ML20080K551
| ML20080K551 | |
| Person / Time | |
|---|---|
| Site: | Washington Public Power Supply System |
| Issue date: | 05/31/1983 |
| From: | BABCOCK & WILCOX CO. |
| To: | |
| Shared Package | |
| ML20080K540 | List: |
| References | |
| RTR-NUREG-0737, RTR-NUREG-737, TASK-2.K.2.10, TASK-2.K.3.01, TASK-2.K.3.02, TASK-TM BAW-1740, BAW-1740-R01, BAW-1740-R1, NUDOCS 8309290231 | |
| Download: ML20080K551 (72) | |
Text
,
ilAW-1740, Rev. I May 1983
- FINAL REPORT --
PORV RELIABILITY STUDY AND SETPOINT ANALYSIS FOR TENNESSEE VALLEY AlTril0RITY AND WASHINGTON PUBLIC POWER SUPPLY SYSTEM B&W Contract No. 600-5253 BABC0CK & WILCOX Utility Power Cencration Group P. O. Box 1260 Lynchburg, Virginia 24505 8309290231 830914 Babcock & Wilcox PDR ADOCK 05000460 e uco.,=.n e.=e.ar A
Babcock & Wilcox Utility Power Generation Division Lynchburg, Virginia Report BAW-1740, Rev. 1 May 1983 PORV Reliability Study and Setpoint Analysis for the 205-FA Owners Group i
Key Words: PORV Relief System Reliability, Automatic Block Valve Closure System EXECUTIVE SINMARY/ ABSTRACT l
This report provides the justification for using the original, as designed trip setpoints on the 205-fuel assembly (FA) power-operated relief valve (PORV) isolation system. The proposed system design using these setpoints comprises a single PORV and a single Block Valve with an automatic closure feature.
The supporting analysis provides the verification that the system design ful-fills both operational and reliability requirements. This system ensures nor-mal PORV operation and prevents high-pressure injection (HPI) actuation on low reactor coolant pressure if the PORV should fail open. Failure to isolate the 4
PORY relief path is limited to 1.66 x 10 failures per reactor year for TVA and to 1.26 x 10-" for WNP-1.
The pressurizer safety valves will have a fail-ure rate of 9.73 x 10 s per reactor year which satisfies NRC acceptance cri-teria. Therefore, restoration of the as-designed PORV function will not lead to an unacceptable safety valve challenge rate.
l In view of these finding, Babcock & Wilcox (B&W) recommends installation of the t
automatic PORV block valve closure system and the elimination of the mandatory l
reactor trip on turbine trip since reliability requirements are achieved even at the elevated PORV challenge rate.
l The advantages of this design include an enhanced ability to isolate the PORV relief path (compared to the 177-FA design) as well as fewer reactor protec-l tion system challenges and reactor trips. As a result, plant transient I
babcock &WilCOX
- iii -
.,a
frequencies tire reduced and availability is increased.
Plant safety will also be enhanced by permitting turbine and reactor runbacks.
The design does have two aspects which lead to acceptable, but undesired con-sequences. In some cases, reactor coolant system depressurization may actuate the engineered safety features actuation system if maximum instrument error is encountered. Also, the pressurizer code safety valves may be challenged if the PORV is inoperable and HPI
- i been actuated. However, the probability of either of'these event sequences occu,ing is small.
)
- iv -
Babcock & Wilcox
. m.o
CONTENTS Page 1.
INTRODUCTION.
I 1.1.
Background.....
2 2
1.2.
Scopa 1.3.
Results 3
1.4.
Organization.
4 2.
SYSTEM DESCRIPTION.
5 3.
PORV ISOLATION VALVE SETPOINT 6
4.
PORV/ SAFETY VALVE DEMAND FREQUENCY.
10 5.
PORV RELIEF PATH RELIABILITY.
14 6.
SAFETY VALVE RELIABILITY.
18 7.
ANTICIPATORY REACTOR TRIP ON TURBINE TRIP 21 8.
CONCLUSIONS 23 9.
RECOMMENDATIONS 24
- 10. REFERENCES.
25 APPENDIXES A.
System Fault Trees.
A-1 B.
Human Error Analysis.
B-1 C.
Statistical Modeling of PORV Lif ts.
C-1 D.
Failure Data.
D-1 E.
Event Sequences E-1 F.
Monte Carlo Simulation.
F-1 List of Tables Table 1.
Setpoints for PORV Isolation Valve Closing Setpoint Analysis.
9 2.
PORV Lifts.
13 3.
PORV Automatic Block Valve Isolation System Failure Probabil*ty and Canfidence Limits 17
-v-Babcock 8.WilCOX e McDermott tempany
1.
INTRODUCTION Following the loss-of-coolant accident (LOCA) at the Three Mile Island Unit 2 (TMI-2) facility, the NRC re-evaluated the power-operated relief valve (PORV) system requirements. Plant configuration changes were recommended to reduce the probability of PORV failures. Operating plants were required to raise PORV setpoints, lower high-pressure reactor protection system (RPS) setpoints, and install anticipatory reactor trips upon main turbine trips. These modifi-cations have reduced plant availability by increasing the number of reactor trips. The severity of these plant upsets can be reduced while meeting PORV reliability requirements. By returning the setpoints to their pre-TMI values and by installing an automatic PORV isolation system, both goals can be achieved.
The NRC has formalized guidance for the PORV system changes. The guidance is included in sections II.K.3.1 and II.K.3.2 of NUREG-0737.Section II.K.3.2 re-quires a report documenting the various actions that have been taken to decrease the probability of a small break LOCA caused by a stuck-open PORV or safety valve.
If these actions reduce the probability of a small break LOCA caused by a stuck-open PORV so that it is not a significant contributor to the probabili-ty of a small break LOCA due to all causes, then no other actions are needed.
If the contribution of the PORV to the total probability is more significant, then II.K.3.1 requires installation of an automatic PORV isolation system.
This report provides the rationale for maintaining the PORV and the high-pres-sure RPS trip setpoints at their as-designed values thus reducing unnecessary reactor trips by allowing the PORV to operate as intended. Since maintaining the FORV's intended function results in a moderate challenge rate to the valve, an automatic PORV block valve isolation system is necessary to achieve overall system reliability as required by II.K.3.2.
An isolation system description and reliability analysis are included to verify that the system will not be a major contributor to the probability of a small break LOCA. In addition, it is shown that safety valve reliability is not significantly affected by the isolation system. Babcock & )Milcox
. m o...n
1.1.
Background
Following the accident at TMI, the NRC required changes to the PORV opening and high-pressure reactor trip setpoints and the addition of an anticipatory reactor trip on turbine trip for all the operating plants. These changes have increased the number of reactor trips per month caused by minor over-pressure events, turbine trips, and feedwater upsets. As intended, the mod if i-cations have reduced the number of challenges to the PORV, but they have con-currently increased the number of challenges to the reactor protection system (RPS) and other safety systems required to support a trip. Data collected has shown that of the 87 reactor trip events from September 1979 through December 1981, 40% were caused by high RCS pressure and 29% by the anticipatory reactor trip on main turbine trip.
In order to reduce the number of reactor trips, the operating plant owners embarked on a program to return the PORV and high-pressure reactor trip set-points to their pre-TMI values. These actions would increase the number of PORV challenges, necessitating the installation of an automatic PORV closure system. A preliminary conceptual system design was prepared for the Florida Power Corporation in May 1980.
In principle, the proposed design was identi-cal to that proposed for backlog B&W 205-FA units.
It consisted of a single PORV and a single block valve with an automatic closure feature. The system improved the probability of isolating a failed-open PORV by a factor of 25.
However, its failure rate was still too high not to be considered a major contributor to the probability of a small break LOCA.
1.2.
Scope The results of the original automatic PORV isolation system proposed for Florida Power showed that the failure rate for isolating the PORV relief path prior to ESFAS actuation was 9.7 x 10-" per reactor year.
In order for the PORV not to be considered a significant contributor to the probability of a small break LOCA due to all causes, the calculated failure rate had to be reduced to approx-imately 3 x 10~" per reactor year. To achieve this rate, a more detailed anal-ysis wac conducted for the 205-FA plants.
It addressed four major areas:
PORV Rclief System Setpoints - The automatic PORV isolation system was sub-jected to dynamic setpoint analysis using the POWER TRAIN V (PT-V) code.
Set-point selection was based on (1) the expected minimum closure pressure for the Babcock s.Wilcox
. uco.,
n e...
1 1
PORV to preclude automatic block valve closure during normal PORV operation, (2) PORV block valve closure early enough to avoid ESFAS actuation due to low RCS pressure following a stuck open PORV (assuming no additional failures causing loss of RCS pressure control), (3) PORV block valve stroke time, and (4) nominal errors on applicable setpoints and instrument strings.
PORV/ Safety Valve Demand Frequency -- The demand frequencies of the PORV and safety valves were predicted for the backlog 205-FA plants. Various overheat-ing events, such as turbine trips, reactor trips, and feedwater pump trips j
were considered, as well as overcooling events resulting in HPI repressuriza-tion.
The PT-V code was used to model the overheating transients, while the l
KPRZ code was used for the overcooling transients.
PORV Relief Path Reliability - The probability of an open PORV flow path de-pends on the PORV demand frequency, the probability of a failed-open PORV (given that it has opened), and the probability of no block valve closure (given a stuck-open PORV). The probability calculations were based on valve hardware faults, valve operator faults, control faults, and human action probabilities.
Safety Valve Reliability -- The probability of safety valve failure depends on j
the demand frequency, PORV position (open or closed), and the phase of the effluent (liquid or vapor). The probabilities for steam relief were estimated f rom applicable experience on steam safeties and B&W operating experience.
Water relief probabilities were estimated using EPRI valve tests and applicable B&W experience.
1.3.
Results
'T The results of these analyses indicate three significant points. First, by using an isolation valve closing setpoint of 2170 psig, ESFAS will not be actuated if nominal (as designed) trip setpoints ar' used. Premature isolation valve closure during normal PORV operation will also m
'" anted on more than i
j 95% of the isolation valve challenges. Second, PORV and satm
'o failure rates will be limited to 1.66 x 10-" (TVA)/1.26 x 10 " (WNP-1) and 9.
