ML20041D775
| Person / Time | |
|---|---|
| Site: | 05000470 |
| Issue date: | 03/04/1982 |
| From: | ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY |
| To: | |
| Shared Package | |
| ML20041D772 | List: |
| References | |
| LD-82-029, LD-82-29, NUDOCS 8203090172 | |
Enclosure To LD-82-029
A REVIEW OF THE DEPRESSURIZATION & DECAY HEAT REMOVAL CAPABILITIES FOR THE C-E SYSTEM 80 NSSS
COMBUSTION ENGINEERING, INC.
MARCH 4, 1982
8203090172 820304 PDR ADOCK 05000470 A PDR
I. Introduction & Summary
II. Background
III. Review of Draft SSER
(1) Auxiliary Feedwater System Reliability
(2) Steam Generator Integrity
(3) The Need for Additional Primary System Valves
IV. Review of Draft PRA
(1) General Comments
(2) Specific Comments
(3) C-E's Revision to DRA's Analysis
(4) Cost/Benefit Analysis
V. Contingency Decay Heat Removal
VI. Conclusion
I. INTRODUCTION AND SUMMARY
During its review of the CESSAR-F application, the Advisory Committee on Reactor Safeguards (ACRS) stated that "it may be useful to give consideration to the potential for adding valves of a size to facilitate rapid depressurization of the System 80 primary coolant system to allow more direct methods of decay heat removal."
The NRC staff subsequently forwarded to C-E two documents.
The first document, a draft input to the Supplementary Safety Evaluation Report (SSER) for CESSAR-F, was prepared by the Division of Systems Integration (DSI) and addressed (1) reliability of the auxiliary (or emergency) feedwater system (AFWS), (2) steam generator integrity, and (3) existing methods for primary system depressurization.
The draft SSER concluded that changes to the System 80 design were not warranted, but that CESSAR-F should include an interface requirement specifying a reliability goal for the AFWS.
The second document consisted of what was reported to be a "quick and dirty" Probabilistic Risk Analysis (PRA) performed by the Division of Risk Analysis (DRA).
From this analysis, the DRA recommended that "feed and bleed" capability be added to the System 80 NSSS.
In a cover letter to A. E. Scherer from D. G. Eisenhut, dated February 8, 1982, the NRC staff requested that Combustion Engineering (C-E) review the need for Power Operated Relief Valves (PORVs) in the System 80 design, giving specific consideration to the two NRC documents outlined above.
As requested, C-E has conducted a review of the System 80 design and has determined the following:
1. The System 80 NSSS will be coupled with highly reliable emergency feedwater systems (EFWS) by addition of an interface requirement that the EFWS have an unavailability in the range of 10^-4 to 10^-5 per demand.
2. The System 80 NSSS is capable of achieving cold shutdown conditions using only safety grade systems, even without offsite power and with an added single failure.
3. The System 80 steam generator design includes many features which will assure adequate tube integrity, minimizing problems associated with operating reactors.
4. Even if all auxiliary feedwater supply were somehow lost, the secondary side of the steam generators could be depressurized to allow use of low head pumps which might be aligned to provide water to the steam generators from a number of sources.
5. Contrary to the probabilistic analysis developed by DRA, installing PORVs will not result in a significant improvement in safety. The added costs are not justified.
Based upon the considerations listed above, C-E has concluded that the current System 80 design, strengthened by addition of the interface requirement on reliability of the EFWS, provides adequate protection for the health and safety of the public.
II. BACKGROUND
The early C-E NSSS designs used PORVs as non-safety grade equipment to limit overpressure transients to pressures below the ASME Code safety valve setpoint.
This function was intended to reduce challenges to the safety valves, thereby minimizing weepage and avoiding potential leakage following actuation.
The PORVs were not intended to prevent a high pressure reactor trip, but rather, were to be used in conjunction with the trip to mitigate the pressure transient.
As each of the early plants became operational, the effectiveness of the pressurizer spray system to limit pressure transients was demonstrated.
Consequently, C-E was unable to substantiate any advantages to opening PORVs during transients to protect the safety valves from leakage.
