ML17216A327
| ML17216A327 | |
| Person / Time | |
|---|---|
| Site: | Saint Lucie  |
| Issue date: | 10/31/1985 |
| From: | Williams J FLORIDA POWER & LIGHT CO. |
| To: | Butcher E Office of Nuclear Reactor Regulation |
| References | |
| L-85-406, NUDOCS 8511050101 | |
| Download: ML17216A327 (31) | |
Text
!
REGULATORY ORMATION DISTRIB UTION SY M (RIDS)
ACCESSION-=NBR: 8511050101 DOC ~ DATE: 85/10/31 NOTARIZED: NO DOCKET FACIL:50-389 St
~ Lucie Planti Unit 2~ Florida Power L Light Co,, 55000389 AUTH, NAME AUTHOR AFFILIATION NILLIAMSiJ.H. Florida Power 8 Light Co, RECIP ~ NAME'ECIPIENT AFFILIATION BUTCHER i E'e J' Operating, Reactors Branch SUBJECT Fot wards addi info re 800522A application for amend to License NPF ibiincreasing ESFAS/auxiliary feedwater actuating sys actuation logic surveillance'interval from 6 months to 18 months.
DISTRIBUTION CODE: ADDIO OR COPIES RECEIVED:LTR Submittal: General Distribution ENCL / SIZE:~QgITLE:-
NOTES: 05000389 OLeO f/06/83I REC IP IENT COPIES RECIPIENT COPIES ID -CODE/NAMEl LTTR ENCL' ID CODE/NAME LTTR ENCL NRR ORB3 BC 01 7 INTERNAL; ACRS 09 6 ADM/LFMB 0.
ELD/HDS2'RR/DL'IR
- 1. 0 NRR/DE/MTEB 1 1 1- 1 NRR/DL/DRAB 1 0 NRR/DL/TSRG 1 1 NRR 1 1 NRP/DS I/RAB 1 1 G FI 0Q 1 RGN2 1 1 EXTERNAL:= 20X 1 1 EG8,G BRUSKE'gS LPDR 03 1' NRC PDR 02 NSIC 05 1 1 TOTAL NUMBER OF COPIES REQUIRED: LTTR 28 ENCL 25
bI
~ ~ pr 0
I N
'I
P.
II
~X 14000, JUNO BEACH, FL 33408 iyglhri FLORIDA POWER Bu LIGHT COMPANY 0CT S 1 gss L 006 Office of Nuclear Reactor Regulation Attention: '. Mr. Edward J. Butcher, Acting Chief Operating Reactors Branch II3 Division of Licensing U. S. Nuclear Regulatory Commission Washington, D.C. 20555
Dear Mr. Butcher:
Re: St. Lucie Unit No. 2 Docket No. 50-389 Engineered Safety Features Actuation System (ESFAS)
Auxiliary Feedwater Actuation System (AFAS)
Surveillance Re uirements Florida Power & Light Company (FPL) letter L-84-133, dated May 22, 1984, requested an amendment to the St. Lucie Unit 2 Operating License (NPF-I6),
which would increase the ESFAS/AFAS actuation logic (subgroup relay) surveillance interval from six months to eighteen months.
As a result of NRC's review, it was determined that there was insufficient information/justification to approve the requested change to the surveillance requirements. On June 14, 1985, NRC provided a draft of the Safety Evaluation that provides the basis for denying the requested change.
,FPL'as *carefully'eyie'wed NRC's,"conucerns iand believes that the attached
,! u
,information <fully,addresses'these,concerns, and~will allow NRC to proceed with
'approval of the amendment, Should you have, any additional questions. or'need clarification in any of the areas addressed please do not hesitate to'call.. Should you desire to meet with us to discuss any aspect of either the original analyses or this additional data, we are available to do so at your convenience.
Very truly yours, J. W. Williams, Jr.
