06HI (2MSS-TCV106H) SOLENOID Interlock type. 2MSS-TSVI06JI (2MSS-TCV106J) SOLENOID AR880AR 2MSS-TSVI06KI (2MSS-TCV106K) SOLENOID 2MSS-TSV I06L I (2MSS.TCV 106L) SOLENOID 2MSS-TSVI06M I (2MSS-TCV106M) SOLENOID 2MSS-TSVI06NI (2MSS-TCVI06N) SOLENOID 2MSS-TSVI06PI (2MSS-TCV106P) SOLENOID Generator Trip K517B K635B 62-TMABA Exciter Bkr. Exciter field breaker (Main Turbine type' (TIMER) Bkr. 42C 4 kV Bus 2A Supply Breaker from USST Vlvs) AR440AR type: Bkr. 142C 4 kV Bus 2B Supply Breaker from USST ATC 305E Bkr. 242D 4 kV Bus 2C Supply Breaker from USST 99B-TMABAX2 Bkr 342D 4 kV Bus 2D Supply Breaker from USST type: PCB 352 Main generator output breaker SD CX3918 PCB 362 Main generator output breaker 99BX-TMABAX2 type:

ASEA RXMAI 86-TMABB type:

LOR A-*ssessment o0 impact on KISK December 2002 6020 doc- 121302 Revision 2

7-37 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description Generator Trip K517A K635A 62-TMAAA Exciter Bkr. Exciter field breaker (Main Turbine type: (TIMER) Bkr. 42C 4 kV Bus 2A Supply Breaker from USST Vlvs) AR440AR type: Bkr. 142C 4 kV Bus 2B Supply Breaker from USST ATC 305E Bkr. 242D 4 kV Bus 2C Supply Breaker from USST 99B-TMAAAX2 Bkr. 342D 4 kV Bus 2D Supply Breaker from USST type: PCB 352 Main generator output breaker SD CX3918 PCB 362 Main generator output breaker 99BX TMAAAX2 type:

ASEA RXMA1 86-TMAAB type:

LOR RWST Lo-Lo K526B K617B 3-RSSBD 2RSS-MOV156D RECIRC SPRAY PUMP 21D OUTSIDE CNMT DISCH ISOLATION Level I type: type: 2CHS-P21B HI HEAD SAFETY INJ CHARGING PUMP AR440AR ASEA RXMH2 2CHS-LCV115D CHARGING PUMP SUCTION FROM RWST RWST Lo.Lo 3X-RSSBD 2CHS-P21C HI HEAD SAFETY INJ CHARGING PUMP(also actuated by 3X Level I type: RSSAD).

ASEA RXMH2 2RSS-P21D RECIRC SPRAY PUMP 21D 2SIS-MOV8809B LHSI PUMP (2SIS*P2B) SUCTION ISOLATION RWST Lo-Lo 2SIS-P21B LOW HEAD SAFETY INJECTION PUMP Level I 2SIS-MOV881 lB RS PP (2RSS*P21D) DISCH CROSSOVER TO LHSI P21B DISCH 2SISMOV8887B LOW HEAD SI PUMP 21B DISCH TO HOT LEGS ISOLATION RWST Lo-Lo K624B 2SIS-MOV863B LHSI PUMP 21B DISCH TO HHSI PUMPS ISOLATION Level 1 type:

AR440AR RWST Lo-Lo K526A K624A 2SIS-MOV863A LHSI PUMP 2 1A DISCH TO HHSI PUMPS ISOLATION Level I type:

AR440AR Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-38 Table 7-2 Relay to Equipment Matrix (cont.)

ESF Actuation Tech Spec Master Slave Relay Interposing Actuated Signal Item Relay and Type Relays and Type Components Description RWST Lo-Lo K617A 3-RSSAD 2RSS-MOVI56C RECIRC SPRAY PUMP 21C OUTSIDE CNMT DISCH ISOLATION Level 1 type: type, 2CHS-P21A HI HEAD SAFETY INJ CHARGING PUMP AR440AR ASEA RXMH2 2CHS-LCV115B CHARGING PUMP SUCTION FROM RWST RWST Lo-Lo 3X-RSSAD 2CHS-P21C HI HEAD SAFETY INJ CHARGING PUMP(also actuated by 3X-RSSBD)

Level I type, 2SIS-MOV8809A LHSI PUMP (2SIS*P2A) SUCTION ISOLATION ASEA RXMH2 2RSS-P21C RECIRC SPRAY P2IC 2-STAGE PUMP RWST Lo-Lo 2SIS-MOV8811A RS PP (2RSS*P21C) DISCH CROSSOVER TO LHSI P21A DISCH Level I 2SIS-MOV8887A LOW HEAD SI PUMP 21A DISCH TO HOT LEGS ISOLATION 2SIS-P21A LOW HEAD SAFETY INJECTION PUMP General Warning K524A 52/RTB UV/STB BREAKER UNDERVOLTAGE BYB UV General Warning Annunciator General Warning 52/RTA UV/STA BREAKER UNDERVOLTAGE BYA UV General Warning Red Light General Warning K524B 52/RTA UV/STA BREAKER UNDERVOLTAGE BYA UV General Warning Annunciator General Warning 52/RTB UV/STB BREAKER UNDERVOLTAGE BYB UV General Warning Red Light Assessment or impact on KiSK December 2002 6020 doc- 121302 Revision 2

7-39 7.1.3 Model Adjustments for this Application ý Excluded Relays The Revision 3A model includes a contribution from all slave-relays and interposing-relays in the SSPS split-fractions. The model was refined to increase the fidelity of the model with respect to new STIs for slave-relays and interposing-relays. Certain slave-relays and interposing-relays actually play no role in mitigating accidents. In some cases the relays provides indication only. The relays on Table 7-3 are on Table 7-2, but are not modeled (i.e., represented by failure events in the fault tree). It was clear in the early development of the model that these Table 7-3 relays would play no part in accident mitigation.

