Text

Nonproprietary Evaluation of Effect of Surveillance Frequencies & Out of Svc Times on Unavailability of N-16 Reactor Trips & Refueling Water Storage Tank Switchover Function
	ML20070G924
Person / Time
Site:	Comanche Peak
Issue date:	09/30/1990
From:	Heller R, Sharp D; WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:	;
Shared Package
ML19310D307	List: ML20070G911; ML20070G915; ML20070G924;
References
	WCAP-10272-S03, WCAP-10272-S3, NUDOCS 9103130081
	Download: ML20070G924 (88)
	v • d • e

,,(., ,. , .- . .. que

'.1 y,

3. .. , - - ,

.,.. .-- cy, - , ,' . . . .

..' 7 l g: ,. , , , , ,

c' ,

e .. A ;:. . .y N . .

.., .s -

. . .4 , a. . .' . -, ., .::. -. <

'. .. 3- i ,. - . . . ,;. ( . , .. , .- ~

P. .

'i h..

- et j. - ' ' .'.. - -

f, e '***H . r; ' ' ,d i - '1-

,: , . - . . - m z :. ;.. ,. .

.- . _ . _. ;. e, , ,

p , . .y - _ .. .,

. .. , ;p;

. . . 3.: ., w- c, . ,

c-8.'. ,,

- e ;

f e . 1 , .

,;. .o , ,

.e: . - - . - .

y.

s. , .-.3.

7...,

/

.,.s.. ,w e. _

y , y '. ' -

. _. n. ,

f

. q . . ' ' , '

',? ..-

g*. . ....

. c, . .. .-r

- ,' ' . y, ,a *

,,+v f.. g". e '. .? . '

, .2

..t- f. . 4

'5,.-

,.'.'?OA.- . g '

4 ' ' ,q , 7.yb.'

. %y 4 ' ,. 4'

- ' 1 4

.L , - , , . ',,. ' '- ' . i

[!;T3 /4; 3 h + ..?

. , ' ' .y, S..

..a,. - - ,[ .T ' * ,$ '

' f. , - \' ' ; ,. . 4 *.y'c

. ' .(. .A 1-

[

', =", f. y,Q ,{ ) ,. +('..,.,c

.3, m. .

, ,i '. ' - . ,

v. . ' .' c;

. ' f ' ' '. ; , . ..': 7. ,_ _.l, ,' ry. Pr h.[..,!. j ) ':: , . .- v .' .}. ..:

- p; ., ', , ;.. e, , p o.. . ...

P- .4 '

Jj+ m : u l, '. .. , J g , y : - ( - e ,., *y ,;. . , s-

/

,+.; .-J. . . ja d ., ,:Q ,s" A. ... ,.y..

.m

,e s.

. .i s. +, ' , , <

.. . - t g ., g

-(. g ..

. . .: .7,>g

,- 7

. 4 - .k

.t g , * . - - -

- . ,- ...M : '

/ '. a.,, ,,?'j -

% , . . ,?j 4. *

~

4 - , ,

g g,J ' , , , o I '. -

.( ,

.[. . - U. " y

,[

'e*

e

.,L-

[

,1 ff.,

a

' .II,*,

, .1. y _',; ,, / ; p. ..'i*i

-~

.A .,

}'

s Y '. _._

. <T *

' 8\ %

- j . g, . , ..?

$. - &. , ..g .*

-'.*. _- . m g' 7, .L

Q; c4 ; , .

, '.t , - _

'E. '{ } . D,',r

+,K

\, -

) . ,- j- . J. v . - ; , g:q}fR ,; .

n

- i 4 '. .j . 4 . %.}

4 ' ; ,. q W, . c .g '

,g

. g;,j

, , . , - G ,'")-

, 't . , .c n

..[ 4, , .e

.' e

. , . e .' . _ ,

_4 l $ ,_ ..

O,

'.,.. .1 ,! !

- ' i t,.

jc . fs- * . F; , . ; ' - I

', s; "

.- .; , . - - , gj, .,e, s . .- e i ., s,f ;^ f .. [A:.? [io sg .' ,-

-,e,,

. 4

, , , .. ..,.r.9 . , . .S , .%..) 4,i, , ., .. g. e ..t* * ;

.Y,3.5, .-

c a,'...a.,. c l. 4

, -- . ; ., ;N " . , ,4 ,- '. .- i - ,. . o pv8 ,'

}

,. - -.- a, o.'

.',4 ,-

. . i496-

..a *.3' * * $, , y ' ', [ -

',' , .* a 4

'.'. 't -

f ..f, ' ' c .;_4,

. p' ,8 : , , - ' t ,, ',

?,.

4. . . c- .; E d -, 3./ '

, .$ - . ' "1

. 'J1 -

- {('01,,l;;.,.r;p, i "g{

i

9. .

.~ ,. ,,

'd *

- . 4. -l ; . ; ; .

< j - '.

V , y' ' ;, -

.._, . , ' ... , . r uf ,

. . 3, j t'- } s .;

a c.

.s 4 y, 1

. _.- -g . ,.

,4 f' ' , l- -

, 4 ), ..*'h, '.

% [, g,*

-t-

) . , ' %l g .

.; i 6 . ,, - , ,,u .

. . ' , ' ' ' [ $. ,, ) . , ' * .

-,J -

9-l*.*. -

).

A'I- %J', - + 4 y, . . , , . .

,,4

,k.,,,;# .r . . . . * .J . . - + , . ' , -

,h,*

a.. ' * .

.i,

+. .. i... s.

8 ' d' ' . g. . .j .

., g -

, ' ,, .j . *

4' 5 .

', . y - ',yw -

c - ;) ;

' .... ; kj.y *.j.D.1. '/ & *.;).p,1. +p : . w %. .t **. [.> ,p . . .,,, . .$. ,- .' . '. . . *y-N'5 N. ,,. .S

! g ( '. .' ...

. , .'., .> l.

' . II.,)

.'. ' . . ' ' g, p

. ? --

.,<-D,p. .

e ... n

. . . g , f.u , . .*p. . , . . ..<'

e.;;, .,,1. - - *

....y...@.v.*..'.,;,,

i

-4..., . f.j +; . .s . -p* - , i . . ' - ^ , . : -

. 4, ,.i. e ', .yn j ,

{,

s. +,

, . . . '.1., - . . - - ' ,g- -

. s ,

,. ; ( ; .c %' .

~g i i :

g .-

#, . ' . , *, .* . , , -l p' . - %,, ,' '

t' Y,', - $,-

i, -

' , *( s .- , - s ((,; .b ..',. '

g, ,'.". <'. , . '.-

1- ' '

' [ h' , y , '

f [. '.

i3 .N

,3 k' ,'g

. i .

,,- , ej

ra . . {. , , '

.,'. . zd.

'. ..e-p ; . i . .. . . -

.g w - . ,

t J, . ' -

, s g, ' J. ,

e r ,, -

.., - g- -

w, y :

o :; - .. . ' ' *"

.s

m. , . f *. . . "

.'4. . 4.;

a - , ,

. y - . < -

. t q.. ;. , D

?

j . .- ,

'r .

2

-l',.

' ' , . .- . - ? -

, . V .5 :

. ' l .. . ' , ,,,,, '. _-

= .* '. . .

f. ' . 5

,9. (

4 . ,, .( , . - + .e . , i - . , , . ,

' . -.4,p .

' ' ' , , 49

, $ ' . * * .. . s , ' ,

9 * * '#

\ * - [ ,

l'

.l' ,

.v m ,;-

~ , r

c. ' ' ; ~ - ,

- 1 , . ' . * '

' ' .t , .

g' -}.,

- ,O (

.,f

" . 1 4 :. . t ' ' - _

s . -

a . ;.x f ,w, ' - i. '

j ' ;yE~ * .c,'y .- ' -' ' - '% ,.

. p

i;.

- ,. + .' ; . > (.q.. ,:.. .%.. n...... .. y n

s ,,,;,r ... ;.. t. . y

1,

- ~. ,j. . ~. ..s . . &: . :,

O.M j.m:j'[m.,.

s.* h ,Q M.y . ':' .%n _ .,7: y:Q@g y k

, [. ".(( f.". . .4 Q,,jq[f. *: . ,, $ " #

.. .s -

9.. . ,. . .e- v. p:. ei .

t m.. -..- ;.,,..- .va .u, C-n -

3 - 3. .. 5 - u

. q:G [.-w ,:, x &' ,

.. . . t. o.,.

. a ' .r 4

a ;.),)r.' y. ..jy.gj

. .a{, u j . -. .. . Q'.p.Ame

..f. .. f

, , g _ ,,,

. ~m ,. _. .. ,. .a., .m.

.- +a.. ,,, . n.. , ,.... ., . . .. .

+ -

.. x m.3 ,

,c .y . .c. , . 4.a . * [, . a. 4,.

g

. n. . .'.*,..[.-..g'-

m - .r. - .

.m.

I' '**.O,j '

~m. .

