ML17300A214
| ML17300A214 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde  |
| Issue date: | 06/26/1986 |
| From: | Van Brunt E ARIZONA PUBLIC SERVICE CO. (FORMERLY ARIZONA NUCLEAR |
| To: | Knighton G Office of Nuclear Reactor Regulation |
| References | |
| REF-GTECI-A-45, REF-GTECI-DC, TASK-A-45, TASK-OR ANPP-37162-EEVB, TAC-61875, NUDOCS 8607010151 | |
| Download: ML17300A214 (54) | |
Text
REQUL RY INFORNATION DISTR IBUT I
" 'YBTEN (R IDS)
ACCESSION NBR: 8607010151 DOC. DATE: 86/06/2b NOTARIZED: NO DOCKET 0 FACIL: BTN-50-529 Palo Verde Nuclear Stati one Uni t 2r Arizona Pub AUTHOR AFFILIATION li 05000529 AUTH. NANE VAN BRUNT> E. E. Arizona Nuclear Power Prospect ( formerly Ari zona Public Serv RECIP. NANE RECIPIENT AFFILIATION KNOGHTON~ G. N. PNR Prospect Directorate 7
SUBJECT:
Forwards engineering evaluation of alternative mods, to eliminate need for venting hydrogen from suction of- charg ing pumps~ per License Condition 3. b. Nods xiii be implemented after UBI A-45 resolved.
DIBTRIBOTION CODE: A001D COP IEB RECEIVED: LTR I ENCL ~ BI ZE:
TITLE: OR Submittal: General Distribution
~~
NOTES: Btandardi zed plant.
RECIPIENT COPIES RECIPIENT COP IES ID CODE/NANE LTTR ENCL ID CODE/MANE LTTR ENCL PNR-8 EB i PMR-8 PEICBB 2 2 Pl JR-8 FOB 1 PMR-8 PD7 LA 0 PNR-8 PD7 PD 01 5 5 LICITRAiE PNR-8 PEICBB i PMR-8 RSB 1 1NTERNAL: ACRB 09 6 ADN/LFNB 0 ELD/HDB3 1 0 NRR/D T/TBCB NRR/GRAB 0 EG F E 04 1 RGN5 1 i EXTERNAL: EQZ(Q BRUBNEi 8 LPDR 03 NRC PDR 02 NBIC 05 TOTAL NUNBER OF COPIES REQUIRED: LTTR 29 ENCL 25
I t
I
Arizona Nuclear Power Project P.O. BOX 52034 ~ PHOENIX, ARIZONA85072-2034 June 26, 1986 ANPP-37162-EEVB/BJA/98.05 Director of Nuclear Reactor Regulation Attention: Mr. George W. Knighton, Prospect Director PWR Project Directorate 87 Division of Pressurized Water Reactor Licensing B U. S. Nuclear Regulatory Commission Washington, D.C. 20555
Subject:
Palo Verde Nuclear. Generating Station (PVNGS)
Unit 2 Docket No. STN 50-529 (License No ~ NPF-51)
Item 3.b of Attachment 1 to Operating License NPF-51 File: 86-C-056-026
Reference:
(1) Letter from E. E. Van Brunt, Jr., ANPP, to G. W. Knighton, NRC, dated December 5, 1985 (ANPP-34174).
Subject:
Charging Pump Operabili,ty.
Dear Mr. Knighton:
/
As an NRC requirement for issuance of the PVNGS Unit 2 Operating License, ANPP was required to perform an engineering evaluation considering alternative hardware changes necessary to eliminate the need for venting hydrogen from the suction of the charging pumps. This engineering evaluation would also include the schedules for procurement and installation of the selected solution and would be submitted for NRC Staff approval by June 30, 1986. Subsequent to this required commitment, the NRC has issued a full~ower Operating License for PVNGS Unit 2 and has incorporated the above commitment as a condition of the Operating License.
The attachments to this letter satisfy the previous ANPP commitment and License Condition 3.b of Attachment 1 to Operating License NPF-51. Attachment 1 of this letter presents the engineering evaluation of the alternative hardware changes and Attachment 2 gives a summary of the reliability studies that were conducted during this evaluation. An additional evaluation is presented in Attachment 3 to address problems which were experienced at PVNGS with the charging pump pulsation dampeners.'he engineering evaluation has been completed and the results indicate that the following hardware modifications to the system would satisfy the License Conditi.on and improve the reliability of the charging system:
- 1) Provide emergency backed power to the existing Boric Acid Makeup Pumps (BAMPs).
8607010151 860626 PDR ADOCK 05000529',,
P PDR
)
0
Mr. George W. Knighton Item 3.b of Attachment 1 to Operating License NPF-51 ANPP- 37162 Page Two
- 2) Provide emergency backed power to the BAMP outlet isolation valve to the charging pump suction header (valve CH-514).
- 3) Provide a new redundant VCT outlet isolationAalve in series with the existing VCT outlet isolation valve (valve CH-501). This new valve will also receive emergency backed power.
