ML20050A646
| ML20050A646 | |
| Person / Time | |
|---|---|
| Site: | Crystal River  |
| Issue date: | 03/31/1982 |
| From: | Amico P, Ariuska Garcia, Liner R, Lofgren E SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| References | |
| CON-FIN-A-1241, CON-FIN-A-6296 NUREG-CR-2515, NUREG-CR-2515-V02, NUREG-CR-2515-V2, SAND81-7229-2, NUDOCS 8204010534 | |
| Download: ML20050A646 (300) | |
Text
{{#Wiki_filter:______-_ _. _ _ _ _ _ . _ _ _ _ _ _ _ 6, l NUREG/CR-2515 CONTRACTOR REPORT SAND 81-7229/11 l AN Printed December 1981 l Crystal River-3 Safety Study - Volume II - Appendices l A. A. Garcia, Principal Investigator R. T. Liner, P. J. Amico, E. V. Lofgren Science Applications, Inc. 7315 Wisconsin Ave, Suite 1200 W ' Bethesda, MD 20814 l l Prcpared for U. S. NUCLEAR REGULATORY COMMISSION k$R O O O2 P PDR i
NOTICE This report was pre pared as an account of work sponsored by an agency of the United States Government. !!either the United States Gos ernment nor any agency thereof or any of their employ-ces, makes any warranty, empressed er implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus product or process disclosed in this report, or represents that its t.se by such third party would not infringe privately owned rights. Available from GPO 3 ales Program Division of Technical Information and Document Control U.S. Nuclear Regulctory Commission Washington, D C. 2055$ and National Technical Information Service Springfield, Virginia 22161
SAI-002-81-BE NUREG/CR-2515/II of II SAND 81-7229/II of II CRYSTAL RIVER-3 SAFETY STUDY VOLUME II APPENDICES 1 December 1981 Prepared by: Science Applications, Inc. 7315 Wisconsin Avenue, Suite 1200W Bethesda, Maryland 20814 Principal Investigator: A. A. Garcia Principal Authors: R. T. Liner P. J. Amico E. V. Lofgren Funded by Division of Risk Analysis Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Washington, D.C. 20555 Under Memorandum of Understanding DOE 40-550-75 NRC FIN No. Al?41 (Sandia) A6296 (EG&G) ( 1
TABLE OF CONTENTS Page y0LUME I - MAIN REPORT Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . I-i Acknowledgements . . . . . . . . . . . . . . . . . . . . . . I-ii Table of Contents . . . . . . . . . . . . . . . . . . . . . . I-iii List of Figures .. ........... . . . . . . . . . . 1-vi L i s t o f Ta bl e s . . . . . . . . . . . . . . . . . . . . . . . . I-v i i i Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . T-x
1.0 INTRODUCTION
. . . . . . . . . . . . . . . . . . . . . . . . 1-1 2.0
SUMMARY
OF RESULTS . . . . . . . . . . . . . . . . . . . . . . 2-1 2.1 Frequency of Radioactivity Releases . . . . . . . . . . 2-1 2.2 Dominant Sequences . . . . . . . . . . . . . . . . . . 2-3 2.3 Functional and System Dependencies . . . . . . . . . . . 2-16 2.4 Limita tions of the Analysis . . . . . . . . . . . . . . 2-21 3.0 GENERAL PLANT DESCRIPTION . . . . . . . . . . . . . . . . . 3-1 3.1 Reactor Coolant System (RCS) . . . . . . . . . . . . . . 3-6 3.2 Reactor Protection System (RPS) . . . . . . . . . . . . 3-6 3.3 Engineered Safeguards Actuation System (ESAS) . . . . . 3-7 3.4 Engineered Safeguards Systems . . . . . . . . . . . . . 3-7 3.4.1 Emergency Core Cooling System (ECCS) . . . . . . 3-8 3.4.2 Reactor Building Cooling and Spray Systems . . . 3-11 3.5 Emergency Feedwater System (EFS) . . . . . . . . . . . . 3-12 3.6 Emergency Auxiliary Systems . . . . . . . . . . . . . . 3-12 3.6.1 Electric Power . . . . . . . . . . . . . . . . . 3-13 3.6.2 Emergency Cooling Systems . . . . . . . . . . . . 3-13 3.7 Connections Between CR-3 and Coal-Fired Units 1 and 2 . 3-15 II-i
-- L
TABLE OF CONTENTS Page 4.0 EVENT TREES . . . . . . . . . . . . . . . . , . , , , , , , 4-1 4.1 Initiating Events . . . . . . . . ..........4-1 4.1.1 Transient Initiators . . . . . . . . . . . . . . 4-2 4.1.2 LOCA Initiators ................4-3 4.2 Transient Event Tree . . . . . . . . . . . . . . . . . 4-4 4.3 LOCA Event Tree . . . . . . . . . . . . . . . . . . . . 4-13 4.4 Special Events . . . . . . . . . . . . . . . . . . . . 4-19 4.4.1 Interfacing Systems LOCA (Event V) . . . . . . . 4-19 4.4.2 Vessel Rupture . . . . . . . . . . . . . . . . . 4-21 4.4.3 Steam Generator Tube Rupture . . . . . . . . . . 4-24 4.5 Containment Failure Modes . . . . . . . . . . . . . . . 4-24 4.6 Radioactive Release Categories . . . . . . . . . . . . 4-27 5.0 FAULT AND EVENT TREE QUANTIFICATION PROCEDURES . . . . . . . 5-1 5.1 Analytical Methods for Estimating Prinary Event Probabilities . . . . . . . . . . . . . . . . . . . . . 5-1 5.1.1 Fault Tree Development . . . ..........5-1 5.1.2 Quantification Data Base . . . . , . . . . . . . 5-4 5.1.3 Evaluation of Hardware Faults . . . . . . . . . 5-11 5.1.4 Evaluation of Human Faults . . . . . . . . . . . 5-11 5.1.5 Evaluation of Common-Cause Faults . . . . . . . 5-12 5.1.6 Evaluation of Test and liaintenance Outages . . . 5-13 5.1.7 Evaluation of Interfacing System Faults . . . . 5-14 , 5.1.8 Evaluation of System Unreliability During Recirculation . . . . . . . . . . . . . . . . . 5-15 5.2 Fault Tree Organization and Structure . . . . . . . . 5-17 5.2.1 A Faul t Tree Hierarchy . . . . . . . . . . . . . 5-18 5.2.2 System and Subsystem-Level Faults . . . . . . . 5-20 5.2.3 Functional Level Faults . . . . . . . . . . . . 5-27 5.2.4 Fault Tree Quantification Tables . . . . . . . . 5-29 II-ii 1
TABLE OF CONTENTS Page 5.3 Scquence Analysis . . . . . . . . . . . . . . . . . . . 5-34 5.3.1 Boolean Reduction of Event Tree Sequences . . . 5-34 5.3.2 Initiating Event Frequencies . . . . . . . . . . 5-37 5.3.3 Probabilities for Special Events in the Transient Even t Tree . . . . . . . . . . . . . . 5-38 5.3.4 Analysis of ATWS Sequence . . . . . . . . . . . . 5-40 5.3.5 Containment Failure Probabilities . . . . . . . . 5-46 5.3.6 Accident Sequence Analysis Results ... ... 5-48 5.4 Analysis of Selected Operator Faults . . . . . . . . . . 5-66 i VOLUME II - APPENDICES Ta bl e of Con ten ts . . . . . . . . . . . . . . . . . . . . . . II-i Glossary .......................... II_jy Introduction ........................ 11 1 Appendix A - Reactor Protection System (RPS) . . . . . . . . . . . A-1 Appendix B - Engineered Safeguards Actuation System (ESAS) . . . . B-1 Appendix C - DC Power System . . . . . . . . . . . . . . . . . . . C-1 Appendix D - Class I.E. AC Power System ............. D-1 Appendix E - Nuclear Services Closed Cycle Cooling System (NSCCCS) ...................... E-1 Appendix F - Decay Heat Clcsed Cycle Cooling System (DHCCCS) . . . F-1 Appendix G - High Pressure Injection and Recirculation System .. G-1 Appendix H - Core Flood System (CFS) . . . . . . . . . . . . . . . H-1 Appendix K - Low Pressure Injection and Recirculation System .. X-1 Appendix L - Reactor Building Emergency Cooling System (RBECS) . . L-1 Appendix M - Rear. tor Building Spray System (RBSS) ........ M-1 Appendix N - Reactor Building Isolation System (RBIS) ...... N-1 Appendix P - Emergency Feedwater System (EFS) .......... P-1 II-iii
~
GLOSSARY OF ABBREVIATIONS A/E Architect Engineer ATWS Anticipated Transient Without Scram BWST Borated Water Storage Tank CRA Control Rod Assembly CFT Core Flood Tanks CR-3 Crystal River Unit 3 CRDM Control Rod Drive Mechanism . DilCCCS Decay Heat Closed Cycle Coeling System DHCWS Decay Heat Services Cooling Water System DilSWS Decay Heat Sea Water System ECCS Emergency Core Cooling System ECF Emergency Cooling Functionability ECI Emergency Coolant Injection ECR Emergency Coolant Recirculation g EFS Emergency Feedwater System EPRI Electric Power Research Institute ESAS (ESFAS) Engineered Safeguards Actuation System FSAR Final Safe ;y Analysis Report HE Ileat Exchanger llP, HPI, HPR High Pressure (Injection) (Recirculation) ICS Integrated Control System LOCA Loss of Coolant Accident LOSP Loss of Offsite Power LP 1.PI , LPR Low Pressure (Injection) (Recirculation) TI-iv
GLOSSARY OF ABBREVIATIONS (CONT.) MFW Main Feedwater MOV Motor Operated Valve NC, N.C. flormally Closed fl0 0 N.O. Normally Open NPSH Net Positive Suction Head NRC Nuclear Regulatory Commission NSCWS Nuclear Service Cooling Water System NSCCCS Nuclear Services Clnsed Cycle Cooling System NSSS Nuclear Steam Supply System NSSWS Nuclear Services Sea Water System OTSG Once Through Steam Generator PAHR Post Accident Heat Removal PARR Post Accident Radioactivity Removal PCS Power Conversion System PORV Power Operated Relief Valve RB(E)CS Reactor Building (Emergency) Cooling System RBIC Reactor Building Isolation and Cooling RBIS Reactor Building Isolation System RBSS, RBSI, RBSR Reactor Building Spray System (Injection) (Recirculation) RCS Reactor Coolant System i RPS Reactor Protection System RSS Reactor Safety Study (WASH-1400) RSSMAP Reactor Safety Study Methodology Applications Program S/RV Safety / Relief Valve II-v - _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ . . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ l
N APPENDICES: SYSTEM DESCRIPTION AND FAULT TREE ANALYSES l INTRODUCTION l l This Volume consists of a collection of Appendices of system j descriptions and fault tree analyses, including the unavailability quantifi-cations for all systems designed to mitigate accident consequences and the auxiliary systens which support the " front-line" systems. The various systems are individually presented in Appendices A through P, which immediately follow the generic descriptive material below. This introductory material and discussion is provided to assist the reader in understanding the overall structure of the c.R-3 Safety Study and the organization and format of the individual Appendices. It is also intended to explain what kind of infonnation and results the reader can expect to find in these Appendices. The flow chart presented in Figure II.l'shows the main steps involved in the risk assessment of CR-3. It also shows the structure of the fault tree analysis contained in a typical Appendix . IThe followina discussion is a step-by-step account of the quantification process for the fault tree analysis of each system. The steps are keyed to t'a numbers shown in diamonds in Figure II.1. STEP 1 The starting point was the collection, review and study of plant information to aain a thorough understanding of the system designs and capabilities, and interactions between systems. I In the following discussion, o typical Appendix is generally referred to as Appendix X. II- l
=
2 The main sources of information were ; e Plant Design Information - CR-3 FSAR (11-1)3 System Drawings (e.g. , P& ids, One Line Diagrams, Elementaries), FPC System Descriptions, etc. e Technical Specifications (II-2) e Plant Visit - gain familiarity with the equipment layout (possibly common mode failures due to common location); ! extensive discussions with plant personnel about plant operation, test and maintenance practices, operating experience, etc. e Plant Procedures - Examples of procedures used are: Operating , Maintenance , Surveillance , Emergency-Procedures , etc. These procedures (1) provide insight into the general plant operation and (2) support the operators during abnormal occurrences (especially the Emergency- Procedures) . The procedures are also important to the quantification effort because they describe what is done to the various plant systems and how it is done. e Expert Opinion and Experience - Collect information on plant and systems behavior, containment failure modes , etc. , from experts available at FPC, B&W, NRC, and National Laboratories. Section X.1, the first section of each appendix, summarizes the information collected during Step h . The intent of this section is to convey to the reader all information necessary to follow the system's fault tree q uanti fication. STEP With the information gathered in Step h the con-struction of the event trees, based on the system functions required for accident mitigation, can begin. STEP The success requirements for each event '.ree heading (or function) are determined in this step. Where possible, the requirements are defined in terms of systems. 2 Not shown in the chart are the many iterations and exchanges among the various sources and other project personnel throughout the duration of t:ns project. 3 Numbers shown in parentheses in the text, e.g., (II-1) indicate references. II-2
STEP At this point, all the systems, including the supporting systems, contributing to the mitigation of an accident ata shown. Special studies, performed in parallel with the steps described thus far may allow exclusion of certcin systems from detailed fault tree anlysis. These special studies and their conclusions are discussed in Volume I. STEP Detailed fault trees for all the systems selected in The definition of the top Step $ are constructed. event for each tree is based on the success requirements developed in Step h . The detailed fault trees are developed for each system to a level of detail sufficient to identify possible common mode or common cause failures. STEP Simplified fault trees are developed from the detailed trees of Step <f . The basic fault elimination criteria for the simplification process results in simplified trees containing only single active and passive faults, double active faults, test and maintenance outages, and common mode failures. The simplification process eliminates other faults, including those whose contri-butions to the top event is neglibile (on the basis of of relative probability values) compared to other contributors. Thus the detailed trees are " pruned" to simplified trees which contain only the dominant cutsets , i .e. , failure combinations, leading to the 6 occurrence of the top event. The simplified fault trees are presented in Section X.2 of each appendix, together with the top event definition and any assumptions made for the development of the detailed trees. Sections X.1 and ) complete the basic information necessary to proceed to the fault tree quantification process presented in Section X.3. The first subsection, X.3.1, discusses the system reliability characteris ti cs . The results of the system quantification are summarized by highlighting the dom:.1 ant contributor, to the system's unavailability. 11-3 . I
Each of the following steps discussed is cresented in the Appendix either in table form or as a figure (s) in the logical sequence of development. Extensive Jse of notes, attached to the tables and figures as required, was made to explain a1d substantiate entries in the tables and figures. Two distinct phases in a post accident environment exist: the injection phase and, in m^st cases, the recirculation phase. Sections X.3.2 and X.3.3 contain the quantification for the two post-accident phases. The steps in the quantification process, which are the same for both phases, are discussed below. The reason for the construction of modularized fault trees is discussed in Section 5.1 of Volume I. STEP ' The appropriate event tree heading success requirements developed in Step (3) , and presented in Volume I, Tables 4.4 and 4.6, formed the basis for the definition of the success requirements for the individual systems. STEP (8 ', The top events for the modularized fault trees are defined in this step. The selection of top events for ~ systems and/or system trains is based on Step . Intermediate top events are frequently defined for (1) portions of system trains which are shared with other systems, and (2) for convenience of analysis.
\
STEP Construction of the modularized fault trees consists of grouping the faults which appear on the simplified fault tree, step f , by type into modules, e.g. , single hardware faults, system interfacing faults, etc. The construction of the modules is also governed by the requirements of the sensitivity analysis to be performed. Some modules have to be separated to accommodate events of different sensitivity types. The event sensitivity typesarediscussedinStepclJ: II-4
STEP Of The Boolean equations, representing the modularized fault trees, are developed in this step. The equations are Boolean reduced by hand whenever practicable; otherwise a Boolean reduction computer code, such as WAMCUT (II-3), is used. All crossterms prohibited by Technical Specifications are eliminated from the reduced equation since the crossterms represent simultaneous outage of both trains of a redundant two train system due to test, maintenance, or any combination thereof. (It is assumed that the plant does not intentionally violate applicable Technical Specifications.) The Boolean equations are input to the event tree sequence analysis. STEP This step represents the quantification of each module appearing on the modularized fault tree, The WASH-1400 data base (II-4) is used in general; in a few instances other data sources are used as indicated in the notes to the quantification tables. The calculation of maintenance and test outages is discussed in Section 5.1 of Volume I and is, in several cases, contained in the notes. Otherwise, standard methods such as those shown in WASH-1400 (II-4), and IEEE Standard 352 (II-5), for example, were used to calculate unavailabilities. A "D" in the " failure rate" column of the quantification tables means " demand", and "c" means negligible contribution. The code for the abbreviations used for the sensitivity type (or subgroup) in the column labeled "SENS." is as follows: 0 - Operator Error (defined in Volume I, Section 5.1) H - Human Error (defined in Volume 1, Section 5.1) B - Hardware Coupling (defined in Volume I, Section 5.1) M - Maintenance Outage S - Selected Components (e.g., components in severe , environment) l II-5 r o
The last table in Section X.3.2 or X.3 3 is the quantification summary and contains the cvent unavailability point estimates. Steps 7 through 11 are repeated for systems required to operate during the recirculation phase. Step 11 completes the input required to perform the event tree sequence analysis. Appendices A and B do not follow exactly the step-by-step outline above. The simplified fault tree is used in a slightly modified form instead of a modularized fault tree for the quantification of the Reactor Protection System (RPS) in Appendix A, and the simplified fault trees are used for the quanfication of the Engineered Safeguards Actuation System (ESAS) in Appendix B. References 11-1 Florida Power Corporation, " Crystal River Unit 3 Nuclear Generating Plant Final Safety Analysis Report," Docket 50-302, 1971 (as amended through March 26,1976). II-2 Technical Specifications; Appendix A to the Operating License for Crystal River-Unit 3. II-3 R. C. Erdmann, F. L. Leverenz, H. Kirch and G. S. Lellouche, Electric Power Research Institute, "WAMCUT, % Computer Code for Fault Tree Evaluation," EPRI NP-803,1978. II-4 U. S. Nuclear Regulatory Commission, " Reactor Safety Study-An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," Appendix III, WASH-1400 (NUREG-75/014), October 1975. 11-5 Institute of Electrical and Electronics Engineers, Inc.,
"IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Protection Systems," IEEE Std 353-1975, April 1975.
11-6 .d _
w - 4
<z
. - - ...-,n. _. . - -
.--,..n.-._.- . , , ~ ._. _ . . _ _ . ,
v_: _m Tt es_ , s a t : 12. t w-fp. . - . a:s- .t2s- _ : 3 , s. a I Er v .cn i m : 3. - (: s p ; . , 1:..
- m r-m cts:t s o ta rt.,,n
( sea,t3 . o :a
\n .
l _ _ _ . . .l l
. . _ _ - - . . ._p..
[ ll . . l I ' l
. - - - . - _ _ . 2_ _- - . - . -
f f _? w u-
' :t . t _ a p_,._L....___ m, l< [-
3 r otT __ t....- . _ __ _ _ __~ _
%_: . . . - -nt
. _ m"~<e.'
p> ; . .. __-o i.> .- -ett: _ _ -o m __ c . _ . e Tet , m c t:. E_ __4 ..c._ys 3_._ g. ,. m > l y.;
<p
() q) <9 G) l N it%: n etT(
..a < s m ..c,- gF 52 u y-rMw
~
*' E- ' 5 k " ' L ' ' d r '--c ~.
e ', t r a i f Lt s t .cp Ente 4N A' * : i' M 5T E -1 l D .-
;,ta'.%- T5 at h,3,3,.7g
- j. l g;, a- . ., g g f'a.2 . F r y , ,,,g rwn nut ss stu.a u tex -~; 3,, ,, y t t ,, % y aum .9,_ e t om. . t
, s.,
c.u. m t, g n T , a , . .c y,.t rst m et tsr. ,. _ . , ...._..W. , , <.c l ~
,e n -.c T z u s n_.s :
s um u n 1_. _ g g;-? f y, ice- p
.. s W : m:spga q m;tr r.w m f --. , pp;.q ___ n ._ cs _ _;.q _ _ - _p, n; s :s u .g .- j .J l
" Y..,
'.=2 ,igtg. .t,g r_ngs t ~ ], ic - c.t. : o :t - ~;at g:,2 u t ;t Stc r ,t z wis ig.- - g t o &t x. cr ea
__, i ,-t.,. I
'O
--f
- h. h (A iy s_
__y _ _ _ . _ _ _ _ _ _ _ _ . . , _ _L _r: . .u i___ _
-_.-.n Isu. &_ _
u_ _ _ I f_ vtws Figure II.1 Main Steps Involved in the Risk Assessment of Crystal River-3 [
O APPENDICES SYSTEM DESCRIPTIONS AND FAULT TREE ANALYSES O II-8
APPENDIX A REACTOR PROTECTION SYSTEM (RPS) T i e A
APPENDIX A REACTOR PROTECTION SYSTEM (RPS) A.1 SYSTEM DESCRIPTION AND OPERATION The Reactor Protection System (RPS) monitors parameters related to reactor operation and trips the reactor by control rod insertion into the core to protect the core against fuel rod cladding damage. In addition, it protects against reactor coolant system damage from high system pressure through rod insertion, thereby limiting energy input to the system. A.l.1 SYSTEM DESCRIPTION The RPS consists of control rod assemblies (CRA), circuit breakers, instrumentation and electronic logic. The logic, in response to input signals from the instrumentation, shuts down the reactor by removing power from the control rod drive mechanism (CRDM) motors. The control rods then drop into the core under the influer,:e of gravity. A schematic of the RPS is shown in Figure A.l. There are a total of 69 CRA's, arranged in eight groups including four safety groups, three regulating groups and one axial power shaping group. The rod drive control system includes (1) five identical, dual channel DC supplies which power the regulating and axial power shaping groups and (2) two DC holding power supplies which power the safety groups. The DC supplies are fed from two 480VAC, 36 sources; i.e., a main bus and a secondary bus. Two primary breakers (A,B), two secondary breakers (C,D), and contactors (E,F) interrupt power to the CRA drive motors when a trip is commanded. The trip logic includes four identical channels, each consisting of logic circuits and trip relays, which maintain the trip breakers and contactors energized under normal operating conditions. In response to input signals from sensors (See Table A.1), the channel logic deenergizes associated trip relays which in turn deenergize the trip breakers and contactors thereby removing power to the CRDM motors and causing the regulating and safety CRA's (61) to drop into the core. The axial power shaping rods do not drop into the core when their associated drive motors are deenergized. A-1
CONTROL R0D ASSEMBLY The CRA includes 16 control rods, mounted in a stainless-steel spider, and a control rod drive mechanism. The CRDM, which positions the CRA in the reactor core, is a non-rotating translating lead screw coupled to the CRA. The screw is driven by split roller nut assemblies which are rotated magnetically by a motor stator located outside the pressure boundary. For rapid insertion, power is rer ,ved from the drive motor causing the nut halves to separate and release the screw and CRA which then drop into the reactor core under the influence of gravity. The CRAs are arranged into groups at the control rod drive control system patch panel . Typically twenty-eight CRAs are assigned to the regulating groups (Groups 5,6,7,8) while forty-one CRAs are assigned to the safety rod groups (groups 1,2,3,4) . Group 8 includes eight axial power shaping rod assemblies which do not drop into the core wnen power is removed from their drive motors during a reactor trip. The rod drive control system (RDC), which is shown in Figure A.2 consists of (1) drive motor DC power supplies, (2) system control logic, and (3) trip breakers and contactors. The DC power system includes four group power supplies. Identical power supplies are used for the regulating groups and the auxiliary power supply. The DC power supplies are fed from two 480VAC, 36 sources; i.e., a main bus and a secondary bus. The system logic encompasses those functions which command control rod motion in tne manual or automatic modes of operation, including CRD sequencing, safety and protection features, and the manual trip function. fiajor components of the logic system are the Operator's Control Panel, CRA position indication panels, automatic sequencer, and relay logic. Switches are provided at the operator's control panel for selection of the desired rod control mode. Control modes are: (1) Automatic mode -- where CRA motion is commanded by an integrated control system; and (2) Manual mode
-- where CRA motion is commanded by the operator. fianual control permits operation of a single CRA or a group of CRAs. Alarm lamps on the RDC panel A-2
alert the operator to the systems status at all times. The group 8 control rods can only be controlled manually, even when the remainder of the system is in automatic control. The sequence section of the logic system utilizes rod position signals to generate control interlocks which regulate group withdrawal and insertion. The sequencer operates in both automatic and manual modes of reactor control, and controls the regulating groups only. Analog position signals are generated by the read switch matrix on the CRA, and an average group positior, , generated by an averaging network. This average signal serves as an input to electronic trip units which are activated at approximately 25 and at 75 per cent of group withdrawal. Two bistable units are provided for each regulating group. Outputs of these bistables actuate " enable" relays which permit the groups to be comnanded in automatic or manual mode. The automatic sequencer circuit can control only CRA groups 5,6 and 7. The safety CRA groups, groups 1-4, are controlled manually, onc group at a time. In addition, the operator must select the safety group to be controlled and transfer it to the auxiliary power supply before control is possible. There is no way in which the automatic sequencer can affect the operations required to move the safety CRA. Automatic insertion of rods can only be commanded by the integrated control system when the control rod drive system is in the automatic mode. Positioning of regulating CRAs is accomplished by silicon controlled rectifier switching via a motor driven multichannel photo-optic encoder. The safety CRAs are positioned via the auxiliary power supply and maintained in the desired position by the holding power supplies. Trip breakers and contactors are provided for removing power to the CRDM motors. The AC power feed breakers are of the three-pole, stored-energy type and are equi;. ped with instantaneous undervoltage trip coils. Each AC feed breaker is housed in a separata metal cled enclosure. The secondary trip breakers are also of the storet-energy type with two parallel-connected instantaneous undervoltage trip coils consisting of two 2-pole breakers mechanically ganged to interrupt DC busses. All breakers are motor-driven-I A-3
reset to provide remote reset capability. Each undervoltage trip coil is operated from the Reactor Protection System. The trip breakers are tested monthly. TRIP LOGIC The system shown in Figure A.1 consists of four identical channels, each terminating in a trip relay within a reactor trip module. The primary source of AC power for the RPS comes from four vital 120VAC buses, one for each protective channel. In the normal untripped state, each channel main-tains the trip relay energized via the closed normally open (N/0) contacts of bistables associated with the various reactor sensors. Should any bistable become deenergized the trip relay deenergizes. Each trip relay has four N/0 contacts, each controlling a logic relsy in one reactor trip module. There-fore, each reactor trip module has four logic relays controlled by the four channels. The four logic relays combine to form a 2-out-of-4 coincidence network in each reactor trip module. Manual trip may be accomplished from the control console by a trip switch. This trip is independent of the automatic trip system. Power from the control rod drive power breakers' undervoltage coils comes from the RT modules. The manual trip switches arc between the reactor trip module output and the breaker undervoltage coils. Opening of the switches opens the lines to the breakers, tripping them. There is a separate switch in series with the output of each reactor trip module. All switches are actuated through a mechanical linkage from a single pushbutton. Each channel is provided with two key-operated bypass switches, a channel bypass switch and a shutdown bypass switch. The channel bypass switch enables a channel to be bypassed without initiating a trip. Actuation of the switch initiates a visual alarm on the main console which remains in effect during any channel bypass. This switch is used to bypass one protective channel during on-line testing. Thus , during on-line test-ing the system will operate in 2-out-of-3 coincidences. An electric interlock circuit prevents placing two channels in Ljpass simultaneously. The use of the channel bypass key switch is under administrative control. A-4
l The shutdown bypass switch enables the power / imbalance / flow, power /RC pumps , low pressure, and pressure-temperature trips to be bypassed, allowing control rod drive tests to be performed after the reactor has been shutdown and depressurized below the low reactor coolant pressure trip point. Before the bypass may be initiated, a high pressure trip bistable - which is incorporated in the shutdown bypass circuitry - must be manually reset. The set point of the high pressure bistable (associated with shutdown bypass) is set below the low pressure trip point. If pressure is increased with the bypass initiated, the channel will trip when the high pressure bistable (associated with shutdown bypass) trips. The use of the shutdown bypass key switch is under administrative control. Each of the four channels is physically separate and electrically isolated from the regulating instrumentation. The modules, logic, and analog equipment associated with a single protective channel are contained wholly within two Reactor Protection System cabinets. Within these cabinets, there is a meter for every analog signal employed by the protective channel, and a visual indication of the state of every logic element. At the top of one cabinet, and visible at all times, is a protective channel status panel. Lamps on this panel give a quick visual indication of the trip status of the particular protective channel and of the RT module associated with'it. Additional lamps on the panel give visual indication of a channel bypass or a fan failure. The RPS equipment is designed for continuous operation in a room environment of 40 F to 110 F and up to 75% relative humidity. All nodules I are designed for a 30UF temperature rise inside the equipment cabinets over the ambient room conditions. Two 100% capacity fans with filter banks and chilled water coils, two 100% capacity central station type chilled water systems, and two 50% capacity outside air booster fans are provided for environmental control of the equipment area. A-5
.. o
A.l.2 SYSTEM OPERATION The coincidence logic contained in the RPS channel A controls trip breaker A in the control rod drive system, channel B controls breaker B, channel C controls breaker C and contactor E, and channel D controls breaker D and contactor F. The control rod drive circuit breaker combinations that initiate reactor trip include (1) AB, (2) ADF, (3) BCE, and (4) CDEF. This is a 1-out-of-2 twice logic. When any 2-out-of-4 channels trip, all reactor trip modules trip (deenergize) all control rod drive breakers and contactors. The four RPS channels trip whenever the reactor conditions tabulated in Table A.1 exist. The use of 2-out-of-4 logic between protective channels permits a channel to be tested on-line without initiating a reactor trip. Main-tenance to the extent of removing and replacing any module within a protective channel may also be accomplished in the on-line state without a reactor trip. Each logic channel is tested monthly. The RPS sensors are checked during each shift and are tested monthly. To prevent either the on-line testing or maintenance features from creating a means for unintentionally negating protective action, a systen of interlocks initiates a protective channel trip whenever a module is placed in the test mode or is removed from the system. However, provisions are made to bypass any one protective channel (i.e. , supply an input signal which leaves the channel in a non-tripped condition) for testing or maintenance. The test scheme for the reactor protective system is based upon the use of comparative measurements between like variables in the four protective channels, and the substitution of digital and analog test signals as required, together with measurements of actual protective function trip points. The test signals are provided from built-in test circuits in the logic instrumentation system. A digital voltmeter (not cabinet-mounted) is used for making accurate measurements of trip point and analog signal voltages. Plant annunciator windows provide the operator with immediate indications of changes in the status of the reactor protective system. A-6
The following conditions are annunciated for each reactor protective system channel:
- a. channel trip
- b. fan failure in channel
- c. channel on test
- d. shutdown bypass initiated
- e. manual bypass initiated Any time a test switch is in other than the operate position, annunciator "c" will be lit and the associated protection channel will be tripped. Under this condition, annunciator "a" will be lit unless annunciator "e" is lit (i.e., the channel is bypassed).