'0-8 g
failures per reactor year, respectively. At these levels, neither component s be considered a significant contributor to the probability of a small break LOCA. Third, the demand frequency analysis indicates that a main turbine trip will generate about 1.12 PORV lif ts per reactor year.
Even though this Babcock & Wilcox
. co n
m
represents about 26% of cne total PORV demand, failure to isolate the PORV relief psth is not appreciably affected because the additional challenges are j
adequately offset the automatic PORV ! solation system.
1.4.
Organization In order to logically evaluate the PORV isolation system, the body of this re-port is organized as follows.
First, the basic conceptual design of the auto-matic PORV isolation system is described briefly to clarify system operation.
Next, a block valve setpoint analysis is included to justify the closing set-point choice. Given this setpoint, the demand frequency of the PORV and safe-ty valves are predicted for various overheating / overcooling transients. With these predictions, the reliability of the PORV and safety valves is discussed.
Finally, the post-TMI requirement of an anticipatory reactor trip on main tur-bine trip is evaluated objectively.
J f
I I
f l
l Babcock & Wilcox
.me
s i
2.
SYSTEM DESCRIPTION The PORV has been deemed a probable source of failure that could lead to a small break LOCA. Should the PORV stick open or fail to reseat properly, cool-ant could bc lost continuously from the RCS. A PORV relief path isolation system was designed to mitigate this event. The isolation system must function automatically to block the PORV whenever coincident "PORV flow" and low RC pressure signals are received. The system need not be safety grade to satisfy NUREG-0737 requirements, since it is not performing a safety function. The system must provide manual cverrides for all automatic functions and allow the isolation valve to be opened by manual means alone. Within this framework, f ailure to close the PORV relief path m tst be significantly less than 1 x 10-8 failures per reactor year to keep the aystem from being considered a signifi-cant contributor to the probability of a small break LOCA.
On 205-FA units, the PORV isolation system will consist of a single PORV mount-ed downstream from a block valve with an automatic closure feature.
For this study, original design setpoints will be used to ensure normal PORV operations.
For a typical transient, an overheating event for example, the system response can be anticipated.
Under design conditions, as the RC pressure rises above 2295 psig, the PORV opens to limit additional pressure increases.
Following the transient, the RC pressure will drop below 2270 psig and the PORV will close to maintain RC pressure.
For off-design operation, the PORV may fail to open or may open but fail to close.
If the PORV fails to open and the RC pressure reaches 2355 psig, the high-pressure RPS will trip the reactor. On the other hand, the PORV may open but fail to close when RC pressure drops below the 2270 psig closing setpoint.
If the pressure continues to drop to 2170 psig and the PORV remains open, the 5
block valve will close to maintain RC pressure. Should the block valve fail to close, the RPS will trip on low RC pressure at 1987 psig (TVA)/2000 psig (WNP-1). Babcock & Wilcox
. uce.,..n c....n
3.
PORV ISOLATION VALVE SETPOINT Since the PORV failure at TMI-2, an automatic PORV isolation system has been proposed to increase system reliability. Fcr this analysis, the PORV opening and high-pressure reactor trip setpoints are maintained at their original de-sign values. The following analysis is included to verify that the 2170 psig block value closing setpoint (100 psi below the PORV closing setpoint) satis-fies the following three design criteria:
(1) prevents unnecessary cycling of the block valve, (2) prevents low RC pressure ESFAS actuation, and (3) prevents lifting of the code safety valves for most transients.
4 Prevent Block Valve Cycling Closure of the block valve during normal PORV operation defeats the original purpose of the PORV. The pressure sensors for the PORV and the isolation valve are located in the pressurizer and at the hot leg tap, respectively. Due to 4
elevation differences and frictional losses during transients, a pressure dif-ference exists between the two sensors that may cause premature isolation valve closures.
To evaluate the effects of this pressure difference, a Monte Carlo simulation was performed using the SAMPLE code (see Appendix F).
POWER TRAIN V (PT-V) runs supplied representative pressure differentials between the PORV and iso-lation valve sensors for various transients. The Monte Carlo simulation uti-lized a range of representative pressure differentials and accounted for in-strument errors. This analysis predicted the probability of an isolation valve closure, prior to PORV closure, to be less than 5%. Consequently, the present 21/0 psig block valve closing setpoint should allow normal PORV opera-tion, prevent unnecessary cycling of the isolation valve, and automatically mitigate a failed-open PORV small break LOCA.
i
! Babcock & Wilcox
. me n e-m
-n,,,
n
- - -. -, - - -,, -.. -.. - -,. ~. -,, -. ~ - - -,, -, -,. - - - - -, - - -, -,,, -.
Prevent Low RC Pressure ESFAS Actuation A block valve closing setpoint of 2170 psig prevents low RC pressure ESFAS actuation for most transients should the PORV fail-open. Overheating and overheating / overcooling transients were simulated on the hybrid computer code PT-V to verify this setpoint. Maximum instrument errors (i.e., the PORV block valve sensor reads low, while the low RC pressure RPS and ESFAS sensors read high) were used to establish worst-case performance.
Pressures sensed in the hot leg by the PORV block valve, RPS, and ESFAS pressure sensors were trans-lated to the top of the core for use in the PT-V code. However, all pressures in the following discussion will be referenced from the hot leg tap since this is the loction of the pressure sensors.
Table 1 lists the nominal and error-adjusted setpoints used in the analysis.
Computations were performed for the error-adjusted (low-side) block valve set-points of 2120 psig, because they represented the worst-case.
Computations were also performed for the WNP-1 model using an alternate setpoint of 2155 psig. This setpoint was chosen somewhat arbitrarily (within the nominal to error-adjusted (low-side) range) as a sample case so that differences between the worst-case (i.e., 2120 psig) and a more realistic case (i.e., 2155 psig) could be identified.
On the TVA model, an error-adjusted block valve closing setpoint of 2120 psig prevents reactor trips on low RC pressure for most transient.
However, the following events will probably trip the reactor on low RC pressure:
Trip one RC pump at 100% end of life (EOL).
Trip one RC pump at 80-100% beginning of life (BOL).
Even with a reactor trip-induced pressure drop of approximately 200 psi, the lowest pressure indicated in the hot leg is 1825 psig, which is 75 psi above the error-adjusted ESFAS setpoint of 1750 psig. Therefore, even if maximum instrument error is encountered and the reactor trips on low RC pressure, low RC pressure ESFAS actuation will not occur for TVA if a nominal trip setpoint of 2170 psig is used.
The WNP-1 POWER TRAIN V model also verifies the 2170 psig setpoint. As pre-
)
viously mentioned, closing setpoints of 2120 psig (error-adjusted) and 2155 psig (sample) were used in the analysis. The results indicate that the Babcock & Wilcox
. u.o.,..n......,
1 reactor will trip on low RC pressure following a turbine trip for 2120 psig setpoint, but not the 2155 psig setpoint. Following the trip, the lowest pressure in the hot leg is 1805 psig, which is 45 psi above the error-adjusted ESFAS actuation setpoint of 1760 psig. When one of two feedwater pumps are tripped using either block valve closing setpoint, the resulting overpressure event does not lead to a high pressure reactor trip as the PORV opens to miti-gate the transient. However, as the reactor runs back and the PORV fails to reseat, the ensuing overcooling trips the reactor on low RC pressure and pos-sibly actuates ESFAS. In this case, the hot leg pressure drops to 1715 psig, i
which is 45 psi below the error-adjusted ESFAS setpoint of 1760 psig, but 15 psi above the nominal ESFAS setpoint of 1700 psig. Therefore, with the possi-ble exception of a feedwater pump trip under worst-case conditions, a nominal block valve closing setpoint of 2170 psig prevents low RC pressure ESFAS actua-tien for the WNP-1.
Prevent Lifting of Code Safety Valves The block valve closing setpoint is also low enough to prevent lifting of the pressurizer safety valves. Repressurization of the RCS occurs after closing the isolation valve. With the PORV now blocked, only the pressurizer spray and the high-pressure reactor trip can decrease RC pressure. The highest repres-surization occurs for ar. RC pump trip transient on the WNP-1 model.
In this 1
case, pressurizer pressure may reach 2305 psig. A further increase in pres-l sure will trip the reactor on high RCS pressure. Hence, the high-pressure reactor trip ensures that repressurization will never lift the code safety valves.
The PT-V analysis can be used to verify another setpoint. Preliminary PT-V results indicate that the lowest nominal closing setpoint that can be justified.
is 2110 psig, which corresponds to an error-adjusted (low-side) setpoint of 2060 psig. Thus, the present analysis can be used to select and justify a set-point lower than 2170 psig, in summary, the PORV isolation valve closing setpoint of 2170 psig satisfies all design criteria. This setpoint prevents low RC pressure ESFAS actuation and prevents lif ting of the pressurizer code safety valves. In add 1 tion, nor-mal PORV operation is preserved, while unnecessary cycling of the isolation valve is prevented.
1 Babcock & Wilcox
. me
-,n..
a Table 1.
Setpoints for PORV Isolation Valve Closing Setpoint Analysis TVA setpoints, psig WNP-1 setpoints, psig With (a)
With Nominal NAIEs Nominal NAIEs
- Sample i
I PORV block 2170 2120 2170 2120 2155 valve closing (2230)(b)
(2180)
(2230)
(2180)
(2215)
RPS low RC 1987 2012 2000 2025 2025 pressure (2047)
(2072)
(2060)
(2085)
(2085) i Low RC pres 1700 1750 1700 1760 1760 sure ESFAS (1760)
(1810)
(1760)
(1820)
(1820) l
- NA1Es: Non-accident instrument errors.
}The setpoint in parentheses is used in POWER TRAIN.V; 60 psi has been added to this setpoint to translate the setpoint from the hot leg tap to the top l
of the core.
