ML19326E070
| ML19326E070 | |
| Person / Time | |
|---|---|
| Site: | Washington Public Power Supply System |
| Issue date: | 07/16/1980 |
| From: | Bozarth D, Mcbride A, Minarick J SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY |
| To: | |
| Shared Package | |
| ML19326E068 | List: |
| References | |
| NUDOCS 8007250552 | |
| Download: ML19326E070 (214) | |
Text
__ __ _ _ _ _ _
l l
I e
I I
! RELIABILITY EVALUATION OF THE WASHINGTON PUBLIC POWER SUPPLY SYSTEM NUCLEAR PROJECTS NOS. 1 AND 4 VOLUME 1 MAI! REPORT Prepared by:
A. F. McBride, Principal investigator J. W. Minarick I D. P. Bozarth J. R. Penland I Science App 1tions, Inc. .
800 Oak Rt
- Turnpike I Oak Ridge, Tennessee (615)482-9031 37830 lg ae,,1e, 1e80 I ~
I ,
ll 'ef i !
soo'MoGSF I __ - - _ - _ _ - . _ - . . . - . . _. .._,_ . --
TABLE OF CONTENTS WNP 1 AND 4 RELIABILITY EVALUATION VOLUME 1 Pagg
- 1. 0 -
SUMMARY
OF RESULTS . . . . . . . . . . . . . . . . . . . . . 1
2.0 INTRODUCTION
. . ...................... 3
- 3. 0 WNP-1,4 FAILURE MODES ................... 7
3.1 DESCRIPTION
OF PLANT ................. 7 3.2 PLANT FAILURE MODES . . . . . . . . . . . . . . . . . . 8 3.3 FUNCTIONAL EVENT TREE DESCRIPTION . . . . . . . . . . . 10 4.0 INITIATING EVENT PROBABILITIES . . . . . . . . . . . . . . . 19 4.1 ANALYSIS OF LOFW TRANSIENTS . . . . . . . . . . . . . . 21 4.2 ANALYSIS OF LOSS OF ELECTRICAL GRID . . . . . . . . . 25 4.3 EVALUATION OF LOSS OF OFFSITE POWER . . . . . . . . . . 29 4.4 SEVERE WEATHER AND NATURAL DISASTERS ......... 31 5.0 MITIGATING SYSTEMS' DESCRIPTIONS . . . . . . . . . . . . . . 49 5.1 AUXILIARY FEEDWATER SYSTEM .............. 49 5.2 HIGH PRESSURE INJECTION . . . . . . . . . . . . . . . . 54 5.3 INSTRUMENT AIR SYSTEM . . . . . . . . . . . . . . . . . 59 5.4 SERVICE WATER SYSTEM ................. 60 5.5 SCRAM SYSTEMS . . . . . . . . . . . . . . . . . . . . . 61 5.6 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM . . . . . . 62 5.7 ESSENTIAL CONTROLS AND INSTRUMENTATION ........ 65 5.8 ELECTRICAL POWER SYSTEMS ............... 66 ;
l 6.0 MITIGATING SYSTEMS FAULT TREE ANALYSES . . . . . . . . . . . 105 6.1 AUXILIARY FEEDWATER SYSTEM .............. 105 )
F 6.2 HIGH PRESSURE INJECTION . . . . . . . . . . . . . . . . 110 E 6.3 INSTRUMENT AIR SYSTEM . . . . . . . . . . . . . . . . . 113 6.4 SERVICE WATER SYSTEM ................. 114 6.5 SCRAM SYSTEMS . . . . . . . . . . . . . . . . . . . . . 115 6.6 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM . . . . . . 116 6.7 ESSENTIAL CONTROLS AND INSTRUMENTATION ........ 117 6.8 ELECTRICAL POWER SYSTEMS ............... 118 7.0 RELIABILITY DATA DEVELOPMENT . . . . . . . . . . . . . . . . 139
7.1 INTRODUCTION
... .................. 139 7.2 COMPONENT FAILURE PARAMETERS ...: ......... 139 7.3 HUMAN RELIABILITY EVALUATION ............. 151 8.0 QUANTIFICATION OF SYSTEMS FAULT TREES ........... 197 8.1 COMPUTER METHODS FOR FAULT TREE EVALUATION ...... 197 8.2 PRINCIPAL CUT SETS OF MITIGATING SYSTEMS ....... 198
, iii -
l l
l
l 1
TABLE OF CONTENTS (Continued)
Page 9.0 FINAL RESULTS AND CONCLUSIONS OF THE WNP 1 AND 4 RELIABILITY EVALUATION . . . . . . . . . . . . . . . . . . . 215 9.1 APPLICATION OF LOFW TRANSIENT INITIATING EVENT
< FREQUENCIES TO THE EVENT TREE , . . . . . . . . . . . . 215
} 9.2 EVALUATION OF THE CORE FAILURE FREQUENCY. . . . . . . . 217
9.3 CONCLUSION
S OF THE WNP 1 AND 1 RELIABILITY EVALUATION . 218 l
l e
1 l
l l
1 I
l I
l i
l iv EI l I
I LIST OF TABLES l
Table Page 4-1 Expected Number of LOFW Trips vs. Time . . . . . . . . 36 4-2 Summary of BPA Grid Outage Data for 230-kV and 500-kV Lines . . . . . . . . . . . . . . . . . . . . . 37 5-1 Operating Positions of AFS Control Valves LCV-4007, -4009, -4025, and -4026 .......... 68 5-2 Auxiliary Feedwater and Operating Modes ....... 69 5-3 Reliability Block Diagram Components . . . . . . . . . 71 5-4 Success States for Scram Failed Sequences ...... 72 5-5 MU&P System Components Required to Function for HPI Following LOFW . . . . . . . . . . . ....... 73 5-6 Instrument Air System Components . . . . . . . . . . . 79 5-7 Servict Water System Principal Components ...... 80 7-1 Required Failure and Time Parameters . . . . . . . . 155 7-2A Auxiliary Feedwater System Failure Probabilities--
Mechanical Failures . . . . . . . . . . . . . . . . 156 7-2B' Auxiliary Feedwater System Failure Probabilities--
Human Failures . . . . . . . . . . . . . . . . . . . 159 7-3A Instrument Air System Failure Probabilities--
Mechanical Failures . . . . . . . . . . . . . . . . 161 7-38 Instrument Air System Failure Probabilities--
Human Failures . . . . . . . . . . . . . . . . . . . 162 7-4A Service Water System Failure Probabilities--
Mechanical Failures . . . . . . . . . . . . . . . . 163 7-4B Service Water System Failure Probabilities--
Human Failures . . . . . . . . . . . . . . . . . . . 164 7-5A High-Pressure Injection System Failure Probabilities--Mechanical Failures . . . . . . . . . 165 7-5B High-Pressure Injection System Failure Probabilities--Human Failures . . . . . . . . . . . 173 v 8M 1l
LIST OF TABLES (Continued)
Taole P3 l 7-6A Electrical Power System Failure Probabilities--
I Mechanical Failures . . . . . . . . . . . . . . . . . 178 m 7-6B Electrical Power System Failure Probabilities--
I,'
Human Failures ................... 189 7-7 Failure Probabilities for Technician Leaving a Valve in the Incorrect Position . . . . . . . . . . . 191 I
I s
vi //
I LIST OF FIGURES Figure Page 3-1 Functional Event Tree for the WNP 1 and 4 Reliability Evaluation. . . . . . . . . . . . . . . . 16 4-1 Time On Test Plot LOFW ............... 38 4-2 LOFW Hazard Rate vs. Calender Time. . . . . . . . . . 39 4-3 Expected Total Number of LOFW Trips vs.
Calender Time .................... 40 4-4 Frequency of Secondary Multiple Accidental Outages for 230 kV and 500 kV Lines ............. 41 4-5 Distribution Function for Repair Time of Automatic I Outages for 230 kV and 500 kV Lines ......... 42 I 4-6 Distribution Functiun for Repair Time of Automatic and Planned Outages for 230 kV and 500 kV Lines ... 43 l 4-7 Event Tree for Evaluation of Simultaneous Outage of 230 kV and 500 kV Lines Initiated by Failure of the 500 kV Line ............. 44 4-8 Density and Cumulative Distribution Fenction for Expected Maximum Annual Wind Speed . . . . . . . . . . 45 5-1 WNP 1 and 4 Auxiliary Feedwater System . . . . . . . . 82 5-2 Auxiliary Feedwater System Success Diagram (Reliability Block Diagram) ............. 83 5-3 Equivalent Auxiliary Feedwater System RBD for Scram Success Sequence (MKL ) ............ 84 1
t-4 Auxiliary Feedwater System RBD for Scram Failed Sequences (MKL ) . . . . . . . . . . . . . . . . . . . 85 2
5-5 WNP 1 and 4 MU&P Equipment Considered in the Analysis . . . . . . . . . . . . . . . . . . . . . . . 87 5-6 Makeup and Purification System Operating States ... 89 5-7 MU&P System Reoriented as the HPI System . ...... 91 5-8 HPI System Event Tree Subsections .......... 93 AI vii
LIST OF FIGURES (Continued)
Figure Page 5-9 HPI System Success Event Tree ............ 95 5-10 Instrument Air System ................ 96 5-11 Service Water Systems ................ 97 5-12 ESFAS Actuation Subsystem A ............. 98 5-13 ESFAS F0GG-Sensor Subsystem A ,........... 99 5-14 Simplified Diagram - ECI Channel "X". . . . . . . . 100 5-15 Simplified Drawing of WNP-1, 4 IE Electric Power System . . . . . . . . . . . . . . . . . . . . 101 6-1 Illustrative Fault Tree of the Auxiliary Feedwater' System (MKL Sequence). . . . . . . . . . 123 1
6-2 Illustrative Common Mode and Random Failure Representation on Fault Trees . . . . . . . . . . . 124 6-3 HPI System Divided into Passive Failure Regions . . 125 6-4 Simo!ified Injection Path I Fault Tree . . . . . . 127 2
6-5 Sirrplified Control Valve Fault Tree . . . . . . . . 128 6-6 Use of Conditional Gates to Describe Various l System Operating Conditions . . . . . . . . . . . . 129 6-7 Simplified Fault Tree for Train T During p Operating Conditions NA . . . . . . . . . . . . . . 130 6-8 ESFAS Actuation Subsystem Fault Tree . . . . . . . . 131 6-9 ESFAS Sensor Subsystem Fault Tree . . . . . . . . . 13 2 .
6-10 ESFAS Sensor Subsystem CMF Fault Tree . . . . . . . 133 6-11 ECI X-Control Circuit 1 Fault Tree . . . . . . . . . 134
. 6-12 ECI X-Actuation Fault Tree . . . . . . . . . . . . . 135 6-13 Simplified Fault Tree for 4160 VAC Bus EA With Preferred Power Provided from the SAT . . . . . . . 136 7-1 Fault Tree for Technician Leaving a' Valve in Improper Position After Maintenance . . . . . . . . 193 1l 11 \
viii )
j
i LIST OF FIGURES (Continued)
Fiqure Page 8-1 Principal Auxiliary Feedwater System Cut Sets With the Grid Available ............... 207 8-2 Principal Auxiliary Feedwater System Cut Sets With the Grid Unavailable .............. 208 8-3 Principal Auxiliary Feedwater System Cut Sets ,
for Scram Failed Criteria (Grid Available). . . . . . 209 1 8-4 Principal Auxiliary Feedwater System Cut Sets for Scram Failed Criteria (Grid Unavailable). . . . . 210 8-5 High Pressure Injection System Cut Sets With 1
the Grid Available. . . . . . . . . . . c . . . . . . 211 1
i 8-6 High Pressure Injection System Cut Sets With the G rid Unavail abl e . . . . . . . . . . . . . . . . . . . 212 8-7 Principal Cut Sets of the Combined Auxiliary Feedwater and High Pressure Injection Syshms With the Grid Available ....... ........ 213 8-8 Principal Cut Sets of the Combined Auxiliary Feedwater and High Pressure Injection Systems With the Grid Unavailable .............. 214 1 l
9-1 Time Averaged Frequency of Core Failures Following i Loss of Main Feedwater Transients .. ........ 219 9-2 Comparison of the Contributions of Core Failure Sequences to the Total Core Failure Frequency Following Loss of Main Feedwater Transients ..... 220 9-3 Variation of Expected Core Failure Frequency Following Loss of Main Feedwater Transients Over Plant Operatirg Life .............. 221 l
l 8
AI l ix
1.0
SUMMARY
I A reliability evaluation of the Washington Public Power Supply System WNP 1 and 4 nuclear power plants has been performed to assess the frequency of unrecoverable core failures following loss of main feedwater transients. This study incledes analyses of the frequency of initiating transients, establishing criteria for mitigating systems succe s in terms of the performance required to prevent core failure, calculating the probabilities of mitigating systems' failures and, based on the above, calculating the frequency of core failure.
The major results of the study show:
I 1. The calculated frequency of core failures following loss of main feedwater transients varies from 3.5x10 8 failure events per year in the first year of critical core operation to 9x10 7 failure events per year in the sixth and subsequent years of operation. The average core failure rate over the 40 year plant life is 1x10 8 failure events per year.
- 2. Core failure sequences following loss of feedwater events caused by offsite electrical grid outages and those following loss of feedwater events due to all other I causes each contribute approximately one half of the total core failure rate.
- 3. Scram failure sequences following loss of main feedwater (the dominant " Anticipated Transient Without Scram" for pressurized water reactors) did not contribute significantly to the total core failure rate. The I calculated 1.4x10 8 failure events per year for scram failure sequences contributed approximately 1% of the total average core failure rate. The contribution of scram failure sequences following grid outage events is I insignificant even with respect to the contribution of scram failure sequences following loss of feedwater events due to all other causes.
Based on the above results, it is concluded that the WNP 1 and 4 plant systems are very well designed. The estimated core failure rate is substantially less than the 1 x 10 3 failure per year criterion which
! had been proposed for the probability of core failure based on plant operation and design.
. 1 1/
I
2.0 INTRODUCTION
2.1 BACKGROUND
The use of probabilistic risk assessment techniques for analysis of I nuclear power plant safety has evolved from an analytical exercise to industry acceptance as a useful tool for improved plant design and op: ns. This industry acceptance is evidenced by the increased interest by plant owners and from such national groups as the Nuclear I Regulatory Commission (NRC), the Advisory Committee on Reactor Safeguards, the Kemeny Commission, and the Rogovin Commission. Recent interest has been focused on and by the NRC's Integrated Reliability Evaluation Program (IREP) which is directed ultimately at providing estimates of public risk resulting from operation of each nuclear power plant in the U.S. The IREP program began with an evaluation, funded by the NRC, of Florida Power Corporation's Crystal River Nuclear Plant.
I The Reactor Safety Study and preliminary results from the Crystal River IREP study have indicated a loss of main feedwater coupled with failure of the auxiliary feedwater and high pressure injection functions is a dominant contributor to the probability of core failure. Due to the recognized importance of this transient, an evaluation of the WNP 1 and l 4 plants' ability to recover from loss of main feedwater transients was undertaken.
2.2 TECHNICAL DESCRIPTION !
I The WNP 1, 4 reliability evaluation described in this report uses the event tree-fault tree methodology employed in ongoing IREP studies.
1 This methodology was developed, used and described in detail in the l l
Reactor Safety Study, WASH-1400. The event tree-fault tree methodology, I as employed in this evaluation, consists of four basic tasks:
- 1. Event Tree 6efinition.
- 2. Computation of the Frequency of the Initiating Transient.
I 3
d"
I
- 3. Fault Tree Development.
- 4. Numerical Evaluation of the Event and Fault Trees.
The event tree, a logical construction describing a plant response to an assumed transient in terms of the availability or unavailability of safety functions, was constructed for the WNP 1 and 4 plants for loss of main feedwater transients. The plant response to loss of main feedwater and the construction of the event tree defining the mitigating functions required following this transient are described in detail in Section 3.
Numerical evaluation of the event tree is required to determine the frequency of plant failures following loss of main feedwater transients.
To accomplish this, it was necessary to compute the arrival frequency of the transients and, given the transient, the conditional probability of the failure of safety functions designed to mitigate the effects of the transient as defined by the event tree.
The computation of the arrival frequency of loss of main feedwater transients is discussed in Section 4. In Section 4, the frequency of particular types of loss of main feedwater transients are considered since the cause of the transient may affect the availability of required mitigating functions.
The probability of failure of required safety functions was computed using fault tree methodology. Based on the WNP 1 and 4 systems' designs, discussed in Section 5, fault trees of the safety function failure, in terms of combinations of failures of mitigating system components, were constructed. The construction of the fault trees is discussed in Section 6 and the fault trees themselves are provided in Volume 2 of this report.
The numerical evaluation of the fault trees required the determination I
of the probability of the failure events considered in the fault trees.
The determination of the failure probabilities for these events, which included independent and common mode component failures and human intervention, is discussed in Section 7.
4
)
I I Finally, . the above information was numerically evaluated using computer techniques t- atain the estimated frequency of core failures in response tu sss of main feedwater transients. The results and conclusions of this effort are discussed in Sections 8 and 9.
I I
I I
I I -
I I
I I
I I
I l
5 d
3.0 WNP 1 AND 4 PLANT RESPONSl' TO LOSS OF MAIN FEEDWATER TRANSIENTS I
In order to construct an event tree defining the WNP plant recovery or failure following the loss of main feedwater, it is necessary to establish the Nuclear Steam Supply System (NSSS) response to the transient and the mitigating functions necessary to prevent NSSS or core I failure. The WNP NSSS design is discussed briefly in Section 3.1 and the plant response to loss of main feedwater is discussed in Section 3.2. Using this information, the construction of the event tree defining core recovery or failure in terms of the availability of mitigating functions is described in Section 3.3.
3.1 WNP 1 and 4 NSSS The WNP 1 and 4 plants are pressurized water reactor nuclear power stations. The NSSS's are designed by the Babcock and Wilcox Company.
l The Babcock & Wilcox (B&W) NSSS comprises a pressurized water reactor, the Reagtr- Coolant System (RCS), and associated auxiliary fluid
)
systems. The RCS is arranged in two closed coolant loops connected in I parallel to the reactor vessel; each loop contains two reactor coolant pumps and an Integral Economizer Once Through Steam Generator (OTSG).
I An electrically heated prest,urizer is connected to one of the loops.
The reactor core consists of 205 fuel assemblies of slightly enriched U2ss. At design conditions the core produces 3800 MWt.1 The RCS is designed to contain and circulate subcooled water at pressures and flows necessary to transfer the heat generated in the I reactor core to the secondary fluid in the OTSG's. In addition to serving as a heat transport medium, the coolant also serves as a neutron moderator and reflector and as. a solvent for the boric acid used for core reactivity control. In the power generation mode, feedwater is
! pumped into the two OTSG's at a combined rate of approximately 16.4 x 108 lbm/hr.2 The feedwater is boiled to steam and slightly l supetheated by the heat transferred from the reactor coolant. The steam l
E
l l1 i
1 is expanded through a 1339 MWe turbine ganerator unit, condensed in the I
main condensers and returned to the steam generators as feedwater.3 In the event the feedwater flow is interrupted, boron carbide control I rod assemblies will be released and drop into the core (reactor scram) by gravity. This will rapidly terminate the production of power in the j core. The residual heat produced by the core is removed through the OTSG's, which are supplied with feedwater by the automatically started backup or auxiliary feedwater system (AFS). Should this system fail, the operator can manually initiate the High Pressure Injection System (HPI) which pumps borated water into the RCS. In this mode of operation, the residual heat will be transferred to the reactor coolant which is discharged through the pressurizer relief valves. The WNP 1 and 4 plant designs and operations are similar to the B&W 3800 MWt Standard Plant Design which is described in detail in the Babcock and Wilcox standard safety analysis report, B-SAR-205.4 I
3.2 NSSS RESPONSE TO LOSS OF MAIN FEEDWATER The interruption of feedwater to the steam generators will result in a rapid increase in the pressure and temperature of the reactor coolant due to the imbalance between the heat production in the core and the heat removal in the steam g'enerators. In the short term, t'2 first minute of the transient, the core will be brought to a subcritical state by the automatic insertion of control rods (reactor scram) or by nuclear feedback mechanisms rasulting from the increased temperature and decreased density of the reactor coolant (or moderator). Under these conditions, 4 or 5 of the seven control rod assembly groups are sufficient to achieve rapid core subcriticality. (It should be noted that this requirement differs from control rod insertion requirements to limit the high RCS pressures which may result from scram failure transients. B&W has demonstrated analytically that insertion of any one of the seven groups, -0.7% AK/K, would prevent exceeding the ASME Level C stress limits in the RCS pressure boundary.)6 I
de I I
I In the event of scram failure, the expansion of the heated reactor coolant will result in very high RCS pressures. Sufficiently high pressures could cause failure of the RCS from which the plant may or may not recover. Although the failure pressure has not been determined, B&W has performed analyses which demonstrate that the WNP 1 and 4 RCS designs can safely withstand pressures of 4,000 psig. The actual pressure achieved in the transient will depend on the rapidity of core I power reduction, the relief capacity of the pressurizer safety and pilot valves, and the rapidity and quantity of auxiliary feedwater supplied to the steam generators.
After core subcriticality is achieved, either by nuclear feedback mechanisms or reactor scram, the core will continue to produce residual heat at small and decreasing rates. Unless removed through the steam I generators, this heat will be transferred from the core fuel elements to the reactor coolant which will be discharged through the pressurizer relief valves. After an extended period of time of reactor coolant boiloff without replacement, the inventory of reactor coolant will diminish to the point where the residual heat cannot be adequately I removed from the core fuel assemblies. In this mode, the UO2 fuel and its Zircaloy cladding will heat up. At sufficiently high temperatures the cladding will be oxidized by the high temperature steam and finally the UO2 fuel will melt.
I This process can be halted by injecting borated water into the RCS to I replace the reactor coolant boiled off or by injecting auxiliary feedwater into the steam generators where the heat can be removed from the reactor coolant. B&W has estimated that a borated water injection flowrate of 300 gpm started 20 minutes into the transient or an auxiliary feedwater flowrate of 600 gpm started 30 minutes into the transient would prevent an unrecoverable core failure sequence.5 It should be noted, that these estimates were made based on extrapolating the results of existing analyses and B&W's expert engineering judgement I rather than specific design analyses.
ig lI e
//
's
I 3.3 FUNCTIONAL EVENT TREE FOR THE WNP 1 AND 4 RELIABILITY EVALUATION Event Tree Description Based on the information described in Section 3.2, a functional event tree was constructed to define the response of the WNP 1 and 4 plants to g
loss of main feedwater transients in terms of the success or failure of 3 critical safety functions. The event tree is shown in Figure 3-1. The branches of the tree are described below:
3.3.1 Initiating Transient: The initiating transient for the tree is the loss of main feedwater, event M. M is defined as a combined feedwater flow less than 1200 gpm to either or both steam generators at any time. Since a flowrate greater than 1200 gpm directly leads to
" recovery" (see auxiliary feedwater requirements), the great majority of partial loss of feedwater events can be eliminated from consideration.
- 3.3.2 Reactor Scram: The failure of the control rods to insert into the core, event K, is defined as less taan 5 of 7 control rod groups inserted at any time greater than 10 sec.onds after M occurs. The selection of 5 or more control rod groups being required for core subtriticality at the high reactor coolant (moderator) temperatures following loss of feedwater transients, is probably conservative.
However, this assumption is not expected to affect the numerical results of the reliability analysis. With 3 or more grot.,.s required to fail, E
multiple independent failures can be e; Ninated from consideration. 5 With the probability of K limited to common mode failure probabilities, consideration of the number of control rods inserting or not inserting is not significant (e.g. , P(3 groups fail) s P(all fail)).
3.3.3 Auxiliary Feedwater with Scram Success: The failure of auxiliary feedwater given scram su: cess, event L, is defined as less than a i
g combined 600'gpm flowrate to either or both steam generators at any time E '
greater than 30 minutes after M occurs. Success of auxiliary feedwater in the sequence Mid , is defined to lead directly to core recovery.
t Under these conditions, the heat generated in the subcritical core will I
" I':
10 s
l
I I be removed through the steam generator (s) without high pressure injection of borated water into the reactor coolant system (RCS). Core recovery or failure given L, t will depend on the succes. of high pressure injection discussed below.
I The mission time selected for auxiliary feedwater injection is 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
I Although the operator may choose to continue auxiliary feedwater injection, the plant operating conditions are expected to differ from For the initial conditions selected to define core recovery or failure.
instance, the operating personnel may:
- 1. Repair failed plant equipment.
- 2. Restore main feedwater system operation and remain at hot shutdown.
- 3. Restore main feedwater system operation and return to power generation.
- 4. Reduce RCS pressure and temperature and initiate Decay (Residual) Heat Removal system operation.
I The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> mission time is considered sufficient, under most conditions, to achieve one of the above alternate operating mod. .
3.3.4 High Pressure Injection with Scram Success and Auxiliary Feed-water Failure: Failure of high pressure injection, event U, is defined as less than 300 gpm of borated water injected into the reactor coolant system at any time greater than 20 minutes after M occurs. Success of high pressure injection, in the sequence MRL 0, is defined to lead t
directly to plant recovery with he-t generated in the subcritical core being removed thruugh tae pressurizer relief valves. The sequence MRL U t j is defined to lead to unrecoverable core failure due to eventual loss of reactor coolant and consequently loss of core cooling. As above, the
. mission time selected for hign pressure injection is 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
I I .
I
1/
I 11 l
~
3.3.5 Auxiliary Feedwater with Scram Failure: Failure of auxiliary I
feedwater with scram failure, event L2, is defined as:
- 1. With offsite electrical power available, failure to deliver a 1200 gpm auxiliary feedwater flowrate within 15 seconds or 600 g gpm within 15 seconds and 1800 gpm within 30 seconds after M E occurs.
- 2. With offsite electrical power unavailable, failure to deliver I
a 1200 gpm auxiliary feedwater flowrate within 40 seconds after M occurs.5 The success requirements for 2L are more stringent than those of Et due I.
to the higher reactor core power levels occurring following M.
E Following the MKE t sequentc, the orimary function of Et , is to remove the heat generated by a subcritical core. With scram failure (F.K),
however, a much greater amount of heat will be generated in the core and stored in the reactor coolant system (RCS) early in the transient. The increased heat stored in the RCS will result in very high RCS pressures !
during the first minute of the MK sequence. Although the WNP 1 and 4 RCS's are capabla of withstanding pressures up to approximately 4000 psig, their behavior at pressures exceeding 4000 psig remains unanalyzed. Thus, in addition to long term heat removal, the auxiliary feedwater is required to limit the peak RCS pressure to less than 4000 psig. Pressures exceeding 4000 psig are defined conservatively to result in an unspecified system failure.
The rapid injection of auxiliary feedwater has been defined as required for success (peak RCS pressure less than 4000 psig). The differences in initiation time with and without offsite electric power result from differing reactor core responses to the MK sequence under these conditions. In either case, the reactor core rapidly becomes sub-critical, and the heat generation rate consequentially reduced, due to the increased temperature and decreased density of the water moderator.
s/
l 12 1
I If offsite electric power is lost, the reactor coolant psmps circulating the water moderator through the core will coast down resulting in decreased core flowrates. Under these conditions, the water moderator's temparature will increase and its density will decrease more rapidly than if the reactor coolant pumps continue N operate. Due to the more rapidly achieved core subcriticality, a 1200 gpm auxiliary feedwater flowrate is only required 40 seconds after MK to limit the peak RCS I pressure to less than 4000 psig. With AC power available and the reactor coolant pumps operating, the auxiliary feedwater flowrate is required more rapidly.
l It should be noted that the 1200 gpm or higher flowrates defined for MK sequences are only required early in the transient for peak pressure ,
1 limitation. For long term heat removal, the auxiliary feedwater flow '
rate will be reduced to less than 600 gpm as in the MK sequence. This reduction in the required auxiliary feedwater flowrate conservatively has not been reflected in the success criterion, E2 , to simplify the analysis.
3.3.6 Pressure Relief Valves For the MKLt 0, possibly the MKE tand the MKE 2sequences, heat removal through some combination of the pilot operated relief valve (PORV) and the two safety valves is required for recovery. However, due to the very small probability of these valves failing to open as required, their contribution to system failure is negligible. For simplicity, the relief valves' function has not been included on the event tree, Figure I 3-1.
The MK sequences require at most only one of the two pressure safety valves to open for plant recovery. Since the probability of a single safety valve failure to open is approximately 10 s per demand, the l probability of both safety relief valves failing to open would be l
incredibly small.
I I
s E E 3
g-
I The relief requirements for MK sequences are more stringent than for MI(
sequences due to the higher heat generation rates (see Section 2.2).
However, even with the minimum 1200 gpm auxiliary feedwater flowrate, L,
2 failure of the PORV would result in peak RCS pressures of approximately 4000 psig. Thus, failure of at least one safety relief valve would be necessary for system failure. Since the probability of K is approximately 10 5/dsmand, the probability of scram failure and safety relief valve failure would be again incredibly small.
The relief valve failures considered above were limited to failure to open on demand. Other studies have shown that failure of a relief valve to close after opening [a transient induced loss of reactor coolant accident (LOCA)], can contribute to system failure. However, consideration of LOCA's, including transient induced LOCA's, is beyond g the scope of the present evaluation. W 3.3.7 Plant Status As shown in the event tree, Figure 3-1, the loss of main feedwater transient, M, in combination with the success or failure of critical safety functions led to core recovery or failure. The definitions of core recovery or failure are based on consequences to the integrity of the core or reactor coolant pressure boundary.
Other studies of this type, principally the Reactor Safety Study, WASH 1400, have shown that sequences leading to a status other than an unrecoverable failure of the reactor core do not have a significant impact on public safety. This conclusion was corroborated by the TMI Unit 2 transient of March 28, 1979. At TMI, even though the core experienced extensive cladding failure, the physical impact of the transient on public safety was small.
Based on the above considerations, two sequences led to potential core failure conditions and were defined to be failures:
I
)' l 14
I MKLtU Potential core failure due to insuffici_ent core cooling.
It should be noted that not all MK sequences with I auxiliary feedwater flow < 600 gpm and high pressure injection flow < 300 gpm would lead to core melt:
. 599 gpm of auxiliary feedwater and 299 gpm of high pressure injection certainly would not be a failure. To simplify the calculations, however, these sequences were defined conservatively to be failures.
MKL 2 Potential for overpressurizing the RCS possibly resulting in an unspecified RCS failure, and leading to a core failure. As above, not all MKL2 sequences would result in a core failure for several reasons:
I
- 1. Not all MKL 2 sequences would result in peak RCS pressures exceeding 4000 psig.
- 2. The RCS would not necessarily fail if the peak pressure did exceed 4000 psig.
- 3. Not all RCS failures would result in a core failure.
However, due to insufficient knowladge concerning the behavior of the RCS at very high pressures and to simplify the calculations, all MKL2 transients were defined conservatively to be failures.
The three other sequences, MKL , MRL t t U and MKL 2 were defined to result in a recovery with the reactor core continuously cooled. Unrecoverable core failure, based on the best estimates currently available, will not I oCCdr.
I I
I I
lI E/"
.I
!l llIl! I
~g T
g T R f Y R R R l V u tm t v M0 O l l
el o (
g
( A tA t l i C1 i t a 5 R R R
EE
)
C A C M WHl t
A GI C A
fl M
N [ Cl I 1 E 0 E AA 5 H 1 5 0 n p 5 1 0 1 o t s 0 f 5 1 8 10 t f 5 10 l i C 2 A > f 12 i Al ( f O f 51 t
i K
t
) ' > 0 D O f J S .
/ / II f <
R '
M WW MII 0 O )
N I
it 0
I l
s 2
I I
I C
I I 0 1
C
(
tI lI
/
W C
/I(
W fR CO W M 5
l U
I C
t 1
0 t
J l
A 5
0 5
$N 5
(
C1P I$
N S C S
t g u l
1 I M P
4 1 1I 3
53 0A i
l .
U E C <~ $ < 4 N 1 t 4
P l
a )
E R
U 5
I H
0 R
U 5
5 0
0 3
i HE l
l II
[H I l
I M
> i (Hl
>l ES D M t
u ta 5 2 f R <
I H
l l HIf lIO N u HO l l E
2 1
R P
<~ P W R R M t I l A
l LAW l/ A E
10 I I R A 1 0
I M t G
I M MC M
1 f 1
B
- (
t t M P l
l I 3 Q
I C
RQ HI I GRQ MGIS N
. I N R 05 0E 0I
)
0[W0M0 0W001 5
IH N
I
. 0 2O2t0, 3P8Pf 2O08 1P61 > W D
f 0
3 H 5 >~ > > < < < E a
t C
< 0 3
D
(
M 5 H M t
C U
E M 5 L >
f t I t l K T l I S A l
A a
I I
I A E U
$ H F l
l R M
t
(
t H O
I H l
R 0
P R l A
O
_ t l
A R R E
l i I [
l F f
Y R .
II M
L I
l l
I A
M l
A M 2 A
l M
H G 2 A
M
[ C M
P E M A
l f
i E I I
E G
i L
(
( 0 I (
[
f 0
0 E.
PO N t f 0 & f f 0 2 I t
s R A
0 6
f T
0 0 Y 2
8 V R
1 TT u I L 6 R A >~ A < T A A >
L B
I W A
l < l t W l
t W O NU M U 0 l i W i n
0 l
l I L E L A t I
l u
O L
A U (
f U A (
I VA
(
A I
( E V. F L
AYT M S
P ) NI 5
PL ). U .
O 0 OL I
I R
O 0 R G 5 1
T B H
G 5 1
D 01 CA A
R
(
0 01 0
R O
R L
NL UE I
E 5
R L O R tl FR O
5 ROM
! I I
N Il I
C D N I O O 5 C l 1 A f t
S -
t C
C C
F l
A t
l A
7 A
D 3 E
i S U
F D
( K I
t F
0
(
l a
E M
0 l R
u U 5 t R A
R 5 I S CI < N 5
U C
S (
> N I
S ( S G
I l
F
)
0
= E l
t R M I
f l l I l
5 A l N M A A
R I
L E
(
f n
u E
G N N H I 0 l
A 0 l
A H 2 1
l f
l iM I
5 O
5 W
(
E 0 t 1 I
(
"nc 4
I REFERENCES - SECTION 3
- 1. Babcock and Wilcox, Standard Nuclear Steam System, B-SAR-205, Table 1.3-1.
I 2. Westinghouse Thermal Performance Data for WPPSS Turbine-Generator Unit, March 30, 1979.
- 3. Ibid.
- 4. Babcock & Wilcox Standard Nuclear Steam System, B-SAR-205.
- E5
- s. Record or 2/is,1r so Telecons Steinke, oorman, aones, Banworth, Finnin (B&W), McBr.de, Minarick (SAI) Notebook pps. 31,33.
" Babcock and Wil.3x Anticipated Transients Without Scram Analysis,"
I 6.
i BAW-10099, Rev. 1, May 1977.
I I !
I I
I I
I 3 l l
i I
17 d"
I I "
4.0 INITIATING EVENT PROBABILITIES As discussed in Section 3.0, the frequency of core failures following Loss of Main Feedwater (LOFW) transients, event M, is determined from the fr equency of LOFW transients and the conditional probability of the failure of mitigating systems given the LOFW occurred. Care must be exercised in calculating these numbers, since events producing a LOFW I may also affect the failure of the mitigating systems.
Four classes of LOFW events were initially considered:
I o Case 1--LOFW events due to all causes not affecting the mitigating systems.
Case 2--Equipment failures the mitigating I
o affecting systems and resulting in LOFW.
o Case 3--Offsite electrical power systems' failures resulting in LOFW.
u Case 4--Severe natural phenomena.
Particular attention has been focused on Class 2 events which impact mitigating systems and produce the LOW In the construction of the I event trees and fault trees, the inter aces of the AFWS and the HPI were examined in detail to try to identify any such events. Due to improved separation and independence ~ requirements, no such faults were identified.
AlthoQgh several plants (e.g., Crystal River, Davis Besse) have experienced LOFW events which directly affected mitigating systems, the plant designs either incorporated BOP instrumentation or their power sources in the mitigating systems' design or incorporated 1E instrumen-tation or their power sources in B0P systems' designs. In the WNP design, a strict separation of BOP and safety-related equipment is main-tained, with the following exceptions:
I I M "I '
19
I I
- 1. The 500-kV and 230-kV offsite electrical power ,
sources feed both the two IE 4160-VAC transformers and the separate B0P 4160-VAC transformers.
- 2. The " balance of plant" service water system (80P SWS) feeds both the nuclear service water system (NSWS) distribution piping and BOP distribution piping. However, the primary failure mode of the three punip SWS is a loss of the offsite power sources and is thus included in Case 3.
- 3. The B0P instrument air system (IAS) feeds the 3 Nuclear IAS distribution piping. As in Case 2, this g event is assumed included in Case 3.
- 4. The engineered safety features actuation system (ESFAS) can isolate main feedwater. However, this action also directly results in initiation of the mitigating systems considered. Thus, this item is assumed included in Case 1.
- 5. The essential controls and instrumentation (ECI) supplies buffered SG 1evel signals to the integrated control system (ICS), which controls main feedwater.
ECI failures resulting in low SG level signals, which include failures of vital buses A or 8, could g cause an overfill transient and affect the ini-tiation of auxiliary feedwater. However, this, g
again, is not LOFW as defined.
I As indicated above, a loss of offsite electrical power sources should be considered separately from "all LOFW transients," since, in addition to failing main feedwater, the availability of the mitigating systems are affected. A loss of the preferred effsite source and a transfer failure was considered a potential initiator. However, due to the saparation of I
5 1E and 80P switchgear, common-mode failures would have to be assumed if the transient both caused a LOFW and affected the mitigating systems.
These events were estimated to be of low probability and bounded by the probability of failure of both offsite power sources.
Based upon the evaluation of the mitigating systems, the probability of g
' Case 2 events must be very small in comparison to Case 3. Since these 3 two cases are functionally similar, Case 3 bounds Case 2.
I 20 d" I I
I I Case 1, LOFW events due to all sources, is evaluated and discussed in detail in Section 4.1. Case 3, the loss of offsite electrical power, is evaluated and discussed in Sections 4.2 and 4.3. Case 4, severe natural phenomena, is evaluated and discussed in Section 4.4.
I 4.1 ANALYSIS OF LOSS OF MAIN FEEDWATER TRANSIENTS IN B&W PLANTS For most reliability studies, the assumption of constant hazard rate for initiating transients is made because of the resulting simplicity or due I to a lack of sufficient data to justify another form. In this study, the actual history of all operating B&W plants was utilized to develop a j
I model for the frequency with which loss of feedwater (LOFW) induced j reactor trips could be expected. Previous studies have looked at the l observed occurrences of this type of event1,2 but made no attempt to model the data. These studies estimated the average frequency l (events / year) over the time from commercial operation to the data end date.
