ML19339B885
| ML19339B885 | |
| Person / Time | |
|---|---|
| Site: | Summer  |
| Issue date: | 10/31/1980 |
| From: | GILBERT/COMMONWEALTH, INC. (FORMERLY GILBERT ASSOCIAT |
| To: | |
| Shared Package | |
| ML19339B882 | List: |
| References | |
| NUDOCS 8011100376 | |
| Download: ML19339B885 (134) | |
Text
..
l e
l GAI Report 2203 j
Revision 1 i
i l
i l
!I l
!I i
RELIABILITY ASSESSSEhT
]
"IRGIL C. SDSER NUCLEAR STATION j
UNIT 1 i
!il
)
1 l
i j
PREPARED FOR i
SOUTH CAROLINA ELECTRIC AND GAS COMPANT COLUMBIA, SOUTH CAROLINA i
4 1
1 1
1 1
1 1
1 l!I l
Prepared by i
]
Gilbert /Com.onwealth, Inc.
l Reading, PA 19603 1
l October, 1980
$((lt$
1 Gibert /Commonwea@
4 l
I TABLE OF CONTENTS Section Page
1.0 INTRODUCTION
1-1 I
1.1 Background
1-1 1.2 Objective 1-1 1.3 Scope 1-1 1.4 Analysis Technique 1-2 1.5 Appendicies 1-2 2.0 SYSTEM DESCRIPTION 2-1 2.1 Overall Configuration 2-1 2.2 Fluid System 2-1 2.3 Support Systems and Backup Water Source 2-4 I
2.4 Electrical Power Sources 2-5 2.5 Instrumentation and Control 2-5 2.6 Operator Actions 2-7 I
2.7 Testing 2-7 2.8 Technical Specifications 2-7 3.0 RELIABILITY ASSESSMENT 3-1 I
3.1 Fault Tree Approach 3-1 3.2 Assumptions and Criteria 3-1 3.3 Contributors to EFS Unavailability 3-8 3.4 Principal Dependencies 3-10 3.5 Comparative Reliability Assessment with NUREG-0611 3-10
4.0 REFERENCES
4-1 5.0 FIGURES 5-1 I
APPENDIX A RESPONSES TO GENERIC RECOMMENDATIONS APPENDIX B BASIS OF AUXILIARY FEEDWATER SYSTEM FLOW REQUIREMENTS -
WESTINGHOUSE RESPONSES TO NRC QUESTIONS APPENDIX C COMPARIS0N OF NRC STANDARD REVIEW PLAN 10.4.9 REV. 1 TO THE VIRGIL C. SUMMER FINAL SAFETY ANALYSIS REPORT APPENDIX D COMPARISON OF NRC BRANCH TECHNICAL POSITION ASB-10-1 l
I REV. 1 TO THE VIRGIL C. SUMMER FINAL SAFETY ANALYSIS REPORT APPENDIX E NRC QUESTIONS AND APPLICANT'S RESPONSES TO THE EMERGENCY FEEDWATER SYSTEM RELIABILITY ASSESSMENT
5 E
I
1.0 INTRODUCTION
1.1 BACKGROUND
The NRC has requested that plants with Westinghouse-designed reactors that are under operating license review evaluate and consider means for upgrading the Emergency Feedwater System (EFS) reliability. This report presents the reliability study performed on the EFS for the V. C. Summer Nuclear Station Unit 1 in a form comparable with that cou ained in NUREG-0611.
1.2 OBJECTIVE The objective of this study is to perform a reliability assessment of the V. C. Summer EFS and to compare its expected performance with similar systems at operating Westinghouse reactors.
1.3 SCOPE The V. C. Summer EFS design was analyzed for the following three I
Case 1 - Loss of Main Feedwater with Reactor Trip (UE) a.
b.
Case 2 - Loss of Main Feedwater Coincident with Loss of Offsite Power (LMF/LOSP) c.
Case 3 - Loss of Main Feedwater Coincident with Loss of All AC Power (DE/ LAC)
The analysis was limited to finding the probability of EFS failure on demand due to the occurrence of each of the above postulated initiating event cases. The causes and probabilities of the initiating sequences were not considered. External events, with the exception of tornadoes, were also not considered.
c.em ecommen.ae 1-1
1.4 ANALYSIS TECHNIQUE
~
The technique used for the study is Fault Tree Analysis. The I
undesirable (top) event postulated is the failure of EFS to provide sufficient flow to two steam generators. The system is examined with a view to finding combinations of component failure events and human errors which can cause the top event. This technique has been applied extensively to nuclear safety analysis, most notably in the Reactor Safety Study (WASH-1400).
I 15 APPENDICIES Enclosed as appendices to this report are responses to NRC requests, identified in the NRC letters of March 10, 1980*, and August 1980, as follows:
I Reference
Response
Ftclosure 1 of the NRC letter, Appendix A: Responses to March 10, 1980 Generic Recommendations of the NRC letter, Appendix B: Basis of Auxiliary March 10, 1980 Feedwater System Flow Requirements Item a. of the NRC letter, Appendix C:
Comparison of NRC March 10, 1980: " Provide an Standard Review Plan 10.4.9, evaluation which shows how Rev. 1, to V. C. Summer Final I
your AFW system meets each Safety Analysis Report requirement in Standard Review Plan 10.4.9 and Appendix D:
Comparison of h3C
'M Branch Technical Position Branch Technical Position E
^38 2 -' "
^38 2
, Rev.
,t
- v. C. Summer Final Safety Analysis Report I
l t
I I
Cnitert /Cammartwes.th 1-2
I
.I Reference
Response
Correspondence to Appendix E: NRC Questions and Mr. Armand Lakner, USNRC.
Applicant's Responses to the August 1980 EFS Reliability Assessment I
I I
n5 I
I I
I I
7-Letter dated March 10, 1980 from D. F. Ross, Jr., Acting Director, Division of Project Mana. -ment, Of fice of Nuclear Reactor Regulation, to all Pending Operating License Applicants of Nuclear Steam Supply Systems Designed by Westinghouse and Combustion Engineering.
Subject:
" Actions Required From Operating License Applicants of Nuclear Steam Supply Systems Designed by Westinghouse and Combustica Engineering Resulting from NRC Bulletins and Orders Task Force Review Regarding the Three Mile Island Unit 2 Accident."
.I I
GJbert /Commoneea@
1-3
m um i
2.0 SYSTEM DESCRIPTION 2.1 OVERALL C0hTIGURATION A diagram of the V. C. Summer EFS is shown in Figure 1.
The system consists of two Emergency Feedwater trains, one supplied by two motor-driven pumps (MDP) and one by a steam turbine-driven pump (TDP), all with a common suction source. Either of the trains can supply emergency feedwater to any ot the three steam generators. Any one of the three Emergency Feedwater pumps can supply sufficient emergency feedwater to at least two of the three steam generators.
2.2 FLUID SYSTEM 2.2.1 Suction The primary water source for the EFS is the condensate storage tank (CST). Of the tank's 500,000 gallon storage capacity, 150,000 gallons are available exclusively to the EFS.
A common suction header for all three EFS pumps is supplied through a 10 in. line from the CST. This line has a manual valve which has its handwheel removed is locked open.* The lines from the suction header to each EF pump have a check valve and a manual locked-open valve.*
The backup supply is the Service Water System (SWS) which is manually actuated or automatically actuated by pressure sensors (two-out-of-four logic) in the common suction line downstream of the locked-open manual valve from the CST. Service Water Loop A can supply the MDP "A" and the TDP.
Service Water Loop B can supply the
- Status of this valve indicated in Control Room (CR) and Technical Support Center (TSC) as part of By-Pass and Inoperable Status Indication (BISI).
1l L
2-1 F
I I
MDP "B" and the TDP. There is a normally closed motor-operated valve in each loop before the EF pump suction lines as well as a normally closed notor-operated valve and a check valve in the suction line of each pump. The motor-operated valves are isolation valves capable of I
both manual (local and remote) and automatic operation.
2.2.2 Pumps and Discharge Headers There are two discharge headers, one connected to the TDP and the other to the MDP's.
The discharge line from each pump to the header I
has a check valve and a locked-open, manually operated isolation valve.* The TDP delivers 570 gpm including recirculation at a steam generator pressure of 1211 psig and each MDP delivers 440 gpm including recirculation at a steam generator pressure of 1211 psig.
Each pump is provided with a recirculation path. This path consists of a check valve, a breakdown orifice and a locked-open manual valve.* The recirculation line is sized 2 in, for each MDP and 3 in.
l for the TDP.
Each recirculation line can pass the required pump l
minimum flow of 100 gpm. The recirculation lines discharge to a 4 in. recirculation header which returns the recirculation flow to the CST through a check valve.
lI The TJP and MDP discharge headers each split into three flow paths, one for each steam generator. Each flow path has a locked-open i
j manual valve *, a flow control valve ** and a locked-open stop check valve.* Downstream of the stop check valve, the flow paths from the I g E
TDP and MDP discharge headers combine to form one EF line to each steam generator. The common line to each steam generator contains a pneumatically operated spring-assisted check valve which serves as a containment isolation valve that is held open by discharge pressure from the EF pumps, and two check valves near each steam generator nozzle to limit the effects of a pipe break.
I
- Status of this valve indicated in CR and TSC as part of BISI.
k*For status indication of flow control valve, see 2.2.5.
2-2
I l
2.2.3 F_ low Control Valves Two normally open pneumatically operated flow control valves are provided for each steam generator; one valve controls flow from the I
MDP's, the other controls TDP flow. Remote manual / automatic control of the flow control valves is from the CR with provision for local manual operation. Safety class air accumulators with sufficient capacity to ensure valve closure for approximately three hours in the case of a secondary line break, are rrovided for the valves. The flow control valves fail open on loss of electric power or control air.
I 2.2.4 Steam Supply for the TDP Turbine The steam supply to the TDP consists of a connection taken from the safety class sections of each of two Main Steam (MS) lines (from steam generators B and C) upstream of the MS isolation valves. Two I
connections are provided to obtain redundancy of supply in the event of a MS line break. Each connection has a check valve and a motor-operated gate valve for positive isolation in the event of MS line break. A normally closed, fail open, pneumatically operated steam inlet valve
- which pneumatically fails safe upon loss of air or control signal and is opened automatically on EFS demand by two logic trains, is provide; in the common line to the turbine, which then connects to a turbine trip and throttle valve.
2.2.5 Valve Operation and Indication All motor-operated valves are ac powerad from Class IE buses, are controllable from and have their position indicated in the Control Room. Position indicat_an and control for each valve is from the valve motor power source. Additionally, all motor-operated valves can be manually opened or closed locally with position indication in the Control Room.
I
- Status of this valve indicated in CR and TSC as part of BISI.
I l
Gaerticommon.em 2-3 1
I I
The pneumatically operated flow control valves can be manually controlled from the control room or the control room evacuation panel. Audible and visual alarms will be activated and repeated at I
sixty-minute intervals wLenever an emergency feedwater flow control valve centrol switch is not in the auto position (valve is open when contrcl switch is in the auto position). Flow control in manual cont.rol (e.g., closed during EF pump test) will go to the full, wide-open position upon automatic initiation (excluding main feedwater pump trip) of the EFS.
I Locked-open valves critical to system successful functioning and several normally closed valves are monitored on the Bypass and Inoperable Status Indication (BISI) system. An input entry to the BISI computer is made whenever a valve is placed into a position contrary to successful system function. This record is displayed in the Control Room (CR) and Technical Support Center (TSC) CRT's.
.I 2.3 SUPPORT SYSTEMS AND BACKUP WATER SOURCE The EFS pumps, pump motors, and turbine are all independent of
,5 support systems such as nt cooling systems. The turbine can operate without air or electrical power. Motor cooling and turbine lubrication oil cooling are accomplished using EF flow.
In addition to the minimum of 150,000 gallons reserve in the CST, any extra inventory of water in the CST is available to the EFS. Makeup g
from the 500,000 gallon Demineralized Water Storage Tank (DWST) can 5
also be made available to the EFS. The backup water source for the EFS is the Service Water System.
In the present design, the manual action required to connect the backup water source, i.e., Service Water to the EF suction, is the remote manual opening of six MOV's.
The operator has 20 minutes af ter the soundinr of the CST low-low level alarm to accomplish this switchover.
If this is not I
accomplished, automatic switchover to the SW is initiated by low pressure sensing in the common suction header from the CST downstream I
4 tert /Commot%eaV 2-4
I I
of the locked-open manual valve. This signal automatically activates the motor-operated valves in the SW supply lines to the MDP's and the TDP using two of four sensor logic to the two separate SW trains.
I 2.4 ELECTRICAL POWER SOURCES A simplified diagram showing electrical power distribution to major EFS components is shown in Figure 2.
Each pump motor is supplied from a separate, independent Class 1E electric system bus.
Complete physical separation is followed throughout for control and instrumentation systems.
The required instrumentation and control I
are powered from separate and independent vital buses.
Power for EFS components necessary to establish emergency feedwater flow is derived from diesel generator backed 7200 V buses IDA and IDB. Normally (Case 1), these buses are supplied from offsite power through the switchyard. However, in the event of LMF/LOSP (Case 2), the diesel generators start automatically and ESF loads are connected in Engineered Safety Features Loading Sequence (ESFLS) Step 5.
Service I
Water also remains available in this case if the CST source is unavailable. Service Water is connected in ESFLS Step 3 ten seconds before initiation of the EFS pumps. At a predetermined pressure, the decreasing pressure in the EFS header initiates the transfer of EF source from the SWS with approximately twenty seconds of water remaining in the header.
I In the even+. of LMF/ LAC (Case 3), EFS is still adequately operable because startuu and operation of the TDP is not ac dependent.
2.5 INSTR'IMENTATION AND CONTROL I
2.5.1 Initiation Logic I
A functional logic diagram for EFS initiation is shown in Figure 3.
The diagram is simplified and does not show the redundancy, I
independence, and divisional separation of the hardware.
I G&ert!Ccmmonwes:tn 2-5
I I
The MDP's will ttart on low-low level in any one steam generator, Safety Injection Signal, or undervoltage on either ESF bus or loss of all three main feedwater pumps. The feedwater pump trip signal is a non Class lE electrical anticipatory start signal. The TDP starts on I
low-low level iri any two steam generators or undervoltage on both ESF buses.
The control logic shown in Figure 3 is powered from battery-backed buses.
I 2.5.2 EFS Flow Control The flow of emergency feedwater to each steam generator from the MDP's or the TDP can be controlled by air-operated Flow Control Valves (FCV's). Flow rates through the valves to the steam generators can be manually adjusted individually by hand controllers at either the main control board or the Control Room Evacuation Panel I
(CREP). On EFS initiation logic that starts either the MDP's (except the feedwater pump trip) or the TDP, the corresponding flow control valve for each steam generator will receive a signal to open regardless of its position.
Upon reset at the valve control switch, the operator can regain flow control.
I A high flow signal, such as in the event of a secondary line break, automatically closes the respective flow control valve.
2.5.3 Information Available to Operator I
In addition to the valve pcsition indication previously described, the following EFS parameters are indicated in the Control Room:
Pressure in the common feed line to each steam generator o
Suction pressure at each pump o
o Level in the CST I
Flow in the common feed line to each steam generator o
I I
-e
I 2.6 OPERATOR ACTIONS I
Assuming the CST is available, no operator actions are required to establish EFS flow in Cases 1, 2, or 3.
If the CST is not available I
initially, or if the CST level has been depleted after EFS operation for several hours, operator action, backed up by automatic switch-over, establishes Service Water supply to the EFS.
2.7 TESTING Each EF Pump is tested once a month to demonstrate operability.
Pump I
testing involves closing the appropriate FCV's from the TDP or MDP headers.
If the EFS is initiated, the FCV's will open; therefore, no EF pump is unavailable due to testing. When this test is performed, it is also verified that each non-automatic valve in the flow path that is not locked, sealed or otherwise secured in position, is in its correct position and that each automatic valve in the flow path is in the fully open position whenever the EFS is placed in automatic I
control.
At least once every 18 months during shutdown, the EFS is tested to verify that each pump starts automatically and upon receipt of each EF actuation test signal.
I iI I8 TECHNICAL SPECIFICATIONS Technical specifications require:
1.
All three EF pumps and associated flow >aths to be operable whenever the reactor is in Mode 1, 2, or 3.
With one pump inoperable, three pumps shall be made operable within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or the reactor should be brought to at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to HOT SHUTDOWN within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
I I
StertIComwwtatth 2-7
!I il
?.
Both independent service water loops be operable whenever the reactor is in Mode 1, 2, 3, or 4.
With only one service water loop operable, restore at least two loops to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.
3.
The condensate storage tank shall be operable containing a minimum volume of 150,000 gallons of water. With the condensate l
storage tank inoperable, within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> either:
I a.
Restore the CST to OPERABLE status or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in HOT SHUTDOWN within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, or I
b.
Demonstrate the OPERABILITY of the service water system as a backup supply to the emergency feedwater pumps and restore the condensate storage tank to OPERABLE status I
within 7 days or be in at least HOT STANDBY within tt'e next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in HOT SHUTDOWN within the following 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
I I
I 4
I I
' I 9
I 2-8
I I
3.0 RELIABILITY ASSESSMENT I
3.1 FAULT TREE APPROACH I
Fault tree analysis was used to assess system unavailability to a demand.
In this assessment, unavailability is taken as being synonymous with unreliability. Tais approach is consistent with NUREG-0613 and the Reactor Safety Study (WASH - 1400).
I The analysis primarily considered the automatic initiation of the V. C. Summer EFS combined with hardware, human, and test and
=
maintenance-induced failures. Limited operator backup actions in the event of partial automatic startup failures were included in the assessment. These were in general limited to those actions that could be performed within the first five minutes of EFS initiation.?
With the exception of resetting a closed throttle valve on the TDP, in-plant corrective actions such as turning an incorrectly positioned l
valve were not explicitly considered because valve alignment, l
locking, checklist and position monitoring procedures provide l
adequate flow path availability compared to other more dominant system failure contributors.
l l
NUREG-0611 generic short-and long-term recommendations currently complied with o to be implemented (see Appendix A) have been included in the fault tree and/or event data selection where j
appropriate.
l
{B The LMF fault tree appears in Figure 4.
The top event in the tree is failure to achieve the minimum success criterion as defined in Section 3.2.1.
The tree branches downward and is stopped at levels l
corresponding to the resolution of the available data. At this level are usually basic event circles.
l
- Steam generator dryout time is 21 minutes for all three feedwater transients.
I 3-1
I I
Major tree branches consist of those failures affecting supply of EF flow to the pump discharge headers and delivery of EF flow from the pump discharge headers to the steam generators. The inter-relationship between component failure, technical specification maintenance outages and human error are developed in terms of the tree logic. The degree of development is consistent with the I
reliability assessment goals and data available in NUREG-0611.
Modifications were made to the UfF of Figure 4 for assessing the LMF/LOSP and UIF/ LAC cases.
Calculations were performed for each of the three feedwater transient cases to obtain values for EFS unavailability.
3.2 ASSUMPTIONS AND CRITERIA 3.2.1 Definition of System Failure (Fault Tree Top Event)
System failure is defined as failure of the EFS to provide sufficient flow to at least two cf the three steam generators after a feedwater transient. Sufficient flow to the steam generators can be achieved I
by any single EF pump.
3.2.2 Degradation vs. Failure No degradation or degraded failures were considered, i.e., equipment either operates as required or is in a failed state.
I 3.2.3 EF Delivery Requirements Consistent with current :hermal hydraulic analyses, adequate primary loop cooling is achieved with a minimum of one motor driven pump or turbine driven pump on loss ef main feedwater transient including those cases where the main steam or feedwater line break initiates I
the transient.
l l
kbert /Commonwes@
3-2
3.2.4 Pump Flow Recirculation Failure to establish EF pump recirculation flow has been examined.
This area is mainly of concern when approaching HOT STANDBY where EFS flow is continually throttled back.
