ML20065B089

Power Operated Relief Valve Reliability Study & Setpoint Analysis for TVA & WPPSS, Final Rept
ML20065B089
Person / Time
Site: Washington Public Power Supply System
Issue date: 06/30/1982
From:
BABCOCK & WILCOX CO.
To:
Shared Package
ML20065B080 List:
References
RTR-NUREG-0737, RTR-NUREG-737, TASK-2.K.3.01, TASK-2.K.3.02, TASK-TM BAW-1740, NUDOCS 8209140248


Text

- FINAL REPORT -

PORV RELIABILITY STUDY AND SETPOINT ANALYSIS FOR TENNESSEE VALLEY AUTHORITY AND WASHINGTON PUBLIC POWER SUPPLY SYSTEM

CONTRACT NO. 600-5253

BAW-1740 Babcock & Wilcox JUNE 1982

BAW-1740 June 1982

- FINAL REPORT -

PORV RELIABILITY STUDY AND SETPOINT ANALYSIS FOR TENNESSEE VALLEY AUTHORITY AND WASHINGTON PUBLIC POWER SUPPLY SYSTEM

B&W Contract No. 600-5253

BABCOCK & WILCOX
Nuclear Power Group
Nuclear Power Generation Group
P. O. Box 1260
Lynchburg, Virginia 24505

Babcock & Wilcox
Nuclear Power Group
Nuclear Power Generation Division
Lynchburg, Virginia

Report BAW-1740
June 1982

PORV Reliability Study and Setpoint Analysis for the 205-FA Owners Group

Key Words: PORV Relief System Reliability, Automatic Block Valve Closure System

EXECUTIVE SUMMARY / ABSTRACT

This report justifies the use of pre-TMI (as-designed) trip setpoints on the 205-fuel assembly pilot-operated relief valve (PORV) isolation system. The proposed system design using these setpoints comprises a single PORV and a single block valve with an automatic closure feature.

The supporting analysis verifies that the system design fulfills both operational and reliability requirements. The system ensures normal PORV operation and prevents high-pressure injection (HPI) actuation on low reactor coolant pressure if the PORV should fail open. Failure to isolate the PORV relief path is limited to 1.66 x 10-" (TVA)/1.26 x 10-" (WPPSS) failures per reactor year. Restoration of the designed PORV function will not lead to unacceptable challenges for the safety valves, which will have a failure rate of 9.73 x 10^-8 failures per reactor year.

Consequently, B&W recommends that the automatic PORV block valve closure system be installed. In addition, the mandatory reactor trip on turbine trip should be eliminated since reliability requirements are easily achieved even at the elevated PORV challenge rate.

The advantages of this design include an enhanced ability to isolate the PORV relief path (compared to the 177-FA design), as well as fewer reactor protection system challenges and reactor trips. As a result, plant availability is increased. Plant safety will also be enhanced by permitting turbine and reactor runbacks. Should grid separation occur, these features will ensure that the integrity of the power supply defense systems is maintained.

The system does have two drawbacks: In some cases, reactor coolant system depressurization may actuate the engineered safety features actuation system if maximum instrument error is encountered. Also, the pressurizer code safety valves may be challenged if the PORV is inoperable and HPI has been actuated. However, the probability of either of these event sequences occurring is small.

CONTENTS

1. INTRODUCTION
   1.1. Background
   1.2. Scope
   1.3. Results
   1.4. Organization
2. SYSTEM DESCRIPTION
3. PORV ISOLATION VALVE SETPOINT
4. PORV/SAFETY VALVE DEMAND FREQUENCY
5. PORV RELIEF PATH RELIABILITY
6. SAFETY VALVE RELIABILITY
7. ANTICIPATORY REACTOR TRIP ON TURBINE TRIP
8. CONCLUSIONS
9. RECOMMENDATIONS
10. BIBLIOGRAPHY

APPENDIXES

A. System Fault Trees
B. Human Error Analysis
C. Statistical Modeling of PORV Lifts
D. Failure Data
E. Event Sequences

List of Tables

1. Setpoints for PORV Isolation Valve Closing Setpoint Analysis
2. PORV Lifts
3. PORV Automatic Block Valve Isolation System Failure Probability and Confidence Limits

1. INTRODUCTION

Following the loss-of-coolant accident (LOCA) at the Three Mile Island Unit 2 (TMI-2) facility, the NRC re-evaluated the power-operated relief valve (PORV) system requirements. Plant configuration changes were recommended to reduce the probability of PORV failures. Operating plants were required to raise PORV setpoints, lower high-pressure reactor protection system (RPS) setpoints, and install anticipatory reactor trips upon main turbine trips. These modifications have reduced plant availability by increasing the number of reactor trips. The severity of these plant upsets can be reduced while meeting PORV reliability requirements. By returning the setpoints to their pre-TMI values and by installing an automatic PORV isolation system, both goals can be achieved.

The NRC has formalized guidance for the PORV system changes. The guidance is included in sections II.K.3.1 and II.K.3.2 of NUREG-0737. Section II.K.3.2 requires a report documenting the various actions that have been taken to decrease the probability of a small break LOCA caused by a stuck-open PORV or safety valve. If these actions reduce the probability of a small break LOCA caused by a stuck-open PORV so that it is not a significant contributor to the probability of a small break LOCA due to all causes, then no other actions are needed. If the contribution of the PORV to the total probability is more significant, then II.K.3.1 requires installation of an automatic PORV isolation system.

This report provides the rationale for maintaining the PORV and the high-pressure RPS trip setpoints at their as-designed values, thus reducing unnecessary reactor trips by allowing the PORV to operate as intended. Since maintaining the PORV's intended function results in a moderate challenge rate to the valve, an automatic PORV block valve isolation system is necessary to achieve overall system reliability as required by II.K.3.2. An isolation system description and reliability analysis are included to verify that the system will not be a major contributor to the probability of a small break LOCA. In addition, it is shown that safety valve reliability is not significantly affected by the isolation system.

1.1. Background

Following the accident at TMI, the NRC required changes to the PORV opening and high-pressure reactor trip setpoints and the addition of an anticipatory reactor trip on turbine trip for all the operating plants. These changes have increased the number of reactor trips per month caused by minor over-pressure events, turbine trips, and feedwater upsets. As intended, the modifications have reduced the number of challenges to the PORV, but they have concurrently increased the number of challenges to the reactor protection system (RPS) and other safety systems required to support a trip. Data collected has shown that of the 87 reactor trip events from September 1979 through December 1981, 40% were caused by high RCS pressure and 29% by the anticipatory reactor trip on main turbine trip.

In order to improve plant availability by reducing the number of reactor trips, the operating plant owners embarked on a program to return the PORV and high-pressure reactor trip setpoints to their pre-TMI values. These actions would increase the number of PORV challenges, necessitating the installation of an automatic PORV closure system. A preliminary conceptual system design was prepared for the Florida Power Corporation in May 1980. In principle, the proposed design was identical to that proposed for backlog B&W 205-FA units. It consisted of a single PORV and a single block valve with an automatic closure feature. The system improved the probability of isolating a failed-open PORV by a factor of 25. However, its failure rate was still too high not to be considered a major contributor to the probability of a small break LOCA.

1.2. Scope

The results of the original automatic PORV isolation system proposed for Florida Power showed that the failure rate for isolating the PORV relief path prior to ESFAS actuation was 9.7 x 10" per reactor year. In order for the PORV not to be considered a significant contributor to the probability of a small break LOCA due to all causes, the calculated failure rate had to be reduced to approximately 3 x 10- per reactor year. To achieve this rate, a more detailed analysis was conducted for the 205-FA plants. It addressed four major areas:

PORV Relief System Setpoints - The automatic PORV isolation system was subjected to dynamic setpoint analysis using the POWER TRAIN V (PT-V) code. Setpoint selection was based on (1) the expected minimum closure pressure for the PORV to preclude automatic block valve closure during normal PORV operation, (2) PORV block valve closure early enough to avoid ESFAS actuation due to low RCS pressure following a stuck open PORV (assuming no additional failures causing loss of RCS pressure control), (3) PORV block valve stroke time, and (4) nominal errors on applicable setpoints and instrument strings.

PORV/Safety Valve Demand Frequency - The demand frequencies of the PORV and safety valves were predicted for the backlog 205-FA plants. Various overheating events, such as turbine trips, reactor trips, and feedwater pump trips were considered, as well as overcooling events resulting in HPI repressurization. The PT-V code was used to model the overheating transients, while the KPRZ code was used for the overcooling transients.

PORV Relief Path Reliability - The probability of an open PORV flow path depends on the PORV demand frequency, the probability of a failed-open PORV (given that it has opened), and the probability of no block valve closure (given a stuck-open PORV). The probability calculations were based on valve hardware faults, valve operator faults, control faults, and human action probabilities.

Safety Valve Reliability - The probability of safety valve failure depends on the demand frequency, PORV position (open or closed), and the phase of the effluent (liquid or vapor). The probabilities for steam relief were estimated from applicable experience on steam safeties and B&W operating experience. Water relief probabilities were estimated using EPRI valve tests and applicable B&W experience.

1.3. Results

The results of these analyses indicate three significant points. First, by using an isolation valve closing setpoint of 2170 psig, ESFAS will not be actuated if nominal (as designed) trip setpoints are used. Premature isolation valve closure during normal PORV operation will also be prevented on more than 95% of the isolation valve challenges. Second, PORV and safety valve failure rates will be limited to 1.66 x 10-" (TVA)/1.26 x 10 " (WPPSS) and 9.73 x 10^-8 failures per reactor year, respectively. At these levels, neither component can be considered a significant contributor to the probability of a small break LOCA. Finally, the demand frequency analysis indicates that a main turbine trip will generate about 1.12 PORV lifts per reactor year (about 26% of the total demand). However, the additional challenges do not significantly affect the reliability of the automatic PORV isolation system.

1.4. Organization

In order to logically evaluate the PORV isolation system, the body of this report is organized as follows. First, the basic conceptual design of the automatic PORV isolation system is described briefly to clarify system operation. Next, a block valve setpoint analysis is included to justify the closing setpoint choice. Given this setpoint, the demand frequency of the PORV and safety valves are predicted for various overheating/overcooling transients. With these predictions, the reliability of the PORV and safety valves is discussed. Finally, the post-TMI requirement of an anticipatory reactor trip on main turbine trip is evaluated objectively.

2. SYSTEM DESCRIPTION

The PORV has been deemed a probable source of failure that could lead to a small break LOCA. Should the PORV stick open or fail to reseat properly, coolant could be lost continuously from the RCS. A PORV relief path isolation system was designed to mitigate this event. The isolation system must function automatically to block the PORV whenever coincident "PORV flow" and low RC pressure signals are received. The system must also provide manual overrides for all automatic functions and allow the isolation valve to be opened by manual means alone. Within this framework, failure to close the PORV relief path must be less than 1 x 10^-3 failures per reactor year to keep the system from being considered a significant contributor to the probability of a small break LOCA.

On 205-FA units, the PORV isolation system will consist of a single PORV mounted downstream from a block valve with an automatic closure feature. Original design setpoints will be used to ensure normal PORV operation. For a typical transient, an overheating event for example, the system response can be anticipated. Under design conditions, as the RC pressure rises above 2295 psig, the PORV opens to limit additional pressure increases. Following the transient the RC pressure will drop below 2270 psig, and the PORV will close to maintain RC pressure.

For off-design operation, the PORV may fail to open or may open but fail to close. If the PORV fails to open and the RC pressure reaches 2355 psig, the high-pressure RPS will trip the reactor. On the other hand, the PORV may open but fail to close when RC pressure drops below the 2270-psig closing setpoint. If the pressure continues to drop to 2170 psig and the PORV remains open, the block valve will close to maintain RC pressure. Should the block valve fail to close, the RPS will trip on low RC pressure at 1987 psig (TVA)/2000 psig (WPPSS).

3. PORV ISOLATION VALVE SETPOINT

Since the PORV failure at TMI-2, an automatic PORV isolation system has been proposed to increase system reliability. For proper operation, the PORV opening and high-pressure reactor trip setpoints must be maintained at their original design values. An isolation valve closing setpoint of 2170 psig (100 psi below the PORV closing setpoint) was originally recommended to prevent unnecessary cycling of the isolation valve. This setpoint should also prevent low RC pressure ESFAS actuation and prevent lifting of the code safeties for most transients. The following analysis is included to verify that the 2170-psig block valve closing setpoint satisfies all three design criteria.

Closure of the isolation valve during normal PORV operation defeats the original purpose of the PORV. The pressure sensors for the PORV and the isolation valve are located in the pressurizer and at the hot leg tap, respectively. Due to elevation differences and frictional losses during transients, a pressure difference exists between the two sensors which may cause premature isolation valve closure.

To evaluate the effects of this pressure difference, a Monte Carlo simulation was performed. POWER TRAIN V runs supplied representative pressure differentials between the PORV and isolation valve closing setpoints for various transients. The Monte Carlo simulation utilized a range of representative pressure differentials and accounted for instrument errors. This analysis predicted the probability of an isolation valve closure, prior to PORV closure, to be less than 5%. Consequently, the present 2170-psig setpoint should allow normal PORV operation, prevent unnecessary cycling of the isolation valve, and automatically mitigate a failed-open PORV small break LOCA.

The closing setpoint of 2170 psig prevents low RC pressure ESFAS actuation. Overheating and overheating/overcooling transients run on the hybrid computer code PT-V verify this value. Table 1 lists the nominal and error-adjusted setpoints used in the analysis. On the TVA model, an error-adjusted closing setpoint of 2120 psig (110 psi below the actual 2230-psig PT-V setpoint) prevents reactor trips on low RC pressure for most transients. The following will probably trip the reactor on low RC pressure:

  Trip one RC pump at 100% EOL
  Trip one RC pump at 80-100% BOL

However, with a reactor trip-induced pressure drop of approximately 200 psi, the lowest RC pressure achieved is approximately 1885 psig. This is 75 psi above the low RC pressure ESFAS setpoint, 1840 psig (error-adjusted). Hence, even with a lower setpoint (2120 versus 2230 psig) and a low RC pressure reactor trip, low RC pressure ESFAS actuation does not occur.

In addition, the WPPSS PT-V model verifies the setpoint of 2170 psig. Closing setpoints of 2180 and 2215 psig were used on the WPPSS model. When using the 2180-psig setpoint, the reactor trips on low RC pressure following a turbine trip with error-adjusted setpoints. The lowest pressure produced following the trip is 1865 psig. This pressure is 45 psi above the ESFAS actuation setpoint of 1820 psig (error-adjusted). When using 2180 or 2215 psig as the closing setpoint, tripping one of two feedwater pumps will trip the reactor on low pressure and possibly actuate the ESFAS. The lowest pressure produced is 1775 psig, 45 psi below the error-adjusted ESFAS setpoint (1820 psig), but 15 psi above the nominal ESFAS setpoint (1760 psig). A feedwater pump trip with a coincident failed PORV inherently seems to trip the reactor on low pressure and actuates ESFAS, regardless of the isolation valve closing setpoint. Therefore, with the possible exception of a feedwater pump trip, a closing setpoint of 2170 psig prevents low RC pressure ESFAS actuation.

In addition, the isolation valve closing setpoint is low enough to prevent lifting of the pressurizer safety valves. Repressurization of the RCS occurs after closing the isolation valve. With the PORV now blocked, only the pressurizer spray and the high-pressure reactor trip can decrease RC pressure. The highest repressurization occurs for an RC pump trip transient on the WPPSS model. In this case, pressurizer pressure may reach 2305 psig. A further increase in pressure will trip the reactor on high RCS pressure. Hence, the high-pressure reactor trip ensures that repressurization will never lift the code safety valves.

If the 5% probability that the isolation valve will interfere with normal PORV operation is unacceptable, the PT-V analysis can be used to verify another setpoint. Preliminary PT-V results indicate that the lowest nominal closing setpoint that can be justified is 2060 psig, while the lowest error-adjusted (low side) setpoint is 2110 psig. Thus, the present analysis can be used to select and justify a setpoint lower than 2170 psig.

In summary, the PORV isolation valve closing setpoint of 2170 psig satisfies all design criteria. This setpoint prevents low RC pressure ESFAS actuation and prevents lifting of the pressurizer code safety valves. In addition, normal PORV operation is preserved, while unnecessary cycling of the isolation valve is prevented.

Table 1. Setpoints for PORV Isolation Valve Closing Setpoint Analysis

                             TVA setpoints, psig           WPPSS setpoints, psig
                             Nominal      With NAIEs(a)    Nominal      With NAIEs(a)
PORV block valve closing     2170         2120             2170         2120
                             (2230)(b)    (2180)           (2230)       (2180)
RPS low RC pressure          1987         2012             2000         2025
                             (2047)       (2072)           (2060)       (2085)
Low RC pressure ESFAS        1700         1750             1700         1760
                             (1760)       (1810)           (1760)       (1820)

(a) NAIEs: Non-accident instrument errors.
(b) Setpoints in parentheses are those used in POWER TRAIN V; 60 psi has been added to this setpoint to translate the setpoint from the hot leg tap to the top of the core.

4. PORV/SAFETY VALVE DEMAND FREQUENCY

In contrast to the operating 177-FA plants, the 205-FA design requires that the PORV setpoint be lower than the high-pressure reactor trip setpoint. This alignment increases the number of PORV challenges and raises questions about the reliability of the PORV and the safety valves. Operating experience from 177-FA plants (prior to the TMI-2 incident) indicates that a variety of transients may lift the PORV. Similar transients at the 205-FA plants should also generate PORV lifts. The following analysis predicts the number of PORV/safety valve lifts on the 205-FA units for transients in which either or both valves lift. With these demand requirements, the reliability of the PORV and the safety valves can be ascertained.

Challenges to the PORV and/or safety valves depend on the specific transient and plant being considered. Differences between the 205- and 177-FA plants eliminate the loss-of-main-feedwater transient. The anticipatory reactor trip on loss of both main feedwater pumps and on high flux/feedwater flow ratio should trip the 205-FA reactor before the PORV lifts. Also, differences between the TVA and WPPSS plants result in different transient lists for each plant. TVA's interlock to trip the reactor upon turbine trip - if reactor power is greater than 76% - eliminates a turbine trip from the transient list for TVA above 76% power. Based on 177-FA operating experience and plant differences, the resultant transient list includes the following:

  Turbine trip with reactor trip (TVA > 76% reactor power)
  Turbine trip without reactor trip
  Trip one FW pump
  Trip one RC pump
  Trip two RC pumps (one per loop)
  Load rejection
  Ramp one FW valve 50% closed
  Rod drop
  Overcooling with HPI/MU repressurization

This list, consisting primarily of moderately frequent events, does not include random instrument failures that occur as a result of hardware failures or human error.

Two computer programs were used to determine the number of PORV and safety valve lifts. POWER TRAIN V (PT-V), a hybrid code, determines the number of PORV and/or safety valve lifts for overheating transients. The TVA PT-V model was used for both the TVA and WPPSS plants. This is justified since the differences in heat generation and removal between the two plants tend to offset each other. Comparison of a few WPPSS runs and the TVA runs verifies this point. Since PT-V cannot model high-pressure injection, KPRZ, a non-equilibrium pressurizer code, was used. KPRZ ascertains the number of PORV and/or safety valve lifts for overcooling events with HPI/MU repressurization.

The overheating transients run on PT-V (TVA model) gave the number of PORV lifts. Table 2 shows the number of PORV lifts for beginning-of-life (BOL) and end-of-life (EOL) conditions. The results indicate the maximum number of definite lifts plus or minus the number of possible lifts. The number of possible lifts represents variations in the PORV setpoint and in plant conditions at the beginning of the transient. These variations can cause peak pressures that previously missed the PORV setpoint, but later actuate the PORV in the same transient. In determining the PORV lifts, PT-V limits were observed and proper AFW actuation and control were assumed. These lifts are valid over the reactors' 70-100% power range. Below 70% power, the PORV lifts approach zero since the plant, with the aid of the ICS, can handle RC pressure upsets without challenging the PORV. Consequently, the majority of the PORV lifts will occur at high power levels.

PT-V and KPRZ provide the number of lifts for the overcooling events with HPI/MU repressurization. PT-V models overcooling transients prior to ESFAS actuation. Pressurizer conditions (such as pressure, level, insurge, temperature, etc.) from PT-V enable KPRZ to model post-ESFAS events. Insurge flow was assumed to be primarily due to high-pressure injection. The modeling also assumed that the operator throttles HPI 10 minutes after ESFAS actuation in an effort to control pressurizer level and subcooled margin. Post-ESFAS events modeled on KPRZ predict that an HPI repressurization will generate 129 ± 13 PORV lifts. The normal repressurization due to makeup flow following a reactor trip is controlled by the pressurizer spray. In this case, the PORV is not challenged. Therefore, only the overcooling with HPI repressurization lifts the PORV and may lift the pressurizer safety valves.

The same transients were repeated with the PORV blocked. For the overheating transients, the pressurizer safety valves do not lift since the reactor trips on high RC pressure, and auxiliary feedwater controls steam generator level to remove decay heat. For overcooling with makeup repressurization, the pressurizer spray maintains pressure below the PORV setpoint. Therefore, the safety valves do not lift for this transient either. Overcooling by HPI repressurization was the only transient that lifted the safety valves. As with the operable PORV case, the operator throttles HPI to control level 10 minutes after HPI begins. Throttling HPI limits the safety valve lifts to 15 ± 2 lifts per valve. Therefore, only overcooling with HPI repressurization will lift a safety valve.

Since both the PORV and the safety valves may be challenged, the lifts may be coincident, or out of phase. Both operable and inoperable PORVs were considered. With an operable PORV, the time difference between the two lifts is not applicable since the PORV or the pressurizer spray (overcooling with makeup repressurization) maintains pressure below the safety valve setpoint. For an inoperable PORV with overcooling and makeup (MU) repressurization, the pressurizer spray again maintains pressure below the safety valve setpoint. As a result, the time difference between lifts is again not applicable. However, for an inoperable PORV with overcooling by HPI repressurization, both safety valves do lift. In this case, the valves lift approximately 145 seconds apart (about 2.5 minutes).

In conclusion, input to the PORV reliability analysis consists of transients that lift the PORV, the number of PORV/safety valve lifts, and the time differences between PORV and safety valve lifts. Operating experience on 177-FA plants has provided the basis for the transient list. KPRZ indicates that the only transient that lifts the safety valves occurs for an inoperable PORV with HPI/MU repressurization. None of the overheating transients lifts the safety valves. However, note that the number of valve lifts should be regarded as representative of the expected number of lifts since no operating data are available.

Table 2. PORV Lifts

Transient                         Lifts/demand,(a) BOL   Lifts/demand,(a) EOL   No. of lifts/yr(b)
Turbine trip w/ reactor trip
  > 76% pwr                       020                    010                    0
  < 76% pwr                       1 1                    II[                    Negligible
Turbine trip w/o reactor trip     11                     11[                    1.12
Trip one FW pump                  41[                    1j                     0.92
Trip one RC pump                  ~21[                   2{                     0.04
Trip two RC pumps                 1 ± 0                  10                     Negligible
Load rejection                    1 ± 0                  1 ± 0                  0.10
Ramp one FW valve 50% closed      2[                     11)                    0.91
Overcooling
  HPI repress'n(c)                129 ± 13                                      0.51
  MU repress'n                    0 ± 0                                         0
Rod drop                                                                        0.74
  0.09% Δk/k                      2fl'
  0.06% Δk/k                      21[
  0.03% Δk/k                      21),

(a) These lifts are valid over the power range from 70 to 100%. Below 70% power, the lifts will go to zero.
(b) Predictions made with point estimates for BOL.
(c) Includes operator corrective action.

5. PORV RELIEF PATH RELIABILITY

Having specified a PORV demand history, the reliability of the 205-FA automatic PORV isolation system can be evaluated. To meet NRC requirements, failure to isolate the PORV relief path must not appreciably impact the value of 1.0 x 10^-3 failures per reactor year. Isolation of the PORV does increase the demand on the pressurizer code safety valves, however. As a result, safety valve reliability must also be evaluated, as discussed in section 6.

The probability of PORV isolation system failure was determined using a fault tree analysis. Fault trees were constructed for two classes of initiating events: pressure transients and spurious system operation. A statistical analysis was also performed, which predicted the PORV's challenge frequency. Dominant cut sets for each fault tree were obtained using the fault tree analysis program FTAP. With PORV challenge frequency and FTAP results as input, the SAMPLE code was used to predict the distribution of system failures. Failure data and initiating event frequencies are listed in Appendixes C and D.

To evaluate the reliability of the PORV isolation system, the analysis was organized as follows: statement of assumptions, fault tree analysis, human reliability analysis, PORV challenge frequency, failure data, uncertainty analysis, and definition of mission success.

In any complex problem, simplifying assumptions are a necessity. For the automatic PORV isolation system, the following assumptions were made:

1. Degraded failures were not considered. That is, components were assumed to operate properly or were treated as failed.
2. Failures of passive components, such as test points, were disregarded due to their infrequent occurrences.
3. A monthly equipment test interval was assumed. Therefore, interim failures would not be discovered until the succeeding test.

4. Operator errors of commission were not included in the fault tree.
5. The failure rate for the block valve was based on an average electric-motor-operated gate valve of that size and operator.
6. Target Rock valves have experienced 125,000 total cycles (100,000 bench test and 25,000 field experience) on the pressurizer spray with no failures. Since the spray valve is not subjected to the same environment as the PORV, the value of zero failures in 25,000 cycles was used in the Bayesian updating procedure. This procedure uses the prior experience of the Dresser PORV (4 failures in 400 demands) and the evidence of zero failures in 25,000 cycles to arrive at a modified value for the Target Rock valve in the PORV application.
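
The updating step in assumption 6, worked as an added example (not part of the B&W report or its codes): a conjugate beta-binomial update using the counts quoted above. The report does not state the form of its prior, so encoding the Dresser experience as Beta(4, 396) is an assumption, as are all function names.

```python
"""Beta-binomial update of a per-demand failure probability.

Added illustration, not code from BAW-1740. Counts come from assumption 6.
"""
from math import comb


def prior_from_counts(failures, demands):
    # ASSUMPTION: prior experience is encoded as Beta(failures, successes).
    return failures, demands - failures


def update(dist, failures, demands):
    # Conjugate update: observed failures add to a, observed successes to b.
    a, b = dist
    return a + failures, b + demands - failures


def mean(dist):
    a, b = dist
    return a / (a + b)


def cdf(dist, x):
    """P(p <= x) for Beta(a, b) with integer a and b.

    Uses I_x(a, b) = P(Binomial(a + b - 1, x) >= a); the sum is short
    because a (the failure count) is small.
    """
    a, b = dist
    n = a + b - 1
    below = sum(comb(n, k) * x**k * (1.0 - x) ** (n - k) for k in range(a))
    return 1.0 - below


def quantile(dist, q, iterations=200):
    # Bisection on the monotone CDF over [0, 1].
    lo, hi = 0.0, 1.0
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        if cdf(dist, mid) < q:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def target_rock_estimates():
    prior = prior_from_counts(4, 400)        # Dresser PORV: 4 failures / 400 demands
    field_only = update(prior, 0, 25_000)    # evidence the report actually uses
    all_cycles = update(prior, 0, 125_000)   # bench + field cycles, for comparison
    return {
        "prior_mean": mean(prior),
        "posterior_mean": mean(field_only),
        "posterior_p95": quantile(field_only, 0.95),
        "all_cycles_mean": mean(all_cycles),
    }


if __name__ == "__main__":
    for name, value in target_rock_estimates().items():
        print(f"{name:16s} {value:.3e} failures per demand")
```

Counting only the 25,000 field cycles, as the report does, gives a posterior mean several times higher than crediting all 125,000 cycles would, which is the conservative direction.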

A fault tree analysis, consistent with the methodology described in the Fault Tree Handbook (NUREG-0492), was used to evaluate the reliability of the PORV/PORV block valve system. The fault trees for this system are included in Appendix A. The GRAP software package (graphic reliability analysis package) was used to construct and evaluate the fault trees. Fault trees were constructed with enough detail to identify the components that are dominant contributors to system failure. No attempt was made to account for failures due to external events, such as fires, floods, or earthquakes.

The FTAP code was used for identification of minimum cut sets, quantification of the fault trees, ranking of basic event importance, and identification of major contributors to system failure.

A human reliability analysis (HRA) was also performed, which was consistent with the methodology described in NUREG/CR-1278. The basic human error probabilities used in this analysis are found in Chapter 20 of the Handbook. Probability tree diagrams for the human tasks of interest are presented in Appendix B.

With the framework of the fault tree and human reliability analysis set, the PORV demand frequency was predicted. PORV lifts were initiated using seven transient sources. The number of lifts for each source, in a specified period of time, is described by a Poisson distribution. Each PORV lift may result in one or more cycles. The number of cycles for each source is described by a multinomial distribution. This distribution changes linearly from the beginning to the end of the year. The statistical treatment involved combining the Poisson and multinomial distributions to describe the random number of cycles. Thereafter, the frequency of one, two, etc. cycles could be obtained, regardless of the source, by means of simulation.

The complete list of generic data used in this analysis is given in Appendixes C and D. Failure data and initiating event frequencies were obtained from various sources. Repair times for components in the power distribution system were supplied by plant personnel.

An uncertainty analysis was also performed. The SAMPLE code was used to evaluate uncertainties in the system unavailability results. Range factors obtained from the Reactor Safety Study were used to construct lognormal distributions. These distributions were localized around the point-estimate failure probabilities of the dominant unavailability contributors. Three parameters influenced the form of the sample function used in this analysis. The form depended on the product of two terms, the simulated PORV demand frequency and the system response to the pressure transients, plus the contribution due to spurious system operation. The uncertainties surrounding system unavailability were evaluated in terms of the mean, the 5%, and the 95% levels of system probability distribution.

To finally judge the PORV isolation system, a formal definition of mission success is required. Mission success can be defined in terms of either system operation or reliability. In terms of system operation, mission success is defined as the ability to isolate the PORV relief path prior to low RC pressure ESFAS actuation (1700 psig). System failure, therefore, is defined as any failure within the system boundaries that results in depressurization to the ESFAS actuation setpoint. In terms of reliability, the NRC requires a ceiling failure rate of 1.0 x 10^-3 failures per reactor year for small break LOCAs. To provide a margin of safety, B&W has used a figure of 3.0 x 10^-4 failures per reactor year. Consequently, system failure in this case is defined as a system with a probability of failure greater than 3.0 x 10^-4. With these definitions, mission success can be evaluated for the systems considered.

The results of this study indicate that the 205-FA automatic PORV isolation system satisfies both definitions of mission success. Operationally, the isolation system (with original design trip setpoints) prevents low RC pressure ESFAS actuation, effectively modulates RC pressure, reduces unnecessary reactor trips, and increases plant availability. From a reliability standpoint, the results are given in Table 3 at the mean, 5%, and 95% confidence levels. At the 95% confidence level, for example, failure to isolate the PORV relief path is limited to 1.66 x 10^-4 (TVA)/1.26 x 10^-4 (WPPSS) failures per reactor year. Therefore, both backlog plants will easily achieve the NRC reliability requirements.

Aside from strict design criteria, two other aspects of the design are worth mentioning. The results indicate that the Target Rock valves are extremely reliable and that the presence of the ATOG displays and PORV position switch in the control room increases operator awareness. However, there is one distinct drawback to this design. Improved isolation of the PORV relief path inevitably leads to elevated safety valve demand, as discussed in section 6.

Table 3. PORV Automatic Block Valve Isolation System Failure Probability and Confidence Limits

          Failure probability / year
          Mean            5% confid. limit   95% confid. limit
TVA       6.00 x 10^-5    1.31 x 10^-5       1.66 x 10^-4
WPPSS     4.99 x 10^-5    1.35 x 10^-5       1.26 x 10^-4


6. SAFETY VALVE RELIABILITY

A reliable automatic PORV isolation system had been developed for the 205-FA plants. With this system, isolation of the PORV relief path is maximized. Isolation of the PORV, however, should increase demand on the pressurizer code safety valves. Consequently, a safety valve reliability analysis was conducted.

A small break LOCA due to a failed-open safety valve may occur along either of two pathways. The pathways identified include overcooling with subsequent repressurization and overheating transients.

To quantify the LOCA probabilities, event sequences were constructed for the overcooling scenario and for three overheating events. The event sequences and supporting failure data are listed in Appendix E. The overcooling transient was initiated by assuming that the ESFAS actuates on low RC pressure. No attempt was made to predict the frequency of occurrence of the three overheating events analyzed. This method was chosen because the existing auxiliary feedwater designs are very reliable and, in the event of a total loss of feedwater, HPI feed along with some form of pressurizer bleed would be used to cool the core.

The following assumptions were used in analyzing the overcooling scenario:

1. The PORV relief path is isolated.
2. After 10 minutes of inadvertent HPI operation, the probability that the operator will throttle HPI and realign normal makeup is 1.0.
3. There is some type of uncertainty as to the type of discharge passed through the safety valves. However, a conservative failure estimate can be made by assuming that the discharge is water or two-phase (worst case).


Failure rates for the pressurizer safety valves (PSVs) can be ascertained by examining the failure rates of the main steam safety valves (MSSVs). This is possible because both operate on the same principle; i.e., they both work against the closing force of a spring, and they both require an additional sudden opening force when they reach their trip setpoints.

Differences between the PSV and MSSV must also be pointed out:

  • The fluid passing through a PSV should contain fewer suspended particulates than that passing through an MSSV.

  • The PSV is stainless steel whereas the MSSV is predominantly carbon steel. Rusting of the carbon steel will introduce additional foreign matter into the fluid.

  • The PSV is an ASME Class I component, while the MSSV is an ASME Class II valve.

  • The PSV must operate with a variable backpressure, while the MSSV operates with a fairly constant backpressure. As a result, the PSV design is more sophisticated and has more components that may fail.

The first three differences suggest that the PSV may have a lower failure rate than the MSSV, while the last point suggests the opposite.

Cumulative B&W operating experience indicates that there have been approximately 2850 MSSV demands. In all these cases, there has not been a single failure due to a valve reseating problem (remain in full-open position). A failure rate based on zero failures in 2850 demands was computed using a chi-square (χ²) 50% level test. The calculated failure rate for the steam relief was found to be 2.43 x 10^-4 per demand. The failure rate for water relief was estimated to be 100 times larger than for steam relief, i.e., 2.43 x 10^-2 per demand.

The safety valve failure rate was determined using a Bayesian updating procedure. The prior distribution was assumed to be lognormal with a mean of 2.43 x 10^-2 per demand. This lognormal distribution was then combined with the evidence of five safety valve water demands with no failures to determine the probability of failure. Four EPRI safety valve test programs (September 1981) and a single demand at Crystal River 3 (February 26, 1980) accounted for valve performance history.
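The two estimates in the preceding paragraphs can be worked through numerically. The Python code below is an added example, not part of the report and not the BURD program: it evaluates the zero-failure chi-square estimate for 2850 demands, then updates a lognormal prior with the evidence of five demands and no failures. The prior's range factor (3) and the binomial likelihood are assumptions, since the report states only the prior mean.

```python
"""Zero-failure chi-square estimate and Bayesian update of a lognormal prior.

Added illustration. ASSUMED_RANGE_FACTOR is an assumption; the report does
not state the spread of the prior distribution.
"""
import math

MSSV_DEMANDS = 2850          # from the report: MSSV demands with no failure
WATER_TO_STEAM_RATIO = 100   # from the report: water relief vs. steam relief
WATER_DEMANDS = 5            # from the report: water demands with no failure
ASSUMED_RANGE_FACTOR = 3.0   # assumption: 95th percentile / median of prior


def chi2_zero_failure_rate(demands, level=0.50):
    """Failure rate per demand at a chi-square level, given zero failures.

    With zero failures the estimate is chi2(level; 2 dof) / (2 * demands).
    The 2-dof chi-square quantile has the closed form -2 * ln(1 - level).
    """
    quantile = -2.0 * math.log(1.0 - level)
    return quantile / (2.0 * demands)


def lognormal_mu_sigma(mean, range_factor):
    """Log-space parameters of a lognormal with the given arithmetic mean.

    The range factor spans 1.645 standard deviations in log space.
    """
    sigma = math.log(range_factor) / 1.645
    mu = math.log(mean) - 0.5 * sigma ** 2
    return mu, sigma


def posterior_mean(prior_mean, range_factor, failures, demands, steps=4000):
    """Posterior mean failure probability per demand.

    Lognormal prior (truncated at p = 1) times a binomial likelihood,
    integrated with the midpoint rule in log space.
    """
    mu, sigma = lognormal_mu_sigma(prior_mean, range_factor)
    lo = mu - 8.0 * sigma
    hi = min(0.0, mu + 8.0 * sigma)   # a probability cannot exceed 1
    width = (hi - lo) / steps
    num = den = 0.0
    for i in range(steps):
        x = lo + (i + 0.5) * width
        p = math.exp(x)
        prior = math.exp(-0.5 * ((x - mu) / sigma) ** 2)
        likelihood = p ** failures * (1.0 - p) ** (demands - failures)
        weight = prior * likelihood
        num += p * weight
        den += weight
    return num / den


def safety_valve_estimates():
    """Return (steam rate, water prior mean, updated water failure probability)."""
    steam = chi2_zero_failure_rate(MSSV_DEMANDS)
    water_prior = WATER_TO_STEAM_RATIO * steam
    updated = posterior_mean(water_prior, ASSUMED_RANGE_FACTOR, 0, WATER_DEMANDS)
    return steam, water_prior, updated


if __name__ == "__main__":
    steam, water_prior, updated = safety_valve_estimates()
    print(f"steam relief, chi-square 50%: {steam:.3e} per demand")
    print(f"water relief prior mean:      {water_prior:.3e} per demand")
    print(f"after 0 failures in 5:        {updated:.3e} per demand")
```

Five failure-free demands move the mean only slightly, because the evidence is small compared with the information in the prior; a wider assumed range factor lets the same evidence pull the mean down further.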


The results of this investigation indicate that an uncontrolled small break LOCA through the pressurizer code safety valves is not a probable event. During the course of this analysis, two paths were identified as dominant contributors to the probability of a safety valve failure. These are overcooling with subsequent repressurization and overheating transients. The probability of a LOCA due to overcooling events was found to be 9.73 x 10^-6 per reactor year, while the cumulative frequency of occurrences for the overheating transients was calculated to be 6.27 x 10^-5 per reactor year. In addition, the unavailability of the PORV relief path was estimated to be 7.23 x 10^-3 per year.


The impact of the automatic PORV isolation system on safety valve reliability is insignificant because the unavailability of the PORV relief path is so low.

The automatic isolation system achieves all operational requirements and NRC-mandated reliability requirements as originally designed.


7. ANTICIPATORY REACTOR TRIP ON TURBINE TRIP

Following the PORV failure at TMI-2, the NRC required PORV system modifications on all operating plants. Changes were made to the PORV opening and high pressure reactor trip setpoints. The addition of an anticipatory reactor trip on main turbine trip was also required. These modifications have decreased PORV challenges, but have concurrently increased the number of reactor trips (through RPS challenges). The intent of these modifications was to reduce PORV challenges and thus reduce the probability of a PORV failure. However, the probability of PORV failure can be reduced using alternative approaches that do not detract from plant performance.

On all 205-FA units, an automatic PORV isolation system using pre-TMI-2 (as-designed) trip setpoints has been proposed. This system consists of a single PORV and a single block valve with an automatic closure feature. The use of the original design trip setpoints will ensure normal PORV operation, reduce reactor trips, and increase plant availability. However, the question of the anticipatory reactor trip upon main turbine trip still remains.

The anticipatory reactor trip upon turbine trip was mandated to help reduce the number of PORV challenges. Operating experience verifies that it has achieved this objective, but at the expense of plant availability. However, with the improved 205-FA design, it is no longer necessary to limit PORV challenges.

The annual PORV challenge rate was predicted for both backlog plants at BOL conditions (worst case). The annual challenge rate depends on two factors: the number of challenges per transient and the number of transients per reactor year. The results of these calculations are given in Table 2.

Three operating regimes exist in the TVA plant since it was designed with an interlock to trip the reactor upon main turbine trip (provided reactor power is greater than 76%). Above 76% power, a turbine trip followed by a reactor trip will generate zero PORV lifts. From 70 to 76% power, a turbine trip will generate an insignificant number of lifts since the reactor rarely operates in this power range. Below 70% power, PORV lifts due to all causes approach zero.

On the WPPSS plant, only two operating regimes exist since the WPPSS plant was designed without a mandatory trip. Above 70% power, a turbine trip will generate 1.12 PORV lifts per reactor year, and below 70% power PORV lifts due to all causes again approach zero.

The number of PORV challenges due to a turbine trip has been predicted as 1.12 per reactor year. The addition of an anticipatory reactor trip on turbine trip can reduce this number to zero. Projected yearly PORV demand due to all causes should be in the 4-5 challenge range. With the addition of the automatic PORV isolation system, the NRC-mandated reliability requirements can be easily achieved, even with turbine trip-induced PORV challenges. Therefore, the need for the anticipatory reactor trip on main turbine trip seems marginal at best.

The post-TMI modifications to the PORV relief path system must be re-evaluated. They represent but one way to reduce the probability of a PORV failure (reduced PORV challenges). They also tend to increase the number of RPS challenges, increase the number of reactor trips, and reduce plant availability. B&W's automatic PORV isolation system will achieve the NRC's PORV reliability requirements without these modifications. As a result, the PORV will be able to control RC pressure for minor overpressure events and avoid the unnecessary reactor trips, which have been a consequence of the post-TMI modifications.


8. CONCLUSIONS

An automatic PORV isolation system has been designed for B&W's 205-FA units. The system will operate reliably to increase plant availability by reducing the number of reactor trips. This will be accomplished using pre-TMI-2 trip setpoints to ensure proper RC pressure control and reduced RPS challenges.

In addition, five significant conclusions can be drawn from the supporting analysis:

1. A block valve closing setpoint of 2170 psig will not actuate the ESFAS using nominal trip setpoints, but it will prevent premature isolation valve closure on 95% or more of the isolation valve challenges.
2. The PORV should be challenged annually on approximately 4.34 occasions on WPPSS and 3.22 occasions on TVA.
3. The number of PORV challenges due to a turbine trip represents about 26% of the total demand.
4. By using the automatic PORV isolation system, the probability of failing to isolate the PORV relief path will be limited to 1.66 x 10^-4 (TVA)/1.26 x 10^-4 (WPPSS) failures per reactor year. The NRC requires a failure rate of 1 x 10^-3 failures per reactor year for isolation of the PORV relief path.
5. The reliability of the pressurizer code safety valves will not be significantly affected by the isolation system. With the automatic PORV isolation system installed, the probability of a safety valve failure will be 9.73 x 10^-6 failures per reactor year.


9. RECOMMENDATIONS

Based on the supporting system justification, B&W recommends that the automatic PORV isolation system be installed on all 205-FA units as designed. In addition, the post-TMI requirement of an anticipatory reactor trip on main turbine trip should be abolished. Even though turbine trip-induced PORV challenges represent a significant portion of the total demand, the 205-FA design can suitably isolate the PORV relief path at the enhanced rate. In addition, unnecessary reactor trips will be avoided, and plant availability will be increased by the elimination of the mandatory reactor trip.

10. BIBLIOGRAPHY

1. R. L. Bright, PORV Isolation Valve Closing Setpoint Analysis, 32-1132776-00, Babcock & Wilcox, Lynchburg, Virginia.

2. J. W. Pegram, PORV-PORV Block Valve Simulation, 86-1134210-00, Babcock & Wilcox, Lynchburg, Virginia, May 1982.

3. R. L. Bright, PORV Reliability Analysis - PORV/Safety Valve Lifts, 32-1130679-00, Babcock & Wilcox, Lynchburg, Virginia.

4. POWER TRAIN V - Hybrid Computer Simulation of the B&W Nuclear Power Station, NPGD-TM-435, Babcock & Wilcox, Lynchburg, Virginia, February 1980.

5. FTAP 2 - Computer-Aided Fault Tree Analysis, NPGD-TM-536, Babcock & Wilcox, Lynchburg, Virginia, February 1980.

6. SAMPLE - General Purpose Computer Program for Uncertainty Analysis by Monte Carlo Simulation, NPGD-TM-501, Babcock & Wilcox, Lynchburg, Virginia, April 1980.

7. BURD - Bayesian Updating of Reliability Data, NPGD-TM-582, Babcock & Wilcox, Lynchburg, Virginia, October 1981.

8. GRAP - Graphic Reliability Analysis Package, NPGD-TM-604, Babcock & Wilcox, Lynchburg, Virginia, April 1982.

9. W. E. Vesely, F. F. Goldberg, N. H. Roberts and D. F. Haasl, Fault Tree Handbook (NUREG-0492), U.S. NRC, Washington, D.C. (1981).

10. A. D. Swain and H. E. Guttmann, Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Applications (NUREG/CR-1278), Sandia Laboratories (1980).

11. "IEEE Guide to the Collection and Presentation of Electrical, Electronic, and Sensing Component Reliability Data for Nuclear Power Generating Stations," IEEE Std 500-1977.

12. Consolidated Library of Component Failure Data, 32-1132097-0, Babcock & Wilcox, Lynchburg, Virginia, May 1982.

13. Nuclear Plant Reliability Data System, 1980 Annual Reports of Cumulative System and Component Reliability, NUREG/CR-2232, September 1981.

14. Reactor Safety Study, NUREG-75/014 (WASH-1400).

15. Reliability Prediction of Electronic Equipment, MIL-HDBK-217C, May 1980.

16. Data Summaries of Licensee Event Reports of Control Rods and Drive Mechanisms at U.S. Commercial Nuclear Power Plants, NUREG/CR-1331, April 1978.

17. Reliability Evaluation of the Washington Public Power Supply System Nuclear Projects Numbers 1 and 4, SAI (1980).

18. TVA to J. McFarland, Letter, "PORV Acoustic Monitor Reliability - N4M-2-59," K-6868, Babcock & Wilcox, Lynchburg, Virginia, March 4, 19% .

19. D. A. Downtain to W. W. Weaver, Memorandum, "Selected Transient Frequencies on Operating Plants," Babcock & Wilcox, Lynchburg, Virginia, December 17, 1981.

20. Auxiliary Feedwater Systems Reliability Analyses, BAW-1584, Lynchburg, Virginia, December 1979.

21. EPRI Report NP 801, Electric Power Research Institute, Palo Alto, California.

22. Response to ACRS Questions for TMI-1 Small Break LOCA Probabilities, 32-1127869-00, Babcock & Wilcox, Lynchburg, Virginia, September 1981.

APPENDIX A

System Fault Trees

Top event                                      Sum of implicants
Initiating event is a pressure transient       1.29 x 10^-5
Initiating event is spurious PORV opening      2.78 x 10^-5
PORV relief path unavailable                   7.23 x 10^-3

Note: These fault trees are representative of the TVA system design. The structure of the WPPSS trees is nearly identical except that the basic event "AMEMOVAM" (acoustic monitor fails) is replaced by "PSEMOVAM" (position switch fails).

[Figures: fault tree diagrams. Tree titles that remain legible:

  Initiating event is a pressure transient (inputs: PORV fails to reclose; EMOV fails to close)
  PORV fails to reclose
  EMOV fails to close
  No motive power for valve
  Failure of ESFAS SSA
  No signal generated to close PORV
  Inoperable PORV
  EMOV closed]

APPENDIX B

Human Error Analysis

HPITHROC - Operator fails to throttle HPI

  Success   Failure      Failure path
  .999      A = .001     F1
  .999      B = .001     F2
  .99       C = .01      F3
  .997      D = .003     F4

P(F) = F1 + F2 + F3 + F4
P(F) = 1.49 x 10^-2

"A" = Operator fails to realize ESFAS initiates HPI pumps (Table 20-3).*

"B" = Fails to resume attention to legend light (Table 20-3).

"C" = Fails to recognize the return of pressurizer level on ATOG scope (Table 20-5).

"D" = Fails to throttle HPI and realign normal make-up (Table 20-13).

EMOVAMOC - Operator fails to close block valve based on [Acoustical Monitor Signal (TVA) or Position Switch (WPPSS)]

  Success   Failure      Failure path
  .9999     A            F1
  .999      B = .001     F2
  .999      C = .001     F3
  .997      D = .003     F4

P(F) = F1 + F2 + F3 + F4
P(F) = 5.09 x 10^-3

"A" = Fails to respond to alarm (Table 20-3) (.00005 to .001)

"B" = Incorrectly reads message (Table 20-3) (.0005 to .005)

"C" = Fails to resume attention (Table 20-3) (.0001 to .01)

"D" = Selects wrong MOV switch (Table 20-14) (.001 to .01)

EMOVPROC - Operator fails to close block valve based on RC pressure

  Success   Failure      Failure path
  .95       A = .05      F1
            B = .05      F2
  .997      C = .003     F3

P(F) = F1 + F2 + F3
P(F) = .1002 ≈ .1

"A" = Operator fails to detect low RC pressure display (Table 20-12).

"B" = Operator fails to properly diagnose that RC pressure drop is due to open PORV path, i.e., fails to detect quench tank temperature/level rise (Table 20-14).

"C" = Operator selects wrong MOV switch (Table 20-14).

APPENDIX C

Statistical Modeling of PORV Lifts

Assumptions

PORV lifts are initiated by seven transient sources with failure rates $F_i$, $i = 1 \ldots 7$. Since the time to failure (initiation of transient) is assumed to be exponential, the number of times the PORV lifts ($X_i$) in time $t$ for each transient is given by the Poisson distribution

$$\mathrm{Prob}(X_i) = \frac{(F_i t)^{X_i} \exp(-F_i t)}{X_i!}$$

After a transient has been initiated, it may lead to a random number of PORV lifts. The probability distribution of a given number of PORV lifts is different for each source, and it changes from the beginning to the end of each fuel cycle. For a given transient source, if the transient is initiated in the time interval $t + \Delta t$, the number of lifts ($y_i$) is given by the multinomial distribution

$$P(y_i \mid x_i, t) = \frac{x_i!}{y_{0i}!\, y_{1i}! \cdots y_{ki}!}\; P_{0i}(t)^{y_{0i}}\, P_{1i}(t)^{y_{1i}} \cdots P_{ki}(t)^{y_{ki}}$$

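The marginal distribution of $P(y_i)$ is obtained as

$$\sum_{x_i=0} P(y_i \mid x_i, t)\, P(x_i)\, \Delta t = \sum_{x_i=0} \frac{(F_i \Delta t)^{x_i} \exp(-F_i \Delta t)}{x_i!} \cdot \frac{x_i!}{(x_i - y_{1i} - y_{2i} - \cdots - y_{ki})!\; y_{1i}! \cdots y_{ki}!}\; (1 - P_{1i} - \cdots - P_{ki})^{(x_i - y_{1i} - y_{2i} - \cdots - y_{ki})}\; P_{1i}^{y_{1i}} \cdots P_{ki}^{y_{ki}}$$

$$= \frac{(F_i \Delta t\, P_{1i})^{y_{1i}} \exp(-F_i \Delta t\, P_{1i})}{y_{1i}!} \times \frac{(F_i \Delta t\, P_{2i})^{y_{2i}} \exp(-F_i \Delta t\, P_{2i})}{y_{2i}!} \times \cdots \times \frac{(F_i \Delta t\, P_{ki})^{y_{ki}} \exp(-F_i \Delta t\, P_{ki})}{y_{ki}!}$$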

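Thus, each number (1, 2, etc.) of PORV lift cases for source $i$ is distributed independently by Poisson distributions at any time interval $t + \Delta t$. The number of lifts over the entire time interval $0$-$T$ can be obtained by adding the Poisson distributions over the interval. If $\Delta t$ is taken to be small, this amounts to integration. Thus, the number of single lifts is

$$\text{No. of single lifts} = \frac{\left[F_i \int_0^T P_{1i}(t)\,dt\right]^{y_{1i}} \exp\left(-F_i \int_0^T P_{1i}(t)\,dt\right)}{y_{1i}!}$$

$$\text{No. of } k \text{ lifts} = \frac{\left[F_i \int_0^T P_{ki}(t)\,dt\right]^{y_{ki}} \exp\left(-F_i \int_0^T P_{ki}(t)\,dt\right)}{y_{ki}!}, \text{ etc.}$$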

Since the sum of independent Poisson distributions is again a Poisson distribution, we can obtain the number of single lifts, double lifts, etc. for all transient sources. Thus, the number of single PORV lift cases for all transient sources will have a Poisson distribution with the following parameters:

$$G_1 = F_1 \int_0^T P_{11}(t)\,dt + F_2 \int_0^T P_{12}(t)\,dt + \cdots + F_7 \int_0^T P_{17}(t)\,dt$$

and

$$G_k = F_1 \int_0^T P_{k1}(t)\,dt + F_2 \int_0^T P_{k2}(t)\,dt + \cdots + F_7 \int_0^T P_{k7}(t)\,dt.$$

If the Poisson distributions with parameters $G_1, G_2, \ldots, G_k$ are simulated in SAMPLE, yielding simulated variables $z_1, z_2, \ldots, z_k$, then the total number of lifts for each simulation will be given as

$$\text{No. of lifts per simulation} = z_1 + 2z_2 + 3z_3 + \cdots + k z_k.$$

The probabilities $P_{0i}(t) \ldots P_{ki}(t)$ were obtained from the histograms at the beginning and end of fuel life. Assuming that the change occurs linearly with time, the probabilities are given as

$$P_0(t) = P_0(0) + \frac{P_0(T) - P_0(0)}{T} \times t$$

$$\int_0^T P_0(t)\,dt = \left[P_0(0) + \frac{P_0(T) - P_0(0)}{2}\right] \times T$$

where $P_0(0)$ and $P_0(T)$ denote the probability of zero lifts at the beginning and end of the fuel cycle, respectively. The probabilities $P(t)$ are seen to be appropriate multinomial probabilities since the sum over 0, 1, 2, etc. adds up to 1 for any value of $t$, given that this is true for the initial and final histograms. Similar modeling was used to derive the probabilities for the number of lifts equal to $1 \ldots k$. This type of modeling was used for cases 1 and 2. In case 3, the number of transients in time $t$ is assumed to be given by a Poisson distribution as before. However, in this case, the number of lifts for each transient will be defined by a normal distribution with specified mean and standard deviation (mean = nominal No. of lifts, std = $\Delta/2$, where $\pm\Delta$ denotes the maximum and minimum deviations from the mean).

The number of PORV lifts for case 3 is taken as normal with mean $x\mu$ and variance $x\sigma^2$, where $x$ is the simulated Poisson value. Thus, a random value of $x$ was obtained first, and then a random number of lifts could be determined:

$$\text{No. of lifts} = x\mu + z\sqrt{x}\,\sigma$$

where $z$ is simulated normal with mean zero and a variance of 1.0.
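The Poisson/multinomial model for cases 1 and 2 can be checked by simulation. The Python code below is an added example, not part of the report and not the SAMPLE code: it computes the parameters G_k for linearly varying lift probabilities, then compares the yearly lift count obtained from independent Poisson draws with parameters G_k against a direct simulation that generates each transient and draws its number of lifts. The initiating frequencies are taken from the frequency table in this appendix; the beginning- and end-of-cycle lift histograms are constructed for illustration.

```python
"""Compound Poisson model of PORV lifts: G_k parameters vs. direct simulation."""
import math
import random

T = 1.0  # fuel cycle length in reactor years (the appendix assumes 12 months)

# F: initiating frequency per reactor year, from this appendix.
# bol/eol: probability of k = 0, 1, 2 lifts per transient at the beginning and
# end of the fuel cycle. These histograms are CONSTRUCTED sample values.
SOURCES = [
    {"name": "Turbine trip", "F": 1.120,
     "bol": [0.10, 0.70, 0.20], "eol": [0.40, 0.50, 0.10]},
    {"name": "Trip one FW pump", "F": 0.229,
     "bol": [0.50, 0.40, 0.10], "eol": [0.70, 0.30, 0.00]},
    {"name": "Rod drop", "F": 0.372,
     "bol": [0.80, 0.20, 0.00], "eol": [0.90, 0.10, 0.00]},
]


def lift_probs(source, t):
    """P_k(t) for one source, changing linearly from bol (t=0) to eol (t=T)."""
    return [p0 + (pT - p0) * t / T
            for p0, pT in zip(source["bol"], source["eol"])]


def poisson_parameters(sources):
    """G_k = sum over sources of F_i * integral_0^T P_ki(t) dt.

    For a linear P_ki(t) the integral equals T * (P_ki(0) + P_ki(T)) / 2.
    Index 0 holds the parameter for transients that cause no lift.
    """
    g = [0.0] * max(len(s["bol"]) for s in sources)
    for s in sources:
        for k, (p0, pT) in enumerate(zip(s["bol"], s["eol"])):
            g[k] += s["F"] * T * (p0 + pT) / 2.0
    return g


def poisson_sample(rng, lam):
    """Draw one Poisson variate (Knuth's multiplication method)."""
    limit = math.exp(-lam)
    count = 0
    product = rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def lifts_from_parameters(g, rng):
    """One simulated year: z_1 + 2*z_2 + ... + k*z_k with z_k ~ Poisson(G_k)."""
    return sum(k * poisson_sample(rng, g[k]) for k in range(1, len(g)))


def lifts_direct(sources, rng):
    """One simulated year: exponential times between transients for each
    source, and a multinomial draw of the lift count at each transient."""
    total = 0
    for s in sources:
        t = rng.expovariate(s["F"])
        while t < T:
            probs = lift_probs(s, t)
            total += rng.choices(range(len(probs)), weights=probs)[0]
            t += rng.expovariate(s["F"])
    return total


def mean_lifts(trials=20000, seed=1740):
    """Return (analytic mean, direct-simulation mean, G_k-simulation mean)."""
    rng = random.Random(seed)
    g = poisson_parameters(SOURCES)
    direct = sum(lifts_direct(SOURCES, rng) for _ in range(trials)) / trials
    combined = sum(lifts_from_parameters(g, rng) for _ in range(trials)) / trials
    expected = sum(k * gk for k, gk in enumerate(g))
    return expected, direct, combined


if __name__ == "__main__":
    print("G_k:", poisson_parameters(SOURCES))
    print("mean lifts per year (analytic, direct, from G_k):", mean_lifts())
```

Both simulations converge on the same mean, which is why only the combined parameters G_k, and not the individual transient histories, need to be sampled.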

Statistical Simulation Cases

Case 1                               Case 2                            Case 3
Turbine trip without reactor trip    Turbine trip with reactor trip    Overcooling: HPI repressurization
Trip one FW pump                     Trip one FW pump
Trip one RC pump                     Trip one RC pump
Load rejection                       Load rejection
Ramp one FW valve 50% closed         Ramp one FW valve 50% closed
Rod drop                             Rod drop

Note: The expected contribution to total PORV demand from case 3 must be qualified by an operator error probability (operator fails to throttle HPI) before it can be added to cases 1 and 2.

Initiating Event Frequencies

Transient                              Frequency, times/rx-yr*
Turbine trip                           1.120
Trip one FW pump                       0.229
Trip one RC pump                       0.019
Load rejection                         0.095
Ramp one FW valve 50% closed           0.457
Overcooling: HPI repressurization      0.263
Rod drop                               0.372

*rx-yr: reactor year.

Notes

1. Rod drop frequency was determined over all power ranges. All other event frequencies were determined when the reactor was in operation above 70% power.
2. The fuel cycle was assumed to be 12 months.
3. Downtimes are inherent in the initiating event frequency.

APPENDIX D

Failure Data

Code Source Unavailability

~

PORVXXCD --

3.03 x 10 "/d

~

SOLENXRE IEEE, p. 387* 2.56 x 10 "

PTPORVC0 IEEE, p. 428 1.10 x 10~5 BSPORVNF IEEE, p. 483 1.09 x 10 ~3 RLPORVF0 IEEE, p. 155 3.54 x 10 -s CTPORVF0 IEEE, p. 174 4.20 x 10 s PTPORVFH IEEE, p. 428 2.19 x 10-3/yr BSPORVSP IEEE, p. 483 1.80 x 10-3/yr 3.6 x 10 "/yr

~

RLPORVSP IEEE, p. 155 GVEMOVOD --

2.00 x 10~3/d

~5 CTPORVSH IEEE, p. 174 6.02 x 10 TUJXXXAM ---

5.48 x 10 ~5 SOLENXSP IEEE, p. 387 1.23 x 10~3/yr 1.45 x 10 "/yr

~

CTPORVSP IEEE, p. 174 2

AMEMOVAM --

1.52 x 10

~

PSEMOVAM IEEE, p. 452 4.89 x 10 "

5 PTEMOVFH IEEE, p. 428 9.13 x 10

~5 3 FUSE 480 IEEE, p. 193 2.30 x 10 3 CBRK 480 IEEE, p. 148 4.71 x 10 s 3 THOR 480 IEEE, p. 155 3.94 x 10 ~5 MCCMSFNS IEEE, p. 171 -5 4.42 x 10 8

1 FUSE 120 IEEE, p. 193 7.67 x 10 5

STCIC120 IEEE, p. 162 2.45 x 10

< TUSSCS AM --

5.48 x 10 ~5

RLSSCS SP --

1.69 x 10 ~5

~

AMSSACAT IEEE, p. 475 1.12 x 10 "

~

PTSSACAT IEEE, p. 475 1.12 x 10 "

~

BISSACAT IEEE, p. 483 3.75 x 10 "

ANDSSAAM --

5.48 x 10 s

~

LBSSAXAM MIL-HDBK 217-C 2.92 x 10 "

~

CBSSAXAM MIL-HDBK 217-C 2.92 x 10 "

ICMSSAAM IEEE, p. 177 3.10 x 10 ~5


Code Source Unavailability TV120VAM -s 3.11 x 10 TV120VAC --

3.11 x 10 -5 TV120VSS -5 3.00 x 10 TV480VAC -5 2.12 x 10

~

STSTR120 IEEE, p. 372 1.68 x 10 "

PORVFLOP --

1.00 x 10 3/d

-8 PORVLEAK NPRDS, p. 573 1.70 x 10 SVRESEAT --

9.38 x 105/d PORVSDNE IEEE, p. 387 2.56 x lo "

PORVMPVA ~5 2.12 x 10 3

PORVPTFL IEEE, p. 428 1.10 x 10 8

PORVBISF IEEE, p. 483 1.09 x 10 PORVRFTC IEEE, p. 155 3.54 x 10 s 5

PORVCFTC IEEE, p. 174 4.20 x 10 8

PORVCPVA --

2.12 x 10

~

EMOVMSAS IEEE, p. 171 1.34 x 10 "

EMOVMOCS NPRDS, p. 617 1.75 x 10 -3 EMOVSCOS IEEE, p. 162 -5 2.02 x 10 EMOVAGOE ~5 7.20 x 10

-s EMOVLBOE MIL-HDBK 217C 3.84 x 10 EMOVCB0E MIL-HDBK 217C 3.84 x 10 -5

APPENDIX E

Event Sequences

1. Overcooling Scenario

Event tree headings: ESFAS; Operator throttles HPI (HPITHROC); PORV relief path available (PORV); Code safeties reseat (SV).

F1 = (0.263/yr)(1.49 x 10^-2)(7.23 x 10^-3)(2.29 x 10^-2)(15)
   = 9.73 x 10^-6/yr*

*In this scenario the safety valves are challenged 15 times.

2. Overheating Events

F2: loss of main feedwater and no auxiliary feedwater, given that normal electric power is available.

F2 = (LOFW)(AFW/AC)
   = (1.78/yr)(3 x 10^-5)
   = 5.34 x 10^-5/yr

F3: loss of offsite power and no auxiliary feedwater, given that diesels are operative.

F3 = (LOOP)(AFW/diesels)
   = (0.3/yr)(3 x 10- )
   = 9 x 10^-6/yr

F4: loss of offsite power and no auxiliary feedwater, given that diesels fail.

F4 = (LOOP)(diesels)(AFW/diesels)
   = (0.03/yr)(3.2 x 10^-3)(3 x 10^-3)
   = 2.88 x 10^-7/yr

Event Sequence Failure Data

Event          Failure rate
LOOP           0.03/yr
diesels        3.2 x 10^-3/day
AFW/diesels    3 x 10^-4/day
AFW/diesels    3 x 10^-3/day
AFW/AC         3 x 10^-5/day
LOFW           1.78/yr
ESFAS          0.263/yr
HPITHROC       1.49 x 10^-2/day
PORV           7.23 x 10^-3/day
SV             2.29 x 10^-2/day