ML20007E352

From kanterella
Jump to navigation Jump to search
GE-Hitachi ABWR Design Control Document Tier 1 & 2, Rev. 7 - Chapter 17 - Quality Assurance
ML20007E352
Person / Time
Site: 05200001, 05200045
Issue date: 12/20/2019
From: Michelle Catts
GE-Hitachi Nuclear Energy Americas
To:
Office of Nuclear Reactor Regulation
Shea J
References
GEHITACHIABWR, GEHITACHIABWR.SUBMISSION.8, 25A5675.P, 25A5675.P.7
Download: ML20007E352 (35)
v  d  e


Text

25A5675AV Revision 7 October 2019 ABWR Design Control Document Tier 2 Chapter 17 Quality Assurance Copyright 1994, 2010, 2016, 2019 GE-Hitachi Nuclear Energy Americas LLC All Rights Reserved

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 Chapter 17 Table of Contents 17.0 Quality Assurance........................................................................................................................17.0-1 17.0 Introduction..................................................................................................................................17.0-1 17.0.1 COL License Information............................................................................................17.0-1 17.1 Quality Assurance During Design and Construction...................................................................17.1-1 17.1.1 Organization ................................................................................................................17.1-1 17.1.2 Quality Assurance Program.........................................................................................17.1-1 17.1.3 Design Control.............................................................................................................17.1-2 17.1.4 Procurement Document Control..................................................................................17.1-2 17.1.5 Instruction, Procedures, and Drawings........................................................................17.1-2 17.1.6 Document Control .......................................................................................................17.1-3 17.1.7 Control of Purchased Material, Equipment, and Services...........................................17.1-3 17.1.8 Identification and Control of Materials, Parts, and Components ................................17.1-3 17.1.9 Control of Special Processes .......................................................................................17.1-3 17.1.10 Inspection ....................................................................................................................17.1-3 17.1.11 Test Control .................................................................................................................17.1-4 17.1.12 Control of Measuring and Test Equipment .................................................................17.1-4 17.1.13 Handling, Storage, and Shipping.................................................................................17.1-4 17.1.14 Inspection, Test, and Operating Status ........................................................................17.1-4 17.1.15 Nonconforming Materials, Parts, or Components.......................................................17.1-4 17.1.16 Corrective Action ........................................................................................................17.1-4 17.1.17 Quality Assurance Records .........................................................................................17.1-4 17.1.18 Audits ..........................................................................................................................17.1-5 17.1.19 References ...................................................................................................................17.1-5 17.2 Quality Assurance During the Operations Phase.........................................................................17.2-1 17.3 Reliability Assurance Program During Design Phase .................................................................17.3-1 17.3.1 Introduction .................................................................................................................17.3-1 17.3.2 Scope ...........................................................................................................................17.3-1 17.3.3 Purpose ........................................................................................................................17.3-1 17.3.4 Objective......................................................................................................................17.3-2 17.3.5 GE Hitachi Nuclear Energy Organization for D-RAP ................................................17.3-2 17.3.6 SSC Identification/Prioritization .................................................................................17.3-2 17.3.7 Design Considerations.................................................................................................17.3-3 17.3.8 Defining Failure Modes...............................................................................................17.3-3 17.3.9 Operational Reliability Assurance Activities ..............................................................17.3-4 17.3.10 Owner/Operators Reliability Assurance Program......................................................17.3-4 17.3.11 D-RAP Implementation...............................................................................................17.3-6 17.3.12 Glossary of Terms .....................................................................................................17.3-11 17.3.13 COL License Information..........................................................................................17.3-13 17.3.14 References .................................................................................................................17.3-13 Table of Contents 17.0-i

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 Chapter 17 List of Tables Table 17.0-1 ABWR Compliance with Quality Related Regulatory Guides ...................................17.0-2 Table 17.3-1 SLCS Components with Largest Contribution to System Unavailability .................17.3-14 Table 17.3-2 Risk-Significant SSCs for SLCS ...............................................................................17.3-14 Table 17.3-3 Examples of SLCS Failure Modes and O-RAP Activities........................................17.3-15 17.0-ii List of Tables

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 Chapter 17 List of Figures Figure 17.3-1 Design Evaluations for SSCs .................................................................................17.3-16 Figure 17.3-2 Process for Determining Dominant Failure Modes of Risk-Significant SSCs ......17.3-17 Figure 17.3-3 Use of Failure History to Define Modes ................................................................17.3-18 Figure 17.3-4 Analytical Assessment to Define Failure Modes ...................................................17.3-19 Figure 17.3-5 Inlusion of Maintenance Requirements in the Definition of Failure Modes .........17.3-20 Figure 17.3-6 Identification of Risk-Significant SSC O-Rap Activities ......................................17.3-21 Figure 17.3-7 Standby Liquid Control System (Standby Mode)..................................................17.3-22 Figure 17.3-8 Standby Liquid Control System Top Level Fault Tree ..........................................17.3-23 List of Figures 17.0-iii

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 17.0 Quality Assurance 17.0 Introduction Section 17.1 describes the Quality Assurance (QA) Program which is implemented by GE Hitachi Nuclear Energy (GEH) for the ABWR project. It is based upon the standard GEH QA Program documented in the GEH topical report NEDO-11209-04A (Reference 17.1-1) and the additional information in this chapter describing and clarifying GE's interfaces and responsibilities with its technical associates on the ABWR. These technical associates are major international corporations who are licensees of GEHs technology and have extensive independent experience in the design and construction of nuclear power stations.

The standard program is used throughout GEH on all other nuclear power plant work and has been accepted by the Nuclear Regulatory Commission. It is in compliance with Title 10, Code of Federal Regulations, Part 50 (10CFR50), Appendix B; ANSI/ASME N45.2; ANSI/ASME N45.2-series standards; and NRC Regulatory Guides with some NRC-accepted GEH alternate positions.

