ML19254E675

Discusses 790806 Memorandum & 790808-09 Meeting W/Sandia Lab Re RCPB Fault Trees & Sys Interaction in Nuclear Power Plants. Requests Review of Comments. Changes to RCPB Fault Trees Encl.
Person / Time
Issue date: 10/17/1979
From: Angelo J, Office of Nuclear Reactor Regulation
To: Office of Nuclear Reactor Regulation
References: REF-GTECI-A-17, REF-GTECI-SU, NUDOCS 7911020147


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

OCT 17 1979

Generic Task No. A-17

MEMORANDUM FOR: Distribution

FROM: J. Angelo, Task Manager, Generic Task No. A-17, Systems Interaction in Nuclear Power Plants

SUBJECT: CHANGES TO RCPB FAULT TREES AND COMMENTS ON THE RCPB FAULT TREES

By memorandum dated August 6, 1979, copies of the fault trees which depict the Reactor Coolant Pressure Boundary (RCPB) safety function were distributed with a notation that we did not propose to replot the fault trees for any corrections until the final report on Phase I of Task A-17 is issued.

Instead, we proposed to make hand-written changes to the fault trees until the final report is prepared.

Sandia Laboratories has made some revisions to the RCPB fault trees. Enclosure 1 to this memorandum is a record of the changes that were made.

At a meeting with Sandia Laboratories on August 8-9, 1979, members of the NRC staff discussed the RCPB fault trees with representatives of Sandia Laboratories.

A summary of that meeting was reported in a memorandum dated August 27, 1979.

At that meeting, we gave Sandia Laboratories a list of comments on the RCPB fault trees.

Enclosures 2, 3 and 4 to this memorandum present a record of the current disposition of these comments.

By copy of this memorandum, NRC staff members assigned to Task A-17, and any other interested parties, are invited to review the comments and the disposition of the comments in Enclosures 2, 3 and 4, and to make their opinions known to the Task Manager or to J. Zwolinski. When you read Enclosures 2, 3 and 4, keep in mind that the first paragraph under each of the numbered sections of the enclosures is the original comment made to Sandia Laboratories.

The subsequent paragraphs under each numbered section are statements of the current disposition of that comment.

J. Angelo
Task Manager
Generic Task No. A-17

Enclosures:

1. Changes to RCPB Fault Trees
2. Comments on Fault Tree Figures 5.3, 5.3-1, 5.3-3, and 5.3-5
3. Comments on Fault Tree Figure 5.3-2
4. Comments on Fault Tree Figure 5.3-7


ENCLOSURE 1
CHANGES TO RCPB FAULT TREES DATED JUNE 30, 1979

1. FIGURE 5.3 GFT-RCPB-POHS 6/30/79

At logic gate RV1-ISO-MOV-OPEN, redefine the fault in the description block as "POWER OP RELIEF VALVE 1 ISOLATION MOV FAILS OPEN." Do the same for valve 2 at gate RV2-ISO-MOV-OPEN.

2. FIGURE 5.3-1 WFT-LOOPS-C-POHS 6/30/79

No changes.

3. FIGURE 5.3-2 WFT-OVER-POHS 6/30/79

a. Sheet 1. No changes.

b. Sheet 2. For overpressure cases 7 and 8, add "SEE NOTES 12 & 13" at the conditional logic gates for these two events. For overpressure case 9, add "SEE NOTE 12" at the conditional logic gate for this event. At logic gate CCP1-OPERATES, redefine the fault in the description block as "CENTRIFUGAL CHARGING PUMP 1 OPERATING." Do the same for pump 2 at the logic gate CCP2-OPERATES.

c. Sheet 3. No changes.

d. Sheet 4. At gate SEAL-FIL-BYP-MV and gate SEAL-HE-BYP-MV, redefine the fault in the description block as "... VALVE FAILS CLOSED" rather than "... VALVE NOT OPENED." At gate EX-LET-3WAY, delete the entire branch as input to logic gate EXCESS-LET.

e. Sheet 5. No changes.

f. Sheet 6. Add "NOTE 13: NOT APPLICABLE FOR PO AND SU" to the list of notes. At gate BACKPRESS-BYPV, indicate that the event is discriminated by "OMEGA." This means that the event at that logic gate will not appear in the cut set. At the gate ALT-SOURCE, change the logic to an OR gate rather than an AND gate. At gates RWST-MOV1-OPEN, RWST-MOV2-OPEN, and EMER-BOR-VAL-O, redescribe the fault as "... VALVE FAILS OPEN" rather than "... VALVE INADVERTENTLY OPENED."

4. FIGURE 5.3-3 WFT-LPS-I-POHS 6/30/79

a. Sheet 1. Delete the fault at LPS-SI-PUMPS as an input to the gate LPS-CL-SI, and therefore eliminate the AND gate LPS-CL-SI.

b. Sheet 2. Delete the fault at LPS-SI-PUMPS as an input to the gate LPS-SI-RHR, and therefore eliminate the AND gate LPS-SI-RHR. Delete the entire branch headed by LPS-SI-PUMPS. At all of the faults which are inputs to logic gate LPS-RHR-RETURN, revise the event descriptions to show that the fault is that the particular valve "... FAILS OPEN," and add the full event description to the vacant block at RHR-RET-1-MOVA, which is "MOV A OF THE FIRST PAIR OF MOVS IN THE RHRS RETURN FAILS OPEN." Also, at gate RHR-RET-2-MOVAB, delete the words "RHR-RET-1-MOVA" from the event description block.

5. FIGURE 5.3-4 WFT-HPS-I-POHS 6/30/79

Delete the faults CC-PUMP 1 and CC-PUMP 2 as inputs to their AND gates. Also correct the title block of Fig. 5.3-4 to "... POHS."

6. FIGURE 5.3-5 WFT-CVCS-I-POHS 6/30/79

a. Sheet 1. Delete the entire branch at logic gate CVCS-LET-LINES. (Part of the branch appears on overlapping Sheet 2.) As input to the gate CVCS-NOL-AOL, add a new branch as follows (the branch is drawn as a small diagram in the original; only its labels are reproduced here):

CVCS-ASL: VALVE FAILURES ON THE AUX SPRAY CVCS LINE, with inputs
AUX-SPRAY-CV-O: PRESSURIZER AUX SPRAY INPUT CV FAILS IN THE REVERSE DIRECTION
AUX-SPRAY-AOV-O: PRESSURIZER AUX SPRAY AOV FAILS OPEN

b. Sheet 2. At faults CC-PUMP 1 and CC-PUMP 2, redescribe the event as "... PUMP FAILS TO OPERATE AND PREVENT..." instead of "... PUMP FAILS TO PREVENT..." Delete the faults EXC-LET-RV and CVCS-EXC-BLOCK as inputs to gate CVCS-EXC-LET and thus eliminate that AND gate. Also correct the Figure 5.3-5 title block by adding "... POHS."

7. FIGURE 5.3-6 WFT-ACC-I-POHS 6/30/79

No logic changes, except correct the Figure 5.3-6 title block to "POHS."

8. FIGURE 5.3-7 WFT-RCPB-CS 6/30/79

a. Sheet 1. Change the event which is input to gate OVERPRESS-2 to APPROX-1500-PSIG, and change the event description also to "... 1500 PSIG." At the gate RCPB-CS, add a new branch input according to the attached diagram.

b. Sheet 2. At the gate PRESS-REL-VAL, add a triangle just to the left of the event block and above the words "SEE OUTPUT LIST." At gate PDP-LETDOWN, delete "PDP" from the event description in the event block and add "100 GPM," and add "SEE NOTES 7 AND 10" just to the right of the logic gate. At gate LET-LESS-100GPM, delete the words "PDP OUTPUT" in the event description block and add "100 GPM." At gate FCV-O-A75B75, complete the word "PATHS" in the event description block.

c. Sheet 3. At gates VARIABLE-HEAT-A and VARIABLE-HEAT-B, add "SEE NOTE 2" just below the event description block.

d. Sheet 4. At gate PRESS-SPRAYS, delete the words "... BOTH NORMAL AND ..." from the event description. At gate PDP-LETDOWN, delete "PDP" from the event description and add "100 GPM" in the event description block.

e. Sheet 5. Delete the entire branch at gate EX-LET-3WAY. Also, delete the branch at LET-ORIFICE-OUT.

f. Sheet 6. Add the following notes:

NOTE 10: ASSUMING 100 GPM IS SUFFICIENT AUX SPRAY FLOW FROM THE PDP, ONLY 100 GPM IS REQUIRED FROM THE CCPS AND THE COMPENSATING LETDOWN IS THUS 100 GPM IN BOTH CASES.

NOTE 11: THE DESIGN PRESSURE OF THE RHRS IS 600 PSIG, THUS THE SITUATION PRESENTED IN THIS CASE CLEARLY EXCEEDS ITS CAPABILITY TO WITHSTAND OVERPRESSURE.

NOTE 12: BOTH OF THESE VALVES ARE ASSUMED TO OPEN DUE TO RHRS OPERATION PRIOR TO THE OCCURRENCE.

ATTACHMENT TO ENCLOSURE 1
Sheet 1, Figure 5.3-7: new branch input to gate RCPB-CS. The diagram is not legible in this copy; only the labels that can be read are reproduced below, and the remaining gate labels are illegible.

RCPB-CS: FAILURE OF THE RCPB THROUGH THE RHRS LINE DUE TO OVERPRESSURE (one word in the description is illegible)
RCPB-RHRS-CS (SEE NOTE 11)
ANY OVERPRESSURE CAUSE OCCURS FROM THE RCS TO THE RHRS
RETURN PATH OPEN
RHRS-RETURN (SEE NOTE 12)
RHR-RET-1-MOVA: MOV A OF THE FIRST PAIR OF MOVS IN THE RHRS RETURN FAILS OPEN
RHR-RET-2-MOVA: MOV A OF THE SECOND PAIR OF MOVS IN THE RHRS RETURN FAILS OPEN

ENCLOSURE 2
COMMENTS ON FAULT TREE FIGURES 5.3, 5.3-1, 5.3-3, AND 5.3-5

1. Figure 5.3 GFT-RCPB-POHS

Under "RCS Pressure Boundary Failure due to Safety and Relief Valves," the fault "Failure to Close Power Operated Relief Valve Isolation MOV" involves human error. This fault should be restated to specify a mechanical failure, since the scope of the study excludes the consideration of human error.

The fault tree has been revised to show these events as "Power Operated Relief Valve Isolation Valve Fails Open," for valves 1 and 2. This comment raises the more general question of how to treat events that are operator actions. Sandia intends to discriminate between actions that can be taken from the control room and those which require the operator to leave the control room.

2. Figure 5.3-1 WFT-LOOPS-C-POHS

The fault tree indicates that a seal failure of any one reactor coolant pump will result in a RCPB failure. It should be noted that this RCPB failure will result in unacceptable core damage only if the charging system is unable to maintain reactor coolant inventory.

No change has been made to the fault tree logic, and no changes are anticipated. Subsequent to the meeting, we informed Sandia that the event described as "Reactor Coolant Pump Seals Rupture" is a credible event and in fact has already occurred at a nuclear facility. At the H. B. Robinson plant, all three seals of one reactor coolant pump failed, resulting in an unisolatable leak from the RCS. The maximum leak rate was estimated to be 400 gpm. This exceeded the capacity of the normal makeup system. A safety injection system provided the coolant makeup, as it was designed to do, and the fuel was adequately cooled. There is still a question whether the failure of one pump's seals can affect the performance of the other pumps through adverse effects on the seal flow and bearing cooling, because all pumps share a common seal return line. This item may need some further discussion and consideration.

3. Figure 5.3-3 WFT-LPS-I-POHS

The potential failure of the SI system if subjected to reactor operating pressure should be more completely addressed. The SI train relief valve setting is significantly lower than the normal operating reactor pressure. The operability or failure of this relief valve should be incorporated into the fault tree, or the reasons for its absence should be explained separately.

The absence of the relief valve is justified on the basis that its capacity is limited (perhaps to as little as 20 gpm) and thus can only accommodate trivial amounts of leakage from the reactor coolant system into the SI system, typically through check valves. The relief valve is normally, therefore, not effective in preventing failure of the SI system. Also, if the relief valve were to "fail open," this event would not cause a significant loss of reactor coolant.

4. Figure 5.3-3 WFT-LPS-I-POHS

The branch entitled "RCPB Fails thru the RHRS Return Path" is unclear. The normal plant design for PWRs utilizes a single line from one reactor coolant leg to the RHR system with two isolation valves in series. The design which is most typical for operating power plants should be modeled to allow more widely applicable conclusions from the study.

While this comment has some general merit, the plant logic model serves the purpose of inserting the generic pathway into the systems interaction study. In the existing logic, there are four fault combinations that could cause the potential failure. If the logic is changed to show a single line with two valves in series, then there will be only one possible fault combination. Therefore, for purposes of systems interaction, the present logic model, which depicts four valves in a parallel arrangement, may be more demonstrative of the potential interactions. These remarks do not, of course, apply when the decay heat removal function is under consideration.

5. Figure 5.3-5 WFT-CVCS-I

Under "High Pressure Flow from RCS Via Pump Seals to CVCS Pumps," the fault tree indicates that a seal failure must occur for reactor coolant to flow back into the charging line. The seal water is injected such that part of the flow travels up through the seals and the remainder flows down through the labyrinth thermal barrier and into the reactor coolant system. Therefore, a seal failure is not necessary to allow backflow into the charging lines.

We have again considered this comment and conclude that seal failure is not a necessary condition. Therefore, the faults identified as "Reactor Coolant Pump Seal Fails Allowing Back-flow Into Charging Lines" should be deleted.

6. Figure 5.3-5 WFT-CVCS-I

Under "CVCS Charging Pumps Fail to Prevent Reverse Flow," the fault tree contains an input entitled "Charging Pump Fails to Prevent Flow in the Reverse Direction." In actuality, the charging pump must be secured such that it is no longer providing charging flow.

The fault tree has been revised to reflect the comment. The input is now entitled "Charging Pump Fails to Operate and Prevent Flow in the Reverse Direction."


7. Figure 5.3-5 WFT-CVCS-I

Under "Valve Failures on the Normal or Alternate CVCS Charging Lines," another input to the OR gate entitled "Valve Failures on the Auxiliary Spray Line" should be added. This would include the possible failure of the check valve and air operated valve in the auxiliary spray line.

The fault tree has been revised to include the additional input fault to the logic gate CVCS-NOL-AOL.

8. Figure 5.3-5 WFT-CVCS-I

Under "Valve Failures on the Alternate CVCS Charging Line," an input to the AND gate is entitled "AOV in Alternate Charging Line Fails Open with Loss of Air." The possibility exists for the valve to functionally fail to the open position regardless of the status of the control air system. Therefore, the qualifier "with Loss of Air" should be deleted.

We agree that the event description should be revised to delete the qualifier. However, the fault tree has not yet been revised in this regard. We realize, of course, that the fault logic will not change.

9. Figure 5.3-5 WFT-CVCS-I

The regenerative heat exchanger has not been included in this fault tree. The fact that the regenerative heat exchanger cross-connects both the charging and letdown lines makes it a prime source for a failure that could result in unacceptable core damage.

Our scope of work does not at the present time include pipe ruptures as faults. Therefore, the fault tree will not be revised to include the heat exchanger failure.

10. Figure 5.3-5 WFT-CVCS-I

Under "RCS Pressure Boundary Failure due to CVCS Normal Letdown Line," the inputs "Letdown High Pressure Isolation Valves Fail Open" and "Letdown Relief Valve Fails to Open with Overpressure" are unnecessary. The blockage of flow downstream of the letdown orifice valves would result in an operating reactor pressure of 2235 psig being applied to the relief valve, which has a setpoint of 600 psig. This situation would result in a loss of reactor coolant pressure boundary.

We agree that these two faults should be deleted. We discussed this with Sandia Laboratories and concluded that the entire branch should be removed from this fault tree on the RCPB function and placed in the DHR function. Sandia Laboratories has deleted the branch at logic gate CVCS-LET-LINES from this fault tree. We intend to review the DHR fault tree for these particular faults.


11. Figure 5.3-5 WFT-CVCS-I

Under "RCS Pressure Boundary Failure due to CVCS Excess Letdown Line," I have the following comments:

a. To provide a flow path from the reactor coolant system such that a RCPB failure will result, the three excess letdown air operated valves must fail open. The failure of these valves should not be an input to an OR gate.

b. The input "Return Flow from Reactor Coolant Pump Seals" should be deleted. A fault tree should contain only failures, not events. In addition, return flow from the seals is normal and does not represent a failure.

c. A more direct method is the excess letdown line failing open and the three-way air operated valve failing such that flow is directed to the RCDT.

The entire branch has been deleted from this fault tree and restructured to depict "loss of inventory" in the DHR safety function fault tree.

ENCLOSURE 3
Comments on the Fault Tree for the Reactor Coolant Pressure Boundary (RCPB) Safety Function (Figure 5.3-2 dated 6/30/79)

1. The fault tree does not address the overpressure situation where a loss of feedwater causes an overpressurization of the RCS. This is a very common transient and, therefore, should be incorporated into the fault tree.

We are not convinced that this particular cause of overpressurization needs to be depicted on the RCPB fault tree because we do not believe that any system interaction will be lost. All significant events associated with the loss of feedwater should be revealed in the DHR fault tree. Also, all significant events that are essential to the RCPB function should be shown in the RCPB fault tree. It is agreed that this cause of overpressurization can be shown in the fault tree, but it is not clear that any useful purpose will be accomplished.

2. In Overpressure Cases 7 and 8, the reactor control system would respond and insert control rods to maintain a constant average reactor temperature. The transient would be stable when the heat output from the core was lowered such that the total heat output, including the contribution from the RCP, was nearly correct for that power level. Therefore, these two cases are not viable methods for RCS overpressurization.

The fault trees have been revised to show that these two cases are not applicable during power operation or startup, which is when the control rods are withdrawn and therefore can respond to the overpressure event.

3. On page 3 (far left), the subtree "Insufficient CVCS Letdown with Pump FCV at Min Flow" contains unnecessary inputs. If both the normal and excess letdown paths are closed, the other two inputs (FCV at minimum and contraction insufficient) are not necessary.

We believe that these inputs CCP-FCV-MIN and CONTRACTION are superfluous and should be deleted. The fault trees have not yet been revised in this regard.

4. On page 4 (far left), under "Boric Acid Transfer Pump 1 Output Diverted," one input to the OR gate is entitled "Bat A Return Line AOV 1 Fails Open." It appears that a normally closed manual valve is installed in this line. Therefore, the fault tree should be modified to account for the required failure of this manual valve.

As the fault tree is now structured, it is conservative to ignore the manual valve (in effect, assume it has been left open inadvertently). However, there is an existing flow path around the normally closed manual valve. Therefore, in effect only one control actuation fault is necessary to create the diverted flow, and that is the AOV-1 "fails open." Therefore, we conclude that the fault tree should not be revised to include the normally closed manual valve which is in the same line as the AOV.

5. On page 4 (center), two basic events, "Seal Flow Return Line Filter Manual Bypass Valve Not Opened" and "Seal Water Heat Exchanger Bypass Valve Not Opened," involve human error. These should be restructured to assume a mechanical failure.

The fault tree has been revised to show these faults as "... valve fails open." Note, however, that the entire branch which includes these two faults has been deleted from the RCPB fault tree and will now appear, restructured, in the DHR fault tree.

6. On page 4 (right), the subtrees "Excess Letdown Path Fails Closed" and "Normal Letdown Path Fails Closed other than Flow Control Orifices" contain situations where letdown flow is blocked by low design pressure components. This would prevent the reactor pressure from reaching the pressure value assumed in the overpressure cases.

We believe that most of the low design pressure components have been deleted from the fault tree because the branch input at logic gate EX-LET-3WAY and the branch at gate LET-ORIFICE-OUT have been deleted from the RCPB fault tree.

7. On page 6 (left), the subtree "Alternate Coolant Source Available" utilizes an "AND" gate for the three inputs depicting possible water sources. Actually, the RWST or Primary Water Supply would be capable of providing sufficient supply. Therefore, the "AND" gate is not adequate and should be restructured. In addition, three of the faults in the subtree involve human error and should be restructured to assume a mechanical failure.

The fault tree has been revised to correct these items. The AND logic gate ALT-SOURCE has been changed to an OR gate and the three faults have been redescribed to indicate "... fails open" as the fault.

ENCLOSURE 4
Comments on the Fault Tree for the Reactor Coolant Pressure Boundary (RCPB) Safety Function (Figure 5.3-7, dated July 2, 1979)

1. The RHR system is normally operating to provide for decay heat removal in the cold shutdown mode. Therefore, if pressure rises to 600 psig, the RHR system will be automatically isolated. If not, failure of RHR piping or opening of a relief valve would cause a RCPB failure. This system has not been addressed in the fault tree.

The fault tree has been revised to depict the faults described above during the cold shutdown mode of operation, when the RHRS is in operation.

2. The fault tree utilizes a conditional gate to address the probability of a RCPB failure given a certain pressure. This pressure is unrealistic in some cases since the pressure will be limited by much lower piping design pressures. For example, in Overpressure Case 1, it is possible for the pressure to be limited by the normal letdown design pressure of 600 psig or the excess letdown design pressure of 150 psig. In either instance, the pressure would never reach the conditional gate value of 2000 psig. This same situation is also present in Overpressure Cases 3, 5, 6, 12 and 13.

It appears that the restructured fault tree of Figure 5.3-7, which deletes the branches which are inputs to the logic gates at LET-ORIFICE-OUT in the normal letdown path and EX-LET-3WAY in the excess letdown path, removes most of the lower design pressure items from the tree and thus resolves the comment.

3. The fault tree indicates that Primary Water Supply is available under all conditions. In previous versions of the DHR, RS, and Loss of RCPB fault trees, primary water was assumed unavailable for a loss of off-site power condition. The fault trees should be mutually consistent.

It appears that the fault trees have not been revised to reflect that for the loss of off-site power, primary water may not be available. We need to explore this further.

4. On page 3, under the subtree "Insufficient Letdown to Compensate for CCPs," three inputs are shown necessary to achieve an insufficient letdown situation at charging minimum flow. Actually, if normal letdown is inoperable and a charging pump is delivering high flow, the failure of the excess letdown line is not necessary. Therefore, the OR gate shown in the subtree should have only two inputs, "Charging Pump Output Flow Control Valve Fails Open" and "Normal Letdown Path Fails Closed."

The fault tree has not been revised for this item, and it is not yet clear whether it should be changed. It appears that the third input, which is "Charging Pump Output Flow Control Valve in Minimum Position at 32 GPM," really describes a conditional event rather than a fault. If this is true, then the logic as it now exists may still yield the same result in the cut sets.
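The following is a worked example added by the editor of this page; it is not part of the memorandum or of Sandia's report. It computes minimal cut sets for small AND/OR fault trees to make three of the points above concrete: the four fault combinations versus one in the RHRS return path (Enclosure 2, item 4), the effect of changing ALT-SOURCE from an AND gate to an OR gate (Enclosure 1, item 3.f and Enclosure 3, item 7), and why treating the "flow control valve in minimum position" input as a conditional event rather than a fault gives the same cut set as the two-input gate the comment asks for (Enclosure 4, item 4), which is also the effect the memorandum describes for an event discriminated by OMEGA (Enclosure 1, item 3.f). The tree structures, the pairing of valves in the RHRS return path, and every event name not taken from the memorandum (RHR-RET-1-MOVB, RHR-RET-2-MOVB, RHR-ISO-MOV-1, RHR-ISO-MOV-2, LET-INSUFFICIENT, CCP-FCV-FAILS-OPEN, NORMAL-LETDOWN-CLOSED, CCP-FCV-MIN-32GPM) are assumptions for illustration, since the figures themselves are not reproduced on this page.

```python
"""Minimal cut sets of small AND/OR fault trees, with conditional (house) events."""
from itertools import product

# A tree maps each gate name to (gate_type, inputs). Any name that is not a
# gate is a basic event. All trees below are constructed for illustration and
# are not Sandia's figures.


def cut_sets(tree, top, house=frozenset()):
    """Return the minimal cut sets of gate `top` as a set of frozensets of basic events.

    Names in `house` are conditional events assumed TRUE. They drop out of
    every cut set, which is the effect the memorandum describes for an event
    discriminated by OMEGA: it "will not appear in the cut set".
    """

    def expand(node):
        if node in house:
            return {frozenset()}  # condition holds; contributes no fault
        if node not in tree:
            return {frozenset([node])}  # basic event: a cut set of one fault
        gate_type, inputs = tree[node]
        if gate_type == "OR":
            # Any one input failing fails the gate: union of the inputs' cut sets.
            result = set()
            for child in inputs:
                result |= expand(child)
            return result
        if gate_type == "AND":
            # Every input must fail: combine one cut set from each input.
            result = {frozenset()}
            for child in inputs:
                result = {a | b for a, b in product(result, expand(child))}
            return result
        raise ValueError(f"unknown gate type {gate_type!r} at {node}")

    return minimize(expand(top))


def minimize(sets):
    """Absorption: drop any cut set that strictly contains another cut set."""
    return {s for s in sets if not any(other < s for other in sets)}


# 1. RHRS return path (Enclosure 2, item 4). Two pairs of parallel MOVs in
#    series gives four fault combinations; a single line with two isolation
#    valves in series gives one. The pairing is assumed from the memo's count.
RETURN_PARALLEL = {
    "RHRS-RETURN": ("AND", ["RHR-RET-1", "RHR-RET-2"]),
    "RHR-RET-1": ("OR", ["RHR-RET-1-MOVA", "RHR-RET-1-MOVB"]),
    "RHR-RET-2": ("OR", ["RHR-RET-2-MOVA", "RHR-RET-2-MOVB"]),
}
RETURN_SERIES = {"RHRS-RETURN": ("AND", ["RHR-ISO-MOV-1", "RHR-ISO-MOV-2"])}

# 2. ALT-SOURCE before and after the AND -> OR change (Enclosure 1, item 3.f;
#    Enclosure 3, item 7). Under AND all three valve faults are needed at once;
#    under OR any single fault suffices.
ALT_SOURCES = ["RWST-MOV1-OPEN", "RWST-MOV2-OPEN", "EMER-BOR-VAL-O"]
ALT_SOURCE_AND = {"ALT-SOURCE": ("AND", ALT_SOURCES)}
ALT_SOURCE_OR = {"ALT-SOURCE": ("OR", ALT_SOURCES)}

# 3. Insufficient letdown (Enclosure 4, item 4), modeled as an AND of three
#    inputs. The "FCV in minimum position" input is a condition, not a fault;
#    marking it as a house event leaves exactly the two faults the comment
#    asks for. Event names are assumed.
LETDOWN = {
    "LET-INSUFFICIENT": (
        "AND",
        ["CCP-FCV-FAILS-OPEN", "NORMAL-LETDOWN-CLOSED", "CCP-FCV-MIN-32GPM"],
    )
}


def compare():
    """Cut sets for each constructed tree, keyed by case name."""
    return {
        "return_parallel": cut_sets(RETURN_PARALLEL, "RHRS-RETURN"),
        "return_series": cut_sets(RETURN_SERIES, "RHRS-RETURN"),
        "alt_source_and": cut_sets(ALT_SOURCE_AND, "ALT-SOURCE"),
        "alt_source_or": cut_sets(ALT_SOURCE_OR, "ALT-SOURCE"),
        "letdown_as_fault": cut_sets(LETDOWN, "LET-INSUFFICIENT"),
        "letdown_as_condition": cut_sets(
            LETDOWN, "LET-INSUFFICIENT", house={"CCP-FCV-MIN-32GPM"}
        ),
    }


if __name__ == "__main__":
    for case, sets in compare().items():
        print(case, sorted(sorted(s) for s in sets))
```

Running the script prints four two-valve cut sets for the parallel arrangement against one for the series line, three single-fault cut sets for ALT-SOURCE as an OR gate against one three-fault cut set as an AND gate, and the same two-fault cut set for the letdown case whether the third input is removed or treated as a condition. The absorption step in `minimize` matters as soon as branches overlap (an OR of A and A-AND-B reduces to A); attack trees used in threat modeling have the same AND/OR semantics, so the routine applies to them unchanged.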


5. The conditional gates shown for the Overpressure Cases appear to have the wrong pressure value in some instances. Where applicable, the values should be changed to correspond to the correct PORV and safety valve settings, and Safety Injection pump design pressure.

The pressure value for Overpressure Case 2 has been changed to "APPROX-1500 PSIG." We have discussed these cases with Sandia Laboratories and it is now our understanding that the pressure values selected were not meant to correspond in all cases to the correct PORV or safety valve settings. If you will refer to the event trees depicted in Figures 2-6 and 2-7 of the Third Interim Report, you most likely will be able to discern what Sandia has tried to accomplish. The simplest explanation is that the various overpressure cases have been selected to represent some probability of RCS boundary failures at pressures below the relief or safety valve set points.

6. On page 5, under the subtree "Excess Letdown Path Fails Closed," two inputs, "Seal Flow Return Line Filter Manual Bypass Valve Not Opened" and "Seal Water Heat Exchanger Bypass Valve Not Opened," involve human error. Since the scope of the study excludes human error, these inputs should be restated to assume a mechanical failure. The exclusion of human error can be accomplished by one of the two following methods: (1) the operator is assumed to perform every possible correct action on time and following the correct sequence in an attempt to achieve a safe plant condition, or (2) the operator is assumed to perform absolutely no action whatsoever and the plant reacts independently. I believe that the latter method is more realistic. In either case, the fault trees should be conceived and structured consistent with the method which is selected.

This particular branch of the fault tree which contains these two events has been deleted from the RCPB fault tree. Nonetheless, the comment is valid. Sandia Laboratories intends to deal with the problem by assuming operator faults for actions that can be taken in the control room, and by assuming no action whatsoever if the action is external to the control room.

7. On page 4 (far left), under "Boric Acid Transfer Pump 1 Output Diverted," one input to the OR gate is entitled "Bat A Return Line AOV 1 Fails Open." It appears that a normally closed manual valve is installed in this line. Therefore, the fault tree should be modified to account for the required failure of this manual valve.

Examination of the particular piping arrangement shows that there is a flow path around the normally closed manual valve installed in the line with the AOV. Therefore, the fault tree as structured appears to depict the least number of faults that could divert the flow from the boric acid transfer pumps.

8. On page 4, the subtree "Failure of Both Normal and Aux Pressurizer Sprays" appears incomplete. The failure of normal spray capability through mechanical failure or loss of the reactor coolant pumping power has not been addressed.

The fault tree has been corrected to depict that this branch is now applicable only to the failure of the auxiliary sprays. Therefore, the branch now appears to be complete.

9. On page 5 (far left), under "Centrifugal Charging Pump Trains or Letdown Fails," the input for insufficient letdown is in error. The input should concern insufficient letdown for the centrifugal charging pumps, not the positive displacement pump.

The fault tree has been corrected to depict the fault as "insufficient letdown to compensate for 100 gpm," and deletes the mention of the positive displacement pump. This revision appears to resolve the comment.