ML20073K678
| ML20073K678 | |
| Person / Time | |
|---|---|
| Site: | San Onofre  |
| Issue date: | 06/30/1989 |
| From: | ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY |
| To: | |
| Shared Package | |
| ML13302B405 | List: |
| References | |
| CE-NPSD-550, NUDOCS 9105100265 | |
| Download: ML20073K678 (77) | |
Text
- - - - - - - - - - -
o CE NPsD-550 RISK EVALUATION l
of REMOVAL or SHUTDOWN COOLING SYSTEM AUTCCLCSURE INTERLCCK Prepared for the C-E OWNERS GROUP JUNE 1989 CCMBUSTION ENGINEERING, INC.
01051(E 265 910907 POR ADOC t 050003f.1 P
-- 1 d
TABLE OF CONTENTS
-Sectio}
-Title Page
- 1. O.
PURPOSE 1-1 2.0 3ACKGROUND 2-1 3.O METHODOLOGY 3-1 4.0 ANALYSIS 4-1 4.1 Interfacing System LOCA Frequency 4-2 4.2 Recent Precursor to Inter-facing System LOCA 4-9 4.3_
SDCS Unavailability 4-13 4.4 Nitigating Low Temperatuce Over-pressure Events-4-20 5.O RESULTS-5-1
.5.1 -Interfaring Ssytem LOCA Frequency 5-1 5.2 Interfacing Systen PCA Uncertainty and frn*'t..
ilty 5-8 a
5.3 SDCS Unavailabillty 5-9
6.0 CONCLUSION
S 6-1
7.0 REFERENCES
7-1 Appendix A Fault Tree Model for SDCS A-1
. i
=, -. _
. - -. ~. - -..... -
LIST OF TABLES Table Title Page 2-1 Frequency of DHR Losses 2-2 2-2 Categories of Total DER System Failures at U.S.
PWRs 1976-1983 when Required to Operate (Loss of Function) 2-3 4-1
. Component Failure Probabilities for SDCS Suction Valve 4-10 4-2 Human Error Probabilities 4-11 4-3 Component Failure Probabilities for SDCS Fault Tree 4-18 5-1 SDCS Hydraulic valve with ACI Fault Tree cut Sets 5-2 5-1 SDCS Hydraulic Valve w/o ACI Fault Tree Cut Sets 5-3 5-3 SDCS Hydraulic Valve with ACI and Alarm Fault Tree Cut Sets 5-4 5-4 SDCS MOV with ACI Fault Tree cut Sets 5-5 5-5
-SDCS MOV w/o ACI Pault Tree cut Sets.
5-6 5-6 SDCS MOV with ACI and Alarm Fault Tree Cut Sets 5-7 5-7 SDCS with ACI Fault Tree Cut Sets (Case 1: During Refueling) 5-16 5-8 SDCS w/o ACI Fault Tree cut Sets (Case 3: During Refueling) 5-21
-iii-f
= _. ~
E
(
/
LIST OF FIGURES Figure Title Page 3-1 Fault Tree Symbology 3-2 3-3 Shutdown Cooling System Suction Lines 3-3 4-1 Fault Tree Model for SDCS Suction Valve with ACI 4-4 4-2 Fault Tree Model for SDCS Suction Valve with ACI and Alarm 4-5 4-3 Fault Tree Model for SDCS Suction Valve with Alarm 4-7 4-4 SDCS Schematic 4-16 5-1 Impact of Varying All Operator Error Probabilities on Interfacing System LOCA Frequency 5-10 5-2 Impact of Varying-Probability of Opertor Fails to close Valve Af ter Previous Use on Interfacing System LOCA Frequency 5-11 5-3 Impact of Varying Probability of Operator Fails to Detect Valve in
. Wrong Position on Interfacing System LOCA Frequency 5-12 5-4 Impact of Varying Probability of Operator Fails to Respond to Alarm on Interfacing System LOCA Frequency 5-13 5-5 Impact of Varying Alarm Test Interval on Interfacing System LOCA Frequency 5-14 4
-iv-
4 i
RISK EVALUATION OF RIMOVAL OF SHUTDOWN COOLING SYSTEM AUTOCLOSURE INTERLOCK 1.0 PURPOSE The purpose of this report is to document the results of an analysis of the impact of removing the autoclosure interlock (ACI) from the shutdown cooling system (SDCS).
The analysis was performed to determine the change in interfacing system loss of coolant accident (LOCA) frequency, the change in SDCS unavailability, and the impact on mitigating low temperature over-pressure events due to removal of ACI.
The analysis is intended to provide input to the decision to remove the ACI from the SDCS.
The analysis addresses three configurations of the SDCS.
The first configuration considers SDCS suction valves with ACI only.
The second configuration considers SDCS suction valves with ACI and valve position alarm.
The first and second configurations are currently utilized at C-E supplied NSSS units considered in this analysis.
For those units which have valve position alarm currently installad, the alarm is considered to be not well focused because the pressure at which ~it' annuncirtes if the associated valve is not closed is also the setpoint pressure of the open permissive interlock (OPI).
Therefore, the operator may misdiagnose or ignore the warning of the alarm.
The third configuration considers SDCS suction valves with ACI removed and incorporation of a well focused valve position alarm in the control room.
This configuration is regarded as the proposed or modified configuration.
Interfacing system LOCA frequency and SDCS unavailability are determined for the configurations addressed.
1-1
2.0 BACKGROUND
The shutdown cooling system is designed to provide core decay heat removal and reactor coolant system (RCS) residual heat removal once the RCS is below SDCS cooling entry conditions.
The SDCS continues to operate throughout refueling operations.
All combustion Engineering NSSS units are designed with a SDCS which is a low pressure system relative to normal RCS pressure.
The majority of these units consists of SDCS with two suction lines.
In order to protect the SDCS from RCS pressure and to maintain the RCS pressure boundary, each suction line flow path is isolated by two valves in series.
Each valve has two RCS prassure interlocks associated with it.
One of the interlocks is to prevent the valve from being opened unless RCS pressure is below shutdown cooling entry conditions.
This is referred to as the open permissive interlock (OPI).
The second interlock closes the valve automatically if RCS pressure increases above the design pressure of the SDCS.
This interlock is referred to as the autoclosure interlock (ACI).
The purpose oc the ACI is to ensure that the low pressure piping of the SDCS is properly isolated from the RCS pressure during startup operations.
When RCS pressure rises above the setpoint pressure of the ACI, the SDCS suction valves inside the containment are signaled to close automatically if they have not been closed already.
Failure to close the SDCS suction valves may result in inadvertent over-pressurization of the SDCS by the RCS and cause an interfacing system LOCA during startup operations.
However, inadvertent actuation of ACI during shutdown cooling operations results in loss of decay heat removal from the RCS which may lead to core uncovery.
Inadvertent actuation of ACI can also result in over-pressurization of the RCS at low temperature conditions.
EPRI and the NRC have analyzed loss of decay heat removal events at pressurized water reactors (References 1 and 2).
Loss of decay heat removal events that occurred between 1976 and 1983 are analyzed.
Those events that occurred between 1976 and 1981 are presented in Reference 1.
Those that occurred in 1982 and 1983 are presented in Reference 2.
The summary of events along with key findings are also presented in Reference 2.
The reported results indicate that 130 loss of decay heat removal events were i
reported between 1976 and 1983.
These results are presented in Table 2-1.
The dominant contributor (28.5%) to loss of decay heat removal is inadvertent automatic closure of the SDCS suction isolation valves.
Other important contributors include loss of inventory and component failures.
The contributors to loss gf decay heat removal are identified in Table 2-2.
2-1 1
. ~....... ~...
---~n.....-.~,._..-
. _.. -... -. -. ~. - -
- ~..... _-
t
.e fable 2*1 '
Frequency of Due tosses (1976
- 1983) 1976 19T7 1978 1979 1960 1981 1962 1983 70tal Devin Gesse 4
1 9
2 16 Beaver valley
- 1 1
1 4
1 1
10 Calvert Cliffs 2 2
2 3
2 10 Salem
- 2 2
0 10 Crystal tiver 1
2 2
3 2
10 Calvert Cliffs
- 1 2
5 1
1 9
frojan 1
5 1
7 horth Ama.1 1
2 2
2 7
horth Ama
- 2 3
3 6
Sales
- 1 1
3 1
5 Farley 1 2
2 1
5 mcculte + 1 2
-1 3
millsotne 2 1
1 1
3 A4 2 2
2 Cime 2
2 meine Yantee 2
2 Polisecee.
1 1
2 aanche seco 1
1 2
St. Lucie
- 1 1
1 2
Se@oyen
- 1 1
1 2
Turkey Point
- 3 2
2 Turkey Point * &
2 2
Inolen Point 3 1
1 Fort Calhoun 1
1 San onofre-1 1
1 Oconee. I 1
1 Oconee 2 1
1 2 ion 1 1
1 surry. 1 1
1 Seweyen
- 2 '
1 1
Farley
- 2-1 1
McGuire 2 1
1 Suuser 1
1 1
130 Amout Frequency of DMR 1,osses
.04
.04
.5
.3
.6
.5
.35
.5-(# of events)
(# of Operating PJes)
This table is cooled form Reference 2.
- a 2-2
l Table 2-2 Categories of Total DHR System Failures at U.S.
PWRs 1976-1983 When Required to Opert a (Loss of Function)
No. of Events
(% of Events)
Automatic Closure of Suction /
37 (28.5)
Isolation Valves Loss of Inventory o Inadequate RCS Inventory 26 (20.0)
Resulting in Loss of DHR Pump Suction o Loss of RCS Inventory 10
( 7.7)
Through DHR System Neces-sitating Shutdown of DHR System Component Failures o Shutdown or Failure of DHR 21 (16.2)
Pump o Inability to Open Suction /
8
( 6.1)
Isolation Valve o Others 28 (21.5) l TOTAL 130 (100.0)
I
= This table is copied from Reference 2.
l t
i 5
2-3
.~.
$1
(
~
Sandia Laboratories also assessed the impact of loss of decay heat removal using the Calvert Cliffs SDCS configuration.
The results of their assesssment are presented in Reference 3.
In one of their conclusions they state that:
the best RHRS suction valve arrangement is to have a single suction line without primary system over-pressure interlocks en the valves."
With automatic closure of the SDCS suction isolation valves being such a large contributor to loss of decay heat, the NRC has indicated their. willingness to consider removal of the ACI provided certain conditions are addressed.
Pacific Gas and Electric Company has submitted-(Reference 4) justifications to and received approval from the NRC for removal of ACI for the residual heat removal suction valves for Diablo Canyon Units.
Members of Combustion Engineering owners Group (CEOG) have made commitments to the-NRC to pursue removal of.the ACI function from their units.
"RCS/RHR Suction Line Interlocks on PWR's" is listed as generic issue No.
99 in NUREG-0933.
To address this issue, NUREG/CR-5015 has'been published.
The following statement is made regarding the removal of the interlock. circuitry:
"With this design change, the frequency of spurious closure of an RHR suction valve-would be significantly reduced.
This design change reduces the frequency of loss-of-coolant events and reduces the calculated core damage frequency.
Due to the large number of already experienced suprious isolation events, this event 11s an.important contributor to the estimated frequency of loss-of-cooling events.
- The proposed design change results in a 60%
reduction in the initiator frequency of loss-of-cooling events.
The reduction in calculated core damage frequency based-upon implementation of this possible upgrade is 84."
The analysis presented in.this report addresses the impact of removing the ACI function from the SDCS-from C-E; supplied NSSS.
The' analysis examines the impact of ACI removal on:
o Interfacing system LOCA frequency o
SDCs unavailability Mitigating low temperature over-pressure o
events 2-4
4 The analysis also examines the impact of adding a valve position alarm circuitry to the SDCS suction isolation valves.
This alarm will annunciate in the control room when any of the SDCS suction isolation valves is not fully closed when RCS pressure exceeds a certain limit.
The Waterford Unit 3 plant configuration is used when plant specific information is required.
l 2-5
4 3.0 METHODOLOGY As stated in Section 1.0, the purpose of this analysis is to determine the impact of removing the autoclosure interlock (ACI) function from the shutdown cooling system (SDCS).
Inadvertent actuation of ACI is the dominant contributor to loss of SDCS which is used to remove decay heat from the RCS.
The removal of ACI can be assessed by observing the change in SDCS unavailability, the change in interf acing system LOCA frequency, and the impact on mitigating low temperature over-pressure events.
Fault tree analysis is e= ployed in determining the unavailability of the SDCS.
The technique used is consistent with the methods outline in References 5 and 6.
The technique involves the construction and evaluation of a fault tree model for the SDCS.
la constructing the fault tree model, failures that can result in the top event of the model are considered.
The top event is defined as failure of the SDCS to remove decay heat from the RCS.
Failures are combined by using logical AND and OR gates to relate them to the top event.
Refer to Figure 3-1 for a list of symbols used in fault tree models.
Equipment failures, human errors, common cause faults, and unavailability due to testing or maintenance are included in the model.
Once the fault tree model is constructed it is then evaluated to determine the minimal cut sets.
These are combinations of failures that result in the top event.
The evaluation also includes quantification of SDCS unavailability and determination of dominant contributors to unavailability.
Construction and evaluation of the fault tree model are accomplished by using the IRRAS PC computer code (Reference 7).
In WASH-1400 (Reference 8) interfacing system LOCA is referred to as Event V.
These events are defined as breaches of the RCS pressure boundary via an interfacing system which is designe( to operate at a lower pressure than the RCS.
Once the breach occurs RCS coolant is lost outside the containment.
For plants with C-E supplied NSSS, the low pressure safety injection lines and shutdown cooling suction lines are potential locations for interfacing system LOCA.
For this analysis, only the shutdown cooling suction lines are considered.
The shutdown cooling suction lines, as shown in Figure 3-2, each have a motor-operated valve and a hydraulic-operated valve in series inside the containment.
A motor-operated valve, also in series, is located outside the containment.
These valves are closed during power operations.
When closed, the valves inside the containment provide redundant isolation for the low pressure piping of the SDCS from RCS pressure, l
l 3-1
FIGURE 3-1 FAULT,TRt! $1930LDET Qutput went occurs if one ce GATI er een of the imt events occurs.
thatut event occurs If and Ade &ATI only if all input events occur.
r3
=
Lasic fault event reeviring W IC N me further develesment.