The QA Program described in this chapter meets Regulatory Guide 1.28, Revision 3 and is organized to show its relationship to Reference 17.1-1, ANSI/ ASME NQA-1-1983 and NQA-1a-1983, and GEH's interfaces with its technical associates. The terms and definitions of supplement S-1 of NQA-1a-1983 apply. Table 17.0-1 summarizes ABWR compliance with the quality related Regulatory Guides.

The COL applicant/holder is responsible to prepare and implement a QA program for the construction phase of Section 17.1 and the operations phase of Section 17.2 that also meets the requirements of ANSI/ASME NQA-1-1983 and NQA-1a-1983 and the quality related Regulatory Guides listed in Table 17.0-1. See Subsection 17.0.1 for COL license information.

17.0.1 COL License Information 17.0.1.1 QA Programs for Construction and Operation The COL applicant/holder shall prepare and implement a Quality Assurance Program for the construction phase of Section 17.1 and the operations phase of Section 17.2. They will meet the requirements of ANSI/ASME NQA-1-1983 and NQA-1a-1983 and the quality related Regulatory Guides listed in Table 17.0-1 (Section 17.0).

Introduction 17.0-1

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 Table 17.0-1 ABWR Compliance with Quality Related Regulatory Guides Regulatory Guide Rev. Comments 1.8 1 No exceptions.

1.26 3 No exceptions.

1.28 3 Except for NRC accepted alternate positions documented in Table 2-1 of Reference 17.1-1.

1.29 3 No exceptions.

1.30 0 No exceptions.

1.37 0 Except for NRC accepted alternate positions documented in Table 2-1 of Reference 17.1-1.

1.38 2 Except for NRC accepted alternate positions documented in Table 2-1 of Reference 17.1-1.

1.39 2 No exceptions.

1.58 Superseded by Reg. Guide 1.28, Rev. 3 except for NRC accepted alternate positions documented in Table 2-1 of Reference 17.1-1.

1.64 Superseded by Reg. Guide 1.28, Rev. 3 except for NRC accepted alternate positions documented in Table 2-1 of Reference 17.1-1.

1.74 Superseded by Reg. Guide 1.28, Rev. 3.

1.88 Superseded by Reg. Guide 1.28, Rev. 3 except for NRC accepted alternate positions documented in Table 2-1 of Reference 17.1-1.

1.94 1 No exceptions. WIll be applied during construction.

1.116 0-R Except for NRC accepted alternate positions documented in Table 2-1 of Reference 17.1-1.

1.123 Superseded by Reg. Guide 1.28, Rev. 3 except for NRC accepted alternate positions documented in Table 2-1 of Reference 17.1-1.

1.144 Superseded by Reg. Guide 1.28, Rev. 3.

1.146 Superseded by Reg. Guide 1.28, Rev. 3 except for NRC accepted alternate positions documented in Table 2-1 of Reference 17.1-1.

17.0-2 Introduction

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 17.1 Quality Assurance During Design and Construction 17.1.1 Organization See Section 1 of Reference 17.1-1.

This section complies with Basic Requirement 1 and Supplement 1S-1 of ANSI/ASME NQA-1-1983.

The following additional information describes the relationship between GEH and its technical associates.

GEH, with the support of major technical associates, is designing the ABWR. This is a common engineering effort to design and specify systems and equipment from the standard plant through major purchasing specifications. The designs, specifications, and drawings are based upon various joint development and engineering studies performed by GEH and its associates.

The lead responsibility to produce each specification and drawing is formally assigned to one design organization. However, the content of each document is reviewed and approved by GEH. While all common engineering documents reflect the formal consensus of all parties, GEH is responsible for the design and the supporting calculations and records for the ABWR project.

17.1.2 Quality Assurance Program See Section 2 of Reference 17.1-1.

This section complies with Basic Requirement 2 and Supplements 2S-1, 2S-2, and 2S-3 of ANSI/ASME NQA-1-1983 and NQA-1a-1983 as modified by the NRC-accepted alternate positions identified in Table 2-1 of Reference 17.1-1 relating to NRC Regulatory Guides: 1.28, Revision 0; 1.58, Revision 1; and 1.146, Revision 0.

The following additional information describes the relationship between GEH and its technical associates.

GEH and each of its associates have their own Quality Assurance Program based on Reference 17.1-2. GEH has performed a review of the QA programs of each of the associates to assure that the engineering designs and documentation produced by the associates meet the requirements of the GEH quality program. These reviews found the QA programs of the technical associates to meet GEH requirements and the applicable requirements of Appendix B to 10CFR50.

Agreements between GEH and its associates require an annual review to assure that the quality systems are being implemented. All associates are committed to correct discrepancies noted during these reviews.

Quality Assurance During Design and Construction 17.1-1

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 The identification of safety-related structures, systems, and components (Q list) to be controlled by the quality assurance program is shown on Table 3.2-1. Additional items will be added to Table 3.2-1, as necessary.

17.1.3 Design Control See Section 3 of Reference 17.1-1.

This section complies with Basic Requirement 3 and Supplement 3S-1 of ANSI/ASME NQA-1-1983 as modified by the NRC-accepted alternate position identified in Table 2-1 of Reference 17.1-1 relating to NRC Regulatory Guide 1.64, Revision 2.

The following additional information describes the relationship between GEH and its technical associates.

GEH and its associates control the review and approval of ABWR design documents with a procedure using the Engineering Review Memorandum (ERM). The lead design organization prepares the document and circulates it internally for engineering review, approval, and design verification. Evidence of verification is entered into design records of the responsible design organization. Each document is distributed by ERM to the design organizations of the other parties for their review and approval of technical content and design interfaces. All comments resulting from this process are resolved to the satisfaction of all parties. After resolution of all the comments, the design verification is reviewed and, when necessary, updated to assure that changes did not invalidate the original verification. After final agreement is reached, the document is finalized by the lead design organization, circulated to the other parties for their approval signatures, and then issued.

Changes to ABWR documents are also approved by GEH and its associates. The changed document's revision status is advanced or a new document initiated. The new or changed document is circulated for review, verification, and approval to all parties that performed the original review, verification, and approval.