The NRC is currently considering new requirements and guidance in the area of decay heat removal. This is part of the NRC effort to resolve Unresolved Safety Issue (USI) A-45 and will consider the need to install PORVs on the System 80 reactor coolant system. In light of this ongoing NRC effort, ANPP will defer the implementation of these modifications until after the final NRC resolution of USI A&5. If the NRC resolution of USI A-45 results in the backfitting of System 80 with PORVs or some other modification that would remove the necessity of relying upon the charging system for Branch Technical Position (BTP) RSB 5-1 compliance, then ANPP will not implement these modifications to the charging system. However, if the NRC resolution of USI A-45 does not result in any required modifications to System 80 that would effect the current BTP RSB 5-1 charging system reliance, then ANPP proposes to implement these modifications to the charging system during the first refueling outage that occurs for each of the Palo Verde units after one year following the final resolution'f USI A-45. ANPP considers this approach to be the most prudent means of satisfying the License Condition and complying with possible future regulatory requirements.
Please provide us the results of your review of this information by July 31, 1986. In addition, please provide a determination as to whether the requirement to eliminate the need for venting the charging pumps is a backfit in accordance with 10CFR50.109. If you have any questions on this matter, please contact Mr. W. F. Quinn of my staff.
Very truly yours, E. E. Van Brunt, Jr.
Executive Vice President Project Director EEVB/BJA/dim Attachments cc: E. A. Licitra (all w/a)
R. P. Zimmerman C. Y. Liang A. C. Gehr
f f l
ATTACHMENT 1 ANPP-37162 June 26, 1986 I. INTRODUCTION The licensing basis for the PVNGS Auxiliary Pressurizer Spray System (APSS) is found in Branch Technical Position (BTP) RSB 5-1. The licensing basis for the system also included the Steam Generator Tube Rupture (SGTR) accident scenario. However, the SGTR accident has been re-analyzed with the assumption that the APSS is not available. The revised analysis credits the use of the safety grade pressurizer vent system in combination with throttling of high pressure injection flow to depressurize the Reactor Coolant System (RCS) following a SGTR.
Therefore, although the APSS is the primary method of depressurizing the RCS after a SGTR, the pressurizer vent system provides a safety grade alternate method of depressurization. The requirements for the APSS are thus given in BTP RSB 5-1 ~ According to the provisions of BTP RSB 5-1, Palo Verde is grouped as a Class 2 plant. The requirements for a Class 2 plant allow: a) dependence on manual actions inside containment following a Safe Shutdown Earthquake (SSE) or single failure, or b) remaining at hot standby conditions until manual actions or repairs are complete, if such actions are found to be acceptable for the individual plant.
On September 12, 1985, an event occurred at PVNGS Unit 1 which resulted in the loss of charging flow for a period of time. There were a number of things that occurred during the event which contributed to the loss of charging flow. These contributing factors are identified as the failure of the VCT level instrumentation and the fact that the power supply for valves CH-501 and CH-536 was lost due to the shedding of the Motor Control Center (MCC), which supplies these two motor operated valves, on a Safety Injection Actuation Signal (SIAS). . Subsequent to this event, ANPP reviewed the system design and proposed modifications to the system that would: '1) improve the operator's ability to operate the system from the control room, 2) provide an automatic function to reduce the amount of required ,operator action, and 3) improve the reliability of the control grade level instrumentation on the Volume Control Tank (VCT).
The specific modifications are listed below:
- 1) Provided power to valves CH-501 and CH-536 from a lE MCC that does not get stripped from the bus following a SIAS.
- 2) Upgraded the VCT level instrumentation to improve the reliability.
This upgraded level instrumentation has a signal comparator which provides an alarm to the control room operators in the event of a deviation between the two level channels. This will alert the operators of a potential problem with the VCT level instrumentation.
- 3) Provided for automatic realignment of valves CH-501 and CH-536 on Lo-Lo VCT level and loss of offsite power. This modification will allow for the automatic remlignment of the charging pump suction to the Refueling Water Tank (RWT) gravity feed flow path.
1-1
n a
'F
ATTACHMENT 1 ANPP-37162 (Continued June 26, 1986
- 4) Locked open valves CH-532 and CH-524 to ensure the availability of the charging flow path to the RCS and APSS.
Another of the concerns that was identified following the September 12, 1985 event was that the charging pumps became gas bound with the VCT hydrogen cover gas. In order to restore the charging system, it was necessary to operate the BAMPs. Had this event occurred concurrent with an actual loss of offsite power, the BAMPs would not have been available and venting of the charging pumps may have been required. The NRC Staff took the position that this venting of hydrogen to the charging pump cubicles is a hazard due to the possibility of a subsequent hydrogen burn in these areas that are not ventilated by an essential system. Due to this NRC position, ANPP was required to modify the PVNGS Unit 2 charging system by installing vent piping which allows the charging pump piping to be vented to an area of the auxiliary building which does receive essential ventilation. The NRC staff determined that the vent piping modification is acceptable as an interim solution pending the completion of the engineering evaluation which considers alternative hard~are modifications to eliminate the need to vent hydrogen from the charging pump piping. It should'e noted that the capability to recover from the gas bound charging pump situation has been succesfully demonstrated by test in PVNGS Unit 2. The test demonstrated the capability to restore the system within the time constraints of the BTP RSB 5-1 scenario (i.e.,
maintain hot standby conditions for four hours prior to initiation of cooldown) ~
The modifications that have been described previously will significantly lessen the likelihood of the charging pumps becoming gas bound and also provide an appropriate means of'ecovering from a gas bound situation.
However, as required by the NRC for issuance of the Operating License, ANPP committed to perform an engineering evaluation considering alternative hardware changes necessary to eliminate the need for venting hydrogen from the suction of the charging pumps and achieve an appropriate level of system reliability.