Group Vice President Nuclear Energy JWW/R JS'/cab Attachment vi.u, 85i iOSOiOi ADOCK 0 8~5oiooggq PDR p R JS/005/1 P I
PEOPLE... SERVING PEOPLE
C 0 t tl I:
'I
'f
ADDITIONALINFORMATION IN SUPPORT OF THE PROPOSED CHANGE TO ST.LUCIE UNIT NO. 2 ESFAS/AFAS SURVEILLANCE TEST FREQUENCY FLORIDA POWER AND LIGHT COMPANY ST. LUCIE UNIT NO. 2 Issue Date: October, I 985 Page I of I 6
f 4 4'IV ~ 4 I I EI4 ~ Il4 ~, 4 4 ih
'I 4II4 4 It r 4 .-4 ~ lIV'4 4 4 IE 4 IE I, 4 4 4 4 /4 4 4 444 I 4' % $ 4' E..IEE 444444,.4 > 2 4 ~ 4
TABLE OF CONTENTS SECTION TITLE PAGE INTRODUCTION SUBGROUP RELAY FAILURE RATES ESFAS/AFAS - SYSTEM AVAILABILITYSENSITIVITY 10 IV. REDUCED TESTING FREQUENCY BENEFITS TO PLANT SAFETY V. CONCLUSIONS 12 Vl. REFERENCES 13 LIST OF FIGURES FIGURE TITLE PAGE RELAY FAILURE RATE COMPARISON 15-16 Page 2 of 16
4 N
~u '
0 o1
I. INTROOUCTION The St. Lucie Plant Unit No. 2 is provided with an Engineered Safety Features Actuation System (ESFAS) and an Auxiliary Feedwater Actuation System (AFAS) . These systems are designed to automatically actuate plant protective features in the event of the occurrence of various plant trans-ients or accidents. Current plant Technical Specifications require that the ESFAS and AFAS system relays which actuate the protective equipment (subgroup relays) be tested every six months.
In Hay of 1984, Florida Power and Light Company requested of the Nuclear Regulatory Commission (NRC) that the St. Lucie Unit 2 Operating License be amended to allow testing of the subgroup relays on an eighteen month interval. The basis for this request is summarized as follows:
a) Reliability analyses of the systems indicated that the probability of successful actuation of the plant's safeguards equipment was not sensitive to the proposed change in test interval; b) Actuation of the safeguards equipment with the reactor at power exposes the plant to the risk of test-induced plant trips and subsequent unneccessary challenges to the safety systems. This may not be justifiable based on the small increase in the probability of successful actuation due to more frequent testing.
The detailed, technical evaluations supporting this basis are documented in References I and 2 to this report.
In. June of 1985, the NRC provided Florida Power and Light (FPL) with a draft Safety Evaluation Report which expressed concerns with certain aspects of the reliability analyses and which concluded that further information/
justification was necessary prior to approval of the change in test inter-val.
The intent of this report is to address the NRC Staff 's stated concerns and to provide additional information in support of the proposed change to the St. Lucie Unit No. 2 Technical Specifications.
Of primary concern to the Staff is the failure rate assumed by the FPL analyses for the actuation (or subgroup) relays of the ESFAS and AFAS. The bulk of this report's discussion will address the differences between the FPL and NRC assumed relay failure rates (NOTE: to avoid confusion, if a failure rate is identified in this report and the data source presents both mean and median values for the rate, the median value will be referenced).
The sensitivity of the two actuation systems'vai labilities to this failure rate will also be discussed.
Page 3 of 16
sy x
Testing of these actuation systems with the reactor at power is presented with a qualitative discussion of the risk of plant trip and subsequent challenge of the safety systems.
II. SUBGROUP RELAY FAILURE RATES II.A ENGINEERED SAFETY FEATURES ACTUATION SYSTEH (ESFAS) RELAYS In the evaluation performed by FPL (Reference 1), a typical subsystem of the ESFAS, the Safety Injection Actuation Signal (SIAS), was modeled by use of the reliability block diagram technique, a standard tool of reliabil-ity analysis. The components of the system are arranged in a series/para-llel configuration, depending on the effect of their failure on the system.
A Boolean algebra expression can be generated from this diagram; this expression can then be translated into an equation which expresses the probability of system success in terms of the probabilities of the individ-ual components'ailure. In turn, these component failure probabilities are estimated from published generic or plant specific component 'failure rates.
For many of the SIAS components'ailure rates, including that of the subgroup relays, the FPL evaluation referenced a reliability analysis performed by the vendor of the ESFAS, Consolidated Controls Corporation (CCC). This analysis (Reference 3) predicted component failure rates by use of the HIL-HDBK-217 stress analysis technique. This method of component reliability prediction is widely used by the Department of Defense and its contractors for electronic equipment procured to both Hi litary and non-Hili-tary specifications. The preamble to this document states that the handbook has been "...approved for use by all Departments and Agencies of the Department of Defense..." and that "...every effort has been made to reflect the latest information on reliability prediction procedures." Users of this document recognize, however, that reliability prediction is not an exact science and that the predicted failure rates obtained from a IIIL-HDBK-217 stress analysis should fall roughly within the same order of magnitude as the actual measured component failure rates obtained from field data.