Reactor trips for all operating B&W plants have been compiled3 and clas-sified by transient type. This compilation formed the basis for the I model developed here. From the "Cause of Transient" given, those events not initiated by a total LOFW were not included. In those instances where the cause was not clearly discernible the event was left in the data. No trips were excluded due to operating power level at the time of the trip. This introduces a considerable conservatism since many of the experienced LOFW events resulted from causes which can occur only at low power. At low power the hazard to the core is, of course, much less I than at full power. The initial time for the analysis was chosen as the time of initial criticality for each reactor, rather than the commercial operation date.
As a verification of the selection procedure, a comparison to the trip description held by B&W was made for Oconee-1. This comparison4 con-firmed that all trips not included in the present study were also not I
I Ef s I .
I considered LOFW trips by B&W, and a few of c.he questionable trips in-cluded could possibly have been exluded. On this basis, the selection criteria are considered conservative.
As expected for a complex facility, the observed number of trips is greater for the first year than for succeeding years due to learning process of the operators and to plant modifications and improvements.
This phemonemon has been observed previously,1 but insufficient data were available to quantify the effect by the analysis procedures used.
A similar characteristic was apparent in the data analyzed here. Since the data were used to develop a hazard rate rather than to try to esti-mate annual differences in mean frequencies, it was possible to include this effect in the model.
Development of a model must begin with consideration of the data collec-tion methods. This ic so because the method of data collection deter-mines the form of the data, and the analysis techniques must be applicable to the form of the data as well as to the form of the assumed underlying failure rate. The possible methods of data collection can be represented on a time axis that begins at zero (0), corresponding to the time that a unit starts operating, and extending to infinite time.
E Elapsed time to failure of the units is denoted by an asterisk (*) on 5 the axis. Elapsed time on a unit still running when data are collected is denoted by an X, with an arrow pointing to the time the unit will fail. Data of the form of the observed reactor trips from some initial ,
time corresponding to plant start-up (initial or recovery after trip) to an arbitrary end time (last day for which data was available at the time the collection process was halted) can be represented on such an axis.
E The data cons!st of times to failure (from the last trip) and operating 3 times since the last trip. Operating times extending to the end of test are also called censoring times. The ordered failure times and the cen-soring times are normally intermixed. If the censoring times are sta-tistically independent of the times those units will fail, the data type is known as randomly censored. Such data are shown for three units, two censored and one failed, with the failure and censoring times in an ar-bitrary order.
22 d" I I
I I
Unit 1 !---------*--*----------*
i .
2 l ---- *--------x--+ l l 3 l-*------*----------*---l-------x--+
0 Fixed Time Time The analysis of field data is possible by the application of the hazard function approach.5,6,7 The hazard function can be visualized as the instantaneous probability of failure in the interval betweeq (t, t+dt).
I Data analysis began with the evaluation of the time between trips, as-suming the hazard rate was constant. This assumption was then tested by use of the total time on test plot concept.0 This graphical method utilizes the ft ct that if the underlying hazard rate were constant, the observed percentage of failures would increase at approximately the same rate the percentage of the total operating time increased. Thus, a plot of these percentages against each other should produce an approximately straight line at a 45* angle. If the fractional failure rate were con-sistently less than the fractional total test time, the indication would be that the hazard rate was a decreasing function; and inversely, a fractional failure rate consistently greater than the fractional total test time would indicate that the hazard rate was an increasing func-tion. A plot of this type for the nine B&W operating reactors is shown in Figure 4-1. The shape of the time on test plot conclusively demon-I strates the existence of a decreasing hazard rSte early in reactor life.
After this initial period, the hazard rate can be considered constant, as indicated by the last portion of the curve.
Barlow and Davis have considered the problem of hazard function estima-tion for items in which the hazard rate for a component is dependent on the age of the device in which the component is used. This methodology I was utilized in this study to relate the LOFW trip rate to the calendar time since initial reactor start-up. The hazard function was assumed to I
23 d"
I be described by an expression of the form h(t) = aA"t"~1, where a and A are parameters to be estimated from the data. This particular form of the hazard function (Weibull) was chosen due a its capability to de-scribe many types of functions by proper choice of A and a. Note that if a < 1, h(t) is a decreasing function with t.
Given the set of trip times and a functional form for the model, the likelihood function summarizes the information in the data concerning the parameter values.10 Let n(t) be the number of reactors operating at reactor age t, and N(T) = N, the total number of trips observed over the observed operating time (0, T). The likelihood function, given the ordered set of failure times Z_ = (Zy 5Z5***I 2 N), is N Z i
L(a, A/Z_) = Il n(Z}) A(Z 4
) exp[-fg n(u) h(u) du]
i=1
~
where n(Z ) is the number of reactors operating just prior to the i th 9
observed trip. The values of a, A which are most consonant with Z_ are those which maximize the likelihood function, L.10 Since the . function in L will have a maximum at the same values of u, E that L will, the ex- ,
pression can be simplified by treating T a inL. Taking the log and sub- )
I stituting in the previously indicated functional form for h(t), one l
obtains: 1 M(Z9 )
I!
N N ]
r=I in[n(Zj)]+Nin(aA")+(a-1)IInZ - A" I 4 I n[Z}-Zj_y]
j l i=1 i i=1 j=1 l l
where M(Z 4 ) = the number of the last failure for which n(Z4 ) = n(Z 4_y).
This function was evaluated and the maximum found for values of the parameters & = 0.38, f) = 1/A = 9.0 (for t expressed in days). The resulting hazard rate is shown in Figure 4-2.
I I'
1 l D
</ ll 24
I I 1 If the hazard rate function is h(u), then A(t) = f, h(u) du is the ex-pected number of failures in (0, T). For the Neibull, A(t) = (t/q)"
To predict the total number of trips expected over the 40 year life of the plant, the hazard rate was assumed constant after the first five years at the value given oy the model at that time. This hazard func-tion is shown in Figure 4-2, and the resulting expected number of trips is given in Figure 4-3 and Table 4-1.
I The model developed in this study for the expected frequency of LOFW trQs for B&W plants accounts for the decrease in trip frequency over the first several years of plant life. The use of this model to predict ths total number of trips over the life of a plant thus allows a more realistic assessment of the number of occurrences than a prediction based solely on an assumed constant hazard rate.
l The expected number of trips over the first year after criticality is 4
approximately four, with approximately one additional trip over each of the next two years, approaching a constant number of ~0.57 annually at five years.
4.2 ANALYSIS OF LOSS OF ELECTRICAL GRID DATA WNP-1 and WNP-4 are supplied offsite electrical power by the Bonneville I Power Administration (BPA). Offsite power is supplied by one 500-kV and o e 230-kV line. The interconnection with the 500-kV BPA system is via that H. J. Ashe switchyard, located approximately one mile northwest of the plant, and provides for delivery of generated output and immediate access to the 500-kV system as a preferred power supply.
The interconnection with the 230-kV BPA system is via a 230-kV trans-I mission line to the H. J. Ashe switchyard which is connected to the DOE Hanford 230-kV loop from the BPA Midway Substation and from the White Bluffs Substation and provides for immediate access to the transmission system as the back-up preferred power supply.
I I d' 25 '
I '
I Beyond the Ashe switchyard, the interconnections of the EPA grid for both 230-kV and 500-kV power would require multiple failures of each g supply to interrupt service.11 Consequently, only the simultaneous 5 outage of the 230-kV and 500-kV lines between the WNP plants and the Ashe switchyard need be evaluated.
i To estimate the appropriate distributions of failure and repair times for the BPA grid, historical data from the BPA outage data base were utilized. BPA supplied a data tape containing the information on all g 230-kV and 500-kV lines in the BPA grid between November 1,1972 and B Kay 1, 1980.12 In addition, BPA supplied a printed listing of the char-acteristics of each line, including geographical sector in the grid, total length, and in-service and out-of-seavice dates. These data were analyzed in a fashion similar to that described in the previous section for LOFW transient frequencies; i.e. the failure and repair rates were estimated by assuming that constant failure and repair rates were appro-priate and then testing the assumption.
In order to utilize data most closely representative of the actual lines to be used, the data for the Walla-Walla sector and for lines shorter than 55 miles were used. This particular line length was chosen to maintain a significant number of accidental outage events in the data base. An evaluation of the effect of line length on the frequency of outage revealed a very tenuous correlation. Itere were no instances in which long lines (>75 miles) exhibited an extremely long mean-time-to-failure (MTTF) relative to the overall average, whereas ame shorter lines exhibited MTTF values as short as those of the longer lines. Consequently, an analysis to quantitatively determine a hazard rate per mile of line would require a c'etailed examination of each out-age, assigning each to a length-related or length-independent cause category, and subsequent failure analysis of these data. This complex analyris was not considered necessary for this study although the simpler approach used will introduce some conservatism.
I I
dI l
I
I i I The data were analyzed for the 230-kV and 500-kV lines separately. This I
separation showed that the 230-kV lines are slightly less susceptible to accidental or automatic outages and are significantly less likely to be out for planned outages. The latter fact is expected, since less routine maintenance can be performed on the 500-kV lines while they are )
energized.
I As mentioned above, the data analysis proceeded by assumption of a con-l i
stant hazard (repair) rate and subsequent verification of the assump-tion. In the outage data files, many outages are recorded with a zero l
(0) entry for repair time (outage duration). This is due to recording of time to the nearest minute by the data base system. In the instances of zero outage time, however, the outage duration is only as long as the I
time required for the automatic switching devices to restore power.
Consequently, these events are almost always of only a few seconds, at I most, and are consequently not of significance as far as demand for auxiliary power supply switching or start-up. In this analysis, then, these zero outage time events are not included as events in the data base. Lightning strikes are a typical example of the type of momentary outages that have been eliminated.
Initial results from the analysis of the edited data base were surpris-ing, in that the failure time distributions for automatic (forced) outages were markedly non-exponential for both 230-kV and 500-kV lines.
This result was not expected, since these events were thought to be
- randomly occurring natural events and man-caused incidents. The data analysis indicated, however, that the frequency of closely-spaced failures is significantly higher than expected if the hazard rate were I constant. Explanation of this phenomenon was found to be the o'currence of repetitive short outages due to the same cause (e.g. , interruptions caused inadvertently by a lineman performing maintena ce or repair).
These events, while random in time, do not follow the same time-to-failure distribution as do other isolated outages. The first event in each of these series of related events, however, is i Wependent of previous outages and therefore sould be expected to have the same I
27 d"
I failure distribution. This assumption was verified by re-analyzing the data base and removing the subsequent correlated events from the hazard rate calculation. Each initial event was tallied, and a separate tally E
3 was maintained for the number of repeated occurrences observed. The time-to-failure distribution computed in this manner is found to be l approximately exponential, thereby justifying the assumption of constant failure rate for initial events.
To obtain the total frequency of expected failures, the hazard rate for independent events computed as described above is weighted by the fre-quency distribution of repeated, correlated, events. The observed fre-quencies for 230-kV and 500-kV lines are shown in Figure 4-4. .
Repair rates were analyzed in an analogous manner; the tir.e-to-repair distribution was assumed to be exponential, and the assumption was then tested. Unlike failure times, however, no simple transformation or classification of the data could be found to produce an exponential outage time distribution. The repair time distribution also contains a larger number of short repair times than would be expected for an expon-ential time to repair distribution.
The distribution of repair times for automatic-only and automatic-and planned-outages for both 230-kV and 500-kV lines are shown in Figures 4-5 and 4-6, respectively. Estimation of parameters of these distributions was not attempted, since probability plotting on Weibull paper did not product a satisfactory fit. Consequently, the cumulative distribution functions as shown were utilized to get needed percentiles.
A summary of the information obtained from the grid failure data is pro-vided in Table 4-2. Note that the failure rate for automatic outages between longer lines and those less than 55 miles is not significant for 230-kV linas but is quite marked for 500-kV lines. In other respects, the 500-kV lines consistently had higher unavailabilities than the 230-kV lines. The large difference in unavailability due to planned outages is due to the necessity to de-energize the line for more 28 d
I
I maintenance than at 230-kV.13 The values given for average repair times are not the same as a mean-time-to-repair (MTTR), since the repair rates are not constant. The value given is the mean of the distribution.
Evaluation of the probability of repair within twenty minutes was evaluated by Monte Carlo simulation. The simulation consisted of the following steps:
- 1. Pick a random number (U 9
) uniformly distributed over the interval [0, 1];
- 2. Using the random deviate from (1), evaluate the repair I time for the ith trial from the inversion of the cumulative repair time distribution;
- 3. Generate a second random number uniformly distributed I over the range [0, U ], where U (a); 9 9 is the value from step
- 4. Generate a value for the time prior to the random failure I of line A at which line 8 went down. The time of failure is thus required to be less than the repair time for each trial.
- 5. The time elapsed before repair is then the difference between the repair time and the failure time, i . e. ,
t, = t ~r ?'d '
- 6. Steps (1) through (4) are repeated until a sufficient number of trials are generated. The resulting values of I t are the ordered in ascending value. The percentage of rIpairs completed in any elapsed time desired can then be estimated.
4.3 EVALUATION OF LOSS OF 0FFSITE POW 6R In applying the general grid data to the plant feeder lines, the actual operation must be considered. Since the primary purpose of the 500 KV line is to supply power from the plants to the BPA grid, planned outages j of this line will be scheduled to coincide with planned plant refueling outages. This procedure is currently implemented on the "N-Reactor" and its feeder lines.14 For the infrequent conditions requiring 500 KV line l
I I 29 d"
I
I maintenance between planned plant outages, the WNP 1 and 4 plants will be reduced to house load prior to separation from the 500 KV line. In g this moda of operation, the plant turbine gnerator would be the 5 preferred souce of electrical power with the 230 KV line supplying a backup scurce of electrical power.15 Based on the above, the failure and repair time distributions and the unavailability of the BPA 500 KV and 230 KV lines, the probability that both lines to the WNP 1 and 4 plants out simultaneously failed may be evaluated. This evaluation is performed by reference to an event tree, as shown in Figure 4-7 for simultaneous outages initiated by failure of the 500 KV line.
The frequency of the simultaneous outage of the 500 KV and 230 KV lines may be obtained by summing the failure branch frequencies of the event tree shown in Figure 4-7 plus the failure branch frequencies of an analogous event tree initiated by failure of the 230 KV line.
From the event tree, noting that the probability of failure in a 20-minute interval is small relative to the other probabilities involved:
FREQ(LOOP) A= A (1 -B A )[1 - P(R A )][1 - P(RB )3
+ AB (1 - AA )[1 - P(RB )][1 - P(R B)3 where A = Failure rates of the 230 KV or 500 KV lines (yr 1)
A = Availability of 230 KV or 500 KV lines P(R) = Probability of repair of the 230 KV or 500 KV lines within the appropriate time interval.
The frequency of two evn's has been estimated for use in the fault tree evaluation. Thase two events are total loss of offsite power (LOOP) for C
more than 20 minutes and LOOP for less than 20 minutes. As discussed above, a planned outage of the 500 KV line will not initiate a loss of N main feedwater event since the plant will be placed in cold shutdown or
), g 30
I reduced to house load prior to separation from the 500 KV line. Thus, the 500 KV line avar 'ility and repair time were based on automatic I outage data. The 23> W line availability and repair time were based on automatic and planned outage data.
I With the appropriate availability and repair time data from Table 4-2, the LOOP frequency equation was evaluated. The required frequencies I obtained were 0.03 cents / year for LOOP events less than 20 minutes duration and 7.3 x 10 3 events / year for LOOP events greater than 20 minutes duratior 1
4.4 SEVERE WEATHER AND NATURAL DISASTERS Only a limited time span is covered by the BPA data base. Consequently, the occurrence of infrequent but severe weather conditions or other natural disasters is not reflected in the observed outage data. These I conditions are discussed in the following subsections.
4.4.1 Tornadoes A survey of tornadoes in Washington, Oregon, and Idaho has been per-formed by Fujita.16 Jaecb 17 has analyzed the data published by Fujita to determine the probabi' ity of a tornado striking Exxon Nuclear Co. ,
Inc. (formerly the Jersey Nuclear Company) Fuel Facility, which is loca-ted about eight miles from the reactor site. His analysis estimates the frequency of occurrence of a tornado in the vicinity of the Exxon site I as 6 x 10 8 yr 1 While this number is subject to further interpretation, it does provide strong evidence that tornado induced failures are insignificant with respect to other causes. This frequency is negligible in comparison to the other event probabilities estimated previously, even if it is assumed that the occurence will cause LOOP with a probability of one.
1 I
I n
d" -
Il 4.4.2 Strong Winds l
The annual extreme fastest winc oeed (fastest observed one-minute wind speed at an elevation of 30 f t) 'or a given region has been commonly '
used as the best available measure of wind for design purposes. The B
standard reference speed level is normally chosen at the 30-ft eleva- E tion, and wind speed is assumed to vary with the 1/7 power of height.
Data on the fastest wind speed near the reactor site were supplied by I
BPA.10 From these data, the parameters of an extreme value distribution were estimated from a probability plot of the data. This probability distribution is given by:
p(Z)=hexp[-Ze 3 -Z I
p,o = Distribution parameters o = Maximum yearly wind speed (mph).
The values estimated for the parameters are & = 7.4 and fi = 37.8. The density and cumulative distribution functions are shown in Figure 4-8.
The BPA transmission line design is based on a maximum wind speed of 100 mph with no ice, heavy ice (1 -in. radius) but no wind, and two cases of ice and wind (2-in. radial rime, 40-mph wind; 1-in. ice, 57-mph wind).13,19 The frequency of LOOP due to winds greater than the 10 year wind (~55 mph) was then estimated, as described below.
The wind load is assumed to be proportional to the (velocity)2 and the probability of failure proportional to the load. Since the line is de-signed for a maximum wind speed, u,, plus a safety factor, the wind speed required to cauce certain failure, uult,isgreaterthanuj. This certain failure load is assumed to be 150% of the design load corres-ponding to the applied safety factor.13 With these assumptions, the certain failure wind velocity will be ~125% of the design value. In the 11 32 g l
l
I I analysis, it was also recognized that the probability of outages caused This proba-by wind velocities less than the design value is not zero.
bility was estin.ated as 0.05 at the design load. The probability of failure as a function of wind speed is then:
I K1 (" ~ "m) +K"2 '
" D "m Pf (u) = K"2
" # "m l
,1.0, o> uit where K y and K 2 are constants evaluated such that Pf (u,) = 0.05 and ;
Now the probability of failure per year due to strong I '
P7 (oult) = 1.0.
winds is given as:
J
)
l P(FailWind)=(f(u)h(u)du where f(u) = Probability distribution function for maximum yearly wind velocity; h(u) = Probability of failure due to wind load as given previously.
This integration was performed with a lower limit of 55 mph correspon-ding to the 10 year maximum wind and was found to be 2 x 10 3 yr 1 i
The synergistic effect of ice and wind is not as easily estimated.
I data are available for the joint probability distribution of maximum No yearly ice load and wind velocity. However, the data provided by BPA20 ]
indicated that the 100 year ice loading is less than 1-in. radial ice.
It was thus reasoned that the design basis ice and wind loadings are )
sufficiently severe as to cause this frequency to be on the same order of magnitude as that for strong wind alone. l 4.4.2 Earthquakes B.P. A does not consider seismic loading specifically in transmission I line design.19 However, they have determined that the design maximum I
g 33 Ef <
l I
ground acceleratio1 specified for the safe shutdown earthquake (SSE) will produce only 30% of the design load utilized.18 It is also noted that due to the damping of the lines on the motion of the towers, it is very difficult to cause a tower to fail by shaking it. Consequently, seismic events were neglected as a significant contributor to LOOP due to loss of transmission lines.
Potential outages due to ground-mounted equipment at the Ashe switchyard were not investigated specifically. However, the probability of occur-rence of earthquakes on the order of the SSE are estimated to be ~2 x 10 4 yr 1 by comparison of values used elsewhere.21 Consequently, the probability of LOOP due to earthquake is small relative to other esti-mated events, even if the conditional probability of LOOP given an SSE is assumed to be unity.
4.4.3 Volcanism The recent eruption of Mount Saint Helens has rekindled an interest in the potential effects of an active volcano on the safety of nuclear power plants. Although a detailed study of the potential effects of volcanism on the WNP 1 and 4 plants could not be performed in the time available, a summary review of potential safety impacts has been made.
The WNP 1 and 4 plant site is located approximately 100 miles from the g nearest active volcano, Mount Adams. Thus, wind borne volcanic ash is 5 expected to have the only impact of volcanos on the plant's safety. Due to the currently active state of Mt. St. Helens, the effects of other volcanos are considered to be of secondary importance. Over the next 20 to 25 years, Mt. St. Helens can be expected to erupt frequently with heavy ash fall probable.22 Given the eruption, the prevailing wind then The would have to transport the ash to the localized plant site.
g prevailing wind will be in the appropriate direction to transport the 5 ash to the plant site only 6 to 12% of the time.
I 34 d" I
I I The primary significant impact of ash fall is anticipated to be the potential for obstructing the emergency diesel generators air intakes.
For this event to be of concern a simultaneous or consequential failure of the offsite power sources would first have to occur. Although electric power line shorting due to volcanic ash fall combined with rain has been postulated in the news media, recent B.P.A. experience does not indicate this is a probable failure. For the three recent major Mt. St.
Helens eruptions, no ash related B.P.A. grid failures have been reported even though rain has fallen over most of the area served by B.P.A.24 As determined by this analysis, even if the two 1E 4160 VAC busses were deenergized due to volcanic ash, the steam driven AFS pump would be capable of providing auxiliary feedwater to either steam generator.
In summary, although the effects of volcanic ash should be evaluated in greater detail, it does not appear that plant failure due to an ash eruption would be a high probability event.
I I l I I I
I I
I l
M 35 l l
I e
I I
I TABLE 4-1 EXPECTED NUMBER OF LOFW TRIPS VS. TIME Time (Years) Total Number Annual Number 1 4.1 4.1 2 5.3 1.2 3 6.2 0.9 4 6.9 0.7 5 7.5 0.6 10 10.4 0.57 20 16.1 0.57 30 21.8 0.57 40 27.5 0.57 I
I I
I i I I
e' I l
I 36 s/
I I
I TABLE 4-2
SUMMARY
OF BPA GRID OUTAGE DATA FOR 230-kV AND 500-kV LINES I
Line Voltage I Variable 230-kV 500-kV Remarks FAILURE RATE 1.0 1. 5 Automatic, all lines in sector (Y#~ ) 1.0 2.6 Automatic, lines <55 miles long I AVERAGE REPAIR TIME (hr) 0.2 0.2 Automatic, lines <55 miles long 7.4 7.6 Planned, lines <55 miles long 7.0 7.3 Automatic and planned, lines
<55 miles long I FRACTIONAL DOWNTIME 0.0009 0.0012 Automatic 0.018 0.039 Planned 0.019 0.04 Total P (Repairl t 0.56 0.63 Automatic 5 20 min) 0.19 0.20 Automatic and planned I
- I I
! E 37
. l Ii l
t
! I l
4 i
- FIGURE 41 TIME ON TEST PLOT LOFW
! l 1 ,
l l l l l l l l l 1 .- _ _
i 1 1 o.aco _ _
l 1
i
- 0JOO -.
i 2 un ,/
/
3 o.soo /
- p - -
/ I i
1 O
a.s= _ / -
i 1 P l g a.mo _ __ .
4 m
- w o.300 _,, -
,. .n. -
W 0.100 _ _
' I I 0 - l l l l l l 0 .10 .2 .00 .4 .50 .50 .70 .80 .30 1.0
~
FRACTIONAL FAILURES 1
l I'
l i
l l
38 1
1 1
l
I I
I FIGURE 4 2 LOFW HA7.ARD RATE VS CALENDAR TIME I
17' I I l l l 1 1 j l l
~
I e
~l o l 2 l @ 1e= -
l ! j-I i I I 3 ! !
178 ! ! !
1ga ige 108 10' 102 I TIME (YEARS)
D E
I I ;
I 39
i i
l FIGURE 44 EXPECTED TOTAL NUMBER OF LOFW TRIPS VS CALENDAR TIME I
l I I I I I I I i i g,
3.0 -
en i b I
% 24.0 - -
! E
- s. = - -
- )
- E :
! g , o . '_ --
i W
8 ll 13.0 t '
~
, =
4
. i i i i i i i i i l
i 0 5.0 10 15 20 25 30 35 40' 45 50 i
i TIME (YEARS) i I
I I
40 I
FIGURE 4 4 FREQUENCY OF SECONDARY MULTIPLE ACCIDENTAL OUTAGES FOR
- 230 kv AND 500 kv LINES l
4 4
I 1.0 .
.! w i W 2 i c i 4 .7 y *,,
230 KV UNES j
o ;
- w J- l O i r .
' 1 g .s . .
1 E .2 -
< .1 -
i
! 5 ,
j
- ' l 0 , ,
0 1 2 3 4 5 6 7 8 9 to I NUMBER OF SECONDARY OUTAGES I
l i
- I i 1.0 -
0 .s -
Q .a -
3 7~ SOC KV UNES
, C .e -
, w j O .S c 2'
O G .3 -
- < .2 5
W .1 -
l 0 ,
0 1 2 3 4 5 6 7 8 9 10 NUMBER OF SECONDARY OUTAGES I
- I 41
I FIGURE 4 5 DISTRIBUTION FUNCTION FOR REPAIR TIME OF AUTOMATIC OUTAGES FOR 230 kv AND 500 kv LINES I,.
230 KV AUTOMATIC REPAIR DIST. ]
i . , . , ,
i gi , ; j ;
5 _ J 1
- 2 _ _,
s se __ _ E
. 5 _ -
Q g g 2 _
= 170 _,
= l g 5 _ _
m 2_ _
tea t I l t ? !8 t i I ! l t I l iga 2 5 tes 2 5 3ge 2 5 ty 2 5 to' 2 5 soa REPAIR TIME (DAYS) 500 KV AUTOMATIC REPAIR DIST. g se ! I l t i i u 5 ,, _
2 -
- = se _. __I i
g 5_ _!
I l
h 5- J B a
g 2 __ _.
' i se te 2 i I 5
I 1ea I
2 5 I
igi I
2 L
5 3e g
REPAIR TIME (DAYS)
I l
I 42
I I FIGURE 4 6 DISTRIBUTION FUNCTION FOR REPAIR TIME OF AUTO MATIC AND PLANNED OUTAGES FOR 230 KV AND 500 I KV UNES i 230 KV AUTOMATIC & PLANNED REPAIR DIST.
'# i i i 1 i i [ t i l 6 g i J
5 -
1 >
a z -
i E 2 -
- D s
1e' --
h =
I C i 4
3 s - _
i $ l 3 m ,
! o l l
$ 2 - -
l
,,, I 1 { l I l ! ! !I t l t I 2 2 5 2 5 2 5 2 5 S l
te* 178 it' e t o' ion REPAIR ~;*2 (DAYS)
' 500 KV AUTOMATIC & PLANNED REPAIR CIST.
l l llI l 1l , i t i l i ! !
s -
l 5 - -
! E i e i u. ie. _ _
C N
4 k
8
! E :- _
,,, _ i2 lii i ii 5
i i i 2 6 li! 2 5 I
5 2 5 2 1 ,8 1@8 te' 1@ 108 102 REPAIR TIME (CAYS)
I 43 1I
- ~ , -.
- I I
I FIGURE 4 7. EVENT TREE FOR EVALUATION OF SIMULTANEOUS OUTAGE OF 230 KV AND 500 KV LINES INITIATED BY FAILURE OF THE 500 KV LINE 230 KV REMAINS AVAILABLE 230 KV OR 500 KV 230 KV UNE REP'D s 20 MIN AVAIL 230 KV UNE FAILS BEFORE 500 KV UNE REP'D NEITHER REP'D 500 KV OR 230 KV LINE REP'D s 20 MIN 230 KV LINE UNAVAILABLE NEITHER REP'D s 20 MIN h 500: FAILURE RATE OF 500 KV UNE l t
l i
! 44
\
l
I FIGURE 4 8 DENSITY AND CUMULATIVE DISTRIBUTION FUNCTION FOR EXPECTED MAXIMUM ANNUAL WIND SPEED PDF OF WIND VELOCITY 0.0e0 I I I I I I I i u _ _
u.0 _ _
l
== _ _
(=
Q g un a
- a. u . _ __.
_\
0.01 5 -
0.010 - -
u= _ _
I i l i i i I i 0
0 10 20 30 40 50 60 70 80 90 100 WIND VELOCITY (MPH)
CDF OF WIND VELOCITY I 1.00 uGO _
i i l i I I I I l
l uGO _ _
l g .r00 0 -
4
- uGO _ __!
c a0 .s00 _ _i d I a 0.=0 - -
u00 _ _
i u00 _ _._i 0.100 0 I I i i i l i i .
l 0 10 20 30 40 50 60 70 50 90 100
(
WIND VELOCITY (MPH) l l
\
l 45 1
I REFERENCES - SECTION 4 I,l
- 1. ATWS: A Reappraisal, Part III: Frequency of Anticipated Transients, EPRI NP-801, July 1978, p. 4-4,
- 2. ATWS: Probabilistic Accident Analysis, EPRI NP-1090, June 1979.
- 3. NUREG-660 (Draft), Tables B-2, B-3.
- 4. G. Rambo, Telephone Conversation, May 14, 1980.
- 5. N. R. Mann, R. E. Schafer, and N. Singpurwalla, Methods for Statistical Analysis of Reliability and Life Data, John Wiley and Sons, Inc., New York, 1975.
- 6. W. A. Wolf, Interpreting Failure Data in a Nuclear Plant by the Hazard Function, AECL-5106, April 1975.
- 7. W. A. Wolf, Field Data and Its Interpretation, AECL-5509, April 1976.
- 8. R. E. Barlow and R. Campo, " Total Time on Test Processes and Appli-cations to Failure Data Analysis," Reliability and Fault Tree Analysis, SIAM, Philadelphia, 1975, pp. 451-481.
- 9. R. E. Barlow and B. Davis, " Analysis of Time Between Failuras for Repairable Components," Nuclear Systems Reliability Engineer.ng and Risk Assessment (Eds. J. B. Fussell and G. R. Burdick), SIAM, Phil-adelphia, 1977.
- 10. D. Basu, Statistical Information and Likelihood, Sankhya, 37, Ser-ies A, Part 1, pp.1-71.
- 11. One-Line Diagram: Existing Transmission System as Reported April 1, 1980, Orawing 17524-DSD-E, BPA.
- 13. E. J. Yasuda and F. B. Dewey, "BPA's New Generation of 500-kV Lines," IEEE Transactions on Power Apparatus and Systems, Volume PAS-99, March / April 1980, p. 616ff.
Notehook, p. 65.
- 15. Ibid.
- 16. T. Fujita, " Estimate of Maximum Wind Speed of Tornadoes in Three Northwestern States," SMRP Research Paper No. 92, University of Chicago, December 1970.
1 46
.sff / '
- 17. J. L. Jaech, " Statistical Analysis of Tornado Data for the Three Northwestern States," Jersey Nuclear Company, Richland, Washington, December 1970.
- 18. F. B. Dewey (BPA), Data quoted from " Distribution of Extreme Winds in BPA Grid Area," internal BPA document, and other BPA maps.
- 20. F. B. Dewey (BPA), Data quoted from " Record of Icing Conditions in Pacific Northwest" and other internal BPA reports.
- 21. CRBRP Safety Study: An Assessment of Accident Risk from CRBRP, Volume 2: Technical Appendices, March 1977, pp. III-61, 62.
- 22. Personal Communication, Robert Poling, SAI-Oak Ridge, TN.
I I
I I
E 1
I ,
AI if 47
I 5.0 MITIGATING SYSTEMS DESCRIPTIONS As described by the Functional Event Tree, Figure 3-1, and discussed in
, Section 3.0, the WNP plants will recover from LOFW transients (Event M) if either the AFS or the HPI perform their function srecessfully. In this section, the desigas of these primary mitigating systems and their supporting systems are described in detail.
In addition to system design descriptions, the AFS and HPI operating modes required for mission success or failure are discussed. The suc-cess states for the mitigating systems translate the flow requirements defined in the Functional Event Tree to systems' operating modes. The defined operating modes are then further analyzed and numerically re-duced using fault tree analysis techniques discussed in Sectic s 6.0, I 7.0, and 8.0.
The AFS design and success states are discussed in Section 5.1; the HPI and its success states are discussed in Section 5.2. The Instrument Air and Service Water Systems which support the AFS and HPI are discussed in Sections 5.3 and 5.4. Required instrumentation systems, including the Scram Systems (Reactor Protection System, Control Rod Drive Control i System, and Control Rods), the Engineered Safety Featt aes Actuation System, and tissential Controls and Instrumentation are discussed in Sec-t' ens 5.5, 5.6, and 5.7 respectively. Finally, the Electrical Power Distribution Systems are discussed in Section 5.8.
5.1 AUXILIARY FEEDWATER SYSTEM (AFS)
The WNP AFS consists of three pumps supplying demineralized water to the two OTSG's through four injection paths. The AFS is required to remove reactor decay heat in the event of LOFW to the steam generators (including t.he intentional isolation of main fen.dwater following postu-lated plant accidents). The system thus provides a vital plant safety function. The AFS and all supporting functions required for its opera-l M Af 49 1
I tion are designed to meet all applicable safety feature design require-ments of the General Design Criteria, 10CFR50. These include successfu E
operation following severe natural phenomena, assumed " single failures," E and Class IE requirements on electrical power and instrumentation systems.1 The AFS design is described in Section 5.1.1. The success states of the systcm as defined by the Functional Event Tree, Figure 3-1, are discussed in Section 5.1.2.
5.1.1 WMP AFS Description The WNP AFS is designed to pump up to 2,400 gpm of demineralized water from the demineralized water storage tank to the two steam generators.
The system is shown in simplified form in Figure 5-1.2 As shown in Fig-ure 5-1, three pumps are used to pump demineralized water through four control valves to the two steam generators. Pumps A and B (FWA-PMP 1-A and 2-B) are electric motor-driven, 600 gpm-capacity pumps which are capable of delivering their design flow within 15 seconds of their ini-tiation.
The flow from Pump A is controlled by valve LCV-4025 and supplies water to steam generator RCS-SGl. Pump B supplies water to SG2 through LCV-4007. Although the system may be reconfigured from the control room to allow Pump B to supply SG1 and Pump A to supply SG2, this capability is not considered significant in terms of overall system reliability. g Therefore, the crossover lines have not been shown on Figure 5-1. Pump g C (FWA-PMP 3-C) is a steam turbine-driven, 1,200 gpm-capacity pump which supplies water to both steam generators through separate control valves, LCV-4009 and LCV-4026. The steam-driven pump is capable of delivering it's design flow within 30 seconds of initiation.3 Deminerali_ed water is stored in a 460,000 gallon tank. Although the
, tank is designed to allow withdrawal of demineralized water for miscel-laneous purposes, the minimum inventory available for auxiliary feed-I 50 d< E
l water is 330,000 gallons. The miscellaneous-use demineralized water l only can be drawn from the " top" 130,000 gallons; the auxiliary feed-water is drawn frca the bottom. A 330,000 gallon volume is sufficient to remove reactor decay heat for a 2' hour period. Additional demin-eralized water may be supplied by the condensate storage tank by control room operator action.
The system is automatically started and controlled by the Essential Con-L trols and Instrumentation (ECI) upon a trip of both main feedwater pumps or low level in either steam generator. The ECI consists of separate "X" and "Y" channels powered from the "A" and "B" instrument power g buses. The ECI channels control equipment consistent with the electri-E cal power supplies described above.
The AFS is placed in operation by start a W aps A and B and opening one I hydraulic valve (CV-7938) in the line % .f ing steam to the Pump C tur-bine. The four control valves are under constant steam generator water level control by the ECI. Due to the high steam generator water levels during normal operation, the valves normally will be closed. Following I a loss of main feedwater, the valves will be opened to maintain a 6-ft water level as the steam generator level decreases. In addition to the ECI, the AFS pumps are started, and the isolation valves receive open signals from the Engineered Safety Features Actuation System (ESFAS).
I The AFS is supplied AC electrical power, DC power, and instrument power from two separate trains for each type of required electrical power.
I The system's equipment is powered such that water can be supplied to either steam generator with an electrical train failure including 4160-VAC, 460-VAC, 125-VDC, and vital 120-VAC instrument power. #
Basically, Pump A and its electrically operated associated valves are powered from the "A" train and Pump B and its electrically operated valves from the "B" train. Steam can be supplied to the Pump C turbine g frot either steam generator by opening one hydraulic valve (CV-7938) in B the steam supply line. This valve requires DC power from either 125-VDC source to operate. Once started, Pumps A and B only require 4,160-VAC I
l 11 Af SI
i 1
power. Pump C will continue to 'erate without any external electrical power source.5 The four AFS isolation valves, V20-B, V37-A, V31-8, and V14-A, are elec-I tric motor operated but normally open valves.6 Thus, these valves require no electrical power for successful AFS operation. The valves are powered from the 480-VAC emergency buses.
The pneumatic control valves, although similar in design, are operated in two distinct modes to maximize train-to-train diversity. The alves controlling flow from Pumps A and B, LCV-4007 and LCV-4025, are designed to close upon failure of vital instrument power,125-VDC power, or loss of instrument air pressure. In contrast, the valves controlling flow ,,
from the steam turbine driven Pump C, LCV-4009 and LCV-4026, will remain g open (throttled) upon loss instrument air, open upon loss of vital E instrument power and be unaffected upon loss of 125 VDC power. The operating positions of the four control valve, for the various operating modes are listed in Table 5-1.6 The four control valves require instrument air to be properly positioned The valves are supplied with instrument air from two separate instrument g air systems (including separate compressors and distribution piping). 3 Each train is also supplied instrument air from the B.O.P. instrument air system. The AC electrical power trains required to run the instrument air trains are consistent with the "A" train, "B" train configuration described above.
The stand-by and operating modes of the WNP-1 AFS major components are g
listed in Table 5-2, including required supporting services. More ex- E tensive descriptions of the AFS design and operation are found in the UE&C Auxiliary Feedwater System Description1and the B&W Secondary Plant System Description.8 The Instrument Air System and Electrical Distribu-tion Systems are described in Sections 5.3 and 5.8.
E d' l 52 I
5.1. 2 AFS Success States The AFS shown in Figure 5-1 is designed to allow multiple feedwater flow paths to transfer the water from the demineralized water storage tank to the steam generators. The success of any one flow path will depend on the operability of each component in the flow path.
