Auxiliary Feedwater Sys Reliability Analysis

ML18052A359
Person / Time
Site:	Palisades
Issue date:	03/21/1986
From:	CONSUMERS ENERGY CO. (FORMERLY CONSUMERS POWER CO.)
To:
Shared Package
ML18052A357	List: ML18052A356 ML18052A359
References
NUDOCS 8603280238
Download: ML18052A359 (149)
v • d • e

Text

ATTACHMENT Consumers Power Company

-Palisades Plant Docket 50-255 AUXILIARY FEEDWATER SYSTEM RELIABILITY ANALYSIS March 21, 1986 8603280239 860321 PDR ADOCK 05000255 P

PDR 131 Pages IC0286-0001K-NL01

1.0 2.0 3.0 4.0 5.0 A.

B.

c.

D.

E.

F.

G.

PALISADES PLANT AUXILIARY FEEDWATER SYSTEM RELIABILITY ANALYSIS TABLE OF CONTENTS BACKGROUND RELIABILITY ANALYSIS 2.1 METHODOLOGY 2.2 FAULT TREES 2.3 CRITERIA AND ASSUMPTIONS 2.4 DATA SOURCES 2.5 CORRECTIONS TO FAULT TREES 2.6 RESULTS MSLB AFW MODEL CONCLUSIONS REFERENCES APPENDICES SYSTEM UNAVAILABILITY RESULTS MSLB AFW MODEL CUTSETS FIGURES AND DRAWINGS HARDWARE FAULT TREE TEST AND MAINTENANCE FAULT TREE ELECTRICAL FAULT TREES DATA IC0286-0001K-NL01 Page 1

2 2

3 4

5 5

7 9

13 14

1.0 BACKGROUND

AUXILIARY FEEDWATER SYSTEM RELIABILITY ANALYSIS 1

As a result of the Palisades Main Steam Line Break submittal, concern has been raised, by the NRG, regarding the adequacy of the existing Palisades auxiliary feedwater system (AFW).

This concern is based on the evaluation of the AFW model used in the Main Steam Line Break (MSLB) submittal.

Because of the importance of the issue, this report was created to clarify any potential misinterpretation of the results of the AFW system model analysis included in the MSLB submittal.

The intent of this report is to provide information in support of the position that the AFW system model, as used in the MSLB submittal, should not be construed to represent the reliability of the system.

This report focuses on two main elements 1) an analysis which more closely represents our state of knowledge regarding the reliability of the AFW system design and operation, and 2) a discussion of the results derived for the MSLB AFW model and why a significant portion is inappropriate in the context of the overall system reliability (refer to sections 2.1 and 3.0).

In order to accomplish item 1), a separate analysis of the AFW system was conducted using the guidelines of NUREG-0635.

The reasons for using NUREG-0635 are; a) to maintain consistency in the method of analysis (the system has undergone two previous analyses using these criteria).

b) the system has been significantly modified since the first analysis, using the same criteria allows direct comparison of the new results to the original results.

c) the results of the new analysis can be compared to the results for other plants already analyzed using the same criteria.

As indicated in a) above, two previous reliability analyses have been conducted.

The purpose of the second analysis was to demonstrate the level of increased reliability attainable from proposed modifications to the system.

A recent review of this second analysis showed that the fault tree models already developed could be used for an analysis of our existing system.

Necessary corrections and alterations to the models were made and are identified in section 2.5.

As indicated in b) above, modifications to the system to improve reliability by minimizing the failure effects of human error, common causes, and single-or double-point vulnerabilities were completed after NUREG-0635 was published. Therefore, the results obtained by the original analysis are no longer accurate.

Several of the significant modifications are listed below.

IC0286-0001K-NL01

2

1.

Addition of a third dedicated AFW pump.

2.

Manual or automatic flow initiation on receipt of low steam generator water level, and manual or automatic isolation of the depressurized steam generator following secondary system line breaks.

3.

Safety grade AFW flow indication to the main control room.

4.

Redundant emergency power supply for the electrical equipment, instrumentation, and control circuits associated with the modifications.

5.

Testability of AFW control circuits.

6.

Seismic and environmental qualification to meet applicable Palisades guidelines.

2.0 RELIABILITY ANALYSIS 2.1 METHODOLOGY Fault tree analysis was used to identify those potential failures that could be chief contributors to AFW system unreliability during the three transient conditions listed below.

LMFW - Loss of main feedwater with concurrent reactor trip and with offsite power available.

LMFW/LOOP -

LMFW with concurrent reactor trip and loss of offsite power (LOOP).

Onsite emergency power sources remain available.

LMFW/LOAC -

LMFw and concurrent loss of all alternating current power (LOAC), except that which is battery derived.

The model used in the current analysis is not the same as the model used in the MSLB submittal.

The reasons for using a different model are detailed below.

1)

The time interval of interest as stated in NUREG-0635 is the unavailability of the AFW system during period of time to boil the steam generator dry which for Palisades has been established as 15 minutes.

The model used in the MSLB submittal is based on a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time and therefore introduces significant contributions from failures of the system to continue to function

• IC0286-0001K-NL01

2) 3 The model used in the MSLB submittal is a modified version of the complete AFW fault tree. A discussion of the differences is provided in section 3.0 "MSLB AFW Model".

However, a major difference in the models is due to an arbitrary assumption that the failed steam generator was unavailable.

This assumption effectively eliminates the redundancy in flow paths from the AFW pumps to the steam generators.

3)

The level of detail in the current plant model goes well beyond the level of detail prescribed by NUREG-0635.

Since part of the concern is based on the degree of reliability as compared to other plants or proposed goals, it was decided that the reliability analysis should be completed in a manner that allows such comparisons.

As additional insight, each model was evaluated with two sets of data.

The first set of data is generic as provided by NUREG-0635.

The second set includes plant specific data where such data was available.

When plant specific data was not available, generic data was used.

This allows comparison of the relative impact of the use of plant specific data to generic data.

Analysis of the fault trees was conducted using the WAMCUT computer code.

2.2 FAULT TREES Three fault tree models were used.

The fault trees include random failures of electrical and mechanical components and the effects of testing and maintenance, and human error.

The fault trees are shown in appendices D, E, and F.

Th.e trees were examined for causes of specific component failure modes and evaluation of their likelihood of occurrence.

The causes considered were:

Random independent failures; Test and maintenance; and Human error.

Each of the three master trees was developed for the loss of main feedwater (LMFW) transient condition.

For other transient conditions -

LMFW with loss of offsite power (LMFW/LOOP) or LMFW with loss of all alternating current power (LMFW/LOAC) -

some systems or components are unavailable.

Those systems or components were deleted before analysis.

NUREG-0635 was used to establish the top event of the master fault tree, set the initiating events, and as the basic guide for the analysis.

The top event is taken from NUREG-0635 which states; IC0286-0001K-NL01

4 The time interval of interest for all transient events considered is the unavailability of the auxiliary feedwater system during the period of time required to boil the steam generator dry. (Reference 2, page III-10)

The fault tree models were peveloped assuming statistical independence for hardware/operator failures, human error, and test and maintenance failures.

2.3 CRITERIA AND ASSUMPTIONS The following analytical criteria and assumptions were used.

• AFW system availability is defined as successful system startup within the steam generator boil dry time of 15 minutes.

The availability conditions for AFW system power sources during the analyzed transients were as follows;

1)

LMFW - All alternating and direct current power available.

2)

LMFW/LOOP -

Two diesel generators and battery backup available.

3)

LMFW/LOAC - Direct current and battery-backed alternating current available (instrument and control power available only)

Although water from the fire protection system and service water system is available to backup the AFW system condensate storage tank, these sources were not considered in the fault tree analysis.

All component and operator actions were assumed to be either successes or failures.

No partial successes were considered.

Top event failure probability will be calculated by summing the failure probabilities from hardware, test and maintenance, and human error contributions.

The probabilities for each category are rare event approximations.

Human error probability has been considered in the Hardware and Test and Maintenance fault trees.

Component outage due to maintenance will only be considered for active components (pumps, control valves, etc).

Maintenance on manual valves is considered negligible

• IC0286-0001K-NL01

2.4 5

DATA SOURCES Data used for the component failure rates in the hardware and test and maintenance trees was taken from the NRC.data found in Appendix III, Table III-3 of NUREG-0635.

Electrical tree component data was taken from IEEE Std 500.

Human error probabilities were drawn from NUREG-1278 and NUREG-0635.

Specific component failure data is listed in Appendix G.

2.5 CORRECTIONS TO FAULT TREES 2.5.1 2.5.2 As part of the preparation for this analysis, the fault trees utilized in the second reliability analysis were reviewed for accuracy.

Several discrepancies were identified and corrected.

Changes made are indicated on the fault trees and discussed below.

Hardware fault tree

1)

Operator errors had been treated as independent events.

Since each operator error in this tree involved operator response to a failure of the automatic initiation of the system, it was decided that a high degree of dependence was involved.

Based on this decision, all operator actions were grouped into three basic types; a) failure to actuate the system from the control room, b) failure to actuate the system locally, and c) failure to manually operate components.

2)

T~e original hardcopy of the model did not identify the primary events representing the failure of pref erred ac power for instrumentation and control. These events were added to the model.

3)

The failure mode for the motor-operated valves in the AFW flow paths was originally identified as fail to open.

These valves are normally open and should be identified as fail to remain open. The correction to the fault trees did not get accomplished.

However, in the examination of the system cutsets it was noted that the failure of these valves did not contribute significantly to the system unavailability.

Therefore, no corrections were made since the only impact was a slight conservatism in the numerical results and relative ranking of cutsets of intermediate to low contribution.

Test and maintenance fault tree

1)

As in 2.5.1 (1) above, the human error associated with restoration of the outlet valves from the condensate storage tank to the AFW pumps was treated as independent for each valve.

Because of the location and basis for restoration (ie if isolation was necessary at that point then both valves must be closed and restored), the separate events were combined into one.

IC0286-0001K-NL01

2.5.3

2) 6 Credit was taken for a manual valve which bypasses the pressure control valve in the steam line to the turbine-driven pump.

The current PRA model does not take credit for successful operation of this valve.

While it may be possible to control steam inlet pressure to the turbine driver by manually regulating a gate valve, the ability to do this efficiently and consistently has not been demonstrated and it was deleted from the model.

3)

In several cases, maintenance on valves was included when a) it is not physically possible to isolate these valves during power operation or b) isolation would disable 2 of the 3 pumps which is not allowed by Technical Specifications.

Each of these valves was removed from the WAMCUT input deck and are shown lined-out in the model in Appendix E.

Electrical_ fault trees.

The majority of the failure probabilities for electrical components were derived by treating the components as standby with a monthly testing interval.

Since several. of the components are performing their normal function and failures associated with them would be immediately detectable, while this treatment is inaccurate its importance was not obvious.

Since the failure of power is represented in the master tree as basic events with a probability derived from the output of the evaluation of the appropriate electrical tree, the impact of this treatment was determined by reevaluating the electrical trees and by examining the cutsets from the three transient cases using generic data to determine the importance of loss of power as a contributor to system unavailability.

The reevaluation of the electrical trees was accomplished by changing the failure probability of components which do not experience demands to probabilities of mission time failures of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> (first reevaluation) and 15 minutes (second reevaluation).

In general the changes resulted in reduced unavailabilities for the electric power sources.

The examination of system cutsets disclosed that the only case where the failure of electric power was identified as a significant contributor (>1%) to system unavailability was for the transient initiator loss of main f eedwater with concurrent loss of offsite power.

In this case, the failure of bus lD and/or bus lC contributed substantially to the system unavailability.

However, the change in unavailability (using 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or 15 minute mission times) for these buses under loss of offsite power conditions was insignificant (changed from 3.06E-02 to 3.05E-02).

The reason for the lack of difference is that the dominant failures for these buses tinder loss of offsite power are actual demand failures of the diesel generators and their output breakers

• IC0286-0001K-NL01

2.6 2.6.1 2.6.1.1 7

Based on these results, the system fault trees were not rerun with the revised electrical failure data.

The results from the analyses with the initial electrical data were retained while recognizing that they were numerically conservative with respect to the electrical failures.

RESULTS The results of the analyses of the system fault trees are included in Appendix A and are discussed in the following sections.

The information provided in Appendix A is arranged as follows.

Page 1 is a presentation in table form of the numerical unavailabilities of electrical power and the system for each transient case analyzed for both generic and plant specific data.

The contributions from hardware, maintenance, and human error were derived by an arbitrary reorganization of cutsets.

The reorganization was completed by 1) moving all cutsets containing an operator error to a separate group (human error), 2) of the remaining cutsets any which incuded maintenance were separated into another group (maintenance), and 3) the remaining cutsets were identified as hardware.

The remainder of the Appendix is comprised of listings of the cutsets for each transient case.

Pages two through seven involve the output from the use of generic data.

Pages eight through thirteen is the output from plant specific data.

For each type of data, three pages represent unavailabilities from the master hardware tree for each transient and three pages for unavaila-bilities from all considerations for each transient. 'Each page includes a listing of dominant cutsets and the contribution of each (cutset unavailability/system unavailability) and a listing of the basic events which contribute substantially to the system unavailability (sum of the unavailabilities of the cutsets containing the basic event/system unavailability).

Results from Generic Data Evaluation General Results The analysis indicates the factor having the greatest impact on the unavailability in all three cases was failure of the relief valve at the discharge of pumps P8A and P8B failing to remain closed, either as a single or in combination with the unavailability of pump P8C or its flow paths.

Other significant contributors are: failure of P8C either as a pump failure or due to loss of bus lD; maintenance on control valves or check valves; operator error; and various causes of P8C or P8B pump trains (ie maintenance, power failure, or valve failures)

• IC0286-0001K-NL01

2.6.1.2 2.6.1.3 2.6.1.4 2.6.2 2.6.2.l 2.6.2.2 8

Loss of Main Feedwater The dominant failure modes for this transient are double faults.

The most significant cutset contribution is the failure of the pump discharge relief valve to remain closed and the failure of P8C to start.

The relief valve failure represents the common mode failure of pumps PSA and P8B.

Primary event contributors in order of significance are: failure of the relief valve; failure of P8C to start; maintenance on control valves, check valves and PSC; and operator errors involving restoration of valves after testing or maintenance.

Loss of Main Feedwater/Loss of Offsite Power The dominant failure modes for this transient are also double faults.

The most significant cutset contributor is the relief valve and the loss of power to PSC. Primary event contributions in order of importance are: the relief valve; loss of power from bus lD; PSC fail to start; loss of power from bus lC; maintenance on control valves, check valves, or PSC; operator restoration errors; and maintenance on PSB, a pressure regulating valve, and a check valve.

Loss of Main Feedwater/Loss of all AC The dominant failure modes for this transient are single faults. The dominant contributors are: the relief valve; maintenance on P8B, its check valve,*and its pressure regulating valve; and P8B fails to start and operator restoration errors.

Results from Plant Specific Data Evaluation General Results The failures representing the largest contribution to unavailability in all three transients is pump fails to start.

Other general contributors are: the relief valve failing to remain closed; failure of the auto start circuitry and the operator error associated with placing the system in service.

Loss of Main Feedwater The dominant failures modes for this transient are triple faults.

The most significant contribution is made by the first cutset (approximately 24%).

This cutset represents the combination of all three pumps failing to start.

The more important primary event contributions in order of significance are: P8C fails to start; P8A fails to start; P8C fails to start; the relief valve fails to remain closed; and failure of the auto start circuit and the associated operator error in response to the failure of the start circuitry.

IC0286-0001K-NL01

9 2.6.2.3 Loss of Main Feedwater/Loss of Offsite Power 2.6.2.4 2.6.3 3.0 The dominant failure modes for this transient are again triple failures.

The largest contribution to the system unavailability (approximately 47%) is identified in the first four cutsets.

These cutsets represent failure of all three pumps.

They include combinations of pumps failing to start and loss of power to P8A and/or P8C.

The significant primary event contributions include:

P8B fails to start; loss of power from bus lC; loss of power from bus ID; P8C fails to start; and ~BA fails to start.

Loss of Main Feedwater/Loss of all AC The dominant contributors to this transient are single faults.

The most significant contribution is the failure of P8B to start (approximately 72%).

Other contributors are: maintenance on P8B, its steam pressure regulating valve, or its discharge check valve-;

and operator restoration errors associated with test and maintenance.

General Conclusions In comparing the results from generic data versus plant specific data, the calculated system unavailability is not significantly different.

The major difference in the results was a reorganization of the importance of the primary events in their contribution to the system unavailability.

In the analyses using generic data, the failure of the pump discharge relief valve for P8A and P8B is the dominant contributor in both cutset and primary event contribution.

For analyses using plant specific data, the combination of all available pumps failing to start is the dominant contributor in both cutsets and primary event contribution.

In evaluating the results from the analyses using plant specific data, no serious deficiencies were identified.

There were no single point vulnerabilities associated with hardware or maintenance identified.

Any further changes considered should be made only after careful evaluation of costs, benefits and importance in relation to the results of the analysis of the plant integrated risk model.

MSLB AFW MODEL In this section, the reliability of the auxiliary feedwater system as developed for examination of main st.earn line break issues is discussed (ref CPC to NRG May 23, 1985).

The purpose of the main steam line break logic models was to determine the risks associated with steam generator blowdown events and to determine the benefits of various backfits being proposed to minimize these risks.

In this regard," assumptions were made that significantly alter the system IC0286-0001K-NL01

• i

10 configuration (ie eliminated redundant portions of the system) and therefore bias the numerical results of the analysis in a way that make it inappropriate to use these logic models for comparison with other risk based AFW reliability analyses such as that presented in the preceding section.

Some of the more significant assumptions include:

those particular to the main steam line break transient which artificially enhance the benefits of some of the proposed

backfits, those conservative with respect to system reliability that had no affect on the outcome of the main steam line break analysis and were therefore left uncorrected, the exclusion of any repair or recovery of failed hardware and an explicit attempt to model common cause events (those component failures which result from common manufacturer, function, etc).

The auxiliary feedwater cutsets extracted from the main steam line break report are included in appendix B.

They are rearranged into sections to permit an understanding of the contributors to AFW failure (as developed in that specific evaluation) and to identify where the assumptions outlined above had an effect.

A brief description of these cutsets follows including a discussion of their contribution to AFW unavailability.

The first group of cutsets include those independent to the auxiliary feedwater system.

The independent module (AUX3IT) will be discussed in detail later.

The remaining cutset contains a single operator error -

AFVOT - which represents failure to increase the flow to the intact steam generator.

This cutset results from the assumption that the failed steam generator is isolated following the steam line break event and remains disabled as a viable heat sink throughout the transient.

In reality, feedwater can be supplied to this generator, particularly during non-steam line break transients and this operator error should not be a single.

In the normal system configuration -

AFVOT - would be part of group of doubles in which the second event represented the failure of the redundant flow path from a given pump train.

This cutset, therefore, is a result of assumptions made that are peculiar to the steam line break evaluation.

Additionally, preliminary analyses in support of the upgrade of emergency procedures indicate that the flow supplied automatically through a single AFW train may be sufficient for decay heat removal.

The second group of cutsets are associated with makeup to the condensate storage tank.

Given that there is normally several hours of condensate available in the tank, these failures are more closely associated with the long term functioning of the auxiliary feedwater system than the failures which would be identified in other reliability analyses (such as NUREG 0635).

This part of the steam IC0286-0001K-NL01

11 line break analysis did not take credi~ for operator action to supply makeup from available systems including service water and the fire system, as outlined in plant procedures.

In the normal system configuration with service water and fire water included as backups, these cutsets would become substantially lower in their contribution to the system unreliability.

These cutsets, Xherefore, are a result of simplifying assumptions made with respect to auxiliary feedwater reliability that had little effect on the outcome of the steam line break evaluation.

The last group of cutsets identify power dependencies coupled with failures of pumps and flow control valves.

The AC power system failures involve disabling of an emergency bus (Bus lC) which in these models is assumed to take out one motor driven pump and the air pressure to steam supply valves for the steam driven pump.

The models conservatively ignore the nitrogen backup to instrument air supply to the steam driven pump valves as well as the ability to operate these valves locally by hand.

In the normal system configuration these cutsets would be ANDED with failures of the turbine driven pump train or an operator action to manually admit steam to the pump.

Consequently, these cutsets result from uncorrected assumptions which had no affect on the outcome of the steam line break study plus a lack of accounting for repair and recovery actions.

Additionally, two of the cutsets contain flow control valve failures which, like AFVOT discussed above, appear because it is assumed that only one steam generator is available.