PORVs were also considered to be counterproductive in light of the PORV leakage problems that had been experienced.
Furthermore, system analysis has demonstrated the pressure overshoot above the high pressure trip to be so minimal that, when PORV operation was not credited, the safety valves were not challenged.
Accordingly, the PORV function during power operation was not considered necessary, and was eliminated from subsequent C-E designs.
Recently, a contingency method of core cooling employing once-through flow in the Reactor Coolant System (RCS) has been advanced as an alternate decay heat removal system.
This method would use the PORVs in conjunction with the High Pressure Safety Injection (HPSI) pumps and has been referred to as "feed and bleed".
In this regard, the Advisory Committee on Reactor Safeguards (ACRS), following its review of System 80, stated:
"In recent years, the availability of reliable shutdown heat removal capability for a wide range of transients has been recognized to be of great importance to safety.
The System 80 design does not include capability for rapid, direct depressurization of the primary system or for any method of heat removal immediately after shutdown which does not require use of the steam generators.
In the present design, the steam generators must be operated for heat removal after shutdown when the primary system is at high pressure and temperature.
This places extra importance on the reliability of the auxiliary feedwater system used in connection with System 80 steam generators and extra requirements on the integrity of the steam generators.
The ACRS believes that special attention should be given to these matters in connection with any plant employing the System 80 design.
The Committee also believes that it may be useful to give consideration to the potential for adding valves of a size to facilitate rapid depressurization of the System 80 primary coolant system to allow more direct methods of decay heat removal.
The Committee wishes to review this matter further with the cooperation of Combustion Engineering and the NRC Staff."
Then, in a letter from D. G. Eisenhut, dated February 8, 1982, the NRC requested C-E to review their draft SSER and PRA and provide our "analysis of the need for PORVs in the System 80 design". The results of C-E's review relative to the SSER and PRA are provided in the following sections.
III. REVIEW OF DRAFT SSER
The draft SSER addressed the ACRS concern in three parts: (1) auxiliary feedwater system reliability, (2) steam generator integrity, and (3) the need for additional primary system valves to facilitate direct rapid system depressurization for decay heat removal.
C-E's review addressed these three areas as outlined below.
(1) Auxiliary Feedwater System Reliability
The C-E Standard System 80 design contains specific BOP interface requirements for an Engineered Safety Features grade Emergency Feedwater System.
Although there is currently no quantitative requirement for an expected system unavailability, the deterministic interface requirements reflect the highly reliable system needed to meet unavailabilities in the range of 10^-4 to 10^-5 per demand.
C-E has worked closely with the System 80 owners in the design of the AFWS and feels confident that the BOP designs will have the high reliability called for in the draft SSER.
C-E agrees with emphasis on the reliability of the AFWS and will add the following interface requirement to CESSAR:
"The Emergency Feedwater System (EFWS) shall have an unavailability in the range 10^-4 to 10^-5 per demand based on an analysis using methods and data presented in NUREG-0611 and NUREG-0636.
Compensating factors such as other methods of accomplishing safety functions of the EFWS or other reliable methods for cooling the reactor core during abnormal conditions may be considered to justify a larger unavailability of the EFWS". (1)
Footnote (1): This reliability goal is consistent with the acceptance criteria of Standard Review Plan 10.4.9 which has been imposed as a requirement on all new Operating License applications via item II.E.1.1 of NUREG-0737.
(2) Steam Generator Integrity
The System 80 steam generator is designed to avoid operating problems which have been experienced with U-tube steam generators of the recirculating type.
Special features of this design include the tube support structures and support spacing, tube to tube sheet joint, flow distribution baffles, sampling arrangement, and cleanup capability.
Combined, they insure reliable operations and maintenance of integrity for primary heat removal after reactor shut down.
The secondary side hydraulics of the System 80 steam generator have been optimized to ensure that regions of localized dryout (which can concentrate boiler water solids) do not exist and that local velocities will permit particulate dropout only in the region of the crud removal system.