The simplist and least restrictive AFS success criterion, as defined by the Functional Event Tree, Figure 3-1, occurs with scram success. Given
, a loss of main feedwater with scram success, a 600 gpm flow rate is required within 20 minutes (Event [y). This criterion is satisfied by any one flow path from the demineralized water tank to either steam generator.
For this case, the system flow path diagram has been redrawn as an anal-ogous success path diagram, referred to as a Reliability Block Diagram (RBD), in Figure 5-2. Each block represents the probability that the components represented by the block will operate. Table 5-3 summarizes the major components represented by each block.
The success paths of the system (which correspond to flow paths) may be
{ readily obtained from the RBD:
Success Path Reliability Blocks lA ABC, A'B', A, lA, 1 2B ABC, A'B', B, 28, 2 1C ABC, C', C, 1C, 1 2C ABC, C', C, 2C, 2 The RBD has been redrawn in an equivalent RBD to more clearly show these success paths in Figure 5-3. All blocks in a path must " succeed".
Overall system success will occur if any one of the four paths "suc-ceed."
AH if 53 L_
I For loss of feedwater sequences in which scram fails (MK), the success criteria for auxiliary feedwater are more severe. As described by the event tree, Figure 3-1, multiple success states are possible. These are described in Table 5-4. ,.
These success states are schematically shown in the RBD for st. ram failed sequences (MKE ), Figure 5-4. This RBD has been simplified to show only 2 g combinations of the MKE1 success paths described in Figure 5-3 rather p than individual blocks. As before, the " success" of any one MKL 2suc-cess path requires all path elements to " succeed"; system success will be achieved if any one of the MKE paths succeed.
2 I
- 5. 2 HIGH PRESSURE INJECTION SYSTEM The WNP high pressure injection (HPI) System consists of portions of the Make-Up and Purification (MU&P) System and provides for the addition of E
borated water to the Reactor Coolant System (RCS) for core cooling 5 during certain off-normal events.9 During normal operation, the MU&P System receives, cools and purifies I
RCS letdown and reactor coolant pump seal return flows in the make-up tank. A continuously operating make-up pump takes suction from the make-up tank and provides reactor make-up and reactor coolant pump seal g injection at a rate equal to the letdown and seal return flow rates.9 5 The WNP MU&P System will ';e operated in one of several configurations, depending on the pump p,widing the make-up flow. These c;ifferent con-figurations affect the specific components which must be actuated during g HPI initiation. As shown in Figure 5-5, the MU&P system consists of
- Laree pumps, designated MUS-PMP-1A, -28, and -3C. During normal opera-g tion, Pumps -1A and -28 will be utilized on a rotating basis as the g normal make-up pump. Each pump will be operated as the normal make-up pump until it must be removed from service for maintenance, at which time the other pump will be started and used for makeup until it must be removed from service for maintenance. During normal operation, 54 d$
I
1 tne ran-running pump will provide pumping power for the standby HPI i train. Pump -30, the center pump shown in Figure 5-5, will serve as an installed spare. This pump will be utilized as the stand-by pump when l either Pump -1A or -2B is removed for maintenance and is capable of being manually started from the control room to supplement Pumps -1A or
-28, provided offsite power is available. Because of high-energy pipe-I break-outside-containment considerations, Pump -3C, when serving as an '
installed spare, is aligned to discharge to the stand-by train, although
~
it is powered by and takes suction from the operating train. When Pump
-3C functions as the standby HPI pump, it's services and discharge and l suction connections are aligned to the train with which it is associ-ated.10 l
In this analysis, the different operating modes for the MU&P System I described above have been designated as follows:
o Normal A (NA): Pump -1A is the operating pump; Pump
-28 is the pump associated with the stand-by HPI train.
o Transition to Normal B (TNB): Pump -1A has been j removed from service for maintenance. Pump -28 is the operating make-up pump; Pump -3C is the pump associated with the stand-by HPI train.
o Normal B (NB): Pump -28 is the operating make-up pump; Pump -1A is the pump associated with the stand-by HPI train.
o Transition to Normal A (TNA): Pump -28 has been removed from service for maintenance. Pump -1A is the operating pump; Pump -3C is the pump associated with the stand-by HPI train.
j These different operating states are summarized in Figure 5-6.
When HPI is initiated, certain MU&P System valves are re-aligned, and a stand-by make-up pump is utilized along with the operating make-up pump to provide two separated trains of HPI. The HPI System can provide I emergency core cooling for an RCS pressure range from above operating i
1 1
1 A
55 I
l
I pcessures down to approximately 200 psig. The System is designed to provide an injection flow rate of 1400 gpm (700 gpm per train) at an RCS pressure of 600 psig.9,11 In the HPI mode, each train consists of one MU/HPI pump which takes suc-tion from the borated water storage tank (BWST) and injects borated water into the RCS via two control valves and a series of four g cross-connected injection paths. When HPI is initiated (primarily from P the Engineered Safety Features Actuation System [ESFAS]), the following system changes occur:
- 1. The normal source of RCS make-up (the make-up tank), the make-up pump recirculation lines, and the normal make-up flow path are isolated from the MU/HPI pumps.
- 2. The MU/HPI pump suction valves from the BWST, the HPI train pump discharge valves, and the discharge control valves are opened.
- 3. The stand-by make-up pump is started.
- 4. Normal RCS letdown is isolated.9 A simplified drawing of the WNP MU&P System re-oriented for use as the HPI System is shown in Figure 5-7. The specific MU&P System components required to operate for HPI initiation while the MU&P System is in its g several operating states are detailed in Table 5-5. E MU&P System motor-operated valves, pumps, and instrumentation require support from other plant systems during HPI initiation. The following support systems interface with these components:
o Motor-operated valves: 480-VAC motor co.. .rol centers MCCEA11, MCCEB11, MCCEB31, and MCCEA31 ESFAS mode 1A and ESFAS mode 1B outputs I
56 1/ i I
1 l
o Pumps: 4160-VAC bus EA and EB, 480-VAC motor control centers MCCEA11 and MCCEB11, and 125-VDC bus A and B ESFAS mode 1A and ESFAS mode 1B outputs Service water train A and train 8 o Flow instrumentation: ECI-X and ECI-Y.
This analysis considered potential failures in these support systems as an input to the HPI System failure analysis.
5.2.1 HPI System Success Criteria Following LOFW with reactor trip, the HPI System can be utilized to pro-vide core cooling if auxiliary feedwater is unavailable. In such a
{ case, 300 gpm of HPI must be provided within 20 minutes of LOFW for ade-quate core cooling. Water injected into the RCS from the HPI System is discharged into the containment through the pressurizer pilot-operated relief valve and/or code safety valves. While not a specific HPI System function, normal RCS letdown must also be isolated for effective core cooling when using the HPI System.12 Because of the multiplicity of components in the HPI System, various combinations of components can provide the required success flow rate.
These combinations are as follows:
- 1. With one operable HPI pump, both control valves in the operable train must be open, and at least three injection paths to the RCS cold legs must be available.
- 2. With two operable HPI pumps, at least one con-trol valve must be open in each train, and at least two injection paths to the RCS cold legs must be available.
- 3. In both cases, the HPI System must be manually I initiated, since no ESFAS setpoints are ex-ceeded during LOFW. In addition, RCS letdown l 1
A 11 57 l l
l l
I must be secured, HPI pump recirculation termin-ated, and the make-up tank isolated (to pre eventual cover gas injection into the RCS). gnt To define the interrelationships between the specific HPI System compon-ents requirad for injection success, an event tree was developed. The HPI System was divided into subsections, the flow from each of which could be considered an individual contributor to System success. Ther9 subsections, shown in Figure 5-8, are:
- 1. Trains 1 and 2--These trains consist of those com-ponents in each separated HPI train from the BWST up to and including the normally-closed 3 motor-operated isolation valves (valves V360-A and V465-B) downstream of the HPI pumps.
E Within trains 1 and 2, failure of any component is equivalent to failure of the associated HPI pump to run.
- 2. Control valves V through V 3--These consist of those 3 3 components 9hich can b'e associated with a spe- g cific subtrain control valve: flow elements FE-42A, B, C, and D; the instrumentation asso-ciated with the flow elements; check valves E V340-A through V343-B; and control valves E V179-A through V185-B.
- 3. Injection paths I through I --These 4 injection paths consist of the check arid stop-check valves be-tween the subtrain cross-connects and the RCS cold legs. Since the cross-connects themselves E contained no active components, they were not 5 included as part of any specific subsection but were used to relate specific injection path and control valve subsections.
The event tree which defines the HPI System success and failure states in terms of the above subsections is shown in Figure 5-9. For simplic-ity, all allowed combinations of injection paths taKen two-at-a-time and g three-at-a-time are shown only once and are indicated as a continuation 3 of the existing tree in other places, using identifiers 2/4 and 3/4, respectively. The aggregate of subsection failure combinations which will fail the system, reduced to exclude subsets of other failure com-binations, are shown on the right-hand side of Figure 5-9. 4 sa 1/ E g
i
To determine component failure combinations which result in failure of the event tree subsections, fault trees were developed.
I l
5.3 INSTRUMENT AIR SYSTEM l
. The WNP Nuclear Instrument Air System (NIAS) consists of two separate ;
trains which supply safety-related components (including the AFS control l valves) with instrument air. Each train consists of a compressor, surge tank, and distribution piping.7 Since this system performs a safety function, it is designed to meet all applicable requirements of the General Design Criteria, 10CFR50.
During normal operation, the nuclear IA headers are supplied from the j B0P IAS. The B0P IAS consist of a continuously running compressor, a ,
stand-by compressor, and associated distribution piping.14 A simplified diagram of the combined IA systems is shown in Figure 5-10.
With the BOP 480-VAC buses energized, the one continuously running B0P IA compressor (PSA-CPR-1 or PSA-CPR-2) will supply all plant instrument air requirements (safety and non-safety). Should the running compressor fail, the stand-by BOP compressor is automatically started on low IA header pressure.
Should both BOP IA compressors fail (primarily due to loss of the 500-kV and 230-kV offsite power sources), both trains of the NIAS will be au omatically started on low IA header pressure, low voltage on the 1E 4130-VAC buses, or an ESFAS actuation signal.
Even in the event of failure of all IA compressors, a significant volume s of pressurized air is available in the 80P IA distribution piping and the NIAS surge tanks. It has been estimated that vital IA functions would be continued for 15 minutes or more even following failure of all compressors. However, due to the diversity in safety equipment requirements, this design feature has been conservatively ignored in the AFS analys' .
Y l
l
< ff l 59
Ill l
The principal components of the IA systems and their requirements for 8
. operation are listed in Table 5-6. m' g1 i
5.4 SERVICE WATER SYSTEMS Cooling water requirements for safety-related components (including the NIAS compressors and MU/HPI pumps) are supplied by the Nuclear Service Water System (NSWS). The NSWS consists of two separated trains of dis- I tribution piping and associated valves.
The NSWS trains are supplied with cooling water from either the BOP service water pumps or the emergency shutdown service water pumps. With the BOP 4160-VAC buses energized, the 80P service water pumps will pump water from the plant cooling tower through the two NSWS trains.
Two of the three 80P service water pumps normally run to supply plant requirements. The stand-by pump is automatically started in the event one or both of the running pemps fail, based on low discharge pres-sure.16 Although two service water pumps -are normally, required, one of the three pumps can provide adequate cooling water for short-term equip-ment operation (days) at slightly higher operating temperatures (~30 F temperature rise vs. ~15 F rise).17 In the event the 80P service water pumps fail, the Emergency Shutdown Service Water System (ESSWS) can be manually started by the operator or automatically started upon low voltage on the 1E 4160-VAC buses or ESFAS actuation. In this mode of operation, each NSWS train is isolated from the BOP Service Water System and aligned to corresponding ESSWS trains.
Each ESSWS train supplies cooling water frcm the spray pond to an NSWS
- train. The NSWS, ESSWS, and spray pond perform a required safety func- g tion and are thus designed to meet applicable requirements of the Gen- E eral Design Criteria, 10CFR50.18,19 l I l A simplified diagram of the NSWS, ESSWS, and B0P SWS is shown in Figure
( 5-11. The principal components of the combined service water systems l and their operating requirements are listed in Table 5-7.
60 d" I I
s
- 5. 5 REACTOR SCRAM SYSTEMS The Reactor Scram Systems in the WNP-1,4 plants consist of the s following:
- 1. Reactor Protection System (RPS)--The RPS generates trip demand signals based on RCS or BOP param-eters exceeding their setpoint value;. For LOFW transients, trip signals will be generated on high RCS pressure, high RCS temperature, and LOFW anticipatory signals.
- 2. Control Rod Drive Control System (CRDCS)--The CRDCS interrupts power to the CRD mechanisms upon receiving an RPS trip demand signal.
- 3. Control Rod Drive Mechanisms (CRDM)--Each CRDM, upon loss of. power to its windings, disengages the roller nut assembly from the control rod drive lead screw. (Upon loss of power, the CRDM's are no longer capable of holding the control rods out of the core.)
- 4. Control Rod t.ssemblies (CRA)--Upon release of the
[% 1ead screw, each CRA falls into the core by gravity.
As conservatively defined by the Function Event Tree, a failure in any one of the systems mentioned above preventing two or more of the seven control rod groups from falling into the core will result in Scram Sys-tems failure.
The RPS is a four-channel protection system as defined by IEEE-279.
Each RCS parameter is monitored by four saparate sensors, each of .which provide an analog signal to one of the four RPS " analog" channels. The analog channels generate " parameter exceeds setpoint" signals which are transmitted to the four RPS " digital channels." Each digital channel produces a channel trip signal to the CRDCS upon receiving a " parameter exceeds setpoint" signal from any two of the four analog channels.20 The CRDCS feeds power to the CRDM's from two separate 480-VAC BOP power sources. To achieve reactor scram, both power sources must be interrup-ted. The CRDCS interrupts power by two diverse methods:
~
< AH Af 61 L
t E
- 1. Either power source may be interrupted by either of two 480-VAC circuit breakers tripped by separate RPS digital channel trip signals.
Power train A is interrupted by two circuit breakers receiving signals from RPS digital channels A and C, while train B power is inter-rupted by circuit breakers receiving signals from channels B and D.
- 2. Either power source may be interrupted by P de-energizing the motor return SCR gate drives in the CRDCS 120-VDC power circuits. The gate drives of power train A are tripped by RPS dig-ital channel A, and the gate drives of power train B are tripped by RPS channel B. g If the CRDCS interrupts both power trains as described above, power to all CRDM's will be interrupted. The power supplied to the CRDM's gener-ates a magnetic field which both ' engages the roller nut assembly -vith the control rod lead screw and rotates the roller nut assembly around the lead screw to insert or withdraw the CRA. Interruption of power =
l from the CRDCS collapses the magnetic field and allows the roller nut assembly to disengage by springs located in the CRDM. Once disengaged, each CRA falls into the core by gravity.
5.6 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM The ESFAS is a protection system, as defined by IEEE-279, which ftnc-tions to initiate safety feature equipment following plant accidents g
such as steam line ruptures and loss of reactor coolant accidents. us Although neither of these postulated events is being considered in the l WNP analysis, the ESFAS affects the analysis in two ways:
- 1. In the event the AFS is not started automatt- E cally following LOFW, the operator will be B instructed to trip the ESFAS upon low RCS ,
subcooling. This action will initiate the HPI g and selected compopunts of the AFS. g i
1 Ef s g
l 1 2. An important function of the ESFAS is to iso-late AFS flow to the depressurized steam gener-I '
ator following a steam line rupture. Should this function spuriously occur following LOFW, the availability of the AFS would be limited.
The ESFAS is designed to automatically trip on parameters indicating that a steam line rupture or loss of coolant accident has occurred.
I These are:
o RCS Pressure < 1600 psig o Containment Pressure > 4 psig o Steam Line Pressure < 600 psig.
Since none of these trip setpoints is expected to be exceeded following LOFW, the ESFAS can only be manually tripped by the operator. The oper-ator will take this action if the RCS temperature approaches saturated I conditions, as indicated by the "P SAT -T " meter or numerous other SAT indications of RCS pressure and temperature. The saturated conditions are indicative of LOFW and loss of auxiliary feedwater.
Manual trip of ESFAS is limited to consideration of the two Actuation Subsystems, A and B. A simplified diagram of Actuation Subsystem A is shown in Figure 5-12.
I two pushbuttons As shown in the figure, the operator must depress in Actuation Subsystem A to trip the subsystem (full channel trip). This operation will start HPI train A pump, open HPI train A injection valves, start AFS pumps A and C, and send open commands to normally open AFS isolation valves V14-A and V37-A (via I Sensor Subsystem FOGG Logic). A similar action on Actuation Subsystem B will initiate the B train equipment.22 The other ESFAS function of concern in the WNP analysis is the Feed Only Good Generator (FOGG) feature, which automatically isolates the depres-surized steam generator following postulated steam line ruptures. The FOGG isolation function is performed in the four Sensor Subsystems.
I 1
D "I
63 1
I Sensor Subsystems A and B F0GG logic controls AFS isolation valves V14-A, V37-A, V20-8, and B31-B. Subsystems C and D control AFS control valves LCV-4007, -4009, -4025, and -4026.
The FOGG logic is shown in Figure 5-13, a simplified logic diagram of Sensor Subsystem A.22 As shown in the diagram, the F0GG l'ogic is as follows:
SG1 Pressure SG2 Pressure FOGG Action
>600 psi >600 psi Feed SG1 and SG2
<600 psi >600 psi Isolate SG1 g
>600 psi <600 psi Isolate SG2 5
<600 psi <600 psi Feed SGI and SG2 As previously stated, following LOFW, low SG pressure is a very unlikely I
event. However, spurious operation of F0GG prior to or following LOFW would affect the availability of the AFS. .
The simplest spurious actions involve a failure of either a steam line pressure transmitter or its associated 600 psi bistable. This failure i produces a half-channel trip in Actuation Subsystems A and B and actu- ,
ates the FOGG logic. This failure results in the closure of one AFS valve. Since the F0GG actuation is alarmed, this failure would have to ,
occur shortly before or during LOFW and could be bypassed by the opera- ,
tor.
Of more concern was the potential for isolating the four AFS paths to the two steam generators. The only credible failure identified was un-detected CMF of the "AND" gate, labeled "CMF" in Figure 5-13, plus a subsequent and independent half-channel trip of Actuation Subsystem A or B. This failure will isolate the four paths by closing a combination of AFS isolation and control valves. As before, the condition is alarmed and can be readily bypassed.
I 1
< l 64 I
5.7 ESSENTIAL CONTROLS AND INSTRUMENTATION The ECI is a two-channel, Class 1E control and monitoring system. Of g primary interest to the WNP analysis are the AFS initiation and control I
functions. Upon low steam generator level (<1 ft) or a trip of both main feedwater pumps, the ECI starts all AFS pumps and sends an open command to the normally open AFS isolation valves. The ECI continuously I monitors the SG level and positions the AFS control valves to maintain a 6-ft SG level. Following LOFW, the ECI will open the normally closed control valves as the SG level decreases to below 6 ft. In addition to its AFS initiation and control functions, the ECI provides control room l
indication of critical HPI, AFS, SG, and RCS parameters.
The ECI AFS circuitry is shown in Figure 5-14, a simplified diagram of ECI Channel X. The circuitry for ECI-Y is of identical design.
The ECI produces a digital start signal derived from low SG level or main feedwater pump status. As shown, if the SG1 level bi-stable, SG2 level bi-stable, or both feedwater pump trip bi-stables are in the tripped state, ECI-X will generate signals to start AFS pumps A and C and command AFS isolation valves V14-A and V37-A to open. AFS pump 8 and C and valves V31-B and V20-8 are initiated by ECI-Y.
Each ECI channel contains two valve control circuits which continuously transmit proportional signals to position the four AFS control valves.
As shown in Figure 5-14, the ECI-X SG level transmitter provides a vol-tage signal which is compared to the SG1 level setpoint. This device produces a +10 to -10 V signal proportional to the difference between tne SG level and the 6-ft setpoint. After being modified by the propor-tional-integral circuit, the voltage signal is converted to a current signal to modulate instrument air pressure on the AFS control valve.
The other features in the control circuit are the test switch, which blocks the transmitter signal to substitute a test signal, and the manual control switch, which blocks the control signal to substitute a a console signal.23,24,25 B-I 65
//
B
E 5.8 ELECTRICAL POWER DISTRIBUTION SYSTEMS The Electrical Power System provides power to plant auxiliary loads and control power for instrumentation, switchgear breakers, and reiays. Two independent and redundant 4160 VAC buses are provided for safety related loads, bus EA and bus EB. During normal operation, these buses are powered through a Station Auxiliary Transformer (SAT) or a Backup Auxiliary Transformer (BAT), which receive power from the unit generator or the 500 KV offsite source (for the SAT) or from the 230 KV offsite source (for the BAT), The safety related 4160 VAC buses are provided with the capability to fast transfer from either the SAT to the BAT or from the BAT to the SAT in the event a loss of power is detected from g
the power source in use. In the event both offsite power sources are g lost, separate emergency diesel generators are provided, one for each bus. These diesel generators are capable of automatically starting and sequentially loading selected safety-related loads, and will provide power to the safety-related bus until offsite power is restored.26,27 Large loads, particularly the safety-related pumps, are powered directly from the 4160 VAC buses. Smaller loads, such as valve motors, are powered from 480 VAC motor control centers which derive their power from the 4160 VAC buses through step-down transformers.26,27 Four separable 125 VDC buses are utilized in WNP-1, 4. One bus is g associated with each RPS char.nel and consists of a 125 VDC battery, a 5 primary 480 VAC-125 VDC battery charger, and an alternate charger for use when the normal charger is not available. Each battery charger normally maintains its associated battery on a floating charge while providing all the required bus loads. The DC buses provide power for circuit breaker operation, diesel generator field flashing, operation of certain D.C. soleroids, and for the vital power supplies.
Because of the need for 125 VDC for circuit breaker operation, it can be seen that battery power is essential for continued electric power system operatian if a loss of the preferred offsite source occurs, since no I
d' I 66 I
a transfer to the alternate offsite source or diesel generator starting j
can occur if the battery associated with a safety-related bus does not provide power.26 Four separate 120 VAC vital power supplies are provided, one associated with each RPS channel. These power sources supply uninterrupted power to safety-related control and instrumentation loads, and consist of an inverter which converts 125 VDC from the battery-backed buses to regulated 120 VAC and a static transfer switch, which will instantly transfer a 120 VAC bus to an alternate A.C. source, should an inverter fail to provide output. In addition to normal control and instrumentation loads, 120 VAC Vital Power Supplies A and B provide power for operation of their respective diesel generator sequencers, which provide diesel generator start and loading sequence commands.26,27 E A simplified drawing of the WNP-1, 4 electric power system, showing portions of the system of interest in this study, is provided in Figure 5-15.
l $5
\
pf 67 r
TABLE 5-1 .
OPERATING POSITIONS OF AFS CONfROL VALVES LCF-4007, -4003, -4025, AND -4026 Valve Position Operating Mode LCV-4007 LCV-4009 LCV-4025 LCV-4026
- 1. Norme.) Power Operation Closed Closed Closed Closed
- 2. No 1nal AFS Operation Throttled Throttled Throttled Throttled c
- 3. Instrument Air Train A Failed Not Affected failed As Is Closed Not Affected
- 4. Instrument Air Train B Failed Closed Not Affected Not Affected Failed As Is c
- 5. Vital Power Train A Failed a Not Affected Open Closed Not Affected
- 6. Vital Power Train B Failed a Closed Not Affected Not Affected Open
$ 7. 125-VDC Train C Failed b
Not Affected Not Affected Closed Not Affected D
- 8. 125-VDC Train D Failed Closed Not Affected Not Affected Not Affected
" Valves LCV-4007 and -4025 are positioned by 4-20 MA I/P transducers and close on loss of vital power.
Valves LCV-4009 and -4026 are positioned by 20-4 MA I/P transducers and open on loss of vital power.
b The normal positioning of the control valves may be overridden by the ESFAS steam generator isolation logic (F0GG). This is accomplished by energizing or de-energizing the DC powered solenoid bleed valve on each control valve. Valves LCV-4007 and -4025 have de-energize-to-isolate (control valve closed) solenoids and will be maintained closed on loss of DC power. Valves LCV-4009 and -4026 have energize-to-isolate solenoids and will containue to be positioned by the I/P transducer upon loss of DC power.
'Due to the reservoir of air available, the valves will fail in a throttled position and continue to supply sufficient feedwater.
A m W m' m M ee mW mmm m ee mW m
GO M M M M_ R. O O M- U M M. J
.i r
. I IABLE 5-2 AUKILIARY f EE0WAIER AND of ERAllNG MODES
. Component . UE&C Comp.' Number Standby Mode Operating Mode pequirceents for System Operation Desinerallred Water . ONW-iK-1 >330,000 gal Inventory >0 gal inventory None Storage Valves VI tocked Open (L.O. ) L.O. None V71C L.O. L.O. None V48 L.O. L.O. None V8A L.0. L.O. None V2C L.O. L.O. None V30C L.O. L.O. None V668 L.O. L. O. None V13A L.O. L.O. None
.V36A L.O. L. O. None V728 L.O. L.O. None ONW-V9 Normally Closed (N.C.) Closed None a
Stop-Check Valves V248 "L.O."-Closed * "L.O."-Open Mone-V12A Closed Open None V35A Closed Open None
$ Check Valves VJ98 Closed Open None
.V169 Closed Open None V168 Closed Open None Electric Notor V20 Normally Open (N.O. ) Open Hone Operated Valves V14A N.O. Open Mone V37A N.O. Open None V318 N.O. Open Mone V41A N.O. Open None V448 N.O. Open None
'In the L.O. mode, the stock check valves will operate as a simple check valve.
6 w ,.
I IA8tE 5-2 (Continued)
Standby Mode Operating Mode Requirements for System Operation Component Of&C Comp. Number N.C. Throttled ECI Y (Circuit 2), Inst. Power Pretsnatic Operated LCV-4001 Train 8, Inst. Air Train 8 Control Valves (including AC power and N.S.W.
Train 8), DC Power Train D N.C. Throttled ECI X (Circuit 1), Inst. Power LCV-4025 train A, Inst. Air Train A (including AC power and N.S.W.
Itain A), DC Power Train C LCV-4009 N.C. Throttled EC1 X (Circuit 2)
LCV-4026 N.C. Throttled ECl Y (Circuit 1) flydraulic Operated CV-4673 N.O.
None (self contained turtine Turbine Gov. valve speed control)
Open None Turbine Trip valve v434 N.O.
g N. C. Open None ifydraulic Operated CV-1872 Open ECI X or (Cl Y, DC Power Irelm Vwives CV-7938 N.C.
A or 8 Stopped Running 4160 VAC Power, DC Power Pumps FWA-PMP-IA Train A, ECl X Stopped Running 4160 VAC Power, DC Power Train 8 IWA-PHP-28 fCI Y Stopped Running Steam from 5G1 or SG2, CV-7938, FWA-PHP-3C CV-4673 511-1 2,3 N/A N/A Not required and are expected to Pump Suction be removed prior to plant operation.
! 5 trainers E E E E E E E E E W E W W W g g
TABLE 5-3 RELIABILITY BLOCK DIAGRAM CG'MPONENTS o
Reliability Block Symbol Major Components Represented 1 SG1 (assumed not to fail), V63A
[ 2 SG2 (assumed not to fail), V21B 1A (path from Pump A V13A, LCV-4025, V14A to SG1) 2B V668, LCV-4007, V20B 1C V298, V72B, LCV-4026, V318
( '
2C A (Pump A and associated V35A, V36A, LCV-4009, V37A V12A, Pump A, STT-1, V8A valves)
B V248, Pump B, STT-2, V4B C V30C, Pump C, CV-4673, V434, CV-7938, CV-2872, V16B or V169, V41A E V44B, STT-3, V2C i
A'B' V1 I C' V71C ABC DMW-TK-1, DMW-V9
~
1 l
j 71
I I
I TABLE 5-4 SUCCESS STATES FOR SCRAM FAILED SEQUENCES (MKE2 )
Functional Success Criterion (E2 ) Equipment Capability
- 1. Offsite Power Unavailable: All equipment is capable of pre Supply 1,200 gpm within viding design flow rate, withil 40 seconds. required time limit.1
- 2. Offsite Power Available: All equipment, excluding turbine Supply 1,200 gpm within driven pump (Pump C), is capable 15 seconds. of providing design flow rates within required time limit.2
- 3. Offsite Power Available: All equipment is capable of pro-Supply 600 gpm within viding design flow rates within 15 seconds and 1800 gpm with 30 seconds.2 30 seconds.
I I
I I
I 72 4/ 8 I
L._ J ~ U 1._ _J l M R W ~W J~~1 I'~~l 6 1
TABLE 5-5 HU&P SYSTEM COMPONENTS REQUIRED TO FUNCTION FOR HPI FOLLOWING LOFW MU&P System Status During Required Change Component Operating Mode MU&P Operation Status During HPI in Operating State PUMPS a
MUS-PMP-1A NA Running Running None TNB Maintenance ---- ----
NB Stand-By Running Starg TNA Running Running None MUS-PHP-28 NA Stand-By Running Starg TNB Running Running None NB Running Running None" TNA Maintenance ---- ----
O MUS-PMP-3C NA Spare Available for Use ----
TNB Stand-By Running Start NB Spare Available for Use ----
TNA Stand-By Running Start MOTOR-OPERATED VALVES V144-A All Closed Open Open V141-B All Closed Open Open V360-A All Closed Open Open V465-B All Closed Open Open
-V179-A All Closed Open Open V174-A All Closed Open Open V184-B All Closed Open Open V185-B All Closed Open Open
TABLE 5-5 (Continued)
Mu&P System Status During Required Change Component Operating Mode MU&P Operation Status During HPI in Operating State V137-B All Open Closed Close V136-A All Open Closed Close V198-A All Open Closed Close V199-8 All Open Closed Close MANUAL VALVES CSS-V11-A All Open Open No (Containment Spray System)
CSS-V12-B All Open Open No (Containment Spray System) b V146A All Open Open None U
V147C Al' Open Open None b
V148B All Open Open None b
V160A All Open Open None b
V159C All Open Open None b
V158B All Open Open None V161A All Open Open None b
V162C All Open Open None b
V163B All Open Open None b
V167A All Open Open None b
V168C All Open Open None W W W W W W W W W W W W W W W W W W W
TABLE 5-5 (Continued)
MU&P System Status During Required Change Component Operating Mode MU&P Operation Status During HPI in Operating State b
V169B All Open Open None V251-A 'All Open Open None V252-A All Open Open None V259-B All Open Open None V260-8 All Open Open None V253-A All Open Open None V254-A All Open Open None V261-B All Open Open None sa V262-B _
All Open Open None m
V378 NA Open Open None TNB Open Open None NB Closed Closed None TNA Closed Closed None V379 NA Closed Closed None TNB Closed Closed None NB Open Open None TNA Open Open None V172-C NA Closed Glosed None TNB Open Open None NB Open Open None TNA Closed Closed None V171-C NA Open Open None TNB Closed Closed None NB Closed Closed None TNA Open Den None
TABLE 5-5 (Continued)
HU&P System Stattes During Required Change Component Operating Mode MU&P Operation Status During HPI in Operating State CHECK VALVES V145-A All Closed Pass Flow Open V142-B All ----
Pass Flow Open V340-A All Closed Pass Flow Open V341-A All Closed Pass Flow Open V342-8 All Closed Pass Flow Open V343-8 All Closed Pass Flow Open V354 All Closed Pass Flow Open M
c V166A NA Pass Flow Pass Flow None TNB NB Closed Pass Flow Open c
TNA Pass Flow Pass Flow None V165-C NA Closed Available ----
TNB Closed Pass Flow Open NB Closed Available ----
TNA Closed Pass Flow Open V164-B NA Closed Pass Flow Open c
TNB Pass Flow Pass Flow None NB Pass Flow Pass Flow None' TNA N E E E E E E E E E E E E E E O E E E
(__J~ U W Q _ O' M f~~l n_ U J~1 R M M W TABLE 5-5 (Continued)
HU&P System Status During Required Change Component Operating Mode MU&P Operation Status During HPI in Operating State VENT DRAIN VALVES V557-A/558-A All Closed Closed None V563/564 All Closed Closed None V532/533 All Closed Closed None V521/520 All Closed Closed None V655/656 All Closed Closed None V620/621 All Closed Closed None V507-B/506-B All Closed Closed None V504-B/505-B All Closed Closed None V681/682 All Closed Closed None V651/652 All Closed Closed None V501-8/500-B All Closed Closed None V498-B/499-B All Closed Closed None V510/511 All Closed Closed None V512/513 All Closed Closed None V570/571 All Closed Closed None V572/573 All Closed Closed None V574/575 All Closed Closed None V630/631 All Closed Closed None V535/534 All Closed Closed None V618/619 All Closed Closed None l
TABLE 5-5 (Continued)
MU&P System Status During Required Change Component Operating Mode MU&P Operation Status During HPI in Operating State V586/587 All Closed ' Closed None V590/591 All Closed Closed None V588/589 All Closed Closed None V568/569 All Closed Closed None V580/581 All Closed Closed None V605/606 All Closed Closed None V688/687 All Closed Closed None o$ V607/608 All Closed Closed None V567/566 All Closed Closed None V564/565 All Closed Closed None V579/578 All Closed Closed None V576/577 All Closed Closed None V580/581 All Closed Closed None V583/582 All Closed Closed None V584/585 All Closed Closed None Restart if LOOP.
b Certain valves may be closed during pump maintenance; these valves are not required to be open during HPI initiation.
c Re-open if LOOP.
W W W M M M M M M W W W W W W W W W W
M M M M M M M M M M M M M M M M M M M l TABLE 5-6 INSTRUMENT AIR SYSTEM COMPONENTS UE&C Normal Operating Requirements for Component Component Number Mode Mode System Operation Running B0P Compressor PSA-CPR-1 or -2 Running Running B0P 480-VAC power; BOP service water Stand-By BOP Compressor PSA-CPR-1 or -2 Stand-By Running BOP 480-VAC power; B0P service water NIAS Compressor--Train A IAC-PPU-1A Stand-By Running IE 480-VAC power; NSWS--Train A NIAS Compressor--Train B IAC-PPU-2B Stand-By Running IE 480-VAC power; NSWS--Train B Manual Valves V29 Open Open None V46 Open Open None V45 Open Open None V79 Open Open None V91 Op9n Open None V92 Open Open None a
Miscellaneous Open Open None
^The closure of manual valves other than those listed would be immediately detected in the normally oper-ating IA systems.
TABLE 5-7 SERVICE WATER SYSTEM PRINCIPAL COMPONENTS UE&C Normal Operating ;'equirements for Component Component Number Mode Mode System Operation Running SW Pump A SWS-PHP-1, -2, or -3 Running Running B0P 4160-VAC power Running SW Pump B SWS-PMP-1, -2, or -3 Running Running B0P 4160-VAC power Stand-By SW Pump C SWS-FMP-1, -2, or -3 Running Running B0P 4160-VAC power ESSWS-Train A:
a ESW Pump ESW-P1A Stand-By Running 1E 4160-VAC power; ESW instrumentation--train A a
CCW Isolation Valve TCV-1023 N.O. (F.C.) Closed NSW instrumentation--train A Pump Discharge Valve CV-1178 N.C. (F.C.) Open Instrument air, 125-VDC; NSW instrumentation--train A a
Spray Pond Isolation CV-1875 N.C. (F.O.) Open None Valve a
Cooling Tower Isola- V76-8 N.O. Closed NSW and B0P SWS will operate tion Valve with valve open; only NSW if closed ESSWS--Train B:
a ESW Pump ESW-P2B Stand-By Running 1E 4160-VAC power; ESW instrumentation--train B a
CCW Isolation Valve TCV-1017 N.O. (F.C.) Closed NSW instrumentation--train B a
Pump Discharge Valve CV-1178 N.C. (F.C-) Open Instrument air, 125-VDC; NSW instrumentation--train B W W W M M M W W W W W W W W W W W W W
M M n, M R M M M M M M V TABLE 5-7 (Continued)
UE&C Normal Operating Requirements for Component Component Number . Mode Mode System Operation Spray' Pond Isolation CV-1914 N.C. (F.O.) Open* None Valve a
Cooling Tower Isola- V76-B N.O. Closed NSW and BOP SWS will operate
. tion Valve with valve open; only NSW if closed Spray Pond Make-Up V177 N.D. N.O. None Valve Manual Valves VI-A L.O. Open None V11-A L.O. Open None
-- V85-A L.O. Open None O V87-A L. O. Open None V2-8 L.O. Open None V12-8 L. O. Open None V86-B L. O . Open None V88-B L.0. Open None Stop-Check Valves V75-A Open Closed" None V72-B Open Closed" None Position for ESSWS operation shown; reverse for B0P SWS operation.
DMW TK. ' V208 O
7 E. M. D. Vese (N.C) (N O.)
L~_a LO.) g_o.) u218 VI (Lo) 94, FWA (Pump g)PMP-28lV248 LCV-(L 2 Ct D E. M. D. V34A (N.O.)
I24 V83A FWA-PMP.I A gto y AO;) '
vgA STT.1 (PUMP A) N' '
(
& LCV. g RECIRC-S. T. D. 4005 (N.O)
V38A FWA PMP-3C V30C V35A (t,OJ (PUMP C) (LO.) I CD N <
VTIC 0) V2C (LOJ
><}C / g NPIM 511 3 RECIRC.
CV46T3 (N.O )0 m n 4026 yygg (N CJV318 (N.O p V434(N.OJ V83A 298 (LO) RCs.
9-x 'ti CV T938 (N.C40 . SGI CV28T2 (N O )
VISS V41 A (N.O.)
-%M FROM SGl V V169 V448 (N.OJ
%FROM so2 FIGURE 5-1 WNP 1 AND 4 AUXILIARY FEEDWATER SYSTEM E E E W g g g g
1 1
O D
M 2 5
7 '
' i 1
M
( > A R
- G A
I D
M B 2
A 1
c 2
c t
S S
E C
C U
> "
- k S O k M
, E T )M SA YR D SG RIA ED B A c T AK D WO C
- D L
> E E B 3 FY T
YI R L I AB U '
B '
I L A I
X L UE A (R I
c 2 -
A' 5 O E R
U r G L
. ' I F
O J
I O B C
A O
O O
3 T @"
T
~
!ll
S S
E C
C U
S
_ \ M A
R N
C S
R 1 2 1 2 O F
D.
_ B.