In the normal system configuration these cutsets would also include failures of the redundant flow path from the respective pump train.

The cutsets which remain are those which make up the independent module, AUX3IT, introduced above.

The first group presented are those associated with the attempt to explicitly quantify common cause failures in the steam line break evaluation.

Common cause events were developed for various classes of equipment in the AFW system including the pumps, air operated valves, and instrumentation required to actuate the system.

Generic industry data was used to quantify these events and they end up making up the bulk of the independent module in terms of its probability.

Setting the appropriateness of these values aside, there are a number of features of the plant design which deserve some discussion for which credit could be taken to mitigate these failures.

Diversity in the pump design has been provided by including both turbine and motor drivers, for example.

Also, the motor driven pumps are located in separate areas of the plant minimizing location dependencies.

Failure of flow controllers and instrumentation can be overcome by operator action to maintain level in the steam generators rather than concentrate on AFW flow only.

In addition, the valves themselves can be operated locally if necessary

• IC0286-0001K-NL01

/".

12 The next cutset is associated with spurious FOGG actuation (Feed Only Good Generator).

The assumption that only one steam generator is available enters in to the generation of this cutset.

Given that two steam generators are normally available this cutset should be ANDED with failures of components in the other flow trains.

In the normal system configuration, this event would be represented by a group of triples involving spurious actuation AND failure of two flow paths. Additionally, it should be noted that FOGG signals for the two steam generators are interlocked such that FOGG isolation of one generator precludes this spurious FOGG signal for the other generator.

This interlock was not included in the steam line break logic.

The next group of forty cutsets involve the loss of both flow paths to the unaffected steam generator.

Again, this is a set of failures which results from assuming that only one steam generator is available as a heat sink throughout the transient.

These cutsets should in fact be coupled with corresponding failures in the flow paths to the other steam generator.

In the normal system configuration these cutsets would change to 3d and 4th order cutsets which represent combinations of a pump train and two flow paths; or four flow paths; or three flow paths and an operator action.

The next cutsets deal with the potential for flow diversion in the AFW pump suction. In fact, these failure modes are incorrect.

A conservative assumption was made that a Y-strainer in the suction line to the AFW pumps, if left open following maintenance could lead to sufficient diversion of condensate to fail a portion of the system.

Subsequent investigation reveals that the line from the strainer is small and will not divert sufficient flow to cause pump suction to drop significantly, is not only valved but capped, and if it were to be left open would result in condensate to pour on the floor of the turbine building where it would be difficult not to notice.

These cutsets are a result of conservative modeling

• assumptions that had no affect on the outcome of the steam line break evaluation and were left uncorrected in the analysis..This failure mode has been deleted from the model.

The next group of cutsets represent human error in the calibration of instrumentation associated with AFW pump and flow control valve operation.

Similar to the common cause failure of flow control

.instrumentation, miscalibration of this equipment will result in the operator taking feedwater flow control into manual in order to maintain steam generator inventory.

This recovery action was not included in the steam line break logic.

The pump suction pressure miscalibration should be a single event (as was noted in the staffs review of these cutsets).

Nevertheless, it should be noted that testing of these instruments independent of their calibration occurs frequently during pump surveillance tests.

Further, even if these monthly surveillances were to fail to uncover the deficiency, normal operator response to low suction trip of the AFW pumps would be to provide fire or service water pressµre to the pump s.uction IC0286-0001K-NL01

4.0 13 effectively eliminating the low pressure condition.

Additionally, steam supply to the turbine driven pump can be provided locally even in the presence of a low suction signal.

Again, recovery actions such as these were not incorporated in the steam line break models.

The final group of cutsets found in the independent module are the random pump and valve failures similar to those associated with the reliability analysis presented in the preceding section.

Given the preceding discussion, it should be clear that the main steam line break logic models were not developed with the intention of demonstrating the overall reliability of auxiliary feedwater.

Assumptions specific to the main steam line break transient, assumptions that conservatively enhance the benefits of various backfits and conservative assumptions that had no affect on the outcome of the main steam line break evaluation bias the bottom line results.

Explicit attempts to model common cause and a lack of obvious repair and recovery actions result in additional bias.

While the modelling was sufficient for the purpose of evaluating main steam line break issues, it is not appropriate to use them to draw conclusions as to the strengths and weaknesses of the system for a spectrum of more common transients.

CONCLUSIONS As indicated in section 1.0, the purpose of this report is to provide an analysis of the reliability of the AFW system and justification for not equating the results of the MSLB AFW model with system reliability.

In section 2.0, the results of a separate reliability analysis are discussed.

The results indicate that the system as modified is reliable.

Additionally, in a qualitative context the system includes multiple trains any of which is capable of removing decay heat, is automatically actuated, and has no single point vulnerabilities except for perhaps some human errors associated with calibration.

These are the features of an AFW system "characterized as having a high reliability" as explicitly outlined in section 4.6.1 of NUREG-0635.

In section 3.0, inconsistencies between the MSLB model and a reliability model were presented.

The differences between the special case MSLB model and a general case reliability model are significant and cause a substantial disparity in both numerical and qualitative results.

The MSLB model represents the system under unique conditions which do not allow an accurate derivation of the system reliability.

In addition, substantial improvement in the system reliability has been achieved through the completion of modifications as identified in section 1.0.

In conclusion, we believe the system is reliable and that the results of the reliability analysis have not disclosed any ~erious deficiencies in the current system.

IC0286-0001K-NL01

14

5.0 REFERENCES

1.

Guide to the Collection and Presentation of Electrical, Electronic, and Sensing Component Reliability Data for, Nuclear Power Generating Stations, IEEE Std 500(1977), Institute of Electrical and Electronics Engineers, Inc.

2.

Generic Evaluation of Feedwater Transients and Small Break Loss of Coolant Accidents in Combustion Engineering Designed Operating Plants, NUREG-0635, U.S. Nuclear Regulatory Commission, January 1980.

3.

Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, U.S. Nuclear Regulatory Commission, April 1980.

4.

Reactor Safety Study: An Assessment of Accident Risks in U.S.

Commercial Nuclear Power Plants, WASH-1400, U.S. Nuclear Regulatory Commission, 1975.

5.

Equipment Availability Component Cause Code Summary Report for the Ten-Year Period 1967-1976, EEI Publication 77-64A, January 1978.

6.

Clarification of TMI Action Plan Requirements, NUREG-0737, U.S.

7.

Nuclear Regulatory Commission, October 1980

• Auxiliary Feedwater System (PWR), NUREG-0800, Standard Review Plan 10.4.9, U.S. Nuclear Regulatory Commission, July 1981.

IC0286-0001K-NL01

1.0 2.0 3.0 4.0 5.0 PALISADES PLANT AUXILIARY FEEDWATER SYSTEM RELIABILITY ANALYSIS TABLE OF CONTENTS BACKGROUND RELIABILITY ANALYSIS 2.1 METHODOLOGY 2.2 FAULT TREES 2.3 CRITERIA AND ASSUMPTIONS 2.4 DATA SOURCES 2.5 CORRECTIONS TO FAULT TREES 2.6 RESULTS MSLB AFW MODEL CONCLUSIONS REFERENCES APPENDICES A.

SYSTEM UNAVAILABILITY RESULTS B.

MSLB AFW MODEL CUTSETS C.

FIGURES AND DRAWINGS D.

HARDWARE FAULT TREE E.

TEST AND MAINTENANCE FAULT.TREE F.

ELECTRICAL FAULT TREES G.

DATA IC0286-0001K-NL01 Page 1

2 2

3 4

5 5

7 9

13 14

1.0 BACKGROUND

AUXILIARY FEEDWATER SYSTEM RELIABILITY ANALYSIS 1

As a result of the Palisades Main Steam Line Break submittal concern has been raised, by the NRC, regarding the adequacy of the existing Palisades auxiliary feedwater system (AFW).

This concern is based on the evaluation of the AFW model used in the Main Steam Line Break (MSLB) submittal.

Because of the importance of the issue, this report was created to clarify any potential misinterpretation of the results of the AFW system model analysis included in the MSLB submittal.

The intent of this report is to provide information in support of the position that the AFW system model as used in the MSLB submittal should not be construed to represent the reliability of the system.

This report focuses on two main elements 1) an analysis which more closely represents our state of knowledge regarding the reliability of the AFW system design and operation, and 2) a discussion of the results derived for the MSLB AFW model and why a significant portion is inappropriate in the context of the overall system reliability (refer to sections 2.1 and 3.0).

In order to accomplish item 1) a separate analysis of the AFW system was conducted using the guidelines of NUREG-0635.

The reasons for using NUREG-0635 are; a) to maintain consistency in the method of analysis (the system has undergone two previous analyses using these criteria).

b) the system has been significantly modified since the first analysis, using the same criteria allows direct comparison of the new results to the original results.

c) the results of the new analysis can be compared to the results for other plants already analyzed using the same criteria.

As indicated in a) above, two previous reliability analyses have been conducted.

The purpose of the second analysis was to demonstrate the level of increased reliability attainable from proposed modifications to the system.

A recent review of this second analysis showed that the fault tree models already developed there could be used for an analysis of our existing system.

Necessary corrections and alterations to the models were made and are identified in section 2.4.

As indicated in b) above, modifications to the system to improve reliability by minimizing the failure effects of human error, common causes, and single-or double-point vulnerabilities were completed after NUREG-0635 was published. Therefore the results obtained by the original analysis are no longer accurate.

Several of the significant modifications are listed below.

IC0286-0001K-NL01

2

1.

Addition of a third dedicated AFW pump.

2.

Manual or automatic flow initiation on receipt of low steam generator water level, and manual or automatic isolation of the depressurized steam generator following secondary system line breaks.

3.

Safety grade AFW flow indication to the main control room.

4.

Redundant emergency power supply for the electrical equipment, instrumentation, and control circuits associated with the modifications.

5.

Testability of AFW control circuits.

6.

Seismic and environmental qualification to meet applicable Palisades guidelines.

2.0 RELIABILITY ANALYSIS 2.1 METHODOLOGY Fault tree analysis was used to identify those potential failures that could be chief contributors to AFW system unreliability during the three transient conditions listed below.

LMFW - Loss of main feedwater with concurrent reactor trip and with offsite power available.

LMFW/LOOP -

LMFW with concurrent reactor trip and loss of offsite power (LOOP);

Onsite emergency power sources remain available.

LMFW/LOAC -

LMFW and concurrent loss of all alternating current power (LOAC), except that which is battery derived.

The model used in the current analysis is not the same as the model used in the MSLB submittal.

The reasons for using a different model are detailed below.

1)

The time interval of interest as stated in NUREG-0635 is the unavailability of the AFW system during period of time to boil the steam generator dry which for Palisades has been established as 15 minutes.

The model used in the MSLB submittal is based on a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time and therefore introduces significant contributions from failures of the system to continue to function

• IC0286-0001K-NL01

2) 3 The model used in the MSLB submittal is a modified version of the complete AFW fault tree. A discussion of the differences is provided in section 3.0 "MSLB AFW Model".

However, a major difference in the models is due to an arbitrary assumption that the failed steam generator was unavailable.

This assumption effectively eliminates the redundancy in flow paths from the AFW pumps to the steam generators.

3)

The level of detail in the current plant model goes well beyond the level of detail prescribed by NUREG-0635.

Since part of the concern is based on the degree of reliability as compared to other plants or proposed goals, it was decided that the reliability analysis should be completed in a manner that allows such comparisons.

As additional insight, each model was evaluated with two sets of data.

The first set of data is generic as provided by NUREG-0635.

The second set includes plant specific data where such data was available.

When plant specific data was not available, generic data was used, This allows comparison of the relative impact of the use of plant specific data to generic data.

Analysis of the fault trees was conducted using the WAMCUT computer code.

2.2 FAULT TREES Three fault tree models were used.

The fault trees include random failures of electrical and mechanical components and the effects of testing and maintenance, and human error.

The fault trees are shown in appendices D, E, and F.

The trees were examined for causes of specific component failure modes and evaluation of their likelihood of occurrence.

The causes considered were:

Random independent failures; Test and maintenance; and Human error.

Each of the three master trees was developed for the loss of main feedwater (LMFW) transient condition.

For other transient conditions -

LMFW with loss of offsite power (LMFW/LOOP) or LMFW with loss of all alternating current power (LMFW/LOAC) -

some systems or components are unavailable.

Those systems or components were deleted before analysis.

NUREG-0635 was used to establish the top event of the master fault tree, set the initiating events, and as th~ basic guide for the analysis.

The top event is taken from NUREG-0635 which states; IC0286-0001K-NL01

4 1'.he time interval of interest for all transient events considered is the unavailability of the auxiliary feedwater system during the period of time required to boil the steam generator dry. (Reference 2, page III-10)

The fault tree models were developed assuming statistical independence for hardware/operator failures, human error, and test and maintenance failures.

2.3 CRITERIA AND ASSUMPTIONS The following analytical criteria and assumptions were used.

AFW system availability is defined as successful system startup within.the steam generator boil dry time of 15 minutes.

' The availability conditions for AFW system power sources during the analyzed transients were as follows;

1)

LMFW - All alternating and direct current power available.

2)

LMFW/LOOP - Two diesel generators and battery backup available.

3)

LMFW/LOAC - Direct current and battery-backed alternating current available (instrument and control power available only)

Although water from the fire protection system and service water system is available to backup the AFW system condensate storage tank, these sources were not considered in the fault tree analysis.

Use of these water systems would require successful operation of manual valves, which is difficult within the 15-minute boil~dry time limit.

• Al.l component and operator actions were assumed to be either successes or failures.

No partial successes were considered.

Top event failure probability will be calculated by summing the failure probabilities from hardware, test and maintenance, and human error contributions.

The probabilities for each category are rare event approximations.

• • Human error probability has been considered in the Hardware and Test and Maintenance fault trees.

' Component outage due to maintenance will only be considered for active components (pumps, control valves, etc).

Maintenance on manual valves is considered negligible

• IC0286-0001K-NL01

2.4 5

DATA SOURCES Data used for the component failure rates in the hardware and test and maintenance trees was taken from the NRC data found in Appendix III, Table III-3 of NUREG-0635.

Electrical tree component data was taken from IEEE Std 500.

Human error probabilities were drawn from NUREG-1278 and NUREG-0635.

Specific component failure data is listed in Appendix G.

2.5.

CORRECTIONS TO FAULT TREES 2.5.1 2.5.2 As part of the preparation for this analysis the fault trees utilized in the second reliability analysis were reviewed for accuracy.

Several discrepancies were identified and corrected.

Changes made are indicated on the fault trees and discussed below.

Hardware fault tree

1)

Operator errors had been treated as independent events.

Since, each operator error in this tree involved operator response to a failure of the automatic initiation of the system, it was decided that a high degree of dependence was involved.

Based on this decision all operator actions were grouped into three basic types - a) failure to actuate the system from the control room, b) failure to actuate the system locally, and c) failure to manually operate components.

2)

The original hardcopy of the model did not identify the primary events representing the failure of preferred ac power for instrumentation and control. These events were added to the model.

3)

The failure mode for the motor~operated valves in the AFW flow paths was originally identified as fail to open.

These valves are normally open and should be identified as fail to remain open. The correction to the fault trees did not get accomplished.

However, in the examination of the system cutsets it was noted that the failure of these valves did contribute significantly to the system unavailability.

Therefore, no corrections were made since the only impact was a slight conservatism in the numerical results and relative ranking of cutsets of intermediate to low contribution.

Test and maintenance fault tree

1)

As in 2.5.1 (1) above the human error associated with restoration of the outlet valves from the condensate storage tank to the AFW pumps was treated as independent for each valve.

Because of the location and basis for restoration (ie if isolation was necessary at that point then both valves must be closed and restored), the separate events were combined into one.

IC0286-0001K-NL01

2.5.3

2) 6 Credit was taken for a manual valve which bypasses the pressure control valve in the steam line to the turbine-driven pump.

The current PRA model does not take credit for successful operation of this valve.

While it may be possible to control steam inlet pressure to the turbine driver by manually regulating a gate valve, the ability to do this efficiently and consistently has not been demonstrated and it was deleted from the model.

3)

In several cases, maintenance on valves was included when a) it is not physically possible to isolate these valves during power operation or b) isolation would disable 2 of the 3 pumps which is not allowed by Technical Specifications.

Each of these valves was removed from the WAMCUT input deck and are-shown lined-out in the model in Appendix E.

Electrical fault trees.

The majority of the failure probabilities for electrical components were derived by treating the components as standby with a monthly testing interval.

Since several of the components are performing

.their normal function and failures associated with them would be immediately detectab~e*, while this treatment is inaccurate its importance was not obvio.us.

Since the failure of power is represented in the master tree as basic events with a probability derived from the output of the evaluation of the appropriate electrical tree, the impact of this treatment was determined by reevaluating the electrical trees and by examining the cutsets from the three transient cases using generic data to determine the importance of loss of power as a contributor to system unavailability.

The reevaluation of the electrical trees was accomplished by changing the failure probability of components which do not experience demands to probabilities of mission time failures of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> (first reevaluation) and 15 minutes (second reevaluation).

In general the changes resulted in reduced unavailabilities for the electric power sources.

The examination of system cutsets disclosed that the only case where the failure of electric power was identified as a significant contributor (>1%) to system unavailability was for the transient initiator loss of main feedwater with concurrent loss of offsite power.

In this case the failure of bus lD and/or bus lC contributed substantially to the system unavailability.

However, the change in unavailability (using 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or 15 minute mission times) for these buses under loss of offsite power conditions was insignificant (changed from 3.06E-02 to 3.05E-02).

The reason for the lack of difference is that the dominant failures for these buses under loss of offsite power are actual demand failures of the diesel generators and their output breakers

• IC0286-0001K-NL01

.1_ --

2.6 2.6.1 2.6.Ll 7

Based on these results the system fault trees were not rerun with the revised electrical failure data.

The results from the analyses with the initial electrical data were retained while recognizing that they were numerically conservative with respect to the electrical failures.

RESULTS The results in Appendix information of the analyses of the A and are discussed in provided in Appendix A system fault trees are the following sections.

is arranged as follows.

in~luded The Page 1 is a presentation in table form of the numerical unavailabilities of electrical power and the system for each transient case analyzed for both generic and plant specific data.

The contributions from hardware, maintenance, and human error were derived by an arbitrary reorganization of cutsets.

The reorganization was completed by 1) moving all cutsets containing an operator error to a separate group (human error), 2) of the remaining cutsets any which incuded maintenance were separated into another group (maintenance), and 3) the remaining cutsets were identified as hardware.

The remainder of the Appendix is comprised of listings of the cutsets for each transient case.

Pages two through seven involve the output from the use of generic data.

Pages ei'ght through thirteen is the output from plant specific data.

For each type of data three pages represent unavailabilities from the master hardware tree for each transient and three pages for unavailabilities from all considerations for each transient.

Each page includes a listing of dominant cutsets and the contribution of each (cutset unavailability/system unavailability) and a listing of the basic events which contribute substantially to the system unavailability (sum of the unavailabilities of the cutsets containing the basic event/system unavailability).

Results from Generic Data Evaluation General Results The analysis indicates the factor having the greatest impact on the unavailability in all three cases was failure of the relief valve at the discharge of pumps PSA and P8B failing to remain closed, either as a single or in combination with the unavailability of pump P8C or its flow paths.

Other significant contributors are: failure of P8C either as a pump failure or due to loss of bus lD; maintenance on control valves or check valves; operator error; and various causes of P8C or P8B pump trains (ie maintenance, power failure, or valve failures)

• IC0286-0001K-NL01

2.6.1.2 2.6.1.3 2.6.1.4 2.6.2 2.6.2.1 2.6.2.2 8

Loss of Main Feedwater The dominant failure modes for this transient are double faults.

The most significant cutset contribution is the failure of the pump discharge relief valve to remain closed and the failure of P8C to start.

The relief valve failure represents the common mode failure of pumps PSA and PSB.

Primary event contributors in order of significance are: failure of the relief valve; failure of P8C to start; maintenance on control valves, check valves and PSC; and operator errors involving restoration of valves after testing or maintenance.

Loss of Main Feedwater/Loss of Offsite Power The dominant failure modes for this transient are also double faults.

The most significant cutset contributor is the relief valve and the loss of power to PSC. Primary event contributions in order of importance are: the relief valve; loss of power from bus lD; PSC fail to start; loss of power from bus lC; maintenance on control valves, check valves, or P8C; operator restoration errors; and maintenance on P8B, a pressure regulating valve, and a check valve.