Flow distribution baffles are arranged above the tube sheet in a manner which insures a uniform distribution of flow across the tube bundle.
The baffles also insure that local horizontal velocities near the tube sheet are sufficiently high to prevent dropout of boiler water particulate in the region of the tube bundle.
The primary tube bundle supports are of the eggcrate type, with large punchouts in the strips where appropriate to enhance freedom of flow.
The large open flow area helps to avoid accumulation of boiler water deposits.
All C-E steam generators have explosively expanded tube-to-tubesheet joints in which the tubes are expanded for the full depth of the tubesheet.
This eliminates the tube-to-tubesheet crevice which has resulted in tubing corrosion problems in this location, such as stress corrosion cracking and intergranular attack.
Sampling connections on the System 80 steam generator are located in both the recirculating downcomer and in the blowdown piping adjacent to the blowdown nozzle.
These locations permit the separate evaluation of secondary fluid chemistry in the recirculated water and the water within the region of the tube bundle containing the hottest tubes.
Comparison of the samples permits optimization of feedwater chemistry so that corrosive conditions can be avoided.
Stainless steel is used for the eggcrate supports and flow distribution plates to minimize localized corrosion of these components.
Inconel 600 tubing material is specified, controlled and tested to preclude sensitivity to stress corrosion cracking or intergranular attack.
The System 80 steam generator has high capacity blowdown capability for periodic on-line removal of solids which may accumulate on the tubesheet.
C-E feels that the multiple design features discussed above, along with appropriate chemistry control, will assure adequate steam generator integrity.
(3) The Need for Additional Primary System Valves to Facilitate Direct Rapid System Depressurization for Decay Heat Removal
There are numerous systems, both within the standard NSSS design and BOP design, available to perform the various functions necessary to bring the plant to a cold shutdown condition.
As a group, these systems provide the operator with the flexibility necessary to cool down and depressurize the plant in a variety of possible situations.
The design fully meets Branch Technical Position RSB 5-1.
Some of the more significant features of the C-E System 80 design related to shutdown, cooldown, and depressurization capabilities are discussed below.
Normal Shutdown
Under the vast majority of situations, the same systems used for power generation will be employed for plant cooldown.
In these cases primary coolant is circulated through the RCS using the reactor coolant pumps.
Steam is drawn from the steam generators, bypasses the turbine and is rejected to the main condenser.
The main feedwater and condensate systems are used to return the condenser inventory to the steam generators.
RCS heat removal is maintained with the steam generators.
RCS pressure is maintained with the pressurizer, using the normal heater and spray control systems.
Shutdown with Heat Rejection to Atmosphere
In the event that the main condenser or associated systems are unavailable, steam may be rejected directly to atmosphere.
Any of four safety grade steam generator atmospheric dump valves located upstream of the MSIVs may be operated manually to bleed steam. Makeup water to the steam generators is supplied from the safety grade EFWS.
This system provides an assured capacity of at least 300,000 gallons of water.
This is sufficient inventory to allow for a plant cooldown (i.e., sensible heat removal) and decay heat removal for a period of time in excess of 15 hours.
Additional makeup from other site sources, including the ultimate heat sink, allows for extended operations.
Natural Circulation
Central to the accomplishment of the basic safety function of Core Heat Removal is the ability to transport reactor coolant to a heat sink where Reactor Coolant System Heat Removal can be accomplished.
Reactor coolant pump forced circulation and heat transfer to the steam generators is the preferred mode of operation for residual heat removal whenever plant temperatures and pressures are above the shutdown cooling system (SDCS) entry conditions.
Subcooled natural circulation provides an effective alternate means for controlled core cooling, using the steam generators, for extended periods of time if the reactor coolant pumps are unavailable.
Two-phase natural circulation and reflux cooling will also occur to provide adequate core cooling following transients which result in loss of RCS inventory and/or subcooling.
Component elevations of the System 80 plant are such that satisfactory natural circulation for decay heat removal is obtained as a result of density differences between the bottom of the core and the top of the steam generator tube sheet, an elevation head of approximately 25 feet.