In the consideration of failure rate estimation, the component failure
~mode s which will result in system failure must be identified. In the case of the St. Lucie Unit No. 2 SIAS, there are only two, very specific failure modes of the subgroup relay which will prevent actuation of its associated equipment:
a) failure of the relay contacts to close, given that the relay coil has deenergized and b) failure of the relay or associated wiring such that the relay coil remains energized given that the associated SIAS actuation module has deenergized (relay coil short ~to ower).
Page 4 of 16
The reliability analyst must also consider the specific equipment being used in the system design to estimate the component's failure rate. These considerations were applied by FPL in the case of the ESFAS subgroup relays and are discussed in the next two paragraphs.
The particular relay used by FPL in the St. Lucie Unit No. 2 ESFAS is of the metal can, hermetically sealed, balanced armature type. Although this relay was not procured by Consolidated Controls to the applicable Military Specification (HIL-R-5757), its quality may be likened to that of a "HIL-SPEC" relay. Discussions with the vendor indicate that this relay has been used in military applications, in particular, as part of U.S. Navy submarine Reactor Protection Systems since about 1958. The primary differ-ence between the two relay applications lies not in the design, material p 11, t fg d~libilit fth 1yb 1 h d tation and material traceability requirements associated with the Military Specification versus the commercial nuclear power specification.
Given that the relay is of high quality, the specific failure modes of interest are addressed. In the manufacturing of the relay, the case is evacuated and backfilled with dry nitrogen. This minimizes the possibility of contact oxidation and/or pitting and therefore minimizes the probability of the contacts failing to transfer when demanded. The possibility of the relay coil shorting to power may also be judged remote. The geometry of the coil/contact pins and the relay base allows the relay to only be inserted into its socket in the correct configuration. The relay coil is held open via a 24VDC output signal from its associated SIAS actuation module. The contacts are wired to either 120VAC or 120VDC control circuits.
A short across one of the socket terminations to either of these voltage levels would result in the coil 's rapid burn-out or a failure of the actuation module's circuitry. In either of these cases, the result would be the inadvertent actuation of Engineered Safeguards components, not the prevention of their actuation.
In their evaluation, Consolidated Controls Corporation predicted the ESFAS subgroup relay to have a failure rate of 0.06 failures per million hours of operation. HIL-HDBK-217 does not provide the capability to predict mode specific failure rates. Based on the discussion presented above, FPL considered that 0.06 failures per million hours was a reasonable estimate of the relay 's total failure rate (including all modes) and that this value p td 1 tl f th ~d- lf1 bg p 1 y failure rate.
II.B AUXILIARY FEEDWATER ACTUATION SYSTEM RELAYS The Auxiliary Feedwater Actuation System (AFAS) of St. Lucie Unit No.
2 differs from the ESFAS in design and therefore was treated separately in FPL's Technical Specification change request. The logic circuitry of this system is composed mainly of relay contact combinations, rather than the solid state logic of the ESFAS. The AFAS relay matrix-type logic is Page '5 of 16
currently installed in a number of commercial nuclear power plants and has proven to be of reliable design. Due to the differences in the design of the AFAS, FPL chose to perform the AFAS reliability study using the fault tree analysis technique. Like the reliability block diagram, the fault tree is a standard, accepted tool for estimation of system failure/success probability in terms of the individual component failure probabilities.
Fault tree analysis has been used almost exclusively in the conduct of nuclear power plant Probabilistic Risk Assessments starting with the Reactor Safety Study (WASH-1400) in 1975.
The AFAS consists primarily of normally energized relays which, upon receipt of the proper combination of out-of-tolerance plant process para-meter signals, will deenergize to actuate. As with the ESFAS, the two failure modes of an individual relay which (in combination with other component failures) could lead to system failure were:
a) relay contacts fail to close, given deenergization of the relay coil; b) relay coil remains energized, given that its upstream actuating circuitry has deenergized.
The AFAS fault tree modeled these failure modes as individual basic events for each applicable AFAS relay. And, as with the ESFAS model, to establish the sensitivity of the AFAS to the relay test interval the failure rate associated with each of these events was estimated.
