ML19332C992

Draft Risk-Based Insp Guide for Sequoyah Sequoyah Nuclear Power Station.
ML19332C992
Person / Time
Site: Sequoyah (Tennessee Valley Authority)
Issue date: 11/30/1989
From: Gregg R
EG&G IDAHO, INC., IDAHO NATIONAL ENGINEERING & ENVIRONMENTAL LABORATORY
To:
NRC
Shared Package
ML19332C990 List:
References
CON-FIN-A-6553 EGG-SSRE-8720, EGG-SSRE-8720-DRFT, NUDOCS 8911290268


Text

EGG-SSRE-8720

DRAFT

RISK-BASED INSPECTION GUIDE FOR THE SEQUOYAH NUCLEAR POWER STATION

R. E. Gregg

Published November 1989

EG&G Idaho, Inc.
Idaho Falls, Idaho 83415

Prepared for the
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Under DOE Contract No. DE-AC07-76ID01570
FIN No. A6553


ABSTRACT

This report contains guidance for the integration of Probabilistic Risk Assessment (PRA) results into the inspection program at the Sequoyah Nuclear Power Station. The method for applying PRA techniques is described and the proposed guide to risk-based inspections at Sequoyah is provided in the form of system-based and programmatic tables.


SUMMARY

The risk-based inspection guide (RIG) provided in this report was developed for the Sequoyah Nuclear Power Station, Unit 1 as part of work performed for the Office of Nuclear Reactor Regulation of the Nuclear Regulatory Commission (NRC) by EG&G Idaho, Inc. at the Idaho National Engineering Laboratory. The RIG employs a previously developed method for using probabilistic risk assessment (PRA) techniques and results to provide plant-specific risk-based inspection guidance. It can be used in the ongoing inspection efforts at Sequoyah. A PRA provides insights that help identify the risk-significant events and equipment and, therefore, will assist NRC inspectors in focusing resources on those portions of the facility that contribute significantly to risk.

Core damage results obtained from NUREG/CR-4550 were used to develop the Sequoyah RIG. Importance measures were applied to the core damage results to determine the most important accident sequences, the events that contribute to those sequences, and the dominant causes of those events.

Major findings related to the risk of core melt are:

1. The most important sequence, a very small loss of coolant accident followed by failure of the high pressure recirculation cooling and the failure of the operator to stop containment spray injection, contains 25% of identified core damage frequency (CDF). The top six sequences contain 75% of identified CDF. A total of 23 sequences are required to obtain 99% of identified core damage frequency.

2. Based on their probability of being involved in a core melt accident, the most important systems include: the reactor coolant system, the high pressure recirculation system, the electrical power system, the auxiliary feedwater system, the containment spray system, and the low pressure recirculation system. A complete list of identified risk important systems is contained in the report.

Two kinds of inspection guidance tables are provided. First, system tables (Tables 3 through 14) provide the important failure modes and a modified walkdown checklist for the important equipment in each risk-significant system. Second, the important failures are arranged in programmatic tables (Tables 15 through 17) that show functional inspection areas. Those tables can be used by the inspectors who will be performing the inspections called for in the Inspection and Enforcement Manual. Use of the guidance provided in this report should assist the inspection effort to focus on those systems and components that are major contributors to risk at Sequoyah.


CONTENTS

ABSTRACT
SUMMARY
INTRODUCTION
DOMINANT ACCIDENT SEQUENCES
SYSTEM PRIORITY LIST
COMMON CAUSE FAILURES
IMPORTANT HUMAN ERRORS
SYSTEM INSPECTION TABLES
REFERENCES

TABLES

1. Most Important Sequences
2. Most Important Systems Based on Core Damage Frequency
3A. Reactor Coolant System Failure Mode Identification
3B. Modified Reactor Coolant System Walkdown
4A. Safety Injection System Failure Mode Identification
4B. Modified Safety Injection System Walkdown
5A. Containment Spray System Failure Mode Identification
5B. Modified Containment Spray System Walkdown
6A. Electric Power System Failure Mode Identification
6B. Modified Electric Power System Walkdown
7A. Auxiliary Feedwater System Failure Mode Identification
7B. Modified Auxiliary Feedwater System Walkdown
8A. Low Pressure Injection/Recirculation System Failure Mode Identification
8B. Modified Low Pressure Injection System Walkdown
9A. Primary Pressure Relief System Failure Mode Identification
9B. Modified Primary Pressure Relief System Walkdown
10A. Charging System Failure Mode Identification
10B. Modified Charging System Walkdown
11A. Reactor Protection System Failure Mode Identification
11B. Modified Reactor Protection System Walkdown
12A. Accumulator System Failure Mode Identification
12B. Modified Accumulator System Walkdown
13A. Essential Raw Water Cooling Failure Mode Identification
13B. Modified Essential Raw Cooling Water System Walkdown
14A. Component Cooling System Failure Mode Identification
14B. Modified Component Cooling System Walkdown
15. Plant Operations Inspection Guidance
16. Surveillance Inspection Guidance
17. Maintenance Inspection Guidance
18. Containment Walkdown
19. Frontline System Dependencies
20. Support System Dependencies

FIGURES

1 Dominant Contributors to Core Damage Frequency
4-1 Simplified Schematic of Safety Injection System
5-1 Simplified Schematic of the Containment Spray System
6-1 Simplified Schematic of the Electric Power System
7-1 Simplified Schematic of the Auxiliary Feedwater System
8-1 Simplified Schematic of Low Pressure Injection System
9-1 Simplified Schematic of Primary Pressure Relief System
10-1 Simplified Schematic of the Charging System
12-1 Simplified Schematic of the Accumulator System
13-1 Simplified Schematic of Essential Raw Cooling Water
14-1 Simplified Schematic of Component Cooling Water

RISK-BASED INSPECTION GUIDE FOR THE SEQUOYAH NUCLEAR POWER STATION

INTRODUCTION

The work described in this report was performed for the Office of Nuclear Reactor Regulation of the Nuclear Regulatory Commission (NRC) as part of FIN A6553. The purpose of this project is to provide guidance for Probabilistic Risk Assessment (PRA) based inspections, which can be used to focus the NRC inspection efforts towards risk-significant items.

A review of NUREG/CR-4550 (Ref. 1), NUREG/CR-4551 (Ref. 2), and NUREG/CR-1150 (Ref. 3) was conducted to develop the following Risk-Based Inspection Guide (RIG). Additionally, the results of a Sequoyah Individual Plant Evaluation (IPE) (Ref. 4) were reviewed. This RIG can be used to aid in the selection of areas to inspect and is not intended either to replace the current NRC inspection requirements, or to constitute an additional set of inspection requirements. The information contained herein is based almost entirely on the findings of NUREG/CR-4550 (footnote a), published in June 1989. Hence, recent plant experience, failures, and modifications should be taken into account when using the information provided. Since plant modifications are normally an ongoing process, it could prove helpful if relevant changes are catalogued so this inspection guidance can be periodically revised.

a. The Sequoyah IPE has yielded somewhat different results regarding the dominant accident sequences and the relative importance ranking of the various systems. Differences in the results obtained from NUREG/CR-4550 and the Sequoyah IPE will be discussed throughout this report.

DOMINANT ACCIDENT SEQUENCES

NUREG/CR-4550 contains a number of different accident sequences that contribute significantly to the total core damage frequency (CDF), which is 5.7E-5 per reactor year (footnote a). The NUREG/CR-4550 CDF is calculated based on internal initiating events only; external initiating events such as fires, flooding, tornadoes, and earthquakes were not included in the PRA. Figure 1 shows the percentage each accident type, categorized by initiating events, contributes to core damage frequency at Sequoyah. Each accident type is composed of several similar but distinct sequences of system failures. The following discussions give a generalized description of the basic accident types. Table 1 lists all the individual dominant accident sequences and describes the plant failures which contribute to them.

[Figure 1. Dominant Contributors to Core Damage Frequency. Chart segments legible in the scan include Loss of Offsite Power (LOSP), Anticipated Transient Without Scram, Interfacing LOCA (V), and Transient.]

Loss of Coolant Accidents (LOCAs)

LOCA initiated sequences are the dominant contributors to CDF, contributing 62% of the total. There are several LOCA categories: Large LOCAs have a break size of greater than six inches in diameter, Intermediate LOCAs range from a two to six inch diameter break size, and Small/Very Small LOCAs have a break size of less than two/one inches in diameter.

a. The Sequoyah IPE estimates CDF to be approximately a factor of 50 lower than that predicted in NUREG/CR-4550.

Small/Very Small LOCAs

Small/Very Small LOCAs are important at Sequoyah because the small size of the ice condenser containment, the low Containment Spray System (CSS) actuation set point, and the high CSS flow rate cause the Refueling Water Storage Tank (RWST) to drain faster than at other Pressurized Water Reactors (PWR). It is estimated that small LOCAs will require recirculation cooling within 20 minutes of spray actuation. This does not allow sufficient time to depressurize the Reactor Coolant System (RCS) and go on Residual Heat Removal (RHR) closed cycle cooling. Therefore, operator action is required to switch from the High Pressure Injection (HPI) mode to the High Pressure Recirculation (HPR) mode. The HPR mode has a functional dependency on the Low Pressure Recirculation System (LPR), so failure of either HPR or LPR following a small LOCA results in core damage. Small/Very Small LOCAs contribute 45.9% of CDF.

Intermediate LOCAs

Intermediate LOCAs contribute 11.8% of CDF. Successful mitigation of an intermediate LOCA requires the initial injection by two of the four high pressure pumps (can be any combination of High Pressure Injection or Charging pumps). Success of long term decay heat removal requires recirculation with one of the four high pressure pumps boosted by the discharge of one of the two low pressure pumps.

Large LOCAs

Large LOCAs contribute 4.6% of CDF. The successful mitigation of a large LOCA requires successful injection by both the Accumulator System (accumulator injection to three of three intact loops) and at least one of the two Low Pressure Injection (LPI) trains. If the injection phase succeeds then long term decay heat removal requires recirculation with one of the two low pressure pumps.


Loss of Offsite Power (LOSP)

Station blackout sequences contribute to 26% of core damage frequency. Station blackout sequences are LOSP initiated events that involve the simultaneous failure of both emergency diesels, and the failure of the operator to supply power from the other unit. Following a complete loss of AC power, failure of the steam driven Auxiliary Feedwater pump, or the RCP seals, or failure of a PORV to close, or depletion of the station batteries results in core damage.

Steam Generator Tube Rupture (SGTR)

SGTR sequences contribute 3.5% of CDF. These sequences require the operator to depressurize the reactor coolant system within 45 minutes of the SGTR. Failure to do so results in a challenge of the steam generator pressure relief system. The subsequent failure of a steam generator PORV or safety valve to close results in a direct loss of RCS inventory to atmosphere. Failure of subsequent efforts to limit RCS inventory losses by either depressurizing the RCS or isolating the open relief valve results in RWST depletion and core uncovery.

Transients

The only transient event of concern is initiated by a loss of the main feedwater system. Loss of main feedwater challenges the auxiliary feedwater system. Should the auxiliary feedwater system also fail, core decay heat can be removed by feed and bleed cooling operations. Successful feed and bleed cooling requires the successful operation of both trains of power operated relief valves (PORVs). This sequence contributes 3.4% of CDF.

Anticipated Transients Without Scram (ATWS)

An ATWS event begins with some plant transient such as a turbine trip. The event is compounded by failure of the Reactor Protection System (RPS) to shutdown the reactor automatically. Following failure of the automatic RPS trip, the operator can manually trip the RPS. If scram failure is due to the mechanical failure of the control rods to insert, the operator can perform a chemical shutdown using the Charging and Volume Control System (CVCS). ATWS events contribute 3.3% of CDF.

Loss of DC Power (LODC)

Because of the dependency of the feedwater regulating valves and the Power Operated Relief Valves (PORV) on 125V DC power, loss of either DC bus results in loss of Main Feedwater capability. With only one of the PORVs available following the loss of a DC bus, feed and bleed cooling cannot be successful. Therefore, if AFW fails subsequent to the loss of a DC bus, core damage results. Loss of a DC bus contributes 1.2% of CDF.

LOCAs Outside the Containment

The V-sequence (or interfacing system LOCA) is a LOCA that occurs outside the containment boundary. It contributes to 1.1% of CDF. It is significant because it bypasses the Containment safeguards and the resulting release is potentially very severe. The only significant LOCA of this type is through any of the four sets of LPI cold leg injection check valves. There is a potential recovery action in which the operator may be able to isolate the LOCA by closing the appropriate cold leg injection isolation valve.

Two additional interfacing system LOCA pathways have been identified by the Sequoyah IPE. One path is through any of four sets of safety injection system check valves. The other path is through the two motor operated valves in the RHR/RCS hot leg interface.

Loss of Essential Raw Cooling Water

Loss of Essential Raw Cooling Water (ERCW) was identified by the Sequoyah IPE as being a potentially severe initiating event. It results in loss of cooling flow to the component cooling system and the subsequent failure of the safety injection pumps and the CSS pumps. It also results in loss of ERCW cooling flow to and the subsequent failure of the charging pumps. It has the potential of resulting in a subsequent reactor coolant pump (RCP) seal LOCA due to loss of both seal injection flow (from the charging pumps) and seal cooling flow (from the component cooling system). This is an important sequence at Sequoyah because the potential common cause failure of systems dependent upon ERCW ensures that both core damage and containment failure will occur.

Loss of Component Cooling

Like the loss of ERCW system, loss of Component Cooling Water (CCW) was identified by the Sequoyah IPE as being a potentially severe event. It can result in loss of cooling flow to and the subsequent failure of the safety injection pumps and the CSS pumps. Unlike the loss of ERCW system, it should not result in an RCP seal LOCA because seal injection flow remains available from the charging pumps, which are cooled by ERCW. Both complete failure of CCW or partial failure of CCW in conjunction with random failures of other safety related components are of concern. This is a significant event at Sequoyah because it would result in the common cause failure of systems required to prevent both core damage and containment failure.


SYSTEM PRIORITY LIST

The systems at Sequoyah have been ranked and are presented in Table 2 according to their importance in preventing core melt. Under normal conditions, the left-hand column should be used. For degraded or inoperable systems, the right-hand column should be used, as discussed below. Other plant systems not appearing on the list are generally of lesser importance than those listed here.

The two system prioritization lists have been included in Table 2 because they provide different types of risk insights that are useful in the inspection process. The left-hand column indicates the system's contribution to CDF as provided by the Fussell-Vesely Importance Measure, given that the system is operating with the reliability assumed in the PRA. Generally, when planning an inspection without knowledge of specific system problems, those systems that contribute most to CDF should be given priority attention in order to most efficiently minimize risk.

However, when one or more systems exhibits unusually high failure rates or unusual types of failures, then the probabilities assumed in the PRA are not really appropriate for the failures of those systems. While such problems persist, the affected systems contribute more to the risk of core damage than is indicated by the left-hand column. Based on the Birnbaum Importance Measure, the right-hand column indicates the increase in CDF when the system is inoperable. The right-hand column can be used to estimate how much more important a system becomes when it is having problems. (Affected systems with high ranking in the right-hand column should be considered to have become much more important than indicated by their ranking in the left-hand column, while systems with lower ranking in the right-hand column would have smaller increases above the ranking indicated in the left-hand column when affected.) Similarly, the right-hand column is appropriate for estimating the risk significance of inspection findings that indicate a system is inoperable or degraded.

Adjacent systems on the list should be considered as having approximately equal contributions to risk because of uncertainties associated with the PRA. Where the difference between system importances is significant, they have been separated by dotted lines.
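Added example, not part of the original report: a small Python calculation showing why the two columns of a priority list such as Table 2 can rank the same systems differently. The cut sets, initiating-event frequencies and failure probabilities are constructed for illustration and are not NUREG/CR-4550 values; the Birnbaum measure is computed in its standard form, CDF with the system failed minus CDF with the system perfect.

```python
from math import prod

# Constructed toy model: failure probabilities for five systems named on
# the page. The numbers are illustrative only, not NUREG/CR-4550 data.
BASE_PROBS = {"HPR": 5e-3, "EPS": 1e-3, "AFW": 1e-2, "PPRS": 1e-3, "RPS": 1e-6}

# Each minimal cut set: (initiating-event frequency per reactor year,
# systems that must all fail for core damage). Constructed values.
CUT_SETS = [
    (1e-2, ("HPR",)),         # small LOCA, high pressure recirculation fails
    (1e-1, ("EPS", "AFW")),   # loss of offsite power, emergency power and AFW fail
    (0.5,  ("AFW", "PPRS")),  # loss of main feedwater, AFW and feed and bleed fail
    (3.0,  ("RPS",)),         # transient with failure to scram
]


def cdf(overrides=None):
    """Core damage frequency by the rare-event approximation: the sum over
    cut sets of initiator frequency times the product of failure probabilities."""
    probs = {**BASE_PROBS, **(overrides or {})}
    return sum(freq * prod(probs[s] for s in systems) for freq, systems in CUT_SETS)


def fussell_vesely(system):
    """Fraction of baseline CDF that involves failure of this system
    (the kind of measure behind the left-hand column)."""
    base = cdf()
    return (base - cdf({system: 0.0})) / base


def birnbaum(system):
    """CDF with the system certainly failed minus CDF with it perfect
    (the kind of measure behind the right-hand column)."""
    return cdf({system: 1.0}) - cdf({system: 0.0})


def ranking(measure):
    """Systems ordered from most to least important under a measure."""
    return sorted(BASE_PROBS, key=measure, reverse=True)


def cdf_increase_if_degraded(system, degraded_prob):
    """Rise in CDF when a system's failure probability is worse than the
    value assumed in the baseline model."""
    return cdf({system: degraded_prob}) - cdf()


if __name__ == "__main__":
    print(f"baseline CDF: {cdf():.2e} per reactor year")
    for name, measure in (("Fussell-Vesely", fussell_vesely), ("Birnbaum", birnbaum)):
        print(name)
        for system in ranking(measure):
            print(f"  {system:5s} {measure(system):.3e}")
    print(f"AFW degraded to 0.1: CDF rises by {cdf_increase_if_degraded('AFW', 0.1):.2e}")
```

In this constructed model the highly reliable RPS ranks fourth of five by Fussell-Vesely but first by Birnbaum, which is the situation the right-hand column is meant to expose when a finding shows a system to be inoperable.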

COMMON CAUSE FAILURES

The failure of multiple items from some common cause can be very significant to risk. The Sequoyah FP.' has identified several common cause failures that are particularly important:

- Loss of Essential Raw Cooling Water,

- Loss of Component Cooling Water,

- Loss of Offsite Power with failure of both diesel generators,

- Loss of a 125V DC bus.

Other common cause failures, on the component level, are identified and discussed in the various system failure mode tables. In general, these common cause failures involve the active failure of similar components.

IMPORTANT HUMAN ERRORS

Human errors can be very significant to overall plant risk. Human errors can be broken down into two broad categories: pre-accident errors are those errors committed prior to the start of the initiating event, and post-accident errors are those committed while trying to mitigate an accident. Pre-accident human errors can consist of errors committed during either maintenance or operations and generally result in a decrease in the availability of accident mitigating systems. Post-accident human errors are committed by the operators during the course of an accident sequence. They can consist of errors of omission, where the operator does not attempt to perform a particular mitigating action, or errors of commission, where the operator attempts to perform the proper mitigating action incorrectly. Significant human errors are discussed in detail in the various system failure mode tables and are compiled in the Plant Operations Inspection Guidance Table (Table 15).


SYSTEM INSPECTION TABLES

The systems listed in the first column of Table 2 are the systems that will have a significant impact on CDF should they fail. Those systems are associated with (contribute to) 98% of the total CDF at Sequoyah. For each of those systems, inspection guidance is provided in the form of a failure mode table and a modified system walkdown checklist. The failure mode tables generally cover those failures that contribute to the top 95% of a system's unavailability. The modified checklist contains those inspectable components or failure modes that contribute significantly to system failure, where an inspectable component is defined as a component whose operating position or condition can be verified by observation (i.e. check valves are not considered to be inspectable by walkdown). The modified checklists cover the normal system configurations when the plant is operating. They are a good tool for an effective look at the systems, covering the components that contribute significantly to a system's unavailability, but usually include less than 20% of the system's components. For that reason, a full checkoff list should be used for major system reconfiguration applications, and the modified checklist should be used for efficient, frequent walkdowns.

It should be noted that the onsite inspector will decide how a system or component should be inspected once it is selected for inspection. It is not the intent or purpose of this report to give guidance on how inspections should be performed, but to provide information that will allow the inspector to focus his inspections on those aspects that contribute significantly to risk.

Also included with most of the system checklists is a simplified system diagram (Figures 4-1 through 14-1). These diagrams can be used to get a feel of basic system layout. However, it should be kept in mind that these are uncontrolled, simplified diagrams, and controlled diagrams should be obtained for any application requiring an exact up-to-date system description.

In using these tables, it is essential to remember that the other systems and components can also become important. If, through inattention, the failure probabilities of other systems are allowed to increase significantly, their contributions to risk could equal or exceed that of the listed systems. Consequently, a balanced inspection program is essential to ensure that the licensee is minimizing plant risk. The following tables allow an inspector to concentrate on systems and components that are most significant to risk. In so doing, however, cognizance of the status of other systems performing safety functions must be maintained.

Tables 15 through 17 list information given in the system failure mode tables in three functional areas. Those tables are designed to assist programmatic inspection in the areas of operations, surveillance, and maintenance.

Table 18 lists those risk-significant components located inside the containment. Since the containment is inaccessible during normal operations, that checklist is provided for efficient inspection of those components when the opportunity arises.

Tables 19 and 20 are dependency matrices. Table 19 shows the dependencies of the frontline systems on the support systems. Table 20 shows how the support systems depend on each other. The information supplied in these tables was provided by the Tennessee Valley Authority (TVA).


REFERENCES

1. R. C. Bertucio and S. R. Brown, Analysis of Core Damage Frequency: Sequoyah, Unit 1, Internal Events, NUREG/CR-4550, Vol. 5, SAND86-2084, Revision 1, June 1989.

2. A. S. Benjamin et al., Evaluation of Severe Accident Risk and the Potential for Risk Reduction: Sequoyah Power Station, Unit 1, NUREG/CR-4551, Vol. 2, SAND86-1309 (Draft for Comment), February 1987.

3. Reactor Risk Reference Document, Main Report, U.S. Nuclear Regulatory Commission Report NUREG-1150, Vol. 1 (Draft for Comment), February 1987.

4. To Be Supplied


TABLE 1. MOST IMPORTANT SEQUENCES  !

Seouence Seouence Descrintion  :

t l Small/Verv Small LOCAs S0H3C2 This sequence consist of a very small LOCA followed by .

failure of HPR cooling and failure of the operator to control containment spray injection. It contributes 25% of '

CDF. This is an important sequence at Sequoyah because the -

small size of the ice condenser containment, the low CSS .

actuation set point, and the high CSS flow rate cause the '

RWST to drain faster than at other PWRs. It is predicted that for all small LOCAs recirculation cooling will be required within 20 minutes of spray actuation. This does ,

! not allow sufficient time to depressurize the RCS and go on

, RHR closed cycle cooling. Therefore, operator action is -

L required to switch from the High Pressure Injection mode to

the High Pressure Recirculation mode. ,

l l

50H3C3 This sequence is similar to the first sequence with failure of the LPR system to supply flow to the HPR system. It i contributes 8.8% of CDF. In the high pressure recirculation  !

mode, the high pressure pumps take their suction from the l discharge of the LFR pumps which in turn take their suction from the containment sump. Therefore, failure of the LPR '

system results in failure of the HPR system and subsequent -

-core damage.

SH22 This sequence is the same as the first sequence except it has a slightly larger break size and the operator manages to control the containment spray system. Its contribution to l CDF is 7.9%.

L

This sequence is the same as the second sequence except it SH23 has a slightly larger break size and the operator manages to control the containment spray system. Its contribution to CDF is 3%.

l Loss of Offsite Power SBO-L This sequence consist of a station blackout initiated by a ,

It contributes 16.9% of CDF. Following the LOSP, LOSP.

both diesel genera. tors 1A and IB fail to operate and there  ;

is also a failure to get power from Unit 2 via the shutdown utility bus (this requires racking-in and manually closing two supply breakers). The subsequent failure of the turbine

  • driven auxiliary feedwater pump to supply steam generator feed flow, results in the gradual heat up and boil off of primary coolant. Core uncovery will occur if power is not restored within one hour from the loss of feed flow.

12 4

_ , _ _ . - . . _ . . - - . ~ , - . . . . _ _ _ . . _ . . . - . . _ . . . _ , _ _ _ _ _ _ . _ . . . . . . _ . . _ _ _ . _ . _ _ _ _ . _ _ _- . _ . . -

I

/ .

! TABLE 1. (continued) l

~

! This station blackout sequence contributes 7.6% of CDF. It SBO SLOCA I develops similarly to the previous sequence except the AFW i system operates successfully. It is complicated by failure 1 of an P.CP seal due to loss of both seal injection flow and  !

seal cooling flow. Failure to recover AC power and Safety  !

l Injection capability following the seal LOCA results in  !

core uncovery. {

u SBO-Q This station blackout sequence contributes .7% of CDF. It I

, develops similarly to the first $80 sequence excest the AFW '

H system operates successfully. It is complicated >y a PORV  :

sticking in the open position. Failure to recover AC power l and Safety Injection capability following ,the PORY failure results in core uncovery, f SBO BATT This station blackout sequence contributes .5% of CDF. It .

develops similarly to the first SB0 sequence except it is i complicated by failure to recover AC power prior to l depletion of the station batteries.

Intermediate LOCAs  ;

SgH2 The $ H3 2 sequence is an intermediate LOCA followed by fallute of HPR cooling. It contributes 8.5% of CDF. This sequence is the same as $ H2 2 with the exception it has ,

a larger break size.

SjH4 SHi4 is an intermediate sized LOCA with failure of LPI ih either the miniflow mode, the recirculation mode, or the switch to hot leg recirculation. Its contribution to CDF  !

is 3.3%.

Larae LOCAs ,

ADS ADS represents a large LOCA followed by failure of one or more of the cold leg accumulators to' inject into the intact loops. It contributes 2.3% of CDF.

AH} AHi represents a large LOCA followed by failure of low pressure recirculation. It contributes 1.7% of CDF.

AD6 AD6 is a large LOCA followed oy failure of the low pressure inject system to inject into the intact loops. It contributes .6% of CDF.

Transients

TLP2I3  This sequence, which contributes 3.4% of CDF, is initiated by a transient that results in loss of main feedwater cooling. It is further complicated by loss of auxiliary feedwater cooling and failure to open the PORVs. Failure to open the PORVs results in failure of Feed and Bleed cooling.

Steam Generator Tube Ruptures

T 3g0 ODS  This sequence is initiated by a steam generator tube rupture. Failure of the operator to depressurize the reactor coolant system within 45 minutes of the SGTR results in a challenge of the steam generator pressure relief system. The subsequent failure of a steam generator PORV or safety valve to close results in a direct loss of RCS inventory to atmosphere. It contributes 2.3% of CDF.

T3 gt  TscL is a steam generator tube rupture with the subsequent failure of the auxiliary feedwater system. It contributes .7% of CDF.

TSgKR  TscKR is a steam generator tube rupture compounded with a subsequent failure of the reactor protection system (both automatic and manual) to scram the reactor. This SGTR/ATWS event contributes .5% of CDF.

Anticipated Transients Without Scram

TKRZ  This is an Anticipated Transient Without Scram event. It is initiated by some transient that requires a reactor scram. As the sequence progresses, both automatic and manual reactor scrams fail. The presence of an unfavorable moderator temperature coefficient at the time of transient initiation results in core damage. It contributes 2.4% of CDF.

TKRD4  This ATWS event sequence contributes .4% of CDF. It is initiated by some transient that requires a reactor scram. As the sequence progresses, both automatic and manual reactor scrams fail and the subsequent failure of emergency boration using the charging pumps results in core damage. Emergency boration failure is dominated by failure of the operator to perform the proper charging system alignment.

Loss of DC Power

TDCIllPl i  Sequence TnCIf lP1 i contributes .6% of CDF. It is initiated by the loss of DC bus II followed by the failure of AFW flow. Failure of AFW cooling necessitates the use of Feed and Bleed cooling. However, loss of the DC bus prevents one PORV from opening and successful Feed and Bleed cooling requires the opening of both PORVs.

T DCllP l1  This sequence is exactly the same as the previous sequence except it is initiated by the loss of DC bus I.

LOCAs outside the Containment

V  The V sequence is an interfacing systems LOCA. It contributes 1.1% of CDF. It is important because it bypasses the containment safeguards. The LOCA path is through any of the four sets of LPI cold leg injection check valves. There is a potential recovery action in which the operator may be able to isolate the LOCA by closing the appropriate cold leg injection isolation valve.

(Two additional interfacing system LOCA pathways have been identified by the Sequoyah IPE. One path is through any of four sets of safety injection system check valves. The other path is through the two motor operated valves in the RHR/RCS interface.)

TABLE 2. MOST IMPORTANT SYSTEMS BASED ON CORE DAMAGE FREQUENCY

Ranked by Contribution to Core Damage Frequency(a)    Ranked by Risk Significance of the System Being Unavailable(b)

Reactor Coolant System    Reactor Vessel    High Pressure Inject./Recirc.    Essential Raw Water Cooling    Containment Spray System    .................................

Electrical Power System    Component Cooling Water    Low Pressure Inject. (V-sequence)    Auxiliary Feedwater System    .................................

Low Pressure Inject./Recirc.    Low Pressure Inject./Recirc.

...............................    High Pressure Inject./Recirc.

Primary Pressure Relief System    Containment Spray System    Charging System    Reactor Protection System    Reactor Protection System    .................................

Accumulator System    DC Power Distribution(c)    Auxiliary Feedwater System

Essential Raw Cooling Water(c)    Component Cooling System    Ice Condenser System    Diesel Generators    Accumulator System(c)

a. For the ranking by contribution to CDF, the systems above the first dotted line contribute to greater than 25% of core damage sequences. Those systems between the two dotted lines each contribute to core damage sequences ranging from 10% to 25% of the total core damage frequency. The systems below the second dotted line contribute to less than 10% of core damage sequences.

b. For the ranking by risk significance of the system being unavailable, the dotted lines indicate orders of magnitude of change in importance level.

c. The Sequoyah IPE included these systems as contributors to CDF.

TABLE 3A. REACTOR COOLANT SYSTEM FAILURE MODE IDENTIFICATION

Mission Success Criteria

The Reactor Coolant System consists of the reactor vessel, four main coolant loops, and the pressurizer. Each loop contains a steam generator, a main coolant pump, and associated instrumentation. The success criteria for the RCS is dependent upon the accident sequence involved.

Conditions That Lead to Failure

1. Reactor Coolant Boundary Failure. Due to the predominance of the LOCA as an initiating event, failure of any RCS piping, vessels, welds, penetrations, or connections can have serious consequences.

2. Operator Fails to Depressurize. Failure of the operator to depressurize the RCS (by using sprays or removing steam) within 45 minutes following a SGTR can result in loss of steam generator integrity.

3. Reactor Vessel Rupture.

TABLE 3B. MODIFIED REACTOR COOLANT SYSTEM WALKDOWN

Walkdown is ineffective against the RCS failure modes.

TABLE 4A. SAFETY INJECTION/HIGH PRESSURE RECIRCULATION SYSTEM FAILURE MODE IDENTIFICATION

Mission Success Criteria

The Safety Injection/High Pressure Recirculation functions can be performed by either of two redundant Safety Injection pump trains or by either of the Charging pump trains. During the injection phase, the SI pumps start automatically and provide flow from the RWST to the cold leg injection points when RCS pressure is less than 1520 psig. If pressure remains above 1520 psig then the charging pumps must be used. The charging system is discussed in Table 10. When entering the recirculation phase, the operator must manually switch the system lineup to provide a suction path from the containment sump via the Low Pressure Injection pump discharges. The only significant system failure mode is failure to provide flow in the High Pressure Recirculation mode following a small LOCA. Success is taken to be one of the SIS pumps or Charging pumps taking suction from the discharge of the Low Pressure Injection pumps and supplying flow to the cold leg injection points.

Conditions That Lead to Failure

1. Operator Failure to Switch from Injection to Recirculation. Because of the small size of the ice condenser containment, the low CSS actuation set point, and the high CSS flow rate, the RWST at Sequoyah drains faster than at other PWRs. It is predicted that for all small LOCAs recirculation cooling will be required within 20 minutes of spray actuation. This does not allow sufficient time to depressurize the RCS and go on RHR closed cycle cooling. Therefore, operator action is required to switch from the High Pressure Injection mode to the High Pressure Recirculation mode.

2. Failure of Miniflow Valves FCV 63-3/63-4/63-175 to Close. The miniflow valves are normally open. Because they are interlocked with the pump suction valves, they must close for success of High Pressure Recirculation. Failure can be caused by valve/motor faults, valve actuation faults, or faults involving the valve power supplies.

3. Failure of Valves FCV 63-8/63-11 to Open. Failure of either of these normally closed valves to open isolates the associated SIS pump suction and one of the Charging pump suction paths from the LPR water supply and results in failure of that train of HPR cooling. Both common cause and independent failures are of concern. Failure can be caused by valve/motor faults, valve actuation faults, or faults involving the valve power supplies.

4. Failure of Check Valve V 63-510 to Open. This check valve is a potential single point failure of the safety injection system. Failures of concern are plugging, sticking shut, and valve failure.

5. Failure of Valve FCV 63-5 to Remain Open. This motor operated valve is a potential single point failure of the safety injection system. Failures of concern are plugging, improper positioning, and transferring closed.

TABLE 4B. MODIFIED SAFETY INJECTION SYSTEM WALKDOWN(a)

COMPONENT     NAME                        REQUIRED POSITION   ACTUAL POSITION   POWER SUPPLY(b)

FCV 63-3      SI Pumps Recirc. to RWST    OPEN                                  1A1-A 11B
FCV 63-4      SI Pump A Recirc. to RWST   OPEN                                  1B1-B 15E
FCV 63-175    SI Pump B Recirc. to RWST   OPEN                                  1B1-B 9A
FCV 63-5      RWST to SI Pumps Supply     OPEN                                  1B1-B 9B
FCV 63-8      SI Pump A from RHR A        CLOSED                                1A1-A 11E
FCV 63-11     SI Pump B from RHR B        CLOSED                                1B1-B 9E

a. Information obtained from SOI-63.1 Emergency Core Cooling System, Revision 56, 3/22/89.

b. Supply breaker closed unless otherwise noted.

[Figure 4-1. Simplified Schematic of Safety Injection System]

TABLE 5A. CONTAINMENT SPRAY SYSTEM FAILURE MODE IDENTIFICATION

Mission Success Criteria

The Sequoyah CSS acts with the Ice Condenser to provide the containment with pressure-suppression and heat removal capabilities. The CSS consists of two 100% capacity trains and has two operating modes. In the injection mode, the pumps supply cool water from the RWST to help condense the steam in the containment. Upon depletion of the water in the RWST, the CSS is shifted to the recirculation mode through a combination of automatic and operator actions. The RHR pumps can also be aligned to supply the containment spray headers and thus serve as two additional backup CSS trains. Success is taken to be the operation of at least one spray train for the first 24 hours of the recirculation phase.

Conditions That Lead to Failure

1. Failure of Operator to Control the Containment Spray System. During a very small LOCA sequence, the operator can conserve the injection water stored in the RWST by manually securing the CSS injection flow when the containment pressure drops below the spray initiation setpoint. This can greatly extend the injection phase of the accident, which in turn will decrease the likelihood of failure in the recirculation phase.

2. Failure of Operator to Realign the Containment Spray System for Recirculation. Like the high and low pressure injection systems, approximately 20 minutes after spray initiation the CSS must be realigned to the recirculation mode.

TABLE 5C. MODIFIED CONTAINMENT SPRAY SYSTEM WALKDOWN

Walkdown is ineffective against the identified CSS failure modes.

[Figure 5-1. Simplified Schematic of the Containment Spray System]

TABLE 6A. ELECTRIC POWER SYSTEM FAILURE MODE IDENTIFICATION

Mission Success Criteria

Emergency power to Unit 1 is normally supplied by two independent diesel generators, with each generator capable of supplying the loads fed from its associated 6.9KV bus. In addition, it is possible to supply power to a unit from the other unit's diesel generators via the shutdown utility bus. Mission success following the loss of offsite power is defined as either one of the unit's diesels running or power being supplied from the other unit through the shutdown utility bus.

DC power to Unit 1 is, in general, supplied by DC buses I and II. However, some DC loads, such as those required by the turbine-driven AFW pump, are supplied by the other unit. DC power is normally supplied by converting 480V AC power to 125V DC power. On the loss of AC power, station batteries act as a backup supply of DC power. Mission success for the DC power supply is defined as the continued operation of both DC buses.

Conditions That Lead to Failure

1. Failure of Diesel Generators to Start/Run. Failure of DG 1AA or 1BB to start or run for six hours following a LOSP results in loss of ESF loads fed from the associated bus. Failure of both DGs is a significant contributor to station blackout scenarios. Both common cause and independent failures are included. Failure can be caused by faults in the DGs, DG output breaker faults, or faults in the DG support systems such as control power, starting air, fuel oil, lube oil, or cooling water.

2. Failure to Supply Power From the Other Unit. In the event a station blackout occurs, it is possible to supply power to a shutdown board via the shutdown utility bus using the other unit's diesel output. This operation involves racking in two breakers and manually closing them. The dominant failure mode is human error to correctly perform the procedure. Equipment failure is also a contributor to the unavailability of power from the other unit.

3. Diesel Generator Unavailable Due to Maintenance. This includes both scheduled and unscheduled maintenance. This item contributes to both partial and complete loss of AC power following a LOSP.

4. Loss of a DC Bus. The failure of concern is the loss of either DC bus I or DC bus II. Failure of either bus results in loss of Main Feedwater, and the loss of one of the PORV trains. Loss of a DC bus was identified as an important initiating event.

TABLE 6B. MODIFIED ELECTRIC POWER SYSTEM WALKDOWN(a)

Due to the integrated nature of the diesel generator fail to start or run failure modes, each diesel generator should be checked for proper standby mode alignment as discussed below.

The voltage regulator switch (on local panel) is in AUTO.

DG room exhaust fans 1A/1B are in AUTO.

DG room exhaust fans 2A/2B are in STANDBY.

Fault shutdown relays are RESET.

Auto-maintenance switch (on local panel) is in AUTO.

Hand reset switch LRX (on DG relay panel) is RESET (REMOTE).

Loss of field cutout switch (on local exciter panel) is ON.

86 LOR (on DG relay panel) is RESET.

86 GA (on DG relay panel) is RESET.

Annunciation panel is clear on 0-M-26.

Unit-local parallel switch (on 0-M-26) is in UNIT.

43 T(L) (on 6.9kV logic panel) is in NORMAL.

a. Information obtained from LSI-82.1/.2/.3/.4 Diesel Generator 1A-A/1B-B/2A-A/1B-B, Revision 34, 8/19/88.

[Figure 6-1. Simplified Schematic of the Electric Power System]

TABLE 7A. AUXILIARY FEEDWATER SYSTEM FAILURE MODE IDENTIFICATION

Mission Success Criteria

The Auxiliary Feedwater System consists of one 100% capacity turbine driven pump which feeds all four steam generators, and two 50% capacity motor driven pumps which each feed two of the four steam generators. Success for all accidents except an ATWS is taken to be any one pump running, supplying flow to two steam generators. For an ATWS, success is defined as flow to three of the four steam generators from either both motor driven pumps or the turbine driven pump.

Conditions That Lead to Failure

1. Failure of Operator to Manually Open Failed Air Operated Valves. During a station blackout, AFW cooling is supplied by the turbine driven pump train. If loss of air to the air operated valves on the pump discharge lines causes them to close, the operator can manually open them. The time frame for doing so is approximately one half hour.

2. Turbine Driven Auxiliary Feedwater Pump Failure to Start. Failure of the turbine driven pump to start, in conjunction with a complete loss of AC, results in complete loss of auxiliary feed capability. Also, failure in conjunction with a partial loss of DC or AC power and an independent failure in the operable motor driven pump train also results in the failure of auxiliary feed flow.

3. Steam Binding of Auxiliary Feedwater Pumps. This is a possible common cause or independent failure mode caused by the leakage of steam into the pump discharge piping. Once per shift checking of the AFW pump's discharge piping temperature should minimize these failures.

4. Turbine Driven Auxiliary Feedwater Pump Unavailable Due to Maintenance. Turbine driven pump maintenance unavailability in conjunction with station blackout is an important factor contributing to loss of auxiliary feed capability.

5. Motor Driven Pumps Fail to Start/Run. Following a transient initiating event that results in the unavailability of one motor driven pump train and the subsequent failure of the turbine driven pump train, the unaffected motor driven pump must start and continue to run for 24 hours to ensure adequate cooling is available to prevent core damage.

6. Auxiliary Feedwater System Actuation Failure. Actuation failure of one or more AFW trains can result in partial or total loss of Auxiliary Feedwater capability. Failure can be caused by either common cause or independent failures. There exists a possible operator recovery action to manually initiate flow following actuation failure.

7. Failure of Operator to Manually Initiate AFW Flow. In the event the automatic initiation of AFW fails, the operator has the ability to manually initiate flow by starting the appropriate pumps and establishing a flow path.

8. Air Operated Valves LCV 3-148/3-156/3-164/3-171 Fail to Open. Following a transient initiating event that results in the unavailability of one motor driven pump train and the subsequent failure of the turbine driven pump train, both of the level control valves in the operating motor driven pump train must open to ensure adequate cooling to prevent core damage.

9. Air Operated Valves LCV 3-172/3-173/3-174/3-175 Fail to Open. Following a station blackout initiating event the turbine driven pump train must supply flow to at least two of the steam generators. Therefore, two of the four level control valves in the turbine driven pump train must open to ensure adequate cooling to prevent core damage. The failure of concern is the common cause failure of three or more of these valves to open.

10. Failure of Motor Operated Valve FCV 1-51 to Open. In station blackout conditions, the only source of AFW flow is from the turbine driven pump. Failure of the normally closed throttle/trip valve to open results in loss of all AFW flow.

11. Failure of Check Valve 3-864 to Open. This check valve must open for success of the turbine driven pump train. Its failure to open when the motor driven pump trains are not available could result in core damage.
TABLE 7B. MODIFIED AUXILIARY FEEDWATER SYSTEM WALKDOWN(a)

COMPONENT    NAME                           REQUIRED POSITION   ACTUAL POSITION   POWER SUPPLY(b)

TDAFWP       Turbine Driven AFW Pump        OFF                                   N/A
MDP A-A      Motor Driven AFW Pump A-A      OFF                                   1A-A 10
MDP B-B      Motor Driven AFW Pump B-B      OFF                                   1B-B 5
LCV 3-148    SG 3 MDAFW Pump Level Cont.    OPERABLE(h)                           VBB(c)
LCV 3-156    SG 2 MDAFW Pump Level Cont.    OPERABLE(h)                           VBB(d)
LCV 3-164    SG 1 MDAFW Pump Level Cont.    OPERABLE(h)                           VBB(d)
LCV 3-171    SG 4 MDAFW Pump Level Cont.    OPERABLE(h)                           VBB(c)
LCV 3-172    SG 3 TDAFW Pump Level Cont.    OPERABLE(h)                           VBB(e)
LCV 3-173    SG 2 TDAFW Pump Level Cont.    OPERABLE(h)                           VBB(f)
LCV 3-174    SG 1 TDAFW Pump Level Cont.    OPERABLE(h)                           VBB(f)
LCV 3-175    SG 4 TDAFW Pump Level Cont.    OPERABLE(h)                           VBB(e)
FCV 1-51     Trip and Throttle Valve        Closed(g)                             N/A

a. Information obtained from SOI-3.2 Auxiliary Feedwater System, Revision 46, 3/27/89.

b. Supply breaker closed unless otherwise noted.

c. 125VDC Vital Battery Board II Breakers 210 and 211.

d. 125VDC Vital Battery Board I Breakers 210 and 211.

e. 125VDC Vital Battery Board III Breakers 210 and 211.

f. 125VDC Vital Battery Board IV Breakers 210 and 211.

g. Operable, latched, and mechanical overspeed trip reset.

h. In order for an air operated valve to be considered operable, its controller, positioner, and operator must have control air lined up to them. It must appear properly assembled, with no obstructions or excessive air leaks.

[Figure 7-1. Simplified Schematic of the Auxiliary Feedwater System]

TABLE 8A. LOW PRESSURE INJECTION/RECIRCULATION SYSTEM FAILURE MODE IDENTIFICATION

Mission Success Criteria

The LPI/LPR system provides emergency coolant injection and recirculation following an accident which results in Reactor Coolant System depressurization. The LPR pumps can also be used to provide Containment Recirculation Spray flow. In addition, the LPR system provides the suction source to the Charging and SI pumps for High Pressure Recirculation operations. The success criteria for the LPI/LPR system varies depending on the specific application. However, for all cases involving the use of LPI/LPR, successful operation of one of the two LPI pumps is required.

Conditions That Lead to Failure

1. Failure of Low Pressure Injection Pumps to Start/Run. The failure of concern is failure of these pumps to start or run for 24 hours following an accident. Failure can be due to either common cause failure of both pumps or the independent failure of one pump when a fault exists on the other pump train. Failure results in a complete or partial loss of low pressure injection/recirculation capability, and the inability to provide High Pressure Recirculation. Failure can be caused by pump/motor faults, electric power supply faults, or actuation system faults.

2. Miscalibration of the Refueling Water Storage Tank Level Sensors. Following the injection phase of a LOCA, there is an automatic switchover from Low Pressure Injection to Low Pressure Recirculation. Switchover is initiated when the RWST level decreases to 29%. Miscalibration of the RWST level sensors can result in failure of the automatic switchover feature, and the subsequent failure of Low Pressure Recirculation operations.

3. Failure of Motor Operated Valves FCV 63-72/63-73 to Open. These valves open to provide the LPI pumps suction from the Containment Sump. Their failure to open due to common cause or independent failure when a fault exists on the other pump train results in loss of low pressure recirculation capability. Failure can be caused by valve/motor faults, electric power supply faults, or actuation faults.

4. Plugging of the Containment Sump. Common cause failure of the sump suction lines due to plugging results in loss of high/low pressure and containment spray recirculation capabilities.

5. Operator Fails to Remove Refueling Drain Plugs. The refueling drain plugs prevent water passing from the upper containment compartment to the containment sump. They are installed prior to flooding the refueling canal for refueling operations. If these plugs were not removed after refueling, under accident conditions requiring use of the CSS, spray water would accumulate in the upper containment compartment with no way to drain back to the containment sump for recirculation.

6. Failure of Motor Operated Valves FCV 74-12/74-24 to Open. The miniflow valves open during the high pressure injection phase to prevent the LPI pumps from overheating. Their failure to open due to common cause or independent failure when a fault exists on the other pump train can result in loss of low pressure recirculation capability. Failure can be caused by valve/motor faults, electric power supply faults, or actuation faults.

7. Low Head Safety Injection Pump Unavailable Due to Maintenance. Maintenance unavailability of one of these pumps in conjunction with a fault on the other pump train results in loss of low pressure injection/recirculation capability.

8. Failure of Motor Operated Valves FCV 74-3/74-21 to Close. These valves must close to isolate the LPI pumps suction from the RWST to allow for recirculation from the Containment Sump. Their failure to close due to common cause or independent failure when a fault exists on the other pump train results in loss of low pressure recirculation capability. Failure can be caused by valve/motor faults, electric power supply faults, or valve actuator faults.

9. Failure of a Cold Leg Injection Check Valve Pair. There are four pairs of check valves on the Low Pressure Injection lines: 63-633 and 63-560, 63-635 and 63-563, 63-632 and 63-561, and 63-634 and 63-562. Failure of any one of these pairs due to a combination of rupture or failure to close results in an interfacing systems LOCA. There is a potential recovery action in which the operator can isolate the LOCA by shutting the appropriate cold leg isolation valve.

10. Failure of Motor Operated Valves FCV 63-93/63-94 to Close. After approximately 15 hours of cold leg recirculation, the core must be recirculated through the hot legs to prevent the build up of boron and subsequent core damage. The cold leg isolation valves must close to allow flow from the LPI pumps to recirculate through the hot legs. Their failure to close due to common cause or independent failure when a fault exists on the other pump train results in loss of the normal method of hot leg recirculation. Failure can be caused by valve/motor faults, electric power supply faults, or valve actuator faults.

11. Operator Fails to Open RHR Header Cross Ties for Recirculation. Should one train of LPR be unavailable and the opposite train of HPR also be unavailable, the operator can recover recirculation flow by opening the RHR header cross tie valves FCV 74-33 and FCV 74-35.

12. Failure of Check Valve V 63-502 to Open. This check valve is a potential single point failure of the low pressure injection system. Failures of concern are plugging, sticking shut, and valve failure.

13. Failure of Valve FCV 63-1 to Remain Open. This motor operated valve is a potential single point failure of the low pressure injection system. Failures of concern are plugging, improper positioning, and transferring closed.

14. Failure of Valves FCV 74-1/74-2 to Remain Closed. Failure of these valves to remain closed, either through catastrophic failure or by transferring open, has been identified by the Sequoyah IPE as a potential interfacing system LOCA pathway.

TABLE 8B. MODIFIED LOW PRESSURE INJECTION SYSTEM WALKDOWN(a)

COMPONENT    NAME                          REQUIRED POSITION   ACTUAL POSITION   POWER SUPPLY(b)

RHR 1A-A     RHR Pump 1A-A                 OFF                                   1A-A 14
RHR 1B-B     RHR Pump 1B-B                 OFF                                   1B-B 14
FCV 63-72    Cont. Sump to RHR A           CLOSED                                1A1-A 13A
FCV 63-73    Cont. Sump to RHR B           CLOSED                                1B1-B 11C
FCV 74-12    RHR Pump A Miniflow           CLOSED(c)                             1A1-A 7C2
FCV 74-24    RHR Pump B Miniflow           CLOSED(c)                             1B1-B 14E
FCV 74-3     RHR Pump A Suction Isol.      OPEN                                  1A1-A 6E
FCV 74-21    RHR Pump B Suction Isol.      OPEN                                  1B1-B 14C
FCV 63-93    Cold Leg 2 and 3 Isol.        OPEN                                  1A1-A 13B
FCV 63-94    Cold Leg 1 and 4 Isol.        OPEN                                  1B1-B 12A
FCV 74-33    RHR Htx A Bypass Isol.        OPEN                                  1A1-A 7E
FCV 74-35    RHR Htx B Bypass Isol.        OPEN                                  1B1-B 15A
FCV 63-1     RHR Supply from RWST          OPEN                                  1A1-A 13A
FCV 74-1     RHR Supply from Hot Leg 4     CLOSED                                1A1-A 6C2(d)
FCV 74-2     RHR Supply from Hot Leg 4     CLOSED                                1B1-B 11B(d)

a. Information obtained from SOI-63.1 Emergency Core Cooling System, Revision 56, 3/22/89.

b. Supply breaker closed unless otherwise noted.

c. Closed and in Auto.

d. Supply breaker open unless RHR cooling operations in progress.

[Figure 8-1. Simplified Schematic of the Low Pressure Injection/Recirculation System]

TABLE 9A. PRIMARY PRESSURE RELIEF SYSTEM FAILURE MODE IDENTIFICATION

Mission Success Criteria

and two Power Operated Relief Valve (PORV) trains. Each PORV train consists of a DC powered PORV and an AC powered motor operated block valve. The only failure mode of consequence is failure to support feed and bleed cooling operations. Successful feed and bleed cooling requires the opening of both PORV trains.

Conditions That Lead to Failure

1. Failure of PCV 68-334/68-340A to Open. Failure of a PORV to open coupled with failure of the AFW system following a transient results in core damage. This is because, if AFW fails, then feed and bleed cooling is required, and the success criteria for feed and bleed cooling require the opening of both PORVs.

2. Failure of a Block Valve FCV 68-332/68-333 to Open. The block valves are normally open valves; however, they are sometimes shut for leak isolation purposes. Failure of a closed block valve to open on demand results in failure of that PORV train.

TABLE 9B. MODIFIED PRIMARY PRESSURE RELIEF SYSTEM WALKDOWN (a)

COMPONENT     NAME                          REQUIRED POSITION   ACTUAL POSITION   POWER SUPPLY (b)
PCV 68-340A   Power Operated Relief Valve   OPERABLE (c)                          VBB I
PCV 68-334    Power Operated Relief Valve   OPERABLE (c)                          VBB II
FCV 68-332    PORV Isolation Valve          OPEN                                  1B1-B
FCV 68-333    PORV Isolation Valve          OPEN                                  1A1-A
XS-68-3400    Pressure Channel Selector     Pos. 1 (d)                            N/A
PIC-68-340A   RCS Master Press Control      AUTO                                  VBB

a. Information obtained from SOI-68.3 Pressurizer Pressure and Spray Control System, Revision 15, 3/22/89.
b. Supply breaker closed unless otherwise noted.
c. In order for an air operated valve to be considered operable, its controller, positioner, and operator must have control air lined up to them. It must appear properly assembled, with no obstructions or excessive air leaks.
d. Or alternate position 2 or 3.
e. 125VDC Vital Battery Board I and II breaker 24.

Figure 9-1 Simplified Schematic of Primary Pressure Relief System (all components inside containment)

TABLE 10A. CHARGING SYSTEM FAILURE MODE IDENTIFICATION

Mission Success Criteria

The charging system consists of two centrifugal pump trains. A third positive displacement pump train was not considered due to it being frequently out of service. The charging pumps act with the safety injection pumps (see Table 4A) to provide high pressure injection of makeup water to the cold leg injection paths. The charging system additionally provides seal injection flow to the RCPs and provides a source of highly borated water for emergency boration following an ATWS event. Mission success is taken to be successful operation of one of the two centrifugal pump trains (or for high pressure safety injection the successful operation of one of the two charging pumps or one of the two safety injection pumps).

Conditions That Lead to Failure

1. Failure of the Operator to Correctly Perform Feed and Bleed Cooling. In the event of auxiliary feedwater system failure following a plant transient, the operator can initiate feed and bleed cooling. This is accomplished by using the charging system to feed cool water to the RCS while draining hot water via the PORVs. Failure of the operator to correctly line up the charging system and initiate feed and bleed cooling can result in core damage.

2. Failure of the Operator to Correctly Perform Emergency Boration. Following an ATWS event in which the control rods fail to drop, the operator can mitigate the effects of the ATWS by performing emergency boration. The dominant contributor to failure of emergency boration is failure of the operator to properly align the charging system to deliver flow from the boron injection tank to the reactor.

TABLE 10B. MODIFIED CHARGING SYSTEM WALKDOWN

Walkdown is ineffective against the charging system failure modes.

Figure 10-1 Simplified Schematic of Charging System (figure note: breaker racked out at power supply)

TABLE 11A. REACTOR PROTECTION SYSTEM FAILURE MODE IDENTIFICATION

Mission Success Criteria

The Reactor Protection System is designed to automatically scram the reactor when abnormal conditions exist. Should an insufficient number of control rods be inserted into the core to ensure a safe shutdown margin, then the addition of boron to the reactor can achieve the same results.

Conditions That Lead to Failure

1. Failure of Automatic Reactor Scram. The failure mode of concern is failure of the Reactor Protection System to scram the reactor given an automatic trip signal. This could result from electrical or mechanical failures in the Protection Logic, Scram Breakers, or Control Rod Drive Mechanisms.
2. Failure of Operator to Manually Scram the Reactor. For those ATWS events not caused by Control Rod Drive Mechanism mechanical failure, the operator can end the event by manually opening the Scram Breakers. This can be done by deenergizing the shunt trips from the control room or removing power at the motor-generator sets. The operator has one minute to perform one of these actions.
3. Presence of an Unfavorable Moderator Temperature Coefficient. The presence of an unfavorable moderator temperature following an ATWS event can lead directly to core damage. Care should be taken to ensure the reactor is always maintained within the operating limits established by the technical specifications.


TABLE 11B. MODIFIED REACTOR PROTECTION SYSTEM WALKDOWN (a)

The failure modes of Table 8A are not all readily inspectable by walkdown. Surveillance of the RPS system while critical does not include inserting the control rods. Therefore, whenever any surveillance is performed that would check this function, it should be observed or reviewed to ensure proper equipment response. Additionally, any surveillance involving the automatic reactor trip functions should be observed or reviewed to ensure proper equipment response.

COMPONENT   NAME                  REQUIRED POSITION   ACTUAL POSITION   POWER SUPPLY (b)
RTA         Gear BKR RTA Trip     CLOSED                                VBB (c) I 320
BYA         Gear Bypass Bkr BYA   OPEN                                  VBB (c) I 319
RTB         Gear BKR RTB Trip     CLOSED                                VBB (c) II 320
BYB         Gear Bypass Bkr BYB   OPEN                                  VBB (c) II 319

a. Information obtained from SOI-99.1 Reactor Protection System, Revision 8, 3/22/89.
b. Supply breaker closed unless otherwise noted.
c. 125VDC Vital Battery Board.


TABLE 12A. ACCUMULATOR SYSTEM FAILURE MODE IDENTIFICATION

Mission Success Criteria

The Accumulator system consists of four pressure vessels filled with borated water and pressurized with nitrogen gas. During normal operation one accumulator is floating on each of the cold legs behind two closed check valves and a normally open motor operated isolation valve. Following a large LOCA, as primary pressure drops below that in the accumulator, the nitrogen gas expands and forces the accumulator water to inject into the primary. Success is taken to be the injection of water into the vessel from the three intact loop accumulators.

Conditions That Lead to Failure

1. Failure of Check Valves 63-622/-623/-624/-625 or 63-560/-561/-562/-563 to Open. Following a large LOCA, core safety requires that the Accumulators on the intact loops inject to the core. Failure of any of these check valves to open in an intact loop would result in core damage. Failure can be caused by mechanical valve faults or plugging.
2. Valve FCV 63-67/63-80/63-98/63-118 Fails to Remain Open. Failure of any of these valves to remain open prior to or following a large LOCA can result in core damage. Failure can be caused by plugging, mispositioning, or transferring closed.

TABLE 12B. MODIFIED ACCUMULATOR SYSTEM WALKDOWN (a)

COMPONENT    NAME                      REQUIRED POSITION   ACTUAL POSITION   POWER SUPPLY (b)
FCV 63-67    Accumulator 4 Isolation   OPEN                                  1B1-B 11B (c)
FCV 63-80    Accumulator 3 Isolation   OPEN                                  1A1-A 13C (c)
FCV 63-98    Accumulator 2 Isolation   OPEN                                  1B1-B 11E (c)
FCV 63-118   Accumulator 1 Isolation   OPEN                                  1A1-A 13E (c)

a. Information obtained from SOI-63.1 Emergency Core Cooling System, Revision 56, 3/22/89.
b. Supply breaker closed unless otherwise noted.
c. Supply breakers must be open whenever RCS pressure exceeds 2000 psig.

Figure 12-1 Simplified Schematic of Accumulators (all components inside containment)

TABLE 13A. ESSENTIAL RAW WATER COOLING FAILURE MODE IDENTIFICATION

Mission Success Criteria

ERCW is a system shared with Unit 2. Normally, four of the eight system pumps are running, with one pump supplying each train at a plant. The other four pumps are normally in an automatic standby mode, with one pump aligned as back-up for each running pump. ERCW success is taken to be a minimum of two pumps running and supplying cooling water, with at least one pump supplying cooling water to each plant.

Conditions That Lead to Failure

1. Pumps Fail to Start/Run. Failure of a pump to start or failure of a running pump reduces the system's ability to recover should some independent system failure occur. Common cause failures of more than one pump are of particular concern.
2. Strainers Plugged. Each pair of ERCW pumps has a common traveling screen inlet strainer and a discharge strainer. The plugging of any of these strainers will reduce the system's ability to recover should some independent system failure occur. Common cause failure of more than one strainer is of particular concern.
3. Pump Maintenance Unavailability. The unavailability of a pump due to maintenance reduces the system's ability to recover should some independent system failure occur. Time spent with a pump unavailable should be as short as possible.

TABLE 13B. MODIFIED ESSENTIAL RAW COOLING WATER SYSTEM WALKDOWN (a)

COMPONENT   NAME            REQUIRED POSITION (b)   ACTUAL POSITION   POWER SUPPLY (c)
Q-A         ERCW Pump Q-A   ON                                        1A-A
J-A         ERCW Pump J-A   STANDBY                                   1A-A
N-B         ERCW Pump N-B   ON                                        1B-B
L-B         ERCW Pump L-B   STANDBY                                   1B-B
R-A         ERCW Pump R-A   ON                                        2A-A
K-A         ERCW Pump K-A   STANDBY                                   2A-A
M-B         ERCW Pump M-B   ON                                        2B-B
P-B         ERCW Pump P-B   STANDBY                                   2B-B

a. Information supplied by TVA.
b. Normally one of each pair of pumps is running with the other in standby.
c. Supply breaker closed unless otherwise noted.

Figure 13-1 Simplified Schematic of the Essential Raw Cooling System

TABLE 14A. COMPONENT COOLING SYSTEM FAILURE MODE IDENTIFICATION

Mission Success Criteria

The component cooling water system (CCS) is a system shared with Unit 2. Normally, three of the five system pumps are running, with one pump supplying the B-trains of both plants and separate pumps supplying the A-trains for each plant. The other two pumps are normally in an automatic standby mode, with one pump aligned as back-up for each plant. CCS success is taken to be a minimum of one pump running, supplying cooling water to both plants.

Conditions That Lead to Failure

1. Failure of the Operating Pumps to Continue Running. The failure mode of concern is the simultaneous failure of all three operating pumps due to some common cause failure. This failure coupled with failure of the standby pumps results in complete loss of CCS flow to the Unit. Because of the short time frame involved (4-5 hours), no recovery actions are likely.

2. Failure of the Standby Pumps to Start and Run for 24 Hours. Following a simultaneous loss of all operating CCS pumps, a standby pump must start and continue running for approximately 24 hours to ensure sufficient time is available to restore the failed pumps. Failure of the standby pumps results in a complete loss of CCS. Pump failure can be caused by pump/motor faults, electric power supply faults, or actuation faults with failure of the operator to start manually.

3. Pump Maintenance Unavailability. The unavailability of a CCS pump due to maintenance reduces the system's ability to recover should some independent system failure occur. Time spent with a pump unavailable should be as short as possible.

4. Heat Exchanger Maintenance Unavailability. The unavailability of a CCS heat exchanger due to maintenance reduces the system's ability to recover should an independent system failure occur. Time spent with a heat exchanger unavailable should be as short as possible.

TABLE 14B. MODIFIED COMPONENT COOLING WATER SYSTEM WALKDOWN (a)

COMPONENT   NAME            REQUIRED POSITION   ACTUAL POSITION   POWER SUPPLY (b)
1A-A        CCS Pump 1A-A   ON                                    1A1-A 4B
1B-B        CCS Pump 1B-B   STANDBY                               1B1-B 3C
2A-A        CCS Pump 2A-A   ON                                    2A1-A 4B
2B-B        CCS Pump 2B-B   STANDBY                               2B1-B 3C
C-S         CCS Pump C-S    ON                                    2B2-B 2D
Pump Heater Breaker         Closed                                LC-152 (c) 18

a. Information obtained from SOI-70.1 Component Cooling Water, Revision 51, 5/24/89.
b. Supply breaker closed unless otherwise noted.
c. Col. A2-S, El 690.

Figure 14-1 Simplified Schematic of the Component Cooling Water System

TABLE 15. PLANT OPERATIONS INSPECTION GUIDANCE

Recognizing that normal system lineup is important to any given standby safety system, the following human errors are specifically identified in the PRA as important to risk.

System                    Failure                               Discussion
Reactor Coolant           To depressurize RCS following SGTR    Table 3A, Item 2
High Pressure Injection   To switch from injection to recirc.   Table 4A, Item 1
Containment Spray         To control sprays                     Table 5A, Item 1
                          To properly switch to recirculation   Table 5A, Item 2
Electric Power            To provide power from other Unit      Table 6A, Item 2
Auxiliary Feedwater       To manually open failed AOVs          Table 7A, Item 1
                          To manually initiate AFW flows        Table 7A, Item 7
Low Pressure Injection    Miscal. of RWST level sensors         Table 8A, Item 2
                          To remove Refueling Drain Plugs       Table 8A, Item 5
                          To open RHR header cross ties         Table 8A, Item 11
Charging System           To perform feed and bleed             Table 10A, Item 1
                          To perform emergency boration         Table 10A, Item 2
Reactor Protection        To manually scram reactor             Table 11A, Item 2

TABLE 16. SURVEILLANCE INSPECTION GUIDANCE

The listed components are the risk significant components for which proper surveillance should minimize failure.

System                    Component                                 Discussion
RCS                       RCS boundary                              Table 3A, Item 1,3
High Pressure Injection   FCV-63-8/63-11                            Table 4A, Item 3
                          FCV-63-4/63-175                           Table 4A, Item 2
                          V-63-510                                  Table 4A, Item 4
                          FCV-63-5                                  Table 4A, Item 5
Electric Power            Diesel Generator 1AA, 1BB                 Table 6A, Item 1
Auxiliary Feedwater       Turbine Driven Pump                       Table 7A, Item 2,3
                          LCV 3-148/3-156/3-164/3-171               Table 7A, Item 8
                          Motor Driven Pumps                        Table 7A, Item 3,5
                          Actuation System                          Table 7A, Item 6
                          FCV 1-51                                  Table 7A, Item 10
                          LCV 3-172/3-173/3-174/3-175               Table 7A, Item 9
                          Check Vlv 3-864                           Table 7A, Item 11
Low Pressure Injection    LPI pumps                                 Table 8A, Item 1
                          FCV 63-72/63-73                           Table 8A, Item 3
                          FCV 74-3/74-21                            Table 8A, Item 8
                          Containment Sump                          Table 8A, Item 4
                          FCV 74-12/74-24                           Table 8A, Item 6
                          Cold leg injection check valves           Table 8A, Item 9
                          FCV 63-93/63-94                           Table 8A, Item 10
                          V 63-502                                  Table 8A, Item 12
                          FCV 63-1                                  Table 8A, Item 13
                          FCV 74-1/74-2                             Table 8A, Item 14
Primary Pressure Relief   PCV 68-334/68-340A                        Table 10A, Item 1
                          FCV 68-332/68-333                         Table 10A, Item 2
Reactor Protection        Automatic Scram System                    Table 11A, Item 1
Accumulator               Chk Vlv 63-622/63-623/63-624/63-625       Table 12A, Item 1
                          /63-560/63-561/63-652/63-653
                          FCV 63-67/63-80/63-98/63-118              Table 12A, Item 2
ERCW                      Pumps                                     Table 13A, Item 1
                          Strainers                                 Table 13A, Item 2
Component Cooling         Running pumps                             Table 14A, Item 1
                          Standby pump                              Table 14A, Item 2
                          Heat Exchangers                           Table 14A, Item 4
Containment Spray         FCV 72-20/72-23                           Table 6A, Item 2
                          FCV 72-2/72-39                            Table 6A, Item 3
                          Pumps CSS 1A-A/1B-B                       Table 6A, Item 4
                          FCV 72-21/72-22                           Table 6A, Item 5
                          CSS Room Coolers                          Table 6A, Item 6

TABLE 17. MAINTENANCE INSPECTION GUIDANCE

The following components are risk significant due to maintenance unavailability. The dominant contributors are frequency and duration of maintenance, with some contribution due to improperly performed maintenance.

System                   Component                   Discussion
Electric Power           Diesel Generator 1AA, 1BB   Table 6A, Item 3
                         DC Buses                    Table 6A, Item 4
Auxiliary Feedwater      Turbine Driven Pump         Table 8A, Item 2,4
                         Motor Driven Pumps          Table 8A, Item 5
Low Pressure Injection   LPI pumps                   Table 9A, Item 7
Reactor Protection       Automatic Scram System      Table 21A, Item 1
ERCW                     Pumps                       Table 13A, Item 3
Component Cooling        Running pumps               Table 14A, Item 1,3
                         Standby pump                Table 14A, Item 2,3
                         Heat Exchanger              Table 14A, Item 4

TABLE 18. CONTAINMENT WALKDOWN

Since the containment is inaccessible during normal plant operation, those components found to be risk-significant that are located inside the containment are listed below.

System            Component     Required Position   Actual Position
LPI/LPR           FCV 63-172    Closed
                  Cont. Sump    NA
                  Drain Plugs   Removed
                  FCV-74-1      Closed
                  FCV-74-2      Closed
Pressure Relief   PCV 68-304A   Closed
                  PCV 68-334    Closed
                  FCV 68-332    Open
                  FCV 68-333    Open
Accumulators      FCV-63-67     Closed
                  FCV-63-80     Closed
                  FCV-63-93     Closed
                  FCV-63-118    Closed


FRONTLINE-SUPPORT SYSTEM DEPENDENCY MATRIX NOTES

A. Because of the short time required to accomplish the reactor trip function, it is assumed not to require HVAC.

B. ERCW is supplied to the room coolers for pump area cooling.

C. Power is required to open the outlet valve in the CCS side of the heat exchanger.

D. I&C power is required to open the PORV; 480-Vac power is required to close the block valve.

E. The RPS shunt trip coil requires power to actuate; the UV coil and the RPS logic do not require power to trip.

F. Each MSIV receives both trains A and B power. MSIV solenoids must actuate to close the MSIV. Power from either train is sufficient to close the MSIV.

G. Each MSIV receives signals from both trains A and B of ESFAS.

H. The MFW isolation valves are motor operated and require 480-Vac power to operate.

I. The MFW control valves fail closed on loss of I&C power.

J. The steam supply MOV isolation valves from steam generators 1 and 4 (FCV-1-17-A and FCV-1-1-18-B) require power from 480-V RMOV boards 1A2-A and 1B2-B, respectively, to change position. The valves are only required to change position to isolate a faulted steam generator.

K. Raw cooling water supplies cooling to the condensate booster pumps and the standby main feed pump.

L. ERCW supply to the containment spray heat exchanger.

M. The condensate booster pumps and the hotwell pumps receive motive power from 6900-V unit boards 1A, 1B, and 1C.

N. The 120 Vac supplies power to the pressure indicating controller to modulate the power-operated atmospheric dump valves.

O. The 125 Vdc supplies power to the solenoids to open and close the POADVs.

P. The turbine-driven pump's LCVs receive power from 125-Vdc board 1-IV, the motor-driven pump's LCVs from board 1-I.

Q. The 120 Vac supplies the motor driven pump discharge pressure control valve controller.

R. The turbine driven pump LCVs and the motor driven pump LCVs receive air from different headers.

S. The pressure control valve on the discharge of the pumps receives trained air.

T. The 125-Vdc control power is required for pump start and stop. It is not required for an already running pump to continue to run.

U. The 125-Vdc power is to energize the solenoid to open the CDV; the 120-Vac is for control circuitry.

V. The system designators used in Figure 4.3-2 for support systems are identified in the notes for Figure 4.3-1. The system designators for the frontline systems represent systems as follows:

RTS A = Reactor Protection System Train A
RTS B = Reactor Protection System Train B
PORV A = Power-Operated Relief Valve Train A
PORV B = Power-Operated Relief Valve Train B
TURB TRIP = Turbine Trip Function
MSIV ISOL = Main Steam Isolation Valve Closure
CDVs = Condenser Dump Valves
POADVs = Power-Operated Atmospheric Dump Valves
AFW PMP A = Auxiliary Feedwater Motor Driven Pump A
AFW PMP B = Auxiliary Feedwater Motor Driven Pump B
AFW PMP TD = Auxiliary Feedwater Turbine-Driven Pump
AFW INJ1 = Auxiliary Feedwater Injection Path to Steam Generator Number 1
AFW INJ2 = Auxiliary Feedwater Injection Path to Steam Generator Number 2
AFW INJ3 = Auxiliary Feedwater Injection Path to Steam Generator Number 3
AFW INJ4 = Auxiliary Feedwater Injection Path to Steam Generator Number 4
COND = Condensate System
RWST = Refueling Water Storage Tank
CCPA = Centrifugal Charging Pump A
CCPB = Centrifugal Charging Pump B
CCP INJA = Centrifugal Charging Pump A Injection Path
CCP INJB = Centrifugal Charging Pump B Injection Path
SI PMPA = Safety Injection Pump A
SI PMPB = Safety Injection Pump B
RHR PMPA = Residual Heat Removal Pump A
RHR PMPB = Residual Heat Removal Pump B
RHR HXA = Residual Heat Removal Heat Exchanger A
RHR HXB = Residual Heat Removal Heat Exchanger B
LPI A = Low Pressure Injection Path Train A
LPI B = Low Pressure Injection Path Train B
HP RECIRC A = High Pressure Recirculation Train A
HP RECIRC B = High Pressure Recirculation Train B
LP RECIRC A = Low-Pressure Recirculation Train A
LP RECIRC B = Low Pressure Recirculation Train B
SD COOL = Shutdown Cooling
CNTMT SPRAY A = Train A Containment Isolation
CNTMT SPRAY B = Train B Containment Isolation
RB ISOL A = Train A of Containment Isolation
RB ISOL B = Train B of Containment Isolation


SUPPORT-SUPPORT SYSTEM DEPENDENCY MATRIX NOTES

A. Partial dependency - I&C power is normally fed from the shutdown boards. Alternate feed from the batteries.

B. The common boards supply the 250-Vdc battery chargers. Power for the 250-Vdc boards is available from the batteries if the common boards are unavailable.

C. Because of the long time frame that may be involved before an ESFAS signal is generated for some sequences, Control Building HVAC is assumed to be required to cool the ESFAS cabinets. This assumption should be verified for the full-scope PRA.

D. There are eight ERCW pumps available to feed the four headers. Four of the pumps are powered from the Unit 1 shutdown boards and four from the Unit 2 shutdown boards.

E. The Unit 1 train A ERCW pump receives control power from 125-Vdc board I, train B pump from 125-Vdc board II. The Unit 2 train A ERCW pump receives control power from 125-Vdc board III, train B from 125-Vdc board IV.

F. CCS pumps 1A-A and 1B-B both are normally aligned to feed the 1A ESF header. Pump 1A-A receives motive power from 480-V shutdown board 1A1-A and control power from 125-Vdc board I. Pump 1B-B receives motive power from 480-V shutdown board 1B1-B and control power from 125-Vdc board II.

G. ERCW supplies the CCS pump area coolers. CCS pumps CS and 1AA area cooler is supplied from ERCW header 1A. CCS pump 1BB area cooler is supplied from ERCW header 1B.

H. CCS pump CS supplies the 1B CCS header. Pump CS can be powered from either 480-V SDB 1A2-A or 2B2-B. Control power for 480-V SDB 1A2-A is supplied from 125-Vdc board I, 480-V SDB 2B2-B from board IV.

I. ERCW header 2A supplies cooling water to the train A CCS heat exchanger.

J. ERCW header 2B supplies cooling water to the CCS heat exchanger. Valves are administratively controlled for Appendix R.

K. The 6900-V and 480-V SDBs receive control power from 125-Vdc boards I, II, III, and IV. Control power is not required for the SDBs unless breaker cycling is required (i.e., LOOP).

L. MCR air conditioning water chillers A and B receive cooling water from ERCW headers 1A and 1B, respectively.

M. Shutdown board room water chiller AA receives cooling water from ERCW header 1A, chiller BB from header 2B.

N. Diesel generators 1AA, 1BB, 2AA, and 2BB receive cooling water from ERCW headers 1A and 2B.

O. Station air compressors are supplied by both ERCW headers 1A and 1B.

P. The 125-Vdc boards supply power to the 120-Vac boards through the inverters if ac power is lost.

Q. The 120-Vac boards are normally fed from the 480-V SDBs; boards 1-I and 1-II from 480-V SDBs 1A1-A and 1B2-B, respectively; and boards 1-III and 1-IV from 480-V SDBs 2A1-A and 2B2-B, respectively.

R. Compressors A and B are powered from the 480-V SDBs. Compressors C and D are powered from the 480-V common boards.

S. Control power for the unit boards is from the 250-Vdc boards.

T. Auxiliary Building HVAC supplies cooling for the electrical board rooms.

U. Failure of both boards is required to fail the corresponding train of ESFAS. These boards are required to support the output relays only. The input relays are fail safe.

V. The system designators used in Figure 4.3-1 represent systems as follows:

AUX PWR 1A = Train 1A 6.9-kV and 480-V shutdown boards
AUX PWR 1B = Train 1B 6.9-kV and 480-V shutdown boards
AUX PWR 2A = Train 2A 6.9-kV and 480-V shutdown boards
AUX PWR 2B = Train 2B 6.9-kV and 480-V shutdown boards
AUX PWR COM = Common Boards
UNIT PWR = Unit Boards 1A, 1B, 1C, and 1D
125-Vdc I = 125-Vdc board I
125-Vdc II = 125-Vdc board II
125-Vdc III = 125-Vdc board III
125-Vdc IV = 125-Vdc board IV
120-Vac 1-I = 120-Vac board 1-I
120-Vac 1-II = 120-Vac board 1-II
120-Vac 1-III = 120-Vac board 1-III
120-Vac 1-IV = 120-Vac board 1-IV
ESFAS A = Train A Engineered Safety Features Actuation Signal
ESFAS B = Train B Engineered Safety Features Actuation Signal
ERCW 1A = Essential Raw Cooling Water Train 1A
ERCW 1B = Essential Raw Cooling Water Train 1B
ERCW 2A = Essential Raw Cooling Water Train 2A
ERCW 2B = Essential Raw Cooling Water Train 2B
CCS 1A = Component Cooling Water Train 1A
CCS 1B = Component Cooling Water Train 1B
ESS Air A = Train A of Control Air
ESS Air B = Train B of Control Air
NON ESS AIR = Nontrained Control Air
CONT BLDG HVAC = Control Building HVAC System
AUX BLDG HVAC = Auxiliary Building HVAC Systems
DG A = Train A Diesel Generators
DG B = Train B Diesel Generators
RCW = Raw Cooling Water System
250-Vdc 1 = 250-Vdc board 1
250-Vdc 2 = 250-Vdc board 2

W. CCS train 1B is only dependent on Aux Pwr 1B during pump C-S maintenance when pump 1B is aligned to replace pump C-S.

BIBLIOGRAPHIC DATA SHEET

EGG-SSRE-8720

Risk-Based Inspection Guide for the Sequoyah Nuclear Power Station

R. E. Gregg

September 1989

Idaho National Engineering Laboratory
EG&G Idaho, Inc.
P. O. Box 1625
Idaho Falls, ID 83415

A6553

Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555

This report contains guidance for the integration of probabilistic risk assessment (PRA) results into the inspection program at the Sequoyah Nuclear Power Station. The method for applying PRA techniques is described and the proposed guidance for risk-based inspections is provided in the form of system-based and programmatic tables.

Unlimited

Unclassified