O An evt-
'th is deteribed by EITERMAL thPJT a fay
- s sedel develosed indepots be,..y a typicall support system fallurs. y 4 TRAftSFER IR
' g Used as methed of conveniently s
seguenting the tree fer eraf31ng purposes and to 4Mid fuglication of certions of the tree. Indicates contimaattee to other portions of the tree.
l' TRAftSFER mlT l
l 3-2 A
( ric_-nos ]
( PIC-10) )
_]
A R
/
a FROM S
c TO LPSI PUMP SI-652 5I-651 51-440 A
/
/
v l,
/
( ric-soe )
jg 9
El
/'-
9 FROM RCS t
10 LPSI PUMP HOT LEG 7,
SI-666 51-665 SI-441
/j INSIDE CONTAINMENT OUTSIDE CONTAINMENT m
flGURE 3-2 Shutdown Cooling System Suction Lines
s There is also a six-inch relief valve which discharges to the containment sump.
This relief valve.is located inside the containment between the containment wall and the hydraulic-operated valve.
Note that this relief valve has enough flow capacity to mitigate low temperature over-pressure events.
The
-pressure setpoint for the relief valve is significanity lower (approximately 450 pSIG) than the design pressure for the RCS piping.
Figure 3-2 reflects the SDCS suction lines configuration for Waterford Unit 3.
The SDCS piping from the RCS up to and including the hydraulic-operated valve is rated for full RCS pressure.
The piping downstream of the hydraulic-operated valve is designed to operate at pressures much lower than the RCS.
Failure of the motor-and hydraulic-operated valves will expose the low pressure piping to RCS pressure.
Given that the motor-and hydraulic-operated valves fail, a break is postulated to occur just outside the containment wall.
During power operation, an interfacing system LOCA via the shutdown cooling suction lines can occur if:
- 1. Both valves in series are left open,
- 2. Motor-operated valve is left open and hydraulic-operated valve in series ruptures,
- 3. Hydraulic-operated valve is left open and motor-operated valve in series ruptures, or
- 4. motor-operated and hydraulic-operated valves rupture.
During startup operations, failure of the motor-and hydraulic-operated' valves inside the containment to close will suspend startup operations.- Failure of these valves to close during startup operations will cause the six-inch relief valve to open and discharge reactor coolant into the containment sump.
Events resulting from failure of these valves to close are:
Increasing containment sump level indications o
o Decreasing volume control tank level indications These indications will inform the operator that the RCS pressure boundary is breached'during startup.
Startup operations will then be suspended until the breach is located and isolated.
Therefore, item 1 above is considered to be a non-credible way for interf acing system LOCA to occur.
Because either the motor-or hydraulic-operated valve inside the containment is initially closed during power operation, the frequency for interfacing system LOCA via the shutdown coolin,g 3-4
lines can be estimated from the following expression:
T(ISL) = 2(kQ
+ k Q, + k Q )
(3.1) 3 3
- where, F(ISL) = frequency of interfacing system LOCA via SDCS suction lines x
= catastrophic failure rate for motor-or hydraulic-operated valve Q
= probability that motor-operated valve 3
is not closed Q,
= probability that hydraulic-operated valve is not closed Q,
= probability that hydraulic-operated valve fails given that motor-operated valve has failed The first term on the right represents the contribution due to the motor-operated valve is left open and the hydraulic-operated valve ruptures.
The second term on the right represents the contribution due to the hydraulic-operated valve is left open and the motor-operated valve ruptures.
The third term represents the contribution due to both valves rupturing.
Generic data is used in this analysis to quantify the frequency for interfacing system LOCA and SDCS unavailability.
The primarily source of generic data is the Advanced Light Water Reactor (ALWR Other sources)which include, NUREG/CR-4550 (Reference 10),
Requirements Document data base (Reference 9).
WASH-1400 i
(Reference 8), IEEE-500 (Reference 11), and CEN-327 l
(Reference 13) are used when component data could not be obtained from Referance 9.
The approach described by Swain and Guttmann (Reference 12) is used to determine human error probabilities.
l 3-5
4.0 ANALYSIS The purpose of the SDCS autoclosure interlock (ACI) is to ensure that the low pressure piping of the SDCS is properly isolated from RCS pressure during startup operations.
Although ACI protects the low pressure piping of the shutdown cooling system, spurious actuation will terminate decay heat removal during shutdown cooling opera tions.
Several such events have occurred.
One way of reducing inadvertent termination of decay heat removal is removal of ACT function from the SDCS.
Most but not all of the C-E supplied NSSS units considered in this analysis have position alarm installed for the SDCS suction valves.
To account for the differences, three models for interfacing system LOCA were developed to reflect the current and proposed configurations of the SDCS suction valves.
The first configuration considers SDCS suction valves with ACI only.
The second configuration considers SDCS suction valves with ACI and alarm.
Although the operability of the installed alarm is not governed by the technical specification, plant specific information obtained_from Louisiana Power and Light indicates that the alarm is tested every refueling.
The first and second configurations currently exist at C-E supplied NSSS units considered in this analysis.
A third configuration is being proposed.
It considers SDCS suction valves with alarm only.
This alarm will annunciate in the control room when RCS pressure increases above a certain setpoint while the associated valve is not fully closed.
For those units which have valve position alar =s currently l
installed, the alarms may not be well focused.
The alarm annunciates when RCS pressure increases above the setpoint of the OPI while the valve is not fully closed.
For some of these units, i
the setpoint for OPI is significantly lower than the setpoint for ACI, while the OPI and ACI setpoints for the other units are l
approximately the same.
Because the existing alarm and OPI l
provide different functions, the operator may misdiagnose or ignore the warning of the current installed alarm.
To make the I
alarm well focused, the proposed configuration for these units will require setpoint er procedural changes.
This analysis determines what impact removal of ACI will have on the frequency of interfacing system LOCA, the unavailability of SDCS, and the mitigation of low temperature over-pressure events.
The analysis quantifies the net changes in frequency and I
unreliability realized.
The availability of the low temperature l
over-pressure relief valves is also assessed.
The analysis 4-1
involves calculating the frequency of interfacing system LOCA for the following three cases:
Case 1 - SDCS suction valves with ACI only, o
o Case 2 - SDCS suction valves with ACI and alarm, and o
Case 3 - SDCS suction valves with alarm only.
The analysis also calculates SDCS unavailability for cases 1 and 3.
The alarm has no impact on SDCS unvailability.
Therefore for SDCS unavailability, case 2 above is the same as case 1.
Case 3 considers a SDCS configuration which excludes ACI.
The quantification of the frequency of interfacing LOCA for the above configurations of the SDCS is discussed in Section 4.1.
A recent precursor to interfacing system LOCA and its applicability to C-E supplied NSSS units are discussed in Section 4.2.
A discussion on SDCS unavailability for the above configurations is contained in Section 4.3.
Mitigating low temperature over-pressure events is summarized in Section 4.4.
4.1 Interfacing System LOCA Frequency Interfacing system LOCA is a safety concern because it can provide a direct path to the environment for releasing radionuclides.
For C-E NSSS supplied plants, the low pressure injection lines and shutdown cooling suction lines are potential locations for interfacing system LOCA.
For this analysis, the frequency for interfacing system LOCA is calculated for SDCS suction lines only.
Interfacing system LOCA via the SDCS suction lines can occur due to failures of both suction isolation valves inside the containment.
The failure combinations include:
Catastrophic failures of motor-and hydraulic-o operated valves, o
Catastrophic failure of motor-operated valve and hydraulic-operated valve not closed, and o
Catastrophic failure of hydraulic-operated valve and motor-operated valve not closed.
Therefore, the frequency of interfacing systen LOCA via the SDCS suction lines can be estimated using the following expression:
F(ISL) = 2(AQ
+ 1Q
+ 1Q )
(4.1]
3 3
3 l
- where, F(ISL) = frequency of interfacing system l
LOCA via SDCS suction lines l
x
= catastrophic failure rate for motor-or hydraulic-operated valve 4-2 l
'Q
= probability that motor-operated valve is not close6 i
Q
= probability that hydraulic-operated valve is not closed Q
= probability that hydraulic-operated 3
valve fails given that motor-operated valve has failed From Appendix A of the EPRI ALWR requirements document (Reference 9), the mean-failure rate for catastrophic internal leakage for a motor-operated valve is 3.1E-8 per hour.
The variable Q3 is determined by assuming that the hydraulic-operated valve is leak tested every refueling (18 months) and fails randomly in time.
Therefore,
\\AT Q
=
(4.2) 3
- Where, A
catastrophic failure rate
=
T fault exposure time (18 months)
=
-substituting in equation (4.2] results in, h (3.1E-8) x 13140
-Q
=
3 2.04E-4
=
Fault tree: analysis 1,s used to estimate the values for_Q and.Q.
The fault tree logic structures for motor-and hydraulic 3 operated valves not closed are similar.
However, failure probabilities for
-these. valves differ. _The same-fault tree model is used, with appropriate data, to estimate the probability that a motor-or hydraulic-operated-valve-is not closed.
A. fault tree model was developed for each of the SDCS config-urations considered.
The fault tree models for cases 1 through 3 are presented in Figures 4-1, 4-2, and 4-3 respectively.
The models presented-in these Figures are applicable to motor-and
-hydraulic-operated valves.
In developing the fault tree models the.following assumptions were made:
1.
Startup operations will not proceed if it is observed that power required:to close the SDCS suction isolation valves is lost.
The SDCS motor-operated suction valves are fail-as-is valves.
Loss of power to the valves during power operation will not cause the valves to be repositioned.
Therefore, 4-3
.~=
,t
\\;
i
- ti' t
?
i !l M
E a..
- f. bw ra I 4 (I 4E 5
I 5
M
_.c l
I nac I
t.
d c
C m,e e
,s A
rh ot fi w l
X f's 1
ee 5
w
~,
0
- dv 1
l G_i R-ln 5
Ma s
1 a
4
>l
[.
W Q r:i 0
Ra n
I I
1 ne E
V Tl
~A,e w
A R e a
O U en sa L
G ro I
f i W
I t
t c l u uS a
~,..
n I S a
C Wi_
=f.
m D
I S
u c
s e
W S
=
a I
[<.
n a
m N
. L
t:
i i 1
h, t
.'it
- jl, f 1!~
r *,!; t/t
![
i!
~
sL l.&
I nm m
I l
i".=
l m_
w.,br._
- s. 1A E
I 1
n m"'
5".
,m
)
1 2
hm f
o I
1 W
t ee h
S I
(
CA rh ot fi w
1 X
2ee r.
0 d vni w.
m_b._
a.
J 3 4 ol r 0
Maa I
E Vl A R e A
O Uen L Grod l Ti i Wf r
t d i cu l
uS a
fS CDS
.L E
i5 I
od' u.
2, -
c 3
T 1-I I
"'t An g,
)
- d. W I a. I<.
I w
m 5".
"m A.
I I
8 1
I I
2
. A.
m 4.=
I'
)
t
~
1I 2
rh*
t!!
!:{
!i, e
' t
>lt t!1 l
{
1,
! ;i.
i
.:?t flik ; tiy1
?
scm s
t a
am m
sa I
am a
o m0t w
3 a
tso (t
$g h
a A
l f
ueg u
mAm stur i
)
a ot m
2 r
s I
uts e.
e r
f s
a vs e
o e a 2
tee hS C
(
I et m
C s
f
%g S
A s
I s
f i
rh x
G w
ot fi H
t X
w ac B2ee l
e e*
4 dviv.
tsA idui 4 ol r t
uf 0
Maa 1
e FtJvIs AE Vl Ww R e A
OUen L Grod.
I Ti n WF - t a t c l u
$g e
uS i
A s
a a
fS F
I s
C t
a Ag U
t w
s S
(
t rm1 el0
=eca mc I
tto
+
act o
mas s
es saa e
A amr 4
w t
sp a
seo m
a w A
i rg, A
n w
as e
I t
3 s
sn s.e a Cn a
A c
s r
u r
o n
t t
s u se p
vm a
4 o a
o r
r v
I stses os mAa e
F
.em 2
.+
A-4 4
is-+->
9-
,a.m,--.-#a*.--
N - + A re a Lea Jh Cmd.-
Mwaxte+=4%
u J.4aJ.--
mA m-JM a
%m.4mpm.4 m
..L A
m-J A
-A4-2-4 h.
4 id l
- 7
'*l
_ai nl 1
i;> v
$5 58 m; "E-if M
$k fb-C m
8 s" ^A l* V
- h og-o i ~VI.
E i
J;'l t
1;>
I_
.c 2i xR,4 a
sa N!h.
l~d I, h.
% e d] a p.
3 o s e-4 a--e a
w 3
3U l2f
+
2 da 0
g a
t
=
i 1
at my
$8 I
89
~
. i 4
- 0,il q i
4-7
1 loss of power to the SDCS suction isolation valves is not included in the fault tree model.
2.
SDCS suction isolation valves are leak tested every refueling.
The refueling cycle is considered to be 18 months.
3.
SDCS suction isolation valve positions are checked every shift during power operations.
Therefore, a mispositioned SDCS suction isolation valve can be detected and corrected within one shift.
One shift is regarded as twelve hours.
4.
During power operations, each of the SDCS suction isolation valves closest to the RCS is exposed to RCS pressure and temperature.
The other in series suction valve is exposed to significantly lower temperatures and pressures.
Therefore, common cause failure associated with the SDCS suction isolation valves in series is not included in the fault tree model.
Suction isolation valves in each train of the SDCS are exposed to different operating environments.
5.
Failure of both SDCS suction isolation valves inside the containment, in any of the two lines, to close during.
startup operations will prohibit startup.
Failure of the valves to close will result in the following events:
o Increasing containment sump level indications o
Decreasing volume control tank level indications These events will notify the oprator that the RCS pressure boundary is breached during startup operations.
Therefore, the operator will elect to suspend startup operations until the breach in the RCS pressure boundary is located and isolated.
6.
For units with valve position alarm currently installed, the alarm is not required to be. maintained or tested on a periodic basis by the technical specification.
For this analysis, it is assumed to be tested every refueling and is included in the model.
7.
The SDCS ACI function is removed and replaced with a valve position alarm for units which do not have alarms currently installed.
The alarm annunciates in the control room when RCS prassure increased above a certain setpoint while the associated SDCS suction isolation valves is not fully closed.
The alarm circuitry is tested every refueling.
