ML19260C726

Auxiliary Feedwater Sys Reliability Analysis
ML19260C726
Person / Time
Site: Rancho Seco
Issue date: 12/26/1979
From: Dorman R, Enzinna R, Weaver W
BABCOCK & WILCOX CO.
To:
Shared Package
ML19260C723 List:
References
BAW-1584, BAW-1584-01, BAW-1584-1, NUDOCS 8001080519
Download: ML19260C726 (32)


Text

BAW-1584
December 1979

AUXILIARY FEEDWATER SYSTEMS RELIABILITY ANALYSES

A Generic Report for Plants With Babcock & Wilcox Reactors

by W. W. Weaver, R. W. Dorman, R. S. Enzinna

BABCOCK & WILCOX
Power Generation Group
Nuclear Power Generation Division
P. O. Box 1260
Lynchburg, Virginia 24505


EXECUTIVE SUMMARY

This report presents a generic summary of the analysis methods and results of a reliability study of Auxiliary Feedwater Systems (AFWS) at operating plants with Babcock & Wilcox designed Nuclear Steam Supply Systems.

The objectives of this report were:

1) To identify, through reliability based insights, dominant contributors to AFWS unreliability.
2) To assess the relative reliability of B&W operating plant Auxiliary Feedwater Systems.

Dominant contributors to unreliability are identified in Table 2. These contributors vary widely in significance, ranging from the relatively unavoidable contribution of preventive maintenance to AC dependencies which preclude system operation on loss of AC power. In every case where significant contributors were identified, improvements by design and/or procedural changes should be achievable. These contributors provide a rational basis for design changes to improve AFWS reliability.

A comparative perspective on the range of reliabilities which can be expected from B&W operating plant Auxiliary Feedwater Systems is shown in Figure 1.

The relationship of these values to the NRC-calculated reliabilities for plants of Westinghouse and Combustion Engineering design is not straightforward in that certain assumptions appear to be more conservative in the B&W analyses than in the NRC analyses; the basis for this belief is explained in Appendix B.


CONTENTS

EXECUTIVE SUMMARY
1.0 INTRODUCTION
1.1 Background
1.2 Objectives
1.3 Scope
1.4 Summary and Conclusions
1.5 Limitations
2.0 DESCRIPTION OF ANALYSIS
2.1 Analysis Method
2.2 General Assumptions and Criteria
3.0 OVERVIEW OF B&W AUXILIARY FEEDWATER SYSTEMS
4.0 RELIABILITY EVALUATION
4.1 Quantitative Analysis Results
4.2 Dominant Failure Contributors
4.3 Single Point Vulnerabilities
REFERENCES
APPENDIX A -- NRC-Supplied Data
APPENDIX B -- Comparability With NRC Analyses for the Reliability of Auxiliary Feedwater Systems

List of Tables
1. Summary of Major Characteristics of B&W Operating Plant AFW Systems
2. Major Failure Contributors

List of Figures
1A. Relative AFWS Reliabilities, LMFW
1B. Relative AFWS Reliabilities, LMFW/LOOP
1C. Relative AFWS Reliabilities, LMFW/LOAC
B-1 Effect of Assumption on Calculated AFWS Reliability
B-2 Comparison of B&W AFWS Reliability With NRC Results for W Plants

1.0 INTRODUCTION

This report presents a generic summary of the analysis methods and results of a reliability study of Auxiliary Feedwater Systems at operating plants with Babcock & Wilcox (B&W) designed Nuclear Steam Supply Systems.

The Auxiliary Feedwater System functions as an emergency system for the removal of heat from the primary system when main feedwater is not available. Some B&W operating plants refer to this system as an Emergency Feedwater System; however, throughout this report, the term Auxiliary Feedwater System (AFWS) will be used.

Also contained in this report is an overview of AFWS designs at the B&W operating plants, a description of assumptions used during this study and appropriate limitations which should be observed when considering the results of the study.

1.1 Background

As one outgrowth of the incident at Three Mile Island-2, the NRC requested all operating plants to consider means for upgrading the reliability of their Auxiliary Feedwater Systems. As a part of the response to this request, the B&W Owners Group utilities asked B&W to perform reliability analyses of the existing Auxiliary Feedwater Systems at each B&W operating plant.

The ultimate objective of this work is to determine what changes, if any, will improve AFWS reliability.

The NRC has conducted similar analyses for Westinghouse and Combustion Engineering plants; descriptions of those analyses and the results are in References 1 and 2.

The NRC requested that the B&W analyses be performed within a time frame and on a basis consistent with the NRC's own analyses.

Accordingly, the scope of B&W's study and arrangement of the schedule were made in agreement with the NRC's request.

B&W performed the requested analyses and has issued to each of the utilities a report containing a plant specific AFWS reliability evaluation. A generic summary of the analysis methods and results contained in these plant specific reports is presented herein.

1.2 Objectives

The objectives of this study were:

o To perform simplified analyses to assess the relative reliability of B&W operating plant Auxiliary Feedwater Systems. It was intended that these analyses would be performed on a basis consistent with that used by the NRC in analyses for Westinghouse and Combustion Engineering plants. It was further intended that such consistency would be achieved by use of the same evaluative technique, event scenarios, assumptions and reliability data used by the NRC.

o To identify, through the development of reliability-based insight, dominant contributors to AFWS unreliability.

1.3 Scope

Auxiliary Feedwater Systems at the following B&W operating plants were analyzed:

Rancho Seco
Oconee Units I, II & III
Crystal River-3
Davis-Besse-1
Arkansas Nuclear One-1
Three Mile Island-1

The analysis for each plant was based on the configuration of the Auxiliary Feedwater System as it existed on August 1, 1979, but also included were any near-term changes which were already in process and which would be in place by December 3, 1979. An exception was made for the Three Mile Island-1 plant; a configuration date of early 1980, corresponding to the earliest anticipated startup of this plant, was used.

Three event scenarios were considered in this study:

o Case 1 - Loss of Main Feedwater with Reactor Trip (LMFW)
o Case 2 - LMFW coincident with Loss of Offsite Power (LMFW/LOOP)
o Case 3 - LMFW coincident with Loss of all AC Power (LMFW/LOAC).


These event scenarios were taken as given; that is, postulated causes for these scenarios and the associated probabilities of their occurrences were not considered. Additionally, external common mode events (earthquakes, fires, etc.) and their effects were excluded from consideration.

For each of the three cases, system reliability as a function of time was evaluated. Three times were considered: 5, 15 and 30 minutes following LMFW (refer to Section 2.2).

A total of 54 detailed fault tree analyses were performed covering the six AFWS designs with three event scenarios and at three times for each event. Each plant's specific event tree can be found in the respective plant specific report (References 4-9).

1.4 Summary and Conclusions

The principal result of this study is the identification of dominant contributors to AFWS unavailability for each plant. Pending further evaluation by the utilities, these contributors may provide a rational basis for the selection of design changes to improve AFWS reliability.

The dominant contributors identified in Table 2 vary widely in significance, ranging from the relatively unavoidable contribution of preventive maintenance, to AC dependencies which will preclude system operation on loss of AC power.

In every case where significant contributors were identified, improvements by design and/or procedural changes should be achievable. If appropriate modifications are accomplished, B&W operating plant AFW Systems will exhibit, as a group, reliabilities close to the maximum reliability attainable for real, two-train systems.

The quantitative results of these analyses, shown in Figure 1, provide a general comparative perspective on the range of reliabilities which can be expected from B&W operating plant Auxiliary Feedwater Systems.

Although it was intended that this study closely match the NRC study for Westinghouse and Combustion Engineering Auxiliary Feedwater Systems, the results of the two studies should not be directly compared; see Appendix B.


1.5 Limitations

Careful consideration must be given to the validity and applicability of the results of this study; these results could be misleading if taken out of context. Appropriate limitations on the use of these results include:

(1) Relative reliability standings. This report presents (Figure 1) the relative reliability standings of all the B&W plants, and while these results can show major differences, small differences between plants are not significant. Further, no direct comparison of the quantitative results for the B&W plants to the NRC calculated results for Westinghouse and C-E plants should be made without a thorough understanding of the analyses. Even though a concerted effort was made to maintain uniformity with analysis methods and assumptions used by the NRC, B&W believes that certain inconsistencies exist. (See Appendix B.)

(2) Absolute values of availability. This analysis resulted in only relative reliabilities and not absolute values of AFWS unavailability. Any inference of realistic AFWS reliability must address the probability of occurrence of the three event scenarios in addition to considering other defects which may accompany the conditions producing these scenarios.

(3) Dominant failure contributors. This analysis identified the dominant contributors to system unavailability; however, this report did not explore possible modifications to those contributors. While in some cases a simple change appears feasible, other cases are obviously complex situations with many possible solutions.

Each utility must decide if cost-effective modifications are available for their dominant contributors.

(Dominant contributors are discussed in Section 4.2.)


2.0 DESCRIPTION OF ANALYSIS

2.1 Analysis Method

The analysis method used to evaluate the reliability of Auxiliary Feedwater Systems in operating B&W plants involved the construction and analysis of fault trees. The techniques used in this effort were consistent with those described in the Reactor Safety Study, WASH-1400 (Reference 3).

The result of this analysis is the point unavailability of the AFWS, under three scenario conditions and at three points in time following the initial existence of conditions requiring AFWS initiation.

Point unavailability is equivalent to the probability that the system will be unavailable at the point in time at which a demand is placed on it.

To support this analysis, each utility with a B&W NSSS furnished to B&W the plant specific system drawings, electrical schematic diagrams, operating, test and maintenance procedures and technical specifications for the Auxiliary Feedwater System and pertinent support systems.

From this systems data, B&W extracted information necessary to prepare a detailed AFW system description (References 4 thru 9). This description was reviewed for accuracy by the utility to ensure that the system analyzed was, indeed, the system that physically exists at the site.

A fault tree was constructed for each utility based on this detailed system description.

The top level event in the fault tree was failure to achieve mission success (defined in Section 2.2).

Top level sub-branches of the tree generally involved multiple failures resulting in the unavailability of all feedwater trains and included unavailability arising from preventive maintenance activities. Examples of multiple failures leading to system unavailability of a two-train system include: failure of the pumps in both trains; or combination failures such as failure of one pump coupled with a discharge path failure in the opposite train and no available discharge cross-tie.

From the top level event, fault tree branches were expanded downward to a level of detail corresponding to unavailability data which was supplied by the NRC. This level of detail was typically that associated with component failure cause (valve plugging, pump control circuit failure, etc.).

The NRC-supplied unavailability data consisted of expected unavailability numbers for typical fluid and control system hardware, human failure probabilities as a function of time, and unavailability associated with preventive maintenance. This data was obtained as a part of Reference 1, and is shown in Appendix A.

The data was supplemented when necessary by direct consultation with the NRC staff and by engineering judgment.

(The NRC has emphasized that these input data are largely unverified estimates of human and component reliability. According to the NRC, errors as large as an order of magnitude up or down may exist in this data.

In spite of this uncertainty, such data can provide a uniform basis for obtaining reliability results for plants with substantially different system designs. Because of this uncertainty, absolute values of calculated reliability must be strongly de-emphasized, and even relative reliability standings are subject to uncertainty.)

After construction of the fault tree, unavailability analyses were performed. These analyses were accomplished by inserting the NRC-supplied data at the bottom-level basic events of the fault tree and then working upward with hand calculations to assess the cumulation of unavailability.

Each tree was analyzed a total of nine times; this was necessary to incorporate appropriate modifications for the three event scenarios at each of three times following the initial demand.

Performing the analyses at the level of detail described above provided insights into the relative importance of various contributors to overall system reliability. Thus, the analysis approach used permitted the identification of major failure contributors, which was a major objective of the study.


2.2 General Assumptions and Criteria

Agreement was reached with the NRC staff regarding the assumptions and criteria used in this study, with the goal of obtaining results which were on a consistent basis with those produced by the NRC in the Westinghouse and Combustion Engineering analyses. The assumptions and criteria which were used in this study and which have general applicability are described below. Other, plant specific, assumptions were used and these are contained in the reliability reports for each utility (References 4-9).

1) Definition of Mission Success - In order to evaluate the contribution of system components to overall reliability, it was necessary to determine to what extent failure of those components might prevent successful accomplishment of the AFWS mission. This in turn requires an explicit definition of mission success. The definition adopted for this study was the attainment of flow from at least one full capacity pump (or from at least two half-capacity pumps) to at least one steam generator. Attainment of flow from only one half-capacity pump was not considered system success.

System reliability was calculated at times of 5, 15, and 30 minutes following the existence of initiating conditions to allow for a range of operator action. These times were specifically chosen because NRC-supplied operator reliability data for these times was available; these times are reasonable and consistent with LMFW mitigation for B&W plants.

In their study, the NRC staff has used steam generator dryout time as a criterion for successful AFWS initiation, and the 5-minute case represents a comparable result for B&W plants with anticipatory reactor trips on LMFW. However, steam generator dryout itself does not imply serious consequences; a more appropriate criterion is the maintenance of adequate core cooling. Recent ECCS analyses (Reference 10) have shown that adequate core cooling can be maintained for times in excess of 20 minutes without AFWS operation, providing that at least one High Pressure Injection Pump is operated.

(For Davis-Besse-1, the requirements are contained in References 7 and 11.)


In general, the loss of flow, resulting from random component failures after successful AFWS initiation, was not considered within the scope of this study. However, system characteristics or component limitations which were known to potentially restrict the duration of system operation (to less than 2 hours) were considered in accordance with NRC guidance. Such limitations were included by assuming that they resulted in instantaneous unavailability of the affected components unless the underlying causes were correctable within 5, 15 or 30 minutes.

It must be emphasized that this method for accounting for latent failures results in a very conservative analysis.

It may not take credit for successful AFWS operation until failure, nor does it allow for the possibility that corrective or mitigating measures can be used (such as restoring power or cycling components on and off).

2) Power Availability - The following assumptions were made regarding power availability:

LMFW - All AC and DC power was assumed available with a probability of 1.0.

LMFW/LOOP - All DC power was assumed available with a probability of 1.0. Where applicable, one diesel generator was assumed available with a probability of 1.0 and the other was assumed unavailable with a probability of 10^-2.

LMFW/LOAC - DC and battery-backed AC were assumed available with a probability of 1.0.

3) Interconnections with Other Units - In general, no credit was taken nor any penalty assigned for steam, electric power or auxiliary feedwater supplied from, or diverted to, other adjacent plants.

4) NRC-Supplied Data - NRC-supplied unreliability data for hardware, operator actions and preventive maintenance were assumed valid and directly applicable.
5) Coupled Manual Actions - Manual initiation of valves with identical function and the same physical location was considered coupled. Such valves were assumed to be both opened manually or both not opened. The case in which one valve was opened and the other valve was left closed was not considered.


6) Degraded Failures - This was a binary type analysis as defined in Reference 3. Degraded failures were not considered; that is, components were assumed to operate properly or were treated as failed.

7) Small Lines Ignored - Typically, lines on the order of 1-inch were ignored as possible flow diversion paths.
8) Steam Supply for AFWS Turbines - Adequate steam to the turbine-driven-pump turbines was assumed for the 15 and 30 minute cases. These turbines and pumps are designed to deliver water to the steam generators using steam remaining in the steam lines after generator dryout.


3.0 OVERVIEW OF B&W AUXILIARY FEEDWATER SYSTEMS

A summary description of the major characteristics of Auxiliary Feedwater Systems at B&W operating plants is contained in Table 1.

This information was extracted from plant specific reliability reports which were prepared for each utility (References 4-9). As indicated in the table, there are many functional similarities between the AFWS analyzed. These similarities and some exceptions are summarized below.

All AFWS are capable of providing auxiliary feedwater to one or both steam generators under automatic (or manual) initiation and control.

Each system consists of multiple feedwater trains with a combined capacity of twice the flow of a nominal full capacity pump. This capacity is achieved by the use of at least one full-capacity turbine-driven pump and, with the exception of Davis-Besse-1, which has two turbine-driven pumps, each has either one full-capacity or two half-capacity motor-driven pumps. With the exception of Crystal River-3 and the Oconee Units, all AFW turbines, motors and pumps are self-sufficient entities without dependence on secondary support systems.

Each AFWS has multiple suction sources available, including the condenser hotwell or other backup water supply. Switchover to the backup water supply requires manual action except for Davis-Besse-1 for which this action is automatic.

Motive power for the motor-driven pump(s) is obtained from one (or two, as applicable) nuclear service busses. These busses are backed by diesel generators or, at Oconee, hydro generators. Manual loading of the pump motors onto the diesel generators is required at Rancho Seco and Crystal River-3. In each system, steam for the AFWS turbine(s) may be obtained from either steam generator.

Conditions which will cause AFWS initiation vary between plants with the only common initiating condition being loss of both main feedwater pumps. Every system will be initiated by at least one other condition; examples include: loss of all four reactor coolant pumps or low steam generator level. All AFWS pump initiation circuitry is battery-backed and, except for Arkansas Nuclear One-1, is independent of the Integrated Control System (ICS).


All AFWS but Davis-Besse-1 and the Oconee Units control the flow of auxiliary feedwater to the steam generators by flow control valves under ICS control. Oconee uses separate steam generator level control circuits and Davis-Besse-1 controls steam generator level by varying turbine speed.

With correct system alignment and no component failures, none of the plants require manual action to achieve mission success for Case 1 (LMFW).

In Case 2 (LMFW/LOOP), none of the plants except the Oconee Units require manual action to obtain flow from the turbine-driven pump(s), but manual actions described earlier are required to energize the motor-driven pumps at Rancho Seco and Crystal River-3.

In Case 3 (LMFW/LOAC), only Rancho Seco and Three Mile Island-1 will achieve sustained auxiliary feedwater flow from the turbine-driven pump without manual actions.


4.0 RELIABILITY EVALUATION

4.1 Quantitative Analysis Results

The quantitative results of the fault tree analyses are presented in Figures 1A, B and C.

Indicated in these figures are the Auxiliary Feedwater System unavailabilities for each B&W operating plant for each of the three scenario cases and at each time: 5, 15 and 30 minutes.

These figures provide a general comparative perspective on the range of reliabilities which can be expected from B&W operating plant Auxiliary Feedwater Systems. Limitations described in Section 1.5 should be observed when considering data presented in these figures.

Shown in each figure is an approximate upper limit for the reliability of a two-train AFW system in which the pump in one train is electric-powered from a diesel generator during loss of offsite power.

This limit is calculated for a two train system in which each train consists of one pump with drive, one check valve and one normally open flow control valve.

Pump discharges are interconnected with a crosstie and pump suctions are connected to a "perfect" source. The system has no common mode vulnerabilities or human dependencies. This upper limit, which does not apply to Davis-Besse 1 in Cases 2 and 3 because of their two-turbine system, represents the reliability of an idealized system using only the number of components needed to approximate optimum reliability; this limit is calculated from NRC-supplied component failure data. The minimum reliability in each case represents unavailability of the system (i.e., probability of unavailability is 1.0).
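The bottom-up fault tree evaluation of Section 2.1, applied to the idealized two-train system described above, as an added example that is not part of the report. The component unavailabilities are constructed values (not the Appendix A data); placing the valves downstream of the crosstie and treating LMFW/LOAC as certain loss of AC to the motor-driven pump are assumptions, as are all function and event names.

```python
from math import prod

# Constructed per-demand unavailabilities, for illustration only. They are NOT
# the NRC-supplied values of Appendix A; only the diesel figure (1e-2) and the
# power assumptions per scenario are taken from the report text.
COMPONENTS = {
    "pump_A": 5e-3, "pump_B": 5e-3,    # pump with drive fails to start
    "check_A": 1e-4, "check_B": 1e-4,  # check valve fails to open
    "fcv_A": 1e-4, "fcv_B": 1e-4,      # normally open control valve plugged
}
# Unavailability of AC power to the motor-driven pump in train A (assumed
# mapping: 1.0 under LMFW/LOAC because that pump has no battery backing).
AC_TO_PUMP_A = {"LMFW": 0.0, "LMFW/LOOP": 1e-2, "LMFW/LOAC": 1.0}


def AND(*inputs):
    return ("and", inputs)


def OR(*inputs):
    return ("or", inputs)


def build_tree(crosstie=True):
    """Top event: no flow from any pump to any steam generator."""
    pump_a = OR("pump_A", "ac_A")      # motor-driven, needs AC
    pump_b = "pump_B"                  # turbine-driven, no AC dependence
    path_a = OR("check_A", "fcv_A")
    path_b = OR("check_B", "fcv_B")
    if crosstie:
        # Either pump can feed either discharge path.
        return OR(AND(pump_a, pump_b), AND(path_a, path_b))
    # Without a crosstie each train stands or falls as a unit.
    return AND(OR(pump_a, path_a), OR(pump_b, path_b))


def evaluate(node, q):
    """Work upward from the basic events. Exact only because no basic event
    appears twice in these trees and events are assumed independent."""
    if isinstance(node, str):
        return q[node]
    gate, inputs = node
    values = [evaluate(child, q) for child in inputs]
    if gate == "and":
        return prod(values)
    return 1.0 - prod(1.0 - v for v in values)


def basic_events(scenario):
    return {**COMPONENTS, "ac_A": AC_TO_PUMP_A[scenario]}


def top_unavailability(scenario, crosstie=True):
    return evaluate(build_tree(crosstie), basic_events(scenario))


def dominant_contributors(scenario, crosstie=True):
    """Rank basic events by the fraction of top-event unavailability
    removed if that one event could never occur."""
    tree, q = build_tree(crosstie), basic_events(scenario)
    base = evaluate(tree, q)
    ranking = []
    for name in q:
        reduced = evaluate(tree, {**q, name: 0.0})
        ranking.append((name, 1.0 - reduced / base))
    return sorted(ranking, key=lambda item: item[1], reverse=True)


def single_point_vulnerabilities(scenario, crosstie=True):
    """Components whose failure alone defeats the system, given the
    scenario's power condition and everything else working."""
    tree = build_tree(crosstie)
    ac_lost = 1.0 if AC_TO_PUMP_A[scenario] == 1.0 else 0.0
    found = []
    for name in COMPONENTS:
        q = {other: 0.0 for other in COMPONENTS}
        q.update({"ac_A": ac_lost, name: 1.0})
        if evaluate(tree, q) == 1.0:
            found.append(name)
    return found


if __name__ == "__main__":
    for case in AC_TO_PUMP_A:
        print(case, f"{top_unavailability(case):.2e}",
              single_point_vulnerabilities(case))
```

With these constructed inputs the loss of offsite power raises unavailability by roughly a factor of three, while loss of all AC leaves the turbine-driven pump as a single point of failure.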

The presentation of reliability results in the format of Figure 1 demonstrates the range of reliabilities against a frame of reference which has physically meaningful limits for each case.

Consistent with the results reported by the NRC for Westinghouse and Combustion Engineering Plants (References 1 and 2), B&W operating plant AFWS designs exhibit more than an order of magnitude variability in the calculated reliability for each of the three event scenarios considered.

The effect of degraded power availability is indicated clearly by the differences in the results for each of the three cases. Except for the Oconee Units, the loss of offsite power results in a relatively small decrease in system availability (typically one order of magnitude or less), primarily resulting from the assumed unavailability of one of the two diesel generators (with a probability of 10^-2). However, as indicated by the Case 3 results, a loss of all AC power will have significant consequences for all units.

In Case 3, all but two of the units have AC dependencies which would inhibit system operability.

The effect of corrective operator actions is also shown in Figure 1.

As the time allowed for operator action increases from 5 to 15 and 30 minutes, system unavailability usually improves because human reliability improves and because the range of possible operator action increases (to include for example, manual actions outside the control room).

Reflecting the NRC-supplied human reliability data, this improvement is much more pronounced in the interval between 5 and 15 minutes than in the interval between 15 and 30 minutes. This improvement is also somewhat more pronounced in Case 1 than in Cases 2 and 3 where degraded power availability tends to reduce the number of available options for operator action.

In atypical cases, system reliability may decrease with time, even allowing for increased probability for operator corrective actions.

This results from the treatment of latent failures discussed in Section 2.2.

4.2 Dominant Failure Contributors

A summary tabulation of dominant failure contributors revealed during the fault tree analyses is presented in Table 2.

It appears that improvement of AFWS reliability, based on modifications of hardware-related failure contributors, should be achievable for all B&W plants.

In no case are the contributors so extensive in nature that the inherent AFWS design is unacceptable.

Improvement in AFWS reliability with the removal of dominant contributors is expected to be dramatic in some cases.

For example, the addition of a valve position indicator may result in a calculated system reliability improvement of nearly an order of magnitude.


The most common dominant contributor for Case 1 is outage for preventive maintenance-related activities. Such outages reduce system redundancy and increase the likelihood of unavailability if AFWS use is required. Other typical contributors affecting more than one plant include: flow diversion through normally-closed manually-operated recirculation test valves which may be left open inadvertently, and failure to obtain pump initiation and/or control valve opening because both AFWS trains rely on common initiation/control circuit components.

In general, the loss of offsite power does not impose significant new conditions on the AFWS such that new and substantially different failure contributors become dominant. Thus, Case 2 major failure contributors tend to be identical with those identified during the Case 1 analyses.

Specific exceptions to this rule include: human failures associated with the manual loading of the motor-driven pumps onto diesel generator-backed busses at Rancho Seco and Crystal River-3; and human failure to perform actions necessitated by automatic load shedding at Oconee.

With the exception of Three Mile Island-1 and Rancho Seco, the Case 3 analyses indicate significant AC dependencies for Auxiliary Feedwater Systems. These dependencies may be direct, as is the case for Davis-Besse-1 and Arkansas Nuclear One-1 where certain valves required for AFWS mission success are AC powered; or the dependencies may be indirect, as is the case for Crystal River-3 and the Oconee Units, where AFWS support systems require AC power for continued AFWS operation.

The significance of failure contributors must be carefully evaluated before design and/or procedural changes are recommended. Such evaluation is required because even the significance for the same contributor varies widely between plants. Such variation exists because the importance of failure contributors is distributed differently for different AFWS designs.

A dominant failure contributor for a plant like Davis-Besse-1, which has a relatively uniform distribution of potential failure importance, may be almost insignificant by comparison to a dominant contributor for a plant with salient failure contributors. It is necessary to consider such factors in order to determine the most effective utilization of resources for reliability improvement.


4.3 Single Point Vulnerabilities

A review of Table 2 reveals that two of the AFWS designs (Davis-Besse and Oconee) do not have single point vulnerabilities in Case 1.

In Case 2 only one AFWS (Davis-Besse) has no single point vulnerabilities.

In Case 3, all plants have single point vulnerabilities.


TABLE 1. SUMMARY OF MAJOR CHARACTERISTICS OF B&W OPERATING PLANT AFW SYSTEMS

Plants: Rancho Seco; Oconee-I, II, III; Crystal River-3; Davis-Besse-1; Arkansas Nucl. One-1; Three Mile Island-1

Pumps
Rancho Seco: 1 turbine/motor driven, 1 motor driven
Oconee-I, II, III: 1 turbine driven, 2 1/2 cap. motor driven
Crystal River-3: 1 turbine driven, 1 motor driven
Davis-Besse-1: 2 turbine driven
Arkansas Nucl. One-1: 1 turbine driven, 1 motor driven
Three Mile Island-1: 1 turbine driven, 2 1/2 cap. motor driven

Primary Suction 250,000 g. CST 50,000 g. USTAe8 for '150,000 g. CSI 2 CSI's each 107,000 g. CST 2 C51's each Source il>P 250,000 g.

150,000 g.

US1

  • l(N),000 g. Cond.

lks tw. for f1DP Alter. Suction Canal & reservoir Condensor Hotwell Condensor liotwell 2 Svc. Water Trains Nucl. Svc. Wa ter 5ys.

Riv. Water Sys.

Source connector Switt. hover to Manual Manual for 110 ninual Auto.

Kinual Minual Alt. Suction Discharge Yes, with N.O.

No (N.C. pa ths not Ves, two with Yes with N.C. valves Yes with N.O. valves Yes any pune feeds t.r oss tie valves considered) check valves SIRCS/ man, control any 5/G Each ille feeds 15/G, TDP feeds both e

Iackup Power 2 diesel gen, reowee hydro gen.

2 diesel gen.

2 diesel gen.

2 diesel gen.

2 diesel gen.

Con,r,n Steam Yes

~~ '

'~

~

~

Yes Yes No, sepas a te sim.

Yes Yes Sup,,1y Header Ied supply lines with Irons both 5/G tross-over tonnec-l 7

tions under SIRCS a nntr ol INap flJP f 5f AS,4 RCP trip.

2 HWP to Disch Press 2 ttfWP trip

!Ilf W Viv. Ili Rev. AP 2 HlWP Irip.I s/g to 2 fu WP to t.P. 2 HIWP Irip initiation 2 lifuP trip 2 Hf WP irlp 2 5/Glo level 15/Glolvl. 4 RCP Lvl.

Trip 4 RCP Irip 4 Rt P l e ip Htf Saw minus LSI A5 Sarv.

Saw N/A Sannt Ibore minus 28tfwP 1 rip I

location l y t.

to 105

[xt. to 105 Lat. to 105 51RCS All within 105 it u t.

In 105 g

e s

1 1.fM Control 105 Contr. for Flow S/Gi vl. (ontr. t k ts.

llCS contr. for luebine speed contr. [1C5 contr. for flow for flow I

b'ICScontr.

J. Valves Contsol Vivs. 5/P's for eae h 5/G flow finw r.ontr. vivs.

sptod-contr. vivs.

(cositr. vivs. 5/P's l

ont r. valves. 5/P's for loss of 4 RCP.

contr. vivs SI RCS isol. vivs.

j for Loss of 4 PCP.

for loss of 4 Hf P.

2 lifMP All rontr. sep. from 2 lis WP 2 HlWP ICS ti+rator t'ose i None H'q.l.

None R *

  • pl.

None R'spl.

None R*<,d.

None R*qd.

None R*.rt.(Oprn 6" Attions 5 t ne Suppl y) for Case 2 fl.en. Load of HOP on Open ile Cool. Water Han. t oad of HIP Hone R'qd.

None it'qd.

,None H'qd. (0 pen 6" Sustained D.G.(if IIP falls)

Viv..reature load (if IOP fails)

Sim. Supply)

N AIN Finw shed I'WR

[

f

n. O tkme R*qd.(Open 6" CD Case 3 Hone H'qd.

Nane Avail.

lNoneAvail.

Kne. open. AC Vivs.

.._._.1-.-

$. pen AC Vlvs..

I

"* NI'Pllk--

Hi P'"

Note: For details refer to plant specific draft reports (References 4-9).

TDP - Turbine Driven Pump; MDP - Motor Driven Pump; UST - Upper Surge Tank; RCP - Reactor Coolant Pump; S/G - Steam Generator; S/P - Set Point; CST - Condensate Storage Tank; MFWP - Main Feedwater Pump; ICS - Integrated Control System


TABLE 2 - MAJOR FAILURE CONTRIBUTORS

Plants: Rancho Seco; Oconee-I,II,III; Crystal River-3; Davis-Besse-1; Arkansas Nucl. One-1; Three Mile Island-1

f t) Flow diversion f rom

1) luitine support
1) Valve plugging in
1) Preventiva main-
1) i'reventive muin-
1) lailure to olitain both trains via te-systens lai lures eg.

a coneausa camiling teriante of orie tosia Ke snatages.

feedwate. flow circ. valve fuS-055, aux, inbe oll, imp.

water line to both train coupledwith

2) fallute to obtain i.e(ause of actua-i i f inadvertently
2) lue bine puup bea r-pung es.

randone failures systene initiations tiepi t i r t isi t C'5' 1 *-

M*'n ny tallure if

)

ages rpm-in the other can W 3use failum et f ailuies town to I ) Outat es for pre-va l ve l PSU-131 ventive mainte-defeat insissiori tems.sni < <nitionesits init h t r aises.

2 v(nt ve suintenance.

doesn' t ops n.

nance.

sutress, in the initiation
2) Preventive si, sin-
3) Loss of suction and control equip-ten nte outages.

because uppe r surge sent for tuith

3) Isolation valves tanks are not trains.

inadvertently left closedI replentsbed.

3) f low diversion via
4) Ilo.s di version via if ter pimip testing.

f Wil A.12A.Ilh or recirc. valve I14-88, 170.

If inadvertently

4) Suttion related open.

Failures (incorrec t alignment of CV2803 and CV2800).

Case i Contributors Case I Contributors Case ! Contributors Case 1 Contributor Case I Contributors Case ! Contributors plus p)lus: toss oTiiiidiisi 1 -

Iilus:

ITIallure to man-I)~ failure to mar.ually ually load motor water to turbine load the motor driven puup onto puup lecause driven puup onto diesel.

I V>H.1311s load the diesel, e

r*u e 2".

s t.( d.

g,gj

2) loss of surtion for l

g,gp tuebine iniless l

C-MI is opened

.uid nunual loading of botwoll pimps on 4100 VN: bus.cs 1

3) fri-92 staying open l

l.ecause ll'i-H1 or Hi-129 h w" f ailed j

upt-n two lar.s of air-inadmguate? s t: aus leir ten bine.

i:ast I Contriteutors is:ase I and 2 fonteil>- tase i..n.1 ? fontrib-Caw I tiwilril.utors Case I lontributuis l aw I f inale il.utos s

~~

ii viilving hiriiide~

'utnis iiivalving,tur-p t o i '. inulving tur-p)lus :

E)lue. :

pes t.iining to tuabine driven gi mg.

Re i!.._*5 _t us h_ie,e pupp, laine tuib_ine pimy2 l

I Af dependerne of

] At lependente of ano tuihine g wy g lus:

~

hiu, all AiWs valves valves su*cessary
1) potreitial f ailisse p)lus ;1 ' ultimat.E lw.s ofll) Ultim.ete loss of~ - - -

probileits initial for systene actua-of itWe> bet auw of f aw 3:

I Hnl/

turbint i+e..use of tui hine pimqi lie-AIWS mission tion ptohibits loss of air leading LOAC ina icquate lube oil (ause of lack of su<; cess-initial ATWS mis-to degraika steam cnoling fins AC beas ing tooling sion success.

supply and/or tur-i operated lobe oil w.s t er-suppl ied bine severspeed trip.

N cooling water circu-finni AC tooling O

lating pump.

wa ter punps.

4 f.


[FIG. 1A RELATIVE AFWS RELIABILITIES, LMFW. Horizontal axis: POINT UNAVAILABILITY, log scale from 0 to -5, with reliability increasing along the axis. Points plotted for 5 MIN, 15 MIN and 30 MIN for RANCHO SECO, OCONEE I, II, III, CRYSTAL RIVER-3, DAVIS-BESSE-1, ARKANSAS NUCLEAR ONE-1 and THREE MILE ISLAND-1. A line marks the APPROX. MAX. FOR TWO TRAIN SYSTEM*.]

*UPPER LIMIT IS DIFFERENT FOR RANCHO SECO BECAUSE OF THE MULTI-DRIVE PUMP.

[FIG. 1B RELATIVE AFWS RELIABILITIES, LMFW/LOOP. Horizontal axis: POINT UNAVAILABILITY, log scale from 0 to -5, with reliability increasing along the axis. Points plotted for 5 MIN, 15 MIN and 30 MIN for RANCHO SECO, OCONEE-I,II,III, CRYSTAL RIVER-3, DAVIS-BESSE-1, ARKANSAS NUCLEAR ONE-1 and THREE MILE ISLAND-1. A line marks the APPROX. MAX. FOR TWO TRAIN SYS*.]

*WHERE ONE TRAIN IS ELECTRIC POWERED FROM A DIESEL GENERATOR (I.E., EXCLUDING DAVIS-BESSE-1).

LIMIT IS DIFFERENT FOR RANCHO SECO BECAUSE OF THE MULTI-DRIVE PUMP.

[FIG. 1C RELATIVE AFWS RELIABILITIES, LMFW/LOAC. Horizontal axis: POINT UNAVAILABILITY, log scale from 0 to -5, with reliability increasing along the axis. Points plotted for 5 MIN, 15 MIN and 30 MIN for RANCHO SECO, OCONEE-I,II,III, CRYSTAL RIVER-3, DAVIS-BESSE-1, ARK. NUCLEAR ONE-1 and THREE MILE ISLAND-1. A line marks the APPROX. MAX. FOR TWO TRAIN SYSTEM*.]

*WHERE ONE TRAIN IS ELECTRIC POWERED FROM A DIESEL GENERATOR (I.E., EXCLUDING DAVIS-BESSE-1)

REFERENCES

1. DRAFT version of Appendix III (W), Auxiliary Feedwater Systems, as transmitted in a letter from T. E. Murley (NRC) to E. A. Womack (B&W), November 8, 1979.

2. "Nuclear Power and Public Risk", IEEE SPECTRUM, Pgs. 58, November 1979.

3. WASH-1400 (NUREG-75/014), "Reactor Safety Study", USNRC, October 1975.

4. "Auxiliary Feedwater System Reliability Analysis for the Rancho Seco Nuclear Generating Station - Unit No. 1", Babcock & Wilcox, Sept. 10, 1979.

5. "Emergency Feedwater System Reliability Analysis for the Oconee Nuclear Generating Station, Unit No. I, II, III", Babcock & Wilcox, Revision 1, November 1979.

6. "Auxiliary Feedwater System Reliability Analysis for Crystal River Unit No. 3", Babcock & Wilcox, October 1979.

7. "Auxiliary Feedwater System Reliability Analysis for the Davis-Besse Nuclear Generating Station Unit No. 1", Babcock & Wilcox, Revision 1, November 1979.

8. "Emergency Feedwater System Reliability Analysis for Arkansas Nuclear One Generating Station Unit No. 1", Babcock & Wilcox, Revision 1, November 1979.

9. "Emergency Feedwater System Reliability Analysis for the Three Mile Island Nuclear Generating Station Unit No. 1", Babcock & Wilcox, Revision 1, Dec. 1979.

10. "Evaluation of Transient Behavior and Small Reactor Coolant System Breaks in the 177 Fuel Assembly Plant", Volume 1, May 7, 1979, Babcock & Wilcox.

11. "Evaluation of Transient Behavior and Small Reactor Coolant System Breaks in the 177 Fuel Assembly Plant", Volume III - Raised Loop Plants (Davis-Besse), May 16, 1979, Babcock & Wilcox.

APPENDIX A

NRC-SUPPLIED DATA USED FOR PURPOSES OF CONDUCTING A COMPARATIVE ASSESSMENT OF EXISTING AFWS DESIGNS & THEIR POTENTIAL RELIABILITIES

I. Component (Hardware) Failure Data

Point Value Estimate of Probability of Failure on Demand*

a. Valves:
   Manual Valves (Plugged): ~1 x 10-[illegible]
   Check Valves: ~1 x 10-[illegible]
   Motor Operated Valves
     Mechanical Components: ~1 x 10-[illegible]
     Plugging Contribution: ~1 x 10-[illegible]
     Control Circuit (Local to Valve)
       w/ Quarterly Tests: ~6 x 10-3
       w/ Monthly Tests: ~2 x 10-3

b. Pumps: (1 Pump)
   Mechanical Components: ~1 x 10-3
   Control Circuit
     w/ Quarterly Tests: ~7 x 10-[illegible]
     w/ Monthly Tests: ~4 x 10-[illegible]

c. Actuation Logic: ~7 x 10-3

* Error factors of 3-10 (up and down) about such values are not unexpected for basic data uncertainties.

Appendix A II. Human Acts & Errors - Failure Data:

Estimated Human Error / Failure Probabilities

Modifying Factors & Situations (each with a point value estimate and an estimate of the error factor on that value):
   (i) With Valve Position Indication in Control Room
   (ii) With Local Walk-Around & Double Check Procedures
   (iii) w/o Either

A) Acts & Errors of a Pre-Accident Nature

1. Valves mispositioned during test / maintenance.

   a) Specific single valve wrongly selected out of a population of valves during conduct of a test or maintenance act ("X" no. of valves in population at choice).
      (i), (ii), (iii): [values illegible]

   b) Inadvertently leaves correct valve in wrong position.
      (i) ~5 x 10-4, error factor 20
      (ii) ~5 x 10-3, error factor 10
      (iii) ~10-2, error factor 10

2. More than one valve is affected (coupled errors).
      (i) ~1 x 10-4, error factor 20
      (ii) ~1 x 10-3, error factor 10
      (iii) ~3 x 10-3, error factor 10

Appendix A II. Human Acts & Errors - Failure Data (Cont'd):

Estimated Human Error / Failure Probabilities

B) Acts & Errors of a Post-Accident Nature

1. Manual actuation of AFWS from Control Room. Considering "non-dedicated" operator to actuate AFWS and possible backup actuation of AFWS.

   Time Actuation Needed    Estimated Failure Prob. for Primary Operator to Actuate AFWS Components
   ~5 min.                  ~5 x 10-2
   ~15 min.                 ~1 x 10-2
   ~30 min.                 ~5 x 10-3

III. Maintenance Outage Contribution

Maintenance outage for pumps and EMOVS:

   Q(Maintenance) ≈ 0.22 x (# hours / maintenance act) / 720

APPENDIX B

COMPARABILITY WITH NRC ANALYSES FOR THE RELIABILITY OF AUXILIARY FEEDWATER SYSTEMS

B.1 Background

A major objective, established at the outset of B&W's Auxiliary Feedwater System Reliability Study, was the production of reliability results which could be compared with the results obtained by the NRC in its analyses of Westinghouse (W) and Combustion Engineering (CE) plants (References 1 and 2). The desired comparability was to be achieved by maintaining consistency with the NRC analyses; this consistency was to involve use of the same three event scenarios, the same fault tree analysis method, and the same assumptions, levels of detail and data employed by the NRC. Questions regarding the NRC's approach were to be resolved by direct consultation with NRC staff personnel who had participated in the W and CE analyses.

B&W did not have access to the fault trees used in the NRC study and therefore had to rely on telephone consultations with the NRC and independent engineering judgment in many cases. It is now evident to B&W that some inconsistencies have occurred which may invalidate a direct comparison between the B&W and NRC results. In particular, the NRC calculated reliabilities reported for some W plants are higher than would be possible using the B&W approach. This implies that systematic differences in the calculated reliabilities may reflect differences in the B&W and NRC approaches, and do not necessarily signify actual differences in system reliabilities.

B.2 Examples of Evaluation Approach Differences and Their Effects

One important area of difference between the NRC and the B&W approach involves an assumption concerning the number of operating pumps required to achieve mission success. It appears that, in some cases, the NRC gave credit for mission success upon successful operation of a single "half-capacity" pump. The effect of this on system reliability, depending on other areas of redundancy, is to shift reliability toward that of a three-train system.

Two of the AFW systems analyzed by B&W also employed half-capacity pumps; however, B&W assumed that mission success could not be achieved by operation of one half-capacity pump by itself. An example of the effect of this assumption is shown in Figure B1 for the Oconee Units. As indicated in the figure, the assumption of mission success upon operation of a single half-capacity pump improves the calculated system reliability by more than an order of magnitude. An estimated reciprocal effect on one of the W plants analyzed by the NRC is also shown in Figure B1. As expected, the quoted reliability decreases by over an order of magnitude.

The use of different pump operation assumptions described above is a readily detectable difference between the B&W and NRC approaches; other differences may also exist. One such area of concern is the scope and level of detail of the fault tree analyses. The level of detail (fault tree failure rate data input level) used by B&W appears to be generally consistent with that used by the NRC; however, the scope (number of fault tree branches) of B&W's analyses may be greater. It is likely that, with more time available, B&W conducted a more comprehensive analysis; and a more comprehensive analysis frequently results in a lower calculated reliability.
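The effect of the success criterion discussed in B.2 can be reproduced with a small state-enumeration model. The following is an added example, not part of the B&W report or its fault trees: it assumes independent pump failures, an illustrative configuration of one full-capacity and two half-capacity pumps, and a constructed 7 hours per maintenance act; only the pump mechanical value and the maintenance outage expression are taken from Appendix A.

```python
from itertools import product

def maintenance_outage(hours_per_act):
    """Appendix A, III: 0.22 x (# hours / maintenance act) / 720."""
    return 0.22 * hours_per_act / 720.0

def system_unavailability(pumps, required_capacity):
    """Probability that working pumps deliver less than required_capacity.

    pumps: list of (capacity_fraction, unavailability_on_demand).
    Failures are assumed independent (no common-cause term), which is
    a simplification of this example, not of the report's analysis.
    """
    total = 0.0
    for state in product((True, False), repeat=len(pumps)):
        prob = 1.0
        capacity = 0.0
        for works, (cap, q) in zip(state, pumps):
            prob *= (1.0 - q) if works else q
            if works:
                capacity += cap
        if capacity < required_capacity:
            total += prob
    return total

PUMP_MECHANICAL = 1e-3          # Appendix A point value, pump mechanical
HOURS_PER_ACT = 7.0             # constructed value for illustration
Q_PUMP = PUMP_MECHANICAL + maintenance_outage(HOURS_PER_ACT)

# Illustrative layout: one full-capacity pump, two half-capacity pumps.
PUMPS = [(1.0, Q_PUMP), (0.5, Q_PUMP), (0.5, Q_PUMP)]

def compare():
    """Return (strict, credited, ratio) for the two success criteria."""
    # B&W assumption: one half-capacity pump alone is not success.
    strict = system_unavailability(PUMPS, required_capacity=1.0)
    # Credit given for a single half-capacity pump.
    credited = system_unavailability(PUMPS, required_capacity=0.5)
    return strict, credited, strict / credited

if __name__ == "__main__":
    strict, credited, ratio = compare()
    print(f"full capacity required : {strict:.3e}")
    print(f"half capacity credited : {credited:.3e}")
    print(f"ratio                  : {ratio:.0f}")
```

With independent failures the credited case fails only when all three pumps fail, which is the three-train behavior B.2 describes; adding a common-cause term would narrow the gap between the two results.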

B.3 Comparison of Reliability Results

Figure B2 shows a comparison of calculated reliabilities for the B&W operating plants with results obtained by the NRC for W and CE. The format for this figure was derived from References 1 and 2. The figure demonstrates that, with allowances for analysis differences, the range of expected AFWS reliabilities for B&W plants is similar to that obtained by the NRC for W and CE.

[FIG. B1 EFFECT OF ASSUMPTION ON CALCULATED AFWS RELIABILITY. CASE 1: LMFW. Horizontal axis: POINT UNAVAILABILITY, log scale from 0 to -5. Plotted: OCONEE I,II,III, AFW WITHIN 5 MINUTES (IMPROVEMENT WITH NRC ASSUMPTION ON 1/2 CAP PUMPS); PLANT X*, AFW WITHIN 20 MINUTES (EFFECT OF B&W ASSUMPTION ON 1/2 CAP PUMPS).]

*DATA OBTAINED FROM REFERENCE 1 AND PLANT X FSAR.

[FIG. B2 COMPARISON OF B&W AFWS RELIABILITY WITH NRC RESULTS FOR W PLANTS. Panels: CASE 1: LMFW; CASE 2: LMFW/LOOP; CASE 3: LMFW/LOAC. Rows, AFW WITHIN 5 MIN.: RANCHO SECO, OCONEE UNITS*, CRYSTAL RIVER-3, DAVIS-BESSE-1, ARK. NUC. ONE-1, THREE MILE ISLAND-1. Rows, AFW WITHIN 20 MIN.: RANGE OF B&W* PLANTS WITH NRC ASSUMPTIONS; RANGE OF W PLANTS (BY NRC).]

*RELIABILITY CHANGE DERIVED FROM FIG. B1