The relays used in the AFAS differ from those of the ESFAS. The AFAS utilizes open, medium duty, general purpose type relays. The contacts are single button and their composition is of silver-cadmium oxide with a gold surfacing (flashing). The gold fldshing prev'ents the formation of a contact oxide layer. The relay has an installed blowout magnet to assist quenching arcs formed as the contacts break a current carrying circuit. Based on vendor discussions, the particular model relay has been used in a wide variety of industrial applications for over ten years.
The total failure rate of the relay may be estimated using the HIL-HDBK-217 stress analysis procedure. The relay installed in the St. Lucie Unit No. 2 AFAS is not procured to a Hilitary Specification and so the "lower quality" factors are applied in the stress analysis. This results in a predicted total failure rate for the AFAS actuation relay of 0.07 failures per million hours.
The draft IREP data base (Reference 4 - based on ~able III 4-2 of the Reactor Safety Study) identifies the failure rate for the coil short to power mode of 0.01 failures per million hours. Assuming that the only other possible failure of the relay is that of the contacts failing to transfer, the failure rate estimate for this mode would be the difference between the total rate and the coil short to power rate. In this case, the contacts fail to transfer rate is estimated at 0.06 failures per million hours. This Page 6 of 16
failure rate is identical to that estimated for the ESFAS relays and was deemed reasonable by FPL for estimation purposes in the AFAS analysis.
II.C INTERIM RELIABILITY EVALUATION PROGRAM (IREP) RELAY FAILURE DATA The Interim Reliability Evaluation Program Procedures Guide (NUREG/CR-2728) presents procedures for the conduct of what is described in the PRA Procedures Guide (NUREG/CR-2300) as a "Level I" Probabi listic Risk Assess-ment (PRA). This basically includes'hose steps necessary to complete the plant systems analysis portion of a full-scope or "Level III" PRA. Publish-ed in 1983, the IREP Procedures Guide presents a compilation of the methods used by 'he four teams in the NRC-sponsored IREP from late 1980 to early 1982. Provided to those teams were numerous draft procedures and documents intended to assist their performance of the IREP tasks. Among these is a draft IREP data base (Reference 4), for use in quantifying the system fault trees. This compilation of failure rates was based primarily on the research performed during the Reactor Safety Study.
A comparison of the draft data base to that appearing in NUREG/CR-2728 indicates that, for the most part, the failure rates differ by only a factor of two or three. In some cases, the draft data base reports a higher failure rate, in some cases a lower rate.
A noteable exception to the consistency of these two data bases is in the area of relays. The failure rate reported for the mode of contacts failing to transfer is identical: one failure per thousand demands. The failure rate reported for coil failures is significantly different: the draft data base reports a coil failure rate (open circuit) of 0.1 failures per million hours and a coil failure rate (short to power) of 0.01 failures per million hours. In the final IREP Procedures Guide, the coil failure rate (open or short) is reported as being 1.0 failures per million hours.
This represents an increase of a factor of ten over the total coi 1 failure rate. It further represents an increase of a factor of one hundred over the f11 1111 f1fff 1 1 ddggg: 1 power.
With this discrepancy existing between the NIL-HDBK, the draft IREP (essentially WASH-1400) and the final IREP Procedures Guide, it becomes necessary to explore other data sources to attempt to establish a concensus.
Actual St. Lucie Unit No. 2 experience was researched: no relay fai lures have occurred for either ESFAS or AFAS subgroup relays to date. This represents about 1.7 million relay-hours of failure free operation for each
~t e of relay . Although this allows the estimation of confidence bounds on the relay failure rate, unless Bayesian techniques are used (combining other industry sources with the plant-specific data), it does not permit a satisfactory point estimation of the failure rate.
The actual St. Lucie Unit 2 experience does allow an illuminating "what-if" type of comparison: If the hypothesis is made that the IREP Page 7 of 16
j ~ ."s);,
1
Procedures Guide relay failure rate is "correct," then what is the probabil-ity that the ESFAS would have survived a "mission time" of 1.7 million relay-hours of operation without a re1ay failure? Assuming a constant
- l. 11 ~ 1111 be 0.18, or about one chance in five.
h, failure rate (exponential favlure distribution),and using the median value hl p b byl1ty l<<fly Using the mean value of 3.0 failures per million hours, the probability is much lower: 0.006 or about one chance in two hundred. The probability that both systems would survive for this period of time without a relay failure is very low: 0.00004 (using the mean failure rate). From a statistical standpoint, the real-world St. Lucie experience refutes the hypothesis that the IREP failure rate is applicable to the ESFAS/AFAS subgroup relays: the actual failure rate cannot be that high.