Loss of Main Feedwater/Loss of all AC The dominant failure modes for this transient are single faults. The dominant contributors are: the relief valve; maintenance on P8B, its check valve, and its pressure regulating valve; and P8B fails to start and operator restoration errors.

Results from Plant Specific Data Evaluation General Results The failures representing the largest contribution to unavailability in all three transient is pump fails to start.

Other general contributors are: the relief valve failing to remain closed; failure of the atito start circuitry and the operator error associated with placing the system in service.

Loss of Main Feedwater The dominant failures modes for this transient are triple faults.

The most significant contribution is made by the first cutset (approximately 24%).

This cutset represents the combination of all three pumps failing to start.

The more important primary event contributions in order of significance are: PSC fails to start; P8A fails to start; PSC fails to start; the relief valve.fails to remain closed; and failure of the auto start circuit and the associated operator error in response to the failure of the start circuitry

• IC0286-0001K-NL01

9 2.6.2.3 Loss of Main Feedwater/Loss of Offsite Power 2.6.2.4 2.6.3 3.0 The dominant failure modes for this transient are again triple failures.

The largest contribution to the system unavailability (approximately 47%) is identified in the first four cutsets.

These cutsets represent failure of all three pumps.

They include combinations of pumps failing to start and loss of power to P8A and/or P8C.

The significant primary event contributions include:

P8B fails to start; loss of power from bus lC; loss of power from bus lD; P8C fails to start; and P8A fails to start.

Loss of Main Feedwater/Loss of all AC The dominant contributors to this transient are single faults.

The most significant contribution is the failure of P8B to start (approximately 72%).

Other contributors are: maintenance on P8B, its steam pressure regulating valve, or its discharge check valve; and operator restoration errors associated with test and maintenance.

General Conclusions In comparing the results from generic data versus plant specific data, the calculated system unavailability is not significantly different.

The major difference in the results was a reorganization of the importance of the primary events in their contribution to the system unavailability.

In the analyses using generic data the failure of the pump discharge relief valve for P8A and P8B is the dominant contributor in both cutset and primary event contribution.

For analyses using plant specific data the combination of all available pumps failing to start is the dominant contributor in both cutsets and primary event contribution.

In evaluating the results from the analyses using plant specific data no serious deficiencies were identified.

There were no single point vulnerabilities associated with hardware or maintenance identified.

Any further changes considered should be made only after careful evaluation of costs, benefits and importance in relation to the results of the analysis of the plant integrated risk model.

MSLB AFW MODEL In this section the reliability of the auxiliary feedwater system as developed for examination of main steam line break issues is discussed (ref CPC to NRG May 23, 1985).

The purpose of the main steam line break logic models was to determine the risks associated with steam-generator blowdown events and to determine the benefits of various backfits being proposed to minimize these risks.

In this regard~ assumptions were made that significantly alter the system IC0286-0001K-NL01

10 configuration (ie eliminated ~edundant portions of the system) and therefore bias the numerical results of the analysis in a way that make it inappropriate to use these logic models for comparison with other risk based AFW reliability analyses such as that presented in the preceding section.

Some of the more significant assumptions include:

those particular to the main steam line break transient which artificially enhance the benefits of some of the proposed

backfits, those conservative with respect to system reliability that had no affect on the outcome of the main steam line break analysis and were therefore left uncorrected, the exclusion of any repair or recovery of failed hardware and an explicit attempt to model.common cause events (those component failures which result from common manufacturer, function, etc).

The auxiliary feedwater cutsets extracted from the main steam line break report are included in appendix B.

They are rearranged into sections to permit an understanding of the contributors to AFW failure (as developed in that specific evaluation) and to identify where the assumptions outlined above had an effect.

A brief description of these cutsets follows including a discussion of their contribution to AFW unavailability.

The first group of cutsets include those independent to the auxiliary feedwater system.

The independent module (AUX3IT) will be discussed in detail later.

The remaining cutset contains a single operator error - AFVOT - which represents failure to increase the flow to the intact steam generator.

This cutset results from the assumption that the failed steam generator is isolated following the steam line break event and remains disabled as a viable heat sink throughout the transient.

In reality, feedwater*can be supplied to this generator, particularly during non-steam line break transients and this operator error should not be a single.

In the normal system configuration -

AFVOT - would be part of group of doubles in which the second event rep~esented the failure of the redundant flow path from a given pump train.

This cutset, therefore, is a result of assumptions made that are peculiar to the steam line break evaluation.

Additionally, preliminary analyses in support of the upgrade of emergency procedures indicate that the flow supplied automatically through a single AFW train may be sufficient for decay heat removal.

The second group of cutsets are associated with makeup to the condensate storage tank.

Given that there is normally several hours of condensate available in the tank, these failures are more closely associated with the long term functioning of the auxiliary feedwater system than the failures which would be identified in other reliability analyses (such as NUREG 0635).

This part of the steam IC0286-0001K-NL01

11 line break analysis did not take credit for operator action.to supply makeup from available systems including service water and the fire system, as outlined in plant procedures.

In the normal system configuration with service water and fire water included as backups these cutsets would become substantially lower in their contribution to the system unreliability.

These cutsets, therefore, are a result of simplifying assumptions made with respect to auxiliary feedwater reliability that had little effect on the outcome of the steam line break evaluation.

The last group of cutsets identify power dependencies coupled with failures of pumps and flow control valves.

The AC power system failures involve disabling of an emergency bus (Bus lC) which in these models is assumed to take out one motor driven pump and the air pressure to steam supply valves for the steam driven pump.

The models conservatively ignore the nitrogen backup to instrument air supply to the steam driven pump valves as well as-the ability to operate these valves locally by hand.

In the normal system configuration these cutsets would be ANDED with failures of the turbine driven pump train or an operator action to manually admit steam to the pump.

Consequently, these cutsets result from uncorrected assumptions which had no affect on the outcome of the steam line break study plus a lack of accounting for repair and recovery actions.

Additionally, two of the cutsets contain flow control valve failures which, like AFVOT discussed above, appear because it is assumed that only one steam generator is available.

In the normal system configuration these cutsets would also include failures of the redundant flow path from the respective pump train.

The cutsets which remain are those which make up the independent module, AUX3IT, introduced above.

The first group presented are those associated with the attempt to explicitly quantify common cause failures in the steam line break evaluation.

Common cause events were developed for various classes of equipment in the AFW system including the pumps, air operated valves, and instrumentation required to actuate the system.

Generic industry data was used to quantify these events and they end up making up the bulk of the independent module in terms of its probability.

Setting the appropriateness of these values aside, there are a number of features of the plant design which deserve some discussion for which credit could be taken to mitigate these failures.

Diversity in the pump design has been provided by including both turbine and motor drivers, for example.

Also, the motor driven pumps are located in separate areas of the plant minimizing location dependericies.

Failure of flow controllers and instrumentation can be overcome by operator action to maintain level in the steam generators rather than concentrate on AFW flow only.

In addition, the valves themselves can be operated locally if necessary.

(Barry, is any of this part of current procedures?)

IC0286-0001K-NL01

12 The next cutset is associated with spurious FOGG actuation (Feed Only Good Generator).

The assumption that only one steam generator is available enters in to the generation of this cutset.

Given that two steam generators are normally available this cutset should be ANDED with failures of components in the other flow trains.

In the normal system configuration this event would be represented by a group of triples involving spurious actuation AND failure of two flow paths.

Additionally, it should be noted that FOGG signals for the two steam generators are interlocked such that FOGG isolation of one generator precludes this spurious FOGG signal for the other generator.

This interlock was not included in the steam line break logic.

The next group of forty cutsets involve the loss of both flow paths to the unaffected steam generator.

Again, this is a set of failures which results from assuming that only one steam generator is available as a heat sink throughout the transient.

These cutsets should in fact be coupled with corresponding failures in the flow paths to the other steam generator.

In the normal system configuration these cutsets would change to 3d and 4th order cutsets which represent combinations of a pump train and two flow paths; or four flow paths; or three flow paths and an operator action.

The next cutsets deal with the potential for flow diversion in the AFW pump suction. In fact, these failure modes are incorrect.

A conservative assumption was made that a Y-strainer in the suction line to the AFW pumps, if left open following maintenance could lead to sufficient diversion of condensate to fail a portion of the system.

Subsequent investigation reveals that the line from the strainer is small and will not divert sufficient flow to cause pump suction to drop significantly, is not only valved but capped, and if it were to be left open would result in condensate to pour on the floor of the turbine building where it would be difficult not to notice.

These cutsets are a result of conservative modeling assumptions that had no affect on the outcome of the steam line break evaluation and were left uncorrected in the analysis.

This failure mode has been deleted from the model.

The next group of cutsets represent human error in the calibration of instrumentation associated with AFW pump and flow control valve operation.

Similar to the common cause failure of flow control instrumentation, miscalibration of this equipment will result in the operator taking feedwater flow control into manual in order to maintain steam generator inventory.

This recovery action was not included in the steam line break logic.

The pump suction pressure miscalibration should be a single event (as was noted in the staffs review of these cutsets).

Nevertheless, it should be noted that testing of these instruments independent of their calibration occurs frequently during pump surveillance tests.

Further, even if these monthly surveillances were to fail to uncover the deficiency, normal operator response to low suction trip of the AFW pumps would be to provide fire or service water pressure to the pump suction IC0286-0001K-NL01

4.0 13 effectively eliminating the low pressure condition.

Additionally, steam supply to the turbine driven pump can be provided locally even in the presence of a low suction signal.

Again, recovery actions such as these were not incorporated in the steam line break models.

The final group of cutsets found in the independent module are the random pump and valve failures similar to those associated with the reliability analysis presented in the preceding section.

Given the preceding discussion,.it should be clear that the main steam line break logic models were not developed with the intention of demonstrating the overall reliability of auxiliary feedwater.

Assumptions specific to the main steam line break transient, assumptions that conservatively enhance the benefits of various backfits and conservative.assumptions that had no affect on the outcome of the main steam line break evaluation bias the bottom line results.

Explicit attempts to model common cause and a lack of obvious repair and recovery actions result in additional bias.

While the modelling was sufficient for the purpose of evaluating main steam line break issues, it is not appropriate to use them to draw conclusions as to the strengths and weaknesses of the system for a spectrum of more common transients.

CONCLUSIONS As indicated in section 1.0 the purpose of this report is to provide an analysis of the reliability of the AFW system and justification for not equating the results of the MSLB AFW model with system reliability.

In section 2.0 the results of a separate reliability analysis are discussed.

The results indicate that the system as modified is reliable.

Additionally in a qualitative context the system includes multiple trains any of which is capable of removing decay heat, is automatically actuated, and has no single point vulnerabilities except for perhaps some human errors ass.ociated with calibration.

These are the features of an AFW system "characterized as having a high reliability" as explicitly outlined in section 4.6.1 of NUREG-0635.

In section 3.0 inconsistencies between the MSLB model and a reliability model were presented.

The differences between the special case MSLB model and a general case reliability model are significant and cause a substantial disparity in both numerical and qualitative results.

The MSLB model represents the system under unique conditions which do not allow an accurate derivation of the system reliability.

In addition, substantial improvement in the system reliability has been achieved through the completion of modifications as identified in section 1. O.

In conclusion we believe the system is reliable and that the results of the reliability analysis have not disclosed any serious deficiencies in the current system.

IC02S6-0001K-NL01

14

5.0 REFERENCES

1.

Guide to the Collection and Presentation of Electrical, Electronic, and Sensing Component Reliability Data for, Nuclear Power Generating Stations, IEEE Std 500(1977), Institute of Electrical and Electronics Engineers, Inc.

2.

Generic Evaluation of Feedwater Transients and Small Break Loss of Coolant Accidents in Combustion Engineering Designed Operating Plants, NUREG-0635, U.S. Nuclear Regulatory Commission, January 1980.

3.

Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, U.S. Nuclear Regulatory Commission, April 1980.

4.

Reactor Safety Study: An Assessment of Accident Risks in U.S.

Commercial Nuclear Power Plants, WASH-1400, U.S. Nuclear Regulatory Commission, 1975.

5.

Equipment Availability Component Cause Code Summary Report for the Ten-Year Period 1967-1976, EEI Publication 77-64A, January 1978.

6.

Clarification of TMI Action Plan Requirements, NUREG-0737, U.S.

7.

Nuclear Regulatory Commission, October 1980

• Auxiliary Feedwater System (PWR), NUREG-0800, Standard Review Plan 10.4.9, U.S. Nuclear Regulatory Commission, July 1981

• IC0286-0001K-NL01

APPENDIX A SYSTEM UNAVAILABILITY RESULTS IC0286-0001K-NL01

F'ALISADES APPENDIX A AFW SYSTEM UNAVAILABILITIES CONTRIBUTORS TO UNAVP1 I LAB IL I TY HAF:Dl..JARE MAINTENANCE HUMAJ\\I ERF:OR TOTAL HARDvJAF:E MAINTENANCE HUMAN ERF::OR TOTAL..

LOSS OF FEEDl*JATEF:

LOSS. OF.

OFFS I TE POl>JER

<GENERIC DATA>

2. 04E-05

1. 3.ll*E-04

3. 15E--05

3. 99E--12l5 1.49E-05 1.76E-05

6. 68E--05 1.91E-04 CPLANT SPECIFIC DATA) l.. 1 7E-05 7.05E-05 9.17E-1Zl6 3.33E-05 7.47E-li'J6

1. 71E-05

2. 83E--1Zl5 1.21E-04 LOSS OF (4LL AC F'Ol*JEF:

5.03E-03

6. 46E-en 2.02E-1Zl3

1. ::~5E-02

s. 11E-1Zl2 8.31ZlE-03 2.04E-03 4.14E-02 CONDITIONAL UNAVAILABILITIES OF THE ELECTRICAL POWER SUPPLY NO ESSENTIAL POWER AVAILABLE FROM CASE AC BUS Y 10 C Y2!ZJ)

DC BUS # 1 ( #2)

AC BUS 1 C ( 1 D)

CGENERIC DATA>

l 6.52E-05 6.39E-05 9.40E-05 2

7. 88E--0;:.

7.60E-05

-5. 06E-02 3

2.83E-!Zl3 1.67E-03

1. 0 CPLANT SPECIFIC DATA>

1 1.04E-1Zl5 3.12E-05 1.21E-05Ct.03E-05) 2 1.07E-1Zl5 3.13E-05 3.43E-02(2.35E-02) 3 2.20E-04

1. 15E-04

1. fZJ CASE 1 -

LOSS OF MAIN FEEDL<JATER CASE

~. -

LOSS OF MAIN FEEDL<JATEF: " LOSS OF OFFS I TE POL1JEF:

(:t; CP1SE 3 -

LOSS OF MAIN FEEDl*JATEF: " LOSS OF ALL AC POl>JEF:

1::t; A-1.

AF'PENDI X A GENERIC DATA DOMINANT HARDWARE CUT SETS AND BASIC EVENTS LOSS OF MAIN FEEDWATER RAN~:::

LJWW{-~1 I U\\B IL I TY CUT SETS

1.

1.83E-05 PSBC F:\\.10783

2.

3.65E-07 G\\./0752 F:\\10783 211 3.65E-07 CK0726 RV0783

~.

3.65E-07 GVl2l751 F:V0783

2.

3.65E-07 CK0725 F:\\.10783 3.43E-07 EAC1D RV0783

• .;.i Q

4.

2.38E-07 EACY20 RV07S:3 RANf:::

l.JN(.WA I LAB IL I TY BASIC E'vENT

1.

3.65E-03 RV0783 5.00E-03 PSBC

.1::. II 1. 00E-04 0::0725

._1" 1.00E-04 CK0726

._1 SI 1.00E-04 G'-.10751

._1.,

1.00E-04 G'../0752

4.

9.40E-05 EAC1D c:"

6.52E-05 EACY20

._J

• F'(-1L I SP1DES CONTF: I BUT I ON

91. 6

1. 8

1. 8

1. 8

1. 8

1. 7

1. 2 CONTHIBUTION 99.5

91. 8

1. 8 1,...,

• 0

1. 8

1. 8

1. 7

1. 2

F'AL. I SADES APPENDIX A GENEF:IC DATA RANK

1.

~-*-*.

4.

4.

l.j.*

4.*

R(-1NK

1.

kn

4.

c:"

._).

6.

6.

6.

6.

DOMINANT HARDWARE CUT SETS AND BASIC EVENTS LOSS OF MAIN FEEDWATER AND LOSS OF OFFSITE POWER UtMWP1 I LAB IL I TY CUT SETS

1. 12E-04 Er.:iC1D R\\JIZJ783

1. 83E--IZl5 F'SBC R\\JIZJ783 9.36E-12l7 EAC1C EAC1D PSBB 3.65E-07 G\\..JIZJ752 F:'*/0783 3.65E-07 G'*/0751 R'*.J0783 3.65E-07 CK0726 F:'*J0783 3.. 65E-07 CK0725 R'*J07B:3 Ul\\W1W1 I U-18 IL I TY BASIC E'v'ENT 3.65E-03 RV078:.::;

3.06E-02 EAC1D

5. 0!ZJE-12r3:

PSBC

.. 06E--02 EAC1C

1. 0e:1E-03 PSBB 1.00E-04 CK0725

1. IZJIZJE-04 CK!Z:i726

1. IZJIZJE-04 G'v1Zt751

1. 00E*-04 GV0752 CONTRIBUTION 83.5 13.7 0

7 0.3 0.3 0.3 0.3 CONTRIBUTION 98.5

81. 2

17. ::::.

1 1..0 0.3 IZJ.3

0. 3 0.3

F'ALISADES AF'PENDI X A C'E.NER IC DAT A DOMINANT HARDWARE CUT SETS AND BASIC EVENTS LOSS OF MAIN FEEDWATER AND LOSS OF ALL ALTERNATING CURRENT i::::ANf:::

UNAl.JA I LAB IL I TY

1.

3.65E-03 1.00E-03 1

• IZHZ!E-01.!*

• ..:111

1. !Zl!Z!E-04 1.00E-04

• .) D

4.

6.53E-05 t::'

1. 00E-05

~1.

RANK UNA'v'A I LAB IL I TY

1.

3.65E-fll3

2.

1. IZJ!Z!E--03

1. !ZltlJE--04

...,:1.

• ... 'a 1.00E-04 1.!ZlfZJE-04

• -'[I

4.

6. 53E --05 i=

,_).

1.00E-05 CUT SETS F:V078::!.

PSBB GV!Zl742 Cf:'.:0743 GV0132 GOVERNOR PCV0521A BASIC E'v'ENT F:V0783 PSBB GV0742 CK0743 G',llZJ132 GOVERNOR PCV0521A f.i.... 4 CONTF: I BUT I ON 72.. 6 19.9

2. IZJ

. 0 2.. 0 L:::::

0.2 cmHF: I BUT I ON 72.6 19.9

2. (Z) 2.0

2. fZ)

.1.3 f2). 2

F'ALISf."1DES AF'F'ENDI X A GENERIC DATA DOMINANT CONTRIBUTORS TO CONDITIONAL UNAVAILABILITY LOSS OF MAIN FEEDWATER F:ANf:::

UNA',/A I LAB IL I TY CUT SE.TS CONTF: I BUT I ON

1.

1.83E-05 PSBC F:V0783

27. LJ.

~.

7.81E-06

.L.

MCV0736A F:V0783

11. 7

~.

7.81E-1Zl6

.i::..

MCl/0737A RV0783

11. 7

2.

7.81E-06 MCf:'.:0726 R'\\'0783

11.....

I r;

7.BlE-06 MF'BC fW0783

11. 7

3. 65E-*06 OPE210 RVIZl783 c:'

c::'

._J *..J 3.65E-06 OF'E2(Zt5

._'\\..

RV07S:3 c::'

c::'

..Jn *.J 3.65E-06 OPE108

• -=*.

FN0783 c::'

c::'

• --'.,_I

. 65E*--06 OPE107 Rl/0783 c::'

c::'

...:1.

...J.,.._I RANK UNAVAILABILITY BASIC El.JENT CONTF: I BUT I ON

1.

3.65E-1Zl3 F:'v0783

99. 1

~.

L,.

5.!Zt!ZtE-03 PSBC LI* D

2. 14E--03 MCV0T36A

11. 7

-=!'

~. 14E-03 MC\\J(2)737A

11.....

• _1..

I

3.

2.. 14E-li.'l3 MCK0726

11. 7

3.

~. 14E-03 MF'BC

11. 7 3..

