ML19249E079

Summary of 790808-09 Meeting W/Sandia Lab in Albuquerque,Nm Re Fault Tree Series Depicting Reactor Coolant Pressure Boundary Safety Function.Attendance List & Comments on Fault Trees Encl
Person / Time
Issue date: 08/27/1979
From: Angelo J
Office of Nuclear Reactor Regulation
To: Hanauer S
Office of Nuclear Reactor Regulation
References
REF-GTECI-A-17, REF-GTECI-SY, TASK-A-17, TASK-OR NUDOCS 7909260238
Download: ML19249E079 (11)


Text


UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

AUG 27 1979

Generic Task No. A-17

MEMORANDUM FOR: S. H. Hanauer, Director, Unresolved Safety Issues Program

FROM: J. Angelo, Task Manager, Task A-17, Systems Interaction in Nuclear Power Plants

SUBJECT: SUMMARY OF MEETING WITH SANDIA LABORATORIES ON AUGUST 8-9, 1979 TO DISCUSS TASK A-17

On August 8-9, 1979 members of the NRC staff met with representatives of Sandia Laboratories in Albuquerque, NM to discuss the series of fault trees which depict the reactor coolant pressure boundary safety function, which is one of three safety functions being investigated in Generic Task A-17.

Persons who attended the meeting are listed in Enclosure 1 to this summary report.

The significant items discussed at the meeting are summarized in the following paragraphs of this report.

1. Operator Actions

While we did not specifically include operator actions as basic events in the fault trees, nevertheless there are a number of events that are more likely to be the result of operator actions than automatic controls. The situation may be further compounded by the fact that the valve may be initially in the faulted position at the start of the occurrence, or may be initially in the success position. There are also a large number of manual valves that are placed in the locked-open or locked-closed position. There are also a number of manual by-pass valves around automatic valves that are normally in the closed position. Sandia Laboratories can manipulate the computer code for evaluating fault trees to discriminate these kinds of events by inputting either unity or zero at that particular logic gate. Sandia Laboratories intends to revise the fault trees as necessary so that these situations are treated as uniformly as possible.

2. Reactor Coolant System Overpressurization

The fault tree for reactor coolant system overpressurization does not presently include the loss of heat removal events that can potentially cause overpressurization. The reason for this is that the loss of heat sink is treated in the decay heat removal function as an event that can lead to the top event of the fault trees by itself, regardless of the overpressurization. Sandia Laboratories explained that this cause of overpressurization can be added to the fault trees but would not achieve any meaningful differences in the analysis of the events.

Subsequent to this meeting, the NRC staff members had further discussion with the conclusion that the overpressurization caused by insufficient heat removal should be depicted in the fault tree. We have informed Sandia Laboratories of this conclusion subsequent to this meeting, and we are prepared to discuss this matter at a future meeting with Sandia Laboratories.

3. Event Trees

During the course of this task performance, the question has been raised regarding the relative merits of using event trees to supplement the fault trees. Sandia Laboratories has constructed event trees for the RCPB function and has verified that failure paths in the event trees have a corresponding branch in the fault trees. We have found it advantageous to use the event trees as a means of following the fault trees with greater ease of understanding. Sandia Laboratories will include event trees in their next interim report, which is scheduled for completion in September 1979.

4. Loss of Reactor Coolant Pressure Boundary

We decided early in this program to exclude loss-of-coolant accidents and mitigating systems for these accidents. We did, however, include systems interactions that could potentially lead to loss-of-coolant accidents, for example, by overpressurization of the reactor coolant system and overpressurization of systems connected to the reactor coolant system. We made a definition that the loss of reactor coolant boundary occurs when the potential loss of coolant exceeds the capacity of the normal makeup or charging system. On reconsideration of this definition we agree with Sandia Laboratories that events which have the potential of creating a non-normal leakage or flow path for the reactor coolant should be developed in the reactor coolant pressure boundary fault trees, whereas events that occur in normal leakage or flow paths are best depicted in the decay heat removal fault trees under a sub-function identified as "loss of coolant inventory." The principal reason for this arrangement of fault tree branches is that it is difficult to distinguish when a particular fault (such as a failed check valve, for example) may lead to a loss of reactor coolant which exceeds normal charging capacity.

5. Evaluation and Analysis of Fault Trees

Work is currently in progress on the evaluation and analysis of the reactor coolant pressure boundary fault trees using the Set Equation Transformation System (SETS) computer code. Sandia expects to complete this analysis by early September 1979, at which time we plan to meet with Sandia Laboratories to discuss the analysis results and methods.


6. Specific Comments on the Fault Trees

In addition to the more generalized discussions summarized in the paragraphs above, we discussed some specific comments on the fault trees and left Sandia Laboratories with a list of these comments for their further consideration. These comments are shown in Enclosure 2 to this summary report.

John Angelo
Task Manager
Generic Task A-17

Enclosures:
1. Attendance List
2. Comments on Fault Trees

cc: J. Hickman/W. Cramond
Division 4412
Sandia Laboratories
P. O. Box 5800
Albuquerque, NM 87185


7. On page 4 (far left), under "Boric Acid Transfer Pump 1 Output Diverted", one input to the OR gate is entitled "BAT A Return Line AOV 1 Fails Open". It appears that a normally closed manual valve is installed in this line. Therefore, the fault tree should be modified to account for the required failure of this manual valve.

8. On page 4, the subtree, "Failure of Both Normal and Aux Pressurizer Sprays," appears incomplete. The failure of normal spray capability through mechanical failure or loss of the reactor coolant pumping power has not been addressed.

9. On page 5 (far left), under "Centrifugal Charging Pump Trains or Letdown Fails", the input for insufficient letdown is in error. The input should concern insufficient letdown for the centrifugal charging pumps, not the positive displacement pump.


pump is delivering high flow, the failure of the excess letdown line is not necessary. Therefore, the OR gate shown in the subtree should have only two inputs, "Charging Pump Output Flow Control Valve Fails Open" and "Normal Letdown Path Fails Closed".

5. The conditional gates shown for the Overpressure Cases appear to have the wrong pressure value in some instances. Where applicable, the values should be changed to correspond to the correct PORV and safety valve settings, and Safety Injection pump design pressure.

6. On page 5, under the subtree, "Excess Letdown Path Fails Closed," two inputs, "Seal Flow Return Line Filter Manual Bypass Valve Not Opened" and "Seal Water Heat Exchanger Bypass Valve Not Opened," involve human error. Since the scope of the study excludes human error, these inputs should be restated to assume a mechanical failure. The exclusion of human error can be accomplished by one of the two following methods: (1) the operator is assumed to perform every possible correct action on time and following the correct sequence in an attempt to achieve a safe plant condition, or (2) the operator is assumed to perform absolutely no action whatsoever and the plant reacts independently. I believe that the latter method is more realistic. In either case, the fault trees should be conceived and structured consistent with the method which is selected.


Comments on the Fault Tree for the Reactor Coolant Pressure Boundary (RCPB) Safety Function (Figure 5.3-7, dated July 2, 1979)

1. The RHR system is normally operating to provide for decay heat removal in the cold shutdown mode. Therefore, if pressure rises to 600 psig, the RHR system will be automatically isolated. If not, failure of RHR piping or opening of a relief valve would cause a RCPB failure. This system has not been addressed in the fault tree.

2. The fault tree utilizes a conditional gate to address the probability of a RCPB failure given a certain pressure. This pressure is unrealistic in some cases since the pressure will be limited by much lower piping design pressures. For example, in Overpressure Case 1, it is possible for the pressure to be limited by the normal letdown design pressure of 600 psig or the excess letdown design pressure of 150 psig. In either instance, the pressure would never reach the conditional gate value of 2000 psig. This same situation is also present in Overpressure Cases 3, 5, 6, 12, and 13.

3. The fault tree indicates that Primary Water Supply is available under all conditions. In previous versions of the DHR, RS, and Loss of RCPB fault trees, primary water was assumed unavailable for a loss of off-site power condition. The fault trees should be mutually consistent.

4. On page 3, under the subtree, "Insufficient Letdown Compensate for CCPS", three inputs are shown necessary to achieve an insufficient letdown situation at charging minimum flow. Actually, if normal letdown is inoperable and a charging


Valve Not Opened" and "Seal Water Heat Exchanger Bypass Valve Not Opened," involve human error. These should be restructured to assume a mechanical failure.

6. On page 4 (right), the subtrees, "Excess Letdown Path Fails Closed" and "Normal Letdown Path Fails Closed other than Flow Control Orifices," contain situations where letdown flow is blocked by low design pressure components. This would prevent the reactor pressure from reaching the pressure value assumed in the overpressure cases.

7. On page 6 (left), the subtree "Alternate Coolant Source Available" utilizes an "AND" gate for the three inputs depicting possible water sources. Actually, the RWST or Primary Water Supply would be capable of providing sufficient supply. Therefore, the "AND" gate is not adequate and should be restructured. In addition, three of the faults in the subtree involve human error and should be restructured to assume a mechanical failure.
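The Boolean reduction that the SETS code performs on these trees (section 5 of the memorandum), the unity-or-zero device for operator-dependent events (section 1, and the two operator-treatment methods in the comment on "Excess Letdown Path Fails Closed" above), and the consequence of the gate type questioned in the comment on "Alternate Coolant Source Available" can all be seen on a small tree. The Python below is an added example written for this page; it is not code from the memorandum, from Sandia Laboratories or from SETS. The tree structures, every event name and the failure probabilities are constructed for illustration and stand in for, rather than reproduce, the subtrees named in the comments. It treats the reviewer's point that RWST or primary water alone suffices as meaning that loss of the alternate source requires all sources to fail.

```python
"""Small fault-tree evaluator: Boolean reduction to minimal cut sets.

Added example, not part of the NRC memorandum, of Sandia's work, or of the
SETS code. Every gate, event name and probability below is a constructed
placeholder chosen to illustrate the comments, not an identifier taken
from the fault trees under review.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Set, Union

CutSets = Set[FrozenSet[str]]


@dataclass(frozen=True)
class Gate:
    kind: str      # "AND" or "OR"
    inputs: tuple  # basic-event names (str) or nested Gate objects


Node = Union[str, Gate]


def _minimize(sets: CutSets) -> CutSets:
    """Absorption law: drop any cut set that is a strict superset of another."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node: Node, fixed: dict[str, int] | None = None) -> CutSets:
    """Minimal cut sets of `node`.

    `fixed` maps a basic event to 1 (certain: the event always occurs, e.g.
    an operator who takes no action never opens a bypass valve) or to 0
    (impossible: the event never occurs, e.g. an operator who always acts
    correctly). This is the "unity or zero" device from the memorandum.
    A fixed-1 event contributes the empty cut set (its gate is reached
    without it); a fixed-0 event contributes no cut set at all.
    """
    fixed = fixed or {}
    if isinstance(node, str):
        if node in fixed:
            return {frozenset()} if fixed[node] == 1 else set()
        return {frozenset({node})}
    children = [cut_sets(child, fixed) for child in node.inputs]
    if node.kind == "OR":
        return _minimize(set().union(*children))
    if node.kind == "AND":
        if any(not c for c in children):
            return set()  # one impossible input makes the whole AND impossible
        return _minimize({frozenset().union(*combo) for combo in product(*children)})
    raise ValueError(f"unknown gate kind {node.kind!r}")


def top_probability(sets: CutSets, p: dict[str, float]) -> float:
    """Rare-event (minimal cut set upper bound) approximation with independent events."""
    total = 0.0
    for s in sets:
        term = 1.0
        for event in s:
            term *= p[event]
        total += term
    return total


# Constructed tree 1, in the style of "Excess Letdown Path Fails Closed":
# two blockages that each cause the failure only if a manual bypass valve
# is not opened (an operator action), plus one purely mechanical failure.
EXCESS_LETDOWN_FAILS_CLOSED = Gate("OR", (
    Gate("AND", ("SEAL_FILTER_PLUGGED", "SEAL_FILTER_BYPASS_NOT_OPENED")),
    Gate("AND", ("SEAL_HX_BLOCKED", "SEAL_HX_BYPASS_NOT_OPENED")),
    "EXCESS_LETDOWN_AOV_FAILS_CLOSED",
))
HUMAN_ACTION_EVENTS = ("SEAL_FILTER_BYPASS_NOT_OPENED", "SEAL_HX_BYPASS_NOT_OPENED")


def letdown_cut_sets(operator_model: str | None) -> CutSets:
    """None: keep operator actions as basic events.
    "always_correct": method (1), human-error events fixed to 0.
    "no_action": method (2), human-error events fixed to 1."""
    if operator_model is None:
        fixed: dict[str, int] = {}
    elif operator_model == "always_correct":
        fixed = {e: 0 for e in HUMAN_ACTION_EVENTS}
    elif operator_model == "no_action":
        fixed = {e: 1 for e in HUMAN_ACTION_EVENTS}
    else:
        raise ValueError(operator_model)
    return cut_sets(EXCESS_LETDOWN_FAILS_CLOSED, fixed)


# Constructed tree 2: loss of the alternate coolant source with three sources.
# If any one source suffices, the function is lost only when ALL sources fail
# (AND of the failures). Modeling the loss as an OR lets a single source
# failure defeat the function, which is the structural error to avoid.
SOURCES = ("RWST_UNAVAILABLE", "PRIMARY_WATER_UNAVAILABLE", "THIRD_SOURCE_UNAVAILABLE")
NO_ALT_SOURCE_CORRECT = Gate("AND", SOURCES)
NO_ALT_SOURCE_WRONG = Gate("OR", SOURCES)


if __name__ == "__main__":
    for model in (None, "always_correct", "no_action"):
        print(model, sorted(sorted(s) for s in letdown_cut_sets(model)))
    p = {s: 0.1 for s in SOURCES}  # constructed probabilities
    for label, tree in (("AND", NO_ALT_SOURCE_CORRECT), ("OR", NO_ALT_SOURCE_WRONG)):
        cs = cut_sets(tree)
        print(label, sorted(sorted(s) for s in cs), top_probability(cs, p))
```

Running the block prints the minimal cut sets under each operator model. With operator actions kept as basic events, each bypass-valve event appears only in a two-event cut set beside its blockage; under method (1) both AND gates become impossible and only the mechanical AOV failure remains; under method (2) each blockage collapses to a single-event cut set. For the source tree, the AND form yields one three-event cut set and the OR form three single-event cut sets, and with every source given a constructed unavailability of 0.1 the approximate top-event probability moves from 0.001 to 0.3. That difference is why the gate-type comment matters: the cut sets are what the numerical evaluation is built on.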


Comments on the Fault Tree for Reactor Coolant Pressure Boundary (RCPB) Safety Function (Figure 5.3-2 dated 6/30/79)

1. The fault tree does not address the overpressure situation where a loss of feedwater causes an overpressurization of the RCS. This is a very common transient and, therefore, should be incorporated into the fault tree.

2. In Overpressure Cases 7 and 8, the reactor control system would respond and insert control rods to maintain a constant average reactor temperature. The transient would be stable when the heat output from the core was lowered such that the total heat output including the contribution from the RCP was nearly correct for that power level. Therefore, these two cases are not viable methods for RCS overpressurization.

3. On page 3 (far left), the subtree "Insufficient CVCS Letdown with Pump FCV at Min Flow" contains unnecessary inputs. If both the normal and excess letdown paths are closed, the other two inputs (FCV at minimum and contraction insufficient) are not necessary.

4. On page 4 (far left), under "Boric Acid Transfer Pump 1 Output Diverted," one input to the OR gate is entitled "BAT A Return Line AOV 1 Fails Open." It appears that a normally closed manual valve is installed in this line. Therefore, the fault tree should be modified to account for the required failure of this manual valve.

5. On page 4 (center), two basic events, "Seal Flow Return Line Filter Manual Bypass


7. Figure 5.3-5 UFT-CVCS-1
Under "Valve Failures on the Normal or Alternate CVCS Charging Lines," another input to the OR gate entitled "Valve Failures on the Auxiliary Spray Line" should be added. This would include the possible failure of the check valve and air operated valve in the auxiliary spray line.

8. Figure 5.3-5 UFT-CVCS-1
Under "Valve Failures on the Alternate CVCS Charging Line", an input to the AND gate is entitled "AOV in Alternate Charging Line Fails Open with Loss of Air". The possibility exists for the valve to functionally fail to the open position regardless of the status of the control air system. Therefore, the qualifier, "with Loss of Air", should be deleted.

9. Figure 5.3-5 UFT-CVCS-1
The regenerative heat exchanger has not been included in this fault tree. The fact that the regenerative heat exchanger cross-connects both the charging and letdown lines makes it a prime source for a failure that could result in unacceptable core damage.

10. Figure 5.3-5 UFT-CVCS-1
Under "RCS Pressure Boundary Failure due to CVCS Normal Letdown Line", the inputs, "Letdown High Pressure Isolation Valves Fail Open" and "Letdown Relief Valve Fails to Open with Overpressure", are unnecessary. The blockage of flow downstream of the letdown orifice valves would result in an operating reactor pressure of 2235 psig being applied to the relief valve, which has a setpoint of 600 psig. This situation would result in a loss of reactor coolant pressure boundary.

11. Figure 5.3-5 UFT-CVCS-1
Under "RCS Pressure Boundary Failure due to CVCS Excess Letdown Line," I have the following comments:

a. To provide a flow path from the reactor coolant system such that a RCPB failure will result, the three excess letdown air operated valves must fail open. The failure of these valves should not be an input to an OR gate.

b. The input, "Return Flow from Reactor Coolant Pump Seals", should be deleted. A fault tree should contain only failures, not events. In addition, return flow from the seals is normal and does not represent a failure.

c. A more direct method of excess letdown line failure is the pathway resulting from the three air operated valves failing open and the three-way air operated valve failing such that flow is directed to the RCDT.


ENCLOSURE 2

Comments on the Fault Trees for Reactor Coolant Pressure Boundary (RCPB) Safety Function (dated 6/30/79)

1. Figure 5.3 GFT-RCPB-POUS
Under "RCS Pressure Boundary Failure due to Safety and Relief Valves", the fault, "Failure to Close Power Operated Relief Valve Isolation MOV", involves human error. This fault should be restated to specify a mechanical failure, since the scope of the study excludes the consideration of human error.

2. Figure 5.3-1 UFT-LOOPS-C-POHS
The fault tree indicates that a seal failure of any one reactor coolant pump will result in a RCPB failure. It should be noted that this RCPB failure will result in unacceptable core damage only if the charging system is unable to maintain reactor coolant inventory.

3. Figure 5.3-3 UFT-LPS-I-POHS
The potential failure of the SI system if subjected to reactor operating pressure should be more completely addressed. The SI train relief valve setting is significantly lower than the normal operating reactor pressure. The operability or failure of this relief valve should be incorporated into the fault tree or the reasons for its absence should be explained separately.

4. Figure 5.3-3 UFT-LPS-I-POHS
The branch entitled "RCPB Fails thru the RHRS Return Path" is unclear. The normal plant design for PWRs utilizes a single line from one reactor coolant leg to the RHR system with two isolation valves in series. The design which is most typical for operating power plants should be modeled to allow more widely applicable conclusions from the study.

5. Figure 5.3-5 UFT-CVCS-1
Under "High Pressure Flow from RCS Via Pump Seals to CVCS Pumps", the fault tree indicates that a seal failure must occur for reactor coolant to flow back into the charging line. The seal water is injected such that part of the flow travels up through the seals and the remainder flows down through the labyrinth thermal barrier and into the reactor coolant system. Therefore, a seal failure is not necessary to allow backflow into the charging lines.

6. Figure 5.3-5 UFT-CVCS-1
Under "CVCS Charging Pumps Fail to Prevent Reverse Flow", the fault tree contains an input entitled "Charging Pump Fails to Prevent Flow in the Reverse Direction". In actuality, the charging pump must be secured such that it is no longer providing charging flow.


ENCLOSURE 1

ATTENDANCE LIST
MEETING WITH SANDIA LABORATORIES
AUGUST 8-9, 1979
GENERIC TASK NO. A-17

USNRC: D. C. Fischer, T. G. Scarbrough, J. Angelo, J. M. Griesmeyer, John A. Zwolinski
Sandia Laboratories: G. J. Kolb, G. J. Boyd, J. W. Hickman, S. H. McAbren, W. R. Cramond