Loss of recirculation flow does not contribute to startup and run failure, and therefore, is not considered in the fault tree.
Rupture of the EF pump recirculation lines upstream of the flow orifices has been included in the analysis as part of EF pump header I
rupture.
3.2.5 EF Pump Susceptibility to Suction Starvation The EF pump manufacturer, due to pump dynamic considerations, cannot confirm the ability of the EF pumps to survive startup at EFS demand in a starved condition. Pump damage, should it occur, would take I
place in a matter of seconds after startup because of the no flow condition.
In the case of a closed EF supply line maintenance valve 1010 at EFS demand, the automatic switchover pressure logic on the EF header would sense low pressure and open EFS valves (1037A, 1037B, 1601A, 1001B, 1022A, and 1022B) to the backup supply from the Service Water System. Valve full opening time is approximately 40 seconds with backup flow available to the pumps as early as 10 seconds after initiation. However, pump damage resulting from the initial starved condition has b en assumed to take place before backup water reaches the pump.
I If the pump suction isolation valve (1013A, 1013B or 1014) is closed, similar starvation and pump failure will result. However, in this case, only the pump with the closed isolation valve would fail. No I
automatic switchover to Service Water w :ld occur because the pressure sensors are upstream of the suction isolation valves.
Gited /Ccmmcneea.th 3-3
lI
- I It is assumed that an EF pump startup with a closed suction flow path valve will result in immediate pump failure.
No credit is taken for possible recovery by making available an alternate water supply.
3.2.6 Maintenance on the EF Supply Line This analysis assumes that all preventive and corrective maintenance on the EF supply line and pump suction isolation valves, (1013A, 1013B, or 1014) is performed when the reactor is not in Modes 1, 2 or 3.
Performance of all maintenance during shutdown ensures that the EF pumps are not started at EFS demand in a starved condition resulting from closure of the EF supply line maintenance valve 1010.
3.2.7 Control Circuit Definition Motor and valve control circuits are defined analogously to those appearing in the WASH-1400 AFWS, (Auxiliary feedwater System) l analysis and includes the starter control circuit, power to the start control, de bus, breaker coils, breaker contacts, and power and control cables.
3.2.8 Power Source Availability I
Case 1 - DIF - All de, ac and steam power sources were assumed available.
lg Case 2 - Uff/LOSP - de and steam power was assumed available. One 5
diesel generator set was assumed to fail to start and accept load
.o with a probability of 3 X 10 '; the second diesel generator set was assigned a start and load acceptance failure probability of zero.
Case 3 - LMF/ LAC - de and steam power were assumed available; all ac sources were assumed unavailable.
I
- m. _._
3-4
3.2.9 Data Table 3-1 presents the basic and quasi-basic event probabilities used in the fault tree analyses.
Included in Table 3-1 are the bases for these values. Most reliability data for hardware, operator actica, human error and maintenance were taken or derived from NUREG-0611 or l
WASH-1400.
l Information is provided below on the more significant event items not included within i.ne scope of NUREG-0611 or requiring additional I
interpretation.
3.2.9.1 Plugging Contribution of the EF Supply Line Maintenance Valve (1010)
Based upon data in WASH-1400, Appendix III, all manual valves are I
lumped into one statistical quantity for the primary mode of 3 X 10~0
-5 to 3 X 10 per demand for plugging. This range is primarily based I
upon globe valves in moderate to high energy fluid systems. The assessed value for the EF supply line maintenance valve utilized in the V. C. Summer EFS is expected to be below this range.
Globe valves are more prone to plugging than other manual valves.
The plugging value for the butterfly-type valve utilized in the V.C.
Summer EF supply line would be lower because plugging cannot take I
place in butterfly valves as easily as in globe valves due to inherent design.
A change of flow direction with varying velocity as found in globe-type valves creates an environment where debris and other foreign material accumulate near the seating surfaces and affect the opening or closing action or cause plugging.
The median plugging contribution due to valve conseruction (i.e. butterfly vs.
globe) is expected to be at the lower end of the assessed range in
-5 WASH-1400 or about 3 X 10 per demand.
I Gdbert!Cammcewea@
3-5
I a
An additional half order of magnitude improvement in reliability can be expected due to application. The EF valve is in a system with one of the more clean and controlled environments (condensate) in the plant. The valve is located on a low-energy line and is subjected to I
flow induced effects of considerably less magnitude than most globe valves. Finally, the EF supply line maintenance valve is of relatively large diameter (10") and must effectively plug to about 85% of line area to result in pump starvation at demand.
An overall
-5 median unavailability of 1 X 10 per demand has been assigned to this valve based on the considerations presented here.
I 3.2.9.2 Human Errors Pertaining to the EF Supply Line Maintenance Valve The probability of the EF supply line maintenance valve 1010 being in a closed position due to human error at EFS demand is considered insignificant and assigned a value of epsilon (a value too small for resolution in this analysis).
I Table III-2 of N1' REG-0611 discussed " Human Acts & Errors-Failure Data."
The failure probability discussed in this section is applicable to operational valves which are normally positioned manually in the performance of their function.
Credit is taken for design elements which are factored in to ensure a more reliable functioning of the manual valve.
I Valve 1010 is not a normally positionable valve to perform its system function. As a " maintenance only" valve it is rarely operated and g
5 then under unusual and seldom occurring circumstances such as isolation of the CST for maintenance or repair. The unavailability of this valve would be much lower than the figures provided in Table III-2 for the following reasons:
a.
As mentioned above, the valve is rarely repositioned since it is a " maintenance only" valve.
C.itert (CCmwee3@
3-6
L
~
u c-b.
The valve handwheel has been removed to make it more difficult w
to inadvertently change valve position.
c.
The valve is administrative 1y controlled by a " locking" device on the valve shaft.
d.
A walk around procedure verifies at least once every 31 days the correct positioning and the security of the locking device.
Also, position indication is provided on the valve.
F u
e.
The valve alarms visually and audibly through the BISI system in the Control Room if not in the full open position.
E f.
The valve is procedurally verified (S0P-211, System Operating Procedures for Emergency Feedwater) to be in the locked open p'sition prior to reactor startup; it is demonstrated j
operaa.onally to be in the open position because the EFS is used u
to fill the steam generators at reactor startup with condensate from the CST.
l-The extraordinary precautions, taken to ensure that valve 1010 is in the open position, reduce human error to a negligible contribution in this assessment.
3.2.9.3 Loss of CST Inventory l
This quasi-basic event may affect the ability of the EFS to start by I
placing a rapid demand on the EF pumps before adequate backup flow can be established. This rapid demand could preclude operator inte rvention. Credit is taken only for the automatic switchover to the Service Water backup; no credit is allowed for manual switchover.
I Tank rupture, undetected tank draining and tornado-induced catastrophic tank failure were considered. A value of 3 X 10 ' per
~
demand was used in the assessment.
I H
u C4ertICc,mmoe eae 3-7
1 I
l 3.3 CONTRIBUTORS TO EFS UNAVAII. ABILITY I
l 3.3.1 Case 1 - I.MF Dominant factors limiting EFS availability at demand are discussed below.
II 1.
The single most important contributor to EFS unavailability results from the EF supply line maintenance valve (1010) being plugged at EFS startup. System failure results because all pumps are postulated to fail if started in a starved condition.
Valve 1010 in a plugged state accounts for approximately 80% of the EFS demand-unavailability.
I 2.
Preventive maintenance outages on an EF pump combined with other active failures account for the next greatest contribution to system unavailability. The TDP in maintenance presents a greater restriction on EF availability than an MDP in maintenance.
I 3.
Motor circuit start failures dominate individual MDP failure.
4.
Mispositioned pump suction isolation valves can lead to pump damage at startup.
Mispositioned pump discharge valves will result in no flow to the MDP or TDP header, respectively.
Pump recirculation and flow instrumentation are available allowing control room diagnosis of the problem without pump destruction occurring.
Operator correction of closed discharge valves was not considered in this analysis as discussed in Section 3.1.
317./CammcentaC 3-8
I Header discharge valves and EF flow paths to the steam generators had no substantial effect on EFS unavailability.
This is due to the normally open EF flow control valves and automatic opening whenever the valves are in manual control including pump test.
3.3.2 Case 2 - UfF/LOSP The failure contributors for this case are similar to those in Case 1.
Loss of offsite power has no effect on the system availability j
when both diesel generators are available because all ac dependencies are supplied by the ESF buses IDA and IDB.
Loss of one diesel generator reduces system availability because of the loss of an FDP. All other contributors remained unaffected.
lI 3.3.3 Case 3 - LV/ LAC I
The TDP train of the EFS is independent of all a-c and air supplies.
For this case the Service Water System is unavailable as a backup source of water to the EFS. The TDP train and flow path through flew control valves FCV 3536/3546/3556 is the only means of providing EF to the steam generators. Unlike Case 1 and Case 2 above, no EFS j
redundancy exists.
Contributors limiting EFS availability at demand for the UIF/ LAC case include:
1.
Outages of the TDP for unscheduled maintenance.
2.
Failure of the TDP steam isolation valve 2030 to open.
3.
Mechanical failure of the TDP.
I 3-9
l 4.
Failure of the turbine drain system due to plugging and/or human error.
5.
Pump discharge manual valve 1036 closed due to human error (resulting from TDP maintenance).
6.
Loss of CST inventory.
TDP unscheduled maintenance outages r e responsible for approximately 50% of the LMF/ LAC unavailability.
Items 2-6 contribute approximately equally to the remaining 50%.
3.4 PRINCIPAL DEPENDENCIES An identified principal (single point) dependency results from failure of the single manual valve (1010) in the EF header supply line from the CST. Valve failure can occur due to severe plugging.
Failure of the valve is postulated to fail all three EF pumps on demand. An automatic switchover of the EF pump suctions to the alternate (Service Water) source would occur in this situation.
However, as descri'-l in Section 3.2.5, no credit is taken for this action.
No other principal (single point) dependencies were identified for this system.
I 3.5 COMPARATIVE RELIABILITY ASSESSMENT WITH NUREG-0611 Figure 5 presents a qualitative representation of this reliability assessment for the V. C. Summer EFS when the demand unavailability has been determined from the constructed fault trees.
The range of AFWS unavailability for 25 currently licensed units with Westinghouse NSSS is shown on this figure for comparative purposes.
The basic format for Figure 5, including characterization of Low, G. tert / Common
- eau 3-10
I i
i Medium and High reliability, was adopted from Table III-5 of NUREG-0611.
Because of basic limitations in the data and intended scope of this assessment and those performed as part of the NUREG-0611 effort, calculated unavailabilities are shown in i
i comparative form only. Numerical values permitting construction of Figure 5 were obtained from Reference 3.
Note that direct cross-comparisons of the Il!F/IAC case with Cases 1 and 2 cannot be made because the scale on Figure 5 encompasses differing orders of magnitude; the IlfF and I'T/LOSP magnitude scales are identical.
Based on the reliability assessment presented here, and a review of the system design performed during the assessment, the V. C. Summer EFS is expected te exhibit a high degree of reliability. This level of reliability is favorably comparable to the AFWS reliability assessments presented in NUREG-0611 for currently operating units with Westinghouse reactors.
I I
I
$be". lbenea t1 I
3-11
TABLE 3-1 FAULT TREE EVENT DATA FAILURE ON TRANSFER EVENT DEMANi g BASES 4
MIV 1010 >85% P12CGED lE-5 10" butterfly valve.
Plugging range of globe valves in general se rvice is 3E-4 to 3E-5, WAsil-1400. La rge butterfly valve has differing physical plugging mechanisms, is in clean environment, and must plug >85% closed to lead to pump damage. Order of magnitude credit taken for above considerations relative to general globe valve.
Q = (I E-4) (.1) = IE-5.
FAILURE OF AUTO SWITCil0VER lE-3 Fa ilure to sense low pressure on EF suction header LOGTC resulting in no automatic switchover to backup source from SWS.
2/4 logic used to initiate trains A&B actuation of MOV's.
No credit for operator action.
w LOSS OF CST INVENTORY 3E-4 CST is seismic Category I.
Contribution from tank b
rupture is Qg=4E-8, WASil-1400. Tornado contribution based on site tornado frequency and missile impact on CST, Q2=2.6E-4.
Contribution from inadvertent tank draining thru valve 1035 combined with level instrumentation failure, Q" NN = 2.9E-4.
3 1
2 3 IlUMAN ERROR MIV 1010 c.
Valve remains closed after corrective maintenance. Valve closed status on BISI control.
6 TDP IN MAINTENANCE 5.8E-3 Technical Specification 3.7.1.2 provides up to 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> TDP outage.
Q=(.22) x (19)/720 = 5.8E-3.
TDP is isolated on test by closing FCV 3536/3546/3556.
FCVs will open on automatic initiation during test; negligible unavailability contribution.
NOTE:
UNLESS OTilERWISE SPECIFIED, EVENT DATA IS TAKEN OR DERIVED FROM NUREG-0611, TABLE III-2.
m M
m m
m m
M M
M M
M M
M M
M FAT ' URE ON TRANSFFR EVENT DhrfAND J BASES 7-8-9 CV 1009 A/B/C falls TO OPEN lE-4 Check valve portion of pneumatically operated spring-assisted (to clase) valve.
CV 1038 A/B/C FAILS TO OPEN lE-4 CV 1039 A/li/C FAILS TO OPEN lE-4 SG-A/SG-B/SG-C PIPING 3E-7 Three sections of piping; used %4 times per year.
RUPTURE A=
IE-10 fr/hr, WASit 1400.
r 11-12-13 MIV 1017 A/B/C PLUGGED lE-4 Manual isolation valve plugged.
ICV 1019 A/B/C FAILS TO OPEN lE-4 Check valve portion of valve.
Stop-check valve plugged.
IlUMAN ERROR MIV 1017 A/B/C
- 1. 5 E-3 Valve left in wrong position after maintenance on FCVs.
IIUMAN ERROR ICV 1019 A/B/C 1.5E-3 Locked valve with monthly position verification; independent verification after FCV maintenance. Valve closed status Indication provided in control room on BISI Qo = SE-4.
w b
Valve incorrectly selected.
Status of correct valve would be on BISI; locked valve tag serial number comparison should detect error.
Population is approximately 4-6.
(1/5)(SE-3) = IE-3.
Q
=
c FCV 3531/3541/3551 PLUGCED LE-4 FCV plugs when normally open.
FAILURE OF FCV 3531/3541/
c FCV fails open cn loss of control signal; valve is normally 3551 CONTROL open except on MDP test.
Cycled twice monthly.
l llUMAN ERROR FCV 3531/3541/
SE-4 FCV opens automatically when left closed after MDP test 3551 on EFS auto initiation signal.
FCV is not closed for isolation on pump train maintenance; incorrect posillon contribution is negligible.
thiman error contribution arises when required maintenance results in valve left closed due to maintenance error (e.g., cranked closed, disabled).
TABLE 3-1, PC. 2 of 10
M M
M __
_ _ _M M
M M
M K.i M
M l
Fall.URE ON TRANSFER EVEf[l' DEMAND, Q BASES FCV status and position indication lights, and audible alarm for closed FCV alert operator to closed valve; independent maintenance verification is performed.
Upper limit is (F5E-4.
FCV 3531/3541/3551 FAILS 9 E-6 Valve closed when MDP is tested.
Sub tree constructed.
TO OPEN DURING MDP TEST Primary contributions are monthly and post-maintenance tests and FCV failure to open.
14-15-16 FCV 3536/3546/3556 Pl.UCCED lE-4 See FCV 3531/3541/3551 Plugged, Transf er 11-12-13.
FAILURE FCV 3536/3546/3556 c
See Failure of FCV 3531/3541/3551 Control, Transfer CONTROL 11-12-13.
IlUMAN ERROR FCV 3536/3546/
3556 MIV 1018 A/B/C PLUGGED 1E-4 See MIV 1017 A/B/C Plugged, Transfer 11-12-13.
IlUMAN ERROR ICV 1020 A/B/C 1.5E-3 See lluman Error MIV 1019 A/B/C, Transfer 11-12-13.
ICV 1020 A/B/C FAILS TO OPEN lE-4 IlUMAN ERROR MIV 1018 A/B/C 1.5E-3 See lluman Error MIV 1019 A/B/C, Transfer 11-12-13.
FCV 3536/3546/3556 FAII.S TO SE-6 See FCV 3531/3541/3551 Fails to Open During MDP Test, OPEN DURING TDP TEST Transfer 11-12-13.
FCV closed fewer times than FCV's on MDP train.
1 17 MDP llEADER RUPTURE 2E-7 lleader tested monthly on MDP test; 4 sections of pipe.
A=1E-10 fr/hr, WASII-1400.
18 TDP llEADER RUPTURE 2E-7 Similar to MDP licader Rupture. Transfer 17.
I 19 CV 1015 A FAILS TO OPEN 1E-4 TABLE 3-1, PG. 3 of 10
m m
m m
m m
m m
m m
M m
M M
M FAII.URE ON TRANSFER EVENT DEMAND, q BASES
!!DP A PIPING RUPTilRE 2E-7 Four sections of piping.
Section is tested monthly on MDP test.
A=lE-10 fr/hr, WASll-1400.
MIV 1021 A PLUGGED 1E-4 IlUMAN ERROR MlV 1021 A 7.5E-4 Valve in wrong position after maintenance. Valve is not closed on MDP A test; closed on MDP A maintenance.
Valve is locked open with monthly position verification; independent verification after MDP-A maintenance. Closed status indication in control room on BISL Q = SE-4.
g Valve incorrectly selected as 1021 B.
Status of correct valve would be on B1SI; locked tag serial number 1021B comparison should aid in detection. Valves 1021A and 1021B are about 8' apart with no vision barriers between so control room initiated checkout would result in detection. Q = (1/2) x 5E-4 = 2.5E-4.
c 20 CV 1015 B FAII.S TO OPEN lE-4 u
b*
MDP B PIPING RUPTURE 2E-7 Same as MDP A Piping Rupture, Transfer 19.
IlUMAN ERROR MIV 1021 B 7.5E-4 Similar to !!uman Error 1021 A, Transfer 19.
MIV 1021 B Pl.UGGED 1E-4 21 GV 1016 FAILS TO OPEN lE-4 TDP PIPING RUPTURE 2E-7 Similar to MDP A Piping Rupture, Transfer 19.
MlV 1036 PLUGGED lE-4 lillMAN ERROR MIV 1036 7.5E-4 Errors of omission are similar to M1V 1021A, Transfer 19.
Valve could be incorrectly selected as M1V 1018G.
TABLE 3-1, PG. 4 of 10
M M
M M
M M
M M
M M
M M
M FAllURE ON TRANSFER EVENT DEMAND, Q BASES i
22-24 LOSS OF MDP A/B COOLING 6E-6 MDP bearings are cooled with EF discharge. Five sections of 3/4" piping is tested monthly on MDP test.
Plugging and rupture contribution: A
=A
= IE-9 fr/hr, WASil-1400.
3 Q = (A + A )(720/2) = 4E-6.'
Es[Imated severe leakage of g
r oil at Searings is A=lE-6 fr/hr. Lube oil reservoir.
Likelihood of undetected leakage on monthly walk around is SE-3.
Q=Q1 + Q~, =
2 6E-6.
MDP A/B FAILS TO RUN lE-3 MDP A/B CONTROL CIRCUIT 4E-3 MDP A/B tested monthly.
FAILS TRAIN A/B INITIATION Fall.S 7E-3 OPERATOR FAILS TO START SE-2 Operator fails to observe train A/B failure and attempt MDP A/B MDP A/B start f rom Control Room.
IlUMAN ERROR MDP A/15 7.5E-4 Breaker is not racked-in or control switch in lockout af ter MDP maintenance and demonstration test, Q = SE-4.
g Wrong breaker racked out from bus.