1
)
Note: All three pressure sensors for the PORV bicek valve, RPS low RC pres-sure, and low RC pressure ECFAS are located at the hot leg tap.
i I
i t
1 i
i 1
i
, Babcock &Wilcox e tecDermott compeev
,,. _... ~.
..,. _., - - -,. _,,, _.. ~ _ _. - -,.., ~,.,,,
. -. - -. _.... _ - _ _, -,,.. - ~., _,,, _ _ _. _, _. - -,. _ - -.
4.
PORV/ SAFETY VALVE DEMAND FREQUENCY la contrast to the operating 177-FA plants, the 205-FA design requires that the PORV setpoint be lower than the high-pressure reactor trip setpoint. This alignment increases the number of PORV challenges and raises questions about the reliability of the PORV and the safety valves. Operating experience from 177-FA plants (prior to the TMI-2 incident) indicates that a variety of tran-sients may lift the PORV.
Similar transients at the 205-FA plants should also generate PORV lifts. The following analysis predicts the number of PORV/ safety valve lifts on the 205-FA units for transients in which either or both valves lift. With these demand requirements, the reliability of the PORV and the safety valves can be ascertained.
t Challenges to the PORV and/or safety valves depend on the specific transient and plant being considered. Differences between the 205-and 177-FA plants eliminate the loss-of-main-feedwater transient. The anticipatory reactor trip i
on loss of both main feedwater pumps and on high flux /feedwater flow ratio should trip the 205-FA reactor before the PORV lifts. Also, differences be-t i
tween the TVA and WNP-1 plants result in different transient lists for each 4
l plant. TVA's interlock to trip the reactor upon turbine trip -- if reactor power is greater than 76% -- eliminates a turbine trip from the transient list for TVA above 76% power. Based on 177-FA operating experience and plant dif-ferences, the resultant transi t list includes the following:
Turbine trip with reactor trip (TVA > 76% reactor power)
Turbine trip without reactor trip Trip one FW pump Trip one RC pump l
Trip two RC pumps (one per loop) l Load rejection Ramp one FW valve 50% closed i
Rod drop Overcooling with HPI/MU repressurization
' Babcock &Wilcox
..-..m.- - -...m
.,m,,,
This list, consisting primarily of moderately frequent events, does not include random instrument failures that occur as a result of hardware failures or human error.
Two computer programs were used to determine the number of PORV and safety valve lifts. POWER TRAIN V (PT-V), a hybrid code, determines the nu=ber of PORV and/or safety valve lif ts for overheating transients. The TVA PT-V model was used for both the TVA and WNP-1 plants. This is justified since the dif ferences in heat generation and removal between the two plants tend to offset each other.
Comparison of a few WNP-1 runs and the TVA runs verifies this point.
Since PT-V cannot model high-pressure injection, KRPZ, a non-equilibrium pressurizer code, was used. KPRZ ascertains the number of PORV and/or safety valve lifts for overcooling events with HPI/MU repressurization.
The overheating transients run on PT-V (TVA model) gave the number of PORV lifts. Table 2 shows the number of PORV lif ts for beginning-of-life (BOL) and end-o f-life (EOL) conditions. The results indicate an estimate of the expected maximum number of lifts plus or minus a number of possible lifts. The number of possible lifts represents variations in the PORV setpoint and in plant con-ditions at the beginning of the transient. These variations can cause peak pressures that previously missed the PORV setpoint, but later actuate the PORV in the same transient.
In determining the PORV lifts, PT-V limits were ob-served and proper auxiliary feedwater (AFW) actuation and control were assumed.
These lifts are valid over the reactors' 70-100% power range. Below 70% power, the PORV lifts approach zero since the plant, with the aid of the ICS, can handle RC pressure upsets without challenging the PORV.
Consequently, the ma-jority of the PORV lifts will occur at high power levels.
PT-V and KPRZ provide the number of lif ts for the overcooling events with HPI/
MU repressurization. PT-V models overcooling transients prior to ESEAS actua-tion. Pressurizer conditions (such as pressure, level, insurge, temperature, etc.) from PT-V enable KPRZ to model post-ESFAS events.
Insurge flow was as-sumed to be due to high-pressure injection. The modeling also assumed that the operator correctly throttles HPI 10 minutes after ESFAS actuation in an ef-fort to control pressurizer level and subcooled margin. Post-ESEAS events mod-e eled on KPRZ predict that an HPI repressurization will generate an estimated 129 2 13 PORV lifts per demand. The normal repressurization due to makeup flow following a reactor trip is controlled by the pressurizer spray.
In this case, Babcock & Wilcox
. mo n..,
the PORV is not challenged. Therefore, only the overcooling with HPI repres-surization lifts the PORV and may lift the pressurizer safety valves.
The same transients were repeated with the PORV blocked. For the overheating transients, the pressurizer safety valves do not lift since the reactor trips on high RC pressure, and auxiliary feedwater controls steam generator level to remove decay heat. For overcooling with makeup repressurization, the pres-surizer spray maintains pressure below the FORV setpoint. Therefore, the safe-ty valves do not lift for this transient either. Overcooling by HPI repres-surization was the only transient that lifted the safety valves. As with the operable PORV case, the operator throttles HPI to control level 10 minutes after HPI begins. This HPI throttling assumption limits the safety valve lifts to 15 2 lifts for either valve. Therefore, only e7ercooling with HPI repres-surization will lift a safety valve.
Since both the PORV and the safeti valves may be challenged, the lifts may be coincident, or out of phase. Both operable and inoperable PORVs were consid-ered. With an operable PORV, the time difference between the two lifts is not applicable since the PORV or the pressurizer spray (overcooling with makeup repressurization) maintains pressure below the safety valve setpoint. For an inoperable PORV with overcooling and makeup (MU) repressurization, the pres-surizer spray again maintains pressure below the safety valve setpoint. As a result, the time difference between lifts is again not applicable. However, for an inoperable PORV with overcooling by HPI repressurization, one safety valve will' lift. In this case, the valve lifts approximately 145 seconds (about 2.5 minutes) after the pressure exceeds the PORV opening setpoint.
This time difference does not impact the PORV or safety valve reliability, however, it does characterize the time scale required for a safety valve lift that will be of use to the operator.
In conclusion, input to the PORV reliability. analysis consists of transients that lift the PORV, the number of PORV/ safety valve lif ts, and the time differ-ences between PORV and safety valve lifts. Operating experience on 177-FA plants has provided the basis for the transient list.
KPRZ indicates that the only transient that lifts the safety valves occurs for an inoperable PORV with HPI/MU repressurization. None of the overheating transients lifts the safety valves.
However, note that the number of valve lifts should be regarded as rep-resentative of the expected number of lifts since no operating data are available. uabcock & Wilcox
. mo a mm
1 Table 2.
PORV Lifts Lif ts/ demand,(a) Lif ts/ demand,(a)
No. of Transient BOL EOL lifts /yr Turbine trip w/
020 > 76% p r-O!O > 76% pwr 0
reactor trJp 1!1 < 76% pvr 1![ < 76% pwr Negligible Turbine trip w/o 1!1 11[
1.12 reactor trip Trip one W pump 41[
II) 0.92 Trip one RC pump 21[
2{
0.04 Trip two RC pumps 1!0 10 Negligible Load rejection 1!0 1!O 0.10 Ramp one W 2{
II) 0.91 valve 50% closed overcooling g
HPI repress'n 129 13 0.51 MU repress'n 00 0
Rod drop 0.09% Ak/k 2tj' O.06% Ak/k 21) 0.74 0.03% Ak/k 21)
(")These lif ts are valid over the power range from 70 to 100%.
Below 70% power, the lifts will go to zero.
( ) Predictions made with point estimates for BOL.
(c) Worst-case estimate based on two HPI pumps being operated for 10 minutes prior to proper operator corrective action. The modeling also assumed that insurge to the pressurizer was due exclusively to HPI, while outsurge was due to PORV relief.
Also note that the relief capacity of the PORV exceeds the capacity of the two HPI pumps.
, Babcock & Wilcox
. veo....n......,
5.
PORV RELIEF PATH RELIABILITY Having specified a PORV demand history, the reliability of the 205-FA auto-matic PORV isolation system can be evaluated. To meet NRC requirements, fail-ure to isolate the PORV relief path must not appreciably impact the value of
-8 1.0 x 10 failures per reactor year.
Isolation of the PORV may increase the demand on the pressurizer code safety valves, however. As a result, safety valve reliability unst also be evaluated, as discussed in section 6.
The probability of PORV isolation system failure was determined using a fault tree analysis. Fault trees were constructed for two classes of initiating events: pressure transients and spurious system operation. A statistical analysis was also performed, which predicted the PORV's challenge frequency.
Dominant cut sets for each fault tree were obtained usiag the fault tree anal-ysis program FTAP. With PORV challenge frequency and FTAP results as input, the SAMPLE code was used to predict the distribution of system failures.
Failure data and initiating event frequencies are listed in Appendixes C and D.
To evaluate the reliability of the PORV isolation system, the analysis was organized as follows: statement of assumptions, fault tree analysis, human reliability analysis, PORV challenge frequency, failure data, uncertainty analysis, and definition of mission success.
In any complex problem, simplifying assumptions are a necessity. For the automatic PORV isolation system, the following assumptions were made:
1.
Degraded failures were not considered. That is, components were assumed to operate properly or were treated as failed.
i l
2.
Failures of passive components, such as test points, were disregarded due to their infrequent occurrences.
j 3.
A monthly equipment test interval was assumed. Since time independent un-availability approximations were used to quantify the basic events, interim
[
failures would not be discovered until the succeeding test. Babcock & Wilcox
.mn,
4.
Operator errors of commission were not included in the fault tree.
5.
The failure rate for the block valve was based on generic data for an electric-motor-operated gate valve of that size and operator.
6.
Target Rock valves have experienced 125,000 total cycles (100,000 bench test and 25,000 field experience) on the pressurizer spray with no fail-ures. Since the spray valve is not subjected to the same environment as the PORV, the value of zero failures in 25,000 cycles was used in the Bayesian updating procedure. This procedure uses the prior experience of the D~ esser PORV (4 failures in 400 demands) and the evidence of zero r
failures in 25,000 cycles to arrive at a modified value for the Target Rock valve in the PORV application.