4-8
4 Component data used in the fault tree quantification are presented in Table 4-1.
Human error probabilities also used in the fault tree quantification are presented in Table 4-2.
Human error probabilities are based on the nethodology presented in Refere.nce 12.
The IRRAS personal computer code (Reference 7) is used to perform the fault tree quantification.
The probabilities obtained frem the fault tree analysis are:
Case 1 Case 2 Case 3 Q
2.56E-05 Qg = 1.00E-06 Qg
=
1.10E-06 3
=
Qa = 6.14E-06 Q
= 2.40E-07 Q
= 3.38E-07 Using these values along with the value for Q and substituting into equation [4.1) yields the following frequencies for 3
interfacing system LOCA:
Case 1 Case 2 Case 2 F(ISL) 1.28E-7/ year 1.12E-7/ year 1.12E-7/ year The values presented above reflect a SDCS with two suction flow paths.
Note that these values will decrease by a factor of two if a SDCS with only one suction path is considered.
The change in interfacing system LOCA frequency will be the same for a SDCS with one or two suction flow paths.
4.2 Recent Precursors to Interfacing System LOCA Interfacing system LOCA has been an out-standing issue of concern with the NRC.
A recent event, which involves pressure isolation valves between the RCS and interfacing systems as reported in references 14 and 15, has renewed NRC concern on this issue.
Because of this event, the NRC plans to implement a pilot inspection program of six PWRs to assess their vulnerability to interfacing system LOCA.
The recent event involving pressure isolation valves occurred at Biblis-A, a West German PWR.
The event occurred December 16-17, 1987.
The event began when operators restarted Biblis-A following an unplanned four-day outage.
A pressure isolation valve between the RCS and the low pressure injection system was not reclosed as it should have been.
4-9
.. -. ~.
. - -.. -. ~.,. - ~. ~. ~. -.
i 7sete 4 1
)
I l
Cosennent 7eilure Prooact tities for secs Swetion vetve C M tese DeMript ion pr e llity f$1 PPA 10$.
PetsstAt SI5fA8LE PA 105 FAILS Low 2.560t 002 FSAPtC105 IllfABLE ttLAT/ConfACT PC 10$ FAILS 70 Clost 8.1004 006 7tXP9fiOS Pitssunt TRAM $Miffit Pf a10$ FAILS 70 QPitAf t 2.760t*002 LVDetteli 30C8 SUCTION VALVE SI 651 FAILS 70 CLost ou otmAmo 1.000t 003 Lv00s!651 SCCS SUCflou vatyt OPths spunicusty _
2.000t 004 71APtl651 SOCs suCflou VALvt $1 651 ALAam FAILS TO AmmuuCIAft 3.910t 002 Lvtaltl632 SOCS SUCTIou VAlvt $1 652 FAILS to Clost Du DEMAmo 4.900E 003
( :-
e l
4-10
l l
Table 4-2*
Human Error Probabilities 1.
LVDOSI651A - Operator fails to close hydraulic-operated valve after previcus use OMISSION-ERROR
- HEP = 0.01 Operator fails to close valve Table-20-7 (Item # 4)
OR COMMISSION ERROR: HEP = 0.0005 Operator turns handswitch in wrong direction Table 20-12 (Item # 5)
AND RECOVERY ERROR -: HEP = 0.05 Checker fails to detect error made by others Table 20-22 -(Item # 3).
Therefore,_the human erre-: probability for failing to close valve
.after previous use is:
P = - (0. 01) (0. 05) + (0.99)(0.0005)(0.05)
=-5.25E-4 2.
-;LVDOSI651B - Operator = fails to detect hydraulic-operated valve-in wrong position-OMISSION ERROR
- HEP =u0.01 Operator fails to detect valve status light in wrong position
. Table 20-26'(Item # 13)-
-AND RECOVERY ERROR
.: HEP = 0.5 Checker fails to detect error made by others Table 20-22 (Item #4) l
- - Table and item number cited for each error are those presented l
in Reference 12.
4-11 l
l
Table 4-2*
(Cont'd)
Human Error Probabilities Therefore, the human error probability for failing to detect valve status light in wrong position is:
P = (0. 01) (0. 5)
= 5.00E-3 3.
LVDOSI651C - Operator fails to respond to alarm OMISSION ERROR
- HEP = 0.0001 operator fails to respond to valve position alarm Table 20-23 (Item 4 1)
AND RECOVERY ERROR
- HEP = 0.5 Checker fails to detect error made by others Table 20-22 (Item # 4)
Therefore, the human error probability for failing to respond to valve alarm is:
P= (0.0001)(0.5)
= 5.00E-5 l
i l
I l
l l
- - Table and item number cited for each error are those pres'ented in Reference 12.
j 4-12 1
Operators who restarted the reactor on December 15 failed to observe a warning light indicating that the pressure isolation valve was not closed, operators on the following shift did not notice the warning light or did not diagnose the warning light correctly.
The problem was recognized by the third shift operators.
Once the problem was recognized, the operator tried to close the valve by manipulating the pressure on it by slightly opening a second valve.
According to the report, this is an acceptable means of closing the valve.
However, this approach did not close the valve.
The operator then decided to stop the startup-and shutdown the reactor.
In opening-the second valve, a path from the reactor coolant to outside of the containment was established.
In doing so, a small amount of steam from the reactor coolant system was released into the annulus for a short period of 2-5 seconds and from there to the atmosphere via the reactor stack.
6 The SDCS suction isolation valve for all C-E supplied NSSS units are designed with two types of interlocks.
During plant startup, the SDCS suction valves are closed by the operator.
If plant startup continues and_the SDCS suction valves (s) are not closed as they should, the autoclosure interlock-(ACI) will close the valve (s).
An open permissive interlock (OPI) is also associated with each SDCS suction valve.
This interlock prevents the SDCS suction valves from being opened while the reactor coolant pressure is above shutdown cooling entry conditions.
In the Biblis-A event, the operator tried to close a mispositioned pressure isolation value by opening a.second valve to manipulate the pressure.
For all-SDCS of C-E supplied NSSS units the pressure isolation valves-(SDCS suction valves) cannot be opened by the operator if RCS pressure is above shutdown cooling entry conditions.
The opI prevents such actions by the operator.
These interlocks are not the subject of this analysis and will not be removed from the SDCS suction valves.
The sequences of events involving operator actions that occurred at Biblis-A is precluded for C-E supplied NSSS units.
4.3 SDCS Unkvailability The' primary function of the shutdown cooling system (SDCS) is to remove decay heat from the RCS during shutdown cooling operations.
The SDCSs of C-E supplied NSSS plants are equipped with autoclosure interlocks (ACI).
The main purpose of the ACI is to ensure that the low pressure piping of the SDCS is properly
~
isolated'from the RCS pressure during startup operations.
1 4-13 f
operating experience has shown that several loss of decay heat removal events have occurred at pressurized water reactors.
The dominant contributor to loss of decay heat removal is inadve rtent closure of the SDCS ruction isolation valves during shutdown cooling operations.
Some of these valve closings are linked to spurious operation of ACI during shutdown cooling operations.
One way of reducing loss of decay heat events is to remove the ACI function from the SDCS Valves.
Removal of ACI function from the SDCS suction valves is analyzed in this section.
The analysis involves determining the unavailability of SDCS to remove deacy heat for the following two cases:
o Case 1 - SDCS suction valve with ACI only, and o
Case 3 - ACI removed and inclusion of valve position al. arm for the SDCS suction isolation valves.
As discussed in Section 4.0, Case 2 is similar to Case 1 for SDCS unavailability.
Fault tree analysis was used to determine the unavailability for the above cases.
For each of the above ct ss, a fault tree model for SDCS was developed and quantified.
In order to simplify the quantification several steps were taken to minimize the size of the fault tree model.
These steps include:
o Treatment of support systems Because the focal point of this analysis is to determine the impact of ACI removal on SDCS unavailability, subcort systems for the SDCS were treated as developed events.
These support systems include component cooling water and electrical distribution systems, o
Treatment of pipe failures SDCS piping t'ailures are not included in the f ault tree model.
The contribution of piping failure to system unavailability is insignificant when compared with the contributions from other components.
Potential flow diversion paths o
Potential flow diversion paths of the SDCS that are isolated from the main flow path by two or more normally closed valves are not considered as faults of the SDCS.
Potential flow diversion paths with piping significantly smaller (10% or less) than the piping for the main flow path is also not included in the fault tree model.
4-14
o control circuits control circuits for major components (e.g.
motor cperated valves and pumps) are treated as part of the component.
Therefore, they are not modeled as separate events in the fault tres model for SDCS.
i Figure 4-4 is a schematic of the SDCS.
It was usud to construct the fault tree model for SDCS which is included in Appendix A.
In constructing the model tht following assumptions were made 1.
Successful operation of the SDCS involves the removal of RCS decay heat via one of the two shutdown cooling heat exchangers.
9 2.
Because the purpose of this analysis is to determine the change in SDCS unavailability due to ACI removal, support syetems for SDCS are assumed to be available.
3.
_ Failure of the SDCS warmup valve to open will not result in SDCS becoming unavailable.
The SDCS is designed to with stand a limited number of thermal shock while entering shutdown cooling operations.
The SDCS warmup valves are not included in the fault tree model.
4.
-The contribution of spurious recirculation actuation signal (RAS) to SDCS unavailability is considered to be insignificant when compared with other component failures.
Therefore, spurious actuation of RAS in not included in the fault tres model for SDCS.
5.
If the low pressure safety injection (LPSI) pumps become unavailable, the containment spray. pumps cannot be used as backup.
6.
Operating procedures do not allow components in both trains of the SDCS to be in maintenance at the same time.
As a result, the SDCs 5 eat exchanger and the pump in train A are modeled as compensits which may be unavailable due to maintenance.
-7.
The LPSI pump sucti on isolation valves are normally open and are used to isolate the pump fee maintenance.
The pump is tested after maintenance before it is returned to service.
This implies that the suction isolation valve-must be re-open.
Thersfore, mispositioned LPSI suction isolation valves are considered unlikely and are not included in the fault tres model.
4-15
i ri 10 MINI-ILOW 51-400 VALVIS
+
j gRon ggsp 5!-M7 5I-658 FROM C5P A J6 1
r JL 4
L
\\
fROM S
10 (5 HI AliR LOOP _
Ha A m
tv1 ri t
A 2
' ri ri ri W
SI-446 51-452 j
SI-652 51-651 51-440 51-442 IPSI PUMP i
51-457) %
A
) %
'Q - 10 RC5 58451 e
10 *t!NI-ilty I
r' 2A VA1VE5 51-307 58-615 5I-659 51-660 A
IROM RW5P f20M C5P B
'Ye 10 HC5 m
JL ri 28 h
51 -6A $
IROM
==
10 C5 ut A14 u g, g p_
LOOP -
-a N.A ri B
I ri ri ri W
SI-434 51-453 i
i 51-666 51-M5 51-441 51-419 LPSI PLMF 3,,4g t
10 NC5 e
m I
ri lA i
51-306 58-615 8
- M ID RCS II 51-625 4
M vi Figure 4-4 SI-450
$DC5 Schematic 1
I
_ _ = _ _ _ _ _.. _
Component data used to quantify SDCS unavailabilities for the cases considered are presented in Table 4-3.
The IRRAS personal computer code is used to perform the gauntifications.
In addition to component hardware failures and unavailability due to maintenance, operator error that results in closure of SDCS suction isolation valves is explicitly modeled.
It is estimated based on the following expression:
P(SDCS
- OPER) = P(SDCS/0PER)
P(OPER)
(4-3)
P
- where, P(SDCS
- OPER) probability of operator error
=
and loss of SDCS P(SDCS/OPER) probability of losing SDCS
=
given that an operator error has occurred P(oPER) probability of operator error
=
while performing test or maintenance Based on a revicw of the actual events reported in References 1 and 2, 28 events involving opertor errors that resulted in automatic closure of all SDCS suction valves are identified, one hundred and thirty events resulting in loss of SDCS vere reported.
Therefore, the conditional probability of losing SDCS given that an operator error occurs ist P(SDCS/OPER) 28 + 130
=
0.22
=
The probability of an operator erring while performing maintenance or test is obtained using the method described in Reference 12.
OMISSION ERROR r HEP = 0.001 operator errs in using written procedures Table 20-7 (Item # 1)
Because of insufficient time, no recovery action is assumed.
Substituting in equation (4-3) yellds a mean value of 2.15E-4.
An error factor of 3.0 is assumed.
4-17
,,-...ce
-n
--.e--
l i
fehle 6 3 Cameent Psitwee Prot.ecilites f or $0CS f ewL t tree C34 tem Cescription proc,ettlity itzwpA103 Pillsutt Itsfatti PA.103 FAILS elCat 2.16CE.002 fix>PA1C3 1 PitttLit IllfA8(t PA 1031 # AIL $ stGu 2.56Ct.002 str>PA104 fetitLit Illfatti PA.104 84tL5 alGW 2.$608 002
)
tsa>PA104 1 Petssytt gisfAstt PA.104 1 #4lts at:N 2.l M.002 rianPA10$
Patstest 8!stasti PA.10$ fell $ ulCW
!.$ m.002 88saPA105 1 Pillsytt Illfasti PA.1C$.1 PAlts alcu 2.$60t 002 fis>PA106 Pettsuit sistastt PA.106 FAIL 3 alCW 2.$408 002 ptxkPA104 1 P8835088 IllfA8Lt PA 1 %.1 # AILS NICN 2.$ W.002 ftr>Pf103 Pittstet itAmsmif f te Pt.103 #Alts alcu 4.000t.003 firkPf104 Pittsuit TRAt$niffit Pf.104 FAILS alga 6.0004 003 firNPf105 PRf tsuit f aAksmiffit Pt.10$ FAILS misu 4.000t 003 PlzhPf1M Pettsuas ftAm$ miff t4 Pf 1M FAILS NICs 4.000t 003 fir 0Act OPitaf04 tit Dutis0 MAltithANCI 04 ftSt 2.110t 0%
f$tCPCiO3 1 atLAf/ CONTACT PC*t031 CL0sts SPuel0VsLT 1.2638 0 %
FIROPC104 1 atLAf/ Conf ACT PC.104*1 Cletts $PValezast?