R M
E T
A 8 C C S 2
1 2 1 Y
S
_ R E
T A
- W D) ,
B C C EE E
A FR YM R(
AE LC I
X N I
E U
- NS _
E S _
L S A E V C I
UC _
c C QU -
A C 8 2 C s C 2 C ES _
1 B B H B H B -
t H A A T A T A T A
T A 3- -
A A P P P P 5 W W W -
W O O O E O
L F
g L F
L F
L F R U
GI F
g lLl1llll ',
m
, o E
r FLOWPATH 1A FLOWPATH 28 L
FLOWPATH 1A FLOWPATH 1C FLOWPATH PJ ; SUCCESS L
PLOWPATH 28 FLOWPATN 1C FLOWPATH 2C E
FLCWPATH FLOWPATH 1A 2s FLOWPATH FLOWPATH 1A 1C OFF5ITE
- POWER UNAVAILAsLE FLOWPATH FLOWPATH 1A 2C I FLOWPATH FLOWPATH L 2 1C b FLOWPATH FLOWPATH 2s 2C E
FIGURE 5 4 AUXILIARY FEEDWATER SYSTEM RBD FOR SCRAM FAILED SEQUENCES I
a \
P 85
L ,i
\
'l g
. " + - '
_ @ D:_
= mr...g K F , ,G_ . _
c ..
i ,. _
9'--.:.----._em
- 3'.
=a, = x .x- .w. .e i;
=- #y -. . -.
u.a o *., -@
r @g@~
1@e~., ' - 4 r. .@.. ,_
-t j $.
O.
I-g..n r3 .,= g, g
=. .m .c
= _.
r t
I,$.., 0"4@N_
4
& r. x l.J@
- u. .m
=. . _.
=
O r G.-M4 6.@
i . p,_.4"@ M'M q t4 .. ,
h!!"p"
, =.=
.- x s . E.e.. g. -- -
W>- == a .
. f. ** .m.
W W J .-~
@d -@& m-@_
n .. , ,
.sr
~fj .
FIGURE 5 5 WNP 1 AND 4 MU & P EQUlPMEZ
!q n.
v
i rrm i . .. i
('h i _
T"3
.L
- .s e
~
$h.g)"" J
) ~~h;', ;4- .u
.:s -
q_' .
~
k1 H"
XfNim, f~,',@~,
r . ..
t.
B".X!
-5 X-rc. n a.. .
- I: x . ;1 t-@ .
) ~~;,
~ ~
4- I..'{e,. .a a
",. ]
g,4 e.- ;7.,
~'-
Z_ ,- 1.
1
' ~ ~
6 X-e.i"'
X%
x _ [$",.... lH_m 51 i . .. >
N u r,
~
~
-j c m k .: s m.- - -. - .
4...,
b r
, i:
I CONSIDERED IN THE ANALYSIS F
,o i
t i
l m
I
)
i 1
I I e i *.
)
l
, 4 ,y .:- .
i a 'r " ;p .
a i- y__
I
\
= = = = - . .
I I
. l l ', (__.
, - s --
m S.
l
- e. -a:, p,' -
. I. c, t g
i U_, -'
I I .
~
.. f G" mr
,j-
..:ce= b'-
i l u:.4o ,
1 ,
l 3 =. =.=:---..
, .^
c ,
? ! 'I
- A _.
. Hz :ssN ,
g 1
I
[ FIGURE 5 6 MAKEUP AND PURIFICATION SYSTEM OPERATING STATES 89 l
L e
I t
I
('
[eGM m...:
c.,
M
- m. .M ma
>i . . .
- - - ,Q, . -
==.
7;* *** n
,,,,. -. gP,,
o . w
~
r.@ @M__EL
, @ s.1- @ r @ _ 4....,
r _BT
,_ _ _ _ _ _ _j ). 3 s
n,,., +
.N.
~ ~. y,,e . '
.g <~
. =a O" _
$g_ @F -@[@r. . @....
I,
' .2 ; "
r.
dik, = ,
r; uw-o c@
@4. ._
@s:=ar@_ u. ,
O @e
.u.. >* M ,
" "' ** i, .
v=,.
.... g em.
.. ==.
h, i =l. i --
, @ 8- A@ o .. .. , @ _
4 \.
4 FIGURE 5 7 MU & P SYSTEM REORIEb t
.I t
i
.i-
i I
rr ,, i . . .. i T. - _
V ,,,,,
1.-
i.
=. . . <> L
_L. .a._ _ . .
- L
@ J.;,.g ..
x =.
_-enu .
...ma . ma .x._ cas .*ia
- tub.
r-@-
L . { .. .. j
. 01.
, = f eatC 148.
ur2J
-= :I: W E h.c.,
4: I " x. " w !L =.,
3]. ~ . .._ m..
, . J, -
L .4 . .. ]
.\
i I
(
{
I I
s l
INJECTION PATH 1, fr,r:a
- m. - - -
TRAIN .
- =.- m. . m . ,,.. .
- u . .
VM . W3*. . (
CONTROL VALVE V 1 . i ._ w '=
- r .c. . j
~
(y n ~[~ occ INJECTION PATH 1, ,.. - tag I---- -
y "
wm 4 A --
vu vg. m.
g .... _ _ _
p CCNTROL VALVE V O ". e l .cc l
. == h b - $ ~r M..,,.i '.,
INJECTION PATH l a j
1 0, _ _4 4 s 3_ _ TRAIN
-~
7, .g. . .se. .
)
vm. vai . i,, ,, j CONTROL VALVE V3 '~
G-l- .cc INJECTION PATH 1, ,,, p g ' i ~ '. I p;' : ,,
- ~
w w _ _ _ T :< u ~ _
.g. g. m..
... g m, .
, l "l' l rh
~~
CONTROL VALVE V, i LI . .. "*
! ^b ii
'(.
FIGURE 5-8 HPl SYSTEM EVER l
l
i-1 a
[ s u .. i I
- I: W 0-L@...
~ ~ ,. .c
\ --) s.
7, ci J:
- / .< - . ,
?..@. .. , .
t i . .. i .
- L W
~ _ ,
, . .k., j e; :L a > .~ . ,
.. - .e. .
~ m.
F* REi t-4 . .. i i
P
- U TREE SUBSECTIONS
t fe fs #9 Vs #1 We 4 % % '*
gy ygg M i 1
8' l
\, l
% 't l .. l I -
I l
,, \ i 4 '
- v. / l !
1 wh I a
i os 1 l
1 I
l %4 l l l l- _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ ~ _ _ _ _ _
l e.____________________,
,_ ' l l l l l ,
_ 1 n 1 .
- i i
1 ,
g I i
I
!4 aass W wi 0" I l
l I f l I % l i l l
I % l l___
!' OK i.wiW i
% viv,
.VsWs I i.%4 pa.- m ca
%WeW,
. W.v-We vWie
-e.6 Y,v4.ie.%,% apy.% ga.e W.V,W.
Wt W,W.
I l 2 f ill.as + 4 4 + % * %+ * % . *v6e i
l 't ft I -W,fa l
g .
I .,,.
Fi f,
! ..S...,......_.__t,....
ANO TRAir 'r AILWRES. AAG SUBSET 10P fMt SASIC Le F AaLUAE STATi$
I FIGURE 5 9 HPI SYSTEM SUCCESS EVENT TREE 95 P
M a
~
INST. AIR INSI. AIR TRA;1"A" (RANI"S*
llL. DER liEADER
)i l l X .
X X X
_ no no _
u u-u a
7 NUCLEAR INST. OPERAilNG STAND 8V NUCLEARINST.
~
AIR COMP. 80P BOP AIR COMPRESSOR SAC-PPU tA AIR COMPRESSOR AIR COMPRESSOR BAC-PPU 28 J i il Jl Jl i l Ji JL i l NSW TRAIN A C.
POWER f
NSW 1 RAIN "B" A C.
POWER "A" (ORID OR COOttNG (GRfD OR COOLING D. G. "A") A.C. WATER D. G. "A7 BOP WATER COOLING POWER WATER (GRID ONLY)
FIGURE 5-10 INSTRUMENT AIR SYSTEM 4
M M M M -
M M M M M M M M M -
M
9 CV gggt IRAM . - COtBPONENI ME AI E ECHANGERS n
9
.. lo-H Hel, V & O, Vt S 0
<t t -E}-
-g- .,,.g_i . . . . , -.0 - . ~
-l+HkH+1-o ,,..., -l+ H,4 6H +1-
, f ,, g . . . . ,
vf.A E 0, WF.4 S.0,
-l+H# Hel- - . . . . . . ,
VGSA V0PA
-l+ H # H +;
O l+H..AH.
... ... ...+.1, 0 -0_ -
n:
- .o-X X-on>
o db q o u i
.P...
M::_:::::::::::::-
j T inam a cOesPONENI titAl 1.RC80 ANGERS g V
virr ya04: oNinct l ll FIGURE 5-11 SERVICE WATER SYSTEMS
i I
I I
I FROM SENSOR FROM SENSOR
{ MANUAL SussmEMS MANUAL TRIP A TRIP y
1
@@ @C l I
) '
%J I
j 'I y TO SENSOR SUS. SYS. TO SENSOR SUB. SYS.
A&B C&D
]f INITIATE TRAIN A l HPI AND AFS PUMPS E A&C l
FIGURE 512 ESFAS ACTUATION SUBSYSTEM A Ili (GREATLY SIMPLIFIED)
Il I:
( 98 I
4
" E W M M m a g- ,
"R1,"' = O C ,<.
.S.
~_
g,O u
- , - r>
c-t-
(
(~~ ,<. ,O n _j Co pgg M , Pg 2 f orEN vm g -
(SG-2) c o--
= "ig;,= = r :> t C
FROM ACT S.S.A.
(% Cil. TRIP) A I
FROM AcT S.S.s~ -
~
(% Cif. TRIP)
To ACTUATION f
SUBSYSTEM A & 8 G OTHER TRIP SIGNALS I
l FIGURE 5-13 ESFAS FOGG - SENSOR SUBSYSTEM A I
l I
I SG 2 I
SG 1 I
LEVEL LEVEL x FWP'A' TRIPPED
' s TEST TEST TEST %
TEST
=
l SWITCH INPUT INPUT SWITCH FWP'S' ,
< 1' < 1' START AFS PUMPS A & C & COMMAND E V14A AND V37A OPEN SETPOINT 6' SG 2 6' SG 1 SETPOINT LEVEL SETPOINT COMP.
LEVEL 3ETPOINT "I COMP.
I y y I
MANUAL MANUAL CONT. SW.
CONT. SW.
Ell I
l E/I 1
l I
l f f 4 20 ma TO 20- 4ma IIP TRANSDUCER ON INVERTER AND 1/P LCV 4025 TRANSOUCER ON LCV4009 I
FIGURE 514 SIMPLIFIED DIAGRAM ECl CHANNEL "X" I
100 I
E E b E E E E 500 KV SWITCHYARD i i 230 KV SWITCHYARD ww mw AU Y ...... STATION ,,,,,,
GEN RATOR T
-- )
)4 4160 VAC BUS E 8 4100 VAC BUS EA DC DC e DC DC
EA p lsI l 480 VAC a
l
!=Tsi u s
- (TYP)
~ >
BATTERY 480 VAC LOADS @M 400 VAC BATTERY CHARGER LOADS @ D CHARGER 125 VDC BUS 8 125 VDC BUS A
- ) E g;g 12noC LOAoS @n ,,,,,;,,,y, x, 120 VAC VITAL BUS 8 120 VA VITAL
' 120 VAC VITAL LOADS 120 VAC VITAL LOADS Mn en FIGURE 5-15 SIMPLIFIED DRAWING OF WNP-1,41E ELECTRIC POWER SYSTEM
I I
REFERENCES - SECTION 5
- 1. Svs+'m Description for Auxiliary Feedwater System for WNP-1 and 4, UE&C, System Description M4, Revision 3.
- 2. Record of Telecon, March 27, 1980, Kwan (UE&C), Reid (Terry Tur-bine), McBride (SAI); Notebook, p. 47.
- 3. Record of Telecon, March 27, 1980, Kwan and Hill (UE&C), McBride 1 (SAI); Notebook, p. 47; Borg-Warner P&ID 435KAC5-001.
- 4. UE&C Schematic Diagrams for 4160V SWGR; Record of Telecon, June 12, l 1980, Hosler (WPPSS), Kwan (UE&C), McBride (SAI); Notebook, p. 64.
- 5. Record of Telecon, March 14, 1980, Kwan and Hill (UE&C), McBride (SAI); Notebook, p. 41.
- 6. Record of Telecon, March 12, 1980, Kwan (UE&C), Hosler (WPPSS), I McBride (SAI); Notebook, p. 64.
- 7. UE&C P&ID's 9779-F-805070, -805077, and -805078.
- 8. System Description for Secondary Plant, B&W, 154055000001-07, Oe-I 9.
cember 7, 1979.
System Description for Make-Up and Purification System, I 15-4035000001-04, B&W, WPPSS Nuclear Project No.
and 3.1, February 7, 1977.
1, Sections 1.0
- 10. Record of Telecon, May 7, 1980, Kwan, and Lingapan (UE&C), Minarick I 11.
(SAI).
Final Safety Analysis Report (Draft), WPPSS Nuclear Project Nos.1 and 4, Section 6.3, March 10, 1980.
- 12. UE&C P&ID's 9779-5-805040 and -805041.
- 14. System Description for Plant Service Air System for WNP 1, UE&C,
.vstem Description M-18, Revision 1.
- 15. Records of Telecons, March 14 to June 13, 1980, Kwan (UE&C),
McBride (SAI); Notebook, pp. 41-65.
- 16. System Description fr BOP Service Water System for WNP-1, UE&C, System Description M-19, Revision 3.
- 17. Records of Telecon, April 24, 1980, Kwan (UE&C), McBride (SAI);
Notebook, p. 55.
I I D
'l 103
I
- 18. System Description for Emergency Shutdown Service Water System for WNP-1, UE&C, System Description M-1, Revision 2.
- 19. System Description for Nuclear Service Water System for WNP-1, UE&C, System Description N-22, kevision 5.
Final Safety Analysis Report (Draft), WPPSS Nuclear Project Nos. 1 20.
and 4, Section 7.0, March 10, 1980.
- 21. Instruction Manual IC506627N for the Control Rod Drive Control Sys-tem, Volume 1, November 1977, pp. 3-30, 31.
- 22. ESFAS System Functional Logic Diagram, WNP-1&4, 2242-5001, Automa-tion Industries (Vitro Labs), August 15, 1978.
- 23. Essential Control and Instrumentation--Analog Logic Diagram, 0559166F, Revision F, Bailey Meter Co.
- 24. Record of Telecon, May 14, 1980, LaQuay (BCCO), McBride (SAI);
Notebook, p. 59.
- 25. Record of Telecon, June 12, 1980, Hosler (WPPSS), Kwan (UE&C),
McBride (SAI); Notebook, p. 64.
- 26. DRAFT WNP-1 FSAR, Chapter 8, Section 8.3, Amendment 10, September 1974.
- 27. System Description for the Auxiliary Power Network for WNP-1, #E-3. 1 I!
l I
l l
l 104 d$ l
6.0 FAULT TREE ANALYSES OF THE WNP-1,4 MITIGATING SYST'.MS l
Based on the mitigating systems' success / failure criteria defined in the l Functional Event Tree, Figure 3-1, the mitigating systems' designs were subjected to a detailed fault tree analysis. This analysis expanded the event tree failure criteria in terms of logical combinatiens of systems' component failures based on the systems' design discussed in Section I 5.0.
Section 6.1 briefly discusses fault tree methodology and discusses, in detail, the development .of the 'workirig AFS +'ault trees. The HPI fault tree is discussed in Sectimi 6.2, and the support syste.ns' fault trees are discussed in Sections 6.b through 6.8.
A I
6.1 FAULT TREE ANALYSIS OF THE WNP AFS i
In Section 5.1, the AFS design was characterized in terms of the system !
flow paths which were required to function to achieve the success cri-teria defined in the Functional Event Tree. The basic advantage of RBD methodology, describcd in Section 5.1, is the direct analog with a system flow diagram. The fault tree methodology, however, more clearly identifies system " weak" points leading to system failure. Although the two methods are logically equivalent, the fault tree methodology is used in this analysis due to wide familiarity with the technique.
The fault tree analysis methodology is described in Section 5.1.1 The detailed fault tree analysis of the AFS for the scram success sequence (MIdy ) is described in Section 6.1.2 The analyses of the scram failure sequences (MKL 2
) are described in Section 6.1.2.
6.1.1 Fault Tree Analysis Methodology As illustrated in Figure 5-2 given scram success, the AFS will succeed if success paths 1A, 28, 1C or 2C succeed.
l l
1 105
The equivalent failure statement is: The system will fail if success paths 1A, 28,1C and 2C fail. 'his failure statement is illustrated schematically in a fault tree format in Figure 6-1. As in the RBD, the fault tree expands the path failure into its constituent component fail-ures. As shown, Path 1A fails it ABC, A'B', A, lA, or 1 fail. This is the equivalent failure statements to: Path 1A succeeds if ABC, A'B', A, 1A and 1, succeed.
The RBD's and fault trees have been described in terms of logical com-binations of events leading to system success or failure. Combinatio.
of the probabilities of these events often involves the assumption of independence. That is, for two events A and B, the success or failure of A is independent of the success or failure of B. There exists, however, a class of failures known as common-mode failures for which the failures of physically separate components are related. These failures, although difficult to identify and quantify, are physically real and g must be accounted for in the analysis. In general, one component of a 5 set may fail due to independent failure causes or due to failure causes affecting the entire set. These failure causes are separately ident-ified on fault trees, as illustrated in Figure 6-2.
6.1.2 Fault Tree Analysis of the AFS with Scram Success The AFS worn..g fault tree is shown in Volume 2, Appendix A, sheets 1 through 8. This fault tree defines the component failure combinations which will result in the L event, an auxiliary feedwater flow less than 1 g 600 gpm, 30 minutes or more after the LOFW. The above event may be 3 caused by any one of the following:
- 1. System le al common-mode failures of equipment.
- 2. System level est and maintenance common-mode failures.
- 3. System level operator-induced failures occur-ring during the operation of the system.
I de I 106
l l 4. Independent failures of AFS components and sub-l systems.
Independent failures are discussed in Section 6.1.2.1, and the system t
I level common-mode operation failures and equipment failures are dis-cussed in Section 6.1.2.2. Failures occurring due to manual l
reconfiguration of the AFS are discussed in Section 6.1.2.3.
I 6.1.2.1 Independent AFS Failures
~
As shown in the RBD for the MI(E 1 sequence, Figure 5-3, auxiliary feed-I water will succeed if any one of the four success paths succeed. This is shown graphically in Appendix A, sheet 1 (and is illustrated in the simplified illustrative fault tree in Figure 6-1): flowpaths AFIA,
[ AFIC, AF2C, and AF2B must fail to result in system failure. The subsystem and component level failures resulting in failure of each of these flowpaths are shown in detail in Volume 2, Appendix A, sheets 1 through 5.
E The fault trees expand the top event to the level of component failures or transfers from other supporting systems. For the AFS fault tree, direct transfers are made from the Instrument Air Fault Tree, Appendix I C, discussed in Section 6.3, and from the 4160-VAC, Vital Instrument Power and 125-VDC fault trees, Appendix E, discussed in Section 6.8.
References are made to transfers from the ESFAS and ECI trees. These trees are discussed in Sections 6.6 and 6.7.
l 6.1.2.2 System Level Common-Mode Failures )
System level common-mode failures were identified from the " random" l
failures and input to the AFS tree for separate quantification. These j consisted of equipment-related and maintenance-related common-mode fail- l l ures as identified in Appendix A, sheet 1. These inputs are expanded on '
sheets 6 and 7.
The criteria for selecting the common-mode events from multiple similar events which affect all injection paths are itemized below:
I g s !
107 s/ \
l .
- 1. Select common-mode failures to function as de-signed and exclude common-mode spurious opera-tion.
- 2. Select mechanical common modes (e.g., valves 8 sticking) in components infrequently exercised. gi l
- 3. Selected probable common-mode human failures.
I' Once specifically identified, the common-mod 9 failure probability could be estimated, as discussed in Chapter 7.0.
The equipment-related common mode failures identified include mechanica common-mode failure of the SG check valves, a common-mode failure of the 5
5 four ECI AFS control circuits, a common-mode failure of the four I/P transducers and a common-mode failure of the ESFAS resulting in closure .
of all AFS control and/or isolation valves.
The maintenance-related common mode failures are shown on Appendix A, sheet 7. As shown, these failures include the operator failing to g
re-open manual valves in all trains following one or more maintenance E activities, a common mode failure of the temporary strainors not removed and plugged (expanded on Appendix A, sheet 8), and the operator placing the four ECI AFS control circuits in manual and failing to re-open the control valves when required.
6.1.2.3 Failures Occurring During AFS Ooeration Several system level failures were postulated which would fail the AFS following a successful start. These failures involved incorrect opera-tor intervention. The failures during AFS operation are shown on Appendix A, sheet 7. They include insufficient demineralized water, which required that the demineralized water tank be at least partially drained prior to AFS operation, and the operator failing to switch to the alternate condensate storage tank source. The second failure postulated the operator taking manual control of the AFS control valves, overthrottling the flow, and failing to re-open the valves. The third I
D 4 l 108
involved the operator tripping the A and B AFS pumps as instructed.1 Pump C then failing after successfully running, and the operator failing to restart Pumps A cr C 6.1. 3 Fault Tree Analysis of the AFS with Scram Failure As discussed in Section 3.0, the AFS is the primary mitigating system for LOFW with scram failure events. As shown in the Functional Event Tree, the requirements for AFS operation are more severe than for the other cases considered.
The success criteria for the AFS are shown in Figure 5-4, the AFS RBD for the scram-failed case. Two general success path combinations are shown: those with offsite electrical power available and unavailable.
These cases are considered separately below.
6.1. 3.1 Scram-Failed Sequences with Offsite Power Available The AFS success for LOFW with scram failure and offsite power available, I as shown in Figure 5-4, requires success of:
- 1. Flow paths 1A and 2B, or M 2. Flow paths lA, 1C, and 2C, or I 3. Flow paths 28, 1C, and 2C.
The equivalent fault tree representing this success criteria is shown in Appendix A, sheet 9. The transfer inputs to this top-level tree are identical to those described in Section 5.1.2 and Appendix A, sheets 1 l through 8, with one exception. Due to the rapid initiation time required for scram-failed sequences, all operator recovery actions (e.g., manual initiation following automatic initation failure) have I been deleted (probability of operator action failure assumed to be 1.0).
I I
l 11 4
J 109 E t
~
I 6.1. 3. 2 Scram-Failed Sequences with Offsite Power Unavailable The AFS success for LOFW with scram failure and offsite power unavailable requires the successful operation of any two of the four flowpaths 1A, 28, 1C and 2C. The fault tree representation of this success criterion is shown in Appendix A, sheet 9. System failure will occur if any three of the four flowpaths fail (Note: the " combination gate" may be expanded in terms of "AND" and "0R" gates. However, since the "WAM-CUT" computer code, discussed in Sction 8.1, internally performs this function, the fault tree is shown in its abbreviated form). As above, all operator recovery actions have been deleted (probability of operator action failure assumed to be 1.0).
6.2 HPI SYSTEM FAULT TREES Separate fault trees were developed, using detailed plant design infor-mation on the MU&P and HPI systems,2 for failure to provide flow from each of the system subsections included in the HPI system event tree, Figure 5-9. Faults postulated included failures of pipes, pumps, valves, control circuit components, and the BWST. In addition to the component failure modes, human errors that could result in " faulted" g
components were also considered. Each fault tree was constructed by 3 considering components sequentially, from the output of the subsection to its input. The detailed HPI system fault trees are shown in Volume 2, Appendix B, sheets la through 55.
HPI system interfaces with the cooling water system, electric power sys- =
tem, and ESFAS were included as inputs to the HPI fault trees. The fault trees describing system failure combinations for these supporting systems are considered separately in this report.
Potential passive failures, including pipe and weld failures, vent and I
drain valves inadvertently left open, and failed-open relief valves, were added to the fault trees ay dividing the HPI system into passive failure regions, as shown in Figure 6-3. Passive failures in these I
de i 110 g
I I regions would result in failure of specific event tree subsections, de-g pending on the system operating configuration at the time. For example, B a passive failure in Region 2 was considered to fail injection paths I 2 and I3, since these two paths are cross-connected.
Once the HPI system fault trees were developed and failure probabilities for the fault tree component and operator error inputs established. the fault trees were computer analyz' i to determine the dominant cut sets g wnich contributed to subsection failure. The combinations of subsection 3 failures which would fail the system, as described in the system event tree, were also included as a part of the fault tree description which was analyzed, so that cut set combinations which fail the entire system could be readily identified.
In addition to the fault trees developed fe- the injection path, control valve, and train subsections of the HPI system, separate fault trees were developed for failure to secure RCS letdown and to combin6 the sub-section and letdown fault trees in the manner required, based on the system event tree, to determine the overall system failure states.
These various trees are discussed in the following subsections.
. 6.2.1 Injection Path Subsection Fault Trees Four injection path fault trees were developed, with one for each injec-I tion path. For each injection path, the potential failure of check and stop-check valves to open upon demand, the potential for certain stop-check valves to be inadvertently left closed following maintenance, and potential passive failures in the injection oath and in the cross-connected injection path were considered as contributors to injection path failure. For injection path I , which is used, in part, 1
during normal make-up, failures due to stuck shut valves and valves left I closed after maintenance were not considered for valves passing normal make-up flow at the time HPI is initiated. A simplified fault tree for one of the injection paths, I , 2is shown in Figure 6-4.
I I de g til 1 .
I 6.2.2 Control Valve Subsection Fault Trees Four control valve fault trees, one for each control / containment isolation valve subsection were developed. Each control valve subsec-tion fault tree considered three potential failures:
- 1. Failure of the control valve to open.
- 2. An operator error in which flow through the control valve is excessively throttled because of erroneous high-flow indication.
- 3. Failure of the check valve upstream of each control valve to open.
A simplified fault tree for one of the control valves, V179-A, which includes these significant control valve subsection failure states, is shown in Figure 6-5, 6.2.3 Trains T and 1 T 2Fault Trees The two train fault trees included all HPI system compont. ts which could fail and prevent flow from valves V360-A (for T ) 1and V465-B (for T )*2 Each tree was constructed to permit the impact of the four expected sys- .
tem operating conditions described in Section 5.0 to be separately considered. This was done by using conditional gates at the top of the trees. These gates could be assigned values of 0 or 1 during evaluation of the trees, depending on which system operating condition was being considered. This is illustrated in Figure 6-6. Below each conditicnal gate, a fault tree was constructed for the operating condition under consideration. Failures of valves and pumps to operate, potential pas-sive failures, and inadequate water in the BWST were sequentially addressed. In the two cases in which the center make-up pump was avail-able as a spare pump (operating condition NA for 2T and NB for 1T ), its manual start was included in the fault trees, provided offsite power was available. As in the fault tree for injection path 1 , components 1
known
.to be operating at HPI initiation were not considered to be failed. For example, failure to start was not included for the running make-up pump I
de i 112 I
I I unless it was momentarily stopped due to a loss of offsite power. Fail-ure to secure makeup pump recirculation flow and isolate the ulake-up I tanks was included in each train fault tree. A simplified fault tree for train 2T fr ne f the operating conditions, NA, is shown in Figure 6-7.
6.2.4 Failure to Secure Letdown Flow Fault Tree As discussed in Section 5.0, RCS normal letdown flow must be secured during HPI initiation for core cooling following LOFW. A separate fault I tree was constructed for failure to terminate letdown. This tree in-g cluded failures of the normal letdown isolation valves to close and also E the failure of the operator to close additional valves if he determined the normal letdown isolation valves had failed to close as indicated in the control room.
6.2.5 Combination Fault Tree The combinations of injection path, control valve, and train failures which will result in failure of the Hl'I system to provide adequate flow I for core cooling have been discussed previously and are illustrated in the HPI system event tree, Figure 5-9. These failure combinations were included in a fault tree which used the injection path, control valve, and train faul't tree outputs and combined them in a manner equivalent to the event tree failure combinations to arrive at a single fault tree which described the failure of the HPI system to provide required flow.
Failure to secure letdown and failure to manually initiate HPI were also I added to this combined tree.
1 6.3 INSTRUMENT AIR SYSTEM FAULT TREE As discussed in Section 5.3, the Instrument Air System consists of the two qualified trains of the NIAS, each fed by either of the two B0P in-strumer.t air compressors.
I I
na A/'
The fault tree for the Instrument Air System, as shown in Appendix C, depicts this system configuration. The principal failure inputs to the NIAS branches, in addition to the identified component failures, are the 1E 480-VAC electrical power train failures and the service water fail-ures. As shown in the tree, the B0P instrument air will fail due to identified component failures, 80P service water failures, and the BOP 480-VAC electrical power trains. To simplify the trees, the 80P 480-VAC inputs are shown as BOP 4160-VAC failure or BOP 480-VAC switchgear fail-ure.
6.4 SERVICE WATER SYSTEMS FAULT TREE Similar to the Instrument Air System, the Service Water Systems (SWS) 1 consists of two Emergency Shutdown Service Water System (ESSWS) trains, each fed by the 80P SWS, as discussed in Section 5.4. The fault tree describing the failure of this system is shown in Appendix D, sheets 1 and 2.
As shown on sheet 1, the B0P SWS will fail due to failure of the two running and one stand-by pumps or failure of both BOP 4160-VAC buses. ,
The ESSWS train failures are shown on sheet 2. Since train A and B are configured identically, the fault tree was only drawn for train A, with train B component numbers shown in parentheses.
The tree (s) as drawn shows no input for electrical power or instrument air, even through failure of these inputs fails the system. These sys-tem train failures were intentionally excluded to avoid a fault tree
" loop." Service water is a required input for diesel generator failure (failure of the 1E 4160 buses) and NIAS failure. Since loss of the 1E 4160 buses will fail all components requiring nuclear service water, all failures are accounted for in the combined trees.
I I
l 114 de 1 g
9
- 6. 5 SCRAM SYSTEMS FAILURES As discussed' in Section 5.5, the Scram System is comprised of the RPS and its sensor inputs, the CRDCS, the set of CRDM's, and the control rods / core internals. The loss of offsite power sources will result directly in de-energizing the CRDM's and bypassing the potential for RPS/CRDCS failures. However, for purposes of evaluating scram failure probability, the offsite power sources will be assumed conservatively to be available. The estimated probabilities of the systems comprising the scram cystem are discussed below:
- 1. RPS Sensor Inputs--The RPS sensor inputs incorporate sufficient redundancy and diversity to assume that their contribution to scram failure is negligible. For LOFW transients these include high RCS pressure, high RCS temperature and anticipatory LOFW inputs.
- 2. RPS--The potential for RPS failure has been investi-gated in substantial detail. Due to the substantial redundancy incorporated in the system's design, the potential for multiple
{- random failures is small in comparison to potential common-mode effects. Common-mode failure probabilities have been calculated by several investigators. EPRI has computed a probability of 3.2 x 10 8 failures / demand,#
while the USNRC has establishgd a working value of 3 x 10 5 failures / demand. Although hotly debated, these probabilities differ by only an order of magnitude. For purposes of the WNP analysis, the more conservative USNRC value of 3 x 10.s failures / demand has been used.
- 3. CRDCS--The CRDCS, as described in Section 5.5, can perform its function with diverse and redundant components. Thus, its failure rate was consid-ered sufficiently small to assume that its contribution to scram failure is small in com-parison to the conservative RPS failure proba-bility.
- 4. CRDM/CR/ Core Internals--As with the RPS the proba-bility of a mechanical CMF prever.....g CR inser-tion once the CRDM's were de-energized has been hotly debated. Calculations of CR mechanical CF probabilities have predicted very small 115 Ef s
I values, ul x 10 8 per demand depending on the number of co rod failures required for scram failure.yrolThe USNRC has stated that the mechanical CMF is small with r 1
in the instrumentation systems.gspect to CMF's For purposes of the WNP analysis, the probability of a mechanical CMF of the CRDM/CR/ core internals is small in comparison to the conservative RPS CMF probability assumed.
In summary, the only significant contributor to scram failure found was the postulated CMF of the RPS. The probability of scram failure used in the WNP analysis is thus 3 x 10 5 failures / demand.
6.6 ENGINEERED SAFETY FEATURES ACTUATION SYSTEM FAULT TREES I
The two functions of the ESFAS of importance to the WNP analysis are the initiation of the AFS and HPI system components following manual trip and the potential for spuriously closing AFS isolation and control
- valves, as described in Section 5.6. The failure analysis of these functions are discussed below
- 1. Failure of the ESFAS to Actuate Equipment--The fault ~
tree of one EyAS Actuation Subsystem is shown -
in Figure 6-8. This tree considers only ESFAS component failure, since operator action and vital power failure are considered separately.
As shown, any one of many component failures can prevent the actuation of equipment. Since interfacing systems were not involved, the tree was separately quantified using IEEE-500 failure rates and monthly testing to yield a failure probability of 2.2 x 10 3 failures /
demand / actuation subsystem.
- 2. Spurious Closure of AFS Valves--The fault tree de-
~
scribing the ESFAS sensor subsystem failures which result in ci of one AFS valve is showninFigure6-9.gsureTo quantify the tree, it was assurmd conservatively that the components could fail over a two-shift interval due to the E FOGG actuation alarm. Based on this 3 assumption, the failure probability of any one of the four sensor subsystems was e x 10 8 failures / demand.
D
</ E 116
I I In addition to the single valve closure fail-i ure, the potential for isolating four AFS flow paths was investigated. The fault tree for this event is shown in Figure 6-10. Only one credible sequence for this event was a CMF of a F0GG logic component (see Section 5.6) over the one-month test interval, a manual ESFAS trip test, and failure of the operator to ' bypass
! ESFAS on the FOGG alarm. As shown, the proba-bility of this event was negligible. However, since the analysis was not exhaustive, a fail-ure probability of 1 x 10 8 failures / demand was assumed for conservatism.
6.7 ESSENTIAL CONTROLS AND INSTRUMENTATION FAULT TREES
, The ECI functions to initiate the AFS and, once started, to control the water level in the two steam generators by throttling the control valves in the four AFS flow paths. Based on the system design discussed in g Section 5.7, two fault trees were constructed to evaluate the failure e probability of the control and initiation circuitry.
Figure 6-11 shows the component failure combinations which result in
- . ECI-X, circuit 1 closing (or not opening) AFS control valve LCV-4025.
This fault tree is typical for the two control circuits in each ECI channel. As shown, the circuit failure probability is dominated by the I
SG 1evel transmitter failure probability. In addition to having a higher failure rate, the test inter '.1 assumed for the transmitters was two months, since the instrument wt .1 continuously read full-scale at high reactor power operating conditions. It was assumed that the reac-tor would be reduced to low power more than once evary two months. This is conservative compared to the expected 9 trips / year which occur in operating B&W plants.6 iuring low power operation, the level transmitter could be tested by comparing the multiple level indications.
In Figure 6-12, a fault tree was constructed to show component failure combinations which prevent ECI-X from starting AFS pumps A and C and sending open commands to AFS isolation valves. This fault tree is typi-cal for the initiation function of ECI channels X and Y.
I de I .
I As shown in the tree, only the SG low-level initiation circuits are shown. The main feedwater pump's tripped circuit will initiate the AFS under most LOFW conditions. However, since LOFW events can occur with-out tripping the main feedwater, this circuit was conservatively not I considered.
Since two circuits must fail to produce channel failure, common-mode effects were assumed to dominate the channel failure probability. Using the CMF failure probability discussed in Section ).0, the channel fail- ,
ure probability was found to be 6 x 10 5 failures / demand. ,
6.8 ELECTRICAL POWER DISTRIBUTION SYSTEMS FAULT TREES I
l Fault trees vere developed for unavailability of the following electri- j cal power sources:
- 1. 125-VDC buses A, B, C, and D. .
- 2. 120-VAC vital buses A, B, C, and D.
- 3. 4160-VAC buses EA and EE
- 4. 480-VAC motor control centers EAll, EB11, EA31, and EB31.
- Outputs from these trees were used either as inputs to other electric power fault trees or as inputs to the main AFS and HPI system fault trees. Since the elect *1 cal power sys' 'm fault trees served an inter-face function, they were not constructed to the detail of the major trees.
The electrical power systems fault trees are shown in Volume 2, Appendix g
E. The trees were constructed to allow intra-train or intra-system E failure events (e.g., CMF's and interfaces with the offsite grid or other systems) to be considered separately from failure events affecting one train of one system.
I 11 4 E 118
B l
The fault trees of Appendix E, sheets 1 and 2, incorporated the g intra-train and intra-system events and were evaluated as an integral B part of the AFS and HPI trees. The fault trees for the 125 VDC,120 VAC, 4160 VAC and 480 VAC buses are shown in Appendix E. sheets 3 through 15. These trees were independently evaluated on a per train f basis and the bus failure probability input to the trees of sheets 1 and 2 as components.
1 i
I The fault trees for the 125 VDC,120 VAC, 4160 VAC and 480 VAC busses are discussed below.
6.8.1 Fault Trees for 125-VDC Buses A, B, C, and D I Two fault trees were constructed for loss of DC power, with one for the case when AC power was available to the battery chargers and another for l the case when only the battery was available to power the bus. Separate trees were required, since the requirement for DC power for 4160-VAC source transfers and diesel generator starting occurs at a time when AC .
f power is unavailable to the chargers.
The DC power fault tree with AC power unavailable considered the fol-I lowing potential fau ts:
- 1. Battery failures
- 2. Inadvertent opening of circuit breakers I 3. Bus shorts
- 4. Bus open circuits.
l For tnis tree, as well as for all other electrical power trees, unavail-l ability of components due to maintenance was included for bus A und C) o ni,y , since technical srecifications prohibit two redundant buses from I being removed from service for maintenance at the same time.
The DC power fault tree for the case where AC power was available to the
} battery chargers considered failure of the on-line charger and its B
l B
M
- /
119
I associated breakers, as well as failure of the operator to either switch I
to the alternate charger or failure of that charger and its associated breakers also.
6.8.2 Fault Trees for 120-VAC Vital Buses A, B, C, and D Two fault trees were also constructed for failure to deliver power to g
the vital buses, with one for the case in which AC power was available g and the other for the case in which only DC power was available to power the inverters. Potential failures considered included failure of the inverter to provide output, failure of breakers associated with the i
inverter, failure of the inverter static transfer switch, and an opera-tor error in selecting the alternate source of power to the vital bus (for the case in which no AC power is available to the bus). The DC power fault trees, as well as the AC power trees discussed later, served as input trees to the vital power fault trees.