A fault tree analysis, consistent with the methodology described in the Fault Tree Handbook (NUREG-0492), was used to evaluate the reliability of the PORV/
PORV block valve system. The fault trees for this system are included in Ap-pendix A.
The GRAP software package (graphic reliability analysis package) was used to construct and evaluate the fault trees. Fault trees were con-structed with enough detail to identify the components that are dominant con-tributiors to system failure. No attempt was made to account for failures due to external events, such as fires, floods, or earthquakes.
The FTAP code was used for identification of minimum cut sets, quantification of the fault trees, ranking of basic event importance, and identification of major contribttors to system failure (See Appendix A.)
A human reliability analysis (HRA) was also performed, which was consistent with the methodology described in NUREG/CR-1278. The basic human error prob-abilities used in this analysis are found in Chapter 20 of the Handbook.
Probability tree diagrams for the human tasks of interest are presented in Appendix B.
With the framework of the fault tree and human reliability analysis set, the PORV demand frcquency was predicted. PORV lif ts were initiated using seven transient sources. The number of lifts for each source, in a specified period of t ime, is described by a Poisson distribution. Each PORV lift may result in one or more cycles. The number of cycles for each source is described by a multinomial distribution. This distribution changes linearly from the be-ginning to the end of the core life (assumed to be 1 year). The statistical Babcock & Wilcox
. me n..,
t treatment involved combining the Poisson and multinomial distributions to de-scribe the random number of cycles. Thereaf ter, che frequency of one, two, etc.
cycles could be obtained, regardless of the source, by means of simulation.
l The complete list of generic data used in this analysis is given in Appendixes C and D.
Failure data and initiating event frequencies were obtained from various sources. Repair times for components in the power distribution system were supplied by plant parsonnel.
An uncertainty analysis was also performed. The SAMPLE code was used to evalu-ate uncertainties in the system unavailability results. Range factors obtained from the Reactor Safety Study were used to construct lognormal distributions.
These distributions were localized around the point-estimate failure probabil-ities of the dominant unavailability contributors. Three parameters influenced the form of the sample function used in this analysis. The form depended on the product of two terms, the simulated PORV demand frequency and the system re-sponse to the pressure transients, plus the contribution due to spurious system operation. The uncertainties surrounding system unavailability were evaluated in terms of the mean, the 5%, and the 95% levels of system probability distribu-tion.
To finally judge the PORV isolation system, a formal definition of mission suc-cess is required. Mission success can be defined in terms of either system op-eration or reliability.
In terms of system operation, mission success is de-fined as the ability to isolate the FORV relief path prior to low RC pressure ESFAS actuation (1700 psig). System failure, therefore, is defined as any fail-ure within the system boundaries that results in depressurization to the ESEAS actuation setpoint.
In terms of reliability, the NRC requires a ceiling fail-ure rate significantly less than 1.0 x 10-3 failures per reactor year for small break LOCAs. Based upon engineering judgement, B&W has selected a failure cri-teria of 3 x 10-" failures per reactor year to represent an insignificant con-tributor to the probability of a small break LOCA. Consequently, system failure in this case is defined as a system with a probability of failure greater than 3.0 x 10-".
With these definitions, mission success can be evaluated for the systems considered.
The results pf this study indicate that,the 205-FA automatic PORV isolation 3
system satisfies <both definitions of mission success. Operationally, the iso-lation system (with original design trip setpoints) prevents low RC pressure Babcock 4 Wilcox
. =co
ESFAS actuation, effectively modulates RC pressure, reduces unnecessary reac-tor trips, and increases plant availability.
From a reliability standpoint, the results are given in Table 3 at the mean, 5%, and 95% confidence levels.
At the 95% confidence level, for example, failure to isolate the PORV relief path is limited to 1.66 x 10-4 (TVA/1.26 x 10-" (WNP-1) failures per reactor year. Therefore, the probability of failing to isolate the PORV relief path at the 205-FA plants is significantly less than 1 x 10-8 failures per reactor year.
Aside from strict design criteria, two other aspects of the design are worth mentioning. The results indicate that the Target Rock valves are extremely reliable and that the presence of the ATOC displays and PORV position switch in the control room increase operator awareness.
However, there is one dis-tinct drawback to this design. Improved isolation of the PORV relief path could lead to elevated safety valve demand as discussed in section 6.
Table 3.
PORV Automatic Block Valve Isolation System Failure Probability and Confidence Limits Failure probability / year 5% confid.
95% confid.
Mean limit limit TVA 6.00 x 10-5 1.31 x 10-5 1.66 x 10-"
WNP-1 4.99 x 10-s 1.35 x 10-5 1.26 x 10-" Babcock & VVilcox e McDermott company
6.
SAFETY VALVF RELIABILITY A reliable automatic PORV isolation system had been developed for the 205-FA plants. With this system, the probability of proper isolation of the PORV re-lief path is maximized.
Isolation of the PORV, however, could increase demand on the pressurizer code safety valves. Consequently, a safety valve reliability analysis was conducted.
A small break LOCA due to a failed-open safety valve may occur along either of two pathways. The pathways identified include overcooling with subsequent repressurization and overheating transients.
To quantify the LOCA probabilities, event sequences were constructed for the overcooling scenario and for three overheating events. The event sequences and supporting failure data are listed in Appendix E.
The overcooling tran-sient was initiated by assuming that the ESFAS actuates on low RC pressure.
No attempt was aade to predict the frequency of occurrence of the three over-heating events analyzed. This method was chosen because the existing auxil-iary feedwater designs are very reliable and, in the event of a total loss of feedwater, HPI feed along with some form of pressurizer bleed would be used to cool the core.
The following assumptions were used in analyzing the overcooling scenario:
1.
The PORV relief path is isolated.
2.
Af ter 10 minutes of inadvertent HPI operation, the proba-bility that the operator will throttle HPI and realign normal makeup is 1.0.
3.
There is some type of uncertainty as to the type of discharge passed through the safety valves. However, a conservative failure estimate can be made by assuming that the discharge j
i is water or two-phase (worst case).
. Babcock & Wilcox e tec0ermott company
Failure rates for the pressurizer safety valves (PSVs) can be ascertained by examining the failure rates of the main steam safety valves (MSSVs). This is possible because both operate on the same principle; i.e., they both work against the closing force of a spring, and they both require an additional sudden opening force when they resch their trip setpoints.
Dif ferences between the PSV and MSSV must also be pointed out:
I The fluid passing through a PSV should contain fewer suspended particulares than that passing through an MSSV.
The PSV is stainless steel whereas the MSSV is predominantly carbon steel. Rusting of the carbon steel will introduce additional foreign matter into the fluid.
I
- The PSV is an ASME Class I component, while the MSSV is an ASME Class II valve.
The PSV must operate with a variable backpressure, while the b6SV operates with a fairly constant bachpressure. As a re-sult, the PSV design is more sophisticated and has more com-ponents that may fail.
The first three differences suggest that the PSV may have a lower failure i
rate than the MSSV, while the last point suggests the opposite.
Cumulative B&W operating experience indicates that there have been aproxi-mately 2850 MSSV demands.
In all these cases, there has not been a single failure due to a valve reseating problem (remain in full-open position). A failure rate based on zero failurcs in 2850 demands was computed using a X*
50% level test. The calculated failure rate for the steam relief wes found to be 2.43 x 10~" per demand. The failure rate for water relief was.esti-
-2 mated to be 100 times larger than for steam relief, i.e., 2.43 x 10 per demand.
The safety valve failure rate was determined using a Layesian updating proce-dure. The prior distribution was assumed to be lognormal with a mean of 2.43 x 10-2 per demand. This lognormal distribution was then combined with the evidence of five safety valve water demands with no failures to determine the probability of failure. Four EPRI safety valve test programs (September 1981) and a single demand at Crystal River 3 (February 26, 1980) accounted for valve performance history. Babcock & Wilcox
...o n
,,_,,_,-~,_,-_,m--
m.
_-..,---,--,_,..r.-
The results of this investigation indicate that an uncontrolled small break LOCA through the pressurizer code safety valves is not a probable event. Dur-ing the course of this analysis, two paths were identified as dominant con-tributors to the probability of a safety valve failure. These are overcooling with subsequent repressurization and overheating transients. The probability of a LOCA due to overcooling events was found to be 9.73 x 10-' per reactor year, while the cumulative frequency of occurrences for the overheating tran--
7 i
sients was calculated to be 6.27 x 10-5 per reactor year. In addition, the i
unavailability of the PORV relief path was estimated to be 7.23 x 10-8 per
- year, j
4 The impact of the automatic PORV isolation system on safety valve reliability 1
is insignificant because the unavailability of the PORV relief path is so low.
The automatic isolation system achieves all operational requirements and NRC-j
{
mandated reliability requirements as originally designed.
)
i i
i i
l l
i i
i i
1 l
i Babcock & WHcox n-
-_.,_.__,..,,,.__,.__._.,_.,--.,__m
4 I
7.
ANTICIPATORY REACTOR TRIP ON TURBINE TRIP Following the PORV failure at TMI-2, the NRC required PORV system modifica-tions on all operating plants. Changes were made to the PORV opening and high pressure reactor trip setpoints. The addition of an anticipatory reac-tor trip on main turbine trip was also required. These modifications have decreased PORV challenges, but have concurrently increased the number of re-actor trips (through RPS challenges). The intent of these modifications was to reduce PORV challenges and thus reduce the probability of a PORV failure.
t i
However, the probability of PORV failure can be reduced using alternative ap-
)
proaches that do not detract from plant performance.