..g

([! * ., O -

f, 1

,b. ..e 'y#1 a,

.'y 4[*' %,

'.g. ,.'v, .- , ,

I

...,.,gt ,,

91WldVVdA Y A VijVO . [~, '.?.": '.? I '.' oc i, $ ' ' ; . g ,,. . . p' d'. N 9

- ,I . 1 ' - 'I

k. - ' ? ?

= : 'j;1.E .',?.

Tl3. > . G dw,'W VC W"^'il >M.o y,'Md. .d; , k fp.

PDR- ADOCK 05000445 rO . l . ! . . .: ~

s . ..

"'- m'.-.*- ,-. (. . . ;,- - , - We 2y',,..,.;.,-

P - PDR - '~ -

< /G

. '; n. .f 4

- .. h . ;.

4 e..

J., a ,,,'j- ,,3.q.w ..,o.- 1 i, . m: C.a. .., : a - p

. . j . 4,k. !e 4 -

,a q..'; ;;

s . . . , ..

.1'.

..,,.."gt., , J(s .p :j. . . VGi ; a; 's. -

>, ' . ,, ;,'vg, i . m . , , ,

~

p:-. -),-e

..er'

... , . e, .

' 7 -

t, M !O- . i.,* ,

'1.s'

'r.',.~ .

9,* 4.; ' , ,i. * ' .j..;:4, ' . rc'.c.

3' . . .

, . ; .; p p_, . ,

i-

l FOR UNRCoTRICTED DISTRIBUTION DATE._- WEC I

4 I

l l l

WESTINGHOUSE PROPRIETARY CLASS 3 WCAP.10272 Supplement 3 EVALUATION OF THE EFFECT OF SURVEILLANCE FREQUENCIES AND OUT OF SERVICE TIMES ON THE UNAVAILABILITY OF THE N-16 REACTOR TRIPS AND THE REFUELING WATER STORAGE TANK SWITCH 0VER FUNCTION Prepared By:

R. E. Heller APPROVED BY:

$.$, W

0. R. SHARP h MAGER PRODUCT RISK ANALYSIS September 1990 ,

4 4

l WESTINGHOUSE ELECTRIC CORPORATION Nuclear Energy Systems P.O. Box 355 Pittsburgh, PA 15230-0355 oom*mm e.n n

WESTINGHOUSE PROPRIETARY CLASS 3

(*1990WestinghouseElectricCorporation) l l

D0122:1Cw0 ti19I(Part 1)

WESTINGHOUSE PROPRIETARY CLASS 3 TABLE OF CONTENTS 1.0 Introduction..................................................... 1 2.0 Description of the N-16 Power System and Associated Instrumentation Systems ......................................... 3 2.1 Analog Channels ............................................ 4 2.2 Logic Cabinet and Reactor Trip Breakers .................... 5 3.0 Instrumentation Testing ......................................... 8 3.1 H-16 Analog Channel Testing ................................ 8 4.0 Quantitative Evaluation of increasing Surveillance Intervals and Out of Service Times ........................................ 10 4' Methodology ................................................ 10 4.1.1 Unavailability of components due to random failures.. 11 4.1.2 Unava. lability of components due to test ............ 11 4.1.3 Unavailability of components due to maintenance ..... 11 4.1.4 Human Error Modeling ................................ 12 4.1.5 Common Cause Treatment .............................. 12 4.1.5.1 Quantification of Comon Cause Contribution from the N-16 Bistables ....... 14 4.1.5.2 Quantification of Common Cause Contribution from the Logic Cabinet ..................... 15 4.1.5.3 Trip Breakers Common Cause ................. 15 4.2 Data ....................................................... 16 4.2.1 Failure Rate Values ................................. 16 4.2.1.1 N-16 Detectors ............................. 16 4.2.1.2 Test and Relay Cards ....................... 17 4.2.1.3 Isolation and other Card Inputs ............ 17 4.2.1.4 Logic Card Integrated Circuit Failed High .. 18 4.2.2 Equipment Test and Maintenance Outage Time Data ..... 21 4.3 Fault Tree Analysis ........................................ 21 4.3.1 Fault Tree Cases .................................... 22 4.3.2 Equipment Bypass .................................... 22 4.4 Results .................................................... 24 wm mmsm.nu i

WESTINGHOUSE PROPRIETARY CLASS ?

TABLE OF CONTENTS - Continued b

5.0 Conclusions ................................................... 27 6.0 References ............................s........................ 29 Appendix A H-16 Power System Fault Trees ......................... A-1 Appendix B Refueling Water Storage Tank Switchover ............... B-1 e

004J 2 10/0 t t t9 I (8.r111 j u . . . . . .

WESTINGHOUSE PROPRIETARV CLASS 3 Lis1_p_f Tables and Fioures 2-1 Blo;k Diagram of H-16 System .................................... 7 4.2-1 Summary of Component failure Rates ......................... .... 20 4.3 1 N-16 Test and Maintenance Cases Evaluated ....................... 23 4.4-1 Summary for the N-16 and RTO Cased Systems ...................... 26 oom iommu v.n o iii

WESTINGHOUSE PROPRIETARY CLASS 3 l

1.0 INJRODUCTION WCAP-10271 (Reference 1) " Evaluation of Surveillance frequencies and Out of Service Times for the Reactor Protection Instrumentation System," describes a methodology for justifying revisions to technical specifications. The methodology consists of the numerical evaluation of the effects of technical specification changes. The objective of the methodology is to verify that safety and operability are ensured. To demonstrate the methodology and show how technical specification revisions can be justified, the methodology was applied to typical reactor protection systems. Tne technical specification revisions evaluated were increased time to place a ' ailed channel in a trip ,

condition, increased test and maintenance time, less frequent surveillance, and testing in bypass.

Having established the methodology in WCAP-10271, this report extends the application to the N-16 Power System, unique to Texas Utilities Electric Company, Com:nche Peak Steam' Electric Station Units No. 1 and 2. Those portions of the methodology which are discussed in detail in t - n .ginal WCAP, or Supplement 1 are not generally addressed in this report, rather, differences or new information is provided.

The methodology in this report consists of a fault tree analysis which calculates N-16 overtemperature and N-16 overpower reactor trip unavailability considering test intervals and test and maintenance times.

In addition to the quantitative analysis of the N-16 Power System, this report includes a qualitative argument for extending the Surveillance Test Interval and Allowed Outage Time changes provided by WCAP-10271 to the Refueling Water Storage Tank (RWST) switchover function of the Engineered Safety Features Actuation System. The argument demonstrates that the unavailability and risk results presented in the WCAP are conservative with respect to the results for the RWST switchover function. This argument has been included as Appendix B and is not discussed further in the body of this report.

l m n m ,n,n, - 1

, WESTINGHOUSE PROPRIETARY CLASS 3 WCAP-10271 in concert-with this supplement provides justifications.for including N-16 Power System and RWST switchover function in the relaxations covered by the WCAP-10271 Program. The methodology presented in WCAP-10271 is applicable to any protection system instrumentation and therefore applies to the N-16 and.RWST instrumentation. The results of the analysis of the N-16 are sufficient to justify relaxation of the surveillance test interval and-allowed outage times for the N-16 Power System. Also, the argument presented in Appendix B of this report is sufficient to justify relaxation of the surveillance test interval and allowed outage times for the RWST switchover instrumentation.

e 00%22. t 0/0 t I19I (Part Il 2

WESTINGHOUSE PROPRIETARY CLASS 3

2.0 DESCRIPTION

OF THE N-16 POWER SYSTEM AND ASSOCIATED THSTRUMENTATION SYSTEMS The N-16 Power System is an analog channel based system that measures the thermal power of nuclear reactors by detecting the level of N-16 present in the primary cooling system. N-16 is an isotope of nitrogen generated by fast neutron activation of oxygen contained in the water. Measurement is accomplished by externally mounting four specially developed N-16 detectors on the hot leg of each coolant loop within the reactor system.. Each detector interfaces to the N-16 System or to a Transit Time Flow Meter which provides coolant flow measurement. The detector current is converted to a voltage proportional to the amount of N-16 decay by the N-16 Power Module. The N-16 Power System also includes a high voltage supply that provioes power to the N-16 detectors.

Various signal conditioning amplifiers convert the level of N-16 activity into the following reactor parameters:

Thot: the calculated temperature in the hot leg of the primary coolant loop, Power: an indication of the operating power level of the reactor Tavg: the calculated average temperature in the core Overtemperature N-16 Setpoint: the value of Thot above which a reactor trip will occur.

Overpower N-16 Setpoint: the value of Power above which a reactor trip will occur.

The Thot and power signals, and the overtemperature and overpower setpoints are of primary concern in this analysis because they contribute through bistables to the generation of the overtemperature and overpower reactor trips. All of the generated signals also input into the control, and surveillance systems. The Tavg signal passes to bistables which generate Lo Tavg, and Lo Lo Tavg signals which are used in conjunction with other signals toinitiatetheEngineeredSafetyFeaturesActuationSystem(ESFAS),

specifically Se.fet ojection and Steam Line Isolation, and also in the generation of the P-12 interlock. 1

- - ,, n. ..m 3

WESTINGHOUSE PROPRIETARY CLASS 3 2.1 ANALOG CHANNELS In general analog channels consist of a sensor, signal corditioning equipment, and a comparator that monitors the signal for values in excess of a setpoint. The analog channels that comprise the N-16 Power System are more complex since additional signals are generated for use in the control and surveillance systems. The H-16 analog channels also make use of signals from other channels in calculating its outputs. A simplified block diagram showing the N-16 system and contributing portions of other channels is included as Figure 2-1.