In the past few years, due to the NRC and industry interest in PRA and its techniques, there have been developed a number of data bases reporting equipment reliability and failure rate information (Westinghouse Reliability Data Base, IEEE-STD-500, etc.). In addition, various PRA efforts have been conducted (Big Rock Point, Zion, etc.); these generally provide a compila-tion of the component failure rates used by the analysis. Further, there exist non-nuclear failure rate data bases (such as HIL-HDBK-217) from which information may be gained.
A number of these sources were consulted for relay failure rates; the results are presented in Figure I (Sheet 2 of this figure identifies the sources). Note that the failure rates presented here represent the total rela failure rate. There has been no attempt to break them down into the t . t <<h h EEAE fa i lure rate was predicted us ing the current version of HIL-HDBK-217 bp p 1 y
(Revision D). Although a slightly higher failure rate is estimated (Source I - 0.17 failures per million hours), the difference between Revisions B and D is not statistically significant.
It can be readily seen that the industry experience with relays strongly suggests that a failure rate of O.l failures per million hours is typical for this type of equipment. The IREP failure rate of 1.0 failures per million hours (also shown, but not included in the average) is a notable outlier.
Based on FPL's experience with the methods and conduct of the plant systems analysis portion of a PRA, one possible explanation arises for the apparent discrepancy between the IREP data base and the other sources of failure data. As part of a fault tree analysis of a system, the analyst p f ly will utilize E 11 a
11 flb f ltt . 1 thl p <<,h computer code (such as SETS or WAH) to identify the dominant causes of system failure. He desires to identify both the combina-tions of component failures (minimal cut-sets) with high probabilities of occurence and also those sin le com onent failures which'ay result in system failure.
Page 8 of 16
"lL L ~
11 II g I
Due to the large number of minimal cut-sets which may be generated by even a relatively simple system, the analyst instructs the computer code to place truncation limits on the solution of the fault tree. The limits are of two basic types:
a) the maximum number of terms in a minimal cut-set is set (this limits the number of simultaneous component failures considered) bilityyb) the minimum robabilit of the cut-sets is defined.
This second limit is of importance here. A generally accepted proba-truncation value for minimal cut-set determination is one in a mi 1 1 ion.
The IREP Procedures Guide notes that the failure rates contained in its Section 5 are for "...preliminary point estimate screening calcula-tions.." The relay failure rate reported in this data base would allow the analyst to identify sin le rela failures that would result in system failure without having to resort to extremely low truncation probabilities in his fault tree quantification.
For ~screenin purposes, this is valuable information to the analyst.
It allows him to identify weak points in system design or potential system interactions regardless of probabi lity. However, as the IREP Procedures unavailability Guide points out, the use of the generic data base contained in that document does not provide a basis for a realistic assessment of system II.D RELAY FAILURE RATE CONCLUSIONS The preceding discussion examines in detail many aspects of the ESFAS and AFAS relays and their failure rates. A number of major conclusions are drawn above and they are summarized here:
a) For the specific failure modes of the relays which result in actuation channel failure, the values of 0.06 failures per million hours (ESFAS) and 0.07 failures per million hours (AFAS) represent conservative yet realistic failure rate estimates; b) Although the ESFAS and AFAS relays are different in type, their design and construction result in highly reliable equipment; c) The IREP Procedures Guide is extremely conservative in its estimation of relay failure rates and not consistent with values reported in published data bases and which have been used in recent PRA activities; d) The St. Lucie Unit No. 2 ESFAS and AFAS relays have not experienced a failure to date. This also is not consistent with, Page 9 of 16
0
~n '
A a
(
and places doubts on the validity of the IREP Procedures 6uide's failure rate for relays.
III. ESFAS/AFAS - SYSTEN AVAILABILITYSENSITIVITY The FPL analyses for these systems demonstrated that the proposed change in test interval for the subgroup relays from six months to eighteen months did not significantly affect the availability of either ESFAS or AFAS. In both cases, the estimated availability change was less than one percent for the system channel modeled (ESFAS - 0.03K, AFAS - 0.22K (without including expected system demands as tests)). In both cases, the estimated system availability remained high with the eighteen month test interval (ESFAS - 0.9984, AFAS - 0.9953).