Q = (5E-4)x(1/12) =
4E-5 or control switch wrongly select 0d and locked out.
Population %3.
Q = (1/3)x(5E-4), Q = 2.5E-4.
c BUS IDA/lDB FAULT lE-5 Based on 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> surveillance on occurro e.
A = 2.7E-6 fr/Ir from IEEE-500.
Q = (2.7E-6)(8/2) = lE-5.
ACTIVE FAII.URE OF BUS lE-5 One breaker fails to open given occurence of a fault.
BREAKERS (12)
Assume one fault in 100 system operations.
Q = IE-3/d, q
1 WASil 1400.
Q = (1E-2)x(Q1)=lE-5.
I.0SS OF POWER SUPPLY TO IJfF all ac available: Q IJIF/LOSP "A" diesel
= 0. h.
"0.
=Q
=
A i
BUS JDA/1DB is assumed to start: Q B" diesel can fall:
j Q = 3E-2, WASil 1400. ho diesel or ac available for LbF/ LAC.
1 TABLE 3-1, PG. 5 o f 10
M M
M M
M M
M M
M M
M M
FAILURE ON TRANSFER EVENT DEMAND, Q BASES 23-25 MIV 1011 A/15 PLUGGED IE-4 IlUMAN ERROR MIV 1011 A/B 1.5E-3 Locked open valve closed on MDP A/Is maintenance; open on test.
Status input into BISI in control room.
Valve alignment check and pump operability demonstration after maintenance verifies 1011 A/B open.
Q % SE-4.
Valve inadvertently closed instead of 1011B, 1001A, 1001B, 1037B; all locked valve tag serial number comparison should aid in detecting error.
Population is five.
Q =(1/4)SE-3.
c CV 1013 A/B FAII.S TO OPEN lE-4 MDP A/ls INLET PIPING RllPTilRE 7E-8 Two sections tested on montly f:DP test; A= lE-10 f r/ hr, WASil-1400.
Pf.OW FROM CST AT EFS START Conditional probability of flow f rom CST taken as unity.
FAILURE OF SUGTION lE-4 Contribution from check valve failure Q =1E-4 and loop y
FLOW PATil T11ROUGli cV 1034 piping.
Loop plugging and rupture contribution A
=A A/B A = IE-10 fr/hr, WASil-1400.
Two loop sections tested En u
h 18 month basis.
Q = 2x(2E-10)x(18x720/2)=2.6E-6.
2 Q=Q 49 =1E-4.
1 2 SW LOOP A/B llNAVAILABLE SW Loop unavailability taken as lE-2 based on pump starting.
LMF/LOSP case Q
=Q
= lE-2.
IJ1F case at g
least one loop is operating at all times (Tech Spec.
3.7.4.1) in modes 1,2,3 and 4: Q 1E-2, Q = 0.0.
=
g A
No SW available for IJtF/ LAC.
LOSS OF CST INVENTORY 3E-4 See Loss of CST Inventory, Transfer 4.
MOV 1001 A/B FAILS TO OPEN 3.7E-3 Valve is NC; opens on auto switchover to SWS backup.
Valve tested monthly.
Status indication in control room.
Valve disabled for MDP A/B nalntenance, Qg=5E-4.
Valve incorrectly selected for r10V near MDPs; population 5.
O = (1/4 ) SE-4.
c Unavailability contribution from control circuit Q =2E-3, y
mechanical failure to open Q f E-3, and plugging Q 1
=
3 IE-4.
Q = Q 4 Q +Q +Q +0 = 3. 7 E-3.
g c 1 2 3 TABLE 3-1, PG. 6 of 10
t e
s uP2 s
e
=
pD1 u
r v
n
)
nT0 y
l a g.o l
an2 0
M t
i 1 :
t ec nnf a
mi-1 s
d d
i v
i w
v e
sns e n
eg s oy sIluaE rS f
t uaes u
l n adl f u d(
o t
l o i
ctldi t
)
P akf l t
s rt uan a
a3 7
D t cic s
a ei dh c art d M
T S er e
t m nsot esnf E h ey t
n ai a
l st uo5 G
y cvl e
wl
,P h ano x
P l
t P
k D st werd4 h
et en D
a h s sT ei pao (
t cnc e T
t gi n
vwtO -
o=
1 M
n n ent i
i rl u
khQ o
a mar y
T h e aeano l i 3
m nnne l
S n
rt va
.al egev0 h
C di df csl we E
n t i t d%
t 4
il an r a kP L
o nl na n
m o
t i eacdiD B
ainQ o
o r
vh a1 aneinl T A
i M
d a
ai m
r e
ac e1 ril t a T
e mem f
f a
s2db ci t o t
v e.
n s
oe r
rt nt s
Pl rb m o
w n
t rP sumcsi n
e D ae o
o a
n eO t Ta eoo e
t TVt t o d
l r
no t S s et L jg S
p f or e
f T
e f
u t o M
E o
g n
an t
pg arj. S nP no S
n o.
nP s.
f on ed1 D ot A
o i.
mnaD e0 o
y i
d pa1 tT B
t p0 d oocT t 0 r
eg n
2
.n d e i0 e oi 4
y o
b g ad r - eeyer s
p4 sRt en g1 t
t n
eoP gml s u l
1 o
avi n
l l
e sp r eaS mstbi i
n t i ent O at h al M
m-l a
ail l l rl i i i
v u
opr aun a
c ot aW pS f
eS rsVS iA b
n n e f oerdjonf t A et n pW a
I v
e pe d mo B
sW vno r
b sl b eopt a id
/
l om
.o f
o T
ea4 r
u nt n A
f aC e4 or r
S nV -
eapeol oua or v
d P
h p
C i
E v
ul h a b
1 h
n EE s/
l l st at udid 4
0 n/
niy5 nr l
f
=
a ert i t ere 0
or e
t % e of a
o ne) vval wct t s 1
if pI i ov i
n i n4 l t l aano t
oSlQl t0 o
s ai -
eaa eg r ol V
c0 I i a
c1 i
s rbE l v t n;t cc O
e1 dBb
.v e -
t o
d r1 t
P i d s M
s -
e a
sE i
L u(
t nD md enr e E
k orny 1
d rt x oiT aonoov3 e
el ct eel o=
n e
u 4
r a eoemrl -
e n=
onpp n w r o e
on=
h r nt l peraE S
OA Li ooo TA C
S FiQ TdO sf od evI M
NQ O
3 ED 3
8 4
4 4
8 4
4 3
R N E
UA 7
E E
E E
E E
E E
E LM 7
4 l
l S
7 3
4 l
E 3
I AD F
M N
S E
T E
L R
R M
P I
U E
A O
A T
R T
F P
U S
O U
N T
Y T
N R
E 2
P S
R O
P 1
U F
O D
m S
I G
O 0
R E
T E
L T
N 1
N G
N T
A O
D G
T E
G I
I I
N A
P T
E V
N A
V U.
A I
E F
T I
G I
I N
R l
V I
P S
G M
P T
I P
D E
B N
L U
I S
m T
I L
R P
C T
S R
/
I A
E A
P O
S E
O B
L F
R T
M C
N R
7
/
N 2
R E
O I
R 3
A I
4 1
E L
R F
L E
0 0
N F
O 1
N M
0 N
I N
N 1
1 A
1 A
W S
I A
I V
A E
V M
P O
S A
M O
R T
V U
D L
9 R
l I
U M
T S
C M
Il T
F L
D I
m R
E F
S 6
7 8
N 2
2 2
A R
T M
uee*
m FAILURE ON TRANSFER _
EVENT DEMAND, q BASES FAILifRE OF TDP LUBE lE-5 Similar to 1.oss of MDP A/B Cooling except turbine and purup OIL / COOLING SYSTEM bearings cooled, Q =8E-6.
Estimated Icakage at bearings 1
is similar. Q -2E 6.
Q=Q Hh.
1 2
Single manual valve to adjust flow to oil cooler.
Valve is set in position and locked. Valve status observed on monthly walk around and TDP test.
Note: TDP can run f o r t wo hours with val"e ti. closed posLLion at s t a rt up before oil temperature exceeds h1 range.
TDP Fall.S TO RUN lE-3 Includes governor and lube oil pump.
TRAIN A&li INITIATION FAILS SE-3 Valve A0V 2030 receives open signal from Trains A and B.
OPERATOR FAILS TO START TDP SE-2 Operator backup by opening A0V 2030 from Control Room.
A0V 2030 FAILS TO OPF14 IE-3 Tested monthly on TDP test; fails open.
Control circuit contribution negligible; not shown in tree.
t.,
L IlUMAN ERROP TDP TilROTTLE SE-4 Operator falls to reset throttle valve after test per SOP-val.VE 211.
Next detection at next monthly TDP test.
Control Room indication.
FAILURE TO PERFORM IN-PLANT SE-2 In-plant recovery by operator; limited to twenty minutes.
RESET OF TDP Non-dedicated operator backup.
29-30 FAILURE OF ONE OF FIVE SE-4 Number of SRVs stuck open affecting 'l
- supply is unknown:
MS-B/MS-C SRVs TO RESEAT assumption of or.e is conservative.
Q=lE-5/d, WASH-1400 for failure to open.
A factor of 10 is used for sticking open for each SRV.
Fall.URE OF MS-B/MS-C PORV IE-4 Air operated valve, fails closed. Control circuit TO CLOSE contribution negligible.
Similar to above.
- 6 A/B FAILS TO OPEN lE-4 MS-B/MS-C PIPING RUPTURE 4E-8 One section of -ising.
A = lE-10 fr/hr; WASil-1400.
TRAIN A&B INITIATION FAli,S SE-5 See Train A&B ' o Lia tion Falls, Transfer 28.
TABLE 3-1, PG. 8 of 10
M M
M M
M M
M M
M M
M M
FAILURE ON TRANSFER EVENT DEMAND, Q BASES MSIV 280L B/C FAILS TO CI.0SE lE-3 A0V faf.ls closed; redundant Tra.
A&B close signal to each valve.
MOV 2802 A/B PLUGCED lE-4 IlUMAN ERROR MOV 2802 A/B SE-4 2802 A/B closed for TDP maintenance. Valve closed locally. TDP demonstrated operable ensures operability of at least one valve: coupled error of both closed not applicable.
Control room status indication.
Valve is NO:
receives open signal on EFS startup.
Upper limit on Q = SE-4.
Valve closed status indication provided on BISI.
g 31-32-33 FCV 3531/3541/3551 IN 2.lE-3 Mean valve maintenance act of 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> per valve.
Only MAINTENANCE one valve is maintained at a time.
Q =.22 (7/720).
FCV 3536/3546/3556 IN 2.lE-3 Same as above.
MAINTENANCE 34-35-36
?!!V 1018 A/B/C PLUGGED lE-4 These events are described or Transfer 14-15-16.
w h
ICV 1020 A/B/C FAII.S TO OPEN 1E-4 tEMAN ERROR MIV 1018 A/11/C 1.5E-3 IlUt!AN ERROR ICV 1020 A/B/C 1.5E-3 l
FCV 3536/3546/3556 PLUGGED lE-4 FAILilRE OF FCV 3536/3546/3556 c
CONTROL IlUMAN ERROR FCV 3536/3546/3556 SE-4 i
37 N MIV 1017 A/ll/C PLUGGED lE-4 These events are described on Transfer 11-12-13.
I ICV 1019 A/B/C FAII.S TO OPEN lE-4
!!UMAN ERROR !!!V 1017 A/B/C 1.5E-3 i
IIUMAN ERROR ICV 1019 A/B/C 1.5E-3 j
TABLE 3-1, PC. 9 of 10 4
=.
l FAILURE ON TRANSFER EVENT DEMAND, O BASES FCV 3531/3541/3551 Pl.UCCED lE-4 c'AILURE OF FCV 3531/3541/3551 c
CONTROL llUMAN ERROR FCV 3531/3541/3551 SE-4 40-41 MDP IIEADE; RUPTURE 2E-7 Same as MDP lleader Rupture, Transfer 17.
MDP llEADER RUPTURF
?E-7 Same as MDP Ileader Rupture, Transfer 17.
MDP A IN MAINTENANCE 5.8E-3 Similar to TDP in Maintenance, see Transfer 6.
MDP B IN MAINTENANCE 5.8E-3 Similar to TDP in Maintena.' e, see Transfer 6.
42-43 FAILURE OF SWS LOOP A/11 1E-4 Similar to Failure of Suction Flow Path Thru CV 1034 A/B, FLOW PATil TIIRU CV 1022A/B Transfer 23-25.
SW LOOP A/B UNAVAll.ABLE lE-2 See Transfer 23-25.
a r'a MOV 1002/1008 FAILS TO OPEN 3.7E-3 Similar to MOV 1001 A/B Fails to Open, Transfer 23-25.
MOV 1037 A/B FAILS TO OPEN 3.7E-3 See Transfer 23-25.
TRAIN A/B INITIATION FAILS 7E-3 TAliLE 3-1, PG. 10 of 10
i t
i 2
i
4.0 REFERENCES
I i
i l
1.
NUREG-0611, " Generic Evaluation of Feedwater Transient and Small j
Break Loss-of-Coolant Accidents in Westinghouse Designed Operating Plants," January 1980.
2.
WASH-1400 (NUREG-75/014), " Reactor Safety Study," October 1975.
- g 3.
Various communications with USNRc personnel.
1
}
4 1
1 r
b!I t
I I
i i
C=Wt /Commorou :n l
4-1 i
1
i 5.0 LIST OF FIGURES l
Figure 1 - EFS FLOW SCIEMATIC i
j Figure 2 - AC POWER DISTRIBUTION TO EFS COMPONENTS 1
1 Figure 3 - EFS INTIATION LOGIC I
Figure 4 - V. C. SU?DfER EMERGENCY FEEDWATER FAULT TREE Figure 5 - COMPARIS0N OF V. C. SUPDER UNIT 1 EFS RELIABILITY WITH I
THAT OF OPERATING KESTINGHOUSE PLANTS I
I 4
1 l
4 i
i i
i r I N
Gert /Cemmonwer:n 3-1
TO STMOSPHERE A
l 2804B p - - w - - - - -.,
l y--- n ----
LEGEND ggg4A 1
T B.
wATEa STEAM l N EFmP
==
XPP.8-E F F.O.. FAIL OPEN "g
l I
FC FAIL CLO5ED l
g LO LOCKEC DPEN I
MOV - MOTOR OPE R AT ED V ALVE NC - NORMALLY CLOSED I
. _5TATU51NDICATION ON B:51 CRT
- F.O. b[ 30 1
I TO HEADER 'A' TO HEADER 'B' l
TO HE ADER 'C' A
i 6
1 4
}
%FC Q FC l
FC
. 2801 A 2868A
. 2801 8 2868B
- 2801C 2868C g--
j
( FC l l
FC j
i FC
$---J lg 2802A-y-- A 28028 l
l
--J i
2876A 2876B y
l g
y I
l l
---_l___________I________.--__-l_.______
STEAM CENERATOR A STEAM GENERATOR B STEAM GENERATOR C 1039A 1039B 1039C I
CON T AINMENT 1038A
,1038B 1038C FC 1009A FC 10098 FC 1009C LO LO LO LO LO LO I
1020A 1019A 10208 10198 1020C 1019C I
IFV IFV F.O.
F.O.
F.O.
F.O.
F.O.
F.O.
3536 3531 3546 3541 3556 3551 LO LO LO LO LO LO
- 1018A 1017A 1018 8 1017B 1018C 1017C i
1021A
.1036 10218 1015A 101o 0158 N
X X
N 1023A LO 024 TDEFP 10238 MDEFP LO bOEFP 1 5B 1 5A XPP8 XPP218 XPP21 A LO 1026 1034A 1013^
jog 33 se
{1034B
.x =C, 4.. z.
9
..m = C, I
V NC) 1 1
V NC) 1008
, 1014 1002
. LO 1012
(
- M ruov;NC) jk 1037A EL 30 1027
\\
C.S.T.
5.w. A XTK-8-CO FIGURE 1 EFS FLOW SCHEMATIC
M M
M M
M M
M M
M DIESEL A V\\ TR. XTF4-ES T R. X T F 31-ES DIESEL GENERATOR ' A'
^*
TW GENERATOR 'B' D
]
NO NO l
l l 7.2 KV BUS X SW1D A-ES l
l 7.2 KV BUS XSW1DB-ES O
O MDEFP MDEFP X P P21 A-ES X P P 218-E F 7.2 KV BUS XSW1E A-ES 7.2 KV BUS XSW1EB-ES O
O S.W.P.
W.
gg 3wp g
TR.IDA2 X PP39 A-SW XPP29B-SW TR.1DB2 XPP 9
)
I I)
I)
I) l MCC XMC 1D A2X-ES MCC XMC 1DB2X-ES l MCC IDB2Y-ES MOV'S MOV'S MOV 10 37 A - E F 10378-E F 280 28 -MS 1001 A-E F 1001 B -E F 1002-E F 1008-E F 2802A-MS FIGURE 2 AC POWER DISTRIBUTION TO EFS COMPONENTS
L L
L E
E E
W V
V D
D D
E E
E E
E 5
5 L
L P
P P
P P
P P
P O
O O
R I
E E
I RI R T T
L L
S T
T T S O
O A
C'
A L
L B
B' B'
A S
S P
P P
W W
w L
L F
g G
F F
F F
S f
S M
M M E S
E
. M
=
4 J'
=
V M
3
/
2
^I 3
C GI 4
O
-rL L
L N
O TI A
I T
I IN S
F E
N 3
N O
O I
?
E TI T
R M
I O
I OV I
S U
S O
G O
P E
E P
F G
G T
T A
A U
U T
T O
O L
L K
K O
O C
C V
V O
O R
R L
L E
E I
N N
I N
D D
N U
U S.
S.
