ML19254F760

Forwards Info Re Abnormal Transient Operating Guidelines Program,Including RA Fortney Safety Function & Protection Sequence Analysis & Excessive Feedwater Safety Sequence Diagram.Two Oversize Drawings Encl
ML19254F760
Person / Time
Site: Arkansas Nuclear
Issue date: 11/07/1979
From: Trimble D
ARKANSAS POWER & LIGHT CO.
To: Reid R
Office of Nuclear Reactor Regulation
References
1-119-6, NUDOCS 7911160542


Text

ARKANSAS POWER & LIGHT COMPANY
POST OFFICE BOX 551, LITTLE ROCK, ARKANSAS 72203 (501) 371-4000
MEMBER MIDDLE SOUTH UTILITIES SYSTEM

November 7, 1979

1-119-6

Director of Nuclear Reactor Regulation
ATTN: Mr. R. W. Reid, Chief
Operating Reactor Branch #4
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

Subject: Arkansas Nuclear One-Unit 1
Docket No. 50-313
License No. DPR-51
Abnormal Transient Operating Guidelines Program
(File: 1510.1)

Gentlemen:

Pursuant to a verbal request by Mr. Tom Novak of the NRC staff in a meeting in Lynchburg, Virginia on October 15, 1979, and later confirmed via a telephone conversation between your Mr. R. Capra and our Mr. D. Mardis, the following information as it relates to the Abnormal Transient Operating Guidelines (ATOG) Program for Arkansas Nuclear One - Unit 1 is provided.

Attachment 1: Narrative Description of the ATOG Program Technique entitled "Safety Function and Protection Sequence Analysis", by R. A. Fortney et al (5 copies).

Attachment 2: Explanation of the Role of Safety Sequence and System Auxiliary Diagram in the Development of Abnormal Transients Operating Guidelines (5 copies).

Attachment 3: Excessive Feedwater Safety Sequence Diagram for Arkansas Nuclear One-Unit 1 (1 copy) - preliminary version without review.

We note a copy of the Excessive Feedwater Event Tree was provided to the NRC staff at the Lynchburg meeting. Also, the program has not progressed to the point where draft guidelines are available. From our discussion with the B&O Task Force, we understand this information will be used to evaluate the ATOG Program prior to a meeting with the B&W Owner Group.

Very truly yours,

David C. Trimble
Manager, Licensing

DCT/DGM/ew

SAFETY FUNCTION AND PROTECTION SEQUENCE ANALYSIS

Authored by
R. A. Fortney and J. T. Snedeker of EDS Nuclear
and
J. E. Howard and W. W. Larson of Boston Edison Company

Presented at the American Nuclear Society Winter Meeting, November 11-16, 1973, San Francisco, California

Safety Function and Protection Sequence Analysis

Abstract

Today's complex nuclear plant safety requirements demand a planned and systematic engineering approach to identify the functional design requirements of the nuclear plant systems. This systems engineering concept is required to ensure that the nuclear plant design satisfies the various federal regulations and industry standards. The Safety Function and Protection Sequence Analysis provides such a systematic design verification process. The plant safety functions essential to achieving acceptable consequences following postulated accidents and transients are first carefully identified, and then the sequence of prime system responses that form redundant success paths to the safety functions are diagrammed as Safety Sequence Diagrams (SSD). Systems that act as essential auxiliaries in supporting the prime safety systems are functionally diagrammed on Safety Systems Auxiliary Diagrams (SSAD). When complete, the SSD's and SSAD's form the basis for comprehensive design review of all safety related systems. Because the full range of plant conditions is considered in evaluating each postulated event, the true design criteria and requirements are easily derived and documented for each safety related system, structure and component; the Quality Assured Items List is established; and redundancy and separation criteria are set. The SSD's and SSAD's also facilitate the identification of Seismic Category I equipment and structures. Systematic criteria are established for protection against pipe whip, jet impingement, fire and flooding. The information on the SSD's and SSAD's also forms the basis for the development of operating technical specifications. The concentrated effort required to perform the Safety Function and Protection Sequence Analysis is repaid many times over through the resulting benefits the analysis brings to today's nuclear project.

Introduction

Developments over the past decade in nuclear plant safety technology have given birth to numerous technically complex nuclear plant design and operational requirements. The proper application of the AEC requirements and industry codes and standards offers a significant challenge to nuclear plant engineers, managers and operators alike. The overall effect of the Safety Function and Protection Sequence Analysis is to systematize the identification of the functional design requirements to the nuclear power plant design. Developed as a systematic approach to the nuclear safety aspects of the Pilgrim Unit 2 design, the Safety Function and Protection Sequence Analysis (SFPSA) identifies the necessary and sufficient functional design requirements of the nuclear power station to ensure protection of the public health and safety.

The SFPSA provides the following specific benefits for a nuclear project:

1. A complete response to Section 15.1 of the AEC's Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants.

2. A systematic and consistent identification of all systems, structures and components that must be on the Quality Assured Items List and subjected to a Quality Assurance Program satisfying the requirements of 10CFR50, Appendix B.

3. A systems level design verification process satisfying, in part, the design control requirements of 10CFR50, Appendix B.

4. A systems level failure modes and effects analysis which assists in the identification of the necessary inputs for the development of functional, physical and electrical separation criteria.

5. A systems level, single failure analysis as required by IEEE 279, IEEE 379 and Regulatory Guide 1.53.

6. A documented basis for establishing operating plant technical specifications for inclusion in Chapter 16.0 of the Safety Analysis Report.

7. A documented basis for the preparation and review of those plant operating procedures which address abnormal and accident conditions.

8. A learning and training aid for engineers and operators to facilitate understanding of the integrated plant response to various plant abnormal and accident conditions.

TABLE I
EVENTS CLASSIFICATION FOR PILGRIM 2

SFPSA event category | Event frequency | 10CFR50, App. A event category | 10CFR50, App. I event category | ANSI N18.2 event category
Planned Operation | Routine | Normal Operation | Normal Reactor Operation | Condition I; Normal Operation
Expected Operational Occurrences | ≥ 1/year | Anticipated Operational Occurrences | Expected Operational Occurrences | Condition II; Incidents of Moderate Frequency
Infrequent Operational Occurrences | 1/40 yrs ≤ f < 1/yr | Anticipated Operational Occurrences | Expected Operational Occurrences | Condition III; Infrequent Incident
Accident | < 1/40 yrs | - | - | Condition IV; Limiting Faults

Development of the Safety Function and Protection Sequence Analysis

The fundamental objective of the nuclear plant design is to develop the functional requirements of the plant's safety systems to prevent the occurrence of specified unacceptable results during a postulated event. To achieve this proper plant design, a consistent systems engineering analysis must be developed. The Safety Function and Protection Sequence Analysis, the development of which is described in the following paragraphs, is an example of this required systems engineering analysis.

Event Classification and the Unacceptable Results

The first task in the analysis is to categorize the postulated events and to select the unacceptable results for each event category. The postulated events are grouped into event categories based upon some common event initiating characteristic, such as expected frequency of occurrence or the event initiating mechanism (e.g., pipe breaks). Event categories are not based upon event consequences because such categorization would involve circular reasoning. The event consequences are dependent upon the plant safety systems for which the design requirements are sought. Consideration is given to the various event classifications set forth in such regulatory and industry literature as 10CFR50 and its appendices and ANSI N18.2. Table I lists the event categories used in the Boston Edison Pilgrim 2 SFPSA and compares them to the event classifications used in other industry publications. Expected frequency of occurrence was used as the basic event classification characteristic.

After classifying the events into categories, the specific unacceptable results applicable to each category are defined. To define the unacceptable results the specific design limits associated with the proposed nuclear plant are identified. For the Boston Edison Pilgrim 2 analysis these limits were selected from the design criteria for the plant and included consideration of the AEC's Federal Regulation, Safety and Regulatory Guides, Interim Acceptance Criteria and Interim Policy Statement on Emergency Core Cooling; and the ASME codes and IEEE standards. Because the unacceptable results must be specific and measurable to be useful in the SFPSA, certain key plant variables or parameters are associated with the specific design limits of the plant, and thus with the unacceptable results. Examples of these plant parameters are fuel centerline temperature, site boundary dose, and containment structure stress. The unacceptable results are developed from the design limits using these key plant variables. Table II lists the unacceptable results used in the Pilgrim 2 analysis.

Having defined the unacceptable results for each event category, the plant safety functions must be identified and developed. These safety functions are the functional means whereby the important plant variables are controlled or limited following a postulated event to avoid the unacceptable results.

The development of the safety function is one of the major steps in the SFPSA. As a safety function is developed, the initial functional design requirements of the nuclear plant systems are established. For example, the safety function "Trip Reactivity Control" establishes the functional requirement for the rapid insertion of negative reactivity into the reactor core to prevent a certain plant parameter, DNBR, from exceeding its design limit.

The development of the safety functions is complete when it establishes all the functional design requirements essential to avoid the unacceptable results for all the event categories. To assist in developing all the required safety functions, a matrix is used to relate the safety functions to the unacceptable results. This enables the plant analyst to gain a functional overview of the safety functions and their effects. Table III lists the safety functions identified for the Pilgrim 2 unit. Table IV is the matrix showing the correspondence between the safety functions and the unacceptable results for the Pilgrim 2 SFPSA.

TABLE II
UNACCEPTABLE RESULTS FOR PILGRIM 2 SFPSA

EXPECTED OPERATIONAL OCCURRENCES

A. Radioactive Material Release
   1. Radioactive material release to the environment exceeding the limits of 10CFR50, proposed Appendix I.
B. Fuel Limits
   1. DNBR < 1.3 (W-3 correlation)
   2. Fuel centerline temperature ≥ UO2 melting temperature
C. Reactivity Limits
   1. Inability to achieve a shutdown margin at no load reactor coolant temperature immediately following automatic reactor trip with the most reactive CEA fully withdrawn and all other CEA's fully inserted.
   2. Inability to achieve and maintain a shutdown margin following the event.
D. Primary System Stress
   1. Primary system stress in excess of that for which the primary system is designed, as determined by the following:
      a. Primary system pressure > 2750 psia when reactor coolant system temperature is ≥ LST.
      b. Primary system pressure > allowable when reactor coolant system temperature < LST.
      c. Primary system thermal transients in excess of those considered in the primary system design.
E. Secondary System Stress
   1. Secondary system stress in excess of that for which the secondary system is designed, as determined by the following:
      a. Secondary system pressure > 1320 psia.
      b. Secondary system thermal transients in excess of those considered in the secondary system design.
F. Plant Environmental Conditions
   1. Uninhabitability of the control room and other plant locations where manual actions are essential.

INFREQUENT OPERATIONAL OCCURRENCES

A. Radioactive Material Release
   1. Radioactive material release to the environment exceeding the limits of 10CFR20.
B. Fuel Limits
   1. DNBR < 1.3 (W-3 correlation)
   2. Fuel centerline temperature ≥ UO2 melting temperature
C. Reactivity Limits
   1. Inability to achieve a shutdown margin at no load reactor coolant temperature immediately following automatic reactor trip with the most reactive CEA fully withdrawn and all other CEA's fully inserted.
   2. Inability to achieve and maintain a shutdown margin following the event.
D. Primary System Stress
   1. Primary system stress in excess of that for which the primary system is designed, as determined by the following:
      a. Primary system pressure > 2750 psia when reactor coolant system temperature is ≥ LST.
      b. Primary system pressure > allowable when reactor coolant system temperature < LST.
      c. Primary system thermal transients in excess of those considered in the primary system design.
E. Secondary System Stress
   1. Secondary system stress in excess of that for which the secondary system is designed, as determined by the following:
      a. Secondary system pressure > 1320 psia.
      b. Secondary system thermal transients in excess of those considered in the secondary system design.
F. Plant Environmental Conditions
   1. Uninhabitability of the control room and other plant locations where manual actions are essential.

ACCIDENTS

A. Radioactive Material Release
   1. Radioactive material release to the environment that would result in exceeding the guideline values of 10CFR100.
B. Fuel Limits
   1. Fuel centerline temperature ≥ UO2 melting temperature.
   2. Peak fuel cladding temperature in excess of 2200°F.
   3. Oxidation of fuel cladding at any location in excess of 17%.
   4. Metal water reaction generating more H2 than 1% of the H2 that would be generated if all cladding reacted.
C. Reactivity Limits
   1. Inability to achieve a shutdown margin at no load reactor coolant temperature immediately following automatic reactor trip with the most reactive CEA fully withdrawn and all other CEA's fully inserted.
   2. Inability to achieve and maintain a shutdown margin following the event.
D. Primary System Stress
   1. Primary system stress in excess of that for which the primary system is designed, as determined by the following:
      a. Primary system pressure > 2750 psia when reactor coolant system temperature is ≥ LST.
      b. Primary system pressure > allowable when reactor coolant system temperature < LST.
      c. Primary system thermal transients in excess of those considered in the primary system design.
E. Secondary System Stress
   1. Secondary system stress in excess of that for which the secondary system is designed, as determined by the following:
      a. Secondary system pressure > 1320 psia.
      b. Secondary system thermal transients in excess of those considered in the secondary system design.
F. Containment Stress
   1. When containment is required, containment stress in excess of that for which the containment is designed, as determined by the following:
      a. Containment pressure ≥ 60 psig.
      b. Thermal transients affecting either containment concrete or liner plate in excess of those considered in the containment design.
      c. Existence of a flammable or explosive mixture of hydrogen and oxygen (i.e. ≥ 4% H2 with ≥ 5% O2 or ≥ 5% O2 with ≥ 4% H2) in areas of the plant where safety systems are located which are required in response to the originating accident.
G. Plant Environmental Conditions
   1. Exposure of station personnel in the control room in excess of 5 Rem whole body, 15 Rem skin, and 30 Rem thyroid over the duration of the accident.
   2. Uninhabitability of the control room and other plant locations where manual actions are essential.

TABLE III
SAFETY FUNCTIONS FOR PILGRIM 2 SFPSA

Safety Function*: Functional Description

Trip Reactivity Control: Rapid insertion of negative reactivity into the core to produce subcriticality immediately following an evaluated event.

Transient Reactivity Control: Insertion of negative reactivity into the core sufficient to compensate for cooldown of the reactor coolant system.

Long Term Reactivity Control: Establishment of a sufficient boron concentration in the core such that the reactor is maintained subcritical following the event.

Emergency Core Cooling - Injection Phase: Provision of coolant to the reactor core immediately following an accident and prior to the time that manual action can be taken.

Emergency Core Cooling - Recirculation Phase: Provision of coolant to the reactor core some time after the accident has occurred and at a time when manual action can be taken and in such a way that the core coolant is recirculated back into the primary system after it leaks out.

Reactor Heat Removal: Cooling of the core by other than injection of coolant directly to the core.

Pressure Control - Primary System: Maintenance of primary system pressure within allowable pressure limits and ensuring that the primary steam bubble remains in the pressurizer.

Pressure Control - Secondary System: Maintenance of secondary system pressure within allowable pressure limits.

Pressure Control - Containment: Maintenance of containment pressure within allowable pressure limits when containment is required.

Temperature Control - Containment: Maintenance of containment temperature within allowable temperature limits when containment is required.

Combustible Gas Control: Conditioning of post-accident atmosphere or treatment of accident-generated flammables to prevent formation of flammable or explosive mixtures.

Radioactive Material Treatment: Mechanical or chemical treatment of radioactive materials to reduce the quantity that escape or are discharged to the environs.

Establish Containment: Trapping of radioactivity inside the containment to prevent escape to the environs.

Primary System Isolation: Isolation of all or part of the primary system to prevent coolant loss or radioactivity discharge.

Secondary System Isolation (blowdown): Isolation of all or part of the secondary system to prevent or reduce the discharge of secondary system coolant into the containment, so that containment temperature and pressure are maintained within allowable limits.

Secondary System Isolation (heat sink): Isolation of all or part of the secondary system to prevent or reduce the discharge of secondary coolant, so that at least one steam generator can function as a heat sink for primary system energy.

Secondary System Isolation (radioactivity): Isolation of all or part of the secondary system to prevent the discharge of radioactive materials to the environs.

Steam Generator Inventory Control: Maintenance of a proper level in at least one steam generator for use as a primary system heat sink and prevention from injecting cold feedwater into a dry and hot steam generator.

Control Station Habitability: Conditioning of the post-event control station (control room and other locations where manual actions are essential) atmosphere to ensure habitability and control of personnel radiation exposure.

* Where appropriate, safety function descriptions are modified with such phrases as "initial", "long term", "above LST", etc.

TABLE IV
SAFETY FUNCTIONS AND UNACCEPTABLE RESULTS MATRIX FOR PILGRIM 2 SFPSA

Alphanumeric references refer to unacceptable results as listed on Table II.
Legend: Acc = Accident; EOO = Expected Operational Occurrences; IOO = Infrequent Operational Occurrences

Trip Reactivity Control
   Fuel Limits: Acc: B.1; EOO: B.1-2; IOO: B.1-2
   Reactivity Limits: Acc: C.1; EOO: C.1; IOO: C.1
   Primary System Stress: Acc: D.1.a; EOO: D.1.a; IOO: D.1.a
Transient Reactivity Control
   Reactivity Limits: Acc: C.2; EOO: C.2; IOO: C.2
Long Term Reactivity Control
   Reactivity Limits: Acc: C.2; EOO: C.2; IOO: C.2
Emergency Core Cooling - Injection Phase
   Fuel Limits: Acc: B.1-4
Emergency Core Cooling - Recirculation Phase
   Fuel Limits: Acc: B.1-4
Reactor Heat Removal
   Fuel Limits: Acc: B.1, 2; EOO: B.2; IOO: B.2
Pressure Control - Primary System
   Primary System Stress: Acc: D.1.a,b; EOO: D.1.a,b; IOO: D.1.a,b
Pressure Control - Secondary System
   Secondary System Stress: Acc: E.1.a; EOO: E.1.a; IOO: E.1.a
Pressure Control - Containment
   Containment Stress: Acc: F.1.a
Temperature Control - Containment
   Containment Stress: Acc: F.1.b
Combustible Gas Control
   Containment Stress: Acc: F.1.c
Radioactive Material Treatment
   Radiological Release: Acc: A.1; EOO: A.1; IOO: A.1
Establish Containment
   Radiological Release: Acc: A.1
Primary System Isolation
   Radiological Release: Acc: A.1
Secondary System Isolation (blowdown)
   Containment Stress: Acc: F.1.a,b
Secondary System Isolation (heat sink)
   Fuel Limits: Acc: B.1-4; EOO: B.1-2; IOO: B.1-2
Secondary System Isolation (radioactivity)
   Radiological Release: Acc: A.1
Control Station Habitability
   Environmental Conditions: Acc: G.1-2; EOO: F.1; IOO: F.1
Steam Generator Inventory Control
   Fuel Limits: Acc: B.1-4; EOO: B.1-2; IOO: B.1-2
   Primary System Stress: Acc: D.1.a,b,c; EOO: D.1.a,b,c; IOO: D.1.a,b,c
   Secondary System Stress: Acc: E.1.a,b; EOO: E.1.a,b; IOO: E.1.a,b

Operating States

Because each postulated event must be evaluated over the full range of normal plant conditions in which the event is possible, it is convenient to identify and define various plant operating states. The analyst can then more easily evaluate each event over the range of plant conditions within each operating state. The operating states to be used for the analysis of a specific plant are dependent upon the plant design. Table V defines the operating states used for the Pilgrim 2 unit, a two loop pressurized water reactor.

TABLE V
PLANT OPERATING STATES FOR PILGRIM 2

Operating State | Reactivity Control Status | Primary System States | Reactor Power
A - Refueling | All CEA's may be withdrawn | 0 psig; T < 210°F | Nil
B - Cold Shutdown | < 1 shutdown group withdrawn; all others inserted | 0 psig; T < 210°F | Nil
C - Shutdown Cooling | < 1 shutdown group withdrawn; all others inserted | 210°F < T < 350°F; pressure per allowable | Nil
D - Heatup/Cooldown | < 1 shutdown group withdrawn; all others inserted | 350°F < T < 556°F; pressure per allowable | Nil
E - Hot Shutdown | < 1 shutdown group withdrawn; all others inserted | 2250 psia; 556°F | Nil
F - Hot Standby | Any allowable CEA positions | Temp/pressure per allowable | < 15%
G - Power | Any allowable CEA positions | Temp/pressure per allowable | 15 - 100%

Notes:
- Reactor boron concentration such that reactor would have at least a 5% shutdown margin with all CEA's fully withdrawn.
- Reactor boron concentration such that reactor would have at least a 2% shutdown margin at no load reactor coolant temperature following reactor trip with the most reactive CEA fully withdrawn and all other CEA's fully inserted.
- Pressure-temperature limits applicable during heatup and cooldown of reactor coolant system.
- Reactor boron concentration such that reactor would have at least a 2% shutdown margin with all CEA's fully inserted.

Event Analysis

With the placement of each postulated event in its category and with the unacceptable results and safety functions identified for each event category, the analysis of each specific event can be performed.

The analysis of an event begins with the complete definition of the event. This includes the identification of the event (e.g., steamline break inside containment), the range of plant process variables which apply to the event (e.g., 350 F to 580 F for average reactor coolant temperature), and the listing of the applicable plant operating states (e.g., power operation, hot shutdown). After the event is completely defined, the analyst selects a specific set of initial plant process parameters (e.g., 100% power, rated temperature) to begin the event analysis. With this set of initial parameters, each unacceptable result associated with the event's category is examined to determine which unacceptable results could or could not occur as a result of the event. For example, the analyst determines that the unacceptable result concerning the existence of a flammable or explosive mixture of hydrogen and oxygen could not occur for a steamline break accident occurring outside containment.

Having determined which unacceptable results could occur for the event, a matrix such as that shown in Table IV is used to determine the safety functions associated with the specific set of initial parameters. To achieve these safety functions the specific plant safety systems and their required responses, or safety actions, are identified. A safety system is a system, active or passive, which must furnish the safety action as a result of a postulated plant event.

After identification of the required safety systems and their safety actions, the sensed variables are identified that cause or require the special system responses. In cases where the system does not automatically respond, the operator action required to initiate the safety system (e.g., starting the pump locally from the control room) is identified. As the safety systems and their actions are identified, they are arranged in functional order forming success paths, or protection sequences, leading to the required safety function. The arrangement of success paths becomes the Safety Sequence Diagram for the event. The Safety Sequence Diagram (SSD) becomes the analyst's major output in the SFPSA. Figure 1 is the format of the SSD's developed for the Boston Edison Pilgrim 2 analysis.

To depict the level of redundancy in the plant design on the SSD, a sufficient number of independent parallel paths is developed for each safety function such that no single component failure can prevent the achievement of the required safety function. Because many of the Pilgrim 2 systems (e.g., engineered safety features) have been designed with functional redundancy, certain safety functions require only one success path, i.e., no single active component failure can prevent the safety systems in the success path from achieving their special responses. If the analysis reveals a safety function for which functional redundancy does not exist, either with a parallel independent success path or safety system redundancy, then the plant design, configuration or functional response must be changed to achieve this redundancy.

The analysis of the postulated event is continued for its entire duration including post-event activities until some planned operation is resumed or the plant achieves a stable condition. A planned operation is considered resumed when the actions taken are identical to those described by normal operating procedures.

After the success paths and safety functions required for the initial set of plant conditions have been identified and illustrated on the Safety Sequence Diagram, the analyst will vary each plant process parameter from its initial condition value throughout its entire range for the event. During this parameter variation process, the analyst ensures that all required safety functions have been identified. If any additional required safety functions are identified, their required success paths must be determined in the same manner as done for the initial set of plant conditions. Additionally, as the parameters are varied, the analyst also determines which of the "initial condition" safety functions are still required. Each of these required safety functions is reviewed to ensure that the safety systems in the success path will provide their required safety actions under the different plant conditions. During this process, if any new success paths are discovered, they are diagrammed on the Safety Sequence Diagram with appropriate notation as to the specific conditions under which they are required. Also, where the event mechanism itself is variable (e.g., size and location of a pipe break), the variable characteristic is considered over its full range to assure that all success paths are identified.

This parameter variation analysis for each safety sequence enables the analyst to identify the limiting set of parameters for each success path and each safety system. This type of systematic analysis is used to demonstrate the plant's ability to safely respond to any postulated event. The historical concept of the "worst case" is an unusable concept for a systems analysis of a nuclear power plant. Considering the number of systems and components which must function during an accident, no single set of initial conditions can possibly describe the most limiting set for all systems. Rather than any one "worst case" condition, there exists a spectrum of "worst cases" which must be analyzed on a systems basis to properly design a nuclear power station.
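The single-failure check over success paths described in the Event Analysis section, repeated for each operating state as in the parameter variation step, written out as an added example that is not part of the original paper. The system names (SYS-J and so on), channel counts, paths and state assignments are constructed for illustration; only the safety function names and operating state letters are taken from Tables III and V.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SafetySystem:
    name: str
    channels: tuple      # independent, functionally redundant channels


@dataclass(frozen=True)
class SuccessPath:
    systems: tuple       # safety systems in functional order
    states: frozenset    # operating states in which the path is applicable


def _components(path):
    """Every (system, channel) pair whose failure could affect this path."""
    return {(s.name, ch) for s in path.systems for ch in s.channels}


def _path_succeeds(path, failed):
    """A path delivers its safety function only if every system in it
    still has at least one channel that has not failed."""
    return all(
        any((s.name, ch) not in failed for ch in s.channels)
        for s in path.systems
    )


def single_failure_gaps(ssd, event_states):
    """Return (safety_function, operating_state, component) triples where one
    component failure defeats every applicable success path. component is
    None when no path at all is applicable in that state."""
    gaps = []
    for function, paths in ssd.items():
        for state in sorted(event_states):
            usable = [p for p in paths if state in p.states]
            if not usable:
                gaps.append((function, state, None))
                continue
            candidates = set().union(*(_components(p) for p in usable))
            for comp in sorted(candidates):
                if not any(_path_succeeds(p, {comp}) for p in usable):
                    gaps.append((function, state, comp))
    return gaps


# Constructed sample systems (hypothetical names and channel counts).
SYS_J = SafetySystem("SYS-J", ("A", "B"))   # two redundant channels
SYS_L = SafetySystem("SYS-L", ("A", "B"))
SYS_M = SafetySystem("SYS-M", ("A",))       # single channel
SYS_N = SafetySystem("SYS-N", ("A",))
SYS_P = SafetySystem("SYS-P", ("A",))
SYS_Q = SafetySystem("SYS-Q", ("A",))
SYS_R = SafetySystem("SYS-R", ("A",))       # auxiliary shared by two paths

# Constructed SSD content: safety function -> parallel success paths.
SAMPLE_SSD = {
    # One path is enough here: each system has internal channel redundancy.
    "Trip Reactivity Control": [
        SuccessPath((SYS_J, SYS_L), frozenset("EFG")),
    ],
    # Two independent paths, but the second applies only in state E.
    "Reactor Heat Removal": [
        SuccessPath((SYS_M,), frozenset("EFG")),
        SuccessPath((SYS_N,), frozenset("E")),
    ],
    # Two paths that look parallel but share single-channel SYS-R.
    "Pressure Control - Containment": [
        SuccessPath((SYS_P, SYS_R), frozenset("EFG")),
        SuccessPath((SYS_Q, SYS_R), frozenset("EFG")),
    ],
}

if __name__ == "__main__":
    for function, state, comp in single_failure_gaps(SAMPLE_SSD, {"E", "F", "G"}):
        print(f"{function} / state {state}: defeated by failure of {comp}")
```

Checking only state E would hide the Reactor Heat Removal gap, which appears in states F and G where the second path does not apply; the shared SYS-R is the kind of dependency an auxiliary diagram is meant to expose.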

Safety Sequence Diagram

When all the plant process parameter variations have been considered, the Safety Sequence Diagram (SSD) for the particular event is completed. The SSD displays those prime, or major, plant safety systems whose responses are essential to providing the safety actions required for the postulated event. The SSD shows these safety systems in their functional (not necessarily chronological) sequences following the postulated event. In addition, the SSD shows which plant process variables are monitored or sensed by these safety systems as initiating signals. Figure 2 is an example of the Safety Diagram for the accident "Steamline Break inside Containment", as developed for the Pilgrim 2 unit.

[Figure 1: Safety Sequence Diagram format. The diagram shows the event classification (accident) and the range of initial conditions at the top, followed by the sensed variables and setpoints that initiate each safety system, any manual action required, the safety action of each system, and the safety functions achieved. The plant is returned to a stable condition when all safety functions are achieved. Legible general notes: the safety action for each system is shown beside the arrow pointing away from the system; "(Setpoint)" indicates the value of the sensed variable at which the system is initiated; a dashed path indicates a system whose action is not essential to achieve the safety function but which may operate due to plant condition; "A|B" or "A|B|C|D" indicates the number of independent, functionally redundant system channels or components.]


Safety System Auxiliary Diagram

After completion of the SSD for a postulated event, each safety system displayed on the SSD is analyzed to determine the specific support requirements necessary to produce its safety action. Examples of these support requirements are electric power, component cooling, or instrument air supply. The analyst refers to the SSD to determine every sequence in which a safety system is required, thereby ensuring all support requirements are identified. After identification of the support requirements, the plant systems that provide these support requirements are identified. These systems are the Auxiliary Safety Systems. A Safety System Auxiliary Diagram is then prepared on which the prime safety system and its auxiliary safety systems are displayed. Figure 3 is the format for a Safety System Auxiliary Diagram as used in the Boston Edison Pilgrim 2 analysis.

[Figure 3: Safety System Auxiliary Diagram format. The diagram shows a prime safety system with its auxiliary safety systems, each with redundant channels (A, B). Signal "S" actuates an auxiliary safety system, and the safety actions of the auxiliary safety systems provide the support requirements of the prime safety system.]

In developing the Safety System Auxiliary Diagram the analyst ensures that each support requirement is functionally redundant by developing design information about the plant sufficient to positively identify the auxiliaries essential to the required response of the safety system, and by identifying plant design changes so that the auxiliary systems can support their safety system with the needed level of redundancy.

To complete any Safety System Auxiliary Diagram the analyst must review the Safety Sequence Diagrams for all the postulated events to identify all safety sequences in which the subject safety system appears. Figure 4 is the Safety System Auxiliary Diagram for the Containment Spray System of the Boston Edison Pilgrim 2 nuclear unit.

[Figure 4: Containment Spray System Safety System Auxiliary Diagram. Legible support labels around the CSS (channels A, B): 125 V DC control power for pump motor breakers; 4.16 kV for containment spray pump motor breakers; 480 V to MCC for valve motors; ABCW cooling water to pump L.O. cooler; SIAS to ABCW will isolate non-safety related loads from ABCW; SIAS to CCW starts standby pumps and isolates non-safety related portions of the CCW system; CCW provides cooling water for CSS pump mechanical seals; PRCU supplies cooling air to CSS pump and motor in ESF pump room; SDCS heat exchangers cool spray during recirculation (RAS); manual valve operation required. Note on figure: refer to Table VI for definition of abbreviations.]

Auxiliary Safety System Commonality Diagram

After completion of the Safety Sequence Diagrams for each postulated event and the Safety System Auxiliary Diagrams, the Auxiliary Safety System Commonality Diagram (ASSCD) for each Auxiliary Safety System is developed. This diagram indicates all the safety systems that a given Auxiliary Safety System supports. ASSCD is developed mainly as an information diagram, rather than a primary design review diagram. ASSCD allows evaluation of the overall plant response to the operations of each Auxiliary Safety System, considering such effects as that of a single active failure to the component cooling water system. Figure 5 is the ASSCD for the Component Cooling Water System of the Pilgrim 2 station.

[Figure 5: Component Cooling Water System Auxiliary Safety System Commonality Diagram. Legible labels: CCAS increases flow to CCS fan coils; SIAS isolates nonsafety related heat loads and starts standby pumps; CIAS isolates RCP motor and seal heat exchangers. CCW (channels A, B) supports CCS (cools CCS fan coils), HPSI (cools HPSI pump mechanical seals), LPSI (cools LPSI pump mechanical seals), CSS (cools CSS pump mechanical seals) and SDCS (cools SDCS heat exchanger). Note on figure: refer to Table II for definition of abbreviations.]

TABLE VI
ABBREVIATIONS USED ON SFPSA DIAGRAMS

ABCW    Auxiliary Building Cooling Water
ADS     Atmospheric Steam Dump System
CB      Containment Structure
CCAS    Containment Cooling Actuation Signal
CCS     Containment Cooling System
CCW     Component Cooling Water
CEA     Control Element Assemblies
CETS    Control Element Trip System
CIAS    Containment Isolation Actuation Signal
CIS     Containment Isolation System
CSAS    Containment Spray Actuation Signal
CSS     Containment Spray System
CST     Condensate Storage Tank
CVCS    Chemical and Volume Control System
EFCS    Emergency Feed Control System
EFS     Emergency Feed System
ESFPS   Engineered Safety Features Protection System
HPSI    High Pressure Safety Injection
LPSI    Low Pressure Safety Injection
MFIV    Main Feed Isolation Valves
MSI     Main Steam Isolation System
MSIS    Main Steam Isolation Signal
MSIV    Main System Isolation Valves
PPH     Pressurizer Proportional Heaters
PRCU    Pump Room Cooling Unit
PRV     Power Relief Valves
PSV     Primary Safety Valves
PZR     Pressurizer
RCS     Reactor Coolant System
RPS     Reactor Protection System
RTS     Reactor Trip System
RWT     Refueling Water Tank
SDCS    Shutdown Cooling System
SG      Steam Generator
SIAS    Safety Injection Actuation Signal
SRPDS   Safety Related Power Distribution System
SSV     Secondary Safety Valves

Sensed-variable symbols (the symbols themselves are not legible in this copy): High Logarithmic Power; Startup Neutron Flux Level; Pressurizer Level; Steam Generator Level; Low Steam Generator Level; High Containment Pressure; Pressurizer Pressure; Low Pressurizer Pressure; Low-Low Pressurizer Pressure; Steam Pressure; Low Steam Generator Pressure; Low-Low Steam Generator Pressure; Cold Leg Temperature.

The Role of SFPSA in the Design Process

Under the requirements of 10CFR50, systems, structures and components important to nuclear plant safety must be identified and designed to ensure that they will perform reliably in service. This requirement is satisfied by subjecting all such safety related items to a quality assurance program conforming to the requirements of 10CFR50, Appendix B. The systematic process employed by the SFPSA, as shown on the resulting SSD's and SSAD's, makes it possible to easily identify and classify the various systems, structures, and components of the plant in relation to safety. In particular, the SSD's and SSAD's become a key tool or mechanism to satisfy the design verification requirements of a nuclear quality assurance program under Criterion III (Design Control) of 10CFR50, Appendix B. The following paragraphs describe how the SFPSA results are used in the design process.

The Quality Assured Items List

Each system, component, and structure required to mitigate the consequences of a nuclear plant accident must be subjected to the Nuclear Quality Assurance Program and must be listed on the Quality Assured Items List. Upon completion of the required Safety Sequence Diagrams (SSD's) and Safety System Auxiliary Diagrams (SSAD's), the process of identifying these quality assured items and placing them on the Quality Assured Items List is simple and systematic. Each accident SSD and the associated SSAD's is reviewed. Because the prime safety systems and their supporting auxiliary systems required to achieve the safety functions are diagramed on the SSD's and SSAD's, the task of quality assured system identification is complete. To identify the specific components and structures within the plant systems and larger structures that must be quality assured, each safety system and auxiliary safety system is examined to determine the specific components of these systems that must function to produce the required system responses. The structures in which the systems and components are located, including passive structures shown on the SSD (e.g., the containment or the refueling water tank), are identified as structures to be quality assured.

The significant amount of analytical effort expended to perform the SFPSA has made the development of the sometimes controversial Quality Assured Items List easy and systematic.

Seismic Design Review

The SFPSA facilitates the identification of the systems, components and structures that must be classified Seismic Category I under the requirements of AEC Regulatory Guide 1.29. In a manner similar to the identification of quality assured items, the accident SSD's are reviewed, and sufficient systems, components and structures are classified Seismic Category I to provide at least one success path for each required safety function. The SSAD for each safety system in the success path is reviewed to identify those auxiliary systems required to support the Category I safety systems. Such auxiliary safety systems are also classified Seismic Category I. To identify the specific components and structures to be Seismic Category I, each prime safety system and auxiliary safety system is studied in detail, as done in the Quality Assured Items List study. The specific components and structures which must function to produce the safety actions of these systems are classified as Seismic Category I.

Redundancy and Separation

During the development of the SSD's and SSAD's, success paths are determined for each safety function. Each success path represents a sequence that is capable of achieving its safety function, given any single active component failure. This capability is shown with either physical redundancy (e.g., two independent trains of the Safety Injection System) or functional redundancy (e.g., either the High Pressure Safety Injection System or the Chemical & Volume Control System supplying borated water). Thus, with the SSD's and SSAD's finished, the complete systems level redundancy of the plant is shown diagrammatically.

During the review of the safety system design of the plant, the information on the SSD's and SSAD's is used to ensure that the designs do reflect the required redundancy shown on the diagrams. The design reviewer refers to the SSD's and SSAD's as he tests the designs for susceptibility to single failures. During review of physical arrangement drawings, the SSD's and SSAD's are used to check the adequacy of physical separation, thus ensuring that the plant is properly designed against the effects of pipe whip, jet impingement, flooding, fire, etc.
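The single-failure review described under Redundancy and Separation, together with the commonality view of the ASSCD, can be expressed as a dependency check over SSD and SSAD data. The following Python is an added example, not part of the original report; system names come from Table VI and Figure 5, while the safety function names, train letters and support assignments are constructed assumptions.

```python
"""Single-failure review of a toy SSD/SSAD model (constructed data)."""

# SSD: safety function -> success paths. Each path lists the safety system
# trains that must all act. Function names and train letters are assumptions.
SSD = {
    "inject borated water": [[("HPSI", "A")], [("HPSI", "B")], [("CVCS", "A")]],
    "spray containment": [[("CSS", "A")], [("CSS", "B")]],
}


def build_ssad(css_b_cooling):
    """SSAD data: train -> auxiliary trains it needs (constructed layout)."""
    return {
        ("HPSI", "A"): [("CCW", "A"), ("SRPDS", "A")],
        ("HPSI", "B"): [("CCW", "B"), ("SRPDS", "B")],
        ("CVCS", "A"): [("SRPDS", "A")],
        ("CSS", "A"): [("CCW", "A"), ("SRPDS", "A")],
        ("CSS", "B"): [("CCW", css_b_cooling), ("SRPDS", "B")],
        # Auxiliary systems have support requirements of their own.
        ("CCW", "A"): [("SRPDS", "A")],
        ("CCW", "B"): [("SRPDS", "B")],
    }


SEPARATED = build_ssad("B")  # each spray train cooled by its own CCW train
SHARED = build_ssad("A")     # weak layout: both spray trains cooled by CCW A


def available(train, failed, ssad):
    """A train acts only if it and every auxiliary beneath it are intact."""
    if train in failed:
        return False
    return all(available(aux, failed, ssad) for aux in ssad.get(train, ()))


def function_achieved(paths, failed, ssad):
    """At least one success path must have all of its trains available."""
    return any(all(available(t, failed, ssad) for t in path) for path in paths)


def all_components(ssd, ssad):
    """Every train named anywhere in the SSD or SSAD data, sorted."""
    comps = set(ssad)
    for auxes in ssad.values():
        comps.update(auxes)
    for paths in ssd.values():
        for path in paths:
            comps.update(path)
    return sorted(comps)


def single_failure_gaps(ssd, ssad):
    """Return (failed component, safety function) pairs that break the rule."""
    gaps = []
    for comp in all_components(ssd, ssad):
        for function, paths in ssd.items():
            if not function_achieved(paths, {comp}, ssad):
                gaps.append((comp, function))
    return gaps


def commonality(ssad):
    """ASSCD view: auxiliary system -> systems it directly supports."""
    view = {}
    for (system, _train), auxes in ssad.items():
        for aux_system, _aux_train in auxes:
            view.setdefault(aux_system, set()).add(system)
    return {aux: sorted(systems) for aux, systems in view.items()}


if __name__ == "__main__":
    for name, ssad in (("separated", SEPARATED), ("shared", SHARED)):
        print(name, "gaps:", single_failure_gaps(SSD, ssad))
    print("commonality:", commonality(SEPARATED))
```

In the shared layout the check reports both the CCW train and the power train beneath it, which is the kind of hidden common support the commonality diagram is meant to expose.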

Effects of Pipe Breaks

Because an SSD has been developed for every pipe break that must be postulated in plant design considering the various plant systems and the various sizes of breaks, the specific systems and structures that must respond to each specific pipe break can be easily identified. During the analysis of a particular pipe break the information on the SSD's and SSAD's is used to identify the specific systems, components and structures that must be protected for that particular break. Pipe whip restraints and jet deflectors are located to protect those specific systems, components and structures, whereas damage to other plant equipment is acceptable. For example, if a particular two inch pipe break in the reactor coolant system does not require the use of the Chemical & Volume Control System, there is no reason to protect the CVCS piping following that two inch reactor coolant system pipe break, and no pipe whip restraints or jet deflectors would be specified for this purpose. However, the High Pressure Safety Injection System is [illegible] damage due to pipe whip and jet impingement. Thus, all the items which must be protected are systematically identified and protected, but the number of pipe restraints and deflectors is minimized.

Summary

The systematic approach of the SFPSA provides assurance that each system, component or structure required for safety is identified and designed in accordance with all applicable requirements.

When the SFPSA is complete, each required safety function that must be achieved is clearly identified; the time sequence in which the necessary safety actions must occur is delineated; the degree of redundancy provided in plant design is established; and the need for station design to provide intelligence for operator manual control is defined. The SFPSA distinguishes between those plant systems that are required for the public health and safety and those that are required only for equipment protection. The SFPSA is the mechanism whereby each safety system receives a complete and consistent design review. The SFPSA helps to ensure that no one safety system has been "over designed" at the expense of another.

When performed early in the design process of a nuclear project, the SFPSA operates to greatly reduce, or even eliminate, design changes later in the project, when such changes would be much more costly. Because the SFPSA is a continuing analysis throughout the design phase of the project, it becomes the most useful and meaningful comprehensive representation of the plant safety system design, illustrating on easily understood diagrams the practical results of large volumes of engineering drawings, specifications, and design information.

[Figure: Safety Function and Protection Sequence Analysis flow diagram. Box labels: Identify Events; Classify Events; Identify Unacceptable Results; Safety Functions; Functional Design Requirements; Postulate Event; Identify Initial Conditions; Required Safety Functions; Determine Success Paths; Safety Sequence Diagram; Safety Systems; Safety Actions; Select Success Path; Select Safety System; Identify Support Safety System Requirements; Auxiliary Diagram]

ATTACHMENT 1 Application of Safety Sequence and System Auxiliary Diagrams to the Development of Abnormal Transients Operating Guidelines
The objective of the B&W Abnormal Transients Operating Guidelines (ATOG) Program is to provide the operators of 177 fuel assembly plants with operating guidelines based on a thorough understanding of many possible event sequences. Event trees will be constructed and computer simulations completed to provide the technical basis for the guidelines.

Guidelines will be prepared specifically for each of seven plants. Development of the event trees and guidelines will require a large amount of plant specific data. EDS Nuclear will collect and present this information using the Safety Sequence Diagram (SSD) and System Auxiliary Diagram (SAD) formats. The purpose of the SSDs will be to provide information about systems designed to perform safety functions mitigating transient consequences. The SADs will provide information about systems necessary for operation of other prime systems, which directly affect plant response. (Conversely, they will provide information about the causes of prime system failure.) The SSDs will provide input data for preparation of the event trees (and, to some extent, the guidelines). The SADs will provide direct input data for preparing the guidelines. The SSDs and SADs will also achieve certain secondary objectives: provide training devices; cross check event trees; and identify possible design deficiencies. The SSD and SAD formats were chosen for several reasons. They contain sufficient data for preparation of event trees or for establishing corrective actions. They provide information in a logical and easily understood form.


EDS Nuclear has a number of people trained in this method of representing system response; use of this method will facilitate the use of EDS staff personnel in order to complete the ATOG Program in a timely manner.

Safety sequence diagrams are prepared by first carefully identifying the plant safety functions (reactor heat removal, primary pressure and level control, etc.) essential to achieving acceptable consequences during transients. Then the sequence of prime system responses forming redundant success paths are diagramed. The information listed in Table 1 is also added to the diagram.

"Safety Function and Protection Sequence Analysis," "Transactions of the ANS", November 1973, by R. A. Fortney, et al. (Attachment 2) is a good general discussion of the SSD and SAD. The EDS Administrative and Technical Procedures for the ATOG Program (Attachment 3) are more current and more detailed descriptions of the methods which will be used to prepare SSDs and SADs.

Figure 1 illustrates the relationship of event trees and SSDs. On the left of Figure 1 is a segment of the preliminary version of the Arkansas Nuclear One Unit 1 (ANO-1) Loss of Feedwater (LOFW) event tree. On the right is one success path from a preliminary version of the ANO-1 LOFW SSD (Attachment 4). The detailed information provided on the SSD is essential to the analyst's understanding of the ANO-1 response to a LOFW. That understanding is needed for development of the event sequences represented on the event tree and for simulation of the event sequence. The data and nomenclature presented can also be used to develop the guidelines.


A sample SAD is provided as Attachment 5. Table 2 summarizes the information presented on the SAD. The importance of the SAD in developing corrective actions and training new operators is apparent.

[Figure 1. Relationship of Safety Sequence Diagrams and Event Trees. Panels: Loss of Feedwater event tree; Loss of Feedwater Safety Sequence Diagram]

TABLE 1

SAFETY SEQUENCE DIAGRAM INFORMATION SUMMARIZED

ALL SYSTEMS INVOLVED IN ACHIEVING A SAFETY FUNCTION SYSTEM MAJOR COMPONENTS COMPONENT ACTUATION LOGIC SETPOINTS REDUNDANCY PARAMETERS MONITORED COMPONENT FUNCTIONAL INTER-RELATIONSHIPS PLANT SPECIFIC TERMINOLOGY INPUT REFERENCES OPERATOR ACTIONS


TABLE 2

SYSTEM AUXILIARY DIAGRAM INFORMATION SUMMARIZED

SUPPORTING SYSTEMS AND INTERDEPENDENCE POWER SUPPLIES ACTUATION PARAMETERS AND INSTRUMENTATION VALVES ACTUATED (INCLUDING FAILURE POSITION) LOGIC AND SETPOINTS SAFETY QUALIFICATIONS REQUIRED OPERATOR ACTIONS VERIFICATION INSTRUMENTATION OUTPUT ACTIONS AND SIGNALS REFERENCES

}}