1.00E-03 OF'E210 t:"

C'

._J **.J

-=!'

l. IZllZlE--03 OF'E205 c::'

c::'

• -' D

,_I*..J

1. 00E-li.'l3 OF'E108 t::'

c::-

.._J....J 1

• 00E -ei::~

OF'E107 I:

C"'

._J *._J

F'ALISADES APF'END IX A GENERIC DATA RANK

1.

2.

3.

-~*

,_'\\A l.j.*

4.

4.

4.

i=

,_,II c::"

.J.

c::"

...J.

RAM<

1" r-,

L.

3.

4.

C":"

,_In t::-

c*

c::-

6.

6.

6.

6.

7.

7.

7.

DOMINANT CONTRIBUTORS TO CONDITIONAL UNAVAILABILITY LOSS OF MAIN FEEDWATER AND LOSS OF OFFSITE POWER UNA'\\IA I L_AB IL I TY

1. 12E--04 1.83E-05 7.81E-06 7.BlE-06 7.81E-06 7.81E-06

3. 65E*-06 3.65E-06

.. 65E-06

3. 65E--06 2.00E-06

2. 00E-*06 2.00E-06 UNA\\JA I LAB IL I TY 3.. 65E-en 3.06E-02 5.00E-03 3.06E-02

'.2:. 1.l~E-03

,..., 14E-03 r'

..::.. 14E-03

~.

Ln 14E-03

1. 00E--03

1. 00E-0:::;

1. 00E-!.2J::::;

1. 00E-(2J:5

~, 1.4E--03

~..

~. l4E-03

~.

2. 14E-0::::;

CUT SETS EAClD R\\10783 PSBC F:\\10783 MCVC!J736?"1 F:\\10783 MC'v0737~1 R'v0783 MCK0726 R~!IZJ78::::;

MPBC R~/0783 OF'E210 R~/0783 OPE205 R\\10783 OPE 108 F:V0783 OF'E107 R',/0783 EAC1C EACl.D EAC1C EAC1D EAC1C E(-1C1 D BASIC E'*!ENT R\\J0783 EAC1D PSBC EAC1C MCV0736A Mcv07:::;:7A MCK0726 MPBC OPE211ZJ OF'E205 OPE108 OPEl.07 MCK0743 MPBB MF'C'v521A Pi-6 CDNTF: I BUT I ON l.J.* :L

4. 1

4. 1

4. 1

1. 9

1. c;:*

l..9

1. 9 1'1CK07 Lf:~)

1

• 0 MPBB 1.0 MPCV521A 1.0 CONTRIBUTION 93.IZi 64.2 10.5 5.8

4. 1

4. 1 4.. 1

4. 1

1. 9

1. '7' 1.. 'i

1. 9

1. 4

1. 4 1 ".l'~

F'ALISADES APPENDIX r-1 GENERIC D(-H A DOMINANT CONTRIBUTORS TO CONDITIONAL UNAVAILABILITY LOSS OF MAIN FEEDWATER AND LOSS OF ALL ALTERNATING CURRENT F:AN~:::

UNAVAILABILITY

1.

3.65E-03 2.14E-03

.L..

~*. l.4E.-t2rs

• ..:1..

""=!"

~.

..::.. 14E-03

4.

1. f2l0E -Qr~;

4.

1. 00E-er~;

4.

1.00E-03 i:::*

1.l?JllJE-04

'*-'a t::'

..J.

1. 00E.-fZJij.

c::-,.J.

1.00E-04

6.

6.53E.-05

6.

1.00E-05 F:r4NK IJN(WA I LAB It... I TY

1.

3. 65E-*03 2..

~. 14E-03

,.., 14E-03 3n

~.

..:..:.. 14E-03

4.

1.00E-03

4.

1.00E-03

4.

1.00E-03

<::-,J.

1.00E-04 r.::-..;.

1. 00E-*04 c:

..J.

l.. 00E-04

6.

6. 53E--05

6.

1.00E-05 CUT SETS R\\10783 MCKl7.l71.J.3 MF'8B MF'C'-./:'.i21 A PS88 OPE 102 OF'E 101 G'v'0742 D<Q:i742*

G\\/0132 GO',,JERNOF:

PC',./0521 r.i BP1SIC E',JENT FN0783 MCK074::::;

MP8B MF'C'-J521 A PS8B OF'E102 OPE.101 G\\10742 CK0743 G'-./01:32 GO\\JEF:NOR F'CV0~i21A CONTF: I BUT I ON 27.2 15.8 15.8 15.8 7.4 7.4 7..t.'J.

0.7

0. 7 0.7 0.5

0. 1 CONTF: I BUT I CN r-.1

..::. /...::.

15.8 15.8 15.8 7.4 7.1.!*

7.4 0 7 0.7 0.7 0.5

0. 1

AF'F'END IX A PLANT SPECIFIC DATA DOMINANT HARDWARE CUT SETS AND BASIC EVENTS RANK UNAVAILABILITY L

6.75E-IZJ6

'")

2.55E-12l6

2. 11ZJE-IZJ6

4.

7. IZH2lE--12l7 C"

._).

1. 94E-*07

6.

l. 53E-07

6.

1. 53E-07

6.

1. 53E*-12l7

7.

1.51E-12l7

7.

1.51E-12l7

7.

1.51E-12l7

7.

1.51E-07 F:ANK UNFNA I LAB IL I TY

1.

1.50E-02 2n

3. 012lE-02

._1 n 1.50E-12l2

4.

7. l.ZllZJE--03

4.

1. 00E-12l3 C"

1. 70E-l.Zl4

6.

1.00E-03

7.

-_::;. 612lE-0~5

7.

3. 612lE-IZr5

8.

2.80E-03

8.

2.80E-03

8.

2. 80E-(13

8.

. BIZlE-03

9.

3.40E-04

9.

3.412lE-04

10.

3. 41ZJE-0*1-LOSS OF MAIN FEEDWATER CUT SETS PS8f'.'..)

PSBB F'SBC RV0783 AFAS OPE1 AF{-iS OF'El C'*)0727 c~Jl2l749 Cf<l2l74l PSBB CKl2l726 PSBA CK!ZJ725 PSBA C'v'C1749 M00798 C'v'IZl749 MOIZl743 C'*Jl2l727 M00760 CVl2l727 M00753 BASIC EVENT PSBC PSBB PSBA AFAS OPE!

R~)0783 OPE2 C'*)0727 CV074*9 M00798 M00761ZJ M00753 M00743 CKl2i725 CKIZl726 CK07LH A-8 F'SBC F'SBB OF'E2 F'SBC F'SBC PS8B PS8B F'SBC PSBC F'S8C PSBC F'ALISADES CONTRIBUTION*

46.5 17.6 14.5 LJ.* 8 1.. :~:

1. 1

1. 1.

1. 1

1. 0

1. Q) 1.. (2)

1. IZl CONTF: I BUT I ON 76.3 65.2 50.4 19.. ~3 19.5 18.7 4.8 r.:

._:1 11._I c::"

.. :*.._)

2. f:l

~.,...,

L.. O 2.8 2.8 1..5

l. 5 l.. 1

F'ALISADES APF'ENDI X A PLANT SPECIFIC DATA DOMINANT HARDWARE CUT SETS AND BASIC EVENTS LOSS OF MAIN FEEDWATER AND LOSS OF OFFSITE POWER RANK L

2.

• -* u

4.

4.

16.

13.

UNAVAILABILITY 2.41E-IZJ5 1.54E-05 1.12l6E-12l5 6.75E-12l6

4. 012lE-06 2.55E-06 2.10E-06 7.00E-07 RANK UNAVAILABILITY

1.

3. 00E-02

2.

2.35E-02

3.

3.43E-02

4.

6..

/.

8.

9.

1.50E-02

1. 50E-02 l..70E-04 7.00E-03

1. IZJ0E-03 1.00E-03 E?,C1C EAC1C EACH>

PSBA EACl.D PSBC AFAS AFAS CUT SETS EAC1D PSBB PSBA PSBB R',)078:3 RVIZJ7K.\\

OPEl 0F'E1 BASIC EVENT PSBB EAC1D EAC1C PS8C PS8P1 RV07f:33 AFP1S OPE1 OPE2 A-9 PS8B F'SBC PSBB PSBC PSBB OPE2 CONTF: I BUT I Dr*J 32.8

21. 0 14.4 c:

t::-

.** J.....J

3. ~I 2.9

1. 0 CONTRIBUTIC!N 83.0 57.4 56.5 36.6 24.8

9. 1

.* 9

1. 0

PALISADES AF'PEND IX A PLANT SPECIFIC DATA DOMINANT HARDWARE CUT SETS AND BASIC EVENTS LOSS OF MAIN FEEDWATER AND LOSS OF ALL ALTERNATING CURRENT HANK UNA'v'A I LAB IL I TY

1.

3. 00E-C12 3.4QlE-04 1.70E-04

._:1.

4.

1. 10E-04 c::*

._.).

1. 00E--04 r::"

...J.

8.70E-IZJ5 r.::-

8.70E.-(2)5

...J.

6.

6.53E-05 F:ANK UNA'vA I LAB IL I TY

1.

3.00E-02 3.40E-fZJ4

.a::..

1.71ZJE-04

4.

1. 10E-04

4.

1. 00E-02 c::"

._.).

1.00E-1Zl4 c::"

._.).

8.70E-05 r::"

._.).

8.70E-05 6.

6.53E-05 CUT SETS PSBB CK!2l74:.::;

F:V07B:::::

C'v0522A CV0522B PC'*J0521A G\\/0742 G'v0132 GOVERNDF:

Bf-)S IC EVENT F'SBB CK0743 F:V07s::;

C'.J0522A C'*l0522B F'C'*.10521 A G'v0742 GV0132 GO'v'ERNOF:

A-10 CONTRIBUTION 96.. 5

1. 1 0.5 IZ'J.. 4 0.3 0.3 0.3 0.2 CONTRIBUTION 96.5

1. 1 IZJ. 5

0. Lj.

0.4

0. 3 0.3 121. 3 (2) r::*

F'ALISADES APPENDIX A PLANT SPECIFIC DATA DOMINANT CONTRIBUTORS TO CONDITIONAL UNAVAILABILITY RANK UNA'vP1 I LAB IL I TY

1.

6.75E-06

~.

2.55E-06

2. llZlE-06

._:1.

4.

9. 63E-*07

4.

9.63E-07

4.

9.63E-07

4.

9.63E-07 c:"

,J.

8. 7BE--07

6.

7. IZHZlE -07

7.

4. 82E--07

7.

4.82E-07

8.

4.50E-07 M o.

4.50E-!Zl7

8.

4.50E-07 8..

4.50E-07 8..

4.50E-07

8.

4.50E-f2l7

9.

3.64E-07

9.

. 64E-1Zl7 9.

3.64E-07

29.

2.73E-!Zl7 RANK UNAVAILABILITY

1.

3.00E-02

2.

1. 50E-02

3.

1. 50E*--02

4.

1. 70E-04 5a 7" 0fZJE-03

~I a 1 n eJe\\E -l?J3

6.

2u14E-03

6.

2. 14E--03

6.

2. 14E-03

7.

3. 9l?lE-03

8.

2. 14E-03 B.

3.20E-04

8.

3.21ZlE-04

9.

9.

9.

9.

1 !ZJ.

10.

10.

10.

11.

11.

12.

2.80E-03

2. 812lE-IZl3

2. 80E-03 2.BlZlE-03 1. 00E -03

1. 12l0E-0:3 1. IZJ0E -03

1. 00E-03 2.14E-03

2. 14E-0:_::;

1 * !ZJ!ZJE -03 1.. 00E-03 LOSS OF MAIN FEEDWATER CUT SETS PSBA PS8B PSBC R'v'0783 AFAS OPE!

MCV0737A PS8A MCV0736A PS8A MCK0741 PSBB MD:::f~726 PSBA MP8B PSBA AFAS OPt=~l MPCV521A PSBA MCK0743 PSBA OPE210 PSBA OPE205 F'SBA DPE108 PSBA OPE107 PSBA OPE102 PSBB OPE101 PSBB MC'v0737A R'v'0783 MCV0736A RV0783 MCK0726 RV0783 AFAS MP8B BASIC EVENT PSBC PSBA PSBB F:'v'0783 AFAS OPE1 MC\\J07::6A MCV0737A MCK0726 MPBB MCK07-'+1 CV0727 CV0749 M00798 MD0760 M00753 M007t:i*:;

OPE210 OPE205 OPE108 DPE107 MPC'*.1521A MCK074~J DPE102 OPEJ.01 A-l 1 PSBC PSBB PS8B PS8B PSBC PSBB PSBC OPE2 PSBC PSBC PSBB PSBB PSBB PSBB PS8C PSBC OF'El CONTRIBUTION 23.. 8 9.0 7.4 3.4 3.4

~:. 4

3. 1 1..7

1. 7

1. 7

1. 7

1. 7

1. 7 l.7

1. 7

1. 3 1.3

1. 3

1. 0 COl\\ITF: I BUT I !JN 57.7

51. 6

16. 1 12.6 12.6

[:"

~=

...J. ~1 t::"

c:"'

...J11 *-'

4. ~;

3.6 3.6

~,

I

..::.. 0 2.6 2.6 2.4 2.4 2.4 L6

• 1 " t.:i

F'ALISADES AF'F'END IX A PLANT SPECIFIC DATA DOMINANT CONTRIBUTORS TO CONDITIONAL UNAVAILABILITY LOSS OF MAIN FEEDWATER AND LOSS OF OFFSITE POWER F:ANK UNAVAILABILITY CUT SETS CONTRIBUTION

1.

2.41E-05 EAClC EAClD F'SBB 19.9 r>

1.54E-IZJ5 EAC1C PSBB PSBC 12.7 1.06E-05 EAC1D PSBA PSBB 8.8

4.

6.75E-06 PSBA PSBB F'S8C 5.6 c:*

4.lllli.lE-06 EAC1D RV0783

..J.

.... 1. *-*

6.

3. 14E-IZJ6 EAC1C EAC1D MPBB 2.6

7.

2.55E-06 PSBC Rl.J(2)783

2. l

8.

2.21ZJE-06 EAC1C MCV0737A PSElB

l. 8

8.

2.20E-06 EAClC MCV0736(-1 PSBB

1. 8

8.

2.20E-06 EAC1C MCl<0726 PSBB

1. 8

9.

2. l!ZJE-06 AFAS OF'El PS8B

1. 7

9.

2.IZJlE-06 EAC1C MPBB F'SBC

1. 7

10.

1.72E-IZJ6 EAC1.C EP1ClD MPC:V521A

1. 4

10.

1.72E-IZJ6 EAC1C EAC1D MC1<074:5

1. 4 l 1.

1. 51E-0t::i EAC1D MD<0741 PSBB

1. 2

L 2.

1.37E-06 EAC1D MF'BB F'SBA

1. 1

13.

1. l l.ZlE-1216 Er.:iC1C MPCV521A PSBC

1. 0 1.3.

1. 10E-06 EAC1C MCl<0743 PSBC

1. !Zl

13.

1.1Zl3E-06 EAClC OPE211Zl PSBB

1. 0 (0. 8) 1 ::::;.

1.03E-12l6 EAC1C OPE205 PSBB

l. 0

13.

1. 03E-06 EAC1C OPE108 PSBB

1. Ql

13.

1.03E-06 EAC1C OPE107 PSBB

1. 0 F:r-~NK UNA~.JA I LAB IL I TY Bi:)S IC E'*.JENT CONTRIBUTION

1.

3.00E-02 F'SBB 8

?.

~

2.

3.42E-02 Ef4C1C 5.4

._.. u

2. ::::;5E-02 EAC1D

8. 7

4.

1.50E-02 F'S8C

1.

• I

.L c::-

..J.

1. 50E-IZJ2 F'SBA 4

r::*.

~

6.

1.70E-04 R'*.J0783

7. (2) 7.

3.90E-03 MPBB 6.5

8.

2.14E-03 MPC'v521A

._; ** \\.J

8.

2.14E-03 MCKIZJ743

...;.* 0

9.

2. 14E-0:.

MCVfZJ736A

~.-...

• _, u

9.

~.

..::... 14E-12l3 MCV0737A

._1 *

9.

~.

..:.:, a 14E-03 MCK0726

-;r

• --i 117.J.

7.IZllZIE-03 AFAS 2.9

10.

1. 00E-03 OPE1 2.9 1L 2.14E-03 MCl<0741

~.

..::... 1 1 ~.

.a::..

1. !Zl0E-12l3 OPE104

1. 6

12.

1. 00E-03 OPE103

1. 6

13.

1.©0E-03 OPE210

1. 4

13.

1. 1Zl(ZJE-e13 OF'E205

1. 4

13.

1. 00E-IZl3 DF'E108 L LI*

l3.

1. 00E-0:.

OPE107 L4 r.:i-12

PALISADES APPENDIX A PLANT SPECIFIC DATA DOMINANT CONTRIBUTORS TO CONDITIONAL UNAVAILABILITY LOSS OF MAIN FEEDWATER AND LOSS OF ALL ALTERNATING CURRENT RANK UNAVAILABILITY CUT SETS

1.

3.IZJIZJE-02 PSBB

2.

3.91ZJE-03 MPBB

4.

4.

t:"

...J.

6.

7.

8.

9.

9.

1 IZJ.

2. 14E-0~J

2. l.4E*-03 1

• 0!2lE-IZJ3 1

• IZJ!ZIE-03 5.IZJ!i.'IE-04 3.20E-04

1. 7!i.'IE-04 1.l0E-04 8.l.4E-IZJ5 8.14E-05

6. 5~.!.E-05 RANK UNAVAILABILITY

1.

. 01ZJE-IZJ2

2.

3.90E-03 3p 2n 14E-(Zl3

3.

2. 14E-03

4.

1

• IZJ0E-IZJ3

4.

1. 00E-03 c:*

...J.

6.

7.

7.

7.

8.

8..

9.

5. 01ZJE-04

3. 2!ZJE-04 l.. 70E-IZJ4 l

• 1 !ZJE-04

1. 1 !ZlE-04*

B.14E-05 8.14E-05 6.53E-05 MPCV521A MCKIZJ743 OPE11Zl2 OF'E11Zl1 F'CV0521A CK0743 R'v0783 C',,112l522A CV0522B GVIZJ742 G\\1(2)132 GOVERNOR BASIC EVENT F'SBB MP88 MF'CV521A MCK0743 OF'E102 OPE101 PCVIZJ521A CKIZJ743 R'v0783 CV0522A CVIZJ522B GVIZJ742 GV0132 GOVERNOF:

A-13 CONTRIBUTION 72.4 9.4 5.2 2.4 2.4 1 '::'

12'J. 8 (Z). 4 IZJ. 3 IZl. 2 0.2 IZl CON TR I BUT I m.J

72. L1 9.4 5.2

2. 't 2.4 1 ':.'

iZJ. 8 fZ). 4 0.4 12). 4 0.2 Q). 2 0.2

APPENDIX B MSLB AFW MODEL CUTSETS IC0286-0001K-NL01

APPENDIX B AFW3 P = 5.0E-03 The following cutsets are independent to AFW

1.

.,),

2.40E-1113 AUX31T 5.00E-04 AFVOT See indep transfer description Op fail to incr flow to good SS The following cutsets are associated with makeup to the condensate storage tank

'1...

4.

,J.

6.

7.

8.

9.

10.

11.

12.

13.

14.

16.

17.

18.

19.

2111.

21.

23.

24.

.:.,J *

26.

29.

5.63E-04 3.89E-04 3.89E-04 2.BBE-04 5.64E-05 4.28E-05 4.28E-05 3.16E-05 1.96E-05 1.28E-05 1.19E-05 6.lBE-06 4.28E-06 4.13E-06 3.13E-06 2.15E-06 2.10E-06 2.10E-06

1. 66E-06 1.66E-06 1.56E-06 1.40E-06

1. 22E-06 CONDTKIT P221 IT P221IT P221 IT P2211T POOLOOP POOLOOP POOLOOP ED611MG P221IT EDG1100 POOLDOP EDG11ME P205DIT P2211T P221IT PTRSU1-2MT PTRSU1-2MT P410IT P410IT PTF:SU1-2MT POOLOOP P410IT XXV713MA XXV712MA XXV107MB XXV171MA XXV712MA XXV713MA XXV107MB POOLOOP X0090-020T POOLOOP XXV171MA POOLOOP POOLOOP XLS5201MC PCBB#105MA XXV712MA XXV713MA XXV713MA XXV712MA XXV11117MB XOD90-02DT XXV107MB Condensate makeup indep failures Loss of power to auto mikeup

_valve and alt makeup supply failures The following cutsets are associated with random failures of combinations of pumps.and flow control valves

15.