6.8.3 4160-VAC Buses EA and EB Fault Trees The 4160-VAC fault trees considered failures of the preferred offsite power source, the back-up offsite power source, and the onsite diesel generators in determining the failure probability of each bus. Condi- I g'
tional gates were used to allow either the Station Auxiliary Transformer 5 (SAT) or Backup Auxiliary Transformer (BAT) to be considered as the preferred source of 4160-VAC power. Potential faults included in the fault trees were loss of either offsite source, failure of circuit breakers to transfe because of internal failures, failure of transfer signals or unavailability of DC power to the breakers, unavailability of a bus due to maintenance (EA bus only), transformer failures, bus shorts g and open circuits, and failure of the diesel generators to start. Fail- E l t..e cf tre diesel generators to start ir.cluded inputs for unavailability of 125-VDC power and 120-VAC vital power, since these are required for circuit brt:aker closure and sequencer operation. A simplified fault tree for unavailability of power on 4160-VAC bus EA, for the case where the preferred offsite power source is provided through the SAT, is shown in Figure 6-13.
120 d< I
6.8.4 480-VAC Motor Control Center Fault Trees Fault trees developed for motor control centers EAll, EB11, EA31, and EB31 used the availability of power on the respective 4160-VAC buses as inputs and considered as motor control center-related faults bus shorts and open circuits, transformer failures, outages due to maintenance, and loaded component shorts. together with failure of the associated current limiting device to operate.
The electrical fault trees were hand-reduced, and specific failure rates for the various buses for conditions of availability and non-availabil-ity of offsite power were calculated. These values were used, together with conditional gates for loss of offsite power, to develop small input b fault trees for the various electric power inputs to the AFS and HPI l fault trees. Additional failure inputs were included in the input tree l for 4160-VAC buses EA and EB to account for failure of the cooling water supply to the diesel generators and for common mode failure contribu-tions of the diesel generator and safety-related batteries.
[
E
[
[
C r
121
AFW SYSTEE FMLS l O
ANO l
l l
[
- PATH 1A FMLS PATH 28 FMLS PATH TC FAILS PATH 2C FAILS l
i OR BLOCK SLOCK SLOCK SLOCK SLOCK ABC FAILS A B' FAILS A FAILS 1A FAILS 1 FAILS OR T
V12A PUMPA V48 STT 1 FAILS FAILS FAILS FAILS "OR" OPERATION OR QATE: FAILURE OUTPUT OCCURS IF ONE OR MORE INPUT EVENTS FAIL "AND" OPERATION OR GATE: FAILURE OUTPUT OCCURS IF ALL INPUT EVENTS FAIL FMLURE EVENT TO SE EXPANDED IN TERMS OF CONSTITUENT EVENTS (NOT SHOWN) FAILURE EVENT WHICH WILL SE QUANTIFIED WITHOUT FURTHER EXPANSION SASIC FAILtiRE WHICH WILL SE QUANTIFIED r FIGURE 61 ILLUSTRATIVE FAULT TREE OF THE AUXILIARY L FEEDWATER SYSTEM (MRL, SEQUENCE) e 123
I 1
I AUXILIARY FEEDWATER SYSTEM FAILS A I
-~
I 4
CHECK VALVES V21 AND V63A I
Fall CLOSED 4
i n g
-~
j
- I COMMON RANDOM MODE FAILURE FAILURES OF OF V63A AND V218 AND V63A V218 O
4 I
V., .
FAILS FAILS 1
CLOSED CLOSED I
, _ I FIGURE 6 2 ILLUSTRATIVE COMMON MODE AND RANDOM FAILURE REPRESENTATION ON FAULT TREES. l I\,
124
1 1
i
\
o c_________________.___.__________________________.__
i i . L. .. :: -i
- h $. ~
,_ ___ _ _ _ q
. 6 = j '"" **
+ .x _ _ "i.:.
..>_x __
l . .
2-l ,,,g.
, , - n .. .e@.- ..=
, . -, c.- 3 , =
~ . .
-- .x l
.A#. .
1~. L____.._.__
e:
f ,;
.-----========.===_-_=,,,q=.,,.=====
.x i .,.
3.,,,
9 i iI 3M z g -
ar
. . . ;;7-- 1 ~. -
DVL
~~'
l____J '
Q?
I$,,,, "' ~
l
-m m_b-.. _ _
r--- -
ly--j E ,
h .1 - -h-4~,.. {"" ~
T- I-::_
l66, a,.
~ . _ g 9- x i I ,_v_ _ _ _ _
7 x -
r f rI , - g -
3 l ~ ~
I
- f. llJ l
I..c Ox l Q ..
r@-
O l- c ,,.,i_=N x g _m.,_
._ . .- _t ..
r -b...)i j i x ~,=
, j :,_- N______
,m l 3 y _ _ ___ _ _ _ _ _ _ _ _
'a.kY; b 7; i (_ _ _ _ _ ___ _ _ _ ___ _
~
.::, - g! x I
~
r; f.
2 r - -
.=.
g I - ' - - - - -
g i.. .. i
..7-'----- g .-
~~'
l 0"$ r
&*__O, L L_ ,l h$ - -@o g
t4 . .. i I~
1--
1-r- 7.,--- i~
=,
,J -
x 91. k: a T-k, u -.
l 1 -
L - _J
)^
a Q :. , .-_ @ .
@8-&-@_ .. , .=-
l_ _ __ _ t4 1
L!
s u
FIGURE 6 3 HPI SYSTEM DIVIDI 4
I 1
--- In,m ,,m Il _h T_ k_ "
_1__"'
, , =.y,,
- .x ._ ..g.g ,
m i___ _ _ _ _ _ _ _ _ -- J
! l
!q l L~.,,
l l l ..L ;, ;=-
'r>
i IL I
l 7,_
Jl
+-.
lllli"
. u y;.
. i l
-- &L@-
r- t._ _j m J: g x _ . ,
3 q:.a at,3,. ,, . .. m....
~
i1,. [~rY~' -
'[~.b ..=,..
D> X)-
{~i i i -
i l lL 3 ::=.- l l X. "T;T."
l
! ___Dlll l 7,+j,,
i ' ,- i wr1 r@...
l ll gy i .;;<
I j
l l !
- '" [4 !"IO ~~;_,
g,;,t 4 I@I._'. "y, . e",__.]
.w. ;,.
= "'-
.z . l j.-
yg=
f, i i
'4 '
l r - -
X-.e. - "" l3T.m -il x .. [,' @i .. .. i
- Hm
- XI.
llj I p. --. i .- - i y; g i
!~
l -~ O
'~ l [' ~w,=,
~
- 4 @h_J ;a. .d
<o
.n.. = -
I rd t_4 . .. i l
~=__ __l !
ED INTT PASSIVE FAILURE REGIONS
I1 f W UU W W F FAILURE OF INJECTION PATH I TO DELIVER FLON O
r%
N PASSIVE
" STOP- stop. STOP- STOP- FAILURE IN f, CHECK VALVE CHECK VALVE CHECK VALVE OR CROSS-CHECK VALVE V254A STICKS V254A LEFT V252A STICKS V252A LEFT CONNECTED FATH SHUT CLOSED AFTER SHUI CLOSED AFTER g, MAINTENANCE MAINTENANCE FIGURE 6-4 SIMPLIFIED INJECTION PATH 12FAULT TREE l
l 1
FAILURE OF CONIROL VALVE VITS-A TO DELIVER FLOW m
OPERATOR ERROR DETECTS HIGH CHECK CONTROL VALVE CONTROL VALVE VALVE V340- A VIT9 A FAILS FLOW AND STICKS SHUT TO OPEN THROTTLES CONTROL VALVE SHUT b
I I
VALVE FALSE OPERATOR FAILURE OF 480VAC gggg plow I^ POWER TO VALVE THROTTLES CONTROL j INDICAilON RR VALVE FAILURE SHUI FIGURE 6-5 SIMPLIFIED CONTROL VALVE FAULT TREE g g g g M M M M M W W W E E E E E E E
W W M M M M M M M M M M M M M W M M W] l FAILURE OF TRAIN TO DELIVER FLOW r%
I FAILURE FAILURE TO DELIVER OF VALVE V465-8 FLOW TO VALVE TO OPEN V4658 NO OUTPUT FF.OM OUTPUT FROM NO OUTPUT FROM g%
THIS GATE THIS GATE THIS GATE ' '
11 4 I t I FAILURE TO DELIVER FAILURE TO DEllVER to FA1 LURE TO DEllVER FLOW TO V465-B FLOW TO V465-8 FLOW TO V465-8 WHEN IN OPERATING WHEN IN OPERATING WHEN IN OPERATING CONDITION NB CONDITION NA CONDITION TNB
[D (D (h I I l
I l I
FAILURE TO DELIVER FAILURE TO DELIVER FAILURE TO DELIVER FLOW WITH SYSTEM FLOW WITH SYSTEM FLOW WITH SYSTEM STEM IN SYSTEM IN ARRANGED FOR OPER.
SYSTEM IN ARRANGED FOR OPER. ARRANGED FOR OPER- OP ^'
OPERA G TING CONDITION NB O ER ' TING CONDITION NA TING CONDITION TNB ONMTION D lON NB7 NA? TNB7 NO-GATE YES-GATE NO-GATE VALUE = 0 VALUE = i VALUE = 0 r 'f 3
FAULT TREE CONTINUATION FAULT TREE CONTINUATION FAULT TREE CONTINUATION FIGURE 6-6 USE OF CONDITIONAL GATES TO DESCRIBE VARIOUS SYSTEM OPERATING CONDITIONS
l FAULT TREE CONTINUATION f
F A4UAE TO DElfVER FLOW IO VALVE V4068 WITH SYSIEM ARRAN GEO FOR OPERAIWeO CONDITEDN NA l
l l
? AKURE OF OPERAIOR TO STARI PUIsP 3C ORFAEURE10 F AltusbE IO DELIVER DEtfVER FtOW FROts F4 OW U$us0 PuesP 38 Puaar 3C f\
m 7
PUtaP REC 8ACU- MAREUP FA4 URE F AES TO SIARI & ATsON VAL VES IANK NOT OF PuaeP SUCl40N M DEMAIE OR RUN Fast TO CLOSE t&OLATED W ALVE 50 OPEN WAIER Me SWSt C
o OPEPAIOR j
, ,'g,5,',',, F AmuRE iO ofuVER 3C WasEse Puaar FtOW GM N 3C 28FAntD T
OrtRABOR
$HROR At8GNS PUMP RECBRCU MAKEUP FARUAE WAtVES APOUNo fasts 80 STARE & AfiON vat VES I ANK HOI 07 PuteP SUCilON GNADEOUAIE CINitR Pua4P OR RUN F Alt IO C& OS.E SSOLATED VA&VE IO OPEN WATER IN SWSI DNCORRE CIL Y FIGURE 6-7 SIMPLIFIED FAULT TREE FOR TRAIN T2 DURING OPERATING CONDITION NA W M W W W W W W W W W W W W W mW W W
l ESFAS ACTUATION SUBSYSTEM FAILS
- TYPICAL OF ESAA-F. ESAB-F 8
r% P (ACTUATION SUBSYSTEM FAILURE)= 2.2 x 10 U
w s
EITHER ANY EITHER OF 5 AMPLIF.
OF 2 SOLID OF 2 POSH. SPURIOUSLY STATE RELAYS BUTTONS FAIL FUNCTION Fall SHORTED l
EITHcR 8 8 OF 2 PUSH- 2(1 x 10s/ DEMAND) = OF 6 AMPLIF. 5(.206 x 10 /HRJ15 DAYS.24 ffR/ DAY =
2(.0394 x 10 /HR)360HR =
BUTTONS Fall TO 2 x 108 FAIL TO FUNCTION 3.7 x to' 3 x 108 MAKE CONTACT 8
2(1 x 10 / DEMAND) = 6(822 x 10'/HR)360 HRS =
2 x to' t.8 x 103 FIGURE 6-8 ESFAS ACTUATION SUBSYSTEM FAULT TREE
ESFAS SENSOR SUBSYSTEM CLOSE3 1(ISVALVE y TYPICAL OF ESSA-F, ESSB F, ESSC-F, ESSD '
P(SENS. SUB SYS CLOSES VLV) = 6 x 10e U
to f%
STM.
P! STABLE AMPLIF.
PRESSURE SPURIOUSLY SPURIOUSLY TRANSMITTER FAILS GEN. SIGNAL LOW TRIPS 8
(.584 x 10*lHR) 8 HR = (.206 x 10 /HR)8 HR = (.206 x 10'lHR) 8 HR =
1.6 x 10e 1.6 x 10 e 4.T x 10 8 FIGURE 6-9 -ESFAS SENSOR SUBSYSTEM FAULT TREE E E E E E E E M M W W W W M g g g g g
U( f'l fl M W M W N ESFAS SENSOR SUBSYSTEMS CLOSE VALVES IN 4 AFS FLOW PATHS P(4 VALVES CLOSED) + E (ASSUME 1 x 10')
C w
CMF OPERATOR ACTUATION OF 1 AMPLIF. FAILS TO BYPASS SUBSYSTEM %
IN 4 SEN R FOGG CHANNEL TRIP 5 x lo s g,o
(.822 x 10'lHRN360HRN.1X.3M.5)=
4 x 10' FIGURE 6-10-ESFAS SENSOR SUBSYSTEM CMF FAULT TREE
. . . _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _. __ ._ _ _ _ _ .._.._ . _ _ _ _ _ . _ . . _ _ . _ . _ _ _ _ . . . _.m.. _ .
EC1 X - CIR.1 FAILS TO OPEN AFS CONT VLV TYPICAL OF ECX1-F, ECX2-F, ECYl F, ECY2-F 4
P(ECIX-CIR.1 CLOSES VLV) = 7.4 x 10 f%
ANY OF 3 AMPLIF. EITHER LEVEL TRANSMITTER PRODUCE HIGH OF 2 CONTACT FAILS HIGH OUTPUT SWITCHES CLOSE 8
(.713 x 13'tHR)x 30 DAYS x 24 HR = 3(.144 x 10*lHR)360 HR = 2(.1 x 10 /HR)360 HR 5.1 x 10* 1.6 x 10* 7.2 x 10s FIGURE 6-11 -ECl X - CONTROL CIRCUIT 1 FAULT TREE E E E E E E W E W W W W W M W W W W g
EC1 X FAILS TO ACTUATE AFS 8
P(ECl X FAILS TO ACTUATE) = (5.0 x 104)(.1) = 6 x 10 (CMF)
TYPICAL OF ECI-4A & ECl4C C
SG A CIRCulT SG B CIRCulT FAILS TO pagts yo ACTUATE ACTUATE 5.9 x 10' 5.9 x 10' r% 7%
SG A EITHER- SG B EITHER LEVEL TRANS OF 2 SG A LEVEL TRANS OF2SGB FAILS HIGH RELAYS FAIL FAILS HIGil RELAY 3 Fall 8
(.713 x 10stilR)720llR a 2(.1 x 10 8/18R)360ilR (.713 x 10s/HR)T20 HR = (.1 x 10 /HR)360 618 5.1 x 104 7.2 x 108 5.1 x 104 7.2 x 108 FIGURE 6-12 ~ECl X ACTUATION FAULT TREE i
FAILURE OF POWER ON 4160VAC BUS EA
- 71 PREFERRED POWER PROVIDED FROM SAT O
I l FAILURE TO PROVIDE FAsLURE TO PROVIDE FAILURE TO PROVIDE POWER FROM DIESEL POWER FROM BAT POWER FROM SAT f% 7%
TRANS- FAILURE FAILURE
[
CIRCUlf FORMEIUCIRCUIT OF BACKUP OF PREFERRED BREAKER BREAKER OFF SITE OFF SITE ALLURES FAILURES SOURCE SOURCE TRANS-FORMERICIRCulT BREAKER OfESEL OF D P WER GENERATOR FAILURE TO DIESEL TO START OR GENERATOR FAILURE TO RUN TRANSFER TO BAT FAILURE OF DIESEL GENERATOR @
SEOUENCE I FAILURE TRANS.
FER RELAYlCIRCUli OF P e POWER BREAKER TC - 1CUlf BREAKERS ALLURES FIGURE 6-13 SIMPLIFIED FAULT TREE FOR 4160 VAC BUS EA WITH PREFERRED POWER PROVIDED FROM THE SAT E E E E E E E W W W W W W W W g g g
l
{ REFERENCES - SECTION 6
- 1. System Description for Auxiliary Feedwater System for WNP-1 and 4, UE&C, System Description M-4, Revision 3.
- 2. The following design material was used to develop the HPI fault trees:
- a. System Description for the Make-Up and Purification .-
System, B&W, 15-4035000001, Revision 4, including Appendix D.
- b. Final Safety Analysis Report (Draft), WPPSS 1,4 Section 6.3.
- c. UE&C P&ID 9779-5-805040, MU&P System, Revision 14, sheet 1 of 3.
- d. UE&C P&ID 9779-S-805041, MU&P System, Revision 14, sheet 2 of 3.
- e. UE&C P&ID 9779-5-805042, MU&P System, Revision 14, sheet 3 of 3.
- f. UE&C P&ID, 9779-M-303900.
- g. UE&C P&ID, 9779-M-303099.
- h. Record of 3 /14/80 Telecon, Minarick (SAI), Kwan (UE&C).
- i. Record of 3/24/80 Td econ, Minarick (SAI), Hill, Kwan (UE&C).
- 1. Record of 5/7/80 Telecon, Minarick (SAI), Kwan Lingapan (UE&C).
- m. Record of 6/3/80 Telecon, Minarick (SAI), Gannon (UE&C).
- 4. Anticipated Transients Without Scram for Light Water Reactors, NUREG 0460, USNRC Staff Report, April, 1978.
E L
F L
AM ff 137
I I 7.0 RELIABILITY DATA DEVELOPMENT
7.1 INTRODUCTION
g A composite of the fault trees and event trees described previously pro-3 vides the " systems model" with which the estimates of core damage probability are synthesized. To develop this synthesis requires that l the probabilities of occurrence of the individual events contained in the trees be provided. These basic events can be grouped into three categories:
- 1. Events whose causes are external to the systems
- which respond to LOFW but whose impact can pro-
! duce the transient or alter the sequence of events after transient initiation. Such events l
[g include loss of main feedwater transients
'3 (LOFW) and failure of 230kV and 500kV offsite power sources (which cause loss of main feed-water). The estimation of the probability of
] such events is described in Section 4.0.
- 2. Failure of specific components in systems which ,
should respond to mitigate the impact of LOFW. l
- 3. The occurrence of errors on the part of the 1 operator or maintenance personnel. These er- ]
i rors include acts of omission, such as not )
- actuating a system when required, and acts of commission, such as performing an action which results in a component or system being unable I to perform its function.
The estimation of component failure parameters is described in Section 7.2, while that for human error is described in Section 7.3.
l I 7. 2 COMPONENT FAILURE PARAMETERS l l
Reduction of fault trees to produce estimates of the probability of occurrence of the " top event' was accomplished by use of the WAM-CUT j I
computer code described in Section 8.0. This code require that the estimates of the failure parameters input for basic events be entered as pure probabilities. This requirement differs from the requirements of l
i l
139 1/ #
I E l
I other fault tree reduction codes in which failure distributions or failure rates are input.
I TMS restriction prohibits any detailed simulation of time-dependent be-havior of system reliability and, for all practical purposes, forces the assumption of an exponential failure distribution with constant failure rate for each component. The lack of ability to model time-depedent '
system reliability is not limiting to the present analysis. For most systems, detailed simulation of time dependent behavior does not alter the result by more than 50%, which is inconsequential in comparison with other uncertainties which reach an order of magnitude. This, of course, assumes that the time frame of analysis does not include any accentuated break-in/ wear-out failure regimes. The relatively small effects of con- -
sidering the time dependence in treating staggered test intervals are shown in Table 2 of IEEE Standard 352-1975.1 The assumption of an exponential failure distribution is not limiting and has been discussed in detail in documents such as The Reactor Safety Study.2 7.2.1 Component Service Conditions The pure probability of a component failing to function is estimated using a tilure rate and consideration of a time. The manner in which time is cuasidered depends on the service mode of the cpecific component and the form of av;ilable data. Four pertinent ?ses are discussed below:
- 1. The component is normally in a dormant state, I and " demand" failure data are available. In E l this case, the component is required to take a l positive action upon occurrence of LOFW. For l instance, the circuit breakers connecting power to an auxiliary feedwater pump rnotor may be I required to open and reclose on less of offsite electric power. Failure data for circuit brea-l kers are narmally collated as the probability i that the breaker will fail to function upon I demand. In this situation, the appropriate 11
'l i 140 8
1
[
[ probability associated with the fault tree
% event is that failure probability per demand.
- 2. The equipment is normally dormant, and failure rates (per unit time) are available. Equipment of this category includes pumps which must run following LOFW. The failure would result from the component having failed while in its dorm-ant state, with the failure remaining undetec-ted until the component is called upon to run.
g Such components are tested periodically (typi-
[ cally once a month or once a year). If t..;s test interval is e, then P ,f the probability of the component being failed when called upon, is approximated by:
{
Pf = A e/2
[ when A = the failure rate for the component while in the dormant mode. This approximation is good if the repair / replacement time is small compared to the test interval, and if A 0/2 << 1.
[ This constraint is met for components under consideration in this study.
I 3. The equipment is normally running prior to the initiating event and is required to continue ia j run. This situation is typified by a control
.J system amplifier required in normal operation and in the plant upset condition. In this case, the danger results from the component I being under repair when LOFW occurs.
bability of this event is approximated by:
The pro-Pf = At where A = the failure rate of component under running service conditions, and I = the average repair / replacement time. This approximation is good for At << l.
- 4. The component is functioning at transient ini-tiation and is required to continue functioning I for some time after the event. The need for the HPI pump's continued service for the 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> mission time is an example of this mode.
The desired probability for this event is that I
D
</
141 1
I of the component function for the required E
duration, T, and is given by:
Pf = 1 exp[-AT] ~ AT I
where A = the failure rate under running service conditions, and T = the required time interval.
The required failure and time parameters for the four cases are summar-ized in Table 7-1.
Therefore, depending upon the required service of the component, a fail-ure parameter and, in most cases, a time parameter were developed, as discussed in t.he following paragraphs.
7.2.2 Failure Parameter Estimation As indicated above, the failure parameter considered was the failure rate or the probability of failure per demand. This latter parameter is often referred to as the " cyclic failure rate."
fiumerous sources of failure data exist; however, only three were found necessary for component failure data in this study. The first, and most important, source is The Reactor Safety Study (RSS).2 This document, published in 1975, provides the most extensive compendium of nuclear power plant component data and evaluates most of the significant data sources. As such, the RSS is a secondary source already incorporating an evaluation of prior sources. A major drawback of the RSS as a data E
source is, however, its suspected large degree of conservatism and its 5 lack of reflection of current generation equipment reliability.
The second source utilized in the present study is IEEE Standard 500.3 The appendix to tnis standard presents failure rate data for electrical
~
and electronic equipment used in nuclear power plants. These data are based upon "hard" operating experience and upon engineering judgment ob-tai:.ed and analyzed via a formal Delphi methodology.
I A1 Af 142
{ A major advantage of IEEE-500 is that it incorporates and uses a de-tailed hierarchy of equipment types and failure modes. This allows a fairly precise definition of equipment failures to be used in the
[ analysis.
IEEE-500 presents a range of failure rates by listing values for " Low, Recommended, High, and Maximum." These ranges cannot be interpreted strictly as representing statistical confidence bands. For this study, values listed as " Recommended" were used. Values for " Low" and "High" can be utilized for purposes of sensitivity analyses. (The " Maximum" category simply presents the largest value encountered in the Delphi process or in hard data and does not represent a meaningful parameter.
( Due to the misuse of this category as an upper band for sensitivity analyses, the planned revision to the document will delete the " Maximum" category.")4 The third source of component reliability data considered in this study L, was Licensee Esent Reports (LER's) or published analyses based on LER data. Due to the limited time available, this data source was used only where available failure probabilities were questioned and the particular failure probability was considered significant in terms of the overall analysis results. Two comporants were selected: emergency diesel generators and steam turbine driven auxiliary feedwater pumps. These failure probabilities are discussed below:
7.2.2.1 Emergency Diesel Generator Failure Probabilities The WNP 1 and 4 plants each employ two 16 cylinder DeLaval diesel generator units to supply 4160VAC electric power in the event of
{ a grid failure. These units are of recent design and no design specific data were available to base a failure probability.5 The Reactor Safety Study lists a failure probability of 3x10 2 per demand but further specifies a lx10 2 common mode failure probability for both diesel generator units due to " instantaneous" loading conditions. Due
[ to the recognized importance of on-site emergency power, the recently E
143 sf r
L-- .
I published NRC analysis of diesel generator LER data NUREG/CR-13626 was investigated to obtain updated diesel generator failure probabilities.
The report covers LER data for the years 1976, 1977 and 1978. This time interval was chosen due to the implementation of standard technical specifications and riporting procedures. Although the number of diesel generator test failures was well known, the total number of tests was not. NUREG/CR-1362 lists failure probabilities based on assumed weekly testing or monthly testing since the actual number of tests was unknown.
For purposes of the WNP 1 and 4 analysis a two week test interval was '
assumed to obtain an " average" failure probability. A failure probability of 3.2x10 2 failures to start or run per demand thus was obtained from the published results. It should be noted that NUREG/CR-1362 did not exclude from the failure events delayed automatic starts (failure to start within the specified time) or cases where the unit was manually started following a failure to automatically start. g Although the failure criteria established for the WNP analysis would a permit exclusion in most cases, this effect was not considered 1
significant with respect to other uncertainties.
The LER data published in NUREG/CR-1362 was further used to estimate the probability of emnmon mode effects in diesel generator failures. Of all !
failures listed, only ten instances of multiple failures (two or more diesel generators failing on the same or adjacent dates) were found. I These are:
Plant Date Failure I
Millstone 2 5/15/77 CMF-Fuel Valves Closed St. Lucie 1 1/18,19/77 Rcndom Brunswick 1 1/4/77 Random Cooper Station 1 11/7/10/76 Random Duane Arnold 1 5/10,12/77 Rando:.. ,
Dresden 2 12/4/77 Random Peach Bottom 2 8/26/77 Random I:
de I 144
I I
I Yankee Rowe 1 8/2/77 CMF-After Coolers Overheating f Zion 1 1/16/78 Random l
Zion 2 1/6,9/78 Random Of the multiple falut observed, eight are clearly due to multiple random failures and two are due to common mode failures. Eight random double failures in 4614 assumed tests (two trials per test) results in an observed probability of 1.7x10 3 for double failures per demand.
This figure is consistant with the calculated probability, P(A fails) P(B fails) = (3.2x10 2)2 = 10 3 In a similar manner, the observed common mode failure probability was 2 failures in 4614 assumed I tests or 4.4x10 4 common mode failures per demand. Although the uncertainties associated with this value are large, the data indicate that random diesel generator failures are more significant then common mode failures.
I 7.2.2.2 Steam Turbine Driven Auxiliary Feedwater Pump Failure Probabilities In the event of failure of on-site and offsite electrical power sources, the continued operation of the steam turbine driven auxiliary feedwater pump is critical to the recovery of the plant. In the WNP design, this pump is capable of supplying water to the steam generators without requiring AC electrical power.
- The Reactor Safety Study lists a failure probability for all pumps of 1x10 3 failures per demand. In view of the observed number of reported test failures of turbine driven pumps, LER data for auxiliary feedwater systems was obtained7 and reviewed. The following failures of turbine driven pumps were found (failures of valves and instrumentation were excluded since these items were considered separately in the fault trees):
lI
- I ll d M
,I 145
I I
Year Number of Failures NSICPrintoutIdentificationNumber[
(See Appendix F) 1979 11 3,7,14,15,16,17,24,30,38,40,45 1978 2 54,70 1977 12 47,86,87,88,100,104,106,110,113,115, 117,11d In these years there were four reported failures of electric motor driven pumps.
Since the total number of test was unavailable, an estimate of this number was obtained from NUREG/CR-1362. Based on an assumed monthly test interval, there were approximately 4560 diesel generator tests in he above time period. From this data and one turbine driven pump per plant, there were 2280 tests of turbine driven pumps. A failure pro-babilitv of 1x10 2 failures per turbine driven pump per demand was thus obtained.
Although relatively large uncertainties are associated with this probability it is significantly higher than that presented in the Reactor Safety Study. Based on the available information, the 1x10 2 failura per demand was used in the WNP analysis.
7.2.3 Time Parameter Estimation I
As discussed in Section 7.2.1, a temporal parameter is necessary for estimation of certain component failure probabilities. These times cor-respond to test intervals, mission times, and repair / replacement times.
Test intervals were used for stand-by equipment. Depending on the com-E ponent and its system, the test interval will be one week, one month n (four weeks), or approximately one year. The one year interval corres-ponds to time between refueling operations and is a conservative esti-I mate of the test interval for components which can be tested only when l 5 1
146
1
[
{ the plant is shut down. Tables 7-2 through 7-6 list the components included in the fault trees, their assumed failure probabilities and the pertinent time parameters.
Where components are required to function for a specified period after
[ accident initiation, the " mission time" is the applicable temporal vari-able. These mission times are defined by the success criteria for the '
particular branch of the event trees, as discussed in Section 3.
{
Tables 7-2 through 7-6 incorporate the twelve hour mission time utilized
[ in this study for the appropriate components.
( For components which may be unavailable when callei upon due to being in a maintenance state, the appropriate temporal variable is the repair or replacement time. This time includes the time required to identif the
{ f failure, diagnose it, effect either repair or replacement, and test the component as necessary. The time may also be specified by technical specifications as the maximum time allowed for repair without shutting down the plant. Repair / replacement times were estimated based upon
( engineering judgment, technical specifications, and discussions with operating personnel. Values assumed for the present study are comparable to those of the Reactor Safety Study.
7.2.4 Commen-Mode Failures The design of current generation nuclear power plant systems, as dis-cussed in Section 5, incorporates a substantial degree of redundancy.
In such situations, common mode failure are often the dominant contributor to system failure. Although fault tree analysis can
( identify multiple coraequential failures due to a single component failure, the identification and numerical reduction of multiple failures due to unspecified causes are less tractible.
In the WNP analysis, the systems' fault trees were used to identify identical or similar elements which could fail in a common mode and L
N
~
AM1l 147 F
L
I significantly contribute to system failure. These failures and their I
assigned probabilities are listed in Tables 7-2 through 7-6. The common mode failures were selected based on the following criteria:
- 1. Select common mode failures to function as designed and excluda common mode spurious operation.
- 2. Select mechanical common modes (e.g., valves sticking) in components infrequently excercised and exclude in components frequently tested.
- 3. Select probable common mode human failures.
Based upon review of the event and fault trees using these selection l guidelines, dominant common mode events were identified. The ,
probabilities of these common mode events were then estimated using the ,
procedures described below.
7.2.4.1 System Failure Experience As discussed in Section 7.2.2.1, an estimate of the probability of a common mode failure of two emergency-diesel generators was estimated based on actual failure data. Although uncertainties in the probability calculated are large, total diesel generator failure probability is dominated by random failures rather than common mode failure. Although basing common-mode probability estimation on actual failure experienced is the preferred method, diesel generators were the only equipment for which sufficient hard data could be obtained.
7.2.4.2 Upper Bound For selected common mode failures, an upper bound probability can be estimated without conservatively biasing the analysis results. This was g
the case with scram failure, ESFAS isolation of the auxiliary feedwater 5 system, failure to remove temporary pump suction strainers in a system and failure to reopen tank isolation valves after tank maintenance.
B.
11 Af 148 g
l 1
I 1 I These upper bound values are listed in Tables 7-2 through 7-6.
The
]
upper bounds are based either upon sparse historical data, as for )
'I failure to scram, or upon the very conservative assumption that !
redundant elements are completely coupled. (That is, if one fails, all redundant elements are guaranteed to fail.) Thus, the CMF failure rate .;
of the system is the random failure rate of the train.
I 7.2.4.3 Assigned Common Mode Failure Probabilities For many common-mode failures, an upper bound assignment introduces excessive conservatism and insufficient information exists to calculate a probability based on historical data. In these instances evaluation I and categorization of the coupling between redundant elements was performed. Based upon experience and data from similar equipments, numericai ag ression of the coupling were obtained using engineering extrapolation.
I For many sets of components subject to common mode failure, little is known beyond the estimated failure probability of one redundant element of the set and the fact that the common-mode failure probability is less than the single element probability. From this starting point, engineering extrapolation is used to extend the single element failure probability to the common-mode. In the Reactor Safety Study,2 fgp I instance, it was assumed that the common-mode probability could be estimated as the log mean of single element probability and the multiple independent failure probability of the set:
In[P(A)]-in[P(A)*P(8)***P(n)]
in[P(CMF: A,B
- n)] = 2 where A,B* * *n are the failure events of individual elements of a set.
I This estimator, however, tends to generate very low probabilities for n greater than 2 or 3. This behavior runs counter to experience which indicates that if, for instance, five identical elements fail, it is highly probable that sixth will also fail due to a common failure cause.
I I de 149
I For the WNP analysis, estimates were made of the K S ailure f of a set giver, that the first K-1 elements failed:
B P(B/A) = 0.1
- P(C/A and B) = 0.3 P(D/A and B and C) = 0.5
, Therefore, if AA is the failure rate for one of four redundant components, A, B, C and D, then the common mode failure rate for the complete set is: ,
P(A, B, C, and D) = 0.1
- 0.3
- 0.5
- AA The above probabilities were assigned assuming the conditional proba-bility of the KS ailure f increased with K.
The specific values were based upon a qualitative engineering evaluation of the equipments under consideration. In general, these were fairly complex and typically supplied by a common vendor. Thus a conservative i bounding estimate is that if such an equipment failed, then 10% of the time it would be common mode induced. If two such equipments failed i then, 30% odds that their failures are CMF related is a conservative j
estimate. A comparison of the assigned probabilities with data was made for the diesel generator information discussed in Section 7.2.2.1 Using the above estimator:
}
P(CMF:2 diesel generators) = P(A)* P(B/A)
~
=
(3.2 x 10 2) 0.1 = 3.2 x 10 3 In comparison, the data indicated a common-mode failure probability of
~
4.4x10 4 thus indicating P(B/A) = 0.1 may be conservative.
I I
150 s/
ll m !
[
7.3 HUMAN liELIABILITY O!ALUATION
{.
The event and fault trees developed for this evaluation include human i l
error as an integral part of the analysis. The trees provide a descrip-
{ tion of the events which define the context within which the operator is j
functioning. For instance, the fault trees identify the possible failure of the operator to initiate HPI following LOFW and after receiving positive indication that AFWS has not functioned properly.
( Thus, it is probable that the operator is under moderate stress and is receiving multiple system alarms. The trees thus provide a description of the scenario context. This full scenario is utilized to estimate the y probability of operator error.
For each significant operator error, the scenario within which the oper-ator is presumed to function was characterized. Based upon this 0
( characterization, NUREG/CR-1278 was the used to estimate the probablity of error. This human reliability handbook developed by Swain presents scenario-oriented failure situations consistent with the technique and informatior rintent of the trees developed in this study. Thus, the WNP scenario cr2racteristics were correlated with those provided by Swain to produce estimates of human error probabilities.
For the purposes of this study, human error was classified in the following categories:
- 1. Failure to provide correct system configuration after scheduled maintenance;
- 2. Failure to perform an action;
- 3. Incorrect operator action; and,
- 4. Common-mode events of the operator.
[ To illustrate the technique, Figure 7-1 provides the fault tree for a valve being left in an incorrect position following maintenance (i.e.
case 1 above). Table 7-7 provides the human error probabilities for the
{ individual events comprising the fault tree as taken from F
L 151 I"l1 r
I NUREG/CR-1278.8 The probability of occurrence of this event is approximately 6.6x10~3/ maintenance. It should be noted that the probability of occurrence of this event during a specific time interval is sensitive to the number of times maintenance is performed upon the system or component of interest per year. E It is also sensitive to the m testing frequency of the system or component as this event could be considered a latent failure event if the component or system is normally dormant. These events have been evaluated in this analysis.
An example of Case 2 is provided also in NUREG/CR-1278.0 The events evaluated include that of a failure to initiate HPI by tripping ESFAS g upon low reactor coolant subcooling. For this ever' it was assumed that 3 there is no dedicated operator to start the HPI given that system operation must be initiated within 20 minutes. The probability of failure to initiate the HPI on demand, for this condition is 5x10 3 failures per demand which was derived from a failure rate of .01/ demand of the regular operator ',o initiat,e the appropriate action and a failure of .5/ demand of the shift supervisor to detect the operator failure and initiate the appropriate action himself.
Examples of incorrect operator action are operator failure to observe a normal flow indicator and failure to correctly interpret quantitative information. In NUREG/CR-1278, a basic error probability of failure to check read a meter of .003/ demand under a normal level of stress. How-ever, under a " moderate level of stress," which is that level of stress experienced by the operator during plant transients requiring manual or automatic reactor and turbine trips, (except a large LOCA event) it is suggested that this failure probability be increased by a factor of 5 to a value of .015/ demand.
The water level in the Borated Water Storage Tank (BWST) is indicated by a set of indicator lamps each identifying a specific water level. In NUREG/CR-1278, a human error probability of .001 is specified for failure to correctly read a set of indicator lamps used for quantitive information.
d< I 152
Finally an operator could fail to consistently perform a required common 4
set of actions (e.g. failure to reopen a maintenance valve in three AFS trains). In many common-mode events, an upper bound estimate results in undue conservatism and insufficient information exists to permit calculation of a probability estimate. In these cases, engineering
' judgement is utilized to provide these estimates. For most sets of 3
actions, little is known beyond the estimated probability of failure of I an operator to perform a single specific action (e.g. observe a normal flow indicator as discussed above). Engineering judgement is used to
! extend these single element failure probabilities to estimate that of the common-mode. For the purposes of this study, it was assumed that the common-mode human failure probability could be estimated by assigning conditional probabilities of failure to a failure event given -
that a similar failure event had occurred. This mr iod is discussed in i Section 7.2.4.3.
