ML20086S683

Advanced BWR Design Reliability Assurance Program
Site: 05000605
Issue date: 12/19/1991
From: General Electric Co.
Shared package: ML20086S673
References: NUDOCS 9201030280
Draft 12/19/91

ABWR DESIGN RELIABILITY ASSURANCE PROGRAM

GE NUCLEAR ENERGY, SAN JOSE, CALIFORNIA

9201030280 911223 PDR ADOCK 05000605 A PDR

Draft 12/19/91

ABWR DESIGN RELIABILITY ASSURANCE PROGRAM

TABLE OF CONTENTS

SECTION  PAGE
1. Introduction  1
2. Scope  1
3. Purpose  2
4. Objective  2
5. SSC Identification/Prioritization  2
6. Design Considerations  4
7. Defining Failure Modes  6
8. Reliability Focused Maintenance  6
9. Owner/Operator's Reliability Assurance Program  12
10. D-RAP Implementation  14
   10.1 SLCS Description  14
   10.2 SLCS Operation  20
   10.3 SLCS Fault Tree  20
   10.4 System Design Response  24
11. Glossary of Terms  26
12. References  26

LIST OF TABLES

TABLE  PAGE
1. SLCS Inspections, Tests, Analyses and Acceptance Criteria  18
2. Top Level Cutsets for SLCS Failure  22
3. Examples of SLCS Failure Modes & Risk Focused Maintenance  25

LIST OF FIGURES

FIGURE  PAGE
1. PRA Process for Risk-Critical Component Determination  3
2. Design Evaluation for SSCs  5
3. Process for Determining Dominant Failure Modes of Risk-Critical SSCs  7
4. Use of Failure History to Define Failure Modes  8
5. Analytical Assessment to Define Failure Modes  9
6. Inclusion of Maintenance Requirements in the Definition of Failure Modes  10
7. Identification of Critical SSC Maintenance Requirements  11
8. Standby Liquid Control System (Standby Mode)  16
9. Standby Liquid Control System Top Level Fault Tree  21

Draft 12/19/91

ABWR DESIGN RELIABILITY ASSURANCE PROGRAM

1. INTRODUCTION

The ABWR Design Reliability Assurance Program (D-RAP) is a program performed by GE Nuclear Energy (GE-NE) to assure that the ABWR will be operated and maintained in such a way that the reliability assumptions of the probabilistic risk assessment (PRA) apply throughout the plant life. The plant owner/operator will also have a RAP that shows that the plant is being operated and maintained so that safety is not degraded. The PRA evaluates the plant response to initiating events to assure that plant damage has a very low probability and risk to the public is very low. Input to the PRA includes details of the plant design and assumptions about the ability of the plant owner/operator to operate and maintain the plant such that safety related structures, systems and components (SSCs) retain their reliability throughout plant life.

This D-RAP will include the design evaluation of the ABWR. It will identify relevant aspects of plant operation, maintenance, and performance monitoring of plant SSCs to assure safety of the equipment and limited risk to the public.

Also included in the D-RAP is a description of how the D-RAP will apply to one important plant system, the standby liquid control system (SLCS). The SLCS is an example of how the principles of D-RAP will be applied to other systems identified by the PRA as being important to safety.

2. SCOPE

The ABWR D-RAP will include the design evaluation of the ABWR, and it will identify relevant aspects of plant operation, maintenance, and performance monitoring of plant safety related SSCs. The PRA for the ABWR will be used to identify and prioritize those SSCs that are important to prevent or mitigate plant transients or other events that could present a risk to the public.

3. PURPOSE

The purpose of the D-RAP is to assure that the plant safety as quantified by the probabilistic risk analysis (PRA) is achieved by the design and that information is provided to the future owner/operator so that plant safety is maintained through operation and maintenance during the entire plant life.

4. OBJECTIVE

The objective of the D-RAP is to identify those plant components that are significant contributors to safety, as shown by the PRA, and to assure that plant design provides SSCs at least as reliable as that assumed in the PRA.

The D-RAP will also specify operation, maintenance and monitoring requirements that will assure that such components can be expected to operate throughout plant life at least as reliably as assumed in the PRA.

A major component of plant reliability assurance is risk focused maintenance, by which maintenance resources are focused on those components that enable the ABWR systems to fulfill their essential safety functions and on components whose failure may initiate challenges to safety systems. This focus of maintenance will have a beneficial impact in decreasing risk.

5. SSC IDENTIFICATION/PRIORITIZATION

The PRA prepared for the ABWR is the source for identifying risk-critical SSCs that should be considered for design improvement and/or risk focused maintenance. The way the PRA is used is demonstrated in Figure 1. Those PRA cutsets that contribute to core damage frequency (CDF) are identified; the top cutsets that contribute significantly to the CDF are selected for evaluation of component failures. Components whose failures are involved in the top cutsets are identified. Of these, those components that may be critical as determined by consideration of aging and common cause failures are also identified. The result is a list of risk-critical components for further consideration.

Prioritization of the SSCs identified by the PRA is also obtained from the PRA. Those SSCs with greater contribution to the CDF will be given more attention with regard to possible redesign and with regard to identifying appropriate maintenance tasks to limit the failure probability.

Figure 1. PRA Process for Risk-Critical Component Determination. (Flowchart: consider all cutsets that contribute to core damage frequency, for all accident sequences, ranked in decreasing order of CDF; select the top cutsets that contribute significantly to the total CDF; determine components whose failures are involved in the above cutsets; determine components that may be critical due to aging and common cause considerations; output: risk-critical components list.)

6. DESIGN CONSIDERATIONS

The reliability of risk-critical SSCs, which are identified in the PRA, will be evaluated at the design stage by appropriate design reviews and reliability analyses of the identified equipment. Current data bases will be used to identify appropriate values for failure rates of equipment as designed, and these failure rates will be compared with those used in the PRA. Normally the failure rates will be the same, but some may differ because of recent design changes. Whenever failure rates of designed equipment are significantly greater than those used in the PRA, an evaluation will be performed to determine that the equipment is acceptable or that it must be redesigned to achieve a lower failure rate.

For those risk-critical SSCs contributing a large fraction of the total CDF, as indicated by PRA calculations, component redesign will be considered as a way to reduce the CDF contribution. (If the CDF is acceptably low, little effort will be expended toward redesign.) If there are no practical ways to redesign a component, alternate SSC designs incorporating such features as redundant components or backup systems will be evaluated. If there are practical ways to redesign a risk-critical SSC, it will be redesigned and the change in PRA results will be calculated. Following the redesign phase, dominant SSC failure modes will be identified so that protection against such failure modes can be accomplished by appropriate maintenance. The design considerations that go into determining an acceptable, reliable design and the SSCs that must be considered for reliability focused maintenance are shown in Figure 2.

GE-NE will identify to the plant owner/operator the risk-critical SSCs and the reliability assumed for them in the PRA. GE-NE will also outline a RAP for the plant owner/operator to follow to assure that PRA results will be achieved over the life of the plant.

Figure 2. Design Evaluation for SSCs. (Flowchart: starting from the risk-critical SSCs identified by the PRA, a reliability assessment in the design phase asks whether failure rates are higher than those in the PRA and, if so, whether PRA results are significantly changed by the higher failure rate; if they are, the SSC is redesigned. Otherwise the path asks whether SSC failure has a large impact on CDF; if so, whether component redesign is feasible, practical and cost effective (yes: redesign the SSC) and, if not, whether practical alternate SSC designs such as redundant components or backup systems can reduce the impact of failure. SSCs that leave these checks without redesign become the SSCs for reliability focused maintenance.)

7. DEFINING FAILURE MODES

The determination of dominant failure modes of risk-critical SSCs will include historical information, analytical models and existing requirements. Many BWR systems and components have compiled a significant historical record, so an evaluation of that record comprises Assessment Path A in Figure 3. Details of Path A are shown in Figure 4.

For those SSCs for which there is not an adequate historical basis to identify critical failure modes, an analytical approach is necessary, shown as Assessment Path B in Figure 3. The details of Path B are given in Figure 5.

The failure modes identified in Paths A and B are then reviewed with respect to the existing maintenance activities in the industry and the maintenance requirements, Assessment Path C in Figure 3. Detailed steps in Path C are outlined in Figure 6.

8. RELIABILITY FOCUSED MAINTENANCE

Once the dominant failure modes are determined for risk-critical SSCs, an assessment is required to determine the appropriate maintenance activities that will assure acceptable performance during plant life. Such maintenance may consist of periodic surveillance inspections or tests, monitoring of SSC performance, and/or periodic preventive maintenance (Ref. 1). The decision tree covering these maintenance areas is shown in Figure 7. As indicated, some SSCs may require a combination of maintenance activities to assure that their performance matches that assumed in the PRA.

Periodic testing of SSCs may include startup of standby systems, surveillance testing of instrument circuits to assure that they will respond to appropriate signals, and inspection of passive components (such as tanks and pipes) to show that they are intact and available to perform as designed. Performance monitoring, including condition monitoring, can consist of measurement of output (such as pump flow rate or heat exchanger temperatures), measurement of magnitude of an important variable (such as vibration or temperature), and testing for abnormal conditions (such as oil degradation or local hot spots).

Figure 3. Process for Determining Dominant Failure Modes of Risk-Critical SSCs. (Flowchart: starting from the SSCs for reliability-focused maintenance, Assessment Path A asks whether failure history identifies critical failure modes and piece parts; if not, Assessment Path B identifies critical failure modes and piece parts using analytical methods. In parallel, Assessment Path C identifies existing maintenance-related activities and requirements and the mandatory maintenance requirements. The paths combine to define the dominant failure modes to defend against.)

Figure 4. Use of Failure History to Define Failure Modes. (Flowchart for Assessment Path A. Information needed: input from NPRDS, LERs, failure history and COMPASS data bases; consultation with knowledgeable design and maintenance personnel; root cause analysis; design reviews; system walkdowns. Steps: determine the analysis boundary (individual component, component type in similar applications, etc.); from failure history, construct a list of failure modes/causes at piece-part level; if appropriate, develop failure mode categories and assign each piece-part failure to a category; obtain the occurrence frequency of each category (or piece-part failure); define the dominant failure mode list from data considerations.)

Figure 5. Analytical Assessment to Define Failure Modes. (Flowchart for Assessment Path B. Information needed: engineering diagrams of the critical component under assessment. Steps: perform a fault tree or FMEA analysis on components to piece-part level; identify single piece-part failures that fail the component's function (and that are likely to occur), latent piece-part failures not detected through ordinary demand testing, piece-part failures that have common cause potential, including by aging or wear, and piece-part failures that could cascade to more serious failures; define the dominant failure mode list from analysis considerations.)

Figure 6. Inclusion of Maintenance Requirements in the Definition of Failure Modes. (Flowchart for Assessment Path C. Information needed: planned maintenance, ASME Section XI requirements, vendor recommendations, EQ requirements, Technical Specification testing and calibration, and other regulatory-mandated requirements. Steps: list all maintenance requirements and recommendations from all sources; partition the list into those actually planned and those not planned; record the rationale for performing, or for not performing, each item; identify the failure modes affected and the frequency of maintenance, and the failure modes not protected by maintenance (if any); define the dominant failure modes.)

Figure 7. Identification of Critical SSC Maintenance Requirements. (Decision tree starting from the dominant failure modes of risk-critical SSCs: Does the SSC require periodic testing? If yes, specify periodic testing. Does the SSC require performance monitoring? If yes, specify performance monitoring. Does the SSC require periodic preventive maintenance? If yes, specify periodic PM. Finally, document the risk-focused maintenance for SSCs for the owner/operator.)

Periodic preventive maintenance is an activity performed at regular intervals to preclude problems that could occur before the next PM interval. This could be regular oil changes, replacement of seals and gaskets, or refurbishment of equipment subject to wear or age related degradation.

Any planned maintenance activities must be integrated with the regular operating plans so that they do not disrupt normal operation. Maintenance that will be performed more frequently than refueling outages must be planned so as to not disrupt operation or be likely to cause reactor scram. Maintenance planned for performance during refueling outages must be conducted in such a way that it will have little or no impact on outage length or on other maintenance work.

9. OWNER/OPERATOR'S RELIABILITY ASSURANCE PROGRAM

The RAP that will be implemented by the ABWR owner/operator will also be designed by that organization. However, GE-NE will provide an outline of the RAP for the owner/operator. This outline will identify the areas of maintenance activities that should be included in the RAP. Several such areas are discussed below.

9.1 Reliability Performance Monitoring: The monitoring of safety related SSCs during plant operation will be specified in the owner/operator's RAP. GE-NE will recommend the type and frequency of monitoring that will be required for each SSC identified as important to the achievement of safety.

9.2 Reliability Methodology: The method by which the plant owner/operator will compare plant data to the SSC data in the PRA will be recommended by GE-NE.

9.3 Problem Prioritization: GE-NE will specify, for each of the safety related SSCs, the importance of that item as a contributor to the CDF calculated by the PRA. This will assist the owner/operator in assigning priorities to problems that are detected with such equipment.


9.4 Root Cause Analysis: Any important problems that are identified by the owner/operator regarding reliability of safety related SSCs must be evaluated to determine the root causes, those causes which, after correction, will not recur to again degrade the reliability of equipment. The basic elements of such root cause analysis will be identified by GE-NE, and the detailed root cause analysis techniques will be specified by the owner/operator.

9.5 Corrective Action Determination: The corrective actions required to restore equipment to its required functional capability and reliability will be determined by the owner/operator, based on the results of problem identification and root cause analysis. Part of the determination of proper corrective action will be an evaluation of the future reliability of the equipment and comparison with the specified reliability as given in item 9.1, above.

9.6 Corrective Action Implementation: The implementation of corrective action that is determined in item 9.5, above, will be performed by the owner/operator.

GE-NE will identify to the owner/operator a list of precautions that must be observed when performing corrective action on safety related equipment so that plant safety is not compromised during such work.

9.7 Corrective Action Verification: When problems with safety related equipment are corrected, the owner/operator must ascertain that the equipment now functions correctly. The operations and maintenance (O & M) manuals for safety related equipment will have equipment checkout procedures that must be followed after maintenance to assure that such equipment will perform its safety functions. GE-NE will provide an outline of such checkout procedures for all such equipment.

9.8 Plant Aging: Safety related equipment will be designed for the full design life of the ABWR (60 years). Any such equipment that is expected to undergo age related degradation will have such phenomena identified by GE-NE in the D-RAP. The need for replacement or refurbishment of equipment as it ages will be specified in the O & M manuals.


9.9 Feedback to Designer: The plant owner/operator will periodically compare performance of safety related equipment to that specified in GE-NE's PRA and D-RAP as mentioned in item 9.3 above. The outline for the owner/operator's RAP (item 9.1, above) will contain a request regarding feedback of plant SSC performance data to GE-NE in those cases that consistently show SSC performance below that specified.

9.10 Programmatic Interfaces: The D-RAP performed by GE-NE will be primarily concerned with the design of the ABWR. The D-RAP will interface with design of all equipment related to plant safety through design reviews and plant status reviews. It will also interface through procedure reviews, for initial equipment, with quality assurance and procurement.

The plant owner/operator's RAP will address the interfaces with construction, startup testing, operations, maintenance, engineering, safety, licensing, quality assurance and procurement of replacement equipment. An outline of such interfaces will be provided to the owner/operator by GE-NE.

10. D-RAP IMPLEMENTATION

An example of implementation of the D-RAP is given by consideration of the standby liquid control system (SLCS). The purpose of the SLCS is to inject neutron absorbing poison into the reactor, upon demand, providing a backup reactor shutdown capability independent of the control rods. The system is capable of operating over a wide range of reactor pressure conditions. The SLCS may or may not be identified by the final PRA as a significant contributor to CDF or to offsite risk.

10.1 SLCS Description

During normal operation the SLCS is on standby, only to function in the event the operators are unable to control reactivity with the normal control rods. The SLCS consists of a boron solution storage tank, two positive displacement pumps, two motor operated injection valves (provided in parallel for redundancy), and associated piping and valves used to transfer borated water from the storage tank to the reactor pressure vessel (RPV).


The borated solution is discharged through the 'B' high pressure core flooder (HPCF) subsystem sparger. A schematic diagram of the SLCS showing major system components is presented in Figure 8. Some locked open maintenance valves and some check valves are not shown. Key equipment performance requirements are:

a. Pump flow: 50 gpm per pump
b. Maximum reactor pressure (for injection): 1250 psig
c. Pumpable volume in storage tank (minimum): 6100 U.S. gal

Design provisions to permit system testing include a test tank and associated piping and valves. The tank can be supplied with demineralized water which can be pumped in a closed loop through either pump or injected into the reactor.

The SLCS uses a dissolved solution of sodium pentaborate as the neutron-absorbing poison. This solution is held in a heated storage tank to maintain the solution above its saturation temperature. The SLCS solution tank, a test water tank, the two positive displacement pumps, and associated valving are located in the secondary containment on the floor elevation below the operating floor. This is a Seismic Category I structure, and the SLCS equipment is protected from phenomena such as earthquakes, tornados, hurricanes and floods as well as from internal postulated accident phenomena. In this area, the SLCS is not subject to conditions such as missiles, pipe whip, and discharging fluids.

The pumps are capable of producing discharge pressure to inject the solution into the reactor when the reactor is at high pressure conditions corresponding to the system relief valve actuation. Signals indicating storage tank liquid level, tank outlet valve position, pump discharge pressure and injection valve position are available in the control room.

Figure 8. Standby Liquid Control System (Standby Mode). (Schematic showing the heated storage tank with vent and heater, the suction valves (with position indication), the two pumps, the injection valves (with position indication), the test tank, the ASME Code Class boundaries, the primary containment penetration, and the connection to the HPCF sparger.)

The pumps, heater, valves and controls are powered from the standby power supply or normal offsite power. The pumps and valves are powered and controlled from separate buses and circuits so that a single active failure will not prevent system operation. The power supplied to one motor operated injection valve, storage tank discharge valve, and injection pump is from Division I, 480 VAC. The power supply to the other motor operated injection valve, storage tank outlet valve, and injection pump is from Division II, 480 VAC. The power supply to the tank heaters and heater controls is connectable to a standby power source. The standby power source is Class 1E from an on site source and is independent of the off site power.

All components of the system which are required for injection of the neutron absorber into the reactor are classified Seismic Category I. All major mechanical components are designed to meet ASME Code requirements as shown below.

Component                            ASME Code Class   Design Pressure   Design Temperature
Storage Tank                         2                 Static Head       150 F
Pump/Motor                           2                 1560 psig         150 F
Injection Valves                     1                 1560 psig         150 F
Piping Inboard of Injection Valves   1                 1250 psig         575 F

The installation and preoperational inspections, tests, and/or analyses together with associated acceptance criteria which will be undertaken for the SLCS are given in Table 1.


Table 1. SLCS Inspections, Tests, Analyses and Acceptance Criteria

Each item gives the Certified Design Commitment, the Inspections, Tests, Analyses to be performed, and the Acceptance Criteria.

1. Certified Design Commitment: The minimum average poison concentration in the reactor after operation of the SLCS shall be equal to or greater than 850 ppm.
   Inspections, Tests, Analyses: Construction records, revisions and plant visual examinations will be undertaken to assess the as-built parameters listed below for compatibility with SLCS design calculations. If necessary, an as-built SLCS analysis will be conducted to demonstrate that the acceptance criteria are met.
   Acceptance Criteria: It must be shown the SLCS can achieve a poison concentration of 850 ppm or greater assuming a dilution due to non-uniform mixing in the reactor and accounting for dilution in the RHR shutdown cooling systems. This concentration must be achieved under system design basis conditions.

   Critical Parameters and Validation Attributes:
   a. Storage tank pumpable volume: storage tank pumpable volume range 6100-6800 gal.
   b. RPV water inventory at 70 F: RPV water inventory < 1,000,000 lb.
   c. RHR shutdown cooling system water inventory at 70 F: RHR shutdown cooling system inventory < 287,000 lb.

2. Certified Design Commitment: A simplified system configuration is shown in Figure 8.
   Inspections, Tests, Analyses: Inspections of installation records together with plant walkdowns will be conducted to confirm that the installed equipment is in compliance with the design configuration defined in Figure 8.
   Acceptance Criteria: The system configuration is in accordance with Figure 8.

3. Certified Design Commitment: Each SLCS pump shall be capable of delivering 50 gpm of solution against the elevated pressure conditions which can exist in the reactor during events involving SLCS initiation.
   Inspections, Tests, Analyses: System preoperation tests will be conducted to demonstrate acceptable pump and system performance. These tests will involve establishing test conditions that simulate conditions which will exist during an SLCS design basis event.
   Acceptance Criteria: It must be shown that the SLCS can inject 100 gpm (two pump operation) against a reactor pressure of 1250 psig.

4. Certified Design Commitment: The system is designed to permit in-service functional testing of the SLCS.
   Inspections, Tests, Analyses: Field tests will be conducted after system installation to confirm that in-service system testing can be performed.
   Acceptance Criteria: Using normally installed controls, power supplies and other auxiliaries, the system has the capability to perform:
   a. Pump tests in a closed loop on the test tank, and
   b. Reactor pressure vessel injection tests using demineralized water from the test tank.

5. Certified Design Commitment: The pump, heater, valves and controls can be powered from the standby AC power supply as described in Section 10.
   Inspections, Tests, Analyses: System tests will be conducted after installation to confirm that the electrical power supply configurations are in compliance with design commitments.
   Acceptance Criteria: The installed equipment can be powered from the standby AC power supply.


10.2 SLCS Operation

The SLCS is initiated by one of three means: (a) manually initiated from the main control room, (b) automatically initiated if conditions of RPV pressure above 1125 psig and startup range neutron monitor (SRNM) above 54 exist for 3 minutes, or (c) automatically initiated if conditions of RPV water level below the level 2 setpoint and startup range neutron monitor (SRNM) above 54 exist for 3 minutes. The SLCS provides borated water to the reactor core to compensate for the various reactivity effects during the required conditions.

To meet its reactivity objective, it is necessary to inject a quantity of boron which produces a minimum concentration of 850 ppm of natural boron in the reactor core at 20 C. To allow for potential leakage and imperfect mixing in the reactor system, an additional 25% (220 ppm) margin is added to the above requirement. The required concentration is achieved accounting for dilution in the RPV with normal water level and including the volume in the residual heat removal shutdown cooling piping. This quantity of boron solution is the amount which is above the pump suction shutoff level in the storage tank, thus allowing for the portion of the tank volume which cannot be injected.

10.3 SLCS Fault Tree

The top level fault tree for the SLCS is shown in Figure 9, with the top gate defined as failure to deliver 50 gpm of borated water from the storage tank to the RPV. Details providing input to most of the events in Figure 9 are contained in the several additional branches to the fault tree.

Normally the risk significant SSCs would be determined from the total plant reliability analysis (fault trees and event trees), but in this example results of the system fault tree are given in Table 2. Six cutsets, or combinations of events leading to system failure, combine to contribute a large fraction of the total system failure probability. Seven events or failures contribute to these top six cutsets, so the SSCs contributing to these events should be considered as candidates for redesign or for risk focused maintenance.


Figure 9. Standby Liquid Control System Top Level Fault Tree. (Top gate G1: SLC fails to deliver 50 gpm borated water. Its inputs are failure of both SLC pumps to deliver borated water (G2), both pump suction valves closed (G7), both pump discharge valves closed (G10), borated water not available at pump suction (G13), and failure to initiate; failure to initiate splits into manual failure to initiate (operator fails to initiate, G23) and automatic failure to initiate (signal to initiate fails, G29).)

Table 2. Top Level Cutsets for SLCS Failure

CUTSET   EVENTS
1        OVF001HW  OVF002HW
2        OFL000HW
3        ECA040H
4        ECA021H
5        OPM002HW  OVF001HW
6        OPM001HW  OVF002HW

Event names:
OVF001HW   Flow Diverted Through Relief Valve F003A
OVF002HW   Flow Diverted Through Relief Valve F003B
OFL000HW   Plugged Suction Lines From Tank
OPM001HW   SLCS Pump A (C001A) Fails to Operate
OPM002HW   SLCS Pump B (C001B) Fails to Operate
ECA021H    AC Power Cable 21 Failure
ECA040H    AC Power Cable 40 Failure
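The cutset screening of Section 5 (Figure 1) and the Table 2 example of Section 10.3 can be carried out numerically. The following Python script is an added illustration, not part of the GE document: it takes the six Table 2 cutsets, selects the ones that dominate the system failure probability, lists the basic events involved, and ranks every event by its Fussell-Vesely importance. The per-event probabilities are constructed placeholders, since the page gives none.

```python
"""Rank SLCS basic events by their share of the top-level fault tree's minimal
cutsets (the Figure 1 / Section 10.3 procedure).  The six cutsets come from
Table 2; the basic-event probabilities are constructed placeholders, not PRA
values."""

# Six top-level minimal cutsets for the top gate "SLC fails to deliver 50 gpm
# of borated water" (Table 2).  Each cutset is a set of basic events whose
# joint occurrence fails the system.
TABLE_2_CUTSETS = [
    {"OVF001HW", "OVF002HW"},   # flow diverted through both relief valves
    {"OFL000HW"},               # plugged suction lines from the storage tank
    {"ECA040H"},                # AC power cable 40 failure
    {"ECA021H"},                # AC power cable 21 failure
    {"OPM002HW", "OVF001HW"},   # pump B fails, relief valve F003A diverts
    {"OPM001HW", "OVF002HW"},   # pump A fails, relief valve F003B diverts
]

# Constructed per-demand unavailabilities used only to make the arithmetic
# concrete; the page gives no event probabilities.
EVENT_PROB = {
    "OVF001HW": 1e-3, "OVF002HW": 1e-3,
    "OFL000HW": 2e-4,
    "ECA040H": 5e-5, "ECA021H": 5e-5,
    "OPM001HW": 3e-3, "OPM002HW": 3e-3,
}


def cutset_prob(cutset, probs):
    """Probability of a cutset, treating its basic events as independent."""
    p = 1.0
    for event in cutset:
        p *= probs[event]
    return p


def system_unavailability(cutsets, probs):
    """Minimal-cut upper bound 1 - prod(1 - P(C_i)) on the top-gate probability.
    The rare-event sum is slightly larger; at these magnitudes the difference
    is negligible."""
    survive = 1.0
    for cutset in cutsets:
        survive *= 1.0 - cutset_prob(cutset, probs)
    return 1.0 - survive


def top_cutsets(cutsets, probs, fraction=0.9):
    """Select cutsets in descending probability until they account for at
    least `fraction` of the rare-event total (the 'top cutsets that contribute
    significantly' step of Figure 1)."""
    ranked = sorted(cutsets, key=lambda c: cutset_prob(c, probs), reverse=True)
    total = sum(cutset_prob(c, probs) for c in cutsets)
    chosen, running = [], 0.0
    for cutset in ranked:
        chosen.append(cutset)
        running += cutset_prob(cutset, probs)
        if running >= fraction * total:
            break
    return chosen


def events_in(cutsets):
    """Basic events (components) appearing in any of the given cutsets."""
    return set().union(*cutsets)


def fussell_vesely(event, cutsets, probs):
    """Fussell-Vesely importance: fraction of the (rare-event) system failure
    probability carried by cutsets that contain `event`."""
    total = sum(cutset_prob(c, probs) for c in cutsets)
    share = sum(cutset_prob(c, probs) for c in cutsets if event in c)
    return share / total


def rank_events(cutsets, probs):
    """All basic events ordered by decreasing Fussell-Vesely importance."""
    scored = [(e, fussell_vesely(e, cutsets, probs)) for e in sorted(events_in(cutsets))]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print(f"system unavailability (MCUB): {system_unavailability(TABLE_2_CUTSETS, EVENT_PROB):.3e}")
    print("top cutsets (90% of total):")
    for c in top_cutsets(TABLE_2_CUTSETS, EVENT_PROB):
        print("  ", sorted(c), f"{cutset_prob(c, EVENT_PROB):.1e}")
    print("candidates for redesign or risk focused maintenance:")
    for event, fv in rank_events(TABLE_2_CUTSETS, EVENT_PROB):
        print(f"   {event:9s} FV = {fv:.3f}")
```

With the placeholder values the single-event cutsets (plugged suction line, the two cable failures) dominate, which is why a screening step must look at cutset probabilities rather than cutset count before choosing maintenance targets.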

10.4 System Design Response

The SLCS system components identified in top cutsets of the total plant fault tree would normally be considered for redesign or for risk focused maintenance, as noted above. However, for this example the seven events identified by the system fault tree are the areas most significant to system failure to carry out its function.

Two of the events in Table 2 result from flow of SLCS fluid being diverted through relief valves back to pump suction rather than into the RPV. Since gate and check valve failures (which could result in relief valve operation) are accounted for by separate events, these relief valve failures of concern can be considered to be valve body failures or inadvertent opening of the relief valves. Plugging of the suction lines from the storage tank could result from some contamination of the tank fluid or collection of foreign matter in the tank. The pump failures to start upon demand could result from electrical or mechanical problems at the pumps or their control circuits. Two AC electrical system failures that contribute to SLCS system failure are identified in Table 2. No further details of electrical system failures or maintenance are included here. That leaves the five components noted above for special attention with regard to reducing the risk of system failure.

a. Redesign

If the system reliability is already adequate to meet its goals, redesign will not be necessary. Redesign considerations, if required, will include trying to identify more reliable relief valves, more reliable pumps, and suction lines less likely to plug. The latter might be achieved by using larger diameter pipes, inlet strainers, or multiple suction lines. Pump and valve reliability might be enhanced by specific design changes or by providing greater redundancy of equipment. Any such redesign would have to be evaluated by balancing the increase in reliability achieved against the added complication to plant equipment and layout.


b. Failure Mode Identification

If redesign is not necessary, or after redesign has been completed, the appropriate reliability focused maintenance should be identified for the three SLCS component types identified by the fault tree and discussed above. This begins with determining the likely failure modes that will lead to loss of function. Examples of the types of failure modes that could impact reliability of these identified components are shown in Table 3. The table is not a complete listing of important failure modes, but is intended to indicate the types of failures that would be considered.
c. Recommended Maintenance

For each identified failure mode the appropriate maintenance tasks will be identified to assure that the failure mode will be (a) avoided, (b) rendered insignificant, or (c) kept to an acceptably low probability. The type of maintenance and the frequency of doing maintenance are both important aspects of assuring that the equipment failure rate will be no greater than that assumed for the PRA. Examples of maintenance activities and frequencies are shown in Table 3 for each identified failure mode.
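The redesign-versus-maintenance reasoning in steps a to c can be made concrete by evaluating a fault tree numerically. The following Python block is an added example, not code from the ABWR D RAP document or from GE Nuclear Energy. The two-train gate structure, the basic-event failure rates and the test intervals are constructed assumptions that only mirror the event types named in Section 10.4 (relief valve diversion, suction line plugging, pump failure to start, AC power loss); they are not the cutsets or values of the document's Table 2. The block enumerates the minimal cut sets, scores the top-event probability with the rare-event approximation, ranks basic events by Fussell-Vesely importance, and shows how shortening the pump functional-test interval changes the pump's standby unavailability (using the standard lambda*T/2 approximation, also an assumption of this example) and hence the system failure probability.

```python
"""Fault-tree cut set evaluation and test-interval sizing for a standby system.

Added example; gate structure, failure rates and intervals are constructed
assumptions, not figures from the ABWR D RAP document or its Table 2.
"""
from itertools import product

HOURS_PER_MONTH = 730.0  # constructed rounding of 8760 h / 12


def standby_unavailability(failure_rate_per_hour, test_interval_hours):
    """Average unavailability of a periodically tested standby component.

    Uses the common approximation q ~= lambda * T / 2 (valid for lambda*T << 1).
    This is an assumption of the example, not a method stated by the document.
    """
    return failure_rate_per_hour * test_interval_hours / 2.0


def minimal_cut_sets(node):
    """Expand a fault tree into its minimal cut sets.

    node is a basic-event name (str) or a tuple (gate, [children]) with
    gate in {"OR", "AND"}. Returns a set of frozensets of event names.
    """
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        combined = set().union(*child_sets)
    elif gate == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # Drop any cut set that strictly contains another (non-minimal).
    return {cs for cs in combined if not any(other < cs for other in combined)}


def top_event_probability(cut_sets, probs):
    """Rare-event approximation: sum over cut sets of the product of event probabilities."""
    total = 0.0
    for cs in cut_sets:
        p = 1.0
        for ev in cs:
            p *= probs[ev]
        total += p
    return total


def fussell_vesely(cut_sets, probs):
    """Fussell-Vesely importance: share of top-event probability from cut sets containing each event."""
    top = top_event_probability(cut_sets, probs)
    return {
        ev: (top_event_probability({cs for cs in cut_sets if ev in cs}, probs) / top if top else 0.0)
        for ev in probs
    }


def slcs_tree():
    """Constructed two-train SLCS model (assumption of this example).

    System fails if the shared suction line plugs, or if both pump trains fail.
    A train fails if its pump fails to start, its relief valve spuriously opens
    (diverting flow back to suction), or its AC bus is lost.
    """
    train_a = ("OR", ["PUMP_A_FTS", "RV_A_OPEN", "AC_BUS_A"])
    train_b = ("OR", ["PUMP_B_FTS", "RV_B_OPEN", "AC_BUS_B"])
    return ("OR", ["SUCTION_PLUG", ("AND", [train_a, train_b])])


def event_probabilities(pump_test_months):
    """Basic-event probabilities (constructed values) for a given pump functional-test interval."""
    pump_q = standby_unavailability(1.0e-6, pump_test_months * HOURS_PER_MONTH)
    rv_q = standby_unavailability(1.0e-7, 120 * HOURS_PER_MONTH)  # 10-year inspection
    plug_q = standby_unavailability(1.0e-6, 1 * HOURS_PER_MONTH)  # monthly tank sampling
    return {
        "PUMP_A_FTS": pump_q, "PUMP_B_FTS": pump_q,
        "RV_A_OPEN": rv_q, "RV_B_OPEN": rv_q,
        "AC_BUS_A": 1.0e-3, "AC_BUS_B": 1.0e-3,  # assumed per-demand AC unavailability
        "SUCTION_PLUG": plug_q,
    }


def evaluate(pump_test_months):
    """Return (top-event probability, Fussell-Vesely importances) for the model."""
    cs = minimal_cut_sets(slcs_tree())
    probs = event_probabilities(pump_test_months)
    return top_event_probability(cs, probs), fussell_vesely(cs, probs)


if __name__ == "__main__":
    cut_sets = minimal_cut_sets(slcs_tree())
    print(f"{len(cut_sets)} minimal cut sets:")
    for cs in sorted(cut_sets, key=lambda s: (len(s), sorted(s))):
        print("  ", " & ".join(sorted(cs)))
    for months in (6, 1):
        top, fv = evaluate(months)
        print(f"\npump test interval {months} month(s): P(SLCS fails) = {top:.2e}")
        for ev, imp in sorted(fv.items(), key=lambda kv: -kv[1]):
            print(f"  FV({ev}) = {imp:.3f}")
```

Under these assumed numbers the single-event suction-line plugging cut set dominates, so tightening the pump test interval from 6 months to 1 month lowers the system failure probability only modestly; that is the kind of comparison step a calls for when weighing a redesign (for example a second suction line) against more frequent maintenance of a component that is not the dominant contributor.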


TABLE 3. EXAMPLES OF SLCS FAILURE MODES & RISK FOCUSED MAINTENANCE

COMPONENT      FAILURE MODE/CAUSE                                RECOMMENDED MAINTENANCE                                                                                   FREQUENCY

Relief valve   Body leakage                                      Visual inspection                                                                                         24 months
               Spurious opening, spring failure                  Inspect closure spring for breaks; measure spring constant; replace spring.                              10 years
               Spurious opening, spring fastener failure         Visual inspection of spring fastener; replace if necessary.                                               10 years
               Spurious opening, failure of valve stem or disk   Visual and penetrant inspection of stem and disk, ultrasonic inspection of stem; replace if necessary.   10 years

Pump           Fails to start, electrical problems               Functional test of pump with suction from test tank, no flow from storage tank.                           6 months
               Fails to run, mechanical problems                 Measure pump vibration during pump operation in functional test.                                          6 months
                                                                 Disassemble/inspect pump for corrosion, wear. Refurbish as necessary.                                     5 years

Suction lines  Lines plugged by sediment                         Sample storage tank water for sediment; clean tank as necessary.                                          6 months
               Lines plugged by precipitated boron compounds     Sample storage tank water for degree of saturation of boron compounds. Increase tank temperature as necessary.   1 month


11. GLOSSARY OF TERMS

CDF  The core damage frequency as calculated by the PRA.

D RAP  Design Reliability Assurance Program performed by the plant designer to assure that the plant will be operated and maintained in such a way that the reliability assumptions of the PRA apply throughout plant life.

GE NE  GE Nuclear Energy, ABWR plant designer.

Owner/Operator  The utility or other organization that owns and operates the ABWR following construction.

PRA  Probabilistic risk assessment performed to identify and quantify the risk associated with the ABWR.

RAP  Reliability Assurance Program performed by the owner/operator to assure that the plant operates safely, consistent with the PRA.

Risk-critical  Those SSCs which are identified as contributing significantly to the CDF and/or to the risk to the public.

SSCs  Structures, systems and components identified as being important to the plant operation and safety.