A B
C C
D D
I I
S S
U U
~
B B
{
L L
L A
A A
U U
4 U
4 N
N N
A A
A M
M M
I, 4
4 m
4 A
D pQ S
E M
S, B
V L
'A A S V M M )S T P
- - M T P N
R F A 8 -
R F E
2 2 0 A E AE P 0 0 3 O8 8 0 T D T D S M 2 2 2 S M
(
4 6
!I I
LIST OF ABBREVIATIONS USED IN THE EMERGENCY FEEDWATER SYSTEM FAULT TREE AC Alternating Current I
A0V Air Operated Valve CST Condensate Storage Tank CV Check Valve i
j DC Direct Current j
EF Emergency Feedwater i
l EFS Emergency Feedwater System i
FCV Flow Control Valve l
ICV Isolation Check Valve MDP Motor Driven Pump MIV Manual Isolation Valve MOV Motor Operated Valve MS Main Steam i
MSIV Main Steam Isolation Valve i
j PORV Power Operated Relief Valve 4
i SG Steam Generator SRV Safety Relief i'Ive 1
}
SWS Service Water System TDP Turbine Driven Pump f
a.,tmicaucunc
Y W L O H P L T E
P FI N C WI UF A N S ED R A O
E T TT T N E
UI 1
UI O PA 2
SS M
LF I
F F
A A
U 0
F S
1 T
E E
H S
T T
N E
N E
C TI TAS TI RU S
F H R FFP E
N E
W F
C E F
R WFI R
O SD U
A U
U OE 5
U S LI A S
R L
FD L
L
[
E HT I Y I
Y F A L F PH A L T
U P
P EB P
U U
S S
E M
E RT TNW T
EO L
I S
O C LF N U
TI F EI A
F A
F N H R E
E F O T T RS R UI UST O 4
L EC B P E A I
S R
FI T
W M
V f
E F
O D
T W
S E
E R
S OOR A
3 E
F LWO W
F EEFTT D
FIDFT A YE R
CE OVES E M
A N F OT EN E
E R N L E N
R PE G
G I
U I
T R A LO C A M E M I
TI A
A F OE M
F F
F T T R W S
O E
U S
E O RC R
S S
VI L E -
E S L F DG M O PAS M L E FME D U
DEU H N S
R OT P
.O EA 3
T NM G A C. F EOR E
V I
R A G R C UI F HS L F C
4 O
I F
S A U I
T E
FS D
P UG I
F TPS RW S
NM R EO RC E
EU vL E -
I P D O C A 'S
S D
O H DE U H N E F R
O OT P R U E
EA 2
US F W
TN M GB G
L RW R EI O R -
I T
E AEO AO RCR A G FVL HT UI F HS F
FC L
C IL S
F O
S E FI IAU I
T D ED FS D
M Rw S
L E -
DEU H N P
O T EA T NM G A 1
EOR E
I R
R C A G UI F HS L F C
F S O IA U I
T FS D
W M
M M
A A\\
A I
TO DE V ILURE TO DEllVE ALLURE TO DELIV l SUFFICIENT EF l SUFFICIENT EF l SUFFICIENT EF I l FLOW FROM PUMP l l FLOW FROM PUMP l l FLOW FROM PUMP l l DISCHARGE HEADERS l l DISCHARGE HEADERS l lDISCHARC C HE ADERSl
[TO SG-A AND SG-BJ
{TO SG-B AND SG-C]
TO SG A WID SG-C j f'
FAILURE TO FAILURE TO FAILURE TO FAILURE TO FAILURE TO FAILURE TO DELIVER DELIVER DELIVER DELIVER DELIVER DEllVER SUFFICIENT EF SUFFICIENT EF SUFFICIENT EF SUFFICIENT EF SUFFICIENT FF SUFFICIENT EF FLOW TO SG A FLOW TO SG-B FLOW TO SG-B FLOW TO SG-C FLOW TO SG-A FLOW TO SG-C
/7\\
!8\\
8 9
7 9
SHEET 2 0F 21
'l
___________._m
._m___.
m.._._
m m
m m
m M
M M
M M
E l
I I
l A
ALLURE TO PROVIDE l SUFFICIENT EF l SUCTION FLOW !
l TO BOTH EF l
PUMP TRAINS L
_J w
INSUFFICIENT EF NO BACKUP EF SUCTION FLOW SUCTION SOURCE THRU MfV 1010 AFTER LOSS OF AT EFS DEMAND CST INVENTORY LOSS OF CST INVENTORY em
\\/
MlV HUMAN 1010 ERROR FAILURE OF
> 85.
PLUGGED AUTO-SWITCHOVER Mly 1010 LOGIC 4
SHEET 3 0F 21
bL FAILURE b l SUPPLY SUFFICIENT l EF FLOW FROM BOTH EF PUMP l
l TRAINS L
1 1
I I
FAILURE OF FAILURE OF MDP TRAIN TO TDP TRAIN TO SUPPLY SUFFICIENT SUPPLY SUFFICIENT EF FLOW T0 MDP EF FLOW TO TDP A17 DISCHARGE HEADER DISCHARGE HEADER 18 L-l r
'- 1 FAILURE OF FAILURE OF g
17 18 MDP TRAIN TO I l
TDP TRAIN TO l
l SUPPLY SUFFICIENT l l SUPPLY SUFFICIENT l EF FLOW TO MDP EF FLOW TO TDP l DISCHARGE HEADER l l DISCHARGE HEADER g j
m I
I INSUFFICIENT EF INSUFFICIENT EF MDP TDP i
FLOW FROM MDP'S FLOW FROM TDP HEADER HEADER TO MDP DISCHARGE TO TDP DISCHARGE RUPTURE RUPTUP' HEADER HEADER j
s
/2A I
I I
INSUFFICIENT EF INSUFFICIENT EF FLOW FROM MDP A FLOW FROM MDP B TO MDP DISCHARGE TO MsP DISCHARGE HEADER HEADER 19 20 SHEET 4 0F 21
)
______..m.._
M M
M M
M M
M M
M A
-.1--
r AILURE TO SUPPLY l F
l SUFFICIENT EF FLOW l l ASSOCIATED WITH l l
PUMP TRAIN MAINTENANCE
{
FAILURE OF EF FAILURE OF EF FAILURE OF EF FLOW DUE TO FLOW DUE TO FLOW DUE TO TDPIN MDP A IN MDP B IN MAINTENANCE MAINTENANCE MAINTENANCE
/\\
\\/
TDP IN MAINTE-l NANCE l
FAILURE OF MDP l
TRAIN TO SUPPLY SUFFICIENT EF FLOW TO MDP DISCHARGE HEADER 17" SHEET 5 0F 21
M M
M M
M M
M M
M M
M M
kN r FAILURE TO n
! DELIVER SUFFICIENT!
l EF FLOW TO l
{SG A/SG-B/SG-C]
rm FAILURE OF MDP FAILURE OF FLOW DUE TO DISCHARGE AND TDP HEADER MAINTENANCE FLOW PATH TO DISCHARGE VALVE ACTION ON FCV lN SG-A/SG-B /SG-C TO SG A/SG-B/SG-C SG A5G-EL%C LINE uux I
I CV CV CV SG-A/
FAILURE OF MDP FAILURE OF TDP 1009 A/B/C 1038 A/B/C 1039 A/B/C SG-B/SG-C HEADER HEADER FAILS TO FAILS TO F AILS TO PIPING DISCHARGE VALVES DISCHARGE VALVES OPEN OPEN OPEN RUPTURE TO SG A/SG-B/SG-C TO SG A/SG-B/SG-C 11 12 13 4
SHEET 6 0F 21
ll 7
NR1 C AO0 /
1 M
B U
v/
H
! A M
C C /
E B
l P IV/
1 A
2 U M L
7 F
I 1
F 1
0 A
0 7
T C
E
/ D E
B E H
gy/G S
AG p
U 17 L 0P 1
/
1 1
5 NR3 5
AO5 3 MR 3/
M URV1 4
HEC 5F3 M
N 1
5EP 5
M PD MJED 3
l l g
/OM T
E V14OGS PG C
C 5TNE D R F3 I
T 1
M A O G F
5
/SR 5
1 HT S O
L 3
3I U F C
/
/
5AD OS SB E
M V1 3
F I
E -
R 4
C VG U
5 F3 R RLS L
/
/
U E A I
1 A
I D V A
3 L
F 5
AA G
3 FE S
M l l H
/
D 1
4 E
V51 G C 35
/5 G F1 3U M
3 L
5 P
3 M
/
L E
1 O
R 4
U 1R 35 L /5T I
3N A
O F
C 3
M M
C/ O BT N V/ SE M
I 9
CA L P I
1 AO 0F 1
F C
O
/
E B
l RV/
U CA L I 9 IA 01 1
F 9
NR1 C AO0 /
MR1 B URV/
HECA I
l(l ll
M M
M M
M M
M M
M M
M M
M M
J FkURE OF TDP l HEADER DISOiARGE !
l SG-A/SG-B/SG-C l VALVES TO g
FAILURE OF FAILURE OF FAILURE OF ICV FCV MIV 1020 A/B/C 3536/3546/3556 1018 A/B/C em em F^L RE FCV FCV HUMAN HUMAN HUMAN ICV OF p y ERROR 1020 A/B/C 3536/3546/
3535/3546/
3536/3546/3556 ERROR B/
ERROR ICV 1020 FAILS TO 3556 3556 FAtLS TO OPEN FCV 3536/
Mly 1018 A/B/C OPEN CONTROL PLUGGED DURING TDP 3546/3556 A/B/C TEST SHEET 8 0F 21
M M
M M
M M
M M
M M
M M
M i
t, A
A i
l INSUFFICIENT EF INSUFFtCIENT EF l i
l FLOW FROM l
l FLOW FROM l
MDP A TO MDP MDP B TO MDP l DISCHARGE HEADER l l DISCHARGE HEADER L
J L
J i
n
~
l l
l l
^'
T
^'
FAILURE OF FAILURE OF MDP A FAILURE OF F AILURE OF MDP B PROVIDE PROVIDE MDP A DISCHARGE FLOW MDP B DlJCHARGE FLOW SUF FICIEN T SUFFICIENT TO SUPPLY PATH TU MDP TO SUPPLY PxTH TO MDP SUCTION FLOW L
EF FLOW DISCHARGE HEADER EF FLOW DISCHAPGE HE ADER TO MDP A PB 22 3
4 45 r
CV CV MDP A MDP B MIV 1021 A PIP NG 1015 B 1015 A Mlv 1021 B PIPING IAiL$ IO FAIL 5 TO CLOSED RUPTURE CLOSED RUPTURE OPEN i
)
}
r e
i AIV 102) A Miv 1021 B PLUGGED PLUGGED Mly 10 A MI 1 B
1 J
a i
1 SHEET 9 0F 21 I
)
4
A
- r____,
l INSUFFICIENT l EF FLOW FROM l TDP TO TDP l DISCHARGE HE ADER L_
__J 1
I FAILURE OF FAILURE TO FAILURE OF TDP DISCHARGE PROVIDE TDP TO SUPPLY FLOW PATH TO TDP SUFFICIENT SUCTION EF FLOW DISCHARGE HEADER FLOW TO TDP 26 27 ew CV TDP 1016 Mly 1036 PIPING FAILS TO CLOSED RUPTURE OPEN em HUMAN Mlv 1036 ERROR l
PLUCGED Miv 1036 SHEET 10 0F 21
m M
M M
M M
M M
M M
M M
M M
M M
M MdA 1
r-FAILURE OF,
i l
MDP A/B I
l TO SUPPLY l
EF FLOW g I
I F AILURE OF LOSSOF MDP A/B AC TO TO FUNCTION MDP A/B T
I I
MDP A/B MDP A/B HUMAN LOSSOF CONTROL START ERROR BUS IDA/1DB LOSSOF FAILS FAILURE MDP A/B TO RUN MDP A/B COOLING e
I MDP A/B MDP A/B CONTROL BUS FA RE LOSS CONTROL INITI ATION OF BUS OF POWER IO# 00 CIRCUlT F AILUR E BREAKERS FAULT SUPPLY TO BUS FAILS U2) lDA '1DB I
OPERATOR TRAIN A/B FAILS TO INITIATION START FAILS MDP A/B SHEET 110F 21
M M
M M
M M
M
_ J__
l ILURE TO PROVID l SU F FICIENT l
SUCTION FLOW l L TO MDP A/B e
l N TE
^'
EST I H BA KUP SOURCE VALVES INLET EF SUCTION FLOW TO MDP A/B FROM SW LOOP A/B PIPING Fall TO OPEN TO MDP A/B RUPTURE hTA LOSS OF CST EF START INVENTORY r
CV HUMAN 1013 A/B ERROR 101 A/B FAILS TO MIV PLUGGED OPEN 1011 A/B s
FAILURE OF FAILURE OF SW LOOP A/B SW LOOP A/B SUCTION FLOW PATH ISOLATION VALVES
- JNAVAILABLE THRU CV 1034 A/B TO OPEN s
MOV 1001 A/B TRAIN A/B MOV 1037 A'B FAILS TO OPEN INITIA ION FAILS TO OPEN SHEET 12 0F 21 l
W W
M M
M M
i 26 FAILURE OF g
l TDP TO SUPPLY l
EF FLOW l
L ___
_ __ J FAILURE OF FAILURE OF TDP TO STEAM SUPPLY FUNCTION TO TDP 28 m
I FAILURE OF STEAM STEAM SUPPLY INLET LINES B AND C PIPING RUPTURE I
I I
FAILURE OF FAILURE OF STEAM SUPPLY STEAM SUPPLY FROM SG-B FROM SG-C 29 30 i
]
SHEET 13 0F 21
M M
M M
M M
M 7
I 1
FAILURE TO PROVIDE SUFFICIENT l
l SUCTION FLOW l l
TO TDP u_
__J
\\
T FAILURE TO TDP CONDENSATE ESTABLISH BACKUP INLET SOURCE VALVES EF SUCTION FLOW pipisc
)
TO TDP Fall FROM Sws ON LOSS RUPTURE TO OPEN OF CST INVENTORY
/\\
FOO NVENTORY CST AT t'FS START em r
FAILURE TO FAILURE TO CV 1014 HUMAN MIV 1012 ESTABLISH ESTABLISH FAILS TO ERROR PLUGGED BACKUP EF SUCTION BACKUP EF SUCTION OPEN MlV 1012 FLOW FROM SW FLOW FROM SW LOOP A TO TDP LOOP B TO TDP SHEET 14 0F 21
..._._______-...__...__.._..___._........__.m__.._.--.
E E
E E
E A
-l r FAILURE OF,
l l
TDP l
TO FUNCTION l
L_ __.
__ __ J l
FAILURE OF T
TDP FAILS FAILURE p $
TO START OF TDP LUBE 0:L/
DRAIN SYSTEM TO RUN COOLING SYSTEM 4
I I
DRAIN FAILURE TO SUPPLY FAILURE TO j
LINES HUMAN STEAM TO TDP RESET TDP PLUGGED ERROR THROTTLE VALVE THROTTLE VALVE DRAIN l
I TDP AOV 2030 hO F AILURE INITI ATION F AILS TO TDP TO PERFORM FAILURE OPEN THROTTLE IN PLANT RESET VALVE OF TDP
(
I PERATO j
FAILS TO TRAIN A & B l
START INITI ATION TDP F AILS SHEET 15 OF 21
/2M9 r - _1 -
l FAILURE OF l
STEAM SUPPLY FROM SG-B/C L____J O
em FAILURE OF CV MS-B/
FAILURE TO STEAM LINE 2876 A/B MOV 2802 A/B MS-C ISOLATE PRESSURE RELIEF FAILS TO FAILS TO OPEN PIP!NG MAIN STEAM TO CLOSE OPEN RUPTURE LINE B/C HUMAN FAILURE F AILUR E MOV ERROR OF ONE OF FIVE OF MS-B/MS-C 2802 A/B TRAIN A & B 2801 B/C MOV INITIATION FAILS TO MS-B/MS-C SRV'S PORV TO PLUGGED 28M UB FAILS CLOSE TO RESEAT CLOSE SHEET 16 OF 21
M M
,___\\
l lNSUFFICIENT EF FLOW DUE TO l
MAINT EN ANCE g ACTION ON FCV IN SG A/5G-B/5G j C
L LINE T
I I
INSUFFICIENT EF INSUFFICIENT EF FLOW DUE TO FLOW DUE TO MAINTENANCE MAINT ENANCE ON FCV ON FCV 3531/3541/3551 3536 '3546/3556 I
I I
I INSUFFICIENT EF INSUFFICIENT EF FCV FLOW FROM TDP FLOW FRGA unp FCV 3531/3541/
HEADER HEADER 3536/3546/
3551 DISCHARGE TO DISCHARGE TO 2556 in SG A/5G-B/SG-C SG A/5G-B/5G-C IN MAINTE-MAINT E-NANCE NANCE T
T l
l l
l FAILURE OF TDP FAILURE OF TDP FAILURE OF MDP FAILURE OF MDP HEADER DISCHARGE TRAIN TO SUPPLY TRAIN TO SUPPLY HEADER DISCHARGE VALVESTO SUFFICIENT EF SUFFICIENT EF VALVES TO SG A/5G-B/5G-C FLOW TO TDP FLOW TO MDP SG A/SG-B/5G-C (NO TDP TESTING)
DISCHARGE HEADERS DISCHARGE HEADERS (NO MDP TESTING) 34 35 36 18 17 7 38 39
)
5HEET 17 0F 21
M M
M M
M M
M F FAILURE OF TDP l HEADER DISCHARGE!
l VALVES TO l
l (SG.A/5G-B/SG C l L NO TDP TESTING)J
[h l
I FAILURE OF FAILURE OF FAILURE OF ICV FCV MIV
- 020 A/B/C 3536 /3546/3556 1018 A/B/C T
T
^
HUMAN ICV FAllURE FCV HUMAN HUMAN ERROR 1020 A/B/C ERROR 3536/35 /
3556 1018 /B/C ICV F AILS TO FCV 3536.,
MIV PLUGGED 1020 A/B/C OPEN CO T OL 3546/3556 1018 A/B/C SHEET 18 0F 21
E E
E E
E E
E E
E E
M r AILURE OF MDP l F
l HEADER DISCHARGE l l
VALVES TO l
l SG A/5G-B/5G-C l L(NO MDP TESTING)J b
ew I
FAILURE OF FAILURE OF FAILURE OF ICV FCV Mly 1019 A/B/C 3531/3541/3551 1017 A/B/C T
T
^
HUMAN icy FAILURE FCV HUMAN HUMAN ERROR 1019 A/B/C 3531/3541/
ERROR 3 /3541/
1017 /B/C 3551 FCV 3531/
ICV FAILS TO 3551 PLUGGED 1019 A/B/
OPEN CONTROL PLUGGED 3541/3551 1017 A/B/C SHEET 19 OF 21
40 41 p____q I
l FAILURE OF l
l FAILURE OF l
EF FLOW DUE l
l EF FLOW DUE
[
TO MDP B IN TO MDP A IN I
! MAINTENANCE L _ MAINTENANCE ____J L _ _ _ __ _ __ J
(>
rh FAILURE OF TDP FAILURE OF TDP TRAIN TO SUPPLY TRAIN TO SUPPLY FAILURE OF FAILURE OF SUFFICIENT EF SUFFICIENT EF MDP TRAIN MDP TRAIN FLOW TO TDP F '.OW TO TDP DISCHARGE HEADERS DISO ARGE HEADER 8\\
8
\\/
\\/
/\\
/\\
[h (h
MDP A MDP B IN IN MAINT E-MAINT E-NANCE NANCE MDP INSUFFICIENT Map INSUFFICIENT HEADER EF FLOW FROM HEADER EF FLOW FROM MDP B TO MDP RUPTURE MDP A TO MDP RUPTURE DISCHARGE HEADER DISCHARGE HEADER
/a\\
AN SHE. T 20 0F 21 l
i
M,.
r- -
j l
FAILURE TO ESTABLISH l
!BACKUP EF SUCilON g l
FLOW FROM SW g
L_ LOOP A/B TO TDPJ
[
<M FAILURE OF FAILURE OF SW LOOP A/B SW LOOP A/B SUCTION FLOW ISOLATION VALVES UNAVAILABLE PATH THRd TO OPEN CV 1022 A/B em
/
l MOV TRAIN A/B MOV 1037 A/B 1002/1008 INITIATION FAILS TO FAILS TO OPEN FAILS OPEN l
SHEET 210F 21
M M
POO L/W F
M
~
M L
h d
g n
H i
a
- C d
4 W
A M
l t
g M
l F
(
A L
f d
4 e
o d
p p
s e
h so M
t L
r
/
o W
p e
i Y
F l
e 4
a f
M 4
t ta T
M h
L t
I w
L s
o d
I a
L te B
e n
m AS r
s L
es I
e a
T 4
4 4
d p
N n.
e E
e E >
i R h A
R t
L 9
9 9
4 G
G 9
l n
F ley to SP h
ib 9
9 t
is E E a
e G
S I
la t
M v
n 1 U a
e n
TO D
v P
U e IN G H
O G
9 i
is n
O e h U
L d
d t
lH
/
e u
r W
M G
t o
R T M
F i
f n
ES M
g L
B le ME aM s MW e
e S
fo U
s G
e S
w 4
re h
.N o
d M
r T
I L
C. T O
- e VA to R
N F E OP S
9 9
9 G
G S
Ig NO M
ig e
b OF h
4 S
O H
IR T i
A A 4
4 Ig P H M
r M
T W
d O
e O
G CH FM M
T L
I i
G 5W l
9 O
E 4
M R
w U
o L
G I
F M
R n
E s
k e
o y
M t
c d
w t
n le a
U ne t
e N
r n
s e
e o
io b
la t
R l
M n
e v
n s
f la h
P e
o V
c n
a u
m o
fa E
l o
P e
r a
y n
S n
e R.
t P
a e
n e
n n
n g
d O
te r
n ia a
n h
e o
w ie y
A e
a e
e k
a k
v n
B.
k r
w B
e w
a C.
n d
n la le n
j d
o o
o a
n im it r
a a
a i
a r
t a
n t
e i
P C
T r
S N
V H
S Po S
Z Y
T i
K i
B G
s a
e rT W
M
I I
I i
I APPENDIX A I
RESPONSES TO GENERIC RECOTENDATIONS I
I
- I I
' I l
' I g
lI I
I I
l APPENDIX A RESPONSES TO GENERIC RECOMMENDATIONS i
1.0 GENERAL i
This section identifies short-term and long-term generic recommendations in terms of the concerns and the recommendation
.j details, and indicates the specific responses for the V. C. Summer Nuclear Station.
i 2.0 SHORT-TERM GENERIC RECOMMENDATIONS i
i 2.1 TECl[NICAL SPECIFICATION TIME LIMIT ON AFW SYSTEM TRAIN OUTAGE j
Concern Several of the plants reviewed have Technicial Specifications that i
i
}
permit one of the AFW system trains to be out of cervice for an indefinite time period.