=l
!I
!I il
!I E
- I
'I Is3 Afa g
R U FM M M~M D O O O O O O O O O I TABLE 7-1 REQUIRED FAILURE AND TIME PARAMETERS 1
Probability Case Situation Failure Parameter Time Parameter Estimate 1 Component dormant, Ac = probability of Not Applicable Ac action required. failure per demand 2 Component dormant, A = failure rate under 0 = test interval A(0/2) action required dormant conditions 3 Component normally A = failure rate under T = repair / replacement time At running running condition G 4 Component required A = failure rate under T = required mission time AT
- to run for a speci- running condition fied time
TABLE 7-2A AUXILIARY FEEDWATER SYSTEM FAILURE PROBABILITIES--
MECHANICAL FAILURES IDE NT. DESCRIPilon UNAV4tLAaltlif Cope (RIS (per demaad)
IATM Iest or maint. on Path MI A 2.5ml0 includes pump and valves 12 test / year a fattures/ test a 72 hrs /fallure ICIM Test or maint. on path MIC 1.4 a10-4 Includes only maintenance on discharge valves (See IATM) 2872HA-E Channel A hydraulic solenoid energized 1:10'0 IEEE.500 and monthly testing 2872HB-E Channel B hyJraulic solenad energized 1 10-6 See 2872HA-E 2BIM Test or maintenance on Path M2B 2.5 104 See l'IM 2CIM Test or maintenance on Path M2C l.4 al0'O See 'CTM P'3078 falls low 8:10'0 IEF.-500 and monthly testing y 3018-ft m 3019-FL $-
D19 falls low 8a10'0 Sie 3078-FL 7938HA-F nannel A hydraulic solenoid falls as is I:10'3 Asil-1400 and monthly testing 1938ts-F Lnannel B !.ydraulic solenoid falls as is 1x10'3 See 193SHA-F 1938P A-F Chawnel A pneu. solenoid f ails as is 1:10' See 1938hA-F 193& s-F Channel B pneu. solenotJ f alls as is Isl0'I see 193alA-F Dtndi-F Del-l falls tal0'0 Conservatively assumed, continuously testable ECl-4A ECl I f alls to open valves & start pump 5.9s10'b Based on IEEE-500 data and a thly testing ECI-4C ECI T falls to open valves & start pump 5.9:10-5 See ECI-4A ECl-FA ECl-X and Y fall to start and matutata AF5 I.la10-5 Consman mode coupling of ECXI-F ECI2-F ECYl-F, ECY2-F; P(BCD/A).0.015 ECtl-F ECI-X im;orrectly closes V4025 1.4s10 Based on IEEE-500 data, one month inst. test laterval aad two month transmitter test interval ECX2-f LCl-1 incorrectly closes valve V4009 7.4s10'4 See ECII-F ECYl-F ECI-V incorrectly closes valve V4326 7.4x10 See ECII-F ECY2-F ECl-T incorrectly closes V4001 7.4sl0-0 See ECXI-F E S-Cff CHF ESF A5 (OGG closes IA.lC.2C.25 I 10'0 Arbitrarily assumed due to low calculated probability E5AA-F ESFA5 *AA* falls to open valves & start pumps 2.2n10'3 lEEE-500 and monthly testing Esa8-F E5FA5 *AS* falls to open valves & start pumps 2.2m10' Based on IEEE-500 data and monthly testing
E E E E O E E TABLE 7-2A (Continued)
IDE N!. DE5C88Pfl0N UNAVAILASILIIT CDP 9(NI5 (per dessad)
E55A-F ESTAS *SA* Incorrectly closes salve V144 8:10-6 See ESSA-F E558-f ESTA5 *58* facorrectly closes valve V318 8 slo-6 $,,g$$g_,
E 5%-f CSFAs "5C* incorrectly closed V4025 8 10'6 Based on IEEE-500 data and amnthly testing E 550-F ESTA5 *SD* Incorrectly closes valve V4026 8 10~0 See E55A-F I/P-CMF I/P 4001,4009,4025,4026 fall as is 1:10'0 Casumon mode coupling of 4 1/P transducers, P(BCD/A).0.015 IP4001-F I/P 4007 falls as is 5.2n10~5 IfEE-500, monthly testing IP4009-f 1/P 4009 fails as is 5.2a10-5 See IP4007-F IP4025-F 1/P 4025 falls as is 5.2nI0'I See IP4001-F l' 426-f 1/P 4026 falls as is 5.2n10-5 See IP4007-F N
P.A-F Over-current trip inst, failure 3.3a10'4 IEE(-500, monthly testing OCl8-f Over-current trip inst. failure 3.3a10-4 See OCIA-F PA-f Pump A (including motor) falls 1.4a10' WASH-1400, includes failure to start or run for 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> PB-F Pump 8 (nacluding motor) f alls 1.4a10' See PA-F PC-F Pump C (Inc. turbine and gov. vlvs.) f alls 1:10~2 Based on t[A data 1977, 1918, 1919 - Avall f ary feedwater Paps PC-Lif Pump C (inc. turbine a gov. vies.) falls 3.6a10"* WASH-1400 to run over 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> PCTM Maintenance on Pump C l.1 10'3 Includes only maintenance on Pump C (See I ATM)
PP-1-2/F Piping to 5G 1 or 2 ruptures 1:10~ 3 3:10 f attares/ueld/hr (WASH-1400), yearly 5 monthly test interval PP-l/F Discharge piping to SG-1 ruptures 4.5:10' See PP-t-2/F PP-A8/F Iank discharge piping to pumps A or 8 ruptures 1 10-6 Conservatively assumed - piping continuously testable PP-C/ T Piping to Pump C ruptures la10-0 See PP-AD/F PP-2/F Piping to SG 2 ruptures 4.5:10' See PP-t-2/F FilN-F PSAT-ISAT inst. f alls 6:10'4 litt-500 anJ continuous monitortnq 54001-f0 SolenotJ 4001 falls to de-energlie 5:10-5 IEEE-500 and monthly testing posit ton (open) 54009-FL Solenoid 4009 f alls to energ- losition (open) 5:30-5 See 54001-fc
TABLE 7-2A (Continued)
IDENT. DE5Calril0N UNAVAILABILIIV CGe(NI5 (Per demand) 54025-f0 solenote 4025 falls to de-energize 5:10-5 See 54007-F0 pasition (open) 54026-f0 Solenoid 4026 falls to energ. postllon (open) 5:10-5 5,, 3,3gy,,n SCM Solenoids 4001,4003,4025,4026 fall open 1 10-6 . ut of saco7-Fo. sacos-fo, sars-Fo. nn-fo SG-f Low stems pressure in SG A and 8 la10-0 See PP-A8/F SP 5 trainers plug Isl0 Estimated teased on high purity i.ater Vl4A-SC V14A sgaartously closes 1:10'0 IEEE-500 and continuous monitoring V168-fC Chk. viv. V168 falls closed tai 0' WA5H-I400 g V169-fC Clik. viv. V169 falls closed 1 10'4 Vl68-fC C V208-SC V208 spuriously closes 1:10'0 See V14A-CL V2163f-fC Commun mode fatture of check 1:10-5 Csemon mode coupilng of two components P(A18).0.1 valves V218 anJ 8634 v218-fC 5. G. chk. viv. V218 falls closed 1 10 See vl68-FC V298-FC Pump discharge chk. viv. V298 f alls closed 1 10'4 See V168-fC V318-5C V318 spurtously closes 1 10-6 3,, ,g4,$g V35A-CL Pump discharge Chk. Viv. V35A f alls closed tal0 See V634-fC V31A-Cl V31A spuriously closes I:10'0 See vl4A-5C V4007-fC LCV 4001 falls closed 3:10~4 kASH-1400 V 4(X)9-f C LCV 4009 falls closed 3:10'4 See V4001-fC V4025-fC LCV-4025 fatis closed 3 10'4 See V4001-fC V4026-fC LCV 4026 falls closed 3:10 Seir V4007-fC V63A-fC 5. G. cht. valve V63A f alls closed Isl0'* See V168-FC V1938-f Valve CV1939 falls as is 3 10 See v4001-fC M M M M M M M M M M M M M M
TABLE 7-28 AUXILIARY FEEDWATER SYSTEM FAILURE PROBABILITIES--
HUMAN FAILURES UNAVAllARILITT Cop 9fMIS IDf MI. DESCRIPIl0N (per demand) 5 10"3 Based on Handbouk for thanan Reliability (NURIG/CR-1218l Af0f Operator falls to start MS on demand Af 5 Case staff . pp. 20-21 Operator f alls to sultch to condensate tank 5:10-3 See MOF DtW-OF Jank inventory dralned to (330K gal. 1a10'3 Operator disregards twocedures (NUREG/CR-1278)
OtWi-0 2:10'4 Consnun mode coupling of four actions P(SCD/A)=0.015
[CKY-OPF Operator places [CI-I,Y M5 control strings monthly testing ui (4) la manual or test Operator falls to trip E5f A5 on low RC 5 30-3 See M0F ESF-OPF subcoollag
-3 See M OF LCV-IR Operator falls to re-open valves 5:10 8alf Canaan mode coupling of four disallowed actions, (CV-CL Operator throttles LEVs 4001.4009.4025,4026 closed P(BCD/A) 0.015 5:10'3 See Af0F OPCD-F Operator falls to initiate AF5 fras control panel Operator falls to restart pumps A or C 5:10~3 See MDF PAB-IR Operator trips pump C 1:10'3 See DtWl-D PC-0PT 5tralners not removed prior to operation 3:10-3 Operator falls to implement procedure (NURIG/CR-1278)
St4R tal0'I Estimated based on low flow penp tests SI-OPF Operator talls to detect plugged strainers Suction strainer 511-1 not removed and plugged 3 10-6 same as comanon mode - see SNR. SP, ST-OPf Sil-PL 5 trainer $11-3 not removed and plugged 3:10-6 g,,$gg,pg
$fi-3-PL Stralner STI-2 not removed and plugged 3:10-0 See Sit-PL 51T2-PL 5.5a10 Based on once per ten years DMW tank maintenance, VI-CL Valve VI (1.0.) closed monthly testing, and figure 7-1 6.6a10-* Based on once per year pump maintenance, yearly V12A-CL Pump discharge valve V12A (L.O.) closed testing, and figure 7-1 Based on once per five years control valve dl3A-CL Control valve isolation valve V134 (t.0.) closed 1.3a10~4 maintenance, yearly testing, and Figure 7-1
TABLE 7-28 (Continued) lat NT. 9[5C81Pl10N tmAVAll ASILiff CDPVENIS (per demand)
V14A-OPF Operator incorrectly closes Vl4A 1:10 Based on monthly testin9 and continuous mattoring VI7IC Tech. Closes valves VI and 71C over 5.5a10 Consma mode coupling of tuo actions P(3/A)-0.1 I month for maintenance V200-OPF Operator incorrectly closes V208 1n10-4 See Vl4A OPf V248.CL Peep discharge valve V248 (L.O.) closed 6.6 10-4 See V12A-u V29-Cl Control valve I A viv. V29 (N.O.) closed 5.5 10-5 sased on once per five years control valve malatenance and enthly testing Pump suction valve V2C (L.O.) closed 5.5a10'$ Based on once per year Pimp maintenance. aunthly V2C-CL testing, and Figure 7-1 2 10' Cossnon nuJe coupling of three actions P(BC/A).O.03 O
V302412C lech. closes valves V300. V248. v124 over I year for maintenance V 30C-CL Valve v30C (L.O.) closed 6.6 10 See V12A-CL V318-OPF Operator incorrectly closes V318 tal0
- See V14A-OPF V 36A.R Control valve isolation valve V36A 1.3a10'* See Vl3A-CL (L.O.) closed V37A-OPF Operator incorrectly closes V37A 1 10' See Vl4A-OPF V46-CL Control valve 1A viv. v46 (N.O.) closed 5.5410-5 See V29-CL V48-CL Pump suction valve V45 (L.O.) closed 5.5a10-5 See V2C-C1 V668-CL Control valve isolation valve V668 (L.O.) closed 1.3a10-4 See Vl3A-CL V71C-CL Tani discharge valve V71C (L.O.) closed 5.5a10-0 See VI-CL
. 28-CL Control valve isolation valve V128 (L.O.) closed 1.3 10 See V13A-CL V79-Cl Control valve IA Viv. V79 (N.O.) closed 5.2a10-5 3,, yy9,cg V SA-CL Pump suction valve V8A (L.O.) closed 5.5n10'I 5ee V2C-CL V3 0 Drain valve DPGJ-V9 lef t open 5.5a10 See VI-CL V91-Cl Control valve S A Viv. V91 (N.0) closed 5.5a:0-5 See V29-CL V92-Cl Control valve IA viv. V92 (N.O.) closed 5.5 10-5 See V29-CL m e p m m m m
7 M. O _M. M M M M M M. O O M M _O M ._ M I TABLE 7-3A INSTRtMENT AIR SYSTEM FAILURE PRO 8 ABILITIES--
MECHANICAL FAILURES-ISINT. BEltalrileg uMAWAILABillif CSSENIS Iper danand) ml4 train A line ruptured 1 10 Conservatively assumed - continuously testable lAA-LR IA8-LR NIA trale 8 line ruptured 1 10 See 1%tt NIACA-f . NIA camp. A f alls to start or run 1.4sl0'I WASN-8400, includes failure to start or run for 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> MIACE-F WIA camp. B falls to run or start 3.4a10'3 See alACA-1 NIAIA-F NBA camp. Inst. train A falls 3.3 10 Ittt-500 and monthly testing NIAIB-F NIA coop. last. train B f alls 3.3a10'4 ' See NIAIA-F 315WAS-PL Caspressor strainer NSW-lA plugged 1.1a10 WASH-1400, monthly testing
$ Compressor strainer NSW-23 plugged 1.1:10'4 See NIACA-8 H5WBS-PL Running SGP IA camp. f alls 3.6a10-4 W45&l-1400,12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> operation R90PC-F 565A-f Solenoid valve V65A falls 1 10' WASH-1400 580PC-F 5taney BOP IA camp. f alls 1.4 10'3 See NIACA-I 500PI-F Standby BOP IA camp. Inst. falls 2a10'3 IttE 500, 6 month test interval i
- - - - - - - -v-- n w -v-
TABLE 7-3B INSTRUMENT AIR SYSTEM FAILURE PROBABILITIES--
HUMAN FAILURES IDE NT. DisCRIPIION UnAVAILABILIIT COPMNIS (per demand) .
5WIAV-CL Standby BOP IA camp. SW Viss. closed 1.1n10-3 Two valves, I yearly maintenance, I year test interval V 356-CL Compresser N5W V356A (N.O.) closed 6.6a10-4 Based on once per year pump maintenance, yearly testing, and Figure 7 1 V3488-CL Compressor NSW V3488 (N.O.) closed 6.6a10'* See V356-CL V 3498-CL Compressor NSW V3490 (N.0.) closed 6.6sI0'0 See V356-CL 4
v355A-CL Compressor NWS V355A (N.O.) closed 6.6:10 See v356-CL V61A-CL Compressor OW V61A (N.O.) closed 6.6a10" See v356-CL N
V628-CL Compressor NSW V678 (N.O.) closed 6.6:10'* See V356-CL
m m M M M TABbE 7-4A SERVICE WATER SYSTEM FAILURE PROBABILITIES--
MECHANICAL FAILURES IDENI. EE5CalPilON UNAVAll Attilit CaptENIS (Per danand) 4 WASH-1400, 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> operation BWPA F Running BOP Service Water Pump A falls 3.6a10 stb-F Running Dar Service Water Pump B falls 3.6a10'4 See SWPA-F BWC-F 5tandy D)P service Water Punip falls 1.4 10'3 WA9t-1400, includes f ailure to start or run for 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> 4 Conservatively assweed, continuously testable CIF Passive failure of cooling touer or lines 1:10 E5WPIA-F (W5 PIA falls to start or run 1.4a10'3 See BWPC-F EWSP28-F [WSP2B falls to start or run 1.4x10' See SWPC-F NSWA-tR M5W tre*? A line rupture 1 10 See CIF M5W8-tR NSW train B line rupture 1n10'0 See CIF NSW inst. train A falls 3.3:10~4 IEEE-500 and sonthly testing g NSWIA-F 3.3a10'4 See NSWIA-F W NW5IB-F NSW last. train B falls 51017-F Solenold 1017 f alls as is I 10'3 WA96-1400 51023-F Solenold 1023 f alls as is 1:10'3 See 51087-fD 51118-F Solenoid Vil18 falls as is I:10'3 See 510lf-F0 Sil87-F Solenoid Vil87 f alls as is 1:10'3 See $1011-f0 5BPI-F Standby gnsep inst. falls 2:10'3 l[E[-500 and 6 month test interval SWP-M 5tandby pianp in maintenance 6x10 Ihree maintenance outages of I ueek each V1017-10 TCV 1017 f alls to close 3:10'4 WAsti-14t10 V1023-F0 ICV 1023 f alls to close 3:10'4 See V4017-F0 Vil18-f C CV-IIT8 falls to open 3:10'4 See V4087-f0 Vil87-f C CV-Il87 f alls to open 3:10'4 See V40l?-F0 V!875-FC CV-1875 f alls to open 3:10 See V4011-f 0 V128-F0 Check valve V128 falls open 1:10'3 WASH-5400 V75A-fC Valve V15A falls closed (spurious closure) 1s10'0 Ittt-500 and continuous monitoring V75A-f3 Check valve V75A falls open 1:10'3 See V128-f0 V168-FC Valve V168 falls closed 1 10'0 See V75A-FC
TABLE 7-48 SERVICE WATER SYSTEM FAILURE PROBABILITIES--
HUMAN FAILURES IN NI. Dt1CRIFil0N UNAVAILAsttlit C0NE NIS (per demand)
DV-CL $1d disch. valve closed 3.3 10'4 Yearly pianp maintenance, 6 month test interval, and figure 7-1 MV5I-CL Any of 4 Train A manual valves (L.O.) closed 2.6 10'3 fearly pimp maintenance, monthly testing, and figure 7-1 MVS2-CL Any of 4 Train 8 manual valves (L.O.) closed 2.610'3 See MVSI-CL SV-CL SW suction valve closed 3.3a10'4 See DV-C1 Operator falls to start NSWA 5 10'3 AT5 Case Sturty, ItJREG/CR-1278 g SWA-OF
& SWD OF Operator falls to start NSWS 5:10'3 See SWA-Of M -
M M M
E E E E E E TABLE 7-5A HIGH-PRESSURE INJECTION SYSTEM FAILURE PROBABILITIEE--
MECHANICAL FAILURES IDE NT. 0($CalPil0N UNAVAILA81LITV CaetNIS (per demand]
OlVBOE0 Valve breaker open 3.6alo"* See 1Asot0 02VB0f0 Valve breaker open 3.6 10-5 See IA80LO 03VB0E0 Valve breaker open 3.6alo-5 See IA80LO 04WB0E0 Valve breaker open 3.6 10-5 See IAnoto 05VBoto Valve breaker ogen 3.6a10-5
- See IA80E0 06v80[0 Valve breaker open 3.6:10-5 See IABOE0 06VBolo Valve breaker open 3.6:10-5 See IA80E0 01VSOE0 Valve breaker open 3.6 10-5 See IA8010 08VB0E0 Valve breaker open 5.4 10-5 See IA80E0 g 09VB0E0 Valve t.reaker open 3.6 10 -5 See IABOLO OfBCC failure of breaker control circuit 5.4a10-5 See VIAIF Ofl0P3t4A failure of lube oil pump to start tal0'I WAStt-1400, Iable Ill-2-1 Ofst3CNA f ailure of -3C pump / motor to start talo-3 WASH-1400, Table ill-2-1 OV1428tf Check valve V142-B sticks shut la10'4 See Iv253 Arf OVl488HC Valve Vl48-8 closed 3.1a10-5 See OV141CNC ovl648MF Check valve V164-8 sticks shut Inlo'4 See IV253Att UV165Ctf Check valve Vl65-C sticks shut - See tv253Alf DVl66Aff Check valve Vl66-A sticks shut la10'# 5ee IV253Alf OV168CNC Vl68C closed 4.4x10-4 See IV251ATC, see OVl12 CPI 10VB0E0 Valve breaker open 3.6a10-5 Ste IADOE0 llVBOIO Valve breaker open 3.6 10-5 See IABOIO 12VB0E0 Valve breaker open 3.6 10-5 See IA80f0 13VC0E0 Valve breaker open 3.6a10-5 See IA80Io IABolo Valve VI-A MCC breaker open 3.6 10-5 litt-500, p. 148, average between spurious and all modes appron. tal0 /br.. I math test IA0fD6PJ Open breaker undetected 3:10'3 Swain AfWS case study, operator error is taken to be 5:10'3
TABLE 7-5A (Continued) 80[Nr. DtSCRirlton UNAVAllASItIIT CtDefNI5 (Per demand) 1880[0 Valve VI-8 MCC breaker open 3.6al0 4 See IA80E0 ICl44MF Valve V144-A motor controller failure 5.ta10-5 See VIMF ICM5fte Pump contrct handswitch falls I:10-5 $,, y g ggg ICV 354HF Check valve V354 sticks shut tal0'* See tv253W IECIXf tX LCl-1 electronics generate high flow signal 2.3a10~4 See AFW5 IF AH42Mit flow alare FAH-428 indtCates high flow 2.2s10 Ittt-500, p. 4F, f ailure of alarms, all modes, I yr. test AF142HEF flow indicator FI-428 falls high 2.2a10' WA96-1400, Table 111-2-1 fatture of annunciator m to operate 10-6/hr 1/2 year test IFLOPPMF Failure of tube oil pop for pump (tl5-PHP-IA 1n10- See torfiSI If0PIMNA Failure of PtJS-PtF-IA pump / motor to start l a 10-
- WASH-1400, Table 111-2-1 IFOP24MF Failure of Mis-PMP-IA pump / motor to run 3.6s10'4 WASH-1400, Ill-2-e IFPBCCEE Failure of pop MIS-PHP-1A breaker to control I.2:10-6 See vlMF, is hour demand circuit dureng tarst 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> ifPBCDEF Failure of pump MJ5-PN'-I A breaker control 5.4x10-5 3,, y g g 7 circuit upon domand IFI42FMF Flow transmitter FI-428 falls high 6.2 10'I IEEE-500, p. 432, flow tranwitter high outpat
.fl%/10-6 Nt 8 year test IPE H5Ftf Pump control handswitch fa61ed tal0 See VI Alf IV144 W Valve Vl44-A mechanical /-ator failure 1a10'3 ,
5ee MI AM IV251AFI Valve V251-A closed for maintenance 2 sin'I Nintenance, I every 5 years, tested once a year IV251 W 5 top check valve V251A sticks shut la10-0 See IV253Aff IV252AFI Valve V252-A closed for maintenance 2 10-I See IV25tATI IV252Aff Stop check valve V252-A sticks shut 1:50- See tv253 W IV253AMF Stop check valve V253-A sticks shut tul0-* WA98-1400, Table 111-2-1, check valve f alls to open IV254AFI Valve V254-A closed for maintenance la10"I Nintenance once every 10 years, tested once a year IV254AMF 5 top check valve V254-A sticks shut Isl0 See IV253AMF IV259Cfl Valve V259-8 closed for maintenance 2a10 See IV251AFI IV25984 5 top check val e V259-8 sticks shut Is10-4 See IV253Att IV26tBFI Valve V261-8 closed for maintenance tal0'I See IV254MI M M Un
TABPP 7-5A (Continued)
EDE NI. 0(SCRIPil0N INIAVAILABillTY ColefRIS (per esemand)
IV26tGMF 5 top check valve V261-8 sticks shut I 10 See IV253Aff IV340A70 Check valve V340-A sticks shut 1 10 See Iv253Alf IVB000 Valve breaker open 3.6 10-5 See IABOCO 2CitlBif Valve V141-8 motor controller failure 5.4 10-5 5,, y g gg ,
2CM5Fif Pump control handsuitch falls 1:10'$ See VIAMF 2[Cl1TlH (Cl-I electronics generate high flow signal 2.3:10'4 Based en IEEE-500 data, monthly test interval 2F 4642Mit Flow alare FAH-42A indicates high flow 2.2nl0'I See ITAH42Mit 2Fl42HEF flow indicator F1-42A falls high 2.2 10'3 See IFl42itEF 2fLOPPff Failure of lube oil pump for paap IUS-FM' 28 laI0' See toPFISI 2F0P24MF Failure of PUS-FMP-28 punp/ motor to run 3.6 10'O WASH-1400, 111-2-1 2f0P2MNA Failure of Kl5-PM*-28 pianp/ motor to start 1a10' WASH-1400, lable Ill-2-I 2fPBCCl[ Failure of piasp PUS-PMP-28 breaker to control 1.2 10-6 See VIAf f,12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> demand h circuit during first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> 2frBCD(F Failure of pump IUS-FMP-28 breaker control 5.4 alo- 5 See VIAfF ZIPBCDEF circuit upon danand 2fl42fMF flow transmitter fi-42A falls high 6.2al0'3 See IFI42FMI 2P[H5fMF Pump tantrol handswitch failed 1 10-5 See VIAff 2V141Bff Valve vl41- A mechanical / motor f ailur e 1 10'3 See MIAtf 2V34 t Ato Check valve V341-A sticks shut tal0' See IV253AMF 2VB0E 0 Valve breaker open 3.6a10-5 See IAB000 3ECivf EH [CI-V electronics generate h69 h flow signal 2. 3aI0'i See 2tCitf EH
" 4642Mit flow alasu IMI-42C indicates high f eow 2 2al0'I See IFAH42ftt 3FI42Hff flow indicator FI-42C falls high 2.2 10 See Irl42HEF 3F142fMF Flow transmitter fi-42C falls high 6.2x10'3 See Ifl42Fff 3V342Ble Check valve V342-8 sticks shut I:10'4 See IV253Aff 4ECivitti (Cl-V electronics generate high flow signal 2.3:10-4 See 2fCIXftH 4fAH42Mt f low alana FAH-42D indicates high flow 2.2al0'I See If All42MI 4fl42il[F flow inJlcator FI-420 f alls high 2.2a10-3 See Irl42H[F 4F F42FMF Flow transmitter FI-42D falls high 6.2a10' See III42f MF 4V260BFI Valve V260-8 closed for saaintenance tal0*I see IV254AFI
I I 1 35 3 A 3~ -
- - Ti a!?? ?
gg-- -
6 41 1
)cE 119ee
= : 3 .g . . . . !
ESEEa Ec5555SE '!!1833335t!551stBW EEE E
3 a
. . . . .a =. =t=thiiEEEEEE 33.A3a33a~3j]R5......EE . t . w w ssaAAA3a33sa343Aaa .a. .....
EEE w
< v m 5-e sn o a e . .
I 3 4 .-..e ee 'o ~ 'c o om a m m m m m m m m a m m m 'o m m m N .5 g *- 'o'o 'o 'o 'o'o 'e -'o *-*o'o'e'o'o'o 'o 'o 'o 'e 'o 'o 'o 'o 'o 'o
'o'o'
- o w a a e co o I3 - - -- -- - - - a ~~~~------------m ---
< u n w s
t
.} = thah8th ht ...
2W: ... M ..: : : : : : : : = = htt
. FFFT23 t* : :::::: : : : :
$ .j a5 565s~s~6 0- 5B " ! ! ~...* b, .b .b, .b, .b .h., .h _b.
- .b..b ., s 6
- -I: . * *
- 3I*5:
" - ~
.s . . = 1 2,, '8. : =. . ~. ' t =,8 =8 3 8 8 8 E E . . t a ' 3 3 .b s:rrra
. .- s t 5 x a, = =. =. =. =. =. =s s .==.saas s s s msmmum=Eset---
x.44se .= .=: 8.= . . . :--
22.: A
. ,a. . =. .= .= .=g .= zyz- . . a22. . .
- yz
- : = g 1' s m :
. . . . . . 14tutss.tg - - - .
- *=
......,e..- -
yy E
- i$1'.55551,53355$.$.$.$.$.$.$.$.25$.$.52I.I.
ggg. . .. ..
y--~ n g=*jl..
e ~
g . t tt........st..t...
, : s.--
MC555= a. 3*: .2==: : : : : : : : = = : : ::::
"n : : :::::::::::::
R E~1m 8~ 8 .t~ ! . ::
-i. 3 -
c o = a 8 1A*5 O3 e I.e
- w.feR g+E w. $ *$.0m.g" 1----- - C e 3 ~4 2. *r
~.
C3
.e . . M.
m w e Es.:.-88 U
..==4.*-Azz- z zz z zz z zzz -z z z z I
168
O O.. "
O .O W R. O R. %
c di TABLE 7-5A (Continued)
IB(af. B(StalPilen UNAVAllABilliv CBIGENIS (per M )
OCVllAMC Valve CSS-V!!A shut 1.3x10'4 See IV253AFC, maintenance once in 5 years, I year test interval DV145AMC Check valve V!45A sticks shut la10'* See IV253A W OV166AW Check valve V166-4 sticks shut 1:10 See V253AMr PIRI ALL Passive failure between valves V253-A, V338-A, 6.6:10'4 Specific pipe, welds, laadvertant lif ts of relief.
Vi79-A, V262-B, and V185-8 vent and drain valves are described on page 30 and in the appendia PIR2Att Passive failure between valves V254 A. V114-A. 7.lal0'4 See PIRIALL V268-8, and VI84-8 PfR4NA Passive failures between Vl84-8, v185-8, 2.8 10'3 See PIRIALL g Vill-C, and V165-8
@ - 4" 'fMA Passive failure between valves V!84-8, 2.8mI0'3 See PIRIAtt V185-8, V208-8 Vlil-C, and VI65-8
.cN Passive failure between V184-8, V185-b, 2.8x10'3 See PIRIALL V208-8, Vill-C, and V165-8 Pi AKA Passive failures between V112-C, VIG8-C, 8.6 10-5 See PfRIALL and Vl18-C PfRSINA Passive failure between V171 C Vl12-C, 1.6mlo-5 3,, pgggggt and VI68-C PfRSINB Passive fall.ere between VI??C,VlilC, A 3.3410-5 3,,pg,;3(g and V168C PIR8NA Passive failure between V165-C F0358, 3.1x10-5 See PfRIALL and -3C discharge PTR8MB Passive failure between V!65-C, V162-C, 3.4n10' See PfRIALL and PHP-3C discharge PIR8INA Passive failure between Vl65-C f0358 3.4 10-5 ' See PfRIALL valve motor failure PfR8lNB Passive failure between V165C, V162C, 8:10-5 See PfRIALL and P W -3C disch.
TABLE 7-SA (Continued) lit NT. 0(5GIPil0N INIAVAILABILITT CopVfRIS (perdemand)
PFR9NA Passive failure between V164-B. F035C. I 10'4 See IV253 W and 28 discharge PFR9fMS Passive failure between Vl64-B F035C. 3.4al0-5 $,, pygg3gg and PMP discharge PIIN-F Failure of RCS press /tenp instru. 6:10 See PflN-F Table 7-2 SINAC System in normal A configuratirn Sal 0-I the syste is in normal A configuration approximately 1/2 the time SINBC System in nonnal 8 configuration Sal 0'I The system is in nonaal 8 configuration approminately I/2 the time
[
O SIINA Systed in transition to nonaal A 1:10'3 Ihe systen is in transition to normal A approni ately 2 days in *) years 5l INS Systes in transition to normal B 1:10~3 The syston is in transition to normal 8 approalmately 2 days every 5 years 55C24PF Suction strainer clogs la10 q = (probability it doesn't clog up to the time of occurrence) a (probability it doesn't clog during the mission)
Vl36Alf valve V136-A motor controller failure 5.4a10-5 3,, ygggy V136AM Valve V136-A handswitch failed 1 10-5 3,, y gg Vl36 AIM valve in maintenance 1 10'4 Ass e e I hr/ year VI37BfF Valve Vl37-8 motor controIIer failure 5.4alo-5 See VIAEF V1378tM Valve in maletenance 1 10-4 Assume I hr/ year V137BMA Valve V137-B handswitch failed 1 10-5 See VIAMF Vl4tBIH Valve in maintenance tal0'4 See V360 AIM V144A!H Valve in maintenance 1x10'4 See V360 AIM Vl74AIF valve V174-4 motor controller fal?ure 5.4x10-5 See VIAff VI74AlH Valve in maintenance 1n10~4 Assume I hr/ year Vl74AMA Valve Vl14-A handswitch f ailed 1 10-5 5,,ygggy Vl19AIF Valve V179-A motor controller failure 5.4 a10-5 5,, y g gg y Vl19 AIM Valve in maintenance la10'4 As simur I hr/ year
M M W W W W W W W W W WM M M M W W W TAfsLE 7-5A (Continued)
IDE NI. D(SCRIPil0N UNAVAllASILliv C0ptfMIS (per emand)
V179AM Valve V179-A handswitch failed 1 10-5 $,, ygg,y V1848EF Valve V!84-8 motor controller failure 5.4a10-5 3,,yggg7 Vl848tM Valve in maintenance 1 10'4 Assisme I hr/ year V1848M Valve V184-8 handswitch failed 1:10-5 $,,yggg7 Vl85BIF Valve VIB5-8 motor controller failure 5.4 10-5 See VIAIF Vl85BIH valve in maintenance 1x10'4 Assisme I hr/ year V!858tM Valve VIR5-8 handswitch f ailed 1x10-5 5,, ygggg V198Atr Valve Vl98-8 motor controller failure 5.4x10-5 $,,yggg7 V!98 AIM Valve in maintenance 1a10'4 Assimee I hr/ year Vl98AMA Valvo Vl98-B handswitch f ailed talo-5 See VIAMF Vl99BEF Valve Vl99-8 motor controller f ailure 5.4x10'b See VIAIF Y VI990!M Valve in maintenance 1 10'4 Assisne I hr/ year V!99BMA Valve Vl99-8 handswitch failed la10'b See V'*V V!AIF Failure of valve VI-A motor controller 5.4alo-5 Failure of controller, all modes .15 10-6/hr IEEE 50'3, p.169, monthly testing Vl AMF Valve VI-A handswitch f ailure to operate 1:10-5 WASH-1400, Table ill-2-1, f ailure at handswitch VISEF Fallve of valve VI-B motor controller 5.4al0-5 See VIAEF Vist Valve VI-B handswitch fatture to operate Inl0-5 $,, ygggy V360AEF Valve V360-A motor controller failure 5.4x10-5 See VIAIF V360 AIM Valve in maintenance 1a10-4 Assisse I hr/ year V 360AM Valve V360-A handswitch failed 1 10-5 $,,yggnr V3AEF Valve V3A motor controller failure 5.4x10-5 See VIA[F
~4 V3 AIM Valve in maintenance 1:10 Assume I hr/ year 4
vlAMA Valve V3A handswitch failed 1:10 See VlAMI V4650tf Valve V465-8 motor controller failure 5.4x10-5 $,, yggg7 V46581M Valve in maintenance 1:10'4 Assisne I hr/ year V465CM Valve V465-B handswitch f ailed tai 0-5 See VIAMF V4 AIM Valve in maintenance 1:10~4 Assume I hr/ year V4Btf Valve V4B motor controller failure 5.4al0-5 See VIAlf V4BM Valve V4B handswitch failed la10'b See VIAMF
N i
O_.
r E__
a
_ e y
/
r i
f f
A I
h I
e F
M A
l E_
N V m v E u M e s e O e s e S A S C
_. ) T I
T
)
d M
_. A d L n 5 e t s m a
_ - u A e L d 5
7 n I 0 5 E t L n i A r V
A p t
m(
e 5
1x 0 4 I t
a n O
I I
N B o
,.. A C T (
O
._ e l
i a
r u N f
d r
m l
e le i
a E
l o f
_ r t e h
. n c ct
_ o c an i r
o en sw t d N
t n n o
0 l m ia m ha O i
r 8 B l
A 5
V in 5 V
=_ C e e ev
$ v
(
D l lv l a a a T
V V V E
N
, E D F M A I E 1 M B 8 B 5 5 5 E
= .
V V V M
E sN
l 1
l l
l 6
2 E
I u
- o 4* 4 L
T 8
e 6 E 5-
.= .
2 l m l 2 * . tu T T T T T T T 2 I
W T .
g T.
g;g gj
& & & & & & & & & a"m ;"
C . . . . . . . . .
2 * *:
m R,2,2,R,2,2,2,2,2, J .
m 2. 'E' 2. I 2. oh 2. h m 2 2o 2. % 2.
a ho 2. % a 2. bo 5
- g. ".
- F- 3 y u
~--
23 o 5s5E5855585s585a53 ,s s .
n a
- e, : C. 't
=
o.
-a a<a.o s .- so -
. a <. s. - o-o s - o-g.
aE-W a
g w Ea.-l3I3I3$3I3sa . .
$ Sea .
5}S 3a*
D a -
~ m ~~
< w' *:
-. 1 m u m e+
m aI 3f *
- i m m m m m m m o o 9 E 2 n m m m m m m m m m m,, eg m. g ee g o e g e g e n e e 77 5 WM gg *
,so e, e ', .e , e, g s e o g
o o o e e p
77
" mT-~;7-~;~~~;;~70m00~ T W
a G@
y 5
S 3 -m -m m m m m m . m . mm m m z P- z E o 0
- I e e e e e e e g H g
- u 2 - 2 2 2 2 2 - ,
0 $*
N Z 555"hio555*h&hEo5"5 1&E t &&&hEr5 555*55 .
- .u . 6 . u .u . 6 .u . 6 .6 , -
. u
$ $$i$$$$55555$$$$$$%
e-e-e e-e-e-e e-e= ".
3 2 u o u o u o u o u o u o u o u o u o--
m 1 1 1 E 1 99* "
m w
1,E 22 .%. a-1-$
2 % 2 .% 2 .% E .* 6 %E W2 3 *tW*e 2 a e 3
e 2 2 a *
- a. 342434242424242424~~ o - o . o - o o .
u 6
,.7 e -o o .
- W"M*M"%"%*M"%"E"%"j4 22 G ",, * ~
2%2 * **
2 '
k **
= E " ;
o -
';';4":
o- o-4 ;o 't- 2o % -o - o -
- % ; '2;" '*4; ; %. %.
o- o - .t
<y
.~
~- " " " " " ** " ~ ;;
h .$"u u u u u u u u 6 .
E x E 3. *= 3 *. 3. *. 3.
- 3. *. 3.