TEST AND MAINTENANCE Each RPS channel, including the associated instrumentation, reactor trip module (RTM), and CRD breaker and contactor, is demonstrated operable by performance of functional tests once each month. Functional testing of each of the four channels requires approxi-mately four hours to complete and is performed on a weekly rotation by different test personnel.* Per discussion with plant personnel . A-7 1 _
Following are several notes related to test and maintenance. Notes on Reactor Trip Module e Prior to start of functional testing of the instrumentation and RTM associated with the particular channel under test, the channel is placed in bypass via the " Manual Bypass" switch located in the RTM. This reduces the RPS trip logic to a 2-out-of-3 system. e When RTM is placed in bypass via manual bypass switch, indication of 4his condition is provided in the control room (RP5 Panel) . e Operator can leave channel in bypass state but indication on RPS panel should alert operator. Same applies to inadvertent bypass. e An electric interlock circuit prevents placing two channels in bypass simultaneously, e Only one channel is permitted to be bypassed at any given time under administrative control . Notes on Control Rod Drive (CRD) Power Train e Functional testing of the CRD power train consists of causing the CRD breaker to trip. A jumper is momentarily placed across the trip coil of the breaker. The power train is restored to operational status by locally resetting the breaker. e A breaker can be racked out for maintenance without channel trip. Notes on Instrumentation e If a reactor sensor requires maintenance to correct for a defect, the work will be cone during a shutdown. e Work can be performed on the circuitry of the instrumentation signal processing electronics (such as the power supply, signal conditioners, etc.), but the associated channel will probably be bypassed.
- Calibration errors in the signal processing electronics can result in a circuit being unavailable to trip the reactor. (Calibration is performed on each channel on a weekly rotation basis, ty different personnel .)
A-8
Table A.1 Reactor Trip Summary Steady-State Trip Value or Trip Variable No. of Sensors Normal Range Condition for Trip Overpower 4 flux sensors 2-100% 2105.5% of rated power Nuclear overpower 4 two-section NA 1.045 times flow minus based on flow and flux sensors , reduction due to im-imbalance 8 AP flow balance Reactor outlet 4 temperature 532-604 F 2620F tempera ture sensors Pressure / temper- 4 pressure Variable (16.25T - 7838) 2 P(a)
+
atura sensors, 4 temperature sensors Reactor coolant 4 pressure 2,090-2,220 22,355 psig (high), pressure sensors psig 51,800 psig (low) Reactor building 4 pressure 0 psig 4 psig -- pressure switches ( )T is in F and P is in psig. A-9/10 L
s I a _-s a-
-- --9 ..._.....
~% ; :---:-~-
p r.. i 6 l l
.. - -_ ,.__ f.
g , , _ , _ su. up V )
=o =* Le. m PJ. &,,s r. . . , ---".-F! .<... .i i.
,,i. ...w..... . , :. - , _ . t
, t-- - - -
[m ;
. > ...w- e
, , n;- 1 i .. _n e
I 7_ ,
.... r ..t i i -
om. V
., i i w, , n m. .
- i i; l ;.ve N .p .:.- }u
; . ;., ei,
- i - , i j i ,
_J. _j : .] i i . t-- :--] i ,
" s-" -
. __.- - - . .;1L4 y.h. , m i i i c., e ....m_ !, ; _.___. ,
c.) , - s.,
.f q ; '
- l. '.
i i I. i *
- i. i t
,3 _ _ _ . _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ .J i.____.______ ____ ___. ._ J . _ _ . _ _ _ _ . _ _ _ _ _ _ - _ - . _ _ ,
,- m. ,m >
,.__r._. .m '
'u l t_"4" 4
; . ~i,
.,. [_.......a.
. c.d.:...
[. , .. .. . i E*',,_,, _Qg g . . ,
-a,--- a =st*
e c.,. .,. s ana i ' '
- L'[ v. =4]i}! - l - - - _ - , I e , , . _ - _ ,
j- ; i i i i l 1 'I . ' '. .m, 1,b. , l , W" '- r-" --~"T ...,U',"m'.~." I ' i i i r. --'. i a
,(.J . r., it,_
w m, , - U, : ii ... .. e w-1. ]}'D ::r:_.bi *:
. i.
. . . m ! e.=.u.:.=..t i e.m ~~7 -
Oe =..f o . i e e . L_ a i i e .. E }L ' ; 1 I i il i l t_____,______ -___ - _-it4. .~)O .; !___.___________- _ _ j l_ __
--E_,}?,I
,__.____.i .
r------ .
. . q, .__ a = ._ l.. 0 -- .q,__ m w . ,.
i r,___, l y_'"_m_, g } 3 ,' - r----. 3 i_.m_.5 f. , .]_ _ _ _ ._ 4
. ,V __.__.a__.-_~~.m.-- r_pw, '..*.*]. l..(m'11,.. _ _ _2 ? " * ** *_.- -
n a }.D l, Il, l. (1_.2, _ _
;. ,,.. f,,7..,,,,-. ...
.6 __.- __",. ' ,;, .
( ~ -"~. - e L ~~ ~ ^ _pd' l---- _i r - - i..;.. :7.; - - 7,- - ~,
;. ;- ,;,iji ,,, ---i O {uggW g ----'T.r. 3i . l .
r-p-+i
* + =; . ,,,].]m_0{l?"!Qs. ,.
I _i.t i
'e' i. ri -
l i I; p j l'
' lap. I t
D..e t-i i ..j. .~.i l -, . . .
..,L_
3.; e +i t_ I l 6;
- f..r.I..T.. . . _ . u _ e
.. t 4 .
i
< - . - I.__.,t
. 2. .
; .1,$ j[ ) ] f . I .M .,t . J. I .!
] $;. . .' (;.]
r . _ +i _.1_4 a *- i i
. . 3:.;[:,;Y;,lf,,, I 1 I I ,
, I
",'r.
. I
[ _ ,* 4,* 1 l l 8 f
',___t'~
. :. _.1. . r%_ < .. $ d '
r I"4"r_ *
- t. c; b ,,l, l r I_ i - - - - . 4 y f, .
.. _ , {__,__
t i .
-{ .. <,
'l.'. * "{ d=
. .. l_ y-_,; { 4.. ,. j ,
[ . . " l t', i s i j
, {m_ .
d " ___.__._.,_z, . J
. . _ . .p .- . _ . - -
--~-
.J.._--p, --l _ ._
__ _-_ _ _-_) _
?.; rn ~; C'*. <- - -
l 3 -1 !.",- l -d ,iC r-... .'.O -. <_ .
-l- ---
i
,,_ ~ _ _._,---.-_-- _ m_.- - - _ - _ _ _ _ _ _ . ____
_ t .=> -. m .u. t . a_-.= , - - = - - - , _ . . _ . -,=n ___. __n.--=-..-w__.-_.. A e p4 2.
'I O p e d.lP# #
j
e o
. s r.__-=.---- . . . _ . _ = . = . _
( ,_;;- - ,._ - - =:= =- = _
= = _ J
. t
. 1 - ,;,;; ;. ,,, - - - - - - -,
y p~, ',, . ~t.--- . . -h, r F i
.i l
,FX sj -. %L=.=_ mlw_i '
L ___ ,_ 4,
, . . . _ _ " ",g-
.. . , 9). ]4 g 4
i Il . [._ . . . ] '
, C,r. ..
,;. . t
*--L .-_ ... ,J
, - G., - - _.h' -
C~d-r:,I % ., i
** ~__J i 1
<v (r) l .' 9 gI t .
t 4 i I I l _ _ . _ _ _ _ _ _ _ _ . _ - _ _ _ ___.i u _ ___ _ _ _ - _ _ _ ._ _ _ _ __ __J
, me. . __3 r_____-_.______.._ .
'lp L._ __DE] 1. .. . .. . *! ! [E] 4. .. l aq, -
.c q.9 i . . . . _ _ _ _.-. - ' -
-e ya ,' Ej] - --. - .
i-- --, e i
.L i i ;;., ,, . . .. . . . .,.
~~
.---1 . } v. ,,r yr .. f-f y_.t 9 .i i,iir,- -, i :,,,::= ,
i , i r.u , i . ..
, p__
s-
.._ {}. i i ..
..-ii
}'i'l
;,E 1i i p.1 , - I -*
i ii o_... >' 1 ..:-'%J lr:.r..Je
. M .*~.'...'.' 4 k 0 ,l' i
-e.
G
-__._ r_ _' L " '_Ji..:'_. 1 i .:. .. ~ 8*'[- 1, ,i
"~-
i i e_---- - - - -
=E{I}9 t 8 I
----- E }& , ,,, - - - g e -- ., -- ; .; ,;;:- - -
i 1 l =g }a l , ,
. _ _ _ _ _ _ _ _ _ _ _ . _ _ . . . _ j :4. _ _ M. _ ol 8
o__________________ . ._ j -t _G_ .}.s_ ,i - g _,_ r " --{ae-i s __. ; . . e a-ez-- - [0---- @-
. . e _=- - - : ,,
_ _ _ _ ' -s ae . t-.=.__ .
. l ==# _. .
r-----l-t ' . _ _ . F-- -b ,,_ ,_,,
-{.~ }e f " " f l -
i..
- Er __ . .._-{ }O I 2 }l 4=--*""*****""
.a ,r.- - . g,t O_ _ _ " ae ei L _ 2_ _ a L ,___J Je p:; ;!,
.tg... [([6- t<d --,- .:*;,:::,f ;I,. . Q ; $ ,
.1' ((.-~
i gi I i ,g - a.:<,p c. ey. e 9.:_,1
> e, i --
r. c c,r.g.. a 4 r- 1 .
. . - - ~
2 ,)
; . ,w 1__,__..,
e ,, . .
, s.
.,....,.f. . -
.=._.y_.-_
r, . "a, . --- 4, ,
; ,- ". ..~ , - 1,,
4 -
, , c
-t , =.=:.: .:-..... --.
g.,. . .[.4 -. _... ,t,s ic. - g i ,
, _ , _.- r a-*.. -
e, L_y-u-o..- '
. . . . . g ,+---n- -_*- i . . . ~. .. ......
, ,, I, * [., p- y,n , , ,, J ,,
y.l
..1 '- "
- lu__LJ;*~__ .'_l'. .
1 1,, ' ' , . I i _.* : 1 l 1 1,, ,;' ., i l t_.___.____ ._ ____ _ _ _ . _ ._s In -
-.. t
, ,.1
-.. , _ 'n
. . . i.
i 1-o .-- l ,r - ;c'
.w, .__. . _
F_ s__ - h e.isv -..,- M4
.l- _-- - _ _ _ _
4
..%w! . 1.. .
l N,--'.*'"e'-ii7 M-.4 V -....-.--.~E'4""-~4J~.P-'_:-J
.~3'f-'-'.~"**b';"J'.#- -~7*-r 1.,...-C-*.;..,Wy-**.a'*"T."Ot'"'"
1 r l
)-
Fiaure A.1 (1/2) Reactor Protection System Schematic Diagram 3
/
v A-11/12
~
/
3 C I l . ,, o k' ~ , j J J 1 1
% /
\ .w a , a. . . .
;,1 c..;.,m.; .,;.-
~- -- --
@ I----4"~_7....-....~..-------
p_.,.... L -
-- 9 l
l l'.7.**. = ], : ! ( '
- 3 , 7*. .
i I n,1,, v _ _1 ... ... r .. . 1 l llh, ,,,. ,hM L h,-.4 ***" l
. . .. . . g - ,
J g @i i l i i i i I L ...______ __ _ _ . _ _ _ _ _ _J
, . . , ,, ._.____._____._______ ___q i
.,u .L La"?.'.
..._4 i
- p. _ eii .
),) .
p, a , . . . . , O l sp -ge) l , i r a .- m l ! ;, a, E.' eT .u->,i[ lr , iL,Fr..
- 4,lli iri.i i] ,li l
. . . _ _ s:.. _ _ _.c e
4-i ~1 _ . .. ' i, ....- i i ' _ _'~_ ; i i r-( l-C. .
'l s, i g
L.____________Y______._._ _ __j [$Dj
,c______e e,
.. )
r--- , ..e . . . . . . . . i..__..,. e 3 i r------ s, i Q, . . e Ii . . . ..n. i
- - - - - - ~
reg
. T l
O L _ _ _ _ _..)zL g, L_ay;"_,,'l r- - - - - - _. ; .. : _- - - - - - ,- ,n, O u g 4. .a i.,i %, h . tan , e..e I (
. .,1 - i i
-qq . .' , .,
i , , , , .,,f.. , . i j R s, . ' i l f;4j.._ s
,, . . . ,,, i J i
_.1 ,
. e!
.. i,
- s., l .L :
I
' i
< i #
1[ d) [ i .. i ._.._I_1.. . _I .. i
' 1H W i ... .. ( ~ i u
>f_ A--l- _4 s --
y l
-_ t ,y-i H r ;.-
- i. . ,,
, L...t__,.,s.
^
.i i__ ._ _ __ _ __ . _ _ _ ,C _ "q _ J
- i. q-__ - . . .
r _ _ _. - - . . .
;,_- -] _,,lg
_ _ _ _ _ _ . _ . _ .=. ..
- v. .
Figure A.1 (2/2) Reactor Protect *cn Systeni Sciematic Diagram 4
' \-13/14 s , ,
h w
1 1
- 1 I
i
. a .
Nl- [ ' i.')
.......s Ul I e i E
, q . m . . < .. . m . . . , _, , , , _ , , _ , ,
I . , . . . . . . ~ L t I
,,,....,..( l. ._ _J .,,,..,...( , . . ,. ~..-,,
. .-3 9_-]
. 3 t.. , )- .) - ---Q,
,. .)g {,e.,"a., !
- 7. z. t. s ,. .,.
). . .) - -- Q ,
; , , } ,r " " "~ '
g T.O .i f g .' 2 Tii' G ( ' (? 0) ;$ Illl -
.e ;l gl1 e-t[). .7b. ' . ,
t ,Q {h 7 -{'N,I--[I t'
.a
,.... .g.n. .
r- j-_ +r . e s p_I o
. tu .
-Q ,
~
. . _ _ g.) .. .
_, ; g.
' , gg [.)
_. . r- - u___ -. _ LJ {.__. . - ._. ._ .--
--.-G .___-_- [ _ _ y-. _ .
fG 79 % w.4p.m + . , , - T7_ '__1 ,f : . Z
~
-~ 7 -i_1
~ ~ , , ! T i .- .
f ~1 L _.. . _ _
.q.
.i y --- . _ _ .,
o I FI~I.tl [t : 'l, ' [hI. i if~ffj [I}~[fr.[.-. fq 2. t.t t L L
-i r i i j j j-i _t.. _ . ._ J 1. .
. _ _ _ . 1 i_ _. . .
; L, . -
j onnoun , 4 n , ,, p -- - l
\.--- L -' '
, 7 _T'-~ # '
1
...(.. . . . o. .. . <.. ...(..
Of 08 0f 0F Gauud e f y p . g 489960 4 [0458 ift I I .Pi fL 680uF (95 $4 62) f f *f
- CL.Ge%,CE. S5--?P t ,1 P 6 C .4 C.. 5412) l l
s i- J 4
,a 20" . ^- -
}
,s.. . . . tc , ...m 3 ,
._4 ,L 9 e. - (. t (. - ,p
,, )p_.,
3 _. , , , , , , , , , , , , , , , g, gp _,,,s...
. . m . o. .
(:) _ . .~ . ,,.. _ _ _ _ _ . - _ _ _ . .....-.e.>.m...,__
. . . ~. . . - . _ _ --._~. ,
' F "
III i l l "
.t-s uaav <r v, at f
~ u.u ". i _a
.i ...1, 7 -
i+ 0 T I l i I l 3 l i l l y.. . . s.,.s. .s . , . .. .
- r .
u u ,
, o
, - l . . .
+ o 4 4 4 4 4_ .
.] .
._ .._ l _ . _. __ t . .I _ ._. _ ._ .
u ~- . _ l __
-._,s !(,
, ~ -
__ ( _ - _ _ iL . _ . _ . . _ . . b
- _ ....i, w ., -. . _ , .
.i _ . . _ _ _ _ .
-+h1P -
c--.-.hw -- w-- ..ra-w - esb. . -
- m. - m- - - - -
I
, ,- 1
- 1. ,,. ._ _ _ _ ._ _. _ - . , _ _
.. . + . .
y_ __. . 7
. 7.
r
; r=
t c r
~ ~ -- -
g { _y,[.l_.{. f.q Q l4 }3 }...
. 1 1
l {9~ }l-...f'{ {.. l l l l L. L, l l LL L,1. i ' J L_ _u. L.. O,,b1 00u00ui i_b. _>bii _ , . . __b. J w , s_ , . . + >
...... ,..<.. c..
u .
. r. . c..
~,
o,..,.m~,....., ~. . a, ~. n.....,.u......... n,..c n o, ou ~ , e ,, ,,,,,c..a~...,, T Figure A.2 Rod Drive Control System Schematic Diagram A-15/16 1 e
, _ _ , . . - - . - - - , . - - . - , - - - , - , ~ - . , , - - - , ., ,. - -
A.2 SYSTEM SIMPLIFIED FAULT TREE A detailed fault tree for the RPS was constructed, identifying the events which contribute to the failure to insert the control and safety rods into the core when required by reactor conditions. Failure to automatically remove power to all of the safety and control rods constituted RPS failure. In addition, such faults as core disruption, which would inhibit rod insertion, or stuck rods were included as contributors to reactor trip failures. The top event of the fault tree is defined as:
" FAILURE TO INSERT SIX OR f10RE CONTROL R0D GROUPS" The simplified fault tree is shown in Figure A.3.
A-17
FAILLRE TO !%5ERT f 6 CC'4 TROL ROC GROUP 5 l FAILURE TO RE-COPE FAILURE OF MCVE FC%ER FROM m! $i!%G CO*HCN O!5RJPT!0m SLFFICIE%T NC. OF CRM MCTORS FAULT 5 OF TRIP MOLE FAILLRES !%
'MIB!TS E%TRf CF 0005 TO ;RGP INTO B3 TO OTHER EMr 1%ST Ot'ENT ATION R03 CODE I a i F AULTS 1% B RE AX ER FAULTS FROM TEST rAgt;5 In gaEA(ER
' A' AND (BREAKER A%0 mal % TEN C E 'B' AND (B RE AK ER 3 0F 4 RP 'C' OR COST ACTOR ;D,' OR CONTRACTOR CM$%EL5 FAIL F w )
> f3 O O l W CD T -~ l l B RE A/ f R ' C' CR 10F 4 RTM UN- 2 0F 3 RTM BREAKER 'D' OR B RE A/ E R CONTACTOR 'E' AVAILABLE DUE TO EAIL CONTACTOR ' F' B RE AXE R
'A' FAIL 5 FAULTS TEST FAULT 5 '8' FA!LS TO OPEN TO CFEN 1 I I l
FAILLRE OF BREAK- FAILORE OF p 2 FAILLRE OF BRE AK- FAILURE Cr > 2 OF 3 ' E ' CONT AC. ERS C or D2 TO OF 3 ' F' CONTRACT-E RS C, o r C y TORS TO CPEN ORS TO CPEN TOOPl% OPEN l t/2 l l 2/3 ! (Revised 6/19/81) Fiqure A.3 Simolified Fault Tree - Reactor Protection System
X A.3 SYSTEM QUANTIFICATION A.3.1 SYSTEM RELI ABILITY CHARACTERISTICS The RPS consists of eight groups of control rods, of which seven groups comprise the emergency safety system. Insertion of six of the seven energency safety systen groups is required for success. T""s , from the standpoint of failures that would fail inaividual groups, the system is configured in two-out-of-seven redundancy. Failures of this type were dssessed to not contribute to RPS unavailability. The dominant contribution to RPS unavailability was assessed to be due to test of the reactor trip modules (RTM). Faults in the CRD power train primary ( AC) breakers and secondary (DC) breakers makeup approximately 35% of the total unavailability. All other contributors are negligible. l l A-19
A.3.2 SYSTEM FAULT TREE QUANTIFICATION The Reactor Protection System does not interact with any other system. The independence from any other system does not require a Boolean reduction in the event tree sequence analysis. Therefore, no nodularized fault tree was constructed. The simplified fault tree in Figure A.3 was used in slightly mcJified form for quantification purposes. The nodified tree is shown in Figure A.4. Table A.2 shows the RPS success requirements. Table A.3 containt the top event definitions for the simplified fault tree. The unavailability of each gate is shown on the tree, Figure A.4. Table A.4 shows the Boolean equations that represent the fault tree. Table A.5 shows the quantification of each gate by component and failure mode. Table A.6 summarizes the point estimates and error factors for each gate. 1 i A-20
~
Table A.2 Reactor Protection System SUCCESC REQUIREf1ENTS INITIATOR TRAINS NOTES B, 4 Failure to automatically or manually Transients insert at least six control rod groups. B,B,B j 2 3 None 1 NOTES: For Bi, B 2 , B 1 3 LOCAs it is assumed that the effects of reactor coolant blowdown (removal of moderator) is sufficient to achieve reactor subcriticality. The reactor vessel will be refilled with borated water of sufficient boron concentration to keep the reactor subtritical. A 21 I
.~.--.- - - , _ ~ .
l 4 Table A.3 Reactor Frctection Systen TOP EVENT DEFINITION BOOLEAN REPRESENT /> TION TOP EVENT NOTES RPS Failure to insert at leart six control rod groups l RP Failure to remove power from CRDM rrotors RM Faults from test and maintenance outages l l 1 A-22 t . _ . . . , . - - ___ .._.1--_--_.-- _.__ _.__. _._ _ .._ __ ___ . , _ . _ ,
ill1
/
}
y
, e N
, h y q s t Ig g r
5; g ve n Wg ; n e rei4-ra r y0; be y vp gmg g erf m+i
<f r F ,
, ubt h n ee
'q7gN n' N' q
3 *sd d ui a " mce - r S P ) I nne . 1 P R i 8 R NGINr T O M } mvTws e mltss t 1y
/
7 1/ R I br uN a 6 t 7
- 5 d1 I R 3
/ 5
' of 4 v.
n t 1 I 3 2 - e e 5 A 1 f o 1 E 7 R v F l 2 D1. ( E 2l I p (A 5 5E R - EC TN A ) i N - d
'O E '
C I IRT N _ A l e S Mr I5 A E. 2, NT i f T 3 0 3 5 F 0 ADrA O alN - l O 2
/
( i I FANU -T tl( t At L O, E 'l O d AO 4E3 AI < R U' T o 6 - 1CU 1 f F* o 1 l3SN M 5 M 2 BgT 3 l RE ( [ TE - R r ( 6 R 4 E Af OP k P [ N 1/ 2 F O O 4 L O 4A l e 4' FIT 0AS L 2
- e r
M VE IM fR
- O I AT A T FI r A
0 OpR S E t R O60 TtO l T
>F +1 ENT O B j FD u F FFM R OR 2 a 0RR FT tEf 0
lE* l vf 4 ERR Al V[ f0 R O' E O N
/
1 ) F tSt 0 AoR R ,E l EAc A F!C N D' IMC REA l
'D R'F lVD T O
0 d
, BPT BN 1
' O r A D O S 2 s
e RT i IN(O D C FCS F E T 4 R f
> Ai SNR Ail i TAO)
L E fw 'i l U A 'B O'F HCf f p l ' ' ' m s g ' - i 4 t C A S rN! 2T nN A
>ho 3H t
iR9 I T C 3 4 pC L k it Ak 0 R O tt1
'0 /
2 [ A 5I eat p rA REA O 'E U' FF PRf fim C*R L 3SN I Rt e r F O IN( D U ,- RT O AF F 0 Or O u SN4 FC5 g F . OO N ( TA0) L U
*AT ATt i ENu F E
RT A F'
'A 'C'*
'F R OA BCF UN C _
ILEI K AC T A FI F E F R U P 7 S C F 2 S OR / T 1 O 1 3 IS E N - BD R ,f E S 5IO HR b RLN 3 UC 0 L 0 O. EI - 1DN RArt I5 AR O 2
=
IF E 0 , AIO 0 F[ T 2 E ' R RN R O 1 O0V ClR B 'A T
' l
=
iT R TN
/R tT
>0NW
' l
Table A.4 Reactor Protection System B30 LEAN EQUATIONS BASED ON SIMPLIFIED FAULT TREE TOP EVENT NGTES RPS = RP + RM (I) RP = Rl' R2 + R3 R4 RM = RM1 R5 I l l NOTES: 1. All basic events that are assessed to be negligible contributors (c) were not included in the Boolean equation. A-24
1
^ SENS. , NOTES EVENT C0f EVENT OR FAULT LESC9!PTICN lPATE R-1) DURAT ON(HR) R ABILITY F CR m _' _ _'PCh E NT
__g_________._.._. . _ _ ._
. , _ _ _ _ _ _. __ _ __ _ ,_ _ t
' \ !