- 1. 2Mt.004 FirCPC101 1 atLAf/ Conf ACT PC.1051 CLOSit SPValGJLsf 1.2638 004 isr:PC106 1 atLAf/C04fACf PC.106 1 CLC$ts LPutltx>$LT
- 1. 263t.004 FinePC103 ftLAf/ CONTACT PC.103 FAIL $ TO CLCSE 8.1005 004 7tatPC104 AtLAf/ConfACf PC 104 FAILS 70 CLost 8.100t*006 F5ttPCiC1 RELAT/ contact PC 101 FAILS TO Ct0st 8.100t.006 PlatPC104 t!LAf/ CONTACT PC.104 FAILS TO CLO$8 0.1004 004 F5r*0Pl Comes04 CAunt FAILUtt OP OPlu PttMillivt INfttLCCE 8.790s 00$
CHRCNIA OtFICfivt $NVf00w C00Llh0 utAf txCNANGER A 3.0004 003 WRCkst DEFICflVE Sduf00WW C00LikG htAf trCNANGER I 3.000E.003 GNtVNRA
$0C$ NE A UWAVAlLA$(I Dut f0 MAINfthAmCt 1.010t 003 OutX30CS Copee0W CAutt FAILVet CP $Mut00W C00LlW4 NEA) EXCMAmCits 1.$47t 004 CVMC11671 Olvtt$10N OF FLOW TO CC$ DUt 10 MitPotifloht0 YLV 51671
$.000t.005 GWC 51672 Olvttil0W OF FLOW 70 CCS 008 f0 N15Pollflott0 VLY $1672
$.0004 005 GVWOMEA 50C3 MX 4 IN(II/0UT(tf VALVI NOT OPtW 2.$ 0Ct
- 04 CVWUNIB 50C8 atAT EXCMANGit 8 CCW ikLtf/0VfLif VALVI NOT OPtw 2.$00t*004 NYCAll217 IWJtCT!0W CM(CK VALVf $121? FAILS 70 OPEN 1.3004 004 nVCAll227 INJECf!0W CHECK VALyt $1227 FAILS 70 QPEN 1.3094 004 WVCA51237 luJECflow C>ttr VALW 81237 FAILS TO Opts 1.3004 004 MVCAll247 INJECfl0N CNECE VALVE St.267 PAILS 70 Optu 1.300E.004 NVMell619 Mlut. FLOW VALW $1639 FAILS 10 CL0st 4.900t.003 NWell660 MINI. FLOW VALVI 11 6e0 FAILS TO Clost 4.900E 003 HWesteer Mlal. FLOW VALVt 31647 f AILS 70 Clott 4.9006 003 NVW$$l6et M!bl.FLCad VALVI $!.664 FAILS TO Clost 4,9004 003 i
WVM108tNI C0 bee CAust FAILURE Of N!WI.7 LOW VALVis 1.$40s.005 LBC8LPSl>A LPl! PUMP A 94tAtte FAILS 70 CLost 3.400E.004 1,8LILPllPS LPll PUMP B BatAgge FAIL TO CLOSE 3.4006 004 LPMJLPl!PA LPSI Pt>P A FAILS to sfAtt 1.2508 003 LP8JLPilPI t,711 PtMP B FAILS 70 sfAtt 1.2$0t.003 LPMLPl!PA LPSI PtMP A fall 3 70 CPttatt 8.0864 002 LPMLPflPS LPSI PtMP 0 FAILS 70 CPitAft 8.0668 002 LPWVLPlf*A LPl! PtMP A UNAVAILA8Lt 008 f0 MAINfthakCE 2.0108 003 l
4-18
~.. - -
e itete 4*3 (Cont'#)
Cappeneet f ellwet PPoteellitte for $DCS Fewit tree C:re tone Costription PPoteettity LPurtPt P C0pugCN CAvst FAILLit CF LPfl PUwPt 3.6&Ot 004 LvCAllii4 1 % ttfl0s CatCK v4 Lyt 31 114 FAILS TO Mtw 1.3CCta004 LVCAlli!4 l#JtCfl04 ChtCE VADE $1 124 FAIL 8 TO yte 1.300t*004 LvCAIl134 lu.tCf!ON CSICK VADE ll*134 8 AILS 70 CPts 1.300t*004 LYCAlli44 INJtCIICN CNtCK VADI $1*144 FAIL 1 TO orts 1.300t*004 LvCAll433 LPil PW A CMtCE VALVI 11433 f alls f 0 CPf u 1.300t*004 LYtAll&34 LPll Pt>P I C>tCK VALVI $1 434 FAILS TO crtu t.300t.004 LVDA31631 2C3 $UCitCN vatvt $1*6$1 FAILS 70 QPts 1.0008 M3 LV0AllMS
$0C8 SUCflCN VALyt 11 645 falls TO OPlu 1.000t
- M3 LvDr$0c3
- 0 pes 0N CAust 8Altgtt 07 50C8 SUCfl0N vtyt 181*6$1 & M))
4.300t*005 kWAll440 50C8 $UCfl0N vatyt s1440 FAILS TO Drtu 3.4004 003 LWA81441
$0Cl SUCfl0N VALyt $1441 # AILS TO OPf u 3.000t+M3 LWAllel!
$0CS C#os50W A VALyt $1*412 f AILS TO OPlu 3.6006 003 LVWAll453 SCCS CRC $50Vit VALVI $1 453 FAILS 70 OPtu 3.800t 003 LvuAtl456
$0C3 CtCil0Vtt VALVI $1454 FAILS to OPtu 3.4005 M3 LWASI417
$0C8 Chostovtt VALvt $1457 FAl'.S 70 CPtu 3.0006 003 LWAS161$
LOW Pet 18U68 IWJECfl0N alAtti VALVE $1 615 FAIL 8 to OPlu 3.800t*003 tWAll625 LOW Pet:300t IN;tCTION utActe vAtyt 31623 PAILS TO Optu 3.8006 003 LWAtt&l3 Low Petssytt lugtCfl0N MtActt VALVI $1635 FAlts to opeu 3.800t 003 LWAll645 LOW Palltutt INJECfl0N NEACle VALVE ll*64$ FAILS TO QPfp 3.800E.003 kWAll632 SCCS SUCfl0N VALVE $1*652 FAILS 70 QPts 3.000t 003 LWAllMe SOCS SUCfl0N VALyt 116e6 FAILS f0 Orts 3.800t 003 LWC31306
$0CS NX t ifPAls VALyt $1304 FAILS TO OkttAtt 4.900E*003 kWC11307
$0CS Nu a tyPAss VALys 31 307 FAILS to OPetAtt 4.900t+003 tWC$lel6 SCCs TN#0ffte VALys 31 654 FAILS 70 OPttAi?
4.9006 003 LWCS!657
$0C8 ThtoffLt VALVI 81657 FAILS TO OPitAf t 4.900E 003 L WOSOCS OPitAf 00 FAILS 10 IWiflAf f $NUfDOWN COOLING 1.7006 004 L WOfkt07
. OPttATOR FAILS 70 TN#0ffLt $0C8 IfPAll VALVI 1.000E 004 LWA8VPts Casse0N C1054 FAILVal CF 30C8 BfPAtt VALVet 4.3004 005 LWXMOR C0pou0N CAult FAILutt 0F LOW Patsgutt INJECfl0N uCR VLys 1.540E 00$
LYMittu C3et0N CAutt FAILutt 0F $0C8 C90990Vit VALVES 8.300t*001 l
LWISOCS1 C3080s CAust FAILUtt OF SOCS SUCfl0N YLYS (31'441 & 440) 8.300ta001 LW130CS2 C3ee0N CAutt FAILUtt 07 SOCS SUCfl0N VtYS ($!*652 4 6 M )
4.300E*005 kWafMtot C3es0W CAust FAILUst 07 SOC 8 fMA0ffLE WALVtl 4.300ta005 LYb011424 LPfl Pulgt 8 MANUAL VALys $1424 DOT OPIN 1.2508 004 Lvholl444 LP11 Pulep & MANUAL VALyt $1+444 mof OPlu 1.1508 004 4-19
4 The SDCS unavailabilities obtained from the fault tree analysis are 5.05E-02 and 3.08E-02 for case 1 and case 3 respectively.
These values include failure of the SDCS to actuate and failure to operate during refueling given that it has actuated.
4.4 Mitigating Lew Temperature over-pressure Events During low RCS temperatur. (e.g.
shutdown cooling) cperations the reactor vessel material is more brittle than during normal operations.
Because of the brittleness of the vessel material at low temperatures, over-pressurization of the RCS during low temperature operations is of concern.
For the design considered in this analysis, relief valves are installed in the SDCS sucticn lines for plants which use this approach to mitigate low temperature over-pressure events.
The six-inch relief valves shown in Figure 3-2 have enough flow capacity to mitigate low temperature over-pressure events that may occur during shutdown cooling operations.
These valves are located downstream of the inside containment SDCS suction valves.
Because of their locations, inadvertent closure of the SDCS suction valves by ACI will isolate the relief valves and eliminate protection of the RCS piping if a low temperature over-pressure event occurs.
As shown in Section 4.2, removal of ACI from the SDCS suction valves decreases the unavailability of the SDCS.
The number of inadvertent closures of SDCS suction valves also decreases.
By removing the ACI from the SDCS suction valves the availability of the relief valves increases.
4 4-20
5.0 RESULTS In order to determine the impact of removing the autoclosure interlocks (ACI) from the SDCS suction valves for C-E supplied NSSS units, three configurations of the SDCS vere analy:ed.
The first configuration considers SDCS suction valves with ACI function only.
The second configuration considers SDCS suction valves with ACI and valve position alarm.
The third configuration considers SDCS suction valves with alarm only.
The first and second configurations are currently utilized at C-E supplied NSSS units.
The third configuration is regarded as a modified or preposed configuration.
The analysis examined the not change in interfacing system LOCA frequency and and the net change in SDCS unavailability due to ACI ry.aoval.
5.1 Interf acing System LOCA Frequency The analysis results for interfacing system LOCA frequency are presented below SDCS Configuration Inter LOCA Frequency Case 1:
SDCS suction valves 1.28E-7/ year with ACI only case 2:
SDOS suction valves 1.12E-7/ year with ACI and alarm Case 3:
SDCS suction valves 1.12E-7/ year with alarm only The dominant c,ut sets for SDCS isolation valve unavailability used to determine interfacing system LOCA frequency for the above cases are presented in Tables 5-1 through 5-6 respectively.
For units without an alarm currently installed, the results presented above show that the frequency of interfacing system LOCA via the SDCS suction paths decreases by approximately 13% if ACI is removed and replaced with a valve position alarm.
For units which do have valve position alarm installed, there is a slight increase of 0.09% in the frequency of interf acing system LOCA.
The values presented above reflect a SDCS with two suction flow i
paths.
Note that these values will decrease by a factor of two if a SDCS with only one suction flow path is considered.
The change in interfacing system LOCA frequency will be the same for a SDCS with one or two suction flow paths.
5-1
Table 5-1 SDCS Hydraulic Valve with ACI Fault Tree cut Sets Fault Tree:
WLoA01BX Mincut Upper Bound 6.140E-006 Cut
% Cut No.
Total Set Treq.
Cut Sets
- 1 81.4 81.4 5.0E-006 LVDBSI651, LVDOSI651B 2
97.7 16.3 1.0E-006 LVDOSI6518, LVDQSI651 3
98.9 1.2 7.2E-008 FSXPPT105, LVDOSI651A, LVDOSI651B 4 100.0 1.1 6.7E-008 FSXPPA105, LVDOSI651A, LVDOSI651B 5 100.0
.0 2.1E-011 FSXPPC105, LVDOSI651A, LVDOSI651B i
Refer to Tables 4-1 and 4-2 for cut set component descriptions 5-2 1
l
_ _ =
Table 5-2 SDCS Hydraulic Valve w/o ACI Fault Tree Cut Sets i
Fault Tree:
WLoA02BX Mincut Upper Bound 3.377E-007 Cut i Cut No.
Total Set Freq.
Cut Sets
- 1 57.9 57.9 2.0E-007 FIAPSI651, LVDBSI651, LVDOSI651B 2
8S.3 30.4 1.0E-007 FIAPSI651, LVDOSI651A, LVDOSI651B 3
99.9 11.6 3.9E-008 FIAPSI651, LVDOSI651B, LVDQSI651 4
99.9
.1 2.5E-010 LVDBSI651, LVDOSI6518, LVDOSI651C 5 100.0
.0 1.3E-010 LVDOSI651A, LVDOSI651B, LVDOSI651C 6 100.0
.0 5.0E-011 LVDOSI6518, LVDOSI651C, LVDQSI651 Refer to Tables 4-1 and 4-2 for cut set component descriptions 5-3
l Table 5-3 SDCS HYDRAULIC VLV WITH ACI & ALARM FAULT TRIE C"T SETS Fault Tree WLOA03BX Mincut Upper Bound 2.404E-007 Cut
% Cut No.
Total Set Freq.
Cut Sets
- 1 81.3 81.3 2.0E-007 FIAPSI651, LVDBSI651, LVDOSI651B 2
97.6 16.3 3.9E-008 FIAPSI651, LVDOSI651B, LVDQSI651 3
98.8 1.2 2.8E-009 FIAPSI651, FSXPPT105, LVDOSI651A, LVDOSI6513 4
99.9 1.1 2.6E-009 FIAPSI651, FSXPPA105, LVDOSI651A, LVDOSI651B 5 100.0'
.1 2.5E-010 LVDBSI651, LVDOSI651B, LVDOSI651C 6 100.0
.0 5.0E-011 LVDOSI6518, LVDOSI651C, LVDQSI651 7 100.0
.0 3.6E-012 FSXPPT105, LVDOSI651A, LVDOSI651B, LVDOSI651C B 100.0 40 3.4E-012 FSXPPA105, LVDOSI651A, LVDOSI651B, LVDOSI651C 9 100.0
.0 8.3E-013 FIAPSI651, FSXPPC105, LVDOSI651A, LVDOSI651B 10 100.0
.0 1.1E-015 FSXPPC105, LVDOSI651A, LVDOSI6518, LVDOSI651C Refer to Tables 4-1 and 4-2 for cut set component descriptions 5-4 l
(
Table 5-4 SDCS MOV witt ACI Fault Tree cut sets Fault Treet WLOA01BX Mincut Upper Bound 2.564E-005 Cut
% Cut No.
Total Set Freq.