This report summarizes the results of the engineering evaluation of the charging system. The existing system and potential design alternatives were evaluated considering such factors as system reliability, cost, operator action required to operate the system, and the ability to prevent or recover from a gas bound charging pump condition.
1-2
(5 ATTACHMENT 1 ANPP-37162 (Continued) June 26, 1986 II EVALUATION A. S stem Descri tion The existing charging system is shown in Pigures 1 and 2. The function of the APSS is 'to'epressurize the RCS whenever the main pressurizer sprays are unavailable. The loss of the main pressurizer sprays will occur whenever a loss of offsite power occurs., To perform the APSS 'epressurization function, the following actions occur following a loss of offmite power:
- 1. The two pneumatically operated charging line-to-loop isolation valves (CH-239, CH-240) fail closed on loss of air or power supply.
- 2. The charging pumps are operated as required.
B. Desi Alternatives The results of the APSS reliability analysis with the existing design are summarized in Table 1. these results were used to develop potential design enhancements. Total onMemand system unavailability, assuming a loss of offmite power and no local operator actions, is estimated to be 7.8E-02 and the dominant contributors to APSS unavailability are as listed. The modifications to the existing design that were considered are the following:
- l. A redundant VCT outlet isolation valve and RWT gravity feed line valve. This design would provide single failure protection against the failure of either of these components.
1-3
/I H
/) El
[
r,y r
F e, l~ >P R
L N
p, 4 t P
P 0
ATTACHMENT 1 ANPP-37162 Continued June 26, 1986 2~ A fully safety grade system. This design would meet all the functional requirements specified in BTP RSB 5-1, including quality assurance, protection against natural phenomena, fire protection, equipment qualification, redundancy, onmite/
off-site power, and control room operability. This would require new qualified level transmitters with separate Class 1E power supply and control circuitry, and new redundant VCT and RWT outlet valves with Class 1E power supply. The power supply and control circuitry to t'e existing VCT and RWT outlet valves would be upgraded to a Class 1E installation.
3e Pully safety grade Boric Acid Make-Up Pumps (BAMPs) . The BAMPs would provide a suction source to the charging pumps from the RWT and would automatically isolate the VCT by closing the VCT outlet check valve. This design would require physical relocation of the pumps, associated piping and power cable to meet separati.on criteria.
4, Provide Class 1E power to the existing BAMPs and discharge valve (CH-514). Additionally, a redundant VCT outlet isolation valve would be installed. Power to these components would be provided from emergency powered buses so that the components would be available following a loss of offsite power. This design would not fully meet safety grade criteria. System function would be the same as for the fully safety grade BAMP alternative, but with an additional VCT outlet isolation valve. Power would be provided from the Train B since the existing VCT outlet isolation valve (CH-501) and RWT gravity feed line valve (CH-536) are powered from the Train A.
- 5. A fully safety grade vent valve on the VCT. The valve would be operable from the control room and would be used to remotely vent the VCT cover gas to below the RWT gravity feed line pressure, allowing the establishment of gravity feed to the charging pumps. The design requires the installation of a new safety grade solenoid valve off the existing VCT vent piping I
with Seismic Category vent piping routed to the essential pipe tunnel. The essential pipe tunnel provides a high volume air flow to dissipate the vented hydrogen and exhaust it through the radiation monitored fuel building exhaust.
C. Results The results of the engineering evalu'ati.on are summar'ized in Table
- 2. This table evaluates each of the alternatives against the ma)or factors of the evaluation.
1-4
p 4 It 1
(
t/
ATTACHMENT 1 ANPP-37162 (Continued) June 26, 1986 D. Conclusions After evaluating the existing system and potential design alternatives against such factors as system reliability, cost, operator action, and the ability to prevent or recover from gas-bound charging pumps, alternative 4 was selected. This alternative reduces the potential for gas-binding the charging pumps and achieves an appropriate level of system reliability. This design consists of the following enhancements:
- 1. Provide emergency backed Train B power to the existing BAMP's.
- 2. Provide emergency backed Train B power to the BAMP outlet isolation valve to the charging pump suction header (CH-514) ~
- 3. Install a redundant emergency~owered Train B valve in series with the existing VCT outlet isolation valve (CH-501). Cable installation would not meet, safety grade criteria.
The enhanced system design is shown in Figure 3. It provides redundant Train A/Train B powered isolation of the VCT and redundant Train A/Train B flow paths from the RWT. The VCT level instrumentation will continue to receive automatic backup power from Train B only. However, failure of the single safety grade power supply results in the automatic transfer of the charging pump suction to the RWT. Both BAMPs will be powered from Train B, since the BAMPs discharge isolation valve (CH-514) common to both pumps will be powered from Train B.
The results of the reliability analysis of the enhanced system are presented in Table 3. Total onMemand system unavailability is reduced to 8.6E-03 and contributors to system unavailability resulting in gas-binding are significantly reduced.
Of the dominant contributors to system unavailability, three involve a failure of the VCT level transmitter (LT-227) to automatically initiate the transfer of the charging pump sucti.on from the VCT to the RWT. In addition to this equipment failure, the control room operator must also fail to remotely transfer charging pump suction to the RWT. The operator is prompted to do this action by his emergency procedures, by the back-up VCT level transmitter (LT-226) low level indication, and by the VCT level comparator alarm. However, given this highly unlikely set of circumstances, system operability can be easily recovered by utilizing the BAMPs to overcome the VCT cover gas pressure and restore suction to the charging pumps.