At the top of the N-16 analog chanral, a dedicated high voltage supply provides power to the N-16 detectors through a junction box. Currents from the detectors feed through an interface panel to the N-16 Power Module. The interface panel is shared with signals from the Nuclear Instrumentation Systems (NIS) Power Range flux detectors, and also provides for diversion of the N-16 signals for off line flow measurement. The N-16 Power Module converts the N-16 detector currents to a voltage proportional to N-16 activity in the primar.y coolant loop.

A streaming correction based on signals from the NIS Power Range Flux System is then applied to the N-16 signal. This is followed by an additional correction based on Tcold, the temperature in the cold leg of the primary coolant loop. Tcold is determined using a conventional RTD. After these corrections the N-16 signal passes through a series of suming and lead / lag amplifiers that compensate for the recirculation of N-16 through the coolant

. loop. The compensated signal is then combined with Teoid to generate Tavg.

1 The H-16 signal passes through an additional lead / lag amplifier and into the comparators for the overtemperature and overpower bistables. The signals at the comparator inputs also feed the control and surveillance systems through isolation amplifiers.

The H-16 analog channels also perform the calculation of the N-16 overtemperature reactor trip setpoints. The Tcold signal, the NIS Power Range Flux upper and lower signals, and the Pressurizer Pressure signal are l

oom m ume.w 4

WESTINGHOUSE PROPRIETARY CLASS 3 modified and summed to generate the overtemperature setpoint. Although

" testing and maintenance requirements for systems other than the N-16 Power System that generate these signals are covered by their owri technical specifications, those portions of the systems necessary for the operation of the N-16 Power System were included- as part of the N-16 system in this Jnalysis. This provides an additional level of conservatism to the quantification, since the testing and mainten6nce requirements for the contributing systems were previously relaxed as a result of WCAP-10271 and Supplement 1. The overpower trip setpoint is manually set at a summing amplifier included in the N-16 analog channel. These setpoints are also input to the control system through isolation amplifiers.

2.2 LOGIC CABINET AND REACTOR TRIP BREAKERS For this analysis the logic cabinet and reactor trip breakers were assumed to be identical to those described in WCAP-10271 and Reference 9. Both the overtemperature and overpower bistables will generate a trip signal if two out of four of the respective channels are in a trip condition. Therefore three of the four channels must fail before a failure-to trip on either overtemperature or overpower will occur.

The mechanism of a reactor trip begins when a comparator senses a parameter in excess of the specified setpoint. The resulting comparator output will cause the corresponding input relay of the protection logic system to de-energize, applying a ground to a specific logic input. These logic inputs

-are applied to universal boards which-are the basic circuits of the

_ protection system. -For_the N-16 overtemperature and overpower trips they contain 2/4 logic circuits. Therefore grounding of two of the universal board inputs will cause a trip signal to be generated.

The outputs of the universal boards are connected to undervoltage output (UV)

' boards. The UV board in each Solid State Protection System (SSPS) train maintains the undervoltage coil of the reactor trip breaker in an energized condition. When a universal board generates a trip signal the output from the UV board will be removed, de-energizing the UV coils. This will open the reactor trip breakers removing power from the rods, allowing them to fall ummum m u 5

WESTINGHOUSE PROPRIETARY CLASS 3 into the core. (The trip breakers also use shunt coils to provide an additional mt.thod for opening their contacts.)

9

$ ! $! I Od h

I l

WESTINGHOUSE PROPRIETARY CLASS 3 l NvPl MlP 4 :s mst f

iniiri > W I

Jjfp. (

..p.

h ;

n"""' ( 'E'

=

G: qB , O O nu,,.a .................

p i ,u,, .a yyy" e

,.ut ......... ..... .. ,,,c.. n itig i m m !!, u t i I "Pl!t!'mdP' 7!dw.b i

' . - - 1 1 H all in (all inrut) u C5.N 410 .. $HL i.i, api, f f, .. THL k!NJgMitt as .: io S ,Y j- h to ,orn'. " .

q. -S: S

" mnm - D ' " :t L,L CONS

. m pi a;g,gj + wgg

'er .

a ,

5 l; ens g4n ** .

%.gI Ln.,

t.v6

'em fhatROL mom tC (OntHL Omine htocontHL

,1, (QMP. (CMP. 40M7.

!!hlfht LeLN!NGSfh.L$ hRfhf

.+.ls : M b steen Figure 2-1. H-16 Simplified Block Diagram mu miimemu 7

. - - - - - - ~ .. - ..- - . . - - . - ~ . _ . . -

i

], /.

' WESTINGHOUSE PROPRIETARY CLASS 3 l3.0- INSTRUMENTATION TESTING l

The reactor protection system-is designed to allow ca line testing. An. ]

, overlapping test sequence is used, with each test within the testing scheme I Ladiquately testing a portion of the protection system. Satisfactory completion of all-tests provides assurance that the system will perform as- l designed when a demand is placed upon it. Typical-RPS testing involves

-verification of proper channel response to known inputs, proper comparator 'l (bistable) settings, and proper operation of the combinational logic and ,

associated trip breakers.

This section of the report discusses current testing practices applicable to

.the N-16 Power System. 'It is-. intended that this discussion provide-an-overview of testing practices for the analog channels; more detail and information of logic cabinet and trip breaker testing is provided in WCAP-

~10271-and the referenced documents. _A discussion of the' impact of increased

-surveillance intervals and test and maintenance times on plant operation is j

alsoLincluded.-

3.1 'N-16 ANALOG CHANNEL TESTING-

^

-Analog tests are. performed to-verify that the analog channels are functioning properly land.that bistable. settings in the signal comparator are at.the

-desired setpoint. N-16 analog channel testing is performed as follows:-

4

. 1. - ~ Channel test cards are provided in the N-16 racks for various. segments ;

-ofsthe channel. These test cards _have_testrjacks'for inserting a test i signal into the circuit.: test points'to verify performance, light emittingdiodes(LED)for. status. indication,andswitchesandrelaysto falign the system for the tests-to be performed.-

J

2. The test. switch for._the channel segments to be tested is put in the

-test position. This actuates a relay to-align the chanr.e' input to the

. test jacks. The switch also actuates a relay that realigns the bistable-output for the function to-be tested from-the SSPS input

-relays-to an indicator test-lamp. -Channel segments upstream of the oeumomme.n n 8 I

, - .-,-. , , , , - , - - ,m,x

WESTINGHOUSE PROPRIETARY CLASS 3 segment under test are disconnected and the circuit is now capable of receiving a test signal through the test jacks. With the bistable output disconnected from the SSPS input relays, the protection system receives zero volts which corresponds to a trip signal. Therefore, while analog testing, only one additional signal is needed from the remaining redundant channels to activate a reactor trip. Input signals to the test jacks are adjusted until the bistables trip. This will be indicateo by the indicator test lamps. Further verification is gained from the 'ontrol boards alarms and indications which remain in the circuit throughout the test. When the test switch is restored to the normal position, the upstream segments supply inputs to the circuit and the bistable output is realigned to the protection system logic.

As discussed in the preceoing paragraph, testing of the N-16 analog channels is performed in a partial trip condition, i.e., the SSPS sees a trip condition from the channel being tested throughout the test. Receipt of any other trip signal on a redundant channel during testing while in a partial trip condition will result in a reactor trip.

This report justifies testing of the H-16 channels in a bypassed condition.

However, this mode of testing will not be utilized until such time as modifications are made to the system to allow bypass testing without using jumpers and lifted leads and to provide for bypass status indication in the control room. Testing in bypass would minimize the time spent in a partial trip configuration tnus reducing the probability of spurious reactor trips.

l n,, n n., n 9

WESTINGHOUSE PROPet!ETARY CLASS 3 4.0 OUANTITATIVE EVALUATION OF INCREASING SURV Q tauM INTERVALS AND OUT OF SERVICE TIMES To evaluate the impact of increasing surveillance intervals and out of service times for the N-16 Power System on reactor trip availability. a fault

. tree analysis of the reactor trip functions that are provided by the N-16 was performed. The increases in the survetilance intervals and test and maintenance times were chosen to make the requirements for the H-16 channels consistent with the other analog channels in the reactor protection system.

This section of the report discusses the fault tree methodology which was

.used for the analysis and presents the results of that analysis. Also provided is a discussion of the data sources and data obtained to quantify the fault trees and the methods used to calculate unavailability from the data. . Fault trees from the analysis are also provided.