An additional small contribution to natural circulation flow rate is the density difference obtained as the coolant passes through the steam generator U-tubes.
Additionally, several systems design features have been incorporated to assure the maintenance of natural circulation flow.
A redundant pressurizer heater capacity of 150 KW from each diesel generator is available to maintain system subcooling.
A reactor coolant head vent system is also provided to allow the purging of non-condensible gases should they form.
As was done for all other C-E plants, the Standard System 80 natural circulation performance will be tested during the plant start-up.
When in natural circulation, the main pressurizer spray system is unavailable.
The auxiliary spray from the charging system provides for system depressurization under these conditions.
C-E recommends use of the auxiliary spray system for primary depressurization whenever the main pressurizer spray system is unavailable.
In summary, the Standard System 80 design is in full compliance with Branch Technical Position RSB 5-1, "Design Requirements of the Residual Heat Removal System."
The plant can be brought to SDCS initiation in less than 36 hours using only seismic category 1 equipment, assuming the most limiting single failure, and with only onsite or only offsite power available.
IV. REVIEW OF DRAFT PRA
The draft PRA provided by the Division of Risk Analysis (DRA) attempts to demonstrate that, for C-E's System 80 plants, the current designs will not meet the NRC's proposed plant performance guideline.
This guideline is that "the likelihood of a nuclear reactor accident that results in a large-scale core melt should normally be less than one in 10,000 per year of reactor operation".
Additionally, the DRA study makes a case for incorporating feed and bleed capability to partially alleviate the perceived problem, and presents analysis to show that such a change is cost beneficial to the utilities.
C-E's review indicates that the recommendations are not well supported by the analyses. The analyses and attendant discussions also raise some questions that should be resolved before comparisons of rough PRA estimates and NRC's safety goal are made. The following comments are offered.
(1) General Comments
1. The NRC proposed safety goal was developed in the light of PRA analyses which have all been done assuming some nominal plant age, that is, an age for which the usual assumptions inherent in reliability analyses apply.
The DRA study uses the same safety goal to apply to very early plant operation that can be characterized as the wear-in period rather than applying the goal to average plant conditions.
This appears to be a misapplication of the safety goal.
2. The reference includes treatment of uncertainty and shows that, given huge uncertainty spans (three orders of magnitude), the upper bound estimate may somewhat exceed the plant performance guideline.
This approach is in conflict with the NUREG-0880 recommendation of the Staff regarding treatment of uncertainties.
NUREG-0880 recommends that probabilistic risk assessments be performed during the trial period on the basis of "realistic assumptions and best estimate analyses".
3. The NRC's "Proposed Policy Statement on Safety Goals for Nuclear Power Plants" states, under the heading of "Implementation", that the proposed numerical cost/benefit guidelines may be used by the NRC staff during the trial period, and that benefits should be measured in radiological risk.
Costs should be annualized over the remaining plant life.
However, the cost/benefit analysis contained in the DRA study does not agree in form or content with the above policy.
Most importantly, consideration was not limited to radiological risk.
Since no radiological consequences were predicted for the events considered, the only benefit identified by the DRA is a reduction in the utility's economic risk.
Cost/benefit based on utility economic risk is outside of the intended scope of the guidelines and should not be the basis for developing NRC requirements.
Cost/benefit based on utility economic risk is clearly a serious misapplication of the safety goal.
(2) Specific Comments
1. The reference discusses three potential accident sequences for which System 80 plants may not meet the safety goal.
These are listed below, together with reasons why C-E believes they are not applicable to System 80 plants.
We recognize that "back-of-the-envelope" calculations require simplified and conservative assumptions.
Unfortunately, such assumptions resulted in erroneous conclusions reached by the Staff in their analysis.
Specifically, it was assumed that only one diesel generator is capable of energizing the safety related motor-driven AFWS train and that offsite power is required for the other motor-driven AFWS train.
In fact, none of the current designs for System 80 plants have AFWS systems with such a configuration.
a. Total Loss of Feedwater
The conclusion of the write-up on total loss of feedwater is that "even at maturity this core melt sequence frequency may be higher than 10^-4/year."