1-5
ll 1
r
ATTACHMENT 1 ANPP-37162 Continued June 26, 1986 The remaining contribution to system failure resulting in potential gas-binding involves the failure of both the Train B Diesel Generator and the Train A VCT outlet isolation valve (CH-501). This low probability scenario can be accommodated by remaining at hot standby (as allowed by BTP RSB 5-1 for Class 2 plants) until off-s'ite power or Diesel Generator B operability is restored, or by manually venting the pump suction and manually establishing a gravity feed line from the RWT.
Implementation of these design enhancements will significantly improve the flexibility of the system by providing additional methods of supplying borated water to the suction of the charging pumps. With these design enhancements, system function will be as in the existing design discussed previously except that:
- 1. At least one of the two VCT outlet isolation valves must close or either of the two BAMPs must start and valve CH-514 must open.
- 2. The RWT gravity feed line valve CH-536 must open or either of the two BAMPs must start and valve CH-514 must open.
III. SCHEDULE POR IMPLEMENTATION The schedule for implementation of these modifications is as follows: If the NRC resolution of USI A-45 results in the backfitting of System 80 with PORVs or some other modification that would remove the necessity of relying upon the charging system for Branch Technical Position (BTP) RSB 5-1 compliance, then ANPP will not implement these modifications to the charging system. However, if the NRC resolution of USI A-45 does not result in any required modifications to System 80 that would affect the current BTP RSB 5-1 charging system reliance, then ANPP proposes to implement these modifications to the charging system during the first refueling outage that occurs for each Palo Verde unit after one year following the final resolution of USI A-45.
1-6
A' LT 226(B)
REFUELING VOLUME LT-227(B)
WATER CONTROL TANK TANK (S)
MAKE-UP PUMPS CH-5I4 CHARGING CH-190 PUMPS (S)
CH-536(A)
(S)=SAFETY GRADE COMPONENT (A)=RECEIVES A TRAIN POWER (B)=RECEIVES B TRAIN POWER FIGURE I CHARGING S YSTEM (E X IS TING)
l CH-203(S)
CH-205(S) CH-431 P RES S UR IZER F 0-212( S)
CH-VM70 REGEN. TO HEAT R.C.S EXCH'ANGER CHARGING CH 239 CH 240 NOZZLE CH-524(S.)
CH-435 (S)=SAFETY GRADE COMPONENT FIGURE 2 CHARGING/'AUXILIARY SPRAY SYSTEM (EX S T IN G)
I
A H
REFUELING VOLUME LT-227(B)
WATER CONTROL TANK TANK (S)
NEW VALVE (B)
BORIC ACID MAKE-UP C H-50 I(A)
PUMPS (B)
CH-514(B)
CHARGING CH-l90 PUMPS (S)
CH-536(A)
(S)=SAFETY GRADE COMPONENT (A)=RECEIVES A TRAIN POttttER (B) =RECEIVES 8 TRAIN POWER F IGURE CHARGING SYSTEM (ENHANCED)
TABLE 1 EXISTING DESIGN DOMINANT CONTRIBUTORS TO APSS UNAVAILABILITY Total System Unavailability 7.8E-02 Probabilit Failure Mode Comments
- 3. 6E-02 CH-501/CH-536 fail to operate due to Could result in Diesel Generator A failure. gas-binding.
1.9E-02 CH-501 fails to close. Could result in gas-binding.
- 1. 9E-02 CH-536 fails to open. Does not result in gas-binding. Recoverable by manually aligning alternate gravity feed line or by manually opening CH-536.
1.4E-03 LT-227 fails to indicate properly Could result in and operator fails to remotely gas-binding.
align CH-501 and CH-536 in response to LT-226 indication, VCT level comparator alarm, or by emergency procedures.
4.3E-04 LT-227 in maintenance and operator Could result in fails to remotely align 501/536 per gas-binding.
LT-226 or LOP procedure.
4.0E-04 CH&35 (charging discharge swing Passive failure. Does check valve) fails open. not result in gas-binding.
4.0E-04 CH-501 fails to close due to Could result in mechanical fault. gas-binding.
4.0E&4 CH-536 fails to open due to Does not result in mechanical fault. gas-binding.
Recoverable by manually aligning alternate gravity feed line.
3.8E-04 Flow Orifice FE-212 plugs. Passive failure. Does not result in gas-binding.
1-10
K I'
TABLE 2 EVALUATION RESULTS (3)
(1) (2) BENEFIT/ SYSTEM PREVENT OR RECOVER ALTERNATIVES COST BENEFITS COST RATIO UNAVAILABILITY OPERATOR ACTION FROM GAS BINDING
- 1. Redundant VCT/ 4 233,000 4156,000 0.67 1.06E-02 Fully automatic Susceptible to VCT level RWT valves instrumentation failures.
- 2. Fully Safety 842,000 4323,000 0.38 9.14E&3 Fully automatic Single failure proof.
Grade System
- 3. Safety Grade 41,000,000 4327,000 0.33 9.13E-03 Fully automatic Provides safety grade means BAMPs to recover from gas binding.
- 4. 1E Power to 194,000 4142,000 0.73 8.61E-03 Fully automatic Provides 3 independent means BAMPs/Redundant of preventing gas binding VCT Value with 1 means of recovering.
- 6. Safety Grade 520,000 4218,000 0.42 7.79E-02 Requires initiation Provides safety grade means VCT vent of VCT vent valve of recovering from gas from control room binding.
