ML20081D099
| ML20081D099 | |
| Person / Time | |
|---|---|
| Site: | Crystal River |
| Issue date: | 10/31/1983 |
| From: | Papazoglou I, Youngblood R BROOKHAVEN NATIONAL LABORATORY |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| CON-FIN-A-3393 BNL-NUREG-51626, NUREG-CR-3081, NUDOCS 8310310444 | |
NUREG/CR-3081
BNL-NUREG-51626

Review of the Crystal River Nuclear Generating Station Unit No. 3 Emergency Feedwater System Reliability Analysis

Prepared by R. Youngblood, I. A. Papazoglou
Brookhaven National Laboratory
Nuclear Regulatory Commission
NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

The views expressed in this report are not necessarily those of the U.S. Nuclear Regulatory Commission.
NUREG/CR-3081
BNL-NUREG-51626

Review of the Crystal River Nuclear Generating Station Unit No. 3 Emergency Feedwater System Reliability Analysis

Manuscript Completed: November 1982
Date Published: October 1983

Prepared by R. Youngblood, I. A. Papazoglou
Brookhaven National Laboratory
Upton, NY 11973

Prepared for
Division of Safety Technology
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
NRC FIN A3393
ABSTRACT

The purposes of this report are to review the "Emergency Feedwater System Upgrade Reliability Analysis for the Crystal River Nuclear Generating Station Unit No. 3", and to provide an independent evaluation of the Emergency Feedwater System reliability. This report presents estimates of the probability that the Emergency Feedwater System will be unavailable given each of three different initiators: (1) loss of main feedwater with offsite power available, (2) loss of offsite power, (3) loss of all 4160 VAC power. The scope, methodology, and failure data are prescribed by NUREG-0611, Appendix III.
TABLE OF CONTENTS

ABSTRACT
LIST OF TABLES
SUMMARY
1. INTRODUCTION
2. SCOPE
3. SYSTEM MISSION AND SUCCESS CRITERIA
4. SYSTEM DESCRIPTION
5. QUALITATIVE RELIABILITY ANALYSIS
   5.1 Single Point Failures
   5.2 Common Cause Failures
       5.2.1 Potential for Common Cause Failures Related to Support Systems
             5.2.1.1 Cooling
             5.2.1.2 Instrument Air
             5.2.1.3 Electric Power
             5.2.1.4 Control Logic
6. QUANTITATIVE RELIABILITY ANALYSIS
   6.1 Limitations of Methodology
   6.2 Approach of the FPC Study vs. Approach of the BNL Review
   6.3 Assumptions
   6.4 Dominant Failure Modes
   6.5 Comparison of FPC Failure Probabilities with Failure Probabilities Used in the BNL Review
7. RESULTS
   7.1 Qualitative Results
   7.2 Quantitative Results
REFERENCES
APPENDIX A: Conversion of FPC Results to NUREG-0611 Format
APPENDIX B: Questions and Answers
APPENDIX C: Formal Response of FPC to Questions
LIST OF TABLES

Table 6.1A  Contributors of Q1H (LMFW)
Table 6.1B  Contributors to Q2H (LMFW)
Table 6.2   Results for Q1 and Q2
Table 7.1   EFWS Unavailability
Table A.1   FPC Results
SUMMARY

Florida Power Corporation has submitted an analysis of the reliability of the upgraded Emergency Feedwater System at Crystal River Nuclear Generating Station Unit No. 3. The present report presents a review of the submittal, and also presents an independent estimate of the failure probability of the

For different loss of main feedwater conditions and different success criteria, the failure probability per demand of the Emergency Feedwater System has been evaluated using methodology and data put forth in NUREG-0611 (1). The results are as follows:

| Initiator | Failure probability to avoid dryout | Failure probability to supply EFW within 20 minutes |
|---|---|---|
| 1. Loss of Main Feedwater (LMFW) | 1.4 x 10^-3 | 5.4 x 10^-4 |
| 2. Loss of Offsite Power (LOOP) | 2.8 x 10^-3 | 1.3 x 10^-3 |
| 3. Loss of all AC (LOAC) | 3.9 x 10^-2 | 2.2 x 10^-2 |

The column "Avoid Dryout" gives the probability per demand of failure to prevent dryout, given each of the three initiators. These results have been obtained under the assumption that there is no time for any recovery action, and thus, the calculations do not include any credit for operator action to recover from malfunctions or maintenance errors. The probability of failure to deliver emergency feedwater within 20 minutes has also been calculated and is given in the second column of the Table for the various initiators. This mission success requirement is less restrictive as far as the available time for recovery is concerned and, therefore, credit has been given for operator actions.
1. INTRODUCTION

The purposes of this study are: 1) to review and evaluate a Reliability Analysis (2) of the Emergency Feedwater System (EFW) of Crystal River Nuclear Generating Station Unit No. 3 (CR-3) prepared by Babcock & Wilcox (BW) for Florida Power Corporation (FPC) and submitted to the Nuclear Regulatory Commission (NRC); and 2) to perform an independent reliability analysis of the EFW system using methodology and data put forth in NUREG-0611 (1).

After the accident at Three Mile Island, a study was performed of the Auxiliary Feedwater Systems (AFWS) of all then-operating plants. The results obtained for operating Westinghouse-designed plants were presented in NUREG-0611 (1). At that time, the objective was to compare Auxiliary Feedwater System (AFWS) designs; accordingly, generic failure probabilities were used in the analysis, rather than plant-specific data. Some of these generic data were presented in NUREG-0611. The probability that the AFWS would fail to perform its mission on demand was estimated for three initiating events: LMFW, LOOP, and LOAC.

Since then, each applicant for an operating license has been required (Ref. 3) to submit a reliability analysis of the plant's AFWS, carried out in a manner similar to that employed in the NUREG-0611 study. In addition, some operating plants have also submitted reliability analyses of upgraded Auxiliary Feedwater Systems.

Recently, a quantitative criterion for AFWS reliability has been defined by NRC (4) in the New Standard Review Plan (SRP).

"... An acceptable AFWS should have an unreliability in the range of 10-4 to 10- per demand based on an analysis using methods and data presented in NUREG-0611 and NUREG-0635. Compensating factors such as other methods of accomplishing the safety functions of the AFWS or other reliable methods for cooling the reactor core during abnormal conditions may be considered to justify a larger unavailability of the AFWS."

The objective of the study is, therefore, to analyze the reliability of the CR-3 EFWS*, using methodology and data presented in NUREG-0611, in order to facilitate and supplement the qualitative review of the system design and, at the same time, assess whether the EFWS meets the quantitative criteria mentioned above.

The report is organized as follows: Section 2 presents the scope of the present study. Section 3 discusses the mission success criteria for the EFWS and highlights the important differences between the definition of EFWS success for B & W plants and Westinghouse plants. The latter were the subject of the analysis in NUREG-0611. Section 4 describes the basic configuration and characteristics of the EFWS. Section 5 discusses the qualitative aspects of the reliability of the system and presents the dominant contribution to the unavailability. Section 6 presents the quantitative analysis and compares the results and approaches used in the FPC study with those of this study. Finally, Section 7 summarizes the results.

* At some plants, the system which supplies feedwater after a total loss of main feedwater is called the Auxiliary Feedwater System (AFWS), while at others, it is called the Emergency Feedwater System (EFWS). At CR-3, it is called the EFWS.
2. SCOPE

The scope of the reliability analysis of the AFWS is defined in Appendix III of NUREG-0611. In the present study, the probability that the EFWS will not perform its mission on demand is calculated for two mission definitions and three types of demands. The two mission success definitions were necessary because of the substantial differences between the B & W plants and the Westinghouse plants. The success criteria stipulated by NUREG-0611 were based on the Westinghouse design. For the B & W plants the following two success criteria are considered:

1) Avoid dryout of the steam generators; and
2) Supply the steam generators with EFW within 20 minutes of the demand.

The failure to supply water to make up for a loss of main feedwater is estimated for different conditions, namely,

1) Loss of Main Feedwater without Loss of Offsite Power (LMFW).
2) Loss of Main Feedwater associated with Loss of Offsite Power (LOOP).

Since the purpose of this analysis is to assess the important characteristics of the EFWS design configuration, detailed modeling of support systems such as electrical power (both AC and DC), service water, instrument air etc. was not performed. Such an undertaking is beyond the stated scope of the BNL reviews, although some effort was made to note major impacts of these support systems on AFWS failure probability. The goal is a rudimentary understanding of the properties of the design of the EFWS. To this end, standardized data are used wherever they are available (emergency AC is schematically represented by the diesel generators) or assumed to be available (e.g., DC power is assumed available), although in some cases where such a system is seen to introduce a common cause mechanism, this is pointed out (as in the case of instrument air).

The quantity calculated here is the unavailability of the EFW system due to fluid system failures, maintenance acts, human errors, and failure to initiate, with mission success defined below (Section 3). "Unavailability" means (here as in NUREG-0611) "the probability per demand that the system will fail to perform its mission". The FPC report deals with a number of additional failure modes, including steam generator overfill due to EFW control failures, spurious isolation of the steam generators, etc. These failures lie beyond the scope of NUREG-0611, and are beyond the scope of this report.
3. MISSION AND SUCCESS CRITERIA

In the FPC reliability study (2), mission success is defined as attainment of adequate flow from at least one pump to at least one steam generator. In the Revised System Description, the minimum acceptable flow is given as 740 gpm at a SG pressure of 1050 psig, and the maximum acceptable time for achievement of this flow is given as 50 seconds from the time an initiation signal is given.

There are two time scales to consider. One is a 20-minute deadline for EFWS initiation, which refers to a point up to which EFWS initiation can prevent core damage. According to NUREG-0667 (3), "For plants with reactors designed by B&W, analyses prepared by B&W concluded that a period of approximately 20 minutes is available after loss of all feedwater for the operator to either (1) restore feedwater (either auxiliary or main), or (2) start the HPI pumps and enter into a "feed-and-bleed" method of core cooling. This available time is consistent with independent staff analyses". [page 5-32 of Ref. 3]

On the other hand, it is acknowledged that "...B&W-designed 177-FA plants show some unique levels of sensitivity in their response and recovery from anticipated transients involving overcooling and undercooling events as well as small-break loss of coolant accidents. The recovery from such events has often led to undesirable challenges to engineered safety features (ESF) systems. This sensitivity stems mainly from the small heat sink resulting from the operation of the once-through steam generator (OTSG), which is an inherent design feature of the B&W reactor plants... [page 2-1 of Ref. 5]... B&W plants place a premium on the reliability with which the auxiliary feedwater starts are properly timed. The penalty for late starts is an increased likelihood of transient-induced LOCA." [p. 7-8]

Therefore, for each initiator (LMFW, LOOP, and LOAC), failure probabilities are calculated for each of two mission success criteria:

1) Failure to deliver flow from at least one pump to at least one steam generator, with no credit for operator action;
2) Failure to deliver flow from at least one pump to at least one steam generator within 20 minutes, allowing credit for some operator actions within this time.

The top event for NUREG-0611 purposes is steam generator dryout. It is considered that dryout occurs on a sufficiently short time scale that no credit for operator actions is warranted. Thus, for NUREG-0611 purposes, mission criterion 1) above is applied.
4. SYSTEM DESCRIPTION

CR-3's EFW system (Figure 2) consists of two pump trains, each of which can supply feedwater through separate flow paths to either of the two steam generators. Emergency Feedwater Pump #1 (EFP-1) is electric motor driven; until recently, it has required cooling water from the nuclear service closed cycle cooling system (NSCCCS). This cooling water supply in turn requires AC (two of the five pumps supplying EFP-1 are provided with diesel-backed AC). (Note: According to plant personnel [Appendix B], both pumps are now self-cooled, and no longer rely on the NSCCCS. In this analysis, credit has been given for this.) EFP-2 is steam turbine driven, and is capable of supplying its own cooling and lubrication.

The primary suction source is the condensate storage tank. The backup source is the condenser hotwell. Switchover is manual. An interlock is provided to ensure that the condenser vacuum is broken before valves to the hotwell are opened. (There is a check valve in the line from the hotwell that would prevent diversion of the flow from the CST to the hotwell in the event of inappropriate opening of the valves. This check valve corresponds to an NRC suggestion. Otherwise, the NRC concerns (Reference 2) about manual vs. automatic switchover, suitability of condenser hotwell as a backup source, etc. continue to apply.)

The flow control valves in each of the four discharge paths are normally closed; all other manual or AC-powered motor-operated stopcheck valves in the normal flow paths are normally open. Manual valves in the line from the CST and in the recirculation paths are locked open. Motor-operated stopcheck valves on the discharge sides and motor-operated valves on the suction sides of the pumps are closed for pump maintenance.

Pumps are tested monthly on a staggered schedule, with valves in their normal positions; that is, the pumps are recirculating water back to the CST. This verifies that the suction valves and the recirculation valves are open, but not that anything else in the discharge side is open. The four discharge paths are tested during shutdown and during emergencies.

The system is initiated automatically or by operator action. There is no dedicated operator. Flow is controlled by flow control valves in each of the four discharge paths. These valves are controlled by the logic to maintain SG level at appropriate set points. In addition, there are isolation valves in each path which are controlled by vector logic.
5. QUALITATIVE RELIABILITY ANALYSIS

There are two trains in the EFWS (see Figure 1). Each train consists of one pump and a pair of discharge paths, one to each steam generator. Mission success is defined as adequate flow from one pump to one steam generator within the appropriate time (see Section 3). Therefore, failure of the EFW is:

$$\text{Failure of both trains} = (Q_1 + A_1 B_2)(Q_2 + A_2 B_1) = Q_1 Q_2 + Q_1 A_2 B_1 + Q_2 A_1 B_2 + A_1 A_2 B_1 B_2$$

where
Q1 = inadequate flow out of EFV-7 (EMD train)
Q2 = inadequate flow out of EFV-8 (turbine train)
A1 = flow path from EFV-7 to SGB blocked
A2 = flow path from EFV-8 to SGB blocked
B1 = flow path from EFV-8 to SGA blocked
B2 = flow path from EFV-7 to SGA blocked

The dominant system cut sets are contained in Q1Q2. Most of these events are double failures, products of large single contributors to Q1 multiplying large single contributors to Q2. These will be discussed in Section 6.
5.1 Single Point Failures

Event Q1Q2 contains at least one single failure: blockage of the single valve (CDV-103) in the line coming from the CST. There is likewise a single valve (CDV-104) in the common recirculation path back to the CST; if lack of recirculation can fail the pumps, then this is a single failure. These valves are locked open, and are implicitly tested every time either of the pumps is tested (which is to say bi-weekly).
5.2 Common Cause Failures

Event A1A2B1B2 contains at least one double event; both paths entering SGA converge at a single check valve, and similarly for SGB, so that a double check valve blockage fails the system. In the absence of common interaction, this is not a significant contributor. Apart from this, the seeming redundancy of the flowpaths suggests that they contribute only to higher-order cut sets (3 or more failures, e.g., Q1A2B1). This is true only if there are no commonalities. There are examples in the LER files of events which bear on this question. At Arkansas Nuclear One, which has flowpath redundancy comparable to that of CR-3, a maintenance error disabled two flowpaths on one occasion (4/6/80), and on another occasion (5/22/79) the unexplained lifting of cable leads disabled two paths. Thus, system failures involving flow paths may not be wholly negligible, especially those involving coupled maintenance errors. However, they are unlikely to dominate the other system failures discussed here. (See also Appendix B, Question 10, with regard to spurious isolation.)
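An added example, not taken from the BNL report or the FPC study: a Python sketch that multiplies out the Section 5 top event into minimal cut sets, adds the two Section 5.1 single valves, and then shows how a shared cause across two flow paths turns a triple cut set into a double. The probabilities for Q1, Q2 and the flow paths, and the coupled-error event `CC`, are constructed placeholders; only the 1 x 10^-4 for CDV-103 and CDV-104 is a value quoted in the report (Section 6.4), and all basic events are assumed independent.

```python
"""Added example: minimal cut sets for the Section 5 top event (not the report's code)."""
from itertools import product
from math import prod

# Section 5 top event, (Q1 + A1*B2) * (Q2 + A2*B1), as an AND of OR-gates.
# Each OR-gate alternative is a set of basic events that must all occur.
TOP_EVENT = [
    [{"Q1"}, {"A1", "B2"}],  # no flow from the EFV-7 (motor-driven) train
    [{"Q2"}, {"A2", "B1"}],  # no flow from the EFV-8 (turbine-driven) train
]
# Section 5.1 single point failures, OR-ed with the two-train failure.
SINGLES = [{"CDV-103"}, {"CDV-104"}]

# Per-demand basic event probabilities. Only the CDV values are quoted in the
# report (Section 6.4); every other number is a constructed placeholder.
P = {
    "CDV-103": 1e-4, "CDV-104": 1e-4,
    "Q1": 2e-2, "Q2": 5e-2,
    "A1": 1e-3, "A2": 1e-3, "B1": 1e-3, "B2": 1e-3,
    "CC": 1e-4,  # hypothetical coupled error blocking both EFV-7 flow paths
}


def minimize(cut_sets):
    """Drop duplicates and any cut set that strictly contains another (absorption)."""
    unique = {frozenset(c) for c in cut_sets}
    minimal = [c for c in unique if not any(other < c for other in unique)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


def expand(and_of_ors, extra=()):
    """Multiply out an AND of OR-gates, OR in `extra`, return minimal cut sets."""
    products = [set().union(*combo) for combo in product(*and_of_ors)]
    return minimize(products + [set(e) for e in extra])


def substitute(cut_sets, replacements):
    """Replace a basic event by an OR of alternatives, e.g. A1 -> A1 + CC."""
    out = []
    for cs in cut_sets:
        choices = [replacements.get(event, [event]) for event in sorted(cs)]
        out.extend(set(combo) for combo in product(*choices))
    return minimize(out)


def rare_event_sum(cut_sets, p):
    """Point estimate: sum over cut sets of the product of event probabilities."""
    return sum(prod(p[e] for e in cs) for cs in cut_sets)


def exact_probability(cut_sets, p):
    """Exact top event probability by enumerating every basic event state."""
    events = sorted(set().union(*cut_sets))
    total = 0.0
    for states in product([False, True], repeat=len(events)):
        failed = {e for e, s in zip(events, states) if s}
        if any(cs <= failed for cs in cut_sets):
            total += prod(p[e] if s else 1 - p[e] for e, s in zip(events, states))
    return total


if __name__ == "__main__":
    base = expand(TOP_EVENT, SINGLES)
    # A1 and B2 are the two discharge paths of EFV-7; CC fails both at once.
    coupled = substitute(base, {"A1": ["A1", "CC"], "B2": ["B2", "CC"]})
    for title, sets in (("independent flow paths", base), ("with CC", coupled)):
        print(title)
        for cs in sets:
            print(f"  order {len(cs)}: {' * '.join(sorted(cs))}")
        print(f"  point estimate {rare_event_sum(sets, P):.3e}, "
              f"exact {exact_probability(sets, P):.3e}")
```

With independent flow paths the only double is Q1*Q2; once `CC` is introduced, CC*Q2 appears as a second double, which is the effect the "no commonalities" caveat above describes.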
5.2.1 Potential for Common Cause Failures Related to Support Systems

The scope of the present reviews is almost entirely confined to the AFWS itself. Although an effort has been made to note significant dependences on support systems, it must be recognized that detailed explicit modelling of these systems is beyond the scope of these reviews, and is moreover a practical impossibility given the character of the information provided.

5.2.1.1 Cooling

Both pumps are self-cooled, in that they do not depend on service water. Environmental requirements (e.g., room cooling) of the pumps are not known. The potential for environmental common cause failures has not been evaluated.

5.2.1.2 Instrument Air

The four control valves depend on air, and are designed to fail open on loss of air. Valves in the same train are connected to different air sources. Thus, loss of one air train causes two valves to fail open. This does not prevent delivery of water to the steam generators, but leads in the direction of overcooling or overfilling.

5.2.1.3 Electric Power

Only the dependence of the AFWS on diesel-backed AC has been evaluated here. DC and vital AC are assumed available. The usual 1E separation minimizes the potential for common cause failures arising in this area. A question in this area was raised with FPC, who verified that no power failure would cause the control logic to isolate more than one path from a given pump (see Appendix B).

5.2.1.4 Control Logic

The various channels of control logic are nominally separate and redundant. The potential for common cause failures in this area is, therefore, not due to physical hardware dependences, but rather to external agents affecting multiple channels, e.g., human error. An example of a possible common cause failure involving logic would be a multiple miscalibration of bistables, such that the logic would not respond correctly to a low-low level. This kind of detail appears to be beyond what was intended by NUREG-0611, in which actuation logic failure was modularized and given a value of 7 x 10- per train.
6. QUANTITATIVE RELIABILITY ANALYSIS

6.1 Limitations of the Reliability Analysis

The significance of the point estimates obtained in this review is best illuminated by the following quotation from NUREG-0611 (page III-19):

"The data was applied to the various identified faults in the fault logic structure and a point value estimate was determined for the top fault event (i.e., AFW System unavailability). Such an approach is considered adequate to gain those engineering and reliability based insights sought for this AFW System reassessment. As noted, no attempt was made to introduce the somewhat time consuming, calculational elegance, associated with the process of error propagation into this assessment (e.g., Monte Carlo). Prior experience with such a calculational process has revealed a somewhat predictable outcome that, even with the very redundant system, could be slightly higher than the point value solution (e.g., factor of approximately three times higher than the point value and usually less). Should there exist a clearly overwhelming fault in a systems design, then the process of error propagation would be expected to be merely one of higher elegance and it would yield no important change to the quantitative solution".

It should be appreciated that not only is the median higher than the point estimate, but there is (by definition) a 50% chance that the actual unavailability is greater than the median.

Clear cut dependencies or commonalities have been sought in the analysis, but parametric modeling of common cause failures (e.g., beta factor treatments) has been considered to be beyond the scope of this report.
6.2 Approach of the FPC Study vs. Approach of the BNL Review

Data Base: The FPC study does not give details of basic event probabilities. According to Paragraph 2.3 of the study, generic data were obtained and then made plant-specific to CR-3 by incorporating CR-3 experience. The approach taken in the present analysis is to use data provided in NUREG-0611 and WASH-1400 (6), wherever these exist.

Unavailability for Different Initiators: The FPC study does not present unavailability given LMFW, unavailability given LOOP, and unavailability given LOAC; it presents unavailability averaged over the initiators. In this review, unavailability is calculated for the three different initiators. (See Appendix A.)

Level of Detail in the Fault Tree: The FPC fault trees go into considerable detail in treating the actuation and control logic. NUREG-0611, on the other hand, simply assigns 7 x 10- as the failure probability of each channel. Although some qualitative information is provided about the details of the actuation and control logic, its relative newness and our lack of information concerning its details prevent us from offering a meaningful independent estimate of its failure probability within the scope of this review. Accordingly, we adopt the 7 x 10- figure given in NUREG-0611. Note, however, that the conclusions are sensitive to this.

Mission Success Criterion: The FPC study provides conclusions for unavailability given no operator intervention for 20 minutes, and unavailability given credit for operator intervention. This is a useful distinction, which will be observed here (see Section 3).

Failure of Normal Suction: Failure of CDV-103 (see Figure 1) to remain open does not appear on the FPC fault tree.

Failure of Recirculation: Failure of recirculation valves to remain open does not appear on the FPC fault tree.
6.3 Assumptions

Valve Maintenance: NUREG-0611 indicates that valve maintenance should be assessed. In some studies, this has been done (notably the RSSMAP study (7) of Oconee). WASH-1400 indicates (Page III-40) that maintenance on valves should be assessed, but the only important contributor showing up in Table II 5-9 is maintenance on the steam admission valve. WASH-1400 acknowledges that maintenance is performed on the MOV's in the AFWS, but in that system the multiplicity of flow paths is such that these contributions to system unavailability are negligible.

Here, the difficulty of isolating certain valves causes valve maintenance to contribute in spite of the seeming redundancy of flowpaths. Consider maintenance on EFV-33 (see Figure 1). In order to isolate this valve from the high-pressure discharge of EFP-1, it is necessary to close EFV-7, which isolates EFP-1 not only from the flowpath being maintained but also from its only alternative flowpath. From an unavailability point of view, then, maintenance on EFV-33 is logically equivalent to maintenance on EFP-1. A similar remark applies to EFV-14 for EFP-1, EFV-11 for EFP-2, and EFV-32 for EFP-2. These contributions are tabulated in Q1M and Q2M.

Maintenance of either EFV-3 or EFV-4 that required their isolation would involve closing the single manual valve that isolates the CST from the EFWS. Suction would then be available only after breaking of the condenser vacuum and opening of whichever one of EFV-1 and EFV-2 could provide suction to its train. It would be effectively impossible to actuate the EFWS automatically under these conditions. It is therefore assumed here that maintenance on EFV-3 and EFV-4 is performed only during shutdowns.

This leaves EFV-7 and EFV-8. Maintenance on these valves is assessed as per NUREG-0611, Page III-76, and included in Q1M and Q2M, respectively.
Spurious Closure Event: This event appears on the FPC fault tree. The event is a random inappropriate closure of a motor-operated valve by a glitch in its control circuit. The hourly probability of this is low, but it enters the analysis because components which are downstream of where the recirculation path branches off are tested only during shutdowns and emergencies, so that the exposure time is long. Here, it has been assumed that there is a quarterly challenge to the EFWS.

Fault Duration of Maintenance Errors: Although a train may be left disabled after maintenance with a certain probability (valve left closed, steam admission left disabled, etc.), credit could arguably be given in many cases for recovery of these faults at the next monthly test. Since it is assumed here that pump maintenance occurs every 4.5 months, this would reduce the demand unavailability by a factor of 1/4.5. The argument becomes complicated, however, if maintenance of other components is factored in: e.g., pump maintenance might occasion a given error in January, May, etc., while maintenance on an associated downstream valve might occasion the same error in February, June, etc. In other words, uncorrelated maintenance acts on different components tend to wash out the recovery probability. FPC took no credit for recovery of this kind. Credit has also not been given here. In this report, more errors have been assessed, so the impact of this "conservatism" is correspondingly greater. Full credit for an operability test following each maintenance act would have a substantial impact on the results.
6.4 Dominant Failure Modes Singles: For scenarios in which no operator intervention is considered, the failure of CDV 103 to remain open (1 x 10-4) is a dominang is dictated failure.
This does not appear on the FPC fault tree.
The value of 10-by NUREG-0611.
Some would consider this conservative; on the other hand, were this not a single failure point, it would not contribute much to the system unavailability.
The point is that suction switchover is manual and re-latively involved, and failure to diagnose loss of suction can quickly lead to damage of the pumps.
There is also a valve (CDV-104) in the common recirculation path.
The information presently avaliable to BNL indicates that flow from the EFWS is blocked until SG 1evel reaches the setpoint.
If the RC pumps are running, this setpoint is 3', which is substantially lower than normal operating level.
Therefore, depending on the circumstances, recirculation is required for a period of several minutes, or there will be no flow through the pumps.
If the pumps sustain damage on this time scale, and the plant personnel were not reassuring on this point (question 11, Appendix B), then CDV-104 is a single failure point of the system.
Evidently, the manual valve and check valve in each train's recirculation line likewise become contributors to the failure of their respective trains.
Quantification of this event is problematic.
NUREG-0611 prescribes 10^-4 for plugging of CDV-104; ideally, this should be reduced by a factor which takes into account the variation in times for which recirculation is required, the possibility that the pumps can survive, etc.
It seems unlikely that this "optimism factor" is as low as 10^-2, and it may well be of order unity.
Here, it is omitted.
This gives 10^-4 as the probability that recirculation will be unavailable and that the pumps will suffer damage as a result.
In Table 7.1, "Singles" has the value 2 x 10^-4, which is 10^-4 each for CDV-103 and CDV-104.
Doubles:
The important doubles are contributions to Q1 multiplying contributions to Q2, where Q1 = unavailability of the EMD train from EFV-3 to EFV-7, inclusive, and Q2 = unavailability of the STD train from EFV-4 to EFV-8, inclusive.
(There may be doubles arising from commonalities between pairs of flow paths which are isolable by a given logic channel.)
Contributions to Q1 and Q2 are given in Table 6.1.
6.5 Comparison of FPC Failure Probabilities with Failure Probabilities Used in the BNL Review
The FPC study used plant-specific failure probabilities, some of which were made available to BNL.
These are tabulated, together with the values used in this review, in Table 6.1.
The important differences are discussed here.
Events which were included here but not by FPC are flagged with asterisks in Table 6.1.
Maintenance and Test Unavailability:
NUREG-0611 effectively prescribes these numbers for pumps and valves.
They have been assessed here wherever they can be assessed consistently with reasonable operating practice.
(It has been assumed that certain maintenance acts which would completely disable automatic initiation will not be performed.) FPC values for these unavailabilities are much lower.
Human Error Possibilities:
NUREG-0611 gives substantial credit for valve position indication in the control room, which CR-3 has for many of the valves in the EFWS.
Thus, the probability of leaving a suction valve in the wrong position after maintenance is 5x10^-4 from Table III-2 of NUREG-0611.
FPC took no credit for position indication.
Reckoning this way one would obtain 5x10^-3 from Table III-2, which is comparable to [illegible].
Here, we have used 5x10^-4.
The valves on the discharge sides of the pumps (EFV-7 and EFV-8) were apparently assumed restored with probability 1.
Here, failure of restoration was assigned a probability of 5x10^-4.
Failure to restore operability of steam to the turbine after maintenance was also included here (ASV5ZZLD).
An event apparently of this type occurred at Farley on 3/25/78.
Communications from CR-3 plant personnel indicated that this failure should be considered on a par with failure of suction valve restoration.
Since ASV-5 is normally closed anyhow, credit for its position indication is superfluous; the value adopted here is that corresponding to failure to restore a suction valve without position indication.
This is not a substitute for a detailed human error analysis; it is simply an attempt to be consistent with the scope and methodology of the rest of the analysis without ignoring previously untabulated failure modes.
It is not clear that this is a conservatism; several failures of the turbine pump have occurred at Arkansas Nuclear One which, though not precisely of this type, involve degradation of the steam supply because of maintenance errors.
Recovery Factors:
Where recovery of a failure is practicable within 20 minutes, substantial credit for such recovery effectively removes that failure from the list of contributors.
Example: 5x10^-4 for an unrestored discharge valve drops to the 10^-5 to 10^-[illegible] range when 20-minute recovery is taken into account, which makes it relatively insignificant compared with other contributors to Q1H and Q2H, which are of order 10^-[illegible].
Substantial credit for recovery is appropriate on a 20-minute time scale.
However, some events must be recovered much more quickly.
For example, the pumps do not trip on loss of suction, and pump damage is expected within a few minutes if suction is lost.
Restoration of suction at 19 minutes is therefore superfluous (the pumps are presumed damaged).
It should be borne in mind that the recovery factor being considered is not simply "failure to diagnose within 2 minutes and promptly correct a closed suction valve"; rather, it is this failure given that the other train of the EFWS has also failed, and that the initiating event might have been, for example, a loss of offsite power.
In other words, there are many claims on the operator's attention.
Swain and Guttmann (NUREG/CR-1278, page 17-24) [9] suggest that for the first 5 minutes into a transient, it should be assumed that the operator is alone in the control room.
Finally, given all this, stress is understandably moderate to high, so that even if the operator gets around to this particular problem, his error rate is somewhat elevated.
For all these reasons, credit has not been given here for recovery of suction.
As a footnote to this discussion, observe that the FPC Therp (Technique for Human Error Rate Prediction) tree for this recovery has the operator trip the pump in order to prevent damage while the auxiliary building operator finds and opens the valve, but the Therp tree does not then have the operator restart the pump.
Recovery of flow from the EFW turbine-driven pump after dryout is dubious, because it is not clear that there is enough steam in the system to operate the turbine long enough to generate more steam.
FPC was asked by NRC to verify that the turbine could be started with the steam remaining after dryout; the FPC response [10] essentially stated that dryout was not an expected event.
There is therefore an argument for disallowing recovery of the turbine-driven train.
However, steam is available in principle from the other units.
Here, credit has been given for recovery of this train based on availability of the alternate steam supply.
This assumption does not affect dryout probability; it only enters the 20-minute initiation probability.
Actuation Logic:
NUREG-0611 prescribes 7x10^-3 per channel for actuation logic failure probability.
However, there are no entries in FPC's cut set table which can be compared with this value. One reason for this is that FPC expanded actuation logic down to much finer detail on their fault tree.
The overall actuation failure probability that one would deduce from FPC's data (if these were available) could well be of order 10^-[illegible], which would merit inclusion in Table 6.1, but the individual contributors to this are probably much smaller.
Thus, if one sums only over cut sets greater than some arbitrary cut-off in order to arrive at a point estimate, a large number of small cut sets involving actuation logic will be omitted.
This is the case here.
FPC's seeming omission of actuation logic from Table 6.1 is therefore partly methodological and partly because their assessment of the probability of failure of actuation is probably lower than 7x10^-3.
One should ask whether the assessment of 7x10^-3 per channel is reasonable.
In Westinghouse plants, this value tends not to overwhelm the system unavailability, because NUREG-0611 prescribes substantial credit for operator actuation within the "available" time.
Here, for some purposes, we (and FPC) are giving no credit for operator actions within the first few minutes, so that the conclusions are correspondingly sensitive to this parameter.
For example, system failure by failure of both actuation channels without operator backup is (7x10^-3)^2 = 4.9x10^-5, which virtually exhausts the unavailability contemplated by the new SRP for auxiliary feedwater systems.
B&W plants arguably need, and may have, actuation systems which are more reliable than this.
But FPC has not explicitly documented this by providing failure data, and in any case, this level of detail is beyond the scope of this analysis.
While a more complete analysis might substantiate a lower actuation failure probability, this would be partially offset by the inclusion of failures of automatic control, which have not been addressed here.
According to the Revised System Description [11] (p. 32), it is possible to place one channel of the Emergency Feedwater Initiation and Control Logic (EFIC) in "maintenance bypass".
In the same paragraph, it is stated that the maintenance bypass of the NI/RPS (from which the EFIC receives signals) is interlocked with the EFIC, so that automatic initiation of EFW is not prevented by the simultaneous disabling of one channel of EFIC and an opposing channel of NI/RPS; but it is further stated that administrative procedures should be written to prevent this.
EFIC bypass events are absent from the FPC fault tree.
Here, 5x10^-4 per channel has been assessed (EFICAZLD and EFICBZLD) under maintenance, assuming that the two cannot simultaneously be bypassed.
This assumes a one-hour quarterly maintenance act (3x10^-4) plus a small probability of inadvertently leaving the channel bypassed (2x10^-4).
It is assumed that the probability of leaving EFIC disabled is appreciably less than the probability of leaving a valve unrestored.
A recovery factor is allowed for this.
These events have been included essentially for completeness; they appear to be minor contributors.
There are other bypasses associated with startup, which automatically remove themselves, and still others associated with shutdown.
These latter bypasses do not enter this analysis.
TABLE 6.1A
Contributors to Q1H (LMFW)
Note: c << 10^-4
| Fault Identifier | BNL Value | FPC Value | Comments on BNL Values |
|---|---|---|---|
| EFP1ZZFS | 5 x 10^-3 | 5 x 10^-4 | 1 x 10^-3 pump, 4 x 10^-3 control circuit w/ monthly testing |
| EFP1ZZFR | 2.4 x 10^-4 | 3.2 x 10^-4 | 3 x 10^-5/hr x 8 hours. Failure to run; λT, λ = 3x10^-5/hr, T = 8 hrs |
| EFV3ZZFB | 1 x 10^-4 | 9.1 x 10^-5 | Flow blockage |
| EFV3ZZLC | 5 x 10^-4 | 3.3 x 10^-3 | EFV-3 inadvertently left closed, valve position indicated in control room. FPC Therp tree took no credit for control room indication. Recovery credit not given here; see discussion. |
| or EFV3ZZLC and EFV3ZZRE | 5 x 10^-4 | c | |
| EFV3ZZSC | 4.4 x 10^-5 | | Spurious closure: 1/2 λT, λ = 1.24 x 10^-7/hr, 1/2 T = 1/2 month (monthly flow test). (Included for comparison with EFV7ZZSC.) |
| EFV6ZZFB | 1 x 10^-4 | 9.1 x 10^-5 | Flow blockage |
| EFV7ZZFB | 1 x 10^-4 | | Flow blockage |
| EFV7ZZLC | 5 x 10^-4 | | EFV-7 inadvertently left closed, valve position indicated in control room. For "operator action within 20 minutes", recovery factor effectively removes this contributor. |
| or EFV7ZZLC and EFV7ZZRE | c | | |
| EFV7ZZSC | 2.7 x 10^-4 | 9.1 x 10^-5 | (Compare EFV3ZZSC) Spurious closure: 1/2 λT, λ = 1.24x10^-7/hr, 1/2 T = 3 months. FPC quantified this as if it were flow blockage, which has been assessed here as EFV7ZZFB. The fault exposure time is relatively long here because flow through this valve occurs only during shutdowns and emergencies. |
| or EFV7ZZSC and EFV7ZZRE | c | 9.1 x 10^-5 | Above failure and failure to recover within 20 minutes. FPC did not take credit for recovery, perhaps because they treated the event as a flow blockage. |
* Denotes events which did not appear on FPC fault tree
TABLE 6.1A (Cont.)
Contributors to Q1H (LMFW)
Note: c << 10^-4
| Fault Identifier | BNL Value | FPC Value | Comments on BNL Values |
|---|---|---|---|
| EFP1CCLD | 5 x 10^-3 | | EFP1 control circuit left disabled after maintenance. See ASV5ZZLD. |
| or EFP1CCLD and EFP1CCRE | 5 x 10^-5 | | Above, with failure to recover. |
| EFP1RELC | 5 x 10^-3 | | Failure to restore recirculation valve after pump maintenance. Position not indicated in control room. This failure mode is discussed under "Singles" in Section 6.4. Valve designator illegible on system diagram. |
| EFP1REFB | 1 x 10^-4 | | Flow blockage of valve in recirculation line. See EFP1RELC. |
| EFP1RCFB | 1 x 10^-4 | | Flow blockage of check valve in recirculation line. See EFP1RELC. |
| Gate N35 | 7 x 10^-3 | | Failure of actuation logic. FPC modeled this in detail beyond the scope of NUREG-0611, that is, Gate N35 was expanded on the FPC fault tree to the component level. Individual cut sets are therefore small contributors which did not show up on the tabulation supplied. |
| or Gate N35 and AFWTRPOP | 7 x 10^-5 | | Failure of actuation logic (7 x 10^-3) and failure of non-dedicated operator to actuate manually within 15 minutes (10^-2). (NUREG-0611 tabulates a 15-minute value. The difference between 15 minutes and 20 minutes is not regarded as significant.) |
| Total | 2.4 x 10^-2 | 4.4 x 10^-3 | Q1H (LMFW), no credit for operator actions |
| Total | 1.1 x 10^-2 | 1.1 x 10^-3 | Q1H (LMFW), credit for some operator actions within 20 min. |
TABLE 6.1A (Cont.)
ADDITIONAL CONTRIBUTORS TO Q1H (LOOP)
| Fault Identifier | BNL Value | FPC Value | Comments on BNL Values |
|---|---|---|---|
| DG1ZZZFS | 3.6 x 10^-2 | 1.93 x 10^-2 | Failure of diesel generator to start or diesel generator maintenance |
| Total | 6.0 x 10^-2 | 2.4 x 10^-2 | Q1H (LOOP), no credit for operator actions |
| Total | 4.7 x 10^-2 | 2.04 x 10^-2 | Q1H (LOOP), credit for some operator actions within 20 min. |
ADDITIONAL CONTRIBUTORS TO Q1H (LOAC)
THIS TRAIN IS UNAVAILABLE GIVEN LOAC
TABLE 6.1A (Cont.)
Contributors to Q1M (LMFW)
| Name | BNL Value | FPC Value | Comments on BNL Values |
|---|---|---|---|
| EFP1ZZPM | 5.8 x 10^-3 | 2.3 x 10^-5 | Pump maintenance: 19 hours x .22 acts/month x 1 month/720 hours |
| EFV3ZZTS | 3.9 x 10^-4 | | Testing of valve: 0.86 hrs x 4 tests/yr x 1 yr/365 days x 1 day/24 hrs |
| or EFV3ZZTS and EFV3ZZRT | c | | |
| EFV7ZZTS | 3.9 x 10^-4 | | Testing of valve |
| or EFV7ZZTS and EFV7ZZRT | c | | |
| EFV33ZPM | 2.1 x 10^-3 | | Valve maintenance |
| EFV7ZZPM | 2.1 x 10^-3 | | Valve maintenance |
| EFV14ZPM | 2.1 x 10^-3 | | Valve maintenance |
| EFICAZLD | 5 x 10^-4 | | EFIC Channel A disabled. (See Actuation Logic, Sec. 6.5) |
| or EFICAZLD and AFWTRPOP | c | | EFIC Channel A disabled and operator fails to recover. |
| Total | 1.3 x 10^-2 | 2.3 x 10^-5 | Q1M (LMFW), no credit for operator actions |
| Total | 1.2 x 10^-2 | 2.3 x 10^-5 | Q1M (LMFW), credit for some operator actions within 20 min. |
TABLE 6.1A (Cont.)
ADDITIONAL CONTRIBUTORS TO Q1M (LOOP)
(None)
Maintenance on diesel generator (21 hr x .22 acts/month x 1 month/720 hours) is included in diesel generator unavailability under Q1H.
| BNL Value | FPC Value | Comments on BNL Values |
|---|---|---|
| 1.3 x 10^-2 | 2.3 x 10^-5 | Q1M (LOOP), no credit for operator actions |
| 1.2 x 10^-2 | 2.3 x 10^-5 | Q1M (LOOP), credit for some operator actions within 20 min. |
THIS TRAIN IS UNAVAILABLE GIVEN LOAC
* Denotes events which did not appear on FPC fault tree
TABLE 6.1B
Contributors to Q2H (LMFW)
Note: c << 10^-4
| Name | BNL Value | FPC Value | Comments on BNL Values |
|---|---|---|---|
| EFP2ZZFS | 1 x 10^-3 | 5.5 x 10^-3 | Pump fails to start (turbine-driven). |
| ASV5ZZFB | 1 x 10^-4 | | Blockage of ASV5 (steam admission valve) |
| ASV5ZZTO | 3 x 10^-3 | 3.9 x 10^-3 | 1 x 10^-3 failure to operate, 2 x 10^-3 control circuit (monthly testing of steam admission valve) |
| or ASV5ZZTO and ASV5ZZOP | 3 x 10^-5 | c | Above failure and failure to operate manually within 20 min. |
| ASV5ZZLD | 5 x 10^-3 | | Failure to restore steam supply to operability after maintenance on pump. Value corresponds to leaving a pump isolation valve closed inadvertently without taking credit for position indication in control room. |
| or ASV5ZZLD and ASV5ZZRE | 5 x 10^-5 | | Above, and failure to recover manually in 20 min. and obtain steam from alternate source. |
| EFP2ZZFR | 2.4 x 10^-4 | 3.4 x 10^-4 | Failure to run; λT, λ = 3x10^-5/hr, T = 8 hrs |
| EFV4ZZFB | 1 x 10^-4 | 9.1 x 10^-5 | Flow blockage |
| EFV4ZZLC | 5 x 10^-4 | 3.3 x 10^-3 | Pump suction valve left closed, valve position indicated in control room. FPC Therp tree took no credit for control room indication. Recovery credit not given here; see discussion. |
| or EFV4ZZLC and EFV4ZZRE | 5 x 10^-4 | c | |
| EFV4ZZSC | 4.5 x 10^-5 | 9.1 x 10^-5 | Spurious closure: 1/2 λT, λ = 1.24 x 10^-7/hr, 1/2 T = 1/2 month (monthly flow test). FPC quantified this as if it were flow blockage. |
* Denotes events which did not appear on FPC fault tree
TABLE 6.1B (Cont.)
Contributors to Q2H (LMFW)
| Name | BNL Value | FPC Value | Comments on BNL Values |
|---|---|---|---|
| EFV5ZZFB | 1 x 10^-4 | 9.1 x 10^-5 | Flow blockage |
| EFV8ZZFB | 1 x 10^-4 | | Flow blockage |
| EFV8ZZLC | 5 x 10^-4 | | Inadvertently leaving EFV8 closed after pump maintenance, position indicated in control room. |
| or EFV8ZZLC and EFV8ZZRE | c | | Above failure and failure to recover within 20 minutes and obtain steam from alternate source. |
| EFV8ZZSC | 2.7 x 10^-4 | 9.1 x 10^-5 | Spurious closure: 1/2 λT, λ = 1.24 x 10^-7/hr, 1/2 T = 3 months. FPC quantified this as if it were flow blockage. The fault exposure time is relatively long here because flow through this valve occurs only during shutdown and emergencies. |
| or EFV8ZZSC and EFV8ZZRE | c | 9.1 x 10^-5 | Spurious closure and failure to recover within 20 minutes. FPC did not take credit for recovery, perhaps because they treated the event as flow blockage. |
| Gate N41 | 7 x 10^-3 | | Failure of Channel B actuation logic. FPC modeled this in detail beyond the scope of NUREG-0611; Gate N41 was expanded on the FPC fault tree down to the component level. Individual cut sets are therefore small contributors which do not show up on the tabulation supplied. |
| or Gate N41 and AFWTRPOP | 7 x 10^-5 | | Failure of actuation logic (7 x 10^-3) and failure of dedicated operator to actuate manually within 15 minutes (10^-2). (NUREG-0611 tabulates a 15-minute value. The difference between 15 minutes and 20 minutes is not regarded as significant.) |
| CSVSGARS and CSVSGBRS | 3.4 x 10^-4 | 3.4 x 10^-4 | Failure of safety relief valves on both steam generators, resulting in loss of steam to turbine. |
TABLE 6.1B (Cont.)
Contributors to Q2H (LMFW)
| Name | BNL Value | FPC Value | Comments on BNL Values |
|---|---|---|---|
| EFP2RELC | 5 x 10^-3 | | Failure to restore recirculation after pump maintenance. Position not indicated in control room. This failure mode is discussed under "Singles" in Sec. 6.4. Valve designator is illegible on system diagram. |
| EFP2REFB | 1 x 10^-4 | | Flow blockage of valve in recirculation line. See EFP2RELC. |
| EFP2RCFB | 1 x 10^-4 | | Flow blockage of check valve in recirculation line. See EFP2RELC. |
| Total | 2.35 x 10^-2 | 1.384 x 10^-2 | Q2H (LMFW), no credit for operator actions |
| Total | 7.9 x 10^-3 | 6.6 x 10^-3 | Q2H (LMFW), credit for some operator actions within 20 min. |
TABLE 6.1B (Cont.)
Contributors to Q2M (LMFW)
| Name | BNL Value | FPC Value | Comments on BNL Values |
|---|---|---|---|
| EFP2ZZPM | 5.8 x 10^-3 | 1.15 x 10^-3 | Maintenance on EFP-2 |
| EFV4ZZTS | 3.9 x 10^-4 | | Testing of EFV-4: 0.86 hrs x 4 tests/year x 1 year/365 days x 1 day/24 hours |
| or EFV4ZZTS and EFV4ZZRT | c | | Testing and failure to restore train in 20 minutes |
| EFV8ZZTS | 3.9 x 10^-4 | | Testing of EFV8 (calculated as for EFV4) |
| or EFV8ZZTS and EFV8ZZRE | c | | |
| EFV8ZZPM | 2.1 x 10^-3 | | Maintenance on EFV8: hours/act x acts/month x 1 month/720 hours (numerical factors illegible) |
| EFV11ZPM | 2.1 x 10^-3 | | Valve maintenance |
| EFV32ZPM | 2.1 x 10^-3 | | Valve maintenance |
| ASV5ZZPM | 2.1 x 10^-3 | | Maintenance on ASV-5: calculated as for EFV8. |
| EFICBZLD | 5 x 10^-4 | | EFIC Channel B disabled. (See Actuation Logic, Sec. 6.5) |
| or EFICBZLD and AFWTRPOP | c | | EFIC Channel B disabled and operator fails to recover. |
| Total | 1.5 x 10^-2 | 1.15 x 10^-3 | Q2M (LMFW), no credit for operator actions |
| Total | 1.4 x 10^-2 | 1.15 x 10^-3 | Q2M (LMFW), credit for some operator actions within 20 min. |
TABLE 6.1B (Cont.)
ADDITIONAL CONTRIBUTORS TO Q2M (LOOP)
No contributors to Q2M (LOOP) have been assessed, beyond those already included in Q2M (LMFW); therefore, Q2M (LOOP) = Q2M (LMFW)
ADDITIONAL CONTRIBUTORS TO Q2M (LOAC)
No contributors to Q2M (LOAC) have been assessed, beyond those already included in Q2M (LOOP) and Q2M (LMFW); therefore, Q2M (LOAC) = Q2M (LMFW) = Q2M (LOOP)
TABLE 6.2
RESULTS FOR Q1 AND Q2
| | Q1H | Q1M | Q2H | Q2M |
|---|---|---|---|---|
| LMFW, operator credit | 1.1 x 10^-2 | 1.2 x 10^-2 | 7.9 x 10^-3 | 1.4 x 10^-2 |
| LMFW, no operator credit | 2.4 x 10^-2 | 1.3 x 10^-2 | 2.35 x 10^-2 | 1.5 x 10^-2 |
| LOOP, operator credit | 4.7 x 10^-2 | 1.2 x 10^-2 | 7.9 x 10^-3 | 1.4 x 10^-2 |
| LOOP, no operator credit | 6.0 x 10^-2 | 1.3 x 10^-2 | 2.35 x 10^-2 | 1.5 x 10^-2 |
| LOAC, operator credit | 1 | 0 | 7.9 x 10^-3 | 1.4 x 10^-2 |
| LOAC, no operator credit | 1 | 0 | 2.35 x 10^-2 | 1.5 x 10^-2 |
7. RESULTS
7.1 Qualitative Results
LMFW - Given LMFW, the major contributors to unavailability of the EMD pump assuming no operator action are actuation logic, pump maintenance, failures of the pump and its control circuit, and human errors which leave the train incapacitated.
Major contributors to unavailability of the STD train are similar, with steam admission failures replacing pump control circuit faults.
A dominant contributor to system unavailability is blockage of the single valve in the suction line.
Depending on the actual time dependence of the thermal hydraulics and the actual minimum flow requirements of the pumps, the single valve in the recirculation line may also be such a single failure point.
LOOP - In addition to the failures mentioned above, unavailability of AC becomes a dominant factor in the unavailability of the EMD train given LOOP.
This is true because the WASH-1400 figure for diesel generator unavailability dominates the other failures assessed here.
LOAC - Given a total loss of 4160V AC, only the STD train is potentially available.
Its dominant failures are given above.
7.2 Quantitative Results
The results are presented in Table 7.1.
The detailed reasons for the differences between BNL results and FPC results are clear from Table 6.1.
Following is a list of the largest contributors to the difference between BNL and FPC results.
(1) The single failure points (valves in the suction and recirculation lines) were omitted from the FPC analysis.
(2) Maintenance unavailability was much reduced in the FPC analysis from the figure prescribed by NUREG-0611.
(3) Actuation logic failure did not contribute to FPC's result, although it was nominally part of the fault tree.
In this review, 7 x 10^-3/train was assessed for actuation logic failure probability.
(4) The "left disabled" maintenance error events were not assessed by FPC.
(5) The recirculation blockage events were not assessed by FPC.
There are other (smaller) discrepancies, but the above differences are responsible for most of the discrepancy between BNL and FPC results.
TABLE 7.1
EFWS Unavailability
Values given here are calculated from
Q = Q1H Q2H + Q1H Q2M + Q1M Q2H + Singles,
where
Singles = 2 x 10^-4, plugging of CDV-103 or CDV-104
Q1H = Hardware failures associated with EFP-1
Q2H = Hardware failures associated with EFP-2
Q1M = Maintenance unavailability associated with EFP-1
Q2M = Maintenance unavailability associated with EFP-2
| | This Work | FPC Report |
|---|---|---|
| LMFW, Operator Credit | 5.4 x 10^-4 | 7.4 x 10^-6 |
| LMFW, No Operator Credit (Dryout) | 1.4 x 10^-3 | 5.7 x 10^-5 |
| LOOP, Operator Credit | 1.3 x 10^-3 | 1.5 x 10^-4 |
| LOOP, No Operator Credit (Dryout) | 2.8 x 10^-3 | 3.3 x 10^-4 |
| LOAC, Operator Credit | 2.2 x 10^-2 | 7.6 x 10^-3 |
| LOAC, No Operator Credit (Dryout) | 3.9 x 10^-2 | 1.4 x 10^-2 |
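The formula at the head of Table 7.1 can be checked against the train values of Table 6.2, which also shows which term dominates each case. The Python below is an added example, not part of the BNL report; the function and variable names are illustrative, and every number is copied from Tables 6.2 and 7.1.

```python
"""Recompute Table 7.1 from the Table 6.2 train unavailabilities."""

SINGLES = 2e-4  # 1e-4 each for plugging of CDV-103 and CDV-104 (Section 6.4)

# Table 6.2 values, in the order (Q1H, Q1M, Q2H, Q2M).
TABLE_6_2 = {
    ("LMFW", "operator credit"):    (1.1e-2, 1.2e-2, 7.9e-3, 1.4e-2),
    ("LMFW", "no operator credit"): (2.4e-2, 1.3e-2, 2.35e-2, 1.5e-2),
    ("LOOP", "operator credit"):    (4.7e-2, 1.2e-2, 7.9e-3, 1.4e-2),
    ("LOOP", "no operator credit"): (6.0e-2, 1.3e-2, 2.35e-2, 1.5e-2),
    # Given LOAC the EMD train is unavailable: Q1H = 1, Q1M = 0.
    ("LOAC", "operator credit"):    (1.0, 0.0, 7.9e-3, 1.4e-2),
    ("LOAC", "no operator credit"): (1.0, 0.0, 2.35e-2, 1.5e-2),
}

# Table 7.1 as printed: (this work, FPC report).
TABLE_7_1 = {
    ("LMFW", "operator credit"):    (5.4e-4, 7.4e-6),
    ("LMFW", "no operator credit"): (1.4e-3, 5.7e-5),
    ("LOOP", "operator credit"):    (1.3e-3, 1.5e-4),
    ("LOOP", "no operator credit"): (2.8e-3, 3.3e-4),
    ("LOAC", "operator credit"):    (2.2e-2, 7.6e-3),
    ("LOAC", "no operator credit"): (3.9e-2, 1.4e-2),
}


def cut_set_terms(q1h, q1m, q2h, q2m, singles=SINGLES):
    """Terms of Q = Q1H*Q2H + Q1H*Q2M + Q1M*Q2H + Singles.

    The Table 7.1 formula has no Q1M*Q2M term, so none is computed here.
    """
    return {
        "Q1H*Q2H": q1h * q2h,
        "Q1H*Q2M": q1h * q2m,
        "Q1M*Q2H": q1m * q2h,
        "Singles": singles,
    }


def two_sig_figs(x):
    """Round to the two significant figures used in Table 7.1."""
    return float(f"{x:.1e}")


def recompute_table_7_1():
    """Return, per case, the recomputed total and how it decomposes."""
    rows = {}
    for case, trains in TABLE_6_2.items():
        terms = cut_set_terms(*trains)
        total = sum(terms.values())
        printed, fpc = TABLE_7_1[case]
        rows[case] = {
            "total": total,
            "matches_printed": two_sig_figs(total) == printed,
            "dominant": max(terms, key=terms.get),
            "singles_share": terms["Singles"] / total,
            "ratio_to_fpc": total / fpc,
        }
    return rows


if __name__ == "__main__":
    for (initiator, credit), row in recompute_table_7_1().items():
        print(f"{initiator:5s} {credit:19s} Q={row['total']:.2e} "
              f"dominant={row['dominant']:8s} "
              f"singles={row['singles_share']:.0%} "
              f"BNL/FPC={row['ratio_to_fpc']:.1f}")
```

For LMFW with operator credit the two single-valve failures are the largest individual term, about 37% of the total; in every other case a product of train unavailabilities dominates.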
REFERENCES
1. "Emergency Feedwater System Upgrade Reliability Analysis for the Crystal River Nuclear Generating Station Unit No. 3", prepared by B&W Plant Performance Engineering, submitted to NRC by FPC in June 1981; herein called "The FPC Report".
2. "Generic Evaluation of Feedwater Transient and Small Break Loss-of-Coolant Accidents in Westinghouse-Designed Operating Plants", NUREG-0611, U. S. Nuclear Regulatory Commission (January 1980).
3. Letter from D. F. Ross, Jr. (NRC) to "All Pending Operating License Applicants of Nuclear Steam Supply Systems Designed by Westinghouse and Combustion Engineering", dated March 10, 1980.
4. USNRC Standard Review Plan, Sec. 10.4.9 (NUREG-0800), Revised July 1981.
5. "Transient Response of Babcock & Wilcox-Designed Reactors", NUREG-0667, U. S. Nuclear Regulatory Commission (May 1980).
6. "Reactor Safety Study, An Assessment of Accident Risks in U. S. Commercial Nuclear Power Plants, WASH-1400", NUREG-75(014), U. S. Nuclear Regulatory Commission (October 1975).
7. "Reactor Safety Study Methodology Applications Program: Oconee #3 PWR Power Plant", NUREG/CR-1659, U. S. Nuclear Regulatory Commission (January 1981), (Rev. May 1981).
8. "IEEE Nuclear Reliability Data Manual", IEEE STD 500 (1977).
9. "Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Applications", NUREG/CR-1278, U. S. Nuclear Regulatory Commission (October 1980).
10. "Response to Request for Information, Crystal River Unit 3, Emergency Feedwater System Requirements", submitted to NRC by letter from William A. Cross (FPC) to John F. Stolz (NRC) dated September 16, 1981. See Comment #2.
11. "Revised System Description, Emergency Feedwater System, for Florida Power Corporation's Crystal River Unit 3", submitted August 11, 1981 (received August 14, 1981) with a letter from William A. Cross (FPC) to John F. Stolz (NRC).
APPENDIX A
Conversion of FPC Results to NUREG-0611 Format
The FPC study quotes an EFWS unavailability, which is effectively a weighted average over LMFW and LOOP events.
Some of the cut sets contain factors of .154 (= fraction of the time an LMFW involves LOOP) and 1.93 x 10^-2 (= FPC value for DG failure).
Here, these factors are separated out in order to display FPC's unavailabilities: (1) given LMFW with offsite power available, (2) given LOOP, and (3) given LOAC.
Refer to Table 3.1 of the FPC study (results for EFW initiate failure) and Table A.2 of FPC cut sets.
TABLE A.1: FPC RESULTS
| | No Operator Intervention | Operator Intervention Within 20 Minutes |
|---|---|---|
| Cut Sets Not Involving LOOP | 5.74 x 10^-5 | 7.42 x 10^-6 |
| Cut Sets Involving LOOP and DG Failure | 4.22 x 10^-5 | 2.25 x 10^-5 |
| FPC Results (sum) | 9.9 x 10^-5 | 2.9 x 10^-5 |
| Unavailability Given LMFW, Offsite Power Available | 5.74 x 10^-5 | 7.42 x 10^-6 |
| Unavailability Given LOOP | 5.74x10^-5 + (.154)^-1 x 4.22x10^-5 = 3.3 x 10^-4 | 7.42x10^-6 + (.154)^-1 x 2.25x10^-5 = 1.53 x 10^-4 |
| Unavailability Given LOAC | 5.74x10^-5 + (.154)^-1 x (1.93x10^-2)^-1 x 4.22x10^-5 = 1.42 x 10^-2 | 7.42x10^-6 + (.154)^-1 x (1.93x10^-2)^-1 x 2.25x10^-5 = 7.6 x 10^-3 |
One of FPC's cut sets for the "20-minute" case appears to contribute to the "no operator intervention" case, but was not included.
This is cut set "R" of Table A.2.b, which is loss of steam from both SG's (which fails the STD pump) and loss of offsite power and emergency AC (which fails the EMD pump).
FPC assigns 1.0x10^-6 to this event; adding this figure to FPC's total for the "no operator intervention" case, one obtains 1.006x10^-4 rather than the stated result of 9.9x10^-5.
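The conversion carried out in this appendix, together with the cut set "R" correction, is reproduced below in Python. This is an added example, not part of the BNL report or the FPC study; the names are illustrative and the inputs are the Table A.1 cut-set sums and the two factors quoted in the text.

```python
"""Separate FPC's weighted cut-set totals into per-initiator unavailabilities."""

P_LOOP_GIVEN_LMFW = 0.154  # fraction of the time an LMFW involves LOOP
P_DG_FAILURE = 1.93e-2     # FPC value for diesel generator failure

# Table A.1 cut-set sums, keyed by operator-intervention case.
CUT_SETS = {
    "no operator intervention": {
        "without_loop": 5.74e-5,
        "with_loop_and_dg": 4.22e-5,
    },
    "operator intervention within 20 minutes": {
        "without_loop": 7.42e-6,
        "with_loop_and_dg": 2.25e-5,
    },
}

CUT_SET_R = 1.0e-6  # FPC value for cut set "R" of Table A.2.b


def by_initiator(without_loop, with_loop_and_dg):
    """Condition the FPC sums on each initiator, as in Table A.1.

    Given LOOP, the LOOP fraction is divided out of the LOOP cut sets.
    Given LOAC, the diesel generator failure factor is divided out too.
    """
    given_loop = with_loop_and_dg / P_LOOP_GIVEN_LMFW
    given_loac = given_loop / P_DG_FAILURE
    return {
        "LMFW": without_loop,
        "LOOP": without_loop + given_loop,
        "LOAC": without_loop + given_loac,
    }


def fpc_weighted_total(without_loop, with_loop_and_dg, omitted=0.0):
    """Total as FPC quotes it: both groups of cut sets summed as tabulated."""
    return without_loop + with_loop_and_dg + omitted


def reweight(conditional):
    """Round trip: rebuild the weighted total from the conditional values."""
    loop_part = conditional["LOOP"] - conditional["LMFW"]
    return conditional["LMFW"] + P_LOOP_GIVEN_LMFW * loop_part


def convert_all():
    """Per-initiator unavailabilities for both operator cases."""
    return {case: by_initiator(**sums) for case, sums in CUT_SETS.items()}


if __name__ == "__main__":
    for case, values in convert_all().items():
        line = ", ".join(f"{k}: {v:.3g}" for k, v in values.items())
        print(f"{case}: {line}")
    no_op = CUT_SETS["no operator intervention"]
    print("FPC total without cut set R:", f"{fpc_weighted_total(**no_op):.4g}")
    print("FPC total with cut set R:   ",
          f"{fpc_weighted_total(**no_op, omitted=CUT_SET_R):.4g}")
```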
APPENDIX B
Questions and Answers
Several conference calls between BNL, FPC, and NRC were conducted for the purpose of obtaining clarification of certain points concerning the analysis.
These points are summarized below, together with the FPC replies.
The formal written response of FPC to these questions is given in Appendix C.
Here, the BNL understanding includes information and clarifications obtained during the conference calls.
It should be noted that the report was actually prepared by B&W, not by the FPC personnel who participated in the calls.
Question 1.
The results are not presented in a manner that lends itself to a "NUREG-0611-type" comparison.
For example, unavailability given LOOP is not tabulated.
LOOP appears as a basic event on the fault tree; was this entered as the probability of LOOP given LMFW? How was this handled?
Response
FPC relayed from B&W the response that the event "LOOPZZZZ" which appears on the fault tree is quantified as the fraction of time that an LMFW is associated with LOOP.
(Given this, and given the answers to Question Nos. 2, 3 and 4 below, one can unravel the results for the three initiators LMFW, LOOP, and LOAC.
This is done in Appendix A.)
Questions 2, 3 and 4 are dealt with as a unit.
Question 2.
A narrative description of cut sets was provided, but no quantitative details were given.
What were the contributions from the dominant cut sets?
Question 3.
Failure data were not given.
What are they?
Question 4.
What probabilities were assigned to failure events on the fault trees?
Response
The response to these questions is attached as Tables B.1 and B.2 of this report.
Table B.1 gives FPC's dominant cut sets for EFWS failure given no operator intervention, while Table B.2 gives the cut sets for EFWS failure with credit taken for operator intervention within 20 minutes.
The details of the quantification of each cut set are given; thus, failure data are given for those basic events which turn up in FPC's dominant cut sets.
These are included in Table 3.1.
Question 5.
Regarding fault tree events EFV3ZZLC and EFV4ZZLC, which refer to valves left closed after maintenance:
(a) Are these the only valves which are closed for pump maintenance?
(b) Is the position of these valves indicated in the control room?
(c) Are these maintenance acts staggered?
Response
(a) No, EFV-7 and EFV-8 are also closed.
FPC personnel could not explain why failure to restore EFV-7 and EFV-8 did not appear on the fault tree.
After turbine pump maintenance, it is also necessary to restore ASV-5 to service; failure to do this, they felt, was also comparable to failure to restore EFV-3 and EFV-4.
(b) Yes, although the FPC Therp trees took no credit for this.
(c) Yes.
Question 6.
Regarding valves EFV33, EFV14, EFV32 and EFV11, the drawing indicates that these are normally open, but the fault tree (EFW INITIATE) contains events in which these "fail closed".
Is this because the logic requires them to close and subsequently reopen?
Or should the event be considered a plugging event? Is there ever a flow test to verify that they are open?
Response: According to FPC personnel, the valves are normally open.
They felt that the valves had been considered to be closed for the sake of conservatism. (In the absence of some common cause mechanism, this would not matter.) There is no test except during shutdown and emergencies.
Question 7.
Regarding stop check valves EFV-7 and EFV-8:
These valves have events "spuriously closed" on the fault tree.
Is this the same as plugging, or does this refer to the valves being actively closed? Under what circumstances (especially testing or maintenance) are these valves supposed to be closed? Is there a flow test to verify that they are open? Is their status indicated in the control room?
Response: These events show up in Table 3.1 as having been quantified by B&W as plugging events. However, FPC felt that they should be treated as ordinary spurious closures, i.e., events in which a spurious actuation of the MOV's control circuit causes the valve to close.
These events do not substitute for the failure to restore EFV-7 and EFV-8 after pump maintenance (see Question 5 above).
Question 8.
Maintenance on valves does not appear on the fault tree.
NUREG-0611 suggests that maintenance on valves should be assessed (refer to Table III-2 of NUREG-0611).
For example, is there a reason not to assess maintenance on the steam admission valve (ASV5) by analogy to that assessed in WASH-1400 (Table 115-9 and page II-107)?
Response: FPC replied, in essence, that maintenance outage of a pump and its associated valves should be treated as a unit, and that scheduled maintenance of a valve would be timed to coincide with scheduled outage of its associated pump.
Thus, they would take the figure for pump maintenance and consider it to include all the rest.
This does not appear to cover unscheduled maintenance, however, and seems to conflict with the NUREG-0611 prescription.
Question 9.
Previous NRC comment expressed concern over a single valve in the cooling water supply to EFP-1. Was this remedied? What are the contributors to the unavailability of cooling water to EFP-1?
Response: Although the report states that EFP-1 relies on the NSCCCS for cooling, FPC stated that EFP-1 has recently been modified so that it is now self-cooled. Credit has been given for this here.
Question 10.
Are there single failures in the Vector logic that can isolate both discharge paths from a given pump? Example: Channel D logic can isolate both paths from EFP-1.
Are there failures (e.g., power failures) in Channel D that isolate both paths?
Response
No.
Question 11.
Under what conditions do the EFWS pumps trip?
(e.g., loss of suction; high discharge pressure?)
If recirculatio is not available, are the pumps damaged, or do they trip?
Response
One concern behind this question was that the two pumps' common recirculation line might present a common cause failure mechanism.
The FPC personnel were asked whether the control logic ever demanded zero flow to the steam generators; they were unable to reply. They did state that if zero flow is demanded and recirculation is unavailable, the pumps do not trip; they overheat.
Therefore, if zero flow is ever a success state of the control logic for more than a brief period, then the valve in the common recirculation line becomes a single failure point, and the valves in each individual pump's recirculation line become contributors to their pumps' unavailability.
If the reactor coolant pumps are operating, the SG level set point which controls EFW flow is much lower than the operating level.
It is plausible that under these conditions, little or no flow will be called for.
If "zero flow" cannot be ruled out as a success state of the logic, then failures associated with recirculation might contribute to unavailability at the same level as the more significant failures assessed here.
The pumps also continue to operate on loss of suction, and damage is expected within a few minutes if the operators do not intervene.
The 20-minute time scale implicitly contemplated in the study is far too long to wait.
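The single-failure-point argument in the response to Question 11, worked as an added example (not part of the BNL report or of FPC's analysis): a small fault tree is reduced to minimal cut sets with and without zero flow as a success state. The tree is a constructed simplification of two pump trains sharing a recirculation line, and all event names are hypothetical.

```python
from itertools import product

# Constructed, simplified model; event names are hypothetical, not from the report.
COMMON = "COMMON_RECIRC_VALVE_CLOSED"

def train(pump_fails, recirc_valve_closed, zero_flow_is_success):
    """One pump train. If zero flow can be demanded, the pump needs recirculation,
    so loss of either its own or the common recirculation valve overheats it."""
    if not zero_flow_is_success:
        return pump_fails
    return ("OR", pump_fails, recirc_valve_closed, COMMON)

def efw_tree(zero_flow_is_success):
    """Top event: both pump trains unavailable."""
    return ("AND",
            train("PUMP_A_FAILS", "RECIRC_A_VALVE_CLOSED", zero_flow_is_success),
            train("PUMP_B_FAILS", "RECIRC_B_VALVE_CLOSED", zero_flow_is_success))

def cut_sets(node):
    """Expand a gate tree into cut sets (frozensets of basic events)."""
    if isinstance(node, str):                      # basic event
        return {frozenset([node])}
    gate, *children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":                               # any child's cut set suffices
        return set().union(*child_sets)
    if gate == "AND":                              # one cut set per child, merged
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")

def minimal_cut_sets(tree):
    """Keep only cut sets that contain no smaller cut set."""
    sets = cut_sets(tree)
    return {s for s in sets if not any(other < s for other in sets)}

def single_failure_points(tree):
    """Basic events that fail the system on their own (order-1 cut sets)."""
    return sorted(e for s in minimal_cut_sets(tree) if len(s) == 1 for e in s)

if __name__ == "__main__":
    for flag in (False, True):
        mcs = sorted(minimal_cut_sets(efw_tree(flag)), key=lambda s: (len(s), sorted(s)))
        print(f"zero flow a success state: {flag}")
        for s in mcs:
            print("   ", " AND ".join(sorted(s)))
        print("    single failure points:", single_failure_points(efw_tree(flag)))
```

With zero flow as a success state, the common valve appears as the only first-order cut set, and each train's own recirculation valve enters the second-order cut sets alongside the pump failures.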
APPENDIX C Formal Response to Questions
FPC DISTRIBUTION
P. Y. Baynard CR-3
D. D. Blake/File H-2
J. Cooper CR-3
B. E. Crane CR-3
Docket File H-2
H. A. Evertz, III A-5
B. L. Griffin A-5-B
D. V. Harper H-2
L. A. Hill N.O.
T. C. Lutkchaus CR-3
D. G. Mardis H-2
E. C. Simpson H-1
T. F. Stetka (NRC) CR-3
J. T. Telford H-9
W. S. Witgus A-5-D
Document Control (2)
S. Miner (3F only)
3. C. Plunkett NUS
R. A. Svotells (3F only) Gilber

April 28, 1982
3F-0482-30
NRC File: 3-0-26

Mr. John F. Stolz, Chief
Operating Reactors Branch #4
Division of Licensing
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Subject: Crystal River Unit 3
Docket No. 50-302
Operating License No. DPR-72
NUREG-0737, Item II.E.1.1
Crystal River Unit 3 Auxiliary (Emergency) Feedwater System Reliability Assessment
Dear Mr. Stolz:
By letter dated April 1, 1982, your staff requested additional information on Florida Power Corporation's (FPC) Crystal River Unit 3 Auxiliary (Emergency) Feedwater System Reliability Assessment. FPC hereby provides written responses to your eleven questions as previously discussed with your staff.
Question 1.
The results are not presented in a manner that lends itself to a "NUREG-0611-type" comparison. For example, unavailability given LOOP is not tabulated. LOOP appears as a basic event on the fault tree; was this entered as the probability of LOOP given LMFW? How was this handled?
Response 1.
The results were not presented in a NUREG-0611 type format since the NUREG is not applicable to B&W plants and no advantage was seen in presenting our results in this manner. LOOP was entered as the probability of LOOP given LMFW.
Question 2.
A narrative description of cut sets was provided, but no quantitative details were given. What were the contributions from the dominant cut sets?
Response 2.
Cut sets information, including quantitative details, was informally transmitted to your office in March, 1982.
Question 3.
Failure data were not given. What are they?
Response 3.
Failure data was informally transmitted to your office in March, 1982.
General Office 3201 Thirty-fourth Street South, P.O. Box 14042, St. Petersburg, Florida 33733, 813-866-5151
Question 4.
What probabilities were assigned to failure events on the fault trees?
Response 4.
Failure event probabilities were informally transmitted to your office in March, 1982.
Question 5.
Regarding fault tree events EFV-3ZZLC and EFV-4ZZCL, which refer to valves left closed after maintenance:
a) Are these the only valves which are closed for pump maintenance?
b) Is the position of these valves indicated in the control room?
c) Are these maintenance acts staggered?
Response 5.
a) EFV-3ZZLC and EFV-4ZZLC are not the only valves closed for pump maintenance. The valve closures necessary for pump maintenance are given in the pump maintenance procedure.
b) The positions of the valves are indicated in the control room.
c) Maintenance acts are staggered.
Question 6.
Regarding valves EFV33, EFV14, EFV32, EFV11:
The drawing indicates that these are normally open, but the fault tree (EFW INITIATE) contains events in which these "fail closed."
Is this because the logic requires them to close and subsequently reopen?
Or should the event be considered a plugging event? Is there ever a flow test to verify that they are open?
Response 6.
Logic does not require valves EFV-11, EFV-14, EFV-32, and EFV-33 to close and then reopen, just fail closed. This event is not considered a plugging event. The valves are not flow tested to verify if they are open.
Operator and surveillance procedures are used to verify valve position.
Question 7.
Regarding stop check valves EFV-7 and EFV-8:
These valves have events "spuriously closes" on the fault tree. Is this the same as plugging, or does this refer to the valves being actively closed? If it is the latter, is this an operator or maintenance error?
Under what circumstances (especially testing or maintenance) are these valves supposed to be closed? Is there a flow test to verify that they are open? Is their status indicated in the control room?
Response 7.
The event refers to valves being actively closed and is not a plugging event. The events are a result of either operator or maintenance errors (no determination made between operator and maintenance errors).
Stop check valves EFV-7 and EFV-8 are closed during testing and maintenance. There is no flow test to verify that they are open. Operator and surveillance procedures are used to verify valve position. Their status is indicated in the control room.
Question 8.
Maintenance on valves does not appear on the fault tree. NUREG-0611 suggests that maintenance on valves should be assessed (Refer to Table III-2 of NUREG-0611).
For example, is there a reason not to assess maintenance on the steam admission valve (ASV5) by analogy to that assessed in WASH-1400 (Table 115-9 and page II-107)?
Response 8.
Maintenance on valves was not considered.
Valve maintenance was assumed to take place during pump maintenance.
Question 9.
Previous NRC comment expressed concern over a single valve in the cooling water supply to EFP-1.
Was this remedied?
What are the contributors to the unavailability of cooling water to EFP-1?
Response 9.
The installation of self-cooling modifications to EFP-1 has eliminated the need to supply cooling water to EFP-1 from the nuclear services closed cycle cooling system. Cooling water is now supplied to EFP-1 from its own discharge.
Question 10.
Are there single failures in the vector logic that can isolate both discharge paths from a given pump? Example: Channel D logic can isolate both paths from EFP-1. Are there failures (E.G. power failures) in channel D that isolate both paths?
Response 10.
There are no single failures in the vector logic (including Channel D) that can isolate both discharge paths from a given pump.
Question 11.
Under what conditions do the EFWS pumps trip? (E.G. Loss of suction? High discharge pressure?) If recirculation is not available, are the pumps damaged, or do they trip?
Response 11.
The emergency feedwater pumps do not trip under any conditions. The pumps will be destroyed if recirculation and discharge paths are lost. This is a very low probability event.
If you have any further questions, please contact this office.
Very truly yours,
David G. Mardis
Acting Manager
Nuclear Licensing
RAW:mm
cc: Mr. J. P. O'Reilly, Regional Administrator
Office of Inspection & Enforcement
U.S. Nuclear Regulatory Commission
101 Marietta Street N.W., Suite 3100
Atlanta, GA 30303
U.S. NUCLEAR REGULATORY COMMISSION
BIBLIOGRAPHIC DATA SHEET
Report number: NUREG/CR-3081, BNL-NUREG-51626
Title and subtitle: Review of the Crystal River Nuclear Generating Station Unit No. 3 Emergency Feedwater System Reliability Analysis
Authors: R. Youngblood and I. A. Papazoglou
Date report completed: November 1982
Date report issued: October 1983
Performing organization name and mailing address: Brookhaven National Laboratory, Upton, New York 11973
Sponsoring organization name and mailing address: Division of Safety Technology, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555
Contract no.: FIN A3393
Type of report: Technical Report
Abstract (200 words or less): The purposes of this report are to review the "Emergency Feedwater System Upgrade Reliability Analysis for the Crystal River Nuclear Generating Station Unit No. 3", and to provide an independent evaluation of the Emergency Feedwater System reliability. This report presents estimates of the probability that the Emergency Feedwater System will be unavailable given each of three different initiators: (1) loss of main feedwater with offsite power available, (2) loss of offsite power, (3) loss of all 4160 VAC power. The scope, methodology, and failure data are prescribed by NUREG-0611, Appendix III.
Key words and document analysis descriptors: Reliability Analysis; Auxiliary Feedwater System; Crystal River Nuclear Generating Station Unit No. 3; NUREG-0611
Availability statement: Unlimited
Security class: Unclassified