Cut Sets 1
95.6
- 95. 6 2. 5E-005 LVDOSI652B, LVMBSI652 2
99.5
- 3. 9 1. 0E-006 LVDOSI652B, LVDQSI652 3
99.7
.3 7.2E-008 FSXPPT103, LVDOSI652A, LVDOSI652B 4 100.0
.3 6.7E-008 FSXPPA103, LVDOSI652A, LVDOSI6528 5 100.0
.0 2.1E-011 FSXPPC103, LVDOSI652A, LVDOSI6528 Refer to Tables 4-1 and 4-2 for cut set component descriptions 5-5
Table 5-5 SDCS MOV v/o ACI FAULT TREE CUT SETS Fault Tree:
WLOA02BX Mincut Upper Bound 1.101E-006 Cut t
% Cut No.
Total Set Freq.
Cut Sets 1
87.0 87.0 1.0E-006 FIAPSI652, LVDOSI6528, LVMBSI652 2
96.3 9.3 1.0E-007 FIAPSI652, LVDOSI652A. LVDOSI652B 3
99.9 3.6 3.9E-008 FIAPSI652, LVDOSI652B, LVDQSI652 4 100.0
.1 1.2E-009 LVDOSI6528, LVDOSI652C, LVMBSI652 5 100.0
.0 1.3E-010 LVDOSI652A, LVDOSI652B, LVDOSI652C 6 100.0
.0 5.0E-011 LVDOSI652B, LVDOSI652C, LVDQSI652 Refer to Tables 4-1 and 4-2 for cut set component descriptions 5-6
I l
Table 5-6 SCCS MOV WITH ACI f. AIJGM FAULT TREE CUT SETS Fault Treat WLOA03BX Mincut Upper Bound 1.004E-006 Cut
% Cut tio.
Total Set Freq.
Cut Sets
- 1 95.4 95.4 1.OE-006 FIAPSI651, LVDOSI651B, LVMBSI652 2
99.3 3.9 3.9E-008 FIAPSI651, LVDOSI651B, LVDQSI651 3
99.6
.3 2.8E-009 FIAPSI651, FSXPPT105, LVDOSI651A, LVDOSI651B 4
99.9
.3 2.6E-009 FIAPSI651, FSXPPA105, LVDOSI651A, LV00SI651B 5 100.0
.1 1.2E-009 LVDOSI651B, LVDOSI651C, LVMBSI652 6 100.0
.0 5.0E-011 LVDOSI6518, LVDOSI651C, LVDQSI651 7 100.0
.0 3.6E-012 FSXPPT105, LVDOSI651A, LVDOSI651B, LVDOSI651C 8 100.0
.0 3.4E-012 FSXPPA105, LVDOSI651A, LVDOSI6518, LVDOSI651C 9 100.0
.0 8.3E-013 FIAPSI651, FSXPPC105, LVDOSI651A, LVDOSI651B 10 100.0
.0 1.1E-015 FSXPPC105, LVDOSI651A, LVDOSI651B, LVDOSI651C l
l Refer to Tables 4-1 and 4-2 for cut set component descriptions 5-7
5.2 Interfacing System LOCA Trequency Uncertainty and Sensitivity Because of the importance of interfacing system LOCA, uncertianty and sensitivity analyses were performed to determine the impact of assumptions regarding operator error on the LOCA frequency.
The uncertainty analysis involves propagating the uncertainty of each fault included in the models to determine the upper and lower bounds for the frequency of interfacing system IcCA.
Monte Carlo sampling of failure rates is performed to determine the uncer-tainty.
The failure rates are assumed to be log-normally distrib-uted.
The results of the uncertainty analysis are presented below for each of the three cases discussed in Section 4.0.
Case 1 Case 2 Case 3 point estimate 1.28E-07 1.12E-07 1.12E-07 mean 1.04E-07 1.07E-07 9.50E-08 standard deviation 3.91E-07 4.74E-07 5.18E-07 lower bound (5%)
4.95E-10 1.81E-10 1.58E-10 median 1.21E-08 7.50E-09 6.23E-09 upper bound (95%)
4.20E-07 4.07E-07 3.35E-07 Three types of operator errors are included in the fault tree models for interfacing system LOCA.
To determine the potential impact of our assumptions about the likelihood of these operator errors, a sensitivity analysis was performed.
This analysis involves systematically varying base case values for the following types of operator errors:
Base Case Code Description Probability LVDOSI651A Orarator fails to close Ave after previous use 5.25E-04 v
LVDOSI651B
.or fails to detect vu, in wrong position 5.00E-03 LVDOSI651C 0'
.ator
- ails to respond tu alar 5.00E-05 Base case operator error probabilities were vsried by fixed factors of 0.1, 0.2, 0.5, 2.0, 5.0, and 10.0.
Upon varying the operator error probabilities, one at a time, the frequency of interfacing system LOCA was requantified and the impact observed.
Additionally, the impact was also determined for the very conservative case of all three types of operator errors being varied together.
According to Swain and Guttmann (Reference 12),
variability of operator performance (or error) is restricted 5-8
during normal operating conditions due to the extensive training the operator receives.
For those units which have an alarm currently installed, it is assumed that the alarm is tested at each refueling.
A sensitivity analysis was also performed to determine the potential impact of this assumption on the frequency of interfacing system LOCA.
Test intervals of 30 days, 6 months, 1 year, 1\\ years, 2 years, 5 years, 10 years, and 20 years were used for the sensitivity analysis.
The results of the sensitivity evaluation are presented in Figures 5-1 through 5-5~.
Figure 5-1 shows the potential impact on the frequency when all three types of operator errors are varied together.
(This is considered to be a very conservative case.)
This figure shows that the change in frequency is slightly sensitive to variations of operator error probabilities for units with ACI only.
For units with ACI and valve position alarm currently installed, and for units with alarm only, the change in frequency is insensitive to the variations of operator error probabilities.
Figures 5-2, 5-3, and 5-4 show the impact on the frequency when one type of operator error is varied while the others remain fixed. The potential impact due to operator fails to close valve after previous use, o
o opc stor fails to detect valve in wrong position, or o
ope : tor fails to respond to alarm
- . shown in figure 5-2, 5-3, and 5-4 respectively.
Figure 5-3 shows that the change in frequency is slightly sensitive to "oper-ator fails to detect valve in wrong position" for units with ACI only.
The other figures show the change in frequencies as being insensitive to variations of one type of operator error only.
For units with ACI and valve position alarm currently installed, the frequency of interfacing system LOCA is relatively insensitive to how often the alarm is tested.
Small increase in the frequency is observed when the test interval is 5 years or more.
This is shown in Figure 5-5.
5.3 SDCS Unavailability The fault tree model presented in Appendix A is used to evaluate the unavailability of SDCS with ACI included.
Those portions of the model that explicitly included ACI components are deleted and the model is then re-evaluated to determine the unavailability of 4
5-9
1o.0 Jo I If. L I
i I
s.o
?.0 60 i
so L
A.0... 7 A
.. -. g.
3.. LLL.
-pw-
<a N
O HM f.
.g..u
- g.. n.
5
,m o, z.o 1> L s e -
a w
r e
4.'
3 v, m
E I&
I
. Q f.
n.
-o e.
g M M P &
4
^3 Emz wm
" S +0
, e.
m=
,f ee m CD 3g y
6 _ -..
r.
~'" 's 2.
'4
'3 o
- 2 L.
l 1-f I
t i
I I
I I
I i
e,$
64 we
S od' INTERFACING SYSTEM LOCA FREQUENCY (PER YEAR)
FIGURE 5 1 Impact of Varying All Operator Error Probabilities on Interfacing System LOCA Frequency 5-10 L
3
~
a s o.o
.y so I
so I
7o I
6o w
d s.o L
4.o
_. _ g._,
1.
s s
s
.yg 30 C
N
.r '
7 d
TT
>o a
w n
4 m
\\
.n s.:
--e r
v
.n o 24 he v
.4 n
s._.
a m.
51 3"
g~g..*
f-e V
,g 1. _=_.---.
=
g 4
r.
f.o 3
n
.u:
4 M.....
> m.s r-m E S,
.7
-m
.6 y.5
-I A,
3
,a _
4
- 1 I
I I
o.om-r w siF INTERFACING SYSTEM LOCA FREQUENCY (PERYEAR) t FIGURE 5-2 Impact of Varying Probability of Operator Fails to Close Valve After Previous Use on Interfacing Syste,m LOCA Frecuency l
5-11
1 i
1o 0 9*1
_ _ _ /.. '
s,o
/
,.e --
L __.-
6.o
- k. W l _' ?
\\7 s.o i
'gj
_. i, 4.e _D
/s.
E,n H ;L T _ _.R_ G....
y 9
Jo
,U N,'H -
et t
4 g 10 3 e.- y...
m g
5 Y
_E 3
C 5m x
w" 1
n m g 1*c 4
g r
r
.g c:
m 7
t S, en 3B 6
-r
...=
5 -
)..._
. w.. < -..
4 _
i 4 -
2--
I l
o.t l
I I
I I
I I
INTERFACING SYSTEM LOCA FREQUENCY (PER YEAR)
FIGURE 5-3 Impact of Varying Probability of Operator Fails to Detect Valve in Wrong Position on Interfacing System LOCA Frequency 5-12
10 0 S'*
3 14 7.o 64 50
'~
44 30 p
g 10 C* Fi B
%wT
_2 3wv.
x m
g m
gg m g i'%
s g g,,
- q. p c.
.:..s.
em
,7 g gf-
- J :. -
.: y_
QJ i
.h
-J 7.-
- ,g
__~ '
m.s -
-: r x.
e
. s.i=.i Ejar.:.- E E4
_ =. -....-.,7 2.
4 _
~ ~ ~ - - -
?.=.E Q _
. *.. '~. '..
v b
,g s
E4 4
y e,q l
~
t t
- !NTERFACING SYSTEM LOCA FREQUENCY I'4 * *
(PERYEAR)
FIGURE 5-4 Impact of Varying Probability of Operator Fails to Respond to Alarm on Interfacing System LOCA Frequency 5-13
i l
404 we no Ns l
- e.e S.0
- -o 7.
, p s.e J.C f.e
> k.
hI
,+a 7
y y.
-3o
..t1 3
m 7 ao r-1
~
=4 I
m>
10 y.
t.e
+
l-
.s
.t 6
5
. _4 3
1 2
r I
g.j i
t t
F 1* 0 s se* #
.F 9w sit L
INTERFACING SYSTEM LOCA FRE0VENCY (PER YEAR)
FIGURE 5-5 Impact of Varying Alarm Test Interval on Interfacing System LOCA Frequency 5 14
.. _ _. _ -.. _ ~. _. _.._ - _ _.,. _ _ __ _ _
SDCS with ACI removed.
These two configurations of the SDCS are similar to the configurations of cases 1 and 3 considered for interfacing system LcCA.
For each configuration, SDCS unavailability is evaluated for failure to provide shutdown cooling during refueling operations.
The refueling period is considered to be six weeks duration.
The evaluation includes failure to actuate and failure to operate given that the system has actuated.
The results are presented below SDCS Configuration SDCS Unavailability case 1 SDCS suction valves 5.05E-02 with ACI only case 3:
SDCS suction valves 3.08E-02 with ACI removed SDCS unavailability changes from 5.05E-02 to 3.07E-02.
This change represents 39% decrease in unavailability during refueling operations.
The dominant contributors to SDCS unavailabilities are presented in Tables 5-7 and 5-8.
SDCS unavailabilities presented above reflect a SDCS with two suction flow paths.
If a SDCS with one suction flow path is considered the unavailability for each configuration is expected to be greater than the above value.
However, the percentage decrease in unavailability is expected to be the same as above.
5-15
Table 5-7 SDCS W/ACI FAULT TREE CUT SETS (Case 1: During Refueling)
Fault Treet WLOB01BX Mincut Upper Bound 5 051E-002 Cut t
% Cut No.
Total Set Freq.
Cut Sets 1
13.0 13.0 6.6E-003 LPMKLPSIPA, LPMKLPSIPB 2
17.1 4.1 2.1E-003 FSXHPA105, LPKKLPSIPB 3
21.2 4.1 2.1E-003 FSXHPA104-1, LPMKLPSIPA 4
25.3 4.1 2.1E-003 FSXHPA103-1, LPMKLPSIPS 5
29.4 4.1 2.1E 003 FSXHPA105-1, LPMKLPSIPB 6
33.5 4.1 2.1E-003 FSXMPA106-1, LPMKLPSIPA 7
37.6 4.1 2.1E-003 FSXHPA104, LPMKLPSIPA 8
41.7 4 1 2.1E-003 FSXHPA103, LPMKLPSIFB 9
45.8 4.1 2.1E-003 FSXHPA106, LPKKLPSIPA 10 47.1 1.3 6.6E-004 FSXHPA105-1, FSXHPA106 11 48.4 1.3 6.6E-004 FSXHPA103, FSXHPA104-1 12 49.7 1.3 6.6E-004 FSXHPA105-1, FSXHPA106-1 13 51.0 1.3 6.6E-004 FSXHPA103, FSXHPA106 14 52.3 1.3 6.6E-004 FSXHPA103-1, FSXHPA106-1 15 53.6 1.3 6.6E-004 FSXHPA103-1, FSXHPA104-1 16 54.9 1.3 6.6E-004 FSXHPA103, FSXHPA106-1 17 56.2 1.3 6.6E-004 FSXHPA103-1, FSXHPA106 18 57.5 1.3 6.6E-004 FSXHPA103, FSXHPA104 19 58.8 1.3 6.6E-004 FSXHPA104-1, FSXHPA105 20 60.1 1.3 6. 6E-004 FSXHPA105, FSXHPA106 21 61.4 1.3 6.6E-004 FSXHPA104-1, FSXHPA105-1 22 62.7 1.3 6.6E-004 FSXHPA105, FSXHPA106-1 23 64.0 1.3 6.6E-004 FSXHPA104, FSXHPA105 24 65.3 1.3 6.6E-004 FSXHPA103-1, FSXHPA104 25 66.6
- 1. 3 6. 6E-004 FSXHPA104, FSXHPA105-1 26 67.3
.8 4.0E-004 LPMKLPSIPA, LVMCSI306 27 68.1
.8 4.0E-004 LPMKLPSIPB, LVMCSI307 28 68.9
.8 4.0E-004 LPMKLPSIPA, LVMCSI656 29 69.7
.8 4.0E-004 LPMKLPSIPB, LVMCSI657 30 70.5
.8 3.9E-004 LPMXLPSIP 31 71.2
.7 3.4E-004 FSXHPT106, LPMKLPSIPA 32 71.8
.7 3.4E-004 FSXHPT104, LPKKLPSIPA 33 72.5
.7 3.4E-004 FSXHPT103, LPMKLPSIFB 34 73.2
.7 3.4E-004 FSXHPT105, LPMKLPSIFB 35 73.8
.6 3.1E-004 LPMKLPSIPB, LVMASI457 36 74.4
.6 3.1E-004 LPMKLPSIPB, LVMASI452 37 75.0
.6 3.1E-004 LPMKLPSIPA, LVMASI441 38 75.6
.6 3.1E-004 LPMKLPSIPA, LVMASI456 39 76.2
.6 3.1E-004 LPKKLPSIPA, LVMASI453 40
- 6.9
. 6 3.1E-004 LPMKLPSIPB, LVMASI440 i
41 77.5
.6 3.1E-004 LPMKLPSIPB, LVMASI652 42 78.1
.6 3.1E-004 LPKKLPSIPA, LVMASI666 43 78.5
.4 2.2E-004 GHRCHXB, LPKKLPSIPA 5-16
Table 5-7 (Cent'd)
SDCS W/ACI FAULT TREE CUT SETS (Case 1: During Refueling)
Fault Treat WLOB01BX Mincut Upper Bound 5.051E-002 Cut
% Cut No.