NOTES: (1) Costs are on a per unit basis. Costs include construction, engineering, and procurement but do not include continuing costa such as maintenance and testing.
(2) Benefits are averted on-site costs plus averted man~ benefit.
(3) Benefit/cost ratio is on a per unit basis.
K II b'
TABLE 3 ENHANCED DESIGN DOMINANT CONTRIBUTORS TO APSS UNAVAILABILITY Total System Unavailability 8.6E-03 Probabilit Failure Mode Comments 2.1E-03 Diesel Generators A and B fail. Does not result in gas-binding.
1.4E-03 LT-227 fails to indicate properly and Could result in gas-operator fails to remotely transfer binding but recover-charging pump suction to RWT in able by use of BAMPs.
response to LT-226 indication, VCT level comparator alarm, or by emergency procedures.
6.8E-04 Diesel Generator A fails and Does not result in gas-CH-514 (Train B) fails to open. binding. Recoverable by manually opening CH-514 or aligning alternate gravity feed line.
I 6.8E-04 , Diesel Generator B fails and Does not result in CH-536 (Train A) fails to open. gas-binding. Recover-able by use of alter-nate gravity feed line or manually opening CH-536 Diesel Generator B fails and CH-501 Could result in gas-
'.8E-04 (Train A) fails to close. binding.
4.3E-04 LT-227 in maintenance and operator Could result in gas-fails to remotely transfer charging binding but recover-pump suction to RWT in response able by use of BAMPs.
to LT-226 indication or emergency procedures.
4.0E-04 CH-435 (charging discharge swing Passive failure. Does check valve) fails open. not result in gas-binding.
3.8E-04 Flow orifice FO-212 plugs. Passive failure. Does not result in gas-binding.
1-12
1 P
'1 I
TABLE 3 ENHANCED DESIGN (Continued)
DOMINANT CONTRIBUTORS TO APSS UNAVAILABILITY Probabilit Failure Mode Comments 3.6E-04 and CH-536 fail to open. Does not result in gas-binding. Recover-
'F'H-514 able by manually opening either valve or by use of alternate gravity feed line.
1.3E-04 Auxiliary spray valves CH-203 and Does not result in gas-CH-205 fail due to common cause binding.
faults.
1.1E-04 LT-227 low-low level bistable fails Could result in and operator fails to remotely gas-binding, but transfer suction to RWT in recoverable by use of response to LT-226 indication BAMPs ~
or emergency procedures.
1-13
t
~
)qy
ATTACHMENT 2 ANPP-37162 June 26, 1986 APSS RELIABILITYRESULTS
SUMMARY
I. INTRODUCTION As part of a comprehensive engineering evaluation of proposed design upgrades to the Auxiliary Pressurizer Spray System (APSS), system reliability of the various proposed alternatives was evaluated. The base case APSS design, from which additional system modifications were considered, included all design changes which have been previously committed to. The base case APSS thus includes the following design features:
CH-501 and CH-536 receive power from 1E MCC E-PHAW35.
The VCT level transmitters utilize separate reference legs. One detector utilizes a dry reference leg and the other a wet reference leg. This feature further reduces the potential for common cause failures.
CH-536 automatically opens on low-low VCT level and loss of offsite power.
The APSS engineering evaluation concluded that providing lE power to the BAMPs and the associated discharge valve and adding a redundant VCT outlet isolation valve moat effectively reduced the potential for charging pump gas binding, when such factors as system reliability, cost, and the amount of operator action required were considered. This attachment summarizes the APSS reliability results for the base case design, and for the APSS as modified per the recommended modifications of the engineering evaluation. 1 II.
RELIABILITYEVALUATION METHODOLOGY APSS system reliability was evaluated by constructing and quantifying a system, fault tree. Combinations of component failures, systems interactions," maintenance unavailabilities, human errors, instrument failures, and common cause faults which can result in failure of the APSS to perform its intended function were modeled within the system fault tree. The reliability analysis methods used in this study adhere to current reliability methods as described in the PRA Procedures Guide (NUREG/CR-2300). Pailures caused by external events such as fire or earthquakes were not considered within the APSS fault tree. APSS availability was evaluated assuming a loss of offsite power. The recovery of offsite power was considered in accordance with NUREG-1032.
2-1
'% ~
J n
't l
ATTACHMENT 2 ANPP-37162 (Continued) June 26, 1986 Com onent Failure Rate Data Table 1 illustrates the component failure rate data used in the calculation of fault tree basic event probabilities, and the methodology employed. Basic data sources utilized included the IREP Procedures Guide, the Oconee Probabilistic Safety Study, WASH-1400 and the NREP Procedures Guide. Since several system components have relatively long intervals between tests, hourly failure rates were utilized instead of demand failure rates for these components.
Modelin of 0 erator Action APSS reliability is sensitive to assumptions regarding the ability of the operator to diagnose improper system alignment and to properly align the system. Operator actions required to prevent charging pump gas binding are modeled within the APSS system fault tree, since failure of these actions may result in extended unavailability of the charging system.
However, operator actions required to initiate auxiliary spray are not modeled, since these actions do not affect system availability.
Additionally, considering the long time frame available for the operator to initiate auxiliary spray for long term depressurization, the probability of operator failure was judged to be negligible.
Human error probabilities were calculated using the Human Reliability Handbook (Refexence 12). A conservative human error model was employed and no credit was taken for operator action outside of the control room.