4.1 METHODOLOGY A set of-fault trees was previously developed in WCAP-10271 and supplement 1 for the RPS. The fault trees _for the logic cabinets, and reactor trip breakers were copied from WCAP-10271 and reviewed. The results of subtree evaluations for the trip breakers, bypass breakers, and input relay ground returns and the component failure rate values applied to the components were also developed in WCAP-10271. The methodology used is consistent with that documentedinNUREG/CR-2300,"ThePRAProceduresGuide"(Reference 14). The Westinghouse GRAFTER code system (Reference 12) was used to edit, maintain the fault trees on file, and quantify the fault trees.

Failure probability: estimates were input to the trees in order to quantify-unavailability of the system for both the N-16 Overtemperature Trip and N-16 Overpower Trip signals.

The five major contributors to trip unavailability are listed below and discussed _ individually in the following paragraphs.

1. Unavailability of components due to random failures mnwomemn 10

l I

WESTINGHOUSE PROPRIETARY CLASS 3 l

2. Unavailability of components due to test

3. Unavailability of components due to maintenance l

4. Human error modeling

5. Common cause treatment l

4.1.1 Unavailability of ComDonents Due to Random Failures l

Hourly failure rates for the components modeled in the fault trees were j obtained using industry data as discussed in 4.2 and WCAP-10271. The failure rates were then converted to failure probabilities using the following l formula:

Failure Probability = Failure Rate (hourly) x (Detection Interval (hrs)/2)

This is the average probability of failure over the detection interval, and is sensitive to the detection interval applied. ;

Since the temperature and power parameters and setpoints determined by the N-16 channels are input into the control system, most of the failures that occur will be detected during surveillance of the control system inputs.

This sJrveillance is performed three times per day, therefore the detection interval for these components is 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . However failures of the H-16 channel comparators, logic cabinet and trip breakers will only be detected during the regular surveillance testing. Therefore the detection intervals for the comparators, logic cabinet and breakers are the specified surveillance test intervals for the case under consideration.

4.1.2 Unavailability of Components Due to Test The unavailability of components due to test was calculated using the following formula:

Probability of unavailability due to test = (mean number of tests per hour) X (mean duration of the test) i oom iomime.nn 11 l _ _ _ _ _ - - - - _ - - _ .

WESTINGHOUSE PROPRIETARY CLASS 3 4.1.3 Unavailability of Components Due to Maintenance The unavailability of components due to scheduled maintenance was calculated in the same way as test unavailability:

Probability of unavailability due to scheduled maintenance = (mean number of scheduled maintenances per hour) X (mean duration of the

. maintenance) 4.1.4 Human Error Modelina Human ;rrors such as miscalibration or misposition of a component were modeled in the fault trees. Alan D. Swain's, " Handbook of Human Reliability Analysis With Emphasis on Nuclee.r Power Plant Applications". NUREG/CR-1278 (Reference 11) was used as a guideline in determining the human error probabilities. The human error probability is defined as the probability that when a given task is performed an error will occur. Swain provides some general rules to quantify certain types of human errors without task analysis. Consistent with these rules, a blanket proLability of IE-3 was assigned to each human error.

The possibility of an operator committing more than one of the same type of error was also considered. This potentici conmon cause was quantified using the following formulas:

Beta factor = (1 + 19 x (probability of single error))/ 20 Probability of more than one error = (Beta factor) x (probability of oneerror)

This formula, taken directly from Swain's manual, assumes low dependence between tasks. This assumption was used in this study due to the absence of detailed task analysis to reveal potential sources of human interaction.

1 mn umm,.o 12

WESTINGHOUSE PROPRIETARY CLASS 3 4.1.5 Common Cause Treatmep_t This'section deals with the handling of common cause for the actual lardware components in the N-16 System. Common cause failures of hardware components can be defined as simultaneous failures of like components with identical functional requiren.ents. A four-step procedure was followed to calculate the contribution of common cause to overall system failure. This procedure is:

Step 1. Develop the fault tree for independent (random) failures of components. - Determine minimal cutsets that are major contributors to system failure.

Step 2. Identify cutsets which contain multiple failures of the same type of component.

t Step 3. Calculate the common cause failure probability of each of the cutsets identified in Step 2.

Step 4. Sum all common cause failure probabilities calculated in Step 3.

Identify and quantify any additional system specific comon cause contributors.

Common cause was quantified for 1.- Reactor Trip Breakers

2. Logic Cabinet, including the N-16 bistables LThe quantification was performed using the approach developed by Corwin L.

Atwood in his guide: " Common Cause Fault Rates for Instrumentation and Control Assemblies: Estimates Based on Licensee Event Reports at U.S.

Commercial Nuclear Power Plants,-1976-1978", EGG-EA-5623, (Reference 10). It l 1s important to stress that very-little data has been compiled regarding L ' common cause. The derivation of these rates included certain failures that l cause the reactor to trip, whereas this study is concerned only with failures that cause the reactor not to be tripped. Therefore, these rates are conservative, com unme.w 13

WESTlHGHOUSE PROPRIETARY CLASS 3 i

The actual model used to treat common cause is as follows: l Probability of common cause failures = (hourly common cause failure l rate) x (time period of interest)

Total Probability of system failure = (probability of random failures, l operator errors, and unavailability due to test an maintenance) + l (probability of comon cause f ailures) 4.1.5.1 Quantification of Comon Cause Contribution from the N-16 Bistables Atwood (Reference 10) defines the bistable in two parts:

1. The sensing device which measures a parameter. For the N-16 this consists of the radiation detectors.

2. The signal conditioning system. This includes all components after the sensing device up to and including the bistable.

It is assumed here, as in WCAP-10271, that a failure of more than one channel would be detected in two shifts or 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months .

Both the overtemperature and overpower trip signals use 2 out of 4 logic; therefore there are four combinations of three bistables failing simultaneously. For each combination, the common cause contribution was calculated as follows:

Rk = Comon Cause Hourly Failure Rate H-16 Detector (ExcoreRadiationSensor) Rk = 4.90E-07 /hr Signal Conditioning System Rk = 3.70E-07 /hr Total Comon Cause Failure Rate Rk = 8.60E-07 /hr T = Time Interval (16 hrs /2) T= 8 hrs Pcc = Probability of Common Cause pcc = Rk

T pcc = 6.88E-06 mm%m,i v.n o 14

WESTINGHOUSE PROPRIETARY CLASS 3 However there are 4 combinations of 3 failures possible, so:

i Pcc = 4 x pcc Pcc = 2.75E-05 Note that this-is-slightly higher than the common cause calculated for the RTO based System (1.7E-5) on page 4-7 of WCAP-10271. This is due to the greater complexity, and therefore higher common cause failure rate of the N- ,

16 detectors.

i 4.1.5.2 Quantification of Common Cause Contribution from the Logic Cabinet i

As shown in WCAP-10271 the Logic cabinet common cause failure probability is the sum of the bistable common cause probability and the human error common cause probability.

.N-16 Bistable Common Cause Pcc = 2.75E-05 Human Error. Common Cause Pcc = 5.09E-05 Total Logic Cabinet Connon Cause Pcc = 7.35E-05 Note that given the above assumptions, this value is independent of the test and maintenance intervals. Therefore the same value applies in all the cases evaluated in this: analysis.

.4.1.5.3 l Trip Breakers Comon Cause The Beta Factor method is used as shown in section 4.1.5.2 of WCAP-10271.

The random failure probability used is that calculated for mechanical malfunction.of the Trip breakers, given that both-the undervoltage and shunt trip mechanisms are applied. These values are the same as those applied to the RTO based system.

t commmm,.n n 1S

-WEST 8HGHOUSE PROPRIETARY CLASS 3 aC

~

g s B = Beta Factor B= _

Base Case 1 1 rip Breaker MM Failure Probaollity Rk =

ac Common Cause Pcc = _____

Therefore the total probability of common cause failures is:

Base Case Case 1 Case A Logic Cabinet Common Cause 7.85E-05 7.85E-05 7.85E-05 Trip Breakers Commen Cause a,c Total __ -

4.2 DATA The failure rate estimates contained in WCAP-10271 and applied in this study were generated by reviewing a variety of data sources. The failure rate estimates presented in this analysis are point estimates and the general methods for establishing these estimates are as described in section 4.2 of WCAP-10271. Information of the failure rates used, and the development of failure rates for. components specific to this analysis are described in the following sections.

4.2.1 Failure Rate Values A summary of the f ailure rate values used, and identification ci their source can be found in Table 4.2-1. Those failure rates not specified in WCAP-10271 or supplement 1 were developed as follows:

4.2.1.1 H-16 Detectors The failure rate for the H-16 detectors were developed based on prototype demonstration testing as reported in WCAP-9190 Section 4.0 (Reference 5).

eem a nnu..,n 1F

. 1 WESTINGHOUSE PROPRIETARY CLASS 3 a ,b.c; L(The' Chi-Squared distribution was used to calculate the 90% upper confidence limit of the N-16 detector failure rate based on prototype performance at

-Ginna and Indian Point.)