Table 7-3 Excluded Relays That Were Not Modeled in the Fault Tree Interposing Slave SDL_A_MSSNE RRPT K622_B SDLBMSSNF 99_R_RPT K627_A SDX_5AIMSSNE 99X_R_RPT K627_B SDX_5A2_MSSNE 3_HVCAP K628_A SDX5BIMSSNF K628_B SDX5B2_MSSNF K636_A 3_HVCBP K643X_A K643X_B K644X_A I-39 K644X_B K645X_A K645X_B Assessment of Impact on Risk December 2002 6020.doc-121302 Revision 2

7-40 Later exclusions (listed on Table 7-4) were handled by simply setting the corresponding event to zero.

The "base case" in this work differs from the Revision 3A CDF results and LERF results in that the non contributing relays (see Table 7-4) have a zero failure probability. The quantification assigns a zero failure probability so these relays do not contribute to any split fraction value.

Table 7-4 Excluded Relays That Were Modeled, But Have a Zero Failure Probability Interposing Slave 3_HVRAA 3BHVSAC K601_A 3_HVRAB 3BHVSAE K602_A 3_HVRAD 3BHVSBE K602_B 3_HVRAM 3CHVSAB K603X_B 3_HVRBB 3DSSRAB K609X_A 3_HVRBD 62_HVCADX K609XB 3_HVRBM 62-HVCADX1 K61IX_A 3_HVRCA 62-HVCAP K613X_A 3_HVRCB 62_HVCBDX K613X_B 3_HVSBB 62_HVCBDX1 K615_A 3_HVSBG 62_HVCBP K615_B 3_PASAA 62-QSSAG K619X_A 3_RCPAL 62_QSSBF K619XB 3_RCPAM 62-QSSBH K620_A 3_RCPBL 62_SSRAB K625_A 3_RCPBM 62_TMAAA K625_B 3A_3B_3CSSRAB 62_TMABA K626XA 3AHVSBC 86_TMAAB K626X_B 3AQSSAJ 86_TMABB K63 I_A 3AQSSBJ 99BTMAAAX2 K631_B 3BHVPAE 99BTMABAX2 K635_A 3BHVPBE 99BX-TMAAAX2 K635_B 99BXTMABAX2 SDX_6AMSSNE SDX_7AIMSSNE SDX_7A2_MSSNE SDX_6BMSSNF SDX7B IMSSNF SDX7B2_MSSNF Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-41 Plant Specific SSPS Split-Fraction Values Revision 3A used slave-relay and interposing-relay failure probabilities that did not represent actual plant experience. As part of this work, the model was quantified with plant specific values as discussed in Section 7.2. In addition, the non-contributing relay failure probability was set to zero. In addition, new ATWS split-fraction logic rules were employed as discussed in Section 7.4. Thus, the CDF and LERF values differ from that for Revision 3A.

7.1.4 Quantification Process The support-state model demonstrates the affect on CDF and LERF when changing the STI for slave relays and interposing-relays. Solving the plant model for this work is a two step process. Step one determines values for the 72-independent SSPS split fractions with the fault-tree model. Step two involves transferring those values to the support-state model and then solving to obtain new CDF and LERF values.

This work demonstrates the acceptability of extending the STIs for the slave-relays and interposing-relays by showing the CDF and LERF changes associated with a new 9-month, 12-month, and 18-month STI.

In summary, this work discusses four cases called "base," "9-month," "12-month," and "18-month." For each of these four cases, the quantification process determined a set of 72 independent SSPS split-fraction values. Thus for the four cases, 288 split-fraction values were determined. The split fraction values as well as a description appear on Table 7-10.

Each set of split-fractions was loaded into the support state model to determine a CDF and LERF for each STI extension. The CDF and LERF values for'the extended STIs are compared to their respective values for the base case (3 month STIs). The increases in each are then compared to the acceptance criteria for the ACDF and ALERF of IE-6/yr and 1E-7/yr respectively in Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," (see Reference 1).

7.2 COMPONENT DATA DEVELOPMENT 7.2.1 Introduction The failure probability values in the fault-tree quantification process come from a variety of sources discussed in Section 7.2.2. This work depends on a special effort made to identify a proper demand failure probability for slave-relays and interposing-relays. The quantification process would tend to exaggerate any conservatism in probabilities assigned to slave-relays and interposing-relays. The primary contributors to SSPS split-fraction values arise from single failures because the logic for a particular SSPS split fraction is largely a collection of OR gates. That is, the quantification sums the failure probabilities of all of the events in the sub-tree. There are very few AND gates in the model. As there are numerous slave-relays associated with any given SSPS split-fraction, a relay failure probability higher than best-estimate would tend to overstate the failure probability represented by the SSPS split fraction.

A generic mean-failure rate was selected to represent the priori distribution for the slave and interposing relays used at Beaver Valley - Unit 2. This technique keeps this work from being dependent on either a Assessment of Impact on Risk December 2002 6020 doc-121302 Revision 2

7-42 particular relay model or a relay manufacturer. BVPS provided operating experience data for their slave relays and interposing-relays in terms of number of test demands and number of failures. The data was analyzed through the following steps. A generic mean priori and an error factor were selected. Plant specific experimental information was collected and used to perform a Bayesian update of the generic failure probability to determine the value used in the SSPS split-fraction quantification.

7.2.2 Relay Types and Associated Failure Probabilities Plant specific values were collected on all ESF slave-relays and interposing-relays tested by the following quarterly-interval plant procedures for the period from 1996 through 2001.

Table 7-5 Surveillance Test Procedures for BVPS Slave Relays Procedure Number Procedure Title 20ST-1.1 1A BVPS-2 Safeguards Protection System Train A Blockable Test 2OST-1.1 lB BVPS-2 Safeguards Protection System Train A SIS Go Test 20ST-1.1 IC BVPS-2 Safeguards Protection System Train A CIB/Spray Actuation Test 20ST-1. I ID BVPS-2 Safeguards Protection System Train A CIA Go Test 20ST-1. 11E BVPS-2 Safeguards Protection System Train A Miscellaneous Go Test 2OST-1.12A BVPS-2 Safeguards Protection System Train B Blockable Test 20ST-1.12B BVPS-2 Safeguards Protection System Train B SIS Go Test 20ST-1.12C BVPS-2 Safeguards Protection System Train B CIB/Spray Actuation Test 20ST-1.12D BVPS-2 Safeguards Protection System Train B CIA Go Test 20ST-1.12E BVPS-2 Safeguards Protection System Train B Miscellaneous Go Test lOST-1 11 BVPS-I Safeguards Protection System Train A Test 1OST- 1.12 BVPS-1 Safeguards Protection System Train B Test The only failures in this period involved relays in a quarterly testing scheme. There was only 1 failure out of 4311 relay actuations in the data set reviewed.