Differences between international and domestic designs are identified in a controlled list for future design action and application.

17.1.4 Procurement Document Control See Section 4 of Reference 17.1-1.

This section complies with Basic Requirement 4 and Supplement 4S-1 of ANSI/ASME NQA-1-1983 as modified by the NRC-accepted alternate position identified in Table 2-1 of Reference 17.1-1 relating to NRC Regulatory Guide 1.123, Revision 1.

17.1.5 Instruction, Procedures, and Drawings See Section 5 of Reference 17.1-1.

17.1-2 Quality Assurance During Design and Construction

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 This section complies with Basic Requirement 5 of ANSI/ASME NQA-1-1983.

17.1.6 Document Control See Section 6 of Reference 17.1-1.

This section complies with Basic Requirement 6 and Supplement 6S-1 of ANSI/ASME NQA-1-1983.

The following additional information describes the relationship between GEH and its technical associates.

All ABWR documents produced by GEH and its associates are entered on the GEH Master Parts List (MPL) for the ABWR. These documents are under GEH configuration control.

Changes to these documents require verification and GEH review and approval before they are entered into the GEH document control system and applied to the MPL.

17.1.7 Control of Purchased Material, Equipment, and Services See Section 7 of Reference 17.1-1.

This section complies with Basic Requirement 7 and Supplement 7S-1 of ANSI/ASME NQA-1-1983 as modified by the NRC-accepted alternate position identified in Table 2-1 of Reference 17.1-1 relating to NRC Regulatory Guide 1.123, Revision 1.

17.1.8 Identification and Control of Materials, Parts, and Components See Section 8 of Reference 17.1-1.

This section complies with Basic Requirement 8 and Supplement 8S-1 of ANSI/ASME NQA-1-1983.

17.1.9 Control of Special Processes See Section 9 of Reference 17.1-1.

This section complies with Basic Requirement 9 and Supplement 9S-1 of ANSI/ASME NQA-1-1983.

17.1.10 Inspection See Section 10 of Reference 17.1-1.

This section complies with Basic Requirement 10 and Supplement 10S-1 of ANSI/ASME NQA-1-1983 and NQA-1a-1983 as modified by the NRC-accepted alternate position identified in Table 2-1 of Reference 17.1-1 relating to NRC Regulatory Guide 1.116, Revision 0-R.

Quality Assurance During Design and Construction 17.1-3

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 17.1.11 Test Control See Section 11 of Reference 17.1-1.

This section complies with Basic Requirement 11 and Supplement 11S-1 of ANSI/ASME NQA-1-1983 as modified by the NRC-accepted alternate position identified in Table 2-1 of Reference 17.1-1 relating to NRC Regulatory Guide 1.116, Revision O-R.

17.1.12 Control of Measuring and Test Equipment See Section 12 of Reference 17.1-1.

This section complies with Basic Requirement 12 and Supplement 12S-1 of ANSI/ASME NQA-1-1983.

17.1.13 Handling, Storage, and Shipping See Section 13 of Reference 17.1-1.

This section complies with Basic Requirement 13 and Supplement 13S-1 of ANSI/ASME NQA-1-1983 as modified by the NRC-accepted alternate position identified in Table 2-1 of Reference 17.1-1 relating to NRC Regulatory Guide 1.38, Revision 2.

17.1.14 Inspection, Test, and Operating Status See Section 14 of Reference 17.1-1.

This section complies with Basic Requirement 14 of ANSI/ASME NQA-1-1983.

17.1.15 Nonconforming Materials, Parts, or Components See Section 15 of Reference 17.1-1.

This section complies with Basic Requirement 15 and Supplement 15S-1 of ANSI/ASME NQA-1-1983.

17.1.16 Corrective Action See Section 16 of Reference 17.1-1.

This section complies with Basic Requirement 16 of ANSI/ASME NQA-1-1983.

17.1.17 Quality Assurance Records See Section 17 of Reference 17.1-1.

17.1-4 Quality Assurance During Design and Construction

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 This section complies with Basic Requirement 17, Supplement 17S-1, of ASME NQA-1-1983 as modified by the NRC-accepted alternate position identified in Table 2-1 of Reference 17.1-1 relating to NRC Regulatory Guide 1.88, Revision 2.

17.1.18 Audits See Section 18 of Reference 17.1-1.

This section complies with Basic Requirement 18 and Supplement 18S-1 of ANSI/ASME NQA-1-1983 and NQA-1a-1983 as modified by the NRC-accepted alternate position identified in Table 2-1 of Reference 17.1-1 relating to ANSI Standard N45.2.121977.

17.1.19 References 17.1-1 Nuclear Energy Business Operations Quality Assurance Program Description, NEDO-11209-04A, the latest NRC accepted revision.

17.1-2 NEDC-32267P, ABWR Project Application Engineering Organization and Procedures Manual, (Proprietary), December 1993.

Quality Assurance During Design and Construction 17.1-5

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 17.2 Quality Assurance During the Operations Phase Out of ABWR Standard Plant scope.

Quality Assurance During the Operations Phase 17.2-1

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 17.3 Reliability Assurance Program During Design Phase This section presents the ABWR Design Reliability Assurance Program (D-RAP).

17.3.1 Introduction The ABWR Design Reliability Assurance Program (D-RAP) is a program that will be performed during detailed design and specific equipment selection phases to assure that the important ABWR reliability assumptions of the probabilistic risk assessment (PRA) will be considered throughout the plant life. The plant owner/operator will complete the D-RAP and will also have an operational RAP (O-RAP) that tracks equipment reliability to demonstrate that the plant is being operated and maintained consistent with PRA assumptions so that overall risk is not unknowingly degraded. The PRA evaluates the plant response to initiating events to assure that plant damage has a very low probability and risk to the public is very low. Input to the PRA includes details of the plant design and assumptions about the reliability of the plant risk-significant structures, systems and components (SSCs) throughout plant life. Appendix 19K, PRA Based Reliability and Maintenance, identifies certain risk-significant SSCs. The results of Appendix 19K can be used as a starting point for the D-RAP.