3 i

. i i

4.2.1.2 Test and Relay Cards The N-16 and its associated channels contain many cards whose function-is to isolate part of the' system for signal injection and measurement duri"g test and. maintenance. . During system operation the signal passes through the normally closed relay contacts. The remainder of the card provides power connections to the' relay. coils and test points which are not used during normal operation. Therefore -the failure rate assigned for.these cards is 1the value specified for failure of relay. contacts in the open position, mn mm,iv.n n 17 1

WESTINGHOUSE PROPRIETARY CLASS 3 4.2.1.3 Isolation and other Card inputs Many of the signals used in the N-16 system are fed through isolation cards to the control or surveillance systems. Some of the signais, such as the pressurizer pressure, and neutron flux power range, contribute to their own channels and therefore feed into bistables, or signal processing boards.

Since an input short on any card connected to a N-16 signal would result in the loss of the H-16 channel, these failures must be included in the analysis. However, it would be excessively conservative to use the entire failure rate of these cards to reflect the possibility of an input short.

Review of the schematics of the various isolation cards, bistables, and amplifiers, reveals that the input signal feeds into a single integrated

-a circuit, usually an operational amplifier.

- - a ,c Therefore the failure rate of an integrated circuit as reported in Reference 1 was used to determine the frequency of input shorts on cards connected to, but not contributing to the processing of the N-16 analog channels.

4.2.1.4 Logic Card Integrated Circuit Failed High In the analysis of the N-16 analog channels it was assumed that any component failure resulted in the unavailability of the channel.

However, in the evaluation of the logic cards, undervoltage driver cards, trip and bypass breakers, and supporting hardware, only those failures that could result in a failure to' trip on demand were considered. Thus the fault tree included references to specific failure modes such as, diodes fails open, transistor collector-emitter short. It is a standard practice to apply information about component failure modes to partition specific part failure rates and determine the rate of occurrence of the failure modes of interest.

However, for the majority of the components in the logic cabinet no reduction in failure rate was made to account for failure mode specifics. This will of course result in a conservative estimate.

oom amme.o 18

WESTINGHOUSE PROPRIETARY CLASS 3

- Two casos do exist where the failure rates assigned include an adjustment to account for failure modes. These are the trip and bypass breakers, and the integrat'ed circuits on the universal logic card. Mode. specific failure rates for the-breakers resulted from the fault tree analysis performed on the breakers in WCAP-10271.

The integrated circuits designated Z1, 22, and Z3 on the universal logic card-are logic gates that receive the 4 trip signals from the N-16 bistables and

- determine when at least 2 of them call for a trip. When the 2 of 4 condition is met, Z3 presents a low level to the undervoltage driver card idlich results in a reactor trip. The f ailure rate adjustment was made for Z1, Z2, and Z3 failed high since any other failure modes will result in a reactor trip, and since failures of these-integrated circuits are major contributors to the potentialunavailab,1,1{tyofthetraintheyarein. Therefore a failure mode L probability'of was used for the failed high condition to adjust the .

- integratedcirEuit'f'ailurerate.

4-005211041f t91(Part t)

- ~ . . . . . . _ , _ . ,- , .- - . , _ . .

, . _ _ _ _ . - 1 .-- -- ,,

WESTINGHOUSE PROPRIETARY CLASS 3 Table 4.2-1 Sumary of Component Failure Rates Component Failure Mode Failurt BAlt Source 15 Volt Bus All - -

Bypass Breaker Mechanical Capacitor All Dual Comparator All Function Generator Card All Input Relay Ground Open

~5ntegratedCircuits All Lead / Lag Amplifier All Light Emitting Diode (LED) All HIS Buffer Amplifier All Neutron Flux Detector All Pressure Sensors All Pressurizer Pressure LPS All Printed Circuit Board Open Trace Printed Circuit Card Single Pin Connection Rectifier Diode All Relay Contacts Open Relay Contacts Shorted Resistors All RTO Type Temperature Sensors All Suming Amplifier All Thermocouple LPS All Transistor HPH All Transistor PNP All Transistor Q3 PHP,25W.HI REL All Transistor Q4.PHP, SW.HI REL All Transistor QS NPN, HI REL All Trip Breaker Mechanical All Zener Diodes 1

mm a nnu..no 20

WESTINGHOUSE PROPRIETARY CLASS 3 4.2.2 Eauipment Test and Maintenance Outaae Time Data Tne technical specification places limitations on the time allowed for testing and maintenance of the instrumentation systems. The Comanche Peak technical specification allows 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for testing and 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for maintenance of the N-16 bistables, and 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for testing and 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for maintenance of the SSPS and trip breakers. Testing or maintenance of the SSPS and trip breakers that takes longer than this must be performed with the plant shutdown.

Discussions with Comanche Peak revealed that N-16 bistable testing takes from 1 to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months depending on the proficiency of the crew. A survey reported in WCAP-10271 determined that on the average 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months were required to diagnose and effect repairs following identification of a faulty or out of range components for a typical analog channel.

Revising the technical specification to allow 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for testing and 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for maintenance of analog channels will allow sufficient time in most situations to accomplish testing and maintenance without placing the plant in a partial trip condition. It will also make the requirements for the N-16 channels consistent with those for the other channels in the RPS.

Most recent discussions with Comanche Peak indicate that they test the N-16 channels in trip and there are no current plans for implementing the modifications necessary for testing in bypass. This analysis evaluates testing in bypass to be consistent with the previous Test Optimization Program work and since it represents the more conservative test configuration with respect to trip signal availability.

4.3 FAULT TREE ANALYSIS Copies of the fault trees for the H-16 analog channels, and the associated logic cards and breakers have been included as Appendix A. The fault trees are consistent with those developed in WCAP-10271 for the reactor trip system.

oom co mm.m n 21 j l

1

WESTINGHOUSE PROPRIETARY CLASS 3 4.3.1 Fault Tree Cases fault trees were constructed to model the RPS to allow the calculation of the unavailability of overtemperature and overpower trip functions. The fault trees were quantified using industry data as discussed in section 4.2. The quantification was first performed assuming the current technical specification requirements to provide a reference against which comparisons could be made. A second complete analysis was performed to evaluate the overall change in trip function unavailability resulting from the proposed increase in the bistable test intervals, and test and maintenance times.

This case is referred to as Case A as first denoted in WCAP-10271 Supplement 1.

In addition the quantification was repeated for the Base Case, and Case 1 as specified in WCAP-10271. Although not required for this evaluation these cases allowed direct comparison to the unavailability values developed for the RTO Temperature Systems.

Table 4.3-1 provides a summary of the cases evaluated and the test and maintenance intervals and times assumed for each.

4.3.2 Eauipment Bypass Equipment bypass was modeled assuming that during testing and maintenance the channel was not capable of performing its function. For example, the N-16 technical specifications allow operation with channels inoperable provided that the channel is placed irl the tripped conditions within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The implication in a fault tree analysis is that for 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months the channel is unavailable. However, after the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months period the channel has an availability of 1.0, since it is providing a trip signal and for all practical purposes cannot fail. To include equipment bypass in the evaluation the assumption was reade that during testing and maintenance the channe:1 was not in a tripped condition and could not provide a trip function.

)

oom mmm..% 22

WESTINGHOUSE PROPRIETARY CLASS 3 i

t Table 4.3-1 N-16 Test and Maintenance Cases Evaluated-Component Current Case o[s Units Test Interval Bistable Channels 1 3 1 3 Months Breakers 2 2 2 6 Months

. Actuation Logic 2 2 2 6 Mcnths '

Test Time Bistable Channels 2 4 2 4 Hours Breakers 2 2 2 4 Hours Actuation Logic 2 2 2- 4. Hours Maintenance' interval All 12 12 12 12 Months Maintenance Time Bistable Channels 6 12 1 -l 12 Hours Breakers 6 6 6 12 Hours l Actuation Logic 6 6- ,

6 12 Hours oom ioen m e.n a 23

,.i., ,. ,m ._ , _ . . , -- -

WESTlHGHOUSE PROPRIETARY CLASS 3 4.4 RESULTS The results of the analysis, both without and with common cause modeled, are shown below.

Unavailability Calcul.ations with No Hardware Common Cause Trio Function Current Proposed Ov e Temperature Trip 8.9E-06 1.4E-05 Over Power Trip 8.7E-06 1.3E-05 Note the increase in the test and maintenance intervals and times for the N 16 Channels increases the trip unavailability by 54% and 56% over the current requirements with no hardware common cause modeled. This compares favorably to the 94% and 50% changes determined for the RTO based measurement system evaluated in WCAP-10271 aupplement 1.

Unavailability Calculations with Hardware Comon Cause Trio Function Current Proposed Over Temperature Trip 1.01E-04 1.06E-04 Over Power Trip 1.01E-04 1.06E-04 The increase in the test and maintenance intervals and times for the H-16 Channels has little effect, a'n increase of 5%, on the trip unavailability when comon cause is considered. This is comparable to the 9% and 5% changes determined for the RTD based measurement system.

-Table 4.4-1 shows the rei'J1ts of all the cases evaluated and provides a comparison to the values determined for overtemperature and overpower trips evaluated in WCAP-10271 Supplement 1. Note the values given for the RTD system are slightly higher than those reported in supplement 1. This is due to the correction of several errors found when verifying the RTD results for inclusion in this report.