Additionally, in assessing the time available for operator action, it was assumed that all three charging pumps act to pump VCT inventory into the reactor coolant system. These assumptions are consistent with designing a system which minimizes reliance on operator action. However, it should be recognized that these assumptions result in conservative estimates of system availability. Table 2 summarizes the quantification of the ma)or human error events which occur in the APSS system fault tree.
Sensitivity studies were made assuming a more realistic human error model and these results are shown in Table 3 along with the reliability results without credit for local operator action.
Common Cause Failure Anal sis Common cause failures are multiple failures which can lead to the total unavailability of redundant safetymelated systems. As overall system unavailability can be significantly degraded due to common cause, these types of failures must be identified and quantified.
2-2
ATTACHMENT 2 ANPP-37162 Continued June 26, 1986 All common cause failure probabilities have been calculated according to the Binomial Failure Rate Model (Reference 1). According to this model, common cause failures happen as a consequence of common shocks that affect the components. Common cause failure rates are dependent on the level of redundancy in the system and on the number of common cause failures necessary to fail the overall system. Thus, "m" redundant trains, the common cause failure rate for "k" failures is for a system with defined's Rk m. Therefore, the common cause unavailability is expressed as:
T CC R.
K x test (common cause calculation for a standby component) 2 where Ttest is the time between successive tests of the same component Tabulated values for these failure rates have been obtained by Atwood et al, in References 3, 4, and 13- These failure rates have been determined based on Licensee Event Reports. Common Cause failures were identified and quantified for all identical active components within the APSS system.
Fault Tree Quantificati,on Process The WAMBAM and WAMCUT computer codes were used for fault tree quantification. These codes were developed by Science Application, Inc.,
under the sponsorship of the Electric Power Research Institute.
WAMBAM was used to calculate the first moment of the top event and WAMCUT was used to identify the minimal cutsets. It is these cutset listings which were utilized to identify the dominant contributors to system unavailability. The WAMCUT computer code is further described in Reference 10.
Cost/Benefit Anal sis of Alternatives A cost/benefit analysis was performed for each of the various alternatives. For each of the design alternatives considered, the resulting decrease in accident sequence frequency was estimated. This decrease in accident sequence frequency was then correlated to a dollar benefit by using accepted methods of cost/benefit analysis (per NUREG/CR-3568). The cost benefit analysis considered external initiating events as well as internal events.
The costs and benefits of each of the proposed upgrades are summarized in Table 2 of Attachment 1. The benefit was primarily derived as a result of the decrease in utility financial risk achieved from implementing the proposed modifications (i.e., from consideration of averted onsite costs).
2-3
c I'
l~
U I h
o
ATTACHMENT 2 ANPP-37162 Continued June 26, 1986 Averted onsite costs are those costs (replacement power costs, radiological cleanup costs), calculated probabilistically, which are averted by implementing a proposed upgrade. Alternative 4 (the selected alternative) provides the most cost effective method to improve system performance but still requires more than a 41000 expenditure per man REM reduction.
III. Results Reliability results are summarized in Table 3. Dominant contributors to APSS unavailability are listed in Tables 1 and 3 of Attachment 1 for the base case APSS design and for the enhanced design. Alternative 4 improves system unavailability to 8.6E-03 from a base system unavailability of 7.8E-02 assuming a conservative human error model and no credit for local operator action.
IV. References
- 1. NUREG/CR-2300, "PRA Procedures Guide", U. S. Nuclear Regulatory Commission, January, 1983.
- 2. "Reactor Safety Study WASH 1400", NUREG-75/014, Appendix III, U. S. Nuclear Regulatory Commission, October, 1975.
- 3. NUREG/CR-2098, C. L. Atwood and J. A. Stevenson, "Common Cause Fault Rates for Pumps: Estimates Based on Licensee Event Reports at U. S. Commercial Nuclear Power Plants, January 1, 1972 through September 30, 1980", February 1983.
- 4. NUREG/CR-2770, C. L. Atwood and J. A. Stevenson, "Common Cause Fault Rates for Valves: Estimates Based on Licensee Event Reports at U. S. Nuclear Power Plants, 1976-1980", February, 1983.
- 5. IEEE Standard 500-1984, "The Institute of Electrical and ELectronics Engineers, Inc. (IEEE) Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component, and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations", IEEE Inc.,
1983.
- 6. NUREG/CR-1205, Revision 1 "Data Summaries of Licensee Event Reports of Pumps at U. S. Commercial Nuclear Power Plants", January, 1982.
- 7. NUREG/CR-1363, Revision 1, "Data Summaries of Licensee Event Reports of Valves at U. S. Commercial Nuclear Power Plants", October, 1982.
- 8. NUREG/CR-2815, "National Reliability Evaluation Program (NREP)",
U. S. Nuclear Regulatory Commission, Final Draft, September, 1982.
2-4
k 4 Il
ATTACHMENT 2 ANPP-37162 Continued June 26, 1986
- 9. Power Authority of the State of New York, and Consolidated Edison Company of New York, "Indian Point Probabilistic Safety Study", 1982.
- 10. R. C. Erdmann and R. L. Leverenz, "WAMCUT, A Computer Code for Fault Tree Evaluation," EPRI-NP-803, Electric Power Research Institute, June, 1978.
- 11. "Reliability of Emergency AC Power Systems at Nuclear Power Plants",
NUREG/CR-2989, U. S. NRC, July, 1983.