I On all 205-FA units, an automatic PORV isolation system using pre-TMI-2 (as-designed) trip setpoints has been proposed. This system consists of a single PORV and a single block valve with an automatic closure feature. The use of the original design trip setpoints will ensure normal PORV operation, re-3 duce reactor trips, and increase plant availability. However, the questien of the anticipatory reactor trip upon main turbine trip still remains.
l The anticipatory reactor trip upon turbine trip was candated to help reduce the number of PORV challenges. Operating experience verifies that it has achieved this objective, but at the expense of plant availability. However, with the improved 205-FA design, it is no longer necessary to limit PORV chal-1enges.
2 1
The annual PORV challenge rate was predicted for both backlog 205-FA plants at BOL conditions (worst case). The annual challenge rate depends on two_fac-tors; the number of challenges per transient and the number-of transients per l
reactor year. The results of these calculations are given in Table 2.
Three operating regimes exist in the TVA plant since it was designed with an interlock to trip the reactor upon' main turbine trip (provided reactor power i
is greater than 76%). Above 76% power, a turbine trip followed by a reactor 4
{
trip will generate zero PORV lif ts.
From 70 to 76% power, a' turbine trip will
, Babcock & Wilcox
. m e.
a t
,wi me,*
--,,.~,w.e_-%4-.
,-,,-----,-,--r---
r ww-,-+-,---
,,.--c---,v w r-v +
+.4-
,,,w-rw,
.,e-e--
generate an insignificant number of lif ts since the reactor rarely operates in this power range.
Below 70% power, PORV lif ts due to all causes approach zero.
On the WNP-1 plant, only two operating regimes exist since the WNP-1 plant was designed without a mandatory trip. Above 70% power, a turbine trip will generate 1.12 PORV lif ts per reactor year, and below 70% power PORV lif ts due to all causes again approach zero.
The number of PORV challenges due to a turbine trip has been predicted as 1.12 per reactor year. The addition of an anticipatory reactor trip on turbine trip can reduce this number to zero. Projected yearly PORV demand due to all causes should be in the 4-5 challenge range.
With the addition of the automatic PORV isolation system, the NRC-mandated reliability requirements can be achieved, even with turbine trip-induced PORV challenges.
The post-TMI modifications to the PORV relief path system must be re-evaluated.
They represent but one way to reduce the probability of a PORV failur2 (reduced PORV challenges). They also tend to increase the number of RPS challenges, in-crease the number of reactor trips, and reduce plant availability. B&W's automatic PORV isolation system will achieve the NRC's PORV reliability re-quirements without these modifications. As a result, the PORV will be able to control RC pressure for minor overpressure events and avoid the unnecessary re-actor trips, which have been a consequeuce of the post-TM1 modifications. Babcock &)Milcox
. u. o....n.....,
8.
CONCLUSIONS An automatic PORV isolation system has been designed for B&W's 205-FA units.
The system will operate reliably to increase plant availability by reducing the number of reactor trips. This will be accomplished using pre-TMI-2 trip setpoints to ensure proper RC pressure control and reduced RPS challenges.
In addition, five significant conclusions can be drawn from the supporting analysis:
1.
A block valve closing setpoint of 2170 psig will not actuate the ESFAS using nominal trip setpoints, but it will prevent premature isolation valve closure on 95% or mere of the isolation valve challenges.
2.
The PORV should be challenged annually on approximately 4.34 occasions on WNP-1 and 3.22 occasions on TVA.
3.
The number of PORV challenges due to a turbine trip represents about 26% of the total demand.
4.
By using the automatic PORV isolation system, the probability of failing to isolate the PORV relief path will be limited to 1.66 x 10-" (TVA) 1.26 x 10-" (WNP-1) failures per reactor year. The NRC requires a fail-ure rate significantly less than 1 x 10-3 failures per reactor year for isolation of the PORV relief path.
5.
The reliability of the precsurizer code safety valves will not be signifi-cantly affected by the isolation system. With the automatic PORV isolation system installed, the probability of a safety valve f ailure will be 9.73 x 10-5 failures per reactor year.
i 1 Babcock & Wilcox
. uco....n c.....,
.= -
--_ ~ __.
1 1
i 9.
RECOMMENDATIONS i
Based on the sapporting system justification, B&W recomends that the auto-matic PORV isolation system be installed on all 205-FA units as designed. In addition, the post-TMI requirement of an anticipatory reactor trip on main
!i j
turbine trip should be abolished.
Even though turbine trip-induced PORV chal-1enges represent a significant portion of the total demand, the 205-FA design j
can suitably isolate the PORV relief path at the enhanced rate.
In addition, unnecessary reactor trips will be avoided, and plant availability will be in-j creased by the elimination of the mandatory reactor trip.
i i
I i
1 1
I i
i l
I i
l l
l
, Babcock & Wilcox
. me
...---.4
_m l
j 10.
REFERENCES l
POWER TRAIN - Hybrid Computer Simulation of a Babcock & Wilcox Nuclear Power 1
Plant, BAW-10149-01, Babcock & Wilcox, Lynchburg, Virginia, November 1981.
2 W. E. Vesely, et al., Fault Tree Handbook, NUREG-0492_, U. S. NRC, Washing-i ton, D. C. (1981).
]
A. D. Swain and H. W. Guttman, Handbook of Human Reliability Analysis With 8
i Emphasis on Nuclear Power Plant Applications, NUREC/CR-1278, Sandia Labora-
]
tories Albuquerque, New Mexico (1980).
" IEEE Guide to the Collection and Presentation of Electrical, Electronic, 1
and Sensing Component Reliability Data for Nuclear Power Generating Sta-I tions, IEEE Std. 500-1977.
3 Nuclear Plant Reliability Data System, 1980 Annual Reports of Cumulative System and Component Reliability, NUREG/CR-2232, September 1981.
6 Reactor Safety Study, NUREG-75/014 (WASH-1400).
7 Reliability Prediction of Electronic Equipment, MIL-HDBK-217C, May 1980.
e Data Summaries of Licensee Event Reports of Control Rods and Drive Mech-anisms at U. S. Commercial Nuclear Power Plants, NUREG/CR-1331, April 1978.
9 i
Reliability Evaluation of the Washington Public Power Supply System Nuclear Projects Numbers 1 and 4, SAI, La Jolla, California, (1980) 18 TVA to J. McFarland, Letter, "PORV Acoustic Monitor Reliability - N4M-2-59,"
j K-6868, Babcock & Wilcox, Lynchburg, Virginia, March 4, 1982.
11 Auxiliary Feedwater Systems Reliability Analyses, BAW-1584, Babcock & Wilcox, Lynchburg, Virginia, December 1979.
- 2 F. L. Levereny, et. al, "ATWS: A Reappraisal, Part III, Frequency of Antici-i pated Transients," NP801, Electric Power Research Institute, Palo Alto,
{
California, July 1978.
! Babcock &Wilcox
. mo.,
c.,
-..., - -,.. - -. - - _,,. _, _,.. - - - - -,.,,. - -. -. ~....., - - -,.,., -
..n
)
APPENDIX A System Fault Trees A-1 Babcock & Wilcox e McDermott company
Top event Sum of implicants j
Initiating event is a 1.29 x 10-5 pressure transient Initiating event is 2.78 x 10-s spurious PORV open-ing PORV relief path un-7.23 8 available P
Notes:
1.
These fault trees are representative l
of the TVA system design. The struc-ture of the WP-1 trees is nearly identical except that the basic event "AMEMOVAM" (acoustic monitor fails) is replaced by "PSEMOVAM" (position switch fails).
d 2.
The sum of implicants refers to the summation of each of the individual contributors responding to the top initiating event.
i 1
i A-2 Babcock & Wilcox
. scow.at c
,wy L
.. - ~
.. ~
4 I
INITIATING EVENT IS A PRESSURE TRAN$1ENT RB 1
I PORU FAILS TO EMOV FAILS TO RECLOSE CLOSE l
I i
A-3 Babcock & Wilcox
.on,
,m
i i
{GIVECLOSE ENERGIZED 3
pg PORUXXCD SOLEHXRE
/%
GNAL U
j CIRCUITRY
{
FAILS HI l
SHORTED AFTER EN-ERGIZING CTPORVSH TUJXXXaM i
l A-4 babcock & WilCOX j
e scoermeet cemeear l
I EMOU FAILS TO CLOSE i
2
/
N No MOTIVE POWER FOR NO SIGNAL TO CLOSE LUE 9ALUE VALVE EC ICAL FAILUPE T2 GUEM000D
/N NO SIGtEL FROM AC00-NO SIGNAL FROM RCS FAILURE OF ESFAS STICAL MONITOR AND PRESSURE L OPERATOR SSA UNAUAIL*
OPERATOR FAILS TO FAILS TO SAVE MAN-ABILITY SAVE MANUAL SIGNAL UAL SIGNAL A
T4 T5 TVI2 evac NO SIGNAL FROM I0"L I
FAI TO 79 FAI TO MANUALLY TER FAILS MANUALLY INITIATE HIGH INITIATE EMOV EMOV EMOUPPOC PTEMOVFH EMOVAMOC 4
I i
A-5 Babcock & Wilcox
. =co a c.,
c.
,-,,e,,
, -,, - - -,,,,.. -,. -, - ~. -..,,, -, -., --
I N0 MOTIVE POUEP FOP UALUE
+
M.C.C. FAILS TO FUNCTION ON DEMAND g g gt.
ABILITY OF 480 4.%C SUPPLY TO T6 M.C.C.