Indefinite outage of one train reduces the defense-in-depth provided by multip1m AFW system trains.
II 1
Recommendation GS-1 1
The licensee should propose modifications to the Technical Specifications to limit the time that one AFW system pump and its associated flow train and essential instrumentation caa be j
The outage time limit and subsequent action time should be as required in current Standard Technical Specifications; i.e.,
72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />, respectively.
5 iB jB
Response
V. C. Summer Technical Specification 3.7.1.2 complies.
i c4micommm..u A-1 A
lI l
j
- .2 TECHNICAL SPECIFICATION ADMINISTRATIVE CONTROLS ON MANUAL VALVES -
,I LOCK AND VERIFY POSITION 1
Concern 4
Several of the plants reviewed use a single manual valve or multiple valves in series in the common suction piping betweert the primary j
water source and the AFW system pump suction. At some plants, the valves are locked open, while at others, they are not locked in position.
If the valves are inadvertently left closed, the AFW I
system would be inoperable, because the water supply to the pumps would be isolated. Since there is no remote valve position 1
indication for these valves, the operator has no immediate means of determining valve position.
I i
Further, the Technical Specifications for plants with locked-open manual valves do not require periodic inspection to verify that the 1
~
valves are locked and in the correct position. For most plants where
- m the valves are not locked open, valve position is verified on some I
periodic basis.
4 j
Recommendation GS-2 lI l
The licensee should lock open single valves or multiple valves in 1g series in the AFW system pump suction piping and lock open other
- M single valves or multiple valses in series that could interrupt all i
i AFW flow. Monthly inspections should be performed to verify that these valves are lockei and in the open position. These inspections should be proposed fo; incorporation into the surveillance requirements of the plant Technical Specifications.
See j
Recommendation GL-2 for the longer-term resolution of this concern.
!;I
Response
J See long-term item 4.2 (GL-2).
i
'I 1
%tnlCowonetaC d-2 l
I I
2.3 AW SYSTEM FLOW THROTTLING-WATER HA>D!ER I
Concern l
Several of the plants reviewed apparently throttle down the AFW system initial flow to eliminate or reduce the potential for water hammer.
In such cases, the overall reliability of the AFW system can be adversely affected.
I Recommendation GS-3 The licensee has stated that it throttles AFW system flow to avoid water hammer. The licensee should reexamine the practice of throttling AFW system flow to avoid water hammer.
The lirar ee should verify that the AFW system will supply on demand sufficient initial riow to the necessary stam generators to assure adequate decay heat removal following loss of main feedwater flow and a reactor trip from 100 percent power.
In cases where this reevaluation results in an increase in initial AFW system flow, the license should provide sufficient information to demonstrate that the required initial AFW system flow will not result in plant damage due to water hammer.
Response
The EF system is not throttled to avoid water hammer.
I 2.4 EMERGENCY PROCEDURES FOR INITIATING EACKUP WATER SUPPLIES Concern I
Most of the plants do not have written procedures for transferring to alternate sources of AFW supply if the primary supply is unavailable I
or exhausted. Without specific criteria and procedures for an I
G.ee t /Commcc*ea-th A-3
l' 1
I I
operator to follow to transfer to alternate water sources, the primary supply could be exhausted and result in pump damage or a long interruption of AFW flow.
I Recommendation GS-4 Emergency procedures for transferring to alternate sources of AFW supply should be available to the plant operators. These procedures should include criteria to inferm the operators when, and in what crder, the transfer to alternate water sources should take place.
The following cases should be covered by the procedures:
I (1) The case in which the primary water supply is not initially available. The procedures for this case should include any operator actions required to protect the AFW system pumps against self-damage before water flow is 3..i t ia ted.
(2) The case in which the primary water supply is being depleted.
I The procedure for this case should provide for transfer to the
)
alternate water sources prior to draining of the primary water supply.
Response
I South Carolina Electric and Gas Co. procedures provide criteria for transfer *o the alternate water source in the abovc cases.
2.5 EMERGENCY PROCEDURES FOR INITIATING AFW FLOW FOLLOWING A COMPLETE l
l LOSS OF ALTERNATING CURRENT P0kIR I
Concern Some operating plants depend on ac power for all sources of AFW system supply, including the turbine-driven pump train.
In the event I
of loss of offsite and onsite ac power, ac-dependent lube oil supply I
Gatst /Camreneeac d-A
I I
or lube oil cooling for the pump will stop, and/or manual actions are required to initiate the AFW flow from the turbine-driven pump by manually opening the turbine steam admission valve and/or AFW system flow control val,es.
There are no procedures available to the plant I
operators for AFW system initiation and control under these conditions. This could result in a considerable time delay for AFW system initiation, since the operators would not be guided by procedures dealing with this event.
I Recommendation GS-5 I
The as-built plant should be capable of providing the required AFW flow for at. least two hours from one AFW pump train, independent of any ac power source. If manual AFW system initiation or flow control is required following a complete loss of ac power, emergency procedures should be established for manually initiating and
~
controlling the system under these conditions. Since the water for I
cooling of the lube oil from the turbine-driven pump bearings may be t' pendent on ac power, design or procedural changes shall be made to elim.. ate this dependency as soon as practicable. Until this is d ae, the emergency procedures should provide for an individual to be stationed at the turbine-driven pump in the event of the loss of all ac power to monitor pump bearing and/or lube oil temperatures.
If necessary, this operator would operate the turbine-driven pump in an on-off mode until ac until ac power is restored. Adequate lighting powered by direct current (ac) power sources and communications at local stations should also be provided if manual initiation and control of the AFW syste.a is needed.
(See Recemmendation GL-3 for the longer-term resolution of this concern).
I
Response
See long-term item 4.3 (GL-3).
I I
G. tert /Ccmmeta th l
A-5
2.6 AFW SYSTEM FLOW DATH VERIFICATION Concern Periodic testing of the AFW system is accomplished by testing of individual components of one flow train (periodic pump recirculation l
flow test or automatic valve actuation), thus altering the normal AFW l
system flow path (s). The flow capability of the entire AFW system, j
or at least one integral AFW system train, is only demonstrated on system demand following a transient, or if the AFW system is used for normal plant startup or shutdown.
Recent Licensee Event Reports indicate a need to improve the quality of system testing and maintenance.
Specifically, periodic testing and maintenance procedures inadvertently result in (1) more than one AFW system flow train being unavailable during the test, or (2) the AFW system flow train under test not being properly restored to its I
operable condition following the test or maintenance work. The Office of Inspection and Enfo. cement has taken action to correct Item (1); the recommendation below is made to correct Item (2).
)
Recommendation GS-6 The licensee should confirm flow path availability of an AFW system flow train that has been out of service to perform periodic testing or maintenance as follows:
i i
(1) Procedures should be implemented to require an operator to l
determine that the AFW system valves are properly aligned and a second oparator to independently verify that the valves are properly aligned.
i I
I l
i
(
GeitetlCammonwes')
I
!I I
(2) The licensee should propose Technical Specifications to assure that, prior to plant startup fol'owing an extended cold shutdown, a flow test would be performed to verify the normal flow path from the primary AFW system water source to the steam generators. The flow test should be conducted with AFW system I
valves in their normal alignment.
- I
Response
Station Surveillance Test Procedures STP-120.001, " Surveillance Testing of Motor Driven Emergency Feedwater Pump (s)", STP-120.002,
" Surveillance Testing of Turbine Driven Emergency Feedwater Pump",
and STP-120.003, " Surveillance Testing Emergency Feedwater Month Valve Alignment Verification", are the applicable Surveillance Test Procedures. These procedures address the requirements of Technical Specification Limiting Condition for Operating 3.7.1.2 and 3.7.1.3.
The last step of STP-120.001 and STP-120.002 requires independent I
verification that the Emergency Feedwater System has been returned to procedure designated status at the completion of the test.
STP-120.003 relates to verification that the salves are in procedure designated status. These procedures insure that the system is t' turned to the proper configuration after maintenance and testing.
Act tal flow to the steam generators is verified every startup and shut o wn by using the Emergency Feedwater System to supply flow to the ste m generators.
2.7 NON-SAFETY GRADE, NON-REDUNDANT AFW SYSTEM AUTOMATIC INITIATION I
SIGNALS Concern Some piants with an automatically initiated AFW system utilize some init;ation signals that are not safety grade, do not meet the single failure criterion, and are not required by the Technical I
Specifications to be tested periodically. This can result in reduced reliability of the AFW system.
A-7
I l
Recommendation GS-7 The licensee should verify that the automatic start AFW system g
signals and associated circuitry are safety grade.
If this cannet be B
verified, the AFW system automatic initiation system should be I
modified in the short-term to meet the functional requirements listed below. For the longer-term, the automatic initiation signals and j
circuits should be upgraded to meet safety grade requirements, as indicated in Recommendation GL-5.
(1) The design should provide for the automatic initiation of the I
AFW system flow.
(2) The automatic initiation signals and circuits should be designed j
so that a single failure will not result in the loss of AFW system function.
(3) Testability of the initiation signals and circuits shall be a l
i feature of the design.
(4) The initiation signals and circuits should be powered from the emergency buses.
(5). Manual capability to initiate the AFW system from the control room should be retained and should be implemented so that a i
single failure in the manual circuits will not result in the loss of system function.
l (6) The ac metor-driven pumps and valves in the AFW system should be i:.cluded in tne automatic actuation (simultaneous and/or sequential) of the loads to the emergency buses.
I (7) The automatic initiation signals and circuits shall be designed so that their failure will not result in the loss of manual capability to initiate the AFW system from the control room.
I A-8 l
I I
i
Response
See long-term item
'.5 (GL-5).
2.8 AUTOMATIC INITIATION OF AFW SYSTEMS I
Concern For plants with a manually initiated AFW system, there is the j
potential for failure of the operator to manually actuate the system following a transient in time to maintain the steam generator water
- E level high enough to assure reactor decay heat removal via the steam i
generator (s). While IE Bulletin 79-06A requires a dedicated individual for W-designed operating plants with a manually initiated AFW system, further action should be taken in the short-term. This concern is ident.ical to Item 2.1.7a of NUREG-0578.(13) lim Recommendation CS-8 g
i i
f The licensee should install a system to automatically initiate AFW syst_m flow. This system need not be safety grade; however, in the 1
l short-term, it -hould meet the criteria listed below, which are 1
j similar to Item 2.1.7a of NUREG-0578.(13) For the longer-term, the automatic initiation signals and circuits should be upgraded to meet safety grade reyuirements, as indicated in Recommendation GL-2.
t l
(1) The design should provide for the automatic initiation of the AFW system flow.
I (2) The automatic initiation signals and circuits should be designed so that a single failure will not result in the loss of AFW
[
system function.
(3) Testability of the initiation signals and circuits should be a I
feature of the design.
ce.itcmnen.nu A-9
i ll l
(4) The initiating signals and circuits should be powered from the 1
emergency buses.
t l
(5) Manual capability to initiatate the AFW system from the control l
room should be retained and should be implemented so that a i
single failure in the manual circuits will not result in the loss of system function.
I l
(6) The ac motor-driven pumps and valves in the AFW system should be f
included in the automatic actuation (simultaneous and/or jg sequential) of the loads to the emergency buses.
43 i.
1 (7) The automatic initiation signals and circuits should be designed so that their failure will not result in the loss of manual i
capability to initiate the AFW system from the control room.
i I
i 4
j
Response
I See long-term item 4.1 (GL-1).
i 3.0 ADDITIONAL SlIORT-TERM RECOTIENDATIONS i
j 3.1 PRIMARY AFW WATER SOURCE LOW LEVEL ALAFl!
I' Concern
}
Plants which do not have level indication and alarm for the primary f
water source may not provide the operator with sufficent information l
to properly operate the AFW system.
i 4
{
Recommendation 1
l The licensee should provide redundant level indication and low level alarms in the control room for the AFW system primary water supply, jg to allow the operator to anticipate the need to make up water or t
GJteet /Ccinmonewth
}
A-10 1
I 4
!I
{
transfer to an alternate water supply and prevent a low pump suction pressure condition from occurring. The low level alarm setpoint should allow at least 20 minutes for operator action, assuming that
{
the largest capacity AFW pump is operating.
l
Response
l>1ENDATIONS 4.1 AUT0!!ATIC INITIATION OF AFW SYSTE!!S i
I l
Concern i
This concern is the same as short-term generic Recommendation GS-8; namely, failure of an operator to actuate a manual start AFW system i
C~mert ICemcesesc A-13 i
in time to maintain steam generator water level high enough to assure reactor decay heat removal via the steam generator (s).
Recommendation GL-1 For plants with a manual starting AFW system, the licensee should install a system to automatically initiate the AFW system flow.
This system and associated automatic initiation signals should be designed and installed to meet safety grade requirements. Manual AFW system start and control capability should be retained with manual start serving as backup to automatic ATW system initiation.
I
Response
\\
The V. C. Summer Nuclear Station EFS is automatically initiated.
I 4.2 SINGLE VALVES IN THE AFW SYSTEM FLOW PATH Concern This concern is the same as short-term generic Recommendation GS-2; namely, AFW system inoperability due to an inadvertently closed manual valve that could interrupt all AFW system flow.
Recommendation GL-2 Licensees with plant designs in which all (pr,imary and alternate) water supplies to the AFW systems pass through valves in a single flow path, should install redundant parallel flow paths (piping and valves).
I Licensees with plant designs in which the primary AFW system water supply passes through valves in a single flow path, but the alternate AFW system water supplies connect to the AFW system pump suction piping downstream of the above valve (s), should install redundant A-14
ll valves parallel to the above valve (s) or provide automatic opening of the valve (s) from the alternate water supply upon low pump suction pressure.
)
The licensee should propose Technical Specifications to incorporate appropriate periodic inspections to verify the valve positions into i
the surveillance requirements.
Response
In the EFS design, the primary EFS water supply passes through a valve, 101C-EF, in a single flow path, but the alternate EFS water 4
I j
supply connects to the EF pump suction piping downstream of the above i
valve. Automatic opening of the valves from the alternate water I
supply, Service Water System, upon low pump suction pressure is l
provided. Also, valve 1010-EF has a limit switch which, through the l
BISI system, is alarmed in the control room when it is not in the 1
i full open position.
Periodic inspections to verify the valve position will be incorporated into the surveillance requirements of the Technical 3
Specifications.
II j
4.3 ELI?!INAT10N OF AFW SYSTE!! DEPENDENCY ON ALTERNATING CURRENT POWER i
FOLLOWING A C0!!PLETE LOSS OF ALTERNATING CURRENT POWER
?
t Concern This concern is the same as short-term generic Recontmendation GS-5; namely, delay in initiation of AFW system operation or maintaining l
AFW system operation following a postulated loss of onsite and j
offsite ac power; i.e.,
ac power blackout.
l lI MYfdM l
A-15 i
1
.iI i
iI l
Recommendation GL-3 I
At least one AFW system pump and its associated flow path and 4
essential instrumentation should automatically initiate AFW system flow and be capable of being operated independently of any ac power l
source for at least two hours. Conversion of de power to ac power is acceptable.
Response
I i
The turbine driven EF pump and its associated flow path and essential I
instrumentation automatically initiate EFS flow and are capable of j
i being operated independent of any ac power source for at least two hours.
1 I
4.4 PREVENTION OF MULTIPLE PUMP DAM.tGE DUE TO LOSS OF SUCTION RESULTING FROM NATURAL PHENOMENA s
l
,I Concern I
In many of the operating plants, the aormal water supply to the AFW j
system pumps (including the interconnected piping) is not protected from earthquakes or tornadoes. Any natural phenomenon severe enough j
to result in a loss of the water supply could also be severe enough to cause a loss of offsite power with loss of main feedwater,
{
resulting in an automatic initiation signal to start the AFW system pumps.
The pumps would start without any suction head, leading to cavitation and multi le pump damage in a short period of time, 1
l possibly too short t>r the operators to take action that would protect the pumps. This may lead to unacceptable consequences for j
some plants, due to a complete loss of feedwater (main and i
auxiliary).
l l
51bert lCammcreta n A-16 e
lI I
lI i
Recommendation GL-4 4!I Licensees having plants with unprotected normal AFW system water supplies should evaluate the design of their AFW systems to determine lI if automatde protection of the pumps is necessary following a seismic event or a tornado. The time available before pump damage the alarms and indications available to the control room operator, and the time necessary for assessing the problem and taking action should be considered in determining whether operator action can be relied on to j
prevent pump damage. Consideration should be given to providing pump protection by means such as automatic switchover of the pump suctions I
to the alternate safety grade source of water, automatic pump trips on low suction pressure, or upgrading the norma; source of water to meet Seismic Category I and tornado protection requirements.
1
Response
1 1
)
Automatic swithcover of the pump suction to the alternate 1
l safety grade source of water is being provided to provide protection for the FF pumps.
!I l
4.5 NON-SAFETY GRADE, NON-REDUNDANT AFW SYSTEM AUTOMATIC INITIATION SIGNALS 1
Concern I
i Thia concern is the same as short-term generic Recommendation GS-7; j
namely, reduced AFW system reliability as a result of use of l
non-safety grade, non-redundant signals, which are not periodically tested, to automatically initiate the AFV system.
j Recommendation GL-5 l
i The licensee should upgrade the AFW system autcmatic initiation signals and circuits to meet safety grade requirements.
1 5.ite::commer.uc A-17 4
1lI i
t i
Response
I The EFS automatic initiation signals and circuits are redundant and l
meet safety grade requirements.
In addition, a non-safety grade, i
anticipatory signal, from a trip of all main feedwater pumps, is used to start the two motor driven emergency feedwater pumps.
I 1
i JlI
!I 4
I
!lI 1
' I I
i I
I l
Sec.zamnum a,
j A-18 i
L u
'I APPENDIX B l
BASIS OF AUXILIARY FEEDWATER SYSTEM FLOW REQUIRE?ENTS - WESTINGHOUSE RESPONSES TO NRC QUESTIONS I
l I
I I
I I
I I
I Steet /Ocmmpees 3 I
t - - - - - - - - - - -
Question 1 a.
Identify the plant transient and accident conditions considered in establishing AFWS flow requirements, including the following events:
1)
Loss of Main Feed (UffW) 2)
DifM w/ loss of offsite ac power 3)
LMFW w/ loss of onsite and offiste ac power 4)
Plant cooldown 5)
Turbine trip with and without bypass 6)
Main steam isolation valve closure 7)
Main feed line break 8)
Main steam line break
- I.
9)
Small break LOCA
- 10) Other transient or accident conditions not listed above.
b.
