ML20079D328

RISK-BASED Inspection Guide for Crystal River Unit 3 Nuclear Power Plant
ML20079D328
Person / Time
Site: Crystal River
Issue date: 06/30/1991
From: Dukelow J, Beverly Smith, Vo T
Battelle Memorial Institute, PACIFIC NORTHWEST NATION
To:
Office of Nuclear Reactor Regulation
References
CON-FIN-I-2008 NUREG-CR-5467, PNL-7108, NUDOCS 9107080262

NUREG/CR-5467
PNL-7108

Risk-Based Inspection Guide for Crystal River Unit 3 Nuclear Power Plant

Prepared by B. W. Smith, J. S. Dukelow, T. V. Vo, M. S. Harris, B. F. Gore, S. T. Hunt

Pacific Northwest Laboratory
Operated by Battelle Memorial Institute

Prepared for U.S. Nuclear Regulatory Commission


Manuscript Completed: December 1990
Date Published: June 1991

Pacific Northwest Laboratory
Richland, WA 99352

Prepared for
Division of Radiation Protection and Emergency Preparedness
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555
NRC FIN I2008

ABSTRACT

The level 1 probabilistic risk assessment (PRA) for Crystal River Unit 3 (CR-3) has been analyzed to identify plant systems and components important to minimizing public risk, as measured by system contributions to plant core damage frequency, and to identify the primary failure modes of these components. The report presents a series of tables, organized by system and prioritized by risk importance, which identify components associated with 98% of the inspectable risk due to plant operation. The systems addressed, in descending order of risk importance, are: Low Pressure Injection, AC Power, Service Water, Demineralized Water, High Pressure Injection, DC Power, Emergency Feedwater, Reactor Coolant Pressure Control, and Power Conversion. This ranking is based on the Fussell-Vesely measure of risk importance, i.e., the fraction of the total core damage frequency which involves failures of the system of interest.

CONTENTS

ABSTRACT
SUMMARY
ACKNOWLEDGMENTS
1.0 INTRODUCTION
2.0 DOMINANT ACCIDENT SEQUENCES
    2.1 STEAM GENERATOR TUBE RUPTURE
    2.2 SMALL BREAK LOCA
    2.3 LOSS OF OFFSITE POWER
    2.4 LARGE BREAK LOCA
    2.5 OTHER INITIATORS
    2.6 IMPORTANT HUMAN ERRORS
        2.6.1 Pre-Accident Errors
        2.6.2 Post-Accident Errors
    2.7 COMMON CAUSE FAILURES
3.0 SYSTEM PRIORITY LIST
4.0 SYSTEM INSPECTION TABLES
    4.1 LOW PRESSURE INJECTION SYSTEM
    4.2 AC POWER SYSTEM
    4.3 SERVICE WATER SYSTEMS
    4.4 DEMINERALIZED WATER SYSTEM
    4.5 HIGH PRESSURE INJECTION SYSTEM
    4.6 DC POWER SYSTEM
    4.7 EMERGENCY FEEDWATER SYSTEM
    4.8 REACTOR COOLANT PRESSURE CONTROL SYSTEM
    4.9 POWER CONVERSION SYSTEM
5.0 CONTAINMENT PROTECTION SYSTEMS AT CR-3
    5.1 REACTOR BUILDING SPRAY SYSTEM
    5.2 REACTOR BUILDING FAN ASSEMBLIES
6.0 REFERENCES

FIGURES

4.1 SIMPLIFIED SYSTEM DRAWING OF DHR/LPI SYSTEM
4.2 SIMPLIFIED SYSTEM DRAWING OF AC POWER
4.3A SIMPLIFIED SYSTEM DRAWING OF SWS (NSCCC)
4.3B SIMPLIFIED SYSTEM DRAWING OF SWS (DHCCC)
4.40 SIMPLIFIED SYSTEM DRAWING OF SWS (NSSW and DHSW)
4.5 SIMPLIFIED SYSTEM DRAWING OF MAKEUP/HPI SYSTEM
4.6 SIMPLIFIED SYSTEM DRAWING OF DC POWER
4.7 SIMPLIFIED SYSTEM DRAWING OF EFW SYSTEM
4.9A SIMPLIFIED SYSTEM DRAWING OF MAIN FEEDWATER SYSTEM
4.9B SIMPLIFIED SYSTEM DRAWING OF CONDENSATE SYSTEM

TABLES

3.1 SYSTEM PRIORITY RANKING
4.1A LPI SYSTEM FAILURE MODE IDENTIFICATION
4.1B MODIFIED LPI SYSTEM WALKDOWN
4.2A AC POWER SYSTEM FAILURE MODE IDENTIFICATION
4.2B MODIFIED AC POWER SYSTEM WALKDOWN
4.3A SERVICE WATER SYSTEMS FAILURE MODE IDENTIFICATION
4.3B MODIFIED SERVICE WATER SYSTEMS WALKDOWN
4.5A HPI SYSTEM FAILURE MODE IDENTIFICATION
4.5B MODIFIED HPI SYSTEM WALKDOWN
4.6A DC POWER SYSTEM FAILURE MODE IDENTIFICATION
4.6B MODIFIED DC SYSTEM WALKDOWN
4.7A EMERGENCY FEEDWATER SYSTEM FAILURE MODE IDENTIFICATION
4.7B MODIFIED EFW SYSTEM WALKDOWN
4.8A REACTOR COOLANT PRESSURE CONTROL SYSTEM FAILURE MODE IDENTIFICATION
4.9A POWER CONVERSION SYSTEM FAILURE MODE IDENTIFICATION
4.9B MODIFIED POWER CONVERSION SYSTEM WALKDOWN
4.10 PLANT OPERATIONS INSPECTION GUIDANCE
4.11 SURVEILLANCE INSPECTION GUIDANCE
4.12 MAINTENANCE INSPECTION GUIDANCE
4.13 QUALITY ASSURANCE / ADMINISTRATION CONTROL INSPECTION GUIDANCE

SUMMARY

The Risk-Based Inspection Guide for Crystal River Unit 3 (CR-3) was compiled for the U.S. Nuclear Regulatory Commission (NRC) at Pacific Northwest Laboratory (PNL). It is based upon a previously developed methodology for identification and presentation of information which is useful for the planning and performance of powerplant inspections.

The Level 1 probabilistic risk assessment (PRA) for CR-3 (Averett et al. 1987) has been analyzed to identify plant systems and components important to minimizing public risk, as measured by system contributions to plant core melt frequency. The body of this report consists of a series of tables, organized by system and prioritized by risk importance, which identify components associated with 98% of the core damage probability resulting from plant operation.

Following a section describing important accident initiators and sequences identified in the PRA, tabulations are presented for seven systems. These system tables are ordered by system risk importance, as measured by the fraction of the total core melt probability associated with failures of each system. Two tables are presented for most systems. The first table presents the failure modes identified in the PRA for each important system component. The second table provides a modified system check off list identifying the proper line-up of each component during normal operation.

The tabulations were developed by the following analysis procedure. Plant systems were ordered according to system risk importance. To accomplish this, the dominant cut sets representing more than 98% of the core melt probability were listed, and the fraction of the total core damage probability which involved failures of components from each system was calculated (this is the Fussell-Vesely importance measure). Systems were then selected from the ordered list until more than 98% of the core melt probability was accounted for. Within systems, components were then ranked by similar Fussell-Vesely importance calculations using the dominant cut set elements.

The tables thus present, in decreasing order of system importance, the failure modes, and a check off list of the normal operational states for all components associated with 98% of the core damage probability associated with plant operation. This information allows an inspector to readily identify important systems and components when developing an inspection plan and when walking down systems in the plant.

The information presented in this document allows an inspector to concentrate his efforts on systems important to the prevention of core damage. However, it is essential that inspections not focus exclusively on these systems. Other systems which perform essential safety functions, but are absent from the tables because of high reliability and redundancy, must also be addressed to ensure that their importance is not increased by allowing their reliability to decrease. A balanced inspection program is essential. This information represents but one of the many tools to be used by experienced inspectors.

ACKNOWLEDGMENTS

Thanks are extended to M. W. Averett of Florida Power Corporation, Project Manager of the Crystal River Unit 3 PRA, for information which he provided concerning the accident sequence and fault tree analysis results and many discussions during the performance of this analysis. This analysis was performed under sponsorship by the U.S. NRC, Technical leader Dr. Steven Long, whom we wish to thank for his insights.

1.0 INTRODUCTION

This document has been prepared to provide inspection guidance based on PNL's review of the Crystal River Unit 3 Probabilistic Risk Assessment (PRA) prepared jointly by Florida Power Corporation and Science Applications International Corporation (Averett et al. 1987). The guidance should be used to aid in the selection of areas to inspect, and is not intended either to replace current NRC inspection guidance or to constitute an additional set of inspection requirements. The information contained herein is derived from a revised listing of dominant cutsets produced by Florida Power Corporation during 1990 (Averett and Miskiewicz 1990); it therefore contains more current information than the reference document. Nevertheless, recent system experience, failures, and modifications should be considered when reviewing these tables. Since plant modifications are normally an ongoing process, it is recommended that relevant changes be catalogued so that this inspection guidance can be periodically revised as required.

2.0 DOMINANT ACCIDENT SEQUENCES

The Crystal River PRA identifies a number of different accident sequences that contribute significantly to overall core damage frequency (CDF). Based on the revised listing of cutsets supplied by Florida Power Corporation (Averett and Miskiewicz 1990), the total core damage frequency is 1.4E-5/year. The sequences that dominate this core damage frequency are identified below by their initiating events and the percentage of the total CDF which they represent.

• Steam Generator Tube Rupture (40%)
• Small Break LOCA (26%)
• Loss of Offsite Power (21%)
• Large Break LOCA (11%)
• Other Initiators (2%)

These and other accident sequences which contribute significantly to the CDF are described in more detail in the following subsections. These descriptions are based on the information provided in Reference 2.

2.1 STEAM GENERATOR TUBE RUPTURE

The steam generator tube rupture (SGTR) is a small break LOCA, but a LOCA which immediately bypasses containment, greatly increasing the probability of a release of radioactivity to the environment. Operator response to an SGTR must replenish the reactor coolant system (RCS) inventory being lost through the ruptured tubes and must depressurize the RCS and the secondary systems to bring the plant to a stable decay heat removal condition. One complication is that RCS inventory lost through the ruptured tubes does not collect in the containment sump, so the operator cannot initiate recirculation mode core cooling when the borated water storage tank (BWST) is depleted. Instead, action needs to be taken to stop the loss of RCS inventory through the ruptured tubes and/or to refill the BWST.

The SGTR core damage accident sequences fall into two classes: 1) an SGTR followed by failure of high pressure injection (HPI) system and 2) an SGTR with successful high pressure injection, but subsequent failure to depressurize and begin long term decay heat removal and/or failure to refill the BWST. The second class dominates the SGTR contribution to core damage risk.

2.2 SMALL BREAK LOCA

Following a small break LOCA, the immediate concern is to replace RCS inventory being lost out the break. Two major classes of core damage sequences are important: 1) a small break LOCA followed by early failure of high pressure injection and 2) a small break LOCA with successful high pressure injection, followed by failure of high pressure recirculation mode cooling of the core. The second class of sequences dominates the small break LOCA contribution to total CDF, because both the HPI and low pressure injection (LPI) systems must function correctly for successful high pressure recirculation cooling.

Because LPI is a two train system (as opposed to the three train HPI system), high pressure recirculation failures are dominated by common cause or independent failures of two different LPI components, each failing one of the two LPI trains.

2.3 LOSS OF OFFSITE POWER

Loss of Offsite Power (LOOP), as defined by the CR-3 PRA, is the loss of the 230 kV switchyard. A CR-3 LOOP leaves the emergency diesel generators (EDGs) as the only power source for the 4.16 kV Engineered Safeguards Buses 3A and 3B. The LOOP core damage sequences are all station blackout sequences. Most involve loss of offsite power, failure of both EDGs, and failure to recover offsite power in time to prevent core uncovery. For most such sequences, core heat removal through the steam generators (SGs) succeeds, using feedwater supplied by the steam-turbine driven emergency feedwater pump.

If offsite power is not restored within about four hours, then the loss of DC power due to battery depletion is assumed to cause loss of the ability to control SG feedwater level. Loss of level control is assumed to lead to either a dryout of the SG or overfill of the SG with water carryover into the emergency feedwater turbine steam lines.

2.4 LARGE BREAK LOCA

In a large break LOCA, the RCS depressurizes rapidly, allowing reflooding (temporarily) of the core by injection from the core flood tanks. The LPI system must operate successfully in injection mode, injecting borated water from the BWST. When the BWST is depleted, the operators must switch the source of LPI pump suction to the containment sump, initiating core cooling in recirculation mode (recirculating water from the sump, through the Decay Heat Removal system heat exchangers, to the RCS, and back out the break to the sump).

Core damage risk subsequent to a large break LOCA is dominated by failure of the operator to successfully switch over from low pressure injection to low pressure recirculation upon depletion of the BWST. Other important sequences involve separate, independent or common cause, failures of LPI components disabling both LPI trains.

2.5 OTHER INITIATORS

Core damage accident sequences beginning with other initiators constitute less than 2% of the total core damage risk and are not discussed in detail in this report.

2.6 IMPORTANT HUMAN ERRORS (including Recovery Actions)

Human errors can be very significant to overall plant risk. Examination of the dominant cutsets from the Crystal River 3 PRA identified several human errors as particularly important contributors to risk.

2.6.1 Pre-Accident Errors

1. Miscalibration of the level transmitters of the EFW storage tank can prevent operators from recognizing loss of tank inventory, and thereby fail this source of EFW.
2. Misalignment closed of the surge tank outlet valve in either train of the Decay Heat Closed Cycle Cooling System (valves DCV-19 or DCV-20) may disable that service water train of heat removal. Although this is a low probability event, it could lead to loss of that train of HPI and LPI.
3. Latent errors during testing or maintenance could disable the pump in either train of the Decay Heat Seawater System (RWP-3A or RWP-3B), preventing cooling of the associated DHCCC heat exchanger. These pumps could also be disabled if the flush water valves were left unavailable. As above, these are low probability events, but they may result in disabling HPI and LPI pumps, and the associated LPI coolers.
4. Mispositioning the control of the standby HPI pump, preventing automatic start on demand, could result in system failure when the alternate HPI pump is unavailable due to maintenance, and the running pump is failed by a transient.

2.6.2 Post-Accident Errors

1. Failure of the crew to restore offsite power following a station blackout event has a high risk importance, since loss of both the motor-driven EFW pump and HPI results. The turbine driven EFW pump fails two hours after the B diesel generator fails, due to depletion of the train B batteries, loss of emergency feedwater monitoring and control, and subsequent steam generator overfill or dryout. Core damage commences 50 minutes after loss of all HPI and EFW. Important event sequences include failure of both diesels on demand, resulting in core damage after 2 hours 50 minutes, and coincident failures on demand of the A diesel and the B battery, resulting in core damage after just 50 minutes.
2. Failure of the operators to refill the Borated Water Storage Tank following a steam generator tube rupture can lead to loss of HPI after BWST depletion, since no water accumulates in the reactor building sump for recirculation during this event.
3. Failure of the operators to provide makeup from the reactor coolant Bleed Tanks during an event where HPI is lost due to blockage of BWST suction or BWST failure could result in core uncovery and melting.

Other human errors are identified in the system failure mode tables.

2.7 COMMON CAUSE FAILURES

Based on the results of Crystal River 3 PRA (revised), the following common cause failures are identified to be important:

• Common Cause Failure of Service Water System

  Failure of the Service Water system due to common cause failures will prevent cooling from being provided to key front line equipment (e.g., makeup pumps). The important failure is the common mode failure of the standby Raw Water pumps 3A and 3B or Service Water pumps 1A and 1B to start and run under the emergency conditions.

• Common Cause Failure of DC Batteries

  The station batteries at Crystal River are also susceptible to common cause failure. The important common mode failures are either failure of the battery ventilation system or miscalibration of the battery chargers.

• Common Cause Failure of Makeup Pumps

  The important failure modes are pump failures to start or to run as required. Hardware failure is the dominant failure mode.

• Common Cause Failure of Emergency Feedwater Pumps

  Operation of the Emergency Feedwater system requires a number of important support systems, e.g., ac power, dc power, Emergency Feedwater Instrumentation and Control (EFIC), etc. These support systems are also used for other functions and support other systems. These dependencies make the pumps susceptible to common cause failure, despite the fact that one is turbine-driven and one is motor-driven. The important failure modes are pump failures to start or to run as required.

Other common cause failures, not considered to be as important as those identified above, are addressed in the system failure mode tables.

3.0 SYSTEM PRIORITY LIST

The Crystal River plant systems have been ranked in Table 3.1 according to their importance in preventing core damage. Two different rankings are provided for use under two types of circumstances. Under normal conditions, the left-hand column should be used. For degraded or inoperable systems, the right-hand column should be used, as discussed below. Plant systems not appearing on these lists are generally of lesser importance than those included.

TABLE 3.1. SYSTEM PRIORITY RANKING

Column 1: By Contribution to Core Damage Frequency(a)
Column 2: By Risk Significance of System Being Unavailable(b)

Low Pressure Injection AC Power AC Power

Human Operators

........................................................(c)

Service Water Demineralized Water DC Power High Pressure Injection Low Pressure Injection e High Pressure Injection Chemical Addition DC Power RCS Pressure Control Service Water Power Conversion Human Operators

(a) The ranking in Column 1 is appropriate to use for systems that are functioning normally. It is based on the Fussell-Vesely importance measure, which is the system's contribution to the core damage frequency, assuming that the system is operating with normal reliability.

(b) The ranking in Column 2 is appropriate to use for determining the significance of known system degradation or inoperability. It is based on the Birnbaum importance measure, which indicates the increase in the core damage frequency that results when the system is assumed to be inoperable.

(c) The dashed lines represent significant differences between importances of systems that are adjacent in the lists. Systems not separated by dashed lines should be assumed to have importances approximately equivalent to each other, within the precision of PRA quantification. Systems which appear in Column 1, but not in Column 2, have Birnbaum importances an order of magnitude or more lower than the six systems appearing in Column 2.

The two system prioritization lists have been included in Table 3.1 because they provide different types of risk insights that are useful in the inspection process. The left-hand column indicates the system's contribution to the CDF as provided by the Fussell-Vesely Importance Measure, given that the system is operating with the reliability assumed by the PRA. Generally, when planning an inspection without knowledge of specific system problems, those systems that contribute most to core damage frequency should be given priority attention in order to most efficiently minimize risk.

However, when one or more systems exhibit unusually high failure rates or unusual types of failures, then the probabilities assumed in the PRA are not really appropriate for the failures of those systems. While their problems persist, the affected systems contribute more to the risk of core damage than is indicated by the left-hand column. The increase in the core damage frequency when the system is inoperable is indicated by the right-hand column, based on the Birnbaum Importance Measure. The right-hand column can be used to estimate how much more important these systems have become when they are having problems. (Affected systems with high rankings in the right-hand column should be considered to have become much more important than indicated by their rank in the left-hand column, while systems with lower rankings in the right-hand column would have smaller increases above the rank indicated in the left-hand column.) Similarly, the right-hand column is the appropriate choice for estimating the risk significance of inspection findings that indicate a system is inoperable or degraded.

Adjacent systems on the list should be considered to have approximately equal contributions to risk because of the uncertainties in the PRA. Where the difference between importance measures of adjacent systems is significant, they have been separated by the dashed lines.
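The two rankings can be reproduced from a cut set listing. The following is an added example, not code or data from the report: it computes system-level Fussell-Vesely and Birnbaum importances using the rare-event approximation (CDF taken as the sum of cut set frequencies). All initiator frequencies, basic event names, probabilities and cut sets are constructed for illustration and are not CR-3 PRA values.

```python
from math import prod

# Constructed illustration data. These are NOT values from the CR-3 PRA.
INITIATOR_FREQ = {"SGTR": 1e-2, "SBLOCA": 3e-3, "LOOP": 5e-2}  # events per year

# basic event -> (owning system, failure probability); all names hypothetical
BASIC_EVENTS = {
    "HPI-PUMPS-CCF": ("HPI", 1e-4),
    "LPI-PUMP-A": ("LPI", 5e-3),
    "LPI-PUMP-B": ("LPI", 5e-3),
    "LPI-SUMP-VALVES-CCF": ("LPI", 2e-4),
    "EDG-A": ("AC", 3e-2),
    "EDG-B": ("AC", 3e-2),
    "OP-REFILL-BWST": ("HUMAN", 5e-4),
    "OP-RESTORE-OFFSITE": ("HUMAN", 0.2),
}

# Minimal cut sets: an initiator plus the basic events that must all occur.
CUT_SETS = [
    ("SGTR", frozenset({"OP-REFILL-BWST"})),
    ("SGTR", frozenset({"HPI-PUMPS-CCF"})),
    ("SBLOCA", frozenset({"LPI-PUMP-A", "LPI-PUMP-B"})),
    ("SBLOCA", frozenset({"LPI-SUMP-VALVES-CCF"})),
    ("SBLOCA", frozenset({"HPI-PUMPS-CCF"})),
    ("LOOP", frozenset({"EDG-A", "EDG-B", "OP-RESTORE-OFFSITE"})),
]

SYSTEMS = sorted({system for system, _ in BASIC_EVENTS.values()})


def minimize(cut_sets):
    """Remove duplicates and cut sets absorbed by a smaller set with the same initiator."""
    unique = set(cut_sets)
    return [(init, events) for init, events in unique
            if not any(init == other_init and other < events
                       for other_init, other in unique)]


def cdf(cut_sets, forced=None):
    """Core damage frequency (per year), rare-event approximation.

    forced maps a system name to True (assumed failed: its events are certain)
    or False (assumed perfect: cut sets containing its events cannot occur).
    """
    forced = forced or {}
    reduced = []
    for init, events in cut_sets:
        systems_hit = {BASIC_EVENTS[e][0] for e in events}
        if any(forced.get(s) is False for s in systems_hit):
            continue  # a perfect system removes every cut set it appears in
        kept = frozenset(e for e in events
                         if forced.get(BASIC_EVENTS[e][0]) is not True)
        reduced.append((init, kept))
    return sum(INITIATOR_FREQ[init] * prod(BASIC_EVENTS[e][1] for e in events)
               for init, events in minimize(reduced))


def fussell_vesely(system):
    """Fraction of the CDF that involves a failure of the given system."""
    base = cdf(CUT_SETS)
    return (base - cdf(CUT_SETS, {system: False})) / base


def birnbaum(system):
    """CDF with the system assumed failed minus CDF with it assumed perfect."""
    return cdf(CUT_SETS, {system: True}) - cdf(CUT_SETS, {system: False})


def rank(measure):
    """Systems in decreasing order of the given importance function."""
    return sorted(SYSTEMS, key=measure, reverse=True)


if __name__ == "__main__":
    print(f"CDF = {cdf(CUT_SETS):.3e} per year")
    print(f"{'system':8}{'Fussell-Vesely':>16}{'Birnbaum':>12}")
    for s in SYSTEMS:
        print(f"{s:8}{fussell_vesely(s):>16.3f}{birnbaum(s):>12.3e}")
    print("Column 1 order (Fussell-Vesely):", rank(fussell_vesely))
    print("Column 2 order (Birnbaum):      ", rank(birnbaum))
```

With this constructed data the two orderings differ: the hypothetical HPI system contributes little to the baseline CDF but ranks first by Birnbaum importance, which is the situation the right-hand column of Table 3.1 is meant to expose.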


4.0 SYSTEM INSPECTION TABLES

Tables are presented for each of the risk-important systems selected in the analysis. These tables identify important system failure modes, and the required position of each important component during normal system operation (i.e., system walkdown checklist). The systems are presented in decreasing order of Fussell-Vesely risk importance, and together comprise more than 98% of the risk associated with plant operation. To provide useful information for the inspector, simplified system drawings from the Crystal River PRA are reproduced at the end of each section.

4.1 LOW-PRESSURE INJECTION SYSTEM

The purposes of the Low Pressure Injection (LPI) system are to remove decay heat during normal shutdown and to serve as an engineered safeguards system during plant transients and accidents. The LPI system consists of two redundant pump trains in parallel. The pumps can be aligned to receive suction directly from the primary coolant system through the decay heat removal drop line, from the borated water storage tank (BWST), or from the reactor building sump.

Each pump discharges through a separate LPI line to the reactor vessel via one of the two core flood valves. Although cross over lines exist on both the suction and discharge sides of the pumps, the normal system configuration is to have both lines isolated.

During normal plant shutdown, the LPI system provides continual circulation of primary coolant water through the decay heat removal (RHR) heat exchangers to remove fission product decay heat and to maintain acceptable core temperatures. During plant transients, the LPI system provides emergency core cooling injection from the BWST to the primary system during the early stages of a large-break loss-of-coolant accident (LOCA) and recirculates water between the primary system and the reactor building sump to provide long-term core cooling. The LPI system can also provide suction from the reactor building sump to the high pressure injection pumps if required for long-term high pressure recirculation. The minimum functional requirement is one operating LPI pump and one intact flow train.

The LPI System is also known as the Decay Heat Removal (DHR) System. It is a standby system and it does not normally operate unless the plant is shut down. During shutdown, the system provides closed loop circulation of primary coolant water through one DHR pump and one DHR heat exchanger. DHR mode can only be actuated when the primary system pressure has been reduced to below 200 psi, since a primary system pressure interlock precludes opening of motor operated valves in the DHR drop line at pressures higher than 200 psi.

During an accident, the DHR pumps start automatically upon receipt of a high pressure injection actuation signal, but the LPI line isolation valves do not open. The DHR pumps operate on minimum flow recirculation until the primary system pressure falls to the low pressure injection actuation signal setpoint, at which time the injection valves open and the pumps begin supplying ECC water to the primary system from the BWST. When the BWST level drops to the low level alarm point, the operator must manually transfer suction from the BWST to the reactor building sump. During this recirculation phase, discharge flow from the LPI pumps can be directed either directly to the primary system or to the suction of the HPI pumps.

The LPI system requires the following support functions provided by other systems:

• AC power for the DHR Pumps is provided by 4160 V ES Buses 3A and 3B.
• Cooling for DHR Pumps and DHR Heat Exchangers is provided by Decay Heat Closed Cycle Cooling.
• AC power for motor operated valves is provided by 480 V ES MCCs 3A1, 3A3, 3B1, and 3B3.
• DC power for AC circuit breakers is provided by 125 V DPDP-5A and DPDP-5B.
• Automatic actuation is provided by the Engineered Safeguards Actuation System.

TABLE 4.1A. LPI SYSTEM FAILURE MODE IDENTIFICATION

Conditions that Lead to Failure

1. Failure of DHR Drop Line Valves DHV-3, DHV-4, or DHV-41

This is the principal mode of failure for the decay heat removal function. During normal plant shutdown, failure of any one of the DHR drop line valves would prevent water from being removed from the RCS, cooled, and recirculated to the reactor core. During emergency operation, failure of the DHR drop line, in combination with the reactor building sump being unavailable (item 7 below), would prevent water from being provided for long-term post-accident core cooling. The primary cause of failure of the drop line is the failure of any one of the motor-operated valves DHV-3, DHV-4, or DHV-41 to open on demand, due to random hardware failure or electrical failure. Another potential cause is valve control circuitry failure (i.e., failure of the RCS pressure interlock on DHV-3 and DHV-4). Power availability, operator training, awareness, and maintenance and testing of these valves should be reviewed or observed to maintain reliability.


2. Failure of the "Piggy-back" Line from LPI Discharge to HPI Suction

Failure of both DHV-11 and DHV-12 causes failure of high pressure injection in "piggy back" recirculation mode. Failure of one of the valves is recoverable by opening DHV-7 and DHV-8 (on the cross-connect between the two LPI discharge lines) to allow either LPI pump to feed the remaining piggy-back line. In the event of concurrent make-up pump failures it might also be necessary to open valves on the cross-connecting header on the suction side of the make-up (i.e., HPI) pumps. To prevent failure of both valves, inspection should focus on maintenance of the valves and the associated controls and electrical supply. Training and procedures should address recovery actions for failures of one train of LPI or one train of HPI.

3. Failure of Valves DHV-42 and DHV-43 between Containment Sump and LPI Pump Suction

Failure of motor-operated valves DHV-42 and DHV-43 to open on demand will prevent water from being recycled from the containment sump back into the RCS. The important failure causes are random hardware or electrical failures. Power availability, maintenance and surveillance of these valves should be reviewed or observed to maintain reliability.

4. Failure of Decay Heat Pumps

Failure of the Low Pressure Injection Pumps DHP-1A and DHP-1B will prevent RCS inventory make-up under some circumstances (i.e., during the recirculation cooling phase of both high pressure and low pressure accident sequences). The dominant failure modes are failure of these pumps to start and run. When one of the pumps is in maintenance, the DHR system will be unable to provide water to the RCS or to the HPI pump suction, if concurrent failures disable the other LPI train and the cross-over headers. The important failure mechanisms are random hardware or electrical failures and human errors in following procedures to recover from failures. Operator training, awareness, surveillance and maintenance, including post-test surveillance of these pumps, should be reviewed or observed to maintain reliability.

5. Failure of BWST Valves DHV-34 and DHV-35

Failure to provide borated water to the reactor pressure vessel following a transient or accident may be caused either by valve failures or low level in the BWST. Failure of the motor-operated valve DHV-34 or check valve DHV-33 on train A combined with a failure of the motor-operated valve DHV-35 or check valve DHV-36 on train B results in borated water being unavailable for injection into the RCS. The dominant cause is failure of the valves DHV-34 and DHV-35 to open on demand. Operator awareness, maintenance and testing of the valves, as well as checking BWST level according to Technical Specifications should improve system reliability.


6. Failure of Valves in Decay Heat Removal Pump Discharge Lines

Failure of the motor-operated discharge valve DHV-5 on train A combined with the failure of discharge valve DHV-6 on train B will prevent water flow from being provided to the reactor vessel from the DHR pumps. The dominant mode is that DHV-5 and DHV-6 fail to open on demand. An additional failure cause is that the motor-operated valves transfer closed. Power availability, maintenance, and surveillance of these valves should be reviewed or observed to maintain reliability.

7. Reactor Building Sump Unavailable

Failure of both the motor-operated valve WDV-3 and the air-operated valve WDV-4 to close on demand may result in unavailability of the reactor building sump. This is one of the principal failure modes for the low pressure recirculation function of the LPI system. Another mode of the failure is for the sump screens to be plugged. The important failure causes are random hardware or electrical failures. Maintenance of these valves should be reviewed or observed to maintain reliability. Verification and review of check-off lists and of the emergency operating procedures requirements to close these valves should improve sump availability.

8. BWST Vacuum Breaker Fails

The failure of the BWST vacuum breakers, DHV-69 and DHV-70, to open when required can lead to failure of high pressure injection or low pressure injection due to loss of net positive suction head for the injection pumps, as a vacuum is drawn on the BWST by the injection pumps. The consequences of this failure could be failure of one or more injection pumps (if they continue to pump under cavitation conditions) or structural failure of the BWST itself. Common cause failures due to vendor or maintenance commonalities are the most important for these components. Inspectors should review maintenance records, procedures, and scheduling.
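The failure combinations in items 1, 5, 6 and 7 above can be written as AND/OR logic and reduced to minimal cut sets, which shows which single failures or pairs of failures defeat each function. This is an added example, not part of the original report; the event labels and the tree encoding are assumptions made for illustration, and only the logic stated in the items is used.

```python
from itertools import product

# A gate is a tuple ("AND" | "OR", child, child, ...); a leaf is a basic-event string.
# Event labels are chosen for this example; the logic follows Table 4.1A.

# Item 5: train A (DHV-34 or DHV-33) AND train B (DHV-35 or DHV-36), or low BWST level.
BWST_INJECTION_LOST = (
    "OR",
    ("AND",
     ("OR", "DHV-34 fails to open", "DHV-33 check valve fails"),
     ("OR", "DHV-35 fails to open", "DHV-36 check valve fails")),
    "BWST level low",
)

# Item 6: both discharge valves unavailable.
DHR_DISCHARGE_LOST = ("AND", "DHV-5 closed", "DHV-6 closed")

# Item 7: both sump valves fail to close, or the sump screens are plugged.
RB_SUMP_UNAVAILABLE = (
    "OR",
    ("AND", "WDV-3 fails to close", "WDV-4 fails to close"),
    "sump screens plugged",
)

# Item 1: any one drop line valve failing, combined with the sump being unavailable.
LONG_TERM_COOLING_LOST = (
    "AND",
    ("OR", "DHV-3 fails to open", "DHV-4 fails to open", "DHV-41 fails to open"),
    RB_SUMP_UNAVAILABLE,
)


def cut_sets(node):
    """Expand a gate or leaf into its cut sets (frozensets of basic events)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        # Any child's cut set is enough on its own.
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":
        # One cut set from every child must occur together.
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate type: {gate!r}")


def minimal_cut_sets(node):
    """Drop every cut set that strictly contains another one."""
    sets = set(cut_sets(node))
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def single_failures(node):
    """Basic events that defeat the function by themselves."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1)


if __name__ == "__main__":
    trees = {
        "BWST injection lost (item 5)": BWST_INJECTION_LOST,
        "DHR discharge lost (item 6)": DHR_DISCHARGE_LOST,
        "RB sump unavailable (item 7)": RB_SUMP_UNAVAILABLE,
        "Long-term cooling lost (items 1 and 7)": LONG_TERM_COOLING_LOST,
    }
    for name, tree in trees.items():
        print(name)
        for cs in minimal_cut_sets(tree):
            print("   ", " + ".join(sorted(cs)))
```

The single-event cut sets are the items where one missed surveillance or lineup check removes the function, which is where the walkdown positions in Table 4.1B matter most.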


TABLE 4.1B. MODIFIED LPI SYSTEM WALKDOWN

| Component Number | Component Name | Location | Required Position | Actual Position |
|---|---|---|---|---|
| Electrical Components | | | | |
| | Breaker on ES Bus 3A for Decay Heat Removal Pump DHP-1A | | Racked In/Closed | |
| | Breaker on ES Bus 3B for Decay Heat Removal Pump DHP-1B | | Racked In/Closed | |
| | Breakers for MOV DHV-3 | | Closed | |
| | Breakers for MOV DHV-4 | | Closed | |
| | Breakers for MOV DHV-5 | | Closed | |
| | Breakers for MOV DHV-6 | | Closed | |
| | Breakers for MOV DHV-34 | | Closed | |
| | Breakers for MOV DHV-35 | | Closed | |
| | Breakers for MOV DHV-41 | | Closed | |
| | Breakers for MOV DHV-42 | | Closed | |
| | Breakers for MOV DHV-43 | | Closed | |
| | Breakers for MOV WDV-3 | | Closed | |
| Valves | | | | |
| DHV-3 | MO Decay Heat Discharge Valve | | Closed | |
| DHV-4 | MO Decay Heat Discharge Valve | | Closed | |
| DHV-5 | MO Decay Heat Suction Valve | | Closed | |
| DHV-6 | MO Decay Heat Suction Valve | | Closed | |
| DHV-34 | MO BWST Discharge Valve | | Closed | |
| DHV-35 | MO BWST Discharge Valve | | Closed | |
| DHV-41 | MO Decay Heat Discharge Valve | | Closed | |
| DHV-42 | MO Containment Sump Discharge Valve | | Closed | |
| DHV-43 | MO Containment Sump Discharge Valve | | Closed | |
| DHV-69 | BWST Vacuum Breaker | | Closed | |
| DHV-70 | BWST Vacuum Breaker | | Closed | |
| WDV-3 | MO RB Sump Valve | | Open | |
| WDV-4 | Air-Operated RB Sump Valve | | Open | |


4.2 AC POWER SYSTEM

The AC Power System at Crystal River 3 provides AC power at various voltages to all other plant systems. AC electrical power is the motive force for the majority of the auxiliary and safeguards system pumps, motor-operated valves, and instrumentation.

The AC power system is divided into six separate trains. These are the 6900 V Bus 3A, 6900 V Bus 3B, 4160 V Unit Bus 3A, 4160 V Unit Bus 3B, 4160 V Engineered Safeguards Bus 3A and 4160 V Engineered Safeguards Bus 3B. Power to the 6900 V buses (3A and 3B), which power the reactor coolant pumps, is normally supplied by the Crystal River 3 main generator, when the plant is operating. All other buses are normally supplied by the Unit 3 Startup Transformer, which is connected to the 230 kV switchyard. Since the Unit 3 generator supplies power to the 500 kV switchyard, all other electrically operated equipment in the plant (powered from the 230 kV switchyard) is isolated from the effects of a main generator trip.

The two Engineered Safeguards buses are backed up by diesel generators which automatically start on either low bus voltage or on an Engineered Safeguards Actuation Signal. The Engineered Safeguards buses can also be powered from the Crystal River Units 1 and 2 startup transformers. The two Unit Buses have no backup power supply.

In the event of a unit trip, power to the 6900 V bus is automatically transferred from the main generator to the Unit 3 startup transformer, so that all electrical equipment is powered from the 230 kV switchyard. If the 230 kV switchyard is lost, all normal AC power to all plant equipment is lost, with only the equipment that is powered by the ES buses having an available backup power supply. As soon as low voltage is detected at one of the 4160 V ES buses, its associated diesel generator starts automatically and is automatically connected to the bus when it has reached the proper operating voltage.

When the bus voltage is returned to normal, the equipment that was shed from the bus during the undervoltage transient can be sequenced back onto the bus either automatically or manually.

The AC Power system requires the following support functions provided by other systems:

• DC power to circuit breakers is provided by DC power distribution panels DPDP-3A, DPDP-3B, DPDP-5A and DPDP-5B.

• DC power to the diesel generators is provided by DC power distribution panels DPDP-6A and DPDP-6B.


TABLE 4.2A. AC POWER SYSTEM FAILURE MODE IDENTIFICATION

Conditions that Lead to Failure

1. Emergency Diesel Generators 3A and/or 3B Fail to Operate or Are in Maintenance

The emergency diesel generators provide essential backup power to the Emergency Safeguards buses. Failure of these diesel generators (DGs) to operate following a loss of normal offsite power can result in a loss of all AC power. The emergency diesel generators have the highest risk importance of all plant components. The dominant failure mode is failure of a DG to start and to run. A secondary failure mode is unavailability of a DG due to maintenance activities. Periodic maintenance and surveillance in accordance with the Technical Specifications, and proper system lineup checks will enhance availability. In addition, maintenance activities should be reviewed and observed to help ensure that efficient scheduling is being done (including staggered maintenance and surveillance, to minimize the probability of maintenance-related common-cause failure of both EDGs), and that repairs are performed correctly, minimizing DG downtime. Operator training and awareness of Emergency Operating Procedures could also enhance the probability of recovery.

2. Feeder Breaker 3209 or 3210 Fails to Operate

Failure of these feeder breakers can result in loss of electrical power to one or both of the Engineered Safeguards buses. Hardware or electrical component failures are the dominant failure mechanisms. Review and observation of the periodic maintenance and surveillance procedures along with verification of proper breaker position should help ensure breaker reliability.

3. 4.16 kV Engineered Safeguards Bus 3A or 3B in Maintenance or Fails to Operate

Failure of these Engineered Safeguards (ES) buses will lead to a loss of all AC power to one or both trains of Engineered Safeguards equipment. The principal cause of failure is unavailability of the bus due to maintenance. Failure of these ES buses could also be the result of subcomponent failures in the control circuitry, transformers, or improper lineup for automatic operation. The performance of maintenance should be reviewed to help ensure that efficient scheduling is done, and that repairs are done correctly, minimizing ES bus downtime. In addition, procedures for periodic surveillance, maintenance, and proper system lineup should be reviewed or observed to maintain the bus reliability.


4. Failure of Unit 3 Startup Transformer Switchovers

Following a trip of the main generator, power to the 6900 V buses is automatically transferred to the Unit 3 Startup Transformer, so all electrical equipment will be powered from the 230 kV switchyard. If the 230 kV switchyard is lost, normal AC power to plant equipment is lost. Failure of the Unit 3 Startup Transformer in conjunction with failure of the Unit 1 and 2 Startup Transformers, which serve as backup power sources, could also result in a loss of normal AC power to vital systems. The dominant failure mode is that the transformer transfer switch fails to close. Contributing failure modes are operator failure to switchover or failure to lineup to the 230 kV switchyard. Observation and review of the periodic maintenance and testing should maintain availability. Operator training for awareness of potential system malfunctions and selection of appropriate responses will enhance recovery probability.

5. 4.16 kV ES Bus 3A (or 3B) Feeder Breaker 3205 (or 3206) Fails to Operate

Failure of these ES bus feeder breakers can result in loss of electrical power to their respective buses, even though the EDGs are functioning. Hardware or electrical component failures are the dominant failure mechanisms. Review and observation of the periodic maintenance and surveillance procedures, along with verification of proper breaker position should help ensure breaker reliability.


TABLE 4.2B. MODIFIED AC POWER SYSTEM WALKDOWN

| Component Number | Component Name | Location | Required Position | Actual Position |
|---|---|---|---|---|
| 3209 | ES Bus 3A Feeder Breaker | | Open | |
| 3210 | ES Bus 3B Feeder Breaker | | Open | |
| 3103 | 500 kV to 230 kV Switchover Breaker | | Open | |
| 3104 | 500 kV to 230 kV Switchover Breaker | | Open | |
| 3205 | ES Bus 3A Feeder Breaker | | Closed | |
| 3206 | ES Bus 3B Feeder Breaker | | Closed | |
| 3211 | ES Bus 3A Switchover to Unit 1 & 2 S.U. Transformer Breaker | | Open | |
| 3212 | ES Bus 3B Switchover to Unit 1 & 2 S.U. Transformer Breaker | | Open | |
| DG-3A | Diesel Generator 3A | | (a) | |
| DG-3B | Diesel Generator 3B | | (a) | |

(a) Due to the integrated nature of the diesel generator failure-to-start or failure-to-run failure modes, the lineup of all automatic diesel generator support functions (service water, fuel oil, starting air, etc.) should be verified.

(b) These are required positions during normal, not emergency, operations.


4.3 SERVICE WATER SYSTEMS

The Nuclear Services Cooling Water systems at Crystal River 3 include the Nuclear Services Closed Cycle Cooling (Service Water) System, the Decay Heat Closed Cycle Cooling System, and the Nuclear Services and Decay Heat Sea Water (Raw Water) System. The Nuclear Services Closed Cycle Cooling (NSCCC) system provides cooling to the letdown coolers, reactor coolant drain tanks, control rod drives, reactor coolant pumps, spent fuel pool coolers, spent fuel pumps' air handling units, the control complex water chillers, sample coolers, seal return coolers, waste evaporator packages, reactor coolant evaporator packages, waste gas compressors, the motor-driven emergency feedwater pump, the NSCCC pump motors, the raw water pump motors, and Make-up Pumps A and B under normal conditions. The NSCCC system also provides backup cooling to Make-up Pump C.

The NSCCC system consists of three service water pumps in parallel, one normal duty and two emergency pumps. The two emergency pumps are unusual in that each consists of one pump motor and two half-sized pumps connected by a common shaft. Each of these pumps' capacity is roughly 50% greater than that of the normal service water pump to accommodate the extra loading created by the reactor building fan assemblies in an emergency. Each of the emergency pumps is capable of handling 100% of the emergency cooling loads. Any three of the four service water heat exchangers will provide the necessary cooling during any situation. Under normal conditions the NSCCC system has one service water pump, SWP-1C, operating with SWP-1A and SWP-1B in standby. In the event of an ESAS signal, both the SWP-1A and SWP-1B pump drivers start automatically, with SWP-1C being shut off 15 seconds later.

The Decay Heat Closed Cycle Cooling (DHCCC) system provides primary cooling to the Decay Heat Removal heat exchangers, the Decay Heat Removal pump motors, Make-up Pump C, the Reactor Building Spray pump motors, the Decay Heat Service Sea Water pump motors, and the DHCCC air handling units. The DHCCC system also provides manual backup cooling to Make-up Pump A. The DHCCC system consists of two completely separate trains. Each train has its own pump, surge tank, and heat exchanger and can handle the emergency heat loads generated in any situation.

The Raw Water system, also called the Nuclear Services and Decay Heat Seawater System (NSSW and DHSW, respectively), provides the ultimate heat sink for the equipment cooled by the NSCCC and DHCCC systems. The NSSW System consists of three pumps in parallel, one normal duty and two emergency pumps. As is the case with the NSCCC system, both of the emergency pumps start on an ESAS signal, tripping the normal duty pump after 15 seconds. Each of the emergency pumps is capable of handling 100% of the emergency cooling loads.

The Decay Heat portion of the Seawater system (DHSW) provides the ultimate heat sink for the decay heat removal and other DHCCC cooling loads. The Decay Heat Seawater system consists of two trains, separate except for a cross-connect just prior to the discharge canal. Each train consists of a pump, heat exchanger, and associated valves. The Nuclear Services and Decay Heat Seawater Systems share a common discharge header.


The NSCCC system requires the following support functions provided by other systems:

• AC power for the pump driver for pumps SWP-1A and 2A is provided by the 4160 V ES Bus 3A. AC power for the pump driver for pumps SWP-1B and 2B is provided by the 4160 V ES Bus 3B. AC power for pump SWP-1C is provided by the 4160 V Unit Bus 3B.

• Emergency actuation of pumps SWP-1A and 1B is provided by the Engineered Safeguards Actuation System.

The DHCCC system requires the following support functions provided by other systems:

• AC power for pump DCP-1A and air handling unit AHHE-30A is provided by the 480 V ES Bus 3A. AC power for pump DCP-1B and air handling unit AHHE-30B is provided by the 480 V ES Bus 3B.

• DC power for AC circuit breaker for the pumps is provided by DPDP-5A and DPDP-5B.

• Automatic actuation is provided by the Engineered Safeguards Actuation System.

The NSSW and DHSW systems require the following support functions provided by other systems:

• AC power for pump RWP-1 is provided by the 4160 V Unit Bus 3A. AC power for pumps RWP-2A and RWP-3A is provided by the 4160 V ES Bus 3A. AC power for pumps RWP-2B and RWP-3B is provided by the 4160 V ES Bus 3B. AC power for pump DOE-2A is provided by ES MCC 3A1. AC power for pump DOE-2B is provided by ES MCC 3B1.

TABLE 4.3A. SERVICE WATER SYSTEMS FAILURE MODE IDENTIFICATION

Conditions that Lead to Failure

1. RWP-3A and RWP-3B Flush Water Valves Fail Closed

Failure of these Raw Water Pump Flush Water valves to remain open may prevent sufficient flow from being provided to the heat exchangers. The dominant failure cause is random hardware failure. Periodic surveillance, testing and maintenance of these valves should help ensure reliable operation.


2. Failure of RWP Pumps 3A, 3B

The dominant failure mode for pumps RWP-3A or RWP-3B is failure to start or run. This may be caused by random hardware failure of the pumps or by latent human error. A secondary contributor to pump failure is physical plugging of the seawater side of the Heat Exchangers, DCHE-1A or DCHE-1B. Review and observation of periodic maintenance and testing procedures, including post-maintenance surveillance of these pumps or heat exchangers should help maintain system reliability. Particular attention should be paid to any maintenance, vendor, or environmental-related potential causes of common cause failure of the two pumps.

3. Failure of DHCCC Pumps 1A, 1B

The DHCCC system provides primary cooling to several of the plant's essential heat removal components. Except for normal decay heat removal conditions (during shutdown), the DHCCC system is activated only upon receipt of an ESAS signal, whereupon pumps 1A and 1B start automatically. Failure of the DHCCC pumps could prevent sufficient water flow from being provided to cool these components. The dominant failure mode is failure of the DHCCC pumps to start or run. A contributing failure is misalignment of the pump suction valves DCV-19 or DCV-20. Observation and review of surveillance, maintenance, and lineup of these pumps or valves should maintain system reliability.


TABLE 4.3B. MODIFIED SERVICE WATER SYSTEMS WALKDOWN

| Component Number | Component Name | Location | Required Position | Actual Position |
|---|---|---|---|---|
| Electrical Components | | | | |
| DCP-1A | Pump Breaker | | Racked in/Closed | |
| DCP-1B | Pump Breaker | | Racked in/Closed | |
| RWP-3A | Pump Breaker | | Racked in/Closed | |
| RWP-3B | Pump Breaker | | Racked in/Closed | |
| Valves | | | | |
| DCV-19 | Surge Tank Discharge Valve | | Open | |
| DCV-20 | Surge Tank Discharge Valve | | Open | |
| RWP-3A | Flush Water Valve | | Open | |
| RWP-3B | Flush Water Valve | | Open | |


4.4 DEMINERALIZED WATER SYSTEM

The Demineralized Water system provides demineralized water to other plant systems and for RCS makeup, after boration by the Chemical Addition system. The risk-significant Demineralized Water system failures all occur during steam generator tube rupture (SGTR) sequences. After an SGTR, the operators face a complex task of simultaneously managing the temperature and pressure of the RCS and the secondary system and providing borated makeup water to replace the RCS inventory lost to the secondary through the ruptured steam generator tubes. This management process can include, for some sequences, the need to refill the BWST, since the lost inventory is not being collected in the containment sump and it will not be possible to switchover to recirculation mode core cooling.

It is anticipated that presently contemplated changes in the emergency operating procedures for SGTR accident sequences will reduce or eliminate the risk-importance of Demineralized Water system components. Emphasis will be placed on isolation of the faulted steam generator (SG) combined with an orderly cooldown of the RCS and secondary system using the unfaulted SG. These changes will reduce the need to refill the BWST with borated demineralized water.


4.5 HIGH-PRESSURE INJECTION SYSTEM

The High-Pressure Injection (HPI) system at Crystal River 3 serves as both a support system during normal operation and as an engineered safeguard system during plant transients and accidents. The Crystal River 3 HPI system is also known as the makeup and purification (MVP) system. It consists of three makeup pumps in parallel. Makeup Pump 1B is normally running to provide makeup flow and seal injection flow through separate lines to the primary system. Normal suction is obtained from the letdown system via the makeup tank. During an accident, suction is obtained either directly from the BWST or from the containment sump via the LPI system ("piggy-back" mode), and flow is provided to the primary system through four high pressure injection lines which are separate from the normal makeup and seal injection lines.

During normal operation, the HPI system provides normal makeup water to the primary coolant loop and seal injection water to the reactor coolant pumps. During plant transients, the HPI system provides emergency core cooling (ECC) injection from the BWST to the primary system during the early stage of a loss-of-coolant accident (LOCA) and receives suction from the LPI pumps for long-term recirculation of cooling water between the primary system and the reactor building sump. The HPI system can also be used to provide primary system feed for feed-and-bleed cooling following a loss of both main and emergency feedwater systems. The "success criteria" for emergency operation of the HPI system are one operating HPI pump and one intact flow train.

Unless it is down for maintenance, Makeup Pump 1B is normally running and Pumps 1A and 1C are in standby. In the event of a high pressure injection actuation signal from the ESAS, pumps 1A and 1C start automatically. The injection valves open automatically. The normally closed valves MUV-62 and MUV-73 also open to provide two flow paths from the BWST to the makeup pumps. The system then provides ECC water to the primary system until the BWST is drained to its low level alarm point. When the BWST low level alarm sounds, the operator must manually transfer suction to the containment sump for long-term cooling via the DHR pumps in piggy-back mode by 1) opening the valves DHV-11 and DHV-12 between the HPI suction and the LPI pump discharges, 2) opening the valves DHV-42 and DHV-43 between the containment sump and the LPI pump suction, and 3) starting one or both of the DHR (LPI) pumps.

Support functions provided to the HPI system by other systems include provision of AC and DC electric power, and automatic initiation by the Engineered Safeguard Actuation System.


TABLE 4.5A. HPI SYSTEM FAILURE MODE IDENTIFICATION

Conditions that Lead to Failure

1. Failure of the "Piggy-back" Valves DHV-11, DHV-12

Failure of valves DHV-11 and DHV-12 to operate will prevent "piggy back" mode where water from the containment sump is provided to the HPI pumps. The dominant failure mode is that valves DHV-11 and DHV-12 fail to open on demand. The important failure causes are random hardware or electrical failures. Training and operator awareness of emergency operating procedures will enhance valve availability. Maintenance of these valves should be reviewed or observed.

2. Makeup Pumps Unavailable Due to Failure or Maintenance

Under normal operation, makeup pump 1B is normally running and pumps 1A and 1C are in standby. In the event of an ESAS signal, pumps 1A and 1C start automatically. Failures of pumps 1A and 1C to start and run or maintenance unavailability of these pumps in combination with failure of pump 1B to continue running can prevent delivery of HPI flow to the RCS. The failure causes are random hardware or electrical failures of the pump or common cause failure. Maintenance or testing activities and training should be reviewed to ensure that efficient scheduling is done, that repairs are performed correctly, and that systems are properly returned to service following maintenance and testing. Because of the number of potential cross-connects, operator training may enhance the probability of recovery from these failures.

3. Failure of BWST Suction Valves MUV-73 and MUV-58 to Open on Demand

Following an ESAS actuation, failure of the valves MUV-73 and MUV-58 to open on demand may prevent water from the BWST from being provided by makeup pumps. Hardware or electrical failures are the dominant failure mechanisms. Maintenance and testing of these valves according to Technical Specifications should maintain valve availability. Verification and review of the emergency operating procedures and check-off lists should minimize the probability of failure.


TABLE 4.5B. MODIFIED HPI SYSTEM WALKDOWN

| Component Number | Component Name | Location | Required Position | Actual Position |
|---|---|---|---|---|
| Electrical | | | | |
| | Breaker for Makeup Pump MVP-1A | | Racked In/Closed | |
| | Breaker for Makeup Pump MVP-1B | | Racked In/Closed | |
| | Breaker for Makeup Pump MVP-1C | | Racked In/Closed | |
| | Breakers for MOV DHV-11 | | Closed | |
| | Breakers for MOV DHV-12 | | Closed | |
| | Breakers for MOV MUV-58 | | Open | |
| | Breakers for MOV MUV-73 | | Closed | |
| Valves | | | | |
| DHV-11 | Piggy-back MO Valve | | Closed | |
| DHV-12 | Piggy-back MO Valve | | Closed | |
| MUV-58 | BWST Suction MO Valve | | Open | |
| MUV-73 | BWST Suction MO Valve | | Closed | |


4.6 DC POWER SYSTEM

The Crystal River 3 DC Power system provides an uninterruptible source of DC power at 250, 125 and 24 V to plant electrical equipment, such as DC-powered valves, DC-powered AC circuit breakers, and DC control logic. The DC Power system also serves as the primary source of power to the 120 V instrument buses in the AC Power system.

The DC Power system at Crystal River 3 is divided into two separate and redundant trains. Each train has its own battery bank consisting of two 125 V cell groups in series. Charging power to the batteries is supplied by six AC battery chargers (two normally operating AC battery chargers and an installed spare for each train). The capacity of the two normally operating chargers is sufficient to maintain battery charge while supplying all normal DC loads on a given train. The DC Power distribution system consists of a main distribution panel for each train. All other distribution panels receive power from the main distribution panel.

The DC Power system normally operates with the four operating battery chargers providing power for all plant loads. If one of the normally operating chargers is out of service, the installed spare charger can be placed in operation by manual operator action. If an operating charger fails or power is lost to the chargers, the battery bank automatically takes over the load for that train until the charger(s) can be restored.

The DC Power system requires the following support functions provided by other systems:

• AC power for the battery chargers is provided by 480 V ES MCCs 3A3 and 3B2.

TABLE 4.6A. DC POWER SYSTEM FAILURE MODE IDENTIFICATION

Conditions that Lead to Failure

1. Failure (including common cause) of Battery 3A and/or 3B

Failure of either of these batteries results in a loss of power from the battery to its respective 125 V DC bus. This failure in combination with other failures can result in a loss of all power at the affected 125 V DC bus. Local faults of the battery itself are the dominant failure mechanisms. The secondary contribution is common cause failure due to latent human error. Periodic testing of the battery voltage and specific gravity, in accordance with the Technical Specifications, as well as proper battery maintenance, should be reviewed and monitored. Operator training and awareness of system malfunction should improve probability of recovery.

4.27

2. [.ailures of Battery Chargers 3A. 38. 3C. 3D These battery chargers provide charging power to the DC batteries as well as powering the main distribution panel. Faiiure of these battery chargers, in combination with failure of the standby chargers and failure of battery sets, can prevent DC power from being supplied to the DC buses.

Periodic maintenance, testing and surveillance in accordance with the Tech-nical Specifications requirements will help maintain battery charger reli- ,

ability. Operator training and awareness of Emergency Operating Procedures will enhance the probability of successful recovery.

3. Failure of DC Distribution Panels DPDP-1A and/or DEDP-10 These distribution panels supply the DC instrumentation and control sys-tems power to the plant. Failure of these distribution panels can prevent -

electrical power from being supplied to their respective loads. Local faults of the distribution panels are the dominant failure mechanisms. Periodic testing and maintenance should bc observed and reviewed, and appropriate breaker lineups should be verified.

4.28


TABLE 4.6B. MODIFIED DC POWER SYSTEM WALKDOWN

Component                                                      Required    Actual
Number       Component Name                       Location     Position    Position

             Battery Charger 3A Supply Breaker                 Closed      ____
             Battery Charger 3B Supply Breaker                 Closed      ____
             Battery Charger 3C Supply Breaker                 Closed      ____
             Battery Charger 3D Supply Breaker                 Closed      ____
DPDP-1A      DC Panel DPDP-1A Breaker                          Closed      ____
DPDP-1B      DC Panel DPDP-1B Breaker                          Closed      ____
3A           Battery 3A                                        (a)         ____
3B           Battery 3B                                        (a)         ____

(a) Surveillance and testing of the battery should be performed in accordance with the plant Technical Specifications and approved procedures.


4.7 EMERGENCY FEEDWATER SYSTEM

The emergency feedwater (EFW) system at Crystal River 3 is a standby system and is used to back up the main feedwater (MFW) system in removing post-shutdown heat from the reactor coolant system via the steam generators when MFW is lost. During normal shutdowns the main feedwater flow is throttled down to a level capable of removing decay heat and the EFW system is not used.

If the plant shutdown is caused by an interruption of the main feedwater flow, the EFW system is automatically put into operation. Also, if main feedwater is lost subsequent to a reactor trip, EFW will be automatically initiated.

The EFW system model also includes the emergency feedwater initiation and control system (EFIC). The EFIC serves several functions that include: automatic initiation of the emergency feedwater system pumps and valves; control of the emergency feedwater flow rate; regulation of secondary side pressure during emergency feedwater system operation; and isolation of the main steam lines on low steam generator secondary side pressure. The EFIC system consists of four redundant instrument and actuation channels.

The EFW system consists of two trains, each capable of supplying emergency feedwater to either or both steam generators. One train contains a motor driven pump, and the second train contains a turbine driven pump. The turbine driven pump is powered by steam from either or both steam generators. The motor driven pump is cooled with water from the nuclear services closed cycle cooling system and the turbine driven pump is self cooled. There are three sources of emergency feedwater: a dedicated EFW storage tank, the condensate storage tank and the condenser hotwell.

There are two EFW injection lines. Each provides emergency feedwater to a spray header in one of the steam generators. Each injection line may receive EFW from either pump train. Flow is controlled through solenoid valves in each of the lines.

The EFW is normally aligned to the dedicated EFW tank, and all block and flow control valves are normally open. The EFW pumps may be started manually or automatically with the EFIC system. The dedicated EFW tank can provide decay heat removal and cooldown for a minimum of twelve hours. Switching to an alternate EFW supply or refilling the tank requires operator action.

The EFW system requires the following support functions provided by other systems:

• AC power for EFW pump EFP-1 is provided from ES Bus 3A.

• Cooling water for EFP-1 is provided by the nuclear services closed cycle cooling system.

• Electric power for the EFIC channels is provided from 120 V AC Panels VBDP-7, VBDP-8, VBDP-9 and VBDP-10.

• DC power for the solenoid (control) valves is provided from 125 V DPDP-5A and DPDP-5B.

• DC power for the block valves is provided from 125 V DPDP-8C and DPDP-80.

• DC power for the pump suction valves to the condenser hotwell is provided from 125 V DPDP-3A and DPDP-3B.

• DC power for the steam admission valves to EFP-2 is provided from 125 V DPDP-5B.

Other interfaces, e.g. power supplies to other EFW valves, do not appear in the EFW system fault tree and are therefore not listed.

TABLE 4.7A. EMERGENCY FEEDWATER SYSTEM FAILURE MODE IDENTIFICATION

Conditions that Lead to Failure

1. Emergency Feedwater Pumps EFP-1, EFP-2 Fail to Operate

Failure of the motor-driven pump EFP-1 and turbine-driven EFP-2 to operate will prevent water flow from being provided by the EFW system. The important failure causes are the pump hardware, electrical or steam supply failures. Another cause is common cause due to latent human errors. Training, operator awareness, and surveillance of these pumps should be reviewed or observed to maintain reliability. If one pump is unavailable due to maintenance and the other pump fails to start and run, the total loss of the EFW system may result. The performance of maintenance and testing and training for these activities should be reviewed to ensure that scheduling is efficient, and that repairs are performed correctly. Operator understanding of Emergency Operating Procedures involving the EFW System should also be reviewed.

2. Operator Fails to Switch EFW Suction Source

The EFW system has three sources of emergency feedwater with the emergency feedwater tank being used for the first twelve hours. Operator action is required to switch to an alternate EFW supply. The dominant failure causes are that the operator simply fails to switch to an alternate suction source or the two level transmitters fail to respond. Operator awareness of criteria for switchover and adherence to emergency procedures is important. Maintenance and testing activities should be reviewed or observed to determine that the transmitters are operational and properly calibrated.

3. Failure of Control Valves EFV-55, EFV-56, EFV-57 and EFV-58

Failure of these control valves in the closed position will prevent flow of EFW to the steam generators. The dominant failure modes are the loss of signal from EFIC system or valve hardware failures. Testing and maintenance of these valves should be reviewed or observed to maintain reliability. Operator understanding of and training on the Emergency Operating Procedures controlling recovery from these failures should also be reviewed.

TABLE 4.7B. MODIFIED EFW SYSTEM WALKDOWN

Component                                            Required            Actual
Number       Component Name             Location     Position            Position

Electrical
EFP-1        Pump Breaker                            Racked In/Closed    ____
EFP-2        Pump Breaker                            Racked In/Closed    ____

Valves
EFV-55       EFP-2 Discharge Valve                   Open                ____
EFV-56       EFP-2 Discharge Valve                   Open                ____
EFV-57       EFP-1 Discharge Valve                   Open                ____
EFV-58       EFP-1 Discharge Valve                   Open                ____


4.8 REACTOR COOLANT PRESSURE CONTROL SYSTEM

This system maintains control over RCS pressure by manipulating the makeup and letdown flows and by controlling the pressurizer heaters and the pressurizer spray valves. In addition, protection against over-pressurization transients is provided by the pilot-operated relief valve and the passive (i.e., spring loaded) safety relief valves.

TABLE 4.8A. REACTOR COOLANT PRESSURE CONTROL SYSTEM FAILURE MODE IDENTIFICATION

Conditions that Lead to Failure

1. Failure of a Pilot-Operated Relief Valve to Reclose

Occurrence of this failure during a plant transient that requires actuation of the pilot-operated relief valve (PORV) initiates a small-break LOCA, which then challenges other plant safety systems. As a standby component, the PORV is difficult to fully test; PORVs have been subject to vendor- and maintenance-related common cause failures. Maintenance procedures, schedules, records, and plant experience with PORVs should be reviewed.

4.9 POWER CONVERSION SYSTEM (PCS)

The power conversion system (PCS) at Crystal River 3 transforms thermal energy from the reactor coolant system through the steam generators into electrical energy. The functions of interest are: providing main feedwater to the steam generators following a reactor trip and relieving steam from the steam generators to the condenser via the turbine bypass valves. The plant systems of interest are therefore: the feedwater and condensate systems, the main steam system, and the integrated control system.

The feedwater and condensate systems consist of two main trains of pumps and heaters, supplying water from the main condenser to each steam generator. The two trains are crosstied at several locations by means of common headers. Two motor-driven condensate pumps provide condensate from the condenser hotwells to the de-aerator tank. Level in the tank is maintained by cycling condensate to the condensate storage tank, as required. The motor-driven feedwater booster pumps take suction from the de-aerator tank and supply flow to the main feedwater pumps. The main feedwater pumps are turbine-driven. During normal operation each pump supplies flow to one steam generator.

Feedwater flow during normal operation and following reactor trip is controlled by the integrated control system. This system processes plant signals and provides control to the feedwater system, the main steam system and the reactor control system. The major components of the integrated control system are the unit load demand subsystem, integrated master control subsystem, feedwater control subsystem and reactor control subsystem.

During normal operation, the main feedwater system provides controlled feedwater flow to each steam generator via the main feedwater valves FWV-29 and FWV-30. The integrated control monitors reactor power, steam generator level and other parameters to match feedwater flow with demand.

Following a reactor trip, the demand for feedwater flow is sharply reduced. The main feedwater system and the integrated control system are designed to run back feedwater flow to meet this reduced demand. The main feedwater inlet valves close and flow is provided via the startup line and valves FWV-39F and FWV-40F. Normally one train of feedwater and condensate flow stops shortly after a reactor trip and the feedwater crosstie valve FWV-28 opens so that one main feedwater pump provides flow to both steam generators. During this time, the integrated control system regulates the steam generator pressure by relieving steam to the condenser through the turbine bypass valves.

The power conversion system includes several plant systems. These systems as a group are self contained except for their requirements for electric power. Interfaces with the electric power system are:

• 480 V ES MCC-3B1 provides power to FWV-28

• 480 V ES MCC-3A1 provides power to FWV-29 and FWV-31

• 480 V ES MCC-3B1 provides power to FWV-32 and FWV-28

• 480 V ES MCC-3A provides power to FWV-14

• 480 V ES MCC-3B provides power to FWV-15

• TB MCC-3A provides power to FWV-26, FWV-25, FWV-8, FWV-1, and to the lube oil pump and turbine turning gear for main feedwater pump 2A

• 4 kV buses 3A and 3B provide power to the feedwater booster pumps, the condensate pumps, the circulating water pumps and the secondary services closed cycle cooling pumps

TABLE 4.9A. POWER CONVERSION SYSTEM FAILURE MODE IDENTIFICATION

Conditions that Lead to Failure

1. OTSG A, B Level Control Faults

This is the primary contributor to secondary system failure to provide cooling to the steam generators. The primary failure causes of the OTSG level control are the failures of a controller system and their associated integrated control system. Other causes may include human errors following system maintenance or testing. Training, observation, surveillance and maintenance of these control systems should be reviewed or observed to maintain reliability.

2. Startup Valves to Either Steam Generator Fail Closed

Following a reactor trip, the demand for feedwater flow is sharply reduced. The main feedwater inlet valves close and flow is provided via the startup lines (valves FWV-39F and FWV-40F). Failure of these valves in the closed position would prevent cooling water being provided to the steam generators. The dominant failure mode is random valve hardware failures. Testing, surveillance and maintenance of these valves should be reviewed or observed.

3. Failure of Control of De-aerator Level

Failure of flow control elements CDP-1A or CDP-1B to respond or failure of the controllers CDP-1A or CDP-1B may result in the loss of main feedwater. The important failure causes are random hardware or control circuit failures. The contributing failure cause is human error following testing or maintenance. The periodic testing, surveillance and maintenance of these control systems should be reviewed or observed to maintain maximum availability.

4. Failure of the Turbine Bypass or Atmospheric Dump Valves

These are hardware failures. The failure modes for the turbine bypass valves are hardware failures or ICS pressure control faults. The failure modes for the atmospheric dump valves are demand failures or hardware failures. These failures can be minimized by reviewing or observing valve and control system surveillance, testing, valve calibration, and checking system lineup for standby operation.

TABLE 4.9B. MODIFIED POWER CONVERSION SYSTEM WALKDOWN

Component                                                   Required    Actual
Number       Component Name                    Location     Position    Position

Air
FWV-39F      Startup Valve                                  On          ____
FWV-40F      Startup Valve                                  On          ____

Electrical
CDP-1A       Control Element CDP-1A Breaker                 Closed      ____
CDP-1B       Control Element CDP-1B Breaker                 Closed      ____

Valves
             Turbine Bypass Valves                          Closed      ____
             Atmospheric Dump Valves                        Closed      ____
FWV-39F      Startup Valve                                              ____
FWV-40F      Startup Valve                                  Open        ____


TABLE 4.10. PLANT OPERATIONS INSPECTION GUIDANCE

Recognizing that the normal system lineup is important for any given standby safety system, the following human errors are specially identified as important to risk.

System                     Failure                                 Discussion

AC Power                   Switchover/Recovery Failure             Table 4.2A, Item 5
                           Switchover/Recovery Failure             Table 4.2A, Item 1

High-Pressure Injection    Switchover/Recovery Failure             Table 4.5A, Item 3
                           Improper Alignment/Recovery Failure     Table 4.5A, Item 2

DC Power                   Improper Alignment/Recovery Failure     Table 4.6A, Item 2
                           Improper Alignment/Recovery Failure     Table 4.6A, Item 1

Low-Pressure Injection     Improper Alignment/Recovery Failure     Table 4.1A, Item 5
                           Switchover/Recovery Failure             Table 4.1A, Item 4
                           Improper Alignment/Recovery Failure     Table 4.1A, Item 1
                           Improper Alignment/Recovery Failure     Table 4.1A, Item 7

Emergency Feedwater        Improper Alignment/Recovery Failure     Table 4.7A, Item 1
                           Switchover/Recovery Failure             Table 4.7A, Item 2

Power Conversion           Improper Alignment/Recovery Failure     Table 4.9A, Item 1

TABLE 4.11. SURVEILLANCE INSPECTION GUIDANCE

The listed components are the risk significant components for which proper surveillance should minimize failure.

System                     Component                                    Discussion

AC Power                   4.16 kV E.S. Buses 3A, 3B                    Table 4.2A, Item 3
                           Unit 3 S.U. Transformer Switchover           Table 4.2A, Item 4
                           Diesel Generators 3A, 3B                     Table 4.2A, Item 1
                           4.16 kV E.S. Buses 3A, 3B Feeder Breakers    Table 4.2A, Item 2

Service Water              DHCCC Pumps 1A, 1B                           Table 4.3A, Item 3
                           RWP-3A, -3B                                  Table 4.3A, Item 2
                           RWP-3A, -3B Flush Water Valves               Table 4.3A, Item 1

High-Pressure Injection    Makeup Pumps                                 Table 4.5A, Item 2
                           BWST Suction Valves                          Table 4.5A, Item 3

DC Power                   Battery Chargers                             Table 4.6A, Item 2
                           DC Distribution Panel                        Table 4.6A, Item 3
                           Batteries                                    Table 4.6A, Item 1

Low-Pressure Injection     Decay Heat Discharge Valves                  Table 4.1A, Item 6
                           Containment Sump Valves                      Table 4.1A, Item 3
                           BWST Valves                                  Table 4.1A, Item 5
                           Decay Heat Pumps                             Table 4.1A, Item 4
                           DHR Drop Line                                Table 4.1A, Item 1

Emergency Feedwater        EFP-1, EFP-2                                 Table 4.7A, Item 1
                           Control Valves                               Table 4.7A, Item 3

Power Conversion           OTSG Level Control                           Table 4.9A, Item 1
                           Startup Valves                               Table 4.9A, Item 2
                           De-aerator Level Control                     Table 4.9A, Item 3
                           Turbine Bypass or ADVs                       Table 4.9A, Item 4

TABLE 4.12. MAINTENANCE INSPECTION GUIDANCE

The components listed here are significant to risk because of unavailability for maintenance or testing. The dominant contributors are usually frequency of maintenance and duration of maintenance, with some contribution due to improperly performed maintenance.

System                     Component                                    Discussion

AC Power                   4.16 kV E.S. Buses 3A, 3B                    Table 4.2A, Item 3
                           Unit 3 Startup Transformer Switch            Table 4.2A, Item 4
                           Diesel Generators 3A, 3B                     Table 4.2A, Item 1
                           4.16 kV E.S. Buses 3A, 3B Feeder Breakers    Table 4.2A, Item 2

Service Water              DHCCC Pumps                                  Table 4.3A, Item 3
                           RWP Pumps                                    Table 4.3A, Item 2
                           RWPs Flush Water Valves                      Table 4.3A, Item 1

High-Pressure Injection    Makeup Pumps                                 Table 4.5A, Item 2
                           BWST Suction Valves                          Table 4.5A, Item 3

DC Power                   Battery Chargers                             Table 4.6A, Item 2
                           DC Distribution Panel                        Table 4.6A, Item 3
                           Batteries                                    Table 4.6A, Item 1

Low-Pressure Injection     Decay Heat Discharge Lines                   Table 4.1A, Item 6
                           Recirculation Valves                         Table 4.1A, Item 2
                           BWST Valves                                  Table 4.1A, Item 5
                           Decay Heat Pumps                             Table 4.1A, Item 4
                           DHR Drop Line                                Table 4.1A, Item 1
                           Containment Sump                             Table 4.1A, Item 7
                           Piggy-back Line Valves                       Table 4.1A, Item 2
                           BWST Vacuum Breakers                         Table 4.1A, Item 8

Emergency Feedwater        EFPs 1 and 2                                 Table 4.7A, Item 1
                           Control Valves                               Table 4.7A, Item 3

Power Conversion           OTSG Level Control                           Table 4.9A, Item 1
                           Startup Valves                               Table 4.9A, Item 2
                           De-aerator Level Control                     Table 4.9A, Item 3
                           Turbine Bypass or ADVs                       Table 4.9A, Item 4

TABLE 4.13. QUALITY ASSURANCE/ADMINISTRATIVE CONTROL INSPECTION GUIDANCE

The failures listed here are the ones which the QA/Administrative staff can affect. For example, QA should ensure that both regular and post-maintenance surveillance actually test for failure mode of concern for significant equipment. Also, in the case of equipment unavailabilities, administrative control should work to minimize the plant risk.

System                     Component                                    Discussion

AC Power                   4.16 kV E.S. Buses 3A, 3B                    Table 4.2A, Item 3
                           Unit 3 S.U. Transformer Switchover           Table 4.2A, Item 4
                           Diesel Generators 3A, 3B                     Table 4.2A, Item 1
                           4.16 kV E.S. Buses Feeder Breakers           Table 4.2A, Item 2

Service Water              DHCCC Pumps                                  Table 4.3A, Item 3
                           RWP Pumps                                    Table 4.3A, Item 2

High-Pressure Injection    Line Suction Valves                          Table 4.5A, Item 1
                           Makeup Pumps                                 Table 4.5A, Item 2
                           BWST Suction Valves                          Table 4.5A, Item 3

DC Power                   Battery Chargers                             Table 4.6A, Item 2
                           DC Distribution Panel                        Table 4.6A, Item 3
                           Batteries                                    Table 4.6A, Item 1

Low-Pressure Injection     Decay Heat Discharge Valves                  Table 4.1A, Item 6
                           Containment Sump Valves                      Table 4.1A, Item 3
                           BWST Valves                                  Table 4.1A, Item 5
                           Decay Heat Pumps                             Table 4.1A, Item 4
                           DHR Drop Line                                Table 4.1A, Item 1
                           Containment Sump                             Table 4.1A, Item 7

Emergency Feedwater        EFP-1, -2                                    Table 4.7A, Item 1
                           Control Valves                               Table 4.7A, Item 3

Power Conversion           OTSG Level Control                           Table 4.9A, Item 1
                           Startup Valves                               Table 4.9A, Item 2
                           De-aerator Control                           Table 4.9A, Item 3
                           Turbine Bypass or ADVs                       Table 4.9A, Item 4

5.0 CONTAINMENT PROTECTION SYSTEMS AT CR-3

In the event of a core melt accident, the public risk due to radiation release is minimized by the containment building. The analysis in this report has not addressed public risk, except through the probability of core melt, because the PRA which was analyzed is a "level 1" analysis and includes only a cursory analysis of release quantities and their effects.

If the containment functions as designed, the public risk resulting from a core melt will be small (e.g., TMI-2 accident), compared to the risk when containment fails with gross releases of radioactivity to the environment.

During severe accidents, the containment is protected by two systems: the Reactor Building Spray System (RBS) and the Reactor Building Fan Assemblies (RBFA). They limit the temperature and pressure of steam and air in the containment, and reduce the airborne radioactivity by entraining it in water spray. In the analysis of the Oconee-3 level 3 PRA (Gore, Vo, and Harris 1987), where systems were prioritized on the basis of public risk, the most risk-important systems were found to be the containment spray and the containment air cooling (e.g., RBS and RBFA) systems. This is because event sequences leading to significant radioactivity releases almost always involved failure of one or both of these systems, which then led to failure of the containment.

In this section, the components of the containment spray and air cooling systems which were found to be important in the Oconee PRA, and their dominant failure modes, are identified. It is reasonable to expect that these components and failure modes are important at Crystal River 3 also. In each case, the modes identified contributed to 95% or more of the failure probability of the system. The importance of these systems and components to public risk should be kept in mind during inspection planning at Crystal River 3.

5.1 REACTOR BUILDING SPRAY SYSTEM

Conditions that Lead to Failure

1. Human Error - System Operation Inhibited or Failure to Restore Valves or Pump Switchgear after Testing

Operator failure to restore correct system lineup for automatic pump start and flow to spray nozzles is the most important failure in the Oconee PRA.

2. Spray Pump Failure to Start or Run

Pump hardware or control circuit failures are important at Oconee, as are human errors in the associated procedures for surveillance or maintenance.

3. Failure of Motor-Operated Discharge Valve to Open

(Crystal River 3 Valves BSV-3 and BSV-4). The dominant failure mode at Oconee is hardware failure, with human failure to manually actuate these valves when necessary being a contributing mode.

4. Pump Trains Unavailable Due to Maintenance and Testing

Both scheduled and unscheduled activities are included. Minimization of this time and conformance to Technical Specifications requirements are important at Oconee.

5. Pump Suction Valves Fail to Open or Check Valves Stick Closed

(Crystal River 3 Valves BSV-16 and BSV-17). The dominant Oconee failure modes are human error, electrical failure, or hardware failures. Lineup for standby operation and proper surveillance and maintenance are important.

5.2 REACTOR BUILDING FAN ASSEMBLIES

Conditions that Lead to Failure

1. Operating Fans Fail to Run and Non-Operating Fan Fails to Start and Run

Fan failure due to hardware failure is the dominant system failure mode at Oconee.

2. Operating Fans Fail to Run and Non-Operating Fan in Maintenance

At Oconee, system failure due to fan maintenance unavailability in combination with hardware failures is a significant system failure mode.

3. Motor-Operated Damper to Common Duct Header Fails to Open

Damper misoperation is a significant failure mode at Oconee.

4. Dropout Plates Fail to Drop

Failure of fusible dropout plates to drop and open ductwork bypasses in a post-LOCA environment is a significant Oconee failure mode.

5. Start Switches Improperly Positioned

Human error in positioning control switches, preventing proper automatic system operation, is also an important failure mode at Oconee.

6.0 REFERENCES

Averett, M. W., et al. 1987. Crystal River Unit 3 Probabilistic Risk Assessment, Florida Power Corporation, Saint Petersburg, Florida.

Averett, M. W., and D. N. Miskiewicz. 1990. Crystal River 3 Probabilistic Risk Assessment Summary Document, Florida Power Corporation, Saint Petersburg, Florida.

Gore, B. F., T. V. Vo, and M. S. Harris. 1987. PRA Applications Program for Inspection at Oconee Unit 3, NUREG/CR-5006, prepared by Pacific Northwest Laboratory for the U.S. Nuclear Regulatory Commission, Washington, D.C.


BIBLIOGRAPHIC DATA SHEET

Title and Subtitle: Risk-Based Inspection Guide for Crystal River Unit 3 Nuclear Power Plant
Date Report Published: June 1991
FIN or Grant Number: 12008
Author(s): B.W. Smith, J.S. Dukelow, T.V. Vo, M.S. Harris, B.F. Gore, S.T. Hunt
Type of Report: Technical
Period Covered: 1/90 - 1/91
Performing Organization: Pacific Northwest Laboratory, Richland, WA 99352
Sponsoring Organization: Division of Radiation Protection and Emergency Preparedness, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Abstract

The level 1 probabilistic risk assessment (PRA) for Crystal River Unit 3 (CR-3) has been analyzed to identify plant systems and components important to minimizing public risk, as measured by system contributions to plant core damage frequency, and to identify the primary failure modes of these components. The report presents a series of tables, organized by system and prioritized by risk importance, which identify components associated with 98% of the inspectable risk due to plant operation. The systems addressed, in descending order of risk importance, are: Low Pressure Injection, AC Power, Service Water, Demineralized Water, High Pressure Injection, DC Power, Emergency Feedwater, Reactor Coolant Pressure Control, and Power Conversion. This ranking is based on the Fussell-Vesely measure of risk importance, i.e., the fraction of the total core damage frequency which involves failures of the system of interest.

Key Words/Descriptors: PRA, Risk Analysis, PRA Applications, CR-3, Components Important to Risk
Availability Statement: Unlimited
Security Classification: Unclassified
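The Fussell-Vesely measure defined in the abstract above, worked through as an added example (not code or data from the report). The cut sets, initiating-event frequencies and failure probabilities are constructed for illustration and are not CR-3 PRA values, so the ranking it produces is not the report's ranking.

```python
from math import prod

# Constructed basic events: name -> (system, failure probability per demand).
# Illustrative numbers only, not values from the CR-3 PRA.
EVENTS = {
    "PCS-FEEDWATER":      ("Power Conversion", 1e-1),
    "EFP-1":              ("Emergency Feedwater", 2e-2),
    "EFP-2":              ("Emergency Feedwater", 5e-2),
    "EFW-SUCTION-SWITCH": ("Emergency Feedwater", 1e-3),
    "PORV-RECLOSE":       ("Reactor Coolant Pressure Control", 1e-2),
    "HPI-PUMPS":          ("High Pressure Injection", 1e-3),
    "BATTERY-3A":         ("DC Power", 1e-3),
    "CHARGERS-TRAIN-A":   ("DC Power", 1e-2),
}

# Constructed minimal cut sets: (initiating-event frequency per year, basic events).
# Each tuple is one combination of failures assumed sufficient for core damage.
CUT_SETS = [
    (1.0, ("PCS-FEEDWATER", "EFP-1", "EFP-2")),
    (0.1, ("EFW-SUCTION-SWITCH",)),
    (1.0, ("PCS-FEEDWATER", "BATTERY-3A", "CHARGERS-TRAIN-A", "EFP-2")),
    (1.0, ("PORV-RECLOSE", "HPI-PUMPS")),
    (1.0, ("PORV-RECLOSE", "BATTERY-3A", "CHARGERS-TRAIN-A")),
]


def cut_set_frequency(init_freq, events):
    """Rare-event approximation: initiator frequency times the product of
    the basic-event probabilities in the cut set."""
    return init_freq * prod(EVENTS[name][1] for name in events)


def total_cdf():
    """Total core damage frequency (per year) as the sum over all cut sets."""
    return sum(cut_set_frequency(f, ev) for f, ev in CUT_SETS)


def fussell_vesely_by_system():
    """For each system, the fraction of total CDF carried by cut sets that
    contain at least one failure of that system."""
    total = total_cdf()
    contribution = {}
    for init_freq, events in CUT_SETS:
        freq = cut_set_frequency(init_freq, events)
        # A cut set counts once per system, even if it holds two of its events.
        for system in {EVENTS[name][0] for name in events}:
            contribution[system] = contribution.get(system, 0.0) + freq
    return {system: c / total for system, c in contribution.items()}


def rank_systems():
    """Systems in descending order of Fussell-Vesely importance."""
    fv = fussell_vesely_by_system()
    return sorted(fv, key=fv.get, reverse=True)


if __name__ == "__main__":
    fv = fussell_vesely_by_system()
    print(f"Total CDF (constructed): {total_cdf():.4e} per year")
    for system in rank_systems():
        print(f"{system:35s} FV = {fv[system]:.4f}")
```

The importances sum to more than 1 because a cut set that spans several systems is counted toward each of them, which is why the measure ranks systems rather than partitioning the risk.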