1 I

com un m v.n n 24

WESTINGHOUSE PROPRIETARY CLAS$ 3 The results of the fault tr(.e quantifications demonstrate that the availability of the trip signals from the N-16 system art essentially the same as the availability of the RTD system signals. This is due to the redundaricy applied to the analog channels which significantly reduces the contribution of channel failures to the trip signal unavailability.

h$d2 l lYkhk .d b

WESTINGHOUSE PROPRIETARY CLASS 3 Table 4.4-1 Summary for the N-16 and RTD Based Systems Overtemperature Overpower NQ_(.Q With CC Eg__([ With CC

~~

N-16 System Current 8.90E-06 1.01E-04 8.71E-06 1.01E-04

~

Case A 1.39E-05 1.06E-04 1.34E-05 1.06E-04 Base Case 8.50E-06 1.01E-04 8.34E-06 1.01E-04 Case 1 3.44E-05 1.65E-04 3.39E-05 1.65E-04 Change in Case A 56% 5% 54% 5%

respective to Current RTO System Current 8.78E-06 8.98E-05 8.19E-06 8.92E-05 Case A 1.70E-05 9.80E-05 1.23E-05 9.33E-05 Base Case 8.40E-06 8.94E-05 7.90E-06 8.89E-05 Case 1 3.76E-05 1.55E-04 3.28E-05 1.50E-04 Change in Case A 929 9% 50% 5%

respective to Current . ._-

E-16_ System Increase Over RTD Respective to RTO System Current 1% 13%

Case A -18% 8% 9% 13%

Base 1% 13% 6% 13%

Case 1 -8% 7% 3% 10%

RTO System H16 Sy: rem Overtemp2 Overpower Overtemp.

byerpower Individual Channel

[ailure Probabilititi Current 7.68E-03 6.74E-03 7.84E-03 7.58E-03 Case A or 1 '1.36E-02 1 '.'-02 1.20E-02 1.17E-02 Base Case 7.10E-03 ~6.16E-03 7.27E-03 7.00E-03 Change from Current 77% 63% 53% 54%

Practice to Case A 1

00%22 IMt 191 (f.12) 2b

,-- r,-- _,, , , - , - - -- - , - - - - - - - - _ , - - - , - - , - - , -, - , - - - - - , , - - - - - -

_n---- _ _

-.- - -.- - . _ m--ma ___--__.-

WESTINGHOUSE PROPRl[TARY CLASS 3

5.0 CONCLUSION

S L As a summary, the contents of the previous discussions are briefly stated

) below:

1. Increasing test and maintenance requirements results in:

a. An increase in equipment random failure probabilities which results in a 5% increase in overtemperature and overpower trip i

unavailability,

b. Performance of testing and maintenance in bypass condition for longer intervals which also contributes to the rennrted increase in trip signal unavailability.

I

2. The benefits to be realized by revising testing and maintenance r requirements for the N-16 Power System are:

a. A reduction in unnecess6ty plant transients and challenges to the protection systems.

b. A reduction in the amount of time the RPS is partially inoperable due to the increased surve111cnce test interval.

c. More effective use of the operating staff.

F d. The ability to redirect manpower to non surveillance matters.

e. Consistency in the scheduling of RPS channel testing, f A potential increase in equipment reliability.

g. A pottntial decrease in testing and maintenance errors,

h. An improvement in plant availability.

The implication of testing and maintenance and the benefits to be realized by revising testing and maintenance requirements are more than sufficient to justify the 5% increase in N-16 overtemperature and overpower trip unavailability. This increase is comparable to the increase determined in WCAP-10271 and SF I 1 for the RTD based system the N-16 channels replace. The recomended revisions to the RTD channel test and maintenance requirements were approved by the NRC based on that analysis, om n e m in.. o 27

WESTINGHOUSE PROPRIETARY CLASS 3 The methodology used contains several conservatisms. No credit was taken for RPS diversity. The handling of connon cause is extremely conservative, and segments of channels contributing to, but not part of the N.16 system were included in the calculation of trip unavailability. Perhaps most significant was the assumption that all analog channel failures would be undetectable at the time of failure. (Inreality,alargenumberoffailureswillresultin a call for trip which will be immediately annunciated.) Considering all 1 these factors the insignificance of the decrease in reliability is justification in itself for revising test and maintenance requirements. ;

Based on the discussion in Appendix B, it is judged that the impact on plant safety of implementing WCAP-10271 STI and A0T requirements for RWST switchover is significantly less than the increases resulting from the quantitative analysis of the Engineered Safety Features Actuation System (ESFAS). This is based on two arguments; the signal unavailability increase is smaller than that for auxiliary feedwater pump start on steam generator level low, and the RWST switchover requires operator actions which provide backup for the automatic portion of the switchover.

In conclusion, it has been shown using the methodology developed in WCAP-10271, and using qualitative argument based on WCAP-10271, that the test interval and test and maintenance times for the N-16 Power System's RPS instrumentation, and RWST ESFAS instrumentation can be as approved in WCAP.

10271.

l-l l

l oom a min..,n 28

WES?!NGHOUSE PROPRIETARY CLASS 3

6.0 REFERENCES

1. WCAP-10271, and Supplement 1. " Evaluation of Surveillance frequencies and Out of Service Times for the Reactor Protection Instrumentation System", Westinghouse Electric Corporation January 1983.

2. Comanche Peak Steam Electric Station Reactor Protection System, Section9 of the Comanche Peak FSAR.

3. NUREG-0460 V.1, " Anticipated Trans'ints Without Scram for Light Water Reactors", U.S Nuclear Regulatory Commission, Washington D.C., April 1978 (Vol.1, pg. 28) 4 WCAP-7706, " An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients", Westinghouse Electric Corporation July 1971.

5. WCAP-9190, "N-16 Power Measuring System", Westinghouse Electric Corporation, December 1977

6. WCAP-9172," ann-16TransitlimeFlowMeasurementSystem(TTFM)

Description and Performance", Westinghouse Electric Corporation, February 1978.

7. TBX-320, Instruction Book for Upgrade Protection and Surveillance System, Texas Utilities Generating Company, Comanche Peak Steam Electric Station, Units No. 1 and 2. Volumes I and 11. Westinghouse Electric Corporation.

8. TBX-330. Technical Manual for the Nuclear Instrumentation System, Texas Utilities Generating Company, Comanche Peak Steam Electric Station.

Units No. 1 and 2, Volumes I and 11. Westinghouse Electric Corporation, January 1979.

9. SNP-387 Technical Manual for the Solid State Protection System.

Standardized Nuclear Unit Power Plant System. Westinghouse Electric Corporation, March 1980.

oom emen..o 29

MESTINGHOUSE PROPRIETARY CLASS 3

10. EGG-EA-5623,

Common Cause fault Rates for Instrumentation and Control Assemblies: Estimates based on Licensee Events Reports at U.S.

Commercial Nuclear Power Plants. 1976-197B", Corwin L. Atwood, September 1982.

11. NUREG/CR-1278,

Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications *, A. D. Swain and H. E. Guttman, April 1980,

12. WCAP-11693, Rev. 1,

GRAFTER Code System User Manual for Version 1.6',

Westinghouse Electric Corporation. October 1989.

mn u m, u ., n 30

i WE$TINGNOUSE PROPRIETARY CLASS 3 4

Appendix A -

N-16 Power System Fault Trees Index To Fault Trees M Ha!!!! fJLis ,

N-16 Analog Channels N16 CHANNEL ..................... A-1

^

Overtemp. Logic-Train A TAPLOT ......................... A-8 Overtemp. Logic Train B TBPLOT ......................... A-14 Overtemp. Trip Breakers TTPLOT ......................... A-20 1 Overpower Logic. Train A PAPLOT ......................... A-26 0verpower Logic Train'B PBPLOT ......................... A-32 Overpower Trip Breakers PTPLOT ......................... A-38 1

-t

)

9 e

1 i

b i

oosn iommit e.,in A

WESTINGHOUSE PROPRIETARY CLASS 3

+a,c i

N 16 Analog Channels, Sheet 1 of 7 1

oom unme.nu A1

WESTINGHOUSE PROPRIETARV CLASS 3

+a.c i

N 16 Analog Channels, Sheet 2 of 7 l

' l l

cosn iocitisi esn a, A2

WESTINGHOUSE PROPRIETARY CLASS 3

+a.c i

N 16 Analog Channels, Sheet 3 of 7 l

I oomimiisu.nn A3

WESTINGHOUSL PROPRIETARY CLASS 3

+a.c N 16 Analog Channels, Sheet 4 of 7 oom im o u..n ,, A4

WESTINGHOUSE PROPRIETARY CLASS 3

+a,c N 16 Analog Channels, Sheet 5 of 7 mn iniiiii r .,,, A5

WESTINGHOUSE PROPRIETARY CLASS 3

+a.c 1

N 16 Analog Channels, Sheet 6 of 7

cesn: immie.n n A-6

WESTINGHOUSE PROPRIETARY CLASS 3

+a.c N 16 Afvalog Channels, Sheet 7 of 7 mn mws,e.nn A7

WESTINGHOUSE PROPRIETARY CLASS 3 l

+a.c Overtemperature Trip, Logic Train A, Sheet 1 of 6 m5nio,m,u..na A8

WESTINGHOUSE PROPRl[TARY CLA$$ 3

+a.c Overtemperature Trip, LogicTrain A, Sheet 2 of 6 oom to4 min..na A9

WESTINGHOUSE PROPRIETARY CLASS 3 ca.c Overtemperature Trip, Logic Train A, Sheet 3 of 6 comimn,ir ,n A 10