- 3. *. 3. : ; - 3.*."."*.
g: 22
~ g O
- 5' :: 5' : 5' 5' : 5' :* ): 6
- h' :ags
- g 22 a" s'*2 2 , , , , , , , , , , , , , , , , , ,, ,
aw s" I % I %o-I I I %
-o - - oI.. $ k % - o% - h o .I. $ o- % *E h* E* i h
2u
~
SB2BSB2B28958ES5aS5ss o- mooeoooo ~m m n . + + . . ~ ~ w o oo o o o o oo ooo
- 8 o
oo B
B E
l
TABLE 7-5B (Continued) 101NI. DESCRIPIION UNAVAllAsitiIT CotM MIS (per demand)
OVl4FCNC Valve V141-C closed 3.1x10' See OV147CNC OVl67ANC . Valve VI61.A closed 4.4n10'* See OV172CPX OV1686MC Valve V168-C closed 4.4 10'4 See OVll2CPX OV169BNC Valve V169-8 Closed 4.4s10~4 See OVlF2CPX OVil2 CPI Operator falls to open Vli2C 4.4s10-4 See IV251ATC, maintenance every 1.5 years, test period 1 year DVl72CPX Valve Vil2-C closed 4.4 10 See OVli2CPX OV318HC Valve V318 closed 4.4x10'* See OVIF2CPX OV319NC Valve V319 closed 4.4x10'# 5ee OV112CPX Operator error aligns cooling water to In10-3 See 0[ALOXX g 10LMSWB y NSW train A 10Et45W8 Operator error aligns cooling water to 1:10-3 See OEALOXX NSW train B 10f0H5PX Operator falls to operate hamisuitch 5x10'3 See IAOIDBPJ when pump tanture detected Ix10'3 NURIG/CA-1218, p. 11-9 10fDIVPJ f ailure to detect improper valve position 3 10~3 See IA0fDuPJ 100FDBPJ Operator falls to detect breaker open Ix10-3 lAREG/CR-1218, p. 11-9 lifolVPJ failure to detect improper valve position 3x10'3 See IAurDBPJ IlufDSPJ Uperator falls to detect breaker open 1x10' 4A*f G/CR-1218, p.11-9 12FDIVPJ f ailure to detect leproper valve position 3x10-3 See IAOIDBPJ 120fDBPJ Operator f alls to detect breaker open Ix10'3 NtRIC/CR-1278, p. 11-9 13fDIVPJ Failure to detect improper valve position 3x10'3 See IAOIDbPJ 130IUBPJ Operator f alls to detect breaker open 5x10~3 See IA0rD8PJ IBOIDBPJ Open breaker undetected IFD3CSPJ Iallure to detect -3C pisap f ailure to auto start 5 10'I See IAOIDCPJ 5x10'3 See IAOIDBPJ IID30$PX FallHre to manually start -3C pimip when failure to auto start detected E E M N M $ g g g
7_ O -
O M_
1 TABLE 7-5B (Continued) i 80t Nr. 9(5Calril0N UNAVAltAtittlv C M NIS l (Per demand)
.ifDP2A8PJ Tallure to detect pump IA failure to operate 5:10'3 General operator error, see IA0fDSPJ IfDPF5PJ failure to detect pump auto failure to start 5:10'3 See IA0fDePJ ITDPTSPJ - Tallure to detect pump auto failure to start . 5 10'3 See IA0fD8PJ ITLINDPI Operator falls to observe normal flow l.5ml0-2 HURIG/CR-1278, p.11-14. failure to observe indicator ifLINDPX Indication Ilght, 3:10-3 moderate stress multipler of 5 10fD0BPJ Operator falls to detect breater open 5:10'3 1A0fDePJ 10fl5P3C Operator falls to start PMP-3C 5:10-3 See IA0fD8PJ IVlilCNC Valve Vlil-C closed 4.4m!0-4 See OVl12 CPI lylF9APC Operator throttles valve V179-A closed 5:10-3 See IA0fD8PJ D IV251AFC Valve V251-A not reopened after maintenance 6.6m10'3 figure 7-l. operator / maintenance falls to restore valve to its proper position IV251A0J Valve V251-A closure not detected in valve check Isl0'I NUREC/CR-1278, p. 13-16, item 3 IV252AFC Valve V252-A not reopened after maintenance 6.6ml0 4 See IV251AFC Iv252Aal Valve V252-A closure not detected in val.e check tal0*I See IV251AM IV254Aal Valve V254-A closure not detected in valve check Isl0'I See IV251Aal IV254AFC Valve V25a-A not reopened after maintenance 6.6a10-3 See IV251AFC IV2596f C Valve V259-B not reopened af ter maintenance 6.6m10'3 See IV251ATC IV25980J Valve V259-B closvre not detected in valve check tal0'I See IV251A0J IV26180J Valve V261-B closure not detected in valve check I:10*I See IV25tAal IV2618FC Valve V261-8 not reopened af ter maintenance 6.6x10'3 See IV251AFC IV262Bal Valve V262-8 closure not detected in valve check I 10'I See IV251A0J 2fD3CSPJ failure to detect -3C pump failure to auto start 5:10'3 See IA0fDOPJ 2fD3C5PX failure to manually start -3C pump 5:10'3 See IA0fDDPJ uhen failure to auto start detected 2fDP2A8PJ Tallure to detect pump 28 failure to operate 5:10~3 General operator error, See IA0fDSPJ 2fDPf5PJ failure to detect pump auto failure to start 5a30'3 See IA0FDBPJ 2fLINDPX Operator falls to observe normal flow I.5 10-2 See IftlNDPI indication 20fD00PJ Operator falls to detect breaker open 5:10*3 1A0fDePJ
TABLE 7-58 (Continued)
IDE RI. M5CRIPil0M UNAVAIL ASIL;if C0petNIS (per demand) 20f0H5PX Operator falls to operate handswitch 5:10-3 See IAOFDBPJ when pump failure detected 20fl5P3C Operator falls to start Pre-3C 5 10'3 See IAOIDBPJ 2V!J4APC Operator throttles valve VIF4-A closed 5 10'3 See IA0fDBPJ 3fLIMIPI Operator f alls to observe normal flow I.5a10-2 See ifLINDP1 Indication 3V184BPC Operator throttles valve V184-5 closed 5 10'3 See IAOFDBPJ 4f LINDPI Operator falls to observe nonsal flow 1.5ml0 See ifLINDPX ladication 4V!85BPC Operator throttles valve V185-8 closed 5 10'3 See IA0fDBPJ 4V2608FC Valve V260-8 not reopened after maintenance 6.6x10-3 See IV251AfC Q
- 4V26080J Valve V260-8 closure net detected la valve check Im!0"I See IV251A0J 4V2628FC Valve V262-B not reopened af ter maintenance 6.6 10-3 See IV251AFC E5f-OPF Operator falls to initiate Irl via E5fA5 5:10-3 Same comments as ATW list Operator error selects incorrect allgement 3:10-3 NURCG/CR-1278, p.19-12, non-passive tasks with OEALOX1 short check list 551PA Suction strainer in place 3 10' NUREG/CR-1218, p.14 . 2, non-passive task, long list of special Instructions ulO a check IIst
$3tPB Suction strainer in place 3:10' See SSIPA Suction strainer in place 3:10" See 551PA SSIPC vi-OF CV operator f alls to close valve V!-A, 5 30-3 See VI-OfDR V5-8, V3-A, and V3-8 f ailure to close detected VI-OfCY Operator falls to close valve VI-B when 5 10-3 See IA0fDGPJ valves VS-8, V3- A, and V3-8 f ailure to close detected VI-Of 0R Operator f atts to detect valves VS-8, 5:10'3 Ceneral operator error. NUREG/CR-1218 AfWS case study VI-OFDR V3- A, V3-8 f ailure to close N N M E M $ % g
TABLE 7-5B (Continued)
IN NI. N 5CRIPil0N UNAVAILAsttili Copt(NI5 (per demand)
V136 APX Operator falls to operate handswitch when 5:10'3 See IA0fDBPJ valve failure detected V131BPX Operator f alls to operate handswitch when 5:10'3 See IAOIDBPJ valve failure detected V114 API Operator falls to operate handswitch when 5x10'3 See IAN DBPJ valve failure detected Vl19 API Operator falls to operate handswitch when 5:10'3 See IA0f0BPJ valve failure detected
[
N Vl84BPX Operator falls to operate handswitch when 5:10'3 See IA0fDBPJ valve f ailure d,ttected Vl85BPX Operator falls to operate handswitch when 5:10'3 See IAOIDBPJ valve failure detected Vl98APX Operator falls to operate handswitch when 5:10'3 See IA0tDBPJ valve failure detected Vl99BPX operator falls to operate handswitch when 5:10'3 See IAOIDBPJ valve failure detected V360APX Operator falls to operate handsmitch when 5x10'3 See IA0f0BPJ valve failure detected V 3APX Operator falls to operate handswitch when 5x10'3 See IA0fDBPJ valve failure detected V465BPX Operator falls to operate handswitch when 5:10'3 See IAOIDBPJ valve failure de tected V4 API Operator falls to operate handsultch when 5:10'I See IA0fDBPJ valve failure detected V5BPX Operator falls to operate handswitch when 5:10'3 See IA0fDBPJ valve failure detected
TABLE 7-6A ELECTRICAL POWER SYSTEM FAILURE PROBABILITIES-- <
MECHANICAL FAILURES IDENT. 0(SCRIPfl0N UNAVAILABILIIT CINetNI5 (per demand) 4160A0 Bus open 5 10 4 See MCC81180 416080 Bus open 7.2 slo'0 See MCC81180 4160A5 Bus short 6.2 10-5 See MCCBilBS 416085 Bus short 8.9 10-6 See MCC81185
~ 480AlfnC 480 VAC fault not cleared by equipment 6.2x10-5 IE[i-500, p. 521 Mission time + 12 hrs N MCC, or unit Sub/MCC breaker 480A3.NC 480 VAC fault not cleared by equipnent 6.2a10-5 See 480AIF MCC, or unit Sub/MCC breaker 48081FNC 480 VAC f ault not cleared by equipment 8.9mIO"0 IEEE-500, p. 521. Mission time HCC, or unit Sub/MCC breaker 48083f NC 480 VAC fault not cleared by equipnent 8.9n10-0 See 48081INC MCC, or unit Sub/MCC breaker 4KSA10DM Breaker open due to maintenance Ix10'4 Assumed I hr/yr 4e;BAIC10 Breaker inadvertantly open 3.6x10'0 See BKRAlll0 4 r,BA300M Breaker open due to maintenance Ix10'O Assumed I hr/yr 4KBA3010 Breaker inadvertantly open 3.6a10-6 See BkRAlll0 4KB0100M Breaker open due to watntenance O No maintenance assumed 4KB81010 Breaker inadvertantly open 5.2x10'# See BKRBillo 4KBE UDM Breaker open due to maintenance 0 No maintenance assuned 4KBB3010 Breaker inadvertantly open 5.2x10"I See BKRBil10 All(OF Equipment overcurrent fault 1.2x10'3 1[lf-500, p. 521, 20 itens for mission + T2 hrs AllIEUD Tallure of equipment uvercurrent device 3:10 1[t[-500, p. 148 AlHCCF One of 4 MCC overcurrent f aults 2.5x10~4 IEEE-500, p. 521, 4 Items for mission + 72 hrs A31[0F [quipment overcurrent fault 1.2x10'3 See All[0F A31fl00 f ailure of equipment overcurrent device 3 10-4 l((b 500, p. 148 A3MCCf One of 4 HCC overcurrent faults ,
2.5a10 See AIMCCF AP5A180 Inverter AC alternate source breaker open, 2.8mlo-5 llEE 500, p. 152, Breaker failure within last month bus Al3 E M O M E E O 'E M' $ M @
ll h h h t t t n n n o
s o o e m m t t t
- s s s a a a l l l i
n i
n i n
h h h n it t t o n e i i is o h T w w w i t A A _
s e e e is s B B s r
r u
r u
r u m is a r r h 8 S l t l r m e r e r 8 5 5 S _
d v y v y e 2 0 0 1 i t i o r e e e 4 A I _
f a
f a
f a f f
o t a
n e
2
/
n e
2 im1 F T l f
8 B s n h
/ t
- A A r r r s 1 h 1 B B h h e e e m e n r w w n n t t k t t t e e y r
y r
o o n n a a a i t d e e d
e e is is i i i w wi .
e e e It la s v s v _
r r r 0 u e u e is is ede de de d B B B 2 4 e e . r M M d d n n
, , b e . r u u 2
5 2 2 1
8 1 8 l e b e h c
b e h c 1 1
,l l c c m b
i i b
5 1 1 5
1 2 4 2 5 1 5 4
1 l
c ; an I I l n a
I 2 2 n n o m r i en be 5 5 i i c c l
iw uo w n i n e p w e b p. te et et e t 5 p p p p p p T s p. _
t t g
, , ,F0 F A T o I n o a a a a 1 g s 0 0 0, 0, G 0 E 0 , CC B d Ae S iamd t A S a i t 0, 3
, r r r r 8 g T g 0 0 i
N 5 5 0
5 0
5 W50 l I
B 0 N 5 I d r n r e e e md e
0 0 e e e e B g 5 5 r r r r U g E E t C E E E
- B a e n n ns s m
s n mu - - u u u u S $ .
M E E t E E E e c T f
e s i ss i i s i i
s E E l l l li i ee ,,
P t E E .
C C
E I
E I
E I
E E E I I l S e E I Se ASr p s A is A As i A s s E E ifaf aFiF S a I I g a _
f i )
) l d ,
A d t n I a 6 e 8 u A = 5 5 5 7 n l
l d -
0 D
0 '04 04 0 5
4 5
0 5 i A r V e 1
l m
1 x
l - 1 '01 0' 0 1 01 o
l 0
l
'0 1
0 1
m 0 s a 0 x a n E t A p N (
8 8 8 8 1 6 8 1 1 6 '01 3 3 6 x
L n U 2 2 2 I 3 3 1 3 3 5 0 2 0 2 I. 9 2 B o I 3 - - - - 8 6 A C T (
n, n n, ep e p ep n n n n o o o e e e e e e c c h h h h r r r i
v i
v w w w w e e e e e e e t k k d d c c c e e a a a n n n c
& t e.
e b
e r
e b
e r
t n s e lt r
t n
r e s cr lt e
u t a
n e
t a
n e
t a
e n
t a
n e
n c c r u r u so n n n n r u a u a e r
u r
u r
u lt u r c f lt u r t dc f ia m r ei e c m a r c m i a c ru ma i ce r
o o o a e t a e e u s s s f v n f o e v n r o e r o o o os o os to osu u
M t e
a n
r t
e a
n r
t e
a n
r t
c t e
r e r
r n t
n cu re en cur re t
r ef t s t eu de eud ee u d r rd r d rr d r r t
d e e du e r i r r m r p r e e e u m e v uc ip e n e ne e ne e n e ef c il t t r u o re qu ov as t
p e p e p e p e e e o no n r r lt l lt e f f f N a a a e q o r o r o r o r p p h h 0l C v e o CC vo e C dC p p p p o o s s M i P
1 A
r e l t
A r
e 3 C
A r
e 1 t
n e e f
o H 4 n t
e e f M o
4 t
e c
e k
r a
e t
r a
e t
r e he k eh ke e eh kerh e a
e t a e t d e r r r r e e e e d d d n n r r t t 8
C t 1 t 1 m r f n r f l e s r s r e e e e e o o 5 r Al tr 8 r 8 ip l u o p lu o s br i b is br i b is f e e e e p p h h E e e v s v s v s e e f f f o o s s B n u a u a u q ia n q i an eA T u e u T T T T T T T T T T T T T T T T I
b l t e
l b E F O E f O B A B B 8 S B B B 5 B B B B B C B A A A A A A A A A A A A A A A B M T N
0 0 0 o D S
A S
A 8
D 5
E 8 8 8 D D 3 3 F o F F O F M M M H B 5 B 5 1
0 l C O E C O O 0 l A S
8 8 E f lC E T C B B 8 0
8 0 0 S5 f f B 5 8 5 F F O O 5 P
5 5 l M 1 M T I T l i l T I T T I5 P P t 31 3 3 A A A A A A I I A A A i S B i 8 8 8 8 8 B 8 8 B 4 A A A B 8 8 B B B B B A A A S
y0 l llll -
i TABLE 7-6A (Continued)
EDE NI. Of5CSIFfl0N UNAVAILASILIIT CDPt(NI5 (per demand)
BBKRf0A Battery A breaker f alls open 5.3 10 See IDCSAO BBKRf00 Battery 8 breaker falls open 4.6?l0'I See IDCBB0 SUKRf0C Batt ry C bre Aer falls open 5.3slu'I See IDCDAO BBKRF00 Battery D breaker falls open 4.6aI0'I See 100800 BBKRidA Battery A breaker inadvertantly open I.9:10-4 Open once/yr s 5a10-3 failure to close a 1/2 week check period 88KR108 Batters 9 breaker inadvertantly open 1.9a10 Open once/yr a 5:10'3 failure to close a 1/2 week check period BBKRIOC Battery C breaker laadvertantly open 1.9a10'4 Open once/yr a 510'3 failure to close a 1/2 week check period Open once/yr a 5:10'3 failure to close a g BBKR100 Battery 0 breaker inadvertantly open 1.910~4 o 1/2 week check period BCAPBIO Battery charger A breaker f alls opm. 5:10 See BCAPB0 BCAPB0 Battery charger A breaker falls open 5:10'# See IDCBAO BCAPT Battery charger A failure 1.5 10-5 It[E-500, p. 90, Mission time
- 2 hrs BCA5Bf0 Alternate charger A breaker falls open 2. F al0'b 5ee 8CA500 8CA500 Alternate charger A breaker f alls open 2. / al3'I IEtt-500, p. las, I month failure time 8CASF Alternate battery charger A failure 7.9a10'4 l[EE-500, p. 90, I month failure time
! BCCPBf0 Battery charger A breaker falls open 4.6 10'# See BCBP80 BCOP00 Battery charge- B breaker falls open 4.6a10"I See IDCB00 SCOPF Battery charger 8 failure 1.3a10-5 ((tt-5^9, p. 90, Mission time BCBSBIO Alternate charger 8 breaker falls open 2.1a10-5 See 808500 l 808580 Alternate chargc - 8 breaker Falls open 2.7m10
- Ittt-W, p.143, I moath tellure time l BCBSF Alternate battery charger 8 failure 1.9:10' 1[f E-500, p. 90, I month failure time i BCCPBfD battery charger A breaker falls open SaI0'# See BCCPd0 BCCPB0 Battery charger C breaker falls open Sal 0'I See IDCBAD BCCPT Battery charger C failure 1.5 10-5 IEt[-500, p. 90, Mission time + 2 hrs BCC5BF0 Alternate charger C breaker falls open 2.7 10-5 See B00500 BCCSB0 Alternate charger C breaker falls open 2.1 10-5 Ittf-500, p. 148, I month failure time BCCST Alternate battery charger C fatture 1.9 10'4 life-500, p. 90, I month failure time
e TABLE 7-6A (Continued)
IO(NI. 0($CRIPi!0N UNAYAILASILIII COP 9fMIS (per demand)
BCDPBf0 Battery charger A breaker falls open 4.6a10"I See BCDPB0 BCDPB0 Battery charger D breaker falls open 4.6a10"i See IDCBBC Battery charger D failure 1.a10 0 Itt[-500, p. 90, Mission time BCDPF BCD5BfD Alternate charger D breaker falls open 2.7a:F $ See BCDSB0 BCD5B0 Alternate charger 0 breaker falls open 2.7 10-5 lit [-500, p. 148, I month failure time BCD5F Alternate battery charger D failure 7.9:10 IEEE-500, p. 90, I month f ailure time BCOSA Battery charger A output short 0 See SCCA 8C058 Battery charger B output short 0 See SCCA 8005C Battery charger C output short 0 See SCCA BC05D Battery charger D output short 0 See SCCA 4
g BfA Battery failure 3.4 13 IEEE-500, p. 104, tow output during test H BfB Battery failure 3.4x10" l((L-500, p. 104, Low output during test BIC Battery failure 3.4x10~4 lite-500, p. 104, Low output during test BID Battery failure 3.4al0'0 IEEE-500, p. 104. Low output during test BKRA!!D Breaker inadvernantly open 3.6x10-0 See BKRAlliO 3.6a10
-0 lif t-500, p.148,12 hr mission
- 12 hrs BKRAll!0 Breaker All inadvertantly open BKR AllH it.C All breaker open due to maintenance 4.6al0"* Asstsaed 4 hrs /yr BERA310 Breaker inadvertantly open 3.6 10-6 See BKRAllto BKR A3110 Breaker A31 inadvertantly open 3.6x10-0 See BKRAll!0 BKRA31H PEC A38 breaker open due to maintenance 4.6aI0'4 Assumed 4 hrs /yr UKRA59fC A59 breaker failure to close 1.4 a10-5 liff-500, p. 152 BKRA59F0 A59 breaker failure to open 3x10~4 IEEE-500, p. 152 BKRA5910 SAT breaker falls and trips open 5.9x10'0 See BKRA6tTO BERA61FC M1 breaker failure to close 1.4 10-5 IEEE-500, p. 152 BKRA61f0 Ad breaker failure to open Jul0~4 IEEE-500, p. 152 BKRA6tIO BAf breaker falls and trips open 5.9a10~0 ftEE-500, p. 152, Mission time
- 12 hrs BKRA80fC A80 breaker failure to close 1.4:10-5 IEEL-500, p. 152 BKRA80I0 A80 breaker failure to open 3:10-0 IEEE-500, p. 152 BARA80l0 BAI breaker falls and trips open 8.4al0'I See BKRA62I0 BKRA82FC A82 breaker failure to close 1.4 10" IEEE-500, p 152
TABLE 7-6A (Continued)
IDE NI. DESCRIPil0N UNAVAllA88tlif C0pt(NIS (Per demand)
BKRA82f0 A82 t der failure to open 3 10~4 IEEE-500, p. 152 BrRA82iG BAI breaker falls and trips open 8.4x10"I IEEE-500, p. 152, Mission time BKR8tIO Breder inadvernantly open 5.2x10"# See BKRBillo 8KR81110 treaker 811 laadvertantly open 5.2x10"I IEEE-500, p. 148, 12 hr mission BKRBilM HCC 811 breaker open due to maintenance O Assumed not to be in maintenance BKR8310 Breder inadvertantly open 5.2x10'I see BKR8tilo SKRB3110 Breaker 831 Inadvertant;- open 5.2x10*I See BKRBilI0 8KRB3tM KC 831 breder open due to maintenance O Assuned not to be in maintenance BOAl Bus open , 5:10-5 See HCCAllB0 BOA 3 Sus open 5 10-5 See MCCAllB0 00 8081 Bus open 1.2xt0-6 See MCC81180 N
8083 Bus open 1.2x10~6 See MCC81180 85Al Bus short 6.2x10-b See MCCAllBS 85A3 Bus short 6.2x10-5 See MCCAll85 850' Bus short 8.9110-6 See MCE81185 B583 Bus short 8.9x10-6 See McC81185 DCBA0 DC bus A open 1.2xt0-6 lEEE-500, p. 521, tuo hrs before use DCB00 DC bus 8 open 0 Failure over DG start time DCBBERTA Breder A falls open 1.6x10-0 IEEE-500, p.154, tuo hrs before use DCbBrRf8 Breaker 8 falls open 0 Failure over DG start time DCBBLRDA failure to detect open breaker Int 0-I See FDBBKROA DCBBLRDB Failure to detect open breder tal0*I See TDBBKROS DCB3tROA Breaker A inaJvertantly open 1.9xl0~4 See BBrRIDA DCB0tP06 Breder 8 inadvertently open 1.9x10'* See BBKRIOS DCBTA Battery failure 3.5ml0~' See ETA DCBf B Battery fatture 3.5x10-4 See BfB DC80A Bus open 8.4x10'0 See VITALA80 DCB06 Bus open 7.2x10-6 See VITALB80 DCBOC Bus open 8.4x10-0 See VITALA30 OS E M
TABLE 7-6A (Continued)
IDE NI. Df5CAiril0N UNAVAllABilliT C0petNt1 (Per demand) l DCBUD Bus open 7.2x10-6 See VliALB80 DCBSA h rt on DC bus A 1.5:10-6 Ifft-500, p. 521, tuo hrs before use DCB5B h rt on DC bus 5 0 Failure over DG start time DCCSA Short of any connected component 0 See SCCA DCCSS Short of any connected component 0 See SCCA DCDarRA Dist. center breaker A f alls open or 1.14:10'2 Assumed I hr/yr plus failure during open due to maintenance DCD8tR8 Dist. center breaker B f alls open or 0 Failure over DG start time open due to maintenance
$ DCDCBOA Dist.centerbreder048fallsopen 1.2m10-4 Assumed I hr maintenance /yr or open due to maintenance DCDC808 Dist. center breaker U58 falls open 4.6x10"# 5ee IDCBBQ DCDCBOC Dist. center breaker U53 falls open 1.2a10'* See DCDC804 or open due to maintenance DCDCBOD Dist. center breaker U43 f alls open 4.6ml0'I See IDC880 DCOCDA f ailure of associated over-current 0 See SCCA protection device DCOCDB f ailure of associated over-current 0 See SCCA p.".ection devtce DGBICA DG breaker A failure to close 1x10-6 IEEE-500, p. 148 DGBFCB DG breaker B failure to close 1 10-6 IEEE-500, p. 148 DGFTWA DG f ailure to start or run 3.2x10-2 See Section 7.2.2 of main report DGFISR8 DG failure to start or run 3.2a10-2 See Section 1.2.2 of main report DGUDINA DG A unavailable due to maintenance 3.2a10'3 0.032 failures / demand a 12 domands/yr a 72 hrs / repair /8760 hrs /yr DGUDlHB DG B unavailable due to maintenance O DG assumed not to be in maintenance IBAI f ailure of HCC breaker 3:10' 1[t[-500, p. 148 IEA3 Failure of ICC breaker 3410-4 1[EE-500, p. 148 fB81 Failure of HCC breaker 3:10 IEEE-500, p. 148 f883 Failure of HCC breaker 3x10-0 IEEE-500, p. 148
-- - - _ - _ - _ _ _ _ _ . . _ _ - _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ._ ._. .a
TABLE 7-6A (Continued)
IDE NI. 0(5C81PIION UNAVAltAsillIT CoretNIS (Per demand)
FBCBOA failure of breaker A to open 0 See SCCA F80808 Fatture of breaker 8 to open 0 See SCCA FBCBOC Failure of breaker C to open 0 See SCCA F8CD00 Fallure of breaker 0 to open 0 See SCCA FD88tROA Failure to detect battery A breaker open Info-I Check 6ag error af ter maintenance FDG8KROS failure to detect battery B breaker open Isl0'I Checking error after maintenance FD88rROC Failure to detect battery C breaker open Isl0'I Checking error af ter maintenance FDBDFROD failure to detect battery D breaker open la10'I Checking error after maintenance f 00 ACOA Failure of breakers associated with 0 See SCCA
$ failed c m ponent F08AC06 Failure of breakers associated with 0 See SCCA failed component F T'KOC Failure of breakers associated with 0 See SCCA failed camponent FotnC00 Failure of breakers associated with 0 See SCCA fai1ed component ful%80A failure of ureaker A to open 0 See SCCA FUP5808 Failure of breaker 8 to open 0 See SCCA FUP5000 Failure of breaker C to open 0 See SCCA FUP5000 Failure of breaker 0 to open 0 See SCCA FU5PSISA Failure of static transfer switch 2. 6 x 10' IEff-500, p. l , Relay failure within last month 4 1[EE-500, p. 155 Relay failure within last month FUSPSISS Fallure of static transfer switch 2.6 10 FUST8Al failure of unit se. trans./480VAC 3:10'* (([E.500, p. 148 unit se. breaker FUSIBA3 Fallure of unit sub. trans./480VAC 3s10'* IEEE.500, p. 148 unit sub. breaker Fusiput Failure of unit sub. trans./480VAC 3:10'4 IEEE-500, p. 148 unit sub. breaker F U5TBB3 Failure of unit sub. trans./480VAC 3:10'* lif E.500, p.148 unit sub. breaker
y .
1 4
i l
l 6e le b b
& & & R N N N N l
.. . . i 8888EE58 33
- e a: a:a :e : =:
a e a
&E
-rrrrrrrr s e.
14414444 rete la
- e - -
~ ~ ~~ ~~ . 2
_= e. m . r. m t :. tgg-
~
. ~. . . ==
32 00EEE200
- 6
.6 . i. 6 ; Es E. 58888888&& *
. . . .. .. E 11124441 :. )) *:
- e a a e e e a e IkMe MMAN E
'b b b b b b b 6 dd 55
. . . . . . . . . . . ' ' ' ' ^ ^ ^ c ::: ..
22223333 3 4M R22222222- 8SRR
_--3
&&&&&&&didid
~ ~ -
&{j]ygjjjkk&&di . . ..
. 8 , 83 .gggggggg--
88..- . . ---- .8
= . o. . . . . . . , , . . .
.m m m. . . .
m
. ......e . -
--m
-m m I, ========4 = 33: 33333333aa====
n
=c z E e 5 m
- 3 ~~~~~~~~,~ . .. . ..... . .
$ .h, 2 'o 'o 'o 'o 'o 'o 'o 'o 'o 'o 'o 'o 'o 'o u ' 'o e 'o 'o 'o 'o 'o m in 'o 'o
. e-s1 :: :::: : ::: : :o: : : : : : -o - o : :
w a a c cm o 5 " " .* *.. " *..----oa ec " * - * * : * *: 9. : 59979
~e .~o-o u~oo~-
9
<c v s v
=0=0
<<<< * =.
.*. 2a 3333 ..
. . a
= = . .. . i. t.
I E E h- Ek. # i l
. . 2 - -
2222a e a e in
- aA2a
- p tz:
e .
n E' t
==
......i. . . gg*aa.6. .
i . 8' .
.' j : 3a m
-m - -
ret:
88 j8*=*21141"lett33, j'2:
.3 -*"i"ESj
- r : .
3 2 :s : :....
WWWW888888m ** - 11* 353333
[.
3 x
'g :
6 6 m u 3*** ::::::yey,:
6 6 m u s u 3
2:
e re te te rat 2.,.}2}2}2*f a
. . . . ....I3 r
y773 y.3.1e..
2222222222: - 22 2aaaaaaaaii&&&5 J.
=
- 2R oa 22ge22s oe ga 3 ga$ 25m 1 SE .M o 2m o a s s "s 2v E a u yy55gggggg<2SS*WWWWWWWWEE E vEv Ev E v v v R a
o aa-888 185
TABLE 7-6A (Continued)
IDENI. DESCRIPTION UNAVAIL A8It ill COP 9(MI5 (per demand)
OCfNEA Overcurrent fault not interrupted by 6.2n 0-5 lif E-500, p. 521, ttission time
- 12 hrs breaker below 4160/ unit sub. trans. breaker DCfNIB Overcurrent f ault not interrupted by 8.5 10'0 ftLE-500, p. 521, Mission time breaker below 4160/ unit sub. trans. breaker 5AT SAT selected as preferred source SalG'I SAT and BAI will be alternated as the preferred soerce SATBOMAS SAI breaker open due to maintenance when 2.3:10~" Assisned to be I hr every 1/2 yr
~ BAT is the preferred source
$ SAIBUMAS SAT breaker open due to maintenance when 0 See BAIDOMAS SAI is the preferred source 5AIBUMBS SAI breaker open due to maintenance when 2.3x10'4 Assianed to be I hr every 1/2 yr PAT is the preferred source 5AIBUMBS SAT breaker open due to maintenance when 0 See BAT 80 MAS SAT is the preferred source 5Aff08 5AI feeder open 1. t x10~4 See BAlf05 5Alf05 SAT feeder open I .6x10-5 See 8Alf06 SATF5A SAT feedor short - failure rate included in 5Alf05 SAlf 58 SAT feeder short - Failure rate included in SAIT08 SATOS SAT open -
See BAIDS SATOS SAT open - See 8ATOS SAISA SAT short 8.9n10-6 See BAISB SAI58 SAT short 6.2 10-5 3,,ggg$$
5CCA Short of any connected component 0 Based on reduction of the 400 MCC fault trees, the combination of (assts.e 50 canponents) component short and over-current device failure to operate is suf ficiently low that these items were not specifically evaluated.
5C08 Short of any corrected component 0 See SCCA (asstsee 50 components)
SCLC Snort of any corrected component 0 See SCCA (assume 50 components)
M
O M O C .. I TABLE 7-6A (Continued) 18E 8i. 8tSC81Pil0Il BRAVAILASILIII CIBOENIS (per esmond)
SCCO Short o,f any corrected component 0 See SCCA (assene 50 camponents) 5C084 - Short circuit on bus A I:10-5 See VIIALA85 5C088 Short circuit on bus A 8.9:10'0 See VIIAL885 SC08C ' Short circuit on bus A 1 10-0 See VIIALA85 SCOB0 Short circuit on bus A 8.9m10-6 3,,ygggggg$
SEQtfA Sequencer A logic failure ' 7.2a10-4 R55 general lastru antation number, one month test inte. val StyLIO 5equencer B logic failure 7.2x10-4 855 g;eneral instrumentation number, g one month test laterval N SUBIALO Transionner open - f ailure rate combined with $UBIAls, 34 hrs SUSIAIS transfonner short 6.5m10-5 litt-500, p 285, Mission time
- 72 hrs SUBIA30 fransformer open - Failure rate combined with suBIA35, 84 hrs SUCIA35 Transfonner short 6.5 10-5 3,,$ggggg5
$UBIBIO Tratsfonner open - Failure rate cambined with SUBf815,12 hrs 5U01815 Iransfonner short 9.3x10'* IEEE.500, p. 285, Mission time 5U81830 fransfonner open - Failure rate cm 4lned with 5U81835, 12 hrs SUBIS35 Iransformer shurt 9.3x10 See SUBIB15 5U10 Step-up transformer open - Failure rate combined with SUIS SUTS Step-up transfonner short 8.9:10-6 3,,ggg$g ISRfA Transfer signal relays (one of three) 7.8a10-5 litt-50ft, p. 155, one month period fall to generate / allow transfer, Bus A 15RF8 Transfer signal relays (one of three) 7.8a10-5 IEEE-500, p.155, one month period fall to generate / allow transfer, Bus 8 UPtAISO Bus open 5:10-5 See McCAll80 UPIAI85 Bus short 6.2 10-5 See MCCAll85 UPtA380 Bus open 5:10-5 See MCCAll80 UPEA365 Bus short 6.2a10-5 See MCCAll85 UPE8180 Bus open 7.2x10-0 See MCCBilBO UPt8185 Bus short 8.9:10-0 See MCC81185
TABLE 7-6A (Continued) 10EEI. p(iCRIPilom UNAVAll ASILIII CCPviENIS (per demand)
UPE8383 Bus open 1.2 10-6 See MCC81180 UPE 83h5 Bus short 8.9 10-6 3,,,gggggg$
UP505A UPSA blxting diode and bypass cabinet 0 See SCCA ADC input short UP5058 UP58 blocking diode and bypass cabinet 0 See SCCA ADC input short UP505C UPSC blocking diode and bypass cabinet 0 See SCCA ADC input short UP5050 LPSD blocking dioJe and bypass cabinet 0 See SCCA ADC input short USTBFI0A 4160 bus / unit sub. trans. breaker 3 10"* IEEE-500, p. 152 y failure to operate CD U518FT08 4160 bus / unit sv4. trans. breater 3:10 IEEE-500, p. 152 failure to operate USUBBAIM Breeter open due to maintenance 2.3a10 Assismed 2 hrs /yr U5UBBA3H Breater open due to maintenance 2.3 10 Assumud 2 hrs /yr U5UBBBIM Breater open due to maintenance O Assumed not open for maintenance U5U6803M Breater open due to maintenance O Assiseed not open for maintenance VI EAL A80 vital bus open 1.2:10-6 IEEE-500, p. 521,12 hr mission + 2 hrs VITALA85 Vital bus short la10-5 IEEE-500, p. 521,12 hr mission + 2 hrs VITAt8B0 V6tal bus open 4.6 10"I IEEE.500, p. 521,12 hr mission VIIAt885 Vital bus short 8.9a10-6 IEEE-500, p. 521, 12 hr mission VII4 95A Alternate power source selected 5:10-3 Geneeal operator error VITAP558 Alternate power saurce selected 5:10-3 General operator error VIIBOA Bus open 8.4 10-6 IEEE-500, p. 521, Mission t tise + 2 hrs VITBSA Bus short 1:10-5 IEEE-500, p. 521 Mission time + 2 hrs VITBOB Bus open 1.2m!0-6 IEEE-500, p. 521. Mission time VIIaL8 Bus short 9:10~0 l((E-500, p. 521, Mission time VIIIFA Inverter failure 1.8:10-5 3,, gyg VillFB Inverter failure 1.6 10-5 3,, g y g W W W M M M M M
O O .O- O
. TABLE 7-6B~
ELECTRICAL POWER SYSTEM FAILURE PROBABILITIES--
HUMAN FAILURES IN Nf. B(SCRIPIl0N UNAVAltAgillif CapOENIS (per demead)
DGCMA operator error mis-sets diesel controls 5 10'3 AFS case study NUREG/CR-1278 diesel A DGCM Operator error mis-sets diesel controls 5:10'3 See DGCM diesel 8 OEMACBSA Operator error falls to set auto-transfer 5x10'3 See DGCM controls to 8AT-SAI y DEMACS$8 Operator error falls to set auto-transfer 5 10'3 See DGCMA
@ controls to SAT-SAI DEMACSSA Operator error falls to set auto-transfer 5:10'3 See DCCMA controls ta SAT-SAf OLMACSBB - Operator error falls to set auto-transfer 5 10'3 See DGCM controls to SAT-BAI OEMCA59 . Operator error mis-sets A59 switchgear 5a10' See DGC M remote-local centrols OEMCA61 Operator error mis-sets A68 switchgear 5x10'3 See DCCMA remote-local controls OtMCA80 Operator error mis-sets A80 switchgear 5 10'3 See DGCHA remote-local controls OEMCA82 Operator error uts-sets A82 switchgear 5:10'3 See DGCMA remote-local controls OEIII Operator error falls to transfer to alternate 5x10'3 See DGC M source OfpBCAPT Operator falls to detect unavailability inl0'I Considered an obscure detection since of gx>wer from operating charger battery would still be supplying power to bus.
TABLE 7-6B (Continued)
UNAVAltA38tlif Capt(NIS ID(NI. DESCRIPil0N (per demand)
OfD8C8PI Operator falls to detect unavailability tai 0-2 Considered an obscure detection since battery m uld still be supplying power to bus.
of power from operating charger OfDBCCPF Operator falls to detect unavailability la104 Considered an obscure detection since battery muld still le supplying power to bus.
af power fram operatteg charger OfDBCDPF Operator falls to detect unavailability 1:10-2 Considered an obscure detection since battery would still be supplying power to bu;.
of power from operating charger Of 5CA5f P Operator f alls to switch to alternate charger - failure rate combined with OfD8 CAPI given detection of unavailability of power f rom f ailed charger.
g Of 5C85f P Operator falls to suitch to alternate charger - f ailure rate combined with Of DBC8PI
$ given detection of unavailabiltty of power from failed charger.
Of5CC5fP Operator f alls to switch to alternate charger - f ailure rate combined with OIDBCCPF given detection of unavailability of gewer from falIed charger.
Of5CD5fr Operator fails to switch to alternate charger - failure rate combined with OIDBCDPF given detection of unavailability of power free failed charger.
TABLE 7-7 FAILURE PROBABILITIES FOR TECHNICIAN l LEAVING A VALVE IN THE INCORRECT POSITION B
i I Component Human Error Probability Comment MCE00 .01 Maintainance worker fails to restore j valve after work is complete.
(NUREG/CR-1278, p. 13-18 item #2).
MCEOC .003 The maintainance worker inadequately attempts to restore the valves.
(NUREG/CR-1278, p. 13-18, item #1, P. 13-15, item #4).
f
.01 I The maintainance worker fails to use MFTUCL the checklist. Checkoff is required but not used, or all items are f checked after maintenance is I
l complete.