A C I*Is* enLL U0 II1mpaCL on RiSK December 2002 6020 doc- 121302 Revision 2

7-43 Table 7-6 Demands and Failures per Relay Type for Slave and Interposing Relays Subject to Quarterly Tests at BVPS Units 1 and 2 Relay Type # Demands in the Quarterly Test # Failures in the Quarterly Test 7012PC 92 0 AR440AR 1556 1 AR880AR 50 0 ARD 96 0 ASEA RXHAI 29 0 ASEA RXMAI 573 0 ASEA RXMA2 6 0 ASEA RXMEI 209 0 ASEA RXMH2 341 0 ASEA RXMVB4 128 0 ATC 305E 48 0 ATC Timer 305E0061A10PX 29 0 ATC Timer 305E006LIOPX 180 0 ATC Timer 365A300 45 0 ATC Timer 365A300N30PX 115 0 ATC-365A 88 0 GE CR120BI02202 49 0 ITE-J13 248 0 MDR-4121-1 429 0 TOTAL 4311 1 Assessment of Impact on Risk December 2002 6020.doc-121302 Revision 2

7-44 Data sources for relay failure rates were reviewed. The EPRI ALWR Key Assumptions and Groundrules (KAG) (Reference 6) presents a value of 1.OE-4/demand for general electromechanical relays.

NUREG/CR-4639 (Reference 10) does not provide a failure rate for relays equivalent to the slave and interposing-relays. However, it does provide failure probability values for control relays. The median probability of failure-to-open or failure-to-close presented in NUREG/CR-4639 is of the order of 4.OE-6 per demand with an error factor of 1.6. This is equivalent to a mean of 4.2 E-06 per demand. This is significantly below the KAG value. NUREG/CR4639 also presents a median failure rate of 3.6E-07 per hour for "control relay fails-to-operate" with an error factor of 1.5. Assuming a log-normal distribution, this is equivalent to a mean standby-failure-rate of 3.8 1E-7 per hour. For a quarterly test interval, this would convert to an unavailability of approximately 4E-04 per demand, which is consistent with the KAG value (e.g., UA = XT/2 where X is 3.81E-7/hour and T is 8766 hr/yr / 4 quarters/year). Based on this information, a value of 1.4E-04 per demand was selected as the mean for the priori distribution as well as an error factor of 3.0. This error factor is consistent with nominal error factors typically used in other PRAs and bounds the error factor from NUREG/CR-4639.

The Westinghouse plant operating data on the AR440AR relays and MDR-4121 relays, similar to the slave and interposing-relays of BVPS - Unit 2, contained in References 4 and 5 were also reviewed.

The failure probability of 1.4E4/demand selected as the mean failure probability for the priori distribution for the slave and interposing relays bounds the equivalent failure probabilities in References 4 and 5.

As shown in Table 7-6 above, the relay test data for BVPS Units 1 and 2 shows one slave/interposing relay failure in 4311 quarterly test demands. This data was used to perform a Bayesian update of the generic log-normal priori distribution represented by a mean of 1.4E-04 per demand with an error factor of 3. The mean of the resulting posterior distribution is 1.56E-04 per demand. This value was used as the mean failure probability for relays tested on a quarterly basis.

BVPS - Unit 2 uses MDR-4121-1 relays for some of the slave and interposing-relays. BVPS Unit 2 has experienced no failures of this type of relay used in its protection system, but during the 1980s, the industry experienced some issues associated with MDR type relays. AEOD/S93-06 (Reference 11) documents a reliability evaluation of these relays. A review of this report indicates that the 4121-1 series had not experienced any significant problems. Also, the failure probability calculated above was consistent with the failure rates calculated for Westinghouse SSPS and general protection applications that used the 4121-1 series relays.

A review of the relay operating experience at both BVPS units did not indicate any specific relay problems that might preclude extending the test interval. BVPS Unit 2 has experienced only one failure of a slave-relay or interposing-relay and that was an AR440AR relay. BVPS - Unit I uses similar slave and interposing-relays. BVPS -- Unit 1 tests some of its slave and interposing-relays on a monthly basis, some on a quarterly basis and the remainder is tested on a refueling interval (18-month) basis. BVPS -

Unit 1 has experienced four AR440AR (slave-relay) failures when considering all slave-relays and interposing relays. Three of the failures occurred during the monthly tests and one failed during the refueling interval test. These failures did not indicate any particular pattern. The failures during the monthly tests included a non-actuation, a contact resistance problem and a verification problem. The refueling interval test failure involved a reset problem. The BVPS -- Unit 1 relay failure probability for the monthly tests is greater than that for the refueling interval tests. One key assumption in the analysis is Assessment of Impact on Risk December 2002 6020 doc-121302 Revision 2

7-45 that the demand failure probability is directly proportional to the test interval and when the test interval increases, the demand failure probability will increase proportionally. The relay failure data for BVPS Unit 1 suggests that this assumption may be somewhat conservative for these relays.

7.2.3 Plant Specific Adjustments Relays Already in an 18-Month STI Scheme At BVPS -- Unit 2(1), the slave-relays involved with the automatic transfer to recirculation function are K608 (safety injection) and K617, K624 (both for low RWST level). BVPS -- Unit 2 does not have a system-level manual initiation function for transfer to recirculation. The slave-relays are tested in 2OST 7.11A and 2OST-7.11B every 18 months (since the current Technical Specifications do not require testing these relays) with the unit in Mode 5 or Mode 6.

The monthly surveillance frequency associated with the slave and interposing-relays for RWST transfer only applies to the SSPS actuation logic testing, and does not apply to the slave-relays (actuation relays).

