ML20083Q711

From kanterella

Preliminary Investigation of Interconnected Sys Interactions for Safety Injection Sys of Indian Point 3

Person / Time
Site: Indian Point, 05000000
Issue date: 03/04/1983
From: Alesso H, LAWRENCE LIVERMORE NATIONAL LABORATORY
To: NRC
Shared Package: ML20083L077
References: FOIA-83-618 NUDOCS 8303080290

Text

UCID-19h73

Preliminary Investigation of Interconnected Systems Interactions for the Safety Injection System of Indian Point-3

H. P. Alesso
D. A. Lappa
Lawrence Livermore National Laboratory

C. F. Smith
Science Applications, Inc.

I. J. Sacks
Analytic Information Processing, Inc.

March 4, 1983

This is an informal report intended primarily for internal or limited external distribution. The opinions and conclusions stated are those of the author and may or may not be those of the Laboratory.

This work was supported by the United States Nuclear Regulatory Commission under a Memorandum of Understanding with the United States Department of Energy.

ABSTRACT

The rich diversity of ideas and techniques for analyzing interconnected systems interaction has presented the NRC with the problem of identifying methods appropriate for their own review and audit. This report presents the findings of a preliminary study using the Digraph Matrix Analysis method to evaluate interconnected systems interactions for the safety injection system of Indian Point-3.

The analysis effort in this study was subjected to NRC constraints regarding the use of Boolean logic, the construction of simplified plant representations or maps, and the development of heuristic measures as specified by the NRC.

We found the map and heuristic measures to be an unsuccessful approach since they require an effort comparable to a risk assessment study, while the exclusion of Boolean logic resulted in a significant reduction in statistical correlation with safety. However, from the effort to model and analyze the Indian Point-3 safety injection system, including Boolean logic in the model, we were successful in identifying singleton and doubleton cut-sets.

We recommend that (a) efforts excluding Boolean logic and utilizing the NRC heuristic measures not be pursued further at LLNL, and (b) the Digraph Matrix approach (or other comparable risk assessment technique) with Boolean logic included be used to conduct the audit of the Indian Point-3 systems interaction study.

TABLE OF CONTENTS

Section                                                              Page
1.0 INTRODUCTION ....................................................   1
    1.1 Background and Motivation ...................................   1
    1.2 Statement of the Problem ....................................   2
    1.3 Approach ....................................................   3
2.0 INTERCONNECTED SYSTEMS INTERACTION EVALUATION PROCEDURE ........   6
3.0 PRELIMINARY IP-3 SAFETY INJECTION SYSTEM EVALUATION ............   7
    3.1 IP-3 Safety Injection System ................................   7
    3.2 IP-3 Safety Injection System Modeling .......................  12
    3.3 Discussion of Results .......................................  33
4.0 CONCLUSIONS ....................................................  35
REFERENCES .........................................................  37

LIST OF FIGURES

                                                                     Page
Figure 1.  Indian Point-3 High Pressure Safety Injection System ....  10
Figure 2.  Success Digraph of Safety Injection System ..............  15
Figure 3.  Dual Digraph of Safety Injection System .................  16
Figure 4.  Success Digraph of Electrical Support System ............  17
Figure 5.  Dual Digraph of Electrical Support System ...............  18
Figure 6.  Success Digraph of Safety Injection Actuation ...........  19
Figure 7.  Dual Digraph of Safety Injection Actuation ..............  20
Figure 8.  Dependency Map from RWST to RCS .........................  24
Figure 9.  Dependency Map from Safety Injection Pump 31 to RCS .....  25
Figure 10. Dependency Map from Safety Injection Pump 32 to RCS .....  26
Figure 11. Dependency Map from Safety Injection Pump 33 to RCS .....  27
Figure 12. Basic Component Positioning for use with Overlays .......  28
Attached Overlays A-J ........................................ Envelope

LIST OF TABLES

                                                                     Page
Table 1. Acronyms Used in Modeling .................................  14
Table 2. Computer Input Listing of Logic Model .....................  22
Table 3. List of Variables and Numerical Designators ...............  23
Table 4. Deconditioned Adjacency Matrix of Model ...................  30
Table 5. Connectivity Measures: In and Out Degrees of Model Nodes ..  31
Table 6. Partial List of Paths (Levels of Dependency) from
         RWST (2) to RCS (48) ......................................  32
Table 7. Doubleton Matrix and List of Singletons ...................  34

1.0 INTRODUCTION

1.1 Background and Motivation

The term Systems Interaction (SI) has been introduced by the NRC to identify the concepts of spatial and functional coupling of nuclear power plant systems leading to system interdependencies. Spatial coupling refers to dependencies resulting from shared environmental conditions within the plant; functional systems interactions include coupling due to shared support systems (process coupling) and interdependencies due to dynamic human error.

The Office of Nuclear Reactor Regulation of the NRC is developing a program to further define and subsequently implement SI regulatory requirements for light water reactors (LWRs). The need to design LWRs against adverse SIs was recognized and formally begun in May, 1978 [1]. Assessments of Three Mile Island-2 (TMI-2) [2] and other recent events, including those at Browns Ferry-3 [3-6] and Crystal River-3 [7], have pointed to the need for increased review efforts in this area. Consequently, the NRC contracted with the Battelle Columbus/Pacific Northwest Laboratories [8], Brookhaven National Laboratory [9], and Lawrence Livermore National Laboratory [10] to review the state-of-the-art in SI. The three laboratories examined reported incidents from reactor operating experience, defined a set of criteria for SI, and evaluated existing and potential methodologies for the analysis of SI. The methods evaluated included some based primarily on risk assessment techniques [11] and others based primarily on the expert judgment of a multidisciplinary team after an on-site inspection [12]. As a result of the state-of-the-art review, the three laboratories unanimously recommended risk assessment techniques, such as event tree/fault tree methods, combined with walk-through inspections for identifying SIs. Various ranking criteria were suggested for evaluating the SIs once they were identified. The Power Authority of the State of New York (PASNY), at about this time, developed its own systems interaction methodology for application to the interconnected systems at Indian Point-3 (IP-3) [13-14]. The method was based on "shutdown logic diagrams" which were success-paths of operational sequences.

Preliminary results [15] indicated that there are at least three concepts on how Systems Interactions could be incorporated into an overall Probabilistic Risk Assessment (PRA).

One concept is that systems interactions can be adequately analyzed by enhancing existing PRA techniques. This would be done by expanding the scope and boundary conditions of fault tree analysis and putting additional emphasis on dependency analysis techniques such as generic analysis [16], minimum cut-set common cause/mode analysis [16] or digraph-fault tree analysis [17]. NRC's initial guidance for this point of view has already begun [15]. A second, and closely related, concept is that systems interactions can be incorporated into a PRA at the event tree stage of analysis. This approach attempts to capture systems interactions at an earlier stage of analysis; by treating dependencies in the event tree analysis portion of a PRA, the requirement of fault tree modeling at additional levels of detail is reduced [15]. The third concept is based on matrix representation of logic diagrams and is called Digraph Matrix Analysis [17-18]. This technique would be applied after the event tree analysis has identified the accident sequences, but prior to initiating fault tree construction. It treats an accident sequence consisting of several systems along with their support systems as a single success-oriented model. Thus, instead of constructing a reliability block diagram (or equivalent) and a fault tree for each individual system in an accident sequence, as in the Reactor Safety Study [19], the entire accident sequence is modeled as a single success-oriented operational logic diagram which includes AND and OR gates.

The advantage is that such a model can be rigorously separated into independent parts that can be analyzed individually. Once the systems interactions are identified, the fault trees and the rest of the PRA could be completed.

A review of the fundamental mathematical aspects of fault-oriented and success-oriented risk analysis (including Digraph-Matrix Analysis) was presented in [20], which offered insight into the trade-off advantages and disadvantages of each.

1.2 Statement of the Problem

This rich diversity of ideas and techniques for utility studies analyzing interconnected systems interaction presented the NRC with the problem of finding a way to evaluate systems interconnections for their own review and audit. It was desired that an independent study be conducted and compared to the licensee submittal. However, the independent study was intended to be performed at a reduced scope.

1.3 Approach

Nuclear power plants are designed and operated such that any given safety function can be achieved through a variety of alternative paths. In other words, for a given safety function, there are typically redundant trains of success paths. Defense-in-depth is achieved in part through design approaches such as redundancy, physical separation, functional diversity, independence, coincidence, quality assurance and testing. If executed properly, these design approaches lead to a level of safety function reliability much higher than can be achieved in a simpler system. However, the resulting system complexity provides the potential for systems interaction. A characteristic aspect of the systems interaction problem is the question of system and/or component independence.

To be useful in a systems interaction assessment, a methodology must be capable of analyzing systems at the component level of detail. It is further desirable that the impact of the interaction on plant safety as a whole be evaluated for ranking purposes.

The identification of the various systems needed to perform the basic safety functions should be followed by the identification of the systems and trains needed to support them. This will involve consideration of support systems, and should extend to the component level. It is likely that interactions resulting from failures of the support systems will be manifested through the components of the systems directly responsible for the safety functions. Interactions at this level often involve "common cause" failures, i.e., multiple component failures due to a common single event or failure.

Following the identification of the systems interaction candidates, it is necessary to evaluate their impact on plant safety.

A systematic approach must be taken in exploring the relationships between systems in a nuclear power plant because the plant is complex and the relationships are subtle. At one end of the spectrum of complexity, the systems analysis method could be a detailed fault tree/event tree analysis with an emphasis on dependent (common cause/mode) failures. Other simpler approaches have been discussed elsewhere [8,9,10,15]. A formal structured approach is believed to be desirable and has been recommended [18,20].

The Indian Point-3 interconnected systems interaction audit effort to be conducted by LLNL has been subjected to the following NRC constraints:

1. Boolean logic is excluded from modeling efforts (but not necessarily from computer code processing).
2. A "map" of the systems at the train level of detail is to be constructed.
3. Heuristic measures, specified by the NRC, called "connectivity" (degrees of a node) and "levels of dependency" (paths between any node and all others) are to be used to draw statistical correlation between the map and the potential for systems interactions in the systems involved.

The motivation for these constraints was the possible advantages to be found from (1) simpler analyst effort and training, and (2) reduced scope and costs of effort.

This draft report is a preliminary attempt to conduct a systems interaction investigation of the IP-3 safety injection system, and its component cooling, actuation and electrical connections subject to the NRC constraints.

We found the specific IP-3 safety injection system design to be particularly difficult to represent in a model subject to the NRC constraints. It contained numerous common pipe-headers and common "passive" components within and between trains. In addition, the numerous plant modes and configurations under differing accident conditions compounded the modeling problems. As a result, we were unable to strictly adhere to the NRC constraints.

In order to identify which components were necessary for successful operation of individual trains, it was necessary to form detailed component level representations of the entire system. This violated constraint 2. In addition, we attempted to apply numerous constraints on the system model, such as limiting it to the injection phase following a small LOCA during loss of off-site power. This was done in an attempt to avoid explicit Boolean logic in the modeling. Despite this, the component-level representation required some specific AND conditions in order to differentiate multiple "dependency" conditions from simple hardware connections. This violated constraint 1. After a component-level logical representation of the safety injection and related systems was completed, we attempted to construct a safety injection system "map" (at the component level), and find its "connectivity" and "level of dependency" measures. The "map" became essentially our original component-level logical representation with the AND and OR logic conditions excluded. However, by excluding Boolean logic, the "connectivity" and "levels of dependency" measures suffer a significant reduction in their ability to provide a statistical correlation with safety. Therefore, for the systems considered in this study, we found the specified measures to be inadequate. This failed constraint 3.

As a result, we found the "map," and the heuristic measures as specified by NRC, to be an unsuccessful approach based on the following criteria: (a) they required as much detailed study, training, effort and cost as a comparable risk assessment study, and (b) the evaluation criteria were less informative than a comparable risk assessment result.

It should be noted, however, that the component-level logical representations which we constructed while attempting to overcome the modeling problems (not very different from directed logic diagrams used in Digraph-Matrix Analysis (DMA) or, for that matter, from conventional fault trees) still contain the essential modeling information. From these representations, which were actually the residue of our attempts, we were able to find singleton and doubleton cut-sets for the safety injection system and support systems.

In section 2, we outline the efforts we made to develop a systems interaction audit procedure subject to the NRC constraints. The methodology focuses attention on evaluating the independence of safety system trains and looks for violations of the single failure criterion.

In section 3.1, we briefly describe the IP-3 safety injection system. In section 3.2, we review modeling efforts that we used in attempting to develop a systems interaction audit procedure that would meet the NRC constraints. We illustrate the problem areas that forced us to violate the NRC criteria for this procedure. Finally, in section 3.3, Phoenix-like, we discuss how the detailed component-level logic models, which of necessity were constructed in violation of NRC constraints 1 and 2, were capable of adequately addressing the systems interaction identification problem. From the component-level logic models we found singleton and doubleton cut-sets (dependent failures) of the system.

2.0 INTERCONNECTED SYSTEMS INTERACTION EVALUATION PROCEDURE

The steps in the systems interaction audit methodology attempted in this report are summarized below.

1. Review plant safety system to identify system trains
2. Model active components within each train
3. Construct matrix of active components
4. Use matrix to generate map of each train
5. Find "connectivity" and "levels of dependency" measures

First, the plant's safety systems necessary for the plant's Engineered Safety Features are identified and reviewed. FSAR, P&ID, system description and electrical wiring information is gathered and reviewed. From this information, the safety systems within the Engineered Safety Features are further delineated into trains. In newer designs, trains are more readily identified. In older designs such as Indian Point-3, however, trains are greatly interrelated due to common headers and common (passive) components. Therefore, as the specific plant design required, modeling of the trains was conducted to the level of detail necessary to assure train identification. In the case of Indian Point-3, it was necessary to model at the individual component level of detail. It was also necessary to limit the study to the high pressure safety injection system with related support systems. Once models of the individual trains were completed, a computer code was used to generate a train "map" and find the system measures "connectivity" and "levels of dependency." In addition, we found singleton and doubleton cutsets.

3.0 INDIAN POINT-3 SAFETY INJECTION SYSTEM EVALUATION

In section 3.1, we summarize the Indian Point-3 Safety Injection and related support systems descriptions. Then in section 3.2, we present the model of the system developed to the train level of detail. In section 3.3, we present the mapping, measures (which proved inadequate), and singleton, doubleton cutset results.

3.1 Indian Point-3 Safety Injection System

The following Indian Point-3 Safety Injection System description borrows from information used in this study including [21-23].

The Safety Injection System is intended to provide adequate emergency core cooling. This system (which constitutes the Emergency Core Cooling System) operates in three modes. These modes are referred to as passive accumulator injection, active safety (or high pressure) injection and residual heat removal recirculation. The system assures that the core will remain intact and in place with its essential heat transfer geometry preserved following a rupture in the Reactor Coolant System.

Redundancy and segregation of instrumentation and components are incorporated to assure that postulated malfunctions will not impair the ability of the system to meet the design objectives. The system is designed to be effective in the event of loss of normal station auxiliary power coincident with the loss of coolant, and is designed to be tolerant of failure of any single component or instrument channel to respond actively in the system [21].

System Description

The Safety Injection System is designed to provide adequate emergency core cooling following a Loss-of-Coolant Accident. The system components operate in the following possible modes:

a. Injection of borated water by the passive accumulators.
b. Injection of borated water from the Boron Injection Tank and the Refueling Water Storage Tank (RWST) with the safety injection pumps.

Thus the two channels of high pressure injection include direct injection (RWST to the Reactor Cooling System) and boron injection through the Boron Injection Tank.

c. Injection by the residual heat removal pumps also drawing borated water from the Refueling Water Storage Tank.
d. Recirculation of spilled reactor coolant, injected water and Containment Spray System drainage back to the reactor from the recirculation sump by the recirculation pumps. (The residual heat removal pumps provide backup recirculation capability.)

To provide protection for large area ruptures in the Reactor Coolant System, the Safety Injection System must respond to rapidly reflood the core following the depressurization and core voiding that is characteristic of large area ruptures. The accumulators act to perform the rapid reflooding function with no dependence on the normal or emergency power sources and also with no dependence on the receipt of an actuation signal.

The measure of effectiveness of the Safety Injection System is the ability of the pumps and accumulators to keep the core flooded or to reflood the core rapidly where the core has been uncovered for postulated large area ruptures. The result of this performance is to limit any increase in clad temperature below a value where emergency core cooling objectives are met.

With minimum onsite emergency power available (two-of-three diesel generators), the required emergency core cooling equipment is two out of three safety injection pumps, one out of two residual heat pumps, and three out of four accumulators for a cold leg break and four accumulators for a hot leg break. With these systems, the calculated maximum fuel cladding temperature is limited to a temperature less than that which meets the emergency core cooling design objectives for all break sizes up to and including the double-ended severance of the reactor coolant pipe.

For large area ruptures the clad temperatures are turned around by the accumulator injection. The active pumping components serve only to complete the refill started by the accumulators. Either two safety injection pumps or one residual heat removal pump provides sufficient addition of water to continue the reduction of clad temperature initially caused by the accumulators.

Initial response of the injection systems is automatic with appropriate allowances for delays in actuation of circuitry and active components. The active portions of the injection systems are automatically actuated by the

safety injection signal. In addition, manual actuation of the entire injection system and individual components can be accomplished from the Control Room. In analysis of system performance, delays in reaching the programmed trip points and in actuation of components are conservatively established on the basis that only emergency onsite power is available.

The starting sequence of the safety injection and residual heat removal pumps and the related emergency power equipment is designed so that delivery of the full rated flow is reached within 34 seconds after the process parameters reach the set points for the injection signal. Motor control centers are energized and injection valves are opened at the same time as the pumps are started.

The delay time consists of the time intervals:

                                                                    Seconds
a. To initiate the safety injection signal, including instrument lag      1
b. To start two diesel generators                                        19
c. To start two safety injection pumps                                    8
d. To start one residual heat removal pump                                6
   TOTAL                                                                 34

The initiation signal for core cooling by the safety injection pumps is the safety injection signal which is actuated by any of the following: (a) low pressurizer pressure, (b) high containment pressure, (c) high differential pressure between any other two steam generators, (d) high steam flow in any two of the four steam lines coincident with low T or low steam pressure, and (e) manual actuation.

For the purpose of this study, analysis has been centered on the high pressure safety injection system as it would be required to function under small break LOCA conditions.

High Pressure Injection Phase

The high pressure safety injection system consists of three safety injection pumps, the boron injection tank, and a network of piping, pipe headers, and valves. The system is dependent upon various electrical, control and component cooling equipment for support. Figure 1 is a schematic diagram of the high pressure safety injection system.

[Figure 1 (schematic drawing; only the caption survives extraction). Figure 1. Indian Point-3 High Pressure Safety Injection System (from Reference 23).]
The safety injection signal starts the safety injection pumps and opens the Safety Injection System isolation valves. The safety injection pumps deliver borated water to two separate discharge headers. The flow from each header is injected into each of the four cold legs of the Reactor Coolant System (RCS).

One major safety injection flow path contains a boron injection tank (discharge side of pump) for the addition of negative reactivity to the reactor cold legs in the minimum time delay. The tank contains boric acid at a nominal value of 21,000 ppm boron (12 percent solution), and is isolated from the safety injection pump discharge line by redundant, normally closed parallel valves. The valves open upon receipt of a safety injection signal.

The refueling water flowing into the tank from the discharge of the high head pumps forces the high boron concentration solution out of the tank and into the RCS.

The second major flow path provides for direct injection of water from the RWST into the RCS. The two flow paths deliver water to the RCS through separate discharge headers, each consisting of four cold leg injection lines.

The three safety injection pumps operate in parallel to provide flow from a common coolant supply through the two major paths into the two injection line headers. Of the three pumps, one is dedicated to each major flow path, while the third (pump 32) provides flow to both paths.

If the four injection lines on a header remain intact, the flow from one safety injection pump is sufficient to meet design requirements for makeup of coolant following a small break which does not immediately depressurize the Reactor Coolant System to the accumulator discharge pressure. Since the small break may be an injection line, two safety injection pumps are required.

Safety Injection Component Cooling

The component cooling system (CCS) is a closed loop system. Water is pumped by three component cooling water (CCW) pumps to two component cooling heat exchangers. Here, heat is exchanged to the service water system. The cooled water which emerges then travels on to various plant locations and cools numerous components, finally returning as suction for the three CCW pumps.

The component cooling system's support of the safety injection system involves only the cooling of the three safety injection pumps. Considering the case of a unit trip, with loss of off-site power and safety injection, according to the Indian Point PRA (reference 24, page 6):

"When this condition occurs, all CCS pumps are tripped. Electrical power is reestablished using the emergency diesel generators. The following events will occur in the component cooling loop:

- The shaft driven circulating pumps will be running when the safety injection pumps run and will supply cooling services for these pumps."

Thus, for the plant conditions assumed, the only requirement of the CCS is that it provide suction for the shaft driven circulating pumps. On page 3 of the PRA [23] we find:

"The three safety injection pumps receive flow during all plant conditions.... Each pump drives an attached circulating pump which is capable of supplying the cooling requirements for the safety injection pump using the water contained in the CCS supply headers."

Thus for the assumed plant condition, we conclude that no active components of the CCS are required to function. Accordingly, we have incorporated the CCS in our modeling of the safety injection system only in terms of the circulating pumps that are driven by the safety injection pumps.

3.2 IP-3 Safety Injection System Modeling

The basic overview of the safety injection system is shown schematically in Figure 1 (page 10). This system was modeled from P&ID [21], FSAR [22] and PRA [23] information which was used to identify active components in the system and their operation during specified conditions. Note that small diameter piping connections and flow paths were ignored for this analysis. Active components were defined as components that require either a change of state or active signals, actuation or operation from an external support system. The basic simplifying assumptions imposed on the analysis in order to distinguish a dependency from a simple hardware connection were:

- Small break LOCA
- Loss of off-site power
- Safety Injection (high pressure) phase
- Inactive components and piping ignored except where required to indicate significant interconnection between active components
- The model of the actuation system is developed only to the identification of instrument signal inputs to actuation logic channels
- Only connections representing dependency considered
- Normal system alignment of components.

Successful accomplishment of the high pressure safety injection function was assumed to occur when any one safety injection pump had at least a single flow path to the Reactor Cooling System.

Table 1 gives a list of acronyms used in component modeling. The list shows the components included in the model. The principal support systems for the safety injection system are the electrical and actuation systems, with component cooling consolidated into the safety injection system itself.

The resulting component-level logic models of the safety injection system (see Figure 2), the electrical connections (see Figure 4), the actuation connections (see Figure 6) and their dual representations (see Figures 3, 5, 7 respectively) were then constructed.

The digraphs of the safety injection system (Figures 2 and 3) illustrate the two major flow paths into the RCS via separate discharge headers into cold leg injection lines. The electrical and actuation system inputs into various active elements (valves, pumps, and the boron injection tank) are also included. The pumps are shown to be dependent on their respective electric power buses, component cooling, actuation signals, and coolant flow. Motor operated valves that change state upon initiation of safety injection are shown to be dependent on electric power, actuation signals and flow. The boron injection path requires electric heating for the boron injection tank, heat tracing for the related pipes, and flow.


Table 1. Acronyms Used in Modeling

I. Electrical
DG31-33          Diesel Generators 31-33
DC31-33          DC battery systems 31-33
BFI5A, 6A, 2A    Bus Fault Interlock on bus 5A, 6A or 2A
UV5A, 6A, 2A     Undervoltage on bus 5A, 6A or 2A
EP5A, 6A, 2A     Electric Power bus 5A, 6A or 2A
BTB              Bus Tie Breaker
MCC36A, 36B      Motor Control Center 36A or B

II. Actuation
MSI*             Manual Safety Injection
HSLF*            High Steam Loop Flow
SLDP*            Steam Loop Differential Pressure
LPP*             Low Pressurizer Pressure
HCP*             High Containment Pressure
SILOG1, 2        Safety Injection Logic Channels 1 and 2
SISIG1, 2        Safety Injection Signal Channels 1 and 2

III. Safety Injection
RWST             Refueling Water Storage Tank
Vxxx             Motor operated valve #xxx
CCW1, 2, 3       Component Cooling Water loop 1, 2 and 3
SIP31, 32, 33    Safety Injection Pumps 31, 32, 33
HDRx             Header #x
MANSW            Manual Switch for Heat Trace
HTRC             Heat Tracing
EHTR             Electric Heaters
BIT              Boron Injection Tank
RCS              Reactor Cooling System

* These actuation signals are not developed further.

Figure 2. Success Digraph of Safety Injection System (figure not reproduced in text)

Figure 3. Dual Digraph of Safety Injection System (figure not reproduced in text)

Figure 4. Success Digraph of Electrical Support System (figure not reproduced in text)

Figure 5. Dual Digraph of Electrical Support System (figure not reproduced in text)

Figure 6. Success Digraph of Safety Injection Actuation System (figure not reproduced in text)

Figure 7. Dual Digraph of Safety Injection Actuation System (figure not reproduced in text)

The digraphs of the electrical support system (Figures 4 and 5) show the interrelationships between 480V power buses, motor control centers, diesel generators and DC power supplies. Also shown are the required actuation signals for diesel startup, and bus fault and undervoltage conditions for diesel connections to the buses.

The digraphs of the safety injection actuation system (Figures 6 and 7) show the instrumentation inputs into two separate logic channels. Also shown are the DC power requirements of the two logic channels for generating the respective actuation signals.

In developing the component level dependency models, it was necessary to incorporate information describing logical states of component interconnections. For example, the operation of a given component might require an actuation signal that could be provided by either actuation channel 1 or 2. In addition to either of these actuation signals, motive power might be required.

A logical OR condition applies to the combination of actuation signals, whereas a logical AND condition expresses the mutual dependency where both actuation and motive power are necessary.

The model diagrams indicate OR conditions as directed lines that converge to the appropriate node. AND conditions are represented by the intersection of two or more directed lines with a perpendicular gate. Dummy nodes are used where necessary for computer processing.

The dual representation of a logic model (as discussed in reference 18) is obtained by changing AND gates to OR gates and OR gates to AND gates throughout the diagram. The dual representation of a success diagram is the corresponding fault oriented description. The dual representation is used to develop input for the computer processing of the model.

The computer input that represents the dual component-level logic models for the safety injection and support systems is shown in Table 2. The computer code processed this information and produced a list of components and their computer assigned numerical designators (Table 3) as well as the overall system "maps" (see Figures 8-12 and Overlays A-J).


Table 2. Computer Input Listing of Logic Model

(Each record has the form FROM,TO,COND followed by a comment; COND is 1 for an unconditional connection, otherwise the name of the AND-gate partner node. The listing is terminated by the record 0,0,0. Records that are not legible in the scanned original are omitted.)

RWST,V1810,1          RWST PROVIDES FLOW TO VALVE 1810, NORMALLY OPEN
V1810,V887B,1         FLOW TO SIP 32 IS THROUGH VALVE 887B
V887B,V887A,1         VALVES 887A AND B ARE IN SERIES
V1810,SIP31,1         V1810 PROVIDES SUCTION FOR SIP 31
V887A,SIP32,1         V887A PROVIDES SUCTION FOR SIP 32
V1810,SIP33,1         V1810 PROVIDES SUCTION FOR SIP 33
SISIG1,SIP33,SISIG2   SAFETY INJECTION SIGNAL REQUIRED FOR SIP 33
SISIG2,SIP33,SISIG1   SAFETY INJECTION SIGNAL REQUIRED FOR SIP 33
SISIG1,SIP32,SISIG2   SAFETY INJECTION SIGNAL REQUIRED FOR SIP 32
SISIG2,SIP32,SISIG1   SAFETY INJECTION SIGNAL REQUIRED FOR SIP 32
SISIG1,SIP31,SISIG2   SAFETY INJECTION SIGNAL REQUIRED FOR SIP 31
SISIG2,SIP31,SISIG1   SAFETY INJECTION SIGNAL REQUIRED FOR SIP 31
CCW3,SIP33,1          COMPONENT COOLING PUMP 3 REQUIRED FOR SIP 33
CCW2,SIP32,1          COMPONENT COOLING PUMP 2 REQUIRED FOR SIP 32
CCW1,SIP31,1          COMPONENT COOLING PUMP 1 REQUIRED FOR SIP 31
EP6A,SIP33,1          480V BUS 6A REQUIRED FOR SIP 33
EP2A,SIP32,1          480V BUS 2A REQUIRED FOR SIP 32
EP5A,SIP31,1          480V BUS 5A REQUIRED FOR SIP 31
SIP33,HDR4,V851B      FLOW TO BIT THROUGH HEADER 4
V851B,HDR4,SIP33
SIP32,V851B,1         FLOW PATH FOR SIP 32 TO BIT
SIP32,V851A,1         FLOW PATH FOR SIP 32 TO DIRECT INJECTION
SIP31,HDR2,V851A
HDR4,V1852A,1         FLOW THROUGH BORON INJECTION LINE
HDR4,V1852B,1         FLOW THROUGH BORON INJECTION LINE
SISIG1,V1852A,1       ACTUATION SIGNAL FOR BIT VALVE
SISIG2,V1852B,1       ACTUATION SIGNAL FOR BIT VALVE
MCC36A,V1852A,1       POWER SUPPLY FOR BIT VALVE
MCC36B,V1852B,1       POWER SUPPLY FOR BIT VALVE
V1852A,HDR3,V1852B    FLOW TO BIT INPUT HEADER
V1852B,HDR3,V1852A
MCC36B,DUMMY3,1       ALTERNATE POWER SUPPLY FOR HEAT TRACING
MANSW,DUMMY3,1        MANUAL SWITCHOVER FOR HEAT TRACE
DUMMY3,HTRC,MCC36A    POWER SUPPLY FOR HEAT TRACING
MCC36A,HTRC,DUMMY3
MCC36A,EHTR,MCC36B    ELECTRIC HEAT FOR BIT
MCC36B,EHTR,MCC36A
HTRC,BIT,1            HEAT TRACING FOR BORON LINES
EHTR,BIT,1            ELECTRIC HEATING FOR BIT
HDR3,BIT,1            FLOW INTO BIT
BIT,V1835A,1          FLOW PATHS FROM BIT
BIT,V1835B,1
SISIG1,V1835A,1       ACTUATION OF BIT OUTLET VALVES
SISIG2,V1835B,1
MCC36A,V1835A,1       POWER TO BIT OUTLET VALVES
MCC36B,V1835B,1
HDR1,V856C,1          FLOW TO COLD LEG INJECTION LINE VALVES
HDR1,V856D,1
HDR1,V856E,1
HDR1,V856F,1
V856C,DUMMY1,V856D    FLOW TO RCS INJECTION LINES, MOTOR OPERATED VALVES
V856D,DUMMY1,V856C
DUMMY1,DUMMY2,V856E
V856E,DUMMY2,DUMMY1
DUMMY2,DUMMY9,V856F
V856F,DUMMY9,DUMMY2
HDR2,V856K,1          FLOW TO COLD LEG INJECTION LINE VALVE
HDR2,V856J,1
HDR2,V856H,1
HDR2,V856A,1
V856A,DUMMY10,V856H   FLOW TO RCS INJECTION LINES
V856H,DUMMY10,V856A
DUMMY10,DUMMY11,V856J
V856J,DUMMY11,DUMMY10
DUMMY11,DUMMY12,V856K
V856K,DUMMY12,DUMMY11
DUMMY9,RCS,DUMMY12    FLOW PATHS INTO RCS
DUMMY12,RCS,DUMMY9
SISIG1,DG33,SISIG2    SISIG STARTS DG33
SISIG2,DG33,SISIG1
SISIG1,DG32,SISIG2    SISIG STARTS DG32
SISIG2,DG32,SISIG1
SISIG1,DG31,SISIG2    SISIG STARTS DG31
SISIG2,DG31,SISIG1
DG33,EP5A,1           POWER SUPPLY FOR BUS 5A
DC31,EP5A,1           CONTROL POWER FOR BUS CONNECTION
BFI5A,EP5A,1          BUS FAULT INTERLOCK
UV5A,EP5A,1           BUS UNDERVOLTAGE REQUIRED
EP5A,MCC36A,1         POWER SUPPLY FOR MCC36A
DG32,EP6A,1           POWER SUPPLY FOR BUS 6A
DC32,EP6A,1           CONTROL POWER FOR BUS CONNECTION
BFI6A,EP6A,1          BUS FAULT INTERLOCK
UV6A,EP6A,1           BUS UNDERVOLTAGE REQUIRED
DG31,EP2A,1           POWER SUPPLY FOR BUS 2A
DC33,EP2A,1
UV2A,EP2A,1           BUS UNDERVOLTAGE REQUIRED
EP2A,DUMMY4,1         BUS TIE TO BUS 3A
DUMMY4,EP3A,BTB       BTB IS BUS TIE BREAKER
BTB,EP3A,DUMMY4
EP3A,DUMMY4,BTB       BACK CONNECTION TO BUS 2A
BTB,DUMMY4,EP3A
MSI,DUMMY5,HSLF       SI INSTRUMENTATION
HSLF,DUMMY5,MSI       MSI IS MANUAL SI
DUMMY5,DUMMY6,SLDP    SLDP IS STEAM LINE DIFFERENTIAL PRESSURE
SLDP,DUMMY6,DUMMY5
DUMMY6,DUMMY7,LPP
LPP,DUMMY7,DUMMY6
HCP,DUMMY8,DUMMY7     HCP IS HIGH CONTAINMENT PRESSURE
DUMMY8,SILOG1,1       SILOG1 IS SI LOGIC CHANNEL 1
DUMMY8,SILOG2,1
SILOG1,SISIG1,1       SISIG1 IS CHANNEL 1 OF SI SIGNAL
SILOG2,SISIG2,1
0,0,0

Table 3. List of Variables and Numerical Designators

 1  1          38  DUMMY2
 2  RWST       39  DUMMY9
 3  V1810      40  HDR2
 4  V887B      41  V856K
 5  V887A      42  V856J
 6  SIP31      43  V856H
 7  SIP32      44  V856A
 8  SIP33      45  DUMMY10
 9  SISIG1     46  DUMMY11
10  SISIG2     47  DUMMY12
11  CCW3       48  RCS
12  CCW2       49  DG33
13  CCW1       50  DC31
14  EP6A       51  BFI5A
15  EP2A       52  UV5A
16  EP5A       53  DG32
17  HDR4       54  DC32
18  V851B      55  BFI6A
19  V851A      56  UV6A
20  V1852A     57  DG31
21  MCC36A     58  DC33
22  V1852B     59  UV2A
23  MCC36B     60  DUMMY4
24  HDR3       61  EP3A
25  DUMMY3     62  BTB
26  MANSW      63  MSI
27  HTRC       64  DUMMY5
28  EHTR       65  HSLF
29  BIT        66  DUMMY6
30  V1835A     67  SLDP
31  V1835B     68  DUMMY7
32  HDR1       69  LPP
33  V856C      70  DUMMY8
34  V856D      71  HCP
35  V856E      72  SILOG1
36  V856F      73  SILOG2
37  DUMMY1

Figure 8. Map of the path from RWST (node 2) to RCS (node 48) (figure not reproduced in text)

Figures 9-11. Maps of the paths from each safety injection pump to the RCS (node 48) (figures not reproduced in text)

Figure 12. Safety injection system map, base for Overlays A-J (figure not reproduced in text)

The first step of the computer processing is to produce the raw adjacency information. This information is developed from the inputs shown in Table 2 and presented in deconditioned matrix form in Table 4. The deconditioned matrix is the adjacency matrix where the representation of connections through AND gates has been removed. Reachability processing is then performed which yields the reachability matrix. The rows and columns are then summed to yield the number of connections to and from each node. These values are used as the coordinates for the node layout. The upper left region of the map contains nodes with the highest numbers of connections leading from the nodes, while the lower right region contains nodes with the highest numbers of connections leading to the nodes. When two nodes have identical coordinates, one of the nodes is shifted to eliminate overlay.

The logic and physical layout of the system being modeled is generated by the computer using the algorithm described above. Notice that node 48 (reactor core) is the system sink and is at the lower right hand corner of the plot. This location indicates that the node is reachable from the most other nodes and it can reach no other node. The location of node 2 (source) (RWST) indicates it can reach the maximum number of other nodes and can be reached by no other node.

Figure 8 shows the path from the source of cooling water (RWST, node 2) to the sink, the RCS (node 48). Figures 9 through 11 show the paths from each safety injection pump to the RCS. Overlays A through J, intended for use with Figure 12, show similar maps for the diesel generators, power buses, motor control centers, and safety injection signal channels.

Finally, Tables 5 and 6 give the "connectivity" and "levels of dependency" measures specified by NRC. "Connectivity" is a measure of importance based on the degree of a node. The degree of a node is equal to the number of lines directed into the node (called indegree), plus the number of lines directed out of the node (called outdegree), plus the number of undirected lines to a node. If a node has n outdegree but zero indegree, it is a source node. If a node has n indegree, but zero outdegree, it is a sink node. A source node is a possible candidate as a common node or singleton cut-set. However, it is required that the logical relationship of the system be studied before a conclusion can be reached. For example, two source nodes may be required to fail simultaneously in order to fail a system. Thus the logical AND condition precludes our using "connectivity" as a measure for evaluation.
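To make the processing described above concrete, the following is an added Python example, not the report's computer code. It reads records in the Table 2 layout, builds the full adjacency matrix and the deconditioned matrix, computes reachability, derives the in- and out-degrees of Table 5 together with the source and sink nodes, and turns the reachability row and column sums into map coordinates. The reading of a record as FROM,TO,COND (COND equal to 1 for an unconditional edge, otherwise the AND-gate partner node), the sample records (a constructed subset of the model, including a shortcut BIT,RCS record that the report does not contain), and the direction in which colliding nodes are shifted are assumptions made here for the example.

```python
"""Digraph processing in the style of the report's computer code (added example).

Input records follow the Table 2 layout FROM,TO,COND.  COND is 1 for an
unconditional edge; otherwise it names the node that must also fail (the
AND-gate partner).  Reading the listing this way is an assumption made here.
SAMPLE_RECORDS is a constructed subset of the safety injection model; the
BIT,RCS record is a shortcut the report's model does not contain.
"""

SAMPLE_RECORDS = """\
RWST,V1810,1        RWST PROVIDES FLOW TO VALVE 1810
V1810,SIP33,1       V1810 PROVIDES SUCTION FOR SIP 33
SISIG1,SIP33,SISIG2 SI SIGNAL REQUIRED FOR SIP 33 (AND with SISIG2)
SISIG2,SIP33,SISIG1
CCW3,SIP33,1        COMPONENT COOLING REQUIRED FOR SIP 33
EP6A,SIP33,1        480V BUS 6A REQUIRED FOR SIP 33
DG32,EP6A,1         POWER SUPPLY FOR BUS 6A
SIP33,HDR4,V851B    FLOW TO BIT THROUGH HEADER 4
V851B,HDR4,SIP33
HDR4,V1852A,1       FLOW THROUGH BORON INJECTION LINE
HDR4,V1852B,1
V1852A,HDR3,V1852B  FLOW TO BIT INPUT HEADER
V1852B,HDR3,V1852A
HDR3,BIT,1          FLOW INTO BIT
BIT,RCS,1           CONSTRUCTED SHORTCUT FROM BIT OUTLET TO RCS
0,0,0
"""


def parse_records(text):
    """Return [(frm, to, cond), ...]; the 0,0,0 record terminates the listing."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frm, to, cond = line.split()[0].split(",")  # comment text follows the record
        if (frm, to, cond) == ("0", "0", "0"):
            break
        records.append((frm, to, cond))
    return records


def build_matrices(records):
    """Node list (first-seen order), full adjacency, and deconditioned adjacency.

    The deconditioned matrix keeps only unconditional (COND == 1) edges, i.e.
    connections through AND gates are removed, as the report describes.
    """
    nodes = []
    for frm, to, _cond in records:
        for name in (frm, to):
            if name not in nodes:
                nodes.append(name)
    idx = {name: i for i, name in enumerate(nodes)}
    n = len(nodes)
    adj = [[0] * n for _ in range(n)]
    decond = [[0] * n for _ in range(n)]
    for frm, to, cond in records:
        adj[idx[frm]][idx[to]] = 1
        if cond == "1":
            decond[idx[frm]][idx[to]] = 1
    return nodes, adj, decond


def reachability(matrix):
    """Transitive closure (Warshall): reach[i][j] = 1 if j is reachable from i."""
    n = len(matrix)
    reach = [row[:] for row in matrix]
    for k in range(n):
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    if reach[k][j]:
                        reach[i][j] = 1
    return reach


def degrees(nodes, adj):
    """{node: (outdegree, indegree)} on the full adjacency, as in Table 5."""
    n = len(nodes)
    return {nodes[i]: (sum(adj[i]), sum(adj[r][i] for r in range(n))) for i in range(n)}


def sources_and_sinks(nodes, adj):
    """Sources have outdegree > 0 and indegree 0; sinks the reverse."""
    deg = degrees(nodes, adj)
    sources = [v for v, (o, i) in deg.items() if o > 0 and i == 0]
    sinks = [v for v, (o, i) in deg.items() if i > 0 and o == 0]
    return sources, sinks


def layout_coordinates(nodes, reach):
    """Map coordinates: (nodes reachable from v, nodes that can reach v).

    A high first coordinate places a node at the upper left of the map, a high
    second coordinate at the lower right.  When two nodes collide, the later
    one is shifted along the first axis until it is free (the report only says
    one node is shifted; the direction chosen here is an assumption).
    """
    n = len(nodes)
    coords, used = {}, set()
    for i, name in enumerate(nodes):
        x = sum(reach[i])
        y = sum(reach[r][i] for r in range(n))
        while (x, y) in used:
            x += 1
        used.add((x, y))
        coords[name] = (x, y)
    return coords


def analyze(text=SAMPLE_RECORDS):
    """Run the whole pipeline on a Table 2 style listing and collect the results."""
    nodes, adj, decond = build_matrices(parse_records(text))
    reach = reachability(decond)  # reachability on the deconditioned matrix
    return {
        "nodes": nodes,
        "degrees": degrees(nodes, adj),
        "sources_sinks": sources_and_sinks(nodes, adj),
        "reach_from": {nodes[i]: sum(reach[i]) for i in range(len(nodes))},
        "coords": layout_coordinates(nodes, reach),
    }


if __name__ == "__main__":
    result = analyze()
    print("sources, sinks:", result["sources_sinks"])
    for name, (x, y) in result["coords"].items():
        print(f"{name:8s} from={x} to={y} degree(out,in)={result['degrees'][name]}")
```

Note that the degrees are taken on the full adjacency (so the AND-conditioned edges of SISIG1 and SISIG2 count, as they do in Table 5), while reachability and the coordinates use the deconditioned matrix; this is why SIP33 is reached by five nodes but reaches none once its AND-gated outlet to HDR4 has been removed.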


Table 4. Deconditioned Adjacency Matrix

(73 x 73 binary matrix over the nodes of Table 3, rows being the "from" node and columns the "to" node, with the connections through AND gates removed; the matrix body is not legibly reproduced in the scanned original.)

Table 5. Connectivity Measures: In and Out Degrees of Model Nodes

NODE  OUTDEGREE  INDEGREE     NODE  OUTDEGREE  INDEGREE
  1       0         0          38       1         2
  2       1         0          39       1         2
  3       3         1          40       4         2
  4       1         1          41       1         1
  5       1         1          42       1         1
  6   [illegible]   5          43       1         1
  7       2         5          44       1         1
  8       1         5          45       1         2
  9       8         2          46       1         2
 10       8         2          47       1         2
 11       1         0          48       0         2
 12       1         0          49       1         2
 13       1         0          50       2         0
 14       1         4          51       1         0
 15       2         3          52       1         0
 16       2         4          53       1         2
 17       2         2          54       2         0
 18       1         1          55       1         0
 19       1         1          56       1         0
 20       1         3          57       1         2
 21       4         1          58       1         0
 22       1         3          59       1         0
 23       4         0          60       1         3
 24       1         2          61       1         2
 25       1         2          62       2         0
 26       1         0          63       1         0
 27       1         2          64       1         2
 28       1         2          65       1         0
 29       2         3          66       1         2
 30       1         3          67       1         0
 31       1         3          68       1         2
 32       4         2          69       1         0
 33       1         1          70       2         2
 34       1         1          71       1         0
 35       1         1          72       1         1
 36       1         1          73       1         1
 37       1         2


Table 6. Partial List of Paths (Levels of Dependency) from RWST (2) to RCS (48)

(The computer listing prints each path found as a sequence of node numbers from Table 3 with the level L counted from the RCS. The one path fully legible in the scanned original is given below; the remaining paths are not legibly reproduced.)

THE FOLLOWING PATH WAS FOUND
NODE= 48 L= 1
NODE= 47 L= 2
NODE= 46 L= 3
NODE= 42 L= 4
NODE= 40 L= 5
NODE= 19 L= 6
NODE=  7 L= 7
NODE=  5 L= 8
NODE=  4 L= 9
NODE=  3 L= 10
NODE=  2 L= 11

"Levels of dependency" is an NRC specified measure of path length between nodes. However, the relationship between path length and safety cannot be correlated without specified logic and consideration of the relative failure probabilities of components involved. Thus, this precludes our using "level of dependency" as an evaluation measure.

3.3 Discussion of Results

The "maps" (see Figures 8-12 and Overlays A-F), "connectivity" (see Table 5), and "levels of dependency" (see Table 6 for partial listing) which we found in the last section proved to be unsatisfactory for identification and evaluation of systems interactions for the systems considered in this study.

They were not only as difficult to produce as standard risk assessment results (since they required detailed component level logic models as a starting point), but by excluding Boolean logic, correlation with safety was significantly reduced.

As a result, we attempted to retrieve some useful systems interaction information from the component-level logic representations modeled in Figures 2-7. By using a Digraph Matrix Analysis path-set Boolean reduction computer code, we found all the singleton and doubleton cut-sets of the safety injection system and its support systems as modeled. The results of this subsequent effort are given in Table 7.

Singletons identified in this analysis included the RWST (the ultimate source of safety injection flow), motor operated valve V1810 (the common valve for suction to all three safety injection pumps under normal alignment), and the RCS itself.


Doubletons are displayed in the matrix included in Table 7. Components involved in this matrix include Headers 1, 2, 3 and 4 (Nodes 32, 40, 24 and 17), safety injection signals 1 and 2 (Nodes 9 and 10), Heat Trace (Node 27), electric heat for the boron injection tank (Node 28), the boron injection tank (Node 29), DC power systems 31 and 32 (Nodes 50 and 54), and Safety Injection logic channels 1 and 2 (Nodes 72 and 73).


Table 7. Doubleton Matrix and List of Singletons

Doubleton matrix over nodes 9, 10, 17, 24, 27, 28, 29, 32, 40, 50, 54, 72, 73 (rows and columns in that order; an asterisk marks a doubleton pair). Only the first row is legible in the scanned original:

       9  10  17  24  27  28  29  32  40  50  54  72  73
  9    -   *   -   -   -   -   -   -   -   -   -   -   -
 10 ... 73  (rows not legibly reproduced)

*** UNSUPPRESSED SINGLETONS ***
 2  RWST
 3  V1810
48  RCS
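The dual construction described earlier (AND gates exchanged with OR gates, giving the fault-oriented description) and the singleton and doubleton search reported in Table 7 can be shown together on a reduced model. The following is an added Python example, not the report's Digraph Matrix Analysis code. Its success tree is a constructed simplification of the safety injection logic (each pump with its cooling, power and actuation supports, two discharge headers, either actuation channel sufficient), it finds minimal cut sets by exhaustive enumeration over the dual rather than by path-set Boolean reduction, and it checks that failing a set of components in the dual agrees with the complement of the success evaluation.

```python
"""Dual (fault) representation and singleton/doubleton cut sets (added example).

Not the report's Digraph Matrix Analysis code.  The success tree below is a
constructed reduction of the safety injection model; its cut sets are found
by brute-force enumeration on the dual tree, not by path-set reduction.
"""
from itertools import combinations


def AND(*children):
    return ("AND", list(children))


def OR(*children):
    return ("OR", list(children))


SI_SIGNAL = OR("SISIG1", "SISIG2")          # either actuation channel suffices
PUMP31 = AND("SIP31", "CCW1", "EP5A", SI_SIGNAL)
PUMP32 = AND("SIP32", "V887B", "V887A", "CCW2", "EP2A", SI_SIGNAL)
PUMP33 = AND("SIP33", "CCW3", "EP6A", SI_SIGNAL)

# Constructed success tree: RWST through V1810 to the pumps, pumps 31/33 to
# header 1 and pumps 31/32 to header 2, either header delivering to the RCS.
SUCCESS = AND(
    "RWST", "V1810",
    OR(AND(OR(PUMP31, PUMP33), "HDR1"), AND(OR(PUMP31, PUMP32), "HDR2")),
    "RCS",
)


def dual(tree):
    """Swap AND<->OR throughout; the dual of a success tree is its fault tree."""
    if isinstance(tree, str):
        return tree
    gate, children = tree
    return ("OR" if gate == "AND" else "AND", [dual(c) for c in children])


def evaluate(tree, failed, leaf_true_when_failed):
    """Evaluate a gate tree; a leaf's truth value depends on the representation."""
    if isinstance(tree, str):
        return (tree in failed) == leaf_true_when_failed
    gate, children = tree
    values = [evaluate(c, failed, leaf_true_when_failed) for c in children]
    return all(values) if gate == "AND" else any(values)


def system_succeeds(success_tree, failed):
    """Success tree: a leaf is true when the component has NOT failed."""
    return evaluate(success_tree, failed, leaf_true_when_failed=False)


def system_fails(fault_tree, failed):
    """Fault (dual) tree: a leaf is true when the component HAS failed."""
    return evaluate(fault_tree, failed, leaf_true_when_failed=True)


def duality_holds(success_tree, failed):
    """De Morgan check: the dual fails exactly when the success tree does not succeed."""
    return system_fails(dual(success_tree), failed) == (not system_succeeds(success_tree, failed))


def components(tree):
    if isinstance(tree, str):
        return {tree}
    return set().union(*(components(c) for c in tree[1]))


def cut_sets(success_tree, max_order=2):
    """Minimal cut sets of order <= max_order, evaluated on the dual (fault) tree.

    A candidate is skipped when a smaller cut set already found is a subset of
    it, so for order 2 neither member may itself be a singleton.
    """
    fault_tree = dual(success_tree)
    comps = sorted(components(success_tree))
    found = []
    for order in range(1, max_order + 1):
        for combo in combinations(comps, order):
            failed = set(combo)
            if any(set(smaller) <= failed for smaller in found):
                continue
            if system_fails(fault_tree, failed):
                found.append(combo)
    return found


if __name__ == "__main__":
    for cut in cut_sets(SUCCESS):
        print("cut set:", ", ".join(cut))
```

On this reduced model the singletons are RCS, RWST and V1810, matching the report's finding for the full model, and the doubletons are the two headers together and the two actuation channels together; the doubletons involving the boron injection path and the DC supplies in Table 7 do not appear because that part of the plant is not represented in the constructed tree.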


4.0 Conclusions

Lawrence Livermore National Laboratory (LLNL) has been working to develop an interconnected systems interaction audit procedure subject to the following NRC constraints:

1. Boolean logic is excluded from the modeling effort (but may be used for computer code processing).
2. A "map" of the plant at the subsystem, or train, level of detail is to be constructed.
3. Heuristic measures, specified by the NRC, called "connectivity" (degree of a node) and "levels of dependency" (paths between any node and all others) are to be used to draw statistical correlation between the "map" and the potential for systems interaction in the systems involved.

The motivations for this effort were the possible advantages to be found from (1) simpler analyst knowledge and training required, and (2) simpler and less costly effort involved in auditing utility submittals.

In this preliminary systems interaction investigation of the IP-3 safety injection system, and its component cooling, actuation and electrical connections, we found the specific IP-3 safety injection system design to be particularly difficult to represent in a model subject to the NRC constraints. It contained numerous common pipe-headers and common "passive" components within and between trains. In addition, the numerous plant modes and configurations under differing accident conditions compounded the modeling problems. We were unable to strictly adhere to the NRC constraints. In order to identify which components were necessary for successful operation of individual trains it was necessary to form detailed component level representations of the entire system. This violated constraint 2. In addition, we attempted to apply numerous constraints on the system model such as limiting it to a small LOCA during loss of offsite power for just the injection phase. This was done in an attempt to avoid explicit Boolean logic. Despite this, the component-level representation required some specific AND conditions in order to capture "dependency" information. This violated constraint 1. After a component-level logical representation of the safety injection and related systems was completed, however, we attempted to construct a safety injection system "map" (at the component level) and find its "connectivity" and "level of dependency" measures. The "map" became essentially our original component-level logical representation with the AND and OR logic conditions excluded. However, by excluding Boolean logic, the "connectivity" and "levels of dependency" measures suffer a significant reduction in their ability to provide statistical correlation with safety.

Therefore, for the systems considered in this study, we found the specified measures to be inadequate. We, therefore, failed constraint 3.

As a result, we found the "map" and NRC measures to be an unsuccessful approach based on the following criteria: (a) they required as much detailed study, training, effort and cost as a comparable risk assessment study, and (b) the evaluation measures were less informative than a comparable risk assessment result.

It should be noted, however, that the component-level logical representations we constructed (not very different from directed logic diagrams used in Digraph-Matrix Analysis (DMA) or, for that matter, from conventional fault trees) still contained the essential modeling information. From these representations, we were able to extract singleton and doubleton cut-sets for the safety injection system and support systems. These results directly address the systems interaction problem.

In conclusion, we make the following recommendations:

(a) further efforts to use constraints excluding Boolean logic from the modeling process and utilizing heuristic measures should be discontinued at Lawrence Livermore National Laboratory, and (b) the PASNY Indian Point-3 interconnected systems interaction study should be audited by an independent LLNL effort using Digraph-Matrix Analysis (or comparable risk assessment techniques) to find common mode failures.


REFERENCES

1. G. Boyd, et al., Sandia National Laboratories, "Final Report, Phase I, Systems Interaction Methodology Applications Program," U.S. Nuclear Regulatory Commission Report NUREG/CR-1321 (SAND80-0884), April 1980.
2. G.E. Cummings, "Operator/Instrument Interactions During the Three Mile Island Incident," IEEE Symp. Nucl. Power Sys., October 19, 1979.
3. G. Lanik, U.S. Nuclear Regulatory Commission, "Report on the Interim Equipment and Procedures at Browns Ferry to Detect Water in the Scram Discharge Volume," September 1980.
4. C. Michelson, AEOD, memoranda to H.R. Denton, NRR, "Potential for Unacceptable Interaction Between the Control Rod Drive System and Non-Essential Control Air System at the Browns Ferry Nuclear Plant," August 18, 1980.
5. S. Rubin and G. Lanik, U.S. Nuclear Regulatory Commission, "Report on the Browns Ferry 3 Partial Failure to Scram Event on June 28, 1980," July 30, 1980 (with Executive Summary).
6. U.S. Nuclear Regulatory Commission, "Transient Response of Babcock & Wilcox-Designed Reactors," U.S. Nuclear Regulatory Commission Report NUREG-0667, May 1980.
7. Nuclear Safety Analysis Center and Institute of Nuclear Power Operations, "Analysis and Evaluation of Crystal River Unit 3 Incident," Joint NSAC/INPO Report NSAC-3/INPO-1, March 1980.
8. P. Cybulskis et al., Battelle Memorial Institute, "Review of Systems Interaction Methodologies," U.S. Nuclear Regulatory Commission Report NUREG/CR-1896, January 1981.
9. A. Buslik, I. Papazoglou, and R. Bari, Brookhaven National Laboratory, "Review and Evaluation of Systems Interactions Methods," U.S. Nuclear Regulatory Commission Report NUREG/CR-1901, January 1981.
10. J.J. Lim, R.K. McCord, T.R. Rice, and J.E. Kelly, Lawrence Livermore National Laboratory, "Systems Interaction: State-of-the-Art Review and Methods Evaluation," U.S. Nuclear Regulatory Commission Report NUREG/CR-1859, January 1981.
11. U.S. Nuclear Regulatory Commission, "Interim Reliability Evaluation Program, Phase II, Procedure and Schedule Guide," Draft 2, September 9, 1980.
12. Pacific Gas & Electric Co., "Description of the Systems Interaction Program for Seismically-Induced Events, Diablo Canyon Units 1 and 2," U.S. Nuclear Regulatory Commission Report NUREG-0695, October 1980.
13. Power Authority of the State of New York, Systems Interaction Study, December 1981, Vol. I and II.
14. H.P. Alesso, "Review of PASNY Systems Interaction Study," Lawrence Livermore National Laboratory, UCID-19130, April 1982.
15. F.D. Coffman, "Initial Guidance for the Performance of Systems Interaction Reviews of Selected LWR's," U.S. Nuclear Regulatory Commission, October 1, 1981 (Draft).
16. D.M. Rasmuson, G.R. Burdick, and J.R. Wilson, "Common Cause Failure Analysis Techniques: A Review and Comparative Evaluation," EG&G Idaho, Inc., TREE-1349, Sept. 1979.
17. H.P. Alesso and H.J. Benson, "Fault Tree and Reliability Relationships for Analyzing Noncoherent Two-State Systems," Nuclear Engineering and Design, Vol. 56, pp. 309-320, 1980.
18. H.P. Alesso, I.J. Sacks, and C.F. Smith, "Initial Guidance on Digraph Matrix Analysis for Systems Interaction Studies at Selected LWR's," Lawrence Livermore National Laboratory, UCID 1945/, October 1982.
19. U.S. Nuclear Regulatory Commission, "Reactor Safety Study," WASH-1400 (NUREG-75/014), October 1975.
20. H.P. Alesso, "Some Fundamental Aspects of Fault Tree and Digraph-Matrix Relationships for a Systems Interaction Evaluation Procedure," UCID-19131, May 1982.
21. Power Authority of the State of New York, Final Safety Analysis Report, Indian Point-3, Rev. 0, 7/82, Docket No. 50-286.
22. Power Authority of the State of New York, Piping and Instrumentation Diagrams, 1982.
23. Power Authority of the State of New York, Indian Point Probabilistic Safety Study, 1982.