1 i

WESTINGHOUSE PROPRIETARY CLASS 3

+a.c ,

l i

1 l

l l Overtemperature Trip, LogicTrain A, Sheet 4 of 6 l

~

M __

WESTINGHOUSE PROPRIETARY CLASS 3

+a.c Overtemperature Trip, Logic Train A, Sheet 5 of 6 oom imiisir.n n . A 12

WESTINGHOUSE PROPRIETARY CLASS 3

+4,C i

i 4

Overtemperature Trip, Logic Train A, Sheet 6 of 6 mn metiisie.4 n A 13

WESTINGHOUSE PROPRIETARY CLASS 3 )

ca.c Overtemperature Trip, Logic Train B, Sheet 1 of 6 oom io,nis t er n A 14

WSTINGHOUSE PROPRIETARY CLASS 3 i

C4,C _j

1 i

s c

i i

sr a

-r; Overtemperature Trip, LogicTrain B, Sheet 2 of 6 1

1 L-onu w.. so.4n . A-15 >

- , , - . y, . J.-,-. ,-.....;-.-..,-,-.- .__;__,,.,,.m_-- -..,,__.~.-..,_.._-_-,-_-.._.-._,_,.___--_..~.a--._,.

-I

WESTINGHOUSE PROPRIETARY CLAS5 3

+a.c Overtemperature Trip, Logic Train B, Sheet 3 of 6 mn iranii,e.nu A 16

WESTINGHOUSE PROPRl[1ARY CLASS 3 i

t

+a.c Overtemperature Trip, Logic Train B, Sheet 4 of 6 oontio iiisie.n:, A 17

J WESTINGHOUSE PROPRIETARY CLASS 3

+8,C Overtemperature Trip, Logic Train B, Sheet 5 of 6 can io,iii.n..n n A 18

WESTINGHOUSE PROPRIETARY CLASS 3 os.c I

l Overtemperature Trip, Logic Train B, Sheet 6 of 6 mumm,w nn A.19

WESTINGHOUSE PROPRIETARY CLASS 3

+a.c Overtemperature Trip Breakers, Sheet 1 of 6 oom a m,iemn A 20

jp ' MSTINGHOUSE PROPRIETARY- CLASS 3': a

,N. f. * ' '

K:#' +n c

.:.5 c

\

f

, 1 f

o,<

f

[

i o

i 4

1.- ;

t

't 3

9 t

i\\

-y

)

.4, i

Mi3 b

OvertemperatureTripBreakers, Sheet 2 of 6

. .o. moo.m,ive n : . A-21 v-- I -- w -c-e .- , , . - . -,,,-y ,-- - ,,s ,- , ,.y,, ,,m,g .,e.3 g3 , . . . - . .,

WESTINGHOUSE PROPRIETARY CLASS 3 ca.c s

l I

e Overtemperature Trip Breakers, Sheet 3 of 6 oeu , w in ,n,.n , A-22

WESTINGHOUSE PROPRIETARY CLASS 3

. 4a.c l

l l

l Overtemperature Trip Breakers, Sheet 4 of 6 4

com m msu,.nn A 23

WESTINGHOUSE PROPRIETARY CLASS 3 ca.c Overtemperature Trip Breakers, Sheet 5 of 6 i

casu m m oit ,,,,, A 24

WESTINGHOUSE PROPRIETARY CLASS 3

+a,c l

Overtemperature Trip Breakers, Sheet 6 of 6 l

oom m m m ,mu A 25 l

WESTINGHOUSE PROPRIETARY CLASS 3

+a.c J

Overpower Trip, Logic Train A, Sheet 1 of 6 co m i m m u i..<i n A 26

M 3(INGHOUSE PROPRIETARY CLASS 3

+a.c I

l OverpowerTrip, LogicTrain A, Sheet 2 of 6 com amn e.nu A 27

WESTINGHOUSE' PROPRIETARY CLASS'3 ev , ::c;

'+g,c ;L

. .1 4

^!

i i

}

h 4 -;

. c;:

h h

, , 1 I

e.

-F 4

L T

1 1 i'

A

- OverpowerTrip, Logic Train A, Sheet 3 of 6 l.

i .. <

oommtuvie.nn; -A 28

1 - WESTINGHOUSE: PROPRIETARY CLASS 3 s lw t

'i

+a,c ;

i i

M -.

i L

s r

i 4

l-e I ::

l 'e

- Overpower Trip, Logic Train A, Sheet 4 of 6 b, lloutioiime.nie - A-29 L.

Y h

1 F'Y"' l '- "M^v 2- + , _ , _ , _ f

WESTINGHOUSE PROPRIETARY CLASS 3

+4.C C

OverpowerTrip, LogicTrain A, Sheet 5 of 6 com m u mi..n n A-30

f WESTINGHOUSE PROPRIETARY CLASS,3' s

+a,cbl A

I j_

e OverpowerTrip, Logic Train A, Sheet 6 of 6 main,u, n n --- - A 31

WESTINGHOUSE PROPRIETARY CLASS 3

+a.c d

Overpower Trip, Logic Train B, Sheet 1 of 6 oosumum v.n n A-32

WESTINGHOUST PROPRIETARY CLASS 3

+a c OverpowerTrip, Logic Train B, Sheet 2 of 6 ooumaiii,i e.n n A-33

~ WESTINGHOUSE; PROPRIETARY CLASS-3 .

s -t h.. . , -

+a c

. . s

..m 4

(

f 4

4

)

o

.1 -

n r

4

}

Overpower Trip, LogicTrain B, Sheet 3 of 6

,. o.mejm e.n n A-34 -

WESTINGHOUSE PROPRIETARY CLASS 3

+a,c OverpowerTrip, Logic Train B, Sheet 4 of 6 couuo,,iini em n A 35

i WESTINGHOUSE PROPRIETARY CLASS 3 l f

+a.c b

l Overpower Trip, Logic Train B, Sheet 5 of 6 com.m meie.nn A-36

WESTINGHOUSE _ PROPRIETARY CLASS 3 1

+4eC :

i

' i s

+

M .

I i

l '.

l' OverpowerTrip, Logic Train B, Sheet 6 of 6 oananxinen..hn - -A-37

': = . - - . ..;. . -.. , , ,. .. - , _ . .. _ _ _ _ . _ _ _ _

WESTINGHOUSE PROPRIETARY CLASS 3

+8,C Overpower Trip Breakers, Sheet 1 of 6 D052J 10411191(Pan 2) A*3b

WESTINGHOUSE PROPRIETARY CLASS 3

+a,c :.;

l.

o L

-~i

f i

l l

i Overpower Trip Breakers, Sheet 2 of 6' oesu imou e.nn A-39

. , .,j: y . i

. e WESTINGHOUSE PROPRIETARY Ct. ASS 3' i

' +S,C 1

.j

.r l

,,r E

?

.l.- y s

B"

s. r t

f G.~

T,' _ - -

i i

c) i Overpower Trip Breakers,-Sheet 3 of 6

- A-40 l oosummu e.n n

. ,; u .- ; ..- #. _. . - - . _ __ .. _ . - - _ _ . . __ ._ . - - - .

WESTINGHOUSE PROPRIETARY CLASS 3

+a c Overpower Trip Breakers, Sheet 4 oi6 m sn m nii n..n n A-41

WESTINGHOUSE PROPRIETARY CLASS 3

+8,C t

o Overpower Trip Breakers, Sheet 5 of 6 l

l D0522.10/01litI (Part 2)

WESTINGHOUSE PROPRIETARY CLASS 3-3 oa',c 6

- ,-.-s. -

.a-

,. t.e, ,

I t

ij>

l, i

3 i.

t n

I1 +

b - OverpowerTrip Breakers, Sheet 6 of 6 m

6

.J z onn imu m e.n u - A-43

. _ . . > _ . . - ~ _ . . - . _ . . . .. _ . , _ . . .;_.

WESTINGHOUSE PROPRIETARY CLASS 3 ADDendix B Refuelina Water Storaae Tank Switchover l

l com twon tti e.n n B-1 l

q n 1 WESTINGHOUSE PROPRIETARY CLASS 3 Refuelino Water Storace-Tank Switchover 1 Table of Contents 4 l' . 0 ~ Purpose ......................................................... B-3 i 1

2.0 B a c k g r ou nd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B - 3 l 4

i 3.0 Approach ........................................................ B-3

.i i

4.0 Results and Discussion .......................................... B-4 i a

L5 .0 ' S u ma ry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B 6.0'

References:

............e......................................... B'- 6 f

f e

I l.