The D-RAP will include the design evaluation of the ABWR. It will identify relevant aspects of plant operation, maintenance, and performance monitoring of important plant SSCs for owner/operator consideration in assuring safety of the equipment and limited risk to the public.

The COL applicant will specify the policy and implement procedures for using the D-RAP information. See Subsection 17.3.13.1 for COL license information.

Also included in this explanation of the D-RAP is a descriptive example of how the D-RAP will apply to one potentially important plant system, the Standby Liquid Control System (SLCS).

The SLCS example shows how the principles of D-RAP will be applied to other systems identified by the PRA as being significant with respect to risk.

17.3.2 Scope The ABWR D-RAP will include the future design evaluation of the ABWR, and it will identify relevant aspects of plant operation, maintenance, and performance monitoring of plant risk-significant SSCs. The PRA for the ABWR and other industry sources will be used to identify and prioritize those SSCs that are important to prevent or mitigate plant transients or other events that could present a risk to the public.

17.3.3 Purpose The purpose of the D-RAP is to assure that the plant safety as estimated by the probabilistic risk analysis (PRA) is maintained as the detailed design evolves through the implementation and procurement phases and that pertinent information is provided in the design documentation to the future owner/operator so that equipment reliability, as it affects plant safety, can be maintained through operation and maintenance during the entire plant life.

Reliability Assurance Program During Design Phase 17.3-1

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 17.3.4 Objective The objective of the D-RAP is to identify those plant SSCs that are significant contributors to risk, as shown by the PRA or other sources, and to assure that, during the implementation phase, the plant design continues to utilize risk-significant SSCs whose reliability is commensurate with the PRA assumptions. The D-RAP will also identify key assumptions regarding any operation, maintenance and monitoring activities that the owner/operator should consider in developing its O-RAP to assure that such SSCs can be expected to operate throughout plant life with reliability consistent with that assumed in the PRA.

A major factor in plant reliability assurance is risk-focused maintenance, by which maintenance resources are focused on those SSCs that enable the ABWR systems to fulfill their essential safety functions and on SSCs whose failure may directly initiate challenges to safety systems. All plant modes are considered, including equipment directly relied upon in Emergency Operating Procedures (EOPs). Such a focus of maintenance will help to maintain an acceptably low level of risk, consistent with the PRA.

17.3.5 GE Hitachi Nuclear Energy Organization for D-RAP The D-RAP definition, reliability analyses, and the PRA, including Appendix 19K, were performed by GEH.

Responsibility for the design of key equipment, components and subsystems was shared by GEH together with external organizations, including the Architect Engineer. The manager assigned the responsibility of managing and integrating the D-RAP Program had direct access to the ABWR Project Manager and kept him abreast of D-RAP critical items, program needs and status. He had organizational freedom to:

(1) Identify D-RAP problems.

(2) Initiate, recommend or provide solution to problems through designated organizations.

(3) Verify implementation of solution.

(4) Function as an integral part of the final design process.

The COL applicant completing its detailed design and equipment selection during the design phase, must submit its specific D-RAP organization for NRC review. See Subsection 17.3.13.2 for COL license information.

17.3.6 SSC Identification/Prioritization The PRA prepared for the ABWR will be the primary source for identifying risk-significant SSCs that should be given special consideration during the detailed design and procurement phases and/or considered for inclusion in the O-RAP. The method by which the PRA is used to 17.3-2 Reliability Assurance Program During Design Phase

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 identify risk-significant SSCs is described in Chapter 19. It is also possible that some risk-significant SSCs will be identified from sources other than the PRA, such as nuclear plant operating experience, other industrial experience, and relevant component failure data bases.

17.3.7 Design Considerations The reliability of risk-significant SSCS, which are identified by the PRA, will be evaluated at the detailed design stage by appropriate design reviews and reliability analyses. Current databases will be used to identify appropriate values for failure rates of equipment as designed, and these failure rates will be compared with those used in the PRA. Normally, the failure rates will be similar, but in some cases they may differ because of recent design or database changes.

Whenever failure rates of designed equipment are significantly greater than those assumed in the PRA, an evaluation will be performed to determine if the equipment is acceptable or if it must be redesigned to achieve a lower failure rate.

For those risk-significant SSCs, as indicated by PRA or other sources, component redesign (including selection of a different component) will be considered as a way to reduce the Core Damage Frequency (CDF) contribution. (If the system unavailability or the CDF is acceptably low, less effort will be expended toward redesign.) If there are practical ways to redesign a risk-significant SSC, it will be redesigned and the change in system fault tree results will be calculated. Following the redesign phase, dominant SSC failure modes will be identified so that protection against such failure modes can be accomplished by appropriate activities during plant life. The design considerations that will go into determining an acceptable, reliable design and the SSCs that must be considered for O-RAP activities are shown in Figure 17.3-1.

GEH will identify in the PRA or other design documents to the plant owner/operator the risk-significant SSCs and the associated reliability assumptions, including any pertinent bases and uncertainties considered in the PRA. GEH will also provide information for the plant owner/operator to incorporate into the O-RAP to help assure that PRA results will be achieved over the life of the plant. This information can be used by the owner/operator for establishing appropriate reliability targets and the associated maintenance practices for achieving them.

17.3.8 Defining Failure Modes The determination of dominant failure modes of risk-significant SSCs will include historical information, analytical models and existing requirements. Many BWR systems and components have compiled a significant historical record, so an evaluation of that record comprises Assessment Path A in Figure 17.3-2. Details of Path A are shown in Figure 17.3-3.

For those SSCs for which there is not an adequate historical basis to identify critical failure modes, an analytical approach is necessary, shown as Assessment Path B in Figure 17.3-2. The details of Path B are given in Figure 17.3-4. The failure modes identified in Paths A and B are then reviewed with respect to the existing maintenance activities in the industry and the Reliability Assurance Program During Design Phase 17.3-3

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 maintenance requirements, Assessment Path C in Figure 17.3-2. Detailed steps in Path C are outlined in Figure 17.3-5.