- 12. NUREG/CR-1278, Swain, A. D. and H. E. Gutteman, "Handbook of Human Reliability Analysis with emphasis on Nuclear Power Plant Applications", August, 1983.
- 13. NUREG/CR-3289, Meachum, T. R. and C. L. Atwood, "Common Cause Fault Rates for Instrumentation and Control Assemblies", May, 1983.
- 14. NUREG/CR-3568, "A Handbook for Valve-Impact Assessment", December, 1983.
2-5
It I'I 0
0 I 0 0'
I- I fA It 0
TABLE 1 EXAMPLES OR FAULT TREE BASIC EVENT QUANTIFICATION Component Fault Tree Pailure Com onent ID Failure Descri tion Probability Source/Comments CHV5010N CH-501 (VCT outlet valve) fails to close 1.9E-02 NUREG/CR-2770 (2.9E6/hr, mean time between remotely. test 18 months) .
CHS2030Y HV-203 fails to open (APSS spray admission 4.4E&3 NREPHOV fails to operate (2E&6/hr, mean valve) ~ time between demands estimated as 6 menthe).
203/25CC HV-203 and HV-205 fail to open due to 1.3E4 NUREG/CR-2770 (Beta factor for remote operated common cause. valves equal 0.03).
CHV3350E Manual valve V-335 fails to remain open 3. OE&5 WASH-1400.
(plugs).
CHV4310Q APSS check valve CH&31 fails to open. 1.0E-04 IREP.
(and other check valves)
CHAP010R Charging pump CHA-P01 (CHB-P01, CHE-P01) 1.0E&2 IREP (conservatively used 95th percentile of (CHBP010R) fails to start. IREP distribution).
(CHEP010R)
. DGOOOAOW Diesel Generator A fails to supply 3.6E&2 Based on IREP valves of 3E-2/demand and (DGOOOBOW) power until offsite power is recovered. 3E-3/hr combined with offsite power recov model per NUREG-1032.
CHI2270X LI-227 indicates high by more than 5X at low 1.0E2 NSAC-60 (2.2E6/hr, 18 months mean time range of scale. between tests, 70 percent of failures assumed not to be detected by comparison with redundant detectors).
2-6
f 'I I.
4
\
C l~
I C r II 4
'll ~
~
j fl
~ 'b 4 k 1 r a
I II
TABLE 2 HUMAN ERROR PROBABILITY QUANTIFICATION Component Fault Tree Failure Com onent ID Pailure Descri tion Probabilit Source/Comments CHI226HR Operator fails to take remote action to 0.3 NUREG/CR-1278, Figure 12-4 (upper bound curve maintain charging pump suction on LT-226 = 0.5, median curve = 0.08) based on 12 VCT low level alarm. minutes available for operator action assuming maximum charging flow.
CHI226HL Operator fails to take local action to 1.0 Local operator action not credited.
maintain charging pump suction on LT-226 VCT low level alarm.
CHI227HR Operator fails to take remote action to 0.5 NUREG/CR-1278, Figure 12-4 (median curve maintain charging pump suction on based on 2 minutes available for operator LT-227 VCT low level alarm. action assuming maximum charging flow).
CHI227HL Operator fails to take local action to 1.0 Local operator action not credited.
maintain charging pump suction on LT-227 VCT low level alarm.
CHA012HL Operator fails to locally align gravity 1.0 Iocal operator action not credited.
feed in accordance with loss of forced circulation procedure (41R0-1ZZ04).
CHA012HR Operator fails to remotely align gravity 0.5 NUREG/CR-1278, Figure 12-4 (upper bound curve drain in accordance with loss of forced based on 12 minutes available for operator circulation procedure (41RO-lZZ04). action assuming maximum charging flow).
CH0239HU Operator fails to close CH-239 given 0.3 No procedural guidance for this action, but CH-240 fails open. action would be prompted by insufficient depressurization rate.
CHM501HV Operator fails to locally operate CH-501 3. OE&3 NUREG/CR-1278.
(CHM502HV) (CH-502, CH-536) due to valve selection (CHM536HV) error. Note that CH-502 is the new redundant VCT outlet isolation valve.
2-7
t I'i1 is t'
I r
'I I I
~ C 1
II'I I
I'
TABLE 3 APSS SYSTEM UNAVAILABILITYFOLLOWING A LOSS OF OFFSITE POWER EVENT Conservative Realistic Human Error Human Error Model Model Existing Design (CH-501/536 powered from 7. 8E&2 l. 1E&2 PHA-M35; CH-536 auto transfers on low-low VCT level and LOP).
Enhanced Design (BAMPs and CH-514, receive 8.6E-03 4.7E-03 Class lE power from Train B, redundant VCT outlet valve).
+
e
ATTACHMENT 3 ANPP-37162 June 26, 1986 FAILURE OF CHARGING PUMP PULSATION DAMPENER I. INTRODUCTION On February 18, 1986, PVNGS Unit 1 experienced a temporary loss of all 3 charging pumps as a result of a leaking bladder in one of the charging pump pulsation dampeners. The leaking bladder resulted in the introduction of the dampener's nitrogen precharge gas into the pump's discharge piping. Subsequent operation of the pump with nitrogen filled discharge piping resulted in discharge pressure excursions which caused a pressure relief valve on the discharge side of the pump to open for an unknown period of time. This valve. relieves directly to the pump suction. Thus, an unknown quantity of gas was introduced into the common suction piping header for all three charging pumps. An evaluation was performed to determine if failure.
a system design change was required to prevent this potential common mode II. EVALUATION A review of this experience and the charging system design indicates that the introduction of nitrogen from the pulsation dampeners into system piping can only occur during precharging of the pulsation dampeners.