This conclusion is the direct result of the enormous uncertainty band chosen by the analyst.
There are three orders of magnitude in the uncertainty of the core melt frequency due to loss of main feedwater (2.6 x 10-" 39 x 10^-7).
By arbitrarily increasing the uncertainty bounds, one can show that any system or event may not meet any goal.
As discussed in the general comments above, it is recommended that best estimate calculations be used to demonstrate compliance with the NRC's proposed safety goal.
Additionally, the calculation should be based on plant designs that are appropriate to System 80 plants.
b. Loss of Offsite Power
The results of this analysis indicate that the System 80 plants are acceptable as long as both motor driven AFW pumps can be powered by diesel generators.
As shown in Table 1, this is the case for all System 80 plants.
Hence, as discussed below and shown in Table 2, the frequency of core melt resulting from loss of offsite power is well below the proposed NRC safety goal.
c. Very Small (S2) LOCA
This section suggests that all PWRs may suffer from a common problem: that the frequency of core melt due to small break LOCA may exceed the NRC's proposed goal of 10^-4/year.
The scenario posed is an S2 LOCA followed by failure of the Safety Injection System.
The combined frequency is estimated by the Division of Risk Assessment at 1.5 x 10^-4/year.
There is a short discussion (on page 7) of High Pressure Safety Injection (HPSI) reliability (e.g., 8.6 x 10^-3 for Surry, 10^-3 for "Most PRAs".)
However, this does not reflect the reliability of C-E designed HPSI systems.
The C-E designs are simpler and are more reliable than those evaluated for Surry, Oconee, et al.
The C-E HPSI design is a single purpose, multi-train system that does not have the potential for the failure modes that have tended to dominate the unreliability estimates of other HPSI systems.
Due to these differences alone we believe that the NRC's estimate of 5 x 10^-3 per demand is much too high.
A best estimate of core melt frequency due to S2 LOCA at a C-E plant is much less than 10^-4. It seems inappropriate to draw conclusions on C-E designed systems from the results of analyses on non C-E plants.
2. The analysis presented by the NRC is for loss of residual heat removal leading to core melt. The correct conditional failure probabilities should be used for this analysis.
Most AFWS reliability analyses were performed to the requirements specified in NUREG-0635. This document specifies 20 minutes for generator boil dry time as a failure criterion.
This criterion is too restrictive for analysis of rare occurrences such as core melt and its associated risk.
To ensure adequate core cooling it is estimated that the AFWS need only be started within approximately 90 minutes after total loss of feedwater.
This longer time interval permits manual actions, repairs, and restorations of vital support systems and would produce much higher reliabilities than those predicted by NUREG-0635 analysis.
3. The failure probability of the diesel should also be reevaluated.
The normal failure criterion for the diesels is that they should be started and loaded in 10 seconds.
This criterion might be appropriate for a large break LOCA but is inappropriate for analysis of residual heat removal systems.
The 90 minute criterion mentioned above is more correct.
This criterion would again produce a much higher diesel reliability than that used by NRC in their analysis.
4. The use of error bands in the NRC analysis seems unconventional and inappropriate.
The meaning of the error bands or how they were generated or combined is not clear.
Their appropriateness to the analysis and the safety goal is also questionable.
Most analyses of core melt risk have been best estimate calculations.
Although the methodology of compliance with the proposed safety goal has not been defined, it should be based on best estimate calculations.
The use of undefined error bands and their comparison with the proposed safety goal is not appropriate.
(3) C-E's Revision Of DRA's Analyses
Table 2 contains a refinement on the NRC's risk analysis of loss of reactor heat removal events.
This refinement is limited to reflecting the increased reliability of actual System 80 plants' AFWS in place of the assumed system in the staff's analysis.
The AFWS unreliabilities were taken from the Palo Verde AFWS Reliability Study.
This study was performed by the Architect and has been submitted as an appendix to chapter 10 of the FSAR.
Inspection of Table 1 verifies that all of the other System 80 plants' AFWS have a similar or higher degree of redundancy.
Utilizing this analysis would then be conservative for other plants.