In the consideration of the ~chan e in SSFAS/AFAS system availability, both the FPL analyses and the NRC Safety Evaluation Repor t compared point estimates of the parameters of interest. There was no explicit treatment of the uncertainty (or error margin) which is associated with this estima-tion. For the FPL results, there is no statistical significance in the system availability change. The NRC results showed the ESFAS unavailability increasing by less than a factor of. three (0.0078 (six monks) to 0.0209 (eighteen months)) and the AFAS unavailability also increasing by less than a factor of three (0.0197 (six months) to 0.057 (eighteen months)). Both of these increases are well within the error margin typically expected of such an analysis and are therefore not statistically significant.
Thus, even using the highly conservative relay failure rate reported by the IREP Procedures 6uide, the estimated change in ESFAS/AFAS availability is not important from a statistical standpoint.
Currently, there do not exist explicit regulatory requirements or industry guidelines which define minimum availability values for nuclear power plant safeguards systems. A plant's Technical Specifications may, however, be construed as implicit availability requirements for systems important to nuclear safety.
The Technical Specification Allowable Outage Time (AOT) defines the window in which a channel or train of that system may be out of service and during which reactor power operation may continue while attempts are made to unavailability return the full system to service. Although FPL is not aware of any analytical bases for these AOT's, they do represent subjective measures of the system's importance to safety and may be considered as measures of allowable or "acceptable" channel or train .
For St. Lucie Unit No. 2, both the ESFAS and AFAS must have an inoper-able actuation channel returned to service within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> or the reactor placed in the Hot Standby condition within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (Reference 5).
Should this event occur once. per year, and the full AOT be required to return the actuation channel to service, the actuation channel unavailabil-Page 10 of 16
k> v' J(
op ~R
0 ity would be 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />s/ 8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br /> (if of hours per year) = 0.0055 for a channel availability of 0.9945. Plant operation would have continued with the implicit judgement that the health and safety of the public were not in danger. As noted above, both of the FPL estimated ESFAS and AFAS channel availabi lities remained above this value, even with the eighteen month actuation relay test.
IV. REDUCED TESTING FREQUENCY - BENEFITS TO PLANT SAFETY Westinghouse Electric Corporation, in their Evaluation of Surveillance Fre uencies and Out of Service Times for the Reactor Protection Instrumen-the frequency of safeguards system testing. The three basic points v'educing are extracted and presented here in support of this discussion:
a) A significant number of plant transients (and subsequent challenges to plant protection systems) have, as their root cause, testing and maintenance of the Reactor Protection and/or Engineered Safeguards Actuation Systems; b) There are human factors considerations relating to the time and attention which must be devoted to testing of these systems by the operators and shift supervisor and which could be better directed to other aspects of plant operation; c) The reduction in plant trip frequency and reduced testing requirements improve the plant's availability and'educes the plant staff 's manpower expenditure associated with the testing.
This manpower can be redirected to other areas that are more appropriate to plant safety .
'he nuclear industry has long been an advocate of frequent safeguards systems'esting to ensure a high probability of their successfully perform-ing their safety functions when demanded. Recently, however, the industry has begun to realize that frequent testing may, in fact, have a deleterious impact on this equipment. Issues such as Station Blackout have brought to light the realization that Technical Specification required testing of the Emergency Diesel Generators has actually resulted in degradation of this system's reliability. Thus, the industry has begun to reexamine the entire philosophy of safeguards system testing in this new light.
Page 11 of 16
V. CONCLUSIONS References 1 and 2 provided a technical basis for extension of the St.
Lucie Unit No. 2 ESFAS and AFAS actuation channel surveillance intervals from six to eighteen months. This document supports the basic conclusion previously reached that the high reliabi lity of the actuation (or subgroup) relays results in an insignificant change in the channel availability .
Further, there are significant benefits to be gained by reducing the test frequency in terms of reduced plant trips, challenges to safety systems, and manpower requirements to implement the testing.
Page 12 of 16
0 "fffII "0;8~, II'4 If. 1 $ I1
VI. REFERENCES
- 1. EVALUATION OF SURVEILLANCE FREQUENCY OF ENGINEERED SAFETY FEATURES ACTUATION SYSTEM (ESFAS) SUBGROUP RELAYS, Florida Power and Light Co.,
Power Plant Engineering Department, Report No. JPE-L-83-1, Rev. 2, January, 1984.