Total Set Freq.
Cut Sets 44 78.9
.4 2.2E-004 GHRCHXA, LPMKLPSIFB 45 79.4
.4 2.1E-004 FSXOACI 46 79.7
.3 1.6E-004 LPMKLPSIFB, LPMVLPSIPA 47 80.0
.3 1.6E-004 GHRXSDCS 48 80.2
.2 1.3E-004 FSXHPA103, LVMCSI306 49 80.5
.2 1.3E-004 FSXHPA106, LVMCSI637 50 80.7
.2 1.3E-004 FSXMPA105-1, LVMCSI306 51 81.0
.2 1.3E-004 FSXHPA105, LVMCSI306 52 81.2
.2 1.3E-004 FSXHPA103, LVMCSI656 53 81.5
.2 1.3E-004 FSXMPA106-1, LVMCSI657 54 81.7
.2 1.3E-004 FSXMPA104, LVMCSI657 55 82.0
.2 1.3E-004 FSXHPA104-1, LVMCSI307 56 82.2
.2 1.3E-004 FSXHPA104-1, LVMCSI657 57 82.5
.2 1.3E-004 FSXHPA104, LVMCSI307 58 82.7
.2 1.3E-004 FSXHPA106, LVMCSI307 59 83.0
.2 1.3E-004 FSXHPA105-1, LVMCSI656 60 83.2
.2 1.3E-004 FSXHPA106-1, LVMCSI307 61 83.5
.2 1.3E-004 FSXHPA103-1, LVMCSI656 62 83.7
.2 1.3E-004 FSXMPA103-1, LVMCSI306 63 84.0
.2 1.3E-004 FSXHPA105, LVHCSI656 64 84.2
.2 1.1E-004 FSXHPA103-1, FSXHPT104 65 84.4
.2 1.1E-004 FSXHPA103-1, FSXHPT106 66 84.6
.2 1.1E-004 FSXHPA106-1, FSXHPT103 67 84.8
.2 1.1E-004 FSXHPA103, FSXHPT106 68 85.0
.2 1.1E-004 FSXHPA106, FSXHPT105 69 85.3
.2 1.1E-004 FSXHPA104, FSXHPT105 70 85.5
.2 1.1E-004 FSXHPA106-1, FSXHPT105 71 85.7
.2 1.1E-004 FSXHPA105-1, FSXHPT104 72 85.9
.2 1.1E-004 FSXHPA105, FSXHPT104 73 86.1
.2 1.1E-004 FSXHPA105, FSXHPT106 74 86.3
.2 1.1E-004 FSXHPA105-1, FSXHPT106 75 86.6
.2 1.1E-004 FSXHPA106, FSXHPT103 76 86.8
.2 1.1E-004 FSXHPA104-1, FSXHPT105 77 97.0
.2 1.1E-004 FSXHPA104-1, FSXHPT103 78 87.2
.2 1.1E-004 FSXHPA104, FSXHPT103 79 87.4
.2 1.1E-004 FSXHPA103, FSXHPT104 80 87.6
.2 1.0E-004 LPMJLPSIPA, LPMKLPSIPB 81 87.8
.2
- 1. 0E-004 LPMJLPSIPB, LPMKLPSIPA 82 88.0
.2 1.0E-004 FSXMPA103-1, LVMASI441 83 88.2
.2 1.0E-004 FSXHPA105, LVMASI456 84 88.4
.2 1.0E-004 FSXMPA103, LVMASI456 85 88.6
.2 1.0E-004 FSXHPA106-1,'LVMASI440 86 88.8
.2 1.0E-004 FSXHPA105, LVMASI453 5-17
-__._.._______...__m.__
Table 5-7 (Cont'd)
SDCS W/ACI FAULT TREE CUT SETS (Case 1 During Refueling)
Fault Treet WLOB01BX Mincut Upper Bound 5.051E-002 i
Cut
% Cut No.
Total Set Freq.
Cut sets 87 89.0
.2 1.0E-004 FSXHPA103, LVMASI453 88 89.2
.2_1.0E-004 FSXHPA103-1, LVMAS%453 89 89.4
.2 1.0E-004 FSXHPA103-1, LVMASI456 90 89.6
.2 1.0E-004 FSXHPA105-1, LVMASI453 31 89.7
.2 1.0E-004 FSXHPA105-1, LVMASI456 92 89.9
.2 1.0E-004 FSXMPA103, LVMASI441 93 90.1
.2.1.0E-004 FSXHPA106, LVMASI440 94 90.3
.2 1.0E-004 FSXHPA105-1, LVMASI441 95 90.5
.2 1.0E-004 FSXHPA105, LVMASI441 96 90.7
.2 1.0E-004 FSXHPA106-1, LVMASI452 97 90.9
.2 1.0E-004 FSXMPA104, LVMASI457 98 91.1
.2 1.0E-004 FSXHPA106, LVMASI452 99 91.3
.2 1.0E-004 FSXHPA104-1, LVMASI452 100 91.5
.2 1.0E-004 FSXHPA103, LVMASI666 101 91.7
.2 1.0E-004 FSXHPA104, LVMASI452 102 91.9
.2 1.0E-004 FSXMPA104, LVMASI652 103 92.1
.2 1.0E-004 FSXHPA104-1, LVMASI457 104 92.2
.2 1.0E-004 FSXHPA106-1, LVMASI457 105 92.4
.2 1.0E-004 FSXHPA106-1, LVMASI652 106 92.6
.2 1.0E-004 FSXHPA106, LVMASI457 107 92.8
.2 1.0E-004 FSXHPA104-1, LVMASI652 108 93.0
.2 1.0E-004 FSXHPA105-1, LVMASI666 109 93.2
.2 1.0E-004 FSXHPA105, LVMASI666 110- 93.4
.2 1.0E-004 FSXHPA103-1, LVMASI666 111 93.6
.k 1.0E-004 FSXMPA106, LVMASI652 112 93.8
.2 1.0E-004 FSXHPA104-1, LVMASI440 113
_94.0
.2 1.0E-004 FSXHPA104, LVMASI440 114 94.2
.2 8.8E-005 FSXXOPI 115 94.3
.2 8.3E-005 LVMXRTN 116 94.5
.2 8.3E-005 LVMXSDCS2 117 94.7
.2 8.3E-005 LVMXSDCS1 118 94.8
.2 8.3E-005 LVMXBYPSS 119 95.0
.2 8.3E-005 LVMXTHROT' 120 95.1
.2 8.3E-005 LVDXSDCS3 121 95.3
.2 8.2E-005 GHRVHXA, LPMKLPSIFB
+
122 95.5
.2 8.1E-005 LPMKLPSIPB, LVDASI651 123 95.6
.2 8.1E-005 LPMKLPSIPA, LVDASI665 124 95.8
.1 6.9E-005 FSXHPA105, GHRCHXB 125 95.9
.1 6.9E-005 FSXHPA105-1, GHRCHXB 126-96.0
.1 6.9E-005 FSXHPA104-1, GHRCHXA 127 96.2
.1 6.9E-005 FSXHPA104, GNRCHXA 128 96.3
.1 6.9E-005 FSXHPA106, GHRCMXA 129 96.4
.1 6.9E-005 FSXHPA103-1, GHRCHXB 5-18
o i
Table 5-7 (Cont'd)
SDCS W/ACI FAULT TREE CUT SETS (Case 1: During Refueling)
Fault Treet WLOB01BX Mincut Upper Bound 5.051E-002 Cut
% Cut No.
Total Set Freq.
Cut Sets 130 96.6
.1 6.9E-005 FSXHPA106-1, GHRCHXA 131 96.7 1 6.9E-005 FSXHPA103, GHRCHXB 132 96.8 1 5.1E-005 FSXHPA106, LPNVLPSIPA 133 96.9 1 5.1E-005 FSXHPA104-1, LPMVLPSIPA 134 97.0
.1 5.1E-005 FSXHPA106-1, LPMVLPSIPA 135 97.1
.1 5.1E-005 FSXHPA104, LPNVLPSIPA 136 97.2
.1 3.2E-005 FSXHPA105-1, LPMJLPSIPB 137 97.3
.1 3.2E-005 FSXHPA104-1, LPK7LPSIPA 138 97.3
.1 3.2E-005 FSXHPA103, LPMJLPSIPB 139 97.4
.1 3.2E-005 FSXHPA105, LPMJLPSIPB 140 97.4
.1 3.2E-005 FSXHPA106-1, LPMJLPSIPA 141 97.5
.1 3.2E-005 FSXMPA106, LPK1LPSIPA 142 97.6
.1 3.2E-005 FSXHPA103-1, LPMJLPSIFB 143 97.6
.1 3.2E-005 FSXHPA104, LPMJLPSIPA 144 97.7
.1 2.8E-005 LBCBLPSIPA, LPMKLPSIFB 145 97.7
.1 2.8E-005 LBCBLPSIFB, LPMKLPSIPA 146 97.8
.1 2.6E-005 FSXHPA106, GHRVHXA 147 97.8
.1 2.6E-005 FSXHPA104-1, GERVHXA 148 97.9
.1 2.6E-005 FSXHPA104, GHRVHXA 149 97.9
.1 2.6E-005 FSXHPA106-1, GERVHXA 150 98.0
.1 2.6E-005 FSXHPA106, LVDASI651 151 98.1
.1 2.6E-005 FSXHPA104, LVDASI651 152 98.1
.1 2.6E-005 FSXHPA103, LVDASI665 153 98.2
.1 2.6E-O'5 FSXHPA104-1, LVDASI651 0
154 98.2
.1 2.6E-005 FSXHPA105-1, LVDASI665 155 98.3
.1 2.6E-005 FSXHPA105, LVDASI665 156 98.3
.1 2.6E-005 FSXHPA106-1, LVDASI651 157 98.4
- 1 2.4E-005 FSXHPA103-1, LVDASI665 158 98.4 0 2.4E-005 LVMCSI306, LVMCSI307 159 98.4
.0 2.4E-005 LVMCSI307, LVMCSI656 160 98.5
.0 2.4E-005 LVMCSI306, LVMCSI657 161 98.5
.0 2.4E-005 LVMCSI656, LVMCSI657 162 98.6
.0 2.1E-005 FSXHPT103, LVMCSI656 163 98.6
.0 2.1E-005 FSXHPT104, LVMCSI657 164 98.7
.0 2.1E-005 FSXHPT105, LVMCSI306 165 98.7
.0 2.1E-005 FSXHPT106, LVMCSI657 166 98.8
.0 2.1E-005 FSXHPT104, LVMCSI307 j
167 98.8
.0 2.1E-005 FSXHPT103, LVMCSI306 1
168 98.6
.0 2.1E-005 FSXHPT105, LVMCSI656 l
169 98.9
.0 2.1E-005 FSXHPT106, LVMCSI307 170 98.9
.0 2.0E-005 GVNOHXA, LPMXLPSIPB 171 99.0
.0 2.0E-005 GVNOHXB, LPKKLPSIPA i
112 99.0
.0 1.9E-005 LVMASI441, LVHCSI657 i
5-19
,m y
.y.%3 cy v
y
-,,-+%y y
e.---*
--- ~-
- " - - =
Table 5-7 (Cont'd)
SDCS W/ACI FAULT TREE CUT SETS (Case 1: During Refueling)
Fault Treet WLOB01BX Mincut Upper Bound 5.051E-002 Cut t
% Cut tio.
Total Set freq.
Cut Sets 173 99.0
.0 1.9E-005 LVMASI453, LVMCSI657 174 99.1
.0 1.9E-005 LVMASI457, LVMCSI656 175 99.1
.0 1.9E-005 LVMASI652, LVMCSI656 176 99.1
.0 1.9E-005 LVMASI452, LVMCSI650 177 99.2
.0 1.9E-005 LVMASI452, LVMCSI306 178 99.2
.0 1.9E-005 LVMASI666, LVMCSI307 179 99.2
.0 1.9E-005 LVMASI441, LVMCSI307 180 99.3
.0 1.9E-005 LVMASI666, LVMCSI657 181 99.3
.0 1.9E-005 LVMASI440, LVMCSI656 182 99.4
.0 1.9E-005 LVMASI456, LVMCSI657 183 99.4
.0 1.9E-005 LVMASI440, LVMCSI306 184 99.4
.0 1.9E-005 LVMASI457, LVMCSI306 185 99.5
.0 1.9E-005 LVMASI652, LVMCSI306 186 99.5
.0 1.9E-005 LVMASI453, LVMCSI307 187 99.5
.0 1.9E-005 LVMASI456, LVMCSI307 188 99.6
.0 1. 8E-005 FSXHPT104, FSXHPT105 189 99.6
.0 1.8E-005 FSXHPT103, FSXMPT104 190 99.7
.0 1.8E-005 FSXHPT105, FSXHPT106 191 99.7
.0 1.8E-005 FSXHPr103, FSXHPT106 192 99.7
.0 1.6E-005 FSXHPT104, LVMASI440 193 99.8
.0 1.6E-005 FSXHPT105, LVMASI456 194 99.8
.0 1.6E-005 FSXHPT106, LVMASI440 195 99.8
.0 1.6E-005 FSXHPT104, LVMASI457 196 99.8
.0 1.6E-005 FSXHPT105, LVMASI453 197 99.9
.0 1.6E-005 FSXHPT103, LVMASI441 198 99.9
. 0 1. 6E-005 FSXHPT104, LVMASI452 199 99.9
.0 1.6E-005 FSXHPT103, LVMASI666 200 100.0
.0 1.6E-005 FSXHPT100, LVMASI453 5-20
Table 5-8 SDCS W/O ACI FAULT TREE CUT SETS (Case 3: During Refueling)
Fault Tree WLoB01BX Mincut Upper Bound 3.067E-002 Cut
% Cut No.