Thus, the failure probability of the six recirculation-relays is different from the others. For the most part, the quantification of the Unit 2 SSPS treats all slave and interposing-relays uniformly, e.g., a failure probability of 1.56E-04 over three months. However, the per-demand failure number for the RWST transfer relays (K608 A, K608 B, K617 A, K617 B, K624 A, and K624 B) will be set at a constant six times the nominal slave-relay per-demand probability, i.e., 9.35E-04 to reflect the longer test interval.

Common Cause Failure Assumptions For this work, to allow PRA Quant to work, the value of the common-cause failure (CCF) probability is set to 0.1 times the value of the corresponding random failure. CCF is an analytical way to account for the common features of equipment in multiple trains, e.g., common maintenance procedures, nearly identical parts in terms of age and design, common ambient environments. Although these factors are hard to come by, common CCF beta-factors for different classes of nuclear plant equipment run roughly 7% of the random failure. A fairly standard approach is to include a reasonable (but high) factor value, quantify results and decide how overall results are affected by the CCF number. If the relatively high CCF does not significantly affect results, it is unproductive to spend more time refining the CCF values.

Test & Maintenance Frequency The test frequency is an important parameter in this study. As the test interval increases, the frequency of testing decreases. This in turn decreases the unavailability of the slave and interposing relays since they will be out of service less often for testing. The maintenance frequency is not impacted by the relay test interval change.

Each of the listed T&M Events are put high in the fault tree as a means of making a train of SSPS out-of service. The unavailability caused by these tests appears on Table 7-9.

1. For which the model was created.

Assessment of Impact on Risk December 2002 6020 doc-121302 Revision 2

7-46 Test Unavailiability The procedures listed in Table 7-5 cause particular relays or sets of relays to be unavailable. As modeled in this study, the entire train and all the associated ESF actuation signals are conservatively disabled. For example, a test of a Train A relay renders both ESFAS Train A and RTS Train A unavailable. In practice, the procedures render unavailable either a particular relay or a small set of relays. But, the other relays remain available. The modeling approach simplifies the quantifications of the ESF actuation signals while also creating a conservative analysis. That is, the model overstates the actual effect of the relay procedures. Table 7-7 presents the unavailabilities caused by test and maintenance procedures and the time basis for each T&M event value.

Table 7-7 SSPS Test and Maintenance Unavailability Values Unavailability T&M Event Fraction Basis ESFASTMA 1.14E-041 11 This is the SSPS Train A Blockable Test (2) The unavailability is assumed to be 15 min per test on a Quarterly basis.

ESFASTMB I 14E-04(') This is the SSPS Train B Blockable Test. M The unavailability is assumed to be 15 min per test on a Quarterly basis.

SSPS.LDSEQTMA 6.85E-04(2) This is for the Safeguards Protection System Train A. The unavailability is assumed to be 1.5 hrs per test on a Quarterly basis.

SSPSLDSEQTMB 6.85E-04(2) This is for the Safeguards Protection System Train B. The unavailability is assumed to be 1.5 hrs per test on a Quarterly basis.

SSPSLGCTMA 1.03E-03"3 ) This is the SSPS Train A Bi-Monthly Maintenance Surveillance Testi 8 ) The unavailability is assumed to be 1.5 hrs per test on a Bi-Monthly basis. SSPS Train A along with the entire Reactor Trip and Safeguards Train A are made inoperable.

SSPSLGCTMB 1.03E-103 3 ) This is the SSPS Train B Bi-Monthly Maintenance Surveillance Test.(9 ) The unavailability is assumed to be 1.5 hrs per test on a Bi-Monthly basis. SSPS Train B along with the entire Reactor Trip and Safeguards Train B are made inoperable.

Notes:

1 0 25 hr/test

  • 4 tests/yr
  • 1 yr/365 days
  • 1 day/24 hr 2 1 5 hr/test
  • 4 tests/yr
  • I yr/365 days
  • I day/24 hr 3 1 5 hr/test
  • 6 tests/yr
  • I yr/365 days
  • I day/24 hr Assessment ot Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-47 7.3 SSPS UNAVAILABILITY ANALYSIS 7.3.1 Introduction The split-fraction values in the "base case" exclude contributions from the non-mitigating slave-relays and non-mitigating interposing-relays. The first step was to recalculate SSPS split-fractions for the "base case" excluding contributions from non-mitigating relays with the fault tree model. Then a base CDF and LERF for the plant was calculated with the support-state model with the "base case" split-fraction values.

The next steps involved uniformly changing the failure probabilities for the contributing relays by factors of three, four, and six to represent candidate'STIs of nine, twelve, and eighteen months respectively. An exception is made for the relays currently on an 18-month test frequency. The failure probability for those relays is always 9.38E-4/demand during each SSPS split-fraction quantification.

1 Table 7-8 Summary of the N-Factor on Slave-Relay and Interposing-Relay Failure Probabilities Base 3 months 9 months 12 months 18 months N factor 1 3 4 6 Failure Probability 1.56E3-4/demand 4.68E-4Idemand 6.24E-4/demand 9.35E-4/demand At the same time, test-and-maintenance unavailability captured by ESFASTM.A, ESFASTMB, SSPS_LDSEQTM.A, and SSPS_.LDSEQTM_B were decreased by factors of three, four, and six respectively. These factors aggregate the unavailability due to surveillance testing itself on a quarterly basis. As the STI increases, the unavailability because of the surveillances themselves decreases by the reciprocal of the STI factor (N factor) increase.

For each of these STI cases(2), the first step is to recalculate 72-independent split fractions associated with the three SSPS top events in the BVPS support state model, i.e., SA, SX and SB. The 72-independent split fraction values are calculated with the fault tree model and taking the min-cut-upper-bound value from cutset files(3 ) corresponding to each split-fraction as the value to load into the support-state model.

The process then used the support-state model to calculate a new CDF and LERF for each case to compare to the base case CDF and LERF.

2. For example, the set of runs needed to represent the CDF and LERF impact of a nine-month STI.
3. These values are listed in Table 7-10. This value aggregates the probabilities of each cutset line item in the cutset file.