17.3.9 Operational Reliability Assurance Activities Once the dominant failure modes are determined for risk-significant SSCs, an assessment is required to determine suggested O-RAP activities that will assure acceptable performance during plant life. Such activities may consist of periodic surveillance inspections or tests, monitoring of SSC performance, and/or periodic preventive maintenance (Reference 17.3-1).

An example of a decision tree that would be applicable to these activities is shown in Figure 17.3-6. As indicated, some SSCs may require a combination of activities to assure that their performance is consistent with that assumed in the PRA.

Periodic testing of SSCs may include startup of standby systems, surveillance testing of instrument circuits to assure that they will respond to appropriate signals, inspection of passive SSCs (such as tanks and pipes) to show that they are available to perform as designed.

Performance monitoring, including condition monitoring can consist of measurement of output (such as pump flowrate or heat exchanger temperatures), measurement of magnitude of an important variable (such as vibration or temperature), and testing for abnormal conditions (such oil degradation or local hot spots).

Periodic preventive maintenance (PM) is an activity performed at regular intervals to preclude problems could occur before the next PM interval. This could be regular oil changes, replacement of seals and gaskets, or refurbishment of equipment subject to wear or age related degradation.

Planned maintenance activities will be integrated will the regular operating plans so that they do not disrupt normal operation. Maintenance that will be performed more frequently than refueling outages must be planned so as to not disrupt operation or be likely to cause reactor scram, Engineered Safety Feature (ESF) actuation, or abnormal transients. Maintenance planned for performance during refueling outages must be conducted in such a way that it will have little or no impact on plant safety, on outage length or on other maintenance work.

The COL applicant will provide a complete O-RAP to be reviewed by the NRC. See Subsection 17.3.13.3 for COL license information.

17.3.10 Owner/Operators Reliability Assurance Program The O-RAP that will be prepared and implemented by the ABWR owner/operator will make use of the information provided by GEH. This information will help owner/operator determine 17.3-4 Reliability Assurance Program During Design Phase

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 activities that should be included in the O-RAP. Examples of elements that might be included in an O-RAP are:

(1) Reliability Performance Monitoring: Measurement of the performance of equipment to determine that it is accomplishing its goals and/or that it will continue to operate with low probability of failure.

(2) Reliability Methodology: Methods by which the plant owner/operator can compare plant data to the SSC data in the PRA.

(3) Problem Prioritization: Identification, for each of the risk- significant SSCs, of the importance of that item as a contributor to its system unavailability and assignment of priorities to problems that are detected with such equipment.

(4) Root Cause Analysis: Determination, for problems that occur regarding reliability of risk-significant SSCs, of the root causes, those causes which, after correction, will not recur to again degrade the reliability of equipment.

(5) Corrective Action Determination: Identification of corrective actions needed to restore equipment to its required functional capability and reliability, based on the results of problem identification and root cause analysis.

(6) Corrective Action Implementation: Carrying out identified corrective action on risk-significant equipment to restore equipment to its intended function in such a way that plant safety is not compromised during work.

(7) Corrective Action Verification: Post-corrective action tasks to be followed after maintenance on risk significant equipment to assure that such equipment will perform its safety functions.

(8) Plant Aging: Some of the risk-significant equipment is expected to undergo age related degradation that will require equipment replacement or refurbishment.

(9) Feedback to Designer: The plant owner/operator will periodically compare performance of risk-significant equipment to that specified in the PRA and D-RAP, as mentioned in item 1, above, and, at its discretion, may feedback SSC performance data to plant or equipment designers in those cases that consistently show performance below that specified.

(10) Programmatic Interfaces: Reliability assurance interfaces related to the work of the several organizations and personnel groups working on risk-significant SSCs.

The plant owner/operators O-RAP will address the interfaces with construction, startup testing, operations, maintenance, engineering, safety, licensing, quality assurance and procurement of replacement equipment.

Reliability Assurance Program During Design Phase 17.3-5

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 17.3.11 D-RAP Implementation An example of implementation of the D-RAP is given for the Standby Liquid Control System (SLCS). The purpose of the SLCS is to inject neutron absorbing poison into the reactor, upon demand, providing a backup rector shutdown capability independent of the control rods. The system is capable of operating over a wide range of reactor pressure conditions. The SLCS may or may not be identified by the final PRA as a significant contributor to CDF or to offsite risk.

For the purpose of this example, it is assumed that the SLCS is identified as a significant contributor to CDF or to offsite risk.

17.3.11.1 SLCS Description During normal operation, the SLCS is on standby, only to function in event the operators are unable to control reactivity with the normal control rods. The SLCS consists of a boron solution storage tank, two positive displacement pumps, two motor operated injection valves (provided in parallel for redundancy), and associated piping and valves used to transfer borated water from the storage tank to the reactor pressure vessel (RPV). The borated solution is discharged through the B high pressure core flooder (HPCF) subsystem sparger. A schematic diagram of the SLCS, showing major system components, is presented in Figure 17.3-7. Some locked open maintenance valves and some check valves are not shown. Key equipment performance requirements are:

(1) Pump flow per pump 11.35 m3/h per pump (2) Maximum reactor pressure (for injection) 8.6 MPaG (3) Pumpable volume in storage tank 23,090.9 L (minimum)

Design provisions to permit system testing include a test tank and associated piping and valves.

The tank can be supplied with demineralized water which can be pumped in a closed loop through either pump or injected into the reactor.

The SLCS uses a dissolved solution of sodium pentaborate as the neutron-absorbing poison.

