ML20086N245


Review of the DAVIS-BESSE Unit No. 1 Auxiliary Feedwater System Reliability Analysis
ML20086N245
Person / Time
Site: Davis Besse
Issue date: 02/29/1984
From: Papazoglou I, Youngblood R
BROOKHAVEN NATIONAL LABORATORY
To:
Office of Nuclear Reactor Regulation
References
BNL-NUREG-51722, NUREG-CR-3530, TAC-43516, NUDOCS 8402170430

NUREG/CR-3530
BNL-NUREG-51722

Review of the Davis-Besse Unit No. 1 Auxiliary Feedwater System Reliability Analysis

Prepared by R. Youngblood, I. A. Papazoglou
Brookhaven National Laboratory

U.S. Nuclear Regulatory Commission

NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

The views expressed in this report are not necessarily those of the U.S. Nuclear Regulatory Commission.

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555
2. The NRC/GPO Sales Program, U.S. Nuclear Regulatory Commission, Washington, DC 20555
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the NRC/GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

GPO Printed copy pnce: _$3 78i _._

NUREG/CR-3530
BNL-NUREG-51722

Review of the Davis-Besse Unit No. 1 Auxiliary Feedwater System Reliability Analysis

Manuscript Completed: October 1983
Date Published: February 1984

Prepared by R. Youngblood, I. A. Papazoglou
Brookhaven National Laboratory
Upton, NY 11973

Prepared for Division of Safety Technology, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555
NRC FIN A3393

ABSTRACT

The purposes of this report are to review the "Davis-Besse Unit No. 1 Auxiliary Feedwater System Reliability Analysis Final Report", and to provide an independent estimate of the Auxiliary Feedwater System reliability. This report presents estimates of the probability that the Auxiliary Feedwater System will not perform its mission for each of three different initiators: (1) loss of main feedwater with offsite power available, (2) loss of offsite power, (3) loss of all 4160 VAC power. The scope, methodology, and failure data are prescribed by NUREG-0611, Appendix III.

TABLE OF CONTENTS

ABSTRACT
LIST OF FIGURES
LIST OF TABLES
SUMMARY
1. INTRODUCTION
2. SCOPE
3. MISSION AND SUCCESS CRITERIA
4. SYSTEM DESCRIPTION
4.1 Pumps
4.2 Support Systems
4.3 Suction
4.4 Discharge Paths
4.5 Initiation and Control Logic
5. QUALITATIVE RELIABILITY ANALYSIS
5.1 Simplified Boolean Expression for AFWS Failure
5.2 Common Cause Failures
5.2.1 Dirt
5.2.2 Isolation Valves Closed
5.2.3 Strainers
5.2.4 Pressure Switch Failures
5.2.5 Loss of Steam Supply
5.2.6 Improper Alignment of Suction
6. QUANTITATIVE RELIABILITY ANALYSIS
6.1 Limitations of the Reliability Analysis
6.2 Approach of the TECo Study vs. Approach of the BNL Review
6.3 Assumptions
6.4 Dominant Failure Modes
6.5 Comments on Failure Probabilities Used in the BNL Review
7. RESULTS
7.1 Discussion
7.2 History
7.3 General Comments
7.4 Comparison with TECo Results
REFERENCES

LIST OF FIGURES

Figure 4.1a Davis-Besse Auxiliary Feedwater System
Figure 4.1b Steam Supply to AFW Pump Turbines

LIST OF TABLES

Table 6.1 Contributors to Q1 and Q2
Table 6.2 Contributors to Hardware and Maintenance Unavailability to Each Train for Each Initiator
Table 7.1 AFWS Unavailability

SUMMARY

Toledo Edison has submitted an analysis [1] of the reliability of the Auxiliary Feedwater System of Davis-Besse Unit 1. The present report reviews the submittal, and also presents an independent estimate of the failure probability of the Auxiliary Feedwater System. For different loss of main feedwater conditions, the failure probability per demand of the Auxiliary Feedwater System has been evaluated using methodology and data put forth in NUREG-0611 [2]. The results are as follows:

Initiator                             Probability of AFWS Failure
1. Loss of Main Feedwater (LMFW)      1.6 x 10^-3
2. Loss of Offsite Power (LOOP)       2.8 x 10^-3
3. Loss of all AC (LOAC)              3.4 x 10^-2

These results have been obtained under the assumption that there is no time for any recovery action; thus, the calculations do not include any credit for operator action to recover from malfunctions or maintenance errors. This is a consequence of the mission success requirement that steam generator dryout be avoided.

The results provided in the utility report do not lend themselves to comparison with the above figures, because they were calculated on a different basis.

1. INTRODUCTION

The purposes of this study are: 1) to review and evaluate a Reliability Analysis [1] of the Auxiliary Feedwater System (AFWS) of Davis-Besse Unit 1, prepared by EDS for Toledo Edison Company (TECo) and submitted to the Nuclear Regulatory Commission (NRC); and 2) to perform an independent reliability analysis of the AFWS using methodology and data put forth in NUREG-0611 [2].

After the accident at Three Mile Island, a study was performed of the Auxiliary Feedwater Systems (AFWS) of all then-operating plants. The results obtained for operating Westinghouse-designed plants were presented in NUREG-0611 [2]. At that time, the objective was to compare AFWS designs; accordingly, generic failure probabilities were used in the analysis, rather than plant-specific data. Some of these generic data were presented in NUREG-0611. The probability that the AFWS would fail to perform its mission on demand was estimated for three initiating events: LMFW, LOOP, and LOAC.

Since then, each applicant for an operating license has been required [3] to submit a reliability analysis of the plant's AFWS, carried out in a manner similar to that employed in the NUREG-0611 study. In addition, some operating plants have also submitted reliability analyses of upgraded AFW systems. Recently, a quantitative criterion for AFWS reliability has been defined by NRC [4] in the new Standard Review Plan (SRP):

"... An acceptable AFWS should have an unreliability in the range of 10^-4 to 10^-5 per demand based on an analysis using methods and data presented in NUREG-0611 and NUREG-0635. Compensating factors such as other methods of accomplishing the safety functions of the AFWS or other reliable methods for cooling the reactor core during abnormal conditions may be considered to justify a larger unavailability of the AFWS".

The objective of the present study is, therefore, to analyze the reliability of the DB-1 AFWS, using methodology and data presented in NUREG-0611, in order to facilitate and supplement the qualitative review of the system design.

The report is organized as follows: Section 2 presents the scope of the present study. Section 3 discusses the mission success criteria for the AFWS and highlights the important differences between the definition of AFWS success for B&W plants and Westinghouse plants. The latter were the subject of the analysis in NUREG-0611. Section 4 describes the basic configuration and characteristics of the AFWS. Section 5 discusses the qualitative aspects of the reliability of the system and presents the dominant contribution to the unavailability. Section 6 presents the quantitative analysis and compares the results and approaches used in the TECo report with those used in this study. Finally, Section 7 summarizes the results.

2. SCOPE

The scope of the reliability analysis of the AFWS is defined in Appendix III of NUREG-0611 [2]. The failure to supply water to make up for a loss of main feedwater is estimated for different conditions, namely,

1) Loss of Main Feedwater without Loss of Offsite Power (LMFW).
2) Loss of Main Feedwater associated with Loss of Offsite Power (LOOP).
3) Loss of Main Feedwater associated with Loss of Offsite and Onsite AC (LOAC).

Since the purpose of this analysis is to assess the important characteristics of the AFWS design configuration, detailed modeling of such support systems as electrical power (both AC and DC), service water, instrument air, etc., was not performed. Such an undertaking is beyond the stated scope of the BNL reviews. The goal is a rudimentary understanding of the properties of the design of the AFWS. To this end, standardized data are used wherever they are available. The emphasis is on the fluid system itself; thus, some support systems were essentially treated as modules (emergency AC is schematically represented by the diesel generators) or assumed to be available (e.g., DC power is assumed available), although in some cases where such a system is seen to introduce a common cause mechanism, this is pointed out.

The quantity calculated here is the unavailability of the AFW system due to fluid system failures, maintenance acts, human errors, and failure to initiate, with mission success defined below (Section 3). "Unavailability" means (as in NUREG-0611) "the probability per demand that the system will fail to perform its mission." The TECo report deals with other failure modes, e.g., spurious isolation of the steam generators, various ruptures, etc. These failures lie beyond the scope of NUREG-0611 and, therefore, are beyond the scope of this report.

3. MISSION AND SUCCESS CRITERIA

The TECo study employed a mission success criterion different from that contemplated in NUREG-0611. The TECo study considers mission success to be the maintenance of adequate core cooling and the prevention of fuel damage.

To meet this requirement, it is considered sufficient either (1) to provide flow from one AFW pump within 10 minutes, or (2) establish "feed-and-bleed" within 30 minutes in conjunction with feedwater flow from the startup pump, which is not adequate in itself to remove decay heat. "Feed-and-bleed" is cooling the primary by allowing primary coolant to escape through the PORV while replenishing it with a makeup pump. Ordinarily, when "feed-and-bleed" is discussed, the process being referred to is capable of cooling the core with no extra heat removal capacity from the secondary side. At DB-1, the only pumps capable of working at the required pressure have insufficient capacity to accomplish this; in the TECo report's scenario, some heat is being removed by feed-and-bleed, and some by the use of the startup pump.

NUREG-0611 would not consider circumstances warranting feed-and-bleed to be a success state of the AFWS, nor is a 10 minute interval necessarily an appropriate choice of actuation time for the AFWS in this plant. These points are articulated in the following excerpts from the appropriate NUREG documents.

Appendix III of NUREG-0611 states: "The time interval of interest for all the transient events considered is the unavailability of AFW systems during the period of time to boil the steam generators dry. Beyond this interval, primary coolant would be discharged via pressurizer relief and/or safety valves and thereby be lost from the primary coolant system. Without the satisfactory operation of primary coolant makeup systems (e.g., high pressure injection systems), the reactor core could be uncovered and eventually damaged. Further, as this boil-dry time is approached, the ability to drive the steam turbine-driven AFW pumps could be lost. If the AFW system design contains only steam turbine-driven pumps, or if the transient is such that only this AFW subsystem is available, and if the boil-dry time is approached, then the likelihood of initiating AFW system operation would be reduced significantly."

According to NUREG-0667 [5], "B&W-designed 177-FA plants show some unique levels of sensitivity in their response and recovery from anticipated transients involving overcooling and undercooling events as well as small-break loss of coolant accidents. The recovery from such events has often led to undesirable challenges to engineered safety features (ESF) systems. This sensitivity stems mainly from the small heat sink resulting from the operation of the once through steam generator (OTSG), which is an inherent design feature of the B&W reactor plants ... [page 2-1 of Ref. 5]

... B&W plants place a premium on the reliability with which the auxiliary feedwater starts are properly timed. The penalty for late starts is an increased likelihood of transient-induced LOCA". [p. 7-8]

It is clear that from the point of view expressed in the above excerpts, the startup pump/feed-and-bleed combination is not a success state of the AFWS. This mode of cooling could arguably be mentioned under "other methods of accomplishing the safety functions of the AFWS or other reliable methods for cooling the reactor core during abnormal conditions," which according to the SRP "may be considered to justify a larger unavailability of the AFWS." However, the scope of this report has been limited to consideration of the AFWS itself.

The 10 minute interval presumed available for system actuation is non-conservative. The boil-dry time of steam generators in B&W plants is often estimated at less than 10 minutes. As mentioned in the above excerpts, not only is the probability of transient-induced LOCA increased by delays in actuation, but the availability of steam to drive the turbines is called into question. Unavailability of steam would be particularly serious at Davis-Besse, whose AFWS depends entirely on steam to drive the turbines. For these reasons, AFW operation is judged to be successful only when flow from at least one pump to at least one steam generator is established more or less immediately. This corresponds to the FSAR criterion: "An auxiliary feedwater flowrate of 800 gpm is required within 40 seconds after a loss of all main feedwater to prevent rupturing the pressurizer quench tank rupture disk due to excessive pressurizer relief valve discharge and to achieve a smooth transition to natural circulation if the four reactor coolant pumps lose motive power."

While some problems with AFW systems could arguably be cured by operator action taking place on a half-hour time scale, it is unreasonable to expect instant diagnosis and correction of unexpected problems immediately after a transient. Thus, the criterion employed here (which is much more restrictive than "core damage") effectively rules out operator actions to recover previous errors or hardware problems, because the top event is considered to have occurred before such action is likely to be effective.

4. SYSTEM DESCRIPTION

4.1 Pumps

The AFWS has two pumps, both steam turbine-driven. Each is a horizontal centrifugal pump rated for 1050 gpm at 1050 psi head. The FSAR requirement for AFW flow is 800 gpm, so one pump is sufficient.

Pump speed is varied to accomplish steam generator level control. This is done by varying the speed setting on the governor.

4.2 Support Systems

Both pumps are self-cooled: they are independent of service water as regards cooling. Pump cooling failures are therefore considered here to have been included in the pump failure rate. It may be the case that maintenance errors can contribute to this type of failure, but information necessary to conclude this is not available.

Both pumps require minimum flow protection, which is provided by a normally open recirculation path.

Certain of the valves associated with AFP-1 are powered by DC: MOVs AF3870 and AF360 in the discharge path, and MOV MS106, a steam admission valve. The remaining valves in the system require AC. This means that AFP-2 depends on either emergency AC or local manual action to open its steam admission valves, and that neither crosstie (from AFP-1 to SG2 and vice versa) is operable without AC or local action. Automatic isolation of a depressurized steam generator also requires AC, as does control of flow from AFP-2 when SG2 pressure is low (when the pumps are feeding into low pressure, flow control is achieved with valves rather than by varying pump speed).

4.3 Suction

The two pumps take suction from a common header, which is normally supplied from the CST through a locked open manual valve, a check valve, another locked open manual valve, and a fine mesh strainer. The path to each pump contains a normally open MOV, a check valve, and a coarse mesh strainer.

Service water can be supplied to each pump suction at a point upstream of its coarse mesh strainer. Differential pressure across either pump's strainer is alarmed in the control room, as is low CST level.

Pressure switches on each pump's suction line are capable of detecting loss of suction. If these switches sense loss of suction, steam admission to the affected pump's turbine is inhibited while automatic switchover to service water takes place. When suction pressure is restored, steam is admitted. If it is necessary to use the Fire Protection System as a suction source, alignment must be done manually.

4.4 Discharge Paths

There is a flowpath from each pump to each steam generator. Valves in the flowpath from AFP-1 to SG-1 are normally open, as are the valves from AFP-2 to SG-2. Valves in the lines connecting AFP-1 to SG-2 and AFP-2 to SG-1 are normally closed. The valve blocking flow from AFP-1 to SG-2 opens only if low pressure is sensed in SG-1, and the valve blocking flow from AFP-2 to SG-1 opens only if low pressure is sensed in SG-2. Of the three MOVs which lie between each pump and its corresponding steam generator, two are normally locked open, while the third is normally aligned open and closes automatically to isolate a faulted steam generator.

Valves AF-360 and AF3870 in the flowpath from AFP-1 to SG-1 are powered by DC; other MOVs in the discharge paths are powered by AC.

4.5 Initiation and Control Logic

The AFWS is ostensibly controlled by the SFRCS. Formerly, the AFWS was controlled by the ICS, a non-safety-related control system which dealt with many plant functions. This was undesirable for a number of reasons (e.g., because the ICS was capable of causing events which it was subsequently responsible for controlling); as a result, means of AFWS initiation and control which are independent of the ICS were mandated. The SFRCS performs this function at Davis-Besse. However, ICS control of AFW flow is still mentioned as an option; there are switches which apparently can be set to select either ICS, "auto essential," or manual control. Item j of 9.2.7.3 of the FSAR indicates that a mechanical stop now prevents selection of the ICS option, but section 7.7.1.2.4 states that the ICS controls AFW flow. Section 7.4.1.3.1 states that the "essential level control" maintains SG level at 108 to 132 inches, but that the operator switches level control to ICS when it is available, so that the ICS can vary the setpoint over a "wider range of feedwater level requirements."

This seems to say that while means of initiating the AFWS independently of the ICS are available, they need not be selected. ICS unavailability in conjunction with its being selected for AFW control evidently corresponds to a failure state of the AFWS.

Presumably, the SG level selected by the SFRCS is not appropriate in all cases. In other B&W plants, SG level control depends (among other things) on whether the RC pumps are running. Above, it is stated that the ICS controls level "over a wider range of feedwater requirements." Thus, it is appropriate to note some of the consequences of not switching to ICS control. Overfilling of the SGs can lead to overcooling; at Crystal River 3, such an event once led to depressurization of a SG and its subsequent isolation, but this appears to have occurred at a level substantially higher than the SFRCS setpoint.

[Figure 4.1a: Davis-Besse Auxiliary Feedwater System]

[Figure 4.1b: Steam Supply to AFW Pump Turbines]

5. QUALITATIVE RELIABILITY ANALYSIS

5.1 Simplified Boolean Expression for AFWS Failure

Based on the above system description and top event definition, failures of the DB-1 AFWS are described by the following Boolean equation:

Failure of both trains = Q1*Q2 + CC + S,

where

Q1 = independent failures of AFP-1 to deliver rated flow to SG1,
Q2 = independent failures of AFP-2 to deliver rated flow to SG2,
CC = common cause multiple failures,
S = single point failures.

Below, the contributions to Q1 and Q2 will be tallied separately and ultimately multiplied to obtain a point estimate of system failure probability. Formally, there are events involving loss of suction which are not treated correctly by this. However, it is seen that most system failures involving loss of suction are at least triple failures, because each train switches suction automatically. Exceptions are failures involving the strainers ST201 and ST206, which are immediately upstream of each pump. These are discussed under "common cause." They contribute to system double failures.

A single point failure involving suction is also discussed in the section on common cause. The triple failures should contribute far less than the failures discussed here.

The failures discussed here are either double independent failures of the two trains, or common cause events. The crosstie flowpaths are not included in the analysis, because they are not ordinarily used in the transients discussed here; while they add to the system success paths, their contribution to system success for events not involving faulted steam generators is modest, given the restrictive top event definition used here and the conservative assumption regarding the ability of dry steam generators to drive the pump turbines.

5.2 Common Cause Failures

The DB-1 AFWS lacks diversity: its two trains are nearly identical. The DB-1 AFWS is therefore expected to be particularly vulnerable to common cause failures. Quantification of these is especially problematic in the present context. Phenomenological methods (beta-factor methods) have previously been avoided in this series of AFWS studies; in diverse systems, of course, less may be lost by such an approach. DB-1, however, may be a case in which the dominant system failures are outside the scope of the review, if the scope is construed too narrowly. Here, an effort is made to identify some potential common-cause failures of the DB-1 AFWS and to highlight those which arise because of lack of diversity.

5.2.1 Dirt

In January of 1979, steam admission valves MS106 and MS106A, which open to admit steam to AFPT-1, failed to operate because dirt had collected on the valve stems. The dirt was attributed to nearby construction activity. The two affected valves were for the same pump; the other train was not affected.

Evidently, however, it could have been. The significance of the event for the present discussion is that (1) the event occurred at Davis-Besse, and (2) diverse trains are less likely to be susceptible to such environmental assaults.

5.2.2 Isolation Valves Closed

The abstract of the following LER is quoted in its entirety.

(TITLE) SFRCS DIFFERENTIAL PRESSURE SWITCHES ISOLATED AT DAVIS BESSE 1 (ABSTRACT) DATE OF EVENT - 111777. POWER LEVEL - 41%. CAUSE - PROCEDURAL ERROR. OPERATIONS PERSONNEL DISCOVERED THAT AUXILIARY FEEDWATER VALVES AF99 AND AF608 WERE CLOSED, THUS RENDERING THE STEAM AND FEEDWATER RUPTURE CONTROL SYSTEM (SFRCS) STEAM GENERATOR TO FEEDWATER DIFFERENTIAL PRESSURE SWITCH INPUTS INOPERABLE. THE VALVES WERE OPENED. A PROCEDURAL DEFICIENCY WAS FOUND IN THE SFRCS MONTHLY TEST WHICH FAILED TO RESET THE VALVE LOGIC FOR THESE VALVES. THE TEST WAS LAST PERFORMED ON NOV. 14. THE PROCEDURE HAS BEEN REVISED.

It is presumed that "AF99" is a misprint, and that "AF599" is intended, there being no AF99 in the system, and AF599 being clearly equivalent to AF608. Refer to Figure 2.1. These valves isolate the SGs from auxiliary feedwater flow. Therefore, this event is one of which the TMI event is somewhat reminiscent (this event occurred first). These valves are under SFRCS control, but it is the sense of the above LER that they would not reopen automatically, because the "valve logic" had not been reset. Here, an error in the written procedures was blamed; but given such multiple testing, NUREG-0611 would assign 1 x 10^-4 for leaving more than one valve mispositioned. Under the assumptions employed here (boil-dry time too short for effective remedial operator action, as at TMI-2), this leads immediately to the top event. The question is whether the "SFRCS monthly test" survives in its original form, or has been modified to reduce coupling between the two trains. Here, 10^-4 is assigned to this failure mode. The TECo fault tree has events corresponding to possibly inappropriate operator closure of each of these valves, but coupling was not modelled, and it is not clear from the tree how the SFRCS would deal with this.
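The Boolean expression of Section 5.1 evaluated as a point estimate, with the 10^-4 common cause value assigned above, as an added example that is not part of the report. The per-train contributor names and values are constructed placeholders (not the report's Table 6.1 data), and treating "within the SRP range" as "no larger than 10^-4" is an assumption of this sketch; it shows how the CC term sets a floor that improving two identical trains cannot remove.

```python
# Added example (not from the report). Per-train contributor values are
# constructed placeholders, NOT the report's Table 6.1 data.
from dataclasses import dataclass

SRP_UPPER = 1e-4            # upper end of the SRP range quoted in the Introduction
CC_ISOLATION_VALVES = 1e-4  # value the report assigns in Section 5.2.2


def rare_event_sum(contributors):
    """Sum per-demand probabilities (rare-event approximation), capped at 1."""
    for name, p in contributors.items():
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name}: probability {p} outside [0, 1]")
    return min(1.0, sum(contributors.values()))


@dataclass(frozen=True)
class Estimate:
    q1: float            # independent unavailability of train 1
    q2: float            # independent unavailability of train 2
    common_cause: float  # CC term
    single_point: float  # S term

    @property
    def independent(self):
        # Q1*Q2: both trains fail independently on the same demand.
        return self.q1 * self.q2

    @property
    def total(self):
        # Failure of both trains = Q1*Q2 + CC + S (rare-event approximation).
        return min(1.0, self.independent + self.common_cause + self.single_point)

    def dominant_term(self):
        terms = {"Q1*Q2": self.independent,
                 "CC": self.common_cause,
                 "S": self.single_point}
        return max(terms, key=terms.get)

    def within_srp(self):
        # Assumption of this sketch: "acceptable" means total <= 10^-4.
        return self.total <= SRP_UPPER


def evaluate(train1, train2, common_cause, single_point=None):
    return Estimate(rare_event_sum(train1), rare_event_sum(train2),
                    rare_event_sum(common_cause),
                    rare_event_sum(single_point or {}))


def scale(contributors, factor):
    """Model a uniform improvement (factor < 1) of every contributor."""
    return {name: p * factor for name, p in contributors.items()}


# Constructed contributors for one train; both trains are taken as identical,
# mirroring the lack of diversity discussed in Section 5.2.
TRAIN = {
    "turbine-driven pump fails to start": 5e-3,
    "steam admission valve fails to open": 7e-3,
    "train out for maintenance": 6e-3,
    "discharge valve mispositioned": 2e-3,
}
COMMON_CAUSE = {"both isolation valves left closed after test": CC_ISOLATION_VALVES}


def baseline():
    return evaluate(TRAIN, TRAIN, COMMON_CAUSE)


def improved_trains():
    # Every independent contributor made ten times better; CC untouched.
    better = scale(TRAIN, 0.1)
    return evaluate(better, better, COMMON_CAUSE)


def improved_without_cc():
    # Same improvement, with the test procedure decoupled so CC drops out.
    better = scale(TRAIN, 0.1)
    return evaluate(better, better, {})


if __name__ == "__main__":
    for label, est in [("baseline", baseline()),
                       ("trains improved 10x", improved_trains()),
                       ("improved, CC removed", improved_without_cc())]:
        print(f"{label:22s} total={est.total:.2e} "
              f"dominant={est.dominant_term()} within_srp={est.within_srp()}")
```
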

5.2.3 Strainers

Strainers are a notorious common cause failure mechanism. At Davis-Besse, a fine-mesh strainer can block flow from the CST to both pumps, but this should be recovered by automatic switchover. The coarse mesh strainers, however, are immediately upstream of the pumps, so that no source can provide water if the coarse mesh strainers are clogged.

Differential pressure across strainers is annunciated in the control room, so that gradual buildup of foreign matter can be detected and rectified, but some strainer events have involved a sudden buildup of extraneous matter; the plugging can therefore occur more or less coincidentally with the demand.

One would expect that the fine mesh strainer would clog first; this being recoverable by automatic switchover, the system should then succeed unless service water clogs both of the coarse mesh strainers. Strainer blockage has not been quantified here, because it is not possible to do this meaningfully without more information. It should be done, however, because this event may contribute to system unavailability at the same level as events which relate to lack of redundancy and diversity.

5.2.4 Pressure Switch Failures

There has been a common cause failure of pressure switches at Davis-Besse (05-21-79). A total of six switches were involved; some had effectively drifted, some were inoperable. A failure which caused the suction pressure switches to indicate high pressure would prevent automatic switchover in the event of a loss of suction. A failure which caused the switches to indicate low would inhibit steam admission to the turbines; thus, a failure of this type would fail the AFWS, although operator action could conceivably recover AFW flow if steam were still available by the time such action was effective.

If the AFWS is inoperable for this latter reason, that fact should be discovered in testing; presumably, the failure mode that prevents automatic switchover would not necessarily be discovered in testing.

At some plants, low suction pressure is alarmed. At DB-1, automatic switchover should occur on low suction pressure, but it appears from the FSAR that low suction pressure as such is not alarmed (although high differential pressure across a suction strainer is). Thus, in the failure mode contemplated here, low pressure is sensed, and spurious suction switchover occurs, but this does not relieve the spurious low pressure indication, so the pumps are inhibited.

This failure is not related to lack of diversity. At some plants, loss of suction does not stop the pumps. At such plants, temporary loss of suction can cause pump damage, from which there is presumably no immediate recovery.

At DB-1, if spurious inhibition of steam admission occurs, the pumps are not damaged, but recovery from this is nevertheless dubious, because the steam supply may have evaporated before recovery is implemented. This is based on the possibly conservative assumption that dry SGs cannot drive the turbines.

This event is not quantified here, because it is suspected that although other plants are vulnerable to this, it has elsewhere been considered beyond the scope of a NUREG-0611 analysis.

5.2.5 Loss of Steam Supply

One common cause system failure is loss of steam to both turbines because of SG depressurization.

The TECo study uses 5x10-3 per demand as the probability of a relief valve's failing to close. It is assumed that two out of the six relief valves must fail in order to reduce the pressure of one SG, or that one relief valve together with the atmospheric dump valve can reduce the pressure of the SG.

This amounts to some 21 double hardware failure possibilities, having a probability of 2.5x10-5 each. If we factor in the operator's interaction with the dump valve (as is done in the TECo tree), there are six more possibilities, amounting to a total of 3x10-2 x Prob(operator causing depressurization).

Assuming no hardware coupling between valves, but assuming complete coupling between operator action on the two SGs, we obtain 9x10-4 x Prob(operator causing depressurization) as the probability of depressurizing both SGs by a combination of operator action and relief valve failure. Since the details of operator involvement with the pressure control are unavailable, the result will be bounded here. Values of human error probabilities are tabulated in the TECo report. A general error of commission is given (p. 61) as 10-1 for high stress and 10-2 for moderate stress. This suggests that the probability of loss of steam supply by this mechanism lies between 9x10-6 and 9x10-5, which is to say that this failure lies somewhere between "fairly significant" and "crucial." Here, the geometric mean 3x10-5 is assigned.

To reiterate: this is important at Davis-Besse because both pumps rely on steam. It may be possible to argue that steam can be recovered by supplying water to the SGs with the startup pump. For analyses going beyond dryout, this possibility deserves scrutiny. However, if the conditions leading to loss of steam have not been corrected, this is academic.

For comparison, note that a B&W study (7) of Crystal River Unit #3 assigned a probability of 3.4x10[exponent illegible] for loss of steam to the STD pump due to depressurization of both SGs. The value was arrived at by assigning 1.84x10-4 as the probability of "any of 4 code safety valves fails to reseat." This is a similar value per valve to that assigned in the TECo report, but note that B&W assumed that one valve failure was sufficient to depressurize the SG, while TECo requires two failures per SG. The values estimated above for DB-1, while not small, do not seem conservative compared to this. Because of CR-3's diversity, this event is not much of a contributor to system unavailability at CR-3, even at this high value.

5.2.6 Improper Alignment of Suction

The abstract of the following LER is quoted in its entirety.

(Title) IMPROPER COOLING WATER SUPPLY AUXILIARY FEED PUMPS AT DAVIS-BESSE 1

(ABSTRACT) DATE OF EVENT - 102077. POWER LEVEL - 6%. CAUSE - OPERATOR ERROR. IT WAS DISCOVERED THAT BOTH AUXILIARY FEED PUMP SUCTIONS WERE LINED UP TO THE DEAERATOR STORAGE TANKS WITHOUT THE COOLING WATER SUPPLY BEING SHIFTED TO SERVICE WATER. THIS LINEUP PROVIDED GREATER THAN 200 F WATER AS COOLING WATER FOR THE AFP TURBINE BEARINGS. AN OPERATOR IMPROPERLY LINED UP THE STARTUP FEED PUMP WITH SUCTION THROUGH FW85 INSTEAD OF FW32. VALVE FW85 WAS CLOSED AND LOCKED. PROCEDURES WERE MODIFIED TO ADD FW85 AS LOCKED CLOSED TO THE VALVE VERIFICATION LIST.

Evidently, if FW85 is inadvertently open the system is failed. The TECo report (p. 60) would apparently assign 5x10-4 to this (credit taken for administrative procedure for locking in position). Unless some recent system modification changes the reasoning of this, FW85 still appears to be a single failure point; in Fig. 10.4-12 of the current FSAR, opening FW85 still aligns both pumps to the deaerator storage tanks. Here, 5x10-4 is assigned as per TECo. This is arguably generous, because NUREG-0611 gives no credit for locking; on the other hand, it is not clear when the valve is ever manipulated.


6. QUANTITATIVE RELIABILITY ANALYSIS

6.1 Limitations of the Reliability Analysis

The significance of the point estimates obtained in this review is best illuminated by the following quotation from NUREG-0611 (page 111-19):

"The data was applied to the various identified faults in the fault logic structure and a point value estimate was determined for the top fault event (i.e., AFW System unavailability). Such an approach is considered adequate to gain those engineering and reliability based insights sought for this AFW System reassessment. As noted, no attempt was made to introduce the somewhat time consuming, calculational elegance, associated with the process of error propagation into this assessment (e.g., Monte Carlo). Prior experience with such a calculational process has revealed a somewhat predictable outcome that, even with the very redundant system, could be slightly higher than the point value solution (e.g., factor of approximately three times higher than the point value and usually less). Should there exist a clearly overwhelming fault in a systems design, then the process of error propagation would be expected to be merely one of higher elegance and it would yield no important change to the quantitative solution".

It should be appreciated that not only is the median higher than the point estimate, but there is (by definition) a 50% chance that the actual unavailability is greater than the median.

Clear cut dependencies or commonalities have been sought in the analysis, but parametric modeling of common cause failures (e.g., beta factor treatments) has been considered to be beyond the scope of this report.

6.2 Approach of the TECo Study vs. Approach of the BNL Review

Although the fault trees are given in the study, and although a good overview of the data base used therein was given, a detailed comparison of BNL and TECo numbers will not be given here. The BNL analysis is substantially more conservative than that performed in the TECo report, because the relevant NUREG documents mandate a choice of top event which is substantially more conservative than that employed in the TECo report.

One factor in the definition of the top event is the feasibility of driving the steam turbines with dry steam generators. The TECo report seems to take credit for this in allowing startup to be delayed for 10 minutes.

While the "dryout" numbers calculated here would not change if the feasibility of this were decided, the real impact of the numbers calculated here may depend a great deal on the answer to this.

6.3 Assumptions

Top Event Definition: The top event in this report is "failure to deliver flow from at least one pump to at least one SG without delay." Certain "running" failures are also included, e.g. loss of steam, and others are mentioned (plugging of strainers could fail the AFWS either on demand or while running).

Valve Maintenance: NUREG-0611 indicates that valve maintenance should be assessed. In some studies, this has been done (notably the RSSMAP study (8) of Oconee). WASH-1400 indicates (Page 111-40) that maintenance on valves should be assessed, but the only important contributor showing up in Table II 5-9 of WASH-1400 is maintenance on the steam admission valve. WASH-1400 acknowledges that maintenance is performed on the MOVs in the AFWS, but in that system the multiplicity of flow paths is such that these contributions to system unavailability are negligible. The policy adopted here has been to assess maintenance in those MOVs which can be worked on without violating technical specifications or considerations of personnel safety. This reduces to consideration of the two control MOVs in each path (AF360 and AF3870 in the path from AFP-1 to SG1, etc.). Other valves are either not isolable at power, or require the disruption of more than one train. The stop valves are considered included in pump maintenance.

Flow Path Redundancy: Normally, one pump feeds one SG. The additional flowpaths connecting AFP-1 to SG-2 and vice versa are normally closed; the path from AFP-1 to SG-2 opens only when SG1 is depressurized. For simple transients not involving faulted SGs, then, the additional flow paths do not enter the analysis, at least not on the top event definition given above.

The standby character of these flowpaths may be related to the strategy of controlling SG level by pump speed, a task which is conceptually straightforward only when the pump is feeding only one SG.

Fault Duration of Maintenance Errors: Although a train may be left disabled after maintenance with a certain probability (valve left closed, steam admission left disabled, etc.), credit could arguably be given in many cases for recovery of these faults at the next monthly test. Since it is assumed here that pump maintenance occurs every 4.5 months, this would reduce the demand unavailability by a factor of 1/4.5. The argument becomes complicated, however, if maintenance of other components is factored in: e.g., pump maintenance might occasion a given error in January, May, etc., while maintenance on an associated downstream valve might occasion the same error in February, June, etc. In other words, uncorrelated maintenance acts on different components tend to wash out the recovery probability. Full credit for an operability test following each maintenance act would have a substantial impact on the results.

Testing: The TECo report states that in the Analysis-Based Configuration, the "test-line" is no longer used for pump testing; rather, the recirculation line is monitored. Therefore, according to the report, the pumps are available even when being tested. (The content of this is that flow is not diverted down the test line.) However, it would appear that a downstream MOV is closed for pump testing, because otherwise, one SG receives cold water.

Thus, recovery from testing is not automatic. Indeed, this is one rationale for assessing misalignment on the affected MOVs. It is implicit in the TECo tree that these valves are not automatically commanded open. Therefore, test unavailability is assessed here because the top event definition does not allow the operator time to deduce that he needs to interrupt the pump test.

Even in this analysis, however, the new test policy improves reliability, because the error "test line inadvertently left open" is not assessed. It is not known whether the temporary monitoring device mentioned in the report can in any way incapacitate the pump.

Recirculation Flow: The TECo tree says that lack of minimum flow protection categorically fails the system, even though the normal discharge path is expected to be open. The reason for this is not clear. In some plants, the discharge paths are normally closed, and open only when a rather low SG level is reached; under those conditions, minimum flow protection may well be crucial. Here, a) SFRCS level control is not set to such a low level, and b) level control is accomplished by pump speed. These factors combine to suggest that assessing 5x10-3 for lack of recirculation may be too conservative.

6.4 Dominant Failure Modes

No single failure points were identified.

The common cause contribution is discussed separately in Sec. 5.2, "Common Cause Failures." The important double failures are contributions to Q1 multiplying contributions to Q2, where Q1 and Q2 are defined in Sec. 5.2.

Contributions to Q1 and Q2 are given in Table 6.1. Maintenance is tallied separately from other contributions, so that when system unreliability is calculated, double maintenance contributions can be avoided.

6.5 Comments on Failure Probabilities Used in the BNL Review

The numbers used here have been derived from NUREG-0611, Appendix III, wherever practicable.

Maintenance and Test Unavailability: NUREG-0611 effectively prescribes these numbers for pumps and valves. They have been assessed here wherever they can be assessed consistently with reasonable operating practice. An effort has been made to account for components whose state is altered by maintenance acts on other components (e.g., valve closures or disablings performed to isolate the affected component).

Human Error Possibilities: NUREG-0611 gives substantial credit for valve position indication in the control room, which DB-1 has for many of the valves in the EFWS.

Failure to restore operability of steam to the turbine (after pump maintenance) has been assumed to be included in the valve alignment errors tabulated in Q1H. Detailed knowledge of maintenance procedures would be necessary before a more refined estimate could be made.

Recovery Factors: The top event used in this study does not permit recovery, because it is assumed that boil-dry occurs before operator remedial action has time to become effective. A less stringent top event definition might allow recovery factors, but before credit is taken for them, it should be clarified whether dry steam generators can drive the turbines.

Actuation Logic: NUREG-0611 prescribes 7x10-3 per channel for actuation logic failure probability. One should ask whether the assessment of 7x10-3 per channel is reasonable. In Westinghouse plants, this value tends not to overwhelm the system unavailability, because NUREG-0611 prescribes substantial credit for operator actuation within the "available" time. Here, no credit is being given for operator actions within the first few minutes, so that the conclusions are correspondingly sensitive to this parameter. For example, system failure by failure of both actuation channels without operator backup is (7x10-3)^2 = 4.9x10-5, which virtually exhausts the unavailability contemplated by the new SRP for auxiliary feedwater systems. B&W plants arguably need, and probably have, actuation systems which are more reliable than this.

While a more complete analysis might substantiate a lower actuation failure probability, this would be partially offset by the inclusion of failures of automatic control, which have not been addressed here.

7. RESULTS

7.1 Discussion

The results are presented in Table 7.1.

Because many of the valves in the DB-1 AFWS are normally open, contributions to system unavailability from the discharge paths are relatively minor, apart from maintenance, whose value NUREG-0611 prescribes. Control failure (e.g., spurious isolation of the SGs) may contribute in reality, but is beyond the scope of NUREG-0611. Pump failure does not have a high probability in NUREG-0611. This leaves steam admission as a leading contributor. Maintenance errors disabling steam admission are likely contributors, given LMFW. The normally closed steam admission valves have significant redundancy when AC is available, but when AC is lost, AFP-2 cannot be started except possibly by local manual action, and AFP-1 then relies on a single steam admission valve. The calculation performed here gives no credit for local manual action; on this assumption, DB-1's reliability given LOOP is no better than if it had one EMD and one STD pump.

In a full PRA, a great deal of effort would be spent on quantifying common cause failures, to which the DB-1 AFWS is presumptively vulnerable by virtue of its lack of diversity. An attempt has been made here to discuss this point without seriously overstepping the bounds set for these analyses, whose methodology and scope are geared to analysis of independent failures.

But apart from qualitative comments, the impact of common cause on this assessment was limited to the relatively uncertain 3x10-5 contribution due to loss of steam, the 5x10-4 contribution from alignment to the deaerator storage tanks, and the 10-4 contribution from the inadvertent closure of the isolation valves to the SGs; and of these contributions, only loss of steam has anything to do with lack of diversity. A more substantial effort than that allocated to this review (and considerably more information) would be required before reliable conclusions could be drawn concerning the relative importance of common cause and independent failures.

7.2 History

It is interesting to see how certain previous DB-1 events correspond to this analysis.

1. A well known precursor to TMI occurred at DB-1 on September 24, 1977. This was initiated by a spurious half-trip of the SFRCS. One consequence was sticking open of the PORV. Another consequence was boil-dry of one steam generator as a result of AFW pump speed failure.

2. On December 11, 1977, control of both AFW pumps was lost. This was due to mechanical binding in the case of one pump, and blown fuses (loss of a MCC) in the case of the other.

3. On January 12, 1979, an essential bus was lost. This led to a challenge of the AFWS. Delivery of water to one of the SGs was momentarily delayed because one AFW pump was under test at the time.

Some of the above occurrences are properly reflected in this analysis, and some are not. Loss of a MCC is not. The spurious SFRCS trip does not count towards AFWS failure, but loss of speed control of one pump counts, and is qualitatively represented by the inclusion of pump failure. Challenge of a pump which is under test is also included.

The "suction event" described in Sec. 5.2 did not correspond to an actual system challenge, as far as is known. A point that deserves mention here is that the valve concerned is not really part of the AFWS; the operator was working on the startup pump at the time. Working only from information supplied about the AFWS, no analyst can predict such an event.

7.3 General Comments

1. If FW85 is indeed a single failure point, this failure mode is worth eliminating.

2. A qualitatively diverse third train could markedly improve system reliability, by virtue of added redundancy and by virtue of reduced vulnerability to common cause failures, not all of which have been quantified here. However, the benefits of this (measured in terms of fractional change in unavailability) may be limited if suction alignment errors and strainer clogging can still occur.

3. The importance of the suction strainers should be clarified in light of certain LER events in which strainers have failed AFW systems. It may be that the benefit of strainers is outweighed by their tendency to clog simultaneously.

4. Reliability for the LOOP transient would improve substantially if all dependences on AC were eliminated (e.g., the steam admission valves).

7.4 Comparison with TECo Results

As mentioned in Section 3 of this report, the TECo report differed substantially from the NUREG-0611 prescription, in its basic assumptions and in its scope. Additionally, failure probabilities other than those of NUREG-0611 were assigned to basic events. Results were presented only for the top event defined in the report; cut sets, as such, were not given. Under these circumstances, no meaningful comparison can be made between the BNL results and the TECo results.

REFERENCES

1. "Davis-Besse Unit No. 1 Auxiliary Feedwater System Reliability Analysis Final Report," prepared by EDS Nuclear Inc. for Toledo Edison Company, submitted by Toledo Edison to NRC in December of 1981.

2. "Generic Evaluation of Feedwater Transient and Small Break Loss-of-Coolant Accidents in Westinghouse-Designed Operating Plants", NUREG-0611, U. S. Nuclear Regulatory Commission (January 1980).

3. Letter from D. F. Ross, Jr. (NRC) to "All Pending Operating License Applicants of Nuclear Steam Supply Systems Designed by Westinghouse and Combustion Engineering," dated March 10, 1980.

4. USNRC Standard Review Plan, Sec. 10.4.9 (NUREG-0800), Revised July 1981.

5. "Transient Response of Babcock & Wilcox-Designed Reactors", NUREG-0667, U. S. Nuclear Regulatory Commission (May 1980).

6. Final Safety Analysis Report, Davis-Besse Unit 1, Revised July 1982.

7. "Emergency Feedwater System Upgrade Reliability Analysis for the Crystal River Nuclear Generating Station Unit No. 3," prepared by B&W Plant Performance Engineering, submitted to NRC by Florida Power Corporation in June 1981.

8. "Reactor Safety Study Methodology Applications Program: Oconee #3 PWR Power Plant", NUREG/CR-1659, U. S. Nuclear Regulatory Commission (January 1981, Rev. May 1981).

9. "Reactor Safety Study, An Assessment of Accident Risks in U. S. Commercial Nuclear Power Plants, WASH-1400", NUREG-75/014, U. S. Nuclear Regulatory Commission (October 1975).

TABLE 6.1 CONTRIBUTORS TO Q1 AND Q2

Q1H: Hardware and Human Error Contributions to Q1
Q2H: Hardware and Human Error Contributions to Q2
Q1M: Maintenance and Test Contributions to Q1
Q2M: Maintenance and Test Contributions to Q2
MOV = Motor Operated Valve
CV = Check Valve
MV = Manual Valve
TDP = Turbine Driven Pump

Q1H(LMFW)

VALUE      DESCRIPTION OF EVENT
5x10-4     MOV AF608 aligned closed
1x10-4     MOV AF608 blocked
1x10-4     CV AF3s blocked
1x10-4     CV AF72 blocked
5x10-4     MOV AF3870 aligned closed
1x10-4     MOV AF3870 blocked
5x10-4     MOV AF360 aligned closed
1x10-4     MOV AF360 blocked
1x10-4     CV AF19 blocked
1x10-3     TDP AFP-1 fails to start
2.4x10-4   TDP AFP-1 fails to run (8 hrs x 3x10-5/hr)
5x10-3     MOV MS730 aligned closed (Maintenance error)
5x10-3     MOV Stop valve ICS38B initially overthrottled
7x10-3     Actuation logic, including independent pressure switch failures, spurious isolation, etc.
1x10-4     MV MS730 blockage
1x10-4     MV MSV.1 blockage
1x10-4     ICV ICS38B blockage

= 2.06x10-2 = Q1H(LMFW)

Q2H(LMFW)

CONTRIBUTORS TO Q2H(LMFW) ARE COMPLETELY ANALOGOUS TO THOSE OF Q1H(LMFW) WITHIN THE ASSUMPTIONS USED IN THIS ANALYSIS

Q2H(LMFW) = Q1H(LMFW) = 2.06x10-2

Q1M(LMFW)

VALUE      DESCRIPTION OF EVENT
5.8x10-3   TDP Pump Maintenance
2.1x10-3   MOV AF360 Maintenance
2.1x10-3   MOV AF3870 Maintenance
2.1x10-3   MOV AF3869 Maintenance
3x10-4     Pump Test

= 1.2x10-2 = Q1M(LMFW)

Q2M(LMFW)

CONTRIBUTIONS TO Q2M(LMFW) ARE COMPLETELY ANALOGOUS TO THOSE OF Q1M(LMFW) WITHIN THE ASSUMPTIONS EMPLOYED IN THIS ANALYSIS

Q2M(LMFW) = Q1M(LMFW) = 1.2x10-2

ADDITIONAL CONTRIBUTORS TO Q1H GIVEN LOOP:

VALUE      DESCRIPTION OF EVENT
1x10-4     Failure of steam admission: 3x10-3 (failure of MS106) x 3.9x10-2 (failure of MS106A or unavailability of Diesel Generator 1)

= 2.07x10-2 = Q1H(LOOP)

ADDITIONAL CONTRIBUTORS TO Q2H GIVEN LOOP:

VALUE      DESCRIPTION OF EVENT
3.6x10-2   Unavailability of Diesel Generator 2 (No Steam Admission)

= 5.7x10-2 = Q2H(LOOP)

ADDITIONAL CONTRIBUTORS TO Q1M GIVEN LOOP:

NONE

ADDITIONAL CONTRIBUTORS TO Q2M GIVEN LOOP:

NONE

ADDITIONAL CONTRIBUTIONS TO Q1H GIVEN LOAC:

VALUE      DESCRIPTION OF EVENT
3x10-3     Failure of steam admission now becomes failure of DC operated MOV MS106 to open

= 2.4x10-2 = Q1H(LOAC)

ADDITIONAL CONTRIBUTORS TO Q2H GIVEN LOAC:

THIS TRAIN IS UNAVAILABLE GIVEN LOAC ON THE ASSUMPTIONS USED IN THIS ANALYSIS. STEAM ADMISSION REQUIRES AC.

Q2H(LOAC) = 1.

ADDITIONAL CONTRIBUTIONS TO Q1M GIVEN LOAC:

NONE

ADDITIONAL CONTRIBUTIONS TO Q2M GIVEN LOAC:

NONE

TABLE 6.2 CONTRIBUTIONS TO HARDWARE AND MAINTENANCE UNAVAILABILITY TO EACH TRAIN FOR EACH INITIATOR

         Q1H        Q1M        Q2H        Q2M
LMFW     2.1x10-2   1.2x10-2   2.1x10-2   1.2x10-2
LOOP     2.1x10-2   1.2x10-2   5.7x10-2   1.2x10-2
LOAC     2.4x10-2   1.2x10-2   1          [illegible]

TABLE 7.1 AFWS UNAVAILABILITY

Unavailability = Q1H*Q2H + Q1H*Q2M + Q1M*Q2H + CC + S

where
S   = 5x10-4 alignment of pumps to improper source (Sec. 5.2),
CC  = 1.3x10-4 (10-4 isolation of AF599 and AF608, 3x10-5 loss of steam),
Q1H = Hardware and Human Error failures of train 1,
Q2H = Hardware and Human Error failures of train 2,
Q1M = Maintenance and Test Unavailability of train 1,
Q2M = Maintenance and Test Unavailability of train 2.

         AFWS Unavailability
LMFW     1.6x10-3
LOOP     2.8x10-3
LOAC     3.4x10-2
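The following is an added worked example, not part of the BNL report: it sums the Table 6.1 contributors (rare-event approximation) to recover the Table 6.2 train values, then applies the Table 7.1 formula for the LMFW and LOOP initiators and shows how much of the result comes from each term. Function and variable names are illustrative; LOAC is left out because the LOAC row of Table 6.2 is not fully legible on this page.

```python
"""Rebuild Table 6.2 and the LMFW/LOOP rows of Table 7.1 from Table 6.1.
Added illustration: names are not from the report, values are."""

# Table 6.1, Q1H(LMFW): hardware and human-error contributors to train 1.
# Some valve IDs are not fully legible on the page, so those entries are
# described by component type only; their tabulated values are legible.
Q1H_LMFW_EVENTS = [
    ("MOV AF608 aligned closed", 5e-4),
    ("MOV AF608 blocked", 1e-4),
    ("check valve blocked (ID illegible)", 1e-4),
    ("CV AF72 blocked", 1e-4),
    ("MOV AF3870 aligned closed", 5e-4),
    ("MOV AF3870 blocked", 1e-4),
    ("MOV AF360 aligned closed", 5e-4),
    ("MOV AF360 blocked", 1e-4),
    ("CV AF19 blocked", 1e-4),
    ("TDP AFP-1 fails to start", 1e-3),
    ("TDP AFP-1 fails to run, 8 hr x 3e-5/hr", 8 * 3e-5),
    ("MS730 aligned closed (maintenance error)", 5e-3),
    ("stop valve initially overthrottled", 5e-3),
    ("actuation logic", 7e-3),
    ("MS730 blockage", 1e-4),
    ("manual valve blockage", 1e-4),
    ("stop valve blockage", 1e-4),
]

# Table 6.1, Q1M(LMFW): maintenance and test contributors to train 1.
Q1M_LMFW_EVENTS = [
    ("TDP pump maintenance", 5.8e-3),
    ("MOV AF360 maintenance", 2.1e-3),
    ("MOV AF3870 maintenance", 2.1e-3),
    ("MOV AF3869 maintenance", 2.1e-3),
    ("pump test", 3e-4),
]

S = 5e-4            # alignment of both pumps to an improper source (FW85)
CC = 1e-4 + 3e-5    # AF599/AF608 isolation + loss of steam


def train_unavailability(events):
    """Rare-event approximation: any single contributor fails the train,
    so the small probabilities are simply summed."""
    return sum(p for _, p in events)


def table_6_2():
    """Per-initiator (Q1H, Q1M, Q2H, Q2M); train 2 mirrors train 1 for LMFW."""
    q_h = train_unavailability(Q1H_LMFW_EVENTS)
    q_m = train_unavailability(Q1M_LMFW_EVENTS)
    # LOOP adds: MS106 fails AND (MS106A fails or diesel generator 1 is out).
    loop_q1h = q_h + 3e-3 * 3.9e-2
    # LOOP adds for train 2: diesel generator 2 out means no steam admission.
    loop_q2h = q_h + 3.6e-2
    return {
        "LMFW": (q_h, q_m, q_h, q_m),
        "LOOP": (loop_q1h, q_m, loop_q2h, q_m),
    }


def unavailability_terms(initiator):
    """Terms of the Table 7.1 formula. Q1M*Q2M is deliberately absent:
    both trains are not taken out for maintenance at the same time."""
    q1h, q1m, q2h, q2m = table_6_2()[initiator]
    return {
        "Q1H*Q2H": q1h * q2h,
        "Q1H*Q2M + Q1M*Q2H": q1h * q2m + q1m * q2h,
        "CC": CC,
        "S": S,
    }


def system_unavailability(initiator):
    return sum(unavailability_terms(initiator).values())


def term_shares(initiator):
    """Fraction of the system unavailability contributed by each term."""
    terms = unavailability_terms(initiator)
    total = sum(terms.values())
    return {name: value / total for name, value in terms.items()}


if __name__ == "__main__":
    for init in ("LMFW", "LOOP"):
        print(f"{init}: {system_unavailability(init):.1e}")
        for name, share in term_shares(init).items():
            print(f"    {name:<20s} {share:5.1%}")
```

Run as a script, it prints the two unavailabilities and the share of each term; for LMFW the single suction-alignment term S accounts for roughly a third of the total, which is the quantitative basis for General Comment 1 in Sec. 7.3.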

U.S. NUCLEAR REGULATORY COMMISSION
BIBLIOGRAPHIC DATA SHEET

Report Number: NUREG/CR-3530, BNL-NUREG-51722
Title and Subtitle: Review of the Davis-Besse Unit No. 1 Auxiliary Feedwater System Reliability Analysis
Author(s): R. Youngblood, I. A. Papazoglou
Date Report Completed: December 1983
Date Report Issued: February 1984
Performing Organization: Brookhaven National Laboratory, Upton, NY 11973
Sponsoring Organization: Division of Safety Technology, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555
FIN No.: A-3933
Type of Report: Technical Report

Abstract (200 words or less):

The purpose of this report is to review the "Davis-Besse Unit No. 1 Auxiliary Feedwater System Reliability Analysis Final Report," and to provide an independent estimate of the Auxiliary Feedwater System Reliability. This report presents estimates of the probability that the Auxiliary Feedwater System will not perform its mission for each of three different initiators: (1) loss of main feedwater with offsite power available, (2) loss of offsite power, (3) loss of all 4160 VAC power. The scope, methodology, and failure data are prescribed by NUREG-0611, Appendix III.

Key Words and Document Analysis: Reliability Analysis; Auxiliary Feedwater System; Davis-Besse Unit No. 1; Pump and Valve Failure Rates
Availability Statement: Unlimited
Security Class: Unclassified
