ML20081F471

Review of the Catawba Units 1 and 2 Auxiliary Feedwater System Reliability Analysis
ML20081F471
Person / Time
Site: Catawba
Issue date: 10/31/1983
From: Fresco A, Papazoglou I, Youngblood R
BROOKHAVEN NATIONAL LABORATORY
To:
Office of Nuclear Reactor Regulation
References
CON-FIN-A-3393 BNL-NUREG-51675, NUREG-CR-3297, NUDOCS 8311030020


Text

{{#Wiki_filter:NUREG/CR-3297 BNL-NUREG-51675 Review of the Catawba Units 1 and 2 Auxiliary Feedwater System Reliability Analysis Prepared by A. Fresco, R. Youngblood, I. A. Papazoglou Brookhaven National Laboratory

NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights. The views expressed in this report are not necessarily those of the U.S. Nuclear Regulatory Commission.

Available from GPO Sales Program, Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555. Printed copy price: $4.75, and National Technical Information Service, Springfield, Virginia 22161

NUREG/CR-3297 BNL-NUREG-51675 Review of the Catawba Units 1 and 2 Auxiliary Feedwater System Reliability Analysis. Prepared by A. Fresco, R. Youngblood, I. A. Papazoglou, Brookhaven National Laboratory. Prepared for Division of Safety Technology, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555. NRC FIN A3393

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555
2. The NRC/GPO Sales Program, U.S. Nuclear Regulatory Commission, Washington, DC 20555
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the NRC/GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

ABSTRACT

This report presents the results of a review of the Auxiliary Feedwater System Reliability Analysis for Catawba Units 1 & 2. The objective of this report is to estimate the probability that the Auxiliary Feedwater System will fail to perform its mission for each of three different initiators: (1) loss of main feedwater with offsite power available, (2) loss of offsite power, (3) loss of all AC power except for vital instrumentation and control power. The scope, methodology, and failure data are prescribed by NUREG-0611, Appendix III. The results are compared with those obtained in NUREG-0611 for other Westinghouse plants.

TABLE OF CONTENTS

ABSTRACT
LIST OF FIGURES
LIST OF TABLES
SUMMARY AND CONCLUSIONS
1.0 INTRODUCTION
2.0 SCOPE OF BNL REVIEW
3.0 MISSION SUCCESS CRITERIA
4.0 SYSTEM DESCRIPTION
    4.1 Configuration and Overall Design
    4.2 Component Design Classification
    4.3 Power Sources
    4.4 Instrumentation and Controls
5.0 EMERGENCY OPERATION
6.0 TESTING
7.0 TECHNICAL SPECIFICATIONS
8.0 ASSUMPTIONS
9.0 RELIABILITY ANALYSIS
    9.1 Qualitative Aspects
        9.1.1 Mode of System Initiation
        9.1.2 System Control Following Initiation
        9.1.3 Effects of Test and Maintenance Activity
        9.1.4 Availability of Alternate Water Sources
        9.1.5 Adequacy and Separation of Power Sources
        9.1.6 Common Mode Failures
        9.1.7 Single Point Failures
        9.1.8 Adequacy of Emergency Procedures
    9.2 Quantitative Aspects
        9.2.1 Applicant's Use of NRC Suggested Methodology and Data
            9.2.1.1 Fault Tree Construction and Evaluation
            9.2.1.2 Failure Data
        9.2.2 Applicant's Results
            9.2.2.1 System Unavailabilities
            9.2.2.2 Dominant Failure Modes
        9.2.3 BNL Assessment
            9.2.3.1 Fault Trees
            9.2.3.2 Failure Data
            9.2.3.3 System Unavailabilities
            9.2.3.4 Dominant Failure Modes
            9.2.3.5 General Comparison to Other Plants
            9.2.3.6 General Comments
REFERENCES
APPENDIX A: Applicant's Letter on Quantitative Results
APPENDIX B: Telephone Conversations
    B-1: May 20, 1982
    B-2: May 27, 1982
    B-3: June 11, 1982
APPENDIX C: Plant Visit

LIST OF FIGURES

Figure 1: Comparison of Catawba AFWS Reliability to Other AFWS Design in Plants Using the Westinghouse NSSS
Figure 2: Catawba Unit 1 - Auxiliary Feedwater System Simplified Flow Diagram
Figure 3: Logic Diagram - Motor-Driven Auxiliary Feedwater Pump Alignment to Nuclear Service Water System
Figure 4: Logic Diagram - Turbine-Driven Auxiliary Feedwater Pump Alignment to Nuclear Service Water System
Figure 5: Suction Switchover Event Trees (Sheets 1-2)
Figure 6: Applicant's Reduced Fault Tree Development - LMFW (and LOOP) (Sheets 1-5)
Figure 7: Catawba Auxiliary Feedwater System. BNL's Conceptual Expansion of Applicant's Fault Tree to Include Test and Maintenance Outages and Flow From Turbine Driven Pump to Steam Generators A and D - LMFW and LOOP
Figure 8: Fault Tree Development - LMFW/LOAC (Sheets 1-2)
Figure 9: Dominant Cutsets

LIST OF TABLES

Table 1: Comparison of Results
Table 2: Comparison of Data Assumptions
Table 3: Comparison of Results
Table 4: Abbreviations and Acronyms Used in Description of Fault Events
Table 5: Fault Events and Allocated Unavailabilities
Table 6: NRC-Supplied Data Used for a Comparative Assessment of Existing AFWS Designs and Their Potential Reliabilities

SUMMARY AND CONCLUSIONS

After the accident at Three Mile Island, a study was performed of the reliability of the Auxiliary Feedwater System (AFWS) of each then-operating plant with NSSS designed by Westinghouse. The results of that study were presented in NUREG-0611 (1). At the request of the NRC (2), Duke Power Company, an Operating License Applicant, has provided the NRC with a study of the Catawba Units 1 & 2 AFWS (3), performed using NUREG-0611 as a guideline. BNL has reviewed this study. The BNL conclusions are as follows ("High", "Medium", and "Low" refer to the NUREG-0611 reliability scale):

1. For an accident resulting in a Loss of Main Feedwater (LMFW) with offsite power available: The reliability of AFWS is in the High range (Unavailability = 6.6×10⁻⁶/demand).

2. For a Loss of Offsite Power (LOOP) resulting in a concurrent Loss of Main Feedwater (LMFW): The reliability of the AFWS is in the High range. (Unavailability = 5.0×10⁻⁵)

3. For a Loss of All AC Power (LOAC), except for the 125VDC/120VAC Vital Instrumentation and Control Power Systems, resulting in a concurrent Loss of Main Feedwater (LMFW): The reliability of the AFWS is in the Medium range. (Unavailability = 2.8×10⁻²)

Results are summarized in Table 1. A comparison of the Catawba AFWS reliability to other AFWS designs in plants using the Westinghouse NSSS is shown in Figure 1.

The above results do not include a possible common mode failure contribution, exceeding 2×10⁻⁵, resulting from loss of suction to the AFW pumps. See Section 9.1.6 for details. Such a contribution would be algebraically added to the above results.

Also, the applicant's results are substantially higher than the BNL assessment because of a number of the applicant's conservative assumptions, principally involving test and maintenance policy and restrictions in the flowpaths available to the steam generators to ensure isolation of flow to a steam generator undergoing depressurization. Some of these conservatisms have been removed to obtain the BNL results, but difficulties associated with the construction of, and the assumptions inherent in, the applicant's fault tree make a complete reassessment prohibitive at this time.

Table 1 Comparison of Results

                              Unavailability/Demand
Transient Description         Applicant       BNL
1. LMFW                       4.6×10⁻⁵        6.6×10⁻⁶
2. LOOP                       2.8×10⁻⁴        5.0×10⁻⁵
3. LOAC                       8.1×10⁻²        2.8×10⁻²

[Figure 1: chart of transient events against Low / Med / High reliability ranges for plants using the Westinghouse NSSS (Haddam Neck, San Onofre, Prairie Island, Salem, Zion, Yankee Rowe, Trojan, Indian Point, Kewaunee, H.B. Robinson, Beaver Valley, Ginna, Pt. Beach, Turkey Point, Farley, Surry, North Anna) and for Catawba, with order of magnitude in unavailability represented. Legend: Applicant's Results; BNL Results. Note: the scale for this event is not the same as that for the LMFW and LMFW/LOOP.]

Figure 1. Comparison of the Catawba AFWS Reliability to Other AFWS Designs in Plants Using the Westinghouse NSSS.

1.0 INTRODUCTION

After the accident at Three Mile Island, a study was performed of the Auxiliary Feedwater Systems (AFWS) of all then-operating plants. The results obtained for operating plants with Westinghouse-designed NSSS were presented in NUREG-0611 (1). At that time, the objective was to compare AFWS designs; accordingly, generic failure probabilities were used in the analysis, rather than plant-specific data. Some of these generic data were presented in NUREG-0611. The probability that the AFWS would fail to perform its mission on demand was estimated for three initiating events:

(a) Loss of Main Feedwater without Loss of Offsite Power (LMFW),
(b) Loss of Main Feedwater associated with Loss of Offsite Power (LOOP),
(c) Loss of Main Feedwater associated with Loss of Offsite and Onsite AC (LOAC), except for 125V DC/120V AC Vital Instrumentation and Control Power Systems.

Since then, each applicant for operating license has been required (2) to submit a reliability analysis of the plant's AFWS, carried out in a manner similar to that employed in the NUREG-0611 study. This report is a review by Brookhaven National Laboratory (BNL) of the analysis in WCAP-9946, "Reliability Analysis of the Auxiliary Feedwater System for the Catawba Nuclear Station Units 1 & 2" (3), which was prepared by [...] Corp. for Duke Power Company.

A quantitative criterion for AFWS reliability has been defined by NRC in the current Standard Review Plan (SRP 10.4.9) for Auxiliary Feedwater Systems (4):

"... An acceptable AFWS should have an unreliability in the range of 10⁻⁴ to 10⁻⁵ per demand based on an analysis using methods and data presented in NUREG-0611 and NUREG-0635. Compensating factors such as other methods of accomplishing the safety functions of the AFWS or other reliable methods for cooling the reactor core during abnormal conditions may be considered to justify a larger unavailability of the AFWS".

2.0 SCOPE OF BNL REVIEW

The BNL review has been conducted in accordance with the methodology, data, and scope of NUREG-0611, Appendix III. It has two major objectives:

(a) To evaluate the applicant's reliability analysis of the AFWS.
(b) To provide an independent assessment, to the extent practical, of the AFWS unavailability.

Unavailability as used in this report has been defined as the "probability that the AFWS will not perform its mission on demand". The term unavailability is used interchangeably with unreliability.

Specific goals of this review are then:

(a) To compare the applicant's AFWS to the operating plants studied in NUREG-0611 by following the methodology of the latter as closely as possible.
(b) To evaluate the applicant's AFWS with respect to the reliability goal set forth in SRP 10.4.9, i.e., that the AFWS has an unreliability in the range of 10⁻⁴ to 10⁻⁵ per demand, using the above methodology.

The NUREG-0611 methodology and the BNL review specifically exclude externally-caused common mode failures such as earthquakes, tornadoes, floods, etc. and internal failures such as pipe ruptures.

3.0 MISSION SUCCESS CRITERIA

The mission success criteria as described in REF.3 are as follows:

1. The Catawba AFWS is designed to supply a minimum of 470 gpm at 120°F to a minimum of two steam generators within one minute of any accident requiring the system to function. This flow will ensure adequate heat transfer area coverage in the steam generators to prevent a temperature rise in the reactor coolant which would result in release of coolant through the pressurizer relief valves. The AFWS must be capable of pumping this flow into the steam generators at a pressure of 1210 psig (first safety valve relieving pressure + 3 percent).

2. Sufficient feedwater supply to the AFWS must be available under any accident condition to enable the plant to be taken to a safe condition. A minimum of 225,000 gallons feedwater supply is required to maintain the reactor at hot standby for two hours followed by cooldown of the Reactor Coolant System to the temperature at which the Residual Heat Removal System (RHRS) may be operated.

3. The criterion adopted for mission success for a LMFW transient was the attainment of flow from the AFWS pumps such that one or more of the three AFW pumps functions to supply the minimum total feedwater requirements to at least two intact steam generators.

4. System reliability was calculated to the above criterion allowing a steam generator dryout time of twenty-five (25) minutes. This time is the amount of time it takes to boil away minimum water inventory in the steam generators based on decay heat curves (ANS plus 20 percent).

4.0 SYSTEM DESCRIPTION

The AFW system description provided in REF.3 is repeated here with comments by BNL.

4.1 Configuration and Overall Design

Figure 2 is a simplified flow diagram of the AFWS for Catawba, Unit No. 1. The AFWS for Catawba, Unit No. 2 is of identical design. The pump discharge headers are connected through associated piping, valves, and controls such that motor-driven AFW pump A supplies water to A and B steam generators and motor-driven AFW pump B supplies water to steam generators C and D. The turbine-driven (TD) AFW pump supplies water to B and C steam generators. The flow from the AFWS enters the steam generators through individual nozzles on each generator, separate from the Main Feedwater nozzles. The alignment scheme of the pumps to the steam generators is designed to prevent excessive pump runout during an accidental depressurization and yet maintain at least minimum AFW flow to at least two effective steam generators during the operator delay period (REF.5 and Appendix B-1).

BNL Comment: The TD pump has the capability of feeding all four steam generators. However, its motor-operated isolation valves in the feedlines to Steam Generators A and D, MOVs 1CA66B and 1CA38A, respectively, are normally closed and are powered by the emergency AC power busses. No provisions have been made for emergency DC operation of these valves to the open position for use during an LOAC transient. For LMFW or LOOP, the operator would open the valves to balance the flow to all four steam generators after determining that no steam generator is undergoing depressurization. The valves can be handjacked open.

The pump design data is as follows:

Type                                      Quantity   Design Flowrate (GPM @ °F)   Total Dynamic Head (Ft. H2O)
1. Centrifugal, electric motor driven     2          500 @ 134                    3200
2. Centrifugal, steam turbine driven      1          1000 @ 134                   3200

Water to the suction of each unit's AFWS is supplied from several non-safety grade water sources and one safety grade water source. The water is supplied from these sources on a priority based on water quality as follows:

Source                                                     Safety Grade   Capacities (Gallons), Normal / Maximum
1. Upper Surge Tanks (USTs)                                No             55,000 / 85,000
2. Auxiliary Feedwater Condensate Storage Tank (AFW-CST)   No             42,500 / 42,500
   (Shared between both units)*
3. Condenser Hot Well (CHW)                                No             170,000 / 170,000
4. Nuclear Service Water System (NSWS)                     Yes            Nuclear Service Water Pond (2.74×10⁸ gal)
5. Condenser Circulating Water System (CCWS)               No             3 Day Supply

* See REF.5
See Appendix B-3

An additional 30,000 gal. (maximum) is available from the condensate storage tank when the condensate storage tank pumps are available to fill the upper surge tanks. For a discussion of minimum capacities, see Appendix B-3.

Water supplied from the Upper Surge Tanks, Auxiliary Feedwater Condensate Storage Tank and the Condenser Hot Well is headered into a common line. This single line is then routed to the AFW pumps.

BNL Comments: In a plant visit by NRC personnel (Appendix C), it was determined that both the USTs and the AFW-CST are located at about the same elevation, with the AFW-CST on a lower roof of the Turbine Building. The USTs and the CHW are normally under a vacuum while the AFW-CST is open to atmosphere. This means that the latter provides the greatest available NPSH to the pumps and thus is the first source to be depleted, followed by the USTs and then the CHW.

The safety-grade Nuclear Service Water System (NSWS) is connected to the AFWS of each unit such that redundant nuclear service water channels A and B can be aligned to any or all three of the AFW pumps. Safety class isolation valves are provided in the AFW pump suction lines to isolate the non-safety grade source when supply from the NSWS is required.

BNL Comment: From Fig. 2, it appears that either redundant nuclear service water channel A or B can feed the turbine-driven pump and its corresponding motor-driven pump. Either channel alone can also feed all three pumps simultaneously but only if both Trains A and B electric power are available to allow opening of motor-operated valves (1CA15A, 1CA18B, 1CA116A, 1CA85B) and operation of the motor driven pump on the train opposite to the one supplying NSW.

Each auxiliary feedwater pump discharge line is provided with a motor operated isolation valve, an air operated fail open control valve, and a check valve in individual feedlines to each steam generator. The discharge from each AFW pump also has a loop for full flow pump testing, which leads to the Upper Surge Tanks. Self-contained automatic recirculation valves are provided to assure individual pump minimum flow when needed during operation. These pump recirculation valves are self-regulating self-contained control valves. Flow is discharged into a common header with the test flow which leads to the Upper Surge Tanks.

BNL Comment: The recirculation flow rate for each motor-driven pump is approximately 90 GPM and for the turbine-driven pump approximately 200 GPM. See Appendix B-1.

The NSWS is designed to provide cooling water for various Auxiliary Building and Reactor Building heat exchangers during all phases of station operation. Each unit has two redundant "safety-related" headers serving two trains of equipment necessary for a safe plant shutdown and a "non-essential" header serving equipment not required for a safe shutdown. Water is normally supplied to the system from the lake but can be switched to the Nuclear Service Water Pond (NSWP) which is designed to meet seismic loads. As an Engineered Safeguards System the NSWP is automatically valved to provide feed to the channels of the NSWS of both units following a safety injection signal from either unit.

4.2 Component Design Classification

The AFWS of each unit including its primary water supply from the NSWS are engineered safeguards systems. The major components of these systems are designed according to seismic and other requirements as given in the following table:

System/Component                  ASME-BPV Code Section   Seismic: OBE   DBE
1. AFWS - Turbine Driven Pump     III - Class 3           Yes            Yes
2. AFWS - Motor Driven Pumps      III - Class 3           Yes            Yes
3. AFWS - Valves                  III - Class 2           Yes            Yes
                                  III - Class 3           Yes            Yes
4. NSWS - Pumps                   III - Class 3           Yes            Yes
5. NSWS - Strainers               VIII                    Yes            Yes
6. NSWS - Valves                  III - Class 2           Yes            Yes
                                  III - Class 3           Yes            Yes
7. CCWS - Valves                  III - Class 2           Yes            Yes
                                  III - Class 3           Yes            Yes

OBE - Operating Basic Earthquake
DBE - Design Basis Earthquake

The components listed above are also designed for tornado, wind and missile protection. Piping for the safety-related portions of AFWS and NSWS is also designed accordingly.

The motors of the motor-driven pumps of the AFWS and NSWS for each unit are designated Electrical Safety - Class 2E. This same classification is given to the motors of valve motor operators of these systems. Electrical equipment of 2E classification requires seismic qualification to a safe shutdown earthquake criterion and is so designed.

4.3 Power Sources

The turbine-driven AFW pump of each unit is supplied with steam from redundant feedlines. One feedline is supplied steam from the unit's steam generator "B" outlet header upstream of its main steam isolation valve (MSIV) and the other from the unit's steam generator "C" outlet header upstream from its MSIV. This assures steam to the turbine-driven AFW pump even with these two MSIVs closed.

BNL Comment: There is also a connection from the Auxiliary Steam Supply System although it is not stated under what conditions that system can be used to drive the pump. No credit has been taken in the analysis for that possible source of supply.

See Appendix B-3.

Each unit of the station is equipped with an "Essential Auxiliary Power System" (EAPS) that includes onsite 4160 V, 600 V, 120 V AC and 125 V DC power. This system supplies power necessary for a safe shutdown of the reactor, containment isolation, containment spray and cooling, auxiliary feedwater flow, and emergency core cooling following an accident. It consists of redundant switch-gear, load centers, motor control centers, panelboards, battery chargers, batteries, inverters, diesel-engine AC generators (two per unit), protective relays, control devices, and interconnecting cable supplying two redundant load groups of each unit. The 120 V AC and the 125 V DC Vital Instrumentation and Control Power Systems of the EAPS supply continuous power for control and instrumentation in the Reactor Protection and Control System.

The EAPS of each unit is designed to meet the criteria set forth in the NRC General Design Criteria (GDC 17, GDC 18), IEEE 279-1971, IEEE 308-1971 and Regulatory Guides 1.6, 1.9, and 1.32.

The motor-driven pumps of a unit's AFWS receive power from its EAPS via two identical but separate 4160 V emergency buses. In the event of a loss of offsite power, the pumps receive power via the emergency buses from two diesel AC generators (4160 V) designated "A" and "B". Diesel generator "A" provides power to the emergency bus that feeds the unit's AFW motor-driven pump designated "A" and diesel generator "B" provides power to the bus feeding AFW pump "B". Redundant motor-operated valves and other electrical equipment designated "A" and "B" receive power in a similar manner.

4.4 Instrumentation and Controls

Sufficient instrumentation and controls are provided to adequately monitor and control the AFW System. The safety related instrumentation and controls which monitor steam generator level and pressure, automatically start the AFW pumps, and automatically align the safety related NSW supply, meet the system requirements for redundancy, diversity, and separation. Appropriate methods are employed to assure independent operation of the three instrumentation and control channels and to prevent any interaction between subsystems.

All nonsafety related instrumentation and controls are designed such that any failure will not cause degradation of any safety related equipment function.

Indicators: Specific indicators for the AFW System are listed below, as provided in the control room and/or the auxiliary shutdown panels (marks are given under the column headings Control Room and Local):

Steam generator A, B, C, D levels (wide range): x x
Steam generator A, B, C, D pressures (wide range): x x
Turbine driven pump suction and discharge pressures: x x
Motor driven pump A suction and discharge pressures: x x
Motor driven pump B suction and discharge pressures: x x
Turbine steam inlet pressure: x x
Turbine speed: x x
Auxiliary feedwater isolation motor operated valves CA38A, CA42B, CA46B, CA50A, CA54B, CA58A, CA62A, CA66B open/close position: x x
Auxiliary feedwater turbine stop valve and main steam supply valves 1SA2, 1SA5 open/close position: x x
Upper Surge Tank supply valve CA4 open/close position: x x
Condenser Hot Well supply valve CA2 open/close position: x x
Auxiliary Feedwater Condensate Storage Tank supply valve CA6 open/close position: x x
Main feedwater bypass to AFW nozzle isolation valves open/close position: x
Condensate sources low level indicating lights: x x
Loss of condensate source indicating lights: x
Auxiliary feedwater pump suction valves CA7A, CA9B, CA11A, CA15A, CA18B, CA85B, CA116A open/close position: x x
Nuclear service water supply valves RN250A, RN310B open/close position: x x
Condenser circulating water supply valves CA174, CA175, CA178 open/close position (*): x x
AFW flows to A, B, C, D steam generators: x x
Individual auxiliary feedwater pump discharge flows: x
Main feedwater pressure: x
Upper surge tank level: x
Auxiliary feedwater condensate storage tank level: x
Hot Well level: x
Condensate storage tank level: x
Nuclear service water pond level: x
Auxiliary feedwater pumps running lights: x x
Auxiliary feedwater pumps automatic start defeat indicating lights: x
Auxiliary feedwater pumps recirculation flow indicating lights: x

(*) See Appendix B-3

Controls: Specific controls for the AFW System are listed below, as provided in the control room and/or the auxiliary shutdown panels (marks are given under the column headings Control Room and Local):

Motor driven pump A stop/start: x x
Motor driven pump B stop/start: x x
Turbine driven pump stop/start: x x
Individual valve position controls for pump discharge flow control valves CA36, CA40, CA44, CA48, CA52, CA60, CA64: x x
Individual auxiliary feedwater motor operated isolation valves CA38A, CA42B, CA50A, CA54B, CA58A, CA62A, CA66B open/close: x x
Auto start defeat switch (motor driven pumps only): x
Local/remote control transfer switch: x
Auxiliary Feedwater Condensate Storage Tank supply valve CA6 open/close/auto: x x
Upper Surge Tanks supply valve CA4 open/close: x x
Condenser Hot Well supply valve CA2 open/close: x x
Auxiliary feedwater pump suction valves CA7A, CA9B, CA11A open/close: x x
Nuclear Service Water supply valves RN250A, RN310B open/close/auto: x x
Condenser circulating water supply valves CA174, CA175 open/close/auto, CA178 open/close (*): x x
Turbine trip and reset control: x x
Turbine speed control: x x
Auxiliary feedwater turbine main steam supply valves 1SA2, 1SA5: x x
Main feedwater bypass to auxiliary feedwater nozzle isolation valves open/close: x
Auxiliary feedwater pump suction valves CA15A, CA18B, CA85B, CA116A open/close/auto: x x

(*) See Appendix B-3

Alarms: Specific alarms for the AFW System are listed below, as provided in the control room:

Low hotwell level
Low upper surge tank level
Low-low auxiliary feedwater condensate storage tank level
Loss of condensate source
Turbine stop valves not open
Control room control overridden by local panel control
Any auxiliary feedwater pump discharge motor operated isolation valve not open
Any nuclear service water supply valve not closed (RN250A, RN310B, CA15A, CA18B, CA85B, CA116A)
High temperature alarms for pump and driver bearings and motors
Any auxiliary feedwater pump suction valves CA7A, CA9B, CA11A not open

Initiation Signals for Automatic Operation: The AFW motor-driven pumps start automatically on the following signals:

1. Two out of four low-low water level signals in any one of the four steam generators,
2. Loss of all main feedwater pumps,
3. Initiation of a safety injection signal,
4. Loss of offsite power.

The AFW turbine-driven pump starts automatically upon the generation of two out of four low-low water level signals in any two steam generators or upon loss of offsite power. Two redundant steam supplies for the turbine, one from Loop B and one from Loop C, are provided upstream of main steam isolation valves SM3 and SM5. Each steam supply is provided with a piston operated valve that opens on a signal to start the turbine driven pump. Redundant control systems are provided to assure opening of each valve on a turbine driven pump start signal. Any electrical or air failure will result in the valve failing open. A check valve is provided in each steam supply to prevent flow reversal. The turbine discharges to atmosphere. Turbine overspeed protection is provided.

5.0 EMERGENCY OPERATION The emergency operation of the AFWS described in REF.3 is repeated here -with comments by BNL: Start-up of the AFW pumps is automatic. As an accident initiated cool-down of the. reactor progresses, the AFWS is controlled manually from the Con-trol Room, from the Auxiliary Shutdown Panels (ASPS), or locally at the pumps 'if the Control - Room-or ASPS are not available. I f The motor-driven and turbine-driven pumps will start automatically and provide more than the minimum required. flow against a steam generator pressure of 1210 psig. The pumps will remain in operation until manually stopped by the operator. The Auxiliary Feedwater System will continue to function during a shut-down until the steam generator steam pressure reaches 125 psia and the primary l coolant temperature and pressure are approximately 350 F and 415 psia.. At this time, the Residual Heat Removal System will be placed in operation as the AFW system is manually removed from service. The AFW-CST, the USTs, and the CHW are condensate grade, non-safety re-l lated water sources which are preferred in both normal and emergency operation to maintain steam generator cleanliness. However, for emergency events, when none of the condensate grade sources are available, two redundant and. separate trains of nuclear service water are available. The water supplied by the two nuclear service water sources will be of lower quality; however safety con-siderations override those of steam generator cleanliness. An additional independent source of water is the Condenser Circulating Water System (CCWS). The AFW-CST is provided for.the Auxiliary Feedwater Systems of both units 'q as a condensate grade. feedwater supply. Motor operated supply valve ICA6 is normally open during normal unit operation..This valve is supplied with a l handjack for manual operation if the motor operator is inoperable. 
Controls are provided on both the local panel and the control room for operation of valve 1CA6. During blackout operation, valve 1CA6 will be operable on blackout power.

The CHW and USTs supply the major portion of the condensate reserves for each unit. Motor operated upper surge tank and hotwell supply valves, 1CA4 and 1CA2 respectively, are normally open during normal unit operation. During blackout operation, valve 1CA4 will be operable on blackout power. These two valves are supplied with handjacks for manual operation if the motor operator is inoperable. Controls are provided on both the local panel and the control room for operation of valves 1CA4 and 1CA2. Control of these two valves is manual only by open-close control switches.

To prevent spurious closure of all three valves 1CA6, 1CA4, and 1CA2, such as may be caused by a fire, valve 1CA2 motor operator breaker is always tagged out such that no power is available normally to close the valve. The breaker must first be closed to operate 1CA2 remotely. This measure is taken to prevent loss of all condensate sources due to possible spurious signals that may result from a fire in the Turbine Building. During normal operation of the condensate sources, there is never any need to close valve 1CA2; however, valves 1CA4 and 1CA6 must remain remotely operable from the control room to allow these valves to be closed by the operator as sources are depleted.

BNL Comment: See Section 9.1.2 for a detailed discussion of the operation of these valves for all of the conditions mentioned above.

If all three of the condensate grade auxiliary feedwater supplies are unavailable during emergency operation, and detected by the redundant instrumentation provided, redundant sources of nuclear service water are available through motor operated supply valves 1RN250A and 1RN310B. Valve 1RN250A is powered from train A of the Essential A.C. Power System during blackout conditions, and valve 1RN310B will operate from train B of the Essential A.C. Power System. Both valves 1RN250A and 1RN310B are closed during normal unit operation. Both valves fail "as is" if no power is available for operation. These valves are provided with handjacks for local manual operation if the motor operator is inoperable. Controls are provided on both the local panel and the control room for both valve 1RN250A and 1RN310B. In the auto mode, these valves will automatically open and will remain open after automatic initiation of the Nuclear Service Water System supply trains A and B.

BNL Comment: Automatic switchover is possible only if the valves had been placed in the Auto Mode by the operator.

These valves may be manually overridden either at the local panel or in the control room by placing the control switches in the open or close position. If for any reason, both valves 1RN250A and 1RN310B are inoperable, at least one of these two valves must be manually opened using the provided hand jacks. Either valve will provide the necessary supply water to all three auxiliary feedwater pumps for emergency operation.

BNL Comment: However, normally-closed, motor-operated valves 1CA15A, 1CA18B, and 1CA116A or 1CA85B must also be opened for NSW to enter the pumps' suction lines. These valves are included in the automatic switchover logic to NSW (see Figures 3 and 4) but this is not mentioned in the text of the analysis. These valves were properly shown in the fault trees. It is not stated whether these valves have handjacking capability. See Section 9.1.2 for further discussion.

A separate plant subsystem has been incorporated into the Catawba design to allow a means of limited plant shutdown, independent from the control room and auxiliary panels. This system provides adequate secondary side makeup independent of all A.C. power and normal sources of water. If condensate sources are depleted or lost, suction will automatically transfer to an independent source initiated by train A of the condensate source loss detection logic and battery powered motor-operated valves. The independent source of water is the buried piping of the Condenser Circulating Water System (CCWS), which contains sufficient water in the imbedded pipe, inaccessible for sabotage, to enable the plant to be maintained at hot standby for at least 3 1/2 days. In this manner, sufficient AFW flow may be maintained even if all normal and emergency A.C. power is lost, and all condensate and safety-grade water sources are lost due to sabotage.

The motor driven pumps are provided with motor coolers to prevent motor overheating. These coolers are supplied a minimum of 30 GPM of nuclear service water from the train associated with each pump. Travel stops on the temperature control valves are set such that 30 GPM is always provided under minimum nuclear service water supply conditions.

The turbine driven pump is contained within a confined area, and environmental considerations are incorporated into the design of turbine subsystems. As the turbine lube oil system is also sensitive to the environment surrounding the turbine, a turbine lube oil cooler is provided. A small flow (approximately 20 GPM) is taken from the turbine driven AFW pump discharge, through a series of orifices and a throttled globe valve to supply the lube oil cooler.

6.0 TESTING

Pump performance and flow control testing as described in REF.3 are as follows:

The AFW pumps are periodically tested to meet inservice surveillance requirements. A full flow test loop to the USTs is provided at the discharge of each AFW pump. Adequate instrumentation is provided to verify pump performance.

The motor-driven AFW pumps may be used during plant startup in their normal alignment to the steam generators. Pump performance and automatic feedwater flow control can be verified during this mode of operation. The turbine-driven AFW pump performance and its discharge control valve travel stop settings can also be verified during this mode of operation.

7.0 TECHNICAL SPECIFICATIONS

The technical specifications which will be applied as described in REF.3 are the following:

A review of the Technical Specification indicates that for power, start-up, or hot standby plant status the limiting condition of the AFWS for plant operation include:

1. At least three independent auxiliary feedwater pumps and associated flow paths shall be operable with:
   a. Two motor-driven AFW pumps, each capable of being powered from separate emergency buses, and,
   b. One turbine-driven AFW pump capable of being powered from an operable steam supply system.
2. With one auxiliary feedwater pump inoperable, restore at least three AFW pumps (two capable of being powered from separate emergency buses and one capable of being powered by an operable steam supply system) to an operable status within 72 hours or be in at least hot standby condition within the next 6 hours and in a hot shutdown within the following 6 hours.

The Technical Specification requires all valves of the AFWS to be given inservice tests and inspections in accordance with the ASME Boiler and Pressure Vessel Code (Section XI and applicable Addenda) for Safety Class 1, 2 and 3 components.

BNL Comment: There are no specified test frequencies or maintenance outage limitations for non-safety class valves. See Appendix B-3.

Additional surveillance requirements include:

1. At least once per 31 days
   a. Verifying that each motor-driven pump develops a discharge pressure of greater than or equal to 1380 psig at a flow of greater than or equal to 500 gpm.
   b. Verifying that the steam turbine-driven pump develops a discharge pressure of greater than or equal to 1480 psig at a flow of greater than or equal to 800 gpm when the secondary steam supply pressure is greater than 600 psig.
   c. Verifying that each non-automatic valve in the flow path that is not locked, sealed, or otherwise secured in position, is in its correct position.
   d. Verifying that each automatic valve in the flow path is in the fully open position whenever the auxiliary feedwater system is placed in automatic control or when above 10 percent of RATED THERMAL POWER.
2. At least once per 18 months during shutdown
   a. Verifying that each motor driven pump starts automatically upon receipt of each of the following test signals:
      1. Loss of both main feedwater pumps.
      2. Safety injection signal.
      3. Steam Generator Water Level - Low-Low from one steam generator.
      4. Loss of offsite power.
   b. Verifying that the steam turbine-driven pump starts automatically upon receipt of each of the following test signals:
      1. Loss of offsite power.
      2. Steam Generator Water Level - Low-Low from two steam generators.

BNL Comment: The applicant's Technical Specifications comply with Recommendation GS-1 of NUREG-0611 that the outage time for one AFW system flow train and essential instrumentation be limited to 72 hours and that the subsequent action time by which the plant must be in the Hot Shutdown condition is 12 hours.

8.0 ASSUMPTIONS

The applicant has made the following assumptions in the preparation of the analysis. BNL comments are provided both here and in Section 9.0 when necessary:

Hardware and Human Error Failure Data: The failure data given in NUREG-0611 were assumed valid and directly applicable to the evaluation of basic events in this study. These data are listed in Table 5.

BNL Comment: While the statement is generally true, there are discrepancies for human error data between the NUREG-0611 data, Table 6 of this report, and that used by the applicant, shown in Table 5. See Section 9.2.1.2 for details.

Test and Maintenance Outage Contribution: The NRC-supplied calculational approach stated in NUREG-0611 was used in this study along with the data supplied for test and maintenance outages. The calculational approach and data used is presented in Table 5.

BNL Comment: The NUREG-0611 unavailability data for valve maintenance, Table 6 of this report, can be interpreted in two ways. See Section 9.2.1.2 for details.

Offsite and Emergency Power Availability: The following assumptions were made regarding all AC power source availability:

a. The unavailability of essential AC offsite power was assumed as 1x10^-3.
b. The unavailability of essential AC emergency onsite power (diesel AC generators) was assumed as 3x10^-2 per emergency power bus.

The values listed above are the basic point estimate values used in WASH-1400 to determine the probability of a total loss of AC power coincident with LOCA.

Sample and Test Lines: These lines were not considered as possible flow diversion and/or leakage paths in the development of fault trees used in the study.

Passive Piping Components: All piping components (i.e., section of pipes, flanges, reducers, etc.) were assumed available with a probability of 1.0 and were not considered in the fault tree development.

Control DC and 120 V AC Instrumentation Power: These power sources were assumed available with a probability of 1.0. An in-depth analysis of these power sources was considered beyond the bounds set for this study.

Degraded Component Failures: Degraded failures were not considered in the analysis; that is, components were assumed to operate properly or were treated as a total failure.

BNL Comment: The assumptions identified above (Offsite and Emergency Power Availability to Degraded Component Failures) comply with NUREG-0611 and thus are acceptable.

Coupling of Human Errors: Except for test and maintenance, no manual actions are required for the start-up operation of the Catawba AFWS. An automatic start is provided in system design to activate the AFWS upon loss of main feedwater flow. Coupled human errors for test and maintenance was considered through the selection of the appropriate data for human acts and errors as supplied by the NRC.

BNL Comment: The applicant has misinterpreted the NUREG-0611 methods to evaluate coupled human errors. This misinterpretation resulted in a nonconservative contribution to the overall results from coupling of human errors. See Section 9.2.1.2 for details.

AFWS Actuation Logic Reliability: The probability of failure on demand for the actuation of a valve or pump component of the AFWS was assigned the value (7x10^-3/train) given in the NRC-supplied data.

BNL Comment: This agrees with the NUREG-0611 guidelines.

Water Source Availability - Condensate System and Nuclear Service Water System: The availability of water from the Upper Surge Tank, the Condenser Hot Well and the AFW Condensate Storage Tank, and from Nuclear Service Water System to headers "A" and "B" at their interface with the AFWS was assumed available with a probability of 1.0 and thus was not considered in the fault tree development. The analysis of systems that interface with the AFWS was considered beyond the bounds set for this study.

BNL Comment: The quantity of water available from the Upper Surge Tank is variable. See Section 9.1.2 for a detailed discussion of suction source availabilities.

Coincident Test and Maintenance of Components: The analysis assumes that coincident test and/or maintenance of components of more than one auxiliary feedwater pump and its associated flow paths, while the reactor is at full power, is in violation of the plant's Technical Specification; thus such basic events are treated as not being credible and are discounted in the quantitative evaluation of the fault tree.

An assumption is also made that components for an individual auxiliary feedwater (AFW) pump and its associated flow paths are tested one at a time and thus, any cut set containing basic events for testing two or more components at the same time are likewise treated as not being credible and are discounted.

BNL Comment: This agrees with the NUREG-0611 guidelines. However, the applicant should clarify the overall test and maintenance policy to be applied. For example, at what frequency are the motor-operated isolation valves in each steam generator AFW inlet line to be tested? Are all valves in series unavailable during a test? How will maintenance be performed on the inlet line valves? What types of valves will be maintained during power operation?

9.0 RELIABILITY ANALYSIS

9.1 Qualitative Aspects

9.1.1 Mode of System Initiation

Based on the description provided in Section 4.0 and Section 5.0, BNL finds that the applicant conforms to Recommendation GL-1 of NUREG-0611 that AFWS initiation be entirely automatic for the conditions of LMFW and LOOP. For LOAC, the steam admission valves to the turbine-driven pump will open upon loss of electrical or air supply, which in turn will start the pump.

The primary suction sources are the condensate-grade supplies in the USTs, the AFW-CST, and the CHW which will normally be aligned to the pump regardless of the initiating event, i.e., LOAC. Provisions have been made for automatic switchover to the CCWS if the condensate sources are depleted or lost. See Section 5.0. Therefore the applicant complies with Recommendation GL-3 of NUREG-0611 that at least one AFW pump and its associated flow path and essential instrumentation should automatically initiate system flow and be capable of being operated independently of any AC power for at least two hours.

9.1.2 System Control Following Initiation

The AFWS is controlled manually from the Control Room, from the Auxiliary Shutdown Panels, or locally at the pumps if the Control Room or ASPs are not available. The steam generator level is maintained by manually setting the air-operated AFWS flow control valves. In the event of LOOP, the instrument air supply is available only after the Emergency Diesel Generators have completed the automatic sequencing of the essential loads and the "Blackout" loads such as the Instrument Air Compressor are then manually loaded onto the diesels. The automatic sequencing takes 12 minutes so that AFWS flow control from the Control Room is not possible until after the 12 minutes have elapsed. In the case of LOAC, no instrument air supply is available for AFWS flow control from the Control Room.
Besides steam generator level manual control, the operator should manually close the motor-operated valve (MOV) 1CA6 which isolates the AFW-CST to prevent air from entering the suction of all three pumps as the source is depleted. As a back-up, 1CA6 is set also for automatic closure upon low level in the AFW-CST. Both the AFW-CST and the USTs are elevated sources. Since the AFW-CST provides the greatest NPSH, it is depleted first. Before depleting the AFW-CST and then drawing on the USTs, the operator should then close valve 1CA6 so that suction can be taken from the CHW without breaking the vacuum. If the valve cannot be closed, the operator must decide whether to:

1. break the condenser vacuum and draw suction from the CHW, or
2. switch over to the NSWS, or
3. continue depleting the UST while efforts are made to handjack valve 1CA6 to the closed position.

There appears to be some confusion as to whether motor-operated valve 1CA4 which isolates the USTs must be closed by the operator after the UST are depleted. Some of the applicant's personnel stated that 1CA4 is closed automatically upon low level in the USTs while others saw no reason ever to close the valve during AFWS operation. In the BNL analysis, we have assumed that the valve must be closed, although it has no significant quantitative effect on the system unavailability, unless the effects of common mode failures are considered. A detailed discussion of suction switchover is provided in Section 9.1.6, Common Mode Failures.

9.1.3 Effects of Test and Maintenance Activities

Each remotely-operable valve has a position indicator in the Control Room. This feature should substantially reduce the possibility of a valve being left in its incorrect position after test or maintenance actions and is given the lowest unavailability per demand for human errors in NUREG-0611.

Each essential, manually-operated valve is locked open so that the probability of inadvertent closure after test and maintenance actions is minimized.

The normally-closed isolation valves on the full flow pump test lines which discharge to the USTs do not appear to be locked into position. This could result in diversion of flow to the UST due to human error. However, as per the Technical Specifications, Section 7.0, such valves will be inspected at least once every 31 days to verify that they are in the correct position.

There are no specified test frequencies or maintenance outage limitations on non-safety class valves. Since valve 1CA6 is non-safety class (as is 1CA4), no periodic testing will be performed. Since the proper functioning of this valve is fairly important (see Section 9.1.2) it appears logical that some sort of periodic testing should be performed. The unlimited maintenance outage time for 1CA6 does not affect the AFW pumps' integrity but does affect the availability of water from the AFW-CST. This does not appear to be accounted for in the quantitative analysis (see Section 9.2).

9.1.4 Availability of Alternate Water Sources

Given the stated capacity of the NSW Pond (Section 4.0), the assured safety-class supply, of 2.74x10^8 gallons (maximum), and the 3 day supply of the Condenser Circulating Water System, the applicant has provided a substantial quantity of water from diverse sources as a back-up to the condensate grade sources, with automatic switchover capability to transfer to the alternate sources. Therefore, the applicant complies with Recommendation GL-4 of NUREG-0611.

It is important to note as well that neither valves 1CA6, 1CA4 nor 1CA2 is safety-class. REF.3 (see Section 5.0) states that 1CA6 and 1CA4 are operable on "blackout power". During the plant visit of July 20-21, 1982 by NRC personnel, the applicant stated that the valves are powered from AC sources only, although the type was not specified. We assume that for LOOP these valves are manually loaded onto one or both of the Emergency Diesel Generator busses using redundant safety class breakers in series. Apparently for LOAC, the only available method of closing 1CA6 is to manually handjack it closed. We do not believe that such an action could be successfully completed under the severely adverse conditions of LOAC within the relatively short time of 20 minutes or so before the AFW-CST is depleted.

It appears that the condenser vacuum will be dissipated after the occurrence of LOOP or LOAC and certain incidents which cause LMFW. The applicant should provide the maximum and minimum time spans for the vacuum to dissipate without operator action. The following should be also clarified:

1. In what order the condensate grade sources are depleted and the time before depletion.
2. The conditions under which valves 1CA6 and 1CA4 must be closed and how the closure will be accomplished. The electrical power sources available and the actions required to utilize them should also be provided.
3. Whether redundant level indication and alarms are provided for the primary AF water supply (or supplies) and whether the alarms are set to allow at least 20 minutes for operator action.

The above information should be provided separately for each of the three transients (LMFW, LOOP, and LOAC). Such information will allow a determination of whether the applicant complies with Additional Short-Term Recommendation 1 of NUREG-0611 concerning Primary Water Source Low Level Alarm. In particular the recommendation states that the licensee should provide redundant level indication and low level alarms in the Control Room for the AFW system primary water supply to allow the Operator to anticipate the need to make up water or transfer to an alternate water supply and prevent a low pump suction pressure condition from occurring. The low level alarm setpoint should allow at least 20 minutes for operator action, assuming that the largest capacity AFW pump is operating.

9.1.5 Adequacy and Separation of Power Sources

Based on the description of the power sources in Section 4.0, the applicant has provided adequate and separated power sources and therefore complies with the intent of NUREG-0611.

9.1.6 Common Mode Failures

Externally-generated common mode failures such as fire, flooding, earthquakes, etc., with one minor exception, have been excluded from the applicant's analysis. This is in agreement with NUREG-0611. The exception is that failures of the condensate-grade and condenser circulating water sources due to "environmental conditions beyond the design base" (Faults RACONDER and RACIRCER) were included. Their effect on the overall system unavailabilities is negligible.

NUREG-0611 considered internally-generated common mode failures in only two ways, both involving human errors. One is the Post-Accident situation of the Control Room Operators failing to actuate a manually-initiated AFWS and the other is the Pre-Accident situation of an operator leaving one or more additional valves in the wrong position given that he has already left one valve in the wrong position, i.e., coupling of human errors. Since the Catawba AFWS is automatically initiated, the former does not apply. The latter was not properly considered in the analysis. See Section 9.2.1.2 for a detailed discussion of this matter.

In addition, the applicant has performed a physical inspection of the plant drawings and a plant inspection which is described in REF.3 as follows:

1. The plant diagrams were reviewed and the Catawba site was toured in order to determine if there were any conditions which could cause multiple failures due to a common cause. No location dependencies were identified which could cause common-mode failures of the system. Although all auxiliary feedwater pumps are located in the same general area of the Auxiliary Building, the turbine-driven pump is enclosed in a room that forms a barrier between it and the motor-driven pumps.
2. The system has power diversity in that both motor-driven and steam turbine-driven pumps are used to provide auxiliary feedwater flow. No dependencies were noted to exist between the two types of pump systems employed. In addition, no common dependencies on AC or DC power were identified.

The following discussion addresses the probability of a complete loss of AFW suction. The event contemplated is air or vapor binding of all three pumps as a result of faulty transfer between suction sources.

Some AFW systems take suction from large condensate storage tanks which are sized for many hours of AFW operation, and whose availability is largely taken for granted, barring catastrophic external events. In addition, provision for automatic switchover to another source is frequently made. Thus, loss of suction in such a plant is a conjunction of the unlikely loss of the normal source and failure of automatic switchover. In contrast to this, at Catawba multiple sources are involved at a relatively early stage of the transient. It is appropriate to inquire whether loss of normal suction is relatively more likely at Catawba. The following discussion is based on somewhat limited information obtained from the report, the FSAR, and several telephone conversations (Appendix B).

Transfer Among Condensate Sources

Refer to the system flow diagram in Figure 2 and the event trees in Figure 5. Normally, the AFWS is aligned to a header which is connected to three condensate sources (the AFWCST, the USTs, and the CHW) through normally-open MOVs and check valves. In this arrangement, water is supplied to the header from each source according to the NPSH available from each source.

The first source to be drawn down is the AFWCST. Its inventory is 42,500 gal., corresponding to approximately 20 minutes of operation at maximum attainable flow. The AFWCST is shared between two units, however, so that if both are drawing, the time required to deplete the AFWCST could be as little as 10 minutes. As the AFWCST empties, valve 1CA6 should close automatically to prevent air from entering the system, and water should flow from the UST. If 1CA6 does not close, air should not enter the system until the UST are depleted because the static head of the water in the USTs is sufficient to close check valve 1CA5 immediately downstream of MOV 1CA6.

When the UST are depleted, one of two conditions should be met:

1. Both 1CA4 and 1CA6 should be closed; or
2. The condenser vacuum should be broken.

If both 1CA4 and 1CA6 are closed, the hotwell can supply water even under vacuum; if either of these valves is open, the vacuum should be broken, or suction from the condensate header will be lost. As mentioned above, air can enter via the AFWCST. The USTs are expected to be free of air, but the available information implies that MOV 1CA4 must be closed to prevent loss of suction. If this is not true, this entire discussion would change substantially.

The available inventory in the CHW is typically large enough that once suction is transferred successfully to that source, sufficiency of water is no longer a problem. Only in the event that the plant was operating with an abnormally low inventory of condensate would further questions arise concerning availability of water.
It should be mentioned that hotwell debris can be a problem (this is mentioned again under the discussion of strainers which appears later in this section). Also, once the condenser vacuum is broken, the static head of the CHW water level appears to be sufficient to close check valve 1CA5 and 1CA3 which isolate the AFW-CST and the UST respectively. However, it is not clear that, under continued AFWS pump operation as the available NPSH decreases, air will not enter the system if 1CA6 and 1CA4 are not closed.

Requirements for Operation of 1CA4 and 1CA6

Normally, 1CA6 will close automatically on low AFWCST level. Contributions to its failure to do so include failure of the MOV itself to operate (7x10^-3), lack of power, and failure of the logic that should close it. 1CA6 requires AC, but is not safety-related. As far as can be ascertained from the available information, in the event of LOOP, 1CA6 and 1CA4 derive power from the "Blackout Group" bus, which is manually loaded onto the diesel-backed busses after automatic sequencing is complete (12 minutes). Thus, unavailability of a diesel ([...].6x10[...]) and failure of an operator to load the "Blackout Group" bus (10[...]) also contribute to failure of 1CA6 to operate. Finally, as part of the failure of AFWCST sensing logic, there is the possibility of leaving the 1CA6 open/close/auto switch away from the "auto" position precluding automatic operation. This error, which would be assessed at 5x10^-3 by analogy with leaving a valve unrestored, is assumed included in the 7x10^-3 failure probability of the logic, which itself corresponds to the value used for actuation logic of the AFWS. For LMFW, then, 1CA[...] 1.4x10-[...] probability of failure to close, which goes u[...] given LOOP.

1CA4 requires an operator action to close the valve, since there are no provisions for automatic closure such as for 1CA6. Here, operator failure is assessed at 10[...]. Otherwise, the above remarks apply. Thus, failure to close 1CA4 is 10^-2 for operator failure and 7x1[...] hardware failure given LMFW, and 10^-2 for operator failure and 5.3x10[...] hardware unavailability given LOOP. (Operator error is modelled separately on the event tree, Figure 5.)

Any of the above can be recovered, either by breaking of the hotwell vacuum or by handjacking of the valves. Since unavailability of "Blackout AC" fails both valves, this event is modelled separately on the event tree.

Role of the Operator

Detailed procedures not having been made available, the following is assumed here:

As the USTs are depleted, one of two situations should obtain: either 1CA4 and 1CA6 should both be closed (1CA4 by operator command) or the hotwell vacuum should be broken. This has been modelled here as two separate acts: closure of 1CA4, which is normal, and recovery (if necessary) from failure of 1CA4 or 1CA6 to close (which is presumably abnormal).

The operators also play a role in establishing the availability of AC power to 1CA4 and 1CA6 in the event of LOOP. This is discussed in "Requirements for Operation of 1CA4 and 1CA6" above.

The open/close status of valves 1CA4 and 1CA6 is directly related to the "automatic switchover" to the NSWS. The applicant states that upon 2 out of 3 low differential pressure between the top and bottom of a vertical leg of the common condensate supply pipe to all three AFW pumps, the transfer logic for switchover to NSW will be activated (FSAR Section 10.4.9). However, the motor-operated valves which are a crucial portion of this scheme (1RN250A, 1RN310B, 1CA15A, 1CA18B, 1CA116A and 1CA85B) can only be automatically activated if they have been set in the Auto mode by the operator. The operator has a choice of settings: Open/Close/Auto. Therefore, since the valves are normally closed there is a significant chance that the operator will set them in the closed position, blocking out the automatic switchover capability. Of course, administrative procedures will be implemented to minimize the chances of such an event occurring. The applicant has stated that since the NSWS normal operating pressure is in the 80-90 psig range, check valve 1CA5 in the AFW-CST supply line and check valve 1CA3 in the USTs supply line will close once the NSWS is aligned to supply the AFW pumps (Appendix B-1).

Failure of automatic switchover has been assessed here at 2x10^-3 on the basis of the following arguments.

NUREG-0611 suggests 1x10^-3 as the probability of a multiple miscalibration of sensors (in this case, pressure switches). A multiple AFW suction pressure switch failure has actually occurred at Davis-Besse on May 21, 1979: some pressure switches were inoperable, while others were degraded in a manner tantamount to setpoint drift. Here, parametric modelling of common cause failures is beyond the scope of this undertaking; 1x10[...] is assessed for multiple pressure switch failure based on the NUREG-0611 recommendation, with the Davis-Besse event borne in mind. An additional common cause contribution to failure of switchover is (another) human error. The MOVs that must operate to achieve switchover are controlled by status switches which can be set (outside the control room) so as to preclude automatic operation as discussed above. By analogy with the NUREG-0611 prescription for the probability of leaving more than one valve unrestored after maintenance, this event is assessed at 1x10^-4.

Combining the above, one obtains 2x10^-3 as an estimate of the probability of failure of automatic switchover.

Suction Event Tree (Figure 5)

The above discussion is summarized in the Suction Event Tree (Figure 5).
This is a chronological development of system operation. The first branch of the tree occurs at the point at which the AFW-CST is depleted and 1CA6 should close. This can be between 10 and 30 minutes. The next branch occurs when the USTs are depleted and the operator should close 1CA4. This could be well over an hour, but could be substantially less. The inventory of the USTs can fluctuate. If the operator has not closed 1CA4, it is assumed that automatic switchover to NSW is challenged. If the operator acts to close 1CA4, he may still have to rectify problems with 1CA4 or 1CA6. In the event of LOOP, the unavailability of blackout power fails both 1CA4 and 1CA6. Thus, either handjacking of both valves or breaking of hotwell vacuum is required. Failure to break hotwell vacuum has been reduced by a factor of 10 in this calculation, because the systems which maintain vacuum are assumed unavailable given LOOP, so that vacuum will eventually be lost. It is not clear whether this occurs soon enough to enable the hotwell to provide suction in all cases. LOOP events are handled separately on the tree.

Summary

The conclusion given on the Suction Event Tree is that probability of loss of AFW suction is 2.1x10^-5 for LMFW and 2.5x10- for LOOP. Both figures are dominated by operator failure to close 1CA4. It is assumed here that this leads to a challenge of automatic switchover, since this is indicated in the FSAR and in the reliability analysis. Since the time frame available to the operator is uncertain, because USTs inventory is variable, it is not clear whether the probability assigned to this scenario is conservative. An analogous but larger contribution would occur for 1CA6 except that it closes automatically. 1CA6 is required to close much earlier in the transient, so operator error would be higher for 1CA6 if it were not automatic. Note that automating 1CA4 does not in itself change the conclusion, unless the operator faithfully backs up the valves' operation. Without operator backup, the rate of challenge is given by the additive combination of the expected number of failures of either 1CA6 or 1CA4.

Because of the uncertainty concerning the need to close 1CA4 for successful system operation, the numerical results obtained above have not been included in the BNL assessments shown in Tables 1 and 3.

Suction Strainers

Events have occurred in which several suction strainers have simultaneously plugged, leading to AFWS unavailability. In addition, hotwell debris has been known to clog strainers in main feedwater systems; at Catawba, the hotwell provides AFW suction in loss of feedwater events which last long enough to deplete both the AFW-CST and the USTs. Thus, plugging of strainers could well be a dominant cause of AFWS unavailability at Catawba. This type of event is absent from the fault tree analysis, presumably because NUREG-0611 did not explicitly cover this type of event. The applicant has stated that the strainers are temporary and will be removed after initial start up (Appendix B-1). We recommend that this be followed through to completion.
9.1.7 Single Point Failures

No single point failures have been identified.

9.1.8 Adequacy of Emergency Procedures

Based on the description of Emergency Operation, Section 5.0, the applicant has not provided adequate emergency procedures to describe the transfer from one condensate grade source to the other as required by Recommendation GS-4 of NUREG-0611. The procedures should include the actions to be taken in case either of source unavailability, such as no water in the USTs or the Condenser Hot Well, or of valve malfunctioning, such as valve 1CA6 failing to close. The procedures should describe any operator actions required to


(1CA38A and 1CA66B) and also the header isolation valves (1CA111 and 1CA112) between the MD Pumps.

The applicant has, therefore, not adequately complied with Recommendation GS-4 of NUREG-0611 concerning emergency procedures for transfer to alternate water supplies.

9.2 Quantitative Aspects

9.2.1 Applicant's Use of NRC-Suggested Methodology and Data

9.2.1.1 Fault Tree Construction and Evaluation

According to REF.3, the AFWS reliability for the three scenarios (LMFW, LOOP, and LOAC) was evaluated by constructing and analyzing fault trees. The trees were developed for a top level event of failure to achieve mission success. From this point, branches of the tree were developed downward to a level of detail corresponding to the NUREG-0611 data. Once constructed, the fault trees were analyzed using the WAM-BAM (8) computer code. The results of the analysis were then used to determine the dominant contributors to system unavailability; to establish if component dependencies exist; and for reliability comparison to other studied AFWS.

Unavailability was considered to be synonymous with unreliability.

The applicant's fault trees, and BNL expansion of the trees, are shown in Figures 6, 7, and 8. Each top event consists of an OR gate with three separate inputs: Random Only, Test, and Maintenance Unavailabilities. The applicant's fault trees are in accordance with the fault trees shown in Figures III-2 and III-3 of NUREG-0611. The specific details of the test and maintenance trees have not been provided. The applicant stated that the Random Only trees were used repeatedly with modifications made so that a single AFW pump train was assumed to be out for maintenance or test with random failures occurring in the other two trains. The individual results were then added together to obtain the final results for the cases of LMFW and LOOP (see Appendix B-2).

Since under LOAC conditions, the system consists of a single pump (turbine-driven) feeding two steam generators, the Test and Maintenance unavailabilities would simply be added (but separately identified) to the Random Only unavailability of each component (see LOAC fault tree, Fig. 8).

9.2.1.2 Failure Data

Consistent usage of NUREG-0611 and/or WASH-1400 data has been made, with the exception of human error faults and valve maintenance unavailabilities. See Table 5. The unavailability data for valve maintenance given in NUREG-0611 (see Table 6 of this report) can be interpreted in two ways.

1. If a plant has a 72 hour outage limitation, as per its technical specifications, the pumps are given a 19 hour mean maintenance act duration time while plants with 24 hour outage limitations are given a 7 hour maintenance act time for the pumps.

2. In the case of valves, a mean maintenance act duration time of 7 hours is given for 24 hour outage limitations only. No mean maintenance act duration time data is provided for the 72 hour situation.

Thus the applicant conservatively assumed that the 19 hours should be applied to the valves since they are dominated by the Technical Specification limitations on pump maintenance outage anyway.

It should be noted that the same maintenance duration time is applied to all valves regardless of type. Thus a check valve or manual gate valve is assumed to require the same 19 hours as a motor-operated or air-operated valve and at the same frequency. The result is a system unavailability weighted in the direction of a large maintenance outage contribution.

With regard to human errors, the applicant conservatively assumed no credit for human corrective action and that all human acts were of a detrimental nature only. However, the probabilities assumed for the human errors are subject to debate. By referring to Table 6, it can be seen that the unavailability values of NUREG-0611 are assigned essentially as follows:

Pre-Accident Errors

| | Correct Valve Left in Wrong Position | More Than One Valve Affected (Coupled Errors) |
|---|---|---|
| (1) Position indication in Control Room | 5x10^-4 | 1x10^-4 |
| (2) Local Walk-Around and Double Check Procedures | 5x10^-3 | 1x10^-3 |
| (3) With Neither of Above | 1x10^-2 | 3x10^-3 |

The applicant assumed the following:

(1) Valve inadvertently closed due to maintenance error (Pre-accident): Manual Valves 1x10^-3; Air or Motor Operated Valves 1x10^-4.

(2) Operator inadvertently closes valve once opened (Post-accident): 1x10^-4.

Obviously, the applicant values for human errors are substantially lower than those assigned by NUREG-0611. In the applicant's analysis, probabilities which are appropriate for multiple events have been assigned to single events.

The NUREG-0611 prescribed data is characterized by the following:

1. No distinction is made between locked versus unlocked manual valves.

2. The post-accident data refers strictly to AFW systems with manual actuation from the Control Room. Automatically-initiated systems are not mentioned.

3. Recovery factors are not explicitly mentioned except in the case of a manually-actuated system in which the Backup Control Room Operator succeeds in initiating the AFW after the Primary Operator has either failed to recognize the need or is incapable of doing so. Thus, recovery from AFWS faults after the system has already been initiated, such as taking corrective action to open a valve which had incorrectly been left closed after maintenance, is not covered. Unfortunately, Appendix 3 of WASH-1400 does not specifically cover this situation either. Other than in the case of the Back-Up Control Room Operator, recovery factors are basically applied in pre-accident situations, such as an inspector discovering that a valve had been left in its incorrect position. This was then considered in the process of yielding a data point for unavailability upon later demand.

According to the Standard Technical Specifications to which the applicant will adhere, Par. 7.3: At least once every 31 days, the applicant will verify that each non-automatic valve in the flow path that is not locked, sealed or otherwise secured in its position, is in its correct position.

This obviously implies that locked manual valves will receive no routine surveillance. According to the table for Pre-Accident Errors, a minimum unavailability for Correct Valve Left in Wrong Position without surveillance, and no position indication in the Control Room, is 1x10^-2.

Taking all of the above factors and the ensuing uncertainties into account, the applicant's values for human error probabilities are judged reasonable if recovery is assumed to be included based on 30 minutes available time, and thus they have been utilized in the BNL analysis.

One exception concerns the normally-closed manual isolation valves for the full flow pump test lines which discharge to the USTs. According to Fig. 2, the valves have no locking devices. Each pump has three valves in series in its test line. The first are manually operated, normally closed, "Cavitrol" throttling valves (1CA69, 1CA71, 1CA87), the next valves are similar except that they are normally open (1CA179, 1CA180, 1CA181), and the last are manually-operated, normally closed valves (1CA70, 1CA72, 1CA88).

The applicant assumed an independent failure probability of 1x10^-3/demand for each valve independently so that the probability of both valves being left open after test or maintenance was calculated as 1x10^-6. BNL considers this approach incorrect since the situation described falls into the Coupled Errors category. From Table 3, a rate of 5x10^-3 is assumed for the probability of leaving one valve in the wrong position. However, since both valves have to be left open to divert flow to the USTs, a rate of 1x10^-3 is then assumed for both valves left open, as per Table 3. From Table III 6-1, WASH-1400, a rate of 0.1 is applied for "Operator fails to act correctly after the first 30 minutes in an extreme stress condition (large LOCA)". Application of this factor, somewhat conservative since it refers to a large LOCA situation, results in an unavailability of an AFW pump due to diversion of its flow through the test line of 1x10^-4 (10^-3 x 10^-1).

This failure probability is not a major contributor to the train unavailability since the failure rates of the pumps themselves are 1.4x10^-2 (LMFW) or 4.42x10^-2 (LOOP with the diesel failure added to the pump failure rate) for the motor-driven pumps and 3.3x10^-3 for the turbine-driven pump. It can be seen that adding 1x10^-3 to the pump unavailabilities does not significantly alter the final AFWS unavailabilities for the three transients.

Another exception is in the case where human error causes immediate damage to one or more of the AFWS pumps as soon as the pumps are started. This would preclude operator recovery. In the Catawba design, such an event could occur if one or more of the locked-open, manual valves located on each pump suction line, 1CA19 for the TD Pump, 1CA25 for MD Pump A and 1CA30 for MD Pump B, have been inadvertently closed due to human error. The valves do not have position indication in the Control Room.

Assuming a value of 5x10- without recovery instead of the 1x10- used by the applicant for the valves inadvertently left closed due to maintenance error will significantly increase the final calculated system unavailabilities. However, it must be considered that the valves are locked open and are not required by the Technical Specifications to undergo surveillance. As discussed before, for this specific case, no human error unavailability is given in the NUREG-0611 data.

While not a contradiction of NUREG-0611 requirements, the applicant has assumed that the test frequency for both pumps and valves is on a quarterly basis. The Technical Specifications given in Section 7.0 state that each AFW pump will be tested at least once every 31 days. The applicant has thus understated the test outage contribution with regard to test frequency. This is offset by the apparent assumption that each and every valve will be tested. This is unrealistic since some valves such as check valves may have no means of testing their operability. Also, it is not standard practice to test manually-operated isolation valves which are normally operated only during maintenance on equipment such as pumps. The Technical Specifications also do not specify the test frequency for the motor and air-operated valves on each steam generator inlet feed line. In some plants these types of valves are only tested at least every 18 months during shutdown.

9.2.2 Applicant's Results

9.2.2.1 System Unavailabilities

The applicant's calculated results were not included in REF.3 but were provided under separate cover (see Appendix A). The results are repeated here:

| Transient | Unavailability Value |
|---|---|
| LMFW | 4.6x10^-5 |
| LMFW/LOOP | 2.8x10^-4 |
| LMFW/LOAC | 8.1x10^-2 |

A comparison of the applicant's AFWS reliability to other AFWS designs in plants using the Westinghouse NSSS was prepared by the applicant and is included as Figure 1 on page vii of this report with the BNL assessments also indicated. The applicant states:

"As indicated in Figure..., relative to other auxiliary feedwater systems of plants having a Westinghouse NSSS, the Catawba AFWS has high reliability for Case No. 1, LMFW; medium reliability (high end) for Case No. 2, LMFW/LOOP; and medium reliability (low end) for Case No. 3, LMFW/LOAC".

9.2.2.2 Dominant Failure Modes

According to REF.3:

a) Case No. 1 - LMFW: The dominant (controlling) contributors to system unavailability for this case were unscheduled maintenance of the motor-driven and turbine-driven pumps and associated valves. The next greatest contributor to system unavailability was found to be the loss of the motor and turbine-driven pump systems as caused by such failure modes as the pumps failing to start and run due to a pump component failure; the motor-driven pumps fail to start or run as caused by an open pump circuit breaker or a fault in the electrical control circuit used for automatic closing of a pump circuit breaker; and the turbine-driven pump fails to start and run due to faults attributed to the turbine control stop valve and the turbine speed control valve.

The least significant contributors to AFWS system unavailability were found to be testing of valves in the feedlines to each steam generator from the motor-driven pumps and the turbine-driven pump.

The redundancy employed in the design of the Catawba AFWS was found to be of the type whereby no obvious single faults (active components, manual valves or human errors) were identified that dominate the unavailability of the AFWS for a loss of main feedwater transient.

b) Case No. 2 - LMFW/LOOP: The dominant failure modes discussed above are not dependent on the source of AC power (onsite or offsite) and thus are also the dominant failure modes for this transient and the unavailability of the AFWS. The reduction in AFWS system availability for this transient is caused by a loss of redundancy in AC power sources that results from a loss of offsite power.

c) Case No. 3 - LMFW/LOAC: In this transient, loss of both offsite and onsite AC power is postulated so that the available operating pump subsystems of the AFWS are reduced to only the steam turbine-driven pump train. Thus, any single failures in this pump train alone would be sufficient to fail the AFWS for this transient.

The dominant contributors to system unavailability for this case were found to be unscheduled maintenance of the turbine-driven pump and associated valves. The next greatest contributor to system unavailability was hardware failure or human error including: 1) various turbine-driven pump faults (i.e., turbine/pump hardware component failure, the turbine control stop valve fails closed or the speed control valve fails closed) causing loss of discharge flow from the pumps; 2) valves in the pump suction line fail closed due to hardware failure or human error, causing a loss of NPSH at the pump's suction; and 3) valves in the pump discharge line fail closed blocking flow from the turbine-driven pump. The least significant contributor to AFWS unavailability was found to be testing of valves in the feedlines to each steam generator and testing of the turbine-driven pump itself.

d) General Comparison: The primary difference in AFWS unavailability between Case No. 1 and Case No. 2 is the loss of offsite AC power as other contributors to system unavailability remain essentially the same due to the diversity and automatic start features employed in the design of the Catawba AFWS.

The medium reliability ranking of Case No. 3 results reflects the lack of AC dependencies coupled with a continued capability for the automatic initiation of auxiliary feedwater flow.

It should be noted that no credit was taken for operator action in the analysis for the possible correction of a faulted component (i.e., the manual positioning of a failed valve to its correct position). The reported results are therefore looked upon as conservative and the relative ranking of reliability is expected to be somewhat higher.

9.2.3 BNL Assessment

9.2.3.1 Fault Trees

As discussed previously in Section 9.2.1.1 of this report, the applicant's fault trees showed only random failures. No test or maintenance


failures were shown, nor were the fault identifiers listed in Table 5 shown on the trees. In order to yield an independent assessment, BNL proceeded as follows:

a) The fault trees were checked for correspondence to the System Flow Diagram and Description.

b) Minor modifications to the fault trees were made:

1. Fig. 6, Sheet 4 (LMFW)

i) "Insufficient Flow From Circulating Water Supplies Due To Random Valve Faults" was changed from an AND gate to an OR gate to reflect the actual situation of each valve in series.

ii) Fault RAMV116A, MOV 1CA116A Valve Fault Causes Flow Blockage, was added to the gate "Valve Fault Causes Insufficient Flow From NSW Header A and Circulating Water Supplies" because that valve is required to open to supply CCW to MD Pump A.

2. Fig. 6, Sheet 5 (LMFW)

i) Fault RAMV85BD, MOV 1CA85B Valve Fault Causes Flow Blockage, was added to the gate "Valve Fault Causes Insufficient Flow From NSW Header B and Circulating Water Supplies" because that valve is required to open to supply CCW to MD Pump B.

3. Fig. 8, Sheet 2 (LOAC)

i) A gate "MOV 1CA6 or 1CA4 Fails to Close (Automatically or by Operator Action)" was added to the gate "Insufficient Flow (From Condensate Sources) Due to Valve Faults".

ii) Fault RASVBREQ "More Than One Steam Generator B Safety Relief Valve Fails Open to Bypass Steam to Atmosphere" was added to the gate "1SA1, 1SA2, or 1SA3 Valve Fault Causes Loss of Steam From SGB".

iii) Similarly, Fault RASVCREQ for Generator C was also added.

To consider test and maintenance contributions for LMFW and LOOP, random only failures which caused insufficient flow to a steam generator were assumed to occur to 2 out of 3 steam generators. Test or maintenance outage was assumed to occur to the fourth steam generator (see Fig. 7). Separate sub-trees were developed for each of the four steam generators consisting of an AND gate with two gates input:

1. OR gate with test or maintenance outages.

2. COMBINATION gate to represent random failures occurring in 2 of the 3 remaining steam generators.

Each separate subtree was then input into a top event with 5 gates input into an OR gate:

1. Insufficient Flow to 3 of 4 Steam Generators Due to Random Failures.

2. Insufficient Flow to 3 of 4 Steam Generators with Test or Maintenance Outages for Steam Generator A and Random Failures in 2 of the 3 Remaining Steam Generators.

3. Same as (2) for Steam Generator B.

4. Same as (2) for Steam Generator C.

5. Same as (2) for Steam Generator D.

In the case of LOAC, the random only tree was modified in a simpler manner. Since the LOAC case is essentially a single pump situation feeding only 2 steam generators and since flow is required to 2 out of the 4 steam generators, any test or maintenance outage would result in a system failure. This means that no restrictions need be applied to coincident test or maintenance of more than one component.

Therefore, the random only tree was modified by substituting for each random component failure an OR gate consisting of three components:

1. Random Failure of Particular Component

2. Test Outage of Particular Component

3. Maintenance Outage of Particular Component

9.2.3.2 Failure Data

As discussed in Section 9.2.1, the applicant's data has been adopted because it conforms to the NUREG-0611 requirements wherever possible. A comparison of the data assumptions is shown in Table 2.

9.2.3.3 System Unavailabilities

The WAM-BAM (8) and WAM-CUT (9) codes were used to obtain the results shown in Table 3.
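The five-input top OR gate described above (one random-only input plus one test/maintenance input per steam generator) can be quantified as in the following added illustration, which is not the BNL or applicant model and not the WAM codes. It assumes independent random failures per steam generator (the real trees share pumps and valves between feedlines), at most one steam generator in test or maintenance at a time, and constructed probabilities.

```python
"""Quantify the five-input top OR gate described for the LMFW/LOOP trees.

Assumptions (added here, not from the report): random failures of flow to
each steam generator are independent, at most one steam generator is in
test/maintenance (T/M) at a time, and all probabilities are constructed.
"""
from itertools import combinations
from math import prod

STEAM_GENERATORS = ("A", "B", "C", "D")

# Constructed per-demand probabilities, for illustration only.
RANDOM_FAIL = {sg: 2.0e-2 for sg in STEAM_GENERATORS}  # random loss of flow
TM_OUTAGE = {sg: 8.0e-3 for sg in STEAM_GENERATORS}    # test or maintenance


def at_least_k_fail(probs, k):
    """COMBINATION gate: P(at least k of the independent events occur)."""
    n = len(probs)
    total = 0.0
    for r in range(k, n + 1):
        for failed in combinations(range(n), r):
            total += prod(
                p if i in failed else 1.0 - p for i, p in enumerate(probs)
            )
    return total


def top_gate_inputs(random_fail, tm_outage):
    """Probability of each of the five inputs to the top OR gate."""
    inputs = {
        "random only, 3 of 4": at_least_k_fail(
            [random_fail[sg] for sg in STEAM_GENERATORS], 3
        )
    }
    for sg in STEAM_GENERATORS:
        others = [random_fail[o] for o in STEAM_GENERATORS if o != sg]
        # AND gate: T/M outage on this generator AND random failures
        # in 2 of the 3 remaining generators.
        inputs[f"T/M on {sg}, 2 of 3 random"] = (
            tm_outage[sg] * at_least_k_fail(others, 2)
        )
    return inputs


def rare_event_sum(inputs):
    """OR gate by the rare-event approximation: add the input probabilities."""
    return sum(inputs.values())


def exact_top(random_fail, tm_outage):
    """Exact value, conditioning on mutually exclusive plant states.

    Either no generator is in T/M (then 3 of 4 must fail randomly) or
    exactly one is (then 2 of the other 3 must fail randomly).
    """
    inputs = top_gate_inputs(random_fail, tm_outage)
    p_no_outage = 1.0 - sum(tm_outage.values())
    tm_part = sum(v for k, v in inputs.items() if k.startswith("T/M"))
    return p_no_outage * inputs["random only, 3 of 4"] + tm_part


def tm_share(inputs):
    """Fraction of the rare-event total carried by inputs with a T/M outage."""
    tm_part = sum(v for k, v in inputs.items() if k.startswith("T/M"))
    return tm_part / rare_event_sum(inputs)


if __name__ == "__main__":
    gate_inputs = top_gate_inputs(RANDOM_FAIL, TM_OUTAGE)
    for name, value in gate_inputs.items():
        print(f"{name:28s} {value:.3e}")
    print(f"rare-event sum               {rare_event_sum(gate_inputs):.3e}")
    print(f"exact (exclusive T/M states) {exact_top(RANDOM_FAIL, TM_OUTAGE):.3e}")
    print(f"T/M share of total           {tm_share(gate_inputs):.1%}")
```

With these constructed inputs the simple sum slightly overstates the exact value, because the random-only input is not weighted by the probability that no generator is out for test or maintenance.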

Table 2 Comparison of Data Assumptions

| Description | Applicant (Unavailability/Demand) | BNL (Unavailability/Demand) |
|---|---|---|
| 1. Maintenance | | |
| a) Pumps | 5.8x10^-3 | 5.8x10^-3 |
| b) Valves: | | |
| i) Motor-operated | 5.8x10^-3 | 2.1x10^-3 |
| ii) Air-operated | 5.8x10^-3 | 2.1x10^-3 |
| iii) Recirculation check | 5.8x10^-3 | 2.1x10^-3 |
| iv) Check | 5.8x10^-3 | 0 |
| v) Manual | 5.8x10^-3 | 0 |
| c) Diesel Generators | 0 | 6.1x10^-3 |
| 2. Testing | | |
| a) Pumps | 6.4x10^-4 | 2.0x10^-3 |
| b) All valves | 3.9x10^-4 | 0 |
| c) Diesel Generators | 0 | 0 |
| 3. Random Failures | | |
| a) Human errors | | |
| i) Valve inadvertently closed or open due to maintenance error: Motor-operated | 1x10^-4 | 5x10^-4 |
| i) Valve inadvertently closed or open due to maintenance error: Manual | 1x10^-3 | 1x10^-3 |
| ii) Operator inadvertently closes valve | 1x10^-4 | 1x10^-4 |
| b) Mechanical or electrical faults | | |
| i) Plugging of all valves | 1x10^-4 | 1x10^-4 |
| ii) Failure of mechanical components: Pumps | 1x10^-3 | 1x10^-3 |
| ii) Failure of mechanical components: Motor-operated valves | | |
| iii) Loss of pump motor cooling | 1x10^-3 | 1x10^-3 |
| iv) Active control circuit failure: Pumps | 4x10^-3 | 4x10^-3 |
| iv) Active control circuit failure: Valves | 6x10^-3 | 6x10^-3 |
| v) Passive control circuit failure | | |
| vi) Failure of actuation logic to motor-driven pumps and valves | 7x10^-3 | 7x10^-3 |
| vii) Loss of voltage to circuit breaker (LMFW) | 3x10^-5 | 3x10^-5 |
| viii) Diesel-generator fails to start | 3x10^-2 | 3x10^-2 |
| ix) Limit switch on turbine control stop valve fails closed | 3x10^-4 | 3x10^-4 |
| x) Turbine control stop valve fails | 1x10 | 1x10^-3 |
| xi) Turbine speed control valve failure | 1x10^-3 | 1x10^-3 |
| xii) More than one steam generator safety relief valve fails open failing the turbine-driven pump | 2x10^-5 | 2x10^-6 |
| c) Summation of random failures | | |
| i) Pumps: 1. Motor-driven | 1.4x10^-2 | 1.4x10^-2 |
| i) Pumps: 2. Turbine-driven | 3.3x10^-3 | 3.3x10^-3 |
| ii) Valves: 1. Motor-operated, position change required | 1.4x10^-2 | 1.4x10^-2 |
| ii) Valves: 1. Motor-operated, no position change required | 3.0x10^-4 | 3.0x10^-4 |
| ii) Valves: 2. Air-operated | 2x10- | 2x10- |
| ii) Valves: 3. Manual | 1.1x10^-3 | 1.1x10^-3 |
| ii) Valves: 4. Check | 1x10^-4 | 1x10^-4 |
| iii) Diesel-generators | 3x10^-2 | 3x10^-2 |
| 4. Miscellaneous | | |
| a) Motor-operated valve 1CA6 fails to close on low level in the AFW-CST: | | |
| i) Random failure | 6x10^-3 | 1.4x10^-2 |
| ii) Maintenance | 0 | 2.1x10^-3 |
| b) Motor-operated valves 1CA66B and 1CA38A which supply AFW from the turbine-driven pump to Steam Generators A and D, respectively, fail to open: | | |
| i) Operator error - LMFW | 1.0 | 1x10^-2 |
| i) Operator error - LOAC | 1.0 | 1.0 |
| ii) Mechanical or electrical fault | 1.0 | 1.4x10^-2 |
| c) Both locked-closed manual valves on the pump test lines leading to the Upper Surge Tank inadvertently left open by the operator | 1x10^-6 | 1x10^-3 |

Table 3 Comparison of Results

| Initiator | Applicant (Demand Unavailability) | BNL (Demand Unavailability) |
|---|---|---|
| 1. LMFW | 4.6x10^-5 | 6.6x10^-6 |
| 2. LOOP | 2.8x10^-4 | 5.0x10^-5 |
| 3. LOAC | 8.1x10^-2 | 2.8x10^-2 |

9.2.3.4 Dominant Failure Modes

The BNL results have been compared to the applicant's results for system unavailabilities:

a) Case No. 1 - LMFW: The applicant states that the greatest contributors were found to be unscheduled maintenance of the motor-driven and turbine-driven pumps and associated valves and that the next greatest contributor was found to be random failures of the pumps (see Section 9.2.2.2). Based on the BNL results shown in Fig. 9, this statement can be seen to be correct. Although random failures of all three pumps is the cutset with the greatest probability, the summation of the probabilities of all cutsets which include a maintenance failure exceeds 50% of the total system unavailability. This is true whether 5.8x10^-3 or 2.1x10^-3 is assumed for valve maintenance acts.

b) Case No. 2 - LOOP: This situation is similar to Case 1, except that random and maintenance failures of the diesel generators predominate rather than the pumps. The random failures of the diesels combined with maintenance acts on the turbine-driven pump and associated valves or random failures of the pumps and valves combined with maintenance acts on the diesels are the dominant cutsets.

c) Case No. 3 - LOAC: The results of the BNL analysis support the applicant's conclusion that unscheduled maintenance or failure of the turbine-driven pump and its associated valves forms the dominant contributors to system unavailability.

9.2.3.5 General Comparison to Other Plants

The Catawba AFWS design differs from most other plants' designs in that six separate and distinct water sources are available to supply the suction of the AFWS pumps. The primary, condensate-grade (non-safety class) sources consist of three distinct supplies: the Upper Surge Tank (UST) with a normal level of 55,000 gallons, the Auxiliary Feedwater Condensate Storage Tank (AFW-CST) which is shared between both units with a maximum (normal) level of 42,500 gallons, and the Condenser Hot Well (CHW) with a normal level of 170,000 gallons. The total water required for the design basis cooldown to hot shutdown conditions is 225,000 gallons. The remaining three sources are the two redundant, safety-class headers from the Nuclear Service Water System (NSWS) and the single, non-safety class header of the Condenser Circulating Water System (CCWS).

Therefore, the Catawba AFWS can be characterized as not having a single source of condensate grade AFW at a constant water level dedicated solely to the AFWS, but rather as a system with fragmented, multiple condensate grade sources, some of which may vary in water level and which are actually an integral part of the Main Feedwater System. For a LMFW incident, the initiating event may even involve, or be caused by, situations in which the availability of water from these sources is impaired.

The AFWS pump and discharge header configuration is similar to many other plants in that it consists of two motor-driven (MD) pumps and one steam turbine-driven (TD) pump. Each pump is normally aligned to feed two steam generators although each one can feed all four by opening certain isolation valves. The two motor-driven pumps are joined to a common header while the turbine-driven pump has its own header. The headers are arranged such that there are eight separate feedlines to the steam generators. The feedlines from the TD pump and the associated MD pump merge to form the separate auxiliary feedwater inlet nozzle to each steam generator.

The above configuration facilitates compliance with the "Feed-Only-Good" steam generator criteria which is designed to prevent or limit flow to a steam generator undergoing depressurization. This subject is beyond the scope of this report but affects the AFWS reliability in a manner discussed in Section 9.2.3.6 following.

9.2.3.6 General Comments

The applicant states that no credit was taken in his analysis for operator action for the possible correction of a faulted component, e.g., the manual positioning of a failed valve to its correct position and therefore he regards the reported results as conservative and the relative ranking of reliability is expected to be somewhat higher. BNL disagrees with this statement, because we consider that operator recovery is included in the human error rates used in the study. Otherwise, the low values of the human errors are not justifiable.

The system piping has been arranged to prevent or minimize AFW flow to a steam generator undergoing depressurization as explained in Section 4.0. This results in a scheme such that each pump is normally aligned to only two of the four steam generators and the applicant has based his reliability analysis on this condition. This obviously reduces system reliability if no depressurization is occurring, as is assumed in the NUREG-0611 analysis.

The following aspects of the Catawba AFWS should be highlighted:

1. Test and Maintenance Policies - NUREG-0611 does not provide any specific guidelines on how test and maintenance unavailabilities are to be modeled into the analysis. The applicant has not clearly stated what valves are unavailable during testing and maintenance.

For example, if there is no testing to be performed on any of the valves in the steam generator inlet lines during power operation, it is not clear that maintenance will be necessary, or physically possible without shutting the plant down, e.g., maintenance acts on the MOVs in each inlet line. It is not clear that maintenance or testing should be assumed for manual valves, e.g., except for certain discharge valves, the manual valves in each AFW pump flow path should remain open during pump testing. There normally is no need to test or maintain the valves themselves.

2. LMFW and LOOP - Use of MOVs 1CA38A and 1CA66B - The operator may open, both from the Control Room and locally, MOV 1CA66B which isolates the TD Pump from Steam Generator A and MOV 1CA38A from Steam Generator D. These actions would be performed after the operator has verified that neither steam generator is undergoing depressurization. This results in each MD pump feeding two steam generators and the TD pump feeding four steam generators.

BNL has modeled this situation into the fault trees and assumed the failure of the operator to open each MOV as 1.0x10^-2. Test and maintenance outages are assumed to be the same as for the normally open MOVs in the other steam generator feedlines although the valves in question are normally closed. Account was also taken for diesel-generator maintenance by separately adding 6.0x10^-3 (21 hours mean maintenance act duration time) to the maintenance outage of both MD pumps and to each MOV which is required to operate. It was assumed that the diesels are available during testing. The results shown in Table 3 are based on these assumptions.

It should also be noted that the capability still exists to open manual valves 1CA111 and 1CA112 which isolate the two MD Pumps from each other. If these valves are open, it then becomes possible for either one of the MD Pumps to feed all four steam generators. No credit was given for this since these are manual actions outside of the Control Room under reduced station lighting. However, there is a very good probability that such actions could be successfully completed (Appendix C).

3. LOAC - Use of MOVs 1CA38A and 1CA66B

In the case of a LOAC, the MD pumps are unavailable and there are currently no provisions for opening either MOV 1CA66B or MOV 1CA38A, except by handjacking, since they require AC power. The results shown in Table 3 are based on the assumption that the valves cannot be opened. No consideration is given to the operator inadvertently allowing flow to a depressurized steam generator since that is beyond the scope of the NUREG-0611 requirements although that possibility exists for LMFW and LOOP.

4. Pump Suction Valve Position Indication or Interlock

Each AFW pump has in its suction line a locked-open manual valve: 1CA19 for the TD Pump, 1CA25 for MD Pump A and 1CA30 for MD Pump B. From the information available in Ref. 3, it does not appear that any of the valves has position indication in the Control Room nor are they interlocked with the pump starting circuit. We also infer that since the valves are locked open, they will not undergo routine surveillance as would otherwise be required by the Technical Specifications. If any of the valves were inadvertently closed and its corresponding AFW pump were to begin operation, it is clear that the pump would probably be damaged since there are no protective trips for the pumps upon low NPSH (Appendix C). In such a case, operator recovery would not be practical within the mission success time of 30 minutes.

5. Locking of the Full Flow Pump Test Line Valves

According to Fig. 2, the full flow pump test line isolation valves, 1CA72 for MD Pump A, 1CA70 for MD Pump B, and 1CA68 for the TD Pump, do not appear to be locked into position. The valves are opened every 71 days for pump testing, and thus do not require special surveillance according to the Technical Specifications.

6. Initiation of AFWS with Valve 1CA6 in the Closed Position

In some situations, MOV 1CA6, which isolates the AFW-CST from the AFW pumps, may be closed either due to maintenance on the valve itself or on the AFW-CST and associated components. In such a situation, if the AFWS is initiated, either manually or automatically, the concerns identified in Par. 9.1.6 involving air entering the pumps' suction from the AFW-CST no longer exist. The pumps will take suction first from the UST and then from the CHW with no need to break the vacuum. Since both the CHW and the UST will have been depleted, the additional need for the relatively small water volume contained in the AFW-CST should be minimal.

If the condenser vacuum is available, cooldown will proceed by recycling the steam from the steam generators through the plant turbine by-pass to the condenser, in which case there should be no need for the water contained in the AFW-CST. In cases where condenser vacuum is not available, such as LOOP and LOAC, there should be enough water volume in the UST and the CHW to last until offsite AC power has been restored.

Alternatively, opening 1CA6 after the UST and the CHW have been depleted should pose no danger of air entering the pumps' suction upon depletion of the AFW-CST because the Reactor Coolant System conditions should be at the point where operation of the Residual Heat Removal System can begin. Also, the operating pressure of the NSWS, should it be required, is sufficient to close check valve 1CA5 thereby isolating the AFW-CST (see Appendix B-1).

The preceding discussion is based on the assumption that it is not necessary to also close MOV 1CA4, which isolates the UST, upon depletion of the UST. However, there is a significant amount of uncertainty on this point as described in Par. 9.1.6.
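The effect of the item 2 alignment on a quantified result, as an added illustration in Python (not code from the report, BNL or the applicant): it enumerates component states of a deliberately reduced model, lists minimal cut sets by probability in the manner of the Figure 9 listings, and compares the rare-event sum with the exact value. Assumptions: pump values come from Table 5 and the operator error from item 2, the pump-to-steam-generator assignment is read from the Figure 7 gate labels, and the lumped `FEEDLINE_Q`, the component names and the omission of test, maintenance and suction-side faults are choices made for this example.

```python
from itertools import combinations
from math import prod

# Contributor values as printed in Table 5 of the report.
MD_PUMP_FAULTS = {
    "mechanical components": 1e-3,
    "control circuit": 4e-3,
    "actuation logic": 7e-3,
    "circuit breaker fails open": 1e-3,
    "loss of motor cooling": 1e-3,
}
MD_PUMP_POWER = {"LMFW": 3e-5, "LOOP": 3e-2}  # loss of voltage to circuit breaker
TD_PUMP_Q = 3.3e-3   # Table 5: AFW T-D pump does not start or run
OPERATOR_Q = 1.0e-2  # item 2: operator fails to open MOV 1CA66B or 1CA38A
# Assumption: every feedline is lumped as one MOV, check valve, AOV and manual
# valve (Table 5 entries 1-4); the report models each line separately.
FEEDLINE_Q = 3e-4 + 1e-4 + 2e-4 + 1.1e-3


def md_pump_q(transient):
    """Rare-event sum of the motor-driven pump contributors for one transient."""
    return sum(MD_PUMP_FAULTS.values()) + MD_PUMP_POWER[transient]


def build_model(transient, td_to_a_and_d):
    """Return ({component: unavailability}, {feedline: (pump, steam generator)})."""
    lines = {
        "MDP-A>SG-A": ("MDP-A", "A"), "MDP-A>SG-B": ("MDP-A", "B"),
        "MDP-B>SG-C": ("MDP-B", "C"), "MDP-B>SG-D": ("MDP-B", "D"),
        "TDP>SG-B": ("TDP", "B"), "TDP>SG-C": ("TDP", "C"),
    }
    q = {"TDP": TD_PUMP_Q,
         "MDP-A": md_pump_q(transient), "MDP-B": md_pump_q(transient)}
    q.update({name: FEEDLINE_Q for name in lines})
    if td_to_a_and_d:
        for sg in "AD":
            name = f"TDP>SG-{sg}"
            lines[name] = ("TDP", sg)
            # Line is lost if a valve faults or the operator fails to open the MOV.
            q[name] = 1 - (1 - FEEDLINE_Q) * (1 - OPERATOR_Q)
    return q, lines


def top_event(failed, lines):
    """True when fewer than two steam generators are fed (3 out of 4 lost)."""
    fed = {sg for name, (pump, sg) in lines.items()
           if name not in failed and pump not in failed}
    return len(fed) < 2


def quantify(transient="LMFW", td_to_a_and_d=False):
    """Return (exact top-event probability, minimal cut sets sorted by probability)."""
    q, lines = build_model(transient, td_to_a_and_d)
    names = sorted(q)
    exact, cut_sets = 0.0, []
    for size in range(1, len(names) + 1):
        for failed in combinations(names, size):
            failed_set = set(failed)
            if not top_event(failed_set, lines):
                continue
            exact += prod(q[n] if n in failed_set else 1 - q[n] for n in names)
            # Coherent system: minimal if restoring any one member clears the top event.
            if all(not top_event(failed_set - {n}, lines) for n in failed):
                cut_sets.append((prod(q[n] for n in failed), failed))
    cut_sets.sort(reverse=True)
    return exact, cut_sets


if __name__ == "__main__":
    for cross_tie in (False, True):
        exact, cut_sets = quantify("LMFW", cross_tie)
        print(f"TD pump also aligned to SG A and D: {cross_tie}")
        print(f"  exact = {exact:.3e}, "
              f"rare-event sum = {sum(p for p, _ in cut_sets):.3e}")
        for p, members in cut_sets[:5]:
            print(f"  {p:.2e}  {' '.join(members)}")
```

In this reduced model the triple pump failure stays the leading cut set in both alignments; what the extra TD pump feedlines remove are the cut sets that pair both MD pumps with a single TD feedline fault.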

REFERENCES

1. "Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse-Designed Operating Plants", NUREG-0611, USNRC, (January 1980).
2. Letter from D. F. Ross, Jr., USNRC, to "All Pending Operating License Applicants of Nuclear Steam Supply Systems Designed by Westinghouse and Combustion Engineering", dated March 10, 1980.
3. "Reliability Analysis of the Auxiliary Feedwater System for the Catawba Nuclear Station Units 1 and 2", WCAP-9946, J. N. Steinmetz, Westinghouse Electric Corporation, (July 1981).
4. "Auxiliary Feedwater System (PWR)", USNRC Standard Review Plan 10.4.9, Rev. 2, NUREG-0800, (July 1981).
5. "Auxiliary Feedwater System", Section 10.4.9, FSAR, Catawba Nuclear Station.
6. "Reactor Safety Study: An Assessment of Accident Risks in U. S. Commercial Nuclear Power Plants - Appendix 3 & 4: Failure Data", Section 6.3, pg. III-71, USNRC, WASH-1400 (NUREG 75/014), (October 1975).
7. "4160 VAC Blackout Auxiliary Power System", Section 8.3.1.1.1.4 and Table 8.3.1-1, FSAR, Catawba Nuclear Station.
8. "User's Guide for the WAM-BAM Computer Code", F. L. Leverenz, H. Kirch, EPRI Research Project 217-2-5, Key Phase Report, (January 1976).
9. "WAMCUT, A Computer Code for Fault Tree Evaluation", R. C. Erdmann, F. L. Leverenz, H. Kirch, EPRI Research Project 767-1, NP-803, (June 1978).

Figure 2. Catawba Unit 1 - Auxiliary Feedwater System - Simplified Flow Diagram.

Figure 3. Catawba Auxiliary Feedwater System Logic Diagram. Motor-Driven Auxiliary Feedwater Pump Alignment to Nuclear Service Water System (FSAR Figure 7.4.1-1). Note on the diagram: Train B is similar.

Figure 4. Catawba Auxiliary Feedwater System Logic Diagram. Turbine Driven Auxiliary Feedwater Pump Alignment to Nuclear Service Water System (FSAR Figure 7.4.1-2).

Figure 5. Catawba Auxiliary Feedwater System Suction Switchover Event Tree - LMFW - (Sheet 1 of 2).


Table 4. Abbreviations and Acronyms Used in Description of Fault Events

AFW - Auxiliary Feedwater
AOV - Air Operated Valve
Avail - Available
CCW - Condenser Circulating Water
Cond - Condensate
Insuff - Insufficient
Isol - Isolation
LMFW - Loss of Main Feedwater
LOAC - Loss of AC Power
MD - Motor Driven
MOV - Motor Operated Valve
NPSH - Net Positive Suction Head
NSW - Nuclear Service Water
SG - Steam Generator
TD - Turbine Driven
UST - Upper Surge Tank

Figure 6. Catawba Auxiliary Feedwater System. Applicant's Reduced Fault Tree Development - LMFW - (Sheet 1 of 5). Top event: insufficient AFW flow to steam generators in t < 25 minutes (dry out), Transient No. 1, LMFW, all AC sources available. Branches: insufficient AFW flow to 3 of 4 steam generators due to testing, maintenance, and random failures.

Figure 6. Catawba Auxiliary Feedwater System - Applicant's Reduced Fault Tree Development - LMFW - (Sheet 2 of 5). Gate shown: insufficient flow to 3 out of 4 steam generators due to random failures.

Figure 6. Catawba Auxiliary Feedwater System. Applicant's Reduced Fault Tree Development - LMFW - (Sheet 3 of 5). Gate shown: insufficient flow from AFW turbine driven pump to steam generator B.

Figure 6. Catawba Auxiliary Feedwater System. Applicant's Reduced Fault Tree Development - LMFW - (Sheet 4 of 5). Gate shown: insufficient flow from AFW motor driven pump A to steam generator A.

Figure 6. Catawba Auxiliary Feedwater System. Applicant's Reduced Fault Tree Development - LMFW - (Sheet 5 of 5). Gate shown: insufficient flow from AFW motor driven pump B to steam generator C.

Figure 7. Catawba Auxiliary Feedwater System. BNL's Conceptual Expansion of Applicant's Fault Tree to Include Test and Maintenance Outages and Flow From Turbine Driven Pump to Steam Generators A and D - LMFW and LOOP - (Sheet 1 of 2). Top gate: insufficient flow to 3 out of 4 steam generators, developed as random failures only, or test or maintenance on the feed to one steam generator combined with random failures in 2 of the other 3.

Figure 7. Catawba Auxiliary Feedwater System. BNL Expansion of Applicant's Fault Tree to Include Test and Maintenance Outages and Flow From Turbine Driven Pump to Steam Generators A and D - LMFW and LOOP - (Sheet 2 of 2). Gates shown: insufficient flow to steam generator A, B, C or D due to test or maintenance, each developed as test or maintenance on one pump or its feedline combined with random failures on the other: MDP-A or its feedline to SG A and SG B, MDP-B or its feedline to SG C and SG D, and TDP or its feedline to each of SG A, B, C and D.

Figure 8. Catawba Auxiliary Feedwater System. Applicant's Reduced Fault Tree Development - LMFW/LOAC - (Sheet 1 of 2). Top event: insufficient flow to steam generator B or C from AFW T-D pump in t < 25 min (dryout), Transient No. 3, LMFW/LOAC, AC sources not available. Branches: insufficient AFW flow due to random failures, testing, and maintenance.

Figure 8. Catawba Auxiliary Feedwater System. Applicant's Reduced Fault Tree Development - LMFW/LOAC - (Sheet 2 of 2). Gate shown: insufficient flow from turbine driven pump to steam generator B or C.

Figure 9. Catawba Auxiliary Feedwater System Dominant Cutsets - LMFW - (Sheet 1 of 3). Computer listing of cut sets for gate TOP, ordered by probability.

Figure 9. Catawba Auxiliary Feedwater System Dominant Cutsets - LOOP - (Sheet 2 of 3). Computer listing of cut sets for gate TOP, ordered by probability.

Figure 9. Catawba Auxiliary Feedwater System Dominant Cutsets - LOAC - (Sheet 3 of 3). Computer listing of cut sets ordered by probability; 1st moment: 2.9383E-02.

Table 5 ~FAul.T EVENTS AND ALLOCATED UNAVAILABit.ITY --CUALMOFQS - INFIGToDP Applicant's Faul t Description of Fault Event Unavallebility 13ntifier 1. RAMV62AC NOV ICA62A Valve f ault Causes Flow Blockage 3 x 10-4 a. Plugged I x 10-4 h. Control clatuit fault causes HOV ICA62A to be inadvertently closed c c. Operator inadvertently closes valve 1 x 10-4 d. Valve inadvertently closed due to aiaintenance error 1 x 10-4 Tx I6-4 I 4 2. ItACV061P Check Volve ICA61 Plugged I x 10-4 1 x 10-4 3. ItASV060C ADV ICA60 Valwe Fault Causes Flow Blockage 2 x 10-4 0 a. Plugged 1 x 10-4 h. Control circuit fault causes A0VICA61 to he inadvertently closed c c. Operator inadvertently closes valves 1 x 10-4 E = 2~x Idi-4 4. ItAXV059P Manual Valve ICA59 Plugged 1 x 10-4 1.1 x 10-3 Valve inadvertently closed due to analatenance error 1 x 10-3 E = 1.1 x 10-3 5. HAXV02SP Manual V'i ve ICA25 Plugged 1 x 10-4 1.1 x 10-3 a Val we inadverteritly closed 1 x 10-3 E = 1.1 x 10-3 6. RAXV087P Manual Valve'ICA87 Plugged 1 x 10-4 1.1 x 10-3 Valve inadvertently closed I x 10-3 E = 1.1 x 10-3

J. Table 5 (Cont.) FAL'LT EVENTS AND ALLOCATED UNAVAILABILITY CATAUlfCAFUS - LMFWTodP Applicant's Faul t Description of Fault Event Unavailability identi f ier 7. RARV027P-Recirculation Check Valve ICA27 Plugged 1 x 10-4 1 x 10-4 8a. RAXV071 Manual valve ICA071 inadvertently left open 1 x 10-3 1 x 10-3 8h. RAXV0720 Manual valve ICA072 inadvertently lef t open 1 x 10-3 1 x 10-3

94. RAPUMPAF AFW M-D Pianp A does not start on run due to 1.403 x 10-2 (LW W) pianp or power f aul t.

4.4 x 10-2 (LOOP) a. Failure of mechanical compor.ents 1 x 10-3 b. Control clituit f ailure 4 x 10-3 c. Failure of actuation logic 7 x 10-3 d. Cirtuit breaker falls open due to 1 x 10-3 mechanical f ault e. Loss of motor cooling causes pinnp to fall 1 x 10-3 f. Loss of voltage to ctrtutt breaker (LMFW-3 x 10-5 T ransient) 9 Loss of voltage to circuit breaker (LOOP-3 x 10-2 T ransient) E = GG3x10-2 (tyw) E = 4.4x10-2 (toop) 9b. RACONDER Loss of all condensate water sourtes due to 34 x 10-3 3.6 x 10-3 eartluptake

10. RAMVISAD H0V ICAISA Ypive Fault Causes Flow Blockage 1.423x10-2 (LMFW) a.

Mechanical f ailure Ix10-3 4.42x10-2 (toop) b. Plugged lx10-4 c. Control Ctrtuit Failure ;>revents valve from 6x10-3 opening

Table 5 (Cont.) FAllLI EVENIS AND At LOCAIE0 UNAVAll ABil.ITY -~CATAWI14~AFW5 7 1 WW TOOP Applicant's f aul t ()escriptiori of f aisit Event Unavailability identifier d. Loss of actuatlosi 7x10-3 c. l.oss of power to niotor control (LilfW-Transiesit) 3 x 10-6 f. Loss of power to niotor control (LOOP-Transient) 3 x 10-2 9 Operator erroneously closes valve 1 x 10-4 E = T.123x10-2 (tury) E = 4.42x10-2 ' (LOOP)

11. RAHV250A HOV lilN250A Val ve f aul t causes flow blockage 1.423x10-2 (LHFW) 1.423x10-2 (LHFW)

(See RAMVISAO) 4.42x10-2 (LOOP) 4.42x10-2 (toop)

12. RACV172P Check valve ICAl?2 plugged I x 10-4 1 x 10-4
13. RATANKOR AFW condensate storage tank ruptures to 1 x 10-6 1 x 10-6 cn caisse loss of water
14. RACV00lP Check valve ICA1 plugged I x 10-4 1 x 10-4
15. ItAMV002C HOV ICA2 valve f ault causes flow blockage a.

Plugged 1 x 10-4 1 x 10-4

16. RACV003P Check valve ICA3 plugged 1 x 10-4 1 x 10-4
17. RAMV004C HOV ICA4 valve fault caisses flow blockage 2 x 10-4 a.

Plugged I x 10-4 b. Control clrtuit failure causes valve to close e c. Operator closes vis1ve inadvertently 1 x 10-4 1:. T x 16-4

l Table 5 (Cont.) FAULT EVENTS AND ALLOCATED UNAVAll. ABILITY CATANCAFE'-D To0P Applicant's Fault Description of Fault Event Unavailability iden tif ler

18. RAHVilAC H0V ICAllA Valve Fault Causes Flow Blockage 2 x 10-4 a.

Plugged I x 10-4 h. Valve inadvertenly lef t closed due to 1 x 10-4 Idalnteiiance error r - 2 T 16-4

19. RACV012P Cicck valve ICAl2 Plugged I x 10-4 1 x 10-4
20. RAXV130P Manual valve ICA130 plugged 1 x 10-4 1 x 10-4
21. RACV129P Cicck valve ICAl29 plugged 1 x 10-4 1 x 10-4 224. RACV005P Check valve ICAS plugged I x 10-4 1 x 10-4 22b. RAHV006C H0V ICA6 valve fault causes flow blockage 2 x 10-4 a.

Plugged I x 10-4 h. Control cirtuit f ailuie caused valve to close e c. Operator inadvertently closes valve 1 x 10-4 I - 2 x T6-4

23. RAHV58AC H0V ICA58A Valve Fault Causes Flow Blockage 4 x 10-4 a.

Plugged 1 x 10-4 b. ' Control cf rtuf t f ailure causes valve to close 1 x 10-4 c. Operator inadvertently closes valve 1 x 10-4 d. Valve inadvertently closed due to maintenance 1 x 10-4 error E = 4 x 16-4

Table 5 (Cont.) Faut.T EVENIS AND All0CAIED UNAVAltAllit.ITY CATAulfCAFWAKlWoP Applicant,s Fault Description of f ault Event Unavailabillty iden ti f ier

24. RACVOS7P Check Valve ICAS/ Plugged 1 x 10-4 1 x 10-4
25. RASV056C A0V ICAS6 Valve Fault Causes Flow Illockage 2 x 10-4 a.

Plugged I x 10-4 b. Control clatuit f ault causes valve to be e inadvertently closed c. Operator inadvertently causes valve 1 x 104 Ea 2 x 16-4

26. RAXVOSSP Manual Valve ICASS Plugged I x 10-4 1.1 x 10-3 Valve inadvertently closed due to maintenance error 1 x 10-3 E = 1.1 x 10-3 3
27. RAMVS400 MOV ICAS4tl Valve Fault Cause Flow Diockage 3 x 10-4 a.

Plugged 1 x 10-4 b. Control clitult iallure causes valve tu close e c. Operator closes valve inadvertently 1 x 10-4 d. Valve inadvertently closeil due to maintenance 1 x 10-4 e r,'o r E= Tf6-4

28. HACVOS3P Check Valve ICAS3 Plugged 1 x 10-4 1 x 10-4
29. HASV052C ADV ICAS2 Valve f ault. Causes Flow Blockage 2 x 10-4 a.

Plugged I x 10-4 b. Control clitult f ailure causes valve to be c inadvertently closed

1 i Table 5 (Cont.) ~ FAULT EVENIS AND ALLOCATED UNAVAILAllit.lTY CATAUWAFWS - IW1F'T60P Applicant's Fault Description of Fault Event Unavailability iden ti f ler c. Operator inadvertently closes valve 1 x 10-4 E = 2 x 16-4 30..RAXV051P Manual Valve ICA51 Plugged 1 x 10-4 1.1 x 10-3 Valwe loadvertently closed due to maintenance error 1 x 10-3 E = 1.1 x'10-3

31. HAPUMPTA AFW T-P pump does not start or run due to pianp 3.3 x 10-3 or power f ault

. a. failum of mechanical components 1 x 10-3 h. Limit switch on tuihine control stop valve 3 x 10-4 falls closed m c. Turbine control stop valve falls 1 x 10-3 d. Turbine control speed contml valve failure 1 x 10-3 E = 3.3'x 10-3 32a. RAXV0670 Manual valwe ICA67 inadvertently lef t open 1 x 10-3 1 x 10-3 32b. HAXV0680 Manual valva ICA68 inadvertently left open ) x 10-3 1 x 10-3 32c. RARV020P Recintulation check valve ICA20 plugged I x 10-4 1 x 10-4

33. HAXV021P Hanual valve ICA21 plugged 1 x 10-4 1 x'10-4
34. RAXV019P Manual valwe l'CA19 plugged I x 10-4 1 x 10-4
35. RAMV07AP H0V valve ICA7A valve fault causes flow blockage 2 x 10-4 a.

Plugged 1 x 10-4

Table 5 (Cont.) FAULT EVENIS AND ALLOCATED UNAVAILABILITY CXfAW64 AFVS - LHFCTodP Applicant's f aul t Description of Fault Event Unavailability Identifier b. Valwe inadvertnely closed due to maintenance error 1 x 10-4 E = 2T16-4

36. RACV000P Cicck valve ICAO plugged 1 x 10-4 1 x 10-4
37. RAMVil6A HOV Call 6A valve fault caused flow blockage 1.423x10-2 (Lww) 4.42x10-2 (LOOP) a.

Mechanical Fatlure 1 x 10-3 b. Plugged 1 x 10-4 c. Control cf rtutt failure presents valve from 6 x 10-3 opening d. Loss of actuation 7 x 10-3 e. Loss of power to motor control (LHFW-Transient) 3 x 10-5 f. Loss of power to motor control (LOOP-Transient) 3 x 10-2 g. Operator erroneously closes valve 1 x 10-4 T 423710-2 (LwW) 4.42x10-2 (LOOP)

38. RAHV8500 HOV ICA850 valve f ault causes flow blockage 1.423x10-2 (LHFW)

(See RAMVil6A) 1.423x10-2 (LHFW) 4.42x10-2 (LOOP) 4.42x10-2 (Loop)

39. RACVl71P Check valve ICA171 plugged 1 x 10-4 1 x 10-4
40. RAMV3100 H0V llN3100 fault causes flow blockage 1.423x10-2 (LHFW)

(See RAMVil6A) 1.423x10-2 (LHFW) 4.42x10-2 (Loop) 4.42x10-2 (LO0p)

41. RAXVSulP Manual valve ISAl valve f ault causes blockage i -

a. Plugged I x 10-4 l l 1

Table 5 (Cont.) FAULT EVENTS AND All.0CATED UNAVAILABil_ITY CATAWDTAFWS - 1WTCT00P Applicant's fault Description of Fault Event. Unavailability e identifier b. Valve inadvertently closed due to maintenance 1 x 10-3 1.1 x 10-3 1:= El x 10-3 error

42. RACVS03P Check valwe ISA3 Plugged 1 x 10-4 1 x 10-4
43. RASVS02C ADV ISA2 valve f ault causes flow blockage a.

Plugged 1.0 x 10-4 2 x 10-4 b. Operator inadvertently closes valve once opened 1 x 10-4 E = T x 16-4

44. RACVS06P Check valve ISA6 plugged 1 x 10-4 1 x 10-4
45. RASVS05C A0V ISAS valve fault causes flow blockage 2 x 10-4 g

a. Plugged I.0 x 10-4 b. Operator inadvertently closes valve once opened I x 10-4 E = U f6-4

46. RAXVSO4P a.

Manual valve ISA4 plugged 1 x 10-4 1.1 x 10-3 b. Valve inadvertenly closed due to maintenance 1 x 10-3 error E = 1.1 x 10-3

47. RAMV468C MOV ICA468 valve f ault causes flow blockage (10)

Pluggell 1 x 10-4 4 x 10-4 a. b. Operatur inadvertently closes valve 1 x 10-4 c. Control clatuit f ailure causes valve to close 1 x 10-4 d. Valwe inadvertently closed due to maintenance 1 x 10-4 . error E = 4 x 10-4

Tahlo 5 (Cont.) FAULT EVENI'S AND Al.l.DCAIED UNAVAll. ABILITY CATAWIfA~AFW5 - LWW~TOOP Applicant's fault Descriptioni of Fault Event Iden ti f ler Unavailability

48. RACV04SP Check valve ICA45 plugged I x 10-4 1 x 10-4
47. NASV044C ADV ICA44 valve f ault caused flow blockage 2 x 10-4 a.

Plugged 1 x 10-4 b. Control circuit f ault causes valve to lie e inadvert'ently closed c. Operator inadvertently closes valve 1 x 10-4 E = U 16-4 S0. HAXV043P Manual valve ICA43 plugged I x 10-4 1.1 x 10-3 Valwe inadvertently closeI due to maintenance error 1 x 10-3 E = 1.1 x 10-3 St. RAXV030P Marinal valve ICA30 plugged 1 x 10-4 1.1 x 10-3 Vaive inadvertently closed due to mainternanice error 1 x 10-3 E = 1.1 x 10-3

52. RAXV088P Manual valve ICA88 plugged 1 x 10-4 1.1 x 10-3 Valve inadvertently closed due to maintenance error 1 x 10-3 E = 1.1 x 10-3
53. ItARC032P Reclitulation check valwe ICA32 plugged I x 10-4 1 x 10-4
54. RAPUMPBF AFW M-D pump B does not start or run due to pump or 1.402x10-2 (LWW) 1.402x10-2 (LWW) power fault 4.4x10-2 (LOOP) 4.4x10-2 (LOOP)

(See itAPtWAF) SSa. RAXV0690 Manual valve ICA69 inadvertently lef topen ! x 10-3 1 x 10-3 h'l 1

Table 5 (Cont.) FAULT EVENTS MAD ALLOCATED UNAVAILAnlLITY CATAllliA Al'US - IlW*~lNP Applicant's f aisi t Description of Fault Event Unavailability identifier SSb. RAXV0700 Hanual valve ICA70 inadvertently lef topen 1 x 10-3 1 x 10-3

56. RAMV180D  MOV ICA180 valve fault causes flow blockage (see RAMV15AD): 1.423 x 10^-2 (LMFW), 4.42 x 10^-2 (LOOP). Unavailability: 1.423 x 10^-2 (LMFW), 4.42 x 10^-2 (LOOP)

57. RAMV090C  MOV ICA9B valve fault causes flow blockage. Unavailability: 2 x 10^-4
    a. Plugged: 1 x 10^-4
    b. Valve inadvertently left closed due to maintenance error: 1 x 10^-4
    Σ = 2 x 10^-4

58. RACV010P  Check valve ICA10 plugged: 1 x 10^-4. Unavailability: 1 x 10^-4

59. RAMV50AC  MOV ICA50A valve fault causes flow blockage. Unavailability: 3 x 10^-4
    a. Plugged: 1 x 10^-4
    b. Control circuit failure causes valve to be inadvertently closed: ε
    c. Operator inadvertently closes valve: 1 x 10^-4
    d. Valve inadvertently closed due to maintenance error: 1 x 10^-4
    Σ = 3 x 10^-4

60. RACV049P  Check valve ICA49 plugged: 1 x 10^-4. Unavailability: 1 x 10^-4

61. RASV048C  AOV ICA48 valve fault causes flow blockage. Unavailability: 2 x 10^-4
    a. Plugged: 1 x 10^-4
    b. Control circuit failure causes valve to be inadvertently closed: ε
    c. Operator inadvertently closes valve: 1 x 10^-4
    Σ = 2 x 10^-4


62. RAXV047P  Unavailability: 1.1 x 10^-3
    Manual valve ICA47 plugged: 1 x 10^-4
    Valve inadvertently closed due to maintenance error: 1 x 10^-3
    Σ = 1.1 x 10^-3

63. RAMV42BC  MOV ICA42B valve fault causes flow blockage. Unavailability: 4 x 10^-4
    a. Plugged: 1 x 10^-4
    b. Control circuit failure causes MOV ICA42B to be inadvertently closed: 1 x 10^-4
    c. Operator inadvertently closes valve: 1 x 10^-4
    d. Valve inadvertently closed due to maintenance error: 1 x 10^-4
    Σ = 4 x 10^-4

64. RACV041P  Check valve ICA41 plugged: 1 x 10^-4. Unavailability: 1 x 10^-4

65. RASV040C  AOV ICA40 valve fault causes flow blockage. Unavailability: 2 x 10^-4
    a. Plugged: 1 x 10^-4
    b. Control circuit failure causes valve to be inadvertently closed: ε
    c. Operator inadvertently closes valve: 1 x 10^-4
    Σ = 2 x 10^-4

66. RASV039P  Unavailability: 1.1 x 10^-3
    Manual valve ICA39 plugged: 1 x 10^-4
    Valve inadvertently closed due to maintenance error: 1 x 10^-3
    Σ = 1.1 x 10^-3


67. RAMV175C  MOV CA175 (D.C. operated) valve fault causes flow blockage. Unavailability: 1.42 x 10^-2
    a. Mechanical failure: 1 x 10^-3
    b. Plugged: 1 x 10^-4
    c. Control circuit failure prevents valve from opening: 6 x 10^-3
    d. Loss of actuation: 7 x 10^-3
    e. Operator erroneously closes valve: 1 x 10^-4
    Σ = 1.42 x 10^-2

68. RACV173P  Check valve CA173 plugged: 1 x 10^-4. Unavailability: 1 x 10^-4

69. RAMV174C  MOV CA174 (D.C. operated) valve fault causes flow blockage. Unavailability: 1.42 x 10^-2
    a. Mechanical failure: 1 x 10^-3
    b. Plugged: 1 x 10^-4
    c. Control circuit failure prevents valve from opening: 6 x 10^-3
    d. Loss of actuation: 7 x 10^-3
    e. Operator erroneously closes valve: 1 x 10^-4
    Σ = 1.42 x 10^-2

70. RAMV178C  MOV CA178 valve fault causes flow blockage. Unavailability: 2 x 10^-4
    a. Plugged: 1 x 10^-4
    b. Control circuit failure causes valve to close: ε
    c. Operator closes valve inadvertently: 1 x 10^-4
    Σ = 2 x 10^-4


71. RASVBREQ  More than one steam generator B safety relief valve fails open to bypass steam to atmosphere. Unavailability: 2.0 x 10^-5

72. RASVCREQ  More than one steam generator C safety relief valve fails open to bypass steam to atmosphere. Unavailability: 2.0 x 10^-5

73. RAMV006F  MOV ICA6 fails to close on low level condensate storage tank signal. Unavailability: 6.0 x 10^-3

74. TA  Unavailability of valves due to testing. Tests conducted on a quarterly basis with a calculated mean test act duration time of 0.86 hours for valves (per WASH-1400). Unavailability: 3.9 x 10^-4

75. TAPUMP F  Unavailability of auxiliary feedwater pumps due to testing. Tests conducted on a quarterly basis with a calculated mean test act duration time of 1.4 hours (per WASH-1400). Unavailability: 6.4 x 10^-4

76. MA  Unavailability of pumps or valves due to maintenance. Maximum maintenance act duration time is 72 hours with a corresponding calculated mean maintenance act duration time of 19 hours. Unavailability: 5.8 x 10^-3

Table 6
NRC-SUPPLIED DATA USED FOR PURPOSES OF CONDUCTING A COMPARATIVE ASSESSMENT OF EXISTING AFWS DESIGNS AND THEIR POTENTIAL RELIABILITIES

Point Value Estimate of Probability of Failure on Demand*

I. Component (Hardware) Failure Data
a. Valves:
    Manual Valves (Plugged): ~1 x 10^-4
    Check Valves: ~1 x 10^-4
    Motor-Operated Valves
        Mechanical Components: ~1 x 10^-3
        Plugging Contribution: ~1 x 10^-4
        Control Circuit (Local to Valve)
            w/Quarterly Tests: ~6 x 10^-3
            w/Monthly Tests: ~2 x 10^-3
b. Pumps: (1 Pump)
    Mechanical Components: ~1 x 10^-3
    Control Circuit
        w/Quarterly Tests: ~7 x 10^-3
        w/Monthly Tests: ~4 x 10^-3
c. Actuation Logic: ~7 x 10^-3

* Error factors of 3-10 (up and down) about such values are not unexpected for basic data uncertainties.

Table 6 (Cont.)

II. Test and Maintenance Outage Contributions:
a. Calculational Approach
    1. Test Outage: Q_TEST = (hrs/test)(tests/year) / (hrs/year)
    2. Maintenance Outage: Q_MAINT = (0.22)(hrs/maint. act) / 720
b. Data Tables for Test and Maint. Outages

SUMMARY OF TEST ACT DURATION
Component: Range on Test Act Duration Time, hr; Calculated Mean Test Act Duration Time, hr
    Pumps: 0.25 - 4; 1.4
    Valves: 0.25 - 2; 0.86
    Diesels: 0.25 - 4; 1.4
    Instrumentation: 0.25 - 4; 1.4

LOG-NORMAL MODELED MAINTENANCE ACT DURATION
Component: Range on Maintenance Act Duration Time, hr; Calculated Mean Maintenance Act Duration Time, hr
    Pumps: 1/2 - 24; 7
    Pumps: 1/2 - 72; 19
    Valves: 1/2 - 24; 7
    Diesels: 2 - 72; 21
    Instrumentation: 1/4 - 24; 6

Note: These data tables were taken from the Reactor Safety Study (WASH-1400) for purposes of this AFW system assessment. Where the plant technical specifications placed limits on the outage duration(s) allowed for AFW system trains, this tech spec limit was used to estimate the mean duration times for maintenance. In general, it was found that the outages allowed for maintenance dominated those contributions to AFW system unavailability from outages due to testing.
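The Table 6 calculational approach can be checked against the values allocated in Table 5. The following Python is an added example, not part of the original report: it recomputes entries 74-76 from the outage formulas and re-adds the failure-mode contributions of three valve entries. Assumed here: 8760 hours per year, four tests per year for "quarterly", and that a failure mode listed without a numeric value contributes nothing; all function names are hypothetical.

```python
"""Reconcile Table 5 outage and valve entries against the Table 6 formulas."""
from math import floor, isclose, log10

HOURS_PER_YEAR = 8760.0  # assumption: 365 d x 24 h as the "hrs/year" denominator
TESTS_PER_YEAR = 4       # entries 74 and 75: tests "on a quarterly basis"
EPSILON = None           # a failure mode the table lists without a numeric value


def q_test(hours_per_test, tests_per_year=TESTS_PER_YEAR):
    """Table 6, II.a.1: fraction of the year a component is out for testing."""
    if hours_per_test < 0 or tests_per_year < 0:
        raise ValueError("durations and frequencies must be non-negative")
    return hours_per_test * tests_per_year / HOURS_PER_YEAR


def q_maint(hours_per_act):
    """Table 6, II.a.2: 0.22 x (hrs/maint. act) / 720."""
    if hours_per_act < 0:
        raise ValueError("duration must be non-negative")
    return 0.22 * hours_per_act / 720.0


def sum_modes(modes):
    """Rare-event sum of failure-mode contributions (the table's sigma line).

    EPSILON modes are treated as negligible; that reading is an assumption.
    """
    return sum(m for m in modes if m is not EPSILON)


def round_sig(x, digits):
    """Round x to the number of significant digits the table prints."""
    if x == 0:
        return 0.0
    return round(x, digits - 1 - floor(log10(abs(x))))


# (entry label, recomputed value, value printed in Table 5, significant digits)
CHECKS = [
    ("74 valve testing", q_test(0.86), 3.9e-4, 2),
    ("75 pump testing", q_test(1.4), 6.4e-4, 2),
    ("76 maintenance", q_maint(19), 5.8e-3, 2),
    ("67 MOV CA175", sum_modes([1e-3, 1e-4, 6e-3, 7e-3, 1e-4]), 1.42e-2, 3),
    ("63 MOV ICA42B", sum_modes([1e-4, 1e-4, 1e-4, 1e-4]), 4e-4, 1),
    ("59 MOV ICA50A", sum_modes([1e-4, EPSILON, 1e-4, 1e-4]), 3e-4, 1),
]


def reconcile(checks=CHECKS):
    """Return (label, recomputed, printed, agrees) for every check."""
    report = []
    for label, computed, printed, digits in checks:
        rounded = round_sig(computed, digits)
        agrees = isclose(rounded, printed, rel_tol=1e-9)
        report.append((label, rounded, printed, agrees))
    return report


def mismatches(checks=CHECKS):
    """Labels of entries whose printed value the formulas do not reproduce."""
    return [label for label, _, _, agrees in reconcile(checks) if not agrees]


def maintenance_to_test_ratio():
    """How strongly the maintenance outage outweighs the pump test outage."""
    return q_maint(19) / q_test(1.4)


if __name__ == "__main__":
    for label, rounded, printed, agrees in reconcile():
        status = "ok" if agrees else "MISMATCH"
        print(f"{label:18s} recomputed {rounded:.3g}  printed {printed:.3g}  {status}")
    print(f"maintenance / pump-test outage = {maintenance_to_test_ratio():.1f}")
```

The ratio it reports is the numerical form of the note's observation that maintenance outages dominate test outages.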

m - ~. _ _ _ _ _... _... _... _. _.. 4 i t 4: 1 li;. Human Acts & Errors - Failure Data: Estimated Human Error / Failure Probabilities Modifying Factors & Situations' With Valve Position With Local Walk-Around & W/0 Either Indication in Control Room Double Check Procedures Point Value Est Est. on Point Value Est Est. on Point Value Est On Error l Error Estimate Error Factor Factor Factor a. Acts & Errors of A Pre-Accident Nature 1. Valves M'ispositioned During Test /Maint (a) Specific Single Valve Wrongly Selected out of A Population -2 of valves During Conduct of a -2 -2 10 1 1 1 Test or Maintenance Act (X No. Iy0 x1 1x 10 x% 10 )( 1 10 o,g of Valves in Population at Choice) Td R 20 2 3 3 2 (b) Inadvertently Leaves Correct 4 Valve in Wrong Position' 5 x 10 20 5 x 10 10 10 10 g ~4 ~3 ~3 I cl 2. More than one valve is affected i x 10 20 1 x 10 10 3 x 10 to g o -(coupled errors) a et 3. Miscalibration of Sensors / Electrical-Relays ~3 ~2 5 x 10 10 10 10 (a)' 'One Sensor / Relay Affected (b)' More than one Sensor / Relay 1 x 10 10 3 x 10 10 Affected ~3 ~3 t 4

___ __ _ _._ _.___...._.. _. _._ m. m_ S i Time Actuation Needed Estimated Failure Estimated Failure Overall Estimated Prob. for Primary Prob. of other Estimate Error Factor Operator to (Backup) Control of failure on Overall Actuate AFWS Rm. Operator to Probability Probabi,ity Actuate AFWS [ b. Acts & Errors of a Post-Accident Nature 1. Manual Actuation of AFW system from Control Room' 3 (a). Considering "Dc!'.cated" Operator 5 min. 2x10:3 2 x 10,'3 10 5[ to Actuate AFW system and Possible 15 min. I x 10,4 0.5 (mod. dep.) 5 3 10 10 3 4 1> . Backup Actuation of AFWS - 30 min. 5 x 10 .25 (Iow dep.) 10 10 en (a) Considering "Non-Dedicated" 5 min,. 5 x 10 2 5 x 10',2 10 jz; ' Operator to Actuate AFW system 115 min. 1 x 10,3 0.5 (mod. dep.) 5 5 10 10 f, ' Gj and Possible Backup 30 min. 5 x 10 .25 (Iow dep.) 10 10 o 3 Acutation of AFW system v !~ l i v i ] t m a <wi = m -e y

APPENDIX A: Applicant's Letter

CATAWBA-2746

Westinghouse Electric Corporation
Water Reactor Divisions
Nuclear Technology Division
Box 355
Pittsburgh, Pennsylvania 15230

March 11, 1982
NS-PL-9922
MPS #35924

Mr. W. O. Parker, Vice President
Steam Production Department
Duke Power Company
P. O. Box 33189
Charlotte, North Carolina 28242

Attention: K. S. Canady

CATAWBA NUCLEAR STATION UNITS NUMBER 1 AND 2
Auxiliary Feedwater System Reliability Analysis

Dear Mr. Parker:

Per request of Duke Power, we are forwarding full-size copies of Figure A-1 (Sheet 4) and Figure A-2 (Sheet 2) of WCAP-9946 to the attention of Dr. Jannis Papazoglou of Brookhaven National Laboratory. We also wish to confirm here the unavailability values verbally given to Mr. R. Quelette by I. Ratsep on March 4, 1982 (these may be transmitted to the NRC per their request). The values for Figure 3.0 of WCAP-9946 are as follows:

Transient: Unavailability Value
    LMFW: 4.6 x 10^-5
    LMFW/LOOP: 2.8 x 10^-4
    LMFW/Loss of all AC: 8.1 x 10^-2

Should there be any further questions, please contact us.

Very truly yours,

F. J. Twog, Manager
Duke Power Projects

I. C. Ratsep/bek
Attachment

cc: D. L. Fuller, IL
    P 3. Parker, 5L
    1. K. Blackley, IL
    J. Papazoglou, IL, 2A

APPENDIX B-1

BROOKHAVEN NATIONAL LABORATORY
MEMORANDUM

DATE: August 13, 1982
TO: I. A. Papazoglou
FROM: A. Fresco & R. Youngblood
SUBJECT: May 20, 1982 Telephone Conversation on Catawba Nuclear Station - Units 1 & 2, AFWS Reliability Analysis

Participants:

Nuclear Regulatory Commission: K. Jabbour - DL; V. Panciera - ASB; J. Tsao - RRAB
Brookhaven National Laboratory: I. Papazoglou - DNE; A. Fresco - DNE; R. Youngblood - DNE
Duke Power Company (O. L. Applicant): J. Cox; D. Lee; R. Meisenheimer; R. Quellette; R. Sharpe

References:

1. WCAP-9945 "Reliability Analysis of the Auxiliary Feedwater System for the Catawba Nuclear Station - Units 1 & 2", by J. N. Steinmetz, Westinghouse Electric Corp., July, 1981.
2. Catawba Nuclear Station FSAR - Chapter 10.4.9 "Auxiliary Feedwater System", (Rev. 4).
3. NUREG-0611 "Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse - Designed Operating Plants", January, 1980.

The conversation was conducted in two parts. The first part was based upon a generalized agenda while the second part consisted of a specific list of questions.

Part 1 - Generalized Agenda

Topic - Suction Sources

  • ST-1: Conditions under which water is available from each source.
  • D-1:

The quantity of water in the Auxiliary Feedwater Condensate Storage Tank (AFWCST), which is shared between two units, corresponds to a 20-minute supply for one unit, or a 10-minute supply if both units are drawing from it. The Upper Surge Tanks (UST) typically contain approximately 20 minutes worth. The condenser hotwell typically contains much more. The only event in which a substantial amount of condensate would be "missing", i.e., not available in the condensate hotwell, is a major pipe rupture.

ST-2: Operating procedures governing switchover from one source to another.

D-2: As the Auxiliary Feedwater Condensate Storage Tank (AFWCST) is depleted, the MOV isolating it from the rest of the systems (ICA6) should close automatically on low AFWCST level. Whether or not this occurs, water should be available from the Upper Surge Tank (UST). When water is no longer available from either the AFWCST or the UST, perhaps 1/2 hour after LMFW, one of two operator actions should take place:

1. Condenser vacuum can be broken to supply water from the hotwell. If vacuum is broken, water is available regardless of the state of the AFWCST and UST isolation valves (ICA6 or ICA4).
2. The operator can close the valve isolating the UST (ICA4) from the system, and verify that the valve isolating the AFWCST (ICA6) is properly closed (it should have closed automatically on low AFWCST level). If these valves are closed, water is available from the hotwell regardless of the state of its vacuum.

  • ST-1 refers to Sub-Topic No. 1
  • D-1 refers to Discussion No. 1

If neither of these operator actions is taken, condensate-grade water is not available. At this point, an automatic switchover to the Nuclear Service Water System (NSWS) or the Condenser Circulating Water System (CCWS) is made in order to prevent air from entering the system and causing it to fail. The switchover to the NSWS is based on low pressure in the header supplying condensate to the AFWS. After the switchover, Motor-Driven (MD) Pumps A and B of the AFWS are aligned respectively to trains A and B of the NSWS, while the Turbine-Driven (TD) Pump is aligned to NSWS Train A. Switchover logic meets safety-grade design requirements and is redundant (one channel for each train of NSW), although it is contained within the non-safety class portions of the AFWS.

If a switchover is made to the NSWS, procedure suggests isolating each pump from the condensate supply header. The MOV's available for this (ICA7A, ICA9B, ICA11A) are not ordinarily in service (the breakers are disconnected), but this has no impact on system performance. NSW is supplied at a pressure of 80 to 90 psig, so that this last step of isolation should be unnecessary.

ST-3: Maintenance and calibration activities associated with this switchover.

D-3: In addition to normal valve testing, the pressure sensors in the switchover logic require periodic calibration.

ST-4: Methods of locking out switchover.

D-4: There are switches which disable the MOV's that open to supply NSW. These switches therefore can defeat the switchover, if they are improperly set.

ST-5: Strainers

D-5: It was confirmed that there are suction strainers. Duke personnel emphasized that these are temporary.

Part 2 - Specific Questions

Q-1: The FSAR states that 610 GPM of 134°F water are required for LMFW (Loss of Main Feedwater) and 478 GPM for more severe events or for plant cooldown following a period of hot standby. However, both the FSAR (Ref. 2) and the analysis (Ref. 1) list the Motor-Driven Pumps' (MDP) capacity as 500 GPM each of 134°F water. This implies that both pumps are required for LMFW. Please clarify.

A-1: Duke Power Company will refer this question to the reactor supplier, Westinghouse Electric Corp., for resolution in a future telephone conversation.

Q-2: Since all three condensate sources are headered together, it seems that all three are being depleted simultaneously. Please explain the sequence of operation. Can full flow be provided by the condenser hotwell or must the flow be restricted depending upon the pressure and level in the condenser?

A-2: The Upper Surge Tank (UST) is about 100 feet elevation above the condenser Hotwell, while the AFW Condensate Storage Tank (CST) is at ground level. Therefore, the UST will first supply condensate to the pumps followed by the AFW-CST and then the condenser hotwell which will usually be under vacuum. No limitations exist on the flow rate the pumps can draw from the hotwell.

Q-3: Does availability of the main plant condenser for LMFW allow continuous recycling of the AFWS flow?

A-3: Yes, the AFWS can be operated almost indefinitely under those conditions.

Q-4: At what frequency does the applicant anticipate that switchover to the NSWS and the Condenser Circulating Water System (CCWS) will be required?

A-4: We do not foresee any circumstances during the plant's lifetime for which switchover will be required.

Q-5: Are UST or Condenser Hotwell Low-Low Level faults possible causes of LMFW?

A-5: We anticipate that the only cause of a Low-Low Level in the Condenser Hotwell would be a major pipe rupture. (No response to the UST Low-Low Level was given.)

Q-6: Were separate test and maintenance fault trees, not shown in the analysis, prepared? If so, they should be provided to BNL.

A-6: Duke Power Company will refer this question to the authors of the analysis, Westinghouse Electric Corp., for resolution in a future telephone conversation.

Q-7: What are the pumps' recirculation flow rates and is recirculation an intermittent process?

A-7: Yes, recirculation is an intermittent process. Each MD pump has a minimum flow requirement of approximately 90 GPM (design rating of 500 GPM at 134°F) while the Turbine-Driven Pump (TD Pump) has a requirement of approximately 200 GPM (design rating of 1000 GPM at 134°F).

Q-8: How are the AFW flow rates and steam generator levels controlled?

A-8: The control is manual from the Control Room (by throttling of the air-operated valves in each steam generator feedline).

Q-9: What is the mode of operation of the Wet Lay-Up line (FSAR Fig. 10.4.9-2)? In particular, how is it assured that AFWS flow cannot be diverted from its proper inlet location to the steam generators?

A-9: The Wet Lay-Up lines are valved off and locked closed and are not opened during AFW operation.

Q-10: What is the NPSH available to all three pumps when the CCWS must be used? Required NPSH is 15 ft. and the CCWS buried pipe is probably much lower in elevation than the pumps.

A-10: In reality, the buried pipe is actually higher in elevation than the pumps, which are located in a pit in the Reactor Auxiliary Building, so that sufficient pump NPSH is available at all times.

Q-11: It appears that failure to isolate the Steam Generator Blowdown lines upon AFWS actuation was not considered in the analysis. Please explain.

A-11: Duke Power Company will refer this question to the authors of the analysis, Westinghouse Electric Corp., for resolution in a future telephone conversation.

Q-12: The MOV's, ICA66B for Steam Generator A and ICA38A for Steam Generator B, isolate AFW from the TD Pump and are shown normally closed on the Simplified Flow Diagram, Fig. 2.0, Ref. 1. Also, flow from MD Pump A is isolated from Steam Generators C and D by normally closed valves ICA111 and ICA112 while flow from MD Pump B is isolated from Steam Generators A and B by the same valves. Ref. 2 states that this valve scheme is designed to prevent excessive pump runout during an accidental depressurization of a steam generator and yet maintain at least minimum AFW flow to at least two effective steam generators during the operator delay period. It further states that the motor-operated isolation valves on the MD Pump discharge lines to Steam Generators B and C (ICA58A and ICA46B) will close individually and automatically if the TD Pump is operating and the MD Pump of the opposite train fails to start. It appears then that if either Steam Generator B or C is undergoing depressurization, the TD Pump will experience excessive runout and trip on overspeed so that there will remain only one MD Pump feeding only one Steam Generator, which violates the Mission Success criteria. Please explain.

A-12: The TD Pump will not experience excessive runout although about 420 GPM will be delivered to the depressurized steam generator and only 150 GPM to the properly functioning one. Operator action is preferred to isolate the TD Pump flow to the depressurized steam generator.

APPENDIX B-2

BROOKHAVEN NATIONAL LABORATORY
MEMORANDUM

DATE: August 13, 1982
TO: I. A. Papazoglou
FROM: A. Fresco & R. Youngblood
SUBJECT: May 27, 1982 Telephone Conversation on Catawba Nuclear Station - Units 1 & 2, AFWS Reliability Analysis

Participants:

Nuclear Regulatory Commission: K. Jabbour - DL; J. Tsao - RRAB
Brookhaven National Laboratory: I. Papazoglou - DNE; A. Fresco - DNE; R. Youngblood - DNE
Duke Power Company: R. Quelette
Westinghouse Electric: I. Ratsep; J. Shopsky; J. Steinmetz

References:

1. WCAP-9946 "Reliability Analysis of the Auxiliary Feedwater System for the Catawba Nuclear Station - Units 1 and 2" by J. N. Steinmetz, July, 1981.
2. Catawba Nuclear Station FSAR - Chapter 10.4.9 "Auxiliary Feedwater System", Rev. 4.
3. NUREG-0611 "Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse - Designed Operating Plants", January, 1980.

This conversation was conducted to follow up a previous conversation on the same subject held on May 20, 1982. In the previous conversation, representatives of Westinghouse were not available.

Part 1 - Generalized Agenda

Topic - Reliability Analysis (Ref. 1)

  • ST-1: Dominant Contributors:
  • D-1:

90% or more of the unavailability (for LMFW and LOOP) is due to triple events, of which one factor is test or maintenance and the other two are random failures. These large contributions are related to two features of the analysis:

1. Certain flowpaths from pumps to steam generators are normally closed, and no credit was taken for these.
2. Maintenance on valves was assessed at 19 hours per act. This was based on the fact that Catawba Technical Specifications allow a train to be out for 72 hours, and NUREG-0611 (Ref. 3) tabulates a 19-hour mean maintenance outage for pumps which are allowed by technical specifications to be out of service for 72 hours.

ST-2: Human Error

D-2: The policy followed in the analysis was not to take credit for human corrective action, but to assess the probability of human interference with proper system operation. Inadvertently leaving valves closed after maintenance was assessed in NUREG-0611 as either 5 x 10^(exponent illegible in source) if the valves have control-room position indication, or 5 x 10^-3 if walk-around and double-check are employed. The analysis used 1 x 10^-4 or 1 x 10^-3 for this error, which are the values given in NUREG-0611 for the probability of more than one valve being left in the wrong position. This was evidently a misunderstanding of the intent of NUREG-0611.

  • ST-1 refers to Sub-Topic No.1
  • D-1 refers to Discussion No. 1

Full flow test lines can divert flow during an actual challenge if they have been left open after maintenance. Each such line has two valves in series. The study quantified this event as the probability of leaving two different unrelated valves open, giving each 10^-3, so that the probability of leaving the test line open was (10^-3)^2 = 10^-6. This is another manifestation of the misunderstanding alluded to above. The probability of leaving one valve open should have been 5 x 10^(exponent illegible in source), and substantial coupling should be assumed.

ST-3: Turbine-Driven (TD) Pump:

D-3: Failure of this pump to receive an actuation signal was not quantified. The Motor-Driven (MD) Pumps were each given 7 x 10^-3 for failure of actuation, a figure which appears in NUREG-0611. None of the participants was able immediately to clarify whether the two channels that start the MD Pumps also start the TD Pump. The steam admission valves' failure to operate was not quantified. The TD Pump actuation logic was stated as appearing in FSAR Fig. 7.2.1-1 (Sh. 15).

ST-4: Suction:

D-4: One large contributor to failure of the condensate supplies was given on the tree as failure to close valve ICA6. The previous conversation with Duke Power indicated that the situation is substantially more complicated than the fault tree indicates. The fault tree conservatively quantifies one failure event; the tree would correspond more closely to the existing situation if more events were added. Quantification of the modified tree, however, would not substantially revise the conclusion unless potential common cause failures of switchover to the Nuclear Service Water System (NSWS) are discovered.

Part 2 - Specific Questions

a) The following questions were originally posed during the May 20, 1982 conversation but were referred to Westinghouse by Duke Power Company:

Q-1: The FSAR (Ref. 2) states that 610 GPM of 134°F water are required for Loss of Main Feedwater (LMFW) and 478 GPM for more severe events or for plant cooldown following a period of hot standby. However, both the analysis (Ref. 1) and the FSAR (Ref. 2) list the MD Pumps' capacity as 500 GPM each of 134°F water. This implies that both pumps are required for LMFW. Please clarify.

A-1: NUREG-0611 identifies the major criterion for Mission Success as sufficient AFW flow to prevent the steam generators from going dry. Therefore, only 392 GPM of 134°F water are required to satisfy this, although at that flow rate, the Power-Operated Relief Valves on the primary coolant side might lift.

Q-2: How were the test and maintenance unavailabilities calculated? Were separate fault trees prepared?

A-2: No separate trees were prepared. The existing random-only trees were utilized by substituting test and maintenance unavailabilities in a single pump and valve train in combination with random-only failures in the other two trains.

Q-3: It appears that failure to isolate the Steam Generator Blowdown lines upon AFWS actuation was not considered in the analysis. Please explain.

A-3: Failure to isolate the Blowdown lines was not considered to be within the scope of NUREG-0611, and would fall beyond the limits of a study considering the reliability of an AFWS.

b) The following questions were not previously discussed during the May 20th telephone conversation:

Q-1: Under what circumstances would the AFW flowpaths to Steam Generators A and D from the Turbine-Driven (TD) Pump be opened?

A-1: Duke Power Company will respond to this question in a future telephone conversation.

Q-2: Can steam be diverted past the Auxiliary Steam Supply Check Valve ISA7 in sufficient quantity to result in insufficient steam supply to the TD pump, in the event that valve ISA7 fails to close? Failure to close of ISA7 was not considered in the analysis.

A-2: Duke Power Company will respond to this question in a future telephone conversation.

Q-3: How are the Cross-Connection Valves ICA111 and ICA112, which isolate the discharge of MD Pump A from Steam Generators C and D and the discharge of MD Pump B from Steam Generators A and B, opened, manually from the Control Room or locally?

A-3: ICA111 and ICA112 are locally manually-operated valves.

Q-4: Refs. 1 and 2 list the primary condensate grade sources as:

Max. Capacity (Gallons)
1. Upper Surge Tank (UST): 85,000
2. AFW Condensate Storage Tank (AFW-CST) (shared between both units): 42,500
3. Condenser Hotwell (Normal operating level): 170,000

Should not credit be taken for minimum, not maximum, capacities? Please provide the normal operating and minimum capacities.

A-4: Duke Power Company will respond to this question in a future telephone conversation.

Q-5: Failure to valve off the depleted AFW-CST (Ref. 1, Table A-1, No. 73, RAMV006F) was assigned as 6.0E-3/demand. How was this arrived at? Does it include both human error and hardware failures? Would the same figure be assigned to Failure to Close MOV ICA4 from the AFW-CST (not identified in the analysis but should logically be called RAMV004F)?

A-5: The figure 6.0E-3 is a conservative assumption which includes both human and hardware failure. Valve ICA4 is not required to close for flow to subsequently be drawn from the Condenser Hotwell, so there is no need to include such a failure in the fault tree analysis. (Ref. 1 specifically states the contrary.)

Q-6: Will the check valves (ICA1, ICA3, ICAS) and the MOVs (ICA4, ICA6) of the condensate grade non-safety-related sources be tested as if they were safety class components governed by ASME Code Section XI - Subsection IWV? The same question applies to the check valve (ICA173) and the MOVs (ICA174, ICA175, ICA178) of the Condenser Circulating Water System (CCWS).

A-6: Duke Power Company will respond to this question in a future telephone conversation.

Q-7: MOVs ICA174, ICA175 and ICA178 which are located on the CCWS supply line do not appear on either the Indicators or Controls Location List of either Ref. 1 or Ref. 2. Please state where the controls and indicators are located.

A-7: Duke Power Company will respond in a future telephone conversation.

Q-8: The fault trees show a fault identified as "Loss of Condensate Supplies Due to Environmental Conditions Beyond Design Base". Is this the same as Ref. 1, Table A-1, #9B, "RACONDER - Loss of all Condensate Water Due to Earthquake"? How was the unavailability of 3.6E-3/demand derived?

A-8: Yes, they are the same, and the failure rate was derived from WASH-1400.

Q-9: The fault trees show a fault identified as "Failure of CCW Supplies Due to Environmental Conditions Beyond Design Base" yet no corresponding fault is shown in Table A-1, Ref. 1. Should this fault be identified as RACIRCER with an unavailability of 3.6E-3/demand?

A-9: Yes

Q-10: Are the Flow Indicators shown on Fig. 2-0, Ref. 1, in-line type instruments, e.g., orifices? If so, should not failure due to plugging have been considered?

A-10: Duke Power Company will respond to this question in a future telephone conversation.

Part 3 - Concluding Remarks:

It was agreed that none of these items appears to substantially revise the study's conclusions in the direction of increased unavailability, if credit is taken for operator correction of certain failures. There is some argument for assessing maintenance less conservatively, and for taking credit for availability of normally closed flow paths. These changes would revise the study's conclusions in the direction of decreased unavailability.

APPENDIX B-3

BROOKHAVEN NATIONAL LABORATORY
MEMORANDUM

DATE: August 13, 1982
TO: I. A. Papazoglou
FROM: A. Fresco & R. Youngblood
SUBJECT: June 11, 1982 Telephone Conversation on Catawba Nuclear Station - Units 1 & 2, AFWS Reliability Analysis

Participants:

Nuclear Regulatory Commission: K. Jabbour - DL; J. Tsao - RRAB
Brookhaven National Laboratory: A. Fresco - DNE; R. Youngblood - DNE
Duke Power Company: J. Cox; D. Lee; R. Meisenheimer; R. Quellette; R. Sharpe

The following conversation was held as a follow-up to a previous conversation held on May 27, 1982. Duke Power Co. was asked to respond to these questions on that date.

Q.1: Under what circumstances would the AFW flowpaths to Steam Generators A and D from the Turbine-Driven Pump be opened?

A.1: After determining that no fault exists, i.e., no steam generator is undergoing depressurization (no rupture or stuck-open relief valve, etc.), the operator would open them to balance the flow to the four steam generators.

Q.2: Can steam be diverted past the Auxiliary Steam Supply Check Valve ISA7 in sufficient quantity to result in insufficient steam supply to the TD pump, in the event that ISA7 fails to close?

A.2: Upstream of ISA7 there is a locked-closed valve (ISA87) which should preclude this.

Q.3: Refs. 1 and 2 list the primary condensate grade sources as:

Max. Capacity (Gallons)
1. Upper Surge Tank (UST): 85,000
2. AFW Condensate Storage Tank (AFW-CST) (shared between two units): 42,500
3. Condenser Hotwell (Normal Operating Level): 170,000

Should not credit be taken for minimum, not maximum, capacities? Please provide the normal operating and minimum capacities.

A.3: The recommended operating level for the UST is 55,000 gallons. A minimum figure is not available. The hotwell level should stay at 170,000 gallons "99% of the time". The AFWCST inventory is being made up continuously as necessary during normal operation, and the stated inventory should be available to either unit.

Q.4: Will the check valves (ICA1, ICA3, ICAS) and the MOVs (ICA4, ICA6) of the condensate grade non-safety-related sources be tested as if they were safety class components governed by ASME Code Section XI - Subsection IWV? The same question applies to the check valve (ICA173) and the MOVs (ICA174, ICA175, ICA178) of the Condenser Circulating Water System.

A.4: Upstream of ICA174 and ICA175 is the break between safety and non-safety-related piping; ICA174 and ICA175 are safety-related and will be tested as per the ASME Code. See Appendix A for the remainder of this answer.

Q.5: Are the flow indicators shown on Figure 2.0, Ref. 1, in-line type instruments, e.g., orifices? If so, should not failure due to plugging have been considered?

A.5: They are orifices having a 2.7" bore in a 4" line.

Q.6: MOVs ICA174, ICA175 and ICA178 of the Condenser Circulating Water System (CCWS) are not shown on the Indicators or Controls Lists in either the FSAR Section 10.4.9 or the reliability analysis. Please indicate where the controls and indicators are located.

A.6: Indicators and controls for these valves are located both in the Control Room and on the Standby Shutdown Facilities panel.

Appendix A

The following response was provided by Duke Power Company to the NRC in a subsequent telephone conversation in June, 1982:

Q. Will the MOVs (ICA4 and ICA6) and the check valves (ICA1, ICA3 and ICAS) of the condensate-grade non-safety-related sources be tested as if they were safety class components governed by ASME Code Section XI - Subsection IWV?

A. Since none of the valves in question are safety-related, no specific test (or maintenance) policy will be implemented.

APPENDIX C

BROOKHAVEN NATIONAL LABORATORY
MEMORANDUM

DATE: July 19, 1982
TO: I. A. Papazoglou
FROM: A. Fresco and R. Youngblood
SUBJECT: Catawba Unit 1 - AFWS Reliability Study Evaluation

At the request of J. Tsao of the NRC/RRAB on July 7, 1982, we have prepared the following additional questions concerning the AFWS for his visit to the plant site on July 20-21, 1982:

1. Are there any circumstances under which the pumps will trip upon Low NPSH?

2. Under what circumstances (and why) would the Control Room Operator block out automatic operation of the following valves:
   a) MOV 1CA6 on the AFW Condensate Storage Tank?
   b) MOVs 1RN250A, 1RN310B, ICA15A, ICA15B, ICA116A and ICA858 of the Automatic Switchover to the NSWS?

3. Under what circumstances (and why) would the operator activate:
   a) Auto Start Defeat Switch of the MD pumps?
   b) Local/Remote Control Transfer Switch?

4. a) What is the DC power source(s) for MOV 1CA6?
   b) How long would it be available for:
      1) LOOP?
      2) LOAC?
   c) Is the valve operable from both the Control Room and the local panels on DC power?

5. Please verify that MOV 1CA4 which isolates the Upper Surge Tank need not be closed to prevent air from entering the AFWS pumps' suction upon depletion of the UST.

6. Please verify that the UST will be the first source to be depleted because of its high elevation and consequent static head. Please provide the NPSH available from all sources.

7. Given that MOV ICA6 fails to close automatically upon depletion of the AFW-CST:
   a) How much time is available after the low level in the AFW-CST has been reached before the pump NPSH becomes deficient?
   b) How long would it take the Control Room Operator to break the Condenser Vacuum?
   c) What operator actions are required to break the vacuum?

8. For LOOP and LOAC, how quickly after the initiation of the incident would the condenser vacuum be dissipated?

9. If MOV 1CA6 failed to close, would this be alarmed in the Control Room?

10. Where are the pressure switches for automatic Switchover to the NSWS physically located? What is the potential for mis-calibration of these switches?

11. Please verify that the normally closed MOVs 1CA66B and ICA38A, which isolate the TD pump from Steam Generators A and D, respectively:
    a) Cannot be operated on DC power.
    b) Cannot be handjacked open.

12. Where are the manually-operated valves 1CA111 and ICA112 physically located? How easily could these valves be opened in the event of a LOOP? Are these valves normally throttled as shown on the Flow Diagram?

APPENDIX C (Cont.)

October 20, 1982

NRC Response to BNL Memo Dated July 19, 1982

The following responses were provided by J. Tsao of the NRC-RRAB based on his visit to the Catawba plant site on July 20-21, 1982 and the subsequent discussion with the applicant's personnel:

1. No pump trips upon low NPSH.

2. The operator would block out valves in a) and b) for maintenance and shutdown.

3. The operator would activate the Auto Defeat Switch of the motor driven pump for test, maintenance and shutdown.

4. Valve ICA6 is not D.C. powered.

5. Air cannot enter the AFW system through valve ICA4 even if the valve fails to close.

6. The first water source to be depleted is the Condensate Storage Tank. The NPSH for all water sources were undetermined.

7. a) Undetermined
   b) The operator pushes a button on the control panel to break the condenser vacuum.
   c) The action itself takes a few seconds; however, the time for the operator to recognize the problem is undetermined.

8. The condenser vacuum would take a few minutes to dissipate.

9. Undetermined

10. Undetermined

11. The motor operated valves ICA66B and ICA38A are not operated on DC power but can be handjacked open.

12. Valves ICA111 and ICA112 are located about one floor below the control room. The operator would have to walk some corridors and a flight of stairs to reach them. It was not determined if these valves are throttled as shown on the flow diagram.

NRC FORM 335
U.S. NUCLEAR REGULATORY COMMISSION
BIBLIOGRAPHIC DATA SHEET

NUREG/CR-3297
BNL/NUREG-51675

4. TITLE AND SUBTITLE: Review of the Catawba Units 1 and 2 Auxiliary Feedwater System Reliability Analysis

7. AUTHOR(S): A. Fresco, R. Youngblood and I. A. Papazoglou

DATE REPORT ISSUED: October 1983

9. PERFORMING ORGANIZATION NAME AND MAILING ADDRESS: Department of Nuclear Energy, Brookhaven National Laboratory, Upton, New York 11973

12. SPONSORING ORGANIZATION NAME AND MAILING ADDRESS: Division of Safety Technology, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

11. FIN NO.: A3393

13. TYPE OF REPORT: Technical Report

16. ABSTRACT (200 words or less)

This report presents the results of a review of the Auxiliary Feedwater System Reliability Analysis for Catawba Units 1 and 2. The objective of this report is to estimate the probability that the Auxiliary Feedwater System will fail to perform its mission for each of three different initiators: (1) loss of main feedwater with offsite power available, (2) loss of offsite power, (3) loss of AC power except for vital instrumentation and control power. The scope, methodology, and failure data are prescribed by NUREG-0611, Appendix III. The results are compared with those obtained in NUREG-0611 for other Westinghouse plants.

17. KEY WORDS AND DOCUMENT ANALYSIS
17a. DESCRIPTORS: Reliability Analysis; Auxiliary Feedwater System; Catawba Nuclear Power Plant Units 1 and 2; NUREG-0611

18. AVAILABILITY STATEMENT: Unlimited

19. SECURITY CLASS (This report): UNCLASSIFIED

}}