TU48E%C a
FAILURE IN THE 480 FAILUPE IN THE 120 l
VAC LINE VAC C0ftTROL LIFE ST TR l
FAILS
}
T7 T2 MCCMSFNS
/N i
4 USES IRCUIT HERMAL P
USE TARTER FAIL BPEAAERS OVERLOAD TRANSFOR-FAILS CLCiE FAIL RELAYS MER FAILS COIL f
FAILS
. ir
!8 3 FUSE 486 3CBRK480 3 THOR 480 STSTR120 1 FUSE 120 STC1C120 gw
. e.
l=Y
- 8
- x
J I
l FAILWE OF ESFAS l SSe I
3
/%
ACOUSTI-C PPES-RESS 2 D GAT 4
4 CAL MONI-SURE BISTABLE FAILS TOR
}
CURRENT FAILS CURRENT PTFER SUFFER FAILS
~
i MSSACAT PTSSACAT BISSACAT ANDSSAAM i
OGIC ONTACT NIT l,
BUFFER BUFFER CONTROL FAILS FAILS MODULE FAILS I
)
LESS4xAN CBSSAXAN ICMSSAAN 1
i f
f 4
4 1
A-7 Babcock & WilCOX
. =co n..,
m..-
1 NO SIGNAL FPON ACOUSTICAL MONITOR 4
SSCS IMPEMS AC00-
" I POWER I-UNAUAIL-J TOR FAILS ARLE To ACOUSTICAL MONITOR g
AMEMOVAM
/
TV120UeM LAY OLID POWER STATE lrOPEMS SPURIOUS-UNAVAIL-ELEC-LY ABLE TO TRONICS SSCS FAIL RLSSCSCP TUSSCSAM TV120VSS l
l l
l l
l A-8 babcock & WilCOX
. =co a
I NO SIGNAL GENEPATED TO CLOSE PORu 1
/N ES ISTABL LAY ONTACT TRANSPtIT-FAILS TO FAILS TO FAILS TO TER DOES FUNCTION OPEN OPEN tt07 MN CHANGE SIGNALLED PTPORVC0 BSPORurF RLPORUFO CTPORUFO A-9 Babcock & Wilcox
. = co....n...,
1 INITIATING EVENT IS SPURIOUS OPEHING OF PORU R3 1
PORU SPURIOUSLY EMOV FAILS TO OPEftS AND FAILS TO CLCSE PECLOSE PS
/%
UPSTREAM CONTROL INTEGRAL VALVE FAILURES OCCUR CONTROL ACTUATES SPURIOUSLY
\\
i
)
i A-10 Babcock &Wilcox e tecDermott compsey I
I I
UPSTREAM CONTROL INTEGRHL UALUE FAILURES OCCUR CONTROL HCTUseTES SPURIOUSLY R7 pa
/N
/N OLEN01 OUEP ENERGI2ES CONTACT SPURICUS-SPURIOUS-LV LY MCTU-ATES SOLEttXSP CTP0Rt/SP T-5 00 j
TER FAILS l
UITHOUT l
CLOSES l
HIGH SIGNAL PTPORUFH BSPCPt>SP RLPORUSP i
I 1
A-11 Babcock & Wilcox
.va,....n....
I EfMK8 FAILS 70 CLOSE 2
/
N NO MOTIVE POUER FOR fl0 SIGitAL TO CLOSE "M
- E EC AN CAL l
FAILURE T2 GLEMOVOD
/%
l NO SIGNAL FROM ACOU-NO SIGNAL FROM RCS
' FAILURE OF ESFAS STICAL MONITOR AND PFESSURE & CPERATOR SSA UNAVAIL-CFCRATOR FAILS TO FAILS TO S#.C MAN-ABILITY swg nerqJAL SICML UAL SIGNAL SA T4 T5 TVI200AC
[
i N0 SIGNAL FROM ACOUSTICAL MONITOR FAIL TRM IT-FA TO MANUALLY TCP FAILS MANUALLY INITIATE HIGH INITIATE MOV EMOV EMOUPROC PTEMOUFH EM00AM00 i
l l
f i
l l
A-12 Babcock &Wilcox
. =o a
I H0 MOTICE POWER FOR i
UALUE 5
+
b tCTl0 i DEMAND UNMielL-I ALILITV Or 480 UAC SUPPLY TO T6 M.C.C.
7U480040 L
w FAILURE IN THE 480 FAILURE Itt THE 120
)
UAC LINE UAC C0t4 TROL LIFE ST R
{
FAILS T7 T8 MCCMSFHS i
USES IRCUI HEPMAL EP DO USE 2TeRTER FAIL B PEher.EPS OuERL0hD TRANSFOR-FAILS CLOSE FAIL PELAYS 11Ed FAILS CGIL ge, FAILS 4
.K
!8 3 ruse 4se 3cepe:4se 3 THOR 4to STStp 20 1 FUSE 120 STC1Clae
? pr l9 l
.IE
]y i
~
i, I
l I
[.4C00571-PRES SSUp M D CAT
{fCALMONI-SURE EISTABLE FAILS TOR CURRENT
}
FAILS CUPPENT DUFFER SUFFER FAILS At1SSACAT PTSSACAT SISSACAT ANDSSAAi1 OGi b ONTAC NIT SUFFER BUFFER CONTROL FAILS FAILS MODULE FAILS L8SSAXAM CBSSAXAM ICMSSM M I
l A-14 Babcock & Wilcox
.=co.
n
..~._,.__,- -,,.....
..,,.m.,
I
'40 SIGNAL FROM ACOUSTICAL MONITOP 4
/N SSCS IMPEDES AC00-NITOR h
POWER MO UNAVAIL.
l TOR FAILS j.
ABLE TO ACOUSTICAL MONITOR g
AMEMoveM TV129UAM ELAY OLID OPENS POWER STATE SPURIOUS-UNAUAIL-ELEC-LY ABLE TO TRONICS SSCS FAIL RLSSCSSP TUSSCSAM TV12eVSS i
4 A-15 Babcock & Wilcox e uceermott compear
i PORV RELIEF PATH UNAVAILABLE A1 I
N
/
INOPERABLE ENOV CLOSED Peau A-16 Babcock & WilC0X a McDermott company
1
^
INOPERABLE PORU g
A2 NO SIGNAL
, TO FA{
R TO SOLEHOID OPEN MOTIVE DOES NOT POWER EtERGIZE PORUFLOP PORUSDNE PORUMPV4 4
A-17 babcock & WilCOX e McDermott company
NO SIGHAL CENERATED TO g
OPEN PORU B1
/
S BISTABLE LAY CONTieCT l
TRANSMIT-l FAILS CONTROL FAILS TO FAILS TO TER FAILS POWER CLOSE CLO5E LOW UNAVAIL-ABLE POPUPTFL PORUBISF PORVRFTC PORUCFTC POPUCPVA Ys l
E ik 1-gs.si
!E aa
Enov closto I
A3
/%
i
\\
SPURI
>Y CLOSES EE$gi Enovoe N/
A
~"
t l
LEM!rM PoAULEM A-19 BabC0ck & WilCOX
. =co n
EMOU SPURIOUSLY g
CLOSES C1 P0uER FAULTS CONTPOL FAULTS C2 C3 Y
/%
i N
MOTOR
[ MOTOR TARTE OCIC AND
[c0HTACT
( OPEP(.TES COIL BUFFER GATE EUFFER C
STARTER lfOPERATOP l
OPERATES OPERATES OPEPATES l
l ACTUATES CLOSES SPURIOUS-SPURIOUS-SPURIOUS-ERRCN-ERROM-ERROH-i LV LY LY EOUSLY EOUSLY EOUSLY EMOURSAS EMOUMOCS EMOUSCOS EMOUL50E EMOUAGOE EMOUCFE 1
2 1
F k.k ip k
i=
3
c_
. ~..
4 l
Table A-1.
List of Major Contributors for Pressure Transient Initiating Event Unavailability Event 1 Event 2 Event 3 i
0.22000 x 10-s GVEMOVOD PIPORVC0 0.21800 x 10-8 BSPORVNF GVEMOVOD 0.16720 x 10 s AMEMOVAM EMOVPROC PTPORVC0 0.16568 x 10-8 AMEMOVAM BSPORVNF EMOVPROC 0.60600 x 10-8 GVEMOVOD PORVXXCD 0.51200 x 10-8 GVEMOVOD SOLENXRE 4
j 0.46056 x 10-8 AMEMOVAM EMOVPROC PORVXXCD 0.41250 x 10-s BISSACAT PTPORVC0 0.40875 x 10-s BISSACAT BSr0RVNF 0.38912 x 10-s AMEMOVAM EMOVPROC SOLENXRE 0.32120 x 10-8 CBSSAXAM PTPORVC0 8
0.32120 x 10 LBSSAXAM PTPORVC0 0.31828 x 10-8 BSPORVNF CBSSAXAM 0.31828 x 10-s BSPORVNF LBSSAXAM 0.18480 x 10-8 PTPORVC0 STSTR120 0.18312 x 10-8 BSPORVNF STSTR120 0.12320 x 10-8 AMSSACAT PTPORVC0 0.12320 x 10-s PTPORVC0 PTSSACAT 0.12208 x 10-8 AMSSACAT BSPORVNF 0.12208 x 10-8 BSPORVNF PTSSACAT 0.11363 x 10-8 BISSACAT PORVXXCD 0.10960 x 10-8 GVEMOV0D TUJXXXAM l
Note: Sum of implicants = 0.12858 x 10-".
l 4
{
A-21 Babcock & Wilcox
. m.o a
~
...-m.,
---,.-,..-,.,.-._,---,--~.-m-...--,..
,...-.,__,,_--~m-
, ~. -. _ -,.------ -,
i Table A-2.
Ranking of Basic Event Importance for Pressure Transient Initiating Event Unavailability Event 0
0.10000 x 10 EMOVPROC 0.15200 x 10-1 AMEMOVAN 0.20000 x 10-2/d CVEMOVOD 0.11000 x 10-2 PTPORVC0 0.10900 x 10-2 BSPORVNF 0.37500 x 10-s BISSACAT 0.30300 x 10-8/d PORVXXCD 0.29200 x 10-8 CBSSAXAM 0.29200 x 10-8 LBSSAXAM 0.25600 x 10-8 SOLENXRE 0.16800 x 10-8 STSTR120 0.11200 x 10-8 AMSSACAT 0.11200 x 10-8 PTSSACAT 0.54800 x 10 "
TUJXXXAM Note:
"/d" refers to "per demand."
i I
i l
A-22 Babcock &Wilcox l
. me n -
_ = _ _ _..
~-
Table A-3.