Total Set Freq.
Cut Sets 1
21,4 21.4 6.6E-003 LPMKLPSIPA, LPMKLPSIPB 2
28.1 6.8 2.1E-003 FSXHPA105, LPKKLPSIPS 3
34.9 6.C 2.1E-003 FSXHPA106, LPMKLPSIPA 4
41.6 6.8 2.1E-003 FSXHPA103, LPKKLPSIPB 5
48.4 6.8 2.1E-003 FSXHPA104, LPKKLPSIPA 6
50.5 2.1 6.6E-004 FSXHPA103, FSXHPA104 7
52.7 2.1 6.6E-009 FSXMPA103, FSXHPA106 8
54.8 2.1 6.6E-004 FSXHPA105, FSXHPA106 9
56.9 2.1 6.6E-004 FSXHPA104, FSXHPA105 10 58.2 1.3 4.0E-004 LPMKLPSIPA, LVMCSI306 11 59.5 1.3 4.0E-004 LPKKLPSIPA, LVMCSI656 12 60.8 1.3 4.0E-004 LPMKLPSIPS, LVMCSI657 13 62.1 1.3 4.0E-004 LPKKLPSIPO, LVMCSI307 14 63.4
- 1. 3 3.9E-004 LPKXLPSIP 15 64.5 1.1 3.4E-004 FSXHPT105, LPMKLPSIPB 16 65.6 1.1 3.4E-004 FSXHPT103, LPMKLPSIFB 17 66.8 1.1 3.4E-004 FSXMPT106, LPMKLPSIPA 18 67.9 1.1 3.4E-004 FSXHPT104, LPMKLPSIPA 19-68.9
- 1. 0. 3.1E-004 LPKKLPSIPB, LVMASI652 20 69.9 1.0 3.1E-004 LPMKLPSIPA, LVMASI666 21 70.9
- 1. 0 3.1E-004 LPMKI.PSIPA, LW.ASI4 41 22 71.9 1.0 3.1E-004 LPMKLPSIPS, LVMASI440 23 72.9 1.0 3.1E-004 LPMKLPSIPS, LVMASI452 24 73.9 1.0 3.1E-004 LPMKLPSIPB, LVMASI457 25 74.9 1.0 3.1E-004 LPMKLPSIPA, LVMASI456 26 75.9 1.0 3.1E-004 LPMKLPSIPA, LVMASI453 37
?^.(
7 2.2E-004 GKRCHXA, LPKKLPSIPS 28 77.3
.i 2.2E-004 GKRCHXB, LPMKLPSIPA 29 77.9
.5 1.6h*004 LPMKLPSIP5, LPMVLPSIPA 30 78.4
.5 1.6E-004 GKRXSDCS 31 78.8
.4 1.3E-004 FSXHPA105, LVMCSI656 32 79.2
.4 1.3E-004 FSXH7A106, LVMCSI657 33 79.6
.4 1.3E-004 FSXHPA30?. LVMCSI306 34 80.0
.4 1.3E-004 FSXHPA11S LVMCSI656 35 80.4
.4 1.3E-004 FSXMPA103, LVMCSI307 36 80.8
.4 1.3E-004 FSXHPA106, LVMCSI307.
37 81.2
.4 1.3E-004 FSXHPA103, LVMCSI306 38 81.6
.4 1.3E-004 FSXMPA104, LVMCSI657 39 82.0
.4 1.1E-004 FSXHPA106, FSXHPT103 40 82.4
.4 1.1E-004 FSXHPA103, FSXHPT106 41 82.7
.4 1.1E-004 FSXHPA105, FSXHPT106 42 83.1
.4 1.1E-004 FSXHPA105, FSXHPT104 43 83.4
.4 1.1E-004 FSXHPA104, FSXHPT105 5
- 21..
\\
l Table 5-8 (Cont'd)
SDCS W/0 ACI FAULT TREE CUT SETS (Case 3 During Refueling)
Fault Treat WLOB01BX Mincut Upper Bound 3.067E-002 Cut
% Cut No.
Total Set Freq.
Cut Sets
+
44 83.8
.4 1.1E-004 FSXHPA106, FSXHPT105 45 84.1
.4 1.1E-004 FSXHPA103, FSXMPT104 46 84.5
.4 1.1E-004 FSXHPA104, FSXHPT103 47 84.8
. 3 1. 0E-004 LPMJLPSIPB, LPMKLPSIPA 48 85.1
.3 1.0E-004 LPMJLPSIPA, LPMXLPSIPB 49 85.5-
.3 1.0E-004 FSXHPA104, LVMASI452 50 85.8
.3 1.0E-004 FSXHPA104, LVMASI457 51 86.1.
.3 1.0E-004 FSXMPA106, LVMASI457 52 86.4
.3 1.0E-004 FSXHPA103, LVMASI453 53 86.7
.3 1.0E-004 FSXMPA105, LVMASI441 54 87.0
.3 1.0E-004 FSXHPA103, LVMASI456 55 87.4
.3 1.0E-004 FSXMPA103, LVMASI666 56 87.7
.3 1.0E-004 FSXHPA105, LVMASI666 57 88.0
.3 1.0E-004 FSXMPA104, LVMASI652 58 88.3
.3 1.0E-004 FSXHPA103, LVMASI441 59 88.6
.3 1.0E-004 FSXHPA104, LVMASI440 60 89.0
.3 1.0E-004 FSXHPA106, LVMASI452 61 89.3
.3 1.0E-004 FSXHPA106, LVMASI440 62 89.6
.3 1.0E-004 FSXHPA105, LVMASI453 63 89.9
. 3 1. 0E-004 FSXHPA106, LVMASI652 64 90.2
.3 1.0E-004 FSXHPA105, LVMASI456 65 90.5
.3 8.8E-005 FSXXOPI 66 90.8
.3 8.3E-005 LVMXSDCS1 67 31.0
.3 8.3E-005 LVMXRTN 68 91.3
.3 8.3E-005 LVMXSDCS2 69 91.6
.3 8.3E-005 LVDXSDCS3 70 91.9
.3 8.3E-005 LVMXTHROT 71 92.1
.3 8.3E-005 LVMXBYPSS 72 92.4
.3 8.2E-005 GHRVHXA, LPMKLPSIPB 73 92.7
.3 8.1E-005 LPMKLPSIPA, LVDASI665 74 92.9
.3 8.1E-005 LPMKLPSIPB, LVDASI651 75 93.2
.2 6.9E-005 FSXHPA106, GHRCHXA 76 93.4
.2 6.9E-005 FSXHPA103, GNRCHXB 77 93.6
.2 6.9E-005 FSXHPA104, GNRCMXA 78 93.8
.2 6.9E-005 FSXHPA105, GNRCHXB' 79 94.0
.2 5.1E-005 TSXHPA106, LPNVLPSIPA 80 94.2
.2 5.1E-005 FSXHPA104, LPNVLPSIPA 81 94.3
.1 3.2E-005 FSXHPA105, LPMJLPSIPB 82 94.4
.1 3. 2E-005 FSXHPA106, LPK7LPSIPA t
83 94.5
.1 3.2E-005-FSXHPA104, LPM 7LPSIPA l
84 94.6
.1 3.2E-005 FSXHPA103, LPK7LPSIFB 85 94.7
.1 2.8E-005 LBCBLPSIPA, LPMKLPSIPS 86 94.8
.1 2.8E-005 LBCBLPSIPB, LPMKLPSIPA 5-22
~
Table 5-8 (Cont'd)
SDCS W/O ACI FAULT TRIE CUT SETS (Case 3: During Refueling)
Fault Tree:
WLOB01BX Mincut Upper Bound 3.067E-002 Cut
% Cut No.
Total Set Freq.
Cut Sets 87 94.8
.1 2.6E-005 FSXHPA104, GHRVHXA 88 94.9
.1 2.6E-005 FSXMPA106, GERVHXA 89 95.0
.1 2.6E-005 FSXHPA104, LVDASI651 90 95.1
.1 2.6E-005 FSXHPA103, LVDASI665 91 95.2
.1 2.6E-005 FSXMPA106, LVDASI651 92 95.3
.1 2.6E-005 FSXHPA105, LVDASI665 93 95.3
.1 2.4E-005 LVMCSI307, LVMCSI656 94 95.4
.1 2.4E-005 LVMCSI656, LVMCSI657 95 95.5
.1 2.4E-005 LVMCSI306, LVMCSI307 96 95.6
.1 2.4E-005 LVMCSI306, LVHCSI657 97 95.6
.1 2.1E-005 FSXHPT106, LVMCSI307
-98 95.7
.1 2.1E-005 FSXHPT106, LVMCSI657 99 95.8
.1 2.1E-005 FSXHPT105, LVMCSI656 100 95.8
.1 2.1E-005 FSXHPT104, LVMCSI307 101 95.9
.1 2.1E-005 FSXHPT105, LVMCSI306 102 96.0
.1 2.1E-005 FSXHPT104, LVMCSI657 103 96.1
.1 2.1E-005 FSXHPT103, LVMCSI306 104 96.1
.1 2.1E-005 FSXHPT103, LVMCSI656 105 96.2
.1 2.0E-005 GVNOHXA, LPMXLPSIPB 106 96.3
.1 2.0E-005 GVNOHXB, LPMKLPSIPA 107 96.3
.1 1.9E-005 LVMASI440, LVMCSI306 108 96.4
.1 1.9E-005 LVMASI652, LVMCSI656 109 96.4
.1 1.9E-005 LVMASI456, IVMCSI657 110 96.5
.1 1.9E-005 LVMASI452, LVMCSI306 111 96.6
.1 1.9E-005 LVMASI452,- LVMCSI656 112 96.6
.1 1.9E-005'LVMASI440, LVMCSI656 113 96.7
.1 1.9E-005 LVMASI457, LVMCSI306 114 96.7
.1 1.9E-005 LVMASI457, LVMCSI656 115 96.8
.1-1.9E-005 LVMASI441, LVMCSI657 116 96.9
.1 1.9E-005 LVMASI453, LVMCSI307 117 96.9
.1 1.9E-005 LVMASI453, LVMCSI657 118 97.0
.1 1.9E-005 LVMASI441, LVMCSI307 119 97.0
.1 1.9E-005-LVMASI666, LVMCSI657 120 97.1
.1 1.9E-005 LVMASI456, LVMCSI307 121 97.2
.1 1.9E-005 LVMASI652, LVMCSI306 122 97.2
.1 1.9E-005 LVMASI666, LVMCSI307 123 97.3
.1 1.8E-005 FSXHPT104, FSXHPT105 124 97.3
.1 1.8E-005 FSXHPT105, FSXHPT106 125 97.4
.1 1.8E-005 FSXHPT103, FSXHPT106 126 97.5
.1 1.8E-005 FSXMPT103, FSXHPT104 127 97.5
.1 1.6E-005 FSXMPT104, LVMASI652 128 97.6
.1 1.6E-005 FSXHPT106, LVMASI452 129 97.6
.1 1.6E-005 FSXHPT104, LVMASI440 5-23
i Table 5-8 (cont'd)
SDCS W/O ACI FAULT TREE CUT SETS (Case 3: During Refueling)
Fault Treet WLOB01BX Mincut Upper Bound 3.067E-002 Cut
% Cut No.
Total Set Freq.
Cut Sets 130 97.7
.1 1.6E-005 FSXHPT105, LVMASI666 131 97.7
.1 1.6E-005 FSXHPT106, LVMASI440 132 97.8
.1 1.6E-005 FSXHPT105, LVMASI441 133 97.8
.1 1.6E-005 FSXHPT104, LVMASI452 134 97.9
.1 1.6E-005 FSXHPIl03, LVMASI441 135 97.9
.1 1.6E-005 FSXHPT103, LVMASI666 136 98.0
.1 1.6E-005 FSXHPT103, LVMASI453 137 98.0
.1 1.6E-005 FSXHPT105, LVMASI456 138 98.1
.1 1.6E-005 FSXHPT106, LVMASI457 139 98.1
.1 1.6E-005 FSXHPT105, LVMASI453 140 98.2
.1 1.6E-005 FSXHPT104, LVMASI457 141 98.2
.1 1.6E-005 FSXHPT106, LVMASI652 142 98.3
.1 1.6E-005 FSXHPT103, LVMASI456 143 98.4
.1 1.5E-005 LVMXHDR i
144 98.4
.1 1.5E-005 HVMXMINI 145 98.4
.0 1.4E-005 LVMASI452, LVMASI666 146 98.5
.0 1.4E-005 LVMASI441, LVMASI457 147 98.5
.0 1.4E-005 LVMASI456, LVMASI652 148 98.6
.0 1.4E-005 LVMASI453, LVMASI457 149 98.6
.0 1.4E-005 LVMASI456, LVPJLSI457 150 98.7
.0 1.4E-005 LVMASI440, LVMASI666 151 98.7
.0 1.4E-005 LVMASI441, s.VMASI452 152 98.8
.0 1.4E-005 LVMASI440, LVMASI441 153 98.8
.0 1.4E-005 LVMASI440, LVMASI456 154 98.9
.0 1.4E-005 LVMASI452, LVMASI456 155 98.9
.0 1.4E-005 LVMASI453, LVMASI652 156 99.0
.0 1.4E-005 LVMASI440,
,VMASI453 157 99.0
.0 1.4E-005 LVMASI452, uVMASI453 158 99.1
.0 1.4E-005 LVMASI652, LVMASI666 l
159 99.1
.0 1.4E-005 LVMASI457, LVMASI666 160 99.2
.0 1.4E-005 LVMASI441, LVMASI652 161 99.2
.0 1.3E-005 GHRCHXB, LVMCSI307 162 99.2
.0 1.3E-005 GHRCHXB, LVMCSI657 163 99.3
.0 1.3E-005 GHRCHXA, LVMCSI656 164 99.3
.0 1.3E-005 GHRCHXA, LVMCSI306 165 99.4
.0 1.1E-005 FSXHPT104, GHRCHXA 165 99.4
.0 1.1E-005 FSXHPT106, GHRCHXA 167 99.4
.0 1.1E-005 FSXHPT103, GHRCHXB 168 99.5
.0 1.1E-005 FSXHPT105, GHRCHXB 169 99.5
.0 1.1E-005 LPMKLPSIPA, LVCASI434 170 99.5
.0 1.1E-005 LPMKLPSIPB, LVCASI433 171 99.6
.0 1.0E-005 GHRCHXB, LVMASI457 172 99.6
.0 1.0E-005 GHRCHXA, LVMASI666 5-24
Table 5-8 (Cont'd)
SDCS W/0 ACI FAULT TREE CUT SETS (Case 3: During Refueling)
Fault Tree:
WLOB01BX Mincut Upper Bound 3.067E-002 Cut t
% Cut No.