1 ' lRP l l FAILURE (HARDWARE) TO REMOVE l l 4.0 F-6
! POWER FROM CRDM MOTORS j l R1 FAILS TO OPEN D , ! 1.0 E-3 3+,3-l BREAKER l i
2.0 E-3 3+ ,3- l R2 : BREAKERS FAIL TO OPEN (1/2) { D v=2.0 E-6 l y g.
"C" j
, l i 7 l<
I l
?
w R3 ! BREAKER FAILS TO OPEN D ! 1.0 E-3 l3+,3. l ; m "B" i l ;
; ;s
! , s
! 2.0 E-3 l3*,3- ! E 7 R4 BREAKERS FAIL TO OPEN (1/2) D
[ "D" ', y=2.0 E-6 ! m
=
i I l l, l f=4.0 E-6 l 5. l l
=
RM ! TEST AND MAINTENANCE RELATED 5.9 E-7 l ,
! FAULTS j l k i
l c l RM1 RTM iUNAVAILABLE DUE TO TEST i 2.2 E-2 ; l 1 E l
'(1/4) f l i I i
i' i I % I I l l j
!R5 RTM 7 2 0F 3 RTM FAIL (2/3) l j 2.7 E-5 l3+,3- 1 I
2 {
! l t 5.9 E-7 I i C.
! l I ! ! I 8 i
. i I
i i' i
; I l ,
i l !' !
/ lable A.5 Eaactor Protecticn Systen QUA'iTI FI E/JION TT:BLES NOT ES 1 Each of the four ic :: tor trip rodules ( RTM) is assumed to be unavailab't. for -n Average of four hcars per month due to test. 'he tstal test outage for the RTM channels is thus 16 hours and the tatal unavailability fron these tests is (15)/(720) - 2.2 E-2. 2 Failure of (2/3) P"S a-2s assessed to be 2.7 E-5. The individual RT." f ailure probability was assessed at 3.0 E-3 rather than the more normal assesscent of 1.0 E-2 due to the simpiification of the calibration procedure which results from the built-in test and calibration circuits in the equipment. The multiple f ailures of the RTM were assu:ced to be independent due to staggered test and calibratirn, thus the total unavailability of (2/3) RTMs
~ , is 3(3.0 E-3)2 = 2.7 E-5.
A-26
\
Table A.6 RPS - Qusntification Su mary 1 i
+
i I i l B00 LEU. , FOINT + l
,. , A R I w,
._;,- tdiir i
- - . . .,n. . E S li l
t RI 1.0 E-3 l l-
+
f R2 2.0 E-3 l R3 1.0 E-3 i R4 2.0 E- 3 n; n- , _9 . ,, .r _ . RMl 2.2 E-2 l l A-27
APPENDIX B ENGINEERED SAFEGUARDS ACTUATION SYSTEM l B
APPENDIX B ENGINEERED SAFEGUARDS ACTUATION SYSTEM (ESAS) B.1 SYSTEM DESCRIPTION AND OPERATICN The Engineered Safeguard Actuation System (ESAS) monitors two variables -- reactor coolant pressure and reactor building pressure -- to detect. loss of coolant system boundary integrity. Upon detection of "out-of-limit" conditions of these varicbles, it initiates operation of the high pressure injection (HPI), icw pressure injection (LPI), reactor building isolation and cooling (ksIC), and reactor building spray system ( RBSS) . The ESAS also starts the engineered safeguards diesel generators A and B. B l.1 SYSTEM DESCRIPTION The E3AS consists of two separate redundant actuation subsystems (trains) A and B, each of which is dedicated to a corresponding ES equipment train. Each ESAS train consists of three sets of channel cabinets, an actuation relay cabinet and the appropriate section of the engineered safeguard operating panel. The equipment in each of the channel cabinets is comprised of the bistable trip units, bistable auxiliary relays, bypass relays, test relays, relay status lights and test switches. The actuation relay cabinet is divided into four separate compart-ments to contain the relays for each actuation subsystem and manual actuation output relays. Each of the output signals from a train (the actuation signals for the equipment) is generated by combining the inputs from the three channels in a two out of three matrix as shown in the simplified ESAS logic diagram presented in Figure B.l. Each ESAS train generates five types of output signals: RBSS, RBIC, LPI, HPI and the diesel generator emergency loading sequence, which is provided for sequential starting of large electrical loads following detection of an "out-of-limi t" condition. B-1
1 1 The following is a simplified description of system operation of train A (or B): Each actuation train employs three logic channels and the outputs of these channels are used in two-out-of-three coincidence networks for equipment actuation. The channels are actuated by receiving signals (information) from the various oi-going processes within the reactor plant and containment. The signal actuates the channel logic by de-energizing to trip the instrumentation channel output relays by cpening the contacts, e.g., relay R3 (these output relays are normally energized with closed contacts). See Figure B.2. Similarly, the logic matrices (actuation relays) in the actuation channels are de-energized to trir -- contacts close, e.g. , relay Zl A -- and actuate the engineered safeguards equipment. (The actuation miays are normally energized with contacts open). Separate essential service and DC power supplies are used for each actuation channel. The following paragraphs contain a discussion of the specific relay logic implementation used in the actuaticn channels of each of the five types of ESAS actuation signals. HIGH PRESSURE INJECTION (HPI) AND DIESEL GENERATOR EMERGENCY LOADING SEQUENCE (DGELS) Referring to one of three independent reactor coolant pressure transmitters shown in Figure B.3, a signal proportional to the reactor coolant pressure is applied to a safeguards bistable (BTl) and to a bypass bistable. The design of safeguard bistables is such that when the reactor coolant pressure is above the setpoint and control power is available, bistable interposir.g relay R3 is energized. B2
HPI is initiated by de-energizing the multiple contact outnut relays constituting loading sequence block 1 in two-out-of-three channels. (Block 1 consists of HP Injection pumps, Injection and Nuclear Services Valves, and LP Injection pumps). The multiple contact output relays can be de-energized by the mantal actuation relay by their related test contact, or by an "0R" function made up of contacts which open when the reactor coolant pressure is below 1500 psig (R3), the building pressure exceeds 4 psig (R12), or the reactor coolant pressure is below 500 psig. Blocks 2, 3, and 4 de-energize through an "AND" function, combining an "0R" function similar to the one described above and undervoltage relay contacts from corresponding 4160 volt safeguard bus. Block 2 consists of Reactor Building Fans and Emergency Nuclear Service Seawater pumps. Block 3 consists of Emergency Nuclear Services Closed Cycle Cooling Water pumps. Block 4 consists of spray pump start permit, reactor building ventilation recirculation unit, Decay Heat Closed Cycle Cooling water pump, and Decay Heat Service Seawater pumps. LOW PRESSURE INJECTION (LPI) The channels of low pressure injection are equipped with bistables similar to those used for HPI but which are adjusted to actuate at a lower setpoint. A typical channel is shown in Figure B.3. The output of the bistables will de-energize the same output relay as the HPI bistables at 500 psig. The bypass enabling contact of the bistable closes when the reactor coolant pressure is below its setpoint (900 psig) and control power is available. This action permits manual bypass of the channel for normal l shutdown of the system. REACTOR BUILDING ISOLATION AND COOLING (RBIC) The channels of Reactor Building Isolation and Cooling are similar in design to the channels of HPI and loading sequence except for the bi-stable and bypass circuit, as shown in Figure B.4. When the reactor building pressure is belcw 4 psig and control power is available, pressure switch B-3
interposing relay R10 is energized to the reset state by treans of the bypass reset pushbuttca. A subsequent loss of power or rise in building pre:sure above Setpoint will drop out R10. The continuous bypass o f a channel is possible caly after a two-out-o f-three actua tion. Ce-energizing the cutput relays of two-out-o f-three channels initates reacter building isolation, starts reactor building e ergency cooling and opens all salves required for reactor building spray. Tne reactor building pressure is sensed by two sets of three pressure switchcs , and the bypas s can only be energized after a two-aut-o f-three actuation. REACTOR BUILDDiG SPRAY (RSSS) P3SS is initiated by starting the pumps when reactor buildino pressure is over 33 psig. This is achieved, as shown on Fiqure 3.5, by sensing the reactor building pressure with two sets of three pressure switches. Each set of t hree pressure switches, which are wired in a two-out-of-t'1ree matrix, controls the closing coils of the circuit breaker of one spray pump along with actuation uf thu spray pump start permit matrix from HPI. While independence between individual channels within ESAS actuation trains is realized, a dependency exists between actuation trains which include reactor coolant pressure trip signals (HPI, DGELS, LPI, and RBSS). This dependency can be observed by noticing that the channel pressure trans-ducer shown in Figure B.3 provides pressure signals to both LPI and HPI bistables, and that those bistables are common to both actuation trains. Failures of the pressure transducer or bistables affects both actuation trains. Another interface is the undervoltage relay contact appearing in the loading sequence circuitry which represents a dependency on the 4160V ES bus. The ESAS is not dependent on control power to accomplish equipment actuation since loss of power will da-energize the output relays and activate the anociated equipment. B.1.2 SYSTEM OPERATION Table B.1 illustrates ESAS equipment actuation signals as a function of reactor coolant pressure and reactor building pressure. Table B.2 B-4
lists the trip parameters met, along with ES equipment actuated during various size LOCA events. Loss of power to the ESAS circuitry msults in the generation of trip signals by the ESAS (except for RBSS). The ESAS is designed to allow every component in the system to be tested during plant operation. Typically, monthly surveillance tests are performed to insure all components are operating correctly. System calibration is performed during refueling. The pressure transducers and buffer amplifiers in the system are monitored at shift changes by observing a meter which indicates reactor pressure sensed by the system. Monthly surveillance tests are performed for the entire system except for the reactor coolant pressure transducers and most of the. actuation matrix relay contacts. Each of the ESAS channels is checked individually by generating trip signals. These signals de-energize the output relays of the channel and cause 1 of the 3 relays in the 2 of 3 relay matrices to trip. Equipment will be actuated upon receipt of a 4 trip signal from either of the other 2 channels. Testing of the system does not disable it or reduce its capability to trip. Only one channel can be tested at a time. During each refueling (every 18 months) tests am done which trigger the ES actuation system one actuation system (train A or B) at a time, then phase into a diesel generator test. These tests are performed using an, two (of the three) essociated RBIS pressure test switches to introduce an artificial high reactor building pressure signal. These signals de-energize the actuation relays of two out of three channels in the equipment matrices and consequently actuate the equipment. I l B-5 J
Table B.1 ESAS Actuation Signals for RCS and RB Pressure Set Points RCS Pressure ESAS Actuation RB Pressure ESAS Actuation l Set Point Description Set Point (psig) Description (psig) 1700 By-pass is enabled 4 Trip - (HPI, LPI pumps, 1500 Trip can be by-passed (PIvalves,RBisolation) initiated (HPI, LPI pump) 1500 Trip HPI, LPI pumps initiated 30 Start containment spray p ps if HPI trip 900 r can e by-passed n en a 500 Trip (HPI, LPI pumps, LPI valves) initiated
Table B.2 ESAS Trip Parameters Met and Systems Actuated for Various Sizes of LOCA Initiating Events i TRIP PARAMETERS MET SYSTEM ACTUATION INITIATING 500 1500 4 PSI 30 PSI LPI HPI RBIC RBSS EVENTS PSI TRIP PSI TRIP TRIP TRIP Large LOCA X X X X X X X X B) I t y B Medium LOCA X X X X X X X X 2 oc B Small LOCA X X X X X X 3 B Small small LOCA X X X 4 IBased on conservative FSAR calculations. RBSS spray line injection valves are actuated (opened) by the 4 psi trip signal. The RBSS pumps do not receive an actuation signal. LPI pumps start, but the LPI injection valves do not receive an actuation signal.
***Also isolates those RB isolation valves not associated with containment or RCS heat removal.
l MANUAL REACTCR REACTOR J !Niil ATION OF COOLANT PRESS CCOLANT PRESS B Y PA $5 < 17C0 PS!G < 700 PSIG l X REACTOR REACTOR COOLANT PRESS COOLANT PRESS f < 1500 P5tG < 500 PSIG I husVAL REACTOR INITIATION OF BLOG PRESS ~ BYPASS ACTUATION > 30 PS.G. N REACTCP BLDG PRESS
, > 4 P5tG I
f U O - i, T YP' CAL OF ONE RE ACTOR BLOG RE ACTOR CCOL ANT RE ACTOR COOLANT OF THE THREE 150L. A COOLING AC T UA T ION CH ANNE LS LOe PRE $5 INJ HIGH PRE 55 INJ OUTPUT REL AYS OUTPUT RELAYS OUTPUT RCLAYS ( ) ( > ( / \ AU ULI AR!E 5 2 OUT OF 3 2 OUT OF 3 2 OUT OF 3 2 OUT OF 3 MA T Rix Es MAT Rix ES MA T RIX E5 MAT RIX E 5 I T
'h h 'h RE ACTOR BL RE ACTOR BLDG RE ACTOR COOL AN T
' RE ACTOR COOL ANT EMERGENCY isOL A TION COOL ING low PRES $URE H:GH PRES 5URE DIE SE L VALVE 5 SY$1EM IN) SYSTEM iNJ SYSTEM GENERATOR
l MANUAL INIfl ATION Or 4
, L. BYPASS /
I 1 Z n MANUAL ACT. Or REACTOR BLDG. 150L. & COOL !NG MANUAL AC T OF low PRESS N J. $y ST E M
=M)
MANUAL ACT. OF HIGH PRESS IN) SYSTEM
')
) MANUAL ACT CF REACTOR Bt DG $PR AY PUMP UNDERv0LTAGE D E T E C T 10N START l RESE T E M'. RG L OADING 5f GUE NC E OUTPUT RF1 AY5 OR GATE
)
Y _ J OUI Or 3 _ A tJ D G ATE MAIR'n f 5 [ [ NOT l l t[ 1 [
-} , _ ._
Figure B.1 Engineered Safeguards I Actuation A (B similar) Rt ACTOR BtDG Simplified Logic ) . 5 PRAY $y$1[M B-9/10 ie f~~~
o l Typical output relay and Sensors its contact bi 9 "^I _._. A _.. 3j W
\=
Channel 1 e.g., relay R3 Signal S2 ---- d ... - P-v ,- - j Channel 2 r-Signal
& S3 --- --
w Channel 3 The circuits are shown tripped NOTE 1 Contacts 1, 2, 3, . ..n belong to matrixes of other equipmen NOTE 2 Each relay closes two contacts (one U and one Z) l , I
..w- - - . . . , - -
)
J Cor, tacts of a typical actuation From A-C relay form a two-out-of-three nowe r so u rc" matrix for ESAS equipment Auto actuation relap See NOTE 1 y
--+ 1
--+ 2
--+ 3 Ch. 1 U
^
g 4 contacts} See Note e.g., leadin9 \Z 2 to a set of 2 contacts from n relay ZlA
--+ 1
--+ 2
--> 3 Ch. 2 4 contacts .
\
....... . . . .' U Z
---+ n 41
---+ 2 43 Ch . 3 7 4
contacts \ U
- t
\.
-+a u
typical equipment
- e. g. , MUV-53
- t l
Figure B.2 ESAS-Simplified Circui try B-11/12
)
m
T J TYPICAL REACTOR COOLANT
' PRESSURE TRANSMITTER 1 0F P. T.
t BUFFER AMPLIF IER F l I I I M 4 ~SAFEGUARDS M 4 BYPASS i 1-ESSENTIAL SER. BUS A 1 ' #~ 0 E E f
~{ Big {ABLF 120V A.C. f 0 P
,* CCN Cib Bg@IS CON AC P I
- RI hP 2 HANUAL RESET T
I_ 7 ACTUgit0N ACTUATION h AUTO-RESET m
]
~
BY- BY- -- RI ~~ PAS AS ASS PASS T CON T. EXT
. * -u iHH i R2 Rt ,
RESET R1 R2 R3 1 __ R3 (1500 PSI)
- R3 (1500 PSI) -- BUI LD ING PRESS.
E.S. BUS PSIG (Rl2) UNDE O AGE __ BUILDING PRESS. _ 4
, PSic (R12 ) b(SH0wN TRIPPE0l~-
_4 NANUAL ION R&AY
~_ :R 'o (500 P SI ) -/ H.P.
9-T[S{ 3 H.P. H. P. , j TEST 2
/- TEST 1 I
TlHER 3 g [ Z1 A Z1B [ [TlHER <TlHER2 ' BLOCK 2 BLOCK 3 SLOCK 4 BLOCK l TYPICAL OF 3 CHANNELS HIGH PRESSURE INJECil0N & LOADING SEQUENCE A . NOTE: 2 CUT OF 3 LOG lC
~
w
/
6 m 8
/
t ---
)
- T
)
- 3) ,-
/
- w 1 1 1 1__
4 BYPASS BitTABLE g M y- ES0ENTI AL SER. BUS A y-I SAF EGUARDS BISTABLE M y - BISTABLE f~ ai-4 120V. A.C. BT-3 '"'- ' CUIPUT d -*' SfT-PO:si i SFT-POINf CONIACTS 900 rSi , 500 PSI 10
.i_ AUT0-RESET 2'- _1_ R 4 "2 ANUAL RESET
~
ACTUAT40N BY. 8Y- BY- - R5 R4 ~~ PAS
~~
PASS PAS 5 [ EXT. ONT " ' LXI. HHH
~ - .
R5 R4 ,f
/ .,.
, Rr. SET R4 R5
-[, p[
.~
TYPICAL OF 3 LOW PRESSURE CH ANNELS
~ ,
4 2 STARIS E ACH AutiLI ARY
,7~
s
~ .
Figure B.3 (1/2) Safeguards Actuation System , 2 > B-13/14 k - -- - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ a J
% h
~
s d
- TYPICAL REACTOR BLDG. PRESS.SW;
( l 0F 3)
- N-SET POINT'4PSIG '
X AUTO-RESET .
'N PS-24 . ESSENTI AL SERVICE BUS 120N 1 .
14 ' ]-- N y- '
- RIO R8 4
b N , . %
, , _4 TEST _4TES1,_4 TEST _g 1 '
p f e- 9I j- 2 .,t, 3 j
~
t - 3 - 1 m ( . .
. [ ErlASti -
~
R8 -~ ' BYPASS >
$ - . e R3 RIO XI -
o w - ,' PSI - '
~ ' * -0*JTPUT RELAYS IND N RESET RFLAY Fall SAFE-
% 2 OUT OF 3 LOGIC ACTU c PSl8 BUILDING ISOLATION & COOLI r ,
v 4-.-.--- BYPASS RELAYS -d I-
^
REACTOR BLDG. PRESSURE psi 9 OUT
,3 PRESSURE SWITCHES g^@' MAT
' SET-POINT 30 PSIG ii
. OF SPRAY PLNP "A "
(SlHILAR CIRCUITS FO R PUMP' "B") b] PS20' 3 MATRIX +
+
MD'- - l
. , ., I 4
4 L i l Y s p Y INDICATION
., & ALARM s
\
s Q A> 9 _ _ _ _ _ _ _ _ _ . _ .
4 w_
)
3
) , A. C. TYPICAL 0F 3 CH ANNELS ZRIO RIO O
T T IEST_g{s_g.,TET t Rll Rl2 CORE INJECTION TRIP lNITlAfl0N INDICATION (2 OUT OF 3 REQUIRED) RELAY LTES lG VALVES START CIRCUlT OF REACTOR BLDG. t$XOUTPUT SPRAY PUHP A I Figure B.3 (2/2) Safeguards Actuation System
'i B-15/16 i
s
t
, i t .t .t 5.i }.,.ygs. ,.ti..
n ,.y ..,., .,,,,
. .t is t
's 3 * * ,s t . , s .t n . . . c i . ,3 2e,, . . c, n,,,,,,,,,,,,,,,
'M --
J_- :: .' ._{". :. : . . ::... l
, ,s_.
no ,. , : < _ > . . , i
,,, "--i F- a t ,
= ....si w%,
.. f_ _,,, -- - -. . _ _ . _ _
s
. . ..u.
Y I N'. ....I..,..,f I I Y... I.. .".'... T "' ,.,
...i.i o eu, ,.w... .. ...... ,.,,c..,.
u .,
}.. in
....a.u...
l l Figure B.4 Reactor Building Isolation (RBIS) and Cooling (RBCS) Actuation Circuit (1 channel of 1 train) B-17
CH. ! CH 1 CH 3 PS gg PS g9 PS Hff loa o M gff H
$ 0tNS (p4 DIA6 pff$gey, 3a Blocx 4 stocx y stock 4 1
2-out-of-3 2- out - of- 3 M a leix Matrix Figure B.5 ESAS - Reactor Building Spray Actuation (1 Train) B-18
B.2 SYSTEM SIMPLIFIED FAULT TREE Fault trees were constructed to model ESAS failure to actuate ESF equipment during LOCAs. The ESAS responds to a B4 LOCA by actuating the HPI equipment group (including the LPI pumps). All other ESF functions (LPI injection line valves, RBIC, and RBSS) are not actuated. If a larger LOCA (B1.2
, 8 ' 0F 0 3) is the initiating event, it is expected that all ESF equip-ment will be given actuation signals.
A set of two fault trees was constructed for ESAS failure to actuate HPI, given a B4 LOCA. One top event is defined as the failure of a single piece of HPI equipment to receive an actuation signal from the ESAS (Event ISS). This top event is necessary to provide an interface to individual equipment appearing in system fault trees. Evaluation of this tree provides a failure-to-actuate probability for use in conjunction with individual equipment failures appearing in the HPI system fault tree. The fault tree j structure developed in this tree is valid for both immediate and loading sequence time delayed equipment actuation. The di fferences in circuitry involved are taken into account by modifying the unavailabilities of the group logic and the output relay to reflect the differences in hardware con fi guration. The top event for the second fault tree for ESAS to actuate HPI, given a B4 LOCA, is defined as failure of both HPI actuation trains to generate actuation signals (Event ISB). Evaluation of this tree provides the probability that equipment in both HPI trains will not be actuated. This event appears as a common mode fault in the HPI system fault trees. B-19
~ ,
A second set of two fault trees similar to those described above, was constructed for ESAS failure to actuate each ESF, given a B), 2B , rB LOCA(Even 3 ILB and ILS). The basic fault tree structure for these trees is defined by the fact that all ESF equipment is actuated by providing continuity to control circuits with two-out-of-three relay matrices. Each type of actuation circuit, however, contains a slightly different equipment configuration which is included in the models. In addition, these models include a common mode human error for actuation of the RBIC and RBSS. This error is the miscalibration of all pressure switches and pressure regulators used to test pressure switches. The detailed fault trees were simplified by the elimination of failure combinations containing more than two active failures, since these fault combinations are not expected to contribute to the system failure. The resulting simplified fault trees for ESAS failure to actuate HPI, given aB4 LOCA, are shown in Figures B.6 and B.7; those for ESAS failure to actuate each ESF, given a B), B2 , rP LOCA*, 3 are shown in Figures B.8 and B-9. The top event definitions for the simplified fault trees are shown in Table B.3. The RBSS pumps do not receive an ESAS actuation signal from the B 3LOCA initiator; however, the spray line injection valves are actuated (opened) by the RB 4 psi trip signal. B-20
ISS l l em l l cH2 out ya+ CH3 0u4 Put Citi output IAl\ relaj IaIS" relay fo*ilure rela) failure /IA1 combWS dikb co nMne s td*O Co-bines 43ilh CR1/c H3 Coal *545 cH2/cH1 coduc.45 cH2/cH3 Con 4at45 l l l l l l l l CH1 Oulpul cui or cn3 CH1 o u+ t ui-CH2 or CH3 reia'j re ma' ins relag teoloc45 relay remains relog Co,Jac4s energ'iteA (ai\ 4o close. enerpsca fail to close 2 c 3 outpu4
,, retay ,twates ,
energiYej ca,u g(o3h v/\3\ gCo nb c4 5z gCo hm n ta c a con4acks nloc45 i (od ko - (aa 4.o cui occH 2 fa'il lo fail 4 o close c\os e. velay co.4ac45 tto se. close 73 c4 fa'il io close. Idi IC2 (noleO T CH1Z C H 2.2. Nolt h for ChonatI Ond Conlock5 Coolac45
- c. }.cl idenlification { ail to (ail lo s ee rig ure 3 2. clo s' ICS LC.A Figure B.6 (1/2) Simpli fied Fault Tree - ESAS (Event "ISS", B,4 LOCA)
I P-21
IX X = 1,2,3 i Omr 1) C H 1. DUT PUT
!:E L A'( I'C!'h1!!5 EDELGIZED m
i CH X CH x CHx LcGIC I' AILS 00TPO T E'E L Ai TR A NS DUC E R To DE-ENERGfEC FAILS ENERGl2E D FAIL 5 Tc Hisu CUX CHx PRE 55URE G Ro u P LcGrc sec en 1 ITD%
,/ LilS TABL E K '
IC LYs FAILS TO DE - y g g y* 7 FAIL 5 TO TEl? to CN ERGI7E w
' J B 5x, sct Narc 1 I G. LX.