As noted in Table 3, the numbers in Table 2 are very conservative.
If these conservatisms were removed, the sum of the core melt probabilities for these sequences would be even further below the proposed safety goal.
(4) Cost Benefit Analysis
The cost benefit analysis prepared by the Division of Risk Analysis is seriously flawed. As discussed in the general comments above, the scope of the analysis is not in keeping with the NRC Proposed Policy Statement. Cost/benefit based on utility economic risk, rather than safety risk to the public, is a serious misapplication of the safety goal.
Additionally, the results are misleading in concluding that incorporation of feed and bleed capability would be cost-beneficial to System 80 owners.
Specifically:
a. As shown in Table 2, inappropriate average core melt frequencies are used in the analysis.
b. Costs associated with delayed start-up or plant unavailability due to retrofit are neglected. These could amount to $150 million per plant.
c. The effects of interest payments are neglected in the analysis.
d. Costs associated with maintenance, training, procedures, and routine plant unavailability due to incorporation of feed and bleed capability are not considered in the analysis.
V. CONTINGENCY DECAY HEAT REMOVAL (DHR)
C-E's Standard System 80 design meets all licensing criteria with regard to DHR capability and, additionally, compares favorably with benchmark reliability goals.
Nevertheless, C-E is well aware of the importance of contingency capabilities that go beyond existing design bases.
As such, we have been reviewing alternate DHR Systems. It is our opinion that, if any improvement of DHR capabilities is warranted, the upgrade should be directed towards the secondary systems.
Based on the review to date, C-E believes that a practical method for providing contingency DHR capability is secondary depressurization as described below:
SECONDARY DEPRESSURIZATION
The safety grade steam generator atmospheric dump valves provide the contingency capability to blowdown and depressurize the steam generator secondary system.
The potential mode of plant operations considered is as follows:
Following reactor trip and the very unlikely event of a total loss of all feedwater, the plant could be brought to hot standby using either the secondary safety valves or the atmospheric dump valves.
The atmospheric dump valves could then be opened to depressurize the steam generators.
At the reduced steam generator pressure a low head pump could be aligned to deliver feed to the steam generator.
Then, with sufficient feedwater and steam flow, continuous decay heat removal could be established at those "off design" conditions.
There appear to be several advantages to steam generator depressurization in preference to primary feed and bleed. These are:
a. The reactor coolant pressure boundary is maintained intact.
Therefore the potential radiological release to the containment and possibly to the environment is avoided.
Any necessary containment entry for repairs would not be impeded.
Additionally the large clean-up cost that would be associated with the use of primary feed and bleed is avoided.
b. There is time available for operator action.
Delivery of secondary makeup to a depressurized steam generator can be accomplished any time prior to core uncovery and effectively ensure adequate core cooling, which is estimated to be approximately 90 minutes.
c. Equipment involved is accessible.
The atmospheric dump valves and various low head pumps are located outside containment where access is possible.
The PORVs on the other hand are virtually inaccessible inside containment.
d. Procedures are consistent with normal DHR procedures.
Normal procedural efforts focus upon restoration of feedwater.
Initiation of primary feed and bleed would represent a departure from this strategy.
The final reason noted above is worthy of elaboration in that it was strongly supported by plant operators during procedure work shops conducted at C-E.
Plant operators feel that it is highly preferable to continue operation with the steam generators performing the function of RCS Heat Removal, with the functions of RCS Inventory and Pressure Control being controlled separately.
With the initiation of RCS feed and bleed all three safety functions would now rely on a single process with no degree of independent control.
The extreme difficulty in dealing with competing demands of RCS Heat Removal, Pressure and Inventory Control by regulating a single process has been clearly demonstrated at TMI-2 and Ginna.
VI. CONCLUSION
As requested, C-E has conducted a review of the System 80 design and has determined the following:
1. The System 80 NSSS will be coupled with highly reliable emergency feedwater systems, by addition of an interface requirement that the EFWS have an unavailability in the range of 10^-4 to 10^-5 per demand.