Assessment of Impact on Risk December 2002 6020 doc-121302 Revision 2

7-48 Table 7-9 Summary of the N-Factor Effect on T&M Numbers 9 month 12-month 18-month T&M Event Base Fraction Fraction Fraction Fraction Factor 1 1/3 1/4 1/6 ESFASTMA 1.14E-04 3 81E-05 2 85E-05 1 90E-05 ESFASTMB 1.14E-04 3.81E-05 2 85E-05 1 90E-05 SSPSLDSEQTMA 6 85E-04 2.28E-04 1 7 IE-04 1.14E-04 SSPSLDSEQTMB 6.85E-04 2.28E-04 1.71E-04 1.14E-04 SSPSLGCTMA I 03E-03 I 03E-03 1.03E-03 1.03E-03 SSPSLGCTMB 1.03E-03 1.03E-03 1.03E-03 I 03E-03 7.3.2 Longer STI Modeling Longer STIs are modeled by accepting the latent-failure-probability hypothesis. That is, there is an increasing likelihood over time that idle components will fail when the demand is required. It is more realistic to believe that there is a binomial probability and a probability because of latent failures both contributing to the unavailability of a particular relay. Plant-specific failure analysis tends to illustrate that the binomial contribution is quite large. The number of observed failures-on-demand (for slave relays and interposing-relays) was not found statistically dependent on being in a one-month or three month scheme. Nevertheless, the 9-month, 12-month, and 18-month cases are a result of multiplying the "base case" failure probabilities for slave-relays and interposing-relays by factors of three, four, and six respectively. These factors are derived from the ratio of the STI under consideration to the base case STI (3 months).

7.3.3 Assumptions for Items Held Constant There is an exception to the "uniformly changing failure probability" process described above. The exception is for relays K608 A, K608 B, K617 A, K617 B, K624 A, and K624 B. These relays are involved in the RWST-recirculation-switchover for BVPS Unit 2. These six relays are currently on an 18-month frequency. The failure probability values for these six relays were held at a constant six times the base failure probability for the other slave-relays. Rather than the nominal slave-relay failure probability (i.e., 1.56E-04) times three, four, or six (depending on the case), the quantification assumes that these six relays have the failure probability (i e., 9.35E-04) associated with the 18-month case for all of the cases.

7.3.4 Results The split fraction values for each case are presented on Table 7-10.

Assessment ot Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-49 Table 7-10 SSPS Split-Fraction Values Versus Case Matrix Split Fraction Base Case 9-month 12-month 18-month Description SAI 8 54E-03 9 87E-03 1 07E-02 I 25E-02 SSPS TRAIN A - GENERAL TRANSIENT, ALL SUPPORT SAIA 8 54E-03 9 87E-03 1 07E-02 1.25E-02 SSPS TRAIN A - GENERAL TRANSIENT, LOSS OF VB III SAIB 8 54E-03 9 87E-03 1 07E-02 1.25E-02 SSPS TRAIN A - GENERAL TRANSIENT, LOSS OF VB IV SA2 2 03E-02 3 44E-02 4 15E-02 5.57E-02 SSPS TRAIN A - LLOCA, ALL SUPPORT SA2A 2 04E-02 3 44E-02 4 16E-02 5.57E-02 SSPS TRAIN A - LLOCA, LOSS OF VB III SA2B 2 04E-02 3 44E-02 4.16E-02 5.57E-02 SSPS TRAIN A - LLOCA, LOSS OF VB IV SA3 3.07E-02 4 46E-02 5 17E-02 6.57E-02 SSPS TRAIN A - LLOCA, LOSS OF VB III & IV SA3A 3.07E-02 4 46E-02 5 17E-02 6.57E-02 SSPS TRAIN A - LLOCA, LOSS OF VB II & III SA3B 3 07E-02 4 46E-02 5 17E-02 6-57E-02 SSPS TRAIN A - LLOCA, LOSS OF VB II & IV SA4 1.87E-02 2 89E-02 3 41E-02 4 45E-02 SSPS TRAIN A - SGTR, ALL SUPPORT SA4A 1.88E-02 2 89E-02 3 41E-02 4.45E-02 SSPS TRAIN A - SGTR, LOSS OF VB III SA4B 1.88E-02 2 89E-02 3 41E-02 4.45E-02 SSPS TRAIN A - SGTR, LOSS OF VB IV SA5 2 07E-02 3 53E-02 4 28E-02 5.75E-02 SSPS TRAIN A - MSLB INSIDE CNMT, ALL SUPPORT SA5A 2 07E-02 3 53E-02 4 28E-02 5.75E-02 SSPS TRAIN A - MSLB INSIDE CNMT, LOSS OF VB III SA5B 2 07E-02 3 53E-02 4 28E-02 5.75E-02 SSPS TRAIN A - MSLB INSIDE CNMT, LOSS OF VB IV SA6 3 1IE-02 4 56E-02 5 29E-02 6.75E-02 SSPS TRAIN A - MSLB INSIDE CNMT, LOSS OF VB III & IV SA6A 3 1IE-02 4 56E-02 5 29E-02 6.75E-02 SSPS TRAIN A - MSLB INSIDE CNMT, LOSS OF VB II & III SA6B 3 1IE-02 4 56E-02 5 29E-02 6 75E-02 SSPS TRAIN A - MSLB INSIDE CNMT, LOSS OF VB II & IV SA7 I 86E-02 2 94E-02 3 49E-02 4.59E-02 SSPS TRAIN A - MSLB OUTSIDE CNMT, ALL SUPPORT SA7A I 87E-02 2.94E-02 3.50E-02 4.59E-02 SSPS TRAIN A - MSLB OUTSIDE CNMT, LOSS OF VB III SA7B I 87E-02 2 94E-02 3.50E-02 4.59E-02 SSPS TRAIN A - MSLB OUTSIDE CNMT, LOSS OF VB IV SAS I 87E-02 2 89E-02 3.41E-02 4 45E-02 SSPS TRAIN A - SMALL LOCA, ALL SUPPORT Assessment of Impact on Risk December 2002 6020 doc-121302 Revision 2

7-50 Table 7-10 SSPS Split-Fraction Values Versus Case Matrix (cont.)