Describe the plant protection acceptance criteria and corresponding technical bases used for each initiating event identif'_ed above. The I
acceptance criteria should address plant limits such as:
1)
Maximum RCS pressure (PORV or safety valve actuation)
I 2)
Fuel temperature or damage limits (DNB, PCT, maximum fuel central
)
temperature) e 3)
RCS cooling rate limit to avoid excessive coolant shrinkage 4)
Minimum steam generator level to assure sufficient steam generator l
heat transfer surface to remove decay heat and/or cool down the primary system.
Response to 1.a l
The Auxiliary Feedwater System (Emergency Feedwater System (EFWS) in the Virgil C. Summer Plant) serves as a backup system for supplying feedwater to I
l B-1 1
~
I I
the secondary side of the steam generators at times when the feedwater system is not availa' ale, thereby maintaining the heat sink capabilities of the steam generator.
As an Engineered Safeguards System, the Emergency Feedwater System is directly
'ed upon to prevent core damage and system overpressurization in the event of transients such as loss of normal feedwater or a secondary system pipe r-
.re, and to provide a means for plant cooldown following any plant I
Following a reactor trip, decay heat is dissipated by evaporating water in the steam generators and venting the generated steam either to the condensers through the steam dump or to the atmosphere through the steam generator safety valves or the power-operated relief valves.
Steam generator water inventory must be maintained at a level sufficient to ensure adequate heat transfer and continuation of the decay heat removal process. The water level is maintained under these circumstances by the Emergency Feedwater System which delivers an emergency water supply to the steam generato s.
TL Emergency Feedwater System must be capable of functioning for extended periods, allowing time either to restore normal feedwater flow or to proceed with an orderly cooldown of the planttothereactorcoolangtemperaturewheretheResidualHeatRemovalSystem can assume the burden of decay heat rezo' al.
The Emergency Feedwater System I
flow and the emergency water supply capacity must be sufficient to remove core decay heat, reactor coolant pump heat, and sensible heat during the plant cooldown. The Emergeacy Feedwater System can also be used to maintain the steam generator water levels above the tubes following a LOCA.
In the latter function, the water head in the steam generators serves as a barrier to prevent leakage of fission products from the Reactor Coolant System into the secondary
,I plant.
- ESIGN CONDITIONS The reactor plant conditions which impose safety-related performance requirements on the design of the Emergency Feedwater System are as follows for the Virgil C. Swnmer plant:
I I
I b
iI i
Loss of Main feedwater Transient Lass of main feedwater with offsite power av&_'cble i,
Station blackout (i.e., loss of main feedwater without offsite power available) l 1
Secondary System Pipe Ruptures il j
Feedline rupture Steamline rupture i
i Loss of Coolant Accident (LOCA) 1 l
l i
Cooldown
!I Loss of Main Feedwater Transients lI l
The design loss of main feedwater transients are those caused by:
i Interruptions of the Main Feedwater System flow due to a malfunction in i
lI the feedwater or condensate system Loss of offsite power or blackout with the consequential shutdown of the i
system pumps, auxiliaries, and controls Loss of main feedwater transients are characterized by a rapid reduction in j
steam generator water levels which results in a reactor trip, a turbine trip, 1
and emergency feedwater actuation by the protection system logic. Following s
reactor trip f rom high power, the power quickly falls to decay heat levels.
4 The water levels continue to decrease, progressively uncovering the steam s
generator tubes as decay heat is transferred and discharged in the form of l
steam either through the steam dump valves to the condenser or through the
(
steam generator safety or power-operated relief valves to the atmosphere. The l
l reactor coolant temperature increases as the residual heat in excess of that I
l G.wt!Cowan* earth B-3 L
I dissipated through the steam generators is absorbed. With increased temperature, the volume of reactor coolant expands and begins filling the pressurizer. Without the addition of sufficient emergency feedwater, further expansion will result in water being discharged through the pressurizer safety and relief valves.
If the temperature rise and the resulting volumetric expansion of the primary coolant are permitted to continue, then (1) pressurizer safety valve capacities may be exceeded causing overpressurization of the Reactor Coolant System and/or (2) the continuing loss of fluid from the primary coolant system may result in bulk boiling in the Reactor Coolant System and eventually in core uncovering, loss of natural I
circulation, and core damage.
If such a situation were ever to occur, the Emergency Core Cooling System would be inef fectual because the primary coolant system pressure exceeds the shutoff head of the safety injection system pumps, the nitrogen over-pressure in the accumulator tanks, and the design pressure of the Residual Heat Removal Loop. Hence, the timely introduction of sufficient emergency feedwater is necessary to arrest the decrease in the steam generator water levels, to reverse the rise in reactor coolant temperature, to prevent the pressurizer from filling to a water solid condition, and eventually to establish stable hot standby conditions. Subsequently, a decision may be made to proceed with plant cooldown if the problem cannot be satisfactorily I
corrected.
The blackout traasient differs from a simple loss of main feedwater in that emergency power sources must be relied upon to operate vital equipment. The loss of power to the electric driven condenser circulating water pumps results in a loss of condenser vacuum and condenser dump valves. Hence, steam formed by decay heat is relieved through the steam generator safety valves or the I
power-operated relief valves. The calculated transients are similar for both the loss of main feedwater and the blackout, except that reactor coolant pump heat input is not a consideration in the blackout transient following loss of power to the reactor coolant pump bus.
I The station blackout transient serves as the basis for the minimum flow required for either the two motor driven pumps acting together or the turbine I
driven pump itself for the EFWS for the Virgil C. Summer plant. The pumps are I
B-4
!I i
sized so that they will provide s
- ient flow against the steam generator
)
safety valve set pressure (wit:
,. accumulation) via the above groupings to prever<t water relief from the pressurizer. The same criterion is met for the jg loss of feedwater transient where A/C power is available.
ig i
Secondary System Pipe Ruptures lI The feedwater line rupture accident not only results in the loss of feedwater flow to the steam generators but also results in the complete blowdown of one steam generator within a short time if the rupture should occur downstream of i
the last nonreturn valve in the main feedwater piping to an individual steam I
generator. Another significant result of a feedline rupture may be the pumping of emergency feedwater to the faulted steam generator through the connection which is separate from the main feedwater nozzle.
Such situations can result in the pumping of a disproportionately large fraction of the total emergency feedwater flow to the faulted steam generator and out the break because the system preferentially pumps water to the lowest pressure steam generator rather than to the effective steam generators which are at relatively high pressure.
The system design aust allow for terminating, limiting, or minimizing that fraction of emergency feedwater flow which is delivered to a faulted loop in 1
order to ensure that sufficient flow will be delivered to the remaining effective steam generator (s). The concerns are similar for the main feedwater line rupture as those explained for the loss of main feedwater transients.
Main steamline rupture accident conditions are characterized initially by plant cooldown and, for breaks inside contairment, by increasing containment pressure and temperature.
Emergency feedwater is not needed during the early phase of I
the transient but flow to the faulted loop will contribute to the rei me of I
mass and energy to containment. Thus, steamline rupture conditions establish the upper limit on emergency feedwater flow delivered to a faulted loop.
Eventually, however, the Reactor Coolant System will heat up again and i
emergency feedwater flow will be required to be delivered to the unfaulted loops, but at somewhat lower rates than for the loss of feedwater transients described previously.
Provisions must be made in the design of the Emergency I
Feedwater System to limit, control, or terminate the emergency feedwater flow I
1 Swtmmcuno B-5
l I
to the faulted loop as necessary in order to prevent containment overpressurization following a steamline break inside containment, and to ensure the minimum flow to the remaining unfaulted loops.
I Loss-of-Coolant Accident (LOCA)
The loss of coolant accidents do not impose on the emergency feedwater system any flow requirements in addition to those required by the other accidents addressed in this response. The following description of the smal.1 LOCA is provided here for the sake of completeness to explain the role of the emergency feedwater system in this transient.
Small LOCA's are characterized by relatively slow rates of decrease in reactor coolant system pressure and liquid volume. The principal contribution from the Emergency Feedwater System following such small LOCAs is basically the same as the system's function durins hot shutdown or following spurious safety injection signal which trips the reactor. Maintaining a water level inventory in the secondary side of the steam generators provides a heat sink for removing decay heat and establishes the capability for providing a buoyancy head for natural circulation. The emergency feedwater system may be utilized to assist I
in a system cooldown and depressurization following a small LOCA while bringing the reactor to a cold shutdown condition.
I Cooldown I
The cooldown function performed by the Emergency Feedwater System is a partial one since the reactor coolant system is reduced from normal zero load I
temperatures to a hot leg temperature of approximately 350 F.
The latter is the maximum temperature recommended for placing the Residual Heat Removal System (RIIRS) into service. The RHR system completes the cooldown to cold shutdown conditions.
Cooldown may be required following expected transients, following an accident I
such as a main feedline break, or during a normal cooldown prior to refueling or performing reactor plant maintenance.
If the reactor is tripped following I
3-6
i i
I extended operation at rated power level, the EFS is capable of delivering sufficient emergency feedwater to remove decay heat and reactor coolant pump (RCP) beat following reactor trip while maiataining the steam generator (SG)
[
l water level. Following transients or accidents, the recommended cooldown rate is consist,t with expected needs and at the same time does not impose additional requirements on the capacities of the emery,ency feedwater pumps, considering a single failure.
In any event, the process consists of being able l
to dissipate plant sensible heat in addition to the decay heat produced by the reactor core.
Response to 1.b.
Table 1B-1 summarizes the criteria which are the general design bases for each event, discussed in the response to Question 1.a., above. Specific assumptions used in the analyses to verify that the design bases are met are discussed in response to Question 2.
I The primary function of the Emergency Feedwater System is to provide sufficient heat removal capability for heatup accidents following reactor trip to remove the decay heat generated by the core and prevent system overpressurization.
Other plant protection systems are designed to meet short term or pre-trip fuel failure criteria. The effects of excessive coolant shrinkage are bounded by the analysis of the rupture of a main steam pipe transient. The maximum flow requirements determined by other bases are incorporated into this analysis, resulting in no additional flow requirements.
I I
I I
b-7
1 i.
.c s.
<J
'C y y 1
3: O CW L C X
ya b
- L M C
3 0
- C U C-
.J 6
E LL
= D C
E
+ = =
\\
.J U C4 Q
V.
U =
U C > W aO ut W 4
i
- -
- L
- A C
C E W 1 W EO U
=
",, C XA
'A *C k'A C
.J C.
~
L 2
D 4
'A O %
N O C
~:.
(
L "O
C U
.J d t C
4 O
J > M C
U >
C
'3
.J
% C.~ C C
- 3 **
in U2 y EL
-* b m
X i
5 N
"; *'O "O
O E A
-l C
N L
U L C
- a j
C L
L C O
'A C
=
.J m "O
M 4
'A
= W C b.
"ll r3 C N
0 C C
.J A
% % <C Dm
-m C
v3 2,2 r.
U U.
CO N s'A 3-C G
~
- O Ce 6 &
L E 6 a
- J
'O Wd = =
0 m:
C to C -*
L D
.J G
TA
.J
-D C
LM
'~
i 4
e C.
O E O l
C C
~
V.
~
i 6
J M
L O
ad i
i C u)
G E
.J
=
CC 2 C
@ E i
6 C
3 l
=
C
=
v3 6
5 G 1
l CC
.J
<a U3 a
k L U l
C "n O
C o
D 1
~
m
.J k
u L -.n O
C = W u: O V2 u
z V.
s 1
O Z
J
.J O
e
.s 05 h
l
'A -~
~~
~ %
.- m
-. x
.J v 1 E
C 0 0 L
..E C0 E:
..E J
-E.s C
-a c31 6 w m
Q g L
-m y:
.J
- l O '+.
-4 m
E E
XQ
- :n A
m D
L A
L
.J
~
f h C
U1 =m Q "O 0 6 y
t-O..a CO *A w
0 r.C c C
M
'O M L V2 V:
O E 6 i
u
%M
.J
-p C rJ Q C
C t-O t--
u O U
~
% ~*
C~
"O
'C U
- U
.J l
Er.: C U
L =
0 0 OC L
L-J us t/: "O L
Un C E 4 C
-v
- l C
C C
O c 1 O U
=
C O
C
- L CC CC
'A w U A
i
< 3
%7 0"
-.
- X O **:l a t.n
- to C
a d
i-= ";
C 4 L
Z c0
% "; C Cll Z
- Y W.,
A 1 i
0
.:d 0 A E
A
.s A
O 0
A%
6A
.s
- x l
l L
CO V C
U
=J U "A V
.J UU UU A
e a
A L X C C C C CU X C
CC CC L
A O Q v
- V O
-X O
Z C.
4 0 h
O
.O.
-s.>-
L c
X
?
..l m
.s t
.=!
t e E
Oi
+
O
=-
L a 0 W
-*j J.
z u
,6 ci 3
3
. C.,
3 ~.~
C 3
3 3
I.,,
n s.,,
l n
l
.J a
a
.J J
.J s
.- n t
.3 i
.: e b
ml O
7 7
5 0
O E
.J j
4 c!
O
=
<O
=
=
L s = =
j
-l 0
C C
C N
C 0
N
.O.
O > 0 Ui U
U U
U 2
U U
z 4
..a
- ,, c.-
u v:
l U
zJ =
O C 7 i
3 0 : L u
s 1
d Z
4 j
.J -
L F
.m 3
4 2
C L
v A
e l
0I
.J 0
- Z4
.-l n
3 i
n.
. =, = >
1 M.
3 C
L L
cc
.s Q
"3 ;
O
.J L
L i
Li 0
C w
U
.J Z x
.c l
Hj 6
C 2
N 0 OL-i x
O
- C ki
^<
~
'A a
.s 3
O Z., = A O'
.J Z
.C.
<t*
0 -
,,. 0
. ~~
~
s=w aW g
v w
.a b
W 9
M i W.
.J Om O
C 0
-.-0 3
E I
' 1
.J T'
0; V Z
- 7 V.
e.
A
.'s O
O Od a
I.
A O
L O
C C
0 O'
Jv V.
7.
6 4
y Z
C 4ectlDmmct eeac B-8 l
lI i
Question 2 Describe the analyses and assumptions and corresponding technical justification i
used with plant condition considered in 1.a. above including:
I a.
Maximum reactor power (including instrument error allowance) at the time of the initiating transient or accident.
l t
b.
Time celay from initiating event to reactor trip.
1 i
t j
Plant parameter (s) which initiates AFWS flow and time delay between initiating event and introduction of AFWS flow into steam generator (s).
d.
Minimum steam generator water level when initiating event occurs.
e.
Initia) steam ge tor water inventory and depletion rate before and after AFWS flow commences -- identify reactor decay heat rate used.
il i
f.
Maximum pressure at which steam is released from steam generator (s) and against which the AFW pump must develop sufficient head.
i l'
g.
Minimum number of steam generators that must receive AFW flow; e.g.,
1 out c' 2? 2 out of 4?
h.
RC flow condition -- continued operation of RC pumps or natural circulation.
i.
Maximum AFW inlet temperature.
j.
Following a postulated steam or feed line break, time delay assumed to j
isolate break and direct AFW flow to intact steam generator (s). AFW pump l
flow capacity allowance to accommodate the time delay and maintain minimum l
steam generator water level. Also identify credit taken for primary system heat removal due to blowdown.
see uccmmnew.
B-9 I - - -
i 6
i j
k.
Volume and maximum temperature of water in main feed lines between steam generator (s) and AFWS connection to main feed line.
1.
Operating condition cf steam generator normal blowdown following initiating event.
i
)
m.
Primary and secondary system water and metal sensible heat used for a
j cooldown and AFW flow sizing.
j n.
Time at hot standby and time to cooldown RCS to RHR system cut in 4
temperature to size AFW water source inventory.
I Response to 2 I
i l
Analyses have been performed for the limiting transients which define the EFS j
performance requirements. These analyses have been provided for review in the f
Virgil C. Summer FSAR. Specifically, they include:
I Loss of Main Feedwater (Station Blackout) 1 Rupture of a Main Feedwater Pipe l
Rupture of a Main Steam Pipe Inside Containment l
i
. In addition to the above analyses, calculations have been performed l
I specifically for the Virgil C. Summer plant to determine the plant cooldown flow (storage capacity) requirements. The Loss of All ac Power is evaluated 1
via a compar2 on to the trar.sient results of a Blackout, assuming an available j
emergency pump having a diverse (non-ac) power supply. The LOCA analysis, as l
discussed in response 1.b., incorporates the system flow requirements as l
defined by other transients, and therefore is not performed for the purpose of f
specifying EFS tiow requirements. Each of the analyses listed above are explained in further detail in the following sections of this response.
il G.sen!Camccsww B-10
I I
Loss of Main Feedwater (Blackout)
I A loss of feedwater, assuming a loss of power to the reactor coolant pumps, was performed in FSAR Section 15.2.8 for the purpose of showing that for a station blackout transient, either two motor driven or one turbine driven emergency feedwater pump delivering flow to two steam generatores does not result in filling the pressurizer. Furthermore, the peak RCS pressure remains below the criterion for Condition II transients and no fuel failures occur (refer to Table IB-1).
Table 2-1 summarizes the assumptions used in this analysis. The transient analysis begins at the time of reactor trip. This can be done because the trip occurs on a steam generator level signal, hence the core power, temperatures and steam generator level at time of reactor trip do not depend ou the event sequence prior to trip. Although the time from the loss of feedwater until the reactor trip occurs cannot be determined from this analysis, this delay is expected to be 20-10 seconds. The analysis assumes that the plant is initially operating at 102% (calorimetric error) of the Engineered Safeguards design (ESD) rating shown on the table, a very conservative assumption in defining decay heat and stored energy in the RCS.
The reactor is assumed to be tripped on low-low steam generator level, allowing for level uncertainty. The FSAR shows that there is margin with respect to filling the pressurizer. A loss of normal feedwater transient with the assumption that the two smallest emergency feedwater pumps and reactor coolant pumps are running results in even more margin.
This analysis establishes the capacity of the motor driven and turbine driven pumps and also establishes train association of equipment so that this analysis remains valid assuming the most limiting single failure.
Rupture of Main Feedwater Pipe The double ended rupture of a main feedwater pipe downstream of the main feedwater line check valve is analyzed in FSAR Fection 15.4.2.2.
Table 2-1 summarizes the assumptions used in this analysis. Reactor trip is assumed to be actuated by low-low level in the affected steam generator when the water level falls below the top of the U-tubes.
This conservative assumption uruwwmv B-ll
I_ - -. -. _ _ _ _
i
(
l f
maximizes the stored heat prior to reactor trip and minimizes the ability of the steam generator to. remove heat *from the RCS following reactor trip due to a j
conservatively small total steam generator inventory. As in the loss of normal f
feedwater analysis, the initial power rating was assumed to be 102% of the ESD l
rating. The Virgil C. Summer emergency feedwater design is assumed to supply a j
j total of 380 gpm to the two intact stean generators, including allowance for l
feeding the affected steam generator.
The criteria listed in Table 1B-1 are i
l met.
!I
}
This analysis establishes the capacity of the emergency feedwater pumps,
{
establishes requirements for layout to preclude indefinite loss of emergency f
feedwater to the postulated break, and establishes train association j
t j
requirements for equipment so that the EFWS can deliver the minimum flo-requ ued in 1 minute assuming the sorst single failure.
i Rupture of a Main Steam Pipe Inside Containment Ijg Because the steamline break transient is a cooldown, the EFS is not needed to W
remove heat in the short tern.
Furthermore, addition of excessive emergency j
feedwater to the faulted steam generator will affect the peak containment i
j pressure following a steamiine break inside coricainn.ent.
This transient is performed at four power levels for several break sizes. Emergency feedwater is assumed to be initiated at the time of the creak, independent of system j
actuation signals.
The maximum flow is used for this analysis, considering 1
pump runout. Table 2-1 summarizes the assumptions used in this analysis. At j
30 minutes after the break, it is assumed that the operator has isolated the 1
1 EFS from the faulted steam generator which subsequently blows down to ambient i
j pressure. The criteria stated in Table IB-1 are met.