22.

27.

28.

5.32E-06 2.03E-06 1.28E-06

1. 28E-06 APMBCME PCBB#105MA AAV0749MA AAV111737AMA AUX3IT -- INDEPENDENT MODULE PCBB#105MA,-loss of Bus iC and Pump C PCBB#209ML PCBB#203MA Loss of Bus lD and Trains A&B PCBB#105MA Loss of Bus lC and Train C The following cutsets are common cause failures derived using ge~eric industry data

1.

1.1110E-03 APM8ME2CC Pumps fa i 1 to start

.,..J.

2.50E-04 ASGFCVBCC Flow controller malfunction

4.

8.10E-05 ATFFCVBCC Flow transmitter failure

6.

4.80E-05 AAVFCV4CC Flow control valve failure.

16.

1.30E-05 APM8MG2CC Pumps fail to run B-1 PALISADES

PALI SADES APPENDIX B AUX3IT Continued The following cutset is spurious FOGG isolation

2.

3.80E-04 ASSLMBMT The following cutsets are loss of both flow paths or one flow path with pump failure(s) in the remaining train C'

5.40E-05 AAV0749MA APM8Cl1E

7.

3.90E-05 AMV0760MD APM8CME

8.

3.90E-05 AMV0753MD APMBCME

9.

2.40E-05 AFC0749MT APMBCME

11.

2.05E-05 AAV0749MA PCBB#209MB

13.

1.48E-05 AMV0753MD PCBB#209MB

14.

1.4BE-05 AMV0760MD PCBBi209MB 15,.

1.30E-05 AAV0737AMA AAV0749MA

18.

9.36E-06 AAV0749MA APMBCMG

19.

9.36E-06 AAV0737AMA AMV0760MD

20.

9.36E-06 AAV0749MA AMV0754MD

21.

9.36E-06 AAV0749MA AMV0759MD

22.

9.36E-06 AAV0737AMA AMV0753MD

_L._\\.

9.12E-06 AFC0749MT PCBB#209MB

'"l C'

"-.J

• 6.76E-06 AMV0753MD AMV0759MD

26.

6.76E-06 AMV0759MD AMV0760MD

27.

6.76E-06 AMV076111MD APM8CMG

28.

6.76E-06 AMV0753MD AMV0754MD

29.

6.76E-06 AMV0753MD AP MB CMG

30.

6.76E-06 AMV0754MD AMV07b0MD

32.

5.76E-06 AAV0749MA AFC0737AMT 5.76E-06 AAV0737AMA AFC0749MT

.J.J.

37.

4.80E-06 ACV0729MA AP MB CME

38.

4.16E-06 AFC0737AMT AMV0753MD

39.

4.16E-06 AFC0749MT AP MB CMG

40.

4.16E-06 AFC0737AMT AMV07b0MD

41.

4.16E-06 AFC0749MT AMV0759MD

42.

4.16E-06 AFC0749MT AMV0754MD

46.

2.56E-06 AFC0737AMT AFC0749MT

49.

2.40E-06 AIP0749MT APMBCME

51.

1.82E-06 ACV0729MA PCBBi209MB C'.,.

..J._\\ I 1.62E-06 AAV0737AMA APM8AME APM8BME

54.

1.50E-06 APM8CME ARE3P8ABMA

• C' C'

.J.J.

1. 43E-06 AFE0749MK APM8CME

58.

1.17E-06 AMV0759MD APM8AME APMBBME

60.

1. 17E-06 AMV0754MD APMBAME APMBBME

61.

1.15E-06 AAV0749MA ACV111704MA

62.

1.15E-06 AAV0749MA ACV0725MA

63.

1. 1 SE-06 AAV0749MA ACV0726MA

• 64.

1. 15E-06 AAV0737AMA ACV0729MA B-2

APPENDIX B AUX3IT Continued The following cutsets represent pump suction flow diversion 1111.

3.00E-05

17.

1.14E-05

24.

7.20E-06

34.

5.20E-06

..:i..J.

5.20E-06

36.

5.20E-06

45.

3.20E-06 The following cutsets

12.

52.

43.

C'..,

..JI

• 1.60E-1115

1. 65E-06 3.90E-06 1.30E-06 APMBCME AXV505MC AAV0737AMA AMV0759MD APMBCMG AMV0754MD AFC0737AMT result from INSTRABCOH APMBCl1E APSPBACOH APSPBACOH AXV505MC PCBB#209MB AXV505MC Y-strainer at suction AXV505MC of pumps A ~ B AXV505MC AXV505MC AXV505MC human error (instrument calibration>

---

i_ Flow control calibration I NSTRU@Q!!j APMSBMO-Suction pressure calibration ATBl<BMG The following cutsets are random pump failures

31.

6. 7'5E-1116 APMBAME APMBBME APMBCME

44.

2.'56E-06 APMBAME APMSBME PCBBl209MB

47.

2.56E-1116 APMBBME

~PMBCME PCBB#104MB

48.

2.40E-1116

• APMBCME ARV0783MC

50.

2.2'5E-06 AP MBA ME APMBCME ATBKBMS 56

• 1.17E-06 APMBAME

• APMBBME APMBCMG 59.

1.17E-06 APMBAMG APMSBME APMBCME B-3 PALISADES

APPENDIX C FIGURES AND DRAWINGS IC0286-0001K-NL01

co.. DllNIATE STOllACOE TAtOC.

• 1 l..C.

,f\\OM.SfRYIC£ WATl!R,.SYSTEM MOTOR DRIVEN PUi-1P-8A STEIM1 TURBINE.

DRIVEN l'VMP 88 f!B

~--~

~

cw 0749

---~-.. --"\\

~..

I L-------:~----r.:'Z. --- - - p;;\\_ l~'

~;

B, I

~

141

---

*..:t---------__J I

I I

A I

~

~---~

~

I I

- - ------~_-_

@-~-@

I

~~

_('iii?\\_

I I

f.o.

..:. ~-~-J FIGURE i nrw~ ~r~rMdTJr rn~onN~NT I 1tor1 rn

~-- ~--

1 I

bi;]

A/S I

- -L-- --

t;;;\\

~

~- -- -~

I

~

~--1--

~

I I

I

~

A/~

A/.s 61l r>N FIGURE 2

~TFAM ~llPPI V,V,Tl="M ~r11r.M/\\TTt 40IM6 1*0 ""'

L r

n-m1nt 11-aTPl*ll a.&TC t-GATIC -

VALlll VM.Vl Loop 2 1--'-

21*1Slflll MTS - -

GA ft -

hW-110NI W'ILlll GATI -

~

VAL\\/&

CIT

,.._ Loop 1 -

ISJ*PV Uri -

• AMI&

llAlllCI.

H*OnlM CdCIC.

un -

"ALlll I

Line I

rain Al: Loop 2 + Loo T

p 3 + RV07A3 + Line 3 Train A2: Line 5 +Line 6 Train Bl: Loop 2 +Loop 3 + RV0783 + Line 4 Train B2: line 5 + Line 7 I~

IW*01N lllLllf VAL\\lf Line 1 I

r-11111141 tt.or*o*11 t-HTS -

CllltlL WALVll Loop 3 lll*Of.fl 1'""1*1NI

~p -

CHCI -

• ,.ft -

P.H VAi.aii VA&.VS j

Line 2 I

I Cl*071*M 1111*11.....

Qll"'

p..ac flUll VA&.¥11 5

Fl GURE 3 AFWS RELIABILITY BLOCK DIAGRAM

~

Line 3 I

CV*0141 _.

ICll~lhl INUITlllW -

llOUITIN -

CMICll r--

VALlll VALVI VaLllC

~.

HOA Ctl-tnlT MO-OJiJ

... Olfl

'°'..,..,_.

COllHO&. -

llKATlOll -

...... T.... -

QllC..

VALVI...

11111.VC

.-ft Line 4 I

Line 6.

.I I

C'kln7A

• OIM

• om

~

CGllTIA - lllU1Wll -... """ - *ca -

lll\\Ull WALlll U&.118 tTUM CHrlM IJll.°"9 llMTIM -

.-ATllll t-OllU.

WAUIC fAl.VI

r--

~

STEAM 153 ens IHAh\\S

• C\\1*051.18

.. OlMS PC.V-0521.ll GEN.

PRESSURE -

GATE GATlt CONTROL CHECK CONTJ(Ot.

E-SOA VALVE VALVI VALVI.

VALVI.

VALVE K*&

TURBINE PUMP Loop 4 i-Loop 5 -

DRIVfR P-IB 110*214FW 150 F'N GLOH 1-i-

GLOBE 1--

VALVE VALVE STEAM 15!.MS 15'2.AMS CV*0521A

'401MS GUI, -

GATE -

GATE -

CO~TROL -

CHECK -

E*SOB VALVE VALVE VALVE V~LVE CV*Olll CONTROL i-VALVE"

~

w.----------Line 9 -------------~

FIGURE 4 STEAM SUPPLY SYSTEM RELIABILITY BLOCK DIAGRAM

APPENDIX D HARDWARE FAULT TREE IC0286-0001K-NL01

PALI SADES APPENDIX D AFW SYSTEM RELIABILITY - HARDWARE

1. llE-0.7 1

2 TOP OR 2

2 61 G2 CST PRU PT 61 AND 0

2 6V270FW 6V133FW 62 AND 2

0 63 64 63 AND 2

0 65 66 64 AND 2

0 67 GB 65 OR 3

1 69 610 611 RV0783 66 OR 2

0 612 613 67 OR 3

1 69 610 614 RV0783 68 OR 2

0 612 615 69 AND 0

2 6V0771 6V0271 610 AND 2

0 616 617 611 OR 1

3 620 lt00753 1'100760 CK0729 612 OR 1 4 622 CK0725 GV0751.

CK0726 GV0752 613 OR 1

3 623 1'100754 1'100759 CK0704 614 OR 1 3 621 1'100743 1'10079-8 CK0728 615 OR 1

3 624

'100748 1'100755 CK0703 616 OR 1 3 618 6V0772 CK0741 6110740 617 OR 1

3 619 6V0132 CK0743 6V07.42 618 OR 1

3 625 PSBA EAC1C EACY10 619 OR 1

1 628 PSSB 620 OR 1

1 662 CV0749 621 OR 1

1 647 CV0727 622 OR 1 3 644 PS8C EAC1D EACY20 623 OR 1

1 657 CV0737A 624 OR 1

1 652 CV0736A 625 AND 1

1 626 AFAS 626 OR

.0 HS 104CS OPE1 EDC1

~'

628 OR 2

1 629 631!11 GOVERNOR 629 AND 2

0 632

. 633 632 OR 1

3 636 CK41!12MS GV153AMS 6V1531'1S 633 OR 3

637 638 665 CK401MS GV152AMS

.,)

1 GV152MS 636 OR 1

2 642 CV0522B

• EACY10 637 AND 2

0 639 6371 638 OR 1

1 640 CV0522A 639 OR 0

6 OPE1 CV0521 SV0521 HS0521 EDC2 1

EACY10 640 AND 1

1 641 OPE2 641 OR 0

6 AIR1 SV0522A FCV0522A HS0522A OPE!

1 EDC1 642 AND 2

0 6421 6422 643 OR 1 5 6431 SV0522B FCV0522B HS0522B OPEl 1

EDC1 644 AND 2

0 6441 645 645 OR 0

3 HS209CS OPE1 EDC2 647 AND 0

2 OPE1 FT0727A 652 AND 0

2 OPE1 FT0736A 657 AND 0

2 OPE1 FT0737A 662 AND 0

2 Of'El FHl749A 665 AND 1

1 666 NATER 666 OR 1

1 667 GV714FW 667 OR 1

1 668 CV0525 668 AND 1

1 G69 OPE2 D-1

PALISADES.

APPENDIX D 669 OR 5

AlR3 SV0525 HS0525.

OPE1 EDC1 631111 OR 1

1 631112 PCV111521A 63&12 AND Ill NITROGEN AlR4 L

6371 OR 2

6V111214 OPE3 6421 AND 1

1 643 OPE2 6422 OR 1 1 6423 EDCl 6423 OR 1

1 6424 AFAS 6424 OR 2

1 6425 6426 EACY20 6425 AND "

2 FT1117'36H FT0736AH 6426 AND 111 2

FT0737H FT0737AH 6431 AND "

2 NITROGEN AlR2 6441 OR 1 1 6442 AFAS 6442 OR 2

1 6443 644~

EACY10 6443 AND "

2 FT111727H FT0727AH 6444 AND "

2 FT0749H FT0749AH END D-2

CST RUPTURE CST NO FLOW TO BOTH STEAM GENERATORS DURING BOIL DRY TIME <"" 15 MINJ DUE TO HARDWARE FAILURES 11--------< TRANSIENT EVEMT *#1, COMMON SUCT HEAD En PIPE RUPTURE PRU PT TOP NO FLOW THRU LOOP 1 Gl MV-270FW 133FW FAILS TO OPEN FAILS TO OPEN LMFW - AC SOURCES AVAILABLE NO FLOW TO SG A AND SGB G2 NO FLOW TO SG A NO FLOW TO SG B P.H3 Hl

NO FLOW HIRU LOOP 2 G9 P.H4 P.Hl NO FLOW THRU TRAIN Al NO FLOW TO SG A G3 NO FLOW THRU LOOP 3 RV-0783 NO FLOW THRU PREMATURE OPEN LINE 3 RV0783 P.H5 P.H2 NO FLOW THRU TRAIN A2 NO FLOW HIRU LINE 5 NO FLOW THRU

. LINE 6 P.HlO P.Hll

NO FLOW THRU LOOP 2 G9 P.H4 P.Hl NO FLOW THRU TRAIN Bl NO FLOW THRU RV-0783 NO FLOW TO SG B NO FLOW THRU LOOP 3

• PREMATURE OPEN lINE Ll RV0783 P.H5 P.H9 NO FLOW THRU TRAIN B2 NO FLOW THRU NO FLOW THRU LINE 5 LINE 7 H3

NO FLOW THRU LOOP 2 P.B2.,H3 29-0771FW FAILS TO OPEN GV0771 69

. MV-271FWS FAILS TO OPEN GV0271 H4

P.H2.,H3 NO FLOW THRU LINE 1 P.H6 GlO NO FLOW THRU LINE 2 P.H7 H5

NO FLOW TH.RU

~---1 29-0772FW FAILS TO OPEN P.HS GV0772 PUMP P-8A FAILS P.Hl3 LINE 1 Gl6 218-0741 14-0740FW FAILS TO OPEN FAILS TO OPEN CK0741 GV0740.

H6

PUMP P-8B FAILS -

P.Hl4 P.HS NO FLOW THRU LINE 2 29~132FW 218-0743 14-0742FW FAILS TO OPEN

• FAILS TO OPEN FAILS TO OPEN GV0132 K0743 GV0742 H7

CV-0749 PREVENTS WATER FLOW P.H28

~----11 NO FLOW THRU LINE 3 P.H2 Gll M0-0753 M0-0760 CK-0729FWS FAILS TO OPEN FAILS TO OPEN FAILS TO OPEN 00753 M00760 CK0729 H8

NO FLOW THRU

...-...~----1 LI NE 4 P.H3 CV-0727 PREVENTS WATER FLOW P.H25 M0-0743 FAILS TO OPEN M00743 M0-0798 CK-0728FWS FAILS TO OPEN FAILS TO OPEN M00798 CK0728 H9

PUMP P-8C FAILS P.H24

~--.....

CK-0725FWS FAILS TO OPEN CK0725 NO FLOW THRU LINE 5 Gl2 MV-751FWS CK~0726FWS FAILS TO OPEN FAILS TO OPEN GV0751 K0726 MV-752FWS FAILS TO OPEN GV0752 HlO

CV-0737A PREVENTS WATER FLOW P.H27 NO FLOW THRU

'~--....

P.H2 LINE 6 M0-0754 FAILS TO OPEN M00754 M0-0759 CK-0704FWS FAILS TO OPEN FAILS TO OPEN M00759 CK0704 Mll

CV-0736A PREVENTS WATER FLOW P.H26 NO FLOW THRU

~--.....

P.H3 LINE 7 M0-0748 FAILS TO OPEN M00748 M0-0755 CK-0703FWS FAILS TO OPEN "FAILS TO OPEN M00755 CK0703 Hl2

P.H6 PUMP P-8A NO ELEC POWER FAILS TO START ROM AC BUS lC HS-152-104CS FAILS PUMP P-8A FAILS Gl8 MANUAL START FAILURE G26 OPERATOR ERROR MS104CS PEI NO ACTION TO START P-8A WHEN REQUIRED NO POWER FROM nc nus I ED Cl 625 AFAS FAILS AFAS Hl3

P.H7 PUMP P-8B FAILS TO START PS8B NO STEAM THRU LOOP 4 I' I Hl5 PUMP P-8B FAILS Gl9 NO STEAM i:o PUMP P-8B NO STEAM THRU LOOP 5 P.H16 GOVERNOR FAILS OVERNOR IU4

P.Hl4 NO STEAM THRU LINE'8 32 NO STEAM THRU LOOP 4

...__ G29 402MS 153AMS 153MS FAILS TO OPEN FAILS-TO OPEN FAILS TO OPH!

CK402MS GV153AMS Vl53MS NO STEAM THRU LINE 9 P.Hl7 CV-0522B PREVENTS STEAM FLOW G36

-P.H21-Hl5

NITROGEN SOURCE FAILS P.Hl4 NO STEAM THRU LOOP 5 630 PCV-0521A PREVENTS FLOW LOSS OF INSTRUMENT AIR 6302 SERVICE &

INSTR AIR SYSTEM FAILS 6301 PCV-0521A FAILS TO OPEN PCV05.21A NITROGEN AIR4 Hl6

ATER IN PIPE/

FAILURE TO DRAIN WATER P.Hl8 P.Hl5 NO STEAM THRU LINE 9 CV-0522A PREVENTS STEAM FLOW CV-0521 AND 130-214FW FAI TO PASS STEAM 401MS FAILS TO OPEN P.H20 CV-0521 PREVENTS STEAM FLOW G37 130-214FW PREVENTS STEAM FLOW CK401MS 130-214FW FAILS TO OPEN OPERATOR ERROR GV0214 OPE3 152AMS FAILS TO OPEN GV152AMS 152MS FAILS TO OPEN GV152MS Hl7

ATER IN PIPE/

rAP-----1 FAILURE TO DRAIN WATER

-..-G65 WATER IN PIPE ATER FAILURE TO DRAIN WATER G66 CV-0525 PREVENTS WATER FLOW 714FW FAILS TO OPEN CV-0525 FAILS TO OPEN CV0525 667 CV-0525 FAILS DUE TO CONTROL FAILURE GV714FW Hl8

LOSS OF INSTRUMENT AIR AIR3 CV-0525 FAILS Ar---....,UE TO CONTROL P.Hl8 SUPPORTING INSTRUMENTS FAILURE SV-0525 FAILS SV0525 FAILURE 668 HS-0525 FAILS HS0525 OPERATOR ERROR IN CR OP El NO POWER FROM DC BUS 1 ED Cl OPERATOR ERROR IN LOCAL OPE2 H19

P.Hl7 CV-0522A FAILS TO*OPEN LOSS OF INSTRUMENT AIR AIRl CV0522A SV-0522A FAILS SV0522A CV-0522A PREVENTS STEAM FLOW SUPPORTING INSTRUMENTS FAILURE 641 FC'7-0522A FAILS FCV0522A*

CV-0522A FAIL DUE TO CONTROL FAILURE OPERATOR ERROR IN LOCAL HS-0522A OPERATOR ERROR FAILS

• IN CR OPE2 H20 NO POWER FROM DC BUS 1 DCl

CV-0522B FAILS TO OPEN P-.-H15 CV0522B CV-0522B PREVENTS STEAM FLOW MANUAL CONTROL FAILS CV-0522B FAIL UE TO CONTROL FAILURE G42 AUTOMATIC CONTROL FAILS NO POWER FROM DC BUS 1 ED Cl G422 AUTO START FAILS H21

LOSS OF

• INSTRUMENT AI G431 NITROGEN SOURCE FAILS NITROGEN P.H21 CR/SUPPORTING INSTRUMENTS FAILURE G43 MANUAL CONTROL FAILS 6421 OPERATOR ERROR IN LOCAL OPE2 SV-0522B FCV-0522B HS-0522B OPERATOR FAILS FAILS FAILS ERROR IN CR SERVICE &

INSTR AIR SYSTEM FAILS AIR2 NO POWER FROM DC BUS 1 ED Cl H22

P. Hl7 OPERATOR CV-0521 ERROR IN CR FAILS TO OPEN rm ELEC PWR FROM AC BUS YID CV-:0521 PREVENTS STEAM FLOW SV-0521 FAILS SV0521 EACYlO L__ ______________ ---

HS-0521 NO POWER FROM FAILS DC BUS 2 H23

P.HlO PUMP P-8C FAILS PUMP P-8C NO ELEC POWER FAILS TO START PS8C EA CID HS-152-209C FAILS HS209CS MANUAL.