Nr>T C I : haE.bii;i;i as .s heit & p,,Jg on ajr.p,u,d inmicd;o j e c.edgj;;n , G nf;cju m hon ; 4inu jela < Figure B.6 (2/2) Simpli fied Fault Tree - ESAS (Event "IX", X = 1, 2, 3; B4 LOCA)
ISB T l l l
* " " Sislable. folkre, on Bisbble {a\1r( en Chi '" N"*5 "ih CH3 cam bines wi %
A4\ #" *# C ""' cH2 combines win ct nother c.hamel !146 onoker c.hann e {
- b. g " "' failu re. f ai{ ave b b,
( I I I l I
,[gg y cB2 or cH3 cH3 c% i or cB 2.
j g ,,p\c {aib\ bis DIC 5 ""#i" "N #"" dble @ils DI5b NI'S '"" i" 4 oat-ecth# s b de-ene.gitt ' ^ N "*1
\/ 185l
-m
/ 3'N Bislable fail 5 gg3 ew
,. L " S*"# _ I __
CR2 Bis %able. chi Bis \able l rema, CJ13ins Sista ble g CH2 bi sb ble remaing rerna\n s rernains i emerg i Eel encryited l energized
,x ec -" cui or CB3 energizel
/ 'N g
\ BiSbble 5 remain \
/Ilo y /. h\- ent yji E tg 10 \
T ct[1 Bisla ble CH3 Bislabk nmains ccmains energiEej energiZeJ JA_ llI Figure B.7 (1/2) Simpli fied Faul t Tree - ESAS (Event "ISB"; B 4 LOCA) l t
U Cll Y M) STAB'.E x LT. r l AIN s , X:(gl1,12 I.X_yh [N L R6 t F LD rm C \i Y lilSTAbt'.' I Att0 ,gpggpg.DMts (Q 1 Rly ' AILS r o titGU PK r ', lii3 )' 7 7[yy Figure B.7 (2/2) Simpli fied Fault Tree - ESAS (Event "IX", X = 10 and Y = 2, X = 11 and Y = 3, X = 12 and Y = 1; B LOCA)4 B-24
I -
/>
TFdPLE coNTAC.T 2 of 3 Atit FAILORES / CHANNELS T PREYENT CONTi#u1Ty
/IA7 Tb DE-ENERG O /N
/ \/
15 \ 1 /I7 C H A N N EL t--2 CHAN N EL 1-3 CH ANN E L 2-3 N conTAc.T tot 4BINA- CCN TACT COMBIN A- Cot 4 TACT coMBINA- AC.Tt)AT
-Tion FAILS TO -TION Fall S T O -TION FMLTTO HEL 1 FA PROYlD E CONTit40tTf PRbVIDE CONTINulTY pgoygpc ccurigorTY O- NERGl IAC1
-w gg -m- -s <
10 coNTAtt\ 3Z conTAc Tall TO Fait. To 1 g CHAHiiELg char /NEL CHANNEL
- 12. contact [\ f2Z.ccM TAC 15 1l} CONTACS [3U CCHThCT FA)L TO Fall To Fall TO FAIL TO CLOS E CLDSE CLosE CLOSE IC3 Id4 ICS Ic.6 l
9 _ . . . . _ _ _ . _ _ _ _ _ . _ . _ _ _ _ . _ . _ _ _ . . _
y
)
)
SE E N3TG 1 l QTloW RELAY coNTAC% hll TAIL IN coM5lWA-OtE MO . TION wiTR ACTDATioN ctiAth EL TALLURE 2of3 SEE NOTE 2 ACTOATION SLS Tb CHAWN Eb 2 YAll3 E 19E Ot?-EtaEILG\t G TuA CH A t4NEL 3 FAtLS To IACZ DE-E gggGl2E I.AU Figure B.8 (1/2) Simplified Fault Tree - ESAS (Event "ILB"; B1 , B2 , orb 3 LOCA) , B-25/26 _ _ _ - _ - _ _ _ - _ - _ 5r
RELAY CONTACTS Fall IN CoMfilNA-4\ . Tion vhTH ACTUATION tHANNEL FAILURE em ACT.1 F AIL S w t TH ACT. 2 FAIL 5 VITH AcT 3 TAIL 5 WITH CH2- CH3 coeJTACT cH2-ctI3 CONTACT C H4-cl{ 2 CONTACT CoMSINATlog coFf 6/N ATl0 Al cc M BlW A Tio u 1 (h ( h (3 Y I I l m , , , CHANNEL 2 $ C HANNEL I -3 ctfANNEL 1-2 toNTACT COMBIN A- CONTACT CoMS;NA. COA / TACT COMB /N-
-Tion Fall To -TroA; FAILS ro -ATrotJ TAIL TO P90 VIDE cnNTIN0lTY PF0VfDE CotvTIN'RW pgavspE CONTINVIT}'
^ C TOA. ACTM- ACTUA-
/77\ -TION C H ANNE 1 FAILS 70 6 - loN CHANNE 2 FAILS To DE-S
-Tion c H ANN 3 FAILS To DE-c-sNe mIE ngg(,, g - -entgcog IACf IAC.2. TAC 3 Figure B.8 (2/2) Simplified Fault Tree - ESAS (Event "I4"; By, B 2or B LOCA) 3
i Figure B.8 Simpli fied Fault Tree - ESAS (Event "ILB") NOTES: 1 The RBSS pumps do not receive an ESAS actuation signal for the B LOCA initiator; however, the spray line injection valves are 3 actuated (opened). 2 This event is failure of automatic actuation of all equipment in one train. B-28
- - ~
- ' L S SEE
, NOTES i, 2. em HPI.NOT AC.T\)A TED
,gg , 1.Bss No r w r7c.y/rEsr Ac.TOATED ouRtHG Bs,8 2 D u RI NG Bs, B2.
Of 6s LodA oR 8s LOC A 1LE2. g /M
/
,7 g g SEE NOTES 33 5 SEE NOTES 1A;6 j
i Figure B.9 Simp 1ified Fault Tree - ESAS (Event "ILS"; i:1, B2 or B3 LOCA) B-29
Figure B.9 Simplified fault Tree - ESAS (Event "ILS") NOTES 1 The RBSS pumps do not receive an ESAS actuation signal for the B3 LOCA initiator; however, the spray line injection valves are actuated (opened). 2 This fault tree combines a RBSS and HPI fault tree to model the entire RBSS actuation circuit. 3 ESAS fault tree evaluated for HPI 15 sec tima delay (B , B2, 1 or B3 LOCA). 4 ESAS fault tree evaluated for RBSS switch matrix (B , B2 , or 1 B3 LOCA) 5 See quantification table for event ILB2. 6 See quantification table for event ILB5. 7 This event is miscalibration of all pressure switches (both 4 psi and 30 psi) and pressure-switch-test pressure regulators due to a maintenance error during a refueling outage. This event disables the RBSS and RBIC actuation trains because the actuation logic circuit for the RBIC is a required part of the actuation logic circuit for the RBSS. It does not affect the LPI or HPI actuation trains. 8 This event results in failure to actuate all equipment in both trains in RBSS and both trains in RBIC. B-30
N B.3- SYSTEM QUANTIFICATION B.3.1 SYSTEM RELIABILITY CHARACTERISTICS Table g3 contains the results of the evaluation of the fault trees for the top events in the ESAS fault trees. The results in most cases are dominated by failures within the ESAS output matrices which provide actuation signals to individual pieces of equipment. Two types of ESAS actuation signal top events shown in the table appear as common mode faults in the fault trees for the systems receiving the actuation signals. The first, for the B LOCA, 4 is "HPI Actuation Signal Not Available to Any Equipment" (Event ISB). The second of these faults, for the B), B2 , or B3 LOCA is "All RBIC, RBSS Systems Do Not Receive Actuation Signal" (Event ILS). This fault can result from equipment miscalibration due to a common-mode human error. The dominant failure mode for ESAS failure to actuate one piece of HPI equipment, given a B4 LOCA (Event ISS), is due to conbinations of output relay matrix contact failures and failure to trip of a bistable in another channel. The dominant failure mode of both HPI actuation trains, given a B LOCA 4 (Event ISB) is a combination of two bistables failing to trip. The dominant reason for ESAS failure to actuate LPI, HPI, and RBIC, given a B), B2 or B 3 LOCA, is conbinations of three output relay contacts failing to close when their associated relays are de-energized. In addition to the triple contact failure, the time delay HPI actuation system of I relay contact failure and failure of the actuation channel is found to be a significant contributor. The common mode pressure switch miscalibration event dominates all failures of the RBIC and RBSS actuation systems. The most likely failure event for automatic actuation of these systems is total loss of actuation signals to both systems (Event ILS). B-31 3
B.3.2 SYSTEM FAULT TREE QUANTIFICATION The Engineered Safeguards Actuation System does not depend on any other systen (i .e. , power failure would cause an ESAS signal). The independence from any other system does not require a Boolean reduction ir, the event tree sequence analysis. Therefore, nc modularized fault tree was constructed. The simplified fault trecs presented in Section B.2 are used for the quantification purposes. Table B.4 shows the ESAS success requirement. Table B.5 contains the top event definitions for the simplified fault trees (Figures B.6 through B.9). Table B.6 shows the Boolean equations that represent the fault trees. Table B.7 shows the quantification of each gate by component and failure mode. Table B.8 summarizes the point estimates of the top events. B-32
( Table B.3 Results of ESAS Quantification INITIATING TOP FAULT TREE TOP EVENT UNAVAILABILITY EVENT EVENT ** ISS1 Non-time delayed HPI actuation signal not available to exactly 1 piece of 2.1 x 10-4 equipment B 4 LOCA ISS2 Time delayed HPI actuation signal not available to exactly 1 piece 2.2 x 10 ~4 of equipment 158 7.2 x 10~ HPI actuation to any equipment sig(ral Both nottrains available failed) ILB1 Non-time delayed HPI actuation signal not available to exactly 1 l 1 piece of equipment i 1.0 x 10~7 ILB2 Time delayed HPI actuation signal not available to exactly 1 piece of 5.6 x 10 -6 equipment ILB3 LPI actuation signal not available 1.0 x 10~ B,B, 1 2 to exactly 1 piece of equipment or 83 LOCA ILB4 RBIC actuation signal not available 1. 3 E-6 to exactly 1 piece of equipment ILB5 Reactor building high pressure signal not available to actuate exactly 1 1.2 E-6 piece of RBSS equipment
- ILS All RBIC and RBSS equipment does not receive actuation signal *,*** 1.1 E-4
_.__. ____ _ _ LILS=ILB2 + ILB5 + IHEl) _-_ _ OThe RBSS pumps do not receive an ESAS signal for the B 3 LOCA initiator; however, the spray line injection valves do receive signal. ooThe top events for the simpli fied fault trees, Figures B.6 through B.9, are defined in Table B.5, and quanti fied in Table B.7. 0"The actuation logic circuit for the RBIC is a required F'rt of the actuation logic circuit for the RBSS. Thus, if the RBIC actuation logic circuit fails, the RBSS actuation logic circuit will also fail. 11 - 3 3 __ n.
y - - - - _ _ _ ____ - __ Table B.3 ESAS - System Success Requirements TRAINS NOTES INITIATOR all 2/3 channels to each equipment 15 - 3 4
.a --- . ..
C Table B.5 ESAS - Top Event Definitions BOOLEAN REPRESENTATION TOP EVENT NOTES ISSa See below for a equal to 1 1 or 2 ISSI Non-time delayed HPI actuation 1 signal not available to exactly one piece of equipment (8 LOCA) 4 ISS2 Time delayed-HPI actuation signal l not available to exactly one piece of equipment (B LOCA). 4 ISB HPI actuation signal not available to any HPI equipment (B 4LOCA) ILB a See below for a equal to 1, 2, 3, 3 4 and 5 ILB1 Non-time dependent HPI signal not 3 available to exactly one piece of-equipment (B), B2 , B3 LOCAs) ILB2 Time delayed HPI actuation signal 3 not available to exactly one piece of equipment (B), B2, B3 LOCAs) ILB3 LPI actuation signal not available 3 to exactly one piece of equipment (B), B2, 83 LOCAs) ILB4 RBIC actuation signal not available 3 to exactly one piece of equiprr.ent (B), 82, B3 LOCA) ILB5 Reactor building high pressure signal 2,3 not available to actuate exactly one piece of RBSS equipment (Bj , B2 , B LOCAs) 3 ILS All RBIC and RBSS equipment does not 2 receive actuation signal during B), B , or 8 LOCAs. 2 3 B-35
Table B.5 ESAS - Top Event Definitions NOTES 1 The numerical evaluation is different for 1S51 and ISS2; however, the same tree with top event ISS is used. 2 The RBSS pumps do not receive an ESAS actuation signal for the B LOCA initiator; however, the spray line injection 3 valves are actuated (opened). 3 The numerical evaluation is different for ILB1, 2, 3, 4, and 5; however, the same tree with top event ILB is used. B-36
7 Table B.6 ESAS BOOLEAN EQUATIONS BASED ON SIMPLIFIED FAULT TREES TOP EVENTS NOTES B4 - LOCA ISS = ISS1 = ISS2 = IAl + IA2 + IA3 ISB = IA4 + IAS + IA6 B) , B2, B3 - LOCAs ILB = ILBX=I5 I6-I7 + I4+(IACl IAC2 +
+ IACl IAC3 + IAC2 IAC3) (1) for X = 1,2,3,4,5 ILS = ILB2 + ILB5 + IHE1 (4)
INTERMEDIATE EVENTS B4 - LOCA IA1 = Il-(IC5 + IC6) IA2 = 12-(ICl + IC2) IA3 = 13-(IC3 + IC4) IX = ITDX + IBSX + ICLX + IGLX + IORX (2) for X = 1,2,3 IA4 = IBSI-(Il0 + Ill) IAS = IBS2-(Ill + 112) IA6 = IBS3-(Il0 + 112) IX = IBSY + ITD) (3) for X = 10 and Y = 2, X = 11 and Y = 3, X = 12 and Y = 1 B), B2, B3 - LOCA I4 = IACl 17 + IAC2 16 + IAC3 15 15 = IC3 + IC4 16 = ICl + IC2 17 = ICS + IC6 l B-37
, Table B.6 ESAS "t
BOOLEAN EQUATIONS BASED ON SIMPLIFIED FAULT TREE NOTES 1 The expression in parenthesis reflects the possible "2-out-of-3" failure combinations. 2 For further definition of the parameter "X" see also quantifi-cation tables. 3 For further definition of the parameters "X" and "Y" see also quantification tables. 4 Event IHEl contributes only to ILB4 and ILB5. B-38
,l
/
ge7 c*y u ONe 2m3 d$q hC3 O+r$" S* E 9 1 E" U am W CMorb S - 3 3 E T 1 , , O 2 2 N , , 1 1 S N E S i
- .' l R ~ ~ - - - - -
C ~-' 0 0 0 0 - 0 0 1 1 1 1 3 1 1
* * * , + * +
~ 0 0 0 0 3 0 1 1 0
~ 1 1 1 1 Y
T I 4 5 5 I
- - E. -
5 4
? 3
- - 3
- 2 4 2 3 6 6 2 5 E E E E E 3
E E E L - - - - - - - - 0 E E E E E E E E
- 0 1 0 0 1 9 9 9 2 7 7 8 2 1 2 6 6 8 0 F 7 2 7 1 1 3 4 - =
1 1 1 7 3 3 1 7
= =
r I t "
.I E
)
R H
#6 4
4 4
+ +
E E 0 0 0 0 9 9 4 6 6 6 6 3 3 3 3
@ 1 1 D'
)
) 5 1 -
- E R
7 7 5 5 0 8 8 IE E E E E 1 E E ( 0 0 0 0 ) 0 0 1 1 2 3 3 ( 1 1 T T - C C Z I A A L N T T L L A C ! N N E E E E C o C O N S S ) N O O TI N r ( C N N L L N S P Lr E E3 E EA EA C C I ) E I
;E R3 RH RH T h R U U UC UC T F C C NIA L3 LD L O O F A T S GPC N IN IR L IR T T I R I E
I SEL O IAA F AA F AO AO S S H S DW S L N F F L T IC qY 2 Y 1 Y 1 Y IL I ( T N 2 P Y A A L HY E AL L E AL AL AL F F E R I O ( U LC EN L E. LE LE U A E' E: EN P E E F TIN R N NC! A RN A R AE N'S RN A B S S T Z Z A T T D I I R EAP TH TH THR THS C C E E G G T)L UC UC UCU E R S R R O NEC P P F L T UCE R A TAT Z P ( E E D L TH TH THI THU N N N N E T FOI UT UT UTA GI H P E E Z N T f. OI OI OIF UTL O CO C R G I - E V UE E M. 1 W W W OII WA / / E N I R E E
- I G
E 2 3 T X F D V H T D D P ELF SS SC S E E Y.E I
!AL TLU L srSuLEE E! ENR ENT LEA LET L L ENC E E S N
O TN O O T T O T N E IL 1U NIU nlN NIA N N O L N 5L NA S. I APC ?aO SI S S S S I NA A' .I N3T N N A LT L L L L
- Vi AFN A A M NAD CHOA CF HCA CCF HC HOO IA CH CH I I I I l
CC2 CCC E R I AR A A A F A F T - T T U S C P U N P N U P E T U A P GI O T Z E O R U G T L L G O P B B P A V O C U XM XR
,L E
.C XAT X XC XY
.S .I G
A
.L H H HE HU HI H. HO HE C C CR CD CB C CL CR T. 1 ' 5 1 2 3 X X X X X X i 5 A A A Y Z D S L L R v 1 A C C X T B E
I I I I I I I I I C G I O I I 8j i
, i
Tl FA SENS. *iO T E S A RE C I 81 T FA OR EVENT COMPC?.ENT EVENT OR FAULT DESC910'TICN p gq 1} DURATicN(HR) U 1T171 FELAYEf h?! SIC';AL TOT AVAILAELE Ii 5
'. ', E, - ",, o 1532 TO O'iE , PIECE OF ECCIF:INI EG!t,; to eg LL l L
IAI , CHANNEL 1 OUTFUT FELAY FAILLPE 7.4 E-5 l fFAILUFiS COSINES WITH CHAN'iEL 2 AND 3 CON 1 ACT j j ke IA2 l CHANNEL 2 OUTFUT RELAY FAILURE 7.4 E-5 l jC051NES WITH CHANNEL 1 AND 3 CCNTACT ' m FAILURES < IA3 I CHANNEL 3 OUTPUT RELAY FAILURE 7.4 F-5 @ iCOM31NES WITH OiAN'iEL 1 AND 2 CONTACT " l FAILURES " 2.2 E-4 l 1 -
! CHANNEL X OUTPUT FELAY FAILURE 7.4 E-5 lIAX COMBINES WITH CHANNEL Y OR CHAN'iEL 2 13+, 10- 1,2,3 $
N l , 1.0 E-7 1.9 E+4 1.9 E-3 = CHANNEL U/ CONT ACT A FAILS TO CLOSE 10+, 10- 1,2,3 ICY !CH. UA 1.0 E-7 1.9 E+4 1.9 E-3 ICZ l
'CH. VB CHANNEL V/ CONTACT B FAILS TO CLOSE a 3.9 E-3
@ar s
l l C
;CH. X OUTPUT l 1.9 E-2 2 = IX i RtMAINS ENEPGlZED 1 ; RELAY Q
10+, 19- g ITEX lDUCER lCd. X TFANS- iiFAILS TO HIGH PRESSURE 3.0 E-5 4(SHIFT IN 1.2 CALI-E-4
!BRATION i 1.1 E-2 10+, 10-IBSX CH. X
- BISTABLE FAILS TO TRIP (SET POINT DRIFT) 3.0 E-5 (2)(1.0 E-5) 360 360 7.2 E-3 3+, 3- [
i r-FAILS TO DE-ENERGlZE (2 SWITCHES) ICLXlCH.XLOGIC 1.1 E-4 g IGLX iCH. X GROUP LOGIC FAILS TO DE-ENERGIZE 3.6 E-6 10+, 10- ,
?
1.9 E-8 363 2 1 RELAY C0ll ENERGlZED l 10+, 10- @ 360 3.6 E-6 2 SETS RELAY 1.0 E-8 C0'iT ACTS FAILURE OF N.O. CONIACTS TO OPEN 1.0 E-4 3*, 3- d o FAILS TO ENEFGlZE 1 RELAY :=1.1 E-9 3./ E-4 g 10RX OUTPUT RELAY FAILS ENERGIZED 3.6 E-6 10+, 10- w C 1.0 E-8 360 (D 1 RELAY C0ll ENERGIZED 10+, 10' .S 360 3.6 E-6 1 SET RELAY 1.0 E-8 ' CONTACTS FAILURE OF N.O. CONTACTS TO OPLU 360 3.6 E-4 1.0 E-6 i 1 TIME DELAY FAILS TO DE-ENERGIZE S3.7 E_4
I E E vt NT E VENT OR Faut.T LESCRIPTICN SENS. f_co _"rof.E T l __..N _ a__ R ' R-1) DURAT ON(HR) BA TY C OR NOTES HPI ACTUA!!CN SIC 1AL *ai AVA:LAELE i jen
~
TO ANY ECL'IFT'ENT DN1% Eg LOCA 7.2 E-4 IA4 plSTA WITH Xg FAILURE
..uTHER CHA'iiELON FAILCr.t CHt.N'FL1 COP 31NES 2.4 E-4 f IAS BISTABLE FAILURE ON CHANNEL 2 C0" BINES 5 i WITH ANOTHER CHA*iNEL FAILURE 2.4 E-4 IA6 BISTABLE FAILURE ON CHAN'iEL 3 COPSINES -
2.4 E-4 N WITH ANOTHER CHANNEL FAILURE I=7.2 E-4 C s IAX l BISTABLE FAILURE ON CHANNEL X COMBINES WITH ANOTHEF CHANNEL FAILU;E 2.4 E-4 4 IBSY SEE EVENT "lSS" OUANTIFICATION 1.1 E-2 10+, 10- 4 m ITDY SEE EVENT "!SS" QUANTIFICATION 1.2 E-4 10+, 10- 4 @
<+
IBSZl SEE EVENT "ISS" QUANTIFICATION 1.1 E-2 10+, 10- 4 _ , ITDZ ' SEE EVENT "lSS" OUANTIFICATION 1.2 E-4 10+, 10- 4 G m en i :=2.2 E-2 = C IBSU SEE EVENT "lSS" QUANTIFICATION 1.1 E-2 10+, 10- @
==2.4 E-4 $
C. 2 O c. a 9 O 9 E_ y 1 r q 4 /
't
y
\
+
r- -- jEVENT C O*1PO NE N T EVENT OR FAULT DESC91PTICN RATE HR*l) DURAT N(HR) O BA LI y F R SENS. l NOTES [
..__J_._ g 7
- Il31 iNON-IlME DEPENCCiT HPI SIGNAL NOT IAVAILABLE 10 EXACTLY ONE PIECE OF m OUIPMENT DURING 1B , B2 OP B3 LOCA 1.0 E-i 'y l IA7 RIPLE CONTACT FAILURES PREVENT gl CONTINUITY 5.9 E-8 g I IA8 t)-00T-OF-3 ACTUATION QiANNELS Fall TO "
- DE-LNERG12E !
14 RELM CONTACIf Fall l'i C0f31NAT10N WITH m lACETION CHCNEL FAILIJRE i t.2 i E-8 $
=
n t- 1.0 L-/ IA7 TRIPLE CONTACT FAILURES PREVENT E CONTINUITY l 5.3 E-0 7 IX .'O!ANNtl 1 OR 2 CONTACT COMBINATIONS All 10 PROVIDE CONTINUITY 3.9 E-3 . 6 p. j ICY [ri. UA AILS fu CLOSE 1.) E-7 ,?.9 E+4 1.9 E-3 < 10', 10- 'L 3. 6 E l j
!CZ LH. VA FAILS TO CLOSE 1.0 E-7 1.9 E+4 1.9 E 3 10*, 10- '1, 3 6* C tu -s g r=3.9 E-3 g N 14 'RELAi CONTACTS Fall IN COP 31 NATION $
WITH ACTUATION CHANNEL FAILL;RE ti.2 E-3 8 g-IAC1 1 RELAY COIL ;ENERMZED (ACTL'MIGN GlANNEL 1) ' 1.0 E-8 360 3.6 L-6 17 SEE ABOVE EVENT "lX" - 3.9 E-3 , y n = 1.1: E-S m
~
f*" l ? Er
=
E o h 18 s = g a
EVENT COf*PCMENT EVENT OR FAULT DESCRIPTICN I RATE H *1) DURAT N(HR) O L OR SENS. NOTES p er IIME EELAYED hPI SIGML ? 0T AVAILA3LE l 1G2 TO EXACTLY CNE PIECE OF ECUIFfINT 5.6 E-6 DLR!% B1 , b U 53 LOCA
- IA7 TRIPLE CONTAL'T FAILURES FPB'ENT w CONTINUITY 5.9 E-8 _
IA8 2-0UT-0F-3 ACTUATIC'l CHAT 4ELS FAIL TO E DE-ENERGlZE t. $ 14 RELAY CONTACTS Fall IN COMBINATION WITH ACTUATION CHANNEL FAILURE 5.5 E-6 m
- = 5.6 L-6 @
IA7 TRIPLE CONTACT FAILURES FREVENT CONTINUITY 5.9 E-8 7 2 IX CHANSEL 1 0F 2 CONTACT COMBINATIONS E Fall TO PROVICE CONTINUITY 3.9 E-3 6 1 ICY CH. UA FAILS TO CLOSE 1.0 E-7 1.9 E+4 1.9 E-3 10+, 10- 2,3,6 o ICZ CH. VB FAILS TO CLOSE 1.0 E-7 1.9 E+4 1.9 E-3 10+, 10- 2,3,6
.- 5, m Z:3.9 E-3 &
[ v 14 RELAY CONTACTS 'IL IN COMBINATION WITH ACTUATION CHANNEL FAILURE 5.5 E-6 8 h n 13+, 10-IAC1 ENERGIZED (ACTUATION CHANNEL 1) 4.7 E-4 h 2 RELAY C0!LSjENER51ZE3 1.0 E-8 360 3.G E-6 10+, 10- <
'2 SETS RELAY i- ^
CONTACTS FAILURE OF N.O. CONTACT TO OPEN 1.0 E-8 360 3.6 E-6 10+, 10-' *
~
1 TIME DFLAY FAIL 5 TO OPERATE 1.0 E-6 36] 3.6 E-4 13+, 10-1 RELAY FAILS TO ENERGlZE o 1.0 E-4 N 3+.-3
,t=4.7 E-4 "o 17 SEE AB0VE EVENT "!X" 3.9 E-3 ,
h
= = 1. 8 E-6 a '
f 1
~
f 2 o. e Q tu 1 f
._J _ _
-~
~
~
'~ ~ I ra'n r o'.As A i t As~r t 1 T v f (Gwi " '-
rAituat D T E S l gup37:e (sa) tvt r.T com e ,t .T l tvte.r ca u,utt LtstsitTit* g,7ggy-3)
~ ~ ~ ~ ~ ~ ~ ' ~ ~
ca Fucan it:Tv lFAcTua
~'~
~
' ~ ~
1 LPI SIU.AL :;T AVAILAELE TO EXACTLY l' Ill3 C'.E PIECE OF ECulF P.L'il 1.0 E-7
; 'c- y r:s..r
.. i .;1, ~2 C ; ~' ), "" =
lA7 IFIFLE CC'iTACT FAILUEES 5EFNIT 5.9 E-S , E C0'ill'i;lTY
- j 2-0CT-GF-3 ACILATIC!i LHA*i'iELS F All TO lA8 < 1 l
LE-E'.EF312E l "
^
14 EELAY CC'. TACTS Fall I!4 (C51!.ATIC'. NITHl 4.2 E-3 ACILATIC*i CHA!J.EL FAILUFE l
- = 1.0 E-7 l }
1A7 TFIFLE CC'.iACT FAILUFES FFEVEtiT 5.9 E-S 7 m CC!.I l!.'J I T Y l < m l " IX CHA.'.EL 1 OR 2 (0 iT ACT C051tiATIC'.S 3.9 E-3 6 , FAILS TO FROVICE CC'; Tit;UITY 1.8 E 5 1.9 E-3 10*, la- 2,3,6 = FAILS TO CLOSE 1.0 E-7 ICY CH. UA 1.0 E-7 1.8 E-5 1.9 E_ _3 10*, 10~ 2, 3, 6 G g l 102 CH. \3 FAILS 10 CLOSE = D3.9 E-3 l c l 8
?m
[ 14 FEL AY CG?iTACTS Fall Iti CCSlfiATIC:4 4.2 E-8 o WITH ACTUATIC!i CHA!i'iEL FAILURE " x-360 3.6 E-6 10*, 10-ENEEGlZED ( ACTUAT10!i CHA?P4EL 1) 1.0 E-8 IACI 1 FELAY COIL 2 3.9 E-3 0 17 SEE Wii EVEt.I "lX" - e l " 1.4 E-8 O I o e i l Q i fu F O O v
- . - - - - ~ ~ ~ - - -
-r,- - _ _ _ _ - - - - - . -
-_~____.7_.____.________.______._..__._ _ _ _ _ _ _. __ , , _ _ . . _
, Evtur corwontui ! E VE NT C4 TAULT CESC91P71CN
^
E
~
T U DU T (HR) I CR $
- UIES I 5151@iALNOTAVA!UliTIOEXlCIL 0'.E PIECE OF ECUlFFENT CBit.5 yB , B, ('F B L
- 1.3 E-6 j
3 cCA g lA7 TRIFLE CONTACT FAILURES PREVENT LO';i!NUlIY o 5.9 E-8 m IA8 2-0UT-0F-3 ACTUATION CHA'i'iELS FAIL TO J DE-ENERGIZE r ,, 14 REL AY CONTACTS FAIL IN COSINATION WITH ACTUAIl0N CHANNEL FAILUPE E 1.3 E-6 $
*1.3 E-6 IA7 m IRIFLE CONTACT FAILURES PREVENT CONTINUITY $
5.9 E-S 7 IX CHAN';EL 1 OR 2 CONTACT COSINATIONS FAILS TO PROV10E CONTINUITY - 3.9 E-3 6 g ICY CH. UA FAILS TO CLOSE 1.0 E-7 1.9 E+4 1.9 E-3 10+, 10' 2,3,6 i ICZ CH. VB FAILS TO CLOSE l1.0E-7 1.9 E+4 1.9 E-3 10*, 10' 2,3,6
=
14
- = 3.9 E-T $
" RELAY CONTACTS FAIL IN CO.% INATION WITH ACTUATION CHANNEL FAILURE 1.3 E-6 5
IAC1 8 ; ENERGIZED (ACTUATION CHANNEL 1) 1.1 E-4 3 RELAY COILS ENERGIZED 1.0 E-8 360 [ 3.6 E-6 C 2 SEIS RELAY CONTACTS S FAILURE OF N.O. CONTACT TO OPFN 1.0 E-8 360 3.6 E-6 ,, kW$f FAILURE TO ACTUATE o 1.0 E-4 I-1.1 E-4
- m 17 SEE AB0VE EVENT "IX" 3.9 E-3 g
" 4.3 E-7 9 '