List of Major Contributors for Spurious PORV Opening Initiating Event Unavailability Event 1 Event 2 Event 3 0.43800 x 10-8 GVEMOVOD PTPORVFH 0.36000 x 10-8 BSPORVSP GVEMOVOD 0.33288 x 10-8 AMEMOVAN EMOVPROC PTPORVFH i
i 0.27360 x 10-s AMEMOVAM BSPORVSP EMOVPROC 0.24600 x 10-s GVEMOVOD SOLERXSP 0.18696 x 10-8 AMEMOVAM EMOVPROC SOLENXSP
+
0.82125 x 10-8 BISSACAT.
PTPORVFH j
i 0.72000 x 10-8 GVEMOVOD RLPORVSP 0.67500 x 10-8 PISSACAT BSPORVSP 0.63948 x 10-8 CBSSAXAM PTPORVFH 0.63948 x 10-8 LBSSAXAM PTPORVFH j
0.54720 x 10-8 AMEMOVAM EMOVPROC RLPORVSP 0.52560 x 10-8 BSPORVSP CBSSAXAM 0.52560 x 10-8 BSPORVSP LBSSAXAM 0.46125 x 10 s BISSACAT SOLENXSP i
0.36792 x 10-8 PTPORVFH STSTR120 0.35916 x 10-8 CBSSAXAM SOLENXSP j
0.35916 x 10-8 LBSSAXAM SOLENX'2P 0.30240 x 10-8 BSPORVSP STSTR120
-8 0.29000 x 10 CTPORVSP GVEMOVOD 0.24528 x 10-s AMSSACAT PTPORVFH 0.24528 x 10-8 PTPORVFH PTSSACAT 0.22040 x 10-8 AMEMOVAM CTPORVSP EMOVPROC O.20664 x 10-s SOLENXSP STSTR120 j
0.20160 x 10-8 AMSSACAT BSPORVSP 0.20160 x 10-8 BSPORVSP PTSSACAT 0.13776 x 10-8 AMSSACAT SOLENXSP 0.13776 x 10-8 PTSSACAT SOLENXSP l
l 0.13500 x 10-8 BISSACAT RLPORVSP l
0.12001 x 10-8 ANDSSAAM PTPORVFH I
-8 j
0.10512 x 10
'CBSSAXAM RLPORVSP l-0.10512 x 10-8 LBSSAXAM RLPORVSP 1
l 0.10315 x 10-8 PTPORVFH 3CBRK480 Note: Sum of Implicants = 0.27773 x 10-".
Babcock & WHcox r
_A-23
. scow =mt
~..
c.. -..
. a.
.. =. -
Table A-4.
Ranking of Basic EventImportance/for Spurious PORV Opening Initiating Event Unavailability Event 8
0.10000 x 10 EMOVPROC 0.15200 x 10-1 AMEMOVAM 0.21900 x 10-2/yr PTPORVFH 0.20000 x 10-2/d GVEMOVOD 0.18000 x 10-2/yr BSPORVSP 0.12300 x 10-2/yr SOLENXSP 0.37500 x 10-3 BISSACAT 0.36000 x 10-8/yr RLPORVSP 0.29200 x 10-8 CBSSAXAM 0.29200 x 10-8 LBSSAXAM 0.16800 x 10-8 STSTR120 0.14500 x 10-3/yr CTPORVSP 0.11200 x 10-8 AMSSACAT 0.11200 x 10-3 PTSSACAT 0.54800 x 10-"
ANDSSAAM 0.47100 x 10 "
3CBRK480 Note:
"/d" refers to "per demand."
d A-24 Babcock & Wilcox
.n,
Table A-5.
List of Major Contributors and Ranking of Basic Event Importance for Inoperable PORV Relief Path Unavailability Event 0.17500 x 10-2 EMOVMOCS 0.17000 x 10-2 PORVLEAK 0.11000 x 10-2 PORVPTFL 0.10900 x 10-2 PORVBISF 0.10000 x 10-2 PORVFLOP 0.25600 x 10-3 PORVSDNE 0.13400 x 10-8 EMOVMSAS 0.42000 x 10 "
PORVCFTC O.38400 x 10-"
EMOVCBOE 0.38400 x 10-"
EMOVLBOE 0.35400 x 10-"
PORVRFTC 0.21200 x 10-"
PORVCPVA 0.21200 x 10-"
PORVMPVA Note: Sum of implicants = 0.72266 x 10-2, 1
A-25 Babcock &Wilcox
. = =
,...m..
r Figure A-1.
System Configuration me PRESetetINA sELIEF LM 9
_ _ _ __ _ _ _ _ _ _ q umcavl I
l 9
l
'c gp l
l "" l
- 2 5'=<
L">a J
I
--g i
,to, no v&
UU l_^* sus __*2=__l
__q
'~
l l
NY l
l cao.c l
RELAYS l
SSC$
i
==
o
< a ".,J.
I
.new ac j
I l
.c o s==
zrm L5sc5
_ _ _J l
o n
l 1
I r---,
1 e
l 27tf 27#
a n
l l
.I i
I l
l l
1 c"'
l car I
l l l
.rsi=r l
cc' l
wies I
n d
l c
o, l
l l
l l
l a'e
,ca ca.m com u _._
1 l
o i
s LOGIC l
l 440 VAC l
5'.FPL Y l
l n
l canict I
SEFEft i
l I
4 i
l l
1r I
l I
}
l I
=m 55$ =5^
__ _ _ _ __ _J L_
A-26 Babcock & Wilcox
.co n
_s,
APPENDIX B Human Error Analysis l
B-1 Babcock & Wilcox
. =co....n
HPITHROC - Operator fails to throttle HPI
.999 A=.001 j
999 F
B=.001 y
.99 2
C=.01 D=.003 F3 F4 P(F) = F7+F2+F3+
4
-2 P (F) = 1. 49 x 10 "A" = Operator fails to realize ESFAS initiates HPI pumps (Table 20-3).*
"B" = Fails to resume attention to legend light (Table 20-3).
"C" = Fails to recognize the return of pressurizer level on ATOG scope'(Table 20-5).
l l
"D" = Fails to throttle HPI and realign normal make-up (Table 20-13).
i i
l-
- Note: Tables identified in this appendix are from NUREG/CR 1278.
f i
B-2 Babcock &Wilcox
. =co n
--~.
n,
EMOVAMOC - Operator fails to close block valve-Based on (Acoustical Monitor Signal (TVA) or Position Switch (WPPSS)]
A=.0001
.9999 a
.999 b B=.001
.999 c C=.001 2
.997 d 3
=.003 F4 P(F) = F7+F2+F3+
4 P(F) = 5.09 x 10-3 "A" = Fails to respond to alarm (Table 20-3) (.00005 to.001)
"B" = Incorrectly reads message (Table 20-3) (.0005 to.005)
"C" = Fails to resume attention (Table 20-3) -(.0001 to. 01)
"D" = Selects wrong MOV switch (Table 20-14) ( 001 to.01) l L
I l
\\
Babcock & Wilcox B-3
i EMOVPROC ~- Oper'ator fails' to close block valv'e. based on RC pressure A=.05
.95 B=.05 F
.95 C=.003 F2
.997 y
P(F) = Fy+F
+F 3 P(F) =.1002 %.1 "A" = Operator fails to detect low RC pressure display (Table 20-12).
"B" = Operator fails to properly diagnose that RC pressure drop is due to open PORV path (i.e.) fails to detect quench tank temperature / level rise.
(Table 20-14)
"C" = Operator selects wrong MOV switch (Table 20-14).
i i
B-4 Babcock & Wilcox 1
. m.o n
i APPENDIX C Statistical Modeling of PORV Lifts
)
c-1 Babcock & Wilcox
. uco....n.....,
Assumptions PORV lifts are initiated by seven transient sources with failure rates F,
i=1... 7.
Since the time to failure (initiation of transient) is assumed to be exponential, the number of times the PORV lifts (X ) in time t for each f
transient is given by the Poisson distribution X
(F t) i exp(-F t) f prob (X ) =
X!
After a transient has been initiated, it may lead to a random number of PORV lifts. The probability distribution of a given number of PORV lists is dif-ferent for each source, and it changes from the beginning to the end of each fuel cycle.
For a given transient source, if the transient is init'.ated in the time interval t+At, the number of lifts (y ) is given by the multinomial I
g distribution I
Yi Yki i
Yoi l
7 !*i t " y, gly f yki!
1 (t) 1 l
3 ji ji(t)
The marginal distribution of P(y
) is obtained as exP(-fat) x (x (A
i P(y /x t)P(x )at =
-y
-y
-y
)!y
!+y 1
X1 I i i
1 x=0 p
f x (1 -P
-P
...-Pkh) *(*i ~7v 'YR ~7kt) x P
... P g
(FatPgt) exp(-FatPit)
( AtP2t) exP(-FatP )
=
x x
71t' 72t' (FatPkt) exP (-FatPkt) x I
Ykt c-2 Babcock & Wilcox
. m.o
e J
e--
i--
M 4
Thus, each number (1, 2, etc.) 'of PORV lift cases for source i is distributed independently by Poisson distributions at any time interval t+At.
The number of lifts over the entire time interval 0-t can be obtained by adding the Pois-son distributions over the interval.
If at is taken to be small, this amounts to integration. Thus, the number of single lifts is T
T
]-
F (P ) exp(-F P )
No. of so
<o i
lifts yI T
T F
P exp(-F P )
k lifts =
, etc.
Yk i
Since the sum of independent Poisson distributions is again Poisson distribu-tions, we can obtain the number of single lifts, double lifts, etc. for all transient sources. Thus, the number of single PORV lift cases for all tran-sient sources will have a Poisson distribution with the following parameters:
T T
rT Gi=Ft Pit (t)dt + F2 Ph (t)dt +... + F7 Pt7(t)dt
'O
'O
'0 and T
iT T
G = Ft PM (t)dt + F2 Pk2(t)dt +... + F7 Pk7(t)dt.
k 0
0 0
If the Poisson distributions with parameters G, G, G are simulated in 1
2 k
SAMPLE, yielding simulated variables zt, z2, z, then the total number of lifts k
for each simulation will be given as No. of lifts per = zt + 2z2 + 3zs +... + kz.
simulation k
The probabilities Pd (t)... Pki(t) were btained from the histograms at the beginning and end of fuel life. Assuming that the change occurs linearly with time, the probabilities are given as
[
Pg(t) - P, (0)
Pg(t) = Pd(0) +
xt T
P, (T) - P,(0) l P, (t) = Pd(0) +
2 xT o
c-3 Babcock & Wilcox
. m o.n
-. ~.