START FAILURE 645 OPERATOR ERROR

. OPEl NO ACTION TO START P-8C WHEN REQUIRED 644 NO POWER FROM DC BUS *2 EDC2 NO ELEC PWR.

FROM AC BUS Y20 AUTO START FAILS EACY20 H24

P.H9 CV-0727 FAILS TO OPEN CV0727 CV-0727 PREVENTS WATER FLOW G21 CV-0727 FAILS DUE TO CONTROL FAILURE G47 OPERATOR ERROR.

FT-0727A FAILS OP El FT0727A H25

P.Hl2 CV-0736A FAILS TO OPEN CV-0736A PREVENTS WATER FLOW G24

. CV-0736A FAILS DUE TO CONTRO FAILURE CV0736A G52 OPERATOR ERROR OPEl FT-0736A FAILS FT0736A H26

CV-0737A PREVENTS p.Hll WATER FLOW CV-0737A FAILS TO OPEN CV0737A CV-0737A FAIL UE TO CONTROL FAILURE G57 OPERATOR ERROR FT-0737A FAILS OP El FT0737A H27

P.H8 CV-0749 FAILS TO OPEN V0749 CV-0749 PREVENTS WATER FLOW OPERATOR ERROR CV-0749 FAILS UE TO CONTROL FAILURE G62 FT-0749A.

FAILS FT0749A H28

AFAS FAILS P.H21 AFAS AUTO START FAILS G423

• FT0736 AND FT0736A L

FLOW TRANSMITTERS FAIL 6424 NO ELEC PWR FROM AC BUS Y20 FT0737 AND FT0737A FAIL HIGH

.__ G't25 EACY20

___.6426 FT0736 FAILS HIGH FT0736H FT0736A FAILS HIGH FT0736AH FT0737 FAILS HIGH T0737H FT0737A FAILS HIGH FT0737AH H29

AFAS FAILS P.H24 AFAS AUTO START FAILS FT0727 AND FT0727A FAIL HIGH FLOW TRANSMITTERS FAIL G442 NO ELEC PWR FROM AC BUS YlQ FT0749 AND FT0749A FAIL HIGH G443 EACYlO G'444 FT0727 FT0727A FAILS HIGH FAILS HIGH FT0727H FT0727AH FT0749 FAILS HIGH FT0749H FT0749A FAILS HIGH.

H30 FT0749AH

APPENDIX E TEST AND MAINTENANCE FAULT TREE IC0286-0001K-NL01

PALI SADES APPENDIX E AFW SYSTEM RELIABILITY - TEST & MAINTENANCE

1. 0E-1118 1

2 TOP DR 3

111 6801 6802 6803 6801 OR 2

0 6804 8805 8802 OR 0

6101 611112 6103

..)

681113 DR 4

0 6206 6208 6203 8204 6804 AND 0

DPE801 GV133FW 8805 AND 0

2 DPE81111 6V270FW 611111 AND 111 6104 6105 6102 AND 2

0 6106 8107 8103 AND

"')

0 8108 6109 6104 AND 2

0 6110 66 6105 AND 2

0 8121 GB 6106 AND 2

111 6112 66 6107 AND 2

0 6122 68 6108 AND 2

0 6119 65 8109 AND

"')

0 6119 67 6110 AND 2

111 G 111 617 G 111 OR 0

C" TP8A MP8A MCK0741 OPE101 OPE102

.J G 112 AND 2

0

~113 616 G 113 OR 1

C" 6114 TPBB MP8B MCK0743 OPE11113

.J 1

OPE104 6114 OR 2

1 6115 6116 MPCV521A 6115 AND r,

0 6117 632 G 116 AND 2

0 6118 633 6117 DR 0

4 MCK401MS MCV0521 OPE105 MCV0522A 6118 OR 0

MCK402MS MCV0522B DPE106

..)

6119 DR 0

c TP8C MP8C MCK0726 OPE 107 OPE108

~*

6203 OR 2

111 6209 6210 62M DR 2

0 8211 G212 6206 AND 2

0 8217 64 621118 AND 2

0 6223 83 821119 AND 2

0 G'J"C"

~.£..J 6239 8210 AND 2

0 8228 84 6211 AND 2

0 6230 6231 8212 AND 2

0 6"')77

......,).._\\

83 6217 AND 2

111 G21B 86 6218 OR 0

2 MM00753 OPE21112 6223 AND 2

0 6224 GB 6224 OR 111 2

MM00743 OPE204 6225 AND 0

6227 85

.£.

6227 DR 0 "

MCV0737A DPE205

.£.

8228 AND 2

0 6229 65 G229 DR 0

2 MMD0754 DPE206 6230 AND 111 6232 85

.£.

6231 AND 2

111 6232 87 6232 DR 0

2 MCV0736A DPE210 6233 AND 2

0 G234 67 6234 OR 0

"'I MM0074B OPE207

.£.

6239 AND

'1,_

0 6227 87 83 AND 2

111 85 86 64 AND 111 67 GB

.i..

65 OR 7

1 69 810 811 RV0783

..)

66 OR

"')

0 612 613 67 OR 7

1 69 610 814 RV0783

~'

E-1

PALISADES APPENDIX E GB DR 2

Ill G12 815 G9 AND Ill 2

GVlll771 GVlll271 G10 AND 2

Ill G16 G17 611 DR 1

3 6211!

MOlll753 M011176111 CKlll729 612 OR 1

4 6'""'

££ CKlll725 6Vlll751 CKlll726 6V0752 613 OR 1

3 G23 MDlll754 MOlll759 CKlll704 614 OR 1

3 G21 M00743 1'100798 CK0728 615 DR 1

624 M00748 M0111755 CK0703

.,).

616 OR 1

618 6Vlll772 CKlll741 6V111740

~'

617 DR 1

3 619 6Vlll132 CKlll743 GVlll742 618 OR 1

625 PS8A

'EAC1C EACY 10

.,)

619 OR 1

1 628 PSBB 62111 OR 1

1 G62 CVlll749 621 OR 1

1 647 CVlll727 G"'r, OR 1

G44 PS8C EAC1D EACY21i'l

.t..~

.,)

623 OR 1

1 657 CVlll737A G24 OR 1

1 652 CVlll736A G"'c-

.:.....1 AND 1

1 626 AFAS G26 OR Ill HS104CS OPE1 EDC1

.,)

628 OR 2

1 629 631111 GOVERNOR G29 AND

'i Ill 632 G33 G32 OF:

1 G36 CK402MS GV153AMS GV153MS

.,)

633 DR 637 G38 665 CK41111MS GV152AMS

~'

.,)

6V152MS 636 OR 1

2 642 CVlll522B EACY1111 G37 AND 2

Ill 639 G371 638 DR 1

1 64111 CVlll522A G39 OR Ill 6

DPE1 CVlll521 SVlll521 HSlll521 EDC2 1

EACY10 84111 AND 1

1 641 OPE2 541 DR Ill 6

AIR1 SVlll522A FCVlll522A HSlll522A OPE 1 1 '

EDC1 642 AND 2

Ill 6421 6422 64:'.,

OR 1

5 6431 SVlll522B FCVlll522B HSlll522B OPE1 1

EDC1 644 AND

"'i Ill 6441 645 645 OR Ill

"'l' *-*

HS21119CS OPE1 EDC2 847 AND Ill 2

OPE1 FT111727A G c-""

AND*

Ill OPEl FTlll736A

...1,;.

657 AND Ill 2

OPE1 FT111737A 662 AND Ill 2

OPE1 FT111749A 865 AND 1

1 866 WATEr:

666 OR 1

1 667 6'V714FW 867 OR 1

1 668 CVlll525 G68 AND 1

1 G69 OPE2 G69 OF:

Ill 5

AIR3 SVlll525 HSlll525 OPE1 EDC1 6:S~l OR 1

1 G31112 PCVlll521A G:.1112 AND Ill 2

NITROGEN AIR4 G371 OR Ill 2

GVlll214 OPE3 6421 AND 1

1 G43 OPE2 6422 OR 1

1 G423 EDC1 G423 DR 1

1 G424 AFAS 6424 OR 1

G425 G426 EACY2111

.L.

6425 AND 0

FT0736H FT0736AH 6426 AND Ill 2

FT0T37H FT0737AH E-2

PALISADES APPENDIX E G431 AND 0

2 NITROGEN AIR2 8441 OR 1

1 G442 AFAS G442 OR 2

1 G443 G444 EACY10 G443 AND 0

2 FT0727H FT0727AH G444 AND 0

FT0749H FT0749AH

£.

END E-3

NO FLOW TO BOTH STEAM GENERATORS DURING BOIL DRY TIME <"'15 MlN)

MV-270FW AND 133FW FAIL TO OPEN 133FW FAILS T OPEN; MV-270FW OMMISIONERROR 804 MV-270FW 133FW 6801 DUE TO TEST AND MAINTENANCE <T&M)

TOP NO FLOW TO SGA

& SGB DUE TO PUMP T&M P.T2 V-270FW FAILS 0 OPEN & 133FW OMMISION ERROR 6805 TRANSIENT EVENT #1~

LMFW - AC SOURCES AVAILABLE NO FLOW TO SGA.

& SGB DUE TO MAINT ON LINES P.Tll NQIE:***1NDICATES TRANSFER TO DESIGNATED GATE AND PAGE OF HARDWARE FAULT TREE MISSION ERROR FAILS TO OPEN MV-270FW AILS TO OPEN 133FW OMISSION ERROR

• PE801 GV133FW GV270FW OPE801 Tl

NO FLOW TO SGA

&SGB DUE TO PUMP P-8A T&M 6101 NO FLOW TO SGA

&SGB DUE TO

....___.----PUMP T & M P.Tl NO FLOW TO SGA

& SGB DUE TO PUMP P-8B T&M 6102 NO FLOW TO SGA DUE TO NO FLOW TO SGB DUE TO 0 FLOW TO SGA DUE TO P-8B T&M NO FLOW TO SGB DUE TO P-8A T&M P-8A T&M P-8B T&M P.T4 P.TS 0 FLOW TO SGA

& SGB DUE TO PUMP P-8C T&M 0 FLOW* TO SGA DUE TO P-8C T&M P.19 6103 NO FLOW TO SGB DUE TO P-8C T&M

P-8A TEST TP8A P-8A MAINTENANCE P.T2 NO FLOW THRU TRAIN Al NO FLOW TO SGA DUE TO P-8A T&M 6104 GllO Glll NO FLOW THRU LIME 2 NO FLOW THRU TRAIN A2 218-0741 MAINTENANCE 29-0772FW 14-0740FW MISSION ERROR OMISSION ERROR MP8A CK0741 OPElOl OPE102 T3

P.T2 NO FLOW THRU TRAIN Bl NO FLOW TO SGB DUE TO P-8A T&M NO FLOW THRU TRAIN B2 Gl21 NO FLOW THRU LINE 1 DUE TO P-8A &

NO FLOW THRU LINE 2 T4

NO FLOW THRU LINE 1 NO STEAM TO PUMP P-8B DU TO MAINT P-8B TEST P.T2 0 FLOW TO SGA DUE TO P-8B T&M 6106 NO FLOW THRU TRAIN Al 6112 NO FLOW THRLJ

..___---t LINE 2 DUE TO P-8B T&M P.T8 P-8B MAINTENANCE Gll3 218-0743 MAINTENANCE NO FLOW THRU TRAIN A2 29-132FW 14-0742FW T5 OMISSION ERROR MISSION ERROR TP8B MP8B MCK0743 OPE103 PE104

LINE 8 FAILS AND LINE 9 MAINT P.T7 P.TS PCV0521A MAINTENANCE NO STEAM TO PUMP P-8B DUE TO.MAINT PCV0521A MA nn AND 150FW FAILS TO OPEN 6125 MPCV521A 402MS MAINTENANCE MCK402MS CV-0522P:

MAINTENANCE LINE 8 MAINT AND LINE 9 FAILS LINE 8 MAINTENANCE 6118 6116 153AMS OMISSION ERROR MCV0522B OPE106 LINE 9 FAILS TG

P.T5 LINE 8 FAILS 401MS MAINTENANCE MCK401MS LINE 8 FAILS LINE 9 MAINT

.....___.GllS LINE 9 MAINT Gll7 152AMS CV-0522A CV-0521 MAINTENANCE OMISSION ERROR MAINTENANCE MCV0521 OPE105 MCV0522A Tl

NO FLOW TO SGB DUE TO P-SB T & M Gl07 NO FLOW THRU TRAIN Bl NO FLOW THRU LINE 2 DUE TO P-8B T&M Gl22 NO FLOW THRU LINE 1 NO FLOW THRU TRAIN B2 T8

P-8C TEST NO FLOW THRU TRAIN Al P.T2 P-8C MAINTENANCE.

TP8C MP8C NO FLOW TO SGA DUE TO P-8C T&M Gl08 NO FLOW THRU

~----1 LINE 5 DUE TO CK-0726FWS MV-751FWS MV-752FWS MAINTENANCE OMISSION ERROR OMISSION MCK0726 PE107 OPE108 T9

NO FLOW THRU TRAIN Bl tlO FLOW TO SGB DUE TO P-8C T&M 6109 NO FLOW THRU LINE 5 DUE TO P-8C T&M TlO

W FLOW TO SGA

& SGB DUE TO MAINT LINE 3 0 FLOW TO SGA SGB DUE TO MAINT LINE 4 6208 DUE TO OTHER VALVES P.116 DUE TO CV-0737A P.Tl7 0 FLOW TO SGA

& SGB DUE TO MAINT LINE 6 6203 DUE TO OTHER VALVES 0 FLOW TO SGA

& SGB DUE TO MAINT LINE 7 6204 DUE TO CV-0736A DUE TO OTHER VALVES P.Tl9 P.T20 Tll

THIS PAGE INTENTIONALLY BLANK Tl2

CV-0749 MAINTENANCE MCV074~

CV-0749 MAINTENANCE G215 14-0740FW

& 14-0742FW MISSION ERRO G216 14-0740FW 14-0742FW MISSION ERROR OMISSION ERROR OPE201 OPE202 Tl3

M0-0753 MAINTENANCE DUE TO

.. OTHER VALVES NO FLOW TO SGA

...__....., 6217 M0-0753,M00760 OR CK0729FWS MAINTENANCE 6206 NO FLOW TO SGB NO FLOW THRll TRAIN A2 CV-0749 OMISSION ERROR OPE20 2 Tl4

THIS PAGE INTENTIONALLY BLANK Tl5

M0-0743 MAINTENANCE MM00743 DUE TO OTHER VALVES G208 NO FLOW TO SGB NO FLOW TO SG M0-0743., M0079 OR CK-0728FWS MAINTENANCE 6224

• No FLOW THRU TRAIN B2 P.H3 CV-0727 OMISSION ERROR OPE204

• Tl6

P.Tl7 W FLOW TO SGA

~----IOI SGB DUE TO V-0737A MAINT

--..-.. G209 NO FLOW TO SG G225 CV-0737A MAINTENANCE NO FLOW THRU TRAIN-Al CV-0737A MAINTENANCE MCV0737A G227 MV-752FWS OMISSION ERROR OPE205 NO FLOW TO SGB 6239 NO FLOW THRU TRJHN Bl P.H3 CV-0737A MAINTENANCE Tll

DUE TO OTHER VALVES

--G210 NO FLOW TO SGA NO FLOW THRU TRAIN Al M0-0754 MAINTENANCE MM00754

..__...... 6228 0-0754.; M0-0759 OR CK-0704FWS MAINTENANCE 6229 NO FLOW TO SG CV-0737A OMISSION ERROR OPE206 118

NO FLOW THRU TRAIN Al NO FLOW TO S6A

~----1

& SGB DUE TO

~

CV-0736A MAINT 6211 NO FLOW TO S6A 0 FLOW TO SGB G230 CV-0736A MAINTENANCE NO FLOW THRU TRAIN Bl CV-0736A MAINTENANCE MCV0736A 6232 MV-752FWS OMISSION ERROR OPE210 6231 CV-0736A MAINTENANCE P.Tl9 Tl9

M0-0748 MAINTENANCE NO FLOW TO SGA MM00748 DUE TO OTHER VALVES

...__,, 6212 NO FLOW TO SGB M0-0748,M00755 OR CK-0703FWS MAINTENANCE G234*

--......... G233 NO FLOW THRU TRAIN Bl CV-0736A OPE207 T20

14-07Lf0FW

& 14-0742FW OMISSION ERROR GZ'fO 14-07lf.OFW 14-0742FW OMISSION ERROR OMISSION ERROR OPE208 OPE209 TZJ

-1 APPENDIX F ELECTRICAL FAULT TREES IC0286-0001K-NL01

PALISADES APPENDIX F AFW RELIABILITY -

ELECTRICAL BUS 1 C EAC1C OR 1

1 826 BUS1C 826 AND 2

0 631 833 831 OR 0

4 B18 C16 D81-1S D61-1R 633 OR 0

4 B20 ClB STUT1-2 OPRT END AFW RELIABILITY - ELECTRICAL BUS y 10 EACY10 OR 1

61 BUSY10 81 AND

~.

© 62 83

£ 62 OR 1

4 64 Bl Cl BYPR BUSY01

,83 OR 1

4 85 B2 C2 INVl BUSDl 84 AND

"')

Ill 66 67 85 AND

'7

-~

0 GB 89 610 86 OR 1

4 814 B3 C3 ACT!

BUSMCl 87 OF:

1 4

811 B4 C4 ACT2 BUSMC3 8.8 OR 1

7

._)

812 B5 C5 BATT 1 89 OR 1

3 813 B6 C6 BUSMC2 810 OR 1

3 814 B7 C7 BUSMC1 611 OR 1

2 815 BB CB 612 AND Ill 7

CHl CH3 BD

._)

613 OR 1

7 816 B9 C9 BUSB12

-~

814 OR 1

617 Bllll C10 BUSB11

~'

615 OR 1

618 BUSB13 616 AND 2

0 619 620 617 AND 2

0 621 622 618 AND Ill 6181 623

£ 619 OR 4

624 B12 C12 STAP12 BUS1D 620 OR 1

7

._)

622 B 11 Cll BUSBll 621 OR 1

3 819 B 11 C11 BUSB12 622 OR 1

4 626 B14 C14 STAPll BUS1C 623 OR 2

827 BUSB14 B15 624 AND r;

111 628 630 826 AND 2

0 831 833 627 OR 1

4 634 B16 C13 STAP14 BUSlE 828 OR Ill 4

B17 C15 D81-2S D61-2R 830 OR 0

4 B22 C22 STUT 1-2 OPRT 631 OR 0

4 B18 C16 DG1-1S D81-1R 633 OR 0

4 B20 C18 STUTl-2 OPRT 634 OR 0

4 B24 C21 STUTl-2 OPRT 6181 OF:

4 626 B181 C181 STAP13 BUSlC END F-1

PALISAI:E3 APPENDIX F Anl RELIABILITY - ELECTRICAL DC BUS EDC1 OF:

1 1

85 BUSD1 85 AND 3

0 GB 89 610 GB OR 1

~'

812 B5 C5 BATT1 89 OR 1 3 613 B6 C6 BUSMC2 810 OR 1

814 B7 C7 BUSMC1

..J 612 AND 0

7.

.)

CH1 CH3 BD 813 OF:

1

~'

G16 B9 C9 BUSB12 614 OR 1

7 G17 B10 C10 BUSB11

..J 616 AND 2

0 819 820 617 AND

'i 0

621 6""'~*

G19 OR 1

4 G24 B12 C12 STAP12 BUSlD G20 OR 1

..J 622 811 c 11 BUSB11 821 OF:

1 819 811 C11 8USB12

..J s~...,

OR 1

4 G26 814 C14 STAPll 8US1C 624 AND 2

0 G28 G311l 626 AND 2

0 631 G33 G28 OR 0

4 817 C15 D61-2S DG1-2R G30 OR 0

4 822 C22 STUT1-2 OPRT 631 DR 0

4 B18 C16 D61-1S D61-1R 633 DR 0

4 B20 C1B STUT1-2 DPRT END F-2

EEPS TO AC BUS IC.