Split Fraction Base Case 9-month 12-month 18-month Description SA8A 1 88E-02 2 89E-02 3 41E-02 4 45E-02 SSPS TRAIN A - SMALL LOCA, LOSS OF VB III SA8B I 88E-02 2 89E-02 3 41E-02 4 45E-02 SSPS TRAIN A - SMALL LOCA, LOSS OF VB IV SB 1 9 01E-03 I 13E-02 I 26E-02 1 53E-02 SSPS TRAIN B - GENERAL TRANSIENT, ALL SUPPORT SB1A 9 01E-03 1 13E-02 1 26E-02 1 53E-02 SSPS TRAIN B - GENERAL TRANSIENT, LOSS OF VB III SB1B 9 01E-03 I 13E-02 I 26E-02 I 53E-02 SSPS TRAIN B - GENERAL TRANSIENT, LOSS OF VB IV SBIC 9 01E-03 1 13E-02 1.26E-02 1.53E-02 SSPS TRAIN B - GENERAL TRANSIENT, LOSS OF VB I, SA=GF SB2 2 16E-02 3 80E-02 4 63E-02 6 27E-02 SSPS TRAIN B - LLOCA, ALL SUPPORT SB2A 2 16E-02 3 81E-02 4 64E-02 6 28E-02 SSPS TRAIN B - LLOCA, LOSS OF VB III SB2B 2 16E-02 3 81E-02 4 64E-02 6 28E-02 SSPS TRAIN B - LLOCA, LOSS OF VB IV SB3 3 20E-02 4 82E-02 5 65E-02 7.27E-02 SSPS TRAIN B - LLOCA, LOSS OF VB III & IV SB3A 3 20E-02 4 82E-02 5 64E-02 7 27E-02 SSPS TRAIN B - LLOCA, LOSS OF VB I & III, SA=GF SB3B 3 20E-02 4 82E-02 5 64E-02 7 27E-02 SSPS TRAIN B - LLOCA, LOSS OF VB I & IV, SA=GF SB4 I 96E-02 3 16E-02 3 77E-02 4 98E-02 SSPS TRAIN B - SGTR, ALL SUPPORT SB4A I 97E-02 3 16E-02 3 77E-02 4.99E-02 SSPS TRAIN B - SGTR, LOSS OF VB III SB4B I 97E-02 3 16E-02 3.77E-02 4 99E-02 SSPS TRAIN B - SGTR, LOSS OF VB IV SB4C 1-97E-02 3 16E-02 3 77E-02 4 99E-02 SSPS TRAIN B - SGTR, LOSS OF VB I, SA=GF SB5 2 19E-02 3 89E-02 4 75E-02 6 45E-02 SSPS TRAIN B - MSLB INSIDE CNMT, ALL SUPPORT SB5A 2 19E-02 3 90E-02 4 76E-02 6 45E-02 SSPS TRAIN B - MSLB INSIDE CNMT, LOSS OF VB III SB5B 2 19E-02 3 90E-02 4.76E-02 6 45E-02 SSPS TRAIN B - MSLB INSIDE CNMT, LOSS OF VB IV SB6 3-23E-02 4.91E-02 5 76E-02 7 44E-02 SSPS TRAIN B - MSLB INSIDE CNMT, LOSS OF VB III & IV Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-51 Table 7-10 SSPS Split-Fraction Values Versus Case Matrix (cont.)

Split Fraction Base Case 9-month 12-month 18-month Description SB6A 3 23E-02 4 91E-02 5 76E-02 7.44E-02 SSPS TRAIN B - MSLB INSIDE CNMT, LOSS OF VB I & III, SA=GF SB6B 3 23E-02 4.91E-02 5.76E-02 7 44E-02 SSPS TRAIN B - MSLB INSIDE CNMT, LOSS OF VB I & IV, SA=GF SB7 I 96E-02 3.21E-02 3 85E-02 5 13E-02 SSPS TRAIN B - MSLB OUTSIDE CNMT, ALL SUPPORT SB7A 1.96E-02 3 22E-02 3 86E-02 5 13E-02 SSPS TRAIN B - MSLB OUTSIDE CNMT, LOSS OF VB III SB7B I 96E-02 3 22E-02 3 86E-02 5.13E-02 SSPS TRAIN B - MSLB OUTSIDE CNMT, LOSS OF VB IV SB7C I 96E-02 3 22E-02 3 86E-02 5.13E-02 SSPS TRAIN B - MSLB OUTSIDE CNMT, LOSS OF VB I, SA=GF SB8 1.96E-02 3 16E-02 3.77E-02 4 98E-02 SSPS TRAIN B - SMALL LOCA, ALL SUPPORT SB8A 1.97E-02 3.16E-02 3.77E-02 4 99E-02 SSPS TRAIN B - SMALL LOCA, LOSS OF VB III SB8B I 97E-02 3 16E-02 3 77E-02 4 99E-02 SSPS TRAIN B - SMALL LOCA, LOSS OF VB IV SB8C 1.97E-02 3 16E-02 3 77E-02 4 99E-02 SSPS TRAIN B - SMALL LOCA, LOSS OF VB I, SA=GF SXI 6 24E-04 9 96E-04 1.19E-03 1.58E-03 SSPS TRAINS A & B - GENERAL TRANSIENT, ALL SUPPORT SXIA 6 24E-04 9 96E-04 I 19E-03 1.58E-03 SSPS TRAINS A & B - GENERAL TRANSIENT, LOSS OF VB III SXIB 6 24E-04 9.96E-04 1.19E-03 1.58E-03 SSPS TRAINS A & B - GENERAL TRANSIENT, LOSS OF VB IV SX2 121E-03 2 71E-03 3 65E-03 5 87E-03 SSPS TRAINS A & B - LLOCA, ALL SUPPORT SX2A 123E-03 2 73E-03 3 67E-03 5 89E-03 SSPS TRAINS A & B - LLOCA, LOSS OF VB III SX2B 1.23E-03 2 73E-03 3 67E-03 5 89E-03 SSPS TRAINS A & B - LLOCA, LOSS OF VB IV SX3 8 94E-03 105E-02 I 15E-02 1.38E-02 SSPS TRAINS A & B - LLOCA, LOSS OF VB III

& IV SX4 9 92E-04 I 88E-03 2 42E-03 3.70E-03 SSPS TRAINS A & B - SGTR, ALL SUPPORT SX4A I 01E-03 1.90E-03 2 44E-03 3.73E-03 SSPS TRAINS A & B - SGTR, LOSS OF VB III SX4B I O1E-03 1.90E-03 2 44E-03 3 73E-03 SSPS TRAINS A & B - SGTR, LOSS OF VB IV Assessment of Impact on Risk December 2002 6020 doc-121302 Revision 2

7-52 Table 7-10 SSPS Split-Fraction Values Versus Case Matrix (cont.)

