ML20003B703

Auxiliary Feedwater Sys Reliability Analysis.
ML20003B703
Person / Time
Site: Palo Verde (Arizona Public Service)
Issue date: 02/10/1981
From:
ARIZONA PUBLIC SERVICE CO. (FORMERLY ARIZONA NUCLEAR
To:
Shared Package
ML17296B226 List:
References
RTR-NUREG-0737, RTR-NUREG-737, TASK-2.E.1.1, TASK-TM NUDOCS 8102250260
Download: ML20003B703 (175)


Text

PALO VERDE NUCLEAR GENERATING STATION AUXILIARY FEEDWATER SYSTEM RELIABILITY ANALYSIS

PVNGS AFS RELIABILITY ANALYSIS

TABLE OF CONTENTS

1.0 INTRODUCTION
1.1 Background
1.2 Objectives
1.3 Scope of Study
1.4 Method of Analysis
1.5 Criteria and Assumptions
2.0 SUMMARY
3.0 SYSTEM DESCRIPTION
3.1 General Description
3.2 System Operation
3.3 Inspection and Testing Requirements
3.4 Instrumentation and Control
3.5 Supporting Systems and Sources
3.6 Technical Specification Limitations
4.0 RELIABILITY EVALUATION
4.1 Analytical Approach
4.2 Results and Conclusions
5.0 REFERENCES

APPENDICES
APPENDIX A PVNGS Feedwater System Piping and Instrumentation Drawings
APPENDIX B Reliability Block Diagrams
APPENDIX C Master Fault Tree
APPENDIX D Test and Maintenance Fault Tree
APPENDIX E Human Error Fault Tree
APPENDIX F Common Cause Classifications and Definitions
APPENDIX G Sample Minimal Cut Set
APPENDIX H Failure Rates
APPENDIX I Sample Calculations

PALO VERDE NUCLEAR GENERATING STATION AFS RELIABILITY ANALYSIS

1.0 INTRODUCTION

1.1 Background

The Palo Verde AFS was analyzed considering various design alternatives as a result of the concerns expressed by the NRC. This study considered four different design alternatives. The first one is the current design, which consists of one turbine-driven emergency feedwater train, one motor-driven emergency feedwater train, and a manual start, non-1E AC power, motor-driven auxiliary feedwater train.

In Case 2 the startup auxiliary feedwater pump was given the capability of being powered from the Train A diesel generator by manual start. Case 2A is the same as Case 2 except automatic start is provided. In Case 3, a fourth feedwater pump train was added. This fourth train would be completely safety grade while keeping the manual start, non-1E AC power, startup auxiliary feedwater pump. The design features of the four cases are shown in table 1-1.

1.2 Objectives

The objectives of this study are:

• To perform a reliability analysis for comparison of four design alternatives (current design plus three alternates).

• To meet the requirements of the NRC letter of March 10, 1980 (reference 12). The NRC letter requires a reliability analysis of the AFS similar to the analysis described in NUREG 0635.

1.3 Scope of Study

The present Palo Verde AFS design was analyzed along with three other configurations as described in table 1-1.

Simplified functional diagrams of the trains are shown in figures 1-1 and 1-2.

This study goes beyond the analysis in NUREG 0635. Specifically, it includes error bounds on the results, incorporates common cause failures, and provides a more conservative treatment of operator error, in addition to using more realistic failure rate data in some important cases.

However, to permit a comparison on a common basis with NUREG 0635, the analysis then "backs out" the differences and presents the results using the NUREG methodology.

The scope of this study was also limited to one top event, also taken from the NUREG, which states:

The time interval of interest for all transient events considered is the unavailability of the auxiliary feedwater system during the period of time to boil the steam generator dry.

The 20-minute boil dry time stated in NUREG 0635 was also used in this study.

The following transient (initiating) events were required by NUREG 0635:

Event A - Loss of main feedwater (LMFW) and a reactor trip occur together (LMFW/RT).

Event B - The LMFW is coincident with a loss of all off-site (AC) power (LMFW/LOOP).

Event C - The LMFW is coincident with a loss of all AC power (LMFW/LOAC), except for any which is derived from batteries.

Table 1-1 DESIGN CASES FOR NUREG-0635 RELIABILITY STUDY, AUXILIARY FEEDWATER SYSTEM (number of pump trains of each type)

Design case | Turbine-driven emergency feedwater pump trains | Motor-driven emergency feedwater pump trains | Manual start, normal AC power, motor-driven aux feedwater pump trains | Manual start, diesel connected, motor-driven aux feedwater pump trains | Automatic start, diesel connected, motor-driven aux feedwater pump trains
Case 1 (current PVNGS design) | 1 | 1 | 1 | - | -
Case 2 | 1 | 1 | - | 1 | -
Case 2A | 1 | 1 | - | - | 1
Case 3 | 1 | 2 | 1 | - | -

1.4 Method of Analysis

The primary basis of this analysis consists of the construction and evaluation of fault trees. For each of the four design cases, minimal cut sets were determined from a fault tree which contained all active components and single-failure passive component(s). Constants for common cause and human factors were also determined. Failure rates and the fault tree methodology were based on references 1 and 2.

For each fault tree, common causes and human factors were studied. The minimal cut sets were generated using the FTAP code of reference 6. Manual comparisons, checks and tests of reasonableness were also applied.

1.5 Criteria and Assumptions

The following analytical criteria, definitions and assumptions have been made:

A. Availability criterion - Given that one of the postulated demand events should occur, unit AFS availability is defined as a successful system startup (at least one train) within the boil dry time of 20 minutes. The 20 minute boil dry time was obtained from NUREG 0635.

B. Availability of AFS power sources - The following assumptions are made with respect to the postulated demand events and the resulting mission for AFS success.

1) LMFW - All AC and DC power available.
2) LMFW/LOOP - Two diesel generators available.
3) LMFW/LOAC - DC and battery-backed AC available.

C. The failure rate data base used for quantification was taken primarily from NUREG 0635. The need for additional data was met by references 2 and 8. The rationale for data source and application is found in section 4.1.4.

D. Degraded failures - A partially successful performance of any active or passive component was not considered. Each component and each operator action was assumed to be either successful or failed.

E. AFS actuation and control - For automatic operation during emergency shutdown conditions the Auxiliary Feedwater Actuation Signal (AFAS) will be initiated for either steam generator by a low steam generator level coincident with a steam generator not ruptured signal for that steam generator. The AFAS can be actuated manually.

[Figure 1-1: Palo Verde 3 Train Auxiliary Feedwater System. Diagram labels: condensate storage tank, reactor makeup water tank, main FW, SG 1, Train 1, Train 2, Train 3.]

[Figure 1-2: Palo Verde 4 Train Auxiliary Feedwater System. Diagram labels: condensate storage tank, reactor makeup water tank, main FW, Train 1, Train 2, Train 3, Train 4.]

2.0 SUMMARY

2.1 Discussion

The two objectives of this study are to compare the reliability of the four design alternatives and to meet the requirements of the NRC letter of March 10, 1980 (reference 12), which cites NUREG 0635.

To make a more meaningful design alternative comparison, the first objective required the treatment of uncertainty and the use of data on steam turbine drives and diesel generators. The details of this approach are found in section 4.1. The results of the analysis are summarized in table 2-1.

The second objective requires an analysis of the AFS according to the requirements of NUREG 0635. The principal aim of the NUREG was to evaluate the variability of auxiliary feedwater system designs rather than evaluating the variability in data to be applied to a specific design.

The first objective went beyond the analyses in NUREG 0635. Specifically, it included error bounds on the results, common cause failures, and a more conservative treatment of operator error, in addition to using more realistic failure rate data in some important cases. However, to permit a comparison on a common basis with NUREG 0635, the analysis then "backs out" the differences and presents the results using the NUREG methodology as shown in figures 2-1 and 2-2 and described in section 4.2.1.

2.2 Conclusions

The conclusion of the study is that the reliability of the AFS can be improved (refer to table 2-1) by modifying the design from the present Case 1 to design alternative Case 2.

Table 2-1 AFS RELIABILITY ESTIMATE
(INDEPEND. - statistical independent estimate; C.C. - common cause estimate total)

Transient event | Design case | Estimate | Unavailability | Estimate per year
LMFW | Case 1 | INDEPEND. | 2.0E-4 | 6.0E-4
LMFW | Case 1 | C.C. | 1.1E-3 | 3.3E-3
LMFW | Case 2 | INDEPEND. | 2.0E-4 | 6.0E-4
LMFW | Case 2 | C.C. | 1.1E-3 | 3.3E-3
LMFW | Case 2A | INDEPEND. | 1.5E-5 | 4.5E-5
LMFW | Case 2A | C.C. | 8.7E-4 | 2.6E-3
LMFW | Case 3 | INDEPEND. | 3.4E-6 | 1.0E-5
LMFW | Case 3 | C.C. | 8.6E-4 | 2.6E-3
LMFW/LOOP | Case 1 | INDEPEND. | 3.5E-3 | 8.8E-4
LMFW/LOOP | Case 1 | C.C. | 4.3E-3 | 1.1E-3
LMFW/LOOP | Case 2 | INDEPEND. | 6.6E-4 | 1.7E-4
LMFW/LOOP | Case 2 | C.C. | 1.6E-3 | 4.0E-4
LMFW/LOOP | Case 2A | INDEPEND. | 2.1E-4 | 5.3E-5
LMFW/LOOP | Case 2A | C.C. | 1.1E-3 | 2.8E-4
LMFW/LOOP | Case 3 | INDEPEND. | 2.0E-4 | 5.0E-5
LMFW/LOOP | Case 3 | C.C. | 1.1E-3 | 2.8E-4
LMFW/LOAC | Case 1 | INDEPEND. | 6.1E-2 | 6.1E-5
LMFW/LOAC | Case 1 | C.C. | 6.2E-2 | 6.2E-5
LMFW/LOAC | Case 2 | INDEPEND. | 6.1E-2 | 6.1E-5
LMFW/LOAC | Case 2 | C.C. | 6.2E-2 | 6.2E-5
LMFW/LOAC | Case 2A | INDEPEND. | 6.1E-2 | 6.1E-5
LMFW/LOAC | Case 2A | C.C. | 6.2E-2 | 6.2E-5
LMFW/LOAC | Case 3 | INDEPEND. | 6.1E-2 | 6.1E-5
LMFW/LOAC | Case 3 | C.C. | 6.2E-2 | 6.2E-5

Specific recommendations are as follows:

• Provide the capability to manually supply Train 3 auxiliary feedwater pump from the Train A diesel generator (Case 2).

• Provide position indication in the control room on the pump test bypass valves.

• Provide power to the suction valves for Train 3 auxiliary feedwater pump from the Train A diesel generator.

• Perform a total system test once every 18 months.

• Perform testing on different shifts.

[Figure 2-1: Reliability characterizations for AFS designs in plants using the Combustion Engineering NSSS and Palo Verde. Columns: transient events LMFW, LMFW/LOOP and LMFW/loss of all AC, each with LOW, MED and HIGH bands. Plants: Palo Verde Case 1, Palo Verde Case 2, Palo Verde Case 2A, Palo Verde Case 3, Calvert Cliffs, Palisades, Maine Yankee, Millstone, St. Lucie, Ark. Nuc. No. 2, Ft. Calhoun.]

[Figure 2-2: Reliability characterizations for AFS designs in plants using the Westinghouse NSSS and Palo Verde. Columns: transient events LMFW, LMFW/LOOP and LMFW/loss of all AC, each with LOW, MED and HIGH bands. Plants: Palo Verde Case 1, Palo Verde Case 2, Palo Verde Case 2A, Palo Verde Case 3, Haddam Neck, San Onofre, Prairie Island, Salem, Zion, Yankee Rowe, Trojan, Indian Point, Kewaunee, H. B. Robinson, Beaver Valley, Ginna, Pt. Beach, Cook, Turkey Pt., Farley, Surry, No. Anna.]

3.0 SYSTEM DESCRIPTION

3.1 General Description

The AFS consists of one safety-related Seismic Category I motor-driven AFS pump, one safety-related Seismic Category I steam turbine-driven AFS pump, and one non-safety-related non-Seismic Category I motor-driven AFS pump, associated piping, controls, and instrumentation.

Appendix A contains the piping and instrumentation diagram of the system. The non-safety-related motor-driven pump will accrue the most duty because it is used for startup, hot standby, and normal shutdown operations.

The primary source of auxiliary feedwater is the condensate storage tank. A minimum capacity of 300,000 gallons is required by the AFS; during emergency shutdown conditions 330,000 gallons are provided. This provides an orderly RCS cooldown to the shutdown initiation conditions. The total tank capacity is 550,000 gallons.

The secondary or backup source of auxiliary feedwater is the reactor makeup water tank. Its maximum capacity is 480,000 gallons.

The safety-related motor-driven auxiliary feedwater pump and its motor-operated valves can receive Class 1E power from both onsite and offsite power sources. In the event of a loss of offsite power, power is supplied to this motor-driven pump by its standby diesel generator. The loading of the emergency bus is sequential and automatic. The standby diesel generator powers this auxiliary feedwater pump and the necessary valves and controls to ensure system operability.

The turbine-driven AFS pump is supplied with steam from the main steam lines of either steam generator upstream of the main steam isolation valves. The power and controls for the valves associated with this pump receive power from the Class 1E dc buses A and C.

The two safety-related auxiliary feedwater pumps are separated by a physical barrier. Piping and components are located, separated, or protected to preclude damage from missile and environmental effects.

3.2 System Operation

For emergency operation, normal flow is from the condensate storage tank to both the safety-related motor-driven AFS pump and to the steam turbine-driven AFS pump. An alternative supply of water is provided by local manual cross connections to the reactor makeup water tank.

A minimum flow recirculation system is provided on each pump discharge with recirculation to the condensate storage tank. Each of these pumps can supply either steam generator with feedwater. Condensate recirculation lines are provided downstream of the AFW pump to allow for full flow pump testing.

Either auxiliary feedwater pump can supply the necessary feedwater for reactor decay heat removal and reactor cooldown to 350F.

For normal AFS operation the non-safety-related pump, located in the turbine building, is employed.

One manually operated auxiliary feedwater path to the steam generators is provided for the non-safety-related motor-driven auxiliary feedwater pump through the feedwater header.

At a reactor coolant temperature of 350F, the shutdown cooling system is placed in operation. The AFS duty cycle is then completed and it is returned to standby status.

A minimum flow path is provided for each pump. Approximately 13% of the pump capacity is recirculated back to the condensate storage tank whenever a pump is operating. The minimum flow line is provided to prevent pump overheating in the event the pump discharge line is shut off.

If a break is postulated to occur in the recirculation line downstream of the flow restriction orifice, system operation is not affected. The pump still delivers required flow to the steam generators. The water inventory of the condensate storage tank has been calculated to include the possibility of a 13% flow water loss through the recirculation line while maintaining a sufficient quantity of water to provide the required cooling.

One pump motor driver is powered from a separate engineered safety features (ESF) bus which is powered by the Train B diesel generator. The steam turbine-driven pump's associated valving is powered from the battery-backed essential dc buses A and C. The turbine for this pump is supplied with steam from either of the steam generators. The turbine controls are also powered from the dc bus A.

Auxiliary feedwater control is normally from the control room, but instrumentation is provided for operation from the remote shutdown station in the unlikely event that the control room must be evacuated.

Signals from the auxiliary feedwater actuation signal (AFAS) (automatic/manual) start the safety-related motor-driven auxiliary feedwater pump and the steam turbine-driven auxiliary feedwater pump, shut all isolation valves, and open the associated isolation valves to the downcomer nozzles of the intact steam generator(s). The non-safety-related motor-driven pump is started manually and its associated valves are opened manually from the control room.

3.3 Inspection and Testing Requirements

The AFS pumps are capable of being tested while the plant is in normal operation. A recirculation and full flow test line to the condensate storage tank enables the pumps to be operationally tested. Control room discharge pressure and local flow indicators are provided to monitor pump performance.

Containment isolation valves can be tested during normal plant operation. However, by technical specification, these valves will be tested during refueling shutdown.

3.4 Instrumentation and Control

Control room instrumentation includes steam generator level controls and hand switches plus position indicators for all power operated valves.

Control logic for the AFS is a manually overridable automatic two-of-four input signal system, part of the Engineered Safety Features Actuation System (ESFAS). Steam generator pressure and water level are the monitored variables for automatic protective action.

The following main control room monitors are provided for purposes of AFS control:

• System trip status light.

• Discharge pressure of each AFS pump.

• Auxiliary feedwater flow to each steam generator.

• Two status lights for each regulator valve.

• RPM of the turbine (pump-driving).

• Status lights for all motor operated-remote manual valves.

The AFAS performs the following functions as intended by design:

A. Start the safety-related, motor-driven auxiliary feedwater pump whenever an AFAS occurs for either steam generator.

B. Open the steam supply valving to start the steam turbine driver whenever an AFAS occurs for either steam generator.

C. Determine whether a steam generator is intact in the event of a secondary system break.

D. Open the auxiliary feedwater regulating valves to the intact steam generator using the trip channel logic. The same logic is used to provide a closing signal to the auxiliary feedwater valves to a non-intact steam generator to prevent flow to that generator.

E. Close the steam generator blowdown line isolation valves whenever an AFAS occurs for either steam generator.

F. Prevent a high water level condition in the intact steam generator(s) by closing the auxiliary feedwater regulating valves when the level is reestablished above the low level trip setpoint. The valve logic is not latched in the actuated state in order that this control can be accomplished. When the level and pressure conditions for valve opening are again met, the valves are automatically reopened.

G. Start the diesel generators whenever an AFAS occurs for either steam generator.

H. An AFAS aligns the AFS regulating and isolation valves to feed the intact steam generator(s). Once the steam generator level is restored, the pumps continue to operate, but the regulating and isolation valves close. The valves continue to cycle with steam generator level fluctuation. The steam generator level should be stabilized to avoid undue cycling of the regulating valves.

The system is designed such that loss of electric power to two of the four like channels in the measurement channels, or initiating logic, or to the selective two-out-of-four actuating logic would actuate the auxiliary feedwater system.

Manual control of the auxiliary feedwater system is provided by means of hand controllers on the main control panel. The operator may override the automatic system under all operating and accident conditions by controlling the AFS regulating valves from the main control room.

Manual control of the safety-related portion of the auxiliary feedwater is also provided from a remote shutdown station external to the control room, should the control room become inaccessible. The safety-related, motor-driven auxiliary feedwater pump can be controlled from its appropriate switchgear. The steam turbine-driven pump can be controlled locally.

3.5 Supporting Systems and Sources

The active components of the AFS are dependent upon diverse sources of electrical power. Lube oil and cooling subsystems are supplied from the same source as the primary component. All valves and controls in the same train are similarly matched to the same power source as its pump, and key devices can be manually or locally actuated as well. Four independent transmission lines supply the offsite power, and two dedicated diesel generators back up the onsite Class 1E power buses.

There is a backup water supply source at the reactor makeup water tank. Up to 480,000 gallons of demineralized water can be made available to the AFS suction cross-tie by means of hand valve V019 of the chemical and volume control system, then through 8-inch piping to the safety-related motor-driven pump and to the turbine-driven pump.

3.6 Technical Specification Limitations

Technical Specifications require the availability of 300,000 gallons of water in the condensate storage tank for AFS use. Tank volumes below 530,000 gallons, 330,000 gallons and 20,000 gallons are alarmed and annunciated in the main control room.

A maximum of 72 hours out of service is allowed for maintenance or repair of a safety-related pump while the reactor is critical. If that time is exceeded the reactor must be put in hot shutdown within the next 12 hours.

Surveillance Requirements (CESSAR Chapter 16):

1) Each emergency feedwater pump shall be demonstrated operable:

A. At least once per 30 days by:

(1) Verifying turbine driven pump develops discharge pressure of 11260 psig at flow of 1987 GPM when the secondary steam supply pressure is greater than 1035 psig.

(2) Verifying each valve (manual, power operated or automatic) in the flow path that is not locked, sealed, or otherwise secured in position, is in correct position.

B. At least once per 18 months during shutdown by:

(1) Verifying each automatic valve in the flow path actuates to its correct position on MSIS and EFAS test signals.

(2) Verifying motor driven pump starts automatically upon receipt of an EFAS test signal.

2) The condensate storage tank shall be demonstrated operable at least once per 12 hours by verifying the contained water volume is within its limits when the tank is the supply source for the emergency feedwater pumps.
3) The applicable alternative service water system (reactor makeup water tank is the alternate for PVNGS) shall be demonstrated operable at least once per 12 hours by verifying that at least one service water loop is operating and that the service water system - emergency feedwater system isolation valves are either open or operable whenever the service water system is the supply source for the emergency feedwater pumps.

4.0 RELIABILITY EVALUATION

4.1 Analytical Approach

The primary basis of this analysis consists of the construction and evaluation of fault trees. For each of the four design cases, minimal cut sets were determined from a fault tree which contained all active components and single-failure passive component(s). Constants for common cause and human factors were also determined. Failure rates and the fault tree methodology were based on references 1 and 2.

For each fault tree, the common causes and human factor causes were studied. The minimal cut sets were generated using the FTAP code of reference 6. Manual comparisons, checks and tests of reasonableness were also applied.

The basic tasks (see figure 4-1) required for the analysis are:

Task 1 - Analysis Inputs
Task 2 - Fault Tree Development
Task 3 - Generation of Minimal Cut Sets
Task 4 - Statistically Independent Hardware, Test and Maintenance and Human Error Quantification
Task 5 - Common Cause Hardware, Test and Maintenance and Human Error Analysis
Task 6 - Propagation of Uncertainty

Task 1 consists primarily of gathering information required to establish the boundary conditions (initiating events, top events, system boundary, and surveillance requirements, for example) needed to carry out the analysis. This includes the time necessary to study and become familiar with the system.

Task 2 differs from Task 1 in that the information obtained is then translated graphically into the master fault tree of appendix C.

Task 3 is the first step in analyzing the fault tree. In this task, all of the combinations of component failures are generated. These various combinations of component failures which cause system failure are known as minimal cut sets. In this study the minimal cut sets were generated by a computer code (reference 6).

Task 4 employs the minimal cut sets of Task 3 and the data of appendix H to determine the statistically independent unavailabilities of each design alternative.

In Task 5 common cause analysis was performed both qualitatively and quantitatively: qualitatively to identify potential sources of common cause failures, and quantitatively to indicate the limited effect that increased redundancy can have on the reliability of a system.

Task 6 propagated the uncertainty of the input data to the overall results. The uncertainty range between design alternatives can affect the decision making process and thus was considered.

These calculations are then combined into one overall unavailability number (table 4-1) accompanied by figures 4-5, 4-6 and 4-7 which graphically show the effect of uncertainty.

4.1.1 Task 1 - Analysis Inputs

Task 1 consisted primarily of gathering the necessary information required to establish boundary conditions for the analysis and to become familiar with the system.

The information required was obtained from CESSAR Chapter 16, the PVNGS FSAR and NUREG 0635.

Chapter 16 of CESSAR was used to establish Technical Specification (surveillance requirements, see section 3.6) from which the unavailability of the AFS due to testing was calculated (reference 1). All pumps were conservatively assumed to be tested once per month although it was only required for the turbine pump. The PVNGS FSAR was primarily used for system description and operating requirements.

NUREG 0635 was used to establish the top event of the master fault tree, the initiating events/event trees and as the basic guide for the analysis. The top event is taken from NUREG 0635 which states:

The time interval of interest for all transient events considered is the unavailability of the auxiliary feedwater system during the period of time to boil the steam generator dry.

The 20 minute boil dry time stated in NUREG 0635 was also assumed for this study.

System familiarization was accomplished by:

• Reviewing Piping and Instrumentation Drawings (P&ID's - see appendix A), system descriptions and technical specifications.

• Developing Reliability Block Diagrams (figure 4-2 and appendix B). A simplified system functional diagram was also developed (see figures 1-1 and 1-2).

• Seeking clarification with cognizant engineers.

4.1.2 Task 2 - Fault Tree Development

A master fault tree was constructed from the P&ID's. (See appendix C.) This tree is for the most complex design alternative, namely, Case 3. For the less complex alternatives, the non-applicable portions were assumed not to exist. This tree includes all the "active" components and the "passive" single failure components. The master fault tree was used for the hardware/operator error unavailability of the AFS.

Fault trees for the test and maintenance and human error unavailability were also constructed and are included in appendix D and E. Various portions of the master tree are incorporated in these fault trees.

All the above fault tree models were developed assuming statistical independence for hardware / operator failures, human error and test and maintenance failures as the simplified fault tree of figure 4-3 illustrates. A description of how common cause failures are treated is found in section 4.1.5.

4.1.3 Task 3 - Generation of Minimal Cut Sets

Minimal cut sets were generated for this study by the Fault Tree Analysis Program (FTAP) developed at the Lawrence Livermore Laboratory (reference 6). A sample minimal cut set is found in appendix G. The quantification and integration of the minimal cut sets into the master fault tree is developed in the next section.
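The generation of minimal cut sets described above can be illustrated on a small tree. The following Python is an added example, not FTAP and not code from the report: the tree is a constructed, heavily simplified Case 1 model (event names and structure are assumptions, not the appendix C master fault tree), expanded gate by gate with supersets absorbed so that only minimal cut sets remain.

```python
from itertools import combinations, product

# Constructed, simplified Case 1 model. Event and gate names are assumptions
# made for this example; this is not the appendix C master fault tree.
FAULT_TREE = {
    "AFS_UNAVAILABLE": ("OR", ["CST_RUPTURE", "ALL_TRAINS_FAIL"]),
    "ALL_TRAINS_FAIL": ("AND", ["TRAIN1_FAILS", "TRAIN2_FAILS", "TRAIN3_FAILS"]),
    # Trains 1 and 2 are started by the AFAS, so its failure is shared.
    "TRAIN1_FAILS": ("OR", ["AFAS_FAILS", "TD_PUMP", "DC_BUS_A"]),
    "TRAIN2_FAILS": ("OR", ["AFAS_FAILS", "MD_PUMP", "ESF_BUS_B"]),
    # Train 3 is the manual-start, non-1E startup pump.
    "TRAIN3_FAILS": ("OR", ["SU_PUMP", "OPERATOR_START", "NON_1E_AC"]),
    # Two-of-four actuation logic fails only when three channels fail to trip.
    "AFAS_FAILS": ("VOTE", 3, ["CH_A", "CH_B", "CH_C", "CH_D"]),
}


def absorb(sets):
    """Drop every cut set that strictly contains another one."""
    return {s for s in sets if not any(other < s for other in sets)}


def expand(tree, node):
    """Return the minimal cut sets (frozensets of basic events) below node."""
    if node not in tree:                      # basic event
        return {frozenset([node])}
    kind, *params, children = tree[node]
    parts = [expand(tree, child) for child in children]
    if kind == "OR":                          # any single input fails the gate
        groups = [[p] for p in parts]
    elif kind == "AND":                       # all inputs must fail together
        groups = [parts]
    elif kind == "VOTE":                      # at least k of the inputs fail
        groups = [list(g) for g in combinations(parts, params[0])]
    else:
        raise ValueError(f"unknown gate type {kind!r} at {node}")
    merged = set()
    for group in groups:
        for combo in product(*group):
            merged.add(frozenset().union(*combo))
    return absorb(merged)


def minimal_cut_sets(tree, top):
    """Minimal cut sets of the top event, smallest order first."""
    return sorted(expand(tree, top), key=lambda s: (len(s), sorted(s)))


def single_failure_points(cut_sets):
    """Order-one cut sets: events that fail the system on their own."""
    return sorted(next(iter(s)) for s in cut_sets if len(s) == 1)


if __name__ == "__main__":
    mcs = minimal_cut_sets(FAULT_TREE, "AFS_UNAVAILABLE")
    for cut in mcs:
        print(len(cut), " + ".join(sorted(cut)))
    print("single failure points:", single_failure_points(mcs))
```

In this constructed tree the shared actuation signal produces order-four cut sets (three channels plus one Train 3 event), while combinations such as three channels plus the motor-driven pump plus a Train 3 event are absorbed as non-minimal.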

4.1.4 Task 4 - Statistically Independent Hardware, Test and Maintenance and Human Error Quantification

The failure rate data base used for the quantification of the fault trees is given in appendix H. The preferred source of data was NUREG 0635. In some cases, failure rates for such components as diesel generators were not given in NUREG 0635. In these cases, Appendices III and IV of WASH 1400 (reference 2) were used. There was no failure rate information available for steam turbine driven pumps (STDP) from either of the above sources, so the LER information on STDP's of reference 8 was used.

All failure rates were treated on a demand basis for the unavailability calculations. This is due to the boil dry time constraint.

The failure rate information in the above references is given as median values with associated error factors. This information was converted to means and variances, which are necessary to propagate uncertainty through the model. These means and variances are based on the log-normal distribution as described on page II-43, Appendix II of reference 2.

With the data above, the dominant minimal cut sets were manually identified and quantified (see appendix I). The highest failure rate sets were selected and quantified to estimate the failure probabilities or the unavailabilities.

A check on the manual calculations was performed by the "Importance" computer code which is an adjunct to FTAP (reference 7).

For the hardware/operator error unavailability estimate, the master fault tree was used as applicable for the various cases and initiating events. The minimal cut sets were generated by FTAP, the dominant minimal cut sets were manually calculated, and the sum of the dominant minimal cut set values is the unavailability of that branch of the tree.

For the test and maintenance and human error unavailability, the master fault tree was used as applicable. This result was incorporated into the test/maintenance and human error fault tree to calculate the respective unavailabilities (see appendix I).

4.1.4.1 Single Failures

Since AFS availability is defined as a successful system start-up within an assumed boil dry time of 20 minutes, no local manual operation was assumed possible. Due to this assumption, the condensate tank and the piping and valves connected to it have the potential to be "passive" single failure points if any of these components were to have a severe leak or rupture.

If the loss of the condensate storage tank were to occur during plant operation, level alarms (one normal low level and two low-low level) in the control room alert the operator to the problem. An automatic condensate storage tank fill system (demineralizer water system, non Class 1E) will provide 125,000 gallons of water at a rate of 250 gal/min. The reactor makeup water tank (480,000 gallons) can be transferred to the AFS by local manual action, with the condensate tank water source valved off by local manual action. The rupture failure rate of the tank, pipes, and valves was estimated to be 4.7E-7/h (reference 2).

Individual instrumentation failure rate was assumed to be 2.7E-6/h. Operator error with no duress was assessed at 1.2E-4/h. Thus, the failure probability, assuming 1 hour duration, is less than 10^-16 (the product of the above failure rates, since they all must fail).

If the loss of condensate storage tank water were to occur simultaneously with the AFS start, and assuming a single rupture failure with a 10-inch diameter offset rupture area, the normal storage tank capacity of 530,000 gallons will provide adequate water for more than 85 minutes. During this time, the reactor makeup tank water can be transferred to the AFS pumps by local manual action. The greatest single rupture failure rate was assessed to be 3.3E-7/h.

Utilizing the same rationale as before, the failure probability will again be on the order of 10^-16.

4.1.5 Task 5 - Common Cause Hardware, Test and Maintenance and Human Error Analysis

Common cause analysis was performed both qualitatively and quantitatively: qualitatively to identify potential sources of common cause failures, and quantitatively to indicate the limited effect that increased redundancy can have on the reliability of a system.

Qualitative Analysis - The identification of common or similar hardware, test, maintenance, human actions or physical links between redundant trains was the first step in this analysis. An example of this type of classification is shown on figure 4-4. Definitions and terms used in figure 4-4 are found in appendix F. The basic approach details are found in reference 4.

An in-house computer code was developed to indicate the number and type of commonalities that exist between components of the various redundant trains. The dominant minimal cut set components were compared with this listing since the remainder of the minimal cut sets had less commonality. The greater the commonality, the greater the potential for common cause failure. There are 25 possible categories of commonality, but the maximum number of common categories found was 6. All sets of components with 5 or 6 commonalities were selected (there were 52) and these sets were compared to the minimal cut sets. No serious potential for common cause failure was found using this approach.

As a final qualitative check, the potential common cause failures discussed in reference 5 were reviewed and are addressed below. Reference 5, Table 5-2, listed seven "common cause" failures that occurred in 1975 AFS experience. These failures are discussed below as to the effect if they were to occur in the Palo Verde AFS:

A. Operator failed to open the valve from the condensate storage tank to the two AFWS pumps. The two AFWS pump loops failed to be available on demand as required by technical specifications. Docket 50-317-516.

This failure indicates that a "single" valve provided condensate to the two AFWS pumps, which makes that valve a "single" failure point. The Palo Verde AFS has separate supply lines and valves to each of the AFS pumps. Thus, a single valve closure will not cause AFS failure. Only a true common cause failure, the inadvertent closure of multiple redundant valves, will cause an AFS failure in the Palo Verde design.

B. Filters (in parallel) on suction side of three pumps plugged up with foreign material which restricted flow. Docket 50-305-354.

Palo Verde AFS pumps have startup suction filters. Train 1 and 2 pumps have full flow test capabilities that will detect any restricted flow.

C. Condensate storage tank water level was intentionally drawn down below technical specification limits to maintain maximum steam generator blowdown. Failure to maintain water supply to multiple AFWS pumps within specifications. Docket 50-315-340.

The Palo Verde condensate storage tank maintains a maximum of 550,000 gallons and, when the volume decreases to 530,000 gallons, an automatic refill system can provide 125,000 gallons at a rate of 250 gal/min. The AFS requirement is 330,000 gal. In addition, the reactor makeup water tank, with a maximum capacity of 480,000 gal, can be transferred to the AFS by local manual action.

D. Condensate storage tank water level was intentionally drawn down below technical specification limits because makeup water supply was dirty (high oxygen content). Failure to maintain water supply to multiple AFWS pumps within specifications. Docket 50-247-449.

The Palo Verde condensate storage tank nitrogen blanket is maintained at about 2 psig. This system prevents re-entrainment of oxygen, which is removed by the makeup demineralizer degasifier; thus this problem should not exist or is greatly reduced in the Palo Verde design.

E. Two AFWS pumps failed to start because of defective control switches which failed to close contacts. Docket 50-305-350.

This could happen in the Palo Verde AFS; however, since the train 1 pump is a turbine drive and the train 2 pump is an electric drive, the control switches will most likely be different, and thus tend to be independent failures as opposed to a common cause failure. The common switches/breakers will be in the Auxiliary Feedwater Actuation Signal (AFAS) system.

F. A breaker accidentally opened and interrupted power to the turbine overspeed protection (which tripped the reactor), and also interrupted power to an AFWS lube oil pump, preventing start of the related AFWS pump. Docket 50-305-361.

The Palo Verde AFS lube oil pump is a direct mechanical drive off of the turbine driven feed pump. Thus this should have no effect on the Palo Verde AFS.

G. Two AFWS valves were upgraded during the licensing process and were not seismically qualified because of oversight. Docket 50-289-491.

All safety related valves on the Palo Verde AFS are seismically qualified.

Quantitative Analysis - The method of reference 13 was used to quantitatively estimate the effect of common cause failures. This approach is known as the β-factor method.

Simply stated, the β-factor method assumes that a fraction of the operationally independent failure probabilities (Q) of one loop of a redundant system will result in the loss of all redundant loops in that system. The analysis below uses a β-factor of β = 2.7 x 10^-2. This β-factor is a mean value based on an assumed range of 10^-1 to 10^-3. Again, the log normal distribution is assumed. The mean and range allow the β-factor to be included in the uncertainty calculations.

The common cause failure probability, Q_cc, for a redundant system can be approximated by the failure probability of one loop of a redundant system, Q_loop, times β, added to the independent failures.

In general, the β-factor approach to common cause failure estimates shows its greatest impact on system reliability for highly redundant and simultaneously operating systems, to the extent that more than a single-failure-proof redundancy is generally not warranted if β-factor common cause methodology is assumed.

For this analysis, the following assumptions were made:

1. The cross-over MOVs, check valves, DC/vital instrument buses, AFAS (auxiliary feedwater automatic start) signal, electric pump and buses, operator error, and the diesel generators were identical or similar and thus subject to the common cause β-factor.
2. The turbine drive and electric drive pumps were diverse and not subject to the common cause β-factor.
3. The inter-train common cause failures were considered.

The common cause failure probability contributions to the AFS were calculated and added to the independent failure probabilities. The results are shown in table 4-1.
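The effect of the β-factor (common cause factor) approximation on added redundancy, as an added Python example that is not part of the original report. It uses the page's mean value of 2.7 x 10^-2 and the page's mean pump failure to start values (1.2 x 10^-3 motor driven, 2 x 10^-2 turbine driven); the function names and the treatment of a single train are assumptions of this example.

```python
from math import prod

BETA = 2.7e-2            # mean common cause (beta) factor stated on this page
Q_MOTOR_PUMP = 1.2e-3    # mean motor-driven pump failure to start (page value)
Q_TURBINE_PUMP = 2e-2    # mean turbine-driven pump failure to start (page value)


def identical_trains(q_loop, n, beta=BETA):
    """n identical trains: all fail independently, or one loop failure is a
    common cause failure (fraction beta) that defeats every loop."""
    if n == 1:
        return q_loop    # assumption: no redundancy for common cause to defeat
    return q_loop ** n + beta * q_loop


def diverse_trains(train_q):
    """Diverse trains are treated as not subject to the common cause factor."""
    return prod(train_q)


def redundancy_gain(q_loop, max_trains=4, beta=BETA):
    """Rows of (n, system unavailability, improvement over n-1 trains)."""
    rows, previous = [], None
    for n in range(1, max_trains + 1):
        q_sys = identical_trains(q_loop, n, beta)
        rows.append((n, q_sys, previous / q_sys if previous else None))
        previous = q_sys
    return rows


def diversity_break_even(q_loop, beta=BETA):
    """Largest unavailability a diverse second train may have and still match
    an identical second train: q_d * q_loop = q_loop**2 + beta * q_loop."""
    return q_loop + beta


if __name__ == "__main__":
    for n, q_sys, gain in redundancy_gain(Q_MOTOR_PUMP):
        note = "" if gain is None else f"  (x{gain:.2f} better than {n - 1})"
        print(f"{n} identical train(s): {q_sys:.3e}{note}")
    diverse = diverse_trains([Q_TURBINE_PUMP, Q_MOTOR_PUMP])
    print(f"turbine + motor (diverse): {diverse:.3e}")
    print(f"break-even for diverse train: {diversity_break_even(Q_MOTOR_PUMP):.3e}")
```

The second identical train improves unavailability by a factor of about 35, the third by less than 5 percent, because the common cause term (3.24E-5) sets a floor; the less reliable but diverse turbine train still gives a lower result than a second identical motor train.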


Table 4-1 AFS RELIABILITY ESTIMATE

INDEPEND. - STATISTICAL INDEPENDENT FAILURE PROBABILITY (UNAVAILABILITY)
C.C. - COMMON CAUSE ESTIMATE

EVENT       CASE  ESTIMATE   OP. ERROR/  TEST &   HUMAN    TOTAL    PER
                             HARDWARE    MAINT.   ERROR             YEAR
LMFW        1     INDEPEND.  3.7E-5      3.7E-5   1.3E-4   2.0E-4   6.0E-4
                  C.C.       1.5E-4      4.0E-5   8.7E-4   1.1E-3   3.3E-3
            2     INDEPEND.  3.7E-5      3.7E-5   1.3E-4   2.0E-4   6.0E-4
                  C.C.       1.5E-4      4.0E-5   8.7E-4   1.1E-3   3.3E-3
            2A    INDEPEND.  1.1E-6      3.0E-6   1.1E-5   1.5E-5   4.5E-5
                  C.C.       1.1E-4      6.1E-6   7.5E-4   8.7E-4   2.6E-3
            3     INDEPEND.  8.1E-7      5.6E-7   2.0E-6   3.4E-6   1.0E-5
                  C.C.       1.1E-4      4.5E-6   7.5E-4   8.6E-4   2.6E-3
LMFW/LOOP   1     INDEPEND.  1.1E-3      5.3E-4   1.9E-3   3.5E-3   8.8E-4
                  C.C.       1.2E-3      5.3E-4   2.6E-3   4.3E-3   1.1E-3
            2     INDEPEND.  2.6E-4      8.8E-5   3.1E-4   6.6E-4   1.7E-4
                  C.C.       4.0E-4      1.0E-4   1.1E-3   1.6E-3   4.0E-4
            2A    INDEPEND.  6.7E-5      3.3E-5   1.1E-4   2.1E-4   5.3E-5
                  C.C.       2.1E-4      4.4E-5   8.9E-4   1.1E-3   2.8E-4
            3     INDEPEND.  5.1E-5      3.3E-5   1.2E-4   2.0E-4   5.0E-5
                  C.C.       1.9E-4      4.6E-5   8.9E-4   1.1E-3   2.8E-4
LMFW/LOAC   1     INDEPEND.  2.4E-2      8.1E-3   2.9E-2   6.1E-2   6.1E-5
                  C.C.       2.4E-2      8.1E-3   3.0E-2   6.2E-2   6.2E-5
            2     INDEPEND.  2.4E-2      8.1E-3   2.9E-2   6.1E-2   6.1E-5
                  C.C.       2.4E-2      8.1E-3   3.0E-2   6.2E-2   6.2E-5
            2A    INDEPEND.  2.4E-2      8.1E-3   2.9E-2   6.1E-2   6.1E-5
                  C.C.       2.4E-2      8.1E-3   3.0E-2   6.2E-2   6.2E-5
            3     INDEPEND.  2.4E-2      8.3E-3   2.9E-2   6.1E-2   6.1E-5
                  C.C.       2.4E-2      8.3E-3   3.0E-2   6.2E-2   6.2E-5

Hardware Estimates for common cause β-factor calculation

10^-3 < β < 10^-1, β (mean) = 2.7E-2

Single train:
  Crossover and check valves    (2x1.2E-3 + 1.2E-4)(2.7E-2) = 6.8E-5

More than one train:
  Crossover and check valves    (2x1.2E-3 + 3x1.2E-4)(2.7E-2) = 7.45E-5
  D/C vital buses               (1.2E-3)(2.7E-2) = 3.24E-5
  AFAS                          (2.2E-4)(2.7E-2) = 5.9E-6
      Turb/Elec Train Redundancy (sum of the above): 1.128E-4
  Elec. pump and buses          (1.2E-3 + 1.2E-3)(2.7E-2) = 6.48E-5
      Elec/Elec Train Redundancy (sum of the above): 1.776E-4
  D/G                           (4E-2)(2.7E-2) = 1.08E-3
      Elec Train/DG Redundancy (sum of the above): 1.257E-3

DG/Elec Pump and Turb. Pump:
  (4E-2 + 2.4E-3)(2.7E-2)(2E-2) = 2.3E-5
  (D/G + Elec Pump)(β factor)(Turb. Pump)

DG/Elec Pump and Turb. Pump and balance = 2.3E-5 + 1.13E-4 = 1.36E-4

Elec Pump and Turb. Pump:
  (6.5E-5)(2E-2) = 1.3E-6

Hardware/Operator Error Failure Probability Estimates

Event         Case  CC      Indep.  Σ
LOMF          1     1.1E-4  3.7E-5  1.5E-4
              2     1.1E-4  3.7E-5  1.5E-4
              2A    1.1E-4  1.1E-6  1.1E-4
              3     1.1E-4  8.1E-7  1.1E-4
LOOP          1     1.1E-4  1.1E-3  1.2E-3
              2     1.4E-4  2.6E-4  4.0E-4
              2A    1.4E-4  6.7E-5  2.1E-4
              3     1.4E-4  5.1E-5  1.9E-4
AC Blackout   1     6.8E-5  2.4E-2  2.4E-2
              2     6.8E-5  2.4E-2  2.4E-2
              2A    6.8E-5  2.4E-2  2.4E-2
              3     6.8E-5  2.4E-2  2.4E-2

The above results show the common cause and independent contributions to the hardware/operator error failure probability estimates utilizing the common cause factors.

Similarly, the hardware/operator error common cause and independent contributions to the test and maintenance and human error fault tree models were estimated and incorporated into the various branches. Only in the human error fault tree model did a common cause between all the branches seem feasible; thus another common cause β-factor was included (see appendix I).

4.1.6 Task 6 - Propagation of Uncertainty

There are two objectives for this study: a reliability comparison of four design alternatives, and an analysis to meet the requirements of the NRC letter dated March 10, 1980 (reference 12). Reference 12 cites NUREG 0635.

The principal aim of NUREG 0635 was to evaluate the variability of auxiliary feedwater system designs rather than evaluating variability in data to be applied to a specific design. Thus propagation of uncertainty is not a requirement of NUREG 0635.

Since propagation of uncertainty can affect the decision making process among design alternatives, it was considered in this study.

Propagation of uncertainty requires that all median data points based on the log normal distribution be converted to mean values according to the equations of page II-43, Appendix II of reference 2. The converted values (means) are shown on table H-1 of Appendix H.

The equations used to calculate the means and variances of item failure data are:

$$f(\lambda;\mu,\sigma) = \frac{1}{\sqrt{2\pi}\,\sigma\lambda}\exp\left[-\frac{(\ln\lambda-\mu)^2}{2\sigma^2}\right]$$

$$\lambda_{.50} = e^{\mu}$$

$$\lambda_{.95} = e^{\mu + 1.645\sigma}$$

$$\lambda_{.05} = e^{\mu - 1.645\sigma}$$

$$\text{Mean } (\alpha) = e^{\mu + \sigma^2/2}$$

$$\text{Var } (\beta^2) = \alpha^2\left(e^{\sigma^2} - 1\right)$$

$$\sigma^2 = \ln\left(\frac{\beta^2}{\alpha^2} + 1\right)$$

$$\mu = \ln\alpha - \frac{\sigma^2}{2}$$

where:

λ = item failure rate
μ, σ = parameters of the log normal distribution

Calculations of Means and Variances of Dominant Minimal Cut Sets are accomplished by using the following equations (from reference 11).

2nd order Minimal Cut Set

$$\text{Mean } (\alpha)_2 = \alpha_1\alpha_2$$

$$\text{Var } (\beta^2)_2 = \alpha_1^2\beta_2^2 + \alpha_2^2\beta_1^2 + \beta_1^2\beta_2^2$$

3rd order Minimal Cut Set

$$\text{Mean } (\alpha)_3 = \alpha_1\alpha_2\alpha_3$$

$$\text{Var } (\beta^2)_3 = \alpha_1^2\alpha_2^2\beta_3^2 + \alpha_1^2\alpha_3^2\beta_2^2 + \alpha_2^2\alpha_3^2\beta_1^2 + \alpha_1^2\beta_2^2\beta_3^2 + \alpha_2^2\beta_1^2\beta_3^2 + \alpha_3^2\beta_1^2\beta_2^2 + \beta_1^2\beta_2^2\beta_3^2$$

Care was taken to ensure that all 2nd order and higher dominant minimal cut set distributions were statistically independent from one another. This was accomplished by identifying all minimal cut sets of a given branch of the tree which had one or more items in common. The common items were then re-factored and stated in an independent form before calculating the uncertainty.

If, for example, two minimal cut sets were:

#1 (A, B)
#2 (A, C)

then the distribution for A is shared by cut sets #1 and #2, and thus they are not independent.

This problem can be circumvented by rearranging as follows:

U = A B + A C
  = A (B + C)

and then applying the rules for combination of means and variances.
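The conversions and cut set rules above, carried through in Python as an added example that is not part of the original report. It converts a median and error factor to mean and variance, reproduces the 2.7 x 10^-2 mean of the common cause factor from its 10^-3 to 10^-1 range, generalizes the 2nd and 3rd order formulas to a product of any order, and shows what is lost if the shared event A is not factored out; the values for A, B and C are constructed for illustration and the function names are this example's own.

```python
import math

Z95 = 1.645  # 95th-percentile multiplier used in the page's equations


def lognormal_from_median_ef(median, error_factor):
    """Median and error factor (lambda_.95 / lambda_.50) -> (mean, variance)."""
    mu = math.log(median)
    sigma = math.log(error_factor) / Z95
    alpha = math.exp(mu + sigma ** 2 / 2)
    beta_sq = alpha ** 2 * (math.exp(sigma ** 2) - 1)
    return alpha, beta_sq


def lognormal_from_bounds(lower_05, upper_95):
    """5% and 95% bounds -> (mean, variance); the median is their geometric mean."""
    median = math.sqrt(lower_05 * upper_95)
    return lognormal_from_median_ef(median, upper_95 / median)


def lognormal_params(alpha, beta_sq):
    """Inverse relations: (mean, variance) -> (mu, sigma^2)."""
    sigma_sq = math.log(beta_sq / alpha ** 2 + 1)
    return math.log(alpha) - sigma_sq / 2, sigma_sq


def product_moments(events):
    """Mean and variance of a product of independent events (one minimal cut set).

    Uses E[X^2] = alpha^2 + beta^2 for each event; for two or three events this
    expands to the 2nd and 3rd order formulas given in the text.
    """
    mean = math.prod(a for a, _ in events)
    second_moment = math.prod(a * a + b for a, b in events)
    return mean, second_moment - mean * mean


def sum_moments(terms):
    """Mean and variance of a sum of independent terms (sum of cut set values)."""
    return sum(a for a, _ in terms), sum(b for _, b in terms)


def bounds(alpha, beta_sq):
    """5%, median and 95% values of the log-normal fitted to (mean, variance)."""
    mu, sigma_sq = lognormal_params(alpha, beta_sq)
    s = math.sqrt(sigma_sq)
    return math.exp(mu - Z95 * s), math.exp(mu), math.exp(mu + Z95 * s)


# Constructed basic events (median per demand, error factor); not the page's data.
A = lognormal_from_median_ef(1e-3, 3)
B = lognormal_from_median_ef(1e-2, 10)
C = lognormal_from_median_ef(3e-3, 3)


def naive_branch():
    """Treats cut sets (A, B) and (A, C) as independent, ignoring the shared A."""
    return sum_moments([product_moments([A, B]), product_moments([A, C])])


def refactored_branch():
    """U = A (B + C): the shared event is factored out before combining."""
    return product_moments([A, sum_moments([B, C])])


if __name__ == "__main__":
    beta_mean, beta_var = lognormal_from_bounds(1e-3, 1e-1)
    print(f"common cause factor mean from 1E-3..1E-1 range: {beta_mean:.2e}")
    for name, (mean, var) in (("naive", naive_branch()),
                              ("refactored", refactored_branch())):
        low, median, high = bounds(mean, var)
        print(f"{name:>10}: mean={mean:.3e} var={var:.3e} "
              f"5%={low:.2e} median={median:.2e} 95%={high:.2e}")
```

Both treatments give the same mean; the naive one understates the variance by exactly 2 x Var(A) x Mean(B) x Mean(C), the covariance introduced by the shared event.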

4.2 Results and Conclusions

4.2.1 Presentation of Results

The results of the analysis are presented in three forms.

The first contains all calculated results in tabular form (table 4-2) without the effects of uncertainty. The far right hand column shows unavailability as a function of each initiating event. The "Total" column gives the results given that the initiating event has occurred. The common cause numbers shown on the table include the effects of independent failures. All the failure probabilities are mean log normal values.

Figures 4-5, 4-6, and 4-7 are graphical comparisons of the "Total" column of table 4.1. In these figures the effect of uncertainty is shown as well as the mean and median values.

Figures 4-8 and 4-9 are the results of the analysis shown in the NUREG 0635 format. The following steps are required to convert the preceding results to the NUREG 0635 format:

1. All pumps must have the same failure rate.
2. Mean values must be converted to median values.
3. Both diesel generators are considered available in the event of LMFW/LOOP.
4. A less conservative approach to operator error.
5. Include the effect of dominant common causes.

In step 1, instead of using a mean turbine pump failure to start frequency of 2 x 10^-2 and a mean motor driven pump failure to start frequency of 1.2 x 10^-3, a median value of 10^-3 was used for all pumps.

Table 4-2 AFS RELIABILITY ESTIMATE

INDEPEND. - STATISTICAL INDEPENDENT FAILURE PROBABILITY (UNAVAILABILITY)
C.C. - COMMON CAUSE ESTIMATE

EVENT       CASE  ESTIMATE   OP. ERROR/  TEST &   HUMAN    TOTAL    PER
                             HARDWARE    MAINT.   ERROR             YEAR
LMFW        1     INDEPEND.  3.7E-5      3.7E-5   1.3E-4   2.0E-4   6.0E-4
                  C.C.       1.5E-4      4.0E-5   8.7E-4   1.1E-3   3.3E-3
            2     INDEPEND.  3.7E-5      3.7E-5   1.3E-4   2.0E-4   6.0E-4
                  C.C.       1.5E-4      4.0E-5   8.7E-4   1.1E-3   3.3E-3
            2A    INDEPEND.  1.1E-6      3.0E-6   1.1E-5   1.5E-5   4.5E-5
                  C.C.       1.1E-4      6.1E-6   7.5E-4   8.7E-4   2.6E-3
            3     INDEPEND.  8.1E-7      5.6E-7   2.0E-6   3.4E-6   1.0E-5
                  C.C.       1.1E-4      4.5E-6   7.5E-4   8.6E-4   2.6E-3
LMFW/LOOP   1     INDEPEND.  1.1E-3      5.3E-4   1.9E-3   3.5E-3   8.8E-4
                  C.C.       1.2E-3      5.3E-4   2.6E-3   4.3E-3   1.1E-3
            2     INDEPEND.  2.6E-4      8.8E-5   3.1E-4   6.6E-4   1.7E-4
                  C.C.       4.0E-4      1.0E-4   1.1E-3   1.6E-3   4.0E-4
            2A    INDEPEND.  6.7E-5      3.3E-5   1.1E-4   2.1E-4   5.3E-5
                  C.C.       2.1E-4      4.4E-5   8.9E-4   1.1E-3   2.8E-4
            3     INDEPEND.  5.1E-5      3.3E-5   1.2E-4   2.0E-4   5.0E-5
                  C.C.       1.9E-4      4.6E-5   8.9E-4   1.1E-3   2.8E-4
LMFW/LOAC   1     INDEPEND.  2.4E-2      8.1E-3   2.9E-2   6.1E-2   6.1E-5
                  C.C.       2.4E-2      8.1E-3   3.0E-2   6.2E-2   6.2E-5
            2     INDEPEND.  2.4E-2      8.1E-3   2.9E-2   6.1E-2   6.1E-5
                  C.C.       2.4E-2      8.1E-3   3.0E-2   6.2E-2   6.2E-5
            2A    INDEPEND.  2.4E-2      8.1E-3   2.9E-2   6.1E-2   6.1E-5
                  C.C.       2.4E-2      8.1E-3   3.0E-2   6.2E-2   6.2E-5
            3     INDEPEND.  2.4E-2      8.3E-3   2.9E-2   6.1E-2   6.1E-5
                  C.C.       2.4E-2      8.3E-3   3.0E-2   6.2E-2   6.2E-5

Step 2 relates to step 1 in that all mean failure rate values listed in table 4-1 must be converted to median values to be consistent with NUREG 0635.

In both of the above steps, component specific failure rates and mean values (needed to propagate uncertainty) were used to make a more meaningful comparison of the four design alternatives. Although this is beyond the requirements of NUREG 0635, it was deemed necessary to prevent the possibility of introducing errors. This is not inconsistent, since the principal aim of the NUREG was to evaluate the variability of auxiliary feedwater system designs now operating rather than evaluating the variability in data to be applied to a specific design or design alternatives.

Step 3 required the assumption that the dedicated diesel generators were available on loss of offsite power, although NUREG 0635 assumed one diesel generator was always available. The assumption that the dedicated diesel generators were available was necessary in order to show the effect of three train configurations on reliability.

Step 4 required that one operator error in the Master Fault Tree of Appendix C replace three operator errors, A04, A05 and A06. Although there were nine operator errors in the fault tree, only the above three appear in the dominant minimal cut sets. The effect on the results due to the use of one operator error will be small due to the redundancy in the system.

Steps 4 and 5 are not purely quantitative; thus, engineering judgement enters into the consideration of the effect on unavailability. For instance, the potential of Case 2A for safety and operational control systems interaction reduces the difference between Cases 2 and 2A, as would a less conservative approach to the consideration of the human factor involved in activating train 3 in Case 2. Under these conditions it is not unreasonable to expect Cases 2 and 2A to be closer in terms of unavailability.

4.2.2 Discussion of Results

4.2.2.1 Dominant Failure Modes

The analysis indicated that the greatest unavailability was due to human error. The human error was inadvertently leaving the pump recirculation valve open after a test and inadvertently leaving the pump discharge locked open manual valve closed after maintenance on the pump. These valves are not provided with position indicators in the control room. The locked-open pump discharge maintenance valve will not be tested or checked with pump operations after pump maintenance. The estimated human error failure probability for this was assessed at 2.7E-2 per demand.

By tech specs, the pump recirc valve will be opened for pump testing once a month per train. All pumps were assumed to be tested monthly. The data source indicates that the failure rate of valves with position indicators in the control room is assessed at about 1/2 order less than the valves without position indicators.

The AFS pump discharge valves, both the check and locked open manual valves, V015 & V016 and V024 & V025, are not indicated to be flow tested in any of the surveillance requirements. A pressure indicator is provided downstream of these valves, but this does not fully assure that these valves are or will be fully open.

The two check valves, V079 and V080, which go to the feedwater headers to the steam generators, again are not indicated to be checked or tested in any of the surveillance requirements. The technical specification states that pump tests shall be performed monthly and the crossover valves be tested at least once in 18 months, but no explicit total system testing is stated. These check and locked-open manual valves can only be tested during a total system test. Thus, it is recommended that a total system test be required at least once every 18 months.

4.2.3 Conclusions

The conclusions of the study are as follows:

A. Provide the capability to supply train 3 auxiliary feedwater pump from the train A diesel generator (Case 2).

B. Provide position indication in the control room on the pump test by-pass valves.

C. Provide power to the suction valves for train 3 auxiliary feedwater pump from the train A diesel generator.

D. Perform a total system test once every 18 months.

E. Perform testing on different shifts.

[Figure 4-1: AFS Reliability Tasks. Flow chart: Task 1 (P&IDs, technical specifications, RBDs, event tree); Task 2 fault tree development; Task 3 minimal cut sets; Task 4 statistically independent hardware/operator action, T+M, and human error quantification; Task 5 common cause hardware/operator action, T+M, and human error quantification; Task 6 uncertainty calculation.]

[Figure 4-2: Reliability block diagram of the main condensate storage tank CTE-T01 (330,000 gal reserve) and its level instrumentation (level transmitters, level switches, control room alarms, level indicators, operator), from drawing 13-M-CTP-001 Rev 2 (PVNGS). Legend: redundancy type (active, automatic standby, remote manual standby, local manual standby); state with plant at power (NO normally open, NC normally closed, LO locked open, LC locked closed, ND normally de-energized, NE normally energized); item (EOV electric operated valve, AOV air operated valve, CR control room, RS remote shutdown).]

[Figure 4-3 (Task 2): Simplified fault tree. Top event: "No flow to both steam generators during boil dry time". Branches: hardware/operator action, human error, and test and maintenance, each with independent failures and common cause inputs.]

[Figure: Common links resulting in dependencies among components, train 1 (turbine driven pump). Rows list the train 1 components (pump driver, pump, pump control, manual gate, check and globe valves, valve actuators and valve controls); columns are the common link categories, grouped as mechanical or thermal, electrical or radiation, and chemical or miscellaneous.]

[Figure 4-5: Failure probability, LMFW. Independent and common cause estimates for Cases 1, 2, 2A and 3, each marked with 5%, median, mean and 95% probabilities on a logarithmic failure probability axis. All data reflect unit probability of initiating event.]

[Figure 4-6: Failure probability, LMFW/LOOP. Independent and common cause estimates for Cases 1, 2, 2A and 3, each marked with 5%, median, mean and 95% probabilities on a logarithmic failure probability axis. All data reflect unit probability of initiating event.]

[Figure 4-7: Failure probability, LMFW/LOAC. Independent and common cause estimates for Cases 1, 2, 2A and 3, each marked with 5%, median, mean and 95% probabilities on a logarithmic failure probability axis. All data reflect unit probability of initiating event.]

[Figure 4-8: Reliability characterizations for AFS designs in plants using the Combustion Engineering NSSS and Palo Verde. Rows: Palo Verde Cases 1, 2, 2A and 3 and the other plants; columns: transient events LMFW, LMFW/LOOP, and LMFW/loss of all AC, each rated Low, Med or High.]

[Figure 4-9: Reliability characterizations for AFS designs in plants using the Westinghouse NSSS and Palo Verde. Rows: Palo Verde Cases 1, 2, 2A and 3 and the other plants; columns: transient events LMFW, LMFW/LOOP, and LMFW/loss of all AC, each rated Low, Med or High.]

5.0 REFERENCES

1. NUREG-0635 "Generic Evaluation of Feedwater Transients and Small Break Loss of Coolant Accidents in Combustion Engineering Designed Operating Plants".
2. WASH-1400 (NUREG-75/014) Reactor Safety Study an Assessment of Accident Risks in U.S. Commercial Nuclear Plants.
3. NUREG-0572 Review of Licensee Event Reports (1976-1978).
4. COMCAN II "A Computer Program for Common Cause Failure Analysis" (Tree-1298) by D. M. Rasmuson, et al., of EG&G Idaho, Inc. September 1978.
5. Common Cause Failure Experience in Nuclear Plant Auxiliary Feedwater Systems for Reliability Analysis (WARD-SR-3045-4) Topical Report by G. E. Edison of Westinghouse Advanced Reactors Division for D.O.E.
6. Computer Aided Fault Tree Analysis (FTAP) by R. R. Willie of Operations Research Center University of California Berkeley OC 78-14 August 1978. Available through Dr. H. Lambert University of California, Berkeley.
7. Importance Computer Code by H. E. Lambert and F. M. Gilman. Available through H. Lambert University of California, Berkeley.
8. A Study of Steam Turbine Driven Pump LER's - September 1978. Prepared by Bechtel Power Corporation.
9. NUREG-75/087 Standard Review Plan for Auxiliary Feedwater Systems.
10. ANPP System Description titled "Auxiliary Feedwater", Rev. 1 November 1979, prepared by Bechtel Power Corporation.
11. Probability Intervals for the Top Event Unavailability of Fault Tree by Y. T. Lee and G. E. Apostolakis UCLA Report Number UCLA-ENG-7663, June 1976.
12. NRC Letter of March 10, 1980. TO ALL PENDING OPERATING LICENSE APPLICANTS OF NUCLEAR STEAM SUPPLY SYSTEMS DESIGNED BY WESTINGHOUSE AND COMBUSTION ENGINEERING. SUBJECT: ACTIONS REQUIRED FROM OPERATING LICENSE APPLICANTS OF NUCLEAR STEAM SUPPLY SYSTEMS DESIGNED BY WESTINGHOUSE AND COMBUSTION ENGINEERING RESULTING FROM THE NRC BULLETINS AND ORDERS TASK FORCE REVIEW REGARDING THE THREE MILE ISLAND UNIT 2 ACCIDENT
13. "A Reliability Model for Common Mode Failure in Redundant Safety Systems", K. N. Fleming General Atomics Report No. GA-A13284 April 18, 1975.


APPENDIX A

PVNGS AUXILIARY FEEDWATER SYSTEM PIPING AND INSTRUMENTATION DRAWINGS

Figure A-1 (piping and instrumentation drawing; title block: Bechtel, Arizona Nuclear Power Project, Palo Verde Nuclear Generating Station)

Figure A-2 (piping and instrumentation drawing; title block: Bechtel, Arizona Nuclear Power Project, Palo Verde Nuclear Generating Station)

DOCUMENT/PAGE PULLED

NO. OF PAGES: 3
REASON:
- PAGE ILLEGIBLE. HARD COPY FILED AT: PDR / CF / OTHER
- BETTER COPY REQUESTED ON
- PAGE TOO LARGE TO FILM. HARD COPY FILED AT: PDR / CF / OTHER
- FILMED ON APERTURE CARD NO

APPENDIX B

RELIABILITY BLOCK DIAGRAMS

PVNGS AFS RELIABILITY BLOCK DIAGRAM, Figure B-1 (Sheet 1 of 11)

Legend:
- DASHED LINE: MULTI-FUNCTION ITEM
- LOCATION: CR - CONTROL ROOM; RS - RESERVE SHUTDOWN STATION
- VITAL INSTRUMENT BUS
- REDUNDANCY TYPE: ACTIVE AUTOMATIC; REMOTE MANUAL STANDBY; LOCAL MANUAL STANDBY
- Each block carries: DRAWING COORDINATE, ITEM NUMBER, ITEM DESCRIPTION
- ITEM DESCRIPTION: E/P - ELECTRO PNEUMATIC; E/H - ELECTRO HYDRAULIC; NO - NORMALLY OPEN; NC - NORMALLY CLOSED; LO - LOCKED OPEN; LC - LOCKED CLOSED; ND - NORMALLY DEENERGIZED; NE - NORMALLY ENERGIZED; FL - FAILED LOCKED; NA - NORMALLY ACTIVE
- BLOCK DIAGRAM SEQUENCE: SHEET 2, SHEET 3, SHEET 4, SHEET 5, SHEET 6, SHEET 7, SHEET 8, SHEET 10, SHEET 9, SHEET 11

APPENDIX C

MASTER FAULT TREE

DOCUMENT/PAGE PULLED

NO. OF PAGES:
REASON:
- PAGE ILLEGIBLE. HARD COPY FILED AT: PDR / CF / OTHER
- BETTER COPY REQUESTED ON
- PAGE TOO LARGE TO FILM. HARD COPY FILED AT: PDR / CF / OTHER
- FILMED ON APERTURE CARD NO

DOCUMENT/PAGE PULLED

NO. OF PAGES:
REASON:
- PAGE ILLEGIBLE. HARD COPY FILED AT: PDR / CF / OTHER
- BETTER COPY REQUESTED ON
- PAGE TOO LARGE TO FILM. HARD COPY FILED AT: PDR / CF / OTHER
- FILMED ON APERTURE CARD NO

APPENDIX D

TEST AND MAINTENANCE FAULT TREE

APPENDIX E

HUMAN ERROR FAULT TREE

Figure D-1. T & M FAULT TREE

Event labels on the figure:
- CASE 1: AFS UNAVAILABLE DUE TO TEST OR MAINTENANCE (TRAIN 1, 2 & 3)
- TRAIN 1 OUT FOR TEST OR MAINTENANCE
- TRAIN 2 OUT FOR TEST OR MAINTENANCE
- TRAIN 3 OUT FOR TEST OR MAINTENANCE
- TRAINS 2 & 3 FAIL TO DELIVER FLOW TO BOTH SG'S
- TRAINS 1 & 3 FAIL TO DELIVER FLOW TO BOTH SG'S
- TRAINS 1 & 2 FAIL TO DELIVER FLOW TO BOTH SG'S
- NO FLOW TO SG(A); NO FLOW TO SG(B)
- UNAVAILABLE DUE TO TEST (VALVE, PUMP)
- UNAVAILABLE DUE TO MAINTENANCE (VALVE, PUMP)

Note on the figure: VALVES WERE CONSIDERED BUT HAD NO IMPACT DUE TO TESTING DURING SHUTDOWN.

Figure E-1. HUMAN ERROR FAULT TREE

Event labels on the figure:
- CASE 1: AFS UNAVAILABLE DUE TO HUMAN ERROR (TRAIN 1, 2 & 3)
- TRAIN 1 OUT FOR HUMAN ERROR
- TRAIN 2 OUT FOR HUMAN ERROR
- TRAIN 3 OUT FOR HUMAN ERROR
- TRAINS 2 & 3 FAIL TO DELIVER FLOW TO BOTH SG'S
- TRAINS 1 & 3 FAIL TO DELIVER FLOW TO BOTH SG'S
- TRAINS 1 & 2 FAIL TO DELIVER FLOW TO BOTH SG'S
- NO FLOW TO SG(A); NO FLOW TO SG(B)
- HUMAN ERROR (TEST, MAINT)
- FAIL TO CLOSE OR OPEN VALVE (VALVE OPEN, VALVE CLOSED)

APPENDIX F

COMMON CAUSE CLASSIFICATIONS AND DEFINITIONS

- Energy flow path: Same hydraulic, electric, air loop
- Test Procedure: Faulty test procedure
- Proximity: Location
- Operator or Operation: Operator disable or overstressed
- Maintenance: Incorrect procedure, poorly trained
- Installation Contractor: Same subcontractor or crew
- Calibration: Misprinted calibration instruction, test equipment faulty
- Energy Source: Common drive shaft, same power supply
- Biological hazards: Poisonous gases, explosives, missiles
- Similar: Same generic component, i.e., a valve, centrifugal pump, electric motor, etc.
- Identical: Same manufacture, size, design
- Corrosion (Oxidation): In a water medium, or around high temperature metals (i.e., filaments)
- Corrosion (Acid): Boric acid from neutron control system, acid used for removing rust and cleaning
- Current - out of tolerance: Short circuit, power surge
- Voltage - out of tolerance: Power surge
- Conducting medium: Moisture, combustion gases
- Radiation damage: Neutron sources, charged particle radiation
- Electromagnetic Interference (EMI): Welding equipment, rotating elec. machinery, lightning, power supply
- Temperature: Fire, lightning, welding equipment, cooling system faults, elec. short circuits
- Stress: Thermal stress at welds of dissimilar metals, bending moments
- Moisture: Condensation, pipe rupture, rain, flood
- Grit: Dust, metal fragments generated by moving parts with inadequate tolerances
- Pressure: Explosion, out-of-tolerance system changes (pump overspeed, flow blockage)
- Vibration: Machinery in motion, earthquake
- Impact: Pipe whip, water hammer, missiles, earthquakes, structural failure

APPENDIX G

SAMPLE MINIMAL CUT SET

Table G-1. TYPICAL MINIMAL CUT SET, LMFW (CASE 3)

| Fail Path Number | Concurrent Hardware Failure(s) Required to Cause AFS Failure |
|---|---|
| 1 | CTET01 |
| 2 | CTEPV3 |
| 3 | EAAC AFASB |
| 4 | EFAC EAAC EEAC |
| 5 | EBAC AFASB V007 |
| 6 | EBAC AFASB AFASA |
| 7 | EBAC EFAC V007 |
| 8 | EBAC EFAC AFASA |
| 9 | EBAC EFAC EAAC |
| 10 | EDAC EAAC EEAC |
| 11 | EDAC EBAC V007 |
| 12 | EDAC EBAC AFASA |
| 13 | EDAC EBAC EAAC |
| 14 | ECDC EBAC AFASB |
| 15 | ECDC EBAC EFAC |
| 16 | ECDC EDAC EBAC |
| 17 | EADC EBAC AFASB |
| 18 | EADC EBAC EFAC |
| 19 | EADC EDAC EBAC |
| 20 | V015 EBAC AFASB |
| ... | ... |
| 280 | |

APPENDIX H

FAILURE RATES

Table H-1. Failure Rates (Sheet 1 of 4)

| Item | Mean | Variance | Failure Mode |
|---|---|---|---|
| V079 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| UV34 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| AFASA | 2.2E-04 | 5.0E-07 | MOV INITIATING SIGNAL FAILURE AUTO-MANUAL |
| EBAC | 1.2E-03 | 9.3E-07 | ESSEN ELEC SUPPLY B FAILURE AC |
| HV30 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| V024 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| AFBP01 | 1.2E-03 | 9.3E-07 | ELEC PUMP FAIL TO START |
| EEAC | 1.2E-03 | 9.3E-07 | ESSEN ELEC SUPPLY FAILURE AC |
| V022 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| ECDC | 1.2E-03 | 9.3E-07 | ESSEN ELEC SUPPLY C FAILURE DC |
| AFASB | 2.2E-04 | 5.0E-07 | MOV INITIATING SIGNAL FAILURE AUTO-MANUAL |
| UV36 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| EADC | 1.2E-03 | 9.3E-07 | ESSEN ELEC SUPPLY A FAILURE DC |
| HV32 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| V015 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| AFAP01 | 2.0E-02 | 2.6E-04 | TURB PUMP FAIL TO START |
| V007 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| V080 | 1.2E-04 | 3.3E-09 | CHECK FAIL TO OPEN |
| UV35 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| HV31 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| UV37 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| HV33 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |

Table H-1. Failure Rates (Sheet 2 of 4)

| Item | Mean | Variance | Failure Mode |
|---|---|---|---|
| CTET01 | 1.0E-16 | N.A. | CONDENSATE STORAGE TANK RUPTURE |
| CTEPV | 1.0E-16 | N.A. | TANK PIPE AND VALVE RUPTURE |
| V652 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| V642 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| A01 | 2.7E-02 | 4.4E-03 | OPERATOR ERROR-15 MIN |
| UV130 | 4.0E-04 | 1.0E-07 | AOV FAIL TO OPEN |
| A02 | 2.7E-02 | 4.4E-03 | OPERATOR ERROR-15 MIN |
| UV172 | 4.0E-04 | 1.0E-07 | AOV FAIL TO OPEN |
| A03 | 2.7E-02 | 4.4E-07 | OPERATOR ERROR-15 MIN |
| FV1113 | 4.0E-04 | 1.0E-07 | FCV FAIL TO OPEN |
| V002 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| V012 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| A04 | 2.7E-02 | 4.4E-03 | OPERATOR ERROR-15 MIN |
| AFNP01 | 1.2E-03 | 9.3E-07 | ELEC PUMP-NON ESSEN FAIL TO START |
| A05 | 2.7E-02 | 4.4E-09 | OPERATOR ERROR-15 MIN |
| EAAC | 1.2E-03 | 9.3E-07 | ESSEN ELEC SUPPLY A FAILURE AC |
| UV1 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| UV4 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| A06 | 2.7E-02 | 4.4E-03 | OPERATOR ERROR-15 MIN |
| V653 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| V693 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |

CTET01, CTEPV: See Sec. 4.1.4.

Table H-1. Failure Rates (Sheet 3 of 4)

| Item | Mean | Variance | Failure Mode |
|---|---|---|---|
| A07 | 2.7E-02 | 4.4E-03 | OPERATOR ERROR-15 MIN |
| UV135 | 4.0E-04 | 1.0E-07 | AOV FAIL TO OPEN |
| A08 | 2.7E-02 | 4.4E-03 | OPERATOR ERROR-15 MIN |
| UV175 | 4.0E-04 | 1.0E-07 | AOV FAIL TO OPEN |
| A09 | 2.7E-02 | 4.4E-03 | OPERATOR ERROR-15 MIN |
| FV1123 | 4.0E-04 | 1.0E-07 | FCV FAIL TO OPEN |
| V008 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| UV234 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| EDAC | 2.2E-03 | 9.3E-07 | ESSEN ELEC SUPPLY D FAILURE AC |
| HV230 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| V224 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| AFCP01 | 1.2E-03 | 9.3E-07 | ELEC PUMP FAIL TO START |
| EFAC | 1.2E-03 | 9.3E-07 | ESSEN ELEC SUPPLY FAILURE AC |
| V222 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| UV235 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| HV231 | 1.2E-03 | 9.3E-07 | MOV FAIL TO OPEN |
| AS | 1.2E-03 | 9.3E-07 | AIR SUPPLY |
| EPEB | 4.0E-02 | 1.0E-03 | B DIESEL GEN FAIL TO START |
| EPEA | 4.0E-02 | 1.0E-03 | A DIESEL GEN FAIL TO START |
| AFAP02 | 1.9E-03 | 4.2E-06 | TURB PUMP TEST UNAVAIL |
| AFAP03 | 5.8E-03 | 2.8E-04 | TURB PUMP MAINT UNAVAIL |
| AFBP02 | 1.9E-03 | 4.2E-06 | ELEC PUMP TEST UNAVAIL |
| AFBP03 | 5.8E-03 | 2.8E-04 | ELEC PUMP MAINT UNAVAIL |

Table H-1. Failure Rates (Sheet 4 of 4)

| Item | Mean | Variance | Failure Mode |
|---|---|---|---|
| AFCP02 | 1.9E-03 | 4.2E-06 | ELEC PUMP-NON ESSEN-TEST UNAVAIL |
| AFCP03 | 5.8E-03 | 2.8E-04 | ELEC PUMP-NON ESSEN-MAINT UNAVAIL |
| CTEPV1 | 1.0E-16 | N.A. | TANK PIPE AND VALVE RUPTURE |
| CTEPV2 | 1.0E-16 | N.A. | TANK PIPE AND VALVE RUPTURE |
| CTEPV3 | 1.0E-16 | N.A. | TANK PIPE AND VALVE RUPTURE |
| V279 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |
| V280 | 1.2E-04 | 9.3E-09 | CHECK FAIL TO OPEN |

CTEPV1, CTEPV2, CTEPV3: See Section 4.1.4.

APPENDIX I

SAMPLE CALCULATIONS

Appendix I presents sample calculations for the AFS reliability estimate. Case 1 of the LMFW is used as a sample; see Table I-1, 1st row.

A. Operator Error / Hardware:

1. Independent estimate = 3.7E-5

Table I-2, Cases 1 & 2 LMFW, Hardware / Operator Error, is the dominant portion of its minimal cut set (MCS) as developed from the master fault tree in Appendix C. The second order MCS's failure probability (Q), or unavailability, was 3.47E-5. The 3rd order MCS was estimated to be about 2E-6. Thus, the total Q is 3.5E-5 + 2E-6 = 3.7E-5.

2. Common cause estimate = 1.5E-4

From the common cause quantitative factors in section 4.1.6, the Turb/Elec Train redundancy factor, 1.1E-4, was chosen because all components between these trains were considered the same except the turbine pump and the electric pumps. Thus, the common cause contribution (1.1E-4) added to the independent estimate (3.7E-5) totals 1.5E-4.

Table I-1. AFS RELIABILITY ESTIMATE

Values are failure probability (unavailability). INDEPEND. - statistical independent estimate; C.C. - common cause estimate.

| Event | Case | Estimate | Hardware | Test & Maint. | Human Error | Total | Per Year |
|---|---|---|---|---|---|---|---|
| LMFW | Case 1 | INDEPEND. | 3.7E-5 | 3.7E-5 | 1.3E-4 | 2.0E-4 | 6.0E-4 |
| LMFW | Case 1 | C.C. | 1.5E-4 | 4.0E-5 | 8.7E-4 | 1.1E-3 | 3.3E-3 |
| LMFW | Case 2 | INDEPEND. | 3.7E-5 | 3.7E-5 | 1.3E-4 | 2.0E-4 | 6.0E-4 |
| LMFW | Case 2 | C.C. | 1.5E-4 | 4.0E-5 | 8.7E-4 | 1.1E-3 | 3.3E-3 |
| LMFW | Case 2A | INDEPEND. | 1.1E-6 | 3.0E-6 | 1.1E-5 | 1.5E-5 | 4.5E-5 |
| LMFW | Case 2A | C.C. | 1.1E-4 | 6.1E-6 | 7.5E-4 | 8.7E-4 | 2.6E-3 |
| LMFW | Case 3 | INDEPEND. | 8.1E-7 | 5.6E-7 | 2.0E-6 | 3.4E-6 | 1.0E-5 |
| LMFW | Case 3 | C.C. | 1.1E-4 | 4.5E-6 | 7.5E-4 | 8.6E-4 | 2.6E-3 |
| [illegible] | Case 1 | INDEPEND. | 1.1E-3 | 5.3E-4 | 1.9E-3 | 3.5E-3 | 8.8E-4 |
| [illegible] | Case 1 | C.C. | 1.2E-3 | 5.3E-4 | 2.6E-3 | 4.3E-3 | 1.1E-3 |
| [illegible] | Case 2 | INDEPEND. | 2.6E-4 | 8.8E-5 | 3.1E-4 | 6.6E-4 | 1.7E-4 |
| [illegible] | Case 2 | C.C. | 4.0E-4 | 1.0E-4 | 1.1E-3 | 1.6E-3 | 4.0E-4 |
| [illegible] | Case 2A | INDEPEND. | 6.7E-5 | 3.3E-5 | 1.1E-4 | 2.1E-4 | 5.3E-5 |
| [illegible] | Case 2A | C.C. | 2.1E-4 | 4.4E-5 | 8.9E-4 | 1.1E-3 | 2.8E-4 |
| [illegible] | Case 3 | INDEPEND. | 5.1E-5 | 3.3E-5 | 1.2E-4 | 2.0E-4 | 5.0E-5 |
| [illegible] | Case 3 | C.C. | 1.9E-4 | 4.6E-5 | 8.9E-4 | 1.1E-3 | 2.8E-4 |
| [illegible] | Case 1 | INDEPEND. | 2.4E-2 | 8.1E-3 | 2.9E-2 | 6.1E-2 | 6.1E-5 |
| [illegible] | Case 1 | C.C. | 2.4E-2 | 8.1E-3 | 3.0E-2 | 6.2E-2 | 6.2E-5 |
| [illegible] | Case 2 | INDEPEND. | 2.4E-2 | 8.1E-3 | 2.9E-2 | 6.1E-2 | 6.1E-5 |
| [illegible] | Case 2 | C.C. | 2.4E-2 | 8.1E-3 | 3.0E-2 | 6.2E-2 | 6.2E-5 |
| [illegible] | Case 2A | INDEPEND. | 2.4E-2 | 8.1E-3 | 2.9E-2 | 6.1E-2 | 6.1E-5 |
| [illegible] | Case 2A | C.C. | 2.4E-2 | 8.1E-3 | 3.0E-2 | 6.2E-2 | 6.2E-5 |
| [illegible] | Case 3 | INDEPEND. | 2.4E-2 | 8.3E-3 | 2.9E-2 | 6.1E-2 | 6.1E-5 |
| [illegible] | Case 3 | C.C. | 2.4E-2 | 8.3E-3 | 3.0E-2 | 6.2E-2 | 6.2E-5 |

Table I-2. CASES 1 AND 2 LMFW, HARDWARE / OPERATOR ERROR

B. Test and Maintenance - Figure I-1

1. Independent Estimate = 3.7E-5

a.(1) Pump Test = 1.9E-3

$$Q_{Test} = \frac{(\text{hrs/test})(\text{tests/year})}{(\text{hrs/year})} = \frac{1.4 \times 12}{8760} = 1.9\text{E-}3$$

b. Pump Maintenance = 5.8E-3

$$Q_{Maint} = \frac{.22\,(\text{hrs/maint})}{720} = \frac{.22 \times 19}{720} = 5.8\text{E-}3$$

c. Valve Maintenance = 1.2E-6

$$Q_{Maint} = \frac{(1.2\text{E-}4)(7)}{720} = 1.2\text{E-}6$$

Since the AFS is a standby system and since no repair can take place during the boildry time, the only way any portion of the system can be down for maintenance is as a result of a failure during test. The only full system test takes place during refueling and thus has no effect on AFS unavailability.

The AFS is a non-pressurized standby system.

MOV's are only tested during shutdown. The only active valve that would be cycled during pump testing will be the pump suction check valve. The demand failure rate of a check valve is assessed at 1.2E-4. Thus it was assumed that the likelihood of valve maintenance per month is 1.2E-4.

d. Thus the unavailability of any train out for T or M is the sum of a + b + c, or 7.8E-3.

(1) Note: All lower case letters refer to locations on the fault trees.

e. Trains 2 & 3 Fail = 1.4E-3

Table I-3, Cases 1 & 2 LMFW, Train 1 out, is the dominant portion of the MCS as developed from the master fault tree in Appendix C. The Q for this branch was estimated to be 1.4E-3.

f. Train 1 out and Trains 2 & 3 Fail = 1.1E-5

This is the product of the Train 1 unavailability (7.8E-3) and Trains 2 & 3 fail (1.4E-3), equal to 1.1E-5.

g. Trains 1 & 3 Fail = 3.3E-3

Table I-4, Cases 1 & 2 LMFW, Train 2 out, is the dominant portion of the MCS as developed from the master fault tree in Appendix C. The Q for this branch was estimated to be 3.3E-3.

h. Train 2 out and Trains 1 & 3 Fail = 2.5E-5

This is the product of the Train 2 unavailability (7.8E-3) and Trains 1 & 3 fail (3.3E-3), equal to 2.5E-5.

i. Trains 1 & 2 Fail = 9.6E-5

Table I-5, Cases 1 & 2 LMFW, Train 3 out, is the dominant portion of the MCS as developed from the master fault tree in Appendix C. The Q for this branch was estimated to be 9.6E-5.

j. Train 3 out and Trains 1 & 2 Fail = 7.5E-7

This is the product of the Train 3 unavailability (7.8E-3) and Trains 1 & 2 fail (9.6E-5), equal to 7.5E-7.
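
The section B arithmetic above (steps a through j) and the section A.2 common cause sum, carried through in Python as an added example; it is not part of the original report. Function names are illustrative, and reading 0.22 and 1.2E-4 as maintenance acts per month with 19 and 7 as hours per act is an assumption that reproduces the page's 5.8E-3 and 1.2E-6.

```python
"""Added example: Appendix I sample calculation (sections A.2 and B)."""

HOURS_PER_YEAR = 8760    # denominator of step a
HOURS_PER_MONTH = 720    # denominator of steps b and c

# Steps e, g, i: Q that the two remaining trains fail, as quoted on the page
# from Tables I-3, I-4 and I-5.
REMAINING_TRAINS_FAIL = {
    "train 1 out": 1.4e-3,   # trains 2 & 3 fail
    "train 2 out": 3.3e-3,   # trains 1 & 3 fail
    "train 3 out": 9.6e-5,   # trains 1 & 2 fail
}


def sig2(x):
    """Round to two significant figures, the precision the report prints."""
    return float(f"{x:.1e}")


def pump_test_q(hours_per_test=1.4, tests_per_year=12):
    """Step a: fraction of the year a pump is out of service for testing."""
    return hours_per_test * tests_per_year / HOURS_PER_YEAR


def maintenance_q(acts_per_month, hours_per_act):
    """Steps b and c: expected maintenance downtime per 720-hour month.

    Assumption: the first factor is a monthly frequency and the second a
    duration in hours; the scanned formula is too garbled to confirm this.
    """
    return acts_per_month * hours_per_act / HOURS_PER_MONTH


def train_out_contributions():
    """Steps a to d: the three contributions and their sum."""
    a = pump_test_q()
    b = maintenance_q(0.22, 19)     # pump maintenance
    c = maintenance_q(1.2e-4, 7)    # valve maintenance
    return {"a": a, "b": b, "c": c, "sum": a + b + c}


def tm_branches(q_train_out=7.8e-3):
    """Steps f, h, j: AND gate, i.e. the product of independent events.

    The unrounded a + b + c is 7.7E-3; the page carries 7.8E-3 into these
    steps, so that value is the default here.
    """
    return {name: q_train_out * q for name, q in REMAINING_TRAINS_FAIL.items()}


def or_gate_rare_event(qs):
    """Top event as the plain sum of branch probabilities (rare-event bound)."""
    return sum(qs)


def or_gate_exact(qs):
    """Top event for independent branches: 1 - prod(1 - q)."""
    survive = 1.0
    for q in qs:
        survive *= 1.0 - q
    return 1.0 - survive


def with_common_cause(independent_q, cc_factor=1.1e-4):
    """Section A.2: common cause factor added to the independent estimate."""
    return independent_q + cc_factor


if __name__ == "__main__":
    for step, q in train_out_contributions().items():
        print(f"step {step}: {q:.2e}")
    branches = tm_branches()
    for name, q in branches.items():
        print(f"{name} AND other two trains fail: {q:.2e}")
    qs = list(branches.values())
    print(f"T&M independent, rare-event sum: {or_gate_rare_event(qs):.3e}")
    print(f"T&M independent, exact OR gate:  {or_gate_exact(qs):.3e}")
    print(f"hardware with common cause:      {with_common_cause(3.7e-5):.2e}")
```

The sum of the three branches rounds to the 3.7E-5 quoted as the independent estimate, and the exact OR gate differs from the rare-event sum only in the tenth decimal place, which is why simple addition is adequate at these magnitudes.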


Table I-4 CASES 1 AND 2 LMFW TRAIN 2 OUT (3 sheets)


k. The total statistically independent AFS unavailability due to T or M is the sum of f (1.1E-5) + h (2.5E-5) + j (7.5E-7) equal to 3.7E-5.

2. T or M Common Cause Estimate = 4.0E-5.

Potential Common Cause (CC) was assumed only to occur in the three main branches of the tree. No CC was assumed between the three main branches. CC factors from Section 4.1.6 were utilized as applicable to the hardware / operator portion of the tree.

e'. Common cause factor of 1.8E-4 was selected for Trains 2 & 3 because the two trains were assumed to be similar including the pump. This added to the independent Q (1.4E-3) is 1.6E-3.

f'. Train 1 out and Trains 2 & 3 fail with CC = 1.2E-5. This is the product of Train 1 unavailability (7.8E-3) and Trains 2 & 3 fails with CC (1.6E-3) = 1.2E-5.

g'. CC factor of 1.1E-4 was selected for Trains 1 & 3 because all components were assumed similar except the pumps. This added to 3.3E-3 = 3.4E-3.

h'. Train 2 out and Trains 1 & 3 fails with CC = 2.6E-5. This is the product of (7.8E-3) and (3.4E-3) = 2.6E-5.

i'. CC factor of 1.1E-4 was selected for Trains 1 & 2 because all components were assumed similar except the pumps. This added to 9.6E-5 = 2.1E-4.

j'. Train 3 out and Trains 1 & 3 fails with CC = 1.6E-6. This is the product of (7.8E-3) and (2.1E-4) = 1.6E-6.

k'. The total AFS unavailability due to T or M with independence and CC is the sum of f' (1.2E-5) + h' (2.6E-5) and j' (1.6E-6) equal to 4.0E-5.

C. Human Error - Figure I-2
The human errors considered were forgetting to reclose the pump full flow test valve after it was opened and forgetting to reopen the pump discharge manual maintenance valve after a pump failure and maintenance action.

1. Independent estimate = 1.3E-4

a. Test valve open = 1.0
Full flow pump test requires the flow by-pass valve to be fully opened. All pumps were assumed to be tested on a monthly basis, thus the likelihood of this valve to be opened is 1.0.

b. For the turbine pump, the demand failure rate is assessed at 2E-2, thus, conservatively, the maintenance valve will be closed monthly at a likelihood of 2E-2 due to a failure.

c. Similar to "b", the electric pump demand failure rate is assessed at 1.2E-3, thus its maintenance valve will be closed monthly at a likelihood of 1.2E-3 due to a failure.

d. The human error of "fail to reclose or reopen" a valve without position indicators in the control room was taken from NUREG 0635 and was assessed at 2.7E-2.

e. Train 1 out for human error = 2.75E-2
The likelihood of Train 1 to be unavailable is the product of the likelihood to open the test valve and to close the maintenance valve (1.02) times the human error failure probability (2.7E-2) equal to 2.75E-2.

f. Train 2 or 3 out for human error = 2.7E-2
The likelihood of Train 2 or 3 to be unavailable is the product of the likelihood to open the test valve or to close the maintenance valve (1.001) times the human error failure probability (2.7E-2) equal to 2.7E-2.

g. Trains 2 & 3 Fails = 1.4E-3
Same as T & M, B.1.e.

h. Train 1 out and Trains 2 & 3 fails = 3.9E-5
This is the product of Train 1 unavailable due to human error (2.75E-2) and Trains 2 & 3 fails (1.4E-3) equal to 3.9E-5.

i. Trains 1 & 3 Fails = 3.3E-3
Same as T & M B.1.g.

j. Train 2 out and Trains 1 & 3 fails = 8.9E-5
This is the product of Train 2 out due to human error (2.7E-2) and Trains 1 & 3 fails (3.3E-3) equal to 8.9E-5.

k. Trains 1 & 2 Fails = 9.6E-5
Same as T & M B.1.g.

l. Train 3 out and Trains 1 & 2 fails = 2.6E-6
This is the product of Train 3 out for human error (2.7E-2) and Trains 2 & 3 fails (9.6E-5) equal to 2.6E-6.

m. AFS Statistical Independent Unavailable Due to Human Error (1.3E-4) is the sum of h (3.9E-5) + j (8.9E-5) + m (2.6E-6).
2. Human Error Common Cause estimate = 8.7E-4

Potential Common Cause (CC) was assumed to occur in the three main branches of the tree. In addition, a potential CC between the three main branches of the tree was assumed to exist in that the operator may forget to reclose or reopen valves after test or maintenance on all three main branches.

g'. Common cause factor of 1.8E-4 was selected for the same reason as T or M CC B.2.e'. This added to the independent Q (1.4E-3) is 1.6E-3.

h'. Train 1 out and Trains 2 & 3 fail with CC = 4.4E-5.
This is the product of Train 1 unavailability (2.75E-2) and Trains 2 & 3 fails with CC (1.6E-3) = 4.4E-5.

i'. CC factor of 1.1E-4 was selected for Trains 1 & 3 for the same reason as T or M CC B.2.g'. This added to the independent Q (3.3E-3) is 3.4E-3.

j'. Train 2 out and Trains 1 & 3 fail with CC = 9.2E-5.
This is the product of Train 2 unavailability (2.7E-2) and Trains 1 & 3 fails with CC (3.4E-3) = 9.2E-5.

k'. CC factor of 1.1E-4 was selected for Trains 1 & 2 for the same reason as T or M CC B.2.i'. This added to the independent Q (9.6E-5) is 2.1E-4.

m'. Train 3 out and Trains 1 & 2 fails with CC = 5.6E-6
This is the product of Train 3 unavailability (2.7E-2) and Trains 1 & 2 fail with CC (2.1E-4) = 5.6E-6.

n'. The total AFS unavailability due to human error with independence and CC in the three main branches is the sum of h' (4.4E-5) + j' (9.2E-5) + m' (5.6E-6) equal to 1.4E-4.

n". The CC factor between the three main branches was assessed to be human error failure probability (2.7E-2) times the common cause factor (2.7E-2) equal to 7.3E-4. This added to the independent failure (1.3E-4) equal to 8.7E-4.

D. Total Failure Probability per demand - Table I-1

1. Independent = 2.0E-4
The total statistical independent failure probability is the sum of the hardware / operator error (3.7E-5) and T & M (3.7E-5) and human error (1.3E-4) equal to 2.0E-4.

2. Common Cause = 1.1E-3
Total CC failure probability is the sum of hardware / operator error (1.5E-4) and T & M (4.0E-5) and human error (1.1E-3) equal to 1.1E-3.

E. Unavailability (A) per year - assume 3 LMFW/year. Table I-1

1. Independent = 6.0E-4
The total statistical independent failure probability per demand (2.0E-4) times the demand per year (3) equal to 6.0E-4.

2. Common Cause = 3.3E-3
Total CC failure probability per demand (1.1E-3) times the demand per year (3) equal to 3.3E-3.
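The T or M and human error quantification in sections B and C, as an added Python example (not part of the original report): each branch multiplies one train's outage probability by the probability that the other two trains fail, and the three branches are summed. The function names and the 5% comparison tolerance are assumptions of this example; the report rounds its intermediate values, so recomputed totals match the stated ones only to about two significant figures.

```python
from math import isclose

# Per-demand values quoted in the sample calculations above.
PAIR_FAIL = {"2&3": 1.4e-3, "1&3": 3.3e-3, "1&2": 9.6e-5}  # remaining two trains fail
PAIR_CC = {"2&3": 1.8e-4, "1&3": 1.1e-4, "1&2": 1.1e-4}    # common cause factors
# Each branch pairs the train that is out with the two trains that must then fail.
BRANCHES = (("1", "2&3"), ("2", "1&3"), ("3", "1&2"))

TM_OUT = {"1": 7.8e-3, "2": 7.8e-3, "3": 7.8e-3}  # train out for test or maintenance

HEP = 2.7e-2            # human error: fail to reclose or reopen a valve
TURBINE_PUMP = 2e-2     # demand failure rate used for Train 1 (factor 1.02)
ELECTRIC_PUMP = 1.2e-3  # demand failure rate used for Trains 2 and 3 (factor 1.001)


def human_error_out(pump_demand_failure):
    """Test valve opened (1.0) plus maintenance valve closed, times the HEP."""
    return (1.0 + pump_demand_failure) * HEP


HE_OUT = {"1": human_error_out(TURBINE_PUMP),
          "2": human_error_out(ELECTRIC_PUMP),
          "3": human_error_out(ELECTRIC_PUMP)}


def branch_q(out_q, pair, with_cc=False):
    """AND gate: one train out, and the other two fail (plus CC if requested)."""
    pair_q = PAIR_FAIL[pair] + (PAIR_CC[pair] if with_cc else 0.0)
    return out_q * pair_q


def tree_q(out, with_cc=False):
    """OR gate over the three branches, rare-event approximation (plain sum)."""
    return sum(branch_q(out[train], pair, with_cc) for train, pair in BRANCHES)


# Totals as stated in the text; True means CC within the three main branches.
STATED = {("T or M", False): 3.7e-5, ("T or M", True): 4.0e-5,
          ("human error", False): 1.3e-4, ("human error", True): 1.4e-4}


def audit(rel_tol=0.05):
    """Recompute each tree and flag totals that differ from the stated value."""
    trees = {"T or M": TM_OUT, "human error": HE_OUT}
    report = {}
    for (name, with_cc), stated in STATED.items():
        calc = tree_q(trees[name], with_cc)
        report[(name, with_cc)] = (calc, stated, isclose(calc, stated, rel_tol=rel_tol))
    return report


if __name__ == "__main__":
    for (name, with_cc), (calc, stated, ok) in audit().items():
        label = "with CC" if with_cc else "independent"
        print(f"{name:12s} {label:12s} calc={calc:.3e} stated={stated:.1e} ok={ok}")
```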

Figure I-1. T&M FAULT TREE (Case 1: AFS unavailable due to test or maintenance). Note on the figure: valves were considered but had no impact due to testing pump during shutdown.

Figure I-2. HUMAN ERROR FAULT TREE (Case 1: AFS unavailable due to human error).