This solution is held in a heated storage tank to maintain the solution above its saturation temperature. The SLCS solution tank, a test water tank, the two positive displacement pumps, and associated valving are located in the secondary containment on the floor elevation below the operating floor. This is a Seismic Category I structure, and the SLCS equipment is protected from phenomena such as earthquakes, tornados, hurricanes and floods as well as from internal postulated accident phenomena. In this area, the SLCS is not subject to conditions such as missiles, pipe whip, and discharging fluids.

The pumps are capable of producing discharge pressure to inject the solution into the reactor when the reactor is at high pressure conditions corresponding to the system relief valve 17.3-6 Reliability Assurance Program During Design Phase

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 actuation. Signals indicating storage tank liquid level, tank outlet valve position, pump discharge pressure and injection valve position are available in the control room.

The pumps, heater, valves and controls are powered from the standby power supply or normal offsite power. The pumps and valves are powered and controlled from separate buses and circuits so that single active failures will not prevent system operation. The power supplied to one motor-operated injection valve, storage tank discharge valve, and injection pump is from Division 1, 480 VAC. The power supply to the other motor-operated injection valve, storage tank outlet valve, and injection pump is from Division II, 480 VAC. The power supply to the tank heaters and heater controls is connectable to a standby power source. The standby power source is Class 1E from an onsite source and is independent of the offsite power.

All components of the system which are required for injection of the neutron absorber into the reactor are classified Seismic Category I. All major mechanical components are designed to meet ASME Code requirements as shown below.

Reliability Assurance Program During Design Phase 17.3-7

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 Design Conditions ASME Code Component Class Pressure Temperature Storage Tank 2 Static Head 66°C Pump 2 10.8 MPaG 66°C Injection Valves 1 10.8 MPaG 66°C Piping Inboard of Injection Valves 1 8.6 MPaG 302°C 17.3.11.2 SLCS Operation The SLCS is initiated by one of three means: (1) manually initiated from the main control room; (2) automatically initiated if conditions of high reactor pressure and power level not below the Anticipated Transient Without Scram (ATWS) permissive power level exist for 3 minutes; or (3) automatically initiated if conditions of RPV water level below the Level 2 setpoint and power level not below the ATWS permissive power level exist for 3 minutes. The SLCS provides borated water to the reactor core to introduce negative reactivity effects during the required conditions.

To meet its negative reactivity objective, it is necessary for the SLCS to inject a quantity of boron which produces a minimum concentration of 850 ppm of natural boron in the reactor core at 20°C. To allow for potential leakage and imperfect mixing in the reactor system, an additional 25% (220 ppm) margin is added to the above requirement. The required concentration is achieved accounting for dilution in the RPV with normal water level and including the volume in the residual heat removal shutdown cooling piping. This quantity of boron solution is the amount which is above the pump suction shutoff level in the storage tank, thus allowing for the portion of the tank volume which cannot be injected.

17.3.11.3 Major Differences from Operating BWRs The SLCS design is very similar to that of operating BWRS. Automatic actuation of the ABWR SLCS is similar to that incorporated in some operating BWRS. Because of the larger ABWR RPV volume, the pumping capacity has been increased from 9.8 to 11.4 m3/h per pump.

Injection of SLCS solution through the HPCF sparger has been shown by boron mixing tests to give better mixing than the operating plant injection through a standpipe.

Injection valves of operating plants are leak-proof explosive valves to keep boron out of the reactor during SLCS testing. In the ABWR the injection valves are motor operated and a suction pipe fill system keeps the lines filled with distilled water at slightly higher pressure than that of the boron storage tank to preclude entry of boron into the reactor.

17.3-8 Reliability Assurance Program During Design Phase

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 The motor-operated injection valves provide the following advantages over explosive valves:

(1) Radiation exposure to personnel is potentially reduced during testing and maintenance because less work will be required at the valves.

(2) Post-injection containment isolation capability is enhanced because the motor operated valves can be closed following boron injection. Explosive valves cannot be reclosed to provide containment isolation.

17.3.11.4 SLCS Fault Tree The top level fault tree for the SLCS is shown in Figure 17.3-8, with the top gate defined as failure to deliver 11.4 m3/h of borated water from the storage tank to the RPV. Details providing input to most of the events in Figure 17.3-8 are contained in the several additional branches to the fault tree.

It is assumed that the SLCS has been identified by the PRA as a system making significant contribution to CDF. A listing of the SLCS components or events by Fussell-Vesely Importance was made, and those SSCs with greatest importance are given in Table 17.3-1. No SSCs appear to be risk-significant because of aging or common cause considerations. The seven most significant components are listed in Table 17.3-2, so these SSCs should be considered as risk-significant candidates for O-RAP activities.

17.3.11.5 System Design Response The seven SLCS risk-significant components identified in Table 17.3-2 as having high importance in the SLCS fault tree are now considered for redesign or for O-RAP activities, as noted above. The flow chart of Figure 17.3-1 guides the designer.

Two of the events in Table 17.3-2 result from flow of SLCS fluid being diverted through relief valves back to pump suction rather than into the RPV. Since gate and check valve failures (which could result in relief valve operation) are accounted for by separate events, the relief valve failures of concern can be considered to be valve body failures or inadvertent opening of the relief valves. Plugging of the suction lines from the storage tank could result from some contamination of the tank fluid or collection of foreign matter in the tank. The pump failures to start upon demand could result from electrical or mechanical problems at the pumps or their control circuits.

Two AC electrical system failures that contribute to SLCS failure are identified in Table 17.3-2.

No further details of electrical system failures or maintenance are included here. That leaves the five components noted above for special attention with regard to reducing the risk of system failure.

Reliability Assurance Program During Design Phase 17.3-9

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 (1) Redesign The design evaluation of Figure 17.3-1 is used by the designer. The design assessment shows that the component failure rates are the same as those used in the PRA, so there is no need to recalculate the PRA. Also, no one SSC has a major impact on SLCS unavailability, so redesign or reselection of components is not required and the seven components are identified for consideration by the O-RAP.

Redesign considerations, if they had been required, would have included trying to identify more reliable relief valves and pumps and suction lines less likely to plug.

The latter might be achieved by using larger diameter pipes or multiple suction lines.