2. The System 80 NSSS is capable of achieving cold shutdown conditions using only safety grade systems, even without offsite power and with an added single failure.
3. The System 80 steam generator design includes many features which will assure adequate tube integrity, minimizing concerns associated with operating reactors.
4. Even if all auxiliary feedwater supply were somehow lost, the secondary side of the steam generators could be depressurized to allow use of low head pumps which might be aligned to provide water to the steam generators from a number of sources.
5. Contrary to the probability analysis developed by DRA, installing PORVs will not result in a significant improvement in safety. The added costs are not justified.
Based upon the considerations listed above, C-E has concluded that the current System 80 design, strengthened by addition of the interface requirement on reliability of the EFWS, provides adequate protection for the health and safety of the public.
TABLE 1 C-E SYSTEM 80 AUXILIARY FEEDWATER SYSTEM
| PLANT | NUMBER OF PUMPS | CAPACITY | ACTUATION | ELECTRIC POWER SUPPLY |
|---|---|---|---|---|
| Arizona Public Service (Palo Verde) | 2 Motors, 1 Turbine | 875 GPM Each | 1 Motor - Manual; 1 Motor, 1 Turbine - Automatic | Manual Train - Diesel B; Auto. Train - Diesel A; Turbine - DC Bus A, C |
| Duke (Cherokee) | 2 Motors, 2 Turbines | 875 GPM Each | All Automatic | 1 Motor Train - Diesel A; 1 Motor Train - Diesel B; 1 Turbine - DC Bus A Start, Bus A ded-run; 1 Turbine - DC Bus B Start, Bus B ded-run |
| WPPSS (WNP-3) | 2 Motors, 2 Turbines | 437 GPM Each | All Automatic | 1 Motor Train - Diesel A; 1 Motor Train - Diesel B; 1 Turbine - DC A Bus; 1 Turbine - DC B Bus |
| TVA (Yellow Creek) | 2 Motors, 2 Turbines | 875 GPM Each | All Automatic | 1 Motor Train - Diesel A; 1 Motor Train - Diesel B; 1 Turbine - DC - A*; 1 Turbine - DC - B* |
* Train Can Operate Without DC Power
TABLE 2 LOSS OF REACTOR HEAT REMOVAL EVENTS
| EVENT | FREQUENCY (+ NON RECOVERY) | DIESEL UNRELIABILITY | AUX. F.W. UNRELIABILITY (2) | SEQUENCE PROBABILITY (4) |
|---|---|---|---|---|
| LOOP | 0.04 | (1) | 4.8E-4 | 1.9E-5 |
| Station Blackout | 0.04 | 0.003 | 6.1E-2 | 0.73E-5 |
| LOFW | 0.1 | (1) | 2E-4 | 2.0E-5 |
| S2 LOCA | 0.03 | NA | 2E-4 x FP(3) | < 6E-6 |
(1) Diesel Unreliability is Included in the Auxiliary Feedwater Unreliability
(2) From Palo Verde AFW Reliability Study
(3) FP is conditional failure probability of main feedwater train, assumed to be < 1.0.
(4) The sequence probabilities would even be lower if the methodology and guidelines used in NUREG-0635 were utilized in calculating auxiliary feedwater system unreliability.
TABLE 3 ASSUMPTIONS IN PALO VERDE AFW RELIABILITY ANALYSIS
- 1) Uses Failure Criteria of Delivery of AFW in 20 Minutes, not 1 Hr. 30 Min.
- 2) Neglects any Operator Action to Correct Valve Alignment Errors (Dominant Cutsets)
- 3) Neglects Position Indicators in the Control Room on Pump Test Bypass Valves
- 4) Neglects Performance Tests cf Total System Tests Every 18 Months
- 5) Uses Different Failure Rates for each Type of AFW Pump (NUREG 0635 Uses Same)
- 6) Uses Mean Values Instead of Median on Reliability and Failure Rates (vs.
- 7) Considered 9 Operator Errors and not Just One (NUREG 0635 Bases)
- 8) Did not Assume Diesel Available in LOOP (vs. NUREG 0635)