This transient establishes the maximum allowable emergency feedwater f1m rate to a single f aulted steam generator assuming all pumps operating, establishes the basis for runout protection, if needed, and establishes layout requirements i
l so that the flow requirements may be met considering the worst single.ailure.
I I
t l
l ccteucm e me l
s-12 i,
l 1
l t
l Plant Cooldown l
Maximum and minimum flow requirements from the previously discussed transients s
l meet the flow requirements of plant cooldown. This operation, however, defines i
l the basis for tankage size, based on the required cooldown duration, maximum decay heat input and maximum stored heat in the system.
As previously discussed in response IA, the emergency feedwater system partially coo's the k
system to the point where the RHRS may complete the cooldown, i.e.
350 F in the RCS.
Table 2-1 shows the assumptions used to determine the cooldown heat f
capacity of the emergency feedwater system.
l l
The.ooldown is assumed to commence at 102% of engineered safeguards design pcwer, and maximum trip delays and decay heat source terms are assumed when the j
reactor is tripped.
Primary metal, primary water, secondary system metal and secondary system water are all included in the -tored heat to be removed by the EF" See Table 2-2 for the items constituting the sensible heat stored in the NSSS.
3 This operation is analyzed to establish minimum tank size requirements for emergency feedwater fluid source which is normally aligned.
t l
i 4
l lI B-13 l
M M
M M
M M
M M
M M
M M
TABLE 2-1 j
Sunanary of Assumptions Used in EFWS Design Verification Analyses Loss of Feedwater Main Steamline Break Transient
'statiuc blackout)
Cooldown Main Feedline Break (containment) a.
Max reactor power 102% of ESD rating 2969 MWt 102% of ESD rating 0, 30, 70, 102% of (102% of 2910 MWt)
(102% of 2910 MWt)
(% of MWL) b.
Time delay from 2 see (delay from lo-lo 2 sec 2 see variable event to Rx trip SG level setpoint) i c.
EFWS actuation signal /
lo-lo SG level NA Low-low SG level Assumed immediately tica delay for EFWS flow I minute 1 minute O sec (no delay) d.
SG watec level at (lo-lo SG level)
NA top of U-tubes in N/A time of r3 actor trip 0% NR span 1 SG l
e.
Initial SG inventory 55,000 lbm/SG (at trip) 64,780gbm/SG 102,200 lbm/SG consistent with power
@ 540.2 F Rate of change before See FSAR Figure 15.2-27 N/A turnaround s 3200 sec.
N/A
& after EFWS actuation l
decay beat FSAR Figure 15.1-6 FSAR Figure 15.1-6 FSAR Figure 15.1-6 FSAR Figure 15.1-6 I
l'y f.
EW pump design 1226 psia 1226 psia 1226 psia N/A pressure g.
Minimum # of SGs which 2 of 3 N/A 2 of 3 N/A must receive EW flow h.
RC pump status Tripped @ reactor trip Tripped All operating All operating i
- i. Maximum EFW temperature 120 F 100 F 120 F equal to main feed temperature
- j. Operator action none N/A
> 20 min.
30 min.
3 3
3 3
k.
EW purge volume / temp.
50 ft /438 F 150 ft /per loop 200 ft /435 F ft / loop (for dryout time) 435,F 1.
Normal blowdown none ssumed none assumed none assumed none assumed m.
Sensible heat See cooldown Table 2-2 see cooldown N/A
)
n.
Time at standby / time 2 hr/4 hr 2 hr/4 hr 2 hr/4 hr N/A l
to cooldown to RHR i
)
o.
EFW flow rate 380 CEM - coi.; tant variable 380 GPM - constart GPM (constant) to (min. requirement)
(min. requirement) broken SG.
(max. requirement) i l
1
l I
a l
TABLE 2-2 l
Summary of Sensible Hear Sources
- E Primary Water Sources (initially at engineered safeguards design power temperature and inventory)
I l
RCS fluid Pressurizer fluid (liquid and vapor) f f
Primary tietal Sources (initially at engineered safeguards design power j
temperature)
I
+
Reactor coolant piping, pumps and reactor vessel j
Pressurizer l
l Steam generator tube metal and tube sheet i
j Steam generator metal below tube sheet Reactor vessel internals
{
i Secondary Water Sources (initially at engineered safeguards design power temperature and inventory) l j
Steam generator fluid (liquid and vapor)
Emergency feedwater piping purge fluid j
Secondary ?!etal Sources (initially at engineered safeguards design power j
tempe ra ture) il I
All steam generator metal above tube sheet, excluding tubes.
j LI i
s lI l
Gited /Ccmmoseao B-15 i
I I
Question 3 l
I Verify that the AFW pumps in your plant will supply the necessary flow to the I
steam generator (s) as determined by items 1 and 2 above considering a single failure.
Identify the margin in sizing the pump flow to allow for pump recirculation flow, seal leakage and pun.. vear.
Response to 3 I
FSAR Figure 10.4-16 schematically shows the major features and components of th: Emergency Feedwater System for Virgil C. Summer.
Flow rates for all of the de,ign transients described in Response 2 have been met by the system for the worst single failure. The flows for those single failures considered are tabulated for the various transients in Table 3-1, including the following:
A.
Motor Driven Pump Train Failure B.
Turbine Driven Pump Failure C.
Motor Driven Pump Failure I
I I
lI ll I
I B-16
i l
II TABIE 3-1 Emergency Feedwater Flow (1) to Steam Generators Following an Accident / Transient with Selected Single Failure - GPM
!=
Single Failure i
Elec. Train TD Pump MD Pump Accident / Transient Failure Failure Failure 1
l A
B C
i l
l 1.
Loss of Main FW 872 gpm 704 gpm 872 gpm l
2.
Feedline Rupture 471 gpm 704 gpm 872 gpm
!I j
3.
Cooldown 958 gpm 796 gpm 958 gpm
)
i 1'
4.
Main steamline 979 gpm 0 gpm 0 gpm rupture (max.
requirement) i l
i i
Notes:
4 j
(1)
Items 1 thru 3 are minimum expected flows to intact loops; item 4 is I
maximum possible flow to the faulted loop.
I i.
.I G.wt /Cemmor uin B-17
L r
E IL FL P
l r'
t L,
r APPENDIX C C0h! PARIS 0N OF NRC STANDARD REVIEW PLAN 10.4.9 REV. 1 TO THE VIRGIL C. SUTIER FINAL SAFETY ANALYSIS REPORT i
I i
I I
I I
I I
I
Comparison of NRC Standard Review Plan 10.4.9, Rev. I to V. C. Sununer Final Saf ety Analysis Report SRP 10.4.9, Rev. I Sununary of FSAR Text
_..__ _ _. Section II1, Review Procedures and Reference to Applicable Sections 1.
The SAR is reviewed to determine that the system The EF System Description is found in FSAR description and piping and instrumentat ion diagrams Section 10.4.9.
(P&lDs) identify the AFS equipment and arrangement that is used f or normal operations and for safe plant The EF System P&ID is shown on Fig. 10.4-16.
shutdown (essential) operation. The system P& ids, layout drawings, and component description and Component descriptions and characteristics are characteristics are then reviewed to verify that:
included in the System Description.
Minimum performance requirements for the Minimum performance requireme.:ts and a.
system are sufficient for the various description of the EF System capability to y
functions of the AFS.
meet performance requirements are found in
- ?.
Section 10.4.9.1.
~c3 0
b.
Essential portions of the AFS are isolable f rom Essential portions of the EF System are I
non essential portions, so that system isolable from non-essential portions, as can performance is not impaired in the event of a be shown on Fig. 10.4.16.
failure of a non-essential component.
c.
Component and system descriptions in the SAR The EF System is Seismic Design Class I in include appropriate seismic and quality group accordance with Reg. Guide 29.
The EF pumps, classifications, and the P&lDs indicate any valves, and piping are Safety Class 2a or 2b, points of change in piping quality group except as noted on the system diagram, Fig.
classitication.
10.4-16.
d.
Design provisions have been made that. permit Provisions have been made that permit appropriate in service inspection and functional appropriate inservice inspection and functional testing of system components important to safety.
testing of system components import. ant to safety It is acceptable if the SAR information delineates as described in FSAR Section 10.4.9.4.
testing and inspection program and if the a
system drawings show the necessary recirculation loops around pumps or isolation valves as may be required by this program.
m m
g de e
e m
e e
e e
m W
W
'W ~ W M
SRp 10.4.9, Rev. 1 Summary of FSAR Tc a Section Ill Review Procedures and Reference to Applicable Sections y
2.
The reviewer veri fies that the system safety function will be maintained as required, in the event of adverse environmental phenomena, breaks or cracks in iluid system piping outside containment, system component failures, joss of an onsite motive power source, or loss of of fsite power.
The reviewer uses engineering judgment and the result s of failure modes a nd e f f ec t :. analyses to determine that:
a.
The failure of portions of the system or of Failure of portions of the system or of other other,ystems not designed to Seismic systems not designed to Seismic Category 1 Category I standards and located close to standards will not preclude operation of essentral portions of the system, or of essential portions of the EF System. Equipment P
non-Scismic Category I structures that house, classification is listed in Table 3.2-1 and
?k support, or are close to essential portions of structure classification in Table 3.2-2.
V the AFS, will not preclude operation of the General arrangement and layout drawings are j
essent ial portions of the AFS.
Reference to shown on Figures 1.2-1 through 1.2-26.
SAR sections describing site features and the general arrangement and layout drawings will be necessary, as welI as the SAR tabulation of seismic design classitications for structures and systems.
b.
The essential portions of the AFS are protected The EF system, except for the condensate f rom the ef f ects of floods, hurricanes, storage tank and a short section of piping from tornadoes, and interna.'ly or externally the tank, is located in Seismic Category I generated missiles.
Flood protection and s t. ru c t u re s. The alternate water source, service miss i le prot ect.i on cri t eria are discussed and water, is located in Seismic Category I evaluated in detail under the SRp Section 3 or is buried. Tornado missile and flood series.
The location and design of the system, protection is described in Sections 3.3 and 3.4 structures, and pump rooms (cubicles) are respectively.
reviewed to de t e rmi ne that the degree of protection provided is adequate.
A statement to the ef fect that the system is located in a Seismic Catepry I stru ~ cure that is tornado missile and tlood protected, or the components l
M M
M M
M M
M M
M M
M M
M M
M M
M SRP 10.4.9, Rev. I Summary of FSAR Text Section III Review Procedures and Reference to /.171icable Sections t
of the system will be located in individual cubicles or rooms that will withstand the effects of both flooding and missiles is acceptable The essential partions of the system are Essential portions of the EF System are c.
protected from the effects of high and protected from the effects of high and moderate moderate line breaks in accordance with Branch energy line breaks as described in Section 3.6.
Technical Position ASB 3-1.
I.ayout drawings Protection from flooding from a rupture in the are reviewed to assur^ that no high or moderate Feedwater System is described in Section energy piping systems are close to essential 7.6.5.1.2.
portions of the AFS, or that protection from the effects of failure will be provided. The means of providing such protection will generally n.4 he given in Section 3.6 of the SAR and procedures d2 Y for reviewing this information are given in SRP j
Section 3.6.
G' d.
Essential components and subsystems necessary for Essential components and subsystems for safe safe shutdown can function as required in the shutdown can function as required in the event event of loss of offsite power. The SAR is of loss of offsite power. Fpecific FSAR reviewed to see that for each AFS component or descriptions are as follows:
subsystem affected by the loss of offsite power, system flow and heat t rans f er capability meet EF Pumps - FSAR Section 10.4.9.2 minimum requirements. Statements in the SAR and EF Flow Control Valves - Section 10.4.9.5.3 the results of f ailure modes and effects analyses EF Flow Measurement - Section 10.4.9.5.3 a re considered in assuring that the system meets Auto-Transfer to luesel Generator -
these requirements.
Section 7.3.1.
.5 The system is designed with adequate redundancy The EF System is designed with adequate e
to accommodate a single active component failure redundancy to acconunodate a single active without loss of function.
component failure without loss of function as per FSAR Table 10.4-8.
M M
M M
M M
M M
M M
M M
M M
M M
SRP 10.4.9, Rev. 1 Summary of FSAR Text SCC.t ipn_ IJ I Review Procedures __
and Reference to Applicab'.._ Sections n
f.
Diversity in pump motive power sources and Diversity in pump motive power and essential essential instrumentation and control power instrumentation and control power sources have sources has been provided. The diverse system been provided. The turbine driven system including pump (s), controls and valves should including pump, controls and valves are he independent. of offsite arnt onsite AC power independent. of of fsit e and onsite AC power sources in accordance with the guidelines of sources. The power sources are described in liranch Technical Posit ion ASH 10-1.
Sections 7.4, 7.5 and 8.3.
g.
The system is designed with ade<guate Automatic initiation of EF is described in FSAR instrumentation to automatically initiate Sections 10.4.9.3 and 10.4.9.5.3.
auxiliary feedwater flow to the steam generators upon receipt of an actuation signal.
The initiation signal should start all auxiliary N
teedwater pumps and supporting systems, align
?E the auxiliary feedwater sources, and open flow "f
paths from the auxiliary feedwater pumps to the st eam generat or(s).
Ec h.
The system is designed with the capability to Manual initiation of EF is provided as manually initiate the protective actions described in FSAR Sections 10.4.9.3 and necessary so that the auxiliary feedwater 10.4.9.5.3.
system design satistles the reconunendation of Regulatory Guide 1.62.
i.
The AFS is designed with redundant instrumentation The EF system is designed with redundant so that the system will automatically limit or instrumentation so that the system will terminate auxiliary icedwater f low to a automatically terminate EF flow to a depressurized steam generator, and to assure that depressurized steam generator as described in the minimum reipii red f low is directed to the FSAR Sections 10.4.9.3 and 10.4.9.5.3.
intact s t ear. gene ra t o r.
j.
The AFS is designed with sufficient flow Flow capacity re<inirements for the EF system capacity so that the syst.em can remove residual are contained in Section 10.4.9.1.
heat over the entire range of reactor operation and achieve a cold shutdown condition.
I
)
APPENDIX D COMPARISON OF NRC BRANCH TECHNICAL POSITION ASB 10-1, REV. 1 TO THE VIRGIL C. SUMMER FINAL SAFETY ANALYSIS REPORT I
I I
I I
I I
'I I
,l E
E n
R i
f A
o S
n E
l eF w
l R
erh s
o ot n i
h s
ueA l
n fdS bt i
s h
r s o
uF acd i
T ee i
ol pa nd y
pws t
wcn a ea e nl m o a i
pa pp c
t ni cr b
i e
i ri ape 6 e
S t
.d h eer r ut 1 t
,r st e ch wc t ss - neu e
ahb at os 4 url e
pe h of. oui l
et i
tb l
r f
d ct o0 cl a E
xa
. sc
,oC a
1 cif ec t
ms s
A s esn aa Ti a ee nd a
po.
f m l
t d i ay rmigo e
R p f s aob m outit t t A p oys rl a
f paF nns SA sa t
d e n
ey i
I F
s t et t ein ns o
t t s oar s nhb oeo f t sne wee et m k pl v
o ec t h wy m
ona mo i
e e
sd r r ob et cwt or R
yc nnu sep gi o
ct r n oeo2 at d2 n m yh s n
E ae cps.
hf s e arns eeo mr e
9 air 9 r ea ovc 1
t me md r.
m e.
rp sdi 0
r uf ene4 eeew4 a
oa td8 w.
t h no.
ot t c n -
o S e t i 1
l p
R s
,o0 stO p0 gt snaa4 i
e y
n rr e p1 y
1 SR d
sy sg s
id eom
,0 A
n t en n.i n pet t eee1 s
a Fi so Fi m o
na a gr r i
n i
E cri E veri pgwr nuue o
s a et ot et i d eal l l y
epvc emsh c es enriib i
tl h aie h eyt e h eeer aaa E
i a
Tcd s T r sos Tdf gaff T s
n o A P
y l
t a
e E
c f i
a e
s r
nS h
p t
e h
t r
t m
m n
w c
l a
ed y
a
, u e
o e
a t
t nf r e
e ep m
p T n f a aa oa n
t g
e e
i oh w
i o
s r em
,eg t ed hF t
d eel e ah aoer n oh n c
t et l ih gcy ht et r ua mt a n r s s ea pxt nb c
t nul r ge a e m
f r mu i a st sil i r nr gs i
ir m
s e aa a gv d
ii i a ai nr E
l nu nt ypx na oe d mf eaf pyi o i
os r eeeih wr rokf eib st C
S n
c y as t v t e d e a
mnp u a R
o s
i nao w
npnt t eO d
r fA rmmf o a
o nt re
,e N
i d
l C
t l t i
o a eeop oid es et mp f
i un x
prt et tl ny va o o E
o.
s oe ut
. e sr y k
a uosnor o V
1 o
hd a pysf yel ad nop os er e n
P s n eg oshl t eih ml i s p v
o e
ec r o t o nnb s oot ool l s
vl mp h n ewerih i gm cr c r oa i
ea ees t ont l oew i ot t ncer v r
R c t d e ce bt h sc nenu b t a
i s nc f
ea cmn t e evof s ne p
,n yi r oeeb paoi od ymic i noh m
h s
u h v a er a b
net m
act 1
o
- c
,o st id crf r ea gcr eec C
0 e r ys t
tl t
, b n aot l er T
et neouh ed t
oa sbt h o 1
t i r es moch er ndt r,
,ya at f E
Bh ace nu wat r e el r eest h S c wa w o
f e
eh mur ar r pt me A n d po pooy f wt eoe uut e ol a
ea p ms t
, ooo gh t sl l ncs r ps r
ec ol sis p
ns aiii ecef m
i t
f - e caes nd e
a wh aavav ce I
l s c rianh r ndTf f e l l nt E
yl r dd r ea oit r ri e r eaois B
r ue el uvrl a e
aae eypb vr r y rd w rf pl t ps af v r uoi t
n i
i eosd t t n o gt si pdd gn o
l od wh r a ap n
yr ppl l n oyn w
osed eee ihl o uuuict o i
i t
xt e p
et h t s c pc pt t s oon l
i i E
c u
d mpr a - a e -
i apa n cwil st e
at u r eiiwr r cd peu r ur aa r a t
S sl et t d ea r s eoet t t u eu eac h sl
0.99 >5% >350 F 2 Startup - 0.99 < 57. ->350 F r 3 Hot Standby < 0.99 0 >350 F 4 Hot Shutdown < 0.99 0 T 350 F> I avg >200 F
- E:<cluding decay hea t vxt w wen E-8
lI 20. Section 2.7 l l At the Turkey Point Reactor an incident occurred in which one individual overtightened the seals on all three AFWS pumps. Later, on demand during test, all three failed to start. Do your maintenance procedures preclude i such an event? II
Response
II j
Virgil C. Summer Nuclear Station flaintenance Procedures (PD1P-195.1 for tiotor Driven Pumps and ?D!P-195.2 for Turbine Driven Pump) delineates instructions for performing !!echanical Seal ?!aintenance on the Emergency J
j Feedwater Pumps. Note that Summer Station Emergency Feedwater Pumps have f
mechanical seals, while the Turkey Point AFWS pumps ha<e packing glands.
Also, whenever maintenance is performed on active safety related equipment, a retest / functional verification is performed to insure operability of the equipment.
21.
Section 3.2.5 t
i Will the pumps automaticslly stop if there is no suction head?
j
Response
l'he pumps will not automatically stop if there is no suction head.
1 22.
Section 2.7 lI Are the AFWS Pump Tests performed on the same day?
l f
Response
i l
l Emergency Feedwater Pumps may be tested on the same day; however, they are i
i not tested concurrently.