- 2. EVALUATION OF SURVEILLANCE FREQUENCY OF AUXILIARY FEEDWATER ACTUATION SYSTEM (AFAS) SUBGROUP RELAYS, Florida Power and Light Co., Power Plant Engineering Department, Report No. JPE-L-83-4, Rev. 1, January, 1984.
- 3. RELIABILITY ANALYSIS OF ENGINEERED SAFEGUARD PANELS FOR S~. LUCIE NUCLEAR POWER STATION UNIT ¹2, Consolidated Controls Corporation, Engineer-ing Report No. 1213, April 26, 1978.
- 4. COHPONEN~ FAILURE RA~ES FOR NUCLEAR PLANT SAFETY SYSTEM RELIABILITY ANALYSIS, Nuclear Regulatory Commission (Draft Report issued 9/23/80 for Interim Re 1 i ab i i ty 1 i Evalu at on Program use) .
- 5. TECHNICAL SPECIFICATIONS FOR THE ST. LUCIE PLANT UNIT NO. 2, DOCKET NO.
50-389, Table 3.3-3.
- 6. INTERIM 'ELIABILITYEVALUATION PROCEDURES GUIDE, NUREG/CR-2728, David D.
Carlson, Principal Investigator, Sandia National Laboratories, January, 1983.
- 7. EVALUATION OF SURVEILLANCE FREQUENCIES AND OUT OF SERVICE TIMES FOR THE REACTOR PROTECTION INSTRUMENTATION SYSTEM, WCAP-10271, R. L. Jansen, L. H.
Lijewski, R. J. Hasarik, Westinghouse Electric Corporation, January, 1983.
- 8. REACTOR SAFETY STUDY, WASH-1400, Nuclear Regulatory Commission, Rasmussen et al, October, 1975.
- 9. RELIABILITY PREDICTION OF ELECTRONIC EQUIPMEN'r, HIL-HDBK-217D, Department of Defense, 15 January 1982.
- 10. EHERGENCY SAFETY FEATURES ACTUATION SYSTEM INSTRUMENrA~ION - SURVEILL-ANCE REQUIREMENTS, E. J. Butcher to J. W. Williams, Jr. letter of June 14, 1985.
- 11. BIG ROCK POINT PLANT PROBABILISTIC RISK ASSESSMENT, Consumer 's Power Company, March, 1981.
Page 13 of 16
I
- r> 2' "k4fI>
4 ~ f<" t
,k,,p
"-I l 'V I,g~ pl f0 oR L
FORM 1016 REV. 8/77 APPROVED:
Prepared Cheeked Reviewed CHIEF ENGINEER POWER PLANTS FIGURE 1 RELAY FAILURE RATE COMPARISON 5HT I aF 2 FAILURE RATE (HRS-1) 0.00001 0.00000$
~ MEAN INDUSTRY Ci FAILURE RATE p (SOURCES A-I}
m O m 0.000000$ ~
Q 0
~Ã0 &
O ~
rn ~~
go I
Cl Q
à 0.0000000$
A 8 C D E1 E2 F G H I J1 J2 m ~< 1T1 FAILURE RATE SOURCE E71-
'a" C3 CQ C3
l FIGURE 1. RELAY FAILURE RATE COMPARISON SHT. 2 OF 2 LETTER SOURCE VALUE BIG ROCK POINT PRA 1.0 E-7 (Reference 11)
IEEE-S~D-500/1984 7.0 E-8 (Reference 12)
IREP (DRAFT DATA BASE) 2.8 E-7 (Reference 4)
WCAP-10271 8.7 E-8 (Reference 7)
El lION PRA (PLANT SPECIFIC) 2.4 E-7 (Reference 14)
E2 ZION PRA (GENERIC) 3.0 E-8 (Reference 14)
IEEE-STD-493/ 1980 2.0 E-8 (Reference 13)
WASH-1400 3.0 E-7 (Reference 8)
CONSOLIDATED CONTROLS E.R.1213 6.0 E-8 (Reference 3)
MIL-HDBK-217D 1.7 E-7 (Reference 9)
IREP PROCEDURES GUIDE (MEAN) 3.0 E-6 (Reference 5)
J2 IREP PROCEDURES GUIDE (MEDIAN) 1.0 E-6 (Reference 5)
Page 16 of 16
F l,.A