[ -

i l'

00522:10/0 81191 Pert 2) 0"2 o

I

- m- -' -- , - . - , y - _

WESTINGHOUSE PROPRIETARY CLASS 3 i 1.0 PURPOSE The purpose of this appendix is to provide justification for extending the Surveillance Test Intervals (STI) and Allowed Outage Time (A0T) changes provided by the WCAP-10271 Program (Reference 1) to the Refueling Water Storage Tank (RWST) switchover function for Comanche Peak Steam Electric Station Units No. 1 and 2.

2.0 BACKGRO N WCAP-10271, Supplement 2 evaluated the impact of increasing the STIs and A0Ts for the Engineered Safety Features Actuation System (ESFAS) on signal unavailability and plant safety, in particular, changes associated with the analog channels, process instrumentation, logic cabinets, master relays, and slave relays were evaluated. The Nuclear Regulatory Commission (NRC) approved the WCAP-10271 justified increases to the analog channel ffis, and increases in A0Ts for the analog channels, logic cabinets, master re layf, and slave relays, for plants with Solid State Protection Systems (SSPS). TV increases were from monthly to quarterly for the analog channel STIs, and to 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months A0Ts for testing and 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months A0Ts for maintenance activities.

Since this was a generic program, only the ESFAS functions which were applicable to a majority of plants were included in the study. The RWST switchover was not included-since the design and implementation of this function is, for the most part, plant specific.

TheLprimary reasons for seeking relaxation for this function are; to provide the improved plant operability as stated in the previous WCAPs and to provide a consistent set of Technical Specification requirements for the ESFAS functions.

I 2!

.tive approach was used to assess the impact of increasing the STIs anu n,., associated with the RWST switchover function. These arguments are made with respect to function unavailability and the effect on plant safety com ioen,m.n n B-3 i

WESTINGHOUSE PROPRIETARY CLASS 3 as measured by core damage frequency. The objective is to demonstrate that th'e unavailability and risk results presented in the WCAP for STI and A0T increases-for the functions analyzed is indicative of, or conservative with respect to, the results of increasing the STis and A0Ts for the RWST switchover function.

The following areas were examined in this assessment:

Analog channel logic Analog channel process circuitry Logic cabinet circuitry Master and slave relay configurations Switchover. procedures Analog channel test configurations 4.0 ~RESULTS AND DISCUSSION 4

The following presents the arguments for changing the STIs.and A0Ts for the RWST switchover function.' Consideration is given to internal events impacting the function.

The RWST switchover. design configuration was reviewed. It consists of four level me,nitoring channels that provide signals via input relays to each logic train in the SSPS. Each channel consists of a level sensor, transmitter, L

! channel test-switch, loop power supply, comparator..and:comoarator test / trip switch. The channels energize to actuate and are tested in a tripped configuration. 1Each SSPS. train consists of a 2 of 4 circuit on the universal logic card and a safeguards driver card. The safeguards driver card provides L .the output signal from the SSPS to a ntst~er relay (KS14) which in turn j actuates one slave relay (K/41-A or -B). The slave relay then actuates the required-component (safetyinjectionrecirculationsumpisolationvalve8811A

^

or88118).

A review of the-WCAP-10271, Supplement 2 analysis indicates that the RWST level channel is identical in configuration to the steam generator level channel. One c,perational difference exists; the RWST level channel energizes com connu.nn B-4

I WESTINGHOUSE PROPRIETARY CLASS 3 l to actuate, but the steam generator level channel de-energizes to actuate.

.The WCAP-10271 study did not differentiate between these modes of operation. ~

WCAP-10271 modeled analog channel testing in bypass, as opposed to 'isting in trip, since bypass is a more conservative test configuration with respect to I signal unavailability. Testing in trip is consistent with RWST testing at Comanche Peak. WCAP-10271 analysis also indicates that for functions using 2 of 4 logic the analog channels are minor contributors to signal unavailability, l Auxiliary feedwater pump start on steam generator level low was specifically I analyzed in the WCAP study. The master relay to slave relay configuration for the auxiliary feedwater pump start signal as analyzed contains one more slave relay than the master / slave configuration for the RWST switchover signal (auxiliaryfeedwaterpumpstartusesonemasterrelaydrivingtw2 slave relays per train). Therefore the unavailability value and change -

determined for auxiliary feedwater pump start on steam generator level low are conservative with respect to the unavailability of the RWST switchover function.

Since the configuration analyzed in WCAP-10271 Supplement 2 is conservative with respect to the Comanche Peak configuration, the unavailability values and also the increases in unavailabilities due to the. proposed STI and A0T changes calculated for the auxiliary feeowater pump start on steam generator level signal can be conservatively applied to the RWST switchover signal.

.WCAP-10271 calculated a 12% increase in signal unavailability for auxiliary feedwater pump start of steam generator low. Increases in untvailability cvalues for signals'due to the proposed changes ranged from 12% to 35%. An increase in core damage frequency of approximately 3% was calculated for the bounding case presented.

-Switchover from the RWS1 requires a manual action to complete isolation of the RWST. This is in addition to the automatic action which opens the safety injection recirculation sump isolation valve. A review of the Emergency Operating Procedure for this switchover, E05-1.3A, indicates that steps are included to open these valves. This is a backup to the automatic action.

Since the success of switchover is dependent on various operator actions, L

l conno4n m e.n n B-5 I

, , . , . . - - , - . - . . ---._.---.--__..c--.- - _ _ . ._ _

UESTINGNOUSE PROPRIEVARY CLASS 3 success of the operator actions will control the success of ;his event.

Thertfore, the small increase % signal unavailability will have no impact on plau safety.

5.0 CUMMARY Based on the previous discussion, it is judged that the impact on plant safety of implementing WCAP-10271, Supplement 2 STI and A0T requirements on

]

RWST switchover is negligible. That is, significantly less than the increases resulting from the quantitative analysis. This is based on the following arguments:

The signal unavailability increase is smaller than that for auxiliary I feedwater pump start on steam generator level low.

The RWST switchover requires operator action for success, and the operator's procedure provides a backup for the automatic portion of the switchover.

6.0 REFERENCE 1 L WCAP-10271-P-A, Supplement 2 Revision 1, " Evaluation of Surveillance Frequencies and Out of Service Times for the Engineered Safety Features Actuation System" Westinghouse Electric Corporation. May 1989.

2. "Comancht Peak Steam Electric Station Final Safety Analysis Report",

Sections 6s3.2.8 and 7.6.5.

3. SNP-387 Technical Manual for the Solid State Protection System, Standardized Nuclear Unit Power Plant System, Westinghouse Electric Corporation, March 1980.

4 Drawing 8758039. Rev. 4 Sheet 38 Process Control Block Diagram, Refueling Water Storage Tank Level Protection Sets I, 11. III and IV.

mu m mim.o B-6

WESTINGHDUSE PROPRl[TARY CLASS 3

5. Drawing 8810031, Rev. 6. Steet 12. Interconnecting Wiring Diagram Cabinet 01 Comanche Peak Nuclear Power Station Refueling Water Storage Tank level Protection 1.

6. Drawing 8810032 Rev. 7 Sheet 12, Interconnecting Wiriiig Diagram Cabinet 02 Comanche Peak Nuclear Power Station, Refueling Water Storage Tank Level Protection !!.

7. Drawing 8B10033, Rev. 8. Sheet 12, Interconnecting Wiring Disgram Cabinet 03 Comanche Peak Nuclear Power Station, Refueling Water Storage Tank Level Protection Ill.

8. Drawing 8810034 Rev. 8. Sheet 12, Interconnecting Wiring Diagram Cabinet 04 Comanche Peak Huclear Power Station, Refueling Water Storage Tank Level Protection IV.

9. Drawing El-0062, Rev. CP-4, Sheet 22, Motor Operated Valve 1-8811A Sump To 1 Residual Heat Removal Pump, Schematic / External Connection Diagram, a

10. Drawing El-0062. Rev. CP-5, Sheet 23, hter Operated Valve 1-88118 Sump To 2 Residual Heat Removal Pump, Schematic / External Connection Diagram.

11. Drawing 1084H37 Rev. A. Sheet 20, Solid State Protection System Schematic Diagram, Refueling Water Storage Tank and Safety injection.

12. Drawing 1084H37, Rev. P. Sheet 28, Solid State Protection System Schematic Diagram, Output Relay Cabinet f 2.

mn mm,w.o B-7

>4 l ...

"$O- .. "' =- - -- - __ ,__ ,

Y 4

q t

s

.,r'.

0 a

e

.I 1

i 8

+

)

a i

8 I. ' ,

3 i i

d t

a s <

l J

?

] .I

.1 l

i 1

1 d ,

' 4 n

1 m

I i

's

-h j

s a

4 5

N f .-

6 a

+

i i

6 i

,,...,,,.v., w. , .._-_,._~-...#,...m,c..,,,,.....,=...,,,..,.,.,,_.mo.....,m~,,%..... . . . _ - , - . , ,. . _ . . . ... _ - _ ...-..,mmm..,...r

ML20070G924

Text

2.0 DESCRIPTION

5.0 CONCLUSION

6.0 REFERENCES

References:

Navigation menu

Search