ML20062A478

Forwards Addl Info Re SER Open Items on Manual Initiation & Termination of ESF & ADS Sys Testability
ML20062A478
Person / Time
Site: Perry
Issue date: 07/20/1982
From: Davidson D
CLEVELAND ELECTRIC ILLUMINATING CO.
To: Schwencer A
Office of Nuclear Reactor Regulation
References
NUDOCS 8208040003


Text

THE CLEVELAND ELECTRIC ILLUMINATING COMPANY
P.O. Box 5000, Cleveland, Ohio 44101. Telephone (216) 622-9800. Illuminating Bldg., 55 Public Square
Serving The Best Location in the Nation

Dalwyn R. Davidson
Vice President, System Engineering and Construction

July 20, 1982

Mr. A. Schwencer, Chief
Licensing Branch No. 2
U. S. Nuclear Regulatory Commission
Washington, D. C. 20555

Perry Nuclear Power Plant
Docket Nos. 50-440; 50-441
SER Open Items - Nos. 11 and 12
Instrument and Control Systems

Dear Mr. Schwencer:

The Perry SER identified two open issues concerning manual initiation and termination of ESF systems and ADS system testability.

This letter forwards additional information concerning the acceptability of the Perry design with respect to these issues. Also attached is previous GE/NRC correspondence on ADS testability.

We believe that this information along with the fact that the Perry design is essentially identical to other BWR plants already licensed should result in a closure of these issues.

Very truly yours,

Dalwyn R. Davidson
Vice President
System Engineering and Construction

DRD:mb
cc: Jay Silberg, John Stefano, Max Gildner, J. Mauck

8208040003 820720 PDR ADOCK 05000440 PDR

421.72 During our review of the testing procedures for the pilot solenoid valves which control compressed air to the automatic depressurization system (ADS) relief valves, it became apparent that the present Perry design does not provide a method to indicate the actual position of the solenoid during this test.

In the GESSAR-238 NSSS preliminary design safety evaluation report (Docket No. STN 50-550) dated March 1977, the NRC staff identified this as a potential problem and took the position that the General Electric Company would be required to make provisions to improve the testability of the ADS solenoid valves during reactor operation. Therefore, the staff requires that the applicant revise the design of the circuitry used to actuate the solenoids to permit verification of solenoid operation during tests.

RESPONSE

I. Summary

The function of the ADS system is to reduce reactor pressure during small breaks in the event of a postulated HPCS failure. When the vessel pressure is reduced to within the capacity of the low pressure system (LPCS and LPCI), these low pressure systems provide inventory makeup to assure acceptable post accident consequences.

Testing of the ADS pilot air solenoid valves to assure their operability is performed at least once per 18 months at a reduced reactor steam dome pressure (greater or equal to 100 psig) in order to avoid the hazard of accidental vessel depressurization and to avoid the build up of fission product contaminant in the suppression pool.

Testing of the ADS system logic up to but not including the actual operation of the pilot air solenoid valve is done by periodic surveillance testing as required by Technical Specification.

The testability of the ADS pilot air solenoid valve during power operation has been the subject of numerous in-depth investigations.

Previous correspondences between GE and USNRC on this subject are attached for reference.

Studies have concluded that any modifications to test the pilot air solenoid valve will only reduce the reliability of the ADS.

II. Testability Provisions for ADS

Sensing devices utilized for measuring reactor water level, drywell pressure and LPCI or LPCS pump discharge pressure are of the analog transmitter type.

The trip unit associated with each transmitter is a card housed in a rack unit in the control room.

Each bistable trip unit containing an integral meter accepts a 4 to 20 milliamp input and drives up to three trip relays.

The interval between calibration for transmitters is expected to be one year.

Verification of correct operation of the analog transmitter can, however, be made during periodic surveillance testing of ADS by cross correlation between channels at the trip unit in the control room.

Recalibration of the analog transmitter, if determined as being required, can be done during power operation.

Calibration or trip setpoint surveillance testing of the ADS trip units is initiated by a calibration unit at the trip unit.

The calibration unit calibrated command signal enables the trip unit to accept a calibration current in place of transmitter current and at the same time causes the trip unit to indicate an out of service condition which is annunciated to the operator.

Trip setpoint testing of the trip unit will operate the associated trip relay.

The ADS consists of two separate logic circuits, either of which will simultaneously operate all of the ADS valves.

The logic circuits are designed to allow the system testing without actually opening any of the ADS valves.

During testing, to prevent opening of the ADS valve, one of each pair of complementary logic channels A&E or B&F is inactivated by a test switch which is plugged into the logic panel in the control room.

Operating the test switch through each of its positions in combination with operation of the trip units allows verification of the proper ADS logic response by observing indicating lamps and activation of annunciator windows.

The final ADS valve initiating logic is verified by neon lamps connected across series logic contacts which allow verification of operation without actually operating the associated solenoid pilot valve (see ADS Elementary Diagram GE's 828E226CA, Sheet 11, a portion of which is shown below).

III. ADS Pilot Solenoid Testability

The ADS pilot solenoid operability test is performed at least once per 18 months at a reduced reactor steam dome pressure.

In order to test the solenoid valves more frequently, it would be necessary to introduce an additional valve which would block the air line to the air operator.

GE has investigated in depth the benefit of adding valves in order to test the ADS pilot solenoid valve.

As can be seen from the attached reference, these modification ideas will only decrease the reliability of the ADS.

CEI has also looked into the need of including a continuity check of the solenoid at power.

The result indicated that there is no reason and no history to believe or to consider that continuity at the solenoid is questionable while the rest of the ADS is operable.

Furthermore, given the proven reliability of the solenoid valve, the weakest link is more probably the mechanical motion of the solenoid plunger, which the continuity check does not and cannot verify.

As a result of this investigation, it is apparent that to modify the current ADS design to include additional continuity check of the solenoid will not improve the proven reliability of the ADS pilot solenoid valve which is already required to open at power, at least once per 18 months.

IV. Conclusion

The Perry ADS design principle is consistent with all existing BWR's ADS, and in fact, the Perry ADS design is identical to that for Grand Gulf and Clinton Nuclear Power Plants.

CEI and GE have also investigated the possible modifications to allow continuity check of the solenoid and to allow testing of ADS pilot air solenoid valves at power.

The result has indicated that those modifications will not improve ECC or ADS reliability. Moreover, these modifications may introduce unreliability either not considered or overlooked in the investigation process.

CEI and GE believe the current surveillance testability of the ADS is sufficient and adequate.

The testing period coincides with the operating and refueling cycle as established and approved by the NRC for operating BWR's.

[Attachment for 421.72: portion of ADS Elementary Diagram 828E226CA, Sheet 11 (ADS logic). The diagram is not legible in the scanned text.]

421.73 During our review, it has become apparent that the logic for manual initiation for several Engineered Safety Feature (ESF) systems is interlocked with permissive logic from various sensors.

In some cases it appears that the permissive logic is dependent upon the same sensors as those used for automatic initiation of the system.

The staff questions whether this design meets the intent of IEEE 279, Section 4.17.

The staff requires the applicant to revise the design to provide the capability to manually initiate each safety system independent of any permissive logic dependent upon sensors or circuitry used for automatic initiation or submit justification for interlocks for each ESF system in which the applicant proposed to retain the interlocks.

RESPONSE

I. ECCS

The Emergency Core Cooling System (including the LPCS, LPCI, HPCS, and ADS subsystems) as a whole meets the single failure criteria of IEEE 379. It also meets the intent of IEEE 279 Section 4.17 at the ECC System level, since there is no single manual initiation action which initiates the Perry ECCS.

Each individual subsystem has provision for its own manual initiation.

LPCS, LPCI and HPCS

The LPCS, LPCI, and HPCS initiating logic can be activated manually by the operator at the same level as the automatic initiation.

The system operation after manual initiation is dependent on normal or auxiliary power being available at the pump bus and on normal valve and pump control lineup for "auto" operation.

Additionally the LPCS, LPCI, and HPCS operation can be initiated manually by the manipulation of the individual subsystem valve, pump and power systems control switches.

In this mode the LPCS and LPCI injection valves cannot be opened manually unless a LOCA signal exists or until the reactor pressure is below the setpoint which inhibits manual operations of these valves. The HPCS flow to the vessel is inhibited in manual or automatic mode with a high vessel water level signal present.

The LPCS, LPCI, and HPCS can be manually shut down individually by operator control overriding the automatic or manual initiation signal or by closing the injection valve or stopping the pump motor.

ADS

The ADS initiating logic can be activated manually by the operator at the same level as the automatic initiation.

The manual initiation action bypasses the ADS timer but is subject to interlock conditions which are the same as the automatic mode. The interlock ensures the LPCS or LPCI pump is running prior to depressurization of the reactor vessel by ADS.

Additionally, each ADS valve can be manually opened without restriction from a control switch in the control room.

The ADS system automatic operation cannot be shut down by the operator while the high drywell pressure/RPV low level persists. The operator can reset the ADS timer to delay, or interrupt, ADS operation for 105 seconds.

II. CRVICS

The CRVICS initiating logic can be activated manually by the operator. There are no interlocks for manual operation.

III. Suppression Pool Cooling Mode

The Suppression Pool Cooling mode of RHR is initiated only by manual action.

Manual initiation is governed by a 10 minute post-LOCA timer.

The 10 minute timer prevents operator action which could divert LPCI flow away from the reactor core.

Containment Spray Mode also takes precedence over the Suppression Pool Cooling mode.

Upon initiation of containment spray the RHR test return valve F024 and heat exchanger bypass valves will close if open or will be interlocked to prevent opening if they are closed.

IV. Containment Spray Mode

The Containment Spray Mode initiating logic can be activated manually by the operator.

The manual initiation is subject to interlocks which include High Drywell Pressure for both A and B subsystems and a 90 second delay timer for the B subsystem.

These interlocks are considered necessary to protect containment integrity.

Background

The design internal pressure for the steel containment is 15 psig.

The design internal pressure bounds the maximum pressure resulting from any size liquid/steam break inside the drywell.

Thus, it is clear that the highest containment pressure is conservatively computed without the consideration of containment spray.

The design external pressure is 0.8 PSID. The design external pressure is computed from the inadvertent containment spray of both containment spray loops with the containment atmosphere at very disadvantageous environmental conditions (see FSAR 6.2).

GENERAL ELECTRIC
NUCLEAR ENERGY SYSTEMS DIVISION
General Electric Company, 175 Curtner Avenue, San Jose, California 95125
BWR Projects Department
Phone (408) 297-3000, TWX No. 910436-0114
Mail Code 685

August 9, 1976
Letter No. 781-152-76

Director of Reactor Regulation
ATTN: Mr. B.C. Rusche, Director
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Dear Mr. Rusche:

This letter is to request your review of an outstanding issue regarding testability during power operation of the Automatic Depressurization System (ADS) which has been the subject of numerous technical discussions with your staff.

In a meeting on July 1, 1976 with Mr. Roger S. Boyd and members of his staff, we stated that while we could not agree with the staff's position on ADS testability, we would agree to comply with it in the interest of resolving a longstanding open issue. At that time, Mr. Boyd allowed approximately one month for General Electric to formally respond either with details of the proposed modifications, or with an appeal letter on the subject.

Since that time, we have evaluated the staff's proposed design change and are convinced that the change reduces plant safety since the overall reliability of the ADS is decreased.

Accordingly, we believe that a formal review of this matter by yourself and other senior staff members is appropriate.

The background is as follows:

In October, 1974 a series of meetings were held at San Jose between General Electric and members of the Nuclear Regulatory Commission staff to discuss the new solid state control and instrumentation systems for the BWR-6.

During the course of these meetings, members of the staff expressed their desire to have changes made to the ADS system to improve testability of the system and General Electric committed to investigate the feasibility of making the ADS system fully testable through actuation of the pilot solenoid valves. Several subsequent discussions and meetings were held between personnel from General Electric and the staff to discuss the subject of ADS testability.

On August 22, 1975 at a meeting with the NRC in Bethesda, General Electric stated that the only methods that General Electric was aware of to accomplish this testability feature involved pneumatic circuit design changes which could conceivably result in an overall degradation of system availability. General Electric committed to provide a reliability analysis showing the net effect of modifying the circuitry to make the system testable.

On October 17, 1975, in response to 251 NSSS GESSAR question 222.14, General Electric submitted an analysis, provided herein as Attachment 1, showing the effect of various pneumatic circuitry modifications on the system availability. The analysis showed conclusively that modifications to the circuitry to permit pilot valve testability degraded the availability of the system, and it was our opinion at the time that analysis would resolve this issue. The staff, after reviewing the analysis, still maintained that they would require the system to be fully testable.

In the July 1, 1976 meeting between General Electric and the staff, the subject of ADS testability was reviewed, and the staff again argued that the system be made testable during power operation by application of the staff's proposed modifications.

In the interest of resolving this item, General Electric, as I indicated earlier, committed to incorporate the design features suggested by the staff (Attachment #2). However, upon closer evaluation of the proposed new design, General Electric has determined that we cannot agree to include this design as a part of the BWR-6.

The reasons are as follows:

1. The design, as suggested by the staff, is not testable because solenoid valve "A" (Attachment 71 sheet 3) cannot be verified during the testing sequence.

2. Modifying the pneumatic circuitry to place the existing solenoid valves in series rather than parallel results in increasing by a factor of approximately 68 the system unavailability on a yearly test interval. If it is assumed that solenoid valve "B" is tested frequently, the system unavailability is still a factor of 14 greater than the existing design. Attachment 3 provides an analysis comparing the proposed system with the present system.

3. Modifying the electrical circuitry to "de-energize to operate" would result in simultaneous blowdown of all safety relief valves if both 125 VDC battery supplies fail. Additionally, it should be noted that normally energized solenoids, which the suggested design requires, are less reliable and subject to temperature stress.

4. A series arrangement of the pilot valves as suggested by the staff is susceptible to single failure and would not meet the Commission's single failure criteria.

In addition to showing the effect of system modifications on overall availability, General Electric has performed and provided to the staff in an appeal meeting held on June 11, 1976 at Bethesda an evaluation of the existing ADS system against appropriate industry and NRC criteria, standards and guides. The evaluation showed that the system meets all of these criteria, standards and guides.

General Electric fully agrees with the NRC that systems should be reviewed and periodically revised to increase plant safety and reliability; however, in this case we firmly believe that the existing ADS design will be more reliable than the alternate design proposed by the staff which incorporates a testability feature.

General Electric Company requests an appeal meeting with you at an early date with the objective of obtaining early resolution of this matter.

Sincerely,

G. G. Sherwood, Manager
Safety and Licensing

GGS:JDH:JFQ:csc
Attachments (3)

cc: L.S. Gifford
bcc: W.D. Gilbert, E.D. Fuller, G.C. Ross, J.L. Benson, F.D. Judge, H.H. Hendon, D.R. Wilkins, J.E. Hench, D.G. Scapini, O.J. Foster, G. Bradstad, D.L. Murray, W.C. Brady
MFN 282-76

ATTACHMENT 1
101775

QUESTION 222.14

In the staff's Safety Evaluation Report (first supplement) on GESSAR-238, we accepted G.E.'s identification of a development program which was to result in improvements in the testability of the Automatic Depressurization System (ADS).

We specifically pointed out that the improved design "must include provisions for testing the pilot solenoid valves." We also stated that the relief valves themselves need not be tested during reactor operation.

In Amendment 34 to GESSAR-238, the applicant stated: "We know of no means of totally verifying the operation of the ADS solenoids during power operation other than purposely actuating the system."

G.E. proposes to verify the continuity through the solenoid coil during plant operation. The staff's position with regard to continuity checks is detailed in the recommendations of Regulatory Guide 1.53, "Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems" (6/73), specifically Regulatory Position Number 2.

Therefore, the staff requires that G.E. provide a design that allows more conclusive testing which can be considered as adequate bases to classify the failure of these solenoid valves as detectable.

RESPONSE

In the Staff's Safety Evaluation Report (first supplement on GESSAR 238) it was noted that G.E. committed to the following two items as concerns the ADS system.

1. The effects of inadvertent actuation of the safety/relief valves would be studied and if the results of this study showed that it was necessary, the design would be such that no single failure would result in more than one safety/relief valve being opened.

2. A study would be made of methods to improve testability of the safety/relief valves.

The response to question 220.3 (7)a stated that the information on inadvertent actuation of valves would be provided to the NRC. Topical reports NEDO-20942 and NEDE-20942P, which examine the effects of multiple relief valve discharge, were submitted to the NRC.

The response to question 220.3 (7)b stated that G.E. knew of no means of totally verifying the ADS solenoids during power operation.

A meeting was held between G.E. and NRC personnel on August 22, 1975.

During the course of that meeting ADS testability was discussed. In essence, G.E. informed the NRC that the only methods G.E. knew of to test the ADS solenoids was to add a blocking valve(s) downstream of the solenoids and perform testing in a manner similar to that performed on some ECC systems. The testing sequence would consist of closing the downstream valve(s) while testing the upstream valves and then closing the upstream valves and testing the downstream valves.

G.E. stated at the time that modification of the existing pneumatic circuit to accomplish this testing could result in a decrease in total system reliability since the pneumatic circuitry would become more complicated by adding the testability feature.

G.E. committed at that meeting to examine the pneumatic circuit design changes that would be required to achieve the testability and to perform a system reliability analysis to determine the net increase or decrease in the system reliability as a result of this testability feature.

The analysis, which follows, has been completed and shows that there is no gain (in fact, there is a loss) in system reliability by incorporating the testability feature.

Resolution of the ADS Testability issue will be attempted as follows:

a. The General Electric Company will implement a program to establish the reliability of the solenoid pilot valves that are used on the Automatic Depressurization System (ADS) and on the pressure relief system. The results of the program will be utilized to demonstrate that a test interval of the ADS compatible with the refueling outage (e.g., up to 21 months) is justified. General Electric Company has previously committed to undertake a surveillance program on the pressure relief valves. Reports pertaining to these programs will be transmitted to the NRC staff at the FDA phase of the GESSAR review.

b. The General Electric Company will prepare a report on the methodology for establishing acceptable failure rates and test intervals for the ADS. The report will include

1) the methods employed to calculate unavailability of the ADS,
2) the assumptions used in the calculations, and
3) a sensitivity analysis to determine which component failure rates of the ADS are governing.

General Electric Company will work with the staff to establish the concept of using reliability objectives as an industry discipline in assessing acceptability of nuclear power plant systems.

AUTOMATIC DEPRESSURIZATION SYSTEM (ADS) TESTABILITY

Introduction to Problem

The NRC has required that the Automatic Depressurization System (ADS) be examined to determine how the system testability could be improved.

In response to this requirement, a circuit modification which meets the testability requirement is shown which is analyzed along with the present circuit in order to assess the effect on reliability.

Present System

The solenoid valves which are used to initiate the Automatic Depressurization System (ADS) are used in redundancy so that even in the event one valve fails to operate, the function of energizing the air operator on the particular relief valve will be performed. The arrangement currently in use is shown in Figure 1, taken from the Nuclear Boiler System P & ID (Figure 7.3-11a of the 251 GESSAR).

The circuit works as follows: The three-way solenoid valves are de-energized during normal plant operation. The pneumatic air supply is blocked from reaching the air operator (AO) and the AO is vented to the containment. An air accumulator A003 and a check valve F039 function to allow a loss of pneumatic air supply without losing a driving source for several actuations of the AO.

A signal to operate solenoid valve A for the ADS function originates in Division 1 logic.

Similarly, a signal to operate solenoid valve B originates in Division 2 logic. When solenoid valves A and/or B are energized, air pressure is applied to the AO which, in turn, opens the relief valve.

Testing the solenoid valves to assure their operability is performed on an annual basis during reactor shutdown in order to avoid the hazard of accidental vessel depressurization and to avoid a buildup of fission product contaminants in the suppression pool.

Postulated System

A modification of the present system has been postulated wherein a remote manually operated valve(s) is placed between the AO and the solenoid valves in such a way that the pneumatic pressure signal can be blocked and the solenoid valves tested without operating the relief valve. The advantage to be gained is ease of testing the solenoid valves actuated by the ADS logic. The disadvantage is that the additional valve introduces non-fail-safe failure modes into the system. The question to be resolved is whether the net result is a gain or loss in reliability.

[Figure 1. ADS - Relief Valve Schematic (Current Design)]

Analytical Model

For the purposes of this analysis, consider that only the solenoid valves are of concern in the present circuit (Figure 2a) and that only the solenoid valves plus the remote manually operated blocking valve are of concern in the postulated circuit (Figure 2b).

[Figure 2. Reliability Block Diagram of the Present and Postulated Arrangement, Valves Only: (a) present solenoid valves; (b) present solenoid valves with the postulated blockage valve]

The unavailability of the present two valve redundancy is:

$$\bar{A}_{(1)} = (\lambda_1 \theta / 2)^2 \qquad \text{(See IEEE-352-1975 Equ. 5-8)} \tag{1}$$

where:

$\bar{A}_{(1)}$ is the unavailability of the present system.

$\lambda_1$ is the failure rate of the solenoid valve.

$\theta$ is the interval between tests of the solenoid valve.

Note: Equ. (1) applies if $\lambda \theta / 2$ is small, say less than 0.05.

The unavailability of the postulated system including the added blocking valve is:

$$\bar{A}_{(2)} = (\lambda_1 \theta_s / 2)^2 + \lambda_2 \theta / 2 \tag{2}$$

where:

$\bar{A}_{(2)}$ is the unavailability of the postulated system.

$\lambda_2$ is the failure rate of the added blocking valve.

$\theta_s$ is the interval between tests of the solenoid valve.

$\theta$ is the interval between tests of the added blocking valve.

In order for the postulated system to be as good or better than the present system, its unavailability must be equal to or less than the unavailability of the present system. Mathematically,

$$\bar{A}_{(2)} \le \bar{A}_{(1)} \tag{3}$$

or:

$$(\lambda_1 \theta_s / 2)^2 + \lambda_2 \theta / 2 \le (\lambda_1 \theta / 2)^2$$

Assume that $\theta_s$ is shorter than $\theta$ so that

$$\theta_s = a\theta \tag{4}$$

where $a$ is a factor between zero and one, then:

$$(\lambda_1 a \theta / 2)^2 + \lambda_2 \theta / 2 \le (\lambda_1 \theta / 2)^2 \tag{5}$$

Solving for $\lambda_2$:

$$\lambda_2 \le (1 - a^2)\, \lambda_1^2\, \theta / 2 \tag{6}$$

For small values of $a$, in other words, when the solenoid valves are tested frequently, $(1 - a^2)$ approaches unity, and equation (6) can be approximated by:

$$\lambda_2 \le \lambda_1^2\, \theta / 2 \tag{7}$$

If we know the failure rate for the solenoid valves and assume that $\theta$ is a one-year test interval (the interval associated with the present solenoid valve configuration and the interval associated with the postulated remote manually operated blockage valve) we can determine the maximum acceptable value for $\lambda_2$, the failure rate of the added blocking valve. For our analysis, $\lambda_1$ is assumed to be $5.6 \times 10^{-6}$ failures per hour (Appendix 6-A, 251 GESSAR).

Therefore

$$\lambda_2 \le \frac{(5.6 \times 10^{-6}/\text{hr})^2\,(8760\ \text{hrs.})}{2} \tag{8}$$

$$\lambda_2 \le 1.4 \times 10^{-7}\ \text{failures/hour} \tag{9}$$

[Figure 3. Reliability Block Diagram of a Postulated System with Redundant Blockage Valves]

The resulting value of $\lambda_2$ is what would be required just to "break even" from the standpoint of reliability, and it is a value nearly two orders of magnitude lower than was assumed for the original solenoid valves, clearly an unachievable goal in a single active device.

So, if an appropriately low failure rate cannot be achieved in a single device, the answer may be to go to redundant devices. Assume that two remote manually actuated blockage valves are applied in the postulated system in order to obtain an equivalent $\lambda_2$ of $1.4 \times 10^{-7}$ failures/hour. This variation is shown in Figure 3. Since even the redundant valves would have to be tested on an annual basis, the failure rate for the valve used in redundancy can be solved directly,

$$(\lambda_3 \theta / 2)^2 = \lambda_2 \theta / 2 \tag{10}$$

where $\lambda_3$ is the failure rate of one device in a pair of redundant devices which together have failure rate $\lambda_2$.

Solving for $\lambda_3$:

$$\lambda_3 = (2 \lambda_2 / \theta)^{1/2} \tag{11}$$

Substituting the values for $\lambda_2$ and $\theta$ already used yields

$$\lambda_3 = 5.6 \times 10^{-6}/\text{hour} \tag{12}$$

Note that this is exactly the failure rate assumed for $\lambda_1$, so the postulated solution is no better than the present one.
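The break-even argument of equations (1) through (12), carried through numerically as an added example that is not part of the original attachment. It assumes a solenoid failure rate of 5.6e-6 failures per hour and an 8760-hour (one-year) test interval as read from the scan; the function names are illustrative.

```python
"""Break-even analysis for adding a blocking valve to the ADS pilot air circuit.

Added example, not code from the attachment. It uses the attachment's
approximations, which are stated to hold while (rate * interval / 2) < 0.05.
"""
import math

# Assumed inputs, as read from the scanned attachment.
LAMBDA_1 = 5.6e-6   # solenoid valve failure rate, failures per hour
THETA = 8760.0      # one-year test interval, hours


def approximation_valid(lam, theta):
    """Equation (1) is stated to apply only if lam * theta / 2 is small (< 0.05)."""
    return lam * theta / 2 < 0.05


def present_unavailability(lam1, theta):
    """Equation (1): two redundant solenoid valves, both tested every theta hours."""
    return (lam1 * theta / 2) ** 2


def postulated_unavailability(lam1, lam2, theta, a):
    """Equations (2) and (4): solenoid pair tested every a * theta hours, in series
    with one blocking valve (rate lam2) that is tested every theta hours."""
    return (lam1 * a * theta / 2) ** 2 + lam2 * theta / 2


def break_even_lambda2(lam1, theta, a=0.0):
    """Equation (6): largest blocking-valve failure rate that leaves the postulated
    system no worse than the present one. a = 0 gives equation (7)."""
    return (1 - a ** 2) * lam1 ** 2 * theta / 2


def redundant_device_rate(lam2, theta):
    """Equation (11): failure rate each of two redundant blocking valves must have
    for the pair to be equivalent to a single device of rate lam2."""
    return math.sqrt(2 * lam2 / theta)


def penalty_factor(lam1, theta, a):
    """Postulated / present unavailability when the blocking valve is only as
    reliable as a solenoid valve (lam2 = lam1)."""
    return (postulated_unavailability(lam1, lam1, theta, a)
            / present_unavailability(lam1, theta))


if __name__ == "__main__":
    print("approximation valid:", approximation_valid(LAMBDA_1, THETA))
    print("present unavailability: %.3e" % present_unavailability(LAMBDA_1, THETA))
    # Sweep the solenoid test fraction a: yearly (1.0) down to continuous (0.0).
    for a in (1.0, 0.5, 1 / 12, 0.0):
        lam2 = break_even_lambda2(LAMBDA_1, THETA, a)
        print("a = %.3f  break-even lambda_2 = %.3e /hr" % (a, lam2))
    lam2 = break_even_lambda2(LAMBDA_1, THETA)
    print("redundant device rate: %.3e /hr" % redundant_device_rate(lam2, THETA))
    print("penalty with lam2 = lam1: %.1fx" % penalty_factor(LAMBDA_1, THETA, 0.0))
```

With these inputs the break-even rate from equation (7) feeds back through equation (11) to the solenoid rate itself, which is an algebraic identity rather than a numerical coincidence.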

To recap the story thus far, the present system uses redundant solenoid valves, but they cannot be tested without lifting the relief valves, an undesirable event. So they are only tested once per year.

In order to test these solenoid valves more frequently, it would be necessary to introduce an additional valve which blocks the air line to the air operator. With this addition, the air line can be blocked and the solenoid valves tested as is desired, thus eliminating the solenoid valve reliability as a problem. However, the added valve is used to block the air line.

If it fails in the blocked position, it blocks not only the test, but also the ADS signal to actuate the relief valve. The only way to assure that the valve is not failed blocking the line is to test through, which of course operates the relief valve.

But this is undesirable, so it is only done once per year. In order not to degrade the overall reliability, the failure rate of the added valve in the "fail blocked" position must be extremely low, an unachievable goal for an active device.

If the failure rate is unachievable on a single valve, the obvious answer is redundancy or more frequent testing.

In order to test the blockage valve more frequently, an additional blockage valve is needed downstream of the first one in order to test the first blockage valve, and so on.

If the redundancy approach is used, the failure rates of the added devices have to be as low as the original solenoid valves just to break even on reliability.

The original goal was not just to break even, but to improve the reliability.

Therefore, the added remote manually operated blockage valves should be substantially better than the existing solenoid valves.

If such a valve is available with a substantially lower failure rate, then reliability could be improved. However, if such a better valve is available, it would be more rewarding to apply it as the solenoid valve in the existing configuration.

An additional consideration is that which deals with inadvertent actuation of a safety/relief valve. The failure mode thus far considered on the blockage valves is failure to open. The opposite failure mode, failure to close, is not entirely safe either. If the blockage valve fails to close before the solenoid valves are tested, it will initiate a spurious trip of the associated safety/relief valve. This is an undesirable event and the postulated system introducing the blockage valve would tend to increase its frequency. Redundant blockage valves arranged to reduce the probability of failure to open would tend to increase the frequency of inadvertent safety/relief valve actuation still more. A numerical assessment of this influence has not been attempted.


ATTACHMENT 2, Sheet 1 of 4

PRESENT ADS/SAFETY RELIEF VALVE LOGIC DIAGRAM

[Logic diagram. Labels: Channel 1, Div. 1 power, actuation solenoid A, energize to actuate safety relief valve; Channel 2, Div. 2 power, actuation solenoid B, energize to actuate safety relief valve; Channel 1 or Channel 2.]

Energization of either solenoid will open final relief valve.


ATTACHMENT 2, Sheet 2 of 4

PROPOSED NRC LOGIC DIAGRAM

[Logic diagram. Labels: Channel 1, Channel 2, Channel 3, Channel 4; Div. 1 power; Div. 2 power; solenoid A, de-energize to actuate safety relief valve; solenoid B, de-energize to actuate safety relief valve; "and".]

De-energization of both solenoids will open final relief valve.

NOTE: Independence required to prevent a "failure" in a "logic" and/or "actuation" from preventing the de-energization of the set of A solenoids or the B solenoids.


ATTACHMENT 2, Sheet 4 of 4

[Schematic. Labels: PNEUM SUPPLY; F036; F039; ACCUM A004; ACCUM A003; "For inputs -- see logics".]

FIGURE 1. ADS -- RELIEF VALVE SCHEMATIC

ATTACHMENT 3

Analysis of Existing Versus Suggested System

Existing System Model

[Diagram. Labels: solenoids; to main valve; solenoid failure rate.]

The system unavailability is given as

$$A_1 = \frac{(\lambda\theta)^2}{3}$$

where:

$A_1$ = system unavailability

$\lambda$ = solenoid failure rate = $5 \times 10^{-6}$ failures/hr

$\theta$ = test interval = 8760 hours (1 year)

Suggested System Model

[Diagram. Labels: solenoid "A"; solenoid "B"; air; to main valve; solenoid failure rate.]

The system unavailability is given as

$$A_2 = \frac{\lambda\theta}{2} + \frac{\lambda\theta}{2}$$

where:

$A_2$ = system unavailability

$\lambda$ = solenoid failure rate = $5 \times 10^{-6}$ failures/hr

$\theta$ = test interval in hours


ATTACHMENT 3 -- cont'd

COMPARISON BETWEEN EXISTING AND SUGGESTED SYSTEMS

Since the existing system can only be tested yearly, the system unavailability is:

$$A_1 = \frac{(5 \times 10^{-6})^2 (8760)^2}{3}$$

The system unavailability for the suggested system assuming a yearly test interval is:

$$A_2 = \frac{2 (5 \times 10^{-6}) (8760)}{2}$$

and the ratio $A_2 / A_1$ is:

$$\frac{A_2}{A_1} = \frac{2 (5 \times 10^{-6}) (8760) / 2}{(5 \times 10^{-6})^2 (8760)^2 / 3} = \frac{3}{(5 \times 10^{-6}) (8760)} \approx 68$$

The system unavailability for the suggested system assuming that solenoid "B" is tested very frequently (solenoid "A" is not fully testable) is:

$$A_2 = \frac{(5 \times 10^{-6}) (8760)}{2}$$

and the ratio $A_2 / A_1$ is:

$$\frac{A_2}{A_1} = \frac{(5 \times 10^{-6}) (8760) / 2}{(5 \times 10^{-6})^2 (8760)^2 / 3}$$
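The Attachment 3 comparison can be checked numerically. The following is an added example, not part of the original submittal: it evaluates the attachment's approximations (existing system, squared failure-rate-times-interval term over 3; suggested system, one half-term per solenoid) against the time-averaged unavailability of a solenoid that fails exponentially and is restored by a perfect periodic test. The exponential model, the perfect-test assumption and all function names are assumptions of this example.

```python
import math

LAM = 5e-6      # solenoid failure rate, failures/hr (value from Attachment 3)
THETA = 8760.0  # yearly test interval, hours (value from Attachment 3)

def single_exact(lam, theta):
    """Time-averaged probability that one solenoid sits failed between tests.
    Assumes exponential failures and a perfect test every theta hours."""
    x = lam * theta
    if x == 0.0:                     # tested continuously: never left failed
        return 0.0
    return 1.0 + math.expm1(-x) / x  # 1 - (1 - e^-x)/x, about x/2 for small x

def parallel_exact(lam, theta):
    """Existing design: either solenoid opens the valve, so both must be failed.
    Average of (1 - e^(-lam*t))^2 over one test interval."""
    x = lam * theta
    return 1.0 + 2.0 * math.expm1(-x) / x - math.expm1(-2.0 * x) / (2.0 * x)

def series_exact(lam, theta_a, theta_b):
    """Suggested design: both solenoids must act, so either failure defeats it.
    Rare-event sum of the two per-solenoid averages, as the page's formula is."""
    return single_exact(lam, theta_a) + single_exact(lam, theta_b)

def parallel_page(lam, theta):
    return (lam * theta) ** 2 / 3.0                    # A1 as given on the page

def series_page(lam, theta_a, theta_b):
    return lam * theta_a / 2.0 + lam * theta_b / 2.0   # A2, one term per solenoid

def compare(lam=LAM, theta=THETA):
    """Ratios A2/A1 for the two cases in Attachment 3 (theta_b = 0 is the
    'solenoid B tested very frequently' limit)."""
    a1_page, a1_exact = parallel_page(lam, theta), parallel_exact(lam, theta)
    return {
        "yearly_page": series_page(lam, theta, theta) / a1_page,
        "yearly_exact": series_exact(lam, theta, theta) / a1_exact,
        "b_frequent_page": series_page(lam, theta, 0.0) / a1_page,
        "b_frequent_exact": series_exact(lam, theta, 0.0) / a1_exact,
    }

if __name__ == "__main__":
    for case, ratio in compare().items():
        print(f"{case:18s} A2/A1 = {ratio:6.2f}")
```

The exact time averages differ from the attachment's approximations by only a few percent at these values, so the conclusion that the series (de-energize-to-actuate) arrangement is far less available than the existing parallel one does not depend on the approximation.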