Split Fraction Base Case 9-month 12-month 18-month Description SX5 I 22E-03 2 78E-03 3 76E-03 6 IOE-03 SSPS TRAINS A & B - MSLB INSIDE CNMT, ALL SUPPORT SX5A 1 24E-03 2 80E-03 3 78E-03 6 12E-03 SSPS TRAINS A & B - MSLB INSIDE CNMT, LOSS OF VB III SX5B 1 24E-03 2 80E-03 3 78E-03 6 12E-03 SSPS TRAINS A & B - MSLB INSIDE CNMT, LOSS OF VB IV SX6 8-95E-03 106E-02 I 16E-02 1 40E-02 SSPS TRAINS A & B - MSLB INSIDE CNMT, LOSS OF VB III & IV SX7 9 83E-04 1 90E-03 2 48E-03 3 84E-03 SSPS TRAINS A & B - MSLB OUTSIDE CNMT, ALL SUPPORT SX7A 1.00E-03 192E-03 2 50E-03 3 86E-03 SSPS TRAINS A & B - MSLB OUTSIDE CNMT, LOSS OF VB III SX7B I OOE-03 1 92E-03 2 50E-03 3 86E-03 SSPS TRAINS A & B - MSLB OUTSIDE CNMT, LOSS OF VB IV SX8 9.92E-04 1 88E-03 2 42E-03 3 70E-03 SSPS TRAINS A & B - SMALL LOCA, ALL SUPPORT SX8A 1.O0E-03 1.90E-03 2 44E-03 3 73E-03 SSPS TRAINS A & B - SMALL LOCA, LOSS OF VB III SX8B I OIE-03 1-90E-03 2 44E-03 3 73E-03 SSPS TRAINS A & B - SMALL LOCA, LOSS OF VB IV Assessment of Impact on Risk December 2002 6020 doc- 121302 Revision 2

7-53 7.4 RISK IMPACT ANALYSIS 7.4.1 Introduction The acceptance criteria for risk impact in this work is ACDF and ALERF. The support-state model was quantified for each of the four cases (STIs of 3, 9, 12, and 18 months). This resulted in a CDF and a LERF value for each case that can be directly compared.

7.4.2 Quantification of CDF and LERF The support-state model quantification, for this effort, begins by manually entering one set of SSPS split fraction values into the appropriate table. These 72-values replace the values found in the Revision 3A model. The quantification itself is the same method used to establish the Revision 3A CDF and LERF values. However, a modification to the Revision 3A model was necessary to eliminate ATWS-response assumptions that were leading to unrealistic and overly conservative results.

Quantification Results The ACDF and ALERF values over the base case are presented in the following table. The former CDF and LERF values from the Revision 3A model are also provided for information. The numbers are rounded to the first five significant figures. Note that the quantification for the base case and the cases for 9, 12, and 18 month STIs has eliminated the slave and interposing-relays that are not important to event mitigation.

Table 7-11 Effect of STIs on CDF and LERF Revision 3A Base Case 9 mo 12 mo 18 mo CDF (per yr) 1.64E-05 1.56E-05 1.60E-05 1.62E-05 1.67E-05 LERF (per yr) 5.13E-07 5.55E-07 6.01E-07 6.35E-07 6.95E-07 ACDF (per yr) 4.OE-07 6.0E-07 1.IE-06 ALERF (per yr) 4.6E-08 8.OE-08 1.4E-07 Assessment of Impact on Risk December 2002 6020 doc-121302 Revision 2

7-54 7.4.3 Core Damage Frequency and Large-Early Release Fraction Frequency Assessment The trend of the CDF and LERF values is affected by competing factors. The larger slave-relay and interposing-relay failure probabilities (relative to the Revision 3A numbers) drive the CDF values higher Modeling the RWST-recirculation-switchover relays with 18-month failure probabilities in all cases resulted in a larger base case. The Revision 3A model had modeled ATWS in a way that was conservative, but created unrealistic dominant cutsets. The base case in this study takes credit for operators initiating emergency boration while also having a feature where control rods do not drop and operators do not manually trip the reactor. The realistic ATWS modeling change and assigning zero to the non-contributing relays together offset the higher relay failure probabilities making the base case CDF less than in Revision 3A. Note, the importance of the RWST- recirculation-switchover relays decreases in the hypothetical cases as all of the slave-relays and interposing-relays take on higher and higher failure probabilities (eventually equaling the constant value for the RWST- recirculation-switchover relays in the "18-month case"). In addition, the test-and-maintenance unavailability due to ESF and SSPS tests decreases (compared to the base case) as the STI increases.

The various cases did generate CDF and LERF values above the base case, as expected. The ACDF and ALERF for the 9 months and 12-month STIs are small enough to be considered inconsequential according to guidance in Reference 1. The ACDF and ALERF exceed the Regulatory Guide acceptance criteria for the 18-month STI. Combined with the discussion in Section 8, and a reasonable margin to the Reference I criteria, a 12-month STI has little core damage risk impact when compared to current three-month frequency.

Assessment of Impact on Risk December 2002 6020 doc-121302 Revision 2

8-1 8 IMPACT ON DEFENSE-IN-DEPTH AND SAFETY MARGINS The traditional engineering considerations are addressed in this section. These include defense-in-depth and safety margins. The fundamental safety principles on which the plant design is based cannot be compromised. Design basis accidents are used to develop the plant design. These challenges and failure events are explicitly accounted for to demonstrate safe plant response. Defense-in-depth, the single failure criterion, and adequate safety margins may be impacted by the proposed change and consideration needs to be given to these elements. As no physical change to the plant is required to implement this proposed test, the plant keeps its defense in-depth and single-failure protection criterion features. A detailed discussion of these three criteria follows.