__ _ .,m.
/
S l JAllINL l AUm T tc A. Allab il llY L "- M i NS* f*3 I E S FACTCR [Wh1 (01 a N1 I vt ral o r< f ttu.! M EC 41 F'110!J F AT[(ed- 1) W ATirN(H,<) OR PPDEASILITY lb FE ACIOR EU"11% HICH FRESSL;E SIG'.AL ! ILBS NOT AVAILAELE TCEXACILY C'E PIECE CF FESS! 1.2 E-6 ECUIF'ENT CCFIN3 Ey, E2 CR E3 LOCA
- 1A7 1RIPLE CC'iT ACI F allures PFEVENT 5.9 E ,s E cv CGNi li.U l T Y, '
g. IAS 2-00T-OF-3 ACTUA110N CH ATiELS Fall 10 ' - I:E-E NEEG12E u 14 EEL AY CONT ACTS F AIL IN C051 NATION 'llTH 1.2 E-6 co i
~ 1 ACILAI10*. CHAN'iEL FAlLURE o
- =1.2 E-6 v TRIPLE CONT ACT FAILURES FFDU T 7 m IA7 5.9 E-S CONTINUITY IX CHAN'iEL 1 OR 2 CONTACT COSINATIONS 3.9 E-3 6 FAILS TO PROVIDE CONTINUITY 1.9 E 'i 1.9 E-3 10*, 10- 2,3,6 .3 i FAILS TO CLOSE 1.0 E-7 r- i ICY CH. UA 10 10- 2,3,6 m j 1.0 E-7 1.9 E-4 1.9 E-3 ,
ICZ CH. VB FAILS TO CLOSE - r= 3.9 E-3 o g REL AY CCNT ACTS Fall IN CO.GINAT ION 8 m 14 1.2 E-6 e WIT 3 ACTUAT10N CHA*.NEL FAILURE *
- 10+, 10- ^
t IAC1 PRESSUFE o 1.0 E-4 n SWITCH FAILS TO ACTl' ATE
- 3.9 E-3 .
17 SEE AB0VE EVENT "lX~ o
'=3.9 E 7 a n
w e fu F O n
~
e,.e-.> er-w-i--
me,-m M- Oww wMil *m'emam--- FA! E VE NT lCof1P0t;ENT EVENT CR FAULT DESC9trTION p,yE SEks. h0TES R'l) lDURQTON(HR) 0 F ! TY OR ILS ALL F3IC #4D F3SS Eeu!FF'.ENT DOES NOT FICEIVE ACTUATICri SIGNAL 1.1 E-4 EtElfo B), B2 CP B3 LOCA ILES F3 HIGH FRESSCFI SIGNAL SOT AVAILABLE 1.2 E-6 U TO F2SS ECUIPMENT 5 o ILE2 Tli'E EELAYEI' HPI SICNAL NOT AVAILABLE . THE1 :ALL 4 PSI rid CO.7.0N MOEE MISCALIBRATION OF ALL 1.0 E-4 g 33 PSI PEESSUPE FEESSUF.E SWITCHES r o l * *' E-4 D v SWilJES 2 2 e C= 1
, w *~ ;3 2
9 8 W m N 9 i 1
Table B.7 ESAS QUAtlTIFICATI0flTABLES fl0TES 1 X = 1,2,3; i f X = 1 then Y = 5, Z = 6, UA = 2A, VB = 3A X = 2 then Y = 1, Z = 2, UA = 1A, VB = 3B X = 3 then Y = 3, Z = 4, UA = 1B, VB = 2B 2 The failure rate of 1.0 E-7/ hour is the lower bound of the failure rate given ir. Appendix III of WASH-1400. The fault duration time of 27 months (1/2 of once every three refuelings-54 months) is based on a review of plant procedure SP-417. According to this procedure, these relays are tested every refueling (18 months) by closing the contacts in one out of three paths through the actuation matrices. Thus, every three refuelings, all contacts in the actuation matrices are tested. 3 For channel and contact identification see Figure B.2 4 X = 4,5,6; if X = 4 then Y = 2, Z = 3, U = 1 X = 5 then Y = 1, Z = 3, U = 2 X = 6 then Y = 1, Z = 2, U = 3 5 Failure of one channel is (1.E-8/hr) (360 hrs) =
= 3.6E-6; therefore 2-out-of-3 is approximately c.
6 X = 5,6,7; i f X = 5 then Y = 3, Z = 4, UA = 1B, VB = 2B X = 6 then Y = 1, Z = 2, UA = 1A, VB = 3B X = 7 then Y = 5, Z = 6, UA = 2A, VB = 3A 7 IA7 = 15 16 I7 8 I4 = I ACl 17 + I AC2 I6 + IAC315; where IACl = IAC2 = IAC3 and 15 = I6 = 17 therefore p(I4) was assessed equal to ( 3)p(I ACl) . p(I 7) B-48 ~, ..
~ _ ~ ,
Table B.8 ESAS - Quantification Summary r B0OLEAN POINT VARIABLE ESTIMATES' ISS1 2.1 x E-4 ISS2 2.2 x E-4 ISB 7.2 x E-4 ILB1 1.0 x E-7 ILB2 5.6 x E-6 ILB3 1.0 x E-7 ILB4 1.3 E-6 ILB5 1.2 E-6 ILS 1.1 E-4 i B-49
.s I
l
\
l i APPENDIX C DC POWER SYSTEM C
G APPENDIX C DC POWER SYSTEM C.1 SYSTEM DESCRIPTION AND OPERATION The DC power system (DCPS), which consists of two isolated buses, provides a continuous source of 250V and 125V DC power for DC pump motors, control, and instrumentation. The 250V supply provides power to the DC pump motors and certain motor operated valves. The 125V supply provides power for control and instrumentation functions. C.l.1 SYSTEM DESCRIPTION Figure C.1 shows a simplified schematic diagram of the CR-3 DC power system. The DCPS consists o two separate and independent 250/125V DC supplies,each of which includes a battery and associated battery chargers and DC distribution panels. Each 250/125V DC supply includes two 125V batteries wired to produce one 250V source and two 125V sources. A battery charger is pro-vided for each 125V battery section. A spare charger is also provided as backup to the primary chargers and its output may be fed to either of the 125V battery sections. DC power fron each 250/125V supply is distributed to the various user equipment via distribution panels including a main panel and seven individual panels. The outputs of the batteries and chargers are fed to the main panel where the DC power is, in turn, fed to the individual panels for distribution to the user equipments. The vital inverters are fed directly from the main panel. Each battery charger is sized to continuously deliver 200 amperes to its associated battery section at 125VDC. Input power to the chargers consists of 480VAC,16 from motor control centers. fiCC3A-1 feeds chargers A, C and E (spare) which serve 250/125VDC supply 3A and MCC38-2 feeds l C-1
7 l l l chargers B, D and F (spare) which serve 250/125VDC supply 3B. Switches are provided at the input and output of each charger to permit off-line test and maintenance. In addition, fuses at the input and output of each charger provide overload protection. Each 125V battery section consists of 58 cells rated at 2.2 volts / cell minimum. The capacity of each 250/125V battery supply provides the capability to deliver the loads listed in Tables C.1 and C.2 continuously for two hours and perform three complete cycles of safeguards breaker closures with subsequent tripping (1020 ampere-hours). The distribution panels consist of switches, fuses and associated wiring for DC power distribution. The switches provide the capability for on-line checkout of user equipment as well as general maintenance and checkout of various elements of the DC system by permitting disconnection from power. The fuses provide overload protection for the DC supply and user equipment. C-2
' l C.l.2 SYSTEM OPERATION During normal plant operation the battery chargers supply the narmal DC loads while maintaining float charge on the batteries. In the event of loss of AC input to the chargers the batteries will automatically supply the required DC loads.
A high and low voltage a'larm is provided in the control room via i high/ low voltage relay contact closures. The high alarm is set at 137VDC i to protect against battery overcharging during normal clant operation. The low voltage alarm is set at 210VDC for DC motor bus voltage and 121VDC for instrumentation and control bus voltage. Battery discharge is monitored by contact making ammeters located in the main DC panels. This provide _ a remote alarm when the battery is supplying power to the user equipments. In the event that a primary charger becomes unavailable due to malfunction, test or maintenance the spare charger is manually switched on-line. This will maintain the float charge on the battery section and supply the DC loads associated with the unavailable charger. BATTERY TEST AND MAINTENANCE The individual 125 volt battery sections are given the following tests and inspections: (a) The voltage, specific gravity and electrolyte level of each cell are measured once each quarter. (b) During refueling each battery is inspected for physical damage and integrity of intercell connections. (c) Battery discharge is monitored continually via the contact making ammeters. (d) Maintenance is performed on the batteries as required to correct for defects. C-3 v
BATTERY CHARGER TEST AND MAIllTENANCE The individual battery chargers are given the following tests and inspections: (a) During refueling each charger is demonstrated to be operable via an eight hour load test. (b) Maintenance is performed on the chargers as required to correct for defects. During maintenance the defective charger is taken off-line and replaced by the spare charger. (c) Charger performance is continually monitored via high/ low voltage alarms in the control room. l l C-4
Table C.1 Battery 3A Loads (DC unavailable) , rom CR-3 FSMR Cycle No. of Load Description Volts Hp/KVA Time (min.) Breakers Feedwater Pump 3B Turbine Emergency Oil Pump 250 5 Hp 0-10 Feedwater Booster Pump 38 Emergency Oil Pump 250 5 Hp 0-10 Reactor Coolant Pump DC Oil Lift Pump 250 3 Hp 0-60 Reactor Coolant Pump DC Oil Lift Pump 250 3 Hp 0-60 Turbine Generator Air Side Seal Oil Pump 250 25 Hp 60-120 Emergency Diesel Generator Fuel Transfer Pump 250 1 Hp 1-20 Makeup Pump 3B Lube Oil Pump 250 1 Hp 0-20 Makeup Pump 3C Lube Oil Pump 250 1 Hp 0-20 Motor Driven Pump to Hotwell Isolation Valve 250 .09 Hp 10-11 Auxiliary Feedwater Pump Turbine Steam Supply 250 1.81 Hp 10-11 Isolation Valve Alterrex Excitation Cabinet 125 6.25 Hp 0-120 Feedwater Pump 3B Turbine Motor Speed Changer 125 1/6 Hp 0-10 6900 Volt Switchgear 3B Control 125 3 4160 Volt Switchgear 3B Control 125 10 4160 Volt Engineered Safeguards Switchgear 38 125 10 . n Control 5, 480 Volt Reactor Auxiliary Bus 38 Control 125 2 480 Volt Turbine Auxiliary Bus 3B Control 125 7 480 Volt Intake Auxiliary Bus 3B Control 125 4 480 Volt Engineered Safeguards Bus 3B Control 125 3 Inverter 3B 125 15 KVA 0-120 Inverter 3D 125 15 KVA 0-120 Inverter 3E 125 15 KVA 0-120 Control Room Panels 125 1.25 KVA 0-120 Hydrogen Panel 125 .625 KVA 0-120 Engineered Safeguards Channel 3B Cabinets 125 .625 KVA 0-120 Relay Racks 125 12.5 KVA 0-120 Engineered Safeguards Actuation 38 Cabinets 125 .625 KVA 0-120 Emergency Lighting 125 1.25 KVA 0-120 Substation Loads 125 7.5 KVA 0-120 Miscellaneous Cabinets 125 1.25 KVA 0-120 Power Required to trip breakers as listed (10 amps / breaker for one minute).
Table C.2 Battery 3B Loads (AC unavailable) from CR-3 FSAR Cycle No. of Load Description Volts Hp/KVA Time (min.) Breakers Turbine Emergency Bearing Oil Pump 250 60 Hp 10-60 Feedwater Pump 3A Turbine Emergency Oil Pump 250 5 Hp 0-10 Feedwater Booster Pump 3A Emergency Oil Pump 250 5 Hp 0-10 Reactor Coolant Pump DC Oil Lift Pump 250 3 Hp 0-60 Reactor Coolant Pump DC Oil Lift Pump 250 3 Hp 0-60 Emergency Diesel Generator Fuel Transfer Pump 250 1 Hp 1-20 Makeup Pump 3A Lube Oil Pump 250 1 Hp 0-20 Makeup Pump 3B Lube Oil Pump 250 1 Hp 0-20 Va(uum Breaker 250 .135 Hp 0-10 Turbine Driven Emergency Feedwater Pump to 250 .09 Hp 10-11 Hotwell Isolation Valve Auxiliary Feedwater Pump Turbine Steam Supply 250 1.81 Hp 10-11 Isolation Valve l Turbine Thrust Bearing Wear Detector Motor 125 .05 Hp 0-10 EHC Cabinet 125 1 KVA 0-120 m Feedwater Pump Turbine Speed Changer 125 .166 Hp 0-10
- 3 E 6900 Volt Switchgear 3A Control 125
- 10 4160 Volt Switchgear 3A Control 125
- 10 4160 Velt Engineered Safeguard Switchgear 125 3A Control
- 480 Volt Plant Auxiliary Bus 3 Control 125 480 Volt Reactur Auxiliary Bus 3A Control 125 2 480 Volt Turbine Auxiliary Bus 3A Control 125 7
480 Volt Heating Auxiliary Bus 3 Control 125 480 Volt Intake Auxiliary Bus 3A Control 125 4 480 Volt Engineered Safeguards Bus 3A Control 125 3 Ir..erter 3A 125 15 KVA 0-120 Inverter 3C 125 15 KVA 0-120 Condensate Demineralizer Control Panel 125 .625 KVA 0-120 Instrument Repair Shop Receptacles 125 .625 KVA 0-120 Engineered Safeguards Channel 3A Cabinets 125 .625 KVA 0-120 Engineered Safeguards Actuation 3A Cabinets 125 .625 KVA 0-120 Relay Racks 125 12.5 KVA 0-120 Substation Loads 125 7.5 KVA 0-120 Emergency Lighting 125 1.25 KVA 0-120 Power required to trip breakers as listed (10 amps / breaker for one minute).
4 80 VAC MCc 3 A-1 _ 480 VAc Mcc 38-2
!)N/c hN/c b N/o bN/c kN/c heJ/o
? h b etwe B attC' jaatiery Ba tte q I 64treg cw3grA chart {r C raatie%E lcy,*g ; charger 8 chager p cy,*g i I h
t ] [ L j i 1 L g'jF IJF
; F f
[]y []y f- N/ )
'] N/0 l
[]F []F o DCBUS3A o e ,,
, , pc sus 3 B e o
{
]
~~
plSCoNMECT { ] ogscoNNECT l
. 250/12.5 250/125 125vDC[]F (Pe EN 12.5voc-(PN,N)
F satieg 3A 12.5vp43 F n5voc- 'y saue<3 (p,pg (p4WT 36 Y Y Y V TO DUAL To DUAL To00AL TO DUAL INVERTER INVERTER INVERTER INvERTEll 36 3D 38 3A Fi.gure C.1 DC Power System One Line Diagram
p - ---- C.2 SYSTEM SIMPLIFIED FAULT TREE The DCPS fault tree analysis consisted of developing trees which would serve as sub-trees (i .e. , plug in modules) for the fault trees which were developed for the various systems that require DC power during normal plant operation and accident conditions including transients and loss of coolant accidents. Accordingly, fault trees were developed to identify the hardware and human failures which could inhibit the distribution of DC power from the individual DC panels to the associated systems. TOP EVENT DEFINITION The undesired event for which the DCPS fault trees were developed was:
" Insufficient Power at DC Panel DPDP-XX" where: DPDP-XX represents the DC distribution panel associated with the particular system for which DC power was required.
ASSUMPTIONS The underlying assumptions governing the development of the DCPS fault trees include:
- 1. Insufficient DC power is defined as loss of either of the 125VDC supplies provided by a 125VDC battery section and the associated charger.
- 2. Hardware failures, such as circuit breaker, switch or fuse failing open, are not immediately repairable. The failed hardware must be replaced in order to place the associated circuit back on 3. The down time resulting from failures such as inadvertent switch opening or failure to re-close a switch is a function of detectability; i .e. , DC system alarms and user equipment monitoring features.
- 4. Calibration failures such as mis-settina of one or more charges result in a down time after detection eaual to the initial calibration period. Further, calibration errors are assumed detectable after associated equipment is placed on-line.
The simplified fault trees for the DCPS are presented in Figure C.2, sheets 1 through15. Notes to the simplified fault trees are in Table C.3. C-8
T Table C.3 (1/4) Fault Tree Notes GENERAL NOTES (a) High and Low voltage alarm is provided in the control room for each of the six chargers employed for the two DC buses. o High alarm set point = 137VDC o Low alarm set point = 121VDC (b) Reactor shall not be made critical unless both 250/125 volt DC supplies (bus 3A and 38) are energized. (c) During power operation one of the two 250/125 volt DC supplies may not be out of service for more than two hours. (d) Charging current and load on each of the buses (3A&38) are checked each shi ft. . (e) Battery discharge is monitored each shift by contact makina amroeters located in each of the main DC panels (DPDP-1 A&-1B). (f) Voltage, specific gravity and electrolyte level of each battery cell are measured once each quarter. Pilot cells are checked weekly. (g) Maintenance is performed on the batteries and chargers as required to correct for defects. (h) During refueling each charger is demonstrated to be operable via an eight hour load test. (i) Plant batteries are of the lead-calcium type. t I C-9
i i Table C.3 (2/4) Fault Tree Notes i SPECIFIC NOTES I l (1) Unless all equipment obtaining DC from a particular i panel were on standby the likelihood is believed low i that the panel input switch would be opened for main- > tenance on associated equipment. Most likely individual l switches in the panel would be used to disable DC to j equipment for maintenance. (2) Those malfunctions would be immediately detected since i operating systems would be disabled. l - If all equipment obtaining DC from the disabled ! panel are on standby then malfunction could go undetected until' demand for the equipment occurred. ! - Elapsed time to affect repairs depends on time to i detect cause of DC loss and time to place switch in proper position. ! (3) These malfunctions would have same effect as (2) above. i A longer time would be required to affect repairs since failed hardware would have to be repaired or replaced. l l (4) This malfunction causes loss of all DC from the associated l 250/125VDC supply resulting in disabling of all equipment powered by this supply. Down time for the supply would be a function of time to detection and repair time, t l i l l l l C-10 l
Table C.3 (3/4) Fault Tree Notes BATTERY CHARGER - NOTE 1 e Since work on a charger requires that it be disconnected from the DC bus, maintenance personnel may leave the switch, which disconnects charger from bus, in the "off" position. However, when work is being done on a charger a spare charger is switched on line. After work is completed the original charger might not be placed back on line even though spare charger has been disconnected. e This condition can be discovered during daily check of charging voltage and/or charging current. During the time a battery is not on float charge, loads (DC) will be supplied directly by the battery (instead of by the charger) causing degradation in battery capability. This event will usually occur, if at all, during normal plant operation. DC DISTRIBUTION PANELS NOTES: 1. DC distribution panels consist of cabling and switches for applying DC to various user equipment. Maintenance personnel can inadvertently open a switch thereby removing the DC power from the associated user equipment.
- 2. If a particular component requires DC for its operation and Test and/or maintenance requires removal of DC power, maintenance personnel may fail to restore power.
C-ll
Table C.3 (4/4) Fault Tree Notes BATTERY NOTE 1 e Batteries are housed in rooms requiring ventilation to prevent build-up of hydrogen which develops during float charging. Loss of ventilation can cause batteries to fail or degrade and possibly a significant (explosive) mixture of hydrogen can develop if charging continues after loss of ventilation. f!0TE 2 e During equalizing charge excess voltage may be applied. This can severely damage batteiy. t e During tests for grounds (systen is ungrounded) all or part of the battery may be taken off line (momentarily). e Too much electrolyte can be added. e Cells may be "jumpered" for T&M and jumper may not be removed. This has the effects of degrading battery capability. C-12
o 45 s S, Ds sMf=u a, a e m S k q Yg i
$8 h %
ad*) E (b4 RR ss h- 4
- 14 ali 4 g4 N( ~4 t g
3 N R e M o 1 q 1 % $ =m s
; < em 4 -=
1 g S I 41 d4w t s 7 fis id? D 12
'l d4 4 [a 55 taa G
%% ')%**b
'v
$ 2* t %
e(4 g 4% 11 "a ! at z*4 i4 Rt E 49 2 4 a t\ M $ x lN N oB 1YQ t d a' m AT 4 q 4%( & Nk 1 {q* u (, s .< a bI "p a
$4 eg m
4 '14 $ 4 w =g Sh' C-13 - __ R
/
( [g% N4 44 s a J
'tD M i ~ m Dk '40 4
$sh "s h d% $
~
k k
<i # ,
3 A b 4 E= m m i f I h= dl R4a k 'l s 7 g lhzi b akk k k' kN IE ba ot pt y2x 34 en o 5 e 4 49 5
't 1 x
* *b x we !
- wat 1u D u g . 'g 1 M M
i n 5 s k k bg & 43 %l= v['h4hV i b
"3 2 = i 44 atqR<3% 4 -
% '$ f g l 'b C-14 (4.444 n i
s k i
% s A s k e .nq 54' u m
.A k gt Eu 5shei h g d 4) ti i kk 4II
/ g jN t; 4E
(# e 8_ ~ ee k
% 22
% i T 5~
, s I; 2 s 1 .i A.
$ $ , s ::
1
'Ri s4s d [q 8
.$k 3eg ) '*%
m a *)i g 2
~
hS h a E ae
<6
**9 )QiY 19 n a
% -. e m t
%kM t~ E o
N k 114 ,; +s k
~
9m D k g ib a j$ta I t s a < tqu
- 0Nk k;k \
A i j N 4 "k 4 s
'td e' %
dsh hkk Iv i T! A'h ad% 4 kk . h m% 8
'T s
t
% % a, s * ; e l N $%
l$yl G lih 45 Ad i la i pa 4e }!' - 144 , o = en 1 4 y a
- 49 m
't ga u
at')mOt N N
$c,$ s (e ikhk ,
N" s h k\ 4 q g i"Tk e 4b e ii j %
" e$ti 4<R 4wqg' 3 4 .s 0 l'j(N$ i l il C-16 4g
(
s s
,d, e ~
s.
$k A
h!
% o u 6
9
~
l nMi E ys kk)q N h '8 f,} gilt}d@.h*d, 7 8 !5 9 '!14 4 2n 3 e
- kante !
s$sg(ls b.
-
- 4$ al b,4' 4 4 h' 1 4 B
.s w ai'44 S U e ~!(u a a
no kg )p ' m[ ~ gr .i)s Mg G 9
?!
q< T a . }s . 4gM
' ma
<b e ? N D $
/
< ~ 4 ~
m,y('ieta >ls s e 4 q 3i9f*D4&"'kT 4,9 jsR 4 g
/
-fhGf,fffsllH> lhu';h
~a c- "
e4:sw4 ,
-- -- - S
h R s 4 4N ih n E R k
$o$jh N- b$ <$
3p i S N dl kk %< 1 ~I TD G 4'ahh Jalt El6 4 3 ( lij i N4p 1 mi i at d xd E g e>;
- lli T4 h x N di*1'jDlE
$4bts%
z%Qh448 Nt t *UN 1 5 4 1 e 4kd%dki 4
-iH su G
s6 C-18 (. _ _ _ _
s 1 DR s Ab x i s ka - su e !m'jk NO
~
b i D s
<e
' Plu ,
%a gt n e v
E u a b 1 l'92
~u !
i, R ,. 8 1 ( - i(sals9-e e e s - k 4 3 s % e D i / Eb
~3, s a?