. - - _ _ -,. - - - ~ ~... _ - - - - -. - - _ _... - _..
_ - = =.
l I
I where P,1(0) and P, (T) denote the probability of zero lifts at the beginning and end of the fuel cycle, respectively. The probabilities P (t) are seen to be appropriate multinomial probabilities since the sum over 0, 1, 2, etc.
adds up to 1 for any value of t, given that this is true for the initial and final histograms.
Similar modeling was used to derive the probabilities for the number of lifts equal to 1... k.
This type of modeling was used for cases 1 and 2.
In case 3, 'the number of transients in time t is assumed to be given by a Poisson distribution as before. However, in this case, the number of lifts for each transient will be defined by a normal distribution with specified mean and standard deviation (mean = nominal No. of lifts, std = A/2, where !A denotes the maximum and minimum deviations from the mean).
The number of PORV lifts for case 3 is taken as normal with mean xp and vari-2 ance xo, where x is the simulated Poisqon value. Thus, a random value of x was obtained first, and then a random number of lifts could be determined:
No. of lifts = xp + z/xor where z is simulated normal with mean zero and a variance of 1.0.
Statistical Simulation Cases Case 1 Case 2 Case 3 Turbine trip without Turbine trip with Overcooling: HPI reactor trip reactor trip repressurization Trip one FW pump Trip one FW pump Trip one RC pump Trip one RC pvmp Load rejection Load rejection Ramp one FW valve Ramp one FW valve 50% closed 50% closed Rod drop Rod drop Note: The expected contribution to total PORV demand from case 3 must be qualified by an operator error probabil-I ity (operator fails to throttle HPI) before it can be added to cases 1 and 2.
6 l
C-4 Babcock &Wilcox
. m.o a
Initiating Event Frequencies i
Frequency, j
Transient times /rx-yr*
Turbine trip 1.120 Trip one FW pump 0.229 Trip one RC pump 0.019 Load rejection 0.095 j
Ramp one FW valve 50%
0.457 i
closed I
Cvercooling: HPI re-0.263 j
pressurization Rod drop 0.372 4
g
- rx-yr: reactor year.
Notes
- 1. Rod drop frequency was determined over all i
power ranges. All other event frequencies s
were determined when the reactor was in operation above 70% power.
- 2. The fuel cycle was assumed to be 12 months.
- 3. Downtimes are inherent in the initating event frequency.
i e
i i
f i
s i
f I
c-5 Babcock & Wilcox
. =co..a..,
t
., ~
, -. ~ - - -. - -... -, --
. -,., -. -,, - - - -,, - _ ~
a,.-
I APPENDIX D Failure Data D-1 babcock & WilCOX e McDermott company
m l
' Code Source Unavailability PORVXXCD B&W Proprietary 3.03 x 10-"/d SOLENXRE IEEE, p. 387*
2.56 x 10-"
PTPORVC0 IEEE, p. 428 1.10 x 10-3 BSPORVNF IEEE, p. 483 1.09 x 10-3 RLPORVF0 IEEE, p. 155 3.54 x 10-s CIPORVFO IEEE, p. 174 4.20 x 10-5 PTPORVFH IEEE, p. 428 2.19 x 10-8/yr BSPORVSP IELE, p. 483 1.80 x 10-3/yr RLPORVSP IEEE, p. 155 3.6 x 10-"/yr GVEMOV0D B&W Proprietary 2.00 x 10-3/d CTPORVSH IEEE, p.
174 6.02 x 10-8
-5 TUJXX M B&W Proprietary 5.48 x 10 SOLENXSP IEEE, p. 387 1.23 x 10-3/yr CTPORVSP IEEE, p. 174 1.45 x 10-"/yr AMEMOVAM EW Proprietary 1.52 x 10-2 PSEMOVAM IEEE, p. 452 4.89 x 10-"
PTEMOVFH IEEE, p. 428 9.13 x 10-5 3 FUSE 480 IEEE, p. 193 2.30 x 10-s 3 CBRK 480 IEEE, p. 148 4.71 x 10-5 3 THOR 480 IEEE, p. 155 3.94 x 10-s MCCMSFNS IEEE, p. 171 4.42 x 10-s 1 FUSE 120 IEEE, p. 193 7.67 x 10-8 STCIC120 IEEE, p. 162 2.45 x 10-5 TUSSCS AM B&W Proprietary 5.48 x 10-s
-5 RLSSCS SP B&W Proprietary 1.69 x 10 AMSSACAT IEEE, p. 475 1.12 x 10-"
PTSSACAT IEEE, p. 475 1.12 x 10-"
BISSACAT IEEE, p. 483 3.75 x 10-"
ANDSSAAM B&W Proprietary 5.48 x 10-5 LBSSAXAM MIL-HDBK 217-C 2.92 x 10-"
CBSSAXAM MIL-HDBK 217-C 2.92 x 10-"
j ICMSSAAM IEEE, p. 177 2.10 x 10-5
- IEEE: IEEE Std 500-1977.
9-2 Babcock a.Wilcox
.=co
.n....
Code Source Unavailability TV120VAM B&W Proprietary 3.11 x 10-5 TV120VAC B&W Proprietary 3.11 x 10-5 TV120VSS B&W Proprietary 3.00 x 10-5 TV480VAC B&W Proprietary 2.12 x 10-5 STSTR120 IEEE, p. 372 1.68 x 10 "
PORVFLOP B&W Proprietary 1.00 x 10-8/d PORVLEAK NPRDS, p. 573 1.70 x 10-3 PORVSDNE IEEE, p. 387 2.56 x 10-"
PORVMPVA B&W Proprietary 2.12 x 10-5 3
PORVPTFL IEEE, p. 428 1.10 x 10 PORVBISF IEEE, p. 483 1.09 x 10-3 PORVRFTC IEEE, p. 155 3.54 x 10-5 PORVCFTC IEEE, p. 174 4.20 x 10-s PORVCPVA B&W Proprietary 2.12 x 10-5 D40VMSAS IEEE, p. 171 1.34 x 10-"
EMOVMOCS NPRDS, p. 617 1.75 x 10-8 EMOVSCOS IEEE, p. 162 2.02 x 10-5 EMOVACOE B&W Proprietary 7.20 x'10-5 EMOVLBOE MIL-HDBK 217C 3.84 x 10-5 EMOVCBOE MIL-HDBK 217C 3.84 x 10-5 i
D-3 Babcock & Wilcox
.mo a.
.m
APPENDIX E Event Sequences E-1 Babcock & WilCOX
. = c o.,..n c..,
l 1.
Overcooling Scenario i
Operator PORV Code throttles relief path safeties HPI available reseat S
ESFAS 3
HPITHROC 3
PORV SV F 3 (0.263/yr)(1.49 x 10-2)(7.23 x 10-s)(2.29 x 10-2)(15)
F
=
3 4
l
= 9.73 x 10-5/yr*
i 2.
Overheating Events F2:
loss of main feedwater and no auxiliary feedwater, given that normal electric power is available.
(UdFW)(AFW/AC)
F
=
2 (1.78/yr)(3 x 10-5)
=
= 5.34 x 10-5/yr F: loss of offsite' power and no auxiliary feedwater, given that diescis are 3
operative.
(LOOP)(AFW/ diesels)
F
=
3 (0.03/yr)(3 x 10-")
=
-8
=9x 10 /yr l
1 i
l l
- In this scenario the safety valves are challenged 15 times.
E-2 Babcock & Wilcox l
.me
- a. -
i F:
loss of offsite power and no auxiliary feedwater, given that diesels fail.
g (LOOP)(diesels)(AFW/ diesels)
F
=
g i
= (0.03/yr)(3.2 x 10-3)(3 x 10-3)
= 2.88 x 10-7/yr Event Sequence Failure Data Event Failure rate 4
LOOP 0.03/yr 4
diesels 3.2 x 10-8/ demand AFW/ diesels 3x 10-"/ demand AFW/ diesels 3x 10-8/ demand AFW/AC 3x 10-s/ demand 4
LMFW 1.78/yr ESFAS 0.263/yr HPITHROC 1.49 x 1,0-2/ demand PORV 7.23 x 10-8/ demand IUI 2.29 x 10-2/ demand 4
1 i
i t
i ll I
E-3 Babcock & Wilcox
. m.o r.
....,,..,...,, _ _ _ _ -,.., _,.. - -....,. _, ~,.
APPENDIX F Monte Carlo Simulation l
l l
i F-1 Babcock & Wilcox
. uco....n
e l
A Monte Carlo simulation was executed using the SAMPLE code to verify that the l
i incidence of PORV block valve closures, prior to PORV closures, is reasonably low. The model considers three random vsriables. First, one variable is used to adjust the true (without error) pressurizer pressure to the true (without error) RCS pressure. This variable, X(1), is assumed to b9 uniformly distrib-uted over the range of 40 to 60 psi. A second random variable is used to re-flect the error on the RCS. This variablu, X(2), is assumed to be normally distributed with a mean of zero and a variance of 306.25 (standard deviation i
of 17.5 psi). The third random variable is the sensed pressurizer pressure, i
X(3), which is taken to be normally distributed about 2270 psi with a variance of 625 (standard deviation of 25 psi).
The Monte Carlo program samples a pressurizer value, X(3), and compares it to an adjusted sensed RCS pressure, RCS, where RCS = 2270.0 - X(1) + X(2)
- 17.5.
If X(3) is greater than 2270.0 and RCS is less than or equal to 2170.0, then the trial results in a block valve closure prior to a PORV closure.
i 4
I i
1 l
f F-2 Babcock & WilCOX
. me
...,- - - -., -,.