This activity requires the charging pump discharge piping to be isolated and depressurized. Then, the pulsation dampener bladder is charged with nitrogen to a predetermined pressure. If the bladder is leaking, the entire discharge piping up to the first discharge check valve may be filled with nitrogen before the required precharge pressure is obtained.
Subsequent operation of the pump could then result in pressure excursions large enough to open the discharge piping pressure relief valve.
Should the bladder begin to leak during system operation, nitrogen cannot enter the piping since the precharge pressure is less than system operating pressure and the gas will remain captured in the dampener bladder.
Because nitrogen can be introduced into system piping only during a specific maintenance activity and cannot occur during normal system operation, no system design changes are required. However, to ensure this activity is performed correctly, tools and procedures are being developed which will preclude similar occurrences. Although still in the conceptual stage, we are in the process of designing a remote pulsation dampener nitrogen charge tool which we anticipate will involve the use of a mass flow totalizer. The flow totalizer would measure the amount of nitrogen being used to charge the dampeners and would provide an indication of a leaking bladder due to increased gas consumption.
The schedule for implementation of the remote pulsation dampener nitrogen charge tools and associated procedures is consistent with the schedule for implementation of the system modifications described in Attachment 1 of this submittal.
3-1
ll
, II p h t
JUN 13 1986 D~cTPIBUT ION D t 'F1 1 e PDR LPDR PRC System PD7 Reading JLee (2)
DOCKET NO(S). 50-529 t1r. E. E. Van Brunt, Jr.
Executive Vice Ppesident Arizona Nuc1ear Power Project Post Office Box 52034 Phoenix, Arizona'5072-2034
SUBJECT:
ARIZONA PUBLIC SERVICE COMPANY PALO VERDE NUCLEAR GENERATION STATION, UNIT 2 The following documents concerning our review of the subject facility are transmitted for your information.
O Notice of Receipt of Application, dated O Draft/Final Environmental Statment, dated O Notice of Availability of Draft/Final Environmental Statement, dated O Safety Evaluation Report, or Supplement No. , dated O Notice of Hearing on Application for Construction Permit, dated O Notice of Consideration of Issuance of Facility Operating License, dated Bi -Iteekly Ixj IMI/ixiXNYj'otice;Applications and Amendments to Operating Licenses Involving no Significant Hazards Considerations, dated 366 and 20367).
O Application and Safety Analysis Report, Volume O Amendment No. to Application/SAR dated O Construction Permit No. CPPR- , Amendment No. dated O Facility Operating License No. , Amendment No. , dated O Order Extending Construction Completion Date, dated O Other (Specify)
Office of Nuclear Reactor Regulation
Enclosures:
As stated
'ee next page os vier~
SURNAMCW J/yt D
'/
DAN'S~ /86 NRC FORM 318 (1/84) NRCM 0240
+ ~
4 rg
~
- ~
tg)
~ 'i II
~
~ ~ ~
I r~ r
~ .i.'4 "q,
Mr. E. E. Van Brunt, Jr.
Arizona Nuclear Power Project Palo Verde CC:
Arthur C. Gehr, Esq. Kenneth Berlin, Esq.
Snell & Wilmer Winston & Strawn 3100 Valley Center Suite 500 Phoenix, Arizona 85073 2550 M Street, NW Washington, DC 20037 Mr. James M. Flenner, Chief Counsel Arizona Corporation Commission Ms. Lynne Bernabei 1200 West Washington Government Accountability Project Phoenix, Arizona 85007 of the Institute for Policy Studies l901 Que Street, NW Charles R. Kocher, Esq. Assistant Washington, DC 20009 Council James A. Boeletto, Esq.
Southern California Edison Company Ms. Jill Morrison P. 0. Box 800 522 E. Colgate Rosemead, Cal i for nia 91770 Tempi, Arizona 85238 Mr. Mark Ginsberg Mr. Charles B. Brinkman, Manager Energy Director Washington Nuclear Operations Office of Economic Planning Combustion Engineering, Inc.
and Development 7910 Woodmont Avenue Suite 1310 1700 West Washington - 5th Floor Bethesda, Maryland 20814 Phoenix, Arizona 85007 Mr. Wayne Shirley Mr. Ron Rayner Assistant Attorney General P; 0. Box 1509 Bataan Memorial Building Goodyear, AZ 85338 Santa Fe, New Mexico 87503 Mr . Roy Zimmerman U.S. Nuclear Regulatory Commission P. 0. Box 239 Arlington, Arizona 85322 Ms. Patricia Lee Hourihan 6413 S. 26th Street Phoenix, Arizona 85040 Regional Administrator, Region V U. S. Nuclear Regulatory Commission 1450 Maria Lane Suite 210 Walnut Creek, California 94596
Chairman Ar izona Corporation Cnmmission P. 0. Box 6019 Phoenix, Arizona 85003 Arizona Radiation Regulatorv Aqency ATTN: Ns. Clara Palovfc, librarian 925 South 52nd Street Tempe,'rizona 85238 Nr. Charles Tedford, Director Arizona Radiation Regulatory AgencY 924 South 52nd Street, Suite 2 Tempe, Arizona 85281 Chairman Naricopa County Board of Supervisors 111 South Third Avenue Phoenix, Arizona .85003