QA E* li qg 4euS a3 (aeh a 1 h G E e s m h '4 d 44 D a ( \[+Sd 4 ag[o '!g.'e( *a w-4 r i 1 b k) yt
'm kNs N.-
Ni A eN "flk 31_ gp li e _l%Sl4 aus R.o sa t *es * 'p 'e 8 t v, j { jd l.$$k.h g 4g(lC-19 s
~ - '
.es .
1 l s
/
fu u
&/pou
- c. cyn .
A a 'c a A c fofa hc a A, y n m mad n g. e p n. A J a o
>p
- //c cd e-a w&
kem a au t a4 s&cc a n e. rf f n f a ) )4 de. o6jt a pu p o u mfMha p p o yac cAJ / /,& ri do Acap vy> d J, d
- o. d r. 'd a.u
/e ]a A c (m /,, v vn yn 4 (o fexl w e
's 4 TJ C
'yu - wA 3, /c
/c a7
/ yp. c ep /o e-
/w r /e h cy ah v.
na c c wuo x e.
/u n 44 4 4e4h c u a Jf -,
d w d4 a ayndt < u n i a . p> a cdR a u. et w z a f /r &aa. s<y c wfA c i J t. A n< a or fc f c e dwv
/.A o
l m u v e
/uyndd a nn kkf u
c n e. or o e uy 4 pA aa pe L A i c p p A fa 9 /n n c .
. ,o o a a s .
,k
4 3 1' ., ,
,; 4 ti -
1 1 ' E f4,%) .I' i i g I I fj h
) s l }id %
l i QJ
%)pi g Dl i{s4 5
. (*p 5
Qg 9 23 t t 1 & %g F 44 A d I4lij ~ b g($ Gd}hbugbsy.R431$g iP 3s gg sq g g g" 4
$ h" XE'@ Y X Nfm 5
( i , tit 414 h.;b41 it f id: i
Ej14 l g kl j P e.T 4; <
- mx4.{ gngv6 a
t . [ p ftps 's H N' M gu
'va.911s A4hs g\ly jilliAlg s ;a}siii"w'4 te l'
C-21 -
/
g 7, kl __
~
/
t ts (N h. k
' as l (N
s4 1 l- k% a
.tl%s i ll ?
4s l b liQD I
~
% d
' st 1
*ty 39 f
44
=
1 1 Iw
'Ifk O- @ tl *!4 e af s18 4
N k T, ) z k
- E% b k b'kk
,i hkj j 4%4 I uy !
l b~ - 4k
*6 u $l~y s
44x s ts
\ N t% t ij!
~
t f'N u
< \ s t fssk
, C-22 ;gy Nss s{
i F
Cdmorpor? Meo'e ia ..'/re/to fYM [0-M zou of oc O m e Opaalbr hreafnn/enll7 o'eenefn sjer mah. din sh pav.c/ /A e zen of dc. due 4 4,- cWanyoy /en/ - zow n/Ay.en mais &u: iii sc and.a L our d4an9my Leve/ en a/] chaofma .se/ Sy Spu> a. Wor x o n ha n e y n H a y 0 4<-e. 4 /sw cda yn Ave / zour
. Lan of d c. A,e 4 hachany w ./.w<A (& ama! c.unce,d) et oru: d my / eve /- so dc. sn inaae d ua. .<a p a n d . a Q Hij4 Cha j Z.wd cn yA a# chen;ha]n c my re/ l op.inaAv xea n. coy f;n snaK c1a A &9/ chan9e9 /.~<t
// ipa cRanjk9./wel cwsp. ast cavun+)mau&c.a chaym i%o a Arc /
o 4 en of oil. c'ca 4sf/2rcrush4/4rta'u .4 hiyA chany*/,' ngs/.errt a. <n c id aain y fadiu oda. A /s.rr y ' n rt 4 /s A m-- chay.ro /~:n off asa 4 ha#eny svm4a.d nub /s&m am c/Ja//my y ad<o.c .emed&c/ec/ he.,4ce es'an;m. /ry>- off e Comm on. m o /c ,0!ccc -pers', malerie/, c'ec or marrafac/ansis, c'e/ec/.r cau<. att chan un- or 4a/ Liny A, fa ( yc.rt isa/Atoy / ' e cawu cAdnya /ri,o-sff o% A oven /oa:d chanym fad a cm haNeay o'amap. i Figure C.2 (11/15) Simplified Fault Tree DC Power System, Event "EIA-1" r
/
t
- at a
N pg '94n % s' 1
' *d 3
q% p
't m' en
~t Ar
.s b~s t ' c is an .
z ;
& 4
$5 us t
w p xx 1 " x t(stL g s .. q < w is r i 64 -c li e# b %tt Itg e &MM l'A c gig %" ss S" 4 b 6 l Rxb4 4 z
< n +2 4sg" D
N x u k4 W i DD 'i M uats%y S 4 4 1 di ' w i 'ID $1'4 klekk t s s t Dt t u o a s l
'4 9Q rl N %dw%s944g ts U % %Et 2qq 4 u4 31t1y1'4 kl xS g'ksk+aBN434 4gq
.... ~ ..
C-24 3
n stee,i is oues ai% , a-der enc'en r' fade e3 O I nr.cuJyicien/ _ Cdayer 'E' Cdmjes 'A'or Oc /=i*ont Una vaWadd. 'C' lhtavs/klk gg//e,, 3g A / <om .r And is 0 f ,_ ,4 , , T i chaiy> a 't 'A*S '" '= ' , u m vai /s h/e unsvaivah/e Faa u reee .ameArr s A,/for cAay n W T a /s,pu/ cs pom acc 3A-1 fad goin. .' fad:ma. A cadd Dpc-1 cauac Ars
. chany.a fa4 of 0.c. .<iysd 4 cdctnys a pand D .atpud .suoVeh 4 chay a fa.da go.in. a ic*adu,.u. .u; caK rpc-7 caxaze / ort a pantA /4 Apud /ye /0 a )#aA op.ut s) ofC. acfpd 4 pan.<l1A o cfauafor faifa. As re- c /s.re chan)/ /npu C8 oepul Id Ar;oul .ruis*/c/ a,0len 7'8 M o dyama/or <dtct.NcA/.t/n // 0,/zerta. x Q v / CB pf 7
8 44' 8 Figure C,2 (13/15) Simplified Fault Tree DC Power System, e
/ncorrec / C$any.<m /cd s'e / ly ena b r Event "ElA-3"
_ /pw /evc[ st ^ Ar /one l% 'b'*D
~
'y Y h '? Y"J' ' AAf " f/f ' 0
1
's m
e t s y S r e w o P ey C D z r e
/ /o e nd ad T
r t e l u gm a" F4 n cM s, R ~ dA eI iE f" i 3 l t l p'n me f /s'O ei t - n i v SE esl n d sAI f c/ o s / /o
)
5 1 s/o, o/t / i EyzA n /a f O ( 4 1 n d? e b 1' 2 C k, mo l e b /r At aa lu a mL O bl 4 i F e r u g hry u C p
/e Asfdn&
a ro/ u t
/
y n o y
/ar d he y/ n /e nt /
e a i i& a-s /sc 6,e 7 7/ i rMaA w 2/, d a , a es (ll I
Loss el O.C. n .rdd 'o /npu/ from ince 34 .i I I Inpu/ M Inpu/ M Inpuit n cdanyca 'A' cdan .s 'c ' cdanj.u %^' b vna2eadall Vna)rasfadd Un azes//eb/c. () ' fed / re.aa s
.cimi be A T Ado / .ide chanja M ' , /ripu/ CB /a6 apssi-a apua /or kaa%hm // s, win spw/ ca e Opuai6e fail .4 re-c,/o.ce hpa/ c8 af/u 7'dM on chanjn a fa dun a .im. cadd xpc.t causc /s.rr of G.C. impnd /o Chan;n Figure C.2 (15/15) Simplified Fault Tree DC Power System, Event "ElA-5" e
b
m C.3 SYSTEM QUANTIFICATION C.3.1 SYSTEM RELIABILITY CHARACTERISTICS The DC Power Distribution System is a two train system consisting of independent batteries, battery chargers and buses. DC power is normally supplied by the independent battery chargers. A third battery charger can be manually switched to either train should one of the chargers normally in operation be removed from service. The battery chargers are nornally driven by AC power. Should an AC power train be lost resulting in the loss of one charger, the battery assunes the DC loads on that train. The battery charger voltage and battery internal current are normally monitored. Each DC bus was assumed to be effectively monitored, since loss of DC voltage at a bus would result in the loss of instru,aentation that is normally operational, and it was assumed that this would be detected by the operators. Thus, during normal operation the DC system was assumed to be monitored. For the case where offsite power is available, the unavailability of each DC bus was assessed based on a two hour bus outage time allowed by Technical Specifications. The unavailability in this case was small, and assessed to be primarily due to loss of a fuse. For the loss of offsite power case, the unavailability of all buses on a single train is dominated by failure of the battery supplying that train. Since the battery is also required for the cori aponding train of AC power, failure of a battery would fail one train of DC power and the corresponding train of AC power (see AC power fault tree quantification tables). The failure of the DC power distribution system during the re-circulation phase of a postulated accident was evaluated to be negligible for both the cases where offsite power is available or lost, since offsite power n assumed to be recovered by this phase. C-28 1 _
C.3.2 SYSTEM FAULT TREE QUANTIFICATION This section presents the quantification of the DC power system unavailability for required emergency operation. The quantitative results are presented in table form with attached notes outlining the assumptions. l To perform the quantification, the simplified fault tree presented in Section E.2 was rearranged and is presented in this section in modular form. Modularized fault trees were constructed for each DC bus for the case where offsite power is available. For the case where offsite power is lost, a single fault tree was constructed for the DC power system, since the dominant faults are loss of the batteries, which fail all buses. Table C.4 shows the DC power success requirements, Table C.5 contains the top event definition for the modularized fault trees, and Figures C.4 through C.12 show the modularized fault trees. The unavai~. - ability of each gate is shown on these trees, as well as the top event un-a va il abil ities . Table C.6 shows the Boolean equations that represent each fault tree. Table C.7, the quantification table, shows the quantification , of each gate by component and failure mode. The attached notes t alain the assumptions used in the quant'fication. Table C.8 summarizes the paint estimates for each gate, and the error factors that were used in the sensitivity analysis. 9 l l 4 C-29
~.
Table C.4 DC Power Success Requirements If1ITIATOR TRAINS NOTES All DC power on all DC buses 1 fl0TES: 1. Failure of any DC bus would fail instrumentation and circuit breaker's power from that Lus. C-30
N I Table C.5 DC Power Top-Event Definitions BOOLEAN REPRESENTATICH TOP EVENTS NOTES Non-LOSP Case DPDP-1A (18) Insufficient power on bus DPDP-1 A (lB) 1 DPDP-2A (2B) DPDP-2A (2B) 2 DPDP-3A (38) DPDP-3A (3P., 2 DPDP-8A (8B) DPDP-8A (88) 2 DPDP-4A (4B) DPDP-4A (48) 2 BC-3A (3B) " " " BC-3A (38) 2 BC-3C (30) " " BC-3C (3D) 2 BC-3E (3F) " " " BC-3E (3F) 2 DPDP-5A (SB) DPDP-5A (SB) 2 DPDP-6A (6B) DPDP-6A (68) 3 DPDP-7A (78) DPDP-7A (78) 3 Loss of Offsite Power Case DCA Insufficient power on DC Train A buses 4 DCB B 5 DC Loss of both trains of DC power 6 o See Figure C.3 for bus dependencies. C-31
Table C.5 DC Power TOP EVENT DEFINITIONS-NOTES 1 DC - buses DPDP-1A and DPDP-lB are the main DC-panels i for the A- and B-trains of DC-power. All other buses are ' connected to these. l 2 These buses are connected directly to the main DC-power buses. 3 DPDP-6A and 7A are connected to subpanel DPDP-5A. DPDP-6B and -78 are connected to subpanel DPDP-58. 4 This top event is evaluated for loss of all buses on DC-Train A. 5 This top event is evaluated for loss of all buses on DC-Train B. 6 This top event represents loss of all DC-power, i c l { ' C-32 i
BC-3A B C-3C B C- 3E
-d l l DPDP-1A DPDP-5A Battery 3A DPDP-2A DPDP-3A DPDP-6A DPDP-7A DPDP-8A DPDP-4A B C-3B B C- 3D B C- 3 F ~i l l DPDP-1B DPDP-5B Battery 3B DPDP-2B DPDP-4B DPDP-6B DPDP- 7B DPDP-38 DPDP-88 Figure C.3 DC Power - Bus Dependencies C-33
___t
7 1 Insufficient b0hanj{ 1.3 E-6 DPDP-1A I Single Faults i I I DC6 Insufficient Loss of AC 1.3 E-6 Power From Panel i Battery 3A MCC 3A-1 DC5 gC 6.0 E-6 5.6 E-5 Figure C.4 Modularized Fault Tree for Event "DPDP-1 A" (Non-LOSP) , Ins ufficient
- 1. 3 E-6
((WPane{ DPDP-1B 1 Single Faults l l
- I I DC8 Insufficient Loss of AC 1*3 E-6 Power From Panel Battery 3B MCC 3B-1 DC7 kC1 6.0 E-6 5.6 E-5 Figure C.5 Modularized Fault Tree for Event "DPDP-1B" (Non-LOSP)
C-34 l l H
Insufficient Power at 1 DC Panel 2.6 E-6 DPDPXAg DPDP- XA
-~
I I Insufficient Single Faults Power at Main A-Train Panel DC1X 1.3 E-6 PDP-1A 1.3 E-6 Figure C.6 Modularized Fault Tree for Ever.t "DPDP-XA" (X = 2,3,4,5,8; Non-LOSP) Insufficient Power at 2.6 E-6 DC Panel BC-3X
-~
I I Insufficient Single Faults Power at Main A-Train Panel DC2X
- 1. 3 E-6 DPDP-1 A 1.3 E-6 Figure C.7 Modularized Fault Tree for Event "BC-3X" (X = A,C.E; Non-LOSP)
C-35
Insufficient Power at 2.6 E-6 DC Panel PDPXB\ DPDP-XB
-s I l Insu fficient Single Faults Power at Main B-Train Panel C3X 1.3 E-6 PDP-1B
- 1. 3 E-6 Figure C.8 Modularized Fault Tree for Event "DPDP-XB" (X = 2,3,4,5,8; Non-LOSP)
Insufficient Power at 2.6 E-6 DC Panel B C- 3X i
-s I
I Insufficient Singla Faults Power at Main B-Train Panel DC4 X
- 1. 3 E-6 DPDFlB 1.3 E-6 Figure C.9 Modularized Fault Tree for Event "BC-3X" (X = B,0,F; Non-LOSP)
C-36
Insufficient Power at DC Panel 3.9 E-6 ) DPDP-XA I I Single Insufficient Hardware Power at Faul ts DC Train A Panel DPDP-5A C9X 1.3 E-6 PDP-5A 2.6 E-6 Figure C.10 Modularized Fault Tree for Event "DPDP-XA" (X = 6,7; Non-LOSP) Insufficient Power at DC Panel 3.9 E-6 DPDP-XB l l l r% l l Single Insuf ficient Ha rdware Power at Faul ts DC Train B Panel DPDP-5B C10 1.3 E-6 iPDP-5 A 2.6 E-6 Figure C.ll Modularized Fault Tree for Event "DPDP-XB" (X = 6,7,; Non-LOSP) C-37
DC 1.0 E-5 O Ins u f fi ci ent Ins ufficient DC Power DC Power Train A Train B CA DCB
- 3. 2 E- 3 3.2 E-3 Figure C.12 Modularized Fault Tree for Event "DC" (LOSP) l C-38
Table C.6 DC Power BOOLEAN EQUATIONS BASED ON MODULARIZED FAULT TREES TOP EVENTS NON-LOSP DPDP-XA = DClX + DPDP-1A X = 2,3,4,5,8 BC-3X = DC2X + DPDP-1A X = A,C,E DPDP-XB = DC3X + DPDP-1B X = 2,3,4,5,8 BC-3X = DC4X + DPDP-lB X = B,0,F DPDP-1A = DC6 + DC5 MCC3A-1 DPDP-1B = DC8 + DC7 MCC3B-1 DPDP-XA = DC9X + DPDP-5A X = 6,7 DPDP-XB = DC10X + DPDP-5B X = 6,7 LOSP DC = DCA + DCB l l C-39 l
- l
Table C.7 (1/2) Events "DPDP-XA" and "DPDP-XB" ( for X=2, 3, 4, 5, 8), "B C- 3X" ( fo r X= A , B , C , D, E , F) , an d "DPDP-1 A,-1B" Quanti fications l m , bI ( \S b Ph @ (M c, N , r _. _ _ . . . _ . _ _ . _ i
;, b .* .
t7 _ _ _ _ _ _ . _ - S.._ _ . - _ . _ _ . _ _ _ _ _ ._ i i C7 cm i e
& FA +--4 e--I PA m Y r} s s s ,
. f>H ff V f + f 4 +s IO C C PO M F *( -
M e4 lWL I w
+
I
- y H
t>_>. e.
.J d to L,n Lq CO W s
e-- tD tD N , LD a t e e { ff; M W i i (A.J L.A.j! LAJ LA,j Lgj LhJ La.J , 81,a*f c, o. cm. o. e.7, m- to. to.
-e o-. c$ . m.
H *-1 to NN H in m i u.
..,y l ~ ] io 3, j
m _ _ . . f 1.-_., _ . _ . . ~ . - _ . - _ _ _ _ . s l I i e. ( P. I ! 1
+ T i H, o-M e-4 -9 Og }
( h >-- r
- N, O
- r. _.
i - w ~, m, l m.7 y
- o. .
W Lb3 L.LJ L.a.J l 7 r o e, o ; {dZ
. q A rA i >A t
< a i
.'_~ ____. ,
l t.n k l pr V I l I
' .1 <
N C l.
)' - _; 2,x
! 7- W
.. w
, m ,-
1 W G 7 u.J E.- I'
. M (L O L4J w i p W CJ sM J ,,,_2 l l
! a "i v,
- o. y
??
a a f) 4 1 -t -. ~._J k W U ~ ~ t r O, LJ.- a e La. .D [\ $ ~1 LJ fEL'i {
' O (A H-- --et 7,,
i
'ca . g b
t ,
- .. ' 2* O L5.8 eT f3 y H _U.
- m m 1 -
w m -u w
<a W,3 W-N H- k- ~* u.
f' LA D D
>- U
*i E
C- LJ - to ( .3 r c. l d ; '), a h $.9 H I J 1
* + - L. J .! gn m .n. ,,_3 y
""*W .
LL. O Q q) ( Q i,_, * - - -
! MLi O " __
W _ - - . -
; e
,w e5 %
I k i4 1 .. u" w W # W 6 m a: V V1 . .~. .T b
,_ '?._ - . . _ _ . - - -
-~ ~
, ,, -x , .
><9* ~W * % WO %
C &
", e-,.e a <\rt (p s Q m es inn rq P 's QLLv (J U U L.) VU U U p w L" ( h.M C.J C 1 MR &JCl O U s -
-.~)
_ .t . ___ _ . _ _ _ _ . . ~ . _ ~ _ t C-40 n
. l l I
#Em P~ ND "< n = >= $o=09=O53 9".O3 4 4 R
C '3 - 3
* +
3 3 3 3 3 3 3 - - - - A E E E E 3 2 2 2 2 F 3 3 3 3 0
)
R H ( N 3 0 O 8 0 I 9 0 T 1 1 A R U D
)
1
- 6 6 R - -
E E
!E 3 0 A 3 3 F
R N C I T C C P D D 0 S S C E E S S S U U E B D B T L L L L L U A R A R E E A R W R w F E O E o R U P h' e C 0 O P T P i N m T T E T E N N I N t E E C E C V I I I E C F C r IA F r u IB F S F u FN FN s UI N LI N SA SA I NR NR IT IT T N E f 0 Y Y P R R E E o' t T T C T T A A B 3 T N A 3 E C C V L D E h O.
Table C.7 DC Power QUANTIFICATION TABLES NOTES 1 The structure of the fault tree for events DPDP-2A, 3A, 4A, 5A, 8A and DPDP-28, 3B, 4B, 5B, 8B and BC-3A, 3B, 3C, 3D, 3E, and 3F are all similar. Each of these events are comprised of the same three single hardware faults and failure of the main DC bus in the train. 2 TSe DC-system is essentially a monitored system since failures would be detected when they occur. Technical Specifications i limit bus outages to two hours. Event unavailability was estimated as the product of event failure frequency and assumed average fault repair time of one hour. 3 The event unavailability was estimated as above (in Note 2), except that the average repair time was assumed to be two hours. 4 For the case of loss of offsite power the unavailability of the batteries dominates the unavailability of each DC-train. The batteries are checked quarterly and it was assumed that battery faults could be discovered at this time. The average fault duration time was thus 1/2 of 3 months. 5 See AC-Power Quantification Tables. C-42
Table C.8 DC Power System - Quantification Summary l BOOLEAN POINT VARIABLE ESTIMATES DC1X 2 1 3 E-6 DC2X 1. 3 E- 6 DC3X2 1.3 E-6 DC4X2 1.3 E-6 DC6 1. 3 E- 6 DC8 1.3 E-6 DC9X 1. 3 E- 6 i DC10X 1. 3 E- 6 I DC5 6.0 E-6 DC7 6.0 E-6 MCC3A-1 5. 6 E- 5 MCC33-1 5.6 E-5 DCA 3.2 E-3 DCB 3.2 E-3 f l X=2, 3, 4, 5, 8 C- 43
)
APPENDIX D CLASS I.E. AC POWER SYSTEM I D i
x j I APPENDIX D CLASS I.E. AC POWER SYSTEM i D.1 SYSTEM DESCRIPTION AND OPERATION The purpose of the class IE electrical system is to provide electric power to those systems required to shut down the reactor and limit the release of radioactive material following a transient or design basis event. AC power is required to operate valves and provide motive power for pumps and fans for all safety systems. The turbine-driven pump in the Emergency Feedwater System is the only safety system pump that does not require AC power. AC power is required during both the injection and recirculation phases of accident sequences. AC power is also supplied to-the battery chargers for the 250/125 VDC Battery and Distribution System. D. l .1 SYSTEM DESCRIPTION Figure D.1 presents a simplified one line diagram for AC power distribution (the DC power distribution system is also displayed). The preferred power supply for the two redundant 4.16kV Engineered Safeguards (ES) Buses 3A and 3B is the connection to the 230kV substation by means of the Unit 3 startup transformer. The 230kV substation is connected to the existing FPC transmission network by five circuits. The 4.16kV ES buses can also be fed from the Unit 1 and 2 startup transformer provided one of the two units is operating. Similarly, Unit 3 auxiliary transformer can also be used as a source provided the Unit 3 turbine generator is in operation. Upon loss of electric power due to a separation of the 230kV system, shutdown of the nuclear generating unit electric power will be supplied from the standby power supply which con-sists of two independent diesel generators. Each diesel generator feeds one of the 4.16kV ES buses. Various ES motor loads are connected to the 4.16kV ES ( buses by spring breakers. The safeguards auxiliary transfonner connections are provided to step-down the 4.16kV for the 480VAC engineered safeguards switchgear centers 3A and 3B. Motor control centers 3A-1, 3A.-2, 3A-B, 38-1 and 3B-2 are provided to feed associated safeguards equipment. MCC 3A-B is switchable between 480V ES Bus 3A or 38. MCC 3A-1 and 38-2 supply power to the DC battery chargers as well as power to the inverters in order to provide four independent 120VAC' vital buses. 0-1
D.l .2 SYSTEM OPERATION The normal supply for the 4.16kV ES buses 3A and 3B is from the nit 1 & 2 230kV substation via the Unit 3 startup transformer and "normally closed" feeder breakers 3205 and 3206. The backup connection to Units 1 and 2 startup transformer can be accomplished by manually closing breakers 3211 and 3212. In the event of the loss of the Unit 3 startup transformer or power at the 230kV substation (resulting in a loss of power on the buses) the following automatic actions occur: breakers 3205 and 3206 open and all breakers on the buses trip with the exception of a pre-selected block (block 1 of Table D.1) of feeder breakers and the 4160/480V ES auxiliary trans-former feeder breaker, both diesels start and energize their associated safeguards buses when "normally open" breakers 3209 and 3210 close. Additional equipment is manually reconnected as required for safe plant operation. If there is a requirement for safeguards system operation coincident with the loss of voltage on a 4160V bus, the bus is cleared as before and the diesels are started to energize the bus. However, the remaining selected safeguard loads (Table D.2) are automatically connected within 30 seconds by an orderly sequencing of load timers. In the event the motor driven emergency feedwater pump is required, various decay heat associated loads are dis-connected (Table D.2) prior to starting the motor driven emergency feed-water pump to avoid overloading the diesel generator. Breaker auxiliary contacts and protective relaying are used to supervise contact closures in other safeguards circuits to initiate signals and control opening and closing circuits for breakers in order to prevent bus ties and inadvertent " live" bus transfers. The 480V engineered safeguards distribution system is contained in two separate 480V unit switch gear rooms 3A and 3B. From these buses, notor control centers 3A-1, 3A-2, 3A-B, 3B-1 and 3B-2 are provided to feed associated safeguards equipment. Although MCC 3A-B is switchable between 480V ES Bus 3A or 3B through a manual transfer switch, it is normally configured to Bus D-2
I l 3A. MCC 3A-1 (and MCC 38-2) supply redundant DC battery chargers for 250/125VDC Battery and distribution system. MCC 3A-1 also supplies two dual input inverters which in turn supply two 120VAC vital buses 3A and JC. On loss of AC power the inverter is supplied by the 125VDC batteries to prevent a loss of power on the vital buses. If an inverter is inoperable, a redundant backup path to (MCC 3A-1 supplied) regulated 120VAC is available by manually switching transfer switch VBXS. Allowable outages for the AC power system are defined by the following general comments on limiting conditicas for operation of the class IE AC Electrical Power System. (For a complete description refer to Section 3/4.8.1 of the Technical Specifications.)
- Minimum conditions for operation require:
e 2 operable circuits between offsite transmission network and the onsite class IE Distribution ystem. c e 2 Diesel Generators (DG's) with associated fuel supplies. Although various combinations of the above can be inoperable for short durations, the most significant combination allows both DG's to- be inoperable for up to two hours provided two offsite AC circuits are shown to be operable. If one DG is not restored within the 2 hour time period, the reactor must be brought to Hot Standby within 6 hours and in Cold Shut-down within the following 30 hours. If only one diesel is inoperable, it must be restored within 72 hours or the reactor mst be in Hot Standby withia ' the next 6 hours and in Cold Shutdown within the following 30 hours, e In addition to the above, all of the Class IE Vital and Safeguards buses must be operable and energized from their normal sources of power. An inoperable bus must be restored i l to operable status within 8 hours or be in Hot Standby with-in the next 6 hours and in Cold Shutdown within the follow-ing 30 hours.