- p. 14-15).
(NUREG/CR-1278, MUCLI .5 The maintainance worker uses the B checklist, but performs incorrectly while checking list. (NUREG/CR-1278,
- p. 14-15).
CFTDE .1 The checker fails to detect an error j of commission in valve restoration list. (NUREG/CR-1278, p. 13-19)
CDEBTWA 0 It is assumed the checker will take
{ corrective action if a non-restored valve is detected.
l l
l B
l B
l 1
l E
191 I
I I
VALVE IS LEFT IN INCORRECT POSITION AFTER l
l ASSUME:
- 1. THE WORK IS PERFORMED UNDER OPTIMAL STRESS
MAINT5 NANCE WORKER CHECAER FAILS FAILS TO OPEN TO RECOVER VALVE VALVE AFTER TO CORRECT POSITION MAINTENANCE l T CHECKER MAINTENANCE WORKER ECTS ERR MAINTENANCE WORKER 0 l F#JLS TO RECOVER l l l BUT TAKES FAILS TO OPEN VALVE HIS ERROR WRONG ACT CFTDE CDEBTWA P P AINTENANC MAINTENANCE MAINTENAN MAiNTEN WORKER WORKER USES WORKER l WORKER FAILS 1
i l COMMITS AN TO USE CHECKLIST COMMITS AN ERROR OF ERR INCORRECTLY M Sg CHECKLIST OMISSION MCEOO MCEOC MFTUCL MUCLI FIGURE 7-1 FAULT TREE FOR TECHNICIAN LEAVING A VALVE IN IMPROPER POSITION AFTER MAINTENANCE
I I REFERENCES - SECTION 7
- 1. WASH-1400.
- 2. "IEEE Guide for General Principles of Reliability Analysis of Nuc-I lear Power Generating Station Protection Systems," ANSI N41.4-1976, IEEE Standard 352-1975, The Institute of Electrical and Electronic Engineers, Inc., New York, NY, 1975.
- 3. "IEEE Guide to the Collection and Presentation of Electrical, Elec-tronic and Sensing Component Reliability Data for Nuclear Power Generating Stations," IEEE Standard 500-1977, The Institute of Electrical and Electronic Engineers, New York, NY, 1977.
- 4. Private Communication with J. R. Penland, Chairman of the Relia-I bility Subcommittee of the IEEE Nuclear Power Engineering Commit-tee, June 1980.
- 5. NUREG/CR-1362.
- 6. NUREG/CR-1331.
- 7. NUREG/CR-1205.
- 8. NUREG/CR-1278.
I I
I I
3 1
1 I
I 11 "I
195
1 8.0 QUANTIFICATION OF SYSTEMS FAULT TREES With the fault tree input event data defined in Section 7, the systems' fault trees were numerically evaluated to yield safety function failure probabilities. The results of the analysis include, in addition to the system failure probability, identification of each combination of fault tree input failure events (e.g., pump A fails) which causes system failure. These combinations or " cut sets" and their importance are discussed in detail in Section 8.
g The computer methods used to numerically evalcate the fault trees is 1 discussed in Section 8.1. , In Section 8.2, the principal cut sets contributing to system failures are discussed. The AFS results are discussed in Section 8.2.1, the HPI results in 8.2.2 and the combined AFS/HPI system in 8.2.3.
I 8.1 COMPUTER METHODS FOR FAULT TREE EVALUATION The following SAI developed computer codes were used to numerically evaluate the WNP 1 and 4, mitigating systems' fault trees:
WAMBAM: A code for the quantitative point-wise j evaluation of system failure probability 3 using Boolean algebra.
WAMCUT: A code to determine quantitatively the cut I sets (failure sets) that lead to failure of the system.
The WAMBAM code uses Boolean algebra minimization techniques to find the resultant logic expressions from an input tree and then calculates the associated point unavailability. WAMBAM first forms all possible com-binations of events and then forms a truth table that describes each I event and gate as a function of these combinations. This basic method-ology is computationally optimized, based on techniques used in the GO computer code, i
11
'l 197 -
l I
I,,
The WAMCUT code is divided into two sections. The first, WAM, the same preprocessor used in the WAM8AM code, reads the fault tree description j and checks for logic and syntax errors. The second section, CUT, is the l cutset finder routine, which takes the restructured input fault tree from WAM and finds the cutsets of each gate, working from the bottom to l
the top of the tree.
All the WAM series codes have been developed, checked, and made opera-tional by SAI for EPRI; and they are currently available through the EPRI code center.
I 8.2 DISCUSSION OF PRINCIPAL CUT SETS OF MITIGATING SYSTEMS Using the failure rate data described in Section 7, the WNP 1 and 4 AFW and HPI system fault trees were independently analyzed using the WAM series of computer codes to determine the principal combinations of system fault tree input events (cut sets) contributing to system failures. In addition, the AFW and HPI system fault trees were merged to determine the dominant cut sets for the simultaneous failure of both the AFW and HPI systems to provide core cooling.
In each case, the systems were analyzed to obtain:
- 1. The conditional probability of system failure with the I
offsite electrical power grid available (500 KV line or the 230 KV line available).
- 2. The conditional probablity of system failure with the offsite electrical power grid unavailable.
I The AFS results are discussed in Section 8.2.1 and HPI results in Section 8.2.2. The combined AFS/HPI " system" results are discussed in Section 8.2.3.
I 198 d" I I
T L
I 8.2.1 Principal Cut Sets of the AFS The AFS was analyzed to obtain the probabilities of system failure and contributing cut sets for the three failure criteria discussed in Section 3:
- 1. Failure to deliver 600 gpm within 30 minutes of a LOFW 1 with and without the offsite power grid available (Scram Success Sequences).
I 2. Failure to deliver 1200 gpm within 15 seconds E 600 gpm within 15 seconds and 1800 gpm within 30 seconds with the offsite power grid available (Scram failure sequence).
- 3. Failure to deliver 1200 gpm within 40 seconds with the offsite power grid unavailable (Scram failure sequence).
The results of the AFS analysis are shown in Figures 8-1 through 8-4.
Figure 8-1 shows the principal cut sets contributing to the failure to deliver 600 gp:n with the grid available. The system failure probability for this case is 1.3x10 4 failures per demand which is consistent with the highly redundant system design.
As shown, one single element cut set contributed 52% of the system failure probability: failure to reopen manual pump discharge isolation valves following maintenance on the three AFS pumps over one year. The high significance of this event resulted from the assumptions used in estimating the event's probability:
- 1. All three pumps will be maintained over 1 year, each I maintenance requiring the put.:p maintenance valves to be closed.
I 2. The closed valves can only be detected by the yearly system flow test (i.e., visual inspection of the normally
" locked open" valves will not detect the failure.
- 3. The average duration of the undetected system failure stata is 6 months.
I B
199
)"
I.
Ya d
- 4. The common-mode coupling factor for the failure to reopen the second and third valves is (0.1)(0.3) = 0.03.
Other cut sets contributed less than 10% each.
The cut sets contributing to the failure to deliver 600 gpm with the grid unavailable are shown in Figure 8.2. rhe system failure probability for this case is 2x10 4 failures / demand.
Two single element cut sets contributed 52% of the system failure rate.
The failure to reopen the pumps' discharge valves, discussed above, g
contributed M% shile a common mode failure of the train A and train B g batteries contributed 17%. The high significance of the battery CMF resulted from the following assumptions:
- 1. Battery failure can only be detected by the discharge test performed every 6 months.
- 2. The probability of a battery train failing a test can be used as an estimate of the probability of failure to perform its function.
- 3. The CMF coupling factor for the second failure is 0.1.
The third cut set, contributing 10%, consisted of a triple random failure of the 4160 VAC bus EA, bus EB, and the turbine driven AFS pump.
The principal contributor to the AC power failure was the double random failure of the two emergency diesel generators (given LOOP). The fact that the independent turbine driven AFS pump failure must occur in addition to the " loss of AC power" transient demonstrates the system's power source diversity. Other cut sets contributed less than 7% each.
Figures 8-3 and 8-4 show the principal cut sets for the scram failure sequences. The failure criteria for these cases are more restrictive than the scram success sequences discussed above. This is due to the higher required flow rates which required additional operable equipment and the rapid initiation times which eliminated short term operator g recovery actions even from the control room. W
$ ~
200 M
I
/T l -
I l
l l Figure 8-3 shows the principal cut sets contributing to system failure with the scram failed criteria and the grid available. As shown four single element cut sets contributed 69% of the system failure l
p.obability for this case, 6.8x10 4 failures per demand.
The operator failing to restore the ECI to " automatic" contributed 29%
of the system failure probability. This cut set did not contribute significantly to scram success cases since the operator could detect the failure and recover in the time available. The rapid initiation times for the scram failed case reouired that this operator recovery be l
disallowed.
l The high flow requirements resulted in the passive failure to open either S.G. check valve causing system failure. These two cut sets l contributed 15% each. The failure to reopen AFS pump discharge valves af ter pump maintenance, discussed above, contributed 10%. Other cut sets contributed less than 2% each.
The cut sets contributing to the failure to deliver 1200 gpm within 40 seconds with the grid unavailable are shown in Figure 8-4. The total AFS failure probability for this case is 4.3x10 4 failures per demand, reflecting the less restrictive failure requirements compared to the scram failed sequence with the grid available. As in the grid available case, the failure of the operator to restore the ECI to "autcaatic" after testing was the highest probability cut set, contributing 46% of the system failure probability. The failure to reopen pump discharge values after maintenance on all pumps contributed 16% and other cut sets contributed less than 3% each.
8.2.2 Prin-ipal Cut Sets of the HPI The HPI system was analyzed to determine the failure probability of the l
system to deliver a 300 gpm flowrate to the RCS within 20 minutes of the LOFW transient and to identify contributing cut sets. This failure criterion is discussed in Section 3.
l 201
.. $l 3
1
l I'
As discussed in Section 5, the HPI system will be operated in two I
configurations: one with HPI pump A normally providing makeup flow to the RCS (Normal A) and the other with HPI pump B providing makeup flow (Normal B). The analyses of the two configurations show the syctem '
failu*e probabilities and the contributing cut sets were essentially MerScal [P(Failure of Normal A) = 6.8692x10 3 vs P(Failure of Normal g B) = 6.8674x10 3]. Since the results for Normal A are applicable to E l Normal B, only the Normal A results will be discusseo.
The principal cut sets contributing to HPI system diure with the Il offsite power grid available are shown in Figure 8-5. Two single element cut sets contributed 87% of the system failure probability. The i failure of the operator to initiate HPI by tripping the ESFAS upon indicated low RCS subcooling contributing 71% of the system failure probability. Although the HPI system is automatichily initiated by the ESFAS for its primary function, loss of reactor coolant accident (LOCA) mitigation, it must be manually initiated for its backup function of providing core cooling if the (primary) AFS fails following a LOFW. The cut set probability of 5x10 3 failures of an operator to perform a defined function per demand was selected from NUREG/CR-1278. This human failure probability reflects well trained operators and the revised operating procedures developed by B&W after the THI-2 transient.
The failtre of the "P SAT
-T SAT " subconling indicator circuit which displays and alarms low RCS subcooling (*F below the RCS saturation temperature) in the control room contrib.ited 16% of the system failure probability. The consideration of only the "P SAT
-T SAT "
instrumentation as an indication to the operator of the need to initiate l HPI is conservative. In addition to the P SAT -T SAT instrumentation, the operator has available indications of AFS system failure and numerous indications of rcd pressure and temperature from the reactor i protection system and the non-nuclear instrumentation.
I I
D
</ I 202 l
E I
The complexity of the HPI flow paths to the RCS prevented an explicit )
identification of probable HPI system common mode failurer from the fault trees. For this reason, the HPI fault trees were evaluated by computer to identify cut sets containing similar elements. Tne results I show 11 combinations of 2 motor operated valves coulo fail to produce system failure. These valves are identified in the HPI fault trees as "M MF". The application of a 0.1 common mode coupling factor to the failure of the second valve in each set produced 11 single element cut sets each with a probability of 1x10 4 failures per demand. The sum of the probabilities of the 11 CMF cut sets,1.1x10 3 failures per demand, is shown in Figure 8-5. The sum of these cut set probabilities I contributed 9% of the HPI system failure probability for the offsite power grid available case.
The cut sets contributing to HPI system failure with the grid unavailable are shown in Figure 8-6. The system failure probability of the HPI system for this case is 1.2x10 2 failures per demand.
As for the grid available case, the failure of the operator to initiate HPI had the highest cut set probability. For the grid unavailable case, this cut set contributed 42% of the system failure probability.
Random failure of the 4160 VAC buses EA and EB, primarily caused by the double random failures of the two emergency diesel generators contributed 18%. The sum of the probabilities of the CMF's of 11 two I valve combinations, discussed above, contributed 9% to the system failure probability. Other cut sets contributed less than 5% each.
I Principal Cut Sets of the Combined AFS/HPI Systems 8.2.3 As shown in the functional event tree, Figure 3-1, failure of both the AFS and HPI functions is required to cause core failure in scram success LOFW transients. Unless the two systems were completely independent, I however, the product of the individual systems' failure probabilities will be less than the failure probablity of both systems. This is due 1/
203
I to the expected " common elements" among the AFS, HPI and their supporting systems.
To compute the failure probability of the AFS and HPI functions, the fault trees of the two systems were merged into a single "AFS/HPI" system fault tree. The combined tree was then evaluated to determine g the probability of failure to deliver a 600 gpm AFS flowrate and failure B to deliver a 300 gpm HPI flowrate. The failure probability and principal contributing cut sets for the combined systems are shown in Figures 8-7 and 8-8 for the grid available and grid unavailable cases.
The principal cut sets contributing to the combined AFS/HPI systems failure with the grid available are shown in Figure 8-7. The combined systems' failure rate for this case is 7.1x10 7 failures per demand.
Inspection of all cut sets for this case (with a probability of 1x10 8 or greater) showed each comprised independent AFS and HPI elements.
This independence is reflected in the low combined systems' failure probability. E g,
l As shown in Figure 8-7, the highest probability cut set is the failure l to reopen the AFS pump discharge valves after maintenance and the failure to initiate HPI upon indicated low RCS subcooling. This cut set contributed 49% of the combined systems' failure probability. Other cut sets contributed less than 10% each.
Figure 8-8 shows the cut sets contributing to the combined system failure probability with the grid unavailable, 6.9x10 s failures per demand. In contrast to the grid available case, a single element cut set was identified which resulted in the failure of the AFS and HPI: a common mode failure of the train A and train 8 batteries supplying 125 VDC buses A and B. This cut set was not significant in the grid l available cases since the DC buses are energized via AC powered battery chargers.
E
I 204 1/
I
i I
Given LOOP, the failure of the train A and B batteries prevent energizing the 4160 VAC busses from the emergency diesel generators since the switchgear is powered from the DC buses. In addition, the operation of the turbine driven AFS pump is initiated by opening AFS 1 valve CV-7938. This valve is opened by energiring either of two solenoids which are powered from the A and B DC buses respectively.
Thus, the CMF of the two battery trains, given LOOP, prevented any of the five pumps from being started. This cut set contributed 51% of the combined systems failure probability for this case. It should be noted, however, that the probability of this cut set was estimated conservatively assuming the operator would not locally open CV-7938 I which should be possible in the 30 minutes available.
The random failures of 4160 VAC bus EA, EB and failure of AFS, pump C contributed 31% of the combined systems' failure rate. Other cut sets contributed less than 6% each.
I I
1 1
1 1
1 1
AH Af 20s
202 I
% OF AFS FAILURE PROBABILITY - GRID AVAILABLE o 5 E 8 8 8 TECH. CMF TO REOPEN PUMP DISCH. VLVS.
T E
V30C, V248 & V12A AFTER MAINT. ON ALL PUMPS Q OVER 1 YEAR C 3
m 98 AFTER TRIPPING PUMPS A & B PER PROCEDURE, OPERATOR SUBSEQUENTLY TRIPS PUMP C IN ERRGR AND FAILS TO RESTART PUMPS A, B OR C qqg E
y F Z r-
>mT 59 CMF OF 4 ECl CONTROL CIRCUITS hH >
m 5 >Uc i 5?U c-a >
E p 2 m
T h
x =CN y CMF OF SG CHK VLYS V21B AND V63A m
3 en O .M<
0 ED e (A H c
H g m en Q C(g
=0 (A CMF OF t/P TRANSDUCERS ON 4 LEVEL C l CONTROL VLVS. q O O MM 5 22QM ;
> >Q b
TECH. CMF TO REOPEN DMW TANK DISCH.VLVS.
V1 & V71C AFTER TANK MAINT.
hE
-Q E 9, ><
m c l r>
OPERATOR DRAINS DMW TANK AND FAILS ll g '
TO SWITCH TO COND. TANK
- ^
u-mr X ^T '
a r O
TECH. FAILS TO REMOVE PUMP START.UP STRAINERS, k STRAINERS PLUG AND PLUGGING NOT DETECTED .T 11 l a
~
l I
i I
I 802 I
% OF AFS FAILURE PROBABILITY - GRID UNAVAILABLE o $ o 8 o S TECH. CMF TO REOPEN PUMP DISCH. VLVS.
I 3 V30C, V245 & V12A AFTER MAINT. ON ALL PUMPS OVER 1 YEAR O C
3 m +
I CMF BATTERIES.TR&lNS A & B 8P M
d"mT I O T > :D
$PFZ rO C O ,
FAILUME OF 4180 VAC BUSSES EA AND EB (INCL. DIESEL OENJ
> m AND FAILURE OF PUMP C g--
o
>aO>C m ,
i
[ F 'o P_ M c 1 l
to O
AFTER TRIPPING PUMPS A & B PER PROCEDURE, OPERATOR SUBSEQUENTLY TRIPS PUMP C 3c4%
m 3 t
IN ERROR AND FAILS TO RESTART PUMPS A, B OR C
$ .g ;.
m :D 8 om
<n i
Q O i m CD co m ;
> qc o
i E =I !
g CMF OF 4 ECI CONTROL CIRCUITS C g I C $ qm 5 - 2 3 '
O yM I
l
> r j 3 2 4 I mM t
l F Q l g CMF OF SG CHK VLVS V218 & V63A C Om ,
I g e Z 3E
- DO i g E i
- c$M Z
i h
i I CMF OF t/P TRANSDUCERS ON 4 LEVEL CONTROL VALVES E
gg P
gm
{
i tD I
11 F i f*
o m +
TECH, CMF TO REOPEN DMW TANK DISCH. VLVS V1 & V71C AFTER TANK MAINT.
X ;
I -
a o
L I
I :
I .
I 602 I
% OF AFS FAILURE PROBABILITY - SCRAM FAILED CRITERIA o E -
U '$ 8 E I
OPERATOR FAILS TO RESTORE ECl AUTO. LEVEL CONT. AFTER MONTHLY TEST m a
C 3
5 m
SG CHK VLV V63A FAILS CLOSEb @
ca
> H M Q m '"I 'C
<Omm>D2 3
]
E SG CHK VLV V21B FAILS CLOSED D)OCFFz P F O 3
O p>Q2m m
oT g 3 P M g
m 3]5$H3r ii , H e OoA
> m>
e TECH, CMF TO REOPEN PUMP DISCH. VLYS. "2 c V30C, V24B & V12A AFTER MAINT. ON ALL m F 2 "3 r ^> rd
- CH PUMPS OVER 1 YEAR 3Z
-,a~=aHD a B
I
==
i >m m
B y AFTER TRIPPING PUMPS A & B PER PROCEDURE, *Og -Q z <m c) OPERATOR SUBSEOUENTLY TRIPS PUMP C IN ERROR ) )gC yQ g AND FAILS TO RESTART PUMPS A,5 OR C V p .
E 3 F< Dmg 3 > (>
m - grogWH rm
> <DO F
m mzH53Z g 3 PUMPS A AND C FA!L mrg{
O m (f) =<
h ) Id zm m I a g m _ Q (f) g
$ h "h O PUMPS B AND C FAfL F
m lOz C Q OQ M O E h 3
- JD O (t) i A I2 m i M Am O CMF OF 4 EC1 CONTROL CIRCUITS -
I_ D E
> zrC M g O H 8m m m
Z H E O O 2
O l
I 012 I
I % OF AFS FAILURE PROBABILITY - SCRAM FAILED CRITERIA -
GRID UNAVAILABLE o 8 8 8 $ $
I I OPERATOR FAILS TO RESTORE ECl AUTO.
LEVEL CONT. AFTER MONTHLY TEST
=
m I $
E TECH. CMF TO REOPEN PUMP DISCH.
VLVS.V30C,V24B & V12A AFTER W" T.
ON ALL PUMPS gqgq
- z3 O z > :g :p g2 I O sr-5 $ ><Cmo C F D32T z>
FAI m
m AFTER TRIPPING PUMPS A & B PER PROCEDURE mM I OPERATOR SUBSEQUENTLY TRIPS PUMP C IN ERROR AND FAILS TO RESTART PUMPS A, B OR C
>T
< U) q WQ$>
r mQ-c m I
m Q 5F @O5 I m 6
O PUMPS A AND C Fall WC P 2 u,
-CC
<z)E 3 4 E 2 >m I m F
&O ca a W
Fm
>m to W Q jhk h PUMPS B AND C Fall $C I q [$ $
H m
lIl m ^
E m I m
>* O E <
r I $
6 CMF OF 4 ECl CONTROL CIRCUITS llD E 8 g
u) d m
g I
I E 4
F F
m C
O z
0 0
5
'm
$ O M @ f I Q CMF OF SG CHK VLVS V63A AND V218 :33 5
g Q
2 m
m O
i l'
y a =
g -
3- $
W g
- Q 2 CMF OF IIP TRANSDUCERS ON 4 LEVEL CONTROL VALVES d
I E I H '
E _
z
=
F m i I C !
I I
112 I
I E
% OF HPI FAILURE PROBABILITY - GRID AVAILABLE 5
. 3 o 8 8 8 8 8 OPFRATOR FAILS TO INITIATE HPI UPON LOW RCS SUBCOOLING 2!
O C
l m
l Y
m l
.,PSAT TSAT" SUBCOOLING INDICATION T1
- "m g5 FAILED (OTHER INDICATIONS ASSUMED NOT CHECKED)
O
>ge F I I,mm o mm CMF OF ANY OF 11 PAIRS OF MOTOR OPERATED VALVES T II M m DoOC r' m=
- D E C .o CM<-
o m m 3 'm r-2 SUM OF 54 REMAINING CUT SETS 2 WO 2 O 8d M
a 5 - geO3zm
- E
. C g< 5 a
- M q$
' s= IE
- l E -
1O O D mC
- > g H
$ g m*
n g
b as I.
m m >< "
m i e f""
O N X
o L
l I 1 I
--.+A- 4 - -.-.-.-a e am -m_a a__s _ _ . . _ _ , , a i
um 212 j l
i l
I I % OF HPI FAILURE PROBABILITY GRID UNAVAILABLE l o 5 0 8 8 8 OPERATOR FAILS TO INITIA* E m HPl UPON LOW RCS SUBCOOLING 5 C ,
m !
m FAILURE OF 4160 VAC BUSSES !
EA AND EB (INC DIESEL GEN.) ,
H" z
.I l
l l
OT -0 q6C P
Z F
l
$ CMF OF ANY OF 11 PAIRS OF T o ITIzT m
l MOTOR OPERATED VALVES 3 *T H m 11 O 03
$ D F-a Cmn:C i
I r-2 Co
- D Cm 2
m m o "PSAT - TSAT" SUBCOOLING INDICATION FAILED T 3[ m I 5 l
m (OTHER INDICATIONS ASSUMED NOT CHECKED) 2 O
IN
> eOz o
d '
i O
CMF OF 2 EMERGENCY DIESEL GENERATORS F k g
a" z2 ;
I $
p C $o mC l
$' CMF OF 2 HPI PUMPS OR THEIR OIL LIFT PUMPS $ Q I -
e m
asa C
g z I
PAS $1VE PIPING FAILURE IN REGION 3 AND f l FAILURE OF 4160 VAC BUS EB (INC. D.G. 8) 5 D r-ll >
I ~
?
X N
?
m I
PASSIVE PIPING FAILURE IN REGION 4 AND FAILURE OF 4160 VAC BUS EA (INC. D.G. A) !
- 1 I ,
I I .
EI2 r
H
% OF AFS/HPl FAILURE PROBABILITY - GRID AVAILABLE o $ $ $ $ $ 3 O
, C -
l 2
TECH. CMF TO REOPEN AFS PUMP DISCH. VLVS. m -
AND OPERATOR FAILS TO INITIATE HPI UPON i
q Hm ,, ]
i AFTER TRIPPING AFS PUMPS A & B PER PROCEDURE, m i OPERATOR TRIPS AFS PUMP C IN ERROR AND >I g Fg 2
{ FAILS TO RESTART AFS PUMPS A,8 OR C AND FAILS TO INITIATE HPl UPON LOW RCS SUBCOOLING )g wb m CT mH 32> m r-Cn O tl g_ n
' 2 0ocC
]
CMF OF SG CHK VLVS V215 & V63A AND OPERATOR T M'omH z FAILS TO INITIATE HPl UPON LOW RCS SUBCOOLING "m< C w O.q M I
O >m -
E P3 hW r-e o 21 (A
$ CMF OF 4 EC1 AFS CONTROL CIRCUfTS AND m <mq E OPERATOR FAILS TO INITIATE HPl UPON LOW RCS T g 2 SUBCOOLING 2 mm h > O
>m Mo (n (Il (D $E g3 TECH. CMF TO REOPEN AFS PUMP DISCH. VLVS.
AND FAILURE OF "PsAT TSAT" SUBCOOLING Q Z INDICATION g _
m D e=
-h m>
$ O m 25 g CMF OF 4 t/P TRANSDUCERS ON ALL AFS LEVEL M Q gC P
CONTROL VLVS. AND OPERATOR FAILS TO INITIATE HPl UPON LOW RCS SUBCOOLING
<3 b
3 m
hh h TECH. CMF TO REOPEN DMW TANK DISCH. VLYS.
m m 3
X r- Q p a
OPERATOR DRAINS DMW TANK AND FAILS TO O ( Z g
SWITCH TO COND. TANK AND FAILS TO INITIATE HPl UPON LOW RCS SUBCOOLING
[gy g _
m O
- I
]
l -
t - _ - - -
I M2 I
% OF AFS/HPl FAILURE PROBABILITY - GRID UNAVAILABLE o 5 $ $ o $
CMF BATTERIES TRAINS A & B I C 2
m l
I FAILURE OF 4160 VAC BUSSES EA AND EB ONC. DIESEL GEN.) AND FAILURE OF AFS PUMP C q -
O > T :n m I
o
! :o H -m-T CMF OF EMERGENCY DIESEL GENERATORS >m l h AND FAILURE OF AFS PUMP C H c
e
~OngO
.oauC Tm I
2 -ComM Om I O h
gn FAILURE OF 4160 VAC BUSSES EA AkJ EB GNCL DIESEL GEN.) AND AFS PUMP C UllAVAILABLE DUE TO MAINTENMCE T4 D$
I L.,
dQ 0 m Z
m M M M O I '"
l m
T o
c 4 m Ch O wo E
$ FAILUM OF 4160 VAC BUSSES EA AND EB ONCL.
g>
c DIESEL GEN.) AND PASSIVE FAILURE OF PIPING g W C FROM AFS PUMP C TO EITHER SG. >M gm (gm z
% Fm
-r Ac e --
z)
I E p
m FAILURE OF 4160 VAC BUSSES EA AND EB ONCL DIESEL GEN.) AND TECH FAILS TO REOPEN PUMP 33 lZI O gc EC DISCH.VLV. V30C AFTER MAINT.ON AFS PUMP C U m O>
- D :D
- Co 54 FAILURE OF 4160 VAC BUS EA DNC. DIESEL GEN.) AND h*
4 Cm Z ITl TECH. FAILS TO REOPEN t. TRAIN B NSWS VLV. AFTER D >0 MAINT. AND AFS PUMP C FAILS g g
=]
r e-
>m ma I FAILURE OF 4160 VAC BUS EB ONC. DIESEL GEN.) AND TECH. FAILS TO REOPEN A TRAIN A NSWS VLV. AFTER MAINT. AND AFS PUMP C FAILS 51 y
PP 3
q h >Z Q
co O z X 5 a
f Z o
),, m I
I I
9.0 FINAL RESULTS AND CONCLUSIONS OF THE WNP 1 AND 4 RELIABILITY E'/4LUATION I
l With the mitigating systems' failure probabilicies discussed in Section 8 and the LOFW transient initiating event frequehcies discussed in Section 4, the Functional Event Tree, Figure 3-1, was numerically evaluated. The results of this evaluation showed the frequency of core l ,
failures following LOFW transients to vary from 3.5x10 8 failure events per year in the first year of critical core operation to less than 9x10 7 failure events per year in the sixth year of operation and thereafter. The average core failure rate over the plant life was found to be 1x10 8 failure events per year.
The application of the LOFW transient event frequencies to the event tree is discussed in Section 9.1. The numerical evaluation of the event tree and the core failure frequency results are discussed in Section 9.2. The conclusions of the WNP 1 and 4 Reliability Evalcation are presented in Section 9.3.
I 9.1 APPLICATION OF LOFW TRANSIENT INITIATING EVENT FREQUENCIES TO THE EVENT TREE The frequencies of LOFW transient initiating events was evaluated in Section 4 based on statistical analyses of B&W operating plant data and BPA grid records. The results of these analyses are summarized below:
I 1. LOFW transiente occur in B&W onarating plants, due to all causes, at a rate vrjir.g from 4.1 events per year in first year of critical core operation to 0.57 events per year in the sixth year and thereafter (see Table 4.1).
- 2. The simultaneous unavailability of the 230 KV and 500 KV lines to the WNP 1 and 4 plants was calculated to be 0.03 I events per year for outages less than 20 minutes and 7.3x10 3 events per year for outages greater than 20 minutes.
.I I
s I #j 215
Thus, although a single input event is shown in the event tree, Figure 3-1, multiple event trees are required to combine the transient frequencies with the systems' failure probabilities using the event tree logic.
As indicated above, the LOFW frequency varied significantly early in I
plant life especially during the first two years of plant operation.
For this reason, the average expected frequency of LOFW transients was computed by integrating the data of Table 4.1. The average frequency, based on this data, is 0.7 LOFW events / year. The core failure frequency following LOFW transients with the offsite power grid available is evaluated in Section 9.2 for both the average and time varying LOFW frequencies.
As discussed in Section 8, the availability of the offsite power grid significantly affected the failure probability of the mitigating systems. Thus, LOFW events caused by the simultaneous unavailability of the 230 KV and 500 KV lines is evaluated in Section 9.2 separately from LOFW transients with either of these lines available. ;
The grid failure frequency was found to vary significan'.ly with the i duration of the outage. As indicated above, outages of less than 20 minutes can be expected to occur with a frequency of C 03 events per year vs. 7.3x10 3 events per year for outages greater t"an 20 minutes.
Although either outage will result in a LOFW, the operator has the option of reenergizing either 4160 VAC bus Et, or EB from a recovered offsite power source if either of the 4160 VAC buses is deenergized (e.g., due to emergency diesel generator failure). With 5x10 3 operator g failures per demand, discussed in Section 7,1.5u0 4 outages greater 5 than 20 minutes duration per year can be expected to result from brief outages and an operator failure. This frequency is added to the calculated frequency to obtain the total frequency of grid outages greater than 20 minutes, 7.5x10 3 events per year. Subsequent recovery of either offsite source was excluded conservatively and the core j failure frequency evaluated for 7.5x10 3 grid outages per year of indefinite duration. '
l 11 216 ,
For scram failure secuences following a grid outage, the rapid AFS
[ initiation time requirements preclude consideration offsite power recovery. Thus, the scram failure sequence fsllowing a grid outage is
( evaluated in Section 9.2 with a 0.03 event per year grid outage frequency of indefinite duration.
3.2 EVALUATION OF THE CORE FAILURE FREQUENCY Based on the LOFW initiating transient frequencies discussed in Section 9.2, the event tree logic discussed in Section 3 and the mitigating systems' failure probabilities discussed in Section 8, a multiple input event tree was const ructed to evaluate the total frequency of core failure following LOFW transients. This event tree is shown in Figure
[ 9-1. Of the 10 LOFW sequences evaluated, 6 high probability sequences led to recovery and 4 low probability sequences led to core failure.
Since the input events are exclusive (the frequency of one input event is not included in the frequency of other input events), the total core failure frequency may be obtained by addirg the frequencies of the core failure sequences. As shown on Figure 9-2, the averaoe core failure frequency over the 40 year plant life is 1x10 8 failure events per year.
The relative importance of each failure sequence we aluated with respect to the total core failure frequency. As shown .n Figure 9-2, 9W of the total core failure frequency was contributed the two scram success sequences. Core failures following grid outages contributed 50%
of the total core failure frequency and 49% was contributed by the LOFW sequence with the grid available. Tt is interesting to note that the
{ increased mitigating system failure probability following grid outage events was compensated by the lo' er frequency of the grid outage LOFW initiating event.
Even with the conservatively evaluated scram failure probability and core failure criteria, discussed in Sectionr. 6 and 3, the scre failurc ',
sequences are shown to be insignificant contributors to the total core
{ failure frequency. In particula , the frequency of core failure E
1 217 r
I following the grid outage scram failure sequence is insignificant even I
in comparison to the frequency of scram failure sequences witn the grid available.
The effect of the variation of the expected frequency of LOFW transients is shown in Figure 9-3. The event tree in Figure 9-1 was evaluated for the varying LOFW frequencies discussed in Section 4. As shown in Figure 9 '> , the total core failure frequency following LOFW transients is 3.5x10 8 failure events per year in the first year of critical core operation. This frequency rapidly decreases to 9x10 7 failure events per year by the sixth year of operation.
9.3 CONCLUSION
S OF THE WNP 1 AND 4 RELIABILITY EVALUATION I
The results nf the WNP 1 and 4 reliability evaluation, discusseo in Section 9. 2, show the estimated average frequency of core failure following loss of main feedwater transients to be 1x10 8 failures per year. This low failure frequency is indicative of very well designed plant systems.
Regulatory criteria defining the acceptability of core failure rates are still under development. However, preliminary information concerning propased USNRC plant failure rate criteria for plant operation and design has been publicly discussed.1 These failure criteria are:
Unacceptable Level-P(Plant Failure)>l x 10 3 failures / year Warning Range-1 x 10 4 <P(Plant Failure)< 1 x 10 3 failures / year Although the present analysis Joes not include the failure contributions from all transients, the very low frequency of failure due to loss of main feedwater, one of the dominant plant transients, is indicative of acceptable systems' designs.
I I
1/
d I 218 g
I 1
1 EVENTI OR K: EVENT COR L: EVENT U OR U:
FREQUENCY OF LOFW COND. PROS. OF COND. PROS. OF COND. PROS.OF F(C.F)
TRANSIENT INIT'6 TOR SCRAM SUCCESS AFS SUCCESS OR HPl SUCCESS OR FREO.OF l (EVENT M) FAILURE FAILURE FAILURE CORE FAILURE I SUCCESS P(Ig) = 1.0 RECOVERY I
P(K) 8' 1.0 _
P(U) = 1.0 RECOVERY f
t LOFW EVENT FREQUENCY WITH F(CF) = 5.0 x 10 7 OFFSITE POWER ORID AVAILABLE g AVERAOE FREQUENCY OVER P(Lj AND U) = 7.1 x te r
,I PLANT LIFE = 0.7 EVENTStYR P(K) = 3 x 108 P([2)
- 1.0 NL2)
- 8 8 X 18' F(CF) = 1.4 x iga EVENTStYR FAILURE P[L3 ) = 1.0 RECOVERY
= 1.0 p{g , 9,o LOFW EVENT FREOUENCY CAUSED RECOVERY 8Y FAILURE OF OFFSITE POWER ORIO FOR >20 MINUTES FREOUENCY = e.S x iga EVENTStYR l ' E R P(L9 AND U) = 6.9 x its M EVENT FREOUENCY CAUSED FAILURE OF OFFSITE POWER aRIO FOR > 0 MINUTES P([2) = 1.0 RECOVERY I
FREOUENCY = 0.03 EVENTSIYR P(K)< 3 x 108 NL2 )
- 3
- 1** pp m x igio EVENTStYR TOTAL TIME AVERAGED FREOUENCY OF CORE FAILURES FOLLOWING LOSS OF MAIN FEEDWATER TRANSIENTS =
I E P(CF) = 1.0 x 10-6 EVENTSlYR FIGURE 91 TIME AVERAGED FREQUENCY OF CORE FAILURES FOLLOWING LOSS OF MAIN FEEDWATER TRANSIENTS 219 1 _-
2!
o C
m m
% OF TOTAL CORE FAILURE FREQUENCY E FOLLOWING LOSS OF MAIN FEEDWATER E -4 m -t O o 3 8 8 8 8 >o moo E$ r- Eyk, m s -4 CORE FAILURE SEQUENCES FOLLOWING LOSS OF $km D f "-
GRID TRANSIENTS gyz
-t O
-4
> O "U
mm m mO z1g E
CORE FAILURE SEQUENCES FOLLOWING LOSS OF MAIN ll'mh h z FEEDWATER TRANSIENTS WITH GRID AVAILABLE z g
~ )
m xE 1
MmOmz 5 m -E my C y-a CORE FAILURE SEQUENCES FOLLOWING SCRAM FAILURE TRANSIENTS (ATWS) dm m c"c mH c Qm E m$ $. zO o
m o
z He o gm p' 2m O mz mm bh O na m 52
$5l $ Em age r
= o Es_
o 0,. b r-E 9M E= z Om 0 $"m
%8,
, r m, O Om l
As m mo 88
- E C 9 0
' R$
n zo m um aus amm sum nai
M M < M M M - M._
FIGURE 9-3 VARIATION OF EXPECTED CORE FAILURE FREQUENCY FOLLOWING LOSS OF MAIN FEEDWATER TRANSIENTS OVER PLANT OPERATING LIFE 4 x 1&8 c
E uh 3E 9e o$ 3 x 10-6 ee
$ab 255 g O y 2 x 10-8
=
8
- u. "s. e W O4
>E o u.
$ g3 1 x 10s , _ _ ,
y TIME AVERAGED FREQUENCY = 1 x 10-6 CORE FAILURESIYR tJ ;
gg - - -
=.
u a i 4 6 40 0 2 l
C^* ENDAR TIME FROM INITIAL CORE CRITICALITY (YEARS) l
REFERENCES - SECTION 9
- 1. Presentation of William Vesely (NRC-PAS) to the ACRS Subcommittee on Reliability and Risk Assessment, April 30, 1980.
I I
I I
I I
lI lI
!I lI il F
ll I
I 223 Af ff i
)
- -- _ _ . _ . _ _