FAILURE P.EI9

• EEPS AC BUS lC NOT AVAILABLE EACIC

• • EEPS = ESSENTIAL ELECTRICAL POWER SUPPLY AC BUS IC FAILURE BUSIC El

EEPS ro DC BUS 1 FAILURE P.ES EEPS DC BUS 1 NOT AVAILABLE DC BUS 1 FAILURE BUSDl E2

EEPS FROM BUS YOl FAILURE.

P. E4 EEPS TO BUS YlO FAILURE Gl EEPS AC BUS YlO NOT AVAILABLE EACYlO EEPS FROM DC BUS 1 FAILURE P.ES BUS YlO FAILURE BUSYlO E3

EEPS TO BUS YOl FAILURE G4 EEPS FROM MCC 1 FAILURE P.E6 P.E3 BRKRS FAILURE EEPS*FROM MCC 3 FAILURE G7 P.E7 Bl EEPS FROM BUS YOl FAILURE CABLING FAILURE Cl BYPASS REGULATOR FAILURE BYPR BUS YOl FAILURE BUSYOl*

E4

EEPS TO DC BUS 1 FAILURE BATTERY 1 FAILURE P.E8 BRKRS FAILURE EEPS FROM MCC 2 FAILURE P.E9 B2 EEPS FROM DC BUS 1 FAILURE CABLING FAILURE C2 EEPS FROM MCC 1 FAILURE P.ElO INVERTER 1 FAILURE INVl BUS 1 FAILURE BUSDl ES

EEPS TO BUS MCC 1 (FR BUS Bll) FAILURE P.Ell EEPS FROM MCC 1 P.E4

.FAILURE BRKRS FAILURE B3 G6 CABLING FAILURE :

C3 INSTR AC XFMR 1 FAILURE ACTl BUS MCC 1 FAILURE BUSMCl E6

L BRKRS FAILURE B4 EEPS TO BUS Bl3 FAILURE P.F14 EEPS FROM MCC 3 P.E4 FAILURE CABLING FAILURE EEPS FROM BUS Bl3 FAILURE 615 BUS Bl3 FAILURE BUSB13 EEPS TO MCC 3 FAILURE Gll BRKRS FAILURE B8 INSTR AC

. BUS MCC 3 XFMR 2 FAILURE FAILURE CABLING FAILURE C8 E7

BRKRS FAILURE BS P.ES CABLING FAILURE cs BATTERY 1 FAILURE G8 BATT 1 FAILURE BATTl CHARGER 1 FA I.LURE CHl BATTERY CHARGERS FAILURE 612 CHARGER 3 FAILURE CH3 BATTERY LOW CHARGE E8

BRKRS FAILURE B6 P.t5 CABLING FAILURE C6 EEPS FROM MCC 2 FAILURE BUS MCC 2 FAILURE -

EEPS TO BUS Bl2 FAILURE P.El2 BUSMC2 BRKRS FAILURE EEPS To MCC 2 (FROM BUS Bl2)

FAILURE CABLING FAILURE C9 BUS Bl2 FAILURE

• BUSB12 E9

BRKR FAILURE Bl P.E5 CABLING FAILURE Cl EEPS FROM MCC 1 FAILURE BUS MCC 1 FAILURE BUSMCl EEPS To MCC 1 (FROM BUS Bll)

FAILURE ElO

BRKR FAILURE BIO EEPS TO MCC 1

,......,_-----t (FROM BUS Bll)

P.E6,,El0 CABLING FAILURE 10 FAILURE Gl4 BUS Bll FAILURE BUSBll EEPS TO BUS Bll FAILURE P.El3 Ell

EEPS FROM BUS lD FAILURE P.E9 EEPS FROM BUS lC FAILURE P.El8 EEPS TO BUS Bl2 FAILURE

---... Gl6 BRKRS FAILURE Bll EEPS* FROM BUS Bll FAILURE CABLING FAILURE Cll BUS Bll FAILURE USBll

• ~. '*

. El2

BRKRS FAILURE Bll P.Ell EEPS FROM BUS Bl2 FAILURE CABLING FAILURE Cll EEPS TO BUS Bll FAILURE

"----'Gl7 BUS Bl2 FAILURE BUSB12.

EEPS FROM BUS lD FAILURE P.El6 EEPS FROM

. BUS IC FAILURE Fl3

BRKRS FAILURE Bl81 P.E7 EEPS FROM BUS lC FAILURE Gl81 CABLING FAILURE 181 STA PWR XFMR 13 FAILURE EEPS TO BUS Bl3 FAILURE

.............._Gl8 STAP13 BUS lC FAILURE BUSlC EEPS FROM BUS Bl4 FAILURE EEPS TO BUS lC FAILURE 1 G26 P.El9 El4

EEPS TO BUS lE FAILURE P.E20 EEPS TO BUS Bl4 FAILURE P.El4 627 BRKRS FAILURE Bl6 EEPS FROM BUS Bl4 FAILURE BUS Bl4 FAILURE BUSB14 CABLING FAILURE STA PWR XFMR 14 FAILURE STAP14 P:RKRS FAILURE Bl5 BUS lE FAILURE BUSIE EIS

BRKR FAILURE BI2 p I EI2.,, EI3 CABLING

• FAILURE CI2 BRKRS FAILURE EEPS FROM EUS ID.

FAILURE STA PWR XFMR I2 FAILURE GI9 BUS lD FAILURE STAPI2 BUSlD EEPS FROM DG I-2 FAILURE G28 CABLING FAILURE DGl-2.

FAILURE Bl7 Cl5 DGI-2 EEPS TO BUS ID FAILURE G24 EEPS FROM <RT)

FFSITE POWER FAILURE

~ *~...

El6

EEPS FROM CRT>

n..,.._ __

__.OFFSITE POWER P.El6 FAILURE BRKR FAILURE B22 CABLING FAILURE C22 STARTUP XFMR 1-2 FAILURE STUTl-2 OFFSITE POWER CRT) SOURCE FAILURE

~. '*

El7.

BRKRS FAILURE Bl4 P.El2.,El3 CABLING FAILURE Cl4 EEPS FROM BUS lC FAILURE G22 STA PWR XFMR 11 FAILURE STAPll BUS lC FAILURE BUSIC EEPS TO BUS IC FAILURE P.El9 El8

BRKR FAILURE Bl8 P.El,El4,El8 EEPS FROM DG 1-1 FAILURE CABLING FAILURE BRKR FAILURE B20 DG 1-1 FAILURE EEPS TO BUS lC FAILURE 626 EEPS FROM <RT)

OFFSITE POWER FAILURE CABLING FAILURE Cl8 Cl6 DGl-1 STARTUP XFMR 1-2 FAILURE STUTl-2 OFFSITE POWER

<RT) SOURCE FAILURE OPRT El9

P.El5 BRKR FAILURE B24 CABLING FAILURE EEPS TO BUS IE FAILURE 634 21 STARTUP XFMR 1-2 FAILURE STUTl-2 OFFSITE POWER CRT> SOURCE FAILURE PRT E20

APPENDIX G DATA IC0286-0001K-NL01

PALISADES APPENDIX G FAILURE OF AFW SYSTEM COMPONENTS USING PLANT SPECIFIC DATA COMP ID PROBABILITY DESCRIPTION AFAS 7.00E-03 AFW actuation signal fails AIR 1 1.52E-03 Loss of instrument air on CV-0522A AIR2

1. 52E-03 Loss of instrument air ( f ram air system) on CV-0522B AIR~.

1.52E-0'3 Loss of instrument air on CV-0525 AIR4 1.52E-03 Loss of instrument air (from air system) on PCV-0521A CK401MS 1.00E-04 Check valve 401MS fails to open CK402MS 1.00E-04 Check valve 402MS fails to open CK0703 1.00E-04 Check valve CK-0703 FWS fails to open CK0704

1. 00E-04 Check valve CK-0704 FWS fails to open CK0725 1.00E-04 Check valve CK-0725 FWS fails to open Cl<0726 1.00E-04 Check valve CK-0726 FWS fails to open CK0728 1.00E-04 Check valve CK-0728 FWS fails to open CK0729 1.00E-04 Check valve CK-0729 FWS fails to open CK0741 1.00E-04 Check valve CK-0741 FWS f ai 1 s to open CK0743 1.00E-04 Check valve CK-0743 FWS fails to open CV0521 4.00E-04 Control valve CV-0521 fails to open CV0522A 4.00E-04 Control valve CV-0522A fa i 1 s to open CV0522B 4.00E-04 Control valve CV-0522B fails to open CV0525 4.00E-04 Control valve CV-0525 fails to open CV0727 4.00E-04 Control valve CV-0727 fails to open CV0736A 4.00E-04 Control valve CV-0736A fails to open CV0737A 4.00E-04 Control valve CV-0737A fails to open CV0749 4.00E-04 Control valve CV-0749 fails to open EAClC

9. 40E-05 No power from ac bus 1C CASE I ' TABLE 2-2 EAC1D 9.40E-05 No power from ac bus lD CASE I I TABLE 2-2 EACY 10 6.52E-05 No power from ac bus Y10 CASE I' TABLE 2-2 EACY20 6.52E-05 Na power from ac bus Y20 CASE I ' TABLE 2-2 EDCl 6.39E-05 No power from de bus 1 CASE I I TABLE 2-2 EDC2 6.39E-05 No power from de bus 1 CASE I I TABLE

")

~.

.... -L.

FCV0522A 1.00E-05 Flori control valve FCV-0522A fails to open FCV0522B 1.00E-05 Fl ow control valve FCV-0522B fails to open FT0727A 2.17E-03 Fl ow transmitter FT-0727A fails FH!736A 2.17E-'n Flow tra.nsmi tter FT-0736A f ai 1 s FT0737A 2.17E-03 Flow transmitter FT-0737A fails FT0749A 2.17E-03 Fl ow tt-ansmi tter FT-0749A fails FT0727H 2.17E-03 Fl ow transmitter FT-0727 fails FT0727AH 2.17E-03 Flow transmitter FT-0727A fails high FT0736H 2.17E-03 Fl Ol'l transmitter FT-0736 fails high FT0736AH 2.17E-11!3 Flow transmitter FT-0736A fails high FT0737H 2.17E-03 Flow transmitter FT-0737 fails high FTl1!737AH 2.17E-03 Flow transmitter FT-0737A fails high FT0749H 2.17E-03 Flow transmitter FT-0749 fails high FT0749AH

2. 17E-11!3 Flow transmitter FT-0749A f ai 1 s high GOVERNOF:

6.53E-05 Turbine governor K-8 fails GV0132

1. 011!E-11!4 Gate valve 29-132FW fails to open 6V0271 1.11!0E-04 Gate valve MV-271FWS fails to open GV0740 1.00E-04 Gate valve 14-111740FW fails to open GV0742 1.00E-04 Gate valve 14-11!742FW fails to open G'~0751

1. 0\\:lE-04

. Ga.te valve MV-751FWS fails to open GV0752 1.00E-04 Gate valve MV-752FWS fails to open GV0771 1.11!0E-04 Gate valve 29-0n1rn f ai 1 s to open G-1

PALISADES APPENDIX G GV0772 1.00E-04 Gate valve 29-0772FW fails to open GV133nl

1. 00E-04 Gate valve 133FW fails to open GV152MS

1. 00E-04 Gate valve 152MS fails to open GV152AMS 1.1110E-1114 Sate valve 152AMS fails to open GV153MS

1. 00E-04 Gate valve 153MS fails to open GV153AMS

1. 00E-04 Gate valve 153AMS fails to open GV270FW 1.00E-04 Gate valve MV-270FW fails to open 6V714FW 1.00E:-04 Gate valve 714FW fails to open GV0214 1.00E-04 Gate valve 130-214FW fails to open HS0521 3.00E-04 Hand switch HS-0521 fails HS0522A 3.00E-04 Hand Sl~i tch HS-0522A fa i 1 s HSlll522B

3. 0111E-1114 Hand switch HS-0522B fails HS0525 3.00E-1114 Hand srii tch HS-0525 fails HS104CS 3.00E-04 Hand switch HS-104CS fails HS209CS 3.00E-04 Hand switch HS-211l9CS fails MCK401MS

2. 14E-1113 Maintenance on check valve 401MS MCf:'.402MS 2.14E-03 Maintenance on check valve 41!12MS MCK0726 2.14E-1113 Maintenance on check valve CK-0726FWS MCK0741 2.14E-03 Maintenance on check valve 218-0741 MCK0743

2. 14E-lll3 Maintenance on check valve 218-0743 MCV0521 2.14E-03 Maintenance on control valve CV-0521 MCVl1l522A 2.14E-03 Maintenance on control valve CV-111522A MCVl1l522B 2.14E-1113 Maintenance on control valve CV-05ssB MCV0736A 2.14E-03 Maintenance on control valve CV-0736A MCV0737A 2.14E-03 Maintenance on control valve CV-0737A MM00743 2.14E-03 Maintenance on motor-operated valve MD-0743 MM00748 2.14E-03 Maintenance on motor-operated valve M0-0748 MMD0753 2.14E-03 Maintenance on motor-operated valve M0-0753 MM00754 2.14E-03 Maintenance on motor-operated valve M0-0760 MPCV521A 2.14E-03 Maintenance on pressure control valve PCV-0521A MP8A 2.14E-03 Maintenance on pump P8A MP8B 2.14E-03 Maintenance on pump PBB MPBC 2.14E-03 Maintenance on pump PBC M00743 1.00E-1114 Motor-operated valve M0-0743 fails to open MOl1l748

1. 011lE-1114 Motor-operated valve M0-0748 fails to open MOl1l753 1.00E-04 Motor-operated valve M0-0753 fails to open M00754

1. 00E-04 Motor-operated valve M0-0754 fails to open MOl1l755 1.00E-04 Motor-operated valve M0-0755 fa i 1 s to open M00759 t.00E-04 Motor-operated valve M0-0759 fails t Ci open M00760 1.11l0E-1114 Motor-operated valve M0-0760 fails to open M00798 1.11l0E-04 Motor-operated valve M0-0798 fails to open NITF:OGEN 1.52E-03 Loss of pressure from nitrogen source OF'E 1 1.00E-Ql3 Operator error DPE101 1.00E-03 Operator error OPE Hl2 1.00E-03 Operator error OPE103 1.00E-03 Operator error OPE104 1.00E-03 Operator error OF'E105 1.1110E-03 Operator error OPE106 1.00E-03 Operator error OPE107

1. 00E-03 Operator error OPE108 1.00E-03 Operator error OPE2 1.00E-03 Operator error OPE3 1.00E-03 Operator error OPE202

1. 00E-03 Operator error OF'E204 1.00E-03 Operator error G-2

OPE205 1.11l0E-11l3 OPE206

1. 00E-03 OPE207

1. 011JE-11l3 OPE2111l 1.11ll1JE-03 DPE801 1.11l0E-03 PCVl1l521A 1.11l11JE-11l5 PSBA 5.11l11JE-03 PSBB 1.11l0E-11l3 PSBC 5.11ll1JE-11l3 RVl1l783

3. 65E-11l3 SV0521

1. 00E-03 SV0522A 1.11l0E-03 SV0522B

1. liHlE-03 SV0525 1.00E-11l3 WATER

1. 00E-03 APPENDIX G Operator error Operator error Operator error Operator error Operator error Pressure control valve PCV-0521A fails to open Electric pump PBA fails to start Turbine-driven pump PBB fails to start Electric pump P8C fails to start Relief valve RV-0783 premature open Solenoid valve SV0521 fails Solenoid valve SV0522A fails Solenoid valve SVl1l522B fails Solenoid valve SVl1l525 fails Water in steam pipe G-3 PAL I SALES

APPENDIX G FAILURE OF AFW SYSTEM COMPONENTS USING PLANT SPECIFIC DATA COMP ID PROBABILITY AFAS AIRl AIR2 AIR3 AIR4 CK401MS CK402MS CK0703 CKlil704 CK0725 CK0726 CK0728 CKlil729 CK0741 CK0743 CV0521 CV0522A CV0522B CV0525 CV0727 CV0736A CV0737A CV0749 EAC1C EAC1D EACY 113 EACY20 EDC1 EDC2 FCV0522A FCV0522B FT0727A FT0736A FT0737A FT0749A FT0727H FT0727AH FT0736H FT0736AH FT0737H FT0737AH FT0749H FT0749AH GOVERNOF:

GV0132 GV0271 GV0741il GV0742 GV0751 GV0752 GV0771 7.1110E-03 1.52E-03 1.52E-1113 1.52E-03

1. 52E-03 9.50E-04 3.20E-04 3.20E-04 3.20E-04 3.20E-04 3.20E-04 3.20E-04 3.20E-04

3. 20E-04 3.21/JE-04 8.00E-03 1.10E-02 3.60E-03

1. 10E-02 3.60E-03 3.61/JE-03 3.60E-03 3.60E-03

1. 21E-05 1.03E-05 1.04E-05

1. ME-05

3. 12E-05 3.12E-05 5.50E-04

1. 90E-04

1. 40E-04 1.40E-04

1. 40E-M 1.40E-04 2.17E-03 2.17E-03 2.17E-03 2.17E-03 2.17E-03 2.17E-03 2.17E-03 2.17E-03 6.53E-05 8.14E-05 8.14E-05 8.14E-05 8.14E-05 B.14E-05 8.14E-05 8.14E-0:,

DESCRIPTION AFW actuation signal fails Loss of instrument air on CV-0522A Loss of instrument air (from air system) on CV-0522B Loss of instrument air on CV-0525 Loss of instrument air (from air system) on PCV-0521A Check valve 401MS fails to open Check valve 402MS fails to open Check valve CK-0703 FWS fails to open Check valve CK-0704 FWS fails to open Check valve CK-0725 FWS fails to open Check valve CK-0726 FWS fails to open Check valve CK-0728 FWS fails to open Check valve CK-0729 FWS fails to open Check valve CK-0741 FWS fails to open Check valve CK-0743 FWS fails to open Control valve CV-0521 fails to open Control valve CV-0522A fails to open Control valve CV-0522B fails to open Control valve CV-0525 fails to open Control valve CV-0727 fails to open Control valve CV-0736A fails to open Control valve CV-0737A fails to open Control valve CV-0749 fails to open No power from ac bus 1C CASE I, TABLE 2-2 No power from ac bus 1D CASE I, TABLE 2-2 No power from ac bus Y10 CASE I, TABLE 2-2 No power from ac bus Y20 CASE I, TABLE 2-2 No power from de bus 1 CASE I, TABLE 2-2 No power from de bus 1 CASE I, TABLE 2-2 Flow control valve FCV-0522A fails to open Flow control valve FCV-05228 fails to open Flow transmitter FT-0727A fails Flow transmitter FT-111736A fails Flow transmitter FT-0737A fails Flow transmitter FT-0749A fails Flow transmitter FT-0727 fails Flow transmitter FT-0727A fails high Flow transmitter FT-0736 fails high Flow transmitter FT-0736A fails high Flow transmitter FT-0737 fails high Flow transmitter FT-0737A fails high Flow transmitter FT-0749 fails high Flow transmitter FT-lil749A fails high Turbine governor K-8 fails Gate valve 29-132FW fails to open Gate valve MV-271FWS fails to open Gate valve 14-0740FW fails to open Gate valve 14-0742FW fails to open Gate valve MV-751FWS fails to open Gate valve MV-752FWS fails to open Gate valve 29-0771FW fails to open G-4 PALI SADES

GV111772 GV133FW GV152MS GV152AMS GV153MS GV153AMS GV270FW GV714FW GV0214 HS0521 HS0522A HS0522B HS0525 HS 104CS HS209CS MCK401MS MCK402MS MCK111726 MCK0741 MCK0743 MCV0521 MCV0522A MCV0522B MCV0736A MCV0737A Mt-100743 MM00748 MM00753 MM00754 MPCV521A MPBA MPBB MPBC M00743 M00748 M0075:.