- Minimum conditions for shutdown require the following buses to be operable and energized from sources of power other than a DG but aligned to an operable DG:
D-3
s 1 - 4160V Emergency Bus. e 1 - 480V Emergency Bus. e 2 - 120V AC Vital Buses. Containment integrity must be established within 8 hours if less than the above combination of AC are operable. Test and surveillance requirements are defined as:
- Each independent circuit between the offsite transmission necwork and the onsite Class IE Distribution System shall be:
e Determined operable at least once per 7 days by verifying c)rrect breaker alignments, and sump pumps in tunnel contain-iag DC control feeds to 230kV switchgear are operable. e Demonstrated operable at least once per 18 months during shut-down by transferring unit power supply from the normal circuit to the alternate circuit.
- Each diesel generator shall be demonstrated operable at least once per 31 days by verifying fuel level and the diesel is started, synchronized, loaded, and operated for more than 60 minutes. it.is test can be run during normal operations.
- At least once per 18 months during shutdown:
e Perform preventive maintenance in accordance with manufacturer's recommendations. e Simulate LOSP and ESAS signal to verify automatic load shedding, bus tie breakers open, diesel starts and energizes the auto-connected emergency loads through the load sequencer.
- Emergency AC buses determined operable and energized from normal AC sources at least once per 7 days by verifying correct breaker alignment and indicated power availability.
D-4
I Table D.1 Block loading Sequence Loading hquence Quanyty Description Block 1 i flakeup and Purification Pump (High Pressure Inj.) 1 Decay Heat Pump (Low Pres-sure Ir.j.) Miscellaneous Valves, Emergency Lighting 2 j Inverters i ' 1/2 . Control Complex Lighting 2 Battery Chargers ' Block 2 , 2 . Reactor Building Fan Assemclies 1 , Ec.ergency N>tclear Services . Sea Water Pump i Block 3 1 Emergency NJclear Services Closed Cycle' Cooling Pump.
, t-s Block 4 1 Decay Heat Service Sea ',
Water Pump -
\
1 Reactor Building Spray Pump -
^
/
' I s
1 Decay Heat Closed Cycle i Cooling Water Pump , e' e . 1 > Y 9 i
/
.) l D-5
Table D.2 Disconnect loads and Additiona' Loads Required LOADS DISC 0titlECTED Decay heat pump i Reactor building spray punp Decay heat service sea water pump Decay heat closed cycle cooling water pump
) )
D-6
h b : c ;, VA _ _ _ _ _ . _ i ,,,,...,- '. . t - '\ p t f t. J. . 7ac% t.'.*, 4 i s. N, , ' ' w ael jf .A ' h' \ * ( g.s ( )h01 { ] m , - , ,,,,i , ,, j u ra t u ', @ i y u ,a C .) A A 1 E w b >g,Al3 /,q.
" g,. O ,. t O
[ d . ln. N em c<, (,q );9 3 f. ' U .t . f
- Tb 1 3A' k i.
6# O 3M
),,g e , g f
~ n. e . . .. ..
1,2 c 2. NA- J ?.th H 0. N.C. w.(. [] sic?
~
60 Q e, A 22c3 tt C. [] [] Q3:c6 4.ib K V E tZ. di(t j*H A P
!t..kOsv Ls3A ^l i,,p ai Bn 3 8 ;
^
+
, j 3D 7 =i C : a
% a I 3 g11 (3 [
wjy r A l] di C [,] $U j y
.k.(x }(E6 16 36 jb w tm..u. u t ?2 v>
h 4' , .J i .t e Ts .is 1 s; >"4 c. i' i sw r, e ' ;> 4,f, g .m
- s
. Aa t . r,t A 1. L ev e.s * ,t=<'- , e. ,, , ,, t ,u,.. .W T A. Syd"*f.
u ,,, t. Aso T,as p f y, { [N d, hy V- k. ({ 2-3A M-M uc. ' a s ieoA h. W \u PA V5 'l
, to, A us g p r. . J2 NtI Oc > l't k , to b ' ' '>
z,p V Ac L tJG. 5Af C. Bv5 3 A []19 1 0 335) Q n.i , 3355 fnmal Trusfu Sv o
/
1 tsy 1,3r v u nt. b - P ' Nu ga r, c tc51 esce s e '< M T C '. Q 0 ,
-TA-2 30 Asc v of PC '> A be' 3A~E 1.,00 V A t E'7F rcc ?>A*-1 _ ,
) )
) ) )
W Batt e.'U
,T M D 6y i ts u u IAl C ev n f N'yO CN ' *; "
VSTA w 2C tYn V6 ff 2 ic/ Q #' VOC66 M- )L ) 1 . SP( D . VtWK .'-.- - J
/ / /
y ^ i2 6 V DC- I -- 15c / IM V . Itiv. 3a O o e.c.e.e.,y i b C I- (f e d . C'. at - gg i o r'(b p,s t. 01!.s. 1 (25V.D.C It1V. 3C D v e.> A 5 -1 A 1 VB%$ '
' f) 120 vat VMI BVb 3 A
;)
sc 11C VAC Vila t f,'J 5 3 C
)
{ tj r. 6 i L '
... a.s'.J...
f Vid51L2 y 3 c, g.f g tishd:o n ue aw ) e r<o';#+S fw g,,. g., g n 1 q k v' $ lark-y If0"' "'#
,u. nes n.:. no6 s.c. 32 C y.c.
3 z n [] O [] [] 'M , 4.lb kV u46 sME. Bas 3B r 32c3 3.; 7c , pp i Vm 10_ NcO n.c 0 s.c[] 3 2 M[]
- e O > - NC t.AJ A> ge. _
i
< v o M? it M.
av 06 34 9,,p.,. ,. 4 esF a ki
.e t
'e em c
<t s.
n2 - 9 s.osm s m ; i< e fG 9 i P aim - 4. " 't I o.u.3B R .11 s A Pi M 'E "2 j s w d s.o. so n.<. M: ? ;;< . w
/,p o V At CNG. So[tl{uS'dBJS6 0 h y>> 7 u, $2 =h a e b x 3nogn+ L]33@ [] [] []3350 O
CSF 4E0V N O ,o o nm,1 U
- tsF L6cv TMc g M) 3 B-l .
b} ij B0 $ 3 8- 2 Trord. " a rm M,.Jo ic 3 pm j3 5 $^ 33!2 [] N4 4Bo vAc Nant Aux. Bu.s 3A NON IE Y Y ic Non IE 4, now.1E Loals 4 00 VAd AW-Bu ses. Fi gure D.1 Class IE AC Power System - Simplified One-Line Diagram ) D-7/8 1
/
1 l i D.2 SYSTEM SIMPLIFIED FAULT TREES ! Fault Trees were drawn for each of three levels of emergency power distribution: 4160V, 480V and 120VAC. The simplified fault trees are shown in Figure D.2. The fault summary is shown in Table D.3. j 4160V FAULT TREE l Two fault trees were developed: one for loss of offsite power (LOSP) as the initiating event, and the other for accident initiators other than LOSP. I The difference being, of course, that in the latter case offsite power must ! fail in addition to the diesels. No credible single failures could be j postulated which would fail both DG buses. Dominant cut sets for loss of ) both buses involve failure of the diesels to start, or to continue to run. j Some of the faults associated with loss of power on the 4.16kV buses are due to failures with protective relaying and logic such that automatic starting, load sequencing and circuit breaker trips are not accomplished. Common mode events include diesel common mode and hardware double failures such as the bus tie circuit breakers not opening. 1 One major assumption for this tree is that turbine trip occurs on LOSP which leaves only Units 1 and 2 and the DG's available to provide i emergency power. Technical Specifications require as a minimum two 4.16kV buses, I two 480VAC buses (3A&38), and four 120VAC vital buses available unless the i plant is in cold shutdown or refueling. 430VAC FAULT TREES Individual simplified trees were constructed for each of the seven MCC ES 480V buses. In keeping with the simplified tree requirements, general cable and bus open and short to power or ground were not considered on the basis of probability of occurrence. Thus, for the most part, each individual 480V MCC tree is represented by faults associated with its feeder breaker or loss of power supplied to the bus. Transfers are provided for other ES systems shose components require power from one or more of these buses. Bus opera-bility is also discussed in Section D.l.2 of this report. D-9
. -__ . _ . ~
120VAC VITAL BUSES Similarly as was done for the 480VAC buses, each of the four 120VAC vital buses were modeled individually to facilitate transfers. Single failures for these buses are associated with faults which cause a disruption of power to the vital bus, e.g. , fuse and breaker faults, switch failures, etc. Double failures (due to symmetry each of the trees are exactly alike) are associated with loss of power from the inverter system and loss of power from the backup 120VAC redundant regulated power supplies. This backup source is provided essent'ially only for maintenance purposes on the inverter and requires switching the manual transfer switch VBXS by the operator. This human interface is reflected on the tree. The inverter system failures are represented by single faults with the inverter itself or doubles reflecting the loss of the normal inverter 480VAC input and the "uninterruptible" backup connection to the DC power system. D-10
~ 7 Table D.3 (1/4) AC Power Fault Summary - 4.16kV Buses 3A, 3B SIMPLIFIED FAULT TREE - FAULT
SUMMARY
EVENT NAME EVENT COMP 0NENT FAILURE MODE K000001W Loss of Offsite Power Conditional Event KDL0013R Diesel Generator A Does Not Run KDL0013S Diesel Generator A Does Not Start KLC0013W Relay Logic for Automatic Start Fails to Function KLC003AW Bus 3A Load Shedding Logic Fails to Function KCB0010P Circuit Breaker 3206 Does Not Open KLC0010W Relay Logic for CB 3206 Fails to Function KCB0011P Circuit Breaker 3205 Does Not Open KLC0011W Relay Logic for CB 3205 Fails to Function KCB0012N Circuit Breaker 3209 Does Not Close KC80012W Relay logic for CB 3209 Fails to Function E0000DC1 DC Control Power "A" DC Power Not Available KDL0023R Diesel Generator B Does Not Run KDL0023S Diesel Generator B Does Not Start KLC0023W Relay logic for Automatic Start Fails to Function KLC003BW Bus 3B Load Shedding Logic Fails to Function KCB0024N Circuit Breaker 3210 Does Not Close KLC0024W Relay Logic for CB 3210 Fails to Function KCB0025P Circuit Breaker 3222 Does Not Open KLC0025W Relay Logic for CB 3222 Fails to Function T000ESA1 Engineering Safeguards Signal No Actuation Signal E0000DC2 DC Control Power "B" DC Power Not Available K0000DLW Diesel Generators 3A, dB Common Mode K House 01 Electrical Train "B" Out for Service Not a Fault Event K House 02 Electrical Train "A" Out for Service Not a Fault Event l E0000DCW Loss of all DC Power Conditional Event D-ll m
y . Table D.3 (2/4) AC Power Faul t Summary 480V MCC Buses SIMPLIFIED FAULT TREE - FAULT
SUMMARY
EVEtiT fiAME EVEtiT COMPONENT FAILURE MODE e or E" " KCB0006X Circuit Breaker 3341 g jgn KLC0006W Relay Logic for CB 3341 Premature Trans fer KCB0007X Circuit Breaker 3311 o[ ion KLC0007W Relay logic for CB 3311 Premature Transfer KCB0008X Circuit Breaker 3221 sion KLC000BW Relay Logic for CB 3221 Premature Transfer e rE KCB0014X Circuit Breaker 3351 g jgn KLC0014W Relay Logic for CB 3351 Premature Transfer ea " " " KCB0015X Circuit Breaker 3361 gm sion KLC0015W Relay Logic for CE 33G1 Premature Transfer MCC 3A-B Transfor Switch KSW0016X fP0 so KSW0016ft MCC 3A-B Trans fer Switch Does flot Close Op " E" " KC30017Y Circuit Breaker 3369 C sion KLC0017W Relay Logic for CB 3360 Premature Trans fer
" E or KCB0018X Circuit Breaker 3340 fPC m siop KLC0018W Relay Logic for CB 3340 Premature Transfer e r E" "
KCB0019X Ci rcui t Breaker 3310 g jgn KLC0019W Relay Logic for CB 3310 Premature Trans fer KCB0020 X Circuit Breaker 3220 g si KLC0020W Relay Logic for CB 3200 Premature Transfer e r E" " KCB0021X Circuit Breaker 3350 g jgn KLC0021W Relay Logic for CB 3350 Premature Trans fer KTR0030D Sa feguards Auxiliary Trans former 3A Shorts KTR0031D Sa feguards Auxiliary Trans former 3B Shorts
- - - - - _ - - - - - - - - _ - - . - -_.- a D-12 b __ . __
Table D.3 (3/4) AC Power Fault Summary - 120VAC Vital Bus 3A and 3C SIMPLIFIED FAULT TREE - FAULT
SUMMARY
EVENT NAME EVENT COMPONENT FAILURE MODE KCB00AIX Circuit Breaker 3601 Operator Error (Commission) KFU00A6B Fuse VBF1 Opens KSW00A2B Manual XFR Switch 3A VBXS-1A Opens KSW00A2X Manual XFR Switch 3A VBXS-1A Operator Error (0 mission) KSWOOA2il Manual XFR Switch 3A VBXS-1A Does Not Close KIV00A5W Invertor 3A Fails to Function KFU00A7B Fuse VBF45 Opens KCB00A8X Breaker to Inverter 3A e" " "" " gmjssion KLC00A8W Relay Logic for Inverter 3A CB Fails to Function KFU00A9B Fuse VBF 36 Opens KVRGA10W VBTR-3A 15W Power Supply / Regulator 3A Fails to Function KFU0A11B Fuse VBF35 Opens KTROA120 Voltage Trans former VBTR-2A Shorts era r Er or KCB00A4X Circuit Breaker to VBTR-2A gm jgn KLC00A4W Relay Logic for CB to VBTR-2A Fails to Function KCB00C1X Circuit Breaker 3603 Operator Error ( Commission) KFUOOC6B Fuse VBF 2 Opens KSWOOC2B Manual XFR Switch VBXS-3C Opens KSWOOC2X Manual XFR Switch VBXS-3C Operator Error (Omission) KSWOOC2N Manual XFR Switch VBXS-3C Does Not Close KIV00C5W Inverter 3C Fails to Function KFU00C7B Fuse. VBF 49 Opens KC800C7X Breaker to Inverter 3C e r E" " 9[a j9n KLC00C8W Relay Logic for Inverter 3C CB Fails to Function KFU00C9B Fuse VBF 40 Opens KVROC10W VBTR-3C 15W Redundant pS Regulator 3C Fails to Function KFU0C11B Fuse VBF 39 Opens KTROCl2D Voltage Trans former VBTR-2C Shorts Circuit Breaker to VBTR-2C rE " KCB00C4X sjgn KLC00C4W Relay logic for CB to VBTR-2 Fails to Function D-13 a
Table D.3 (4/4) AC Power Fault Summary - 120VAC Vital Bus 3D and 3D SIMPLIFIED FAULT TREE - FAULT
SUMMARY
EVENT NAME EVENT COMPONENT FAILURE MODE
" E" "
KCB00BlX Circuit Breaker 3602 fPCo sion KFU00B6B Fuse VBF 3 Opens KSW00B2B Manual XFR Switch VBXS-3B Opens KSWO0B2X Manual XFR Switch VBXS-3B s on KSWOOB2N Manual XFR Switch VBXS-3B Does Not Close KIV00B5W Inverter 3B Fails to Function KFU00B7B Fuse VBF 47 Opens KCB00B8X Breaker to Inverter 3B fPCo sion KLC00B8W Relay Logic for Inverter 3B CB Fails to Function KFU00B9B Fuse VBF 38 Opens KVROB10W VBTR 3815W Redundant PS Regulator 3B Fails to Function KFU0B118 Fuse VBF 37 Opens KTR0B12 D Voltage Transformer VBTR-2B Shorts "E " Circuit Breaker to VBTR-2B KCB00B4X f[ sion KLC00B4W Relay Logic for CB to VBTR-2B Fails to Function e r Er or KCB00DlX Circuit Breaker 3604 f{g jgn KFUOOD6B Fuse VBF 4 Opens KSWOOD2B Manual XFR Switch VBXS-10 Opens r KSWOOD2X Manual XFR Switch VBXS-1D 0n KSWOOD2N Manual SFR Switch VBSX-1D Does Not Close XIV0005W Inverter 3D Fails to Function KFU0007X Fuse VBF 51 Opens r E" " KCB00D8X Breaker to Inverter 3D fpea g jgn KLC00D8W Relay Logic for Inverter 3D CB Fails to Function KFU00D9B Fuse VBF 42 Opens KVR0010W VBTR-3015W Redundant PS Regulator 3D Fails to Function KFUODllB Fuse VBF 41 Opens KTR0012D Voltage Trans former VBTR-2D Shorts era or E or KCB0004X Circuit Breaker to VBTR-2D g j9 KLC00D4W Relay logic for CB to VBTR-2D Fails to Function D-14
] _-
' NO PO WFR cN 4,16 i< L' [ piu, E t. Sv.t': LOSS of 4.1b Kv DiC5EL K1 \ gusts This sheet em I DOUBLES y10 D E O I P I I t40 ?:4E2 cN NO PhfR ON LOSS OF ALL a.it K V E; ; ', . 4.t6 KV Sus K 2. - 3A 3g /K3 oc poggg O"
- 5 *(
- i togcope w K DL c013 s K DL 0o23 s onJ d ed 2 3ma neef 2 K DLoot3 K K DL 00 2 3 R.
K LC 0013 W K LC 002 3W K c 6 0012 N Kc Boor 4 N I K LC oon2 W K Lt 002 4 W Dit sE L KLC003AW K Ltoo 3 BW CoMt10N MtDE Ed0 00 D01 E 90 00 Dc2 KUU O Dw KCBcG25 P cctDEtt N0 f0WER ON K LC 002 5 W I t41 T. OT HER -- 416 KV viESEL THMJLobF SuSES T00tESA1 SF' E AKE k' 3205
~'LO ST o~p KC6 0011 P
-LOL5 OU ~~
orf 5lTE 416 A V DIE SEL K LC Mll W POWER SUSES TOTE 1 gi? c 20 i':/ K1 NOTES: 1. Assumes Units 1 Turbine Trip occ THis sliECT 2. Tech. Spec. mini shutdown: one 4. bus (3A or 3B); ] I m _ _ _ _ _ _ _ _ _ _ _ _ . _ . . _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ . _ _ _
l } L 3 ano r/Olu , s ytyp j psy (tsorE!; l j2-) 1 1 i l I TEST At4D t1AIN TCtWR E P UAM/ ARC BoTH BOSES BOTil BUSES dom WsN MODE ottAVAttABLE UNAVAll ABLE [ (h m I -- l sus tic NO P0't'LR ON no n,/cg og BRCAKER5po No_r opg N ELECTRIC 416 KV B05 416 Kv sus ELECTRIC 3^ 3B T R AIN B' gg,,
"
- ouT Fon
/K2 g3 service SERVICE TH15 5tiECT THIS SHECT K ll0USE. 01 K ROOSE 02 FREAKER 3Z06 KCS0010P K LC 0010 W rigure D.2 (1/4) Simplified Fault Tree -
2 are down and AC Power System (4160VAC Buses)
<rs on LOSP um required for kV bus; one 480VAC 0-15/16 ,wo 120VAC vital buses. (
t s s
~
LOSS of LOSS OF 48o VAc. BOS 48 #^0 O U b 3A-1 /K6 K7\ 3A-2 SING LES Los of 4B0 gg gg gg3 LOSS OF 480 VAc Mdi Bus 3A vat Mcc Bus 3 A i i CB 334l C B 335I OPENS K4 OPENS K4 T"' "C K'00 '"# TKiSsKCCT Kd B 0006A K L(,0006 W gos3 op4go VAc Mct Bus K9 \ 3AB l Lo 55 0 F 4 80 No POWER FRota l VAC MCC BV5 /K4 480VAC B05 3A 3A THIS S tlE ET
.-w -%
SINGLES LOSS OF POWCK ' SS I b8 FROM 4-16 KV SNG LES VAC MCC bus 3A 605 3 A i t K TK 003o o c.6- 3361 Kc g ooo7x K2 OPENS K4 K Lc 0007w stit t T 1 K65 coIS A THIS silEE T k dB 0008X k LC 00tSW k LC o008 W i e
d Lossof 480 Loss o F 480 Y VAC B u s 3 B-1 /K8 Klo\ vat 605 35-2 l
-w -w SINGL ES '0"'bOE 460 stNGLES Loss F'+80
, vat tacc Bus 33 vat tAcc. 805 35 C.B. 3340 c. B. 33 50 OPENS K5 opCNs K5
%d 8 colo A THis SHEET KtB602ix. THIS 5HCCT KLt 0018 w KLc cozi w I
No Powcr Loss of 4 Bo FRoM AkvAC VAc. Htt B05 DV5 3B K5\ 3 P;
' $ I SINGLES 0
sin G t.E5 VAC tact 805 36 FgoM 416 KV Bus 36 K 6 W 004 X KTR 0631 D K5 g c 3 3o g x, K3 KSWcoi6 t4 KC 6 0017 A THis StiEE T K LC 00 \9 W G\tECT 1 KLc0017W Kcs co2o8 l K Lc co20 W - Figure D.2 (2/4) Simplified Fault Tree - AC Power System (Individual 480VAC MCCs) g ! 0-17/18
LOSS of i20 l j t/Ac VI TAL SUS 3. A l J l l l __.f______-____._._.___.-_._T____..__________.___.__l ' stWGLES poogtES
,__. T -._ iT K d B 00 Al's NO PowE Ps K Fuon A6 B SUPPLI C D TO v_ets IA- - . _ . - _ .
__._] Nb PowC K NO POWEK F P,t il EgoM REG. I t'7Ei'TE K 5 A tTR r4 3A g . _ _ _ _ T _ _ --_ _ _ _ _ __ _ '. . P. _ . _ _ _ SINGLES DoVBLE5 t SINGLE 5
, gg VA6
_ .!_ . _.. l BUS SA 1 KSWOOA2 DW. 3 A N o pog g y' KsWoo A2 N FAUL T5 soPPLIED To K6 7 s y, 3 4 - - - K FUOO A9 B SHC[T2 KFUODA7B ( KF00Att B
.I- .- . _ .
KTK 0 A[2 D NO 4 00 VAC LOSS Of NO i K LC 00 A4 W POWER To BACKUF DC Peu IN V. 3A_ _. PcWERSouRf_E I.H td Loss of~l25 VDC M Aiu PANEL J
-_ _ _ I _ _ _ _. _ ._ __ _ _ _ _. l I- - -
'O F Loss or ciRCU!T 480VAC 605 3,c,L AR Epi oPEus EIA 4 80 V^t 3A-1 -- - - - - - -
oc poggg W 5 3 \-I K t 6 v u, M, K __ K6 KLdooASW KG m r T (( - 5!ICL T 2
d Lc55 o f t20 VA C V LT/sl bOS 3 C.
)
g
- T . - _ _ _ .
SINGLCS DDUBLES KCBoocix 3 l l K FU ooc 6 6 50f pLIE D TO KSw ooc 2 B VBx 5-1 c __
~
tIO Eo~v)ER ~ go powc 4 FRoti INVERTER TROM KCG-3d XTRM 36 p 1 _ .T _ ____._ ___._] l j DOUBL E 5 LcSs I 49 SING L E5 m VAC BOS
! 3 A-1 No POWE K K 5w ooc 2x 1 n y. 3e SUPPLIED To K6 K SW ooc 2 N
_t u v. 3 c FAUL T5 st(CC T 2 K F000 c 7 B K1vooc 5 W KvEocto W KFU oot7 6 KFU0C t 13 I~ I-- l KT Roct2 D 80 VAC 1055 o F C R To BACKUP oc K LC ODCD/
- 3C Pov)ER SouRct l
LOSSoFL25 7 VDC M AIN PAN EL Figure D.2 (3/4) Simplified Fault Tree - I AC Power System (Individual cincolT 120VAC Vital Buses A, C) ERE AK ER OPENS EA1 DC POWER TREE D-19/20
)
K Lt coc 3 '</ 3 7
-_ I
LOS$ o f 120 VA C. VI T AL _ Sus 3 6 I l c n4 G LES coeLES I K c.S cos t A no p3weg K FUooB6 S 5'JPPLI ED TO VBKS-tB K svjo o B 2 B No POW CK gg p g.<1 ER W' F80M REG. INVER1ER 3B g 77,g 3 g, T b._ l l l
'0 b I GlHGLES DOU BL ES 6t N C3 L 'C S lt90 VAC
- } -_ _ E05 36-2 I U V. 3 B NO POW E R O S2 N T AO L T5 50pplI ED To Klo 199 3 e , k FUoo B9 B
-H E T2 Kiv 00 B 5W K VRosso W K To 00 B 7'S k 700B11 B KTKost2 D
_ _f_ _._ ' ~ ~y - R KtSco64x No 4 80 vat Loss o p POWEit To B Attup ot K'C0064W I N V. 33 g;g p,y;gg f _ l~ ~ ~-~ LOSS of i25 VDC. M AI N J-~ 7-q ~ PANLL LOY2 l 0F Los5 o[ :,go ctFculT EIS 4 80 VAc i VAC EV6 S T4 AKE F.o[UJ5 33-2 oc pcwEg Bus 36-z Kc S ct, ee n 1' M 1 5 HEE T 2 gio K LC00 BdW gio
)
LOLS o[ !20 VAc vs TAL EuG 3.D } T I __ l 61N C.L C S DOVELES I KGBooDiX g, pogg g kVVcoD6B s0PPLIED To K 5W oo D2 8 VBx5-ID Ho POVJ ER No PoviER TRo t-1 FROM RE G INVERTcR 3p ATRf4 3D T - T
-- l __1_ __ ! ,
~
DOUBLES SINGLES LC% OF 480 vet SINGLES l Bus 3E-2 INV.3D K SW oO D2 X Ho Pov>CR suppicD T FAULT 5 Kio K5 Wood 2 N It J v. S o K F Uoo Dq (3 KTVooDSW s tit cT 2 URO DIOW K TUco D7 8 K FU oot\ 3
]~ ;
KTRO D\2 D tio 4Bo V At toss op KCBooD4x 'ov1C R To BAcxup oc KLc co D4 w itJV. 3 D PcvJCR sour (t i Loss of 125 yoc Figure D.2 (4/4) Simpli fled Fault Tree - 7 - t% uJPANEL ' AC Power System (Individual tiR(vi-T 120VAC Buses B, D) 6 M ANCR OPENS pc PovlCK D-21/22
\
Kd b oo D8 A T R E.C 4 ET2 KLc 30 pgw i o
D.3 SYSTEM QUANTIFICATION D.3.1 SYSTEM RELIABILITY CHARACTERISTICS The Crystal River AC power distribution system is a two train system with the capability of being energized by multiple sources. The preferred source, and the one that the distribution system is normally aligned with, is the 230kV substation through the Unit 3 startup transformer. However, if power from the 230kV substation is not available, the distribution system may be aligned to receive power from either Units 1 or 2 (if they are avail 'le) or from the onsite diesel generators. This realignment requires the av. ' ability of DC power. AC power is supplied to the various safety systems rom a variety of buses on both (independent) trains. For the case where offsite power is available, the unavailability of the major AC buses was assessed to be primarily due to premature transfer of breakers and transformer shorts during a time window that would make the bus unavailable, but would not require the plant to be shut down (by Technical Specification limits). Since these faults are relatively rare in occurrence, and since the fault exposure time is small, the unavailability of individual buses was assessed to be small compared to other faults. The unavailability of an entire train of AC power is smaller still. For the loss of offsite power case the unavailability of the AC power trains was assessed to be a contributor to safety system unavailability. The major contributors to AC power unavailability (both single trains and both trains) were assessed to be due to failures and maintenance outages of the diesel generators coupled with the unavailability of power from Units 1 and 2. Failure of a battery in the DC power distribution system was a less important contributor. D-23 B
D.3.2 SYSTEM FAULT TREE QUANTIFICATION This section presents the quantification of the AC power fault tree for emergency operation in response to an accident or transient. Only AC power availability during the injection phase of an accident or transient is presented. AC power failure during the recirculation phase was assessed to be of negligible probability compared to other safety system failures for the following reasons: e For the case where offsite power is available, failure of individual AC buses by premature breaker transfers could probably be recovered within an acceptable time frame to nitigate the accident. These failures are of small prob-ability compared to other safety system failure modes, at any rate. Loss of an entire train of AC power is an even smaller probability event. e For the case where loss of offsite power is the initiating event, it was assumed that offsite power would be restored by the time that the recirculation phase started. This assumption was based on WASH 1400 data that show that the probability of restoration of offsite power three to ten hours af ter offsite power is lost is very high. Other options for recovering power by the recirculation phase include restoration of diesels that may have failed at the onset of the accident (Units 1 and 2 require offsite power for res tart) . Modularized fault trees were constructed for each of the 4160VAC and 480VAC buses with offsite power available. For the loss of offsite power case, modularized fault trees were constructed for AC power Trains A and B, and for total loss of AC power. Table D.4 shows the success requirements for AC power distribution, Table D.5 contains the top event definition for the modularized fault trees, and Figures D.3 through D.9 show the modularized fault trees for both the LOSP and Non-LOSP cases. The unavailability of each gate is shown on these trees, as well as the unavailability of the top events. Table D.6 presents the Boolean equations that represent the fault trees. Table D.7, the quantification table, shows the quantification of each gate, by component and failure mode. The attached notes describe the assumptions used in the quantification. Table D.8 summarizes the point estimates and the error factors for each gate. D-24 C, .-
Table D.4 AC Power SUCCESS REQUIREMENTS INITIATOR ^ RAINS NOTES B1, B2, B3, B4 1/1 480V, 4160V buses 1,2 All Transients LOSP 1/2 AC power trains 1,2,3 NOTES: 1. Train A of AC power supplies power to the A trains of engineered safety systems. Train B supplies power to the B trains of these systems.
