ML20059D339

Forwards Draft Updated Section 17.3, Reliability Program During Design Phase, of SBWR SSAR Contained in Attachment 1 to Ltr. Draft Based Upon Markups of Section 17.3 of Amend 31 of ABWR SSAR
ML20059D339
Person / Time
Site: 05200004
Issue date: 12/27/1993
From: Leatherman J
GENERAL ELECTRIC CO.
To: Borchardt R
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM), Office of Nuclear Reactor Regulation
References
MFN-239-93, NUDOCS 9401070164


Text

{{#Wiki_filter:

GE Nuclear Energy
General Electric Company
175 Curtner Avenue, San Jose, CA 95125

December 27, 1993
MFN No. 239-93
Docket STN 52-004

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington DC 20555

Attention: Richard W. Borchardt, Director
Standardization Project Directorate

Subject: Transmittal of Updated Section 17.3, "Reliability Assurance Program During Design Phase"

A draft of the updated Section 17.3, "Reliability Assurance Program During Design Phase", of the SBWR Standard Safety Analysis Report (SSAR) is contained in Attachment 1 to this letter. This draft is based upon markups of Section 17.3 of Amendment 31 of the ABWR SSAR. This submittal and MFN No. 187-93 are SBWR SSAR updates to incorporate ABWR "Lessons Learned" into the SBWR SSAR to take advantage of the ABWR review and thereby enhance SBWR SSAR review. At your earliest convenience, we would like to discuss the SBWR SSAR Amendment Process with you to capture your ideas as to the process we should use for SBWR.

Sincerely,

J. E. Leatherman
SBWR Certification Manager
MC-781, (408) 925-2023

cc: M. Malloy, Project Manager (NRC) (2 attachments)
F. W. Hasselberg, Project Manager (NRC) (1 attachment)

25A5113 Rev. A
SBWR Standard Safety Analysis Report

17.3 Reliability Assurance Program During Design Phase

This section presents the SBWR Design Reliability Assurance Program (D-RAP).

17.3.1 Introduction

The SBWR Design Reliability Assurance Program (D-RAP) is a program that will be performed by GE Nuclear Energy (GE-NE) during detailed design and specific equipment selection phases to assure that the important SBWR reliability assumptions of the probabilistic risk assessment (PRA) will be considered throughout the plant life. The plant owner/operator will complete the D-RAP for those risk-significant structures, systems, and components, if any, that are not covered by the GE-NE D-RAP and will also have an Operational Reliability Assurance Program (O-RAP) that tracks equipment reliability to demonstrate that the plant is being operated and maintained consistent with PRA assumptions so that overall risk is not unknowingly degraded.

The PRA evaluates the plant response to initiating events to assure that plant damage has a very low probability and risk to the public is very low. Input to the PRA includes details of the plant design and assumptions about the reliability of the plant risk-significant structures, systems and components (SSCs) throughout plant life. SSAR Appendix 19K, PRA Based Reliability and Maintenance, identifies certain risk-significant SSCs. The results of Appendix 19K can be used as a starting point for the D-RAP.

The D-RAP will include the design evaluation of the SBWR. It will identify relevant aspects of plant operation, maintenance, and performance monitoring of important plant SSCs for owner/operator consideration in assuring safety of the equipment and limited risk to the public. The COL applicant will specify the policy and implement procedures for using the D-RAP information. See Subsection 17.3.13.1 for COL license information.

Also included in this explanation of the D-RAP is a descriptive example of how the D-RAP will apply to one potentially important plant system, the Isolation Condenser System (ICS). The ICS example shows how the principles of D-RAP will be applied to other systems identified by the PRA as being significant with respect to risk.

17.3.2 Scope

The SBWR D-RAP will include the future design evaluation of the SBWR, and it will identify relevant aspects of plant operation, maintenance, and performance monitoring of plant risk-significant SSCs. The PRA for the SBWR and other industry sources will be used to identify and prioritize those SSCs that are important to prevent or mitigate plant transients or other events that could present a risk to the public.

Reliability Assurance Program During Design Phase - Amendment 1 DRAFT 17.3-1


17.3.3 Purpose

The purpose of the D-RAP is to assure that the plant safety as estimated by the probabilistic risk assessment (PRA) is maintained as the detailed design evolves through the implementation and procurement phases and that pertinent information is provided in the design documentation to the future owner/operator so that equipment reliability, as it affects plant safety, can be maintained through operation and maintenance during the entire plant life.

17.3.4 Objective

The objective of the D-RAP is to identify those plant SSCs that are significant contributors to risk, as shown by the PRA or other sources, and to assure that, during the implementation phase, the plant design continues to utilize risk-significant SSCs whose reliability is commensurate with the PRA assumptions. The D-RAP will also identify key assumptions regarding any operation, maintenance and monitoring activities that the owner/operator should consider in developing its O-RAP to assure that such SSCs can be expected to operate throughout plant life with reliability consistent with that assumed in the PRA.

A major factor in plant reliability assurance is risk-focused maintenance, by which maintenance resources are focused on those SSCs that enable the SBWR safety-related systems to fulfill their essential safety-related functions and on SSCs whose failure may directly initiate challenges to safety-related systems. All plant modes are considered, including equipment directly relied upon in emergency operating procedures (EOPs). Such a focus of maintenance will help to maintain an acceptably low level of risk, consistent with the PRA.

17.3.5 GE-NE Organization for D-RAP

The D-RAP definition, reliability analyses, and the PRA, including Appendix 19K, were performed by GE Nuclear Energy (GE-NE).

Responsibility for the design of key equipment, components and subsystems is shared by GE-NE together with external organizations, including the architect engineer.

The manager assigned the responsibility of managing and integrating the D-RAP Program will have direct access to the SBWR Project Manager and will be kept abreast of D-RAP critical items, program needs and status. He has organizational freedom to:

■ Identify D-RAP problems.
■ Initiate, recommend or provide solutions to problems through designated organizations.
■ Verify implementation of solutions.
■ Function as an integral part of the final design process.

The combined operating license applicant will need to supply a D-RAP organization description at the time of application for those risk-significant SSCs that are designed or procured by the applicant.

17.3.6 SSC Identification/Prioritization

The PRA prepared for the SBWR will be the primary source for identifying risk-significant SSCs that should be given special consideration during the detailed design and procurement phases and/or considered for inclusion in the O-RAP. The method by which the PRA is used to identify risk-significant SSCs is described in Chapter 19. It is also possible that some risk-significant SSCs will be identified from sources other than the PRA, such as nuclear plant operating experience, other industrial experience, and relevant component failure data bases.

17.3.7 Design Considerations

The reliability of risk-significant SSCs, which are identified by the PRA and other sources, will be evaluated at the detailed design stage (under contract to the combined operating license applicant) by appropriate design reviews and reliability analyses. Current data bases will be used to identify appropriate values for failure rates of equipment as designed, and these failure rates will be compared with those used in the PRA. Normally the failure rates will be similar, but in some cases they may differ because of recent design or data base changes. Whenever failure rates of designed risk-significant SSCs are significantly greater than those assumed in the PRA, an evaluation will be performed to determine if the equipment is acceptable or if it must be redesigned to achieve a lower failure rate.

For those risk-significant SSCs, as indicated by PRA or other sources, component redesign (including selection of a different component) will be considered as a way to reduce the core damage frequency (CDF) contribution. (If the system unavailability or the CDF is acceptably low, less effort will be expended toward redesign.) If there are practical ways to redesign a risk-significant SSC, it will be redesigned and the change in system fault tree results will be calculated. Following the redesign phase, dominant SSC failure modes will be identified so that protection against such failure modes can be accomplished by appropriate activities during plant life. The design considerations that will go into determining an acceptable, reliable design and the SSCs that must be considered for O-RAP activities are shown in Figure 17.3-2.

GE-NE will identify in the PRA or other design documents to the plant owner/operator the risk-significant SSCs and their associated failure modes and reliability assumptions, including any pertinent bases and uncertainties considered in the PRA. GE-NE will also provide this information for the plant owner/operator to incorporate into the O-RAP to help assure that PRA results will be achieved over the life of the plant. This information can be used by the owner/operator for establishing appropriate reliability targets and the associated maintenance practices for achieving them.

17.3.8 Defining Failure Modes

The determination of dominant failure modes of risk-significant SSCs will include historical information, analytical models and existing requirements. Many BWR systems and components have compiled a significant historical record, so an evaluation of that record comprises Assessment Path A in Figure 17.3-3. Details of Path A are shown in Figure 17.3-4.

For those SSCs for which there is not an adequate historical basis to identify critical failure modes an analytical approach is necessary, shown as Assessment Path B in Figure 17.3-3. The details of Path B are given in Figure 17.3-5. The failure modes identified in Paths A and B are then reviewed with respect to the existing maintenance activities in the industry and the maintenance requirements, Assessment Path C in Figure 17.3-3. Detailed steps in Path C are outlined in Figure 17.3-6.

17.3.9 Operational Reliability Assurance Activities

Once the dominant failure modes are determined for risk-significant SSCs, an assessment is required to determine suggested O-RAP activities that will assure acceptable performance during plant life. Such activities may consist of periodic surveillance inspections or tests, monitoring of SSC performance, and/or periodic preventive maintenance (Reference 17.3-1). An example of a decision tree that would be applicable to these activities is shown in Figure 17.3-7. As indicated, some SSCs may require a combination of activities to assure that their performance is consistent with that assumed in the PRA.

Periodic testing of SSCs may include startup of standby systems, surveillance testing of instrument circuits to assure that they will respond to appropriate signals, and inspection of SSCs (such as tanks and pipes) to show that they are available to perform as designed. Performance monitoring, including condition monitoring, can consist of measurement of output (such as pump flow rate or heat exchanger temperatures), measurement of magnitude of an important variable (such as vibration or temperature), and testing for abnormal conditions (such as oil degradation or local hot spots).

Periodic preventive maintenance is an activity performed at regular intervals to preclude problems that could occur before the next preventive maintenance (PM) interval. This could be regular oil changes, replacement of seals and gaskets, or refurbishment of equipment subject to wear or age related degradation.

Planned maintenance activities will be integrated with the regular operating plans so that they do not disrupt normal operation. Maintenance that will be performed more frequently than refueling outages must be planned so as to not disrupt operation or be likely to cause reactor scram, engineered safety feature (ESF) actuation, or abnormal transients. Maintenance planned for performance during refueling outages must be conducted in such a way that it will have little or no impact on plant safety, on outage length or on other maintenance work.

The COL applicant will provide a complete O-RAP to be reviewed by the NRC. See Subsection 17.3.13.3 for COL license information.

17.3.10 Owner/Operator's Reliability Assurance Program

The O-RAP that will be prepared and implemented by the SBWR owner/operator will make use of the information provided by GE-NE. This information will help the owner/operator determine activities that should be included in the O-RAP. Examples of elements that might be included in an O-RAP are as follows:

(1) Reliability Performance Monitoring: Measurement of the performance of equipment to determine that it is accomplishing its goals and/or that it will continue to operate with low probability of failure.

(2) Reliability Methodology: Methods by which the plant owner/operator can compare plant data to the SSC data in the PRA.

(3) Problem Prioritization: Identification, for each of the risk-significant SSCs, of the importance of that item as a contributor to its system unavailability and assignment of priorities to problems that are detected with such equipment.

(4) Root Cause Analysis: Determination, for problems that occur regarding reliability of risk-significant SSCs, of the root causes, those causes which, after correction, will not recur to again degrade the reliability of equipment.

(5) Corrective Action Determination: Identification of corrective actions needed to restore equipment to its required functional capability and reliability, based on the results of problem identification and root cause analysis.

(6) Corrective Action Implementation: Carrying out identified corrective action on risk-significant equipment to restore equipment to its intended function in such a way that plant safety is not compromised during work.

(7) Corrective Action Verification: Post-corrective action tasks to be followed after maintenance on risk-significant equipment to assure that such equipment will perform its intended functions.

(8) Plant Aging: Some of the risk-significant equipment is expected to undergo age related degradation that will require equipment replacement or refurbishment.

(9) Feedback to Designer: The plant owner/operator will periodically compare performance of risk-significant equipment to that specified in the PRA and D-RAP, as mentioned in item 1 above, and, at its discretion, may feed back SSC performance data to plant or equipment designers in those cases that consistently show performance below that specified.

(10) Programmatic Interfaces: Reliability assurance interfaces related to the work of the several organizations and personnel groups working on risk-significant SSCs.

The plant owner/operator's O-RAP will address the interfaces with construction, startup testing, operations, maintenance, engineering, safety, licensing, quality assurance and procurement of initial and replacement equipment.

17.3.11 D-RAP Implementation

An example of implementation of the D-RAP is given for the Isolation Condenser System (ICS).

The purpose of the ICS is to control reactor pressure and water level within acceptable ranges so that emergency reactor depressurization trips will not occur following reactor isolation and shutdown from full power without feedwater makeup. The ICS must also, over a longer duration, remove excess sensible and core decay heat from the reactor with minimal loss of coolant inventory from the reactor when the normal heat removal systems are unavailable for any reason. The ICS may or may not be identified by the final PRA as a significant contributor to CDF or to offsite risk. For this example it is assumed that some ICS components have been identified by the PRA as making a significant contribution to the core damage frequency (CDF) or to offsite risk.

17.3.11.1 ICS Description

The ICS is expected to operate during transients for a reactor pressure vessel (RPV) gauge pressure between 6.205 and 8.618 MPa (900-1250 psig).

The ICS basically consists of three high pressure, totally independent loops, each containing a condenser that condenses steam on the tube side and transfers heat to water in a large pool, the isolation condenser/passive containment cooling (IC/PCC) pool, which is positioned above and outside the containment (drywell). The surface of the pool is vented to the atmosphere. A simplified ICS P&ID is shown in Figure 17.3-8. (Refer to Section 5.4.6 for a detailed ICS System description which is summarized below.)

The condenser is connected by piping to the RPV and is placed at an elevation above the source of steam. When the steam is condensed, it returns to the vessel through a condensate return pipe. The steam side connection between the vessel and the IC is normally-open and the condensate line is normally-closed. This allows the isolation condenser and drain piping to fill with condensate which is maintained at a subcooled temperature by the pool water during normal reactor operation.

The steam supply line is vertical and feeds two horizontal headers through four pipes. The steam line is properly insulated and enclosed in a guard pipe which penetrates the containment roof slab. Two normally-open, fail-as-is isolation valves in series (nitrogen-motor-operated F001 and motor-operated F002) are located in the run of steam supply line piping inboard of the containment boundary. They are used to isolate that part of the ICS that is located outside the containment. Two different valve actuator types are used to provide diverse means for flow path closure.

Steam is condensed inside vertical tubes of the condenser and is collected in two lower headers. Two pipes, one from each lower header, take the condensate to the common drain line which vertically penetrates the containment roof slab.

On the condensate return piping, two normally-open, fail-as-is isolation valves in series (motor-operated F003 and nitrogen-motor-operated F004) are provided, both located inboard of the containment boundary. They are also used to isolate parts of the ICS outside the containment. Two different valve actuator types are used to provide diverse means for flow path closure, when required.

The condensate return valve (F005, motor-operated, fail-as-is) is located on the condensate return piping, just upstream of the reactor entry point. This valve is closed during normal station power operations. Since the steam supply line valves are normally-open, condensate will form in the IC and will fill up to the steam distributor, above the upper headers. In parallel with F005 is valve F006 (nitrogen-operated, fail-open) which serves as a backup to operate the IC loop by remote manual signal if F005 fails to open. Valve F006 also opens upon loss of nitrogen or loss of divisional electrical power.

The isolation condenser starts into operation when the condensate return valve (F005) is opened, allowing condensate to drain to the reactor. This causes steam from the reactor to fill the tubes which transfer heat to the cooler pool water. As flow occurs, the steam-water interface in the IC tube bundle moves down, below the lower headers, to a point in the main condensate return line. The condensate return valve (F005) fails as-is if the 125 Vdc power is lost. The backup return valve (F006) opens if nitrogen supply or safety-related dc power is lost.

Vent lines are provided for both upper and lower headers to remove the noncondensable gases away from the IC headers to the suppression pool during IC operation. Venting is controlled as follows. The lower header vent line has two normally-closed, fail-closed solenoid-operated valves (F009 and F010). They can be actuated (opened), both automatically and manually. These valves open automatically when RPV pressure is high and either of the condensate return valves is open. They can be opened manually by the control room operator. In case of F009 and/or F010 failure, two bypass motor-operated valves (F011 and F012, normally closed) allow the operator to vent noncondensable gases.

A vent line from the upper headers equipped with two normally-closed, fail-closed, solenoid-operated valves (F007 and F008) permits the operator to vent noncondensable gases, if necessary. During normal plant operation, noncondensable gases are prone to accumulate in the IC because of hydrogen buildup from water chemistry control additions and air entrained in the feedwater. A purge line is provided to assure that the IC tubes will not be blanketed with noncondensables when the system is first started.

The isolation condensers are located in the IC/PCC pool, positioned above the drywell. The large IC/PCC pool is partitioned, but both the IC and PCC are able to draw water from the entire pool; the air and steam space is also held in common. The elevation difference between the pool bottom and the RPV Level ti is equal to or greater than 6.7 meters (264 in.) to provide adequate column height for natural circulation flow.

The pool subcompartment interconnections are as follows: The individual IC/PCC pool subcompartments are connected to the other pool subcompartments below the water level by locked-open valves, one for each subcompartment, so that each IC has access to the entire pool. These valves can be closed to isolate and empty the individual partitioned IC pool for maintenance of the unit. All other pool subcompartments are interconnected below the pool water level. The water volume above the top of the IC tubes is at least 1100 cubic meters (38,846 cubic feet) in order to meet the 72 hours decay heat boiloff requirement. The remote handwheels on the locked open valves extend above the water level to locations accessible to the operator.

The walls containing the airspace flow path extend above the normal water level; this enhances the flow stability and heat removal capability of the condensers by establishing a flow path for steam leaving the pool and for the pool makeup water through the lower pipes.

17.3.11.2 ICS Operation

During normal plant operation, the IC loops are in "ready standby", so ICS operation will start upon opening of one valve. Both steam supply isolation valves and both isolation valves on the condensate return line are in a normally-open position, the condensate level in the IC extends above the upper headers, the condensate return valves are both closed, and the small vent lines from the IC top and bottom headers to the suppression pool are closed. A small amount of steam flows from the steam piping above the ICs through the purge line by the pressure differential caused by main steam line flow.

For each IC loop the four normally-open isolation valves (two nitrogen-operated gate valves and two motor-operated gate valves) fail as is; the four normally-closed, solenoid-operated vent valves (globe valves) fail closed; the two normally-closed, motor-operated vent valves (globe valves) fail as is; the normally-closed, motor-operated condensate return valve (gate valve) fails as is; the normally-closed, nitrogen-operated condensate return bypass valve (globe valve) fails open; and the normally-open, motor-operated purge line valve (globe valve) fails as is.

During refueling, the IC is isolated from the reactor. All isolation valves (F001 through F004) and all vent valves (F007 through F012) are closed.

During plant operation, one of the ICS initiation signals opens the condensate return valve (F005) within 30 seconds, thus starting the IC operation. If the IC does not operate, the RPV gauge pressure will increase to the SRV setpoint 8.618 MPa (1250 psig). Also, isolation valves (F001, 2, 3, and 4) are signaled to open to assure that they were reopened during or after a test closure of the valves. Condensate bypass valve F006 will open to initiate ICS operation by remote manual operation or if there is a loss of nitrogen pressure or of dc power.

If, during IC operation and after the initial transient, the RPV gauge pressure increases above 7.653 MPa (1110 psig), the bottom vent valves F009 and F010 automatically open to vent to the suppression pool. When the RPV gauge pressure decreases below the 7.585 MPa (1100 psig) reset value, and after a time delay to avoid too many cycles, these two valves close.

The three initiation signals which actuate all three ICS loops at the same time, opening the condensate return valve F005, are described as follows:

■ The "reactor mode switch is in RUN" and the inboard or outboard MSIV position < 90% open on both MSL(A) and MSL(B). (MSIV closure is initiated on reactor water level below L2 and other isolation closure signals.) There are two main steam isolation valves (MSIVs) on each main steam line. The logic is: one-out-of-two limit switches of the MSIVs on one line plus one-out-of-two limit switches of the MSIVs on the other line (logic one-out-of-two twice). During MSIV testing, one MSL is out of service; if a one-out-of-two signal comes from the limit switches of the MSIVs of the other line, the IC goes into operation.
■ RPV gauge pressure (with logic two-out-of-four) is ≥ 7.446 MPa (1080 psig) for 10 seconds or more.
■ Operator manual initiation.

When the RPV gauge pressure decreases below the IC System reset value 5.516 MPa (800 psig), the operator may stop the ICS loops individually, overriding the system initiation signals coming from closure of the MSIVs.
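The three initiation signals listed above, modeled as an added example that is not part of the SSAR or of any GE-NE design document. The function and class names are hypothetical, the channel readings and the 2-second sampling interval are constructed, and only the setpoint, hold time, 90% position limit and voting arrangements come from the text.

```python
"""Constructed model of the ICS initiation voting described in 17.3.11.2."""

PRESSURE_SETPOINT_MPA = 7.446  # page: RPV gauge pressure >= 7.446 MPa (1080 psig)
PRESSURE_HOLD_S = 10.0         # page: "for 10 seconds or more"
MSIV_NOT_OPEN_PCT = 90.0       # page: MSIV position < 90% open


def k_out_of_n(votes, k):
    """Return True when at least k of the redundant channel votes are True."""
    return sum(bool(v) for v in votes) >= k


def msiv_closure_signal(mode_switch_run, msl_a_pct, msl_b_pct, line_in_test=None):
    """One-out-of-two-twice vote on the MSIV limit switches.

    msl_a_pct / msl_b_pct: (inboard, outboard) valve positions, percent open.
    line_in_test: "A" or "B" when that main steam line is out of service for
    MSIV testing; a one-out-of-two vote on the other line is then sufficient.
    """
    if not mode_switch_run:
        return False
    a_closing = k_out_of_n([p < MSIV_NOT_OPEN_PCT for p in msl_a_pct], 1)
    b_closing = k_out_of_n([p < MSIV_NOT_OPEN_PCT for p in msl_b_pct], 1)
    if line_in_test == "A":
        return b_closing
    if line_in_test == "B":
        return a_closing
    return a_closing and b_closing


class SustainedPressureTrip:
    """Two-out-of-four high-pressure vote that must persist for the hold time."""

    def __init__(self, setpoint=PRESSURE_SETPOINT_MPA, hold_s=PRESSURE_HOLD_S):
        self.setpoint = setpoint
        self.hold_s = hold_s
        self._voted_since = None  # time at which the 2oo4 vote last became True

    def update(self, t_s, channels_mpa):
        """Feed one sample of the four channels; return True once sustained."""
        voted = k_out_of_n([p >= self.setpoint for p in channels_mpa], 2)
        if not voted:
            self._voted_since = None  # any drop-out restarts the hold timer
            return False
        if self._voted_since is None:
            self._voted_since = t_s
        return (t_s - self._voted_since) >= self.hold_s


def ics_initiate(msiv_signal, pressure_signal, manual):
    """Any one of the three signals opens condensate return valve F005."""
    return msiv_signal or pressure_signal or manual


# Constructed trace: (time in s, four RPV gauge pressure channels in MPa).
# The vote is met at t=2, drops out at t=4, and is met again from t=6 onward.
CONSTRUCTED_TRACE = [
    (0, [7.40, 7.41, 7.39, 7.40]),
    (2, [7.45, 7.46, 7.40, 7.41]),
    (4, [7.45, 7.44, 7.40, 7.41]),
] + [(t, [7.46, 7.47, 7.45, 7.41]) for t in range(6, 20, 2)]

# Constructed trace with a single channel failed high: never reaches 2oo4.
ONE_CHANNEL_FAILED_HIGH = [(t, [9.90, 7.40, 7.40, 7.40]) for t in range(0, 30, 2)]


def first_initiation_time(trace):
    """Return the first sample time at which the pressure signal initiates ICS."""
    trip = SustainedPressureTrip()
    for t_s, channels in trace:
        if ics_initiate(False, trip.update(t_s, channels), False):
            return t_s
    return None


if __name__ == "__main__":
    print("pressure initiation at t =", first_initiation_time(CONSTRUCTED_TRACE))
    print("single failed channel:", first_initiation_time(ONE_CHANNEL_FAILED_HIGH))
```

With one main steam line in test, the MSIV vote reduces to one-out-of-two on the remaining line, so a single limit switch can start the system; the pressure vote keeps its tolerance of one spurious channel.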

25AS113 Rev. A SBWR standard sarety Anarysis neport - Condensate return valve F005 fails as is on loss of electrical power supply. Condensate return bypass valve FOO6 opens automatically upon a loss of the nitrogen supply, loss of two electrical power divisions, manually, by operator action, or on reactor water level below Level 2. Automatic actuation for the vent valves (F009 and F010, located in series) is provided by a high RPV pressure (above system actuation value) and either of the condensate return valves not fully closed (with time delay to avoid the vents opening during the initial transient). The valves close, preventing loss ofinventory, when the RPV pressure decreases below a reset value. Four radiation sensors are installed in the IC/PCC pool exhaust passages that vent air and coolant vapor to the environment. Detection of a low-level leak (radiation level above backgroimd, logic two-out+f-four) initiates an alarm. Detection of a high radiation level (exceeding site boundary limits, logic twooutof-four) isolates the leaking isolation condenser automatically (closure ofisolation valves F001 through F004). The high radiation may be caused by a leak from any IC tube and a subsequent  ; release of noble gas to the air above the IC/PCC pool. . Four redundant sets of differential pressure instrumentation (dPT) on the steam line and another four sets on the condensate return line are used to detect a possible loss-of-coolant accident (LOCA). A high dPT signal coming from twoout-of-four di'Fs on the same line (steam or condensate) will result in alarms to the operator and automatic closure of all isolation valves, rendering the IC inoperable. Alarm and closure of the isolation valves (F001 through F004) are automatic on the following signals coming from a single loop (logic twocutof-four): a high mass flow in the IC steam supply line; a high mass flow in the IC condensate return line; and a high radiation in the pool steam flow path. 
The operator cannot override the high radiation signals from the IC atmosphere vents and high differential pressure IC-isolation signals.

A temperature element is provided downstream of the valves in each vent line to confirm functioning of vent valves. A temperature element is similarly provided in the condensate return line, downstream of the isolation valve F004.

17.3.11.3 Major Differences from Operating Boiling Water Reactors

The ICS design is similar to that of the few operating boiling water reactors (BWRs) that have ICs. Automatic and manual actuation of the SBWR ICS is similar to that incorporated in operating BWRs. The major differences for the SBWR are (1) use of three heat exchangers (HXs) instead of the one or two in operating plants; (2) use of vertical tube HXs instead of horizontal tubes; (3) use of both NOVs and MOVs for condensate return valves instead of only MOVs; and (4) use of a large pool instead of an HX shell.

The number of HXs for the SBWR is partly determined by the desire for equipment redundancy and for limiting the length and number of tubes in each HX. Vertical tube HXs of the SBWR provide for greater stability of flow and fewer problems with noncondensable gases. Since the condensate return bypass valves are operated by nitrogen, and fail open on loss of nitrogen pressure or electrical power, they do not require electrical power as do the motor-operated condensate return valves.

The large IC/PCC pool provides cooling water capacity for 72 hours following SBWR scram. Following that time, makeup water can be provided by water trucks through safety-related piping providing makeup connections at grade level outside the reactor building. Operating BWRs have typically 20 to 30 minutes of water capacity in IC HXs, with makeup provided by pumping from the condensate storage tanks or from the fire main.

17.3.11.4 ICS Fault Tree

An example top level fault tree for the ICS is shown in Figure 17.3-9, with the top gate defined as failure of the ICS to inject water into the RPV when required. Four major events were analyzed: loss-of-coolant accidents (LOCAs), transients, loss of off-site power (LOSP) and anticipated transient without scram (ATWS). For the LOCA adequate ICS water injection is accomplished with one of the three ICs, so all three ICs must fail to result in system failure. The other events can be accommodated by any two ICs, so failure of two-out-of-three ICs results in system failure. One detail not shown in the fault tree is that, for water injection following LOCA or ATWS events, at least one vent path to the SP must be established. This means that valves F009 & F010 or F011 & F012 must open, as can be seen from Figure 17.3-8.

Based upon the fault tree analysis, a ranking of the ICS components or events by importance allows identification of those SSCs with greatest importance. Such components and events are shown in Table 17.3-1.

For this example, the most risk significant SSCs are listed in Table 17.3-2. These SSCs should be considered as risk-significant candidates for O-RAP activities. No SSCs appear to be risk-significant because of aging or common cause considerations.
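The ranking step described above can be illustrated with a small calculation. The following is an added example, not part of the SSAR or of GE's PRA: it models each IC loop from the valve logic given in this section (any one of four isolation valves failing to reopen, or F005 and F006 both failing to open, disables a loop) and ranks the valves by importance for the all-three-fail (LOCA) and two-out-of-three gates. The failure probabilities are constructed, the loops are assumed independent (no common cause), Fussell-Vesely importance is computed in its risk-reduction form, and ICS top-gate failure probability stands in for core damage frequency.

```python
from itertools import product

# Constructed per-demand failure probabilities (illustrative only, not SSAR data).
Q_ISOLATION = 1.0e-2  # one isolation valve (F001..F004) fails to reopen after test
Q_RETURN = 5.0e-3     # condensate return valve F005 fails to open
Q_BYPASS = 2.0e-3     # condensate return bypass valve F006 fails to open

LOOPS = ("A", "B", "C")
ISOLATION_VALVES = ("F001", "F002", "F003", "F004")


def basic_events():
    """Map each basic event (valve tag + loop letter) to its failure probability."""
    q = {}
    for loop in LOOPS:
        for valve in ISOLATION_VALVES:
            q[valve + loop] = Q_ISOLATION
        q["F005" + loop] = Q_RETURN
        q["F006" + loop] = Q_BYPASS
    return q


def loop_failure_prob(q, loop):
    """A loop is lost if any isolation valve stays closed, or F005 AND F006 both fail."""
    p_isolation_ok = 1.0
    for valve in ISOLATION_VALVES:
        p_isolation_ok *= 1.0 - q[valve + loop]
    p_return_path_fails = q["F005" + loop] * q["F006" + loop]
    return 1.0 - p_isolation_ok * (1.0 - p_return_path_fails)


def system_failure_prob(q, loops_needed):
    """P(fewer than loops_needed loops operate): 1 for LOCA, 2 for the other events."""
    p_fail = [loop_failure_prob(q, loop) for loop in LOOPS]
    total = 0.0
    for state in product((0, 1), repeat=len(LOOPS)):  # 1 means the loop failed
        if len(LOOPS) - sum(state) < loops_needed:
            prob = 1.0
            for failed, p in zip(state, p_fail):
                prob *= p if failed else 1.0 - p
            total += prob
    return total


def importance(q, event, loops_needed):
    """Return (Fussell-Vesely importance, risk achievement worth) for one event."""
    base = system_failure_prob(q, loops_needed)
    never_fails = dict(q, **{event: 0.0})
    always_fails = dict(q, **{event: 1.0})
    fussell_vesely = (base - system_failure_prob(never_fails, loops_needed)) / base
    achievement_worth = system_failure_prob(always_fails, loops_needed) / base
    return fussell_vesely, achievement_worth


def ranking(loops_needed):
    """All basic events sorted by Fussell-Vesely importance, largest first."""
    q = basic_events()
    rows = [(name,) + importance(q, name, loops_needed) for name in q]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for label, needed in (("LOCA (1 of 3 needed)", 1), ("Other events (2 of 3 needed)", 2)):
        print(label, "top-gate failure probability:",
              f"{system_failure_prob(basic_events(), needed):.3e}")
        for name, fv, raw in ranking(needed)[:6]:
            print(f"  {name}  FV={fv:.4f}  RAW={raw:.2f}")
```

With these constructed inputs the isolation valves dominate the ranking, because each is a single-valve path to losing a loop, while F005 only matters together with F006.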

17.3.11.5 System Design Response

The two types of ICS risk-significant components identified in Table 17.3-2 as having high importance in the ICS fault tree are now considered for redesign or for O-RAP activities. The flow chart of Figure 17.3-2 guides the designer.

The components identified in Table 17.3-2 are IC loop isolation valves and condensate return valves. The most significant failure of these valves is mechanical failure. Isolation valves have a relatively high probability of mechanical failure to open following a closure test, which is assumed to occur quarterly. Any one of the four isolation valves in each loop could disable that loop if it failed to open. Failure of a condensate return valve to open when IC operation is signaled, coupled with failure of the bypass return valve, would also disable that loop. These two components are identified for special attention with regard to reducing the risk of system failure.

Redesign

The design evaluation of Figure 17.3-2 is used by the designer. The design assessment shows that the component failure rates are the same as those used in the PRA, so there is no need to recalculate the PRA because of failure rate changes. Also, no one SSC has a major impact on ICS system unavailability, so redesign or reselection of components is not required and these components are identified for consideration by the O-RAP.

Redesign considerations, if they had been required, would have included trying to identify more reliable valves that would have lower probability of mechanical failure to open or more reliable electrical components of motor operated valves. This might be achieved by making specific design changes or by selection of a different component. Any such redesign would have to be evaluated by balancing the increase in reliability against the added complication to plant equipment and/or layout.

Failure Mode Identification

If redesign is not necessary, or after redesign has been completed, the appropriate O-RAP activities would be identified for the two ICS component types identified by the fault tree and discussed above. This begins with determining the likely failure modes that will lead to loss of function, following the steps in Figure 17.3-3. The components used in the ICS have adequate failure history to identify critical failure modes, so Assessment Paths A and C (Figures 17.3-4 and 17.3-6, respectively) would be followed to define the failure modes for consideration.

All valve types are subject to mechanical problems such as valve stem failure, separation of stem from disk, and failure to stroke. For motor-operated valves the additional major failure modes are electrical failures in the motor winding or motor internals, and problems with torque limit switches and switch settings. Solenoid-operated valves are subject to failures of electrical coils and gas leakage past seals as a result of thermal and radiation damage. Moisture intrusion also causes coil failures. A major failure mode of pneumatic-operated valves is operator seal leakage which allows the operator gas to leak. Most pneumatic-operated valves use solenoids.

Following the flow chart of Figure 17.3-4, the designer would determine more details about each failure mode, including pieceparts most likely to fail and the frequency of each failure mode category or piecepart failure. This would result in a list of the dominant failure modes to be considered for the O-RAP. ASME Section XI requirements for inservice inspection and other mandated inspections and tests would be identified, as indicated in Figure 17.3-6.

Examples of the types of failure modes that could impact reliability of these identified components are shown in Table 17.3-3. The table is not a complete listing of important failure modes, but is intended to indicate the types of failures that would be considered.

Identification of Maintenance Requirements

For each identified failure mode, the appropriate maintenance tasks will be identified to assure that the failure mode will be (1) avoided, (2) rendered insignificant, or (3) kept to an acceptably low probability. The type of maintenance and the maintenance frequencies are both important aspects of assuring that the equipment failure rate will be consistent with that assumed for the PRA. As indicated in Figure 17.3-7, the designer would consider periodic testing, performance testing or periodic preventive maintenance as possible O-RAP activities to keep failure rates acceptable.

For the ICS isolation valves and condensate return valves, which normally have no required cycles during operation, a quarterly full-stroke test is judged (for this example) to be appropriate.
Such tests are in compliance with ASME Code requirements for valves in nuclear plants. Detailed disassembly, inspection and refurbishment of valves would be done less frequently. Examples of maintenance activities and frequencies are shown in Table 17.3-3 for each identified failure mode. The D-RAP will include documentation of the basis for each suggested O-RAP activity.

17.3.12 Glossary of Terms

Core Damage Frequency - As calculated by the probabilistic risk assessment.

Design Reliability Assurance Program - Performed by the plant designer to assure that the plant is designed so that it can be operated and maintained in such a way that the reliability assumptions of the probabilistic risk assessment apply throughout plant life.

Fussell-Vesely Importance - A measure of the component contribution to core damage frequency. Numerically, the percentage contribution of component to CDF.

GE Nuclear Energy - SBWR plant designer.

Owner/Operator - The utility or other organization that owns and operates the SBWR following construction.

Operational Reliability Assurance Program - Performed by the plant owner/operator to assure that the plant is operated and maintained safely and in such a way that the reliability assumptions of the PRA apply throughout plant life.

Piecepart - A portion of a (risk-significant) component whose failure would cause the failure of the component as a whole. The precise definition of a "piecepart" will vary between component types, depending upon their complexity.

Probabilistic Risk Assessment - Performed to identify and quantify the risk associated with the SBWR.

Risk-Significant - Those structures, systems and components which are identified as contributing significantly to the core damage frequency.

Structures, Systems and Components - Identified as being important to the plant operation and safety.

17.3.13 COL License Information

17.3.13.1 Policy and Implementation Procedures for D-RAP

The COL applicant will specify the policy and implementation procedures for using D-RAP information (Subsection 17.3.1).

17.3.13.2 D-RAP Organization

The COL applicant completing its detailed design and equipment selection during the design phase will submit its specific D-RAP organization for NRC review (Subsection 17.3.M.

17.3.13.3 Provision for O-RAP

The COL applicant will provide a complete O-RAP to be reviewed by the NRC (Subsection 17.3.9).
17.3.14 References

17.3-1 E. V. Lofgren, et al., "A Process for Risk-Focused Maintenance," SAIC, NUREG/CR-5695, March 1991.

Table 17.3-1 ICS Components with Largest Contribution to Core Damage Frequency

Component                                                            Fussell-Vesely   Risk Achievement
                                                                     Importance       Worth
ICA-UNVL     IC "A" unavailable due mainly to the failure to         0.21             11
             reopen isolation valves after test
ICBMOD02     IC "B" mechanical failure of valve F006B                QJQ              20
ICCMOD02     IC "C" mechanical failure of valve F006C                QJQ              20
ICBMV005GO   Motor operated valve F005B fails to open                0.002            12
ICCMV005GO   Motor operated valve F005C fails to open                0.002            12

NOTE: Although the "failure to reopen isolation valves after test" is assigned to IC "A", and mechanical failure of condensate return valves or IC vent valves is assigned to ICs "B" and "C", each type of failure could occur in any of the three loops.

Table 17.3-2 Risk-Significant SSCs for ICS

Component                    Valve Number
Isolation Valves             F001A, B & C
                             F002A, B & C
                             F003A, B & C
                             F004A, B & C
Condensate Return Valves     F005A, B & C
                             F006A, B & C

Table 17.3-3 Examples of ICS Failure Modes & O-RAP Activities

Component       Failure Mode/Cause            Recommended Maintenance            Maintenance   Basis*
                                                                                 Interval
Isolation       Failure to open because of    Stroke test                        3 months      Experience;
valves          mechanical or pneumatic                                                        ASME Code ISI.
                problems
                                              Visual and penetrant inspection    10 years      Low failure rate;
                                              of stem, ultrasonic inspection                   ASME Code ISI.
                                              of stem; replace if necessary.
                Failure to open because of    Electrical circuit test (may be    3 months      Experience
                electrical problems           part of stroke test)
Condensate      Failure to open because of    Stroke test                        3 months      Experience;
return valves   mechanical or pneumatic                                                        ASME Code ISI.
                problems
                                              Visual and penetrant inspection    10 years      Low failure rate;
                                              of stem; replace if necessary.                   ASME Code ISI.
                Failure to open because of    Electrical circuit test (may be    3 months      Experience
                electrical problems           part of stroke test)

* These types of ICS valves have been used in operating BWRs, so there is much experience to guide owners/operators in care of the equipment.

Figure 17.3-1 Deleted
Figure 17.3-2 Design Evaluation for SSCs
(Flow chart. Boxes: risk-significant SSCs identified by PRA system fault tree; reliability assessment in design phase: are failure rates > those in PRA?; are PRA results significantly changed by higher failure rate?; does SSC failure have a large impact on system unavailability?; component redesign; recalculation; SSCs for O-RAP.)

Figure 17.3-3 Process for Determining Dominant Failure Modes of Risk-Significant SSCs
(Flow chart. Boxes: risk-significant SSCs for O-RAP; does failure history identify critical failure modes at piecepart level? Yes: Assessment Path A. No: Assessment Path B, identify critical failure modes at piecepart level using analytical methods. Identify existing maintenance-related activities and requirements; define dominant failure modes to defend against; identify maintenance requirements.)

Figure 17.3-4 Use of Failure History to Define Failure Modes
(Flow chart, Assessment Path A. Information needed: input from accepted industry data bases; consultation with knowledgeable engineering, operations and maintenance personnel; root cause analysis; design reviews; system walkdowns. Steps: determine the analysis boundary (individual component, component type in similar applications, etc.); from failure history, construct list of failure modes/causes at piecepart level; if appropriate, develop failure mode categories and assign each piecepart failure to a category; obtain occurrence frequency of each category (or piecepart failure); define the dominant failure mode list from data considerations.)

Figure 17.3-5 Analytical Assessment to Define Failure Modes
(Flow chart, Assessment Path B. Information needed: engineering diagrams of critical component under assessment. Steps: perform a fault tree or FMEA analysis on components to piecepart level; identify single piecepart failures that fail the component's function (and that are likely to occur), latent piecepart failures not detected through ordinary demand testing, piecepart failures that have common cause potential, including by aging or wear, and piecepart failures that could cascade to more serious failures; define the dominant failure mode list from analysis considerations.)

Figure 17.3-6 Inclusion of Maintenance Requirements in the Definition of Failure Modes
(Flow chart, Assessment Path C. Information needed: ASME Section XI requirements; vendor recommendations; EQ requirements; technical specification for testing & calibration; other regulatory-mandated requirements. Steps: identify planned maintenance program and requirements; list all maintenance requirements and recommendations from all sources; partition list into those maintenance requirements and recommendations actually planned and those that are not. Maintenance actually planned: record rationale for performing the maintenance; identify failure modes affected and frequency of maintenance. Not planned: record rationale for not performing the maintenance; identify failure modes not protected by maintenance (if any). Define the dominant failure modes.)

Figure 17.3-7 Identification of Risk-Significant SSC O-RAP Activities (Example)
(Flow chart. Boxes: dominant failure modes of risk-significant SSCs; does SSC require periodic testing? Yes: specify required tests. Does SSC require performance testing? Yes: specify performance monitoring. Does SSC require periodic preventive maintenance? Document, for owner/operator, maintenance activities and bases, plus uncertainties, for the risk-significant SSCs.)

Figure 17.3-8 Isolation Condenser System P&ID (Simplified)
(Piping and instrumentation diagram. One loop shown, typical of three.)

Figure 17.3-9 Example Isolation Condenser System Top Level Fault Tree
(Fault tree. Top gate: failure of ICS to inject water into RPV when required. Inputs to the top gate: loss of all 3 ICs following LOCA; 2 of 3 ICs fail to inject water into RPV during transients; 2 of 3 ICs fail to inject water into RPV during LOOP (without batteries); 2 of 3 ICs fail during ATWS after SLCS actuation. Lower-level events: failures that render ICS inoperable; loss of all 3 ICs; loss of 2 of 3 ICs; IC "A" fails; IC "B" fails; IC "C" fails; IC HX leaks into pool; IC common cause failures; loss of IC/PCC pool water. Some of the common cause failures are different for different accident scenarios.)}}