ML20004D681
ML20004D681 | |
Person / Time | |
---|---|
Site: | Wolf Creek, Callaway |
Issue date: | 05/31/1981 |
From: | STANDARDIZED NUCLEAR UNIT POWER PLANT SYSTEM |
To: | |
Shared Package | |
ML20004D672 | List: |
References | |
NUDOCS 8106090644 | |
Text
RELIABILITY ANALYSIS OF THE SNUPPS AUXILIARY FEEDWATER SYSTEM
May 1981
TABLE OF CONTENTS
SUMMARY
1.0 INTRODUCTION
1.1 Background
1.2 Objective
1.3 Scope
1.4 General Approach
1.5 Assumptions and Criteria
2.0 SYSTEM DESCRIPTION
2.1 Introduction
2.2 Component Description
2.3 Emergency Operation
2.4 Power Sources
2.5 Information Available to the Operator
2.6 Technical Specifications
3.0 METHODOLOGY
3.1 Systems Review / Study Bounds
3.2 Fault Trees
3.3 Minimal Cut-Sets
3.4 Fault Tree Quantification
3.5 Importance Evaluation
3.6 Common Cause Failure
3.7 Interfacing Systems Failures
4.0 COMMON CAUSE FAILURE EVALUATION
5.0 RESULTS OF THE RELIABILITY EVALUATION
5.1 AFW System Reliability
5.2 Importance Evaluation
5.3 Dominant Failure Modes
5.4 Interfacing Systems
6.0 CONCLUSIONS / RECOMMENDATIONS
7.0 REFERENCES
Appendix A: Fault Trees
Appendix B: Failure Data - Basic Event Probabilities
Appendix C: Minimal Cut Sets
LIST OF TABLES
B-1 Component-Basic Event Failure Probabilities
B-2 Composite Basic Event Probabilities - Options A, B, and C
C-1 AFWS Fault Tree Reduced to 9 Three-Event Cut-Sets
C-2 Significant Minimal Cut-Sets: Option A
C-3 Significant Minimal Cut-Sets: Option B
C-4 Significant Minimal Cut-Sets: Option C
LIST OF FIGURES
1-1 Basic Tasks of SNUPPS AFWS Reliability Study
2-1 Auxiliary Feedwater System P&ID
2-2 Auxiliary Feedwater Pump Turbine P&ID
2-3 Main Single Line Diagram of AC Power System
2-4 Main Single Line Diagram of DC Power System
5-1 Qualitative Comparison of the Reliability Characteristics for AFWS Designs in Plants Using the Westinghouse NSSS (including SNUPPS)
5-2 Quantification of the Reliability Characteristics of the SNUPPS AFWS for Various Options
5-3 Importance of Selected Events for Option A
5-4 Importance of Selected Events for Option B
5-5 Importance of Selected Events for Option C
Summary
The NRC has requested all pending operating license applicants with nuclear steam supply systems (NSSS) designed by Westinghouse and Combustion Engineering to assess the reliability of their auxiliary feedwater system (Reference 5). As a part of the response to this request, a reliability evaluation was made of the auxiliary feedwater system (AFWS) as designed for SNUPPS. This report presents the results of that reliability evaluation.
The primary objective of the study was to evaluate the reliability of the AFWS for SNUPPS using an approach which would yield results that could be compared to those obtained by the NRC analyses for Westinghouse NSSS as reported by NUREG-0611. A secondary objective of the study was to identify any dominant component failures or other faults affecting system reliability. In a manner similar to that reported in NUREG-0611, AFWS reliability was evaluated for three cases: 1) Loss of Main Feedwater (LMFW) with reactor trip, 2) Loss of Main Feedwater coincident with loss of offsite power (LMFW/LOOP), and 3) Loss of Main Feedwater accompanied by a total loss of all AC power (LMFW/LOAC). For each case, system unreliability was assessed through the construction and analysis of fault trees.
The results of the study indicated that the reliability ranking of the SNUPPS AFWS, compared to conditional reliabilities as defined and reported for Westinghouse plants in NUREG-0611, is in the $10^{-4}$ to $10^{-5}$ range for a loss of main feedwater transient, in the $10^{-4}$ to $10^{-5}$ range for a loss of main feedwater coupled with a loss of offsite power transient, and in the $10^{-1}$ to $10^{-2}$ range for the unlikely transient of a loss of main feedwater coincident with a total loss of both onsite and offsite AC power.
1.0 Introduction
1.1 Background
This report presents the results of a reliability study for the SNUPPS auxiliary feedwater system (AFWS) in a form compatible with information contained in NUREG-0611. The approach followed in this study was based on the information available in the initiating request (Reference 5) and information provided by the NRC to analysts performing AFWS reliability studies.
1.2 Objectives
o To perform a reliability analysis to determine the relative reliability of the SNUPPS auxiliary feedwater system (AFWS). To facilitate a meaningful comparison with NRC analyses, the initiating events given in NUREG-0611 were used, as well as similar assumptions, reliability data, and evaluation techniques.
o To identify the dominant failure modes of the SNUPPS AFWS.
o To examine, in more detail than treated in NUREG-0611, the possible contributions of single point vulnerabilities, common causes, human error, and test/maintenance outages to AFWS unavailability.
1.3 Scope
Three initiating event scenarios were analyzed:
Case 1: Loss of main feedwater (LMFW)
Case 2: Loss of main feedwater coincident with loss of offsite power (LMFW/LOOP)
Case 3: Loss of main feedwater coincident with loss of all AC power (LMFW/LOAC)
The existence of the above scenarios was considered a priori and an evaluation of their probability of occurrence was considered to be outside the bounds of this study.
Consistent with NUREG-0611, low probability common cause factors such as flood, fire, earthquake, sabotage or high energy line breaks were not considered.
1.4 General Approach
The principal technique used in this study was the construction and analysis of fault trees which represent the failure logic of the AFWS. The deductive logic used in evaluating the relative reliability of the AFWS is based on the Boolean logic associated with fault trees. The fault trees representing the SNUPPS auxiliary feedwater system can be found in Appendix A.
The fault trees were resolved into a list of cut sets to identify the failure modes, and failure rate data were inserted to evaluate system unreliability. Although failure data (see Appendix B) were taken primarily from NUREG-0611 (Reference 4), secondary sources of failure data were the LER Summaries (References 6 and 7), WASH-1400 (Reference 11) and NPRDS (Reference 12).
The degree of development of the fault tree was consistent with the reliability assessment goals and data available in NUREG-0611, and was limited to a point estimate of AFWS unavailability on demand. For the purposes of this study, unavailability is synonymous with unreliability and both terms may be found in this report. Although an uncertainty analysis was not performed, the importance of certain failure modes and the interrelationship between and significance of hardware failures, test/maintenance outages, and human errors were examined (see Section 5.2).
The sensitivity to human error was examined for three levels of human error (Options A, B, and C); the three options are defined in Appendix B.
Figure 1-1 is a flow chart of the basic tasks in the study.
Each of these steps is discussed in more detail in Section 3.
1.5 Assumptions
Assumptions were consistent with information supplied in NUREG-0611 and by the NRC Staff to industry analysts performing reliability studies for other plants. The assumptions assure that the SNUPPS reliability evaluation will give results comparable to those obtained by the NRC for plants evaluated in NUREG-0611. However, all the sensitivity evaluations, common cause evaluations and importance evaluations were based on a slightly more conservative assumption for onsite AC power availability (i.e., potential failure of either diesel generator was assumed). The specific assumptions used in the evaluation are:
- 1. Mission Success Criteria
The success criterion is a minimum flow of 470 gpm delivered within one minute to at least two steam generators following a loss of main feedwater. This is a conservative criterion specified to assure adequate heat removal for a worse case.
This criterion is the basis of the top event in the SNUPPS AFWS fault tree as presented in Appendix A. Since this quantitative evaluation of system reliability is a point estimate and since each AFWS pump is sized to provide at least 470 gpm to two steam generators, the top event can be simplified to no flow to more than 2 out of 4 steam generators.
- 2. Hardware and Human Error Failure Data
The failure data were taken primarily from NUREG-0611 and assumed valid and directly applicable to the evaluation of basic events in this study. In a few instances failure data were taken from WASH-1400 (Appendix III) and the LER Summaries. The actual data used are presented in Appendix B.
- 3. Test and Maintenance Outage Contribution
The calculational approach along with the outage mean duration data presented in Table III-2 of NUREG-0611 was used in this study. Test and maintenance outages were consistent with the Standard Technical Specifications (Reference 8). A more detailed discussion of the treatment of T&M outages is presented in Appendix B.
- 4. For comparison with the NUREG-0611 results, one diesel generator was assumed available with a probability of 1.0 and the other diesel generator fails with a probability of .04/demand. However, all sensitivity evaluations, common cause evaluations and importance evaluations were based on the potential failure of either diesel generator with a probability of .04/demand.
- 5. Sample and Test Lines
Sample and test lines were not considered as significant flow diversion and/or leakage paths in the development of fault trees used in the study.
- 6. Passive Piping Components
All piping components (i.e., sections of pipe, flanges, reducers, etc.) were assumed available with a probability of 1.0 and were not considered in the fault tree development. However, the effects on system unreliability of pipe breaks in non-seismic/non-Q interfacing systems were examined (see Section 5.4).
- 7. Degraded Component Failures
Degraded failures were not considered in the analysis; that is, components were assumed to operate properly or were treated as a total failure. Assumptions regarding component status, partial-capacity performance, and time-dependent (delayed) failures are made conservatively. That is, component failures will occur instantaneously and completely.
- 8. Coupling of Human Errors
Coupled human errors for test and maintenance were considered through the selection of the appropriate data for human acts and errors as supplied by the NRC in NUREG-0611. For a more detailed discussion of the human error treatment, see Appendix B.
- 9. Technical Specifications
Since plant technical specifications are not available at this time, the Standard Technical Specifications (Reference 8) were assumed.
[Figure 1-1: Basic Tasks of SNUPPS AFWS Reliability Study. Flow chart: Task 1, review of technical specifications, system descriptions, P&IDs and NUREG-0611, and system bounds; Task 2, fault tree development; Task 3, minimal cut sets; Task 4, fault tree quantification; Task 5, importance evaluation; Task 6, common cause failure evaluation; Task 7, results, conclusions / recommendations.]
2.0 System Description
2.1 Introduction
The following paragraphs describing the SNUPPS AFWS summarize the more extensive description given in the SNUPPS FSAR (Reference 3).
Figure 2-1 is a flow diagram of the SNUPPS AFWS. The SNUPPS Auxiliary Feedwater System consists of two motor-driven pumps, one steam turbine-driven pump, and associated piping, valves, instruments, and controls as shown in Figure 2-1. Figure 2-2 shows the piping and instrumentation for the steam turbine.
Each motor-driven auxiliary feedwater pump will supply 100 percent of the feedwater flow required for removal of the reactor decay heat. The turbine-driven pump is sized to supply up to twice the capacity of a motor-driven pump.
Normally, water to the AFW pumps is supplied from the condensate storage tank (CST). However, two redundant safety-related backup sources of water from the essential service water system (ESWS) are provided. Should the CST water supply to the pump suction be disrupted, the system will automatically switch from the CST to the ESWS on low pump suction pressure.
2.2 Component Description
Motor-Driven Pumps: These two auxiliary feedwater pumps are driven by AC-powered electric motors supplied with power from independent Class 1E switchgear buses. The pumps are horizontal centrifugal units.
Turbine-Driven Pump: The pump is a horizontal centrifugal unit. The pump bearings are cooled by the pumped fluid. Turbine bearing lube oil is circulated by an integral shaft-driven pump. Power for all controls, valve operators, and other support systems is independent of AC power sources.
Steam supply piping to the turbine is taken from two of the four main steam lines between the containment penetrations and the main steam isolation valves. Each of the steam supply lines to the turbine is equipped with an air-operated globe bypass valve to keep the line warm. The steam line is kept warm to prevent the accumulation of condensate which might produce a waterhammer in the line. The air-operated globe valves are equipped with DC-powered solenoid valves.
These steam supply lines join to form a header which leads to the turbine via a normally closed, DC motor-operated mechanical trip and throttle valve. De-energizing one of the redundant control solenoids will vent air from the "fail open" valve operators, allowing these isolation valves to open and admit steam to the TDP. The steam is supplied by steam generators B and C.
Both the air-operated (AOV) and motor-operated (MOV) flow control valves (FCV) are normally open. The AOVs are fail-open and the motor-operated FCVs fail as is.
Half of the valves (4 valves) are powered from Class 1E Load Group 1 and the other 4 valves are powered from Class 1E Load Group 4 (see Figure 2-1).
2.3 Emergency Operation
The AFWS is designed for automatic actuation in the event of an emergency.
Any one of the following conditions will automatically start both motor-driven pumps:
A. Two out of four low-low level signals in any one steam generator.
B. Trip of both main feedwater pumps.
C. Safeguards sequence signal (initiated by safety injection signal).
D. Class 1E bus loss of voltage sequence signal.
The turbine-driven pump is automatically actuated on either of the following signals:
A. Two out of four low-low level signals in any two steam generators.
B. Under voltage conditions on any two out of four reactor coolant pump feeder potential transformer cubicles.
Additionally, the AFWS is capable of remote-manual actuation.
In case of failure of the CST water supply, the normally closed, motor-operated butterfly valves from the ESWS are automatically opened on low suction header pressure.
2.4 Power Sources
Each SNUPPS unit is provided with a Class 1E AC and DC power system.
The Class 1E AC system distributes power at 4.16 kv, 480v, 208/120v, and 120v to all safety-related loads. The Class 1E AC system (see Figure 2-3) consists of the following features:
Power Supply Feeders:
Each Class 1E 4.16 kv load group (two in each unit) is supplied by a separate preferred power supply feeders and one diesel generator (standby) supply feeder. Each 4.16 kv bus supplies motor loads and 4.0 kv/480 v load center transformers with their associated 480 v buses.
Bus Arrangement:
The Class 1E AC system is divided into two redundant load groups per unit (load groups 1 and 2). For each unit, each AC load group consists of a 4.16 kv bus, two 480 v load centers, 480 v motor control center, and lower voltage AC supplies.
No provisions exist for automatically connecting one Class 1E load group to another redundant Class 1E load group or automatically transferring loads between load groups.
The Class 1E switchgear, load centers, and motor control centers for the redundant load groups are located in separate rooms of the control building to ensure physical separation.
Although the power distribution system is described in some detail, the failure of breakers and buses was not explicitly treated in the reliability evaluation.
Instrumentation and Control:
The DC control supplies for switchgear breaker operation are separate and independent so that Class 1E DC load group 1 supplies Class 1E load group 1 switchgear. The battery chargers for DC load group 1 are fed from the same load group switchgear. Class 1E DC load group 2 supplies Class 1E AC load group 2 switchgear.
Diesel Generators:
The standby power supply for each safety-related load group consists of one diesel generator complete with its accessories and fuel storage and transfer systems. One diesel generator is connected exclusively to a single 4.16 kv safety feature bus of a load group. The diesel generators are housed in separate rooms of a seismic Category I structure which ensures physical separation for fire and missile protection. Power and control cables for the diesel generators and associated switchgear are routed to maintain physical separation.
2.4.1 Vital Instrument AC Power Supply
Four independent Class 1E 120v AC vital instrument power supplies are provided to supply the four channels of protection systems and reactor control systems. Each vital instrument AC power supply consists of one inverter, one distribution bus, and one manual transfer switch. Each inverter is supplied by a Class 1E battery system.
2.4.2 Class 1E DC Power System
The Class 1E DC system provides DC electric power to the Class 1E DC loads and for control and switching of the Class 1E systems. Physical separation, electrical isolation, and redundancy are provided to comply with the requirements of IEEE-308. The four Class 1E DC subsystems are shown in Figure 2-4. Subsystems 1 and 4 provide control power for AC Load Groups 1 and 2, respectively. Each Class 1E DC power subsystem consists of one 125v battery, one battery charger, one inverter, and distribution switchboards.
The Class 1E batteries, chargers, and DC switchgear of each separate group are located in separate rooms of the seismic Category I control building.
Chargers and DC switchgear are in separate rooms from the batteries.
2.5 Information Available to Operator
In addition to control room instrumentation showing the water level and pressure in individual steam generators, the operator is provided with the following information relating to the auxiliary feedwater system:
Indication / Control: Control Room, Local (1); Control Room Alarm
Condensate storage tank suction MOV valve position: X X
ESW suction MOV valve position: X X
Condensate storage tank level: X X X
Condensate storage tank suction header pressure: X
Low pump suction pressure: X X X
Low pump discharge pressure: X X X
Pump flow control valve operation: X X
Pump flow control valve position: X X
Auxiliary feedwater flow: X X
Auxiliary feedwater pump turbine trip & throttle valve position: X X
Auxiliary feedwater pump turbine speed: X X
Auxiliary feedwater pump turbine low lube oil pressure: X
Auxiliary feedwater pump turbine high lube oil temperature: X
(1) Local control here means the auxiliary shutdown panel.
2.6 Technical Specifications
A review of the Standard Technical Specifications (Reference 8) indicates that for power, start-up, or hot standby plant status the limiting conditions of the AFWS for plant operation include:
- 1. At least three independent auxiliary feedwater pumps and associated flow paths shall be operable with:
- a. Two motor-driven AFW pumps, each capable of being powered from separate emergency buses, and,
- 2. Action
- a. With one auxiliary feedwater pump inoperable, restore at least three AFW pumps (two capable of being powered from separate emergency buses and one capable of being powered by an operable steam supply system) to an OPERABLE status within 72 hours or be in at least HOT STANDBY condition within the next 6 hours and in HOT SHUTDOWN within the following 6 hours.
- b. With two auxiliary feedwater pumps inoperable, be in at least HOT STANDBY within 6 hours and in HOT SHUTDOWN within the following 6 hours.
- c. With three auxiliary feedwater pumps inoperable, immediately initiate corrective action to restore at least one auxiliary feedwater pump to OPERABLE status as soon as possible.
To satisfy specified surveillance requirements, each auxiliary feedwater pump shall be demonstrated OPERABLE:
- 1. At least once per 31 days by:
- a. Verifying that each motor-driven pump develops a discharge pressure of greater than or equal to (later) psig at a flow of greater than or equal to (later) gpm.
- b. Verifying that the steam turbine-driven pump develops a discharge pressure of greater than or equal to (later) psig at a flow of greater than or equal to (later) gpm when the secondary steam supply pressure is greater than (later) psig.
- c. Verifying that each non-automatic valve in the flow path that is not locked, sealed, or otherwise secured in position, is in its correct position.
- d. Verifying that each automatic valve in the flow path is in the fully open position whenever the auxiliary feedwater system is placed in automatic control or when above 10 percent of RATED THERMAL POWER.
- 2. At least once per 18 months during shutdown by:
- a. Verifying that each motor-driven pump starts automatically upon receipt of each of the following test signals:
- 1. Loss of both main feedwater pumps.
- 2. Safety injection signal.
- 3. Two out of four low-low level signals in any one steam generator.
- 4. Class 1E bus loss of voltage sequence signal.
- b. Verifying that the steam turbine-driven pump starts automatically upon receipt of each of the following test signals:
- 1. Undervoltage conditions on any two out of four reactor coolant pump feeder potential transformer cubicles.
- 2. Two out of four low-low level signals in any two steam generators.
- c. Verifying that the valve in the suction line of each auxiliary feedwater pump from the Essential Service Water System automatically actuates to its full open position on a low suction pressure test signal.
[Figure 2-1: Auxiliary Feedwater System P&ID]
[Figure 2-2: Auxiliary Feedwater Pump Turbine P&ID]
[Figure 2-3: Main Single Line Diagram of AC Power System]
[Figure 2-4: Main Single Line Diagram of DC Power System]
3.0 Methodology
In this section the actual step-by-step procedure followed in performing the AFWS reliability study will be presented.
3.1 System Review / Study Bounds
In this first step the various drawings, P&IDs and schematics representing the SNUPPS AFWS were examined along with the FSAR and systems descriptions. Special attention was given to identifying the following:
- 1. Instrumentation systems required for success.
- 2. Fluid systems connected directly or indirectly to the AFWS.
- 3. HVAC systems required and their power sources.
- 4. The power sources of each of the components.
- 5. Any obvious single point vulnerabilities.
The reliability information described in Appendix III of NUREG-0611 was then appraised and AFWS studies performed for other facilities were reviewed. Since plant technical specifications did not exist when the study was initiated, the applicable requirements from the Standard Technical Specification (Reference 8) were assumed. Additionally, a review was made of the LER Summaries and NPRDS data to select failure data for some of the events not identified in the NUREG-0611 data base (see Appendix B). Based on the above information, the bounds of the study were set, level of resolution decided upon, and the assumptions stated, to form the foundation for the subsequent analysis.
3.2 Fault Trees
The fault trees were constructed (see Appendix A). In constructing the trees an effort was made to minimize the number of events explicitly identified on the tree. This was accomplished by combining many of the basic events, which would be found under a single OR gate, into a single composite basic event (CBE) (see Appendix B). In this way, a tree containing a manageable number of events was constructed which preserved the fault propagation within and between systems. When coalescing basic events into composite events, it was important to ensure that no event appearing in a composite event may appear elsewhere in the tree, unless the entire composite event recurs as a unit.
3.3 Minimal Cut-Sets
The fault tree was evaluated down to the level of composite basic events and the "subtrees" 77, 88 and 99; the "subtrees" are indicated by the transfer symbols on the fault trees presented in Appendix A. Coalescing the basic events into composite basic events results in a significant reduction in the number of cut-sets generated and required to be truncated. It was possible to reduce the resulting 2916 Boolean Indicated Cut-Sets (BICS) down to 9 three-event cut-sets (see Appendix C). Finally, the minimal cut-sets representing the "subtree-events" 77, 88 and 99 were substituted to resolve the fault tree to the level of composite basic events. These BICS were the basis of the subsequent quantification of the system.
3.4 Fault Tree Quantification
During this phase of the study, the BICS were processed in conjunction with the various event probabilities as defined in Appendix B. The probability of the top event was calculated by the following conservative first order approximation:
$$P(\mathrm{TOP}) = 1 - \prod_{i} \left[ 1 - P(i\text{th cut set}) \right]$$
3.5 Importance Evaluation
To identify the dominant failure modes of the SNUPPS AFWS, the importance of various events and groups of events was computed. The Importance of event E, $I_E$, is the probability that event E is contributing to the top
event failure, given the top event is failed (Reference 14). To perform the actual computation of the Importance, it was necessary to inspect the cut-sets of the various cases for events of interest and then to sum the probabilities. Finally, to obtain the Importance, the total probability of the selected cut-sets is divided by the top event probability.
The actual Importances for the various cases and options are presented in Section 5.2. In that section, the Importance of some of the events is further categorized. Testing is distinguished from maintenance, actuation failure from hardware failure, and human error is distinguished from hardware faults. In Figures 5-3, 5-4, 5-5, the relative Importance of various events is displayed on bar charts.
3.6 Common Cause Failure
The evaluation of common cause failures was approached in two phases. In the first phase those areas which historically have been associated with common cause failures, i.e., diesel generators, common location of components belonging to different trains, were examined. In addition to examining P&IDs and other drawings, extensive examination was made of the SNUPPS model (a completely detailed one-sixteenth scale model). It was concluded that human error was the only significant secondary cause and that other secondary causes, such as grit, temperature, manufacture, vibration, etc., would be insignificant in comparison. In the second phase, an attempt was made to quantify the effect and importance of the human error induced common cause failures. A more detailed discussion of the common cause failure evaluation is given in Section 4.
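The steps of Sections 3.3 to 3.5 (reduction to minimal cut-sets, the P(TOP) approximation, and Importance for an event or group of events), together with the OR-gate coalescing of Section 3.2, as an added Python example that is not code from the study. The event names, cut-sets and probabilities are constructed for illustration and are not the Appendix B or C data; events are assumed independent.

```python
from math import prod

# Constructed per-demand probabilities for composite basic events (CBEs).
# Names and values are illustrative; they are NOT the Appendix B data.
CBE_PROB = {
    "MDP_A_HW": 5e-3,  # motor-driven pump train A, hardware failure
    "MDP_A_TM": 2e-3,  # train A out for test/maintenance
    "MDP_B_HW": 5e-3,  # motor-driven pump train B, hardware failure
    "MDP_B_TM": 2e-3,  # train B out for test/maintenance
    "TDP_HW": 2e-2,    # turbine-driven pump train, hardware failure
    "TDP_TM": 6e-3,    # turbine-driven train out for test/maintenance
}

# Constructed cut-sets before reduction. The last two are redundant:
# a reordered duplicate and a superset of the first cut-set.
RAW_CUT_SETS = [
    ("MDP_A_HW", "MDP_B_HW", "TDP_HW"),
    ("MDP_A_TM", "MDP_B_HW", "TDP_HW"),
    ("MDP_A_HW", "MDP_B_TM", "TDP_HW"),
    ("MDP_A_HW", "MDP_B_HW", "TDP_TM"),
    ("TDP_HW", "MDP_B_HW", "MDP_A_HW"),
    ("MDP_A_HW", "MDP_B_HW", "TDP_HW", "MDP_A_TM"),
]


def composite_probability(basic_probs):
    """OR-gate coalescing (Section 3.2): the CBE occurs if any input occurs."""
    return 1.0 - prod(1.0 - p for p in basic_probs)


def minimal_cut_sets(cut_sets):
    """Drop duplicates and any cut-set that contains a smaller cut-set."""
    minimal = []
    for cs in sorted({frozenset(c) for c in cut_sets}, key=len):
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return minimal


def cut_set_probability(cut_set, probs):
    """Every event in the cut-set occurs; independence is assumed."""
    return prod(probs[e] for e in cut_set)


def top_event_probability(cut_sets, probs):
    """P(TOP) = 1 - prod_i [1 - P(ith cut set)], as in Section 3.4."""
    return 1.0 - prod(1.0 - cut_set_probability(cs, probs) for cs in cut_sets)


def importance(events, cut_sets, probs):
    """Section 3.5: summed probability of the cut-sets that contain any of
    `events`, divided by the top event probability."""
    wanted = set(events)
    total = sum(cut_set_probability(cs, probs)
                for cs in cut_sets if wanted & set(cs))
    return total / top_event_probability(cut_sets, probs)


if __name__ == "__main__":
    mcs = minimal_cut_sets(RAW_CUT_SETS)
    print("minimal cut-sets:", len(mcs))
    print("P(TOP):", top_event_probability(mcs, CBE_PROB))
    print("Importance of TDP_HW:", importance(["TDP_HW"], mcs, CBE_PROB))
    tm = [e for e in CBE_PROB if e.endswith("_TM")]
    print("Importance of test/maintenance group:",
          importance(tm, mcs, CBE_PROB))
```

Because a cut-set can contain several events of interest, Importances of different events can sum to more than 1.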
3.7 Interfacing Systems Failures

Finally, the effects on system reliability of expanding the bounds of the study to include two interfacing systems were examined. Because of their potential for diverting large portions of the water required by the steam generators, the main feedwater system and the service water system were the two interfacing systems examined. For the main feedwater system, the failure mode considered was failure of the main feedwater isolation valve coincident with pipe break (i.e., P = 1.0) in the feedwater system. The failure treated in the service water system was failure of the redundant service water isolation valves coincident with an assumed pipe break. A discussion and the results of this evaluation can be found in Section 5.4.

4.0 Common Cause Failure Evaluation

The evaluation of potential common cause failures (CCF) was broken into two parts. The first part was an initial screening in which P&IDs, systems descriptions, and the SNUPPS Model were examined for items which generally are associated with common cause failures, i.e., diesel generators, common location of pumps and valves belonging to different trains. Due to the high degree of separation, the initial screening did not identify any potential for secondary causes, such as grit, vibration, stress, temperatures.
The only potential secondary causes which could be identified were common manufacture and human error during test and maintenance. The former was not considered to be a significant cause because any gross manufacturing errors would be expected to be found in the pre-operational testing and any subtle common manufacturing defects would most likely appear as an increase in the random failure rate. Therefore, human error was the only secondary cause likely to be significant which could be explicitly identified and could be conservatively quantified based on the information provided in NUREG-0611.

4.1 Hardware

Diesel Generators: Significant redundancy and separation of systems supporting the diesel generators was verified; separate fuel tanks, fuel lines, air intakes, exhausts, etc. Two potential common causes always associated with DGs are extreme low temperature and contaminated fuel. Potential failure from the first cause is greatly decreased for SNUPPS because the air intakes are within the DG rooms and the fuel tanks are located below the frostline; also, the fuel lines drain back to the fuel tanks, so they are dry when not in use. The problem with contaminated fuel is reduced by the presence of many filters and strainers throughout the fuel system with pressure differential switches and indicators. Also, the standard technical specifications require the diesel generators be tested at least once per 31 days.
Essential Service Water System: Redundancy and separation of the ESWS was verified. An area of concern with the ESWS was the potential for debris blocking the ESWS intake. However, it was concluded that the large quantities of debris necessary to produce substantial blockage could not be generated. Problems with ice cover are eliminated by taking water from substantially below the surface and by the addition of warming water.

Pump and Valves: The pumps and valves of the three AFWS trains are located in distinct rooms and valve compartment.

HVAC: Each MDP train has a separate ventilation system operating from the same Class IE load group as the pump/valve room it serves. Since the TDP must operate with a complete loss of AC power, the TDP and associated controls are qualified to operate without ventilation. Tests will be performed to demonstrate that pump room ambient conditions (e.g., temperature, humidity) do not exceed environmental qualification limits for equipment in the AFWS.

Electrical Equipment: All Class IE AC and DC equipment (e.g., load centers, MCC, etc.) are located in separate rooms to ensure physical separation.

4.2 Human Error

Next, common cause failures associated with human error were investigated. Any redundant systems or components which also contained manual valves were considered prime candidates. All the CCFs treated were associated with mispositioning the locked open manual valves that must be periodically closed for test and maintenance. There was no CCF quantified for the actual test and maintenance of components, but a consistent error by an individual performing test and maintenance on all three trains could hypothetically disable the entire AFWS. The following events were identified:
- 1. Loss of steam from SG B and SG C (to the TDP): Events 44, 45
- 2. Loss of ESWS train A and ESWS train B: Events 41, 42
- 3. Loss of discharge valves V031, V043, and V055: Events 20, 21, 22

All of these events have human error contributions (i.e., manual valves) for Options B and C. Options A, B, and C are defined in Appendix B.
The top event probabilities and Importances were constructed as cut-sets containing these events to various degrees. The implicit assumption in these quantifications was that the events are statistically independent; that is, no statistical coupling exists between the events. This is a lower bound estimate. One could obtain an upper bound by assuming complete coupling within the event sets given above. This is equivalent to assigning a single event probability to the coincident occurrence of two events. That is, if the operator neglects to re-open one manual discharge valve, he would also neglect to re-open the corresponding valve in the other train.

However, in this study the only effect examined was that of using the values given in NUREG-0611 for the coupling of human errors. These values represent less coupling than mentioned in the preceding paragraph. The information presented in Table III-2 of NUREG-0611 implies a coupling factor of .2 and .3 for options B and C, respectively. This approach is consistent with WASH-1400 in which the mean of an assumed log-normal distribution of values between the statistically independent case and the complete coupling case was assumed. For example, for events 44 and 45, the human error probability component for option B is 5 x 10^-3 and the hardware failure probability is 2 x 10^-3; then, the following values can be assigned to the coincident occurrence of events 44 and 45 based on the degree of statistical coupling:
Statistically Independent: (2 x 10^-3 + 5 x 10^-3)(2 x 10^-3 + 5 x 10^-3) = 4.9 x 10^-5

Complete Coupling: (1)(2 x 10^-3 + 5 x 10^-3) = 7.0 x 10^-3

Partial Coupling: (2 x 10^-3 + .2)(2 x 10^-3 + 5 x 10^-3) = 1.4 x 10^-3
The approach was to select those cut-sets (≤ 4 events) containing the coincident occurrence of the events of interest. Then, the procedure was to recalculate the cut-set and total probability using the method described in the preceding paragraph.
5.0 Results of the Reliability Evaluation

5.1 AFW System Reliability

5.1.1 Qualitative Evaluation

Figure 5-1 is a reproduction of the reliability characteristics chart presented in NUREG-0611 for AFWS designs in plants using the Westinghouse NSSS with a row added which presents the results of a qualitative evaluation of the SNUPPS AFWS reliability. The intent of the figure is to show the relative reliability ranking of the SNUPPS AFWS for each of the three cases studied and to compare these results to those obtained by the NRC. This qualitative evaluation is included to complement the results of the quantitative analysis which are discussed in the next section.

The qualitative evaluation described below was performed by comparing the SNUPPS AFWS design to similar designs evaluated in NUREG-0611. The NUREG-0611 plants characterized by high reliability were used as a reference in performing the following qualitative evaluation: In characterizing the reliability of AFW systems NUREG-0611 generally implies that the following traits exist for specific reliability ratings:
- 1. Loss of Main Feedwater (SNUPPS - High Reliability Characterization)
Low Reliability | Medium Reliability | High Reliability
---|---|---
a. Manual system actuation | a. Auto actuation with manual backup | a. Auto actuation with manual backup
b. Two-pump system | b. Single point vulnerabilities may be present | b. No single point vulnerabilities present
c. Single point vulnerabilities present | c. Technical specifications permit unlimited outage time | c. High system redundancy
d. Technical specifications permit unlimited outage time for system maintenance, test, etc. | | d. Low reliance on operator action (human error)
The NUREG-0611 plants used in this study are classified in the high reliability range for this transient. Generally, the system consists of three AFW pumps (two motor and one steam) and is actuated automatically when required.
- 2. Loss of Main Feedwater with Loss of Offsite Power (SNUPPS - High Reliability Characterization)
The reliability classification of a specific plant under this transient is basically the same as for the previous LOFW event. The major difference is that onsite AC power sources are now accounted for and the system is evaluated for the possible degradation of onsite AC power (i.e., loss of one of two diesel generators).
- 3. Loss of Main Feedwater with Loss of All AC Power (SNUPPS - High Reliability Characterization)
Low and medium reliability classifications under this event are generally due to systems having strong AC power dependencies in the steam turbine driven pump train. Such dependencies may include lube oil cooling, AC power to steam turbine admission valves, or air-operated valves which fail closed on loss of air. Those systems characterized as having a relatively high reliability generally are automatically actuated and have no potentially degrading AC power dependencies. In comparing the SNUPPS AFWS to the NUREG-0611 plants which have a high reliability characterization, the SNUPPS design has a similar reliability in that the turbine pump train has no AC dependencies in order to function normally.

5.1.2 Quantitative Evaluation

Figure 5-2 presents the SNUPPS AFWS reliability characteristics based on the quantitative evaluation. This quantitative evaluation encompassed not only a computation of relative reliability for comparison with NUREG-0611 but also an examination of the sensitivity of the AFWS reliability to various assumptions concerning human error and diesel generator availability. The "base" case for making a comparison with NUREG-0611 is Option A (i.e., no explicit human errors) with only one diesel generator capable of failure (i.e., row 1). In rows 3, 4, and 5, the effects of various levels of human error (i.e., Options A, B, and C) coupled with the potential failure of either diesel generator are presented.
Rows 6 through 11 of Figure 5-2 present the AFWS reliability characteristics for human error induced common cause failures in the identified systems. As indicated in rows 6 through 9, the inadvertent closing of both manual valves in the steam lines to the turbine-driven pump has a minimal effect on the system reliability while failure of the essential service water system (ESWS) due to mispositioning manual valves has a significant impact only for Class 1. Finally, it is clear from the results indicated in rows 10 and 11 that the inadvertent closing of the manual discharge valves in two AFW trains produces the lowest system reliability of all the options presented.
5.2 Importance Evaluation of Events (Reference 14)

Calculating the Importance values for events or groups of events permits quantification of the dominant and potentially dominant failure modes of the system.

$$I_E = \frac{\sum_k P_k(E)}{P(\mathrm{TOP})}$$

where,

P(TOP) = Probability of the Top Event (AFWS failure) for a particular case/option.

$\sum_k P_k(E)$ = Summation of probabilities of the k minimal cut-sets which contribute to the Top Event and which contain the event E.

Importance ($I_E$) = The Importance of event E, $I_E$, is the probability that event E is contributing to the top event failure.

The method used to compute the Importances was to first select the cut-sets containing events of interest and then to calculate the total probability of the selected cut-sets. Finally, to obtain the Importance, this $\sum_k P_k(E)$ for the selected cut-sets was divided by the P(TOP). The relative Importance for the events of interest is displayed on bar-charts in Figures 5-3, 5-4, 5-5.
Although the various events shown on the figures were presented on the fault trees given in Appendix A and were described in more detail in Appendix B, a brief description is given below:

o Test and Maintenance: Unavailability due to test and maintenance outages except for test and maintenance of the diesels.

o Actuation Failure: An actuation failure probability of 7 x 10^-3 per demand per AFWS train.

o Pump Failure: Represents all failure modes other than actuation failure.

o Human Error: This category includes all those events (excluding event 26: CST Isolation Valve) which have human error as one of the contributors to the composite basic event probability and is associated with mispositioning of manual valves.

o Throttle/Governor Valve: Control faults and plugging in the turbine-driven pump's throttle valve or speed governor valve.

o Diesel Generator: The failure of the diesels consists of failure on demand, as well as test and maintenance outage for the diesels.

o CST Isolation Valve: This item includes human error for failure to maintain the valve locked opened in addition to a small plugging probability. The plugging contribution is so negligible in relation to the other events that for Option A (i.e., no human error), Figure 5-3, the bar-chart shows a line representing a negligible Importance.
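The Importance calculation above and the coupling recalculation of Section 4.2 can be carried through together, as in the following Python sketch. It is an added example, not part of the SNUPPS report: the five cut-sets, the mapping of events 23/24 to MDP A/B and the composite event values are constructed for illustration from the numbers quoted in the text and Table B-1, and summing cut-set probabilities to get P(TOP) is an assumed rare-event approximation.

```python
from math import prod

# Values quoted in Section 4.2 of the report (Option B, events 44 and 45).
HW = 2e-3          # hardware failure probability of one steam-supply path
HE_B = 5e-3        # human-error (valve left closed) probability, Option B
COUPLING_B = 0.2   # coupling factor implied for Option B

# Constructed composite basic-event probabilities, keyed by event number.
# 13/14/15: test + maintenance outage (2.4e-3 + 5.8e-3 from Table B-1).
# 23/24/25: pump fault (1e-3 mechanical + 4e-3 control circuit).
# Assumption: 23 = MDP A fault, 24 = MDP B fault, 25 = TDP fault.
P = {
    "13": 8.2e-3, "14": 8.2e-3, "15": 8.2e-3,
    "23": 5e-3, "24": 5e-3, "25": 5e-3,
    "44": HW + HE_B, "45": HW + HE_B,
}

# Constructed minimal cut-sets (the report's Appendix C sets are not used).
# No set holds two test/maintenance events, matching the report's rule that
# coincident outages of more than one train are discarded.
CUT_SETS = [
    frozenset({"23", "24", "25"}),        # all three pumps fail
    frozenset({"23", "24", "44", "45"}),  # both MDPs fail, TDP loses steam
    frozenset({"14", "24", "25"}),        # MDP A out for T&M
    frozenset({"13", "23", "25"}),        # MDP B out for T&M
    frozenset({"15", "23", "24"}),        # TDP out for T&M
]
PAIR = frozenset({"44", "45"})


def pair_probability(hw, he, mode, coupling=0.0):
    """Probability that both events of a like pair occur together."""
    single = hw + he
    if mode == "independent":      # lower bound: no statistical coupling
        return single * single
    if mode == "complete":         # upper bound: second error is certain
        return 1.0 * single
    if mode == "partial":          # coupling factor replaces the second
        return (hw + coupling) * single   # event's human-error term
    raise ValueError(f"unknown coupling mode: {mode}")


def cut_set_probability(cut_set, p, pair=None, pair_p=None):
    """Product of event probabilities; a coupled pair is treated as one term."""
    if pair is not None and pair <= cut_set:
        return pair_p * prod(p[e] for e in cut_set - pair)
    return prod(p[e] for e in cut_set)


def top_probability(cut_sets, p, pair=None, pair_p=None):
    """P(TOP) as the sum of minimal cut-set probabilities (rare-event approx.)."""
    return sum(cut_set_probability(cs, p, pair, pair_p) for cs in cut_sets)


def importance(events, cut_sets, p, pair=None, pair_p=None):
    """I_E: share of P(TOP) carried by cut-sets containing any of `events`."""
    events = frozenset(events)
    selected = sum(cut_set_probability(cs, p, pair, pair_p)
                   for cs in cut_sets if cs & events)
    return selected / top_probability(cut_sets, p, pair, pair_p)


def coupling_sensitivity():
    """Pair probability, P(TOP) and Importance of events 44/45 per coupling mode."""
    results = {}
    for mode in ("independent", "partial", "complete"):
        pair_p = pair_probability(HW, HE_B, mode, COUPLING_B)
        results[mode] = (
            pair_p,
            top_probability(CUT_SETS, P, PAIR, pair_p),
            importance(PAIR, CUT_SETS, P, PAIR, pair_p),
        )
    return results


if __name__ == "__main__":
    for mode, (pair_p, top, imp) in coupling_sensitivity().items():
        print(f"{mode:12s} pair={pair_p:.2e} top={top:.3e} I(44,45)={imp:.4f}")
    tm = importance({"13", "14", "15"}, CUT_SETS, P)
    print(f"I(test and maintenance, independent) = {tm:.3f}")
```

With these constructed inputs the steam-supply pair moves from a negligible share of P(TOP) under independence to a visible one under partial coupling, while test and maintenance outages remain the largest group.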
[Figure 5-3: Importance of Selected Events for Option A. Bar chart, Importance axis from 0 to 1.0, with bars for Case 1, Case 2 and Case 3 under each category: Test and Maintenance, Actuation Failure, Pump Failures, Human Error, Throttle/Governor Valve, Diesel Generator, CST Isolation Valve.]
[Figure 5-4: Importance of Selected Events for Option B. Bar chart, Importance axis from 0 to 1.0, with bars for Case 1, Case 2 and Case 3 under each category: Test and Maintenance, Actuation Failure, Pump Failures, Human Error, Throttle/Governor Valve, Diesel Generator, CST Isolation Valve.]
[Figure 5-5: Importance of Selected Events (bar chart; rotated in the scan)]
5.3 Dominant Failure Modes

Loss of Main Feedwater (with offsite power available):

The resulting unavailability of the AFWS for this scenario is in the upper interval of the 10^-4 to 10^-5 range. The system unavailability during this transient is dominated by several combinations of three event cut-sets. These include test and maintenance outages and hardware failures in various combinations along with failure of the CST isolation valve and the ESWS. This conclusion is supported by the Importances indicated in Figures 5-3, 5-4 and 5-5. Test and maintenance outages of the motor-driven pump and turbine-driven pump are based on monthly pump tests, as well as a mean maintenance duration based on 72 hours of allowable inoperability. The hardware failures of the MDP trains include pump failure, in-line valve failures and control signal failure to the pumps. Additionally, human errors, which consisted of failures to maintain manual valves (in-line) in an open position during operation, were modelled for various probabilities, as discussed in Appendix B. The turbine-driven pump was modelled in the same manner as the MDPs except that valve failures in the steam supply lines were included in the model.

Loss of Main Feedwater (with loss of offsite AC power):

Generally, the dominant failure contributors for this scenario are the same as in the previous transient except that failure of a motor-driven pump can result from the potential failure of the associated diesel-generator train. The resulting unavailability for this scenario is in the upper interval of the 10^-4 to 10^-5 range when one diesel generator is assumed available with a probability of 1.0. However, as can be seen in the third row of Figure 5-2, the results are sensitive to the failure probabilities assigned to the diesel generators.

Loss of Main Feedwater (with loss of all AC power):

The unavailability of AFWS for this scenario lies in the 10^-1 to 10^-2 range. Since in this scenario loss of both onsite and offsite AC power is postulated to occur, the AFWS is reduced to the single turbine-driven pump train. The unavailability of the TDP train is dominated by five single events: test and maintenance, failure of the TDP, discharge valve left closed (human error), CST isolation valve left closed (human error), and failure of the steam supply throttle or speed governor valves. If a coupling of human error is assumed for the manual valves in the steam supply lines (i.e., a common cause failure), then failure of the steam supply becomes a sixth dominant failure mode. As indicated by Figures 5-3, 5-4 and 5-5, the failure modes are approximately equal in Importance.

5.4 Interfacing Systems Failures

Main Feedwater System: The main feedwater isolation valves (FWIV) prevent the auxiliary feedwater from being diverted into the non-seismic/non-Q main feedwater system. A failure probability of 3 x 10^-4/demand was assigned to these valves. The inclusion of FWIV failures increases the failure probabilities assigned to events 9 through 12 from 2 x 10^-4 to 5 x 10^-4. The effect of including this failure mode is to increase the failure probability for Case 1, Option A by 20% but did not change the reliability ranking as shown in row 1 of Figure 5-2. The effect for all other cases was less than 5%.

Service Water System: Including the failure of the redundant service water isolation valves had negligible impact on the AFWS reliability.
6.0 Conclusions / Recommendations

The results of this AFWS reliability study indicate that, on both a qualitative and quantitative basis, the SNUPPS auxiliary feedwater system has a high relative reliability. Although there were no significant hardware related weaknesses in the system, some of the human error potential could be reduced by implementation of the following recommendations:

o Staggered Test and Maintenance for the driver-pumps and associated valves.

o A strong procedure for checking the status of Locked Opened valves, particularly the CST isolation valve and the pump-discharge valves.

o There should be an LCO on the outage duration for any train of the essential service water system.
7.0 References
- 1. "Steam Systems Design Manual," Westinghouse (Project Information Package), Revision 2, August 1973
- 2. "Steam Systems Design Manual," Westinghouse (Standard Information Package, 10-1), Revision 3
- 3. SNUPPS-FSAR: Chapter 10, Section 10.4.9; Chapter 7, Chapter 8, Chapter 9, Section 9.2.1.2 (Figure 9.2-12, CST)
- 4. NUREG-0611, Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse-Designed Operating Plants, January 1980, USNRC
- 5. March 10, 1980 Letter to All Pending Operating License Applicants from USNRC (Division of Project Management); Auxiliary Feedwater Systems
- 6. NUREG/CR-1362, "Data Summaries of Licensee Event Reports of Diesel Generators at U. S. Commercial Nuclear Power Plants; January 1, 1976 to December 31, 1978," March 1980, prepared by EG&G Idaho, Inc.
- 7. NUREG/CR-1363, Volume 1, "Data Summaries of Licensee Event Reports of Valves at U. S. Commercial Nuclear Power Plants; January 1, 1976 to December 31, 1978," June 1980, prepared by EG&G Idaho, Inc.
- 8. NUREG-0452, Revision 3, "Standard Technical Specifications for Westinghouse Pressurized Water Reactors," USNRC, Fall 1980
- 9. SNUPPS-FSAR: Figures 8.3-1, -2, -3 (Schematics E-01001-3, E-01005-4, E-01010-1) - Class IE AC and DC System
- 10. System Description, "Auxiliary Feedwater System"; M-00AL(Q), Revision 3 (SNUPPS)
- 11. Reactor Safety Study, WASH-1400 (October 1975); Appendix III (Failure Data) and Appendix IV (Common Cause Failure)
- 12. NUREG/CR-1635, "Nuclear Plant Reliability Data System 1979 Annual Reports of Cumulative System and Component Reliability," September 1980, prepared by Southwest Research Institute
- 13. NUREG/CR-1464 (ORNL), "Review of Nuclear Power Plant Offsite Power Source Reliability and Related Recommended Changes to the NRC Rules and Regulations," May 1980
- 14. NUREG-0492, Fault Tree Handbook, USNRC, January 1981
APPENDIX A

FAULT TREES
APPENDIX B

Failure Data - Basic Event Probabilities

Hardware

The failure data used in this study are presented in Table B-1. Unless otherwise indicated all failure data were taken directly from NUREG-0611. One item, "Flow Element / Runout Protection fault," is explained in the following paragraph.

The MDP runout protection system consists of a feedback from flow elements FE1, FE2, FE3, FE4 to MOVs HV5, HV7, HV9 and HV11, respectively. Since the valves are normally open, there would, strictly speaking, be no need to include a control circuit failure for these valves; i.e., loss of power or control signal would leave the valves as is--open. However, the introduction of a feedback from the flow elements to the valve positioner permits a spurious closing of the valve; any plugging of the flow element could be interpreted as a high flow past the element. Therefore, for Events 1 through 4, an additional basic event probability of 5 x 10^-4* was inserted. Other failure modes (circuits, loss of local power) were not considered because the failures would likely result in a 0 amp input to the valve positioner which maintains the valve in the full open state. Finally, it should be noted that even if a higher failure probability was assigned to the flow element (e.g., 10^-3) the impact would be negligible because these valve failures are not significant contributors to the Top Event probability.

*This probability was chosen by a conservative extrapolation of the 3 x 10 ' probability estimated in WASH-1400 for plugging of a flow orifice.

Human Error

The sensitivity of the AFWS reliability to human error was examined for three levels of assumed pre-accident human error. Since the AFWS is automatically actuated, no effort was made to quantify post-accident operator error. This treatment of human error was limited to mispositioning manual and motor-operated valves and was based on the human error probabilities given in NUREG-0611 which are reproduced in Table B-1; the three levels or options of human error are summarized below:

o Option A: These probabilities contain no explicit human error; i.e., the failures are strictly hardware failures.

o Option B: These probabilities include human error for failure to position manual and motor operated valves properly; this option assumes double check and walk-around procedures for manual valves. Note: This applies only to the locked opened valves in the AFWS flow path (i.e., from water supply to steam generators).

o Option C: This option is similar to Option B except that no valve position checking is assumed and, therefore, a higher human error probability is assigned.

The probabilities given in Table III-2 of NUREG-0611 were treated as unconditional probabilities; that is, the values were not decreased by the probability of maintenance (i.e., .22). Based on the system's assumed test and maintenance requirements, human error was not included for all manual valves (See the T & M section of Appendix B). Also, pre-accident mispositioning of valves in interfacing systems was not treated. For example, if the manual valves on the line carrying diesel generator jacket cooling water were closed, the diesel generator would fail after several minutes. However, since the assumed diesel generator failure probability is relatively large, that particular human error would not make a significant impact on the system reliability.
Test and Maintenance

The approach presented in NUREG-0611 was used along with the testing frequencies given in the Standard Technical Specifications for Westinghouse PWRs (Reference 8). Testing and maintenance activities which remove components and/or systems from service can be significant contributors to the overall AFWS unavailability. The most common forms of valve maintenance performed during power operation are packing adjustments and repairs to MOV and AOV control circuits and operators. Nearly all these maintenance activities are performed with the valve in the failsafe position during the maintenance interval. Therefore, maintenance of MOVs and AOVs was not considered to be a contributor to valve unavailability. Check valves and manual valves are expected to require very little maintenance. The low test and maintenance impact on this part of the AFWS was the basis for not including a human error contributor to unavailability for the manual valves in the individual S/G flow paths (i.e., fore and aft of the MOVs and AOVs). Although T & M contributions were not treated for the valves associated with the branch flowpaths to a specific steam generator, the unavailability due to testing and maintenance of the pump sub-systems was treated.

In the sub-system part of the fault-tree, T & M was treated as a distinct composite basic event. Since the T & M unavailability was higher for the pump-driver than the valves in each train, only the pump-driver unavailability was considered. Essentially the pump unavailability was considered to be synonymous with "pump sub-system" unavailability. The probabilities for the events (i.e., 13, 14 and 15) were determined using the methods described in NUREG-0611 as follows:

Test

$$Q_{Test}\ (\text{Unavailability/demand}) = \frac{(\text{hrs/test})\,(\text{number of tests per year})}{7008\ \text{hrs./yr.}^{*}}$$

*Assumes the plant is in a functional mode only 80% of the year.

QTest will be calculated using the default hrs./test (t,)* from NUREG-0611 and the number of tests per year based on the technical specifications:

Component | Hrs./Test | Tests/Year | QTest
---|---|---|---
Pumps | 1.4 | 12 | 2.4 x 10^-3
Diesels | 1.4 | 12 | 2.4 x 10^-3

*Standard Technical Specifications requires testing pumps and valves in the AFWS monthly.

Maintenance

$$Q_{Maint.}\ (\text{Unavailability/demand}) = \frac{.22\,(\text{Hrs./Maintenance Action})}{720}$$

QMaint. will be based on the most conservative value for hrs/maintenance action.

Component | Hrs./Maintenance Action | QMaint.
---|---|---
Pumps | 19 | 5.8 x 10^-3
Diesels | 21 | 6.4 x 10^-3
Additionally, it was assumed that coincident test and/or maintenance of components of more than one AFW pump and its associated flow paths, while the reactor is at full power, is in violation of the plant technical specifications; therefore, minimum cut sets containing such coincident basic events are treated as not being credible and are discarded in the quantitative evaluation.
TABLE B-1

Component-Basic Event Failure Probabilities

Component or Basic Event | Failure Probability (on demand)
---|---
Local Fault in MOV: |
- Mechanical | 1 x 10^-3
- Plugging | 1 x 10^-4
- Control ("Command") Circuit, local | 2 x 10^-3
Local Fault in AOV: |
- Mechanical | 3 x 10^-4
- Control Circuit | 1.3 x 10^-3 (Table 8, Reference 7)
- Plugging | 1 x 10 ~0
Check Valve (Plugging) | 1 x 10 '
Manual Valve (Plugging) | 1 x 10 ~0
Local Fault in MDP or TDP: |
- Mechanical | 1 x 10^-3
- Control Circuit | 4 x 10^-3
MDP or TDP: |
- Down for Maintenance | 5.8 x 10^-3 (conservatively assumes 19 hrs. per interval)
- Down for Testing | 2.4 x 10^-3 (12 tests/year @ 1.4 hrs. per test)
Manual Valve Left Closed (Operator Error) | 5 x 10^-3 (Option B); 1 x 10^-2 (Option C)
Actuation Logic (failure to transmit a start signal to AFWS) | 7 x 10^-3/train
Loss of Offsite Power | 1 x 10 ~ (based on an examination of Reference 16)
Diesel Generator: |
- Fails to start | 4 x 10 ~ (Reference 6)
- Test and Maintenance | 8.8 x 10^-3
Flow Element / Runout Protection | 5 x 10^-4
B -7
Composite Basic Events

Table B-2 presents the probabilities assigned to each composite basic event (CBE) indicated on the AFWS fault tree (see Appendix A). Since the same probabilities apply to many valves which perform similar functions but are located in different trains or branches, a generic notation has been used. For example, CBEs 9, 10, 11 and 12 are included under one heading, "Check Valves V12X or V12Y Fails Closed", which is interpreted as:

CBE 9: Check Valve V121 or V125 Fails Closed
CBE 10: Check Valve V120 or V124 Fails Closed
CBE 11: Check Valve V123 or V127 Fails Closed
CBE 12: Check Valve V122 or V126 Fails Closed

The various contributions (i.e., basic events) are then listed. So that information in Table B-2 can be easily understood without reference to the fault trees, a description of each composite basic event (CBE) is listed below:

CBE 1 through 8: V0XX, V0YY, V0ZZ, HVXX Valve Fault Blocks Flow
CBE 9 through 12: Check Valve V12X or V12Y Fails Closed
CBE 13, 14 and 15: Test and Maintenance of MDP "B", MDP "A", and TDP AFW Trains
CBE 20, 21 and 22: Discharge Blockage Caused by Fault in Valves V0XX or V0YY
CBE 23 and 24: AFW MDP "X" Does Not Start Due to Motor/Pump Fault
CBE 25: TDP Does Not Start Due to Turbine/Pump Fault
CBE 26: Isolation Valve APV015 Inadvertently Left Closed (Operator Error)
CBE 27: APV015 - Valve Fault
CBE 28, 29 and 30: V0XX, HVYY Valve Fault Blocks Flow
CBE 31 through 34: V0XX, V0YY Valve Fault Blocks Flow
CBE 35 through 38: MOV HVXX Fails to Open or Plugged
CBE 39 and 40: Loss of 4.16 KV to Bus NBOX
CBE 41 and 42: Loss of ESWS Train A (B)
CBE 43: Throttle Valve or Speed Governor Valve Faults
CBE 44: FCHV5, FCV001, FCV024, FCV085 Valve Faults Block Steam from S/G B
CBE 45: FCHV6, FCV002, FCV024, FCV087 Valve Faults Block Steam from S/G C
TABLE B-2 Probability of Failure (On Demand)

| Contributor | Option A | Option B | Option C |
|---|---|---|---|
| Composite Basic Events 1 through 8 | | | |
| Valves V0XX; Plug | 1.0E-04 | | |
| Valves V0ZZ; Plug | 1.0E-04 | 4.0E-04 | 4.0E-04 |
| Valves V0YY; Check Valve Fails Closed | 1.0E-04 | | |
| Valves HVX; Plug | 1.0E-04 | | |
| Flow Element, Events 5-8 | -- | -- | -- |
| Flow Element, Events 1-4 | 5.0E-04 | 5.0E-04 | 5.0E-04 |
| Human Error - Valve HVX | -- | 5.0E-04 | 5.0E-04 |
| Total Probability, Events 1-4 | 9.0E-04 | 1.4E-03 | 1.4E-03 |
| Total Probability, Events 5-8 | 4.0E-04 | 9.0E-04 | 9.0E-04 |
| Composite Basic Events 9 through 12 | | | |
| V12X; Fails Closed | 1.0E-04 | 1.0E-04 | 1.0E-04 |
| V12Y; Fails Closed | 1.0E-04 | 1.0E-04 | 1.0E-04 |
| Total Probability | 2.0E-04 | 2.0E-04 | 2.0E-04 |
| Composite Basic Events 13, 14 and 15 | | | |
| Testing (Manual Discharge Valves Closed) | 2.4E-03 | N/C* | N/C |
| Maintenance of MDPs (TDP) and Associated Valves | 5.8E-03 | | |
| Total Probability | 8.2E-03 | 8.2E-03 | 8.2E-03 |
| Composite Basic Events 20, 21 and 22 | | | |
| Check Valve V0XX; Fails Closed | 1.0E-04 | 2.0E-04 | 2.0E-04 |
| Manual Valve V0YY; Plug | 1.0E-04 | | |
| Human Error - Manual Valve V0YY | -- | 5.0E-03 | 1.0E-02 |
| Total Probability | 2.0E-04 | 5.2E-03 | 1.02E-02 |
| Composite Basic Events 23, 24 and 25 | | | |
| Mechanical Fault | 1.0E-03 | | |
| Control Circuit Fault | 4.0E-03 | N/C | N/C |
| Actuation Failure | 7.0E-03 | | |
| Total Probability | 1.2E-02 | 1.2E-02 | 1.2E-02 |
| Basic Event 26 | | | |
| CST Valve APV015 Left Closed | -- | 5.0E-03 | 1.0E-02 |
| Basic Event 27 | | | |
| CST Valve APV015 Plugged | 1.0E-04 | 1.0E-04 | 1.0E-04 |
| Composite Basic Events 28, 29 and 30 | | | |
| Check Valve V00X; Fails Closed | 1.0E-04 | | |
| MOV HVYY; Plug | 1.0E-04 | N/C | N/C |
| Human Error; MOV Left Closed | -- | 5.0E-04 | 5.0E-04 |
| Total Probability | 2.0E-04 | 7.0E-04 | 7.0E-04 |
| Composite Basic Events 31 through 34 | | | |
| Check Valve V0YY; Fails Closed | 1.0E-04 | 1.0E-04 | 1.0E-04 |
| Manual Valve V0XX; Plug | 1.0E-04 | 1.0E-04 | 1.0E-04 |
| Human Error - Manual Valve V0XX Left Closed | -- | 5.0E-03 | 1.0E-02 |
| Total Probability | 2.0E-04 | 5.2E-03 | 1.02E-02 |
| Composite Basic Events 35 through 38 | | | |
| Mechanical | 1.0E-03 | | |
| Plug | 1.0E-04 | N/C | N/C |
| Control Circuit Failure | 2.0E-03 | | |
| Total Probability | 3.1E-03 | 3.1E-03 | 3.1E-03 |

* N/C indicates No Change from Option A for the group of basic events.
TABLE B-2 (continued)

Basic Events 39 and 40

Events 39 and 40 represent the unavailability of Offsite AC power and Onsite AC (diesel generators) for the two Class 1E buses:

$$A\ (\text{unavailability of AC power}) = A_{DG} \cdot A\ (\text{offsite AC})$$

where:

$A_{DG}$ (Diesel Generator Unavailability) = (Probability of failure on demand) + (Test and Maintenance Outage) = .04 + .0088 = 4.088E-02

For comparison with NUREG-0611, P(39) = 0.0 and:

Case 1: P(40) = (4.088E-02) (.01) = 4.088E-04
Case 2: P(40) = 4.088E-02 (1)

For all the sensitivity, importance and common cause evaluations:

Case 1: P(40) = P(39) = 4.088E-04
Case 2: P(40) = P(39) = 4.088E-02
Case 3: P(40) = P(39) = 1.0

Note: These probabilities overstate the impact of testing since the ESFAS will override any testing. Also, the diesel generator may already be running and only needs to be sequenced onto the safety loads.
TABLE B-2 (continued) Probability of Failure (On Demand)

| Contributor | Option A | Option B | Option C |
|---|---|---|---|
| Composite Basic Events 41 and 42 | | | |
| ESW Motor/Pump; Mechanical Failure | 1.0E-03 | | |
| Check Valve EFV00X; Fails Closed | 1.0E-04 | N/C | N/C |
| Control Fault (Local) | 4.0E-03 | | |
| Manual Valves (EFV00X, EFV10X, EFV10Y) (3x) | 1.0E-04 | | |
| Human Error: Manual Valves (3x) | -- | 1.5E-02 | 3.0E-02 |
| Total Probability | 5.4E-03 | 2.04E-02 | 3.54E-02 |
| Composite Basic Event 43 | | | |
| Throttle Valve; Control Fault | 2.0E-03 | | |
| Speed Governor Valve; Control Fault | 2.0E-03 | N/C | N/C |
| Plug (either valve) | 2.0E-04 | | |
| Total Probability | 4.2E-03 | 4.2E-03 | 4.2E-03 |
| Composite Basic Event 44 | | | |
| Check Valves FCV001, FCV024; Fail Closed (2x) | 1.0E-04 | | |
| Manual Valve FCV085; Plug | 1.0E-04 | | |
| AOV FCHV5; Mechanical | 3.0E-04 | N/C | N/C |
| AOV FCHV5; Control Circuit (Local) | 1.3E-03 | | |
| AOV FCHV5; Plug | 1.0E-04 | | |
| Human Error; Manual Valve FCV085 | -- | 5.0E-03 | 1.0E-02 |
| Total Probability | 2.0E-03 | 7.0E-03 | 1.2E-02 |
| Composite Basic Event 45 | | | |
| Same Probabilities as CBE 44 | | | |
APPENDIX C

Minimal Cut-Sets

This appendix presents a tabulation of the significant minimal cut-sets for each case and option. The cut-sets are listed in approximately descending order of probability. The total probability associated with these cut-sets represents at least 90% of the Top Event probability; therefore, the additional cut-sets were not listed. It is evident, from a review of these cut-sets, that failure of the pumps or actuation failure (Events 23, 24, 25), test and maintenance outages (Events 13, 14, 15), discharge valves closed or faulted (Events 20, 21, 22) and loss of power (Event 40) are dominant failure modes.

Table C-1 gives the SNUPPS AFWS fault tree reduced to 9 three-event cut-sets. The "events" 77, 88 and 99 represent the "subtrees" 77, 88 and 99 (see Appendix A). The fault tree was completely resolved to the level of composite basic events by substitution of the minimal cut-sets representing the subtrees. Tables C-2, C-3 and C-4 list the resulting cut-sets by option for Case 1, Case 2 and Case 3. All the events making up the cut-sets were previously defined in Appendix B.
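The Appendix B test and maintenance formulas and the rule that discards cut-sets with coincident T & M events, worked through in Python as an added example (not part of the original report). It assumes independent events, so a cut-set's probability is taken as the product of its event probabilities; the function names and the non-credible sample set (13, 14, 25) are constructed for illustration.

```python
# Added example: Appendix B arithmetic plus cut-set screening and ranking.
HOURS_PER_YEAR = 7008      # page footnote: functional mode 80% of the year
TM_EVENTS = {13, 14, 15}   # test-and-maintenance composite basic events

def q_test(hrs_per_test, tests_per_year):
    """Testing unavailability per demand (formula quoted in Appendix B)."""
    return hrs_per_test * tests_per_year / HOURS_PER_YEAR

def q_maint(hrs_per_action):
    """Maintenance unavailability per demand: 0.22 * hrs / 720."""
    return 0.22 * hrs_per_action / 720

def cbe_probabilities(p_ac):
    """Option A values from Table B-2; p_ac is the case-dependent P(39) = P(40)."""
    p_tm = q_test(1.4, 12) + q_maint(19)     # Table B-2 rounds this to 8.2E-03
    probs = {event: p_tm for event in TM_EVENTS}
    probs.update({event: 1.2e-2 for event in (23, 24, 25)})
    probs.update({43: 4.2e-3, 39: p_ac, 40: p_ac})
    return probs

def credible(cut_set):
    """Coincident T & M on more than one pump train is not credible."""
    return len(TM_EVENTS & set(cut_set)) <= 1

def rank(cut_sets, probs):
    """Return (probability, cut_set) pairs, highest first, credible sets only."""
    scored = []
    for cut_set in cut_sets:
        if not credible(cut_set):
            continue
        q = 1.0
        for event in cut_set:
            q *= probs[event]   # assumption: independent events
        scored.append((q, tuple(cut_set)))
    return sorted(scored, reverse=True)

# Four sets taken from Table C-2 plus one constructed non-credible set.
SAMPLE = [(23, 24, 25), (13, 24, 25), (23, 24, 43), (24, 25, 40), (13, 14, 25)]

if __name__ == "__main__":
    for label, p_ac in (("Case 1", 4.088e-4), ("Case 2", 4.088e-2)):
        print(label)
        for q, cut_set in rank(SAMPLE, cbe_probabilities(p_ac)):
            print(f"  {cut_set}: {q:.3e}")
```

With the Case 2 power term, the loss-of-power cut-set (24, 25, 40) moves to the top of the ranking, which matches the ordering shown in Table C-2.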
TABLE C-1 AFWS Fault Tree Reduced to 9 Three-Event Cut-Sets

77 88 99
1 88 99
2 77 99
3 77 99
4 88 99
9 88 99
10 77 99
11 77 99
12 88 99
TABLE C-2 Significant Minimal Cut-Sets: Option A

Case 1:
23 24 25; 13 24 25; 14 23 25; 15 23 24; 23 24 43; 14 23 43; 13 24 43; 2 23 25; 3 23 25; 1 24 25; 4 24 25; 2 13 25; 3 15 23; 3 13 25; 1 15 24; 1 14 25; 4 15 24; 4 14 25; 2 15 23; 23 25 39; 24 25 40; 13 25 39; 15 24 40; 14 25 40; 15 23 39; 4 24 43; 1 24 43; 2 23 43; 3 23 43; 3 13 43; 2 13 43; 1 14 43; 4 14 43; 9 24 25; 12 24 25; 20 24 25; 21 23 25; 10 23 25; 11 23 25; 22 23 24; 23 39 43; 24 40 43; 13 22 24; 14 22 23; 9 15 24; 13 21 25; 9 14 25; 10 15 23; 14 20 25; 12 15 24; 12 14 25; 11 15 23; 15 20 24

Case 2:
24 25 40; 14 25 40; 15 24 40; 24 40 43; 23 24 25; 14 40 43; 15 23 24; 14 23 25; 13 24 25; 23 24 43; 3 25 40; 2 25 40; 13 24 43; 14 23 43; 3 15 40; 2 15 40; 2 40 43; 3 40 43; 4 24 25; 3 23 25; 2 23 25; 1 24 25; 11 25 40; 22 24 40; 10 25 40; 21 25 40; 3 13 25; 2 13 25; 1 15 24; 1 14 25; 4 15 24; 4 14 25; 2 15 23; 3 15 23; 15 21 40; 14 22 40; 10 15 40; 11 15 40; 3 23 43; 1 24 43; 4 24 43; 2 23 43; 21 40 43; 11 40 43; 10 40 43; 1 14 43; 2 13 43; 3 13 43; 4 14 43; 9 24 25; 22 23 24; 10 23 25; 11 23 25

Case 3:
25; 15; 15; 43; 22; 30; 27
TABLE C-3 Significant Minimal Cut-Sets: Option B

Case 1:
23 24 25; 13 24 25; 14 23 25; 15 23 24; 22 23 24; 20 24 25; 21 23 25; 23 24 43; 15 20 24; 13 21 25; 14 20 25; 15 21 23; 13 22 24; 14 22 23; 26 41 42; 13 24 43; 14 23 43; 21 22 23; 20 22 24; 20 21 25; 20 24 43; 21 23 43; 13 21 22; 15 20 21; 14 20 22; 3 23 25; 1 24 25; 4 24 25; 2 23 25; 14 20 43; 13 21 43; 20 21 22; 1 14 25; 3 15 23; 4 15 24; 2 15 23; 4 14 25; 3 13 25; 2 13 25; 1 15 24; 20 21 43; 3 22 23; 3 20 25; 1 22 24; 1 21 25; 4 22 24; 4 21 25; 2 22 23; 2 20 25

Case 2:
24 25 40; 14 25 40; 15 24 40; 22 24 40; 21 25 40; 26 40 41; 24 40 43; 14 22 40; 15 21 40; 23 24 25; 14 40 43; 21 22 40; 15 23 24; 13 24 25; 14 23 25; 21 40 43; 3 25 40; 2 25 40; 20 24 25; 21 23 25; 22 23 24; 23 24 43; 2 15 40; 3 15 40; 14 20 25; 15 21 23; 13 22 24; 14 22 23; 15 20 24; 13 21 25; 26 41 42; 14 23 43; 13 24 43; 2 22 40; 3 22 40

Case 3:
25; 15; 22; 26; 43; 30; 27; 44 45
TABLE C-4 Significant Minimal Cut-Sets: Option C

Case 1:
26 41 42; 23 24 25; 21 23 25; 22 23 24; 20 24 25; 20 22 24; 20 21 25; 21 22 23; 15 23 24; 13 24 25; 14 23 25; 20 21 22; 14 22 23; 13 22 24; 15 21 23; 13 21 25; 15 20 24; 14 20 25; 15 20 21; 13 21 22; 14 20 22; 23 24 43; 21 23 43; 20 24 43; 20 21 43; 13 24 43; 14 23 43; 14 20 43; 13 21 43; 4 24 25; 2 23 25; 3 23 25; 1 24 25; 3 22 23; 4 22 24; 4 21 25; 3 20 25; 2 20 25; 1 22 24; 1 21 25; 2 22 23; 3 20 22; 4 21 22; 2 20 22; 1 21 22; 1 14 25; 3 15 23; 1 15 24; 2 15 23; 4 15 24; 3 13 25; 2 13 25

Case 2:
26 40 41; 24 25 40; 21 25 40; 22 24 40; 21 22 40; 15 24 40; 14 25 40; 14 22 40; 15 21 40; 24 40 43; 26 41 42; 21 40 43; 23 24 25; 14 40 43; 20 24 25; 22 23 24; 21 23 25; 20 22 24; 21 22 23; 20 21 25; 13 24 25; 14 23 25; 15 23 24; 20 21 22; 13 21 25; 15 20 24; 14 22 23; 14 20 25; 15 21 23; 13 22 24

Case 3:
25; 22; 15; 26; 43; 30; 27; 44 45
}}