- 2. Analysis was performed for individual 480V buses for the case where offsite power is available. Analysis was performed for the A and B trains of AC power for the loss of offsite power case.
No analysis was performed for the 120V AC vital buses for the offsite power available case, since these involve failures of the 480V buses, coupled with additional failures, which make the failure probabilities negligible.
- 3. For the loss of offsite power case, credit is given for obtaining power from units 1 and 2 through the auxiliary transformer.
An assessment of the availability of this additional backup power source is contained in the analysis. D-25
Table D.5 AC Power TOP EVENT DEFINITIONS BOOLEAN TOP EVENT NOTES 3EPRESENTATION Non-LOSP-CASE 3Al No power on 480VAC bus 3A-1 , MCC3A No power on 480VAC bus MCC3A 3A2 No power on 480VAC bus 3A-2 3B1 No power on 480VAC bus 3B-1 MCC3B No power on 480VAC bus MCC-3B 3B2 No power on 480VAC bus 3B-2 MCC3AB No power on 480VAC bus 3AB LOSP-CASE ACA No power on 4160V ESF bus 3A ACB No power on 41t0V ESF bus 3B AC No power on either 4160V ESF bus 3A and 3B A2 No povrer available from Units 1 and 2 D-26 e
AC=ACA*ACB Failure of 2. 3 E-3 Both _ AC-Trains (See Note 1) (h Failure of Failure of AC Train A AC Train B ACA ACB \ 3.2 E-2 3.2 E-2 NOTE: (1) ACA and ACB are not independent, thus Boolean reduction is required to evaluate AC. Figure D.3 Modulcrized Fault Tree for Event "AC" (LOSP) D-27
ACA\ /ACB t Failure of Failure of 3', g_p
- 3. 2 E-2 -
AC Train A AC Train B l
- -s n A System Single System Si n gl e Fail ures Interface F: : i ure< Interface Faul ts Fa ul ts i
n Al AX1
/'\
f M i
/
LAX 2 1.0 E-3 3.2 E-3 1.0 E-3 ? ? F- 3 No Power [ Fower From Units 1 and 2 [ ]
~
Fr on 'Jni ts L 1 cod _, 2
/
/
A2 LF
- 0. 36 . . _ . _ _ _ _ _ _
0.36 Single Test and Si ngl e 7,. 4
.nd Diesel Maintenance Di es el m j ng .,,m'g Faul ts Outages Fauits pn.-. O,'
A3 AM1 . /_s_\ ? 6.1 E-2 1.6 E-2 6.2 L-,' 1.6 E-2 Figure D.4 Modularized Fault Trees for Events "ACA and "ACB" (LOSP) D-28
A2 0 . 36
.~
P No Pceder No Power Available Available From Unit 1 From Unit 2
^ ,
la - Unit ! Uc. i t 1 Unit 2 Unit 2 rown Trinc' ca Down Trips On t t. , y. n r !..t Los; o f Net
'\ /\g
'/ \
/ ff, N / 7,7 N s
A8 A9
- n. 0.5 0.2 0.5 Fiqure it. ~ , . ' c ,zt.d Faul t Tree for Event "A2" (LOSP) l D-29 i .
3Al 7.0 E-5 3A2 7.0 E-5
-~ -~
/"i' Single MCC Bus Singl e MCC Bus Faul ts 3A Faults 3A 5.6 E-5 1.4 E-5 1.4 E-5
-~
MCC Bus 3A 4160 Bus \ CB 3205 hI t A 1.4 E- 5 A 4.2 E-5 Figure D.6 Modularized Fault Trees for Events "3A-1" and "3A-2" (Non-LOSP) [,-30
3B1 7.0 E-5 382 7.0 E-5
/A Single MCC Bus Single MCC 3B Faul ts 3B Faul ts n1
- 5. 6 E- 5 1.4 E-5 1.4 E-5
- 5. 6 E-5 4160 CB MCC 3B 3206 Single Fa ul t s 1.4 F c 4.2 E F Figure D.7 Modularized Fault Trees for Events "3B-1" and "3B-2" (Non-LOSP)
D-31 l
MCC-3AB 7.0 E-7 ( No Power No Power From 3A From 3B
-m ,N I
CB 3361 MCC 3A CB 3360 MCC 3B F 1.4 E-5
\
5.6 E-5 l.0 E-2 5.6 E-5 Figure D.8 Modularized Fault Tree for Event "MCC-3AB" (Non-L OSP) D-32
Table D.6 (1/2) AC - Power LOSP B00LEAll EQUATIONS BASED ON MODULARIZFD FAULT TREES TOP EVENTS NOTES AC = ACA ACB (1) INTERMEDIATE EVEN11S ACA = Al + AX1 + A2-(A3 + AM1) ACB = A4 + AX2 + A2-(A5 + AM2) A2 = ( A6 + A7)J; A8 + A9) AX1 = DCA AX2 = DCB BOOLEAN ElUATIONS REGROUPED FOR BOOLEAN REDUCTION TOP EVENT AC = (Al + AX1)-[A4 + AX2 + A2-(A5
- A"2)] + (2)
+ A2-[(A4 + AX2)-(A3 + AM1) + 'M 4 A3 AM2 + A5 AMl]
INTERMEDIATE EVENTS SAME AS AB0VE NOTES: 1. This event AC is not Boi) lean reduced.
- 2. The event AM1 AM2 is prohibited by Technical Spbcifications and is therefore not included. ./
,- 4 a $
+
D-33 , , l' h
Table D.6 (2/2) AC - Power Non-LOSP BOOLEAN EQUATIONS BASED ON MODULARIZED FAULT TREES TOP EVENTS 3Al = AF6 + MCC3A 3A? = AF7 + MCC3A 3B1 = AF8 + MCC3B 3B2 = AF10 + MCC3B 3AB = (AF9A + MCC3A)-(AF9B + MCC3B) INTERMEDIATE EVENTS MCC3A = AFl + AF4 MCC3B = AF2 + AF5 / D-34
SENS. NOTES EVENT COF.PONENT EVENT OR FAULT DESC9fPTICN R TE R-1) DURAT CN(HR) P BA LI OR Al SINGLE FfILUCES TO TRAIN A 1.0 E-3 l l CIRCUIT EKR l 3233 FAILS TO TRANSFER D 1.0 E ,> 3., 3-g A2 P0t/ER FROM UNITS I ANP 2 NOT AVAILASLE 3.36 E _ ro D A5 0'11 I 1 00'JN D 0.2 a A7 011T 1 TRIPS ON LOSS OF NET D 0.5 7 y A5 U11T 2 DOUTl D 0.2 6 g A9 UNIT 2 TRIFS ON LOSS CF NET D 0.5 7
~
3
'(:)" 0.36 m
A3 SINGLE FAULTS TliAT FAIL POWER FROM DIESEL 3A 6.1 E-2 ;@ 3.0 E-2 3+, 3- r CG-3f- FAILS TO START D [+ DG-!A FAILS TO RUN 3.0 E-3 13 3.0 E-2 10*, 10- 1 = ) RELAY LOGIC AUTO START FAILS TO FUNCTION NOT SIGNIFICANT 2 N o a CIRCUIT BKR 3^, 3-8 3209 FAILS TO CLOSE D 1.0 E-3 g 2 a RELAY LOGIC CIRCUIT BREAKER FAILS TO FUNCTION NOT SIGNIFICANT LOAD SilED. > LOGIC FAILS TO FUNCTION iiOT SIGNIFICANT 2 y r=6.1 E-2 g AX1 SYSTEH INTERFACE FAULTS 3.2 E-3 E DCA Afil DC TRAIN A FAILS ON LOSp TRAIN A TEST & MAINTENANCE OUTAGES 3.2 E-3 1.6 E-2 8 3 {g 3/720 1.3 E-2 3*, 3- H CG-3A OUT FOR TEST 3 3*, 3- { DC-3A OUT FOR UNSCHEDULED FAINTENANCE 2/8763 15 3.5 E-3 M 8 9 t= 1.6 E-2 8 3
FA!! 0;E I FAULT l'N AV A' L ASILI T Y ! ER40R l BENS
- j NJTES ]
l EVENT CC??C':E N T EVENT CR FAULT CESCH PTICN OR PROBA3!LITY ! FACTOR [ i RATE 7HR-1) l DUR AT IC'4(Hrd L ---- - - -
-+-- --.{ - .t-_- o j
l A1 SINGLE FAILLTES TO TRAIN 5 1.0 E-3 f l 1 j j CI5CUIT 3kR l 1.0 E-3 ! 3*, 3 , , FAILS TO TRt.N UER D f32C5 ' l I
?2 PO':EF FPJ U';lTS 1 .] 2 vlT , VAIL /dLE l ! I 7 l j 0.36 l (SEE EVE'I ACM ;
E l l 1 j A5 SINGLE FAULTS INAT FAIL PC'.!ER FR 2 l '" I i DIESEL 35 6.2 E-2 J 3,0 E-2 3*, 3- . FAILS i0 START D m l lDG-33 ! t - FAILS TO RUN 3.0 E-3 10 3.0 E-2 10', 10- 1 m l lcc, ^) 9 NOT SIGNIFICANT 2 RELW LCGIC AUTO START FAILS TO FUNCTIOf. -
!CIFCUIT RK; l 1.0 [-3 i 3+, 3-j$210 FAILS TO CLOSE D lRELAYLCGIC CIRCutr BREAAER LCGIC FAILS TO 2 l @
FUNCTION NOT SIGNIFICANT " j j lLO.5D SnED. LOGIC FAILS TO FUNCTION NOT SIGNIFICANT 2 I 5 o <
; ('o c
w CIRC,UIT BKR 3+, 3-e --
))14 FAILS TO CPEN D 1.0 E-3 2 ?
NOT SIGNIFICANT 2 RELAY LOGIC CIRCUIT BREAKER FAILS TO FUNCTION LSAS-B NO ESAS SIGNAL AND NO RECOVERY D NOT S;GNIFICANT 2 5 56.2 E-2 y, n 3.2 E-3
- AX2 SYSTEM INTERFACE FAULTS ,
DCB CC TRAlh B fills ON LOSP 3.2 E-3 8 8s AP2 TRAIN B TEST & fiAINTENANCE OUTAGES 1.6 E-2 3 0G-33 3/720 3 1.3 E-2 3*, 3- f. 5 DG-33 OL'T FOR TEST OUT FOR L'NSCHEDULED PAINTENANCE 2/8760 15 3.5 E-3 3+, 3- ti y
- .= 1.6 E-2
____t _
A@Y gN Cd
- g@g =gO: $a iS. =
. r +2 928- O?50-S E 4 4 4 5 4 4 T
O N S. E N - S l R O 3 3
~
3 3 '3 ~ 3 T , , , , , , -
* + * + * * -
3 3 3 3 3 3 - T I 5 5 5 5 5 5 6 5 5 5 3 A E E E E E E E E E E E
+
4 4 6 4 4 2 0 0 4 4 2 R _. 1 1 5 1 1 4 4 1 1 1 4
= ~
R r O
) -
R H ( t 4 4 4 0 4 4 T 1 1 1 1 1 A R U D t
)
E-R G 6 G 6 6 5 E E E E E E IE 0 0 0 0 0 0 A 1 1 1 1 1 1 Fg g S _ T R O N H C S TI A _ P 3 _ 91 1 I R ) ) C - N A E N N S A E M E E E 3 P S S R P P _ D C U I O O O T ( E E L F ( ( T N L U S L E R B V R A N R R U V F A 0 E F A E E A E F L 6 F R E F F F S I 1 S E T T S S O N A f: N L . A N N R T A V A G x R A A O R A , R N u E R R S T N S T I A P T T T T U T S O N L E L E D E E E U R A U R A R O R R V A U 3 A U 3 A T U U E F T F T U T T A S A S G S A A . L N U E M U E L M M L E S L E B F I E E G i R G R A A R R . f P C N P C S F P P I C I C S N S 1 f T R R R R R R K . N K E E K K E f S B E r. P B B 0 T T O 0 T T P I I C F I I N U U S S U U C1 C5 _ O N N C1 C1 C R4 R0 A A R1 R2 I3 I2 PA RA I3 I2 - C3 C3 T3 T3 C3 C3 A T 3 E N 6 F C I C. F 4 F V A ' l A A - E
?d
# T ^ SENS, NOTES 3 A OR EVENT CCf'PC P.EN ENENT OR FAULT ESC I IC R E
-1 D
__ _J)_______.__.__7 T -
;;;4 1.4 E-5
- AF7 SI:iGLE FALLTS TO EVE.iT 3A-2 3+, 3- 4 .
CIRCUIT BKR 1.0 E-6 14 1.4 E-5 3351 PREMATURE TRANSFER (CPEN) 1.4 E-5 AFB SIM LE FAULTS TO EVE'iT 3B-1 s N CIRCUIT BKR 1.4 E-5 3+, 3- 4 g 1.0 E-6 lt: 3340 PRE?*.ATURE TRANSFER (CPEN) 5.6 E-5 m NCC BUS 3B U'iAVAILABLE 1.4 E-5 g AF2 SINGLE FAULTS, 4160V BUS B Pe CIRCUlT BKR 1.4 E-5 3*, 3- 4 1.0 E-6 14
- 3205 PREMATURE TRANSFER (OPEN) 4.2 E-5 AF5 f.CC SUS 3B SINGLE FAULTS ?N TRAi4SFORTIR 4 4.0 E-6 3*, 3- 4 ,=
1.0 E-6 3B SAFEGUARD AUX. TRANSFORMER 3B SHORTS _ TRAi4Sf0RiTR 1.0 E-3 3+, 3- 5 1.0 E-3 10 3B FAILS TO CPERATE " o 3*, 3- 4 = CIRCUIT BKR 1.4 E-5 ~ 6 Co 3310 PREMATURE TRANSFER (OPEN) 1.0 E-5 14 ' 1.4 E-5 3+, 3- 4 $ CIRCUIT BKR 1.0 E-6 14 o. 3220 PREMATURE TRANSFER (OPEN) r=4.2 E-5 e3 to 1.4 E-5 AF10 SINGLE FAULTS TO EVEt4T 3B-2 b 3*, circuli EKR 3350 PREMATURE TRANSFER (OPEN) 1*0 E-6 14 1.4 E-5 3~ 4 [ C c. t r. O 3 m O 3 s O m
p _ _ _ EvcNT ^ E I SENS. EVENT OR FAULT DESC91PT!CN NOTES l Cor*PCNENT RATE \HR-1) DURATI 1(HR) P ! OR i AT9Al SINGLE FAULTS TO BUS 3A 1.4 E-5 1 CIRCUIT BKR g
'3'61 PRE"ATURE TRANSFER 1.9 E-E 14 1.4 E-5 3+, 3- l, 4 5 AF93 SINGLE FAULTS TO EUS 33, AND OPERATOR I
m FAILS TO T"dNSFER 1.0 E-2 l - i-CIRCUIT BKR 33C0 S' AITCH i:CC3' PREMATURE TRANSFER 1.1 E-6 14 1.4 E-5 3+, 3- 4 (* B TRANSFER SWITCH FAILS TO CLOSE D 1.0 E-5 3+, 3-OPERATOR FAILS TO TRANSFER D 1.0 E-2 3+, IT 0 7 m I-1.0 E-2 g 2 5 b, O > L, 9 - e a 2 2 C. O 3 m
?
r-3
Table D.7 AC Power QUANTIFICATION TABLES NOTES 1 Times for the injection phase can vary from 0.5 to 10 hours depending on LOCA size. A fault duration time of 10 hours was conservatively chosen for the injection time. 2 This fault was not evaluated but was assumed to be of lower probability than other faults in this gate. 3 Testing occurs approximately three times a month with an average duration of three hours. Testing itself does not remove the diesel from service; however, loss of offsite power during testing would present the diesel with a full-load reject situation, which is assumed to trip the diesel off-line. Unscheduled maintenance occurs approximately two times per year with an average duration of 15 hours. 4 Technical Specifications require the plant to go to hot shutdown within eight hours after loss of AC-bus. This fault was assessed as an unavailability of a failed equipment. 5 Ten hours fault duration time was conservatively assumed to represent the injection phase. 6 Availability for unit is defined as portion of time plant is producing power or in spinning reserve. Plant records show this to be about 80% of the time for CR-1 and CR-2. 7 Unit has experienced two opportunities to run back on loss of offsite power, and has been successful once. Hence, the probability of a successful runback was estimated as 0.5. 8 See DC Power Distribution System quantification tables for 10SP case. D-40 ~ -
Table D.8 AC Power Quantification Summary BOOLEAN POINT VARIABLE ESTIMATES i' Al 1.0 E- 3 A2 0.36 A6 0.2 A7 0.5 A8 0.2 A9 0.5 A3 6.1 E-2 AX1 3.2 E-3 DCA 3.2 E-3 AM1 1.6 E-2 A4 1. 0 E- 3 A5 6.2 E-2 AX2 3.2 E-3 DCB 3.2 E-3 AM2 1.6 E-2 AF6 1.4 E-5 MCC3A 5.6 E-5 AF1 1.4 E-5 i AF4 4. 2 E- 5 AF7 1.4 E-5 AF8 1. 4 E- 5 MCC3B 5.6 E-5 AF2 1.4 E- 5 AF5 4.2 E-5 AF10 1.4 E- 5 AF9A 1. 4 E- 5 AF9B 1.0 E-2 0-41
APPENDIX E NUCLEAR SERVICES CLOSED CYCLE COOLING SYSTEM j-i 1 ~ d l E
APPENDIX E NUCLEAR SERVICES CLOSED CYCLE COOLING SYSTEM (NSCCCS) E.1 SYSTEM DESCRIPTION AND OPERATION The Nuclear Services Closed Cycle Cocling System (NSCCCS) is a safety related system which provides cooling to various nuclear oriented equipment during normal and emergency operation. Typical loads during emergency operation are makeup pumps MVP-1 A and 1B (part of the HPI system), reactor building fan assembly cooling coils, ventilation fan riotor coolers, and control complex chillers. In addition, the NSCCCS provides cooling to its own pumps and to the pumps of the Nuclear Services Seawater System (NSSWS). The NSSWS is part of the Raw Seawater System and serves as a heat sink for the NSCCCS. E.1.1 SYSTEM DESCRIPTION The NSCCCS, shown in Figure E.1, is a single closed loop system that removes heat from the containment atmosphere and component heat. The once-through Nuclear Services Seawater System (NSSWS), shown in Figure E.2 takes suction from the seawater sump, removes heat from the closed cycle loop, and discharges into the seawater discharge canal . Component design information for the major components in these systems is given in Table E.1 The NSCCCS consists of one normally operating pump, SWP-lC, and two 100% rated emergency pumps, SWP-1 A and -18. The non-safety pump SWP-lC is sized to supply the normal flowrate of 6900 gpm - which is insufficient for emergency operation. The emergency flow rate of 11,000 gpm can be de-livered by each of the two emergency pumps. SWP-l A and -1B each consists of two half-sized pumps driven by a single shaft. Each of the five pumps has a check valve in the discharge line and a manual blocking valve on either side. The pumps discharge into a single header. The main line is 18 inches , in diameter. At each heat load center, smaller lines supply water to the individual components. Most of the major heat load centers can be isolated by manual block valves. E-1 I
The heat absorbed by the NSCCCS is transferred to the NSSWS by a bank of four one-third capacity heat exchangers (HE). Three operable heat exchangers are required for both emergency and normal operation. The HE's have no automatic isolation capability. Each HE has an inlet and outlet manual blocking valve on both the seawater side and the primary side. The heat exchangers are of the shell and tube type, with seawater flow through the tubes. The NSCCCS emergency flow rate of 3700 gpm per HE results in a 6 heat rejection rate of 92 x 10 BTU /hr per heat exchanger. Outlet tempera-ture of the HE's is 105 F under emergency operation. The NSSWS has one non-safety pump for normal operation and two 100% redundant emergency pumps. The non-safety pump RWP-1 is sized for a normal flow rate of 10,800 gpm and cannot supply the emergency flow rate o f 14,100 gpm (4700 gpm/HE). Each pump is provided with a check valve on the discharge side and with manual blocking valves on both sides for isolation purposes. The inlet temperature is determined by the Gulf of Mexico. Technical Specification prohibits operation if the inlet temperature rises above 105 F. For environmental reasons, the temperature rise through the heat exchanger is limited to a maximum of 6 UF. Seawater flows by gravity from the intake canal to the seawater sump, through 48 inch pipes. The emergency pumps are installed in separate compartments of the seawater sump to allow the isolation of either compartment for service without disabling the system. The pump motors are cooled by the NSCCCS. The bearing is cooled by the domestic water supply. If that system fails, the demineralized water supply can provide water through the domestic water lines. If both of these systems fail, seawater will back into the oearing. This provides adeouate cooling although it is not desirable for long-term cooling because of corrosion considerations. The NSSWS has no H0V's or remotely operated valves. There are no locked valves in the system. Manual valves are locally indicated. The p"mps in the NSCCCS and NSSWS are powered from the 4160V ESF buses. E-2 x___-
E ,1,2 SYSTEM OPERATION The NSCCCS and the NSSHS are continuously operating systems required for normal plant operation. Upon ESAS, the nonessential loads on the NSCCCS are isolated by closing the inlet and outlet valves in the appropriate line. These loads are primarily isolated to protect against missile damage to the NSCCCS and subsequent drainage of the system. The loads involved are not active during post-LOCA time periods. The ESAS will start both NSCCCS pumps (SWP-1 A, -1B) and both Raw Water Pumps (RWP-2A,-28). Fifteen seconds after either emergency pump in each system starts, the corresponding non-safety pump is tripped. If one HE is inoperable due to rupture, blockage, or electrolytic erosion / corrosion, the HE-bank can be reconfigured during plant operation by isolating the faulty exchanger on both sides and opening the block valves on both sides of the inactive heat exchanger. The inactive HE is not required to be tested for operability. There is a procedure for freshwater layup on the seawater side to prevent marine growth for long periods of time. The pumps SWP-1A, -B and RWP-2A, -2B are required to be started once a month (SP-344). The pumps are tested on a two-week staggered basis. Testing of the pumps does not disrupt system service. Technical Specifications require that two emergency pumps be operable in each system. Plant operation can continue for not more than 72 hours if only one emergency pump is avail-able in the NSCCCS or in the NSSWS. I E-3
Table E.1 Component Design Information Nuclear Service Heat Exchangers 4 Number Type Shell and Tube Sea Cooling Water Flow (tubeside), gpm 4700 Emerg; 3600 Normal Sea Cooling Water Temperature, F 85 Closed Cycle Cooling Water Outlet Temp, F 105 Emerg; 90 Normal Closed Cycle Cooling Water Flow (shell side),gpm 3700 Emerg; 2300 Normal Tube Material 90-10 Cu-Ni Shell Material Welded Carbon Steel Channel Material 2% Nickel Cast Iron l Design Pressure, Shell/ Tube, psig 200/100 Design Temperature, Shell/ Tube, F 180/150 Code / Seismic Class ASME Section VIII/I l Duty Btu /h 92 X 10 6Emergency Nuclear Service Seawater Pumps Number 2 Emerg; 1 Normal Flow, gpm 14,100 Emerg; 10,800 Normal Design Head, ft 144 Emerg; 98 Normal Design Pressure, psig 100 Design Temperature, F 109 Seismic Class I Nuclear Service Closed Cycle Cooling Pumps Number 2 Emerg; 1 Normal flow, gpm 11,000 Emerg; 6,900 Normal Design Head, ft 190 Emerg; 110 Normal Design Pressure, psig 200 Design Temperature, F 135 Seismic Class I Nuclear Service Closed Cycle Surge Tank 1 Number Capaci ty , gal . 10,000 Design Temperature, F 135 Design Pressure, psig 100 Material Carbon Steel, ASTM Code / Seismic Class ASME Section VIII/I E-4
I i i - l Tu mH-EMMENoj. oml.*g landt 1 b V-41*' V-L3 v4N h swv-5W
'" 8"e
>C ,l .
80
- at LO- 7M h pn {
v h..$ v?H T f Swf6tl sw-F4
- s" sw' e7 -Ses
\
l sw-lasuv-tw\ swv-4o r D. F.V.P. M.D.r u p. L E22 f H -
- EYP-1 EFP-1 NOTEI
- t ;- x7 SWV-Si\ ~~\S WV-do O d 5 T suv sms6 sw-Elb S&. v Sra h U coM TKOL Co=Pl ex suv-184 CNILLKK$ ;4 > bSCCCS ((MILP-sc) 34 38 sw-25 y ,,
.5WV-63[ '. swr-H ##'"'d sw-t33 sw.is y pcy.4o DCV-42.
W M*J- - <
--C