M00754 M00755 M00759 M00760 M00798 NITROGEN OPE1 OPE101 OPE 11112 OPE1l!l3 OPE11114 OPE 11115 OPE106 OPE107 OPE108 OPE2 OPE3 OPE202 OPE21114 8.14E-05 8.14E-05 B.14E-05 8.14E-05 8.14E-05 8.14E-05 8.14E-05 8.14E-05 6.70E-03 3.00E-05 1.00E-05

1. 00E-05

1. 00E-05

1. 00E-05

1. 00E-05 2.14E-03

2. 14E-03

2. 14E-03 2.14E-03 2.14E-03 2.14E-03 2.14E-03 2.14E-03 2.14E-03 2.14E-03 2.14E-1113 2.14E-03 2.14E-03 2.14E-03 2.14E-03 2.30E-04 3.90E-03 2.70E-04 2.80E-03 2.80E-03 2.80E-03 2.80E-03 2.80E-03 2.80E-03

2. BlllE-1113 2.80E-03 1.52E-03 1.00E-02 1.00E-1112 1.00E-02

1. 00E-03 1.00E-03 1.00E-03

1. 00E-03 1.00E-03

1. 00E-03 1.00E-03 1.00E-03 1.00E-03 1.00E-03 APPENDIX G Gate valve 29-0772FW fails to open Gate valve 133FW fails to open Gate valve 152MS fails to open Gate valve 152AMS fails to open Gate valve 153MS fails to open Gate valve 153AMS fails to open Gate valve MV-270FW fails to open Gate valve 714FW fails to open Gate valve 130-214FW fails to open Hand switch HS-0521 fails Hand switch HS-0522A fails Hand switch HS-0522B fails Hand switch HS-0525 fails Hand switch HS-104CS fails Hand switch HS-209CS fails Maintenance on check valve 401MS Maintenance on check valve 402MS Maintenance on check valve CK-0726FWS Maintenance on check valve 218-0741 Maintenance on check valve 218-0743 Maintenance on control valve CV-0521 Maintenance on control valve CV-0522A Maintenance on control valve CV-05ssB Maintenance on control valve CV-0736A Maintenance on control valve CV-0737A Maintenance on motor-operated valve M0-0743 Maintenance on motor-operated valve M0-0748 Maintenance on motor-operated valve M0-0753 Maintenance on motor-operated valve M0-0760 Maintenance on pressure control valve PCV-0521A Maintenance on pump PBA Maintenance on pump P8B Maintenance on pump PBC Motor-operated valve M0-0743 fails to open Motor-operated valve M0-0748 fails to open Motor-operated valve M0-0753 fails to open Motor-operated valve M0-0754 fails to open Motor-operated valve M0-0755 fails to open Motor-operated valve M0-0759 fails to open Motor-operated valve M0-0760 fails to open Motor-operated valve M0-0798 fails to open loss of pressure from nitrogen source Operator error Operator error Operator error Operator error Operator error Operator error Operator error Operator error Operator error Operator error Operator error Operator error Operator enot-G-5 PALISADES

OPE205 OPE206 OPE207 OPE210 OPE801 PCV0521A PS8A PSBB PSBC RVllJ783 SVllJ521 SV0522A SVllJ522B SVllJ525 WATER 1.00E-llJ3 1.011JE-03 1.00E-03

1. lllllJE-03 1.00E-03 5.00E-lll4

1. 511JE-lll2 3.llJllJE-02 1.50E-02

1. 70E-M 1.00E-03 1.llJllJE-03

1. 011JE-lll3 1.llllllE-03 1.00E-03 APPENDIX G Operator error Operator error Operator error Operator error Operator error*

Pressure control valve PCV-0521A fails to open Electric pump PBA fails to start Turbine~driven pump PBB fails to start Electric pump PBC fails to start Relief ~alve RV-0783 premature open Solenoid valve SVllJ521 fails Solenoid valve SV0522A fails Solenoid valve SV0522B fails Solenoid valve SV0525 fails Water in steam pipe G-6 PALI SADES

PAL I SAr:.ES APPENDIX G FAILURE OF ELECTRICAL EQUIPMENT USING GENERIC DATA COMP ID PROBABILITY RATE DESCRIPTION ACT!

1. 79E-1214 4.91E-07 Instr AC Transf 1 fa i 1 s to function ACT2

1. 79E-04 4.91E-lil7 Instr ~c Tran sf 2 fails to function B1 5.15E-05

4. 70E-lil8 1/3 Breakers from bypass regulator to bus Y10 ftc B2 3.43E-05 4.70E-08 DC breaker ftc or 4.70E-lil8 AC breaker ftc B3 1.72E-05 4.70E-lil8 Breaker 52-145 ftc B4

1. 72E-05 4.70E-lil8 Breaker 52-356 ftc B5 1.72E-05

4. 70E-08 DC Breaker ftc B6

1. 72E-05 4.70E-lil8 Breaker 52-285 ftc B7

1. 72E-05

4. 70E-08 Breaker 52-146 ftc BB 1.72E-lil5

4. 70E-08 Breaker 52-1301 ftc B9 1.72E-05 4.70E-lil8 Breaker 52-1203 ftc B10

1. 72E-05

4. 70E-08 Breaker 52-1101 ftc B 11 3.43E-05 4.70E-08 Breaker 52-1118 or breaker 52-1217 ftc B12 3.43E-l?J5 4.71ilE-08 Breaker 52-1202 ftc or 4.70E-lil8 Breaker 152-201 ftc B14 3.43E-05 4.7l?!E-08 Breaker 52-1102 ftc or 4.71ilE-08 Breaker 152-115 ftc B15

1. 72E-05 4.70E-08 Breaker 52-1310 ftc B16 3.43E-05 4.70E-08 Breaker 52-1402 ftc or 4.70E-08 Breaker 152-304 ftc B17 1.72E-05 4.70E-08 Breaker 152-213 <DG1-2 output) ftc B18 1.72E-05 4.7M-08 Breaker 152-107 <DG 1-1 output) ftc B21il 1.72E-05 4.70E-08 Bt-eaker 152-Hl6 ftc B22

1. 72E-05 4.71ilE-08 Breaker 152-202 ftc B24 1.72E-05 4.70E-08 Breaker 152-303 ftc B181 3.43E-05 4.70E-lil8 Breaker 52-1302 ftc or 4.70E-08 Breaker 252-110 ftc BD 1.05E-lil3 2.88E-06 DC battery 1 degraded BATT 1 1.06E-l?J3 2.90E-06 DC battery 1 fails BUS1C 6.39E-05 1.75E-07 Bus 1C fails BUS1D 6.39E-05 1.75E-07 Bus 10 fails BUS1E 6.39E-05 1.75E-07 Bus 1E fails BUSB11 6.39E-05 1.75E-07 Bus 11 fails BUSB12 6.39E-05 1.75E-07 Bus 12 fails BUSB13 6.39E-1115 1.75E-07 Bus 13 fails BUSB14 6.39E-05 1.75E-07 Bus 14 f ai 1 s BUSMC1 6.39E-1115 1.75E-1117 MCC 1 fails BUSMC2 6.39E-lil5 1.75E-1117 MCC 2 fails BUSMC3 6.39E-1115 1.75E-07 MCC.,. fa i 1 s BUSY01 6:39E-05 1.75E-07 Bus Y01 fa i 1 s BUSY10 6.39E-05 1.75E-lil7 Bus Y10 f ai 1 s BUSD1 6.39E-05 1.75E-07 DC Bus

• fails J.

BYPR 8.40E-04 2.30E-06 Bypass regulator fails Cl 5.lBE-04

1. 42E-06 Cable fails C2 5.lBE-04 1.42E-lil6 Cable fails C3 5.18E-04 1.42E-06 Cable fails C4 5.18E-04

1. 42E-lil6 Cable fails C5

5. lBE-04 1.42E-06 Cable fails Cb 5.18E-04 1.42E-06 Cable fails C7

5. lBE-04

1. 42E-lil6 Cable failE G-7

I PALI SADES APPENDIX G CB

5. 18E-04

1. 42E-06 Cable fails C9 5.18E-04 1.42E-06 Cable fails C10 5.1BE..:.04 1.42E-06 Cable fails C11 5.18E-04 1.42E-06 Cable fails C12 5.lBE-1114 1.42E-06 Cable fails C13 5.18E-04

1. 42E-06 Cable f aii s C14 5.lBE-04 1.42E-06 Cable fails C15

5. lBE-04 1.42E-06 Cable fails Clb 5.lBE-04 1.42E-06 Cable fails C17 5.lBE-04 1.42E-06 Cable fails ClB 5.lBE-04 1.42E-06 Cable fails C19 5.lBE-04 1.42E-06 Cable fails C20 5.lBE-04 1.42E-06 Cable fails C21 5.lBE-04

1. 42E-06 Cable fails C22

5. lBE-04 1.42E-06 Cable fails C181 5.18E-04 1.42E-06 Cable fa i 1 s CHl 4.42E-03 1.21E-05 Charger fails CH3 4.42E-03

1. 21E-05 Charger f ai 1 s DG1-1S

3. 00E DG fails to start DG1-2S 3.00E-02 DG fails to start INV 1 8.40E-04 2.30E-06 Inverter 1 fails OPRT 1.19E-04 3.26E-07 Loss of offsi te power STAP11 2.lBE-04 5.96E-07 Station power transformer fails STAP12 2.lBE-04 5.96E-07 Station power transformer fails STAP13 2.lBE-04 5.96E-07 Station power transformer fails*

STAP14

2. lBE-04 5.96E-07 Station power transformer fails STUT 1-2

3. 22E-04 8.BlE-07 Start-up transformer fails G-8

PALISADES APPENDIX G FAILURE OF ELECTRICAL EQUIPMENT USING PLANT SPECIFIC DATA COMP ID PROBABILITY RATE DESCRIPTION ACT!

2.1118E-1115 2.6111E-06 Instr AC Transf fails to function - Bhrs ACT2 2.1118E-1115 2.6111E-06 Instr AC Tran sf.., fails to function - Bhrs B1 3.84E-1116 1.6111E-1117 113 Breakers f ra*m bypass regulator ta bus Y10 ftrc - Bhrs B2 4.24E-06 3.70E-07 DC breaker ftrc - Bhrs or 1.60E-07 AC breaker ftrc - Bhrs B3 1.28E-1116

1. 60E-07 Breaker 52-145 ftrc - Bhrs B4 1.28E-06 1.6111E-07 Breaker 52-356 ftrc - Bhrs B5 2.96E-06

3. 70E-07 DC Breaker ftrc - Bhrs B6 1.28E-06 1.60E-1117 Breaker 52-285 ftrc - Bhrs B7 1.28E-1116 1.6111E-07 Breaker 52-146 ftrc - Bhrs BB

1. 28E-06

1. 6M-07 Breaker 52-1301 ftrc - Bhrs B9 1.28E-06

1. 6111E-1117 Breaker 52-121113 ftrc - Bhrs BH!

1. 28E-06

1. 60E-07 Breaker 52-111111 ftrc - Bhrs B11 2.56E-1116 1.6111E-1117 Breaker 52-1118 or breaker 52-1217 ftrc - Bhrs B12 1.33E-1115 1.611!E-1117 Breaker 52-121112 ftrc - Bhrs or 1.5111E-06 Breaker 152-21111 ftrc - Bhrs B14 1.33E-05 1.6111E-07 Breaker 52-111112 ftrc - Bhrs or 1.50E-1116 Breaker 152-115 ftrc - Bhrs B15 1.28E-1116

1. 60E-1117 Breaker 52-1310 ftrc - Bhrs B16

1. 33E-1115 1.6111E-07 Breaker 52-141112 ftrc.... Bhrs or

1. 5111E-1116 Breaker 152-304 ftrc - Bhrs B17 2.15E-1112

5. 7111E-1115 Breaker 152-213 <DG 1-2 output) ftc or ftrc DI=370hrs, MT=Bhrs B18 6.1111E-1113

1. 6111E-1115

• Breaker 152-H'!7 <DG 1-1 output) ftc or ftrc DI=37111hrs, MT=Bhrs (p-1.6E-05)

B20

1. 2111E-1115

1. 50E-06 Breaker 152-11116* ftrc - Bhrs B22 1.20E-05 1.50E-1116 Breaker 152-21112 ftrc - Bhrs B24

1. 2111E-1115

1. 50E-fll6 Breaker 152-31113 ftrc - Bhrs B181 1.33E-1115

1. 6111E-1117 Breaker 52-131112 ftrc - Bhrs or

1. 5111E-06 Breaker 252-11111 ftrc - Bhrs BD

9. 62E-04 2.60E-1116 DC battery 1 degraded - SBD, DI=37111hrs BATT!

2.1118E-fll5

2. 6111E-06 DC battery 1 fails -

Bhrs BUSlC

6. 4111E-06 8.1110E-1117 Bus 1C fails - Bhrs BUS1D 6.4111E-1116 8.0111E-fll7 Bus 1D fails - Bhrs BUS1E 6.4111E-1116 8.111111E-lil7 Bus lE fails - Bhrs BUSB11 1.36E-1116

1. 7111E-1117 Bus 11 fails - Bhrs BUSB12

1. 36E-06 1.7111E-07 Bus 12 fails - Bhrs BUSB13

1. 36E-1116

1. 7111E-1117 Bus 13 fails - Bhrs BUSB14

1. 36E-1116 1.7121E-07 Bus 14 fails - Bhrs BUSMCl

1. 36E-1116 1.70E-07 MCC fails - Bhrs BUSMC2 1.36E-06 1.70E-1117 MCC.., fa i 1 s - Bhrs BUSMC3 1.36E-1116 1.70E-07 MCC 7

~' fails - Bhrs BUSY1111 1.1114E-1115 1.3111E-06 Bus Y1111 fails - Bhrs BUSY10

1. ME-1115

1. 3111E-06 Bus Y10 fa i 1 s - Bhrs BUSDl 3.12E-05 3.9121E-06 DC Bus 1 fails -

Bhrs BYPR 4.16E-1115 5.2111E-1116 Bypass regulator fa i 1 s - 8hrs Cl 6.00E-05 7.511lE-11l6 Cable fa i 1 s - Bhrs C2

6. liHl!E-05 7.50E-06 Cab 1 e fa i 1 s - Bhrs C3 6.lil0E-05 7.511JE-11l6 Cable fails - Bhrs C4 6.!l!lllE-05 7.511lE-06 Cable fa i 1 s - 8hrs C5 6.11l0E-11l5 7.5111E-06 Cable fails - 8hrs G-9

PALI SADES APPENDIX G C6 6.00E-05 7.50E-06 Cable fails - Bhrs C7 6.00E-05

7. 5111E-1116 Cable fails - Bhrs CB 6.00E-05

7. 50E-1116 Cable fails - Bhrs C9 6.00E-05 7.50E-06 Cable fails - Bhrs C10

6. ll!ll!E-1115

7. 5111E-1116 Cable fails - Bhrs c 11

6. 0111E-1115 7.511!E-06 Cable fails - Bhrs C12

6. 011!E-1115

7. 5111E-06 Cable fails - Bhrs C13 6.1110E-1115

7. 5111E-1116 Cable fails - Bhrs C14 6.11!0E-1115

7. 511!E-06 Cable fails - Bhrs C15 6.00E-05

7. 50E-1116 Cable fails - Bhrs C16 6.00E-05 7.50E-06 Cable fails - Bhrs C17 6.00E-05 7.511!E-06 Cable fails - Bhrs C18 6.00E-05 7.50E-06 Cable fails - Bhrs C19 6.00E-05 7.50E-1116 Cable fails - 8hrs C2111 6.00E-05.

7.50E-06 Cable fails - Bhrs C21 6.1110E-05 7.5111E-06 Cable fails - Bhrs C22 6.00E-1115 7.50E-06 Cable fails - 8hrs C181 6.00E-05 7.50E-1116 Cable fails - Bhrs CH1 1.1114E-05 1.30E-06 Charger fails - Bhrs CH3

1. ME-05 1.3111E-06 Charger fails - Bhrs DG1-1S 6.1111E-03 6, llllE-03 DG fails to start -

SBD DG1-1R 2.24E-02 2.BlllE-03 DG fails to run - Bhrs DG1-2S 8.10E-03 8.10E-03 DG fails to start -

SBD DG1-2R 9.60E-03 1.20E-1113 DG fails to run - Bhrs INV 1 3.12E-05 3.9111E-06 Inverter 1 fails - Bhrs OPRT 5.36E-04 6.71l\\E-05 Loss of offsite power - 8hrs STAP11 4.00E-06 5.00E-07 Station power transformer fails - Bhrs STAP12 4.00E-06 5.00E-07 Station power transformer fails - Bhrs STAP13 4.00E-06 5.00E-07 Station power transformer fails - Bhrs STAP14 4.00E-06 5.00E-07 Station power transformer fails - Bhrs STUT1-2 2.64E-05 3.30E-ll!6 Start-up transformer fails - Bhrs G-10

APPENDIX G COMPONENT FAILURE RATE DATA CALCULATION The following presents some calculations of component failure rate data for the AFW system unavailability estimate.

1.0 TEST AND MAINTENANCE 1.1 Pump test= 1.92E-03 (Reference 2)

Q

= (hrs/test) (tests/yearl=(l.4> (12l = 1.93E-03 Test

<hrs/year) 8760 1.2 Pump maintenance= 2.14E-03 <Reference 2)

Q

=(!ll.22l (hrs/maintl=<0.22) (7) = 2.14E-03 Mai nt 720 720 1.3. Valve maintenance= 2.14E-03 (Reference 2l Q

=<0.22) (hrs/maint>=t0.22l (7) = 2.14E-03 Mai nt 720 720 2.0 OPERATOR ERROR

2. 1 Maintenance error = 1.00E-03 (Reference 3)

The failure probability if the maintainer fails to restore a valve after this work is finished is 1.00E-02, and the checker's failure probability is (1.01t'!E-02l (10> = 1.00E-01. Hence, the estimated error by the maintainer restoring manual valves is

<1.00E-02l (1.00E-01l = 1.00E-03.

2.2 Operator error in control room (or local)= 1.00E-03 (Reference 2)

Estimated failure probability for a "dedicated" operator to actuate AFW and possible backup actuation of AFW in 15 minutes actuation time needed is 1.00E-03.

3.0 HARDWARE 3.1 Valve (check, gatel fails to open= 1.00E-04 (Reference 4) 3.2 Control valve fails to open = 4.00E-04 Q = fails to operate +failure to remain open (plugl

= 3.00E-04 + 1~00E-04 = 4.00E-04 (Reference 4l 3.3 Relief valve premature open = 3.65E-03 Relief valve premature open failure rate~ = 1.00E-05/hr

<Reference 4l G-11 PALISADES

APPENDIX G By monthly testing:

Q = A*730/2 = (1.00E-05) (365) = 3.65E-03 3.4 AFW actuation signal fails = 7.00E-03 (Reference 2l 3.5 Loss of instrument air = 1.52E-03 Failure rate(...= 4.17E-06/hr (using compressor's failure rate (Reference 1 1 p 120>

Using monthly testing:

Q = A.* 730/2 = 4. 17E-06l <365) = 1. 52E-1113 3.6 Flow transmitter failure= 2.17E-03 Failure rate A. = 5.95E-06/hr (Reference 1 1 p 432)

Using monthly testing:

Q = (5.95E-06l 730/2 = 2.17E-03 3.7 Hand switch failure = 3.00E-04 (Reference 4l 3.8 Pressure (flow) control valve fails to open = 1.1110E-05 By using relief valve fails to open data (Reference 4) 3.9 Governor failure = 6.53E-05 Failure rate A= 1.70E-07/hr MTTR't"'= 19.13 hr (Reference 7l Q = 1\\1:' + 7'* 730/2 = 6.53E-05 (using monthly testing) 3.10 Electrically driven pump fails to start= 5.00E-03 Q = mechanical components + control circuit <with monthly testing) = 1.00E-03 + 4.00E-03 = 5.00E-03 (Reference 2l 3.11 Turbine driven pump fails to start= 1.00E-03 <Reference 2) 3.12 Solenoid valve failure= 1.0111E-03 (Reference 41 3.13 Pipe rupture, condensate storage tank rupture= 4.80E-08 The pipe rupture ()3") failure rate is 1.00E-10/hr per foot (Reference 4l. It was estimated that there were 20 feet of pipe length from the condensate storage tank to the double suction header and the average repair time was 24 hrs

• Q = (20l (1.00E-111H'!) (24) = 4.80E-08/demand G-12 PALI SADES

APPENDIX G 3.14 Motor-operated valve <N.0.) fails to open (plugging)

= 1.00E-04 (Reference 21 3.15 Water in pipe= 1.00E-03 By judgement, the estimated probability that there is sufficient condensed water in the steam pipe is 1.00E-03.

It is noted that the top event unavailability will not be affected if 1.0 is used for that estimated probability.

6-13 PALI SADES