Pump and valve reliability might be enhanced by specific design changes or by selection of a different component. Any such redesign would have to be evaluated by balancing the increase in reliability against the added complication to plant equipment and layout.

(2) Failure Mode Identification If redesign is not necessary, or after redesign has been completed, the appropriate O-RAP activities would be identified for the three SLCS component types identified by the fault tree and discussed above. This begins with determining the likely failure modes that will lead to loss of function, following the steps in Figure 17.3-2. The components of SLCS have adequate failure history to identify critical failure modes, so Assessment Paths A and C (Figures 17.3-3 and 17.3-5, respectively) would be followed to define the failure modes for consideration.

For the SLCS relief valves, past experience with similar valves shows that the major failure modes are fluid leakage from the valve body and a spurious opening as result of failure of the spring, the spring fastener, the valve stem or the disk. Past pump failures fall into two general categories, electrical problems resulting in failure to start on demand and mechanical problems that cause a running pump to stop or fail to provide rated flow. The plugging of fluid lines generally results from presence of sediment or precipitation of compounds from saturated fluid.

Following the flow chart of Figure 17.3-3, the designer would determine more details about each failure mode, including pieceparts most likely to fail and the frequency of each failure mode category or piecepart failure. This would result in a list of the dominant failure modes to be considered for the O-RAP. ASME Section XI requirement for inservice inspection (ISI) and other mandated inspections and test would be identified, as indicated in Figure 17.3-5.

Examples of the types of failure modes that could impact reliability of these identified components are shown in Table 17.3-3. The table is not a complete listing 17.3-10 Reliability Assurance Program During Design Phase

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 of important failure modes, but is intended to indicate the types of failures that would be considered.

(3) Identification of Maintenance Requirements For each identified failure mode, the appropriate maintenance tasks will be identified to assure that the failure mode will be (a) avoided, (b) rendered insignificant or (c) kept to an acceptably low probability. The type of maintenance and the maintenance frequencies are both important aspects of assuring that the equipment failure rate will be consistent with that assumed for the PRA. As indicated in Figure 17.3-6, the designer would consider periodic testing, performance testing or periodic preventive maintenance as possible O-RAP activities to keep failure rates acceptable.

For the SLCS relief valves, which normally have no cycles during operation, a visual inspection for leakage and periodic inspections of internals are judged to be appropriate. The pumps can be functionally tested periodically for ability to start and run and vibration can be measured during functional tests to detect potential mechanical problems. Detailed disassembly, inspection and refurbishment would be done less frequently. To prevent line plugging, the storage tank can be sampled for sediment and/or liquid saturation, with appropriate cleaning or temperature increase as necessary. Examples of maintenance activities and frequencies are shown in Table 17.3-3 for each identified failure mode. The D-RAP will include documentation of the basis for each suggested O-RAP activity.

17.3.12 Glossary of Terms ATWS Anticipated Transient Without Scram.

CDF The core damage frequency as calculated by the PRA.

D-RAP Design Reliability Assurance Program performed by the plant designer to assure that the plant is designed so that it can be operated and maintained in such a way that the reliability assumptions of the PRA apply throughout plant life.

Fussell-Vesely A measure of the component contribution to system unavailability.

Importance Numerically, the percentage contribution of component to system unavailability.

GEH GE Hitachi Nuclear Energy, ABWR plant designer.

Owner/Operator The utility or other organization that owns and operates the ABWR following construction.

Reliability Assurance Program During Design Phase 17.3-11

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 O-RAP Operational Reliability Assurance Program performed by the plant owner/operator to assure that the plant is operated and maintained safely and in such a way that the reliability assumptions of the PRA apply throughout plant life.

Piecepart A portion of a (risk-significant) component whose failure would cause the failure of the component as a whole. The precise definition of a piecepart will vary between component types, depending upon their complexity.

PRA Probabilistic risk assessment performed to identify and quantify the risk associated with the ABWR.

Risk-Significant Those SSCs which are identified as contributing significantly to the system unavailability.

SSCs Structures, systems and components identified as being important to the plant operation and safety.

17.3-12 Reliability Assurance Program During Design Phase

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 17.3.13 COL License Information 17.3.13.1 Policy and Implementation Procedures for D-RAP The COL applicant will specify the policy and implementation procedures for using D-RAP information (Subsection 17.3.1).

17.3.13.2 D-RAP Organization The COL applicant completing its detailed design and equipment selection during the design phase, must submit its specific D-RAP organization for NRC review (Subsection 17.3.5).

17.3.13.3 Provision for O-RAP The COL applicant will provide a complete O-RAP to be reviewed by the NRC (Subsection 17.3.9).

17.3.14 References 17.3-1 E. V. Lofgren, et al., A Process for Risk- Focused Maintenance, NUREG/CR-5695, March 1991.

Reliability Assurance Program During Design Phase 17.3-13

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 Table 17.3-1 SLCS Components with Largest Contribution to System Unavailability Fussel-Vesely Component Importance OVF001HW Flow Diverted Through Relief Valve F003A 0.50 OVF002HW Flow Diverted Through Relief Valve F003B 0.50 OFL000HW Plugged Suction Lines From Tank 0.24 OPM001HW SLCS Pump A (C001A) Fails to Operate 0.05 OPM002HW SLCS Pump B (C001B) Fails to Operate 0.05 ECA003H AC Power Cable 03 Failure 0.05 ECA013H AC Power Cable 13 Failure 0.05 Table 17.3-2 Risk-Significant SSCs for SLCS Relief Valves F003A and F003B Suction Lines from Tank Pumps C001A and C001B AC Power Cable 03 AC Power Cable 13 17.3-14 Reliability Assurance Program During Design Phase

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 Table 17.3-3 Examples of SLCS Failure Modes and O-RAP Activities Recommended Maintenance Component Failure Mode/Cause Maintenance Interval Basis*

Relief Valve Body leakage Visual inspection 24 months Experience Spurious opening, Inspect closure for 10 years Low failure rate; spring failure breaks; measure spring ASME Code ISI.

constant; replace spring.