8.1 IMPACT ON DEFENSE-IN-DEPTH The proposed change needs to meet the defense-in-depth principle that consists of a number of elements.

These elements and the impact of the proposed change on these elements follow:

A reasonable balance among preventing core damage, preventing containment failure, and consequence mitigation is preserved.

The proposed STI change has only a small-calculated impact on CDF and LERF. The STI change does not affect containment integrity. The change neither degrades core damage prevention at the expense of containment integrity, nor does it degrade containment integrity at the expense of core damage prevention. The balance between preventing core damage and preventing containment failure is the same. Consequence mitigation remains unaffected by the proposed changes.

Furthermore, no new accident or transient is introduced with the requested change, and the likelihood of an accident or transient is not impacted. No new activities on the SSPS will be performed at-power that could lead to a new transient event. Conversely, the increased STI may reduce the likelihood of a test-induced transient or accident. This last item is an unquantified benefit of the STI change.

Over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided.

The plant design will not be changed to accommodate the proposed STI extension. All safety systems, including the SSPS, will still function in the same manner with the same signals available to trip the reactor and initiate ESF functions, and there will be no additional reliance on additional systems, procedures, or operator actions. The calculated risk increase for these changes is very small and additional control processes are not required to compensate for any risk increase.

System redundancy, independence, and diversity are maintained commensurate with the expected frequency and consequences of challenges to the system.

There is no impact on either the redundancy, independence, or diversity of the SSPS or of the ability of the plant to respond to events with diverse systems. The SSPS is a diverse and Impact on Defense-in-Depth and Safety Margins December 2002 6020 doc-121302 Revision 2

8-2 redundant sub-system and will remain so. There will be no change to the signals available to trip the reactor or initiate an ESFAS actuation.

Defenses against potential common-cause-failures are maintained and the potential for introduction of new common-cause-failure mechanisms is assessed.

Defenses against common cause failures are maintained. The STI extension requested is not sufficiently long to expected new common-cause mechanisms to arise. In addition, the operating environment for these components remains the same, therefore no new common-cause-failure modes are expected. In addition, backup systems and operator actions are not impacted by these changes; and there are no common cause links between the SSPS and these backup options.

Independence of barriers is not degraded.

The barriers protecting the public and the independence of these barriers are maintained. With the extended STI, it is not expected that the plant will have multiple systems out-of-service simultaneously that could lead to degradation of these barriers and an increase in risk to the public.

Defenses against human errors are maintained.

No new operator actions related to the STI extension are required. No additional operating or maintenance procedures have been introduced, or have to be revised because of the STI change and no new at-power test or maintenance activities are expected to occur as a result of the STI change. With the STI increase, fewer surveillance tests will be performed at-power, which will reduce the potential for test induced reactor trips and safety system actuations. This represents a risk benefit, i.e., a reduction in risk.

8.2 IMPACT ON DETERMINISTIC SAFETY MARGINS The safety analysis acceptance-criteria as stated in the Final Safety Analysis Report are not impacted by this change. Diversity with regard to signals, which provide reactor trip and actuation of engineered safety features, will also be maintained. The proposed STI change will not result in plant operation different from the design basis safety-limits and margins described in other submittals. All signals credited as primary or secondary and all operator actions credited in the accident analysis will remain the same.

Impact on Defense-m-Depth and Safety Margins December 2002 6020 doc- 121302 Revision 2

9-1 9 CONCLUSIONS Table 7-11 demonstrates that the change to a STI of 12-months for the slave-relays and interposing-relays meets the Regulatory Guide 1.174 acceptance criteria for the ACDF and ALERF of 1E-6/yr and 1E-7/yr respectively. The differential risk with an 18-month STI is somewhat above the acceptance but not unreasonably so given the conservatism in the risk assessment technique.

Neither the type, nor location, nor function of the slave-relays and interposing-relays need to change in the plant to support this change.

Reactor trips and safety equipment actuations occur, on occasion, because of test and maintenance activities. This indicates that these activities should be completed with caution. And, reducing the number of these activities, i.e., increasing the STI, will reduce the potential for these induced trips and induced actuations.

Conclusions December 2002 6020 doc-121302 Revision 2

10-I 10 REFERENCES

1. Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk Informed Decisions on Plant-Specific Changes to the Licensing Basis," July 1998.
2. Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decision-Making:

Technical Specifications," August 1998.

3. "Evaluation of Surveillance Frequencies and Out of Service Times for the Engineered Safety Features Actuation System," WCAP-1027 1-P-A, Supplement 2, Rev. 1.
4. WCAP-14129, Revision 2-NP-A, "Reliability Assessment of Westinghouse Type AR Relays Used as SSPS Slave Relays"
5. WCAP-14117-NP-A, Revision 2, "Reliability Assessment of Potter & Brumfield MDR Series Relays"
6. Advanced Light Water Reactor Utility Requirements Document: Volume II, ALWR Evolution Plant, Chapter 1, Appendix A: Key PRA Assumptions and Groundrules, Annex A-Reliability Database for ALWR PRAs, (Table A3-1) EPRI, December 1993.
7. NUREG/CR-5500, Vol. 2, "Reliability Study: Westinghouse Reactor Protection System, 1984 - 1995," April 1999.
8. WCAP-15376, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," October 2000.
9. NUREG-1431, Revision 2, "Standard Technical Specifications Westinghouse Plants" April 2001
10. NUREG/CR-4639, "Nuclear Computerized Library for Assessing Reactor Reliability (NUCLARR) - Data Manual", Volume 5, Part 3, U. S. Nuclear Regulatory Commission, December 1990.
11. AEOD/S93-06, "Special Study Report Potter & Brumfield Model MDR Rotary Relay Failures",

Reactor Operations Analysis Branch, U. S. Nuclear Regulatory Commission, December, 1993.

References December 2002 6020 doc- 121302 Revision 2

Retrieved from "https://kanterella.com/w/index.php?title=ML030580477&oldid=2673521"