Total Set Freq.
Cut Sets 173 99 6
.0 1.0E-005 GHRCMXA, LVMASI441 174 99.7
.0 1.0E-005 GHRCMXA, LVMASI456 175 99.7
.0 1.0E-005 GHRCHXA, LVMASI453 176 99.7
.0 1.0E-005 GkRCMXB, LVMASI440 177 99.8
.0 1.0E-005 GHRCHXB, LVMASI452 178 99.8
.0 1.0E-005 GHRCHXB, LVMASI652 179 99.8
.0 1.0E-005 LPMKLPSIPA, LVNOSI424 180 99.9
.0 1.0E-005 LPMKLPSIPB, LVNOSI446 181 99.9
.0 1.OE-005 LPMVLPSIPA, LVMCSI306 182 99.9
.0 1.0E-005 LPMVLPSIPA, LVMCSI656 183 100.0-
.0 8.7E-006 FSXHPA105, LBCBLPSIPB l'
=
5-25
i l
6.0 CONCLUSION
S The removal of autoclosure interlocks from the shutdown cooling system and replacement with a valve position alarm or modification of the existing alarm was evaluated to determine the impact of such a change on Interf acing System LOCA frequency, SDCS unavailability, and low temperature over-pressure event mitigatien.
The evaluation presented in this report. assesses the impact of removing ACI from two existing configurations of SDCS suction valves at C-E supplied NSSS units.
The evaluation addressed the two existing configurations in addition to a proposed configu-ration of the SDCS suction valves.
The configurations addressed in this report are as follows:
o Case 1 SDCS suction valves with ACI only, o
Case 2 SDCS suction valves with ACI and alarm, and o
Case 3 SDCS suction valves with alarm only.
The evaluation shows that for those units with ACI only, the removal of the ACI from the SDCS and replacement with a valve position alarm will reduce the frequency of interfacing system LOCA by approximately 13%.
The evaluation also shows that for those units with ACI and valve position alarm, the removal of ACI and incorporation of certain changes to the existing alarm will result in negligible increase (0.09%) in the frequency of interfacing system LOCA.
These results are not particularly sensitive to assumptions made regarding opertor error porbabilities.
Varying all types of operator error probabilities together results in only a slight increase in the frequency of interfacing system LOCA for units with ACI only.
The frequency for the other type of units remain virtually constant, of the three types of operator error evaluated, only " operator fails to detect valve in wrong position" shows any significant impact.
When the probabilities for the other types of operator error are varied individually there is no j
noticable change in Interfacing System LOCA frequency.
The frequency of Interfacing System LOCA tends to increase as l
longer test intervals for the alarm are assumed.
Noticable changes are observed when' test intervals of 5 years or more are i
assumed.
Therefore, since the proposed configuration includes an alarm that is tested at each refueling, units with ACI and alarm will realiza a reduction in their interfacing system LOCA frequency if the existing alarm is tested less frequent than 'every 1
6-1
l refueling.
A test interval of every refueling is assumed in all analyses, except the sensitivity analyses.
A review of the recent interf acing system LOCA precursor event that occurred at Biblis-A PWR shows that the operator tried to close a mispositioned pressure isolation valve that should have been closed prior to startup.
The operator tried to manipulate the pressure on the mispositioned valve by opening a second valve.
In doing so, a path from the RCS to the atmosphere was estab-lished.
As a result, a small amount of release occurred for a short time.
For all SDCS of C-E supplied NSSS units, the pressure isolatien valves (SDCS suction valves) cannot be opened by the operator while RCS pressure is above shutdown cooling entry conditions.
The open permissive interlocks prevent such actions by the operator.
These interlocks are not the subject of this analysis.
They will remain as an integral part of the SDCS suction valves.
Therefore, the sequence of events involving operator actions that occurred at Biblis-A is not expected to occur in the SDCS of any C-E supplied NSSS unit.
The evaluation shows that by removing ACI and replacing it with a valve position alarm, SDCS unavailability will decrease by 39% during refueling operations.
Therefore, removal of ACI from the_SDCS will reduce the number of spurious closures of suction valves and thut increase the availability of SDcs.
By increasing SDCS availabili.., the availability of the relief valves to mitic 'te low temperature over-pressure events also increases.
TP results of the evaluation show that removal of ACI will
>9 interfacing system LOCA frequency via SDCS suction lines an'er with ACI only and vill increase the frequency by an ex.D aely small amount at units with ACI and alarm.
The results also show that removal of ACI will increase SDCS reliability, and increase the availability of the low temperature over-pressur,e relief valves.
Therefore, removal of ACI and replacement with a vslve position alarm or modifications to existing alarm will result in safety improvements at plants with the configurations considered in this analysis.
6-2 l
4 s
7.0 REFERENCES
1.
G. Vine, et al, " Residual Heat Removal Experience Review and Sefety Analysis - Pressurized Water Reactors", NSAC-52, January 1983.
2.
U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, " Decay Heat Removal Problems at U.S. Pressurized Water Reactors", Case Study Report AEOD/C503, December 1985.
3.
D.R. Gallup, et ai, " Potential Benefits obtained by Requiring Safety-Grade Cold Shutdown Systems", NUREG/CR-4335, November 1985.
4.
Pacific Gas and Electric Company Letter, James D.
Shiffer to NRC, "Diablo Canyon Units 1 and 2 Removal of RER System Autoclosure Interlock Function", DCL-87-187, August 4, 1987.
5.
I.A.
Papazoglou and R.A. Buri, "Probabilistic Safety Analysis Procedures Guide", NUREG/CR-2815, January 1984.
6.
"PRA Procedures Guide", NUREG/CR-2300, April 1982.
7.
K.D. Russell and M.B. Sattison, " Integrated Reliability and Risk Analysis System (ARRAS) User's Guide - Version 2.0 (Draft)," NUREG/CR-5111, March 1988.
8.
" Reactor Safety Study, An Assessment of Accident Risks in U.S.
Conmerical Nuclear Power Plants", WASH-1400/NUhEG-75/014, October 1975.
9.
" Advanced Light Water Reactor Requirements Document, Appendix A: PRA Key Assumptions and Groundrules", (Draft), July-1987.
- 10. M.T. Drouin, et al, " Analysis of Core Damage Frequency from Internal Events: Methodology Guidelines", Volume 1, NUREG/CR-4550, September 1987.
- 11. "rEEE Guide to the Collection and Presentation of Electrical, Electronic, and Sensing Com Power Generating Stations",ponent Reliability for Nuclear IEEE-STD500-1984.
- 12. A.D. Swain and H'.E. Guttmann, " Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications",
NUREG/CR-1278, August 1983.
t
- 13. "RPS/ESFAS Extended Test Interval Evaluation", CEN-327, May 1986.
i i
l 7-1 I
l
.. -.. ~ _ -
- 14. "NRC Looks for Generic Implications of HPIS Back flow at AP&L's ANO-1", INSIDE N.R.C.,
February 13, 1989.
- 15. " German officals Defend Biblis Accident Precursor Handling",
NUCLIONICS WEEK, December 8, 1988.
The following drawings were used to develop the fault tree model for SDCS:.
1.
Louisiana Power & Light Company Waterford'S.E.S. Unit No. 3 Flow Diagram, Safety-Injection System, LOU-1564-G-167, sheet 1 of 2, Rev. 27.
2.
Louisiana Power & Light Co=pany Waterford S.E.S. Unit No. 3 Flow Diagram, Safety Injection System,. LOU-1564-G-167, sheet 2 of 2, Rev. 23.
3.
Combustion. Engineering, Pressurizer Pressure (Low Range) CH.
P-1103 & 1105 Interconnection Diagram, D-13172-416113, Rev.
05.
4.
Combustion Engineering, Pressurizer Pressure (Low Range) CH.
P-1104 & 1106 Interconnection Diagram, D-13172-416113, Rev.
05.
5.
Elementary Wiriny Diagram - Motor Operated Valves, B-13172-414-350, sheet 4 of 10, Rev. 01.
i 7-2
. _. -. = -.
APPENDIX A Fault Tree Model for SDCS A-1
.-,i4 nA.-i K
K,n.*lnwhnGa.
Si 4 2<u-+,-+ia 4
14-.~,-
- ne.
4,&
44 eJm h.4
.u._AAu#J s.
Es b -py..A.a,
.,.as Js ama4,.._.w.,
s <. A_
,_g,.w 4,ga6~4,e.
JJJ m. A a,a
.mi.54_
- ataa, A.m4 4 4.. a, l
.i
- rd 6
o 11 s
8 Eg g
gas ea 8ega g
b*g 3
~
2 v
x g-L W
c25 5
O
-de m
$pm O
a g
3 egs n
gh
~
o s
d 9
% @8 b
m 8-g egn g
Dg$
8 o
dr;5 m
L
-.y l
25 A-2
.l 4,
J44-4
--m4e.ain.
24.4 4
MC-Je.4M-.42 3
-A__..sa.u_+%4
-ra..
,-e4
- 4s A.y4mer4-4 Awe, A w&
A 6
4.p 3a s A,m 4
4 4___.4a4 Aw.
d.4__._d_4
=
5,5 5
[%
h 2
EV 8d~
l t
g-s a
g@
2 v
1 S$5 R
=$*
CD Bh se!
- fk 5'
$e O
g f4k s
i-
=6-
~ e g
2 dm a'
>u L..
BC 1
eg 83>1 g
A-3
6
-A-k Whee um..aku-
=
4-
'e-O#
e
--e--
Mm A
es A.-7m-,-
9M 6+k M9 M A. A.A s A &O 4 at
>+1wm,4..a.,,.,A'4---6,Q-e s + ; 44yA 4,6 vsAa"Lb - & bAMmHMy, 4JA--.AL4
- a
.m-l e
?
T im % E c[$m
]
iw o
a I
MI l"
8-t geg s
c5R 5
X 7
CD hh
,e s.
.h.4 lc
~~
~
s gh a
J
.l{
=c gg I
I g
dn
~
65 bj e$$
>;o 5
~
eW se w
A-4
-e m
w....
4 9
575 A,
3 o1 33i
~% Qt tu l
l d2" 1 s s
2 8
g5 s
b
.C..
au m
~
p-
- r$e j
o.
W 3-ep %
=
->h 3
3A!Os$.
Es s
t~e
=
w$$
jst V!
A-6
-. - -h a
-,,sm d.+mn+m, 4A A,\\-==Wu$a n4 esVAa3&2,La-i.
$ - isEm.m.
1, e
Gh-,u-.,---s 4s_a sp-4ai,4-1 m
A
+e.lE
&k
_A ga
-b
?
T=
Ut b
$Es s
^
g R
- X CD in 5
~
ola v !
e a
,Jb
!a[6 GI
\\
2 36>u e
- gi-atm E
65#
5 i
O b th 3
B I
A-6
J g
m.
A a.
A d.
4.Me, L
4 eu+... - -
- d.
R
.e m
4 a
a 4
k -
- S< A g$. \\g
!*S
- 3 7-e
$$Y at
,t e
) !b
~
s
-is
<~
%i ue S*f f
Mr I-s 8
- ihG[,
g g-*
ss-
~
pf ws 8
NE' N
g yt l
_w ff I-g$g
~h I
E L
L a
8 1
A-7
I SDC CROSSOVER VALVE SI-457 UNAVALABLE WLQ 07BX r
i t
I CCF OF SDC CROSSOVER SDC CROSSOVER VALVES VALVE SI-457 FAILS TO OPEN
}
v i VMXRiti LVMASl45/
W_03073X e
I m
[
I SDC TliROTIlE VALVE SI-657 INOPERABLE w btox
?
E l
CCF OF OPERATOR FALS SDC IliROIILE SDC THROTTLE-10 TitROITLE SDC VALVE SI-6S7 i
VALVES TliROTTLE VALVE 7 AILS TO OPERAll; G
\\
J LVMXIl ROI LVMOltROT LVMCue /
W_03083X
I SDC CROSSOVER VALVE SI-452 UNAVAt_ABLE wt Jux P
1 E
I CCF OF SDC CROSSOVER SDC CROSSOVER VALVE SI-452 VALVES FAILS TO OPEN LVMXRIt1 LVMAS14S'1 W_03093X
..a
e*
9 i
LOSS Of itOW FROM tl*J RWA Int tw I
I I
1 LP9P MAkalAL LP9P. A OECK (P'J IAAd*
TOSS of It(w h
RV SI-4 46 RV SI-433 A
TO WJ Re42 L
NOT OTH FALS TO OITN tt4AVALA11E A
w mex w w esa t%9sOSM 46 LW.A5M 33 L
WLOB10BX 4
1 DC ltX A OfPAM WV 58-307
- 40PERAf1E wN[ux I
I i
CCF OF SDCS C4fRATOf FAI S ItX A BYPASS IfX ffYPASS 10 ilff01Ilf vt.V SI-307 VALVES SDCS BYP W.VS TALS TO CPUf.
tvu=3wss tvwnie<or tvucasoi WLOB 11BX O
o~
- a I
soc tu A
t#4AVA1Allf n
wtbx O
I I
I I
COuu0ti CAUSE OffECINE SDCS ttx A SOCS itX A CCw TAttRf OF SDCS ttX Ut4AVA1.IXC N ET/OultEl SOCS stXs A
10 MAHI M.V NO1 (Atti GNXSOCS G6TJtXA G emu A LMotAA WLOB12BX 4
h