Spurious opening, Visual inspection of 10 years Low failure rate; spring fastener failure spring fastener; replace ASME Code ISI.

if necessary.

Spurious opening, Visual and penetrant 10 years Infrequent use, low failure of valve stem or inspection of stem, failure rate, ASME disk ultrasonic inspection of Code ISI.

stem; replace if necessary.

Pump Fails to start, electrical Functional test of pump 6 months Experience with problems with suction from test other electrical tank, no flow from pumps.

storage tank.

Fails to run, Measure pump vibration 6 months Infrequent use, little mechanical problems during pump operation wear.

in functional test.

Disassemble/inspect 5 years Infrequent use, low pump for corrosion, failure rate, ASME wear. Refurbish as Code ISI.

necessary.

Suction Lines Lines plugged by Sample storage tank 6 months Clean system, little sediment water for sediment; chance of sediment.

clean tank as necessary.

Lines plugged by Sample storage tank for 1 month Saturated solution precipitated boron degree of saturation of most likely source compounds boron compounds. of line plugging.

Increase tank temperature, as necessary.

  • AII SLCS components have been used in operating BWRs, so there is much experience to guide owners/operators in care of the equipment.

Reliability Assurance Program During Design Phase 17.3-15

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 RISK SIGNIFICANT SSCs IDENTIFIED BY PRA SYSTEM COMPONENT FAULT TREE REDESIGN RECALCULATION RELIABILITY ASSESSMENT ARE PRA RESULTS IN DESIGN PHASE: SIGNIFICANTLY CHANGED ARE FAILURE RATES > BY HIGHER FAILURE THOSE IN PRA? RATE?

DOES SSC FAILURE HAVE IS COMPONENT A LARGE IMPACT ON REDESIGN FEASIBLE, SYSTEM UNAVAILABILITY? PRACTICAL AND COST EFFECTIVE?

SSCs FOR O-RAP Figure 17.3-1 Design Evaluations for SSCs 17.3-16 Reliability Assurance Program During Design Phase

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 Figure 17.3-2 Process for Determining Dominant Failure Modes of Risk-Significant SSCs Reliability Assurance Program During Design Phase 17.3-17

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 Figure 17.3-3 Use of Failure History to Define Modes 17.3-18 Reliability Assurance Program During Design Phase

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 Figure 17.3-4 Analytical Assessment to Define Failure Modes Reliability Assurance Program During Design Phase 17.3-19

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 INFORMATION NEEDED ASSESSMENT PATH C IDENTIFY PLANNED MAINTENANCE PROGRAM AND REQUIREMENTS LIST ALL MAINTENANCE REQUIREMENTS AND RECOMMENDATIONS FROM ALL SOURCES PARTITION LIST INTO THOSE MAINTENANCE REQUIREMENTS AND RECOMMENDATIONS ACTUALLY PLANNED AND THOSE THAT ARE NOT MAINTENANCE MAINTENANCE RECOMMENDED BUT ACTUALLY PLANNED NOT PLANNED RECORD RATIONALE RECORD RATIONALE FOR PERFORMING FOR NOT PERFORMING THE MAINTENANCE THE MAINTENANCE IDENTIFY FAILURE IDENTITY FAILURE MODES MODES AFFECTED NOT PROTECTED BY AND FREQUENCY OF MAINTENANCE MAINTENANCE (IF ANY)

DEFINE THE DOMINANT FAILURE MODES Figure 17.3-5 Inlusion of Maintenance Requirements in the Definition of Failure Modes 17.3-20 Reliability Assurance Program During Design Phase

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 DOMINANT FAILURE MODES OF RISK-SIGNIFICANT SSCS YES DOES SSC REQUIRE PERIODIC TESTING? SPECIFY REQUIRED TESTS NO YES DOES SSC REQUIRE SPECIFY PERFORMANCE TESTING? PERFORMANCE MONITORING NO YES DOES SSC REQUIRE PERIODIC PREVENTIVE SPECIFY PERIODIC MAINTENANCE (PM)? PM NO DOCUMENT, FOR OWNER/OPERATOR, MAINTENANCE ACTIVITIES AND BASES, PLUS UNCERTAINTIES, FOR THE RISK-SIGNIFICANT SSCS.

Figure 17.3-6 Identification of Risk-Significant SSC O-Rap Activities Reliability Assurance Program During Design Phase 17.3-21

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 VENT PRIMARY NNS CONTAINMENT 2 STORAGE TANK H

TE A NNS 2 L

H SAMPLING L A SYSTEM L

HEATER HPCF 'B' SUCTION VALVES M M ASME CODE CLASS1 INJECTION VALVES PUMPS (WITH POSITION INDICATION)

M M 2

NNS ASME CODE CLASS 2 P 2 NNS TEST TANK Figure 17.3-7 Standby Liquid Control System (Standby Mode) 17.3-22 Reliability Assurance Program During Design Phase

25A5675AV Revision 7 ABWR Design Control Document/Tier 2 SLC FAILS TO DELIVER 50 GPM BORATED WATER G1 FAILURE OF BOTH SLC BOTH PUMP BOTH PUMP BORATED PUMPS TO SUCTION DISCHARGE WATER NOT DELIVER VALVES FAIL VALVES FAIL AVAILABLE AT BORATED CLOSED CLOSED PUMP WATER TO SUCTION DISCH.

G2 G7 G10 G13 FAILURE TO INITIATE MANUAL FAILURE TO AUTOMATIC FAILURE INITIATE TO INITIATE G25 OPERATOR SIGNAL TO FAILS TO INITIATE INITIATE FAILURE SLCOO1HE 1.00E-01 G23 Figure 17.3-8 Standby Liquid Control System Top Level Fault Tree Reliability Assurance Program During Design Phase 17.3-23

Retrieved from "https://kanterella.com/w/index.php?title=ML20007E352&oldid=2522343"