Station Surveillance Test Procedure STP-120.001,
" Surveillance Testing of the ?!otor Driven Emergency Feedwater Pumps",
i l
1
+tr lCawcasta m E-9 f
L L_
I specify that only one pump is tested at 2 time and must be returned to L
normal operation condition before testing the other.
Station Surveillance r
Test Procedure STP-120.002, " Surveillance Testing of the Turbine Driven i
Emergency Feedwater Pump", is a separate test and will be scheduled separately. The STP's further require that the test be satisfactorily t
l l
performed after any maintenance or repair before the pump can be declared operable.
Prior to performing any test, the Shift Supervisor's permission l
must be obtained. The Shift Supervisor is required by Station Administrative Procedure AP-217, " Removal and Restoration of Station Equipment", to verify that the required system redundancy is satisfied prior to authorizing the removal of any safety related equipment.
i 23.
Section 2.8(3b) l The Technical Specification allows operation with Service Water only for seven days. Was this potential Case 3 AFWS availability considered in the analysis?
Response
i A conservative value of 3 X 10 per demand for CST unavailability was j
used in the Case 3 analysis. Details are provided in Section 3.2.9.3 and the response to Question 5.
f, Technical Specification 3.7.1.3 requires that the CST be operable with 150,000 gallons dedicated EFS supply.
If Service Water is demonstrated available as a backup supply for the EFS, Technical Specification 3.7.1.3
!g allows the CST supply to be inoperable for up to seven days.
t i
Consideration was given to the seven day Technical Specification allowance
)
during the assessment. However, it is extremely unlikely that the CST would be maintained or otherwise unavailable to the EFS while the reactor i
is in.'!cde 1, 2 or 3.
Secondary side supply to the condensate cycle would be possible for only about four hours as the CST level is depleted to the l
1 1I I
1 l
EFS physically dedicated supply level. Thus, operation of the unit with l
less than 150,000 gallons in the CST is not anticipated nor included in I
the analysis.
l.
24.
Section 3.1 What is the steam generator boil dry time for the three cases?
Response
1 4
I The steam generator boil dry time for all three cases is 21 minutes.
!I 25.
Figure 4 1
4
.1' Is there a list of the basic events and the probability of failure for 1I each? Without these, checking the numerical solution of the fault trees i
j and verifying that Figure 4 is a correct comparison is not possible.
4
Response
l Table 3-1 Fault Tree Event Data has been added a part of Revision 1 to provide information on the probabilities used in the reliability assessment.
26.
Section 3.2.5 i
j Why does the EFS suction header condensate valve (ri1010) in the closed f
position at EFS initiation lead to pump failure since there is an i
i automatic switcho.er to the SW system?
lI
Response
1 i
f If the EF System supply line maintenance valve 1010 is in the closed position pump failure may occur because a vacuum and no flow condition
!I
{
Me*. i"pmmec E-11 1
~ - - -
will very rapidly develop. The automatic switchover to the SW System is not quick enough to definitely state that damage to the EF pumps would not occur.
27.
There was not an adequate discussion of the following areas as listed in the Schedule 183 1)
Test and Maintenance Procedures and Unavailability
~,
2)
Potential Common Mode Failures (e.g. common location, etc.)
s 3)
Adequacy of Emergency Procedures wm 4)
Adequacy of Power Sources and Separation of Power Sources and i
~
Redundaut Equipment.
Response
(Item 1) Test and Maintenance programs for the Emergency feedwater System components are in compliance with ASME Section XI, Technical Specifications, and ANSI 18.7 criteria.
System unavailability during
~
operation is kept to a minimum by planning all corrective maintenance for times when the plant is in a cold shutdown status.
Redundant train operability is verified prior to removal of an alternate train from l
service. Maintenance and test results are reviewed for problem areas and any trends that may be developing. At present, most preventive and corrective maintenance procedures for the system have been written. Test procedures for the system and components are being prepared at this time I
with schedule for completion on January 1, 19S1.
II (Item 2) A common mode, or more generally, ccmmon cause failure "is a i
l group of component failures, with or without the same failure mode, that i
I are the direct result of the same event, cause or condition, and that 3..terD >morsea#
E-12
i I
I leads directly to a specific system failure" Design considerations, both plant-specific and generic, external phenomena (ensironment) and maintenance / test actions are potential pathways for the occurence of common cause failures. The features of V. C. Summer Nuclear Station that
.E
- 3 mitigate common cause failures due to each of the above pathways are t
j listed below:
i i
Plant Specific Design Related Features 1
t l
a)
Redundant, safety grade instrumentation and control for EFS flow,
]
pump startup, and automatic EFS initiation.
I
}
b)
Diversity of EF pump motive sources - ac and steam.
c)
Diversity of MDP ac sources - offsite power and onsite diesel generators.
i d)
Independence of the TDP, its auxiliaries and controls from ac power.
1 i
e)
Diversity of EFS actuation input signals.
i f)
Flexibility of supplying EF to any combination of steam generators 1
from the TDP and MDP headers.
Ii f
i g)
Automatic isolation of depressurized steam generators.
lg
?,g l
h)
Independent flow control to each steam generator.
j i)
Ability to isolate essential portions of the EFS from failed components while accomplishing the safety objective.
l j)
Use of flow control valves with fail safe modes.
I I
k)
Flexibility to perform over a wide range of operating and accident conditions.
}
i E-13 i
t
L
~
1)
Capability for automatic startup and run without operator
~
intervention for a minimum of ten minutes; flexibility of operatar intervention at startup or manual start of the EFS from the Control F
Room.
t m)
Availability of a backup EF source from the SWS.
Generic Design Related Features n)
An applicable industry-wide experience history for AFWS design and l
equipment.
l I
o)
EFS equipment procurement under 10CFR50, Appendix B, QA programs which includes design control.
l p)
Conformance to recognized industry standards and criteria.
External Phenomena q)
Location of the EFS in Seismic Category I structures.
l r)
Housing of the EFS in structures designed to withstand the effects of tornados and floods.
l s)
Protection from flooding from feedwater and EF line breaks.
t)
Design to withstand pipe whip and impingement effects resulting from high and moderate energy line breaks.
)
u)
Physical separation of the TDP from the MDP's which includes a fire barrier.
I I
I i
v)
Qualification of equipment to withstand high temperature and humidity resulting from Intermediate Building steam line breaks.
.- sm ove.uv E-14 l
l
1 1
l Flaintenance/ Test Related Features i
j w)
Test and maintenance programs in compliance with AS?lE Section XI, i
Technical Specifications and ANSI IP,.7 criteria.
x)
?!onthly FIDP and TDP testing not requiring closing of manual isolation valves.
i l
y)
!!onthly position verification of all EFS valves including locked i
valves.
z)
Test, maintenance and functional verification procedures as described i
j in Responses to Questions 20, 22 and 27 (Part 1).
(Item 3) Emergency Feedwater is addressed in Station Emergency Operating
{
Procedures E0P-1, " Safety Injection", E0P-5, " Reactor Trip", and E0P-13, i
" Natural Circulation" In all cases, steps are provided to:
}
1) verify emergency feedwater pump operation i
j 2) verify flow to steam generators i
)
i 3) method for and criteria for assuming operator control of emerge y
}
feedwater flow 4) verify Condensate Storage Tank level, and 1
5) describe how to transfer to Service Water backup on loss of condensate water.
These procedures are under review by the NRC for adequacy.
4 I!I
{
(Item 4) The motor driven EF pumps are supplied with power frcm different l
l buses which are, under a Loss of Of f site Power condition, powered from the l
diesel generators. This arrangement is shown in Figure 2 of the i
)
i s.wt ww.oo r-15 l
w.--,_,r.,.,.
!t l
lI I
Reliability Analysis. This figure also shows which motor operated valves are powered from these buses. A description of the separation criteria j
for redundant electrical systems is contained in FSAR Section 8.3.1.4.
i 28.
Section 3.3.1 What is the largest contribution to system unavailability? In number 1 it is stated that the " single most important"; In number 2 "the greatest contribution"
(
i
Response
]
The text in Section 3.3.1 has been revised.
.I l
29.
Section 3.1 Was the TDP the only component considered to have operator recovery capability?
i
Response
- I 4
j The TDP is the only component considered to have in plant recovery capability in the analysis.
i 30.
Appendix A, Section 2.3 i
j Was the EF system tested to determine that there is no water hammer in the i
full open position?
Response
4
(
l.
Yes, extensive testing was performed during Hot functional Testing on the
{
Emergency Feedwater System concerning water hammer.
With at least one i g motor driven pump running on mini-flow, full flow was introduced to each 15 steam generator separately at several different intial steam generator
)
l i
i
- Geer:!Cen cunts E-16 4
!u F
L levels. For each of these conditions on each steam generator, the applicable system piping was observed to verify that no abnormal vibration or noise occurred. Also, all three Emergency Feedwater Pumps were individually started and individually aligned to deliver flow to all three i.
steam generators and then the pump stopped.
Under these conditions for each pump, the pump and associated piping was observed to verify that no abnormal vibration existed.
I 31.
Appendix A, Section 2.4 l
khat are the procedure numbers and the content of the instruction for initiating Backup Water supplies?
l i
Response
i The Emergency Feedwater System is being modified to incorporate automatic j
transfer to Service Water on Low Emergency Feedwater Pump Suction
.I Emergency Operating Procedures E0P-1, " Safety Injection",
Pressure.
E0P-5, " Reactor Trip", and E0P-13, " Natural Circulation", require s
i verification of Automatic Transfer when required. System Operating Procedure S0P-211, " Emergency Feedwater Sv; tem" details how the operator
{
can transfer to Service Water and whai. action to take if the Condensate Storage Tank is not available.
i 6
32.
Appendix A, Section 2.5 I
bhat are the procedure numbers and contents? What Technical Specification applies and what is the paragraph number? How is the flow path verified?
Response
i j
a)
Station Surveillance Test Procedures STP-120.001, " Surveillance Testing of Motor Driven Emergency Feedwater Pump (s)", STP 120.002, 4
" Surveillance Testing of Turbine Driven Emergency Feedwater Pump",
}
.I atw%.m E-17 i
L
[
and STP-120.003, " Surveillance Testing Emergency Feedwater Month Valve Alignment Verification", are the applicable Surveillance Test
~
Procedures.
I i
b)
Procedures in item (a) address the requirements of Technical Specification Limiting Condition for Operating 3.7.1.2 and 3.7.1.3.
c)
The last step of STP-120.001 and STP-120.002 requires independent verification that the Emergency Feedwater System has been returned to l
procedure designated status at the completion of the test.
STP-120.003 relates to verification that the valves are in procedure designated status. These procedures insure that the system is returned to the proper configuration after maintenance and testing.
Actual flow to the steam generators is verified every startup and shutdown by using the Emergency Feedwater System to supply the steam gene ra t o rs.
i i
33.
Appendix A, Section 3.2 i
lias the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> endurance test been performed to date? Is cooling of the I
AFW pump rooms required for successful operation?
i
)
Response
i a)
A seventy-three (73) hour endurance test was performed on all three Emergency Feedwater Pumps at conditions which reflect the normal operating conditions for pump flow, head, speed and steam
'E temperature. Figure 1 presents the EFS schematic diagram. The test I
results demonstrate that acceptable performance was achieved for the 1
three Emergency Feedwater Pumps.
These tests were performed by running primarily on recirculation flow. The Motor Driven Pumps were run for the entire 73 hours8.449074e-4 days <br />0.0203 hours <br />1.207011e-4 weeks <br />2.77765e-5 months <br />, but j
the Turbine Driven Pump was run for a total of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and 40 minutes. Approximately 37 1/2 hours into the run, the flow conttol 1
0.em;>mm:n E-18 i
I i
I i
l valves associated with the Turbine Driven Pump inadvertently went to the full open position due to testing of the flew control valve cards l
by I&C technicians in the Relay Room. Operator action was to secure i
valve 2030-MS which cut of f steam to the turbine. The Turbine Driven Pump was restated af ter a 20 minute shutdown and run for an additional 35 1/2 hours. Note that the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requirement has been 1
reduced by the NRC to 48 hoars. This short interruption is not significant for three reasons. The first is that the shutdown was not due to a problem related to the pump. The second is that the test was continued before the system has cooled down significantly.
The third reason is that the test was performed for a total of 72 l
hours and 40 minutes, which greatly exceeds the 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> requirement.
i Bearing / bearing oil temperatures were monitored on all the pumps over I
l the duration of the testing. The temperatures did not exceed the f
design limits and were therefore acceptable. For the Turbine Driven Pump, the steam temperature was above 400 F for approximatley 65 hours7.523148e-4 days <br />0.0181 hours <br />1.074735e-4 weeks <br />2.47325e-5 months <br /> ( the last 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> was performed at steam temperatures less l=
than 400 F).
The 65 hour7.523148e-4 days <br />0.0181 hours <br />1.074735e-4 weeks <br />2.47325e-5 months <br /> test exceeds the current requirement for a 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> endura ice test.
Pump Room and area ambient conditions were observed to be within acceptable limits during the testing.
The vibration parameters measured during the testing are not considered to be outside allowable limits.
However, prior to the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> run, a detailed analysis of the "A" pump motor indicated that ju the motor horizontal readings were in the "slightly rough" region.
I Additiona' N acing will be added to both the "A" and "B" pump motors l
to correct this problem. Also, on the "B" pump, at the beginning of l
the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> run, vibration data was taken and analysis indicated that i
j the readings were marginal (slightly rough).
A new thrust bearing I
l will be installed to correct this problem.
l l
I u.mm...w E-19 i
l Upon completion of these modifications, new vibration measurements will be taken to insure that vibration conditions have been improved.
l l
b)
Cooling of the EF pump rooms is not required for the accident condition as these pumps are qualified for steam line break conditions. Safety related cooling to these areas is provided as an additional level of protection. Section 3.11 of the FSAR discusses the environmental qualifications of this equipment.
34.
Appendix A, Section 3.4 I
Referring to page 3-6, are these the control valves which open automatically if the EFS is initiated?
Response
These are the control valves which open automatically if EF is initiated.
I 35.
Appendix A, Section 4.1 Besides being automatically initiated does the Er system meet the other recommendation of GS-8 and GL-l?
(e.g. safety grade requirements and manual backup)
Response
The EF System does meet the other recommendations of GS-8 and GL-1 (e.g.
safety requirements and manual backup).
See the response to GL-5 on page A-17.
j 36.
Appendix A, Section 4.2 l
Has the periodic inspections to verify valve position been incorporated into the Technical Specifications to date? Credit is given to the I
auto-initiation of the SW system but the fault tree does not.
See page 4-2 Paragraph 4.3.2(1).
G.!!*et / Ccmmonses t3 E-20 m
t t
Response
j Technical Specification Surveillance Requirement 4.7.1.2(3) requires a.
j at least once per 33 days a verification that each non-autcmatic
]
valve in the flow path that is not locked, sealed, or otherwise j
secured in position, is in its correct position. Also Surveillance l
Requirement 4.7.1.2(4) requires a verification that each automatic valve in the flow path is in the fully open position whenever the Emergency Feedwater System is placed in automatic control or when above 10% Rated Thermal Power.
I l
b.
Credit was not taken for automatic initiation of the Service Water System backup consistent with the response to Question 26 ar.d Section l
3.2.5 of the analysis.
Credit is taken for automatic initiation in i
the event of a catastrophic loss of CST inventory.
!Il 37.
Appendix A, Section 4.4 1
The only alternate source of water described in the report is the Service Water system.
Is this the Safety grade source of water? Is another alternate source being provided? How is a suction lead provided for the Service Water System?
The Service Water System is a safety grade source of water. Another i
alternate source is not provided. The Service Water Pumps take suction from the service water pond, a Seismic Category I impoundment adjacent to Monticello Reservoir. Also, a non-safety grade source from the DWST is available as discussed in question 14.
l 38.
I t
4 Does CRT mean circuit (See page iii)?
4 l
l m-,u,
(
r-21 l
l l
1
Response
i i
CRT is a Cathode Ray Tube. The typographical error has been corrected.
39.
Figure 4, Sheet 1 The fault tree is difficult to review because of the structure of the tree.
1
\\
Response
The tree structure was chosen to facilitate hand evaluation.
40 Figure 4, Sheet 1 If common mode and maintenance associated failures are considered in the right leg of the fault tree, should they also be considered in the left leg?
Response
No common mode failure was identified in the left (flow path) leg of the fault tree.
Maintenance associated failures were considered in the flow path leg and are shown in Figure 4, Sheat 1.
I 41.
Figure 4, Sheet 7 i
and What Human Error is involved in the automatic pneumatic operated FCV 3531?
42.
Figure 4, Sheet 8 What Human Error is involved in the automatic pneumatic operated FCV 3536?
i Sten /Ccwenwes w E-22
1 1
i
Response
il The human error shown for FCV 3531, etc., is associated with acts of l
commission and omission resulting from maintenance.
43.
Figure 4, Sheet 6
!I l
Are FCV 3531/3541/3551 and FCV 3536/3546/3556 the only ones maintained I
l l
when the reactor is operating? Are they all taken out of service at once?
Are these events properly described by the " House Shaped Symbol? Is maintenance performed on CV1009? The failure modes displiyed do not fail the system.
Response
l FCV's 3531/3541/3551 and FCV's 3536/3546/3556 are the only valves j
maintained downstream of the EF pump discharge headers when the reactor is 1ig running. These valves are individually taken out of service.
15
.i Maintenance is not performed on valve 1009 A/B/C while the reactor is j
operating.
For the purpose of clarification, additional transfers have been shown in l
the fault tree.
1 l
1 1
j 44.
Figure 4, Sheet 13 j
and What effect does MIV 1025 being plugged have on the " Loss of IDP 45.
Recirculation Flow?"
l.
Figure 4 Sheet 13 If recirculation failures are modeled in the fault tree, why isn't failure of valve 1027 a single failure of the AFWS?
I E-23
iL r~
L FL
Response
I CV 1027 is not shown on the fault tree bacause pump recirculation is required only as HOT STANDBY is approached.
The fault tree in Figure 4 is a demand tree and as such is consistent with the analysis in NLT1EG-0611.
Additional discussion on pump recirculation flow is provided in Section 3.2.5.
46.
Figure 4 Sheet 16 The right leg indicates that the main steam line must be isolated. Why?
l
Response
l The steam linc isolation valves MSIV 2801 B/C must be closed to ensure adequate steam supply to the turbine driven pump.
1 I
47.
Figure 4 4
i Where are valves 1027, 1025A/B, 1026 2802A/B shown on the Fault Tree?
)
J
Response
Valves 1027, 1025 A/B, and 1026 are not shown in the tree based on items 44 and 45 above.
i Normally open valves 2602 A/B receive an automatic open signal on EFS initiation. Therefore a small additional contribution to EFS failure is the loss of steam lines B & C due to plugging or maintenance errors associated with these valves. Valves 2802 A/B are shown in the Revisica 1 j
fault tree.
)
48.
Figure 4, Sheet 3 What common mode failures are described in this leg of the Fault Tree?
1 Should the top "0R" gate be an "AND" gate?
be.M /h?N3Mefdt'l
l, L
r-L_.
~
Response
t._.
r Thic leg of the tree has been revised; the term common mode ha-been removed from Figure 4, Sheet 3.
The top gate on Figure 4, tueet 3 is an "0R" gate based on the discussion provided in Section 3.2.5.
I 49.
Figure 4, Sheet 4 I
Is one Motor Driven Pump sufficient to meet the specification for minimum flow to the steam generators?
Response
One motor driven pump is sufficient to meet the specification for minimum j
flow to the steam generators.
50.
Appendix A, Section 2.6 4
l Provide additional information in response to generic recommendation GS-6.
Response
Additional information has been provided in Appendix A for item GS-6.
51.
When will the BISI system be completed?
Response
The BISI will be completed 4-1-81.
~
MDM.$WC4f 8;',#
E-25 k.